001/******************************************************************************* 002 * Copyright 2017 The MIT Internet Trust Consortium 003 * 004 * Portions copyright 2011-2013 The MITRE Corporation 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); 007 * you may not use this file except in compliance with the License. 008 * You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 *******************************************************************************/ 018/** 019 * 020 */ 021package org.mitre.openid.connect.client; 022 023import java.text.ParseException; 024import java.util.Collection; 025import java.util.HashSet; 026import java.util.Set; 027 028import org.mitre.openid.connect.model.UserInfo; 029import org.slf4j.Logger; 030import org.slf4j.LoggerFactory; 031import org.springframework.security.core.GrantedAuthority; 032import org.springframework.security.core.authority.SimpleGrantedAuthority; 033 034import com.nimbusds.jwt.JWT; 035import com.nimbusds.jwt.JWTClaimsSet; 036 037/** 038 * 039 * Simple mapper that adds ROLE_USER to the authorities map for all queries, 040 * plus adds ROLE_ADMIN if the subject and issuer pair are found in the 041 * configurable "admins" set. 
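/**
 * Grants ROLE_USER to every principal whose ID Token can be parsed and that
 * carries both a subject and an issuer, and additionally grants ROLE_ADMIN
 * when the (subject, issuer) pair is listed in the configurable
 * {@code admins} set. The {@link SubjectIssuerGrantedAuthority} built from
 * the pair is always part of the result so that later code can identify the
 * principal.
 *
 * A token whose claims cannot be parsed, or that lacks a subject or an
 * issuer, yields an empty collection: no role is ever granted to a principal
 * this mapper cannot identify.
 *
 * @author jricher
 */
public class NamedAdminAuthoritiesMapper implements OIDCAuthoritiesMapper {

	private static final Logger logger = LoggerFactory.getLogger(NamedAdminAuthoritiesMapper.class);

	private static final SimpleGrantedAuthority ROLE_ADMIN = new SimpleGrantedAuthority("ROLE_ADMIN");
	private static final SimpleGrantedAuthority ROLE_USER = new SimpleGrantedAuthority("ROLE_USER");

	/** (subject, issuer) pairs that receive ROLE_ADMIN; kept non-null so lookups cannot NPE. */
	private Set<SubjectIssuerGrantedAuthority> admins = new HashSet<>();

	/**
	 * Derives the granted authorities for an authenticated OIDC principal.
	 *
	 * @param idToken  the ID Token of the principal; its {@code sub} and {@code iss}
	 *                 claims identify the principal. NOTE(review): this mapper assumes the
	 *                 token's signature and issuer were already verified by the caller
	 *                 (the authentication filter) — confirm, since nothing is re-checked here.
	 * @param userInfo not consulted by this mapper
	 * @return the authorities for the principal: the {@link SubjectIssuerGrantedAuthority}
	 *         plus ROLE_USER, plus ROLE_ADMIN when the pair is in {@code admins}; empty
	 *         when the token is absent, unparseable, or missing subject/issuer
	 */
	@Override
	public Collection<? extends GrantedAuthority> mapAuthorities(JWT idToken, UserInfo userInfo) {

		Set<GrantedAuthority> out = new HashSet<>();

		if (idToken == null) {
			logger.error("No ID Token supplied to authorities mapper; granting no authorities");
			return out;
		}

		JWTClaimsSet claims;
		try {
			claims = idToken.getJWTClaimsSet();
		} catch (ParseException e) {
			// Keep the cause attached: the message alone gives no hint why parsing failed.
			logger.error("Unable to parse ID Token inside of authorities mapper (huh?)", e);
			return out;
		}

		String subject = claims.getSubject();
		String issuer = claims.getIssuer();
		if (subject == null || issuer == null) {
			// Defense in depth: the filter is presumably expected to reject such tokens
			// before they reach this point, but an unidentified principal must never
			// receive ROLE_USER (or match an admin entry) from here.
			logger.error("ID Token is missing subject or issuer; granting no authorities");
			return out;
		}

		SubjectIssuerGrantedAuthority authority = new SubjectIssuerGrantedAuthority(subject, issuer);
		out.add(authority);

		// Admin status is decided solely by exact (subject, issuer) membership in the
		// configured set, i.e. by SubjectIssuerGrantedAuthority's equals/hashCode.
		if (admins.contains(authority)) {
			out.add(ROLE_ADMIN);
		}

		// everybody's a user by default
		out.add(ROLE_USER);

		return out;
	}

	/**
	 * Returns the live set of (subject, issuer) pairs that are granted ROLE_ADMIN.
	 * Modifications to the returned set take effect on subsequent calls to
	 * {@link #mapAuthorities(JWT, UserInfo)}.
	 *
	 * @return the admins set; never null
	 */
	public Set<SubjectIssuerGrantedAuthority> getAdmins() {
		return admins;
	}

	/**
	 * Configures the (subject, issuer) pairs that are granted ROLE_ADMIN.
	 *
	 * @param admins the admins to set; {@code null} is treated as "no admins"
	 *               rather than later failing with a NullPointerException
	 *               in the middle of authentication
	 */
	public void setAdmins(Set<SubjectIssuerGrantedAuthority> admins) {
		this.admins = (admins == null) ? new HashSet<SubjectIssuerGrantedAuthority>() : admins;
	}

}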