diff --git a/api/api-iam/iam-client/pom.xml b/api/api-iam/iam-client/pom.xml index 476b3e6f383..5a7cb176184 100644 --- a/api/api-iam/iam-client/pom.xml +++ b/api/api-iam/iam-client/pom.xml @@ -14,14 +14,11 @@ - - 21 - 17 + 21 21 - 17 - 17 + 21 + 21 diff --git a/api/api-iam/iam-client/src/main/java/fr/gouv/vitamui/iam/openapiclient/IamApiClient.java b/api/api-iam/iam-client/src/main/java/fr/gouv/vitamui/iam/openapiclient/IamApiClient.java index 3c7ca670a66..97f796f31f6 100644 --- a/api/api-iam/iam-client/src/main/java/fr/gouv/vitamui/iam/openapiclient/IamApiClient.java +++ b/api/api-iam/iam-client/src/main/java/fr/gouv/vitamui/iam/openapiclient/IamApiClient.java @@ -29,16 +29,22 @@ import fr.gouv.vitamui.commons.api.CommonConstants; import fr.gouv.vitamui.commons.rest.client.HttpContext; +import fr.gouv.vitamui.commons.rest.client.HttpContextHolder; import fr.gouv.vitamui.iam.openapiclient.invoker.ApiClient; +import lombok.extern.slf4j.Slf4j; import org.springframework.http.HttpHeaders; import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; import org.springframework.util.MultiValueMap; import org.springframework.web.client.RestTemplate; -import java.util.Collections; +import java.util.Arrays; +import java.util.Optional; +import java.util.function.Supplier; +@Slf4j public class IamApiClient extends ApiClient { public IamApiClient(RestTemplate restTemplate) { @@ -52,48 +58,85 @@ protected void updateParamsForAuth( HttpHeaders headerParams, MultiValueMap cookieParams ) { - final Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); - if (authentication != null) { - final HttpContext context; - if (authentication instanceof PreAuthenticatedAuthenticationToken) { - // Needed for the initial call to usersApi.getMe() during authentication - context = (HttpContext) authentication.getPrincipal(); - } else { - // The other calls get normal authentication credentials - context = (HttpContext) authentication.getCredentials(); - } - updateParamsForAuth(headerParams, context); - } + resolveContext() + .ifPresentOrElse( + context -> { + applyHeaders(context, headerParams); + log.debug("IAM headers applied. Context={}", context); + }, + () -> log.warn("No HttpContext available for authNames={}", Arrays.toString(authNames)) + ); } - private void updateParamsForAuth(HttpHeaders headerParams, HttpContext context) { - final Integer tenantIdentifier = context.getTenantIdentifier(); - final String userToken = context.getUserToken(); - final String applicationId = context.getApplicationId(); - final String identity = context.getIdentity(); - final String requestId = context.getRequestId(); - final String accessContractId = context.getAccessContract(); - headerParams.set(CommonConstants.X_ORIGIN_HEADER_NAME, CommonConstants.X_ORIGIN_HEADER_INTERNAL); - if (tenantIdentifier != null) { - headerParams.put( - CommonConstants.X_TENANT_ID_HEADER, - Collections.singletonList(String.valueOf(tenantIdentifier)) - ); - } - if (userToken != null) { - headerParams.put(CommonConstants.X_USER_TOKEN_HEADER, Collections.singletonList(userToken)); - } - if (applicationId != null) { - headerParams.put(CommonConstants.X_APPLICATION_ID_HEADER, Collections.singletonList(applicationId)); + private Optional resolveContext() { + return resolveFromHolder().or(this::resolveFromSecurityContext); + } + + /** + * First priority: context manually set in HttpContextHolder. + */ + private Optional resolveFromHolder() { + return HttpContextHolder.get(); + } + + /** + * Fallback: try to resolve HttpContext from Spring Security. + */ + private Optional resolveFromSecurityContext() { + Authentication authentication = Optional.ofNullable(SecurityContextHolder.getContext()) + .map(SecurityContext::getAuthentication) + .orElse(null); + + if (authentication == null) { + return Optional.empty(); } - if (identity != null) { - headerParams.put(CommonConstants.X_IDENTITY_HEADER, Collections.singletonList(identity)); + + // Special case: initial usersApi.getMe() call during authentication + if ( + authentication instanceof PreAuthenticatedAuthenticationToken && + authentication.getPrincipal() instanceof HttpContext context + ) { + return Optional.of(context); } - if (requestId != null) { - headerParams.put(CommonConstants.X_REQUEST_ID_HEADER, Collections.singletonList(requestId)); + + // Standard case: HttpContext stored in credentials + if (authentication.getCredentials() instanceof HttpContext context) { + return Optional.of(context); } - if (accessContractId != null) { - headerParams.put(CommonConstants.X_ACCESS_CONTRACT_ID_HEADER, Collections.singletonList(accessContractId)); + + return Optional.empty(); + } + + /** + * Apply IAM-related headers based on the resolved HttpContext. + */ + private void applyHeaders(HttpContext context, HttpHeaders headers) { + headers.set(CommonConstants.X_ORIGIN_HEADER_NAME, CommonConstants.X_ORIGIN_HEADER_INTERNAL); + + putIfNotNull( + headers, + CommonConstants.X_TENANT_ID_HEADER, + () -> Optional.ofNullable(context.getTenantIdentifier()).map(String::valueOf).orElse(null) + ); + + putIfNotNull(headers, CommonConstants.X_USER_TOKEN_HEADER, context::getUserToken); + + putIfNotNull(headers, CommonConstants.X_APPLICATION_ID_HEADER, context::getApplicationId); + + putIfNotNull(headers, CommonConstants.X_IDENTITY_HEADER, context::getIdentity); + + putIfNotNull(headers, CommonConstants.X_REQUEST_ID_HEADER, context::getRequestId); + + putIfNotNull(headers, CommonConstants.X_ACCESS_CONTRACT_ID_HEADER, context::getAccessContract); + } + + /** + * Add header only if the supplied value is not null. + */ + private void putIfNotNull(HttpHeaders headers, String headerName, Supplier valueSupplier) { + String value = valueSupplier.get(); + if (value != null) { + headers.set(headerName, value); } } } diff --git a/api/api-iam/iam-client/src/main/resources/swagger.yaml b/api/api-iam/iam-client/src/main/resources/swagger.yaml index c68215d596a..27e2328cdee 100644 --- a/api/api-iam/iam-client/src/main/resources/swagger.yaml +++ b/api/api-iam/iam-client/src/main/resources/swagger.yaml @@ -2526,7 +2526,7 @@ paths: content: '*/*': schema: - $ref: "#/components/schemas/UserDto" + $ref: "#/components/schemas/AuthUserDto" example: null /iam/v1/cas/subrogations: get: diff --git a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/dto/IdentityProviderDto.java b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/dto/IdentityProviderDto.java index 91de6791792..0c0ab6a09e0 100644 --- a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/dto/IdentityProviderDto.java +++ b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/dto/IdentityProviderDto.java @@ -1,38 +1,28 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ package fr.gouv.vitamui.iam.common.dto; diff --git a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomOidcOpMetadataResolver.java b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomOidcOpMetadataResolver.java new file mode 100644 index 00000000000..346e69a24a3 --- /dev/null +++ b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomOidcOpMetadataResolver.java @@ -0,0 +1,18 @@ +package fr.gouv.vitamui.iam.common.utils; + +import org.pac4j.oidc.config.OidcConfiguration; +import org.pac4j.oidc.metadata.OidcOpMetadataResolver; +import org.pac4j.oidc.profile.creator.TokenValidator; + +/** Custom OIDC metadata resolver. */ +public class CustomOidcOpMetadataResolver extends OidcOpMetadataResolver { + + public CustomOidcOpMetadataResolver(final OidcConfiguration configuration) { + super(configuration); + } + + @Override + protected TokenValidator createTokenValidator() { + return new CustomTokenValidator(configuration, this.loaded); + } +} diff --git a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidator.java b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidator.java index 1fdf8a201ca..8af2a921e72 100644 --- a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidator.java +++ b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidator.java @@ -42,6 +42,7 @@ import com.nimbusds.jwt.proc.BadJWTException; import com.nimbusds.openid.connect.sdk.Nonce; import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; import org.pac4j.oidc.config.OidcConfiguration; import org.pac4j.oidc.profile.creator.TokenValidator; @@ -57,8 +58,11 @@ public class CustomTokenValidator extends TokenValidator { private static final List AGENTCONNECT_ACR_VALUES = Arrays.asList("eidas1", "eidas2", "eidas3"); - public CustomTokenValidator(final OidcConfiguration configuration) { - super(configuration); + private final OidcConfiguration configuration; + + public CustomTokenValidator(final OidcConfiguration configuration, final OIDCProviderMetadata metadata) { + super(configuration, metadata); + this.configuration = configuration; } public IDTokenClaimsSet validate(final JWT idToken, final Nonce expectedNonce) diff --git a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderHelper.java b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderHelper.java index c7182445044..e6cece2ea13 100644 --- a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderHelper.java +++ b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderHelper.java @@ -102,6 +102,22 @@ public Optional findByUserIdentifierAndCustomerId( .findFirst(); } + public Optional findAutoProvisioningProviderByEmail( + final List providers, + final String email + ) { + for (final IdentityProviderDto provider : providers) { + if (provider.isAutoProvisioningEnabled()) { + for (final String pattern : provider.getPatterns()) { + if (Pattern.compile(pattern, Pattern.CASE_INSENSITIVE).matcher(email).matches()) { + return Optional.of(provider); + } + } + } + } + return Optional.empty(); + } + public boolean identifierMatchProviderPattern( final List providers, final String userEmail, diff --git a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java index 281d9d47f59..d84ed93d90d 100644 --- a/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java +++ b/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java @@ -45,6 +45,7 @@ import jakarta.validation.constraints.NotNull; import lombok.Getter; import lombok.Setter; +import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.opensaml.saml.common.xml.SAMLConstants; import org.pac4j.core.client.IndirectClient; @@ -53,8 +54,6 @@ import org.pac4j.oidc.config.OidcConfiguration; import org.pac4j.saml.client.SAML2Client; import org.pac4j.saml.config.SAML2Configuration; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.core.io.ByteArrayResource; @@ -62,17 +61,12 @@ import java.util.Map; import java.util.Optional; -/** - * A pac4j client builder. - * - * - */ +/** A pac4j client builder. */ @Getter @Setter +@Slf4j public class Pac4jClientBuilder { - private static final Logger LOGGER = LoggerFactory.getLogger(Pac4jClientBuilder.class); - @Value("${login.url}") @NotNull private String casLoginUrl; @@ -153,13 +147,14 @@ public Optional buildClient(final IdentityProviderDto provider) oidcConfiguration.setUseNonce(useNonce != null ? useNonce : true); final Boolean usePkce = provider.getUsePkce(); oidcConfiguration.setDisablePkce(usePkce != null ? !usePkce : true); - oidcConfiguration.setStateGenerator((context, store) -> new Nonce().toString()); - oidcConfiguration.setTokenValidator(new CustomTokenValidator(oidcConfiguration)); + oidcConfiguration.setStateGenerator(ctx -> new Nonce().toString()); + oidcConfiguration.setOpMetadataResolver(new CustomOidcOpMetadataResolver(oidcConfiguration)); final OidcClient oidcClient = new OidcClient(oidcConfiguration); setCallbackUrl(oidcClient, technicalName); oidcClient.init(); + oidcClient.getConfiguration().getOpMetadataResolver().load(); return Optional.of(oidcClient); } } @@ -172,7 +167,7 @@ public Optional buildClient(final IdentityProviderDto provider) } else if (message.equals("Error parsing idp Metadata")) { throw new InvalidFormatException(message, ErrorsConstants.ERRORS_VALID_IDP_METADATA); } - LOGGER.error("Cannot build pac4j client with provider identifier: " + provider.getIdentifier(), e); + log.error("Cannot build pac4j client with provider identifier: " + provider.getIdentifier(), e); } return Optional.empty(); } diff --git a/api/api-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidatorTest.java b/api/api-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidatorTest.java index f800ecccd25..06922093610 100644 --- a/api/api-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidatorTest.java +++ b/api/api-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidatorTest.java @@ -1,3 +1,30 @@ +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) + * + * contact.vitam@culture.gouv.fr + * + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. + * + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". + * + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. + * + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. + * + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. + */ + package fr.gouv.vitamui.iam.common.utils; import com.nimbusds.jose.JWSAlgorithm; @@ -43,7 +70,6 @@ public void setUp() { configuration = mock(OidcConfiguration.class); final OIDCProviderMetadata metadata = mock(OIDCProviderMetadata.class); when(metadata.getIssuer()).thenReturn(new Issuer(ISSUER)); - when(configuration.findProviderMetadata()).thenReturn(metadata); when(configuration.getClientId()).thenReturn(CLIENT_ID); when(configuration.getSecret()).thenReturn(CLIENT_SECRET); when(metadata.getIDTokenJWSAlgs()).thenReturn(Arrays.asList(JWSAlgorithm.HS256)); @@ -59,7 +85,7 @@ public void setUp() { nonce = new Nonce(); claims.put("nonce", nonce.toString()); - validator = new CustomTokenValidator(configuration); + validator = new CustomTokenValidator(configuration, metadata); } @Test diff --git a/api/api-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilderTest.java b/api/api-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilderTest.java index 142fadf3fe6..2eca64186e5 100644 --- a/api/api-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilderTest.java +++ b/api/api-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilderTest.java @@ -2,7 +2,6 @@ import com.nimbusds.jose.JWSAlgorithm; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; -import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; import org.pac4j.core.client.IndirectClient; import org.pac4j.oidc.client.OidcClient; @@ -27,7 +26,6 @@ public class Pac4jClientBuilderTest { private static final JWSAlgorithm ALGORITHM = JWSAlgorithm.HS256; private static final Map CUSTOM_PARAMS = Map.of("prompt", "login"); - @Disabled @Test public void testOidcProviderCreationSuccessful() { final IdentityProviderDto provider = new IdentityProviderDto(); @@ -62,9 +60,8 @@ public void testOidcProviderCreationSuccessful() { } @Test - public void testOidcProviderCreationFailure() { + public void shouldClientCreationFailsWhenNoProviderClientId() { final IdentityProviderDto provider = new IdentityProviderDto(); - provider.setClientId(CLIENT_ID); provider.setClientSecret(CLIENT_SECRET); provider.setDiscoveryUrl("http://url"); @@ -72,7 +69,45 @@ public void testOidcProviderCreationFailure() { builder.setCasLoginUrl(LOGIN_URL); final Optional optClient = builder.buildClient(provider); + assertTrue(optClient.isEmpty()); + } + + @Test + public void shouldClientCreationFailsWhenNoProviderClientSecret() { + final IdentityProviderDto provider = new IdentityProviderDto(); + provider.setClientId(CLIENT_ID); + provider.setDiscoveryUrl("http://url"); + + final Pac4jClientBuilder builder = new Pac4jClientBuilder(); + builder.setCasLoginUrl(LOGIN_URL); + + final Optional optClient = builder.buildClient(provider); + assertTrue(optClient.isEmpty()); + } + + @Test + public void shouldClientCreationFailsWhenNoProviderDiscoveryUrl() { + final IdentityProviderDto provider = new IdentityProviderDto(); + provider.setClientId(CLIENT_ID); + provider.setClientSecret(CLIENT_SECRET); + + final Pac4jClientBuilder builder = new Pac4jClientBuilder(); + builder.setCasLoginUrl(LOGIN_URL); + + final Optional optClient = builder.buildClient(provider); + assertTrue(optClient.isEmpty()); + } + @Test + public void shouldClientCreationFailsWhenNoBuilderLoginUrl() { + final IdentityProviderDto provider = new IdentityProviderDto(); + provider.setClientId(CLIENT_ID); + provider.setClientSecret(CLIENT_SECRET); + provider.setDiscoveryUrl("http://url"); + + final Pac4jClientBuilder builder = new Pac4jClientBuilder(); + + final Optional optClient = builder.buildClient(provider); assertTrue(optClient.isEmpty()); } } diff --git a/api/api-iam/iam/pom.xml b/api/api-iam/iam/pom.xml index d91123c6cdd..882bccd7df2 100644 --- a/api/api-iam/iam/pom.xml +++ b/api/api-iam/iam/pom.xml @@ -23,6 +23,10 @@ + + fr.gouv.vitamui.commons + commons-utils + fr.gouv.vitamui iam-commons diff --git a/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/cas/service/CasService.java b/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/cas/service/CasService.java index 73fac8ce2fb..591ab114597 100644 --- a/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/cas/service/CasService.java +++ b/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/cas/service/CasService.java @@ -82,8 +82,6 @@ import lombok.Setter; import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.time.DateUtils; -import org.apereo.cas.ticket.UniqueTicketIdGenerator; -import org.apereo.cas.util.DefaultUniqueTicketIdGenerator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -107,6 +105,7 @@ import java.util.Objects; import java.util.Optional; import java.util.Set; +import java.util.UUID; import java.util.stream.Collectors; /** @@ -202,7 +201,16 @@ public class CasService { @SuppressWarnings("unused") private static final Logger LOGGER = LoggerFactory.getLogger(CasService.class); - private static final UniqueTicketIdGenerator TICKET_GENERATOR = new DefaultUniqueTicketIdGenerator(); + /** + * Generate a unique ticket ID with the given prefix. + * Uses UUID for guaranteed uniqueness. + * + * @param prefix The prefix for the ticket ID + * @return A unique ticket ID in the format: prefix-uuid + */ + private static String generateUniqueTicketId(String prefix) { + return prefix + "-" + UUID.randomUUID().toString(); + } public CasService() {} @@ -346,10 +354,10 @@ private UserDto loadFullUserProfileIfRequired( /** * Method to retrieve the user information * - * @param loginEmail email of the user + * @param loginEmail email of the user * @param loginCustomerId The customerId of the user - * @param idp can be null - * @param userIdentifier can be null + * @param idp can be null + * @param userIdentifier can be null * @param optEmbedded * @return */ @@ -637,7 +645,7 @@ private void generateAndAddAuthToken(final AuthUserDto user, final boolean isSub token.setCreatedDate(currentDate); final Date nowPlusXMinutes = DateUtils.addMinutes(currentDate, ttlInMinutes); token.setUpdatedDate(nowPlusXMinutes); - token.setId(TICKET_GENERATOR.getNewTicketId(TOKEN_PREFIX)); + token.setId(generateUniqueTicketId(TOKEN_PREFIX)); token.setSurrogation(isSubrogation); tokenRepository.save(token); user.setLastConnection(OffsetDateTime.now()); diff --git a/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/customer/config/CustomerInitConfig.java b/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/customer/config/CustomerInitConfig.java index 4d40d0a6387..d4d487d3d11 100644 --- a/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/customer/config/CustomerInitConfig.java +++ b/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/customer/config/CustomerInitConfig.java @@ -39,7 +39,6 @@ import fr.gouv.vitamui.commons.api.domain.Role; import fr.gouv.vitamui.commons.api.domain.ServicesData; -import fr.gouv.vitamui.commons.spring.YamlPropertySourceFactory; import lombok.AccessLevel; import lombok.Getter; import lombok.Setter; @@ -60,7 +59,10 @@ @Getter @Setter @Component -@PropertySource(factory = YamlPropertySourceFactory.class, value = "file:${customer.init.config.file}") +@PropertySource( + factory = fr.gouv.vitamui.commons.spring.YamlPropertySourceFactory.class, + value = "file:${customer.init.config.file}" +) @ConfigurationProperties("customer-init") public class CustomerInitConfig implements InitializingBean { diff --git a/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/security/IamUserAuthentificationService.java b/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/security/IamUserAuthentificationService.java index f368f99078b..829d46ae27d 100644 --- a/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/security/IamUserAuthentificationService.java +++ b/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/security/IamUserAuthentificationService.java @@ -77,7 +77,7 @@ public class IamUserAuthentificationService implements UserAuthenticationService @NotNull private Integer tokenAdditionalTtl; - @Value("${cas.secret.token}") + @Value("${cas_secret_token}") @NotNull private String casSecretToken; diff --git a/api/api-iam/iam/src/main/resources/application-dev.yml b/api/api-iam/iam/src/main/resources/application-dev.yml index bb9dcb0c54c..407c800d567 100644 --- a/api/api-iam/iam/src/main/resources/application-dev.yml +++ b/api/api-iam/iam/src/main/resources/application-dev.yml @@ -33,6 +33,15 @@ server: client-certificate-header-name: x-ssl-cert error: path: /error + tomcat: + connection-timeout: 60000 + accesslog: + enabled: true + max-days: 365 + directory: "/vitamui/log/iam" + prefix: "accesslog-iam" + file-date-format: ".yyyy-MM-dd" + suffix: ".log" management: server: @@ -62,7 +71,7 @@ cas-client: cas.reset.password.url: /cas/extras/resetPassword?username={username}&firstname={firstname}&lastname={lastname}&language={language}&customerId={customerId}&ttl=1day cas.tenant.identifier: -1 -cas.secret.token: tokcas_ie6UZsEcHIWrfv2x +cas_secret_token: tokcas_ie6UZsEcHIWrfv2x login: url: http://dev.vitamui.com:8080/cas/login diff --git a/api/api-iam/iam/src/test/resources/application.yml b/api/api-iam/iam/src/test/resources/application.yml index 6f922211108..437e5d3af9d 100644 --- a/api/api-iam/iam/src/test/resources/application.yml +++ b/api/api-iam/iam/src/test/resources/application.yml @@ -42,7 +42,7 @@ customer.init.config.file: src/test/resources/customer-init.yml cas.reset.password.url: /extras/resetPassword?username={username}&firstname={firstname}&lastname={lastname}&language={language}&customerId={customerId}&ttl=1day cas.tenant.identifier: -1 -cas.secret.token: tokcas_ie6UZsEcHIWrfv2x +cas_secret_token: tokcas_ie6UZsEcHIWrfv2x address: max-street-length: 250 diff --git a/bom/pom.xml b/bom/pom.xml index 777f93c1f94..7958c6ef3c1 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -18,7 +18,7 @@ 2.0.31 3.25.3 1.78 - 6.6.12 + 7.0.10.1 1.9.4 4.4 1.26.1 @@ -33,14 +33,14 @@ 2.3.30 3.0.2 2.10.1 - 6.1.7.Final + 8.0.1.Final 5.4.4 5.3.4 4.0.0-M2 2.17.0 3.3.1 5.0.1 - 1.6.5 + 2.0.1 4.0.2 3.30.2-GA 6.0.0 @@ -54,27 +54,24 @@ 1.2.3 20240303 1.5.0 - 1.1.1 - 1.2.13 + 1.4.14 1.18.38 1.3.0.Final 1.13.15 - 4.6.1 1.1.0 5.4 0.8.2-incubating 0.8.7 - 5.4.6 + 6.1.1 7.2.5.RELEASE 5.2.5 1.0 3.3.10 2.2.6 3.3.10 - 1.7.30 + 2.0.9 2025.0.0 6.2.8 - 6.0.3 3.0.0 1.21.4 20220510 @@ -313,11 +310,6 @@ - - org.pac4j - spring-webmvc-pac4j - ${spring-webmvc-pac4j.version} - org.pac4j pac4j-saml @@ -343,36 +335,6 @@ pac4j-jwt ${pac4j.version} - - org.pac4j - pac4j-jee - ${pac4j.version} - - - org.pac4j - pac4j-javaee - ${pac4j.version} - - - org.pac4j - pac4j-http - ${pac4j.version} - - - org.pac4j - pac4j-config - ${pac4j.version} - - - org.pac4j - pac4j-cas - ${pac4j.version} - - - org.pac4j - pac4j-oauth - ${pac4j.version} - org.pac4j pac4j-core @@ -682,11 +644,6 @@ commons-codec ${apache.commons.codec.version} - - org.gandon.tomcat - juli-to-slf4j - ${juli.to.slf4j.version} - com.fasterxml.jackson.dataformat diff --git a/cas/cas-server/pom.xml b/cas/cas-server/pom.xml index ed806a9cdf3..e229f0317ef 100644 --- a/cas/cas-server/pom.xml +++ b/cas/cas-server/pom.xml @@ -11,59 +11,126 @@ VITAMUI CAS Server + UTF-8 UTF-8 - - 17 - 17 - 17 - 17 - 17 + 21 + 21 + 21 - 6.6.12 + + 3.2.1 + 4.1.0 - - 3.11.1 + + 7.0.10.1 + 6.1.1 + 6.0.3 + + + 2.0.9 + 1.4.14 + 8.0 + 2.16.1 + 1.18.36 + 2.0.1 + 4.0.17 + 3.6.2 + 1.12.1 + 2.2.2 6.5.1 - true + 1.14.1 1.13.2 + 8.0.1.Final + 2.15.1 + 1.8.20.GA + + 5.7.2 - 1.9.3 5.2.0 - 4.7.1 - ${project.build.finalName}.war - false - 6.0.3 - 2.7.18 - 3.1.1 - 5.3.22 - 5.3.22 - 2.2.2 - 3.0.15.RELEASE + 3.11.1 - + + 3.11.0 + 3.2.0 3.4.2 0.3.1 - 3.2.0 2.43.0 3.2.4 2.6.0 + + + true + false + ${project.build.finalName}.war + fr.gouv.vitamui bom - 8.1.1 + ${project.version} + pom + import + + + + + org.apereo.cas + cas-server-support-bom + ${cas.version} pom import + + + + org.springframework.boot + spring-boot-dependencies + ${spring.boot.version} + pom + import + + + org.apache.groovy + groovy-bom + ${groovy.version} + pom + import + + + com.fasterxml.jackson + jackson-bom + ${jackson.version} + pom + import + + + + + org.apache.httpcomponents.client5 + httpclient5 + 5.2.3 + + + org.apache.httpcomponents.core5 + httpcore5 + 5.2.4 + + + org.apache.httpcomponents.core5 + httpcore5-h2 + 5.2.4 + - + + + fr.gouv.vitamui iam-client @@ -91,39 +158,49 @@ - + + + + + org.springframework.boot + spring-boot-actuator-autoconfigure + org.springframework.boot spring-boot-autoconfigure - ${spring.boot.version} provided - - org.springframework.cloud spring-cloud-starter-consul-discovery - ${spring.cloud.consul.version} runtime spring-cloud-starter-loadbalancer org.springframework.cloud + + org.apache.httpcomponents + httpclient + + + org.apache.httpcomponents + httpcore + org.springframework.cloud spring-cloud-commons - ${spring.cloud.consul.version} org.springframework.cloud spring-cloud-context - ${spring.cloud.consul.version} - + + + org.apereo.cas cas-server-webapp-tomcat @@ -131,13 +208,27 @@ war runtime + + org.apereo.cas + cas-server-webapp-init + + + org.apereo.cas + cas-server-core + - + + + + org.apereo.cas cas-server-support-mongo-service-registry - ${cas.version} + + org.apache.httpcomponents.core5 + httpcore5 + io.dropwizard.metrics metrics-core @@ -149,360 +240,362 @@ - org.mongodb - mongodb-driver-sync - ${mongo.version} + org.apereo.cas + cas-server-core-services-api + + + org.apereo.cas + cas-server-core-services-authentication + + + org.apereo.cas + cas-server-core-services - + org.apereo.cas - cas-server-core-authentication - ${cas.version} + cas-server-support-hazelcast-ticket-registry org.apereo.cas - cas-server-support-pac4j-webflow - ${cas.version} + cas-server-core-tickets + + + + + org.apereo.cas + cas-server-core-authentication - io.dropwizard.metrics - metrics-core + org.apereo.inspektr + inspektr-audit + + + org.apereo.inspektr + inspektr-common + + + org.apereo.inspektr + inspektr-support-spring org.apereo.cas - cas-server-support-pac4j-core - ${cas.version} + cas-server-core-authentication-api org.apereo.cas cas-server-support-pac4j-api - ${cas.version} org.apereo.cas - cas-server-support-pac4j-core-clients - ${cas.version} + cas-server-support-pac4j-core org.apereo.cas - cas-server-core-web - ${cas.version} + cas-server-support-pac4j-core-clients org.apereo.cas - cas-server-core-util - ${cas.version} + cas-server-support-pac4j-webflow + + org.apereo.cas cas-server-support-saml-core-api - ${cas.version} - org.pac4j - pac4j-jee - - - org.pac4j - pac4j-javaee - - - org.pac4j - pac4j-http + org.apereo.cas + cas-server-support-saml-core - org.pac4j - pac4j-config + org.apereo.cas + cas-server-support-oauth-webflow - org.pac4j - pac4j-cas + org.apereo.cas + cas-server-support-oauth - org.pac4j - pac4j-oauth + org.apereo.cas + cas-server-support-oauth-api - org.pac4j - pac4j-core + org.apereo.cas + cas-server-support-oauth-core - org.pac4j - spring-webmvc-pac4j + org.apereo.cas + cas-server-support-oauth-core-api - org.pac4j - pac4j-saml + org.apereo.cas + cas-server-support-oauth-services - org.pac4j - pac4j-oidc + org.apereo.cas + cas-server-support-oidc - javax.servlet - javax.servlet-api - provided + org.apereo.cas + cas-server-support-oidc-core-api - - org.apereo.cas - cas-server-support-hazelcast-ticket-registry - ${cas.version} + cas-server-support-oidc-core - commons-io - commons-io + org.apereo.cas + cas-server-support-token-core-api - + org.apereo.cas cas-server-support-x509-webflow - ${cas.version} org.apereo.cas cas-server-support-x509-core - ${cas.version} - - - org.apereo.cas - cas-server-core-webflow-api - ${cas.version} - + org.apereo.cas cas-server-support-surrogate-api - ${cas.version} org.apereo.cas cas-server-support-surrogate-authentication - ${cas.version} org.apereo.cas cas-server-support-surrogate-webflow - ${cas.version} org.apereo.cas - cas-server-core-services-api - ${cas.version} + cas-server-support-surrogate-core - + org.apereo.cas cas-server-support-pm-webflow - ${cas.version} - - - org.apereo.cas - cas-server-core - ${cas.version} org.apereo.cas cas-server-support-pm-core - ${cas.version} - - - org.apereo.cas - cas-server-core-notifications - ${cas.version} - + org.apereo.cas cas-server-support-simple-mfa - ${cas.version} org.apereo.cas cas-server-support-simple-mfa-core - ${cas.version} org.apereo.cas cas-server-core-authentication-mfa - ${cas.version} + + + org.apereo.cas + cas-server-core-authentication-mfa-api org.apereo.cas cas-server-core-webflow-mfa-api - ${cas.version} org.apereo.cas cas-server-support-sms-smsmode - ${cas.version} + + org.apereo.cas - cas-server-core-authentication-mfa-api - ${cas.version} + cas-server-core-webflow-api org.apereo.cas - cas-server-support-bucket4j-core - ${cas.version} + cas-server-core-web-api - - org.apereo.cas - cas-server-support-throttle - ${cas.version} + cas-server-core-web - - org.apereo.cas - cas-server-support-actions-core - ${cas.version} + cas-server-core-cookie-api - - org.apereo.cas - cas-server-core-cookie-api - ${cas.version} + cas-server-core-util org.apereo.cas - cas-server-core-web-api - ${cas.version} + cas-server-core-notifications org.apereo.cas - cas-server-core-authentication-api - ${cas.version} + cas-server-core-notifications-api org.apereo.cas - cas-server-support-actions - ${cas.version} + cas-server-support-actions-core org.apereo.cas - cas-server-webapp-init - ${cas.version} + cas-server-support-actions org.apereo.cas - cas-server-core-tickets - ${cas.version} + cas-server-support-throttle org.apereo.cas - cas-server-core-services-authentication - ${cas.version} + cas-server-support-metrics org.apereo.cas - cas-server-support-saml-core - ${cas.version} + cas-server-support-webconfig - io.opentracing.contrib - opentracing-spring-jaeger-web-starter + org.apereo.cas + cas-server-support-bucket4j-core - com.sun.mail - jakarta.mail + org.apereo.cas + cas-server-support-passwordless-api - + + + - org.apereo.cas - cas-server-support-oauth-webflow - ${cas.version} + org.pac4j + pac4j-javaee + ${pac4j.version} - org.apereo.cas - cas-server-support-oauth - ${cas.version} + org.pac4j + pac4j-http + ${pac4j.version} - org.apereo.cas - cas-server-support-oauth-api - ${cas.version} + org.pac4j + pac4j-config + ${pac4j.version} - org.apereo.cas - cas-server-support-oauth-core - ${cas.version} + org.pac4j + pac4j-cas + ${pac4j.version} - org.apereo.cas - cas-server-support-token-core-api - ${cas.version} + org.pac4j + pac4j-oauth + ${pac4j.version} - org.apereo.cas - cas-server-support-oauth-core-api - ${cas.version} + org.pac4j + pac4j-core + ${pac4j.version} - org.apereo.cas - cas-server-support-oauth-services - ${cas.version} + org.pac4j + pac4j-saml + ${pac4j.version} - - - org.apereo.cas - cas-server-support-oidc - ${cas.version} + org.pac4j + pac4j-oidc + ${pac4j.version} - org.apereo.cas - cas-server-support-oidc-core-api - ${cas.version} + org.pac4j + spring-webmvc-pac4j + ${spring-webmvc-pac4j.version} - org.apereo.cas - cas-server-support-oidc-core - ${cas.version} + jakarta.servlet + jakarta.servlet-api + provided - + + + + - org.apereo.cas - cas-server-webapp-config - ${cas.version} + com.fasterxml.jackson.core + jackson-annotations - org.apereo.cas - cas-server-core-services - ${cas.version} + com.fasterxml.jackson.core + jackson-core + + + com.fasterxml.jackson.dataformat + jackson-dataformat-yaml - + - org.apereo.cas - cas-server-support-metrics - ${cas.version} + io.projectreactor + reactor-core + + + + org.springframework.data + spring-data-mongodb + + + org.mongodb + mongodb-driver-sync + + + io.micrometer micrometer-registry-prometheus - ${micrometer.version} + + + io.micrometer + micrometer-tracing-bridge-otel + + + io.opentelemetry + opentelemetry-exporter-otlp - + + + org.apereo.cas + cas-server-support-logback + + + org.codehaus.janino + janino + ch.qos.logback logback-classic + + ch.qos.logback + logback-core + + + org.slf4j + slf4j-api + org.slf4j jcl-over-slf4j @@ -512,25 +605,35 @@ jul-to-slf4j - org.gandon.tomcat - juli-to-slf4j + net.logstash.logback + logstash-logback-encoder + ${logstash.logback.encoder.version} - + org.projectlombok lombok - 1.18.38 + provided - org.thymeleaf - thymeleaf-spring5 - ${thymeleaf-spring5.version} + org.hibernate.validator + hibernate-validator + ${hibernate-validator.version} + + + commons-io + commons-io + ${commons-io.version} commons-codec commons-codec + + org.eclipse.angus + jakarta.mail + org.webjars jquery-ui @@ -542,34 +645,54 @@ ${font-awesome.version} - + + + org.junit.vintage junit-vintage-engine - ${junit-vintage-engine.version} test org.mockito mockito-inline - ${mockito.version} test org.springframework spring-test - ${spring.test.version} test org.assertj assertj-core - ${assertj-core.version} test + + + + org.apereo.inspektr + inspektr-common + ${inspektr.version} + provided + + + org.apereo.inspektr + inspektr-audit + ${inspektr.version} + provided + + + org.apereo.inspektr + inspektr-support-spring + ${inspektr.version} + provided + + ${project.artifactId} + src/main/resources @@ -580,10 +703,9 @@ - ${project.artifactId} - + com.diffplug.spotless spotless-maven-plugin @@ -597,8 +719,7 @@ ${spotless-maven-plugin.prettier.version} - ${spotless-maven-plugin.prettier-plugin-java.version} - + ${spotless-maven-plugin.prettier-plugin-java.version} 120 @@ -625,6 +746,22 @@ + + + maven-compiler-plugin + ${maven.compiler.plugin.version} + + + + org.projectlombok + lombok + ${lombok.version} + + + + + + org.apache.maven.plugins maven-war-plugin @@ -634,9 +771,7 @@ false false - - ${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp-tomcat/META-INF/MANIFEST.MF - + ${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp-tomcat/META-INF/MANIFEST.MF @@ -661,10 +796,16 @@ WEB-INF/lib/oauth2-oidc-sdk-*.jar WEB-INF/lib/pac4j-*.jar WEB-INF/lib/slf4j-api-*.jar - WEB-INF/lib/slf4j-api-*.jar WEB-INF/lib/spring-boot-starter-log4j2-*.jar WEB-INF/lib/spring-expression-*.jar WEB-INF/lib/spring-webmvc-pac4j-*.jar + WEB-INF/lib/log4j-slf4j2-impl-*.jar + WEB-INF/lib/log4j-jakarta-web-*.jar + WEB-INF/lib/log4j-spring-boot-*.jar + WEB-INF/lib/log4j-spring-cloud-config-client-*.jar + WEB-INF/lib/httpclient5-*.jar + WEB-INF/lib/httpclient-*.jar + WEB-INF/lib/httpcore-*.jar @@ -689,11 +830,19 @@ WEB-INF/lib/slf4j-api-*.jar, WEB-INF/lib/oauth2-oidc-sdk-*.jar, WEB-INF/lib/pac4j-*.jar, - WEB-INF/lib/spring-webmvc-pac4j-*.jar + WEB-INF/lib/spring-webmvc-pac4j-*.jar, + WEB-INF/lib/log4j-slf4j2-impl-*.jar, + WEB-INF/lib/log4j-jakarta-web-*.jar, + WEB-INF/lib/log4j-spring-boot-*.jar, + WEB-INF/lib/log4j-spring-cloud-config-client-*.jar, + WEB-INF/lib/httpclient5-*.jar, + WEB-INF/lib/httpclient-*.jar, + WEB-INF/lib/httpcore-*.jar + org.springframework.boot spring-boot-maven-plugin @@ -707,9 +856,7 @@ - - --spring.config.additional-location=file:${basedir}/src/main/config/cas-server-application-dev.yml - + --spring.config.additional-location=file:${basedir}/src/main/config/cas-server-application-dev.yml @@ -721,6 +868,7 @@ + com.gitlab.haynes libsass-maven-plugin @@ -737,9 +885,11 @@ ${project.basedir}/src/main/config/sass ${project.basedir}/src/main/resources/static/css false - + compressed + + com.google.cloud.tools jib-maven-plugin @@ -766,7 +916,7 @@ - + rpm @@ -801,7 +951,7 @@ - + deb @@ -827,9 +977,6 @@ NAME=${project.artifactId} VERSION=${project.version} JAR_FILE=${rpm.jar-file} - DEPENDENCIES=systemd diff --git a/cas/cas-server/src/main/config/cas-server-application-dev.yml b/cas/cas-server/src/main/config/cas-server-application-dev.yml index 05b02d78d3c..5d7366090d4 100644 --- a/cas/cas-server/src/main/config/cas-server-application-dev.yml +++ b/cas/cas-server/src/main/config/cas-server-application-dev.yml @@ -38,8 +38,14 @@ management: port: 7080 ssl: enabled: false -#management.metrics.export.prometheus.enabled: true - + elastic: + metrics: + export: + enabled: false + prometheus: + metrics: + export: + enabled: false vitamui.cas.tenant.identifier: -1 vitamui.cas.identity: cas @@ -78,19 +84,29 @@ cas.authn.oauth.crypto.signing.key: kSs5OT5bTV6E9Ba0biGZ3taVlmlBFmoMyvG4JB0pSiZJ cas.authn.oauth.access-token.crypto.encryption.key: RGAYHpTTKJ-YMbh7Yrt3Xd6VQH_myXYISwThfo-9OKI cas.authn.oauth.access-token.crypto.signing.key: j8AZtUo6i4BI2n3bu2Elr9d3aIOL35vec0AjUBubP6rgj5arKWB9lRcWq9bjxGIwoAbFv-1MRmiScXlIIX0BGg +cas.authn.oauth.session-replication.cookie.crypto.encryption.key: 2macKckIM22PrUn9cHkyVe1lB4jc12hXsbUa8e7Ih8Q +cas.authn.oauth.session-replication.cookie.crypto.signing.key: vhnibDmTxFA0q_jO3XedyoHgKkPQPmfVeWLVj9byRfLiVFqZi38ZsEy4Qt0Vu2rZFXceBgp5nb55iWgxo2EzCQ +cas.authn.pac4j: + core.session-replication.cookie: + name: DISSESSIONAD + crypto: + encryption.key: T4LxS93IaaD-F-7kz66VEc2BD3g8uGGYKPECFkV9vBU + signing.key: fRYHy2_3_qApascjXEaXuTL5o52nrohztttpiGKFkWpXYUHaV85lS8Ph10OGfkpUUZlkyhhq6oPOXOlGIAQbiQ + cas: + - login-url: https://dev.vitamui.com:8080/cas/login + cas.server.prefix: https://dev.vitamui.com:8080/cas login.url: ${cas.server.prefix}/login -cas.service-registry.mongo.client-uri: mongodb://mongod_dbuser_cas:mongod_dbpwd_cas@localhost:27018/cas - -#cas.service-registry.mongo.port: 27018 -#cas.service-registry.mongo.database-name: cas -#cas.service-registry.mongo.authentication-database-name: cas -#cas.service-registry.mongo.replica-set: rs0 -cas.service-registry.mongo.collection: services -#cas.service-registry.mongo.user-id: mongod_dbuser_cas -#cas.service-registry.mongo.password: mongod_dbpwd_cas - +cas.service-registry.mongo: + client-uri: mongodb://mongod_dbuser_cas:mongod_dbpwd_cas@localhost:27018/cas +# port: 27018 +# database-name: cas +# authentication-database-name: cas +# replica-set: rs0 + collection: services +# user-id: mongod_dbuser_cas +# password: mongod_dbpwd_cas cas.authn.surrogate.separator: "," cas.authn.surrogate.mail.attribute-name: fakeNameToBeSureToFindNoAttributeAndNeverSendAnEmail @@ -155,7 +171,7 @@ cas.sms-provider.sms-mode.access-token: changeme vitamui.portal.url: https://dev.vitamui.com:4200/ -cas.secret.token: tokcas_ie6UZsEcHIWrfv2x +cas_secret_token: tokcas_ie6UZsEcHIWrfv2x ip.header: X-Real-IP @@ -187,6 +203,8 @@ logging: org.springframework.context.annotation: 'OFF' org.springframework.boot.devtools: 'OFF' org.apereo.inspektr.audit.support: 'INFO' + org.springframework.webflow: INFO + org.apereo: INFO # Cas CORS (necessary for mobile app) cas.http-web-request.cors.enabled: true @@ -206,24 +224,34 @@ password: defaults: fr: messages: - - minimum ${password.length} caractères + - Avoir une taille d'au moins ${password.length} caractères special-chars: - title: 'minimum 2 caractères issus de chaque catégorie, pour au moins 3 des catégories suivantes :' + title: 'Contenir au moins 2 caractères issus de chaque catégorie, pour au moins 3 des catégories suivantes:' messages: - - minuscules (a-z) - - majuscules (A-Z) - - numériques (0-9) - - caractères spéciaux (!"#$%&£'()*+,-./:;<=>?@[]^_`{|}~) + - Minuscules (a-z) + - Majuscules (A-Z) + - Numériques (0-9) + - Caractères spéciaux (!"#$%&£'()*+,-./:;<=>?@[]^_`{|}~) en: messages: - - minimum ${password.length} characters + - Have a size of at least ${password.length} characters special-chars: - title: 'minimum 2 characters from each category, for at least 3 of the following categories :' + title: 'Contain at least 2 characters from each category, for at least 3 of the following categories:' messages: - - lowercases (a-z) - - uppercases (A-Z) - - digital (0-9) - - special characters (!"#$%&£'()*+,-./:;<=>?@[]^_`{|}~) + - Uppercases (a-z) + - Lowercases (A-Z) + - Digits (0-9) + - Special Characters (!"#$%&£'()*+,-./:;<=>?@[]^_`{|}~) + de: + messages: + - Mindestens ${password.length} Zeichen lang sein + special-chars: + title: 'Mindestens 2 Zeichen aus jeder Kategorie enthalten, für mindestens 3 der folgenden Kategorien:' + messages: + - Großbuchstaben (a-z) + - Kleinbuchstaben (A-Z) + - Ziffern (0-9) + - Spezielle Charaktere (!"#$%&£'()*+,-./:;<=>?@[]^_`{|}~) customs: fr: title: 'Pour des raisons de sécurité, votre mot de passe doit:' @@ -237,7 +265,12 @@ password: - At least ${password.length} characters - Lowercase and uppercase - At least one number and one special character (!"#$%&£'()*+,-./:;<=>?@[]^_`{|}~) - + de: + title: 'Aus Sicherheitsgründen muss Ihr Passwort:' + messages: + - Mindestens ${password.length} Zeichen + - Klein- und Großbuchstaben + - Mindestens eine Zahl und ein Sonderzeichen (!"#$%&£'()*+,-./:;<=>?@[]^_`{|}~) --- spring: diff --git a/cas/cas-server/src/main/config/cas-server-application-recette.yml b/cas/cas-server/src/main/config/cas-server-application-recette.yml index 736a950ba38..ce0f8130a79 100644 --- a/cas/cas-server/src/main/config/cas-server-application-recette.yml +++ b/cas/cas-server/src/main/config/cas-server-application-recette.yml @@ -126,7 +126,7 @@ cas.sms-provider.sms-mode.access-token: changeme vitamui.portal.url: https://dev.vitamui.com:9000/ -cas.secret.token: tokcas_ie6UZsEcHIWrfv2x +cas_secret_token: tokcas_ie6UZsEcHIWrfv2x ip.header: X-Real-IP @@ -188,7 +188,7 @@ password: messages: - lowercases (a-z) - uppercases (A-Z) - - digital (0-9) + - digits (0-9) - special characters (!"#$%&£'()*+,-./:;<=>?@[]^_`{|}~) customs: fr: diff --git a/cas/cas-server/src/main/config/sass/_login.scss b/cas/cas-server/src/main/config/sass/_login.scss index 24a6ae23d55..a342bd29287 100644 --- a/cas/cas-server/src/main/config/sass/_login.scss +++ b/cas/cas-server/src/main/config/sass/_login.scss @@ -1,6 +1,5 @@ .login { - position: fixed; height: 100%; top: 0; diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserAuthenticationHandler.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/LoginPwdAuthenticationHandler.java similarity index 55% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserAuthenticationHandler.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/LoginPwdAuthenticationHandler.java index 6f47c26353b..de5175329a6 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserAuthenticationHandler.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/LoginPwdAuthenticationHandler.java @@ -36,8 +36,6 @@ */ package fr.gouv.vitamui.cas.authentication; -import fr.gouv.vitamui.cas.util.Constants; -import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.commons.api.domain.UserDto; import fr.gouv.vitamui.commons.api.enums.UserStatusEnum; import fr.gouv.vitamui.commons.api.enums.UserTypeEnum; @@ -45,8 +43,10 @@ import fr.gouv.vitamui.commons.api.exception.InvalidFormatException; import fr.gouv.vitamui.commons.api.exception.TooManyRequestsException; import fr.gouv.vitamui.commons.api.exception.VitamUIException; -import fr.gouv.vitamui.iam.client.CasRestClient; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.LoginRequestDto; +import jakarta.servlet.http.HttpServletRequest; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult; import org.apereo.cas.authentication.PreventedException; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; @@ -56,15 +56,13 @@ import org.apereo.cas.authentication.principal.Principal; import org.apereo.cas.authentication.principal.PrincipalFactory; import org.apereo.cas.services.ServicesManager; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import org.springframework.webflow.execution.RequestContext; import org.springframework.webflow.execution.RequestContextHolder; import javax.security.auth.login.AccountException; import javax.security.auth.login.AccountLockedException; import javax.security.auth.login.AccountNotFoundException; import javax.security.auth.login.CredentialNotFoundException; -import javax.servlet.http.HttpServletRequest; import java.security.GeneralSecurityException; import java.time.OffsetDateTime; import java.util.ArrayList; @@ -72,29 +70,29 @@ import java.util.List; import java.util.Map; +import static fr.gouv.vitamui.cas.util.Constants.FLOW_LOGIN_CUSTOMER_ID; +import static fr.gouv.vitamui.cas.util.Constants.FLOW_LOGIN_EMAIL; +import static fr.gouv.vitamui.cas.util.Constants.FLOW_SURROGATE_CUSTOMER_ID; +import static fr.gouv.vitamui.cas.util.Constants.FLOW_SURROGATE_EMAIL; + /** * Authentication handler to check the username/password on the IAM API. */ -public class UserAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler { - - private static final Logger LOGGER = LoggerFactory.getLogger(UserAuthenticationHandler.class); - - private final CasRestClient casRestClient; +@Slf4j +public class LoginPwdAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler { - private final Utils utils; + private final CasApi casApi; private final String ipHeaderName; - public UserAuthenticationHandler( + public LoginPwdAuthenticationHandler( final ServicesManager servicesManager, final PrincipalFactory principalFactory, - final CasRestClient casRestClient, - final Utils utils, + final CasApi casApi, final String ipHeaderName ) { - super(UserAuthenticationHandler.class.getSimpleName(), servicesManager, principalFactory, 1); - this.casRestClient = casRestClient; - this.utils = utils; + super(LoginPwdAuthenticationHandler.class.getSimpleName(), servicesManager, principalFactory, 1); + this.casApi = casApi; this.ipHeaderName = ipHeaderName; } @@ -103,79 +101,132 @@ protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInter final UsernamePasswordCredential transformedCredential, final String originalPassword ) throws GeneralSecurityException, PreventedException { - val requestContext = RequestContextHolder.getRequestContext(); - val flowScope = requestContext.getFlowScope(); - val loginEmail = flowScope.getRequiredString(Constants.FLOW_LOGIN_EMAIL); - val loginCustomerId = flowScope.getRequiredString(Constants.FLOW_LOGIN_CUSTOMER_ID); - val surrogateEmail = flowScope.getString(Constants.FLOW_SURROGATE_EMAIL); - val surrogateCustomerId = flowScope.getString(Constants.FLOW_SURROGATE_CUSTOMER_ID); - val externalContext = requestContext.getExternalContext(); - val ip = ((HttpServletRequest) externalContext.getNativeRequest()).getHeader(ipHeaderName); - val context = utils.buildContext(loginEmail); - - LOGGER.debug( - "Authenticating loginEmail: {} / loginCustomerId: {} / surrogateEmail: {} / surrogateCustomerId:" + - " {} / IP: {}", - loginEmail, - loginCustomerId, - surrogateEmail, - surrogateCustomerId, - ip - ); + final var login = buildLoginRequestFromFlowScopeData(originalPassword); try { - val user = casRestClient.login( - context, - loginEmail, - loginCustomerId, - originalPassword, - surrogateEmail, - surrogateCustomerId, - ip - ); + final var user = casApi.login(login); + if (user != null) { if (mustChangePassword(user)) { - LOGGER.info("Password expired for: {} ({})", loginEmail, loginCustomerId); - throw new AccountPasswordMustChangeException("Password expired for: " + loginEmail); + LOGGER.info("Password expired for: {} ({})", login.getLoginEmail(), login.getLoginCustomerId()); + throw new AccountPasswordMustChangeException("Password expired for: " + login.getLoginEmail()); } else if (user.getStatus() == UserStatusEnum.ENABLED && user.getType() == UserTypeEnum.NOMINATIVE) { Map> attributes = new HashMap<>(); - attributes.put(Constants.FLOW_LOGIN_EMAIL, List.of(loginEmail)); - attributes.put(Constants.FLOW_LOGIN_CUSTOMER_ID, List.of(loginCustomerId)); + attributes.put(FLOW_LOGIN_EMAIL, List.of(login.getLoginEmail())); + attributes.put(FLOW_LOGIN_CUSTOMER_ID, List.of(login.getLoginCustomerId())); - if (surrogateEmail != null) { - attributes.put(Constants.FLOW_SURROGATE_EMAIL, List.of(surrogateEmail)); - attributes.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, List.of(surrogateCustomerId)); + if (login.getSurrogateEmail() != null) { + attributes.put(FLOW_SURROGATE_EMAIL, List.of(login.getSurrogateEmail())); + attributes.put(FLOW_SURROGATE_CUSTOMER_ID, List.of(login.getSurrogateCustomerId())); } - final Principal principal = principalFactory.createPrincipal(loginEmail, attributes); + Principal principal; + try { + principal = principalFactory.createPrincipal(login.getLoginEmail(), attributes); + } catch (final Throwable e) { + LOGGER.error("Error creating principal", e); + throw new PreventedException(e); + } LOGGER.debug("Successful authentication, created principal: {}", principal); return createHandlerResult(transformedCredential, principal, new ArrayList<>()); } else { - LOGGER.debug("Cannot login user: {} ({})", loginEmail, loginCustomerId); - throw new AccountException("Disabled or cannot login user: " + loginEmail); + LOGGER.debug("Cannot login user: {} ({})", login.getLoginEmail(), login.getLoginCustomerId()); + throw new AccountException("Disabled or cannot login user: " + login.getLoginEmail()); } } else { - LOGGER.debug("No user found for: {} ({})", loginEmail, loginCustomerId); - throw new AccountNotFoundException("Bad credentials for: " + loginEmail); + LOGGER.debug("No user found for: {} ({})", login.getLoginEmail(), login.getLoginCustomerId()); + throw new AccountNotFoundException("Bad credentials for: " + login.getLoginEmail()); } } catch (final InvalidAuthenticationException e) { - LOGGER.error("Bad credentials for username: {} ({})", loginEmail, loginCustomerId); - throw new CredentialNotFoundException("Bad credentials for username: " + loginEmail); + LOGGER.error("Bad credentials for username: {} ({})", login.getLoginEmail(), login.getLoginCustomerId()); + throw new CredentialNotFoundException("Bad credentials for username: " + login.getLoginEmail()); } catch (final TooManyRequestsException e) { - LOGGER.error("Too many login attempts for username: {} ({})", loginEmail, loginCustomerId); - throw new AccountLockedException("Too many login attempts for username: " + loginEmail); + LOGGER.error( + "Too many login attempts for username: {} ({})", + login.getLoginEmail(), + login.getLoginCustomerId() + ); + throw new AccountLockedException("Too many login attempts for username: " + login.getLoginEmail()); } catch (final InvalidFormatException e) { - LOGGER.error("Bad status for username: {} ({})", loginEmail, loginCustomerId); - throw new AccountDisabledException("Bad status: " + loginEmail); + LOGGER.error("Bad status for username: {} ({})", login.getLoginEmail(), login.getLoginCustomerId()); + throw new AccountDisabledException("Bad status: " + login.getLoginEmail()); } catch (final VitamUIException e) { - LOGGER.error(String.format("Unexpected exception for username: %s(%s)", loginEmail, loginCustomerId), e); + LOGGER.error( + "Unexpected exception for username: {}({})", + login.getLoginEmail(), + login.getLoginCustomerId(), + e + ); throw new PreventedException(e); } } protected boolean mustChangePassword(final UserDto user) { - val pwdExpirationDate = user.getPasswordExpirationDate(); + var pwdExpirationDate = user.getPasswordExpirationDate(); return (pwdExpirationDate == null || pwdExpirationDate.isBefore(OffsetDateTime.now())); } + + private LoginRequestDto buildLoginRequestFromFlowScopeData(String originalPassword) { + var requestContext = RequestContextHolder.getRequestContext(); + var flowScope = requestContext.getFlowScope(); + + String loginEmail = flowScope.getRequiredString(FLOW_LOGIN_EMAIL); + String loginCustomerId = flowScope.getRequiredString(FLOW_LOGIN_CUSTOMER_ID); + String surrogateEmail = flowScope.getString(FLOW_SURROGATE_EMAIL); + String surrogateCustomerId = flowScope.getString(FLOW_SURROGATE_CUSTOMER_ID); + String ip = extractClientIp(requestContext); + + logAuthenticationAttempt(loginEmail, loginCustomerId, surrogateEmail, surrogateCustomerId, ip); + + return buildLoginRequest( + originalPassword, + loginEmail, + loginCustomerId, + surrogateEmail, + surrogateCustomerId, + ip + ); + } + + private String extractClientIp(RequestContext requestContext) { + var externalContext = requestContext.getExternalContext(); + var request = (HttpServletRequest) externalContext.getNativeRequest(); + return request.getHeader(ipHeaderName); + } + + private void logAuthenticationAttempt( + String loginEmail, + String loginCustomerId, + String surrogateEmail, + String surrogateCustomerId, + String ip + ) { + LOGGER.debug( + "Authenticating loginEmail={} loginCustomerId={} surrogateEmail={} surrogateCustomerId={} ip={}", + loginEmail, + loginCustomerId, + surrogateEmail, + surrogateCustomerId, + ip + ); + } + + private LoginRequestDto buildLoginRequest( + String password, + String loginEmail, + String loginCustomerId, + String surrogateEmail, + String surrogateCustomerId, + String ip + ) { + var login = new LoginRequestDto(); + login.setLoginEmail(loginEmail); + login.setLoginCustomerId(loginCustomerId); + login.setPassword(password); + login.setSurrogateEmail(surrogateEmail); + login.setSurrogateCustomerId(surrogateCustomerId); + login.setIp(ip); + return login; + } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolver.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolver.java index ab2a2d8138c..209b4fa2044 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolver.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolver.java @@ -36,21 +36,18 @@ */ package fr.gouv.vitamui.cas.authentication; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; -import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.cas.x509.CertificateParser; import fr.gouv.vitamui.cas.x509.X509AttributeMapping; -import fr.gouv.vitamui.commons.api.domain.ProfileDto; -import fr.gouv.vitamui.commons.api.domain.UserDto; import fr.gouv.vitamui.commons.api.enums.UserStatusEnum; import fr.gouv.vitamui.commons.api.utils.CasJsonWrapper; -import fr.gouv.vitamui.commons.security.client.dto.AuthUserDto; -import fr.gouv.vitamui.iam.client.CasRestClient; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.AuthUserDto; import lombok.RequiredArgsConstructor; -import lombok.val; +import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang.StringUtils; import org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential; import org.apereo.cas.authentication.AuthenticationHandler; @@ -68,8 +65,6 @@ import org.pac4j.core.context.session.SessionStore; import org.pac4j.core.util.CommonHelper; import org.pac4j.jee.context.JEEContext; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.util.Assert; import org.springframework.util.CollectionUtils; import org.springframework.webflow.execution.RequestContextHolder; @@ -80,11 +75,11 @@ import java.util.HashMap; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Objects; import java.util.Optional; import java.util.Set; import java.util.regex.Pattern; -import java.util.stream.Collectors; import static fr.gouv.vitamui.commons.api.CommonConstants.ADDRESS_ATTRIBUTE; import static fr.gouv.vitamui.commons.api.CommonConstants.ANALYTICS_ATTRIBUTE; @@ -127,6 +122,7 @@ /** * Resolver to retrieve the user. */ +@Slf4j @RequiredArgsConstructor public class UserPrincipalResolver implements PrincipalResolver { @@ -136,14 +132,13 @@ public class UserPrincipalResolver implements PrincipalResolver { public static final String SUPER_USER_ID_ATTRIBUTE = "superUserId"; public static final String COMPUTED_OTP = "computedOtp"; - private static final Logger LOGGER = LoggerFactory.getLogger(UserPrincipalResolver.class); public static final String PROVIDER_PROTOCOL_TYPE_CERTIFICAT = "CERTIFICAT"; - private final PrincipalFactory principalFactory; + private static final String DEFAULT_PROVIDER = ""; - private final CasRestClient casRestClient; + private final PrincipalFactory principalFactory; - private final Utils utils; + private final CasApi casApi; private final SessionStore sessionStore; @@ -161,16 +156,17 @@ public class UserPrincipalResolver implements PrincipalResolver { public Principal resolve( final Credential credential, final Optional optPrincipal, - final Optional handler + final Optional handler, + final Optional service ) { // OAuth 2 authorization code flow (client credentials authentication) if (optPrincipal.isEmpty()) { return NullPrincipal.getInstance(); } - val principal = optPrincipal.get(); - val principalId = principal.getId(); - val requestContext = RequestContextHolder.getRequestContext(); + final var principal = optPrincipal.get(); + final var principalId = principal.getId(); + final var requestContext = RequestContextHolder.getRequestContext(); final boolean subrogationCall; String loginEmail; @@ -184,7 +180,7 @@ public Principal resolve( if (credential instanceof X509CertificateCredential) { String emailFromCertificate; try { - val certificate = ((X509CertificateCredential) credential).getCertificate(); + final var certificate = ((X509CertificateCredential) credential).getCertificate(); emailFromCertificate = CertificateParser.extract(certificate, x509EmailAttributeMapping); technicalUserId = Optional.ofNullable( CertificateParser.extract(certificate, x509IdentifierAttributeMapping) @@ -199,7 +195,8 @@ public Principal resolve( String userDomain; - // If the certificate does not contain the user mail, then we use the default domain configured + // If the certificate does not contain the user mail, then we use the default + // domain configured if ( StringUtils.isBlank(emailFromCertificate) || !EMAIL_VALID_REGEXP.matcher(emailFromCertificate).matches() ) { @@ -210,16 +207,17 @@ public Principal resolve( userDomain = emailFromCertificate; } - // Certificate authn mode does not support multi-domain. Ensure a single provider matches user email. - val availableProvidersForUserDomain = identityProviderHelper.findAllProvidersByUserIdentifier( + // Certificate authn mode does not support multi-domain. Ensure a single + // provider matches user email. + final var availableProvidersForUserDomain = identityProviderHelper.findAllProvidersByUserIdentifier( providersService.getProviders(), userDomain ); - var certProviders = availableProvidersForUserDomain + final var certProviders = availableProvidersForUserDomain .stream() .filter(p -> p.getProtocoleType().equals(PROVIDER_PROTOCOL_TYPE_CERTIFICAT)) - .collect(Collectors.toList()); + .toList(); if (certProviders.isEmpty()) { LOGGER.warn( @@ -236,7 +234,7 @@ public Principal resolve( return NullPrincipal.getInstance(); } - IdentityProviderDto providerDto = certProviders.get(0); + IdentityProviderDto providerDto = certProviders.getFirst(); userProviderId = providerDto.getId(); loginCustomerId = providerDto.getCustomerId(); } else if (credential instanceof SurrogateUsernamePasswordCredential) { @@ -244,35 +242,35 @@ public Principal resolve( technicalUserId = Optional.empty(); subrogationCall = true; - loginEmail = (String) principal.getAttributes().get(Constants.FLOW_SURROGATE_EMAIL).get(0); - loginCustomerId = (String) principal.getAttributes().get(Constants.FLOW_SURROGATE_CUSTOMER_ID).get(0); - superUserEmail = (String) principal.getAttributes().get(Constants.FLOW_LOGIN_EMAIL).get(0); - superUserCustomerId = (String) principal.getAttributes().get(Constants.FLOW_LOGIN_CUSTOMER_ID).get(0); + loginEmail = (String) principal.getAttributes().get(Constants.FLOW_SURROGATE_EMAIL).getFirst(); + loginCustomerId = (String) principal.getAttributes().get(Constants.FLOW_SURROGATE_CUSTOMER_ID).getFirst(); + superUserEmail = (String) principal.getAttributes().get(Constants.FLOW_LOGIN_EMAIL).getFirst(); + superUserCustomerId = (String) principal.getAttributes().get(Constants.FLOW_LOGIN_CUSTOMER_ID).getFirst(); } else if (credential instanceof UsernamePasswordCredential) { // login/password userProviderId = null; technicalUserId = Optional.empty(); subrogationCall = false; - loginEmail = (String) principal.getAttributes().get(Constants.FLOW_LOGIN_EMAIL).get(0); - loginCustomerId = (String) principal.getAttributes().get(Constants.FLOW_LOGIN_CUSTOMER_ID).get(0); + loginEmail = (String) principal.getAttributes().get(Constants.FLOW_LOGIN_EMAIL).getFirst(); + loginCustomerId = (String) principal.getAttributes().get(Constants.FLOW_LOGIN_CUSTOMER_ID).getFirst(); superUserEmail = null; superUserCustomerId = null; } else { // authentication delegation (+ surrogation) - val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); - val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext); - val webContext = new JEEContext(request, response); - val clientCredential = (ClientCredential) credential; - val providerName = clientCredential.getClientName(); - val provider = identityProviderHelper + final var request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); + final var response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext); + final var webContext = new JEEContext(request, response); + final var clientCredential = (ClientCredential) credential; + final var providerName = clientCredential.getClientName(); + final var provider = identityProviderHelper .findByTechnicalName(providersService.getProviders(), providerName) .get(); - val mailAttribute = provider.getMailAttribute(); + final var mailAttribute = provider.getMailAttribute(); String email = principalId; if (CommonHelper.isNotBlank(mailAttribute)) { - val mails = principal.getAttributes().get(mailAttribute); - if (CollectionUtils.isEmpty(mails) || CommonHelper.isBlank((String) mails.get(0))) { + final var mails = principal.getAttributes().get(mailAttribute); + if (CollectionUtils.isEmpty(mails) || CommonHelper.isBlank((String) mails.getFirst())) { LOGGER.error( "Provider: '{}' requested specific mail attribute: '{}' for id, but attribute does not exist or has no value", providerName, @@ -280,7 +278,7 @@ public Principal resolve( ); return NullPrincipal.getInstance(); } else { - val mail = (String) mails.get(0); + final var mail = (String) mails.getFirst(); LOGGER.info( "Provider: '{}' requested specific mail attribute: '{}' for id: '{}' replaced by: '{}'", providerName, @@ -292,11 +290,11 @@ public Principal resolve( } } - val identifierAttribute = provider.getIdentifierAttribute(); + final var identifierAttribute = provider.getIdentifierAttribute(); String identifier = principalId; if (CommonHelper.isNotBlank(identifierAttribute)) { - val identifiers = principal.getAttributes().get(identifierAttribute); - if (CollectionUtils.isEmpty(identifiers) || CommonHelper.isBlank((String) identifiers.get(0))) { + final var identifiers = principal.getAttributes().get(identifierAttribute); + if (CollectionUtils.isEmpty(identifiers) || CommonHelper.isBlank((String) identifiers.getFirst())) { LOGGER.error( "Provider: '{}' requested specific identifier attribute: '{}' for id, but attribute does not exist or has no value", providerName, @@ -304,7 +302,7 @@ public Principal resolve( ); return NullPrincipal.getInstance(); } else { - val identifierAttr = (String) identifiers.get(0); + final var identifierAttr = (String) identifiers.getFirst(); LOGGER.info( "Provider: '{}' requested specific identifier attribute: '{}' for id: '{}' replaced by: '{}'", providerName, @@ -378,20 +376,25 @@ public Principal resolve( } LOGGER.debug("Computed embedded: {}", embedded); - final UserDto user = casRestClient.getUser( - utils.buildContext(loginEmail), + // FIXME: The new vitam client not allow null providerId but handles correctly empty strings... + // TODO: Need to investigate and fix this behavior + if (userProviderId == null) { + userProviderId = DEFAULT_PROVIDER; + } + + final AuthUserDto user = casApi.getUser( loginEmail, loginCustomerId, userProviderId, - technicalUserId, - Optional.of(embedded) + technicalUserId.orElse(null), + embedded ); if (user == null) { LOGGER.debug("No user resolved for: {}", loginEmail); return null; } else if (user.getStatus() != UserStatusEnum.ENABLED) { - LOGGER.debug("User cannot login: {} - User {}", loginEmail, user.toString()); + LOGGER.debug("User cannot login: {} - User {}", loginEmail, user); return null; } @@ -399,18 +402,18 @@ public Principal resolve( loginEmail = user.getEmail(); } - val attributes = new HashMap>(); + final var attributes = new HashMap>(); attributes.put(USER_ID_ATTRIBUTE, Collections.singletonList(user.getId())); attributes.put(CUSTOMER_ID_ATTRIBUTE, Collections.singletonList(user.getCustomerId())); attributes.put(EMAIL_ATTRIBUTE, Collections.singletonList(loginEmail)); attributes.put(FIRSTNAME_ATTRIBUTE, Collections.singletonList(user.getFirstname())); attributes.put(LASTNAME_ATTRIBUTE, Collections.singletonList(user.getLastname())); attributes.put(IDENTIFIER_ATTRIBUTE, Collections.singletonList(user.getIdentifier())); - val otp = user.isOtp(); + final var otp = user.isOtp(); attributes.put(OTP_ATTRIBUTE, Collections.singletonList(otp)); - val otpUsername = subrogationCall ? superUserEmail : loginEmail; - val otpCustomerId = subrogationCall ? superUserCustomerId : loginCustomerId; - val computedOtp = + final var otpUsername = subrogationCall ? superUserEmail : loginEmail; + final var otpCustomerId = subrogationCall ? superUserCustomerId : loginCustomerId; + var computedOtp = otp && identityProviderHelper.identifierMatchProviderPattern( providersService.getProviders(), @@ -433,18 +436,11 @@ public Principal resolve( attributes.put(ADDRESS_ATTRIBUTE, Collections.singletonList(new CasJsonWrapper(user.getAddress()))); attributes.put(ANALYTICS_ATTRIBUTE, Collections.singletonList(new CasJsonWrapper(user.getAnalytics()))); attributes.put(INTERNAL_CODE, Collections.singletonList(user.getInternalCode())); - UserDto superUser = null; + AuthUserDto superUser = null; if (subrogationCall) { attributes.put(SUPER_USER_ATTRIBUTE, Collections.singletonList(superUserEmail)); attributes.put(SUPER_USER_CUSTOMER_ID_ATTRIBUTE, Collections.singletonList(superUserCustomerId)); - superUser = casRestClient.getUser( - utils.buildContext(superUserEmail), - superUserEmail, - superUserCustomerId, - null, - Optional.empty(), - Optional.empty() - ); + superUser = casApi.getUser(superUserEmail, superUserCustomerId, userProviderId, null, null); if (superUser == null) { LOGGER.debug("No super user found for: {}", superUserEmail); return NullPrincipal.getInstance(); @@ -452,33 +448,26 @@ public Principal resolve( attributes.put(SUPER_USER_IDENTIFIER_ATTRIBUTE, Collections.singletonList(superUser.getIdentifier())); attributes.put(SUPER_USER_ID_ATTRIBUTE, Collections.singletonList(superUser.getId())); } - if (user instanceof AuthUserDto) { - final AuthUserDto authUser = (AuthUserDto) user; - attributes.put( - PROFILE_GROUP_ATTRIBUTE, - Collections.singletonList(new CasJsonWrapper(authUser.getProfileGroup())) - ); - attributes.put(CUSTOMER_IDENTIFIER_ATTRIBUTE, Collections.singletonList(authUser.getCustomerIdentifier())); - attributes.put( - BASIC_CUSTOMER_ATTRIBUTE, - Collections.singletonList(new CasJsonWrapper(authUser.getBasicCustomer())) - ); - attributes.put(AUTHTOKEN_ATTRIBUTE, Collections.singletonList(authUser.getAuthToken())); - attributes.put(PROOF_TENANT_ID_ATTRIBUTE, Collections.singletonList(authUser.getProofTenantIdentifier())); - attributes.put( - TENANTS_BY_APP_ATTRIBUTE, - Collections.singletonList(new CasJsonWrapper(authUser.getTenantsByApp())) - ); - attributes.put(SITE_CODE, Collections.singletonList(user.getSiteCode())); - attributes.put(CENTER_CODES, Collections.singletonList(user.getCenterCodes())); - final Set roles = new HashSet<>(); - final List profiles = authUser.getProfileGroup().getProfiles(); - profiles.forEach(profile -> profile.getRoles().forEach(role -> roles.add(role.getName()))); - attributes.put(ROLES_ATTRIBUTE, new ArrayList<>(roles)); + + if (isTrueAuthUserDtoInstance(user)) { + addAuthenticatedUserAttributes(user, attributes); + } + + Principal createdPrincipal; + try { + createdPrincipal = principalFactory.createPrincipal(user.getId(), attributes); + } catch (final Throwable e) { + LOGGER.error("Error creating principal", e); + throw new RuntimeException(e); } - val createdPrincipal = principalFactory.createPrincipal(user.getId(), attributes); if (subrogationCall) { - val createdSuperPrincipal = principalFactory.createPrincipal(superUser.getId()); + Principal createdSuperPrincipal; + try { + createdSuperPrincipal = principalFactory.createPrincipal(superUser.getId()); + } catch (final Throwable e) { + LOGGER.error("Error creating super principal", e); + throw new RuntimeException(e); + } return new SurrogatePrincipal(createdSuperPrincipal, createdPrincipal); } else { return createdPrincipal; @@ -498,4 +487,36 @@ public boolean supports(final Credential credential) { public IPersonAttributeDao getAttributeRepository() { return null; } + + private boolean isTrueAuthUserDtoInstance(AuthUserDto authUser) { + return authUser.getProfileGroup() != null; + } + + private void addAuthenticatedUserAttributes(AuthUserDto authUser, Map> attributes) { + attributes.put( + PROFILE_GROUP_ATTRIBUTE, + Collections.singletonList(new CasJsonWrapper(authUser.getProfileGroup())) + ); + attributes.put(CUSTOMER_IDENTIFIER_ATTRIBUTE, Collections.singletonList(authUser.getCustomerIdentifier())); + attributes.put( + BASIC_CUSTOMER_ATTRIBUTE, + Collections.singletonList(new CasJsonWrapper(authUser.getBasicCustomer())) + ); + attributes.put(AUTHTOKEN_ATTRIBUTE, Collections.singletonList(authUser.getAuthToken())); + attributes.put(PROOF_TENANT_ID_ATTRIBUTE, Collections.singletonList(authUser.getProofTenantIdentifier())); + attributes.put( + TENANTS_BY_APP_ATTRIBUTE, + Collections.singletonList(new CasJsonWrapper(authUser.getTenantsByApp())) + ); + attributes.put(SITE_CODE, Collections.singletonList(authUser.getSiteCode())); + attributes.put(CENTER_CODES, Collections.singletonList(authUser.getCenterCodes())); + final Set roles = new HashSet<>(); + if (authUser.getProfileGroup() != null) { + authUser + .getProfileGroup() + .getProfiles() + .forEach(profile -> profile.getRoles().forEach(role -> roles.add(role.getName()))); + } + attributes.put(ROLES_ATTRIBUTE, new ArrayList<>(roles)); + } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/AppConfig.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/AppConfig.java index d44ab228443..c4111ce5c16 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/AppConfig.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/AppConfig.java @@ -36,34 +36,50 @@ */ package fr.gouv.vitamui.cas.config; -import fr.gouv.vitamui.cas.authentication.IamSurrogateAuthenticationService; -import fr.gouv.vitamui.cas.authentication.UserAuthenticationHandler; +import fr.gouv.vitamui.cas.authentication.LoginPwdAuthenticationHandler; import fr.gouv.vitamui.cas.authentication.UserPrincipalResolver; -import fr.gouv.vitamui.cas.pm.IamPasswordManagementService; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.CustomDelegatedIdentityProviders; +import fr.gouv.vitamui.cas.delegation.ProvidersService; +import fr.gouv.vitamui.cas.password.IamPasswordManagementService; +import fr.gouv.vitamui.cas.surrogation.IamSurrogateAuthenticationService; import fr.gouv.vitamui.cas.ticket.CustomOAuth20DefaultAccessTokenFactory; import fr.gouv.vitamui.cas.ticket.DynamicTicketGrantingTicketFactory; +import fr.gouv.vitamui.cas.util.IamApiDecorator; import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.cas.x509.X509AttributeMapping; import fr.gouv.vitamui.commons.security.client.config.password.PasswordConfiguration; import fr.gouv.vitamui.commons.security.client.password.PasswordValidator; -import fr.gouv.vitamui.iam.client.CasRestClient; -import fr.gouv.vitamui.iam.client.IamRestClientFactory; -import fr.gouv.vitamui.iam.client.IdentityProviderRestClient; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; import fr.gouv.vitamui.iam.common.utils.Pac4jClientBuilder; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.CustomersApi; +import fr.gouv.vitamui.iam.openapiclient.IamApiClientsFactory; +import fr.gouv.vitamui.iam.openapiclient.IdentityProvidersApi; +import io.micrometer.observation.ObservationRegistry; +import jakarta.validation.constraints.NotNull; import lombok.SneakyThrows; -import lombok.val; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.CentralAuthenticationService; import org.apereo.cas.audit.AuditableExecution; import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer; +import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan; +import org.apereo.cas.authentication.AuthenticationSystemSupport; +import org.apereo.cas.authentication.adaptive.AdaptiveAuthenticationPolicy; +import org.apereo.cas.authentication.principal.DelegatedAuthenticationCredentialExtractor; +import org.apereo.cas.authentication.principal.DelegatedAuthenticationPreProcessor; import org.apereo.cas.authentication.principal.PrincipalFactory; import org.apereo.cas.authentication.principal.PrincipalResolver; import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService; import org.apereo.cas.configuration.CasConfigurationProperties; import org.apereo.cas.configuration.support.Beans; +import org.apereo.cas.logout.LogoutExecutionPlan; +import org.apereo.cas.logout.slo.SingleLogoutRequestExecutor; import org.apereo.cas.mfa.simple.CasSimpleMultifactorTokenCommunicationStrategy; import org.apereo.cas.mfa.simple.ticket.CasSimpleMultifactorAuthenticationTicket; +import org.apereo.cas.pac4j.client.DelegatedClientAuthenticationRequestCustomizer; +import org.apereo.cas.pac4j.client.DelegatedClientIdentityProviderRedirectionStrategy; +import org.apereo.cas.pac4j.client.DelegatedClientNameExtractor; +import org.apereo.cas.pac4j.client.DelegatedIdentityProviders; import org.apereo.cas.pm.PasswordHistoryService; import org.apereo.cas.pm.PasswordManagementService; import org.apereo.cas.services.ServicesManager; @@ -71,156 +87,69 @@ import org.apereo.cas.ticket.ExpirationPolicyBuilder; import org.apereo.cas.ticket.TicketCatalog; import org.apereo.cas.ticket.TicketDefinition; +import org.apereo.cas.ticket.TicketFactory; import org.apereo.cas.ticket.TicketGrantingTicketFactory; import org.apereo.cas.ticket.UniqueTicketIdGenerator; import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken; import org.apereo.cas.ticket.accesstoken.OAuth20AccessTokenFactory; import org.apereo.cas.ticket.accesstoken.OAuth20DefaultAccessToken; import org.apereo.cas.ticket.registry.TicketRegistry; +import org.apereo.cas.ticket.tracking.TicketTrackingPolicy; import org.apereo.cas.token.JwtBuilder; import org.apereo.cas.util.crypto.CipherExecutor; +import org.apereo.cas.util.spring.beans.BeanSupplier; +import org.apereo.cas.web.cookie.CasCookieBuilder; +import org.apereo.cas.web.flow.DelegatedClientAuthenticationConfigurationContext; +import org.apereo.cas.web.flow.DelegatedClientIdentityProviderAuthorizer; +import org.apereo.cas.web.flow.DelegatedClientIdentityProviderConfigurationPostProcessor; +import org.apereo.cas.web.flow.DelegatedClientIdentityProviderConfigurationProducer; +import org.apereo.cas.web.flow.SingleSignOnParticipationStrategy; +import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver; +import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver; +import org.apereo.cas.web.support.ArgumentExtractor; import org.pac4j.core.client.Clients; import org.pac4j.core.context.session.SessionStore; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.beans.factory.ObjectProvider; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.mongo.MongoClientSettingsBuilderCustomizer; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.boot.web.client.RestTemplateBuilder; +import org.springframework.boot.web.client.RestTemplateCustomizer; import org.springframework.boot.web.servlet.ServletContextInitializer; import org.springframework.cloud.context.config.annotation.RefreshScope; -import org.springframework.context.ApplicationEventPublisher; +import org.springframework.context.ConfigurableApplicationContext; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.ScopedProxyMode; import org.springframework.core.Ordered; +import org.springframework.data.mongodb.observability.ContextProviderFactory; +import org.springframework.data.mongodb.observability.MongoObservationCommandListener; import org.springframework.http.converter.HttpMessageConverter; import org.springframework.mail.javamail.JavaMailSender; -import javax.validation.constraints.NotNull; +import java.util.ArrayList; import java.util.EnumSet; +import java.util.List; +import java.util.Optional; +import java.util.stream.Collectors; + +import static fr.gouv.vitamui.commons.api.CommonConstants.X_ORIGIN_HEADER_EXTERNAL; +import static fr.gouv.vitamui.commons.api.CommonConstants.X_ORIGIN_HEADER_NAME; /** * Configure all beans to customize the CAS server. */ +@Slf4j @Configuration @EnableConfigurationProperties( { CasConfigurationProperties.class, IamClientConfigurationProperties.class, PasswordConfiguration.class } ) public class AppConfig extends BaseTicketCatalogConfigurer { - private static final Logger LOGGER = LoggerFactory.getLogger(AppConfig.class); - - @Autowired - private CasConfigurationProperties casProperties; - - @Autowired - @Qualifier("servicesManager") - private ServicesManager servicesManager; - - @Autowired - @Qualifier("principalFactory") - private PrincipalFactory principalFactory; - - @Autowired - private ApplicationEventPublisher eventPublisher; - - @Autowired - @Qualifier("surrogateAuthenticationService") - private SurrogateAuthenticationService surrogateAuthenticationService; - - @Autowired - private IamClientConfigurationProperties iamClientProperties; - - @Autowired - @Qualifier("registeredServiceAccessStrategyEnforcer") - private AuditableExecution registeredServiceAccessStrategyEnforcer; - - @Autowired - @Qualifier("surrogateEligibilityAuditableExecution") - private AuditableExecution surrogateEligibilityAuditableExecution; - - @Autowired - @Qualifier("ticketGrantingTicketUniqueIdGenerator") - private UniqueTicketIdGenerator ticketGrantingTicketUniqueIdGenerator; - - @Autowired - @Qualifier("accessTokenJwtBuilder") - private JwtBuilder accessTokenJwtBuilder; - - @Autowired - @Qualifier("grantingTicketExpirationPolicy") - private ObjectProvider grantingTicketExpirationPolicy; - - @Autowired - private CipherExecutor protocolTicketCipherExecutor; - - @Autowired - @Qualifier("accessTokenExpirationPolicy") - private ExpirationPolicyBuilder accessTokenExpirationPolicy; - - @Autowired - private JavaMailSender mailSender; - - @Autowired - @Qualifier("centralAuthenticationService") - private ObjectProvider centralAuthenticationService; - - @Autowired - @Qualifier("passwordManagementCipherExecutor") - private CipherExecutor passwordManagementCipherExecutor; - - @Autowired - @Qualifier("passwordHistoryService") - private PasswordHistoryService passwordHistoryService; - - @Autowired - private PasswordConfiguration passwordConfiguration; - - @Value("${cas.secret.token}") - @NotNull - private String tokenApiCas; - - @Value("${ip.header}") - private String ipHeaderName; - - @Value("${vitamui.cas.tenant.identifier}") - private Integer casTenantIdentifier; - - @Value("${vitamui.cas.identity}") - private String casIdentity; - - @Value("${theme.vitamui-logo-large:#{null}}") - private String vitamuiLogoLargePath; - - @Value("${theme.vitamui-favicon:#{null}}") - private String vitamuiFaviconPath; - - @Value("${vitamui.authn.x509.emailAttribute:}") - private String x509EmailAttribute; - - @Value("${vitamui.authn.x509.emailAttributeParsing:}") - private String x509EmailAttributeParsing; - - @Value("${vitamui.authn.x509.emailAttributeExpansion:}") - private String x509EmailAttributeExpansion; - - @Value("${vitamui.authn.x509.identifierAttribute:}") - private String x509IdentifierAttribute; - - @Value("${vitamui.authn.x509.identifierAttributeParsing:}") - private String x509IdentifierAttributeParsing; - - @Value("${vitamui.authn.x509.identifierAttributeExpansion:}") - private String x509IdentifierAttributeExpansion; - - @Value("${vitamui.authn.x509.defaultDomain:}") - private String x509DefaultDomain; - // overrides the CAS specific message converter to prevent - // the CasRestExternalClient to use the 'application/vnd.cas.services+yaml;charset=UTF-8' + // the CasRestExternalClient to use the + // 'application/vnd.cas.services+yaml;charset=UTF-8' // content type and to fail @Bean public HttpMessageConverter yamlHttpMessageConverter() { @@ -233,34 +162,43 @@ public PasswordValidator passwordValidator() { } @Bean - public UserAuthenticationHandler userAuthenticationHandler( - final IamRestClientFactory iamRestClientFactory, - final CasRestClient casRestClient + public LoginPwdAuthenticationHandler loginPwdAuthenticationHandler( + final CasApi casApi, + @Value("${ip.header}") final String ipHeaderName, + @Qualifier("principalFactory") final PrincipalFactory principalFactory, + @Qualifier("servicesManager") final ServicesManager servicesManager ) { - return new UserAuthenticationHandler(servicesManager, principalFactory, casRestClient, utils(), ipHeaderName); + return new LoginPwdAuthenticationHandler(servicesManager, principalFactory, casApi, ipHeaderName); } @Bean @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) public PrincipalResolver defaultPrincipalResolver( - final ProvidersService providersService, + @Value("${vitamui.authn.x509.emailAttribute:}") final String x509EmailAttribute, + @Value("${vitamui.authn.x509.emailAttributeParsing:}") final String x509EmailAttributeParsing, + @Value("${vitamui.authn.x509.emailAttributeExpansion:}") final String x509EmailAttributeExpansion, + @Value("${vitamui.authn.x509.identifierAttribute:}") final String x509IdentifierAttribute, + @Value("${vitamui.authn.x509.identifierAttributeParsing:}") final String x509IdentifierAttributeParsing, + @Value("${vitamui.authn.x509.identifierAttributeExpansion:}") final String x509IdentifierAttributeExpansion, + @Value("${vitamui.authn.x509.defaultDomain:}") final String x509DefaultDomain, @Qualifier("delegatedClientDistributedSessionStore") final SessionStore delegatedClientDistributedSessionStore, - final CasRestClient casRestClient + @Qualifier(PrincipalFactory.BEAN_NAME) PrincipalFactory principalFactory, + final ProvidersService providersService, + final CasApi casApi ) { - val emailMapping = new X509AttributeMapping( + final var emailMapping = new X509AttributeMapping( x509EmailAttribute, x509EmailAttributeParsing, x509EmailAttributeExpansion ); - val identifierMapping = new X509AttributeMapping( + final var identifierMapping = new X509AttributeMapping( x509IdentifierAttribute, x509IdentifierAttributeParsing, x509IdentifierAttributeExpansion ); return new UserPrincipalResolver( principalFactory, - casRestClient, - utils(), + casApi, delegatedClientDistributedSessionStore, identityProviderHelper(), providersService, @@ -272,12 +210,12 @@ public PrincipalResolver defaultPrincipalResolver( @Bean public AuthenticationEventExecutionPlanConfigurer registerInternalHandler( - final UserAuthenticationHandler userAuthenticationHandler, - @Qualifier("defaultPrincipalResolver") PrincipalResolver defaultPrincipalResolver + final LoginPwdAuthenticationHandler loginPwdAuthenticationHandler, + @Qualifier("defaultPrincipalResolver") final PrincipalResolver defaultPrincipalResolver ) { return plan -> plan.registerAuthenticationHandlerWithPrincipalResolver( - userAuthenticationHandler, + loginPwdAuthenticationHandler, defaultPrincipalResolver ); } @@ -285,7 +223,7 @@ public AuthenticationEventExecutionPlanConfigurer registerInternalHandler( @Bean @RefreshScope public PrincipalResolver surrogatePrincipalResolver( - @Qualifier("defaultPrincipalResolver") PrincipalResolver defaultPrincipalResolver + @Qualifier("defaultPrincipalResolver") final PrincipalResolver defaultPrincipalResolver ) { return defaultPrincipalResolver; } @@ -293,39 +231,83 @@ public PrincipalResolver surrogatePrincipalResolver( @Bean @RefreshScope public PrincipalResolver x509SubjectDNPrincipalResolver( - @Qualifier("defaultPrincipalResolver") PrincipalResolver defaultPrincipalResolver + @Qualifier("defaultPrincipalResolver") final PrincipalResolver defaultPrincipalResolver ) { return defaultPrincipalResolver; } + /** + * We must define our customizer to replace X_ORIGIN header from IamApiClient.java for CAS usage. + * + * @return a rest template customizer. + */ + @Bean + @Qualifier("restTemplateCustomizer") + public RestTemplateCustomizer restTemplateCustomizer() { + return restTemplate -> + restTemplate + .getInterceptors() + .add((request, body, execution) -> { + // Hack for CAS - CAS is considered as an external server requiring proper roles + request.getHeaders().set(X_ORIGIN_HEADER_NAME, X_ORIGIN_HEADER_EXTERNAL); + + LOGGER.debug("Final request URI: {}, headers: {}", request.getURI(), request.getHeaders()); + + return execution.execute(request, body); + }); + } + @Bean - public IamRestClientFactory iamRestClientFactory(final RestTemplateBuilder restTemplateBuilder) { - LOGGER.debug("Iam client factory: {}", iamClientProperties); - return new IamRestClientFactory(iamClientProperties, restTemplateBuilder); + public IamApiClientsFactory iamApiClientsFactory( + final IamClientConfigurationProperties iamClientProperties, + final RestTemplateBuilder restTemplateBuilder, + @Qualifier("restTemplateCustomizer") final RestTemplateCustomizer restTemplateCustomizer + ) { + return new IamApiClientsFactory( + iamClientProperties, + restTemplateBuilder.additionalCustomizers(restTemplateCustomizer) + ); } @Bean - public CasRestClient casRestClient(final IamRestClientFactory iamRestClientFactory) { - return iamRestClientFactory.getCasExternalRestClient(); + public IamApiDecorator iamApiDecorator(Utils utils) { + return new IamApiDecorator(utils); } @Bean - public IdentityProviderRestClient identityProviderCrudRestClient(final IamRestClientFactory iamRestClientFactory) { - return iamRestClientFactory.getIdentityProviderExternalRestClient(); + public CasApi casApi(final IamApiClientsFactory iamApiClientsFactory, final IamApiDecorator iamApiDecorator) { + return iamApiDecorator.decorate(iamApiClientsFactory.getCasApi()); } - @RefreshScope @Bean - public Clients builtClients() { + public CustomersApi customersApi( + final IamApiClientsFactory iamApiClientsFactory, + final IamApiDecorator iamApiDecorator + ) { + return iamApiDecorator.decorate(iamApiClientsFactory.getCustomersApi()); + } + + @Bean + public IdentityProvidersApi identityProvidersApi( + final IamApiClientsFactory iamApiClientsFactory, + final IamApiDecorator iamApiDecorator + ) { + return iamApiDecorator.decorate(iamApiClientsFactory.getIdentityProvidersApi()); + } + + @Bean + @RefreshScope + public Clients builtClients(final CasConfigurationProperties casProperties) { return new Clients(casProperties.getServer().getLoginUrl()); } @Bean public ProvidersService providersService( - @Qualifier("builtClients") final Clients builtClients, - final IdentityProviderRestClient identityProviderCrudRestClient + final Clients builtClients, + final IdentityProvidersApi identityProvidersApi, + final Pac4jClientBuilder pac4jClientBuilder ) { - return new ProvidersService(builtClients, identityProviderCrudRestClient, pac4jClientBuilder(), utils()); + return new ProvidersService(builtClients, identityProvidersApi, pac4jClientBuilder); } @Bean @@ -339,7 +321,13 @@ public IdentityProviderHelper identityProviderHelper() { } @Bean - public Utils utils() { + public Utils utils( + @Value("${cas_secret_token}") @NotNull final String tokenApiCas, + @Value("${vitamui.cas.tenant.identifier}") final Integer casTenantIdentifier, + @Value("${vitamui.cas.identity}") final String casIdentity, + final JavaMailSender mailSender, + final CasConfigurationProperties casProperties + ) { return new Utils( tokenApiCas, casTenantIdentifier, @@ -350,23 +338,43 @@ public Utils utils() { } @Bean - public TicketGrantingTicketFactory defaultTicketGrantingTicketFactory() { + public TicketGrantingTicketFactory defaultTicketGrantingTicketFactory( + @Qualifier(ServicesManager.BEAN_NAME) ServicesManager servicesManager, + @Qualifier( + "ticketGrantingTicketUniqueIdGenerator" + ) final UniqueTicketIdGenerator ticketGrantingTicketUniqueIdGenerator, + @Qualifier("grantingTicketExpirationPolicy") final ObjectProvider< + ExpirationPolicyBuilder + > grantingTicketExpirationPolicy, + @Qualifier("protocolTicketCipherExecutor") final CipherExecutor protocolTicketCipherExecutor, + final Utils utils + ) { return new DynamicTicketGrantingTicketFactory( ticketGrantingTicketUniqueIdGenerator, grantingTicketExpirationPolicy.getObject(), protocolTicketCipherExecutor, servicesManager, - utils() + utils ); } @Bean - @RefreshScope - public OAuth20AccessTokenFactory defaultAccessTokenFactory() { + @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) + public OAuth20AccessTokenFactory defaultAccessTokenFactory( + @Qualifier("accessTokenIdGenerator") final UniqueTicketIdGenerator accessTokenIdGenerator, + @Qualifier("accessTokenExpirationPolicy") final ExpirationPolicyBuilder accessTokenExpirationPolicy, + @Qualifier(ServicesManager.BEAN_NAME) final ServicesManager servicesManager, + @Qualifier("accessTokenJwtBuilder") final JwtBuilder accessTokenJwtBuilder, + @Qualifier( + TicketTrackingPolicy.BEAN_NAME_DESCENDANT_TICKET_TRACKING + ) final TicketTrackingPolicy descendantTicketsTrackingPolicy + ) { return new CustomOAuth20DefaultAccessTokenFactory( + accessTokenIdGenerator, accessTokenExpirationPolicy, accessTokenJwtBuilder, - servicesManager + servicesManager, + descendantTicketsTrackingPolicy ); } @@ -380,40 +388,51 @@ public void configureTicketCatalog(final TicketCatalog plan, final CasConfigurat Ordered.HIGHEST_PRECEDENCE ); metadata.getProperties().setStorageName(casProperties.getAuthn().getOauth().getAccessToken().getStorageName()); - val timeout = Beans.newDuration( + final var timeout = Beans.newDuration( casProperties.getAuthn().getOauth().getAccessToken().getMaxTimeToLiveInSeconds() ).getSeconds(); metadata.getProperties().setStorageTimeout(timeout); - metadata.getProperties().setExcludeFromCascade(casProperties.getLogout().isRemoveDescendantTickets()); + metadata.getProperties().setExcludeFromCascade(casProperties.getTicket().isTrackDescendantTickets()); registerTicketDefinition(plan, metadata); } @RefreshScope @Bean @SneakyThrows - public SurrogateAuthenticationService surrogateAuthenticationService(final CasRestClient casRestClient) { - return new IamSurrogateAuthenticationService(casRestClient, servicesManager, utils()); + public SurrogateAuthenticationService surrogateAuthenticationService( + final CasApi casApi, + @Qualifier(ServicesManager.BEAN_NAME) final ServicesManager servicesManager + ) { + return new IamSurrogateAuthenticationService(casApi, servicesManager); } - @RefreshScope + @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) @Bean public PasswordManagementService passwordChangeService( + final CasConfigurationProperties casProperties, + @Qualifier("passwordManagementCipherExecutor") final CipherExecutor passwordManagementCipherExecutor, + @Qualifier(PasswordHistoryService.BEAN_NAME) final PasswordHistoryService passwordHistoryService, final ProvidersService providersService, final TicketRegistry ticketRegistry, - final CasRestClient casRestClient + final CasApi casApi, + final IdentityProviderHelper identityProviderHelper, + final Utils utils, + final PasswordValidator passwordValidator, + @Qualifier("centralAuthenticationService") final CentralAuthenticationService centralAuthenticationService, + final PasswordConfiguration passwordConfiguration ) { return new IamPasswordManagementService( casProperties.getAuthn().getPm(), passwordManagementCipherExecutor, casProperties.getServer().getPrefix(), passwordHistoryService, - casRestClient, + casApi, providersService, - identityProviderHelper(), - centralAuthenticationService.getObject(), - utils(), + identityProviderHelper, + centralAuthenticationService, + utils, ticketRegistry, - passwordValidator(), + passwordValidator, passwordConfiguration ); } @@ -424,7 +443,7 @@ public CasSimpleMultifactorTokenCommunicationStrategy mfaSimpleMultifactorTokenC return new CasSimpleMultifactorTokenCommunicationStrategy() { @Override public EnumSet determineStrategy( - CasSimpleMultifactorAuthenticationTicket token + final CasSimpleMultifactorAuthenticationTicket token ) { return EnumSet.of(TokenSharingStrategyOptions.SMS); } @@ -432,12 +451,145 @@ public EnumSet determineStrategy( } @Bean - public ServletContextInitializer servletContextInitializer() { - return new InitContextConfiguration(vitamuiLogoLargePath, vitamuiFaviconPath); + public ServletContextInitializer servletContextInitializer( + @Value("${theme.vitamui-logo-large:#{null}}") final String vitamuiLargeLogoPath, + @Value("${theme.vitamui-favicon:#{null}}") final String vitamuiFaviconPath + ) { + return new InitContextConfiguration(vitamuiLargeLogoPath, vitamuiFaviconPath); } @Bean public ServletContextInitializer servletPasswordContextInitializer() { return new InitPasswordConstraintsConfiguration(); } + + @Bean + @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) + public AuthenticationEventExecutionPlanConfigurer passwordManagementAuthenticationExecutionPlanConfigurer() { + return plan -> {}; + } + + @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) + @Bean + public DelegatedIdentityProviders delegatedIdentityProviders(final ProvidersService providersService) { + return new CustomDelegatedIdentityProviders(providersService); + } + + @Bean + @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) + public DelegatedClientAuthenticationConfigurationContext delegatedClientAuthenticationConfigurationContext( + @Qualifier( + SingleLogoutRequestExecutor.BEAN_NAME + ) final SingleLogoutRequestExecutor defaultSingleLogoutRequestExecutor, + @Qualifier( + AuditableExecution.AUDITABLE_EXECUTION_DELEGATED_AUTHENTICATION_ACCESS + ) final AuditableExecution registeredServiceDelegatedAuthenticationPolicyAuditableEnforcer, + @Qualifier( + "serviceTicketRequestWebflowEventResolver" + ) final CasWebflowEventResolver serviceTicketRequestWebflowEventResolver, + @Qualifier( + "initialAuthenticationAttemptWebflowEventResolver" + ) final CasDelegatingWebflowEventResolver initialAuthenticationAttemptWebflowEventResolver, + @Qualifier("adaptiveAuthenticationPolicy") final AdaptiveAuthenticationPolicy adaptiveAuthenticationPolicy, + final CasConfigurationProperties casProperties, + @Qualifier(ServicesManager.BEAN_NAME) final ServicesManager servicesManager, + @Qualifier(DelegatedIdentityProviders.BEAN_NAME) final DelegatedIdentityProviders identityProviders, + @Qualifier( + DelegatedClientIdentityProviderConfigurationProducer.BEAN_NAME + ) final DelegatedClientIdentityProviderConfigurationProducer delegatedClientIdentityProviderConfigurationProducer, + @Qualifier( + "delegatedClientIdentityProviderConfigurationPostProcessor" + ) final DelegatedClientIdentityProviderConfigurationPostProcessor delegatedClientIdentityProviderConfigurationPostProcessor, + @Qualifier( + "delegatedClientDistributedSessionCookieGenerator" + ) final CasCookieBuilder delegatedClientDistributedSessionCookieGenerator, + @Qualifier( + CentralAuthenticationService.BEAN_NAME + ) final CentralAuthenticationService centralAuthenticationService, + @Qualifier( + "pac4jDelegatedClientNameExtractor" + ) final DelegatedClientNameExtractor pac4jDelegatedClientNameExtractor, + @Qualifier(AuthenticationSystemSupport.BEAN_NAME) final AuthenticationSystemSupport authenticationSystemSupport, + @Qualifier(ArgumentExtractor.BEAN_NAME) final ArgumentExtractor argumentExtractor, + @Qualifier(TicketRegistry.BEAN_NAME) final TicketRegistry ticketRegistry, + @Qualifier("delegatedClientDistributedSessionStore") final SessionStore delegatedClientDistributedSessionStore, + @Qualifier(TicketFactory.BEAN_NAME) final TicketFactory ticketFactory, + @Qualifier( + AuditableExecution.AUDITABLE_EXECUTION_REGISTERED_SERVICE_ACCESS + ) final AuditableExecution registeredServiceAccessStrategyEnforcer, + @Qualifier( + "delegatedClientIdentityProviderRedirectionStrategy" + ) final DelegatedClientIdentityProviderRedirectionStrategy delegatedClientIdentityProviderRedirectionStrategy, + @Qualifier( + SingleSignOnParticipationStrategy.BEAN_NAME + ) final SingleSignOnParticipationStrategy webflowSingleSignOnParticipationStrategy, + @Qualifier( + AuthenticationServiceSelectionPlan.BEAN_NAME + ) final AuthenticationServiceSelectionPlan authenticationRequestServiceSelectionStrategies, + @Qualifier( + "delegatedAuthenticationCookieGenerator" + ) final CasCookieBuilder delegatedAuthenticationCookieGenerator, + @Qualifier( + "delegatedAuthenticationCredentialExtractor" + ) final DelegatedAuthenticationCredentialExtractor delegatedAuthenticationCredentialExtractor, + final ConfigurableApplicationContext applicationContext, + @Qualifier(LogoutExecutionPlan.BEAN_NAME) final LogoutExecutionPlan logoutExecutionPlan, + final ObjectProvider> customizersProvider, + final List delegatedClientIdentityProviderAuthorizers + ) { + final var customizers = Optional.ofNullable(customizersProvider.getIfAvailable()) + .orElseGet(ArrayList::new) + .stream() + .filter(BeanSupplier::isNotProxy) + .collect(Collectors.toList()); + + final var authorizers = delegatedClientIdentityProviderAuthorizers; + + return DelegatedClientAuthenticationConfigurationContext.builder() + .credentialExtractor(delegatedAuthenticationCredentialExtractor) + .initialAuthenticationAttemptWebflowEventResolver(initialAuthenticationAttemptWebflowEventResolver) + .serviceTicketRequestWebflowEventResolver(serviceTicketRequestWebflowEventResolver) + .adaptiveAuthenticationPolicy(adaptiveAuthenticationPolicy) + .identityProviders(identityProviders) + .ticketRegistry(ticketRegistry) + .applicationContext(applicationContext) + .servicesManager(servicesManager) + .delegatedAuthenticationPolicyEnforcer(registeredServiceDelegatedAuthenticationPolicyAuditableEnforcer) + .authenticationSystemSupport(authenticationSystemSupport) + .casProperties(casProperties) + .centralAuthenticationService(centralAuthenticationService) + .authenticationRequestServiceSelectionStrategies(authenticationRequestServiceSelectionStrategies) + .singleSignOnParticipationStrategy(webflowSingleSignOnParticipationStrategy) + .sessionStore(delegatedClientDistributedSessionStore) + .argumentExtractor(argumentExtractor) + .ticketFactory(ticketFactory) + .delegatedClientIdentityProvidersProducer(delegatedClientIdentityProviderConfigurationProducer) + .delegatedClientIdentityProviderConfigurationPostProcessor( + delegatedClientIdentityProviderConfigurationPostProcessor + ) + .delegatedClientCookieGenerator(delegatedAuthenticationCookieGenerator) + .delegatedClientDistributedSessionCookieGenerator(delegatedClientDistributedSessionCookieGenerator) + .registeredServiceAccessStrategyEnforcer(registeredServiceAccessStrategyEnforcer) + .delegatedClientAuthenticationRequestCustomizers(customizers) + .delegatedClientNameExtractor(pac4jDelegatedClientNameExtractor) + .delegatedClientIdentityProviderAuthorizers(authorizers) + .delegatedClientIdentityProviderRedirectionStrategy(delegatedClientIdentityProviderRedirectionStrategy) + .singleLogoutRequestExecutor(defaultSingleLogoutRequestExecutor) + .logoutExecutionPlan(logoutExecutionPlan) + .build(); + } + + @Bean + @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) + public DelegatedAuthenticationPreProcessor surrogateDelegatedAuthenticationPreProcessor() { + return (principal, client, credential, service) -> principal; + } + + @Bean + MongoClientSettingsBuilderCustomizer mongoMetricsSynchronousContextProvider(ObservationRegistry registry) { + return clientSettingsBuilder -> + clientSettingsBuilder + .contextProvider(ContextProviderFactory.create(registry)) + .addCommandListener(new MongoObservationCommandListener(registry)); + } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/CustomSurrogateInitialAuthenticationAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/CustomSurrogateInitialAuthenticationAction.java index 15c22f41183..ecd22a0e0b7 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/CustomSurrogateInitialAuthenticationAction.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/CustomSurrogateInitialAuthenticationAction.java @@ -1,14 +1,12 @@ package fr.gouv.vitamui.cas.config; import fr.gouv.vitamui.cas.util.Constants; -import lombok.val; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.authentication.SurrogateUsernamePasswordCredential; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; import org.apereo.cas.web.flow.action.SurrogateInitialAuthenticationAction; import org.apereo.cas.web.flow.actions.BaseCasWebflowAction; import org.apereo.cas.web.support.WebUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.webflow.core.collection.MutableAttributeMap; import org.springframework.webflow.execution.Event; import org.springframework.webflow.execution.RequestContext; @@ -16,13 +14,12 @@ /** * CUSTO: Full rewrite of {@link SurrogateInitialAuthenticationAction} */ +@Slf4j public class CustomSurrogateInitialAuthenticationAction extends BaseCasWebflowAction { - private static final Logger LOGGER = LoggerFactory.getLogger(CustomSurrogateInitialAuthenticationAction.class); - @Override - protected Event doExecute(RequestContext context) throws Exception { - val up = WebUtils.getCredential(context, UsernamePasswordCredential.class); + protected Event doExecuteInternal(RequestContext context) { + final var up = WebUtils.getCredential(context, UsernamePasswordCredential.class); if (up == null) { LOGGER.debug( "Provided credentials cannot be found, or are already of type [{}]", @@ -31,7 +28,7 @@ protected Event doExecute(RequestContext context) throws Exception { return null; } - val flowScope = context.getFlowScope(); + final var flowScope = context.getFlowScope(); if (isSubrogationMode(flowScope)) { String surrogateEmail = (String) flowScope.get(Constants.FLOW_SURROGATE_EMAIL); String surrogateCustomerId = (String) flowScope.get(Constants.FLOW_SURROGATE_CUSTOMER_ID); diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/InitContextConfiguration.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/InitContextConfiguration.java index 8acfac0d011..cb2b4ef0e01 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/InitContextConfiguration.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/InitContextConfiguration.java @@ -37,14 +37,13 @@ package fr.gouv.vitamui.cas.config; import fr.gouv.vitamui.cas.util.Constants; +import jakarta.servlet.ServletContext; +import jakarta.servlet.ServletException; +import jakarta.xml.bind.DatatypeConverter; import lombok.RequiredArgsConstructor; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import lombok.extern.slf4j.Slf4j; import org.springframework.boot.web.servlet.ServletContextInitializer; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; -import javax.xml.bind.DatatypeConverter; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; @@ -53,17 +52,14 @@ /** * Custom context initializer to pre-fill logo and favicon. */ +@Slf4j @RequiredArgsConstructor public class InitContextConfiguration implements ServletContextInitializer { - private static final Logger LOGGER = LoggerFactory.getLogger(InitContextConfiguration.class); - private final String vitamuiLogoLargePath; private final String vitamuiFaviconPath; - private static final String VITAMUI_LOGO_LARGE = "vitamuiLogoLarge"; - @Override public void onStartup(final ServletContext servletContext) throws ServletException { if (vitamuiLogoLargePath != null) { @@ -76,7 +72,7 @@ public void onStartup(final ServletContext servletContext) throws ServletExcepti // default PNG base64Logo = "data:image/png;base64," + base64Logo; } - servletContext.setAttribute(VITAMUI_LOGO_LARGE, base64Logo); + servletContext.setAttribute(Constants.VITAMUI_LOGO_LARGE, base64Logo); } catch (final IOException e) { LOGGER.warn("Can't find vitam ui large logo", e); } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/InitPasswordConstraintsConfiguration.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/InitPasswordConstraintsConfiguration.java index 780c0b7da31..207828c8d00 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/InitPasswordConstraintsConfiguration.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/InitPasswordConstraintsConfiguration.java @@ -38,22 +38,20 @@ import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.commons.security.client.config.password.PasswordConfiguration; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import jakarta.servlet.ServletContext; +import jakarta.servlet.ServletException; +import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.web.servlet.ServletContextInitializer; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; import java.util.Objects; /** * Custom context initializer for password complexity configuration. */ +@Slf4j public class InitPasswordConstraintsConfiguration implements ServletContextInitializer { - private static final Logger LOGGER = LoggerFactory.getLogger(InitPasswordConstraintsConfiguration.class); - @Autowired private PasswordConfiguration passwordConfiguration; diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebConfig.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebConfig.java index 8a7f88fb9ef..6c10724e8d6 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebConfig.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebConfig.java @@ -36,30 +36,51 @@ */ package fr.gouv.vitamui.cas.config; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import com.fasterxml.jackson.databind.ObjectMapper; +import fr.gouv.vitamui.cas.delegation.ProvidersService; +import fr.gouv.vitamui.cas.password.CustomCasWebSecurityConfigurerAdapter; +import fr.gouv.vitamui.cas.password.ResetPasswordController; +import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.cas.web.CustomCorsProcessor; import fr.gouv.vitamui.cas.web.CustomOidcCasClientRedirectActionBuilder; +import fr.gouv.vitamui.cas.web.CustomOidcRevocationEndpointController; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; import lombok.val; import org.apereo.cas.configuration.CasConfigurationProperties; +import org.apereo.cas.notifications.CommunicationsManager; +import org.apereo.cas.oidc.OidcConfigurationContext; import org.apereo.cas.oidc.util.OidcRequestSupport; +import org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController; +import org.apereo.cas.pm.PasswordManagementService; +import org.apereo.cas.pm.PasswordResetUrlBuilder; import org.apereo.cas.services.ServicesManager; import org.apereo.cas.services.web.support.RegisteredServiceCorsConfigurationSource; import org.apereo.cas.support.oauth.web.OAuth20RequestParameterResolver; import org.apereo.cas.support.oauth.web.response.OAuth20CasClientRedirectActionBuilder; +import org.apereo.cas.web.CasWebSecurityConfigurer; import org.apereo.cas.web.support.ArgumentExtractor; import org.pac4j.cas.client.CasClient; import org.pac4j.core.client.Client; +import org.springframework.beans.factory.ObjectProvider; import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties; +import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints; +import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.cloud.context.config.annotation.RefreshScope; import org.springframework.context.ConfigurableApplicationContext; +import org.springframework.context.HierarchicalMessageSource; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.ScopedProxyMode; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; +import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.filter.CorsFilter; +import java.util.List; + /** * Web customizations. */ @@ -75,9 +96,12 @@ public OAuth20CasClientRedirectActionBuilder oidcCasClientRedirectActionBuilder( @Qualifier("oidcRequestSupport") final OidcRequestSupport oidcRequestSupport, @Qualifier("oauthCasClient") final Client oauthCasClient ) { - val builder = new CustomOidcCasClientRedirectActionBuilder(oidcRequestSupport, oauthRequestParameterResolver); - val casClient = (CasClient) oauthCasClient; - casClient.setRedirectionActionBuilder((webContext, sessionStore) -> builder.build(casClient, webContext)); + final var builder = new CustomOidcCasClientRedirectActionBuilder( + oidcRequestSupport, + oauthRequestParameterResolver + ); + final var casClient = (CasClient) oauthCasClient; + casClient.setRedirectionActionBuilder(callContext -> builder.build(casClient, callContext.webContext())); return builder; } @@ -94,7 +118,7 @@ public CorsConfigurationSource corsHttpWebRequestConfigurationSource( @Bean @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - public FilterRegistrationBean casCorsFilter( + public CorsFilter corsFilter( final CasConfigurationProperties casProperties, @Qualifier( "corsHttpWebRequestConfigurationSource" @@ -102,14 +126,80 @@ public FilterRegistrationBean casCorsFilter( final IdentityProviderHelper identityProviderHelper, final ProvidersService providersService ) { - val filter = new CorsFilter(corsHttpWebRequestConfigurationSource); - // CUSTO: + final var filter = new CorsFilter(corsHttpWebRequestConfigurationSource); filter.setCorsProcessor(new CustomCorsProcessor(providersService, identityProviderHelper)); - val bean = new FilterRegistrationBean<>(filter); - bean.setName("casCorsFilter"); - bean.setAsyncSupported(true); - bean.setOrder(0); - bean.setEnabled(casProperties.getHttpWebRequest().getCors().isEnabled()); - return bean; + return filter; + } + + @Bean + public ResetPasswordController resetPasswordController( + @Qualifier(PasswordResetUrlBuilder.BEAN_NAME) final PasswordResetUrlBuilder passwordResetUrlBuilder, + @Qualifier(CommunicationsManager.BEAN_NAME) final CommunicationsManager communicationsManager, + @Qualifier( + PasswordManagementService.DEFAULT_BEAN_NAME + ) final PasswordManagementService passwordManagementService, + @Qualifier("messageSource") final HierarchicalMessageSource messageSource, + final CasConfigurationProperties casProperties, + final IdentityProviderHelper identityProviderHelper, + final ProvidersService providersService, + final Utils utils + ) { + return new ResetPasswordController( + casProperties, + passwordManagementService, + communicationsManager, + messageSource, + utils, + passwordResetUrlBuilder, + identityProviderHelper, + providersService, + new ObjectMapper() + ); + } + + @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) + @Bean + public OidcRevocationEndpointController oidcRevocationEndpointController( + @Qualifier(OidcConfigurationContext.BEAN_NAME) final OidcConfigurationContext oidcConfigurationContext + ) { + return new CustomOidcRevocationEndpointController(oidcConfigurationContext); + } + + @Bean + public WebSecurityCustomizer casWebSecurityCustomizer( + @Qualifier("securityContextRepository") final SecurityContextRepository securityContextRepository, + final ObjectProvider pathMappedEndpoints, + final List configurersList, + final WebEndpointProperties webEndpointProperties, + final CasConfigurationProperties casProperties + ) { + val adapter = new CustomCasWebSecurityConfigurerAdapter( + casProperties, + webEndpointProperties, + pathMappedEndpoints, + configurersList, + securityContextRepository + ); + return adapter::configureWebSecurity; + } + + @Bean + public SecurityFilterChain casWebSecurityConfigurerAdapter( + @Qualifier("securityContextRepository") final SecurityContextRepository securityContextRepository, + final HttpSecurity http, + final ObjectProvider pathMappedEndpoints, + final List configurersList, + final WebEndpointProperties webEndpointProperties, + final SecurityProperties securityProperties, + final CasConfigurationProperties casProperties + ) throws Exception { + val adapter = new CustomCasWebSecurityConfigurerAdapter( + casProperties, + webEndpointProperties, + pathMappedEndpoints, + configurersList, + securityContextRepository + ); + return adapter.configureHttpSecurity(http).build(); } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java index 9e3c5214dc9..bd0c06f88e1 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java @@ -36,30 +36,30 @@ */ package fr.gouv.vitamui.cas.config; -import com.fasterxml.jackson.databind.ObjectMapper; -import fr.gouv.vitamui.cas.pm.PmTransientSessionTicketExpirationPolicyBuilder; -import fr.gouv.vitamui.cas.pm.ResetPasswordController; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.ProvidersService; +import fr.gouv.vitamui.cas.logout.CustomDelegatedAuthenticationClientLogoutAction; +import fr.gouv.vitamui.cas.logout.TerminateApiSessionAction; +import fr.gouv.vitamui.cas.password.PmTransientSessionTicketExpirationPolicyBuilder; import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.cas.web.CustomOidcRevocationEndpointController; -import fr.gouv.vitamui.cas.webflow.actions.CheckMfaTokenAction; -import fr.gouv.vitamui.cas.webflow.actions.CustomDelegatedAuthenticationClientLogoutAction; -import fr.gouv.vitamui.cas.webflow.actions.CustomDelegatedClientAuthenticationAction; -import fr.gouv.vitamui.cas.webflow.actions.CustomSendTokenAction; -import fr.gouv.vitamui.cas.webflow.actions.CustomerSelectedAction; -import fr.gouv.vitamui.cas.webflow.actions.DispatcherAction; -import fr.gouv.vitamui.cas.webflow.actions.GeneralTerminateSessionAction; -import fr.gouv.vitamui.cas.webflow.actions.I18NSendPasswordResetInstructionsAction; -import fr.gouv.vitamui.cas.webflow.actions.ListCustomersAction; -import fr.gouv.vitamui.cas.webflow.actions.TriggerChangePasswordAction; -import fr.gouv.vitamui.cas.webflow.configurer.CustomCasSimpleMultifactorWebflowConfigurer; -import fr.gouv.vitamui.cas.webflow.configurer.CustomLoginWebflowConfigurer; -import fr.gouv.vitamui.cas.webflow.resolver.CustomCasDelegatingWebflowEventResolver; +import fr.gouv.vitamui.cas.webflow.login.VitamLoginWebflowConfigurer; +import fr.gouv.vitamui.cas.webflow.login.actions.CheckSubrogationAction; +import fr.gouv.vitamui.cas.webflow.login.actions.CustomDelegatedClientAuthenticationAction; +import fr.gouv.vitamui.cas.webflow.login.actions.CustomerSelectedAction; +import fr.gouv.vitamui.cas.webflow.login.actions.DispatcherAction; +import fr.gouv.vitamui.cas.webflow.login.actions.I18NSendPasswordResetInstructionsAction; +import fr.gouv.vitamui.cas.webflow.login.actions.ListCustomersAction; +import fr.gouv.vitamui.cas.webflow.login.actions.TriggerChangePasswordAction; +import fr.gouv.vitamui.cas.webflow.mfa.VitamMfaWebflowConfigurer; +import fr.gouv.vitamui.cas.webflow.mfa.actions.CheckMfaTokenAction; +import fr.gouv.vitamui.cas.webflow.mfa.actions.CustomSendTokenAction; import fr.gouv.vitamui.cas.x509.CustomRequestHeaderX509CertificateExtractor; -import fr.gouv.vitamui.iam.client.CasRestClient; +import fr.gouv.vitamui.cas.x509.X509CasDelegatingWebflowEventResolver; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; +import fr.gouv.vitamui.iam.openapiclient.CasApi; import lombok.val; import org.apereo.cas.CentralAuthenticationService; +import org.apereo.cas.authentication.AuthenticationSystemSupport; +import org.apereo.cas.authentication.MultifactorAuthenticationProviderSelector; import org.apereo.cas.authentication.adaptive.AdaptiveAuthenticationPolicy; import org.apereo.cas.authentication.principal.PrincipalResolver; import org.apereo.cas.bucket4j.consumer.BucketConsumer; @@ -67,17 +67,13 @@ import org.apereo.cas.logout.LogoutManager; import org.apereo.cas.logout.slo.SingleLogoutRequestExecutor; import org.apereo.cas.mfa.simple.CasSimpleMultifactorTokenCommunicationStrategy; -import org.apereo.cas.mfa.simple.ticket.CasSimpleMultifactorAuthenticationTicketFactory; import org.apereo.cas.mfa.simple.validation.CasSimpleMultifactorAuthenticationService; import org.apereo.cas.notifications.CommunicationsManager; -import org.apereo.cas.oidc.OidcConfigurationContext; -import org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController; import org.apereo.cas.pac4j.client.DelegatedClientAuthenticationFailureEvaluator; +import org.apereo.cas.pac4j.client.DelegatedIdentityProviders; import org.apereo.cas.pm.PasswordManagementService; import org.apereo.cas.pm.PasswordResetUrlBuilder; import org.apereo.cas.services.ServicesManager; -import org.apereo.cas.ticket.ServiceTicketSessionTrackingPolicy; -import org.apereo.cas.ticket.TicketFactory; import org.apereo.cas.ticket.TransientSessionTicket; import org.apereo.cas.ticket.factory.DefaultTicketFactory; import org.apereo.cas.ticket.factory.DefaultTransientSessionTicketFactory; @@ -98,10 +94,8 @@ import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver; import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext; import org.apereo.cas.web.flow.util.MultifactorAuthenticationWebflowUtils; -import org.pac4j.core.client.Clients; import org.pac4j.core.context.session.SessionStore; import org.springframework.beans.factory.ObjectProvider; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; @@ -124,103 +118,13 @@ @Configuration public class WebflowConfig { - @Autowired - private CasConfigurationProperties casProperties; - - @Autowired - private ProvidersService providersService; - - @Autowired - private IdentityProviderHelper identityProviderHelper; - - @Autowired - private FlowBuilderServices flowBuilderServices; - - @Autowired - @Qualifier("logoutFlowRegistry") - private FlowDefinitionRegistry logoutFlowDefinitionRegistry; - - @Autowired - @Qualifier("loginFlowRegistry") - private FlowDefinitionRegistry loginFlowDefinitionRegistry; - - @Autowired - private ConfigurableApplicationContext applicationContext; - - @Autowired - private CasRestClient casRestClient; - - @Autowired - private TicketRegistry ticketRegistry; - - @Autowired - @Qualifier("centralAuthenticationService") - private ObjectProvider centralAuthenticationService; - - @Autowired - @Qualifier("delegatedClientDistributedSessionStore") - private ObjectProvider delegatedClientDistributedSessionStore; - - @Autowired - private Utils utils; - - @Autowired - private TicketRegistrySupport ticketRegistrySupport; - - @Autowired - @Qualifier("messageSource") - private HierarchicalMessageSource messageSource; - - @Autowired - @Qualifier("casSimpleMultifactorAuthenticationTicketFactory") - private CasSimpleMultifactorAuthenticationTicketFactory casSimpleMultifactorAuthenticationTicketFactory; - - @Autowired - private LogoutManager logoutManager; - - @Autowired - @Qualifier("mfaSimpleMultifactorTokenCommunicationStrategy") - private CasSimpleMultifactorTokenCommunicationStrategy mfaSimpleMultifactorTokenCommunicationStrategy; - - @Autowired - @Qualifier("mfaSimpleAuthenticatorFlowRegistry") - private FlowDefinitionRegistry mfaSimpleAuthenticatorFlowRegistry; - - @Autowired - @Qualifier("servicesManager") - private ServicesManager servicesManager; - - @Autowired - @Qualifier("frontChannelLogoutAction") - private Action frontChannelLogoutAction; - - @Autowired - @Qualifier("adaptiveAuthenticationPolicy") - private ObjectProvider adaptiveAuthenticationPolicy; - - @Autowired - @Qualifier("serviceTicketRequestWebflowEventResolver") - private ObjectProvider serviceTicketRequestWebflowEventResolver; - - @Autowired - @Qualifier("initialAuthenticationAttemptWebflowEventResolver") - private ObjectProvider initialAuthenticationAttemptWebflowEventResolver; - - @Value("${vitamui.portal.url}") - private String vitamuiPortalUrl; - - @Value("${theme.vitamui-platform-name:VITAM-UI}") - private String vitamuiPlatformName; - - @Value("${vitamui.authn.x509.enabled:false}") - private boolean x509AuthnEnabled; - - @Value("${vitamui.authn.x509.mandatory:false}") - private boolean x509AuthnMandatory; - @Bean - public ListCustomersAction listCustomersAction() { - return new ListCustomersAction(providersService, identityProviderHelper, casRestClient, utils); + public ListCustomersAction listCustomersAction( + ProvidersService providersService, + IdentityProviderHelper identityProviderHelper, + CasApi casApi + ) { + return new ListCustomersAction(providersService, identityProviderHelper, casApi); } @Bean @@ -229,26 +133,44 @@ public CustomerSelectedAction customerSelectedAction() { } @Bean - public DispatcherAction dispatcherAction() { + public DispatcherAction dispatcherAction( + ProvidersService providersService, + IdentityProviderHelper identityProviderHelper, + CasApi casApi, + Utils utils, + @Qualifier("delegatedClientDistributedSessionStore") ObjectProvider< + SessionStore + > delegatedClientDistributedSessionStore + ) { return new DispatcherAction( providersService, identityProviderHelper, - casRestClient, + casApi, utils, delegatedClientDistributedSessionStore.getObject() ); } @Bean - public DefaultTransientSessionTicketFactory pmTicketFactory() { + public DefaultTransientSessionTicketFactory pmTicketFactory(final CasConfigurationProperties casProperties) { return new DefaultTransientSessionTicketFactory( new PmTransientSessionTicketExpirationPolicyBuilder(casProperties) ); } + @Bean + public Action checkSubrogationAction(final CasApi casApi) { + return new CheckSubrogationAction(casApi); + } + @Bean @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) public Action sendPasswordResetInstructionsAction( + @Qualifier(AuthenticationSystemSupport.BEAN_NAME) final AuthenticationSystemSupport authenticationSystemSupport, + @Qualifier( + MultifactorAuthenticationProviderSelector.BEAN_NAME + ) final MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector, + final ConfigurableApplicationContext applicationContext, final CasConfigurationProperties casProperties, @Qualifier( PasswordManagementService.DEFAULT_BEAN_NAME @@ -256,11 +178,15 @@ public Action sendPasswordResetInstructionsAction( @Qualifier(TicketRegistry.BEAN_NAME) final TicketRegistry ticketRegistry, @Qualifier(PrincipalResolver.BEAN_NAME_PRINCIPAL_RESOLVER) final PrincipalResolver defaultPrincipalResolver, @Qualifier(CommunicationsManager.BEAN_NAME) final CommunicationsManager communicationsManager, - @Qualifier(TicketFactory.BEAN_NAME) final TicketFactory ticketFactory, - @Qualifier(PasswordResetUrlBuilder.BEAN_NAME) final PasswordResetUrlBuilder passwordResetUrlBuilder + @Qualifier(PasswordResetUrlBuilder.BEAN_NAME) final PasswordResetUrlBuilder passwordResetUrlBuilder, + final ProvidersService providersService, + final IdentityProviderHelper identityProviderHelper, + final Utils utils, + @Qualifier("messageSource") final HierarchicalMessageSource messageSource, + @Value("${theme.vitamui-platform-name:VITAM-UI}") final String vitamuiPlatformName ) { - val pmTicketFactory = new DefaultTicketFactory(); - pmTicketFactory.addTicketFactory(TransientSessionTicket.class, pmTicketFactory()); + final var pmTicketFactory = new DefaultTicketFactory(); + pmTicketFactory.addTicketFactory(TransientSessionTicket.class, pmTicketFactory(casProperties)); return new I18NSendPasswordResetInstructionsAction( casProperties, @@ -270,6 +196,9 @@ public Action sendPasswordResetInstructionsAction( pmTicketFactory, defaultPrincipalResolver, passwordResetUrlBuilder, + multifactorAuthenticationProviderSelector, + authenticationSystemSupport, + applicationContext, messageSource, providersService, identityProviderHelper, @@ -279,7 +208,10 @@ public Action sendPasswordResetInstructionsAction( } @Bean - public TriggerChangePasswordAction triggerChangePasswordAction() { + public TriggerChangePasswordAction triggerChangePasswordAction( + TicketRegistrySupport ticketRegistrySupport, + Utils utils + ) { return new TriggerChangePasswordAction(ticketRegistrySupport, utils); } @@ -297,14 +229,14 @@ public CasWebflowConfigurer defaultWebflowConfigurer( ) final FlowDefinitionRegistry logoutFlowRegistry, @Qualifier(CasWebflowConstants.BEAN_NAME_FLOW_BUILDER_SERVICES) final FlowBuilderServices flowBuilderServices ) { - val c = new CustomLoginWebflowConfigurer( + final var c = new VitamLoginWebflowConfigurer( flowBuilderServices, loginFlowRegistry, applicationContext, casProperties ); c.setLogoutFlowDefinitionRegistry(logoutFlowRegistry); - c.setOrder(Ordered.HIGHEST_PRECEDENCE); + c.setOrder(10); return c; } @@ -317,11 +249,18 @@ public Action delegatedAuthenticationAction( DelegatedClientAuthenticationFailureEvaluator.BEAN_NAME ) final DelegatedClientAuthenticationFailureEvaluator delegatedClientAuthenticationFailureEvaluator, @Qualifier( - DelegatedClientAuthenticationConfigurationContext.DEFAULT_BEAN_NAME + DelegatedClientAuthenticationConfigurationContext.BEAN_NAME ) final DelegatedClientAuthenticationConfigurationContext delegatedClientAuthenticationConfigurationContext, @Qualifier( DelegatedClientAuthenticationWebflowManager.DEFAULT_BEAN_NAME - ) final DelegatedClientAuthenticationWebflowManager delegatedClientWebflowManager + ) final DelegatedClientAuthenticationWebflowManager delegatedClientWebflowManager, + final ProvidersService providersService, + final IdentityProviderHelper identityProviderHelper, + final TicketRegistry ticketRegistry, + final CasApi casApi, + final Utils utils, + @Value("${vitamui.portal.url}") final String vitamuiPortalUrl + // ,@Value("${cas.authn.surrogate.separator}") final String surrogationSeparator ) { return WebflowActionBeanSupplier.builder() .withApplicationContext(applicationContext) @@ -336,7 +275,7 @@ public Action delegatedAuthenticationAction( providersService, utils, ticketRegistry, - casRestClient, + casApi, vitamuiPortalUrl ) ) @@ -358,33 +297,34 @@ public Action terminateSessionAction( @Qualifier( CentralAuthenticationService.BEAN_NAME ) final CentralAuthenticationService centralAuthenticationService, + final Utils utils, + final CasApi casApi, + final ServicesManager servicesManager, + final TicketRegistry ticketRegistry, + @Qualifier(CasWebflowConstants.ACTION_ID_FRONT_CHANNEL_LOGOUT) final Action frontChannelLogoutAction, @Qualifier( SingleLogoutRequestExecutor.BEAN_NAME - ) final SingleLogoutRequestExecutor defaultSingleLogoutRequestExecutor, - @Qualifier( - ServiceTicketSessionTrackingPolicy.BEAN_NAME - ) final ServiceTicketSessionTrackingPolicy serviceTicketSessionTrackingPolicy + ) final SingleLogoutRequestExecutor defaultSingleLogoutRequestExecutor ) { return WebflowActionBeanSupplier.builder() .withApplicationContext(applicationContext) .withProperties(casProperties) .withAction( () -> - new GeneralTerminateSessionAction( + new TerminateApiSessionAction( centralAuthenticationService, ticketGrantingTicketCookieGenerator, warnCookieGenerator, casProperties.getLogout(), logoutManager, applicationContext, - defaultSingleLogoutRequestExecutor, utils, - casRestClient, + casApi, servicesManager, casProperties, frontChannelLogoutAction, ticketRegistry, - serviceTicketSessionTrackingPolicy + defaultSingleLogoutRequestExecutor ) ) .withId(CasWebflowConstants.ACTION_ID_TERMINATE_SESSION) @@ -392,29 +332,6 @@ public Action terminateSessionAction( .get(); } - @Bean - public ResetPasswordController resetPasswordController( - @Qualifier(PasswordResetUrlBuilder.BEAN_NAME) final PasswordResetUrlBuilder passwordResetUrlBuilder, - final IdentityProviderHelper identityProviderHelper, - final ProvidersService providersService, - @Qualifier(CommunicationsManager.BEAN_NAME) final CommunicationsManager communicationsManager, - @Qualifier( - PasswordManagementService.DEFAULT_BEAN_NAME - ) final PasswordManagementService passwordManagementService - ) { - return new ResetPasswordController( - casProperties, - passwordManagementService, - communicationsManager, - messageSource, - utils, - passwordResetUrlBuilder, - identityProviderHelper, - providersService, - new ObjectMapper() - ); - } - @Bean public Action loadSurrogatesListAction() { return StaticEventExecutionAction.SUCCESS; @@ -430,15 +347,16 @@ public Action mfaSimpleMultifactorSendTokenAction( @Qualifier( "mfaSimpleMultifactorTokenCommunicationStrategy" ) final CasSimpleMultifactorTokenCommunicationStrategy mfaSimpleMultifactorTokenCommunicationStrategy, - final CasConfigurationProperties casProperties, @Qualifier(CommunicationsManager.BEAN_NAME) final CommunicationsManager communicationsManager, - @Qualifier("mfaSimpleMultifactorBucketConsumer") final BucketConsumer mfaSimpleMultifactorBucketConsumer + @Qualifier("mfaSimpleMultifactorBucketConsumer") final BucketConsumer mfaSimpleMultifactorBucketConsumer, + final CasConfigurationProperties casProperties, + final Utils utils ) { return WebflowActionBeanSupplier.builder() .withApplicationContext(applicationContext) .withProperties(casProperties) .withAction(() -> { - val simple = casProperties.getAuthn().getMfa().getSimple(); + var simple = casProperties.getAuthn().getMfa().getSimple(); return new CustomSendTokenAction( communicationsManager, casSimpleMultifactorAuthenticationService, @@ -455,10 +373,21 @@ public Action mfaSimpleMultifactorSendTokenAction( @Bean @DependsOn("defaultWebflowConfigurer") - public CasWebflowConfigurer mfaSimpleMultifactorWebflowConfigurer() { - val cfg = new CustomCasSimpleMultifactorWebflowConfigurer( + @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) + public CasWebflowConfigurer mfaSimpleMultifactorWebflowConfigurer( + @Qualifier( + "mfaSimpleAuthenticatorFlowRegistry" + ) final FlowDefinitionRegistry mfaSimpleAuthenticatorFlowRegistry, + @Qualifier( + CasWebflowConstants.BEAN_NAME_LOGIN_FLOW_DEFINITION_REGISTRY + ) final FlowDefinitionRegistry loginFlowRegistry, + @Qualifier(CasWebflowConstants.BEAN_NAME_FLOW_BUILDER_SERVICES) final FlowBuilderServices flowBuilderServices, + final CasConfigurationProperties casProperties, + final ConfigurableApplicationContext applicationContext + ) { + final var cfg = new VitamMfaWebflowConfigurer( flowBuilderServices, - loginFlowDefinitionRegistry, + loginFlowRegistry, mfaSimpleAuthenticatorFlowRegistry, applicationContext, casProperties, @@ -469,7 +398,7 @@ public CasWebflowConfigurer mfaSimpleMultifactorWebflowConfigurer() { } @Bean - public Action checkMfaTokenAction() { + public Action checkMfaTokenAction(final TicketRegistry ticketRegistry) { return new CheckMfaTokenAction(ticketRegistry); } @@ -478,10 +407,10 @@ public Action checkMfaTokenAction() { public Action delegatedAuthenticationClientLogoutAction( final CasConfigurationProperties casProperties, final ConfigurableApplicationContext applicationContext, - @Qualifier("builtClients") final Clients builtClients, + @Qualifier(DelegatedIdentityProviders.BEAN_NAME) final DelegatedIdentityProviders identityProviders, @Qualifier("delegatedClientDistributedSessionStore") final SessionStore delegatedClientDistributedSessionStore, - final IdentityProviderHelper identityProviderHelper, - final ProvidersService providersService + final ProvidersService providersService, + final IdentityProviderHelper identityProviderHelper ) { return BeanSupplier.of(Action.class) .when( @@ -498,7 +427,7 @@ public Action delegatedAuthenticationClientLogoutAction( .withAction( () -> new CustomDelegatedAuthenticationClientLogoutAction( - builtClients, + identityProviders, delegatedClientDistributedSessionStore, providersService, identityProviderHelper @@ -514,7 +443,18 @@ public Action delegatedAuthenticationClientLogoutAction( @Bean @RefreshScope - public Action x509Check() { + public Action x509Check( + final CasConfigurationProperties casProperties, + @Qualifier("adaptiveAuthenticationPolicy") final AdaptiveAuthenticationPolicy adaptiveAuthenticationPolicy, + @Qualifier( + "serviceTicketRequestWebflowEventResolver" + ) final CasWebflowEventResolver serviceTicketRequestWebflowEventResolver, + @Qualifier( + "initialAuthenticationAttemptWebflowEventResolver" + ) final CasDelegatingWebflowEventResolver initialAuthenticationAttemptWebflowEventResolver, + @Value("${vitamui.authn.x509.enabled:false}") final boolean x509AuthnEnabled, + @Value("${vitamui.authn.x509.mandatory:false}") final boolean x509AuthnMandatory + ) { if (x509AuthnEnabled) { val sslHeaderName = casProperties.getAuthn().getX509().getSslHeaderName(); val certificateExtractor = new CustomRequestHeaderX509CertificateExtractor( @@ -523,9 +463,9 @@ public Action x509Check() { ); return new X509CertificateCredentialsRequestHeaderAction( - initialAuthenticationAttemptWebflowEventResolver.getObject(), - serviceTicketRequestWebflowEventResolver.getObject(), - adaptiveAuthenticationPolicy.getObject(), + initialAuthenticationAttemptWebflowEventResolver, + serviceTicketRequestWebflowEventResolver, + adaptiveAuthenticationPolicy, certificateExtractor, casProperties ); @@ -558,9 +498,9 @@ public CasDelegatingWebflowEventResolver initialAuthenticationAttemptWebflowEven @Qualifier( "restEndpointAuthenticationPolicyWebflowEventResolver" ) final CasWebflowEventResolver restEndpointAuthenticationPolicyWebflowEventResolver, - @Qualifier( - "groovyScriptAuthenticationPolicyWebflowEventResolver" - ) final CasWebflowEventResolver groovyScriptAuthenticationPolicyWebflowEventResolver, + @Qualifier("groovyScriptAuthenticationPolicyWebflowEventResolver") final ObjectProvider< + CasWebflowEventResolver + > groovyScriptAuthenticationPolicyWebflowEventResolver, @Qualifier( "scriptedRegisteredServiceAuthenticationPolicyWebflowEventResolver" ) final CasWebflowEventResolver scriptedRegisteredServiceAuthenticationPolicyWebflowEventResolver, @@ -578,9 +518,10 @@ public CasDelegatingWebflowEventResolver initialAuthenticationAttemptWebflowEven ) final CasWebflowEventResolver authenticationAttributeAuthenticationPolicyWebflowEventResolver, @Qualifier( "registeredServiceAuthenticationPolicyWebflowEventResolver" - ) final CasWebflowEventResolver registeredServiceAuthenticationPolicyWebflowEventResolver + ) final CasWebflowEventResolver registeredServiceAuthenticationPolicyWebflowEventResolver, + @Value("${vitamui.authn.x509.mandatory:false}") final boolean x509AuthnMandatory ) { - val resolver = new CustomCasDelegatingWebflowEventResolver( + final var resolver = new X509CasDelegatingWebflowEventResolver( casWebflowConfigurationContext, selectiveAuthenticationProviderWebflowEventResolver, x509AuthnMandatory @@ -590,7 +531,7 @@ public CasDelegatingWebflowEventResolver initialAuthenticationAttemptWebflowEven resolver.addDelegate(globalAuthenticationPolicyWebflowEventResolver); resolver.addDelegate(httpRequestAuthenticationPolicyWebflowEventResolver); resolver.addDelegate(restEndpointAuthenticationPolicyWebflowEventResolver); - resolver.addDelegate(groovyScriptAuthenticationPolicyWebflowEventResolver); + groovyScriptAuthenticationPolicyWebflowEventResolver.ifAvailable(resolver::addDelegate); resolver.addDelegate(scriptedRegisteredServiceAuthenticationPolicyWebflowEventResolver); resolver.addDelegate(registeredServicePrincipalAttributeAuthenticationPolicyWebflowEventResolver); resolver.addDelegate(predicatedPrincipalAttributeMultifactorAuthenticationPolicyEventResolver); @@ -600,18 +541,10 @@ public CasDelegatingWebflowEventResolver initialAuthenticationAttemptWebflowEven return resolver; } - @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - @Bean - public OidcRevocationEndpointController oidcRevocationEndpointController( - @Qualifier(OidcConfigurationContext.BEAN_NAME) final OidcConfigurationContext oidcConfigurationContext - ) { - return new CustomOidcRevocationEndpointController(oidcConfigurationContext); - } - @Bean @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) @ConditionalOnMissingBean(name = CasWebflowConstants.ACTION_ID_SURROGATE_INITIAL_AUTHENTICATION) - public Action surrogateInitialAuthenticationAction(final CasConfigurationProperties casProperties) { + public Action surrogateInitialAuthenticationAction() { return new CustomSurrogateInitialAuthenticationAction(); } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/CustomDelegatedIdentityProviders.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/CustomDelegatedIdentityProviders.java new file mode 100644 index 00000000000..b6dcaedad43 --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/CustomDelegatedIdentityProviders.java @@ -0,0 +1,55 @@ +/** + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) and the signatories + * of the "VITAM - Accord du Contributeur" agreement. + * + *

contact@programmevitam.fr + * + *

This software is a computer program whose purpose is to implement implement a digital + * archiving front-office system for the secure and efficient high volumetry VITAM solution. + * + *

This software is governed by the CeCILL-C license under French law and abiding by the rules of + * distribution of free software. You can use, modify and/ or redistribute the software under the + * terms of the CeCILL-C license as circulated by CEA, CNRS and INRIA at the following URL + * "http://www.cecill.info". + * + *

As a counterpart to the access to the source code and rights to copy, modify and redistribute + * granted by the license, users are provided only with a limited warranty and the software's + * author, the holder of the economic rights, and the successive licensors have only limited + * liability. + * + *

In this respect, the user's attention is drawn to the risks associated with loading, using, + * modifying and/or developing or reproducing the software by the user in light of its specific + * status of free software, that may mean that it is complicated to manipulate, and that also + * therefore means that it is reserved for developers and experienced professionals having in-depth + * computer knowledge. Users are therefore encouraged to load and test the software's suitability as + * regards their requirements in conditions enabling the security of their systems and/or data to be + * ensured and, more generally, to use and operate it in the same conditions as regards security. + * + *

The fact that you are presently reading this means that you have had knowledge of the CeCILL-C + * license and that you accept its terms. + */ +package fr.gouv.vitamui.cas.delegation; + +import lombok.RequiredArgsConstructor; +import org.apereo.cas.pac4j.client.DelegatedIdentityProviders; +import org.pac4j.core.client.Client; + +import java.util.List; +import java.util.Optional; + +/** Wrapper of the ProvidersService for the CAS DelegatedIdentityProviders */ +@RequiredArgsConstructor +public class CustomDelegatedIdentityProviders implements DelegatedIdentityProviders { + + private final ProvidersService providerService; + + @Override + public List findAllClients() { + return providerService.getClients().findAllClients(); + } + + @Override + public Optional findClient(final String name) { + return providerService.getClients().findClient(name); + } +} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/provider/Pac4jClientIdentityProviderDto.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/Pac4jClientIdentityProviderDto.java similarity index 99% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/provider/Pac4jClientIdentityProviderDto.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/Pac4jClientIdentityProviderDto.java index 04b2908fe36..469e0590a71 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/provider/Pac4jClientIdentityProviderDto.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/Pac4jClientIdentityProviderDto.java @@ -34,7 +34,7 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.provider; +package fr.gouv.vitamui.cas.delegation; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import org.pac4j.core.client.IndirectClient; diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/provider/ProvidersService.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/ProvidersService.java similarity index 85% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/provider/ProvidersService.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/ProvidersService.java index a244758c3ef..1e5c74ff94f 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/provider/ProvidersService.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/delegation/ProvidersService.java @@ -34,29 +34,26 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.provider; +package fr.gouv.vitamui.cas.delegation; -import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.iam.client.IdentityProviderRestClient; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.dto.common.ProviderEmbeddedOptions; import fr.gouv.vitamui.iam.common.utils.Pac4jClientBuilder; +import fr.gouv.vitamui.iam.openapiclient.IdentityProvidersApi; +import jakarta.annotation.PostConstruct; import lombok.Getter; import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.pac4j.core.client.Client; import org.pac4j.core.client.Clients; import org.pac4j.core.client.IndirectClient; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.scheduling.annotation.Scheduled; import org.springframework.util.Assert; -import javax.annotation.PostConstruct; import java.util.ArrayList; import java.util.Comparator; import java.util.List; -import java.util.Optional; import java.util.stream.Collectors; /** @@ -64,22 +61,21 @@ * * */ -@Getter + +@Slf4j @RequiredArgsConstructor public class ProvidersService { - private static final Logger LOGGER = LoggerFactory.getLogger(ProvidersService.class); - + @Getter private List providers = new ArrayList<>(); + @Getter private final Clients clients; - private final IdentityProviderRestClient identityProviderRestClient; + private final IdentityProvidersApi identityProvidersApi; private final Pac4jClientBuilder pac4jClientBuilder; - private final Utils utils; - @PostConstruct public void afterPropertiesSet() { loadData(); @@ -97,11 +93,9 @@ public void reloadData() { } protected void loadData() { - final List temporaryProviders = identityProviderRestClient.getAll( - utils.buildContext(null), - Optional.empty(), - Optional.of(ProviderEmbeddedOptions.KEYSTORE + "," + ProviderEmbeddedOptions.IDPMETADATA) - ); + final String embedded = ProviderEmbeddedOptions.KEYSTORE + "," + ProviderEmbeddedOptions.IDPMETADATA; + List temporaryProviders = + identityProvidersApi.getAll(null, embedded); // sort by identifier. This is needed in order to take the internal provider first. temporaryProviders.sort(Comparator.comparing(IdentityProviderDto::getIdentifier)); LOGGER.debug( diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/logout/CustomDelegatedAuthenticationClientLogoutAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/logout/CustomDelegatedAuthenticationClientLogoutAction.java new file mode 100644 index 00000000000..3c9d08059b8 --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/logout/CustomDelegatedAuthenticationClientLogoutAction.java @@ -0,0 +1,85 @@ +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) + * + * contact.vitam@culture.gouv.fr + * + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. + * + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". + * + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. + * + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. + * + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. + */ + +package fr.gouv.vitamui.cas.logout; + +import fr.gouv.vitamui.cas.delegation.ProvidersService; +import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; +import lombok.extern.slf4j.Slf4j; +import lombok.val; +import org.apereo.cas.pac4j.client.DelegatedIdentityProviders; +import org.apereo.cas.web.flow.actions.logout.DelegatedAuthenticationClientLogoutAction; +import org.pac4j.core.client.Client; +import org.pac4j.core.context.session.SessionStore; +import org.pac4j.core.profile.UserProfile; + +import java.util.Optional; + +/** + * Propagate the logout from CAS to the authn delegated server. + */ +@Slf4j +public class CustomDelegatedAuthenticationClientLogoutAction extends DelegatedAuthenticationClientLogoutAction { + + private final ProvidersService providersService; + + private final IdentityProviderHelper identityProviderHelper; + + public CustomDelegatedAuthenticationClientLogoutAction( + final DelegatedIdentityProviders identityProviders, + final SessionStore sessionStore, + final ProvidersService providersService, + final IdentityProviderHelper identityProviderHelper + ) { + super(identityProviders, sessionStore); + this.providersService = providersService; + this.identityProviderHelper = identityProviderHelper; + } + + @Override + protected Optional findCurrentClient(final UserProfile currentProfile) { + val optClient = currentProfile == null + ? Optional.empty() + : identityProviders.findClient(currentProfile.getClientName()); + + LOGGER.debug("optClient: {}", optClient); + if (optClient.isEmpty()) { + return Optional.empty(); + } + + val client = optClient.get(); + val provider = identityProviderHelper + .findByTechnicalName(providersService.getProviders(), client.getName()) + .get(); + LOGGER.debug("provider: {}", provider); + if (!provider.isPropagateLogout()) { + return Optional.empty(); + } + + return optClient; + } +} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/logout/TerminateApiSessionAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/logout/TerminateApiSessionAction.java new file mode 100644 index 00000000000..1509b4c2a78 --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/logout/TerminateApiSessionAction.java @@ -0,0 +1,230 @@ +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) + * + * contact.vitam@culture.gouv.fr + * + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. + * + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". + * + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. + * + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. + * + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. + */ +package fr.gouv.vitamui.cas.logout; + +import fr.gouv.vitamui.cas.util.Utils; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import lombok.Getter; +import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang3.StringUtils; +import org.apereo.cas.CentralAuthenticationService; +import org.apereo.cas.authentication.Authentication; +import org.apereo.cas.authentication.AuthenticationResult; +import org.apereo.cas.authentication.DefaultAuthenticationBuilder; +import org.apereo.cas.authentication.DefaultAuthenticationResultBuilder; +import org.apereo.cas.authentication.principal.DefaultPrincipalElectionStrategy; +import org.apereo.cas.authentication.principal.Principal; +import org.apereo.cas.authentication.principal.WebApplicationService; +import org.apereo.cas.authentication.principal.WebApplicationServiceFactory; +import org.apereo.cas.configuration.CasConfigurationProperties; +import org.apereo.cas.configuration.model.core.logout.LogoutProperties; +import org.apereo.cas.logout.LogoutManager; +import org.apereo.cas.logout.slo.SingleLogoutExecutionRequest; +import org.apereo.cas.logout.slo.SingleLogoutRequestContext; +import org.apereo.cas.logout.slo.SingleLogoutRequestExecutor; +import org.apereo.cas.services.BaseRegisteredService; +import org.apereo.cas.services.RegisteredService; +import org.apereo.cas.services.ServicesManager; +import org.apereo.cas.ticket.InvalidTicketException; +import org.apereo.cas.ticket.TicketGrantingTicket; +import org.apereo.cas.ticket.registry.TicketRegistry; +import org.apereo.cas.web.cookie.CasCookieBuilder; +import org.apereo.cas.web.flow.logout.TerminateSessionAction; +import org.apereo.cas.web.support.WebUtils; +import org.springframework.context.ConfigurableApplicationContext; +import org.springframework.webflow.execution.Action; +import org.springframework.webflow.execution.Event; +import org.springframework.webflow.execution.RequestContext; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import java.util.Map; +import java.util.Optional; + +import static fr.gouv.vitamui.commons.api.CommonConstants.AUTHTOKEN_ATTRIBUTE; +import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE; +import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_CUSTOMER_ID_ATTRIBUTE; + +/** Terminate session action with custom IAM logout call. */ +@Slf4j +public class TerminateApiSessionAction extends TerminateSessionAction { + + private final Utils utils; + private final CasApi casApi; + private final ServicesManager servicesManager; + private final CasConfigurationProperties casProperties; + private final Action frontChannelLogoutAction; + private final TicketRegistry ticketRegistry; + + public TerminateApiSessionAction( + final CentralAuthenticationService centralAuthenticationService, + final CasCookieBuilder ticketGrantingTicketCookieGenerator, + final CasCookieBuilder warnCookieGenerator, + final LogoutProperties logoutProperties, + final LogoutManager logoutManager, + final ConfigurableApplicationContext applicationContext, + final Utils utils, + final CasApi casApi, + final ServicesManager servicesManager, + final CasConfigurationProperties casProperties, + final Action frontChannelLogoutAction, + final TicketRegistry ticketRegistry, + final SingleLogoutRequestExecutor singleLogoutRequestExecutor + ) { + super( + centralAuthenticationService, + ticketGrantingTicketCookieGenerator, + warnCookieGenerator, + logoutProperties, + logoutManager, + applicationContext, + singleLogoutRequestExecutor + ); + this.utils = utils; + this.casApi = casApi; + this.servicesManager = servicesManager; + this.casProperties = casProperties; + this.frontChannelLogoutAction = frontChannelLogoutAction; + this.ticketRegistry = ticketRegistry; + } + + @Override + @SneakyThrows + public Event terminate(final RequestContext context) { + final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context); + final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context); + + String tgtId = WebUtils.getTicketGrantingTicketId(context); + if (StringUtils.isBlank(tgtId)) { + tgtId = ticketGrantingTicketCookieGenerator.retrieveCookieValue(request); + } + + TicketGrantingTicket ticket = null; + if (StringUtils.isNotBlank(tgtId)) { + try { + ticket = ticketRegistry.getTicket(tgtId, TicketGrantingTicket.class); + if (ticket != null) { + final Principal principal = ticket.getAuthentication().getPrincipal(); + final Map> attributes = principal.getAttributes(); + final String authToken = (String) utils.getAttributeValue(attributes, AUTHTOKEN_ATTRIBUTE); + final String superUserEmail = Optional.ofNullable( + (String) utils.getAttributeValue(attributes, SUPER_USER_ATTRIBUTE) + ).orElse(""); + final String superUserCustomerId = Optional.ofNullable( + (String) utils.getAttributeValue(attributes, SUPER_USER_CUSTOMER_ID_ATTRIBUTE) + ).orElse(""); + + LOGGER.debug( + "Calling logout for authToken={} and superUser={}, superUserCustomerId={}", + authToken, + superUserEmail, + superUserCustomerId + ); + + casApi.logout(authToken, superUserEmail, superUserCustomerId); + } + } catch (final InvalidTicketException e) { + LOGGER.warn("No TGT found for the CAS cookie: {}", tgtId); + } + } + + final Event event = super.terminate(context); + + // Remove IdP cookie + response.addCookie(utils.buildIdpCookie(null, casProperties.getTgc())); + + // Fallback general logout + if (tgtId == null || ticket == null || ticket.isExpired()) { + List logoutRequests = performGeneralLogout(tgtId != null ? tgtId : "nocookie"); + WebUtils.putLogoutRequests(context, logoutRequests); + } + + // Front channel logout in login flow + if ("login".equals(context.getFlowExecutionContext().getDefinition().getId())) { + LOGGER.debug("Computing front channel logout URLs"); + frontChannelLogoutAction.execute(context); + } + + return event; + } + + protected List performGeneralLogout(final String tgtId) { + try { + // 1️⃣ Crée l'Authentication factice + Authentication fakeAuthentication = new DefaultAuthenticationBuilder() + .setPrincipal(new FakePrincipal(tgtId)) + .build(); + + // 2️⃣ Crée un AuthenticationResult factice à partir de l'authentication + AuthenticationResult authenticationResult = new DefaultAuthenticationResultBuilder() + .collect(fakeAuthentication) + .build(new DefaultPrincipalElectionStrategy()); // PrincipalElectionStrategy trivial + + // 3️⃣ Crée le TGT factice via l'API CAS 7 + TicketGrantingTicket fakeTgt = centralAuthenticationService.createTicketGrantingTicket( + authenticationResult + ); + + Collection registeredServices = servicesManager.getAllServices(); + // Préparer le factory de services CAS + WebApplicationServiceFactory serviceFactory = new WebApplicationServiceFactory(); + + for (RegisteredService registeredService : registeredServices) { + if (!(registeredService instanceof BaseRegisteredService baseService)) continue; + + String logoutUrl = baseService.getLogoutUrl(); + if (logoutUrl != null) { + WebApplicationService service = serviceFactory.createService(logoutUrl); + + // Génère le ST factice lié au TGT factice + centralAuthenticationService.grantServiceTicket(fakeTgt.getId(), service, authenticationResult); + // Pas besoin de collecter les ST dans une liste + } + } + + // Ensuite le logout général + return logoutManager.performLogout( + SingleLogoutExecutionRequest.builder().ticketGrantingTicket(fakeTgt).build() + ); + } catch (Throwable e) { + LOGGER.error("Unable to perform general logout", e); + return new ArrayList<>(); + } + } + + @Getter + @RequiredArgsConstructor + private static class FakePrincipal implements Principal { + + private final String id; + } +} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/model/CustomerModel.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/model/CustomerModel.java index 1b9f5859dd9..7a8afb53bae 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/model/CustomerModel.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/model/CustomerModel.java @@ -38,16 +38,38 @@ */ package fr.gouv.vitamui.cas.model; -import lombok.Data; -import lombok.experimental.Accessors; - import java.io.Serializable; -@Data -@Accessors(chain = true) public class CustomerModel implements Serializable { - String customerId; - String code; - String name; + private String customerId; + private String code; + private String name; + + public String getCustomerId() { + return customerId; + } + + public CustomerModel setCustomerId(String customerId) { + this.customerId = customerId; + return this; + } + + public String getCode() { + return code; + } + + public CustomerModel setCode(String code) { + this.code = code; + return this; + } + + public String getName() { + return name; + } + + public CustomerModel setName(String name) { + this.name = name; + return this; + } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/model/UserLoginModel.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/model/UserLoginModel.java index 071076139a8..6d770b31ebf 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/model/UserLoginModel.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/model/UserLoginModel.java @@ -40,9 +40,7 @@ package fr.gouv.vitamui.cas.model; import com.fasterxml.jackson.annotation.JsonProperty; -import lombok.Data; -@Data public class UserLoginModel { @JsonProperty("userEmail") @@ -50,4 +48,40 @@ public class UserLoginModel { @JsonProperty("customerId") private String customerId; + + public String getUserEmail() { + return userEmail; + } + + public void setUserEmail(String userEmail) { + this.userEmail = userEmail; + } + + public String getCustomerId() { + return customerId; + } + + public void setCustomerId(String customerId) { + this.customerId = customerId; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + UserLoginModel that = (UserLoginModel) o; + return ( + java.util.Objects.equals(userEmail, that.userEmail) && java.util.Objects.equals(customerId, that.customerId) + ); + } + + @Override + public int hashCode() { + return java.util.Objects.hash(userEmail, customerId); + } + + @Override + public String toString() { + return "UserLoginModel{" + "userEmail='" + userEmail + '\'' + ", customerId='" + customerId + '\'' + '}'; + } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/CustomCasWebSecurityConfigurerAdapter.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/CustomCasWebSecurityConfigurerAdapter.java new file mode 100644 index 00000000000..f29f0f2e99f --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/CustomCasWebSecurityConfigurerAdapter.java @@ -0,0 +1,69 @@ +/** + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) and the signatories + * of the "VITAM - Accord du Contributeur" agreement. + * + *

contact@programmevitam.fr + * + *

This software is a computer program whose purpose is to implement implement a digital + * archiving front-office system for the secure and efficient high volumetry VITAM solution. + * + *

This software is governed by the CeCILL-C license under French law and abiding by the rules of + * distribution of free software. You can use, modify and/ or redistribute the software under the + * terms of the CeCILL-C license as circulated by CEA, CNRS and INRIA at the following URL + * "http://www.cecill.info". + * + *

As a counterpart to the access to the source code and rights to copy, modify and redistribute + * granted by the license, users are provided only with a limited warranty and the software's + * author, the holder of the economic rights, and the successive licensors have only limited + * liability. + * + *

In this respect, the user's attention is drawn to the risks associated with loading, using, + * modifying and/or developing or reproducing the software by the user in light of its specific + * status of free software, that may mean that it is complicated to manipulate, and that also + * therefore means that it is reserved for developers and experienced professionals having in-depth + * computer knowledge. Users are therefore encouraged to load and test the software's suitability as + * regards their requirements in conditions enabling the security of their systems and/or data to be + * ensured and, more generally, to use and operate it in the same conditions as regards security. + * + *

The fact that you are presently reading this means that you have had knowledge of the CeCILL-C + * license and that you accept its terms. + */ +package fr.gouv.vitamui.cas.password; + +import lombok.val; +import org.apereo.cas.configuration.CasConfigurationProperties; +import org.apereo.cas.web.CasWebSecurityConfigurer; +import org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter; +import org.springframework.beans.factory.ObjectProvider; +import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties; +import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints; +import org.springframework.security.web.context.SecurityContextRepository; + +import java.util.List; + +/** Exclude the URL /extras from security. */ +public class CustomCasWebSecurityConfigurerAdapter extends CasWebSecurityConfigurerAdapter { + + public CustomCasWebSecurityConfigurerAdapter( + final CasConfigurationProperties casProperties, + final WebEndpointProperties webEndpointProperties, + final ObjectProvider pathMappedEndpoints, + final List webSecurityConfigurers, + final SecurityContextRepository securityContextRepository + ) { + super( + casProperties, + webEndpointProperties, + pathMappedEndpoints, + webSecurityConfigurers, + securityContextRepository + ); + } + + @Override + protected List getAllowedPatternsToIgnore() { + val patterns = super.getAllowedPatternsToIgnore(); + patterns.add("/extras/**"); + return patterns; + } +} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/IamPasswordManagementService.java similarity index 83% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/IamPasswordManagementService.java index ae60692477f..179d445951f 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/IamPasswordManagementService.java @@ -34,13 +34,13 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.pm; +package fr.gouv.vitamui.cas.password; import com.fasterxml.jackson.core.JacksonException; import com.fasterxml.jackson.core.type.TypeReference; import com.fasterxml.jackson.databind.ObjectMapper; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.model.UserLoginModel; -import fr.gouv.vitamui.cas.provider.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.commons.api.domain.UserDto; @@ -49,16 +49,15 @@ import fr.gouv.vitamui.commons.api.exception.VitamUIException; import fr.gouv.vitamui.commons.security.client.config.password.PasswordConfiguration; import fr.gouv.vitamui.commons.security.client.password.PasswordValidator; -import fr.gouv.vitamui.iam.client.CasRestClient; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import jakarta.validation.constraints.NotNull; import lombok.Getter; import lombok.Setter; -import lombok.val; +import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.apereo.cas.CentralAuthenticationService; -import org.apereo.cas.authentication.Credential; import org.apereo.cas.authentication.PreventedException; -import org.apereo.cas.authentication.credential.UsernamePasswordCredential; import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService; import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties; import org.apereo.cas.pm.InvalidPasswordException; @@ -69,8 +68,6 @@ import org.apereo.cas.ticket.registry.TicketRegistry; import org.apereo.cas.util.crypto.CipherExecutor; import org.apereo.cas.web.support.WebUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.security.authentication.InsufficientAuthenticationException; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.util.Assert; @@ -78,11 +75,9 @@ import org.springframework.webflow.execution.RequestContext; import org.springframework.webflow.execution.RequestContextHolder; -import javax.validation.constraints.NotNull; import java.io.Serializable; import java.util.Map; import java.util.Objects; -import java.util.Optional; import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE; @@ -91,13 +86,12 @@ */ @Getter @Setter +@Slf4j public class IamPasswordManagementService extends BasePasswordManagementService { - private static final Logger LOGGER = LoggerFactory.getLogger(IamPasswordManagementService.class); - private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper(); - private final CasRestClient casRestClient; + private final CasApi casApi; private final ProvidersService providersService; @@ -113,14 +107,12 @@ public class IamPasswordManagementService extends BasePasswordManagementService private final PasswordConfiguration passwordConfiguration; - private static Integer maxOldPassword; - public IamPasswordManagementService( final PasswordManagementProperties passwordManagementProperties, final CipherExecutor cipherExecutor, final String issuer, final PasswordHistoryService passwordHistoryService, - final CasRestClient casRestClient, + final CasApi casApi, final ProvidersService providersService, final IdentityProviderHelper identityProviderHelper, final CentralAuthenticationService centralAuthenticationService, @@ -130,7 +122,7 @@ public IamPasswordManagementService( final PasswordConfiguration passwordConfiguration ) { super(passwordManagementProperties, cipherExecutor, issuer, passwordHistoryService); - this.casRestClient = casRestClient; + this.casApi = casApi; this.providersService = providersService; this.identityProviderHelper = identityProviderHelper; this.centralAuthenticationService = centralAuthenticationService; @@ -138,12 +130,11 @@ public IamPasswordManagementService( this.ticketRegistry = ticketRegistry; this.passwordValidator = passwordValidator; this.passwordConfiguration = passwordConfiguration; - this.maxOldPassword = passwordConfiguration.getMaxOldPassword(); } protected RequestContext blockIfSubrogation() { - val requestContext = RequestContextHolder.getRequestContext(); - val authentication = WebUtils.getAuthentication(requestContext); + final var requestContext = RequestContextHolder.getRequestContext(); + final var authentication = WebUtils.getAuthentication(requestContext); if (authentication != null) { // login/pwd subrogation String superUsername = (String) utils.getAttributeValue( @@ -165,40 +156,37 @@ protected RequestContext blockIfSubrogation() { } @Override - public boolean changeInternal(final Credential c, final PasswordChangeRequest bean) - throws InvalidPasswordException { - val requestContext = blockIfSubrogation(); - val flowScope = requestContext.getFlowScope(); + public boolean changeInternal(final PasswordChangeRequest bean) throws InvalidPasswordException { + final var requestContext = blockIfSubrogation(); + final var flowScope = requestContext.getFlowScope(); if (flowScope != null) { flowScope.put("passwordHasBeenChanged", true); } - if (!passwordValidator.isEqualConfirmed(bean.getPassword(), bean.getConfirmedPassword())) { + String password = new String(bean.getPassword()); + String confirmedPassword = new String(bean.getConfirmedPassword()); + + if (!passwordValidator.isEqualConfirmed(password, confirmedPassword)) { throw new PasswordConfirmException(); } - if (!passwordValidator.isValid(getProperties().getCore().getPasswordPolicyPattern(), bean.getPassword())) { + if (!passwordValidator.isValid(getProperties().getCore().getPasswordPolicyPattern(), password)) { throw new PasswordNotMatchRegexException(); } - val upc = (UsernamePasswordCredential) c; - val username = upc.getUsername(); - + final var username = bean.getUsername(); LOGGER.debug("passwordConfiguration: {}", passwordConfiguration); Assert.notNull(username, "username can not be null"); - UserLoginModel userLogin = extractUserLoginAndCustomerIdModel(flowScope, username); - final UserDto user = casRestClient.getUserByEmailAndCustomerId( - utils.buildContext(userLogin.getUserEmail()), - userLogin.getUserEmail(), - userLogin.getCustomerId(), - Optional.empty() - ); + final UserLoginModel userLogin = extractUserLoginAndCustomerIdModel(flowScope, username); + final UserDto user = findUserByEmailAndCustomerId(userLogin.getUserEmail(), userLogin.getCustomerId()); + if (user == null) { LOGGER.debug("User not found with login: {}", userLogin.getUserEmail()); throw new InvalidPasswordException(); } + if (user.getStatus() != UserStatusEnum.ENABLED) { LOGGER.debug("User cannot login: {} - User {}", userLogin.getUserEmail(), user.toString()); throw new InvalidPasswordException(); @@ -219,7 +207,7 @@ public boolean changeInternal(final Credential c, final PasswordChangeRequest be if ( passwordValidator.isContainsUserOccurrences( userLastName, - bean.getPassword(), + password, passwordConfiguration.getOccurrencesCharsNumber() ) ) { @@ -229,7 +217,7 @@ public boolean changeInternal(final Credential c, final PasswordChangeRequest be } } - val identityProvider = identityProviderHelper.findByUserIdentifierAndCustomerId( + final var identityProvider = identityProviderHelper.findByUserIdentifierAndCustomerId( providersService.getProviders(), userLogin.getUserEmail(), userLogin.getCustomerId() @@ -244,12 +232,7 @@ public boolean changeInternal(final Credential c, final PasswordChangeRequest be ); try { - casRestClient.changePassword( - utils.buildContext(userLogin.getUserEmail()), - userLogin.getUserEmail(), - userLogin.getCustomerId(), - bean.getPassword() - ); + casApi.changePassword(userLogin.getUserEmail(), password, userLogin.getCustomerId()); return true; } catch (final ConflictException e) { throw new PasswordAlreadyUsedException(); @@ -262,9 +245,11 @@ public boolean changeInternal(final Credential c, final PasswordChangeRequest be @NotNull private UserLoginModel extractUserLoginAndCustomerIdModel(MutableAttributeMap flowScope, String username) { // IMPORTANT: 2 possible workflows : - // -> If we came from password expiration workflow ==> We already have the username/customerId from flow scope - // -> If we came from password reset link by email ==> We use a dirty hack to encode a username+password pair as - // a json-serialized UserLoginModel encoded into the `username` field. + // -> If we came from password expiration workflow ==> We already have the + // username/customerId from flow scope + // -> If we came from password reset link by email ==> We use a dirty hack to + // encode a username+password pair as + // a json-serialized UserLoginModel encoded into the `username` field. String loginEmailFromFlowScope = null; String loginCustomerIdFromFlowScope = null; @@ -315,17 +300,11 @@ private UserLoginModel extractUserLoginAndCustomerIdModel(MutableAttributeMap user.getCustomerId().equals(customerId)) + .findFirst() + .orElse(null); + } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/PmMessageToSend.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/PmMessageToSend.java similarity index 96% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/PmMessageToSend.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/PmMessageToSend.java index 84e7e7ee528..bd9cee9270f 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/PmMessageToSend.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/PmMessageToSend.java @@ -34,11 +34,8 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.pm; +package fr.gouv.vitamui.cas.password; -import lombok.EqualsAndHashCode; -import lombok.Getter; -import lombok.ToString; import org.springframework.context.HierarchicalMessageSource; import java.util.Locale; @@ -48,9 +45,6 @@ * * */ -@Getter -@ToString -@EqualsAndHashCode public class PmMessageToSend { public static final String ONE_DAY = "1day"; @@ -69,6 +63,14 @@ public class PmMessageToSend { private final String text; + public String getSubject() { + return subject; + } + + public String getText() { + return text; + } + private PmMessageToSend(final String subject, final String text) { this.subject = subject; this.text = text; diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/PmTransientSessionTicketExpirationPolicyBuilder.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/PmTransientSessionTicketExpirationPolicyBuilder.java similarity index 72% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/PmTransientSessionTicketExpirationPolicyBuilder.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/PmTransientSessionTicketExpirationPolicyBuilder.java index 15648a573d7..0b17e2ea784 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/PmTransientSessionTicketExpirationPolicyBuilder.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/PmTransientSessionTicketExpirationPolicyBuilder.java @@ -34,37 +34,44 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.pm; +package fr.gouv.vitamui.cas.password; -import lombok.val; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.configuration.CasConfigurationProperties; import org.apereo.cas.configuration.support.Beans; import org.apereo.cas.ticket.ExpirationPolicy; +import org.apereo.cas.ticket.ExpirationPolicyBuilder; +import org.apereo.cas.ticket.TransientSessionTicket; import org.apereo.cas.ticket.expiration.HardTimeoutExpirationPolicy; import org.apereo.cas.ticket.expiration.builder.TransientSessionTicketExpirationPolicyBuilder; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.web.context.request.RequestContextHolder; /** - * Specific expiration policy builder for password management (retrieves the expiration in minutes pushed by the ResetPasswordController). + * Specific expiration policy builder for password management (retrieves the + * expiration in minutes pushed by the ResetPasswordController). */ -public class PmTransientSessionTicketExpirationPolicyBuilder extends TransientSessionTicketExpirationPolicyBuilder { - - private static final Logger LOGGER = LoggerFactory.getLogger(PmTransientSessionTicketExpirationPolicyBuilder.class); +@Slf4j +public class PmTransientSessionTicketExpirationPolicyBuilder + implements ExpirationPolicyBuilder { public static final String PM_EXPIRATION_IN_MINUTES_ATTRIBUTE = "pmExpirationInMinutes"; + private final CasConfigurationProperties casProperties; + + private final TransientSessionTicketExpirationPolicyBuilder transientSessionTicketExpirationPolicyBuilder; + public PmTransientSessionTicketExpirationPolicyBuilder(final CasConfigurationProperties casProperties) { - super(casProperties); + this.casProperties = casProperties; + this.transientSessionTicketExpirationPolicyBuilder = new TransientSessionTicketExpirationPolicyBuilder( + casProperties + ); } - @Override public ExpirationPolicy toTransientSessionTicketExpirationPolicy() { - val attributes = RequestContextHolder.getRequestAttributes(); + final var attributes = RequestContextHolder.getRequestAttributes(); if (attributes != null) { try { - val expInMinutes = (Long) attributes.getAttribute(PM_EXPIRATION_IN_MINUTES_ATTRIBUTE, 0); + final var expInMinutes = (Long) attributes.getAttribute(PM_EXPIRATION_IN_MINUTES_ATTRIBUTE, 0); if (expInMinutes != null) { return new HardTimeoutExpirationPolicy(expInMinutes * 60); } @@ -72,7 +79,12 @@ public ExpirationPolicy toTransientSessionTicketExpirationPolicy() { LOGGER.error("Cannot get expiration in minutes", e); } } - val duration = Beans.newDuration(casProperties.getAuthn().getPm().getReset().getExpiration()); + final var duration = Beans.newDuration(casProperties.getAuthn().getPm().getReset().getExpiration()); return new HardTimeoutExpirationPolicy(duration.toSeconds()); } + + @Override + public ExpirationPolicy buildTicketExpirationPolicy() { + return toTransientSessionTicketExpirationPolicy(); + } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/ResetPasswordController.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/ResetPasswordController.java similarity index 90% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/ResetPasswordController.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/ResetPasswordController.java index 6402a90b390..0b5ba5d4f3f 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/ResetPasswordController.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/ResetPasswordController.java @@ -34,17 +34,17 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.pm; +package fr.gouv.vitamui.cas.password; import com.fasterxml.jackson.databind.ObjectMapper; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.model.UserLoginModel; -import fr.gouv.vitamui.cas.provider.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; +import jakarta.servlet.http.HttpServletRequest; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import lombok.val; import org.apache.commons.lang3.StringUtils; import org.apereo.cas.configuration.CasConfigurationProperties; import org.apereo.cas.configuration.support.Beans; @@ -60,7 +60,6 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; -import javax.servlet.http.HttpServletRequest; import java.util.Locale; /** @@ -115,12 +114,18 @@ public boolean resetPassword( return false; } - val usernameLower = username.toLowerCase().trim(); + final var usernameLower = username.toLowerCase().trim(); LinkedMultiValueMap customerIdMapElt = new LinkedMultiValueMap<>(); customerIdMapElt.add(Constants.RESET_PWD_CUSTOMER_ID_ATTR, customerId); - val query = PasswordManagementQuery.builder().username(usernameLower).record(customerIdMapElt).build(); + final var query = PasswordManagementQuery.builder().username(usernameLower).record(customerIdMapElt).build(); - val email = passwordManagementService.findEmail(query); + String email; + try { + email = passwordManagementService.findEmail(query); + } catch (final Throwable e) { + LOGGER.error("Error finding email", e); + return false; + } if (StringUtils.isBlank(email)) { LOGGER.warn("No recipient is provided"); return false; @@ -132,7 +137,7 @@ public boolean resetPassword( } final Locale locale = new Locale(language); - val duration = Beans.newDuration(casProperties.getAuthn().getPm().getReset().getExpiration()); + final var duration = Beans.newDuration(casProperties.getAuthn().getPm().getReset().getExpiration()); final long expMinutes = PmMessageToSend.ONE_DAY.equals(ttl) ? 24 * 60L : duration.toMinutes(); request.setAttribute( PmTransientSessionTicketExpirationPolicyBuilder.PM_EXPIRATION_IN_MINUTES_ATTRIBUTE, @@ -144,7 +149,7 @@ public boolean resetPassword( userLoginModel.setCustomerId(customerId); String userLoginModelToToken = objectMapper.writeValueAsString(userLoginModel); - val url = passwordResetUrlBuilder.build(userLoginModelToToken).toString(); + final var url = passwordResetUrlBuilder.build(userLoginModelToToken).toString(); final PmMessageToSend messageToSend = PmMessageToSend.buildMessage( messageSource, firstname, @@ -164,7 +169,7 @@ public boolean resetPassword( ); return sendPasswordResetEmailToAccount(email, messageToSend.getSubject(), messageToSend.getText()); - } catch (final Exception e) { + } catch (final Throwable e) { LOGGER.error("Cannot reset password", e); return false; } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/IamSurrogateAuthenticationService.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/surrogation/IamSurrogateAuthenticationService.java similarity index 55% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/IamSurrogateAuthenticationService.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/surrogation/IamSurrogateAuthenticationService.java index b26e2c0898c..8f83f982dd5 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/IamSurrogateAuthenticationService.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/surrogation/IamSurrogateAuthenticationService.java @@ -1,53 +1,40 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ -package fr.gouv.vitamui.cas.authentication; +package fr.gouv.vitamui.cas.surrogation; import fr.gouv.vitamui.cas.util.Constants; -import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.commons.api.exception.VitamUIException; -import fr.gouv.vitamui.iam.client.CasRestClient; import fr.gouv.vitamui.iam.common.enums.SubrogationStatusEnum; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.authentication.principal.Principal; import org.apereo.cas.authentication.principal.Service; import org.apereo.cas.authentication.surrogate.BaseSurrogateAuthenticationService; import org.apereo.cas.services.ServicesManager; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.util.Assert; import org.springframework.webflow.execution.RequestContextHolder; @@ -57,22 +44,14 @@ /** * Specific surrogate service based on the IAM API. */ +@Slf4j public class IamSurrogateAuthenticationService extends BaseSurrogateAuthenticationService { - private static final Logger LOGGER = LoggerFactory.getLogger(IamSurrogateAuthenticationService.class); - - private final CasRestClient casRestClient; + private final CasApi casApi; - private final Utils utils; - - public IamSurrogateAuthenticationService( - final CasRestClient casRestClient, - final ServicesManager servicesManager, - final Utils utils - ) { + public IamSurrogateAuthenticationService(final CasApi casApi, final ServicesManager servicesManager) { super(servicesManager); - this.casRestClient = casRestClient; - this.utils = utils; + this.casApi = casApi; } @Override @@ -81,8 +60,8 @@ public boolean canImpersonateInternal( final Principal principal, final Optional service ) { - val requestContext = RequestContextHolder.getRequestContext(); - val flowScope = requestContext.getFlowScope(); + final var requestContext = RequestContextHolder.getRequestContext(); + final var flowScope = requestContext.getFlowScope(); String surrogateEmail = (String) flowScope.get(Constants.FLOW_SURROGATE_EMAIL); String surrogateCustomerId = (String) flowScope.get(Constants.FLOW_SURROGATE_CUSTOMER_ID); @@ -102,10 +81,10 @@ public boolean canImpersonateInternal( String.format("Invalid surrogate. Expected '%s', got: '%s'", surrogateEmail, surrogate) ); - val id = principal.getId(); + final var id = principal.getId(); boolean canAuthenticate = false; try { - val subrogations = casRestClient.getSubrogationsBySuperUserId(utils.buildContext(id), id); + final var subrogations = casApi.getSubrogationsBySuperUserIdOrEmailAndCustomerId(id, null, null); canAuthenticate = subrogations .stream() .filter(s -> s.getStatus() == SubrogationStatusEnum.ACCEPTED) diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/ticket/CustomOAuth20DefaultAccessTokenFactory.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/ticket/CustomOAuth20DefaultAccessTokenFactory.java index a670f2f54f3..61be159d88d 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/ticket/CustomOAuth20DefaultAccessTokenFactory.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/ticket/CustomOAuth20DefaultAccessTokenFactory.java @@ -38,14 +38,20 @@ import fr.gouv.vitamui.commons.api.CommonConstants; import lombok.Getter; +import lombok.extern.slf4j.Slf4j; +import lombok.val; +import org.apache.commons.lang.StringUtils; import org.apereo.cas.authentication.Authentication; import org.apereo.cas.authentication.principal.Principal; import org.apereo.cas.authentication.principal.Service; import org.apereo.cas.services.ServicesManager; import org.apereo.cas.ticket.ExpirationPolicyBuilder; +import org.apereo.cas.ticket.UniqueTicketIdGenerator; import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken; import org.apereo.cas.ticket.accesstoken.OAuth20DefaultAccessTokenFactory; +import org.apereo.cas.ticket.tracking.TicketTrackingPolicy; import org.apereo.cas.token.JwtBuilder; +import org.springframework.web.context.request.ServletRequestAttributes; import java.util.List; @@ -55,22 +61,42 @@ * */ @Getter +@Slf4j public class CustomOAuth20DefaultAccessTokenFactory extends OAuth20DefaultAccessTokenFactory { public CustomOAuth20DefaultAccessTokenFactory( - final ExpirationPolicyBuilder expirationPolicy, + final UniqueTicketIdGenerator accessTokenIdGenerator, + final ExpirationPolicyBuilder expirationPolicyBuilder, final JwtBuilder jwtBuilder, - final ServicesManager servicesManager + final ServicesManager servicesManager, + final TicketTrackingPolicy descendantTicketsTrackingPolicy ) { - super(expirationPolicy, jwtBuilder, servicesManager); + super( + accessTokenIdGenerator, + expirationPolicyBuilder, + jwtBuilder, + servicesManager, + descendantTicketsTrackingPolicy + ); } - protected String generateAccessTokenId(final Service service, final Authentication authentication) { + @Override + protected String generateAccessTokenId(final Service service, final Authentication authentication) + throws Throwable { + val request = + ((ServletRequestAttributes) org.springframework.web.context.request.RequestContextHolder.getRequestAttributes()).getRequest(); final Principal principal = authentication.getPrincipal(); - final List authToken = principal.getAttributes().get(CommonConstants.AUTHTOKEN_ATTRIBUTE); - if (authToken == null || authToken.size() == 0) { - throw new RuntimeException("Cannot create access token for null authtoken: " + principal); + String authToken; + final List values = principal.getAttributes().get(CommonConstants.AUTHTOKEN_ATTRIBUTE); + if (values != null && !values.isEmpty()) { + authToken = (String) values.getFirst(); + request.setAttribute(CommonConstants.AUTHTOKEN_ATTRIBUTE, authToken); + } else { + authToken = (String) request.getAttribute(CommonConstants.AUTHTOKEN_ATTRIBUTE); } - return (String) authToken.get(0); + if (StringUtils.isBlank(authToken)) { + return super.generateAccessTokenId(service, authentication); + } + return authToken; } } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Constants.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Constants.java index a369864af7a..048f9c01500 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Constants.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Constants.java @@ -67,6 +67,8 @@ public abstract class Constants { public static final String VITAM_UI_FAVICON = "vitamuiFavicon"; + public static final String VITAMUI_LOGO_LARGE = "vitamuiLogoLarge"; + public static final String PASSWORD_CUSTOM_CONSTRAINTS = "passwordCustomConstraints"; public static final String PASSWORD_DEFAULT_CONSTRAINTS = "passwordAnssiConstraints"; diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/IamApiDecorator.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/IamApiDecorator.java new file mode 100644 index 00000000000..c60df3e6eb1 --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/IamApiDecorator.java @@ -0,0 +1,108 @@ +package fr.gouv.vitamui.cas.util; + +import fr.gouv.vitamui.commons.rest.client.HttpContext; +import fr.gouv.vitamui.commons.rest.client.HttpContextHolder; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.aopalliance.intercept.MethodInterceptor; +import org.apache.commons.lang3.StringUtils; +import org.apereo.cas.authentication.principal.Principal; +import org.springframework.aop.framework.ProxyFactory; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolder; + +import java.util.List; +import java.util.Map; +import java.util.Optional; + +import static fr.gouv.vitamui.commons.api.CommonConstants.EMAIL_ATTRIBUTE; +import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE; +import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_CUSTOMER_ID_ATTRIBUTE; + +/** + * Decorator for IAM API beans that ensures an HttpContext is always available + * during method execution. + * + * The HttpContext is positioned in the HttpContextHolder before invoking the + * target method so that downstream components—especially IamApiClient—can + * retrieve the correct contextual information (tenant, user token, identity, + * application id, etc.) at the exact time HTTP headers are built. + * + * This guarantees that outgoing IAM requests are enriched with consistent and + * properly scoped security and tenant data, whether the call originates from + * an authenticated user or from a technical/service context. + */ +@Slf4j +@RequiredArgsConstructor +public class IamApiDecorator { + + private static final String DEFAULT_SERVICE_ACCOUNT = "admin@change-it.fr"; + + private final Utils utils; + + @SuppressWarnings("unchecked") + public T decorate(T target) { + ProxyFactory factory = new ProxyFactory(target); + + factory.addAdvice( + (MethodInterceptor) invocation -> { + Optional existingContext = HttpContextHolder.get(); + if (existingContext.isPresent()) { + LOGGER.debug("HTTP context already present: {}", existingContext.get()); + return invocation.proceed(); + } + + HttpContext context = resolveUserContext().orElseGet(this::createServiceContext); + + try (var ignored = HttpContextHolder.setInScope(context)) { + return invocation.proceed(); + } + } + ); + + return (T) factory.getProxy(); + } + + private Optional resolveUserContext() { + SecurityContext securityContext = SecurityContextHolder.getContext(); + + if (securityContext == null || securityContext.getAuthentication() == null) { + return Optional.empty(); + } + + Object principal = securityContext.getAuthentication().getPrincipal(); + if (principal == null) { + return Optional.empty(); + } + + return extractUsername(principal).map(this::createContext); + } + + private Optional extractUsername(Object principal) { + if (principal instanceof Principal casPrincipal) { + Map> attributes = casPrincipal.getAttributes(); + String principalEmail = (String) utils.getAttributeValue(attributes, EMAIL_ATTRIBUTE); + String superUserEmail = (String) utils.getAttributeValue(attributes, SUPER_USER_ATTRIBUTE); + String superUserCustomerId = (String) utils.getAttributeValue(attributes, SUPER_USER_CUSTOMER_ID_ATTRIBUTE); + String username = StringUtils.isNotBlank(superUserCustomerId) ? superUserEmail : principalEmail; + + return Optional.ofNullable(username); + } + + if (principal instanceof String username) { + return Optional.of(username); + } + + return Optional.empty(); + } + + private HttpContext createServiceContext() { + LOGGER.debug("Using service account context"); + return createContext(DEFAULT_SERVICE_ACCOUNT); + } + + private HttpContext createContext(String username) { + LOGGER.debug("Building HTTP context for {}", username); + return utils.buildContext(username); + } +} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java index 0a89ef733ef..7a03b407779 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java @@ -38,8 +38,12 @@ import fr.gouv.vitamui.commons.api.CommonConstants; import fr.gouv.vitamui.commons.rest.client.HttpContext; +import jakarta.mail.internet.MimeMessage; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import lombok.RequiredArgsConstructor; -import lombok.val; +import lombok.extern.slf4j.Slf4j; import org.apache.commons.collections4.CollectionUtils; import org.apache.commons.lang3.StringUtils; import org.apereo.cas.CasProtocolConstants; @@ -49,8 +53,6 @@ import org.pac4j.core.client.IndirectClient; import org.pac4j.core.util.CommonHelper; import org.pac4j.core.util.Pac4jConstants; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.mail.javamail.JavaMailSender; import org.springframework.mail.javamail.MimeMessageHelper; import org.springframework.webflow.context.ExternalContext; @@ -58,10 +60,6 @@ import org.springframework.webflow.execution.Event; import org.springframework.webflow.execution.RequestContext; -import javax.mail.internet.MimeMessage; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.List; import java.util.Map; @@ -71,11 +69,10 @@ * * */ +@Slf4j @RequiredArgsConstructor public class Utils { - private static final Logger LOGGER = LoggerFactory.getLogger(Utils.class); - private static final int BROWSER_SESSION_LIFETIME = -1; private final String casToken; @@ -98,7 +95,7 @@ public Event performClientRedirection( final RequestContext requestContext ) throws IOException { final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext); - val service = WebUtils.getService(requestContext); + final var service = WebUtils.getService(requestContext); String url = CommonHelper.addParameter( casServerPrefix + "/clientredirect", @@ -192,7 +189,7 @@ public String getIdpValue(final HttpServletRequest request) { if (StringUtils.isNotBlank(idp)) { return idp; } - val cookie = org.springframework.web.util.WebUtils.getCookie(request, CommonConstants.IDP_PARAMETER); + final var cookie = org.springframework.web.util.WebUtils.getCookie(request, CommonConstants.IDP_PARAMETER); if (cookie != null) { return cookie.getValue(); } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomCorsProcessor.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomCorsProcessor.java index 3a1e582c81d..b2c9a7402c3 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomCorsProcessor.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomCorsProcessor.java @@ -1,11 +1,10 @@ package fr.gouv.vitamui.cas.web; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import lombok.val; import org.apache.commons.lang3.StringUtils; import org.pac4j.core.util.Pac4jConstants; import org.springframework.http.HttpHeaders; @@ -64,33 +63,33 @@ protected boolean handleInternal( } if (serverRequest instanceof ServletServerHttpRequest) { - val request = ((ServletServerHttpRequest) serverRequest).getServletRequest(); + final var request = ((ServletServerHttpRequest) serverRequest).getServletRequest(); - val uri = request.getRequestURI(); - val clientName = request.getParameter(Pac4jConstants.DEFAULT_CLIENT_NAME_PARAMETER); + final var uri = request.getRequestURI(); + final var clientName = request.getParameter(Pac4jConstants.DEFAULT_CLIENT_NAME_PARAMETER); if (StringUtils.endsWith(uri, "/login") && StringUtils.isNotBlank(clientName)) { LOGGER.debug("Delegated authn callback for clientName: {}", clientName); - val identityProvider = identityProviderHelper.findByTechnicalName( + final var identityProvider = identityProviderHelper.findByTechnicalName( providersService.getProviders(), clientName ); if (identityProvider.isPresent()) { String providerUrl = null; - val provider = identityProvider.get(); + final var provider = identityProvider.get(); // SAML? - val samlMetadata = provider.getIdpMetadata(); + final var samlMetadata = provider.getIdpMetadata(); if (StringUtils.isNotBlank(samlMetadata)) { providerUrl = getSamlProviderUrl(provider); // OIDC? } else { - val discoveryUrl = provider.getDiscoveryUrl(); + final var discoveryUrl = provider.getDiscoveryUrl(); if (StringUtils.isNotBlank(discoveryUrl)) { providerUrl = discoveryUrl; } } LOGGER.debug("providerUrl: {}", providerUrl); if (StringUtils.isNotBlank(providerUrl)) { - val followingSlash = providerUrl.indexOf("/", 9); + final var followingSlash = providerUrl.indexOf("/", 9); if (followingSlash < 0) { allowOrigin = providerUrl; } else { @@ -173,12 +172,12 @@ private String getSamlProviderUrl(IdentityProviderDto provider) { XPathFactory xpathFactory = XPathFactory.newInstance(); XPath xpath = xpathFactory.newXPath(); - var location = xpath.evaluate(IDP_LOCATION_XPATH_EXPRESSION, document); + final var location = xpath.evaluate(IDP_LOCATION_XPATH_EXPRESSION, document); if (StringUtils.isNotBlank(location)) { return location; } - var entityId = xpath.evaluate(IDP_ENTITY_XPATH_EXPRESSION, document); + final var entityId = xpath.evaluate(IDP_ENTITY_XPATH_EXPRESSION, document); if (StringUtils.isNotBlank(entityId)) { return entityId; } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomOidcCasClientRedirectActionBuilder.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomOidcCasClientRedirectActionBuilder.java index 5852d7cd3e3..ba98770e23c 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomOidcCasClientRedirectActionBuilder.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomOidcCasClientRedirectActionBuilder.java @@ -4,7 +4,6 @@ import fr.gouv.vitamui.commons.api.CommonConstants; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import lombok.val; import org.apache.commons.lang3.StringUtils; import org.apereo.cas.CasProtocolConstants; import org.apereo.cas.oidc.OidcConstants; @@ -22,6 +21,7 @@ /** * Propagates custom parameters from OIDC to CAS. */ + @Slf4j @RequiredArgsConstructor public class CustomOidcCasClientRedirectActionBuilder extends OAuth20DefaultCasClientRedirectActionBuilder { @@ -35,7 +35,7 @@ public Optional build(final CasClient casClient, final WebCon var renew = casClient.getConfiguration().isRenew(); var gateway = casClient.getConfiguration().isGateway(); - val prompts = parameterResolver.resolveSupportedPromptValues(context); + final var prompts = parameterResolver.resolveSupportedPromptValues(context); if (prompts.contains(OidcConstants.PROMPT_NONE)) { renew = false; gateway = true; @@ -46,7 +46,7 @@ public Optional build(final CasClient casClient, final WebCon renew = true; } - val action = internalBuild(casClient, context, renew, gateway); + final var action = internalBuild(casClient, context, renew, gateway); LOGGER.debug("Final redirect action is [{}]", action); return action; } @@ -57,11 +57,11 @@ protected Optional internalBuild( final boolean renew, final boolean gateway ) { - val username = context.getRequestParameter(Constants.LOGIN_USER_EMAIL_PARAM); - val superUserEmail = context.getRequestParameter(Constants.LOGIN_SUPER_USER_EMAIL_PARAM); - val superUserCustomerId = context.getRequestParameter(Constants.LOGIN_SUPER_USER_CUSTOMER_ID_PARAM); - val surrogateEmail = context.getRequestParameter(Constants.LOGIN_SURROGATE_EMAIL_PARAM); - val surrogateCustomerId = context.getRequestParameter(Constants.LOGIN_SURROGATE_CUSTOMER_ID_PARAM); + final var username = context.getRequestParameter(Constants.LOGIN_USER_EMAIL_PARAM); + final var superUserEmail = context.getRequestParameter(Constants.LOGIN_SUPER_USER_EMAIL_PARAM); + final var superUserCustomerId = context.getRequestParameter(Constants.LOGIN_SUPER_USER_CUSTOMER_ID_PARAM); + final var surrogateEmail = context.getRequestParameter(Constants.LOGIN_SURROGATE_EMAIL_PARAM); + final var surrogateCustomerId = context.getRequestParameter(Constants.LOGIN_SURROGATE_CUSTOMER_ID_PARAM); boolean subrogationMode = superUserEmail.isPresent() && @@ -69,11 +69,11 @@ protected Optional internalBuild( surrogateEmail.isPresent() && surrogateCustomerId.isPresent(); - val idp = context.getRequestParameter(CommonConstants.IDP_PARAMETER); + final var idp = context.getRequestParameter(CommonConstants.IDP_PARAMETER); - val serviceUrl = casClient.computeFinalCallbackUrl(context); - val casServerLoginUrl = casClient.getConfiguration().getLoginUrl(); - val redirectionUrl = + final var serviceUrl = casClient.computeFinalCallbackUrl(context); + final var casServerLoginUrl = casClient.getConfiguration().getLoginUrl(); + final var redirectionUrl = casServerLoginUrl + (casServerLoginUrl.contains("?") ? "&" : "?") + CasProtocolConstants.PARAMETER_SERVICE + diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomOidcRevocationEndpointController.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomOidcRevocationEndpointController.java index 5862261ed41..d3a40160cfd 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomOidcRevocationEndpointController.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/web/CustomOidcRevocationEndpointController.java @@ -1,6 +1,7 @@ package fr.gouv.vitamui.cas.web; -import lombok.val; +import jakarta.servlet.http.HttpServletResponse; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.oidc.OidcConfigurationContext; import org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController; import org.apereo.cas.support.oauth.OAuth20Constants; @@ -10,21 +11,17 @@ import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken; import org.apereo.cas.util.function.FunctionUtils; import org.jooq.lambda.Unchecked; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.http.HttpStatus; import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.view.json.MappingJackson2JsonView; -import javax.servlet.http.HttpServletResponse; - /** - * Custom : Revoke token for all services without checking clientId : Global Logout + * Custom : Revoke token for all services without checking clientId : Global + * Logout */ +@Slf4j public class CustomOidcRevocationEndpointController extends OidcRevocationEndpointController { - private static final Logger LOGGER = LoggerFactory.getLogger(CustomOidcRevocationEndpointController.class); - public CustomOidcRevocationEndpointController(final OidcConfigurationContext configurationContext) { super(configurationContext); } @@ -34,20 +31,21 @@ protected ModelAndView generateRevocationResponse( final String clientId, final HttpServletResponse response ) throws Exception { - val registryToken = FunctionUtils.doAndHandle(() -> { - val state = getConfigurationContext().getTicketRegistry().getTicket(token, OAuth20Token.class); + final var registryToken = FunctionUtils.doAndHandle(() -> { + final var state = getConfigurationContext().getTicketRegistry().getTicket(token, OAuth20Token.class); return state == null || state.isExpired() ? null : state; }); if (registryToken == null) { LOGGER.error("Provided token [{}] has not been found in the ticket registry", token); } else if (isRefreshToken(registryToken) || isAccessToken(registryToken)) { /* - Custom : Don't check clientId to allow revoke token to all services (SSO) - if (!StringUtils.equals(clientId, registryToken.getClientId())) { - LOGGER.warn("Provided token [{}] has not been issued for the service [{}]", token, clientId); - return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST); - } - */ + * Custom : Don't check clientId to allow revoke token to all services (SSO) + * if (!StringUtils.equals(clientId, registryToken.getClientId())) { + * LOGGER.warn("Provided token [{}] has not been issued for the service [{}]", + * token, clientId); + * return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST); + * } + */ if (isRefreshToken(registryToken)) { revokeToken((OAuth20RefreshToken) registryToken); @@ -59,7 +57,7 @@ protected ModelAndView generateRevocationResponse( return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST); } - val mv = new ModelAndView(new MappingJackson2JsonView()); + final var mv = new ModelAndView(new MappingJackson2JsonView()); mv.setStatus(HttpStatus.OK); return mv; } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/CustomCasDelegatingWebflowEventResolver.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/CustomCasDelegatingWebflowEventResolver.java deleted file mode 100644 index 01d998addc3..00000000000 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/CustomCasDelegatingWebflowEventResolver.java +++ /dev/null @@ -1,41 +0,0 @@ -package fr.gouv.vitamui.cas.webflow; - -import org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential; -import org.apereo.cas.authentication.Credential; -import org.apereo.cas.authentication.principal.WebApplicationService; -import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver; -import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext; -import org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver; -import org.springframework.webflow.execution.Event; - -/** - * Custom webflow event resolver to handle when the x509 authn is mandatory. - */ -public class CustomCasDelegatingWebflowEventResolver extends DefaultCasDelegatingWebflowEventResolver { - - private final boolean x509AuthnMandatory; - - public CustomCasDelegatingWebflowEventResolver( - final CasWebflowEventResolutionConfigurationContext configurationContext, - final CasWebflowEventResolver selectiveResolver, - final boolean x509AuthnMandatory - ) { - super(configurationContext, selectiveResolver); - this.x509AuthnMandatory = x509AuthnMandatory; - } - - @Override - protected Event returnAuthenticationExceptionEventIfNeeded( - final Exception exception, - final Credential credential, - final WebApplicationService service - ) { - if (x509AuthnMandatory) { - if (credential instanceof X509CertificateCredential) { - throw new IllegalArgumentException("Authentication failure for mandatory X509 login"); - } - } - - return super.returnAuthenticationExceptionEventIfNeeded(exception, credential, service); - } -} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CheckMfaTokenAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CheckMfaTokenAction.java deleted file mode 100644 index d7bd8bfb873..00000000000 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CheckMfaTokenAction.java +++ /dev/null @@ -1,84 +0,0 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. - * - * contact@programmevitam.fr - * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. - * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". - * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. - * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. - * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. - */ -package fr.gouv.vitamui.cas.webflow.actions; - -import lombok.RequiredArgsConstructor; -import lombok.extern.slf4j.Slf4j; -import lombok.val; -import org.apereo.cas.mfa.simple.CasSimpleMultifactorTokenCredential; -import org.apereo.cas.mfa.simple.ticket.CasSimpleMultifactorAuthenticationTicket; -import org.apereo.cas.ticket.InvalidTicketException; -import org.apereo.cas.ticket.registry.TicketRegistry; -import org.apereo.cas.web.support.WebUtils; -import org.springframework.webflow.action.AbstractAction; -import org.springframework.webflow.execution.Event; -import org.springframework.webflow.execution.RequestContext; - -import java.time.ZonedDateTime; -import java.time.temporal.ChronoUnit; - -/** - * Check the MFA token. - */ -@RequiredArgsConstructor -@Slf4j -public class CheckMfaTokenAction extends AbstractAction { - - private final TicketRegistry ticketRegistry; - - @Override - protected Event doExecute(final RequestContext requestContext) { - val credential = WebUtils.getCredential(requestContext); - val tokenCredential = (CasSimpleMultifactorTokenCredential) credential; - val token = CasSimpleMultifactorAuthenticationTicket.PREFIX + "-" + tokenCredential.getToken(); - LOGGER.debug("Checking token: {}", token); - WebUtils.putCredential(requestContext, new CasSimpleMultifactorTokenCredential(token)); - - try { - val acct = this.ticketRegistry.getTicket(token, CasSimpleMultifactorAuthenticationTicket.class); - if (acct != null) { - val creationTime = acct.getCreationTime(); - val now_less_one_minute = ZonedDateTime.now().minus(60, ChronoUnit.SECONDS); - // considered expired after 60 seconds - if (creationTime.isBefore(now_less_one_minute)) { - return error(); - } - } - } catch (InvalidTicketException e) {} - return success(); - } -} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedAuthenticationClientLogoutAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedAuthenticationClientLogoutAction.java deleted file mode 100644 index a15acff9c51..00000000000 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedAuthenticationClientLogoutAction.java +++ /dev/null @@ -1,58 +0,0 @@ -package fr.gouv.vitamui.cas.webflow.actions; - -import fr.gouv.vitamui.cas.provider.ProvidersService; -import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; -import lombok.extern.slf4j.Slf4j; -import lombok.val; -import org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction; -import org.pac4j.core.client.Client; -import org.pac4j.core.client.Clients; -import org.pac4j.core.context.session.SessionStore; -import org.pac4j.core.profile.UserProfile; - -import java.util.Optional; - -/** - * Propagate the logout from CAS to the authn delegated server. - */ -@Slf4j -public class CustomDelegatedAuthenticationClientLogoutAction extends DelegatedAuthenticationClientLogoutAction { - - private final ProvidersService providersService; - - private final IdentityProviderHelper identityProviderHelper; - - public CustomDelegatedAuthenticationClientLogoutAction( - final Clients clients, - final SessionStore sessionStore, - final ProvidersService providersService, - final IdentityProviderHelper identityProviderHelper - ) { - super(clients, sessionStore); - this.providersService = providersService; - this.identityProviderHelper = identityProviderHelper; - } - - @Override - protected Optional findCurrentClient(final UserProfile currentProfile) { - val optClient = currentProfile == null - ? Optional.empty() - : clients.findClient(currentProfile.getClientName()); - - LOGGER.debug("optClient: {}", optClient); - if (optClient.isEmpty()) { - return Optional.empty(); - } - - val client = optClient.get(); - val provider = identityProviderHelper - .findByTechnicalName(providersService.getProviders(), client.getName()) - .get(); - LOGGER.debug("provider: {}", provider); - if (!provider.isPropagateLogout()) { - return Optional.empty(); - } - - return optClient; - } -} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomerSelectedAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomerSelectedAction.java deleted file mode 100644 index f5992588431..00000000000 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomerSelectedAction.java +++ /dev/null @@ -1,86 +0,0 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. - * - * contact@programmevitam.fr - * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. - * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". - * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. - * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. - * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. - */ -package fr.gouv.vitamui.cas.webflow.actions; - -import fr.gouv.vitamui.cas.model.CustomerModel; -import fr.gouv.vitamui.cas.util.Constants; -import lombok.RequiredArgsConstructor; -import lombok.val; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.webflow.action.AbstractAction; -import org.springframework.webflow.execution.Event; -import org.springframework.webflow.execution.RequestContext; - -import java.io.IOException; -import java.util.List; - -import static fr.gouv.vitamui.cas.webflow.configurer.CustomLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTED; - -/** - * This class persists user selected customerId into flow scope and redirect to dispatcher - */ -@RequiredArgsConstructor -public class CustomerSelectedAction extends AbstractAction { - - private static final Logger LOGGER = LoggerFactory.getLogger(CustomerSelectedAction.class); - - @Override - protected Event doExecute(final RequestContext requestContext) throws IOException { - val flowScope = requestContext.getFlowScope(); - - String loginEmail = flowScope.getRequiredString(Constants.FLOW_LOGIN_EMAIL); - String customerId = requestContext.getRequestParameters().get(Constants.SELECT_CUSTOMER_ID_PARAM); - - List customerModels = (List) flowScope.getRequired( - Constants.FLOW_LOGIN_AVAILABLE_CUSTOMER_LIST - ); - - CustomerModel customerModel = customerModels - .stream() - .filter(c -> c.getCustomerId().equals(customerId)) - .findFirst() - .orElseThrow(() -> new IllegalArgumentException("Invalid customerId '" + customerId + "'")); - - LOGGER.debug("Valid customer selected: {} for user: {}", customerModel, loginEmail); - - flowScope.put(Constants.FLOW_LOGIN_CUSTOMER_ID, customerId); - flowScope.remove(Constants.FLOW_LOGIN_AVAILABLE_CUSTOMER_LIST); - - return new Event(this, TRANSITION_TO_CUSTOMER_SELECTED); - } -} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/GeneralTerminateSessionAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/GeneralTerminateSessionAction.java deleted file mode 100644 index 6f4275f68ef..00000000000 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/GeneralTerminateSessionAction.java +++ /dev/null @@ -1,278 +0,0 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. - * - * contact@programmevitam.fr - * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. - * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". - * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. - * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. - * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. - */ -package fr.gouv.vitamui.cas.webflow.actions; - -import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.commons.rest.client.HttpContext; -import fr.gouv.vitamui.iam.client.CasRestClient; -import lombok.Getter; -import lombok.RequiredArgsConstructor; -import lombok.SneakyThrows; -import org.apache.commons.lang3.StringUtils; -import org.apereo.cas.CentralAuthenticationService; -import org.apereo.cas.authentication.Authentication; -import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult; -import org.apereo.cas.authentication.DefaultAuthenticationBuilder; -import org.apereo.cas.authentication.principal.Principal; -import org.apereo.cas.authentication.principal.Service; -import org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl; -import org.apereo.cas.configuration.CasConfigurationProperties; -import org.apereo.cas.configuration.model.core.logout.LogoutProperties; -import org.apereo.cas.logout.LogoutManager; -import org.apereo.cas.logout.SingleLogoutExecutionRequest; -import org.apereo.cas.logout.slo.SingleLogoutRequestContext; -import org.apereo.cas.logout.slo.SingleLogoutRequestExecutor; -import org.apereo.cas.services.BaseRegisteredService; -import org.apereo.cas.services.RegisteredService; -import org.apereo.cas.services.ServicesManager; -import org.apereo.cas.ticket.InvalidTicketException; -import org.apereo.cas.ticket.ServiceTicketSessionTrackingPolicy; -import org.apereo.cas.ticket.TicketGrantingTicket; -import org.apereo.cas.ticket.TicketGrantingTicketImpl; -import org.apereo.cas.ticket.expiration.NeverExpiresExpirationPolicy; -import org.apereo.cas.ticket.registry.TicketRegistry; -import org.apereo.cas.web.cookie.CasCookieBuilder; -import org.apereo.cas.web.flow.logout.TerminateSessionAction; -import org.apereo.cas.web.support.WebUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.context.ConfigurableApplicationContext; -import org.springframework.webflow.execution.Action; -import org.springframework.webflow.execution.Event; -import org.springframework.webflow.execution.RequestContext; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.util.ArrayList; -import java.util.Collection; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -import static fr.gouv.vitamui.commons.api.CommonConstants.AUTHTOKEN_ATTRIBUTE; -import static fr.gouv.vitamui.commons.api.CommonConstants.EMAIL_ATTRIBUTE; -import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE; -import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_CUSTOMER_ID_ATTRIBUTE; - -/** - * Terminate session action with custom IAM logout and fallback mechanisms (to perform a general logout). - * - * - */ -@Getter -public class GeneralTerminateSessionAction extends TerminateSessionAction { - - private static final Logger LOGGER = LoggerFactory.getLogger(GeneralTerminateSessionAction.class); - - private final Utils utils; - - private final CasRestClient casRestClient; - - private final ServicesManager servicesManager; - - private final CasConfigurationProperties casProperties; - - private final Action frontChannelLogoutAction; - - private final TicketRegistry ticketRegistry; - - private final ServiceTicketSessionTrackingPolicy serviceTicketSessionTrackingPolicy; - - public GeneralTerminateSessionAction( - final CentralAuthenticationService centralAuthenticationService, - final CasCookieBuilder ticketGrantingTicketCookieGenerator, - final CasCookieBuilder warnCookieGenerator, - final LogoutProperties logoutProperties, - final LogoutManager logoutManager, - final ConfigurableApplicationContext applicationContext, - final SingleLogoutRequestExecutor singleLogoutRequestExecutor, - final Utils utils, - final CasRestClient casRestClient, - final ServicesManager servicesManager, - final CasConfigurationProperties casProperties, - final Action frontChannelLogoutAction, - final TicketRegistry ticketRegistry, - final ServiceTicketSessionTrackingPolicy serviceTicketSessionTrackingPolicy - ) { - super( - centralAuthenticationService, - ticketGrantingTicketCookieGenerator, - warnCookieGenerator, - logoutProperties, - logoutManager, - applicationContext, - singleLogoutRequestExecutor - ); - this.utils = utils; - this.casRestClient = casRestClient; - this.servicesManager = servicesManager; - this.casProperties = casProperties; - this.frontChannelLogoutAction = frontChannelLogoutAction; - this.ticketRegistry = ticketRegistry; - this.serviceTicketSessionTrackingPolicy = serviceTicketSessionTrackingPolicy; - } - - @Override - @SneakyThrows - public Event terminate(final RequestContext context) { - final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context); - String tgtId = WebUtils.getTicketGrantingTicketId(context); - if (StringUtils.isBlank(tgtId)) { - tgtId = ticketGrantingTicketCookieGenerator.retrieveCookieValue(request); - } - - // if we found a ticket, properly log out the user in the IAM web services - TicketGrantingTicket ticket = null; - if (StringUtils.isNotBlank(tgtId)) { - try { - ticket = ticketRegistry.getTicket(tgtId, TicketGrantingTicket.class); - if (ticket != null) { - final Principal principal = ticket.getAuthentication().getPrincipal(); - final Map> attributes = principal.getAttributes(); - final String authToken = (String) utils.getAttributeValue(attributes, AUTHTOKEN_ATTRIBUTE); - final String principalEmail = (String) utils.getAttributeValue(attributes, EMAIL_ATTRIBUTE); - final String superUserEmail = (String) utils.getAttributeValue(attributes, SUPER_USER_ATTRIBUTE); - final String superUserCustomerId = (String) utils.getAttributeValue( - attributes, - SUPER_USER_CUSTOMER_ID_ATTRIBUTE - ); - - final HttpContext httpContext; - if (StringUtils.isNotBlank(superUserCustomerId)) { - httpContext = utils.buildContext(superUserEmail); - } else { - httpContext = utils.buildContext(principalEmail); - } - - LOGGER.debug( - "calling logout for authToken={} and superUser={}, superUserCustomerId={}", - authToken, - superUserEmail, - superUserCustomerId - ); - casRestClient.logout(httpContext, authToken, superUserEmail, superUserCustomerId); - } - } catch (final InvalidTicketException e) { - LOGGER.warn("No TGT found for the CAS cookie: {}", tgtId); - } - } - - final Event event = super.terminate(context); - - final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context); - // remove the idp cookie - response.addCookie(utils.buildIdpCookie(null, casProperties.getTgc())); - - // fallback cases: - // no CAS cookie -> general logout - if (tgtId == null) { - final List logoutRequests = performGeneralLogout("nocookie"); - WebUtils.putLogoutRequests(context, logoutRequests); - // no ticket or expired -> general logout - } else if (ticket == null || ticket.isExpired()) { - final List logoutRequests = performGeneralLogout(tgtId); - WebUtils.putLogoutRequests(context, logoutRequests); - } - - // if we are in the login webflow, compute the logout URLs - if ("login".equals(context.getFlowExecutionContext().getDefinition().getId())) { - LOGGER.debug("Computing front channel logout URLs"); - frontChannelLogoutAction.execute(context); - } - - return event; - } - - protected List performGeneralLogout(final String tgtId) { - try { - final Map successes = new HashMap<>(); - successes.put("fake", null); - - final Authentication authentication = new DefaultAuthenticationBuilder() - .setPrincipal(new FakePrincipal(tgtId)) - .setSuccesses(successes) - .addCredential(null) - .build(); - - final TicketGrantingTicketImpl fakeTgt = new TicketGrantingTicketImpl( - tgtId, - authentication, - new NeverExpiresExpirationPolicy() - ); - - final Collection registeredServices = servicesManager.getAllServices(); - int i = 1; - for (final RegisteredService registeredService : registeredServices) { - final String logoutUrl = ((BaseRegisteredService) registeredService).getLogoutUrl(); - if (logoutUrl != null) { - final String serviceId = logoutUrl.toString(); - final String fakeSt = "ST-fake-" + i; - final Service service = new FakeSimpleWebApplicationServiceImpl(serviceId, serviceId, fakeSt); - fakeTgt.grantServiceTicket( - fakeSt, - service, - new NeverExpiresExpirationPolicy(), - false, - serviceTicketSessionTrackingPolicy - ); - i++; - } - } - - return logoutManager.performLogout( - SingleLogoutExecutionRequest.builder().ticketGrantingTicket(fakeTgt).build() - ); - } catch (final RuntimeException e) { - LOGGER.error("Unable to perform general logout", e); - return new ArrayList<>(); - } - } - - private static class FakeSimpleWebApplicationServiceImpl extends SimpleWebApplicationServiceImpl { - - public FakeSimpleWebApplicationServiceImpl(final String id, final String originalUrl, final String artifactId) { - super(id, originalUrl, artifactId); - } - } - - @Getter - @RequiredArgsConstructor - private static class FakePrincipal implements Principal { - - private final String id; - } -} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java similarity index 84% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java index 5466a455542..2c27964ebb8 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java @@ -34,11 +34,12 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.webflow.configurer; +package fr.gouv.vitamui.cas.webflow.login; -import fr.gouv.vitamui.cas.webflow.actions.DispatcherAction; -import fr.gouv.vitamui.cas.webflow.actions.ListCustomersAction; -import fr.gouv.vitamui.cas.webflow.actions.TriggerChangePasswordAction; +import fr.gouv.vitamui.cas.webflow.login.actions.CheckSubrogationAction; +import fr.gouv.vitamui.cas.webflow.login.actions.DispatcherAction; +import fr.gouv.vitamui.cas.webflow.login.actions.ListCustomersAction; +import fr.gouv.vitamui.cas.webflow.login.actions.TriggerChangePasswordAction; import lombok.val; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; import org.apereo.cas.configuration.CasConfigurationProperties; @@ -56,12 +57,16 @@ /** * A webflow configurer: - * - to handle the change password action even if the user is already authenticated + * - to handle the change password action even if the user is already + * authenticated * - with a username page * - with an optional customer selection page * - with a password page. */ -public class CustomLoginWebflowConfigurer extends DefaultLoginWebflowConfigurer { +public class VitamLoginWebflowConfigurer extends DefaultLoginWebflowConfigurer { + + private static final String ACTION_STATE_CHECK_SUBROGATION = "checkSubrogation"; + public static final String VIEW_STATE_SUBROGATION_FORM = "casSubrogationView"; private static final String VIEW_STATE_PASSWORD_FORM = "viewPwfForm"; private static final String VIEW_STATE_LOGIN_CUSTOMER_FORM = "viewStateCustomerForm"; @@ -82,7 +87,7 @@ public class CustomLoginWebflowConfigurer extends DefaultLoginWebflowConfigurer public static final String PASSWORD = "password"; public static final String CUSTOMER_ID = "customerId"; - public CustomLoginWebflowConfigurer( + public VitamLoginWebflowConfigurer( final FlowBuilderServices flowBuilderServices, final FlowDefinitionRegistry flowDefinitionRegistry, final ConfigurableApplicationContext applicationContext, @@ -91,6 +96,27 @@ public CustomLoginWebflowConfigurer( super(flowBuilderServices, flowDefinitionRegistry, applicationContext, casProperties); } + private void createCheckSubrogationAction(final Flow flow) { + val action = createActionState(flow, ACTION_STATE_CHECK_SUBROGATION, "checkSubrogationAction"); + createTransitionForState(action, CheckSubrogationAction.SUBROGATION, VIEW_STATE_SUBROGATION_FORM); + createTransitionForState( + action, + CheckSubrogationAction.PROCEED, + CasWebflowConstants.STATE_ID_GATEWAY_REQUEST_CHECK + ); + createSubrogationFormView(flow); + } + + protected void createSubrogationFormView(final Flow flow) { + var propertiesToBind = Map.of(USERNAME, Map.of("required", "false")); + var binder = createStateBinderConfiguration(propertiesToBind); + + var state = createViewState(flow, VIEW_STATE_SUBROGATION_FORM, TEMPLATE_EMAIL_FORM, binder); + createStateModelBinding(state, CasWebflowConstants.VAR_ID_CREDENTIAL, UsernamePasswordCredential.class); + + createTransitionForState(state, CasWebflowConstants.TRANSITION_ID_SUBMIT, ACTION_STATE_INTERMEDIATE_SUBMIT); + } + @Override protected void createTicketGrantingTicketCheckAction(final Flow flow) { val action = createActionState( @@ -98,16 +124,23 @@ protected void createTicketGrantingTicketCheckAction(final Flow flow) { CasWebflowConstants.STATE_ID_TICKET_GRANTING_TICKET_CHECK, CasWebflowConstants.ACTION_ID_TICKET_GRANTING_TICKET_CHECK ); + + // CUSTO: instead of STATE_ID_GATEWAY_REQUEST_CHECK, send to ACTION_STATE_CHECK_SUBROGATION createTransitionForState( action, CasWebflowConstants.TRANSITION_ID_TICKET_GRANTING_TICKET_NOT_EXISTS, - CasWebflowConstants.STATE_ID_GATEWAY_REQUEST_CHECK + ACTION_STATE_CHECK_SUBROGATION ); + + createCheckSubrogationAction(flow); + // + createTransitionForState( action, CasWebflowConstants.TRANSITION_ID_TICKET_GRANTING_TICKET_INVALID, CasWebflowConstants.STATE_ID_TERMINATE_SESSION ); + // CUSTO: instead of STATE_ID_HAS_SERVICE_CHECK, send to STATE_ID_TRIGGER_CHANGE_PASSWORD createTransitionForState( action, @@ -142,7 +175,7 @@ protected void createLoginFormView(final Flow flow) { val binder = createStateBinderConfiguration(propertiesToBind); val state = createViewState(flow, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM, TEMPLATE_EMAIL_FORM, binder); - state.getRenderActionList().add(createEvaluateAction(CasWebflowConstants.ACTION_ID_RENDER_LOGIN_FORM)); + state.getRenderActionList().add(createEvaluateAction(CasWebflowConstants.ACTION_ID_INIT_LOGIN_ACTION)); createStateModelBinding(state, CasWebflowConstants.VAR_ID_CREDENTIAL, UsernamePasswordCredential.class); // CUSTO: CasWebflowConstants.STATE_ID_REAL_SUBMIT becomes ACTION_STATE_LIST_CUSTOMERS @@ -187,7 +220,7 @@ protected void createPwdFormView(final Flow flow) { val binder = createStateBinderConfiguration(propertiesToBind); val state = createViewState(flow, VIEW_STATE_PASSWORD_FORM, TEMPLATE_PASSWORD_FORM, binder); - state.getRenderActionList().add(createEvaluateAction(CasWebflowConstants.ACTION_ID_RENDER_LOGIN_FORM)); + state.getRenderActionList().add(createEvaluateAction(CasWebflowConstants.ACTION_ID_INIT_LOGIN_ACTION)); createStateModelBinding(state, CasWebflowConstants.VAR_ID_CREDENTIAL, UsernamePasswordCredential.class); val transition = createTransitionForState( diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CheckSubrogationAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CheckSubrogationAction.java new file mode 100644 index 00000000000..72a059d0925 --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CheckSubrogationAction.java @@ -0,0 +1,129 @@ +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) + * + * contact.vitam@culture.gouv.fr + * + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. + * + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". + * + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. + * + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. + * + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. + */ + +package fr.gouv.vitamui.cas.webflow.login.actions; + +import fr.gouv.vitamui.cas.util.Constants; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.CustomerDto; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang3.StringUtils; +import org.springframework.webflow.action.AbstractAction; +import org.springframework.webflow.execution.Event; +import org.springframework.webflow.execution.RequestContext; + +import java.util.List; +import java.util.regex.Pattern; + +/** + * Action to check if subrogation parameters are present in the request. + * If present, it populates the flow scope and returns 'subrogation'. + * Otherwise, it returns 'proceed'. + */ +@Slf4j +@RequiredArgsConstructor +public class CheckSubrogationAction extends AbstractAction { + + public static final String SUBROGATION = "subrogation"; + public static final String PROCEED = "proceed"; + + private static final Pattern EMAIL_VALID_REGEXP = Pattern.compile( + "^[_A-Za-z0-9]+(((\\.|-)[_A-Za-z0-9]+))*@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)*(\\.[A-Za-z]{2,})$" + ); + private static final Pattern CUSTOMER_ID_VALIDATION_PATTERN = Pattern.compile("^\\w+$"); + + private final CasApi casApi; + + @Override + protected Event doExecute(RequestContext context) { + String surrogateEmail = context.getRequestParameters().get(Constants.LOGIN_SURROGATE_EMAIL_PARAM); + String surrogateCustomerId = context.getRequestParameters().get(Constants.LOGIN_SURROGATE_CUSTOMER_ID_PARAM); + String superUserEmail = context.getRequestParameters().get(Constants.LOGIN_SUPER_USER_EMAIL_PARAM); + String superUserCustomerId = context.getRequestParameters().get(Constants.LOGIN_SUPER_USER_CUSTOMER_ID_PARAM); + + if (StringUtils.isNoneBlank(surrogateEmail, surrogateCustomerId, superUserEmail, superUserCustomerId)) { + try { + validateEmail(surrogateEmail); + validateEmail(superUserEmail); + validateCustomerId(surrogateCustomerId); + validateCustomerId(superUserCustomerId); + + LOGGER.debug( + "Subrogation parameters validated: surrogateEmail={}, surrogateCustomerId={}, superUserEmail={}, superUserCustomerId={}", + surrogateEmail, + surrogateCustomerId, + superUserEmail, + superUserCustomerId + ); + + var flowScope = context.getFlowScope(); + flowScope.put(Constants.FLOW_SURROGATE_EMAIL, surrogateEmail); + flowScope.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, surrogateCustomerId); + flowScope.put(Constants.FLOW_LOGIN_EMAIL, superUserEmail); + flowScope.put(Constants.FLOW_LOGIN_CUSTOMER_ID, superUserCustomerId); + + // Fetch surrogate customer info for display in subrogation validation mire + CustomerDto surrogateCustomer = casApi + .getCustomersByIds(List.of(surrogateCustomerId)) + .stream() + .findFirst() + .orElseThrow( + () -> new IllegalArgumentException("Invalid surrogateCustomerId: '" + surrogateCustomerId + "'") + ); + + flowScope.put(Constants.SHOW_SURROGATE_CUSTOMER_CODE, surrogateCustomer.getCode()); + flowScope.put(Constants.SHOW_SURROGATE_CUSTOMER_NAME, surrogateCustomer.getName()); + + return new Event(this, SUBROGATION); + } catch (Exception e) { + LOGGER.error("Validation of subrogation parameters failed", e); + // If validation fails, we treat it as a normal login request + } + } + + return new Event(this, PROCEED); + } + + private void validateEmail(String email) { + if (email == null) { + throw new IllegalArgumentException("Null email"); + } + if (!EMAIL_VALID_REGEXP.matcher(email).matches()) { + throw new IllegalArgumentException("email : '" + email + "' format is not allowed"); + } + } + + private void validateCustomerId(String customerId) { + if (customerId == null) { + throw new IllegalArgumentException("Null customerId"); + } + if (!CUSTOMER_ID_VALIDATION_PATTERN.matcher(customerId).matches()) { + throw new IllegalArgumentException("Invalid customerId: '" + customerId + "'"); + } + } +} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedClientAuthenticationAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomDelegatedClientAuthenticationAction.java similarity index 71% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedClientAuthenticationAction.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomDelegatedClientAuthenticationAction.java index 40ec0b991cc..aa731cfd31d 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedClientAuthenticationAction.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomDelegatedClientAuthenticationAction.java @@ -1,49 +1,39 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; -import fr.gouv.vitamui.cas.provider.Pac4jClientIdentityProviderDto; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.Pac4jClientIdentityProviderDto; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.iam.client.CasRestClient; import fr.gouv.vitamui.iam.common.dto.CustomerDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.apereo.cas.authentication.SurrogateUsernamePasswordCredential; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; @@ -55,8 +45,6 @@ import org.apereo.cas.web.flow.DelegatedClientAuthenticationWebflowManager; import org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction; import org.apereo.cas.web.support.WebUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.webflow.execution.Event; import org.springframework.webflow.execution.RequestContext; @@ -72,12 +60,11 @@ * - extraction of the username/surrogate passed as a request parameter * - save the portalUrl in the webflow. */ +@Slf4j public class CustomDelegatedClientAuthenticationAction extends DelegatedClientAuthenticationAction { public static final Pattern CUSTOMER_ID_VALIDATION_PATTERN = Pattern.compile("^[_a-z0-9]+$"); - private static final Logger LOGGER = LoggerFactory.getLogger(CustomDelegatedClientAuthenticationAction.class); - private final IdentityProviderHelper identityProviderHelper; private final ProvidersService providersService; @@ -86,7 +73,7 @@ public class CustomDelegatedClientAuthenticationAction extends DelegatedClientAu private final TicketRegistry ticketRegistry; - private final CasRestClient casRestClient; + private final CasApi casApi; private final String vitamuiPortalUrl; @@ -98,7 +85,7 @@ public CustomDelegatedClientAuthenticationAction( final ProvidersService providersService, final Utils utils, final TicketRegistry ticketRegistry, - final CasRestClient casRestClient, + final CasApi casApi, final String vitamuiPortalUrl ) { super(configContext, delegatedClientAuthenticationWebflowManager, failureEvaluator); @@ -106,23 +93,24 @@ public CustomDelegatedClientAuthenticationAction( this.providersService = providersService; this.utils = utils; this.ticketRegistry = ticketRegistry; - this.casRestClient = casRestClient; + this.casApi = casApi; this.vitamuiPortalUrl = vitamuiPortalUrl; } @Override - public Event doExecute(final RequestContext context) { + protected Event doExecuteInternal(final RequestContext context) { // save a label in the webflow - val flowScope = context.getFlowScope(); + final var flowScope = context.getFlowScope(); flowScope.put(Constants.PORTAL_URL, vitamuiPortalUrl); - // retrieve the service if it exists to prepare the serviceUrl parameter (for the back links) - val service = WebUtils.getService(context); + // retrieve the service if it exists to prepare the serviceUrl parameter (for + // the back links) + final var service = WebUtils.getService(context); if (service != null) { flowScope.put("serviceUrl", service.getOriginalUrl()); } - val event = super.doExecute(context); + final var event = super.doExecuteInternal(context); if (CasWebflowConstants.TRANSITION_ID_GENERATE.equals(event.getId())) { // extract and parse username String username = context.getRequestParameters().get(Constants.LOGIN_USER_EMAIL_PARAM); @@ -162,8 +150,8 @@ public Event doExecute(final RequestContext context) { credential.setSurrogateUsername(surrogateEmail); WebUtils.putCredential(context, credential); - CustomerDto surrogateCustomer = casRestClient - .getCustomersByIds(utils.buildContext(surrogateEmail), List.of(surrogateCustomerId)) + CustomerDto surrogateCustomer = casApi + .getCustomersByIds(List.of(surrogateCustomerId)) .stream() .findFirst() .orElseThrow( @@ -179,12 +167,12 @@ public Event doExecute(final RequestContext context) { } // get the idp if it exists - val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context); - val idp = utils.getIdpValue(request); + final var request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context); + final var idp = utils.getIdpValue(request); LOGGER.debug("Provided idp: {}", idp); if (StringUtils.isNotBlank(idp)) { TicketGrantingTicket tgt = null; - val tgtId = WebUtils.getTicketGrantingTicketId(context); + final var tgtId = WebUtils.getTicketGrantingTicketId(context); if (tgtId != null) { tgt = ticketRegistry.getTicket(tgtId, TicketGrantingTicket.class); } @@ -192,11 +180,14 @@ public Event doExecute(final RequestContext context) { // if no authentication if (tgt == null || tgt.isExpired()) { // if it matches an existing IdP, save it and redirect - val optProvider = identityProviderHelper.findByTechnicalName(providersService.getProviders(), idp); + final var optProvider = identityProviderHelper.findByTechnicalName( + providersService.getProviders(), + idp + ); if (optProvider.isPresent()) { - val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context); + final var response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context); response.addCookie(utils.buildIdpCookie(idp, configContext.getCasProperties().getTgc())); - val client = ((Pac4jClientIdentityProviderDto) optProvider.get()).getClient(); + final var client = ((Pac4jClientIdentityProviderDto) optProvider.get()).getClient(); LOGGER.debug("Force redirect to the SAML IdP: {}", client.getName()); try { return utils.performClientRedirection(this, client, context); diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomerSelectedAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomerSelectedAction.java new file mode 100644 index 00000000000..50ff32f68d1 --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomerSelectedAction.java @@ -0,0 +1,74 @@ +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) + * + * contact.vitam@culture.gouv.fr + * + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. + * + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". + * + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. + * + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. + * + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. + */ +package fr.gouv.vitamui.cas.webflow.login.actions; + +import fr.gouv.vitamui.cas.model.CustomerModel; +import fr.gouv.vitamui.cas.util.Constants; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.springframework.webflow.action.AbstractAction; +import org.springframework.webflow.execution.Event; +import org.springframework.webflow.execution.RequestContext; + +import java.io.IOException; +import java.util.List; + +import static fr.gouv.vitamui.cas.webflow.login.VitamLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTED; + +/** + * This class persists user selected customerId into flow scope and redirect to + * dispatcher + */ +@Slf4j +@RequiredArgsConstructor +public class CustomerSelectedAction extends AbstractAction { + + @Override + protected Event doExecute(final RequestContext requestContext) throws IOException { + var flowScope = requestContext.getFlowScope(); + + String loginEmail = flowScope.getRequiredString(Constants.FLOW_LOGIN_EMAIL); + String customerId = requestContext.getRequestParameters().get(Constants.SELECT_CUSTOMER_ID_PARAM); + + List customerModels = (List) flowScope.getRequired( + Constants.FLOW_LOGIN_AVAILABLE_CUSTOMER_LIST + ); + + CustomerModel customerModel = customerModels + .stream() + .filter(c -> c.getCustomerId().equals(customerId)) + .findFirst() + .orElseThrow(() -> new IllegalArgumentException("Invalid customerId '" + customerId + "'")); + + LOGGER.debug("Valid customer selected: {} for user: {}", customerModel, loginEmail); + + flowScope.put(Constants.FLOW_LOGIN_CUSTOMER_ID, customerId); + flowScope.remove(Constants.FLOW_LOGIN_AVAILABLE_CUSTOMER_LIST); + + return new Event(this, TRANSITION_TO_CUSTOMER_SELECTED); + } +} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/DispatcherAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/DispatcherAction.java similarity index 73% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/DispatcherAction.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/DispatcherAction.java index 096f1244ef8..dd0fd10784f 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/DispatcherAction.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/DispatcherAction.java @@ -1,58 +1,46 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; -import fr.gouv.vitamui.cas.provider.Pac4jClientIdentityProviderDto; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.Pac4jClientIdentityProviderDto; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.commons.api.ParameterChecker; import fr.gouv.vitamui.commons.api.domain.UserDto; import fr.gouv.vitamui.commons.api.enums.UserStatusEnum; -import fr.gouv.vitamui.iam.client.CasRestClient; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; +import fr.gouv.vitamui.iam.openapiclient.CasApi; import lombok.RequiredArgsConstructor; -import lombok.val; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.web.support.WebUtils; import org.pac4j.core.context.session.SessionStore; import org.pac4j.jee.context.JEEContext; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.webflow.action.AbstractAction; import org.springframework.webflow.core.collection.MutableAttributeMap; import org.springframework.webflow.execution.Event; @@ -63,12 +51,15 @@ /** * This class can dispatch the user: - * - either to customer selection page (if user have multiple accounts for different customers) + * - either to customer selection page (if user have multiple accounts for + * different customers) * - or to the password page * - or to an external IdP (authentication delegation) - * - or to the bad configuration page if the user is not linked to any identity provider + * - or to the bad configuration page if the user is not linked to any identity + * provider * - or to the disabled account page if the user is disabled. */ +@Slf4j @RequiredArgsConstructor public class DispatcherAction extends AbstractAction { @@ -76,13 +67,11 @@ public class DispatcherAction extends AbstractAction { public static final String BAD_CONFIGURATION = "badConfiguration"; public static final String TRANSITION_SELECT_CUSTOMER = "selectCustomer"; - private static final Logger LOGGER = LoggerFactory.getLogger(DispatcherAction.class); - private final ProvidersService providersService; private final IdentityProviderHelper identityProviderHelper; - private final CasRestClient casRestClient; + private final CasApi casApi; private final Utils utils; @@ -90,7 +79,7 @@ public class DispatcherAction extends AbstractAction { @Override protected Event doExecute(final RequestContext requestContext) throws IOException { - val flowScope = requestContext.getFlowScope(); + var flowScope = requestContext.getFlowScope(); if (isSubrogationMode(flowScope)) { return processSubrogationRequest(requestContext, flowScope); @@ -167,9 +156,9 @@ private Event dispatchUser( } var identityProviderDto = providerOpt.get(); - val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); - val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext); - val webContext = new JEEContext(request, response); + var request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); + var response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext); + var webContext = new JEEContext(request, response); if (identityProviderDto.getInternal()) { sessionStore.set(webContext, Constants.FLOW_LOGIN_EMAIL, null); @@ -203,15 +192,15 @@ private Event dispatchUser( private boolean ensureUserIsEnabled(String email, String customerId) { UserDto userDto = - this.casRestClient.getUserByEmailAndCustomerId( - utils.buildContext(email), - email, - customerId, - Optional.empty() - ); + this.casApi.getUsersByEmail(email, null) + .stream() + .filter(user -> user.getCustomerId().equals(customerId)) + .findFirst() + .orElse(null); if (userDto == null) { // To avoid account existence disclosure, unknown users are silently ignored. - // Once they enter their credentials, they will get a generic "login or password invalid" error message. + // Once they enter their credentials, they will get a generic "login or password + // invalid" error message. return false; } return (userDto.getStatus() != UserStatusEnum.ENABLED); diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/I18NSendPasswordResetInstructionsAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/I18NSendPasswordResetInstructionsAction.java similarity index 69% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/I18NSendPasswordResetInstructionsAction.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/I18NSendPasswordResetInstructionsAction.java index 93b39ca8d9e..3e6888008f1 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/I18NSendPasswordResetInstructionsAction.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/I18NSendPasswordResetInstructionsAction.java @@ -1,53 +1,45 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; import com.fasterxml.jackson.databind.ObjectMapper; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.model.UserLoginModel; -import fr.gouv.vitamui.cas.pm.PmMessageToSend; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.password.PmMessageToSend; import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; -import lombok.val; +import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.apereo.cas.audit.AuditActionResolvers; import org.apereo.cas.audit.AuditResourceResolvers; import org.apereo.cas.audit.AuditableActions; +import org.apereo.cas.authentication.AuthenticationSystemSupport; +import org.apereo.cas.authentication.MultifactorAuthenticationProviderSelector; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; import org.apereo.cas.authentication.principal.PrincipalResolver; import org.apereo.cas.configuration.CasConfigurationProperties; @@ -62,8 +54,7 @@ import org.apereo.cas.ticket.registry.TicketRegistry; import org.apereo.cas.web.support.WebUtils; import org.apereo.inspektr.audit.annotation.Audit; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import org.springframework.context.ApplicationContext; import org.springframework.context.HierarchicalMessageSource; import org.springframework.context.i18n.LocaleContextHolder; import org.springframework.util.LinkedMultiValueMap; @@ -76,10 +67,9 @@ /** * Send reset password emails with i18n messages. */ +@Slf4j public class I18NSendPasswordResetInstructionsAction extends SendPasswordResetInstructionsAction { - private static final Logger LOGGER = LoggerFactory.getLogger(I18NSendPasswordResetInstructionsAction.class); - private final HierarchicalMessageSource messageSource; private final ProvidersService providersService; @@ -100,6 +90,9 @@ public I18NSendPasswordResetInstructionsAction( final TicketFactory ticketFactory, final PrincipalResolver principalResolver, final PasswordResetUrlBuilder passwordResetUrlBuilder, + final MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector, + final AuthenticationSystemSupport authenticationSystemSupport, + final ApplicationContext applicationContext, final HierarchicalMessageSource messageSource, final ProvidersService providersService, final IdentityProviderHelper identityProviderHelper, @@ -113,7 +106,10 @@ public I18NSendPasswordResetInstructionsAction( ticketRegistry, ticketFactory, principalResolver, - passwordResetUrlBuilder + passwordResetUrlBuilder, + multifactorAuthenticationProviderSelector, + authenticationSystemSupport, + applicationContext ); this.messageSource = messageSource; this.providersService = providersService; @@ -130,18 +126,25 @@ public I18NSendPasswordResetInstructionsAction( resourceResolverName = AuditResourceResolvers.REQUEST_CHANGE_PASSWORD_RESOURCE_RESOLVER ) @Override - protected Event doExecute(final RequestContext requestContext) throws Exception { + protected Event doExecuteInternal(final RequestContext requestContext) throws Exception { if (!communicationsManager.isMailSenderDefined() && !communicationsManager.isSmsSenderDefined()) { return getErrorEvent("contact.failed", "Unable to send email as no mail sender is defined", requestContext); } - val query = buildPasswordManagementQuery(requestContext); + var query = buildPasswordManagementQuery(requestContext); - val email = passwordManagementService.findEmail(query); - val service = WebUtils.getService(requestContext); + String email; + try { + email = passwordManagementService.findEmail(query); + } catch (final Throwable e) { + LOGGER.error("Error finding email", e); + return getErrorEvent("contact.failed", "Error finding email", requestContext); + } + var service = WebUtils.getService(requestContext); final String customerId = (String) query.getRecord().getFirst(Constants.RESET_PWD_CUSTOMER_ID_ATTR); - // CUSTO: only retrieve email (and not phone) and force success event (instead of error) when failure + // CUSTO: only retrieve email (and not phone) and force success event (instead + // of error) when failure if (StringUtils.isBlank(email) || customerId == null) { LOGGER.warn("No recipient is provided; nonetheless, we return to the success page"); return success(); @@ -152,25 +155,32 @@ protected Event doExecute(final RequestContext requestContext) throws Exception return success(); } - // Hack: Encode loginEmail+loginCustomerId pair into a json-serialized UserLoginModel as we are not able to - // persist 2 separate fields. + // Hack: Encode loginEmail+loginCustomerId pair into a json-serialized + // UserLoginModel as we are not able to + // persist 2 separate fields. UserLoginModel userLoginModel = new UserLoginModel(); userLoginModel.setUserEmail(email); userLoginModel.setCustomerId(customerId); String userLoginModelToToken = objectMapper.writeValueAsString(userLoginModel); - val url = buildPasswordResetUrl(userLoginModelToToken, service); + URL url; + try { + url = buildPasswordResetUrl(userLoginModelToToken, service); + } catch (final Throwable e) { + LOGGER.error("Error building password reset URL", e); + return getErrorEvent("contact.failed", "Error building password reset URL", requestContext); + } if (url != null) { - val pm = casProperties.getAuthn().getPm(); - val duration = Beans.newDuration(pm.getReset().getExpiration()); + var pm = casProperties.getAuthn().getPm(); + var duration = Beans.newDuration(pm.getReset().getExpiration()); LOGGER.debug( "Generated password reset URL [{}]; Link is only active for the next [{}] minute(s)", url, duration ); // CUSTO: only send email (and not SMS) - val sendEmail = sendPasswordResetEmailToAccount(email, url); + var sendEmail = sendPasswordResetEmailToAccount(email, url); if (sendEmail.isSuccess()) { return success(url); } @@ -187,14 +197,14 @@ protected Event doExecute(final RequestContext requestContext) throws Exception @Override protected PasswordManagementQuery buildPasswordManagementQuery(final RequestContext requestContext) { - val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); + var request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); final MutableAttributeMap flowScope = requestContext.getFlowScope(); - // CUSTO: try to get the username from the credentials also (after a password expiration) + // CUSTO: try to get the username from the credentials also (after a password + // expiration) String username = request.getParameter(REQUEST_PARAMETER_USERNAME); if (StringUtils.isBlank(username)) { final Object credential = flowScope.get("credential"); - if (credential instanceof UsernamePasswordCredential) { - final UsernamePasswordCredential usernamePasswordCredential = (UsernamePasswordCredential) credential; + if (credential instanceof UsernamePasswordCredential usernamePasswordCredential) { username = usernamePasswordCredential.getUsername(); } } @@ -212,12 +222,12 @@ protected PasswordManagementQuery buildPasswordManagementQuery(final RequestCont LinkedMultiValueMap records = new LinkedMultiValueMap<>(); records.add(Constants.RESET_PWD_CUSTOMER_ID_ATTR, loginCustomerId); - val builder = PasswordManagementQuery.builder(); + var builder = PasswordManagementQuery.builder(); return builder.username(username).record(records).build(); } private EmailCommunicationResult sendPasswordResetEmailToAccount(final String to, final URL url) { - val duration = Beans.newDuration(casProperties.getAuthn().getPm().getReset().getExpiration()); + var duration = Beans.newDuration(casProperties.getAuthn().getPm().getReset().getExpiration()); final PmMessageToSend messageToSend = PmMessageToSend.buildMessage( messageSource, diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/ListCustomersAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/ListCustomersAction.java similarity index 71% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/ListCustomersAction.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/ListCustomersAction.java index 25d1810863c..70747e2ac48 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/ListCustomersAction.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/ListCustomersAction.java @@ -1,98 +1,90 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.model.CustomerModel; -import fr.gouv.vitamui.cas.provider.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; -import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.commons.api.ParameterChecker; import fr.gouv.vitamui.commons.api.domain.CustomerIdDto; -import fr.gouv.vitamui.commons.api.domain.UserDto; -import fr.gouv.vitamui.iam.client.CasRestClient; -import fr.gouv.vitamui.iam.common.dto.CustomerDto; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; -import lombok.RequiredArgsConstructor; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.CustomerDto; +import fr.gouv.vitamui.iam.openapiclient.domain.UserDto; +import jakarta.validation.constraints.NotNull; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; import org.apereo.cas.web.support.WebUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.webflow.action.AbstractAction; import org.springframework.webflow.core.collection.MutableAttributeMap; import org.springframework.webflow.execution.Event; import org.springframework.webflow.execution.RequestContext; -import javax.validation.constraints.NotNull; import java.io.IOException; import java.util.Comparator; import java.util.List; import java.util.Optional; import java.util.stream.Collectors; -import static fr.gouv.vitamui.cas.webflow.configurer.CustomLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTED; -import static fr.gouv.vitamui.cas.webflow.configurer.CustomLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTION_VIEW; +import static fr.gouv.vitamui.cas.webflow.login.VitamLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTED; +import static fr.gouv.vitamui.cas.webflow.login.VitamLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTION_VIEW; /** * This class lists users matching provided login email: - * - if subrogation mode : customerId is already provided in scope ==> continue to dispatcher * - if a single user is found ==> continue to dispatcher * - if multiple users found ==> redirect to customer selection page - * - if no user found : act as if it exists (to avoid account existence disclosure) + * - if no user found : act as if it exists (to avoid account existence + * disclosure) */ -@RequiredArgsConstructor +@Slf4j public class ListCustomersAction extends AbstractAction { public static final String BAD_CONFIGURATION = "badConfiguration"; - private static final Logger LOGGER = LoggerFactory.getLogger(ListCustomersAction.class); - private final ProvidersService providersService; private final IdentityProviderHelper identityProviderHelper; - private final CasRestClient casRestClient; + private final CasApi casApi; - private final Utils utils; + public ListCustomersAction( + final ProvidersService providersService, + final IdentityProviderHelper identityProviderHelper, + final CasApi casApi + ) { + this.providersService = providersService; + this.identityProviderHelper = identityProviderHelper; + this.casApi = casApi; + } @Override protected Event doExecute(final RequestContext requestContext) throws IOException { - val flowScope = requestContext.getFlowScope(); + var flowScope = requestContext.getFlowScope(); if (isSubrogationMode(flowScope)) { return processSubrogationRequest(flowScope); @@ -151,21 +143,23 @@ private Event processEmailInput(RequestContext requestContext, MutableAttributeM LOGGER.debug("User provided login of '{}'", username); - List existingUsersList = getUsers(username); + List existingUsersList = casApi.getUsersByEmail(username, null); - if (existingUsersList.size() == 1) { - return processSingleUserForInputEmail(flowScope, username, existingUsersList.get(0)); - } else if (existingUsersList.isEmpty()) { - // To avoid account existence disclosure, unknown users are silently ignored. - // Once they enter their credentials, they will get a generic "login or password invalid" error message. - return processNoUserFoundMatchingInputEmail(flowScope, username); - } else { + if (existingUsersList.size() > 1) { return processMultipleUsersForInputEmail(flowScope, username, existingUsersList); + } else if (!existingUsersList.isEmpty()) { + return processSingleUserForInputEmail(flowScope, username, existingUsersList.getFirst()); } + + // To avoid account existence disclosure, unknown users are silently ignored. + // Once they enter their credentials, they will get a generic "login or password + // invalid" error message. + return processNoUserFoundMatchingInputEmail(flowScope, username); } private Event processSingleUserForInputEmail(MutableAttributeMap flowScope, String username, UserDto user) { - // Ensure user has a proper Identity Provided configured, and redirect to dispatcher... + // Ensure user has a proper Identity Provided configured, and redirect to + // dispatcher... LOGGER.debug("A single user matched provided login of '{}': {}", username, user); String customerId = user.getCustomerId(); @@ -201,7 +195,11 @@ private Event processNoUserFoundMatchingInputEmail(MutableAttributeMap f username ); // User not found, but email domain matches existing provider - return handleSingleAuthenticationProvider(flowScope, username, identityProviders.get(0).getCustomerId()); + return handleSingleAuthenticationProvider( + flowScope, + username, + identityProviders.getFirst().getCustomerId() + ); } List availableCustomerIds = identityProviders @@ -265,10 +263,7 @@ private Event handleMultipleAuthenticationProviders( availableCustomerIds ); - List customers = casRestClient.getCustomersByIds( - utils.buildContext(username), - availableCustomerIds - ); + List customers = casApi.getCustomersByIds(availableCustomerIds); LOGGER.debug("Available customers: {}", customers); @@ -291,10 +286,6 @@ private Event handleMultipleAuthenticationProviders( return new Event(this, TRANSITION_TO_CUSTOMER_SELECTION_VIEW); } - private List getUsers(String email) { - return casRestClient.getUsersByEmail(utils.buildContext(email), email, Optional.empty()); - } - private static boolean isSubrogationMode(MutableAttributeMap flowScope) { return flowScope.contains(Constants.FLOW_SURROGATE_EMAIL); } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/TriggerChangePasswordAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordAction.java similarity index 55% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/TriggerChangePasswordAction.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordAction.java index c89b39162c1..e6cb3cc439f 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/TriggerChangePasswordAction.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordAction.java @@ -1,66 +1,55 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.commons.api.CommonConstants; import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; import org.apereo.cas.authentication.principal.Principal; -import org.apereo.cas.pm.web.flow.PasswordManagementWebflowConfigurer; import org.apereo.cas.ticket.registry.TicketRegistrySupport; import org.apereo.cas.web.support.WebUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.webflow.action.AbstractAction; import org.springframework.webflow.execution.Event; import org.springframework.webflow.execution.RequestContext; import org.springframework.webflow.execution.RequestContextHolder; +import static org.apereo.cas.pm.PasswordManagementService.PARAMETER_DO_CHANGE_PASSWORD; + /** * Check if the password change must be started, even authenticated. * * */ +@Slf4j @RequiredArgsConstructor public class TriggerChangePasswordAction extends AbstractAction { - private static final Logger LOGGER = LoggerFactory.getLogger(TriggerChangePasswordAction.class); - public static final String EVENT_ID_CHANGE_PASSWORD = "changePassword"; public static final String EVENT_ID_CONTINUE = "continue"; @@ -69,9 +58,7 @@ public class TriggerChangePasswordAction extends AbstractAction { private final Utils utils; protected Event doExecute(final RequestContext context) { - final String doChangePassword = context - .getRequestParameters() - .get(PasswordManagementWebflowConfigurer.DO_CHANGE_PASSWORD_PARAMETER); + final String doChangePassword = context.getRequestParameters().get(PARAMETER_DO_CHANGE_PASSWORD); LOGGER.debug("doChangePassword: {}", doChangePassword); if (doChangePassword != null) { // we force to change the password and as the user is already authenticated, diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomCasSimpleMultifactorWebflowConfigurer.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/VitamMfaWebflowConfigurer.java similarity index 90% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomCasSimpleMultifactorWebflowConfigurer.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/VitamMfaWebflowConfigurer.java index 82279d7cf77..42442981cba 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomCasSimpleMultifactorWebflowConfigurer.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/VitamMfaWebflowConfigurer.java @@ -34,9 +34,8 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.webflow.configurer; +package fr.gouv.vitamui.cas.webflow.mfa; -import lombok.val; import org.apereo.cas.configuration.CasConfigurationProperties; import org.apereo.cas.mfa.simple.CasSimpleMultifactorTokenCredential; import org.apereo.cas.util.CollectionUtils; @@ -54,7 +53,7 @@ /** * Custom webflow for simple MFA. */ -public class CustomCasSimpleMultifactorWebflowConfigurer extends AbstractCasMultifactorWebflowConfigurer { +public class VitamMfaWebflowConfigurer extends AbstractCasMultifactorWebflowConfigurer { /** * Webflow event id. @@ -62,7 +61,7 @@ public class CustomCasSimpleMultifactorWebflowConfigurer extends AbstractCasMult public static final String MFA_SIMPLE_EVENT_ID = "mfa-simple"; public static final String TEMPLATE_SIMPLE_MFA_LOGIN = "simple-mfa/casSimpleMfaLoginView"; - public CustomCasSimpleMultifactorWebflowConfigurer( + public VitamMfaWebflowConfigurer( final FlowBuilderServices flowBuilderServices, final FlowDefinitionRegistry loginFlowDefinitionRegistry, final FlowDefinitionRegistry flowDefinitionRegistry, @@ -83,11 +82,11 @@ public CustomCasSimpleMultifactorWebflowConfigurer( @Override protected void doInitialize() { multifactorAuthenticationFlowDefinitionRegistries.forEach(registry -> { - val flow = getFlow(registry, MFA_SIMPLE_EVENT_ID); + var flow = getFlow(registry, MFA_SIMPLE_EVENT_ID); createFlowVariable(flow, CasWebflowConstants.VAR_ID_CREDENTIAL, CasSimpleMultifactorTokenCredential.class); flow.getStartActionList().add(createEvaluateAction(CasWebflowConstants.ACTION_ID_INITIAL_FLOW_SETUP)); - val initLoginFormState = createActionState( + var initLoginFormState = createActionState( flow, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, createEvaluateAction(CasWebflowConstants.ACTION_ID_INIT_LOGIN_ACTION) @@ -101,7 +100,7 @@ protected void doInitialize() { createEndState(flow, CasWebflowConstants.STATE_ID_SUCCESS); createEndState(flow, CasWebflowConstants.STATE_ID_UNAVAILABLE); - val sendSimpleToken = createActionState( + var sendSimpleToken = createActionState( flow, CasWebflowConstants.STATE_ID_SIMPLE_MFA_SEND_TOKEN, CasWebflowConstants.ACTION_ID_MFA_SIMPLE_SEND_TOKEN @@ -121,13 +120,13 @@ protected void doInitialize() { createViewState(flow, "missingPhone", "casSmsMissingPhoneView"); // - val setPrincipalAction = createSetAction( + var setPrincipalAction = createSetAction( "viewScope.principal", "conversationScope.authentication.principal" ); - val propertiesToBind = CollectionUtils.wrapList("token"); - val binder = createStateBinderConfiguration(propertiesToBind); - val viewLoginFormState = createViewState( + var propertiesToBind = CollectionUtils.wrapList("token"); + var binder = createStateBinderConfiguration(propertiesToBind); + var viewLoginFormState = createViewState( flow, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM, TEMPLATE_SIMPLE_MFA_LOGIN, @@ -140,7 +139,8 @@ protected void doInitialize() { ); viewLoginFormState.getEntryActionList().add(setPrincipalAction); - // CUSTO: instead of CasWebflowConstants.STATE_ID_REAL_SUBMIT, send to intermediateSubmit + // CUSTO: instead of CasWebflowConstants.STATE_ID_REAL_SUBMIT, send to + // intermediateSubmit createTransitionForState( viewLoginFormState, CasWebflowConstants.TRANSITION_ID_SUBMIT, @@ -156,7 +156,7 @@ protected void doInitialize() { ); // CUSTO: - val intermediateSubmit = createActionState( + var intermediateSubmit = createActionState( flow, "intermediateSubmit", createEvaluateAction("checkMfaTokenAction") @@ -167,7 +167,7 @@ protected void doInitialize() { CasWebflowConstants.STATE_ID_REAL_SUBMIT ); createTransitionForState(intermediateSubmit, CasWebflowConstants.TRANSITION_ID_ERROR, "codeExpired"); - val codeExpired = createViewState(flow, "codeExpired", "casSmsCodeExpiredView"); + var codeExpired = createViewState(flow, "codeExpired", "casSmsCodeExpiredView"); createTransitionForState( codeExpired, CasWebflowConstants.TRANSITION_ID_RESEND, @@ -175,7 +175,7 @@ protected void doInitialize() { ); // - val realSubmitState = createActionState( + var realSubmitState = createActionState( flow, CasWebflowConstants.STATE_ID_REAL_SUBMIT, createEvaluateAction(CasWebflowConstants.ACTION_ID_OTP_AUTHENTICATION_ACTION) diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CheckMfaTokenAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CheckMfaTokenAction.java new file mode 100644 index 00000000000..5e80eb04f23 --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CheckMfaTokenAction.java @@ -0,0 +1,73 @@ +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) + * + * contact.vitam@culture.gouv.fr + * + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. + * + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". + * + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. + * + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. + * + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. + */ +package fr.gouv.vitamui.cas.webflow.mfa.actions; + +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.apereo.cas.mfa.simple.CasSimpleMultifactorTokenCredential; +import org.apereo.cas.mfa.simple.ticket.CasSimpleMultifactorAuthenticationTicket; +import org.apereo.cas.ticket.InvalidTicketException; +import org.apereo.cas.ticket.registry.TicketRegistry; +import org.apereo.cas.web.support.WebUtils; +import org.springframework.webflow.action.AbstractAction; +import org.springframework.webflow.execution.Event; +import org.springframework.webflow.execution.RequestContext; + +import java.time.ZonedDateTime; +import java.time.temporal.ChronoUnit; + +/** + * Check the MFA token. + */ +@Slf4j +@RequiredArgsConstructor +public class CheckMfaTokenAction extends AbstractAction { + + private final TicketRegistry ticketRegistry; + + @Override + protected Event doExecute(final RequestContext requestContext) { + var credential = WebUtils.getCredential(requestContext); + var tokenCredential = (CasSimpleMultifactorTokenCredential) credential; + var token = CasSimpleMultifactorAuthenticationTicket.PREFIX + "-" + tokenCredential.getToken(); + LOGGER.debug("Checking token: {}", token); + WebUtils.putCredential(requestContext, new CasSimpleMultifactorTokenCredential(token)); + + try { + var acct = this.ticketRegistry.getTicket(token, CasSimpleMultifactorAuthenticationTicket.class); + if (acct != null) { + var creationTime = acct.getCreationTime(); + var now_less_one_minute = ZonedDateTime.now().minus(60, ChronoUnit.SECONDS); + // considered expired after 60 seconds + if (creationTime.isBefore(now_less_one_minute)) { + return error(); + } + } + } catch (InvalidTicketException e) {} + return success(); + } +} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomSendTokenAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CustomSendTokenAction.java similarity index 59% rename from cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomSendTokenAction.java rename to cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CustomSendTokenAction.java index f4a366b7a14..b930661eca0 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/CustomSendTokenAction.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CustomSendTokenAction.java @@ -1,44 +1,33 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.mfa.actions; import fr.gouv.vitamui.cas.util.Utils; import lombok.extern.slf4j.Slf4j; -import lombok.val; import org.apereo.cas.bucket4j.consumer.BucketConsumer; import org.apereo.cas.configuration.model.support.mfa.simple.CasSimpleMultifactorAuthenticationProperties; import org.apereo.cas.mfa.simple.CasSimpleMultifactorTokenCommunicationStrategy; @@ -81,13 +70,13 @@ public CustomSendTokenAction( } @Override - protected Event doExecute(final RequestContext requestContext) throws Exception { - val authentication = WebUtils.getInProgressAuthentication(); - val principal = resolvePrincipal(authentication.getPrincipal()); + protected Event doExecuteInternal(final RequestContext requestContext) { + var authentication = WebUtils.getInProgressAuthentication(); + var principal = resolvePrincipal(authentication.getPrincipal(), requestContext); // check for a principal attribute and redirect to a custom page when missing - val principalAttributes = principal.getAttributes(); - val mobile = (String) utils.getAttributeValue(principalAttributes, "mobile"); + var principalAttributes = principal.getAttributes(); + var mobile = (String) utils.getAttributeValue(principalAttributes, "mobile"); if (mobile == null) { requestContext.getFlowScope().put("firstname", utils.getAttributeValue(principalAttributes, "firstname")); return getEventFactorySupport().event(this, "missingPhone"); @@ -96,7 +85,7 @@ protected Event doExecute(final RequestContext requestContext) throws Exception // remove token WebUtils.removeSimpleMultifactorAuthenticationToken(requestContext); - val event = super.doExecute(requestContext); + var event = super.doExecuteInternal(requestContext); // add the obfuscated phone to the webflow in case of success if (CasWebflowConstants.TRANSITION_ID_SUCCESS.equals(event.getId())) { diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/resolver/CustomCasDelegatingWebflowEventResolver.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/resolver/CustomCasDelegatingWebflowEventResolver.java deleted file mode 100644 index 26cd0e98658..00000000000 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/resolver/CustomCasDelegatingWebflowEventResolver.java +++ /dev/null @@ -1,45 +0,0 @@ -package fr.gouv.vitamui.cas.webflow.resolver; - -import org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential; -import org.apereo.cas.authentication.Credential; -import org.apereo.cas.authentication.principal.WebApplicationService; -import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver; -import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext; -import org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver; -import org.springframework.webflow.execution.Event; - -/** - * Custom event resolver to block when the x509 authn is mandatory. - */ -public class CustomCasDelegatingWebflowEventResolver extends DefaultCasDelegatingWebflowEventResolver { - - private final boolean x509AuthnMandatory; - - public CustomCasDelegatingWebflowEventResolver( - final CasWebflowEventResolutionConfigurationContext configurationContext, - final CasWebflowEventResolver selectiveResolver, - final boolean x509AuthnMandatory - ) { - super(configurationContext, selectiveResolver); - this.x509AuthnMandatory = x509AuthnMandatory; - } - - @Override - protected Event returnAuthenticationExceptionEventIfNeeded( - final Exception exception, - final Credential credential, - final WebApplicationService service - ) { - // - // CUSTO - if (x509AuthnMandatory) { - if (credential instanceof X509CertificateCredential) { - throw new IllegalArgumentException("Authentication failure for mandatory X509 login"); - } - } - // - // - - return super.returnAuthenticationExceptionEventIfNeeded(exception, credential, service); - } -} diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/CertificateParser.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/CertificateParser.java index f8b37a3c902..0cd0af2f0bb 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/CertificateParser.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/CertificateParser.java @@ -36,7 +36,6 @@ */ package fr.gouv.vitamui.cas.x509; -import lombok.val; import org.apache.commons.lang.StringUtils; import org.cryptacular.x509.GeneralNameType; @@ -54,14 +53,14 @@ private CertificateParser() {} public static String extract(final X509Certificate cert, final X509AttributeMapping mapping) throws CertificateParsingException { - val name = mapping.getName(); + final var name = mapping.getName(); String value = null; if (X509CertificateAttributes.ISSUER_DN.name().equalsIgnoreCase(name)) { value = cert.getIssuerDN().getName(); } else if (X509CertificateAttributes.SUBJECT_DN.name().equalsIgnoreCase(name)) { value = cert.getSubjectDN().getName(); } else if (X509CertificateAttributes.SUBJECT_ALTERNATE_NAME.name().equalsIgnoreCase(name)) { - val altNames = cert.getSubjectAlternativeNames(); + final var altNames = cert.getSubjectAlternativeNames(); final StringBuilder subjectAltNamesBuilder = new StringBuilder(); if (altNames != null && altNames.size() > 0) { for (final var attribute : altNames) { @@ -80,13 +79,13 @@ public static String extract(final X509Certificate cert, final X509AttributeMapp if (value == null) { throw new CertificateParsingException("Cannot find X509 value for: " + name); } - val parsing = mapping.getParsing(); - val expansion = mapping.getExpansion(); + var parsing = mapping.getParsing(); + var expansion = mapping.getExpansion(); if (StringUtils.isNotBlank(parsing)) { - val pattern = Pattern.compile(parsing); - val matcher = pattern.matcher(value); + var pattern = Pattern.compile(parsing); + var matcher = pattern.matcher(value); if (matcher.matches()) { - val groupCount = matcher.groupCount(); + var groupCount = matcher.groupCount(); if (groupCount == 0) { throw new CertificateParsingException("Parsing fails for X509 value: " + value); } diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/CustomRequestHeaderX509CertificateExtractor.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/CustomRequestHeaderX509CertificateExtractor.java index a88a9840a46..2b0eb315e90 100644 --- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/CustomRequestHeaderX509CertificateExtractor.java +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/CustomRequestHeaderX509CertificateExtractor.java @@ -1,46 +1,36 @@ -/** - * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020) - * and the signatories of the "VITAM - Accord du Contributeur" agreement. +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) * - * contact@programmevitam.fr + * contact.vitam@culture.gouv.fr * - * This software is a computer program whose purpose is to implement - * implement a digital archiving front-office system for the secure and - * efficient high volumetry VITAM solution. + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. * - * This software is governed by the CeCILL-C license under French law and - * abiding by the rules of distribution of free software. You can use, - * modify and/ or redistribute the software under the terms of the CeCILL-C - * license as circulated by CEA, CNRS and INRIA at the following URL - * "http://www.cecill.info". + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". * - * As a counterpart to the access to the source code and rights to copy, - * modify and redistribute granted by the license, users are provided only - * with a limited warranty and the software's author, the holder of the - * economic rights, and the successive licensors have only limited - * liability. + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. * - * In this respect, the user's attention is drawn to the risks associated - * with loading, using, modifying and/or developing or reproducing the - * software by the user in light of its specific status of free software, - * that may mean that it is complicated to manipulate, and that also - * therefore means that it is reserved for developers and experienced - * professionals having in-depth computer knowledge. Users are therefore - * encouraged to load and test the software's suitability as regards their - * requirements in conditions enabling the security of their systems and/or - * data to be ensured and, more generally, to use and operate it in the - * same conditions as regards security. + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. * - * The fact that you are presently reading this means that you have had - * knowledge of the CeCILL-C license and that you accept its terms. + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. */ package fr.gouv.vitamui.cas.x509; +import jakarta.servlet.http.HttpServletRequest; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.apereo.cas.adaptors.x509.authentication.X509CertificateExtractor; -import javax.servlet.http.HttpServletRequest; import java.io.ByteArrayInputStream; import java.net.URLDecoder; import java.nio.charset.StandardCharsets; diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/X509CasDelegatingWebflowEventResolver.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/X509CasDelegatingWebflowEventResolver.java new file mode 100644 index 00000000000..370d2237855 --- /dev/null +++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/x509/X509CasDelegatingWebflowEventResolver.java @@ -0,0 +1,70 @@ +/* + * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022) + * + * contact.vitam@culture.gouv.fr + * + * This software is a computer program whose purpose is to implement a digital archiving back-office system managing + * high volumetry securely and efficiently. + * + * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free + * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as + * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info". + * + * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license, + * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the + * successive licensors have only limited liability. + * + * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or + * developing or reproducing the software by the user in light of its specific status of free software, that may mean + * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and + * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the + * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data + * to be ensured and, more generally, to use and operate it in the same conditions as regards security. + * + * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you + * accept its terms. + */ + +package fr.gouv.vitamui.cas.x509; + +import org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential; +import org.apereo.cas.authentication.Credential; +import org.apereo.cas.authentication.principal.Service; +import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver; +import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext; +import org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver; +import org.springframework.webflow.execution.Event; +import org.springframework.webflow.execution.RequestContext; + +import java.util.List; + +/** Custom webflow event resolver to handle when the x509 authn is mandatory. */ +public class X509CasDelegatingWebflowEventResolver extends DefaultCasDelegatingWebflowEventResolver { + + private final boolean x509AuthnMandatory; + + public X509CasDelegatingWebflowEventResolver( + final CasWebflowEventResolutionConfigurationContext configurationContext, + final CasWebflowEventResolver selectiveResolver, + final boolean x509AuthnMandatory + ) { + super(configurationContext, selectiveResolver); + this.x509AuthnMandatory = x509AuthnMandatory; + } + + @Override + protected Event buildEventFromException( + final Throwable exception, + final RequestContext requestContext, + final List credential, + final Service service + ) { + if (x509AuthnMandatory) { + if (credential != null && credential.stream().anyMatch(X509CertificateCredential.class::isInstance)) { + throw new IllegalArgumentException("Authentication failure for mandatory X509 login"); + } + } + + return super.buildEventFromException(exception, requestContext, credential, service); + } +} diff --git a/cas/cas-server/src/main/java/org/apereo/cas/authentication/SurrogateUsernamePasswordCredential.java b/cas/cas-server/src/main/java/org/apereo/cas/authentication/SurrogateUsernamePasswordCredential.java new file mode 100644 index 00000000000..0e709de642b --- /dev/null +++ b/cas/cas-server/src/main/java/org/apereo/cas/authentication/SurrogateUsernamePasswordCredential.java @@ -0,0 +1,12 @@ +package org.apereo.cas.authentication; + +import lombok.Getter; +import lombok.Setter; +import org.apereo.cas.authentication.credential.UsernamePasswordCredential; + +@Getter +@Setter +public class SurrogateUsernamePasswordCredential extends UsernamePasswordCredential { + + private String surrogateUsername; +} diff --git a/cas/cas-server/src/main/java/org/apereo/cas/config/CasFiltersConfiguration.java b/cas/cas-server/src/main/java/org/apereo/cas/config/CasFiltersConfiguration.java deleted file mode 100644 index 70c93d7d345..00000000000 --- a/cas/cas-server/src/main/java/org/apereo/cas/config/CasFiltersConfiguration.java +++ /dev/null @@ -1,254 +0,0 @@ -package org.apereo.cas.config; - -import lombok.val; -import org.apache.commons.lang3.BooleanUtils; -import org.apache.commons.lang3.StringUtils; -import org.apereo.cas.audit.AuditableExecution; -import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan; -import org.apereo.cas.configuration.CasConfigurationProperties; -import org.apereo.cas.configuration.features.CasFeatureModule; -import org.apereo.cas.services.ServicesManager; -import org.apereo.cas.services.web.support.RegisteredServiceCorsConfigurationSource; -import org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter; -import org.apereo.cas.util.CollectionUtils; -import org.apereo.cas.util.spring.beans.BeanCondition; -import org.apereo.cas.util.spring.beans.BeanSupplier; -import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled; -import org.apereo.cas.web.support.ArgumentExtractor; -import org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter; -import org.apereo.cas.web.support.filters.AbstractSecurityFilter; -import org.apereo.cas.web.support.filters.AddResponseHeadersFilter; -import org.apereo.cas.web.support.filters.RequestParameterPolicyEnforcementFilter; -import org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter; -import org.springframework.beans.factory.ObjectProvider; -import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.boot.autoconfigure.AutoConfiguration; -import org.springframework.boot.autoconfigure.AutoConfigureAfter; -import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; -import org.springframework.boot.context.properties.EnableConfigurationProperties; -import org.springframework.boot.web.servlet.FilterRegistrationBean; -import org.springframework.cloud.context.config.annotation.RefreshScope; -import org.springframework.context.ConfigurableApplicationContext; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.context.annotation.ScopedProxyMode; -import org.springframework.web.cors.CorsConfigurationSource; -import org.springframework.web.filter.CharacterEncodingFilter; -import org.springframework.web.filter.CorsFilter; - -import java.util.HashMap; - -/** - * To be removed when upgrading to CAS v6.6.5. - */ -@EnableConfigurationProperties(CasConfigurationProperties.class) -@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.WebApplication) -@AutoConfiguration -public class CasFiltersConfiguration { - - @Configuration(value = "CasFiltersEncodingConfiguration", proxyBeanMethods = false) - @EnableConfigurationProperties(CasConfigurationProperties.class) - public static class CasFiltersBaseConfiguration { - - @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - @Bean - public FilterRegistrationBean characterEncodingFilter( - final CasConfigurationProperties casProperties - ) { - val bean = new FilterRegistrationBean(); - val web = casProperties.getHttpWebRequest().getWeb(); - bean.setFilter(new CharacterEncodingFilter(web.getEncoding(), web.isForceEncoding())); - bean.setUrlPatterns(CollectionUtils.wrap("/*")); - bean.setName("characterEncodingFilter"); - bean.setAsyncSupported(true); - return bean; - } - - @Bean - @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - public FilterRegistrationBean< - AuthenticationCredentialsThreadLocalBinderClearingFilter - > currentCredentialsAndAuthenticationClearingFilter() { - val bean = new FilterRegistrationBean(); - bean.setFilter(new AuthenticationCredentialsThreadLocalBinderClearingFilter()); - bean.setUrlPatterns(CollectionUtils.wrap("/*")); - bean.setName("currentCredentialsAndAuthenticationClearingFilter"); - bean.setAsyncSupported(true); - return bean; - } - } - - @Configuration(value = "CasFiltersResponseHeadersConfiguration", proxyBeanMethods = false) - @EnableConfigurationProperties(CasConfigurationProperties.class) - @AutoConfigureAfter(CasCoreServicesConfiguration.class) - public static class CasFiltersResponseHeadersConfiguration { - - @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - @Bean - public FilterRegistrationBean responseHeadersFilter( - final CasConfigurationProperties casProperties - ) { - val bean = new FilterRegistrationBean(); - val filter = new AddResponseHeadersFilter(); - filter.setHeadersMap(casProperties.getHttpWebRequest().getCustomHeaders()); - bean.setFilter(filter); - bean.setUrlPatterns(CollectionUtils.wrap("/*")); - bean.setName("responseHeadersFilter"); - bean.setAsyncSupported(true); - return bean; - } - - @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - @Bean - public FilterRegistrationBean responseHeadersSecurityFilter( - final CasConfigurationProperties casProperties, - @Qualifier(ArgumentExtractor.BEAN_NAME) final ObjectProvider argumentExtractor, - @Qualifier(ServicesManager.BEAN_NAME) final ObjectProvider servicesManager, - @Qualifier(AuditableExecution.AUDITABLE_EXECUTION_REGISTERED_SERVICE_ACCESS) final ObjectProvider< - AuditableExecution - > registeredServiceAccessStrategyEnforcer, - @Qualifier(AuthenticationServiceSelectionPlan.BEAN_NAME) final ObjectProvider< - AuthenticationServiceSelectionPlan - > authenticationRequestServiceSelectionStrategies - ) { - val header = casProperties.getHttpWebRequest().getHeader(); - val initParams = new HashMap(); - initParams.put( - ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_CACHE_CONTROL, - BooleanUtils.toStringTrueFalse(header.isCache()) - ); - initParams.put( - ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_XCONTENT_OPTIONS, - BooleanUtils.toStringTrueFalse(header.isXcontent()) - ); - initParams.put( - ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_STRICT_TRANSPORT_SECURITY, - BooleanUtils.toStringTrueFalse(header.isHsts()) - ); - initParams.put( - ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_STRICT_XFRAME_OPTIONS, - BooleanUtils.toStringTrueFalse(header.isXframe()) - ); - initParams.put( - ResponseHeadersEnforcementFilter.INIT_PARAM_STRICT_XFRAME_OPTIONS, - header.getXframeOptions() - ); - initParams.put( - ResponseHeadersEnforcementFilter.INIT_PARAM_ENABLE_XSS_PROTECTION, - BooleanUtils.toStringTrueFalse(header.isXss()) - ); - initParams.put(ResponseHeadersEnforcementFilter.INIT_PARAM_XSS_PROTECTION, header.getXssOptions()); - initParams.put( - ResponseHeadersEnforcementFilter.INIT_PARAM_CACHE_CONTROL_STATIC_RESOURCES, - header.getCacheControlStaticResources() - ); - if (StringUtils.isNotBlank(header.getContentSecurityPolicy())) { - initParams.put( - ResponseHeadersEnforcementFilter.INIT_PARAM_CONTENT_SECURITY_POLICY, - header.getContentSecurityPolicy() - ); - } - val bean = new FilterRegistrationBean(); - bean.setFilter( - new RegisteredServiceResponseHeadersEnforcementFilter( - servicesManager, - argumentExtractor, - authenticationRequestServiceSelectionStrategies, - registeredServiceAccessStrategyEnforcer - ) - ); - bean.setUrlPatterns(CollectionUtils.wrap("/*")); - bean.setInitParameters(initParams); - bean.setName("responseHeadersSecurityFilter"); - bean.setAsyncSupported(true); - bean.setEnabled(casProperties.getHttpWebRequest().getHeader().isEnabled()); - return bean; - } - - @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - @Bean - public FilterRegistrationBean requestParameterSecurityFilter( - final CasConfigurationProperties casProperties - ) { - val httpWebRequest = casProperties.getHttpWebRequest(); - val initParams = new HashMap(); - if (StringUtils.isNotBlank(httpWebRequest.getParamsToCheck())) { - initParams.put( - RequestParameterPolicyEnforcementFilter.PARAMETERS_TO_CHECK, - httpWebRequest.getParamsToCheck() - ); - } - initParams.put( - RequestParameterPolicyEnforcementFilter.CHARACTERS_TO_FORBID, - httpWebRequest.getCharactersToForbid() - ); - initParams.put( - RequestParameterPolicyEnforcementFilter.ALLOW_MULTI_VALUED_PARAMETERS, - BooleanUtils.toStringTrueFalse(httpWebRequest.isAllowMultiValueParameters()) - ); - initParams.put( - RequestParameterPolicyEnforcementFilter.ONLY_POST_PARAMETERS, - httpWebRequest.getOnlyPostParams() - ); - initParams.put(AbstractSecurityFilter.THROW_ON_ERROR, Boolean.TRUE.toString()); - - if (StringUtils.isNotBlank(httpWebRequest.getPatternToBlock())) { - initParams.put( - RequestParameterPolicyEnforcementFilter.PATTERN_TO_BLOCK, - httpWebRequest.getPatternToBlock() - ); - } - - val bean = new FilterRegistrationBean(); - bean.setFilter(new RequestParameterPolicyEnforcementFilter()); - bean.setUrlPatterns(CollectionUtils.wrap("/*")); - bean.setName("requestParameterSecurityFilter"); - bean.setInitParameters(initParams); - bean.setAsyncSupported(true); - return bean; - } - } - - @Configuration(value = "CasFiltersCorsConfiguration", proxyBeanMethods = false) - public static class CasFiltersCorsConfiguration { - - private static final BeanCondition CONDITION = BeanCondition.on("cas.http-web-request.cors.enabled").isTrue(); - - @Bean - @ConditionalOnMissingBean(name = "corsHttpWebRequestConfigurationSource") - @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - public CorsConfigurationSource corsHttpWebRequestConfigurationSource( - final ConfigurableApplicationContext applicationContext, - final CasConfigurationProperties casProperties, - @Qualifier(ArgumentExtractor.BEAN_NAME) final ArgumentExtractor argumentExtractor, - @Qualifier(ServicesManager.BEAN_NAME) final ServicesManager servicesManager - ) { - return BeanSupplier.of(CorsConfigurationSource.class) - .when(CONDITION.given(applicationContext.getEnvironment())) - .supply( - () -> - new RegisteredServiceCorsConfigurationSource(casProperties, servicesManager, argumentExtractor) - ) - .otherwiseProxy() - .get(); - } - - @Bean - // CUSTO: - @ConditionalOnMissingBean(name = "casCorsFilter") - @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT) - public FilterRegistrationBean casCorsFilter( - final CasConfigurationProperties casProperties, - @Qualifier( - "corsHttpWebRequestConfigurationSource" - ) final CorsConfigurationSource corsHttpWebRequestConfigurationSource - ) { - val bean = new FilterRegistrationBean<>(new CorsFilter(corsHttpWebRequestConfigurationSource)); - bean.setName("casCorsFilter"); - bean.setAsyncSupported(true); - bean.setOrder(0); - bean.setEnabled(casProperties.getHttpWebRequest().getCors().isEnabled()); - return bean; - } - } -} diff --git a/cas/cas-server/src/main/java/org/apereo/cas/configuration/model/support/sms/SmsModeProperties.java b/cas/cas-server/src/main/java/org/apereo/cas/configuration/model/support/sms/SmsModeProperties.java deleted file mode 100644 index 173a1ec5f2b..00000000000 --- a/cas/cas-server/src/main/java/org/apereo/cas/configuration/model/support/sms/SmsModeProperties.java +++ /dev/null @@ -1,63 +0,0 @@ -package org.apereo.cas.configuration.model.support.sms; - -import com.fasterxml.jackson.annotation.JsonFilter; -import lombok.Getter; -import lombok.Setter; -import lombok.experimental.Accessors; -import org.apereo.cas.configuration.support.RequiredProperty; -import org.apereo.cas.configuration.support.RequiresModule; - -import java.io.Serializable; -import java.util.HashMap; -import java.util.Map; - -/** - * This is {@link SmsModeProperties}. - * Custom : add proxy url - to be removed at the next CAS version upgrade - * @author Jérôme Rautureau - * @since 6.5.0 - */ -@RequiresModule(name = "cas-server-support-sms-smsmode") -@Getter -@Setter -@Accessors(chain = true) -@JsonFilter("SmsModeProperties") -public class SmsModeProperties implements Serializable { - - private static final long serialVersionUID = -4185702036613030013L; - - /** - * Secure token used to establish a handshake with the service. - */ - @RequiredProperty - private String accessToken; - - /** - * Query attribute name for the message. - */ - private String messageAttribute = "message"; - - /** - * Query attribute name for the to field. - */ - private String toAttribute = "numero"; - - /** - * URL to contact and send messages (GET only). - */ - @RequiredProperty - private String url = "https://api.smsmode.com/http/1.6/sendSMS.do"; - - /** - * Headers, defined as a Map, to include in the request when making the HTTP call. - * Will overwrite any header that CAS is pre-defined to - * send and include in the request. Key in the map should be the header name - * and the value in the map should be the header value. - */ - private Map headers = new HashMap<>(); - - /** - * URL of the proxy (if defined). - */ - private String proxyUrl; -} diff --git a/cas/cas-server/src/main/java/org/apereo/cas/mfa/simple/web/flow/CasSimpleMultifactorSendTokenAction.java b/cas/cas-server/src/main/java/org/apereo/cas/mfa/simple/web/flow/CasSimpleMultifactorSendTokenAction.java deleted file mode 100644 index ef14c8e94f4..00000000000 --- a/cas/cas-server/src/main/java/org/apereo/cas/mfa/simple/web/flow/CasSimpleMultifactorSendTokenAction.java +++ /dev/null @@ -1,219 +0,0 @@ -package org.apereo.cas.mfa.simple.web.flow; - -import lombok.RequiredArgsConstructor; -import lombok.extern.slf4j.Slf4j; -import lombok.val; -import org.apache.commons.lang3.StringUtils; -import org.apereo.cas.authentication.Authentication; -import org.apereo.cas.authentication.CoreAuthenticationUtils; -import org.apereo.cas.authentication.principal.Principal; -import org.apereo.cas.bucket4j.consumer.BucketConsumer; -import org.apereo.cas.configuration.model.support.mfa.simple.CasSimpleMultifactorAuthenticationProperties; -import org.apereo.cas.mfa.simple.CasSimpleMultifactorAuthenticationProvider; -import org.apereo.cas.mfa.simple.CasSimpleMultifactorTokenCommunicationStrategy; -import org.apereo.cas.mfa.simple.ticket.CasSimpleMultifactorAuthenticationTicket; -import org.apereo.cas.mfa.simple.validation.CasSimpleMultifactorAuthenticationService; -import org.apereo.cas.notifications.CommunicationsManager; -import org.apereo.cas.notifications.mail.EmailCommunicationResult; -import org.apereo.cas.notifications.mail.EmailMessageBodyBuilder; -import org.apereo.cas.notifications.mail.EmailMessageRequest; -import org.apereo.cas.notifications.sms.SmsBodyBuilder; -import org.apereo.cas.notifications.sms.SmsRequest; -import org.apereo.cas.ticket.Ticket; -import org.apereo.cas.web.flow.CasWebflowConstants; -import org.apereo.cas.web.flow.actions.AbstractMultifactorAuthenticationAction; -import org.apereo.cas.web.support.WebUtils; -import org.jooq.lambda.Unchecked; -import org.springframework.web.servlet.support.RequestContextUtils; -import org.springframework.webflow.action.EventFactorySupport; -import org.springframework.webflow.core.collection.LocalAttributeMap; -import org.springframework.webflow.execution.Event; -import org.springframework.webflow.execution.RequestContext; - -import java.util.Map; -import java.util.Optional; - -/** - * To be removed when upgrading to CAS version >= 6.6.3. - */ -@Slf4j -@RequiredArgsConstructor -public class CasSimpleMultifactorSendTokenAction - extends AbstractMultifactorAuthenticationAction { - - private static final String MESSAGE_MFA_TOKEN_SENT = "cas.mfa.simple.label.tokensent"; - - private final CommunicationsManager communicationsManager; - - private final CasSimpleMultifactorAuthenticationService multifactorAuthenticationService; - - private final CasSimpleMultifactorAuthenticationProperties properties; - - private final CasSimpleMultifactorTokenCommunicationStrategy tokenCommunicationStrategy; - - private final BucketConsumer bucketConsumer; - - protected boolean isSmsSent( - final CommunicationsManager communicationsManager, - final CasSimpleMultifactorAuthenticationProperties properties, - final Principal principal, - final Ticket tokenTicket, - final RequestContext requestContext - ) { - if (communicationsManager.isSmsSenderDefined()) { - val smsProperties = properties.getSms(); - val token = tokenTicket.getId(); - // CUSTO: - val tokenWithoutPrefix = token.substring(CasSimpleMultifactorAuthenticationTicket.PREFIX.length() + 1); - val smsText = StringUtils.isNotBlank(smsProperties.getText()) - ? SmsBodyBuilder.builder() - .properties(smsProperties) - .parameters(Map.of("token", token, "tokenWithoutPrefix", tokenWithoutPrefix)) - .build() - .get() - : token; - - val smsRequest = SmsRequest.builder() - .from(smsProperties.getFrom()) - .principal(principal) - .attribute(smsProperties.getAttributeName()) - .text(smsText) - .build(); - return communicationsManager.sms(smsRequest); - } - return false; - } - - /** - * Send an email. - * - * @param communicationsManager the communication manager - * @param properties the properties - * @param principal the principal - * @param tokenTicket the token - * @param requestContext the request context - * @return whether the email has been sent. - */ - protected EmailCommunicationResult isMailSent( - final CommunicationsManager communicationsManager, - final CasSimpleMultifactorAuthenticationProperties properties, - final Principal principal, - final Ticket tokenTicket, - final RequestContext requestContext - ) { - if (communicationsManager.isMailSenderDefined()) { - val mailProperties = properties.getMail(); - val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); - val parameters = CoreAuthenticationUtils.convertAttributeValuesToObjects(principal.getAttributes()); - - val token = tokenTicket.getId(); - val tokenWithoutPrefix = token.substring(CasSimpleMultifactorAuthenticationTicket.PREFIX.length() + 1); - parameters.put("token", token); - // CUSTO: - parameters.put("tokenWithoutPrefix", tokenWithoutPrefix); - - val locale = Optional.ofNullable(RequestContextUtils.getLocaleResolver(request)).map( - resolver -> resolver.resolveLocale(request) - ); - val body = EmailMessageBodyBuilder.builder() - .properties(mailProperties) - .locale(locale) - .parameters(parameters) - .build() - .get(); - val emailRequest = EmailMessageRequest.builder() - .emailProperties(mailProperties) - .principal(principal) - .attribute(mailProperties.getAttributeName()) - .body(body) - .build(); - return communicationsManager.email(emailRequest); - } - return EmailCommunicationResult.builder().build(); - } - - protected boolean isNotificationSent( - final CommunicationsManager communicationsManager, - final Principal principal, - final Ticket token - ) { - return ( - communicationsManager.isNotificationSenderDefined() && - communicationsManager.notify(principal, "Apereo CAS Token", String.format("Token: %s", token.getId())) - ); - } - - @Override - protected Event doPreExecute(final RequestContext requestContext) throws Exception { - val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext); - val authentication = WebUtils.getInProgressAuthentication(); - val result = bucketConsumer.consume(getThrottledRequestKeyFor(authentication)); - result.getHeaders().forEach(response::addHeader); - return result.isConsumed() ? super.doPreExecute(requestContext) : error(); - } - - @Override - protected Event doExecute(final RequestContext requestContext) throws Exception { - val authentication = WebUtils.getInProgressAuthentication(); - val principal = resolvePrincipal(authentication.getPrincipal()); - val token = getOrCreateToken(requestContext, principal); - LOGGER.debug("Using token [{}] created at [{}]", token.getId(), token.getCreationTime()); - - val strategy = tokenCommunicationStrategy.determineStrategy(token); - val smsSent = - strategy.contains(CasSimpleMultifactorTokenCommunicationStrategy.TokenSharingStrategyOptions.SMS) && - isSmsSent(communicationsManager, properties, principal, token, requestContext); - - val emailSent = - strategy.contains(CasSimpleMultifactorTokenCommunicationStrategy.TokenSharingStrategyOptions.EMAIL) && - isMailSent(communicationsManager, properties, principal, token, requestContext).isSuccess(); - - val notificationSent = - strategy.contains( - CasSimpleMultifactorTokenCommunicationStrategy.TokenSharingStrategyOptions.NOTIFICATION - ) && - isNotificationSent(communicationsManager, principal, token); - - if (smsSent || emailSent || notificationSent) { - multifactorAuthenticationService.store(token); - LOGGER.debug("Successfully submitted token via strategy option [{}] to [{}]", strategy, principal.getId()); - WebUtils.addInfoMessageToContext(requestContext, MESSAGE_MFA_TOKEN_SENT); - val attributes = new LocalAttributeMap("token", token.getId()); - WebUtils.putSimpleMultifactorAuthenticationToken(requestContext, token); - return new EventFactorySupport().event(this, CasWebflowConstants.TRANSITION_ID_SUCCESS, attributes); - } - LOGGER.error("Communication strategies failed to submit token [{}] to user", token.getId()); - return error(); - } - - /** - * Get or create a token. - * - * @param requestContext the request context - * @param principal the principal - * @return the token - */ - protected CasSimpleMultifactorAuthenticationTicket getOrCreateToken( - final RequestContext requestContext, - final Principal principal - ) { - val currentToken = WebUtils.getSimpleMultifactorAuthenticationToken( - requestContext, - CasSimpleMultifactorAuthenticationTicket.class - ); - return Optional.ofNullable(currentToken) - .filter(token -> !token.isExpired()) - .orElseGet( - Unchecked.supplier(() -> { - WebUtils.removeSimpleMultifactorAuthenticationToken(requestContext); - val service = WebUtils.getService(requestContext); - return multifactorAuthenticationService.generate(principal, service); - }) - ); - } - - private String getThrottledRequestKeyFor(final Authentication authentication) { - val principal = resolvePrincipal(authentication.getPrincipal()); - return principal.getId(); - } -} diff --git a/cas/cas-server/src/main/java/org/apereo/cas/oidc/web/controllers/token/CustomOidcRevocationEndpointController.java b/cas/cas-server/src/main/java/org/apereo/cas/oidc/web/controllers/token/CustomOidcRevocationEndpointController.java deleted file mode 100644 index fb772ef3eaf..00000000000 --- a/cas/cas-server/src/main/java/org/apereo/cas/oidc/web/controllers/token/CustomOidcRevocationEndpointController.java +++ /dev/null @@ -1,78 +0,0 @@ -package org.apereo.cas.oidc.web.controllers.token; - -import lombok.val; -import org.apereo.cas.oidc.OidcConfigurationContext; -import org.apereo.cas.support.oauth.OAuth20Constants; -import org.apereo.cas.support.oauth.util.OAuth20Utils; -import org.apereo.cas.ticket.OAuth20Token; -import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken; -import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken; -import org.apereo.cas.util.function.FunctionUtils; -import org.jooq.lambda.Unchecked; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.http.HttpStatus; -import org.springframework.web.servlet.ModelAndView; -import org.springframework.web.servlet.view.json.MappingJackson2JsonView; - -import javax.servlet.http.HttpServletResponse; - -/** - * Custom : Revoke token for all services without checking clientId : Global Logout - */ -public class CustomOidcRevocationEndpointController extends OidcRevocationEndpointController { - - private static final Logger LOGGER = LoggerFactory.getLogger(CustomOidcRevocationEndpointController.class); - - public CustomOidcRevocationEndpointController(final OidcConfigurationContext configurationContext) { - super(configurationContext); - } - - protected ModelAndView generateRevocationResponse( - final String token, - final String clientId, - final HttpServletResponse response - ) throws Exception { - val registryToken = FunctionUtils.doAndHandle(() -> { - val state = getConfigurationContext().getTicketRegistry().getTicket(token, OAuth20Token.class); - return state == null || state.isExpired() ? null : state; - }); - if (registryToken == null) { - LOGGER.error("Provided token [{}] has not been found in the ticket registry", token); - } else if (isRefreshToken(registryToken) || isAccessToken(registryToken)) { - /* - Custom : Don't check clientId to allow revoke token to all services (SSO) - if (!StringUtils.equals(clientId, registryToken.getClientId())) { - LOGGER.warn("Provided token [{}] has not been issued for the service [{}]", token, clientId); - return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST); - } - */ - - if (isRefreshToken(registryToken)) { - revokeToken((OAuth20RefreshToken) registryToken); - } else { - revokeToken(registryToken.getId()); - } - } else { - LOGGER.error("Provided token [{}] is either not a refresh token or not an access token", token); - return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST); - } - - val mv = new ModelAndView(new MappingJackson2JsonView()); - mv.setStatus(HttpStatus.OK); - return mv; - } - - private void revokeToken(final OAuth20RefreshToken token) throws Exception { - this.revokeToken(token.getId()); - token.getAccessTokens().forEach(Unchecked.consumer(this::revokeToken)); - } - - private boolean isRefreshToken(final OAuth20Token token) { - return token instanceof OAuth20RefreshToken; - } - - private boolean isAccessToken(final OAuth20Token token) { - return token instanceof OAuth20AccessToken; - } -} diff --git a/cas/cas-server/src/main/java/org/apereo/cas/support/sms/SmsModeSmsSender.java b/cas/cas-server/src/main/java/org/apereo/cas/support/sms/SmsModeSmsSender.java deleted file mode 100644 index 325383e867c..00000000000 --- a/cas/cas-server/src/main/java/org/apereo/cas/support/sms/SmsModeSmsSender.java +++ /dev/null @@ -1,84 +0,0 @@ -package org.apereo.cas.support.sms; - -import com.fasterxml.jackson.databind.ObjectMapper; -import lombok.Getter; -import lombok.RequiredArgsConstructor; -import lombok.extern.slf4j.Slf4j; -import lombok.val; -import org.apache.commons.io.IOUtils; -import org.apache.http.HttpResponse; -import org.apereo.cas.configuration.model.support.sms.SmsModeProperties; -import org.apereo.cas.notifications.sms.SmsSender; -import org.apereo.cas.util.CollectionUtils; -import org.apereo.cas.util.HttpUtils; -import org.apereo.cas.util.LoggingUtils; -import org.apereo.cas.util.serialization.JacksonObjectMapperFactory; -import org.springframework.http.HttpMethod; -import org.springframework.http.HttpStatus; -import org.springframework.http.MediaType; - -import java.nio.charset.Charset; -import java.nio.charset.StandardCharsets; -import java.util.HashMap; - -/** - * To be removed when upgrading to CAS version >= 7.0.0. - */ -@Getter -@RequiredArgsConstructor -@Slf4j -public class SmsModeSmsSender implements SmsSender { - - private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder() - .defaultTypingEnabled(false) - .build() - .toObjectMapper(); - - private final SmsModeProperties properties; - - @Override - public boolean send(final String from, final String to, final String message) { - HttpResponse response = null; - try { - val data = new HashMap(); - val recipient = new HashMap(); - recipient.put("to", to); - data.put("recipient", recipient); - val body = new HashMap(); - body.put("text", message); - data.put("body", body); - data.put("from", from); - - val headers = CollectionUtils.wrap( - "Content-Type", - MediaType.APPLICATION_JSON_VALUE, - "Accept", - MediaType.APPLICATION_JSON_VALUE, - "X-Api-Key", - properties.getAccessToken() - ); - headers.putAll(properties.getHeaders()); - val exec = HttpUtils.HttpExecutionRequest.builder() - .method(HttpMethod.POST) - .url(properties.getUrl()) - .proxyUrl(properties.getProxyUrl()) - .headers(headers) - .entity(MAPPER.writeValueAsString(data)) - .build(); - response = HttpUtils.execute(exec); - val status = HttpStatus.valueOf(response.getStatusLine().getStatusCode()); - val entity = response.getEntity(); - val charset = entity.getContentEncoding() != null - ? Charset.forName(entity.getContentEncoding().getValue()) - : StandardCharsets.ISO_8859_1; - val resp = IOUtils.toString(entity.getContent(), charset); - LOGGER.debug("Response from SmsMode: [{}]", resp); - return status.is2xxSuccessful(); - } catch (final Exception e) { - LoggingUtils.error(LOGGER, e); - } finally { - HttpUtils.close(response); - } - return false; - } -} diff --git a/cas/cas-server/src/main/java/org/apereo/cas/ticket/accesstoken/OAuth20DefaultAccessTokenFactory.java b/cas/cas-server/src/main/java/org/apereo/cas/ticket/accesstoken/OAuth20DefaultAccessTokenFactory.java deleted file mode 100644 index 1e33ee933fd..00000000000 --- a/cas/cas-server/src/main/java/org/apereo/cas/ticket/accesstoken/OAuth20DefaultAccessTokenFactory.java +++ /dev/null @@ -1,130 +0,0 @@ -package org.apereo.cas.ticket.accesstoken; - -import lombok.Getter; -import lombok.RequiredArgsConstructor; -import lombok.val; -import org.apache.commons.lang3.StringUtils; -import org.apereo.cas.authentication.Authentication; -import org.apereo.cas.authentication.principal.Service; -import org.apereo.cas.configuration.support.Beans; -import org.apereo.cas.services.ServicesManager; -import org.apereo.cas.support.oauth.OAuth20GrantTypes; -import org.apereo.cas.support.oauth.OAuth20ResponseTypes; -import org.apereo.cas.support.oauth.services.OAuthRegisteredService; -import org.apereo.cas.support.oauth.util.OAuth20Utils; -import org.apereo.cas.ticket.ExpirationPolicy; -import org.apereo.cas.ticket.ExpirationPolicyBuilder; -import org.apereo.cas.ticket.Ticket; -import org.apereo.cas.ticket.TicketGrantingTicket; -import org.apereo.cas.ticket.UniqueTicketIdGenerator; -import org.apereo.cas.token.JwtBuilder; -import org.apereo.cas.util.DefaultUniqueTicketIdGenerator; - -import java.util.Collection; -import java.util.Map; - -/** - * To be removed when upgrading to CAS version >= 6.6.3. - */ -@RequiredArgsConstructor -@Getter -public class OAuth20DefaultAccessTokenFactory implements OAuth20AccessTokenFactory { - - /** - * Default instance for the ticket id generator. - */ - protected final UniqueTicketIdGenerator accessTokenIdGenerator; - - /** - * ExpirationPolicy for refresh tokens. - */ - protected final ExpirationPolicyBuilder expirationPolicy; - - /** - * JWT builder instance. - */ - protected final JwtBuilder jwtBuilder; - - /** - * Services manager. - */ - protected final ServicesManager servicesManager; - - public OAuth20DefaultAccessTokenFactory( - final ExpirationPolicyBuilder expirationPolicy, - final JwtBuilder jwtBuilder, - final ServicesManager servicesManager - ) { - this(new DefaultUniqueTicketIdGenerator(), expirationPolicy, jwtBuilder, servicesManager); - } - - @Override - public OAuth20AccessToken create( - final Service service, - final Authentication authentication, - final TicketGrantingTicket ticketGrantingTicket, - final Collection scopes, - final String token, - final String clientId, - final Map> requestClaims, - final OAuth20ResponseTypes responseType, - final OAuth20GrantTypes grantType - ) { - val registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId( - jwtBuilder.getServicesManager(), - clientId - ); - val expirationPolicyToUse = determineExpirationPolicyForService(registeredService); - // CUSTO: - val accessTokenId = generateAccessTokenId(service, authentication); - - val at = new OAuth20DefaultAccessToken( - accessTokenId, - service, - authentication, - expirationPolicyToUse, - ticketGrantingTicket, - token, - scopes, - clientId, - requestClaims, - responseType, - grantType - ); - if (ticketGrantingTicket != null) { - ticketGrantingTicket.getDescendantTickets().add(at.getId()); - } - return at; - } - - // CUSTO: - protected String generateAccessTokenId(final Service service, final Authentication authentication) { - return this.accessTokenIdGenerator.getNewTicketId(OAuth20AccessToken.PREFIX); - } - - @Override - public Class getTicketType() { - return OAuth20AccessToken.class; - } - - /** - * Determine the expiration policy for the registered service. - * - * @param registeredService the registered service - * @return the expiration policy - */ - protected ExpirationPolicy determineExpirationPolicyForService(final OAuthRegisteredService registeredService) { - if (registeredService != null && registeredService.getAccessTokenExpirationPolicy() != null) { - val policy = registeredService.getAccessTokenExpirationPolicy(); - val maxTime = policy.getMaxTimeToLive(); - val ttl = policy.getTimeToKill(); - if (StringUtils.isNotBlank(maxTime) && StringUtils.isNotBlank(ttl)) { - return new OAuth20AccessTokenExpirationPolicy( - Beans.newDuration(maxTime).getSeconds(), - Beans.newDuration(ttl).getSeconds() - ); - } - } - return this.expirationPolicy.buildTicketExpirationPolicy(); - } -} diff --git a/cas/cas-server/src/main/java/org/apereo/cas/web/flow/actions/DelegatedAuthenticationClientLogoutAction.java b/cas/cas-server/src/main/java/org/apereo/cas/web/flow/actions/DelegatedAuthenticationClientLogoutAction.java deleted file mode 100644 index bbaca54df23..00000000000 --- a/cas/cas-server/src/main/java/org/apereo/cas/web/flow/actions/DelegatedAuthenticationClientLogoutAction.java +++ /dev/null @@ -1,100 +0,0 @@ -package org.apereo.cas.web.flow.actions; - -import lombok.RequiredArgsConstructor; -import lombok.extern.slf4j.Slf4j; -import lombok.val; -import org.apereo.cas.web.support.WebUtils; -import org.pac4j.core.client.Client; -import org.pac4j.core.client.Clients; -import org.pac4j.core.context.session.SessionStore; -import org.pac4j.core.exception.http.HttpAction; -import org.pac4j.core.profile.ProfileManager; -import org.pac4j.core.profile.UserProfile; -import org.pac4j.jee.context.JEEContext; -import org.pac4j.jee.http.adapter.JEEHttpActionAdapter; -import org.pac4j.saml.state.SAML2StateGenerator; -import org.springframework.webflow.execution.Event; -import org.springframework.webflow.execution.RequestContext; - -import java.util.Optional; - -/** - * To be removed when upgrading to CAS version >= 6.6.13 - */ -@Slf4j -@RequiredArgsConstructor -public class DelegatedAuthenticationClientLogoutAction extends BaseCasWebflowAction { - - protected final Clients clients; - - protected final SessionStore sessionStore; - - @Override - protected Event doPreExecute(final RequestContext requestContext) { - val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); - val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext); - val context = new JEEContext(request, response); - - val currentProfile = findCurrentProfile(context); - val clientResult = findCurrentClient(currentProfile); - if (clientResult.isPresent()) { - val client = clientResult.get(); - requestContext.getFlowScope().put("delegatedAuthenticationLogoutRequest", true); - - LOGGER.debug("Handling logout for delegated authentication client [{}]", client); - WebUtils.putDelegatedAuthenticationClientName(requestContext, client.getName()); - sessionStore.set(context, SAML2StateGenerator.SAML_RELAY_STATE_ATTRIBUTE, client.getName()); - } - return null; - } - - @Override - protected Event doExecute(final RequestContext requestContext) { - val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); - val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext); - val context = new JEEContext(request, response); - - val currentProfile = findCurrentProfile(context); - val clientResult = findCurrentClient(currentProfile); - if (clientResult.isPresent()) { - val client = clientResult.get(); - LOGGER.trace("Located client [{}]", client); - - val service = WebUtils.getService(requestContext); - val targetUrl = service != null ? service.getId() : null; - LOGGER.debug("Logout target url based on service [{}] is [{}]", service, targetUrl); - - val actionResult = client.getLogoutAction(context, sessionStore, currentProfile, targetUrl); - if (actionResult.isPresent()) { - val action = (HttpAction) actionResult.get(); - LOGGER.debug("Adapting logout action [{}] for client [{}]", action, client); - JEEHttpActionAdapter.INSTANCE.adapt(action, context); - } - } else { - LOGGER.debug("The current client cannot be found; No logout action can execute"); - } - return null; - } - - /** - * Finds the current profile from the context. - * - * @param webContext A web context (request + response). - * @return The common profile active. - */ - protected UserProfile findCurrentProfile(final JEEContext webContext) { - val pm = new ProfileManager(webContext, this.sessionStore); - val profile = pm.getProfile(); - return profile.orElse(null); - } - - /** - * Find the current client from the current profile. - * - * @param currentProfile the current profile - * @return the current client - */ - protected Optional findCurrentClient(final UserProfile currentProfile) { - return currentProfile == null ? Optional.empty() : clients.findClient(currentProfile.getClientName()); - } -} diff --git a/cas/cas-server/src/main/resources/META-INF/spring.factories b/cas/cas-server/src/main/resources/META-INF/spring.factories deleted file mode 100644 index 8700c878be8..00000000000 --- a/cas/cas-server/src/main/resources/META-INF/spring.factories +++ /dev/null @@ -1,4 +0,0 @@ -org.springframework.boot.autoconfigure.EnableAutoConfiguration=\ -fr.gouv.vitamui.cas.config.AppConfig, \ -fr.gouv.vitamui.cas.config.WebConfig, \ -fr.gouv.vitamui.cas.config.WebflowConfig diff --git a/cas/cas-server/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports b/cas/cas-server/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports new file mode 100644 index 00000000000..1d0a37c99cf --- /dev/null +++ b/cas/cas-server/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports @@ -0,0 +1,3 @@ +fr.gouv.vitamui.cas.config.AppConfig +fr.gouv.vitamui.cas.config.WebConfig +fr.gouv.vitamui.cas.config.WebflowConfig diff --git a/cas/cas-server/src/main/resources/application.properties b/cas/cas-server/src/main/resources/application.properties index 2a7441e5b6f..5d5c1db01dd 100644 --- a/cas/cas-server/src/main/resources/application.properties +++ b/cas/cas-server/src/main/resources/application.properties @@ -11,7 +11,7 @@ server.ssl.enabled=true # server.port=8443 server.servlet.context-path=/cas -server.max-http-header-size=2097152 +server.max-http-request-header-size=2097152 ## CUSTO: NATIVE -> NONE server.forward-headers-strategy=NONE ## CUSTO: ALWAYS -> NEVER @@ -44,10 +44,6 @@ server.tomcat.remoteip.remote-ip-header=X-FORWARDED-FOR server.tomcat.uri-encoding=UTF-8 server.tomcat.additional-tld-skip-patterns=*.jar -# To be removed when upgrading to CAS v6.6.13 -cas.authn.oauth.session-replication.cookie.name: DISSESSIONOA -cas.authn.pac4j.core.session-replication.cookie.name: DISSESSIONAD - ## # CAS Web Application JMX/Spring Configuration # @@ -152,20 +148,19 @@ server.servlet.context-parameters.isLog4jAutoInitializationDisabled=true ## # CAS Metrics Configuration # -management.metrics.web.server.request.autotime.enabled=true - -management.metrics.export.atlas.enabled=false -management.metrics.export.datadog.enabled=false -management.metrics.export.ganglia.enabled=false -management.metrics.export.graphite.enabled=false -management.metrics.export.influx.enabled=false -management.metrics.export.jmx.enabled=false -management.metrics.export.newrelic.enabled=false -management.metrics.export.prometheus.enabled=false -management.metrics.export.signalfx.enabled=false -management.metrics.export.statsd.enabled=false -management.metrics.export.wavefront.enabled=false -management.metrics.export.simple.enabled=true + +management.atlas.metrics.export.enabled=false +management.datadog.metrics.export.enabled=false +management.ganglia.metrics.export.enabled=false +management.graphite.metrics.export.enabled=false +management.influx.metrics.export.enabled=false +management.jmx.metrics.export.enabled=false +management.newrelic.metrics.export.enabled=false +management.prometheus.metrics.export.enabled=false +management.signalfx.metrics.export.enabled=false +management.statsd.metrics.export.enabled=false +management.wavefront.metrics.export.enabled=false +management.simple.metrics.export.enabled=true management.metrics.enable.logback=true management.metrics.enable.process.files=true diff --git a/cas/cas-server/src/main/resources/static/js/cas.js b/cas/cas-server/src/main/resources/static/js/cas.js index 59a3140655b..fb59d4a627b 100644 --- a/cas/cas-server/src/main/resources/static/js/cas.js +++ b/cas/cas-server/src/main/resources/static/js/cas.js @@ -1,11 +1,20 @@ +/* global trackGeoLocation, jqueryReady */ + +/* exported resourceLoadedSuccessfully */ + +const formId = '#main-form'; // Vitam form id value +// const formId = '#fm1'; // Xelians form id value + function preserveAnchorTagOnForm() { - $('#main-form').submit(function () { + $(formId).submit(function () { var location = self.document.location; var hash = decodeURIComponent(location.hash); + if (hash !== undefined && hash !== '' && hash.indexOf('#') === -1) { hash = '#' + hash; } - var action = $('#main-form').attr('action'); + + var action = $(formId).attr('action'); if (action === undefined) { action = location.href; } else { @@ -16,10 +25,11 @@ function preserveAnchorTagOnForm() { } } action += hash; - $('#main-form').attr('action', action); + $(formId).attr('action', action); }); } + function preventFormResubmission() { $('form').submit(function () { $(':submit').attr('disabled', true); @@ -33,17 +43,18 @@ function preventFormResubmission() { // Customization VITAMUI ======================= function disableEmptyInputFormSubmission() { - var fields = $('#main-form input[name="username"],[name="password"]'); + var fields = $(`${formId} input[name="username"],[name="password"]`); if (fields.length === 2) { fields.on('input', function (event) { - var enableSubmission = $('#main-form input[name="username"]').val().trim() && - $('#main-form input[name="password"]').val().trim(); + var enableSubmission = + $(`${formId} input[name="username"]`).val().trim() && + $(`${formId} input[name="password"]`).val().trim(); if (enableSubmission) { - $('#main-form input[name=submit]').removeAttr('disabled'); + $(`${formId} input[name=submit]`).removeAttr('disabled'); event.stopPropagation(); } else { - $('#main-form input[name=submit]').attr('disabled', 'true'); + $(`${formId} input[name=submit]`).attr('disabled', 'true'); } }); } @@ -51,15 +62,14 @@ function disableEmptyInputFormSubmission() { /** * Handle auto-complete events to the extent possible. */ - if ($('#main-form input[name="username"]').length > 0) { + if ($(`${formId} input[name="username"]`).length > 0) { setTimeout(function () { var uid = $('#username').val(); if (uid != null && uid != '') { $('#username').change(); $('#username').focus(); - $('#main-form input[name=submit]').removeAttr('disabled'); + $(`${formId} input[name=submit]`).removeAttr('disabled'); } - }, 100); } } @@ -68,8 +78,6 @@ function disableEmptyInputFormSubmission() { function resourceLoadedSuccessfully() { $(document).ready(function () { - - if ($(':focus').length === 0) { $('input:visible:enabled:first').focus(); } @@ -81,8 +89,9 @@ function resourceLoadedSuccessfully() { preventFormResubmission(); $('#capslock-on').hide(); - $('#main-form input[name="username"],[name="password"]').trigger('input'); - $('#main-form input[name="username"]').focus(); + $(`${formId} input[name="username"],[name="password"]`).trigger('input'); + $(`${formId} input[name="username"]`).focus(); + $('#password').keypress(function (e) { var s = String.fromCharCode(e.which); if (s.toUpperCase() === s && s.toLowerCase() !== s && !e.shiftKey) { @@ -91,38 +100,38 @@ function resourceLoadedSuccessfully() { $('#capslock-on').hide(); } }); - if (typeof (jqueryReady) == 'function') { - console.log("jqueryReady is a function") + if (typeof jqueryReady == 'function') { + console.log('jqueryReady is a function'); jqueryReady(); } else { - console.log("jqueryReady not a function") + console.log('jqueryReady not a function'); } }); } function displayMainFormSubmitButton() { $(document).ready(function () { - $("#main-form-submit").css("display", "flex"); + $('#main-form-submit').css('display', 'flex'); }); } function displayMainFormValidateButton() { $(document).ready(function () { - $("#main-form-validate").css("display", "flex"); + $('#main-form-validate').css('display', 'flex'); }); } function disableMainFormSubmitButton() { - $("#main-form-submit").attr("disabled", "true"); + $('#main-form-submit').attr('disabled', 'true'); } function enableMainFormSubmitButton() { - $("#main-form-submit").removeAttr("disabled"); + $('#main-form-submit').removeAttr('disabled'); } function hiddeMainFormReturnButton() { $(document).ready(function () { - $("#main-form-return").hide(); + $('#main-form-return').hide(); }); } @@ -132,7 +141,7 @@ function sanitizeUrl(inputUrl) { '<': '<', '>': '>', '"': '"', - "'": ''' + "'": ''', }; return inputUrl.replace(true ? /[&<>'"]/g : /[&<>]/g, function (c) { return ESC_MAP[c]; diff --git a/cas/cas-server/src/main/resources/static/js/passwordMeter.js b/cas/cas-server/src/main/resources/static/js/passwordMeter.js new file mode 100644 index 00000000000..6c2ca55df47 --- /dev/null +++ b/cas/cas-server/src/main/resources/static/js/passwordMeter.js @@ -0,0 +1,110 @@ +/* global jqueryReady, policyPattern, zxcvbn, passwordStrengthI18n */ +/*eslint-disable no-unused-vars*/ +function jqueryReady() { + var strength = passwordStrengthI18n; + + $.fn.zxcvbnProgressBar = function (options) { + + //init settings + var settings = $.extend({ + allProgressBarClasses: 'progress-bar-danger progress-bar-warning progress-bar-success progress-bar-striped active', + progressBarClass0: 'progress-bar-danger progress-bar-striped active', + progressBarClass1: 'progress-bar-danger progress-bar-striped active', + progressBarClass2: 'progress-bar-warning progress-bar-striped active', + progressBarClass3: 'progress-bar-success', + progressBarClass4: 'progress-bar-success' + }, options); + + return this.each(function () { + settings.progressBar = this; + //init progress bar display + UpdateProgressBar(); + //Update progress bar on each keypress of password input + $(settings.passwordInput).keyup(function (event) { + UpdateProgressBar(); + }); + }); + + function UpdateProgressBar() { + var progressBar = settings.progressBar; + var password = $('#password').val(); + if (password) { + var result = zxcvbn(password, settings.userInputs); + //result.score: 0, 1, 2, 3 or 4 - if crack time is less than 10**2, 10**4, 10**6, 10**8, Infinity. + var scorePercentage = (result.score + 1) * 20; + $(progressBar).css('width', scorePercentage + '%'); + + if (result.score == 0) { + //weak + $(progressBar).removeClass(settings.allProgressBarClasses).addClass(settings.progressBarClass0); + $(progressBar).html(strength[0]); + } + else if (result.score == 1) { + //normal + $(progressBar).removeClass(settings.allProgressBarClasses).addClass(settings.progressBarClass1); + $(progressBar).html(strength[1]); + } + else if (result.score == 2) { + //medium + $(progressBar).removeClass(settings.allProgressBarClasses).addClass(settings.progressBarClass2); + $(progressBar).html(strength[2]); + } + else if (result.score == 3) { + //strong + $(progressBar).removeClass(settings.allProgressBarClasses).addClass(settings.progressBarClass3); + $(progressBar).html(strength[3]); + } + else if (result.score == 4) { + //very strong + $(progressBar).removeClass(settings.allProgressBarClasses).addClass(settings.progressBarClass4); + $(progressBar).html(strength[4]); + } + } + else { + $(progressBar).css('width', '0%'); + $(progressBar).removeClass(settings.allProgressBarClasses).addClass(settings.progressBarClass0); + $(progressBar).html(''); + } + } + }; + /// + var policyPatternRegex = new RegExp(policyPattern); + var password = document.getElementById('password'); + var confirmed = document.getElementById('confirmedPassword'); + + password.addEventListener('input', validate); + confirmed.addEventListener('input', validate); + + var alertSettings = { + allAlertClasses: 'fa-times-circle fa-exclamation-circle fa-info-circle fa-check-circle', + alertClassDanger: 'fa-times-circle', + alertClassWarning: 'fa-exclamation-circle', + alertClassInfo: 'fa-info-circle', + alertClassSuccess: 'fa-check-circle' + }; + + function validate() { + var val = password.value; + var cnf = confirmed.value; + var responseText; + var passwordIsNotValid = !policyPatternRegex.test(val); + + var disableSubmit = val == '' || cnf == '' || val != cnf || passwordIsNotValid || !policyPatternRegex.test(cnf); + $('#submit').prop('disabled', disableSubmit); + + var result = zxcvbn(val); + $('#strengthProgressBar').zxcvbnProgressBar({ passwordInput: '#password' }); + + if (passwordIsNotValid && $('#security-four.valid').length > 0 && $('#security-valid-password.valid').length > 0) { + $('#security-invalid-password').addClass("valid"); + $('#security-invalid-password').show(); + } else { + $('#password-policy-text').hide(); + $('#security-valid-password').show(); + } + + if (disableSubmit) { + return; + } + } +} diff --git a/cas/cas-server/src/main/resources/templates/login/casLoginView.html b/cas/cas-server/src/main/resources/templates/login/casLoginView.html new file mode 100644 index 00000000000..7ac6afdbb43 --- /dev/null +++ b/cas/cas-server/src/main/resources/templates/login/casLoginView.html @@ -0,0 +1,129 @@ + + + + + + + VITAM-UI + + + + + + + + + + + + +
+
+ +
+ + + + + + diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/BaseWebflowActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/BaseWebflowActionTest.java index be8b54e15d8..5a55bc27cef 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/BaseWebflowActionTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/BaseWebflowActionTest.java @@ -1,7 +1,8 @@ package fr.gouv.vitamui.cas; -import fr.gouv.vitam.common.exception.InvalidParseOperationException; -import lombok.val; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; import org.apereo.cas.authentication.principal.WebApplicationService; import org.junit.Before; import org.junit.runner.RunWith; @@ -18,9 +19,6 @@ import org.springframework.webflow.execution.RequestContextHolder; import org.springframework.webflow.test.MockParameterMap; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import java.io.FileNotFoundException; import static org.mockito.Mockito.mock; @@ -48,7 +46,7 @@ public abstract class BaseWebflowActionTest { protected HttpServletResponse response; @Before - public void setUp() throws FileNotFoundException, InvalidParseOperationException { + public void setUp() throws FileNotFoundException { context = mock(RequestContext.class); requestParameters = new MockParameterMap(); @@ -58,7 +56,7 @@ public void setUp() throws FileNotFoundException, InvalidParseOperationException when(context.getFlowScope()).thenReturn(flowParameters); flowParameters.put("service", mock(WebApplicationService.class)); - val flow = mock(Flow.class); + final var flow = mock(Flow.class); when(flow.getVariable("credential")).thenReturn(mock(FlowVariable.class)); when(context.getActiveFlow()).thenReturn(flow); diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/IamSurrogateAuthenticationServiceTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/IamSurrogateAuthenticationServiceTest.java index 2b3bcfba725..de809db8e63 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/IamSurrogateAuthenticationServiceTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/IamSurrogateAuthenticationServiceTest.java @@ -1,12 +1,10 @@ package fr.gouv.vitamui.cas.authentication; +import fr.gouv.vitamui.cas.surrogation.IamSurrogateAuthenticationService; import fr.gouv.vitamui.cas.util.Constants; -import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.commons.rest.client.HttpContext; -import fr.gouv.vitamui.iam.client.CasRestClient; -import fr.gouv.vitamui.iam.common.dto.SubrogationDto; import fr.gouv.vitamui.iam.common.enums.SubrogationStatusEnum; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.SubrogationDto; import org.apereo.cas.authentication.principal.DefaultPrincipalFactory; import org.apereo.cas.authentication.principal.Principal; import org.apereo.cas.services.ServicesManager; @@ -26,7 +24,6 @@ import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; -import static org.mockito.Mockito.any; import static org.mockito.Mockito.doReturn; import static org.mockito.Mockito.eq; import static org.mockito.Mockito.mock; @@ -42,22 +39,17 @@ public final class IamSurrogateAuthenticationServiceTest { private static final String SURROGATE = "surrogate"; private static final String SURROGATE_CUSTOMER_ID = "surrogate_customer_id"; - private static final String SU_ID = "id"; - private static final String SU_EMAIL = "superUser"; private static final String SU_CUSTOMER_ID = "superUserCustomerId"; private IamSurrogateAuthenticationService service; - - private CasRestClient casRestClient; + private CasApi casApi; @Before public void setUp() { - casRestClient = mock(CasRestClient.class); - - val utils = new Utils(null, 0, null, null, ""); - service = new IamSurrogateAuthenticationService(casRestClient, mock(ServicesManager.class), utils); + casApi = mock(CasApi.class); + service = new IamSurrogateAuthenticationService(casApi, mock(ServicesManager.class)); } @After @@ -69,7 +61,7 @@ public void after() { public void testCanAuthenticateOk() { givenSubrogationInRequestContext(); - when(casRestClient.getSubrogationsBySuperUserId(any(HttpContext.class), eq(SU_ID))).thenReturn( + when(casApi.getSubrogationsBySuperUserIdOrEmailAndCustomerId(eq(SU_ID), eq(null), eq(null))).thenReturn( List.of(surrogation()) ); @@ -80,9 +72,9 @@ public void testCanAuthenticateOk() { public void testCanAuthenticateCannotSurrogate() { givenSubrogationInRequestContext(); - val subrogation = surrogation(); + final var subrogation = surrogation(); subrogation.setSurrogate("anotherUser"); - when(casRestClient.getSubrogationsBySuperUserId(any(HttpContext.class), eq(SU_ID))).thenReturn( + when(casApi.getSubrogationsBySuperUserIdOrEmailAndCustomerId(eq(SU_ID), eq(null), eq(null))).thenReturn( List.of(subrogation) ); @@ -93,9 +85,9 @@ public void testCanAuthenticateCannotSurrogate() { public void testCanAuthenticateNotAccepted() { givenSubrogationInRequestContext(); - val subrogation = surrogation(); + final var subrogation = surrogation(); subrogation.setStatus(SubrogationStatusEnum.CREATED); - when(casRestClient.getSubrogationsBySuperUserId(any(HttpContext.class), eq(SU_ID))).thenReturn( + when(casApi.getSubrogationsBySuperUserIdOrEmailAndCustomerId(eq(SU_ID), eq(null), eq(null))).thenReturn( List.of(subrogation) ); @@ -107,23 +99,23 @@ public void testGetAccounts() { givenSubrogationInRequestContext(); when( - casRestClient.getSubrogationsBySuperUserEmailAndCustomerId( - any(HttpContext.class), - eq(SU_EMAIL), - eq(SU_CUSTOMER_ID) - ) + casApi.getSubrogationsBySuperUserIdOrEmailAndCustomerId(eq(null), eq(SU_EMAIL), eq(SU_CUSTOMER_ID)) ).thenReturn(List.of(surrogation())); service.getImpersonationAccounts(SU_EMAIL); } private Principal principal() { - val factory = new DefaultPrincipalFactory(); - return factory.createPrincipal(SU_ID); + final var factory = new DefaultPrincipalFactory(); + try { + return factory.createPrincipal(SU_ID); + } catch (Throwable e) { + throw new RuntimeException(e); + } } private SubrogationDto surrogation() { - val subrogation = new SubrogationDto(); + final var subrogation = new SubrogationDto(); subrogation.setSurrogate(SURROGATE); subrogation.setSurrogateCustomerId(SURROGATE_CUSTOMER_ID); subrogation.setSuperUser(SU_EMAIL); diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserAuthenticationHandlerTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/LoginPwdAuthenticationHandlerTest.java similarity index 61% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserAuthenticationHandlerTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/LoginPwdAuthenticationHandlerTest.java index ee7958d3c60..9e408b9efce 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserAuthenticationHandlerTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/LoginPwdAuthenticationHandlerTest.java @@ -1,16 +1,15 @@ package fr.gouv.vitamui.cas.authentication; import fr.gouv.vitamui.cas.util.Constants; -import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.commons.api.domain.UserDto; import fr.gouv.vitamui.commons.api.enums.UserStatusEnum; import fr.gouv.vitamui.commons.api.enums.UserTypeEnum; import fr.gouv.vitamui.commons.api.exception.BadRequestException; import fr.gouv.vitamui.commons.api.exception.InvalidAuthenticationException; import fr.gouv.vitamui.commons.api.exception.TooManyRequestsException; -import fr.gouv.vitamui.commons.rest.client.HttpContext; -import fr.gouv.vitamui.iam.client.CasRestClient; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.LoginRequestDto; +import fr.gouv.vitamui.iam.openapiclient.domain.UserDto; +import jakarta.servlet.http.HttpServletRequest; import org.apereo.cas.authentication.Credential; import org.apereo.cas.authentication.PreventedException; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; @@ -32,26 +31,23 @@ import javax.security.auth.login.AccountLockedException; import javax.security.auth.login.AccountNotFoundException; import javax.security.auth.login.CredentialException; -import javax.servlet.http.HttpServletRequest; -import java.security.GeneralSecurityException; import java.time.OffsetDateTime; import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; -import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.doReturn; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; /** - * Tests {@link UserAuthenticationHandler}. + * Tests {@link LoginPwdAuthenticationHandler}. */ @RunWith(SpringRunner.class) -@ContextConfiguration(classes = UserAuthenticationHandlerTest.class) +@ContextConfiguration(classes = LoginPwdAuthenticationHandlerTest.class) @TestPropertySource(locations = "classpath:/application-test.properties") -public final class UserAuthenticationHandlerTest { +public final class LoginPwdAuthenticationHandlerTest { private static final String USERNAME = "user@test.com"; private static final String CUSTOMER_ID = "customerId"; @@ -62,24 +58,17 @@ public final class UserAuthenticationHandlerTest { private static final String IP_ADDRESS = "1.2.3.4"; private static final String IP_HEADER_NAME = "X-Real-IP"; - private UserAuthenticationHandler handler; + private LoginPwdAuthenticationHandler handler; - private CasRestClient casRestClient; + private CasApi casApi; private Credential credential; private LocalAttributeMap flowParameters; @Before public void setUp() { - casRestClient = mock(CasRestClient.class); - val utils = new Utils(null, 0, null, null, ""); - handler = new UserAuthenticationHandler( - null, - new DefaultPrincipalFactory(), - casRestClient, - utils, - IP_HEADER_NAME - ); + casApi = mock(CasApi.class); + handler = new LoginPwdAuthenticationHandler(null, new DefaultPrincipalFactory(), casApi, IP_HEADER_NAME); credential = new UsernamePasswordCredential("ignored", PASSWORD); RequestContext requestContext = mock(RequestContext.class); @@ -101,64 +90,50 @@ public void reset() { } @Test - public void testSuccessfulAuthentication() throws GeneralSecurityException, PreventedException { + public void testSuccessfulAuthentication() throws Throwable { // Given givenLoginRequestInRequestContext(); - when( - casRestClient.login( - any(HttpContext.class), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(PASSWORD), - eq(null), - eq(null), - eq(IP_ADDRESS) - ) - ).thenReturn(basicUser(UserStatusEnum.ENABLED)); + when(casApi.login(eq(userCredentials()))).thenReturn(basicUser(UserStatusEnum.ENABLED)); // When - val result = handler.authenticate(credential, null); + final var result = handler.authenticate(credential, null); // Then assertEquals(USERNAME, result.getPrincipal().getId()); - assertEquals(USERNAME, result.getPrincipal().getAttributes().get(Constants.FLOW_LOGIN_EMAIL).get(0)); - assertEquals(CUSTOMER_ID, result.getPrincipal().getAttributes().get(Constants.FLOW_LOGIN_CUSTOMER_ID).get(0)); + assertEquals(USERNAME, result.getPrincipal().getAttributes().get(Constants.FLOW_LOGIN_EMAIL).getFirst()); + assertEquals( + CUSTOMER_ID, + result.getPrincipal().getAttributes().get(Constants.FLOW_LOGIN_CUSTOMER_ID).getFirst() + ); assertNull(result.getPrincipal().getAttributes().get(Constants.FLOW_SURROGATE_EMAIL)); assertNull(result.getPrincipal().getAttributes().get(Constants.FLOW_SURROGATE_CUSTOMER_ID)); } @Test - public void testSuccessfulSubrogationAuthentication() throws GeneralSecurityException, PreventedException { + public void testSuccessfulSubrogationAuthentication() throws Throwable { // Given givenSubrogationRequestInRequestContext(); - when( - casRestClient.login( - any(HttpContext.class), - eq(SUPER_USER_EMAIL), - eq(SUPER_USER_CUSTOMER_ID), - eq(PASSWORD), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(IP_ADDRESS) - ) - ).thenReturn(basicUser(UserStatusEnum.ENABLED)); + when(casApi.login(eq(surrogateCredentials()))).thenReturn(basicUser(UserStatusEnum.ENABLED)); // When - val result = handler.authenticate(credential, null); + final var result = handler.authenticate(credential, null); // Then assertEquals(SUPER_USER_EMAIL, result.getPrincipal().getId()); - assertEquals(SUPER_USER_EMAIL, result.getPrincipal().getAttributes().get(Constants.FLOW_LOGIN_EMAIL).get(0)); + assertEquals( + SUPER_USER_EMAIL, + result.getPrincipal().getAttributes().get(Constants.FLOW_LOGIN_EMAIL).getFirst() + ); assertEquals( SUPER_USER_CUSTOMER_ID, - result.getPrincipal().getAttributes().get(Constants.FLOW_LOGIN_CUSTOMER_ID).get(0) + result.getPrincipal().getAttributes().get(Constants.FLOW_LOGIN_CUSTOMER_ID).getFirst() ); - assertEquals(USERNAME, result.getPrincipal().getAttributes().get(Constants.FLOW_SURROGATE_EMAIL).get(0)); + assertEquals(USERNAME, result.getPrincipal().getAttributes().get(Constants.FLOW_SURROGATE_EMAIL).getFirst()); assertEquals( CUSTOMER_ID, - result.getPrincipal().getAttributes().get(Constants.FLOW_SURROGATE_CUSTOMER_ID).get(0) + result.getPrincipal().getAttributes().get(Constants.FLOW_SURROGATE_CUSTOMER_ID).getFirst() ); } @@ -167,17 +142,7 @@ public void testNoUser() { // Given givenLoginRequestInRequestContext(); - when( - casRestClient.login( - any(HttpContext.class), - eq(USERNAME), - eq(PASSWORD), - eq(CUSTOMER_ID), - eq(null), - eq(null), - eq(IP_ADDRESS) - ) - ).thenReturn(null); + when(casApi.login(eq(userCredentials()))).thenReturn(null); // When / Then assertThatThrownBy(() -> handler.authenticate(credential, null)).isInstanceOf(AccountNotFoundException.class); @@ -188,17 +153,7 @@ public void testUserDisabled() { // Given givenLoginRequestInRequestContext(); - when( - casRestClient.login( - any(HttpContext.class), - eq(USERNAME), - eq(PASSWORD), - eq(CUSTOMER_ID), - eq(null), - eq(null), - eq(IP_ADDRESS) - ) - ).thenReturn(basicUser(UserStatusEnum.DISABLED)); + when(casApi.login(eq(userCredentials()))).thenReturn(basicUser(UserStatusEnum.DISABLED)); // When / Then assertThatThrownBy(() -> handler.authenticate(credential, null)).isInstanceOf(AccountException.class); @@ -209,17 +164,7 @@ public void testUserCannotLogin() { // Given givenLoginRequestInRequestContext(); - when( - casRestClient.login( - any(HttpContext.class), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(PASSWORD), - eq(null), - eq(null), - eq(IP_ADDRESS) - ) - ).thenReturn(basicUser(UserStatusEnum.BLOCKED)); + when(casApi.login(eq(userCredentials()))).thenReturn(basicUser(UserStatusEnum.BLOCKED)); // When / Then assertThatThrownBy(() -> handler.authenticate(credential, null)).isInstanceOf(AccountException.class); @@ -230,19 +175,9 @@ public void testExpiredPassword() { // Given givenLoginRequestInRequestContext(); - val user = basicUser(UserStatusEnum.ENABLED); + final var user = basicUser(UserStatusEnum.ENABLED); user.setPasswordExpirationDate(OffsetDateTime.now().minusDays(1)); - when( - casRestClient.login( - any(HttpContext.class), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(PASSWORD), - eq(null), - eq(null), - eq(IP_ADDRESS) - ) - ).thenReturn(user); + when(casApi.login(eq(userCredentials()))).thenReturn(user); // When / Then assertThatThrownBy(() -> handler.authenticate(credential, null)).isInstanceOf( @@ -255,17 +190,7 @@ public void testUserBadCredentials() { // Given givenLoginRequestInRequestContext(); - when( - casRestClient.login( - any(HttpContext.class), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(PASSWORD), - eq(null), - eq(null), - eq(IP_ADDRESS) - ) - ).thenThrow(new InvalidAuthenticationException("")); + when(casApi.login(eq(userCredentials()))).thenThrow(new InvalidAuthenticationException("")); // When / Then assertThatThrownBy(() -> handler.authenticate(credential, null)).isInstanceOf(CredentialException.class); @@ -276,17 +201,7 @@ public void testUserLockedAccount() { // Given givenLoginRequestInRequestContext(); - when( - casRestClient.login( - any(HttpContext.class), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(PASSWORD), - eq(null), - eq(null), - eq(IP_ADDRESS) - ) - ).thenThrow(new TooManyRequestsException("")); + when(casApi.login(eq(userCredentials()))).thenThrow(new TooManyRequestsException("")); // When / Then assertThatThrownBy(() -> handler.authenticate(credential, null)).isInstanceOf(AccountLockedException.class); @@ -297,24 +212,14 @@ public void testTechnicalError() { // Given givenLoginRequestInRequestContext(); - when( - casRestClient.login( - any(HttpContext.class), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(PASSWORD), - eq(null), - eq(null), - eq(IP_ADDRESS) - ) - ).thenThrow(new BadRequestException("")); + when(casApi.login(eq(userCredentials()))).thenThrow(new BadRequestException("")); // When / Then assertThatThrownBy(() -> handler.authenticate(credential, null)).isInstanceOf(PreventedException.class); } private UserDto basicUser(final UserStatusEnum status) { - val user = new UserDto(); + final var user = new UserDto(); user.setStatus(status); user.setType(UserTypeEnum.NOMINATIVE); user.setPasswordExpirationDate(OffsetDateTime.now().plusDays(1)); @@ -334,4 +239,29 @@ private void givenSubrogationRequestInRequestContext() { flowParameters.put(Constants.FLOW_SURROGATE_EMAIL, USERNAME); flowParameters.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, CUSTOMER_ID); } + + private LoginRequestDto userCredentials() { + final LoginRequestDto credentials = new LoginRequestDto(); + + credentials.setLoginEmail(USERNAME); + credentials.setPassword(PASSWORD); + credentials.setLoginCustomerId(CUSTOMER_ID); + credentials.setSurrogateEmail(null); + credentials.setSurrogateCustomerId(null); + credentials.setIp(IP_ADDRESS); + + return credentials; + } + + private LoginRequestDto surrogateCredentials() { + final LoginRequestDto credentials = userCredentials(); + + credentials.setSurrogateEmail(credentials.getLoginEmail()); + credentials.setSurrogateCustomerId(credentials.getLoginCustomerId()); + + credentials.setLoginEmail(SUPER_USER_EMAIL); + credentials.setLoginCustomerId(SUPER_USER_CUSTOMER_ID); + + return credentials; + } } diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolverTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolverTest.java index 95c34bd3949..2f49a02057c 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolverTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolverTest.java @@ -1,10 +1,8 @@ package fr.gouv.vitamui.cas.authentication; -import fr.gouv.vitam.common.exception.InvalidParseOperationException; import fr.gouv.vitamui.cas.BaseWebflowActionTest; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; -import fr.gouv.vitamui.cas.util.Utils; import fr.gouv.vitamui.cas.x509.X509AttributeMapping; import fr.gouv.vitamui.commons.api.CommonConstants; import fr.gouv.vitamui.commons.api.domain.AddressDto; @@ -14,12 +12,10 @@ import fr.gouv.vitamui.commons.api.enums.UserStatusEnum; import fr.gouv.vitamui.commons.api.enums.UserTypeEnum; import fr.gouv.vitamui.commons.api.utils.CasJsonWrapper; -import fr.gouv.vitamui.commons.rest.client.HttpContext; -import fr.gouv.vitamui.commons.security.client.dto.AuthUserDto; -import fr.gouv.vitamui.iam.client.CasRestClient; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.AuthUserDto; import org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential; import org.apereo.cas.authentication.SurrogateUsernamePasswordCredential; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; @@ -29,12 +25,10 @@ import org.apereo.cas.authentication.principal.PrincipalFactory; import org.junit.Before; import org.junit.Test; -import org.junit.runner.RunWith; import org.pac4j.core.context.session.SessionStore; import org.pac4j.jee.context.JEEContext; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; -import org.springframework.test.context.junit4.SpringRunner; import java.io.FileNotFoundException; import java.security.cert.X509Certificate; @@ -59,7 +53,6 @@ /** * Tests {@link UserPrincipalResolver}. */ -@RunWith(SpringRunner.class) @ContextConfiguration(classes = UserPrincipalResolverTest.class) @TestPropertySource(locations = "classpath:/application-test.properties") public final class UserPrincipalResolverTest extends BaseWebflowActionTest { @@ -67,52 +60,40 @@ public final class UserPrincipalResolverTest extends BaseWebflowActionTest { private static final String PROVIDER_NAME = "google"; private static final String MAIL = "mail"; private static final String IDENTIFIER = "identifier"; - private static final String USERNAME = "user@test.com"; private static final String USERNAME_EMAIL_WITH_OTHER_CASE = "USER@test.com"; private static final String CUSTOMER_ID = "customerId"; private static final String ADMIN = "admin@test.com"; private static final String ADMIN_CUSTOMER_ID = "customer_admin"; private static final String IDENTIFIER_VALUE = "007"; - private static final String PWD = "password"; - private static final String USERNAME_ID = "userId"; private static final String ADMIN_ID = "admin"; - private static final String ROLE_NAME = "role1"; - private static final String PROVIDER_ID = "providerId"; public static final String CERTIFICATE_PROTOCOL_TYPE = "CERTIFICAT"; private UserPrincipalResolver resolver; - - private CasRestClient casRestClient; - + private CasApi casApi; private PrincipalFactory principalFactory; - private SessionStore sessionStore; - private IdentityProviderHelper identityProviderHelper; - private ProvidersService providersService; @Before - public void setUp() throws FileNotFoundException, InvalidParseOperationException { + public void setUp() throws FileNotFoundException { super.setUp(); - casRestClient = mock(CasRestClient.class); - val utils = new Utils(null, 0, null, null, ""); + casApi = mock(CasApi.class); principalFactory = new DefaultPrincipalFactory(); sessionStore = mock(SessionStore.class); identityProviderHelper = mock(IdentityProviderHelper.class); providersService = mock(ProvidersService.class); - val emailMapping = new X509AttributeMapping("subject_dn", null, null); - val identifierMapping = new X509AttributeMapping("issuer_dn", null, null); + final var emailMapping = new X509AttributeMapping("subject_dn", null, null); + final var identifierMapping = new X509AttributeMapping("issuer_dn", null, null); resolver = new UserPrincipalResolver( principalFactory, - casRestClient, - utils, + casApi, sessionStore, identityProviderHelper, providersService, @@ -125,33 +106,27 @@ public void setUp() throws FileNotFoundException, InvalidParseOperationException @Test public void testResolveUserSuccessfully() { when( - casRestClient.getUser( - any(HttpContext.class), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(null), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) - ) + casApi.getUser(eq(USERNAME), eq(CUSTOMER_ID), eq(""), eq(null), eq(CommonConstants.AUTH_TOKEN_PARAMETER)) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); - val principal = resolver.resolve( + final var principal = resolver.resolve( new UsernamePasswordCredential(USERNAME, PWD), Optional.of(createLoginPrincipal()), + Optional.empty(), Optional.empty() ); assertEquals(USERNAME_ID, principal.getId()); final Map> attributes = principal.getAttributes(); - assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).get(0)); + assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).getFirst()); assertEquals(List.of(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE)); } @Test - public void testResolveX509() { - val provider = new IdentityProviderDto(); + public void testResolveX509() throws Throwable { + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); provider.setCustomerId(CUSTOMER_ID); provider.setProtocoleType(CERTIFICATE_PROTOCOL_TYPE); @@ -161,40 +136,40 @@ public void testResolveX509() { ).thenReturn(List.of(provider)); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.of(IDENTIFIER)), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq(IDENTIFIER), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); - val cert = mock(X509Certificate.class); - val subjectDn = mock(java.security.Principal.class); + final var cert = mock(X509Certificate.class); + final var subjectDn = mock(java.security.Principal.class); when(subjectDn.getName()).thenReturn(USERNAME); when(cert.getSubjectDN()).thenReturn(subjectDn); - val issuerDn = mock(java.security.Principal.class); + final var issuerDn = mock(java.security.Principal.class); when(issuerDn.getName()).thenReturn(IDENTIFIER); when(cert.getIssuerDN()).thenReturn(issuerDn); - val principal = resolver.resolve( + final var principal = resolver.resolve( new X509CertificateCredential(new X509Certificate[] { cert }), Optional.of(principalFactory.createPrincipal(USERNAME)), + Optional.empty(), Optional.empty() ); assertEquals(USERNAME_ID, principal.getId()); final Map> attributes = principal.getAttributes(); - assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).get(0)); + assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).getFirst()); assertEquals(List.of(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE)); } @Test - public void testResolveX509CaseInsensitive() { - val provider = new IdentityProviderDto(); + public void testResolveX509CaseInsensitive() throws Throwable { + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); provider.setCustomerId(CUSTOMER_ID); provider.setProtocoleType(CERTIFICATE_PROTOCOL_TYPE); @@ -210,49 +185,48 @@ public void testResolveX509CaseInsensitive() { ).thenReturn(List.of(provider)); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME_EMAIL_WITH_OTHER_CASE), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.of(IDENTIFIER)), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq(IDENTIFIER), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); - val cert = mock(X509Certificate.class); - val subjectDn = mock(java.security.Principal.class); + final var cert = mock(X509Certificate.class); + final var subjectDn = mock(java.security.Principal.class); when(subjectDn.getName()).thenReturn(USERNAME_EMAIL_WITH_OTHER_CASE); when(cert.getSubjectDN()).thenReturn(subjectDn); - val issuerDn = mock(java.security.Principal.class); + final var issuerDn = mock(java.security.Principal.class); when(issuerDn.getName()).thenReturn(IDENTIFIER); when(cert.getIssuerDN()).thenReturn(issuerDn); - val principal = resolver.resolve( + final var principal = resolver.resolve( new X509CertificateCredential(new X509Certificate[] { cert }), Optional.of(principalFactory.createPrincipal(USERNAME)), + Optional.empty(), Optional.empty() ); assertEquals(USERNAME_ID, principal.getId()); final Map> attributes = principal.getAttributes(); - assertEquals(USERNAME_EMAIL_WITH_OTHER_CASE, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).get(0)); + assertEquals(USERNAME_EMAIL_WITH_OTHER_CASE, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).getFirst()); assertEquals(List.of(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE)); } @Test - public void testResolveAuthnDelegation() { - val provider = new IdentityProviderDto(); + public void testResolveAuthnDelegation() throws Throwable { + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.of(USERNAME)), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq(USERNAME), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); givenLoginInfoInSessionForDeleguatedAuthn(); @@ -261,33 +235,33 @@ public void testResolveAuthnDelegation() { identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME)) ).thenReturn(Optional.of(provider)); - val principal = resolver.resolve( + final var principal = resolver.resolve( new ClientCredential(null, PROVIDER_NAME), Optional.of(principalFactory.createPrincipal(USERNAME)), + Optional.empty(), Optional.empty() ); assertEquals(USERNAME_ID, principal.getId()); final Map> attributes = principal.getAttributes(); - assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).get(0)); + assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).getFirst()); assertEquals(List.of(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE)); } @Test - public void testResolveAuthnDelegationMailAttribute() { - val provider = new IdentityProviderDto(); + public void testResolveAuthnDelegationMailAttribute() throws Throwable { + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); provider.setMailAttribute(MAIL); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.of("fake")), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq("fake"), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); givenLoginInfoInSessionForDeleguatedAuthn(); @@ -295,36 +269,36 @@ public void testResolveAuthnDelegationMailAttribute() { identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME)) ).thenReturn(Optional.of(provider)); - val princAttributes = new HashMap>(); + final var princAttributes = new HashMap>(); princAttributes.put(MAIL, Collections.singletonList(USERNAME)); - val principal = resolver.resolve( + final var principal = resolver.resolve( new ClientCredential(null, PROVIDER_NAME), Optional.of(principalFactory.createPrincipal("fake", princAttributes)), + Optional.empty(), Optional.empty() ); assertEquals(USERNAME_ID, principal.getId()); final Map> attributes = principal.getAttributes(); - assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).get(0)); + assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).getFirst()); assertEquals(List.of(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_ATTRIBUTE)); assertNull(attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE)); } @Test - public void testResolveAuthnDelegationIdentifierAttribute() { - val provider = new IdentityProviderDto(); + public void testResolveAuthnDelegationIdentifierAttribute() throws Throwable { + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); provider.setIdentifierAttribute(IDENTIFIER); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.of(IDENTIFIER_VALUE)), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq(IDENTIFIER_VALUE), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); givenLoginInfoInSessionForDeleguatedAuthn(); @@ -332,12 +306,13 @@ public void testResolveAuthnDelegationIdentifierAttribute() { identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME)) ).thenReturn(Optional.of(provider)); - val princAttributes = new HashMap>(); + final var princAttributes = new HashMap>(); princAttributes.put(IDENTIFIER, Collections.singletonList(IDENTIFIER_VALUE)); - val principal = resolver.resolve( + final var principal = resolver.resolve( new ClientCredential(null, PROVIDER_NAME), Optional.of(principalFactory.createPrincipal(USERNAME, princAttributes)), + Optional.empty(), Optional.empty() ); @@ -349,18 +324,17 @@ public void testResolveAuthnDelegationIdentifierAttribute() { } @Test - public void testResolveAuthnDelegationMailAttributeNoValue() { - val provider = new IdentityProviderDto(); + public void testResolveAuthnDelegationMailAttributeNoValue() throws Throwable { + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); provider.setMailAttribute(MAIL); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.of("fake")), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq("fake"), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); givenLoginInfoInSessionForDeleguatedAuthn(); @@ -368,12 +342,13 @@ public void testResolveAuthnDelegationMailAttributeNoValue() { identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME)) ).thenReturn(Optional.of(provider)); - val princAttributes = new HashMap>(); + final var princAttributes = new HashMap>(); princAttributes.put(MAIL, Collections.emptyList()); - val principal = resolver.resolve( + final var principal = resolver.resolve( new ClientCredential(null, PROVIDER_NAME), Optional.of(principalFactory.createPrincipal("fake", princAttributes)), + Optional.empty(), Optional.empty() ); @@ -381,18 +356,17 @@ public void testResolveAuthnDelegationMailAttributeNoValue() { } @Test - public void testResolveAuthnDelegationIdentifierAttributeNoValue() { - val provider = new IdentityProviderDto(); + public void testResolveAuthnDelegationIdentifierAttributeNoValue() throws Throwable { + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); provider.setIdentifierAttribute(IDENTIFIER_ATTRIBUTE); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.of("fake")), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq("fake"), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); givenLoginInfoInSessionForDeleguatedAuthn(); @@ -400,12 +374,13 @@ public void testResolveAuthnDelegationIdentifierAttributeNoValue() { identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME)) ).thenReturn(Optional.of(provider)); - val princAttributes = new HashMap>(); + final var princAttributes = new HashMap>(); princAttributes.put(IDENTIFIER, Collections.emptyList()); - val principal = resolver.resolve( + final var principal = resolver.resolve( new ClientCredential(null, PROVIDER_NAME), Optional.of(principalFactory.createPrincipal("fake", princAttributes)), + Optional.empty(), Optional.empty() ); @@ -415,158 +390,134 @@ public void testResolveAuthnDelegationIdentifierAttributeNoValue() { @Test public void testResolveSurrogateUser() { when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), + eq(""), eq(null), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER + "," + CommonConstants.SURROGATION_PARAMETER)) + eq(CommonConstants.AUTH_TOKEN_PARAMETER + "," + CommonConstants.SURROGATION_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); - when( - casRestClient.getUser( - any(HttpContext.class), - eq(ADMIN), - eq(ADMIN_CUSTOMER_ID), - eq(null), - eq(Optional.empty()), - eq(Optional.empty()) - ) - ).thenReturn(adminProfile()); + when(casApi.getUser(eq(ADMIN), eq(ADMIN_CUSTOMER_ID), eq(""), eq(null), eq(null))).thenReturn( + infoProfile(UserStatusEnum.ENABLED, ADMIN_ID) + ); - val credential = new SurrogateUsernamePasswordCredential(); + final var credential = new SurrogateUsernamePasswordCredential(); credential.setUsername(ADMIN); credential.setSurrogateUsername(USERNAME); - val principal = resolver.resolve(credential, Optional.of(createSubrogationPrincipal()), Optional.empty()); + final var principal = resolver.resolve( + credential, + Optional.of(createSubrogationPrincipal()), + Optional.empty(), + Optional.empty() + ); assertEquals(USERNAME_ID, principal.getId()); final Map> attributes = principal.getAttributes(); - assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).get(0)); + assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).getFirst()); assertEquals(List.of(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE)); - assertEquals(ADMIN, attributes.get(SUPER_USER_ATTRIBUTE).get(0)); - assertEquals(ADMIN_CUSTOMER_ID, attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE).get(0)); + assertEquals(ADMIN, attributes.get(SUPER_USER_ATTRIBUTE).getFirst()); + assertEquals(ADMIN_CUSTOMER_ID, attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE).getFirst()); } @Test - public void testResolveAuthnDelegationSurrogate() { + public void testResolveAuthnDelegationSurrogate() throws Throwable { when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), + eq(""), eq(null), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER + "," + CommonConstants.SURROGATION_PARAMETER)) + eq(CommonConstants.AUTH_TOKEN_PARAMETER + "," + CommonConstants.SURROGATION_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); - when( - casRestClient.getUser( - any(HttpContext.class), - eq(ADMIN), - eq(ADMIN_CUSTOMER_ID), - eq(null), - eq(Optional.empty()), - eq(Optional.empty()) - ) - ).thenReturn(adminProfile()); + when(casApi.getUser(eq(ADMIN), eq(ADMIN_CUSTOMER_ID), eq(""), eq(null), eq(null))).thenReturn( + infoProfile(UserStatusEnum.ENABLED, ADMIN_ID) + ); givenSubrogationInfoInSessionForDeleguatedAuthn(); when( identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME)) ).thenReturn(Optional.of(new IdentityProviderDto())); - val principal = resolver.resolve( + final var principal = resolver.resolve( new ClientCredential(null, PROVIDER_NAME), Optional.of(principalFactory.createPrincipal(ADMIN)), + Optional.empty(), Optional.empty() ); assertEquals(USERNAME_ID, principal.getId()); final Map> attributes = principal.getAttributes(); - assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).get(0)); + assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).getFirst()); assertEquals(List.of(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE)); - assertEquals(ADMIN, attributes.get(SUPER_USER_ATTRIBUTE).get(0)); - assertEquals(ADMIN_CUSTOMER_ID, attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE).get(0)); + assertEquals(ADMIN, attributes.get(SUPER_USER_ATTRIBUTE).getFirst()); + assertEquals(ADMIN_CUSTOMER_ID, attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE).getFirst()); } @Test - public void testResolveAuthnDelegationSurrogateMailAttribute() { + public void testResolveAuthnDelegationSurrogateMailAttribute() throws Throwable { when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), + eq(""), eq(null), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER + "," + CommonConstants.SURROGATION_PARAMETER)) + eq(CommonConstants.AUTH_TOKEN_PARAMETER + "," + CommonConstants.SURROGATION_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); - when( - casRestClient.getUser( - any(HttpContext.class), - eq(ADMIN), - eq(ADMIN_CUSTOMER_ID), - eq(null), - eq(Optional.empty()), - eq(Optional.empty()) - ) - ).thenReturn(adminProfile()); + when(casApi.getUser(eq(ADMIN), eq(ADMIN_CUSTOMER_ID), eq(""), eq(null), eq(null))).thenReturn( + infoProfile(UserStatusEnum.ENABLED, ADMIN_ID) + ); givenSubrogationInfoInSessionForDeleguatedAuthn(); - val provider = new IdentityProviderDto(); + final var provider = new IdentityProviderDto(); provider.setMailAttribute(MAIL); when( identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME)) ).thenReturn(Optional.of(provider)); - val princAttributes = new HashMap>(); + final var princAttributes = new HashMap>(); princAttributes.put(MAIL, Collections.singletonList(ADMIN)); - val principal = resolver.resolve( + final var principal = resolver.resolve( new ClientCredential(null, PROVIDER_NAME), Optional.of(principalFactory.createPrincipal("fake", princAttributes)), + Optional.empty(), Optional.empty() ); assertEquals(USERNAME_ID, principal.getId()); final Map> attributes = principal.getAttributes(); - assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).get(0)); + assertEquals(USERNAME, attributes.get(CommonConstants.EMAIL_ATTRIBUTE).getFirst()); assertEquals(List.of(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE)); - assertEquals(ADMIN, attributes.get(SUPER_USER_ATTRIBUTE).get(0)); - assertEquals(ADMIN_CUSTOMER_ID, attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE).get(0)); + assertEquals(ADMIN, attributes.get(SUPER_USER_ATTRIBUTE).getFirst()); + assertEquals(ADMIN_CUSTOMER_ID, attributes.get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE).getFirst()); } @Test - public void testResolveAuthnDelegationSurrogateMailAttributeNoMail() { + public void testResolveAuthnDelegationSurrogateMailAttributeNoMail() throws Throwable { when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), + eq(""), eq(null), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER + "," + CommonConstants.SURROGATION_PARAMETER)) + eq(CommonConstants.AUTH_TOKEN_PARAMETER + "," + CommonConstants.SURROGATION_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.ENABLED)); - when( - casRestClient.getUser( - any(HttpContext.class), - eq(ADMIN), - eq(ADMIN_CUSTOMER_ID), - eq(null), - eq(Optional.empty()), - eq(Optional.empty()) - ) - ).thenReturn(adminProfile()); + when(casApi.getUser(eq(ADMIN), eq(ADMIN_CUSTOMER_ID), eq(""), eq(null), eq(null))).thenReturn( + infoProfile(UserStatusEnum.ENABLED, ADMIN_ID) + ); givenSubrogationInfoInSessionForDeleguatedAuthn(); - val provider = new IdentityProviderDto(); + final var provider = new IdentityProviderDto(); provider.setMailAttribute(MAIL); when( identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME)) ).thenReturn(Optional.of(provider)); - val principal = resolver.resolve( + final var principal = resolver.resolve( new ClientCredential(null, PROVIDER_NAME), Optional.of(principalFactory.createPrincipal("fake")), + Optional.empty(), Optional.empty() ); @@ -575,21 +526,15 @@ public void testResolveAuthnDelegationSurrogateMailAttributeNoMail() { @Test public void testResolveAddressDeserializeSuccessfully() { - AuthUserDto authUserDto = userProfile(UserStatusEnum.ENABLED); + AuthUserDto userProfile = userProfile(UserStatusEnum.ENABLED); when( - casRestClient.getUser( - any(HttpContext.class), - eq(USERNAME), - eq(CUSTOMER_ID), - eq(null), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) - ) - ).thenReturn(authUserDto); + casApi.getUser(eq(USERNAME), eq(CUSTOMER_ID), eq(""), eq(null), eq(CommonConstants.AUTH_TOKEN_PARAMETER)) + ).thenReturn(userProfile); - val principal = resolver.resolve( + final var principal = resolver.resolve( new UsernamePasswordCredential(USERNAME, PWD), Optional.of(createLoginPrincipal()), + Optional.empty(), Optional.empty() ); @@ -597,15 +542,15 @@ public void testResolveAddressDeserializeSuccessfully() { AddressDto addressDto = (AddressDto) ((CasJsonWrapper) principal .getAttributes() .get(CommonConstants.ADDRESS_ATTRIBUTE) - .get(0)).getData(); - assertThat(addressDto).isEqualToComparingFieldByField(authUserDto.getAddress()); + .getFirst()).getData(); + assertThat(addressDto).isEqualToComparingFieldByField(userProfile.getAddress()); assertNull(principal.getAttributes().get(SUPER_USER_ATTRIBUTE)); assertNull(principal.getAttributes().get(SUPER_USER_CUSTOMER_ID_ATTRIBUTE)); } @Test public void testNoUser() { - val provider = new IdentityProviderDto(); + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); when( identityProviderHelper.findByUserIdentifierAndCustomerId( @@ -615,13 +560,12 @@ public void testNoUser() { ) ).thenReturn(Optional.of(provider)); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq(null), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(null); @@ -629,6 +573,7 @@ public void testNoUser() { resolver.resolve( new UsernamePasswordCredential(USERNAME, PWD), Optional.of(createLoginPrincipal()), + Optional.empty(), Optional.empty() ) ); @@ -636,7 +581,7 @@ public void testNoUser() { @Test public void testDisabledUser() { - val provider = new IdentityProviderDto(); + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); when( identityProviderHelper.findByUserIdentifierAndCustomerId( @@ -646,13 +591,12 @@ public void testDisabledUser() { ) ).thenReturn(Optional.of(provider)); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq(null), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.DISABLED)); @@ -660,6 +604,7 @@ public void testDisabledUser() { resolver.resolve( new UsernamePasswordCredential(USERNAME, PWD), Optional.of(createLoginPrincipal()), + Optional.empty(), Optional.empty() ) ); @@ -667,7 +612,7 @@ public void testDisabledUser() { @Test public void testUserCannotLogin() { - val provider = new IdentityProviderDto(); + final var provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); when( identityProviderHelper.findByUserIdentifierAndCustomerId( @@ -677,13 +622,12 @@ public void testUserCannotLogin() { ) ).thenReturn(Optional.of(provider)); when( - casRestClient.getUser( - any(HttpContext.class), + casApi.getUser( eq(USERNAME), eq(CUSTOMER_ID), eq(PROVIDER_ID), - eq(Optional.empty()), - eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)) + eq(null), + eq(CommonConstants.AUTH_TOKEN_PARAMETER) ) ).thenReturn(userProfile(UserStatusEnum.BLOCKED)); @@ -691,48 +635,60 @@ public void testUserCannotLogin() { resolver.resolve( new UsernamePasswordCredential(USERNAME, PWD), Optional.of(createLoginPrincipal()), + Optional.empty(), Optional.empty() ) ); } - private AuthUserDto adminProfile() { - return profile(UserStatusEnum.ENABLED, ADMIN_ID); - } - private AuthUserDto userProfile(final UserStatusEnum status) { - return profile(status, USERNAME_ID); + return infoProfile(status, USERNAME_ID); } - private AuthUserDto profile(final UserStatusEnum status, final String id) { - val user = new AuthUserDto(); - user.setId(id); - user.setStatus(status); - user.setType(UserTypeEnum.NOMINATIVE); - AddressDto address = new AddressDto(); + private AuthUserDto infoProfile(final UserStatusEnum status, final String id) { + final AddressDto address = new AddressDto(); address.setStreet("73 rue du faubourg poissonnière"); address.setZipCode("75009"); address.setCity("Paris"); address.setCountry("France"); + + final var user = new AuthUserDto(); + user.setId(id); + user.setStatus(status); + user.setType(UserTypeEnum.NOMINATIVE); user.setAddress(address); - val profile = new ProfileDto(); - profile.setRoles(List.of(new Role(ROLE_NAME))); - val group = new GroupDto(); - group.setProfiles(List.of(profile)); - user.setProfileGroup(group); user.setCustomerId("customerId"); + + Role role = new Role(); + role.setName(ROLE_NAME); + ProfileDto profile = new ProfileDto(); + profile.setRoles(Collections.singletonList(role)); + GroupDto group = new GroupDto(); + group.setProfiles(Collections.singletonList(profile)); + user.setProfileGroup(group); + return user; } private Principal createLoginPrincipal() { - Principal principal = principalFactory.createPrincipal(UserPrincipalResolverTest.USERNAME); + Principal principal; + try { + principal = principalFactory.createPrincipal(UserPrincipalResolverTest.USERNAME); + } catch (Throwable e) { + throw new RuntimeException(e); + } principal.getAttributes().put(Constants.FLOW_LOGIN_EMAIL, List.of(UserPrincipalResolverTest.USERNAME)); principal.getAttributes().put(Constants.FLOW_LOGIN_CUSTOMER_ID, List.of(UserPrincipalResolverTest.CUSTOMER_ID)); return principal; } private Principal createSubrogationPrincipal() { - Principal principal = principalFactory.createPrincipal(UserPrincipalResolverTest.ADMIN); + Principal principal; + try { + principal = principalFactory.createPrincipal(UserPrincipalResolverTest.ADMIN); + } catch (Throwable e) { + throw new RuntimeException(e); + } principal.getAttributes().put(Constants.FLOW_LOGIN_EMAIL, List.of(UserPrincipalResolverTest.ADMIN)); principal .getAttributes() diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/config/CustomSurrogateInitialAuthenticationActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/config/CustomSurrogateInitialAuthenticationActionTest.java index 224dfe69765..9f74044794d 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/config/CustomSurrogateInitialAuthenticationActionTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/config/CustomSurrogateInitialAuthenticationActionTest.java @@ -31,7 +31,7 @@ public void testNoSubrogationThanCredentialUnchanged() throws Exception { CustomSurrogateInitialAuthenticationAction instance = new CustomSurrogateInitialAuthenticationAction(); // When - instance.doExecute(context); + instance.execute(context); // Then assertThat(flowParameters.get("credential")).isEqualTo(usernamePasswordCredential); @@ -54,7 +54,7 @@ public void testSubrogationThanCredentialChanged() throws Exception { CustomSurrogateInitialAuthenticationAction instance = new CustomSurrogateInitialAuthenticationAction(); // When - instance.doExecute(context); + instance.execute(context); // Then Object credential = flowParameters.get("credential"); diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/provider/ProvidersServiceTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/delegation/ProvidersServiceTest.java similarity index 69% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/provider/ProvidersServiceTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/delegation/ProvidersServiceTest.java index ee9ae99a08b..c0f7d1349e1 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/provider/ProvidersServiceTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/delegation/ProvidersServiceTest.java @@ -1,13 +1,10 @@ -package fr.gouv.vitamui.cas.provider; +package fr.gouv.vitamui.cas.delegation; -import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.commons.rest.client.HttpContext; -import fr.gouv.vitamui.iam.client.IdentityProviderRestClient; -import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.dto.common.ProviderEmbeddedOptions; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; import fr.gouv.vitamui.iam.common.utils.Pac4jClientBuilder; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.IdentityProvidersApi; +import fr.gouv.vitamui.iam.openapiclient.domain.IdentityProviderDto; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; @@ -17,7 +14,7 @@ import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringRunner; -import java.util.Arrays; +import java.util.Collections; import java.util.List; import java.util.Optional; @@ -25,7 +22,6 @@ import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; -import static org.mockito.Mockito.any; import static org.mockito.Mockito.eq; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; @@ -44,7 +40,7 @@ public final class ProvidersServiceTest { private ProvidersService service; - private IdentityProviderRestClient restClient; + private IdentityProvidersApi identityProvidersApi; private SAML2Client saml2Client; @@ -54,11 +50,10 @@ public final class ProvidersServiceTest { @Before public void setUp() { - val clients = new Clients(); - val builder = mock(Pac4jClientBuilder.class); - restClient = mock(IdentityProviderRestClient.class); - val utils = new Utils(null, 0, null, null, ""); - service = new ProvidersService(clients, restClient, builder, utils); + final var clients = new Clients(); + final var builder = mock(Pac4jClientBuilder.class); + identityProvidersApi = mock(IdentityProvidersApi.class); + service = new ProvidersService(clients, identityProvidersApi, builder); provider = new IdentityProviderDto(); provider.setId(PROVIDER_ID); @@ -76,23 +71,22 @@ public void setUp() { @Test public void testGetProviders() { when( - restClient.getAll( - any(HttpContext.class), - eq(Optional.empty()), - eq(Optional.of(ProviderEmbeddedOptions.KEYSTORE + "," + ProviderEmbeddedOptions.IDPMETADATA)) + identityProvidersApi.getAll( + eq(null), + eq(ProviderEmbeddedOptions.KEYSTORE + "," + ProviderEmbeddedOptions.IDPMETADATA) ) - ).thenReturn(Arrays.asList(provider)); + ).thenReturn(Collections.singletonList(provider)); service.loadData(); - val missingProvider = identityProviderHelper.findByUserIdentifierAndCustomerId( + final var missingProvider = identityProviderHelper.findByUserIdentifierAndCustomerId( service.getProviders(), "user1@vitamui.com", CUSTOMER_ID ); assertFalse(missingProvider.isPresent()); - val userProvider = identityProviderHelper.findByUserIdentifierAndCustomerId( + final var userProvider = identityProviderHelper.findByUserIdentifierAndCustomerId( service.getProviders(), "user1@company.com", CUSTOMER_ID @@ -110,10 +104,9 @@ public void testReloadDoesNotThrowException() { @Test public void testNoProviderResponse() { when( - restClient.getAll( - any(HttpContext.class), - eq(Optional.empty()), - eq(Optional.of(ProviderEmbeddedOptions.KEYSTORE + "," + ProviderEmbeddedOptions.IDPMETADATA)) + identityProvidersApi.getAll( + eq(null), + eq(ProviderEmbeddedOptions.KEYSTORE + "," + ProviderEmbeddedOptions.IDPMETADATA) ) ).thenReturn(null); try { @@ -130,10 +123,9 @@ public void testNoProviderResponse() { @Test public void testBadProviderResponse() { when( - restClient.getAll( - any(HttpContext.class), - eq(Optional.empty()), - eq(Optional.of(ProviderEmbeddedOptions.KEYSTORE + "," + ProviderEmbeddedOptions.IDPMETADATA)) + identityProvidersApi.getAll( + eq(null), + eq(ProviderEmbeddedOptions.KEYSTORE + "," + ProviderEmbeddedOptions.IDPMETADATA) ) ).thenThrow(new RuntimeException(ERROR_MESSAGE)); diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/password/IamPasswordManagementServiceTest.java similarity index 66% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/password/IamPasswordManagementServiceTest.java index 23ccccc7dba..c8d4dc6f94e 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/password/IamPasswordManagementServiceTest.java @@ -34,29 +34,25 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.pm; +package fr.gouv.vitamui.cas.password; -import fr.gouv.vitam.common.exception.InvalidParseOperationException; import fr.gouv.vitamui.cas.BaseWebflowActionTest; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.commons.api.domain.UserDto; import fr.gouv.vitamui.commons.api.enums.UserStatusEnum; import fr.gouv.vitamui.commons.api.enums.UserTypeEnum; import fr.gouv.vitamui.commons.api.exception.BadRequestException; import fr.gouv.vitamui.commons.api.exception.InvalidAuthenticationException; -import fr.gouv.vitamui.commons.rest.client.HttpContext; import fr.gouv.vitamui.commons.security.client.config.password.PasswordConfiguration; import fr.gouv.vitamui.commons.security.client.password.PasswordValidator; -import fr.gouv.vitamui.iam.client.CasRestClient; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.UserDto; import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult; import org.apereo.cas.authentication.DefaultAuthentication; import org.apereo.cas.authentication.PreventedException; -import org.apereo.cas.authentication.credential.UsernamePasswordCredential; import org.apereo.cas.authentication.principal.Principal; import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService; import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties; @@ -64,11 +60,9 @@ import org.apereo.cas.pm.PasswordManagementQuery; import org.junit.Before; import org.junit.Test; -import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Value; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; -import org.springframework.test.context.junit4.SpringRunner; import org.springframework.util.LinkedMultiValueMap; import java.io.FileNotFoundException; @@ -100,7 +94,6 @@ /** * Tests {@link IamPasswordManagementService}. */ -@RunWith(SpringRunner.class) @ContextConfiguration(classes = { PasswordConfiguration.class }) @TestPropertySource(locations = "classpath:/application-test.properties") public final class IamPasswordManagementServiceTest extends BaseWebflowActionTest { @@ -114,41 +107,28 @@ public final class IamPasswordManagementServiceTest extends BaseWebflowActionTes private static final String PASSWORD_CONTAINS_DICTIONARY_INSENSITIVE = "admin-Change-itChange-it0!0!"; private IamPasswordManagementService service; - - private CasRestClient casRestClient; - - private ProvidersService providersService; - + private CasApi casApi; private Map> authAttributes; - private IdentityProviderDto identityProviderDto; - private IdentityProviderHelper identityProviderHelper; - - private PasswordValidator passwordValidator; - private Principal principal; - private PasswordManagementProperties passwordManagementProperties; - @Value("${cas.authn.pm.core.password-policy-pattern}") private String policyPattern; - private PasswordConfiguration passwordConfiguration; - @Before - public void setUp() throws FileNotFoundException, InvalidParseOperationException { + public void setUp() throws FileNotFoundException { super.setUp(); - casRestClient = mock(CasRestClient.class); - providersService = mock(ProvidersService.class); - passwordValidator = new PasswordValidator(); + casApi = mock(CasApi.class); + ProvidersService providersService = mock(ProvidersService.class); + PasswordValidator passwordValidator = new PasswordValidator(); identityProviderHelper = mock(IdentityProviderHelper.class); identityProviderDto = new IdentityProviderDto(); identityProviderDto.setInternal(true); - passwordManagementProperties = new PasswordManagementProperties(); + PasswordManagementProperties passwordManagementProperties = new PasswordManagementProperties(); passwordManagementProperties.getCore().setPasswordPolicyPattern(encode(policyPattern)); - passwordConfiguration = new PasswordConfiguration(); + PasswordConfiguration passwordConfiguration = new PasswordConfiguration(); passwordConfiguration.setCheckOccurrence(true); passwordConfiguration.setOccurrencesCharsNumber(4); when( @@ -157,21 +137,15 @@ public void setUp() throws FileNotFoundException, InvalidParseOperationException UserDto userDto = new UserDto(); userDto.setLastname("ADMIN"); userDto.setCustomerId(CUSTOMER_ID); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - any(Optional.class) - ) - ).thenReturn(userDto); - val utils = new Utils(null, 0, null, null, ""); + userDto.setStatus(UserStatusEnum.ENABLED); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn(java.util.List.of(userDto)); + final var utils = new Utils(null, 0, null, null, ""); service = new IamPasswordManagementService( passwordManagementProperties, null, null, null, - casRestClient, + casApi, providersService, identityProviderHelper, null, @@ -200,12 +174,15 @@ public void setUp() throws FileNotFoundException, InvalidParseOperationException } @Test - public void testChangePasswordSuccessfully() { + public void testChangePasswordSuccessfully() throws Throwable { + UserDto userDto = new UserDto(); + userDto.setLastname("ADMIN"); + userDto.setCustomerId(CUSTOMER_ID); + userDto.setStatus(UserStatusEnum.ENABLED); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn(java.util.List.of(userDto)); + assertTrue( - service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD), - new PasswordChangeRequest(EMAIL, PASSWORD, PASSWORD) - ) + service.change(new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), PASSWORD.toCharArray())) ); } @@ -214,8 +191,7 @@ public void testChangePasswordFailureNotMatchConfirmed() { assertThatCode( () -> service.change( - new UsernamePasswordCredential(EMAIL, NOT_PASSWORD), - new PasswordChangeRequest(EMAIL, PASSWORD, NOT_PASSWORD) + new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), NOT_PASSWORD.toCharArray()) ) ).isInstanceOf(IamPasswordManagementService.PasswordConfirmException.class); } @@ -225,19 +201,22 @@ public void testChangePasswordFailureNotConformWithRegex() { assertThatCode( () -> service.change( - new UsernamePasswordCredential(EMAIL, BAD_PASSWORD), - new PasswordChangeRequest(EMAIL, BAD_PASSWORD, BAD_PASSWORD) + new PasswordChangeRequest(EMAIL, null, BAD_PASSWORD.toCharArray(), BAD_PASSWORD.toCharArray()) ) ).isInstanceOf(IamPasswordManagementService.PasswordNotMatchRegexException.class); } @Test - public void testChangePasswordFailureBecauseOfPresenceOfUsernameOccurenceInPassword() { + public void testChangePasswordFailureBecauseOfPresenceOfUsernameOccurrenceInPassword() throws Throwable { try { assertTrue( service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD_CONTAINS_DICTIONARY), - new PasswordChangeRequest(EMAIL, PASSWORD_CONTAINS_DICTIONARY, PASSWORD_CONTAINS_DICTIONARY) + new PasswordChangeRequest( + EMAIL, + null, + PASSWORD_CONTAINS_DICTIONARY.toCharArray(), + PASSWORD_CONTAINS_DICTIONARY.toCharArray() + ) ) ); fail("should fail"); @@ -247,15 +226,16 @@ public void testChangePasswordFailureBecauseOfPresenceOfUsernameOccurenceInPassw } @Test - public void testChangePasswordFailureBecauseOfPresenceOfUsernameOccurenceInsensitiveCaseInPassword() { + public void testChangePasswordFailureBecauseOfPresenceOfUsernameOccurrenceInsensitiveCaseInPassword() + throws Throwable { try { assertTrue( service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD_CONTAINS_DICTIONARY_INSENSITIVE), new PasswordChangeRequest( EMAIL, - PASSWORD_CONTAINS_DICTIONARY_INSENSITIVE, - PASSWORD_CONTAINS_DICTIONARY_INSENSITIVE + null, + PASSWORD_CONTAINS_DICTIONARY_INSENSITIVE.toCharArray(), + PASSWORD_CONTAINS_DICTIONARY_INSENSITIVE.toCharArray() ) ) ); @@ -266,24 +246,15 @@ public void testChangePasswordFailureBecauseOfPresenceOfUsernameOccurenceInsensi } @Test - public void testChangePasswordFailureBecauseOfGenericUser() { + public void testChangePasswordFailureBecauseOfGenericUser() throws Throwable { try { UserDto userDto = new UserDto(); userDto.setType(UserTypeEnum.GENERIC); userDto.setCustomerId(CUSTOMER_ID); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - any(Optional.class) - ) - ).thenReturn(userDto); + userDto.setStatus(UserStatusEnum.ENABLED); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn(java.util.List.of(userDto)); assertTrue( - service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD), - new PasswordChangeRequest(EMAIL, PASSWORD, PASSWORD) - ) + service.change(new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), PASSWORD.toCharArray())) ); fail("should fail"); } catch (final IllegalArgumentException e) { @@ -292,42 +263,33 @@ public void testChangePasswordFailureBecauseOfGenericUser() { } @Test - public void testChangePasswordOKWhenUsernameLengthIsLowerThanCheckOccurrenceCharNumber() { + public void testChangePasswordOKWhenUsernameLengthIsLowerThanCheckOccurrenceCharNumber() throws Throwable { UserDto userDto = new UserDto(); userDto.setLastname("ADMI"); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - any(Optional.class) - ) - ).thenReturn(userDto); + userDto.setCustomerId(CUSTOMER_ID); + userDto.setStatus(UserStatusEnum.ENABLED); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn(java.util.List.of(userDto)); assertTrue( - service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD), - new PasswordChangeRequest(EMAIL, PASSWORD, PASSWORD) - ) + service.change(new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), PASSWORD.toCharArray())) ); } @Test - public void testChangePasswordFailureBecausePasswordContaisnFullUsernameThenReturnException() { + public void testChangePasswordFailureBecausePasswordContainsFullUsernameThenReturnException() throws Throwable { try { UserDto userDto = new UserDto(); userDto.setLastname("ADMIN"); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - any(Optional.class) - ) - ).thenReturn(userDto); + userDto.setCustomerId(CUSTOMER_ID); + userDto.setStatus(UserStatusEnum.ENABLED); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn(java.util.List.of(userDto)); assertTrue( service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD_CONTAINS_DICTIONARY), - new PasswordChangeRequest(EMAIL, PASSWORD_CONTAINS_DICTIONARY, PASSWORD_CONTAINS_DICTIONARY) + new PasswordChangeRequest( + EMAIL, + null, + PASSWORD_CONTAINS_DICTIONARY.toCharArray(), + PASSWORD_CONTAINS_DICTIONARY.toCharArray() + ) ) ); fail("should fail"); @@ -337,17 +299,14 @@ public void testChangePasswordFailureBecausePasswordContaisnFullUsernameThenRetu } @Test - public void testChangePasswordFailsBecauseOfASuperUser() { + public void testChangePasswordFailsBecauseOfASuperUser() throws Throwable { authAttributes.put( SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL, Collections.singletonList("fakeSuperUser") ); try { - service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD), - new PasswordChangeRequest(EMAIL, PASSWORD, PASSWORD) - ); + service.change(new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), PASSWORD.toCharArray())); fail("should fail"); } catch (final IllegalArgumentException e) { assertEquals("cannot use password management with subrogation", e.getMessage()); @@ -355,17 +314,14 @@ public void testChangePasswordFailsBecauseOfASuperUser() { } @Test - public void testChangePasswordFailsBecauseOfASuperUser2() { - val attributes = new HashMap>(); + public void testChangePasswordFailsBecauseOfASuperUser2() throws Throwable { + final var attributes = new HashMap>(); attributes.put(SUPER_USER_ATTRIBUTE, Collections.singletonList("fakeSuperUser")); attributes.put(SUPER_USER_CUSTOMER_ID_ATTRIBUTE, Collections.singletonList("fakeSuperUserCustomerId")); when(principal.getAttributes()).thenReturn(attributes); try { - service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD), - new PasswordChangeRequest(EMAIL, PASSWORD, PASSWORD) - ); + service.change(new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), PASSWORD.toCharArray())); fail("should fail"); } catch (final IllegalArgumentException e) { assertEquals("cannot use password management with subrogation", e.getMessage()); @@ -373,14 +329,11 @@ public void testChangePasswordFailsBecauseOfASuperUser2() { } @Test - public void testChangePasswordFailsBecauseUserIsExternal() { + public void testChangePasswordFailsBecauseUserIsExternal() throws Throwable { identityProviderDto.setInternal(null); try { - service.change( - new UsernamePasswordCredential(EMAIL, null), - new PasswordChangeRequest(EMAIL, PASSWORD, PASSWORD) - ); + service.change(new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), PASSWORD.toCharArray())); fail("should fail"); } catch (final IllegalArgumentException e) { assertEquals("only an internal user [" + EMAIL + "] can change his password", e.getMessage()); @@ -388,16 +341,13 @@ public void testChangePasswordFailsBecauseUserIsExternal() { } @Test - public void testChangePasswordFailsBecauseUserIsNotLinkedToAnIdentityProvider() { + public void testChangePasswordFailsBecauseUserIsNotLinkedToAnIdentityProvider() throws Throwable { when( identityProviderHelper.findByUserIdentifierAndCustomerId(anyList(), eq(EMAIL), eq(CUSTOMER_ID)) ).thenReturn(Optional.empty()); try { - service.change( - new UsernamePasswordCredential(EMAIL, null), - new PasswordChangeRequest(EMAIL, PASSWORD, PASSWORD) - ); + service.change(new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), PASSWORD.toCharArray())); fail("should fail"); } catch (final IllegalArgumentException e) { assertEquals( @@ -408,29 +358,21 @@ public void testChangePasswordFailsBecauseUserIsNotLinkedToAnIdentityProvider() } @Test - public void testChangePasswordFailsAtServer() { + public void testChangePasswordFailsAtServer() throws Throwable { doThrow(new InvalidAuthenticationException("")) - .when(casRestClient) - .changePassword(any(HttpContext.class), any(String.class), any(String.class), any(String.class)); + .when(casApi) + .changePassword(any(String.class), any(String.class), any(String.class)); assertFalse( - service.change( - new UsernamePasswordCredential(EMAIL, PASSWORD), - new PasswordChangeRequest(EMAIL, PASSWORD, PASSWORD) - ) + service.change(new PasswordChangeRequest(EMAIL, null, PASSWORD.toCharArray(), PASSWORD.toCharArray())) ); } @Test public void testFindEmailOk() { - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - eq(Optional.empty()) - ) - ).thenReturn(user(UserStatusEnum.ENABLED)); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn( + java.util.List.of(user(UserStatusEnum.ENABLED)) + ); assertEquals(EMAIL, service.findEmail(getPasswordManagementQuery())); } @@ -443,14 +385,7 @@ private static PasswordManagementQuery getPasswordManagementQuery() { @Test public void testFindEmailErrorThrown() { - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - eq(Optional.empty()) - ) - ).thenThrow(new BadRequestException("error")); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenThrow(new BadRequestException("error")); assertThatThrownBy(() -> service.findEmail(getPasswordManagementQuery())).isInstanceOf( PreventedException.class @@ -459,48 +394,35 @@ public void testFindEmailErrorThrown() { @Test public void testFindEmailUserNull() { - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - eq(Optional.empty()) - ) - ).thenReturn(null); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn(java.util.Collections.emptyList()); assertNull(service.findEmail(getPasswordManagementQuery())); } @Test public void testFindEmailUserDisabled() { - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - eq(Optional.empty()) - ) - ).thenReturn(user(UserStatusEnum.DISABLED)); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn( + java.util.List.of(user(UserStatusEnum.DISABLED)) + ); assertNull(service.findEmail(getPasswordManagementQuery())); } @Test(expected = UnsupportedOperationException.class) public void testGetSecurityQuestionsOk() { - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(EMAIL), - eq(CUSTOMER_ID), - eq(Optional.empty()) - ) - ).thenReturn(user(UserStatusEnum.ENABLED)); + when(casApi.getUsersByEmail(eq(EMAIL), eq(CUSTOMER_ID))).thenReturn( + java.util.List.of(infoProfile(UserStatusEnum.ENABLED, null)) + ); service.getSecurityQuestions(getPasswordManagementQuery()); } private UserDto user(final UserStatusEnum status) { - val user = new UserDto(); + return infoProfile(status, "id"); + } + + private UserDto infoProfile(final UserStatusEnum status, final String id) { + final var user = new UserDto(); user.setStatus(status); user.setEmail(EMAIL); user.setCustomerId(CUSTOMER_ID); @@ -508,7 +430,8 @@ private UserDto user(final UserStatusEnum status) { } /* - * application properties are by default encod with */ + * application properties are by default encod with + */ private String encode(String policyPattern) { return new String(policyPattern.getBytes(StandardCharsets.UTF_8), StandardCharsets.UTF_8); } diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/PasswordConfigurationTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/password/PasswordConfigurationTest.java similarity index 98% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/PasswordConfigurationTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/password/PasswordConfigurationTest.java index 2d69ad0e084..f368a0e77c2 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/PasswordConfigurationTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/password/PasswordConfigurationTest.java @@ -34,7 +34,7 @@ * The fact that you are presently reading this means that you have had * knowledge of the CeCILL-C license and that you accept its terms. */ -package fr.gouv.vitamui.cas.pm; +package fr.gouv.vitamui.cas.password; import fr.gouv.vitamui.commons.security.client.config.password.PasswordConfiguration; import org.junit.Assert; diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedClientAuthenticationActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedClientAuthenticationActionTest.java index 5ac00b45273..ea90a1bd871 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedClientAuthenticationActionTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CustomDelegatedClientAuthenticationActionTest.java @@ -1,14 +1,13 @@ package fr.gouv.vitamui.cas.webflow.actions; -import fr.gouv.vitam.common.exception.InvalidParseOperationException; import fr.gouv.vitamui.cas.BaseWebflowActionTest; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.iam.client.CasRestClient; +import fr.gouv.vitamui.cas.webflow.login.actions.CustomDelegatedClientAuthenticationAction; import fr.gouv.vitamui.iam.common.dto.CustomerDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; -import lombok.val; +import fr.gouv.vitamui.iam.openapiclient.CasApi; import org.apereo.cas.authentication.SurrogateUsernamePasswordCredential; import org.apereo.cas.pac4j.client.DelegatedClientAuthenticationFailureEvaluator; import org.apereo.cas.pac4j.client.DelegatedClientNameExtractor; @@ -18,10 +17,8 @@ import org.apereo.cas.web.flow.DelegatedClientIdentityProviderConfigurationProducer; import org.junit.Before; import org.junit.Test; -import org.junit.runner.RunWith; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; -import org.springframework.test.context.junit4.SpringRunner; import java.io.FileNotFoundException; import java.util.List; @@ -29,7 +26,6 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.junit.Assert.assertNull; -import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.doReturn; import static org.mockito.Mockito.mock; @@ -38,7 +34,6 @@ /** * Tests {@link CustomDelegatedClientAuthenticationAction}. */ -@RunWith(SpringRunner.class) @ContextConfiguration(classes = CustomDelegatedClientAuthenticationActionTest.class) @TestPropertySource(locations = "classpath:/application-test.properties") public final class CustomDelegatedClientAuthenticationActionTest extends BaseWebflowActionTest { @@ -56,23 +51,27 @@ public final class CustomDelegatedClientAuthenticationActionTest extends BaseWeb @Override @Before - public void setUp() throws FileNotFoundException, InvalidParseOperationException { + public void setUp() throws FileNotFoundException { super.setUp(); - val configContext = mock(DelegatedClientAuthenticationConfigurationContext.class); + final var configContext = mock(DelegatedClientAuthenticationConfigurationContext.class); when(configContext.getDelegatedClientIdentityProvidersProducer()).thenReturn( mock(DelegatedClientIdentityProviderConfigurationProducer.class) ); when(configContext.getDelegatedClientNameExtractor()).thenReturn(mock(DelegatedClientNameExtractor.class)); + final var casProperties = mock( + org.apereo.cas.configuration.CasConfigurationProperties.class, + org.mockito.Answers.RETURNS_DEEP_STUBS + ); + when(configContext.getCasProperties()).thenReturn(casProperties); + when(casProperties.getAuthn().getPac4j().getCore().getName()).thenReturn("clientName"); - CasRestClient casRestClient = mock(CasRestClient.class); + CasApi casApi = mock(CasApi.class); CustomerDto surrogateCustomerDto = new CustomerDto(); surrogateCustomerDto.setCode(CODE); surrogateCustomerDto.setName(COMPANY); surrogateCustomerDto.setId(CUSTOMER_ID_2); - doReturn(List.of(surrogateCustomerDto)) - .when(casRestClient) - .getCustomersByIds(any(), eq(List.of(CUSTOMER_ID_2))); + doReturn(List.of(surrogateCustomerDto)).when(casApi).getCustomersByIds(eq(List.of(CUSTOMER_ID_2))); action = new CustomDelegatedClientAuthenticationAction( configContext, @@ -82,16 +81,16 @@ public void setUp() throws FileNotFoundException, InvalidParseOperationException mock(ProvidersService.class), mock(Utils.class), mock(TicketRegistry.class), - casRestClient, + casApi, "" ); } @Test - public void testPreProvidedUsername() { + public void testPreProvidedUsername() throws Exception { requestParameters.put("username", EMAIL1); - action.doExecute(context); + action.execute(context); assertThat(flowParameters.get(Constants.PROVIDED_USERNAME)).isEqualTo(EMAIL1); @@ -105,19 +104,19 @@ public void testPreProvidedUsername() { public void testInvalidPreProvidedUsername() { requestParameters.put("username", BAD_EMAIL); - assertThatThrownBy(() -> action.doExecute(context)) + assertThatThrownBy(() -> action.execute(context)) .isInstanceOf(IllegalArgumentException.class) .hasMessageContaining("format is not allowed"); } @Test - public void testSubrogation() { + public void testSubrogation() throws Exception { requestParameters.put(Constants.LOGIN_SUPER_USER_EMAIL_PARAM, EMAIL1); requestParameters.put(Constants.LOGIN_SUPER_USER_CUSTOMER_ID_PARAM, CUSTOMER_ID_1); requestParameters.put(Constants.LOGIN_SURROGATE_EMAIL_PARAM, EMAIL2); requestParameters.put(Constants.LOGIN_SURROGATE_CUSTOMER_ID_PARAM, CUSTOMER_ID_2); - action.doExecute(context); + action.execute(context); assertThat(flowParameters.get("credential")).isOfAnyClassIn(SurrogateUsernamePasswordCredential.class); SurrogateUsernamePasswordCredential credential = @@ -142,7 +141,7 @@ public void testInvalidSubrogationEmail() { requestParameters.put(Constants.LOGIN_SURROGATE_EMAIL_PARAM, EMAIL2); requestParameters.put(Constants.LOGIN_SURROGATE_CUSTOMER_ID_PARAM, CUSTOMER_ID_2); - assertThatThrownBy(() -> action.doExecute(context)) + assertThatThrownBy(() -> action.execute(context)) .isInstanceOf(IllegalArgumentException.class) .hasMessageContaining("format is not allowed"); } @@ -154,14 +153,14 @@ public void testInvalidSubrogationCustomerId() { requestParameters.put(Constants.LOGIN_SURROGATE_EMAIL_PARAM, EMAIL2); requestParameters.put(Constants.LOGIN_SURROGATE_CUSTOMER_ID_PARAM, BAD_CUSTOMER_ID); - assertThatThrownBy(() -> action.doExecute(context)) + assertThatThrownBy(() -> action.execute(context)) .isInstanceOf(IllegalArgumentException.class) .hasMessageContaining("Invalid customerId"); } @Test - public void testNoUsernameAndNoSubrogation() { - action.doExecute(context); + public void testNoUsernameAndNoSubrogation() throws Exception { + action.execute(context); assertNull(flowParameters.get(Constants.PROVIDED_USERNAME)); diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/GeneralTerminateSessionActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/GeneralTerminateSessionActionTest.java deleted file mode 100644 index 2da8d294e96..00000000000 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/GeneralTerminateSessionActionTest.java +++ /dev/null @@ -1,59 +0,0 @@ -package fr.gouv.vitamui.cas.webflow.actions; - -import fr.gouv.vitamui.cas.BaseWebflowActionTest; -import org.apereo.cas.configuration.CasConfigurationProperties; -import org.apereo.cas.logout.LogoutManager; -import org.apereo.cas.services.RegexRegisteredService; -import org.apereo.cas.services.ServicesManager; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.springframework.test.context.ContextConfiguration; -import org.springframework.test.context.TestPropertySource; -import org.springframework.test.context.junit4.SpringRunner; - -import java.util.Arrays; - -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - -/** - * Tests the customized {@link GeneralTerminateSessionAction}. - * - * - */ -@RunWith(SpringRunner.class) -@ContextConfiguration(classes = GeneralTerminateSessionActionTest.class) -@TestPropertySource(locations = "classpath:/application-test.properties") -public final class GeneralTerminateSessionActionTest extends BaseWebflowActionTest { - - private static final String LOGOUT_URL = "http://dev.vitamui.com:8080/cas/app1/callback"; - - @Test - public void test() { - final ServicesManager servicesManager = mock(ServicesManager.class); - RegexRegisteredService registeredService = new RegexRegisteredService(); - registeredService.setLogoutUrl(LOGOUT_URL); - when(servicesManager.getAllServices()).thenReturn(Arrays.asList(registeredService)); - - final LogoutManager logoutManager = mock(LogoutManager.class); - - final GeneralTerminateSessionAction action = new GeneralTerminateSessionAction( - null, - null, - null, - null, - logoutManager, - null, - null, - null, - null, - servicesManager, - new CasConfigurationProperties(), - null, - null, - null - ); - - action.performGeneralLogout("tgtId"); - } -} diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/TerminateApiSessionActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/TerminateApiSessionActionTest.java new file mode 100644 index 00000000000..90e616cd418 --- /dev/null +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/TerminateApiSessionActionTest.java @@ -0,0 +1,142 @@ +package fr.gouv.vitamui.cas.webflow.actions; + +import fr.gouv.vitamui.cas.BaseWebflowActionTest; +import fr.gouv.vitamui.cas.logout.TerminateApiSessionAction; +import fr.gouv.vitamui.cas.util.Utils; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import org.apereo.cas.CentralAuthenticationService; +import org.apereo.cas.authentication.Authentication; +import org.apereo.cas.authentication.principal.WebApplicationService; +import org.apereo.cas.configuration.CasConfigurationProperties; +import org.apereo.cas.configuration.model.core.logout.LogoutProperties; +import org.apereo.cas.logout.LogoutManager; +import org.apereo.cas.logout.slo.SingleLogoutRequestContext; +import org.apereo.cas.services.RegexRegisteredService; +import org.apereo.cas.services.ServicesManager; +import org.apereo.cas.ticket.ServiceTicket; +import org.apereo.cas.ticket.TicketGrantingTicket; +import org.apereo.cas.ticket.registry.TicketRegistry; +import org.apereo.cas.web.cookie.CasCookieBuilder; +import org.junit.Assert; +import org.junit.Test; +import org.springframework.context.ConfigurableApplicationContext; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.TestPropertySource; +import org.springframework.webflow.execution.Action; + +import java.util.Collections; +import java.util.List; + +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +/** + * Tests the customized {@link TerminateApiSessionAction}. + */ +@ContextConfiguration(classes = TerminateApiSessionActionTest.class) +@TestPropertySource(locations = "classpath:/application-test.properties") +public final class TerminateApiSessionActionTest extends BaseWebflowActionTest { + + private static final String LOGOUT_URL = "http://dev.vitamui.com:8080/cas/app1/callback"; + + @Test + public void testPerformGeneralLogout() throws Throwable { + // Mocker ServicesManager + final ServicesManager servicesManager = mock(ServicesManager.class); + RegexRegisteredService registeredService = new RegexRegisteredService(); + registeredService.setLogoutUrl(LOGOUT_URL); + when(servicesManager.getAllServices()).thenReturn(List.of(registeredService)); + + // Mocker LogoutManager + final LogoutManager logoutManager = mock(LogoutManager.class); + when(logoutManager.performLogout(any())).thenReturn(Collections.emptyList()); + + // Mocker les autres dépendances + final CentralAuthenticationService cas = mock(CentralAuthenticationService.class); + final CasCookieBuilder ticketCookie = mock(CasCookieBuilder.class); + final CasCookieBuilder warnCookie = mock(CasCookieBuilder.class); + final CasConfigurationProperties casProperties = mock(CasConfigurationProperties.class); + when(casProperties.getLogout()).thenReturn(new LogoutProperties()); + final Action frontChannelLogoutAction = mock(Action.class); + final TicketRegistry ticketRegistry = mock(TicketRegistry.class); + final Utils utils = mock(Utils.class); + final CasApi casApi = mock(CasApi.class); + + // Créer l'action avec les mocks + final TestableTerminateApiSessionAction action = new TestableTerminateApiSessionAction( + cas, + ticketCookie, + warnCookie, + casProperties.getLogout(), + logoutManager, + mock(ConfigurableApplicationContext.class), + utils, + casApi, + servicesManager, + casProperties, + frontChannelLogoutAction, + ticketRegistry + ); + + // Mocker le TGT factice et le ST pour CAS 7 + final TicketGrantingTicket fakeTgt = mock(TicketGrantingTicket.class); + final Authentication fakeAuth = mock(Authentication.class); + when(fakeTgt.getAuthentication()).thenReturn(fakeAuth); + when(fakeAuth.getPrincipal()).thenReturn(() -> "tgtId"); + when(cas.createTicketGrantingTicket(any())).thenReturn(fakeTgt); + when(cas.grantServiceTicket(anyString(), any(WebApplicationService.class), any())).thenReturn( + mock(ServiceTicket.class) + ); + + List result = action.performGeneralLogoutPublic("tgtId"); + Assert.assertNotNull(result); + verify(logoutManager).performLogout(any()); + + // Vérification simple + Assert.assertNotNull(result); + verify(logoutManager, times(1)).performLogout(any()); + } + + private static class TestableTerminateApiSessionAction extends TerminateApiSessionAction { + + public TestableTerminateApiSessionAction( + CentralAuthenticationService cas, + CasCookieBuilder ticketCookie, + CasCookieBuilder warnCookie, + LogoutProperties logoutProps, + LogoutManager logoutManager, + ConfigurableApplicationContext ctx, + Utils utils, + CasApi casApi, + ServicesManager servicesManager, + CasConfigurationProperties casProperties, + Action frontChannelLogoutAction, + TicketRegistry ticketRegistry + ) { + super( + cas, + ticketCookie, + warnCookie, + logoutProps, + logoutManager, + ctx, + utils, + casApi, + servicesManager, + casProperties, + frontChannelLogoutAction, + ticketRegistry, + null + ); + } + + // Expose protected method as public for testing + public List performGeneralLogoutPublic(String tgtId) { + return performGeneralLogout(tgtId); + } + } +} diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/CheckSubrogationActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/CheckSubrogationActionTest.java new file mode 100644 index 00000000000..ef46e2e09d1 --- /dev/null +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/CheckSubrogationActionTest.java @@ -0,0 +1,82 @@ +package fr.gouv.vitamui.cas.webflow.login.actions; + +import fr.gouv.vitamui.cas.BaseWebflowActionTest; +import fr.gouv.vitamui.cas.util.Constants; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.CustomerDto; +import org.junit.Before; +import org.junit.Test; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.TestPropertySource; +import org.springframework.webflow.execution.Event; + +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.ArgumentMatchers.anyList; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +@ContextConfiguration(classes = CheckSubrogationActionTest.class) +@TestPropertySource(locations = "classpath:/application-test.properties") +public class CheckSubrogationActionTest extends BaseWebflowActionTest { + + private CasApi casApi; + private CheckSubrogationAction checkSubrogationAction; + + @Before + public void before() { + casApi = mock(CasApi.class); + checkSubrogationAction = new CheckSubrogationAction(casApi); + } + + @Test + public void shouldReturnProceedWhenNoSubrogationParams() { + // When + Event event = checkSubrogationAction.doExecute(context); + + // Then + assertThat(event.getId()).isEqualTo(CheckSubrogationAction.PROCEED); + } + + @Test + public void shouldReturnSubrogationWhenValidParams() { + // Given + requestParameters.put(Constants.LOGIN_SURROGATE_EMAIL_PARAM, "surrogate@vitamui.fr"); + requestParameters.put(Constants.LOGIN_SURROGATE_CUSTOMER_ID_PARAM, "customerSurrogate"); + requestParameters.put(Constants.LOGIN_SUPER_USER_EMAIL_PARAM, "admin@vitamui.fr"); + requestParameters.put(Constants.LOGIN_SUPER_USER_CUSTOMER_ID_PARAM, "customerAdmin"); + + CustomerDto customerDto = new CustomerDto(); + customerDto.setCode("SURR"); + customerDto.setName("Surrogate Customer"); + when(casApi.getCustomersByIds(anyList())).thenReturn(List.of(customerDto)); + + // When + Event event = checkSubrogationAction.doExecute(context); + + // Then + assertThat(event.getId()).isEqualTo(CheckSubrogationAction.SUBROGATION); + assertThat(flowParameters.get(Constants.FLOW_SURROGATE_EMAIL)).isEqualTo("surrogate@vitamui.fr"); + assertThat(flowParameters.get(Constants.FLOW_SURROGATE_CUSTOMER_ID)).isEqualTo("customerSurrogate"); + assertThat(flowParameters.get(Constants.FLOW_LOGIN_EMAIL)).isEqualTo("admin@vitamui.fr"); + assertThat(flowParameters.get(Constants.FLOW_LOGIN_CUSTOMER_ID)).isEqualTo("customerAdmin"); + assertThat(flowParameters.get(Constants.SHOW_SURROGATE_CUSTOMER_CODE)).isEqualTo("SURR"); + assertThat(flowParameters.get(Constants.SHOW_SURROGATE_CUSTOMER_NAME)).isEqualTo("Surrogate Customer"); + } + + @Test + public void shouldReturnProceedWhenInvalidEmail() { + // Given + requestParameters.put(Constants.LOGIN_SURROGATE_EMAIL_PARAM, "invalid-email"); + requestParameters.put(Constants.LOGIN_SURROGATE_CUSTOMER_ID_PARAM, "customerSurrogate"); + requestParameters.put(Constants.LOGIN_SUPER_USER_EMAIL_PARAM, "admin@vitamui.fr"); + requestParameters.put(Constants.LOGIN_SUPER_USER_CUSTOMER_ID_PARAM, "customerAdmin"); + + // When + Event event = checkSubrogationAction.doExecute(context); + + // Then + assertThat(event.getId()).isEqualTo(CheckSubrogationAction.PROCEED); + } +} diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CustomerSelectedActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomerSelectedActionTest.java similarity index 94% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CustomerSelectedActionTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomerSelectedActionTest.java index 19668cc51df..f09409151ac 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CustomerSelectedActionTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/CustomerSelectedActionTest.java @@ -1,4 +1,4 @@ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; import fr.gouv.vitamui.cas.BaseWebflowActionTest; import fr.gouv.vitamui.cas.model.CustomerModel; @@ -14,7 +14,7 @@ import java.io.IOException; import java.util.List; -import static fr.gouv.vitamui.cas.webflow.configurer.CustomLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTED; +import static fr.gouv.vitamui.cas.webflow.login.VitamLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTED; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatThrownBy; diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/DispatcherActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/DispatcherActionTest.java similarity index 78% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/DispatcherActionTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/DispatcherActionTest.java index 3d169c77964..744fd05cbe7 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/DispatcherActionTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/DispatcherActionTest.java @@ -1,25 +1,21 @@ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; -import fr.gouv.vitam.common.exception.InvalidParseOperationException; import fr.gouv.vitamui.cas.BaseWebflowActionTest; -import fr.gouv.vitamui.cas.provider.Pac4jClientIdentityProviderDto; -import fr.gouv.vitamui.cas.provider.ProvidersService; +import fr.gouv.vitamui.cas.delegation.Pac4jClientIdentityProviderDto; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.commons.api.domain.UserDto; import fr.gouv.vitamui.commons.api.enums.UserStatusEnum; -import fr.gouv.vitamui.commons.rest.client.HttpContext; -import fr.gouv.vitamui.iam.client.CasRestClient; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.UserDto; import org.junit.Before; import org.junit.Test; -import org.junit.runner.RunWith; import org.pac4j.core.context.session.SessionStore; import org.pac4j.saml.client.SAML2Client; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; -import org.springframework.test.context.junit4.SpringRunner; import org.springframework.webflow.execution.Event; import java.io.FileNotFoundException; @@ -28,7 +24,6 @@ import static org.junit.Assert.assertEquals; import static org.mockito.ArgumentMatchers.anyList; -import static org.mockito.Mockito.any; import static org.mockito.Mockito.eq; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; @@ -36,7 +31,6 @@ /** * Tests {@link DispatcherAction}. */ -@RunWith(SpringRunner.class) @ContextConfiguration(classes = DispatcherActionTest.class) @TestPropertySource(locations = "classpath:/application-test.properties") public final class DispatcherActionTest extends BaseWebflowActionTest { @@ -46,11 +40,9 @@ public final class DispatcherActionTest extends BaseWebflowActionTest { private static final String USER_2 = "user2@vitamui.fr"; private static final String CUSTOMER_ID_2 = "customer2"; - private static final String PASSWORD = "password"; - private IdentityProviderHelper identityProviderHelper; - private CasRestClient casRestClient; + private CasApi casApi; private DispatcherAction action; @@ -58,18 +50,18 @@ public final class DispatcherActionTest extends BaseWebflowActionTest { @Override @Before - public void setUp() throws FileNotFoundException, InvalidParseOperationException { + public void setUp() throws FileNotFoundException { super.setUp(); ProvidersService providersService = mock(ProvidersService.class); identityProviderHelper = mock(IdentityProviderHelper.class); - casRestClient = mock(CasRestClient.class); + casApi = mock(CasApi.class); final Utils utils = new Utils(null, 0, null, null, ""); action = new DispatcherAction( providersService, identityProviderHelper, - casRestClient, + casApi, utils, mock(SessionStore.class) ); @@ -118,15 +110,9 @@ public void testInternalAuthnDisabled() throws IOException { flowParameters.remove(Constants.FLOW_SURROGATE_CUSTOMER_ID); UserDto userDto = new UserDto(); + userDto.setCustomerId(CUSTOMER_ID_1); userDto.setStatus(UserStatusEnum.BLOCKED); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(USER_1), - eq(CUSTOMER_ID_1), - eq(Optional.empty()) - ) - ).thenReturn(userDto); + when(casApi.getUsersByEmail(eq(USER_1), eq(null))).thenReturn(java.util.List.of(userDto)); final Event event = action.doExecute(context); @@ -153,15 +139,9 @@ public void testInternalSubrogationSurrogateDisabled() throws IOException { flowParameters.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, CUSTOMER_ID_2); UserDto userDto = new UserDto(); + userDto.setCustomerId(CUSTOMER_ID_2); userDto.setStatus(UserStatusEnum.BLOCKED); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(USER_2), - eq(CUSTOMER_ID_2), - eq(Optional.empty()) - ) - ).thenReturn(userDto); + when(casApi.getUsersByEmail(eq(USER_2), eq(null))).thenReturn(java.util.List.of(userDto)); final Event event = action.doExecute(context); @@ -176,15 +156,9 @@ public void testInternalSubrogationSuperUserDisabled() throws IOException { flowParameters.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, CUSTOMER_ID_2); UserDto userDto = new UserDto(); + userDto.setCustomerId(CUSTOMER_ID_1); userDto.setStatus(UserStatusEnum.BLOCKED); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(USER_1), - eq(CUSTOMER_ID_1), - eq(Optional.empty()) - ) - ).thenReturn(userDto); + when(casApi.getUsersByEmail(eq(USER_1), eq(null))).thenReturn(java.util.List.of(userDto)); final Event event = action.doExecute(context); @@ -215,15 +189,9 @@ public void testExternalDisabled() throws IOException { flowParameters.remove(Constants.FLOW_SURROGATE_CUSTOMER_ID); UserDto userDto = new UserDto(); + userDto.setCustomerId(CUSTOMER_ID_1); userDto.setStatus(UserStatusEnum.BLOCKED); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(USER_1), - eq(CUSTOMER_ID_1), - eq(Optional.empty()) - ) - ).thenReturn(userDto); + when(casApi.getUsersByEmail(eq(USER_1), eq(null))).thenReturn(java.util.List.of(userDto)); final Event event = action.doExecute(context); @@ -254,15 +222,9 @@ public void testExternalSubrogationSurrogateDisabled() throws IOException { flowParameters.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, CUSTOMER_ID_2); UserDto userDto = new UserDto(); + userDto.setCustomerId(CUSTOMER_ID_2); userDto.setStatus(UserStatusEnum.BLOCKED); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(USER_2), - eq(CUSTOMER_ID_2), - eq(Optional.empty()) - ) - ).thenReturn(userDto); + when(casApi.getUsersByEmail(eq(USER_2), eq(null))).thenReturn(java.util.List.of(userDto)); final Event event = action.doExecute(context); @@ -279,15 +241,9 @@ public void testExternalSubrogationSuperUserDisabled() throws IOException { flowParameters.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, CUSTOMER_ID_2); UserDto userDto = new UserDto(); + userDto.setCustomerId(CUSTOMER_ID_1); userDto.setStatus(UserStatusEnum.BLOCKED); - when( - casRestClient.getUserByEmailAndCustomerId( - any(HttpContext.class), - eq(USER_1), - eq(CUSTOMER_ID_1), - eq(Optional.empty()) - ) - ).thenReturn(userDto); + when(casApi.getUsersByEmail(eq(USER_1), eq(null))).thenReturn(java.util.List.of(userDto)); final Event event = action.doExecute(context); diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/ListCustomersActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/ListCustomersActionTest.java similarity index 64% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/ListCustomersActionTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/ListCustomersActionTest.java index 59b603e9c46..7718dd89cbc 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/ListCustomersActionTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/ListCustomersActionTest.java @@ -1,31 +1,30 @@ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; import fr.gouv.vitamui.cas.BaseWebflowActionTest; +import fr.gouv.vitamui.cas.delegation.ProvidersService; import fr.gouv.vitamui.cas.model.CustomerModel; -import fr.gouv.vitamui.cas.provider.ProvidersService; import fr.gouv.vitamui.cas.util.Constants; -import fr.gouv.vitamui.cas.util.Utils; -import fr.gouv.vitamui.commons.api.domain.UserDto; -import fr.gouv.vitamui.iam.client.CasRestClient; -import fr.gouv.vitamui.iam.common.dto.CustomerDto; +import fr.gouv.vitamui.commons.api.enums.UserStatusEnum; import fr.gouv.vitamui.iam.common.dto.IdentityProviderDto; import fr.gouv.vitamui.iam.common.utils.IdentityProviderHelper; +import fr.gouv.vitamui.iam.openapiclient.CasApi; +import fr.gouv.vitamui.iam.openapiclient.domain.CustomerDto; +import fr.gouv.vitamui.iam.openapiclient.domain.UserDto; +import lombok.extern.slf4j.Slf4j; import org.apereo.cas.authentication.credential.UsernamePasswordCredential; import org.junit.Before; import org.junit.Test; -import org.junit.runner.RunWith; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; -import org.springframework.test.context.junit4.SpringRunner; import org.springframework.webflow.execution.Event; import java.io.IOException; import java.util.List; import java.util.Optional; -import static fr.gouv.vitamui.cas.webflow.actions.ListCustomersAction.BAD_CONFIGURATION; -import static fr.gouv.vitamui.cas.webflow.configurer.CustomLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTED; -import static fr.gouv.vitamui.cas.webflow.configurer.CustomLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTION_VIEW; +import static fr.gouv.vitamui.cas.webflow.login.VitamLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTED; +import static fr.gouv.vitamui.cas.webflow.login.VitamLoginWebflowConfigurer.TRANSITION_TO_CUSTOMER_SELECTION_VIEW; +import static fr.gouv.vitamui.cas.webflow.login.actions.ListCustomersAction.BAD_CONFIGURATION; import static java.util.Collections.emptyList; import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.ArgumentMatchers.any; @@ -33,7 +32,7 @@ import static org.mockito.Mockito.doReturn; import static org.mockito.Mockito.mock; -@RunWith(SpringRunner.class) +@Slf4j @ContextConfiguration(classes = ListCustomersActionTest.class) @TestPropertySource(locations = "classpath:/application-test.properties") public class ListCustomersActionTest extends BaseWebflowActionTest { @@ -45,25 +44,22 @@ public class ListCustomersActionTest extends BaseWebflowActionTest { private static final String CUSTOMER_ID_2 = "customer2"; public static final String EMAIL_DOMAIN_1 = ".*@vitamui.com"; public static final String EMAIL_DOMAIN_2 = ".*@vitamui.fr"; - private CasRestClient casRestClient; + private CasApi casApi; + private IdentityProviderHelper identityProviderHelper; private ListCustomersAction listCustomersAction; + private IdentityProviderDto providerDto1; + private IdentityProviderDto providerDto2; @Before public void before() { ProvidersService providersService = mock(ProvidersService.class); - casRestClient = mock(CasRestClient.class); + casApi = mock(CasApi.class); + identityProviderHelper = mock(IdentityProviderHelper.class); - final Utils utils = new Utils(null, 0, null, null, ""); + listCustomersAction = new ListCustomersAction(providersService, identityProviderHelper, casApi); - listCustomersAction = new ListCustomersAction( - providersService, - new IdentityProviderHelper(), - casRestClient, - utils - ); - - IdentityProviderDto providerDto1 = getIdentityProvider(CUSTOMER_ID_1, false, EMAIL_DOMAIN_1); - IdentityProviderDto providerDto2 = getIdentityProvider(CUSTOMER_ID_2, true, EMAIL_DOMAIN_1, EMAIL_DOMAIN_2); + providerDto1 = getIdentityProvider(CUSTOMER_ID_1, false, EMAIL_DOMAIN_1); + providerDto2 = getIdentityProvider(CUSTOMER_ID_2, true, EMAIL_DOMAIN_1, EMAIL_DOMAIN_2); doReturn(List.of(providerDto1, providerDto2)).when(providersService).getProviders(); } @@ -74,6 +70,15 @@ public void testSubrogationThenNoCustomerSelection() throws IOException { flowParameters.put(Constants.FLOW_LOGIN_CUSTOMER_ID, CUSTOMER_ID_1); flowParameters.put(Constants.FLOW_SURROGATE_EMAIL, EMAIL2); flowParameters.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, CUSTOMER_ID_2); + flowParameters.put("credential", new UsernamePasswordCredential(EMAIL1, "password")); + + // Ensure multiple providers match to trigger selection view + doReturn(List.of(getIdentityProvider("c1", false, ".*@vitamui.com"))) + .when(identityProviderHelper) + .findAllProvidersByUserIdentifier(any(), any()); + doReturn(Optional.of(providerDto1)) + .when(identityProviderHelper) + .findByUserIdentifierAndCustomerId(any(), eq(EMAIL1), eq(CUSTOMER_ID_1)); // When Event event = listCustomersAction.doExecute(context); @@ -82,6 +87,36 @@ public void testSubrogationThenNoCustomerSelection() throws IOException { assertThat(event.getId()).isEqualTo(TRANSITION_TO_CUSTOMER_SELECTED); } + @Test + public void shouldTriggerOrganizationSelectionWhenSubrogatedUserHasManyOrganizationOrIdentityProviders() + throws IOException { + // Given + flowParameters.put(Constants.FLOW_LOGIN_EMAIL, EMAIL1); + flowParameters.put(Constants.FLOW_LOGIN_CUSTOMER_ID, CUSTOMER_ID_1); + flowParameters.put(Constants.FLOW_SURROGATE_EMAIL, EMAIL2); + flowParameters.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, CUSTOMER_ID_2); + flowParameters.put("credential", new UsernamePasswordCredential(EMAIL1, "password")); + + // Ensure multiple providers match to trigger selection view + doReturn( + List.of( + getIdentityProvider("c1", false, ".*@vitamui.com"), + getIdentityProvider("c2", false, ".*@vitamui.com") + ) + ) + .when(identityProviderHelper) + .findAllProvidersByUserIdentifier(any(), any()); + doReturn(Optional.of(providerDto1)) + .when(identityProviderHelper) + .findByUserIdentifierAndCustomerId(any(), eq(EMAIL1), eq(CUSTOMER_ID_1)); + + // When + Event event = listCustomersAction.doExecute(context); + + // Then (Subrogation mode is deterministic and bypasses customer selection) + assertThat(event.getId()).isEqualTo(TRANSITION_TO_CUSTOMER_SELECTED); + } + @Test public void testSubrogationWithInvalidProviderThenBadConfig() throws IOException { // Given @@ -89,6 +124,7 @@ public void testSubrogationWithInvalidProviderThenBadConfig() throws IOException flowParameters.put(Constants.FLOW_LOGIN_CUSTOMER_ID, CUSTOMER_ID_1); flowParameters.put(Constants.FLOW_SURROGATE_EMAIL, EMAIL2); flowParameters.put(Constants.FLOW_SURROGATE_CUSTOMER_ID, CUSTOMER_ID_2); + flowParameters.put("credential", new UsernamePasswordCredential(EMAIL_UNKNOWN_DOMAIN, "password")); // When Event event = listCustomersAction.doExecute(context); @@ -104,8 +140,12 @@ public void testLoginWithEmailMatchingASingleUser() throws IOException { UserDto userDto = new UserDto(); userDto.setCustomerId(CUSTOMER_ID_1); + userDto.setStatus(UserStatusEnum.ENABLED); // Added status just in case - doReturn(List.of(userDto)).when(casRestClient).getUsersByEmail(any(), eq(EMAIL1), eq(Optional.empty())); + doReturn(List.of(userDto)).when(casApi).getUsersByEmail(eq(EMAIL1), eq(null)); + doReturn(Optional.of(providerDto1)) + .when(identityProviderHelper) + .findByUserIdentifierAndCustomerId(any(), eq(EMAIL1), eq(CUSTOMER_ID_1)); // When Event event = listCustomersAction.doExecute(context); @@ -129,15 +169,13 @@ public void testLoginWithEmailMatchingMultipleUsers() throws IOException { UserDto userDto2 = new UserDto(); userDto2.setCustomerId(CUSTOMER_ID_2); - doReturn(List.of(userDto1, userDto2)) - .when(casRestClient) - .getUsersByEmail(any(), eq(EMAIL1), eq(Optional.empty())); + doReturn(List.of(userDto1, userDto2)).when(casApi).getUsersByEmail(eq(EMAIL1), eq(null)); CustomerDto customerDto1 = getCustomerDto(CUSTOMER_ID_1, "MyCode1", "MyCustomer1"); CustomerDto customerDto2 = getCustomerDto(CUSTOMER_ID_2, "MyCode2", "MyCustomer2"); doReturn(List.of(customerDto1, customerDto2)) - .when(casRestClient) - .getCustomersByIds(any(), eq(List.of(CUSTOMER_ID_1, CUSTOMER_ID_2))); + .when(casApi) + .getCustomersByIds(eq(List.of(CUSTOMER_ID_1, CUSTOMER_ID_2))); // When Event event = listCustomersAction.doExecute(context); @@ -159,10 +197,13 @@ public void testLoginWithEmailMatchingMultipleUsers() throws IOException { public void testLoginWithUnknownUserMatchingASingleCustomerMailDomain() throws IOException { flowParameters.put("credential", new UsernamePasswordCredential(EMAIL2, "password")); - doReturn(emptyList()).when(casRestClient).getUsersByEmail(any(), eq(EMAIL2), eq(Optional.empty())); + doReturn(emptyList()).when(casApi).getUsersByEmail(eq(EMAIL2), eq(null)); + doReturn(List.of(providerDto2)) + .when(identityProviderHelper) + .findAllProvidersByUserIdentifier(any(), eq(EMAIL2)); CustomerDto customerDto2 = getCustomerDto(CUSTOMER_ID_2, "code2", "customer2"); - doReturn(List.of(customerDto2)).when(casRestClient).getCustomersByIds(any(), eq(List.of(CUSTOMER_ID_2))); + doReturn(List.of(customerDto2)).when(casApi).getCustomersByIds(eq(List.of(CUSTOMER_ID_2))); // When Event event = listCustomersAction.doExecute(context); @@ -179,13 +220,16 @@ public void testLoginWithUnknownUserMatchingASingleCustomerMailDomain() throws I public void testLoginWithUnknownUserMatchingMultipleCustomerMailDomain() throws IOException { flowParameters.put("credential", new UsernamePasswordCredential(EMAIL1, "password")); - doReturn(emptyList()).when(casRestClient).getUsersByEmail(any(), eq(EMAIL1), eq(Optional.empty())); + doReturn(emptyList()).when(casApi).getUsersByEmail(eq(EMAIL1), eq(null)); + doReturn(List.of(providerDto1, providerDto2)) + .when(identityProviderHelper) + .findAllProvidersByUserIdentifier(any(), eq(EMAIL1)); CustomerDto customerDto1 = getCustomerDto(CUSTOMER_ID_1, "MyCode1", "MyCustomer1"); CustomerDto customerDto2 = getCustomerDto(CUSTOMER_ID_2, "MyCode2", "MyCustomer2"); doReturn(List.of(customerDto1, customerDto2)) - .when(casRestClient) - .getCustomersByIds(any(), eq(List.of(CUSTOMER_ID_1, CUSTOMER_ID_2))); + .when(casApi) + .getCustomersByIds(eq(List.of(CUSTOMER_ID_1, CUSTOMER_ID_2))); // When Event event = listCustomersAction.doExecute(context); @@ -207,15 +251,13 @@ public void testLoginWithUnknownUserMatchingMultipleCustomerMailDomain() throws public void testLoginWithUnknownUserMatchingNoValidCustomerMailDomain() throws IOException { flowParameters.put("credential", new UsernamePasswordCredential(EMAIL_UNKNOWN_DOMAIN, "password")); - doReturn(emptyList()) - .when(casRestClient) - .getUsersByEmail(any(), eq(EMAIL_UNKNOWN_DOMAIN), eq(Optional.empty())); + doReturn(emptyList()).when(casApi).getUsersByEmail(eq(EMAIL_UNKNOWN_DOMAIN), eq(null)); CustomerDto customerDto1 = getCustomerDto(CUSTOMER_ID_1, "MyCode1", "MyCustomer1"); CustomerDto customerDto2 = getCustomerDto(CUSTOMER_ID_2, "MyCode2", "MyCustomer2"); doReturn(List.of(customerDto1, customerDto2)) - .when(casRestClient) - .getCustomersByIds(any(), eq(List.of(CUSTOMER_ID_1, CUSTOMER_ID_2))); + .when(casApi) + .getCustomersByIds(eq(List.of(CUSTOMER_ID_1, CUSTOMER_ID_2))); // When Event event = listCustomersAction.doExecute(context); @@ -226,6 +268,7 @@ public void testLoginWithUnknownUserMatchingNoValidCustomerMailDomain() throws I private static IdentityProviderDto getIdentityProvider(String customerId, boolean internal, String... patterns) { IdentityProviderDto providerDto1 = new IdentityProviderDto(); + providerDto1.setId(customerId); // Use customerId as provider Id for uniqueness providerDto1.setCustomerId(customerId); providerDto1.setInternal(internal); providerDto1.setPatterns(List.of(patterns)); diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/TriggerChangePasswordActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordActionTest.java similarity index 79% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/TriggerChangePasswordActionTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordActionTest.java index 0df9bb2dd87..b24b26ad829 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/TriggerChangePasswordActionTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordActionTest.java @@ -1,9 +1,7 @@ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.login.actions; -import fr.gouv.vitam.common.exception.InvalidParseOperationException; import fr.gouv.vitamui.cas.BaseWebflowActionTest; import fr.gouv.vitamui.cas.util.Utils; -import lombok.val; import org.apereo.cas.authentication.principal.Principal; import org.apereo.cas.ticket.registry.TicketRegistrySupport; import org.junit.Before; @@ -31,14 +29,14 @@ public class TriggerChangePasswordActionTest extends BaseWebflowActionTest { @Override @Before - public void setUp() throws FileNotFoundException, InvalidParseOperationException { + public void setUp() throws FileNotFoundException { super.setUp(); - val tgtId = "TGT-1"; + final var tgtId = "TGT-1"; flowParameters.put("ticketGrantingTicketId", tgtId); - val ticketRegistrySupport = mock(TicketRegistrySupport.class); + final var ticketRegistrySupport = mock(TicketRegistrySupport.class); action = new TriggerChangePasswordAction(ticketRegistrySupport, mock(Utils.class)); when(ticketRegistrySupport.getAuthenticatedPrincipalFrom(tgtId)).thenReturn(mock(Principal.class)); @@ -48,14 +46,14 @@ public void setUp() throws FileNotFoundException, InvalidParseOperationException public void changePassword() { requestParameters.put("doChangePassword", "yes"); - val event = action.doExecute(context); + final var event = action.doExecute(context); assertEquals("changePassword", event.getId()); } @Test public void dontChangePassword() { - val event = action.doExecute(context); + final var event = action.doExecute(context); assertEquals("continue", event.getId()); } diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CheckMfaTokenActionTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CheckMfaTokenActionTest.java similarity index 79% rename from cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CheckMfaTokenActionTest.java rename to cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CheckMfaTokenActionTest.java index 687f6356d15..2a4297f7c1a 100644 --- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/actions/CheckMfaTokenActionTest.java +++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/webflow/mfa/actions/CheckMfaTokenActionTest.java @@ -1,8 +1,6 @@ -package fr.gouv.vitamui.cas.webflow.actions; +package fr.gouv.vitamui.cas.webflow.mfa.actions; -import fr.gouv.vitam.common.exception.InvalidParseOperationException; import fr.gouv.vitamui.cas.BaseWebflowActionTest; -import lombok.val; import org.apereo.cas.mfa.simple.CasSimpleMultifactorTokenCredential; import org.apereo.cas.mfa.simple.ticket.CasSimpleMultifactorAuthenticationTicket; import org.apereo.cas.ticket.registry.TicketRegistry; @@ -39,13 +37,13 @@ public class CheckMfaTokenActionTest extends BaseWebflowActionTest { @Override @Before - public void setUp() throws FileNotFoundException, InvalidParseOperationException { + public void setUp() throws FileNotFoundException { super.setUp(); ticketRegistry = mock(TicketRegistry.class); action = new CheckMfaTokenAction(ticketRegistry); - val credential = mock(CasSimpleMultifactorTokenCredential.class); + final var credential = mock(CasSimpleMultifactorTokenCredential.class); when(credential.getToken()).thenReturn(TOKEN); when(credential.getId()).thenReturn(TOKEN); flowParameters.put("credential", credential); @@ -58,20 +56,20 @@ public void setUp() throws FileNotFoundException, InvalidParseOperationException @Test public void tokenNotExpired() { - val creationDate = ZonedDateTime.now().minus(30, ChronoUnit.SECONDS); + final var creationDate = ZonedDateTime.now().minus(30, ChronoUnit.SECONDS); when(ticket.getCreationTime()).thenReturn(creationDate); - val event = action.doExecute(context); + final var event = action.doExecute(context); assertEquals("success", event.getId()); } @Test public void tokenExpired() { - val creationDate = ZonedDateTime.now().minus(70, ChronoUnit.SECONDS); + final var creationDate = ZonedDateTime.now().minus(70, ChronoUnit.SECONDS); when(ticket.getCreationTime()).thenReturn(creationDate); - val event = action.doExecute(context); + final var event = action.doExecute(context); assertEquals("error", event.getId()); } diff --git a/commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/HttpContextHolder.java b/commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/HttpContextHolder.java new file mode 100644 index 00000000000..f0e6f5f1509 --- /dev/null +++ b/commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/HttpContextHolder.java @@ -0,0 +1,56 @@ +package fr.gouv.vitamui.commons.rest.client; + +import java.util.Optional; + +/** + * Thread-local holder for HttpContext. + * Allows context propagation across API calls when the security context is + * empty. + */ +public class HttpContextHolder { + + private static final ThreadLocal CONTEXT = new ThreadLocal<>(); + + /** + * Set the current HttpContext. + */ + public static void set(HttpContext context) { + CONTEXT.set(context); + } + + /** + * Get the current HttpContext. + */ + public static Optional get() { + return Optional.ofNullable(CONTEXT.get()); + } + + /** + * Clear the current HttpContext. + */ + public static void clear() { + CONTEXT.remove(); + } + + /** + * Set the current HttpContext in a scope that will be cleared automatically. + */ + public static HttpContextScope setInScope(HttpContext context) { + return new HttpContextScope(context); + } + + /** + * AutoCloseable scope for HttpContext. + */ + public static class HttpContextScope implements AutoCloseable { + + public HttpContextScope(HttpContext context) { + set(context); + } + + @Override + public void close() { + clear(); + } + } +} diff --git a/deployment/environments/group_vars/all/vault-vitamui.yml.example b/deployment/environments/group_vars/all/vault-vitamui.yml.example index 8c1557df1d6..4f50ec0be4c 100755 --- a/deployment/environments/group_vars/all/vault-vitamui.yml.example +++ b/deployment/environments/group_vars/all/vault-vitamui.yml.example @@ -22,3 +22,18 @@ vitamui: cas_server: # Secret internal token for CAS to vitam-ui communication secret_token: changeit_cas_secret_token + crypto: + oauth: + encryption_key: "my_oauth_encryption_key" + signing_key: "my_oauth_signing_key" + pac4j: + cookie_name: "DISSESSIONAD" + encryption_key: "my_pac4j_encryption_key" + signing_key: "my_pac4j_signing_key" + pm_reset: + encryption_key: "my_pm_reset_encryption_key" + signing_key: "my_pm_reset_signing_key" + webflow: + signing_key: "my_webflow_signing_key" + encryption_key: "my_webflow_encryption_key" + encryption_key_size: 128 diff --git a/deployment/environments/group_vars/all/vitamui_vars.yml b/deployment/environments/group_vars/all/vitamui_vars.yml index ba1cd35f7ee..ac22a18e47b 100755 --- a/deployment/environments/group_vars/all/vitamui_vars.yml +++ b/deployment/environments/group_vars/all/vitamui_vars.yml @@ -135,6 +135,29 @@ vitamui: port_admin: 7001 cors: enabled: true + crypto: + - prefix: cas.tgc.crypto + config: + enabled: yes + - prefix: cas.authn.oauth.session-replication.cookie.crypto + config: + enabled: yes + - prefix: cas.authn.pac4j.core.session-replication.cookie + config: + enabled: yes + - prefix: cas.authn.pm.reset.crypto + config: + enabled: yes + - prefix: cas.webflow.crypto + config: + enabled: yes +# - prefix: +# config: +# enabled: +# key: +# encryption: +# encryption-size: +# signing: security: host: "vitamui-security.service.{{ consul_domain }}" diff --git a/deployment/pki/scripts/lib/stores.sh b/deployment/pki/scripts/lib/stores.sh index da5c2bbb751..3d27d588fcf 100755 --- a/deployment/pki/scripts/lib/stores.sh +++ b/deployment/pki/scripts/lib/stores.sh @@ -125,8 +125,14 @@ function main() { pki_logger "Creating keystores for TYPE: ${AUTHORITY_NAME}/${TYPE_NAME}" + EXCLUDES=(-e "README" -e "reverse") + + if [ "$DEV_MODE" != "true" ]; then + EXCLUDES+=(-e "^ui-") + fi + # Generate keystore for each components except for ui- & reverse - for COMPONENT in $( ls ${TYPE_PATH} | grep -v -e "README" -e "^ui-" -e "reverse" ); do + for COMPONENT in $( grep -v "${EXCLUDES[@]}" < <(printf "%s\n" "${TYPE_PATH}"/* | xargs -n1 basename) ); do generateKeystore "${AUTHORITY_NAME}" \ "${TYPE_NAME}" \ "${COMPONENT}" diff --git a/deployment/roles/nginx_webapp/templates/frontend/config.json.j2 b/deployment/roles/nginx_webapp/templates/frontend/config.json.j2 index bdde2b83018..cf42aabdbda 100644 --- a/deployment/roles/nginx_webapp/templates/frontend/config.json.j2 +++ b/deployment/roles/nginx_webapp/templates/frontend/config.json.j2 @@ -38,7 +38,7 @@ {% endif %} "OIDC_CONFIG": { "issuer": "{{ vitamui.cas_server.base_url | default(url_prefix+'/cas') }}/oidc", - "redirectUri": "?", + "redirectUri": "{{ vitamui.ui_portal.base_url | default(url_prefix+'/') }}", "postLogoutRedirectUri": "{{ vitamui.ui_portal.base_url | default(url_prefix+'/') }}", "clientId": "{{ vitamui_struct.vitamui_component | regex_replace('^ui-', '') }}", "responseType": "code", diff --git a/deployment/roles/vitamui/templates/cas-server/application.yml.j2 b/deployment/roles/vitamui/templates/cas-server/application.yml.j2 index 2e4425a5fa0..0f048fb458d 100644 --- a/deployment/roles/vitamui/templates/cas-server/application.yml.j2 +++ b/deployment/roles/vitamui/templates/cas-server/application.yml.j2 @@ -25,12 +25,13 @@ server: {% endif %} address: {{ ip_service }} port: {{ vitamui_struct.port_service }} + servlet: {% if vitamui.cas_server.base_url is defined %} - context-path: / - servlet.session.cookie.path: / + context-path: / + session.cookie.path: / {% else %} - context-path: /cas - servlet.session.cookie.path: /cas + context-path: /cas + session.cookie.path: /cas {% endif %} tomcat: basedir: {{ vitamui_folder_conf }}/tomcat @@ -84,9 +85,6 @@ cas.host.name: cas cas.tgc.path: /cas {% endif %} cas.tgc.secure: true -cas.tgc.crypto.enabled: false -cas.webflow.crypto.enabled: true -cas.authn.pm.reset.crypto.enabled: true ## # CAS Web Application Session Configuration @@ -166,17 +164,19 @@ cas: management.endpoints.enabled-by-default: true management.endpoints.web.exposure.include: '*' cas.monitor.endpoints.endpoint.defaults.access[0]: PERMIT -management.metrics.export.prometheus.enabled: true +management.prometheus.metrics.export.enabled: true {% if sms.enabled|lower == "true" %} # for SMS: cas.sms-provider.sms-mode.access-token: {{ sms.token }} -mfa.sms.sender: "{{ sms.sender }}" +cas.authn.mfa.simple.sms: + from: "{{ sms.sender }}" + attribute-name: "{{ sms.attribute_name | default('mobile') }}" {% endif %} vitamui.portal.url: {{ vitamui.ui_portal.base_url | default(url_prefix) }} -cas.secret.token: {{ vitamui.cas_server.secret_token }} +cas_secret_token: {{ vitamui.cas_server.secret_token }} ip.header: X-Real-IP @@ -332,3 +332,26 @@ password: {% endfor %} {% endif %} {% endif %} + +# Crypto configurations + +{% macro crypto_block(prefix, keys) %} +{% if keys is defined %} +{% set is_enabled = keys.enabled | default(false) %} +{{ prefix }}: + enabled: {{ is_enabled | string | lower }} + {% if is_enabled %} + {% if keys.key.encryption is defined %} + encryption.key: {{ keys.key.encryption }} + {% endif %} + encryption.key-size: {{ keys.key.size | default(128) }} + {% if keys.key.signing is defined %} + signing.key: {{ keys.key.signing }} + {% endif %} + {% endif %} +{% endif %} +{% endmacro %} + +{% for crypto_item in vitamui.cas_server.crypto %} +{{ crypto_block(crypto_item.prefix, crypto_item.config) }} +{% endfor %} diff --git a/deployment/roles/vitamui/templates/iam/application.yml.j2 b/deployment/roles/vitamui/templates/iam/application.yml.j2 index a9740042e82..36b8de2371f 100644 --- a/deployment/roles/vitamui/templates/iam/application.yml.j2 +++ b/deployment/roles/vitamui/templates/iam/application.yml.j2 @@ -118,7 +118,7 @@ cas-client: cas.reset.password.url: {{ vitamui.cas_server.base_url | default('/cas') }}{{ vitamui.cas_server.reset_password_url | default('/extras/resetPassword?username={username}&firstname={firstname}&lastname={lastname}&language={language}&customerId={customerId}&ttl=1day') }} cas.tenant.identifier: {{ vitamui_platform_informations.cas_tenant }} -cas.secret.token: {{ vitamui.cas_server.secret_token }} +cas_secret_token: {{ vitamui.cas_server.secret_token }} login.attempts.maximum.failures: {{ vitamui_struct.login_max_failure | default(5) }} login.attempts.time.interval: {{ vitamui_struct.login_interval|default(20) }} diff --git a/intellij-conf/.run/Jar-app/CAS.run.xml b/intellij-conf/.run/Jar-app/CAS.run.xml index 4a51079f372..563bb24f904 100644 --- a/intellij-conf/.run/Jar-app/CAS.run.xml +++ b/intellij-conf/.run/Jar-app/CAS.run.xml @@ -4,7 +4,7 @@