/**
* Copyright (c) 2011-2014, OpenIoT
*
* This library is free software; you can redistribute it and/or
* modify it either under the terms of the GNU Lesser General Public
* License version 2.1 as published by the Free Software Foundation
* (the "LGPL"). If you do not alter this
* notice, a recipient may use your version of this file under the LGPL.
*
* You should have received a copy of the LGPL along with this library
* in the file COPYING-LGPL-2.1; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY
* OF ANY KIND, either express or implied. See the LGPL for
* the specific language governing rights and limitations.
*
* Contact: OpenIoT mailto: info@openiot.eu
*/
package org.openiot.security.oauth.lsm;
import java.io.IOException;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.services.ServicesManager;
import org.jasig.cas.support.oauth.OAuthConstants;
import org.jasig.cas.support.oauth.profile.CasWrapperProfile;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.openiot.lsm.security.oauth.mgmt.Permission;
import org.openiot.lsm.security.oauth.mgmt.Role;
import org.openiot.lsm.security.oauth.mgmt.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractController;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonGenerator;
/**
* This controller returns the roles and permissions associated with the roles for the requesting
* client
*
* @author Mehdi Riahi
*/
public final class LSMOAuth20PermissionController extends AbstractController {
private static Logger log = LoggerFactory.getLogger(LSMOAuth20PermissionController.class);
private static final String MISSING_CLIENT_ID = "missing_clientId";
private static final String NONEXISTENT_CLIENT_ID = "nonexisting_clientId";
public static final String ERROR = "error";
public static final String CALLER_ACCESS_TOKEN = "caller_access_token";
public static final String CALLER_CLIENT_ID = "caller_client_id";
public static final String USER_ACCESS_TOKEN = "user_access_token";
public static final String USER_CLIENT_ID = "user_client_id";
public static final String TARGET_CLIENT_ID = "target_client_id";
public static final String PERMISSION_NAME = "ext:retrieve_permissions";
private final ServicesManager servicesManager;
private final TicketRegistry ticketRegistry;
private LSMOAuthManager manager = LSMOAuthManager.getInstance();
public LSMOAuth20PermissionController(final ServicesManager servicesManager, final TicketRegistry ticketRegistry) {
this.servicesManager = servicesManager;
this.ticketRegistry = ticketRegistry;
}
@Override
protected ModelAndView handleRequestInternal(final HttpServletRequest request, final HttpServletResponse response) throws Exception {
final String clientId = request.getParameter(OAuthConstants.CLIENT_ID);
log.debug("clientId : {}", clientId);
final String accessToken = request.getParameter(OAuthConstants.ACCESS_TOKEN);
log.debug("accessToken : {}", accessToken);
final String callerClientId = request.getParameter(CALLER_CLIENT_ID);
log.debug("callerClientId : {}", callerClientId);
final String callerAccessToken = request.getParameter(CALLER_ACCESS_TOKEN);
log.debug("callerAccessToken : {}", callerAccessToken);
final String userClientId = request.getParameter(USER_CLIENT_ID);
log.debug("userClientId : {}", userClientId);
final String userAccessToken = request.getParameter(USER_ACCESS_TOKEN);
log.debug("userAccessToken : {}", userAccessToken);
final String targetClientId = request.getParameter(TARGET_CLIENT_ID);
log.debug("targetClientId : {}", targetClientId);
response.setContentType("application/json");
// accessToken is required
if (StringUtils.isBlank(accessToken)) {
log.error("missing accessToken");
writeErrorMessage(response, OAuthConstants.MISSING_ACCESS_TOKEN);
return null;
}
// clientId is required
if (StringUtils.isBlank(clientId)) {
log.error("missing clientId");
writeErrorMessage(response, MISSING_CLIENT_ID);
return null;
}
// userToken is required
if (StringUtils.isBlank(userAccessToken)) {
log.error("missing user accessToken");
writeErrorMessage(response, "missing_userAccessToken");
return null;
}
// target clientId is required
if (StringUtils.isBlank(targetClientId)) {
log.error("missing target clientId");
writeErrorMessage(response, MISSING_CLIENT_ID + "for_target");
return null;
}
// caller accessToken and clientId are required if one of them is provided
if (!StringUtils.isBlank(callerAccessToken) || !StringUtils.isBlank(callerClientId)) {
if (StringUtils.isBlank(callerAccessToken)) {
log.error("missing caller accessToken");
writeErrorMessage(response, "missing_callerAccessToken");
return null;
} else if (StringUtils.isBlank(callerClientId)) {
log.error("missing caller clientId");
writeErrorMessage(response, "missing_callerClientId");
return null;
}
}
// get ticket granting ticket
final TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) this.ticketRegistry.getTicket(accessToken);
if (ticketGrantingTicket == null || ticketGrantingTicket.isExpired()) {
log.error("expired accessToken : {}", accessToken);
writeErrorMessage(response, OAuthConstants.EXPIRED_ACCESS_TOKEN);
return null;
}
// get ticket granting ticket for the user
final TicketGrantingTicket userTicketGrantingTicket;
if (StringUtils.equals(accessToken, userAccessToken))
userTicketGrantingTicket = ticketGrantingTicket;
else {
userTicketGrantingTicket = (TicketGrantingTicket) this.ticketRegistry.getTicket(userAccessToken);
if (userTicketGrantingTicket == null || userTicketGrantingTicket.isExpired()) {
log.error("expired user accessToken : {}", userAccessToken);
writeErrorMessage(response, OAuthConstants.EXPIRED_ACCESS_TOKEN + "_for_user");
return null;
}
}
// Retrieve all registered services
final Collection<RegisteredService> services = servicesManager.getAllServices();
// If called accessToken and clientId are provided, check their validity
if (!StringUtils.isBlank(callerAccessToken)) {
// get ticket granting ticket for the caller
final TicketGrantingTicket callerTicketGrantingTicket = (TicketGrantingTicket) this.ticketRegistry.getTicket(callerAccessToken);
if (callerTicketGrantingTicket == null || callerTicketGrantingTicket.isExpired()) {
log.error("expired accessToken : {}", callerAccessToken);
writeErrorMessage(response, OAuthConstants.EXPIRED_ACCESS_TOKEN + "_for_caller");
return null;
}
// name of the CAS service for caller
RegisteredService callerService = null;
for (final RegisteredService aService : services) {
if (StringUtils.equals(aService.getName(), callerClientId)) {
callerService = aService;
break;
}
}
if (callerService == null) {
log.error("nonexistent caller clientId : {}", callerClientId);
writeErrorMessage(response, NONEXISTENT_CLIENT_ID + "for_caller");
return null;
}
}
// if user clienId is provided, check its validity
if (!StringUtils.isBlank(userClientId)) {
RegisteredService userService = null;
for (final RegisteredService aService : services) {
if (StringUtils.equals(aService.getName(), userClientId)) {
userService = aService;
break;
}
}
if (userService == null) {
log.error("nonexistent clientId : {}", userClientId);
writeErrorMessage(response, NONEXISTENT_CLIENT_ID + "_for_user");
return null;
}
}
// check validity of clientId
RegisteredService service = null;
for (final RegisteredService aService : services) {
if (StringUtils.equals(aService.getName(), clientId)) {
service = aService;
break;
}
}
if (service == null) {
log.error("nonexistent clientId : {}", clientId);
writeErrorMessage(response, NONEXISTENT_CLIENT_ID);
return null;
}
// check validity of target clientId
RegisteredService targetService = null;
for (final RegisteredService aService : services) {
if (StringUtils.equals(aService.getName(), targetClientId)) {
targetService = aService;
break;
}
}
if (targetService == null) {
log.error("nonexistent target clientId : {}", clientId);
writeErrorMessage(response, NONEXISTENT_CLIENT_ID + "for_target");
return null;
}
// TODO: check if the TGT is granted to the client?!
// final TicketGrantingTicket rawTicket =
// ((AbstractDistributedTicketRegistry.TicketGrantingTicketDelegator)ticketGrantingTicket).getTicket();
// final Field servicesField =
// rawTicket.getClass().getDeclaredField("services");
// servicesField.setAccessible(true);
// HashMap<String, Service> servicesMap = new HashMap<String,
// Service>();
// servicesMap = (HashMap<String, Service>)
// servicesField.get(rawTicket);
// log.error("ServiceMaps is empty ? {}", servicesMap.isEmpty());
// for(Map.Entry<String, Service> entry : servicesMap.entrySet()){
// AbstractWebApplicationService webAppService =
// (AbstractWebApplicationService) entry.getValue();
// log.error("Service for ticket {} is {}", rawTicket.getId(),
// webAppService.getId());
// }
// if (!servicesMap.containsKey(service.getId()) ||
// !servicesMap.get(service.getId()).equals(service)) {
// log.error("Ticket is not granted to client : {}", clientId);
// jsonGenerator.writeStartObject();
// jsonGenerator.writeStringField("error", TICKET_NOT_GRANTED);
// jsonGenerator.writeEndObject();
// jsonGenerator.close();
// response.flushBuffer();
// return null;
// }
// Check if the caller has permission for retrieving permission information
if (!targetClientId.equals(clientId)) {
final Principal principal = ticketGrantingTicket.getAuthentication().getPrincipal();
if (!isPermitted(principal.getId(), targetService.getId())) {
log.error("[{} from {}] is not permitted to retrieve permission information on [{}]", principal.getId(), clientId, targetClientId);
writeErrorMessage(response, "permission_denied");
return null;
}
}
final JsonFactory jsonFactory = new JsonFactory();
final JsonGenerator jsonGenerator = jsonFactory.createJsonGenerator(response.getWriter());
final Principal principal = userTicketGrantingTicket.getAuthentication().getPrincipal();
final Map<String, Set<String>> permissions = extractPermissions(targetService.getId(), principal.getId());
jsonGenerator.writeStartObject();
jsonGenerator.writeStringField(CasWrapperProfile.ID, principal.getId());
jsonGenerator.writeArrayFieldStart("role_permissions");
for (final String roleName : permissions.keySet()) {
jsonGenerator.writeStartObject();
jsonGenerator.writeArrayFieldStart(roleName);
for (final String permission : permissions.get(roleName))
jsonGenerator.writeString(permission);
jsonGenerator.writeEndArray();
jsonGenerator.writeEndObject();
}
jsonGenerator.writeEndArray();
jsonGenerator.writeEndObject();
jsonGenerator.close();
response.flushBuffer();
return null;
}
private void writeErrorMessage(HttpServletResponse response, String message) throws IOException {
final JsonFactory jsonFactory = new JsonFactory();
final JsonGenerator jsonGenerator = jsonFactory.createJsonGenerator(response.getWriter());
jsonGenerator.writeStartObject();
jsonGenerator.writeStringField("error", message);
jsonGenerator.writeEndObject();
jsonGenerator.close();
response.flushBuffer();
}
private Map<String, Set<String>> extractPermissions(Long serviceId, String username) {
Map<String, Set<String>> rolePermissions = new HashMap<String, Set<String>>();
final User user = manager.getUserByUsername(username);
final List<Role> roles = user.getRoles();
for (Role role : roles) {
if (role.getServiceId().equals(serviceId)) {
Set<String> set = new HashSet<String>();
final List<Permission> permissionForService = role.getPermissions();
if (permissionForService != null) {
for (Permission perm : permissionForService)
set.add(perm.getName());
}
rolePermissions.put(role.getName(), set);
}
}
return rolePermissions;
}
private boolean isPermitted(String username, Long targetServiceId) {
final User user = manager.getUserByUsername(username);
final List<Role> roles = user.getRoles();
boolean permitted = false;
for (Role role : roles) {
if (!permitted && role.getServiceId().equals(targetServiceId)) {
final List<Permission> permissionForService = role.getPermissions();
if (permissionForService != null) {
for (Permission perm : permissionForService)
if ("*".equals(perm.getName()) || PERMISSION_NAME.equals(perm.getName())) {
permitted = true;
break;
}
}
}
}
return permitted;
}
static void setLogger(final Logger aLogger) {
log = aLogger;
}
}