4.0 RC2 check-in

ncsa-security-common/ncsa-security-util/src/main/java/edu/uiuc/ncsa/security/util/functor/JFunctorFactory.java

@@ -194,7 +194,7 @@ public JFunctor fromJSON(JSONObject rawJson) {
         }
         JFunctor ff = figureOutFunctor(rawJson);
         if (ff == null) {
-            throw new NotImplementedException("Error: not an implemented functor");
+            throw new NotImplementedException("Error: \"" + rawJson + "\" is not an implemented functor");
         }
         addArgs(ff, rawJson);
         return ff;

ncsa-security-common/ncsa-security-util/src/main/java/edu/uiuc/ncsa/security/util/functor/LogicBlock.java

@@ -15,35 +15,45 @@
 
 /**
  * This class contains a {@link JFunctor} if-then-else block. You supply a JSONObject, this parses it
- * into its correct elements at runtime.
+ * into its correct elements at runtime. You may also use this as a utility to create such blocks by creating the
+ * if then else blcks, setting them and invoking the {@link #toJSON()} method.
  * <p>Created by Jeff Gaynor<br>
  * on 2/27/18 at  4:33 PM
  */
 public class LogicBlock {
+    public LogicBlock(jIf ifBlock, jThen thenBlock, jElse elseBlock) {
+        this.ifBlock = ifBlock;
+        this.thenBlock = thenBlock;
+        this.elseBlock = elseBlock;
+    }
+
     jIf ifBlock;
 
     /**
      * The consequent is either the hten or else block, depending on the antecedent (the if block). If this has not
      * executed, then null is returned.
+     *
      * @return
      */
-    public jThen getConsequent(){
-        if(!isExecuted()){
+    public jThen getConsequent() {
+        if (!isExecuted()) {
             return null;
         }
-        if(isIfTrue()){
+        if (isIfTrue()) {
             return thenBlock;
         }
         return elseBlock;
     }
+
     public jElse getElseBlock() {
         return elseBlock;
     }
 
     public jThen getThenBlock() {
         return thenBlock;
     }
-    public jIf getIfBlock(){
+
+    public jIf getIfBlock() {
         return ifBlock;
     }
 
@@ -167,6 +177,7 @@ public ArrayList<Object> getResults() {
     ArrayList<Object> results = new ArrayList<>();
 
     boolean executed = false;
+
     public void execute() {
         initialize();
 
@@ -189,4 +200,40 @@ public String toString() {
         return json.toString();
 
     }
+
+    public void setIfBlock(jIf ifBlock) {
+        this.ifBlock = ifBlock;
+    }
+
+    public void setThenBlock(jThen thenBlock) {
+        this.thenBlock = thenBlock;
+    }
+
+    public void setElseBlock(jElse elseBlock) {
+        this.elseBlock = elseBlock;
+    }
+
+    public JSONObject toJSON() {
+        JSONObject jsonObject = new JSONObject();
+        if (ifBlock == null && json!= null) {
+            initialize();
+        }
+        // If it's still null. then there is nothing to do
+        if (ifBlock == null) {
+            return jsonObject;
+        }
+        JSONObject tempIf = ifBlock.toJSON();
+        System.out.println(tempIf);
+        if (thenBlock != null) {
+            JSONObject tempThen = thenBlock.toJSON();
+            System.out.println(tempThen);
+        }
+
+        if (elseBlock != null) {
+            JSONObject tempElse = elseBlock.toJSON();
+            System.out.println(tempElse);
+        }
+
+        return jsonObject;
+    }
 }

ncsa-security-common/ncsa-security-util/src/main/java/edu/uiuc/ncsa/security/util/functor/LogicBlocks.java

@@ -25,7 +25,11 @@ public boolean execute() {
         }
         for (LogicBlock lb : this) {
             lb.execute();
-            getFunctorMap().putAll(lb.getConsequent().getFunctorMap());
+            // It is possible to have a null consequent, e.g. in the case that the conditional
+            // is false and there is no else clause. Only do something if something happened.
+            if(lb.getConsequent() != null) {
+                getFunctorMap().putAll(lb.getConsequent().getFunctorMap());
+            }
         }
         executed = true;
         return executed;

ncsa-security-common/ncsa-security-util/src/main/java/edu/uiuc/ncsa/security/util/functor/logic/jNot.java

@@ -24,7 +24,7 @@ public Object execute() {
         }
         JFunctorImpl ff = (JFunctorImpl) args.get(0);
         ff.execute();
-        boolean rc = getBooleanResult();
+        boolean rc = ff.getBooleanResult();
         rc = !rc;
         result = new Boolean(rc);
         executed = true;

ncsa-security-common/ncsa-security-util/src/test/java/edu/uiuc/ncsa/security/util/JFunctorTest.java

@@ -177,6 +177,19 @@ public void testBadAnd() throws Exception {
         assert !ff.getBooleanResult();
     }
 
+    @Test
+      public void testNot() throws Exception {
+          jNot ff = new jNot();
+
+          jContains jContains = new jContains();
+          jContains.addArg("foo");
+          jContains.addArg("zfoo");
+
+          ff.addArg(jContains);
+          ff.execute();
+          assert !ff.getBooleanResult();
+      }
+
     @Test
     public void testOr() throws Exception {
         jOr ff = new jOr();
@@ -301,6 +314,9 @@ public void testLBCreation() throws Exception {
 
     }
 
+
+
+
     @Test
     public void testDrop() throws Exception {
         jDrop jDrop = new jDrop();

ncsa-security-delegation/ncsa-security-oauth-2.0/src/main/java/edu/uiuc/ncsa/security/oauth_2_0/client/ATServer2.java

@@ -86,7 +86,7 @@ protected ATResponse2 getAccessToken(ATRequest atRequest) {
             }
         }
         JSONObject claims = getAndCheckIDToken(jsonObject, atRequest);
-        if(jsonObject.containsKey(ID_TOKEN)){
+        if (jsonObject.containsKey(ID_TOKEN)) {
             params.put(RAW_ID_TOKEN, jsonObject.getString(ID_TOKEN));
         }
         // and now the specific checks for ID tokens returned by the AT server.
@@ -96,13 +96,17 @@ protected ATResponse2 getAccessToken(ATRequest atRequest) {
 
         params.put(ISSUED_AT, new Date(claims.getLong(ISSUED_AT) * 1000L));
         params.put(SUBJECT, claims.getString(SUBJECT));
-        params.put(AUTHORIZATION_TIME, claims.getLong(AUTHORIZATION_TIME));
+        if (claims.containsKey(AUTHORIZATION_TIME)) {
+            // auth_time claim is optional (unless max_age is returned). At this point we do not do max_age.
+            params.put(AUTHORIZATION_TIME, claims.getLong(AUTHORIZATION_TIME));
+        }
         params.put(ID_TOKEN, claims);
         ATResponse2 atr = createResponse(at, rt);
         atr.setParameters(params);
         return atr;
     }
-    protected ATResponse2 createResponse(AccessToken at, RefreshToken rt){
+
+    protected ATResponse2 createResponse(AccessToken at, RefreshToken rt) {
         return new ATResponse2(at, rt);
     }
 

ncsa-security-delegation/ncsa-security-oauth-2.0/src/main/java/edu/uiuc/ncsa/security/oauth_2_0/client/TokenAwareServer.java

@@ -87,7 +87,11 @@ protected JSONObject getAndCheckIDToken(JSONObject jsonObject, BasicRequest atRe
             throw new GeneralException("Error: Missing id token.");
         }
         claims = JWTUtil.verifyAndReadJWT(jsonObject.getString(ID_TOKEN), keys);
-
+        if(claims.isNullObject()){
+            // the response may be a null object. At this point it means that there was a null
+            // object and that the resulting signature was valid for it, so that is indeed the server response.
+            return new JSONObject();
+        }
         // Now we have to check claims.
         if (!claims.getString(AUDIENCE).equals(atRequest.getClient().getIdentifierString())) {
             throw new GeneralException("Error: Audience is incorrect");

ncsa-security-delegation/ncsa-security-oauth-2.0/src/main/java/edu/uiuc/ncsa/security/oauth_2_0/server/claims/ClaimSource.java

@@ -3,7 +3,8 @@
 import edu.uiuc.ncsa.security.delegation.server.ServiceTransaction;
 import edu.uiuc.ncsa.security.oauth_2_0.UserInfo;
 import edu.uiuc.ncsa.security.oauth_2_0.server.UnsupportedScopeException;
-import edu.uiuc.ncsa.security.oauth_2_0.server.config.JSONConfig;
+import edu.uiuc.ncsa.security.oauth_2_0.server.config.JSONClaimSourceConfig;
+import edu.uiuc.ncsa.security.util.functor.LogicBlocks;
 import net.sf.json.JSONObject;
 
 import javax.servlet.http.HttpServletRequest;
@@ -20,29 +21,35 @@ public interface ClaimSource {
     /**
      * This passes in a {@link JSONObject} that is in turn used to configure the source. It is up to the implementaton
      * to make sense of this.
+     *
      * @param configuration
      */
-    public void setConfiguration(JSONConfig configuration);
+    public void setConfiguration(JSONClaimSourceConfig configuration);
+    public JSONClaimSourceConfig  getConfiguration();
+    public boolean hasConfiguration();
+
     /**
      * A {@link UserInfo} object and the current service transaction are supplied. The contract is that
-     * this handler will receive a UserInfo object with standard information in place for
-     * the request, but may then populate a UserInfo object and return it. Whatever is returned will be
-     * serialized in JSON and returned as the response from the user info request.
-     * @param userInfo
+     * this handler will receive a claims object with standard information in place for
+     * the request, but may then populate a claims object and return it. It is up to the source to
+     * run the pre and post processors before actually invoking the claims.
+     *
+     * @param claims
      * @param transaction
      * @return
      * @throws UnsupportedScopeException
      */
-    public UserInfo process(UserInfo userInfo, ServiceTransaction transaction) throws UnsupportedScopeException;
+    public JSONObject process(JSONObject claims, ServiceTransaction transaction) throws UnsupportedScopeException;
 
-    // Resolves OAUTH-199, pass in servlet request to scope handler.
+    // Resolves OAUTH-199, pass in servlet request to the claim source.
+    public JSONObject process(JSONObject claims, HttpServletRequest request, ServiceTransaction transaction) throws UnsupportedScopeException;
 
-    public UserInfo process(UserInfo userInfo, HttpServletRequest request, ServiceTransaction transaction) throws UnsupportedScopeException;
     public void setScopes(Collection<String> scopes);
 
     /**
-     * A list of scopes that this handler supports. Any scope that is not recognized by this handler should
+     * A list of scopes that this source supports. Any scope that is not recognized by this source should
      * be rejected.
+     *
      * @return
      */
     public Collection<String> getScopes();
@@ -51,9 +58,33 @@ public interface ClaimSource {
      * in order to support server discovery, every plugin must enumerate whatever claims it may
      * serve. This is not a guarantee that all of these claims will be delivered, just that they
      * might be.
+     *
      * @return
      */
     public Collection<String> getClaims();
 
     public boolean isEnabled();
+
+    /**
+     * Whether to run this during the authorization phase or not. That means it will either run in the authorization servlet
+     * or, if there is an external authorization application (e.g. Shibboleth) it will be invoked when the transaction has been created.
+     * The other option is to be invoked immediately before the access token is issued.
+     *
+     * @return
+     */
+    public boolean isRunAtAuthorization();
+
+    /**
+     * This is the preprocessor <b>after</b> it has run. It is not available until execution time since it has to be
+     * constructed on the fly from the current state of the claims.
+     * @return
+     */
+   public LogicBlocks getPreProcessor();
+
+    /**
+     * See comment in {@link #getPreProcessor()}.
+     * @return
+     */
+    public LogicBlocks getPostProcessor();
+
 }

ncsa-security-delegation/ncsa-security-oauth-2.0/src/main/java/edu/uiuc/ncsa/security/oauth_2_0/server/config/ClientConfigurationUtil.java

@@ -11,11 +11,17 @@
  * on 8/30/17 at  3:37 PM
  */
 public class ClientConfigurationUtil {
+    public static final String CLAIM_POST_PROCESSING_KEY = "postProcessing";
+    public static final String CLAIM_PRE_PROCESSING_KEY = "preProcessing";
     public static final String RUNTIME_KEY = "runtime";
     public static void setRuntime(JSONObject config, JSONArray runtime){
              config.put(RUNTIME_KEY, runtime);
       }
 
+      public static boolean hasRuntime(JSONObject config){
+              return !getRuntime(config).isEmpty();
+
+      }
       public static JSONArray getRuntime(JSONObject config){
           if(config.containsKey(RUNTIME_KEY)){
               Object obj = config.get(RUNTIME_KEY);

ncsa-security-delegation/ncsa-security-oauth-2.0/src/main/java/edu/uiuc/ncsa/security/oauth_2_0/server/config/JSONConfig.java → ncsa-security-delegation/ncsa-security-oauth-2.0/src/main/java/edu/uiuc/ncsa/security/oauth_2_0/server/config/JSONClaimSourceConfig.java

@@ -1,16 +1,17 @@
 package edu.uiuc.ncsa.security.oauth_2_0.server.config;
 
+import net.sf.json.JSONArray;
 import net.sf.json.JSONObject;
 
 /**
- * This is a facade for JSON backed POJOs. All components that are configurations should probably
+ * All components that are configurations should probably
  * extend this. That means that there is a JSON object behind the
  * scenes that is used for all attributes and all the implementation does is front that.
  * <p>Created by Jeff Gaynor<br>
  * on 4/16/18 at  2:12 PM
  */
-public abstract class JSONConfig {
-    public JSONConfig(JSONObject jsonObject) {
+public abstract class JSONClaimSourceConfig {
+    public JSONClaimSourceConfig(JSONObject jsonObject) {
         this.jsonObject = jsonObject;
     }
 
@@ -32,5 +33,20 @@ public void fromJSON(JSONObject json) {
         this.jsonObject = json;
     }
 
+
     public abstract String getName();
+
+
+    public abstract JSONArray getPostProcessing();
+
+    public abstract void setPostProcessing(JSONArray postProcessing);
+
+    /**
+     * The <b>raw json</b> for the pre-processing directives. This has to be done this way since the directives
+     * rely on being constructed with the claims at runtime (e.g. for replacement templates).
+     * @return
+     */
+    public abstract JSONArray getPreProcessing();
+
+    public abstract void setPreProcessing(JSONArray preProcessing);
 }