org.mitre.openid.connect.view.UserInfoView.java Source code

Java tutorial

  1. HOME
  2. Java
  3. org.mitre.openid.connect.view.UserInfoView.java

Introduction

Here is the source code for org.mitre.openid.connect.view.UserInfoView.java

Source

/*******************************************************************************
 * Copyright 2016 The MITRE Corporation
 *   and the MIT Internet Trust Consortium
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *******************************************************************************/
package org.mitre.openid.connect.view;

import java.io.IOException;
import java.io.Writer;
import java.util.HashSet;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.mitre.openid.connect.model.UserInfo;
import org.mitre.openid.connect.service.ScopeClaimTranslationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.web.servlet.view.AbstractView;

import com.google.gson.ExclusionStrategy;
import com.google.gson.FieldAttributes;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;

@Component(UserInfoView.VIEWNAME)
public class UserInfoView extends AbstractView {

    public static final String REQUESTED_CLAIMS = "requestedClaims";
    public static final String AUTHORIZED_CLAIMS = "authorizedClaims";
    public static final String SCOPE = "scope";
    public static final String USER_INFO = "userInfo";

    public static final String VIEWNAME = "userInfoView";

    private static JsonParser jsonParser = new JsonParser();

    /**
     * Logger for this class
     */
    private static final Logger logger = LoggerFactory.getLogger(UserInfoView.class);

    @Autowired
    private ScopeClaimTranslationService translator;

    protected Gson gson = new GsonBuilder().setExclusionStrategies(new ExclusionStrategy() {

        @Override
        public boolean shouldSkipField(FieldAttributes f) {

            return false;
        }

        @Override
        public boolean shouldSkipClass(Class<?> clazz) {
            // skip the JPA binding wrapper
            if (clazz.equals(BeanPropertyBindingResult.class)) {
                return true;
            }
            return false;
        }

    }).create();

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.springframework.web.servlet.view.AbstractView#renderMergedOutputModel
     * (java.util.Map, javax.servlet.http.HttpServletRequest,
     * javax.servlet.http.HttpServletResponse)
     */
    @Override
    protected void renderMergedOutputModel(Map<String, Object> model, HttpServletRequest request,
            HttpServletResponse response) {

        UserInfo userInfo = (UserInfo) model.get(USER_INFO);

        Set<String> scope = (Set<String>) model.get(SCOPE);

        response.setContentType(MediaType.APPLICATION_JSON_VALUE);

        JsonObject authorizedClaims = null;
        JsonObject requestedClaims = null;
        if (model.get(AUTHORIZED_CLAIMS) != null) {
            authorizedClaims = jsonParser.parse((String) model.get(AUTHORIZED_CLAIMS)).getAsJsonObject();
        }
        if (model.get(REQUESTED_CLAIMS) != null) {
            requestedClaims = jsonParser.parse((String) model.get(REQUESTED_CLAIMS)).getAsJsonObject();
        }
        JsonObject json = toJsonFromRequestObj(userInfo, scope, authorizedClaims, requestedClaims);

        writeOut(json, model, request, response);
    }

    protected void writeOut(JsonObject json, Map<String, Object> model, HttpServletRequest request,
            HttpServletResponse response) {
        try {
            Writer out = response.getWriter();
            gson.toJson(json, out);
        } catch (IOException e) {

            logger.error("IOException in UserInfoView.java: ", e);

        }

    }

    /**
     * Build a JSON response according to the request object received.
     * 
     * Claims requested in requestObj.userinfo.claims are added to any
     * claims corresponding to requested scopes, if any.
     * 
     * @param ui the UserInfo to filter
     * @param scope the allowed scopes to filter by
     * @param authorizedClaims the claims authorized by the client or user
     * @param requestedClaims the claims requested in the RequestObject
     * @return the filtered JsonObject result
     */
    private JsonObject toJsonFromRequestObj(UserInfo ui, Set<String> scope, JsonObject authorizedClaims,
            JsonObject requestedClaims) {

        // get the base object
        JsonObject obj = ui.toJson();

        Set<String> allowedByScope = translator.getClaimsForScopeSet(scope);
        Set<String> authorizedByClaims = new HashSet<>();
        Set<String> requestedByClaims = new HashSet<>();

        if (authorizedClaims != null) {
            JsonObject userinfoAuthorized = authorizedClaims.getAsJsonObject().get("userinfo").getAsJsonObject();
            for (Entry<String, JsonElement> entry : userinfoAuthorized.getAsJsonObject().entrySet()) {
                authorizedByClaims.add(entry.getKey());
            }
        }
        if (requestedClaims != null) {
            JsonObject userinfoRequested = requestedClaims.getAsJsonObject().get("userinfo").getAsJsonObject();
            for (Entry<String, JsonElement> entry : userinfoRequested.getAsJsonObject().entrySet()) {
                requestedByClaims.add(entry.getKey());
            }
        }

        // Filter claims by performing a manual intersection of claims that are allowed by the given scope, requested, and authorized.
        // We cannot use Sets.intersection() or similar because Entry<> objects will evaluate to being unequal if their values are
        // different, whereas we are only interested in matching the Entry<>'s key values.
        JsonObject result = new JsonObject();
        for (Entry<String, JsonElement> entry : obj.entrySet()) {

            if (allowedByScope.contains(entry.getKey()) || authorizedByClaims.contains(entry.getKey())) {
                // it's allowed either by scope or by the authorized claims (either way is fine with us)

                if (requestedByClaims.isEmpty() || requestedByClaims.contains(entry.getKey())) {
                    // the requested claims are empty (so we allow all), or they're not empty and this claim was specifically asked for
                    result.add(entry.getKey(), entry.getValue());
                } // otherwise there were specific claims requested and this wasn't one of them
            }
        }

        return result;
    }
}