
Example 41 with ServerException

use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.

the class AuthorizationRequestEndpoint method isEntitled.

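/**
 * Decides whether the requesting party is entitled to every scope a permission ticket asks for.
 *
 * <p>The resource set named by the ticket is resolved first (exactly one match is required). The
 * resource owner is implicitly granted all scopes; any other party gets the UMA policies for the
 * resource evaluated, and a scope counts as granted only when some entitlement carries an explicit
 * {@code true} action value for it.
 *
 * @param umaProviderSettings    supplies the policy evaluator for the requesting party.
 * @param oauth2ProviderSettings supplies the resource set store used to resolve the ticket.
 * @param permissionTicket       carries the realm, resource set id, client id and requested scopes.
 * @param requestingPartyId      identity of the party asking for access.
 * @return {@code true} when no requested scope is left ungranted.
 * @throws ServerException      if the resource set referenced by the ticket cannot be found.
 * @throws EntitlementException if policy evaluation fails.
 * @throws UmaException         propagated from the before/after authorization callbacks (assumed;
 *                              their declarations are outside this listing).
 */
private boolean isEntitled(UmaProviderSettings umaProviderSettings, OAuth2ProviderSettings oauth2ProviderSettings, PermissionTicket permissionTicket, String requestingPartyId) throws EntitlementException, ServerException, UmaException {
    String realm = permissionTicket.getRealm();
    String resourceSetId = permissionTicket.getResourceSetId();
    String resourceName;
    Subject resourceOwnerSubject;
    try {
        ResourceSetStore store = oauth2ProviderSettings.getResourceSetStore();
        Set<ResourceSetDescription> results = store.query(QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
        // Zero or several matches are both treated as "not found": the ticket must map to one resource set
        if (results.size() != 1) {
            throw new NotFoundException("Could not find Resource Set, " + resourceSetId);
        }
        ResourceSetDescription resourceSet = results.iterator().next();
        resourceName = UmaConstants.UMA_POLICY_SCHEME + resourceSet.getId();
        resourceOwnerSubject = UmaUtils.createSubject(createIdentity(resourceSet.getResourceOwnerId(), realm));
    } catch (NotFoundException e) {
        debug.message("Couldn't find resource that permission ticket is registered for", e);
        throw new ServerException("Couldn't find resource that permission ticket is registered for");
    }
    Subject requestingPartySubject = UmaUtils.createSubject(createIdentity(requestingPartyId, realm));
    beforeAuthorization(permissionTicket, requestingPartySubject, resourceOwnerSubject);
    // Implicitly grant access to the resource owner
    if (isRequestingPartyResourceOwner(requestingPartySubject, resourceOwnerSubject)) {
        afterAuthorization(true, permissionTicket, requestingPartySubject, resourceOwnerSubject);
        return true;
    }
    // Locale.ROOT keeps the lower-cased client id independent of the JVM's default locale
    String resourceServerClientId = permissionTicket.getResourceServerClientId().toLowerCase(java.util.Locale.ROOT);
    List<Entitlement> entitlements = umaProviderSettings.getPolicyEvaluator(requestingPartySubject, resourceServerClientId).evaluate(realm, requestingPartySubject, resourceName, null, false);
    Set<String> requestedScopes = permissionTicket.getScopes();
    // Start with every requested scope outstanding and strike off those some entitlement grants
    Set<String> requiredScopes = new HashSet<>(requestedScopes);
    for (Entitlement entitlement : entitlements) {
        if (requiredScopes.isEmpty()) {
            break;
        }
        for (String requestedScope : requestedScopes) {
            // Only an explicit true grants the scope; a null or false action value leaves it outstanding
            if (Boolean.TRUE.equals(entitlement.getActionValue(requestedScope))) {
                requiredScopes.remove(requestedScope);
            }
        }
    }
    boolean isAuthorized = requiredScopes.isEmpty();
    afterAuthorization(isAuthorized, permissionTicket, requestingPartySubject, resourceOwnerSubject);
    return isAuthorized;
}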
Also used : ServerException(org.forgerock.oauth2.core.exceptions.ServerException) NotFoundException(org.forgerock.oauth2.core.exceptions.NotFoundException) ResourceSetDescription(org.forgerock.oauth2.resources.ResourceSetDescription) Subject(javax.security.auth.Subject) ResourceSetStore(org.forgerock.oauth2.resources.ResourceSetStore) Entitlement(com.sun.identity.entitlement.Entitlement) HashSet(java.util.HashSet)

Example 42 with ServerException

use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.

the class UmaTokenStore method deletePermissionTicket.

/**
 * Removes the permission ticket stored under {@code id} from the core token store.
 *
 * <p>The ticket is read back before the delete so that only an id that resolves to a permission
 * ticket can be removed through this method.
 *
 * @param id the token id of the permission ticket.
 * @throws NotFoundException presumably raised by {@code readPermissionTicket} when the id does not
 *                           resolve to a permission ticket (its declaration is outside this listing).
 * @throws ServerException   if the token store fails while reading or deleting.
 */
public void deletePermissionTicket(String id) throws NotFoundException, ServerException {
    try {
        // Reading first rejects ids that do not belong to a permission ticket
        readPermissionTicket(id);
        cts.delete(id);
    } catch (CoreTokenException storeFailure) {
        // NOTE(review): the CoreTokenException is not attached as the cause of the ServerException
        String reason = "Could not delete token: " + id;
        throw new ServerException(reason);
    }
}
Also used : ServerException(org.forgerock.oauth2.core.exceptions.ServerException) CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException)

Example 43 with ServerException

use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.

the class ResourceSetRegistrationEndpointTest method setup.

/**
 * Wires a {@code ResourceSetRegistrationEndpoint} spy with every collaborator mocked.
 *
 * <p>The spy's {@code getRequest()}/{@code getResponse()} are stubbed; the request carries a basic
 * challenge whose raw value stands in for a PAT, and the request factory maps any Restlet request to
 * an {@code OAuth2Request} that yields the mocked access token.
 */
@BeforeMethod
@SuppressWarnings("unchecked")
public void setup() throws ServerException, InvalidGrantException, NotFoundException {
    // Collaborators kept in fields so individual tests can stub or verify them
    store = mock(ResourceSetStore.class);
    validator = mock(ResourceSetDescriptionValidator.class);
    hook = mock(ResourceSetRegistrationHook.class);
    labelRegistration = mock(ResourceSetLabelRegistration.class);
    resourceRegistrationFilter = mock(ResourceRegistrationFilter.class);

    OAuth2RequestFactory<?, Request> oauth2RequestFactory = mock(OAuth2RequestFactory.class);
    Set<ResourceSetRegistrationHook> registrationHooks = new HashSet<>();
    registrationHooks.add(hook);

    ExtensionFilterManager filterManager = mock(ExtensionFilterManager.class);
    given(filterManager.getFilters(ResourceRegistrationFilter.class)).willReturn(Collections.singletonList(resourceRegistrationFilter));

    OAuth2ProviderSettings providerSettings = mock(OAuth2ProviderSettings.class);
    given(providerSettings.getResourceSetStore()).willReturn(store);
    OAuth2ProviderSettingsFactory settingsFactory = mock(OAuth2ProviderSettingsFactory.class);
    given(settingsFactory.get(Matchers.<OAuth2Request>anyObject())).willReturn(providerSettings);

    ExceptionHandler exceptionHandler = mock(ExceptionHandler.class);
    UmaLabelsStore labelsStore = mock(UmaLabelsStore.class);
    endpoint = spy(new ResourceSetRegistrationEndpoint(settingsFactory, validator, oauth2RequestFactory, registrationHooks, labelRegistration, filterManager, exceptionHandler, labelsStore, jacksonRepresentationFactory));

    // The raw challenge value is what the endpoint sees as the PAT
    ChallengeResponse patChallenge = new ChallengeResponse(ChallengeScheme.HTTP_BASIC);
    patChallenge.setRawValue("PAT");
    Request restletRequest = mock(Request.class);
    given(restletRequest.getChallengeResponse()).willReturn(patChallenge);
    given(endpoint.getRequest()).willReturn(restletRequest);

    response = mock(Response.class);
    given(endpoint.getResponse()).willReturn(response);

    AccessToken accessToken = mock(AccessToken.class);
    given(accessToken.getClientId()).willReturn("CLIENT_ID");
    given(accessToken.getResourceOwnerId()).willReturn("RESOURCE_OWNER_ID");
    OAuth2Request oAuth2Request = mock(OAuth2Request.class);
    given(oAuth2Request.getToken(AccessToken.class)).willReturn(accessToken);
    given(oauth2RequestFactory.create(Matchers.<Request>anyObject())).willReturn(oAuth2Request);
}
Also used : ResourceSetRegistrationHook(org.forgerock.oauth2.restlet.resources.ResourceSetRegistrationHook) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) Request(org.restlet.Request) ResourceRegistrationFilter(org.forgerock.openam.oauth2.extensions.ResourceRegistrationFilter) ResourceSetDescriptionValidator(org.forgerock.oauth2.restlet.resources.ResourceSetDescriptionValidator) ChallengeResponse(org.restlet.data.ChallengeResponse) ExceptionHandler(org.forgerock.oauth2.restlet.ExceptionHandler) ChallengeResponse(org.restlet.data.ChallengeResponse) Response(org.restlet.Response) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) OAuth2ProviderSettingsFactory(org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory) ResourceSetStore(org.forgerock.oauth2.resources.ResourceSetStore) AccessToken(org.forgerock.oauth2.core.AccessToken) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings) UmaLabelsStore(org.forgerock.openam.oauth2.resources.labels.UmaLabelsStore) ExtensionFilterManager(org.forgerock.openam.oauth2.extensions.ExtensionFilterManager) HashSet(java.util.HashSet) BeforeMethod(org.testng.annotations.BeforeMethod)

Example 44 with ServerException

use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.

the class Saml2GrantTypeHandler method handle.

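/**
 * Exchanges a SAML 2.0 bearer assertion for an access token.
 *
 * <p>The {@code assertion} parameter is base64-decoded (spaces are turned back into '+' first, as
 * form encoding mangles them), parsed and checked with {@code validAssertion}. Only a valid
 * assertion with a subject NameID yields a token, which is issued to that NameID on behalf of the
 * requesting client with the provider-validated scope and claims.
 *
 * @param request the token request; must carry {@code client_id} and {@code assertion}, and may
 *                carry scope, realm and claims parameters.
 * @return the newly created and stored access token.
 * @throws InvalidGrantException   if the assertion cannot be decoded or parsed, fails validation, or
 *                                 names no subject NameID.
 * @throws InvalidClientException  propagated from the client registration lookup.
 * @throws InvalidScopeException   if the provider settings reject the requested scope.
 * @throws InvalidRequestException propagated from the provider settings and token store.
 * @throws ServerException         propagated from the provider settings and token store.
 * @throws NotFoundException       propagated from the provider settings and token store.
 */
public AccessToken handle(OAuth2Request request) throws InvalidGrantException, InvalidClientException, InvalidRequestException, ServerException, InvalidScopeException, NotFoundException {
    String clientId = request.getParameter(OAuth2Constants.Params.CLIENT_ID);
    Reject.ifTrue(isEmpty(clientId), "Missing parameter, 'client_id'");
    final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
    Reject.ifTrue(isEmpty(request.<String>getParameter("assertion")), "Missing parameter, 'assertion'");
    final String assertion = request.getParameter(OAuth2Constants.SAML20.ASSERTION);
    logger.trace("Assertion:\n" + assertion);
    // Form encoding turns '+' into ' '; restore it before base64 decoding
    final byte[] decodedAssertion = Base64.decode(assertion.replace(" ", "+"));
    if (decodedAssertion == null) {
        // An undecodable assertion is a grant error; falling through would NPE on the next line
        logger.error("Decoding assertion failed\nassertion:" + assertion);
        throw new InvalidGrantException("Assertion is invalid");
    }
    // Decode the XML bytes as UTF-8 rather than the platform default charset
    final String finalAssertion = new String(decodedAssertion, java.nio.charset.StandardCharsets.UTF_8);
    logger.trace("Decoded assertion:\n" + finalAssertion);
    final Assertion assertionObject;
    final boolean valid;
    try {
        final AssertionFactory factory = AssertionFactory.getInstance();
        assertionObject = factory.createAssertion(finalAssertion);
        valid = validAssertion(assertionObject, getDeploymentUrl(request));
    } catch (SAML2Exception e) {
        logger.error("Error parsing assertion", e);
        throw new InvalidGrantException("Assertion is invalid");
    }
    if (!valid) {
        logger.error("Error parsing assertion");
        throw new InvalidGrantException("Assertion is invalid.");
    }
    // The token is issued to the subject's NameID, so an assertion without one cannot be honoured
    if (assertionObject.getSubject() == null || assertionObject.getSubject().getNameID() == null) {
        logger.error("Assertion has no subject NameID");
        throw new InvalidGrantException("Assertion is invalid.");
    }
    final String subjectName = assertionObject.getSubject().getNameID().getValue();
    logger.trace("Assertion is valid");
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    final String validatedClaims = providerSettings.validateRequestedClaims((String) request.getParameter(OAuth2Constants.Custom.CLAIMS));
    final String grantType = request.getParameter(OAuth2Constants.Params.GRANT_TYPE);
    final Set<String> scope = splitScope(request.<String>getParameter(OAuth2Constants.Params.SCOPE));
    final Set<String> validatedScope = providerSettings.validateAccessTokenScope(clientRegistration, scope, request);
    // String concatenation tolerates a null validated scope, which the put() below also guards against
    logger.trace("Granting scope: " + validatedScope);
    logger.trace("Creating token with data: " + clientRegistration.getAccessTokenType() + "\n" + validatedScope + "\n" + normaliseRealm(request.<String>getParameter(OAuth2Constants.Params.REALM)) + "\n" + subjectName + "\n" + clientRegistration.getClientId());
    final AccessToken accessToken = tokenStore.createAccessToken(grantType, BEARER, null, subjectName, clientRegistration.getClientId(), null, validatedScope, null, null, validatedClaims, request);
    logger.trace("Token created: " + accessToken);
    providerSettings.additionalDataToReturnFromTokenEndpoint(accessToken, request);
    if (validatedScope != null && !validatedScope.isEmpty()) {
        accessToken.put(SCOPE, joinScope(validatedScope));
    }
    tokenStore.updateAccessToken(accessToken);
    return accessToken;
}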
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory) ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) AccessToken(org.forgerock.oauth2.core.AccessToken) Assertion(com.sun.identity.saml2.assertion.Assertion) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings) InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException)

Example 45 with ServerException

use of org.forgerock.oauth2.core.exceptions.ServerException in project OpenAM by OpenRock.

the class OpenAMOAuth2ProviderSettings method createRSAJWK.

/**
 * Describes an RSA public key as a JSON Web Key map.
 *
 * <p>The key id is a hash over the configured keystore alias concatenated with the key's modulus
 * and public exponent, so it changes whenever the alias or the key material changes.
 *
 * @param key the RSA public key to describe.
 * @param use the key use; its {@code toString()} is emitted verbatim as the {@code use} member.
 * @param alg the algorithm name emitted as the {@code alg} member.
 * @return a map with the {@code kty}, key id, {@code use}, {@code alg}, {@code n} and {@code e} members.
 * @throws ServerException if the keystore alias setting cannot be read or is blank.
 */
private Map<String, Object> createRSAJWK(RSAPublicKey key, KeyUse use, String alg) throws ServerException {
    String signingKeyAlias;
    try {
        signingKeyAlias = getStringSetting(realm, OAuth2Constants.OAuth2ProviderService.KEYSTORE_ALIAS);
    } catch (SSOException | SMSException settingsFailure) {
        logger.error(settingsFailure.getMessage());
        throw new ServerException(settingsFailure);
    }
    if (StringUtils.isBlank(signingKeyAlias)) {
        logger.error("Alias of ID Token Signing Key not set.");
        throw new ServerException("Alias of ID Token Signing Key not set.");
    }
    if ("test".equals(signingKeyAlias)) {
        // 'test' is the default alias; the deployment is expected to replace it
        logger.warning("Alias of ID Token Signing Key should be changed from default, 'test'.");
    }
    // No separators in the hashed string: keep as-is, since published key ids depend on this exact input
    String modulus = key.getModulus().toString();
    String exponent = key.getPublicExponent().toString();
    String keyId = Hash.hash(signingKeyAlias + modulus + exponent);
    return json(object(
            field("kty", "RSA"),
            field(OAuth2Constants.JWTTokenParams.KEY_ID, keyId),
            field("use", use.toString()),
            field("alg", alg),
            field("n", Base64url.encode(key.getModulus().toByteArray())),
            field("e", Base64url.encode(key.getPublicExponent().toByteArray())))).asMap();
}
Also used : ServerException(org.forgerock.oauth2.core.exceptions.ServerException) SMSException(com.sun.identity.sm.SMSException) SSOException(com.iplanet.sso.SSOException)
