

use of org.owasp.esapi.Validator in project OpenAM by OpenRock.

From the class ConsumerRequest, method postConsumerRegistrations.

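/**
 * POST method for registering a Service Consumer
 * and obtaining corresponding consumer key & secret.
 *
 * <p>Only the form parameters whose names match the {@code C_NAME}, {@code C_KEY},
 * {@code C_SECRET} and {@code C_CERT} constants are consumed; every other
 * parameter is ignored. The name and key are canonicalized and validated with the
 * ESAPI {@code HTTPParameterValue} rule (max 512 chars) and rejected if a consumer
 * with the same name/key already exists. The client-supplied secret and certificate
 * are stored as given.
 *
 * @param formParams {@link String} containing the service
 * consumer's description.
 * This description takes the form of name=value pairs separated by &.
 * The following parameters are supported:
 * <OL>
 * <LI>name - the service consumer's name.</LI>
 * <LI>icon - the service consumer's URI for its icon (MUST be unique).</LI>
 * <LI>service - the service consumer's URI for its service</LI>
 * <LI>rsapublickey - (optional) the RSA public key of the Service Consumer.</LI>
 * </OL>
 * <p>
 *
 * Example of string:
 * <pre>
 *  name=Service XYZ&icon=http://www.example.com/icon.jpg&service=http://www.example.com
 * </pre>
 *
 *
 * @return an HTTP response with content of the created resource.
 * The location URI is set to the newly created OAuth consumer key.
 * The body of the response is of the form:
 * <pre>
 * consumer_key=http://serviceprovider/0123456762121
 * consumer_secret=12345633
 * </pre>
 * Both values are URL encoded (UTF-8). Validation failures and duplicate
 * registrations are reported as a {@code 200} response whose body is a plain
 * error message (status kept for compatibility with existing clients).
 * @throws WebApplicationException if the resource manager, the ESAPI
 * canonicalizer/validator or the URL codec fails; the cause is logged at SEVERE.
 */
@POST
@Consumes("application/x-www-form-urlencoded")
public Response postConsumerRegistrations(MultivaluedMap<String, String> formParams) {
    OAuthResourceManager oauthResMgr = OAuthResourceManager.getInstance();
    Logger log = Logger.getLogger(ConsumerRequest.class.getName());
    try {
        Consumer cons = new Consumer();
        String cert = null;
        String tmpsecret = null;
        boolean keyed = false;
        Encoder enc = ESAPI.encoder();
        Validator validator = ESAPI.validator();
        for (String key : formParams.keySet()) {
            String val = formParams.getFirst(key);
            if (key.equalsIgnoreCase(C_NAME)) {
                String consumerName = enc.canonicalize(val);
                if (!validator.isValidInput(C_NAME, consumerName, "HTTPParameterValue", 512, true)) {
                    return registrationError("Invalid name entered. Please try again.");
                }
                // A consumer with the same name must not be registered twice.
                if (consumerExists(oauthResMgr, CONSUMER_NAME, consumerName)) {
                    return registrationError("A consumer is already registered with name "
                            + enc.encodeForHTML(consumerName) + ".");
                }
                cons.setConsName(consumerName);
            } else if (key.equalsIgnoreCase(C_CERT)) {
                // The cert is in PEM format (no URL decode needed).
                // NOTE(review): stored without any parsing/validation; a malformed
                // value is only detected when the key is later used.
                cert = val;
            } else if (key.equalsIgnoreCase(C_SECRET)) {
                // NOTE(review): the client-chosen secret is accepted verbatim with no
                // length or character validation, unlike name/key; a weak secret
                // weakens every signature made with it. JAX-RS usually URL-decodes
                // form parameters already, so confirm this is not a double decode.
                tmpsecret = URLDecoder.decode(val, FORM_CHARSET);
            } else if (key.equalsIgnoreCase(C_KEY)) {
                keyed = true;
                String consumerKey = enc.canonicalize(val);
                if (!validator.isValidInput(C_KEY, consumerKey, "HTTPParameterValue", 512, true)) {
                    return registrationError("Invalid key entered. Please try again.");
                }
                // A consumer with the same key must not be registered twice.
                if (consumerExists(oauthResMgr, CONSUMER_KEY, consumerKey)) {
                    return registrationError("A consumer is already registered with key "
                            + enc.encodeForHTML(consumerKey) + ".");
                }
                cons.setConsKey(consumerKey);
            }
            // anything else is ignored for the time being
        }
        if (cert != null) {
            cons.setConsRsakey(cert);
        }
        if (tmpsecret != null) {
            cons.setConsSecret(tmpsecret);
        } else {
            cons.setConsSecret(new UniqueRandomString().getString());
        }
        if (!keyed) {
            // No key supplied: mint one under this resource's base URI.
            String baseUri = context.getBaseUri().toString();
            if (baseUri.endsWith("/")) {
                baseUri = baseUri.substring(0, baseUri.length() - 1);
            }
            URI loc = URI.create(baseUri + PathDefs.CONSUMERS_PATH + "/" + new UniqueRandomString().getString());
            cons.setConsKey(loc.toString());
        }
        oauthResMgr.createConsumer(null, cons);
        // Explicit charset: the single-argument URLEncoder/URLDecoder overloads use
        // the platform default encoding, which made the wire format host-dependent.
        String resp = "consumer_key=" + URLEncoder.encode(cons.getConsKey(), FORM_CHARSET)
                + "&consumer_secret=" + URLEncoder.encode(cons.getConsSecret(), FORM_CHARSET);
        return Response.created(URI.create(cons.getConsKey())).entity(resp)
                .type(MediaType.APPLICATION_FORM_URLENCODED).build();
    } catch (OAuthServiceException e) {
        log.log(Level.SEVERE, "Consumer registration failed", e);
        throw new WebApplicationException(e);
    } catch (IntrusionException e) {
        log.log(Level.SEVERE, "Consumer registration rejected by ESAPI", e);
        throw new WebApplicationException(e);
    } catch (EncodingException e) {
        log.log(Level.SEVERE, "Consumer registration failed to canonicalize input", e);
        throw new WebApplicationException(e);
    } catch (java.io.UnsupportedEncodingException e) {
        // UTF-8 is mandatory on every JVM, so this is effectively unreachable.
        log.log(Level.SEVERE, "Consumer registration: UTF-8 not available", e);
        throw new WebApplicationException(e);
    }
}

/** Charset used for the URL-encoded request secret and response body. */
private static final String FORM_CHARSET = "UTF-8";

/**
 * Builds the response returned for a rejected registration.
 *
 * @param message plain-text error message placed in the body
 * @return a {@code 200} response with a form-urlencoded content type (the
 *         status is kept for backward compatibility; a {@code 400} would be
 *         more accurate)
 */
private static Response registrationError(String message) {
    return Response.ok().entity(message).type(MediaType.APPLICATION_FORM_URLENCODED).build();
}

/**
 * Reports whether a consumer whose {@code attribute} equals {@code value} is
 * already registered.
 *
 * @param mgr the resource manager used for the lookup
 * @param attribute search attribute name ({@code CONSUMER_NAME} or {@code CONSUMER_KEY})
 * @param value canonicalized value to look up
 * @return {@code true} if the search returns at least one consumer
 * @throws OAuthServiceException if the lookup fails
 */
private static boolean consumerExists(OAuthResourceManager mgr, String attribute, String value)
        throws OAuthServiceException {
    Map<String, String> searchMap = new HashMap<String, String>();
    searchMap.put(attribute, value);
    List<Consumer> consumers = mgr.searchConsumers(searchMap);
    return (consumers != null) && (!consumers.isEmpty());
}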
