
Example 11 with OA2SE

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa: class OA2ATServlet, method verifyAndGet (token-endpoint checks for an authorization-code request).

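/**
 * Resolves the pending transaction for an authorization-code token request and
 * checks the request against it before any token is minted.
 * <p>
 * Checks performed here, in order: the {@code code} parameter is present and names a
 * stored transaction; the grant on that transaction is still valid; the
 * {@code redirect_uri} parameter is present, parses, and is identical to the callback
 * recorded at authorization time (RFC 6749 section 4.1.3). The response is then primed
 * with the supported-scope list (only when something unsupported was requested), the
 * scope handlers, the transaction and the default signing key.
 *
 * @param iResponse the issuer response, expected to be an {@link ATIResponse2}
 * @return the transaction the code refers to
 * @throws OA2ATException   with {@code invalid_request} when the code or redirect uri is
 *                          missing or malformed, no transaction matches the code, or the
 *                          redirect uri differs from the one used at authorization
 * @throws GeneralException when the authorization grant has already been invalidated
 * @throws IOException      declared by the interface; not raised directly here
 */
@Override
public ServiceTransaction verifyAndGet(IssuerResponse iResponse) throws IOException {
    ATIResponse2 atResponse = (ATIResponse2) iResponse;
    TransactionStore transactionStore = getTransactionStore();
    String rawCode = atResponse.getParameters().get(OA2Constants.AUTHORIZATION_CODE);
    if (rawCode == null || rawCode.isEmpty()) {
        // Nothing to look up; reject before the store (or BasicIdentifier) sees a null.
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "Missing authorization code");
    }
    BasicIdentifier basicIdentifier = new BasicIdentifier(rawCode);
    // The code is a one-time bearer secret, so it is deliberately kept out of the debug log.
    DebugUtil.dbg(this, "getting transaction for authorization code request");
    OA2ServiceTransaction transaction = (OA2ServiceTransaction) transactionStore.get(basicIdentifier);
    if (transaction == null) {
        // No pending transaction: this request does not correspond to an earlier
        // authorization and is rejected as early as possible.
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "No pending transaction found for id=" + basicIdentifier);
    }
    if (!transaction.isAuthGrantValid()) {
        // NOTE(review): RFC 6749 section 4.1.2 recommends revoking every token previously
        // issued on a replayed code; nothing here does that. The grant is also not marked
        // consumed in this method -- presumably the caller does so once the token is
        // issued. Confirm both.
        String msg = "Error: Attempt to use invalid authorization code.  Request rejected.";
        warn(msg);
        throw new GeneralException(msg);
    }
    String rawRedirect = atResponse.getParameters().get(OA2Constants.REDIRECT_URI);
    if (rawRedirect == null) {
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "Missing redirect uri");
    }
    URI uri;
    try {
        uri = URI.create(rawRedirect);
    } catch (IllegalArgumentException ignored) {
        // A syntactically broken redirect_uri can never equal the stored callback; report
        // it as a bad request instead of letting the parse failure surface as a server error.
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "Malformed redirect uri");
    }
    // Exact equality against the callback captured at authorization time: the token
    // request must present the same redirect_uri, not merely one the client registered.
    if (!transaction.getCallback().equals(uri)) {
        String msg = "Attempt to use alternate redirect uri rejected.";
        warn(msg);
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, msg);
    }
    // NOTE(review): nothing in this method ties the code to the client that authenticated
    // at the token endpoint (transaction.getClient() vs. the caller's client). RFC 6749
    // section 4.1.3 requires that comparison; confirm the caller performs it.
    /* Decide which scopes to report. The spec says nothing need be returned when the
       requested scopes equal what is supported; otherwise report the supported subset. */
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    ArrayList<String> targetScopes = new ArrayList<>();
    boolean returnScopes = false; // set when something unsupported was requested
    for (String s : transaction.getScopes()) {
        if (oa2SE.getScopes().contains(s)) {
            targetScopes.add(s);
        } else {
            returnScopes = true;
        }
    }
    if (returnScopes) {
        atResponse.setSupportedScopes(targetScopes);
    }
    atResponse.setScopeHandlers(setupScopeHandlers(transaction, oa2SE));
    atResponse.setServiceTransaction(transaction);
    atResponse.setJsonWebKey(oa2SE.getJsonWebKeys().getDefault());
    return transaction;
}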

Example 12 with OA2SE

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa: class OA2ATServlet, method populateClaims (issuer, subject and auth-time claims).

/**
 * Adds the issuer, subject and (when the transaction has one) authentication-time
 * claims to {@code p}.
 * <p>
 * The issuer is resolved in order: the first admin client of the transaction's client
 * that has an issuer configured; then the client's own issuer; then whatever
 * {@link OA2DiscoveryServlet#getIssuer} derives from the request.
 * <p>
 * NOTE(review): the admin-client order is whatever the permission store returns, so if
 * several admins configure different issuers the one chosen is store-order dependent.
 * NOTE(review): the last fallback derives {@code iss} from the incoming request; if that
 * derivation reads the Host header, the claim is attacker-influenced for clients with no
 * configured issuer -- confirm it is built from server configuration.
 *
 * @param request the token request, consulted only for the discovery fallback
 * @param p       the claim map to fill; modified in place and returned
 * @param st      the transaction the claims describe
 * @return {@code p}
 */
protected Map<String, String> populateClaims(HttpServletRequest request, Map<String, String> p, OA2ServiceTransaction st) {
    OA2SE env = (OA2SE) getServiceEnvironment();
    String issuer = issuerFromAdminClients(env, st);
    if (issuer == null) {
        // No admin client supplied one; fall back to the client's own setting.
        issuer = ((OA2Client) st.getClient()).getIssuer();
    }
    if (issuer == null) {
        // Last resort: the discovery servlet's server default / constructed issuer.
        issuer = OA2DiscoveryServlet.getIssuer(request);
    }
    p.put(OA2Claims.ISSUER, issuer);
    p.put(OA2Claims.SUBJECT, st.getUsername());
    if (st.hasAuthTime()) {
        // Auth time is stored as a Date (milliseconds); the claim is in seconds.
        p.put(OA2Constants.AUTHORIZATION_TIME, Long.toString(st.getAuthTime().getTime() / 1000));
    }
    return p;
}

/**
 * Issuer of the first admin client (in store order) of the transaction's client that
 * has one configured, or {@code null} when none does.
 */
private static String issuerFromAdminClients(OA2SE env, OA2ServiceTransaction st) {
    for (Identifier adminID : env.getPermissionStore().getAdmins(st.getClient().getIdentifier())) {
        AdminClient ac = env.getAdminClientStore().get(adminID);
        if (ac != null && ac.getIssuer() != null) {
            return ac.getIssuer();
        }
    }
    return null;
}

Example 13 with OA2SE

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa: class OA2ATServlet, method computeRefreshLifetime.

/**
 * Lifetime to assign to the refresh token of a transaction.
 * <p>
 * The value actually computed is the <em>larger</em> of the lifetime recorded on the
 * transaction and the lifetime configured on the client, capped by the server-wide
 * limit. Because {@link Math#max} is used, an unset (zero) value on either side simply
 * defers to the other; when both are set, the longer one wins.
 * <p>
 * NOTE(review): the previous description called this the "non-zero minimum" of the two.
 * The code takes the maximum, so a client configured with a long lifetime overrides a
 * shorter lifetime recorded on the transaction. Confirm that is the intended policy;
 * least privilege would argue for the minimum of the two set values. When both are
 * zero the result is zero -- what a zero lifetime means downstream is not visible here.
 *
 * @param st2 the transaction whose refresh token is being issued
 * @return the refresh token lifetime, never above the server-wide limit
 * @throws NFWException if the server-wide refresh token lifetime is not configured (&lt;= 0)
 */
protected long computeRefreshLifetime(OA2ServiceTransaction st2) {
    OA2Client client = (OA2Client) st2.getClient();
    long requested = Math.max(st2.getRefreshTokenLifetime(), client.getRtLifetime());
    OA2SE serverEnv = (OA2SE) getServiceEnvironment();
    long serverLimit = serverEnv.getRefreshTokenLifetime();
    if (serverLimit <= 0) {
        throw new NFWException("Internal error: the server-wide default for the refresh token lifetime has not been set.");
    }
    // Never hand out more than the server-wide ceiling, whatever was requested.
    return Math.min(requested, serverLimit);
}

Example 14 with OA2SE

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa: class OA2ATServlet, method doRefresh (refresh-token grant handling).

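/**
 * Handles a {@code grant_type=refresh_token} request: rotates the refresh token, mints a
 * new access token, persists the updated transaction and writes the response.
 * <p>
 * Order of checks: the client must be known; refresh must be enabled server-wide and for
 * the client; the transaction for the presented token must exist, still hold a valid
 * refresh token, and belong to the authenticated client.
 *
 * @param c        the client authenticated at the token endpoint
 * @param request  the token request carrying the {@code refresh_token} parameter
 * @param response the response the new tokens are written to
 * @return the transaction state after the refresh
 * @throws InvalidTokenException when no client was resolved for the request
 * @throws OA2ATException with {@code request_not_supported} when refresh is disabled, or
 *                        {@code invalid_request} when the token is unknown, already used,
 *                        or was not issued to this client
 * @throws IOException      from writing the response
 * @throws ServletException declared by the servlet contract
 */
protected TransactionState doRefresh(OA2Client c, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    RefreshToken oldRT = getTF2().getRefreshToken(request.getParameter(OA2Constants.REFRESH_TOKEN));
    if (c == null) {
        // The token is a bearer secret, so it is not echoed into the exception message
        // (which may end up in logs).
        throw new InvalidTokenException("Could not find the client associated with the presented refresh token");
    }
    OA2ServiceTransaction t = getByRT(oldRT);
    if ((!((OA2SE) getServiceEnvironment()).isRefreshTokenEnabled()) || (!c.isRTLifetimeEnabled())) {
        throw new OA2ATException(OA2Errors.REQUEST_NOT_SUPPORTED, "Refresh tokens are not supported on this server");
    }
    if (t == null || !t.isRefreshTokenValid()) {
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "Error: The refresh token is no longer valid.");
    }
    // RFC 6749 section 6: a refresh token may only be redeemed by the client it was issued
    // to. getByRT looks the transaction up by token alone, so the binding is checked here.
    // The same error text as the stale-token case is used so the response does not reveal
    // that a token exists for a different client.
    if (t.getClient() == null || !c.getIdentifier().equals(t.getClient().getIdentifier())) {
        warn("Attempt to use a refresh token issued to another client rejected.");
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "Error: The refresh token is no longer valid.");
    }
    // Mark the presented token consumed before anything else happens.
    // NOTE(review): this flag only lives in memory until save() near the end; a failure
    // between here and that save leaves the old token valid in the store. Persisting the
    // flag immediately would close that window at the cost of one extra write.
    t.setRefreshTokenValid(false);
    AccessToken at = t.getAccessToken();
    RTIRequest rtiRequest = new RTIRequest(request, c, at);
    RTI2 rtIssuer = new RTI2(getTF2(), getServiceEnvironment().getServiceAddress());
    RTIResponse rtiResponse = (RTIResponse) rtIssuer.process(rtiRequest);
    rtiResponse.setSignToken(c.isSignTokens());
    populateClaims(request, rtiResponse.getParameters(), t);
    RefreshToken rt = rtiResponse.getRefreshToken();
    rt.setExpiresIn(computeRefreshLifetime(t));
    t.setRefreshToken(rtiResponse.getRefreshToken());
    t.setRefreshTokenValid(true);
    t.setAccessToken(rtiResponse.getAccessToken());
    // The store is keyed by the grant, so writing the transaction back replaces the old
    // access token, which in practice invalidates it. The explicit remove first clears
    // any cached copy of the previous state.
    getTransactionStore().remove(t.getIdentifier());
    /* Decide which scopes to report. The spec says nothing need be returned when the
       requested scopes equal what is supported; otherwise report the supported subset. */
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    ArrayList<String> targetScopes = new ArrayList<>();
    boolean returnScopes = false; // set when something unsupported was requested
    for (String s : t.getScopes()) {
        if (oa2SE.getScopes().contains(s)) {
            targetScopes.add(s);
        } else {
            returnScopes = true;
        }
    }
    if (returnScopes) {
        rtiResponse.setSupportedScopes(targetScopes);
    }
    rtiResponse.setScopeHandlers(setupScopeHandlers(t, oa2SE));
    rtiResponse.setServiceTransaction(t);
    rtiResponse.setJsonWebKey(oa2SE.getJsonWebKeys().getDefault());
    // Persist before writing so a client never receives a token the store does not know.
    getTransactionStore().save(t);
    rtiResponse.write(response);
    return new IssuerTransactionState(request, response, rtiResponse.getParameters(), t, rtiResponse);
}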

Example 15 with OA2SE

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa: class OA2ServletInitializer, method init.

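/**
 * One-time initialisation for the OAuth2 servlets: verifies the permission and admin
 * client tables, installs the refresh-token retention policy when refresh tokens are
 * enabled, sets the default claim-source factory if none is set, and wires the SAT
 * client converters.
 * <p>
 * NOTE(review): {@code isInitRun} is read here but not set in this method; presumably
 * {@code super.init()} sets it -- confirm, otherwise the guard never trips.
 *
 * @throws ServletException when the store check fails; the cause is the SQLException
 */
@Override
public void init() throws ServletException {
    if (isInitRun) {
        return;
    }
    super.init();
    OA2SE oa2SE = (OA2SE) getEnvironment();
    MyProxyDelegationServlet mps = (MyProxyDelegationServlet) getServlet();
    try {
        mps.processStoreCheck(oa2SE.getPermissionStore());
        mps.processStoreCheck(oa2SE.getAdminClientStore());
    } catch (SQLException e) {
        if (DebugUtil.isEnabled()) {
            e.printStackTrace();
        }
        // Fail closed: a servlet whose tables could not be checked must not start.
        throw new ServletException("Could not update table", e);
    }
    if (oa2SE.isRefreshTokenEnabled()) {
        // A different set of retention policies is needed once refresh tokens are on:
        // the defaults are dropped in favour of the refresh-token aware policy.
        MyProxyDelegationServlet.transactionCleanup.getRetentionPolicies().clear();
        MyProxyDelegationServlet.transactionCleanup.addRetentionPolicy(new RefreshTokenRetentionPolicy((RefreshTokenStore) oa2SE.getTransactionStore()));
        oa2SE.getMyLogger().info("Initialized refresh token cleanup thread");
    }
    if (!ClaimSourceFactory.isFactorySet()) {
        ClaimSourceFactory.setFactory(new LDAPClaimSourceFactory());
    }
    try {
        SATFactory.setAdminClientConverter(AdminClientStoreProviders.getAdminClientConverter());
        SATFactory.setClientConverter((ClientConverter<? extends Client>) oa2SE.getClientStore().getACConverter());
    } catch (Exception e) {
        // Best effort, as before: the servlet still starts without the SAT converters.
        // The failure is now recorded in the server log, not only on stderr, so an
        // operator can see why SAT requests later fail.
        oa2SE.getMyLogger().info("Could not set SAT client converters; SAT requests may fail: " + e);
        if (DebugUtil.isEnabled()) {
            e.printStackTrace();
        }
    }
}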
