ResourceSetRegistrationEndpoint.java

  1. /*******************************************************************************
  2.  * Copyright 2017 The MIT Internet Trust Consortium
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *   http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *******************************************************************************/
  16. package org.mitre.uma.web;


  19. import static org.mitre.oauth2.web.AuthenticationUtilities.ensureOAuthScope;
  20. import static org.mitre.util.JsonUtils.getAsLong;
  21. import static org.mitre.util.JsonUtils.getAsString;
  22. import static org.mitre.util.JsonUtils.getAsStringSet;

  24. import java.util.Collection;
  25. import java.util.Collections;
  26. import java.util.HashSet;
  27. import java.util.Set;

  29. import org.mitre.oauth2.model.SystemScope;
  30. import org.mitre.oauth2.service.SystemScopeService;
  31. import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
  32. import org.mitre.openid.connect.view.HttpCodeView;
  33. import org.mitre.openid.connect.view.JsonEntityView;
  34. import org.mitre.openid.connect.view.JsonErrorView;
  35. import org.mitre.uma.model.ResourceSet;
  36. import org.mitre.uma.service.ResourceSetService;
  37. import org.mitre.uma.view.ResourceSetEntityAbbreviatedView;
  38. import org.mitre.uma.view.ResourceSetEntityView;
  39. import org.slf4j.Logger;
  40. import org.slf4j.LoggerFactory;
  41. import org.springframework.beans.factory.annotation.Autowired;
  42. import org.springframework.http.HttpStatus;
  43. import org.springframework.security.access.prepost.PreAuthorize;
  44. import org.springframework.security.core.Authentication;
  45. import org.springframework.security.oauth2.provider.OAuth2Authentication;
  46. import org.springframework.stereotype.Controller;
  47. import org.springframework.ui.Model;
  48. import org.springframework.util.MimeTypeUtils;
  49. import org.springframework.web.bind.annotation.PathVariable;
  50. import org.springframework.web.bind.annotation.RequestBody;
  51. import org.springframework.web.bind.annotation.RequestMapping;
  52. import org.springframework.web.bind.annotation.RequestMethod;

  54. import com.google.common.base.Strings;
  55. import com.google.gson.JsonElement;
  56. import com.google.gson.JsonObject;
  57. import com.google.gson.JsonParseException;
  58. import com.google.gson.JsonParser;

  60. @Controller
  61. @RequestMapping("/" + ResourceSetRegistrationEndpoint.URL)
  62. @PreAuthorize("hasRole('ROLE_USER')")
  63. public class ResourceSetRegistrationEndpoint {

  65.     private static final Logger logger = LoggerFactory.getLogger(ResourceSetRegistrationEndpoint.class);

  67.     public static final String DISCOVERY_URL = "resource_set";
  68.     public static final String URL = DISCOVERY_URL + "/resource_set";

  70.     @Autowired
  71.     private ResourceSetService resourceSetService;

  73.     @Autowired
  74.     private ConfigurationPropertiesBean config;

  76.     @Autowired
  77.     private SystemScopeService scopeService;

  79.     private JsonParser parser = new JsonParser();

  81.     @RequestMapping(method = RequestMethod.POST, produces = MimeTypeUtils.APPLICATION_JSON_VALUE, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE)
  82.     public String createResourceSet(@RequestBody String jsonString, Model m, Authentication auth) {
  83.         ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

  85.         ResourceSet rs = parseResourceSet(jsonString);

  87.         if (rs == null) { // there was no resource set in the body
  88.             logger.warn("Resource set registration missing body.");

  90.             m.addAttribute("code", HttpStatus.BAD_REQUEST);
  91.             m.addAttribute("error_description", "Resource request was missing body.");
  92.             return JsonErrorView.VIEWNAME;
  93.         }

  95.         if (auth instanceof OAuth2Authentication) {
  96.             // if it's an OAuth mediated call, it's on behalf of a client, so store that
  97.             OAuth2Authentication o2a = (OAuth2Authentication) auth;
  98.             rs.setClientId(o2a.getOAuth2Request().getClientId());
  99.             rs.setOwner(auth.getName()); // the username is going to be in the auth object
  100.         } else {
  101.             // this one shouldn't be called if it's not OAuth
  102.             m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
  103.             m.addAttribute(JsonErrorView.ERROR_MESSAGE, "This call must be made with an OAuth token");
  104.             return JsonErrorView.VIEWNAME;
  105.         }

  107.         rs = validateScopes(rs);

  109.         if (Strings.isNullOrEmpty(rs.getName()) // there was no name (required)
  110.                 || rs.getScopes() == null // there were no scopes (required)
  111.                 ) {

  113.             logger.warn("Resource set registration missing one or more required fields.");

  115.             m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
  116.             m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Resource request was missing one or more required fields.");
  117.             return JsonErrorView.VIEWNAME;
  118.         }

  120.         ResourceSet saved = resourceSetService.saveNew(rs);

  122.         m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED);
  123.         m.addAttribute(JsonEntityView.ENTITY, saved);
  124.         m.addAttribute(ResourceSetEntityAbbreviatedView.LOCATION, config.getIssuer() + URL + "/" + saved.getId());

  126.         return ResourceSetEntityAbbreviatedView.VIEWNAME;

  128.     }

  130.     @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
  131.     public String readResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) {
  132.         ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

  134.         ResourceSet rs = resourceSetService.getById(id);

  136.         if (rs == null) {
  137.             m.addAttribute("code", HttpStatus.NOT_FOUND);
  138.             m.addAttribute("error", "not_found");
  139.             return JsonErrorView.VIEWNAME;
  140.         } else {

  142.             rs = validateScopes(rs);

  144.             if (!auth.getName().equals(rs.getOwner())) {

  146.                 logger.warn("Unauthorized resource set request from wrong user; expected " + rs.getOwner() + " got " + auth.getName());

  148.                 // it wasn't issued to this user
  149.                 m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
  150.                 return JsonErrorView.VIEWNAME;
  151.             } else {
  152.                 m.addAttribute(JsonEntityView.ENTITY, rs);
  153.                 return ResourceSetEntityView.VIEWNAME;
  154.             }

  156.         }

  158.     }

  160.     @RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
  161.     public String updateResourceSet(@PathVariable ("id") Long id, @RequestBody String jsonString, Model m, Authentication auth) {
  162.         ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

  164.         ResourceSet newRs = parseResourceSet(jsonString);

  166.         if (newRs == null // there was no resource set in the body
  167.                 || Strings.isNullOrEmpty(newRs.getName()) // there was no name (required)
  168.                 || newRs.getScopes() == null // there were no scopes (required)
  169.                 || newRs.getId() == null || !newRs.getId().equals(id) // the IDs didn't match
  170.                 ) {

  172.             logger.warn("Resource set registration missing one or more required fields.");

  174.             m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
  175.             m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Resource request was missing one or more required fields.");
  176.             return JsonErrorView.VIEWNAME;
  177.         }

  179.         ResourceSet rs = resourceSetService.getById(id);

  181.         if (rs == null) {
  182.             m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
  183.             m.addAttribute(JsonErrorView.ERROR, "not_found");
  184.             return JsonErrorView.VIEWNAME;
  185.         } else {
  186.             if (!auth.getName().equals(rs.getOwner())) {

  188.                 logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName());

  190.                 // it wasn't issued to this user
  191.                 m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
  192.                 return JsonErrorView.VIEWNAME;
  193.             } else {

  195.                 ResourceSet saved = resourceSetService.update(rs, newRs);

  197.                 m.addAttribute(JsonEntityView.ENTITY, saved);
  198.                 m.addAttribute(ResourceSetEntityAbbreviatedView.LOCATION, config.getIssuer() + URL + "/" + rs.getId());
  199.                 return ResourceSetEntityAbbreviatedView.VIEWNAME;
  200.             }

  202.         }
  203.     }

  205.     @RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
  206.     public String deleteResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) {
  207.         ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

  209.         ResourceSet rs = resourceSetService.getById(id);

  211.         if (rs == null) {
  212.             m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
  213.             m.addAttribute(JsonErrorView.ERROR, "not_found");
  214.             return JsonErrorView.VIEWNAME;
  215.         } else {
  216.             if (!auth.getName().equals(rs.getOwner())) {

  218.                 logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName());

  220.                 // it wasn't issued to this user
  221.                 m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
  222.                 return JsonErrorView.VIEWNAME;
  223.             } else if (auth instanceof OAuth2Authentication &&
  224.                     !((OAuth2Authentication)auth).getOAuth2Request().getClientId().equals(rs.getClientId())){

  226.                 logger.warn("Unauthorized resource set request from bad client; expected " + rs.getClientId() + " got " + ((OAuth2Authentication)auth).getOAuth2Request().getClientId());

  228.                 // it wasn't issued to this client
  229.                 m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
  230.                 return JsonErrorView.VIEWNAME;
  231.             } else {

  233.                 // user and client matched
  234.                 resourceSetService.remove(rs);

  236.                 m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT);
  237.                 return HttpCodeView.VIEWNAME;
  238.             }

  240.         }
  241.     }

  243.     @RequestMapping(method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
  244.     public String listResourceSets(Model m, Authentication auth) {
  245.         ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

  247.         String owner = auth.getName();

  249.         Collection<ResourceSet> resourceSets = Collections.emptySet();
  250.         if (auth instanceof OAuth2Authentication) {
  251.             // if it's an OAuth mediated call, it's on behalf of a client, so look that up too
  252.             OAuth2Authentication o2a = (OAuth2Authentication) auth;
  253.             resourceSets = resourceSetService.getAllForOwnerAndClient(owner, o2a.getOAuth2Request().getClientId());
  254.         } else {
  255.             // otherwise get everything for the current user
  256.             resourceSets = resourceSetService.getAllForOwner(owner);
  257.         }

  259.         // build the entity here and send to the display

  261.         Set<String> ids = new HashSet<>();
  262.         for (ResourceSet resourceSet : resourceSets) {
  263.             ids.add(resourceSet.getId().toString()); // add them all as strings so that gson renders them properly
  264.         }

  266.         m.addAttribute(JsonEntityView.ENTITY, ids);
  267.         return JsonEntityView.VIEWNAME;
  268.     }

  270.     private ResourceSet parseResourceSet(String jsonString) {

  272.         try {
  273.             JsonElement el = parser.parse(jsonString);

  275.             if (el.isJsonObject()) {
  276.                 JsonObject o = el.getAsJsonObject();

  278.                 ResourceSet rs = new ResourceSet();
  279.                 rs.setId(getAsLong(o, "_id"));
  280.                 rs.setName(getAsString(o, "name"));
  281.                 rs.setIconUri(getAsString(o, "icon_uri"));
  282.                 rs.setType(getAsString(o, "type"));
  283.                 rs.setScopes(getAsStringSet(o, "scopes"));
  284.                 rs.setUri(getAsString(o, "uri"));

  286.                 return rs;

  288.             }

  290.             return null;

  292.         } catch (JsonParseException e) {
  293.             return null;
  294.         }

  296.     }


  299.     /**
  300.      *
  301.      * Make sure the resource set doesn't have any restricted or reserved scopes.
  302.      *
  303.      * @param rs
  304.      */
  305.     private ResourceSet validateScopes(ResourceSet rs) {
  306.         // scopes that the client is asking for
  307.         Set<SystemScope> requestedScopes = scopeService.fromStrings(rs.getScopes());

  309.         // the scopes that the resource set can have must be a subset of the dynamically allowed scopes
  310.         Set<SystemScope> allowedScopes = scopeService.removeRestrictedAndReservedScopes(requestedScopes);

  312.         rs.setScopes(scopeService.toStrings(allowedScopes));

  314.         return rs;
  315.     }

  317. }
Created with JaCoCo 0.7.9.201702052155