feat(jans-auth-server): removed id_generation_endpoint and other clai…

…ms from discovery response #1827 docs: no docs required
JanssenProject · Jul 22, 2022 · 4068197 · 4068197
1 parent 4cfe53f
commit 4068197
Show file tree

Hide file tree

Showing 7 changed files with 104 additions and 27 deletions.
diff --git a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json
@@ -26,6 +26,12 @@
     "backchannelDeviceRegistrationEndpoint":"https://%(hostname)s/jans-auth/restv1/bc-deviceRegistration",
     "deviceAuthzEndpoint":"https://%(hostname)s/jans-auth/restv1/device_authorization",
     "openidSubAttribute":"inum",
+    "discoveryDenyKeys": [
+        "id_generation_endpoint",
+        "auth_level_mapping",
+        "scope_to_claims_mapping",
+        "op_policy_uri"
+    ],
     "publicSubjectIdentifierPerClientEnabled": true,
     "subjectIdentifiersPerClientSupported": [
         "mail",

diff --git a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json
@@ -26,6 +26,12 @@
     "backchannelDeviceRegistrationEndpoint":"https://%(hostname)s/jans-auth/restv1/bc-deviceRegistration",
     "deviceAuthzEndpoint":"https://%(hostname)s/jans-auth/restv1/device_authorization",
     "openidSubAttribute":"inum",
+    "discoveryDenyKeys": [
+        "id_generation_endpoint",
+        "auth_level_mapping",
+        "scope_to_claims_mapping",
+        "op_policy_uri"
+    ],
     "discoveryAllowedKeys": [
         "issuer",
         "authorization_endpoint",

diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java b/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java
@@ -309,6 +309,7 @@ public class AppConfiguration implements Configuration {
 
     private int discoveryCacheLifetimeInMinutes = 60;
     private List<String> discoveryAllowedKeys;
+    private List<String> discoveryDenyKeys;
 
     private List<String> enabledComponents;
 
@@ -354,6 +355,15 @@ public void setAllowIdTokenWithoutImplicitGrantType(Boolean allowIdTokenWithoutI
         this.allowIdTokenWithoutImplicitGrantType = allowIdTokenWithoutImplicitGrantType;
     }
 
+    public List<String> getDiscoveryDenyKeys() {
+        if (discoveryDenyKeys == null) discoveryDenyKeys = new ArrayList<>();
+        return discoveryDenyKeys;
+    }
+
+    public void setDiscoveryDenyKeys(List<String> discoveryDenyKeys) {
+        this.discoveryDenyKeys = discoveryDenyKeys;
+    }
+
     public List<String> getDiscoveryAllowedKeys() {
         if (discoveryAllowedKeys == null) discoveryAllowedKeys = new ArrayList<>();
         return discoveryAllowedKeys;

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/servlet/OpenIdConfiguration.java b/jans-auth-server/server/src/main/java/io/jans/as/server/servlet/OpenIdConfiguration.java
@@ -111,34 +111,34 @@
 @WebServlet(urlPatterns = "/.well-known/openid-configuration", loadOnStartup = 10)
 public class OpenIdConfiguration extends HttpServlet {
 
-    private static final long serialVersionUID = -8224898157373678903L;
+    private static final long serialVersionUID = -8224898157373678904L;
 
     @Inject
-    private Logger log;
+    private transient Logger log;
 
     @Inject
-    private AppConfiguration appConfiguration;
+    private transient AppConfiguration appConfiguration;
 
     @Inject
-    private AttributeService attributeService;
+    private transient AttributeService attributeService;
 
     @Inject
-    private ScopeService scopeService;
+    private transient ScopeService scopeService;
 
     @Inject
-    private ExternalAuthenticationService externalAuthenticationService;
+    private transient ExternalAuthenticationService externalAuthenticationService;
 
     @Inject
-    private ExternalDynamicScopeService externalDynamicScopeService;
+    private transient ExternalDynamicScopeService externalDynamicScopeService;
 
     @Inject
-    private ExternalDiscoveryService externalDiscoveryService;
+    private transient ExternalDiscoveryService externalDiscoveryService;
 
     @Inject
-    private CIBAConfigurationService cibaConfigurationService;
+    private transient CIBAConfigurationService cibaConfigurationService;
 
     @Inject
-    private LocalResponseCache localResponseCache;
+    private transient LocalResponseCache localResponseCache;
 
     /**
      * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
@@ -148,7 +148,7 @@ public class OpenIdConfiguration extends HttpServlet {
      * @param httpResponse   servlet response
      * @throws IOException
      */
-    @SuppressWarnings("deprecation")
+    @SuppressWarnings({"deprecation", "java:S3776"})
     protected void processRequest(HttpServletRequest servletRequest, HttpServletResponse httpResponse) throws IOException {
         if (!(externalAuthenticationService.isLoaded() && externalDynamicScopeService.isLoaded())) {
             httpResponse.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
@@ -429,7 +429,7 @@ protected void processRequest(HttpServletRequest servletRequest, HttpServletResp
             // CIBA Configuration
             cibaConfigurationService.processConfiguration(jsonObj);
 
-            filterOutKeys(jsonObj);
+            filterOutKeys(jsonObj, appConfiguration);
             localResponseCache.putDiscoveryResponse(jsonObj);
 
             JSONObject clone = new JSONObject(jsonObj.toString());
@@ -445,6 +445,7 @@ protected void processRequest(HttpServletRequest servletRequest, HttpServletResp
         }
     }
 
+    @SuppressWarnings("java:S3776")
     private void addMtlsAliases(JSONObject jsonObj) {
         JSONObject aliases = new JSONObject();
 
@@ -478,23 +479,31 @@ private void addMtlsAliases(JSONObject jsonObj) {
             aliases.put(PAR_ENDPOINT, appConfiguration.getMtlsParEndpoint());
         }
 
-        log.trace("MTLS aliases: " + aliases.toString());
-        if (!aliases.isEmpty())
+        if (log.isTraceEnabled()) {
+            log.trace("MTLS aliases: {}", aliases);
+        }
+        if (!aliases.isEmpty()) {
             jsonObj.put(MTLS_ENDPOINT_ALIASES, aliases);
+        }
     }
 
-    private void filterOutKeys(JSONObject jsonObj) {
-        final List<String> allowedKeys = appConfiguration.getDiscoveryAllowedKeys();
-        if (allowedKeys == null || allowedKeys.isEmpty()) {
-            return; // nothing to filter
+    public static void filterOutKeys(JSONObject jsonObj, AppConfiguration appConfiguration) {
+        final List<String> denyKeys = appConfiguration.getDiscoveryDenyKeys();
+        if (!denyKeys.isEmpty()) {
+            for (String key : new HashSet<>(jsonObj.keySet())) {
+                if (denyKeys.contains(key)) {
+                    jsonObj.remove(key);
+                }
+            }
         }
 
-        for (String key : new HashSet<>(jsonObj.keySet())) {
-            if (allowedKeys.contains(key)) {
-                continue;
+        final List<String> allowedKeys = appConfiguration.getDiscoveryAllowedKeys();
+        if (!allowedKeys.isEmpty()) {
+            for (String key : new HashSet<>(jsonObj.keySet())) {
+                if (!allowedKeys.contains(key)) {
+                    jsonObj.remove(key);
+                }
             }
-
-            jsonObj.remove(key);
         }
     }
 
@@ -514,10 +523,11 @@ private String endpointUrl(String path) {
      * /.well-known/gluu-configuration
      */
     @Deprecated
+    @SuppressWarnings("java:S3776")
     private JSONArray createScopeToClaimsMapping(JSONArray scopesSupported, JSONArray claimsSupported) {
         final JSONArray scopeToClaimMapping = new JSONArray();
-        Set<String> scopes = new HashSet<String>();
-        Set<String> claims = new HashSet<String>();
+        Set<String> scopes = new HashSet<>();
+        Set<String> claims = new HashSet<>();
 
         try {
             for (Scope scope : scopeService.getAllScopesList()) {
@@ -589,8 +599,8 @@ private JSONObject createAuthLevelMapping() {
         final JSONObject mappings = new JSONObject();
         try {
             Map<Integer, Set<String>> map = externalAuthenticationService.levelToAcrMapping();
-            for (Integer level : map.keySet())
-                mappings.put(level.toString(), map.get(level));
+            for (Map.Entry<Integer, Set<String>> entry : map.entrySet())
+                mappings.put(entry.getKey().toString(), entry.getValue());
         } catch (Exception e) {
             log.error(e.getMessage(), e);
         }

diff --git a/jans-auth-server/server/src/test/java/io/jans/as/server/servlet/OpenIdConfigurationTest.java b/jans-auth-server/server/src/test/java/io/jans/as/server/servlet/OpenIdConfigurationTest.java
@@ -0,0 +1,38 @@
+package io.jans.as.server.servlet;
+
+import io.jans.as.model.configuration.AppConfiguration;
+import org.json.JSONObject;
+import org.testng.annotations.Test;
+
+import static org.junit.Assert.assertTrue;
+import static org.testng.AssertJUnit.assertFalse;
+
+/**
+ * @author Yuriy Z
+ */
+public class OpenIdConfigurationTest {
+
+    @Test
+    public void filterOutKeys_whenKeyIsInDentiedList_mustRemoveThemFromJson() {
+        AppConfiguration appConfiguration = new AppConfiguration();
+        appConfiguration.getDiscoveryDenyKeys().add("test");
+
+        JSONObject json = new JSONObject("{\"test\": 1}");
+        assertTrue(json.has("test"));
+
+        OpenIdConfiguration.filterOutKeys(json, appConfiguration);
+        assertFalse(json.has("test"));
+    }
+
+    @Test
+    public void filterOutKeys_whenKeyIsNotInDentiedList_mustNotRemoveThemFromJson() {
+        AppConfiguration appConfiguration = new AppConfiguration();
+        appConfiguration.getDiscoveryDenyKeys().add("testX");
+
+        JSONObject json = new JSONObject("{\"test\": 1}");
+        assertTrue(json.has("test"));
+
+        OpenIdConfiguration.filterOutKeys(json, appConfiguration);
+        assertTrue(json.has("test"));
+    }
+}
diff --git a/jans-auth-server/server/src/test/resources/testng.xml b/jans-auth-server/server/src/test/resources/testng.xml
@@ -16,6 +16,7 @@
 			<class name="io.jans.as.server.service.RedirectionUriServiceTest" />
 			<class name="io.jans.as.server.service.external.ExternalAuthenticationServiceTest" />
 			<class name="io.jans.as.server.token.ws.rs.TokenRestWebServiceValidatorTest" />
+			<class name="io.jans.as.server.servlet.OpenIdConfigurationTest" />
         </classes>
     </test>
 

diff --git a/jans-config-api/docs/jans-config-api-swagger.yaml b/jans-config-api/docs/jans-config-api-swagger.yaml
@@ -4768,6 +4768,12 @@ components:
           items:
             type: string
           example: '\"RS256\", \"RS512\", \"ES384\", \"PS256\"'
+        discoveryDenyKeys:
+          type: array
+            description: List of configuration response claims which must not be displayed in discovery endpoint response.
+            items:
+              type: string
+            example: 'id_generation_endpoint, auth_level_mapping, etc.'
         discoveryAllowedKeys:
           type: array
           description: List of configuration response claim allowed to be displayed in discovery endpoint.