Backport: Add system flag config to enable/disable CIBA #1404

GluuFederation · Apr 19, 2021 · c4f2220 · c4f2220
1 parent 989da19
commit c4f2220
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 6 deletions.
diff --git a/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java b/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java
@@ -255,6 +255,7 @@ public class AppConfiguration implements Configuration {
     private int backchannelRequestsProcessorJobChunkSize;
     private int cibaGrantLifeExtraTimeSec;
     private int cibaMaxExpirationTimeAllowedSec;
+    private Boolean cibaEnabled;
 
     public Boolean getSubjectIdentifierBasedOnWholeUriBackwardCompatibility() {
         return subjectIdentifierBasedOnWholeUriBackwardCompatibility;
@@ -2054,6 +2055,17 @@ public void setDeviceAuthzResponseTypeToProcessAuthz(String deviceAuthzResponseT
         this.deviceAuthzResponseTypeToProcessAuthz = deviceAuthzResponseTypeToProcessAuthz;
     }
 
+    public Boolean getCibaEnabled() {
+        if (cibaEnabled == null) {
+            return false;
+        }
+        return cibaEnabled;
+    }
+
+    public void setCibaEnabled(Boolean cibaEnabled) {
+        this.cibaEnabled = cibaEnabled;
+    }
+
     public Boolean getRequestUriHashVerificationEnabled() {
         return requestUriHashVerificationEnabled != null ? requestUriHashVerificationEnabled : false;
     }

diff --git a/...c/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelAuthorizeRestWebServiceImpl.java b/...c/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelAuthorizeRestWebServiceImpl.java
@@ -131,6 +131,13 @@ public Response requestBackchannelAuthorizationPost(
 
         Response.ResponseBuilder builder = Response.ok();
 
+        if (!appConfiguration.getCibaEnabled()) {
+            log.warn("Trying to register a CIBA request, however CIBA config is disabled.");
+            builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
+            builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
+            return builder.build();
+        }
+
         SessionClient sessionClient = identity.getSessionClient();
         Client client = null;
         if (sessionClient != null) {
@@ -143,6 +150,12 @@ public Response requestBackchannelAuthorizationPost(
             return builder.build();
         }
 
+        if (!cibaRequestService.hasCibaCompatibility(client)) {
+            builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode()); // 401
+            builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
+            return builder.build();
+        }
+
         List<String> scopes = new ArrayList<>();
         if (StringHelper.isNotEmpty(scope)) {
             Set<String> grantedScopes = scopeChecker.checkScopesPolicy(client, scope);

diff --git a/...va/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelDeviceRegistrationRestWebServiceImpl.java b/...va/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelDeviceRegistrationRestWebServiceImpl.java
@@ -28,6 +28,7 @@
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
 
+import static org.gluu.oxauth.model.ciba.BackchannelAuthenticationErrorResponseType.INVALID_REQUEST;
 import static org.gluu.oxauth.model.ciba.BackchannelDeviceRegistrationErrorResponseType.UNKNOWN_USER_ID;
 
 /**
@@ -75,6 +76,13 @@ public Response requestBackchannelDeviceRegistrationPost(
 
         Response.ResponseBuilder builder = Response.ok();
 
+        if (!appConfiguration.getCibaEnabled()) {
+            log.warn("Trying to register a CIBA device, however CIBA config is disabled.");
+            builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
+            builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
+            return builder.build();
+        }
+
         DefaultErrorResponse cibaDeviceRegistrationValidation = cibaDeviceRegistrationValidatorService.validateParams(
                 idTokenHint, deviceRegistrationToken);
         if (cibaDeviceRegistrationValidation != null) {

diff --git a/Server/src/main/java/org/gluu/oxauth/service/AppInitializer.java b/Server/src/main/java/org/gluu/oxauth/service/AppInitializer.java
@@ -231,7 +231,7 @@ public void applicationInitialized(@Observes @Initialized(ApplicationScoped.clas
 		initTimer();
 		initCibaRequestsProcessor();
 
-		// Set default authentication method after 
+		// Set default authentication method after
 		setDefaultAuthenticationMethod(newConfiguration);
 
 		// Notify plugins about finish application initialization
@@ -700,12 +700,12 @@ public void setLastFinishedTime(long lastFinishedTime) {
 	 * should be more than 0 seconds of interval
 	 */
 	private void initCibaRequestsProcessor() {
-		if (appConfiguration.getBackchannelRequestsProcessorJobIntervalSec() > 0) {
+		if (appConfiguration.getCibaEnabled() && appConfiguration.getBackchannelRequestsProcessorJobIntervalSec() > 0) {
 			if (cibaRequestsProcessorJob != null) {
 				cibaRequestsProcessorJob.initTimer();
 			}
 		} else {
-			log.warn("Didn't start ciba requests processor job because the interval is not valid to run, value: {}",
+			log.warn("Ciba requests processor hasn't been started because the interval is not valid to run or this is disabled, value: {}",
 					appConfiguration.getBackchannelRequestsProcessorJobIntervalSec());
 		}
 	}

diff --git a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
@@ -50,6 +50,8 @@
 import java.util.Arrays;
 import java.util.Date;
 
+import static org.gluu.oxauth.model.ciba.BackchannelAuthenticationErrorResponseType.INVALID_REQUEST;
+
 /**
  * Provides interface for token REST web services
  *
@@ -108,6 +110,9 @@ public class TokenRestWebServiceImpl implements TokenRestWebService {
     @Inject
     private DeviceAuthorizationService deviceAuthorizationService;
 
+    @Inject
+    private Boolean isCibaEnabled;
+
     @Override
     public Response requestAccessToken(String grantType, String code,
                                        String redirectUri, String username, String password, String scope,
@@ -403,6 +408,11 @@ public Response requestAccessToken(String grantType, String code,
                     builder = error(401, TokenErrorResponseType.INVALID_CLIENT, "Invalid user.");
                 }
             } else if (gt == GrantType.CIBA) {
+                if (!appConfiguration.getCibaEnabled()) {
+                    log.warn("Trying to get CIBA token, however CIBA config is disabled.");
+                    return response(error(400, TokenErrorResponseType.INVALID_REQUEST, "Grant types are invalid."), oAuth2AuditLog);
+                }
+
                 if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                     return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Grant types are invalid."), oAuth2AuditLog);
                 }

diff --git a/...nce-model/src/main/java/org/oxauth/persistence/model/configuration/GluuConfiguration.java b/...nce-model/src/main/java/org/oxauth/persistence/model/configuration/GluuConfiguration.java
@@ -6,9 +6,6 @@
 
 package org.oxauth.persistence.model.configuration;
 
-import java.io.Serializable;
-import java.util.List;
-
 import org.gluu.model.SmtpConfiguration;
 import org.gluu.persist.annotation.AttributeName;
 import org.gluu.persist.annotation.DataEntry;
@@ -18,6 +15,9 @@
 import org.gluu.service.cache.CacheConfiguration;
 import org.gluu.service.document.store.conf.DocumentStoreConfiguration;
 
+import java.io.Serializable;
+import java.util.List;
+
 /**
  * Gluu Configuration
  *