Java tutorial
/******************************************************************************* * Cloud Foundry * Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved. * * This product is licensed to you under the Apache License, Version 2.0 (the "License"). * You may not use this product except in compliance with the License. * * This product includes a number of subcomponents with * separate copyright notices and license terms. Your use of these * subcomponents is subject to the terms and conditions of the * subcomponent's license, as noted in the LICENSE file. *******************************************************************************/ package org.cloudfoundry.identity.uaa.oauth; import static org.cloudfoundry.identity.uaa.approval.Approval.ApprovalStatus.APPROVED; import static org.cloudfoundry.identity.uaa.approval.Approval.ApprovalStatus.DENIED; import java.util.Calendar; import java.util.Collection; import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.cloudfoundry.identity.uaa.authentication.Origin; import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants; import org.cloudfoundry.identity.uaa.approval.Approval; import org.cloudfoundry.identity.uaa.approval.ApprovalStore; import org.cloudfoundry.identity.uaa.resources.QueryableResourceManager; import org.cloudfoundry.identity.uaa.util.UaaTokenUtils; import org.springframework.security.core.Authentication; import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.security.oauth2.provider.AuthorizationRequest; import org.springframework.security.oauth2.provider.ClientDetails; import org.springframework.security.oauth2.provider.approval.UserApprovalHandler; import org.springframework.security.oauth2.provider.client.BaseClientDetails; public class UserManagedAuthzApprovalHandler implements UserApprovalHandler { private static final String SCOPE_PREFIX = "scope."; private static Log logger = LogFactory.getLog(UserManagedAuthzApprovalHandler.class); private final String approvalParameter = OAuth2Utils.USER_OAUTH_APPROVAL; private ApprovalStore approvalStore; private QueryableResourceManager<ClientDetails> clientDetailsService; private int approvalExpiryInMillis = -1; /** * @param clientDetailsService the clientDetailsService to set */ public void setClientDetailsService(QueryableResourceManager<ClientDetails> clientDetailsService) { this.clientDetailsService = clientDetailsService; } public void setApprovalStore(ApprovalStore approvalStore) { this.approvalStore = approvalStore; } @Override public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) { String flag = authorizationRequest.getApprovalParameters().get(approvalParameter); boolean userApproval = flag != null && flag.toLowerCase().equals("true"); if (logger.isDebugEnabled()) { StringBuilder builder = new StringBuilder("Looking up user approved authorizations for "); builder.append("client_id=").append(authorizationRequest.getClientId()); builder.append(" and username=").append(userAuthentication.getName()); logger.debug(builder.toString()); } Collection<String> requestedScopes = authorizationRequest.getScope(); // Factor in auto approved scopes Set<String> autoApprovedScopes = new HashSet<>(); BaseClientDetails client = (BaseClientDetails) clientDetailsService .retrieve(authorizationRequest.getClientId()); if (client != null && requestedScopes != null) { autoApprovedScopes.addAll(client.getAutoApproveScopes()); autoApprovedScopes = UaaTokenUtils.retainAutoApprovedScopes(requestedScopes, autoApprovedScopes); } //translate scope to user scopes - including wild cards if (userApproval) { // Store the scopes that have been approved / denied Date expiry = computeExpiry(); // Get the approved scopes, calculate the denied scope Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters(); Set<String> approvedScopes = new HashSet<>(); approvedScopes.addAll(autoApprovedScopes); boolean foundUserApprovalParameter = false; for (String approvalParameter : approvalParameters.keySet()) { if (approvalParameter.startsWith(SCOPE_PREFIX)) { approvedScopes.add(approvalParameters.get(approvalParameter).substring(SCOPE_PREFIX.length())); foundUserApprovalParameter = true; } } if (foundUserApprovalParameter) { authorizationRequest.setScope(approvedScopes); for (String requestedScope : requestedScopes) { if (approvedScopes.contains(requestedScope)) { Approval approval = new Approval().setUserId(getUserId(userAuthentication)) .setClientId(authorizationRequest.getClientId()).setScope(requestedScope) .setExpiresAt(expiry).setStatus(APPROVED); approvalStore.addApproval(approval); } else { Approval approval = new Approval().setUserId(getUserId(userAuthentication)) .setClientId(authorizationRequest.getClientId()).setScope(requestedScope) .setExpiresAt(expiry).setStatus(DENIED); approvalStore.addApproval(approval); } } } else { // Deny all except auto approved scopes authorizationRequest.setScope(autoApprovedScopes); for (String requestedScope : requestedScopes) { if (!autoApprovedScopes.contains(requestedScope)) { Approval approval = new Approval().setUserId(getUserId(userAuthentication)) .setClientId(authorizationRequest.getClientId()).setScope(requestedScope) .setExpiresAt(expiry).setStatus(DENIED); approvalStore.addApproval(approval); } } } if (userAuthentication.isAuthenticated()) { return true; } } else { // Find the stored approvals for that user and client List<Approval> userApprovals = approvalStore.getApprovals(getUserId(userAuthentication), authorizationRequest.getClientId()); // Look at the scopes and see if they have expired Set<String> validUserApprovedScopes = new HashSet<>(); Set<String> approvedScopes = new HashSet<>(); approvedScopes.addAll(autoApprovedScopes); validUserApprovedScopes.addAll(autoApprovedScopes); Date today = new Date(); for (Approval approval : userApprovals) { if (approval.getExpiresAt().after(today)) { validUserApprovedScopes.add(approval.getScope()); if (approval.getStatus() == APPROVED) { approvedScopes.add(approval.getScope()); } } } if (logger.isDebugEnabled()) { logger.debug("Valid user approved/denied scopes are " + validUserApprovedScopes); } // If the requested scopes have already been acted upon by the user, // this request is approved if (validUserApprovedScopes.containsAll(requestedScopes) && userAuthentication.isAuthenticated()) { approvedScopes = UaaTokenUtils.retainAutoApprovedScopes(requestedScopes, approvedScopes); // Set only the scopes that have been approved by the user authorizationRequest.setScope(approvedScopes); return true; } } return false; } protected String getUserId(Authentication authentication) { return Origin.getUserId(authentication); } private Date computeExpiry() { Calendar expiresAt = Calendar.getInstance(); if (approvalExpiryInMillis == -1) { // use default of 1 month expiresAt.add(Calendar.MONTH, 1); } else { expiresAt.add(Calendar.MILLISECOND, approvalExpiryInMillis); } return expiresAt.getTime(); } public void setApprovalExpiryInSeconds(int approvalExpirySeconds) { this.approvalExpiryInMillis = approvalExpirySeconds * 1000; } @Override public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) { return authorizationRequest; } @Override public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) { return authorizationRequest; } @Override public Map<String, Object> getUserApprovalRequest(AuthorizationRequest authorizationRequest, Authentication userAuthentication) { Map<String, Object> model = new HashMap<String, Object>(); model.putAll(authorizationRequest.getRequestParameters()); return model; } }