org.cloudfoundry.identity.uaa.oauth.UserManagedAuthzApprovalHandler.java Source code

Java tutorial

Introduction

Here is the source code for org.cloudfoundry.identity.uaa.oauth.UserManagedAuthzApprovalHandler.java

Source

/*******************************************************************************
 *     Cloud Foundry
 *     Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
 *
 *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
 *     You may not use this product except in compliance with the License.
 *
 *     This product includes a number of subcomponents with
 *     separate copyright notices and license terms. Your use of these
 *     subcomponents is subject to the terms and conditions of the
 *     subcomponent's license, as noted in the LICENSE file.
 *******************************************************************************/
package org.cloudfoundry.identity.uaa.oauth;

import static org.cloudfoundry.identity.uaa.approval.Approval.ApprovalStatus.APPROVED;
import static org.cloudfoundry.identity.uaa.approval.Approval.ApprovalStatus.DENIED;

import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.approval.Approval;
import org.cloudfoundry.identity.uaa.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.resources.QueryableResourceManager;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

public class UserManagedAuthzApprovalHandler implements UserApprovalHandler {

    private static final String SCOPE_PREFIX = "scope.";

    private static Log logger = LogFactory.getLog(UserManagedAuthzApprovalHandler.class);

    private final String approvalParameter = OAuth2Utils.USER_OAUTH_APPROVAL;

    private ApprovalStore approvalStore;

    private QueryableResourceManager<ClientDetails> clientDetailsService;

    private int approvalExpiryInMillis = -1;

    /**
     * @param clientDetailsService the clientDetailsService to set
     */
    public void setClientDetailsService(QueryableResourceManager<ClientDetails> clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    @Override
    public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {

        String flag = authorizationRequest.getApprovalParameters().get(approvalParameter);
        boolean userApproval = flag != null && flag.toLowerCase().equals("true");

        if (logger.isDebugEnabled()) {
            StringBuilder builder = new StringBuilder("Looking up user approved authorizations for ");
            builder.append("client_id=").append(authorizationRequest.getClientId());
            builder.append(" and username=").append(userAuthentication.getName());
            logger.debug(builder.toString());
        }

        Collection<String> requestedScopes = authorizationRequest.getScope();

        // Factor in auto approved scopes
        Set<String> autoApprovedScopes = new HashSet<>();
        BaseClientDetails client = (BaseClientDetails) clientDetailsService
                .retrieve(authorizationRequest.getClientId());
        if (client != null && requestedScopes != null) {
            autoApprovedScopes.addAll(client.getAutoApproveScopes());
            autoApprovedScopes = UaaTokenUtils.retainAutoApprovedScopes(requestedScopes, autoApprovedScopes);
        }
        //translate scope to user scopes - including wild cards

        if (userApproval) {
            // Store the scopes that have been approved / denied
            Date expiry = computeExpiry();

            // Get the approved scopes, calculate the denied scope
            Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters();
            Set<String> approvedScopes = new HashSet<>();
            approvedScopes.addAll(autoApprovedScopes);
            boolean foundUserApprovalParameter = false;
            for (String approvalParameter : approvalParameters.keySet()) {
                if (approvalParameter.startsWith(SCOPE_PREFIX)) {
                    approvedScopes.add(approvalParameters.get(approvalParameter).substring(SCOPE_PREFIX.length()));
                    foundUserApprovalParameter = true;
                }
            }

            if (foundUserApprovalParameter) {
                authorizationRequest.setScope(approvedScopes);

                for (String requestedScope : requestedScopes) {
                    if (approvedScopes.contains(requestedScope)) {
                        Approval approval = new Approval().setUserId(getUserId(userAuthentication))
                                .setClientId(authorizationRequest.getClientId()).setScope(requestedScope)
                                .setExpiresAt(expiry).setStatus(APPROVED);
                        approvalStore.addApproval(approval);
                    } else {
                        Approval approval = new Approval().setUserId(getUserId(userAuthentication))
                                .setClientId(authorizationRequest.getClientId()).setScope(requestedScope)
                                .setExpiresAt(expiry).setStatus(DENIED);
                        approvalStore.addApproval(approval);
                    }
                }

            } else { // Deny all except auto approved scopes
                authorizationRequest.setScope(autoApprovedScopes);

                for (String requestedScope : requestedScopes) {
                    if (!autoApprovedScopes.contains(requestedScope)) {
                        Approval approval = new Approval().setUserId(getUserId(userAuthentication))
                                .setClientId(authorizationRequest.getClientId()).setScope(requestedScope)
                                .setExpiresAt(expiry).setStatus(DENIED);
                        approvalStore.addApproval(approval);
                    }
                }
            }

            if (userAuthentication.isAuthenticated()) {
                return true;
            }

        } else {
            // Find the stored approvals for that user and client
            List<Approval> userApprovals = approvalStore.getApprovals(getUserId(userAuthentication),
                    authorizationRequest.getClientId());

            // Look at the scopes and see if they have expired
            Set<String> validUserApprovedScopes = new HashSet<>();
            Set<String> approvedScopes = new HashSet<>();
            approvedScopes.addAll(autoApprovedScopes);
            validUserApprovedScopes.addAll(autoApprovedScopes);
            Date today = new Date();
            for (Approval approval : userApprovals) {
                if (approval.getExpiresAt().after(today)) {
                    validUserApprovedScopes.add(approval.getScope());
                    if (approval.getStatus() == APPROVED) {
                        approvedScopes.add(approval.getScope());
                    }
                }
            }

            if (logger.isDebugEnabled()) {
                logger.debug("Valid user approved/denied scopes are " + validUserApprovedScopes);
            }

            // If the requested scopes have already been acted upon by the user,
            // this request is approved
            if (validUserApprovedScopes.containsAll(requestedScopes) && userAuthentication.isAuthenticated()) {
                approvedScopes = UaaTokenUtils.retainAutoApprovedScopes(requestedScopes, approvedScopes);
                // Set only the scopes that have been approved by the user
                authorizationRequest.setScope(approvedScopes);
                return true;
            }
        }

        return false;
    }

    protected String getUserId(Authentication authentication) {
        return Origin.getUserId(authentication);
    }

    private Date computeExpiry() {
        Calendar expiresAt = Calendar.getInstance();
        if (approvalExpiryInMillis == -1) { // use default of 1 month
            expiresAt.add(Calendar.MONTH, 1);
        } else {
            expiresAt.add(Calendar.MILLISECOND, approvalExpiryInMillis);
        }
        return expiresAt.getTime();
    }

    public void setApprovalExpiryInSeconds(int approvalExpirySeconds) {
        this.approvalExpiryInMillis = approvalExpirySeconds * 1000;
    }

    @Override
    public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest,
            Authentication userAuthentication) {
        return authorizationRequest;
    }

    @Override
    public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest,
            Authentication userAuthentication) {
        return authorizationRequest;
    }

    @Override
    public Map<String, Object> getUserApprovalRequest(AuthorizationRequest authorizationRequest,
            Authentication userAuthentication) {
        Map<String, Object> model = new HashMap<String, Object>();
        model.putAll(authorizationRequest.getRequestParameters());
        return model;
    }
}