updated to manage authorised redirect URLs

git-svn-id: http://svn.research-infrastructures.eu/public/d4science/gcube/trunk/portlets/user/my-vres@141580 82a268e6-3cf1-43bd-a215-b396298e98cf
Massimiliano Assante 2017-01-15 18:35:31 +00:00
parent 5fec8824b6
commit 38fde43f0e
6 changed files with 36 additions and 47 deletions


@ -5,17 +5,14 @@ public class GetParameters {
String state;
String context;
String clientId;
String clientSecret;
public GetParameters(String redirectURI, String state, String context, String clientId, String clientSecret) {
public GetParameters(String redirectURI, String state, String context, String clientId) {
super();
this.redirectURI = redirectURI;
this.state = state;
this.context = context;
this.clientId = clientId;
this.clientSecret = clientSecret;
}
public String getRedirectURI() {
@ -34,14 +31,10 @@ public class GetParameters {
return clientId;
}
public String getClientSecret() {
return clientSecret;
}
@Override
public String toString() {
return "GetParameters [redirectURI=" + redirectURI + ", state=" + state + ", context=" + context + ", clientId="
+ clientId + ", clientSecret=" + clientSecret + "]";
+ clientId + "]";
}
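Review bot: GetParameters has no Javadoc, and after this change `redirectURI` is the value the server compares against the redirect URLs registered for `clientId`, so its meaning is worth stating on the class rather than leaving it to the callers. Suggest a class comment such as `/** Parameters parsed from the page URL. redirectURI must exactly match a redirect URL registered for clientId in the infrastructure; it replaces the former clientSecret parameter. */`. The rest of the class (the remaining getters) lies outside the hunk.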


@ -49,7 +49,7 @@ public class MyVREs implements EntryPoint {
RootPanel.get("myVREsDIV").add(new VresPanel(params));
}
else {
myVREsService.getUserToken(params.context, params.state, params.clientId, params.clientSecret, new AsyncCallback<AuthorizationBean>() {
myVREsService.getUserToken(params.context, params.state, params.clientId, params.redirectURI, new AsyncCallback<AuthorizationBean>() {
@Override
public void onSuccess(AuthorizationBean result) {
if (result.isSuccess()) {
@ -80,8 +80,7 @@ public class MyVREs implements EntryPoint {
String state = Window.Location.getParameter(GET_STATE_PARAMETER);
String context = Window.Location.getParameter(GET_CONTEXT_PARAMETER);
String clientId = Window.Location.getParameter(GET_CLIENT_ID_PARAMETER);
String clientSecret = Window.Location.getParameter(GET_CLIENT_SECRET_PARAMETER);
return new GetParameters(redirectURI, state, context, clientId, clientSecret);
return new GetParameters(redirectURI, state, context, clientId);
}
}
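Review bot: The second hunk drops the `clientSecret` local but the constant `GET_CLIENT_SECRET_PARAMETER` it referenced is declared outside the hunk; if nothing else reads it, it is now dead and should be removed so a secret-bearing URL parameter is not kept around by name. The `redirectURI` now passed to `getUserToken` is presumably read from `Window.Location` earlier in the same method (outside the hunk) like the other three parameters, so whatever the browser sends reaches the server unchanged; that is acceptable only because MyVREsServiceImpl matches it exactly against the registered list, and the same holds for the identical call in ClickableVRE.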


@ -18,5 +18,5 @@ public interface MyVREsService extends RemoteService {
String getSiteLandingPagePath();
AuthorizationBean getUserToken(String context, String state, String clientId, String clientSecret);
AuthorizationBean getUserToken(String context, String state, String clientId, String authorisedRedirectURL);
}
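Review bot: The new parameter is named `authorisedRedirectURL` here, `authorisedRedirectURI` in MyVREsServiceAsync and `redirectURL` in MyVREsServiceImpl, yet every caller passes the redirect URL requested by the page, not one already known to be authorised — the server decides that. One name across the three declarations, e.g. `String redirectURL`, avoids suggesting the client pre-validated it. getUserToken also has no Javadoc; it should state the contract, e.g. `@param redirectURL the redirect URL requested by the client; must exactly match one registered for clientId in the infrastructure` and `@return an unsuccessful AuthorizationBean carrying a message when any check fails`.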


@ -15,7 +15,7 @@ public interface MyVREsServiceAsync {
void getSiteLandingPagePath(AsyncCallback<String> callback);
void getUserToken(String context, String state, String clientId, String clientSecret,
void getUserToken(String context, String state, String clientId, String authorisedRedirectURI,
AsyncCallback<AuthorizationBean> callback);
}


@ -62,7 +62,7 @@ public class ClickableVRE extends HTML {
if (params != null) {
addClickHandler(new ClickHandler() {
public void onClick(ClickEvent event) {
myVREsService.getUserToken(vre.getContext(), params.getState(), params.getClientId(), params.getClientSecret(), new AsyncCallback<AuthorizationBean>() {
myVREsService.getUserToken(vre.getContext(), params.getState(), params.getClientId(), params.getRedirectURI(), new AsyncCallback<AuthorizationBean>() {
@Override
public void onSuccess(AuthorizationBean result) {
if (result.isSuccess()) {


@ -10,7 +10,6 @@ import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.gcube.common.encryption.StringEncrypter;
import org.gcube.common.portal.GCubePortalConstants;
import org.gcube.common.portal.PortalContext;
import org.gcube.common.resources.gcore.ServiceEndpoint;
@ -51,10 +50,14 @@ public class MyVREsServiceImpl extends RemoteServiceServlet implements MyVREsSer
*
*/
public static final String CACHED_VOS = "CACHED_VRES";
/**
* needed when querying for authorised services in authentication
*/
public static final String REDIRECT_URL = "RedirectURL";
private static final String SERVICE_ENDPOINT_CATEGORY = "OnlineService";
public static final String ADD_MORE_CATEGORY = "Add More";
public static final String ADD_MORE_IMAGE_PATH= "images/More.png";
private static final String SERVICE_ENDPOINT_CATEGORY = "Portal";
@Override
public String getSiteLandingPagePath() {
@ -257,20 +260,25 @@ public class MyVREsServiceImpl extends RemoteServiceServlet implements MyVREsSer
}
@Override
public AuthorizationBean getUserToken(String context, String state, String clientId, String clientSecret) {
public AuthorizationBean getUserToken(String context, String state, String clientId, String redirectURL) {
if (clientId == null || clientId.compareTo("")== 0) {
return new AuthorizationBean(null, null, false, "client_id is null, you MUST register your application to allow users connect with their D4Science Credentials");
}
if (clientSecret == null || clientSecret.compareTo("")== 0) {
return new AuthorizationBean(null, null, false, "client_secret is null, you MUST pass the clientSecret related to your client_id registered application to allow users connect with their D4Science Credentials");
if (redirectURL == null || redirectURL.compareTo("")== 0) {
return new AuthorizationBean(null, null, false, "authorised redirect URL is null, you MUST pass the authorisedRedirectURI related to your client_id registered application to allow users connect with their D4Science Credentials");
}
String registeredClientSecret = getClientSecretFromIs(clientId);
if (registeredClientSecret == null) {
return new AuthorizationBean(null, null, false, "Your client_id ("+ clientId +") is not registered in the infrastructure, you MUST register your client_id to allow users connect with their D4Science Credentials");
}
if (registeredClientSecret.compareTo(clientSecret)!=0) {
return new AuthorizationBean(null, null, false, "The client_secret for clientId ("+ clientId +"), does not match");
List<String> authorisedRedirectURLs = getAuthorisedRedirectURLsFromIs(clientId);
if (authorisedRedirectURLs == null || authorisedRedirectURLs.isEmpty()) {
return new AuthorizationBean(null, null, false, "Your application ("+ clientId + ") is not registered or there are no authorised redirect URLs registered for your application");
}
boolean urlAuthorised = false;
for (String authorisedURL : authorisedRedirectURLs)
if (authorisedURL.compareTo(redirectURL)==0) {
urlAuthorised = true;
break;
}
if (! urlAuthorised)
return new AuthorizationBean(null, null, false, "Invalid redirect URL. This value must match a URL registered with the clientId: " + clientId);
if (state == null || state.compareTo("")== 0) {
return new AuthorizationBean(null, null, false, "State is null, please use a unique string value of your choice that is hard to guess (e.g. state=7d12bf13-111c-4f46-ab06-9e9e08ad377b). Used to prevent CSRF attacks");
}
@ -312,13 +320,13 @@ public class MyVREsServiceImpl extends RemoteServiceServlet implements MyVREsSer
}
//TODO: check the query, it doesn work
private List<ServiceEndpoint> getPortalConfigurationFromIS(String infrastructureName, String gatewayName) throws Exception {
private List<ServiceEndpoint> getPortalConfigurationFromIS(String infrastructureName, String clientId) throws Exception {
String scope = "/" + infrastructureName;
String currScope = ScopeProvider.instance.get();
ScopeProvider.instance.set(scope);
SimpleQuery query = queryFor(ServiceEndpoint.class);
query.addCondition("$resource/Profile/Category/text() eq '"+ SERVICE_ENDPOINT_CATEGORY +"'");
query.addCondition("$resource/Profile/Name/text() eq '"+ gatewayName +"'");
query.addCondition("$resource/Profile/Name/text() eq '"+ clientId +"'");
DiscoveryClient<ServiceEndpoint> client = clientFor(ServiceEndpoint.class);
List<ServiceEndpoint> toReturn = client.submit(query);
ScopeProvider.instance.set(currScope);
@ -330,37 +338,26 @@ public class MyVREsServiceImpl extends RemoteServiceServlet implements MyVREsSer
* @param clientId
* @return the client secret related to the id, or null if non existent
*/
private String getClientSecretFromIs(String clientId) {
private List<String> getAuthorisedRedirectURLsFromIs(String clientId) {
PortalContext pContext = PortalContext.getConfiguration();
String gatewayName = pContext.getGatewayName(getThreadLocalRequest());
String scope = "/"+pContext.getInfrastructureName();
List<String> autRedirectURLs = new ArrayList<>();
try {
List<ServiceEndpoint> list = getPortalConfigurationFromIS(pContext.getInfrastructureName(), gatewayName);
List<ServiceEndpoint> list = getPortalConfigurationFromIS(pContext.getInfrastructureName(), clientId);
if (list.size() > 1) {
_log.error("Too many Service Endpoints having name " + gatewayName +" in this scope having Category " + SERVICE_ENDPOINT_CATEGORY);
_log.error("Too many Service Endpoints having name " + clientId +" in this scope having Category " + SERVICE_ENDPOINT_CATEGORY);
}
else if (list.size() == 0){
_log.warn("There is no Service Endpoint having name " + gatewayName +" and Category " + SERVICE_ENDPOINT_CATEGORY + " in this scope: " + scope);
_log.warn("There is no Service Endpoint having name " + clientId +" and Category " + SERVICE_ENDPOINT_CATEGORY + " in this scope: " + scope);
}
else {
for (ServiceEndpoint res : list) {
Group<AccessPoint> apGroup = res.profile().accessPoints();
AccessPoint[] accessPoints = (AccessPoint[]) apGroup.toArray(new AccessPoint[apGroup.size()]);
for (int i = 0; i < accessPoints.length; i++) {
if (accessPoints[i].name().compareTo(clientId) == 0) {
_log.info("Found credentials for " + clientId);
if (accessPoints[i].name().compareTo(REDIRECT_URL) == 0) {
AccessPoint found = accessPoints[i];
//String thumbnailURL = found.address();
String encrPassword = found.password();
String clientSecret = "";
try {
clientSecret = StringEncrypter.getEncrypter().decrypt( encrPassword);
_log.debug("clientSecret for " + clientId + " found");
return clientSecret;
} catch (Exception e) {
_log.error("Something went wrong while decrypting password for " + clientId);
e.printStackTrace();
}
autRedirectURLs.add(found.address());
}
}
}
@ -369,7 +366,7 @@ public class MyVREsServiceImpl extends RemoteServiceServlet implements MyVREsSer
e.printStackTrace();
return null;
}
return null;
return autRedirectURLs;
}
}
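Review bot: `clientId` is now concatenated unescaped into the discovery query in getPortalConfigurationFromIS at `query.addCondition("$resource/Profile/Name/text() eq '"+ clientId +"'")`, and unlike the server-derived gateway name it replaces, it arrives from the client request (MyVREs reads it from the page URL), so the value can alter the query rather than only the name being compared. Validate its shape before querying, restricted to the character set registered ids actually use, e.g. `if (!clientId.matches("[\\w.:-]+")) return new AuthorizationBean(null, null, false, "client_id has an invalid format");` placed next to the existing null check in getUserToken, or at minimum escape embedded single quotes. In the new loop in getUserToken, `authorisedURL.compareTo(redirectURL)==0` throws NullPointerException when an access point has no address; `redirectURL.equals(authorisedURL)` is null-safe because `redirectURL` was already checked, and the exact match is the right policy here, so keep it rather than any prefix comparison. The Javadoc above getAuthorisedRedirectURLsFromIs still says `@return the client secret related to the id, or null if non existent`; it should now read `@return the redirect URLs registered for the client id (empty when none or more than one endpoint is found, null on IS error)`.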