Repository: cxf-fediz Updated Branches: refs/heads/master 167455bbe -> 86f7a5eb6
[FEDIZ-172] Enforcing the oidc scope at the Fediz data provider level Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/86f7a5eb Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/86f7a5eb Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/86f7a5eb Branch: refs/heads/master Commit: 86f7a5eb68d56363ee919235ba94c52ca1e5fdaf Parents: 167455b Author: Sergey Beryozkin <[email protected]> Authored: Thu Jul 28 21:27:32 2016 +0300 Committer: Sergey Beryozkin <[email protected]> Committed: Thu Jul 28 21:27:32 2016 +0300 ---------------------------------------------------------------------- .../service/oidc/OAuthDataProviderImpl.java | 23 +++++++++++++++++--- .../src/main/webapp/WEB-INF/data-manager.xml | 2 -- 2 files changed, 20 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/86f7a5eb/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java ----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
index 7c37cc2..ff34955 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
@@ -19,10 +19,15 @@
 package org.apache.cxf.fediz.service.oidc;
 
 import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
 
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider {
 
@@ -30,10 +35,12 @@ public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider {
 
 @Override
 public Client getClient(String clientId) {
+ //TODO: push most of this code into the abstract class
 Client client = super.getClient(clientId);
 if (client != null || checkOnlyRegisteredClients) {
 return client;
 }
+
 String grantType = (String)getMessageContext().get(OAuthConstants.GRANT_TYPE);
 if (OAuthConstants.CLIENT_CREDENTIALS_GRANT.equals(grantType)) {
 // Pre-registering the OAuth2 Client representations for
@@ -46,15 +53,25 @@ public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider {
 } else {
 Principal p = super.getMessageContext().getSecurityContext().getUserPrincipal();
 if (clientId.equals(p.getName())) {
- // Client was already authenticated with Servlet Security
- // or CXF (JAAS/etc) filters
- return new Client(clientId, null, true);
+ Client c = new Client(clientId, null, true);
+ c.setAllowedGrantTypes(Collections.singletonList(OAuthConstants.CLIENT_CREDENTIALS_GRANT));
+ return c;
 }
 }
 }
 return null;
 }
 
+ @Override
+ public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScopes) {
+ //TODO: push this code into the abstract class
+ if (!client.getAllowedGrantTypes().contains(OAuthConstants.CLIENT_CREDENTIALS_GRANT)
+ && !requestedScopes.contains(OidcUtils.OPENID_SCOPE)) {
+ throw new OAuthServiceException("Required scopes are missing");
+ }
+ return super.convertScopeToPermissions(client, requestedScopes);
+ }
+
 protected Client authenticateClient(String clientId, String clientSecret) {
 // If the authentication is successful:
 // return new Client(clientId, clientSecret, true)
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/86f7a5eb/services/oidc/src/main/webapp/WEB-INF/data-manager.xml ----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
index 5640443..0fd539a 100644
--- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
@@ -60,8 +60,6 @@ init-method="init" destroy-method="close">
 <!-- List of accepted scopes --> <property name="supportedScopes" ref="supportedScopes"/>
- <!-- List of required scopes -->
- <property name="requiredScopes" ref="coreScopes"/>
 <!-- List of scopes that the consent/authorization form should make selected by default. For example, asking a user to do an extra click
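Review bot: The openid-scope requirement in the new convertScopeToPermissions is skipped for any client whose allowed grant types merely contain client_credentials, so a registered client returned by super.getClient that lists client_credentials alongside authorization_code or implicit is never required to request `openid` in its code or implicit flows, even though the exemption looks intended only for the dynamically built client in getClient, which gets a singleton list. Narrowing the condition to `client.getAllowedGrantTypes().size() == 1 && client.getAllowedGrantTypes().contains(OAuthConstants.CLIENT_CREDENTIALS_GRANT)`, or keying it on the grant actually being exercised rather than on what the client is allowed to use, would keep the bypass to clients that can only do client credentials. Since this check stands in for the `requiredScopes` property that the same commit removes from data-manager.xml, a short comment on the method saying that it now enforces the `openid` scope in code for every non-client-credentials client, so that the configuration no longer does, would save the next reader from looking for the old property; the existing TODO can stay beneath it.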
