Feature toggle for eduID required

SURFnet · Apr 5, 2024 · 02d787f · 02d787f
1 parent 65ef14d
commit 02d787f
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 9 deletions.
diff --git a/src/main/java/generiek/api/EnrollmentEndpoint.java b/src/main/java/generiek/api/EnrollmentEndpoint.java
@@ -69,6 +69,7 @@ public class EnrollmentEndpoint {
     private final String brokerUrl;
     private final ServiceRegistry serviceRegistry;
     private final boolean allowPlayground;
+    private final boolean eduIDRequired;
     private final EnrollmentRepository enrollmentRepository;
     private final AssociationRepository associationRepository;
     private final ObjectMapper objectMapper;
@@ -90,6 +91,7 @@ public EnrollmentEndpoint(@Value("${oidc.acr-context-class-ref}") String acr,
                               @Value("${backend.api_password}") String backendApiPassword,
                               @Value("${broker.url}") String brokerUrl,
                               @Value("${features.allow_playground}") boolean allowPlayground,
+                              @Value("${features.require_eduid}") boolean eduIDRequired,
                               @Value("${config.connection_timeout_millis}") int connectionTimeoutMillis,
                               @Value("${config.connection_pool_keep_alive_duration_millis}") int keepAliveDurationMillis,
                               @Value("${config.connection_pool_max_idle_connections}") int maxIdleConnections,
@@ -116,6 +118,7 @@ public EnrollmentEndpoint(@Value("${oidc.acr-context-class-ref}") String acr,
         this.serviceRegistry = serviceRegistry;
         this.objectMapper = objectMapper;
         this.allowPlayground = allowPlayground;
+        this.eduIDRequired = eduIDRequired;
         // Otherwise, we can't use method PATCH
         OkHttpClient.Builder builder = new OkHttpClient.Builder();
         builder
@@ -200,7 +203,7 @@ public View redirect(@RequestParam("code") String code, @RequestParam("state") S
         givenName = URLEncoder.encode(givenName, "UTF-8");
 
         String eduid = claimsSet.getStringClaim("eduid");
-        if (!StringUtils.hasText(eduid)) {
+        if (!StringUtils.hasText(eduid) && this.eduIDRequired) {
             LOG.error("eduid is required. Check the ARP for RP:" + this.clientId);
             String redirect = String.format("%s?error=%s", brokerUrl, 419);
             return new RedirectView(redirect, false);
@@ -216,8 +219,9 @@ public View redirect(@RequestParam("code") String code, @RequestParam("state") S
         }
 
         LOG.debug("Redirect after authorization called for enrollment request: " + enrollmentRequest);
-
-        enrollmentRequest.setEduid(eduid);
+        if (this.eduIDRequired) {
+            enrollmentRequest.setEduid(eduid);
+        }
         enrollmentRequest.setAccessToken(accessToken);
         enrollmentRequest.setRefreshToken(refreshToken);
         enrollmentRepository.save(enrollmentRequest);
@@ -261,8 +265,12 @@ public ResponseEntity<Map<String, Object>> start(
         } catch (HttpStatusCodeException e) {
             return this.errorResponseEntity("Error in retrieving person for enrollmentRequest: " + enrollmentRequest, e);
         }
-        LOG.debug(String.format("Replacing personId %s with eduID %s", personMap.get("personId"), enrollmentRequest.getEduid()));
-        personMap.put("personId", enrollmentRequest.getEduid());
+        if (this.eduIDRequired) {
+            LOG.debug(String.format("Replacing personId %s with eduID %s", personMap.get("personId"), enrollmentRequest.getEduid()));
+            personMap.put("personId", enrollmentRequest.getEduid());
+        } else {
+            LOG.debug(String.format("Not replacing personId with an eduID as eduIDRequired is false", personMap.get("personId")));
+        }
         body.put("person", personMap);
 
         HttpHeaders httpHeaders = new HttpHeaders();
@@ -301,7 +309,9 @@ public ResponseEntity<Map<String, Object>> playResults(@RequestHeader("X-Correla
         }
         EnrollmentRequest enrollmentRequest = enrollmentRepository.findByIdentifier(correlationId).orElseThrow(ExpiredEnrollmentRequestException::new);
         Map<String, Object> newResults = new HashMap<>(results);
-        newResults.put("personId", enrollmentRequest.getEduid());
+        if (this.eduIDRequired) {
+            newResults.put("personId", enrollmentRequest.getEduid());
+        }
         Association association;
         if (results.containsKey("associationId")) {
             association = associationRepository.findByAssociationId((String) results.get("associationId"))

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -43,6 +43,7 @@ config:
 features:
   # Do we allow to mock the different scenario's - only allow on test
   allow_playground: true
+  require_eduid: true
 
 # URL of the broker-gui to redirect back after authentication and the
 # credentials of the broker-server to check against

diff --git a/src/test/java/generiek/api/EnrollmentEndpointTest.java b/src/test/java/generiek/api/EnrollmentEndpointTest.java
@@ -590,7 +590,7 @@ void registrationBrokerException() throws Exception {
     }
 
     @SneakyThrows
-    private String doAuthorize(String personAuth) {
+    protected String doAuthorize(String personAuth) {
         stubFor(post(urlPathMatching("/api/validate-service-registry-endpoints")).willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
                 .withBody(objectMapper.writeValueAsString(singletonMap("valid", true)))));
@@ -613,7 +613,7 @@ private String doAuthorize(String personAuth) {
     }
 
 
-    private String doToken(String state) throws NoSuchProviderException, NoSuchAlgorithmException, JOSEException, IOException {
+    private String doToken(String state) throws JOSEException, IOException {
         Map<String, String> claims = new HashMap<>();
         claims.put("family_name", "Doe");
         claims.put("given_name", "John");
@@ -782,7 +782,7 @@ private String readFile(String path) throws IOException {
         return IOUtils.toString(new ClassPathResource(path).getInputStream());
     }
 
-    private String accessToken(Map<String, String> claims) throws JOSEException, IOException {
+    protected String accessToken(Map<String, String> claims) throws JOSEException, IOException {
         stubFor(get(urlPathMatching("/oidc/certs")).willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
                 .withBody(objectMapper.writeValueAsString(jwkSetMap))));