
Example 1 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

In class TokenServiceImpl, method createJWT.

/**
 * Builds the base JWT for a token issued in response to {@code oAuth2Request}.
 *
 * <p>Claims set here: {@code iss} (resolved by the discovery service from the request
 * origin), {@code sub} (the client id for client-only requests, otherwise the user id),
 * {@code aud} (the requesting client id), {@code domain} (the client's domain),
 * {@code iat} (current time in epoch seconds) and a random {@code jti}. Requested scopes,
 * when present, are joined with a single space into the {@code scope} claim; UMA 2.0
 * permission requests, when present, are stored as-is under the {@code "permissions"} claim.
 *
 * @param oAuth2Request the token request supplying origin, client id, scopes and UMA permissions
 * @param client the requesting client; supplies the domain and, for client-only requests, the subject
 * @param user the resource owner; only dereferenced when the request is not client-only
 *             (presumably may be null for client-only requests — confirm against callers)
 * @return a freshly created JWT carrying the claims above
 */
private JWT createJWT(OAuth2Request oAuth2Request, Client client, User user) {
    final String issuer = openIDDiscoveryService.getIssuer(oAuth2Request.getOrigin());
    // Client credentials style requests have no end user: the client itself is the subject.
    final String subject = oAuth2Request.isClientOnly()
            ? client.getClientId()
            : user.getId();

    JWT token = new JWT();
    token.setIss(issuer);
    token.setSub(subject);
    token.setAud(oAuth2Request.getClientId());
    token.setDomain(client.getDomain());
    token.setIat(Instant.now().getEpochSecond());
    // Unique token id; backed by a secure random source so ids cannot be guessed.
    token.setJti(SecureRandomString.generate());

    // scope claim: space separated, omitted entirely when nothing was requested
    final Set<String> requestedScopes = oAuth2Request.getScopes();
    final boolean hasScopes = requestedScopes != null && !requestedScopes.isEmpty();
    if (hasScopes) {
        token.setScope(String.join(" ", requestedScopes));
    }

    // UMA 2.0: the granted permission requests travel inside the RPT under "permissions"
    final List<PermissionRequest> umaPermissions = oAuth2Request.getPermissions();
    final boolean hasPermissions = umaPermissions != null && !umaPermissions.isEmpty();
    if (hasPermissions) {
        token.put("permissions", umaPermissions);
    }
    return token;
}
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) JWT(io.gravitee.am.common.jwt.JWT) SecureRandomString(io.gravitee.am.common.utils.SecureRandomString) RandomString(io.gravitee.am.common.utils.RandomString)

Example 2 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

In class UmaTokenGranterTest, method setUp.

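/**
 * Builds the UMA grant fixture shared by the tests of this class.
 *
 * <p>Request side: a token request carrying a permission ticket ({@code TICKET_ID}) and the
 * requesting party's claim token ({@code RQP_ID_TOKEN}, declared as an ID token). The ticket
 * resolves to permission requests for {@code RS_ONE} and {@code RS_TWO}, each asking for
 * {@code scopeA}. A previously issued RPT ({@code RPT_OLD_TOKEN}) is mocked as already holding
 * {@code scopeB} on {@code RS_ONE}, in the plain-map form the claim takes once serialized.
 *
 * <p>Mocks: UMA is enabled on the domain; the client allows scopes A–D and the UMA and
 * refresh-token grants; the claim token and the old RPT both decode to subject {@code USER_ID}
 * (the old RPT's audience being {@code CLIENT_ID}); both resources exist with their scope sets;
 * token creation succeeds and no access policies are attached to the resources.
 */
@Before
public void setUp() {
    // Init parameters
    parameters.add(TICKET, TICKET_ID);
    parameters.add(CLAIM_TOKEN, RQP_ID_TOKEN);
    parameters.add(CLAIM_TOKEN_FORMAT, TokenType.ID_TOKEN);
    tokenRequest = new TokenRequest();
    tokenRequest.setParameters(parameters);
    // Scope lists are mutable copies — presumably the granter narrows them in place; keep ArrayList.
    List<PermissionRequest> permissions = Arrays.asList(
            new PermissionRequest().setResourceId(RS_ONE).setResourceScopes(new ArrayList<>(Arrays.asList("scopeA"))),
            new PermissionRequest().setResourceId(RS_TWO).setResourceScopes(new ArrayList<>(Arrays.asList("scopeA"))));
    // Permission already granted by the old RPT, shaped like the deserialized JWT claim (typed, no raw Map)
    Map<String, Object> permission = new HashMap<>();
    permission.put("resourceId", RS_ONE);
    permission.put("resourceScopes", Arrays.asList("scopeB"));
    // Init mocks
    when(domain.getUma()).thenReturn(new UMASettings().setEnabled(true));
    when(client.getClientId()).thenReturn(CLIENT_ID);
    when(client.getScopeSettings()).thenReturn(Arrays.asList(
            new ApplicationScopeSettings("scopeA"),
            new ApplicationScopeSettings("scopeB"),
            new ApplicationScopeSettings("scopeC"),
            new ApplicationScopeSettings("scopeD")));
    when(client.getAuthorizedGrantTypes()).thenReturn(Arrays.asList(GrantType.UMA, GrantType.REFRESH_TOKEN));
    when(user.getId()).thenReturn(USER_ID);
    when(jwt.getSub()).thenReturn(USER_ID);
    // The old RPT must belong to the same user and have been issued to this client
    when(rpt.getSub()).thenReturn(USER_ID);
    when(rpt.getAud()).thenReturn(CLIENT_ID);
    when(rpt.get("permissions")).thenReturn(new LinkedList<>(Arrays.asList(permission)));
    when(jwtService.decodeAndVerify(RQP_ID_TOKEN, client)).thenReturn(Single.just(jwt));
    when(jwtService.decodeAndVerify(RPT_OLD_TOKEN, client)).thenReturn(Single.just(rpt));
    when(userAuthenticationManager.loadPreAuthenticatedUser(USER_ID, tokenRequest)).thenReturn(Maybe.just(user));
    // Consuming the ticket is what yields the permission requests; a ticket is single use
    when(permissionTicketService.remove(TICKET_ID)).thenReturn(Single.just(new PermissionTicket().setId(TICKET_ID).setPermissionRequest(permissions)));
    when(resourceService.findByResources(Arrays.asList(RS_ONE, RS_TWO))).thenReturn(Flowable.just(
            new Resource().setId(RS_ONE).setResourceScopes(Arrays.asList("scopeA", "scopeB", "scopeC")),
            new Resource().setId(RS_TWO).setResourceScopes(Arrays.asList("scopeA", "scopeB", "scopeD"))));
    when(tokenService.create(oauth2RequestCaptor.capture(), eq(client), any())).thenReturn(Single.just(new AccessToken("success")));
    when(resourceService.findAccessPoliciesByResources(anyList())).thenReturn(Flowable.empty());
}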
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) PermissionTicket(io.gravitee.am.model.uma.PermissionTicket) AccessToken(io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken) TokenRequest(io.gravitee.am.gateway.handler.oauth2.service.request.TokenRequest) ApplicationScopeSettings(io.gravitee.am.model.application.ApplicationScopeSettings) Resource(io.gravitee.am.model.uma.Resource) MultiValueMap(io.gravitee.common.util.MultiValueMap) LinkedMultiValueMap(io.gravitee.common.util.LinkedMultiValueMap) UMASettings(io.gravitee.am.model.uma.UMASettings) Before(org.junit.Before)

Example 3 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

In class PermissionTicketServiceTest, method create_errorSingleResource_missingResource.

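/**
 * A permission request naming a resource the resource service does not know must be rejected
 * with the {@code invalid_resource_id} error code and no ticket may be persisted.
 *
 * <p>The error predicate checks the exception type before casting so that an unexpected
 * exception type fails the assertion cleanly instead of surfacing as a ClassCastException.
 */
@Test
public void create_errorSingleResource_missingResource() {
    // Prepare request & resource
    List<PermissionRequest> request = Arrays.asList(new PermissionRequest().setResourceId("one").setResourceScopes(Arrays.asList("a", "b")));
    // The lookup is scoped to domain and client: a resource of another client is "missing" as well
    when(resourceService.findByDomainAndClientAndResources(DOMAIN_ID, CLIENT_ID, Arrays.asList("one"))).thenReturn(Flowable.empty());
    TestObserver<PermissionTicket> testObserver = service.create(request, DOMAIN_ID, CLIENT_ID).test();
    testObserver.assertNotComplete();
    testObserver.assertError(err -> err instanceof InvalidPermissionRequestException
            && "invalid_resource_id".equals(((InvalidPermissionRequestException) err).getOAuth2ErrorCode()));
    verify(repository, times(0)).create(any());
}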
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) PermissionTicket(io.gravitee.am.model.uma.PermissionTicket) InvalidPermissionRequestException(io.gravitee.am.service.exception.InvalidPermissionRequestException) Test(org.junit.Test)

Example 4 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

In class PermissionTicketServiceTest, method create_successMultipleResources.

/**
 * Two well-formed permission requests for two distinct resources, both of which exist and
 * carry exactly the requested scopes, must produce a single persisted ticket.
 */
@Test
public void create_successMultipleResources() {
    PermissionRequest first = new PermissionRequest().setResourceId("one").setResourceScopes(Arrays.asList("a", "b"));
    PermissionRequest second = new PermissionRequest().setResourceId("two").setResourceScopes(Arrays.asList("c", "d"));
    List<PermissionRequest> request = Arrays.asList(first, second);
    // Every requested resource is found, exposing precisely the scopes that were asked for
    Flowable<Resource> found = Flowable.fromIterable(request)
            .map(pr -> new Resource().setId(pr.getResourceId()).setResourceScopes(pr.getResourceScopes()));
    when(resourceService.findByDomainAndClientAndResources(DOMAIN_ID, CLIENT_ID, Arrays.asList("one", "two"))).thenReturn(found);
    when(repository.create(any())).thenReturn(Single.just(new PermissionTicket().setId("success")));

    TestObserver<PermissionTicket> observer = service.create(request, DOMAIN_ID, CLIENT_ID).test();
    observer.assertNoErrors();
    observer.assertComplete();
    observer.assertValue(ticket -> "success".equals(ticket.getId()));
    // Exactly one ticket is written for the whole request, not one per resource
    verify(repository, times(1)).create(any());
}
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) PermissionTicket(io.gravitee.am.model.uma.PermissionTicket) Resource(io.gravitee.am.model.uma.Resource) Test(org.junit.Test)

Example 5 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

In class PermissionTicketServiceTest, method create_errorSingleResource_missingScope.

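/**
 * A permission request asking for scopes the (existing) resource does not expose must be
 * rejected with the {@code invalid_scope} error code and no ticket may be persisted.
 *
 * <p>The error predicate checks the exception type before casting so that an unexpected
 * exception type fails the assertion cleanly instead of surfacing as a ClassCastException.
 */
@Test
public void create_errorSingleResource_missingScope() {
    // Prepare request & resource
    List<PermissionRequest> request = Arrays.asList(new PermissionRequest().setResourceId("one").setResourceScopes(Arrays.asList("a", "b")));
    // The resource exists but none of the requested scopes ("a", "b") are registered on it
    when(resourceService.findByDomainAndClientAndResources(DOMAIN_ID, CLIENT_ID, Arrays.asList("one"))).thenReturn(Flowable.just(new Resource().setId("one").setResourceScopes(Arrays.asList("not", "same"))));
    TestObserver<PermissionTicket> testObserver = service.create(request, DOMAIN_ID, CLIENT_ID).test();
    testObserver.assertNotComplete();
    testObserver.assertError(err -> err instanceof InvalidPermissionRequestException
            && "invalid_scope".equals(((InvalidPermissionRequestException) err).getOAuth2ErrorCode()));
    verify(repository, times(0)).create(any());
}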
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) PermissionTicket(io.gravitee.am.model.uma.PermissionTicket) Resource(io.gravitee.am.model.uma.Resource) InvalidPermissionRequestException(io.gravitee.am.service.exception.InvalidPermissionRequestException) Test(org.junit.Test)

Aggregations

PermissionRequest (io.gravitee.am.model.uma.PermissionRequest)16 PermissionTicket (io.gravitee.am.model.uma.PermissionTicket)12 Test (org.junit.Test)11 Resource (io.gravitee.am.model.uma.Resource)10 InvalidPermissionRequestException (io.gravitee.am.service.exception.InvalidPermissionRequestException)6 JWT (io.gravitee.am.common.jwt.JWT)4 TokenRequest (io.gravitee.am.gateway.handler.oauth2.service.request.TokenRequest)3 AccessToken (io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken)3 Client (io.gravitee.am.model.oidc.Client)3 OAuth2Request (io.gravitee.am.gateway.handler.oauth2.service.request.OAuth2Request)2 RefreshToken (io.gravitee.am.repository.oauth2.model.RefreshToken)2 PermissionTicketService (io.gravitee.am.service.PermissionTicketService)2 ResourceService (io.gravitee.am.service.ResourceService)2 ExecutionContext (io.gravitee.gateway.api.ExecutionContext)2 Maybe (io.reactivex.Maybe)2 Single (io.reactivex.Single)2 JsonObject (io.vertx.core.json.JsonObject)2 ArrayList (java.util.ArrayList)2 Date (java.util.Date)2 Collectors (java.util.stream.Collectors)2