Example 1 with UmaAuthorizationContext

Use of io.jans.as.server.uma.authorization.UmaAuthorizationContext in project jans by JanssenProject.

From class UmaNeedsInfoService, method checkNeedsInfo.

public Map<UmaScriptByScope, UmaAuthorizationContext> checkNeedsInfo(Claims claims, Map<Scope, Boolean> requestedScopes, List<UmaPermission> permissions, UmaPCT pct, HttpServletRequest httpRequest, Client client) {
    // One authorization context per (scope, policy script) pair; the caller evaluates these policies.
    Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap = new HashMap<>();
    // Attributes written onto the re-issued ticket when claims are still missing (gathering script id, PCT).
    Map<String, String> ticketAttributes = new HashMap<>();
    List<ClaimDefinition> missedClaims = new ArrayList<>();
    UmaAuthorizationContextBuilder contextBuilder = new UmaAuthorizationContextBuilder(appConfiguration, resourceService, permissions, requestedScopes, claims, httpRequest, sessionService, permissionService, client);
    for (Scope scope : requestedScopes.keySet()) {
        List<String> authorizationPolicies = scope.getUmaAuthorizationPolicies();
        if (authorizationPolicies != null && !authorizationPolicies.isEmpty()) {
            for (String scriptDN : authorizationPolicies) {
                CustomScriptConfiguration script = policyService.getScriptByDn(scriptDN);
                if (script != null) {
                    UmaAuthorizationContext context = contextBuilder.build(script);
                    scriptMap.put(new UmaScriptByScope(scope, script), context);
                    // Ask the policy script which claims it needs and record those the requester has not supplied.
                    List<ClaimDefinition> requiredClaims = policyService.getRequiredClaims(script, context);
                    if (requiredClaims != null && !requiredClaims.isEmpty()) {
                        for (ClaimDefinition definition : requiredClaims) {
                            if (!claims.has(definition.getName())) {
                                missedClaims.add(definition);
                            }
                        }
                    }
                    // A policy script may name a claims-gathering script; names from several scripts are combined into one ticket attribute.
                    String claimsGatheringScriptName = policyService.getClaimsGatheringScriptName(script, context);
                    if (StringUtils.isNotBlank(claimsGatheringScriptName)) {
                        ticketAttributes.put(UmaConstants.GATHERING_ID, constructGatheringScriptNameValue(ticketAttributes.get(UmaConstants.GATHERING_ID), claimsGatheringScriptName));
                    } else {
                        log.debug("External 'getClaimsGatheringScriptName' script method return null or blank value, script: {}", script.getName());
                    }
                } else {
                    // A referenced script that cannot be loaded contributes no policy; the failure is only logged,
                    // so a scope whose every script fails to load ends up with no policy at all.
                    log.error("Unable to load UMA script dn: '{}'", scriptDN);
                }
            }
        } else {
            log.trace("No policies defined for scope: {}, scopeDn: {}", scope.getId(), scope.getDn());
        }
    }
    if (!missedClaims.isEmpty()) {
        // UMA 2.0 need_info flow: bind the PCT to a fresh ticket and answer 403 with the still-required claims
        // and a redirect_user URI for interactive claims gathering.
        ticketAttributes.put(UmaPermission.PCT, pct.getCode());
        String newTicket = permissionService.changeTicket(permissions, ticketAttributes);
        UmaNeedInfoResponse needInfoResponse = new UmaNeedInfoResponse();
        needInfoResponse.setTicket(newTicket);
        needInfoResponse.setError("need_info");
        needInfoResponse.setRedirectUser(buildClaimsGatheringRedirectUri(scriptMap.values(), client, newTicket));
        needInfoResponse.setRequiredClaims(missedClaims);
        throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(ServerUtil.asJsonSilently(needInfoResponse)).build());
    }
    return scriptMap;
}
Also used:
UmaNeedInfoResponse (io.jans.as.model.uma.UmaNeedInfoResponse)
WebApplicationException (javax.ws.rs.WebApplicationException)
UmaAuthorizationContext (io.jans.as.server.uma.authorization.UmaAuthorizationContext)
UmaAuthorizationContextBuilder (io.jans.as.server.uma.authorization.UmaAuthorizationContextBuilder)
UmaScriptByScope (io.jans.as.server.uma.authorization.UmaScriptByScope)
Scope (io.jans.as.persistence.model.Scope)
ClaimDefinition (io.jans.model.uma.ClaimDefinition)
CustomScriptConfiguration (io.jans.model.custom.script.conf.CustomScriptConfiguration)
HashMap (java.util.HashMap)
ArrayList (java.util.ArrayList)

Example 2 with UmaAuthorizationContext

Use of io.jans.as.server.uma.authorization.UmaAuthorizationContext in project jans by JanssenProject.

From class UmaNeedsInfoService, method buildClaimsGatheringRedirectUri.

private String buildClaimsGatheringRedirectUri(Collection<UmaAuthorizationContext> contexts, Client client, String newTicket) {
    // Collect the redirect_user query parameters contributed by every policy script.
    StringBuilder queryParametersBuilder = new StringBuilder();
    for (UmaAuthorizationContext context : contexts) {
        queryParametersBuilder.append(context.getRedirectUserParameters().buildQueryString()).append("&");
    }
    String queryParameters = StringUtils.removeEnd(queryParametersBuilder.toString(), "&");
    String result = appConfiguration.getBaseEndpoint() + "/uma/gather_claims";
    // client_id and ticket are always appended, so the URI must start its query with "?" even when
    // no script contributed parameters (the original appended "&client_id=..." directly after the path in that case).
    if (StringUtils.isNotBlank(queryParameters)) {
        result += "?" + queryParameters + "&";
    } else {
        result += "?";
    }
    // client_id and the ticket are server-issued values; they are appended without URL-encoding.
    result += "client_id=" + client.getClientId() + "&ticket=" + newTicket;
    return result;
}
Also used:
UmaAuthorizationContext (io.jans.as.server.uma.authorization.UmaAuthorizationContext)

Example 3 with UmaAuthorizationContext

Use of io.jans.as.server.uma.authorization.UmaAuthorizationContext in project jans by JanssenProject.

From class UmaTokenService, method requestRpt.

public Response requestRpt(String grantType, String ticket, String claimToken, String claimTokenFormat, String pctCode, String rptCode, String scope, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
    try {
        // Note: this trace line writes the claim token, PCT and RPT codes (credential material) to the log.
        log.trace("requestRpt grant_type: {}, ticket: {}, claim_token: {}, claim_token_format: {}, pct: {}, rpt: {}, scope: {}", grantType, ticket, claimToken, claimTokenFormat, pctCode, rptCode, scope);
        // Every inbound parameter is validated before any state is touched; each validator throws on failure.
        umaValidationService.validateGrantType(grantType);
        List<UmaPermission> permissions = umaValidationService.validateTicket(ticket);
        Jwt idToken = umaValidationService.validateClaimToken(claimToken, claimTokenFormat);
        UmaPCT pct = umaValidationService.validatePct(pctCode);
        UmaRPT rpt = umaValidationService.validateRPT(rptCode);
        Client client = umaValidationService.validate(identity.getSessionClient().getClient());
        Map<Scope, Boolean> scopes = umaValidationService.validateScopes(scope, permissions, client);
        // creates new pct if pct is null in request
        pct = pctService.updateClaims(pct, idToken, client.getClientId(), permissions);
        Claims claims = new Claims(idToken, pct, claimToken);
        // Throws a 403 need_info response if any policy script still requires claims the requester has not supplied.
        Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap = umaNeedsInfoService.checkNeedsInfo(claims, scopes, permissions, pct, httpRequest, client);
        if (!scriptMap.isEmpty()) {
            expressionService.evaluate(scriptMap, permissions);
        } else {
            // No policy script is attached to any requested scope (or none could be loaded):
            // the decision falls back to the umaGrantAccessIfNoPolicies configuration property.
            if (log.isWarnEnabled()) {
                log.warn("There are no any policies that protects scopes. Scopes: {}. Configuration property umaGrantAccessIfNoPolicies: {}", UmaScopeService.asString(scopes.keySet()), appConfiguration.getUmaGrantAccessIfNoPolicies());
            }
            if (appConfiguration.getUmaGrantAccessIfNoPolicies() != null && appConfiguration.getUmaGrantAccessIfNoPolicies()) {
                log.warn("Access granted because there are no any protection. Make sure it is intentional behavior.");
            } else {
                log.warn("Access denied because there are no any protection. Make sure it is intentional behavior.");
                throw errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Access denied because there are no any protection. Make sure it is intentional behavior.");
            }
        }
        log.trace("Access granted.");
        updatePermissionsWithClientRequestedScope(permissions, scopes);
        addPctToPermissions(permissions, pct);
        // Either mint a new RPT or, when the client presented an existing one, upgrade it with the new permissions.
        boolean upgraded = false;
        if (rpt == null) {
            ExecutionContext executionContext = new ExecutionContext(httpRequest, httpResponse);
            executionContext.setClient(client);
            rpt = rptService.createRPTAndPersist(executionContext, permissions);
            rptCode = rpt.getNotHashedCode();
        } else if (rptService.addPermissionToRPT(rpt, permissions)) {
            upgraded = true;
        }
        UmaTokenResponse response = new UmaTokenResponse();
        response.setAccessToken(rptCode);
        response.setUpgraded(upgraded);
        response.setTokenType("Bearer");
        response.setPct(pct.getCode());
        return Response.ok(ServerUtil.asJson(response)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        // Deliberate error responses (need_info, forbidden_by_policy, validation failures) pass through unchanged;
        // anything else is mapped to a generic 500 below so no internal detail reaches the client.
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
    }
    log.error("Failed to handle request to UMA Token Endpoint.");
    throw errorResponseFactory.createWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR, UmaErrorResponseType.SERVER_ERROR, "Failed to handle request to UMA Token Endpoint.");
}
Also used:
UmaPCT (io.jans.as.server.uma.authorization.UmaPCT)
Claims (io.jans.as.server.uma.authorization.Claims)
UmaTokenResponse (io.jans.as.model.uma.UmaTokenResponse)
WebApplicationException (javax.ws.rs.WebApplicationException)
UmaAuthorizationContext (io.jans.as.server.uma.authorization.UmaAuthorizationContext)
Jwt (io.jans.as.model.jwt.Jwt)
UmaScriptByScope (io.jans.as.server.uma.authorization.UmaScriptByScope)
ExecutionContext (io.jans.as.server.model.common.ExecutionContext)
UmaRPT (io.jans.as.server.uma.authorization.UmaRPT)
Scope (io.jans.as.persistence.model.Scope)
UmaPermission (io.jans.as.model.uma.persistence.UmaPermission)
Client (io.jans.as.common.model.registration.Client)

Aggregations

UmaAuthorizationContext (io.jans.as.server.uma.authorization.UmaAuthorizationContext): 3 uses
Scope (io.jans.as.persistence.model.Scope): 2 uses
UmaScriptByScope (io.jans.as.server.uma.authorization.UmaScriptByScope): 2 uses
WebApplicationException (javax.ws.rs.WebApplicationException): 2 uses
Client (io.jans.as.common.model.registration.Client): 1 use
Jwt (io.jans.as.model.jwt.Jwt): 1 use
UmaNeedInfoResponse (io.jans.as.model.uma.UmaNeedInfoResponse): 1 use
UmaTokenResponse (io.jans.as.model.uma.UmaTokenResponse): 1 use
UmaPermission (io.jans.as.model.uma.persistence.UmaPermission): 1 use
ExecutionContext (io.jans.as.server.model.common.ExecutionContext): 1 use
Claims (io.jans.as.server.uma.authorization.Claims): 1 use
UmaAuthorizationContextBuilder (io.jans.as.server.uma.authorization.UmaAuthorizationContextBuilder): 1 use
UmaPCT (io.jans.as.server.uma.authorization.UmaPCT): 1 use
UmaRPT (io.jans.as.server.uma.authorization.UmaRPT): 1 use
CustomScriptConfiguration (io.jans.model.custom.script.conf.CustomScriptConfiguration): 1 use
ClaimDefinition (io.jans.model.uma.ClaimDefinition): 1 use
ArrayList (java.util.ArrayList): 1 use
HashMap (java.util.HashMap): 1 use