NamedAdminAuthoritiesMapper.java

  1. /*******************************************************************************
  2.  * Copyright 2017 The MIT Internet Trust Consortium
  3.  *
  4.  * Portions copyright 2011-2013 The MITRE Corporation
  5.  *
  6.  * Licensed under the Apache License, Version 2.0 (the "License");
  7.  * you may not use this file except in compliance with the License.
  8.  * You may obtain a copy of the License at
  9.  *
  10.  *   http://www.apache.org/licenses/LICENSE-2.0
  11.  *
  12.  * Unless required by applicable law or agreed to in writing, software
  13.  * distributed under the License is distributed on an "AS IS" BASIS,
  14.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15.  * See the License for the specific language governing permissions and
  16.  * limitations under the License.
  17.  *******************************************************************************/
  18. /**
  19.  *
  20.  */
  21. package org.mitre.openid.connect.client;

  23. import java.text.ParseException;
  24. import java.util.Collection;
  25. import java.util.HashSet;
  26. import java.util.Set;

  28. import org.mitre.openid.connect.model.UserInfo;
  29. import org.slf4j.Logger;
  30. import org.slf4j.LoggerFactory;
  31. import org.springframework.security.core.GrantedAuthority;
  32. import org.springframework.security.core.authority.SimpleGrantedAuthority;

  34. import com.nimbusds.jwt.JWT;
  35. import com.nimbusds.jwt.JWTClaimsSet;

  37. /**
  38.  *
  39.  * Simple mapper that adds ROLE_USER to the authorities map for all queries,
  40.  * plus adds ROLE_ADMIN if the subject and issuer pair are found in the
  41.  * configurable "admins" set.
  42.  *
  43.  * @author jricher
  44.  *
  45.  */
  46. public class NamedAdminAuthoritiesMapper implements OIDCAuthoritiesMapper {

  48.     private static Logger logger = LoggerFactory.getLogger(NamedAdminAuthoritiesMapper.class);

  50.     private static final SimpleGrantedAuthority ROLE_ADMIN = new SimpleGrantedAuthority("ROLE_ADMIN");
  51.     private static final SimpleGrantedAuthority ROLE_USER = new SimpleGrantedAuthority("ROLE_USER");

  53.     private Set<SubjectIssuerGrantedAuthority> admins = new HashSet<>();

  55.     @Override
  56.     public Collection<? extends GrantedAuthority> mapAuthorities(JWT idToken, UserInfo userInfo) {

  58.         Set<GrantedAuthority> out = new HashSet<>();
  59.         try {
  60.             JWTClaimsSet claims = idToken.getJWTClaimsSet();

  62.             SubjectIssuerGrantedAuthority authority = new SubjectIssuerGrantedAuthority(claims.getSubject(), claims.getIssuer());
  63.             out.add(authority);

  65.             if (admins.contains(authority)) {
  66.                 out.add(ROLE_ADMIN);
  67.             }

  69.             // everybody's a user by default
  70.             out.add(ROLE_USER);

  72.         } catch (ParseException e) {
  73.             logger.error("Unable to parse ID Token inside of authorities mapper (huh?)");
  74.         }
  75.         return out;
  76.     }

  78.     /**
  79.      * @return the admins
  80.      */
  81.     public Set<SubjectIssuerGrantedAuthority> getAdmins() {
  82.         return admins;
  83.     }

  85.     /**
  86.      * @param admins the admins to set
  87.      */
  88.     public void setAdmins(Set<SubjectIssuerGrantedAuthority> admins) {
  89.         this.admins = admins;
  90.     }

  92. }
Created with JaCoCo 0.7.9.201702052155