/*
* oxAuth is available under the MIT License (2008). See http://opensource.org/licenses/MIT for full text.
*
* Copyright (c) 2014, Gluu
*/
package org.gluu.oxauth.uma.service;
import com.google.common.base.Preconditions;
import org.apache.commons.lang.ArrayUtils;
import org.gluu.oxauth.claims.Audience;
import org.gluu.oxauth.model.common.ExecutionContext;
import org.gluu.oxauth.model.common.GrantType;
import org.gluu.oxauth.model.config.StaticConfiguration;
import org.gluu.oxauth.model.config.WebKeysConfiguration;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.model.token.JwtSigner;
import org.gluu.oxauth.model.uma.persistence.UmaPermission;
import org.gluu.oxauth.model.util.JwtUtil;
import org.gluu.oxauth.service.ClientService;
import org.gluu.oxauth.service.external.ExternalUmaRptClaimsService;
import org.gluu.oxauth.service.external.context.ExternalUmaRptClaimsContext;
import org.gluu.oxauth.service.stat.StatService;
import org.gluu.oxauth.uma.authorization.UmaPCT;
import org.gluu.oxauth.uma.authorization.UmaRPT;
import org.gluu.oxauth.util.ServerUtil;
import org.gluu.oxauth.util.TokenHashUtil;
import org.gluu.persist.PersistenceEntryManager;
import org.gluu.persist.model.base.SimpleBranch;
import org.gluu.util.INumGenerator;
import org.gluu.util.StringHelper;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import java.io.IOException;
import java.util.*;
/**
* RPT manager component
*
* @author Yuriy Zabrovarnyy
* @author Javier Rojas Blum
* @version June 28, 2017
*/
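@ApplicationScoped
public class UmaRptService {

    /** Organizational unit (branch) under the tokens base DN where RPT entries live. */
    private static final String ORGUNIT_OF_RPT = "uma_rpt";

    /** Fallback RPT lifetime in seconds, used when the configured lifetime is not positive. */
    public static final int DEFAULT_RPT_LIFETIME = 3600;

    @Inject
    private Logger log;

    @Inject
    private PersistenceEntryManager ldapEntryManager;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private UmaPctService pctService;

    @Inject
    private UmaScopeService umaScopeService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private StaticConfiguration staticConfiguration;

    @Inject
    private ClientService clientService;

    @Inject
    private ExternalUmaRptClaimsService externalUmaRptClaimsService;

    @Inject
    private StatService statService;

    // Cached "branch exists or is not needed" flag; once true, addBranchIfNeeded() skips the directory check.
    // Not synchronized: concurrent first calls may each attempt to add the branch (unchanged from before).
    private boolean containsBranch = false;

    /**
     * Builds the DN of the RPT entry for the given plain (not hashed) token code.
     * Only the hash of the code is embedded in the DN, never the code itself.
     *
     * @param tokenCode plain RPT code
     * @return DN of the corresponding RPT entry
     */
    public String createDn(String tokenCode) {
        return String.format("tknCde=%s,%s", TokenHashUtil.hash(tokenCode), branchDn());
    }

    /**
     * Returns the DN of the branch holding all RPT entries.
     *
     * @return branch DN built from {@link #ORGUNIT_OF_RPT} and the configured tokens base DN
     */
    public String branchDn() {
        return String.format("ou=%s,%s", ORGUNIT_OF_RPT, staticConfiguration.getBaseDn().getTokens());
    }

    /**
     * Stores the RPT. The entry's DN and {@code code} are derived from the hash of the plain code,
     * so the plain token is never written to the directory.
     * <p>
     * Any failure (including a {@code null} client id) is logged and swallowed; callers are not told
     * that the RPT was not stored.
     *
     * @param rpt RPT to persist; must carry a client id and a plain code
     */
    public void persist(UmaRPT rpt) {
        try {
            Preconditions.checkNotNull(rpt.getClientId());
            addBranchIfNeeded();
            rpt.setDn(createDn(rpt.getNotHashedCode()));
            rpt.setCode(TokenHashUtil.hash(rpt.getNotHashedCode()));
            ldapEntryManager.persist(rpt);
        } catch (Exception e) {
            log.error(e.getMessage(), e);
        }
    }

    /**
     * Looks up an RPT by its plain code.
     *
     * @param rptCode plain RPT code
     * @return the stored RPT, or {@code null} when it does not exist or the lookup fails
     */
    public UmaRPT getRPTByCode(String rptCode) {
        try {
            final UmaRPT entry = ldapEntryManager.find(UmaRPT.class, createDn(rptCode));
            if (entry != null) {
                return entry;
            }
            // Log the hash, not the plain token: the code is a bearer credential, and the hash is
            // what the directory stores anyway, so it is still enough to correlate with an entry.
            log.error("Failed to find RPT by code (hashed): {}", TokenHashUtil.hash(rptCode));
        } catch (Exception e) {
            log.error(e.getMessage(), e);
        }
        return null;
    }

    /**
     * Removes the RPT with the given plain code, if it exists. Failures are logged and swallowed.
     *
     * @param rptCode plain RPT code
     */
    public void deleteByCode(String rptCode) {
        try {
            final UmaRPT existing = getRPTByCode(rptCode);
            if (existing != null) {
                ldapEntryManager.remove(existing);
            }
        } catch (Exception e) {
            log.error(e.getMessage(), e);
        }
    }

    /**
     * Adds the given permissions to the RPT and persists it.
     *
     * @param rpt         RPT to extend
     * @param permissions permissions to add; an empty collection is a no-op
     * @return {@code true} on success or when there was nothing to add, {@code false} if persisting failed
     */
    public boolean addPermissionToRPT(UmaRPT rpt, Collection<UmaPermission> permissions) {
        return addPermissionToRPT(rpt, permissions.toArray(new UmaPermission[0]));
    }

    /**
     * Adds the given permissions to the RPT and persists it.
     *
     * @param rpt        RPT to extend
     * @param permission permissions to add; an empty array is a no-op
     * @return {@code true} on success or when there was nothing to add, {@code false} if persisting failed
     */
    public boolean addPermissionToRPT(UmaRPT rpt, UmaPermission... permission) {
        if (ArrayUtils.isEmpty(permission)) {
            return true;
        }
        // New permission DNs come first, followed by whatever the RPT already referenced.
        final List<String> permissionDns = getPermissionDns(Arrays.asList(permission));
        final List<String> existing = rpt.getPermissions();
        if (existing != null) {
            permissionDns.addAll(existing);
        }
        rpt.setPermissions(permissionDns);
        try {
            rpt.resetTtlFromExpirationDate();
            ldapEntryManager.merge(rpt);
            log.trace("Persisted RPT: {}", rpt);
            return true;
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Collects the DNs of the given permissions.
     *
     * @param permissions permissions, may be {@code null}
     * @return mutable list of DNs in iteration order; empty for {@code null} input
     */
    public static List<String> getPermissionDns(Collection<UmaPermission> permissions) {
        final List<String> result = new ArrayList<>();
        if (permissions != null) {
            for (UmaPermission permission : permissions) {
                result.add(permission.getDn());
            }
        }
        return result;
    }

    /**
     * Resolves the permission entries referenced by the RPT. DNs that cannot be found are skipped;
     * a lookup failure is logged and whatever was resolved so far is returned.
     *
     * @param rpt RPT whose permission DNs are resolved; may be {@code null}
     * @return resolved permissions, never {@code null}
     */
    public List<UmaPermission> getRptPermissions(UmaRPT rpt) {
        final List<UmaPermission> result = new ArrayList<>();
        try {
            if (rpt != null && rpt.getPermissions() != null) {
                for (String permissionDn : rpt.getPermissions()) {
                    final UmaPermission permission = ldapEntryManager.find(UmaPermission.class, permissionDn);
                    if (permission != null) {
                        result.add(permission);
                    }
                }
            }
        } catch (Exception e) {
            log.error(e.getMessage(), e);
        }
        return result;
    }

    /**
     * Computes the expiration date of a newly issued RPT: now plus the configured lifetime,
     * or plus {@link #DEFAULT_RPT_LIFETIME} when the configured value is not positive.
     *
     * @return expiration instant
     */
    public Date rptExpirationDate() {
        int lifeTime = appConfiguration.getUmaRptLifetime();
        if (lifeTime <= 0) {
            lifeTime = DEFAULT_RPT_LIFETIME;
        }
        // Multiply as long so a large configured lifetime cannot overflow the int millisecond value.
        return new Date(System.currentTimeMillis() + lifeTime * 1000L);
    }

    /**
     * Issues a new RPT for the client in the execution context and persists it.
     * The code is a signed JWT when the client is configured for RPT-as-JWT, otherwise an opaque
     * random string. Note that {@link #persist(UmaRPT)} swallows failures, so the returned RPT is
     * not guaranteed to have been stored.
     *
     * @param executionContext context carrying the requesting client
     * @param permissions      permissions the RPT grants
     * @return the created RPT
     * @throws RuntimeException when token creation fails
     */
    public UmaRPT createRPTAndPersist(ExecutionContext executionContext, List<UmaPermission> permissions) {
        try {
            final Date creationDate = new Date();
            final Date expirationDate = rptExpirationDate();
            final Client client = executionContext.getClient();
            final String code;
            if (client.isRptAsJwt()) {
                code = createRptJwt(executionContext, permissions, creationDate, expirationDate);
            } else {
                code = UUID.randomUUID().toString() + "_" + INumGenerator.generate(8);
            }
            final UmaRPT rpt = new UmaRPT(code, creationDate, expirationDate, null, client.getClientId());
            rpt.setPermissions(getPermissionDns(permissions));
            persist(rpt);
            statService.reportUmaToken(GrantType.OXAUTH_UMA_TICKET);
            return rpt;
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            // Guard the client lookup so a missing client does not turn this into a bare NPE.
            final Client client = executionContext.getClient();
            final String clientId = client != null ? client.getClientId() : null;
            throw new RuntimeException("Failed to generate RPT, clientId: " + clientId, e);
        }
    }

    /**
     * Refreshes the RPT's TTL from its expiration date and merges it into the directory.
     *
     * @param rpt RPT to update
     */
    public void merge(UmaRPT rpt) {
        rpt.resetTtlFromExpirationDate();
        ldapEntryManager.merge(rpt);
    }

    /**
     * Builds and signs the JWT form of an RPT.
     *
     * @param executionContext context carrying the client the token is issued to
     * @param permissions      permissions to embed; may be {@code null} or empty
     * @param creationDate     value of the {@code iat} claim
     * @param expirationDate   value of the {@code exp} claim
     * @return the serialized, signed JWT
     * @throws Exception when signing or permission serialization fails
     */
    private String createRptJwt(ExecutionContext executionContext, List<UmaPermission> permissions, Date creationDate, Date expirationDate) throws Exception {
        final Client client = executionContext.getClient();
        final SignatureAlgorithm signatureAlgorithm = resolveSignatureAlgorithm(client);
        final JwtSigner jwtSigner = new JwtSigner(appConfiguration, webKeysConfiguration, signatureAlgorithm, client.getClientId(), clientService.decryptSecret(client.getClientSecret()));
        final Jwt jwt = jwtSigner.newJwt();
        jwt.getClaims().setClaim("client_id", client.getClientId());
        jwt.getClaims().setExpirationTime(expirationDate);
        jwt.getClaims().setIssuedAt(creationDate);
        Audience.setAudience(jwt.getClaims(), client);
        if (permissions != null && !permissions.isEmpty()) {
            // Only the first permission's PCT attribute is consulted.
            addPctClaims(jwt, permissions.get(0));
            jwt.getClaims().setClaim("permissions", buildPermissionsJSONObject(permissions));
        }
        runScriptAndInjectValuesIntoJwt(jwt, executionContext);
        return jwtSigner.sign().toString();
    }

    /**
     * Picks the signing algorithm: the client's access-token signing algorithm when it is set and
     * parses to a known algorithm, otherwise the server default.
     *
     * @param client client the token is issued to
     * @return algorithm to sign with
     */
    private SignatureAlgorithm resolveSignatureAlgorithm(Client client) {
        final SignatureAlgorithm clientAlgorithm = client.getAccessTokenSigningAlg() != null
                ? SignatureAlgorithm.fromString(client.getAccessTokenSigningAlg())
                : null;
        if (clientAlgorithm != null) {
            return clientAlgorithm;
        }
        return SignatureAlgorithm.fromString(appConfiguration.getDefaultSignatureAlgorithm());
    }

    /**
     * Copies the claims of the PCT referenced by the permission into the {@code pct_claims} claim.
     * Does nothing when the permission carries no PCT code; logs an error when the PCT is not found.
     *
     * @param jwt        token being built
     * @param permission permission whose PCT attribute is read
     */
    private void addPctClaims(Jwt jwt, UmaPermission permission) {
        final String pctCode = permission.getAttributes().get(UmaPermission.PCT);
        if (!StringHelper.isNotEmpty(pctCode)) {
            return;
        }
        final UmaPCT pct = pctService.getByCode(pctCode);
        if (pct == null) {
            // Hash the PCT code before logging: it is a token, not a harmless identifier.
            log.error("Failed to find PCT with code (hashed): {} which is taken from permission object: {}",
                    TokenHashUtil.hash(pctCode), permission.getDn());
            return;
        }
        jwt.getClaims().setClaim("pct_claims", pct.getClaims().toJsonObject());
    }

    /**
     * Runs the external RPT-claims scripts and, when the script context asks for it, transfers the
     * script's response properties into the JWT claims.
     *
     * @param jwt              token being built
     * @param executionContext context handed to the scripts
     */
    private void runScriptAndInjectValuesIntoJwt(Jwt jwt, ExecutionContext executionContext) {
        final JSONObject responseAsJsonObject = new JSONObject();
        final ExternalUmaRptClaimsContext context = new ExternalUmaRptClaimsContext(executionContext);
        if (!externalUmaRptClaimsService.externalModify(responseAsJsonObject, context)) {
            return;
        }
        log.trace("Successfully run external RPT Claim scripts.");
        if (context.isTranferPropertiesIntoJwtClaims()) {
            log.trace("Transfering claims into jwt ...");
            JwtUtil.transferIntoJwtClaims(responseAsJsonObject, jwt);
            log.trace("Transfered.");
        }
    }

    /**
     * Serializes the valid permissions into the JSON array used for the {@code permissions} claim.
     * Permissions that are not valid after {@code checkExpired()} are skipped with a debug log line.
     *
     * @param permissions permissions to serialize
     * @return JSON array of converted permissions
     * @throws IOException   when JSON serialization fails
     * @throws JSONException when the serialized text is not a valid JSON array
     */
    public JSONArray buildPermissionsJSONObject(List<UmaPermission> permissions) throws IOException, JSONException {
        final List<org.gluu.oxauth.model.uma.UmaPermission> result = new ArrayList<>();
        for (UmaPermission permission : permissions) {
            // checkExpired() runs first so the validity check sees the current expiry state
            // (assumed from the call order — confirm in UmaPermission).
            permission.checkExpired();
            if (!permission.isValid()) {
                log.debug("Ignore permission, skip it in response because permission is not valid. Permission dn: {}", permission.getDn());
                continue;
            }
            final org.gluu.oxauth.model.uma.UmaPermission converted = ServerUtil.convert(permission, umaScopeService);
            if (converted != null) {
                result.add(converted);
            }
        }
        return new JSONArray(ServerUtil.asJson(result));
    }

    /**
     * Creates the RPT branch entry in the directory.
     */
    public void addBranch() {
        final SimpleBranch branch = new SimpleBranch();
        branch.setOrganizationalUnitName(ORGUNIT_OF_RPT);
        branch.setDn(branchDn());
        ldapEntryManager.persist(branch);
    }

    /**
     * Ensures the RPT branch exists when the backend supports branches. The cached flag is checked
     * first so the directory is not queried again once the branch is known to exist (or is not needed),
     * and it is set after a successful {@link #addBranch()} as well.
     */
    public void addBranchIfNeeded() {
        if (containsBranch) {
            return;
        }
        if (ldapEntryManager.hasBranchesSupport(branchDn()) && !containsBranch()) {
            addBranch();
        }
        containsBranch = true;
    }

    /**
     * Queries the directory for the RPT branch.
     *
     * @return {@code true} when the branch entry exists
     */
    public boolean containsBranch() {
        return ldapEntryManager.contains(branchDn(), SimpleBranch.class);
    }
}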