github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

added scope filtering to protection api

pull/708/merge
Justin Richer 2015-03-17 19:42:47 -04:00
parent b635a2bc88
commit f123366069
2 changed files with 49 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
openid-connect-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java
View File

@ -26,6 +26,7 @@ import static org.mitre.util.JsonUtils.getAsStringSet;
import java.util.Set; import java.util.Set;
import org.mitre.oauth2.model.SystemScope;
import org.mitre.oauth2.service.SystemScopeService; import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.view.JsonEntityView; import org.mitre.openid.connect.view.JsonEntityView;
import org.mitre.openid.connect.view.JsonErrorView; import org.mitre.openid.connect.view.JsonErrorView;
@ -72,6 +73,9 @@ public class PermissionRegistrationEndpoint {
@Autowired @Autowired
private ResourceSetService resourceSetService; private ResourceSetService resourceSetService;
@Autowired
private SystemScopeService scopeService;
@Autowired @Autowired
private WebResponseExceptionTranslator providerExceptionHandler; private WebResponseExceptionTranslator providerExceptionHandler;
@ -100,6 +104,11 @@ public class PermissionRegistrationEndpoint {
return JsonErrorView.VIEWNAME; return JsonErrorView.VIEWNAME;
} }
// trim any restricted scopes
Set<SystemScope> scopesRequested = scopeService.fromStrings(scopes);
scopesRequested = scopeService.removeRestrictedAndReservedScopes(scopesRequested);
scopes = scopeService.toStrings(scopesRequested);
ResourceSet resourceSet = resourceSetService.getById(rsid); ResourceSet resourceSet = resourceSetService.getById(rsid);
// requested resource set doesn't exist // requested resource set doesn't exist

43
openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
View File

@ -22,6 +22,7 @@ import java.util.Collections;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import org.mitre.oauth2.model.SystemScope;
import org.mitre.oauth2.service.SystemScopeService; import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean; import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.view.HttpCodeView; import org.mitre.openid.connect.view.HttpCodeView;
@ -52,7 +53,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet; import com.google.common.collect.Sets;
import com.google.gson.JsonElement; import com.google.gson.JsonElement;
import com.google.gson.JsonObject; import com.google.gson.JsonObject;
import com.google.gson.JsonParseException; import com.google.gson.JsonParseException;
@ -78,6 +79,8 @@ public class ResourceSetRegistrationEndpoint {
@Autowired @Autowired
private ConfigurationPropertiesBean config; private ConfigurationPropertiesBean config;
@Autowired
private SystemScopeService scopeService;
@Autowired @Autowired
private WebResponseExceptionTranslator providerExceptionHandler; private WebResponseExceptionTranslator providerExceptionHandler;
@ -91,8 +94,17 @@ public class ResourceSetRegistrationEndpoint {
ResourceSet rs = parseResourceSet(jsonString); ResourceSet rs = parseResourceSet(jsonString);
if (rs == null // there was no resource set in the body if (rs == null) { // there was no resource set in the body
|| Strings.isNullOrEmpty(rs.getName()) // there was no name (required) logger.warn("Resource set registration missing body.");
m.addAttribute("code", HttpStatus.BAD_REQUEST);
m.addAttribute("error_description", "Resource request was missing body.");
return JsonErrorView.VIEWNAME;
}
rs = validateScopes(rs);
if (Strings.isNullOrEmpty(rs.getName()) // there was no name (required)
|| rs.getScopes() == null // there were no scopes (required) || rs.getScopes() == null // there were no scopes (required)
) { ) {
@ -132,6 +144,8 @@ public class ResourceSetRegistrationEndpoint {
return JsonErrorView.VIEWNAME; return JsonErrorView.VIEWNAME;
} else { } else {
rs = validateScopes(rs);
if (!auth.getName().equals(rs.getOwner())) { if (!auth.getName().equals(rs.getOwner())) {
logger.warn("Unauthorized resource set request from wrong user; expected " + rs.getOwner() + " got " + auth.getName()); logger.warn("Unauthorized resource set request from wrong user; expected " + rs.getOwner() + " got " + auth.getName());
@ -278,6 +292,29 @@ public class ResourceSetRegistrationEndpoint {
} }
/**
*
* Make sure the resource set doesn't have any restricted or reserved scopes.
*
* @param rs
*/
private ResourceSet validateScopes(ResourceSet rs) {
// scopes that the client is asking for
Set<SystemScope> requestedScopes = scopeService.fromStrings(rs.getScopes());
// the scopes that the client can have must be a subset of the dynamically allowed scopes
Set<SystemScope> allowedScopes = scopeService.removeRestrictedAndReservedScopes(requestedScopes);
// if the client didn't ask for any, give them the defaults
if (allowedScopes == null || allowedScopes.isEmpty()) {
allowedScopes = scopeService.getDefaults();
}
rs.setScopes(scopeService.toStrings(allowedScopes));
return rs;
}
@ExceptionHandler(OAuth2Exception.class) @ExceptionHandler(OAuth2Exception.class)
public ResponseEntity<OAuth2Exception> handleException(Exception e) throws Exception { public ResponseEntity<OAuth2Exception> handleException(Exception e) throws Exception {
logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage()); logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());