
Commit d272f57

committed
Merge branch 'releases/2.4.1'
2 parents 786372e + 27ac6e4 commit d272f57


63 files changed

+2870
-661
lines changed


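--- a/common/src/main/java/org/cloudfoundry/identity/uaa/UaaConfiguration.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/UaaConfiguration.java
@@ -94,6 +94,12 @@ public class UaaConfiguration {
 public String LOGIN_SECRET;
 @Valid
 public OAuth multitenant;
+@Valid
+public String corsXhrAllowedHeaders;
+@Valid
+public String corsXhrAllowedOrigins;
+@Valid
+public String corsXhrAllowedUris;
 
 public static class Zones {
 @Valid
@@ -227,6 +233,10 @@ public UaaConfigConstructor() {
 addPropertyAlias("access-token-validity", OAuthClient.class, "accessTokenValidity");
 addPropertyAlias("refresh-token-validity", OAuthClient.class, "refreshTokenValidity");
 addPropertyAlias("user.override", Scim.class, "userOverride");
+
+addPropertyAlias("cors.xhr.allowed.headers", UaaConfiguration.class, "corsXhrAllowedHeaders");
+addPropertyAlias("cors.xhr.allowed.origins", UaaConfiguration.class, "corsXhrAllowedOrigins");
+addPropertyAlias("cors.xhr.allowed.uris", UaaConfiguration.class, "corsXhrAllowedUris");
 }
 
 @Override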
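Review bot: `@Valid` on the three new String fields (new lines 97–102) has no effect — it cascades validation into a nested bean, and a String has no constrained properties to cascade into — so either drop it or replace it with the constraint actually wanted, e.g. `@NotNull` if the property is mandatory. The fields also carry no comment on their format, which matters because their values decide which cross-origin XHR requests are accepted; a field comment naming the YAML key the second hunk maps onto each field (`cors.xhr.allowed.origins` and so on) and the value syntax the consumer expects (single value, list, or pattern) would document the contract. The enclosing class continues outside both hunks.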

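--- a/common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Cloud Foundry
+* Cloud Foundry
 * Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
 *
 * This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -12,37 +12,51 @@
 *******************************************************************************/
 package org.cloudfoundry.identity.uaa.authentication;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
 import java.io.Serializable;
 import java.util.Collection;
 import java.util.List;
 
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
-
 /**
-* Authentication token which represents a successfully authenticated user.
-*
-* @author Luke Taylor
+* Authentication token which represents a user.
 */
 public class UaaAuthentication implements Authentication, Serializable {
 private List<? extends GrantedAuthority> authorities;
-private final UaaPrincipal principal;
-private final UaaAuthenticationDetails details;
+private Object credentials;
+private UaaPrincipal principal;
+private UaaAuthenticationDetails details;
+private boolean authenticated;
 
 /**
 * Creates a token with the supplied array of authorities.
-*
+*
 * @param authorities the collection of <tt>GrantedAuthority</tt>s for the
 * principal represented by this authentication object.
 */
-public UaaAuthentication(UaaPrincipal principal, List<? extends GrantedAuthority> authorities,
-UaaAuthenticationDetails details) {
+public UaaAuthentication(UaaPrincipal principal,
+List<? extends GrantedAuthority> authorities,
+UaaAuthenticationDetails details) {
+this(principal, null, authorities, details, true);
+}
+
+@JsonCreator
+public UaaAuthentication(@JsonProperty("principal") UaaPrincipal principal,
+@JsonProperty("credentials") Object credentials,
+@JsonProperty("authorities") List<? extends GrantedAuthority> authorities,
+@JsonProperty("details") UaaAuthenticationDetails details,
+@JsonProperty("authenticated") boolean authenticated) {
 if (principal == null || authorities == null) {
 throw new IllegalArgumentException("principal and authorities must not be null");
 }
 this.principal = principal;
 this.authorities = authorities;
 this.details = details;
+this.credentials = credentials;
+this.authenticated = authenticated;
 }
 
 @Override
@@ -59,7 +73,7 @@ public Collection<? extends GrantedAuthority> getAuthorities() {
 
 @Override
 public Object getCredentials() {
-return null;
+return credentials;
 }
 
 @Override
@@ -74,12 +88,12 @@ public UaaPrincipal getPrincipal() {
 
 @Override
 public boolean isAuthenticated() {
-return true;
+return authenticated;
 }
 
 @Override
 public void setAuthenticated(boolean isAuthenticated) {
-throw new UnsupportedOperationException();
+authenticated = isAuthenticated;
 }
 
 @Override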
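Review bot: `setAuthenticated(boolean)` at new line 96 now accepts `true`, so any holder of a token that was deserialized or constructed with `authenticated = false` can promote it to a trusted authentication; the Spring Security `Authentication` contract allows rejecting that (as `UsernamePasswordAuthenticationToken` does), so the safer form is `if (isAuthenticated) { throw new IllegalArgumentException("use the constructor to create a trusted token"); } authenticated = false;`, which still lets the `@JsonCreator` constructor set the flag directly. Relatedly, `credentials` is now retained and returned by `getCredentials()` (new line 76), which Jackson will serialize alongside `authenticated`; the three-argument constructor passes `null`, so nothing visible here populates it, but if any caller supplies a password or secret it will be written out with the token — either document that the field must never hold a secret or mark the getter `@JsonIgnore`. The five-argument constructor also lacks Javadoc; the existing comment describes only `authorities`, and a `@param authenticated` line stating whether the token is trusted at construction would help. The class body continues outside the hunks.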

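--- a/common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaPrincipal.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaPrincipal.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Cloud Foundry
+* Cloud Foundry
 * Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
 *
 * This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -15,6 +15,8 @@
 import java.io.Serializable;
 import java.security.Principal;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
 
 /**
@@ -43,7 +45,14 @@ public UaaPrincipal(UaaUser user) {
 );
 }
 
-public UaaPrincipal(String id, String username, String email, String origin, String externalId, String zoneId) {
+@JsonCreator
+public UaaPrincipal(
+@JsonProperty("id") String id,
+@JsonProperty("name") String username,
+@JsonProperty("email") String email,
+@JsonProperty("origin") String origin,
+@JsonProperty("externalId") String externalId,
+@JsonProperty("zoneId") String zoneId) {
 this.id = id;
 this.name = username;
 this.email = email;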
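Review bot: The `@JsonProperty` names at new lines 50–55 now form a wire contract for persisted principals, and the one place the JSON key and the Java name diverge — `@JsonProperty("name")` bound to the `username` parameter — carries no comment explaining it; `// JSON key is "name" to match Principal.getName(); the parameter keeps its existing name` would stop a later rename from breaking deserialization of stored tokens. The visible part of the constructor performs no null checks on `id`, `name` or `zoneId`, which was also true before, but now that instances can be built from JSON it is worth deciding whether a missing key should be rejected rather than stored as null. The constructor body continues outside the hunk.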

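--- a/common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/PeriodLockoutPolicy.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/PeriodLockoutPolicy.java
@@ -51,22 +51,20 @@ public PeriodLockoutPolicy(UaaAuditService auditService, IdentityProviderProvisi
 
 @Override
 public boolean isAllowed(UaaUser user, Authentication a) throws AuthenticationException {
-LockoutPolicy policy = getLockoutPolicyFromDb();
-if (policy != null) {
-this.lockoutPolicy = policy;
-}
+LockoutPolicy policyFromDb = getLockoutPolicyFromDb();
+LockoutPolicy localPolicy = policyFromDb != null ? policyFromDb : lockoutPolicy;
 
-long eventsAfter = System.currentTimeMillis() - lockoutPolicy.getCountFailuresWithin() * 1000;
+long eventsAfter = System.currentTimeMillis() - localPolicy.getCountFailuresWithin() * 1000;
 
 List<AuditEvent> events = auditService.find(user.getId(), eventsAfter);
 
 final int failureCount = sequentialFailureCount(events);
 
-if (failureCount >= lockoutPolicy.getLockoutAfterFailures()) {
+if (failureCount >= localPolicy.getLockoutAfterFailures()) {
 // Check whether time of most recent failure is within the lockout
 // period
 AuditEvent lastFailure = mostRecentFailure(events);
-if (lastFailure != null && lastFailure.getTime() > System.currentTimeMillis() - lockoutPolicy.getLockoutPeriodSeconds() * 1000) {
+if (lastFailure != null && lastFailure.getTime() > System.currentTimeMillis() - localPolicy.getLockoutPeriodSeconds() * 1000) {
 logger.warn("User " + user.getUsername() + " and id " + user.getId() + " has "
 + failureCount + " failed logins within the last checking period.");
 return false;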
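Review bot: `localPolicy.getCountFailuresWithin() * 1000` at new line 57 (and `getLockoutPeriodSeconds() * 1000` at new line 67) multiplies in `int` before widening to `long`, so a configured interval above roughly 24.8 days wraps negative and silently disables the window; `1000L` fixes both, e.g. `long eventsAfter = System.currentTimeMillis() - localPolicy.getCountFailuresWithin() * 1000L;`. Falling back to `lockoutPolicy` when the database returns null is a good change since the method no longer mutates shared state, but if the injected default still holds the `-1` sentinel that `LockoutPolicy()` assigns, `failureCount >= -1` is always true and the decision rests entirely on the `lastFailure` comparison — a comment or an explicit unconfigured-policy check would make that intent clear. `isAllowed` continues outside the hunk.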

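--- a/common/src/main/java/org/cloudfoundry/identity/uaa/config/LockoutPolicy.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/config/LockoutPolicy.java
@@ -9,21 +9,24 @@ public LockoutPolicy() {
 lockoutPeriodSeconds = lockoutAfterFailures = countFailuresWithin = -1;
 }
 
-public void setLockoutPeriodSeconds(int lockoutPeriod) {
+public LockoutPolicy setLockoutPeriodSeconds(int lockoutPeriod) {
 this.lockoutPeriodSeconds = lockoutPeriod;
+return this;
 }
 
-public void setLockoutAfterFailures(int allowedFailures) {
+public LockoutPolicy setLockoutAfterFailures(int allowedFailures) {
 this.lockoutAfterFailures = allowedFailures;
+return this;
 }
 
 /**
 * Only audit events within the preceding interval will be considered
 *
 * @param interval the history period to consider (in seconds)
 */
-public void setCountFailuresWithin(int interval) {
+public LockoutPolicy setCountFailuresWithin(int interval) {
 this.countFailuresWithin = interval;
+return this;
 }
 
 public int getLockoutPeriodSeconds() {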
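Review bot: Changing the three setters from `void` to return `LockoutPolicy` (new lines 12, 17, 27) can break property binding: `java.beans.Introspector` only recognises a `void` method as a property setter, so anything that populates `LockoutPolicy` through JavaBeans introspection (SnakeYAML's `PropertyUtils`, for instance) would stop seeing these properties — worth confirming with a config-loading test before relying on the fluent form. It is also a binary-incompatible signature change for precompiled callers. The Javadoc on `setCountFailuresWithin` should gain `@return this policy, for chaining`, and the other two setters have no Javadoc at all.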

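--- a/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/ClientAdminEndpointsValidator.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/ClientAdminEndpointsValidator.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Cloud Foundry
+* Cloud Foundry
 * Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
 *
 * This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -24,6 +24,7 @@
 import org.cloudfoundry.identity.uaa.rest.QueryableResourceManager;
 import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
 import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
+import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.provider.ClientDetails;
@@ -112,7 +113,9 @@ public ClientDetails validate(ClientDetails prototype, boolean create, boolean c
 requestedGrantTypes.add("refresh_token");
 }
 
-if (checkAdmin && !securityContextAccessor.isAdmin()) {
+if (checkAdmin &&
+!(securityContextAccessor.isAdmin() || UaaStringUtils.getStringsFromAuthorities(securityContextAccessor.getAuthorities()).contains("clients.admin"))
+) {
 
 // Not admin, so be strict with grant types and scopes
 for (String grant : requestedGrantTypes) {
@@ -141,7 +144,7 @@ public ClientDetails validate(ClientDetails prototype, boolean create, boolean c
 String callerPrefix = callerId + ".";
 String clientPrefix = clientId + ".";
 
-
+
 Set<String> validScope = caller.getScope();
 for (String scope : client.getScope()) {
 if (scope.startsWith(callerPrefix) || scope.startsWith(clientPrefix)) {
@@ -156,7 +159,7 @@ public ClientDetails validate(ClientDetails prototype, boolean create, boolean c
 }
 
 }
-else {
+else {
 // New scopes are allowed if they are for the caller or the new
 // client.
 String clientPrefix = clientId + ".";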
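Review bot: The condition at new lines 116–118 folds a second authorization path (`clients.admin` among the caller's authorities) into a three-line negated disjunction with a dangling `)` on its own line, which is hard to read for the check that decides whether grant-type and scope restrictions are skipped; hoisting it into a named local, `boolean callerIsAdmin = securityContextAccessor.isAdmin() || UaaStringUtils.getStringsFromAuthorities(securityContextAccessor.getAuthorities()).contains("clients.admin");` followed by `if (checkAdmin && !callerIsAdmin) {`, keeps the bypass explicit. The literal `"clients.admin"` also deserves a named constant and a one-line comment on why that authority is trusted like `isAdmin()` here. Whether `getAuthorities()` can return null for an anonymous context, and whether `getStringsFromAuthorities` tolerates that, cannot be verified from this hunk. `validate` starts and ends outside the hunk; the remaining hunks in this file are whitespace only.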

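--- a/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/event/ClientAdminEventPublisher.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/event/ClientAdminEventPublisher.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Cloud Foundry
+* Cloud Foundry
 * Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
 *
 * This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -29,9 +29,9 @@
 * varying according to the input and
 * outcome. Can be used as an aspect intercepting calls to a component that
 * changes client details.
-*
+*
 * @author Dave Syer
-*
+*
 */
 public class ClientAdminEventPublisher implements ApplicationEventPublisherAware {
 
@@ -51,6 +51,10 @@ public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
 this.publisher = publisher;
 }
 
+public ApplicationEventPublisher getPublisher() {
+return publisher;
+}
+
 public void create(ClientDetails client) {
 publish(new ClientCreateEvent(client, getPrincipal()));
 }
@@ -76,7 +80,7 @@ public ClientDetails delete(ProceedingJoinPoint jp, String clientId) throws Thro
 publish(new ClientDeleteEvent(client, getPrincipal()));
 return client;
 }
-
+
 public void deleteTx(ClientDetails[] clients) {
 for (ClientDetails client:clients) {
 publish(new ClientDeleteEvent(client, getPrincipal()));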
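Review bot: `getPublisher()` at new lines 54–56 is public and undocumented, so it widens the class's API just to read back the injected `ApplicationEventPublisher`; if it exists for tests, a Javadoc line such as `/** Exposes the injected publisher; intended for test verification only. */` — or package-private visibility — would make that explicit. The other hunks in this file are whitespace only.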

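--- a/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/event/ClientCreateEvent.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/event/ClientCreateEvent.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Cloud Foundry
+* Cloud Foundry
 * Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
 *
 * This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -13,16 +13,14 @@
 
 package org.cloudfoundry.identity.uaa.oauth.event;
 
-import java.security.Principal;
-
 import org.cloudfoundry.identity.uaa.audit.AuditEvent;
 import org.cloudfoundry.identity.uaa.audit.AuditEventType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.ClientDetails;
 
 /**
 * @author Dave Syer
-*
+*
 */
 public class ClientCreateEvent extends AbstractClientAdminEvent {
 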
2826

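--- a/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/expression/ContextSensitiveOAuth2SecurityExpressionMethods.java
+++ b/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/expression/ContextSensitiveOAuth2SecurityExpressionMethods.java
@@ -50,7 +50,7 @@ private String[] replaceContext(String[] roles) {
 }
 
 public ContextSensitiveOAuth2SecurityExpressionMethods(Authentication authentication) {
-this(authentication, null);
+this(authentication, IdentityZone.getUaa());
 }
 
 public ContextSensitiveOAuth2SecurityExpressionMethods(Authentication authentication, IdentityZone authenticationZone) {
@@ -89,6 +89,15 @@ public boolean hasAnyScopeMatching(String... scopesRegex) {
 return super.hasAnyScopeMatching(replaceContext(scopesRegex));
 }
 
+public boolean hasAnyScopeInAuthZone(String... scopes) {
+for (String scope : scopes) {
+if (hasScopeInAuthZone(scope)) {
+return true;
+}
+}
+return false;
+}
+
 public boolean hasScopeInAuthZone(String scope) {
 boolean hasScope = hasScope(scope);
 String authZoneId = getAuthenticationZoneId();
@@ -99,6 +108,16 @@ public boolean hasScopeInAuthZone(String scope) {
 return hasScope;
 }
 
+public boolean clientHasRoleInAuthZone(String scope) {
+boolean hasScope = clientHasRole(scope);
+String authZoneId = getAuthenticationZoneId();
+hasScope = hasScope && StringUtils.hasText(authZoneId);
+if (hasScope) {
+hasScope = identityZone != null && identityZone.getId().equals(authZoneId);
+}
+return hasScope;
+}
+
 private String getAuthenticationZoneId() {
 if (authentication.getPrincipal() instanceof UaaPrincipal) {
 return ((UaaPrincipal)authentication.getPrincipal()).getZoneId();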
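Review bot: The one-argument constructor at new line 53 now defaults `identityZone` to `IdentityZone.getUaa()` instead of `null`, which flips the outcome of `hasScopeInAuthZone` for callers that use it: the `identityZone != null` check previously made the method return false, and now a principal whose zone id equals the UAA zone passes, so each caller of the one-argument form should be confirmed to want this widening and the constructor should carry a comment such as `// Defaults to the UAA zone; zone-scoped checks then succeed for UAA-zone principals`. Separately, `clientHasRoleInAuthZone` at new lines 111–119 duplicates the zone-matching logic of `hasScopeInAuthZone` (whose middle, old lines 95–98, is outside the hunk, but the visible head and tail match), so extracting the shared part into a private helper keeps the two authorization checks from drifting apart, as below. `getAuthenticationZoneId` continues outside the hunk.
```java
public boolean hasScopeInAuthZone(String scope) {
    return inAuthZone(hasScope(scope));
}

public boolean clientHasRoleInAuthZone(String scope) {
    return inAuthZone(clientHasRole(scope));
}

// Shared zone check: the privilege only counts when the principal carries a zone id
// and that id matches the zone this expression handler was built for.
private boolean inAuthZone(boolean hasPrivilege) {
    String authZoneId = getAuthenticationZoneId();
    return hasPrivilege
        && StringUtils.hasText(authZoneId)
        && identityZone != null
        && identityZone.getId().equals(authZoneId);
}
```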
