use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.
the class SecurityContextTestUtils method setUpSecurityContextForClientOnly.
public static void setUpSecurityContextForClientOnly(String clientId, Set<String> scopes) {
SecurityContextImpl securityContext = new SecurityContextImpl();
OrcidOAuth2Authentication mockedAuthentication = mock(OrcidOAuth2Authentication.class);
securityContext.setAuthentication(mockedAuthentication);
SecurityContextHolder.setContext(securityContext);
when(mockedAuthentication.getPrincipal()).thenReturn(new ProfileEntity(clientId));
when(mockedAuthentication.isClientOnly()).thenReturn(true);
OAuth2Request authorizationRequest = new OAuth2Request(Collections.<String, String>emptyMap(), clientId, Collections.<GrantedAuthority>emptyList(), true, scopes, Collections.<String>emptySet(), null, Collections.<String>emptySet(), Collections.<String, Serializable>emptyMap());
when(mockedAuthentication.getOAuth2Request()).thenReturn(authorizationRequest);
when(mockedAuthentication.isAuthenticated()).thenReturn(true);
when(mockedAuthentication.getName()).thenReturn(clientId);
}
use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.
the class SourceManagerImpl method retrieveRealUserOrcid.
@Override
public String retrieveRealUserOrcid() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null) {
return null;
}
// API
if (OAuth2Authentication.class.isAssignableFrom(authentication.getClass())) {
OAuth2Request authorizationRequest = ((OAuth2Authentication) authentication).getOAuth2Request();
return authorizationRequest.getClientId();
}
// Delegation mode
String realUserIfInDelegationMode = getRealUserIfInDelegationMode(authentication);
if (realUserIfInDelegationMode != null) {
return realUserIfInDelegationMode;
}
// Normal web user
return retrieveEffectiveOrcid(authentication);
}
use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.
the class OrcidRandomValueTokenServicesImpl method refreshAccessToken.
@Override
@Transactional
public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest) throws AuthenticationException {
String parentTokenValue = tokenRequest.getRequestParameters().get(OrcidOauth2Constants.AUTHORIZATION);
String clientId = tokenRequest.getClientId();
String scopes = tokenRequest.getRequestParameters().get(OAuth2Utils.SCOPE);
Long expiresIn = tokenRequest.getRequestParameters().containsKey(OrcidOauth2Constants.EXPIRES_IN) ? Long.valueOf(tokenRequest.getRequestParameters().get(OrcidOauth2Constants.EXPIRES_IN)) : 0L;
Boolean revokeOld = tokenRequest.getRequestParameters().containsKey(OrcidOauth2Constants.REVOKE_OLD) ? Boolean.valueOf(tokenRequest.getRequestParameters().get(OrcidOauth2Constants.REVOKE_OLD)) : true;
// Check if the refresh token is enabled
if (!customSupportRefreshToken) {
throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
}
// Check if the client support refresh token
ClientDetailsEntity clientDetails = clientDetailsEntityCacheManager.retrieve(clientId);
if (!clientDetails.getAuthorizedGrantTypes().contains(OrcidOauth2Constants.REFRESH_TOKEN)) {
throw new InvalidGrantException("Client " + clientId + " doesnt have refresh token enabled");
}
OrcidOauth2TokenDetail parentToken = orcidOauth2TokenDetailDao.findByTokenValue(parentTokenValue);
ProfileEntity profileEntity = new ProfileEntity(parentToken.getProfile().getId());
OrcidOauth2TokenDetail newToken = new OrcidOauth2TokenDetail();
newToken.setApproved(true);
newToken.setClientDetailsId(clientId);
newToken.setDateCreated(new Date());
newToken.setLastModified(new Date());
newToken.setPersistent(parentToken.isPersistent());
newToken.setProfile(profileEntity);
newToken.setRedirectUri(parentToken.getRedirectUri());
newToken.setRefreshTokenValue(UUID.randomUUID().toString());
newToken.setResourceId(parentToken.getResourceId());
newToken.setResponseType(parentToken.getResponseType());
newToken.setState(parentToken.getState());
newToken.setTokenDisabled(false);
if (expiresIn <= 0) {
//If expiresIn is 0 or less, set the parent token
newToken.setTokenExpiration(parentToken.getTokenExpiration());
} else {
//Assumes expireIn already contains the real expired time expressed in millis
newToken.setTokenExpiration(new Date(expiresIn));
}
newToken.setTokenType(parentToken.getTokenType());
newToken.setTokenValue(UUID.randomUUID().toString());
newToken.setVersion(parentToken.getVersion());
if (PojoUtil.isEmpty(scopes)) {
newToken.setScope(parentToken.getScope());
} else {
newToken.setScope(scopes);
}
//Generate an authentication object to be able to generate the authentication key
Set<String> scopesSet = OAuth2Utils.parseParameterList(newToken.getScope());
AuthorizationRequest request = new AuthorizationRequest(clientId, scopesSet);
request.setApproved(true);
Authentication authentication = new OrcidOauth2UserAuthentication(profileEntity, true);
OrcidOAuth2Authentication orcidAuthentication = new OrcidOAuth2Authentication(request, authentication, newToken.getTokenValue());
newToken.setAuthenticationKey(authenticationKeyGenerator.extractKey(orcidAuthentication));
// Store the new token and return it
orcidOauth2TokenDetailDao.persist(newToken);
// Revoke the old token when required
if (revokeOld) {
orcidOauth2TokenDetailDao.disableAccessToken(parentTokenValue);
}
// Save the changes
orcidOauth2TokenDetailDao.flush();
// and return it
return toOAuth2AccessToken(newToken);
}
use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.
the class OrcidTokenStoreServiceImpl method getOAuth2AuthenticationFromDetails.
private OAuth2Authentication getOAuth2AuthenticationFromDetails(OrcidOauth2TokenDetail details) {
if (details != null) {
ClientDetailsEntity clientDetailsEntity = clientDetailsEntityCacheManager.retrieve(details.getClientDetailsId());
Authentication authentication = null;
AuthorizationRequest request = null;
if (clientDetailsEntity != null) {
//Check member is not locked
orcidOAuth2RequestValidator.validateClientIsEnabled(clientDetailsEntity);
Set<String> scopes = OAuth2Utils.parseParameterList(details.getScope());
request = new AuthorizationRequest(clientDetailsEntity.getClientId(), scopes);
request.setAuthorities(clientDetailsEntity.getAuthorities());
Set<String> resourceIds = new HashSet<>();
resourceIds.add(details.getResourceId());
request.setResourceIds(resourceIds);
request.setApproved(details.isApproved());
ProfileEntity profile = details.getProfile();
if (profile != null) {
authentication = new OrcidOauth2UserAuthentication(profile, details.isApproved());
}
}
return new OrcidOAuth2Authentication(request, authentication, details.getTokenValue());
}
throw new InvalidTokenException("Token not found");
}
use of org.springframework.security.oauth2.provider.AuthorizationRequest in project ORCID-Source by ORCID.
the class DefaultPermissionChecker method checkScopes.
private void checkScopes(OAuth2Authentication oAuth2Authentication, ScopePathType requiredScope) {
OAuth2Request authorizationRequest = oAuth2Authentication.getOAuth2Request();
Set<String> requestedScopes = authorizationRequest.getScope();
if (requiredScope.isUserGrantWriteScope()) {
OrcidOAuth2Authentication orcidOauth2Authentication = (OrcidOAuth2Authentication) oAuth2Authentication;
String activeToken = orcidOauth2Authentication.getActiveToken();
if (activeToken != null) {
OrcidOauth2TokenDetail tokenDetail = orcidOauthTokenDetailService.findNonDisabledByTokenValue(activeToken);
if (removeUserGrantWriteScopePastValitity(tokenDetail)) {
throw new AccessControlException("Write scopes for this token have expired ");
}
}
}
if (!hasRequiredScope(requestedScopes, requiredScope)) {
throw new AccessControlException("Insufficient or wrong scope " + requestedScopes);
}
}
Aggregations