/*
Alice has removed Dave's rights to EDIT, so EDIT needs removing from the
active Dave -> Ed policy, and adding to an inactive policy.
*/
@Test
public void shouldRemoveLostRights() throws Exception {
// Given
List<Resource> policies = excludePolicies(DAVE, ED);
policies.add(makePolicy(DAVE, ED, true, VIEW, DELETE, EDIT));
PolicyGraph graph = makePolicyGraph(policies);
graph.computeGraph();
given(resourceSetStore.read(anyString()))
.willReturn(new ResourceSetDescription(RESOURCE_SET_ID, "RESOURCE_SERVER_ID", ALICE, null));
given(delegate.updatePolicies(isNull(ServerContext.class), anySet()))
.willReturn(
Promises.<List<Resource>, ResourceException>newResultPromise(
Collections.<Resource>emptyList()));
given(delegate.createPolicies(isNull(ServerContext.class), anySet()))
.willReturn(
Promises.<List<Resource>, ResourceException>newResultPromise(
Collections.<Resource>emptyList()));
// When
Promise<List<List<Resource>>, ResourceException> promise = graph.update(null, delegate);
// Then
AssertJPromiseAssert.assertThat(promise).succeeded();
JsonValue created = policyCreated();
assertThat(UmaPolicyUtils.getPolicyScopes(created)).containsOnly(EDIT);
assertThat(created.get("active").asBoolean()).isFalse();
assertThat(UmaPolicyUtils.getPolicyScopes(policyUpdated())).containsOnly(VIEW, DELETE);
verifyNoMoreInteractions(delegate);
}
/*
Dave had previously re-shared VIEW scope to ED, but that was made invalid when
he lost that scope himself. He has been re-granted that scope so the VIEW scope
should move the active policy and the empty inactive policy should be deleted.
*/
@Test
public void shouldUpdateInvalidRightsTree() throws Exception {
// Given
List<Resource> policies = excludePolicies(DAVE, ED);
policies.add(makePolicy(DAVE, ED, true, DELETE));
policies.add(makePolicy(DAVE, ED, false, VIEW));
PolicyGraph graph = makePolicyGraph(policies);
graph.computeGraph();
given(delegate.updatePolicies(isNull(ServerContext.class), anySet()))
.willReturn(
Promises.<List<Resource>, ResourceException>newResultPromise(
Collections.<Resource>emptyList()));
given(delegate.deletePolicies(isNull(ServerContext.class), anySet()))
.willReturn(
Promises.<List<Resource>, ResourceException>newResultPromise(
Collections.<Resource>emptyList()));
// When
Promise<List<List<Resource>>, ResourceException> promise = graph.update(null, delegate);
// Then
AssertJPromiseAssert.assertThat(promise).succeeded();
assertThat(UmaPolicyUtils.getPolicyScopes(policyUpdated())).containsOnly(VIEW, DELETE);
assertThat(policyDeleted()).isEqualTo("Dave-Ed-false");
verifyNoMoreInteractions(delegate);
}
@Test
public void crestActionBlowupIsAllowed() throws SSOException, DelegationException {
// Given...
final Set<String> actions = new HashSet<>(Arrays.asList("MODIFY"));
final DelegationPermission permission =
new DelegationPermission(
"/abc", "rest", "1.0", "policies", "destroy", actions, EXTENSIONS, DUMB_FUNC);
given(factory.newInstance("/abc", "rest", "1.0", "policies", "destroy", actions, EXTENSIONS))
.willReturn(permission);
given(subjectContext.getCallerSSOToken()).willReturn(token);
given(evaluator.isAllowed(eq(token), eq(permission), eq(ENVIRONMENT))).willReturn(true);
JsonValue jsonValue = json(object(field("someKey", "someValue")));
Promise<ActionResponse, ResourceException> promise =
Promises.newResultPromise(Responses.newActionResponse(jsonValue));
given(provider.actionCollection(isA(Context.class), isA(ActionRequest.class)))
.willReturn(promise);
// When...
final FilterChain chain = AuthorizationFilters.createAuthorizationFilter(provider, module);
final Router router = new Router();
router.addRoute(RoutingMode.STARTS_WITH, Router.uriTemplate("/policies"), chain);
final RealmContext context = new RealmContext(subjectContext);
context.setSubRealm("abc", "abc");
final ActionRequest request = Requests.newActionRequest("/policies", "blowup");
Promise<ActionResponse, ResourceException> result = router.handleAction(context, request);
// Then...
assertThat(result).succeeded().withContent().stringAt("someKey").isEqualTo("someValue");
}
// 1st time called: Mock a 401 (Unauthorized status) response
@Override
public Promise<Response, NeverThrowsException> answer(InvocationOnMock invocation)
throws Throwable {
Response response = new Response();
response.setStatus(Status.UNAUTHORIZED);
response.getHeaders().putSingle(AUTHENTICATE_HEADER, "Basic realm=\"Login\"");
return Promises.newResultPromise(response);
}
@Override
public Promise<Response, NeverThrowsException> handle(Context context, Request request) {
try {
latch2.countDown();
latch1.await();
return null;
} catch (InterruptedException e) {
return Promises.newResultPromise(new Response(Status.INTERNAL_SERVER_ERROR));
}
}
@Override
public Promise<Response, NeverThrowsException> answer(InvocationOnMock invocation)
throws Throwable {
Request request = (Request) invocation.getArguments()[1];
// Verify the authorization header: base64(user:pass)
assertThat(request.getHeaders().getFirst(AUTHORIZATION_HEADER))
.isEqualTo("Basic " + credentials);
// Produce a valid response, no special headers are required
Response response = new Response();
response.setStatus(Status.OK);
return Promises.newResultPromise(response);
}
/** {@inheritDoc} */
@Override
public Promise<AuthorizationResult, ResourceException> authorizeCreate(
Context context, CreateRequest request) {
try {
if (!getUserId(context).equalsIgnoreCase(getUserIdFromUri(context))) {
return Promises.newResultPromise(
AuthorizationResult.accessDenied(
"Only resource owner of resource set can create UMA " + "policies for it."));
} else {
return authorize(context);
}
} catch (ResourceException e) {
return e.asPromise();
}
}
private Promise<AuthStatus, AuthenticationException> validateRequest(
final MessageInfoContext messageInfo,
final Subject clientSubject,
final Subject serviceSubject) {
if (position < authModules.size()) {
final AsyncServerAuthModule authModule = authModules.get(position);
return authModule
.validateRequest(messageInfo, clientSubject, serviceSubject)
.thenOnResult(
new ResultHandler<AuthStatus>() {
@Override
public void handleResult(AuthStatus authStatus) {
if (isSuccess(authStatus)) {
/*
* Save the index of the authenticating module so that it can
* be retrieved when securing the response
*/
logger.trace(
"Adding authenticating auth module to private context map, {}",
authModule.getClass().getSimpleName());
state.setAuthenticatedAuthModuleIndex(position);
}
}
})
.thenAsync(
new AsyncFunction<AuthStatus, AuthStatus, AuthenticationException>() {
@Override
public Promise<AuthStatus, AuthenticationException> apply(AuthStatus authStatus) {
if (isSendFailure(authStatus)) {
return next().validateRequest(messageInfo, clientSubject, serviceSubject);
} else {
return Promises.newResultPromise(authStatus);
}
}
});
} else {
return Promises.newResultPromise(AuthStatus.SEND_FAILURE);
}
}
/*
Dave had removed Ed's ability to DELETE, so Ed's resharing policy to Bob had been
made inactive. Dave has re-granted Ed's DELETE, so the inactive policy can be made
active again.
*/
@Test
public void shouldSwitchAllScopesInvalid() throws Exception {
// Given
List<Resource> policies = excludePolicies(ED, BOB);
policies.add(makePolicy(ED, BOB, false, DELETE));
PolicyGraph graph = makePolicyGraph(policies);
graph.computeGraph();
given(delegate.updatePolicies(isNull(ServerContext.class), anySet()))
.willReturn(
Promises.<List<Resource>, ResourceException>newResultPromise(
Collections.<Resource>emptyList()));
// When
Promise<List<List<Resource>>, ResourceException> promise = graph.update(null, delegate);
// Then
AssertJPromiseAssert.assertThat(promise).succeeded();
assertThat(policyUpdated().get("active").asBoolean()).isTrue();
verifyNoMoreInteractions(delegate);
}
/**
* Allows users to query OAuth2 applications that they have given their consent access to and that
* have active access and/or refresh tokens.
*
* <p>Applications consist of an id, a name (the client id), a set of scopes and an expiry time.
* The scopes field is the union of the scopes of the individual access/refresh tokens. The expiry
* time is the time when the last access/refresh token will expire, or null if the server is
* configured to allow tokens to be refreshed indefinitely.
*
* @param context The request context.
* @param queryHandler The query handler.
* @param request Unused but necessary for used of the {@link @Query} annotation.
* @return A promise of a query response.
*/
@Query
public Promise<QueryResponse, ResourceException> query(
Context context, QueryResourceHandler queryHandler, QueryRequest request) {
String userId = contextHelper.getUserId(context);
String realm = contextHelper.getRealm(context);
try {
QueryFilter<CoreTokenField> queryFilter = getQueryFilter(userId, realm);
JsonValue tokens = tokenStore.query(queryFilter);
Map<String, Set<JsonValue>> applicationTokensMap = new HashMap<>();
for (JsonValue token : tokens) {
String clientId = getAttributeValue(token, CLIENT_ID.getOAuthField());
Set<JsonValue> applicationTokens = applicationTokensMap.get(clientId);
if (applicationTokens == null) {
applicationTokens = new HashSet<>();
applicationTokensMap.put(clientId, applicationTokens);
}
applicationTokens.add(token);
}
for (Map.Entry<String, Set<JsonValue>> applicationTokens : applicationTokensMap.entrySet()) {
ResourceResponse resource =
getResourceResponse(context, applicationTokens.getKey(), applicationTokens.getValue());
queryHandler.handleResource(resource);
}
return Promises.newResultPromise(Responses.newQueryResponse());
} catch (CoreTokenException | ServerException | InvalidClientException | NotFoundException e) {
debug.message("Failed to query OAuth2 clients for user {}", userId, e);
return new InternalServerErrorException(e).asPromise();
} catch (InternalServerErrorException e) {
debug.message("Failed to query OAuth2 clients for user {}", userId, e);
return e.asPromise();
}
}
@Test
public void crestQueryIsAllowed() throws SSOException, DelegationException, ResourceException {
// Given...
final Set<String> actions = new HashSet<>(Arrays.asList("READ"));
final DelegationPermission permission =
new DelegationPermission(
"/abc", "rest", "1.0", "policies", "read", actions, EXTENSIONS, DUMB_FUNC);
given(factory.newInstance("/abc", "rest", "1.0", "policies", "read", actions, EXTENSIONS))
.willReturn(permission);
given(subjectContext.getCallerSSOToken()).willReturn(token);
given(evaluator.isAllowed(eq(token), eq(permission), eq(ENVIRONMENT))).willReturn(true);
QueryResourceHandler handler = mock(QueryResourceHandler.class);
Promise<QueryResponse, ResourceException> promise =
Promises.newResultPromise(Responses.newQueryResponse("abc-def"));
given(
provider.queryCollection(
isA(Context.class), isA(QueryRequest.class), isA(QueryResourceHandler.class)))
.willReturn(promise);
// When...
final FilterChain chain = AuthorizationFilters.createAuthorizationFilter(provider, module);
final Router router = new Router();
router.addRoute(RoutingMode.STARTS_WITH, Router.uriTemplate("/policies"), chain);
final RealmContext context = new RealmContext(subjectContext);
context.setSubRealm("abc", "abc");
final QueryRequest request = Requests.newQueryRequest("/policies");
Promise<QueryResponse, ResourceException> result =
router.handleQuery(context, request, handler);
// Then...
QueryResponse response = result.getOrThrowUninterruptibly();
assertThat(response.getPagedResultsCookie()).isEqualTo("abc-def");
}
@Override
public Promise<Response, NeverThrowsException> handle(
final Context context, final Request request) {
return Promises.newResultPromise(response);
}
