services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/LogoutService.java - cxf-fediz - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements. See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership. The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.cxf.fediz.service.oidc.logout;

 import java.net.URI;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;

 import javax.ws.rs.BadRequestException;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;

 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.fediz.service.oidc.FedizSubjectCreator;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.jose.common.JoseException;
 import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;

 @Path("/logout")
 public class LogoutService extends JoseJwtConsumer {
     private static final String CLIENT_LOGOUT_URI = "post_logout_redirect_uri";
     private static final String CLIENT_LOGOUT_URIS = "post_logout_redirect_uris";
     private static final String ID_TOKEN_HINT = "id_token_hint";

     @Context
     private MessageContext mc;
     private String relativeIdpLogoutUri;
     private OAuthDataProvider dataProvider;
     private FedizSubjectCreator subjectCreator = new FedizSubjectCreator();
     private BackChannelLogoutHandler backChannelLogoutHandler;
     private List<LogoutHandler> logoutHandlers;
     private boolean allowAnonymousLogout;

     @POST
     public Response initiateLogoutPost(MultivaluedMap<String, String> params) {
         return doInitiateLogout(params);
     }
     @GET
     public Response initiateLogoutGet() {
         return doInitiateLogout(mc.getUriInfo().getQueryParameters());
     }

     protected Response doInitiateLogout(MultivaluedMap<String, String> params) {

         IdToken idTokenHint = getIdTokenHint(params);
         Client client = getClient(params, idTokenHint);

         if (!allowAnonymousLogout || mc.getSecurityContext().getUserPrincipal() != null) {
             OidcUserSubject subject = subjectCreator.createUserSubject(mc, params);

             if (backChannelLogoutHandler != null) {
                 backChannelLogoutHandler.handleLogout(client, subject, idTokenHint);
             }
             if (logoutHandlers != null) {

                 for (LogoutHandler handler : logoutHandlers) {
                     handler.handleLogout(client, subject);
                 }
             }
         }

         // Clear OIDC session now
         mc.getHttpServletRequest().getSession().invalidate();

         // Redirect to the core IDP
         URI idpLogoutUri = getAbsoluteIdpLogoutUri(client, params);
         return Response.seeOther(idpLogoutUri).build();
     }


     private IdToken getIdTokenHint(MultivaluedMap<String, String> params) {
         String tokenHint = params.getFirst(ID_TOKEN_HINT);
         if (tokenHint == null) {
             return null;
         }
         final JwtToken token;
         try {
             token = super.getJwtToken(tokenHint);
         } catch (JoseException ex) {
             throw new BadRequestException(ex);
         }
         return new IdToken(token.getClaims());
     }

     private static URI getClientLogoutUri(final Client client, final MultivaluedMap<String, String> params) {
         String logoutUriProp = client.getProperties().get(CLIENT_LOGOUT_URIS);
         // logoutUriProp is guaranteed to be not null at this point
         String[] uris = logoutUriProp.split(" ");
         String clientLogoutUriParam = params.getFirst(CLIENT_LOGOUT_URI);
         final String uriStr;
         if (uris.length > 1) {
             if (clientLogoutUriParam == null
                     || !Arrays.asList(uris).contains(clientLogoutUriParam)) {
                 throw new BadRequestException();
             }
             uriStr = clientLogoutUriParam;
         } else {
             if (clientLogoutUriParam != null && !uris[0].equals(clientLogoutUriParam)) {
                 throw new BadRequestException();
             }
             uriStr = uris[0];
         }
         UriBuilder ub = UriBuilder.fromUri(uriStr);
         String state = params.getFirst(OAuthConstants.STATE);
         if (state != null) {
             ub.queryParam(OAuthConstants.STATE, state);
         }
         return ub.build().normalize();
     }

     private Client getClient(MultivaluedMap<String, String> params, IdToken idTokenHint) {
         String clientId = params.getFirst(OAuthConstants.CLIENT_ID);
         if (clientId == null && idTokenHint != null) {
             clientId = idTokenHint.getAudience();
             mc.getHttpServletRequest().setAttribute(OAuthConstants.CLIENT_ID, clientId);
         }
         if (clientId == null) {
             throw new BadRequestException();
         }
         Client c = dataProvider.getClient(clientId);
         if (c == null) {
             throw new BadRequestException();
         }
         if (StringUtils.isEmpty(c.getProperties().get(CLIENT_LOGOUT_URIS))) {
             throw new BadRequestException();
         }
         return c;
     }

     private URI getAbsoluteIdpLogoutUri(final Client client, final MultivaluedMap<String, String> params) {
         UriBuilder ub = mc.getUriInfo().getAbsolutePathBuilder()
             .path(relativeIdpLogoutUri)
             .queryParam("wreply", getClientLogoutUri(client, params))
             .queryParam(OAuthConstants.CLIENT_ID, client.getClientId());
         return ub.build().normalize();
     }

     public void setRelativeIdpLogoutUri(String relativeIdpLogoutUri) {
         this.relativeIdpLogoutUri = relativeIdpLogoutUri;
     }

     public void setLogoutHandlers(List<LogoutHandler> logoutHandlers) {
         this.logoutHandlers = logoutHandlers;
     }
     public void setLogoutHandler(LogoutHandler logoutHandler) {
         setLogoutHandlers(Collections.singletonList(logoutHandler));
     }
     public void setDataProvider(OAuthDataProvider dataProvider) {
         this.dataProvider = dataProvider;
     }
     public void setSubjectCreator(FedizSubjectCreator subjectCreator) {
         this.subjectCreator = subjectCreator;
     }
     public void setBackChannelLogoutHandler(BackChannelLogoutHandler handler) {
         this.backChannelLogoutHandler = handler;
     }

     public void setAllowAnonymousLogout(boolean allowAnonymousLogout) {
         this.allowAnonymousLogout = allowAnonymousLogout;
     }

     public void close() {
         if (backChannelLogoutHandler != null) {
             backChannelLogoutHandler.close();
         }
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.cxf.fediz.service.oidc.logout;

	import java.net.URI;
	import java.util.Arrays;
	import java.util.Collections;
	import java.util.List;

	import javax.ws.rs.BadRequestException;
	import javax.ws.rs.GET;
	import javax.ws.rs.POST;
	import javax.ws.rs.Path;
	import javax.ws.rs.core.Context;
	import javax.ws.rs.core.MultivaluedMap;
	import javax.ws.rs.core.Response;
	import javax.ws.rs.core.UriBuilder;

	import org.apache.cxf.common.util.StringUtils;
	import org.apache.cxf.fediz.service.oidc.FedizSubjectCreator;
	import org.apache.cxf.jaxrs.ext.MessageContext;
	import org.apache.cxf.rs.security.jose.common.JoseException;
	import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
	import org.apache.cxf.rs.security.jose.jwt.JwtToken;
	import org.apache.cxf.rs.security.oauth2.common.Client;
	import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
	import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
	import org.apache.cxf.rs.security.oidc.common.IdToken;
	import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;

	@Path("/logout")
	public class LogoutService extends JoseJwtConsumer {
	private static final String CLIENT_LOGOUT_URI = "post_logout_redirect_uri";
	private static final String CLIENT_LOGOUT_URIS = "post_logout_redirect_uris";
	private static final String ID_TOKEN_HINT = "id_token_hint";

	@Context
	private MessageContext mc;
	private String relativeIdpLogoutUri;
	private OAuthDataProvider dataProvider;
	private FedizSubjectCreator subjectCreator = new FedizSubjectCreator();
	private BackChannelLogoutHandler backChannelLogoutHandler;
	private List<LogoutHandler> logoutHandlers;
	private boolean allowAnonymousLogout;

	@POST
	public Response initiateLogoutPost(MultivaluedMap<String, String> params) {
	return doInitiateLogout(params);
	}
	@GET
	public Response initiateLogoutGet() {
	return doInitiateLogout(mc.getUriInfo().getQueryParameters());
	}

	protected Response doInitiateLogout(MultivaluedMap<String, String> params) {

	IdToken idTokenHint = getIdTokenHint(params);
	Client client = getClient(params, idTokenHint);

	if (!allowAnonymousLogout \|\| mc.getSecurityContext().getUserPrincipal() != null) {
	OidcUserSubject subject = subjectCreator.createUserSubject(mc, params);

	if (backChannelLogoutHandler != null) {
	backChannelLogoutHandler.handleLogout(client, subject, idTokenHint);
	}
	if (logoutHandlers != null) {

	for (LogoutHandler handler : logoutHandlers) {
	handler.handleLogout(client, subject);
	}
	}
	}

	// Clear OIDC session now
	mc.getHttpServletRequest().getSession().invalidate();

	// Redirect to the core IDP
	URI idpLogoutUri = getAbsoluteIdpLogoutUri(client, params);
	return Response.seeOther(idpLogoutUri).build();
	}


	private IdToken getIdTokenHint(MultivaluedMap<String, String> params) {
	String tokenHint = params.getFirst(ID_TOKEN_HINT);
	if (tokenHint == null) {
	return null;
	}
	final JwtToken token;
	try {
	token = super.getJwtToken(tokenHint);
	} catch (JoseException ex) {
	throw new BadRequestException(ex);
	}
	return new IdToken(token.getClaims());
	}

	private static URI getClientLogoutUri(final Client client, final MultivaluedMap<String, String> params) {
	String logoutUriProp = client.getProperties().get(CLIENT_LOGOUT_URIS);
	// logoutUriProp is guaranteed to be not null at this point
	String[] uris = logoutUriProp.split(" ");
	String clientLogoutUriParam = params.getFirst(CLIENT_LOGOUT_URI);
	final String uriStr;
	if (uris.length > 1) {
	if (clientLogoutUriParam == null
	\|\| !Arrays.asList(uris).contains(clientLogoutUriParam)) {
	throw new BadRequestException();
	}
	uriStr = clientLogoutUriParam;
	} else {
	if (clientLogoutUriParam != null && !uris[0].equals(clientLogoutUriParam)) {
	throw new BadRequestException();
	}
	uriStr = uris[0];
	}
	UriBuilder ub = UriBuilder.fromUri(uriStr);
	String state = params.getFirst(OAuthConstants.STATE);
	if (state != null) {
	ub.queryParam(OAuthConstants.STATE, state);
	}
	return ub.build().normalize();
	}

	private Client getClient(MultivaluedMap<String, String> params, IdToken idTokenHint) {
	String clientId = params.getFirst(OAuthConstants.CLIENT_ID);
	if (clientId == null && idTokenHint != null) {
	clientId = idTokenHint.getAudience();
	mc.getHttpServletRequest().setAttribute(OAuthConstants.CLIENT_ID, clientId);
	}
	if (clientId == null) {
	throw new BadRequestException();
	}
	Client c = dataProvider.getClient(clientId);
	if (c == null) {
	throw new BadRequestException();
	}
	if (StringUtils.isEmpty(c.getProperties().get(CLIENT_LOGOUT_URIS))) {
	throw new BadRequestException();
	}
	return c;
	}

	private URI getAbsoluteIdpLogoutUri(final Client client, final MultivaluedMap<String, String> params) {
	UriBuilder ub = mc.getUriInfo().getAbsolutePathBuilder()
	.path(relativeIdpLogoutUri)
	.queryParam("wreply", getClientLogoutUri(client, params))
	.queryParam(OAuthConstants.CLIENT_ID, client.getClientId());
	return ub.build().normalize();
	}

	public void setRelativeIdpLogoutUri(String relativeIdpLogoutUri) {
	this.relativeIdpLogoutUri = relativeIdpLogoutUri;
	}

	public void setLogoutHandlers(List<LogoutHandler> logoutHandlers) {
	this.logoutHandlers = logoutHandlers;
	}
	public void setLogoutHandler(LogoutHandler logoutHandler) {
	setLogoutHandlers(Collections.singletonList(logoutHandler));
	}
	public void setDataProvider(OAuthDataProvider dataProvider) {
	this.dataProvider = dataProvider;
	}
	public void setSubjectCreator(FedizSubjectCreator subjectCreator) {
	this.subjectCreator = subjectCreator;
	}
	public void setBackChannelLogoutHandler(BackChannelLogoutHandler handler) {
	this.backChannelLogoutHandler = handler;
	}

	public void setAllowAnonymousLogout(boolean allowAnonymousLogout) {
	this.allowAnonymousLogout = allowAnonymousLogout;
	}

	public void close() {
	if (backChannelLogoutHandler != null) {
	backChannelLogoutHandler.close();
	}
	}
	}