Add end point that allows to get or delete all tokens owned by a particular owner.

apis-authorization-server-war/pom.xml

@@ -19,6 +19,11 @@
       <groupId>nl.surfnet.apis</groupId>
       <artifactId>apis-authorization-server</artifactId>
     </dependency>
+    <dependency>
+      <groupId>de.daasi</groupId>
+      <artifactId>shib-apis-authn</artifactId>
+      <version>0.0.2-SNAPSHOT</version>
+      </dependency>
     <dependency>
       <groupId>com.sun.jersey</groupId>
       <artifactId>jersey-servlet</artifactId>
@@ -42,6 +47,11 @@
       <groupId>mysql</groupId>
       <artifactId>mysql-connector-java</artifactId>
     </dependency>
+    <dependency>
+      <groupId>net.sf.uadetector</groupId>
+      <artifactId>uadetector-resources</artifactId>
+      <version>2014.04</version>
+    </dependency>
     <dependency>
       <groupId>com.sun.jersey.contribs</groupId>
       <artifactId>jersey-spring</artifactId>

apis-authorization-server/pom.xml

@@ -17,7 +17,6 @@
   </parent>
 
   <artifactId>apis-authorization-server</artifactId>
-  <packaging>jar</packaging>
   <name>API Secure - authorization server</name>
 
   <dependencies>

apis-authorization-server/src/main/java/org/surfnet/oaaas/resource/resourceserver/AccessTokenForOwnerEncryptedResource.java

@@ -0,0 +1,139 @@
+/*
+ * Copyright 2012 SURFnet bv, The Netherlands
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.surfnet.oaaas.resource.resourceserver;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.surfnet.oaaas.model.AccessToken;
+import org.surfnet.oaaas.repository.AccessTokenRepository;
+
+/**
+ * JAX-RS Resource for maintaining owns access tokens.
+ */
+@Named
+@Path("/accessTokenForOwnerEncrypted")
+@Produces(MediaType.APPLICATION_JSON)
+public class AccessTokenForOwnerEncryptedResource extends AbstractResource {
+
+  private static final Logger LOG = LoggerFactory.getLogger(AccessTokenForOwnerEncryptedResource.class);
+
+  @Inject
+  private AccessTokenRepository accessTokenRepository;
+
+  /**
+   * Get all access token for the provided credentials (== owner).
+   */
+  @GET
+  public Response getAll(@Context HttpServletRequest request) {
+    Response validateScopeResponse = validateScope(request, Collections.singletonList(AbstractResource.SCOPE_READ));
+    if (validateScopeResponse != null) {
+      return validateScopeResponse;
+    }
+    List<AccessToken> tokens = getAllAccessTokens(request);
+    return Response.ok(tokens).build();
+  }
+
+  /**
+   * Get all tokens for a user.
+   */
+  @GET
+  @Path("/{accessTokenOwner}")
+  public Response getByOwner(@Context HttpServletRequest request, @PathParam("accessTokenOwner") String owner) {
+    Response validateScopeResponse = validateScope(request, Collections.singletonList(AbstractResource.SCOPE_READ));
+    if (validateScopeResponse != null) {
+      return validateScopeResponse;
+    }
+    List<AccessToken> tokens = getAccessTokensForOwner(request, decode(owner));
+    return Response.ok(tokens).build();
+  }
+
+  /**
+   * Delete all existing access tokens for a user.
+   */
+  @DELETE
+  @Path("/{accessTokenOwner}")
+  public Response delete(@Context HttpServletRequest request, @PathParam("accessTokenOwner") String owner) {
+    Response validateScopeResponse = validateScope(request, Collections.singletonList(AbstractResource.SCOPE_WRITE));
+    if (validateScopeResponse != null) {
+      return validateScopeResponse;
+    }
+    List<AccessToken> tokens = getAccessTokensForOwner(request, decode(owner));
+    if (tokens == null || tokens.isEmpty()) {
+      return Response.status(Response.Status.NOT_FOUND).build();
+    }
+	LOG.debug("About to delete accessTokens {}", Arrays.toString(tokens.toArray()));
+	accessTokenRepository.delete(tokens);
+    return Response.noContent().build();
+  }
+
+  private String decode(String owner) {
+      try {
+          owner = URLDecoder.decode(owner, StandardCharsets.UTF_8.name());
+      } catch (UnsupportedEncodingException e) {
+          LOG.error(String.format("Error while decoding '%s'", owner), e);
+      }
+      return owner;
+}
+
+  private List<AccessToken> getAccessTokensForOwner(HttpServletRequest request, String owner) {
+    List<AccessToken> accessTokens;
+    String userName = getUserId(request);
+    if (isAdminPrincipal(request) || owner.equals(userName )) {
+        accessTokens = accessTokenRepository.findByResourceOwnerId(owner);
+        LOG.debug("About to return all resource servers ({}) for owner {}", accessTokens.size(), owner);
+    } else {
+        accessTokens = new ArrayList<>();
+        LOG.debug("User {} is neither admin nor owner. Returning empty list", userName);
+    }
+    return accessTokens;
+  }
+
+  private List<AccessToken> getAllAccessTokens(HttpServletRequest request) {
+    List<AccessToken> accessTokens;
+    if (isAdminPrincipal(request)) {
+      accessTokens = addAll(accessTokenRepository.findAll().iterator());
+      LOG.debug("About to return all resource servers ({}) for adminPrincipal", accessTokens.size());
+    } else {
+      String owner = getUserId(request);
+      accessTokens = accessTokenRepository.findByResourceOwnerId(owner);
+      LOG.debug("About to return all resource servers ({}) for owner {}", accessTokens.size(), owner);
+    }
+    return accessTokens;
+  }
+
+
+}

apis-authorization-server/src/main/java/org/surfnet/oaaas/resource/resourceserver/AccessTokenForOwnerResource.java

@@ -0,0 +1,127 @@
+/*
+ * Copyright 2012 SURFnet bv, The Netherlands
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.surfnet.oaaas.resource.resourceserver;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.surfnet.oaaas.model.AccessToken;
+import org.surfnet.oaaas.repository.AccessTokenRepository;
+
+/**
+ * JAX-RS Resource for maintaining owns access tokens.
+ */
+@Named
+@Path("/accessTokenForOwner")
+@Produces(MediaType.APPLICATION_JSON)
+public class AccessTokenForOwnerResource extends AbstractResource {
+
+  private static final Logger LOG = LoggerFactory.getLogger(AccessTokenForOwnerResource.class);
+
+  @Inject
+  private AccessTokenRepository accessTokenRepository;
+
+  /**
+   * Get all access token for the provided credentials (== owner).
+   */
+  @GET
+  public Response getAll(@Context HttpServletRequest request) {
+    Response validateScopeResponse = validateScope(request, Collections.singletonList(AbstractResource.SCOPE_READ));
+    if (validateScopeResponse != null) {
+      return validateScopeResponse;
+    }
+    List<AccessToken> tokens = getAllAccessTokens(request);
+    return Response.ok(tokens).build();
+  }
+
+  /**
+   * Get all tokens for a user.
+   */
+  @GET
+  @Path("/{accessTokenOwner}")
+  public Response getByOwner(@Context HttpServletRequest request, @PathParam("accessTokenOwner") String owner) {
+    Response validateScopeResponse = validateScope(request, Collections.singletonList(AbstractResource.SCOPE_READ));
+    if (validateScopeResponse != null) {
+      return validateScopeResponse;
+    }
+    List<AccessToken> tokens = getAccessTokensForOwner(request, owner);
+    return Response.ok(tokens).build();
+  }
+
+  /**
+   * Delete all existing access tokens for a user.
+   */
+  @DELETE
+  @Path("/{accessTokenOwner}")
+  public Response delete(@Context HttpServletRequest request, @PathParam("accessTokenOwner") String owner) {
+    Response validateScopeResponse = validateScope(request, Collections.singletonList(AbstractResource.SCOPE_WRITE));
+    if (validateScopeResponse != null) {
+      return validateScopeResponse;
+    }
+    List<AccessToken> tokens = getAccessTokensForOwner(request, owner);
+    if (tokens == null || tokens.isEmpty()) {
+      return Response.status(Response.Status.NOT_FOUND).build();
+    }
+	LOG.debug("About to delete accessTokens {}", Arrays.toString(tokens.toArray()));
+	accessTokenRepository.delete(tokens);
+    return Response.noContent().build();
+  }
+
+  private List<AccessToken> getAccessTokensForOwner(HttpServletRequest request, String owner) {
+    List<AccessToken> accessTokens;
+    String userName = getUserId(request);
+    if (isAdminPrincipal(request) || owner.equals(userName )) {
+        accessTokens = accessTokenRepository.findByResourceOwnerId(owner);
+        LOG.debug("About to return all resource servers ({}) for owner {}", accessTokens.size(), owner);
+    } else {
+        accessTokens = new ArrayList<>();
+        LOG.debug("User {} is neither admin nor owner. Returning empty list", userName);
+    }
+    return accessTokens;
+  }
+
+  private List<AccessToken> getAllAccessTokens(HttpServletRequest request) {
+    List<AccessToken> accessTokens;
+    if (isAdminPrincipal(request)) {
+      accessTokens = addAll(accessTokenRepository.findAll().iterator());
+      LOG.debug("About to return all resource servers ({}) for adminPrincipal", accessTokens.size());
+    } else {
+      String owner = getUserId(request);
+      accessTokens = accessTokenRepository.findByResourceOwnerId(owner);
+      LOG.debug("About to return all resource servers ({}) for owner {}", accessTokens.size(), owner);
+    }
+    return accessTokens;
+  }
+
+
+}

pom.xml

@@ -66,6 +66,7 @@
     <module>apis-resource-server-library</module>
     <module>apis-example-resource-server</module>
     <module>apis-authorization-server</module>
+    <module>shib-apis-authn</module>
     <module>apis-authorization-server-war</module>
     <module>apis-surfconext-authn</module>
     <module>apis-example-resource-server-war</module>

shib-apis-authn/pom.xml

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <relativePath>../pom.xml</relativePath>
+    <groupId>nl.surfnet.apis</groupId>
+    <artifactId>apis-parent</artifactId>
+    <version>1.3.6-SNAPSHOT</version>
+  </parent>
+
+
+  <groupId>de.daasi</groupId>
+  <artifactId>shib-apis-authn</artifactId>
+  <version>0.0.2-SNAPSHOT</version> 
+  <name>API Secure - Shibboleth authentication plugin</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.surfnet.coin</groupId>
+      <artifactId>spring-security-opensaml</artifactId>
+      <exclusions>
+          <exclusion>
+              <artifactId>commons-collections</artifactId>
+              <groupId>commons-collections</groupId>
+          </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>nl.surfnet.apis</groupId>
+      <artifactId>apis-authorization-server</artifactId>
+      <version>1.3.6-SNAPSHOT</version><!--$NO-MVN-MAN-VER$-->
+    </dependency>
+    <dependency>
+      <groupId>org.surfnet.coin</groupId>
+      <artifactId>coin-api-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.inject</groupId>
+      <artifactId>javax.inject</artifactId>
+    </dependency>
+    <dependency>
+    	<groupId>nl.surfnet.apis</groupId>
+    	<artifactId>apis-resource-server-library</artifactId>
+    	<version>1.3.6-SNAPSHOT</version>
+    </dependency>
+    <dependency>
+    	<groupId>net.sf.uadetector</groupId>
+    	<artifactId>uadetector-resources</artifactId>
+    	<version>2014.04</version>
+    	<scope>provided</scope>
+    </dependency>
+  </dependencies>
+
+</project>

shib-apis-authn/resources/saml.attributes.properties.dist

@@ -0,0 +1,17 @@
+#
+# APIs is protected by a Shibboleth SP now, like so:
+#<Location /oauth2/oauth2/authorize>
+#  AuthType shibboleth
+#  ShibRequestSetting requireSession 1
+#  require shib-session
+#</Location>
+#
+
+# REMOTE_USER is being used as principal. See shibboleth2.xml for which IdP attribute will make it up
+
+# could list further attributes driving displayname, admin role, etc.
+# and implement that in ShibAuthenticator.java
+
+# Comma separated list of Admin Principals, short of a usable SAML attribute
+[email protected],[email protected]
+