Use of io.jans.as.model.uma.persistence.UmaPermission in project jans by JanssenProject.
The class UmaTokenService, method updatePermissionsWithClientRequestedScope.
/**
 * Widens each permission's scope set with every scope that survived validation.
 * <p>
 * Every key of {@code scopes} is added to every permission regardless of the map value;
 * the boolean (true = client-requested, false = taken from the ticket, per validateScopes)
 * is only logged here. Scopes already on a permission are re-added as a no-op through the
 * intermediate set, client-requested ones are appended. In requestRpt this runs only after
 * policy evaluation has granted access, and the widened permissions are what is then handed
 * to rptService.
 *
 * @param permissions permissions loaded from the ticket; mutated in place
 * @param scopes      validated scopes mapped to whether the client requested them
 */
private void updatePermissionsWithClientRequestedScope(List<UmaPermission> permissions, Map<Scope, Boolean> scopes) {
    log.trace("Updating permissions with requested scopes ...");
    permissions.forEach(permission -> {
        // Deduplicate against the scopes the permission already carries.
        final Set<String> merged = new HashSet<>(permission.getScopeDns());
        scopes.forEach((candidate, requestedByClient) -> {
            log.trace("Updating permissions with scope: {}, isRequestedScope: {}, permisson: {}", candidate.getId(), requestedByClient, permission.getDn());
            merged.add(candidate.getDn());
        });
        permission.setScopeDns(new ArrayList<>(merged));
    });
}
Use of io.jans.as.model.uma.persistence.UmaPermission in project jans by JanssenProject.
The class UmaPermissionService, method changeTicket.
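/**
 * Re-issues the given permissions under a freshly generated ticket.
 * <p>
 * Each permission is removed under its current DN and persisted again under
 * {@code jansTicket=<newTicket>,<parent>} with the new ticket and the supplied attributes.
 * The parent is taken as everything after the first comma of the current DN, so this
 * relies on the ticket RDN value itself containing no comma (holds for generated tickets;
 * a DN without any comma would yield a malformed {@code jansTicket=...,} DN). The
 * remove/persist pair is not atomic: a failure mid-loop can leave some permissions under
 * the old ticket and some under the new one.
 *
 * @param permissions permissions currently bound to one ticket; mutated in place
 * @param attributes  attributes stored on every re-issued permission
 * @return the new ticket value the client has to present next
 */
public String changeTicket(List<UmaPermission> permissions, Map<String, String> attributes) {
    final String newTicket = generateNewTicket();
    for (UmaPermission permission : permissions) {
        final String oldDn = permission.getDn();
        ldapEntryManager.remove(permission);
        // Keep the parent container, swap only the ticket RDN.
        final String newDn = String.format("jansTicket=%s,%s", newTicket, StringUtils.substringAfter(oldDn, ","));
        permission.setTicket(newTicket);
        permission.setDn(newDn);
        permission.setAttributes(attributes);
        ldapEntryManager.persist(permission);
        // Trace level only: the ticket is handed to the client and should not reach
        // production logs. The previous message labelled the new DN as "old permission".
        log.trace("New ticket: {}, old permission dn: {}, new permission dn: {}", newTicket, oldDn, newDn);
    }
    return newTicket;
}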
Use of io.jans.as.model.uma.persistence.UmaPermission in project jans by JanssenProject.
The class UmaRptService, method buildPermissionsJSONObject.
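/**
 * Serialises the still-valid permissions into the JSON array reported for an RPT.
 * <p>
 * For each permission {@code checkExpired()} runs first (presumably it updates the
 * validity state — confirm in UmaPermission), then only permissions reporting
 * {@code isValid()} are converted via {@code ServerUtil.convert}; invalid ones are logged
 * at debug and dropped, and a {@code null} conversion result is skipped as well.
 * The original code called {@code isValid()} a second time and discarded the result;
 * that dead call is gone.
 *
 * @param permissions persisted permissions to report
 * @return JSON array of the converted, valid permissions (possibly empty)
 * @throws IOException   if JSON serialisation fails
 * @throws JSONException if the serialised text cannot be parsed back into a JSONArray
 */
public JSONArray buildPermissionsJSONObject(List<UmaPermission> permissions) throws IOException, JSONException {
    final List<io.jans.as.model.uma.UmaPermission> result = new ArrayList<>();
    for (UmaPermission permission : permissions) {
        // Must precede isValid(): expiry is re-evaluated here before the validity check.
        permission.checkExpired();
        if (!permission.isValid()) {
            log.debug("Ignore permission, skip it in response because permission is not valid. Permission dn: {}", permission.getDn());
            continue;
        }
        final io.jans.as.model.uma.UmaPermission toAdd = ServerUtil.convert(permission, umaScopeService);
        if (toAdd != null) {
            result.add(toAdd);
        }
    }
    return new JSONArray(ServerUtil.asJson(result));
}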
Use of io.jans.as.model.uma.persistence.UmaPermission in project jans by JanssenProject.
The class UmaValidationService, method validateScopes.
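/**
 * Resolves the candidate scope set for an RPT request.
 * <p>
 * The {@code scope} request parameter is URL-decoded and split on single spaces. Each
 * requested id is resolved through {@code umaScopeService.getOrCreate} against the scopes
 * of the resources the ticket's permissions point at; ids resolving to {@code null} are
 * dropped with a trace message, and blank tokens (e.g. from a doubled space) are skipped
 * before lookup. Afterwards every scope already attached to the ticket's permissions is
 * added. Because the ticket loop runs last, a scope present in both sets ends up mapped
 * to {@code false}.
 * <p>
 * NOTE(review): the name {@code getOrCreate} suggests an unknown, client-supplied scope id
 * may be created rather than rejected — confirm what it does with ids outside
 * {@code resourceScopes}, since the input is attacker-controlled.
 *
 * @param scope       scope string from the token request; may be null or blank
 * @param permissions permissions loaded from the ticket
 * @param client      requesting client, passed through to scope resolution
 * @return map of loaded scope and boolean, true - if client requested scope and false if it is permission ticket scope
 * @throws WebApplicationException built by errorResponseFactory (BAD_REQUEST / invalid_scope) when no scope remains
 */
public Map<Scope, Boolean> validateScopes(String scope, List<UmaPermission> permissions, Client client) {
    scope = ServerUtil.urlDecode(scope);
    final String[] scopesRequested = StringUtils.isNotBlank(scope) ? scope.split(" ") : new String[0];
    final Map<Scope, Boolean> result = new HashMap<>();
    if (ArrayUtils.isNotEmpty(scopesRequested)) {
        // Only scopes registered on the ticket's resources are eligible for a client request.
        final Set<String> resourceScopes = resourceService.getResourceScopes(
                permissions.stream().map(UmaPermission::getResourceId).collect(Collectors.toSet()));
        for (String scopeId : scopesRequested) {
            if (StringUtils.isBlank(scopeId)) {
                continue; // "a  b" splits into an empty token; never look that up or create it
            }
            final Scope ldapScope = umaScopeService.getOrCreate(client, scopeId, resourceScopes);
            if (ldapScope != null) {
                result.put(ldapScope, true);
            } else {
                log.trace("Skip requested scope because it's not allowed, scope: {}", scopeId);
            }
        }
    }
    // Ticket scopes are always candidates. This runs after the client loop, so an overlap
    // is reported as a ticket scope (false) — confirm that is the intended precedence.
    for (UmaPermission permission : permissions) {
        for (Scope s : umaScopeService.getScopesByDns(permission.getScopeDns())) {
            result.put(s, false);
        }
    }
    if (result.isEmpty()) {
        log.error("There are no any scopes requested in the request.");
        throw errorResponseFactory.createWebApplicationException(BAD_REQUEST, UmaErrorResponseType.INVALID_SCOPE, "There are no any scopes requested in give request.");
    }
    if (log.isTraceEnabled()) {
        log.trace("CandidateGrantedScopes: {}", Joiner.on(", ").join(Iterables.transform(result.keySet(), Scope::getId)));
    }
    return result;
}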
Use of io.jans.as.model.uma.persistence.UmaPermission in project jans by JanssenProject.
The class UmaTokenService, method requestRpt.
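/**
 * UMA token endpoint: exchanges a permission ticket (plus optional claim token, PCT and
 * existing RPT) for an RPT.
 * <p>
 * Order of operations: validate grant type, ticket, claim token, PCT, RPT and the session
 * client; compute candidate scopes; update (or create) the PCT; collect the policy scripts
 * guarding those scopes and evaluate them. When no script guards any scope, access is
 * granted only if {@code umaGrantAccessIfNoPolicies} is true, otherwise a FORBIDDEN error
 * is thrown. On success the permissions are widened with the client-requested scopes and
 * bound to the PCT; then either a new RPT is created, or the permissions are added to the
 * presented RPT and {@code upgraded} is set.
 * <p>
 * Error handling: web exceptions (the validation errors) are re-thrown unchanged; any other
 * exception — including an NPE from {@code identity.getSessionClient()} being null — is
 * logged and becomes a generic 500 via errorResponseFactory.
 * <p>
 * The entry trace log records only whether claim token, PCT and RPT are present, not
 * their values: all three are credentials and must not land in log files. Ticket and scope
 * are still logged for request correlation.
 *
 * @return 200 with the serialised UmaTokenResponse, or an error response built by errorResponseFactory
 */
public Response requestRpt(String grantType, String ticket, String claimToken, String claimTokenFormat, String pctCode, String rptCode, String scope, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
    try {
        // Credential-bearing parameters are reduced to presence markers; see Javadoc.
        log.trace("requestRpt grant_type: {}, ticket: {}, claim_token: {}, claim_token_format: {}, pct: {}, rpt: {}, scope: {}",
                grantType, ticket,
                claimToken != null ? "<present>" : null,
                claimTokenFormat,
                pctCode != null ? "<present>" : null,
                rptCode != null ? "<present>" : null,
                scope);
        umaValidationService.validateGrantType(grantType);
        List<UmaPermission> permissions = umaValidationService.validateTicket(ticket);
        Jwt idToken = umaValidationService.validateClaimToken(claimToken, claimTokenFormat);
        UmaPCT pct = umaValidationService.validatePct(pctCode);
        UmaRPT rpt = umaValidationService.validateRPT(rptCode);
        Client client = umaValidationService.validate(identity.getSessionClient().getClient());
        Map<Scope, Boolean> scopes = umaValidationService.validateScopes(scope, permissions, client);
        // creates new pct if pct is null in request
        pct = pctService.updateClaims(pct, idToken, client.getClientId(), permissions);
        Claims claims = new Claims(idToken, pct, claimToken);
        Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap = umaNeedsInfoService.checkNeedsInfo(claims, scopes, permissions, pct, httpRequest, client);
        if (!scriptMap.isEmpty()) {
            // Policy scripts decide; evaluate() is expected to throw when access is refused.
            expressionService.evaluate(scriptMap, permissions);
        } else {
            // No policy protects any candidate scope: fail closed unless explicitly configured otherwise.
            if (log.isWarnEnabled())
                log.warn("There are no any policies that protects scopes. Scopes: {}. Configuration property umaGrantAccessIfNoPolicies: {}", UmaScopeService.asString(scopes.keySet()), appConfiguration.getUmaGrantAccessIfNoPolicies());
            if (appConfiguration.getUmaGrantAccessIfNoPolicies() != null && appConfiguration.getUmaGrantAccessIfNoPolicies()) {
                log.warn("Access granted because there are no any protection. Make sure it is intentional behavior.");
            } else {
                log.warn("Access denied because there are no any protection. Make sure it is intentional behavior.");
                throw errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Access denied because there are no any protection. Make sure it is intentional behavior.");
            }
        }
        log.trace("Access granted.");
        // Only now, after the policy decision, are client-requested scopes written onto the permissions.
        updatePermissionsWithClientRequestedScope(permissions, scopes);
        addPctToPermissions(permissions, pct);
        boolean upgraded = false;
        if (rpt == null) {
            ExecutionContext executionContext = new ExecutionContext(httpRequest, httpResponse);
            executionContext.setClient(client);
            rpt = rptService.createRPTAndPersist(executionContext, permissions);
            rptCode = rpt.getNotHashedCode();
        } else if (rptService.addPermissionToRPT(rpt, permissions)) {
            upgraded = true;
        }
        UmaTokenResponse response = new UmaTokenResponse();
        response.setAccessToken(rptCode);
        response.setUpgraded(upgraded);
        response.setTokenType("Bearer");
        response.setPct(pct.getCode());
        return Response.ok(ServerUtil.asJson(response)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
    }
    // Reached only for non-web exceptions swallowed above: surface a generic server error.
    log.error("Failed to handle request to UMA Token Endpoint.");
    throw errorResponseFactory.createWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR, UmaErrorResponseType.SERVER_ERROR, "Failed to handle request to UMA Token Endpoint.");
}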