Example 6 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

the class PermissionTicketServiceTest method create_errorMultipleResource_missingScope.

@Test
public void create_errorMultipleResource_missingScope() {
    // Prepare request
    List<PermissionRequest> request = Arrays.asList(
            new PermissionRequest().setResourceId("one").setResourceScopes(Arrays.asList("a", "b")),
            new PermissionRequest().setResourceId("two").setResourceScopes(Arrays.asList("c", "d")));
    // Prepare Resource
    Flowable<Resource> found = Flowable.just(
            new Resource().setId("one").setResourceScopes(Arrays.asList("a", "b")),
            new Resource().setId("two").setResourceScopes(Arrays.asList("not", "same")));
    when(resourceService.findByDomainAndClientAndResources(DOMAIN_ID, CLIENT_ID, Arrays.asList("one", "two"))).thenReturn(found);
    TestObserver<PermissionTicket> testObserver = service.create(request, DOMAIN_ID, CLIENT_ID).test();
    testObserver.assertNotComplete();
    testObserver.assertError(err -> ((InvalidPermissionRequestException) err).getOAuth2ErrorCode().equals("invalid_scope"));
    verify(repository, times(0)).create(any());
}
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) PermissionTicket(io.gravitee.am.model.uma.PermissionTicket) Resource(io.gravitee.am.model.uma.Resource) InvalidPermissionRequestException(io.gravitee.am.service.exception.InvalidPermissionRequestException) Test(org.junit.Test)

Example 7 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

the class PermissionTicketServiceTest method create_errorMultipleResource_moreThanOneResourceOwner.

@Test
public void create_errorMultipleResource_moreThanOneResourceOwner() {
    // Prepare request
    List<PermissionRequest> request = Arrays.asList(
            new PermissionRequest().setResourceId("one").setResourceScopes(Arrays.asList("a", "b")),
            new PermissionRequest().setResourceId("two").setResourceScopes(Arrays.asList("c", "d")));
    // Prepare Resource
    Flowable<Resource> found = Flowable.fromIterable(request)
            .map(s -> new Resource()
                    .setId(s.getResourceId())
                    .setResourceScopes(s.getResourceScopes())
                    .setUserId("user_" + s.getResourceId()));
    when(resourceService.findByDomainAndClientAndResources(DOMAIN_ID, CLIENT_ID, Arrays.asList("one", "two"))).thenReturn(found);
    TestObserver<PermissionTicket> testObserver = service.create(request, DOMAIN_ID, CLIENT_ID).test();
    testObserver.assertNotComplete();
    testObserver.assertError(err -> ((InvalidPermissionRequestException) err).getOAuth2ErrorCode().equals("invalid_resource_id"));
    verify(repository, times(0)).create(any());
}
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) PermissionTicket(io.gravitee.am.model.uma.PermissionTicket) Resource(io.gravitee.am.model.uma.Resource) InvalidPermissionRequestException(io.gravitee.am.service.exception.InvalidPermissionRequestException) Test(org.junit.Test)

Example 8 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

the class UMATokenGranter method executePolicies.

/**
 * The resource owner works with the authorization server to configure policy conditions (authorization grant rules), which the authorization server executes in the process of issuing access tokens.
 * The authorization process makes use of claims gathered from the requesting party and client in order to satisfy all operative policy conditions.
 * @param oAuth2Request OAuth 2.0 Token Request
 * @param client client
 * @param endUser requesting party
 * @return the OAuth 2.0 request when no policy is registered or every policy condition is met, otherwise an InvalidGrantException error
 */
private Single<OAuth2Request> executePolicies(OAuth2Request oAuth2Request, Client client, User endUser) {
    List<PermissionRequest> permissionRequests = oAuth2Request.getPermissions();
    if (permissionRequests == null || permissionRequests.isEmpty()) {
        return Single.just(oAuth2Request);
    }
    List<String> resourceIds = permissionRequests.stream().map(PermissionRequest::getResourceId).collect(Collectors.toList());
    // find access policies for the given resources
    return resourceService.findAccessPoliciesByResources(resourceIds).map(accessPolicy -> {
        Rule rule = new DefaultRule(accessPolicy);
        Optional<PermissionRequest> permission = permissionRequests.stream().filter(permissionRequest -> permissionRequest.getResourceId().equals(accessPolicy.getResource())).findFirst();
        if (permission.isPresent()) {
            ((DefaultRule) rule).setMetadata(Collections.singletonMap("permissionRequest", permission.get()));
        }
        return rule;
    }).toList().flatMap(rules -> {
        // no policy registered, continue
        if (rules.isEmpty()) {
            return Single.just(oAuth2Request);
        }
        // prepare the execution context
        ExecutionContext simpleExecutionContext = new SimpleExecutionContext(oAuth2Request, oAuth2Request.getHttpResponse());
        ExecutionContext executionContext = executionContextFactory.create(simpleExecutionContext);
        executionContext.setAttribute("client", new ClientProperties(client));
        if (endUser != null) {
            executionContext.setAttribute("user", new UserProperties(endUser));
        }
        // execute the policies
        return rulesEngine.fire(rules, executionContext)
                .toSingleDefault(oAuth2Request)
                .onErrorResumeNext(ex -> Single.error(new InvalidGrantException("Policy conditions are not met for actual request parameters")));
    });
}
Also used : DefaultRule(io.gravitee.am.gateway.handler.uma.policy.DefaultRule) PermissionTicket(io.gravitee.am.model.uma.PermissionTicket) ResourceService(io.gravitee.am.service.ResourceService) java.util(java.util) Client(io.gravitee.am.model.oidc.Client) MultiValueMap(io.gravitee.common.util.MultiValueMap) Maybe(io.reactivex.Maybe) InvalidTokenException(io.gravitee.am.common.exception.oauth2.InvalidTokenException) TokenService(io.gravitee.am.gateway.handler.oauth2.service.token.TokenService) TechnicalException(io.gravitee.am.repository.exceptions.TechnicalException) InvalidScopeException(io.gravitee.am.gateway.handler.oauth2.exception.InvalidScopeException) Single(io.reactivex.Single) JWTService(io.gravitee.am.gateway.handler.common.jwt.JWTService) RulesEngine(io.gravitee.am.gateway.handler.uma.policy.RulesEngine) JsonObject(io.vertx.core.json.JsonObject) Rule(io.gravitee.am.gateway.handler.uma.policy.Rule) PermissionTicketService(io.gravitee.am.service.PermissionTicketService) TokenType(io.gravitee.am.common.oauth2.TokenType) User(io.gravitee.am.model.User) ExecutionContextFactory(io.gravitee.am.gateway.handler.context.ExecutionContextFactory) InvalidGrantException(io.gravitee.am.gateway.handler.oauth2.exception.InvalidGrantException) GrantType(io.gravitee.am.common.oauth2.GrantType) ClientProperties(io.gravitee.am.model.safe.ClientProperties) PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) ExecutionContext(io.gravitee.gateway.api.ExecutionContext) JWT(io.gravitee.am.common.jwt.JWT) UserAuthenticationManager(io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationManager) TokenRequest(io.gravitee.am.gateway.handler.oauth2.service.request.TokenRequest) UmaException(io.gravitee.am.common.exception.uma.UmaException) Domain(io.gravitee.am.model.Domain) AbstractTokenGranter(io.gravitee.am.gateway.handler.oauth2.service.granter.AbstractTokenGranter) Resource(io.gravitee.am.model.uma.Resource) UserInvalidException(io.gravitee.am.service.exception.UserInvalidException) Collectors(java.util.stream.Collectors) Stream(java.util.stream.Stream) RequiredClaims(io.gravitee.am.common.exception.uma.RequiredClaims) Token(io.gravitee.am.gateway.handler.oauth2.service.token.Token) ApplicationScopeSettings(io.gravitee.am.model.application.ApplicationScopeSettings) UserProperties(io.gravitee.am.model.safe.UserProperties) OAuth2Request(io.gravitee.am.gateway.handler.oauth2.service.request.OAuth2Request) SimpleExecutionContext(io.gravitee.gateway.api.context.SimpleExecutionContext) Parameters(io.gravitee.am.common.oauth2.Parameters) StringUtils(org.springframework.util.StringUtils)

Example 9 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

the class UMATokenGranter method convert.

private Map<String, PermissionRequest> convert(List<HashMap> permissions) {
    Map<String, PermissionRequest> result = new LinkedHashMap<>(permissions.size());
    for (HashMap permission : permissions) {
        JsonObject json = new JsonObject(permission);
        PermissionRequest permissionRequest = json.mapTo(PermissionRequest.class);
        result.put(permissionRequest.getResourceId(), permissionRequest);
    }
    return result;
}
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) JsonObject(io.vertx.core.json.JsonObject)

Example 10 with PermissionRequest

use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.

the class TokenServiceTest method shouldCreateWithPermissions.

@Test
public void shouldCreateWithPermissions() {
    OAuth2Request oAuth2Request = new OAuth2Request();
    oAuth2Request.setPermissions(Arrays.asList(new PermissionRequest().setResourceId("rs_one")));
    Client client = new Client();
    client.setClientId("my-client-id");
    ExecutionContext executionContext = mock(ExecutionContext.class);
    ArgumentCaptor<JWT> jwtCaptor = ArgumentCaptor.forClass(JWT.class);
    when(jwtService.encode(jwtCaptor.capture(), any(Client.class))).thenReturn(Single.just(""));
    when(tokenEnhancer.enhance(any(), any(), any(), any(), any())).thenReturn(Single.just(new AccessToken("token-id")));
    when(executionContextFactory.create(any())).thenReturn(executionContext);
    doNothing().when(tokenManager).storeAccessToken(any());
    TestObserver<Token> testObserver = tokenService.create(oAuth2Request, client, null).test();
    testObserver.assertComplete();
    testObserver.assertNoErrors();
    JWT jwt = jwtCaptor.getValue();
    assertTrue(jwt != null && jwt.get("permissions") != null);
    verify(tokenManager, times(1)).storeAccessToken(any());
    verify(accessTokenRepository, never()).delete(anyString());
    verify(refreshTokenRepository, never()).delete(anyString());
}
Also used : PermissionRequest(io.gravitee.am.model.uma.PermissionRequest) OAuth2Request(io.gravitee.am.gateway.handler.oauth2.service.request.OAuth2Request) ExecutionContext(io.gravitee.gateway.api.ExecutionContext) ReactableExecutionContext(io.gravitee.am.gateway.handler.context.ReactableExecutionContext) JWT(io.gravitee.am.common.jwt.JWT) AccessToken(io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken) RefreshToken(io.gravitee.am.repository.oauth2.model.RefreshToken) AccessToken(io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken) Client(io.gravitee.am.model.oidc.Client) Test(org.junit.Test)
