Skip to content

Commit

Permalink
feat(config-api): scope enhancement- wip
Browse files Browse the repository at this point in the history
  • Loading branch information
@pujavs
pujavs committed Nov 28, 2022
1 parent 90bf084 commit f7c1498
Show file tree
Hide file tree
Showing 4 changed files with 94 additions and 86 deletions.
16 changes: 8 additions & 8 deletions jans-config-api/docs/jans-config-api-swagger-auto.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7178,19 +7178,19 @@ components:
$ref: '#/components/schemas/AttributeValidation'
tooltip:
type: string
whitePagesCanView:
adminCanEdit:
type: boolean
adminCanAccess:
adminCanView:
type: boolean
userCanView:
type: boolean
userCanEdit:
type: boolean
userCanAccess:
type: boolean
adminCanEdit:
type: boolean
userCanView:
adminCanAccess:
type: boolean
adminCanView:
whitePagesCanView:
type: boolean
baseDn:
type: string
Expand Down Expand Up @@ -8361,6 +8361,8 @@ components:
- STAT
- PAR
- SSA
fapi:
type: boolean
allResponseTypesSupported:
uniqueItems: true
type: array
Expand All @@ -8370,8 +8372,6 @@ components:
- code
- token
- id_token
fapi:
type: boolean
AuthenticationFilter:
required:
- baseDn
Expand Down
52 changes: 26 additions & 26 deletions ...-config-api/server/src/main/java/io/jans/configapi/security/api/ApiProtectionService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ public Collection<RsResource> getResourceList() {
}

public void verifyResources(String apiProtectionType, String clientId) throws IOException {
log.error(
log.debug(
"ApiProtectionService::verifyResources() - apiProtectionType:{}, clientId:{}, configurationFactory:{} ",
apiProtectionType, clientId, configurationFactory);

Expand All @@ -64,13 +64,13 @@ public void verifyResources(String apiProtectionType, String clientId) throws IO

RsResourceList resourceList = Jackson.createJsonMapper().readValue(inputStream, RsResourceList.class);
this.rsResourceList = resourceList.getResources();
log.error("verifyResources() - rsResourceList{} ", rsResourceList);
log.debug("verifyResources() - rsResourceList{} ", rsResourceList);

Preconditions.checkNotNull(rsResourceList, "Config Api Resource list cannot be null !!!");

createScopeIfNeeded(apiProtectionType);
log.error(
"\n\n\n ***** ApiProtectionService:::verifyResources() - getAllResources:{}, getScopes():{}, getGroupScopes():{}, getSuperScopes():{}, getAllTypesOfScopes():{}",
log.trace(
" *** ApiProtectionService:::verifyResources() - getAllResources:{}, getScopes():{}, getGroupScopes():{}, getSuperScopes():{}, getAllTypesOfScopes():{}",
ApiProtectionCache.getAllResources(), ApiProtectionCache.getScopes(),
ApiProtectionCache.getGroupScopes(), ApiProtectionCache.getSuperScopes(),
ApiProtectionCache.getAllTypesOfScopes());
Expand All @@ -80,14 +80,14 @@ public void verifyResources(String apiProtectionType, String clientId) throws IO
}

private void createScopeIfNeeded(String apiProtectionType) {
log.error("ApiProtectionService:::createScopeIfNeeded() - apiProtectionType:{}", apiProtectionType);
log.debug("ApiProtectionService:::createScopeIfNeeded() - apiProtectionType:{}", apiProtectionType);

List<Scope> scopeList = new ArrayList<>();
for (RsResource rsResource : rsResourceList) {
for (Condition condition : rsResource.getConditions()) {
String resourceName = condition.getHttpMethods() + ":::" + rsResource.getPath();

log.error(
log.debug(
"ApiProtectionService:::createScopeIfNeeded() - resourceName:{}, condition.getScopes():{}, condition.getGroupScopes():{}, condition.getSuperScopes():{}",
resourceName, condition.getScopes(), condition.getGroupScopes(), condition.getSuperScopes());

Expand All @@ -110,7 +110,7 @@ private void createScopeIfNeeded(String apiProtectionType) {
processScope(resourceName, ProtectionScopeType.SUPER, superScopes);
}

log.error("ApiProtectionService:::createScopeIfNeeded() - resourceName:{}, scopeList:{}", resourceName,
log.debug("ApiProtectionService:::createScopeIfNeeded() - resourceName:{}, scopeList:{}", resourceName,
scopeList);

} // condition
Expand All @@ -119,7 +119,7 @@ private void createScopeIfNeeded(String apiProtectionType) {

private void processScope(String resourceName, ProtectionScopeType protectionScopeType,
List<io.jans.configapi.core.protect.Scope> scopeList) {
log.error("ApiProtectionService:::processScope() - resourceName:{}, protectionScopeType:{}, scopeList:{}",
log.debug("ApiProtectionService:::processScope() - resourceName:{}, protectionScopeType:{}, scopeList:{}",
resourceName, protectionScopeType, scopeList);

// return if no scopes
Expand All @@ -130,7 +130,7 @@ private void processScope(String resourceName, ProtectionScopeType protectionSco
for (io.jans.configapi.core.protect.Scope rsScope : scopeList) {
String inum = rsScope.getInum();
String scopeName = rsScope.getName();
log.error("ApiProtectionService:::processScope() - resourceName:{}, inum:{}, scopeName:{}", resourceName,
log.debug("ApiProtectionService:::processScope() - resourceName:{}, inum:{}, scopeName:{}", resourceName,
inum, scopeName);

// return if no scope details
Expand All @@ -145,21 +145,21 @@ private void processScope(String resourceName, ProtectionScopeType protectionSco

private List<Scope> validateScope(String resourceName, ProtectionScopeType protectionScopeType,
io.jans.configapi.core.protect.Scope rsScope) {
log.error("Verify Scope in DB - protectionScopeType:{}, rsScope:{} ", protectionScopeType, rsScope);
log.debug("Verify Scope in DB - protectionScopeType:{}, rsScope:{} ", protectionScopeType, rsScope);
Set<Scope> scopeList = new HashSet<>();

// Check in DB
Scope scope = scopeService.getScope(rsScope.getInum());
log.error("Scopes from DB - {}'", scope);
log.debug("Scopes from DB - {}'", scope);

if (scope != null) {
// Fetch existing scope to store in cache
log.error("Scope from DB is not null scope.getInum():{}, scope.getId():{}", scope.getInum(), scope.getId());
log.debug("Scope from DB is not null scope.getInum():{}, scope.getId():{}", scope.getInum(), scope.getId());
scopeList.add(scope);
}

ScopeType scopeType = ScopeType.OAUTH;
log.error(
log.debug(
"Scope details - scope:{}, rsScope.getName():{}, exclusiveAuthScopes:{}, isConfigApiScope(scopeName):{} '",
scope, rsScope.getName(), configurationFactory.getApiAppConfiguration().getExclusiveAuthScopes(),
isConfigApiScope(rsScope.getName()));
Expand All @@ -169,10 +169,10 @@ private List<Scope> validateScope(String resourceName, ProtectionScopeType prote

// ensure scope does not exists
scope = scopeService.getScope(rsScope.getInum());
log.error("Re-verify ConfigApiScope rsScope.getName():{} with rsScope.getInum():{} in DB - scope:{} ",
log.debug("Re-verify ConfigApiScope rsScope.getName():{} with rsScope.getInum():{} in DB - scope:{} ",
rsScope.getName(), rsScope.getInum(), scope);
if (scope == null) {
log.error("Scope - '{}' does not exist, hence creating it.", scope);
log.debug("Scope - '{}' does not exist, hence creating it.", scope);
// Scope does not exists hence create Scope
scope = new Scope();
String inum = rsScope.getInum();
Expand All @@ -184,7 +184,7 @@ private List<Scope> validateScope(String resourceName, ProtectionScopeType prote
scopeService.addScope(scope);
} else {
// Update resource
log.error("Scope - '{}' already exists, hence updating it.", rsScope.getName());
log.debug("Scope - '{}' already exists, hence updating it.", rsScope.getName());
scope.setId(rsScope.getName());
scope.setScopeType(scopeType);
scopeService.updateScope(scope);
Expand All @@ -206,25 +206,25 @@ private boolean isConfigApiScope(String scopeName) {
}

private void updateScopeForClientIfNeeded(String clientId) {
log.error(" Internal clientId:{} ", clientId);
log.debug(" Internal clientId:{} ", clientId);

if (StringUtils.isBlank(clientId)) {
return;
}

try {
Client client = this.clientService.getClientByInum(clientId);
log.error("updateScopeForClientIfNeeded() - Verify client:{} ", client);
log.debug("updateScopeForClientIfNeeded() - Verify client:{} ", client);

if (client != null) {
// Assign scope
// Prepare scope array
List<String> scopes = getScopeWithDn(getAllScopes());
log.error("updateScopeForClientIfNeeded() - All scopes:{}", scopes);
log.debug("updateScopeForClientIfNeeded() - All scopes:{}", scopes);

if (client.getScopes() != null) {
List<String> existingScopes = Arrays.asList(client.getScopes());
log.error("updateScopeForClientIfNeeded() - Clients existing scopes:{} ", existingScopes);
log.debug("updateScopeForClientIfNeeded() - Clients existing scopes:{} ", existingScopes);
if (scopes == null) {
scopes = new ArrayList<>();
}
Expand All @@ -234,16 +234,16 @@ private void updateScopeForClientIfNeeded(String clientId) {
// Distinct scopes
List<String> distinctScopes = (scopes == null ? Collections.emptyList()
: scopes.stream().distinct().collect(Collectors.toList()));
log.error("updateScopeForClientIfNeeded() - Distinct scopes to add:{} ", distinctScopes);
log.debug("updateScopeForClientIfNeeded() - Distinct scopes to add:{} ", distinctScopes);

String[] scopeArray = this.getAllScopesArray(distinctScopes);
log.error("All Scope to assign to client:{}", Arrays.asList(scopeArray));
log.debug("All Scope to assign to client:{}", Arrays.asList(scopeArray));

client.setScopes(scopeArray);
this.clientService.updateClient(client);
}
client = this.clientService.getClientByInum(clientId);
log.error(" Verify scopes post assignment, clientId:{}, scopes:{}", clientId,
log.debug(" Verify scopes post assignment, clientId:{}, scopes:{}", clientId,
Arrays.asList(client.getScopes()));
} catch (Exception ex) {
log.error("Error while searching internal client", ex);
Expand All @@ -257,14 +257,14 @@ private List<String> getAllScopes() {
// Verify in cache
Map<String, Scope> scopeMap = ApiProtectionCache.getAllTypesOfScopes();
Set<String> keys = scopeMap.keySet();
log.error(" All Scopes scopeMap:{}, keys:{}", scopeMap, keys);
log.debug(" All Scopes scopeMap:{}, keys:{}", scopeMap, keys);

for (String id : keys) {
Scope scope = scopeMap.get(id);
log.error(" All Scopes scopeMap:{}, keys:{}", scopeMap, keys);
log.trace(" All Scopes scopeMap:{}, keys:{}", scopeMap, keys);
scopes.add(scope.getInum());
}
log.error(" All Scopes being returned scopes:{}", scopes);
log.debug(" All Scopes being returned scopes:{}", scopes);
return scopes;
}

Expand Down
61 changes: 36 additions & 25 deletions ...i/server/src/main/java/io/jans/configapi/security/service/OpenIdAuthorizationService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,25 +120,26 @@ public String processAuthorization(String token, String issuer, ResourceInfo res

private String validateScope(String accessToken, List<String> tokenScopes, ResourceInfo resourceInfo, String issuer)
throws WebApplicationException {
logger.error("Validate scope, accessToken:{}, tokenScopes:{}, resourceInfo: {}, issuer: {}", accessToken,
logger.debug("Validate scope, accessToken:{}, tokenScopes:{}, resourceInfo: {}, issuer: {}", accessToken,
tokenScopes, resourceInfo, issuer);
try {
// Get resource scope
Map<ProtectionScopeType, List<String>> resourceScopesByType = getRequestedScopes(resourceInfo);
List<String> resourceScopes = getAllScopeList(resourceScopesByType);
logger.error("Validate scope, accessresourceScopesByType: {}, resourceScopes: {}", resourceScopesByType,
logger.debug("Validate scope, resourceScopesByType: {}, resourceScopes: {}", resourceScopesByType,
resourceScopes);

// find missing scopes
List<String> missingScopes = findMissingScopes(resourceScopesByType, tokenScopes);
logger.error("missingScopes:{}", missingScopes);
logger.debug("missingScopes:{}", missingScopes);

// Check if resource requires auth server specific scope
List<String> authSpecificScope = getAuthSpecificScopeRequired(resourceInfo);
logger.error(" resourceScopes:{}, authSpecificScope:{} ", resourceScopes, authSpecificScope);
logger.debug(" resourceScopes:{}, authSpecificScope:{} ", resourceScopes, authSpecificScope);

// If No auth scope required OR if token contains the authSpecificScope
if ((authSpecificScope == null || authSpecificScope.isEmpty())) {
logger.error("Validating token scopes as no authSpecificScope required");
logger.debug("Validating token scopes as no authSpecificScope required");
if ((missingScopes != null && !missingScopes.isEmpty())) {
logger.error("Insufficient scopes! Required scope:{} - however token scopes:{}", resourceScopes,
tokenScopes);
Expand All @@ -163,7 +164,7 @@ private String validateScope(String accessToken, List<String> tokenScopes, Resou
// Generate token with required resourceScopes
resourceScopes.addAll(authSpecificScope);
accessToken = openIdService.requestAccessToken(authUtil.getClientId(), resourceScopes);
logger.error("Introspecting new accessToken:{}", accessToken);
logger.debug("Introspecting new accessToken:{}", accessToken);

// Introspect
IntrospectionResponse introspectionResponse = openIdService
Expand All @@ -182,8 +183,8 @@ private String validateScope(String accessToken, List<String> tokenScopes, Resou
logger.info("Token scopes Valid Returning accessToken:{}", accessToken);
return AUTHENTICATION_SCHEME + accessToken;
} catch (Exception ex) {
if (log.isErrorEnabled()) {
log.error("oAuth authorization error:{} ", ex.getMessage());
if (logger.isErrorEnabled()) {
logger.error("oAuth authorization error:{} ", ex.getMessage());
}
throw new WebApplicationException("oAuth authorization error " + ex.getMessage(),
Response.status(Response.Status.INTERNAL_SERVER_ERROR).build());
Expand All @@ -205,44 +206,54 @@ private boolean externalAuthorization(String token, String issuer, String method
}

private List<String> findMissingScopes(Map<ProtectionScopeType, List<String>> scopeMap, List<String> tokenScopes) {
logger.error("Check scopeMap:{}, tokenScopes:{}", scopeMap, tokenScopes);
logger.debug("Check scopeMap:{}, tokenScopes:{}", scopeMap, tokenScopes);
List<String> scopeList = new ArrayList<>();
if (tokenScopes == null || tokenScopes.isEmpty() || scopeMap == null || scopeMap.isEmpty()) {
return scopeList;
}

for (Map.Entry<ProtectionScopeType, List<String>> entry : scopeMap.entrySet()) {
log.error("Get all entry.getKey():{}, entry.getValue():{} ", entry.getKey(), entry.getValue());
logger.error("Get all entry.getKey():{}, entry.getValue():{} ", entry.getKey(), entry.getValue());
}

// Super scope
scopeList = scopeMap.get(ProtectionScopeType.SUPER);
// find missing scopes
List<String> missingScopes = findMissingElements(scopeList, tokenScopes);
logger.error("SUPER Missing Scopes:{}", missingScopes);
logger.debug("SUPER Scopes:{}", scopeList);
List<String> missingScopes = null;

if (scopeList != null && !scopeList.isEmpty()) {
// find missing scopes
missingScopes = findMissingElements(scopeList, tokenScopes);
logger.debug("SUPER Missing Scopes:{}", missingScopes);

// Super scope present so no need to check other types of scope
if (missingScopes == null || missingScopes.isEmpty()) {
return missingScopes;
// Super scope present so no need to check other types of scope
if (missingScopes == null || missingScopes.isEmpty()) {
return missingScopes;
}
}

// Group scope present so no need to check normal scope presence
scopeList = scopeMap.get(ProtectionScopeType.GROUP);
// find missing scopes
missingScopes = findMissingElements(scopeList, tokenScopes);
logger.error("GROUP Missing Scopes:{}", missingScopes);
logger.debug("GROUP Scopes:{}", scopeList);
if (scopeList != null && !scopeList.isEmpty()) {
// find missing scopes
missingScopes = findMissingElements(scopeList, tokenScopes);
logger.debug("GROUP Missing Scopes:{}", missingScopes);

if (missingScopes == null || missingScopes.isEmpty()) {
return missingScopes;
if (missingScopes == null || missingScopes.isEmpty()) {
return missingScopes;
}
}

// Normal scope
scopeList = scopeMap.get(ProtectionScopeType.SCOPE);
// find missing scopes
missingScopes = findMissingElements(scopeList, tokenScopes);
logger.error("SCOPE Missing Scopes:{}", missingScopes);
logger.debug("SCOPE Scopes:{}", scopeList);
if (scopeList != null && !scopeList.isEmpty()) {
// find missing scopes
missingScopes = findMissingElements(scopeList, tokenScopes);
logger.debug("SCOPE Missing Scopes:{}", missingScopes);
}
return missingScopes;

}

}
Loading

0 comments on commit f7c1498

Please sign in to comment.