

fix(4.3): added SSA and additional access token validation during client update

#1567
yuriyz committed Sep 27, 2021
1 parent e391298 commit 8da1399
Showing 1 changed file with 55 additions and 1 deletion.
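--- a/RegisterRestWebServiceImpl.java
+++ b/RegisterRestWebServiceImpl.java
@@ -128,6 +128,9 @@ public class RegisterRestWebServiceImpl implements RegisterRestWebService {
 @Inject
 private CIBARegisterClientResponseService cibaRegisterClientResponseService;
 
+@Inject
+private AuthorizationGrantList authorizationGrantList;
+
 @Override
 public Response requestRegister(String requestParams, HttpServletRequest httpRequest, SecurityContext securityContext) {
 com.codahale.metrics.Timer.Context timerContext = metricService.getTimer(MetricType.DYNAMIC_CLIENT_REGISTRATION_RATE).time();
@@ -695,7 +698,18 @@ public Response requestClientUpdate(String requestParams, String clientId, @Head
 final String accessToken = tokenService.getToken(authorization);
 
 if (StringUtils.isNotBlank(accessToken) && StringUtils.isNotBlank(clientId) && StringUtils.isNotBlank(requestParams)) {
-final RegisterRequest request = RegisterRequest.fromJson(requestParams, appConfiguration.getLegacyDynamicRegistrationScopeParam());
+validateAuthorizationAccessToken(accessToken, clientId);
+
+JSONObject requestObject = new JSONObject(requestParams);
+final JSONObject softwareStatement = validateSoftwareStatement(httpRequest, requestObject);
+if (softwareStatement != null) {
+log.trace("Override request parameters by software_statement");
+for (String key : softwareStatement.keySet()) {
+requestObject.putOpt(key, softwareStatement.get(key));
+}
+}
+
+final RegisterRequest request = RegisterRequest.fromJson(requestObject, appConfiguration.getLegacyDynamicRegistrationScopeParam());
 if (request != null) {
 boolean redirectUrisValidated = true;
 if (request.getRedirectUris() != null && !request.getRedirectUris().isEmpty()) {
@@ -779,6 +793,46 @@ public Response requestClientUpdate(String requestParams, String clientId, @Head
 return internalErrorResponse("Unknown.").build();
 }
 
+private void validateAuthorizationAccessToken(String accessToken, String clientId) {
+if (StringUtils.isBlank(accessToken) || StringUtils.isBlank(clientId)) {
+log.trace("Access Token or clientId is blank.");
+throw new WebApplicationException(Response.
+status(Response.Status.BAD_REQUEST).
+type(MediaType.APPLICATION_JSON_TYPE).
+entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token is not valid for the Client ID."))
+.build());
+}
+
+final AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
+if (grant == null) {
+log.trace("Unable to find grant by access token: {}", accessToken);
+throw new WebApplicationException(Response.
+status(Response.Status.BAD_REQUEST).
+type(MediaType.APPLICATION_JSON_TYPE).
+entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token grant is not found."))
+.build());
+}
+
+final AbstractToken accessTokenObj = grant.getAccessToken(accessToken);
+if (accessTokenObj == null || !accessTokenObj.isValid()) {
+log.trace("Unable to find access token object or otherwise it's expired.");
+throw new WebApplicationException(Response.
+status(Response.Status.BAD_REQUEST).
+type(MediaType.APPLICATION_JSON_TYPE).
+entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token object is not found or otherwise expired."))
+.build());
+}
+
+if (!clientId.equals(grant.getClientId())) {
+log.trace("ClientId from request does not match to access token's client id.");
+throw new WebApplicationException(Response.
+status(Response.Status.BAD_REQUEST).
+type(MediaType.APPLICATION_JSON_TYPE).
+entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token object is not found or otherwise expired."))
+.build());
+}
+}
+
 @Override
 public Response requestClientRead(String clientId, String authorization, HttpServletRequest httpRequest,
 SecurityContext securityContext) {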
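Review bot: `log.trace("Unable to find grant by access token: {}", accessToken);` in the new validateAuthorizationAccessToken writes the bearer token itself into the log; trace level is still a log sink that ends up in files and aggregators, so log the clientId or a hash instead, e.g. `log.trace("Unable to find grant by access token for clientId: {}", clientId);`. The final `!clientId.equals(grant.getClientId())` branch reuses the message "The Access Token object is not found or otherwise expired." from the branch above it, which misreports the actual cause to the caller; something like `"The Access Token does not belong to the given Client ID."` matches the log line next to it. All four rejection paths return 400, whereas RFC 7592 describes 401 for an invalid or foreign registration access token — worth confirming against the status requestClientRead uses for the same condition, whose body lies outside this hunk. The update path also now calls `new JSONObject(requestParams)` before any try/catch visible here, so a malformed body throws JSONException rather than the INVALID_CLIENT_METADATA-style response the rest of requestClientUpdate produces; the enclosing method continues past the end of the hunk, so this may already be handled there.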

