From f1233660697ff2487328672194fb09d95ec3130f Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Tue, 17 Mar 2015 19:42:47 -0400 Subject: [PATCH] added scope filtering to protection api --- .../web/PermissionRegistrationEndpoint.java | 9 ++++ .../web/ResourceSetRegistrationEndpoint.java | 43 +++++++++++++++++-- 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/openid-connect-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java index bab1ccdd0..6f4c5b083 100644 --- a/openid-connect-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java @@ -26,6 +26,7 @@ import static org.mitre.util.JsonUtils.getAsStringSet; import java.util.Set; +import org.mitre.oauth2.model.SystemScope; import org.mitre.oauth2.service.SystemScopeService; import org.mitre.openid.connect.view.JsonEntityView; import org.mitre.openid.connect.view.JsonErrorView; @@ -71,6 +72,9 @@ public class PermissionRegistrationEndpoint { @Autowired private ResourceSetService resourceSetService; + + @Autowired + private SystemScopeService scopeService; @Autowired private WebResponseExceptionTranslator providerExceptionHandler; @@ -100,6 +104,11 @@ public class PermissionRegistrationEndpoint { return JsonErrorView.VIEWNAME; } + // trim any restricted scopes + Set scopesRequested = scopeService.fromStrings(scopes); + scopesRequested = scopeService.removeRestrictedAndReservedScopes(scopesRequested); + scopes = scopeService.toStrings(scopesRequested); + ResourceSet resourceSet = resourceSetService.getById(rsid); // requested resource set doesn't exist diff --git a/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java index cc43ccf1f..23069799e 100644 
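Review bot: After `removeRestrictedAndReservedScopes` the rewritten `scopes` set can be empty whenever every requested scope was restricted or reserved, and nothing in the hunk re-checks it before the code goes on to look up the resource set; the only rejection visible, the `return JsonErrorView.VIEWNAME;` branch just above the new lines, runs before the trimming. Either reject once the set is empty, `if (scopes.isEmpty()) { m.addAttribute("code", HttpStatus.BAD_REQUEST); return JsonErrorView.VIEWNAME; }`, or fail closed when any requested scope was removed instead of silently narrowing the permission the resource server asked for. Silently dropping scopes also deserves a `logger.warn` naming what was stripped, so the caller can tell its ticket does not cover what it requested. The enclosing method begins and ends outside this hunk, and the generic type arguments look stripped in this copy of the patch (`Set scopesRequested` is presumably `Set<SystemScope>`).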
--- a/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java @@ -22,6 +22,7 @@ import java.util.Collections; import java.util.HashSet; import java.util.Set; +import org.mitre.oauth2.model.SystemScope; import org.mitre.oauth2.service.SystemScopeService; import org.mitre.openid.connect.config.ConfigurationPropertiesBean; import org.mitre.openid.connect.view.HttpCodeView; @@ -52,7 +53,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import com.google.common.base.Strings; -import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Sets; import com.google.gson.JsonElement; import com.google.gson.JsonObject; import com.google.gson.JsonParseException; @@ -78,6 +79,8 @@ public class ResourceSetRegistrationEndpoint { @Autowired private ConfigurationPropertiesBean config; + @Autowired + private SystemScopeService scopeService; @Autowired private WebResponseExceptionTranslator providerExceptionHandler; @@ -91,8 +94,17 @@ public class ResourceSetRegistrationEndpoint { ResourceSet rs = parseResourceSet(jsonString); - if (rs == null // there was no resource set in the body - || Strings.isNullOrEmpty(rs.getName()) // there was no name (required) + if (rs == null) { // there was no resource set in the body + logger.warn("Resource set registration missing body."); + + m.addAttribute("code", HttpStatus.BAD_REQUEST); + m.addAttribute("error_description", "Resource request was missing body."); + return JsonErrorView.VIEWNAME; + } + + rs = validateScopes(rs); + + if (Strings.isNullOrEmpty(rs.getName()) // there was no name (required) || rs.getScopes() == null // there were no scopes (required) ) { 
@@ -132,6 +144,8 @@ public class ResourceSetRegistrationEndpoint { return JsonErrorView.VIEWNAME; } else { + rs = validateScopes(rs); + if (!auth.getName().equals(rs.getOwner())) { logger.warn("Unauthorized resource set request from wrong user; expected " + rs.getOwner() + " got " + auth.getName()); @@ -278,6 +292,29 @@ public class ResourceSetRegistrationEndpoint { } + /** + * + * Make sure the resource set doesn't have any restricted or reserved scopes. + * + * @param rs + */ + private ResourceSet validateScopes(ResourceSet rs) { + // scopes that the client is asking for + Set requestedScopes = scopeService.fromStrings(rs.getScopes()); + + // the scopes that the client can have must be a subset of the dynamically allowed scopes + Set allowedScopes = scopeService.removeRestrictedAndReservedScopes(requestedScopes); + + // if the client didn't ask for any, give them the defaults + if (allowedScopes == null || allowedScopes.isEmpty()) { + allowedScopes = scopeService.getDefaults(); + } + + rs.setScopes(scopeService.toStrings(allowedScopes)); + + return rs; + } + @ExceptionHandler(OAuth2Exception.class) public ResponseEntity handleException(Exception e) throws Exception { logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
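Review bot: `validateScopes` substitutes `scopeService.getDefaults()` whenever the filtered set is empty, so a resource set that listed only restricted or reserved scopes is silently registered with the server's default scopes instead of being rejected; the comment says "if the client didn't ask for any", but the branch also fires when everything the client asked for was stripped out. Those defaults are system OAuth scopes, which is presumably not what a UMA resource server meant when it described its own resources, and once they are substituted the `rs.getScopes() == null` check in the earlier hunk can no longer trigger. Keep the two cases apart by deciding on the original request rather than the filtered result: `boolean askedForNone = rs.getScopes() == null || rs.getScopes().isEmpty();` and then `if (askedForNone) { allowedScopes = scopeService.getDefaults(); }`, leaving a fully-stripped request empty so the caller can reject it. The method also passes `rs.getScopes()` straight into `fromStrings` with no null guard; confirm that `fromStrings` tolerates null, since both callers run this before their own null-scope checks.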