Merge pull request #473 from personium/develop

CHANGELOG.md

@@ -1,14 +1,30 @@
+## 1.7.18
+NEW FEATURES:
+* Each Cell's OAuth 2.0 token endpoint now accepts scope request.
+  * Apps can request single or multiple Cell level privilege name(s) as scope request.
+  * Issued tokens now carry assigned scope information.
+  * Cell Level API Access is now limited to tokens with appropriate scope. ([#445](https://github.com/personium/personium-core/issues/445))
+  * Added unit config keys for configuring default scopes for different grant type ([#470](https://github.com/personium/personium-core/issues/470))
+  * Default configurations for all grant types are set to "root" for backward compatibility. (Change configuration to use your unit with more security)
+* URL scheme "personium-localunit" is extended and supports a syntax using two colons. ([#284](https://github.com/personium/personium-core/issues/284))
+
+IMPROVEMENTS:
+* Base URL in ACL is now converted to one using "personium-localunit" scheme when internally pesisted. Unit FQDN change won't require data change.
+
+SECURITY FIX:
+* Token refreshing between apps now disabled. ([#463](https://github.com/personium/personium-core/issues/463))
+
 ## 1.7.17
 IMPROVEMENTS:
-* Add IO logging with IO time. ([#446](https://github.com/personium/personium-core/issues/446))
+* Add IO logging with elapsed time. ([#446](https://github.com/personium/personium-core/issues/446))
 
 ## 1.7.16
 BUG FIXES:
 * Even if Depth:1 is specified in "Retrieve cell snapshot file setting" API, it is ignored. ([#439](https://github.com/personium/personium-core/issues/439))
 * If Accept request header contains extra values, 409 is returned ([#435](https://github.com/personium/personium-core/issues/435))
 
 IMPROVEMENTS:
-* Fix crossdomain.xml error in Eclipse. ([#448](https://github.com/personium/personium-core/issues/444))
+* Fix crossdomain.xml namespace URL. ([#448](https://github.com/personium/personium-core/issues/444))
 
 ## 1.7.15
 BUG FIXES:

pom.xml

@@ -3,7 +3,7 @@
     <groupId>io.personium</groupId>
     <artifactId>personium-core</artifactId>
     <packaging>war</packaging>
-    <version>1.7.17_es6.6.1</version>
+    <version>1.7.18_es6.6.1</version>
     <name>personium-core Maven Webapp</name>
     <url>http://maven.apache.org</url>
     <licenses>
@@ -28,11 +28,11 @@
         <kafka.version>1.1.1</kafka.version>
     </properties>
     <dependencies>
-        <!-- personium-lib. -->
+        <!-- personium-lib.-->
         <dependency>
             <groupId>io.personium</groupId>
             <artifactId>personium-lib-common</artifactId>
-            <version>1.4.20</version>
+            <version>1.5.1</version>
         </dependency>
         <dependency>
             <groupId>io.personium</groupId>

src/main/java/io/personium/core/PersoniumCoreAuthnException.java

@@ -38,9 +38,6 @@
 /**
  * Log message creation class.
  */
-/**
- * @author naoki
- */
 @SuppressWarnings("serial")
 public final class PersoniumCoreAuthnException extends PersoniumCoreException {
 
@@ -56,7 +53,7 @@ public final class PersoniumCoreAuthnException extends PersoniumCoreException {
     /**
      * Client Secret Parsing error.
      */
-    public static final PersoniumCoreAuthnException CLIENT_SECRET_PARSE_ERROR =
+    public static final PersoniumCoreAuthnException CLIENT_ASSERTION_PARSE_ERROR =
             create("PR400-AN-0003", Error.INVALID_CLIENT);
     /**
      * Client Secret expiration date check.
@@ -69,7 +66,7 @@ public final class PersoniumCoreAuthnException extends PersoniumCoreException {
     public static final PersoniumCoreAuthnException CLIENT_SECRET_DSIG_INVALID =
             create("PR400-AN-0005", Error.INVALID_CLIENT);
     /**
-     * Issuer of Client Secret is not equal to ID.
+     * Issuer of Client Secret does not match client id.
      */
     public static final PersoniumCoreAuthnException CLIENT_SECRET_ISSUER_MISMATCH =
             create("PR400-AN-0006", Error.INVALID_CLIENT);
@@ -129,12 +126,29 @@ public final class PersoniumCoreAuthnException extends PersoniumCoreException {
      */
     public static final PersoniumCoreAuthnException AUTH_HEADER_IS_INVALID =
             create("PR400-AN-0018", Error.INVALID_CLIENT);
+    /**
+     * Invalid assertion type parameter.
+     */
+    public static final PersoniumCoreAuthnException INVALID_CLIENT_ASSERTION_TYPE =
+            create("PR400-AN-0022", Error.INVALID_CLIENT);
+    /**
+     * Authenticated Client does not match the refresh token.
+     */
+    public static final PersoniumCoreAuthnException CLIENT_MISMATCH_FOR_REFRESH =
+            create("PR401-AN-0020", Error.INVALID_CLIENT);
+    /**
+     * Client auth required to refresh the token.
+     */
+    public static final PersoniumCoreAuthnException CLIENT_AUTH_REQUIRED =
+            create("PR401-AN-0021", Error.INVALID_CLIENT);
     /**
      * Password change required.
      */
     public static final PersoniumCoreAuthnException PASSWORD_CHANGE_REQUIRED =
             create("PR401-AN-0001", Error.UNAUTHORIZED_CLIENT);
 
+
+
     /**
      * NetWork related error.
      */

src/main/java/io/personium/core/PersoniumCoreException.java

@@ -739,6 +739,11 @@ public static class Auth {
          * Schema authentication level is insufficient.
          */
         public static final PersoniumCoreException INSUFFICIENT_SCHEMA_AUTHZ_LEVEL = create("PR403-AU-0006");
+        /**
+         * Scope is insufficient.
+         */
+        public static final PersoniumCoreException INSUFFICIENT_SCOPE = create("PR403-AU-0007");
+
         /**
          * Error setting root CA certificate.
          */
@@ -1014,6 +1019,13 @@ public static class Common {
          * {0} : Overview of failed processing
          */
         public static final PersoniumCoreException FILE_IO_ERROR = create("PR500-CM-0002");
+
+        /**
+         * Unchecked Invalid URL used internally.
+         * <p>
+         * {0} : URL
+         */
+        public static final PersoniumCoreException INVALID_URL = create("PR500-CM-0003");
     }
 
     /**

src/main/java/io/personium/core/PersoniumReadDeleteModeManager.java

@@ -42,7 +42,7 @@ private PersoniumReadDeleteModeManager() {
                     HttpMethod.DELETE,
                     HttpMethod.OPTIONS,
                     HttpMethod.HEAD,
-                    io.personium.common.utils.PersoniumCoreUtils.HttpMethod.PROPFIND,
+                    io.personium.common.utils.CommonUtils.HttpMethod.PROPFIND,
                     "REPORT"
                     )
             );

src/main/java/io/personium/core/PersoniumUnitConfig.java

@@ -1,6 +1,7 @@
 /**
- * personium.io
- * Copyright 2014-2018 FUJITSU LIMITED
+ * Personium
+ * Copyright 2014-2018 Personium Project
+ * - FUJITSU LIMITED
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,7 +35,7 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
 
-import io.personium.common.utils.PersoniumCoreUtils;
+import io.personium.common.utils.CommonUtils;
 import io.personium.core.auth.AuthUtils;
 import io.personium.core.utils.UriUtils;
 
@@ -188,6 +189,16 @@ public static final class Security {
 
         /** Encrypt the DAV file (true: enabled false: disabled (default)). */
         public static final String DAV_ENCRYPT_ENABLED = KEY_ROOT + "security.dav.encrypt.enabled";
+
+        /** Default scope of token for grant_type=password . */
+        public static final String TOKEN_DEFAULT_SCOPE_ROPC = KEY_ROOT + "security.token.defaultScope.ropc";
+
+        /** Default scope of token for grant_type=assertion . */
+        public static final String TOKEN_DEFAULT_SCOPE_ASSERTION = KEY_ROOT + "security.token.defaultScope.assertion";
+
+        /** Default scope of token for grant_type=code . */
+        public static final String TOKEN_DEFAULT_SCOPE_CODE = KEY_ROOT + "security.token.defaultScope.grant_code";
+
     }
 
     /**
@@ -538,14 +549,14 @@ private synchronized void doReload() {
         }
     }
 
-    private static boolean isSpaceSeparatedValueIncluded(String spaceSeparatedValue, String testValue, String unitUrl) {
+    private static boolean isSpaceSeparatedValueIncluded(String spaceSeparatedValue, String testValue) {
         if (testValue == null || spaceSeparatedValue == null) {
             return false;
         }
         String[] values = spaceSeparatedValue.split(" ");
         for (String val : values) {
             // Correspondence when "localunit" is set for issuers.
-            String convertedValue = UriUtils.convertSchemeFromLocalUnitToHttp(unitUrl, val);
+            String convertedValue = UriUtils.convertSchemeFromLocalUnitToHttp(val);
             if (testValue.equals(convertedValue)) {
                 return true;
             }
@@ -871,7 +882,7 @@ public static String getPluginPath() {
     public static String getBaseUrl() {
          return UriBuilder.fromPath("/")
                           .scheme(getUnitScheme())
-                          .host(PersoniumCoreUtils.getFQDN())
+                          .host(CommonUtils.getFQDN())
                           .port(getUnitPort())
                           .build()
                           .toString();
@@ -1473,6 +1484,29 @@ public static boolean isDavEncryptEnabled() {
         return Boolean.parseBoolean(get(Security.DAV_ENCRYPT_ENABLED));
     }
 
+    /**
+     *
+     * @return scope string
+     */
+    public static String getTokenDefaultScopeRopc() {
+        return get(Security.TOKEN_DEFAULT_SCOPE_ROPC);
+    }
+    /**
+     *
+     * @return scope string
+     */
+    public static String getTokenDefaultScopeCode() {
+        return get(Security.TOKEN_DEFAULT_SCOPE_CODE);
+    }
+    /**
+     *
+     * @return scope string
+     */
+    public static String getTokenDefaultScopeAssertion() {
+        return get(Security.TOKEN_DEFAULT_SCOPE_ASSERTION);
+    }
+
+
     /**
      * Get message queue implementation of EventBus.
      * @return message queue
@@ -1614,8 +1648,8 @@ public static boolean isHttps() {
      * @param unitUrl Unit URL
      * @return Included:true
      */
-    public static boolean checkUnitUserIssuers(String url, String unitUrl) {
-        return isSpaceSeparatedValueIncluded(getUnitUserIssuers(), url, unitUrl);
+    public static boolean checkUnitUserIssuers(String url) {
+        return isSpaceSeparatedValueIncluded(getUnitUserIssuers(), url);
     }
 
     /**