From f9637909434a5cd3101bffb2515aa99e49763642 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dominik=20Franti=C5=A1ek=20Bu=C4=8D=C3=ADk?=
Date: Fri, 29 May 2020 10:36:52 +0200
Subject: [PATCH] Removed unnecessary modules
---
openid-connect-client/.gitignore | 12 -
openid-connect-client/README.md | 12 -
openid-connect-client/pom.xml | 76 --
.../src/META-INF/MANIFEST.MF | 3 -
.../IntrospectingTokenService.java | 392 --------
.../OAuth2AccessTokenImpl.java | 117 ---
.../IntrospectionAuthorityGranter.java | 37 -
.../IntrospectionConfigurationService.java | 47 -
...singIntrospectionConfigurationService.java | 132 ---
...eBasedIntrospectionAuthoritiesGranter.java | 71 --
.../SimpleIntrospectionAuthorityGranter.java | 64 --
...aticIntrospectionConfigurationService.java | 83 --
.../AuthorizationEndpointException.java | 56 --
.../client/NamedAdminAuthoritiesMapper.java | 92 --
.../client/OIDCAuthenticationFilter.java | 902 ------------------
.../client/OIDCAuthenticationProvider.java | 128 ---
.../connect/client/OIDCAuthoritiesMapper.java | 39 -
.../StaticPrefixTargetLinkURIChecker.java | 48 -
.../client/SubjectIssuerGrantedAuthority.java | 125 ---
.../connect/client/TargetLinkURIChecker.java | 28 -
.../connect/client/UserInfoFetcher.java | 157 ---
.../keypublisher/ClientKeyPublisher.java | 130 ---
.../ClientKeyPublisherMapping.java | 82 --
.../client/keypublisher/JwkViewResolver.java | 103 --
.../client/model/IssuerServiceResponse.java | 110 ---
.../service/AuthRequestOptionsService.java | 61 --
.../client/service/AuthRequestUrlBuilder.java | 47 -
.../service/ClientConfigurationService.java | 34 -
.../connect/client/service/IssuerService.java | 38 -
.../service/RegisteredClientService.java | 48 -
.../service/ServerConfigurationService.java | 33 -
...egistrationClientConfigurationService.java | 247 -----
.../DynamicServerConfigurationService.java | 215 -----
.../impl/EncryptedAuthRequestUrlBuilder.java | 147 ---
.../HybridClientConfigurationService.java | 143 ---
.../service/impl/HybridIssuerService.java | 124 ---
.../HybridServerConfigurationService.java | 115 --- .../impl/InMemoryRegisteredClientService.java | 53 - .../impl/JsonFileRegisteredClientService.java | 143 --- .../impl/PlainAuthRequestUrlBuilder.java | 84 -- .../impl/SignedAuthRequestUrlBuilder.java | 116 --- .../impl/StaticAuthRequestOptionsService.java | 88 -- .../StaticClientConfigurationService.java | 77 -- .../StaticServerConfigurationService.java | 71 -- .../impl/StaticSingleIssuerService.java | 72 -- .../service/impl/ThirdPartyIssuerService.java | 139 --- .../service/impl/WebfingerIssuerService.java | 305 ------ .../TestOAuth2AccessTokenImpl.java | 106 -- ...eBasedIntrospectionAuthoritiesGranter.java | 84 -- .../client/TestOIDCAuthenticationFilter.java | 61 -- .../TestHybridClientConfigurationService.java | 117 --- .../TestHybridServerConfigurationService.java | 108 --- .../impl/TestPlainAuthRequestUrlBuilder.java | 108 --- .../impl/TestSignedAuthRequestUrlBuilder.java | 204 ---- .../TestStaticClientConfigurationService.java | 90 -- .../TestStaticServerConfigurationService.java | 83 -- .../impl/TestThirdPartyIssuerService.java | 130 --- .../src/test/resources/jwk/jwk | 8 - .../src/test/resources/jwk/jwkEncrypted | 8 - .../src/test/resources/test-context.xml | 57 -- .../src/test/resources/x509/x509 | 15 - .../src/test/resources/x509/x509Encrypted | 15 - openid-connect-common/.gitignore | 12 - openid-connect-common/pom.xml | 132 --- .../src/META-INF/MANIFEST.MF | 3 - .../data/AbstractPageOperationTemplate.java | 0 .../org/mitre/data/DefaultPageCriteria.java | 0 .../java/org/mitre/data/PageCriteria.java | 0 .../util/WebfingerURLNormalizer.java | 0 .../mitre/jose/keystore/JWKSetKeyStore.java | 0 .../assertion/AbstractAssertionValidator.java | 0 .../jwt/assertion/AssertionValidator.java | 0 .../impl/NullAssertionValidator.java | 0 .../impl/SelfAssertionValidator.java | 0 .../WhitelistedIssuerAssertionValidator.java | 0 .../JWTEncryptionAndDecryptionService.java | 0 ...aultJWTEncryptionAndDecryptionService.java 
| 0 .../JWTSigningAndValidationService.java | 0 .../service/impl/ClientKeyCacheService.java | 0 ...DefaultJWTSigningAndValidationService.java | 0 .../service/impl/JWKSetCacheService.java | 0 .../SymmetricKeyJWTValidatorCacheService.java | 0 .../DeviceCodeCreationException.java | 0 .../model/AuthenticationHolderEntity.java | 0 .../oauth2/model/AuthorizationCodeEntity.java | 0 .../oauth2/model/ClientDetailsEntity.java | 0 .../org/mitre/oauth2/model/DeviceCode.java | 0 .../oauth2/model/OAuth2AccessTokenEntity.java | 0 .../model/OAuth2RefreshTokenEntity.java | 0 .../org/mitre/oauth2/model/PKCEAlgorithm.java | 0 .../mitre/oauth2/model/RegisteredClient.java | 0 .../oauth2/model/RegisteredClientFields.java | 0 .../oauth2/model/SavedUserAuthentication.java | 0 .../org/mitre/oauth2/model/SystemScope.java | 0 .../convert/JWEAlgorithmStringConverter.java | 0 .../JWEEncryptionMethodStringConverter.java | 0 .../model/convert/JWKSetStringConverter.java | 0 .../convert/JWSAlgorithmStringConverter.java | 0 .../model/convert/JWTStringConverter.java | 0 .../convert/JsonElementStringConverter.java | 0 .../convert/PKCEAlgorithmStringConverter.java | 0 .../convert/SerializableStringConverter.java | 0 ...SimpleGrantedAuthorityStringConverter.java | 0 .../AuthenticationHolderRepository.java | 0 .../AuthorizationCodeRepository.java | 0 .../repository/OAuth2ClientRepository.java | 0 .../repository/OAuth2TokenRepository.java | 0 .../repository/SystemScopeRepository.java | 0 .../repository/impl/DeviceCodeRepository.java | 0 .../service/ClientDetailsEntityService.java | 0 .../oauth2/service/DeviceCodeService.java | 0 .../service/IntrospectionResultAssembler.java | 0 .../service/OAuth2TokenEntityService.java | 0 .../oauth2/service/SystemScopeService.java | 0 .../impl/DefaultClientUserDetailsService.java | 0 .../oauth2/service/impl/ServiceUtils.java | 0 .../UriEncodedClientUserDetailsService.java | 0 .../ClientDetailsEntityJsonProcessor.java | 0 .../ConfigurationBeanLocaleResolver.java | 0 
.../config/ConfigurationPropertiesBean.java | 0 .../openid/connect/config/JWKSetEditor.java | 0 .../connect/config/ServerConfiguration.java | 0 .../connect/config/UIConfiguration.java | 0 .../mitre/openid/connect/model/Address.java | 0 .../openid/connect/model/ApprovedSite.java | 0 .../openid/connect/model/BlacklistedSite.java | 0 .../openid/connect/model/CachedImage.java | 0 .../openid/connect/model/ClientStat.java | 0 .../openid/connect/model/DefaultAddress.java | 0 .../openid/connect/model/DefaultUserInfo.java | 0 .../model/OIDCAuthenticationToken.java | 0 .../connect/model/PairwiseIdentifier.java | 0 .../model/PendingOIDCAuthenticationToken.java | 0 .../mitre/openid/connect/model/UserInfo.java | 0 .../openid/connect/model/WhitelistedSite.java | 0 .../convert/JsonObjectStringConverter.java | 0 .../connect/repository/AddressRepository.java | 0 .../repository/ApprovedSiteRepository.java | 0 .../repository/BlacklistedSiteRepository.java | 0 .../PairwiseIdentifierRepository.java | 0 .../repository/UserInfoRepository.java | 0 .../repository/WhitelistedSiteRepository.java | 0 .../connect/service/ApprovedSiteService.java | 0 .../service/BlacklistedSiteService.java | 0 .../service/ClientLogoLoadingService.java | 0 .../connect/service/LoginHintExtracter.java | 0 .../connect/service/MITREidDataService.java | 0 .../service/MITREidDataServiceExtension.java | 0 .../service/MITREidDataServiceMaps.java | 0 .../connect/service/OIDCTokenService.java | 0 .../service/PairwiseIdentiferService.java | 0 .../service/ScopeClaimTranslationService.java | 0 .../openid/connect/service/StatsService.java | 0 .../connect/service/UserInfoService.java | 0 .../service/WhitelistedSiteService.java | 0 .../mitre/openid/connect/view/JWKSetView.java | 0 .../connect/web/UserInfoInterceptor.java | 0 .../main/java/org/mitre/uma/model/Claim.java | 0 .../uma/model/ClaimProcessingResult.java | 0 .../java/org/mitre/uma/model/Permission.java | 0 .../org/mitre/uma/model/PermissionTicket.java | 0 
.../main/java/org/mitre/uma/model/Policy.java | 0 .../java/org/mitre/uma/model/ResourceSet.java | 0 .../uma/model/SavedRegisteredClient.java | 0 .../RegisteredClientStringConverter.java | 0 .../uma/repository/PermissionRepository.java | 0 .../uma/repository/ResourceSetRepository.java | 0 .../uma/service/ClaimsProcessingService.java | 0 .../mitre/uma/service/PermissionService.java | 0 .../mitre/uma/service/ResourceSetService.java | 0 .../service/SavedRegisteredClientService.java | 0 .../mitre/uma/service/UmaTokenService.java | 0 .../main/java/org/mitre/util/JsonUtils.java | 0 .../main/java/org/mitre/util/jpa/JpaUtil.java | 0 .../AbstractPageOperationTemplateTest.java | 0 .../util/TestWebfingerURLNormalizer.java | 0 .../org/mitre/jose/TestJWKSetKeyStore.java | 0 ...aultJWTEncryptionAndDecryptionService.java | 0 .../oauth2/model/ClientDetailsEntityTest.java | 0 .../oauth2/model/RegisteredClientTest.java | 0 .../ClientDetailsEntityJsonProcessorTest.java | 0 .../ConfigurationPropertiesBeanTest.java | 0 .../config/ServerConfigurationTest.java | 0 pom.xml | 4 - uma-server-webapp/pom.xml | 97 -- .../src/main/resources/db/hsql/clients.sql | 77 -- .../src/main/resources/db/hsql/scopes.sql | 35 - .../src/main/resources/db/mysql/clients.sql | 69 -- .../src/main/resources/db/mysql/scopes.sql | 33 - .../resources/db/oracle/clients_oracle.sql | 61 -- .../resources/db/oracle/scopes_oracle.sql | 31 - .../src/main/resources/db/psql/clients.sql | 74 -- .../src/main/resources/db/psql/scopes.sql | 33 - .../main/webapp/WEB-INF/endpoint-config.xml | 53 - .../src/main/webapp/WEB-INF/server-config.xml | 68 -- .../main/webapp/WEB-INF/tags/actionmenu.tag | 21 - .../src/main/webapp/WEB-INF/ui-config.xml | 52 - .../src/main/webapp/WEB-INF/user-context.xml | 142 --- .../webapp/WEB-INF/views/external_login.jsp | 42 - .../webapp/resources/js/locale/en/uma.json | 59 -- .../webapp/resources/js/locale/zh/uma.json | 59 -- .../webapp/resources/js/locale/zh_CN/uma.json | 59 -- 
.../webapp/resources/js/locale/zh_TW/uma.json | 59 -- .../src/main/webapp/resources/js/policy.js | 786 --------------- .../webapp/resources/template/policy.html | 255 ----- uma-server/pom.xml | 50 - .../impl/JpaPermissionRepository.java | 107 --- .../impl/JpaResourceSetRepository.java | 97 -- .../impl/DefaultPermissionService.java | 96 -- .../impl/DefaultResourceSetService.java | 149 --- .../service/impl/DefaultUmaTokenService.java | 120 --- .../impl/JpaRegisteredClientService.java | 95 -- .../impl/MatchAllClaimsOnAnyPolicy.java | 89 -- .../impl/UmaDataServiceExtension_1_3.java | 715 -------------- .../util/ExternalLoginAuthoritiesMapper.java | 45 - .../ResourceSetEntityAbbreviatedView.java | 119 --- .../mitre/uma/view/ResourceSetEntityView.java | 121 --- .../uma/web/AuthorizationRequestEndpoint.java | 202 ---- .../uma/web/ClaimsCollectionEndpoint.java | 152 --- .../web/PermissionRegistrationEndpoint.java | 155 --- .../java/org/mitre/uma/web/PolicyAPI.java | 391 -------- .../web/ResourceSetRegistrationEndpoint.java | 317 ------ .../mitre/uma/web/UmaDiscoveryEndpoint.java | 79 -- .../mitre/uma/web/UserClaimSearchHelper.java | 117 --- .../impl/TestDefaultPermissionService.java | 173 ---- .../impl/TestDefaultResourceSetService.java | 101 -- 226 files changed, 12446 deletions(-) delete mode 100644 openid-connect-client/.gitignore delete mode 100644 openid-connect-client/README.md delete mode 100644 openid-connect-client/pom.xml delete mode 100644 openid-connect-client/src/META-INF/MANIFEST.MF delete mode 100644 openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/OAuth2AccessTokenImpl.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionAuthorityGranter.java delete mode 100644 
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/JWTParsingIntrospectionConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/ScopeBasedIntrospectionAuthoritiesGranter.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/SimpleIntrospectionAuthorityGranter.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/StaticIntrospectionConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/AuthorizationEndpointException.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/NamedAdminAuthoritiesMapper.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationProvider.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthoritiesMapper.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/SubjectIssuerGrantedAuthority.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/UserInfoFetcher.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisher.java delete mode 100644 
openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisherMapping.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/JwkViewResolver.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/model/IssuerServiceResponse.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestOptionsService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestUrlBuilder.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ClientConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/IssuerService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/RegisteredClientService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ServerConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridIssuerService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java delete mode 100644 
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/InMemoryRegisteredClientService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/JsonFileRegisteredClientService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticAuthRequestOptionsService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticClientConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticServerConfigurationService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticSingleIssuerService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java delete mode 100644 openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/TestOAuth2AccessTokenImpl.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/service/impl/TestScopeBasedIntrospectionAuthoritiesGranter.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/openid/connect/client/TestOIDCAuthenticationFilter.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridClientConfigurationService.java delete mode 100644 
openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridServerConfigurationService.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticClientConfigurationService.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticServerConfigurationService.java delete mode 100644 openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestThirdPartyIssuerService.java delete mode 100644 openid-connect-client/src/test/resources/jwk/jwk delete mode 100644 openid-connect-client/src/test/resources/jwk/jwkEncrypted delete mode 100644 openid-connect-client/src/test/resources/test-context.xml delete mode 100644 openid-connect-client/src/test/resources/x509/x509 delete mode 100644 openid-connect-client/src/test/resources/x509/x509Encrypted delete mode 100644 openid-connect-common/.gitignore delete mode 100644 openid-connect-common/pom.xml delete mode 100644 openid-connect-common/src/META-INF/MANIFEST.MF rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/data/AbstractPageOperationTemplate.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/data/DefaultPageCriteria.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/data/PageCriteria.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/discovery/util/WebfingerURLNormalizer.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jose/keystore/JWKSetKeyStore.java (100%) rename {openid-connect-common => 
openid-connect-server}/src/main/java/org/mitre/jwt/assertion/AbstractAssertionValidator.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/assertion/AssertionValidator.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/assertion/impl/NullAssertionValidator.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/assertion/impl/SelfAssertionValidator.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/assertion/impl/WhitelistedIssuerAssertionValidator.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/encryption/service/JWTEncryptionAndDecryptionService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/encryption/service/impl/DefaultJWTEncryptionAndDecryptionService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/signer/service/JWTSigningAndValidationService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/signer/service/impl/ClientKeyCacheService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricKeyJWTValidatorCacheService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java (100%) rename {openid-connect-common => 
openid-connect-server}/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/DeviceCode.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/RegisteredClient.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/SystemScope.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java (100%) rename {openid-connect-common => 
openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/SerializableStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/model/convert/SimpleGrantedAuthorityStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/repository/AuthenticationHolderRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/repository/AuthorizationCodeRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/repository/OAuth2ClientRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/repository/SystemScopeRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/repository/impl/DeviceCodeRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/service/ClientDetailsEntityService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/service/DeviceCodeService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/service/IntrospectionResultAssembler.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/service/SystemScopeService.java 
(100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/service/impl/ServiceUtils.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessor.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/config/ConfigurationBeanLocaleResolver.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/config/JWKSetEditor.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/config/UIConfiguration.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/Address.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/ApprovedSite.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/BlacklistedSite.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/CachedImage.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/ClientStat.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/DefaultAddress.java (100%) 
rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/DefaultUserInfo.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/OIDCAuthenticationToken.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/PairwiseIdentifier.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/PendingOIDCAuthenticationToken.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/UserInfo.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/WhitelistedSite.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/model/convert/JsonObjectStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/repository/AddressRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/repository/ApprovedSiteRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/repository/BlacklistedSiteRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/repository/PairwiseIdentifierRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/repository/UserInfoRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/repository/WhitelistedSiteRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/ApprovedSiteService.java (100%) rename {openid-connect-common => 
openid-connect-server}/src/main/java/org/mitre/openid/connect/service/BlacklistedSiteService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/LoginHintExtracter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/MITREidDataService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceExtension.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceMaps.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/OIDCTokenService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/PairwiseIdentiferService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/ScopeClaimTranslationService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/StatsService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/UserInfoService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/service/WhitelistedSiteService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/view/JWKSetView.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/model/Claim.java (100%) rename {openid-connect-common 
=> openid-connect-server}/src/main/java/org/mitre/uma/model/ClaimProcessingResult.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/model/Permission.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/model/PermissionTicket.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/model/Policy.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/model/ResourceSet.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/model/SavedRegisteredClient.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/model/convert/RegisteredClientStringConverter.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/repository/PermissionRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/service/PermissionService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/service/ResourceSetService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/service/SavedRegisteredClientService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/uma/service/UmaTokenService.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/util/JsonUtils.java (100%) rename {openid-connect-common => openid-connect-server}/src/main/java/org/mitre/util/jpa/JpaUtil.java (100%) rename {openid-connect-common => 
openid-connect-server}/src/test/java/org/mitre/data/AbstractPageOperationTemplateTest.java (100%) rename {openid-connect-common => openid-connect-server}/src/test/java/org/mitre/discovery/util/TestWebfingerURLNormalizer.java (100%) rename {openid-connect-common => openid-connect-server}/src/test/java/org/mitre/jose/TestJWKSetKeyStore.java (100%) rename {openid-connect-common => openid-connect-server}/src/test/java/org/mitre/jwt/encryption/service/impl/TestDefaultJWTEncryptionAndDecryptionService.java (100%) rename {openid-connect-common => openid-connect-server}/src/test/java/org/mitre/oauth2/model/ClientDetailsEntityTest.java (100%) rename {openid-connect-common => openid-connect-server}/src/test/java/org/mitre/oauth2/model/RegisteredClientTest.java (100%) rename {openid-connect-common => openid-connect-server}/src/test/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessorTest.java (100%) rename {openid-connect-common => openid-connect-server}/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java (100%) rename {openid-connect-common => openid-connect-server}/src/test/java/org/mitre/openid/connect/config/ServerConfigurationTest.java (100%) delete mode 100644 uma-server-webapp/pom.xml delete mode 100755 uma-server-webapp/src/main/resources/db/hsql/clients.sql delete mode 100755 uma-server-webapp/src/main/resources/db/hsql/scopes.sql delete mode 100755 uma-server-webapp/src/main/resources/db/mysql/clients.sql delete mode 100755 uma-server-webapp/src/main/resources/db/mysql/scopes.sql delete mode 100755 uma-server-webapp/src/main/resources/db/oracle/clients_oracle.sql delete mode 100755 uma-server-webapp/src/main/resources/db/oracle/scopes_oracle.sql delete mode 100755 uma-server-webapp/src/main/resources/db/psql/clients.sql delete mode 100755 uma-server-webapp/src/main/resources/db/psql/scopes.sql delete mode 100644 uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml delete mode 100644 
uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml delete mode 100644 uma-server-webapp/src/main/webapp/WEB-INF/tags/actionmenu.tag delete mode 100644 uma-server-webapp/src/main/webapp/WEB-INF/ui-config.xml delete mode 100644 uma-server-webapp/src/main/webapp/WEB-INF/user-context.xml delete mode 100644 uma-server-webapp/src/main/webapp/WEB-INF/views/external_login.jsp delete mode 100644 uma-server-webapp/src/main/webapp/resources/js/locale/en/uma.json delete mode 100644 uma-server-webapp/src/main/webapp/resources/js/locale/zh/uma.json delete mode 100644 uma-server-webapp/src/main/webapp/resources/js/locale/zh_CN/uma.json delete mode 100644 uma-server-webapp/src/main/webapp/resources/js/locale/zh_TW/uma.json delete mode 100644 uma-server-webapp/src/main/webapp/resources/js/policy.js delete mode 100644 uma-server-webapp/src/main/webapp/resources/template/policy.html delete mode 100644 uma-server/pom.xml delete mode 100644 uma-server/src/main/java/org/mitre/uma/repository/impl/JpaPermissionRepository.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/repository/impl/JpaResourceSetRepository.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/service/impl/DefaultResourceSetService.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/service/impl/JpaRegisteredClientService.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/service/impl/UmaDataServiceExtension_1_3.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/util/ExternalLoginAuthoritiesMapper.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/view/ResourceSetEntityAbbreviatedView.java delete mode 100644 
uma-server/src/main/java/org/mitre/uma/view/ResourceSetEntityView.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/web/PolicyAPI.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/web/UmaDiscoveryEndpoint.java delete mode 100644 uma-server/src/main/java/org/mitre/uma/web/UserClaimSearchHelper.java delete mode 100644 uma-server/src/test/java/org/mitre/uma/service/impl/TestDefaultPermissionService.java delete mode 100644 uma-server/src/test/java/org/mitre/uma/service/impl/TestDefaultResourceSetService.java
diff --git a/openid-connect-client/.gitignore b/openid-connect-client/.gitignore
deleted file mode 100644
index 016a3b8f8..000000000
--- a/openid-connect-client/.gitignore
+++ /dev/null
@@ -1,12 +0,0 @@
-local-values.conf
-target
-*~
-bin
-*.idea
-*.iml
-*.eml
-.project
-.settings
-.classpath
-/target
-.springBeans
diff --git a/openid-connect-client/README.md b/openid-connect-client/README.md
deleted file mode 100644
index 5bddcdb6e..000000000
--- a/openid-connect-client/README.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# OpenID Connect Client #
-
-## Overview ##
-
-This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter. The client facilitates a user's authentication into the secured application to an OpenID Connect Server following the OpenID Connect standard protocol.
-
-## Configuring ##
-
-For an example of the Client configuration, see the [Simple Web App](https://github.com/mitreid-connect/simple-web-app) project.
-
-Full documentation is available on the [project documentation wiki pages](https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Client-configuration).
-
diff --git a/openid-connect-client/pom.xml b/openid-connect-client/pom.xml
deleted file mode 100644
index b891d4e0e..000000000
--- a/openid-connect-client/pom.xml
+++ /dev/null
@@ -1,76 +0,0 @@ - - - - 4.0.0 - - openid-connect-parent - org.mitre - 1.3.4-SNAPSHOT - .. - - openid-connect-client - OpenID Connect Client filter for Spring Security - OpenID Connect Client - - - org.mitre - openid-connect-common - - - jar - - - - org.apache.maven.plugins - maven-compiler-plugin - - ${java-version} - ${java-version} - - - - - org.apache.maven.plugins - maven-source-plugin - - - attach-sources - - jar-no-fork - - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - - - attach-sources - - jar - - - - - - -
diff --git a/openid-connect-client/src/META-INF/MANIFEST.MF b/openid-connect-client/src/META-INF/MANIFEST.MF
deleted file mode 100644
index 5e9495128..000000000
--- a/openid-connect-client/src/META-INF/MANIFEST.MF
+++ /dev/null
@@ -1,3 +0,0 @@
-Manifest-Version: 1.0
-Class-Path:
-
diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
deleted file mode 100644
index b311a84d9..000000000
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
+++ /dev/null
@@ -1,392 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -package org.mitre.oauth2.introspectingfilter; - -import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC; - -import java.io.IOException; -import java.net.URI; -import java.util.Calendar; -import java.util.Date; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -import org.apache.http.client.HttpClient; -import org.apache.http.impl.client.HttpClientBuilder; -import org.mitre.oauth2.introspectingfilter.service.IntrospectionAuthorityGranter; -import org.mitre.oauth2.introspectingfilter.service.IntrospectionConfigurationService; -import org.mitre.oauth2.introspectingfilter.service.impl.SimpleIntrospectionAuthorityGranter; -import org.mitre.oauth2.model.RegisteredClient; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.http.HttpMethod; -import org.springframework.http.client.ClientHttpRequest; -import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; -import 
org.springframework.security.oauth2.common.OAuth2AccessToken; -import org.springframework.security.oauth2.common.util.OAuth2Utils; -import org.springframework.security.oauth2.provider.OAuth2Authentication; -import org.springframework.security.oauth2.provider.OAuth2Request; -import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices; -import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; -import org.springframework.util.LinkedMultiValueMap; -import org.springframework.util.MultiValueMap; -import org.springframework.web.client.RestClientException; -import org.springframework.web.client.RestTemplate; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.gson.JsonParser; -import com.nimbusds.jose.util.Base64; - -/** - * This ResourceServerTokenServices implementation introspects incoming tokens at a - * server's introspection endpoint URL and passes an Authentication object along - * based on the response from the introspection endpoint. 
- * @author jricher - * - */ -public class IntrospectingTokenService implements ResourceServerTokenServices { - - private IntrospectionConfigurationService introspectionConfigurationService; - private IntrospectionAuthorityGranter introspectionAuthorityGranter = new SimpleIntrospectionAuthorityGranter(); - - private int defaultExpireTime = 300000; // 5 minutes in milliseconds - private boolean forceCacheExpireTime = false; // force removal of cached tokens based on default expire time - private boolean cacheNonExpiringTokens = false; - private boolean cacheTokens = true; - - private HttpComponentsClientHttpRequestFactory factory; - - public IntrospectingTokenService() { - this(HttpClientBuilder.create().useSystemProperties().build()); - } - - public IntrospectingTokenService(HttpClient httpClient) { - this.factory = new HttpComponentsClientHttpRequestFactory(httpClient); - } - - // Inner class to store in the hash map - private class TokenCacheObject { - OAuth2AccessToken token; - OAuth2Authentication auth; - Date cacheExpire; - - private TokenCacheObject(OAuth2AccessToken token, OAuth2Authentication auth) { - this.token = token; - this.auth = auth; - - // we don't need to check the cacheTokens values, because this won't actually be added to the cache if cacheTokens is false - // if the token isn't null we use the token expire time - // if forceCacheExpireTime is also true, we also make sure that the token expire time is shorter than the default expire time - if ((this.token.getExpiration() != null) && (!forceCacheExpireTime || (forceCacheExpireTime && (this.token.getExpiration().getTime() - System.currentTimeMillis() <= defaultExpireTime)))) { - this.cacheExpire = this.token.getExpiration(); - } else { // if the token doesn't have an expire time, or if the using forceCacheExpireTime the token expire time is longer than the default, then use the default expire time - Calendar cal = Calendar.getInstance(); - cal.add(Calendar.MILLISECOND, defaultExpireTime); - 
this.cacheExpire = cal.getTime(); - } - } - } - - private Map authCache = new HashMap<>(); - /** - * Logger for this class - */ - private static final Logger logger = LoggerFactory.getLogger(IntrospectingTokenService.class); - - /** - * @return the introspectionConfigurationService - */ - public IntrospectionConfigurationService getIntrospectionConfigurationService() { - return introspectionConfigurationService; - } - - /** - * @param introspectionConfigurationService the introspectionConfigurationService to set - */ - public void setIntrospectionConfigurationService(IntrospectionConfigurationService introspectionUrlProvider) { - this.introspectionConfigurationService = introspectionUrlProvider; - } - - /** - * @param introspectionAuthorityGranter the introspectionAuthorityGranter to set - */ - public void setIntrospectionAuthorityGranter(IntrospectionAuthorityGranter introspectionAuthorityGranter) { - this.introspectionAuthorityGranter = introspectionAuthorityGranter; - } - - /** - * @return the introspectionAuthorityGranter - */ - public IntrospectionAuthorityGranter getIntrospectionAuthorityGranter() { - return introspectionAuthorityGranter; - } - - /** - * get the default cache expire time in milliseconds - * @return - */ - public int getDefaultExpireTime() { - return defaultExpireTime; - } - - /** - * set the default cache expire time in milliseconds - * @param defaultExpireTime - */ - public void setDefaultExpireTime(int defaultExpireTime) { - this.defaultExpireTime = defaultExpireTime; - } - - /** - * check if forcing a cache expire time maximum value - * @return the forceCacheExpireTime setting - */ - public boolean isForceCacheExpireTime() { - return forceCacheExpireTime; - } - - /** - * set forcing a cache expire time maximum value - * @param forceCacheExpireTime - */ - public void setForceCacheExpireTime(boolean forceCacheExpireTime) { - this.forceCacheExpireTime = forceCacheExpireTime; - } - - /** - * Are non-expiring tokens cached using the default 
cache time - * @return state of cacheNonExpiringTokens - */ - public boolean isCacheNonExpiringTokens() { - return cacheNonExpiringTokens; - } - - /** - * should non-expiring tokens be cached using the default cache timeout - * @param cacheNonExpiringTokens - */ - public void setCacheNonExpiringTokens(boolean cacheNonExpiringTokens) { - this.cacheNonExpiringTokens = cacheNonExpiringTokens; - } - - /** - * Is the service caching tokens, or is it hitting the introspection end point every time - * @return true is caching tokens locally, false hits the introspection end point every time - */ - public boolean isCacheTokens() { - return cacheTokens; - } - - /** - * Configure if the client should cache tokens locally or not - * @param cacheTokens - */ - public void setCacheTokens(boolean cacheTokens) { - this.cacheTokens = cacheTokens; - } - - /** - * Check to see if the introspection end point response for a token has been cached locally - * This call will return the token if it has been cached and is still valid according to - * the cache expire time on the TokenCacheObject. If a cached value has been found but is - * expired, either by default expire times or the token's own expire time, then the token is - * removed from the cache and null is returned. - * @param key is the token to check - * @return the cached TokenCacheObject or null - */ - private TokenCacheObject checkCache(String key) { - if (cacheTokens && authCache.containsKey(key)) { - TokenCacheObject tco = authCache.get(key); - - if (tco != null && tco.cacheExpire != null && tco.cacheExpire.after(new Date())) { - return tco; - } else { - // if the token is expired, don't keep things around. 
- authCache.remove(key); - } - } - return null; - } - - private OAuth2Request createStoredRequest(final JsonObject token) { - String clientId = token.get("client_id").getAsString(); - Set scopes = new HashSet<>(); - if (token.has("scope")) { - scopes.addAll(OAuth2Utils.parseParameterList(token.get("scope").getAsString())); - } - Map parameters = new HashMap<>(); - parameters.put("client_id", clientId); - parameters.put("scope", OAuth2Utils.formatParameterList(scopes)); - OAuth2Request storedRequest = new OAuth2Request(parameters, clientId, null, true, scopes, null, null, null, null); - return storedRequest; - } - - private Authentication createUserAuthentication(JsonObject token) { - JsonElement userId = token.get("user_id"); - if(userId == null) { - userId = token.get("sub"); - if (userId == null) { - return null; - } - } - - return new PreAuthenticatedAuthenticationToken(userId.getAsString(), token, introspectionAuthorityGranter.getAuthorities(token)); - } - - private OAuth2AccessToken createAccessToken(final JsonObject token, final String tokenString) { - OAuth2AccessToken accessToken = new OAuth2AccessTokenImpl(token, tokenString); - return accessToken; - } - - /** - * Validate a token string against the introspection endpoint, - * then parse it and store it in the local cache if caching is enabled. 
- * - * @param accessToken Token to pass to the introspection endpoint - * @return TokenCacheObject containing authentication and token if the token was valid, otherwise null - */ - private TokenCacheObject parseToken(String accessToken) { - - // find out which URL to ask - String introspectionUrl; - RegisteredClient client; - try { - introspectionUrl = introspectionConfigurationService.getIntrospectionUrl(accessToken); - client = introspectionConfigurationService.getClientConfiguration(accessToken); - } catch (IllegalArgumentException e) { - logger.error("Unable to load introspection URL or client configuration", e); - return null; - } - // Use the SpringFramework RestTemplate to send the request to the - // endpoint - String validatedToken = null; - - RestTemplate restTemplate; - MultiValueMap form = new LinkedMultiValueMap<>(); - - final String clientId = client.getClientId(); - final String clientSecret = client.getClientSecret(); - - if (SECRET_BASIC.equals(client.getTokenEndpointAuthMethod())){ - // use BASIC auth if configured to do so - restTemplate = new RestTemplate(factory) { - - @Override - protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException { - ClientHttpRequest httpRequest = super.createRequest(url, method); - httpRequest.getHeaders().add("Authorization", - String.format("Basic %s", Base64.encode(String.format("%s:%s", clientId, clientSecret)) )); - return httpRequest; - } - }; - } else { //Alternatively use form based auth - restTemplate = new RestTemplate(factory); - - form.add("client_id", clientId); - form.add("client_secret", clientSecret); - } - - form.add("token", accessToken); - - try { - validatedToken = restTemplate.postForObject(introspectionUrl, form, String.class); - } catch (RestClientException rce) { - logger.error("validateToken", rce); - return null; - } - if (validatedToken != null) { - // parse the json - JsonElement jsonRoot = new JsonParser().parse(validatedToken); - if 
(!jsonRoot.isJsonObject()) { - return null; // didn't get a proper JSON object - } - - JsonObject tokenResponse = jsonRoot.getAsJsonObject(); - - if (tokenResponse.get("error") != null) { - // report an error? - logger.error("Got an error back: " + tokenResponse.get("error") + ", " + tokenResponse.get("error_description")); - return null; - } - - if (!tokenResponse.get("active").getAsBoolean()) { - // non-valid token - logger.info("Server returned non-active token"); - return null; - } - // create an OAuth2Authentication - OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createUserAuthentication(tokenResponse)); - // create an OAuth2AccessToken - OAuth2AccessToken token = createAccessToken(tokenResponse, accessToken); - - if (token.getExpiration() == null || token.getExpiration().after(new Date())) { - // Store them in the cache - TokenCacheObject tco = new TokenCacheObject(token, auth); - if (cacheTokens && (cacheNonExpiringTokens || token.getExpiration() != null)) { - authCache.put(accessToken, tco); - } - return tco; - } - } - - // when the token is invalid for whatever reason - return null; - } - - @Override - public OAuth2Authentication loadAuthentication(String accessToken) throws AuthenticationException { - // First check if the in memory cache has an Authentication object, and - // that it is still valid - // If Valid, return it - TokenCacheObject cacheAuth = checkCache(accessToken); - if (cacheAuth != null) { - return cacheAuth.auth; - } else { - cacheAuth = parseToken(accessToken); - if (cacheAuth != null) { - return cacheAuth.auth; - } else { - return null; - } - } - } - - @Override - public OAuth2AccessToken readAccessToken(String accessToken) { - // First check if the in memory cache has a Token object, and that it is - // still valid - // If Valid, return it - TokenCacheObject cacheAuth = checkCache(accessToken); - if (cacheAuth != null) { - return cacheAuth.token; - } else { - cacheAuth = 
parseToken(accessToken); - if (cacheAuth != null) { - return cacheAuth.token; - } else { - return null; - } - } - } - -} diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/OAuth2AccessTokenImpl.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/OAuth2AccessTokenImpl.java deleted file mode 100644 index 723fcc54d..000000000 --- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/OAuth2AccessTokenImpl.java +++ /dev/null 
@@ -1,117 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -package org.mitre.oauth2.introspectingfilter; - -import java.util.Date; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; -import java.util.concurrent.TimeUnit; - -import org.springframework.security.oauth2.common.OAuth2AccessToken; -import org.springframework.security.oauth2.common.OAuth2RefreshToken; - -import com.google.common.base.Splitter; -import com.google.common.collect.Sets; -import com.google.gson.JsonObject; - - -public class OAuth2AccessTokenImpl implements OAuth2AccessToken { - - private JsonObject introspectionResponse; - private String tokenString; - private Set scopes = new HashSet<>(); - private Date expireDate; - - - public OAuth2AccessTokenImpl(JsonObject introspectionResponse, String tokenString) { - this.setIntrospectionResponse(introspectionResponse); - this.tokenString = tokenString; - if (introspectionResponse.get("scope") != null) { - scopes = Sets.newHashSet(Splitter.on(" ").split(introspectionResponse.get("scope").getAsString())); - } - - if (introspectionResponse.get("exp") != null) { - expireDate = new Date(introspectionResponse.get("exp").getAsLong() * 1000L); - } - } 
- - - @Override - public Map getAdditionalInformation() { - return null; - } - - @Override - public Set getScope() { - return scopes; - } - - @Override - public OAuth2RefreshToken getRefreshToken() { - return null; - } - - @Override - public String getTokenType() { - return BEARER_TYPE; - } - - @Override - public boolean isExpired() { - if (expireDate != null && expireDate.before(new Date())) { - return true; - } - return false; - } - - @Override - public Date getExpiration() { - return expireDate; - } - - @Override - public int getExpiresIn() { - if (expireDate != null) { - return (int)TimeUnit.MILLISECONDS.toSeconds(expireDate.getTime() - (new Date()).getTime()); - } - return 0; - } - - @Override - public String getValue() { - return tokenString; - } - - - /** - * @return the token - */ - public JsonObject getIntrospectionResponse() { - return introspectionResponse; - } - - - /** - * @param token the token to set - */ - public void setIntrospectionResponse(JsonObject token) { - this.introspectionResponse = token; - } - -} diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionAuthorityGranter.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionAuthorityGranter.java deleted file mode 100644 index d514bfbab..000000000 --- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionAuthorityGranter.java +++ /dev/null 
@@ -1,37 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.oauth2.introspectingfilter.service; - -import java.util.List; - -import org.springframework.security.core.GrantedAuthority; - -import com.google.gson.JsonObject; - -/** - * @author jricher - * - */ -public interface IntrospectionAuthorityGranter { - - public List getAuthorities(JsonObject introspectionResponse); - -} diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionConfigurationService.java deleted file mode 100644 index fe85727b5..000000000 --- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionConfigurationService.java +++ /dev/null 
@@ -1,47 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.oauth2.introspectingfilter.service; - -import org.mitre.oauth2.model.RegisteredClient; - -/** - * @author jricher - * - */ -public interface IntrospectionConfigurationService { - - /** - * Get the introspection URL based on the access token. - * @param accessToken - * @return - */ - public String getIntrospectionUrl(String accessToken); - - - /** - * Get the client configuration to use to connect to the - * introspection endpoint. In particular, this cares about - * the clientId, clientSecret, and tokenEndpointAuthMethod - * fields. - */ - public RegisteredClient getClientConfiguration(String accessToken); - -} diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/JWTParsingIntrospectionConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/JWTParsingIntrospectionConfigurationService.java deleted file mode 100644 index b60179f60..000000000 
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/JWTParsingIntrospectionConfigurationService.java
+++ /dev/null
@@ -1,132 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.oauth2.introspectingfilter.service.impl; - -import java.text.ParseException; - -import org.mitre.oauth2.introspectingfilter.service.IntrospectionConfigurationService; -import org.mitre.oauth2.model.RegisteredClient; -import org.mitre.openid.connect.client.service.ClientConfigurationService; -import org.mitre.openid.connect.client.service.ServerConfigurationService; -import org.mitre.openid.connect.config.ServerConfiguration; - -import com.google.common.base.Strings; -import com.nimbusds.jwt.JWT; -import com.nimbusds.jwt.JWTParser; - -/** - * - * Parses the incoming accesstoken as a JWT and determines the issuer based on - * the "iss" field inside the JWT. Uses the ServerConfigurationService to determine - * the introspection URL for that issuer. 
- * - * @author jricher - * - */ -public class JWTParsingIntrospectionConfigurationService implements IntrospectionConfigurationService { - - private ServerConfigurationService serverConfigurationService; - private ClientConfigurationService clientConfigurationService; - - /** - * @return the serverConfigurationService - */ - public ServerConfigurationService getServerConfigurationService() { - return serverConfigurationService; - } - - /** - * @param serverConfigurationService the serverConfigurationService to set - */ - public void setServerConfigurationService(ServerConfigurationService serverConfigurationService) { - this.serverConfigurationService = serverConfigurationService; - } - - /** - * @param clientConfigurationService the clientConfigurationService to set - */ - public void setClientConfigurationService(ClientConfigurationService clientConfigurationService) { - this.clientConfigurationService = clientConfigurationService; - } - - private String getIssuer(String accessToken) { - try { - JWT jwt = JWTParser.parse(accessToken); - - String issuer = jwt.getJWTClaimsSet().getIssuer(); - - return issuer; - - } catch (ParseException e) { - throw new IllegalArgumentException("Unable to parse JWT", e); - } - } - - /* (non-Javadoc) - * @see org.mitre.oauth2.introspectingfilter.IntrospectionConfigurationService#getIntrospectionUrl(java.lang.String) - */ - @Override - public String getIntrospectionUrl(String accessToken) { - String issuer = getIssuer(accessToken); - if (!Strings.isNullOrEmpty(issuer)) { - ServerConfiguration server = serverConfigurationService.getServerConfiguration(issuer); - if (server != null) { - if (!Strings.isNullOrEmpty(server.getIntrospectionEndpointUri())) { - return server.getIntrospectionEndpointUri(); - } else { - throw new IllegalArgumentException("Server does not have Introspection Endpoint defined"); - } - } else { - throw new IllegalArgumentException("Could not find server configuration for issuer " + issuer); - } - } else { - throw 
new IllegalArgumentException("No issuer claim found in JWT"); - } - } - - /* (non-Javadoc) - * @see org.mitre.oauth2.introspectingfilter.service.IntrospectionConfigurationService#getClientConfiguration(java.lang.String) - */ - @Override - public RegisteredClient getClientConfiguration(String accessToken) { - - String issuer = getIssuer(accessToken); - if (!Strings.isNullOrEmpty(issuer)) { - ServerConfiguration server = serverConfigurationService.getServerConfiguration(issuer); - if (server != null) { - RegisteredClient client = clientConfigurationService.getClientConfiguration(server); - if (client != null) { - return client; - } else { - throw new IllegalArgumentException("Could not find client configuration for issuer " + issuer); - } - } else { - throw new IllegalArgumentException("Could not find server configuration for issuer " + issuer); - } - } else { - throw new IllegalArgumentException("No issuer claim found in JWT"); - } - - } - - - -} diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/ScopeBasedIntrospectionAuthoritiesGranter.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/ScopeBasedIntrospectionAuthoritiesGranter.java deleted file mode 100644 index 26bc7f11c..000000000 --- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/ScopeBasedIntrospectionAuthoritiesGranter.java +++ /dev/null 
@@ -1,71 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.oauth2.introspectingfilter.service.impl;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-
-import org.mitre.oauth2.introspectingfilter.service.IntrospectionAuthorityGranter;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.oauth2.common.util.OAuth2Utils;
-
-import com.google.gson.JsonObject;
-
-/**
- * @author jricher
- *
- */
-public class ScopeBasedIntrospectionAuthoritiesGranter implements IntrospectionAuthorityGranter {
-
- private List authorities = AuthorityUtils.createAuthorityList("ROLE_API");
-
- /* (non-Javadoc)
- * @see org.mitre.oauth2.introspectingfilter.IntrospectionAuthorityGranter#getAuthorities(net.minidev.json.JSONObject)
- */
- @Override
- public List getAuthorities(JsonObject introspectionResponse) {
- List auth = new ArrayList<>(getAuthorities());
-
- if (introspectionResponse.has("scope") && introspectionResponse.get("scope").isJsonPrimitive()) {
- String scopeString = introspectionResponse.get("scope").getAsString();
- Set scopes = OAuth2Utils.parseParameterList(scopeString);
- for (String scope : scopes) {
- auth.add(new SimpleGrantedAuthority("OAUTH_SCOPE_" + scope));
- }
- }
-
- return auth;
- }
-
- /**
- * @return the authorities
- */
- public List getAuthorities() {
- return authorities;
- }
-
- /**
- * @param authorities the authorities to set
- */
- public void setAuthorities(List authorities) {
- this.authorities = authorities;
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/SimpleIntrospectionAuthorityGranter.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/SimpleIntrospectionAuthorityGranter.java
deleted file mode 100644
index 45126f246..000000000
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/SimpleIntrospectionAuthorityGranter.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.oauth2.introspectingfilter.service.impl;
-
-import java.util.List;
-
-import org.mitre.oauth2.introspectingfilter.service.IntrospectionAuthorityGranter;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.AuthorityUtils;
-
-import com.google.gson.JsonObject;
-
-/**
- *
- * Grants the same set of authorities no matter what's passed in.
- *
- * @author jricher
- *
- */
-public class SimpleIntrospectionAuthorityGranter implements IntrospectionAuthorityGranter {
-
- private List authorities = AuthorityUtils.createAuthorityList("ROLE_API");
-
- /* (non-Javadoc)
- * @see org.mitre.oauth2.introspectingfilter.IntrospectionAuthorityGranter#getAuthorities(net.minidev.json.JSONObject)
- */
- @Override
- public List getAuthorities(JsonObject introspectionResponse) {
- return authorities;
- }
-
- /**
- * @return the authorities
- */
- public List getAuthorities() {
- return authorities;
- }
-
- /**
- * @param authorities the authorities to set
- */
- public void setAuthorities(List authorities) {
- this.authorities = authorities;
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/StaticIntrospectionConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/StaticIntrospectionConfigurationService.java
deleted file mode 100644
index 5aa370c41..000000000
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/StaticIntrospectionConfigurationService.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.oauth2.introspectingfilter.service.impl;
-
-import org.mitre.oauth2.introspectingfilter.service.IntrospectionConfigurationService;
-import org.mitre.oauth2.model.RegisteredClient;
-
-/**
- *
- * Always provides the (configured) IntrospectionURL and RegisteredClient regardless
- * of token. Useful for talking to a single, trusted authorization server. 
- *
- * @author jricher
- *
- */
-public class StaticIntrospectionConfigurationService implements IntrospectionConfigurationService {
-
- private String introspectionUrl;
- private RegisteredClient clientConfiguration;
-
- /**
- * @return the clientConfiguration
- */
- public RegisteredClient getClientConfiguration() {
- return clientConfiguration;
- }
-
- /**
- * @param clientConfiguration the clientConfiguration to set
- */
- public void setClientConfiguration(RegisteredClient client) {
- this.clientConfiguration = client;
- }
-
- /**
- * @return the introspectionUrl
- */
- public String getIntrospectionUrl() {
- return introspectionUrl;
- }
-
- /**
- * @param introspectionUrl the introspectionUrl to set
- */
- public void setIntrospectionUrl(String introspectionUrl) {
- this.introspectionUrl = introspectionUrl;
- }
-
- /* (non-Javadoc)
- * @see org.mitre.oauth2.introspectingfilter.IntrospectionConfigurationService#getIntrospectionUrl(java.lang.String)
- */
- @Override
- public String getIntrospectionUrl(String accessToken) {
- return getIntrospectionUrl();
- }
-
- /* (non-Javadoc)
- * @see org.mitre.oauth2.introspectingfilter.service.IntrospectionConfigurationService#getClientConfiguration(java.lang.String)
- */
- @Override
- public RegisteredClient getClientConfiguration(String accessToken) {
- return getClientConfiguration();
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AuthorizationEndpointException.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AuthorizationEndpointException.java
deleted file mode 100644
index 0fe0c7e71..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AuthorizationEndpointException.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client;
-
-import org.springframework.security.authentication.AuthenticationServiceException;
-
-public class AuthorizationEndpointException extends AuthenticationServiceException {
-
- private static final long serialVersionUID = 6953119789654778380L;
-
- private String error;
-
- private String errorDescription;
-
- private String errorURI;
-
- public AuthorizationEndpointException(String error, String errorDescription, String errorURI) {
- super("Error from Authorization Endpoint: " + error + " " + errorDescription + " " + errorURI);
- this.error = error;
- this.errorDescription = errorDescription;
- this.errorURI = errorURI;
- }
-
- public String getError() {
- return error;
- }
-
- public String getErrorDescription() {
- return errorDescription;
- }
-
- public String getErrorURI() {
- return errorURI;
- }
-
- /* (non-Javadoc)
- * @see java.lang.Object#toString()
- */
- @Override
- public String toString() {
- return "AuthorizationEndpointException [error=" + error + ", errorDescription=" + errorDescription + ", errorURI=" + errorURI + "]";
- }
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/NamedAdminAuthoritiesMapper.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/NamedAdminAuthoritiesMapper.java
deleted file mode 100644
index 1d1e810f6..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/NamedAdminAuthoritiesMapper.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client;
-
-import java.text.ParseException;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.mitre.openid.connect.model.UserInfo;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-
-import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
-
-/**
- *
- * Simple mapper that adds ROLE_USER to the authorities map for all queries,
- * plus adds ROLE_ADMIN if the subject and issuer pair are found in the
- * configurable "admins" set. 
- *
- * @author jricher
- *
- */
-public class NamedAdminAuthoritiesMapper implements OIDCAuthoritiesMapper {
-
- private static Logger logger = LoggerFactory.getLogger(NamedAdminAuthoritiesMapper.class);
-
- private static final SimpleGrantedAuthority ROLE_ADMIN = new SimpleGrantedAuthority("ROLE_ADMIN");
- private static final SimpleGrantedAuthority ROLE_USER = new SimpleGrantedAuthority("ROLE_USER");
-
- private Set admins = new HashSet<>();
-
- @Override
- public Collection mapAuthorities(JWT idToken, UserInfo userInfo) {
-
- Set out = new HashSet<>();
- try {
- JWTClaimsSet claims = idToken.getJWTClaimsSet();
-
- SubjectIssuerGrantedAuthority authority = new SubjectIssuerGrantedAuthority(claims.getSubject(), claims.getIssuer());
- out.add(authority);
-
- if (admins.contains(authority)) {
- out.add(ROLE_ADMIN);
- }
-
- // everybody's a user by default
- out.add(ROLE_USER);
-
- } catch (ParseException e) {
- logger.error("Unable to parse ID Token inside of authorities mapper (huh?)");
- }
- return out;
- }
-
- /**
- * @return the admins
- */
- public Set getAdmins() {
- return admins;
- }
-
- /**
- * @param admins the admins to set
- */
- public void setAdmins(Set admins) {
- this.admins = admins;
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
deleted file mode 100644
index 841252547..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
+++ /dev/null
@@ -1,902 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client;
-
-import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.PRIVATE_KEY;
-import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC;
-import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_JWT;
-
-import java.io.IOException;
-import java.math.BigInteger;
-import java.net.URI;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.text.ParseException;
-import java.util.Date;
-import java.util.Map;
-import java.util.UUID;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.config.RequestConfig;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
-import org.mitre.jwt.signer.service.impl.JWKSetCacheService;
-import 
org.mitre.jwt.signer.service.impl.SymmetricKeyJWTValidatorCacheService;
-import org.mitre.oauth2.model.PKCEAlgorithm;
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.client.model.IssuerServiceResponse;
-import org.mitre.openid.connect.client.service.AuthRequestOptionsService;
-import org.mitre.openid.connect.client.service.AuthRequestUrlBuilder;
-import org.mitre.openid.connect.client.service.ClientConfigurationService;
-import org.mitre.openid.connect.client.service.IssuerService;
-import org.mitre.openid.connect.client.service.ServerConfigurationService;
-import org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.mitre.openid.connect.model.PendingOIDCAuthenticationToken;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.HttpMethod;
-import org.springframework.http.client.ClientHttpRequest;
-import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
-import org.springframework.security.authentication.AuthenticationServiceException;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
-import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-import org.springframework.util.LinkedMultiValueMap;
-import org.springframework.util.MultiValueMap;
-import org.springframework.web.client.RestClientException;
-import org.springframework.web.client.RestTemplate;
-import org.springframework.web.util.UriUtils;
-
-import com.google.common.base.Strings;
-import com.google.common.collect.Iterables;
-import com.google.common.collect.Lists;
-import com.google.gson.JsonElement;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParser;
-import com.nimbusds.jose.Algorithm;
-import 
com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.util.Base64;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.JWTParser;
-import com.nimbusds.jwt.PlainJWT;
-import com.nimbusds.jwt.SignedJWT;
-
-/**
- * OpenID Connect Authentication Filter class
- *
- * @author nemonik, jricher
- *
- */
-public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
-
- protected final static String REDIRECT_URI_SESION_VARIABLE = "redirect_uri";
- protected final static String CODE_VERIFIER_SESSION_VARIABLE = "code_verifier";
- protected final static String STATE_SESSION_VARIABLE = "state";
- protected final static String NONCE_SESSION_VARIABLE = "nonce";
- protected final static String ISSUER_SESSION_VARIABLE = "issuer";
- protected final static String TARGET_SESSION_VARIABLE = "target";
- protected final static int HTTP_SOCKET_TIMEOUT = 30000;
-
- public final static String FILTER_PROCESSES_URL = "/openid_connect_login";
-
- // Allow for time sync issues by having a window of X seconds.
- private int timeSkewAllowance = 300;
-
- // fetches and caches public keys for servers
- @Autowired(required=false)
- private JWKSetCacheService validationServices;
-
- // creates JWT signer/validators for symmetric keys
- @Autowired(required=false)
- private SymmetricKeyJWTValidatorCacheService symmetricCacheService;
-
- // signer based on keypair for this client (for outgoing auth requests)
- @Autowired(required=false)
- private JWTSigningAndValidationService authenticationSignerService;
-
- @Autowired(required=false)
- private HttpClient httpClient;
-
- /*
- * Modular services to build out client filter. 
- */
- // looks at the request and determines which issuer to use for lookup on the server
- private IssuerService issuerService;
- // holds server information (auth URI, token URI, etc.), indexed by issuer
- private ServerConfigurationService servers;
- // holds client information (client ID, redirect URI, etc.), indexed by issuer of the server
- private ClientConfigurationService clients;
- // provides extra options to inject into the outbound request
- private AuthRequestOptionsService authOptions = new StaticAuthRequestOptionsService(); // initialize with an empty set of options
- // builds the actual request URI based on input from all other services
- private AuthRequestUrlBuilder authRequestBuilder;
-
- // private helpers to handle target link URLs
- private TargetLinkURIAuthenticationSuccessHandler targetSuccessHandler = new TargetLinkURIAuthenticationSuccessHandler();
- private TargetLinkURIChecker deepLinkFilter;
-
- protected int httpSocketTimeout = HTTP_SOCKET_TIMEOUT;
-
- /**
- * OpenIdConnectAuthenticationFilter constructor
- */
- public OIDCAuthenticationFilter() {
- super(FILTER_PROCESSES_URL);
- targetSuccessHandler.passthrough = super.getSuccessHandler();
- super.setAuthenticationSuccessHandler(targetSuccessHandler);
- }
-
- @Override
- public void afterPropertiesSet() {
- super.afterPropertiesSet();
-
- // if our JOSE validators don't get wired in, drop defaults into place
-
- if (validationServices == null) {
- validationServices = new JWKSetCacheService();
- }
-
- if (symmetricCacheService == null) {
- symmetricCacheService = new SymmetricKeyJWTValidatorCacheService();
- }
-
- }
-
- /*
- * This is the main entry point for the filter.
- *
- * (non-Javadoc)
- *
- * @see org.springframework.security.web.authentication. 
- * AbstractAuthenticationProcessingFilter
- * #attemptAuthentication(javax.servlet.http.HttpServletRequest,
- * javax.servlet.http.HttpServletResponse)
- */
- @Override
- public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
-
- if (!Strings.isNullOrEmpty(request.getParameter("error"))) {
-
- // there's an error coming back from the server, need to handle this
- handleError(request, response);
- return null; // no auth, response is sent to display page or something
-
- } else if (!Strings.isNullOrEmpty(request.getParameter("code"))) {
-
- // we got back the code, need to process this to get our tokens
- Authentication auth = handleAuthorizationCodeResponse(request, response);
- return auth;
-
- } else {
-
- // not an error, not a code, must be an initial login of some type
- handleAuthorizationRequest(request, response);
-
- return null; // no auth, response redirected to the server's Auth Endpoint (or possibly to the account chooser)
- }
-
- }
-
- /**
- * Initiate an Authorization request
- *
- * @param request
- * The request from which to extract parameters and perform the
- * authentication
- * @param response
- * @throws IOException
- * If an input or output exception occurs
- */
- protected void handleAuthorizationRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
-
- HttpSession session = request.getSession();
-
- IssuerServiceResponse issResp = issuerService.getIssuer(request);
-
- if (issResp == null) {
- logger.error("Null issuer response returned from service.");
- throw new AuthenticationServiceException("No issuer found.");
- }
-
- if (issResp.shouldRedirect()) {
- response.sendRedirect(issResp.getRedirectUrl());
- } else {
- String issuer = issResp.getIssuer();
-
- if (!Strings.isNullOrEmpty(issResp.getTargetLinkUri())) {
- // there's a target URL in the response, we should save this so we can forward to 
it later
- session.setAttribute(TARGET_SESSION_VARIABLE, issResp.getTargetLinkUri());
- }
-
- if (Strings.isNullOrEmpty(issuer)) {
- logger.error("No issuer found: " + issuer);
- throw new AuthenticationServiceException("No issuer found: " + issuer);
- }
-
- ServerConfiguration serverConfig = servers.getServerConfiguration(issuer);
- if (serverConfig == null) {
- logger.error("No server configuration found for issuer: " + issuer);
- throw new AuthenticationServiceException("No server configuration found for issuer: " + issuer);
- }
-
-
- session.setAttribute(ISSUER_SESSION_VARIABLE, serverConfig.getIssuer());
-
- RegisteredClient clientConfig = clients.getClientConfiguration(serverConfig);
- if (clientConfig == null) {
- logger.error("No client configuration found for issuer: " + issuer);
- throw new AuthenticationServiceException("No client configuration found for issuer: " + issuer);
- }
-
- String redirectUri = null;
- if (clientConfig.getRegisteredRedirectUri() != null && clientConfig.getRegisteredRedirectUri().size() == 1) {
- // if there's a redirect uri configured (and only one), use that
- redirectUri = Iterables.getOnlyElement(clientConfig.getRegisteredRedirectUri());
- } else {
- // otherwise our redirect URI is this current URL, with no query parameters
- redirectUri = request.getRequestURL().toString();
- }
- session.setAttribute(REDIRECT_URI_SESION_VARIABLE, redirectUri);
-
- // this value comes back in the id token and is checked there
- String nonce = createNonce(session);
-
- // this value comes back in the auth code response
- String state = createState(session);
-
- Map options = authOptions.getOptions(serverConfig, clientConfig, request);
-
- // if we're using PKCE, handle the challenge here
- if (clientConfig.getCodeChallengeMethod() != null) {
- String codeVerifier = createCodeVerifier(session);
- options.put("code_challenge_method", clientConfig.getCodeChallengeMethod().getName());
- if 
(clientConfig.getCodeChallengeMethod().equals(PKCEAlgorithm.plain)) {
- options.put("code_challenge", codeVerifier);
- } else if (clientConfig.getCodeChallengeMethod().equals(PKCEAlgorithm.S256)) {
- try {
- MessageDigest digest = MessageDigest.getInstance("SHA-256");
- String hash = Base64URL.encode(digest.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII))).toString();
- options.put("code_challenge", hash);
- } catch (NoSuchAlgorithmException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
-
-
- }
- }
-
- String authRequest = authRequestBuilder.buildAuthRequestUrl(serverConfig, clientConfig, redirectUri, nonce, state, options, issResp.getLoginHint());
-
- logger.debug("Auth Request: " + authRequest);
-
- response.sendRedirect(authRequest);
- }
- }
-
- /**
- * @param request
- * The request from which to extract parameters and perform the
- * authentication
- * @return The authenticated user token, or null if authentication is
- * incomplete.
- */
- protected Authentication handleAuthorizationCodeResponse(HttpServletRequest request, HttpServletResponse response) {
-
- String authorizationCode = request.getParameter("code");
-
- HttpSession session = request.getSession();
-
- // check for state, if it doesn't match we bail early
- String storedState = getStoredState(session);
- String requestState = request.getParameter("state");
- if (storedState == null || !storedState.equals(requestState)) {
- throw new AuthenticationServiceException("State parameter mismatch on return. 
Expected " + storedState + " got " + requestState);
- }
-
- // look up the issuer that we set out to talk to
- String issuer = getStoredSessionString(session, ISSUER_SESSION_VARIABLE);
-
- // pull the configurations based on that issuer
- ServerConfiguration serverConfig = servers.getServerConfiguration(issuer);
- final RegisteredClient clientConfig = clients.getClientConfiguration(serverConfig);
-
- MultiValueMap form = new LinkedMultiValueMap<>();
- form.add("grant_type", "authorization_code");
- form.add("code", authorizationCode);
- form.setAll(authOptions.getTokenOptions(serverConfig, clientConfig, request));
-
- String codeVerifier = getStoredCodeVerifier(session);
- if (codeVerifier != null) {
- form.add("code_verifier", codeVerifier);
- }
-
- String redirectUri = getStoredSessionString(session, REDIRECT_URI_SESION_VARIABLE);
- if (redirectUri != null) {
- form.add("redirect_uri", redirectUri);
- }
-
- // Handle Token Endpoint interaction
-
- if(httpClient == null) {
- httpClient = HttpClientBuilder.create()
- .useSystemProperties()
- .setDefaultRequestConfig(RequestConfig.custom()
- .setSocketTimeout(httpSocketTimeout)
- .build())
- .build();
- }
-
- HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
-
- RestTemplate restTemplate;
-
- if (SECRET_BASIC.equals(clientConfig.getTokenEndpointAuthMethod())){
- // use BASIC auth if configured to do so
- restTemplate = new RestTemplate(factory) {
-
- @Override
- protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException {
- ClientHttpRequest httpRequest = super.createRequest(url, method);
- httpRequest.getHeaders().add("Authorization",
- String.format("Basic %s", Base64.encode(String.format("%s:%s",
- UriUtils.encodePathSegment(clientConfig.getClientId(), "UTF-8"),
- UriUtils.encodePathSegment(clientConfig.getClientSecret(), "UTF-8")))));
-
- return httpRequest;
- }
- };
- } else {
- // we're not doing basic auth, figure out what 
other flavor we have
- restTemplate = new RestTemplate(factory);
-
- if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
- // do a symmetric secret signed JWT for auth
-
-
- JWTSigningAndValidationService signer = null;
- JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg();
-
- if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) &&
- (JWSAlgorithm.HS256.equals(alg)
- || JWSAlgorithm.HS384.equals(alg)
- || JWSAlgorithm.HS512.equals(alg))) {
-
- // generate one based on client secret
- signer = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());
-
- } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
-
- // needs to be wired in to the bean
- signer = authenticationSignerService;
-
- if (alg == null) {
- alg = authenticationSignerService.getDefaultSigningAlgorithm();
- }
- }
-
- if (signer == null) {
- throw new AuthenticationServiceException("Couldn't find required signer service for use with private key auth.");
- }
-
- JWTClaimsSet.Builder claimsSet = new JWTClaimsSet.Builder();
-
- claimsSet.issuer(clientConfig.getClientId());
- claimsSet.subject(clientConfig.getClientId());
- claimsSet.audience(Lists.newArrayList(serverConfig.getTokenEndpointUri()));
- claimsSet.jwtID(UUID.randomUUID().toString());
-
- // TODO: make this configurable
- Date exp = new Date(System.currentTimeMillis() + (60 * 1000)); // auth good for 60 seconds
- claimsSet.expirationTime(exp);
-
- Date now = new Date(System.currentTimeMillis());
- claimsSet.issueTime(now);
- claimsSet.notBeforeTime(now);
-
- JWSHeader header = new JWSHeader(alg, null, null, null, null, null, null, null, null, null,
- signer.getDefaultSignerKeyId(),
- null, null);
- SignedJWT jwt = new SignedJWT(header, claimsSet.build());
-
- signer.signJwt(jwt, alg);
-
- form.add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
- 
form.add("client_assertion", jwt.serialize());
- } else {
- //Alternatively use form based auth
- form.add("client_id", clientConfig.getClientId());
- form.add("client_secret", clientConfig.getClientSecret());
- }
-
- }
-
- logger.debug("tokenEndpointURI = " + serverConfig.getTokenEndpointUri());
- logger.debug("form = " + form);
-
- String jsonString = null;
-
- try {
- jsonString = restTemplate.postForObject(serverConfig.getTokenEndpointUri(), form, String.class);
- } catch (RestClientException e) {
-
- // Handle error
-
- logger.error("Token Endpoint error response: " + e.getMessage());
-
- throw new AuthenticationServiceException("Unable to obtain Access Token: " + e.getMessage());
- }
-
- logger.debug("from TokenEndpoint jsonString = " + jsonString);
-
- JsonElement jsonRoot = new JsonParser().parse(jsonString);
- if (!jsonRoot.isJsonObject()) {
- throw new AuthenticationServiceException("Token Endpoint did not return a JSON object: " + jsonRoot);
- }
-
- JsonObject tokenResponse = jsonRoot.getAsJsonObject();
-
- if (tokenResponse.get("error") != null) {
-
- // Handle error
-
- String error = tokenResponse.get("error").getAsString();
-
- logger.error("Token Endpoint returned: " + error);
-
- throw new AuthenticationServiceException("Unable to obtain Access Token. 
Token Endpoint returned: " + error); - - } else { - - // Extract the id_token to insert into the - // OIDCAuthenticationToken - - // get out all the token strings - String accessTokenValue = null; - String idTokenValue = null; - String refreshTokenValue = null; - - if (tokenResponse.has("access_token")) { - accessTokenValue = tokenResponse.get("access_token").getAsString(); - } else { - throw new AuthenticationServiceException("Token Endpoint did not return an access_token: " + jsonString); - } - - if (tokenResponse.has("id_token")) { - idTokenValue = tokenResponse.get("id_token").getAsString(); - } else { - logger.error("Token Endpoint did not return an id_token"); - throw new AuthenticationServiceException("Token Endpoint did not return an id_token"); - } - - if (tokenResponse.has("refresh_token")) { - refreshTokenValue = tokenResponse.get("refresh_token").getAsString(); - } - - try { - JWT idToken = JWTParser.parse(idTokenValue); - - // validate our ID Token over a number of tests - JWTClaimsSet idClaims = idToken.getJWTClaimsSet(); - - // check the signature - JWTSigningAndValidationService jwtValidator = null; - - Algorithm tokenAlg = idToken.getHeader().getAlgorithm(); - - Algorithm clientAlg = clientConfig.getIdTokenSignedResponseAlg(); - - if (clientAlg != null) { - if (!clientAlg.equals(tokenAlg)) { - throw new AuthenticationServiceException("Token algorithm " + tokenAlg + " does not match expected algorithm " + clientAlg); - } - } - - if (idToken instanceof PlainJWT) { - - if (clientAlg == null) { - throw new AuthenticationServiceException("Unsigned ID tokens can only be used if explicitly configured in client."); - } - - if (tokenAlg != null && !tokenAlg.equals(Algorithm.NONE)) { - throw new AuthenticationServiceException("Unsigned token received, expected signature with " + tokenAlg); - } - } else if (idToken instanceof SignedJWT) { - - SignedJWT signedIdToken = (SignedJWT)idToken; - - if (tokenAlg.equals(JWSAlgorithm.HS256) - || 
tokenAlg.equals(JWSAlgorithm.HS384) - || tokenAlg.equals(JWSAlgorithm.HS512)) { - - // generate one based on client secret - jwtValidator = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient()); - } else { - // otherwise load from the server's public key - jwtValidator = validationServices.getValidator(serverConfig.getJwksUri()); - } - - if (jwtValidator != null) { - if(!jwtValidator.validateSignature(signedIdToken)) { - throw new AuthenticationServiceException("Signature validation failed"); - } - } else { - logger.error("No validation service found. Skipping signature validation"); - throw new AuthenticationServiceException("Unable to find an appropriate signature validator for ID Token."); - } - } // TODO: encrypted id tokens - - // check the issuer - if (idClaims.getIssuer() == null) { - throw new AuthenticationServiceException("Id Token Issuer is null"); - } else if (!idClaims.getIssuer().equals(serverConfig.getIssuer())){ - throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuer()); - } - - // check expiration - if (idClaims.getExpirationTime() == null) { - throw new AuthenticationServiceException("Id Token does not have required expiration claim"); - } else { - // it's not null, see if it's expired - Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000)); - if (now.after(idClaims.getExpirationTime())) { - throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpirationTime()); - } - } - - // check not before - if (idClaims.getNotBeforeTime() != null) { - Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000)); - if (now.before(idClaims.getNotBeforeTime())){ - throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBeforeTime()); - } - } - - // check issued at - if (idClaims.getIssueTime() == null) { - throw new AuthenticationServiceException("Id Token does not have 
required issued-at claim"); - } else { - // since it's not null, see if it was issued in the future - Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000)); - if (now.before(idClaims.getIssueTime())) { - throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssueTime()); - } - } - - // check audience - if (idClaims.getAudience() == null) { - throw new AuthenticationServiceException("Id token audience is null"); - } else if (!idClaims.getAudience().contains(clientConfig.getClientId())) { - throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience()); - } - - // compare the nonce to our stored claim - String nonce = idClaims.getStringClaim("nonce"); - if (Strings.isNullOrEmpty(nonce)) { - - logger.error("ID token did not contain a nonce claim."); - - throw new AuthenticationServiceException("ID token did not contain a nonce claim."); - } - - String storedNonce = getStoredNonce(session); - if (!nonce.equals(storedNonce)) { - logger.error("Possible replay attack detected! The comparison of the nonce in the returned " - + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + "."); - - throw new AuthenticationServiceException( - "Possible replay attack detected! The comparison of the nonce in the returned " - + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. 
Expected " + storedNonce + " got " + nonce + "."); - } - - // construct an PendingOIDCAuthenticationToken and return a Authentication object w/the userId and the idToken - - PendingOIDCAuthenticationToken token = new PendingOIDCAuthenticationToken(idClaims.getSubject(), idClaims.getIssuer(), - serverConfig, - idToken, accessTokenValue, refreshTokenValue); - - Authentication authentication = this.getAuthenticationManager().authenticate(token); - - return authentication; - } catch (ParseException e) { - throw new AuthenticationServiceException("Couldn't parse idToken: ", e); - } - - - - } - } - - /** - * Handle Authorization Endpoint error - * - * @param request - * The request from which to extract parameters and handle the - * error - * @param response - * The response, needed to do a redirect to display the error - * @throws IOException - * If an input or output exception occurs - */ - protected void handleError(HttpServletRequest request, HttpServletResponse response) throws IOException { - - String error = request.getParameter("error"); - String errorDescription = request.getParameter("error_description"); - String errorURI = request.getParameter("error_uri"); - - throw new AuthorizationEndpointException(error, errorDescription, errorURI); - } - - /** - * Get the named stored session variable as a string. Return null if not found or not a string. 
- * @param session - * @param key - * @return - */ - private static String getStoredSessionString(HttpSession session, String key) { - Object o = session.getAttribute(key); - if (o != null && o instanceof String) { - return o.toString(); - } else { - return null; - } - } - - /** - * Create a cryptographically random nonce and store it in the session - * @param session - * @return - */ - protected static String createNonce(HttpSession session) { - String nonce = new BigInteger(50, new SecureRandom()).toString(16); - session.setAttribute(NONCE_SESSION_VARIABLE, nonce); - - return nonce; - } - - /** - * Get the nonce we stored in the session - * @param session - * @return - */ - protected static String getStoredNonce(HttpSession session) { - return getStoredSessionString(session, NONCE_SESSION_VARIABLE); - } - - /** - * Create a cryptographically random state and store it in the session - * @param session - * @return - */ - protected static String createState(HttpSession session) { - String state = new BigInteger(50, new SecureRandom()).toString(16); - session.setAttribute(STATE_SESSION_VARIABLE, state); - - return state; - } - - /** - * Get the state we stored in the session - * @param session - * @return - */ - protected static String getStoredState(HttpSession session) { - return getStoredSessionString(session, STATE_SESSION_VARIABLE); - } - - /** - * Create a random code challenge and store it in the session - * @param session - * @return - */ - protected static String createCodeVerifier(HttpSession session) { - String challenge = new BigInteger(50, new SecureRandom()).toString(16); - session.setAttribute(CODE_VERIFIER_SESSION_VARIABLE, challenge); - return challenge; - } - - /** - * Retrieve the stored challenge from our session - * @param session - * @return - */ - protected static String getStoredCodeVerifier(HttpSession session) { - return getStoredSessionString(session, CODE_VERIFIER_SESSION_VARIABLE); - } - - - @Override - public void 
setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler) { - targetSuccessHandler.passthrough = successHandler; - super.setAuthenticationSuccessHandler(targetSuccessHandler); - } - - - - - /** - * Handle a successful authentication event. If the issuer service sets - * a target URL, we'll go to that. Otherwise we'll let the superclass handle - * it for us with the configured behavior. - */ - protected class TargetLinkURIAuthenticationSuccessHandler implements AuthenticationSuccessHandler { - - private AuthenticationSuccessHandler passthrough; - - @Override - public void onAuthenticationSuccess(HttpServletRequest request, - HttpServletResponse response, Authentication authentication) - throws IOException, ServletException { - - HttpSession session = request.getSession(); - - // check to see if we've got a target - String target = getStoredSessionString(session, TARGET_SESSION_VARIABLE); - - if (!Strings.isNullOrEmpty(target)) { - session.removeAttribute(TARGET_SESSION_VARIABLE); - - if (deepLinkFilter != null) { - target = deepLinkFilter.filter(target); - } - - response.sendRedirect(target); - } else { - // if the target was blank, use the default behavior here - passthrough.onAuthenticationSuccess(request, response, authentication); - } - - } - - } - - - // - // Getters and setters for configuration variables - // - - - public int getTimeSkewAllowance() { - return timeSkewAllowance; - } - - public void setTimeSkewAllowance(int timeSkewAllowance) { - this.timeSkewAllowance = timeSkewAllowance; - } - - /** - * @return the validationServices - */ - public JWKSetCacheService getValidationServices() { - return validationServices; - } - - /** - * @param validationServices the validationServices to set - */ - public void setValidationServices(JWKSetCacheService validationServices) { - this.validationServices = validationServices; - } - - /** - * @return the servers - */ - public ServerConfigurationService getServerConfigurationService() { - return 
servers; - } - - /** - * @param servers the servers to set - */ - public void setServerConfigurationService(ServerConfigurationService servers) { - this.servers = servers; - } - - /** - * @return the clients - */ - public ClientConfigurationService getClientConfigurationService() { - return clients; - } - - /** - * @param clients the clients to set - */ - public void setClientConfigurationService(ClientConfigurationService clients) { - this.clients = clients; - } - - /** - * @return the issuerService - */ - public IssuerService getIssuerService() { - return issuerService; - } - - /** - * @param issuerService the issuerService to set - */ - public void setIssuerService(IssuerService issuerService) { - this.issuerService = issuerService; - } - - /** - * @return the authRequestBuilder - */ - public AuthRequestUrlBuilder getAuthRequestUrlBuilder() { - return authRequestBuilder; - } - - /** - * @param authRequestBuilder the authRequestBuilder to set - */ - public void setAuthRequestUrlBuilder(AuthRequestUrlBuilder authRequestBuilder) { - this.authRequestBuilder = authRequestBuilder; - } - - /** - * @return the authOptions - */ - public AuthRequestOptionsService getAuthRequestOptionsService() { - return authOptions; - } - - /** - * @param authOptions the authOptions to set - */ - public void setAuthRequestOptionsService(AuthRequestOptionsService authOptions) { - this.authOptions = authOptions; - } - - public SymmetricKeyJWTValidatorCacheService getSymmetricCacheService() { - return symmetricCacheService; - } - - public void setSymmetricCacheService(SymmetricKeyJWTValidatorCacheService symmetricCacheService) { - this.symmetricCacheService = symmetricCacheService; - } - - public TargetLinkURIAuthenticationSuccessHandler getTargetLinkURIAuthenticationSuccessHandler() { - return targetSuccessHandler; - } - - public void setTargetLinkURIAuthenticationSuccessHandler( - TargetLinkURIAuthenticationSuccessHandler targetSuccessHandler) { - this.targetSuccessHandler = 
targetSuccessHandler; - } - - public TargetLinkURIChecker targetLinkURIChecker() { - return deepLinkFilter; - } - - public void setTargetLinkURIChecker(TargetLinkURIChecker deepLinkFilter) { - this.deepLinkFilter = deepLinkFilter; - } - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationProvider.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationProvider.java deleted file mode 100644 index b43b649df..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationProvider.java +++ /dev/null 
@@ -1,128 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client;
-
-import java.util.Collection;
-
-import org.mitre.openid.connect.model.OIDCAuthenticationToken;
-import org.mitre.openid.connect.model.PendingOIDCAuthenticationToken;
-import org.mitre.openid.connect.model.UserInfo;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
-
-import com.google.common.base.Strings;
-import com.nimbusds.jwt.JWT;
-
-/**
- * @author nemonik, Justin Richer
- *
- */
-public class OIDCAuthenticationProvider implements AuthenticationProvider {
-
- private static Logger logger = LoggerFactory.getLogger(OIDCAuthenticationProvider.class);
-
- private UserInfoFetcher userInfoFetcher = new UserInfoFetcher();
-
- private OIDCAuthoritiesMapper authoritiesMapper = new NamedAdminAuthoritiesMapper();
-
- /*
- * (non-Javadoc)
- *
- * @see org.springframework.security.authentication.AuthenticationProvider#
- * authenticate(org.springframework.security.core.Authentication)
- */
- @Override
- public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
-
- if (!supports(authentication.getClass())) {
- return null;
- }
-
- if (authentication instanceof PendingOIDCAuthenticationToken) {
-
- PendingOIDCAuthenticationToken token = (PendingOIDCAuthenticationToken) authentication;
-
- // get the ID Token value out
- JWT idToken = token.getIdToken();
-
- // load the user info if we can
- UserInfo userInfo = userInfoFetcher.loadUserInfo(token);
-
- if (userInfo == null) {
- // user info not found -- could be an error, could be fine
- } else {
- // if we found userinfo, double check it
- if (!Strings.isNullOrEmpty(userInfo.getSub()) && !userInfo.getSub().equals(token.getSub())) {
- // the userinfo came back and the user_id fields don't match what was in the id_token
- throw new UsernameNotFoundException("user_id mismatch between id_token and user_info call: " + token.getSub() + " / " + userInfo.getSub());
- }
- }
-
- return createAuthenticationToken(token, authoritiesMapper.mapAuthorities(idToken, userInfo), userInfo);
- }
-
- return null;
- }
-
- /**
- * Override this function to return a different kind of Authentication, processes the authorities differently,
- * or do post-processing based on the UserInfo object.
- *
- * @param token
- * @param authorities
- * @param userInfo
- * @return
- */
- protected Authentication createAuthenticationToken(PendingOIDCAuthenticationToken token, Collection authorities, UserInfo userInfo) {
- return new OIDCAuthenticationToken(token.getSub(),
- token.getIssuer(),
- userInfo, authorities,
- token.getIdToken(), token.getAccessTokenValue(), token.getRefreshTokenValue());
- }
-
- /**
- * @param userInfoFetcher
- */
- public void setUserInfoFetcher(UserInfoFetcher userInfoFetcher) {
- this.userInfoFetcher = userInfoFetcher;
- }
-
- /**
- * @param authoritiesMapper
- */
- public void setAuthoritiesMapper(OIDCAuthoritiesMapper authoritiesMapper) {
- this.authoritiesMapper = authoritiesMapper;
- }
-
- /*
- * (non-Javadoc)
- *
- * @see
- * org.springframework.security.authentication.AuthenticationProvider#supports
- * (java.lang.Class)
- */
- @Override
- public boolean supports(Class authentication) {
- return PendingOIDCAuthenticationToken.class.isAssignableFrom(authentication);
- }
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthoritiesMapper.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthoritiesMapper.java
deleted file mode 100644
index 0ee1d1c66..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthoritiesMapper.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.openid.connect.client;
-
-import java.util.Collection;
-
-import org.mitre.openid.connect.model.UserInfo;
-import org.springframework.security.core.GrantedAuthority;
-
-import com.nimbusds.jwt.JWT;
-
-/**
- * @author jricher
- *
- */
-public interface OIDCAuthoritiesMapper {
-
- /**
- * @param idToken the ID Token (parsed as a JWT, cannot be @null)
- * @param userInfo userInfo of the current user (could be @null)
- * @return the set of authorities to map to this user
- */
- Collection mapAuthorities(JWT idToken, UserInfo userInfo);
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java
deleted file mode 100644
index b7725bbe0..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client;
-
-/**
- * Simple target URI checker, checks whether the string in question starts
- * with a configured prefix. Returns "/" if the match fails.
- *
- * @author jricher
- *
- */
-public class StaticPrefixTargetLinkURIChecker implements TargetLinkURIChecker {
-
- private String prefix = "";
-
- @Override
- public String filter(String target) {
- if (target == null) {
- return "/";
- } else if (target.startsWith(prefix)) {
- return target;
- } else {
- return "/";
- }
- }
-
- public String getPrefix() {
- return prefix;
- }
-
- public void setPrefix(String prefix) {
- this.prefix = prefix;
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/SubjectIssuerGrantedAuthority.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/SubjectIssuerGrantedAuthority.java
deleted file mode 100644
index 9d4c85c51..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/SubjectIssuerGrantedAuthority.java
+++ /dev/null
@@ -1,125 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client;
-
-import org.springframework.security.core.GrantedAuthority;
-
-import com.google.common.base.Strings;
-
-/**
- *
- * Simple authority representing a user at an issuer.
- *
- * @author jricher
- *
- */
-public class SubjectIssuerGrantedAuthority implements GrantedAuthority {
-
- private static final long serialVersionUID = 5584978219226664794L;
-
- private final String subject;
- private final String issuer;
-
- /**
- * @param subject
- * @param issuer
- */
- public SubjectIssuerGrantedAuthority(String subject, String issuer) {
- if (Strings.isNullOrEmpty(subject) || Strings.isNullOrEmpty(issuer)) {
- throw new IllegalArgumentException("Neither subject nor issuer may be null or empty");
- }
- this.subject = subject;
- this.issuer = issuer;
- }
-
- /**
- * Returns a string formed by concatenating the subject with the issuer, separated by _ and prepended with OIDC_
- *
- * For example, the user "bob" from issuer "http://id.example.com/" would return the authority string of:
- *
- * OIDC_bob_http://id.example.com/
- */
- @Override
- public String getAuthority() {
- return "OIDC_" + subject + "_" + issuer;
- }
-
- /**
- * @return the subject
- */
- public String getSubject() {
- return subject;
- }
-
- /**
- * @return the issuer
- */
- public String getIssuer() {
- return issuer;
- }
-
- /* (non-Javadoc)
- * @see java.lang.Object#hashCode()
- */
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((issuer == null) ? 0 : issuer.hashCode());
- result = prime * result + ((subject == null) ? 0 : subject.hashCode());
- return result;
- }
-
- /* (non-Javadoc)
- * @see java.lang.Object#equals(java.lang.Object)
- */
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (obj == null) {
- return false;
- }
- if (!(obj instanceof SubjectIssuerGrantedAuthority)) {
- return false;
- }
- SubjectIssuerGrantedAuthority other = (SubjectIssuerGrantedAuthority) obj;
- if (issuer == null) {
- if (other.issuer != null) {
- return false;
- }
- } else if (!issuer.equals(other.issuer)) {
- return false;
- }
- if (subject == null) {
- if (other.subject != null) {
- return false;
- }
- } else if (!subject.equals(other.subject)) {
- return false;
- }
- return true;
- }
-
- @Override
- public String toString() {
- return getAuthority();
- }
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java
deleted file mode 100644
index 1fca0bfeb..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client;
-
-public interface TargetLinkURIChecker {
-
- /**
- * Check the parameter to make sure that it's a valid deep-link into this application.
- *
- * @param target
- * @return
- */
- public String filter(String target);
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/UserInfoFetcher.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/UserInfoFetcher.java
deleted file mode 100644
index 5b755617b..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/UserInfoFetcher.java
+++ /dev/null
@@ -1,157 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client;
-
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.TimeUnit;
-
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.utils.URIBuilder;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.mitre.openid.connect.config.ServerConfiguration.UserInfoTokenMethod;
-import org.mitre.openid.connect.model.DefaultUserInfo;
-import org.mitre.openid.connect.model.PendingOIDCAuthenticationToken;
-import org.mitre.openid.connect.model.UserInfo;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.http.HttpMethod;
-import org.springframework.http.client.ClientHttpRequest;
-import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
-import org.springframework.util.LinkedMultiValueMap;
-import org.springframework.util.MultiValueMap;
-import org.springframework.web.client.RestTemplate;
-
-import com.google.common.base.Strings;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
-import com.google.common.util.concurrent.UncheckedExecutionException;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParser;
-
-/**
- * Utility class to fetch userinfo from the userinfo endpoint, if available. Caches the results.
- * @author jricher
- *
- */
-public class UserInfoFetcher {
-
- /**
- * Logger for this class
- */
- private static final Logger logger = LoggerFactory.getLogger(UserInfoFetcher.class);
-
- private LoadingCache cache;
-
- public UserInfoFetcher() {
- this(HttpClientBuilder.create().useSystemProperties().build());
- }
-
- public UserInfoFetcher(HttpClient httpClient) {
- cache = CacheBuilder.newBuilder()
- .expireAfterWrite(1, TimeUnit.HOURS) // expires 1 hour after fetch
- .maximumSize(100)
- .build(new UserInfoLoader(httpClient));
- }
-
- public UserInfo loadUserInfo(final PendingOIDCAuthenticationToken token) {
- try {
- return cache.get(token);
- } catch (UncheckedExecutionException | ExecutionException e) {
- logger.warn("Couldn't load User Info from token: " + e.getMessage());
- return null;
- }
-
- }
-
-
- private class UserInfoLoader extends CacheLoader {
- private HttpComponentsClientHttpRequestFactory factory;
-
- UserInfoLoader(HttpClient httpClient) {
- this.factory = new HttpComponentsClientHttpRequestFactory(httpClient);
- }
-
- @Override
- public UserInfo load(final PendingOIDCAuthenticationToken token) throws URISyntaxException {
-
- ServerConfiguration serverConfiguration = token.getServerConfiguration();
-
- if (serverConfiguration == null) {
- logger.warn("No server configuration found.");
- return null;
- }
-
- if (Strings.isNullOrEmpty(serverConfiguration.getUserInfoUri())) {
- logger.warn("No userinfo endpoint, not fetching.");
- return null;
- }
-
- String userInfoString = null;
-
- if (serverConfiguration.getUserInfoTokenMethod() == null || serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.HEADER)) {
- RestTemplate restTemplate = new RestTemplate(factory) {
-
- @Override
- protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException {
- ClientHttpRequest httpRequest = super.createRequest(url, method);
- httpRequest.getHeaders().add("Authorization", String.format("Bearer %s", token.getAccessTokenValue()));
- return httpRequest;
- }
- };
-
- userInfoString = restTemplate.getForObject(serverConfiguration.getUserInfoUri(), String.class);
-
- } else if (serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.FORM)) {
- MultiValueMap form = new LinkedMultiValueMap<>();
- form.add("access_token", token.getAccessTokenValue());
-
- RestTemplate restTemplate = new RestTemplate(factory);
- userInfoString = restTemplate.postForObject(serverConfiguration.getUserInfoUri(), form, String.class);
- } else if (serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.QUERY)) {
- URIBuilder builder = new URIBuilder(serverConfiguration.getUserInfoUri());
- builder.setParameter("access_token", token.getAccessTokenValue());
-
- RestTemplate restTemplate = new RestTemplate(factory);
- userInfoString = restTemplate.getForObject(builder.toString(), String.class);
- }
-
-
- if (!Strings.isNullOrEmpty(userInfoString)) {
-
- JsonObject userInfoJson = new JsonParser().parse(userInfoString).getAsJsonObject();
-
- UserInfo userInfo = fromJson(userInfoJson);
-
- return userInfo;
- } else {
- // didn't get anything throw exception
- throw new IllegalArgumentException("Unable to load user info");
- }
-
- }
- }
-
- protected UserInfo fromJson(JsonObject userInfoJson) {
- return DefaultUserInfo.fromJson(userInfoJson);
- }
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisher.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisher.java
deleted file mode 100644
index dfd0eea85..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisher.java
+++ /dev/null
@@ -1,130 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -package org.mitre.openid.connect.client.keypublisher; - -import java.util.Map; -import java.util.UUID; - -import org.mitre.jwt.signer.service.JWTSigningAndValidationService; -import org.mitre.openid.connect.view.JWKSetView; -import org.springframework.beans.BeansException; -import org.springframework.beans.factory.config.ConfigurableListableBeanFactory; -import org.springframework.beans.factory.support.BeanDefinitionBuilder; -import org.springframework.beans.factory.support.BeanDefinitionRegistry; -import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor; -import org.springframework.web.servlet.ModelAndView; - -import com.google.common.base.Strings; -import com.nimbusds.jose.jwk.JWK; - -/** - * @author jricher - * - */ -public class ClientKeyPublisher implements BeanDefinitionRegistryPostProcessor { - - private JWTSigningAndValidationService signingAndValidationService; - - private String jwkPublishUrl; - - private BeanDefinitionRegistry registry; - - private String jwkViewName = JWKSetView.VIEWNAME; - - /** - * If the jwkPublishUrl field is set on this bean, set up a listener on that URL to 
publish keys. - */ - @Override - public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException { - if (!Strings.isNullOrEmpty(getJwkPublishUrl())) { - - // add a mapping to this class - BeanDefinitionBuilder clientKeyMapping = BeanDefinitionBuilder.rootBeanDefinition(ClientKeyPublisherMapping.class); - // custom view resolver - BeanDefinitionBuilder viewResolver = BeanDefinitionBuilder.rootBeanDefinition(JwkViewResolver.class); - - if (!Strings.isNullOrEmpty(getJwkPublishUrl())) { - clientKeyMapping.addPropertyValue("jwkPublishUrl", getJwkPublishUrl()); - - // randomize view name to make sure it doesn't conflict with local views - jwkViewName = JWKSetView.VIEWNAME + "-" + UUID.randomUUID().toString(); - viewResolver.addPropertyValue("jwkViewName", jwkViewName); - - // view bean - BeanDefinitionBuilder jwkView = BeanDefinitionBuilder.rootBeanDefinition(JWKSetView.class); - registry.registerBeanDefinition(JWKSetView.VIEWNAME, jwkView.getBeanDefinition()); - viewResolver.addPropertyReference("jwk", JWKSetView.VIEWNAME); - } - - registry.registerBeanDefinition("clientKeyMapping", clientKeyMapping.getBeanDefinition()); - registry.registerBeanDefinition("jwkViewResolver", viewResolver.getBeanDefinition()); - - } - - } - - /* (non-Javadoc) - * @see org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor#postProcessBeanDefinitionRegistry(org.springframework.beans.factory.support.BeanDefinitionRegistry) - */ - @Override - public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException { - this.registry = registry; - } - - /** - * Return a view to publish all keys in JWK format. Only used if jwkPublishUrl is set. 
- * @return - */ - public ModelAndView publishClientJwk() { - - // map from key id to key - Map keys = signingAndValidationService.getAllPublicKeys(); - - return new ModelAndView(jwkViewName, "keys", keys); - } - - /** - * @return the jwkPublishUrl - */ - public String getJwkPublishUrl() { - return jwkPublishUrl; - } - - /** - * @param jwkPublishUrl the jwkPublishUrl to set - */ - public void setJwkPublishUrl(String jwkPublishUrl) { - this.jwkPublishUrl = jwkPublishUrl; - } - - /** - * @return the signingAndValidationService - */ - public JWTSigningAndValidationService getSigningAndValidationService() { - return signingAndValidationService; - } - - /** - * @param signingAndValidationService the signingAndValidationService to set - */ - public void setSigningAndValidationService(JWTSigningAndValidationService signingAndValidationService) { - this.signingAndValidationService = signingAndValidationService; - } - - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisherMapping.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisherMapping.java deleted file mode 100644 index e601f3c27..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisherMapping.java +++ /dev/null 
@@ -1,82 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.keypublisher; - -import java.lang.reflect.Method; - -import org.springframework.stereotype.Component; -import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition; -import org.springframework.web.servlet.mvc.method.RequestMappingInfo; -import org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping; - -/** - * @author jricher - * - */ -@Component -public class ClientKeyPublisherMapping extends RequestMappingInfoHandlerMapping { - - private String jwkPublishUrl; - - /* (non-Javadoc) - * @see org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#isHandler(java.lang.Class) - */ - @Override - protected boolean isHandler(Class beanType) { - return beanType.equals(ClientKeyPublisher.class); - } - - /** - * Map the "jwkKeyPublish" method to our jwkPublishUrl. 
- */ - @Override - protected RequestMappingInfo getMappingForMethod(Method method, Class handlerType) { - - if (method.getName().equals("publishClientJwk") && getJwkPublishUrl() != null) { - return new RequestMappingInfo( - new PatternsRequestCondition(new String[] {getJwkPublishUrl()}, getUrlPathHelper(), getPathMatcher(), false, false), - null, - null, - null, - null, - null, - null); - } else { - return null; - } - - } - - /** - * @return the jwkPublishUrl - */ - public String getJwkPublishUrl() { - return jwkPublishUrl; - } - - /** - * @param jwkPublishUrl the jwkPublishUrl to set - */ - public void setJwkPublishUrl(String jwkPublishUrl) { - this.jwkPublishUrl = jwkPublishUrl; - } - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/JwkViewResolver.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/JwkViewResolver.java deleted file mode 100644 index 30ebdd63f..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/JwkViewResolver.java +++ /dev/null 
@@ -1,103 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.keypublisher; - -import java.util.Locale; - -import org.springframework.core.Ordered; -import org.springframework.web.servlet.View; -import org.springframework.web.servlet.ViewResolver; - -/** - * - * Simple view resolver to map JWK view names to appropriate beans - * - * @author jricher - * - */ -public class JwkViewResolver implements ViewResolver, Ordered { - - private String jwkViewName = "jwkKeyList"; - private View jwk; - - private int order = HIGHEST_PRECEDENCE; // highest precedence, most specific -- avoids hitting the catch-all view resolvers - - /** - * Map "jwkKeyList" to the jwk property on this bean. 
- * Everything else returns null - */ - @Override - public View resolveViewName(String viewName, Locale locale) throws Exception { - if (viewName != null) { - if (viewName.equals(getJwkViewName())) { - return getJwk(); - } else { - return null; - } - } else { - return null; - } - } - - /** - * @return the jwk - */ - public View getJwk() { - return jwk; - } - - /** - * @param jwk the jwk to set - */ - public void setJwk(View jwk) { - this.jwk = jwk; - } - - /** - * @return the order - */ - @Override - public int getOrder() { - return order; - } - - /** - * @param order the order to set - */ - public void setOrder(int order) { - this.order = order; - } - - /** - * @return the jwkViewName - */ - public String getJwkViewName() { - return jwkViewName; - } - - /** - * @param jwkViewName the jwkViewName to set - */ - public void setJwkViewName(String jwkViewName) { - this.jwkViewName = jwkViewName; - } - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/model/IssuerServiceResponse.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/model/IssuerServiceResponse.java deleted file mode 100644 index e8de16a13..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/model/IssuerServiceResponse.java +++ /dev/null 
@@ -1,110 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.model; - -/** - * - * Data container to facilitate returns from the IssuerService API. 
- * - * @author jricher - * - */ -public class IssuerServiceResponse { - - private String issuer; - private String loginHint; - private String targetLinkUri; - private String redirectUrl; - - /** - * @param issuer - * @param loginHint - * @param targetLinkUri - */ - public IssuerServiceResponse(String issuer, String loginHint, String targetLinkUri) { - this.issuer = issuer; - this.loginHint = loginHint; - this.targetLinkUri = targetLinkUri; - } - - /** - * @param redirectUrl - */ - public IssuerServiceResponse(String redirectUrl) { - this.redirectUrl = redirectUrl; - } - /** - * @return the issuer - */ - public String getIssuer() { - return issuer; - } - /** - * @param issuer the issuer to set - */ - public void setIssuer(String issuer) { - this.issuer = issuer; - } - /** - * @return the loginHint - */ - public String getLoginHint() { - return loginHint; - } - /** - * @param loginHint the loginHint to set - */ - public void setLoginHint(String loginHint) { - this.loginHint = loginHint; - } - /** - * @return the targetLinkUri - */ - public String getTargetLinkUri() { - return targetLinkUri; - } - /** - * @param targetLinkUri the targetLinkUri to set - */ - public void setTargetLinkUri(String targetLinkUri) { - this.targetLinkUri = targetLinkUri; - } - /** - * @return the redirectUrl - */ - public String getRedirectUrl() { - return redirectUrl; - } - /** - * @param redirectUrl the redirectUrl to set - */ - public void setRedirectUrl(String redirectUrl) { - this.redirectUrl = redirectUrl; - } - - /** - * If the redirect url has been set, then we should send a redirect using it instead of processing things. - */ - public boolean shouldRedirect() { - return this.redirectUrl != null; - } - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestOptionsService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestOptionsService.java deleted file mode 100644 index 73a8d377f..000000000 
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestOptionsService.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service;
-
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.config.ServerConfiguration;
-
-/**
- *
- * This service provides any extra options that need to be passed to the authentication request,
- * either through the authorization endpoint (getOptions) or the token endpoint (getTokenOptions).
- * These options may depend on the server configuration, client configuration, or HTTP request.
- *
- * @author jricher
- *
- */
-public interface AuthRequestOptionsService {
-
- /**
- * The set of options needed at the authorization endpoint.
- *
- * @param server
- * @param client
- * @param request
- * @return
- */
- public Map getOptions(ServerConfiguration server, RegisteredClient client, HttpServletRequest request);
-
- /**
- * The set of options needed at the token endpoint.
- *
- * @param server
- * @param client
- * @param request
- * @return
- */
- public Map getTokenOptions(ServerConfiguration server, RegisteredClient client, HttpServletRequest request);
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestUrlBuilder.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestUrlBuilder.java
deleted file mode 100644
index 14eb8a09c..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestUrlBuilder.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service;
-
-import java.util.Map;
-
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.config.ServerConfiguration;
-
-/**
- * Builds a URL string to the IdP's authorization endpoint.
- *
- * @author jricher
- *
- */
-public interface AuthRequestUrlBuilder {
-
- /**
- * @param serverConfig
- * @param clientConfig
- * @param redirectUri
- * @param nonce
- * @param state
- * @param loginHint
- * @return
- */
- public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig, String redirectUri, String nonce, String state, Map options, String loginHint);
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ClientConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ClientConfigurationService.java deleted file mode 100644 index 6444376b3..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ClientConfigurationService.java +++ /dev/null @@ -1,34 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service; - -import org.mitre.oauth2.model.RegisteredClient; -import org.mitre.openid.connect.config.ServerConfiguration; - -/** - * @author jricher - * - */ -public interface ClientConfigurationService { - - public RegisteredClient getClientConfiguration(ServerConfiguration issuer); - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/IssuerService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/IssuerService.java deleted file mode 100644 index 7e4e52702..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/IssuerService.java +++ /dev/null 
@@ -1,38 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service; - -import javax.servlet.http.HttpServletRequest; - -import org.mitre.openid.connect.client.model.IssuerServiceResponse; - -/** - * - * Gets an issuer for the given request. Might do dynamic discovery, or might be statically configured. - * - * @author jricher - * - */ -public interface IssuerService { - - public IssuerServiceResponse getIssuer(HttpServletRequest request); - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/RegisteredClientService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/RegisteredClientService.java deleted file mode 100644 index 0ca59bc10..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/RegisteredClientService.java +++ /dev/null 
@@ -1,48 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service; - -import org.mitre.oauth2.model.RegisteredClient; - -/** - * @author jricher - * - */ -public interface RegisteredClientService { - - /** - * Get a remembered client (if one exists) to talk to the given issuer. This - * client likely doesn't have its full configuration information but contains - * the information needed to fetch it. - * @param issuer - * @return - */ - RegisteredClient getByIssuer(String issuer); - - /** - * Save this client's information for talking to the given issuer. This will - * save only enough information to fetch the client's full configuration from - * the server. - * @param client - */ - void save(String issuer, RegisteredClient client); - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ServerConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ServerConfigurationService.java deleted file mode 100644 index 44613fdc5..000000000 
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ServerConfigurationService.java +++ /dev/null @@ -1,33 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service; - -import org.mitre.openid.connect.config.ServerConfiguration; - -/** - * @author jricher - * - */ -public interface ServerConfigurationService { - - public ServerConfiguration getServerConfiguration(String issuer); - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java deleted file mode 100644 index 2c32fd8fd..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java +++ /dev/null 
@@ -1,247 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service.impl; - -import java.util.HashSet; -import java.util.Set; -import java.util.concurrent.ExecutionException; - -import org.apache.http.client.HttpClient; -import org.apache.http.impl.client.HttpClientBuilder; -import org.mitre.oauth2.model.RegisteredClient; -import org.mitre.openid.connect.ClientDetailsEntityJsonProcessor; -import org.mitre.openid.connect.client.service.ClientConfigurationService; -import org.mitre.openid.connect.client.service.RegisteredClientService; -import org.mitre.openid.connect.config.ServerConfiguration; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.http.HttpEntity; -import org.springframework.http.HttpHeaders; -import org.springframework.http.HttpMethod; -import org.springframework.http.MediaType; -import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; -import org.springframework.security.authentication.AuthenticationServiceException; -import org.springframework.security.oauth2.common.OAuth2AccessToken; -import 
org.springframework.security.oauth2.common.exceptions.InvalidClientException; -import org.springframework.web.client.RestClientException; -import org.springframework.web.client.RestTemplate; - -import com.google.common.cache.CacheBuilder; -import com.google.common.cache.CacheLoader; -import com.google.common.cache.LoadingCache; -import com.google.common.collect.Lists; -import com.google.common.util.concurrent.UncheckedExecutionException; -import com.google.gson.Gson; -import com.google.gson.JsonObject; - -/** - * @author jricher - * - */ -public class DynamicRegistrationClientConfigurationService implements ClientConfigurationService { - - /** - * Logger for this class - */ - private static final Logger logger = LoggerFactory.getLogger(DynamicRegistrationClientConfigurationService.class); - - private LoadingCache clients; - - private RegisteredClientService registeredClientService = new InMemoryRegisteredClientService(); - - private RegisteredClient template; - - private Set whitelist = new HashSet<>(); - private Set blacklist = new HashSet<>(); - - public DynamicRegistrationClientConfigurationService() { - this(HttpClientBuilder.create().useSystemProperties().build()); - } - - public DynamicRegistrationClientConfigurationService(HttpClient httpClient) { - clients = CacheBuilder.newBuilder().build(new DynamicClientRegistrationLoader(httpClient)); - } - - @Override - public RegisteredClient getClientConfiguration(ServerConfiguration issuer) { - try { - if (!whitelist.isEmpty() && !whitelist.contains(issuer.getIssuer())) { - throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer); - } - - if (blacklist.contains(issuer.getIssuer())) { - throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer); - } - - return clients.get(issuer); - } catch (UncheckedExecutionException | ExecutionException e) { - logger.warn("Unable to get client configuration", e); - return null; - } - } - - /** - * @return the 
template - */ - public RegisteredClient getTemplate() { - return template; - } - - /** - * @param template the template to set - */ - public void setTemplate(RegisteredClient template) { - // make sure the template doesn't have unwanted fields set on it - if (template != null) { - template.setClientId(null); - template.setClientSecret(null); - template.setRegistrationClientUri(null); - template.setRegistrationAccessToken(null); - } - this.template = template; - } - - /** - * @return the registeredClientService - */ - public RegisteredClientService getRegisteredClientService() { - return registeredClientService; - } - - /** - * @param registeredClientService the registeredClientService to set - */ - public void setRegisteredClientService(RegisteredClientService registeredClientService) { - this.registeredClientService = registeredClientService; - } - - - /** - * @return the whitelist - */ - public Set getWhitelist() { - return whitelist; - } - - /** - * @param whitelist the whitelist to set - */ - public void setWhitelist(Set whitelist) { - this.whitelist = whitelist; - } - - /** - * @return the blacklist - */ - public Set getBlacklist() { - return blacklist; - } - - /** - * @param blacklist the blacklist to set - */ - public void setBlacklist(Set blacklist) { - this.blacklist = blacklist; - } - - - /** - * Loader class that fetches the client information. - * - * If a client has been registered (ie, it's known to the RegisteredClientService), then this - * will fetch the client's configuration from the server. 
- * - * @author jricher - * - */ - public class DynamicClientRegistrationLoader extends CacheLoader { - private HttpComponentsClientHttpRequestFactory httpFactory; - private Gson gson = new Gson(); // note that this doesn't serialize nulls by default - - public DynamicClientRegistrationLoader() { - this(HttpClientBuilder.create().useSystemProperties().build()); - } - - public DynamicClientRegistrationLoader(HttpClient httpClient) { - this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient); - } - - @Override - public RegisteredClient load(ServerConfiguration serverConfig) throws Exception { - RestTemplate restTemplate = new RestTemplate(httpFactory); - - - RegisteredClient knownClient = registeredClientService.getByIssuer(serverConfig.getIssuer()); - if (knownClient == null) { - - // dynamically register this client - JsonObject jsonRequest = ClientDetailsEntityJsonProcessor.serialize(template); - String serializedClient = gson.toJson(jsonRequest); - - HttpHeaders headers = new HttpHeaders(); - headers.setContentType(MediaType.APPLICATION_JSON); - headers.setAccept(Lists.newArrayList(MediaType.APPLICATION_JSON)); - - HttpEntity entity = new HttpEntity<>(serializedClient, headers); - - try { - String registered = restTemplate.postForObject(serverConfig.getRegistrationEndpointUri(), entity, String.class); - - RegisteredClient client = ClientDetailsEntityJsonProcessor.parseRegistered(registered); - - // save this client for later - registeredClientService.save(serverConfig.getIssuer(), client); - - return client; - } catch (RestClientException rce) { - throw new InvalidClientException("Error registering client with server"); - } - } else { - - if (knownClient.getClientId() == null) { - - // load this client's information from the server - HttpHeaders headers = new HttpHeaders(); - headers.set("Authorization", String.format("%s %s", OAuth2AccessToken.BEARER_TYPE, knownClient.getRegistrationAccessToken())); - 
headers.setAccept(Lists.newArrayList(MediaType.APPLICATION_JSON)); - - HttpEntity entity = new HttpEntity<>(headers); - - try { - String registered = restTemplate.exchange(knownClient.getRegistrationClientUri(), HttpMethod.GET, entity, String.class).getBody(); - // TODO: handle HTTP errors - - RegisteredClient client = ClientDetailsEntityJsonProcessor.parseRegistered(registered); - - return client; - } catch (RestClientException rce) { - throw new InvalidClientException("Error loading previously registered client information from server"); - } - } else { - // it's got a client ID from the store, don't bother trying to load it - return knownClient; - } - } - } - - } - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java deleted file mode 100644 index 5f451c2dc..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java +++ /dev/null 
@@ -1,215 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service.impl; - -import static org.mitre.util.JsonUtils.getAsBoolean; -import static org.mitre.util.JsonUtils.getAsEncryptionMethodList; -import static org.mitre.util.JsonUtils.getAsJweAlgorithmList; -import static org.mitre.util.JsonUtils.getAsJwsAlgorithmList; -import static org.mitre.util.JsonUtils.getAsString; -import static org.mitre.util.JsonUtils.getAsStringList; - -import java.util.HashSet; -import java.util.Set; -import java.util.concurrent.ExecutionException; - -import org.apache.http.client.HttpClient; -import org.apache.http.impl.client.HttpClientBuilder; -import org.mitre.openid.connect.client.service.ServerConfigurationService; -import org.mitre.openid.connect.config.ServerConfiguration; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; -import org.springframework.security.authentication.AuthenticationServiceException; -import org.springframework.web.client.RestTemplate; - -import com.google.common.cache.CacheBuilder; -import com.google.common.cache.CacheLoader; 
-import com.google.common.cache.LoadingCache; -import com.google.common.util.concurrent.UncheckedExecutionException; -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.gson.JsonParser; - -/** - * - * Dynamically fetches OpenID Connect server configurations based on the issuer. Caches the server configurations. - * - * @author jricher - * - */ -public class DynamicServerConfigurationService implements ServerConfigurationService { - - /** - * Logger for this class - */ - private static final Logger logger = LoggerFactory.getLogger(DynamicServerConfigurationService.class); - - // map of issuer -> server configuration, loaded dynamically from service discovery - private LoadingCache servers; - - private Set whitelist = new HashSet<>(); - private Set blacklist = new HashSet<>(); - - public DynamicServerConfigurationService() { - this(HttpClientBuilder.create().useSystemProperties().build()); - } - - public DynamicServerConfigurationService(HttpClient httpClient) { - // initialize the cache - servers = CacheBuilder.newBuilder().build(new OpenIDConnectServiceConfigurationFetcher(httpClient)); - } - - /** - * @return the whitelist - */ - public Set getWhitelist() { - return whitelist; - } - - /** - * @param whitelist the whitelist to set - */ - public void setWhitelist(Set whitelist) { - this.whitelist = whitelist; - } - - /** - * @return the blacklist - */ - public Set getBlacklist() { - return blacklist; - } - - /** - * @param blacklist the blacklist to set - */ - public void setBlacklist(Set blacklist) { - this.blacklist = blacklist; - } - - @Override - public ServerConfiguration getServerConfiguration(String issuer) { - try { - - if (!whitelist.isEmpty() && !whitelist.contains(issuer)) { - throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer); - } - - if (blacklist.contains(issuer)) { - throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer); - } - - 
return servers.get(issuer); - } catch (UncheckedExecutionException | ExecutionException e) { - logger.warn("Couldn't load configuration for " + issuer + ": " + e); - return null; - } - - } - - /** - * @author jricher - * - */ - private class OpenIDConnectServiceConfigurationFetcher extends CacheLoader { - private HttpComponentsClientHttpRequestFactory httpFactory; - private JsonParser parser = new JsonParser(); - - OpenIDConnectServiceConfigurationFetcher(HttpClient httpClient) { - this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient); - } - - @Override - public ServerConfiguration load(String issuer) throws Exception { - RestTemplate restTemplate = new RestTemplate(httpFactory); - - // data holder - ServerConfiguration conf = new ServerConfiguration(); - - // construct the well-known URI - String url = issuer + "/.well-known/openid-configuration"; - - // fetch the value - String jsonString = restTemplate.getForObject(url, String.class); - - JsonElement parsed = parser.parse(jsonString); - if (parsed.isJsonObject()) { - - JsonObject o = parsed.getAsJsonObject(); - - // sanity checks - if (!o.has("issuer")) { - throw new IllegalStateException("Returned object did not have an 'issuer' field"); - } - - if (!issuer.equals(o.get("issuer").getAsString())) { - logger.info("Issuer used for discover was " + issuer + " but final issuer is " + o.get("issuer").getAsString()); - } - - conf.setIssuer(o.get("issuer").getAsString()); - - - conf.setAuthorizationEndpointUri(getAsString(o, "authorization_endpoint")); - conf.setTokenEndpointUri(getAsString(o, "token_endpoint")); - conf.setJwksUri(getAsString(o, "jwks_uri")); - conf.setUserInfoUri(getAsString(o, "userinfo_endpoint")); - conf.setRegistrationEndpointUri(getAsString(o, "registration_endpoint")); - conf.setIntrospectionEndpointUri(getAsString(o, "introspection_endpoint")); - conf.setAcrValuesSupported(getAsStringList(o, "acr_values_supported")); - conf.setCheckSessionIframe(getAsString(o, 
"check_session_iframe")); - conf.setClaimsLocalesSupported(getAsStringList(o, "claims_locales_supported")); - conf.setClaimsParameterSupported(getAsBoolean(o, "claims_parameter_supported")); - conf.setClaimsSupported(getAsStringList(o, "claims_supported")); - conf.setDisplayValuesSupported(getAsStringList(o, "display_values_supported")); - conf.setEndSessionEndpoint(getAsString(o, "end_session_endpoint")); - conf.setGrantTypesSupported(getAsStringList(o, "grant_types_supported")); - conf.setIdTokenSigningAlgValuesSupported(getAsJwsAlgorithmList(o, "id_token_signing_alg_values_supported")); - conf.setIdTokenEncryptionAlgValuesSupported(getAsJweAlgorithmList(o, "id_token_encryption_alg_values_supported")); - conf.setIdTokenEncryptionEncValuesSupported(getAsEncryptionMethodList(o, "id_token_encryption_enc_values_supported")); - conf.setOpPolicyUri(getAsString(o, "op_policy_uri")); - conf.setOpTosUri(getAsString(o, "op_tos_uri")); - conf.setRequestObjectEncryptionAlgValuesSupported(getAsJweAlgorithmList(o, "request_object_encryption_alg_values_supported")); - conf.setRequestObjectEncryptionEncValuesSupported(getAsEncryptionMethodList(o, "request_object_encryption_enc_values_supported")); - conf.setRequestObjectSigningAlgValuesSupported(getAsJwsAlgorithmList(o, "request_object_signing_alg_values_supported")); - conf.setRequestParameterSupported(getAsBoolean(o, "request_parameter_supported")); - conf.setRequestUriParameterSupported(getAsBoolean(o, "request_uri_parameter_supported")); - conf.setResponseTypesSupported(getAsStringList(o, "response_types_supported")); - conf.setScopesSupported(getAsStringList(o, "scopes_supported")); - conf.setSubjectTypesSupported(getAsStringList(o, "subject_types_supported")); - conf.setServiceDocumentation(getAsString(o, "service_documentation")); - conf.setTokenEndpointAuthMethodsSupported(getAsStringList(o, "token_endpoint_auth_methods")); - conf.setTokenEndpointAuthSigningAlgValuesSupported(getAsJwsAlgorithmList(o, 
"token_endpoint_auth_signing_alg_values_supported")); - conf.setUiLocalesSupported(getAsStringList(o, "ui_locales_supported")); - conf.setUserinfoEncryptionAlgValuesSupported(getAsJweAlgorithmList(o, "userinfo_encryption_alg_values_supported")); - conf.setUserinfoEncryptionEncValuesSupported(getAsEncryptionMethodList(o, "userinfo_encryption_enc_values_supported")); - conf.setUserinfoSigningAlgValuesSupported(getAsJwsAlgorithmList(o, "userinfo_signing_alg_values_supported")); - - return conf; - } else { - throw new IllegalStateException("Couldn't parse server discovery results for " + url); - } - - } - - } - -} diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java deleted file mode 100644 index cad7d7399..000000000 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java +++ /dev/null 
@@ -1,147 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service.impl; - -import java.net.URISyntaxException; -import java.util.Map; -import java.util.Map.Entry; - -import org.apache.http.client.utils.URIBuilder; -import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService; -import org.mitre.jwt.signer.service.impl.JWKSetCacheService; -import org.mitre.oauth2.model.RegisteredClient; -import org.mitre.openid.connect.client.service.AuthRequestUrlBuilder; -import org.mitre.openid.connect.config.ServerConfiguration; -import org.springframework.security.authentication.AuthenticationServiceException; - -import com.google.common.base.Joiner; -import com.google.common.base.Strings; -import com.nimbusds.jose.EncryptionMethod; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jwt.EncryptedJWT; -import com.nimbusds.jwt.JWTClaimsSet; - -/** - * @author jricher - * - */ -public class EncryptedAuthRequestUrlBuilder implements AuthRequestUrlBuilder { - - private JWKSetCacheService encrypterService; - - private JWEAlgorithm alg; - private EncryptionMethod enc; - - - /* 
(non-Javadoc) - * @see org.mitre.openid.connect.client.service.AuthRequestUrlBuilder#buildAuthRequestUrl(org.mitre.openid.connect.config.ServerConfiguration, org.mitre.oauth2.model.RegisteredClient, java.lang.String, java.lang.String, java.lang.String, java.util.Map) - */ - @Override - public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig, String redirectUri, String nonce, String state, Map options, String loginHint) { - - // create our signed JWT for the request object - JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder(); - - //set parameters to JwtClaims - claims.claim("response_type", "code"); - claims.claim("client_id", clientConfig.getClientId()); - claims.claim("scope", Joiner.on(" ").join(clientConfig.getScope())); - - // build our redirect URI - claims.claim("redirect_uri", redirectUri); - - // this comes back in the id token - claims.claim("nonce", nonce); - - // this comes back in the auth request return - claims.claim("state", state); - - // Optional parameters - for (Entry option : options.entrySet()) { - claims.claim(option.getKey(), option.getValue()); - } - - // if there's a login hint, send it - if (!Strings.isNullOrEmpty(loginHint)) { - claims.claim("login_hint", loginHint); - } - - EncryptedJWT jwt = new EncryptedJWT(new JWEHeader(alg, enc), claims.build()); - - JWTEncryptionAndDecryptionService encryptor = encrypterService.getEncrypter(serverConfig.getJwksUri()); - - encryptor.encryptJwt(jwt); - - try { - URIBuilder uriBuilder = new URIBuilder(serverConfig.getAuthorizationEndpointUri()); - uriBuilder.addParameter("request", jwt.serialize()); - - // build out the URI - return uriBuilder.build().toString(); - } catch (URISyntaxException e) { - throw new AuthenticationServiceException("Malformed Authorization Endpoint Uri", e); - } - } - - /** - * @return the encrypterService - */ - public JWKSetCacheService getEncrypterService() { - return encrypterService; - } - - /** - * @param encrypterService 
the encrypterService to set
- */
- public void setEncrypterService(JWKSetCacheService encrypterService) {
- this.encrypterService = encrypterService;
- }
-
- /**
- * @return the alg
- */
- public JWEAlgorithm getAlg() {
- return alg;
- }
-
- /**
- * @param alg the alg to set
- */
- public void setAlg(JWEAlgorithm alg) {
- this.alg = alg;
- }
-
- /**
- * @return the enc
- */
- public EncryptionMethod getEnc() {
- return enc;
- }
-
- /**
- * @param enc the enc to set
- */
- public void setEnc(EncryptionMethod enc) {
- this.enc = enc;
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java
deleted file mode 100644
index 16fed24ed..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java
+++ /dev/null
@@ -1,143 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service.impl; - -import java.util.Map; -import java.util.Set; - -import org.mitre.oauth2.model.RegisteredClient; -import org.mitre.openid.connect.client.service.ClientConfigurationService; -import org.mitre.openid.connect.client.service.RegisteredClientService; -import org.mitre.openid.connect.config.ServerConfiguration; - -/** - * Houses both a static client configuration and a dynamic client configuration - * service in one object. Checks the static service first, then falls through to - * the dynamic service. - * - * Provides configuration passthrough for the template, registered client service, whitelist, - * and blacklist for the dynamic service, and to the static service's client map. 
- * - * @author jricher - * - */ -public class HybridClientConfigurationService implements ClientConfigurationService { - - private StaticClientConfigurationService staticClientService = new StaticClientConfigurationService(); - - private DynamicRegistrationClientConfigurationService dynamicClientService = new DynamicRegistrationClientConfigurationService(); - - /* (non-Javadoc) - * @see org.mitre.openid.connect.client.service.ClientConfigurationService#getClientConfiguration(org.mitre.openid.connect.config.ServerConfiguration) - */ - @Override - public RegisteredClient getClientConfiguration(ServerConfiguration issuer) { - - RegisteredClient client = staticClientService.getClientConfiguration(issuer); - if (client != null) { - return client; - } else { - return dynamicClientService.getClientConfiguration(issuer); - } - - } - - /** - * @return - * @see org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService#getClients() - */ - public Map getClients() { - return staticClientService.getClients(); - } - - /** - * @param clients - * @see org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService#setClients(java.util.Map) - */ - public void setClients(Map clients) { - staticClientService.setClients(clients); - } - - /** - * @return - * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getTemplate() - */ - public RegisteredClient getTemplate() { - return dynamicClientService.getTemplate(); - } - - /** - * @param template - * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setTemplate(org.mitre.oauth2.model.RegisteredClient) - */ - public void setTemplate(RegisteredClient template) { - dynamicClientService.setTemplate(template); - } - - /** - * @return - * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getRegisteredClientService() - */ - public RegisteredClientService 
getRegisteredClientService() {
- return dynamicClientService.getRegisteredClientService();
- }
-
- /**
- * @param registeredClientService
- * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setRegisteredClientService(org.mitre.openid.connect.client.service.RegisteredClientService)
- */
- public void setRegisteredClientService(RegisteredClientService registeredClientService) {
- dynamicClientService.setRegisteredClientService(registeredClientService);
- }
-
- /**
- * @return
- * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getWhitelist()
- */
- public Set getWhitelist() {
- return dynamicClientService.getWhitelist();
- }
-
- /**
- * @param whitelist
- * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setWhitelist(java.util.Set)
- */
- public void setWhitelist(Set whitelist) {
- dynamicClientService.setWhitelist(whitelist);
- }
-
- /**
- * @return
- * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getBlacklist()
- */
- public Set getBlacklist() {
- return dynamicClientService.getBlacklist();
- }
-
- /**
- * @param blacklist
- * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setBlacklist(java.util.Set)
- */
- public void setBlacklist(Set blacklist) {
- dynamicClientService.setBlacklist(blacklist);
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridIssuerService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridIssuerService.java
deleted file mode 100644
index 816f03698..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridIssuerService.java
+++ /dev/null
@@ -1,124 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -package org.mitre.openid.connect.client.service.impl; - -import java.util.Set; - -import javax.servlet.http.HttpServletRequest; - -import org.mitre.openid.connect.client.model.IssuerServiceResponse; -import org.mitre.openid.connect.client.service.IssuerService; - -import com.google.common.collect.Sets; - -/** - * - * Issuer service that tries to parse input from the inputs from a third-party - * account chooser service (if possible), but falls back to webfinger discovery - * if not. 
- * - * @author jricher - * - */ -public class HybridIssuerService implements IssuerService { - - /** - * @return - * @see org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService#getAccountChooserUrl() - */ - public String getAccountChooserUrl() { - return thirdPartyIssuerService.getAccountChooserUrl(); - } - - /** - * @param accountChooserUrl - * @see org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService#setAccountChooserUrl(java.lang.String) - */ - public void setAccountChooserUrl(String accountChooserUrl) { - thirdPartyIssuerService.setAccountChooserUrl(accountChooserUrl); - } - - /** - * @return - * @see org.mitre.openid.connect.client.service.impl.WebfingerIssuerService#isForceHttps() - */ - public boolean isForceHttps() { - return webfingerIssuerService.isForceHttps(); - } - - /** - * @param forceHttps - * @see org.mitre.openid.connect.client.service.impl.WebfingerIssuerService#setForceHttps(boolean) - */ - public void setForceHttps(boolean forceHttps) { - webfingerIssuerService.setForceHttps(forceHttps); - } - - private ThirdPartyIssuerService thirdPartyIssuerService = new ThirdPartyIssuerService(); - private WebfingerIssuerService webfingerIssuerService = new WebfingerIssuerService(); - - @Override - public IssuerServiceResponse getIssuer(HttpServletRequest request) { - - IssuerServiceResponse resp = thirdPartyIssuerService.getIssuer(request); - if (resp.shouldRedirect()) { - // if it wants us to redirect, try the webfinger approach first - return webfingerIssuerService.getIssuer(request); - } else { - return resp; - } - - } - - public Set getWhitelist() { - return Sets.union(thirdPartyIssuerService.getWhitelist(), webfingerIssuerService.getWhitelist()); - } - - public void setWhitelist(Set whitelist) { - thirdPartyIssuerService.setWhitelist(whitelist); - webfingerIssuerService.setWhitelist(whitelist); - } - - public Set getBlacklist() { - return Sets.union(thirdPartyIssuerService.getBlacklist(), 
webfingerIssuerService.getWhitelist());
- }
-
- public void setBlacklist(Set blacklist) {
- thirdPartyIssuerService.setBlacklist(blacklist);
- webfingerIssuerService.setBlacklist(blacklist);
- }
-
- public String getParameterName() {
- return webfingerIssuerService.getParameterName();
- }
-
- public void setParameterName(String parameterName) {
- webfingerIssuerService.setParameterName(parameterName);
- }
-
- public String getLoginPageUrl() {
- return webfingerIssuerService.getLoginPageUrl();
- }
-
- public void setLoginPageUrl(String loginPageUrl) {
- webfingerIssuerService.setLoginPageUrl(loginPageUrl);
- thirdPartyIssuerService.setAccountChooserUrl(loginPageUrl); // set the same URL on both, but this one gets ignored
- }
-
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java
deleted file mode 100644
index cf519442c..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java
+++ /dev/null
@@ -1,115 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -/** - * - */ -package org.mitre.openid.connect.client.service.impl; - -import java.util.Map; -import java.util.Set; - -import org.mitre.openid.connect.client.service.ServerConfigurationService; -import org.mitre.openid.connect.config.ServerConfiguration; - -/** - * Houses both a static server configuration and a dynamic server configuration - * service in one object. Checks the static service first, then falls through to - * the dynamic service. - * - * Provides configuration passthrough to the dynamic service's whitelist and blacklist, - * and to the static service's server map. 
- * - * - * @author jricher - * - */ -public class HybridServerConfigurationService implements ServerConfigurationService { - - private StaticServerConfigurationService staticServerService = new StaticServerConfigurationService(); - - private DynamicServerConfigurationService dynamicServerService = new DynamicServerConfigurationService(); - - - /* (non-Javadoc) - * @see org.mitre.openid.connect.client.service.ServerConfigurationService#getServerConfiguration(java.lang.String) - */ - @Override - public ServerConfiguration getServerConfiguration(String issuer) { - ServerConfiguration server = staticServerService.getServerConfiguration(issuer); - if (server != null) { - return server; - } else { - return dynamicServerService.getServerConfiguration(issuer); - } - } - - - /** - * @return - * @see org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService#getServers() - */ - public Map getServers() { - return staticServerService.getServers(); - } - - - /** - * @param servers - * @see org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService#setServers(java.util.Map) - */ - public void setServers(Map servers) { - staticServerService.setServers(servers); - } - - - /** - * @return - * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#getWhitelist() - */ - public Set getWhitelist() { - return dynamicServerService.getWhitelist(); - } - - - /** - * @param whitelist - * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#setWhitelist(java.util.Set) - */ - public void setWhitelist(Set whitelist) { - dynamicServerService.setWhitelist(whitelist); - } - - - /** - * @return - * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#getBlacklist() - */ - public Set getBlacklist() { - return dynamicServerService.getBlacklist(); - } - - - /** - * @param blacklist - * @see 
org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#setBlacklist(java.util.Set)
- */
- public void setBlacklist(Set blacklist) {
- dynamicServerService.setBlacklist(blacklist);
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/InMemoryRegisteredClientService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/InMemoryRegisteredClientService.java
deleted file mode 100644
index 6be9eca8e..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/InMemoryRegisteredClientService.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.client.service.RegisteredClientService;
-
-/**
- * @author jricher
- *
- */
-public class InMemoryRegisteredClientService implements RegisteredClientService {
-
- private Map clients = new HashMap<>();
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.RegisteredClientService#getByIssuer(java.lang.String)
- */
- @Override
- public RegisteredClient getByIssuer(String issuer) {
- return clients.get(issuer);
- }
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.RegisteredClientService#save(org.mitre.oauth2.model.RegisteredClient)
- */
- @Override
- public void save(String issuer, RegisteredClient client) {
- clients.put(issuer, client);
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/JsonFileRegisteredClientService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/JsonFileRegisteredClientService.java
deleted file mode 100644
index de69bb8f3..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/JsonFileRegisteredClientService.java
+++ /dev/null
@@ -1,143 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.io.File;
-import java.io.FileReader;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.lang.reflect.Type;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.ClientDetailsEntityJsonProcessor;
-import org.mitre.openid.connect.client.service.RegisteredClientService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.reflect.TypeToken;
-import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
-import com.google.gson.JsonDeserializationContext;
-import com.google.gson.JsonDeserializer;
-import com.google.gson.JsonElement;
-import com.google.gson.JsonParseException;
-import com.google.gson.JsonSerializationContext;
-import com.google.gson.JsonSerializer;
-
-/**
- * @author jricher
- *
- */
-public class JsonFileRegisteredClientService implements RegisteredClientService {
-
- /**
- * Logger for this class
- */
- private static final Logger logger = LoggerFactory.getLogger(JsonFileRegisteredClientService.class);
-
- private Gson gson = new GsonBuilder()
- .registerTypeAdapter(RegisteredClient.class, new JsonSerializer() {
- @Override
- public JsonElement serialize(RegisteredClient src, Type typeOfSrc, JsonSerializationContext context) {
- return ClientDetailsEntityJsonProcessor.serialize(src);
- }
- })
- .registerTypeAdapter(RegisteredClient.class, new JsonDeserializer() {
- @Override
- public RegisteredClient deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context) throws JsonParseException {
- return ClientDetailsEntityJsonProcessor.parseRegistered(json);
- }
- })
- .setPrettyPrinting()
- .create();
-
- private File file;
-
- private Map clients = new HashMap<>();
-
- public JsonFileRegisteredClientService(String filename) {
- this.file = new File(filename);
- load();
- }
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.RegisteredClientService#getByIssuer(java.lang.String)
- */
- @Override
- public RegisteredClient getByIssuer(String issuer) {
- return clients.get(issuer);
- }
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.RegisteredClientService#save(java.lang.String, org.mitre.oauth2.model.RegisteredClient)
- */
- @Override
- public void save(String issuer, RegisteredClient client) {
- clients.put(issuer, client);
- write();
- }
-
- /**
- * Sync the map of clients out to disk.
- */
- @SuppressWarnings("serial")
- private void write() {
- try {
- if (!file.exists()) {
- // create a new file
- logger.info("Creating saved clients list in " + file);
- file.createNewFile();
- }
- FileWriter out = new FileWriter(file);
-
- gson.toJson(clients, new TypeToken>(){}.getType(), out);
-
- out.close();
-
- } catch (IOException e) {
- logger.error("Could not write to output file", e);
- }
- }
-
- /**
- * Load the map in from disk.
- */
- @SuppressWarnings("serial")
- private void load() {
- try {
- if (!file.exists()) {
- logger.info("No sved clients file found in " + file);
- return;
- }
- FileReader in = new FileReader(file);
-
- clients = gson.fromJson(in, new TypeToken>(){}.getType());
-
- in.close();
-
- } catch (IOException e) {
- logger.error("Could not read from input file", e);
- }
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java
deleted file mode 100644
index 86ecece0e..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.net.URISyntaxException;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.http.client.utils.URIBuilder;
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.client.service.AuthRequestUrlBuilder;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.springframework.security.authentication.AuthenticationServiceException;
-
-import com.google.common.base.Joiner;
-import com.google.common.base.Strings;
-
-/**
- *
- * Builds an auth request redirect URI with normal query parameters.
- *
- * @author jricher
- *
- */
-public class PlainAuthRequestUrlBuilder implements AuthRequestUrlBuilder {
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.AuthRequestUrlBuilder#buildAuthRequest(javax.servlet.http.HttpServletRequest, org.mitre.openid.connect.config.ServerConfiguration, org.springframework.security.oauth2.provider.ClientDetails)
- */
- @Override
- public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig, String redirectUri, String nonce, String state, Map options, String loginHint) {
- try {
-
- URIBuilder uriBuilder = new URIBuilder(serverConfig.getAuthorizationEndpointUri());
- uriBuilder.addParameter("response_type", "code");
- uriBuilder.addParameter("client_id", clientConfig.getClientId());
- uriBuilder.addParameter("scope", Joiner.on(" ").join(clientConfig.getScope()));
-
- uriBuilder.addParameter("redirect_uri", redirectUri);
-
- uriBuilder.addParameter("nonce", nonce);
-
- uriBuilder.addParameter("state", state);
-
- // Optional parameters:
- for (Entry option : options.entrySet()) {
- uriBuilder.addParameter(option.getKey(), option.getValue());
- }
-
- // if there's a login hint, send it
- if (!Strings.isNullOrEmpty(loginHint)) {
- uriBuilder.addParameter("login_hint", loginHint);
- }
-
- return uriBuilder.build().toString();
-
- } catch (URISyntaxException e) {
- throw new AuthenticationServiceException("Malformed Authorization Endpoint Uri", e);
-
- }
-
-
-
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java
deleted file mode 100644
index 604a72a39..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.net.URISyntaxException;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.http.client.utils.URIBuilder;
-import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.client.service.AuthRequestUrlBuilder;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.springframework.security.authentication.AuthenticationServiceException;
-
-import com.google.common.base.Joiner;
-import com.google.common.base.Strings;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.SignedJWT;
-
-/**
- * @author jricher
- *
- */
-public class SignedAuthRequestUrlBuilder implements AuthRequestUrlBuilder {
-
- private JWTSigningAndValidationService signingAndValidationService;
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.AuthRequestUrlBuilder#buildAuthRequestUrl(org.mitre.openid.connect.config.ServerConfiguration, org.springframework.security.oauth2.provider.ClientDetails, java.lang.String, java.lang.String, java.lang.String)
- */
- @Override
- public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig, String redirectUri, String nonce, String state, Map options, String loginHint) {
-
- // create our signed JWT for the request object
- JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
-
- //set parameters to JwtClaims
- claims.claim("response_type", "code");
- claims.claim("client_id", clientConfig.getClientId());
- claims.claim("scope", Joiner.on(" ").join(clientConfig.getScope()));
-
- // build our redirect URI
- claims.claim("redirect_uri", redirectUri);
-
- // this comes back in the id token
- claims.claim("nonce", nonce);
-
- // this comes back in the auth request return
- claims.claim("state", state);
-
- // Optional parameters
- for (Entry option : options.entrySet()) {
- claims.claim(option.getKey(), option.getValue());
- }
-
- // if there's a login hint, send it
- if (!Strings.isNullOrEmpty(loginHint)) {
- claims.claim("login_hint", loginHint);
- }
-
- JWSAlgorithm alg = clientConfig.getRequestObjectSigningAlg();
- if (alg == null) {
- alg = signingAndValidationService.getDefaultSigningAlgorithm();
- }
-
- SignedJWT jwt = new SignedJWT(new JWSHeader(alg), claims.build());
-
- signingAndValidationService.signJwt(jwt, alg);
-
- try {
- URIBuilder uriBuilder = new URIBuilder(serverConfig.getAuthorizationEndpointUri());
- uriBuilder.addParameter("request", jwt.serialize());
-
- // build out the URI
- return uriBuilder.build().toString();
- } catch (URISyntaxException e) {
- throw new AuthenticationServiceException("Malformed Authorization Endpoint Uri", e);
- }
- }
-
- /**
- * @return the signingAndValidationService
- */
- public JWTSigningAndValidationService getSigningAndValidationService() {
- return signingAndValidationService;
- }
-
- /**
- * @param signingAndValidationService the signingAndValidationService to set
- */
- public void setSigningAndValidationService(JWTSigningAndValidationService signingAndValidationService) {
- this.signingAndValidationService = signingAndValidationService;
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticAuthRequestOptionsService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticAuthRequestOptionsService.java
deleted file mode 100644
index 8febc64a0..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticAuthRequestOptionsService.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.client.service.AuthRequestOptionsService;
-import org.mitre.openid.connect.config.ServerConfiguration;
-
-/**
- *
- * Always returns the same set of options.
- *
- * @author jricher
- *
- */
-public class StaticAuthRequestOptionsService implements AuthRequestOptionsService {
-
- private Map options = new HashMap<>();
- private Map tokenOptions = new HashMap<>();
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.AuthRequestOptionsService#getOptions(org.mitre.openid.connect.config.ServerConfiguration, org.mitre.oauth2.model.RegisteredClient, javax.servlet.http.HttpServletRequest)
- */
- @Override
- public Map getOptions(ServerConfiguration server, RegisteredClient client, HttpServletRequest request) {
- return options;
- }
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.AuthRequestOptionsService#getTokenOptions(org.mitre.openid.connect.config.ServerConfiguration, org.mitre.oauth2.model.RegisteredClient, javax.servlet.http.HttpServletRequest)
- */
- @Override
- public Map getTokenOptions(ServerConfiguration server, RegisteredClient client, HttpServletRequest request) {
- return tokenOptions;
- }
-
- /**
- * @return the options object directly
- */
- public Map getOptions() {
- return options;
- }
-
- /**
- * @param options the options to set
- */
- public void setOptions(Map options) {
- this.options = options;
- }
-
- /**
- * @return the tokenOptions
- */
- public Map getTokenOptions() {
- return tokenOptions;
- }
-
- /**
- * @param tokenOptions the tokenOptions to set
- */
- public void setTokenOptions(Map tokenOptions) {
- this.tokenOptions = tokenOptions;
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticClientConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticClientConfigurationService.java
deleted file mode 100644
index df3101804..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticClientConfigurationService.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.util.Map;
-
-import javax.annotation.PostConstruct;
-
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.client.service.ClientConfigurationService;
-import org.mitre.openid.connect.config.ServerConfiguration;
-
-/**
- * Client configuration service that holds a static map from issuer URL to a ClientDetails object to use at that issuer.
- *
- * Designed to be configured as a bean.
- *
- * @author jricher
- *
- */
-public class StaticClientConfigurationService implements ClientConfigurationService {
-
- // Map of issuer URL -> client configuration information
- private Map clients;
-
- /**
- * @return the clients
- */
- public Map getClients() {
- return clients;
- }
-
- /**
- * @param clients the clients to set
- */
- public void setClients(Map clients) {
- this.clients = clients;
- }
-
- /**
- * Get the client configured for this issuer
- *
- * @see org.mitre.openid.connect.client.service.ClientConfigurationService#getClientConfiguration(java.lang.String)
- */
- @Override
- public RegisteredClient getClientConfiguration(ServerConfiguration issuer) {
-
- return clients.get(issuer.getIssuer());
- }
-
- @PostConstruct
- public void afterPropertiesSet() {
- if (clients == null || clients.isEmpty()) {
- throw new IllegalArgumentException("Clients map cannot be null or empty");
- }
-
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticServerConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticServerConfigurationService.java
deleted file mode 100644
index ebca40c1e..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticServerConfigurationService.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.util.Map;
-
-import javax.annotation.PostConstruct;
-
-import org.mitre.openid.connect.client.service.ServerConfigurationService;
-import org.mitre.openid.connect.config.ServerConfiguration;
-
-/**
- * Statically configured server configuration service that maps issuer URLs to server configurations to use at that issuer.
- *
- * @author jricher
- *
- */
-public class StaticServerConfigurationService implements ServerConfigurationService {
-
- // map of issuer url -> server configuration information
- private Map servers;
-
- /**
- * @return the servers
- */
- public Map getServers() {
- return servers;
- }
-
- /**
- * @param servers the servers to set
- */
- public void setServers(Map servers) {
- this.servers = servers;
- }
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.ServerConfigurationService#getServerConfiguration(java.lang.String)
- */
- @Override
- public ServerConfiguration getServerConfiguration(String issuer) {
- return servers.get(issuer);
- }
-
- @PostConstruct
- public void afterPropertiesSet() {
- if (servers == null || servers.isEmpty()) {
- throw new IllegalArgumentException("Servers map cannot be null or empty.");
- }
-
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticSingleIssuerService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticSingleIssuerService.java
deleted file mode 100644
index c72b65523..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticSingleIssuerService.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletRequest;
-
-import org.mitre.openid.connect.client.model.IssuerServiceResponse;
-import org.mitre.openid.connect.client.service.IssuerService;
-
-import com.google.common.base.Strings;
-
-/**
- * @author jricher
- *
- */
-public class StaticSingleIssuerService implements IssuerService {
-
- private String issuer;
-
- /**
- * @return the issuer
- */
- public String getIssuer() {
- return issuer;
- }
-
- /**
- * @param issuer the issuer to set
- */
- public void setIssuer(String issuer) {
- this.issuer = issuer;
- }
-
- /**
- * Always returns the configured issuer URL
- *
- * @see org.mitre.openid.connect.client.service.IssuerService#getIssuer(javax.servlet.http.HttpServletRequest)
- */
- @Override
- public IssuerServiceResponse getIssuer(HttpServletRequest request) {
- return new IssuerServiceResponse(getIssuer(), null, null);
- }
-
- @PostConstruct
- public void afterPropertiesSet() {
-
- if (Strings.isNullOrEmpty(issuer)) {
- throw new IllegalArgumentException("Issuer must not be null or empty.");
- }
-
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java
deleted file mode 100644
index b26b91c89..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java
+++ /dev/null
@@ -1,139 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.net.URISyntaxException;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.http.client.utils.URIBuilder;
-import org.mitre.openid.connect.client.model.IssuerServiceResponse;
-import org.mitre.openid.connect.client.service.IssuerService;
-import org.springframework.security.authentication.AuthenticationServiceException;
-
-import com.google.common.base.Strings;
-
-/**
- *
- * Determines the issuer using an account chooser or other third-party-initiated login
- *
- * @author jricher
- *
- */
-public class ThirdPartyIssuerService implements IssuerService {
-
- private String accountChooserUrl;
-
- private Set whitelist = new HashSet<>();
- private Set blacklist = new HashSet<>();
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.IssuerService#getIssuer(javax.servlet.http.HttpServletRequest)
- */
- @Override
- public IssuerServiceResponse getIssuer(HttpServletRequest request) {
-
- // if the issuer is passed in, return that
- String iss = request.getParameter("iss");
- if (!Strings.isNullOrEmpty(iss)) {
- if (!whitelist.isEmpty() && !whitelist.contains(iss)) {
- throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + iss);
- }
-
- if (blacklist.contains(iss)) {
- throw new AuthenticationServiceException("Issuer was in blacklist: " + iss);
- }
-
- return new IssuerServiceResponse(iss, request.getParameter("login_hint"), request.getParameter("target_link_uri"));
- } else {
-
- try {
- // otherwise, need to forward to the account chooser
- String redirectUri = request.getRequestURL().toString();
- URIBuilder builder = new URIBuilder(accountChooserUrl);
-
- builder.addParameter("redirect_uri", redirectUri);
-
- return new IssuerServiceResponse(builder.build().toString());
-
- } catch (URISyntaxException e) {
- throw new AuthenticationServiceException("Account Chooser URL is not valid", e);
- }
-
-
- }
-
- }
-
- /**
- * @return the accountChooserUrl
- */
- public String getAccountChooserUrl() {
- return accountChooserUrl;
- }
-
- /**
- * @param accountChooserUrl the accountChooserUrl to set
- */
- public void setAccountChooserUrl(String accountChooserUrl) {
- this.accountChooserUrl = accountChooserUrl;
- }
-
- /**
- * @return the whitelist
- */
- public Set getWhitelist() {
- return whitelist;
- }
-
- /**
- * @param whitelist the whitelist to set
- */
- public void setWhitelist(Set whitelist) {
- this.whitelist = whitelist;
- }
-
- /**
- * @return the blacklist
- */
- public Set getBlacklist() {
- return blacklist;
- }
-
- /**
- * @param blacklist the blacklist to set
- */
- public void setBlacklist(Set blacklist) {
- this.blacklist = blacklist;
- }
-
- @PostConstruct
- public void afterPropertiesSet() {
- if (Strings.isNullOrEmpty(this.accountChooserUrl)) {
- throw new IllegalArgumentException("Account Chooser URL cannot be null or empty");
- }
-
- }
-
-}
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java
deleted file mode 100644
index ca2fe5949..000000000
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java
+++ /dev/null
@@ -1,305 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-/**
- *
- */
-package org.mitre.openid.connect.client.service.impl;
-
-import java.util.HashSet;
-import java.util.Set;
-import java.util.concurrent.ExecutionException;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.utils.URIBuilder;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.mitre.discovery.util.WebfingerURLNormalizer;
-import org.mitre.openid.connect.client.model.IssuerServiceResponse;
-import org.mitre.openid.connect.client.service.IssuerService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
-import org.springframework.security.authentication.AuthenticationServiceException;
-import org.springframework.web.client.RestClientException;
-import org.springframework.web.client.RestTemplate;
-import org.springframework.web.util.UriComponents;
-
-import com.google.common.base.Strings;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
-import com.google.common.util.concurrent.UncheckedExecutionException;
-import com.google.gson.JsonArray;
-import com.google.gson.JsonElement;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParseException;
-import com.google.gson.JsonParser;
-
-/**
- * Use Webfinger to discover the appropriate issuer for a user-given input string.
- * @author jricher
- *
- */
-public class WebfingerIssuerService implements IssuerService {
-
- /**
- * Logger for this class
- */
- private static final Logger logger = LoggerFactory.getLogger(WebfingerIssuerService.class);
-
- // map of user input -> issuer, loaded dynamically from webfinger discover
- private LoadingCache issuers;
-
- // private data shuttle class to get back two bits of info from the cache loader
- private class LoadingResult {
- public String loginHint;
- public String issuer;
- public LoadingResult(String loginHint, String issuer) {
- this.loginHint = loginHint;
- this.issuer = issuer;
- }
- }
-
- private Set whitelist = new HashSet<>();
- private Set blacklist = new HashSet<>();
-
- /**
- * Name of the incoming parameter to check for discovery purposes.
- */
- private String parameterName = "identifier";
-
- /**
- * URL of the page to forward to if no identifier is given.
- */
- private String loginPageUrl;
-
- /**
- * Strict enfocement of "https"
- */
- private boolean forceHttps = true;
-
- public WebfingerIssuerService() {
- this(HttpClientBuilder.create().useSystemProperties().build());
- }
-
- public WebfingerIssuerService(HttpClient httpClient) {
- issuers = CacheBuilder.newBuilder().build(new WebfingerIssuerFetcher(httpClient));
- }
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.IssuerService#getIssuer(javax.servlet.http.HttpServletRequest)
- */
- @Override
- public IssuerServiceResponse getIssuer(HttpServletRequest request) {
-
- String identifier = request.getParameter(parameterName);
- if (!Strings.isNullOrEmpty(identifier)) {
- try {
- LoadingResult lr = issuers.get(identifier);
- if (!whitelist.isEmpty() && !whitelist.contains(lr.issuer)) {
- throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + lr.issuer);
- }
-
- if (blacklist.contains(lr.issuer)) {
- throw new AuthenticationServiceException("Issuer was in blacklist: " + lr.issuer);
- }
-
- return new IssuerServiceResponse(lr.issuer, lr.loginHint, request.getParameter("target_link_uri"));
- } catch (UncheckedExecutionException | ExecutionException e) {
- logger.warn("Issue fetching issuer for user input: " + identifier + ": " + e.getMessage());
- return null;
- }
-
- } else {
- logger.warn("No user input given, directing to login page: " + loginPageUrl);
- return new IssuerServiceResponse(loginPageUrl);
- }
- }
-
- /**
- * @return the parameterName
- */
- public String getParameterName() {
- return parameterName;
- }
-
- /**
- * @param parameterName the parameterName to set
- */
- public void setParameterName(String parameterName) {
- this.parameterName = parameterName;
- }
-
-
- /**
- * @return the loginPageUrl
- */
- public String getLoginPageUrl() {
- return loginPageUrl;
- }
-
- /**
- * @param loginPageUrl the loginPageUrl to set
- */
- public void setLoginPageUrl(String loginPageUrl) {
- this.loginPageUrl = loginPageUrl;
- }
-
- /**
- * @return the whitelist
- */
- public Set getWhitelist() {
- return whitelist;
- }
-
- /**
- * @param whitelist the whitelist to set
- */
- public void setWhitelist(Set whitelist) {
- this.whitelist = whitelist;
- }
-
- /**
- * @return the blacklist
- */
- public Set getBlacklist() {
- return blacklist;
- }
-
- /**
- * @param blacklist the blacklist to set
- */
- public void setBlacklist(Set blacklist) {
- this.blacklist = blacklist;
- }
-
- /**
- * @return the forceHttps
- */
- public boolean isForceHttps() {
- return forceHttps;
- }
-
- /**
- * @param forceHttps the forceHttps to set
- */
- public void setForceHttps(boolean forceHttps) {
- this.forceHttps = forceHttps;
- }
-
- /**
- * @author jricher
- *
- */
- private class WebfingerIssuerFetcher extends CacheLoader {
- private HttpComponentsClientHttpRequestFactory httpFactory;
- private JsonParser parser = new JsonParser();
-
- WebfingerIssuerFetcher(HttpClient httpClient) {
- this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
- }
-
- @Override
- public LoadingResult load(String identifier) throws Exception {
-
- UriComponents key = WebfingerURLNormalizer.normalizeResource(identifier);
-
- RestTemplate restTemplate = new RestTemplate(httpFactory);
- // construct the URL to go to
-
- String scheme = key.getScheme();
-
- // preserving http scheme is strictly for demo system use only.
- if (!Strings.isNullOrEmpty(scheme) &&scheme.equals("http")) {
- if (forceHttps) {
- throw new IllegalArgumentException("Scheme must not be 'http'");
- } else {
- logger.warn("Webfinger endpoint MUST use the https URI scheme, overriding by configuration");
- scheme = "http://"; // add on colon and slashes.
- }
- } else {
- // otherwise we don't know the scheme, assume HTTPS
- scheme = "https://";
- }
-
- // do a webfinger lookup
- URIBuilder builder = new URIBuilder(scheme
- + key.getHost()
- + (key.getPort() >= 0 ? ":" + key.getPort() : "")
- + Strings.nullToEmpty(key.getPath())
- + "/.well-known/webfinger"
- + (Strings.isNullOrEmpty(key.getQuery()) ? "" : "?" + key.getQuery())
- );
- builder.addParameter("resource", identifier);
- builder.addParameter("rel", "http://openid.net/specs/connect/1.0/issuer");
-
- try {
-
- // do the fetch
- logger.info("Loading: " + builder.toString());
- String webfingerResponse = restTemplate.getForObject(builder.build(), String.class);
-
- JsonElement json = parser.parse(webfingerResponse);
-
- if (json != null && json.isJsonObject()) {
- // find the issuer
- JsonArray links = json.getAsJsonObject().get("links").getAsJsonArray();
- for (JsonElement link : links) {
- if (link.isJsonObject()) {
- JsonObject linkObj = link.getAsJsonObject();
- if (linkObj.has("href")
- && linkObj.has("rel")
- && linkObj.get("rel").getAsString().equals("http://openid.net/specs/connect/1.0/issuer")) {
-
- // we found the issuer, return it
- String href = linkObj.get("href").getAsString();
-
- if (identifier.equals(href)
- || identifier.startsWith("http")) {
- // try to avoid sending a URL as the login hint
- return new LoadingResult(null, href);
- } else {
- // otherwise pass back whatever the user typed as a login hint
- return new LoadingResult(identifier, href);
- }
- }
- }
- }
- }
- } catch (JsonParseException | RestClientException e) {
- logger.warn("Failure in fetching webfinger input", e.getMessage());
- }
-
- // we couldn't find it!
-
- if (key.getScheme().equals("http") || key.getScheme().equals("https")) {
- // if it looks like HTTP then punt: return the input, hope for the best
- logger.warn("Returning normalized input string as issuer, hoping for the best: " + identifier);
- return new LoadingResult(null, identifier);
- } else {
- // if it's not HTTP, give up
- logger.warn("Couldn't find issuer: " + identifier);
- throw new IllegalArgumentException();
- }
-
- }
-
- }
-
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/TestOAuth2AccessTokenImpl.java b/openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/TestOAuth2AccessTokenImpl.java
deleted file mode 100644
index 051b5a26c..000000000
--- a/openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/TestOAuth2AccessTokenImpl.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.oauth2.introspectingfilter;
-
-import java.util.Collections;
-import java.util.Date;
-import java.util.Set;
-
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.gson.JsonObject;
-
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.CoreMatchers.is;
-
-import static org.junit.Assert.assertThat;
-
-public class TestOAuth2AccessTokenImpl {
-
- private static String tokenString = "thisisatokenstring";
-
- private static Set scopes = ImmutableSet.of("bar", "foo");
- private static String scopeString = "foo bar";
-
- private static Date exp = new Date(123 * 1000L);
- private static Long expVal = 123L;
-
- @Test
- public void testFullToken() {
-
-
- JsonObject tokenObj = new JsonObject();
- tokenObj.addProperty("active", true);
- tokenObj.addProperty("scope", scopeString);
- tokenObj.addProperty("exp", expVal);
- tokenObj.addProperty("sub", "subject");
- tokenObj.addProperty("client_id", "123-456-789");
-
- OAuth2AccessTokenImpl tok = new OAuth2AccessTokenImpl(tokenObj, tokenString);
-
- assertThat(tok.getScope(), is(equalTo(scopes)));
- assertThat(tok.getExpiration(), is(equalTo(exp)));
- }
-
- @Test
- public void testNullExp() {
-
-
- JsonObject tokenObj = new JsonObject();
- tokenObj.addProperty("active", true);
- tokenObj.addProperty("scope", scopeString);
- tokenObj.addProperty("sub", "subject");
- tokenObj.addProperty("client_id", "123-456-789");
-
- OAuth2AccessTokenImpl tok = new OAuth2AccessTokenImpl(tokenObj, tokenString);
-
- assertThat(tok.getScope(), is(equalTo(scopes)));
- assertThat(tok.getExpiration(), is(equalTo(null)));
- }
-
- @Test
- public void testNullScopes() {
-
-
- JsonObject tokenObj = new JsonObject();
- tokenObj.addProperty("active", true);
- tokenObj.addProperty("exp", expVal);
- tokenObj.addProperty("sub", "subject");
- tokenObj.addProperty("client_id", "123-456-789");
-
- OAuth2AccessTokenImpl tok = new OAuth2AccessTokenImpl(tokenObj, tokenString);
-
- assertThat(tok.getScope(), is(equalTo(Collections.EMPTY_SET)));
- assertThat(tok.getExpiration(), is(equalTo(exp)));
- }
-
- @Test
- public void testNullScopesNullExp() {
-
-
- JsonObject tokenObj = new JsonObject();
- tokenObj.addProperty("active", true);
- tokenObj.addProperty("sub", "subject");
- tokenObj.addProperty("client_id", "123-456-789");
-
- OAuth2AccessTokenImpl tok = new OAuth2AccessTokenImpl(tokenObj, tokenString);
-
- assertThat(tok.getScope(), is(equalTo(Collections.EMPTY_SET)));
- assertThat(tok.getExpiration(), is(equalTo(null)));
- }
-
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/service/impl/TestScopeBasedIntrospectionAuthoritiesGranter.java b/openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/service/impl/TestScopeBasedIntrospectionAuthoritiesGranter.java
deleted file mode 100644
index 2323019ef..000000000
--- a/openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/service/impl/TestScopeBasedIntrospectionAuthoritiesGranter.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.oauth2.introspectingfilter.service.impl;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-
-import com.google.gson.JsonObject;
-
-import static org.junit.Assert.assertTrue;
-
-/**
- * @author jricher
- *
- */
-public class TestScopeBasedIntrospectionAuthoritiesGranter {
-
- private JsonObject introspectionResponse;
-
- private ScopeBasedIntrospectionAuthoritiesGranter granter = new ScopeBasedIntrospectionAuthoritiesGranter();
-
- /**
- * @throws java.lang.Exception
- */
- @Before
- public void setUp() throws Exception {
- introspectionResponse = new JsonObject();
- }
-
- /**
- * Test method for {@link org.mitre.oauth2.introspectingfilter.service.impl.ScopeBasedIntrospectionAuthoritiesGranter#getAuthorities(com.google.gson.JsonObject)}.
- */
- @Test
- public void testGetAuthoritiesJsonObject_withScopes() {
- introspectionResponse.addProperty("scope", "foo bar baz batman");
-
- List expected = new ArrayList<>();
- expected.add(new SimpleGrantedAuthority("ROLE_API"));
- expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_foo"));
- expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_bar"));
- expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_baz"));
- expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_batman"));
-
- List authorities = granter.getAuthorities(introspectionResponse);
-
- assertTrue(authorities.containsAll(expected));
- assertTrue(expected.containsAll(authorities));
- }
-
- /**
- * Test method for {@link org.mitre.oauth2.introspectingfilter.service.impl.ScopeBasedIntrospectionAuthoritiesGranter#getAuthorities(com.google.gson.JsonObject)}.
- */
- @Test
- public void testGetAuthoritiesJsonObject_withoutScopes() {
-
- List expected = new ArrayList<>();
- expected.add(new SimpleGrantedAuthority("ROLE_API"));
-
- List authorities = granter.getAuthorities(introspectionResponse);
-
- assertTrue(authorities.containsAll(expected));
- assertTrue(expected.containsAll(authorities));
- }
-
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/TestOIDCAuthenticationFilter.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/TestOIDCAuthenticationFilter.java
deleted file mode 100644
index ae3018bbc..000000000
--- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/TestOIDCAuthenticationFilter.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.junit.Test;
-import org.mockito.Mockito;
-import org.springframework.security.authentication.AuthenticationServiceException;
-
-import static org.hamcrest.CoreMatchers.instanceOf;
-import static org.hamcrest.CoreMatchers.is;
-
-import static org.mockito.Mockito.mock;
-
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.fail;
-
-public class TestOIDCAuthenticationFilter {
-
- private OIDCAuthenticationFilter filter = new OIDCAuthenticationFilter();
-
- @Test
- public void attemptAuthentication_error() throws Exception {
-
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getParameter("error")).thenReturn("Error");
- Mockito.when(request.getParameter("error_description")).thenReturn("Description");
- Mockito.when(request.getParameter("error_uri")).thenReturn("http://example.com");
-
- try {
- filter.attemptAuthentication(request, mock(HttpServletResponse.class));
-
- fail("AuthorizationEndpointException expected.");
- }
- catch (AuthorizationEndpointException exception) {
- assertThat(exception.getMessage(),
- is("Error from Authorization Endpoint: Error Description http://example.com"));
-
- assertThat(exception.getError(), is("Error"));
- assertThat(exception.getErrorDescription(), is("Description"));
- assertThat(exception.getErrorURI(), is("http://example.com"));
-
- assertThat(exception, is(instanceOf(AuthenticationServiceException.class)));
- }
- }
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridClientConfigurationService.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridClientConfigurationService.java
deleted file mode 100644
index f7455981d..000000000
--- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridClientConfigurationService.java
+++ /dev/null
@@ -1,117 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client.service.impl;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.mockito.InjectMocks;
-import org.mockito.Matchers;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.runners.MockitoJUnitRunner;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.nullValue;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author wkim
- *
- */
-@RunWith(MockitoJUnitRunner.class)
-public class TestHybridClientConfigurationService {
-
- @Mock
- private StaticClientConfigurationService mockStaticService;
-
- @Mock
- private DynamicRegistrationClientConfigurationService mockDynamicService;
-
- @InjectMocks
- private HybridClientConfigurationService hybridService;
-
- // test fixture
-
- @Mock
- private RegisteredClient mockClient;
-
- @Mock
- private ServerConfiguration mockServerConfig;
-
- private String issuer = "https://www.example.com/";
-
- @Before
- public void prepare() {
-
- Mockito.reset(mockDynamicService, mockStaticService);
-
- Mockito.when(mockServerConfig.getIssuer()).thenReturn(issuer);
-
- }
-
- @Test
- public void getClientConfiguration_useStatic() {
-
- Mockito.when(mockStaticService.getClientConfiguration(mockServerConfig)).thenReturn(mockClient);
-
- RegisteredClient result = hybridService.getClientConfiguration(mockServerConfig);
-
- Mockito.verify(mockStaticService).getClientConfiguration(mockServerConfig);
- Mockito.verify(mockDynamicService, Mockito.never()).getClientConfiguration(Matchers.any(ServerConfiguration.class));
- assertEquals(mockClient, result);
- }
-
- @Test
- public void getClientConfiguration_useDynamic() {
-
- Mockito.when(mockStaticService.getClientConfiguration(mockServerConfig)).thenReturn(null);
- Mockito.when(mockDynamicService.getClientConfiguration(mockServerConfig)).thenReturn(mockClient);
-
- RegisteredClient result = hybridService.getClientConfiguration(mockServerConfig);
-
- Mockito.verify(mockStaticService).getClientConfiguration(mockServerConfig);
- Mockito.verify(mockDynamicService).getClientConfiguration(mockServerConfig);
- assertEquals(mockClient, result);
- }
-
- /**
- * Checks the behavior when the issuer is not known.
- */
- @Test
- public void getClientConfiguration_noIssuer() {
-
- // The mockServerConfig is known to both services
- Mockito.when(mockStaticService.getClientConfiguration(mockServerConfig)).thenReturn(mockClient);
- Mockito.when(mockDynamicService.getClientConfiguration(mockServerConfig)).thenReturn(mockClient);
-
- // But oh noes! We're going to ask it to find us some other issuer
- ServerConfiguration badIssuer = Mockito.mock(ServerConfiguration.class);
- Mockito.when(badIssuer.getIssuer()).thenReturn("www.badexample.com");
-
- RegisteredClient result = hybridService.getClientConfiguration(badIssuer);
-
- Mockito.verify(mockStaticService).getClientConfiguration(badIssuer);
- Mockito.verify(mockDynamicService).getClientConfiguration(badIssuer);
- assertThat(result, is(nullValue()));
- }
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridServerConfigurationService.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridServerConfigurationService.java
deleted file mode 100644
index c14e756f1..000000000
--- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridServerConfigurationService.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client.service.impl;
-
-
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.mockito.InjectMocks;
-import org.mockito.Matchers;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.runners.MockitoJUnitRunner;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.nullValue;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author wkim
- *
- */
-@RunWith(MockitoJUnitRunner.class)
-public class TestHybridServerConfigurationService {
-
- @Mock
- private StaticServerConfigurationService mockStaticService;
-
- @Mock
- private DynamicServerConfigurationService mockDynamicService;
-
- @InjectMocks
- private HybridServerConfigurationService hybridService;
-
- @Mock
- private ServerConfiguration mockServerConfig;
-
- private String issuer = "https://www.example.com/";
-
- @Before
- public void prepare() {
-
- Mockito.reset(mockDynamicService, mockStaticService);
-
- }
-
-
- @Test
- public void getServerConfiguration_useStatic() {
-
- Mockito.when(mockStaticService.getServerConfiguration(issuer)).thenReturn(mockServerConfig);
-
- ServerConfiguration result = hybridService.getServerConfiguration(issuer);
-
- Mockito.verify(mockStaticService).getServerConfiguration(issuer);
- Mockito.verify(mockDynamicService, Mockito.never()).getServerConfiguration(Matchers.anyString());
- assertEquals(mockServerConfig, result);
- }
-
- @Test
- public void getServerConfiguration_useDynamic() {
-
- Mockito.when(mockStaticService.getServerConfiguration(issuer)).thenReturn(null);
- Mockito.when(mockDynamicService.getServerConfiguration(issuer)).thenReturn(mockServerConfig);
-
- ServerConfiguration result = hybridService.getServerConfiguration(issuer);
-
- Mockito.verify(mockStaticService).getServerConfiguration(issuer);
- Mockito.verify(mockDynamicService).getServerConfiguration(issuer);
- assertEquals(mockServerConfig, result);
- }
-
- /**
- * Checks the behavior when the issuer is not known.
- */
- @Test
- public void getServerConfiguration_noIssuer() {
-
- Mockito.when(mockStaticService.getServerConfiguration(issuer)).thenReturn(mockServerConfig);
- Mockito.when(mockDynamicService.getServerConfiguration(issuer)).thenReturn(mockServerConfig);
-
- String badIssuer = "www.badexample.com";
-
- ServerConfiguration result = hybridService.getServerConfiguration(badIssuer);
-
- Mockito.verify(mockStaticService).getServerConfiguration(badIssuer);
- Mockito.verify(mockDynamicService).getServerConfiguration(badIssuer);
- assertThat(result, is(nullValue()));
- }
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java
deleted file mode 100644
index 391afb612..000000000
--- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client.service.impl;
-
-import java.util.Map;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.mockito.Mockito;
-import org.springframework.security.authentication.AuthenticationServiceException;
-
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.Sets;
-
-import static org.hamcrest.CoreMatchers.equalTo;
-
-import static org.junit.Assert.assertThat;
-
-/**
- * @author wkim
- *
- */
-public class TestPlainAuthRequestUrlBuilder {
-
- // Test fixture:
- ServerConfiguration serverConfig;
- RegisteredClient clientConfig;
-
- private PlainAuthRequestUrlBuilder urlBuilder = new PlainAuthRequestUrlBuilder();
-
- @Before
- public void prepare() {
-
- serverConfig = Mockito.mock(ServerConfiguration.class);
- Mockito.when(serverConfig.getAuthorizationEndpointUri()).thenReturn("https://server.example.com/authorize");
-
- clientConfig = Mockito.mock(RegisteredClient.class);
- Mockito.when(clientConfig.getClientId()).thenReturn("s6BhdRkqt3");
- Mockito.when(clientConfig.getScope()).thenReturn(Sets.newHashSet("openid", "profile"));
- }
-
- @Test
- public void buildAuthRequestUrl() {
-
- String expectedUrl = "https://server.example.com/authorize?" +
- "response_type=code" +
- "&client_id=s6BhdRkqt3" +
- "&scope=openid+profile" + // plus sign used for space per application/x-www-form-encoded standard
- "&redirect_uri=https%3A%2F%2Fclient.example.org%2F" +
- "&nonce=34fasf3ds" +
- "&state=af0ifjsldkj" +
- "&foo=bar";
-
- Map options = ImmutableMap.of("foo", "bar");
-
- String actualUrl = urlBuilder.buildAuthRequestUrl(serverConfig, clientConfig, "https://client.example.org/", "34fasf3ds", "af0ifjsldkj", options, null);
-
- assertThat(actualUrl, equalTo(expectedUrl));
- }
-
- @Test
- public void buildAuthRequestUrl_withLoginHint() {
-
- String expectedUrl = "https://server.example.com/authorize?" +
- "response_type=code" +
- "&client_id=s6BhdRkqt3" +
- "&scope=openid+profile" + // plus sign used for space per application/x-www-form-encoded standard
- "&redirect_uri=https%3A%2F%2Fclient.example.org%2F" +
- "&nonce=34fasf3ds" +
- "&state=af0ifjsldkj" +
- "&foo=bar" +
- "&login_hint=bob";
-
- Map options = ImmutableMap.of("foo", "bar");
-
- String actualUrl = urlBuilder.buildAuthRequestUrl(serverConfig, clientConfig, "https://client.example.org/", "34fasf3ds", "af0ifjsldkj", options, "bob");
-
- assertThat(actualUrl, equalTo(expectedUrl));
- }
-
- @Test(expected = AuthenticationServiceException.class)
- public void buildAuthRequestUrl_badUri() {
-
- Mockito.when(serverConfig.getAuthorizationEndpointUri()).thenReturn("e=mc^2");
-
- Map options = ImmutableMap.of("foo", "bar");
-
- urlBuilder.buildAuthRequestUrl(serverConfig, clientConfig, "example.com", "", "", options, null);
- }
-
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java
deleted file mode 100644
index 1e733cadb..000000000
--- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java
+++ /dev/null
@@ -1,204 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Portions copyright 2011-2013 The MITRE Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -package org.mitre.openid.connect.client.service.impl; - -import java.net.URI; -import java.net.URISyntaxException; -import java.security.NoSuchAlgorithmException; -import java.security.spec.InvalidKeySpecException; -import java.text.ParseException; -import java.util.Arrays; -import java.util.List; -import java.util.Map; - -import org.junit.Before; -import org.junit.Test; -import org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService; -import org.mitre.oauth2.model.RegisteredClient; -import org.mitre.openid.connect.config.ServerConfiguration; -import org.mockito.Mockito; -import org.springframework.security.authentication.AuthenticationServiceException; -import org.springframework.web.util.UriComponents; -import org.springframework.web.util.UriComponentsBuilder; - -import com.google.common.collect.ImmutableMap; -import com.google.common.collect.Maps; -import com.google.common.collect.Sets; -import com.nimbusds.jose.Algorithm; -import com.nimbusds.jose.jwk.JWK; -import com.nimbusds.jose.jwk.KeyUse; -import com.nimbusds.jose.jwk.RSAKey; -import com.nimbusds.jose.util.Base64URL; -import 
com.nimbusds.jwt.JWTClaimsSet; -import com.nimbusds.jwt.SignedJWT; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -/** - * @author wkim - * - */ -public class TestSignedAuthRequestUrlBuilder { - - // Test fixture: - private ServerConfiguration serverConfig; - private RegisteredClient clientConfig; - - private String redirectUri = "https://client.example.org/"; - private String nonce = "34fasf3ds"; - private String state = "af0ifjsldkj"; - private String responseType = "code"; - private Map options = ImmutableMap.of("foo", "bar"); - - - // RSA key properties: - // {@link package com.nimbusds.jose.jwk#RSAKey} - private String n = "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zw" + - "u1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc" + - "5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8K" + - "JZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh" + - "6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"; - private String e = "AQAB"; - private String d = "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknc" + - "hnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5" + - "N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSa" + - "wm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk1" + - "9Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q"; - private String alg = "RS256"; - private String kid = "2011-04-29"; - private String loginHint = "bob"; - - private DefaultJWTSigningAndValidationService signingAndValidationService; - - private SignedAuthRequestUrlBuilder urlBuilder = new SignedAuthRequestUrlBuilder(); - - @Before - public void prepare() throws NoSuchAlgorithmException, InvalidKeySpecException { - - RSAKey key = new RSAKey(new Base64URL(n), new Base64URL(e), new Base64URL(d), KeyUse.SIGNATURE, null, new 
Algorithm(alg), kid, null, null, null, null, null); - Map keys = Maps.newHashMap(); - keys.put("client", key); - - signingAndValidationService = new DefaultJWTSigningAndValidationService(keys); - signingAndValidationService.setDefaultSignerKeyId("client"); - signingAndValidationService.setDefaultSigningAlgorithmName(alg); - - urlBuilder.setSigningAndValidationService(signingAndValidationService); - - serverConfig = Mockito.mock(ServerConfiguration.class); - Mockito.when(serverConfig.getAuthorizationEndpointUri()).thenReturn("https://server.example.com/authorize"); - - clientConfig = Mockito.mock(RegisteredClient.class); - Mockito.when(clientConfig.getClientId()).thenReturn("s6BhdRkqt3"); - Mockito.when(clientConfig.getScope()).thenReturn(Sets.newHashSet("openid", "profile")); - } - - /** - * This test takes the URI from the result of building a signed request - * and checks that the JWS object parsed from the request URI matches up - * with the expected claim values. - */ - @Test - public void buildAuthRequestUrl() { - - String requestUri = urlBuilder.buildAuthRequestUrl(serverConfig, clientConfig, redirectUri, nonce, state, options, null); - - // parsing the result - UriComponentsBuilder builder = null; - - try { - builder = UriComponentsBuilder.fromUri(new URI(requestUri)); - } catch (URISyntaxException e1) { - fail("URISyntaxException was thrown."); - } - - UriComponents components = builder.build(); - String jwtString = components.getQueryParams().get("request").get(0); - JWTClaimsSet claims = null; - - try { - SignedJWT jwt = SignedJWT.parse(jwtString); - claims = jwt.getJWTClaimsSet(); - } catch (ParseException e) { - fail("ParseException was thrown."); - } - - assertEquals(responseType, claims.getClaim("response_type")); - assertEquals(clientConfig.getClientId(), claims.getClaim("client_id")); - - List scopeList = Arrays.asList(((String) claims.getClaim("scope")).split(" ")); - assertTrue(scopeList.containsAll(clientConfig.getScope())); - - 
assertEquals(redirectUri, claims.getClaim("redirect_uri")); - assertEquals(nonce, claims.getClaim("nonce")); - assertEquals(state, claims.getClaim("state")); - for (String claim : options.keySet()) { - assertEquals(options.get(claim), claims.getClaim(claim)); - } - } - - @Test - public void buildAuthRequestUrl_withLoginHint() { - - String requestUri = urlBuilder.buildAuthRequestUrl(serverConfig, clientConfig, redirectUri, nonce, state, options, loginHint); - - // parsing the result - UriComponentsBuilder builder = null; - - try { - builder = UriComponentsBuilder.fromUri(new URI(requestUri)); - } catch (URISyntaxException e1) { - fail("URISyntaxException was thrown."); - } - - UriComponents components = builder.build(); - String jwtString = components.getQueryParams().get("request").get(0); - JWTClaimsSet claims = null; - - try { - SignedJWT jwt = SignedJWT.parse(jwtString); - claims = jwt.getJWTClaimsSet(); - } catch (ParseException e) { - fail("ParseException was thrown."); - } - - assertEquals(responseType, claims.getClaim("response_type")); - assertEquals(clientConfig.getClientId(), claims.getClaim("client_id")); - - List scopeList = Arrays.asList(((String) claims.getClaim("scope")).split(" ")); - assertTrue(scopeList.containsAll(clientConfig.getScope())); - - assertEquals(redirectUri, claims.getClaim("redirect_uri")); - assertEquals(nonce, claims.getClaim("nonce")); - assertEquals(state, claims.getClaim("state")); - for (String claim : options.keySet()) { - assertEquals(options.get(claim), claims.getClaim(claim)); - } - assertEquals(loginHint, claims.getClaim("login_hint")); - } - - @Test(expected = AuthenticationServiceException.class) - public void buildAuthRequestUrl_badUri() { - - Mockito.when(serverConfig.getAuthorizationEndpointUri()).thenReturn("e=mc^2"); - - urlBuilder.buildAuthRequestUrl(serverConfig, clientConfig, "example.com", "", "", options, null); - } -} 
diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticClientConfigurationService.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticClientConfigurationService.java
deleted file mode 100644
index 4f251a4e3..000000000
--- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticClientConfigurationService.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client.service.impl;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.runners.MockitoJUnitRunner;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.notNullValue;
-import static org.hamcrest.CoreMatchers.nullValue;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author wkim
- *
- */
-@RunWith(MockitoJUnitRunner.class)
-public class TestStaticClientConfigurationService {
-
- private StaticClientConfigurationService service;
-
- private String issuer = "https://www.example.com/";
-
- @Mock
- private RegisteredClient mockClient;
-
- @Mock
- private ServerConfiguration mockServerConfig;
-
- @Before
- public void prepare() {
-
- service = new StaticClientConfigurationService();
-
- Map clients = new HashMap<>();
- clients.put(issuer, mockClient);
-
- service.setClients(clients);
-
- Mockito.when(mockServerConfig.getIssuer()).thenReturn(issuer);
- }
-
- @Test
- public void getClientConfiguration_success() {
-
- RegisteredClient result = service.getClientConfiguration(mockServerConfig);
-
- assertThat(mockClient, is(notNullValue()));
- assertEquals(mockClient, result);
- }
-
- /**
- * Checks the behavior when the issuer is not known.
- */
- @Test
- public void getClientConfiguration_noIssuer() {
- Mockito.when(mockServerConfig.getIssuer()).thenReturn("www.badexample.net");
-
- RegisteredClient actualClient = service.getClientConfiguration(mockServerConfig);
-
- assertThat(actualClient, is(nullValue()));
- }
-
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticServerConfigurationService.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticServerConfigurationService.java
deleted file mode 100644
index 9f86bd346..000000000
--- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticServerConfigurationService.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client.service.impl;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mitre.openid.connect.config.ServerConfiguration;
-import org.mockito.Mock;
-import org.mockito.runners.MockitoJUnitRunner;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.notNullValue;
-import static org.hamcrest.CoreMatchers.nullValue;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author wkim
- *
- */
-@RunWith(MockitoJUnitRunner.class)
-public class TestStaticServerConfigurationService {
-
-
- private StaticServerConfigurationService service;
-
- private String issuer = "https://www.example.com/";
-
- @Mock
- private ServerConfiguration mockServerConfig;
-
- @Before
- public void prepare() {
-
- service = new StaticServerConfigurationService();
-
- Map servers = new HashMap<>();
- servers.put(issuer, mockServerConfig);
-
- service.setServers(servers);
- }
-
- @Test
- public void getServerConfiguration_success() {
-
- ServerConfiguration result = service.getServerConfiguration(issuer);
-
- assertThat(mockServerConfig, is(notNullValue()));
- assertEquals(mockServerConfig, result);
- }
-
- /**
- * Checks the behavior when the issuer is not known.
- */
- @Test
- public void getClientConfiguration_noIssuer() {
-
- ServerConfiguration result = service.getServerConfiguration("www.badexample.net");
-
- assertThat(result, is(nullValue()));
- }
-
-}
diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestThirdPartyIssuerService.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestThirdPartyIssuerService.java
deleted file mode 100644
index 7a54e7d16..000000000
--- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestThirdPartyIssuerService.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Portions copyright 2011-2013 The MITRE Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.openid.connect.client.service.impl;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.mitre.openid.connect.client.model.IssuerServiceResponse;
-import org.mockito.Mockito;
-import org.springframework.security.authentication.AuthenticationServiceException;
-
-import com.google.common.collect.Sets;
-
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.CoreMatchers.nullValue;
-
-import static org.junit.Assert.assertThat;
-
-/**
- * @author wkim
- *
- */
-public class TestThirdPartyIssuerService {
-
- // Test fixture:
- private HttpServletRequest request;
-
- private String iss = "https://server.example.org";
- private String login_hint = "I'm not telling you nothin!";
- private String target_link_uri = "https://www.example.com";
- private String redirect_uri = "https://www.example.com";
-
- private String accountChooserUrl = "https://www.example.com/account";
-
- private ThirdPartyIssuerService service = new ThirdPartyIssuerService();
-
- @Before
- public void prepare() {
-
- service.setAccountChooserUrl(accountChooserUrl);
-
- request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getParameter("iss")).thenReturn(iss);
- Mockito.when(request.getParameter("login_hint")).thenReturn(login_hint);
- Mockito.when(request.getParameter("target_link_uri")).thenReturn(target_link_uri);
- Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer(redirect_uri));
- }
-
- @Test
- public void getIssuer_hasIssuer() {
-
- IssuerServiceResponse response = service.getIssuer(request);
-
- assertThat(response.getIssuer(), equalTo(iss));
- assertThat(response.getLoginHint(), equalTo(login_hint));
- assertThat(response.getTargetLinkUri(), equalTo(target_link_uri));
-
- assertThat(response.getRedirectUrl(), nullValue());
- }
-
- @Test
- public void getIssuer_noIssuer() {
-
- Mockito.when(request.getParameter("iss")).thenReturn(null);
-
- IssuerServiceResponse response = service.getIssuer(request);
-
- assertThat(response.getIssuer(), nullValue());
- assertThat(response.getLoginHint(), nullValue());
- assertThat(response.getTargetLinkUri(), nullValue());
-
- String expectedRedirectUrl = accountChooserUrl + "?redirect_uri=" + "https%3A%2F%2Fwww.example.com"; // url-encoded string of the request url
- assertThat(response.getRedirectUrl(), equalTo(expectedRedirectUrl));
- }
-
- @Test
- public void getIssuer_isWhitelisted() {
-
- service.setWhitelist(Sets.newHashSet(iss));
-
- IssuerServiceResponse response = service.getIssuer(request);
-
- assertThat(response.getIssuer(), equalTo(iss));
- assertThat(response.getLoginHint(), equalTo(login_hint));
- assertThat(response.getTargetLinkUri(), equalTo(target_link_uri));
-
- assertThat(response.getRedirectUrl(), nullValue());
- }
-
- @Test(expected = AuthenticationServiceException.class)
- public void getIssuer_notWhitelisted() {
-
- service.setWhitelist(Sets.newHashSet("some.other.site"));
-
- service.getIssuer(request);
- }
-
- @Test(expected = AuthenticationServiceException.class)
- public void getIssuer_blacklisted() {
-
- service.setBlacklist(Sets.newHashSet(iss));
-
- service.getIssuer(request);
- }
-
- @Test(expected = AuthenticationServiceException.class)
- public void getIssuer_badUri() {
-
- Mockito.when(request.getParameter("iss")).thenReturn(null);
- service.setAccountChooserUrl("e=mc^2");
-
- service.getIssuer(request);
- }
-}
diff --git a/openid-connect-client/src/test/resources/jwk/jwk b/openid-connect-client/src/test/resources/jwk/jwk
deleted file mode 100644
index a5f42177d..000000000
--- a/openid-connect-client/src/test/resources/jwk/jwk
+++ /dev/null
@@ -1,8 +0,0 @@
- {"jwk":
- [
- {"alg":"RSA",
- "mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
- "exp":"AQAB",
- "kid":"2011-04-29"}
- ]
- }
\ No newline at end of file
diff --git a/openid-connect-client/src/test/resources/jwk/jwkEncrypted b/openid-connect-client/src/test/resources/jwk/jwkEncrypted
deleted file mode 100644
index a5f42177d..000000000
--- a/openid-connect-client/src/test/resources/jwk/jwkEncrypted
+++ /dev/null
@@ -1,8 +0,0 @@
- {"jwk":
- [
- {"alg":"RSA",
- "mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
- "exp":"AQAB",
- "kid":"2011-04-29"}
- ]
- }
\ No newline at end of file
diff --git a/openid-connect-client/src/test/resources/test-context.xml b/openid-connect-client/src/test/resources/test-context.xml
deleted file mode 100644
index 51d33c922..000000000
--- a/openid-connect-client/src/test/resources/test-context.xml +++ /dev/null @@ -1,57 +0,0 @@ - - - - - - - - - - - file:db/tables/accesstoken.sql - file:db/tables/address.sql - file:db/tables/approvedsite.sql - file:db/tables/authorities.sql - file:db/tables/clientdetails.sql - file:db/tables/event.sql - file:db/tables/granttypes.sql - file:db/tables/idtoken.sql - file:db/tables/idtokenclaims.sql - file:db/tables/refreshtoken.sql - file:db/tables/scope.sql - file:db/tables/userinfo.sql - file:db/tables/whitelistedsite.sql - - classpath:test-data.sql - - - - - - - - - - - diff --git a/openid-connect-client/src/test/resources/x509/x509 b/openid-connect-client/src/test/resources/x509/x509 deleted file mode 100644 index 2d60d2c3e..000000000 --- a/openid-connect-client/src/test/resources/x509/x509 +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICxDCCAi0CBECcV/wwDQYJKoZIhvcNAQEEBQAwgagxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVU -ZXhhczEPMA0GA1UEBxMGQXVzdGluMSowKAYDVQQKEyFUaGUgVW5pdmVyc2l0eSBvZiBUZXhhcyBh -dCBBdXN0aW4xKDAmBgNVBAsTH0luZm9ybWF0aW9uIFRlY2hub2xvZ3kgU2VydmljZXMxIjAgBgNV -BAMTGXhtbGdhdGV3YXkuaXRzLnV0ZXhhcy5lZHUwHhcNMDQwNTA4MDM0NjA0WhcNMDQwODA2MDM0 -NjA0WjCBqDELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMQ8wDQYDVQQHEwZBdXN0aW4xKjAo -BgNVBAoTIVRoZSBVbml2ZXJzaXR5IG9mIFRleGFzIGF0IEF1c3RpbjEoMCYGA1UECxMfSW5mb3Jt -YXRpb24gVGVjaG5vbG9neSBTZXJ2aWNlczEiMCAGA1UEAxMZeG1sZ2F0ZXdheS5pdHMudXRleGFz -LmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsmc+6+NjLmanvh+FvBziYdBwTiz+d/DZ -Uy2jyvij6f8Xly6zkhHLSsuBzw08wPzr2K+F359bf9T3uiZMuao//FBGtDrTYpvQwkn4PFZwSeY2 -Ynw4edxp1JEWT2zfOY+QJDfNgpsYQ9hrHDwqnpbMVVqjdBq5RgTKGhFBj9kxEq0CAwEAATANBgkq -hkiG9w0BAQQFAAOBgQCPYGXF6oRbnjti3CPtjfwORoO7ab1QzNS9Z2rLMuPnt6POlm1A3UPEwCS8 -6flTlAqg19Sh47H7+Iq/LuzotKvUE5ugK52QRNMa4c0OSaO5UEM5EfVox1pT9tZV1Z3whYYMhThg -oC4y/On0NUVMN5xfF/GpSACga/bVjoNvd8HWEg== ------END CERTIFICATE----- \ No newline at end of file 
diff --git a/openid-connect-client/src/test/resources/x509/x509Encrypted b/openid-connect-client/src/test/resources/x509/x509Encrypted
deleted file mode 100644
index 2d60d2c3e..000000000
--- a/openid-connect-client/src/test/resources/x509/x509Encrypted
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICxDCCAi0CBECcV/wwDQYJKoZIhvcNAQEEBQAwgagxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVU
-ZXhhczEPMA0GA1UEBxMGQXVzdGluMSowKAYDVQQKEyFUaGUgVW5pdmVyc2l0eSBvZiBUZXhhcyBh
-dCBBdXN0aW4xKDAmBgNVBAsTH0luZm9ybWF0aW9uIFRlY2hub2xvZ3kgU2VydmljZXMxIjAgBgNV
-BAMTGXhtbGdhdGV3YXkuaXRzLnV0ZXhhcy5lZHUwHhcNMDQwNTA4MDM0NjA0WhcNMDQwODA2MDM0
-NjA0WjCBqDELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMQ8wDQYDVQQHEwZBdXN0aW4xKjAo
-BgNVBAoTIVRoZSBVbml2ZXJzaXR5IG9mIFRleGFzIGF0IEF1c3RpbjEoMCYGA1UECxMfSW5mb3Jt
-YXRpb24gVGVjaG5vbG9neSBTZXJ2aWNlczEiMCAGA1UEAxMZeG1sZ2F0ZXdheS5pdHMudXRleGFz
-LmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsmc+6+NjLmanvh+FvBziYdBwTiz+d/DZ
-Uy2jyvij6f8Xly6zkhHLSsuBzw08wPzr2K+F359bf9T3uiZMuao//FBGtDrTYpvQwkn4PFZwSeY2
-Ynw4edxp1JEWT2zfOY+QJDfNgpsYQ9hrHDwqnpbMVVqjdBq5RgTKGhFBj9kxEq0CAwEAATANBgkq
-hkiG9w0BAQQFAAOBgQCPYGXF6oRbnjti3CPtjfwORoO7ab1QzNS9Z2rLMuPnt6POlm1A3UPEwCS8
-6flTlAqg19Sh47H7+Iq/LuzotKvUE5ugK52QRNMa4c0OSaO5UEM5EfVox1pT9tZV1Z3whYYMhThg
-oC4y/On0NUVMN5xfF/GpSACga/bVjoNvd8HWEg==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/openid-connect-common/.gitignore b/openid-connect-common/.gitignore
deleted file mode 100644
index 016a3b8f8..000000000
--- a/openid-connect-common/.gitignore
+++ /dev/null
@@ -1,12 +0,0 @@
-local-values.conf
-target
-*~
-bin
-*.idea
-*.iml
-*.eml
-.project
-.settings
-.classpath
-/target
-.springBeans
diff --git a/openid-connect-common/pom.xml b/openid-connect-common/pom.xml
deleted file mode 100644
index a2b88b517..000000000
--- a/openid-connect-common/pom.xml
+++ /dev/null
@@ -1,132 +0,0 @@ - - - - - 4.0.0 - - openid-connect-parent - org.mitre - 1.3.4-SNAPSHOT - .. - - openid-connect-common - OpenID Connect Common modules - OpenID Connect Common - - - org.springframework - spring-core - - - commons-logging - commons-logging - - - - - org.springframework - spring-webmvc - - - org.springframework.security - spring-security-core - - - com.google.guava - guava - - - org.apache.httpcomponents - httpclient - - - org.springframework.security.oauth - spring-security-oauth2 - - - com.nimbusds - nimbus-jose-jwt - - - org.eclipse.persistence - javax.persistence - - - com.google.code.gson - gson - - - org.slf4j - slf4j-api - - - com.fasterxml.jackson.core - jackson-databind - - - com.fasterxml.jackson.core - jackson-annotations - - - org.bouncycastle - bcprov-jdk15on - - - - jar - - - - - org.apache.maven.plugins - maven-compiler-plugin - - ${java-version} - ${java-version} - - - - - org.apache.maven.plugins - maven-source-plugin - - - attach-sources - - jar-no-fork - - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - - - attach-sources - - jar - - - - - - - diff --git a/openid-connect-common/src/META-INF/MANIFEST.MF b/openid-connect-common/src/META-INF/MANIFEST.MF deleted file mode 100644 index 5e9495128..000000000 --- a/openid-connect-common/src/META-INF/MANIFEST.MF +++ /dev/null @@ -1,3 +0,0 @@ -Manifest-Version: 1.0 -Class-Path: - diff --git a/openid-connect-common/src/main/java/org/mitre/data/AbstractPageOperationTemplate.java b/openid-connect-server/src/main/java/org/mitre/data/AbstractPageOperationTemplate.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/data/AbstractPageOperationTemplate.java rename to openid-connect-server/src/main/java/org/mitre/data/AbstractPageOperationTemplate.java 
diff --git a/openid-connect-common/src/main/java/org/mitre/data/DefaultPageCriteria.java b/openid-connect-server/src/main/java/org/mitre/data/DefaultPageCriteria.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/data/DefaultPageCriteria.java
rename to openid-connect-server/src/main/java/org/mitre/data/DefaultPageCriteria.java
diff --git a/openid-connect-common/src/main/java/org/mitre/data/PageCriteria.java b/openid-connect-server/src/main/java/org/mitre/data/PageCriteria.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/data/PageCriteria.java
rename to openid-connect-server/src/main/java/org/mitre/data/PageCriteria.java
diff --git a/openid-connect-common/src/main/java/org/mitre/discovery/util/WebfingerURLNormalizer.java b/openid-connect-server/src/main/java/org/mitre/discovery/util/WebfingerURLNormalizer.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/discovery/util/WebfingerURLNormalizer.java
rename to openid-connect-server/src/main/java/org/mitre/discovery/util/WebfingerURLNormalizer.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jose/keystore/JWKSetKeyStore.java b/openid-connect-server/src/main/java/org/mitre/jose/keystore/JWKSetKeyStore.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jose/keystore/JWKSetKeyStore.java
rename to openid-connect-server/src/main/java/org/mitre/jose/keystore/JWKSetKeyStore.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/assertion/AbstractAssertionValidator.java b/openid-connect-server/src/main/java/org/mitre/jwt/assertion/AbstractAssertionValidator.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/assertion/AbstractAssertionValidator.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/assertion/AbstractAssertionValidator.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/assertion/AssertionValidator.java b/openid-connect-server/src/main/java/org/mitre/jwt/assertion/AssertionValidator.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/assertion/AssertionValidator.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/assertion/AssertionValidator.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/NullAssertionValidator.java b/openid-connect-server/src/main/java/org/mitre/jwt/assertion/impl/NullAssertionValidator.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/NullAssertionValidator.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/assertion/impl/NullAssertionValidator.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/SelfAssertionValidator.java b/openid-connect-server/src/main/java/org/mitre/jwt/assertion/impl/SelfAssertionValidator.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/SelfAssertionValidator.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/assertion/impl/SelfAssertionValidator.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/WhitelistedIssuerAssertionValidator.java b/openid-connect-server/src/main/java/org/mitre/jwt/assertion/impl/WhitelistedIssuerAssertionValidator.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/WhitelistedIssuerAssertionValidator.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/assertion/impl/WhitelistedIssuerAssertionValidator.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/JWTEncryptionAndDecryptionService.java b/openid-connect-server/src/main/java/org/mitre/jwt/encryption/service/JWTEncryptionAndDecryptionService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/JWTEncryptionAndDecryptionService.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/encryption/service/JWTEncryptionAndDecryptionService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/impl/DefaultJWTEncryptionAndDecryptionService.java b/openid-connect-server/src/main/java/org/mitre/jwt/encryption/service/impl/DefaultJWTEncryptionAndDecryptionService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/impl/DefaultJWTEncryptionAndDecryptionService.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/encryption/service/impl/DefaultJWTEncryptionAndDecryptionService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JWTSigningAndValidationService.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JWTSigningAndValidationService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JWTSigningAndValidationService.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JWTSigningAndValidationService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/ClientKeyCacheService.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/ClientKeyCacheService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/ClientKeyCacheService.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/ClientKeyCacheService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricKeyJWTValidatorCacheService.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricKeyJWTValidatorCacheService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricKeyJWTValidatorCacheService.java
rename to openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricKeyJWTValidatorCacheService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java b/openid-connect-server/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/DeviceCode.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/DeviceCode.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/DeviceCode.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/DeviceCode.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClient.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/RegisteredClient.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClient.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/RegisteredClient.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/SystemScope.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/SystemScope.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/SystemScope.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/SystemScope.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/SerializableStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/SerializableStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/SerializableStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/SerializableStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/SimpleGrantedAuthorityStringConverter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/SimpleGrantedAuthorityStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/SimpleGrantedAuthorityStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/model/convert/SimpleGrantedAuthorityStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthenticationHolderRepository.java b/openid-connect-server/src/main/java/org/mitre/oauth2/repository/AuthenticationHolderRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthenticationHolderRepository.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/repository/AuthenticationHolderRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthorizationCodeRepository.java b/openid-connect-server/src/main/java/org/mitre/oauth2/repository/AuthorizationCodeRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthorizationCodeRepository.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/repository/AuthorizationCodeRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2ClientRepository.java b/openid-connect-server/src/main/java/org/mitre/oauth2/repository/OAuth2ClientRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2ClientRepository.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/repository/OAuth2ClientRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java b/openid-connect-server/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/SystemScopeRepository.java b/openid-connect-server/src/main/java/org/mitre/oauth2/repository/SystemScopeRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/repository/SystemScopeRepository.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/repository/SystemScopeRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/impl/DeviceCodeRepository.java b/openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/DeviceCodeRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/repository/impl/DeviceCodeRepository.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/DeviceCodeRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/ClientDetailsEntityService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/ClientDetailsEntityService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/service/ClientDetailsEntityService.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/service/ClientDetailsEntityService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/DeviceCodeService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/DeviceCodeService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/service/DeviceCodeService.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/service/DeviceCodeService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/IntrospectionResultAssembler.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/IntrospectionResultAssembler.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/service/IntrospectionResultAssembler.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/service/IntrospectionResultAssembler.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/ServiceUtils.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/ServiceUtils.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/ServiceUtils.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/ServiceUtils.java
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
rename to openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessor.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessor.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessor.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessor.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationBeanLocaleResolver.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationBeanLocaleResolver.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationBeanLocaleResolver.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationBeanLocaleResolver.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/JWKSetEditor.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/JWKSetEditor.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/config/JWKSetEditor.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/config/JWKSetEditor.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/UIConfiguration.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/UIConfiguration.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/config/UIConfiguration.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/config/UIConfiguration.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/Address.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/Address.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/Address.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/Address.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/ApprovedSite.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/ApprovedSite.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/ApprovedSite.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/ApprovedSite.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/BlacklistedSite.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/BlacklistedSite.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/BlacklistedSite.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/BlacklistedSite.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/CachedImage.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/CachedImage.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/CachedImage.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/CachedImage.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/ClientStat.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/ClientStat.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/ClientStat.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/ClientStat.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/DefaultAddress.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/DefaultAddress.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/DefaultAddress.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/DefaultAddress.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/DefaultUserInfo.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/DefaultUserInfo.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/DefaultUserInfo.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/DefaultUserInfo.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/OIDCAuthenticationToken.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/OIDCAuthenticationToken.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/OIDCAuthenticationToken.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/OIDCAuthenticationToken.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/PairwiseIdentifier.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/PairwiseIdentifier.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/PairwiseIdentifier.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/PairwiseIdentifier.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/PendingOIDCAuthenticationToken.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/PendingOIDCAuthenticationToken.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/PendingOIDCAuthenticationToken.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/PendingOIDCAuthenticationToken.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/UserInfo.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/UserInfo.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/UserInfo.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/UserInfo.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/WhitelistedSite.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/WhitelistedSite.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/WhitelistedSite.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/WhitelistedSite.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/model/convert/JsonObjectStringConverter.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/model/convert/JsonObjectStringConverter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/model/convert/JsonObjectStringConverter.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/model/convert/JsonObjectStringConverter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/AddressRepository.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/AddressRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/repository/AddressRepository.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/repository/AddressRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/ApprovedSiteRepository.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/ApprovedSiteRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/repository/ApprovedSiteRepository.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/repository/ApprovedSiteRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/BlacklistedSiteRepository.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/BlacklistedSiteRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/repository/BlacklistedSiteRepository.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/repository/BlacklistedSiteRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/PairwiseIdentifierRepository.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/PairwiseIdentifierRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/repository/PairwiseIdentifierRepository.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/repository/PairwiseIdentifierRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/UserInfoRepository.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/UserInfoRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/repository/UserInfoRepository.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/repository/UserInfoRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/repository/WhitelistedSiteRepository.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/repository/WhitelistedSiteRepository.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/repository/WhitelistedSiteRepository.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/repository/WhitelistedSiteRepository.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/ApprovedSiteService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/ApprovedSiteService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/ApprovedSiteService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/ApprovedSiteService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/BlacklistedSiteService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/BlacklistedSiteService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/BlacklistedSiteService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/BlacklistedSiteService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/ClientLogoLoadingService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/LoginHintExtracter.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/LoginHintExtracter.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/LoginHintExtracter.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/LoginHintExtracter.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/MITREidDataService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/MITREidDataService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/MITREidDataService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/MITREidDataService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceExtension.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceExtension.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceExtension.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceExtension.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceMaps.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceMaps.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceMaps.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/MITREidDataServiceMaps.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/OIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/OIDCTokenService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/OIDCTokenService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/OIDCTokenService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/PairwiseIdentiferService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/PairwiseIdentiferService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/PairwiseIdentiferService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/PairwiseIdentiferService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/ScopeClaimTranslationService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/ScopeClaimTranslationService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/ScopeClaimTranslationService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/ScopeClaimTranslationService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/StatsService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/StatsService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/StatsService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/StatsService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/UserInfoService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/UserInfoService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/UserInfoService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/UserInfoService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/service/WhitelistedSiteService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/WhitelistedSiteService.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/service/WhitelistedSiteService.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/service/WhitelistedSiteService.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/view/JWKSetView.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JWKSetView.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/view/JWKSetView.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/view/JWKSetView.java
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
rename to openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
diff --git a/openid-connect-common/src/main/java/org/mitre/uma/model/Claim.java b/openid-connect-server/src/main/java/org/mitre/uma/model/Claim.java
similarity index 100%
rename from openid-connect-common/src/main/java/org/mitre/uma/model/Claim.java
rename to openid-connect-server/src/main/java/org/mitre/uma/model/Claim.java
diff --git a/openid-connect-common/src/main/java/org/mitre/uma/model/ClaimProcessingResult.java b/openid-connect-server/src/main/java/org/mitre/uma/model/ClaimProcessingResult.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/model/ClaimProcessingResult.java rename to openid-connect-server/src/main/java/org/mitre/uma/model/ClaimProcessingResult.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/model/Permission.java b/openid-connect-server/src/main/java/org/mitre/uma/model/Permission.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/model/Permission.java rename to openid-connect-server/src/main/java/org/mitre/uma/model/Permission.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/model/PermissionTicket.java b/openid-connect-server/src/main/java/org/mitre/uma/model/PermissionTicket.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/model/PermissionTicket.java rename to openid-connect-server/src/main/java/org/mitre/uma/model/PermissionTicket.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/model/Policy.java b/openid-connect-server/src/main/java/org/mitre/uma/model/Policy.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/model/Policy.java rename to openid-connect-server/src/main/java/org/mitre/uma/model/Policy.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/model/ResourceSet.java b/openid-connect-server/src/main/java/org/mitre/uma/model/ResourceSet.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/model/ResourceSet.java rename to openid-connect-server/src/main/java/org/mitre/uma/model/ResourceSet.java 
diff --git a/openid-connect-common/src/main/java/org/mitre/uma/model/SavedRegisteredClient.java b/openid-connect-server/src/main/java/org/mitre/uma/model/SavedRegisteredClient.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/model/SavedRegisteredClient.java rename to openid-connect-server/src/main/java/org/mitre/uma/model/SavedRegisteredClient.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/model/convert/RegisteredClientStringConverter.java b/openid-connect-server/src/main/java/org/mitre/uma/model/convert/RegisteredClientStringConverter.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/model/convert/RegisteredClientStringConverter.java rename to openid-connect-server/src/main/java/org/mitre/uma/model/convert/RegisteredClientStringConverter.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/repository/PermissionRepository.java b/openid-connect-server/src/main/java/org/mitre/uma/repository/PermissionRepository.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/repository/PermissionRepository.java rename to openid-connect-server/src/main/java/org/mitre/uma/repository/PermissionRepository.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java b/openid-connect-server/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java rename to openid-connect-server/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java 
diff --git a/openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java b/openid-connect-server/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java rename to openid-connect-server/src/main/java/org/mitre/uma/service/ClaimsProcessingService.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/service/PermissionService.java b/openid-connect-server/src/main/java/org/mitre/uma/service/PermissionService.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/service/PermissionService.java rename to openid-connect-server/src/main/java/org/mitre/uma/service/PermissionService.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/service/ResourceSetService.java b/openid-connect-server/src/main/java/org/mitre/uma/service/ResourceSetService.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/service/ResourceSetService.java rename to openid-connect-server/src/main/java/org/mitre/uma/service/ResourceSetService.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/service/SavedRegisteredClientService.java b/openid-connect-server/src/main/java/org/mitre/uma/service/SavedRegisteredClientService.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/service/SavedRegisteredClientService.java rename to openid-connect-server/src/main/java/org/mitre/uma/service/SavedRegisteredClientService.java diff --git a/openid-connect-common/src/main/java/org/mitre/uma/service/UmaTokenService.java b/openid-connect-server/src/main/java/org/mitre/uma/service/UmaTokenService.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/uma/service/UmaTokenService.java rename to openid-connect-server/src/main/java/org/mitre/uma/service/UmaTokenService.java 
diff --git a/openid-connect-common/src/main/java/org/mitre/util/JsonUtils.java b/openid-connect-server/src/main/java/org/mitre/util/JsonUtils.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/util/JsonUtils.java rename to openid-connect-server/src/main/java/org/mitre/util/JsonUtils.java diff --git a/openid-connect-common/src/main/java/org/mitre/util/jpa/JpaUtil.java b/openid-connect-server/src/main/java/org/mitre/util/jpa/JpaUtil.java similarity index 100% rename from openid-connect-common/src/main/java/org/mitre/util/jpa/JpaUtil.java rename to openid-connect-server/src/main/java/org/mitre/util/jpa/JpaUtil.java diff --git a/openid-connect-common/src/test/java/org/mitre/data/AbstractPageOperationTemplateTest.java b/openid-connect-server/src/test/java/org/mitre/data/AbstractPageOperationTemplateTest.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/data/AbstractPageOperationTemplateTest.java rename to openid-connect-server/src/test/java/org/mitre/data/AbstractPageOperationTemplateTest.java diff --git a/openid-connect-common/src/test/java/org/mitre/discovery/util/TestWebfingerURLNormalizer.java b/openid-connect-server/src/test/java/org/mitre/discovery/util/TestWebfingerURLNormalizer.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/discovery/util/TestWebfingerURLNormalizer.java rename to openid-connect-server/src/test/java/org/mitre/discovery/util/TestWebfingerURLNormalizer.java diff --git a/openid-connect-common/src/test/java/org/mitre/jose/TestJWKSetKeyStore.java b/openid-connect-server/src/test/java/org/mitre/jose/TestJWKSetKeyStore.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/jose/TestJWKSetKeyStore.java rename to openid-connect-server/src/test/java/org/mitre/jose/TestJWKSetKeyStore.java 
diff --git a/openid-connect-common/src/test/java/org/mitre/jwt/encryption/service/impl/TestDefaultJWTEncryptionAndDecryptionService.java b/openid-connect-server/src/test/java/org/mitre/jwt/encryption/service/impl/TestDefaultJWTEncryptionAndDecryptionService.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/jwt/encryption/service/impl/TestDefaultJWTEncryptionAndDecryptionService.java rename to openid-connect-server/src/test/java/org/mitre/jwt/encryption/service/impl/TestDefaultJWTEncryptionAndDecryptionService.java diff --git a/openid-connect-common/src/test/java/org/mitre/oauth2/model/ClientDetailsEntityTest.java b/openid-connect-server/src/test/java/org/mitre/oauth2/model/ClientDetailsEntityTest.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/oauth2/model/ClientDetailsEntityTest.java rename to openid-connect-server/src/test/java/org/mitre/oauth2/model/ClientDetailsEntityTest.java diff --git a/openid-connect-common/src/test/java/org/mitre/oauth2/model/RegisteredClientTest.java b/openid-connect-server/src/test/java/org/mitre/oauth2/model/RegisteredClientTest.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/oauth2/model/RegisteredClientTest.java rename to openid-connect-server/src/test/java/org/mitre/oauth2/model/RegisteredClientTest.java diff --git a/openid-connect-common/src/test/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessorTest.java b/openid-connect-server/src/test/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessorTest.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessorTest.java rename to openid-connect-server/src/test/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessorTest.java 
diff --git a/openid-connect-common/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java b/openid-connect-server/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java rename to openid-connect-server/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java diff --git a/openid-connect-common/src/test/java/org/mitre/openid/connect/config/ServerConfigurationTest.java b/openid-connect-server/src/test/java/org/mitre/openid/connect/config/ServerConfigurationTest.java similarity index 100% rename from openid-connect-common/src/test/java/org/mitre/openid/connect/config/ServerConfigurationTest.java rename to openid-connect-server/src/test/java/org/mitre/openid/connect/config/ServerConfigurationTest.java diff --git a/pom.xml b/pom.xml index 6824f1360..fb64f083b 100644 --- a/pom.xml +++ b/pom.xml @@ -38,12 +38,8 @@ - openid-connect-common - openid-connect-client openid-connect-server openid-connect-server-webapp - uma-server - uma-server-webapp diff --git a/uma-server-webapp/pom.xml b/uma-server-webapp/pom.xml deleted file mode 100644 index e0485e03a..000000000 --- a/uma-server-webapp/pom.xml +++ /dev/null 
@@ -1,97 +0,0 @@ - - - - 4.0.0 - - org.mitre - openid-connect-parent - 1.3.4-SNAPSHOT - .. - - uma-server-webapp - war - UMA Server Webapp - Deployable package of the User Managed Access (UMA) server extension to MITREid Connect - - - - org.apache.maven.plugins - maven-compiler-plugin - - ${java-version} - ${java-version} - - - - org.appfuse.plugins - warpath-maven-plugin - true - - - - add-classes - - - - - - org.apache.maven.plugins - maven-war-plugin - - uma-server-webapp - - - org.mitre - openid-connect-server-webapp - - - false - - - - org.eclipse.jetty - jetty-maven-plugin - - ${project.build.directory}/uma-server-webapp.war - - /uma-server-webapp - - - - - - - - org.mitre - openid-connect-server-webapp - war - - - org.mitre - openid-connect-server-webapp - warpath - - - org.mitre - uma-server - - - org.mitre - openid-connect-client - - - diff --git a/uma-server-webapp/src/main/resources/db/hsql/clients.sql b/uma-server-webapp/src/main/resources/db/hsql/clients.sql deleted file mode 100755 index 8d41bcad9..000000000 --- a/uma-server-webapp/src/main/resources/db/hsql/clients.sql +++ /dev/null 
@@ -1,77 +0,0 @@ --- --- Turn off autocommit and start a transaction so that we can use the temp tables --- - -SET AUTOCOMMIT FALSE; - -START TRANSACTION; - --- --- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here. --- - -INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES - ('client', 'secret', 'Test Client', false, null, 3600, 600, true), - ('rs', 'secret', 'Test UMA RS', false, null, null, 600, false), - ('c', 'secret', 'Test UMA Client', false, null, null, 600, false); - -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES - ('client', 'openid'), - ('client', 'profile'), - ('client', 'email'), - ('client', 'address'), - ('client', 'phone'), - ('client', 'offline_access'), - ('rs', 'uma_protection'), - ('c', 'uma_authorization'); - -INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES - ('client', 'http://localhost/'), - ('client', 'http://localhost:8080/'); - -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES - ('client', 'authorization_code'), - ('client', 'urn:ietf:params:oauth:grant_type:redelegate'), - ('client', 'implicit'), - ('client', 'refresh_token'), - ('rs', 'authorization_code'), - ('rs', 'implicit'), - ('c', 'authorization_code'), - ('c', 'implicit'); - --- --- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store. 
--- - -MERGE INTO client_details - USING (SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP) AS vals(client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) - ON vals.client_id = client_details.client_id - WHEN NOT MATCHED THEN - INSERT (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES(client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection); - -MERGE INTO client_scope - USING (SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id) AS vals(id, scope) - ON vals.id = client_scope.owner_id AND vals.scope = client_scope.scope - WHEN NOT MATCHED THEN - INSERT (owner_id, scope) values (vals.id, vals.scope); - -MERGE INTO client_redirect_uri - USING (SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id) AS vals(id, redirect_uri) - ON vals.id = client_redirect_uri.owner_id AND vals.redirect_uri = client_redirect_uri.redirect_uri - WHEN NOT MATCHED THEN - INSERT (owner_id, redirect_uri) values (vals.id, vals.redirect_uri); - -MERGE INTO client_grant_type - USING (SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id) AS vals(id, grant_type) - ON vals.id = client_grant_type.owner_id AND vals.grant_type = client_grant_type.grant_type - WHEN NOT MATCHED THEN - INSERT (owner_id, grant_type) values (vals.id, vals.grant_type); - --- --- Close the 
transaction and turn autocommit back on --- - -COMMIT; - -SET AUTOCOMMIT TRUE; - diff --git a/uma-server-webapp/src/main/resources/db/hsql/scopes.sql b/uma-server-webapp/src/main/resources/db/hsql/scopes.sql deleted file mode 100755 index c3ea0b113..000000000 --- a/uma-server-webapp/src/main/resources/db/hsql/scopes.sql +++ /dev/null @@ -1,35 +0,0 @@ --- --- Turn off autocommit and start a transaction so that we can use the temp tables --- - -SET AUTOCOMMIT FALSE; - -START TRANSACTION; - --- --- Insert scope information into the temporary tables. --- - -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES - ('openid', 'log in using your identity', 'user', false, true), - ('profile', 'basic profile information', 'list-alt', false, true), - ('email', 'email address', 'envelope', false, true), - ('address', 'physical address', 'home', false, true), - ('phone', 'telephone number', 'bell', false, true), - ('offline_access', 'offline access', 'time', false, false), - ('uma_protection', 'manage protected resources', 'briefcase', false, false), - ('uma_authorization', 'request access to protected resources', 'share', false, false); - --- --- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store. --- - -MERGE INTO system_scope - USING (SELECT scope, description, icon, restricted, default_scope FROM system_scope_TEMP) AS vals(scope, description, icon, restricted, default_scope) - ON vals.scope = system_scope.scope - WHEN NOT MATCHED THEN - INSERT (scope, description, icon, restricted, default_scope) VALUES(vals.scope, vals.description, vals.icon, vals.restricted, vals.default_scope); - -COMMIT; - -SET AUTOCOMMIT TRUE; diff --git a/uma-server-webapp/src/main/resources/db/mysql/clients.sql b/uma-server-webapp/src/main/resources/db/mysql/clients.sql deleted file mode 100755 index 02444c473..000000000 
--- a/uma-server-webapp/src/main/resources/db/mysql/clients.sql
+++ /dev/null
@@ -1,69 +0,0 @@ --- --- Turn off autocommit and start a transaction so that we can use the temp tables --- - -SET AUTOCOMMIT = 0; - -START TRANSACTION; - --- --- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here. --- - -INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES - ('client', 'secret', 'Test Client', false, null, 3600, 600, true), - ('rs', 'secret', 'Test UMA RS', false, null, null, 600, false), - ('c', 'secret', 'Test UMA Client', false, null, null, 600, false); - -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES - ('client', 'openid'), - ('client', 'profile'), - ('client', 'email'), - ('client', 'address'), - ('client', 'phone'), - ('client', 'offline_access'), - ('rs', 'uma_protection'), - ('c', 'uma_authorization'); - -INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES - ('client', 'http://localhost/'), - ('client', 'http://localhost:8080/'); - -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES - ('client', 'authorization_code'), - ('client', 'urn:ietf:params:oauth:grant_type:redelegate'), - ('client', 'implicit'), - ('client', 'refresh_token'), - ('rs', 'authorization_code'), - ('rs', 'implicit'), - ('c', 'authorization_code'), - ('c', 'implicit'); - --- --- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store. 
--- - -INSERT INTO client_details (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) - SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP - ON DUPLICATE KEY UPDATE client_details.client_id = client_details.client_id; - -INSERT INTO client_scope (owner_id, scope) - SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id - ON DUPLICATE KEY UPDATE client_scope.owner_id = client_scope.owner_id; - -INSERT INTO client_redirect_uri (owner_id, redirect_uri) - SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id - ON DUPLICATE KEY UPDATE client_redirect_uri.owner_id = client_redirect_uri.owner_id; - -INSERT INTO client_grant_type (owner_id, grant_type) - SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id - ON DUPLICATE KEY UPDATE client_grant_type.owner_id = client_grant_type.owner_id; - --- --- Close the transaction and turn autocommit back on --- - -COMMIT; - -SET AUTOCOMMIT = 1; - diff --git a/uma-server-webapp/src/main/resources/db/mysql/scopes.sql b/uma-server-webapp/src/main/resources/db/mysql/scopes.sql deleted file mode 100755 index bdcc0f6e3..000000000 --- a/uma-server-webapp/src/main/resources/db/mysql/scopes.sql +++ /dev/null 
@@ -1,33 +0,0 @@ --- --- Turn off autocommit and start a transaction so that we can use the temp tables --- - -SET AUTOCOMMIT = 0; - -START TRANSACTION; - --- --- Insert scope information into the temporary tables. --- - -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('openid', 'log in using your identity', 'user', false, true, false, null), - ('profile', 'basic profile information', 'list-alt', false, true, false, null), - ('email', 'email address', 'envelope', false, true, false, null), - ('address', 'physical address', 'home', false, true, false, null), - ('phone', 'telephone number', 'bell', false, true, false, null), - ('offline_access', 'offline access', 'time', false, false, false, null), - ('uma_protection', 'manage protected resources', 'briefcase', false, false, false, null), - ('uma_authorization', 'request access to protected resources', 'share', false, false, false, null); - --- --- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store. --- - -INSERT INTO system_scope (scope, description, icon, restricted, default_scope, structured, structured_param_description) - SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP - ON DUPLICATE KEY UPDATE system_scope.scope = system_scope.scope; - -COMMIT; - -SET AUTOCOMMIT = 1; diff --git a/uma-server-webapp/src/main/resources/db/oracle/clients_oracle.sql b/uma-server-webapp/src/main/resources/db/oracle/clients_oracle.sql deleted file mode 100755 index 783ff2d3a..000000000 --- a/uma-server-webapp/src/main/resources/db/oracle/clients_oracle.sql +++ /dev/null 
@@ -1,61 +0,0 @@ --- --- Insert client information into the temporary tables. To add clients to the Oracle database, edit things here. --- - -INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES - ('client', 'secret', 'Test Client', 0, null, 3600, 600, 1); -INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES - ('rs', 'secret', 'Test UMA RS', false, null, null, 600, false); -INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES - ('c', 'secret', 'Test UMA Client', false, null, null, 600, false); - -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'openid'); -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'profile'); -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'email'); -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'address'); -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'phone'); -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'offline_access'); -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('rs', 'uma_protection'); -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('c', 'uma_authorization'); - -INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost/'); -INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost:8080/'); - -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'authorization_code'); -INSERT INTO client_grant_type_TEMP (owner_id, 
grant_type) VALUES ('client', 'urn:ietf:params:oauth:grant_type:redelegate'); -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'implicit'); -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'refresh_token'); -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('rs', 'authorization_code'); -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('rs', 'implicit'); -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('c', 'authorization_code'); -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('c', 'implicit'); - --- --- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store. --- - -MERGE INTO client_details - USING (SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP) vals - ON (vals.client_id = client_details.client_id) - WHEN NOT MATCHED THEN - INSERT (id, client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, - id_token_validity_seconds, allow_introspection) VALUES(client_details_seq.nextval, vals.client_id, vals.client_secret, vals.client_name, vals.dynamically_registered, - vals.refresh_token_validity_seconds, vals.access_token_validity_seconds, vals.id_token_validity_seconds, vals.allow_introspection); - -MERGE INTO client_scope - USING (SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id) vals - ON (vals.id = client_scope.owner_id AND vals.scope = client_scope.scope) - WHEN NOT MATCHED THEN - INSERT (owner_id, scope) values (vals.id, vals.scope); - -MERGE INTO client_redirect_uri - USING (SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE 
client_details.client_id = client_redirect_uri_TEMP.owner_id) vals - ON (vals.id = client_redirect_uri.owner_id AND vals.redirect_uri = client_redirect_uri.redirect_uri) - WHEN NOT MATCHED THEN - INSERT (owner_id, redirect_uri) values (vals.id, vals.redirect_uri); - -MERGE INTO client_grant_type - USING (SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id) vals - ON (vals.id = client_grant_type.owner_id AND vals.grant_type = client_grant_type.grant_type) - WHEN NOT MATCHED THEN - INSERT (owner_id, grant_type) values (vals.id, vals.grant_type); diff --git a/uma-server-webapp/src/main/resources/db/oracle/scopes_oracle.sql b/uma-server-webapp/src/main/resources/db/oracle/scopes_oracle.sql deleted file mode 100755 index a52e021de..000000000 --- a/uma-server-webapp/src/main/resources/db/oracle/scopes_oracle.sql +++ /dev/null 
@@ -1,31 +0,0 @@ --- --- Insert scope information into the temporary tables. --- - -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('openid', 'log in using your identity', 'user', 0, 1, 0, null); -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('profile', 'basic profile information', 'list-alt', 0, 1, 0, null); -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('email', 'email address', 'envelope', 0, 1, 0, null); -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('address', 'physical address', 'home', 0, 1, 0, null); -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('phone', 'telephone number', 'bell', 0, 1, 0, null); -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('offline_access', 'offline access', 'time', 0, 0, 0, null); -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('uma_protection', 'manage protected resources', 'briefcase', 0, 0, 0, null); -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('uma_authorization', 'request access to protected resources', 'share', 0, 0, 0, null); - --- --- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store. 
--- - -MERGE INTO system_scope - USING (SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP) vals - ON (vals.scope = system_scope.scope) - WHEN NOT MATCHED THEN - INSERT (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES(system_scope_seq.nextval, vals.scope, - vals.description, vals.icon, vals.restricted, vals.default_scope, vals.structured, vals.structured_param_description); diff --git a/uma-server-webapp/src/main/resources/db/psql/clients.sql b/uma-server-webapp/src/main/resources/db/psql/clients.sql deleted file mode 100755 index d4c75e7fe..000000000 --- a/uma-server-webapp/src/main/resources/db/psql/clients.sql +++ /dev/null 
@@ -1,74 +0,0 @@ --- --- Turn off autocommit and start a transaction so that we can use the temp tables --- - ---SET AUTOCOMMIT = OFF; - -START TRANSACTION; - --- --- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here. --- - -INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES - ('client', 'secret', 'Test Client', false, null, 3600, 600, true), - ('rs', 'secret', 'Test UMA RS', false, null, null, 600, false), - ('c', 'secret', 'Test UMA Client', false, null, null, 600, false); - -INSERT INTO client_scope_TEMP (owner_id, scope) VALUES - ('client', 'openid'), - ('client', 'profile'), - ('client', 'email'), - ('client', 'address'), - ('client', 'phone'), - ('client', 'offline_access'), - ('rs', 'uma_protection'), - ('c', 'uma_authorization'); - -INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES - ('client', 'http://localhost/'), - ('client', 'http://localhost:8080/'); - -INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES - ('client', 'authorization_code'), - ('client', 'urn:ietf:params:oauth:grant_type:redelegate'), - ('client', 'implicit'), - ('client', 'refresh_token'), - ('rs', 'authorization_code'), - ('rs', 'implicit'), - ('c', 'authorization_code'), - ('c', 'implicit'); - --- --- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store. 
--- - -INSERT INTO client_details (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) - SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP - ON CONFLICT - DO NOTHING; - -INSERT INTO client_scope (scope) - SELECT scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id - ON CONFLICT - DO NOTHING; - -INSERT INTO client_redirect_uri (redirect_uri) - SELECT redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id - ON CONFLICT - DO NOTHING; - -INSERT INTO client_grant_type (grant_type) - SELECT grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id - ON CONFLICT - DO NOTHING; - --- --- Close the transaction and turn autocommit back on --- - -COMMIT; - ---SET AUTOCOMMIT = ON; - - diff --git a/uma-server-webapp/src/main/resources/db/psql/scopes.sql b/uma-server-webapp/src/main/resources/db/psql/scopes.sql deleted file mode 100755 index 8b2611b83..000000000 --- a/uma-server-webapp/src/main/resources/db/psql/scopes.sql +++ /dev/null 
@@ -1,33 +0,0 @@ --- --- Turn off autocommit and start a transaction so that we can use the temp tables --- - ---SET AUTOCOMMIT = OFF; - -START TRANSACTION; - --- --- Insert scope information into the temporary tables. --- - -INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES - ('openid', 'log in using your identity', 'user', false, true, false, null), - ('profile', 'basic profile information', 'list-alt', false, true, false, null), - ('email', 'email address', 'envelope', false, true, false, null), - ('address', 'physical address', 'home', false, true, false, null), - ('phone', 'telephone number', 'bell', false, true, false, null), - ('offline_access', 'offline access', 'time', false, false, false, null); - --- --- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store. --- - -INSERT INTO system_scope (scope, description, icon, restricted, default_scope, structured, structured_param_description) - SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP - ON CONFLICT(scope) - DO NOTHING; - -COMMIT; - ---SET AUTOCOMMIT = ON; - diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml b/uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml deleted file mode 100644 index 7c645d23a..000000000 --- a/uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml +++ /dev/null @@ -1,53 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml b/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml deleted file mode 100644 index 92685552c..000000000 --- a/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml +++ /dev/null 
@@ -1,68 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - uma - messages - - - - - - - - - - - - diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/tags/actionmenu.tag b/uma-server-webapp/src/main/webapp/WEB-INF/tags/actionmenu.tag deleted file mode 100644 index 47df4a361..000000000 --- a/uma-server-webapp/src/main/webapp/WEB-INF/tags/actionmenu.tag +++ /dev/null @@ -1,21 +0,0 @@ -<%@ tag language="java" pageEncoding="UTF-8"%> -<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%> -<%@ taglib prefix="security" - uri="http://www.springframework.org/security/tags"%> - - -
  • -
  • -
  • -
  • -
  • -
    - -
  • -
  • -
  • -
  • -
  • - -
  • -
  • \ No newline at end of file diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/ui-config.xml b/uma-server-webapp/src/main/webapp/WEB-INF/ui-config.xml deleted file mode 100644 index 2cd7bfc33..000000000 --- a/uma-server-webapp/src/main/webapp/WEB-INF/ui-config.xml +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - - - - - resources/js/client.js - resources/js/grant.js - resources/js/scope.js - resources/js/whitelist.js - resources/js/dynreg.js - resources/js/rsreg.js - resources/js/token.js - resources/js/blacklist.js - resources/js/profile.js - resources/js/policy.js - - - - - - diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/uma-server-webapp/src/main/webapp/WEB-INF/user-context.xml deleted file mode 100644 index 4a2f7bb0d..000000000 --- a/uma-server-webapp/src/main/webapp/WEB-INF/user-context.xml +++ /dev/null @@ -1,142 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - openid - profile - email - phone - address - - - - - - #{configBean.issuer + "openid_connect_login"} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/views/external_login.jsp b/uma-server-webapp/src/main/webapp/WEB-INF/views/external_login.jsp deleted file mode 100644 index 897afdaaa..000000000 --- a/uma-server-webapp/src/main/webapp/WEB-INF/views/external_login.jsp +++ /dev/null @@ -1,42 +0,0 @@ -<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> -<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> -<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %> -<%@ taglib prefix="o" tagdir="/WEB-INF/tags"%> - - -
    -
    -
    - -

    Log In

    - -

    Enter your email address to log in

    - -
    -
    - -
    -
    - - -
    -
    - -
    - -
    -
    -
    - - - \ No newline at end of file diff --git a/uma-server-webapp/src/main/webapp/resources/js/locale/en/uma.json b/uma-server-webapp/src/main/webapp/resources/js/locale/en/uma.json deleted file mode 100644 index 69ff2e186..000000000 --- a/uma-server-webapp/src/main/webapp/resources/js/locale/en/uma.json +++ /dev/null 
@@ -1,59 +0,0 @@
-{
- "admin": {
- "policies": "Manage Protected Resource Policies"
- },
- "policy" : {
- "resource-sets": "Resource Sets",
- "edit-policies": "Edit Policies",
- "new-policy": "New Policy",
- "edit-policy": "Edit Policy",
- "loading-policies": "Policies",
- "loading-policy": "Policy",
- "loading-rs": "Resource Set",
- "rs-table": {
- "confirm": "Are you sure you want to delete this resource set?",
- "no-resource-sets": "There are no resource sets registered. Introduce a protected to this authorization server to let it register some.",
- "scopes": "Scopes",
- "shared-with": "Shared with:",
- "shared-nobody": "NOBODY",
- "shared-nobody-tooltip": "This resource is not accessible by anyone else, edit the policies and share it with someone.",
- "sharing": "Sharing Policies"
- },
- "policy-table": {
- "new": "Add New Policy",
- "return": "Return to list",
- "edit": "Edit Policy",
- "confirm": "Are you sure you want to delete this policy?",
- "delete": "Delete",
- "no-policies": "There are no policies for this resource set: This resource set is inaccessible by others.",
- "required-claims": "Required Claims",
- "required-claims-info": "Users that you share this resource will with need to be able to present the following claims in order to access the resource.",
- "remove": "Remove",
- "issuers": "Issuers",
- "claim": "Claim",
- "value": "Value"
- },
- "policy-form": {
- "email-address": "email address",
- "share-email": "Share with email address",
- "new": "New Policy",
- "edit": "Edit Policy",
- "claim-name": "claim name",
- "friendly-claim-name": "friendly claim name",
- "claim-value": "claim value",
- "value-type-text": "Text",
- "value-type-number": "Number",
- "clear-all": "Clear all claims",
- "clear-all-confirm": "Are you sure you want to clear all claims from this policy?"
- },
- "webfinger-error": "Error",
- "webfinger-error-description": "The server was unable to find an identity provider for __email__.",
- "advanced-error": "Error",
- "advanced-error-description": "There was an error saving your advanced claim. Did you fill in all required fields?"
- },
- "sidebar": {
- "personal": {
- "resource_policies": "Manage Protected Resource Policies"
- }
- }
-}
\ No newline at end of file
diff --git a/uma-server-webapp/src/main/webapp/resources/js/locale/zh/uma.json b/uma-server-webapp/src/main/webapp/resources/js/locale/zh/uma.json
deleted file mode 100644
index e2444c4ea..000000000
--- a/uma-server-webapp/src/main/webapp/resources/js/locale/zh/uma.json
+++ /dev/null
@@ -1,59 +0,0 @@ -{ - "admin": { - "policies": "管理受保护资源的政策" - }, - "policy" : { - "resource-sets": "资源集", - "edit-policies": "编辑政策", - "new-policy": "新建政策", - "edit-policy": "编辑政策", - "loading-policies": "政策", - "loading-policy": "政策", - "loading-rs": "资源集", - "rs-table": { - "confirm": "确定要删除该资源?", - "no-resource-sets": "尚未有已注册的资源集。您可在此授权服务器中注册一个。", - "scopes": "范围", - "shared-with": "共享给:", - "shared-nobody": "不共享", - "shared-nobody-tooltip": "此资源别人无法访问,请编辑政策使其与其他人共享。", - "sharing": "共享政策" - }, - "policy-table": { - "new": "新建政策", - "return": "返回到列表", - "edit": "编辑政策", - "confirm": "确定要删除该政策?", - "delete": "删除", - "no-policies": "此资源集尚未有政策:别人无法访问此资源集。", - "required-claims": "必须的声明", - "required-claims-info": "与您共享此资源的用户必须具备以下声明,才能访问该资源。", - "remove": "移除", - "issuers": "签发者", - "claim": "声明项", - "value": "值" - }, - "policy-form": { - "email-address": "email地址", - "share-email": "连带email地址共享", - "new": "新建政策", - "edit": "编辑政策", - "claim-name": "声明项名称", - "friendly-claim-name": "声明的显示名", - "claim-value": "声明的值", - "value-type-text": "文本", - "value-type-number": "数字", - "clear-all": "清除全部声明", - "clear-all-confirm": "您是否要从此政策中清除全部声明?" - }, - "webfinger-error": "错误", - "webfinger-error-description": "服务器无法找到__email__的身份提供者。", - "advanced-error": "错误", - "advanced-error-description": "保存高级声明时出错。您是否填写了全部必填项?" - }, - "sidebar": { - "personal": { - "resource_policies": "管理受保护资源的政策" - } - } -} \ No newline at end of file diff --git a/uma-server-webapp/src/main/webapp/resources/js/locale/zh_CN/uma.json b/uma-server-webapp/src/main/webapp/resources/js/locale/zh_CN/uma.json deleted file mode 100644 index e2444c4ea..000000000 --- a/uma-server-webapp/src/main/webapp/resources/js/locale/zh_CN/uma.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "admin": { - "policies": "管理受保护资源的政策" - }, - "policy" : { - "resource-sets": "资源集", - "edit-policies": "编辑政策", - "new-policy": "新建政策", - "edit-policy": "编辑政策", - "loading-policies": "政策", - "loading-policy": "政策", - "loading-rs": "资源集", - "rs-table": { - "confirm": "确定要删除该资源?", - "no-resource-sets": "尚未有已注册的资源集。您可在此授权服务器中注册一个。", - "scopes": "范围", - "shared-with": "共享给:", - "shared-nobody": "不共享", - "shared-nobody-tooltip": "此资源别人无法访问,请编辑政策使其与其他人共享。", - "sharing": "共享政策" - }, - "policy-table": { - "new": "新建政策", - "return": "返回到列表", - "edit": "编辑政策", - "confirm": "确定要删除该政策?", - "delete": "删除", - "no-policies": "此资源集尚未有政策:别人无法访问此资源集。", - "required-claims": "必须的声明", - "required-claims-info": "与您共享此资源的用户必须具备以下声明,才能访问该资源。", - "remove": "移除", - "issuers": "签发者", - "claim": "声明项", - "value": "值" - }, - "policy-form": { - "email-address": "email地址", - "share-email": "连带email地址共享", - "new": "新建政策", - "edit": "编辑政策", - "claim-name": "声明项名称", - "friendly-claim-name": "声明的显示名", - "claim-value": "声明的值", - "value-type-text": "文本", - "value-type-number": "数字", - "clear-all": "清除全部声明", - "clear-all-confirm": "您是否要从此政策中清除全部声明?" - }, - "webfinger-error": "错误", - "webfinger-error-description": "服务器无法找到__email__的身份提供者。", - "advanced-error": "错误", - "advanced-error-description": "保存高级声明时出错。您是否填写了全部必填项?" - }, - "sidebar": { - "personal": { - "resource_policies": "管理受保护资源的政策" - } - } -} \ No newline at end of file diff --git a/uma-server-webapp/src/main/webapp/resources/js/locale/zh_TW/uma.json b/uma-server-webapp/src/main/webapp/resources/js/locale/zh_TW/uma.json deleted file mode 100644 index 523232832..000000000 --- a/uma-server-webapp/src/main/webapp/resources/js/locale/zh_TW/uma.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "admin": { - "policies": "管理受保護資源的政策" - }, - "policy" : { - "resource-sets": "資源集", - "edit-policies": "編輯政策", - "new-policy": "新建政策", - "edit-policy": "編輯政策", - "loading-policies": "政策", - "loading-policy": "政策", - "loading-rs": "資源集", - "rs-table": { - "confirm": "確定要刪除該資源?", - "no-resource-sets": "尚未有已注冊的資源集。您可在此授權伺服器中注冊一個。", - "scopes": "范圍", - "shared-with": "共享給:", - "shared-nobody": "不共享", - "shared-nobody-tooltip": "此資源別人無法訪問,請編輯政策使其與其他人共享。", - "sharing": "共享政策" - }, - "policy-table": { - "new": "新建政策", - "return": "返回到列表", - "edit": "編輯政策", - "confirm": "確定要刪除該政策?", - "delete": "刪除", - "no-policies": "此資源集尚未有政策:別人無法訪問此資源集。", - "required-claims": "必須的聲明", - "required-claims-info": "與您共享此資源的用戶必須具備以下聲明,才能訪問該資源。", - "remove": "移除", - "issuers": "簽發者", - "claim": "聲明項", - "value": "值" - }, - "policy-form": { - "email-address": "email地址", - "share-email": "連帶email地址共享", - "new": "新建政策", - "edit": "編輯政策", - "claim-name": "聲明項名稱", - "friendly-claim-name": "聲明的顯示名", - "claim-value": "聲明的值", - "value-type-text": "文本", - "value-type-number": "數字", - "clear-all": "清除全部聲明", - "clear-all-confirm": "您是否要從此政策中清除全部聲明?" - }, - "webfinger-error": "錯誤", - "webfinger-error-description": "伺服器無法找到__email__的身份提供者。", - "advanced-error": "錯誤", - "advanced-error-description": "保存高級聲明時出錯。您是否填寫了全部必填項?" - }, - "sidebar": { - "personal": { - "resource_policies": "管理受保護資源的政策" - } - } -} \ No newline at end of file diff --git a/uma-server-webapp/src/main/webapp/resources/js/policy.js b/uma-server-webapp/src/main/webapp/resources/js/policy.js deleted file mode 100644 index 6a3b6420c..000000000 --- a/uma-server-webapp/src/main/webapp/resources/js/policy.js +++ /dev/null 
@@ -1,786 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ - -var ResourceSetModel = Backbone.Model.extend({ - urlRoot: 'api/resourceset' -}); - -var ResourceSetCollection = Backbone.Collection.extend({ - model: ResourceSetModel, - url: 'api/resourceset' -}); - -var PolicyModel = Backbone.Model.extend({ - urlRoot: function() { - return 'api/resourceset/' + this.options.rsid + '/policy/'; - }, - initialize: function(model, options) { - this.options = options; - } -}); - -var PolicyCollection = Backbone.Collection.extend({ - model: PolicyModel, - url: function() { - return 'api/resourceset/' + this.options.rsid + '/policy/'; - }, - initialize: function(models, options) { - this.options = options; - } -}); - -var ResourceSetListView = Backbone.View.extend({ - tagName: 'span', - - initialize:function (options) { - this.options = options; - }, - - load:function(callback) { - if (this.model.isFetched && - this.options.clientList.isFetched && - this.options.systemScopeList.isFetched) { - callback(); - return; - } - - $('#loadingbox').sheet('show'); - $('#loading').html( - '' + $.t('policy.resource-sets') + ' ' + - '' + $.t('common.clients') + ' ' + - '' + $.t('common.scopes') + ' ' - ); - - $.when(this.model.fetchIfNeeded({success:function(e) 
{$('#loading-resourcesets').addClass('label-success');}}), - this.options.clientList.fetchIfNeeded({success:function(e) {$('#loading-clients').addClass('label-success');}}), - this.options.systemScopeList.fetchIfNeeded({success:function(e) {$('#loading-scopes').addClass('label-success');}})) - .done(function() { - $('#loadingbox').sheet('hide'); - callback(); - }); - }, - - events: { - "click .refresh-table":"refreshTable" - }, - - render:function (eventName) { - $(this.el).html($('#tmpl-resource-set-table').html()); - - var _self = this; - - _.each(this.model.models, function (resourceSet) { - - // look up client - var client = this.options.clientList.getByClientId(resourceSet.get('clientId')); - - // if there's no client ID, this is an error! - if (client != null) { - var view = new ResourceSetView({model: resourceSet, client: client, systemScopeList: _self.options.systemScopeList}); - view.parentView = _self; - $('#resource-set-table', this.el).append(view.render().el); - } - - }, this); - - this.togglePlaceholder(); - $(this.el).i18n(); - return this; - }, - - togglePlaceholder:function() { - if (this.model.length > 0) { - $('#resource-set-table', this.el).show(); - $('#resource-set-table-empty', this.el).hide(); - } else { - $('#resource-set-table', this.el).hide(); - $('#resource-set-table-empty', this.el).show(); - } - }, - - refreshTable:function(e) { - e.preventDefault(); - var _self = this; - $('#loadingbox').sheet('show'); - $('#loading').html( - '' + $.t('policy.resource-sets') + ' ' + - '' + $.t('common.clients') + ' ' + - '' + $.t('common.scopes') + ' ' - ); - - $.when(this.model.fetch({success:function(e) {$('#loading-resourcesets').addClass('label-success');}}), - this.options.clientList.fetch({success:function(e) {$('#loading-clients').addClass('label-success');}}), - this.options.systemScopeList.fetch({success:function(e) {$('#loading-scopes').addClass('label-success');}})) - .done(function() { - $('#loadingbox').sheet('hide'); - _self.render(); - 
}); - } - - -}); - - -var ResourceSetView = Backbone.View.extend({ - tagName: 'tr', - - initialize:function(options) { - this.options = options; - if (!this.template) { - this.template = _.template($('#tmpl-resource-set').html()); - } - - if (!this.scopeTemplate) { - this.scopeTemplate = _.template($('#tmpl-scope-list').html()); - } - - if (!this.moreInfoTemplate) { - this.moreInfoTemplate = _.template($('#tmpl-client-more-info-block').html()); - } - - this.model.bind('change', this.render, this); - }, - - render:function(eventName) { - - var json = {rs: this.model.toJSON(), client: this.options.client.toJSON()}; - - this.$el.html(this.template(json)); - - $('.scope-list', this.el).html(this.scopeTemplate({scopes: this.model.get('scopes'), systemScopes: this.options.systemScopeList})); - - $('.client-more-info-block', this.el).html(this.moreInfoTemplate({client: this.options.client.toJSON()})); - - $(this.el).i18n(); - return this; - }, - - events:{ - 'click .btn-edit': 'editPolicies', - 'click .btn-delete': 'deleteResourceSet', - 'click .toggleMoreInformation': 'toggleMoreInformation' - }, - - editPolicies:function(e) { - e.preventDefault(); - app.navigate('user/policy/' + this.model.get('id'), {trigger: true}); - }, - - deleteResourceSet:function(e) { - e.preventDefault(); - - if (confirm($.t('policy.rs-table.confirm'))) { - var _self = this; - - this.model.destroy({ - dataType: false, processData: false, - success:function () { - _self.$el.fadeTo("fast", 0.00, function () { //fade - $(this).slideUp("fast", function () { //slide up - $(this).remove(); //then remove from the DOM - _self.parentView.togglePlaceholder(); - }); - }); - }, - error:function (error, response) { - console.log("An error occurred when deleting a resource set"); - - //Pull out the response text. 
- var responseJson = JSON.parse(response.responseText); - - //Display an alert with an error message - $('#modalAlert div.modal-header').html(responseJson.error); - $('#modalAlert div.modal-body').html(responseJson.error_description); - - $("#modalAlert").modal({ // wire up the actual modal functionality and show the dialog - "backdrop" : "static", - "keyboard" : true, - "show" : true // ensure the modal is shown immediately - }); - } - }); - - _self.parentView.delegateEvents(); - } - - return false; - - }, - - toggleMoreInformation:function(e) { - e.preventDefault(); - if ($('.moreInformation', this.el).is(':visible')) { - // hide it - $('.moreInformation', this.el).hide('fast'); - $('.toggleMoreInformation i', this.el).attr('class', 'icon-chevron-right'); - $('.moreInformationContainer', this.el).removeClass('alert').removeClass('alert-info').addClass('muted'); - - } else { - // show it - $('.moreInformation', this.el).show('fast'); - $('.toggleMoreInformation i', this.el).attr('class', 'icon-chevron-down'); - $('.moreInformationContainer', this.el).addClass('alert').addClass('alert-info').removeClass('muted'); - } - }, - -}); - -var PolicyListView = Backbone.View.extend({ - tagName: 'span', - - initialize:function(options) { - this.options = options; - }, - - load:function(callback) { - if (this.model.isFetched && - this.options.rs.isFetched && - this.options.systemScopeList.isFetched) { - callback(); - return; - } - - $('#loadingbox').sheet('show'); - $('#loading').html( - '' + $.t('policy.loading-policies') + ' ' + - '' + $.t('policy.loading-rs') + ' ' + - '' + $.t("common.scopes") + ' ' - ); - - $.when(this.model.fetchIfNeeded({success:function(e) {$('#loading-policies').addClass('label-success');}}), - this.options.rs.fetchIfNeeded({success:function(e) {$('#loading-rs').addClass('label-success');}}), - this.options.systemScopeList.fetchIfNeeded({success:function(e) {$('#loading-scopes').addClass('label-success');}})) - .done(function() { - 
$('#loadingbox').sheet('hide'); - callback(); - }); - }, - - events:{ - 'click .btn-add':'addPolicy', - 'click .btn-cancel':'cancel' - }, - - cancel:function(e) { - e.preventDefault(); - app.navigate('user/policy', {trigger: true}); - }, - - togglePlaceholder:function() { - if (this.model.length > 0) { - $('#policy-info', this.el).show(); - $('#policy-table', this.el).show(); - $('#policy-table-empty', this.el).hide(); - } else { - $('#policy-info', this.el).hide(); - $('#policy-table', this.el).hide(); - $('#policy-table-empty', this.el).show(); - } - }, - - addPolicy:function(e) { - e.preventDefault(); - app.navigate('user/policy/' + this.options.rs.get('id') +'/new', {trigger: true}); - }, - - render:function (eventName) { - $(this.el).html($('#tmpl-policy-table').html()); - - var _self = this; - - _.each(this.model.models, function (policy) { - - var view = new PolicyView({model: policy, systemScopeList: _self.options.systemScopeList, rs: _self.options.rs}); - view.parentView = _self; - $('#policy-table', this.el).append(view.render().el); - - }, this); - - this.togglePlaceholder(); - $(this.el).i18n(); - return this; - } -}); - - -var PolicyView = Backbone.View.extend({ - tagName: 'tr', - - initialize:function(options) { - this.options = options; - - if (!this.template) { - this.template = _.template($('#tmpl-policy').html()); - } - - if (!this.scopeTemplate) { - this.scopeTemplate = _.template($('#tmpl-scope-list').html()); - } - - - }, - - events:{ - 'click .btn-edit':'editPolicy', - 'click .btn-remove':'removePolicy' - }, - - editPolicy:function(e) { - e.preventDefault(); - app.navigate('user/policy/' + this.options.rs.get("id") + '/' + this.model.get('id'), {trigger: true}); - }, - - removePolicy:function(e) { - e.preventDefault(); - - if (confirm($.t('policy.policy-table.confirm'))) { - var _self = this; - this.model.destroy({ - dataType: false, processData: false, - success:function () { - _self.$el.fadeTo("fast", 0.00, function () { //fade - 
$(this).slideUp("fast", function () { //slide up - $(this).remove(); //then remove from the DOM - _self.parentView.togglePlaceholder(); - }); - }); - }, - error:function (error, response) { - console.log("An error occurred when deleting a client"); - - //Pull out the response text. - var responseJson = JSON.parse(response.responseText); - - //Display an alert with an error message - $('#modalAlert div.modal-header').html(responseJson.error); - $('#modalAlert div.modal-body').html(responseJson.error_description); - - $("#modalAlert").modal({ // wire up the actual modal functionality and show the dialog - "backdrop" : "static", - "keyboard" : true, - "show" : true // ensure the modal is shown immediately - }); - } - }); - - _self.parentView.delegateEvents(); - } - }, - - render:function (eventName) { - var json = this.model.toJSON(); - - this.$el.html(this.template(json)); - - $('.scope-list', this.el).html(this.scopeTemplate({scopes: this.model.get('scopes'), systemScopes: this.options.systemScopeList})); - - $(this.el).i18n(); - return this; - } - - -}); - - -var PolicyFormView = Backbone.View.extend({ - tagName: 'div', - - initialize:function(options) { - this.options = options; - - if (!this.template) { - this.template = _.template($('#tmpl-policy-form').html()); - } - - this.issuerCollection = new Backbone.Collection(); - - }, - - events:{ - 'click .btn-share': 'addWebfingerClaim', - 'click .btn-share-advanced': 'addAdvancedClaim', - 'click .btn-clear': 'clearAllClaims', - 'click .btn-save': 'savePolicy', - 'click .btn-cancel': 'cancel' - }, - - load:function(callback) { - if (this.model.isFetched && - this.options.rs.isFetched && - this.options.systemScopeList.isFetched) { - callback(); - return; - } - - $('#loadingbox').sheet('show'); - $('#loading').html( - '' + $.t('policy.loading-policy') + ' ' + - '' + $.t('policy.loading-rs') + ' ' + - '' + $.t("common.scopes") + ' ' - ); - - $.when(this.model.fetchIfNeeded({success:function(e) 
{$('#loading-policies').addClass('label-success');}}), - this.options.rs.fetchIfNeeded({success:function(e) {$('#loading-rs').addClass('label-success');}}), - this.options.systemScopeList.fetchIfNeeded({success:function(e) {$('#loading-scopes').addClass('label-success');}})) - .done(function() { - $('#loadingbox').sheet('hide'); - callback(); - }); - }, - - addWebfingerClaim:function(e) { - e.preventDefault(); - - // post to the webfinger helper and get the response back - - var _self = this; - - var email = $('#email', this.el).val(); - - $('#loadingbox').sheet('show'); - $('#loading').html( - 'Looking up identity provider...' - ); - - var base = $('base').attr('href'); - $.getJSON(base + '/api/emailsearch?' + $.param({'identifier': email}), function(data) { - - // grab the current state of the scopes checkboxes just in case - var scopes = $('#scopes input[type="checkbox"]:checked').map(function(idx, elem) { return $(elem).val(); }).get(); - - _self.model.set({ - scopes: scopes, - claimsRequired: data - }, {trigger: false}); - - _self.render(); - - $('#loadingbox').sheet('hide'); - - }).error(function(jqXHR, textStatus, errorThrown) { - console.log("An error occurred when doing a webfinger lookup", errorThrown); - - $('#loadingbox').sheet('hide'); - - //Display an alert with an error message - $('#modalAlert div.modal-header').html($.t('policy.webfinger-error')); - $('#modalAlert div.modal-body').html($.t('policy.webfinger-error-description', {email: email})); - - $("#modalAlert").modal({ // wire up the actual modal functionality and show the dialog - "backdrop" : "static", - "keyboard" : true, - "show" : true // ensure the modal is shown immediately - }); - }); - - }, - - addAdvancedClaim:function(e) { - e.preventDefault(); - - var name = $('#name', this.el).val(); - var friendly = $('#friendly-name', this.el).val(); - var rawValue = $('#value', this.el).val(); - var valueType = $('#value-type', this.el).val(); - var value = null; - if (valueType == 'number') { - 
value = Number(rawValue); - } else if (valueType == 'boolean') { - value = (rawValue.toLowerCase() == 'true'); - } else if (valueType == 'json') { - value = JSON.parse(rawValue); - } else { - // treat it as a string, the default - value = rawValue; - } - - var issuers = this.issuerCollection.pluck('item'); - - console.log(name, friendly, rawValue, valueType, value, issuers); - - if (!_.isEmpty(issuers) - && name - && value) { - // we've got a valid claim, add it to our set - // grab the current state of the scopes checkboxes just in case - var scopes = $('#scopes input[type="checkbox"]:checked').map(function(idx, elem) { return $(elem).val(); }).get(); - - var claimsRequired = this.model.get('claimsRequired'); - if (!claimsRequired) { - claimsRequired = []; - } - claimsRequired.push({ - name: name, - friendlyName: friendly, - value: value, - issuer: issuers - }); - - this.model.set({ - scopes: scopes, - claimsRequired: claimsRequired - }, {trigger: false}); - - $('#name', this.el).val(''); - $('#friendly-name', this.el).val(''); - $('#value', this.el).val(''); - $('#value-type', this.el).val('text'); - - this.render(); - - // re-select the advanced tab - $('a[data-target="#policy-advanced-tab"]', this.el).tab('show') - - } else { - // something is missing - $('#loadingbox').sheet('hide'); - - //Display an alert with an error message - $('#modalAlert div.modal-header').html($.t('policy.advanced-error')); - $('#modalAlert div.modal-body').html($.t('policy.advanced-error-description')); - - $("#modalAlert").modal({ // wire up the actual modal functionality and show the dialog - "backdrop" : "static", - "keyboard" : true, - "show" : true // ensure the modal is shown immediately - }); - } - }, - - clearAllClaims:function(e) { - e.preventDefault(); - - if (confirm($.t('policy.policy-form.clear-all-confirm'))) { - - var scopes = $('#scopes input[type="checkbox"]:checked').map(function(idx, elem) { return $(elem).val(); }).get(); - - var claimsRequired = []; - - 
this.model.set({ - scopes: scopes, - claimsRequired: claimsRequired - }, {trigger: false}); - - this.render(); - } - }, - - savePolicy:function(e) { - e.preventDefault(); - - // get all the scopes that are checked - var scopes = $('#scopes input[type="checkbox"]:checked').map(function(idx, elem) { return $(elem).val(); }).get(); - - var valid = this.model.set({ - scopes: scopes - }); - - if (valid) { - - var _self = this; - this.model.save({}, { - success:function() { - app.systemScopeList.add(_self.model); - - // refresh the associated RS - _self.options.rs.fetch({success: function() { - app.navigate('user/policy/' + _self.options.rs.get('id'), {trigger: true}); - }}); - - }, - error:function(error, response) { - - //Pull out the response text. - var responseJson = JSON.parse(response.responseText); - - //Display an alert with an error message - $('#modalAlert div.modal-header').html(responseJson.error); - $('#modalAlert div.modal-body').html(responseJson.error_description); - - $("#modalAlert").modal({ // wire up the actual modal functionality and show the dialog - "backdrop" : "static", - "keyboard" : true, - "show" : true // ensure the modal is shown immediately - }); - } - }); - } - - return false; - - }, - - cancel:function(e) { - e.preventDefault(); - app.navigate('user/policy/' + this.options.rs.get('id'), {trigger: true}); - }, - - render:function (eventName) { - var json = this.model.toJSON(); - var rs = this.options.rs.toJSON(); - - this.$el.html(this.template({policy: json, rs: rs})); - - // build and bind issuer view - var issuerView = new ListWidgetView({ - placeholder: $.t('policy.policy-form.issuer-placeholder'), - helpBlockText: $.t('policy.policy-form.issuer-help'), - collection: this.issuerCollection}); - $("#issuers .controls",this.el).html(issuerView.render().el); - - $(this.el).i18n(); - - return this; - } -}); - - -ui.routes.push({path: "user/policy", name: "policy", callback: - function() { - - this.breadCrumbView.collection.reset(); - 
this.breadCrumbView.collection.add([ - {text:$.t('admin.home'), href:""}, - {text:$.t('policy.resource-sets'), href:"manage/#user/policy"} - ]); - - this.updateSidebar('user/policy'); - - var view = new ResourceSetListView({model: this.resourceSetList, clientList: this.clientList, systemScopeList: this.systemScopeList}); - - view.load(function() { - $('#content').html(view.render().el); - setPageTitle($.t('policy.resource-sets')); - }); - - } -}); - -ui.routes.push({path: "user/policy/:rsid", name: "editPolicies", callback: - function(rsid) { - - this.breadCrumbView.collection.reset(); - this.breadCrumbView.collection.add([ - {text:$.t('admin.home'), href:""}, - {text:$.t('policy.resource-sets'), href:"manage/#user/policy"}, - {text:$.t('policy.edit-policies'), href:"manage/#user/policy/" + rsid} - ]); - - this.updateSidebar('user/policy'); - - var rs = this.resourceSetList.get(rsid); - var policies = null; - if (rs == null) { - // need to load it directly - policies = new PolicyCollection([], {rsid: rsid}); - rs = new ResourceSetModel({id: rsid}); - this.resourceSetList.add(rs); // it will be loaded below, don't need to load it again in the future - } else { - // the resource set is loaded, preload the claims - policies = new PolicyCollection(rs.get('policies'), {rsid: rsid}); - policies.isFetched = true; - } - - var view = new PolicyListView({model: policies, rs: rs, systemScopeList: this.systemScopeList}); - - view.load(function() { - $('#content').html(view.render().el); - setPageTitle($.t('policy.edit-policy')); - }); - - } -}); - -ui.routes.push({path: "user/policy/:rsid/new", name: "newPolicy", callback: - function(rsid) { - - this.breadCrumbView.collection.reset(); - this.breadCrumbView.collection.add([ - {text:$.t('admin.home'), href:""}, - {text:$.t('policy.resource-sets'), href:"manage/#user/policy"}, - {text:$.t('policy.edit-policies'), href:"manage/#user/policy/" + rsid}, - {text:$.t('policy.new-policy'), href:"manage/#user/policy/" + rsid + "/new"} - 
]); - - this.updateSidebar('user/policy'); - - var policy = policy = new PolicyModel({}, {rsid: rsid}); - - var rs = this.resourceSetList.get(rsid); - if (rs == null) { - // need to load it directly - rs = new ResourceSetModel({id: rsid}); - this.resourceSetList.add(rs); // it will be loaded below, don't need to load it again in the future - } - - var view = new PolicyFormView({model: policy, rs: rs, systemScopeList: this.systemScopeList}); - - view.load(function() { - $('#content').html(view.render().el); - setPageTitle($.t('policy.edit-policy')); - }); - } -}); - -ui.routes.push({path: "user/policy/:rsid/:pid", name: "editPolicy", callback: - function(rsid, pid) { - this.breadCrumbView.collection.reset(); - this.breadCrumbView.collection.add([ - {text:$.t('admin.home'), href:""}, - {text:$.t('policy.resource-sets'), href:"manage/#user/policy"}, - {text:$.t('policy.edit-policies'), href:"manage/#user/policy/" + rsid}, - {text:$.t('policy.edit-policy'), href:"manage/#user/policy/" + rsid + "/" + pid} - ]); - - this.updateSidebar('user/policy'); - - var rs = this.resourceSetList.get(rsid); - var policy = null; - if (rs == null) { - // need to load it directly - policy = new PolicyModel({id: pid}, {rsid: rsid}); - rs = new ResourceSetModel({id: rsid}); - this.resourceSetList.add(rs); // it will be loaded below, don't need to load it again in the future - } else { - // the resource set is loaded, preload the claims - _.each(rs.get('policies'), function(p) { - if (p.id == pid) { - policy = new PolicyModel(p, {rsid: rsid}); - policy.isFetched = true; - } - }); - if (policy == null) { - // need to load it directly - policy = new PolicyModel({id: pid}, {rsid: rsid}); - } - } - - var view = new PolicyFormView({model: policy, rs: rs, systemScopeList: this.systemScopeList}); - - view.load(function() { - $('#content').html(view.render().el); - setPageTitle($.t('policy.edit-policy')); - }); - - - } -}); - -ui.templates.push('resources/template/policy.html'); - 
-ui.init.push(function(app) { - app.resourceSetList = new ResourceSetCollection(); -}); diff --git a/uma-server-webapp/src/main/webapp/resources/template/policy.html b/uma-server-webapp/src/main/webapp/resources/template/policy.html deleted file mode 100644 index 576da1b1a..000000000 --- a/uma-server-webapp/src/main/webapp/resources/template/policy.html +++ /dev/null @@ -1,255 +0,0 @@ - - - - - - - - - - - - - - \ No newline at end of file diff --git a/uma-server/pom.xml b/uma-server/pom.xml deleted file mode 100644 index 2373d34c1..000000000 --- a/uma-server/pom.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - - 4.0.0 - - org.mitre - openid-connect-parent - 1.3.4-SNAPSHOT - .. - - uma-server - UMA Server Library - User Managed Access (UMA) extension of the MITREid Connect server - - - - org.apache.maven.plugins - maven-compiler-plugin - - ${java-version} - ${java-version} - - - - - - - org.mitre - openid-connect-server - - - org.mitre - openid-connect-client - - - \ No newline at end of file diff --git a/uma-server/src/main/java/org/mitre/uma/repository/impl/JpaPermissionRepository.java b/uma-server/src/main/java/org/mitre/uma/repository/impl/JpaPermissionRepository.java deleted file mode 100644 index 6d7a65d98..000000000 --- a/uma-server/src/main/java/org/mitre/uma/repository/impl/JpaPermissionRepository.java +++ /dev/null 
@@ -1,107 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.repository.impl;
-
-import java.util.Collection;
-
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
-import javax.persistence.TypedQuery;
-
-import org.mitre.uma.model.Permission;
-import org.mitre.uma.model.PermissionTicket;
-import org.mitre.uma.model.ResourceSet;
-import org.mitre.uma.repository.PermissionRepository;
-import org.mitre.util.jpa.JpaUtil;
-import org.springframework.stereotype.Repository;
-import org.springframework.transaction.annotation.Transactional;
-
-/**
- * @author jricher
- *
- */
-@Repository
-public class JpaPermissionRepository implements PermissionRepository {
-
- @PersistenceContext(unitName="defaultPersistenceUnit")
- private EntityManager em;
-
- @Override
- @Transactional(value="defaultTransactionManager")
- public PermissionTicket save(PermissionTicket p) {
- return JpaUtil.saveOrUpdate(em, p);
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.repository.PermissionRepository#getByTicket(java.lang.String)
- */
- @Override
- public PermissionTicket getByTicket(String ticket) {
- TypedQuery query = em.createNamedQuery(PermissionTicket.QUERY_TICKET, PermissionTicket.class);
- query.setParameter(PermissionTicket.PARAM_TICKET, ticket);
- return JpaUtil.getSingleResult(query.getResultList());
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.repository.PermissionRepository#getAll()
- */
- @Override
- public Collection getAll() {
- TypedQuery query = em.createNamedQuery(PermissionTicket.QUERY_ALL, PermissionTicket.class);
- return query.getResultList();
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.repository.PermissionRepository#saveRawPermission(org.mitre.uma.model.Permission)
- */
- @Override
- @Transactional(value="defaultTransactionManager")
- public Permission saveRawPermission(Permission p) {
- return JpaUtil.saveOrUpdate(em, p);
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.repository.PermissionRepository#getById(java.lang.Long)
- */
- @Override
- public Permission getById(Long permissionId) {
- return em.find(Permission.class, permissionId);
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.repository.PermissionRepository#getPermissionTicketsForResourceSet(org.mitre.uma.model.ResourceSet)
- */
- @Override
- public Collection getPermissionTicketsForResourceSet(ResourceSet rs) {
- TypedQuery query = em.createNamedQuery(PermissionTicket.QUERY_BY_RESOURCE_SET, PermissionTicket.class);
- query.setParameter(PermissionTicket.PARAM_RESOURCE_SET_ID, rs.getId());
- return query.getResultList();
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.repository.PermissionRepository#remove(org.mitre.uma.model.PermissionTicket)
- */
- @Override
- @Transactional(value="defaultTransactionManager")
- public void remove(PermissionTicket ticket) {
- PermissionTicket found = getByTicket(ticket.getTicket());
- if (found != null) {
- em.remove(found);
- }
- }
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/repository/impl/JpaResourceSetRepository.java b/uma-server/src/main/java/org/mitre/uma/repository/impl/JpaResourceSetRepository.java
deleted file mode 100644
index 7c41a989f..000000000
--- a/uma-server/src/main/java/org/mitre/uma/repository/impl/JpaResourceSetRepository.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.repository.impl;
-
-import java.util.Collection;
-
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
-import javax.persistence.TypedQuery;
-
-import org.mitre.uma.model.ResourceSet;
-import org.mitre.uma.repository.ResourceSetRepository;
-import org.mitre.util.jpa.JpaUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Repository;
-import org.springframework.transaction.annotation.Transactional;
-
-/**
- * @author jricher
- *
- */
-@Repository
-public class JpaResourceSetRepository implements ResourceSetRepository {
-
- @PersistenceContext(unitName="defaultPersistenceUnit")
- private EntityManager em;
- private static Logger logger = LoggerFactory.getLogger(JpaResourceSetRepository.class);
-
- @Override
- @Transactional(value="defaultTransactionManager")
- public ResourceSet save(ResourceSet rs) {
- return JpaUtil.saveOrUpdate(em, rs);
- }
-
- @Override
- public ResourceSet getById(Long id) {
- return em.find(ResourceSet.class, id);
- }
-
- @Override
- @Transactional(value="defaultTransactionManager")
- public void remove(ResourceSet rs) {
- ResourceSet found = getById(rs.getId());
- if (found != null) {
- em.remove(found);
- } else {
- logger.info("Tried to remove unknown resource set: " + rs.getId());
- }
- }
-
- @Override
- public Collection getAllForOwner(String owner) {
- TypedQuery query = em.createNamedQuery(ResourceSet.QUERY_BY_OWNER, ResourceSet.class);
- query.setParameter(ResourceSet.PARAM_OWNER, owner);
- return query.getResultList();
- }
-
- @Override
- public Collection getAllForOwnerAndClient(String owner, String clientId) {
- TypedQuery query = em.createNamedQuery(ResourceSet.QUERY_BY_OWNER_AND_CLIENT, ResourceSet.class);
- query.setParameter(ResourceSet.PARAM_OWNER, owner);
- query.setParameter(ResourceSet.PARAM_CLIENTID, clientId);
- return query.getResultList();
- }
-
- @Override
- public Collection getAll() {
- TypedQuery query = em.createNamedQuery(ResourceSet.QUERY_ALL, ResourceSet.class);
- return query.getResultList();
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.repository.ResourceSetRepository#getAllForClient(org.mitre.oauth2.model.ClientDetailsEntity)
- */
- @Override
- public Collection getAllForClient(String clientId) {
- TypedQuery query = em.createNamedQuery(ResourceSet.QUERY_BY_CLIENT, ResourceSet.class);
- query.setParameter(ResourceSet.PARAM_CLIENTID, clientId);
- return query.getResultList();
- }
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java b/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java
deleted file mode 100644
index 8b9c379e4..000000000
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java
+++ /dev/null
@@ -1,96 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.service.impl;
-
-import java.sql.Date;
-import java.util.Set;
-import java.util.UUID;
-
-import org.mitre.oauth2.service.SystemScopeService;
-import org.mitre.uma.model.Permission;
-import org.mitre.uma.model.PermissionTicket;
-import org.mitre.uma.model.ResourceSet;
-import org.mitre.uma.repository.PermissionRepository;
-import org.mitre.uma.service.PermissionService;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
-import org.springframework.stereotype.Service;
-
-/**
- * @author jricher
- *
- */
-@Service
-public class DefaultPermissionService implements PermissionService {
-
- @Autowired
- private PermissionRepository repository;
-
- @Autowired
- private SystemScopeService scopeService;
-
- private Long permissionExpirationSeconds = 60L * 60L; // 1 hr
-
- /* (non-Javadoc)
- * @see org.mitre.uma.service.PermissionService#create(org.mitre.uma.model.ResourceSet, java.util.Set)
- */
- @Override
- public PermissionTicket createTicket(ResourceSet resourceSet, Set scopes) {
-
- // check to ensure that the scopes requested are a subset of those in the resource set
-
- if (!scopeService.scopesMatch(resourceSet.getScopes(), scopes)) {
- throw new InsufficientScopeException("Scopes of resource set are not enough for requested permission.");
- }
-
- Permission perm = new Permission();
- perm.setResourceSet(resourceSet);
- perm.setScopes(scopes);
-
- PermissionTicket ticket = new PermissionTicket();
- ticket.setPermission(perm);
- ticket.setTicket(UUID.randomUUID().toString());
- ticket.setExpiration(new Date(System.currentTimeMillis() + permissionExpirationSeconds * 1000L));
-
- return repository.save(ticket);
-
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.service.PermissionService#getByTicket(java.lang.String)
- */
- @Override
- public PermissionTicket getByTicket(String ticket) {
- return repository.getByTicket(ticket);
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.service.PermissionService#updateTicket(org.mitre.uma.model.PermissionTicket)
- */
- @Override
- public PermissionTicket updateTicket(PermissionTicket ticket) {
- if (ticket.getId() != null) {
- return repository.save(ticket);
- } else {
- return null;
- }
-
- }
-
-
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultResourceSetService.java b/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultResourceSetService.java
deleted file mode 100644
index a5c3e5ec4..000000000
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultResourceSetService.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.service.impl;
-
-import java.util.Collection;
-
-import org.mitre.oauth2.model.ClientDetailsEntity;
-import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
-import org.mitre.oauth2.repository.OAuth2TokenRepository;
-import org.mitre.uma.model.PermissionTicket;
-import org.mitre.uma.model.Policy;
-import org.mitre.uma.model.ResourceSet;
-import org.mitre.uma.repository.PermissionRepository;
-import org.mitre.uma.repository.ResourceSetRepository;
-import org.mitre.uma.service.ResourceSetService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Primary;
-import org.springframework.stereotype.Service;
-
-/**
- * @author jricher
- *
- */
-@Service
-@Primary
-public class DefaultResourceSetService implements ResourceSetService {
-
- private static final Logger logger = LoggerFactory.getLogger(DefaultResourceSetService.class);
-
- @Autowired
- private ResourceSetRepository repository;
-
- @Autowired
- private OAuth2TokenRepository tokenRepository;
-
- @Autowired
- private PermissionRepository ticketRepository;
-
- @Override
- public ResourceSet saveNew(ResourceSet rs) {
-
- if (rs.getId() != null) {
- throw new IllegalArgumentException("Can't save a new resource set with an ID already set to it.");
- }
-
- if (!checkScopeConsistency(rs)) {
- throw new IllegalArgumentException("Can't save a resource set with inconsistent claims.");
- }
-
- ResourceSet saved = repository.save(rs);
-
- return saved;
-
- }
-
- @Override
- public ResourceSet getById(Long id) {
- return repository.getById(id);
- }
-
- @Override
- public ResourceSet update(ResourceSet oldRs, ResourceSet newRs) {
-
- if (oldRs.getId() == null || newRs.getId() == null
- || !oldRs.getId().equals(newRs.getId())) {
-
- throw new IllegalArgumentException("Resource set IDs mismatched");
-
- }
-
- if (!checkScopeConsistency(newRs)) {
- throw new IllegalArgumentException("Can't save a resource set with inconsistent claims.");
- }
-
- newRs.setOwner(oldRs.getOwner()); // preserve the owner tag across updates
- newRs.setClientId(oldRs.getClientId()); // preserve the client id across updates
-
- ResourceSet saved = repository.save(newRs);
-
- return saved;
-
- }
-
- @Override
- public void remove(ResourceSet rs) {
- // find all the access tokens issued against this resource set and revoke them
- Collection tokens = tokenRepository.getAccessTokensForResourceSet(rs);
- for (OAuth2AccessTokenEntity token : tokens) {
- tokenRepository.removeAccessToken(token);
- }
-
- // find all outstanding tickets issued against this resource set and revoke them too
- Collection tickets = ticketRepository.getPermissionTicketsForResourceSet(rs);
- for (PermissionTicket ticket : tickets) {
- ticketRepository.remove(ticket);
- }
-
- repository.remove(rs);
- }
-
- @Override
- public Collection getAllForOwner(String owner) {
- return repository.getAllForOwner(owner);
- }
-
- @Override
- public Collection getAllForOwnerAndClient(String owner, String clientId) {
- return repository.getAllForOwnerAndClient(owner, clientId);
- }
-
- private boolean checkScopeConsistency(ResourceSet rs) {
- if (rs.getPolicies() == null) {
- // nothing to check, no problem!
- return true;
- }
- for (Policy policy : rs.getPolicies()) {
- if (!rs.getScopes().containsAll(policy.getScopes())) {
- return false;
- }
- }
- // we've checked everything, we're good
- return true;
- }
-
- /* (non-Javadoc)
- * @see org.mitre.uma.service.ResourceSetService#getAllForClient(org.mitre.oauth2.model.ClientDetailsEntity)
- */
- @Override
- public Collection getAllForClient(ClientDetailsEntity client) {
- return repository.getAllForClient(client.getClientId());
- }
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java b/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
deleted file mode 100644
index 62bd24eac..000000000
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
+++ /dev/null
@@ -1,120 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.service.impl;
-
-import java.util.Date;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.UUID;
-
-import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
-import org.mitre.oauth2.model.AuthenticationHolderEntity;
-import org.mitre.oauth2.model.ClientDetailsEntity;
-import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
-import org.mitre.oauth2.repository.AuthenticationHolderRepository;
-import org.mitre.oauth2.service.ClientDetailsEntityService;
-import org.mitre.oauth2.service.OAuth2TokenEntityService;
-import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
-import org.mitre.uma.model.Permission;
-import org.mitre.uma.model.PermissionTicket;
-import org.mitre.uma.model.Policy;
-import org.mitre.uma.service.UmaTokenService;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.stereotype.Service;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.SignedJWT;
-
-/**
- * @author jricher
- *
- */
-@Service("defaultUmaTokenService")
-public class DefaultUmaTokenService implements UmaTokenService {
-
- @Autowired
- private AuthenticationHolderRepository authenticationHolderRepository;
-
- @Autowired
- private OAuth2TokenEntityService tokenService;
-
- @Autowired
- private ClientDetailsEntityService clientService;
-
- @Autowired
- private ConfigurationPropertiesBean config;
-
- @Autowired
- private JWTSigningAndValidationService jwtService;
-
-
- @Override
- public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket, Policy policy) {
- OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
- AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
- authHolder.setAuthentication(o2auth);
- authHolder = authenticationHolderRepository.save(authHolder);
-
- token.setAuthenticationHolder(authHolder);
-
- ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId());
- token.setClient(client);
-
- Set ticketScopes = ticket.getPermission().getScopes();
- Set policyScopes = policy.getScopes();
-
- Permission perm = new Permission();
- perm.setResourceSet(ticket.getPermission().getResourceSet());
- perm.setScopes(new HashSet<>(Sets.intersection(ticketScopes, policyScopes)));
-
- token.setPermissions(Sets.newHashSet(perm));
-
- JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
-
- claims.audience(Lists.newArrayList(ticket.getPermission().getResourceSet().getId().toString()));
- claims.issuer(config.getIssuer());
- claims.jwtID(UUID.randomUUID().toString());
-
- if (config.getRqpTokenLifeTime() != null) {
- Date exp = new Date(System.currentTimeMillis() + config.getRqpTokenLifeTime() * 1000L);
-
- claims.expirationTime(exp);
- token.setExpiration(exp);
- }
-
-
- JWSAlgorithm signingAlgorithm = jwtService.getDefaultSigningAlgorithm();
- JWSHeader header = new JWSHeader(signingAlgorithm, null, null, null, null, null, null, null, null, null,
- jwtService.getDefaultSignerKeyId(),
- null, null);
- SignedJWT signed = new SignedJWT(header, claims.build());
-
- jwtService.signJwt(signed);
-
- token.setJwt(signed);
-
- tokenService.saveAccessToken(token);
-
- return token;
- }
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/service/impl/JpaRegisteredClientService.java b/uma-server/src/main/java/org/mitre/uma/service/impl/JpaRegisteredClientService.java
deleted file mode 100644
index 8ceb548e8..000000000
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/JpaRegisteredClientService.java
+++ /dev/null
@@ -1,95 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.service.impl;
-
-import java.util.Collection;
-
-import javax.persistence.EntityManager;
-import javax.persistence.PersistenceContext;
-import javax.persistence.TypedQuery;
-
-import org.mitre.oauth2.model.RegisteredClient;
-import org.mitre.openid.connect.client.service.RegisteredClientService;
-import org.mitre.uma.model.SavedRegisteredClient;
-import org.mitre.uma.service.SavedRegisteredClientService;
-import org.mitre.util.jpa.JpaUtil;
-import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
-
-/**
- * @author jricher
- *
- */
-@Service
-public class JpaRegisteredClientService implements RegisteredClientService, SavedRegisteredClientService{
-
- @PersistenceContext(unitName="defaultPersistenceUnit")
- private EntityManager em;
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.RegisteredClientService#getByIssuer(java.lang.String)
- */
- @Override
- public RegisteredClient getByIssuer(String issuer) {
- SavedRegisteredClient saved = getSavedRegisteredClientFromStorage(issuer);
-
- if (saved == null) {
- return null;
- } else {
- return saved.getRegisteredClient();
- }
- }
-
- /* (non-Javadoc)
- * @see org.mitre.openid.connect.client.service.RegisteredClientService#save(java.lang.String, org.mitre.oauth2.model.RegisteredClient)
- */
- @Override
- @Transactional(value="defaultTransactionManager")
- public void save(String issuer, RegisteredClient client) {
-
-
- SavedRegisteredClient saved = getSavedRegisteredClientFromStorage(issuer);
-
- if (saved == null) {
- saved = new SavedRegisteredClient();
- saved.setIssuer(issuer);
- }
-
- saved.setRegisteredClient(client);
-
- em.persist(saved);
-
- }
-
- private SavedRegisteredClient getSavedRegisteredClientFromStorage(String issuer) {
- TypedQuery query = em.createQuery("SELECT c from SavedRegisteredClient c where c.issuer = :issuer", SavedRegisteredClient.class);
- query.setParameter("issuer", issuer);
-
- SavedRegisteredClient saved = JpaUtil.getSingleResult(query.getResultList());
- return saved;
- }
-
- /**
- * @return
- */
- @Override
- public Collection getAll() {
- TypedQuery query = em.createQuery("SELECT c from SavedRegisteredClient c", SavedRegisteredClient.class);
- return query.getResultList();
- }
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java b/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java
deleted file mode 100644
index 7d480bf61..000000000
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/MatchAllClaimsOnAnyPolicy.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.service.impl;
-
-import java.util.Collection;
-import java.util.HashSet;
-
-import org.mitre.uma.model.Claim;
-import org.mitre.uma.model.ClaimProcessingResult;
-import org.mitre.uma.model.PermissionTicket;
-import org.mitre.uma.model.Policy;
-import org.mitre.uma.model.ResourceSet;
-import org.mitre.uma.service.ClaimsProcessingService;
-import org.springframework.stereotype.Service;
-
-/**
- * Tests if all the claims in the required set have a matching
- * value in the supplied set.
- *
- * @author jricher
- *
- */
-@Service("matchAllClaimsOnAnyPolicy")
-public class MatchAllClaimsOnAnyPolicy implements ClaimsProcessingService {
-
- /* (non-Javadoc)
- * @see org.mitre.uma.service.ClaimsProcessingService#claimsAreSatisfied(java.util.Collection, java.util.Collection)
- */
- @Override
- public ClaimProcessingResult claimsAreSatisfied(ResourceSet rs, PermissionTicket ticket) {
- Collection allUnmatched = new HashSet<>();
- for (Policy policy : rs.getPolicies()) {
- Collection unmatched = checkIndividualClaims(policy.getClaimsRequired(), ticket.getClaimsSupplied());
- if (unmatched.isEmpty()) {
- // we found something that's satisfied the claims, let's go with it!
- return new ClaimProcessingResult(policy);
- } else {
- // otherwise add it to the stack to send back
- allUnmatched.addAll(unmatched);
- }
- }
-
- // otherwise, tell the caller that we'll need some set of these fulfilled somehow
- return new ClaimProcessingResult(allUnmatched);
- }
-
- private Collection checkIndividualClaims(Collection claimsRequired, Collection claimsSupplied) {
-
- Collection claimsUnmatched = new HashSet<>(claimsRequired);
-
- // see if each of the required claims has a counterpart in the supplied claims set
- for (Claim required : claimsRequired) {
- for (Claim supplied : claimsSupplied) {
-
- if (required.getIssuer().containsAll(supplied.getIssuer())) {
- // it's from the right issuer
-
- if (required.getName().equals(supplied.getName()) &&
- required.getValue().equals(supplied.getValue())) {
-
- // the claim matched, pull it from the set
- claimsUnmatched.remove(required);
-
- }
-
- }
- }
- }
-
- // if there's anything left then the claims aren't satisfied, return the leftovers
- return claimsUnmatched;
-
- }
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/service/impl/UmaDataServiceExtension_1_3.java b/uma-server/src/main/java/org/mitre/uma/service/impl/UmaDataServiceExtension_1_3.java
deleted file mode 100644
index 6e9fba180..000000000
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/UmaDataServiceExtension_1_3.java
+++ /dev/null
@@ -1,715 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ - -package org.mitre.uma.service.impl; - -import static org.mitre.util.JsonUtils.readSet; - -import java.io.IOException; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -import org.mitre.oauth2.model.OAuth2AccessTokenEntity; -import org.mitre.oauth2.model.RegisteredClient; -import org.mitre.oauth2.repository.OAuth2TokenRepository; -import org.mitre.openid.connect.ClientDetailsEntityJsonProcessor; -import org.mitre.openid.connect.service.MITREidDataService; -import org.mitre.openid.connect.service.MITREidDataServiceExtension; -import org.mitre.openid.connect.service.MITREidDataServiceMaps; -import org.mitre.openid.connect.service.impl.MITREidDataServiceSupport; -import org.mitre.uma.model.Claim; -import org.mitre.uma.model.Permission; -import org.mitre.uma.model.PermissionTicket; -import org.mitre.uma.model.Policy; -import org.mitre.uma.model.ResourceSet; -import org.mitre.uma.model.SavedRegisteredClient; -import org.mitre.uma.repository.PermissionRepository; -import org.mitre.uma.repository.ResourceSetRepository; -import org.mitre.uma.service.SavedRegisteredClientService; -import org.slf4j.Logger; -import 
org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; - -import com.google.gson.JsonElement; -import com.google.gson.JsonParser; -import com.google.gson.stream.JsonReader; -import com.google.gson.stream.JsonToken; -import com.google.gson.stream.JsonWriter; - -/** - * @author jricher - * - */ -@Service("umaDataExtension_1_3") -public class UmaDataServiceExtension_1_3 extends MITREidDataServiceSupport implements MITREidDataServiceExtension { - - private static final String THIS_VERSION = MITREidDataService.MITREID_CONNECT_1_3; - - private static final String REGISTERED_CLIENT = "registeredClient"; - private static final String URI = "uri"; - private static final String NAME = "name"; - private static final String TYPE = "type"; - private static final String VALUE = "value"; - private static final String CLIENT_ID = "clientId"; - private static final String EXPIRATION = "expiration"; - private static final String ID = "id"; - private static final String ICON_URI = "iconUri"; - private static final String OWNER = "owner"; - private static final String POLICIES = "policies"; - private static final String SCOPES = "scopes"; - private static final String CLAIMS_REQUIRED = "claimsRequired"; - private static final String ISSUER = "issuer"; - private static final String CLAIM_TOKEN_FORMAT = "claimTokenFormat"; - private static final String CLAIM_TYPE = "claimType"; - private static final String FRIENDLY_NAME = "friendlyName"; - private static final String PERMISSIONS = "permissions"; - private static final String RESOURCE_SET = "resourceSet"; - private static final String PERMISSION_TICKETS = "permissionTickets"; - private static final String PERMISSION = "permission"; - private static final String TICKET = "ticket"; - private static final String CLAIMS_SUPPLIED = "claimsSupplied"; - private static final String SAVED_REGISTERED_CLIENTS = "savedRegisteredClients"; - private static final String 
RESOURCE_SETS = "resourceSets"; - private static final String TOKEN_PERMISSIONS = "tokenPermissions"; - private static final String TOKEN_ID = "tokenId"; - - private static final Logger logger = LoggerFactory.getLogger(UmaDataServiceExtension_1_3.class); - - - - @Autowired - private SavedRegisteredClientService registeredClientService; - @Autowired - private ResourceSetRepository resourceSetRepository; - @Autowired - private PermissionRepository permissionRepository; - @Autowired - private OAuth2TokenRepository tokenRepository; - - private Map> tokenToPermissionRefs = new HashMap<>(); - - /* (non-Javadoc) - * @see org.mitre.openid.connect.service.MITREidDataServiceExtension#supportsVersion(java.lang.String) - */ - @Override - public boolean supportsVersion(String version) { - return THIS_VERSION.equals(version); - - } - - /* (non-Javadoc) - * @see org.mitre.openid.connect.service.MITREidDataServiceExtension#exportExtensionData(com.google.gson.stream.JsonWriter) - */ - @Override - public void exportExtensionData(JsonWriter writer) throws IOException { - writer.name(SAVED_REGISTERED_CLIENTS); - writer.beginArray(); - writeSavedRegisteredClients(writer); - writer.endArray(); - - writer.name(RESOURCE_SETS); - writer.beginArray(); - writeResourceSets(writer); - writer.endArray(); - - writer.name(PERMISSION_TICKETS); - writer.beginArray(); - writePermissionTickets(writer); - writer.endArray(); - - writer.name(TOKEN_PERMISSIONS); - writer.beginArray(); - writeTokenPermissions(writer); - writer.endArray(); - } - - /** - * @param writer - * @throws IOException - */ - private void writeTokenPermissions(JsonWriter writer) throws IOException { - for (OAuth2AccessTokenEntity token : tokenRepository.getAllAccessTokens()) { - if (!token.getPermissions().isEmpty()) { // skip tokens that don't have the permissions structure attached - writer.beginObject(); - writer.name(TOKEN_ID).value(token.getId()); - writer.name(PERMISSIONS); - writer.beginArray(); - for (Permission p : 
token.getPermissions()) { - writer.beginObject(); - writer.name(RESOURCE_SET).value(p.getResourceSet().getId()); - writer.name(SCOPES); - writer.beginArray(); - for (String s : p.getScopes()) { - writer.value(s); - } - writer.endArray(); - writer.endObject(); - } - writer.endArray(); - - writer.endObject(); - } - } - } - - /** - * @param writer - * @throws IOException - */ - private void writePermissionTickets(JsonWriter writer) throws IOException { - for (PermissionTicket ticket : permissionRepository.getAll()) { - writer.beginObject(); - - writer.name(CLAIMS_SUPPLIED); - writer.beginArray(); - for (Claim claim : ticket.getClaimsSupplied()) { - writer.beginObject(); - - writer.name(ISSUER); - writer.beginArray(); - for (String issuer : claim.getIssuer()) { - writer.value(issuer); - } - writer.endArray(); - writer.name(CLAIM_TOKEN_FORMAT); - writer.beginArray(); - for (String format : claim.getClaimTokenFormat()) { - writer.value(format); - } - writer.endArray(); - writer.name(CLAIM_TYPE).value(claim.getClaimType()); - writer.name(FRIENDLY_NAME).value(claim.getFriendlyName()); - writer.name(NAME).value(claim.getName()); - writer.name(VALUE).value(claim.getValue().toString()); - writer.endObject(); - } - writer.endArray(); - - writer.name(EXPIRATION).value(toUTCString(ticket.getExpiration())); - - writer.name(PERMISSION); - writer.beginObject(); - Permission p = ticket.getPermission(); - writer.name(RESOURCE_SET).value(p.getResourceSet().getId()); - writer.name(SCOPES); - writer.beginArray(); - for (String s : p.getScopes()) { - writer.value(s); - } - writer.endArray(); - writer.endObject(); - - writer.name(TICKET).value(ticket.getTicket()); - - writer.endObject(); - } - - - } - - /** - * @param writer - * @throws IOException - */ - private void writeResourceSets(JsonWriter writer) throws IOException { - for (ResourceSet rs : resourceSetRepository.getAll()) { - writer.beginObject(); - writer.name(ID).value(rs.getId()); - 
writer.name(CLIENT_ID).value(rs.getClientId()); - writer.name(ICON_URI).value(rs.getIconUri()); - writer.name(NAME).value(rs.getName()); - writer.name(TYPE).value(rs.getType()); - writer.name(URI).value(rs.getUri()); - writer.name(OWNER).value(rs.getOwner()); - writer.name(POLICIES); - writer.beginArray(); - for (Policy policy : rs.getPolicies()) { - writer.beginObject(); - writer.name(NAME).value(policy.getName()); - writer.name(SCOPES); - writer.beginArray(); - for (String scope : policy.getScopes()) { - writer.value(scope); - } - writer.endArray(); - writer.name(CLAIMS_REQUIRED); - writer.beginArray(); - for (Claim claim : policy.getClaimsRequired()) { - writer.beginObject(); - - writer.name(ISSUER); - writer.beginArray(); - for (String issuer : claim.getIssuer()) { - writer.value(issuer); - } - writer.endArray(); - writer.name(CLAIM_TOKEN_FORMAT); - writer.beginArray(); - for (String format : claim.getClaimTokenFormat()) { - writer.value(format); - } - writer.endArray(); - writer.name(CLAIM_TYPE).value(claim.getClaimType()); - writer.name(FRIENDLY_NAME).value(claim.getFriendlyName()); - writer.name(NAME).value(claim.getName()); - writer.name(VALUE).value(claim.getValue().toString()); - writer.endObject(); - } - writer.endArray(); - writer.endObject(); - } - writer.endArray(); - writer.name(SCOPES); - writer.beginArray(); - for (String scope : rs.getScopes()) { - writer.value(scope); - } - writer.endArray(); - writer.endObject(); - logger.debug("Finished writing resource set {}", rs.getId()); - } - - } - - /** - * @param writer - */ - private void writeSavedRegisteredClients(JsonWriter writer) throws IOException { - for (SavedRegisteredClient src : registeredClientService.getAll()) { - writer.beginObject(); - writer.name(ISSUER).value(src.getIssuer()); - writer.name(REGISTERED_CLIENT).value(src.getRegisteredClient().getSource().toString()); - writer.endObject(); - logger.debug("Wrote saved registered client {}", src.getId()); - } - logger.info("Done writing 
saved registered clients"); - } - - /* (non-Javadoc) - * @see org.mitre.openid.connect.service.MITREidDataServiceExtension#importExtensionData(com.google.gson.stream.JsonReader) - */ - @Override - public boolean importExtensionData(String name, JsonReader reader) throws IOException { - if (name.equals(SAVED_REGISTERED_CLIENTS)) { - readSavedRegisteredClients(reader); - return true; - } else if (name.equals(RESOURCE_SETS)) { - readResourceSets(reader); - return true; - } else if (name.equals(PERMISSION_TICKETS)) { - readPermissionTickets(reader); - return true; - } else if (name.equals(TOKEN_PERMISSIONS)) { - readTokenPermissions(reader); - return true; - } else { - return false; - } - } - - /** - * @param reader - */ - private void readTokenPermissions(JsonReader reader) throws IOException { - reader.beginArray(); - while(reader.hasNext()) { - reader.beginObject(); - Long tokenId = null; - Set permissions = new HashSet<>(); - while (reader.hasNext()) { - switch(reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String name = reader.nextName(); - if (name.equals(TOKEN_ID)) { - tokenId = reader.nextLong(); - } else if (name.equals(PERMISSIONS)) { - reader.beginArray(); - while (reader.hasNext()) { - Permission p = new Permission(); - Long rsid = null; - Set scope = new HashSet<>(); - reader.beginObject(); - while (reader.hasNext()) { - switch (reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String pname = reader.nextName(); - if (reader.peek() == JsonToken.NULL) { - reader.skipValue(); - } else if (pname.equals(RESOURCE_SET)) { - rsid = reader.nextLong(); - } else if (pname.equals(SCOPES)) { - scope = readSet(reader); - } else { - logger.debug("Found unexpected entry"); - reader.skipValue(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - p.setScopes(scope); - Permission saved = permissionRepository.saveRawPermission(p); - 
permissionToResourceRefs.put(saved.getId(), rsid); - permissions.add(saved.getId()); - } - reader.endArray(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - tokenToPermissionRefs.put(tokenId, permissions); - } - reader.endArray(); - - } - - private Map permissionToResourceRefs = new HashMap<>(); - - /** - * @param reader - */ - private void readPermissionTickets(JsonReader reader) throws IOException { - JsonParser parser = new JsonParser(); - reader.beginArray(); - while (reader.hasNext()) { - PermissionTicket ticket = new PermissionTicket(); - reader.beginObject(); - while (reader.hasNext()) { - switch (reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String name = reader.nextName(); - if (reader.peek() == JsonToken.NULL) { - reader.skipValue(); - } else if (name.equals(CLAIMS_SUPPLIED)) { - Set claimsSupplied = new HashSet<>(); - reader.beginArray(); - while (reader.hasNext()) { - Claim c = new Claim(); - reader.beginObject(); - while (reader.hasNext()) { - switch (reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String cname = reader.nextName(); - if (reader.peek() == JsonToken.NULL) { - reader.skipValue(); - } else if (cname.equals(ISSUER)) { - c.setIssuer(readSet(reader)); - } else if (cname.equals(CLAIM_TOKEN_FORMAT)) { - c.setClaimTokenFormat(readSet(reader)); - } else if (cname.equals(CLAIM_TYPE)) { - c.setClaimType(reader.nextString()); - } else if (cname.equals(FRIENDLY_NAME)) { - c.setFriendlyName(reader.nextString()); - } else if (cname.equals(NAME)) { - c.setName(reader.nextString()); - } else if (cname.equals(VALUE)) { - JsonElement e = parser.parse(reader.nextString()); - c.setValue(e); - } else { - logger.debug("Found unexpected entry"); - reader.skipValue(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - claimsSupplied.add(c); - } - reader.endArray(); - 
ticket.setClaimsSupplied(claimsSupplied); - } else if (name.equals(EXPIRATION)) { - ticket.setExpiration(utcToDate(reader.nextString())); - } else if (name.equals(PERMISSION)) { - Permission p = new Permission(); - Long rsid = null; - reader.beginObject(); - while (reader.hasNext()) { - switch (reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String pname = reader.nextName(); - if (reader.peek() == JsonToken.NULL) { - reader.skipValue(); - } else if (pname.equals(RESOURCE_SET)) { - rsid = reader.nextLong(); - } else if (pname.equals(SCOPES)) { - p.setScopes(readSet(reader)); - } else { - logger.debug("Found unexpected entry"); - reader.skipValue(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - Permission saved = permissionRepository.saveRawPermission(p); - permissionToResourceRefs.put(saved.getId(), rsid); - ticket.setPermission(saved); - } else if (name.equals(TICKET)) { - ticket.setTicket(reader.nextString()); - } else { - logger.debug("Found unexpected entry"); - reader.skipValue(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - permissionRepository.save(ticket); - } - reader.endArray(); - } - - - private Map resourceSetOldToNewIdMap = new HashMap<>(); - - /** - * @param reader - */ - private void readResourceSets(JsonReader reader) throws IOException { - JsonParser parser = new JsonParser(); - reader.beginArray(); - while (reader.hasNext()) { - Long oldId = null; - ResourceSet rs = new ResourceSet(); - reader.beginObject(); - while (reader.hasNext()) { - switch (reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String name = reader.nextName(); - if (reader.peek() == JsonToken.NULL) { - reader.skipValue(); - } else if (name.equals(ID)) { - oldId = reader.nextLong(); - } else if (name.equals(CLIENT_ID)) { - rs.setClientId(reader.nextString()); - } else if 
(name.equals(ICON_URI)) { - rs.setIconUri(reader.nextString()); - } else if (name.equals(NAME)) { - rs.setName(reader.nextString()); - } else if (name.equals(TYPE)) { - rs.setType(reader.nextString()); - } else if (name.equals(URI)) { - rs.setUri(reader.nextString()); - } else if (name.equals(OWNER)) { - rs.setOwner(reader.nextString()); - } else if (name.equals(POLICIES)) { - Set policies = new HashSet<>(); - reader.beginArray(); - while (reader.hasNext()) { - Policy p = new Policy(); - reader.beginObject(); - while (reader.hasNext()) { - switch (reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String pname = reader.nextName(); - if (reader.peek() == JsonToken.NULL) { - reader.skipValue(); - } else if (pname.equals(NAME)) { - p.setName(reader.nextString()); - } else if (pname.equals(SCOPES)) { - p.setScopes(readSet(reader)); - } else if (pname.equals(CLAIMS_REQUIRED)) { - Set claimsRequired = new HashSet<>(); - reader.beginArray(); - while (reader.hasNext()) { - Claim c = new Claim(); - reader.beginObject(); - while (reader.hasNext()) { - switch (reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String cname = reader.nextName(); - if (reader.peek() == JsonToken.NULL) { - reader.skipValue(); - } else if (cname.equals(ISSUER)) { - c.setIssuer(readSet(reader)); - } else if (cname.equals(CLAIM_TOKEN_FORMAT)) { - c.setClaimTokenFormat(readSet(reader)); - } else if (cname.equals(CLAIM_TYPE)) { - c.setClaimType(reader.nextString()); - } else if (cname.equals(FRIENDLY_NAME)) { - c.setFriendlyName(reader.nextString()); - } else if (cname.equals(NAME)) { - c.setName(reader.nextString()); - } else if (cname.equals(VALUE)) { - JsonElement e = parser.parse(reader.nextString()); - c.setValue(e); - } else { - logger.debug("Found unexpected entry"); - reader.skipValue(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - claimsRequired.add(c); - } - reader.endArray(); - 
p.setClaimsRequired(claimsRequired); - } else { - logger.debug("Found unexpected entry"); - reader.skipValue(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - policies.add(p); - } - reader.endArray(); - rs.setPolicies(policies); - } else if (name.equals(SCOPES)) { - rs.setScopes(readSet(reader)); - } else { - logger.debug("Found unexpected entry"); - reader.skipValue(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - Long newId = resourceSetRepository.save(rs).getId(); - resourceSetOldToNewIdMap.put(oldId, newId); - } - reader.endArray(); - logger.info("Done reading resource sets"); - } - - /** - * @param reader - */ - private void readSavedRegisteredClients(JsonReader reader) throws IOException{ - reader.beginArray(); - while (reader.hasNext()) { - String issuer = null; - String clientString = null; - reader.beginObject(); - while (reader.hasNext()) { - switch (reader.peek()) { - case END_OBJECT: - continue; - case NAME: - String name = reader.nextName(); - if (reader.peek() == JsonToken.NULL) { - reader.skipValue(); - } else if (name.equals(ISSUER)) { - issuer = reader.nextString(); - } else if (name.equals(REGISTERED_CLIENT)) { - clientString = reader.nextString(); - } else { - logger.debug("Found unexpected entry"); - reader.skipValue(); - } - break; - default: - logger.debug("Found unexpected entry"); - reader.skipValue(); - continue; - } - } - reader.endObject(); - RegisteredClient client = ClientDetailsEntityJsonProcessor.parseRegistered(clientString); - registeredClientService.save(issuer, client); - logger.debug("Saved registered client"); - } - reader.endArray(); - logger.info("Done reading saved registered clients"); - } - - /* (non-Javadoc) - * @see org.mitre.openid.connect.service.MITREidDataServiceExtension#fixExtensionObjectReferences() - */ - @Override - public void 
fixExtensionObjectReferences(MITREidDataServiceMaps maps) { - for (Long permissionId : permissionToResourceRefs.keySet()) { - Long oldResourceId = permissionToResourceRefs.get(permissionId); - Long newResourceId = resourceSetOldToNewIdMap.get(oldResourceId); - Permission p = permissionRepository.getById(permissionId); - ResourceSet rs = resourceSetRepository.getById(newResourceId); - p.setResourceSet(rs); - permissionRepository.saveRawPermission(p); - logger.debug("Mapping rsid " + oldResourceId + " to " + newResourceId + " for permission " + permissionId); - } - for (Long tokenId : tokenToPermissionRefs.keySet()) { - Long newTokenId = maps.getAccessTokenOldToNewIdMap().get(tokenId); - OAuth2AccessTokenEntity token = tokenRepository.getAccessTokenById(newTokenId); - - Set permissions = new HashSet<>(); - for (Long permissionId : tokenToPermissionRefs.get(tokenId)) { - Permission p = permissionRepository.getById(permissionId); - permissions.add(p); - } - - token.setPermissions(permissions); - tokenRepository.saveAccessToken(token); - } - permissionToResourceRefs.clear(); - resourceSetOldToNewIdMap.clear(); - tokenToPermissionRefs.clear(); - } - -} diff --git a/uma-server/src/main/java/org/mitre/uma/util/ExternalLoginAuthoritiesMapper.java b/uma-server/src/main/java/org/mitre/uma/util/ExternalLoginAuthoritiesMapper.java deleted file mode 100644 index 9626eba04..000000000 --- a/uma-server/src/main/java/org/mitre/uma/util/ExternalLoginAuthoritiesMapper.java +++ /dev/null 
@@ -1,45 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.util;
-
-import java.util.Collection;
-
-import org.mitre.openid.connect.client.OIDCAuthoritiesMapper;
-import org.mitre.openid.connect.model.UserInfo;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-
-import com.google.common.collect.Sets;
-import com.nimbusds.jwt.JWT;
-
-/**
- * Utility class to map all external logins to the ROLE_EXTERNAL_USER authority
- * to prevent them from accessing other parts of the server.
- *
- * @author jricher
- *
- */
-public class ExternalLoginAuthoritiesMapper implements OIDCAuthoritiesMapper {
-
- private static final GrantedAuthority ROLE_EXTERNAL_USER = new SimpleGrantedAuthority("ROLE_EXTERNAL_USER");
-
- @Override
- public Collection mapAuthorities(JWT idToken, UserInfo userInfo) {
- return Sets.newHashSet(ROLE_EXTERNAL_USER);
- }
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/view/ResourceSetEntityAbbreviatedView.java b/uma-server/src/main/java/org/mitre/uma/view/ResourceSetEntityAbbreviatedView.java
deleted file mode 100644
index 9f581fb67..000000000
--- a/uma-server/src/main/java/org/mitre/uma/view/ResourceSetEntityAbbreviatedView.java
+++ /dev/null
@@ -1,119 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -package org.mitre.uma.view; - -import java.io.IOException; -import java.io.Writer; -import java.util.Map; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.mitre.openid.connect.config.ConfigurationPropertiesBean; -import org.mitre.openid.connect.view.HttpCodeView; -import org.mitre.openid.connect.view.JsonEntityView; -import org.mitre.uma.model.ResourceSet; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.HttpHeaders; -import org.springframework.http.HttpStatus; -import org.springframework.stereotype.Component; -import org.springframework.validation.BeanPropertyBindingResult; -import org.springframework.web.servlet.view.AbstractView; - -import com.google.common.base.Strings; -import com.google.gson.ExclusionStrategy; -import com.google.gson.FieldAttributes; -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.google.gson.JsonObject; -import com.google.gson.LongSerializationPolicy; - -@Component(ResourceSetEntityAbbreviatedView.VIEWNAME) -public class ResourceSetEntityAbbreviatedView 
extends AbstractView { - private static Logger logger = LoggerFactory.getLogger(JsonEntityView.class); - - public static final String VIEWNAME = "resourceSetEntityAbbreviatedView"; - - public static final String LOCATION = "location"; - - @Autowired - private ConfigurationPropertiesBean config; - - private Gson gson = new GsonBuilder() - .setExclusionStrategies(new ExclusionStrategy() { - - @Override - public boolean shouldSkipField(FieldAttributes f) { - - return false; - } - - @Override - public boolean shouldSkipClass(Class clazz) { - // skip the JPA binding wrapper - if (clazz.equals(BeanPropertyBindingResult.class)) { - return true; - } - return false; - } - - }) - .serializeNulls() - .setDateFormat("yyyy-MM-dd'T'HH:mm:ssZ") - .setLongSerializationPolicy(LongSerializationPolicy.STRING) - .create(); - - @Override - protected void renderMergedOutputModel(Map model, HttpServletRequest request, HttpServletResponse response) { - - response.setContentType("application/json"); - - - HttpStatus code = (HttpStatus) model.get(HttpCodeView.CODE); - if (code == null) { - code = HttpStatus.OK; // default to 200 - } - - response.setStatus(code.value()); - - String location = (String) model.get(LOCATION); - if (!Strings.isNullOrEmpty(location)) { - response.setHeader(HttpHeaders.LOCATION, location); - } - - try { - - Writer out = response.getWriter(); - ResourceSet rs = (ResourceSet) model.get(JsonEntityView.ENTITY); - - JsonObject o = new JsonObject(); - - o.addProperty("_id", rs.getId().toString()); // set the ID to a string - o.addProperty("user_access_policy_uri", config.getIssuer() + "manage/user/policy/" + rs.getId()); - - - gson.toJson(o, out); - - } catch (IOException e) { - - logger.error("IOException in ResourceSetEntityView.java: ", e); - - } - } - -} diff --git a/uma-server/src/main/java/org/mitre/uma/view/ResourceSetEntityView.java b/uma-server/src/main/java/org/mitre/uma/view/ResourceSetEntityView.java deleted file mode 100644 index e34e47431..000000000 
--- a/uma-server/src/main/java/org/mitre/uma/view/ResourceSetEntityView.java
+++ /dev/null
@@ -1,121 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ -package org.mitre.uma.view; - -import java.io.IOException; -import java.io.Writer; -import java.util.Map; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.mitre.openid.connect.config.ConfigurationPropertiesBean; -import org.mitre.openid.connect.view.JsonEntityView; -import org.mitre.uma.model.ResourceSet; -import org.mitre.util.JsonUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.HttpHeaders; -import org.springframework.http.HttpStatus; -import org.springframework.stereotype.Component; -import org.springframework.validation.BeanPropertyBindingResult; -import org.springframework.web.servlet.view.AbstractView; - -import com.google.common.base.Strings; -import com.google.gson.ExclusionStrategy; -import com.google.gson.FieldAttributes; -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.google.gson.JsonObject; -import com.google.gson.LongSerializationPolicy; - -@Component(ResourceSetEntityView.VIEWNAME) -public class ResourceSetEntityView extends AbstractView { - private static 
Logger logger = LoggerFactory.getLogger(JsonEntityView.class); - - public static final String VIEWNAME = "resourceSetEntityView"; - - @Autowired - private ConfigurationPropertiesBean config; - - private Gson gson = new GsonBuilder() - .setExclusionStrategies(new ExclusionStrategy() { - - @Override - public boolean shouldSkipField(FieldAttributes f) { - - return false; - } - - @Override - public boolean shouldSkipClass(Class clazz) { - // skip the JPA binding wrapper - if (clazz.equals(BeanPropertyBindingResult.class)) { - return true; - } - return false; - } - - }) - .serializeNulls() - .setDateFormat("yyyy-MM-dd'T'HH:mm:ssZ") - .setLongSerializationPolicy(LongSerializationPolicy.STRING) - .create(); - - @Override - protected void renderMergedOutputModel(Map model, HttpServletRequest request, HttpServletResponse response) { - - response.setContentType("application/json"); - - - HttpStatus code = (HttpStatus) model.get("code"); - if (code == null) { - code = HttpStatus.OK; // default to 200 - } - - response.setStatus(code.value()); - - String location = (String) model.get("location"); - if (!Strings.isNullOrEmpty(location)) { - response.setHeader(HttpHeaders.LOCATION, location); - } - - try { - - Writer out = response.getWriter(); - ResourceSet rs = (ResourceSet) model.get("entity"); - - JsonObject o = new JsonObject(); - - o.addProperty("_id", rs.getId().toString()); // send the id as a string - o.addProperty("user_access_policy_uri", config.getIssuer() + "manage/resource/" + rs.getId()); - o.addProperty("name", rs.getName()); - o.addProperty("uri", rs.getUri()); - o.addProperty("type", rs.getType()); - o.add("scopes", JsonUtils.getAsArray(rs.getScopes())); - o.addProperty("icon_uri", rs.getIconUri()); - - gson.toJson(o, out); - - } catch (IOException e) { - - logger.error("IOException in ResourceSetEntityView.java: ", e); - - } - } - -} 
diff --git a/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java b/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
deleted file mode 100644
index 04f837844..000000000
--- a/uma-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
+++ /dev/null
@@ -1,202 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ - -package org.mitre.uma.web; - -import java.util.Map; - -import org.mitre.oauth2.model.OAuth2AccessTokenEntity; -import org.mitre.oauth2.service.OAuth2TokenEntityService; -import org.mitre.oauth2.service.SystemScopeService; -import org.mitre.oauth2.web.AuthenticationUtilities; -import org.mitre.openid.connect.view.HttpCodeView; -import org.mitre.openid.connect.view.JsonEntityView; -import org.mitre.openid.connect.view.JsonErrorView; -import org.mitre.uma.model.Claim; -import org.mitre.uma.model.ClaimProcessingResult; -import org.mitre.uma.model.PermissionTicket; -import org.mitre.uma.model.ResourceSet; -import org.mitre.uma.service.ClaimsProcessingService; -import org.mitre.uma.service.PermissionService; -import org.mitre.uma.service.UmaTokenService; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.HttpStatus; -import org.springframework.security.core.Authentication; -import org.springframework.security.oauth2.provider.OAuth2Authentication; -import org.springframework.stereotype.Controller; -import org.springframework.ui.Model; -import 
org.springframework.util.MimeTypeUtils; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; - -import com.google.common.collect.ImmutableMap; -import com.google.gson.JsonArray; -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.gson.JsonParser; -import com.google.gson.JsonPrimitive; - -/** - * @author jricher - * - */ -@Controller -@RequestMapping("/" + AuthorizationRequestEndpoint.URL) -public class AuthorizationRequestEndpoint { - // Logger for this class - private static final Logger logger = LoggerFactory.getLogger(AuthorizationRequestEndpoint.class); - - public static final String RPT = "rpt"; - public static final String TICKET = "ticket"; - public static final String URL = "authz_request"; - - @Autowired - private PermissionService permissionService; - - @Autowired - private OAuth2TokenEntityService tokenService; - - @Autowired - private ClaimsProcessingService claimsProcessingService; - - @Autowired - private UmaTokenService umaTokenService; - - @RequestMapping(method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String authorizationRequest(@RequestBody String jsonString, Model m, Authentication auth) { - - AuthenticationUtilities.ensureOAuthScope(auth, SystemScopeService.UMA_AUTHORIZATION_SCOPE); - - JsonParser parser = new JsonParser(); - JsonElement e = parser.parse(jsonString); - - if (e.isJsonObject()) { - JsonObject o = e.getAsJsonObject(); - - if (o.has(TICKET)) { - - OAuth2AccessTokenEntity incomingRpt = null; - if (o.has(RPT)) { - String rptValue = o.get(RPT).getAsString(); - incomingRpt = tokenService.readAccessToken(rptValue); - } - - String ticketValue = o.get(TICKET).getAsString(); - - PermissionTicket ticket = permissionService.getByTicket(ticketValue); - - if (ticket != null) { - // 
found the ticket, see if it's any good - - ResourceSet rs = ticket.getPermission().getResourceSet(); - - if (rs.getPolicies() == null || rs.getPolicies().isEmpty()) { - // the required claims are empty, this resource has no way to be authorized - - m.addAttribute(JsonErrorView.ERROR, "not_authorized"); - m.addAttribute(JsonErrorView.ERROR_MESSAGE, "This resource set can not be accessed."); - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return JsonErrorView.VIEWNAME; - } else { - // claims weren't empty or missing, we need to check against what we have - - ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs, ticket); - - - if (result.isSatisfied()) { - // the service found what it was looking for, issue a token - - // we need to downscope this based on the required set that was matched if it was matched - OAuth2Authentication o2auth = (OAuth2Authentication) auth; - - OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket, result.getMatched()); - - // if we have an inbound RPT, throw it out because we're replacing it - if (incomingRpt != null) { - tokenService.revokeAccessToken(incomingRpt); - } - - Map entity = ImmutableMap.of("rpt", token.getValue()); - - m.addAttribute(JsonEntityView.ENTITY, entity); - - return JsonEntityView.VIEWNAME; - - } else { - - // if we got here, the claim didn't match, forward the user to the claim gathering endpoint - JsonObject entity = new JsonObject(); - - entity.addProperty(JsonErrorView.ERROR, "need_info"); - JsonObject details = new JsonObject(); - - JsonObject rpClaims = new JsonObject(); - rpClaims.addProperty("redirect_user", true); - rpClaims.addProperty("ticket", ticketValue); - JsonArray req = new JsonArray(); - for (Claim claim : result.getUnmatched()) { - JsonObject c = new JsonObject(); - c.addProperty("name", claim.getName()); - c.addProperty("friendly_name", claim.getFriendlyName()); - c.addProperty("claim_type", claim.getClaimType()); - JsonArray 
f = new JsonArray(); - for (String format : claim.getClaimTokenFormat()) { - f.add(new JsonPrimitive(format)); - } - c.add("claim_token_format", f); - JsonArray i = new JsonArray(); - for (String issuer : claim.getIssuer()) { - i.add(new JsonPrimitive(issuer)); - } - c.add("issuer", i); - req.add(c); - } - rpClaims.add("required_claims", req); - details.add("requesting_party_claims", rpClaims); - entity.add("error_details", details); - - m.addAttribute(JsonEntityView.ENTITY, entity); - return JsonEntityView.VIEWNAME; - } - - - } - } else { - // ticket wasn't found, return an error - m.addAttribute(HttpStatus.BAD_REQUEST); - m.addAttribute(JsonErrorView.ERROR, "invalid_ticket"); - return JsonErrorView.VIEWNAME; - } - - } else { - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Missing JSON elements."); - return JsonErrorView.VIEWNAME; - } - - - } else { - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Malformed JSON request."); - return JsonErrorView.VIEWNAME; - } - - } - -} diff --git a/uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java b/uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java deleted file mode 100644 index 52061e4eb..000000000 --- a/uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java +++ /dev/null 
@@ -1,152 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ - -package org.mitre.uma.web; - -import java.util.Set; - -import org.mitre.oauth2.model.ClientDetailsEntity; -import org.mitre.oauth2.service.ClientDetailsEntityService; -import org.mitre.openid.connect.model.OIDCAuthenticationToken; -import org.mitre.openid.connect.model.UserInfo; -import org.mitre.openid.connect.view.HttpCodeView; -import org.mitre.uma.model.Claim; -import org.mitre.uma.model.PermissionTicket; -import org.mitre.uma.service.PermissionService; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.HttpStatus; -import org.springframework.security.access.prepost.PreAuthorize; -import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException; -import org.springframework.stereotype.Controller; -import org.springframework.ui.Model; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.util.UriComponentsBuilder; - -import com.google.common.base.Strings; -import 
com.google.common.collect.Sets; -import com.google.gson.JsonElement; -import com.google.gson.JsonPrimitive; - -/** - * - * Collect claims interactively from the end user. - * - * @author jricher - * - */ -@Controller -@PreAuthorize("hasRole('ROLE_EXTERNAL_USER')") -@RequestMapping("/" + ClaimsCollectionEndpoint.URL) -public class ClaimsCollectionEndpoint { - // Logger for this class - private static final Logger logger = LoggerFactory.getLogger(ClaimsCollectionEndpoint.class); - - public static final String URL = "rqp_claims"; - - @Autowired - private ClientDetailsEntityService clientService; - - @Autowired - private PermissionService permissionService; - - - @RequestMapping(method = RequestMethod.GET) - public String collectClaims(@RequestParam("client_id") String clientId, @RequestParam(value = "redirect_uri", required = false) String redirectUri, - @RequestParam("ticket") String ticketValue, @RequestParam(value = "state", required = false) String state, - Model m, OIDCAuthenticationToken auth) { - - - ClientDetailsEntity client = clientService.loadClientByClientId(clientId); - - PermissionTicket ticket = permissionService.getByTicket(ticketValue); - - if (client == null || ticket == null) { - logger.info("Client or ticket not found: " + clientId + " :: " + ticketValue); - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - // we've got a client and ticket, let's attach the claims that we have from the token and userinfo - - // subject - Set claimsSupplied = Sets.newHashSet(ticket.getClaimsSupplied()); - - String issuer = auth.getIssuer(); - UserInfo userInfo = auth.getUserInfo(); - - claimsSupplied.add(mkClaim(issuer, "sub", new JsonPrimitive(auth.getSub()))); - if (userInfo.getEmail() != null) { - claimsSupplied.add(mkClaim(issuer, "email", new JsonPrimitive(userInfo.getEmail()))); - } - if (userInfo.getEmailVerified() != null) { - claimsSupplied.add(mkClaim(issuer, "email_verified", new 
JsonPrimitive(userInfo.getEmailVerified()))); - } - if (userInfo.getPhoneNumber() != null) { - claimsSupplied.add(mkClaim(issuer, "phone_number", new JsonPrimitive(auth.getUserInfo().getPhoneNumber()))); - } - if (userInfo.getPhoneNumberVerified() != null) { - claimsSupplied.add(mkClaim(issuer, "phone_number_verified", new JsonPrimitive(auth.getUserInfo().getPhoneNumberVerified()))); - } - if (userInfo.getPreferredUsername() != null) { - claimsSupplied.add(mkClaim(issuer, "preferred_username", new JsonPrimitive(auth.getUserInfo().getPreferredUsername()))); - } - if (userInfo.getProfile() != null) { - claimsSupplied.add(mkClaim(issuer, "profile", new JsonPrimitive(auth.getUserInfo().getProfile()))); - } - - ticket.setClaimsSupplied(claimsSupplied); - - PermissionTicket updatedTicket = permissionService.updateTicket(ticket); - - if (Strings.isNullOrEmpty(redirectUri)) { - if (client.getClaimsRedirectUris().size() == 1) { - redirectUri = client.getClaimsRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here - logger.info("No redirect URI passed in, using registered value: " + redirectUri); - } else { - throw new RedirectMismatchException("Unable to find redirect URI and none passed in."); - } - } else { - if (!client.getClaimsRedirectUris().contains(redirectUri)) { - throw new RedirectMismatchException("Claims redirect did not match the registered values."); - } - } - - UriComponentsBuilder template = UriComponentsBuilder.fromUriString(redirectUri); - template.queryParam("authorization_state", "claims_submitted"); - if (!Strings.isNullOrEmpty(state)) { - template.queryParam("state", state); - } - - String uriString = template.toUriString(); - logger.info("Redirecting to " + uriString); - - return "redirect:" + uriString; - } - - - private Claim mkClaim(String issuer, String name, JsonElement value) { - Claim c = new Claim(); - c.setIssuer(Sets.newHashSet(issuer)); - c.setName(name); - c.setValue(value); - return c; - } - -} 
diff --git a/uma-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java b/uma-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java
deleted file mode 100644
index a3b660129..000000000
--- a/uma-server/src/main/java/org/mitre/uma/web/PermissionRegistrationEndpoint.java
+++ /dev/null
@@ -1,155 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ - -package org.mitre.uma.web; - -import static org.mitre.oauth2.web.AuthenticationUtilities.ensureOAuthScope; -import static org.mitre.util.JsonUtils.getAsLong; -import static org.mitre.util.JsonUtils.getAsStringSet; - -import java.util.Set; - -import org.mitre.oauth2.model.SystemScope; -import org.mitre.oauth2.service.SystemScopeService; -import org.mitre.openid.connect.view.JsonEntityView; -import org.mitre.openid.connect.view.JsonErrorView; -import org.mitre.uma.model.PermissionTicket; -import org.mitre.uma.model.ResourceSet; -import org.mitre.uma.service.PermissionService; -import org.mitre.uma.service.ResourceSetService; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.HttpStatus; -import org.springframework.security.access.prepost.PreAuthorize; -import org.springframework.security.core.Authentication; -import org.springframework.stereotype.Controller; -import org.springframework.ui.Model; -import org.springframework.util.MimeTypeUtils; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RequestMapping; -import 
org.springframework.web.bind.annotation.RequestMethod; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.gson.JsonParseException; -import com.google.gson.JsonParser; - -/** - * @author jricher - * - */ -@Controller -@RequestMapping("/" + PermissionRegistrationEndpoint.URL) -@PreAuthorize("hasRole('ROLE_USER')") -public class PermissionRegistrationEndpoint { - // Logger for this class - private static final Logger logger = LoggerFactory.getLogger(PermissionRegistrationEndpoint.class); - - public static final String URL = "permission"; - - @Autowired - private PermissionService permissionService; - - @Autowired - private ResourceSetService resourceSetService; - - @Autowired - private SystemScopeService scopeService; - - private JsonParser parser = new JsonParser(); - - @RequestMapping(method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String getPermissionTicket(@RequestBody String jsonString, Model m, Authentication auth) { - - ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE); - - try { - - // parse the permission request - - JsonElement el = parser.parse(jsonString); - if (el.isJsonObject()) { - JsonObject o = el.getAsJsonObject(); - - Long rsid = getAsLong(o, "resource_set_id"); - Set scopes = getAsStringSet(o, "scopes"); - - if (rsid == null || scopes == null || scopes.isEmpty()){ - // missing information - m.addAttribute("code", HttpStatus.BAD_REQUEST); - m.addAttribute("errorMessage", "Missing required component of permission registration request."); - return JsonErrorView.VIEWNAME; - } - - // trim any restricted scopes - Set scopesRequested = scopeService.fromStrings(scopes); - scopesRequested = scopeService.removeRestrictedAndReservedScopes(scopesRequested); - scopes = scopeService.toStrings(scopesRequested); - - ResourceSet resourceSet = resourceSetService.getById(rsid); - - // requested resource set doesn't exist - 
if (resourceSet == null) { - m.addAttribute("code", HttpStatus.NOT_FOUND); - m.addAttribute("errorMessage", "Requested resource set not found: " + rsid); - return JsonErrorView.VIEWNAME; - } - - // authorized user of the token doesn't match owner of the resource set - if (!resourceSet.getOwner().equals(auth.getName())) { - m.addAttribute("code", HttpStatus.FORBIDDEN); - m.addAttribute("errorMessage", "Party requesting permission is not owner of resource set, expected " + resourceSet.getOwner() + " got " + auth.getName()); - return JsonErrorView.VIEWNAME; - } - - // create the permission - PermissionTicket permission = permissionService.createTicket(resourceSet, scopes); - - if (permission != null) { - // we've created the permission, return the ticket - JsonObject out = new JsonObject(); - out.addProperty("ticket", permission.getTicket()); - m.addAttribute("entity", out); - - m.addAttribute("code", HttpStatus.CREATED); - - return JsonEntityView.VIEWNAME; - } else { - // there was a failure creating the permission object - - m.addAttribute("code", HttpStatus.INTERNAL_SERVER_ERROR); - m.addAttribute("errorMessage", "Unable to save permission and generate ticket."); - - return JsonErrorView.VIEWNAME; - } - - } else { - // malformed request - m.addAttribute("code", HttpStatus.BAD_REQUEST); - m.addAttribute("errorMessage", "Malformed JSON request."); - return JsonErrorView.VIEWNAME; - } - } catch (JsonParseException e) { - // malformed request - m.addAttribute("code", HttpStatus.BAD_REQUEST); - m.addAttribute("errorMessage", "Malformed JSON request."); - return JsonErrorView.VIEWNAME; - } - - } - -} diff --git a/uma-server/src/main/java/org/mitre/uma/web/PolicyAPI.java b/uma-server/src/main/java/org/mitre/uma/web/PolicyAPI.java deleted file mode 100644 index 2b1feda58..000000000 --- a/uma-server/src/main/java/org/mitre/uma/web/PolicyAPI.java +++ /dev/null 
@@ -1,391 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ - -package org.mitre.uma.web; - -import java.util.Collection; -import java.util.HashSet; -import java.util.Set; - -import org.mitre.openid.connect.view.HttpCodeView; -import org.mitre.openid.connect.view.JsonEntityView; -import org.mitre.openid.connect.view.JsonErrorView; -import org.mitre.openid.connect.web.RootController; -import org.mitre.uma.model.Claim; -import org.mitre.uma.model.Policy; -import org.mitre.uma.model.ResourceSet; -import org.mitre.uma.service.ResourceSetService; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.HttpStatus; -import org.springframework.security.access.prepost.PreAuthorize; -import org.springframework.security.core.Authentication; -import org.springframework.stereotype.Controller; -import org.springframework.ui.Model; -import org.springframework.util.MimeTypeUtils; -import org.springframework.web.bind.annotation.PathVariable; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; - -import 
com.google.common.collect.Sets; -import com.google.gson.Gson; - -/** - * API for managing policies on resource sets. - * - * @author jricher - * - */ -@Controller -@RequestMapping("/" + PolicyAPI.URL) -@PreAuthorize("hasRole('ROLE_USER')") -public class PolicyAPI { - - // Logger for this class - private static final Logger logger = LoggerFactory.getLogger(PolicyAPI.class); - - public static final String URL = RootController.API_URL + "/resourceset"; - public static final String POLICYURL = "/policy"; - - private Gson gson = new Gson(); - - @Autowired - private ResourceSetService resourceSetService; - - /** - * List all resource sets for the current user - * @param m - * @param auth - * @return - */ - @RequestMapping(value = "", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String getResourceSetsForCurrentUser(Model m, Authentication auth) { - - Collection resourceSets = resourceSetService.getAllForOwner(auth.getName()); - - m.addAttribute(JsonEntityView.ENTITY, resourceSets); - - return JsonEntityView.VIEWNAME; - } - - /** - * Get the indicated resource set - * @param rsid - * @param m - * @param auth - * @return - */ - @RequestMapping(value = "/{rsid}", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String getResourceSet(@PathVariable (value = "rsid") Long rsid, Model m, Authentication auth) { - - ResourceSet rs = resourceSetService.getById(rsid); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - if (!rs.getOwner().equals(auth.getName())) { - logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName()); - - // authenticated user didn't match the owner of the resource set - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return HttpCodeView.VIEWNAME; - } - - m.addAttribute(JsonEntityView.ENTITY, rs); - - return JsonEntityView.VIEWNAME; - } - - /** - * 
Delete the indicated resource set - * @param rsid - * @param m - * @param auth - * @return - */ - @RequestMapping(value = "/{rsid}", method = RequestMethod.DELETE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String deleteResourceSet(@PathVariable (value = "rsid") Long rsid, Model m, Authentication auth) { - - ResourceSet rs = resourceSetService.getById(rsid); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - if (!rs.getOwner().equals(auth.getName())) { - logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName()); - - // authenticated user didn't match the owner of the resource set - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return HttpCodeView.VIEWNAME; - } - - resourceSetService.remove(rs); - m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT); - return HttpCodeView.VIEWNAME; - - } - - /** - * List all the policies for the given resource set - * @param rsid - * @param m - * @param auth - * @return - */ - @RequestMapping(value = "/{rsid}" + POLICYURL, method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String getPoliciesForResourceSet(@PathVariable (value = "rsid") Long rsid, Model m, Authentication auth) { - - ResourceSet rs = resourceSetService.getById(rsid); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - if (!rs.getOwner().equals(auth.getName())) { - logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName()); - - // authenticated user didn't match the owner of the resource set - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return HttpCodeView.VIEWNAME; - } - - m.addAttribute(JsonEntityView.ENTITY, rs.getPolicies()); - - return JsonEntityView.VIEWNAME; - } - - /** - * Create a new policy on the given resource set - * @param 
rsid - * @param m - * @param auth - * @return - */ - @RequestMapping(value = "/{rsid}" + POLICYURL, method = RequestMethod.POST, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String createNewPolicyForResourceSet(@PathVariable (value = "rsid") Long rsid, @RequestBody String jsonString, Model m, Authentication auth) { - ResourceSet rs = resourceSetService.getById(rsid); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - if (!rs.getOwner().equals(auth.getName())) { - logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName()); - - // authenticated user didn't match the owner of the resource set - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return HttpCodeView.VIEWNAME; - } - - Policy p = gson.fromJson(jsonString, Policy.class); - - if (p.getId() != null) { - logger.warn("Tried to add a policy with a non-null ID: " + p.getId()); - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - return HttpCodeView.VIEWNAME; - } - - for (Claim claim : p.getClaimsRequired()) { - if (claim.getId() != null) { - logger.warn("Tried to add a policy with a non-null claim ID: " + claim.getId()); - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - return HttpCodeView.VIEWNAME; - } - } - - rs.getPolicies().add(p); - ResourceSet saved = resourceSetService.update(rs, rs); - - // find the new policy object - Collection newPolicies = Sets.difference(new HashSet<>(saved.getPolicies()), new HashSet<>(rs.getPolicies())); - - if (newPolicies.size() == 1) { - Policy newPolicy = newPolicies.iterator().next(); - m.addAttribute(JsonEntityView.ENTITY, newPolicy); - return JsonEntityView.VIEWNAME; - } else { - logger.warn("Unexpected result trying to add a new policy object: " + newPolicies); - m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR); - return HttpCodeView.VIEWNAME; - } - - } - - /** - * Get a specific 
policy - * @param rsid - * @param pid - * @param m - * @param auth - * @return - */ - @RequestMapping(value = "/{rsid}" + POLICYURL + "/{pid}", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String getPolicy(@PathVariable (value = "rsid") Long rsid, @PathVariable (value = "pid") Long pid, Model m, Authentication auth) { - - ResourceSet rs = resourceSetService.getById(rsid); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - if (!rs.getOwner().equals(auth.getName())) { - logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName()); - - // authenticated user didn't match the owner of the resource set - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return HttpCodeView.VIEWNAME; - } - - for (Policy policy : rs.getPolicies()) { - if (policy.getId().equals(pid)) { - // found it! - m.addAttribute(JsonEntityView.ENTITY, policy); - return JsonEntityView.VIEWNAME; - } - } - - // if we made it this far, we haven't found it - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - /** - * Update a specific policy - * @param rsid - * @param pid - * @param jsonString - * @param m - * @param auth - * @return - */ - @RequestMapping(value = "/{rsid}" + POLICYURL + "/{pid}", method = RequestMethod.PUT, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String setClaimsForResourceSet(@PathVariable (value = "rsid") Long rsid, @PathVariable (value = "pid") Long pid, @RequestBody String jsonString, Model m, Authentication auth) { - - ResourceSet rs = resourceSetService.getById(rsid); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - if (!rs.getOwner().equals(auth.getName())) { - logger.warn("Unauthorized resource set request from bad user; 
expected " + rs.getOwner() + " got " + auth.getName()); - - // authenticated user didn't match the owner of the resource set - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return HttpCodeView.VIEWNAME; - } - - Policy p = gson.fromJson(jsonString, Policy.class); - - if (!pid.equals(p.getId())) { - logger.warn("Policy ID mismatch, expected " + pid + " got " + p.getId()); - - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - return HttpCodeView.VIEWNAME; - } - - for (Policy policy : rs.getPolicies()) { - if (policy.getId().equals(pid)) { - // found it! - - // find the existing claim IDs, make sure we're not overwriting anything from another policy - Set claimIds = new HashSet<>(); - for (Claim claim : policy.getClaimsRequired()) { - claimIds.add(claim.getId()); - } - - for (Claim claim : p.getClaimsRequired()) { - if (claim.getId() != null && !claimIds.contains(claim.getId())) { - logger.warn("Tried to add a policy with a an unmatched claim ID: got " + claim.getId() + " expected " + claimIds); - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - return HttpCodeView.VIEWNAME; - } - } - - // update the existing object with the new values - policy.setClaimsRequired(p.getClaimsRequired()); - policy.setName(p.getName()); - policy.setScopes(p.getScopes()); - - resourceSetService.update(rs, rs); - - m.addAttribute(JsonEntityView.ENTITY, policy); - return JsonEntityView.VIEWNAME; - } - } - - // if we made it this far, we haven't found it - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - } - - /** - * Delete a specific policy - * @param rsid - * @param pid - * @param m - * @param auth - * @return - */ - @RequestMapping(value = "/{rsid}" + POLICYURL + "/{pid}", method = RequestMethod.DELETE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String deleteResourceSet(@PathVariable ("rsid") Long rsid, @PathVariable (value = "pid") Long pid, Model m, Authentication auth) { - - ResourceSet rs = 
resourceSetService.getById(rsid); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - m.addAttribute(JsonErrorView.ERROR, "not_found"); - return JsonErrorView.VIEWNAME; - } - - if (!auth.getName().equals(rs.getOwner())) { - - logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName()); - - // it wasn't issued to this user - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return JsonErrorView.VIEWNAME; - } - - - for (Policy policy : rs.getPolicies()) { - if (policy.getId().equals(pid)) { - // found it! - rs.getPolicies().remove(policy); - resourceSetService.update(rs, rs); - - m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT); - return HttpCodeView.VIEWNAME; - } - } - - // if we made it this far, we haven't found it - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - return HttpCodeView.VIEWNAME; - - } - -} diff --git a/uma-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java b/uma-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java deleted file mode 100644 index ce10568fb..000000000 --- a/uma-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java +++ /dev/null 
@@ -1,317 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-package org.mitre.uma.web;
-
-
-import static org.mitre.oauth2.web.AuthenticationUtilities.ensureOAuthScope;
-import static org.mitre.util.JsonUtils.getAsLong;
-import static org.mitre.util.JsonUtils.getAsString;
-import static org.mitre.util.JsonUtils.getAsStringSet;
-
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.mitre.oauth2.model.SystemScope;
-import org.mitre.oauth2.service.SystemScopeService;
-import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
-import org.mitre.openid.connect.view.HttpCodeView;
-import org.mitre.openid.connect.view.JsonEntityView;
-import org.mitre.openid.connect.view.JsonErrorView;
-import org.mitre.uma.model.ResourceSet;
-import org.mitre.uma.service.ResourceSetService;
-import org.mitre.uma.view.ResourceSetEntityAbbreviatedView;
-import org.mitre.uma.view.ResourceSetEntityView;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.HttpStatus;
-import org.springframework.security.access.prepost.PreAuthorize;
-import 
org.springframework.security.core.Authentication; -import org.springframework.security.oauth2.provider.OAuth2Authentication; -import org.springframework.stereotype.Controller; -import org.springframework.ui.Model; -import org.springframework.util.MimeTypeUtils; -import org.springframework.web.bind.annotation.PathVariable; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; - -import com.google.common.base.Strings; -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.gson.JsonParseException; -import com.google.gson.JsonParser; - -@Controller -@RequestMapping("/" + ResourceSetRegistrationEndpoint.URL) -@PreAuthorize("hasRole('ROLE_USER')") -public class ResourceSetRegistrationEndpoint { - - private static final Logger logger = LoggerFactory.getLogger(ResourceSetRegistrationEndpoint.class); - - public static final String DISCOVERY_URL = "resource_set"; - public static final String URL = DISCOVERY_URL + "/resource_set"; - - @Autowired - private ResourceSetService resourceSetService; - - @Autowired - private ConfigurationPropertiesBean config; - - @Autowired - private SystemScopeService scopeService; - - private JsonParser parser = new JsonParser(); - - @RequestMapping(method = RequestMethod.POST, produces = MimeTypeUtils.APPLICATION_JSON_VALUE, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String createResourceSet(@RequestBody String jsonString, Model m, Authentication auth) { - ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE); - - ResourceSet rs = parseResourceSet(jsonString); - - if (rs == null) { // there was no resource set in the body - logger.warn("Resource set registration missing body."); - - m.addAttribute("code", HttpStatus.BAD_REQUEST); - m.addAttribute("error_description", "Resource request was missing body."); - return JsonErrorView.VIEWNAME; - } - - if 
(auth instanceof OAuth2Authentication) { - // if it's an OAuth mediated call, it's on behalf of a client, so store that - OAuth2Authentication o2a = (OAuth2Authentication) auth; - rs.setClientId(o2a.getOAuth2Request().getClientId()); - rs.setOwner(auth.getName()); // the username is going to be in the auth object - } else { - // this one shouldn't be called if it's not OAuth - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - m.addAttribute(JsonErrorView.ERROR_MESSAGE, "This call must be made with an OAuth token"); - return JsonErrorView.VIEWNAME; - } - - rs = validateScopes(rs); - - if (Strings.isNullOrEmpty(rs.getName()) // there was no name (required) - || rs.getScopes() == null // there were no scopes (required) - ) { - - logger.warn("Resource set registration missing one or more required fields."); - - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Resource request was missing one or more required fields."); - return JsonErrorView.VIEWNAME; - } - - ResourceSet saved = resourceSetService.saveNew(rs); - - m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); - m.addAttribute(JsonEntityView.ENTITY, saved); - m.addAttribute(ResourceSetEntityAbbreviatedView.LOCATION, config.getIssuer() + URL + "/" + saved.getId()); - - return ResourceSetEntityAbbreviatedView.VIEWNAME; - - } - - @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String readResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) { - ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE); - - ResourceSet rs = resourceSetService.getById(id); - - if (rs == null) { - m.addAttribute("code", HttpStatus.NOT_FOUND); - m.addAttribute("error", "not_found"); - return JsonErrorView.VIEWNAME; - } else { - - rs = validateScopes(rs); - - if (!auth.getName().equals(rs.getOwner())) { - - logger.warn("Unauthorized resource set request from wrong user; 
expected " + rs.getOwner() + " got " + auth.getName()); - - // it wasn't issued to this user - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return JsonErrorView.VIEWNAME; - } else { - m.addAttribute(JsonEntityView.ENTITY, rs); - return ResourceSetEntityView.VIEWNAME; - } - - } - - } - - @RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String updateResourceSet(@PathVariable ("id") Long id, @RequestBody String jsonString, Model m, Authentication auth) { - ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE); - - ResourceSet newRs = parseResourceSet(jsonString); - - if (newRs == null // there was no resource set in the body - || Strings.isNullOrEmpty(newRs.getName()) // there was no name (required) - || newRs.getScopes() == null // there were no scopes (required) - || newRs.getId() == null || !newRs.getId().equals(id) // the IDs didn't match - ) { - - logger.warn("Resource set registration missing one or more required fields."); - - m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); - m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Resource request was missing one or more required fields."); - return JsonErrorView.VIEWNAME; - } - - ResourceSet rs = resourceSetService.getById(id); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - m.addAttribute(JsonErrorView.ERROR, "not_found"); - return JsonErrorView.VIEWNAME; - } else { - if (!auth.getName().equals(rs.getOwner())) { - - logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName()); - - // it wasn't issued to this user - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return JsonErrorView.VIEWNAME; - } else { - - ResourceSet saved = resourceSetService.update(rs, newRs); - - m.addAttribute(JsonEntityView.ENTITY, saved); - 
m.addAttribute(ResourceSetEntityAbbreviatedView.LOCATION, config.getIssuer() + URL + "/" + rs.getId()); - return ResourceSetEntityAbbreviatedView.VIEWNAME; - } - - } - } - - @RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String deleteResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) { - ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE); - - ResourceSet rs = resourceSetService.getById(id); - - if (rs == null) { - m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); - m.addAttribute(JsonErrorView.ERROR, "not_found"); - return JsonErrorView.VIEWNAME; - } else { - if (!auth.getName().equals(rs.getOwner())) { - - logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName()); - - // it wasn't issued to this user - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return JsonErrorView.VIEWNAME; - } else if (auth instanceof OAuth2Authentication && - !((OAuth2Authentication)auth).getOAuth2Request().getClientId().equals(rs.getClientId())){ - - logger.warn("Unauthorized resource set request from bad client; expected " + rs.getClientId() + " got " + ((OAuth2Authentication)auth).getOAuth2Request().getClientId()); - - // it wasn't issued to this client - m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); - return JsonErrorView.VIEWNAME; - } else { - - // user and client matched - resourceSetService.remove(rs); - - m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT); - return HttpCodeView.VIEWNAME; - } - - } - } - - @RequestMapping(method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) - public String listResourceSets(Model m, Authentication auth) { - ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE); - - String owner = auth.getName(); - - Collection resourceSets = Collections.emptySet(); - if (auth instanceof OAuth2Authentication) { - // if it's an OAuth 
mediated call, it's on behalf of a client, so look that up too - OAuth2Authentication o2a = (OAuth2Authentication) auth; - resourceSets = resourceSetService.getAllForOwnerAndClient(owner, o2a.getOAuth2Request().getClientId()); - } else { - // otherwise get everything for the current user - resourceSets = resourceSetService.getAllForOwner(owner); - } - - // build the entity here and send to the display - - Set ids = new HashSet<>(); - for (ResourceSet resourceSet : resourceSets) { - ids.add(resourceSet.getId().toString()); // add them all as strings so that gson renders them properly - } - - m.addAttribute(JsonEntityView.ENTITY, ids); - return JsonEntityView.VIEWNAME; - } - - private ResourceSet parseResourceSet(String jsonString) { - - try { - JsonElement el = parser.parse(jsonString); - - if (el.isJsonObject()) { - JsonObject o = el.getAsJsonObject(); - - ResourceSet rs = new ResourceSet(); - rs.setId(getAsLong(o, "_id")); - rs.setName(getAsString(o, "name")); - rs.setIconUri(getAsString(o, "icon_uri")); - rs.setType(getAsString(o, "type")); - rs.setScopes(getAsStringSet(o, "scopes")); - rs.setUri(getAsString(o, "uri")); - - return rs; - - } - - return null; - - } catch (JsonParseException e) { - return null; - } - - } - - - /** - * - * Make sure the resource set doesn't have any restricted or reserved scopes. - * - * @param rs - */ - private ResourceSet validateScopes(ResourceSet rs) { - // scopes that the client is asking for - Set requestedScopes = scopeService.fromStrings(rs.getScopes()); - - // the scopes that the resource set can have must be a subset of the dynamically allowed scopes - Set allowedScopes = scopeService.removeRestrictedAndReservedScopes(requestedScopes); - - rs.setScopes(scopeService.toStrings(allowedScopes)); - - return rs; - } - -} diff --git a/uma-server/src/main/java/org/mitre/uma/web/UmaDiscoveryEndpoint.java b/uma-server/src/main/java/org/mitre/uma/web/UmaDiscoveryEndpoint.java deleted file mode 100644 index 6dc8717ad..000000000 
--- a/uma-server/src/main/java/org/mitre/uma/web/UmaDiscoveryEndpoint.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.web;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.mitre.oauth2.web.IntrospectionEndpoint;
-import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
-import org.mitre.openid.connect.view.JsonEntityView;
-import org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Controller;
-import org.springframework.ui.Model;
-import org.springframework.web.bind.annotation.RequestMapping;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-
-/**
- * @author jricher
- *
- */
-@Controller
-public class UmaDiscoveryEndpoint {
-
- @Autowired
- private ConfigurationPropertiesBean config;
-
- @RequestMapping(".well-known/uma-configuration")
- public String umaConfiguration(Model model) {
-
- Map m = new HashMap<>();
-
- String issuer = config.getIssuer();
- ImmutableSet tokenProfiles = ImmutableSet.of("bearer");
- ArrayList grantTypes = Lists.newArrayList("authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "client_credentials", 
"urn:ietf:params:oauth:grant_type:redelegate");
-
- m.put("version", "1.0");
- m.put("issuer", issuer);
- m.put("pat_profiles_supported", tokenProfiles);
- m.put("aat_profiles_supported", tokenProfiles);
- m.put("rpt_profiles_supported", tokenProfiles);
- m.put("pat_grant_types_supported", grantTypes);
- m.put("aat_grant_types_supported", grantTypes);
- m.put("claim_token_profiles_supported", ImmutableSet.of());
- m.put("uma_profiles_supported", ImmutableSet.of());
- m.put("dynamic_client_endpoint", issuer + DynamicClientRegistrationEndpoint.URL);
- m.put("token_endpoint", issuer + "token");
- m.put("authorization_endpoint", issuer + "authorize");
- m.put("requesting_party_claims_endpoint", issuer + ClaimsCollectionEndpoint.URL);
- m.put("introspection_endpoint", issuer + IntrospectionEndpoint.URL);
- m.put("resource_set_registration_endpoint", issuer + ResourceSetRegistrationEndpoint.DISCOVERY_URL);
- m.put("permission_registration_endpoint", issuer + PermissionRegistrationEndpoint.URL);
- m.put("rpt_endpoint", issuer + AuthorizationRequestEndpoint.URL);
-
-
-
- model.addAttribute("entity", m);
- return JsonEntityView.VIEWNAME;
- }
-
-
-}
diff --git a/uma-server/src/main/java/org/mitre/uma/web/UserClaimSearchHelper.java b/uma-server/src/main/java/org/mitre/uma/web/UserClaimSearchHelper.java
deleted file mode 100644
index 377326470..000000000
--- a/uma-server/src/main/java/org/mitre/uma/web/UserClaimSearchHelper.java
+++ /dev/null
@@ -1,117 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.uma.web;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.mitre.openid.connect.client.model.IssuerServiceResponse;
-import org.mitre.openid.connect.client.service.impl.WebfingerIssuerService;
-import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
-import org.mitre.openid.connect.model.UserInfo;
-import org.mitre.openid.connect.service.UserInfoService;
-import org.mitre.openid.connect.view.HttpCodeView;
-import org.mitre.openid.connect.view.JsonEntityView;
-import org.mitre.openid.connect.view.JsonErrorView;
-import org.mitre.openid.connect.web.RootController;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.HttpStatus;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.core.Authentication;
-import org.springframework.stereotype.Controller;
-import org.springframework.ui.Model;
-import org.springframework.util.MimeTypeUtils;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import 
org.springframework.web.bind.annotation.RequestParam;
-
-import com.google.common.collect.ImmutableSet;
-
-
-/**
- * @author jricher
- *
- */
-@Controller
-@RequestMapping("/" + UserClaimSearchHelper.URL)
-@PreAuthorize("hasRole('ROLE_USER')")
-public class UserClaimSearchHelper {
-
- public static final String URL = RootController.API_URL + "/emailsearch";
-
- private WebfingerIssuerService webfingerIssuerService = new WebfingerIssuerService();
-
- @Autowired
- private UserInfoService userInfoService;
-
- @Autowired
- private ConfigurationPropertiesBean config;
-
-
- @RequestMapping(method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
- public String search(@RequestParam(value = "identifier") String email, Model m, Authentication auth, HttpServletRequest req) {
-
- // check locally first
- UserInfo localUser = userInfoService.getByEmailAddress(email);
-
- if (localUser != null) {
- Map e = new HashMap<>();
- e.put("issuer", ImmutableSet.of(config.getIssuer()));
- e.put("name", "email");
- e.put("value", localUser.getEmail());
-
- Map ev = new HashMap<>();
- ev.put("issuer", ImmutableSet.of(config.getIssuer()));
- ev.put("name", "email_verified");
- ev.put("value", localUser.getEmailVerified());
-
- Map s = new HashMap<>();
- s.put("issuer", ImmutableSet.of(config.getIssuer()));
- s.put("name", "sub");
- s.put("value", localUser.getSub());
-
- m.addAttribute(JsonEntityView.ENTITY, ImmutableSet.of(e, ev, s));
- return JsonEntityView.VIEWNAME;
- } else {
-
- // otherwise do a webfinger lookup
- IssuerServiceResponse resp = webfingerIssuerService.getIssuer(req);
-
- if (resp != null && resp.getIssuer() != null) {
- // we found an issuer, return that
- Map e = new HashMap<>();
- e.put("issuer", ImmutableSet.of(resp.getIssuer()));
- e.put("name", "email");
- e.put("value", email);
-
- Map ev = new HashMap<>();
- ev.put("issuer", ImmutableSet.of(resp.getIssuer()));
- ev.put("name", "email_verified");
- ev.put("value", true);
-
- 
m.addAttribute(JsonEntityView.ENTITY, ImmutableSet.of(e, ev));
- return JsonEntityView.VIEWNAME;
- } else {
- m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
- return JsonErrorView.VIEWNAME;
- }
- }
- }
-
-}
diff --git a/uma-server/src/test/java/org/mitre/uma/service/impl/TestDefaultPermissionService.java b/uma-server/src/test/java/org/mitre/uma/service/impl/TestDefaultPermissionService.java
deleted file mode 100644
index 0a2063cb3..000000000
--- a/uma-server/src/test/java/org/mitre/uma/service/impl/TestDefaultPermissionService.java
+++ /dev/null
@@ -1,173 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ - -package org.mitre.uma.service.impl; - -import static org.mockito.Matchers.anySetOf; - -import java.util.Set; -import java.util.UUID; - -import org.junit.Before; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.mitre.oauth2.service.SystemScopeService; -import org.mitre.uma.model.PermissionTicket; -import org.mitre.uma.model.ResourceSet; -import org.mitre.uma.repository.PermissionRepository; -import org.mockito.AdditionalAnswers; -import org.mockito.InjectMocks; -import org.mockito.Matchers; -import org.mockito.Mock; -import org.mockito.invocation.InvocationOnMock; -import org.mockito.runners.MockitoJUnitRunner; -import org.mockito.stubbing.Answer; -import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException; - -import com.google.common.collect.ImmutableSet; - -import static org.hamcrest.CoreMatchers.equalTo; -import static org.hamcrest.CoreMatchers.not; - -import static org.mockito.Mockito.when; - -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertThat; - -/** - * @author jricher - * - */ -@RunWith(MockitoJUnitRunner.class) -public class TestDefaultPermissionService { - - @Mock - private 
PermissionRepository permissionRepository; - - @Mock - private SystemScopeService scopeService; - - @InjectMocks - private DefaultPermissionService permissionService; - - private Set scopes1 = ImmutableSet.of("foo", "bar", "baz"); - private Set scopes2 = ImmutableSet.of("alpha", "beta", "betest"); - - private ResourceSet rs1; - private ResourceSet rs2; - - private String rs1Name = "resource set 1"; - private String rs1Owner = "resource set owner 1"; - private Long rs1Id = 1L; - - private String rs2Name = "resource set 2"; - private String rs2Owner = "resource set owner 2"; - private Long rs2Id = 2L; - - - @Before - public void prepare() { - rs1 = new ResourceSet(); - rs1.setName(rs1Name); - rs1.setOwner(rs1Owner); - rs1.setId(rs1Id ); - rs1.setScopes(scopes1); - - rs2 = new ResourceSet(); - rs2.setName(rs2Name); - rs2.setOwner(rs2Owner); - rs2.setId(rs2Id); - rs2.setScopes(scopes2); - - // have the repository just pass the argument through - when(permissionRepository.save(Matchers.any(PermissionTicket.class))).then(AdditionalAnswers.returnsFirstArg()); - - when(scopeService.scopesMatch(anySetOf(String.class), anySetOf(String.class))).then(new Answer() { - - @Override - public Boolean answer(InvocationOnMock invocation) throws Throwable { - Object[] arguments = invocation.getArguments(); - @SuppressWarnings("unchecked") - Set expected = (Set) arguments[0]; - @SuppressWarnings("unchecked") - Set actual = (Set) arguments[1]; - - return expected.containsAll(actual); - } - }); - - } - - - /** - * Test method for {@link org.mitre.uma.service.impl.DefaultPermissionService#createTicket(org.mitre.uma.model.ResourceSet, java.util.Set)}. 
- */ - @Test - public void testCreate_ticket() { - - PermissionTicket perm = permissionService.createTicket(rs1, scopes1); - - // we want there to be a non-null ticket - assertNotNull(perm.getTicket()); - } - - @Test - public void testCreate_uuid() { - PermissionTicket perm = permissionService.createTicket(rs1, scopes1); - - // we expect this to be a UUID - UUID uuid = UUID.fromString(perm.getTicket()); - - assertNotNull(uuid); - - } - - @Test - public void testCreate_differentTicketsSameClient() { - - PermissionTicket perm1 = permissionService.createTicket(rs1, scopes1); - PermissionTicket perm2 = permissionService.createTicket(rs1, scopes1); - - assertNotNull(perm1.getTicket()); - assertNotNull(perm2.getTicket()); - - // make sure these are different from each other - assertThat(perm1.getTicket(), not(equalTo(perm2.getTicket()))); - - } - - @Test - public void testCreate_differentTicketsDifferentClient() { - - PermissionTicket perm1 = permissionService.createTicket(rs1, scopes1); - PermissionTicket perm2 = permissionService.createTicket(rs2, scopes2); - - assertNotNull(perm1.getTicket()); - assertNotNull(perm2.getTicket()); - - // make sure these are different from each other - assertThat(perm1.getTicket(), not(equalTo(perm2.getTicket()))); - - } - - @Test(expected = InsufficientScopeException.class) - public void testCreate_scopeMismatch() { - @SuppressWarnings("unused") - // try to get scopes outside of what we're allowed to do, this should throw an exception - PermissionTicket perm = permissionService.createTicket(rs1, scopes2); - } - -} diff --git a/uma-server/src/test/java/org/mitre/uma/service/impl/TestDefaultResourceSetService.java b/uma-server/src/test/java/org/mitre/uma/service/impl/TestDefaultResourceSetService.java deleted file mode 100644 index 52ca091be..000000000 --- a/uma-server/src/test/java/org/mitre/uma/service/impl/TestDefaultResourceSetService.java +++ /dev/null 
@@ -1,101 +0,0 @@ -/******************************************************************************* - * Copyright 2018 The MIT Internet Trust Consortium - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *******************************************************************************/ - -package org.mitre.uma.service.impl; - -import static org.mockito.Matchers.any; - -import org.junit.Before; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.mitre.uma.model.ResourceSet; -import org.mitre.uma.repository.ResourceSetRepository; -import org.mockito.AdditionalAnswers; -import org.mockito.InjectMocks; -import org.mockito.Mock; -import org.mockito.runners.MockitoJUnitRunner; - -import static org.mockito.Mockito.when; - -/** - * @author jricher - * - */ -@RunWith(MockitoJUnitRunner.class) -public class TestDefaultResourceSetService { - - @Mock - private ResourceSetRepository repository; - - @InjectMocks - private DefaultResourceSetService resourceSetService; - - /** - * @throws java.lang.Exception - */ - @Before - public void setUp() throws Exception { - - when(repository.save(any(ResourceSet.class))).then(AdditionalAnswers.returnsFirstArg()); - - } - - /** - * Test method for {@link org.mitre.uma.service.impl.DefaultResourceSetService#saveNew(org.mitre.uma.model.ResourceSet)}. 
- */ - @Test(expected = IllegalArgumentException.class) - public void testSaveNew_hasId() { - - ResourceSet rs = new ResourceSet(); - rs.setId(1L); - - resourceSetService.saveNew(rs); - - } - - @Test(expected = IllegalArgumentException.class) - public void testUpdate_nullId() { - ResourceSet rs = new ResourceSet(); - rs.setId(1L); - - ResourceSet rs2 = new ResourceSet(); - - resourceSetService.update(rs, rs2); - } - - @Test(expected = IllegalArgumentException.class) - public void testUpdate_nullId2() { - ResourceSet rs = new ResourceSet(); - - ResourceSet rs2 = new ResourceSet(); - rs2.setId(1L); - - resourceSetService.update(rs, rs2); - } - - @Test(expected = IllegalArgumentException.class) - public void testUpdate_mismatchedIds() { - ResourceSet rs = new ResourceSet(); - rs.setId(1L); - - ResourceSet rs2 = new ResourceSet(); - rs2.setId(2L); - - resourceSetService.update(rs, rs2); - - } - -}