use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.
the class AuthorizationRequestEndpoint method isEntitled.
/**
 * Decides whether the requesting party may be authorized for every scope on the permission ticket.
 *
 * <p>The ticket's resource set is looked up in the resource set store and must match exactly one
 * entry. The resource owner is always entitled to their own resource. Any other party is entitled
 * only if, across the evaluated entitlements, each requested scope has a {@code true} action
 * value. {@code beforeAuthorization} runs before the decision and {@code afterAuthorization}
 * receives the outcome on both paths.
 *
 * @param umaProviderSettings supplies the policy evaluator
 * @param oauth2ProviderSettings supplies the resource set store
 * @param permissionTicket the ticket naming the realm, resource set, resource server and scopes
 * @param requestingPartyId identity of the party asking for access
 * @return {@code true} if the requesting party is the resource owner or every requested scope was
 *         granted
 * @throws ServerException if the resource set lookup does not yield exactly one match
 * @throws EntitlementException declared for the policy evaluation calls made here
 * @throws UmaException declared for the helper calls made here
 */
private boolean isEntitled(UmaProviderSettings umaProviderSettings, OAuth2ProviderSettings oauth2ProviderSettings, PermissionTicket permissionTicket, String requestingPartyId) throws EntitlementException, ServerException, UmaException {
    final String realm = permissionTicket.getRealm();
    final String resourceSetId = permissionTicket.getResourceSetId();

    String resourceName;
    Subject resourceOwnerSubject;
    try {
        Set<ResourceSetDescription> matches = oauth2ProviderSettings.getResourceSetStore()
                .query(QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
        // Both "no match" and "several matches" are refused, so an ambiguous id never selects
        // an arbitrary resource set (and therefore an arbitrary owner).
        if (matches.size() != 1) {
            throw new NotFoundException("Could not find Resource Set, " + resourceSetId);
        }
        ResourceSetDescription resourceSet = matches.iterator().next();
        resourceName = UmaConstants.UMA_POLICY_SCHEME + resourceSet.getId();
        resourceOwnerSubject = UmaUtils.createSubject(createIdentity(resourceSet.getResourceOwnerId(), realm));
    } catch (NotFoundException e) {
        // The cause is only written to the debug log; the ServerException carries the message alone.
        debug.message("Couldn't find resource that permission ticket is registered for", e);
        throw new ServerException("Couldn't find resource that permission ticket is registered for");
    }

    Subject requestingPartySubject = UmaUtils.createSubject(createIdentity(requestingPartyId, realm));
    beforeAuthorization(permissionTicket, requestingPartySubject, resourceOwnerSubject);

    // The resource owner is granted access without any policy evaluation.
    if (isRequestingPartyResourceOwner(requestingPartySubject, resourceOwnerSubject)) {
        afterAuthorization(true, permissionTicket, requestingPartySubject, resourceOwnerSubject);
        return true;
    }

    // NOTE(review): toLowerCase() uses the default locale; confirm the evaluator name is
    // lower-cased the same way wherever the policies are registered.
    String lowerCasedClientId = permissionTicket.getResourceServerClientId().toLowerCase();
    List<Entitlement> entitlements = umaProviderSettings
            .getPolicyEvaluator(requestingPartySubject, lowerCasedClientId)
            .evaluate(realm, requestingPartySubject, resourceName, null, false);

    // Start from "nothing granted" and strike off each scope that some entitlement allows.
    // NOTE(review): a ticket with no scopes leaves this set empty from the start, so the request
    // is authorized without any entitlement - confirm tickets always carry at least one scope.
    Set<String> requestedScopes = permissionTicket.getScopes();
    Set<String> ungrantedScopes = new HashSet<>(requestedScopes);
    for (Entitlement entitlement : entitlements) {
        for (String scope : requestedScopes) {
            // A missing (null) action value counts as "not granted".
            if (Boolean.TRUE.equals(entitlement.getActionValue(scope))) {
                ungrantedScopes.remove(scope);
            }
        }
    }

    boolean authorized = ungrantedScopes.isEmpty();
    afterAuthorization(authorized, permissionTicket, requestingPartySubject, resourceOwnerSubject);
    return authorized;
}
use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.
the class UmaTokenStore method deletePermissionTicket.
/**
 * Deletes the permission ticket with the given id from the token store.
 *
 * @param id identifier of the permission ticket to delete
 * @throws NotFoundException declared for the preliminary read; presumably raised when the id does
 *         not name a permission ticket (verify against {@code readPermissionTicket})
 * @throws ServerException if the token store reports a {@code CoreTokenException}
 */
public void deletePermissionTicket(String id) throws NotFoundException, ServerException {
    try {
        // Read before delete: the result is discarded, the call exists so that this method only
        // ever removes a token that reads back as a permission ticket, not any token with this id.
        readPermissionTicket(id);
        cts.delete(id);
    } catch (CoreTokenException e) {
        // NOTE(review): the CoreTokenException is dropped here, and the ticket id ends up in the
        // exception message - confirm that message is not returned verbatim to the caller.
        final String message = "Could not delete token: " + id;
        throw new ServerException(message);
    }
}
use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.
the class ResourceSetRegistrationEndpointTest method setup.
/**
 * Builds a {@code ResourceSetRegistrationEndpoint} spy wired to mocks before each test method.
 *
 * <p>The spy's request carries an HTTP Basic challenge response with raw value {@code "PAT"}, and
 * the OAuth2 request created from it resolves to an access token mock for client
 * {@code "CLIENT_ID"} and resource owner {@code "RESOURCE_OWNER_ID"}.
 */
@BeforeMethod
@SuppressWarnings("unchecked")
public void setup() throws ServerException, InvalidGrantException, NotFoundException {
    // Collaborators that the tests inspect through fields.
    store = mock(ResourceSetStore.class);
    validator = mock(ResourceSetDescriptionValidator.class);
    OAuth2RequestFactory<?, Request> oauth2RequestFactory = mock(OAuth2RequestFactory.class);

    Set<ResourceSetRegistrationHook> registrationHooks = new HashSet<>();
    hook = mock(ResourceSetRegistrationHook.class);
    registrationHooks.add(hook);
    labelRegistration = mock(ResourceSetLabelRegistration.class);

    // The filter manager hands back exactly one registration filter.
    ExtensionFilterManager filterManager = mock(ExtensionFilterManager.class);
    resourceRegistrationFilter = mock(ResourceRegistrationFilter.class);
    given(filterManager.getFilters(ResourceRegistrationFilter.class))
            .willReturn(Collections.singletonList(resourceRegistrationFilter));

    // Any OAuth2 request resolves to provider settings backed by the mocked store.
    OAuth2ProviderSettingsFactory settingsFactory = mock(OAuth2ProviderSettingsFactory.class);
    OAuth2ProviderSettings settings = mock(OAuth2ProviderSettings.class);
    given(settingsFactory.get(Matchers.<OAuth2Request>anyObject())).willReturn(settings);
    given(settings.getResourceSetStore()).willReturn(store);

    ExceptionHandler handler = mock(ExceptionHandler.class);
    UmaLabelsStore labelsStore = mock(UmaLabelsStore.class);

    endpoint = spy(new ResourceSetRegistrationEndpoint(settingsFactory, validator, oauth2RequestFactory,
            registrationHooks, labelRegistration, filterManager, handler, labelsStore,
            jacksonRepresentationFactory));

    // Incoming request presenting the "PAT" value as its challenge response.
    Request restletRequest = mock(Request.class);
    ChallengeResponse patChallenge = new ChallengeResponse(ChallengeScheme.HTTP_BASIC);
    patChallenge.setRawValue("PAT");
    given(restletRequest.getChallengeResponse()).willReturn(patChallenge);
    given(endpoint.getRequest()).willReturn(restletRequest);

    // Token that the OAuth2 request will expose for the request above.
    AccessToken pat = mock(AccessToken.class);
    given(pat.getClientId()).willReturn("CLIENT_ID");
    given(pat.getResourceOwnerId()).willReturn("RESOURCE_OWNER_ID");

    response = mock(Response.class);
    given(endpoint.getResponse()).willReturn(response);

    OAuth2Request oauth2Request = mock(OAuth2Request.class);
    given(oauth2RequestFactory.create(Matchers.<Request>anyObject())).willReturn(oauth2Request);
    given(oauth2Request.getToken(AccessToken.class)).willReturn(pat);
}
use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.
the class Saml2GrantTypeHandler method handle.
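/**
 * Handles a token request that presents a base64-encoded SAML 2.0 assertion as its grant.
 *
 * <p>The assertion is decoded, parsed and validated against the deployment URL. On success an
 * access token is created for the assertion subject's NameID and the validated scope, passed to
 * the provider settings for additional response data, and then stored.
 *
 * <p>An assertion that cannot be base64-decoded is rejected with {@link InvalidGrantException},
 * the same outcome as an assertion that fails parsing or validation.
 *
 * @param request the OAuth2 token request; must carry {@code client_id} and {@code assertion}
 * @return the stored access token
 * @throws InvalidGrantException if the assertion cannot be decoded, parsed or validated
 * @throws InvalidClientException declared for the client registration lookup
 * @throws InvalidRequestException declared for the calls made here
 * @throws ServerException declared for the provider settings and token store calls
 * @throws InvalidScopeException declared for the scope validation
 * @throws NotFoundException declared for the calls made here
 */
public AccessToken handle(OAuth2Request request) throws InvalidGrantException, InvalidClientException, InvalidRequestException, ServerException, InvalidScopeException, NotFoundException {
    final String clientId = request.getParameter(OAuth2Constants.Params.CLIENT_ID);
    Reject.ifTrue(isEmpty(clientId), "Missing parameter, 'client_id'");
    final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);

    // Check the same value that is used below, rather than reading the parameter twice.
    final String assertion = request.getParameter(OAuth2Constants.SAML20.ASSERTION);
    Reject.ifTrue(isEmpty(assertion), "Missing parameter, 'assertion'");
    // NOTE(review): the assertion is a bearer credential; this and the other trace lines write
    // it (and later the issued token) to the log - confirm trace output is access-controlled.
    logger.trace("Assertion:\n" + assertion);

    // Spaces are mapped back to '+' before decoding, presumably because form decoding turned
    // the '+' characters of the base64 text into spaces.
    final byte[] decodedAssertion = Base64.decode(assertion.replace(" ", "+"));
    if (decodedAssertion == null) {
        // Previously only logged, after which new String(null) failed with a NullPointerException.
        // The raw, attacker-supplied value is left out of the error-level log line.
        logger.error("Decoding assertion failed");
        throw new InvalidGrantException("Assertion is invalid");
    }
    // NOTE(review): decodes with the platform default charset - confirm this matches the
    // encoding of the assertions the deployment receives.
    final String finalAssertion = new String(decodedAssertion);
    logger.trace("Decoded assertion:\n" + finalAssertion);

    final Assertion assertionObject;
    final boolean valid;
    try {
        final AssertionFactory factory = AssertionFactory.getInstance();
        assertionObject = factory.createAssertion(finalAssertion);
        valid = validAssertion(assertionObject, getDeploymentUrl(request));
    } catch (SAML2Exception e) {
        logger.error("Error parsing assertion", e);
        throw new InvalidGrantException("Assertion is invalid");
    }
    if (!valid) {
        // The assertion parsed but validAssertion rejected it; say so in the log.
        logger.error("Assertion failed validation");
        throw new InvalidGrantException("Assertion is invalid.");
    }
    logger.trace("Assertion is valid");

    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    final String validatedClaims = providerSettings.validateRequestedClaims((String) request.getParameter(OAuth2Constants.Custom.CLAIMS));
    final String grantType = request.getParameter(OAuth2Constants.Params.GRANT_TYPE);
    final Set<String> scope = splitScope(request.<String>getParameter(OAuth2Constants.Params.SCOPE));
    final Set<String> validatedScope = providerSettings.validateAccessTokenScope(clientRegistration, scope, request);
    // Plain concatenation instead of toString(): a null scope set is tolerated further down,
    // so the log lines must not be the place where it fails.
    logger.trace("Granting scope: " + validatedScope);

    // The token's resource owner is taken from the validated assertion, not from a request parameter.
    final String subjectNameId = assertionObject.getSubject().getNameID().getValue();
    logger.trace("Creating token with data: " + clientRegistration.getAccessTokenType() + "\n"
            + validatedScope + "\n"
            + normaliseRealm(request.<String>getParameter(OAuth2Constants.Params.REALM)) + "\n"
            + subjectNameId + "\n"
            + clientRegistration.getClientId());
    final AccessToken accessToken = tokenStore.createAccessToken(grantType, BEARER, null, subjectNameId,
            clientRegistration.getClientId(), null, validatedScope, null, null, validatedClaims, request);
    logger.trace("Token created: " + accessToken.toString());

    providerSettings.additionalDataToReturnFromTokenEndpoint(accessToken, request);
    if (validatedScope != null && !validatedScope.isEmpty()) {
        accessToken.put(SCOPE, joinScope(validatedScope));
    }
    tokenStore.updateAccessToken(accessToken);
    return accessToken;
}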
use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.
the class OpenAMOAuth2ProviderSettings method createRSAJWK.
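/**
 * Builds the JWK (JSON Web Key) map that publishes the given RSA public key.
 *
 * <p>The key id is a hash over the configured keystore alias, the modulus and the public
 * exponent. The {@code n} and {@code e} members are the base64url encodings of the unsigned
 * big-endian magnitudes, as RFC 7518 section 6.3.1 requires.
 *
 * @param key the RSA public key to publish
 * @param use the intended use of the key, written to the {@code use} member
 * @param alg the algorithm name, written to the {@code alg} member
 * @return the JWK as a map
 * @throws ServerException if the alias setting cannot be read or is blank
 */
private Map<String, Object> createRSAJWK(RSAPublicKey key, KeyUse use, String alg) throws ServerException {
    String alias;
    try {
        alias = getStringSetting(realm, OAuth2Constants.OAuth2ProviderService.KEYSTORE_ALIAS);
    } catch (SSOException | SMSException e) {
        // Log the exception itself, not just its (possibly null) message.
        logger.error(e.getMessage(), e);
        throw new ServerException(e);
    }

    if (StringUtils.isBlank(alias)) {
        logger.error("Alias of ID Token Signing Key not set.");
        throw new ServerException("Alias of ID Token Signing Key not set.");
    } else if ("test".equals(alias)) {
        // Still served, only warned about: tokens signed with the default 'test' key should not
        // be relied on - presumably that key pair ships with the product and is not secret.
        logger.warning("Alias of ID Token Signing Key should be changed from default, 'test'.");
    }

    String kid = Hash.hash(alias + key.getModulus().toString() + key.getPublicExponent().toString());
    return json(object(
            field("kty", "RSA"),
            field(OAuth2Constants.JWTTokenParams.KEY_ID, kid),
            field("use", use.toString()),
            field("alg", alg),
            field("n", Base64url.encode(unsignedMagnitude(key.getModulus()))),
            field("e", Base64url.encode(unsignedMagnitude(key.getPublicExponent()))))).asMap();
}

/**
 * Returns the big-endian magnitude of a non-negative integer without a sign octet.
 *
 * <p>{@code BigInteger.toByteArray()} is two's-complement, so a value whose top bit is set
 * (every full-length RSA modulus) comes back with a leading zero octet that must not appear
 * in a JWK.
 */
private static byte[] unsignedMagnitude(java.math.BigInteger value) {
    byte[] twosComplement = value.toByteArray();
    if (twosComplement.length > 1 && twosComplement[0] == 0) {
        return java.util.Arrays.copyOfRange(twosComplement, 1, twosComplement.length);
    }
    return twosComplement;
}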