Inviters can only use eduID for accepting invites

https://www.pivotaltracker.com/story/show/186798505
OpenConext · Jan 8, 2024 · 85ac121 · 85ac121
1 parent 697e985
commit 85ac121
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/server/src/main/java/access/security/AuthorizationRequestCustomizer.java b/server/src/main/java/access/security/AuthorizationRequestCustomizer.java
@@ -1,5 +1,6 @@
 package access.security;
 
+import access.model.Authority;
 import access.model.Invitation;
 import access.repository.InvitationRepository;
 import jakarta.servlet.http.HttpSession;
@@ -40,7 +41,7 @@ public void accept(OAuth2AuthorizationRequest.Builder builder) {
             if (hash != null && hash.length == 1) {
                 Optional<Invitation> optionalInvitation = invitationRepository.findByHash(hash[0]);
                 optionalInvitation.ifPresent(invitation -> {
-                    if (invitation.isEduIDOnly()) {
+                    if (invitation.isEduIDOnly() && invitation.getIntendedAuthority().equals(Authority.GUEST)) {
                         params.put("login_hint", eduidEntityId);
                     }
                 });

diff --git a/server/src/test/java/access/api/InvitationControllerTest.java b/server/src/test/java/access/api/InvitationControllerTest.java
@@ -9,6 +9,8 @@
 import io.restassured.common.mapper.TypeRef;
 import io.restassured.http.ContentType;
 import org.junit.jupiter.api.Test;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.util.UriComponentsBuilder;
 
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
@@ -426,4 +428,20 @@ void allByInviter() throws Exception {
                 });
         assertEquals(2, invitations.size());
     }
+
+    @Test
+    void eduIDRequiredLoginOnlyForGuests() throws Exception {
+        Invitation invitation = invitationRepository.findByHash(Authority.INVITER.name()).get();
+        invitation.setEduIDOnly(true);
+        invitationRepository.save(invitation);
+        openIDConnectFlow(
+                "/api/v1/users/login?force=true&hash=" + Authority.INVITER.name(),
+                "urn:collab:person:example.com:admin",
+                authorizationUrl -> {
+                    MultiValueMap<String, String> queryParams = UriComponentsBuilder.fromUriString(authorizationUrl).build().getQueryParams();
+                    assertFalse(queryParams.containsKey("login_hint"));
+                },
+                m -> m);
+    }
+
 }