Example 1 with UmaRPT

Use of io.jans.as.server.uma.authorization.UmaRPT in project jans by JanssenProject.

The class UmaRptService, method createRPTAndPersist.

public UmaRPT createRPTAndPersist(ExecutionContext executionContext, List<UmaPermission> permissions) {
    try {
        final Date creationDate = new Date();
        final Date expirationDate = rptExpirationDate();
        final Client client = executionContext.getClient();
        final String code;
        // The RPT is either a signed JWT (when the client is configured for it)
        // or an opaque code built from a random UUID plus a generated suffix.
        if (client.isRptAsJwt()) {
            code = createRptJwt(executionContext, permissions, creationDate, expirationDate);
        } else {
            code = UUID.randomUUID().toString() + "_" + INumGenerator.generate(8);
        }
        UmaRPT rpt = new UmaRPT(code, creationDate, expirationDate, null, client.getClientId());
        // Permissions are stored by DN; the RPT carries references, not copies.
        rpt.setPermissions(getPermissionDns(permissions));
        persist(rpt);
        statService.reportUmaToken(GrantType.OXAUTH_UMA_TICKET);
        return rpt;
    } catch (Exception e) {
        if (log.isErrorEnabled()) {
            log.error(e.getMessage(), e);
        }
        throw new RuntimeException("Failed to generate RPT, clientId: " + executionContext.getClient().getClientId(), e);
    }
}
Also used: UmaRPT (io.jans.as.server.uma.authorization.UmaRPT), Client (io.jans.as.common.model.registration.Client), Date (java.util.Date), JSONException (org.json.JSONException), IOException (java.io.IOException)

Example 2 with UmaRPT

Use of io.jans.as.server.uma.authorization.UmaRPT in project jans by JanssenProject.

The class CleanerTimerTest, method umaRpt_whichIsExpiredAndDeletable_MustBeRemoved.

@Test
public void umaRpt_whichIsExpiredAndDeletable_MustBeRemoved() throws StringEncrypter.EncryptionException {
    final Client client = createClient();
    clientService.persist(client);
    // 1. create RPT
    final ExecutionContext executionContext = new ExecutionContext(null, null);
    executionContext.setClient(client);
    final UmaRPT rpt = umaRptService.createRPTAndPersist(executionContext, Lists.newArrayList());
    // 2. RPT exists
    assertNotNull(umaRptService.getRPTByCode(rpt.getNotHashedCode()));
    // 3. clean up
    cleanerTimer.processImpl();
    cacheService.clear();
    // 4. RPT still exists: it has not expired yet, so the cleaner must leave it alone
    assertNotNull(umaRptService.getRPTByCode(rpt.getNotHashedCode()));
    // backdate the expiration by 10 minutes so the RPT is now expired
    final Calendar calendar = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
    calendar.add(Calendar.MINUTE, -10);
    rpt.setExpirationDate(calendar.getTime());
    umaRptService.merge(rpt);
    // 5. clean up
    cleanerTimer.processImpl();
    cacheService.clear();
    // 6. no RPT in persistence
    assertNull(umaRptService.getRPTByCode(rpt.getNotHashedCode()));
}
Also used: ExecutionContext (io.jans.as.server.model.common.ExecutionContext), UmaRPT (io.jans.as.server.uma.authorization.UmaRPT), Calendar (java.util.Calendar), GregorianCalendar (java.util.GregorianCalendar), Client (io.jans.as.common.model.registration.Client), Test (org.testng.annotations.Test), BaseComponentTest (io.jans.as.server.BaseComponentTest)

Example 3 with UmaRPT

Use of io.jans.as.server.uma.authorization.UmaRPT in project jans by JanssenProject.

The class UmaRptIntrospectionWS, method introspect.

private Response introspect(String authorization, String token, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
    try {
        errorResponseFactory.validateComponentEnabled(ComponentType.UMA);
        // The caller must present a token carrying the UMA protection scope before any lookup happens.
        umaValidationService.assertHasProtectionScope(authorization);
        final UmaRPT rpt = rptService.getRPTByCode(token);
        // Unknown, expired or otherwise invalid RPT: answer "active": false rather than an error.
        if (!isValid(rpt)) {
            return Response.status(Response.Status.OK).entity(new RptIntrospectionResponse(false)).cacheControl(ServerUtil.cacheControl(true)).build();
        }
        final List<io.jans.as.model.uma.UmaPermission> permissions = buildStatusResponsePermissions(rpt);
        // active status
        final RptIntrospectionResponse statusResponse = new RptIntrospectionResponse();
        statusResponse.setActive(true);
        statusResponse.setExpiresAt(ServerUtil.dateToSeconds(rpt.getExpirationDate()));
        statusResponse.setIssuedAt(ServerUtil.dateToSeconds(rpt.getCreationDate()));
        statusResponse.setPermissions(permissions);
        statusResponse.setClientId(rpt.getClientId());
        statusResponse.setAud(rpt.getClientId());
        statusResponse.setSub(rpt.getUserId());
        // If the first permission references a PCT, include that PCT's claims in the response.
        final List<UmaPermission> rptPermissions = rptService.getRptPermissions(rpt);
        if (!rptPermissions.isEmpty()) {
            UmaPermission permission = rptPermissions.iterator().next();
            String pctCode = permission.getAttributes().get(UmaPermission.PCT);
            if (StringHelper.isNotEmpty(pctCode)) {
                UmaPCT pct = pctService.getByCode(pctCode);
                if (pct != null) {
                    statusResponse.setPctClaims(pct.getClaims().toMap());
                } else {
                    log.error("Failed to find PCT with code: {} which is taken from permission object: {}", pctCode, permission.getDn());
                }
            } else {
                log.trace("PCT code is blank for RPT: {}", rpt.getCode());
            }
        }
        // An external RPT claims script may modify the JSON; its changes are kept only if it returns true.
        JSONObject rptAsJson = new JSONObject(ServerUtil.asJson(statusResponse));
        ExternalUmaRptClaimsContext context = new ExternalUmaRptClaimsContext(clientService.getClient(rpt.getClientId()), httpRequest, httpResponse);
        if (externalUmaRptClaimsService.externalModify(rptAsJson, context)) {
            log.trace("Successfully run external RPT Claims script associated with {}", rpt.getClientId());
        } else {
            rptAsJson = new JSONObject(ServerUtil.asJson(statusResponse));
            log.trace("Canceled changes made by external RPT Claims script since method returned `false`.");
        }
        return Response.status(Response.Status.OK).entity(rptAsJson.toString()).type(MediaType.APPLICATION_JSON_TYPE).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
        throw errorResponseFactory.createWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR, UmaErrorResponseType.SERVER_ERROR, "Internal error.");
    }
}
Also used: UmaPCT (io.jans.as.server.uma.authorization.UmaPCT), ExternalUmaRptClaimsContext (io.jans.as.server.service.external.context.ExternalUmaRptClaimsContext), WebApplicationException (javax.ws.rs.WebApplicationException), RptIntrospectionResponse (io.jans.as.model.uma.RptIntrospectionResponse), UmaRPT (io.jans.as.server.uma.authorization.UmaRPT), JSONObject (org.json.JSONObject), UmaPermission (io.jans.as.model.uma.persistence.UmaPermission)

Example 4 with UmaRPT

Use of io.jans.as.server.uma.authorization.UmaRPT in project jans by JanssenProject.

The class UmaTokenService, method requestRpt.

public Response requestRpt(String grantType, String ticket, String claimToken, String claimTokenFormat, String pctCode, String rptCode, String scope, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
    try {
        log.trace("requestRpt grant_type: {}, ticket: {}, claim_token: {}, claim_token_format: {}, pct: {}, rpt: {}, scope: {}", grantType, ticket, claimToken, claimTokenFormat, pctCode, rptCode, scope);
        // Every input is validated before any token is issued or upgraded.
        umaValidationService.validateGrantType(grantType);
        List<UmaPermission> permissions = umaValidationService.validateTicket(ticket);
        Jwt idToken = umaValidationService.validateClaimToken(claimToken, claimTokenFormat);
        UmaPCT pct = umaValidationService.validatePct(pctCode);
        UmaRPT rpt = umaValidationService.validateRPT(rptCode);
        Client client = umaValidationService.validate(identity.getSessionClient().getClient());
        Map<Scope, Boolean> scopes = umaValidationService.validateScopes(scope, permissions, client);
        // creates new pct if pct is null in request
        pct = pctService.updateClaims(pct, idToken, client.getClientId(), permissions);
        Claims claims = new Claims(idToken, pct, claimToken);
        Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap = umaNeedsInfoService.checkNeedsInfo(claims, scopes, permissions, pct, httpRequest, client);
        if (!scriptMap.isEmpty()) {
            // Policies exist for the requested scopes: evaluate them (they may throw to deny access).
            expressionService.evaluate(scriptMap, permissions);
        } else {
            // No policy protects the requested scopes. Whether this fails open or fails closed
            // is decided by the umaGrantAccessIfNoPolicies configuration property.
            if (log.isWarnEnabled())
                log.warn("There are no any policies that protects scopes. Scopes: {}. Configuration property umaGrantAccessIfNoPolicies: {}", UmaScopeService.asString(scopes.keySet()), appConfiguration.getUmaGrantAccessIfNoPolicies());
            if (appConfiguration.getUmaGrantAccessIfNoPolicies() != null && appConfiguration.getUmaGrantAccessIfNoPolicies()) {
                log.warn("Access granted because there are no any protection. Make sure it is intentional behavior.");
            } else {
                log.warn("Access denied because there are no any protection. Make sure it is intentional behavior.");
                throw errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Access denied because there are no any protection. Make sure it is intentional behavior.");
            }
        }
        log.trace("Access granted.");
        updatePermissionsWithClientRequestedScope(permissions, scopes);
        addPctToPermissions(permissions, pct);
        // Either mint a new RPT or add the granted permissions to the RPT the client already holds.
        boolean upgraded = false;
        if (rpt == null) {
            ExecutionContext executionContext = new ExecutionContext(httpRequest, httpResponse);
            executionContext.setClient(client);
            rpt = rptService.createRPTAndPersist(executionContext, permissions);
            rptCode = rpt.getNotHashedCode();
        } else if (rptService.addPermissionToRPT(rpt, permissions)) {
            upgraded = true;
        }
        UmaTokenResponse response = new UmaTokenResponse();
        response.setAccessToken(rptCode);
        response.setUpgraded(upgraded);
        response.setTokenType("Bearer");
        response.setPct(pct.getCode());
        return Response.ok(ServerUtil.asJson(response)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
        // Any other exception falls through to the generic server error below.
    }
    log.error("Failed to handle request to UMA Token Endpoint.");
    throw errorResponseFactory.createWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR, UmaErrorResponseType.SERVER_ERROR, "Failed to handle request to UMA Token Endpoint.");
}
Also used: UmaPCT (io.jans.as.server.uma.authorization.UmaPCT), Claims (io.jans.as.server.uma.authorization.Claims), UmaTokenResponse (io.jans.as.model.uma.UmaTokenResponse), WebApplicationException (javax.ws.rs.WebApplicationException), UmaAuthorizationContext (io.jans.as.server.uma.authorization.UmaAuthorizationContext), Jwt (io.jans.as.model.jwt.Jwt), UmaScriptByScope (io.jans.as.server.uma.authorization.UmaScriptByScope), ExecutionContext (io.jans.as.server.model.common.ExecutionContext), UmaRPT (io.jans.as.server.uma.authorization.UmaRPT), Scope (io.jans.as.persistence.model.Scope), UmaPermission (io.jans.as.model.uma.persistence.UmaPermission), Client (io.jans.as.common.model.registration.Client)

Aggregations (number of examples above that use each type)

UmaRPT (io.jans.as.server.uma.authorization.UmaRPT): 4
Client (io.jans.as.common.model.registration.Client): 3
UmaPermission (io.jans.as.model.uma.persistence.UmaPermission): 2
ExecutionContext (io.jans.as.server.model.common.ExecutionContext): 2
UmaPCT (io.jans.as.server.uma.authorization.UmaPCT): 2
WebApplicationException (javax.ws.rs.WebApplicationException): 2
Jwt (io.jans.as.model.jwt.Jwt): 1
RptIntrospectionResponse (io.jans.as.model.uma.RptIntrospectionResponse): 1
UmaTokenResponse (io.jans.as.model.uma.UmaTokenResponse): 1
Scope (io.jans.as.persistence.model.Scope): 1
BaseComponentTest (io.jans.as.server.BaseComponentTest): 1
ExternalUmaRptClaimsContext (io.jans.as.server.service.external.context.ExternalUmaRptClaimsContext): 1
Claims (io.jans.as.server.uma.authorization.Claims): 1
UmaAuthorizationContext (io.jans.as.server.uma.authorization.UmaAuthorizationContext): 1
UmaScriptByScope (io.jans.as.server.uma.authorization.UmaScriptByScope): 1
IOException (java.io.IOException): 1
Calendar (java.util.Calendar): 1
Date (java.util.Date): 1
GregorianCalendar (java.util.GregorianCalendar): 1
JSONException (org.json.JSONException): 1