Filter scope before device consent page
rmiccoli committed Aug 1, 2024
1 parent 1289b67 commit 256a43a
Showing 1 changed file with 20 additions and 11 deletions.
Expand Up @@ -64,6 +64,7 @@
import it.infn.mw.iam.api.account.AccountUtils;
import it.infn.mw.iam.api.client.service.ClientService;
import it.infn.mw.iam.api.common.NoSuchAccountError;
import it.infn.mw.iam.core.oauth.scope.pdp.ScopePolicyPDP;
import it.infn.mw.iam.persistence.model.IamAccount;
import static it.infn.mw.iam.core.oauth.IamUserApprovalHandler.OIDC_AGENT_PREFIX_NAME;

Expand Down Expand Up @@ -103,6 +104,9 @@ public class IamDeviceEndpointController {
@Autowired
private ApprovedSiteService approvedSiteService;

@Autowired
private ScopePolicyPDP pdp;

@RequestMapping(value = "/" + URL, method = RequestMethod.POST,
consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE,
produces = MediaType.APPLICATION_JSON_VALUE)
Expand Down Expand Up @@ -175,20 +179,20 @@ public String requestDeviceCode(@RequestParam("client_id") String clientId,
@RequestMapping(value = "/" + USER_URL, method = RequestMethod.GET)
public String requestUserCode(
@RequestParam(value = "user_code", required = false) String userCode, ModelMap model,
HttpSession session) {
HttpSession session, Authentication authn) {

if (!config.isAllowCompleteDeviceCodeUri() || userCode == null) {
return REQUEST_USER_CODE_STRING;
} else {

return readUserCode(userCode, model, session);
return readUserCode(userCode, model, session, authn);
}
}

@PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping(value = "/" + USER_URL + "/verify", method = RequestMethod.POST)
public String readUserCode(@RequestParam("user_code") String userCode, ModelMap model,
HttpSession session) {
HttpSession session, Authentication authn) {

DeviceCode dc = deviceCodeService.lookUpByUserCode(userCode);

Expand All @@ -212,7 +216,10 @@ public String readUserCode(@RequestParam("user_code") String userCode, ModelMap
model.put("client", client);
model.put("dc", dc);

sortScopesForApproval(dc, model);
IamAccount account = accountUtils.getAuthenticatedUserAccount(authn)
.orElseThrow(() -> NoSuchAccountError.forUsername(authn.getName()));

sortScopesForApproval(dc, model, account);

AuthorizationRequest authorizationRequest =
oAuth2RequestFactory.createAuthorizationRequest(dc.getRequestParameters());
Expand Down Expand Up @@ -257,17 +264,17 @@ public String approveDevice(@RequestParam("user_code") String userCode,

deviceCodeService.approveDeviceCode(dc, o2Auth);

sortScopesForApproval(dc, model);
IamAccount account = accountUtils.getAuthenticatedUserAccount(auth)
.orElseThrow(() -> NoSuchAccountError.forUsername(auth.getName()));

sortScopesForApproval(dc, model, account);

model.put("approved", true);

Date timeout = null;
approvedSiteService.createApprovedSite(client.getClientId(), auth.getName(), timeout,
dc.getScope());

IamAccount account = accountUtils.getAuthenticatedUserAccount(auth)
.orElseThrow(() -> NoSuchAccountError.forUsername(auth.getName()));

if (client.getClientName().startsWith(OIDC_AGENT_PREFIX_NAME)) {
clientService.linkClientToAccount(client, account);
}
Expand All @@ -283,20 +290,22 @@ private void checkAuthzGrant(ClientDetailsEntity client) {
}
}

private void sortScopesForApproval(DeviceCode dc, ModelMap model) {
private void sortScopesForApproval(DeviceCode dc, ModelMap model, IamAccount account) {

Set<SystemScope> scopes = scopeService.fromStrings(dc.getScope());

Set<SystemScope> sortedScopes = new LinkedHashSet<>(scopes.size());
Set<SystemScope> systemScopes = scopeService.getAll();

Set<String> filteredScopes = pdp.filterScopes(scopeService.toStrings(scopes), account);

for (SystemScope s : systemScopes) {
if (scopes.contains(s)) {
if (scopeService.fromStrings(filteredScopes).contains(s)) {
sortedScopes.add(s);
}
}

sortedScopes.addAll(Sets.difference(scopes, systemScopes));
sortedScopes.addAll(Sets.difference(scopeService.fromStrings(filteredScopes), systemScopes));

model.put("scopes", sortedScopes);

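Review bot: In approveDevice the PDP-filtered scope set reaches only the model, while `deviceCodeService.approveDeviceCode(dc, o2Auth)` above it and `approvedSiteService.createApprovedSite(client.getClientId(), auth.getName(), timeout, dc.getScope())` below still use the unfiltered `dc.getScope()`, so the scopes shown on the consent page can differ from the scopes recorded as approved; unless the PDP is re-applied at token issuance (not visible in this diff), the filtered set should be what is approved and persisted, and the same display-only filtering applies in readUserCode in the preceding hunk. On the requestUserCode GET path, readUserCode is reached by a plain self-invocation, so its @PreAuthorize proxy check does not run; if that path admits an unauthenticated request, `authn` is null and `authn.getName()` inside the orElseThrow lambda raises a NullPointerException instead of NoSuchAccountError, so a `Objects.requireNonNull(authn, "authn")` or an explicit guard before the lookup would keep the failure mode clear. In sortScopesForApproval, `scopeService.fromStrings(filteredScopes)` is recomputed on every iteration of the loop over systemScopes and once more for the Sets.difference call; compute it once, `Set<SystemScope> filtered = scopeService.fromStrings(filteredScopes);`, and use `filtered` in both places. sortScopesForApproval's closing brace lies outside the hunk.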
