
Example 11 with OA2ServiceTransaction

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

the class OA2CertServlet method doRealCertRequest.

@Override
protected void doRealCertRequest(ServiceTransaction trans, String statusString) throws Throwable {
    // CIL-243: binding the cert request's CN to the transaction's username was considered but is
    // not enforced. The check is kept here, disabled, in case that decision is ever revisited:
    /*
        if (trans.getCertReq().getCN()==null || (!trans.getUsername().equals(trans.getCertReq().getCN()))) { // CN can be null
            throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "The common name on the cert request is \"" +
                    trans.getCertReq().getCN() +
                    "\" which does not match the username \"" + trans.getUsername() + "\"", HttpStatus.SC_BAD_REQUEST);
        }
    */
    OA2ServiceTransaction oa2Transaction = (OA2ServiceTransaction) trans;
    OA2SE environment = (OA2SE) getServiceEnvironment();

    if (environment.isTwoFactorSupportEnabled()) {
        // Two-factor flow: the MyProxy connection must already have been cached under this
        // transaction's identifier; without it the request cannot be served.
        if (!getMyproxyConnectionCache().containsKey(oa2Transaction.getIdentifier())) {
            throw new GeneralException("No cached my proxy object with identifier " + oa2Transaction.getIdentifierString());
        }
        MPSingleConnectionProvider.MyProxyLogonConnection cachedConnection =
                (MPSingleConnectionProvider.MyProxyLogonConnection) getMyproxyConnectionCache().get(oa2Transaction.getIdentifier()).getValue();
        // When the cached logon carries the credentials from the authorization step, the cache
        // entry is dropped and a fresh connection is opened for this transaction's lifetime.
        // NOTE(review): presumably this covers the user not completing the cert request
        // promptly after authorization — confirm against the caller.
        if (cachedConnection.getMyProxyLogon() instanceof MyMyProxyLogon) {
            MyMyProxyLogon cachedLogon = (MyMyProxyLogon) cachedConnection.getMyProxyLogon();
            getMyproxyConnectionCache().remove(cachedConnection.getIdentifier());
            createMPConnection(trans.getIdentifier(), cachedLogon.getUsername(), cachedLogon.getPassphrase(), trans.getLifetime());
        }
    } else {
        // Single-factor flow: verify the MyProxy connection for this transaction is usable.
        checkMPConnection(oa2Transaction);
    }
    doCertRequest(oa2Transaction, statusString);
}

Example 12 with OA2ServiceTransaction

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

the class OA2CertServlet method postprocess.

/**
 * Runs the superclass post-processing, then keeps the access token valid when a refresh
 * token is in play.
 *
 * <p>If refresh tokens are enabled and the transaction holds one, the access token is
 * re-marked valid and the transaction is saved, so the user can fetch certificates again for
 * the lifetime of the refresh token. Otherwise nothing beyond the superclass behaviour happens.
 *
 * @param state the transaction state for the current request
 * @throws Throwable propagated from the superclass or the store
 */
@Override
public void postprocess(TransactionState state) throws Throwable {
    super.postprocess(state);
    OA2ServiceTransaction transaction = (OA2ServiceTransaction) state.getTransaction();
    OA2SE environment = (OA2SE) getServiceEnvironment();
    boolean keepAccessTokenValid = environment.isRefreshTokenEnabled() && transaction.hasRefreshToken();
    if (!keepAccessTokenValid) {
        return;
    }
    transaction.setAccessTokenValid(true);
    getTransactionStore().save(transaction);
}

Example 13 with OA2ServiceTransaction

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

the class OA2CertServlet method verifyAndGet.

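/**
 * Looks up the transaction for the access token in the response and checks that it may be
 * used for a certificate request.
 *
 * <p>Checks, in order: the token maps to a transaction, the transaction requested the
 * MyProxy scope, the access token has not been invalidated, the client is approved, and the
 * token's timestamp is still acceptable.
 *
 * @param iResponse the issuer response; must be a {@code PAIResponse2}
 * @return the transaction bound to the access token
 * @throws GeneralException if the token is unknown, invalid, or out of scope
 * @throws IOException propagated from the approval or timestamp checks
 */
public ServiceTransaction verifyAndGet(IssuerResponse iResponse) throws IOException {
    PAIResponse2 par = (PAIResponse2) iResponse;
    AccessToken accessToken = par.getAccessToken();
    OA2ServiceTransaction t = (OA2ServiceTransaction) getTransactionStore().get(accessToken);
    // Unknown token. The message is the same as for an invalidated token below, so the
    // response does not reveal which of the two cases applies.
    if (t == null) {
        throw new GeneralException("Invalid access token. Request refused");
    }
    if (!t.getScopes().contains(OA2Scopes.SCOPE_MYPROXY)) {
        // Note that this requires a state, but none is sent in the OA4MP cert request.
        throw new GeneralException("Certificate request is not in scope.");
    }
    // Access tokens must be valid in order to get a cert. If the token is invalid, the user must
    // get a valid one using the refresh token.
    if (!t.isAccessTokenValid()) {
        throw new GeneralException("Invalid access token. Request refused");
    }
    checkClientApproval(t.getClient());
    checkTimestamp(accessToken.getToken());
    return t;
}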

Example 14 with OA2ServiceTransaction

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

the class UserInfoServlet method doIt.

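/**
 * Serves the OIDC user-info request: resolves the bearer access token to a transaction,
 * validates it, then runs every configured claim source and writes the resulting user info.
 *
 * @param request  the incoming request; the access token is read from its Authorization header
 * @param response the response the user info is written to
 * @throws OA2GeneralError if the token is unknown, invalid or expired, or the client is public
 * @throws Throwable propagated from token lookup, claim processing, or writing the response
 */
@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    // The access token is sent in the authorization header and should look like
    // Bearer oa4mp:...
    AccessToken at = getAT(request);
    ServiceTransaction transaction = (ServiceTransaction) getTransactionStore().get(at);
    // The null check must come before anything is read from the transaction; otherwise an
    // unknown token surfaces as a NullPointerException instead of this error.
    if (transaction == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "no transaction for the access token was found.", HttpStatus.SC_BAD_REQUEST);
    }
    if (((OA2Client) transaction.getClient()).isPublicClient()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "public client not authorized to access user information", HttpStatus.SC_UNAUTHORIZED);
    }
    if (!transaction.isAccessTokenValid()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "invalid access token.", HttpStatus.SC_BAD_REQUEST);
    }
    try {
        checkTimestamp(at.getToken());
    } catch (InvalidTimestampException itx) {
        // Translated into a protocol-level error; the original exception carries no further
        // information the client should receive.
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "token expired.", HttpStatus.SC_BAD_REQUEST);
    }
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    UII2 uis = new UII2(oa2SE.getTokenForge(), getServiceEnvironment().getServiceAddress());
    UIIRequest2 uireq = new UIIRequest2(request, at);
    uireq.setUsername(getUsername(transaction));
    // Now we figure out which scope handler to use.
    UIIResponse2 uiresp = (UIIResponse2) uis.process(uireq);
    LinkedList<ClaimSource> claimSources = OA2ATServlet.setupScopeHandlers((OA2ServiceTransaction) transaction, oa2SE);
    DebugUtil.dbg(this, "Invoking scope handler");
    if (claimSources == null || claimSources.isEmpty()) {
        // No handlers: the user info is written as produced by uis.process above. A null list
        // previously fell through to the loop and threw a NullPointerException.
        DebugUtil.dbg(this, " ***** NO SCOPE HANDLERS ");
    } else {
        for (ClaimSource claimSource : claimSources) {
            DebugUtil.dbg(this, " scope handler=" + claimSource.getClass().getSimpleName());
            claimSource.process(uiresp.getUserInfo(), transaction);
        }
    }
    uiresp.write(response);
}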

Example 15 with OA2ServiceTransaction

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.

the class OA2ATServlet method verifyAndGet.

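/**
 * Resolves the authorization code in the access-token request to its pending transaction
 * and checks that the code may be exchanged.
 *
 * <p>Rejects the request when the code or redirect URI parameter is missing, when no
 * transaction is pending for the code, when the authorization grant has already been used
 * or invalidated, or when the presented redirect URI differs from the one registered on the
 * transaction. On success the response is populated with the supported scopes (only when the
 * request asked for something unsupported), the scope handlers, the transaction and the
 * default JSON web key.
 *
 * @param iResponse the issuer response; must be an {@code ATIResponse2}
 * @return the pending transaction for the authorization code
 * @throws OA2ATException   on a malformed or mismatched request
 * @throws GeneralException if the authorization grant is no longer valid
 * @throws IOException      propagated from callers' contract
 */
@Override
public ServiceTransaction verifyAndGet(IssuerResponse iResponse) throws IOException {
    ATIResponse2 atResponse = (ATIResponse2) iResponse;
    TransactionStore transactionStore = getTransactionStore();
    String rawCode = atResponse.getParameters().get(OA2Constants.AUTHORIZATION_CODE);
    if (rawCode == null) {
        // Fail explicitly rather than handing a null to the identifier and the store.
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "Missing authorization code.");
    }
    BasicIdentifier basicIdentifier = new BasicIdentifier(rawCode);
    // NOTE(review): this writes the authorization code to the debug log; presumably dbg output
    // is disabled in production — confirm.
    DebugUtil.dbg(this, "getting transaction for identifier=" + basicIdentifier);
    OA2ServiceTransaction transaction = (OA2ServiceTransaction) transactionStore.get(basicIdentifier);
    if (transaction == null) {
        // Then this request does not correspond to an previous one and must be rejected asap.
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "No pending transaction found for id=" + basicIdentifier);
    }
    if (!transaction.isAuthGrantValid()) {
        String msg = "Error: Attempt to use invalid authorization code.  Request rejected.";
        warn(msg);
        throw new GeneralException(msg);
    }
    String rawRedirectUri = atResponse.getParameters().get(OA2Constants.REDIRECT_URI);
    if (rawRedirectUri == null) {
        // URI.create(null) would throw a NullPointerException; reject the request cleanly instead.
        String msg = "Missing redirect uri.";
        warn(msg);
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, msg);
    }
    // A syntactically invalid URI still throws IllegalArgumentException here, as before.
    URI uri = URI.create(rawRedirectUri);
    if (!transaction.getCallback().equals(uri)) {
        String msg = "Attempt to use alternate redirect uri rejected.";
        warn(msg);
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, msg);
    }
    /* Now we have to determine which scopes to return
           The spec says we don't have to return anything if the requested scopes are the same as the
           supported scopes. Otherwise, return what scopes *are* supported.
         */
    ArrayList<String> targetScopes = new ArrayList<>();
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    // set true if something is requested we don't support
    boolean returnScopes = false;
    for (String s : transaction.getScopes()) {
        if (oa2SE.getScopes().contains(s)) {
            targetScopes.add(s);
        } else {
            returnScopes = true;
        }
    }
    if (returnScopes) {
        atResponse.setSupportedScopes(targetScopes);
    }
    atResponse.setScopeHandlers(setupScopeHandlers(transaction, oa2SE));
    atResponse.setServiceTransaction(transaction);
    atResponse.setJsonWebKey(oa2SE.getJsonWebKeys().getDefault());
    return transaction;
}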
