Disallow scope all for non super clients.

Change-Id: I238d96d88e27a73d39e7d0228d83f22d28772298

Changes

@@ -18,6 +18,8 @@
 - Added deprecation messages to deprecated services
 - Removed mail configuration (#764)
 - Deprecate VC access deletion.
+- Change default port to 8089.
+- Disallow scope all for non super clients.
 
 # version 0.74.1-SNAPSHOT
 

src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java

@@ -25,6 +25,7 @@
 
 import de.ids_mannheim.korap.config.Attributes;
 import de.ids_mannheim.korap.config.FullConfiguration;
+import de.ids_mannheim.korap.constant.OAuth2Scope;
 import de.ids_mannheim.korap.encryption.RandomCodeGenerator;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
@@ -88,6 +89,18 @@ public URI requestAuthorizationCode (URI requestURI, String clientId,
             OAuth2Client client = clientService.authenticateClientId(clientId);
             redirectURI = verifyRedirectUri(client, redirectUri);
             //checkResponseType(authzRequest.getResponseType(), redirectURI);
+
+            if (scope == null || scope.isEmpty()) {
+                throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
+                        "scope is required", OAuth2Error.INVALID_SCOPE);
+            }
+            else if (!client.isSuper()
+                    && scope.contains(OAuth2Scope.ALL.toString())) {
+                throw new KustvaktException(StatusCodes.NOT_ALLOWED,
+                        "Requested scope all is not allowed.", 
+                        OAuth2Error.INVALID_SCOPE);
+            }
+
             code = codeGenerator.createRandomCode();
             URI responseURI = createAuthorizationResponse(requestURI,
                     redirectURI, code, state);
@@ -102,7 +115,7 @@ public URI requestAuthorizationCode (URI requestURI, String clientId,
             throw e;
         }
     }
-
+    
     private URI createAuthorizationResponse (URI requestURI, URI redirectURI,
             String code, String state) throws KustvaktException {
         AuthorizationRequest authRequest = null;
@@ -171,10 +184,6 @@ public void createAuthorization (String username, String clientId,
             ZonedDateTime authenticationTime, String nonce)
             throws KustvaktException {
 
-        if (scope == null || scope.isEmpty()) {
-            throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
-                    "scope is required", OAuth2Error.INVALID_SCOPE);
-        }
         Set<AccessScope> accessScopes = scopeService
                 .convertToAccessScope(scope);
 

src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java

@@ -276,6 +276,21 @@ public void testAuthorizeInvalidScope () throws KustvaktException {
                 response.getLocation().toString());
     }
 
+    @Test
+    public void testAuthorizeScopeAll () throws KustvaktException {
+        String scope = "all";
+        Response response = requestAuthorizationCode("code",
+                confidentialClientId, "", scope, state, userAuthHeader);
+        assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
+                response.getStatus());
+
+        assertEquals(
+                "https://third.party.com/confidential/redirect?"
+                        + "error=invalid_scope&error_description=Requested+scope"
+                        + "+all+is+not+allowed.&state=thisIsMyState",
+                response.getLocation().toString());
+    }
+
     @Test
     public void testAuthorizeUnsupportedTokenResponseType ()
             throws KustvaktException {