#432 , # 433 : introspection endpoint must be protected by PAT and re…

…turn scopes.
GluuFederation · Jan 12, 2017 · 5013269 · 5013269
1 parent db05255
commit 5013269
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 15 deletions.
diff --git a/Client/src/test/java/org/xdi/oxauth/ws/rs/IntrospectionWsHttpTest.java b/Client/src/test/java/org/xdi/oxauth/ws/rs/IntrospectionWsHttpTest.java
@@ -27,8 +27,8 @@ public class IntrospectionWsHttpTest extends BaseTest {
     @Parameters({"umaAatClientId", "umaAatClientSecret"})
     public void test(final String umaAatClientId, final String umaAatClientSecret) throws Exception {
 
-        final Token authorization = UmaClient.requestAat(tokenEndpoint, umaAatClientId, umaAatClientSecret);
-        final Token tokenToIntrospect = UmaClient.requestPat(tokenEndpoint, umaAatClientId, umaAatClientSecret);
+        final Token authorization = UmaClient.requestPat(tokenEndpoint, umaAatClientId, umaAatClientSecret);
+        final Token tokenToIntrospect = UmaClient.requestAat(tokenEndpoint, umaAatClientId, umaAatClientSecret);
 
         final IntrospectionService introspectionService = ClientFactory.instance().createIntrospectionService(introspectionEndpoint);
         final IntrospectionResponse introspectionResponse = introspectionService.introspectToken("Bearer " + authorization.getAccessToken(), tokenToIntrospect.getAccessToken());

diff --git a/Model/src/main/java/org/xdi/oxauth/model/common/IntrospectionResponse.java b/Model/src/main/java/org/xdi/oxauth/model/common/IntrospectionResponse.java
@@ -10,31 +10,36 @@
 import org.codehaus.jackson.annotate.JsonPropertyOrder;
 import org.jboss.resteasy.annotations.providers.jaxb.IgnoreMediaTypes;
 
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Date;
+import java.util.List;
 
 /**
  * @author Yuriy Zabrovarnyy
  * @version 0.9, 17/09/2013
  */
-@JsonPropertyOrder({"active", "exp", "iat", "acr_values"})
+@JsonPropertyOrder({"active", "exp", "iat", "acr_values", "scopes"})
 // ignore jettison as it's recommended here: http://docs.jboss.org/resteasy/docs/2.3.4.Final/userguide/html/json.html
 @IgnoreMediaTypes("application/*+json")
 public class IntrospectionResponse {
 
     @JsonProperty(value = "active")
-    private boolean m_active;   // according spec, must be "active" http://tools.ietf.org/html/draft-richer-oauth-introspection-03#section-2.2
+    private boolean active;   // according spec, must be "active" http://tools.ietf.org/html/draft-richer-oauth-introspection-03#section-2.2
     @JsonProperty(value = "exp")
     private Date expiresAt;
     @JsonProperty(value = "iat")
     private Date issuedAt;
     @JsonProperty(value = "acr_values")
     private String acrValues;
+    @JsonProperty(value = "scopes")
+    private List<String> scopes;
 
     public IntrospectionResponse() {
     }
 
     public IntrospectionResponse(boolean p_active) {
-        m_active = p_active;
+        active = p_active;
     }
 
     public String getAcrValues() {
@@ -46,11 +51,19 @@ public void setAcrValues(String p_authMode) {
     }
 
     public boolean isActive() {
-        return m_active;
+        return active;
     }
 
     public void setActive(boolean p_active) {
-        m_active = p_active;
+        active = p_active;
+    }
+
+    public List<String> getScopes() {
+        return scopes;
+    }
+
+    public void setScopes(Collection<String> scopes) {
+        this.scopes = new ArrayList<String>(scopes);
     }
 
     public Date getExpiresAt() {

diff --git a/Server/src/main/java/org/xdi/oxauth/introspection/ws/rs/IntrospectionWebService.java b/Server/src/main/java/org/xdi/oxauth/introspection/ws/rs/IntrospectionWebService.java
@@ -18,6 +18,7 @@
 import org.xdi.oxauth.model.common.AuthorizationGrantList;
 import org.xdi.oxauth.model.common.IntrospectionResponse;
 import org.xdi.oxauth.model.error.ErrorResponseFactory;
+import org.xdi.oxauth.model.uma.UmaScopeType;
 import org.xdi.oxauth.service.token.TokenService;
 import org.xdi.oxauth.util.ServerUtil;
 
@@ -77,7 +78,8 @@ private Response introspect(String p_authorization, String p_token, String token
                 final AuthorizationGrant authorizationGrant = tokenService.getAuthorizationGrant(p_authorization);
                 if (authorizationGrant != null) {
                     final AbstractToken accessToken = authorizationGrant.getAccessToken(tokenService.getTokenFromAuthorizationParameter(p_authorization));
-                    if (accessToken != null && accessToken.isValid()) {
+                    boolean isPat = authorizationGrant.getScopesAsString().contains(UmaScopeType.PROTECTION.getValue()); // #432
+                    if (accessToken != null && accessToken.isValid() && isPat) {
                         final IntrospectionResponse response = new IntrospectionResponse(false);
 
                         final AuthorizationGrant grantOfIntrospectionToken = authorizationGrantList.getAuthorizationGrantByAccessToken(p_token);
@@ -88,6 +90,7 @@ private Response introspect(String p_authorization, String p_token, String token
                                 response.setExpiresAt(tokenToIntrospect.getExpirationDate());
                                 response.setIssuedAt(tokenToIntrospect.getCreationDate());
                                 response.setAcrValues(tokenToIntrospect.getAuthMode());
+                                response.setScopes(grantOfIntrospectionToken.getScopes()); // #433
                             }
                         }
                         return Response.status(Response.Status.OK).entity(ServerUtil.asJson(response)).build();

diff --git a/Server/src/test/java/org/xdi/oxauth/ws/rs/IntrospectionWebServiceEmbeddedTest.java b/Server/src/test/java/org/xdi/oxauth/ws/rs/IntrospectionWebServiceEmbeddedTest.java
@@ -6,10 +6,6 @@
 
 package org.xdi.oxauth.ws.rs;
 
-import static org.testng.Assert.assertEquals;
-import static org.testng.Assert.assertTrue;
-import static org.testng.Assert.fail;
-
 import org.jboss.seam.mock.EnhancedMockHttpServletRequest;
 import org.jboss.seam.mock.EnhancedMockHttpServletResponse;
 import org.jboss.seam.mock.ResourceRequestEnvironment;
@@ -22,6 +18,8 @@
 import org.xdi.oxauth.model.uma.wrapper.Token;
 import org.xdi.oxauth.util.ServerUtil;
 
+import static org.testng.Assert.*;
+
 /**
  * @author Yuriy Zabrovarnyy
  * @version 0.9, 17/09/2013
@@ -34,10 +32,10 @@ public class IntrospectionWebServiceEmbeddedTest extends BaseTest {
 
     @Test
     @Parameters({"authorizePath", "tokenPath",
-            "umaUserId", "umaUserSecret", "umaAatClientId", "umaAatClientSecret", "umaRedirectUri"})
+            "umaUserId", "umaUserSecret", "umaPatClientId", "umaPatClientSecret", "umaRedirectUri"})
     public void requestAuthorization(String authorizePath, String tokenPath, String umaUserId, String umaUserSecret,
-                                     String umaAatClientId, String umaAatClientSecret, String umaRedirectUri) {
-        m_authorization = TUma.requestAat(this, authorizePath, tokenPath, umaUserId, umaUserSecret, umaAatClientId, umaAatClientSecret, umaRedirectUri);
+                                     String umaPatClientId, String umaPatClientSecret, String umaRedirectUri) {
+        m_authorization = TUma.requestPat(this, authorizePath, tokenPath, umaUserId, umaUserSecret, umaPatClientId, umaPatClientSecret, umaRedirectUri);
         UmaTestUtil.assert_(m_authorization);
     }