
Example 6 with ScopePathType

use of org.orcid.jaxb.model.message.ScopePathType in project ORCID-Source by ORCID.

the class DefaultPermissionCheckerTest method testCheckUserPermissionsAuthenticationScopesOrcidAndOrcidMessageWhenWrongUser.

@Test(expected = AccessControlException.class)
@Transactional
@Rollback
public void testCheckUserPermissionsAuthenticationScopesOrcidAndOrcidMessageWhenWrongUser() throws Exception {
    // Client 4444-4444-4444-4441 holds a token scoped to create external identifiers.
    Set<String> resourceIds = new HashSet<String>(Arrays.asList("orcid"));
    HashSet<GrantedAuthority> grantedAuthorities = new HashSet<GrantedAuthority>(Arrays.asList(new SimpleGrantedAuthority("ROLE_CLIENT")));
    AuthorizationRequest request = new AuthorizationRequest("4444-4444-4444-4441", Arrays.asList("/orcid-bio/external-identifiers/create"));
    request.setAuthorities(grantedAuthorities);
    request.setResourceIds(resourceIds);
    // The token was issued on behalf of user 4444-4444-4444-4445 ...
    ProfileEntity entity = profileEntityManager.findByOrcid("4444-4444-4444-4445");
    OrcidOauth2UserAuthentication oauth2UserAuthentication = new OrcidOauth2UserAuthentication(entity, true);
    OAuth2Authentication oAuth2Authentication = new OrcidOAuth2Authentication(request, oauth2UserAuthentication, "made-up-token");
    ScopePathType requiredScope = ScopePathType.ORCID_BIO_EXTERNAL_IDENTIFIERS_CREATE;
    // ... but the message addresses a different record. The scope matches, the record
    // owner does not, so checkPermissions must throw AccessControlException
    // (asserted through @Test(expected = ...)).
    OrcidMessage orcidMessage = getOrcidMessage();
    String messageOrcid = orcidMessage.getOrcidProfile().getOrcidIdentifier().getPath();
    defaultPermissionChecker.checkPermissions(oAuth2Authentication, requiredScope, messageOrcid, orcidMessage);
}
Also used : AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) GrantedAuthority(org.springframework.security.core.GrantedAuthority) OrcidOAuth2Authentication(org.orcid.core.oauth.OrcidOAuth2Authentication) ProfileEntity(org.orcid.persistence.jpa.entities.ProfileEntity) ScopePathType(org.orcid.jaxb.model.message.ScopePathType) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) OrcidMessage(org.orcid.jaxb.model.message.OrcidMessage) OrcidOauth2UserAuthentication(org.orcid.core.oauth.OrcidOauth2UserAuthentication) HashSet(java.util.HashSet) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test) Rollback(org.springframework.test.annotation.Rollback) Transactional(org.springframework.transaction.annotation.Transactional)

Example 7 with ScopePathType

use of org.orcid.jaxb.model.message.ScopePathType in project ORCID-Source by ORCID.

the class DefaultPermissionCheckerTest method testCheckPermissionsAuthenticationScopesAndOrcidMessage.

@Test
public void testCheckPermissionsAuthenticationScopesAndOrcidMessage() throws Exception {
    Set<String> resourceIds = new HashSet<String>(Arrays.asList("orcid"));
    HashSet<GrantedAuthority> grantedAuthorities = new HashSet<GrantedAuthority>(Arrays.asList(new SimpleGrantedAuthority("ROLE_CLIENT")));
    // The granted scope string is taken from the enum's value() rather than typed by hand.
    AuthorizationRequest request = new AuthorizationRequest("4444-4444-4444-4441", Arrays.asList(ScopePathType.ORCID_WORKS_CREATE.value()));
    request.setAuthorities(grantedAuthorities);
    request.setResourceIds(resourceIds);
    // No user authentication attached: the authentication represents the client alone.
    OAuth2Authentication oAuth2Authentication = new OrcidOAuth2Authentication(request, null, "made-up-token");
    ScopePathType requiredScope = ScopePathType.ORCID_WORKS_CREATE;
    OrcidMessage orcidMessage = getOrcidMessage();
    // Three-argument overload with no separately supplied record ORCID; the test only
    // asserts that the granted scope satisfies the required one without throwing.
    defaultPermissionChecker.checkPermissions(oAuth2Authentication, requiredScope, orcidMessage);
}
Also used : SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) ScopePathType(org.orcid.jaxb.model.message.ScopePathType) GrantedAuthority(org.springframework.security.core.GrantedAuthority) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) OrcidOAuth2Authentication(org.orcid.core.oauth.OrcidOAuth2Authentication) OrcidMessage(org.orcid.jaxb.model.message.OrcidMessage) HashSet(java.util.HashSet) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test)
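The two test cases above exercise two separate rules: a granted scope must satisfy the required scope, and a token issued to a user may only act on that user's record. The following is an added example, not ORCID-Source code, that models those two rules in plain Java so both outcomes can be run side by side. The IMPLIED scope hierarchy, the Token and AccessDenied types, the scope strings and the decision to bind a client-only token by scope alone are assumptions of this example; they are not ScopePathType.hasScope or DefaultPermissionChecker semantics.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public final class ScopeAndOwnerCheck {

    /** Raised when the scope or the record-owner check fails (stands in for AccessControlException). */
    public static final class AccessDenied extends RuntimeException {
        AccessDenied(String message) { super(message); }
    }

    // Assumed scope hierarchy: a broad scope implies the narrower ones listed under it.
    // Constructed for this example; it is not ScopePathType's real relation.
    static final Map<String, Set<String>> IMPLIED = new HashMap<String, Set<String>>();
    static {
        IMPLIED.put("/activities/update", new HashSet<String>(Arrays.asList("/orcid-works/create", "/orcid-works/update")));
        IMPLIED.put("/person/update", new HashSet<String>(Arrays.asList("/orcid-bio/external-identifiers/create")));
    }

    /** A token: its granted scopes and, for a user token, the ORCID it was issued for (null for a client-only token). */
    public static final class Token {
        final Set<String> scopes;
        final String userOrcid;
        Token(Set<String> scopes, String userOrcid) { this.scopes = scopes; this.userOrcid = userOrcid; }
    }

    /** True if the granted scope satisfies the required one, literally or via IMPLIED. */
    static boolean covers(String granted, String required) {
        if (granted.equals(required)) return true;
        Set<String> implied = IMPLIED.get(granted);
        return implied != null && implied.contains(required);
    }

    /**
     * 1. Some granted scope must cover the required scope.
     * 2. A user token may only touch the record of the user it was issued for;
     *    targetOrcid plays the role of messageOrcid in the four-argument test above.
     */
    public static void checkPermissions(Token token, String requiredScope, String targetOrcid) {
        boolean scopeOk = false;
        for (String granted : token.scopes) {
            if (covers(granted, requiredScope)) { scopeOk = true; break; }
        }
        if (!scopeOk) {
            throw new AccessDenied("token lacks scope " + requiredScope);
        }
        if (token.userOrcid != null && !token.userOrcid.equals(targetOrcid)) {
            throw new AccessDenied("token for " + token.userOrcid + " may not act on record " + targetOrcid);
        }
    }

    private static void expectDenied(Token token, String scope, String target) {
        try {
            checkPermissions(token, scope, target);
        } catch (AccessDenied expected) {
            System.out.println("denied as expected: " + expected.getMessage());
            return;
        }
        throw new AssertionError("expected AccessDenied for " + scope + " on " + target);
    }

    public static void main(String[] args) {
        Token userToken = new Token(new HashSet<String>(Arrays.asList("/orcid-bio/external-identifiers/create")), "4444-4444-4444-4445");
        // Right record: allowed.
        checkPermissions(userToken, "/orcid-bio/external-identifiers/create", "4444-4444-4444-4445");
        // Another record, the situation of the "WhenWrongUser" test: denied despite the matching scope.
        expectDenied(userToken, "/orcid-bio/external-identifiers/create", "4444-4444-4444-4441");
        // Client-only token (no user), as in the second test: bound by scope alone in this model.
        Token clientToken = new Token(new HashSet<String>(Arrays.asList("/activities/update")), null);
        checkPermissions(clientToken, "/orcid-works/create", "4444-4444-4444-4441"); // covered via IMPLIED
        expectDenied(clientToken, "/orcid-bio/external-identifiers/create", "4444-4444-4444-4441");
        System.out.println("all cases behaved as expected");
    }
}
```

The order of the two checks matters for what an attacker learns: checking scope first and owner second means a caller with the wrong scope never learns whether the target record exists, which is the cheaper rule to evaluate anyway.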

Example 8 with ScopePathType

use of org.orcid.jaxb.model.message.ScopePathType in project ORCID-Source by ORCID.

the class OauthControllerBase method generateRequestInfoForm.

private RequestInfoForm generateRequestInfoForm(String clientId, String scopesString, String redirectUri, String responseType, String stateParam, String email, String orcid, String givenNames, String familyNames, String nonce, String maxAge) throws UnsupportedEncodingException {
    RequestInfoForm infoForm = new RequestInfoForm();
    // If a user is already logged in, pre-fill the form from that user's record.
    String loggedUserOrcid = getEffectiveUserOrcid();
    if (!PojoUtil.isEmpty(loggedUserOrcid)) {
        infoForm.setUserOrcid(loggedUserOrcid);
        ProfileEntity profile = profileEntityCacheManager.retrieve(loggedUserOrcid);
        String creditName = "";
        RecordNameEntity recordName = profile.getRecordNameEntity();
        if (recordName != null) {
            if (!PojoUtil.isEmpty(profile.getRecordNameEntity().getCreditName())) {
                creditName = profile.getRecordNameEntity().getCreditName();
            } else {
                creditName = PojoUtil.isEmpty(profile.getRecordNameEntity().getGivenNames()) ? profile.getRecordNameEntity().getFamilyName() : profile.getRecordNameEntity().getGivenNames() + " " + profile.getRecordNameEntity().getFamilyName();
            }
        }
        if (!PojoUtil.isEmpty(creditName)) {
            infoForm.setUserName(URLDecoder.decode(creditName, "UTF-8").trim());
        }
    }
    // Scopes arrive URL-encoded as a space-separated list (RFC 6749 section 3.3):
    // decode, collapse whitespace, then parse. A missing clientId or scope list is a malformed request.
    Set<ScopePathType> scopes = new HashSet<ScopePathType>();
    if (!PojoUtil.isEmpty(clientId) && !PojoUtil.isEmpty(scopesString)) {
        scopesString = URLDecoder.decode(scopesString, "UTF-8").trim();
        scopesString = scopesString.replaceAll(" +", " ");
        scopes = ScopePathType.getScopesFromSpaceSeparatedString(scopesString);
    } else {
        throw new InvalidRequestException("Unable to find parameters");
    }
    for (ScopePathType theScope : scopes) {
        ScopeInfoForm scopeInfoForm = new ScopeInfoForm();
        scopeInfoForm.setValue(theScope.value());
        scopeInfoForm.setName(theScope.name());
        try {
            scopeInfoForm.setDescription(getMessage(ScopePathType.class.getName() + '.' + theScope.name()));
            scopeInfoForm.setLongDescription(getMessage(ScopePathType.class.getName() + '.' + theScope.name() + ".longDesc"));
        } catch (NoSuchMessageException e) {
            LOGGER.warn("Unable to find key message for scope: " + theScope.name() + " " + theScope.value());
        }
        infoForm.getScopes().add(scopeInfoForm);
    }
    // Look up the client. retrieve() is assumed to throw for an unknown clientId;
    // if it returned null, the dereference below would throw a NullPointerException instead.
    ClientDetailsEntity clientDetails = clientDetailsEntityCacheManager.retrieve(clientId);
    // Persistent tokens are a per-client setting the consent screen has to show.
    if (clientDetails.isPersistentTokensEnabled()) {
        infoForm.setClientHavePersistentTokens(true);
    }
    // Client details resolved: copy the display fields, defaulting null to ""
    String clientName = clientDetails.getClientName() == null ? "" : clientDetails.getClientName();
    String clientEmailRequestReason = clientDetails.getEmailAccessReason() == null ? "" : clientDetails.getEmailAccessReason();
    String clientDescription = clientDetails.getClientDescription() == null ? "" : clientDetails.getClientDescription();
    String memberName = "";
    // Public clients are shown the generic public member name; member clients show
    // the credit name of the group profile that owns the client.
    if (ClientType.PUBLIC_CLIENT.equals(clientDetails.getClientType())) {
        memberName = PUBLIC_MEMBER_NAME;
    } else if (!PojoUtil.isEmpty(clientDetails.getGroupProfileId())) {
        ProfileEntity groupProfile = profileEntityCacheManager.retrieve(clientDetails.getGroupProfileId());
        if (groupProfile.getRecordNameEntity() != null) {
            memberName = groupProfile.getRecordNameEntity().getCreditName();
        }
    }
    // No member name resolved: fall back to the client name, since it should be a SSO user
    if (StringUtils.isBlank(memberName)) {
        memberName = clientName;
    }
    if (!PojoUtil.isEmpty(email) || !PojoUtil.isEmpty(orcid)) {
        // Check if orcid exists, if so, show login screen
        if (!PojoUtil.isEmpty(orcid)) {
            orcid = orcid.trim();
            if (orcidProfileManager.exists(orcid)) {
                infoForm.setUserId(orcid);
            }
        } else {
            // Check if email exists, if so, show login screen
            if (!PojoUtil.isEmpty(email)) {
                email = email.trim();
                if (emailManager.emailExists(email)) {
                    infoForm.setUserId(email);
                }
            }
        }
    }
    infoForm.setUserEmail(email);
    if (PojoUtil.isEmpty(loggedUserOrcid))
        infoForm.setUserOrcid(orcid);
    infoForm.setUserGivenNames(givenNames);
    infoForm.setUserFamilyNames(familyNames);
    infoForm.setClientId(clientId);
    infoForm.setClientDescription(clientDescription);
    infoForm.setClientName(clientName);
    infoForm.setClientEmailRequestReason(clientEmailRequestReason);
    infoForm.setMemberName(memberName);
    // redirectUri is passed through unchanged; this method does not compare it with
    // the client's registered redirect URIs.
    infoForm.setRedirectUrl(redirectUri);
    infoForm.setStateParam(stateParam);
    infoForm.setResponseType(responseType);
    infoForm.setNonce(nonce);
    return infoForm;
}
Also used : ClientDetailsEntity(org.orcid.persistence.jpa.entities.ClientDetailsEntity) NoSuchMessageException(org.springframework.context.NoSuchMessageException) ScopePathType(org.orcid.jaxb.model.message.ScopePathType) RecordNameEntity(org.orcid.persistence.jpa.entities.RecordNameEntity) RequestInfoForm(org.orcid.pojo.ajaxForm.RequestInfoForm) InvalidRequestException(org.springframework.security.oauth2.common.exceptions.InvalidRequestException) ProfileEntity(org.orcid.persistence.jpa.entities.ProfileEntity) ScopeInfoForm(org.orcid.pojo.ajaxForm.ScopeInfoForm) HashSet(java.util.HashSet)

Example 9 with ScopePathType

use of org.orcid.jaxb.model.message.ScopePathType in project ORCID-Source by ORCID.

the class OpenIDController method getUserInfo.

/**
 * Manually checks the bearer token, looks up the user, or answers 403.
 *
 * @return the OpenID Connect user info for the token's user, or 403 Forbidden
 */
@RequestMapping(value = "/oauth/userinfo", method = { RequestMethod.GET, RequestMethod.POST }, produces = "application/json")
@ResponseBody
public ResponseEntity<OpenIDConnectUserInfo> getUserInfo(HttpServletRequest request) {
    // Note: the form-encoded body parameter of https://tools.ietf.org/html/rfc6750 (section 2.2)
    // is not supported; it is a MAY, and nothing here needs it.
    String authHeader = request.getHeader("Authorization");
    if (authHeader != null) {
        // Look the token up, check it is valid, check its scope.
        // Caveat: replace() strips every "Bearer" substring wherever it occurs and never
        // verifies that the header actually starts with the Bearer scheme; a stricter
        // parser would require "Bearer" followed by a space (RFC 6750 section 2.1).
        String tokenValue = authHeader.replace("Bearer", "").trim();
        OAuth2AccessToken tok = tokenStore.readAccessToken(tokenValue);
        if (tok != null && !tok.isExpired()) {
            boolean hasScope = false;
            Set<ScopePathType> requestedScopes = ScopePathType.getScopesFromStrings(tok.getScope());
            for (ScopePathType scope : requestedScopes) {
                if (scope.hasScope(ScopePathType.OPENID)) {
                    hasScope = true;
                }
            }
            if (hasScope) {
                // If the token's additional information carries no "orcid" entry,
                // get("orcid") returns null and toString() throws; nothing here guards against that.
                String orcid = tok.getAdditionalInformation().get("orcid").toString();
                Person person = personDetailsManagerReadOnly.getPublicPersonDetails(orcid);
                return ResponseEntity.ok(new OpenIDConnectUserInfo(orcid, person));
            }
        }
    }
    // Missing, malformed, unknown, expired and under-scoped tokens all collapse to 403.
    // (RFC 6750 section 3 would answer a missing or invalid token with 401 plus a
    // WWW-Authenticate: Bearer challenge, and reserve 403 for insufficient scope.)
    return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
}
Also used : ScopePathType(org.orcid.jaxb.model.message.ScopePathType) OAuth2AccessToken(org.springframework.security.oauth2.common.OAuth2AccessToken) OpenIDConnectUserInfo(org.orcid.core.oauth.openid.OpenIDConnectUserInfo) Person(org.orcid.jaxb.model.record_v2.Person) RequestMapping(org.springframework.web.bind.annotation.RequestMapping) ResponseBody(org.springframework.web.bind.annotation.ResponseBody)
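The header handling in getUserInfo strips the string "Bearer" from wherever it occurs and trusts whatever is left. As an added example, not ORCID-Source code, here is a stricter extractor that accepts only the RFC 6750 section 2.1 form (scheme "Bearer", case-insensitive, at least one space, one b64token) and returns null for everything else. The class name, the sample header values and the main() driver are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class BearerTokenParser {

    // RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token, where
    // b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
    // Anchored at both ends so a second token, a second scheme or trailing junk is rejected.
    private static final Pattern BEARER =
            Pattern.compile("^Bearer +([A-Za-z0-9\\-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    /**
     * Returns the token value, or null when the header is absent or is not a
     * well-formed Bearer credential. A null result belongs with a 401 and a
     * "WWW-Authenticate: Bearer" challenge, not with a token-store lookup.
     */
    public static String extract(String authorizationHeader) {
        if (authorizationHeader == null) {
            return null;
        }
        Matcher m = BEARER.matcher(authorizationHeader.trim());
        return m.matches() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed sample headers; the token values are made up.
        String[] headers = {
            "Bearer 6c5d6e7f-0a1b-2c3d-4e5f-6a7b8c9d0e1f",   // well-formed: accepted
            "bearer 6c5d6e7f-0a1b-2c3d-4e5f-6a7b8c9d0e1f",   // scheme is case-insensitive: accepted
            "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",           // wrong scheme: rejected
            "Bearer",                                        // no token: rejected
            "BearerBearer abc",                              // replace("Bearer", "") would yield "abc"; rejected here
            "Bearer abc def",                                // two tokens: rejected
            null                                             // no header: rejected
        };
        for (String h : headers) {
            System.out.println(h + " -> " + extract(h));
        }
    }
}
```

With this in front of tokenStore.readAccessToken, the lookup only ever sees syntactically valid tokens; the remaining gap in getUserInfo is the unguarded get("orcid") call, which should be null-checked before the record lookup so that a token without that entry is refused rather than turned into a server error.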

Example 10 with ScopePathType

use of org.orcid.jaxb.model.message.ScopePathType in project ORCID-Source by ORCID.

the class ClientDetailsManagerImpl method getClientRegisteredRedirectUris.

private SortedSet<ClientRedirectUriEntity> getClientRegisteredRedirectUris(Set<RedirectUri> clientRegisteredRedirectUris, ClientDetailsEntity clientDetailsEntity) {
    // A TreeSet is used, so ClientRedirectUriEntity must define a consistent natural ordering.
    SortedSet<ClientRedirectUriEntity> clientRedirectUriEntities = new TreeSet<ClientRedirectUriEntity>();
    for (RedirectUri clientRegisteredRedirectUri : clientRegisteredRedirectUris) {
        ClientRedirectUriEntity clientRedirectUriEntity = new ClientRedirectUriEntity();
        clientRedirectUriEntity.setClientDetailsEntity(clientDetailsEntity);
        // The URI string is stored verbatim; no normalisation happens here.
        clientRedirectUriEntity.setRedirectUri(clientRegisteredRedirectUri.getValue());
        clientRedirectUriEntity.setRedirectUriType(clientRegisteredRedirectUri.getType().value());
        // Each redirect URI may carry its own predefined scopes, persisted as one
        // space-separated string (null when none were registered).
        List<ScopePathType> scopesForRedirect = clientRegisteredRedirectUri.getScope();
        String clientPredefinedScopes = scopesForRedirect != null ? ScopePathType.getScopesAsSingleString(scopesForRedirect) : null;
        clientRedirectUriEntity.setPredefinedClientScope(clientPredefinedScopes);
        clientRedirectUriEntity.setUriActType(clientRegisteredRedirectUri.getActType());
        clientRedirectUriEntity.setUriGeoArea(clientRegisteredRedirectUri.getGeoArea());
        clientRedirectUriEntities.add(clientRedirectUriEntity);
    }
    return clientRedirectUriEntities;
}
Also used : ScopePathType(org.orcid.jaxb.model.message.ScopePathType) TreeSet(java.util.TreeSet) RedirectUri(org.orcid.jaxb.model.clientgroup.RedirectUri) ClientRedirectUriEntity(org.orcid.persistence.jpa.entities.ClientRedirectUriEntity)
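Example 10 persists each registered redirect URI together with a predefined scope string, and Example 8 copies the requested redirectUri into the consent form without checking it against that registration. As an added example, not ORCID-Source code, this is what a strict check of an authorization request against such a registration looks like: exact string comparison of redirect_uri, rejection of fragments, and a subset test of the requested scopes against the URI's predefined scope string. The REGISTERED map, its URIs and scope strings are constructed sample data, and the Decision type is invented for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public final class RedirectUriCheck {

    // Constructed sample registration: redirect URI -> predefined scopes, stored as
    // one space-separated string the way predefinedClientScope is persisted above.
    static final Map<String, String> REGISTERED = new LinkedHashMap<String, String>();
    static {
        REGISTERED.put("https://app.example.org/callback", "/read-limited /activities/update");
        REGISTERED.put("https://app.example.org/sso", "/authenticate");
    }

    /** Outcome of validating one authorization request (type invented for this example). */
    public static final class Decision {
        public final boolean allowed;
        public final String reason;
        Decision(boolean allowed, String reason) { this.allowed = allowed; this.reason = reason; }
    }

    public static Decision validate(String redirectUri, String scopeString) {
        if (redirectUri == null || scopeString == null) {
            return new Decision(false, "redirect_uri and scope are required");
        }
        // 1. Must parse, and must not carry a fragment (RFC 6749 section 3.1.2).
        try {
            if (new URI(redirectUri).getRawFragment() != null) {
                return new Decision(false, "redirect_uri must not contain a fragment");
            }
        } catch (URISyntaxException e) {
            return new Decision(false, "redirect_uri is not a valid URI");
        }
        // 2. Exact string comparison against the registered set (RFC 6749 section 3.1.2.3,
        //    OAuth 2.0 Security BCP): no prefix or wildcard matching, no normalisation,
        //    no tolerance for an extra query string or a scheme downgrade.
        String predefined = REGISTERED.get(redirectUri);
        if (predefined == null) {
            return new Decision(false, "redirect_uri is not registered");
        }
        // 3. Requested scopes must be a subset of the scopes predefined for that URI.
        Set<String> allowed = new HashSet<String>(Arrays.asList(predefined.trim().split(" +")));
        Set<String> requested = new LinkedHashSet<String>(Arrays.asList(scopeString.trim().split(" +")));
        requested.removeAll(allowed);
        if (!requested.isEmpty()) {
            return new Decision(false, "scopes not predefined for this redirect_uri: " + requested);
        }
        return new Decision(true, "ok");
    }

    public static void main(String[] args) {
        // Constructed requests covering the accept path and the usual bypass attempts.
        String[][] cases = {
            { "https://app.example.org/callback", "/read-limited" },                              // allow
            { "https://app.example.org/callback", "/read-limited /activities/update" },           // allow
            { "https://app.example.org/callback/../sso", "/authenticate" },                        // deny: path games
            { "https://app.example.org/callback?next=https://evil.example", "/read-limited" },    // deny: extra query
            { "http://app.example.org/callback", "/read-limited" },                                // deny: scheme downgrade
            { "https://app.example.org/sso", "/read-limited" },                                    // deny: scope not predefined
            { "https://app.example.org/callback#frag", "/read-limited" },                          // deny: fragment
        };
        for (String[] c : cases) {
            Decision d = validate(c[0], c[1]);
            System.out.printf("%-62s %-35s -> %s (%s)%n", c[0], c[1], d.allowed ? "ALLOW" : "DENY", d.reason);
        }
    }
}
```

Because the entity stores the URI string verbatim, exact comparison is only as safe as what was accepted at registration time; a registration that allowed a wildcard, an open query parameter or an http scheme cannot be repaired by the comparison step.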
