
Example 11 with OrcidOAuth2Authentication

Use of org.orcid.core.oauth.OrcidOAuth2Authentication in the ORCID-Source project (ORCID).

Class OrcidApiAuthorizationSecurityAspect, method visibilityResponseFilter — an AspectJ after-returning advice that post-filters API responses according to the caller's authentication and scopes.

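/**
 * Post-processes every {@link AccessControl}-annotated API response so that the
 * caller only receives the items its authentication entitles it to see.
 * <p>
 * Steps, as implemented below:
 * <ol>
 * <li>Responses flagged as coming from the internal API, non-{@link OrcidMessage}
 *     entities and search-result messages are returned untouched.</li>
 * <li>The set of {@link Visibility} values the caller may see is resolved: only
 *     {@code PUBLIC} when anonymous access is allowed, otherwise whatever
 *     {@code permissionChecker} derives from the authentication, the required
 *     scope and the message.</li>
 * <li>For a {@code *}/read-limited or {@code *}/update scope and an
 *     {@link OrcidOAuth2Authentication}, the per-section scopes the client holds
 *     for the record owner (via {@code hasScopeEnabled}) decide whether works,
 *     funding and affiliations may additionally expose private items.</li>
 * <li>{@code visibilityFilter} applies the result; the visibility attribute of the
 *     given/family names is then stripped and the section visibilities of the
 *     bio collections are recomputed from the surviving items.</li>
 * </ol>
 * Unlike the previous version, an absent authentication no longer raises a
 * {@link NullPointerException} at the type check; it simply takes the
 * "no per-client private access" path with the visibilities resolved in step 2.
 *
 * @param response      the JAX-RS response whose entity may be an {@link OrcidMessage}
 * @param accessControl the annotation on the intercepted method (required scope,
 *                      anonymous/internal-API flags)
 */
@AfterReturning(pointcut = "@annotation(accessControl)", returning = "response")
public void visibilityResponseFilter(Response response, AccessControl accessControl) {
    if (accessControl.requestComesFromInternalApi()) {
        return;
    }
    Object entity = response.getEntity();
    if (!(entity instanceof OrcidMessage)) {
        return;
    }
    OrcidMessage orcidMessage = (OrcidMessage) entity;
    // Search results are never filtered here; they are returned as-is.
    if (orcidMessage.getOrcidSearchResults() != null) {
        return;
    }
    // Resolve the caller once; every decision below is made against this object.
    Object authentication = getAuthentication();
    Set<Visibility> visibilities;
    if (allowAnonymousAccess((Authentication) authentication, accessControl)) {
        visibilities = new HashSet<Visibility>();
        visibilities.add(Visibility.PUBLIC);
    } else {
        visibilities = permissionChecker.obtainVisibilitiesForAuthentication(getAuthentication(), accessControl.requiredScope(), orcidMessage);
    }
    Visibility[] allowed = visibilities.toArray(new Visibility[visibilities.size()]);
    // Remember whether a bio existed before filtering: if the filter strips it, the
    // bio/personal-details containers are recreated afterwards so that the given
    // names come back as an empty string instead of vanishing (see below).
    boolean restorePersonalDetails = orcidMessage.getOrcidProfile() != null && orcidMessage.getOrcidProfile().getOrcidBio() != null;

    // Defaults: no client id and no private access to any section. These are only
    // widened for an OAuth2 client asking with a read-limited or update scope.
    String clientId = null;
    boolean allowWorks = false;
    boolean allowFunding = false;
    boolean allowAffiliations = false;
    ScopePathType requiredScope = accessControl.requiredScope();
    // instanceof is null-safe; the former getClass() call would NPE on a missing authentication.
    if (isUpdateOrReadScope(requiredScope) && authentication instanceof OrcidOAuth2Authentication) {
        OrcidOAuth2Authentication orcidAuth = (OrcidOAuth2Authentication) authentication;
        OAuth2Request authorization = orcidAuth.getOAuth2Request();
        clientId = authorization.getClientId();
        // The record owner the scopes must have been granted for.
        String userOrcid = getUserOrcidFromOrcidMessage(orcidMessage);
        // A read-limited request is also satisfied by the matching update scope,
        // so both are offered to hasScopeEnabled.
        ScopePathType equivalentUpdateScope = getEquivalentUpdateScope(requiredScope);
        String equivalentUpdate = equivalentUpdateScope == null ? null : equivalentUpdateScope.getContent();
        if (ScopePathType.READ_LIMITED.equals(requiredScope)) {
            // Whole-record read: each section is unlocked by its own read-limited or update scope.
            allowWorks = hasScopeEnabled(clientId, userOrcid, ScopePathType.ORCID_WORKS_READ_LIMITED.getContent(), ScopePathType.ORCID_WORKS_UPDATE.getContent());
            allowFunding = hasScopeEnabled(clientId, userOrcid, ScopePathType.FUNDING_READ_LIMITED.getContent(), ScopePathType.FUNDING_UPDATE.getContent());
            allowAffiliations = hasScopeEnabled(clientId, userOrcid, ScopePathType.AFFILIATIONS_READ_LIMITED.getContent(), ScopePathType.AFFILIATIONS_UPDATE.getContent());
        } else if (ScopePathType.ORCID_WORKS_UPDATE.equals(requiredScope) || ScopePathType.ORCID_WORKS_READ_LIMITED.equals(requiredScope)) {
            // Works-only scope: may expose private works.
            allowWorks = hasScopeEnabled(clientId, userOrcid, requiredScope.getContent(), equivalentUpdate);
        } else if (ScopePathType.FUNDING_UPDATE.equals(requiredScope) || ScopePathType.FUNDING_READ_LIMITED.equals(requiredScope)) {
            // Funding-only scope: may expose private funding.
            allowFunding = hasScopeEnabled(clientId, userOrcid, requiredScope.getContent(), equivalentUpdate);
        } else if (ScopePathType.AFFILIATIONS_UPDATE.equals(requiredScope) || ScopePathType.AFFILIATIONS_READ_LIMITED.equals(requiredScope)) {
            // Affiliations-only scope: may expose private affiliations.
            allowAffiliations = hasScopeEnabled(clientId, userOrcid, requiredScope.getContent(), equivalentUpdate);
        }
    }
    visibilityFilter.filter(orcidMessage, clientId, allowWorks, allowFunding, allowAffiliations, allowed);

    // Recreate the containers the filter may have removed, so the name handling
    // below always finds a PersonalDetails to put the empty given names into.
    if (restorePersonalDetails && orcidMessage.getOrcidProfile() != null) {
        OrcidBio restoredBio = orcidMessage.getOrcidProfile().getOrcidBio();
        if (restoredBio == null) {
            restoredBio = new OrcidBio();
            orcidMessage.getOrcidProfile().setOrcidBio(restoredBio);
        }
        if (restoredBio.getPersonalDetails() == null) {
            restoredBio.setPersonalDetails(new PersonalDetails());
        }
    }
    if (orcidMessage.getOrcidProfile() != null && orcidMessage.getOrcidProfile().getOrcidBio() != null) {
        OrcidBio bio = orcidMessage.getOrcidProfile().getOrcidBio();
        PersonalDetails details = bio.getPersonalDetails();
        if (details != null) {
            // The visibility attribute of given/family names is not sent to clients.
            if (details.getGivenNames() != null) {
                details.getGivenNames().setVisibility(null);
            } else {
                // A missing given-names element could break client integrations, so return "".
                GivenNames empty = new GivenNames();
                empty.setContent(StringUtils.EMPTY);
                details.setGivenNames(empty);
            }
            if (details.getFamilyName() != null) {
                details.getFamilyName().setVisibility(null);
            }
            // Section visibilities are recomputed from whatever items survived filtering.
            OtherNames otherNames = details.getOtherNames();
            if (otherNames != null) {
                otherNames.setVisibility(getMostFromCollection(otherNames.getOtherName()));
            }
        }
        ExternalIdentifiers ids = bio.getExternalIdentifiers();
        if (ids != null) {
            ids.setVisibility(getMostFromCollection(ids.getExternalIdentifier()));
        }
        Keywords kws = bio.getKeywords();
        if (kws != null) {
            kws.setVisibility(getMostFromCollection(kws.getKeyword()));
        }
        ResearcherUrls urls = bio.getResearcherUrls();
        if (urls != null) {
            urls.setVisibility(getMostFromCollection(urls.getResearcherUrl()));
        }
    }
}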

Example 12 with OrcidOAuth2Authentication

Use of org.orcid.core.oauth.OrcidOAuth2Authentication in the ORCID-Source project (ORCID).

Class DefaultPermissionCheckerTest, method testCheckClientPermissionsAuthenticationScopesOrcidAndOrcidMessage — exercises the client-credentials (no user authentication) permission check.

/**
 * Client-credentials path of {@code checkPermissions}: an
 * {@link OrcidOAuth2Authentication} whose user authentication is {@code null},
 * issued to client APP-5555555555555555 with the
 * {@code /orcid-bio/external-identifiers/create} scope, is checked against a
 * message whose record identifier has been set to 4444-4444-4444-4447.
 * <p>
 * There is no explicit assertion: the test passes if {@code checkPermissions}
 * returns without throwing.
 */
@Test
@Transactional
@Rollback
public void testCheckClientPermissionsAuthenticationScopesOrcidAndOrcidMessage() throws Exception {
    String clientId = "APP-5555555555555555";
    String scope = "/orcid-bio/external-identifiers/create";
    Set<String> resourceIds = new HashSet<String>();
    resourceIds.add("orcid");
    HashSet<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
    authorities.add(new SimpleGrantedAuthority("ROLE_CLIENT"));
    AuthorizationRequest request = new AuthorizationRequest(clientId, Arrays.asList(scope));
    request.setAuthorities(authorities);
    request.setResourceIds(resourceIds);
    // Second argument null: no end user behind this token.
    OAuth2Authentication clientOnlyAuthentication = new OrcidOAuth2Authentication(request, null, "made-up-token");
    OrcidMessage message = getOrcidMessage();
    message.getOrcidProfile().getOrcidIdentifier().setPath("4444-4444-4444-4447");
    String messageOrcid = message.getOrcidProfile().getOrcidIdentifier().getPath();
    defaultPermissionChecker.checkPermissions(clientOnlyAuthentication, ScopePathType.ORCID_BIO_EXTERNAL_IDENTIFIERS_CREATE, messageOrcid, message);
}

Example 13 with OrcidOAuth2Authentication

Use of org.orcid.core.oauth.OrcidOAuth2Authentication in the ORCID-Source project (ORCID).

Class DefaultPermissionCheckerTest, method testCheckUserPermissionsAuthenticationScopesOrcidAndOrcidMessage — exercises the permission check for a token that carries a user authentication.

/**
 * User-backed path of {@code checkPermissions}: an
 * {@link OrcidOAuth2Authentication} that wraps an
 * {@link OrcidOauth2UserAuthentication} for profile 4444-4444-4444-4446 (loaded
 * from the test database) with the {@code /orcid-bio/external-identifiers/create}
 * scope is checked against the fixture message and its own record identifier.
 * <p>
 * There is no explicit assertion: the test passes if {@code checkPermissions}
 * returns without throwing.
 */
@Test
@Rollback
@Transactional
public void testCheckUserPermissionsAuthenticationScopesOrcidAndOrcidMessage() throws Exception {
    String clientId = "4444-4444-4444-4441";
    String scope = "/orcid-bio/external-identifiers/create";
    Set<String> resourceIds = new HashSet<String>();
    resourceIds.add("orcid");
    HashSet<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
    authorities.add(new SimpleGrantedAuthority("ROLE_CLIENT"));
    AuthorizationRequest request = new AuthorizationRequest(clientId, Arrays.asList(scope));
    request.setAuthorities(authorities);
    request.setResourceIds(resourceIds);
    ProfileEntity user = profileEntityManager.findByOrcid("4444-4444-4444-4446");
    OrcidOauth2UserAuthentication userAuthentication = new OrcidOauth2UserAuthentication(user, true);
    OAuth2Authentication userBackedAuthentication = new OrcidOAuth2Authentication(request, userAuthentication, "made-up-token");
    OrcidMessage message = getOrcidMessage();
    String messageOrcid = message.getOrcidProfile().getOrcidIdentifier().getPath();
    defaultPermissionChecker.checkPermissions(userBackedAuthentication, ScopePathType.ORCID_BIO_EXTERNAL_IDENTIFIERS_CREATE, messageOrcid, message);
}

Example 14 with OrcidOAuth2Authentication

Use of org.orcid.core.oauth.OrcidOAuth2Authentication in the ORCID-Source project (ORCID).

Class T2OrcidApiServiceVersionedDelegatorTest, method setUpSecurityContextForClientOnly — test fixture that installs a mocked client-only authentication into the thread's security context.

/**
 * Installs a mocked client-only {@link OrcidOAuth2Authentication} for
 * {@code clientId} into the current thread's {@link SecurityContextHolder}.
 * The mock answers {@code true} to {@code isClientOnly()}, returns a
 * {@link ProfileEntity} built from the client id as principal, and returns an
 * approved {@link OAuth2Request} carrying only the given {@code scopes} (no
 * request parameters, authorities, resource ids, redirect URI, response types
 * or extensions).
 * <p>
 * NOTE(review): the context is thread-bound and is not cleared here; a teardown
 * calling {@code SecurityContextHolder.clearContext()} is assumed to exist
 * elsewhere in the test class so the mock does not leak into later tests.
 *
 * @param clientId the OAuth2 client the mocked token belongs to
 * @param scopes   the scopes the mocked token is granted
 */
private void setUpSecurityContextForClientOnly(String clientId, Set<String> scopes) {
    OrcidOAuth2Authentication authentication = mock(OrcidOAuth2Authentication.class);
    when(authentication.getPrincipal()).thenReturn(new ProfileEntity(clientId));
    when(authentication.isClientOnly()).thenReturn(true);
    OAuth2Request oauth2Request = new OAuth2Request(Collections.<String, String>emptyMap(), clientId, Collections.<GrantedAuthority>emptyList(), true, scopes, Collections.<String>emptySet(), null, Collections.<String>emptySet(), Collections.<String, Serializable>emptyMap());
    when(authentication.getOAuth2Request()).thenReturn(oauth2Request);
    SecurityContextImpl context = new SecurityContextImpl();
    context.setAuthentication(authentication);
    SecurityContextHolder.setContext(context);
}

Example 15 with OrcidOAuth2Authentication

Use of org.orcid.core.oauth.OrcidOAuth2Authentication in the ORCID-Source project (ORCID).

Class T2OrcidApiServiceVersionedDelegatorTest, method setUpSecurityContext — test fixture that installs a mocked user authentication with activities/update and read-limited scopes into the thread's security context.

/**
 * Installs a mocked {@link OrcidOAuth2Authentication} for {@code userOrcid} into
 * the current thread's {@link SecurityContextHolder}. The mock's principal is a
 * {@link ProfileEntity} built from the ORCID iD, and its {@link OAuth2Request} is
 * approved with exactly the {@code /activities/update} and {@code /read-limited}
 * scopes. The ORCID iD is also used as the request's client id; presumably the
 * code under test only consults the scopes, so this is a fixture shortcut rather
 * than a real client/user relationship — verify against the callers.
 * <p>
 * NOTE(review): the context is thread-bound and is not cleared here; a teardown
 * calling {@code SecurityContextHolder.clearContext()} is assumed to exist
 * elsewhere in the test class.
 *
 * @param userOrcid the ORCID iD the mocked authentication represents
 */
private void setUpSecurityContext(String userOrcid) {
    Set<String> grantedScopes = new HashSet<String>();
    grantedScopes.add(ScopePathType.ACTIVITIES_UPDATE.value());
    grantedScopes.add(ScopePathType.READ_LIMITED.value());
    OrcidOAuth2Authentication authentication = mock(OrcidOAuth2Authentication.class);
    when(authentication.getPrincipal()).thenReturn(new ProfileEntity(userOrcid));
    OAuth2Request oauth2Request = new OAuth2Request(Collections.<String, String>emptyMap(), userOrcid, Collections.<GrantedAuthority>emptyList(), true, grantedScopes, Collections.<String>emptySet(), null, Collections.<String>emptySet(), Collections.<String, Serializable>emptyMap());
    when(authentication.getOAuth2Request()).thenReturn(oauth2Request);
    SecurityContextImpl context = new SecurityContextImpl();
    context.setAuthentication(authentication);
    SecurityContextHolder.setContext(context);
}
