openinfra/openstackid
Code Issues Proposed changes

Refactored offline_access

Browse Source 
User can not explicitly delete offline_access scope
once is granted.

Change-Id: I3e94e4afeccf1050a3d20cde738a960b5aea4d3b
Signed-off-by: smarcet <smarcet@gmail.com>
This commit is contained in:
smarcet 2020-02-28 22:22:47 -03:00
parent 94ba72402c
commit 0a23b02e4b
3 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/Models/OAuth2/Client.php
View File

@ -426,6 +426,14 @@ class Client extends BaseEntity implements IClient
$this->client_type = $this->infereClientTypeFromAppType($this->application_type); $this->client_type = $this->infereClientTypeFromAppType($this->application_type);
} }
/**
* @return bool
*/
public function canRequestRefreshTokens():bool{
return $this->getApplicationType() == IClient::ApplicationType_Native ||
$this->getApplicationType() == IClient::ApplicationType_Web_App;
}
/** /**
* @param string $app_type * @param string $app_type
* @return string * @return string

7
app/Models/OAuth2/Factories/ClientFactory.php
View File

@ -39,11 +39,8 @@ final class ClientFactory
foreach ($scope_repository->getDefaults() as $default_scope) { foreach ($scope_repository->getDefaults() as $default_scope) {
if if
( (
$default_scope->getName() === OAuth2Protocol::OfflineAccess_Scope && $default_scope->getName() === OAuth2Protocol::OfflineAccess_Scope
!( && !$client->canRequestRefreshTokens()
$client->getApplicationType() == IClient::ApplicationType_Native ||
$client->getApplicationType() == IClient::ApplicationType_Web_App
)
) { ) {
continue; continue;
} }

10
app/Services/OAuth2/ClientService.php
View File

@ -373,11 +373,17 @@ final class ClientService extends AbstractService implements IClientService
return $this->tx_service->transaction(function() use ($id, $scope_id){ return $this->tx_service->transaction(function() use ($id, $scope_id){
$client = $this->client_repository->getById($id); $client = $this->client_repository->getById($id);
if (is_null($client) || !$client instanceof Client) { if (is_null($client) || !$client instanceof Client) {
throw new EntityNotFoundException(sprintf("client id %s does not exists!", $id)); throw new EntityNotFoundException(sprintf("Client id %s does not exists.", $id));
} }
$scope = $this->scope_repository->getById($scope_id); $scope = $this->scope_repository->getById($scope_id);
if (is_null($scope) || !$scope instanceof ApiScope) { if (is_null($scope) || !$scope instanceof ApiScope) {
throw new EntityNotFoundException(sprintf("scope id %s does not exists!", $scope_id)); throw new EntityNotFoundException(sprintf("Scope id %s does not exists.", $scope_id));
}
if($scope->getName() == OAuth2Protocol::OpenIdConnect_Scope){
throw new ValidationException(sprintf("Scope %s can not be removed.", OAuth2Protocol::OpenIdConnect_Scope));
}
if($scope->getName() == OAuth2Protocol::OfflineAccess_Scope && $client->canRequestRefreshTokens()){
throw new ValidationException(sprintf("Scope %s can not be removed.", OAuth2Protocol::OfflineAccess_Scope));
} }
$client->removeScope($scope); $client->removeScope($scope);
$client->setEditedBy($this->auth_service->getCurrentUser()); $client->setEditedBy($this->auth_service->getCurrentUser());