
Example 1 with ApprovedSite

use of org.mitre.openid.connect.model.ApprovedSite in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class MITREidDataService_1_3 method fixObjectReferences.

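/**
 * Re-links the entities imported by the preceding read passes.
 *
 * The export format refers to related objects by the ids they had in the
 * source system. The read passes record, in {@code maps}, the old id of every
 * imported refresh token, access token, authentication holder and grant
 * together with the id it received when saved here, plus the cross references
 * found in the file. This pass resolves those references against the new ids
 * and persists the relationships: client and authentication holder on refresh
 * tokens; client, authentication holder and refresh token on access tokens;
 * and approved site on the access tokens each grant listed. The reference maps
 * in {@code maps} are left populated.
 *
 * Every reference must resolve. A token, holder, client or site that cannot be
 * found after the read passes means the export is inconsistent, and the import
 * fails with an {@link IllegalStateException} naming the dangling reference
 * instead of persisting an unlinked entity (a token with no client or holder)
 * or dying with a bare {@code NullPointerException}.
 *
 * @throws IllegalStateException if an old id or client id recorded in
 *         {@code maps} does not resolve to an imported entity
 */
private void fixObjectReferences() {
    logger.info("Fixing object references...");
    // refresh token -> client
    for (Long oldRefreshTokenId : maps.getRefreshTokenToClientRefs().keySet()) {
        String clientRef = maps.getRefreshTokenToClientRefs().get(oldRefreshTokenId);
        ClientDetailsEntity client = requireImported(
                clientRepository.getClientByClientId(clientRef), "client", clientRef);
        Long newRefreshTokenId = maps.getRefreshTokenOldToNewIdMap().get(oldRefreshTokenId);
        OAuth2RefreshTokenEntity refreshToken = requireImported(
                tokenRepository.getRefreshTokenById(newRefreshTokenId), "refresh token", oldRefreshTokenId);
        refreshToken.setClient(client);
        tokenRepository.saveRefreshToken(refreshToken);
    }
    // refresh token -> authentication holder
    for (Long oldRefreshTokenId : maps.getRefreshTokenToAuthHolderRefs().keySet()) {
        Long oldAuthHolderId = maps.getRefreshTokenToAuthHolderRefs().get(oldRefreshTokenId);
        Long newAuthHolderId = maps.getAuthHolderOldToNewIdMap().get(oldAuthHolderId);
        AuthenticationHolderEntity authHolder = requireImported(
                authHolderRepository.getById(newAuthHolderId), "authentication holder", oldAuthHolderId);
        Long newRefreshTokenId = maps.getRefreshTokenOldToNewIdMap().get(oldRefreshTokenId);
        OAuth2RefreshTokenEntity refreshToken = requireImported(
                tokenRepository.getRefreshTokenById(newRefreshTokenId), "refresh token", oldRefreshTokenId);
        refreshToken.setAuthenticationHolder(authHolder);
        tokenRepository.saveRefreshToken(refreshToken);
    }
    // access token -> client
    for (Long oldAccessTokenId : maps.getAccessTokenToClientRefs().keySet()) {
        String clientRef = maps.getAccessTokenToClientRefs().get(oldAccessTokenId);
        ClientDetailsEntity client = requireImported(
                clientRepository.getClientByClientId(clientRef), "client", clientRef);
        Long newAccessTokenId = maps.getAccessTokenOldToNewIdMap().get(oldAccessTokenId);
        OAuth2AccessTokenEntity accessToken = requireImported(
                tokenRepository.getAccessTokenById(newAccessTokenId), "access token", oldAccessTokenId);
        accessToken.setClient(client);
        tokenRepository.saveAccessToken(accessToken);
    }
    // access token -> authentication holder
    for (Long oldAccessTokenId : maps.getAccessTokenToAuthHolderRefs().keySet()) {
        Long oldAuthHolderId = maps.getAccessTokenToAuthHolderRefs().get(oldAccessTokenId);
        Long newAuthHolderId = maps.getAuthHolderOldToNewIdMap().get(oldAuthHolderId);
        AuthenticationHolderEntity authHolder = requireImported(
                authHolderRepository.getById(newAuthHolderId), "authentication holder", oldAuthHolderId);
        Long newAccessTokenId = maps.getAccessTokenOldToNewIdMap().get(oldAccessTokenId);
        OAuth2AccessTokenEntity accessToken = requireImported(
                tokenRepository.getAccessTokenById(newAccessTokenId), "access token", oldAccessTokenId);
        accessToken.setAuthenticationHolder(authHolder);
        tokenRepository.saveAccessToken(accessToken);
    }
    // access token -> refresh token
    for (Long oldAccessTokenId : maps.getAccessTokenToRefreshTokenRefs().keySet()) {
        Long oldRefreshTokenId = maps.getAccessTokenToRefreshTokenRefs().get(oldAccessTokenId);
        Long newRefreshTokenId = maps.getRefreshTokenOldToNewIdMap().get(oldRefreshTokenId);
        OAuth2RefreshTokenEntity refreshToken = requireImported(
                tokenRepository.getRefreshTokenById(newRefreshTokenId), "refresh token", oldRefreshTokenId);
        Long newAccessTokenId = maps.getAccessTokenOldToNewIdMap().get(oldAccessTokenId);
        OAuth2AccessTokenEntity accessToken = requireImported(
                tokenRepository.getAccessTokenById(newAccessTokenId), "access token", oldAccessTokenId);
        accessToken.setRefreshToken(refreshToken);
        tokenRepository.saveAccessToken(accessToken);
    }
    // grant (approved site) -> its access tokens
    for (Long oldGrantId : maps.getGrantToAccessTokensRefs().keySet()) {
        Set<Long> oldAccessTokenIds = maps.getGrantToAccessTokensRefs().get(oldGrantId);
        Long newGrantId = maps.getGrantOldToNewIdMap().get(oldGrantId);
        ApprovedSite site = requireImported(
                approvedSiteRepository.getById(newGrantId), "approved site", oldGrantId);
        for (Long oldTokenId : oldAccessTokenIds) {
            Long newTokenId = maps.getAccessTokenOldToNewIdMap().get(oldTokenId);
            OAuth2AccessTokenEntity token = requireImported(
                    tokenRepository.getAccessTokenById(newTokenId), "access token", oldTokenId);
            token.setApprovedSite(site);
            tokenRepository.saveAccessToken(token);
        }
        approvedSiteRepository.save(site);
    }
    logger.info("Done fixing object references.");
}

/**
 * Returns {@code entity} when the lookup found it, otherwise fails the import.
 *
 * @param entity    the repository lookup result, possibly {@code null}
 * @param kind      human-readable entity kind used in the error message
 * @param reference the id from the export (old numeric id or client id) that was being resolved
 * @param <T>       the entity type
 * @return {@code entity}, never {@code null}
 * @throws IllegalStateException if {@code entity} is {@code null}
 */
private static <T> T requireImported(T entity, String kind, Object reference) {
    if (entity == null) {
        throw new IllegalStateException(
                "Dangling " + kind + " reference in import data: " + reference);
    }
    return entity;
}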

Example 2 with ApprovedSite

use of org.mitre.openid.connect.model.ApprovedSite in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class MITREidDataService_1_3 method readGrants.

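/**
 * Reads the grants array of the export and stores each entry as an {@link ApprovedSite}.
 *
 * Consumes one JSON array of objects. Recognised fields are {@code ID}, {@code ACCESS_DATE},
 * {@code CLIENT_ID}, {@code CREATION_DATE}, {@code TIMEOUT_DATE}, {@code USER_ID},
 * {@code ALLOWED_SCOPES} and {@code APPROVED_ACCESS_TOKENS}; null values and unknown fields
 * are skipped. Each site is saved, its exported id is mapped to the newly assigned id in
 * {@code maps.getGrantOldToNewIdMap()}, and the exported access-token ids it listed (if any)
 * are recorded in {@code maps.getGrantToAccessTokensRefs()} for the later reference-fixing pass.
 *
 * A grant entry without an {@code ID} field is rejected. Recording it under a {@code null} key
 * would either be refused by the map or merge every id-less grant into one slot, so that their
 * token references would later be attached to whichever of those sites was saved last.
 *
 * @param reader positioned at the start of the grants array; left positioned after its end
 * @throws IOException on a JSON read error, or if a grant entry has no id
 */
private void readGrants(JsonReader reader) throws IOException {
    reader.beginArray();
    while (reader.hasNext()) {
        ApprovedSite site = new ApprovedSite();
        Long currentId = null;
        Set<Long> tokenIds = null;
        reader.beginObject();
        while (reader.hasNext()) {
            switch (reader.peek()) {
                case END_OBJECT:
                    continue;
                case NAME:
                    String name = reader.nextName();
                    if (reader.peek() == JsonToken.NULL) {
                        reader.skipValue();
                    } else if (name.equals(ID)) {
                        currentId = reader.nextLong();
                    } else if (name.equals(ACCESS_DATE)) {
                        site.setAccessDate(utcToDate(reader.nextString()));
                    } else if (name.equals(CLIENT_ID)) {
                        site.setClientId(reader.nextString());
                    } else if (name.equals(CREATION_DATE)) {
                        site.setCreationDate(utcToDate(reader.nextString()));
                    } else if (name.equals(TIMEOUT_DATE)) {
                        site.setTimeoutDate(utcToDate(reader.nextString()));
                    } else if (name.equals(USER_ID)) {
                        site.setUserId(reader.nextString());
                    } else if (name.equals(ALLOWED_SCOPES)) {
                        Set<String> allowedScopes = readSet(reader);
                        site.setAllowedScopes(allowedScopes);
                    } else if (name.equals(APPROVED_ACCESS_TOKENS)) {
                        tokenIds = readSet(reader);
                    } else {
                        logger.debug("Found unexpected entry");
                        reader.skipValue();
                    }
                    break;
                default:
                    logger.debug("Found unexpected entry");
                    reader.skipValue();
                    continue;
            }
        }
        reader.endObject();
        // Fail before saving: an id-less grant could never be linked back to its tokens.
        if (currentId == null) {
            throw new IOException("Grant entry without an id in import data");
        }
        Long newId = approvedSiteRepository.save(site).getId();
        maps.getGrantOldToNewIdMap().put(currentId, newId);
        if (tokenIds != null) {
            maps.getGrantToAccessTokensRefs().put(currentId, tokenIds);
        }
        logger.debug("Read grant {}", currentId);
    }
    reader.endArray();
    logger.info("Done reading grants");
}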

Example 3 with ApprovedSite

use of org.mitre.openid.connect.model.ApprovedSite in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class TofuUserApprovalHandler method checkForPreApproval.

/**
 * Decides whether an authorization request can be approved without showing the
 * consent page.
 *
 * Two sources of prior approval are consulted, in order: the user's stored
 * {@link ApprovedSite} entries for this client, then the client's
 * {@link WhitelistedSite}. A stored entry counts only if it has not expired and
 * its allowed scopes match the requested scopes as judged by
 * {@code systemScopes}; every such entry has its access date refreshed and is
 * saved, and its id is written to the request extensions under
 * {@code APPROVED_SITE} (the last match wins). The whitelist is consulted only
 * when no stored entry matched and approves the request when its allowed scopes
 * match. Neither source is consulted when the request's {@code prompt}
 * parameter includes {@code consent}; the request is then returned untouched so
 * the user is asked explicitly.
 *
 * @param authorizationRequest the incoming authorization request; marked approved in place when a prior decision applies
 * @param userAuthentication   the Principal of the currently logged-in user
 * @return the same {@code authorizationRequest} instance
 */
@Override
public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
    String userId = userAuthentication.getName();
    String clientId = authorizationRequest.getClientId();

    // prompt may carry several values; "consent" anywhere in it disables every shortcut below
    String requestedPrompt = (String) authorizationRequest.getExtensions().get(PROMPT);
    List<String> promptValues = Splitter.on(PROMPT_SEPARATOR).splitToList(Strings.nullToEmpty(requestedPrompt));
    if (promptValues.contains(PROMPT_CONSENT)) {
        return authorizationRequest;
    }

    // stored decisions for this user/client pair
    boolean approvedFromStore = false;
    Collection<ApprovedSite> storedApprovals = approvedSiteService.getByClientIdAndUserId(clientId, userId);
    for (ApprovedSite stored : storedApprovals) {
        if (stored.isExpired() || !systemScopes.scopesMatch(stored.getAllowedScopes(), authorizationRequest.getScope())) {
            continue;
        }
        // usable match: record the access, tag the request with the entry and approve it
        stored.setAccessDate(new Date());
        approvedSiteService.save(stored);
        authorizationRequest.getExtensions().put(APPROVED_SITE, stored.getId().toString());
        authorizationRequest.setApproved(true);
        setAuthTime(authorizationRequest);
        approvedFromStore = true;
    }
    if (approvedFromStore) {
        return authorizationRequest;
    }

    // no stored decision fit; fall back to the client's whitelist entry, if any
    WhitelistedSite whitelisted = whitelistedSiteService.getByClientId(clientId);
    if (whitelisted != null && systemScopes.scopesMatch(whitelisted.getAllowedScopes(), authorizationRequest.getScope())) {
        authorizationRequest.setApproved(true);
        setAuthTime(authorizationRequest);
    }
    return authorizationRequest;
}

Example 4 with ApprovedSite

use of org.mitre.openid.connect.model.ApprovedSite in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class MITREidDataService_1_0 method fixObjectReferences.

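/**
 * Re-links the entities imported by the preceding read passes.
 *
 * The export format refers to related objects by the ids they had in the
 * source system. {@code maps} holds, for every imported refresh token, access
 * token, authentication holder and grant, the old id together with the id it
 * received when saved here, plus the cross references found in the file. This
 * pass resolves those references against the new ids and persists the
 * relationships: client and authentication holder on refresh tokens; client,
 * authentication holder and refresh token on access tokens; and approved site
 * on the access tokens each grant listed. Only the access-token-to-holder
 * reference map is cleared afterwards; the others are left populated.
 *
 * Every reference must resolve. A token, holder, client or site that cannot be
 * found after the read passes means the export is inconsistent, and the import
 * fails with an {@link IllegalStateException} naming the dangling reference
 * instead of persisting an unlinked entity (a token with no client or holder)
 * or dying with a bare {@code NullPointerException}.
 *
 * @throws IllegalStateException if an old id or client id recorded in
 *         {@code maps} does not resolve to an imported entity
 */
private void fixObjectReferences() {
    // refresh token -> client
    for (Long oldRefreshTokenId : maps.getRefreshTokenToClientRefs().keySet()) {
        String clientRef = maps.getRefreshTokenToClientRefs().get(oldRefreshTokenId);
        ClientDetailsEntity client = requireImported(
                clientRepository.getClientByClientId(clientRef), "client", clientRef);
        Long newRefreshTokenId = maps.getRefreshTokenOldToNewIdMap().get(oldRefreshTokenId);
        OAuth2RefreshTokenEntity refreshToken = requireImported(
                tokenRepository.getRefreshTokenById(newRefreshTokenId), "refresh token", oldRefreshTokenId);
        refreshToken.setClient(client);
        tokenRepository.saveRefreshToken(refreshToken);
    }
    // refresh token -> authentication holder
    for (Long oldRefreshTokenId : maps.getRefreshTokenToAuthHolderRefs().keySet()) {
        Long oldAuthHolderId = maps.getRefreshTokenToAuthHolderRefs().get(oldRefreshTokenId);
        Long newAuthHolderId = maps.getAuthHolderOldToNewIdMap().get(oldAuthHolderId);
        AuthenticationHolderEntity authHolder = requireImported(
                authHolderRepository.getById(newAuthHolderId), "authentication holder", oldAuthHolderId);
        Long newRefreshTokenId = maps.getRefreshTokenOldToNewIdMap().get(oldRefreshTokenId);
        OAuth2RefreshTokenEntity refreshToken = requireImported(
                tokenRepository.getRefreshTokenById(newRefreshTokenId), "refresh token", oldRefreshTokenId);
        refreshToken.setAuthenticationHolder(authHolder);
        tokenRepository.saveRefreshToken(refreshToken);
    }
    // access token -> client
    for (Long oldAccessTokenId : maps.getAccessTokenToClientRefs().keySet()) {
        String clientRef = maps.getAccessTokenToClientRefs().get(oldAccessTokenId);
        ClientDetailsEntity client = requireImported(
                clientRepository.getClientByClientId(clientRef), "client", clientRef);
        Long newAccessTokenId = maps.getAccessTokenOldToNewIdMap().get(oldAccessTokenId);
        OAuth2AccessTokenEntity accessToken = requireImported(
                tokenRepository.getAccessTokenById(newAccessTokenId), "access token", oldAccessTokenId);
        accessToken.setClient(client);
        tokenRepository.saveAccessToken(accessToken);
    }
    // access token -> authentication holder
    for (Long oldAccessTokenId : maps.getAccessTokenToAuthHolderRefs().keySet()) {
        Long oldAuthHolderId = maps.getAccessTokenToAuthHolderRefs().get(oldAccessTokenId);
        Long newAuthHolderId = maps.getAuthHolderOldToNewIdMap().get(oldAuthHolderId);
        AuthenticationHolderEntity authHolder = requireImported(
                authHolderRepository.getById(newAuthHolderId), "authentication holder", oldAuthHolderId);
        Long newAccessTokenId = maps.getAccessTokenOldToNewIdMap().get(oldAccessTokenId);
        OAuth2AccessTokenEntity accessToken = requireImported(
                tokenRepository.getAccessTokenById(newAccessTokenId), "access token", oldAccessTokenId);
        accessToken.setAuthenticationHolder(authHolder);
        tokenRepository.saveAccessToken(accessToken);
    }
    maps.getAccessTokenToAuthHolderRefs().clear();
    // access token -> refresh token
    for (Long oldAccessTokenId : maps.getAccessTokenToRefreshTokenRefs().keySet()) {
        Long oldRefreshTokenId = maps.getAccessTokenToRefreshTokenRefs().get(oldAccessTokenId);
        Long newRefreshTokenId = maps.getRefreshTokenOldToNewIdMap().get(oldRefreshTokenId);
        OAuth2RefreshTokenEntity refreshToken = requireImported(
                tokenRepository.getRefreshTokenById(newRefreshTokenId), "refresh token", oldRefreshTokenId);
        Long newAccessTokenId = maps.getAccessTokenOldToNewIdMap().get(oldAccessTokenId);
        OAuth2AccessTokenEntity accessToken = requireImported(
                tokenRepository.getAccessTokenById(newAccessTokenId), "access token", oldAccessTokenId);
        accessToken.setRefreshToken(refreshToken);
        tokenRepository.saveAccessToken(accessToken);
    }
    // grant (approved site) -> its access tokens
    for (Long oldGrantId : maps.getGrantToAccessTokensRefs().keySet()) {
        Set<Long> oldAccessTokenIds = maps.getGrantToAccessTokensRefs().get(oldGrantId);
        Long newGrantId = maps.getGrantOldToNewIdMap().get(oldGrantId);
        ApprovedSite site = requireImported(
                approvedSiteRepository.getById(newGrantId), "approved site", oldGrantId);
        for (Long oldTokenId : oldAccessTokenIds) {
            Long newTokenId = maps.getAccessTokenOldToNewIdMap().get(oldTokenId);
            OAuth2AccessTokenEntity token = requireImported(
                    tokenRepository.getAccessTokenById(newTokenId), "access token", oldTokenId);
            token.setApprovedSite(site);
            tokenRepository.saveAccessToken(token);
        }
        approvedSiteRepository.save(site);
    }
}

/**
 * Returns {@code entity} when the lookup found it, otherwise fails the import.
 *
 * @param entity    the repository lookup result, possibly {@code null}
 * @param kind      human-readable entity kind used in the error message
 * @param reference the id from the export (old numeric id or client id) that was being resolved
 * @param <T>       the entity type
 * @return {@code entity}, never {@code null}
 * @throws IllegalStateException if {@code entity} is {@code null}
 */
private static <T> T requireImported(T entity, String kind, Object reference) {
    if (entity == null) {
        throw new IllegalStateException(
                "Dangling " + kind + " reference in import data: " + reference);
    }
    return entity;
}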

Example 5 with ApprovedSite

use of org.mitre.openid.connect.model.ApprovedSite in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class MITREidDataService_1_2 method readGrants.

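/**
 * Reads the grants array of the export and stores each entry as an {@link ApprovedSite}.
 *
 * Consumes one JSON array of objects. Recognised fields are {@code ID}, {@code ACCESS_DATE},
 * {@code CLIENT_ID}, {@code CREATION_DATE}, {@code TIMEOUT_DATE}, {@code USER_ID},
 * {@code ALLOWED_SCOPES} and {@code APPROVED_ACCESS_TOKENS}; null values and unknown fields
 * are skipped. Each site is saved, its exported id is mapped to the newly assigned id in
 * {@code maps.getGrantOldToNewIdMap()}, and the exported access-token ids it listed (if any)
 * are recorded in {@code maps.getGrantToAccessTokensRefs()} for the later reference-fixing pass.
 *
 * A grant entry without an {@code ID} field is rejected. Recording it under a {@code null} key
 * would either be refused by the map or merge every id-less grant into one slot, so that their
 * token references would later be attached to whichever of those sites was saved last.
 *
 * @param reader positioned at the start of the grants array; left positioned after its end
 * @throws IOException on a JSON read error, or if a grant entry has no id
 */
private void readGrants(JsonReader reader) throws IOException {
    reader.beginArray();
    while (reader.hasNext()) {
        ApprovedSite site = new ApprovedSite();
        Long currentId = null;
        Set<Long> tokenIds = null;
        reader.beginObject();
        while (reader.hasNext()) {
            switch (reader.peek()) {
                case END_OBJECT:
                    continue;
                case NAME:
                    String name = reader.nextName();
                    if (reader.peek() == JsonToken.NULL) {
                        reader.skipValue();
                    } else if (name.equals(ID)) {
                        currentId = reader.nextLong();
                    } else if (name.equals(ACCESS_DATE)) {
                        site.setAccessDate(utcToDate(reader.nextString()));
                    } else if (name.equals(CLIENT_ID)) {
                        site.setClientId(reader.nextString());
                    } else if (name.equals(CREATION_DATE)) {
                        site.setCreationDate(utcToDate(reader.nextString()));
                    } else if (name.equals(TIMEOUT_DATE)) {
                        site.setTimeoutDate(utcToDate(reader.nextString()));
                    } else if (name.equals(USER_ID)) {
                        site.setUserId(reader.nextString());
                    } else if (name.equals(ALLOWED_SCOPES)) {
                        Set<String> allowedScopes = readSet(reader);
                        site.setAllowedScopes(allowedScopes);
                    } else if (name.equals(APPROVED_ACCESS_TOKENS)) {
                        tokenIds = readSet(reader);
                    } else {
                        logger.debug("Found unexpected entry");
                        reader.skipValue();
                    }
                    break;
                default:
                    logger.debug("Found unexpected entry");
                    reader.skipValue();
                    continue;
            }
        }
        reader.endObject();
        // Fail before saving: an id-less grant could never be linked back to its tokens.
        if (currentId == null) {
            throw new IOException("Grant entry without an id in import data");
        }
        Long newId = approvedSiteRepository.save(site).getId();
        maps.getGrantOldToNewIdMap().put(currentId, newId);
        if (tokenIds != null) {
            maps.getGrantToAccessTokensRefs().put(currentId, tokenIds);
        }
        logger.debug("Read grant {}", currentId);
    }
    reader.endArray();
    logger.info("Done reading grants");
}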
