added scope filtering to protection api
Justin Richer
parent
b635a2bc88
commit
f123366069
|
|
@ -26,6 +26,7 @@ import static org.mitre.util.JsonUtils.getAsStringSet;
|
|||
|
||||
import java.util.Set;
|
||||
|
||||
import org.mitre.oauth2.model.SystemScope;
|
||||
import org.mitre.oauth2.service.SystemScopeService;
|
||||
import org.mitre.openid.connect.view.JsonEntityView;
|
||||
import org.mitre.openid.connect.view.JsonErrorView;
|
||||
|
|
@ -71,6 +72,9 @@ public class PermissionRegistrationEndpoint {
|
|||
|
||||
@Autowired
|
||||
private ResourceSetService resourceSetService;
|
||||
|
||||
@Autowired
|
||||
private SystemScopeService scopeService;
|
||||
|
||||
@Autowired
|
||||
private WebResponseExceptionTranslator providerExceptionHandler;
|
||||
|
|
@ -100,6 +104,11 @@ public class PermissionRegistrationEndpoint {
|
|||
return JsonErrorView.VIEWNAME;
|
||||
}
|
||||
|
||||
// trim any restricted scopes
|
||||
Set<SystemScope> scopesRequested = scopeService.fromStrings(scopes);
|
||||
scopesRequested = scopeService.removeRestrictedAndReservedScopes(scopesRequested);
|
||||
scopes = scopeService.toStrings(scopesRequested);
|
||||
|
||||
ResourceSet resourceSet = resourceSetService.getById(rsid);
|
||||
|
||||
// requested resource set doesn't exist
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ import java.util.Collections;
|
|||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.mitre.oauth2.model.SystemScope;
|
||||
import org.mitre.oauth2.service.SystemScopeService;
|
||||
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
|
||||
import org.mitre.openid.connect.view.HttpCodeView;
|
||||
|
|
@ -52,7 +53,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
|
|||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
import com.google.common.collect.ImmutableSet;
|
||||
import com.google.common.collect.Sets;
|
||||
import com.google.gson.JsonElement;
|
||||
import com.google.gson.JsonObject;
|
||||
import com.google.gson.JsonParseException;
|
||||
|
|
@ -78,6 +79,8 @@ public class ResourceSetRegistrationEndpoint {
|
|||
@Autowired
|
||||
private ConfigurationPropertiesBean config;
|
||||
|
||||
@Autowired
|
||||
private SystemScopeService scopeService;
|
||||
|
||||
@Autowired
|
||||
private WebResponseExceptionTranslator providerExceptionHandler;
|
||||
|
|
@ -91,8 +94,17 @@ public class ResourceSetRegistrationEndpoint {
|
|||
|
||||
ResourceSet rs = parseResourceSet(jsonString);
|
||||
|
||||
if (rs == null // there was no resource set in the body
|
||||
|| Strings.isNullOrEmpty(rs.getName()) // there was no name (required)
|
||||
if (rs == null) { // there was no resource set in the body
|
||||
logger.warn("Resource set registration missing body.");
|
||||
|
||||
m.addAttribute("code", HttpStatus.BAD_REQUEST);
|
||||
m.addAttribute("error_description", "Resource request was missing body.");
|
||||
return JsonErrorView.VIEWNAME;
|
||||
}
|
||||
|
||||
rs = validateScopes(rs);
|
||||
|
||||
if (Strings.isNullOrEmpty(rs.getName()) // there was no name (required)
|
||||
|| rs.getScopes() == null // there were no scopes (required)
|
||||
) {
|
||||
|
||||
|
|
@ -132,6 +144,8 @@ public class ResourceSetRegistrationEndpoint {
|
|||
return JsonErrorView.VIEWNAME;
|
||||
} else {
|
||||
|
||||
rs = validateScopes(rs);
|
||||
|
||||
if (!auth.getName().equals(rs.getOwner())) {
|
||||
|
||||
logger.warn("Unauthorized resource set request from wrong user; expected " + rs.getOwner() + " got " + auth.getName());
|
||||
|
|
@ -278,6 +292,29 @@ public class ResourceSetRegistrationEndpoint {
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
*
|
||||
* Make sure the resource set doesn't have any restricted or reserved scopes.
|
||||
*
|
||||
* @param rs
|
||||
*/
|
||||
private ResourceSet validateScopes(ResourceSet rs) {
|
||||
// scopes that the client is asking for
|
||||
Set<SystemScope> requestedScopes = scopeService.fromStrings(rs.getScopes());
|
||||
|
||||
// the scopes that the client can have must be a subset of the dynamically allowed scopes
|
||||
Set<SystemScope> allowedScopes = scopeService.removeRestrictedAndReservedScopes(requestedScopes);
|
||||
|
||||
// if the client didn't ask for any, give them the defaults
|
||||
if (allowedScopes == null || allowedScopes.isEmpty()) {
|
||||
allowedScopes = scopeService.getDefaults();
|
||||
}
|
||||
|
||||
rs.setScopes(scopeService.toStrings(allowedScopes));
|
||||
|
||||
return rs;
|
||||
}
|
||||
|
||||
@ExceptionHandler(OAuth2Exception.class)
|
||||
public ResponseEntity<OAuth2Exception> handleException(Exception e) throws Exception {
|
||||
logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
|
||||
|
|
|
|||
Loading…
Reference in New Issue