in stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java [305:442]
private Response getAccessTokenInternal(UriInfo ui, String authorization, String grant_type, String username,
String password, String client_id, String client_secret, long ttl,
String callback, boolean adminData, boolean me) throws Exception {
UserInfo user = null;
try {
if ( SubjectUtils.getUser() != null ) {
user = SubjectUtils.getUser();
}
if (logger.isTraceEnabled()) {
logger.trace("ManagementResource.getAccessToken with username: {}", username);
}
String errorDescription = "invalid username or password";
if ( user == null ) {
// make sure authentication is allowed considering
// external token validation configuration (UG Central SSO)
ensureAuthenticationAllowed( username, grant_type );
if ( authorization != null ) {
String type = stringOrSubstringBeforeFirst( authorization, ' ' ).toUpperCase();
if ( "BASIC".equals( type ) ) {
String token = stringOrSubstringAfterFirst( authorization, ' ' );
String[] values = Base64.decodeToString( token ).split( ":" );
if ( values.length >= 2 ) {
client_id = values[0];
client_secret = values[1];
}
}
}
// do checking for different grant types
if ( GrantType.PASSWORD.toString().equals( grant_type ) ) {
try {
user = management.verifyAdminUserPasswordCredentials( username, password );
if ( user != null ) {
if (logger.isTraceEnabled()) {
logger.trace("found user from verify: {}", user.getUuid());
}
}
}
catch ( UnactivatedAdminUserException uaue ) {
errorDescription = "user not activated";
logger.error( errorDescription, uaue );
}
catch ( DisabledAdminUserException daue ) {
errorDescription = "user disabled";
logger.error( errorDescription, daue );
}
catch ( UnconfirmedAdminUserException uaue ) {
errorDescription = "User must be confirmed to authenticate";
logger.warn("Responding with HTTP 403 forbidden response for unconfirmed user");
OAuthResponse response = OAuthResponse.errorResponse( SC_FORBIDDEN )
.setError( OAuthError.TokenResponse.INVALID_GRANT )
.setErrorDescription( errorDescription )
.buildJSONMessage();
return Response.status( response.getResponseStatus() ).type( jsonMediaType( callback ) )
.entity( wrapWithCallback( response.getBody(), callback ) ).build();
}
catch ( Exception e1 ) {
logger.error( errorDescription, e1 );
}
}
else if ( "client_credentials".equals( grant_type ) ) {
try {
AccessInfo access_info = management.authorizeClient( client_id, client_secret, ttl );
if ( access_info != null ) {
return Response.status( SC_OK ).type( jsonMediaType( callback ) )
.entity( wrapWithCallback( access_info, callback ) ).build();
}
}
catch ( Exception e1 ) {
logger.error( "failed authorizeClient", e1 );
}
}
}
if ( user == null ) {
//TODO: this could be fixed to return the reason why a user is null. In some cases the USER is not found
//so a 404 would be more appropriate etc...
OAuthResponse response =
OAuthResponse.errorResponse( SC_BAD_REQUEST ).setError( OAuthError.TokenResponse.INVALID_GRANT )
.setErrorDescription( errorDescription ).buildJSONMessage();
return Response.status( response.getResponseStatus() ).type( jsonMediaType( callback ) )
.entity( wrapWithCallback( response.getBody(), callback ) ).build();
}
//moved the check for sso enabled form MangementServiceImpl since was unable to get the current user there to check if its super user.
if( tokens.isExternalSSOProviderEnabled()
&& properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_SSO_PROVIDER).equalsIgnoreCase("usergrid")
&& !userServiceAdmin(username) ){
OAuthResponse response =
OAuthResponse.errorResponse( SC_BAD_REQUEST ).setError( OAuthError.TokenResponse.INVALID_GRANT )
.setErrorDescription( "External SSO integration is enabled, admin users must login via provider: "+
properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_SSO_PROVIDER) ).buildJSONMessage();
return Response.status( response.getResponseStatus() ).type( jsonMediaType( callback ) )
.entity( wrapWithCallback( response.getBody(), callback ) ).build();
}
String token = management.getAccessTokenForAdminUser( user.getUuid(), ttl );
Long passwordChanged = management.getLastAdminPasswordChange( user.getUuid() );
AccessInfo access_info =
new AccessInfo().withExpiresIn( tokens.getMaxTokenAgeInSeconds( token ) ).withAccessToken( token )
.withPasswordChanged( passwordChanged );
access_info.setProperty( "user", management.getAdminUserOrganizationData( user, true, false) );
// increment counters for admin login
management.countAdminUserAction( user, "login" );
return Response.status( SC_OK ).type( jsonMediaType( callback ) )
.entity( wrapWithCallback( access_info, callback ) ).build();
}
catch ( OAuthProblemException e ) {
logger.error( "OAuth Error", e );
OAuthResponse res = OAuthResponse.errorResponse( SC_BAD_REQUEST ).error( e ).buildJSONMessage();
return Response.status( res.getResponseStatus() ).type( jsonMediaType( callback ) )
.entity( wrapWithCallback( res.getBody(), callback ) ).build();
}
}