use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.
the class UmaPolicyServiceImplDelegationTest method aliceShouldBeAbleToUpdatePolicyForResource.
@Test
public void aliceShouldBeAbleToUpdatePolicyForResource() throws Exception {
//Given
userIsLoggedIn("alice", "REALM");
accessingUriForUser("alice");
String resourceSetId = registerResourceSet("alice");
createPolicyFor("bob", resourceSetId, "SCOPE_A", "SCOPE_B");
JsonValue policy = policyToUpdate(resourceSetId);
Context context = getContext();
//When
Promise<UmaPolicy, ResourceException> promise = policyService.updatePolicy(context, resourceSetId, policy);
//Then
assertThat(promise).succeeded();
}
use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.
the class UmaPolicyServiceImplDelegationTest method policyToUpdate.
private JsonValue policyToUpdate(String resourceSetId) {
mockPolicyResourceDelegateForUpdatedPolicy();
JsonValue umaPolicy = createUmaPolicyForResourceSet(resourceSetId);
umaPolicy.remove(new JsonPointer("/permissions/0/scopes/1"));
return umaPolicy;
}
use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.
the class OpenAMOpenIdConnectClientRegistrationService method createRegistration.
/**
* {@inheritDoc}
*/
public JsonValue createRegistration(String accessToken, String deploymentUrl, OAuth2Request request) throws InvalidRedirectUri, InvalidClientMetadata, ServerException, UnsupportedResponseTypeException, AccessDeniedException, NotFoundException, InvalidPostLogoutRedirectUri {
final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
if (!providerSettings.isOpenDynamicClientRegistrationAllowed()) {
if (!tokenVerifier.verify(request).isValid()) {
throw new AccessDeniedException("Access Token not valid");
}
}
final JsonValue input = request.getBody();
//check input to ensure it is valid
Set<String> inputKeys = input.keys();
for (String key : inputKeys) {
OAuth2Constants.ShortClientAttributeNames keyName = fromString(key);
if (keyName == null) {
logger.warn("Unknown input given. Key: " + key);
}
}
//create client given input
ClientBuilder clientBuilder = new ClientBuilder();
try {
boolean jwks = false;
if (input.get(JWKS.getType()).asString() != null) {
jwks = true;
try {
JsonValueBuilder.toJsonValue(input.get(JWKS.getType()).asString());
} catch (JsonException e) {
throw new InvalidClientMetadata("jwks must be valid JSON.");
}
clientBuilder.setJwks(input.get(JWKS.getType()).asString());
clientBuilder.setPublicKeySelector(Client.PublicKeySelector.JWKS.getType());
}
if (input.get(JWKS_URI.getType()).asString() != null) {
if (jwks) {
//allowed to set either jwks or jwks_uri but not both
throw new InvalidClientMetadata("Must define either jwks or jwks_uri, not both.");
}
jwks = true;
try {
new URL(input.get(JWKS_URI.getType()).asString());
} catch (MalformedURLException e) {
throw new InvalidClientMetadata("jwks_uri must be a valid URL.");
}
clientBuilder.setJwksUri(input.get(JWKS_URI.getType()).asString());
clientBuilder.setPublicKeySelector(Client.PublicKeySelector.JWKS_URI.getType());
}
//not spec-defined, this is OpenAM proprietary
if (input.get(X509.getType()).asString() != null) {
clientBuilder.setX509(input.get(X509.getType()).asString());
}
//drop to this if neither other are set
if (!jwks) {
clientBuilder.setPublicKeySelector(Client.PublicKeySelector.X509.getType());
}
if (input.get(TOKEN_ENDPOINT_AUTH_METHOD.getType()).asString() != null) {
if (Client.TokenEndpointAuthMethod.fromString(input.get(TOKEN_ENDPOINT_AUTH_METHOD.getType()).asString()) == null) {
logger.error("Invalid token_endpoint_auth_method requested.");
throw new InvalidClientMetadata("Invalid token_endpoint_auth_method requested.");
}
clientBuilder.setTokenEndpointAuthMethod(input.get(TOKEN_ENDPOINT_AUTH_METHOD.getType()).asString());
} else {
clientBuilder.setTokenEndpointAuthMethod(Client.TokenEndpointAuthMethod.CLIENT_SECRET_BASIC.getType());
}
if (input.get(CLIENT_ID.getType()).asString() != null) {
clientBuilder.setClientID(input.get(CLIENT_ID.getType()).asString());
} else {
clientBuilder.setClientID(UUID.randomUUID().toString());
}
if (input.get(CLIENT_SECRET.getType()).asString() != null) {
clientBuilder.setClientSecret(input.get(CLIENT_SECRET.getType()).asString());
} else {
clientBuilder.setClientSecret(UUID.randomUUID().toString());
}
if (input.get(CLIENT_TYPE.getType()).asString() != null) {
if (Client.ClientType.fromString(input.get(CLIENT_TYPE.getType()).asString()) != null) {
clientBuilder.setClientType(input.get(CLIENT_TYPE.getType()).asString());
} else {
logger.error("Invalid client_type requested.");
throw new InvalidClientMetadata("Invalid client_type requested");
}
} else {
clientBuilder.setClientType(Client.ClientType.CONFIDENTIAL.getType());
}
if (input.get(DEFAULT_MAX_AGE.getType()).asLong() != null) {
clientBuilder.setDefaultMaxAge(input.get(DEFAULT_MAX_AGE.getType()).asLong());
clientBuilder.setDefaultMaxAgeEnabled(true);
} else {
clientBuilder.setDefaultMaxAge(Client.MIN_DEFAULT_MAX_AGE);
clientBuilder.setDefaultMaxAgeEnabled(false);
}
List<String> redirectUris = new ArrayList<String>();
if (input.get(REDIRECT_URIS.getType()).asList() != null) {
redirectUris = input.get(REDIRECT_URIS.getType()).asList(String.class);
boolean isValidUris = true;
for (String redirectUri : redirectUris) {
try {
urlValidator.validate(redirectUri);
} catch (ValidationException e) {
isValidUris = false;
logger.error("The redirectUri: " + redirectUri + " is invalid.");
}
}
if (!isValidUris) {
throw new InvalidRedirectUri();
}
clientBuilder.setRedirectionURIs(redirectUris);
}
if (input.get(SECTOR_IDENTIFIER_URI.getType()).asString() != null) {
try {
URL sectorIdentifier = new URL(input.get(SECTOR_IDENTIFIER_URI.getType()).asString());
List<String> response = mapper.readValue(sectorIdentifier, List.class);
if (!response.containsAll(redirectUris)) {
logger.error("Request_uris not included in sector_identifier_uri.");
throw new InvalidClientMetadata();
}
} catch (Exception e) {
logger.error("Invalid sector_identifier_uri requested.");
throw new InvalidClientMetadata("Invalid sector_identifier_uri requested.");
}
clientBuilder.setSectorIdentifierUri(input.get(SECTOR_IDENTIFIER_URI.getType()).asString());
}
List<String> scopes = input.get(SCOPES.getType()).asList(String.class);
if (scopes != null && !scopes.isEmpty()) {
if (!containsAllCaseInsensitive(providerSettings.getSupportedScopes(), scopes)) {
logger.error("Invalid scopes requested.");
throw new InvalidClientMetadata("Invalid scopes requested");
}
} else {
//if nothing requested, fall back to provider defaults
scopes = new ArrayList<String>();
scopes.addAll(providerSettings.getDefaultScopes());
}
//regardless, we add openid
if (!scopes.contains(OPENID)) {
scopes = new ArrayList<String>(scopes);
scopes.add(OPENID);
}
clientBuilder.setAllowedGrantScopes(scopes);
List<String> defaultScopes = input.get(DEFAULT_SCOPES.getType()).asList(String.class);
if (defaultScopes != null) {
if (containsAllCaseInsensitive(providerSettings.getSupportedScopes(), defaultScopes)) {
clientBuilder.setDefaultGrantScopes(defaultScopes);
} else {
throw new InvalidClientMetadata("Invalid default scopes requested.");
}
}
List<String> clientNames = new ArrayList<String>();
Set<String> keys = input.keys();
for (String key : keys) {
if (key.equals(CLIENT_NAME.getType())) {
clientNames.add(input.get(key).asString());
} else if (key.startsWith(CLIENT_NAME.getType())) {
try {
Locale locale = new Locale(key.substring(CLIENT_NAME.getType().length() + 1));
clientNames.add(locale.toString() + "|" + input.get(key).asString());
} catch (Exception e) {
logger.error("Invalid locale for client_name.");
throw new InvalidClientMetadata("Invalid locale for client_name.");
}
}
}
if (clientNames != null) {
clientBuilder.setClientName(clientNames);
}
if (input.get(CLIENT_DESCRIPTION.getType()).asList() != null) {
clientBuilder.setDisplayDescription(input.get(CLIENT_DESCRIPTION.getType()).asList(String.class));
}
if (input.get(SUBJECT_TYPE.getType()).asString() != null) {
if (providerSettings.getSupportedSubjectTypes().contains(input.get(SUBJECT_TYPE.getType()).asString())) {
clientBuilder.setSubjectType(input.get(SUBJECT_TYPE.getType()).asString());
} else {
logger.error("Invalid subject_type requested.");
throw new InvalidClientMetadata("Invalid subject_type requested");
}
} else {
clientBuilder.setSubjectType(Client.SubjectType.PUBLIC.getType());
}
if (input.get(ID_TOKEN_SIGNED_RESPONSE_ALG.getType()).asString() != null) {
if (containsCaseInsensitive(providerSettings.getSupportedIDTokenSigningAlgorithms(), input.get(ID_TOKEN_SIGNED_RESPONSE_ALG.getType()).asString())) {
clientBuilder.setIdTokenSignedResponseAlgorithm(input.get(ID_TOKEN_SIGNED_RESPONSE_ALG.getType()).asString());
} else {
logger.error("Unsupported id_token_response_signed_alg requested.");
throw new InvalidClientMetadata("Unsupported id_token_response_signed_alg requested.");
}
} else {
clientBuilder.setIdTokenSignedResponseAlgorithm(ID_TOKEN_SIGNED_RESPONSE_ALG_DEFAULT);
}
if (input.get(POST_LOGOUT_REDIRECT_URIS.getType()).asList() != null) {
List<String> logoutRedirectUris = input.get(POST_LOGOUT_REDIRECT_URIS.getType()).asList(String.class);
boolean isValidUris = true;
for (String logoutRedirectUri : logoutRedirectUris) {
try {
urlValidator.validate(logoutRedirectUri);
} catch (ValidationException e) {
isValidUris = false;
logger.error("The post_logout_redirect_uris: {} is invalid.", logoutRedirectUri);
}
}
if (!isValidUris) {
throw new InvalidPostLogoutRedirectUri();
}
clientBuilder.setPostLogoutRedirectionURIs(logoutRedirectUris);
}
if (input.get(REGISTRATION_ACCESS_TOKEN.getType()).asString() != null) {
clientBuilder.setAccessToken(input.get(REGISTRATION_ACCESS_TOKEN.getType()).asString());
} else {
clientBuilder.setAccessToken(accessToken);
}
if (input.get(CLIENT_SESSION_URI.getType()).asString() != null) {
clientBuilder.setClientSessionURI(input.get(CLIENT_SESSION_URI.getType()).asString());
}
if (input.get(APPLICATION_TYPE.getType()).asString() != null) {
if (Client.ApplicationType.fromString(input.get(APPLICATION_TYPE.getType()).asString()) != null) {
clientBuilder.setApplicationType(Client.ApplicationType.WEB.getType());
} else {
logger.error("Invalid application_type requested.");
throw new InvalidClientMetadata("Invalid application_type requested.");
}
} else {
clientBuilder.setApplicationType(DEFAULT_APPLICATION_TYPE);
}
if (input.get(DISPLAY_NAME.getType()).asList() != null) {
clientBuilder.setDisplayName(input.get(DISPLAY_NAME.getType()).asList(String.class));
}
if (input.get(RESPONSE_TYPES.getType()).asList() != null) {
final List<String> clientResponseTypeList = input.get(RESPONSE_TYPES.getType()).asList(String.class);
final List<String> typeList = new ArrayList<String>();
for (String responseType : clientResponseTypeList) {
typeList.addAll(Arrays.asList(responseType.split(" ")));
}
if (containsAllCaseInsensitive(providerSettings.getAllowedResponseTypes().keySet(), typeList)) {
clientBuilder.setResponseTypes(clientResponseTypeList);
} else {
logger.error("Invalid response_types requested.");
throw new InvalidClientMetadata("Invalid response_types requested.");
}
} else {
List<String> defaultResponseTypes = new ArrayList<String>();
defaultResponseTypes.add("code");
clientBuilder.setResponseTypes(defaultResponseTypes);
}
if (input.get(AUTHORIZATION_CODE_LIFE_TIME.getType()).asLong() != null) {
clientBuilder.setAuthorizationCodeLifeTime(input.get(AUTHORIZATION_CODE_LIFE_TIME.getType()).asLong());
} else {
clientBuilder.setAuthorizationCodeLifeTime(0L);
}
if (input.get(ACCESS_TOKEN_LIFE_TIME.getType()).asLong() != null) {
clientBuilder.setAccessTokenLifeTime(input.get(ACCESS_TOKEN_LIFE_TIME.getType()).asLong());
} else {
clientBuilder.setAccessTokenLifeTime(0L);
}
if (input.get(REFRESH_TOKEN_LIFE_TIME.getType()).asLong() != null) {
clientBuilder.setRefreshTokenLifeTime(input.get(REFRESH_TOKEN_LIFE_TIME.getType()).asLong());
} else {
clientBuilder.setRefreshTokenLifeTime(0L);
}
if (input.get(JWT_TOKEN_LIFE_TIME.getType()).asLong() != null) {
clientBuilder.setJwtTokenLifeTime(input.get(JWT_TOKEN_LIFE_TIME.getType()).asLong());
} else {
clientBuilder.setJwtTokenLifeTime(0L);
}
if (input.get(CONTACTS.getType()).asList() != null) {
clientBuilder.setContacts(input.get(CONTACTS.getType()).asList(String.class));
}
} catch (JsonValueException e) {
logger.error("Unable to build client.", e);
throw new InvalidClientMetadata();
}
Client client = clientBuilder.createClient();
// See OPENAM-3604 and http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration
if (providerSettings.isRegistrationAccessTokenGenerationEnabled() && !client.hasAccessToken()) {
client.setAccessToken(createRegistrationAccessToken(client, request));
}
clientDAO.create(client, request);
// have some visibility on who is registering clients.
if (logger.isInfoEnabled()) {
logger.info("Registered OpenID Connect client: " + client.getClientID() + ", name=" + client.getClientName() + ", type=" + client.getClientType());
}
Map<String, Object> response = client.asMap();
response = convertClientReadResponseFormat(response);
response.put(REGISTRATION_CLIENT_URI, deploymentUrl + "/oauth2/connect/register?client_id=" + client.getClientID());
response.put(EXPIRES_AT, 0);
return new JsonValue(response);
}
use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.
the class OpenAMOpenIdConnectClientRegistrationService method getRegistration.
/**
* {@inheritDoc}
*/
public JsonValue getRegistration(String clientId, String accessToken, OAuth2Request request) throws InvalidRequestException, InvalidClientMetadata, InvalidTokenException {
if (clientId != null) {
final Client client;
try {
client = clientDAO.read(clientId, request);
} catch (UnauthorizedClientException e) {
logger.error("ConnectClientRegistration.Validate(): Unable to create client", e);
throw new InvalidClientMetadata();
}
if (!client.getAccessToken().equals(accessToken)) {
//client access token doesn't match the access token supplied in the request
logger.error("ConnectClientRegistration.getClient(): Invalid accessToken");
throw new InvalidTokenException();
}
//remove the client fields that don't need to be reported.
client.remove(REGISTRATION_ACCESS_TOKEN.getType());
final JsonValue response = new JsonValue(convertClientReadResponseFormat(client.asMap()));
response.put(EXPIRES_AT, 0);
return response;
} else {
logger.error("ConnectClientRegistration.readRequest(): No client id sent");
throw new InvalidRequestException();
}
}
use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.
the class ClientResource method createInstance.
public Promise<ResourceResponse, ResourceException> createInstance(Context context, CreateRequest createRequest) {
String principal = PrincipalRestUtils.getPrincipalNameFromServerContext(context);
Map<String, String> responseVal = new HashMap<String, String>();
try {
if (serviceSchema == null || serviceSchemaManager == null) {
if (debug.errorEnabled()) {
debug.error("ClientResource :: CREATE by " + principal + ": No serviceSchema available.");
}
throw new PermanentException(ResourceException.INTERNAL_ERROR, "", null);
}
Map<String, ArrayList<String>> client = (Map<String, ArrayList<String>>) createRequest.getContent().getObject();
String realm = null;
if (client == null || client.isEmpty()) {
if (debug.errorEnabled()) {
debug.error("ClientResource :: CREATE by " + principal + ": No client definition.");
}
throw new PermanentException(ResourceException.BAD_REQUEST, "Missing client definition", null);
}
//check for id
String id = createRequest.getNewResourceId();
if (client.containsKey(OAuth2Constants.OAuth2Client.CLIENT_ID)) {
ArrayList<String> idList = client.remove(OAuth2Constants.OAuth2Client.CLIENT_ID);
if (idList != null && !idList.isEmpty()) {
id = idList.iterator().next();
}
}
if (id == null || id.isEmpty()) {
debug.error("ClientResource :: CREATE by " + principal + ": No client ID.");
throw new PermanentException(ResourceException.BAD_REQUEST, "Missing client id", null);
}
//get realm
if (client.containsKey(OAuth2Constants.OAuth2Client.REALM)) {
ArrayList<String> realmList = client.remove(OAuth2Constants.OAuth2Client.REALM);
if (realmList != null && !realmList.isEmpty()) {
realm = realmList.iterator().next();
}
}
//check for required parameters
if (!client.containsKey(OAuth2Constants.OAuth2Client.USERPASSWORD) || client.get(OAuth2Constants.OAuth2Client.USERPASSWORD).iterator().next().isEmpty()) {
if (debug.errorEnabled()) {
debug.error("ClientResource :: CREATE by " + principal + ": " + "Resource ID: " + id + ": No user password.");
}
throw new PermanentException(ResourceException.BAD_REQUEST, "Missing user password", null);
}
if (client.containsKey(OAuth2Constants.OAuth2Client.CLIENT_TYPE)) {
String type = client.get(OAuth2Constants.OAuth2Client.CLIENT_TYPE).iterator().next();
if (!(type.equals("Confidential") || type.equals("Public"))) {
debug.error("ClientResource :: CREATE by " + principal + ": " + "Resource ID: " + id + ": No client type.");
throw new PermanentException(ResourceException.BAD_REQUEST, "Missing client type", null);
}
} else {
debug.error("ClientResource :: CREATE by" + principal + ": " + "Resource ID: " + id + ": No client type.");
throw new PermanentException(ResourceException.BAD_REQUEST, "Missing client type", null);
}
Map<String, Set<String>> attrs = new HashMap<String, Set<String>>();
for (Map.Entry mapEntry : client.entrySet()) {
List<String> list = (ArrayList) mapEntry.getValue();
Set<String> set = new HashSet<String>();
if (isSingle((String) mapEntry.getKey())) {
set.add((String) ((ArrayList) mapEntry.getValue()).get(0));
} else {
for (int i = 0; i < list.size(); i++) {
set.add("[" + i + "]=" + list.get(i));
}
}
attrs.put((String) mapEntry.getKey(), set);
}
Set<String> temp = new HashSet<String>();
temp.add("OAuth2Client");
attrs.put("AgentType", temp);
temp = new HashSet<String>();
temp.add("Active");
attrs.put("sunIdentityServerDeviceStatus", temp);
manager.createIdentity(realm, id, attrs);
responseVal.put("success", "true");
JsonValue response = new JsonValue(responseVal);
ResourceResponse resource = newResourceResponse("results", String.valueOf(System.currentTimeMillis()), response);
if (auditLogger.isAuditLogEnabled()) {
String[] obs = { "CREATED_CLIENT", responseVal.toString() };
auditLogger.logAccessMessage("CREATED_CLIENT", obs, null);
}
return newResultPromise(resource);
} catch (IdRepoException e) {
responseVal.put("success", "false");
if (auditLogger.isAuditLogEnabled()) {
String[] obs = { "FAILED_CREATE_CLIENT", responseVal.toString() };
auditLogger.logErrorMessage("FAILED_CREATE_CLIENT", obs, null);
}
if (debug.errorEnabled()) {
debug.error("ClientResource :: CREATE by " + principal + ": Unable to create client due to " + "IdRepo exception.", e);
}
return new InternalServerErrorException("Unable to create client", e).asPromise();
} catch (SSOException e) {
responseVal.put("success", "false");
if (auditLogger.isAuditLogEnabled()) {
String[] obs = { "FAILED_CREATE_CLIENT", responseVal.toString() };
auditLogger.logErrorMessage("FAILED_CREATE_CLIENT", obs, null);
}
if (debug.errorEnabled()) {
debug.error("ClientResource :: CREATE by " + principal + ": Unable to create client due to " + "SSO exception.", e);
}
return new InternalServerErrorException("Unable to create client", e).asPromise();
} catch (PermanentException e) {
responseVal.put("success", "false");
if (auditLogger.isAuditLogEnabled()) {
String[] obs = { "FAILED_CREATE_CLIENT", responseVal.toString() };
auditLogger.logErrorMessage("FAILED_CREATE_CLIENT", obs, null);
}
if (debug.errorEnabled()) {
debug.error("ClientResource :: CREATE by " + principal + ": Unable to create client due to exception.", e);
}
return e.asPromise();
} catch (org.forgerock.json.resource.BadRequestException e) {
responseVal.put("success", "false");
if (auditLogger.isAuditLogEnabled()) {
String[] obs = { "FAILED_CREATE_CLIENT", responseVal.toString() };
auditLogger.logErrorMessage("FAILED_CREATE_CLIENT", obs, null);
}
debug.error("ClientResource :: CREATE : Unable to create client due to Bad Request.", e);
return e.asPromise();
}
}
Aggregations