
Commit 88e351c

committed
CXF-9222 - Remove partialMatchScopeValidation for OAuth
1 parent 323c90f commit 88e351c

5 files changed

Lines changed: 28 additions & 66 deletions


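--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -144,8 +144,7 @@ protected ServerAccessToken getPreAuthorizedToken(Client client,
 String requestedGrant,
 List<String> requestedScopes,
 List<String> audiences) {
-if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(),
-partialMatchScopeValidation)) {
+if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes())) {
 throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
 }
 if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) {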
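Review bot: The call site drops the `partialMatchScopeValidation` argument, but this file's count of 1 addition and 2 deletions suggests the field and its `setPartialMatchScopeValidation` setter in AbstractGrantHandler are left in place outside this hunk. A setter that configuration can still call but that nothing consults hides the behaviour change from operators who relied on prefix matching; if the field is indeed still there, remove it as the commit does in RefreshTokenGrantHandler and RedirectionBasedGrantService, or at least mark the setter `@Deprecated(since = "<next-release>", forRemoval = true)` with a Javadoc `@deprecated` note that scope validation is now always an exact match. getPreAuthorizedToken starts before this hunk and continues past it.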

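--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
@@ -33,7 +33,6 @@
 public class RefreshTokenGrantHandler implements AccessTokenGrantHandler {
 
 private OAuthDataProvider dataProvider;
-private boolean partialMatchScopeValidation;
 private boolean useAllClientScopes;
 
 public void setDataProvider(OAuthDataProvider dataProvider) {
@@ -50,16 +49,12 @@ public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String,
 List<String> requestedScopes = OAuthUtils.getRequestedScopes(client,
 params.getFirst(OAuthConstants.SCOPE),
 useAllClientScopes,
-partialMatchScopeValidation, false);
+false);
 final ServerAccessToken st = dataProvider.refreshAccessToken(client, refreshToken, requestedScopes);
 st.setGrantType(OAuthConstants.REFRESH_TOKEN_GRANT);
 return st;
 }
 
-public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
-this.partialMatchScopeValidation = partialMatchScopeValidation;
-}
-
 public void setUseAllClientScopes(boolean useAllClientScopes) {
 this.useAllClientScopes = useAllClientScopes;
 }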

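--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -61,7 +61,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 private Set<String> supportedResponseTypes;
 private String supportedGrantType;
 private boolean useAllClientScopes;
-private boolean partialMatchScopeValidation;
 private boolean useRegisteredRedirectUriIfPossible = true;
 private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
 private SubjectCreator subjectCreator;
@@ -180,8 +179,7 @@ protected Response startAuthorization(MultivaluedMap<String, String> params,
 try {
 requestedScope = OAuthUtils.getRequestedScopes(client,
 providedScope,
-useAllClientScopes,
-partialMatchScopeValidation);
+useAllClientScopes);
 requestedPermissions = getDataProvider().convertScopeToPermissions(client, requestedScope);
 } catch (OAuthServiceException ex) {
 LOG.log(Level.FINE, "Error processing scopes", ex);
@@ -401,8 +399,7 @@ protected Response completeAuthorization(MultivaluedMap<String, String> params)
 approvedScope.add(rScope);
 }
 }
-if (!OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes(),
-partialMatchScopeValidation)) {
+if (!OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes())) {
 return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
 }
 getMessageContext().put(AUTHORIZATION_REQUEST_PARAMETERS, params);
@@ -571,10 +568,6 @@ public void setResourceOwnerNameProvider(ResourceOwnerNameProvider resourceOwner
 this.resourceOwnerNameProvider = resourceOwnerNameProvider;
 }
 
-public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
-this.partialMatchScopeValidation = partialMatchScopeValidation;
-}
-
 public void setUseAllClientScopes(boolean useAllClientScopes) {
 this.useAllClientScopes = useAllClientScopes;
 }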

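--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -321,15 +321,13 @@ public static boolean checkRequestURI(String servletPath, String uri) {
 
 public static List<String> getRequestedScopes(Client client,
 String scopeParameter,
-boolean useAllClientScopes,
-boolean partialMatchScopeValidation) {
-return getRequestedScopes(client, scopeParameter, useAllClientScopes, partialMatchScopeValidation, true);
+boolean useAllClientScopes) {
+return getRequestedScopes(client, scopeParameter, useAllClientScopes, true);
 }
 
 public static List<String> getRequestedScopes(Client client,
 String scopeParameter,
 boolean useAllClientScopes,
-boolean partialMatchScopeValidation,
 boolean defaultToRegisteredScopes) {
 List<String> requestScopes = parseScope(scopeParameter);
 List<String> registeredScopes = client.getRegisteredScopes();
@@ -339,7 +337,7 @@ public static List<String> getRequestedScopes(Client client,
 }
 return requestScopes;
 }
-if (!validateScopes(requestScopes, registeredScopes, partialMatchScopeValidation)) {
+if (!validateScopes(requestScopes, registeredScopes)) {
 throw new OAuthServiceException("Unexpected scope");
 }
 if (useAllClientScopes) {
@@ -353,26 +351,10 @@ public static List<String> getRequestedScopes(Client client,
 return requestScopes;
 }
 
-public static boolean validateScopes(List<String> requestScopes, List<String> registeredScopes,
-boolean partialMatchScopeValidation) {
+public static boolean validateScopes(List<String> requestScopes, List<String> registeredScopes) {
 if (!registeredScopes.isEmpty()) {
-// if it is a strict validation then pre-registered scopes have to contains all
-// the current request scopes
-if (!partialMatchScopeValidation) {
-return registeredScopes.containsAll(requestScopes);
-}
-for (String requestScope : requestScopes) {
-boolean match = false;
-for (String registeredScope : registeredScopes) {
-if (requestScope.startsWith(registeredScope)) {
-match = true;
-break;
-}
-}
-if (!match) {
-return false;
-}
-}
+// pre-registered scopes have to contains all the current request scopes
+return registeredScopes.containsAll(requestScopes);
 }
 return true;
 }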
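Review bot: The simplified `validateScopes` has no Javadoc, and the one comment it keeps, `// pre-registered scopes have to contains all the current request scopes`, is ungrammatical; suggest `// every requested scope must be registered for the client (exact match, no prefix matching)`. A Javadoc on the method should also spell out the case the code shows but does not explain: when `registeredScopes` is empty the method returns true for any request, so a client with no registered scopes is not constrained by this check at all — pre-existing behaviour, but the kind of thing a reviewer of scope policy needs stated rather than inferred. Because the `startsWith` prefix match is removed outright rather than deprecated, deployments that registered scope prefixes (a registered `c` accepting `c-1`, the case the deleted test covered) will now be rejected with INVALID_SCOPE; that is presumably the intent of CXF-9222 but deserves a migration note.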

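--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtilsTest.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtilsTest.java
@@ -18,11 +18,8 @@
 */
 package org.apache.cxf.rs.security.oauth2.utils;
 
-import java.util.Collections;
 import java.util.List;
 
-import org.apache.cxf.rs.security.oauth2.common.Client;
-
 import org.junit.Test;
 
 import static org.junit.Assert.assertEquals;
@@ -35,42 +32,38 @@ public class OAuthUtilsTest {
 public void testValidateScopesStrict() {
 List<String> requestScopes = OAuthUtils.parseScope("a c b");
 List<String> registeredScopes = OAuthUtils.parseScope("a b c d");
-assertTrue(OAuthUtils.validateScopes(requestScopes, registeredScopes, false));
+assertTrue(OAuthUtils.validateScopes(requestScopes, registeredScopes));
 }
 @Test
 public void testValidateScopesStrictFail() {
 List<String> requestScopes = OAuthUtils.parseScope("a b c d");
 List<String> registeredScopes = OAuthUtils.parseScope("a b d");
-assertFalse(OAuthUtils.validateScopes(requestScopes, registeredScopes, false));
-}
-
-@Test
-public void testValidateScopesPartial() {
-List<String> requestScopes = OAuthUtils.parseScope("a b c-1");
-List<String> registeredScopes = OAuthUtils.parseScope("a b c");
-assertTrue(OAuthUtils.validateScopes(requestScopes, registeredScopes, true));
+assertFalse(OAuthUtils.validateScopes(requestScopes, registeredScopes));
 }
 
 @Test
-public void testValidateScopesPartialFail() {
-List<String> requestScopes = OAuthUtils.parseScope("a b c");
-List<String> registeredScopes = OAuthUtils.parseScope("a b");
-assertFalse(OAuthUtils.validateScopes(requestScopes, registeredScopes, true));
+public void testParseScopeEmpty() {
+assertTrue(OAuthUtils.parseScope(null).isEmpty());
+assertTrue(OAuthUtils.parseScope("").isEmpty());
+assertTrue(OAuthUtils.parseScope(" ").isEmpty());
 }
 
 @Test
-public void testGetRequestedScopesRegistered() {
-Client c = new Client();
-List<String> scopes = Collections.singletonList("a");
-c.setRegisteredScopes(scopes);
-assertEquals(scopes, OAuthUtils.getRequestedScopes(c, "", false, false));
+public void testParseScopeWithExtraSpaces() {
+List<String> scopes = OAuthUtils.parseScope(" read write admin ");
+assertEquals(3, scopes.size());
+assertEquals("read", scopes.get(0));
+assertEquals("write", scopes.get(1));
+assertEquals("admin", scopes.get(2));
 }
 
 @Test
-public void testParseScopeEmpty() {
-assertTrue(OAuthUtils.parseScope(null).isEmpty());
-assertTrue(OAuthUtils.parseScope("").isEmpty());
-assertTrue(OAuthUtils.parseScope(" ").isEmpty());
+public void testParseScopeWithDuplicates() {
+List<String> scopes = OAuthUtils.parseScope("a a b");
+assertEquals(3, scopes.size());
+assertEquals("a", scopes.get(0));
+assertEquals("a", scopes.get(1));
+assertEquals("b", scopes.get(2));
 }
 
 }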
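Review bot: `testGetRequestedScopesRegistered` is deleted rather than adapted, so the only test of `getRequestedScopes` — an empty scope parameter defaulting to the client's registered scopes — is gone, and the parseScope tests added in its place do not exercise that path. Keeping it against the new three-argument overload is a one-line change, `assertEquals(scopes, OAuthUtils.getRequestedScopes(c, "", false));`, with the `Client` and `Collections` imports restored. A companion test asserting that an unregistered scope makes `getRequestedScopes` throw `OAuthServiceException` would pin the now-strict behaviour at the entry point the grant handlers actually call, rather than only at `validateScopes`.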
