Fix scope of allowedToProxy flag

cas-server-core/src/main/java/org/jasig/cas/CentralAuthenticationServiceImpl.java

@@ -275,16 +275,27 @@ public ServiceTicket grantServiceTicket(
             throw new UnauthorizedSsoServiceException();
         }
 
-        //CAS-1019
-        final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
-        if(authns.size() > 1) {
-            if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
-                final String message = String.
-                        format("ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.",
-                        service.getId(), registeredService.toString());
-                logger.warn(message);
-                throw new UnauthorizedProxyingException(message);
+        final Service proxiedBy = ticketGrantingTicket.getProxiedBy();
+        if (proxiedBy != null) {
+            logger.debug("TGT is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId());
+            final RegisteredService proxyingService = servicesManager.findServiceBy(proxiedBy);
+
+            if (proxyingService != null) {
+                logger.debug("Located proxying service [{}] in the service registry", proxyingService);
+                if (!proxyingService.getProxyPolicy().isAllowedToProxy()) {
+                    logger.warn("Found proxying service [{}], but proxy attempt by service [{}] (registered service [{}]) is not allowed.",
+                            proxyingService.getId(), service.getId(), registeredService.toString());
+                    throw new UnauthorizedProxyingException("Proxying is not allowed for registered service "
+                            + registeredService.getId());
+                }
+            } else {
+                logger.warn("No proxying service found. Proxy attempt by service [{}] (registered service [{}]) is not allowed.",
+                        service.getId(), registeredService.getId());
+                throw new UnauthorizedProxyingException("Proxying is not allowed for registered service "
+                        + registeredService.getId());
             }
+        } else {
+            logger.trace("TGT is not proxied by another service");
         }
 
         // Perform security policy check by getting the authentication that satisfies the configured policy

cas-server-core/src/main/java/org/jasig/cas/ticket/ServiceTicketImpl.java

@@ -27,6 +27,7 @@
 import javax.persistence.Entity;
 import javax.persistence.Lob;
 import javax.persistence.Table;
+import javax.validation.constraints.NotNull;
 
 /**
  * Domain object representing a Service Ticket. A service ticket grants specific
@@ -79,13 +80,10 @@ public ServiceTicketImpl() {
      * Service are null.
      */
     protected ServiceTicketImpl(final String id,
-        final TicketGrantingTicketImpl ticket, final Service service,
+        @NotNull final TicketGrantingTicketImpl ticket, @NotNull final Service service,
         final boolean fromNewLogin, final ExpirationPolicy policy) {
         super(id, ticket, policy);
 
-        Assert.notNull(ticket, "ticket cannot be null");
-        Assert.notNull(service, "service cannot be null");
-
         this.service = service;
         this.fromNewLogin = fromNewLogin;
     }
@@ -146,8 +144,8 @@ public TicketGrantingTicket grantTicketGrantingTicket(
             this.grantedTicketAlready = Boolean.TRUE;
         }
 
-        return new TicketGrantingTicketImpl(id, this.getGrantingTicket(),
-            authentication, expirationPolicy);
+        return new TicketGrantingTicketImpl(id, service,
+                this.getGrantingTicket(), authentication, expirationPolicy);
     }
 
     public Authentication getAuthentication() {

cas-server-core/src/main/java/org/jasig/cas/ticket/TicketGrantingTicket.java

@@ -30,7 +30,6 @@
  * CAS cannot do anything.
  *
  * @author Scott Battaglia
-
  * @since 3.0.0
  */
 public interface TicketGrantingTicket extends Ticket {
@@ -109,4 +108,15 @@ ServiceTicket grantServiceTicket(String id, Service service,
      * @return Non-null list of authentication associated with this ticket in leaf-first order.
      */
     List<Authentication> getChainedAuthentications();
+
+
+    /**
+    * Gets the service that produced a proxy-granting ticket.
+    *
+    * @return  Service that produced proxy-granting ticket or null if this is
+    * not a proxy-granting ticket.
+     * @since 4.1
+    */
+    Service getProxiedBy();
+
 }

cas-server-core/src/main/java/org/jasig/cas/ticket/TicketGrantingTicketImpl.java

@@ -30,6 +30,7 @@
 import javax.persistence.Entity;
 import javax.persistence.Lob;
 import javax.persistence.Table;
+import javax.validation.constraints.NotNull;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -66,6 +67,10 @@ public final class TicketGrantingTicketImpl extends AbstractTicket implements Ti
     @Column(name="EXPIRED", nullable=false)
     private Boolean expired = Boolean.FALSE;
 
+    /** Service that produced a proxy-granting ticket. */
+    @Column(name="PROXIED_BY", nullable=true)
+    private Service proxiedBy;
+
     /** The services associated to this ticket. */
     @Lob
     @Column(name="SERVICES_GRANTED_ACCESS_TO", nullable=false, length = 1000000)
@@ -87,18 +92,24 @@ public TicketGrantingTicketImpl() {
      * May throw an {@link IllegalArgumentException} if the Authentication object is null.
      *
      * @param id the id of the Ticket
-     * @param ticketGrantingTicket the parent ticket
+     * @param proxiedBy Service that produced this proxy ticket.
+     * @param parentTicketGrantingTicket the parent ticket
      * @param authentication the Authentication request for this ticket
      * @param policy the expiration policy for this ticket.
      */
     public TicketGrantingTicketImpl(final String id,
-        final TicketGrantingTicket ticketGrantingTicket,
-        final Authentication authentication, final ExpirationPolicy policy) {
-        super(id, ticketGrantingTicket, policy);
+        final Service proxiedBy,
+        final TicketGrantingTicket parentTicketGrantingTicket,
+        @NotNull final Authentication authentication, final ExpirationPolicy policy) {
 
-        Assert.notNull(authentication, "authentication cannot be null");
+        super(id, parentTicketGrantingTicket, policy);
 
+        if (parentTicketGrantingTicket != null && proxiedBy == null) {
+            throw new IllegalArgumentException("Must specify proxiedBy when providing parent TGT");
+        }
+        Assert.notNull(authentication, "authentication cannot be null");
         this.authentication = authentication;
+        this.proxiedBy = proxiedBy;
     }
 
     /**
@@ -111,7 +122,7 @@ public TicketGrantingTicketImpl(final String id,
      */
     public TicketGrantingTicketImpl(final String id,
         final Authentication authentication, final ExpirationPolicy policy) {
-        this(id, null, authentication, policy);
+        this(id, null, null, authentication, policy);
     }
 
     /**
@@ -235,6 +246,11 @@ public List<Authentication> getChainedAuthentications() {
         return Collections.unmodifiableList(list);
     }
 
+    @Override
+    public Service getProxiedBy() {
+        return this.proxiedBy;
+    }
+
     /**
      * {@inheritDoc}
      */

cas-server-core/src/main/java/org/jasig/cas/ticket/registry/AbstractDistributedTicketRegistry.java

@@ -216,6 +216,11 @@ public Authentication getAuthentication() {
             return getTicket().getAuthentication();
         }
 
+        @Override
+        public Service getProxiedBy() {
+            return getTicket().getProxiedBy();
+        }
+
         @Override
         public List<Authentication> getSupplementalAuthentications() {
             return getTicket().getSupplementalAuthentications();

cas-server-core/src/test/java/org/jasig/cas/CentralAuthenticationServiceImplWithMokitoTests.java → cas-server-core/src/test/java/org/jasig/cas/CentralAuthenticationServiceImplWithMockitoTests.java

@@ -69,7 +69,7 @@
  * @author Dmitriy Kopylenko
  * @since 3.0.0
  */
-public class CentralAuthenticationServiceImplWithMokitoTests {
+public class CentralAuthenticationServiceImplWithMockitoTests {
     private static final String TGT_ID = "tgt-id";
     private static final String TGT2_ID = "tgt2-id";
 
@@ -117,8 +117,9 @@ public void prepareNewCAS() {
         final TicketGrantingTicket tgtRootMock = createRootTicketGrantingTicket();
 
         final TicketGrantingTicket tgtMock = createMockTicketGrantingTicket(TGT_ID, stMock, false,
-                tgtRootMock, new ArrayList<Authentication>()); 
-
+                tgtRootMock, new ArrayList<Authentication>());
+        when(tgtMock.getProxiedBy()).thenReturn(TestUtils.getService("proxiedBy"));
+
         final List<Authentication> authnListMock = mock(List.class);
         //Size is required to be 2, so that we can simulate proxying capabilities
         when(authnListMock.size()).thenReturn(2);
@@ -220,7 +221,7 @@ private TicketGrantingTicket createMockTicketGrantingTicket(final String id,
         final TicketGrantingTicket tgtMock = mock(TicketGrantingTicket.class);
         when(tgtMock.isExpired()).thenReturn(isExpired);
         when(tgtMock.getId()).thenReturn(id);
-        
+
         final String svcId = svcTicket.getService().getId();
         when(tgtMock.grantServiceTicket(anyString(), argThat(new VerifyServiceByIdMatcher(svcId)),
                 any(ExpirationPolicy.class), anyBoolean())).thenReturn(svcTicket);

cas-server-core/src/test/java/org/jasig/cas/mock/MockTicketGrantingTicket.java

@@ -60,7 +60,9 @@ public class MockTicketGrantingTicket implements TicketGrantingTicket {
 
     private boolean expired;
 
-    private Map<String, Service> services = new HashMap<>();
+    private Service proxiedBy;
+
+    private final Map<String, Service> services = new HashMap<>();
 
     public MockTicketGrantingTicket(final String principal) {
         id = ID_GENERATOR.getNewTicketId("TGT");
@@ -75,6 +77,7 @@ public MockTicketGrantingTicket(final String principal) {
         created = new Date();
     }
 
+    @Override
     public Authentication getAuthentication() {
         return authentication;
     }
@@ -83,6 +86,7 @@ public ServiceTicket grantServiceTicket(final Service service) {
         return grantServiceTicket(ID_GENERATOR.getNewTicketId("ST"), service, null, true);
     }
 
+    @Override
     public ServiceTicket grantServiceTicket(
             final String id,
             final Service service,
@@ -92,38 +96,52 @@ public ServiceTicket grantServiceTicket(
         return new MockServiceTicket(id, service, this);
     }
 
+    @Override
+    public Service getProxiedBy() {
+        return this.proxiedBy;
+    }
+
+    @Override
     public boolean isRoot() {
         return true;
     }
 
+    @Override
     public TicketGrantingTicket getRoot() {
         return this;
     }
 
+    @Override
     public List<Authentication> getSupplementalAuthentications() {
         return Collections.emptyList();
     }
 
+    @Override
     public List<Authentication> getChainedAuthentications() {
         return Collections.emptyList();
     }
 
+    @Override
     public String getId() {
         return id;
     }
 
+    @Override
     public boolean isExpired() {
         return expired;
     }
 
+    @Override
     public TicketGrantingTicket getGrantingTicket() {
         return this;
     }
 
+    @Override
     public long getCreationTime() {
         return created.getTime();
     }
 
+    @Override
     public int getCountOfUses() {
         return usageCount;
     }