• Home
• org.cloudfoundry.identity
• cloudfoundry-identity-server
• 4.24.0
• source code
• ApprovalService.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.cloudfoundry.identity.uaa.approval.ApprovalService Maven / Gradle / Ivy

package org.cloudfoundry.identity.uaa.approval;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.util.TimeService;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_PASSWORD;

public class ApprovalService {
    TimeService timeService;
    ApprovalStore approvalStore;
    private final Log logger = LogFactory.getLog(getClass());

    public ApprovalService(TimeService timeService, ApprovalStore approvalStore) {
        this.timeService = timeService;
        this.approvalStore = approvalStore;
    }

    public void ensureRequiredApprovals(String userId,
                                        Collection requestedScopes,
                                        String grantType,
                                        BaseClientDetails clientDetails) {
        Set autoApprovedScopes = getAutoApprovedScopes(grantType, requestedScopes, clientDetails.getAutoApproveScopes());
        if(autoApprovedScopes.containsAll(requestedScopes)) { return; }
        Set approvedScopes = new HashSet<>(autoApprovedScopes);

        List approvals = approvalStore.getApprovals(userId, clientDetails.getClientId(), IdentityZoneHolder.get().getId());
        for (Approval approval : approvals) {
            if (requestedScopes.contains(approval.getScope()) && approval.getStatus() == Approval.ApprovalStatus.APPROVED) {
                if (!approval.isActiveAsOf(timeService.getCurrentDate())) {
                    logger.debug("Approval " + approval + " has expired. Need to re-approve.");
                    throw new InvalidTokenException("Invalid token (approvals expired)");
                }
                approvedScopes.add(approval.getScope());
            }
        }

        if (!approvedScopes.containsAll(requestedScopes)) {
            logger.debug("All requested scopes " + requestedScopes + " were not approved. Approved scopes: " + approvedScopes);
            Set unapprovedScopes = new HashSet<>(requestedScopes);
            unapprovedScopes.removeAll(approvedScopes);
            throw new InvalidTokenException("Invalid token (some requested scopes are not approved): "
                    + unapprovedScopes);
        }
    }

    private Set getAutoApprovedScopes(Object grantType, Collection tokenScopes, Set autoapprovedScopes) {
        // ALL requested scopes are considered auto-approved for password grant
        if (grantType != null && GRANT_TYPE_PASSWORD.equals(grantType.toString())) {
            return new HashSet<>(tokenScopes);
        }
        return UaaTokenUtils.retainAutoApprovedScopes(tokenScopes, autoapprovedScopes);
    }
}