From a9a246c2c46302210374cb56504e2d62877db294 Mon Sep 17 00:00:00 2001
From: Janak Amarasena <janakamarasena@gmail.com>
Date: Mon, 5 Jun 2017 16:45:37 +0530
Subject: [PATCH] Add new oauth grant type

---
 .../pom.xml                                   |   8 ++
 .../grant/AccessTokenGrantHandler.java        | 134 ++++++++++++++++++
 .../validators/AccessTokenGrantValidator.java |  33 +++++
 components/identity-extensions/pom.xml        |   2 +-
 4 files changed, 176 insertions(+), 1 deletion(-)
 create mode 100644 components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java
 create mode 100644 components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java

diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml
index e40c8515c6..d8d1f32dad 100644
--- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml
@@ -34,6 +34,10 @@
     <url>http://wso2.org</url>
 
     <dependencies>
+        <dependency>
+            <groupId>org.wso2.carbon.devicemgt</groupId>
+            <artifactId>org.wso2.carbon.identity.authenticator.backend.oauth</artifactId>
+        </dependency>
 		<dependency>
 			<groupId>commons-codec.wso2</groupId>
 			<artifactId>commons-codec</artifactId>
@@ -87,13 +91,17 @@
                             org.wso2.carbon.device.mgt.oauth.extensions.*
                         </Export-Package>
                         <Import-Package>
+                            org.wso2.carbon.identity.authenticator.backend.oauth.*,
 							org.wso2.carbon.identity.oauth2.grant.jwt;version="${carbon.identity.jwt.grant.version.range}",
+                            org.apache.commons.lang.StringUtils,
                             org.apache.commons.logging,
                             org.osgi.service.component,
                             org.wso2.carbon.identity.application.common.model;version="${carbon.identity.framework.version.range}",
+                            org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;version="${carbon.identity.framework.version.range}",
                             org.wso2.carbon.user.api,
                             org.wso2.carbon.user.core.service,
                             org.wso2.carbon.user.core.tenant,
+                            org.wso2.carbon.user.core.util,
                             org.json.simple,
                             javax.cache,
                             org.wso2.carbon.identity.core.util;version="${carbon.identity.framework.version.range}",
diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java
new file mode 100644
index 0000000000..d1a718c24d
--- /dev/null
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
+import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
+import org.wso2.carbon.identity.application.common.model.ServiceProvider;
+import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
+import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationResponse;
+import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidatorFactory;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
+import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
+import org.wso2.carbon.identity.oauth2.model.RequestParameter;
+import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
+import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.user.core.util.UserCoreUtil;
+import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
+import java.rmi.RemoteException;
+
+/**
+ * This allows user to generate a new access token using an existing access token.
+ */
+@SuppressWarnings("unused")
+public class AccessTokenGrantHandler extends AbstractAuthorizationGrantHandler {
+    private static Log log = LogFactory.getLog(AccessTokenGrantHandler.class);
+    private static final String TENANT_DOMAIN_KEY = "tenantDomain";
+
+    private OAuth2TokenValidator tokenValidator;
+    public static final String TOKEN_GRANT_PARAM = "admin_access_token";
+
+    public AccessTokenGrantHandler() {
+        try {
+            tokenValidator = OAuthValidatorFactory.getValidator();
+        } catch (IllegalArgumentException e) {
+            log.error("Failed to initialise Authenticator", e);
+        }
+    }
+
+    @Override
+    public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
+        if (!super.validateGrant(tokReqMsgCtx)) {
+            return false;
+        } else {
+            OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
+            String username = null;
+            String userTenantDomain = null;
+            String clientId = oAuth2AccessTokenReqDTO.getClientId();
+            String spTenantDomain = null;
+            OAuthValidationResponse response;
+            ServiceProvider serviceProvider;
+            boolean authStatus = false;
+
+            String accessToken = null;
+            RequestParameter[] parameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
+
+            for (RequestParameter parameter : parameters) {
+                if (TOKEN_GRANT_PARAM.equals(parameter.getKey())) {
+                    if (parameter.getValue() != null && parameter.getValue().length > 0) {
+                        accessToken = parameter.getValue()[0];
+                    }
+                }
+            }
+
+            if (accessToken != null && !accessToken.isEmpty()) {
+                try {
+                    response = tokenValidator.validateToken(accessToken);
+                } catch (RemoteException e) {
+                    log.error("Failed to validate the OAuth token provided.", e);
+                    return false;
+                }
+                if (response != null && response.isValid()) {
+                    authStatus = true;
+                    username = response.getUserName();
+                    userTenantDomain = MultitenantUtils.getTenantDomain(username);
+                    spTenantDomain = response.getTenantDomain();
+                }
+            }
+
+            try {
+                serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService()
+                        .getServiceProviderByClientId(clientId, "oauth2", spTenantDomain);
+            } catch (IdentityApplicationManagementException var15) {
+                throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id "
+                        + clientId, var15);
+            }
+
+            if (!serviceProvider.isSaasApp() && !userTenantDomain.equals(spTenantDomain)) {
+                if (log.isDebugEnabled()) {
+                    log.debug("Non-SaaS service provider tenant domain is not same as user tenant domain; "
+                            + spTenantDomain + " != " + userTenantDomain);
+                }
+
+                return false;
+            } else {
+                String tenantAwareUserName = MultitenantUtils.getTenantAwareUsername(username);
+                username = tenantAwareUserName + "@" + userTenantDomain;
+                if (authStatus) {
+                    if (!username.contains("/") && StringUtils.isNotBlank(UserCoreUtil.getDomainFromThreadLocal())) {
+                        username = UserCoreUtil.getDomainFromThreadLocal() + "/" + username;
+                    }
+
+                    AuthenticatedUser user = OAuth2Util.getUserFromUserName(username);
+                    user.setAuthenticatedSubjectIdentifier(user.toString());
+                    tokReqMsgCtx.setAuthorizedUser(user);
+                    tokReqMsgCtx.setScope(oAuth2AccessTokenReqDTO.getScope());
+                    return authStatus;
+                } else {
+                    throw new IdentityOAuth2Exception("Authentication failed for " + username);
+                }
+            }
+        }
+    }
+}
diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java
new file mode 100644
index 0000000000..c3f323df4d
--- /dev/null
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.oauth.extensions.validators;
+
+import org.apache.oltu.oauth2.common.validators.AbstractValidator;
+import org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.AccessTokenGrantHandler;
+
+import javax.servlet.http.HttpServletRequest;
+
+@SuppressWarnings("unused")
+public class AccessTokenGrantValidator extends AbstractValidator<HttpServletRequest> {
+
+    public AccessTokenGrantValidator() {
+        requiredParams.add(AccessTokenGrantHandler.TOKEN_GRANT_PARAM);
+    }
+
+}
diff --git a/components/identity-extensions/pom.xml b/components/identity-extensions/pom.xml
index eb21ecb2ea..ce9eee400b 100644
--- a/components/identity-extensions/pom.xml
+++ b/components/identity-extensions/pom.xml
@@ -34,10 +34,10 @@
     <url>http://wso2.org</url>
 
     <modules>
+        <module>org.wso2.carbon.identity.authenticator.backend.oauth</module>
         <module>org.wso2.carbon.device.mgt.oauth.extensions</module>
         <module>org.wso2.carbon.identity.jwt.client.extension</module>
         <module>dynamic-client-registration</module>
-        <module>org.wso2.carbon.identity.authenticator.backend.oauth</module>
     </modules>
 
 </project>