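/**
 * Returns whether the token named in the request path belongs to the caller.
 *
 * <p>The token id is the path segment that {@link #extractIdFromUrl} reads at position
 * {@code index}. The stored token is then compared with the current security-context
 * authentication: the check passes when the token's client id equals the authenticated client id
 * (so any token issued to the caller's client counts as "self"), or when the token carries a user
 * id equal to the authenticated user id. A blank path or id, an unknown token id, or a token with
 * no client id and no matching user id all yield {@code false}.
 *
 * @param request the current request; its path supplies the token id
 * @param index position of the token id within the path, as understood by {@link #extractIdFromUrl}
 * @return {@code true} if the token was issued to the caller's client or user, else {@code false}
 */
public boolean isTokenRevocationForSelf(HttpServletRequest request, int index) {
  String pathInfo = UaaUrlUtils.getRequestPath(request);
  String tokenId = extractIdFromUrl(index, pathInfo);
  if (!hasText(pathInfo) || !hasText(tokenId)) {
    return false;
  }
  try {
    RevocableToken revocableToken = tokenProvisioning.retrieve(tokenId);

    // Client match. Guarded with hasText so a stored token without a client id cannot NPE
    // here (the original called equals() on it unconditionally) and simply does not match.
    String clientIdFromToken = revocableToken.getClientId();
    String clientIdFromAuthentication =
        extractClientIdFromAuthentication(SecurityContextHolder.getContext().getAuthentication());
    if (hasText(clientIdFromToken) && clientIdFromToken.equals(clientIdFromAuthentication)) {
      return true;
    }

    // User match. Only tokens that actually carry a user id can match a user.
    String userIdFromToken = revocableToken.getUserId();
    String userIdFromAuthentication =
        extractUserIdFromAuthentication(SecurityContextHolder.getContext().getAuthentication());
    return hasText(userIdFromToken) && userIdFromToken.equals(userIdFromAuthentication);
  } catch (EmptyResultDataAccessException x) {
    // Unknown id: "not self". The caller decides how to answer the request.
    logger.debug("Token not found:" + tokenId);
    return false;
  }
}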
/**
 * Returns whether the user id at path position 4 of the request is the authenticated user's id.
 *
 * <p>A request whose authentication yields no user id never matches, so an unauthenticated
 * caller cannot list another principal's tokens through this check.
 *
 * @param request the current request; its path supplies the requested user id
 * @return {@code true} when the path user id equals the authenticated user id
 */
public boolean isTokenListForAuthenticatedUser(HttpServletRequest request) {
  String requestedUserId = extractIdFromUrl(4, UaaUrlUtils.getRequestPath(request));
  String authenticatedUserId =
      extractUserIdFromAuthentication(SecurityContextHolder.getContext().getAuthentication());
  if (!hasText(authenticatedUserId)) {
    return false;
  }
  return authenticatedUserId.equals(requestedUserId);
}
/**
 * Returns whether the client id in the request path is the client the caller is authenticated as.
 *
 * <p>A blank path id never matches; a caller with no client id in its authentication matches
 * nothing because the comparison is driven from the path side.
 *
 * @param request the current request; its path supplies the client id
 * @param index position of the client id within the path, as understood by {@link #extractIdFromUrl}
 * @return {@code true} when the path client id equals the authenticated client id
 */
public boolean isClientTokenRevocationForSelf(HttpServletRequest request, int index) {
  String requestedClientId = extractIdFromUrl(index, UaaUrlUtils.getRequestPath(request));
  String authenticatedClientId =
      extractClientIdFromAuthentication(SecurityContextHolder.getContext().getAuthentication());
  if (!hasText(requestedClientId)) {
    return false;
  }
  return requestedClientId.equals(authenticatedClientId);
}
/**
 * Returns whether the user id in the request path is the authenticated user's id.
 *
 * <p>Unlike {@link #isTokenListForAuthenticatedUser} this only requires the authenticated id to
 * be non-null, not non-blank; the path position is supplied by the caller.
 *
 * @param request the current request; its path supplies the user id
 * @param pathParameterIndex position of the user id within the path
 * @return {@code true} when the path user id equals the authenticated user id
 */
public boolean isUserSelf(HttpServletRequest request, int pathParameterIndex) {
  String requestedUserId = extractIdFromUrl(pathParameterIndex, UaaUrlUtils.getRequestPath(request));
  String authenticatedUserId =
      extractUserIdFromAuthentication(SecurityContextHolder.getContext().getAuthentication());
  if (authenticatedUserId == null) {
    return false;
  }
  return authenticatedUserId.equals(requestedUserId);
}
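/**
 * Invites one or more users by e-mail, issuing each a single-use invitation link.
 *
 * <p>For every address in the request, the active identity providers of the current zone are
 * filtered by the inviting client and the address; exactly one matching provider is required. The
 * user is then found or created for that provider and an invitation link carrying a time-limited
 * code is returned. Failures are reported per address in the response instead of aborting the
 * whole request.
 *
 * @param invitations the addresses to invite
 * @param clientId the inviting client; when omitted it is taken from the OAuth2 authentication.
 *     NOTE(review): if neither is present {@code loadClientByClientId(null)} is reached — confirm
 *     that call rejects a null id rather than resolving a default client.
 * @param redirectUri where the invitee is sent after accepting. It is stored in the code data
 *     exactly as received; presumably validated against the client's registered redirect URIs
 *     where the code is consumed — verify, since it is not checked here.
 * @return 200 with the successful and failed invites listed separately
 */
@RequestMapping(
    value = "/invite_users",
    method = RequestMethod.POST,
    consumes = "application/json")
public ResponseEntity<InvitationsResponse> inviteUsers(
    @RequestBody InvitationsRequest invitations,
    @RequestParam(value = "client_id", required = false) String clientId,
    @RequestParam(value = "redirect_uri") String redirectUri) {
  Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
  if (clientId == null && authentication instanceof OAuth2Authentication) {
    // No explicit client_id: fall back to the client the caller authenticated as.
    clientId = ((OAuth2Authentication) authentication).getOAuth2Request().getClientId();
  }

  InvitationsResponse invitationsResponse = new InvitationsResponse();
  DomainFilter filter = new DomainFilter();
  List<IdentityProvider> activeProviders =
      providers.retrieveActive(IdentityZoneHolder.get().getId());
  ClientDetails client = clients.loadClientByClientId(clientId);

  for (String email : invitations.getEmails()) {
    try {
      // Named to avoid shadowing the `providers` field used above.
      List<IdentityProvider> matchingProviders = filter.filter(activeProviders, client, email);
      if (matchingProviders.size() == 1) {
        inviteViaProvider(email, matchingProviders.get(0), clientId, redirectUri, invitationsResponse);
      } else if (matchingProviders.isEmpty()) {
        invitationsResponse
            .getFailedInvites()
            .add(
                InvitationsResponse.failure(
                    email, "provider.non-existent", "No authentication provider found."));
      } else {
        invitationsResponse
            .getFailedInvites()
            .add(
                InvitationsResponse.failure(
                    email, "provider.ambiguous", "Multiple authentication providers found."));
      }
    } catch (ScimResourceConflictException x) {
      invitationsResponse
          .getFailedInvites()
          .add(
              InvitationsResponse.failure(
                  email,
                  "user.ambiguous",
                  "Multiple users with the same origin matched to the email address."));
    } catch (UaaException uaae) {
      // Any other failure for this address is reported to the inviter and the loop continues.
      invitationsResponse
          .getFailedInvites()
          .add(InvitationsResponse.failure(email, "invitation.exception", uaae.getMessage()));
    }
  }
  return new ResponseEntity<>(invitationsResponse, HttpStatus.OK);
}

/**
 * Finds or creates the user for {@code provider}, mints an expiring invitation code for it and
 * records the outcome (success with the link, or a URL failure) on {@code invitationsResponse}.
 * Exceptions from user lookup/creation and code generation propagate to the caller's per-address
 * handling.
 */
private void inviteViaProvider(
    String email,
    IdentityProvider provider,
    String clientId,
    String redirectUri,
    InvitationsResponse invitationsResponse) {
  ScimUser user = findOrCreateUser(email, provider.getOriginKey());
  String accountsUrl = UaaUrlUtils.getUaaUrl("/invitations/accept");

  Map<String, String> data = new HashMap<>();
  data.put(InvitationConstants.USER_ID, user.getId());
  data.put(InvitationConstants.EMAIL, user.getPrimaryEmail());
  data.put(CLIENT_ID, clientId);
  data.put(REDIRECT_URI, redirectUri);
  data.put(ORIGIN, user.getOrigin());

  // 24L forces long arithmetic so a large day count cannot overflow int before the multiply.
  Timestamp expiry =
      new Timestamp(System.currentTimeMillis() + INVITATION_EXPIRY_DAYS * 24L * 60 * 60 * 1000);
  ExpiringCode code =
      expiringCodeStore.generateCode(JsonUtils.writeValueAsString(data), expiry, null);
  String invitationLink = accountsUrl + "?code=" + code.getCode();
  try {
    URL inviteLink = new URL(invitationLink);
    invitationsResponse
        .getNewInvites()
        .add(
            InvitationsResponse.success(
                user.getPrimaryEmail(), user.getId(), user.getOrigin(), inviteLink));
  } catch (MalformedURLException mue) {
    // The previous format string had no placeholder, so the offending link was never reported.
    invitationsResponse
        .getFailedInvites()
        .add(
            InvitationsResponse.failure(
                email, "invitation.exception.url", String.format("Malformed url %s", invitationLink)));
  }
}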
/**
 * Returns the path variable at {@code pathParameterIndex} of {@code pathInfo}.
 *
 * @param pathParameterIndex position of the variable within the path
 * @param pathInfo the request path; may be null or blank
 * @return the extracted variable, or {@code null} when {@code pathInfo} has no text
 */
protected String extractIdFromUrl(int pathParameterIndex, String pathInfo) {
  return hasText(pathInfo)
      ? UaaUrlUtils.extractPathVariableFromUrl(pathParameterIndex, pathInfo)
      : null;
}