Scope handling (#14)

* Improve validating scopes

Author: adhesivee

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/Oauth2TokenService.kt

@@ -2,8 +2,10 @@ package nl.myndocs.oauth2
 
 import nl.myndocs.oauth2.authenticator.Authenticator
 import nl.myndocs.oauth2.authenticator.IdentityScopeVerifier
+import nl.myndocs.oauth2.client.Client
 import nl.myndocs.oauth2.client.ClientService
 import nl.myndocs.oauth2.exception.*
+import nl.myndocs.oauth2.identity.Identity
 import nl.myndocs.oauth2.identity.IdentityService
 import nl.myndocs.oauth2.identity.UserInfo
 import nl.myndocs.oauth2.request.*
@@ -59,15 +61,7 @@ class Oauth2TokenService(
             requestedScopes = requestedClient.clientScopes
         }
 
-        val scopesAllowed = scopesAllowed(requestedClient.clientScopes, requestedScopes)
-
-        if (!scopesAllowed) {
-            throw InvalidScopeException(requestedScopes.minus(requestedClient.clientScopes))
-        }
-
-        if (!identityService.validScopes(requestedClient, requestedIdentity, requestedScopes)) {
-            throw InvalidScopeException(requestedScopes)
-        }
+        validateScopes(requestedClient, requestedIdentity, requestedScopes)
 
         val accessToken = accessTokenConverter.convertToToken(
                 requestedIdentity.username,
@@ -186,16 +180,7 @@ class Oauth2TokenService(
             requestedScopes = clientOf.clientScopes
         }
 
-        val scopesAllowed = identityScopeVerifier?.validScopes(clientOf, identityOf, requestedScopes)
-                ?: scopesAllowed(clientOf.clientScopes, requestedScopes)
-
-        if (!scopesAllowed) {
-            throw InvalidScopeException(requestedScopes.minus(clientOf.clientScopes))
-        }
-
-        if (!identityService.validScopes(clientOf, identityOf, requestedScopes)) {
-            throw InvalidScopeException(requestedScopes)
-        }
+        validateScopes(clientOf, identityOf, requestedScopes, identityScopeVerifier)
 
         val codeToken = codeTokenConverter.convertToToken(
                 identityOf.username,
@@ -250,15 +235,7 @@ class Oauth2TokenService(
             requestedScopes = clientOf.clientScopes
         }
 
-        val scopesAllowed = identityScopeVerifier?.validScopes(clientOf, identityOf, requestedScopes)
-                ?: scopesAllowed(clientOf.clientScopes, requestedScopes)
-        if (!scopesAllowed) {
-            throw InvalidScopeException(requestedScopes.minus(clientOf.clientScopes))
-        }
-
-        if (!identityService.validScopes(clientOf, identityOf, requestedScopes)) {
-            throw InvalidScopeException(requestedScopes)
-        }
+        validateScopes(clientOf, identityOf, requestedScopes, identityScopeVerifier)
 
         val accessToken = accessTokenConverter.convertToToken(
                 identityOf.username,
@@ -272,6 +249,25 @@ class Oauth2TokenService(
         return accessToken
     }
 
+    private fun validateScopes(
+            client: Client,
+            identity: Identity,
+            requestedScopes: Set<String>,
+            identityScopeVerifier: IdentityScopeVerifier? = null) {
+        val scopesAllowed = scopesAllowed(client.clientScopes, requestedScopes)
+        if (!scopesAllowed) {
+            throw InvalidScopeException(requestedScopes.minus(client.clientScopes))
+        }
+
+        val allowedScopes = identityScopeVerifier?.allowedScopes(client, identity, requestedScopes)
+                ?: identityService.allowedScopes(client, identity, requestedScopes)
+
+        val ivalidScopes = requestedScopes.minus(allowedScopes)
+        if (ivalidScopes.isNotEmpty()) {
+            throw InvalidScopeException(ivalidScopes)
+        }
+    }
+
     override fun userInfo(accessToken: String): UserInfo {
         val storedAccessToken = tokenStore.accessToken(accessToken)!!
         val client = clientService.clientOf(storedAccessToken.clientId)!!

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/authenticator/IdentityScopeVerifier.kt

@@ -4,5 +4,8 @@ import nl.myndocs.oauth2.client.Client
 import nl.myndocs.oauth2.identity.Identity
 
 interface IdentityScopeVerifier {
-    fun validScopes(forClient: Client, identity: Identity, scopes: Set<String>): Boolean
+    /**
+     * Validate which scopes are allowed. Leave out the scopes which are not allowed
+     */
+    fun allowedScopes(forClient: Client, identity: Identity, scopes: Set<String>): Set<String>
 }

kotlin-oauth2-server-core/src/test/java/nl/myndocs/oauth2/PasswordGrantTokenServiceTest.kt

@@ -71,7 +71,7 @@ internal class PasswordGrantTokenServiceTest {
         every { clientService.validClient(client, clientSecret) } returns true
         every { identityService.identityOf(client, username) } returns identity
         every { identityService.validCredentials(client, identity, password) } returns true
-        every { identityService.validScopes(client, identity, requestScopes) } returns true
+        every { identityService.allowedScopes(client, identity, requestScopes) } returns scopes
         every { refreshTokenConverter.convertToToken(username, clientId, requestScopes) } returns refreshToken
         every { accessTokenConverter.convertToToken(username, clientId, requestScopes, refreshToken) } returns accessToken
 
@@ -162,7 +162,7 @@ internal class PasswordGrantTokenServiceTest {
         every { clientService.validClient(client, clientSecret) } returns true
         every { identityService.identityOf(client, username) } returns identity
         every { identityService.validCredentials(client, identity, password) } returns true
-        every { identityService.validScopes(client, identity, scopes) } returns false
+        every { identityService.allowedScopes(client, identity, scopes) } returns setOf()
 
         assertThrows(
                 InvalidScopeException::class.java
@@ -178,7 +178,7 @@ internal class PasswordGrantTokenServiceTest {
         every { clientService.validClient(client, clientSecret) } returns true
         every { identityService.identityOf(client, username) } returns identity
         every { identityService.validCredentials(client, identity, password) } returns true
-        every { identityService.validScopes(client, identity, scopes) } returns false
+        every { identityService.allowedScopes(client, identity, scopes) } returns scopes
 
         assertThrows(
                 InvalidScopeException::class.java
@@ -205,7 +205,7 @@ internal class PasswordGrantTokenServiceTest {
         every { clientService.validClient(client, clientSecret) } returns true
         every { identityService.identityOf(client, username) } returns identity
         every { identityService.validCredentials(client, identity, password) } returns true
-        every { identityService.validScopes(client, identity, requestScopes) } returns true
+        every { identityService.allowedScopes(client, identity, requestScopes) } returns requestScopes
         every { refreshTokenConverter.convertToToken(username, clientId, requestScopes) } returns refreshToken
         every { accessTokenConverter.convertToToken(username, clientId, requestScopes, refreshToken) } returns accessToken
 

kotlin-oauth2-server-identity-inmemory/src/main/java/nl/myndocs/oauth2/identity/inmemory/InMemoryIdentity.kt

@@ -27,7 +27,7 @@ class InMemoryIdentity : IdentityService {
         )
     }
 
-    override fun validScopes(forClient: Client, identity: Identity, scopes: Set<String>) = true
+    override fun allowedScopes(forClient: Client, identity: Identity, scopes: Set<String>) = scopes
 
     override fun validCredentials(forClient: Client, identity: Identity, password: String): Boolean =
             findConfiguration(identity.username)!!.password == password