From ef01de168d581ca014d934261fff6f62d7839af4 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Wed, 27 Nov 2013 10:21:52 -0500
Subject: [PATCH] Moved special token scopes to scope service interface
---
 .../org/mitre/oauth2/model/OAuth2AccessTokenEntity.java | 7 ++-----
 .../org/mitre/oauth2/service/SystemScopeService.java | 4 ++++
 .../impl/DefaultOAuth2ClientDetailsEntityService.java | 9 +++++----
 .../service/impl/DefaultOAuth2ProviderTokenService.java | 4 ++--
 .../org/mitre/oauth2/token/JwtAssertionTokenGranter.java | 3 ++-
 .../connect/service/impl/DefaultOIDCTokenService.java | 7 ++++---
 .../connect/web/ClientDynamicRegistrationEndpoint.java | 6 +++---
 .../TestDefaultOAuth2ClientDetailsEntityService.java | 9 +++++----
 .../impl/TestDefaultOAuth2ProviderTokenService.java | 3 ++-
 9 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
index 5f29e44c7..1c3f37e52 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
@@ -68,10 +68,7 @@ import com.nimbusds.jwt.JWTParser;
 //@JsonDeserialize(using = OAuth2AccessTokenDeserializer.class)
 public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
- public static final String ID_TOKEN_SCOPE = "id-token";
- public static final String REGISTRATION_TOKEN_SCOPE = "registration-token";
-
- public static String ID_TOKEN = "id_token";
+ public static String ID_TOKEN_FIELD_NAME = "id_token";
 private Long id;
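Review bot: `ID_TOKEN_FIELD_NAME` is renamed but left as a non-final `public static String`, so it remains a globally writable variable rather than a constant; any code that assigns it silently changes the key under which `getAdditionalInformation()` (the next hunk of this file) emits the ID token. The three constants removed just above it were all `final`, and the surviving one should be too: `public static final String ID_TOKEN_FIELD_NAME = "id_token";`. The class body continues outside the hunk.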
@@ -123,7 +120,7 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 public Map getAdditionalInformation() {
 Map map = new HashMap(); //super.getAdditionalInformation();
 if (getIdToken() != null) {
- map.put(ID_TOKEN, getIdTokenString());
+ map.put(ID_TOKEN_FIELD_NAME, getIdTokenString());
 }
 return map;
 }
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
index 1b950ee45..b7a0e1c74 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
@@ -29,6 +29,10 @@ import org.mitre.oauth2.model.SystemScope;
 */
 public interface SystemScopeService {
+ public static final String OFFLINE_ACCESS = "offline_access";
+ public static final String ID_TOKEN_SCOPE = "id-token";
+ public static final String REGISTRATION_TOKEN_SCOPE = "registration-token";
+
 public Set getAll();
 /**
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
index d6a348068..8051b58bc 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
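Review bot: The three constants added to SystemScopeService carry no Javadoc, although `ID_TOKEN_SCOPE` and `REGISTRATION_TOKEN_SCOPE` act as authorization gates elsewhere in this patch (the scope check in JwtAssertionTokenGranter and the `@PreAuthorize` expressions in ClientDynamicRegistrationEndpoint) and `OFFLINE_ACCESS` decides whether a refresh token is attached in DefaultOAuth2ProviderTokenService, so their meaning belongs where they are declared. A comment above the group such as `/** Scope values the server places on tokens it issues itself (ID tokens, registration access tokens) plus the offline_access scope that enables refresh tokens; authorization checks key on their presence. */` would do. Whether the scope service stops clients from requesting `id-token` or `registration-token` as ordinary scopes is not visible in this diff and is worth confirming. The `public` modifier on interface fields is redundant and can be dropped.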
@@ -33,6 +33,7 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.repository.OAuth2ClientRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.BlacklistedSiteService;
@@ -101,9 +102,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 // if the client is flagged to allow for refresh tokens, make sure it's got the right granted scopes
 if (client.isAllowRefresh()) {
- client.getScope().add("offline_access");
+ client.getScope().add(SystemScopeService.OFFLINE_ACCESS);
 } else {
- client.getScope().remove("offline_access");
+ client.getScope().remove(SystemScopeService.OFFLINE_ACCESS);
 }
 // timestamp this to right now
@@ -203,9 +204,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 // if the client is flagged to allow for refresh tokens, make sure it's got the right scope
 if (newClient.isAllowRefresh()) {
- newClient.getScope().add("offline_access");
+ newClient.getScope().add(SystemScopeService.OFFLINE_ACCESS);
 } else {
- newClient.getScope().remove("offline_access");
+ newClient.getScope().remove(SystemScopeService.OFFLINE_ACCESS);
 }
 // check the sector URI
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index 1d8ddffa6..a712a9f79 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -34,6 +34,7 @@ import org.mitre.oauth2.repository.AuthenticationHolderRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.model.ApprovedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.slf4j.Logger;
@@ -159,8 +160,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 token.setAuthenticationHolder(authHolder);
 // attach a refresh token, if this client is allowed to request them and the user gets the offline scope
- // TODO: tie this to some kind of scope service
- if (client.isAllowRefresh() && scopes.contains("offline_access")) {
+ if (client.isAllowRefresh() && scopes.contains(SystemScopeService.OFFLINE_ACCESS)) {
 OAuth2RefreshTokenEntity refreshToken = new OAuth2RefreshTokenEntity(); //refreshTokenFactory.createNewRefreshToken();
 JWTClaimsSet refreshClaims = new JWTClaimsSet();
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
index 6136c791a..af089e051 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
@@ -27,6 +27,7 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
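Review bot: The removed `// TODO: tie this to some kind of scope service` is dropped although the replacement line still compares against a string constant; `SystemScopeService` is referenced here only for its static field, not through an injected service instance, so the lookup the TODO asked for has not actually happened. If a fixed constant is the intended final design that is fine, but otherwise the marker should survive, e.g. `// TODO: resolve offline_access through the injected SystemScopeService rather than a constant`. The enclosing method continues outside the hunk on both sides.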
@@ -79,7 +80,7 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 String incomingTokenValue = tokenRequest.getRequestParameters().get("assertion");
 OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
- if (incomingToken.getScope().contains(OAuth2AccessTokenEntity.ID_TOKEN_SCOPE)) {
+ if (incomingToken.getScope().contains(SystemScopeService.ID_TOKEN_SCOPE)) {
 if (!client.getClientId().equals(tokenRequest.getClientId())) {
 throw new InvalidClientException("Not the right client for this token");
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
index c74a6a1e8..5f6e80d75 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
@@ -26,6 +26,7 @@ import org.mitre.oauth2.model.AuthenticationHolderEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.repository.AuthenticationHolderRepository;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.service.OIDCTokenService;
 import org.mitre.openid.connect.util.IdTokenHashUtils;
@@ -118,7 +119,7 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 // create a scope set with just the special "id-token" scope
 //Set idScopes = new HashSet(token.getScope()); // this would copy the original token's scopes in, we don't really want that
- Set idScopes = Sets.newHashSet(OAuth2AccessTokenEntity.ID_TOKEN_SCOPE);
+ Set idScopes = Sets.newHashSet(SystemScopeService.ID_TOKEN_SCOPE);
 idTokenEntity.setScope(idScopes);
 idTokenEntity.setClient(accessToken.getClient());
@@ -136,12 +137,12 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 Map authorizationParameters = Maps.newHashMap();
 OAuth2Request clientAuth = new OAuth2Request(authorizationParameters, client.getClientId(), Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")), true,
- Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE), null, null, null, null);
+ Sets.newHashSet(SystemScopeService.REGISTRATION_TOKEN_SCOPE), null, null, null, null);
 OAuth2Authentication authentication = new OAuth2Authentication(clientAuth, null);
 OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
 token.setClient(client);
- token.setScope(Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE));
+ token.setScope(Sets.newHashSet(SystemScopeService.REGISTRATION_TOKEN_SCOPE));
 AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
 authHolder.setAuthentication(authentication);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
index f7b5f8d4a..f8c82b57b 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
@@ -189,7 +189,7 @@ public class ClientDynamicRegistrationEndpoint {
 * @param auth
 * @return
 */
- @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
+ @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.REGISTRATION_TOKEN_SCOPE + "')")
 @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
 public String readClientConfiguration(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
@@ -228,7 +228,7 @@ public class ClientDynamicRegistrationEndpoint {
 * @param auth
 * @return
 */
- @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
+ @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.REGISTRATION_TOKEN_SCOPE + "')")
 @RequestMapping(value = "/{id}", method = RequestMethod.PUT, produces = "application/json", consumes = "application/json")
 public String updateClient(@PathVariable("id") String clientId, @RequestBody String jsonString, Model m, OAuth2Authentication auth) {
@@ -307,7 +307,7 @@ public class ClientDynamicRegistrationEndpoint {
 * @param auth
 * @return
 */
- @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
+ @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.REGISTRATION_TOKEN_SCOPE + "')")
 @RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = "application/json")
 public String deleteClient(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
diff --git a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
index 870caa5f1..f7609704f 100644
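Review bot: The identical `@PreAuthorize` expression is now written out three times (readClientConfiguration, updateClient, deleteClient), so a future change to the required role or scope must be repeated in three places and can drift. Because a concatenation of compile-time constants is itself a constant expression, it is legal in an annotation and can be hoisted once: `private static final String REGISTRATION_TOKEN_AUTH = "hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.REGISTRATION_TOKEN_SCOPE + "')";` with each method then carrying `@PreAuthorize(REGISTRATION_TOKEN_AUTH)`. The same applies to all three hunks of this file; the three method bodies continue outside their hunks.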
--- a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
@@ -24,6 +24,7 @@ import org.junit.runner.RunWith;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.repository.OAuth2ClientRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.BlacklistedSiteService;
@@ -133,7 +134,7 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 service.saveNewClient(client);
- Mockito.verify(scopes).add("offline_access");
+ Mockito.verify(scopes).add(SystemScopeService.OFFLINE_ACCESS);
 }
 /**
@@ -155,7 +156,7 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 service.saveNewClient(client);
- Mockito.verify(scopes).remove("offline_access");
+ Mockito.verify(scopes).remove(SystemScopeService.OFFLINE_ACCESS);
 }
 @Test
@@ -281,7 +282,7 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 service.updateClient(oldClient, newClient);
- Mockito.verify(scopes).add("offline_access");
+ Mockito.verify(scopes).add(SystemScopeService.OFFLINE_ACCESS);
 }
 @Test
@@ -300,6 +301,6 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 service.updateClient(oldClient, newClient);
- Mockito.verify(scopes).remove("offline_access");
+ Mockito.verify(scopes).remove(SystemScopeService.OFFLINE_ACCESS);
 }
 }
diff --git a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
index 347e598ed..4e055c398 100644
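Review bot: Swapping the literal `"offline_access"` for `SystemScopeService.OFFLINE_ACCESS` in the four verifications here, and in `createAccessToken_yesRefresh` in TestDefaultOAuth2ProviderTokenService, makes the tests compare the implementation to itself: if the constant's value were ever mistyped, every test would still pass while the scope no longer matches what clients actually send. At least one assertion should keep the wire-level string, e.g. leave `Mockito.verify(scopes).add("offline_access");` in the first saveNewClient test, or add a dedicated check such as `assertEquals("offline_access", SystemScopeService.OFFLINE_ACCESS);`. The affected test methods begin outside their hunks.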
--- a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
@@ -37,6 +37,7 @@ import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
 import org.mitre.oauth2.repository.AuthenticationHolderRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mockito.InjectMocks;
 import org.mockito.Matchers;
 import org.mockito.Mock;
@@ -191,7 +192,7 @@ public class TestDefaultOAuth2ProviderTokenService {
 @Test
 public void createAccessToken_yesRefresh() {
- OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true, Sets.newHashSet("offline_access"), null, null, null, null);
+ OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true, Sets.newHashSet(SystemScopeService.OFFLINE_ACCESS), null, null, null, null);
 Mockito.when(authentication.getOAuth2Request()).thenReturn(clientAuth);
 Mockito.when(client.isAllowRefresh()).thenReturn(true);