Source code

001/*
002 * (C) Copyright 2014 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Arnaud Kervern
018 */
019package org.nuxeo.ecm.platform.oauth2.clients;
020
021import static org.nuxeo.ecm.platform.oauth2.clients.OAuth2ClientService.OAUTH2CLIENT_SCHEMA;
022
023import java.util.Arrays;
024import java.util.Collections;
025import java.util.List;
026import java.util.regex.Pattern;
027
028import org.apache.commons.lang.StringUtils;
029import org.nuxeo.ecm.core.api.DocumentModel;
030
031/**
032 * @author <a href="mailto:ak@nuxeo.com">Arnaud Kervern</a>
033 * @since 5.9.2
034 */
035public class OAuth2Client {
036
037    protected static final Pattern LOCALHOST_PATTERN = Pattern.compile("http://localhost(:\\d+)?(/.*)?");
038
039    protected String name;
040
041    protected String id;
042
043    protected String secret;
044
045    /**
046     * @since 9.2
047     */
048    protected List<String> redirectURIs;
049
050    protected boolean enabled;
051
052    /**
053     * @since 9.2
054     */
055    protected OAuth2Client(String name, String id, String secret, List<String> redirectURIs, boolean enabled) {
056        this.name = name;
057        this.id = id;
058        this.secret = secret;
059        this.redirectURIs = redirectURIs;
060        this.enabled = enabled;
061    }
062
063    public String getName() {
064        return name;
065    }
066
067    public String getId() {
068        return id;
069    }
070
071    /**
072     * @since 9.2
073     */
074    public List<String> getRedirectURIs() {
075        return redirectURIs;
076    }
077
078    public boolean isEnabled() {
079        return enabled;
080    }
081
082    public static OAuth2Client fromDocumentModel(DocumentModel doc) {
083        String name = (String) doc.getPropertyValue(OAUTH2CLIENT_SCHEMA + ":name");
084        String id = (String) doc.getPropertyValue(OAUTH2CLIENT_SCHEMA + ":clientId");
085        String secret = (String) doc.getPropertyValue(OAUTH2CLIENT_SCHEMA + ":clientSecret");
086        List<String> redirectURIs;
087        String redirectURIsProperty = (String) doc.getPropertyValue(OAUTH2CLIENT_SCHEMA + ":redirectURIs");
088        if (StringUtils.isEmpty(redirectURIsProperty)) {
089            redirectURIs = Collections.emptyList();
090        } else {
091            redirectURIs = Arrays.asList(redirectURIsProperty.split(","));
092        }
093        boolean enabled = (Boolean) doc.getPropertyValue(OAUTH2CLIENT_SCHEMA + ":enabled");
094
095        return new OAuth2Client(name, id, secret, redirectURIs, enabled);
096    }
097
098    /**
099     * A redirect URI is considered as valid if and only if:
100     * <ul>
101     * <li>It is not empty</li>
102     * <li>It starts with https, e.g. https://my.redirect.uri</li>
103     * <li>It doesn't start with http, e.g. nuxeo://authorize</li>
104     * <li>It starts with http://localhost with localhost not part of the domain name, e.g. http://localhost:8080/nuxeo,
105     * a counter-example being http://localhost.somecompany.com</li>
106     * </ul>
107     *
108     * @since 9.2
109     */
110    public static boolean isRedirectURIValid(String redirectURI) {
111        String trimmed = redirectURI.trim();
112        return !trimmed.isEmpty() && (trimmed.startsWith("https") || !trimmed.startsWith("http")
113                || LOCALHOST_PATTERN.matcher(trimmed).matches());
114    }
115
116    public boolean isValidWith(String clientId, String clientSecret) {
117        // Related to RFC 6749 2.3.1 clientSecret is omitted if empty
118        return enabled && id.equals(clientId) && (StringUtils.isEmpty(secret) || secret.equals(clientSecret));
119    }
120
121    /**
122     * @since 9.2
123     */
124    @Override
125    public String toString() {
126        return String.format("%s(name=%s, id=%s, redirectURIs=%s, enabled=%b)", getClass().getSimpleName(), name, id,
127                redirectURIs, enabled);
128    }
129}