Example 6 with OA2ServiceTransaction

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

Class RefreshTokenRetentionPolicy, method retain:

@Override
public boolean retain(Object key, Object value) {
    OA2ServiceTransaction st2 = (OA2ServiceTransaction) value;
    RefreshToken rt = st2.getRefreshToken();
    long timeout = st2.getRefreshTokenLifetime();
    if (rt == null || rt.getToken() == null) {
        // fall back to looking at the access token timestamp. Failing that, fall back to the creation time from
        // the identifier.
        String token;
        token = (st2.getAccessToken() == null ? st2.getIdentifierString() : st2.getAccessToken().getToken());
        try {
            DateUtils.checkTimestamp(token);
        } catch (InvalidTimestampException its) {
            return false;
        }
        return true;
    }
    try {
        if (timeout <= 0) {
            // No refresh token lifetime was set on this transaction, so apply the default timeout
            // built into DateUtils rather than a per-transaction one.
            DateUtils.checkTimestamp(rt.getToken());
        } else {
            DateUtils.checkTimestamp(rt.getToken(), timeout);
        }
        return true;
    } catch (InvalidTimestampException its) {
        return false;
    }
}

Example 7 with OA2ServiceTransaction

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

Class XsedeClaimsSource, method process:

@Override
public UserInfo process(UserInfo userInfo, ServiceTransaction transaction) throws UnsupportedScopeException {
    OA2ServiceTransaction t = (OA2ServiceTransaction) transaction;
    myLogger.info("In XSEDE scope handler9: " + getScopes());
    String subject = t.getUsername();
    if (subject == null) {
        myLogger.debug("No subject available in transaction");
        // nothing can be done without subject info
        return userInfo;
    }
    // See if userInfo already has the requisite info
    myLogger.debug("Profile:" + t.getScopes().contains(SCOPE_PROFILE) + ":" + userInfo.getGiven_name() + ":" + userInfo.getMiddle_name() + ":" + userInfo.getFamily_name());
    myLogger.debug("EMAIL:" + userInfo.getEmail());
    myLogger.debug("XSEDE:" + userInfo.getString("xsedeHomeOrganization"));
    // Every requested scope is already satisfied if its claims are present in userInfo.
    boolean profileSatisfied = !t.getScopes().contains(SCOPE_PROFILE)
            || (userInfo.getGiven_name() != null && userInfo.getMiddle_name() != null && userInfo.getFamily_name() != null);
    boolean emailSatisfied = !t.getScopes().contains(SCOPE_EMAIL) || userInfo.getEmail() != null;
    boolean xsedeSatisfied = !t.getScopes().contains(SCOPE_XSEDE) || userInfo.getString("xsedeHomeOrganization") != null;
    if (profileSatisfied && emailSatisfied && xsedeSatisfied) {
        myLogger.info("Info for all claims in requested scopes already " + "available in userInfo; skipping call to XDCDB");
        return userInfo;
    }
    // One or more requisite info missing; retrieve from XCDB and set
    JsonObject profile = getUserInfo(subject);
    String firstName = profile.isNull("first_name") ? "" : profile.getString("first_name");
    String middleName = profile.isNull("middle_name") ? "" : profile.getString("middle_name");
    String lastName = profile.isNull("last_name") ? "" : profile.getString("last_name");
    String email = profile.isNull("email") ? "" : profile.getString("email");
    String organization = profile.isNull("organization") ? "" : profile.getString("organization");
    if (t.getScopes().contains(SCOPE_PROFILE)) {
        myLogger.info("Processing profile scope in XSEDE handler");
        userInfo.setGiven_name(firstName);
        userInfo.setMiddle_name(middleName);
        userInfo.setFamily_name(lastName);
    }
    if (t.getScopes().contains(SCOPE_EMAIL)) {
        myLogger.info("Processing email scope in XSEDE handler");
        userInfo.setEmail(email);
    }
    if (t.getScopes().contains(SCOPE_XSEDE)) {
        myLogger.info("Processing xsede scope in XSEDE handler");
        userInfo.put("xsedeHomeOrganization", organization);
    }
    return userInfo;
}

Example 8 with OA2ServiceTransaction

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

Class OA2AuthorizationServer, method createRedirect:

@Override
protected void createRedirect(HttpServletRequest request, HttpServletResponse response, ServiceTransaction trans) throws Throwable {
    String rawrtl = request.getParameter(AUTHORIZATION_REFRESH_TOKEN_LIFETIME_KEY);
    OA2ServiceTransaction st2 = (OA2ServiceTransaction) trans;
    try {
        if (rawrtl != null) {
            // The request parameter is in seconds; the transaction stores milliseconds.
            st2.setRefreshTokenLifetime(Long.parseLong(rawrtl) * 1000);
        }
    } catch (Throwable t) {
        // An unparseable value is treated as "no lifetime requested" rather than rejected.
        st2.setRefreshTokenLifetime(0L);
    }
    super.createRedirect(request, response, trans);
}

Example 9 with OA2ServiceTransaction

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

Class OA2AuthorizedServlet, method verifyAndGet:

@Override
public ServiceTransaction verifyAndGet(IssuerResponse iResponse) throws UnsupportedEncodingException {
    AGResponse agResponse = (AGResponse) iResponse;
    Map<String, String> params = agResponse.getParameters();
    // Since the state (if present) has to be returned with any error message, we have to see if there is one
    // there first.
    String state = null;
    if (params.containsKey(STATE)) {
        state = params.get(STATE);
    }
    // Spec says that the redirect must match one of the ones stored and if not, the request is rejected.
    String givenRedirect = params.get(REDIRECT_URI);
    OA2ClientCheck.check(agResponse.getClient(), givenRedirect);
    // by this point it has been verified that the redirect uri is valid.
    String rawSecret = params.get(CLIENT_SECRET);
    if (rawSecret != null) {
        info("Client is sending secret in initial request. Though not forbidden by the protocol this is discouraged.");
        if (!agResponse.getClient().getSecret().equals(rawSecret)) {
            info("And for what it is worth, the client sent along an incorrect secret too...");
        }
    }
    String nonce = params.get(NONCE);
    // FIX for OAUTH-180. Server must support clients that do not use a nonce. Just log it and rock on.
    if (nonce == null || nonce.length() == 0) {
        info("No nonce in initial request for " + agResponse.getClient().getIdentifierString());
    } else {
        // Don't check it, just store it and return it later.
        NonceHerder.putNonce(nonce);
    }
    if (params.containsKey(DISPLAY)) {
        if (!params.get(DISPLAY).equals(DISPLAY_PAGE)) {
            throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "Only " + DISPLAY + "=" + DISPLAY_PAGE + " is supported", state, givenRedirect);
        }
    }
    OA2ServiceTransaction st = createNewTransaction(agResponse.getGrant());
    info("Created new unsaved transaction with id=" + st.getIdentifierString());
    ArrayList<String> scopes = resolveScopes(st, params, state, givenRedirect);
    st.setScopes(scopes);
    st.setAuthGrantValid(false);
    st.setAccessTokenValid(false);
    st.setCallback(URI.create(params.get(REDIRECT_URI)));
    // fine if the nonce is null or empty, just set what they sent.
    st.setNonce(nonce);
    // in all subsequent attempts. Since all requests have an expiration date, this parameter is redundant in any case.
    if (agResponse.getParameters().containsKey(OA2Constants.MAX_AGE)) {
        throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "The " + OA2Constants.MAX_AGE + " parameter is not supported at this time.", state, givenRedirect);
    }
    // Store the callback the user needs to use for this request, since the spec allows for many.
    // and now check for a bunch of stuff that might fail.
    checkPrompts(params);
    if (params.containsKey(REQUEST)) {
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "The \"request\" parameter is not supported on this server", state, givenRedirect);
    }
    if (params.containsKey(REQUEST_URI)) {
        throw new OA2RedirectableError(OA2Errors.REQUEST_URI_NOT_SUPPORTED, "The \"request_uri\" parameter is not supported on this server", state, givenRedirect);
    }
    return st;
}

Example 10 with OA2ServiceTransaction

Use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

Class OA2AuthorizedServlet, method CheckIdTokenHint:

/**
 * In this case, a previous request to the token endpoint returned an ID token. If this is sent to
 * this endpoint, we are to check that there is an active logon for the user (=there is a transaction
 * for that name here) and return a success but no body. Otherwise, we throw an exception.
 *
 * @param httpServletRequest  the incoming authorization request
 * @param httpServletResponse the response; set to 200 OK when an active logon is found
 * @param callback            the redirect URI used when raising a redirectable error
 * @return true if an id_token_hint was supplied and an active logon was found for it; false if no
 *         id_token_hint was supplied at all
 */
protected boolean CheckIdTokenHint(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String callback) {
    if (!httpServletRequest.getParameterMap().containsKey(ID_TOKEN_HINT)) {
        return false;
    }
    UsernameFindable ufStore = null;
    // getParameterMap() yields String[] values, so String.valueOf() on that array would produce the
    // array's identity string rather than the token; read the single parameter value instead.
    String rawIDToken = httpServletRequest.getParameter(ID_TOKEN_HINT);
    JSONObject idToken = null;
    try {
        idToken = JWTUtil.verifyAndReadJWT(rawIDToken, ((OA2SE) getServiceEnvironment()).getJsonWebKeys());
    } catch (Throwable e) {
        throw new GeneralException("Error: Cannot read ID token hint", e);
    }
    String state = httpServletRequest.getParameter(STATE);
    String username = null;
    if (idToken.containsKey(OA2Claims.SUBJECT)) {
        username = idToken.getString(OA2Claims.SUBJECT);
    }
    // Without a subject claim the username stays null and no transaction will be matched below.
    try {
        ufStore = (UsernameFindable) getTransactionStore();
        OA2ServiceTransaction t = ufStore.getByUsername(username);
        if (t != null) {
            // Then there is a transaction, so the user authenticated successfully.
            if (idToken.containsKey(OA2Claims.AUDIENCE)) {
                if (!t.getClient().getIdentifierString().equals(idToken.getString(OA2Claims.AUDIENCE))) {
                    // The wrong client for this user is attempting the request. That is not allowed.
                    throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "Incorrect aud parameter in the ID token. This request is not supported on this server", state, callback);
                }
            } else {
                // The client that is associated with this user must be supplied.
                throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "No aud parameter in the ID token. This request is not supported on this server", state, callback);
            }
            httpServletResponse.setStatus(HttpStatus.SC_OK);
            // The spec does not state that anything is returned, just a positive response.
            return true;
        }
    } catch (IOException e) {
        // Something is probably wrong with the class structure if this fails...
        throw new NFWException("Internal error: Could not cast the store to a username findable store.");
    }
    throw new OA2RedirectableError(OA2Errors.LOGIN_REQUIRED, "Login required.", state, callback);
}