Fixes #495

Author: oharsta

manage-server/src/main/java/manage/hook/OidcValidationHook.java

@@ -6,6 +6,7 @@
 import manage.model.MetaData;
 import org.everit.json.schema.Schema;
 import org.everit.json.schema.ValidationException;
+import org.springframework.util.StringUtils;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -44,6 +45,8 @@ private void validate(MetaData newMetaData) {
         Map<String, Object> metaDataFields = newMetaData.metaDataFields();
         List<String> redirectUrls = (List<String>) metaDataFields.getOrDefault("redirectUrls", new ArrayList<String>());
         List<String> grants = (List<String>) metaDataFields.getOrDefault("grants", new ArrayList<String>());
+        boolean isPublicClient = (boolean) metaDataFields.getOrDefault("isPublicClient", false);
+        String secret = (String) metaDataFields.get("secret");
         Schema schema = metaDataAutoConfiguration.schema(EntityType.RP.getType());
         if (grants.stream().anyMatch(grant -> Arrays.asList("authorization_code", "implicit").contains(grant)) &&
                 redirectUrls.isEmpty()) {
@@ -58,6 +61,16 @@ private void validate(MetaData newMetaData) {
         if (metaDataFields.get("refreshTokenValidity") != null && grants.stream().noneMatch(grant -> grant.equals("refresh_token"))) {
             throw new ValidationException(schema, "refreshTokenValidity specified, but no refresh_token grant. Either remove refreshTokenValidity or add refresh_token grant type", "refreshTokenValidity");
         }
+        if (isPublicClient && StringUtils.hasText(secret)) {
+            throw new ValidationException(schema, "Public clients are not allowed a secret", "isPublicClient");
+        }
+        if (!isPublicClient && !StringUtils.hasText(secret)) {
+            throw new ValidationException(schema, "Non-public clients are required a secret", "secret");
+        }
+        if (grants.size() == 1 && grants.get(0).equals("urn:ietf:params:oauth:grant-type:device_code") && StringUtils.hasText(secret)) {
+            throw new ValidationException(schema, "Device Code RP is not allowed a secret", "redirectUris");
+        }
+
     }
 
 }

manage-server/src/main/java/manage/service/ImporterService.java

@@ -19,6 +19,8 @@
 
 import javax.xml.stream.XMLStreamException;
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.charset.Charset;
 import java.util.*;
@@ -102,12 +104,12 @@ public Map<String, Object> importJson(String type, Map<String, Object> json) thr
 
     public Map<String, Object> importJsonUrl(String type, Import importRequest) {
         try {
-            Resource resource = new SaveURLResource(new URL(importRequest.getUrl()),
+            Resource resource = new SaveURLResource(new URI(importRequest.getUrl()).toURL(),
                     environment.acceptsProfiles(Profiles.of("dev")), autoRefreshUserAgent);
             String json = IOUtils.toString(resource.getInputStream(), Charset.defaultCharset());
             Map<String, Object> map = objectMapper.readValue(json, Map.class);
             return importJson(type, map);
-        } catch (IOException e) {
+        } catch (IOException | URISyntaxException e) {
             return singletonMap("errors", singletonList(e.getClass().getName()));
         }
     }

manage-server/src/main/java/manage/service/MetaDataService.java

@@ -35,6 +35,8 @@
 import javax.xml.stream.XMLStreamException;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLDecoder;
 import java.time.Instant;
@@ -109,7 +111,7 @@ public Map<String, List> importFeed(Import importRequest) {
                             .map(ServiceProvider::new)
                             .collect(Collectors.toMap(ServiceProvider::getEntityId, sp -> sp));
             String feedUrl = importRequest.getUrl();
-            Resource resource = new SaveURLResource(new URL(feedUrl), environment.acceptsProfiles(Profiles.of("dev")), null);
+            Resource resource = new SaveURLResource(new URI(feedUrl).toURL(), environment.acceptsProfiles(Profiles.of("dev")), null);
 
             List<Map<String, Object>> allImports = importerService.importFeed(resource);
             List<Map<String, Object>> imports =
@@ -179,7 +181,7 @@ public Map<String, List> importFeed(Import importRequest) {
             results.put("total", Collections.singletonList(imports.size()));
 
             return results;
-        } catch (IOException | XMLStreamException e) {
+        } catch (IOException | XMLStreamException | URISyntaxException e) {
             LOG.error("Error in client/import/feed", e);
             return singletonMap("errors", singletonList(e.getClass().getName()));
         }

manage-server/src/main/resources/metadata_configuration/oidc10_rp.schema.json

@@ -516,7 +516,8 @@
               "authorization_code",
               "implicit",
               "refresh_token",
-              "client_credentials"
+              "client_credentials",
+              "urn:ietf:params:oauth:grant-type:device_code"
             ]
           },
           "info": "The authorisation grant type's of this Relying Party."
@@ -651,7 +652,7 @@
       },
       "required": [
         "name:en",
-        "secret",
+        "OrganizationName:en",
         "grants"
       ],
       "additionalProperties": false

manage-server/src/main/resources/metadata_templates/oidc10_rp.template.json

@@ -9,6 +9,7 @@
   "metaDataFields": {
     "name:en": "",
     "secret": "",
+    "OrganizationName:en": "",
     "redirectUrls": [],
     "grants": [
       "authorization_code"

manage-server/src/test/java/manage/hook/OidcValidationHookTest.java

@@ -72,12 +72,38 @@ public void clientCredentialsWithRedirect() {
                 subject.prePut(null, metaData(singletonList("client_credentials"), singletonList("https://redirect")), apiUser()));
     }
 
+    @Test
+    public void isPublicWithSecret() {
+        assertThrows(ValidationException.class, () ->
+                subject.prePut(null, metaData(Map.of("secret", "verySecret", "isPublicClient", true)), apiUser()));
+    }
+
+    @Test
+    public void privateWithoutSecret() {
+        assertThrows(ValidationException.class, () ->
+                subject.prePut(null, metaData(Map.of("secret", "", "isPublicClient", false)), apiUser()));
+    }
+
+    @Test
+    public void deviceCodeWithoutSecret() {
+        assertThrows(ValidationException.class, () ->
+                subject.prePut(null, metaData(Map.of("grants", List.of("urn:ietf:params:oauth:grant-type:device_code"),
+                        "secret", "verySecret")), apiUser()));
+    }
+
     @SuppressWarnings("unchecked")
     private MetaData metaData(List<String> grants, List<String> redirectUrls) {
         Map<String, Object> data = new HashMap<>();
         Map<String, Object> metaDataFields = (Map<String, Object>) data.computeIfAbsent("metaDataFields", key -> new HashMap<String, Object>());
         metaDataFields.put("redirectUrls", redirectUrls);
         metaDataFields.put("grants", grants);
+        metaDataFields.put("secret", "verySecret");
+        return new MetaData(EntityType.RP.getType(), data);
+    }
+
+    private MetaData metaData(Map<String, Object> metaDataFields) {
+        Map<String, Object> data = new HashMap<>();
+        data.put("metaDataFields", metaDataFields);
         return new MetaData(EntityType.RP.getType(), data);
     }
 }