From e5e4c150582c1ebe2064e22dde1e11d8a5483b07 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Tue, 10 Mar 2015 11:12:37 -0400
Subject: [PATCH] removed introspection authorizer hook

---
 .../service/IntrospectionAuthorizer.java | 36 ------
 .../impl/DefaultIntrospectionAuthorizer.java | 43 -------
 .../oauth2/web/IntrospectionEndpoint.java | 42 +++----
 .../TestDefaultIntrospectionAuthorizer.java | 112 ------------------
 4 files changed, 16 insertions(+), 217 deletions(-)
 delete mode 100755 openid-connect-common/src/main/java/org/mitre/oauth2/service/IntrospectionAuthorizer.java
 delete mode 100755 openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionAuthorizer.java
 delete mode 100755 openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultIntrospectionAuthorizer.java

diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/IntrospectionAuthorizer.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/IntrospectionAuthorizer.java
deleted file mode 100755
index 4fbfaf818..000000000
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/IntrospectionAuthorizer.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*******************************************************************************
- * Copyright 2015 The MITRE Corporation
- * and the MIT Kerberos and Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.oauth2.service;
-
-import java.util.Set;
-
-import org.springframework.security.oauth2.provider.ClientDetails;
-
-/**
- * Strategy interface used for authorizing token introspection.
- */
-public interface IntrospectionAuthorizer {
-
- /**
- * @param authClient the authenticated client wanting to perform token introspection
- * @param tokenClient the client the token was issued to
- * @param tokenScope the scope associated with the token
- * @return {@code true} in case introspection is permitted; {@code false} otherwise
- */
- boolean isIntrospectionPermitted(ClientDetails authClient, ClientDetails tokenClient, Set tokenScope);
-
-}
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionAuthorizer.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionAuthorizer.java
deleted file mode 100755
index dab876a88..000000000
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionAuthorizer.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*******************************************************************************
- * Copyright 2015 The MITRE Corporation
- * and the MIT Kerberos and Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.oauth2.service.impl;
-
-import java.util.Set;
-
-import org.mitre.oauth2.service.IntrospectionAuthorizer;
-import org.mitre.oauth2.service.SystemScopeService;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.oauth2.provider.ClientDetails;
-import org.springframework.stereotype.Service;
-
-@Service
-public class DefaultIntrospectionAuthorizer implements IntrospectionAuthorizer {
-
- @Autowired
- private SystemScopeService scopeService;
-
- @Override
- public boolean isIntrospectionPermitted(ClientDetails authClient,
- ClientDetails tokenClient, Set tokenScope) {
- // permit introspection if it's the same client that the token was
- // issued to, or it at least has all the scopes the token was issued
- // with
- return authClient.getClientId().equals(tokenClient.getClientId())
- || scopeService.scopesMatch(authClient.getScope(), tokenScope);
- }
-
-}
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
index 0edcb5b88..3d6e131b6 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
@@ -23,7 +23,6 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
-import org.mitre.oauth2.service.IntrospectionAuthorizer;
 import org.mitre.oauth2.service.IntrospectionResultAssembler;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.mitre.oauth2.service.SystemScopeService;
@@ -57,9 +56,6 @@ public class IntrospectionEndpoint {
 @Autowired
 private ClientDetailsEntityService clientService;
- @Autowired
- private IntrospectionAuthorizer introspectionAuthorizer;
-
 @Autowired
 private IntrospectionResultAssembler introspectionResultAssembler;
@@ -168,30 +164,24 @@ public class IntrospectionEndpoint {
 }
 }
- if (introspectionAuthorizer.isIntrospectionPermitted(authClient, tokenClient, scopes)) {
- // if it's a valid token, we'll print out information on it
-
- if (accessToken != null) {
- Map entity = introspectionResultAssembler.assembleFrom(accessToken, user);
- model.addAttribute("entity", entity);
- } else if (refreshToken != null) {
- Map entity = introspectionResultAssembler.assembleFrom(refreshToken, user);
- model.addAttribute("entity", entity);
- } else {
- // no tokens were found (we shouldn't get here)
- logger.error("Verify failed; Invalid access/refresh token");
- Map entity = ImmutableMap.of("active", Boolean.FALSE);
- model.addAttribute("entity", entity);
- return JsonEntityView.VIEWNAME;
- }
-
- return JsonEntityView.VIEWNAME;
-
+ // if it's a valid token, we'll print out information on it
+
+ if (accessToken != null) {
+ Map entity = introspectionResultAssembler.assembleFrom(accessToken, user);
+ model.addAttribute("entity", entity);
+ } else if (refreshToken != null) {
+ Map entity = introspectionResultAssembler.assembleFrom(refreshToken, user);
+ model.addAttribute("entity", entity);
 } else {
- logger.error("Verify failed; client configuration or scope don't permit token introspection");
- model.addAttribute("code", HttpStatus.FORBIDDEN);
- return HttpCodeView.VIEWNAME;
+ // no tokens were found (we shouldn't get here)
+ logger.error("Verify failed; Invalid access/refresh token");
+ Map entity = ImmutableMap.of("active", Boolean.FALSE);
+ model.addAttribute("entity", entity);
+ return JsonEntityView.VIEWNAME;
 }
+
+ return JsonEntityView.VIEWNAME;
+
 }
 }
diff --git a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultIntrospectionAuthorizer.java b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultIntrospectionAuthorizer.java
deleted file mode 100755
index d163f11c1..000000000
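Review bot: With the `isIntrospectionPermitted` gate gone, the new side from `// if it's a valid token, we'll print out information on it` onward hands the result of `introspectionResultAssembler.assembleFrom(...)` to any client that reaches this point, whether or not it is the client the token was issued to or holds the token's scopes, and the commit message does not say what policy replaces the removed hook; unless a check earlier in the enclosing method (which begins outside this hunk) still restricts which clients may introspect, this widens who can learn a token's metadata. A comment at that line recording where the decision now lives would keep the intent visible to the next reader, e.g. `// NOTE(review): which clients may introspect is decided before this point — confirm and document where`. Separately, the `return JsonEntityView.VIEWNAME;` inside the `else` branch is now redundant with the unconditional return that follows it, so the inner return and the stray blank lines before the closing brace can be dropped to leave a single exit. With the FORBIDDEN branch removed, `HttpStatus` and `HttpCodeView` may have become unused imports in this file if nothing else references them; the import block is outside this hunk, so that is an inference to check.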
--- a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultIntrospectionAuthorizer.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/*******************************************************************************
- * Copyright 2015 The MITRE Corporation
- * and the MIT Kerberos and Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.oauth2.service.impl;
-
-import static com.google.common.collect.Sets.newHashSet;
-import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.assertThat;
-import static org.mockito.BDDMockito.given;
-import static org.mockito.Mockito.mock;
-
-import java.util.Set;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mitre.oauth2.service.SystemScopeService;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.runners.MockitoJUnitRunner;
-import org.springframework.security.oauth2.provider.ClientDetails;
-
-@RunWith(MockitoJUnitRunner.class)
-public class TestDefaultIntrospectionAuthorizer {
-
- @InjectMocks
- private DefaultIntrospectionAuthorizer introspectionPermitter;
-
- @Mock
- private SystemScopeService scopeService;
-
- @Test
- public void shouldPermitIntrospectionToSameClientTheTokenWasIssuedTo() {
-
- // given
- String sameClient = "same";
-
- // when
- boolean permitted = introspectionPermitter.isIntrospectionPermitted(
- clientWithId(sameClient), clientWithId(sameClient),
- scope("scope"));
-
- // then
- assertThat(permitted, is(true));
- }
-
- @Test
- public void shouldPermitIntrospectionToDifferentClientIfScopesMatch() {
-
- // given
- String authClient = "auth";
- String tokenClient = "token";
- Set authScope = scope("scope1", "scope2", "scope3");
- Set tokenScope = scope("scope1", "scope2");
- given(scopeService.scopesMatch(authScope, tokenScope)).willReturn(true);
-
- // when
- boolean permitted = introspectionPermitter.isIntrospectionPermitted(
- clientWithIdAndScope(authClient, authScope),
- clientWithId(tokenClient), tokenScope);
-
- // then
- assertThat(permitted, is(true));
- }
-
- @Test
- public void shouldNotPermitIntrospectionToDifferentClientIfScopesDontMatch() {
-
- // given
- String authClient = "auth";
- String tokenClient = "token";
- Set authScope = scope("scope1", "scope2");
- Set tokenScope = scope("scope1", "scope2", "scope3");
- given(scopeService.scopesMatch(authScope, tokenScope)).willReturn(false);
-
- // when
- boolean permitted = introspectionPermitter.isIntrospectionPermitted(
- clientWithIdAndScope(authClient, authScope),
- clientWithId(tokenClient), tokenScope);
-
- // then
- assertThat(permitted, is(false));
- }
-
- private ClientDetails clientWithId(String clientId) {
- ClientDetails client = mock(ClientDetails.class);
- given(client.getClientId()).willReturn(clientId);
- return client;
- }
-
- private ClientDetails clientWithIdAndScope(String clientId, Set scope) {
- ClientDetails client = clientWithId(clientId);
- given(client.getScope()).willReturn(scope);
- return client;
- }
-
- private Set scope(String... scopeItems) {
- return newHashSet(scopeItems);
- }
-}