Merge branch 'master' of

jateeter · jateeter · commit c4d61056ea8d · 2015-03-30T12:28:00.000-06:00
https://github.com/energyos/OpenESPI-DataCustodian-java.git
diff --git a/src/main/java/org/energyos/espi/datacustodian/web/api/ManageRESTController.java b/src/main/java/org/energyos/espi/datacustodian/web/api/ManageRESTController.java
@@ -30,6 +30,7 @@
 
 import org.energyos.espi.common.domain.Routes;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -67,6 +68,8 @@ public void handleGenericException() {
 	public void doCommand(HttpServletResponse response,
 			@RequestParam Map<String, String> params, InputStream stream)
 			throws IOException {
+		
+		response.setContentType(MediaType.TEXT_PLAIN_VALUE);
 
 		try {
 			try {
diff --git a/src/main/java/org/energyos/espi/datacustodian/web/customer/ScopeSelectionController.java b/src/main/java/org/energyos/espi/datacustodian/web/customer/ScopeSelectionController.java
@@ -18,43 +18,56 @@
 
 import static org.energyos.espi.datacustodian.utils.URLHelper.newScopeParams;
 
-import java.security.Principal;
-
+import javax.persistence.NoResultException;
 import javax.servlet.http.HttpServletRequest;
 
 import org.energyos.espi.common.domain.ApplicationInformation;
-import org.energyos.espi.common.domain.RetailCustomer;
 import org.energyos.espi.common.domain.Routes;
 import org.energyos.espi.common.service.ApplicationInformationService;
+
 import org.energyos.espi.datacustodian.web.BaseController;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.dao.EmptyResultDataAccessException;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
-
-///DataCustodian/src/main/java/org/energyos/espi/datacustodian/utils/URLHelper.java
+import org.springframework.web.bind.annotation.ResponseStatus;
 
 @Controller
 @PreAuthorize("hasRole('ROLE_USER')")
 public class ScopeSelectionController extends BaseController {
 
     @Autowired
     private ApplicationInformationService applicationInformationService;
+    
+	@ExceptionHandler(Exception.class)
+	@ResponseStatus(value=HttpStatus.FORBIDDEN, reason="Access Not Authorized")
+	public void handleGenericException() {
+	} 
 
     @RequestMapping(value = Routes.DATA_CUSTODIAN_SCOPE_SELECTION_SCREEN, method = RequestMethod.GET)
-    public String scopeSelection(HttpServletRequest request, String[] scopes, @RequestParam("ThirdPartyID") String thirdPartyClientId) {
-        ApplicationInformation applicationInformation = applicationInformationService.findByClientId(thirdPartyClientId);
-//        RetailCustomer retailCustomer = this.currentCustomer(principal);
-//        if (retailCustomer != null) {
-//            System.out.printf("*****CurrentCustomer: %s\n", retailCustomer.getUsername());
-//        }
-        return "redirect:" + 
+    public String scopeSelection(HttpServletRequest request, String[] scopes, 
+    		@RequestParam("ThirdPartyID") String thirdPartyClientId) throws Exception 
+    {
+    	
+    	try {
+    		ApplicationInformation applicationInformation = applicationInformationService.findByClientId(thirdPartyClientId);
+
+    		return "redirect:" + 
         		applicationInformation.getThirdPartyScopeSelectionScreenURI() + 
         		"?" + 
         		newScopeParams(applicationInformation.getScope()) +
                 "&DataCustodianID=" + applicationInformation.getDataCustodianId();
+    	} catch (NoResultException | EmptyResultDataAccessException e) {
+			System.out.printf("ScopeSelectionController: ApplicationInformation record not found!  "
+					+ "ThirdPartyID = %s\n", thirdPartyClientId);
+			throw new Exception("Access Not Authorized");
+    	}
     }
 
 
diff --git a/src/main/java/org/energyos/espi/datacustodian/web/filter/ResourceValidationFilter.java b/src/main/java/org/energyos/espi/datacustodian/web/filter/ResourceValidationFilter.java
@@ -87,56 +87,38 @@ public void doFilter(ServletRequest req, ServletResponse res,
 		if ((uri.indexOf("/espi/1_1/resource/") != -1))
 		{
 			resourceRequest = true;
+		}
 			
-			///////////////////////////////////////////////////////////////////////
-			// find the access token if present and validate we have a good one
-			///////////////////////////////////////////////////////////////////////
-			String token = request.getHeader("authorization");
+		///////////////////////////////////////////////////////////////////////
+		// find the access token if present and validate we have a good one
+		///////////////////////////////////////////////////////////////////////
+		String token = request.getHeader("authorization");
 			
-			if(token!=null)
+		if(token!=null)
+		{
+			if (token.contains("Bearer"))
 			{
-				if (token.contains("Bearer"))
-				{
-					// has Authorization header with Bearer type
-					hasBearer = true;
-					token = token.replace("Bearer ", "");
-					
-					// ensure length is >12 characters (48 bits in hex at least)
-					if(token.length()>=12)
-					{
-						// lookup the authorization -- we must have one to correspond to an access token
-						try {
-							authorizationFromToken = authorizationService.findByAccessToken(token);
-							
-						}
-						catch (Exception e) {
-							System.out.printf("ResourceValidationFilter: doFilter - No Authorization Found - %s\n",
-											  e.toString());						
-							throw new AccessDeniedException(String.format("No Authorization Found"));												
-						}
+				// has Authorization header with Bearer type
+				hasBearer = true;
+				token = token.replace("Bearer ", "");
 					
-						// see if we have valid authorization and can get parameters
-						if(authorizationFromToken != null)
-						{
-							long tend = authorizationFromToken.getAuthorizedPeriod().getStart() + authorizationFromToken.getAuthorizedPeriod().getDuration();
-							Calendar c = Calendar.getInstance(); 						
-							long now = c.getTimeInMillis()/1000;
+				// ensure length is >12 characters (48 bits in hex at least)
+				if(token.length()>=12)
+				{
+					// lookup the authorization -- we must have one to correspond to an access token
+					try {
+						authorizationFromToken = authorizationService.findByAccessToken(token);
 						
-							// check that it is still active and check that it has not expired
+						hasValidOAuthAccessToken = true;
+						resourceUri = authorizationFromToken.getResourceURI();
+						authorizationUri = authorizationFromToken.getAuthorizationURI();
+						subscription = authorizationFromToken.getSubscription();
 						
-							if( (authorizationFromToken.getStatus().equals("1") ) && ((tend == 0) || (tend >= now))){
-								hasValidOAuthAccessToken = true;
-								resourceUri = authorizationFromToken.getResourceURI();
-								authorizationUri = authorizationFromToken.getAuthorizationURI();
-								subscription = authorizationFromToken.getSubscription();
-							
-							} else {
-							
-								// authorization not valid now
-								System.out.printf("ResourceValidationFilter: doFilter - Access Not Authorized\n");
-								throw new AccessDeniedException(String.format("Access Not Authorized"));													
-							}
-						}
+					}
+					catch (Exception e) {
+						System.out.printf("ResourceValidationFilter: doFilter - No Authorization Found - %s\n",
+										  e.toString());						
+						throw new AccessDeniedException(String.format("No Authorization Found"));												
 					}
 				}
 			}
@@ -400,32 +382,23 @@ else if (invalid && roles.contains("ROLE_TP_REGISTRATION"))	{
 							if(applicationInformationIdFromUri.equals(applicationInformationId)) {
 								invalid = false;
 							}
-						} 
-						else 
-						{
+							
+						} else {
 							// not authorized for this resource
 							System.out.printf("ResourceValidationFilter: doFilter - Access Not Authorized\n");
 							throw new AccessDeniedException(String.format("Access Not Authorized"));							
 						}
-					}
-				}
-				else
-				{
-					// not authorized for this resource
-					System.out.printf("ResourceValidationFilter: doFilter - Access Not Authorized\n");
-					throw new AccessDeniedException(String.format("Access Not Authorized"));							
-				}
-
-				// check if it is this authorization request
-				if (uri.contains("/resource/Authorization")) {
-					if(authorizationUri.equals(uri) && service.equals("GET")) {
-						invalid=false;
-					}
-					else {
+						
+					} else {
 						// not authorized for this resource
 						System.out.printf("ResourceValidationFilter: doFilter - Access Not Authorized\n");
 						throw new AccessDeniedException(String.format("Access Not Authorized"));							
 					}
+
+				} else {
+					// not authorized for this resource
+					System.out.printf("ResourceValidationFilter: doFilter - Access Not Authorized\n");
+					throw new AccessDeniedException(String.format("Access Not Authorized"));							
 				}
 			}
 		}
