private boolean isEntitled(
UmaProviderSettings umaProviderSettings,
PermissionTicket permissionTicket,
AccessToken authorisationApiToken)
throws EntitlementException, ServerException {
String realm = permissionTicket.getRealm();
String resourceSetId = permissionTicket.getResourceSetId();
String resourceName = UmaConstants.UMA_POLICY_SCHEME;
Subject resourceOwnerSubject;
try {
ResourceSetStore store =
oauth2ProviderSettingsFactory
.get(requestFactory.create(getRequest()))
.getResourceSetStore();
Set<ResourceSetDescription> results =
store.query(
org.forgerock.util.query.QueryFilter.equalTo(
ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
if (results.size() != 1) {
throw new NotFoundException("Could not find Resource Set, " + resourceSetId);
}
resourceName += results.iterator().next().getId();
resourceOwnerSubject =
UmaUtils.createSubject(
createIdentity(results.iterator().next().getResourceOwnerId(), realm));
} catch (NotFoundException e) {
debug.message("Couldn't find resource that permission ticket is registered for", e);
throw new ServerException("Couldn't find resource that permission ticket is registered for");
}
Subject requestingPartySubject =
UmaUtils.createSubject(createIdentity(authorisationApiToken.getResourceOwnerId(), realm));
// Implicitly grant access to the resource owner
if (isRequestingPartyResourceOwner(requestingPartySubject, resourceOwnerSubject)) {
return true;
}
List<Entitlement> entitlements =
umaProviderSettings
.getPolicyEvaluator(
requestingPartySubject, permissionTicket.getClientId().toLowerCase())
.evaluate(realm, requestingPartySubject, resourceName, null, false);
Set<String> requestedScopes = permissionTicket.getScopes();
Set<String> requiredScopes = new HashSet<String>(requestedScopes);
for (Entitlement entitlement : entitlements) {
for (String requestedScope : requestedScopes) {
final Boolean actionValue = entitlement.getActionValue(requestedScope);
if (actionValue != null && actionValue) {
requiredScopes.remove(requestedScope);
}
}
}
return requiredScopes.isEmpty();
}
@Post
public Representation requestAuthorization(JsonRepresentation entity)
throws BadRequestException, UmaException, EntitlementException, ServerException,
NotFoundException {
UmaProviderSettings umaProviderSettings = umaProviderSettingsFactory.get(this.getRequest());
JsonValue requestBody = json(toMap(entity));
PermissionTicket permissionTicket =
getPermissionTicket(umaProviderSettings.getUmaTokenStore(), requestBody);
final AccessToken authorisationApiToken = getAuthorisationApiToken();
if (hasExpired(permissionTicket)) {
throw new UmaException(
400, UmaConstants.EXPIRED_TICKET_ERROR_CODE, "The permission ticket has expired");
}
// Remove permission ticket so it cannot be re-used
umaProviderSettings.getUmaTokenStore().deletePermissionTicket(permissionTicket.getId());
final String requestingUserId = authorisationApiToken.getResourceOwnerId();
final String resourceSetId = permissionTicket.getResourceSetId();
final Request request = getRequest();
final String resourceOwnerId = getResourceOwnerId(resourceSetId);
auditLogger.log(
resourceSetId, resourceOwnerId, UmaAuditType.REQUEST, request, requestingUserId);
if (isEntitled(umaProviderSettings, permissionTicket, authorisationApiToken)) {
getResponse().setStatus(new Status(200));
auditLogger.log(
resourceSetId, resourceOwnerId, UmaAuditType.GRANTED, request, requestingUserId);
return createJsonRpt(
umaProviderSettings.getUmaTokenStore(), permissionTicket, authorisationApiToken);
} else {
try {
if (verifyPendingRequestDoesNotAlreadyExist(
resourceSetId,
resourceOwnerId,
permissionTicket.getRealm(),
requestingUserId,
permissionTicket.getScopes())) {
auditLogger.log(
resourceSetId, resourceOwnerId, UmaAuditType.DENIED, request, requestingUserId);
throw new UmaException(
403,
UmaConstants.NOT_AUTHORISED_ERROR_CODE,
"The client is not authorised to access the requested resource set");
} else {
pendingRequestsService.createPendingRequest(
ServletUtils.getRequest(getRequest()),
resourceSetId,
auditLogger.getResourceName(resourceSetId, request),
resourceOwnerId,
requestingUserId,
permissionTicket.getRealm(),
permissionTicket.getScopes());
auditLogger.log(
resourceSetId,
resourceOwnerId,
UmaAuditType.REQUEST_SUBMITTED,
request,
requestingUserId);
}
} catch (org.forgerock.openam.sm.datalayer.store.ServerException e) {
logger.error("Failed to create pending request", e);
throw new UmaException(
403, UmaConstants.NOT_AUTHORISED_ERROR_CODE, "Failed to create pending request");
}
throw newRequestSubmittedException();
}
// TODO not sure where "need_info" error fits in....
}
private boolean hasExpired(PermissionTicket permissionTicket) {
return permissionTicket.getExpiryTime() < System.currentTimeMillis();
}
