PermissionRegistrationEndpoint.java

  1. /*******************************************************************************
  2.  * Copyright 2017 The MIT Internet Trust Consortium
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *   http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *******************************************************************************/

  17. package org.mitre.uma.web;

  19. import static org.mitre.oauth2.web.AuthenticationUtilities.ensureOAuthScope;
  20. import static org.mitre.util.JsonUtils.getAsLong;
  21. import static org.mitre.util.JsonUtils.getAsStringSet;

  23. import java.util.Set;

  25. import org.mitre.oauth2.model.SystemScope;
  26. import org.mitre.oauth2.service.SystemScopeService;
  27. import org.mitre.openid.connect.view.JsonEntityView;
  28. import org.mitre.openid.connect.view.JsonErrorView;
  29. import org.mitre.uma.model.PermissionTicket;
  30. import org.mitre.uma.model.ResourceSet;
  31. import org.mitre.uma.service.PermissionService;
  32. import org.mitre.uma.service.ResourceSetService;
  33. import org.slf4j.Logger;
  34. import org.slf4j.LoggerFactory;
  35. import org.springframework.beans.factory.annotation.Autowired;
  36. import org.springframework.http.HttpStatus;
  37. import org.springframework.security.access.prepost.PreAuthorize;
  38. import org.springframework.security.core.Authentication;
  39. import org.springframework.stereotype.Controller;
  40. import org.springframework.ui.Model;
  41. import org.springframework.util.MimeTypeUtils;
  42. import org.springframework.web.bind.annotation.RequestBody;
  43. import org.springframework.web.bind.annotation.RequestMapping;
  44. import org.springframework.web.bind.annotation.RequestMethod;

  46. import com.google.gson.JsonElement;
  47. import com.google.gson.JsonObject;
  48. import com.google.gson.JsonParseException;
  49. import com.google.gson.JsonParser;

  51. /**
  52.  * @author jricher
  53.  *
  54.  */
  55. @Controller
  56. @RequestMapping("/" + PermissionRegistrationEndpoint.URL)
  57. @PreAuthorize("hasRole('ROLE_USER')")
  58. public class PermissionRegistrationEndpoint {
  59.     // Logger for this class
  60.     private static final Logger logger = LoggerFactory.getLogger(PermissionRegistrationEndpoint.class);

  62.     public static final String URL = "permission";

  64.     @Autowired
  65.     private PermissionService permissionService;

  67.     @Autowired
  68.     private ResourceSetService resourceSetService;

  70.     @Autowired
  71.     private SystemScopeService scopeService;

  73.     private JsonParser parser = new JsonParser();

  75.     @RequestMapping(method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
  76.     public String getPermissionTicket(@RequestBody String jsonString, Model m, Authentication auth) {

  78.         ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

  80.         try {

  82.             // parse the permission request

  84.             JsonElement el = parser.parse(jsonString);
  85.             if (el.isJsonObject()) {
  86.                 JsonObject o = el.getAsJsonObject();

  88.                 Long rsid = getAsLong(o, "resource_set_id");
  89.                 Set<String> scopes = getAsStringSet(o, "scopes");

  91.                 if (rsid == null || scopes == null || scopes.isEmpty()){
  92.                     // missing information
  93.                     m.addAttribute("code", HttpStatus.BAD_REQUEST);
  94.                     m.addAttribute("errorMessage", "Missing required component of permission registration request.");
  95.                     return JsonErrorView.VIEWNAME;
  96.                 }

  98.                 // trim any restricted scopes
  99.                 Set<SystemScope> scopesRequested = scopeService.fromStrings(scopes);
  100.                 scopesRequested = scopeService.removeRestrictedAndReservedScopes(scopesRequested);
  101.                 scopes = scopeService.toStrings(scopesRequested);

  103.                 ResourceSet resourceSet = resourceSetService.getById(rsid);

  105.                 // requested resource set doesn't exist
  106.                 if (resourceSet == null) {
  107.                     m.addAttribute("code", HttpStatus.NOT_FOUND);
  108.                     m.addAttribute("errorMessage", "Requested resource set not found: " + rsid);
  109.                     return JsonErrorView.VIEWNAME;
  110.                 }

  112.                 // authorized user of the token doesn't match owner of the resource set
  113.                 if (!resourceSet.getOwner().equals(auth.getName())) {
  114.                     m.addAttribute("code", HttpStatus.FORBIDDEN);
  115.                     m.addAttribute("errorMessage", "Party requesting permission is not owner of resource set, expected " + resourceSet.getOwner() + " got " + auth.getName());
  116.                     return JsonErrorView.VIEWNAME;
  117.                 }

  119.                 // create the permission
  120.                 PermissionTicket permission = permissionService.createTicket(resourceSet, scopes);

  122.                 if (permission != null) {
  123.                     // we've created the permission, return the ticket
  124.                     JsonObject out = new JsonObject();
  125.                     out.addProperty("ticket", permission.getTicket());
  126.                     m.addAttribute("entity", out);

  128.                     m.addAttribute("code", HttpStatus.CREATED);

  130.                     return JsonEntityView.VIEWNAME;
  131.                 } else {
  132.                     // there was a failure creating the permission object

  134.                     m.addAttribute("code", HttpStatus.INTERNAL_SERVER_ERROR);
  135.                     m.addAttribute("errorMessage", "Unable to save permission and generate ticket.");

  137.                     return JsonErrorView.VIEWNAME;
  138.                 }

  140.             } else {
  141.                 // malformed request
  142.                 m.addAttribute("code", HttpStatus.BAD_REQUEST);
  143.                 m.addAttribute("errorMessage", "Malformed JSON request.");
  144.                 return JsonErrorView.VIEWNAME;
  145.             }
  146.         } catch (JsonParseException e) {
  147.             // malformed request
  148.             m.addAttribute("code", HttpStatus.BAD_REQUEST);
  149.             m.addAttribute("errorMessage", "Malformed JSON request.");
  150.             return JsonErrorView.VIEWNAME;
  151.         }

  153.     }

  155. }
Created with JaCoCo 0.7.9.201702052155