Persist Authorizations by Person #83

GluuFederation · Oct 17, 2015 · 27d4320 · 27d4320
1 parent 9d45127
commit 27d4320
Show file tree

Hide file tree

Showing 11 changed files with 446 additions and 21 deletions.
diff --git a/Client/src/test/java/org/xdi/oxauth/ws/rs/PersistClientAuthorizationsHttpTest.java b/Client/src/test/java/org/xdi/oxauth/ws/rs/PersistClientAuthorizationsHttpTest.java
@@ -0,0 +1,181 @@
+package org.xdi.oxauth.ws.rs;
+
+import org.testng.annotations.Parameters;
+import org.testng.annotations.Test;
+import org.xdi.oxauth.BaseTest;
+import org.xdi.oxauth.client.*;
+import org.xdi.oxauth.model.common.AuthenticationMethod;
+import org.xdi.oxauth.model.common.GrantType;
+import org.xdi.oxauth.model.common.Prompt;
+import org.xdi.oxauth.model.common.ResponseType;
+import org.xdi.oxauth.model.register.ApplicationType;
+import org.xdi.oxauth.model.util.StringUtils;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertNotNull;
+
+/**
+ * @author Javier Rojas Blum
+ * @version October 16, 2015
+ */
+public class PersistClientAuthorizationsHttpTest extends BaseTest {
+
+    @Parameters({"userId", "userSecret", "redirectUris", "redirectUri"})
+    @Test
+    public void persistentClientAuthorizations(final String userId, final String userSecret,
+                                               final String redirectUris, final String redirectUri) throws Exception {
+        showTitle("persistentClientAuthorizations");
+
+        List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
+
+        // 1. Register client
+        RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
+                StringUtils.spaceSeparatedToList(redirectUris));
+        registerRequest.setResponseTypes(responseTypes);
+
+        RegisterClient registerClient = new RegisterClient(registrationEndpoint);
+        registerClient.setRequest(registerRequest);
+        RegisterResponse registerResponse = registerClient.exec();
+
+        showClient(registerClient);
+        assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
+        assertNotNull(registerResponse.getClientId());
+        assertNotNull(registerResponse.getClientSecret());
+        assertNotNull(registerResponse.getRegistrationAccessToken());
+        assertNotNull(registerResponse.getClientIdIssuedAt());
+        assertNotNull(registerResponse.getClientSecretExpiresAt());
+
+        String clientId = registerResponse.getClientId();
+        String clientSecret = registerResponse.getClientSecret();
+
+        String sessionId = null;
+        {
+            // 2. Request authorization
+            List<String> scopes = Arrays.asList("openid", "profile");
+            String nonce = UUID.randomUUID().toString();
+            String state = UUID.randomUUID().toString();
+
+            AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
+            authorizationRequest.setState(state);
+
+            AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
+                    authorizationEndpoint, authorizationRequest, userId, userSecret);
+
+            assertNotNull(authorizationResponse.getLocation());
+            assertNotNull(authorizationResponse.getCode());
+            assertNotNull(authorizationResponse.getIdToken());
+            assertNotNull(authorizationResponse.getState());
+
+            String authorizationCode = authorizationResponse.getCode();
+            sessionId = authorizationResponse.getSessionId();
+
+            // 3. Request access token using the authorization code.
+            TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
+            tokenRequest.setCode(authorizationCode);
+            tokenRequest.setRedirectUri(redirectUri);
+            tokenRequest.setAuthUsername(clientId);
+            tokenRequest.setAuthPassword(clientSecret);
+            tokenRequest.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_BASIC);
+
+            TokenClient tokenClient = new TokenClient(tokenEndpoint);
+            tokenClient.setRequest(tokenRequest);
+            TokenResponse tokenResponse = tokenClient.exec();
+
+            showClient(tokenClient);
+            assertEquals(tokenResponse.getStatus(), 200, "Unexpected response code: " + tokenResponse.getStatus());
+            assertNotNull(tokenResponse.getEntity());
+            assertNotNull(tokenResponse.getAccessToken());
+            assertNotNull(tokenResponse.getExpiresIn());
+            assertNotNull(tokenResponse.getTokenType());
+            assertNotNull(tokenResponse.getRefreshToken());
+        }
+
+        {
+            // 4. Request authorization
+            List<String> scopes = Arrays.asList("openid", "address", "email");
+            String nonce = UUID.randomUUID().toString();
+            String state = UUID.randomUUID().toString();
+
+            AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
+            authorizationRequest.setState(state);
+
+            AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
+                    authorizationEndpoint, authorizationRequest, userId, userSecret);
+
+            assertNotNull(authorizationResponse.getLocation());
+            assertNotNull(authorizationResponse.getCode());
+            assertNotNull(authorizationResponse.getIdToken());
+            assertNotNull(authorizationResponse.getState());
+
+            String authorizationCode = authorizationResponse.getCode();
+
+            // 5. Request access token using the authorization code.
+            TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
+            tokenRequest.setCode(authorizationCode);
+            tokenRequest.setRedirectUri(redirectUri);
+            tokenRequest.setAuthUsername(clientId);
+            tokenRequest.setAuthPassword(clientSecret);
+            tokenRequest.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_BASIC);
+
+            TokenClient tokenClient = new TokenClient(tokenEndpoint);
+            tokenClient.setRequest(tokenRequest);
+            TokenResponse tokenResponse = tokenClient.exec();
+
+            showClient(tokenClient);
+            assertEquals(tokenResponse.getStatus(), 200, "Unexpected response code: " + tokenResponse.getStatus());
+            assertNotNull(tokenResponse.getEntity());
+            assertNotNull(tokenResponse.getAccessToken());
+            assertNotNull(tokenResponse.getExpiresIn());
+            assertNotNull(tokenResponse.getTokenType());
+            assertNotNull(tokenResponse.getRefreshToken());
+        }
+
+        {
+            // 6. Request authorization
+            List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
+            String nonce = UUID.randomUUID().toString();
+            String state = UUID.randomUUID().toString();
+
+            AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
+            authorizationRequest.setState(state);
+            authorizationRequest.getPrompts().add(Prompt.NONE);
+            authorizationRequest.setSessionId(sessionId);
+
+            AuthorizeClient authorizeClient = new AuthorizeClient(authorizationEndpoint);
+            authorizeClient.setRequest(authorizationRequest);
+
+            AuthorizationResponse authorizationResponse = authorizeClient.exec();
+
+            assertNotNull(authorizationResponse.getLocation());
+            assertNotNull(authorizationResponse.getCode());
+            assertNotNull(authorizationResponse.getState());
+            assertNotNull(authorizationResponse.getScope());
+
+            String authorizationCode = authorizationResponse.getCode();
+
+            // 7. Get Access Token
+            TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
+            tokenRequest.setCode(authorizationCode);
+            tokenRequest.setRedirectUri(redirectUri);
+            tokenRequest.setAuthUsername(clientId);
+            tokenRequest.setAuthPassword(clientSecret);
+            tokenRequest.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_BASIC);
+
+            TokenClient tokenClient = new TokenClient(tokenEndpoint);
+            tokenClient.setRequest(tokenRequest);
+            TokenResponse tokenResponse = tokenClient.exec();
+
+            showClient(tokenClient);
+            assertEquals(tokenResponse.getStatus(), 200, "Unexpected response code: " + tokenResponse.getStatus());
+            assertNotNull(tokenResponse.getEntity(), "The entity is null");
+            assertNotNull(tokenResponse.getAccessToken(), "The access token is null");
+            assertNotNull(tokenResponse.getExpiresIn(), "The expires in value is null");
+            assertNotNull(tokenResponse.getTokenType(), "The token type is null");
+            assertNotNull(tokenResponse.getRefreshToken(), "The refresh token is null");
+        }
+    }
+}
diff --git a/Client/src/test/resources/testng.xml b/Client/src/test/resources/testng.xml
@@ -72,6 +72,13 @@
         </classes>
     </test>
 
+    <!-- PersistClientAuthorizationsHttpTest -->
+    <test name="Persist Client Authorizations test (HTTP)" enabled="true">
+        <classes>
+            <class name="org.xdi.oxauth.ws.rs.PersistClientAuthorizationsHttpTest"/>
+        </classes>
+    </test>
+
     <!-- Register test -->
     <test name="Register test (HTTP)" enabled="true">
         <classes>

diff --git a/Server/conf/oxauth-config.xml b/Server/conf/oxauth-config.xml
@@ -272,6 +272,7 @@
     <dynamic-registration-enabled>true</dynamic-registration-enabled>
     <!-- Value in seconds or 0 if they do not expire -->
     <dynamic-registration-expiration-time>${config.client.dynamic-registration-expiration-time}</dynamic-registration-expiration-time>
+    <dynamic-registration-persist-client-authorizations>true</dynamic-registration-persist-client-authorizations>
 
     <trusted-client-enabled>true</trusted-client-enabled>
 

diff --git a/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.java b/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.java
@@ -32,6 +32,7 @@
 import org.xdi.oxauth.model.federation.FederationTrust;
 import org.xdi.oxauth.model.federation.FederationTrustStatus;
 import org.xdi.oxauth.model.jwt.JwtClaimName;
+import org.xdi.oxauth.model.ldap.ClientAuthorizations;
 import org.xdi.oxauth.model.registration.Client;
 import org.xdi.oxauth.model.util.LocaleUtil;
 import org.xdi.oxauth.model.util.Util;
@@ -47,7 +48,7 @@
 /**
  * @author Javier Rojas Blum
  * @author Yuriy Movchan
- * @version October 1, 2015
+ * @version October 16, 2015
  */
 @Name("authorizeAction")
 @Scope(ScopeType.EVENT) // Do not change scope, we try to keep server without http sessions
@@ -80,6 +81,9 @@ public class AuthorizeAction {
     @In
     private AuthenticationService authenticationService;
 
+    @In
+    private ClientAuthorizationsService clientAuthorizationsService;
+
     @In
     private ExternalAuthenticationService externalAuthenticationService;
 
@@ -237,8 +241,12 @@ public void checkPermissionGranted() {
                 }
 
                 if (AuthorizeParamsValidator.validatePrompt(prompts)) {
-                    // if trusted client = true, then skip authorization page and grant access directly
-                    if (ConfigurationFactory.instance().getConfiguration().getTrustedClientEnabled()) {
+                    ClientAuthorizations clientAuthorizations = clientAuthorizationsService.findClientAuthorizations(user.getAttribute("inum"), client.getClientId());
+                    if (clientAuthorizations != null && clientAuthorizations.getScopes() != null &&
+                            Arrays.asList(clientAuthorizations.getScopes()).containsAll(
+                                    org.xdi.oxauth.model.util.StringUtils.spaceSeparatedToList(scope))) {
+                        permissionGranted(session);
+                    } else if (ConfigurationFactory.instance().getConfiguration().getTrustedClientEnabled()) { // if trusted client = true, then skip authorization page and grant access directly
                         if (Boolean.parseBoolean(client.getTrustedClient()) && !prompts.contains(Prompt.CONSENT)) {
                             permissionGranted(session);
                         }
@@ -575,6 +583,11 @@ public void permissionGranted() {
 
     public void permissionGranted(SessionId session) {
         try {
+            final User user = userService.getUserByDn(session.getUserDn());
+            final Client client = clientService.getClient(clientId);
+            final List<String> scopes = org.xdi.oxauth.model.util.StringUtils.spaceSeparatedToList(scope);
+            clientAuthorizationsService.add(user.getAttribute("inum"), client.getClientId(), scopes);
+
             session.addPermission(clientId, true);
             sessionIdService.updateSessionId(session);
 

diff --git a/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java b/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
@@ -24,6 +24,7 @@
 import org.xdi.oxauth.model.error.ErrorResponseFactory;
 import org.xdi.oxauth.model.exception.InvalidJwtException;
 import org.xdi.oxauth.model.jwt.JwtClaimName;
+import org.xdi.oxauth.model.ldap.ClientAuthorizations;
 import org.xdi.oxauth.model.registration.Client;
 import org.xdi.oxauth.model.util.JwtUtil;
 import org.xdi.oxauth.model.util.Util;
@@ -54,7 +55,7 @@
  * Implementation for request authorization through REST web services.
  *
  * @author Javier Rojas Blum
- * @version October 1, 2015
+ * @version October 16, 2015
  */
 @Name("requestAuthorizationRestWebService")
 @Api(value = "/oxauth/authorize", description = "Authorization Endpoint")
@@ -105,6 +106,9 @@ public class AuthorizeRestWebServiceImpl implements AuthorizeRestWebService {
     @In
     private SessionId sessionUser;
 
+    @In
+    private ClientAuthorizationsService clientAuthorizationsService;
+
     @Override
     public Response requestAuthorizationGet(
             String scope, String responseType, String clientId, String redirectUri, String state, String responseMode,
@@ -391,6 +395,11 @@ public Response requestAuthorization(
                                     }
                                 }
 
+                                ClientAuthorizations clientAuthorizations = clientAuthorizationsService.findClientAuthorizations(user.getAttribute("inum"), client.getClientId());
+                                if (clientAuthorizations != null && clientAuthorizations.getScopes() != null &&
+                                        Arrays.asList(clientAuthorizations.getScopes()).containsAll(scopes)) {
+                                    sessionUser.addPermission(clientId, true);
+                                }
                                 if (prompts.contains(Prompt.NONE) && Boolean.parseBoolean(client.getTrustedClient())) {
                                     sessionUser.addPermission(clientId, true);
                                 }

diff --git a/Server/src/main/java/org/xdi/oxauth/model/config/Configuration.java b/Server/src/main/java/org/xdi/oxauth/model/config/Configuration.java
@@ -22,7 +22,7 @@
  * @author Javier Rojas Blum
  * @author Yuriy Zabrovarnyy
  * @author Yuriy Movchan
- * @version October 1, 2015
+ * @version October 16, 2015
  */
 @XmlRootElement(name = "configuration")
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -95,6 +95,7 @@ public class Configuration {
     private String oxId;
     private Boolean dynamicRegistrationEnabled;
     private int dynamicRegistrationExpirationTime;
+    private Boolean dynamicRegistrationPersistClientAuthorizations;
     private Boolean trustedClientEnabled;
     private Boolean dynamicRegistrationScopesParamEnabled;
     private String dynamicRegistrationCustomObjectClass;
@@ -881,6 +882,15 @@ public void setDynamicRegistrationExpirationTime(int dynamicRegistrationExpirati
         this.dynamicRegistrationExpirationTime = dynamicRegistrationExpirationTime;
     }
 
+    @XmlElement(name = "dynamic-registration-persist-client-authorizations")
+    public Boolean getDynamicRegistrationPersistClientAuthorizations() {
+        return dynamicRegistrationPersistClientAuthorizations;
+    }
+
+    public void setDynamicRegistrationPersistClientAuthorizations(Boolean dynamicRegistrationPersistClientAuthorizations) {
+        this.dynamicRegistrationPersistClientAuthorizations = dynamicRegistrationPersistClientAuthorizations;
+    }
+
     @XmlElement(name = "trusted-client-enabled")
     public Boolean getTrustedClientEnabled() {
         return trustedClientEnabled;