Merge pull request #26 from mgeiss/develop
token minification
mgeiss committed Aug 9, 2017
2 parents c4ec8b4 + f908884 commit 2b8d42744cf451221aefbd98e30b8d0da7e8b890
Showing 4 changed files with 34 additions and 15 deletions.
@@ -2,6 +2,7 @@
.idea
build/
target/
out/

# Ignore Gradle GUI config
gradle-app.setting
@@ -14,6 +14,7 @@
* limitations under the License.
*/

import com.google.common.collect.Sets;
import io.mifos.anubis.api.v1.client.Anubis;
import io.mifos.anubis.api.v1.domain.*;
import io.mifos.anubis.test.v1.SystemSecurityEnvironment;
@@ -89,9 +90,9 @@ public void testPermissionsCorrectInAdminToken() throws InterruptedException {

final Set<TokenPermission> expectedTokenPermissions = new HashSet<>();
Collections.addAll(expectedTokenPermissions,
new TokenPermission("identity-v1/permittablegroups/*", Collections.singleton(AllowedOperation.CHANGE)),
new TokenPermission("identity-v1/roles/*", Collections.singleton(AllowedOperation.DELETE)),
new TokenPermission("identity-v1/users/*", Collections.singleton(AllowedOperation.READ)));
new TokenPermission("identity-v1/permittablegroups/*", Sets.newHashSet(AllowedOperation.CHANGE, AllowedOperation.DELETE, AllowedOperation.READ)),
new TokenPermission("identity-v1/roles/*", Sets.newHashSet(AllowedOperation.CHANGE, AllowedOperation.DELETE, AllowedOperation.READ)),
new TokenPermission("identity-v1/users/*", Sets.newHashSet(AllowedOperation.CHANGE, AllowedOperation.DELETE, AllowedOperation.READ)));
//This is not a complete list. This is a spot check.

Assert.assertTrue("Expected: " + expectedTokenPermissions + "\nActual: " + tokenPermissions,
@@ -141,8 +142,9 @@ public void testPermissionsCorrectInTokenWhenMultiplePermittableGroupsInRole() t
Collections.addAll(expectedTokenPermissions,
new TokenPermission(horusEndpoint.getPath(), Collections.singleton(AllowedOperation.READ)),
new TokenPermission(maatEndpoint.getPath(), Collections.singleton(AllowedOperation.READ)),
new TokenPermission("identity-v1/users/{useridentifier}/password", Collections.singleton(AllowedOperation.CHANGE)),
new TokenPermission("identity-v1/users/{useridentifier}/permissions", Collections.singleton(AllowedOperation.READ)),
new TokenPermission("identity-v1/users/{useridentifier}/password",
Sets.newHashSet(AllowedOperation.READ, AllowedOperation.CHANGE, AllowedOperation.DELETE)),
new TokenPermission("identity-v1/users/{useridentifier}/permissions", Sets.newHashSet(AllowedOperation.READ)),
new TokenPermission("identity-v1/token/_current", Collections.singleton(AllowedOperation.DELETE)));

Assert.assertTrue("Expected: " + expectedTokenPermissions + "\nActual: " + tokenPermissions,
@@ -15,6 +15,7 @@
*/
package io.mifos.identity.internal.command.handler;

import com.google.common.collect.Sets;
import com.google.gson.Gson;
import io.mifos.anubis.api.v1.domain.AllowedOperation;
import io.mifos.anubis.api.v1.domain.TokenContent;
@@ -267,16 +268,31 @@ private AuthenticationCommandResponse getAuthenticationResponse(
tokenPermissions = getApplicationTokenPermissions(user, sourceApplicationName, callEndpointSet);
}

final HashSet<TokenPermission> minifiedTokenPermissions = new HashSet<>(
tokenPermissions
.stream()
.collect(Collectors.toMap(TokenPermission::getPath,
tokenPermission -> tokenPermission,
(currentTokenPermission, newTokenPermission) -> {
newTokenPermission.getAllowedOperations()
.forEach(allowedOperation -> currentTokenPermission.getAllowedOperations().add(allowedOperation));
return currentTokenPermission;
})
)
.values()
);


logger.info("Access token for tenant '{}', user '{}', application '{}', and callEndpointSet '{}' being returned containing the permissions '{}'.",
TenantContextHolder.identifier().orElse("null"),
user.getIdentifier(),
sourceApplicationName,
callEndpointSet.orElse("null"),
tokenPermissions.toString());
minifiedTokenPermissions.toString());

final TokenSerializationResult accessToken = getAuthenticationResponse(
user.getIdentifier(),
tokenPermissions,
minifiedTokenPermissions,
privateSignature,
sourceApplicationName);

@@ -474,10 +490,10 @@ private Set<TokenPermission> identityEndpointsForEveryUser() {

ret.add(new TokenPermission(
applicationName + "/applications/*/permissions/*/users/{useridentifier}/enabled",
AllowedOperation.ALL));
Sets.newHashSet(AllowedOperation.READ, AllowedOperation.CHANGE, AllowedOperation.DELETE)));
ret.add(new TokenPermission(
applicationName + "/users/{useridentifier}/permissions",
Collections.singleton(AllowedOperation.READ)));
Sets.newHashSet(AllowedOperation.READ)));

return ret;
}
@@ -487,10 +503,10 @@ private Set<TokenPermission> identityEndpointsAllowedEvenWithExpiredPassword() {

ret.add(new TokenPermission(
applicationName + "/users/{useridentifier}/password",
Collections.singleton(AllowedOperation.CHANGE)));
Sets.newHashSet(AllowedOperation.READ, AllowedOperation.CHANGE, AllowedOperation.DELETE)));
ret.add(new TokenPermission(
applicationName + "/token/_current",
Collections.singleton(AllowedOperation.DELETE)));
Sets.newHashSet(AllowedOperation.DELETE)));

return ret;
}
@@ -520,9 +536,9 @@ private boolean isAllowed(final PermittableType permittable, final PermissionTyp
}

private TokenPermission getTokenPermission(final PermittableType permittable) {
return new TokenPermission(
permittable.getPath(),
Collections.singleton(RoleMapper.mapAllowedOperation(AllowedOperationType.fromHttpMethod(permittable.getMethod()))));
final HashSet<AllowedOperation> allowedOperations = new HashSet<>();
allowedOperations.add(RoleMapper.mapAllowedOperation(AllowedOperationType.fromHttpMethod(permittable.getMethod())));
return new TokenPermission(permittable.getPath(), allowedOperations);
}

private TokenSerializationResult getRefreshToken(final UserEntity user,
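Review bot: The merge function passed to `Collectors.toMap` (`newTokenPermission.getAllowedOperations().forEach(allowedOperation -> currentTokenPermission.getAllowedOperations().add(allowedOperation))`) mutates the operation set of a permission object produced by `identityEndpointsForEveryUser`, `identityEndpointsAllowedEvenWithExpiredPassword` or the application-permission path instead of building a new one. That only works because this same commit replaces every `Collections.singleton` with a mutable set, and if any of those `TokenPermission` instances were ever reused across calls (cached, static, or shared between users) the merged operations would accumulate from one token into the next; whether that happens today is not visible in the hunk. Constructing the merged permission fresh removes the dependency on the mutability and ownership of the inputs, as sketched below. The enclosing `getAuthenticationResponse` method begins before the hunk. Separately, the grant on the `/users/{useridentifier}/password` path in `identityEndpointsAllowedEvenWithExpiredPassword` widens from CHANGE to READ, CHANGE and DELETE for users whose password has expired; a short comment stating why READ and DELETE are needed there would help the next reader judge that grant.
```java
final HashSet<TokenPermission> minifiedTokenPermissions = new HashSet<>(
    tokenPermissions
        .stream()
        .collect(Collectors.toMap(TokenPermission::getPath,
            tokenPermission -> tokenPermission,
            (currentTokenPermission, newTokenPermission) -> {
              // Merge into a new set so neither input permission is modified in place.
              final Set<AllowedOperation> mergedOperations =
                  new HashSet<>(currentTokenPermission.getAllowedOperations());
              mergedOperations.addAll(newTokenPermission.getAllowedOperations());
              return new TokenPermission(currentTokenPermission.getPath(), mergedOperations);
            }))
        .values());
// … unchanged: logging and the getAuthenticationResponse call …
```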
@@ -83,7 +83,7 @@
@RequestMapping(value= PathConstants.IDENTIFIER_RESOURCE_STRING, method = RequestMethod.GET,
consumes = {MediaType.ALL_VALUE},
produces = {MediaType.APPLICATION_JSON_VALUE})
@Permittable(AcceptedTokenType.TENANT)
@Permittable(value = AcceptedTokenType.TENANT, groupId = PermittableGroupIds.ROLE_MANAGEMENT)
public @ResponseBody ResponseEntity<Role> get(@PathVariable(PathConstants.IDENTIFIER_PATH_VARIABLE) final String identifier)
{
return new ResponseEntity<>(checkIdentifier(identifier), HttpStatus.OK);
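Review bot: The new `groupId = PermittableGroupIds.ROLE_MANAGEMENT` on the role `get` handler changes who may call this endpoint, yet the PR title and description say only "token minification" and nothing in the hunk records the intent. Presumably the annotation without a groupId left the endpoint outside any permittable group, so this grouping tightens or at least redefines access; it is worth confirming that callers who read roles today hold the role-management group before this ships. A one-line comment above the annotation, `// Reading a role is part of the role-management permittable group.`, would make the intent explicit for the next reader. The `get` method's body continues past the hunk.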
