/*******************************************************************************
* Copyright 2014 The MITRE Corporation
* and the MIT Kerberos and Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
******************************************************************************/
/**
*
*/
package org.mitre.oauth2.web;
import java.security.Principal;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.SystemScope;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.model.UserInfo;
import org.mitre.openid.connect.service.ScopeClaimTranslationService;
import org.mitre.openid.connect.service.StatsService;
import org.mitre.openid.connect.service.UserInfoService;
import org.mitre.openid.connect.view.HttpCodeView;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import com.google.common.base.Joiner;
import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.collect.Sets;
import com.google.gson.JsonObject;
/**
* @author jricher
*
*/
@Controller
@SessionAttributes("authorizationRequest")
public class OAuthConfirmationController {
@Autowired
private ClientDetailsEntityService clientService;
@Autowired
private SystemScopeService scopeService;
@Autowired
private ScopeClaimTranslationService scopeClaimTranslationService;
@Autowired
private UserInfoService userInfoService;
@Autowired
private StatsService statsService;
private static Logger logger = LoggerFactory.getLogger(OAuthConfirmationController.class);
public OAuthConfirmationController() {
}
public OAuthConfirmationController(ClientDetailsEntityService clientService) {
this.clientService = clientService;
}
@PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping("/oauth/confirm_access")
public String confimAccess(Map<String, Object> model, @ModelAttribute("authorizationRequest") AuthorizationRequest authRequest,
Principal p) {
// Check the "prompt" parameter to see if we need to do special processing
String prompt = (String)authRequest.getExtensions().get("prompt");
List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));
if (prompts.contains("none")) {
// we're not supposed to prompt, so "return an error"
logger.info("Client requested no prompt, returning 403 from confirmation endpoint");
model.put("code", HttpStatus.FORBIDDEN);
return HttpCodeView.VIEWNAME;
}
//AuthorizationRequest clientAuth = (AuthorizationRequest) model.remove("authorizationRequest");
ClientDetailsEntity client = null;
try {
client = clientService.loadClientByClientId(authRequest.getClientId());
} catch (OAuth2Exception e) {
logger.error("confirmAccess: OAuth2Exception was thrown when attempting to load client", e);
model.put("code", HttpStatus.BAD_REQUEST);
return HttpCodeView.VIEWNAME;
} catch (IllegalArgumentException e) {
logger.error("confirmAccess: IllegalArgumentException was thrown when attempting to load client", e);
model.put("code", HttpStatus.BAD_REQUEST);
return HttpCodeView.VIEWNAME;
}
if (client == null) {
logger.error("confirmAccess: could not find client " + authRequest.getClientId());
model.put("code", HttpStatus.NOT_FOUND);
return HttpCodeView.VIEWNAME;
}
model.put("auth_request", authRequest);
model.put("client", client);
String redirect_uri = authRequest.getRedirectUri();
model.put("redirect_uri", redirect_uri);
// pre-process the scopes
Set<SystemScope> scopes = scopeService.fromStrings(authRequest.getScope());
Set<SystemScope> sortedScopes = new LinkedHashSet<SystemScope>(scopes.size());
Set<SystemScope> systemScopes = scopeService.getAll();
// sort scopes for display based on the inherent order of system scopes
for (SystemScope s : systemScopes) {
if (scopes.contains(s)) {
sortedScopes.add(s);
}
}
// add in any scopes that aren't system scopes to the end of the list
sortedScopes.addAll(Sets.difference(scopes, systemScopes));
model.put("scopes", sortedScopes);
// get the userinfo claims for each scope
UserInfo user = userInfoService.getByUsername(p.getName());
Map<String, Map<String, String>> claimsForScopes = new HashMap<String, Map<String, String>>();
if (user != null) {
JsonObject userJson = user.toJson();
for (SystemScope systemScope : sortedScopes) {
Map<String, String> claimValues = new HashMap<String, String>();
Set<String> claims = scopeClaimTranslationService.getClaimsForScope(systemScope.getValue());
for (String claim : claims) {
if (userJson.has(claim) && userJson.get(claim).isJsonPrimitive()) {
// TODO: this skips the address claim
claimValues.put(claim, userJson.get(claim).getAsString());
}
}
claimsForScopes.put(systemScope.getValue(), claimValues);
}
}
model.put("claims", claimsForScopes);
// client stats
Integer count = statsService.getCountForClientId(client.getId());
model.put("count", count);
// contacts
if (client.getContacts() != null) {
String contacts = Joiner.on(", ").join(client.getContacts());
model.put("contacts", contacts);
}
// if the client is over a week old and has more than one registration, don't give such a big warning
// instead, tag as "Generally Recognized As Safe (gras)
Date lastWeek = new Date(System.currentTimeMillis() + (60 * 60 * 24 * 7 * 1000));
//Date lastWeek = new Date(System.currentTimeMillis() - (60 * 60 * 24 * 7 * 1000));
if (count > 1 && client.getCreatedAt() != null && client.getCreatedAt().before(lastWeek)) {
model.put("gras", true);
} else {
model.put("gras", false);
}
// inject a random value for CSRF purposes
model.put("csrf", authRequest.getExtensions().get("csrf"));
return "approve";
}
/**
* @return the clientService
*/
public ClientDetailsEntityService getClientService() {
return clientService;
}
/**
* @param clientService the clientService to set
*/
public void setClientService(ClientDetailsEntityService clientService) {
this.clientService = clientService;
}
}