Search in sources :

Example 56 with AuthorizationRequest

use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.

the class SecurityContextTestUtils method setUpSecurityContextForClientOnly.

public static void setUpSecurityContextForClientOnly(String clientId, Set<String> scopes) {
    SecurityContextImpl securityContext = new SecurityContextImpl();
    OrcidOAuth2Authentication mockedAuthentication = mock(OrcidOAuth2Authentication.class);
    securityContext.setAuthentication(mockedAuthentication);
    SecurityContextHolder.setContext(securityContext);
    when(mockedAuthentication.getPrincipal()).thenReturn(new ProfileEntity(clientId));
    when(mockedAuthentication.isClientOnly()).thenReturn(true);
    OAuth2Request authorizationRequest = new OAuth2Request(Collections.<String, String>emptyMap(), clientId, Collections.<GrantedAuthority>emptyList(), true, scopes, Collections.<String>emptySet(), null, Collections.<String>emptySet(), Collections.<String, Serializable>emptyMap());
    when(mockedAuthentication.getOAuth2Request()).thenReturn(authorizationRequest);
    when(mockedAuthentication.isAuthenticated()).thenReturn(true);
    when(mockedAuthentication.getName()).thenReturn(clientId);
}
Also used : SecurityContextImpl(org.springframework.security.core.context.SecurityContextImpl) OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) OrcidOAuth2Authentication(org.orcid.core.oauth.OrcidOAuth2Authentication) ProfileEntity(org.orcid.persistence.jpa.entities.ProfileEntity)

Example 57 with AuthorizationRequest

use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.

the class SourceManagerImpl method retrieveRealUserOrcid.

@Override
public String retrieveRealUserOrcid() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication == null) {
        return null;
    }
    // API
    if (OAuth2Authentication.class.isAssignableFrom(authentication.getClass())) {
        OAuth2Request authorizationRequest = ((OAuth2Authentication) authentication).getOAuth2Request();
        return authorizationRequest.getClientId();
    }
    // Delegation mode
    String realUserIfInDelegationMode = getRealUserIfInDelegationMode(authentication);
    if (realUserIfInDelegationMode != null) {
        return realUserIfInDelegationMode;
    }
    // Normal web user
    return retrieveEffectiveOrcid(authentication);
}
Also used : OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) Authentication(org.springframework.security.core.Authentication) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication)

Example 58 with AuthorizationRequest

use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.

the class OrcidRandomValueTokenServicesImpl method refreshAccessToken.

@Override
@Transactional
public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest) throws AuthenticationException {
    String parentTokenValue = tokenRequest.getRequestParameters().get(OrcidOauth2Constants.AUTHORIZATION);
    String clientId = tokenRequest.getClientId();
    String scopes = tokenRequest.getRequestParameters().get(OAuth2Utils.SCOPE);
    Long expiresIn = tokenRequest.getRequestParameters().containsKey(OrcidOauth2Constants.EXPIRES_IN) ? Long.valueOf(tokenRequest.getRequestParameters().get(OrcidOauth2Constants.EXPIRES_IN)) : 0L;
    Boolean revokeOld = tokenRequest.getRequestParameters().containsKey(OrcidOauth2Constants.REVOKE_OLD) ? Boolean.valueOf(tokenRequest.getRequestParameters().get(OrcidOauth2Constants.REVOKE_OLD)) : true;
    // Check if the refresh token is enabled
    if (!customSupportRefreshToken) {
        throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
    }
    // Check if the client support refresh token
    ClientDetailsEntity clientDetails = clientDetailsEntityCacheManager.retrieve(clientId);
    if (!clientDetails.getAuthorizedGrantTypes().contains(OrcidOauth2Constants.REFRESH_TOKEN)) {
        throw new InvalidGrantException("Client " + clientId + " doesnt have refresh token enabled");
    }
    OrcidOauth2TokenDetail parentToken = orcidOauth2TokenDetailDao.findByTokenValue(parentTokenValue);
    ProfileEntity profileEntity = new ProfileEntity(parentToken.getProfile().getId());
    OrcidOauth2TokenDetail newToken = new OrcidOauth2TokenDetail();
    newToken.setApproved(true);
    newToken.setClientDetailsId(clientId);
    newToken.setDateCreated(new Date());
    newToken.setLastModified(new Date());
    newToken.setPersistent(parentToken.isPersistent());
    newToken.setProfile(profileEntity);
    newToken.setRedirectUri(parentToken.getRedirectUri());
    newToken.setRefreshTokenValue(UUID.randomUUID().toString());
    newToken.setResourceId(parentToken.getResourceId());
    newToken.setResponseType(parentToken.getResponseType());
    newToken.setState(parentToken.getState());
    newToken.setTokenDisabled(false);
    if (expiresIn <= 0) {
        //If expiresIn is 0 or less, set the parent token 
        newToken.setTokenExpiration(parentToken.getTokenExpiration());
    } else {
        //Assumes expireIn already contains the real expired time expressed in millis 
        newToken.setTokenExpiration(new Date(expiresIn));
    }
    newToken.setTokenType(parentToken.getTokenType());
    newToken.setTokenValue(UUID.randomUUID().toString());
    newToken.setVersion(parentToken.getVersion());
    if (PojoUtil.isEmpty(scopes)) {
        newToken.setScope(parentToken.getScope());
    } else {
        newToken.setScope(scopes);
    }
    //Generate an authentication object to be able to generate the authentication key
    Set<String> scopesSet = OAuth2Utils.parseParameterList(newToken.getScope());
    AuthorizationRequest request = new AuthorizationRequest(clientId, scopesSet);
    request.setApproved(true);
    Authentication authentication = new OrcidOauth2UserAuthentication(profileEntity, true);
    OrcidOAuth2Authentication orcidAuthentication = new OrcidOAuth2Authentication(request, authentication, newToken.getTokenValue());
    newToken.setAuthenticationKey(authenticationKeyGenerator.extractKey(orcidAuthentication));
    // Store the new token and return it
    orcidOauth2TokenDetailDao.persist(newToken);
    // Revoke the old token when required
    if (revokeOld) {
        orcidOauth2TokenDetailDao.disableAccessToken(parentTokenValue);
    }
    // Save the changes
    orcidOauth2TokenDetailDao.flush();
    // and return it                
    return toOAuth2AccessToken(newToken);
}
Also used : ClientDetailsEntity(org.orcid.persistence.jpa.entities.ClientDetailsEntity) AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) OrcidOAuth2Authentication(org.orcid.core.oauth.OrcidOAuth2Authentication) InvalidGrantException(org.springframework.security.oauth2.common.exceptions.InvalidGrantException) ProfileEntity(org.orcid.persistence.jpa.entities.ProfileEntity) Date(java.util.Date) OrcidOauth2UserAuthentication(org.orcid.core.oauth.OrcidOauth2UserAuthentication) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) OrcidOAuth2Authentication(org.orcid.core.oauth.OrcidOAuth2Authentication) Authentication(org.springframework.security.core.Authentication) OrcidOauth2UserAuthentication(org.orcid.core.oauth.OrcidOauth2UserAuthentication) OrcidOauth2TokenDetail(org.orcid.persistence.jpa.entities.OrcidOauth2TokenDetail) Transactional(org.springframework.transaction.annotation.Transactional)

Example 59 with AuthorizationRequest

use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.

the class OrcidTokenStoreServiceImpl method getOAuth2AuthenticationFromDetails.

private OAuth2Authentication getOAuth2AuthenticationFromDetails(OrcidOauth2TokenDetail details) {
    if (details != null) {
        ClientDetailsEntity clientDetailsEntity = clientDetailsEntityCacheManager.retrieve(details.getClientDetailsId());
        Authentication authentication = null;
        AuthorizationRequest request = null;
        if (clientDetailsEntity != null) {
            //Check member is not locked                
            orcidOAuth2RequestValidator.validateClientIsEnabled(clientDetailsEntity);
            Set<String> scopes = OAuth2Utils.parseParameterList(details.getScope());
            request = new AuthorizationRequest(clientDetailsEntity.getClientId(), scopes);
            request.setAuthorities(clientDetailsEntity.getAuthorities());
            Set<String> resourceIds = new HashSet<>();
            resourceIds.add(details.getResourceId());
            request.setResourceIds(resourceIds);
            request.setApproved(details.isApproved());
            ProfileEntity profile = details.getProfile();
            if (profile != null) {
                authentication = new OrcidOauth2UserAuthentication(profile, details.isApproved());
            }
        }
        return new OrcidOAuth2Authentication(request, authentication, details.getTokenValue());
    }
    throw new InvalidTokenException("Token not found");
}
Also used : ClientDetailsEntity(org.orcid.persistence.jpa.entities.ClientDetailsEntity) InvalidTokenException(org.springframework.security.oauth2.common.exceptions.InvalidTokenException) AuthorizationRequest(org.springframework.security.oauth2.provider.AuthorizationRequest) OrcidOauth2UserAuthentication(org.orcid.core.oauth.OrcidOauth2UserAuthentication) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) OrcidOAuth2Authentication(org.orcid.core.oauth.OrcidOAuth2Authentication) Authentication(org.springframework.security.core.Authentication) OrcidOauth2UserAuthentication(org.orcid.core.oauth.OrcidOauth2UserAuthentication) OrcidOAuth2Authentication(org.orcid.core.oauth.OrcidOAuth2Authentication) ProfileEntity(org.orcid.persistence.jpa.entities.ProfileEntity) HashSet(java.util.HashSet)

Example 60 with AuthorizationRequest

use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.

the class DefaultPermissionChecker method checkScopes.

private void checkScopes(OAuth2Authentication oAuth2Authentication, ScopePathType requiredScope) {
    OAuth2Request authorizationRequest = oAuth2Authentication.getOAuth2Request();
    Set<String> requestedScopes = authorizationRequest.getScope();
    if (requiredScope.isUserGrantWriteScope()) {
        OrcidOAuth2Authentication orcidOauth2Authentication = (OrcidOAuth2Authentication) oAuth2Authentication;
        String activeToken = orcidOauth2Authentication.getActiveToken();
        if (activeToken != null) {
            OrcidOauth2TokenDetail tokenDetail = orcidOauthTokenDetailService.findNonDisabledByTokenValue(activeToken);
            if (removeUserGrantWriteScopePastValitity(tokenDetail)) {
                throw new AccessControlException("Write scopes for this token have expired ");
            }
        }
    }
    if (!hasRequiredScope(requestedScopes, requiredScope)) {
        throw new AccessControlException("Insufficient or wrong scope " + requestedScopes);
    }
}
Also used : OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) AccessControlException(java.security.AccessControlException) OrcidOAuth2Authentication(org.orcid.core.oauth.OrcidOAuth2Authentication) OrcidOauth2TokenDetail(org.orcid.persistence.jpa.entities.OrcidOauth2TokenDetail)

Aggregations

AuthorizationRequest (org.springframework.security.oauth2.provider.AuthorizationRequest)66 Test (org.junit.Test)57 OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication)45 OAuth2Request (org.springframework.security.oauth2.provider.OAuth2Request)42 Authentication (org.springframework.security.core.Authentication)33 HashMap (java.util.HashMap)18 ModelAndView (org.springframework.web.servlet.ModelAndView)16 HashSet (java.util.HashSet)15 ProfileEntity (org.orcid.persistence.jpa.entities.ProfileEntity)15 OrcidOAuth2Authentication (org.orcid.core.oauth.OrcidOAuth2Authentication)14 RedirectView (org.springframework.web.servlet.view.RedirectView)14 OAuth2AccessToken (org.springframework.security.oauth2.common.OAuth2AccessToken)13 DefaultOAuth2AccessToken (org.springframework.security.oauth2.common.DefaultOAuth2AccessToken)12 TokenRequest (org.springframework.security.oauth2.provider.TokenRequest)12 BaseClientDetails (org.springframework.security.oauth2.provider.client.BaseClientDetails)12 Date (java.util.Date)11 ScopePathType (org.orcid.jaxb.model.message.ScopePathType)10 ClientDetailsEntity (org.orcid.persistence.jpa.entities.ClientDetailsEntity)8 TokenGranter (org.springframework.security.oauth2.provider.TokenGranter)8 DefaultUserApprovalHandler (org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler)8