use of org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy in project cas by apereo.
the class OidcServiceRegistryListener method reconcile.
/**
* Reconcile registered service.
*
* @param oidcService the oidc service
* @return the registered service
*/
protected RegisteredService reconcile(final OidcRegisteredService oidcService) {
LOGGER.trace("Reconciling OpenId Connect scopes and claims for [{}]", oidcService.getServiceId());
val definedServiceScopes = oidcService.getScopes();
if (definedServiceScopes.isEmpty()) {
LOGGER.trace("Registered service [{}] does not define any scopes to control attribute release policies. " + "CAS will allow the existing attribute release policies assigned to the service to operate without a scope.", oidcService.getServiceId());
return oidcService;
}
val userScopes = attributeReleasePolicyFactory.getUserDefinedScopes();
val policyChain = new ChainingAttributeReleasePolicy();
definedServiceScopes.forEach(givenScope -> {
LOGGER.trace("Reviewing scope [{}] for [{}]", givenScope, oidcService.getServiceId());
val userDefinedScope = Arrays.stream(OidcConstants.StandardScopes.values()).noneMatch(scope -> scope.getScope().trim().equalsIgnoreCase(givenScope.trim()));
if (userDefinedScope) {
LOGGER.debug("[{}] appears to be a user-defined scope and does not match any of the predefined standard scopes. " + "Checking [{}] against user-defined scopes provided as [{}]", givenScope, givenScope, userScopes);
userScopes.stream().filter(t -> t.getScopeName().equals(givenScope.trim())).findFirst().ifPresent(userPolicy -> addAttributeReleasePolicy(policyChain, userPolicy, givenScope, oidcService));
} else {
val scope = OidcConstants.StandardScopes.valueOf(givenScope.trim().toUpperCase());
switch(scope) {
case EMAIL:
addAttributeReleasePolicy(policyChain, attributeReleasePolicyFactory.get(scope), givenScope, oidcService);
break;
case ADDRESS:
addAttributeReleasePolicy(policyChain, attributeReleasePolicyFactory.get(scope), givenScope, oidcService);
break;
case PROFILE:
addAttributeReleasePolicy(policyChain, attributeReleasePolicyFactory.get(scope), givenScope, oidcService);
break;
case PHONE:
addAttributeReleasePolicy(policyChain, attributeReleasePolicyFactory.get(scope), givenScope, oidcService);
break;
case OFFLINE_ACCESS:
LOGGER.debug("Given scope [{}], service [{}] is marked to generate refresh tokens", givenScope, oidcService.getId());
oidcService.setGenerateRefreshToken(true);
break;
default:
LOGGER.debug("Scope [{}] is unsupported for service [{}]", givenScope, oidcService.getId());
break;
}
}
});
val scopeFree = definedServiceScopes.isEmpty() || (definedServiceScopes.size() == 1 && definedServiceScopes.contains(OidcConstants.StandardScopes.OPENID.getScope()));
if (scopeFree) {
LOGGER.trace("Service definition [{}] will use the assigned attribute release policy without scopes", oidcService.getName());
if (oidcService.getAttributeReleasePolicy() instanceof ChainingAttributeReleasePolicy) {
val chain = (ChainingAttributeReleasePolicy) oidcService.getAttributeReleasePolicy();
policyChain.addPolicies(chain.getPolicies().toArray(new RegisteredServiceAttributeReleasePolicy[0]));
} else {
policyChain.addPolicy(oidcService.getAttributeReleasePolicy());
}
}
if (policyChain.getPolicies().isEmpty()) {
LOGGER.debug("No attribute release policy could be determined based on given scopes. " + "No claims/attributes will be released to [{}]", oidcService.getServiceId());
oidcService.setAttributeReleasePolicy(new DenyAllAttributeReleasePolicy());
} else {
if (policyChain.size() == 1) {
oidcService.setAttributeReleasePolicy(policyChain.getPolicies().get(0));
} else {
oidcService.setAttributeReleasePolicy(policyChain);
}
}
LOGGER.trace("Scope/claim reconciliation for service [{}] resulted in the following attribute release policy [{}]", oidcService.getServiceId(), oidcService.getAttributeReleasePolicy());
return oidcService;
}
use of org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy in project cas by apereo.
the class DefaultRegisteredServiceFactory method createRegisteredService.
@Override
public RegisteredService createRegisteredService(final ServiceData data) {
final RegisteredService svc = this.registeredServiceMapper.toRegisteredService(data);
if (svc instanceof AbstractRegisteredService) {
final AbstractRegisteredService absSvc = (AbstractRegisteredService) svc;
final RegisteredServiceAccessStrategy accessStrategy = this.accessStrategyMapper.toAccessStrategy(data);
if (accessStrategy != null) {
absSvc.setAccessStrategy(accessStrategy);
}
final RegisteredServiceUsernameAttributeProvider usernameAttributeProvider = this.usernameAttributeProviderMapper.toUsernameAttributeProvider(data);
if (usernameAttributeProvider != null) {
absSvc.setUsernameAttributeProvider(usernameAttributeProvider);
}
final RegisteredServiceProxyPolicy proxyPolicy = this.proxyPolicyMapper.toProxyPolicy(data);
if (proxyPolicy != null) {
absSvc.setProxyPolicy(proxyPolicy);
}
final RegisteredServiceAttributeReleasePolicy attrPolicy = this.attributeReleasePolicyMapper.toAttributeReleasePolicy(data);
if (attrPolicy != null) {
absSvc.setAttributeReleasePolicy(attrPolicy);
}
final RegisteredServiceMultifactorPolicy mfaPolicy = this.multifactorAuthenticationMapper.toMultifactorPolicy(data);
if (mfaPolicy != null) {
absSvc.setMultifactorPolicy(mfaPolicy);
}
}
return svc;
}
use of org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy in project cas by apereo.
the class AbstractCasView method decideIfCredentialPasswordShouldBeReleasedAsAttribute.
/**
* Decide if credential password should be released as attribute.
* The credential must have been cached as an authentication attribute
* and the attribute release policy must be allowed to release the
* attribute.
*
* @param attributes the attributes
* @param model the model
* @param service the service
*/
protected void decideIfCredentialPasswordShouldBeReleasedAsAttribute(final Map<String, Object> attributes, final Map<String, Object> model, final RegisteredService service) {
final RegisteredServiceAttributeReleasePolicy policy = service.getAttributeReleasePolicy();
final boolean isAuthorized = policy != null && policy.isAuthorizedToReleaseCredentialPassword();
decideAttributeReleaseBasedOnServiceAttributePolicy(attributes, getAuthenticationAttribute(model, CasViewConstants.MODEL_ATTRIBUTE_NAME_PRINCIPAL_CREDENTIAL), CasViewConstants.MODEL_ATTRIBUTE_NAME_PRINCIPAL_CREDENTIAL, service, isAuthorized);
}
use of org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy in project cas by apereo.
the class AbstractCasView method decideIfProxyGrantingTicketShouldBeReleasedAsAttribute.
/**
* Decide if PGT should be released as attribute.
* The PGT must have been cached as an authentication attribute
* and the attribute release policy must be allowed to release the
* attribute.
*
* @param attributes the attributes
* @param model the model
* @param service the service
*/
protected void decideIfProxyGrantingTicketShouldBeReleasedAsAttribute(final Map<String, Object> attributes, final Map<String, Object> model, final RegisteredService service) {
final RegisteredServiceAttributeReleasePolicy policy = service.getAttributeReleasePolicy();
final boolean isAuthorized = policy != null && policy.isAuthorizedToReleaseProxyGrantingTicket();
decideAttributeReleaseBasedOnServiceAttributePolicy(attributes, getProxyGrantingTicketId(model), CasViewConstants.MODEL_ATTRIBUTE_NAME_PROXY_GRANTING_TICKET, service, isAuthorized);
}
Aggregations