From 85ac121ba4455dc119372dc6ee4ffdcd35080493 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Mon, 8 Jan 2024 15:03:46 +0100
Subject: [PATCH] Inviters can only use eduID for accepting invites
https://www.pivotaltracker.com/story/show/186798505
---
 .../AuthorizationRequestCustomizer.java | 3 ++-
 .../access/api/InvitationControllerTest.java | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/server/src/main/java/access/security/AuthorizationRequestCustomizer.java b/server/src/main/java/access/security/AuthorizationRequestCustomizer.java
index 9841b4ed..5f6cab25 100644
--- a/server/src/main/java/access/security/AuthorizationRequestCustomizer.java
+++ b/server/src/main/java/access/security/AuthorizationRequestCustomizer.java
@@ -1,5 +1,6 @@
 package access.security;
+import access.model.Authority;
 import access.model.Invitation;
 import access.repository.InvitationRepository;
 import jakarta.servlet.http.HttpSession;
@@ -40,7 +41,7 @@ public void accept(OAuth2AuthorizationRequest.Builder builder) {
 if (hash != null && hash.length == 1) {
 Optional optionalInvitation = invitationRepository.findByHash(hash[0]);
 optionalInvitation.ifPresent(invitation -> {
- if (invitation.isEduIDOnly()) {
+ if (invitation.isEduIDOnly() && invitation.getIntendedAuthority().equals(Authority.GUEST)) {
 params.put("login_hint", eduidEntityId);
 }
 });
diff --git a/server/src/test/java/access/api/InvitationControllerTest.java b/server/src/test/java/access/api/InvitationControllerTest.java
index 926ddf46..86c8630b 100644
--- a/server/src/test/java/access/api/InvitationControllerTest.java
+++ b/server/src/test/java/access/api/InvitationControllerTest.java
@@ -9,6 +9,8 @@
 import io.restassured.common.mapper.TypeRef;
 import io.restassured.http.ContentType;
 import org.junit.jupiter.api.Test;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.util.UriComponentsBuilder;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
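Review bot: The new condition in `accept` calls `invitation.getIntendedAuthority().equals(Authority.GUEST)`, which throws a NullPointerException inside the `ifPresent` lambda during the authorization redirect if an invitation's intended authority is ever unset, where the old `isEduIDOnly()` check could not fail that way. Since `Authority` is an enum (the test file uses `Authority.INVITER.name()`), the null-safe and idiomatic form is `if (invitation.isEduIDOnly() && invitation.getIntendedAuthority() == Authority.GUEST) {`, or `Authority.GUEST.equals(invitation.getIntendedAuthority())` if `equals` is preferred. A one-line why-comment would help the next reader, e.g. `// login_hint only pre-selects eduID at the IdP; inviter invitations must stay usable with any identity`. Note that `login_hint` is advisory to the identity provider and does not itself enforce an eduID-only invitation for guests; if that enforcement happens when the invitation is accepted, it lives outside this hunk and is worth confirming. The body of `accept` starts before and continues after the hunk.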
@@ -426,4 +428,20 @@ void allByInviter() throws Exception {
 });
 assertEquals(2, invitations.size());
 }
+
+ @Test
+ void eduIDRequiredLoginOnlyForGuests() throws Exception {
+ Invitation invitation = invitationRepository.findByHash(Authority.INVITER.name()).get();
+ invitation.setEduIDOnly(true);
+ invitationRepository.save(invitation);
+ openIDConnectFlow(
+ "/api/v1/users/login?force=true&hash=" + Authority.INVITER.name(),
+ "urn:collab:person:example.com:admin",
+ authorizationUrl -> {
+ MultiValueMap queryParams = UriComponentsBuilder.fromUriString(authorizationUrl).build().getQueryParams();
+ assertFalse(queryParams.containsKey("login_hint"));
+ },
+ m -> m);
+ }
+ }
\ No newline at end of file
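Review bot: `eduIDRequiredLoginOnlyForGuests` pins only the negative half of the new rule: it asserts that an inviter's eduID-only invitation produces no `login_hint`, but nothing asserts that a GUEST eduID-only invitation still does, so a regression that drops the hint for every invitation would pass this test. A companion case that loads an invitation whose intended authority is `Authority.GUEST`, sets `setEduIDOnly(true)`, runs the same `openIDConnectFlow` and asserts `assertTrue(queryParams.containsKey("login_hint"))` would cover both sides. The test also persists `setEduIDOnly(true)` on the shared `Authority.INVITER` fixture row without restoring it; whether that state leaks into later tests depends on the base class's reset strategy, which is outside this hunk. The enclosing test class starts before the hunk.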