

From the class AbstractAccessTokenServlet, method doDelegation:

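/**
 * Completes the access-token leg of the delegation flow: reads the verifier and the
 * authorization grant from the request, exchanges them for an access token through the
 * issuer, and persists the updated transaction before handing the result to
 * {@link #postprocess}.
 *
 * @param client              the client making the token request
 * @param httpServletRequest  the incoming token request carrying the grant and verifier
 * @param httpServletResponse the response that will be sent to the client
 * @return the transaction state after the exchange, including the issuer's {@code ATResponse}
 * @throws ServletException if the updated transaction cannot be saved
 * @throws Throwable        anything propagated by the token forge, the issuer, or the
 *                          pre/post-processing hooks
 */
protected IssuerTransactionState doDelegation(Client client, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable, ServletException {
    // NOTE(review): this helper dumps the request parameters, which on this endpoint include
    // the grant and verifier; where it writes them is not visible here — confirm it is not a
    // production log.
    printAllParameters(httpServletRequest);
    info("5.a. Starting access token exchange");
    Verifier v = getServiceEnvironment().getTokenForge().getVerifier(httpServletRequest);
    AuthorizationGrant ag = getServiceEnvironment().getTokenForge().getAuthorizationGrant(httpServletRequest);
    ATRequest atRequest = new ATRequest(httpServletRequest, client);
    atRequest.setVerifier(v);
    atRequest.setAuthorizationGrant(ag);
    // FIXME!! make this configurable?? Every access token currently gets the maximum lifetime.
    atRequest.setExpiresIn(DateUtils.MAX_TIMEOUT);
    ATResponse atResp = (ATResponse) getATI().process(atRequest);
    // Presumably rejects a response whose grant does not map to a live transaction;
    // its checks are not visible here.
    ServiceTransaction transaction = verifyAndGet(atResp);
    String cc = "client=" + transaction.getClient();
    info("5.a. got access token " + cc);
    preprocess(new TransactionState(httpServletRequest, httpServletResponse, atResp.getParameters(), transaction));
    // Log that a token was issued, not the token itself: the previous message wrote the
    // access token and the verifier into the debug log.
    debug("5.a. access token issued for " + cc);
    // The grant is consumed before the token is recorded, so a second presentation of the
    // same grant should be refused downstream — confirm verifyAndGet honors this flag.
    transaction.setAuthGrantValid(false);
    transaction.setAccessToken(atResp.getAccessToken());
    transaction.setAccessTokenValid(true);
    try {
        getTransactionStore().save(transaction);
        info("5.a. updated transaction state for " + cc + ", sending response to client");
    } catch (GeneralException e) {
        throw new ServletException("Error saving transaction", e);
    }
    info("5.b. done with access token exchange with " + cc);
    IssuerTransactionState transactionState = new IssuerTransactionState(httpServletRequest, httpServletResponse, atResp.getParameters(), transaction, atResp);
    postprocess(transactionState);
    return transactionState;
}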


From the class OA2ReadyServlet, method doIt:

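/**
 * Callback endpoint of the demo client. The server redirects the browser here after the
 * authorization step, carrying the authorization grant (the "token" parameter) and the
 * {@code state} value. The grant is exchanged for an access token, user info is fetched,
 * certificates are retrieved when the client was configured with the MyProxy scope, and the
 * result is forwarded to the success page.
 *
 * @param request  the callback request; must carry the token parameter
 * @param response the response used for the JSP forward
 * @throws Throwable {@link OA2RedirectableError} if the server reported an error;
 *                   {@link IllegalArgumentException} if the cookie names an asset that does
 *                   not exist or the returned state does not match the stored one;
 *                   anything propagated by the service calls
 */
@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    if (request.getParameterMap().containsKey(OA2Constants.ERROR)) {
        throw new OA2RedirectableError(request.getParameter(OA2Constants.ERROR), request.getParameter(OA2Constants.ERROR_DESCRIPTION), request.getParameter(OA2Constants.STATE));
    }
    // The server redirects the browser back here, so it is the portal that invokes this
    // method after authorization. The token and state are read off the request and used to
    // complete the exchange.
    info("2.a. Getting token and verifier.");
    String token = request.getParameter(CONST(ClientEnvironment.TOKEN));
    String state = request.getParameter(OA2Constants.STATE);
    if (token == null) {
        // The token is always null on this path, so the old conditional expression was dead;
        // a grant value should not be written to the log in any case.
        warn("2.a. The token is null.");
        GeneralException ge = new GeneralException("Error: This servlet requires parameters for the token and possibly verifier.");
        request.setAttribute("exception", ge);
        JSPUtil.fwd(request, response, getCE().getErrorPagePath());
        return;
    }
    info("2.a Token found.");
    AuthorizationGrant grant = new AuthorizationGrantImpl(URI.create(token));
    info("2.a. Getting the cert(s) from the service");
    // The cookie is consumed here; without one, try to find the asset by the token instead.
    String identifier = clearCookie(request, response);
    OA2Asset asset = null;
    if (identifier == null) {
        asset = (OA2Asset) getCE().getAssetStore().getByToken(BasicIdentifier.newID(token));
        if (asset != null) {
            identifier = asset.getIdentifierString();
        }
    }
    OA2MPService oa2MPService = (OA2MPService) getOA4MPService();
    boolean getCerts = ((OA2ClientEnvironment) getCE()).getScopes().contains(OA2Scopes.SCOPE_MYPROXY);
    AssetResponse assetResponse = null;
    UserInfo ui;
    if (identifier == null) {
        // Demo servlet: no cookie and no stored asset for this token, so nothing can be saved,
        // but the exchange still proceeds. asset is null on this path, and with no stored asset
        // there is no recorded state to compare the returned one against.
        warn("Error: no cookie found. Cannot save certificates");
        debug("No cookie found");
        ATResponse2 atResponse2 = oa2MPService.getAccessToken(asset, grant);
        ui = oa2MPService.getUserInfo(atResponse2.getAccessToken().toString());
        if (getCerts) {
            assetResponse = oa2MPService.getCert(asset, atResponse2);
        }
    } else {
        asset = (OA2Asset) getCE().getAssetStore().get(identifier);
        if (asset == null) {
            // Previously fell through to a NullPointerException on asset.getState().
            warn("No asset found for identifier \"" + identifier + "\". Transaction aborted.");
            throw new IllegalArgumentException("Error: no asset found for this transaction. You might need to clear your cookies and retry the entire request.");
        }
        // The state must round-trip unchanged. A mismatch most often arises when the server's
        // authorize-init.jsp has been changed or replaced and the hidden state field (passed to
        // the form and back, never stored server-side) is missing; it is also this callback's
        // check that the response belongs to the request it started, so the exchange is refused.
        if (asset.getState() == null || !asset.getState().equals(state)) {
            warn("The expected state from the server was \"" + asset.getState() + "\", but instead \"" + state + "\" was returned. Transaction aborted.");
            throw new IllegalArgumentException("Error: The state returned by the server is invalid.");
        }
        ATResponse2 atResponse2 = oa2MPService.getAccessToken(asset, grant);
        ui = oa2MPService.getUserInfo(identifier);
        if (getCerts) {
            assetResponse = oa2MPService.getCert(asset, atResponse2);
        }
    }
    info("2.b. Done! Displaying success page.");
    if (getCerts) {
        setCertificateAttributes(request, asset, assetResponse);
    } else {
        request.setAttribute("certSubject", "(no cert requested)");
    }
    if (ui != null) {
        request.setAttribute("userinfo", JSONUtils.valueToString(ui.toJSon(), 4, 2));
    } else {
        request.setAttribute("userinfo", "no user info returned.");
    }
    // Fix in cases where the server request passes through Apache before going to Tomcat.
    String contextPath = request.getContextPath();
    if (!contextPath.endsWith("/")) {
        contextPath = contextPath + "/";
    }
    request.setAttribute("action", contextPath);
    info("2.a. Completely finished with delegation.");
    JSPUtil.fwd(request, response, getCE().getSuccessPagePath());
}

/**
 * Exposes the first returned certificate, and the asset's private key if there is one, as
 * request attributes for the success page. Only the first certificate is inspected; this just
 * proves a response came back rather than rendering a full chain.
 *
 * @param request       the request whose attributes are populated
 * @param asset         the asset holding the private key; null when no cookie or asset was found
 * @param assetResponse the certificate response from the service; may be null
 */
private void setCertificateAttributes(HttpServletRequest request, OA2Asset asset, AssetResponse assetResponse) {
    X509Certificate[] certs = assetResponse == null ? null : assetResponse.getX509Certificates();
    if (certs == null || certs.length == 0) {
        // An empty array previously raised ArrayIndexOutOfBoundsException; treat it as "no cert".
        request.setAttribute("certSubject", "(no cert returned)");
        return;
    }
    X509Certificate cert = certs[0];
    // Rest of this is putting up something for the user to see.
    request.setAttribute("certSubject", cert.getSubjectDN());
    request.setAttribute("cert", CertUtil.toPEM(certs));
    request.setAttribute("username", assetResponse.getUsername());
    // FIX OAUTH-216. Note that this is displayed on the client's success page.
    // asset is null on the no-cookie path, which previously dereferenced it here.
    if (asset != null && asset.getPrivateKey() != null) {
        request.setAttribute("privateKey", KeyUtil.toPKCS1PEM(asset.getPrivateKey()));
    } else {
        request.setAttribute("privateKey", "(none)");
    }
}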


From the class AbstractOA4MPService, method getCert:

/**
 * Resolves the asset for this transaction and then delegates to the three-argument
 * {@code getCert} overload with the forge-built grant and verifier. Fails if no asset can
 * be found for either the identifier or the token.
 *
 * @param tempToken  the temporary token of the transaction; may be null
 * @param verifier   the verifier string, or null if the flow uses none
 * @param identifier the identifier of the asset; when null, one is derived from the token
 * @return the response holding the issued certificate(s)
 * @throws IllegalArgumentException if no identifier can be established or no asset is
 *                                  found for it
 */
public AssetResponse getCert(String tempToken, String verifier, Identifier identifier) {
    // Deriving the id from the token is a failsafe for callers that never set an identifier;
    // an explicit identifier is by far the common case.
    Identifier realId = identifier == null ? makeb64Uri(tempToken) : identifier;
    if (realId == null) {
        throw new IllegalArgumentException("Error: no identifier found for this transaction. Cannot retrieve asset.");
    }
    Asset asset = getAssetStore().get(realId);
    if (asset == null && tempToken != null) {
        asset = getAssetStore().getByToken(BasicIdentifier.newID(tempToken));
    }
    if (asset == null) {
        // Nothing found under either key: report whichever id the caller would recognize.
        // NOTE(review): the message carries the token value; confirm where this exception
        // text ends up before treating it as safe to surface.
        String currentID = tempToken == null ? realId.toString() : tempToken;
        throw new IllegalArgumentException("Error:No asset with the given identifier \"" + currentID + "\" found. " + "You might need to clear your cookies and retry the entire request.");
    }
    AuthorizationGrant ag = getEnvironment().getTokenForge().getAuthorizationGrant(tempToken);
    Verifier v = verifier == null ? null : getEnvironment().getTokenForge().getVerifier(verifier);
    return getCert(asset, ag, v);
}


From the class RefreshTokenStoreTest, method testRT:

/**
 * Exercises refresh-token lookup on a store: a transaction saved with a refresh token must be
 * retrievable by that token, and replacing the token (while marking it invalid) must update
 * the lookup rather than leave the old mapping in place.
 * <p>
 * Uses Java {@code assert}; run with {@code -ea} or the checks are silently skipped.
 *
 * @param tStore the store under test; must implement {@link RefreshTokenStore}
 * @throws Exception             anything propagated by the store
 * @throws IllegalStateException if the store is not a {@link RefreshTokenStore}
 */
public void testRT(TransactionStore tStore) throws Exception {
    if (!(tStore instanceof RefreshTokenStore)) {
        throw new IllegalStateException("Error: The store " + tStore.getClass().getSimpleName() + " is not of a type RefreshTokenStore");
    }
    RefreshTokenStore refreshStore = (RefreshTokenStore) tStore;
    OA2ServiceTransaction transaction = (OA2ServiceTransaction) tStore.create();
    OA2TokenForge forge = new OA2TokenForge("http://localhost/test/");
    RefreshToken firstToken = forge.getRefreshToken();
    transaction.setRefreshToken(firstToken);
    // The grant is what the transaction is retrieved by later, so it is simply the identifier.
    transaction.setAuthorizationGrant(forge.getAuthorizationGrant(transaction.getIdentifierString()));
    transaction.setRefreshTokenLifetime(EXPIRES_IN);
    tStore.save(transaction);
    assert refreshStore.get(firstToken).equals(transaction) : "Error: created transaction is not fetched faithfully from the store";
    // Swap in a second token: the store must follow the update, not the original mapping.
    RefreshToken secondToken = forge.getRefreshToken();
    transaction.setRefreshToken(secondToken);
    transaction.setRefreshTokenValid(false);
    tStore.save(transaction);
    assert refreshStore.get(secondToken).equals(transaction) : "Error: updating refresh token fails.";
}


From the class NewTransactionTest, method newAG:

/**
 * Builds an authorization grant from the forge with its shared secret cleared.
 * OA4MP never uses the secret and the stores do not persist it, so leaving a forge-supplied
 * value in place would make round-trip comparisons in the tests fail spuriously.
 *
 * @param tokenForge the forge that mints the grant
 * @param x          forge-specific arguments passed straight through
 * @return the grant with {@code sharedSecret} set to null
 */
protected AuthorizationGrant newAG(TokenForge tokenForge, String... x) {
    AuthorizationGrant grant = tokenForge.getAuthorizationGrant(x);
    grant.setSharedSecret(null);
    return grant;
}
