use of org.orcid.core.oauth.OrcidOAuth2Authentication in project ORCID-Source by ORCID.
the class OrcidApiAuthorizationSecurityAspect method visibilityResponseFilter.
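/**
 * Post-processes an API {@link Response} so the caller only sees the parts of
 * a profile its credentials entitle it to.
 *
 * Runs after every method annotated with {@link AccessControl}. The following
 * responses are returned untouched: requests flagged as coming from the internal
 * API (trusted, no filtering at all), entities that are not an
 * {@link OrcidMessage}, and messages carrying search results. For everything
 * else the set of {@link Visibility} levels granted to the current
 * authentication is computed (anonymous callers get {@code PUBLIC} only) and the
 * message is filtered in place by {@code visibilityFilter}.
 *
 * When the endpoint requires a read-limited or update scope and the caller is an
 * {@link OrcidOAuth2Authentication}, the client's scopes for the target record
 * decide whether private works, funding and affiliations survive the filter.
 * Any other authentication (including none at all) is filtered with no client
 * id and no private-section access, i.e. the method fails closed.
 *
 * After filtering, name visibility attributes are stripped, a null given name is
 * replaced by an empty one, and the section-level visibilities of other names,
 * external identifiers, keywords and researcher URLs are recomputed from the
 * items that survived.
 *
 * @param response      the response returned by the advised method; its entity
 *                      is mutated in place
 * @param accessControl the annotation on the advised method, supplying the
 *                      required scope and the internal-API flag
 */
@AfterReturning(pointcut = "@annotation(accessControl)", returning = "response")
public void visibilityResponseFilter(Response response, AccessControl accessControl) {
    // Internal API callers are trusted: nothing is filtered.
    if (accessControl.requestComesFromInternalApi()) {
        return;
    }
    Object entity = response.getEntity();
    // Only OrcidMessage entities are filtered; any other entity type passes
    // through unchanged.
    if (!(entity instanceof OrcidMessage)) {
        return;
    }
    OrcidMessage orcidMessage = (OrcidMessage) entity;
    // Search results are deliberately returned as-is.
    if (orcidMessage.getOrcidSearchResults() != null) {
        return;
    }

    // Resolve the authentication once and reuse it for every decision below, so
    // the anonymous check, the visibility set and the client-id lookup all see
    // the same object rather than re-reading the security context each time.
    Object authentication = getAuthentication();
    Set<Visibility> visibilities;
    if (allowAnonymousAccess((Authentication) authentication, accessControl)) {
        visibilities = new HashSet<Visibility>();
        visibilities.add(Visibility.PUBLIC);
    } else {
        visibilities = permissionChecker.obtainVisibilitiesForAuthentication((Authentication) authentication, accessControl.requiredScope(), orcidMessage);
    }

    // Remember whether the message carried a bio before filtering: if the filter
    // strips it, an empty bio/personal-details skeleton is restored further down
    // so the given name can be returned as an empty element.
    boolean restoreEmptyBioIfFiltered = orcidMessage.getOrcidProfile() != null
            && orcidMessage.getOrcidProfile().getOrcidBio() != null;

    ScopePathType requiredScope = accessControl.requiredScope();
    // Private works/funding/affiliations can only be granted to an OAuth2 client
    // on a read-limited or update endpoint. instanceof is null-safe, so an absent
    // authentication falls into the fail-closed branch instead of throwing.
    if (isUpdateOrReadScope(requiredScope) && authentication instanceof OrcidOAuth2Authentication) {
        OrcidOAuth2Authentication orcidAuth = (OrcidOAuth2Authentication) authentication;
        OAuth2Request authorization = orcidAuth.getOAuth2Request();
        String clientId = authorization.getClientId();
        // The record the message is about; scopes are checked per client+record.
        String userOrcid = getUserOrcidFromOrcidMessage(orcidMessage);
        boolean allowWorks = false;
        boolean allowFunding = false;
        boolean allowAffiliations = false;
        // A read-limited scope is also satisfied by holding the matching update
        // scope, so both are passed to hasScopeEnabled.
        ScopePathType equivalentUpdateScope = getEquivalentUpdateScope(requiredScope);
        if (requiredScope.equals(ScopePathType.READ_LIMITED)) {
            // Generic read-limited endpoint: each section is decided by its own
            // read-limited/update scope pair.
            allowWorks = hasScopeEnabled(clientId, userOrcid, ScopePathType.ORCID_WORKS_READ_LIMITED.getContent(), ScopePathType.ORCID_WORKS_UPDATE.getContent());
            allowFunding = hasScopeEnabled(clientId, userOrcid, ScopePathType.FUNDING_READ_LIMITED.getContent(), ScopePathType.FUNDING_UPDATE.getContent());
            allowAffiliations = hasScopeEnabled(clientId, userOrcid, ScopePathType.AFFILIATIONS_READ_LIMITED.getContent(), ScopePathType.AFFILIATIONS_UPDATE.getContent());
        } else if (requiredScope.equals(ScopePathType.ORCID_WORKS_UPDATE) || requiredScope.equals(ScopePathType.ORCID_WORKS_READ_LIMITED)) {
            allowWorks = hasRequiredOrEquivalentUpdateScope(clientId, userOrcid, requiredScope, equivalentUpdateScope);
        } else if (requiredScope.equals(ScopePathType.FUNDING_UPDATE) || requiredScope.equals(ScopePathType.FUNDING_READ_LIMITED)) {
            allowFunding = hasRequiredOrEquivalentUpdateScope(clientId, userOrcid, requiredScope, equivalentUpdateScope);
        } else if (requiredScope.equals(ScopePathType.AFFILIATIONS_UPDATE) || requiredScope.equals(ScopePathType.AFFILIATIONS_READ_LIMITED)) {
            allowAffiliations = hasRequiredOrEquivalentUpdateScope(clientId, userOrcid, requiredScope, equivalentUpdateScope);
        }
        visibilityFilter.filter(orcidMessage, clientId, allowWorks, allowFunding, allowAffiliations, visibilities.toArray(new Visibility[0]));
    } else {
        // Fail closed: no client id and no private-section access.
        visibilityFilter.filter(orcidMessage, null, false, false, false, visibilities.toArray(new Visibility[0]));
    }

    // The bio existed before filtering; if the filter removed it (or its
    // personal details), put empty containers back.
    if (restoreEmptyBioIfFiltered && orcidMessage.getOrcidProfile() != null) {
        if (orcidMessage.getOrcidProfile().getOrcidBio() == null) {
            orcidMessage.getOrcidProfile().setOrcidBio(new OrcidBio());
        }
        if (orcidMessage.getOrcidProfile().getOrcidBio().getPersonalDetails() == null) {
            orcidMessage.getOrcidProfile().getOrcidBio().setPersonalDetails(new PersonalDetails());
        }
    }

    if (orcidMessage.getOrcidProfile() != null && orcidMessage.getOrcidProfile().getOrcidBio() != null) {
        OrcidBio bio = orcidMessage.getOrcidProfile().getOrcidBio();
        PersonalDetails details = bio.getPersonalDetails();
        if (details != null) {
            // Given/family names lose their visibility attribute; a missing
            // given name becomes an empty string because a null element is known
            // to break client integrations.
            if (details.getGivenNames() != null) {
                details.getGivenNames().setVisibility(null);
            } else {
                GivenNames emptyGivenNames = new GivenNames();
                emptyGivenNames.setContent(StringUtils.EMPTY);
                details.setGivenNames(emptyGivenNames);
            }
            if (details.getFamilyName() != null) {
                details.getFamilyName().setVisibility(null);
            }
            // Section visibilities are recomputed from whatever items survived
            // the filter.
            OtherNames otherNames = details.getOtherNames();
            if (otherNames != null) {
                otherNames.setVisibility(getMostFromCollection(otherNames.getOtherName()));
            }
        }
        ExternalIdentifiers externalIds = bio.getExternalIdentifiers();
        if (externalIds != null) {
            externalIds.setVisibility(getMostFromCollection(externalIds.getExternalIdentifier()));
        }
        Keywords keywords = bio.getKeywords();
        if (keywords != null) {
            keywords.setVisibility(getMostFromCollection(keywords.getKeyword()));
        }
        ResearcherUrls researcherUrls = bio.getResearcherUrls();
        if (researcherUrls != null) {
            researcherUrls.setVisibility(getMostFromCollection(researcherUrls.getResearcherUrl()));
        }
    }
}

/**
 * Whether {@code clientId} holds {@code requiredScope} for {@code userOrcid},
 * falling back to the equivalent update scope when one exists (a client allowed
 * to update a section is also allowed to read it).
 *
 * @param clientId              the OAuth2 client being checked
 * @param userOrcid             the record the message is about
 * @param requiredScope         the scope the endpoint requires
 * @param equivalentUpdateScope the update scope that also satisfies the
 *                              requirement, or {@code null} if there is none
 * @return the result of {@code hasScopeEnabled} for that scope pair
 */
private boolean hasRequiredOrEquivalentUpdateScope(String clientId, String userOrcid, ScopePathType requiredScope, ScopePathType equivalentUpdateScope) {
    String updateScope = equivalentUpdateScope == null ? null : equivalentUpdateScope.getContent();
    return hasScopeEnabled(clientId, userOrcid, requiredScope.getContent(), updateScope);
}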
use of org.orcid.core.oauth.OrcidOAuth2Authentication in project ORCID-Source by ORCID.
the class DefaultPermissionCheckerTest method testCheckClientPermissionsAuthenticationScopesOrcidAndOrcidMessage.
/**
 * Client-credentials path: an {@link OrcidOAuth2Authentication} with no user
 * authentication behind it, holding the external-identifiers create scope for
 * resource id "orcid", is checked against a profile message whose ORCID has
 * been overridden. There is no explicit assertion; the test passes as long as
 * {@code checkPermissions} does not throw.
 */
@Test
@Transactional
@Rollback
public void testCheckClientPermissionsAuthenticationScopesOrcidAndOrcidMessage() throws Exception {
    Set<String> resources = new HashSet<String>();
    resources.add("orcid");
    HashSet<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
    authorities.add(new SimpleGrantedAuthority("ROLE_CLIENT"));

    AuthorizationRequest authRequest = new AuthorizationRequest("APP-5555555555555555", Arrays.asList("/orcid-bio/external-identifiers/create"));
    authRequest.setAuthorities(authorities);
    authRequest.setResourceIds(resources);
    // null user authentication: this token represents the client alone.
    OAuth2Authentication clientAuth = new OrcidOAuth2Authentication(authRequest, null, "made-up-token");

    OrcidMessage message = getOrcidMessage();
    // Override the fixture's identifier so the check targets this record.
    message.getOrcidProfile().getOrcidIdentifier().setPath("4444-4444-4444-4447");
    String targetOrcid = message.getOrcidProfile().getOrcidIdentifier().getPath();

    defaultPermissionChecker.checkPermissions(clientAuth, ScopePathType.ORCID_BIO_EXTERNAL_IDENTIFIERS_CREATE, targetOrcid, message);
}
use of org.orcid.core.oauth.OrcidOAuth2Authentication in project ORCID-Source by ORCID.
the class DefaultPermissionCheckerTest method testCheckUserPermissionsAuthenticationScopesOrcidAndOrcidMessage.
/**
 * User-backed path: the {@link OrcidOAuth2Authentication} wraps an
 * authenticated profile entity and holds the external-identifiers create scope
 * for resource id "orcid". There is no explicit assertion; the test passes as
 * long as {@code checkPermissions} does not throw.
 *
 * NOTE(review): the client id ("4444-4444-4444-4441"), the authenticated user
 * ("4444-4444-4444-4446") and the target record (taken from the fixture) are
 * not the same identifier; the no-exception expectation therefore depends on
 * how {@code checkPermissions} treats that mismatch, which is not visible here.
 */
@Test
@Rollback
@Transactional
public void testCheckUserPermissionsAuthenticationScopesOrcidAndOrcidMessage() throws Exception {
    Set<String> resources = new HashSet<String>();
    resources.add("orcid");
    HashSet<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
    authorities.add(new SimpleGrantedAuthority("ROLE_CLIENT"));

    AuthorizationRequest authRequest = new AuthorizationRequest("4444-4444-4444-4441", Arrays.asList("/orcid-bio/external-identifiers/create"));
    authRequest.setAuthorities(authorities);
    authRequest.setResourceIds(resources);

    // Authenticated user behind the token, loaded from the test database.
    ProfileEntity user = profileEntityManager.findByOrcid("4444-4444-4444-4446");
    OrcidOauth2UserAuthentication userAuth = new OrcidOauth2UserAuthentication(user, true);
    OAuth2Authentication userBackedAuth = new OrcidOAuth2Authentication(authRequest, userAuth, "made-up-token");

    OrcidMessage message = getOrcidMessage();
    String targetOrcid = message.getOrcidProfile().getOrcidIdentifier().getPath();

    defaultPermissionChecker.checkPermissions(userBackedAuth, ScopePathType.ORCID_BIO_EXTERNAL_IDENTIFIERS_CREATE, targetOrcid, message);
}
use of org.orcid.core.oauth.OrcidOAuth2Authentication in project ORCID-Source by ORCID.
the class T2OrcidApiServiceVersionedDelegatorTest method setUpSecurityContextForClientOnly.
/**
 * Installs a mocked client-only {@link OrcidOAuth2Authentication} for
 * {@code clientId} into the thread-bound {@link SecurityContextHolder}.
 *
 * The mock reports {@code isClientOnly() == true}, a principal of
 * {@code new ProfileEntity(clientId)} and an {@link OAuth2Request} carrying
 * the given scopes (with the boolean positional argument set to {@code true},
 * presumably the request's approved flag; verify against the Spring
 * constructor). Nothing here clears the context afterwards, so callers are
 * responsible for resetting it (e.g. {@code SecurityContextHolder.clearContext()})
 * so the authentication does not leak into later tests on the same thread.
 *
 * @param clientId the client id the mocked token belongs to
 * @param scopes   the scopes to expose on the mocked OAuth2 request
 */
private void setUpSecurityContextForClientOnly(String clientId, Set<String> scopes) {
    OrcidOAuth2Authentication clientAuth = mock(OrcidOAuth2Authentication.class);
    OAuth2Request oauthRequest = new OAuth2Request(Collections.<String, String>emptyMap(), clientId, Collections.<GrantedAuthority>emptyList(), true, scopes, Collections.<String>emptySet(), null, Collections.<String>emptySet(), Collections.<String, Serializable>emptyMap());
    when(clientAuth.getPrincipal()).thenReturn(new ProfileEntity(clientId));
    when(clientAuth.isClientOnly()).thenReturn(true);
    when(clientAuth.getOAuth2Request()).thenReturn(oauthRequest);

    SecurityContextImpl context = new SecurityContextImpl();
    context.setAuthentication(clientAuth);
    SecurityContextHolder.setContext(context);
}
use of org.orcid.core.oauth.OrcidOAuth2Authentication in project ORCID-Source by ORCID.
the class T2OrcidApiServiceVersionedDelegatorTest method setUpSecurityContext.
/**
 * Installs a mocked {@link OrcidOAuth2Authentication} for {@code userOrcid}
 * into the thread-bound {@link SecurityContextHolder}, with a fixed scope set
 * of {@code ACTIVITIES_UPDATE} and {@code READ_LIMITED}.
 *
 * Note that {@code userOrcid} is used both as the principal's ORCID and as the
 * client id of the {@link OAuth2Request}. {@code isClientOnly()} is left
 * unstubbed, so the mock returns Mockito's default ({@code false}). As with the
 * client-only variant, nothing clears the context afterwards; callers should
 * reset it so the authentication does not leak into later tests.
 *
 * @param userOrcid the ORCID used for the principal and as the request's client id
 */
private void setUpSecurityContext(String userOrcid) {
    Set<String> grantedScopes = new HashSet<String>();
    grantedScopes.add(ScopePathType.ACTIVITIES_UPDATE.value());
    grantedScopes.add(ScopePathType.READ_LIMITED.value());

    OrcidOAuth2Authentication userAuth = mock(OrcidOAuth2Authentication.class);
    OAuth2Request oauthRequest = new OAuth2Request(Collections.<String, String>emptyMap(), userOrcid, Collections.<GrantedAuthority>emptyList(), true, grantedScopes, Collections.<String>emptySet(), null, Collections.<String>emptySet(), Collections.<String, Serializable>emptyMap());
    when(userAuth.getPrincipal()).thenReturn(new ProfileEntity(userOrcid));
    when(userAuth.getOAuth2Request()).thenReturn(oauthRequest);

    SecurityContextImpl context = new SecurityContextImpl();
    context.setAuthentication(userAuth);
    SecurityContextHolder.setContext(context);
}