AuthorizationRequestEndpoint.java revision 5db031755ab3a8762e266f96f5d74832548d330b
/*
* The contents of this file are subject to the terms of the Common Development and
* Distribution License (the License). You may not use this file except in compliance with the
* License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
* specific language governing permission and limitations under the License.
*
* When distributing Covered Software, include this CDDL Header Notice in each file and include
* the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
* Header, with the fields enclosed by brackets [] replaced by your own identifying
* information: "Portions copyright [year] [name of copyright owner]".
*
* Copyright 2015 ForgeRock AS.
*/
public class AuthorizationRequestEndpoint extends ServerResource {
private final UmaProviderSettingsFactory umaProviderSettingsFactory;
private final TokenStore oauth2TokenStore;
private static final String UNABLE_TO_RETRIEVE_TICKET_MESSAGE = "Unable to retrieve Permission Ticket";
private final OAuth2ProviderSettingsFactory oauth2ProviderSettingsFactory;
private final UmaAuditLogger auditLogger;
private final PendingRequestsService pendingRequestsService;
private final ExtensionFilterManager extensionFilterManager;
private final UmaExceptionHandler exceptionHandler;
/**
* Constructs a new AuthorizationRequestEndpoint
*/
OAuth2ProviderSettingsFactory oauth2ProviderSettingsFactory, OAuth2UrisFactory<RealmInfo> oAuth2UrisFactory,
this.requestFactory = requestFactory;
this.oauth2TokenStore = oauth2TokenStore;
this.oAuth2UrisFactory = oAuth2UrisFactory;
this.auditLogger = auditLogger;
this.claimGatherers = claimGatherers;
this.exceptionHandler = exceptionHandler;
}
@Post
public Representation requestAuthorization(JsonRepresentation entity) throws BadRequestException, UmaException,
try {
} finally {
}
} else {
try {
if (verifyPendingRequestDoesNotAlreadyExist(resourceSetId, resourceOwnerId, permissionTicket.getRealm(),
"The client is not authorised to access the requested resource set");
} else {
}
throw new UmaException(403, UmaConstants.NOT_AUTHORISED_ERROR_CODE, "Failed to create pending request");
}
throw newRequestSubmittedException();
}
}
private void validatePermissionTicketHolder(UmaTokenStore umaTokenStore, PermissionTicket permissionTicket)
if (hasExpired(permissionTicket)) {
throw new UmaException(400, UmaConstants.EXPIRED_TICKET_ERROR_CODE, "The permission ticket has expired");
}
if (ticketClientClientId == null) {
//Permission Ticket has already been used by different client!
//Best delete all RPTs gained via this Permission Ticket!
}
}
private void revokeInvalidRpts(UmaTokenStore umaTokenStore, Collection<RequestingPartyToken> invalidRpts,
}
if (logger.isErrorEnabled()) {
}
throw new UmaException(400, UmaConstants.INVALID_TICKET_ERROR_CODE, "The permission ticket is invalid");
}
}
if (claimGatherer == null) {
continue;
}
if (requestingPartyId != null) {
return requestingPartyId;
}
}
}
// Cannot rely on AAT for requesting party if trust elevation is required
throw newNeedInfoException(oAuth2Uris);
}
// Default to using AAT
return getAuthorisationApiToken().getResourceOwnerId();
}
throws NotFoundException, ServerException {
}
}
private boolean verifyPendingRequestDoesNotAlreadyExist(String resourceSetId, String resourceOwnerId,
if (!pendingRequests.isEmpty()) {
throw newRequestSubmittedException();
}
}
}
return false;
}
private UmaException newRequestSubmittedException() {
"The client is not authorised to access the requested resource set. A request has "
+ "been submitted to the resource owner requesting access to the resource");
}
throws NotFoundException, UmaException {
return resourceSetDescription.getResourceOwnerId();
}
}
private boolean isEntitled(UmaProviderSettings umaProviderSettings, OAuth2ProviderSettings oauth2ProviderSettings,
try {
}
resourceOwnerSubject = UmaUtils.createSubject(createIdentity(results.iterator().next().getResourceOwnerId(), realm));
} catch (NotFoundException e) {
throw new ServerException("Couldn't find resource that permission ticket is registered for");
}
// Implicitly grant access to the resource owner
return true;
}
}
}
}
return isAuthorized;
}
}
for (RequestAuthorizationFilter filter : extensionFilterManager.getFilters(RequestAuthorizationFilter.class)) {
}
}
private void afterAuthorization(boolean isAuthorized, PermissionTicket permissionTicket, Subject requestingParty,
for (RequestAuthorizationFilter filter : extensionFilterManager.getFilters(RequestAuthorizationFilter.class)) {
if (isAuthorized) {
} else {
}
}
}
}
private Representation createJsonRpt(UmaTokenStore umaTokenStore, PermissionTicket permissionTicket)
throws ServerException, NotFoundException {
return new JacksonRepresentation<>(response);
}
try {
} catch (NotFoundException e) {
}
}
if (!invalidRpts.isEmpty()) {
//This can never happen as revokeInvalidRpts is guarenteed to throw an UmaException
return null;
} else {
throw new UmaException(400, UmaConstants.INVALID_TICKET_ERROR_CODE, UNABLE_TO_RETRIEVE_TICKET_MESSAGE);
}
}
}
try {
} catch (Exception e) {
throw new BadRequestException(UNABLE_TO_RETRIEVE_TICKET_MESSAGE);
}
throw new BadRequestException(UNABLE_TO_RETRIEVE_TICKET_MESSAGE);
}
return ticketId;
}
try {
} catch (InvalidGrantException e) {
throw new ServerException("Unable to verify client identity.");
} catch (NotFoundException e) {
throw new ServerException(e.getMessage());
}
}
return Collections.emptyMap();
}
try {
}
return Collections.emptyMap();
} catch (JSONException e) {
throw new BadRequestException(e.getMessage());
}
}
private ResourceSetDescription getResourceSet(String resourceSetId, OAuth2ProviderSettings providerSettings)
throws UmaException {
try {
throw new UmaException(400, "invalid_resource_set_id", "Could not fing Resource Set, " + resourceSetId);
}
} catch (ServerException e) {
}
}
}