Skip to content

Commit

Permalink
Fix scope matching which affects device code flow (#649)
Browse files Browse the repository at this point in the history
  • Loading branch information
rmiccoli authored and enricovianello committed Sep 20, 2023
1 parent 2e76048 commit 686416c
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 10 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ public IamSystemScopeService(ScopeMatcherRegistry matcherRegistry) {
public boolean scopesMatch(Set<String> allowedScopes, Set<String> requestedScopes) {

Set<ScopeMatcher> allowedScopeMatchers =
requestedScopes.stream().map(scopeMatcherRegistry::findMatcherForScope).collect(toSet());
allowedScopes.stream().map(scopeMatcherRegistry::findMatcherForScope).collect(toSet());

for (String rs : requestedScopes) {
if (allowedScopeMatchers.stream().noneMatch(m -> m.matches(rs))) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;

import java.io.UnsupportedEncodingException;
import java.util.Optional;
import java.util.Set;

import org.junit.Test;
import org.junit.runner.RunWith;
Expand All @@ -47,6 +49,7 @@

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Sets;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
Expand Down Expand Up @@ -433,7 +436,7 @@ public void deviceCodeWorksForDynamicallyRegisteredClient()

RegisteredClientDTO registrationResponse =
objectMapper.readValue(clientJson, RegisteredClientDTO.class);

ClientDetailsEntity newClient =
clientRepo.findByClientId(registrationResponse.getClientId()).orElseThrow();

Expand Down Expand Up @@ -559,6 +562,13 @@ public void deviceCodeWorksForDynamicallyRegisteredClient()
@Test
public void publicClientDeviceCodeWorks() throws Exception {

Optional<ClientDetailsEntity> client = clientRepo.findByClientId(PUBLIC_DEVICE_CODE_CLIENT_ID);
Set<String> scopes = Sets.newHashSet();
scopes.add("openid");
scopes.add("profile");
if (client.isPresent()) {
client.get().setScope(scopes);
}
String deviceResponse = mvc
.perform(post(DEVICE_CODE_ENDPOINT).contentType(APPLICATION_FORM_URLENCODED)
.param("client_id", PUBLIC_DEVICE_CODE_CLIENT_ID)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,13 @@
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;

import java.util.Optional;
import java.util.Set;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.SystemScope;
import org.mitre.oauth2.service.SystemScopeService;
import org.springframework.beans.factory.annotation.Autowired;
Expand All @@ -44,8 +48,10 @@

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Sets;

import it.infn.mw.iam.IamLoginService;
import it.infn.mw.iam.persistence.repository.client.IamClientRepository;
import it.infn.mw.iam.test.oauth.EndpointsTestUtils;
import it.infn.mw.iam.test.util.annotation.IamMockMvcIntegrationTest;

Expand All @@ -67,6 +73,9 @@ public class StructuredScopeRequestIntegrationTests extends EndpointsTestUtils
@Autowired
private ObjectMapper mapper;

@Autowired
private IamClientRepository clientRepo;

@Before
public void setup() throws Exception {
SystemScope storageReadScope = new SystemScope("storage.read:/");
Expand Down Expand Up @@ -124,6 +133,17 @@ public void testIntrospectionResponse() throws Exception {

@Test
public void testDeviceCodeStructuredScopeRequest() throws Exception {

Optional<ClientDetailsEntity> client = clientRepo.findByClientId(DEVICE_CODE_CLIENT_ID);
Set<String> scopes = Sets.newHashSet();
scopes.add("storage.read:/");
scopes.add("openid");
scopes.add("profile");
scopes.add("offline_access");
if (client.isPresent()) {
client.get().setScope(scopes);
}

String response = mvc
.perform(post(DEVICE_CODE_ENDPOINT).contentType(APPLICATION_FORM_URLENCODED)
.with(httpBasic(DEVICE_CODE_CLIENT_ID, DEVICE_CODE_CLIENT_SECRET))
Expand Down Expand Up @@ -243,11 +263,11 @@ public void testDeviceCodeStructuredScopeRequest() throws Exception {
public void testRefreshTokenStructuredScopeRequest() throws Exception {

DefaultOAuth2AccessToken tokenResponse = new AccessTokenGetter().grantType(PASSWORD_GRANT_TYPE)
.clientId(PASSWORD_CLIENT_ID)
.clientSecret(PASSWORD_CLIENT_SECRET)
.username(TEST_USERNAME)
.password(TEST_PASSWORD)
.scope("openid storage.read:/ offline_access")
.clientId(PASSWORD_CLIENT_ID)
.clientSecret(PASSWORD_CLIENT_SECRET)
.username(TEST_USERNAME)
.password(TEST_PASSWORD)
.scope("openid storage.read:/ offline_access")
.getTokenResponseObject();

assertThat(tokenResponse.getScope(), hasItem("storage.read:/"));
Expand All @@ -260,9 +280,8 @@ public void testRefreshTokenStructuredScopeRequest() throws Exception {
.andExpect(status().isOk())
.andExpect(jsonPath("$.access_token").exists())
.andExpect(jsonPath("$.refresh_token").exists())
.andExpect(jsonPath("$.scope",
allOf(containsString("storage.read:/test "), containsString("offline_access"),
containsString("openid"))));
.andExpect(jsonPath("$.scope", allOf(containsString("storage.read:/test "),
containsString("offline_access"), containsString("openid"))));

}
}

0 comments on commit 686416c

Please sign in to comment.