github-advanced-security[bot] commented on code in PR #1320:
URL: https://github.com/apache/syncope/pull/1320#discussion_r2930275835
##########
wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/DefaultAttrReleaseMapper.java:
##########
@@ -230,4 +137,165 @@
return single == null ? chain : single;
}
+
+ @Override
+ public RegisteredServiceAttributeReleasePolicy build(final ClientAppTO
app, final AttrReleasePolicyTO policy) {
+ DefaultAttrReleasePolicyConf conf = (DefaultAttrReleasePolicyConf)
policy.getConf();
+
+ ReturnMappedAttributeReleasePolicy returnMapped = null;
+ ReturnAllowedAttributeReleasePolicy returnAllowed = null;
+ if (!conf.getReleaseAttrs().isEmpty()) {
+ returnMapped = new ReturnMappedAttributeReleasePolicy();
+ returnMapped.setAllowedAttributes(conf.getReleaseAttrs());
+
+ if (!conf.getAllowedAttrs().isEmpty()) {
+ returnAllowed = new ReturnAllowedAttributeReleasePolicy();
+ returnAllowed.setAllowedAttributes(conf.getAllowedAttrs());
+ }
+ }
+
+ ChainingAttributeReleasePolicy chain = new
ChainingAttributeReleasePolicy();
+ AbstractRegisteredServiceAttributeReleasePolicy single = null;
+ if (returnMapped == null && returnAllowed == null) {
+ single = new DenyAllAttributeReleasePolicy();
+ } else if (returnMapped != null && returnAllowed == null) {
+ single = returnMapped;
+ } else if (returnMapped == null && returnAllowed != null) {
+ single = returnAllowed;
+ } else {
+ chain.addPolicies(returnMapped, returnAllowed);
+ }
+
+ return build(policy, conf, single, chain);
+ }
+
+ protected void buildForOIDCStandardScope(
+ final OIDCRPClientAppTO clientApp,
+ final DefaultAttrReleasePolicyConf conf,
+ final Map<String, BaseOidcScopeAttributeReleasePolicy> policies,
+ final Supplier<BaseOidcScopeAttributeReleasePolicy>
attributeReleasePolicyCreator,
+ final OIDCStandardScope scope,
+ final String internal,
+ final String external) {
+
+ if (clientApp.getScopes().contains(scope.name())) {
+ BaseOidcScopeAttributeReleasePolicy policy =
policies.computeIfAbsent(
+ scope.name(), k -> attributeReleasePolicyCreator.get());
+
+ policy.getClaimMappings().put(external, internal);
+
+ if (conf.getAllowedAttrs().contains(external)) {
+ policy.getAllowedAttributes().add(external);
+ }
+ } else {
+ warnMissingScope(clientApp.getName(), internal, external,
scope.name());
+ }
+ }
+
+ protected void buildForOIDCustomScope(
+ final OIDCRPClientAppTO clientApp,
+ final DefaultAttrReleasePolicyConf conf,
+ final Map<String, BaseOidcScopeAttributeReleasePolicy> policies,
+ final String scope,
+ final String internal,
+ final String external) {
+
+ if (clientApp.getScopes().contains(scope)) {
+ BaseOidcScopeAttributeReleasePolicy policy =
policies.computeIfAbsent(
+ scope, k -> new
OidcCustomScopeAttributeReleasePolicy(scope, new ArrayList<>()));
+
+ policy.getClaimMappings().put(external, internal);
+
+ policy.getAllowedAttributes().add(external);
+ } else {
+ warnMissingScope(clientApp.getName(), internal, external, scope);
+ }
+ }
+
+ @Override
+ public RegisteredServiceAttributeReleasePolicy build(
+ final OIDCRPClientAppTO clientApp,
+ final AttrReleasePolicyTO policy,
+ final OIDCOpEntityTO oidcOpEntity) {
+
+ if (clientApp.getScopes().isEmpty()) {
+ return build(clientApp, policy);
+ }
+
+ DefaultAttrReleasePolicyConf conf = (DefaultAttrReleasePolicyConf)
policy.getConf();
+
+ Map<String, BaseOidcScopeAttributeReleasePolicy> policies = new
HashMap<>();
+
+ if (clientApp.getScopes().contains(OIDCStandardScope.openid.name())) {
+ policies.put(OIDCStandardScope.openid.name(), new
OidcOpenIdScopeAttributeReleasePolicy());
+ }
+ conf.getReleaseAttrs().forEach((internal, external) -> {
+ if
(OidcProfileScopeAttributeReleasePolicy.ALLOWED_CLAIMS.contains(external.toString()))
{
+ buildForOIDCStandardScope(
+ clientApp,
+ conf,
+ policies,
+ OidcProfileScopeAttributeReleasePolicy::new,
+ OIDCStandardScope.profile,
+ internal,
+ external.toString());
+ } else if
(OidcEmailScopeAttributeReleasePolicy.ALLOWED_CLAIMS.contains(external.toString()))
{
+ buildForOIDCStandardScope(
+ clientApp,
+ conf,
+ policies,
+ OidcEmailScopeAttributeReleasePolicy::new,
+ OIDCStandardScope.email,
+ internal,
+ external.toString());
+ } else if
(OidcAddressScopeAttributeReleasePolicy.ALLOWED_CLAIMS.contains(external.toString()))
{
+ buildForOIDCStandardScope(
+ clientApp,
+ conf,
+ policies,
+ OidcAddressScopeAttributeReleasePolicy::new,
+ OIDCStandardScope.address,
+ internal,
+ external.toString());
+ } else if
(OidcPhoneScopeAttributeReleasePolicy.ALLOWED_CLAIMS.contains(external.toString()))
{
+ buildForOIDCStandardScope(
+ clientApp,
+ conf,
+ policies,
+ OidcPhoneScopeAttributeReleasePolicy::new,
+ OIDCStandardScope.phone,
+ internal,
+ external.toString());
+ } else {
+ oidcOpEntity.getCustomScopes().entrySet().stream().
+ filter(entry ->
entry.getValue().contains(external.toString())).
+ map(Map.Entry::getKey).findFirst().ifPresentOrElse(
+ scope -> buildForOIDCustomScope(
+ clientApp, conf, policies, scope, internal,
external.toString()),
+ () -> LOG.warn(
+ "OIDC client app {} defines custom claim {}={}
for which no valid scope could be found",
+ clientApp, internal, external));
Review Comment:
## Use of default toString()
Default toString(): OIDCRPClientAppTO inherits toString() from Object, and
so is not suitable for printing.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2594)
##########
common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCOpEntityTO.java:
##########
@@ -67,13 +45,26 @@
this.key = key;
}
+ public String getJWKS() {
+ return jwks;
+ }
+
+ public void setJWKS(final String jwks) {
+ this.jwks = jwks;
+ }
+
+ public Map<String, Set<String>> getCustomScopes() {
Review Comment:
## Exposing internal representation
getCustomScopes exposes the internal representation stored in field
customScopes. The value may be modified [after this call to getCustomScopes](1).
getCustomScopes exposes the internal representation stored in field
customScopes. The value may be modified [after this call to getCustomScopes](2).
getCustomScopes exposes the internal representation stored in field
customScopes. The value may be modified [after this call to getCustomScopes](3).
getCustomScopes exposes the internal representation stored in field
customScopes. The value may be modified [after this call to getCustomScopes](4).
getCustomScopes exposes the internal representation stored in field
customScopes. The value may be modified [after this call to getCustomScopes](5).
getCustomScopes exposes the internal representation stored in field
customScopes. The value may be modified [after this call to getCustomScopes](6).
getCustomScopes exposes the internal representation stored in field
customScopes. The value may be modified [after this call to getCustomScopes](7).
getCustomScopes exposes the internal representation stored in field
customScopes. The value may be modified [after this call to getCustomScopes](8).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2595)
##########
client/am/console/src/main/java/org/apache/syncope/client/console/panels/OIDCCustomScopeDirectoryPanel.java:
##########
@@ -0,0 +1,226 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.client.console.panels;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import org.apache.commons.lang3.mutable.Mutable;
+import org.apache.syncope.client.console.SyncopeConsoleSession;
+import org.apache.syncope.client.console.commons.AMConstants;
+import org.apache.syncope.client.console.commons.DirectoryDataProvider;
+import org.apache.syncope.client.console.pages.BasePage;
+import
org.apache.syncope.client.console.panels.OIDCCustomScopeDirectoryPanel.CustomScope;
+import org.apache.syncope.client.console.rest.OIDCOpEntityRestClient;
+import org.apache.syncope.client.console.wicket.markup.html.form.ActionLink;
+import org.apache.syncope.client.console.wicket.markup.html.form.ActionsPanel;
+import org.apache.syncope.client.ui.commons.Constants;
+import org.apache.syncope.client.ui.commons.wizards.AjaxWizard;
+import org.apache.syncope.common.lib.SyncopeClientException;
+import org.apache.syncope.common.lib.to.EntityTO;
+import org.apache.syncope.common.lib.to.OIDCOpEntityTO;
+import org.apache.syncope.common.lib.types.AMEntitlement;
+import org.apache.wicket.PageReference;
+import org.apache.wicket.ajax.AjaxRequestTarget;
+import
org.apache.wicket.authroles.authorization.strategies.role.metadata.MetaDataRoleAuthorizationStrategy;
+import org.apache.wicket.event.Broadcast;
+import org.apache.wicket.extensions.markup.html.repeater.data.table.IColumn;
+import
org.apache.wicket.extensions.markup.html.repeater.data.table.PropertyColumn;
+import org.apache.wicket.model.CompoundPropertyModel;
+import org.apache.wicket.model.IModel;
+import org.apache.wicket.model.StringResourceModel;
+
+public abstract class OIDCCustomScopeDirectoryPanel
+ extends DirectoryPanel<CustomScope, CustomScope,
DirectoryDataProvider<CustomScope>, OIDCOpEntityRestClient> {
+
+ private static final long serialVersionUID = -7283064059391373326L;
+
+ public class CustomScope implements EntityTO {
Review Comment:
## Inner class could be static
CustomScope should be made static, since the enclosing instance is not used.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2590)
##########
client/am/console/src/main/java/org/apache/syncope/client/console/panels/OIDCCustomScopeWizardBuilder.java:
##########
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.client.console.panels;
+
+import java.io.Serializable;
+import java.util.HashSet;
+import java.util.Optional;
+import
org.apache.syncope.client.console.panels.OIDCCustomScopeDirectoryPanel.CustomScope;
+import org.apache.syncope.client.console.rest.OIDCOpEntityRestClient;
+import org.apache.syncope.client.console.wizards.BaseAjaxWizardBuilder;
+import
org.apache.syncope.client.ui.commons.markup.html.form.AjaxTextFieldPanel;
+import org.apache.syncope.client.ui.commons.markup.html.form.MultiFieldPanel;
+import org.apache.syncope.common.lib.to.OIDCOpEntityTO;
+import org.apache.wicket.PageReference;
+import org.apache.wicket.extensions.wizard.WizardModel;
+import org.apache.wicket.extensions.wizard.WizardStep;
+import org.apache.wicket.model.Model;
+import org.apache.wicket.model.PropertyModel;
+
+public class OIDCCustomScopeWizardBuilder extends
BaseAjaxWizardBuilder<CustomScope> {
+
+ private static final long serialVersionUID = 6268620772839923063L;
+
+ protected final OIDCOpEntityRestClient restClient;
+
+ public OIDCCustomScopeWizardBuilder(
+ final CustomScope customScope,
+ final OIDCOpEntityRestClient restClient,
+ final PageReference pageRef) {
+
+ super(customScope, pageRef);
+ this.restClient = restClient;
+ }
+
+ @Override
+ protected Serializable onApplyInternal(final CustomScope modelObject) {
+ OIDCOpEntityTO oidcOpEntity =
Optional.ofNullable(restClient.get().get()).orElseGet(() -> new
OIDCOpEntityTO());
+
+
Optional.ofNullable(getOriginalItem().getKey()).ifPresent(oidcOpEntity.getCustomScopes()::remove);
+
+ oidcOpEntity.getCustomScopes().put(modelObject.getKey(), new
HashSet<>(modelObject.getClaims()));
+
+ restClient.set(oidcOpEntity);
+
+ return modelObject;
+ }
+
+ @Override
+ protected WizardModel buildModelSteps(final CustomScope modelObject, final
WizardModel wizardModel) {
+ wizardModel.add(new Profile(modelObject));
+ return wizardModel;
+ }
+
+ protected class Profile extends WizardStep {
Review Comment:
## Inner class could be static
Profile should be made static, since the enclosing instance is not used.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2591)
##########
common/am/rest-api/src/main/java/org/apache/syncope/common/rest/api/service/OIDCOpEntityService.java:
##########
@@ -31,31 +31,32 @@
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
+import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
-import org.apache.syncope.common.lib.to.OIDCJWKSTO;
+import org.apache.syncope.common.lib.to.OIDCOpEntityTO;
@Tag(name = "OpenID Connect 1.0")
@SecurityRequirements({
@SecurityRequirement(name = "BasicAuthentication"),
@SecurityRequirement(name = "Bearer") })
-@Path("oidc/jwks")
-public interface OIDCJWKSService extends JAXRSService {
+@Path("oidc/op")
+public interface OIDCOpEntityService extends JAXRSService {
Review Comment:
## Constant interface anti-pattern
Type OIDCOpEntityService implements constant interface [JAXRSService](1).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2593)
##########
wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/DefaultAttrReleaseMapper.java:
##########
@@ -230,4 +137,165 @@
return single == null ? chain : single;
}
+
+ @Override
+ public RegisteredServiceAttributeReleasePolicy build(final ClientAppTO
app, final AttrReleasePolicyTO policy) {
+ DefaultAttrReleasePolicyConf conf = (DefaultAttrReleasePolicyConf)
policy.getConf();
+
+ ReturnMappedAttributeReleasePolicy returnMapped = null;
+ ReturnAllowedAttributeReleasePolicy returnAllowed = null;
+ if (!conf.getReleaseAttrs().isEmpty()) {
+ returnMapped = new ReturnMappedAttributeReleasePolicy();
+ returnMapped.setAllowedAttributes(conf.getReleaseAttrs());
+
+ if (!conf.getAllowedAttrs().isEmpty()) {
+ returnAllowed = new ReturnAllowedAttributeReleasePolicy();
+ returnAllowed.setAllowedAttributes(conf.getAllowedAttrs());
+ }
+ }
+
+ ChainingAttributeReleasePolicy chain = new
ChainingAttributeReleasePolicy();
+ AbstractRegisteredServiceAttributeReleasePolicy single = null;
+ if (returnMapped == null && returnAllowed == null) {
+ single = new DenyAllAttributeReleasePolicy();
+ } else if (returnMapped != null && returnAllowed == null) {
+ single = returnMapped;
+ } else if (returnMapped == null && returnAllowed != null) {
+ single = returnAllowed;
+ } else {
+ chain.addPolicies(returnMapped, returnAllowed);
+ }
+
+ return build(policy, conf, single, chain);
+ }
+
+ protected void buildForOIDCStandardScope(
+ final OIDCRPClientAppTO clientApp,
+ final DefaultAttrReleasePolicyConf conf,
+ final Map<String, BaseOidcScopeAttributeReleasePolicy> policies,
+ final Supplier<BaseOidcScopeAttributeReleasePolicy>
attributeReleasePolicyCreator,
+ final OIDCStandardScope scope,
+ final String internal,
+ final String external) {
+
+ if (clientApp.getScopes().contains(scope.name())) {
+ BaseOidcScopeAttributeReleasePolicy policy =
policies.computeIfAbsent(
+ scope.name(), k -> attributeReleasePolicyCreator.get());
+
+ policy.getClaimMappings().put(external, internal);
+
+ if (conf.getAllowedAttrs().contains(external)) {
+ policy.getAllowedAttributes().add(external);
+ }
+ } else {
+ warnMissingScope(clientApp.getName(), internal, external,
scope.name());
+ }
+ }
+
+ protected void buildForOIDCustomScope(
+ final OIDCRPClientAppTO clientApp,
+ final DefaultAttrReleasePolicyConf conf,
Review Comment:
## Useless parameter
The parameter 'conf' is never used.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2592)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
