  /**
   * Decides whether the requesting party behind {@code authorisationApiToken} may be issued an
   * RPT for the resource set named in {@code permissionTicket}.
   *
   * <p>The resource owner is always entitled to their own resource. Any other requesting party is
   * entitled only when the evaluated UMA policies yield a {@code true} action value for every
   * scope on the ticket; a ticket carrying no scopes therefore passes this check trivially.
   *
   * @param umaProviderSettings source of the policy evaluator for this realm
   * @param permissionTicket ticket naming the realm, resource set, client and requested scopes
   * @param authorisationApiToken token identifying the requesting party
   * @return {@code true} if every requested scope is granted, {@code false} otherwise
   * @throws ServerException if the resource set is not found (exactly one match is required)
   * @throws EntitlementException if policy evaluation fails
   */
  private boolean isEntitled(
      UmaProviderSettings umaProviderSettings,
      PermissionTicket permissionTicket,
      AccessToken authorisationApiToken)
      throws EntitlementException, ServerException {
    final String realm = permissionTicket.getRealm();
    final String resourceSetId = permissionTicket.getResourceSetId();

    final String resourceName;
    final Subject resourceOwnerSubject;
    try {
      ResourceSetStore resourceSetStore =
          oauth2ProviderSettingsFactory
              .get(requestFactory.create(getRequest()))
              .getResourceSetStore();
      Set<ResourceSetDescription> matches =
          resourceSetStore.query(
              org.forgerock.util.query.QueryFilter.equalTo(
                  ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
      // The lookup is by identifier, so anything other than a single hit is treated as missing.
      if (matches.size() != 1) {
        throw new NotFoundException("Could not find Resource Set, " + resourceSetId);
      }
      ResourceSetDescription resourceSet = matches.iterator().next();
      resourceName = UmaConstants.UMA_POLICY_SCHEME + resourceSet.getId();
      resourceOwnerSubject =
          UmaUtils.createSubject(createIdentity(resourceSet.getResourceOwnerId(), realm));
    } catch (NotFoundException e) {
      debug.message("Couldn't find resource that permission ticket is registered for", e);
      throw new ServerException("Couldn't find resource that permission ticket is registered for");
    }

    Subject requestingPartySubject =
        UmaUtils.createSubject(createIdentity(authorisationApiToken.getResourceOwnerId(), realm));

    // The owner of the resource never needs a policy to reach it.
    if (isRequestingPartyResourceOwner(requestingPartySubject, resourceOwnerSubject)) {
      return true;
    }

    String clientId = permissionTicket.getClientId().toLowerCase();
    List<Entitlement> entitlements =
        umaProviderSettings
            .getPolicyEvaluator(requestingPartySubject, clientId)
            .evaluate(realm, requestingPartySubject, resourceName, null, false);

    // Start from the full set of requested scopes and strike out each one a policy grants;
    // whatever is left is a scope nobody granted.
    Set<String> requestedScopes = permissionTicket.getScopes();
    Set<String> outstandingScopes = new HashSet<String>(requestedScopes);
    for (Entitlement entitlement : entitlements) {
      for (String scope : requestedScopes) {
        if (Boolean.TRUE.equals(entitlement.getActionValue(scope))) {
          outstandingScopes.remove(scope);
        }
      }
    }

    return outstandingScopes.isEmpty();
  }
  /**
   * UMA authorization request endpoint: exchanges a permission ticket for an RPT.
   *
   * <p>The ticket is deleted from the token store as soon as it has been loaded and found to be
   * unexpired, so it can be presented only once whatever the outcome. Every request is audited as
   * {@code REQUEST}; the outcome is then audited as {@code GRANTED}, {@code DENIED} or {@code
   * REQUEST_SUBMITTED}. A requesting party that is not entitled either gets a 403 or has a pending
   * request recorded for the resource owner to act on, depending on
   * {@code verifyPendingRequestDoesNotAlreadyExist}.
   *
   * @param entity JSON request body carrying the permission ticket
   * @return the RPT as a JSON representation, only when access is granted
   * @throws UmaException with 400 when the ticket has expired; with 403 when the request is
   *     denied or the pending request cannot be stored
   * @throws BadRequestException if the request body cannot be parsed into a permission ticket
   * @throws EntitlementException if policy evaluation fails
   * @throws ServerException if the resource set behind the ticket cannot be resolved
   * @throws NotFoundException if a referenced object cannot be found
   */
  @Post
  public Representation requestAuthorization(JsonRepresentation entity)
      throws BadRequestException, UmaException, EntitlementException, ServerException,
          NotFoundException {
    final UmaProviderSettings settings = umaProviderSettingsFactory.get(this.getRequest());
    final PermissionTicket ticket =
        getPermissionTicket(settings.getUmaTokenStore(), json(toMap(entity)));
    final AccessToken requestingPartyToken = getAuthorisationApiToken();

    // Note that an expired ticket is rejected but left in the store by this method.
    if (hasExpired(ticket)) {
      throw new UmaException(
          400, UmaConstants.EXPIRED_TICKET_ERROR_CODE, "The permission ticket has expired");
    }

    // One-shot ticket: drop it before evaluation so a replayed ticket fails at the lookup above.
    settings.getUmaTokenStore().deletePermissionTicket(ticket.getId());

    final String requestingUserId = requestingPartyToken.getResourceOwnerId();
    final String resourceSetId = ticket.getResourceSetId();
    final Request request = getRequest();
    final String resourceOwnerId = getResourceOwnerId(resourceSetId);

    auditLogger.log(
        resourceSetId, resourceOwnerId, UmaAuditType.REQUEST, request, requestingUserId);

    if (isEntitled(settings, ticket, requestingPartyToken)) {
      getResponse().setStatus(new Status(200));
      auditLogger.log(
          resourceSetId, resourceOwnerId, UmaAuditType.GRANTED, request, requestingUserId);
      return createJsonRpt(settings.getUmaTokenStore(), ticket, requestingPartyToken);
    }

    // Not entitled: either deny outright or park the request for the resource owner.
    try {
      // NOTE(review): the helper's name reads as the inverse of this branch — a true result is
      // treated as grounds to deny rather than submit; confirm against its implementation.
      if (verifyPendingRequestDoesNotAlreadyExist(
          resourceSetId,
          resourceOwnerId,
          ticket.getRealm(),
          requestingUserId,
          ticket.getScopes())) {
        auditLogger.log(
            resourceSetId, resourceOwnerId, UmaAuditType.DENIED, request, requestingUserId);
        throw new UmaException(
            403,
            UmaConstants.NOT_AUTHORISED_ERROR_CODE,
            "The client is not authorised to access the requested resource set");
      }
      pendingRequestsService.createPendingRequest(
          ServletUtils.getRequest(getRequest()),
          resourceSetId,
          auditLogger.getResourceName(resourceSetId, request),
          resourceOwnerId,
          requestingUserId,
          ticket.getRealm(),
          ticket.getScopes());
      auditLogger.log(
          resourceSetId,
          resourceOwnerId,
          UmaAuditType.REQUEST_SUBMITTED,
          request,
          requestingUserId);
    } catch (org.forgerock.openam.sm.datalayer.store.ServerException e) {
      // A storage failure is surfaced to the client as a plain denial, not as a server error.
      logger.error("Failed to create pending request", e);
      throw new UmaException(
          403, UmaConstants.NOT_AUTHORISED_ERROR_CODE, "Failed to create pending request");
    }
    throw newRequestSubmittedException();

    // TODO not sure where "need_info" error fits in....
  }