/**
 * Rejects the request when an equivalent pending request is already queued.
 *
 * <p>Looks up the pending requests recorded for this requesting user, resource set,
 * resource owner and realm. If any of them already covers every requested scope, the
 * request is treated as already submitted and {@code newRequestSubmittedException()} is
 * thrown so the caller does not queue a duplicate for the resource owner to approve.
 *
 * <p>The only normal exit is {@code return false}: this method either throws or returns
 * {@code false}, so a caller branching on a {@code true} result is taking a path that is
 * never reached with the current implementation.
 *
 * @param resourceSetId    the resource set being requested
 * @param resourceOwnerId  the owner of that resource set
 * @param realm            the realm the permission ticket was issued in
 * @param requestingUserId the user asking for access
 * @param scopes           the scopes requested via the permission ticket
 * @return {@code false} when no existing pending request covers {@code scopes}
 * @throws org.forgerock.openam.sm.datalayer.store.ServerException if the pending-request
 *         store cannot be queried
 * @throws UmaException if a pending request covering {@code scopes} already exists
 */
private boolean verifyPendingRequestDoesNotAlreadyExist(String resourceSetId, String resourceOwnerId,
        String realm, String requestingUserId, Set<String> scopes)
        throws org.forgerock.openam.sm.datalayer.store.ServerException, UmaException {
    Set<UmaPendingRequest> existing = pendingRequestsService.queryPendingRequests(
            resourceSetId, resourceOwnerId, requestingUserId, realm);
    // An empty result simply falls through the loop; no separate isEmpty() guard is needed.
    for (UmaPendingRequest existingRequest : existing) {
        // A pending request that already covers all requested scopes makes this one a duplicate.
        if (existingRequest.getScopes().containsAll(scopes)) {
            throw newRequestSubmittedException();
        }
    }
    return false;
}
/**
 * Handles a request for an RPT made with a permission ticket.
 *
 * <p>Processing order:
 * <ol>
 *   <li>resolve the UMA provider settings and read the permission ticket named in the body;</li>
 *   <li>reject an expired ticket with a 400 / expired-ticket error;</li>
 *   <li>delete the ticket from the token store <em>before</em> any decision is made, so it is
 *       single-use regardless of how the remaining steps turn out;</li>
 *   <li>audit the request, then either issue an RPT (200) when the requesting party is
 *       entitled, or record a pending request for the resource owner and fail with the
 *       "request submitted" error.</li>
 * </ol>
 *
 * <p>Points worth knowing when maintaining this method:
 * <ul>
 *   <li>{@code verifyPendingRequestDoesNotAlreadyExist} never returns {@code true} (it throws
 *       when a covering pending request exists), so the DENIED audit entry and the 403 thrown
 *       in that branch are currently unreachable.</li>
 *   <li>A storage {@code ServerException} raised while creating the pending request is
 *       surfaced as a 403 carrying the not-authorised error code, i.e. a backend failure is
 *       reported to the client as an authorisation failure; the underlying exception is only
 *       visible in the server log.</li>
 * </ul>
 *
 * @param entity the JSON request body holding the permission ticket
 * @return the RPT as a JSON representation when access is granted
 * @throws UmaException when the ticket has expired, when a pending request was submitted
 *         (or already existed), or when the pending request could not be stored
 */
@Post
public Representation requestAuthorization(JsonRepresentation entity)
        throws BadRequestException, UmaException, EntitlementException, ServerException, NotFoundException {
    UmaProviderSettings providerSettings = umaProviderSettingsFactory.get(getRequest());
    JsonValue body = json(toMap(entity));
    PermissionTicket ticket = getPermissionTicket(providerSettings.getUmaTokenStore(), body);
    final AccessToken apiToken = getAuthorisationApiToken();

    if (hasExpired(ticket)) {
        throw new UmaException(400, UmaConstants.EXPIRED_TICKET_ERROR_CODE,
                "The permission ticket has expired");
    }
    // Consume the ticket now: whatever happens below, it must not be presentable again.
    providerSettings.getUmaTokenStore().deletePermissionTicket(ticket.getId());

    final String requestingUserId = apiToken.getResourceOwnerId();
    final String resourceSetId = ticket.getResourceSetId();
    final Request request = getRequest();
    final String resourceOwnerId = getResourceOwnerId(resourceSetId);
    auditLogger.log(resourceSetId, resourceOwnerId, UmaAuditType.REQUEST, request, requestingUserId);

    if (isEntitled(providerSettings, ticket, apiToken)) {
        getResponse().setStatus(new Status(200));
        auditLogger.log(resourceSetId, resourceOwnerId, UmaAuditType.GRANTED, request, requestingUserId);
        return createJsonRpt(providerSettings.getUmaTokenStore(), ticket, apiToken);
    }

    // Not entitled: queue a pending request for the resource owner unless one already covers these scopes.
    try {
        // Always false today (the helper throws instead of returning true); kept for the existing contract.
        boolean denyOutright = verifyPendingRequestDoesNotAlreadyExist(resourceSetId, resourceOwnerId,
                ticket.getRealm(), requestingUserId, ticket.getScopes());
        if (!denyOutright) {
            pendingRequestsService.createPendingRequest(ServletUtils.getRequest(getRequest()), resourceSetId,
                    auditLogger.getResourceName(resourceSetId, request), resourceOwnerId, requestingUserId,
                    ticket.getRealm(), ticket.getScopes());
            auditLogger.log(resourceSetId, resourceOwnerId, UmaAuditType.REQUEST_SUBMITTED, request,
                    requestingUserId);
        } else {
            auditLogger.log(resourceSetId, resourceOwnerId, UmaAuditType.DENIED, request, requestingUserId);
            throw new UmaException(403, UmaConstants.NOT_AUTHORISED_ERROR_CODE,
                    "The client is not authorised to access the requested resource set");
        }
    } catch (org.forgerock.openam.sm.datalayer.store.ServerException e) {
        // Storage failure is logged with its cause here; the client only sees the generic 403 below.
        logger.error("Failed to create pending request", e);
        throw new UmaException(403, UmaConstants.NOT_AUTHORISED_ERROR_CODE, "Failed to create pending request");
    }
    // TODO not sure where "need_info" error fits in....
    throw newRequestSubmittedException();
}