Merge branch 'releases/2.4.1'

Author: fhanik

common/src/main/java/org/cloudfoundry/identity/uaa/UaaConfiguration.java

@@ -94,6 +94,12 @@ public class UaaConfiguration {
     public String LOGIN_SECRET;
     @Valid
     public OAuth multitenant;
+    @Valid
+    public String corsXhrAllowedHeaders;
+    @Valid
+    public String corsXhrAllowedOrigins;
+    @Valid
+    public String corsXhrAllowedUris;
 
     public static class Zones {
         @Valid
@@ -227,6 +233,10 @@ public UaaConfigConstructor() {
             addPropertyAlias("access-token-validity", OAuthClient.class, "accessTokenValidity");
             addPropertyAlias("refresh-token-validity", OAuthClient.class, "refreshTokenValidity");
             addPropertyAlias("user.override", Scim.class, "userOverride");
+
+            addPropertyAlias("cors.xhr.allowed.headers", UaaConfiguration.class, "corsXhrAllowedHeaders");
+            addPropertyAlias("cors.xhr.allowed.origins", UaaConfiguration.class, "corsXhrAllowedOrigins");
+            addPropertyAlias("cors.xhr.allowed.uris", UaaConfiguration.class, "corsXhrAllowedUris");
         }
 
         @Override

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -12,37 +12,51 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.authentication;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
 import java.io.Serializable;
 import java.util.Collection;
 import java.util.List;
 
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
-
 /**
- * Authentication token which represents a successfully authenticated user.
- * 
- * @author Luke Taylor
+ * Authentication token which represents a user.
  */
 public class UaaAuthentication implements Authentication, Serializable {
     private List<? extends GrantedAuthority> authorities;
-    private final UaaPrincipal principal;
-    private final UaaAuthenticationDetails details;
+    private Object credentials;
+    private UaaPrincipal principal;
+    private UaaAuthenticationDetails details;
+    private boolean authenticated;
 
     /**
      * Creates a token with the supplied array of authorities.
-     * 
+     *
      * @param authorities the collection of <tt>GrantedAuthority</tt>s for the
      *            principal represented by this authentication object.
      */
-    public UaaAuthentication(UaaPrincipal principal, List<? extends GrantedAuthority> authorities,
-                    UaaAuthenticationDetails details) {
+    public UaaAuthentication(UaaPrincipal principal,
+                             List<? extends GrantedAuthority> authorities,
+                             UaaAuthenticationDetails details) {
+        this(principal, null, authorities, details, true);
+    }
+
+    @JsonCreator
+    public UaaAuthentication(@JsonProperty("principal") UaaPrincipal principal,
+                             @JsonProperty("credentials") Object credentials,
+                             @JsonProperty("authorities") List<? extends GrantedAuthority> authorities,
+                             @JsonProperty("details") UaaAuthenticationDetails details,
+                             @JsonProperty("authenticated") boolean authenticated) {
         if (principal == null || authorities == null) {
             throw new IllegalArgumentException("principal and authorities must not be null");
         }
         this.principal = principal;
         this.authorities = authorities;
         this.details = details;
+        this.credentials = credentials;
+        this.authenticated = authenticated;
     }
 
     @Override
@@ -59,7 +73,7 @@ public Collection<? extends GrantedAuthority> getAuthorities() {
 
     @Override
     public Object getCredentials() {
-        return null;
+        return credentials;
     }
 
     @Override
@@ -74,12 +88,12 @@ public UaaPrincipal getPrincipal() {
 
     @Override
     public boolean isAuthenticated() {
-        return true;
+        return authenticated;
     }
 
     @Override
     public void setAuthenticated(boolean isAuthenticated) {
-        throw new UnsupportedOperationException();
+        authenticated = isAuthenticated;
     }
 
     @Override

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaPrincipal.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -15,6 +15,8 @@
 import java.io.Serializable;
 import java.security.Principal;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
 
 /**
@@ -43,7 +45,14 @@ public UaaPrincipal(UaaUser user) {
         );
     }
 
-    public UaaPrincipal(String id, String username, String email, String origin, String externalId, String zoneId) {
+    @JsonCreator
+    public UaaPrincipal(
+        @JsonProperty("id") String id,
+        @JsonProperty("name") String username,
+        @JsonProperty("email") String email,
+        @JsonProperty("origin") String origin,
+        @JsonProperty("externalId") String externalId,
+        @JsonProperty("zoneId") String zoneId) {
         this.id = id;
         this.name = username;
         this.email = email;

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/PeriodLockoutPolicy.java

@@ -51,22 +51,20 @@ public PeriodLockoutPolicy(UaaAuditService auditService, IdentityProviderProvisi
 
     @Override
     public boolean isAllowed(UaaUser user, Authentication a) throws AuthenticationException {
-        LockoutPolicy policy = getLockoutPolicyFromDb();
-        if (policy != null) {
-            this.lockoutPolicy = policy;
-        }
+        LockoutPolicy policyFromDb = getLockoutPolicyFromDb();
+        LockoutPolicy localPolicy = policyFromDb != null ? policyFromDb : lockoutPolicy;
 
-        long eventsAfter = System.currentTimeMillis() - lockoutPolicy.getCountFailuresWithin() * 1000;
+        long eventsAfter = System.currentTimeMillis() - localPolicy.getCountFailuresWithin() * 1000;
 
         List<AuditEvent> events = auditService.find(user.getId(), eventsAfter);
 
         final int failureCount = sequentialFailureCount(events);
 
-        if (failureCount >= lockoutPolicy.getLockoutAfterFailures()) {
+        if (failureCount >= localPolicy.getLockoutAfterFailures()) {
             // Check whether time of most recent failure is within the lockout
             // period
             AuditEvent lastFailure = mostRecentFailure(events);
-            if (lastFailure != null && lastFailure.getTime() > System.currentTimeMillis() - lockoutPolicy.getLockoutPeriodSeconds() * 1000) {
+            if (lastFailure != null && lastFailure.getTime() > System.currentTimeMillis() - localPolicy.getLockoutPeriodSeconds() * 1000) {
                 logger.warn("User " + user.getUsername() + " and id " + user.getId() + " has "
                                 + failureCount + " failed logins within the last checking period.");
                 return false;

common/src/main/java/org/cloudfoundry/identity/uaa/config/LockoutPolicy.java

@@ -9,21 +9,24 @@ public LockoutPolicy() {
         lockoutPeriodSeconds = lockoutAfterFailures = countFailuresWithin = -1;
     }
 
-    public void setLockoutPeriodSeconds(int lockoutPeriod) {
+    public LockoutPolicy setLockoutPeriodSeconds(int lockoutPeriod) {
         this.lockoutPeriodSeconds = lockoutPeriod;
+        return this;
     }
 
-    public void setLockoutAfterFailures(int allowedFailures) {
+    public LockoutPolicy setLockoutAfterFailures(int allowedFailures) {
         this.lockoutAfterFailures = allowedFailures;
+        return this;
     }
 
     /**
      * Only audit events within the preceding interval will be considered
      *
      * @param interval the history period to consider (in seconds)
      */
-    public void setCountFailuresWithin(int interval) {
+    public LockoutPolicy setCountFailuresWithin(int interval) {
         this.countFailuresWithin = interval;
+        return this;
     }
 
     public int getLockoutPeriodSeconds() {

common/src/main/java/org/cloudfoundry/identity/uaa/oauth/ClientAdminEndpointsValidator.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -24,6 +24,7 @@
 import org.cloudfoundry.identity.uaa.rest.QueryableResourceManager;
 import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
 import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
+import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.provider.ClientDetails;
@@ -112,7 +113,9 @@ public ClientDetails validate(ClientDetails prototype, boolean create, boolean c
             requestedGrantTypes.add("refresh_token");
         }
 
-        if (checkAdmin && !securityContextAccessor.isAdmin()) {
+        if (checkAdmin &&
+            !(securityContextAccessor.isAdmin() || UaaStringUtils.getStringsFromAuthorities(securityContextAccessor.getAuthorities()).contains("clients.admin"))
+            ) {
 
             // Not admin, so be strict with grant types and scopes
             for (String grant : requestedGrantTypes) {
@@ -141,7 +144,7 @@ public ClientDetails validate(ClientDetails prototype, boolean create, boolean c
                 String callerPrefix = callerId + ".";
                 String clientPrefix = clientId + ".";
 
-                
+
                 Set<String> validScope = caller.getScope();
                 for (String scope : client.getScope()) {
                     if (scope.startsWith(callerPrefix) || scope.startsWith(clientPrefix)) {
@@ -156,7 +159,7 @@ public ClientDetails validate(ClientDetails prototype, boolean create, boolean c
                 }
 
             }
-            else { 
+            else {
                 // New scopes are allowed if they are for the caller or the new
                 // client.
                 String clientPrefix = clientId + ".";

common/src/main/java/org/cloudfoundry/identity/uaa/oauth/event/ClientAdminEventPublisher.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -29,9 +29,9 @@
  * varying according to the input and
  * outcome. Can be used as an aspect intercepting calls to a component that
  * changes client details.
- * 
+ *
  * @author Dave Syer
- * 
+ *
  */
 public class ClientAdminEventPublisher implements ApplicationEventPublisherAware {
 
@@ -51,6 +51,10 @@ public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
         this.publisher = publisher;
     }
 
+    public ApplicationEventPublisher getPublisher() {
+        return publisher;
+    }
+
     public void create(ClientDetails client) {
         publish(new ClientCreateEvent(client, getPrincipal()));
     }
@@ -76,7 +80,7 @@ public ClientDetails delete(ProceedingJoinPoint jp, String clientId) throws Thro
         publish(new ClientDeleteEvent(client, getPrincipal()));
         return client;
     }
-    
+
     public void deleteTx(ClientDetails[] clients) {
         for (ClientDetails client:clients) {
             publish(new ClientDeleteEvent(client, getPrincipal()));

common/src/main/java/org/cloudfoundry/identity/uaa/oauth/event/ClientCreateEvent.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -13,16 +13,14 @@
 
 package org.cloudfoundry.identity.uaa.oauth.event;
 
-import java.security.Principal;
-
 import org.cloudfoundry.identity.uaa.audit.AuditEvent;
 import org.cloudfoundry.identity.uaa.audit.AuditEventType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.ClientDetails;
 
 /**
  * @author Dave Syer
- * 
+ *
  */
 public class ClientCreateEvent extends AbstractClientAdminEvent {
 

common/src/main/java/org/cloudfoundry/identity/uaa/oauth/expression/ContextSensitiveOAuth2SecurityExpressionMethods.java

@@ -50,7 +50,7 @@ private String[] replaceContext(String[] roles) {
     }
 
     public ContextSensitiveOAuth2SecurityExpressionMethods(Authentication authentication) {
-        this(authentication, null);
+        this(authentication, IdentityZone.getUaa());
     }
 
     public ContextSensitiveOAuth2SecurityExpressionMethods(Authentication authentication, IdentityZone authenticationZone) {
@@ -89,6 +89,15 @@ public boolean hasAnyScopeMatching(String... scopesRegex) {
         return super.hasAnyScopeMatching(replaceContext(scopesRegex));
     }
 
+    public boolean hasAnyScopeInAuthZone(String... scopes) {
+        for (String scope : scopes) {
+            if (hasScopeInAuthZone(scope)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     public boolean hasScopeInAuthZone(String scope) {
         boolean hasScope = hasScope(scope);
         String authZoneId = getAuthenticationZoneId();
@@ -99,6 +108,16 @@ public boolean hasScopeInAuthZone(String scope) {
         return hasScope;
     }
 
+    public boolean clientHasRoleInAuthZone(String scope) {
+        boolean hasScope = clientHasRole(scope);
+        String authZoneId = getAuthenticationZoneId();
+        hasScope = hasScope && StringUtils.hasText(authZoneId);
+        if (hasScope) {
+            hasScope = identityZone != null && identityZone.getId().equals(authZoneId);
+        }
+        return hasScope;
+    }
+
     private String getAuthenticationZoneId() {
         if (authentication.getPrincipal() instanceof UaaPrincipal) {
             return ((UaaPrincipal)authentication.getPrincipal()).getZoneId();