Example 6 with OA2Client

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2Client in project OA4MP by ncsa.

From class PermissionTest, method testAttributes:

public void testAttributes(PermissionsStore pStore, ClientStore clientStore, AdminClientStore acStore) throws Exception {
    AdminClient ac = (AdminClient) acStore.create();
    OA2Client c = (OA2Client) clientStore.create();
    Permission p = (Permission) pStore.create();
    p.setAdminID(ac.getIdentifier());
    p.setClientID(c.getIdentifier());
    p.setApprove(false);
    pStore.save(p);
    Permission p2 = (Permission) pStore.get(p.getIdentifier());
    assert p2.equals(p);
    p.setCreate(false);
    pStore.save(p);
    p2 = (Permission) pStore.get(p.getIdentifier());
    assert p2.equals(p);
    p.setRead(false);
    pStore.save(p);
    p2 = (Permission) pStore.get(p.getIdentifier());
    assert p2.equals(p);
    p.setDelete(false);
    pStore.save(p);
    p2 = (Permission) pStore.get(p.getIdentifier());
    assert p2.equals(p);
    p.setDelete(false);
    pStore.save(p);
    p2 = (Permission) pStore.get(p.getIdentifier());
    assert p2.equals(p);
}
Also used : OA2Client(edu.uiuc.ncsa.security.oauth_2_0.OA2Client) Permission(edu.uiuc.ncsa.myproxy.oa4mp.server.admin.permissions.Permission) AdminClient(edu.uiuc.ncsa.myproxy.oa4mp.server.admin.adminClient.AdminClient)

Example 7 with OA2Client

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2Client in project OA4MP by ncsa.

From class OA2CertServlet, method getClient:

/**
 * This looks for the information about the client and checks the secret.
 *
 * @param req the incoming servlet request carrying the client id and secret, either as parameters or in a Basic Authorization header
 * @return the client whose stored secret hash matches the supplied secret
 */
@Override
public Client getClient(HttpServletRequest req) {
    String rawID = req.getParameter(CONST(CONSUMER_KEY));
    String rawSecret = getFirstParameterValue(req, CLIENT_SECRET);
    // According to the spec. this must be in a Basic Authz header if it is not sent as parameter
    List<String> basicTokens = HeaderUtils.getAuthHeader(req, "Basic");
    if (2 < basicTokens.size()) {
        // too many tokens to unscramble
        throw new OA2GeneralError(OA2Errors.INVALID_TOKEN, "Error: Too many authorization tokens.", HttpStatus.SC_UNAUTHORIZED);
        // throw new GeneralException("Too many authorization tokens");
    }
    if (rawID == null) {
        for (String x : basicTokens) {
            try {
                // Here is some detective work. We get up to TWO basic Authz tokens, the id and the secret.
                // Since ids are valid URIs, the idea here is that anything that parses as a URI with a scheme
                // must be an id and the other one is the secret. This also handles the case that one of these
                // is sent as a parameter in the call and the other is in the header.
                URI test = URI.create(x);
                if (test.getScheme() != null) {
                    rawID = x;
                } else {
                    // parses as a URI but has no scheme, so it must be the secret.
                    rawSecret = x;
                }
            } catch (Throwable t) {
                // not a URI at all, so it can only be the secret.
                if (rawSecret == null) {
                    rawSecret = x;
                }
            }
        }
    }
    if (rawID == null) {
        throw new UnknownClientException("No client id");
    }
    Identifier id = BasicIdentifier.newID(rawID);
    OA2Client client = (OA2Client) getClient(id);
    if (client.isPublicClient()) {
        throw new GeneralException("Error: public clients not supported for this operation.");
    }
    if (rawSecret == null) {
        throw new GeneralException("Error: No secret. request refused.");
    }
    if (!client.getSecret().equals(DigestUtils.shaHex(rawSecret))) {
        throw new GeneralException("Error: Secret is incorrect. request refused.");
    }
    return client;
}
Also used : OA2Client(edu.uiuc.ncsa.security.oauth_2_0.OA2Client) BasicIdentifier(edu.uiuc.ncsa.security.core.util.BasicIdentifier) Identifier(edu.uiuc.ncsa.security.core.Identifier) GeneralException(edu.uiuc.ncsa.security.core.exceptions.GeneralException) UnknownClientException(edu.uiuc.ncsa.security.core.exceptions.UnknownClientException) OA2GeneralError(edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError) URI(java.net.URI)

Example 8 with OA2Client

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2Client in project OA4MP by ncsa.

From class OA2RegistrationServlet, method addNewClient:

protected Client addNewClient(HttpServletRequest request, HttpServletResponse response, boolean fireClientEvents) throws Throwable {
    OA2Client client = (OA2Client) super.addNewClient(request, response);
    String rawCBs = getRequiredParam(request, CALLBACK_URI, client);
    String rawRTLifetime = getParameter(request, REFRESH_TOKEN_LIFETIME);
    String[] rawScopes = request.getParameterValues("chkScopes");
    if (rawScopes != null) {
        Collection<String> newScopes = new LinkedList<>();
        boolean hasDefaultScope = false;
        for (String scope : rawScopes) {
            if (OA2Scopes.SCOPE_OPENID.equals(scope))
                hasDefaultScope = true;
            newScopes.add(scope);
        }
        if (!hasDefaultScope) {
            // has to be there or all requests are rejected.
            newScopes.add(OA2Scopes.SCOPE_OPENID);
        }
        client.setScopes(newScopes);
    }
    String issuer = getParameter(request, ISSUER_NAME);
    String ldap = getParameter(request, LDAP_NAME);
    if (!isEmpty(issuer)) {
        client.setIssuer(issuer);
    }
    if (!isEmpty(ldap)) {
        try {
            JSON json = JSONObject.fromObject(ldap);
            Collection<LDAPConfiguration> ldapConfiguration = LDAPConfigurationUtil.fromJSON(json);
            client.setLdaps(ldapConfiguration);
        } catch (Throwable t) {
            warn("Could not parse LDAP string during client registration for \"" + client.getIdentifierString() + "\". Skipping...");
        }
    }
    try {
        URI.create(client.getHomeUri());
    } catch (Throwable t) {
        throw new ClientRegistrationRetryException("Error. The stated home uri is invalid: " + t.getMessage(), null, client);
    }
    if (rawRTLifetime == null || rawRTLifetime.length() == 0) {
        // This effectively means there is no refresh token set.
        // FIXES CIL-309 (partial)
        client.setRtLifetime(0);
    } else {
        long clientRtLifetime = 0L;
        boolean rtLifetimeOK = true;
        if (rawRTLifetime != null && 0 < rawRTLifetime.length()) {
            try {
                // The value is in seconds on the form; it is stored in milliseconds.
                clientRtLifetime = Long.parseLong(rawRTLifetime) * 1000;
                if (clientRtLifetime < 0) {
                    rtLifetimeOK = false;
                } else {
                    rtLifetimeOK = true;
                }
            } catch (Throwable t) {
                // do nix...
                rtLifetimeOK = false;
            }
            if (!rtLifetimeOK) {
                info("Client requested illegal value for refresh token lifetime at registration of \"" + rawRTLifetime + "\"");
            }
        }
        // FIX CIL-309 (partial)
        client.setRtLifetime(Math.min(getOA2SE().getMaxClientRefreshTokenLifetime(), clientRtLifetime));
    }
    // Now generate the client secret. We generate this here:
    byte[] bytes = new byte[getOA2SE().getClientSecretLength()];
    random.nextBytes(bytes);
    String secret64 = Base64.encodeBase64URLSafeString(bytes);
    // we have to return this to the client registration ok page and store a hash of it internally
    // so we don't have a copy of it any place but the client.
    // After this is displayed the secret is actually hashed and stored.
    client.setSecret(secret64);
    BufferedReader br = new BufferedReader(new StringReader(rawCBs));
    String x = br.readLine();
    LinkedList<String> uris = new LinkedList<>();
    while (x != null) {
        if (!x.toLowerCase().startsWith("https:")) {
            warn("Attempt to add bad callback uri for client " + client.getIdentifierString());
            throw new ClientRegistrationRetryException("The callback \"" + x + "\" is not secure.", null, client);
        }
        // Passing here means it is a URI. All we want this to do is throw an exception if needed.
        URI.create(x);
        uris.add(x);
        // read the next callback line.
        x = br.readLine();
    }
    br.close();
    client.setCallbackURIs(uris);
    // part of CIL-359, signing ID tokens.
    client.setSignTokens(true);
    // CIL-414 makes the approval record here so that we can get an accurate count later.
    ClientApproval approval = (ClientApproval) getOA2SE().getClientApprovalStore().create();
    approval.setApproved(false);
    approval.setIdentifier(client.getIdentifier());
    getOA2SE().getClientApprovalStore().save(approval);
    if (fireClientEvents) {
        fireNewClientEvent(client);
    }
    return client;
}
Also used : JSON(net.sf.json.JSON) LDAPConfiguration(edu.uiuc.ncsa.security.oauth_2_0.server.config.LDAPConfiguration) LinkedList(java.util.LinkedList) OA2Client(edu.uiuc.ncsa.security.oauth_2_0.OA2Client) ClientApproval(edu.uiuc.ncsa.security.delegation.server.storage.ClientApproval) BufferedReader(java.io.BufferedReader) StringReader(java.io.StringReader)

Example 9 with OA2Client

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2Client in project OA4MP by ncsa.

From class AttributeServerTest, method testAttributeServerSet:

public void testAttributeServerSet(CMTestStoreProvider tp2) throws Exception {
    CC cc = setupClients(tp2);
    OA2ClientKeys keys = getClientKeys(tp2);
    AttributeServer attributeServer = new AttributeServer(tp2.getCOSE());
    JSONObject map = new JSONObject();
    String random = getRandom(8);
    LinkedList<String> scopes = new LinkedList<>();
    scopes.add(OA2Scopes.SCOPE_PROFILE);
    scopes.add(OA2Scopes.SCOPE_OPENID);
    map.put(keys.name(), "new name " + random);
    map.put(keys.homeURL(), "https://" + random + "/client");
    map.put(keys.scopes(), scopes);
    AttributeSetClientRequest req = RequestFactory.createRequest(cc.adminClient, new TypeAttribute(), new ActionSet(), cc.client, map);
    AttributeClientResponse resp = (AttributeClientResponse) attributeServer.process(req);
    OA2Client client = (OA2Client) resp.getClient();
    assert client.getName().equals(map.get(keys.name()));
    assert client.getIdentifier().equals(cc.client.getIdentifier());
    assert client.getHomeUri().equals(map.get(keys.homeURL()));
    assert client.getScopes().size() == scopes.size();
    for (String scope : scopes) {
        assert client.getScopes().contains(scope) : "returned scopes failed to contain " + scope;
    }
}
Also used : OA2Client(edu.uiuc.ncsa.security.oauth_2_0.OA2Client) JSONObject(net.sf.json.JSONObject) TypeAttribute(edu.uiuc.ncsa.myproxy.oa4mp.server.admin.things.types.TypeAttribute) OA2ClientKeys(edu.uiuc.ncsa.security.oauth_2_0.OA2ClientKeys) LinkedList(java.util.LinkedList) ActionSet(edu.uiuc.ncsa.myproxy.oa4mp.server.admin.things.actions.ActionSet)

Example 10 with OA2Client

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2Client in project OA4MP by ncsa.

From class ResponseSerializer, method serialize:

protected void serialize(ListClientResponse response, HttpServletResponse servletResponse) throws IOException {
    JSONArray clientIDs = new JSONArray();
    if (response.getClients() != null) {
        for (OA2Client client : response.getClients()) {
            clientIDs.add(client.getIdentifierString());
        }
    }
    PrintWriter pw = servletResponse.getWriter();
    JSONObject json = new JSONObject();
    json.put("status", 0);
    json.put("content", clientIDs);
    pw.println(json);
}
Also used : OA2Client(edu.uiuc.ncsa.security.oauth_2_0.OA2Client) JSONObject(net.sf.json.JSONObject) JSONArray(net.sf.json.JSONArray) PrintWriter(java.io.PrintWriter)