From c4f222044b5d151496cf8f87a5457311fa1aa7d2 Mon Sep 17 00:00:00 2001
From: yurem
Date: Mon, 19 Apr 2021 19:01:17 +0300
Subject: [PATCH] Backport: Add system flag config to enable/disable CIBA #1404

---
 .../model/configuration/AppConfiguration.java | 12 ++++++++++++
 .../rs/BackchannelAuthorizeRestWebServiceImpl.java | 13 +++++++++++++
 ...channelDeviceRegistrationRestWebServiceImpl.java | 8 ++++++++
 .../org/gluu/oxauth/service/AppInitializer.java | 6 +++---
 .../oxauth/token/ws/rs/TokenRestWebServiceImpl.java | 10 ++++++++++
 .../model/configuration/GluuConfiguration.java | 6 +++---
 6 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java b/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java
index 721e46c398..23db86b971 100644
--- a/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java
+++ b/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java
@@ -255,6 +255,7 @@ public class AppConfiguration implements Configuration {
 private int backchannelRequestsProcessorJobChunkSize;
 private int cibaGrantLifeExtraTimeSec;
 private int cibaMaxExpirationTimeAllowedSec;
+ private Boolean cibaEnabled;

 public Boolean getSubjectIdentifierBasedOnWholeUriBackwardCompatibility() {
 return subjectIdentifierBasedOnWholeUriBackwardCompatibility;
@@ -2054,6 +2055,17 @@ public void setDeviceAuthzResponseTypeToProcessAuthz(String deviceAuthzResponseT
 this.deviceAuthzResponseTypeToProcessAuthz = deviceAuthzResponseTypeToProcessAuthz;
 }

+ public Boolean getCibaEnabled() {
+ if (cibaEnabled == null) {
+ return false;
+ }
+ return cibaEnabled;
+ }
+
+ public void setCibaEnabled(Boolean cibaEnabled) {
+ this.cibaEnabled = cibaEnabled;
+ }
+
 public Boolean getRequestUriHashVerificationEnabled() {
 return requestUriHashVerificationEnabled != null ? requestUriHashVerificationEnabled : false;
 }
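Review bot: `getCibaEnabled()` in the second hunk spells its null-default out in four lines while the adjacent `getRequestUriHashVerificationEnabled()` uses the file's ternary form; `return cibaEnabled != null ? cibaEnabled : false;` keeps the two getters consistent. The new field is also undocumented although it is the master switch that the backchannel endpoints, the CIBA token grant and the requests-processor job consult in this patch; a Javadoc on the field such as `/** Enables the CIBA endpoints and grant; unset is treated as disabled. */` records that the default is off. Since the getter can never return null it could be typed `boolean`, but that changes the public signature, so only do it if no caller relies on the wrapper type.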
diff --git a/Server/src/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelAuthorizeRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelAuthorizeRestWebServiceImpl.java
index 8bfe193846..c984922544 100644
--- a/Server/src/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelAuthorizeRestWebServiceImpl.java
+++ b/Server/src/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelAuthorizeRestWebServiceImpl.java
@@ -131,6 +131,13 @@ public Response requestBackchannelAuthorizationPost(

 Response.ResponseBuilder builder = Response.ok();

+ if (!appConfiguration.getCibaEnabled()) {
+ log.warn("Trying to register a CIBA request, however CIBA config is disabled.");
+ builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
+ builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
+ return builder.build();
+ }
+
 SessionClient sessionClient = identity.getSessionClient();
 Client client = null;
 if (sessionClient != null) {
@@ -143,6 +150,12 @@ public Response requestBackchannelAuthorizationPost(
 return builder.build();
 }

+ if (!cibaRequestService.hasCibaCompatibility(client)) {
+ builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode()); // 401
+ builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
+ return builder.build();
+ }
+
 List scopes = new ArrayList<>();
 if (StringHelper.isNotEmpty(scope)) {
 Set grantedScopes = scopeChecker.checkScopesPolicy(client, scope);
diff --git a/Server/src/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelDeviceRegistrationRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelDeviceRegistrationRestWebServiceImpl.java
index 2b4eedb8f0..24f26de616 100644
--- a/Server/src/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelDeviceRegistrationRestWebServiceImpl.java
+++ b/Server/src/main/java/org/gluu/oxauth/bcauthorize/ws/rs/BackchannelDeviceRegistrationRestWebServiceImpl.java
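Review bot: The `// 401` comment on the new `hasCibaCompatibility` branch in the second hunk contradicts the status the line sets, `Response.Status.BAD_REQUEST` (400); either drop the comment or, if an unauthorized status was really intended, use `Response.Status.UNAUTHORIZED` so code and comment agree. That branch passes `client`, which the first hunk's context initialises to `null` and fills only when a session client exists; whether the preceding block always returns for a null client lies outside the hunk, so confirm `hasCibaCompatibility` tolerates null or add a guard. The disabled-CIBA rejection in the first hunk (and the same pattern in BackchannelDeviceRegistrationRestWebServiceImpl and TokenRestWebServiceImpl in this patch) writes a warn-level line for every unauthenticated request that reaches the disabled endpoint, which a remote caller can trigger at will; one warning at startup plus `log.debug` per request keeps the log useful. requestBackchannelAuthorizationPost continues outside both hunks.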
@@ -28,6 +28,7 @@
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;

+import static org.gluu.oxauth.model.ciba.BackchannelAuthenticationErrorResponseType.INVALID_REQUEST;
 import static org.gluu.oxauth.model.ciba.BackchannelDeviceRegistrationErrorResponseType.UNKNOWN_USER_ID;

 /**
@@ -75,6 +76,13 @@ public Response requestBackchannelDeviceRegistrationPost(

 Response.ResponseBuilder builder = Response.ok();

+ if (!appConfiguration.getCibaEnabled()) {
+ log.warn("Trying to register a CIBA device, however CIBA config is disabled.");
+ builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
+ builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
+ return builder.build();
+ }
+
 DefaultErrorResponse cibaDeviceRegistrationValidation = cibaDeviceRegistrationValidatorService.validateParams(
 idTokenHint, deviceRegistrationToken);
 if (cibaDeviceRegistrationValidation != null) {
diff --git a/Server/src/main/java/org/gluu/oxauth/service/AppInitializer.java b/Server/src/main/java/org/gluu/oxauth/service/AppInitializer.java
index e8b2adc195..1fccd6bfec 100644
--- a/Server/src/main/java/org/gluu/oxauth/service/AppInitializer.java
+++ b/Server/src/main/java/org/gluu/oxauth/service/AppInitializer.java
@@ -231,7 +231,7 @@ public void applicationInitialized(@Observes @Initialized(ApplicationScoped.clas
 initTimer();
 initCibaRequestsProcessor();

- // Set default authentication method after
+ // Set default authentication method after
 setDefaultAuthenticationMethod(newConfiguration);

 // Notify plugins about finish application initialization
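Review bot: The rejection added in the second hunk reports `BackchannelAuthenticationErrorResponseType.INVALID_REQUEST` (newly imported in the first hunk) from the device-registration endpoint, while the rest of this file reports `BackchannelDeviceRegistrationErrorResponseType` members such as `UNKNOWN_USER_ID`; if that enum has an equivalent invalid-request member it should be used so the endpoint's error vocabulary stays in one family, otherwise a one-line comment on the import explaining the borrowed type would save the next reader the question. Placing the check ahead of `cibaDeviceRegistrationValidatorService.validateParams(...)` is the right fail-fast order. requestBackchannelDeviceRegistrationPost continues outside the hunk.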
@@ -700,12 +700,12 @@ public void setLastFinishedTime(long lastFinishedTime) {
 * should be more than 0 seconds of interval
 */
 private void initCibaRequestsProcessor() {
- if (appConfiguration.getBackchannelRequestsProcessorJobIntervalSec() > 0) {
+ if (appConfiguration.getCibaEnabled() && appConfiguration.getBackchannelRequestsProcessorJobIntervalSec() > 0) {
 if (cibaRequestsProcessorJob != null) {
 cibaRequestsProcessorJob.initTimer();
 }
 } else {
- log.warn("Didn't start ciba requests processor job because the interval is not valid to run, value: {}",
+ log.warn("Ciba requests processor hasn't been started because the interval is not valid to run or this is disabled, value: {}",
 appConfiguration.getBackchannelRequestsProcessorJobIntervalSec());
 }
 }
diff --git a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
index 42866d18a1..d821a77a0c 100644
--- a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
+++ b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
@@ -50,6 +50,8 @@
 import java.util.Arrays;
 import java.util.Date;

+import static org.gluu.oxauth.model.ciba.BackchannelAuthenticationErrorResponseType.INVALID_REQUEST;
+
 /**
 * Provides interface for token REST web services
 *
@@ -108,6 +110,9 @@ public class TokenRestWebServiceImpl implements TokenRestWebService {
 @Inject
 private DeviceAuthorizationService deviceAuthorizationService;

+ @Inject
+ private Boolean isCibaEnabled;
+
 @Override
 public Response requestAccessToken(String grantType, String code,
 String redirectUri, String username, String password, String scope,
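Review bot: The widened warning in `initCibaRequestsProcessor` now covers two causes, CIBA disabled or a non-positive interval, but still prints only the interval, so an operator reading the log cannot tell which condition stopped the job. Logging both inputs removes the guesswork: `log.warn("Ciba requests processor hasn't been started because CIBA is disabled or the interval is not valid to run, cibaEnabled: {}, interval: {}", appConfiguration.getCibaEnabled(), appConfiguration.getBackchannelRequestsProcessorJobIntervalSec());`. When CIBA is intentionally switched off nothing is wrong, so that branch arguably belongs at info rather than warn level.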
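Review bot: The new `@Inject private Boolean isCibaEnabled;` field in the second TokenRestWebServiceImpl hunk is never read — the check added later in `requestAccessToken` uses `appConfiguration.getCibaEnabled()` — and no producer for an unqualified `Boolean` is visible in this patch, so unless one exists elsewhere CDI will refuse the deployment with an unsatisfied or ambiguous dependency; the field should be dropped. The static import of `BackchannelAuthenticationErrorResponseType.INVALID_REQUEST` in the first hunk is likewise unused, since the token endpoint reports `TokenErrorResponseType.INVALID_REQUEST`, and should go with it.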
@@ -403,6 +408,11 @@ public Response requestAccessToken(String grantType, String code,
 builder = error(401, TokenErrorResponseType.INVALID_CLIENT, "Invalid user.");
 }
 } else if (gt == GrantType.CIBA) {
+ if (!appConfiguration.getCibaEnabled()) {
+ log.warn("Trying to get CIBA token, however CIBA config is disabled.");
+ return response(error(400, TokenErrorResponseType.INVALID_REQUEST, "Grant types are invalid."), oAuth2AuditLog);
+ }
+
 if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
 return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Grant types are invalid."), oAuth2AuditLog);
 }
diff --git a/persistence-model/src/main/java/org/oxauth/persistence/model/configuration/GluuConfiguration.java b/persistence-model/src/main/java/org/oxauth/persistence/model/configuration/GluuConfiguration.java
index 08949e4d71..e1b490c644 100644
--- a/persistence-model/src/main/java/org/oxauth/persistence/model/configuration/GluuConfiguration.java
+++ b/persistence-model/src/main/java/org/oxauth/persistence/model/configuration/GluuConfiguration.java
@@ -6,9 +6,6 @@

 package org.oxauth.persistence.model.configuration;

-import java.io.Serializable;
-import java.util.List;
-
 import org.gluu.model.SmtpConfiguration;
 import org.gluu.persist.annotation.AttributeName;
 import org.gluu.persist.annotation.DataEntry;
@@ -18,6 +15,9 @@
 import org.gluu.service.cache.CacheConfiguration;
 import org.gluu.service.document.store.conf.DocumentStoreConfiguration;

+import java.io.Serializable;
+import java.util.List;
+
 /**
 * Gluu Configuration
 *
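Review bot: The error returned when CIBA is disabled reuses the message `"Grant types are invalid."` from the `INVALID_GRANT` branch just below it, which misdescribes the condition both to the client and to anyone reading the audit log entry; `return response(error(400, TokenErrorResponseType.INVALID_REQUEST, "CIBA grant type is disabled."), oAuth2AuditLog);` states the actual cause (constructed wording, adjust to the project's message style). Checking the switch before `validateGrantType` is right, since it rejects the grant even for clients registered with it. requestAccessToken continues outside the hunk.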