Example 1 with ScopeBinding
use of org.wso2.carbon.identity.oauth2.bean.ScopeBinding in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2ServiceComponent method loadOauthScopeBinding.
private static void loadOauthScopeBinding() {
List<Scope> scopes = new ArrayList<>();
String configDirPath = CarbonUtils.getCarbonConfigDirPath();
String confXml = Paths.get(configDirPath, IDENTITY_PATH, OAuthConstants.OAUTH_SCOPE_BINDING_PATH).toString();
File configFile = new File(confXml);
if (!configFile.exists()) {
log.warn("OAuth scope binding File is not present at: " + confXml);
return;
}
XMLStreamReader parser = null;
try (InputStream stream = new FileInputStream(configFile)) {
parser = XMLInputFactory.newInstance().createXMLStreamReader(stream);
StAXOMBuilder builder = new StAXOMBuilder(parser);
OMElement documentElement = builder.getDocumentElement();
Iterator iterator = documentElement.getChildElements();
while (iterator.hasNext()) {
OMElement omElement = (OMElement) iterator.next();
String scopeName = omElement.getAttributeValue(new QName(NAME));
String displayName = omElement.getAttributeValue(new QName(DISPLAY_NAME));
String description = omElement.getAttributeValue(new QName(DESCRIPTION));
List<String> bindingPermissions = loadScopePermissions(omElement);
ScopeBinding scopeBinding = new ScopeBinding(PERMISSIONS_BINDING_TYPE, bindingPermissions);
List<ScopeBinding> scopeBindings = new ArrayList<>();
scopeBindings.add(scopeBinding);
Scope scope = new Scope(scopeName, displayName, scopeBindings, description);
scopes.add(scope);
}
} catch (XMLStreamException e) {
log.warn("Error while streaming oauth-scope-bindings config.", e);
} catch (IOException e) {
log.warn("Error while loading oauth-scope-bindings config.", e);
} finally {
try {
if (parser != null) {
parser.close();
}
} catch (XMLStreamException e) {
log.error("Error while closing XML stream", e);
}
}
OAuth2ServiceComponentHolder.getInstance().setOauthScopeBinding(scopes);
}
Also used :
XMLStreamReader(javax.xml.stream.XMLStreamReader)
FileInputStream(java.io.FileInputStream)
InputStream(java.io.InputStream)
QName(javax.xml.namespace.QName)
ArrayList(java.util.ArrayList)
OMElement(org.apache.axiom.om.OMElement)
IOException(java.io.IOException)
FileInputStream(java.io.FileInputStream)
Scope(org.wso2.carbon.identity.oauth2.bean.Scope)
XMLStreamException(javax.xml.stream.XMLStreamException)
Iterator(java.util.Iterator)
StAXOMBuilder(org.apache.axiom.om.impl.builder.StAXOMBuilder)
File(java.io.File)
ScopeBinding(org.wso2.carbon.identity.oauth2.bean.ScopeBinding)
Example 2 with ScopeBinding
use of org.wso2.carbon.identity.oauth2.bean.ScopeBinding in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuthScopeDAOImpl method addScopeBinding.
/**
* Add bindings to a scope.
*
* @param scope Scope.
* @param conn Connection.
* @param scopeID Scope ID.
* @throws SQLException
* @throws IdentityOAuth2ScopeClientException
*/
private void addScopeBinding(Scope scope, Connection conn, int scopeID) throws SQLException {
// Adding scope bindings.
try (PreparedStatement ps = conn.prepareStatement(SQLQueries.ADD_SCOPE_BINDING)) {
List<ScopeBinding> scopeBindings = scope.getScopeBindings();
for (ScopeBinding scopeBinding : scopeBindings) {
String bindingType = scopeBinding.getBindingType();
for (String binding : scopeBinding.getBindings()) {
ps.setInt(1, scopeID);
ps.setString(2, binding);
ps.setString(3, bindingType);
ps.addBatch();
}
}
ps.executeBatch();
}
}
Also used :
NamedPreparedStatement(org.wso2.carbon.identity.oauth2.util.NamedPreparedStatement)
PreparedStatement(java.sql.PreparedStatement)
ScopeBinding(org.wso2.carbon.identity.oauth2.bean.ScopeBinding)
Example 3 with ScopeBinding
use of org.wso2.carbon.identity.oauth2.bean.ScopeBinding in project identity-inbound-auth-oauth by wso2-extensions.
the class JDBCPermissionBasedInternalScopeValidator method getUserAllowedScopes.
private List<Scope> getUserAllowedScopes(AuthenticatedUser authenticatedUser, String[] requestedScopes, String clientId) {
List<Scope> userAllowedScopes = new ArrayList<>();
try {
if (requestedScopes == null) {
return new ArrayList<>();
}
boolean isSystemScope = ArrayUtils.contains(requestedScopes, SYSTEM_SCOPE);
int tenantId = IdentityTenantUtil.getTenantId(authenticatedUser.getTenantDomain());
startTenantFlow(authenticatedUser.getTenantDomain(), tenantId);
AuthorizationManager authorizationManager = OAuthComponentServiceHolder.getInstance().getRealmService().getTenantUserRealm(tenantId).getAuthorizationManager();
String[] allowedUIResourcesForUser;
/*
Here we handle scope validation for federated user and local user separately.
For local users - user store is used to get user roles.
For federated user - get user roles from user attributes.
Note that if there is association between a federated user and local user () 'Assert identity using
mapped local subject identifier' flag will be set as true. So authenticated user will be associated
local user not federated user.
*/
if (authenticatedUser.isFederatedUser()) {
/*
There is a flow where 'Assert identity using mapped local subject identifier' flag enabled but the
federated user doesn't have any association in localIDP, to handle this case we check for 'Assert
identity using mapped local subject identifier' flag and get roles from userStore.
*/
if (isSPAlwaysSendMappedLocalSubjectId(clientId)) {
allowedUIResourcesForUser = getAllowedUIResourcesOfUser(authenticatedUser, authorizationManager);
} else {
// Handle not account associated federated users.
allowedUIResourcesForUser = getAllowedUIResourcesForNotAssociatedFederatedUser(authenticatedUser, authorizationManager);
}
} else {
allowedUIResourcesForUser = getAllowedUIResourcesOfUser(authenticatedUser, authorizationManager);
}
Set<Scope> allScopes = getScopesOfPermissionType(tenantId);
if (ArrayUtils.contains(allowedUIResourcesForUser, ROOT) || ArrayUtils.contains(allowedUIResourcesForUser, PERMISSION_ROOT)) {
return new ArrayList<>(allScopes);
} else if (ArrayUtils.contains(allowedUIResourcesForUser, ADMIN_PERMISSION_ROOT)) {
return new ArrayList<>(getAdminAllowedScopes(allScopes, requestedScopes));
}
for (Scope scope : allScopes) {
if (!isSystemScope && !ArrayUtils.contains(requestedScopes, scope.getName())) {
continue;
}
List<ScopeBinding> bindings = scope.getScopeBindings();
boolean isScopeAllowed = true;
for (ScopeBinding scopeBinding : bindings) {
if (PERMISSION_BINDING_TYPE.equalsIgnoreCase(scopeBinding.getBindingType())) {
for (String binding : scopeBinding.getBindings()) {
boolean isAllowed = false;
for (String allowedScope : allowedUIResourcesForUser) {
if ((binding + "/").startsWith(allowedScope + "/")) {
isAllowed = true;
break;
}
}
if (!isAllowed) {
isScopeAllowed = false;
break;
}
}
}
}
if (isScopeAllowed) {
userAllowedScopes.add(scope);
}
}
} catch (UserStoreException e) {
log.error("Error while accessing Authorization Manager.", e);
} catch (IdentityOAuth2Exception e) {
log.error("Error while accessing identity provider manager.", e);
} catch (IdentityOAuth2ScopeServerException e) {
log.error("Error while retrieving oAuth2 scopes.", e);
} catch (UserIdNotFoundException e) {
log.error("User id not available for user: " + authenticatedUser.getLoggableUserId(), e);
} finally {
endTenantFlow();
}
return userAllowedScopes;
}
Also used :
IdentityOAuth2ScopeServerException(org.wso2.carbon.identity.oauth2.IdentityOAuth2ScopeServerException)
ArrayList(java.util.ArrayList)
UserIdNotFoundException(org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException)
Scope(org.wso2.carbon.identity.oauth2.bean.Scope)
IdentityOAuth2Exception(org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception)
UserStoreException(org.wso2.carbon.user.api.UserStoreException)
AuthorizationManager(org.wso2.carbon.user.api.AuthorizationManager)
ScopeBinding(org.wso2.carbon.identity.oauth2.bean.ScopeBinding)
Example 4 with ScopeBinding
use of org.wso2.carbon.identity.oauth2.bean.ScopeBinding in project carbon-apimgt by wso2.
the class AsyncApiParser method getScopes.
@Override
public Set<Scope> getScopes(String resourceConfigsJSON) throws APIManagementException {
Set<Scope> scopeSet = new LinkedHashSet<>();
Aai20Document document = (Aai20Document) Library.readDocumentFromJSONString(resourceConfigsJSON);
if (document.components != null && document.components.securitySchemes != null) {
Aai20SecurityScheme oauth2 = (Aai20SecurityScheme) document.components.securitySchemes.get("oauth2");
if (oauth2 != null && oauth2.flows != null && oauth2.flows.implicit != null) {
Map<String, String> scopes = oauth2.flows.implicit.scopes;
Extension xScopesBindings = oauth2.flows.implicit.getExtension(APIConstants.SWAGGER_X_SCOPES_BINDINGS);
Map<String, String> scopeBindings = new HashMap<>();
if (xScopesBindings != null) {
scopeBindings = (Map<String, String>) xScopesBindings.value;
}
if (scopes != null) {
for (Map.Entry<String, String> entry : scopes.entrySet()) {
Scope scope = new Scope();
scope.setKey(entry.getKey());
scope.setName(entry.getKey());
scope.setDescription(entry.getValue());
String scopeBinding = scopeBindings.get(scope.getKey());
if (scopeBinding != null) {
scope.setRoles(scopeBinding);
}
scopeSet.add(scope);
}
}
}
}
return scopeSet;
}
Also used :
LinkedHashSet(java.util.LinkedHashSet)
Extension(io.apicurio.datamodels.core.models.Extension)
Aai20SecurityScheme(io.apicurio.datamodels.asyncapi.v2.models.Aai20SecurityScheme)
Scope(org.wso2.carbon.apimgt.api.model.Scope)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
Aai20Document(io.apicurio.datamodels.asyncapi.v2.models.Aai20Document)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
Map(java.util.Map)
Example 5 with ScopeBinding
use of org.wso2.carbon.identity.oauth2.bean.ScopeBinding in project identity-inbound-auth-oauth by wso2-extensions.
the class ScopeUtils method getScopeBindingDTOs.
public static List<ScopeBindingDTO> getScopeBindingDTOs(List<ScopeBinding> scopeBindings) {
List<ScopeBindingDTO> scopeBindingDTOs = new ArrayList<>();
for (ScopeBinding scopeBinding : scopeBindings) {
ScopeBindingDTO scopeBindingDTO = new ScopeBindingDTO();
scopeBindingDTO.setBindingType(scopeBinding.getBindingType());
scopeBindingDTO.setBinding(scopeBinding.getBindings());
scopeBindingDTOs.add(scopeBindingDTO);
}
return scopeBindingDTOs;
}
Also used :
ArrayList(java.util.ArrayList)
ScopeBindingDTO(org.wso2.carbon.identity.oauth.scope.endpoint.dto.ScopeBindingDTO)
ScopeBinding(org.wso2.carbon.identity.oauth2.bean.ScopeBinding)
Aggregations
ScopeBinding (org.wso2.carbon.identity.oauth2.bean.ScopeBinding)4
ArrayList (java.util.ArrayList)3
Scope (org.wso2.carbon.identity.oauth2.bean.Scope)2
Aai20Document (io.apicurio.datamodels.asyncapi.v2.models.Aai20Document)1
Aai20SecurityScheme (io.apicurio.datamodels.asyncapi.v2.models.Aai20SecurityScheme)1
Extension (io.apicurio.datamodels.core.models.Extension)1
File (java.io.File)1
FileInputStream (java.io.FileInputStream)1
IOException (java.io.IOException)1
InputStream (java.io.InputStream)1
PreparedStatement (java.sql.PreparedStatement)1
HashMap (java.util.HashMap)1
Iterator (java.util.Iterator)1
LinkedHashMap (java.util.LinkedHashMap)1
LinkedHashSet (java.util.LinkedHashSet)1
Map (java.util.Map)1
QName (javax.xml.namespace.QName)1
XMLStreamException (javax.xml.stream.XMLStreamException)1
XMLStreamReader (javax.xml.stream.XMLStreamReader)1
OMElement (org.apache.axiom.om.OMElement)1
