TokenAuthServerResource.java

/**
 * Copyright 2005-2014 Restlet
 * 
 * The contents of this file are subject to the terms of one of the following
 * open source licenses: Apache 2.0 or or EPL 1.0 (the "Licenses"). You can
 * select the license that you prefer but you may not use this file except in
 * compliance with one of these Licenses.
 * 
 * You can obtain a copy of the Apache 2.0 license at
 * http://www.opensource.org/licenses/apache-2.0
 * 
 * You can obtain a copy of the EPL 1.0 license at
 * http://www.opensource.org/licenses/eclipse-1.0
 * 
 * See the Licenses for the specific language governing permissions and
 * limitations under the Licenses.
 * 
 * Alternatively, you can obtain a royalty free commercial license with less
 * limitations, transferable or non-transferable, directly at
 * http://restlet.com/products/restlet-framework
 * 
 * Restlet is a registered trademark of Restlet S.A.S.
 */

package org.restlet.ext.oauth;

import org.json.JSONObject;
import org.restlet.data.Protocol;
import org.restlet.data.Status;
import org.restlet.ext.json.JsonRepresentation;
import org.restlet.ext.oauth.internal.Scopes;
import org.restlet.ext.oauth.internal.ServerToken;
import org.restlet.ext.oauth.internal.Token;
import org.restlet.representation.Representation;
import org.restlet.resource.Post;
import org.restlet.resource.ResourceException;

/**
 * Token "Authenticate" Resource for internal use.
 * 
 * @author Shotaro Uchida <fantom@xmaker.mx>
 */
public class TokenAuthServerResource extends OAuthServerResource {

    public static final String LOCAL_ACCESS_ONLY = "localOnly";

    @Post("json")
    public Representation authenticate(Representation input) throws Exception {
        getLogger().fine("In Authenticate resource");

        if (isLocalAcessOnly()) { // Check that protocol = RIAP
            String scheme = getOriginalRef().getScheme();

            if (!Protocol.RIAP.getSchemeName().equals(scheme)) {
                throw new ResourceException(Status.CLIENT_ERROR_BAD_REQUEST,
                        "Auth server only allows local resource validation");
            }
        }

        JSONObject call = new JsonRepresentation(input).getJsonObject();

        if (!call.has(TOKEN_TYPE)) {
            throw new OAuthException(OAuthError.invalid_request,
                    "No token_type", null);
        }
        String tokenType = call.getString(TOKEN_TYPE);

        final Token token;
        if (tokenType.equals(OAuthServerResource.TOKEN_TYPE_BEARER)) {
            token = tokens.validateToken(call.get(ACCESS_TOKEN).toString());
        }/*
          * else if (tokenType.equals(OAuthServerResource.TOKEN_TYPE_MAC)) { //
          * TODO }
          */else {
            throw new OAuthException(OAuthError.invalid_request,
                    "Unsupported token_type", null);
        }

        JSONObject resp = new JSONObject();
        resp.put(USERNAME, ((ServerToken) token).getUsername());
        resp.put(SCOPE, Scopes.toString(token.getScope()));

        return new JsonRepresentation(resp);
    }

    @Override
    protected void doCatch(Throwable t) {
        final OAuthException oex = OAuthException.toOAuthException(t);
        // XXX: Generally, we only communicate with TokenVerifier. So we don't
        // need HTTP 400 code.
        // getResponse().setStatus(Status.CLIENT_ERROR_BAD_REQUEST);
        getResponse().setStatus(Status.SUCCESS_OK);
        getResponse().setEntity(responseErrorRepresentation(oex));
    }

    private boolean isLocalAcessOnly() {
        String lo = (String) getContext().getAttributes()
                .get(LOCAL_ACCESS_ONLY);
        return (lo != null) && (lo.length() > 0) && Boolean.parseBoolean(lo);
    }
}