- private Result<Data> refreshBearerToken(AuthzTrans trans, Data odd) {
- Result<List<Data>> rld = tokenDAO.readByUser(trans, trans.user());
- if(rld.notOK()) {
- return Result.err(rld);
- }
- if(rld.isEmpty()) {
- return Result.err(Result.ERR_NotFound,"Data not Found for %1 %2",trans.user(),odd.refresh==null?"":odd.refresh.toString());
- }
- Data token = null;
- for(Data d : rld.value) {
- if(d.refresh.equals(odd.refresh)) {
- token = d;
- boolean scopesNE = false;
- Set<String> scopes = odd.scopes(false);
- if(scopes.size()>0) { // only check if Scopes listed, RFC 6749, Section 6
- if(scopesNE=!(scopes.size() == d.scopes(false).size())) {
- for(String s : odd.scopes(false)) {
- if(!d.scopes(false).contains(s)) {
- scopesNE=true;
- break;
- }
- }
- }
- if(scopesNE) {
- return Result.err(Result.ERR_BadData,"Requested Scopes do not match existing Token");
- }
- }
- break;
- }
- }
-
- if(token==null) {
- trans.audit().printf("Duplicate Refresh Token (%s) attempted for %s. Possible Replay Attack",odd.refresh.toString(),trans.user());
- return Result.err(Result.ERR_Security,"Invalid Refresh Token");
- } else {
- // Got the Result
- Data deleteMe = new Data();
- deleteMe.id = token.id;
- token.id = AAFToken.toToken(UUID.randomUUID());
- token.client_id = trans.user();
- token.refresh = AAFToken.toToken(UUID.randomUUID());
- long exp;
- token.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP));
- token.exp_sec = exp/1000;
- token.req_ip = trans.ip();
- Result<Data> rd = tokenDAO.create(trans, token);
- if(rd.notOK()) {
- return Result.err(rd);
- }
- Result<Void> rv = tokenDAO.delete(trans, deleteMe,false);
- if(rv.notOK()) {
- trans.error().log("Unable to delete token", token);
- }
- }
- return Result.ok(token);
- }
+ public Result<OAuthTokenDAO.Data> introspect(AuthzTrans trans, String token) {
+ Result<List<Data>> rld;
+ try {
+ UUID uuid = AAFToken.fromToken(token);
+ if (uuid==null) { // not an AAF Token
+ // Attempt to get Alternative Token
+ if (altIntrospectClient!=null) {
+ org.onap.aaf.cadi.client.Result<Introspect> rai = altIntrospectClient.introspect(token);
+ if (rai.isOK()) {
+ Introspect in = rai.value;
+ if (in.getExp()==null) {
+ trans.audit().printf("Alt OAuth sent back inactive, empty token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip());
+ }
+ long expires = in.getExp()*1000;
+ if (in.isActive() && expires>System.currentTimeMillis()) {
+ // We have a good Token, modify to be Fully Qualified
+ String fqid = in.getUsername()+altDomain;
+ // read contents
+ rld = tokenDAO.read(trans, token);
+ if (rld.isOKhasData()) {
+ Data td = rld.value.get(0);
+ in.setContent(td.content);
+ } else {
+ Data td = new Data();
+ td.id = token;
+ td.client_id = in.getClientId();
+ td.user = fqid;
+ td.active=true;
+ td.type = TOKEN_TYPE.bearer.ordinal();
+ td.expires = new Date(expires);
+ td.exp_sec = in.getExp();
+ Set<String> scopes = td.scopes(true);
+ if (in.getScope()!=null) {
+ for (String s : Split.split(' ', in.getScope())) {
+ scopes.add(s);
+ }
+ }
+ // td.state = nothing to add at this point
+ td.req_ip = trans.ip();
+ trans.checkpoint(td.user + ':' + td.client_id + ", " + td.id);
+ return loadToken(trans, td);
+ }
+ }
+// System.out.println(rai.value.getClientId());
+ } else {
+ trans.audit().printf("Alt OAuth rejects: requesting_id,%s,access_token=%s,ip=%s,code=%d,error=%s\n",trans.user(),token,trans.ip(),rai.code,rai.error);
+ }
+ } else {
+ trans.audit().printf("Bad Token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip());
+ }
+ return Result.err(Result.ERR_Denied,"Bad Token");
+ } else {
+ return dbIntrospect(trans,token);
+ }
+ } catch (CadiException | APIException | LocatorException e) {
+ return Result.err(e);
+ }
+ }