Examples with RegisteredServiceAttributeReleasePolicy org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy used on opensource projects

Example 1 with RegisteredServiceAttributeReleasePolicy

use of org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy in project cas by apereo.

the class OidcServiceRegistryListener method reconcile.

/**
 * Reconcile registered service.
 *
 * @param oidcService the oidc service
 * @return the registered service
 */
protected RegisteredService reconcile(final OidcRegisteredService oidcService) {
    LOGGER.trace("Reconciling OpenId Connect scopes and claims for [{}]", oidcService.getServiceId());
    val definedServiceScopes = oidcService.getScopes();
    if (definedServiceScopes.isEmpty()) {
        LOGGER.trace("Registered service [{}] does not define any scopes to control attribute release policies. " + "CAS will allow the existing attribute release policies assigned to the service to operate without a scope.", oidcService.getServiceId());
        return oidcService;
    }
    val userScopes = attributeReleasePolicyFactory.getUserDefinedScopes();
    val policyChain = new ChainingAttributeReleasePolicy();
    definedServiceScopes.forEach(givenScope -> {
        LOGGER.trace("Reviewing scope [{}] for [{}]", givenScope, oidcService.getServiceId());
        val userDefinedScope = Arrays.stream(OidcConstants.StandardScopes.values()).noneMatch(scope -> scope.getScope().trim().equalsIgnoreCase(givenScope.trim()));
        if (userDefinedScope) {
            LOGGER.debug("[{}] appears to be a user-defined scope and does not match any of the predefined standard scopes. " + "Checking [{}] against user-defined scopes provided as [{}]", givenScope, givenScope, userScopes);
            userScopes.stream().filter(t -> t.getScopeName().equals(givenScope.trim())).findFirst().ifPresent(userPolicy -> addAttributeReleasePolicy(policyChain, userPolicy, givenScope, oidcService));
        } else {
            val scope = OidcConstants.StandardScopes.valueOf(givenScope.trim().toUpperCase());
            switch(scope) {
                case EMAIL:
                    addAttributeReleasePolicy(policyChain, attributeReleasePolicyFactory.get(scope), givenScope, oidcService);
                    break;
                case ADDRESS:
                    addAttributeReleasePolicy(policyChain, attributeReleasePolicyFactory.get(scope), givenScope, oidcService);
                    break;
                case PROFILE:
                    addAttributeReleasePolicy(policyChain, attributeReleasePolicyFactory.get(scope), givenScope, oidcService);
                    break;
                case PHONE:
                    addAttributeReleasePolicy(policyChain, attributeReleasePolicyFactory.get(scope), givenScope, oidcService);
                    break;
                case OFFLINE_ACCESS:
                    LOGGER.debug("Given scope [{}], service [{}] is marked to generate refresh tokens", givenScope, oidcService.getId());
                    oidcService.setGenerateRefreshToken(true);
                    break;
                default:
                    LOGGER.debug("Scope [{}] is unsupported for service [{}]", givenScope, oidcService.getId());
                    break;
            }
        }
    });
    val scopeFree = definedServiceScopes.isEmpty() || (definedServiceScopes.size() == 1 && definedServiceScopes.contains(OidcConstants.StandardScopes.OPENID.getScope()));
    if (scopeFree) {
        LOGGER.trace("Service definition [{}] will use the assigned attribute release policy without scopes", oidcService.getName());
        if (oidcService.getAttributeReleasePolicy() instanceof ChainingAttributeReleasePolicy) {
            val chain = (ChainingAttributeReleasePolicy) oidcService.getAttributeReleasePolicy();
            policyChain.addPolicies(chain.getPolicies().toArray(new RegisteredServiceAttributeReleasePolicy[0]));
        } else {
            policyChain.addPolicy(oidcService.getAttributeReleasePolicy());
        }
    }
    if (policyChain.getPolicies().isEmpty()) {
        LOGGER.debug("No attribute release policy could be determined based on given scopes. " + "No claims/attributes will be released to [{}]", oidcService.getServiceId());
        oidcService.setAttributeReleasePolicy(new DenyAllAttributeReleasePolicy());
    } else {
        if (policyChain.size() == 1) {
            oidcService.setAttributeReleasePolicy(policyChain.getPolicies().get(0));
        } else {
            oidcService.setAttributeReleasePolicy(policyChain);
        }
    }
    LOGGER.trace("Scope/claim reconciliation for service [{}] resulted in the following attribute release policy [{}]", oidcService.getServiceId(), oidcService.getAttributeReleasePolicy());
    return oidcService;
}

Example 2 with RegisteredServiceAttributeReleasePolicy

use of org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy in project cas by apereo.

the class DefaultRegisteredServiceFactory method createRegisteredService.

@Override
public RegisteredService createRegisteredService(final ServiceData data) {
    final RegisteredService svc = this.registeredServiceMapper.toRegisteredService(data);
    if (svc instanceof AbstractRegisteredService) {
        final AbstractRegisteredService absSvc = (AbstractRegisteredService) svc;
        final RegisteredServiceAccessStrategy accessStrategy = this.accessStrategyMapper.toAccessStrategy(data);
        if (accessStrategy != null) {
            absSvc.setAccessStrategy(accessStrategy);
        }
        final RegisteredServiceUsernameAttributeProvider usernameAttributeProvider = this.usernameAttributeProviderMapper.toUsernameAttributeProvider(data);
        if (usernameAttributeProvider != null) {
            absSvc.setUsernameAttributeProvider(usernameAttributeProvider);
        }
        final RegisteredServiceProxyPolicy proxyPolicy = this.proxyPolicyMapper.toProxyPolicy(data);
        if (proxyPolicy != null) {
            absSvc.setProxyPolicy(proxyPolicy);
        }
        final RegisteredServiceAttributeReleasePolicy attrPolicy = this.attributeReleasePolicyMapper.toAttributeReleasePolicy(data);
        if (attrPolicy != null) {
            absSvc.setAttributeReleasePolicy(attrPolicy);
        }
        final RegisteredServiceMultifactorPolicy mfaPolicy = this.multifactorAuthenticationMapper.toMultifactorPolicy(data);
        if (mfaPolicy != null) {
            absSvc.setMultifactorPolicy(mfaPolicy);
        }
    }
    return svc;
}

Example 3 with RegisteredServiceAttributeReleasePolicy

use of org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy in project cas by apereo.

the class AbstractCasView method decideIfCredentialPasswordShouldBeReleasedAsAttribute.

/**
 * Decide if credential password should be released as attribute.
 * The credential must have been cached as an authentication attribute
 * and the attribute release policy must be allowed to release the
 * attribute.
 *
 * @param attributes the attributes
 * @param model      the model
 * @param service    the service
 */
protected void decideIfCredentialPasswordShouldBeReleasedAsAttribute(final Map<String, Object> attributes, final Map<String, Object> model, final RegisteredService service) {
    final RegisteredServiceAttributeReleasePolicy policy = service.getAttributeReleasePolicy();
    final boolean isAuthorized = policy != null && policy.isAuthorizedToReleaseCredentialPassword();
    decideAttributeReleaseBasedOnServiceAttributePolicy(attributes, getAuthenticationAttribute(model, CasViewConstants.MODEL_ATTRIBUTE_NAME_PRINCIPAL_CREDENTIAL), CasViewConstants.MODEL_ATTRIBUTE_NAME_PRINCIPAL_CREDENTIAL, service, isAuthorized);
}

Example 4 with RegisteredServiceAttributeReleasePolicy

use of org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy in project cas by apereo.

the class AbstractCasView method decideIfProxyGrantingTicketShouldBeReleasedAsAttribute.

/**
 * Decide if PGT should be released as attribute.
 * The PGT must have been cached as an authentication attribute
 * and the attribute release policy must be allowed to release the
 * attribute.
 *
 * @param attributes the attributes
 * @param model      the model
 * @param service    the service
 */
protected void decideIfProxyGrantingTicketShouldBeReleasedAsAttribute(final Map<String, Object> attributes, final Map<String, Object> model, final RegisteredService service) {
    final RegisteredServiceAttributeReleasePolicy policy = service.getAttributeReleasePolicy();
    final boolean isAuthorized = policy != null && policy.isAuthorizedToReleaseProxyGrantingTicket();
    decideAttributeReleaseBasedOnServiceAttributePolicy(attributes, getProxyGrantingTicketId(model), CasViewConstants.MODEL_ATTRIBUTE_NAME_PROXY_GRANTING_TICKET, service, isAuthorized);
}