/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.syncope.wa.starter.mapping;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.syncope.common.lib.to.ClientAppTO;
import org.apache.syncope.common.lib.to.OIDCRPClientAppTO;
import org.apache.syncope.common.lib.types.OIDCGrantType;
import org.apache.syncope.common.lib.types.OIDCResponseType;
import org.apache.syncope.common.lib.types.OIDCScope;
import org.apache.syncope.common.lib.wa.WAClientApp;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.oidc.claims.OidcAddressScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcCustomScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcOpenIdScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcPhoneScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy;
import org.apereo.cas.services.BaseMappedAttributeReleasePolicy;
import org.apereo.cas.services.ChainingAttributeReleasePolicy;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategy;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy;
import org.apereo.cas.services.RegisteredServiceAuthenticationPolicy;
import org.apereo.cas.services.RegisteredServiceMultifactorPolicy;
import org.apereo.cas.services.RegisteredServiceProxyGrantingTicketExpirationPolicy;
import org.apereo.cas.services.RegisteredServiceProxyTicketExpirationPolicy;
import org.apereo.cas.services.RegisteredServiceServiceTicketExpirationPolicy;
import org.apereo.cas.services.RegisteredServiceTicketGrantingTicketExpirationPolicy;
import org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy;
/**
 * Maps an {@link OIDCRPClientAppTO} (an OpenID Connect relying party defined in Syncope) onto the
 * {@link OidcRegisteredService} that CAS registers for it, including the attribute release chain
 * derived from the requested OIDC scopes.
 */
public class OIDCRPClientAppTOMapper extends AbstractClientAppMapper {

    /** Name of the custom OIDC scope under which non-standard claims are released. */
    private static final String CUSTOM_SCOPE = "syncope";

    /**
     * Tells whether this mapper handles the given client application.
     *
     * @param clientApp client application to check
     * @return {@code true} only when the runtime class is exactly {@link OIDCRPClientAppTO}
     */
    @Override
    public boolean supports(final ClientAppTO clientApp) {
        // exact class match (Class#equals is identity): subclasses are deliberately not accepted
        return clientApp.getClass() == OIDCRPClientAppTO.class;
    }

    /**
     * Wraps the given release policy into a chain, reusing it when it already is one.
     *
     * @param policy release policy to wrap, possibly {@code null}
     * @return the policy itself when it is a chain, otherwise a new chain holding it (empty if {@code null})
     */
    private static ChainingAttributeReleasePolicy asChain(final RegisteredServiceAttributeReleasePolicy policy) {
        if (policy instanceof ChainingAttributeReleasePolicy chaining) {
            return chaining;
        }
        ChainingAttributeReleasePolicy chain = new ChainingAttributeReleasePolicy();
        if (policy != null) {
            chain.addPolicies(policy);
        }
        return chain;
    }

    /**
     * Appends one CAS release policy per standard OIDC scope requested by the relying party.
     * Policies are added in a fixed order: openid, profile, address, email, phone.
     *
     * @param chain chain to extend
     * @param rp relying party whose scopes are inspected
     */
    private static void addStandardScopePolicies(
            final ChainingAttributeReleasePolicy chain, final OIDCRPClientAppTO rp) {

        if (rp.getScopes().contains(OIDCScope.OPENID)) {
            chain.addPolicies(new OidcOpenIdScopeAttributeReleasePolicy());
        }
        if (rp.getScopes().contains(OIDCScope.PROFILE)) {
            chain.addPolicies(new OidcProfileScopeAttributeReleasePolicy());
        }
        if (rp.getScopes().contains(OIDCScope.ADDRESS)) {
            chain.addPolicies(new OidcAddressScopeAttributeReleasePolicy());
        }
        if (rp.getScopes().contains(OIDCScope.EMAIL)) {
            chain.addPolicies(new OidcEmailScopeAttributeReleasePolicy());
        }
        if (rp.getScopes().contains(OIDCScope.PHONE)) {
            chain.addPolicies(new OidcPhoneScopeAttributeReleasePolicy());
        }
    }

    /**
     * Collects the attribute names allowed by the given release policy; these are the candidates
     * for the custom scope. When the policy is a chain, only its first ReturnAllowed member is read.
     *
     * @param policy release policy to inspect, possibly {@code null}
     * @return mutable set of attribute names, empty when the policy is of an unsupported type
     */
    private static Set<String> allowedClaimsOf(final RegisteredServiceAttributeReleasePolicy policy) {
        Set<String> claims = new HashSet<>();
        if (policy instanceof BaseMappedAttributeReleasePolicy mapped) {
            // mapped policies expose attribute -> claim name; the claim name (value) is what matters here
            mapped.getAllowedAttributes().values().forEach(value -> claims.add(Objects.toString(value)));
        } else if (policy instanceof ReturnAllowedAttributeReleasePolicy allowed) {
            claims.addAll(allowed.getAllowedAttributes());
        } else if (policy instanceof ChainingAttributeReleasePolicy chaining) {
            chaining.getPolicies().stream().
                    filter(ReturnAllowedAttributeReleasePolicy.class::isInstance).
                    map(ReturnAllowedAttributeReleasePolicy.class::cast).
                    findFirst().
                    ifPresent(first -> claims.addAll(first.getAllowedAttributes()));
        }
        return claims;
    }

    /**
     * Removes from {@code claims} every claim already released by a standard scope the relying party
     * requested, so that the custom scope carries only non-standard claims. The openid scope has no
     * claim list to subtract.
     *
     * @param claims candidate custom claims, modified in place
     * @param rp relying party whose scopes are inspected
     */
    private static void dropStandardClaims(final Set<String> claims, final OIDCRPClientAppTO rp) {
        if (rp.getScopes().contains(OIDCScope.PROFILE)) {
            claims.removeAll(OidcProfileScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
        }
        if (rp.getScopes().contains(OIDCScope.ADDRESS)) {
            claims.removeAll(OidcAddressScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
        }
        if (rp.getScopes().contains(OIDCScope.EMAIL)) {
            claims.removeAll(OidcEmailScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
        }
        if (rp.getScopes().contains(OIDCScope.PHONE)) {
            claims.removeAll(OidcPhoneScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
        }
    }

    /**
     * Builds the CAS registered service for an OIDC relying party.
     *
     * @param clientApp WA view of the client application; its TO must be an {@link OIDCRPClientAppTO}
     * @param authPolicy authentication policy, passed through to {@code setPolicies}
     * @param mfaPolicy multifactor policy, passed through to {@code setPolicies}
     * @param accessStrategy access strategy, passed through to {@code setPolicies}
     * @param attributeReleasePolicy base release policy; it is wrapped into (or used as) the chain that
     * also receives the per-scope policies and, when needed, the custom-scope policy
     * @param tgtExpirationPolicy TGT expiration policy, passed through to {@code setPolicies}
     * @param stExpirationPolicy ST expiration policy, passed through to {@code setPolicies}
     * @param tgtProxyExpirationPolicy proxy-granting ticket expiration policy, passed through
     * @param stProxyExpirationPolicy proxy ticket expiration policy, passed through
     * @param properties CAS configuration; its OIDC discovery claim list is extended with the custom claims
     * @return the populated {@link OidcRegisteredService}
     * @throws ClassCastException if the wrapped TO is not an {@link OIDCRPClientAppTO}
     */
    @Override
    public RegisteredService map(
            final WAClientApp clientApp,
            final RegisteredServiceAuthenticationPolicy authPolicy,
            final RegisteredServiceMultifactorPolicy mfaPolicy,
            final RegisteredServiceAccessStrategy accessStrategy,
            final RegisteredServiceAttributeReleasePolicy attributeReleasePolicy,
            final RegisteredServiceTicketGrantingTicketExpirationPolicy tgtExpirationPolicy,
            final RegisteredServiceServiceTicketExpirationPolicy stExpirationPolicy,
            final RegisteredServiceProxyGrantingTicketExpirationPolicy tgtProxyExpirationPolicy,
            final RegisteredServiceProxyTicketExpirationPolicy stProxyExpirationPolicy,
            final CasConfigurationProperties properties) {

        OIDCRPClientAppTO rp = (OIDCRPClientAppTO) clientApp.getClientAppTO();
        OidcRegisteredService service = new OidcRegisteredService();
        setCommon(service, rp);

        // NOTE(review): CAS appears to interpret serviceId as a pattern, and the redirect URIs are
        // joined here without escaping; regex metacharacters inside a URI would widen which
        // redirect_uri values match - confirm against the CAS version in use.
        String redirectUris = rp.getRedirectUris().stream().
                filter(Objects::nonNull).
                collect(Collectors.joining("|"));
        service.setServiceId(redirectUris);

        service.setClientId(rp.getClientId());
        service.setClientSecret(rp.getClientSecret());

        service.setSignIdToken(rp.isSignIdToken());
        if (!service.isSignIdToken()) {
            // an unsigned ID token is expressed towards CAS as the "none" signing algorithm
            service.setIdTokenSigningAlg("none");
        }
        service.setJwtAccessToken(rp.isJwtAccessToken());
        service.setBypassApprovalPrompt(rp.isBypassApprovalPrompt());

        Set<String> grantTypes = rp.getSupportedGrantTypes().stream().
                map(OIDCGrantType::name).
                collect(Collectors.toCollection(HashSet::new));
        service.setSupportedGrantTypes(grantTypes);

        Set<String> responseTypes = rp.getSupportedResponseTypes().stream().
                map(OIDCResponseType::getExternalForm).
                collect(Collectors.toCollection(HashSet::new));
        service.setSupportedResponseTypes(responseTypes);

        if (rp.getSubjectType() != null) {
            service.setSubjectType(rp.getSubjectType().name());
        }
        service.setLogoutUrl(rp.getLogoutUri());

        ChainingAttributeReleasePolicy chain = asChain(attributeReleasePolicy);
        addStandardScopePolicies(chain, rp);

        // whatever the base policy allows beyond the standard scopes goes into the custom scope
        Set<String> customClaims = allowedClaimsOf(attributeReleasePolicy);
        dropStandardClaims(customClaims, rp);

        if (!customClaims.isEmpty()) {
            // NOTE(review): this extends the discovery claim list held by the shared CAS configuration,
            // a side effect on global state that outlives this client app - confirm intended
            List<String> supportedClaims = properties.getAuthn().getOidc().getDiscovery().getClaims();
            if (!supportedClaims.containsAll(customClaims)) {
                List<String> merged = Stream.concat(supportedClaims.stream(), customClaims.stream()).
                        distinct().
                        collect(Collectors.toList());
                properties.getAuthn().getOidc().getDiscovery().setClaims(merged);
            }
            chain.addPolicies(new OidcCustomScopeAttributeReleasePolicy(
                    CUSTOM_SCOPE, customClaims.stream().collect(Collectors.toList())));
        }

        setPolicies(service, authPolicy, mfaPolicy, accessStrategy, chain,
                tgtExpirationPolicy, stExpirationPolicy, tgtProxyExpirationPolicy, stProxyExpirationPolicy);
        return service;
    }
}