(4.2.2) Introduced revoke interception script

#1502
GluuFederation · Dec 10, 2020 · 1695193 · 1695193
1 parent 1d2ec03
commit 1695193
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 0 deletions.
diff --git a/Server/src/main/java/org/gluu/oxauth/revoke/RevokeRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/revoke/RevokeRestWebServiceImpl.java
@@ -20,6 +20,8 @@
 import org.gluu.oxauth.security.Identity;
 import org.gluu.oxauth.service.ClientService;
 import org.gluu.oxauth.service.GrantService;
+import org.gluu.oxauth.service.external.ExternalRevokeTokenService;
+import org.gluu.oxauth.service.external.context.RevokeTokenContext;
 import org.gluu.oxauth.util.ServerUtil;
 import org.slf4j.Logger;
 
@@ -62,6 +64,9 @@ public class RevokeRestWebServiceImpl implements RevokeRestWebService {
     @Inject
     private ClientService clientService;
 
+    @Inject
+    private ExternalRevokeTokenService externalRevokeTokenService;
+
     @Override
     public Response requestAccessToken(String token, String tokenTypeHint, String clientId,
                                        HttpServletRequest request, HttpServletResponse response, SecurityContext sec) {
@@ -113,6 +118,13 @@ public Response requestAccessToken(String token, String tokenTypeHint, String cl
             return response(builder, oAuth2AuditLog);
         }
 
+        RevokeTokenContext revokeTokenContext = new RevokeTokenContext(request, client, authorizationGrant, builder);
+        final boolean scriptResult = externalRevokeTokenService.revokeTokenMethods(revokeTokenContext);
+        if (!scriptResult) {
+            log.trace("Revoke is forbidden by 'Revoke Token' custom script (method returned false). Exit without revoking.");
+            return response(builder, oAuth2AuditLog);
+        }
+
         grantService.removeAllByGrantId(authorizationGrant.getGrantId());
         log.trace("Revoked successfully.");
 

diff --git a/Server/src/main/java/org/gluu/oxauth/service/external/ExternalRevokeTokenService.java b/Server/src/main/java/org/gluu/oxauth/service/external/ExternalRevokeTokenService.java
@@ -0,0 +1,56 @@
+package org.gluu.oxauth.service.external;
+
+import org.gluu.model.custom.script.CustomScriptType;
+import org.gluu.model.custom.script.conf.CustomScriptConfiguration;
+import org.gluu.model.custom.script.type.revoke.RevokeTokenType;
+import org.gluu.oxauth.service.external.context.RevokeTokenContext;
+import org.gluu.service.custom.script.ExternalScriptService;
+import org.slf4j.Logger;
+
+import javax.ejb.DependsOn;
+import javax.enterprise.context.ApplicationScoped;
+import javax.inject.Inject;
+import javax.inject.Named;
+
+/**
+ * @author Yuriy Zabrovarnyy
+ */
+@ApplicationScoped
+@DependsOn("appInitializer")
+@Named
+public class ExternalRevokeTokenService extends ExternalScriptService {
+
+    @Inject
+    private Logger log;
+
+    public ExternalRevokeTokenService() {
+        super(CustomScriptType.REVOKE_TOKEN);
+    }
+
+    public boolean revokeToken(CustomScriptConfiguration script, RevokeTokenContext context) {
+        try {
+            log.trace("Executing python 'revokeToken' method, context: {}", context);
+            context.setScript(script);
+            RevokeTokenType revokeTokenType = (RevokeTokenType) script.getExternalType();
+            final boolean result = revokeTokenType.revoke(context);
+            log.trace("Finished 'revokeToken' method, result: {}, context: {}", result, context);
+            return result;
+        } catch (Exception ex) {
+            log.error(ex.getMessage(), ex);
+            saveScriptError(script.getCustomScript(), ex);
+        }
+
+        return false;
+    }
+
+    public boolean revokeTokenMethods(RevokeTokenContext context) {
+        for (CustomScriptConfiguration script : this.customScriptConfigurations) {
+            if (script.getExternalType().getApiVersion() > 1) {
+                if (!revokeToken(script, context)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+}
diff --git a/Server/src/main/java/org/gluu/oxauth/service/external/context/RevokeTokenContext.java b/Server/src/main/java/org/gluu/oxauth/service/external/context/RevokeTokenContext.java
@@ -0,0 +1,54 @@
+package org.gluu.oxauth.service.external.context;
+
+import org.gluu.model.custom.script.conf.CustomScriptConfiguration;
+import org.gluu.oxauth.model.common.AuthorizationGrant;
+import org.gluu.oxauth.model.registration.Client;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.Response;
+
+/**
+ * @author Yuriy Zabrovarnyy
+ */
+public class RevokeTokenContext extends ExternalScriptContext {
+
+    private final Client client;
+    private final AuthorizationGrant grant;
+    private final Response.ResponseBuilder responseBuilder;
+    private CustomScriptConfiguration script;
+
+    public RevokeTokenContext(HttpServletRequest httpRequest, Client client, AuthorizationGrant grant, Response.ResponseBuilder responseBuilder) {
+        super(httpRequest);
+        this.client = client;
+        this.grant = grant;
+        this.responseBuilder = responseBuilder;
+    }
+
+    public Client getClient() {
+        return client;
+    }
+
+    public AuthorizationGrant getGrant() {
+        return grant;
+    }
+
+    public Response.ResponseBuilder getResponseBuilder() {
+        return responseBuilder;
+    }
+
+    public CustomScriptConfiguration getScript() {
+        return script;
+    }
+
+    public void setScript(CustomScriptConfiguration script) {
+        this.script = script;
+    }
+
+    @Override
+    public String toString() {
+        return "RevokeTokenContext{" +
+                "clientId=" + (client != null ? client.getClientId() : "") +
+                ", script=" + (script != null ? script.getName() : "") +
+                "} " + super.toString();
+    }
+}