@Test
public void shouldQueryResourceSetToken() throws Exception {
// Given
Map<String, Object> queryParameters = new HashMap<String, Object>();
queryParameters.put(ResourceSetTokenField.CLIENT_ID, "CLIENT_ID");
ResourceSetDescription resourceSet1 =
new ResourceSetDescription(
"123", "CLIENT_ID", "RESOURCE_OWNER_ID", Collections.<String, Object>emptyMap());
ResourceSetDescription resourceSet2 =
new ResourceSetDescription(
"456", "CLIENT_ID", "RESOURCE_OWNER_ID", Collections.<String, Object>emptyMap());
given(dataStore.query(Matchers.<QueryFilter<String>>anyObject()))
.willReturn(asSet(resourceSet1, resourceSet2));
resourceSet1.setRealm("REALM");
resourceSet2.setRealm("REALM");
// When
QueryFilter<String> query = QueryFilter.alwaysTrue();
Set<ResourceSetDescription> resourceSetDescriptions = store.query(query);
// Then
assertThat(resourceSetDescriptions).contains(resourceSet1, resourceSet2);
ArgumentCaptor<QueryFilter> tokenFilterCaptor = ArgumentCaptor.forClass(QueryFilter.class);
verify(dataStore).query(tokenFilterCaptor.capture());
assertThat(tokenFilterCaptor.getValue())
.isEqualTo(
QueryFilter.and(query, QueryFilter.equalTo(ResourceSetTokenField.REALM, "REALM")));
}
@Test
public void shouldReadResourceSetToken() throws Exception {
// Given
ResourceSetDescription resourceSetDescription =
new ResourceSetDescription(
"RESOURCE_SET_ID",
"CLIENT_ID",
"RESOURCE_OWNER_ID",
Collections.<String, Object>emptyMap());
given(
dataStore.query(
QueryFilter.and(
QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, "RESOURCE_SET_ID"),
QueryFilter.equalTo(ResourceSetTokenField.REALM, "REALM"))))
.willReturn(Collections.singleton(resourceSetDescription));
// When
ResourceSetDescription readResourceSetDescription =
store.read("RESOURCE_SET_ID", "RESOURCE_OWNER_ID");
// Then
assertThat(readResourceSetDescription).isEqualTo(readResourceSetDescription);
}
@Test
public void shouldDeleteResourceSetToken() throws Exception {
// Given
ResourceSetDescription resourceSetDescription =
new ResourceSetDescription(
"RESOURCE_SET_ID",
"CLIENT_ID",
"RESOURCE_OWNER_ID",
Collections.<String, Object>emptyMap());
resourceSetDescription.setRealm("REALM");
given(
dataStore.query(
QueryFilter.and(
QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, "RESOURCE_SET_ID"),
QueryFilter.equalTo(ResourceSetTokenField.REALM, "REALM"))))
.willReturn(Collections.singleton(resourceSetDescription));
// When
store.delete("RESOURCE_SET_ID", "RESOURCE_OWNER_ID");
// Then
verify(dataStore).delete("RESOURCE_SET_ID");
}
/**
* Queries relationships, returning the relationship associated with this providers resource path
* and the specified relationship field.
*
* @param context The current context
* @param managedObjectId The id of the managed object to find relationships associated with
* @return
*/
private Promise<ResourceResponse, ResourceException> queryRelationship(
final Context context, final String managedObjectId) {
try {
final QueryRequest queryRequest = Requests.newQueryRequest(REPO_RESOURCE_PATH);
final List<ResourceResponse> relationships = new ArrayList<>();
queryRequest.setQueryFilter(
QueryFilter.and(
QueryFilter.equalTo(
new JsonPointer(isReverse ? REPO_FIELD_SECOND_ID : REPO_FIELD_FIRST_ID),
resourcePath.child(managedObjectId)),
QueryFilter.equalTo(new JsonPointer(REPO_FIELD_FIRST_PROPERTY_NAME), propertyName)));
connectionFactory.getConnection().query(context, queryRequest, relationships);
if (relationships.isEmpty()) {
return new NotFoundException().asPromise();
} else {
// TODO OPENIDM-4094 - check size and throw illegal state if more than one?
return newResultPromise(FORMAT_RESPONSE.apply(relationships.get(0)));
}
} catch (ResourceException e) {
return e.asPromise();
}
}
@Override
public QueryFilter<CoreTokenField> visitAndFilter(
Void aVoid, List<QueryFilter<JsonPointer>> subFilters) {
List<QueryFilter<CoreTokenField>> subCoreTokenFieldFilters =
new ArrayList<>(subFilters.size());
for (QueryFilter<JsonPointer> filter : subFilters) {
subCoreTokenFieldFilters.add(filter.accept(this, aVoid));
}
return QueryFilter.and(subCoreTokenFieldFilters);
}
@Test
public void nameQueryShouldBeSupported() throws Exception {
// Given
ServerContext context = mock(ServerContext.class);
QueryRequest request = mock(QueryRequest.class);
given(request.getFields()).willReturn(Arrays.asList(new JsonPointer("/fred")));
QueryResultHandler handler = mock(QueryResultHandler.class);
ResourceSetDescription resourceSet = mock(ResourceSetDescription.class);
QueryFilter queryFilter =
QueryFilter.and(
QueryFilter.equalTo("/name", "NAME"),
QueryFilter.equalTo("/resourceServer", "myclient"),
QueryFilter.equalTo("/policy/permissions/subject", "SUBJECT"));
Promise<Collection<ResourceSetDescription>, ResourceException> resourceSetsPromise =
Promises.newSuccessfulPromise((Collection<ResourceSetDescription>) asSet(resourceSet));
given(contextHelper.getRealm(context)).willReturn("REALM");
given(contextHelper.getUserId(context)).willReturn("RESOURCE_OWNER_ID");
given(request.getQueryFilter()).willReturn(queryFilter);
given(
resourceSetService.getResourceSets(
eq(context),
eq("REALM"),
Matchers.<ResourceSetWithPolicyQuery>anyObject(),
eq("RESOURCE_OWNER_ID"),
eq(false)))
.willReturn(resourceSetsPromise);
// When
resource.queryCollection(context, request, handler);
// Then
ArgumentCaptor<ResourceSetWithPolicyQuery> queryCaptor =
ArgumentCaptor.forClass(ResourceSetWithPolicyQuery.class);
verify(resourceSetService)
.getResourceSets(
eq(context), eq("REALM"), queryCaptor.capture(), eq("RESOURCE_OWNER_ID"), eq(false));
assertThat(queryCaptor.getValue().getOperator()).isEqualTo(AggregateQuery.Operator.AND);
assertThat(queryCaptor.getValue().getPolicyQuery())
.isEqualTo(QueryFilter.equalTo("/permissions/subject", "SUBJECT"));
assertThat(queryCaptor.getValue().getResourceSetQuery())
.isEqualTo(
org.forgerock.util.query.QueryFilter.and(
org.forgerock.util.query.QueryFilter.equalTo("name", "NAME"),
org.forgerock.util.query.QueryFilter.equalTo("clientId", "myclient")));
verify(handler).handleResult(any(QueryResult.class));
}
private QueryFilter<CoreTokenField> convertToCoreTokenFieldQueryFilter(
QueryFilter<JsonPointer> queryFilter) throws CTSTokenPersistenceException {
try {
return queryFilter.accept(CORE_TOKEN_FIELD_QUERY_FILTER_VISITOR, null);
} catch (IllegalArgumentException e) {
throw new CTSTokenPersistenceException(ResourceException.BAD_REQUEST, e.getMessage(), e);
}
}
@Override
public QueryFilter<CoreTokenField> visitEqualsFilter(
Void aVoid, JsonPointer field, Object valueAssertion) {
final String fieldString = field.toString().substring(1);
if (STSIssuedTokenState.STS_ID_QUERY_ATTRIBUTE.equals(fieldString)) {
return QueryFilter.equalTo(
CTSTokenPersistence.CTS_TOKEN_FIELD_STS_ID, valueAssertion);
} else if (STSIssuedTokenState.STS_TOKEN_PRINCIPAL_QUERY_ATTRIBUTE.equals(
fieldString)) {
return QueryFilter.equalTo(CoreTokenField.USER_ID, valueAssertion);
} else {
throw new IllegalArgumentException(
"Querying TokenService on field "
+ fieldString
+ " not supported. Query format: "
+ getUsageString());
}
}
private boolean isEntitled(
UmaProviderSettings umaProviderSettings,
PermissionTicket permissionTicket,
AccessToken authorisationApiToken)
throws EntitlementException, ServerException {
String realm = permissionTicket.getRealm();
String resourceSetId = permissionTicket.getResourceSetId();
String resourceName = UmaConstants.UMA_POLICY_SCHEME;
Subject resourceOwnerSubject;
try {
ResourceSetStore store =
oauth2ProviderSettingsFactory
.get(requestFactory.create(getRequest()))
.getResourceSetStore();
Set<ResourceSetDescription> results =
store.query(
org.forgerock.util.query.QueryFilter.equalTo(
ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
if (results.size() != 1) {
throw new NotFoundException("Could not find Resource Set, " + resourceSetId);
}
resourceName += results.iterator().next().getId();
resourceOwnerSubject =
UmaUtils.createSubject(
createIdentity(results.iterator().next().getResourceOwnerId(), realm));
} catch (NotFoundException e) {
debug.message("Couldn't find resource that permission ticket is registered for", e);
throw new ServerException("Couldn't find resource that permission ticket is registered for");
}
Subject requestingPartySubject =
UmaUtils.createSubject(createIdentity(authorisationApiToken.getResourceOwnerId(), realm));
// Implicitly grant access to the resource owner
if (isRequestingPartyResourceOwner(requestingPartySubject, resourceOwnerSubject)) {
return true;
}
List<Entitlement> entitlements =
umaProviderSettings
.getPolicyEvaluator(
requestingPartySubject, permissionTicket.getClientId().toLowerCase())
.evaluate(realm, requestingPartySubject, resourceName, null, false);
Set<String> requestedScopes = permissionTicket.getScopes();
Set<String> requiredScopes = new HashSet<String>(requestedScopes);
for (Entitlement entitlement : entitlements) {
for (String requestedScope : requestedScopes) {
final Boolean actionValue = entitlement.getActionValue(requestedScope);
if (actionValue != null && actionValue) {
requiredScopes.remove(requestedScope);
}
}
}
return requiredScopes.isEmpty();
}
private ResourceSetDescription getResourceSet(
String resourceSetId, OAuth2ProviderSettings providerSettings) throws UmaException {
try {
ResourceSetStore store = providerSettings.getResourceSetStore();
Set<ResourceSetDescription> results =
store.query(
org.forgerock.util.query.QueryFilter.equalTo(
ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
if (results.size() != 1) {
throw new UmaException(
400, "invalid_resource_set_id", "Could not fing Resource Set, " + resourceSetId);
}
return results.iterator().next();
} catch (ServerException e) {
throw new UmaException(400, "invalid_resource_set_id", e.getMessage());
}
}
