Merge branch 'releases/2.6.2'

Author: fhanik

docs/UAA-APIs.rst

@@ -240,6 +240,45 @@ URI.
 * ``curl -v -H "Accept:application/json" "http://localhost:8080/uaa/oauth/authorize?response_type=code&client_id=app&scope=password.write&redirect_uri=http%3A%2F%2Fwww.example.com%2Fcallback" --cookie cookies.txt --cookie-jar cookies.txt``
 * ``curl -v -H "Accept:application/json" http://localhost:8080/uaa/oauth/authorize -d "scope.0=scope.password.write&user_oauth_approval=true" --cookie cookies.txt --cookie-jar cookies.txt``
 
+API Authorization Requests Code: ``GET /oauth/authorize`` (non standard /oauth/authorize)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+* Request: ``GET /oauth/authorize``
+* Request Parameters:
+
+  * ``client_id=some_valid_client_id``
+  * ``scope=``
+  * ``response_type=code``
+  * ``redirect_uri`` - optional if the client has a redirect URI already registered.
+  * ``state`` - any random string - will be returned in the Location header as a query parameter
+
+* Request Header:
+
+  * Authorization: Bearer <token containing uaa.user scope> - the authentication for this user
+
+* Response Header: Containing the code::
+
+        HTTP/1.1 302 Found
+        Location: https://www.cloudfoundry.example.com?code=F45jH&state=<your state>
+        or in case of error
+        Location: https://www.cloudfoundry.example.com?error=<error code>
+
+* Response Codes::
+
+        302 - Found
+
+*Notes about this API*
+
+* The client must have autoapprove=true, or you will not get a code back
+* If the client doesn't have a redirect_uri registered, it is an required parameter of the request
+* The token must have scope "uaa.user" in order for this request to succeed
+
+*Sample curl commands for this flow*
+
+*
+
+
 Client Obtains Token: ``POST /oauth/token``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

gradle.properties

@@ -1 +1 @@
-version=2.6.1
+version=2.6.2

uaa/src/main/webapp/WEB-INF/spring/oauth-clients.xml

@@ -64,7 +64,7 @@
                             <entry key="id" value="cf" />
                             <entry key="authorized-grant-types" value="implicit,password,refresh_token" />
                             <entry key="scope"
-                                value="cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,cloud_controller.admin,scim.read,scim.write" />
+                                value="uaa.user,cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,cloud_controller.admin,scim.read,scim.write" />
                             <entry key="authorities" value="uaa.none" />
                             <entry key="autoapprove" value="true" />
                         </map>

uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml

@@ -124,6 +124,21 @@
         <csrf disabled="true"/>
     </http>
 
+    <!-- Version of the /authorize endpoint for stateless clients such as cf
+         /oauth/authorize Authorization: Bearer <access_token> response_type=code&client_id=<value>&grant_type=authorization_code
+    -->
+    <http name="statelessAuthorizeApiSecurity" request-matcher-ref="oauthAuthorizeApiRequestMatcher" create-session="stateless"
+          entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
+          xmlns="http://www.springframework.org/schema/security" use-expressions="true">
+        <intercept-url pattern="/**" access="#oauth2.hasScope('uaa.user')" />
+        <custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
+        <custom-filter ref="resourceAgnosticAuthenticationFilter" position="PRE_AUTH_FILTER" />
+        <access-denied-handler ref="oauthAccessDeniedHandler" />
+        <expression-handler ref="oauthWebExpressionHandler" />
+        <anonymous enabled="false" />
+        <csrf disabled="true"/>
+    </http>
+
     <bean id="clientAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
         <constructor-arg ref="clientAuthenticationManager" />
         <constructor-arg ref="basicAuthenticationEntryPoint" />
@@ -180,6 +195,22 @@
         </property>
     </bean>
 
+    <bean id="oauthAuthorizeApiRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
+        <constructor-arg value="/oauth/authorize" />
+        <property name="headers">
+            <map>
+                <entry key="Authorization" value="bearer "  />
+            </map>
+        </property>
+        <property name="parameters">
+            <map>
+                <entry key="response_type" value="code" />
+                <entry key="client_id" value="" />
+            </map>
+        </property>
+    </bean>
+
+
     <bean id="authzAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.AuthzAuthenticationFilter">
         <constructor-arg ref="zoneAwareAuthzAuthenticationManager" />
         <property name="parameterNames">

uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/OpenIdTokenAuthorizationWithApprovalIntegrationTests.java

@@ -215,15 +215,18 @@ private String doOpenIdHybridFlowIdTokenAndReturnCode(Set<String> responseTypes,
         String clientSecret = resource.getClientSecret();
         String uri = serverRunning.getUrl("/oauth/authorize?response_type={response_type}&"+
             "state={state}&client_id={client_id}&redirect_uri={redirect_uri}");
+        headers.remove("Authorization");
+        RestTemplate restTemplate = serverRunning.createRestTemplate();
 
-        ResponseEntity<Void> result = serverRunning.getForResponse(
-            uri,
-            headers,
+        ResponseEntity<Void> result = restTemplate.exchange(uri,
+            HttpMethod.GET,
+            new HttpEntity<Void>(null, headers),
+            Void.class,
             responseType,
             state,
             clientId,
-            redirectUri
-        );
+            redirectUri);
+
         assertEquals(HttpStatus.FOUND, result.getStatusCode());
         String location = UriUtils.decode(result.getHeaders().getLocation().toString(), "UTF-8");
 
@@ -260,7 +263,11 @@ private String doOpenIdHybridFlowIdTokenAndReturnCode(Set<String> responseTypes,
         }
 
         location = UriUtils.decode(result.getHeaders().getLocation().toString(), "UTF-8");
-        response = serverRunning.getForString(location, headers);
+        //response = serverRunning.getForString(location, headers);
+        response = restTemplate.exchange(location,
+            HttpMethod.GET,
+            new HttpEntity<>(null,headers),
+            String.class);
         if (response.getStatusCode() == HttpStatus.OK) {
             // The grant access page should be returned
             assertTrue(response.getBody().contains("Application Authorization</h1>"));

uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/ScimGroupEndpointsIntegrationTests.java

@@ -49,6 +49,7 @@
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -468,14 +469,16 @@ private OAuth2AccessToken getAccessTokenWithPassword(String clientId, String cli
         return accessToken;
     }
 
-    private OAuth2AccessToken getAccessToken(String clientId, String clientSecret, String username, String password) {
+    private OAuth2AccessToken getAccessToken(String clientId, String clientSecret, String username, String password) throws URISyntaxException {
         HttpHeaders headers = new HttpHeaders();
         headers.setAccept(Arrays.asList(MediaType.TEXT_HTML, MediaType.ALL));
 
         URI uri = serverRunning.buildUri("/oauth/authorize").queryParam("response_type", "code")
                         .queryParam("state", "mystateid").queryParam("client_id", clientId)
                         .queryParam("redirect_uri", "http://anywhere.com").build();
-        ResponseEntity<Void> result = serverRunning.getForResponse(uri.toString(), headers);
+        ResponseEntity<Void> result = serverRunning.createRestTemplate().exchange(
+            uri.toString(), HttpMethod.GET, new HttpEntity<>(null, headers),
+            Void.class);
         assertEquals(HttpStatus.FOUND, result.getStatusCode());
         String location = result.getHeaders().getLocation().toString();
 
@@ -511,7 +514,11 @@ private OAuth2AccessToken getAccessToken(String clientId, String clientSecret, S
             }
         }
 
-        response = serverRunning.getForString(result.getHeaders().getLocation().toString(), headers);
+        response = serverRunning.createRestTemplate().exchange(
+            new URI(result.getHeaders().getLocation().toString()),
+            HttpMethod.GET,
+            new HttpEntity<>(null,headers),
+            String.class);
         if (response.getStatusCode() == HttpStatus.OK) {
             // The grant access page should be returned
             assertTrue(response.getBody().contains("<h1>Application Authorization</h1>"));

uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ImplicitGrantIT.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -56,7 +56,7 @@ public class ImplicitGrantIT {
 
     @Autowired
     TestAccounts testAccounts;
-    
+
     @Autowired @Rule
     public IntegrationTestRule integrationTestRule;
 
@@ -107,11 +107,12 @@ public void testDefaultScopes() throws Exception {
 
         String[] scopes = UriUtils.decode(params.getFirst("scope"), "UTF-8").split(" ");
         Assert.assertThat(Arrays.asList(scopes), containsInAnyOrder(
-                "scim.userids",
-                "password.write",
-                "cloud_controller.write",
-                "openid",
-                "cloud_controller.read"
+            "scim.userids",
+            "password.write",
+            "cloud_controller.write",
+            "openid",
+            "cloud_controller.read",
+            "uaa.user"
         ));
 
         Jwt access_token = JwtHelper.decode(params.getFirst("access_token"));
@@ -127,7 +128,7 @@ public void testDefaultScopes() throws Exception {
         Assert.assertThat(((List<String>) claims.get("scope")), containsInAnyOrder(scopes));
 
         Assert.assertThat(((List<String>) claims.get("aud")), containsInAnyOrder(
-                "scim", "openid", "cloud_controller", "password", "cf"));
+                "scim", "openid", "cloud_controller", "password", "cf", "uaa"));
     }
 
     @Test

uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OpenIdTokenGrantsIT.java

@@ -152,11 +152,12 @@ public void testImplicitGrant() throws Exception {
 
         String[] scopes = UriUtils.decode(params.getFirst("scope"), "UTF-8").split(" ");
         Assert.assertThat(Arrays.asList(scopes), containsInAnyOrder(
-                "scim.userids",
-                "password.write",
-                "cloud_controller.write",
-                "openid",
-                "cloud_controller.read"
+            "scim.userids",
+            "password.write",
+            "cloud_controller.write",
+            "openid",
+            "cloud_controller.read",
+            "uaa.user"
         ));
 
         validateToken("access_token", params.toSingleValueMap(), scopes);
@@ -177,7 +178,7 @@ private void validateToken(String paramName, Map params, String[] scopes) throws
         Assert.assertThat(((List<String>) claims.get("scope")), containsInAnyOrder(scopes));
 
         Assert.assertThat(((List<String>) claims.get("aud")), containsInAnyOrder(
-                "scim", "openid", "cloud_controller", "password", "cf"));
+                "scim", "openid", "cloud_controller", "password", "cf", "uaa"));
     }
 
     @Test
@@ -216,7 +217,8 @@ public void testPasswordGrant() throws Exception {
             "password.write",
             "cloud_controller.write",
             "openid",
-            "cloud_controller.read"
+            "cloud_controller.read",
+            "uaa.user"
         ));
 
         validateToken("access_token", params, scopes);

uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/util/IntegrationTestUtils.java

@@ -433,7 +433,9 @@ public static Map<String,String> getAuthorizationCodeTokenMap(ServerRunning serv
         URI uri = serverRunning.buildUri("/oauth/authorize").queryParam("response_type", "code")
             .queryParam("state", "mystateid").queryParam("client_id", resource.getClientId())
             .queryParam("redirect_uri", resource.getPreEstablishedRedirectUri()).build();
-        ResponseEntity<Void> result = serverRunning.getForResponse(uri.toString(), headers);
+        ResponseEntity<Void> result = serverRunning.createRestTemplate().exchange(
+            uri.toString(),HttpMethod.GET, new HttpEntity<>(null,headers),
+            Void.class);
         assertEquals(HttpStatus.FOUND, result.getStatusCode());
         String location = result.getHeaders().getLocation().toString();
 
@@ -473,7 +475,11 @@ public static Map<String,String> getAuthorizationCodeTokenMap(ServerRunning serv
             }
         }
 
-        response = serverRunning.getForString(result.getHeaders().getLocation().toString(), headers);
+        response = serverRunning.createRestTemplate().exchange(
+            result.getHeaders().getLocation().toString(),HttpMethod.GET, new HttpEntity<>(null,headers),
+            String.class);
+
+
         if (response.getStatusCode() == HttpStatus.OK) {
             // The grant access page should be returned
             assertTrue(response.getBody().contains("<h1>Application Authorization</h1>"));

uaa/src/test/java/org/cloudfoundry/identity/uaa/login/PasscodeMockMvcTests.java

@@ -141,7 +141,7 @@ public void testLoginUsingPasscodeWithSamlToken() throws Exception {
         assertNotNull(accessToken.get("access_token"));
         assertNotNull(accessToken.get("refresh_token"));
         String[] scopes = ((String) accessToken.get("scope")).split(" ");
-        assertThat(Arrays.asList(scopes), containsInAnyOrder("scim.userids", "password.write", "cloud_controller.write", "openid", "cloud_controller.read"));
+        assertThat(Arrays.asList(scopes), containsInAnyOrder("uaa.user", "scim.userids", "password.write", "cloud_controller.write", "openid", "cloud_controller.read"));
 
         Authentication authentication = captureSecurityContextFilter.getAuthentication();
         assertNotNull(authentication);
@@ -206,7 +206,7 @@ public void testLoginUsingPasscodeWithUaaToken() throws Exception {
         assertNotNull(accessToken.get("access_token"));
         assertNotNull(accessToken.get("refresh_token"));
         String[] scopes = ((String) accessToken.get("scope")).split(" ");
-        assertThat(Arrays.asList(scopes), containsInAnyOrder("scim.userids", "password.write", "cloud_controller.write", "openid", "cloud_controller.read"));
+        assertThat(Arrays.asList(scopes), containsInAnyOrder("uaa.user", "scim.userids", "password.write", "cloud_controller.write", "openid", "cloud_controller.read"));
 
         Authentication authentication = captureSecurityContextFilter.getAuthentication();
         assertNotNull(authentication);

uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java

@@ -19,6 +19,7 @@
 import org.cloudfoundry.identity.uaa.client.ClientConstants;
 import org.cloudfoundry.identity.uaa.config.PasswordPolicy;
 import org.cloudfoundry.identity.uaa.mock.InjectedMockContextTest;
+import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
 import org.cloudfoundry.identity.uaa.oauth.Claims;
 import org.cloudfoundry.identity.uaa.oauth.token.SignerProvider;
 import org.cloudfoundry.identity.uaa.oauth.token.UaaTokenServices;
@@ -87,6 +88,8 @@
 import java.util.UUID;
 
 import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.stringContainsInOrder;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThat;
@@ -388,6 +391,61 @@ public void testClientIdentityProviderRestrictionForPasswordGrant() throws Excep
             .andExpect(status().isOk());
     }
 
+    @Test
+    public void test_Oauth_Authorize_API_Endpoint() throws Exception {
+        String clientId = "testclient"+new RandomValueStringGenerator().generate();
+        String scopes = "openid,uaa.user,scim.me";
+        setUpClients(clientId, "", scopes, "authorization_code", true);
+        String username = "testuser"+new RandomValueStringGenerator().generate();
+        String userScopes = "";
+        setUpUser(username, userScopes, Origin.UAA, IdentityZoneHolder.get().getId());
+
+        String cfAccessToken = MockMvcUtils.utils().getUserOAuthAccessToken(
+            getMockMvc(),
+            "cf",
+            "",
+            username,
+            SECRET,
+            ""
+        );
+
+        String state = new RandomValueStringGenerator().generate();
+
+        MockHttpServletRequestBuilder oauthTokenPost = get("/oauth/authorize")
+            .header("Authorization", "Bearer " + cfAccessToken)
+            .param(OAuth2Utils.RESPONSE_TYPE, "code")
+            .param(OAuth2Utils.SCOPE, "")
+            .param(OAuth2Utils.STATE, state)
+            .param(OAuth2Utils.CLIENT_ID, clientId);
+
+        MvcResult result = getMockMvc().perform(oauthTokenPost).andExpect(status().is3xxRedirection()).andReturn();
+        String location = result.getResponse().getHeader("Location");
+        assertNotNull("Location must be present", location);
+        assertThat("Location must have a code parameter.", location, containsString("code="));
+        URL url = new URL(location);
+        Map query = splitQuery(url);
+        assertNotNull(query.get("code"));
+        String code = ((List<String>) query.get("code")).get(0);
+        assertNotNull(code);
+
+        String body = getMockMvc().perform(post("/oauth/token")
+            .header("Authorization", "Basic " + new String(Base64.encode((clientId + ":" + SECRET).getBytes())))
+            .accept(MediaType.APPLICATION_JSON)
+            .param(OAuth2Utils.RESPONSE_TYPE, "token")
+            .param(OAuth2Utils.GRANT_TYPE, "authorization_code")
+            .param(OAuth2Utils.CLIENT_ID, clientId)
+            .param("code", code))
+            .andExpect(status().isOk())
+            .andReturn().getResponse().getContentAsString();
+
+        assertNotNull("Token body must not be null.", body);
+        assertThat(body, stringContainsInOrder(Arrays.asList("access_token", "refresh_token")));
+        Map<String,Object> map = JsonUtils.readValue(body, new TypeReference<Map<String,Object>>() {});
+        String accessToken = (String) map.get("access_token");
+        OAuth2Authentication token = tokenServices.loadAuthentication(accessToken);
+        assertTrue("Must have uaa.user scope", token.getOAuth2Request().getScope().contains("uaa.user"));
+    }
+
     @Test
     public void testOpenIdTokenHybridFlowWithNoImplicitGrantWhenLenient() throws Exception {
         uaaAuthorizationEndpoint.setFallbackToAuthcode(true);