Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow user revoked tokens to delete #7060

Merged
merged 28 commits into from
Aug 4, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
3279481
Deactivated records should get 409 on GET requests
amontenegro Feb 27, 2024
b3660c2
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Feb 28, 2024
2cc66ab
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Mar 1, 2024
f2dc713
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Mar 4, 2024
b4f8223
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Mar 7, 2024
b0026c3
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Mar 12, 2024
53e7616
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Mar 19, 2024
bf82372
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Mar 25, 2024
23b6afb
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Apr 4, 2024
182c67d
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Apr 4, 2024
c52ef13
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Apr 8, 2024
d4f779b
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Apr 8, 2024
27b0033
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Apr 17, 2024
585b896
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Apr 18, 2024
9c9dfef
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro May 8, 2024
42ac636
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro May 28, 2024
3f0d771
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jun 10, 2024
e65ec79
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jun 20, 2024
e69191a
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jun 24, 2024
cff8029
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jul 3, 2024
ddf3e67
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jul 4, 2024
a091bb3
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jul 5, 2024
97024f0
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jul 15, 2024
3201e7e
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jul 18, 2024
c85de91
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jul 22, 2024
3132245
Merge branch 'main' of https://github.com/ORCID/ORCID-Source
amontenegro Jul 30, 2024
64e8c47
On OBO, When a token is user disabled, it should be possible to use t…
amontenegro Aug 1, 2024
e30fbe1
More unit tests
amontenegro Aug 1, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,6 @@
*/
public class IETFExchangeTokenGranter implements TokenGranter {

public static final String IETF_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";
private AuthorizationServerTokenServices tokenServices;

@Resource(name = "orcidOauth2AuthoriziationCodeDetailDao")
Expand All @@ -75,7 +74,7 @@ public class IETFExchangeTokenGranter implements TokenGranter {
@Resource
OpenIDConnectTokenEnhancer openIDConnectTokenEnhancer;

private List<String> doNotAllowDeleteOnTheseRevokeReasons = List.of(RevokeReason.CLIENT_REVOKED.name(), RevokeReason.STAFF_REVOKED.name());
private final List<RevokeReason> doNotAllowDeleteOnTheseRevokeReasons = List.of(RevokeReason.CLIENT_REVOKED, RevokeReason.STAFF_REVOKED, RevokeReason.RECORD_DEACTIVATED, RevokeReason.AUTH_CODE_REUSED);

public IETFExchangeTokenGranter(AuthorizationServerTokenServices tokenServices) {
this.tokenServices = tokenServices;
Expand Down Expand Up @@ -239,10 +238,12 @@ private OAuth2AccessToken generateAccessToken(TokenRequest tokenRequest, String
Set<ScopePathType> inactiveScopesOBO = Sets.newHashSet();
boolean issueRevokedToken = false;
RevokeReason revokeReason = null;
// Lets consider token expiration time anything that goes beyond this date
Date now = new Date();
for (OrcidOauth2TokenDetail d : details) {
Set<ScopePathType> scopesInToken = ScopePathType.getScopesFromSpaceSeparatedString(d.getScope());
// If token is expired, we should ignore it
if (d.getTokenExpiration().after(new Date())) {
if (d.getTokenExpiration().after(now)) {
// If token is disabled, we should know if it have the /activities/update scope on it
if(d.getTokenDisabled() == null || !d.getTokenDisabled()) {
activeScopesOBO.addAll(scopesInToken);
Expand All @@ -257,8 +258,12 @@ private OAuth2AccessToken generateAccessToken(TokenRequest tokenRequest, String
// Keep only the /activities/update scope if the token was not revoked by a client or staff member
if(revokeReason == null || !doNotAllowDeleteOnTheseRevokeReasons.contains(revokeReason)) {
inactiveScopesOBO.add(ScopePathType.ACTIVITIES_UPDATE);
} else {
throw new OrcidInvalidScopeException("The id_token is disabled and does not contain any valid scope");
}
}
} else {
throw new OrcidInvalidScopeException("The id_token is disabled and does not contain any valid scope");
}
}
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -289,14 +289,14 @@ public void grantDisabledTokenDoesntWorkTest() throws NoSuchAlgorithmException,
tokenGranter.grant(GRANT_TYPE, getTokenRequest(ACTIVE_CLIENT_ID, List.of("/read-limited")));
fail();
} catch (OrcidInvalidScopeException oise) {
assertEquals("The id_token is not associated with a valid scope", oise.getMessage());
assertEquals("The id_token is disabled and does not contain any valid scope", oise.getMessage());
} catch (Exception e) {
fail();
}
}

@Test
public void grantDisabledTokenWithActivitiesReadLimitedGenerateDeactivatedTokenTest()
public void grantUserDisabledTokenWithActivitiesReadLimitedGenerateDeactivatedTokenTest()
throws NoSuchAlgorithmException, IOException, ParseException, URISyntaxException, JOSEException {
OrcidOauth2TokenDetail token1 = getOrcidOauth2TokenDetail(true, "/activities/update", System.currentTimeMillis() + 60000, true);
token1.setRevokeReason(RevokeReason.USER_REVOKED.name());
Expand All @@ -309,6 +309,38 @@ public void grantDisabledTokenWithActivitiesReadLimitedGenerateDeactivatedTokenT
verify(tokenServicesMock, never()).createAccessToken(any());
}

@Test
public void grantClientDisabledTokenWithActivitiesReadLimitedThrowExceptionTest()
throws NoSuchAlgorithmException, IOException, ParseException, URISyntaxException, JOSEException {
OrcidOauth2TokenDetail token1 = getOrcidOauth2TokenDetail(true, "/activities/update", System.currentTimeMillis() + 60000, true);
token1.setRevokeReason(RevokeReason.CLIENT_REVOKED.name());

when(orcidOauthTokenDetailServiceMock.findByClientIdAndUserName(any(), any())).thenReturn(List.of(token1));
try {
tokenGranter.grant(GRANT_TYPE, getTokenRequest(ACTIVE_CLIENT_ID, List.of("/activities/update")));
} catch(OrcidInvalidScopeException e) {
assertEquals("The id_token is disabled and does not contain any valid scope", e.getMessage());
} catch(Exception e) {
fail("Unhandled exception:" + e.getMessage());
}
}

@Test
public void grantStaffDisabledTokenWithActivitiesReadLimitedThrowExceptionTest()
throws NoSuchAlgorithmException, IOException, ParseException, URISyntaxException, JOSEException {
OrcidOauth2TokenDetail token1 = getOrcidOauth2TokenDetail(true, "/activities/update", System.currentTimeMillis() + 60000, true);
token1.setRevokeReason(RevokeReason.STAFF_REVOKED.name());

when(orcidOauthTokenDetailServiceMock.findByClientIdAndUserName(any(), any())).thenReturn(List.of(token1));
try {
tokenGranter.grant(GRANT_TYPE, getTokenRequest(ACTIVE_CLIENT_ID, List.of("/activities/update")));
} catch(OrcidInvalidScopeException e) {
assertEquals("The id_token is disabled and does not contain any valid scope", e.getMessage());
} catch(Exception e) {
fail("Unhandled exception:" + e.getMessage());
}
}

@Test
public void grantDisabledTokenWithActivitiesUpdateAndOtherActiveTokenWithOtherScopesGenerateDeactivatedTokenTest()
throws NoSuchAlgorithmException, IOException, ParseException, URISyntaxException, JOSEException {
Expand Down
Loading