From 6f38d34dca4b6e6fb4b52e0c925676ab12d4ba9e Mon Sep 17 00:00:00 2001 From: Arne Gnisa Date: Thu, 9 Nov 2023 14:23:21 +0100 Subject: [PATCH 1/6] N21-1374 removes old login flow --- .../controller/api-test/oauth-sso.api.spec.ts | 582 ------------------ .../oauth/controller/oauth-sso.controller.ts | 172 +----- .../modules/oauth/uc/hydra-oauth.uc.spec.ts | 2 +- .../src/modules/oauth/uc/hydra-oauth.uc.ts | 2 - config/default.schema.json | 5 - src/services/config/publicAppConfigService.js | 1 - 6 files changed, 8 insertions(+), 756 deletions(-) delete mode 100644 apps/server/src/modules/oauth/controller/api-test/oauth-sso.api.spec.ts diff --git a/apps/server/src/modules/oauth/controller/api-test/oauth-sso.api.spec.ts b/apps/server/src/modules/oauth/controller/api-test/oauth-sso.api.spec.ts deleted file mode 100644 index a259c405cfb..00000000000 --- a/apps/server/src/modules/oauth/controller/api-test/oauth-sso.api.spec.ts +++ /dev/null @@ -1,582 +0,0 @@ -import { Configuration } from '@hpi-schul-cloud/commons/lib'; -import { EntityManager, ObjectId } from '@mikro-orm/mongodb'; -import { ExecutionContext, INestApplication } from '@nestjs/common'; -import { Test, TestingModule } from '@nestjs/testing'; -import { Account, EntityId, SchoolEntity, SystemEntity, User } from '@shared/domain'; -import { UserLoginMigrationEntity } from '@shared/domain/entity/user-login-migration.entity'; -import { SystemProvisioningStrategy } from '@shared/domain/interface/system-provisioning.strategy'; -import { KeycloakAdministrationService } from '@infra/identity-management/keycloak-administration/service/keycloak-administration.service'; -import { - accountFactory, - cleanupCollections, - mapUserToCurrentUser, - schoolFactory, - systemFactory, - userFactory, -} from '@shared/testing'; -import { JwtTestFactory } from '@shared/testing/factory/jwt.test.factory'; -import { userLoginMigrationFactory } from '@shared/testing/factory/user-login-migration.factory'; -import { ICurrentUser } from '@modules/authentication'; -import { JwtAuthGuard } from '@modules/authentication/guard/jwt-auth.guard'; -import { SanisResponse, SanisRole } from '@modules/provisioning/strategy/sanis/response'; -import { ServerTestModule } from '@modules/server'; -import axios from 'axios'; -import MockAdapter from 'axios-mock-adapter'; -import { UUID } from 'bson'; -import { Request } from 'express'; -import request, { Response } from 'supertest'; -import { SSOAuthenticationError } from '../../interface/sso-authentication-error.enum'; -import { OauthTokenResponse } from '../../service/dto'; -import { AuthorizationParams, SSOLoginQuery } from '../dto'; - -jest.mock('jwks-rsa', () => () => { - return { - getKeys: jest.fn(), - getSigningKey: jest.fn().mockResolvedValue({ - kid: 'kid', - alg: 'RS256', - getPublicKey: jest.fn().mockReturnValue(JwtTestFactory.getPublicKey()), - rsaPublicKey: JwtTestFactory.getPublicKey(), - }), - getSigningKeys: jest.fn(), - }; -}); - -describe('OAuth SSO Controller (API)', () => { - let app: INestApplication; - let em: EntityManager; - let currentUser: ICurrentUser; - let axiosMock: MockAdapter; - - const sessionCookieName: string = Configuration.get('SESSION__NAME') as string; - beforeAll(async () => { - Configuration.set('PUBLIC_BACKEND_URL', 'http://localhost:3030/api'); - const schulcloudJwt: string = JwtTestFactory.createJwt(); - - const moduleRef: TestingModule = await Test.createTestingModule({ - imports: [ServerTestModule], - }) - .overrideGuard(JwtAuthGuard) - .useValue({ - canActivate(context: ExecutionContext) { - const req: Request = context.switchToHttp().getRequest(); - req.user = currentUser; - req.headers.authorization = schulcloudJwt; - return true; - }, - }) - .compile(); - - axiosMock = new MockAdapter(axios); - app = moduleRef.createNestApplication(); - await app.init(); - em = app.get(EntityManager); - const kcAdminService = app.get(KeycloakAdministrationService); - - axiosMock.onGet(kcAdminService.getWellKnownUrl()).reply(200, { - issuer: 'issuer', - token_endpoint: 'token_endpoint', - authorization_endpoint: 'authorization_endpoint', - end_session_endpoint: 'end_session_endpoint', - jwks_uri: 'jwks_uri', - }); - }); - - afterAll(async () => { - await app.close(); - }); - - afterEach(async () => { - await cleanupCollections(em); - }); - - const setupSessionState = async (systemId: EntityId, migration: boolean) => { - const query: SSOLoginQuery = { - migration, - }; - - const response: Response = await request(app.getHttpServer()) - .get(`/sso/login/${systemId}`) - .query(query) - .expect(302) - .expect('set-cookie', new RegExp(`^${sessionCookieName}`)); - - const cookies: string[] = response.get('Set-Cookie'); - const redirect: string = response.get('Location'); - const matchState: RegExpMatchArray | null = redirect.match(/(?<=state=)([^&]+)/); - const state = matchState ? matchState[0] : ''; - - return { - cookies, - state, - }; - }; - - const setup = async () => { - const externalUserId = 'externalUserId'; - const system: SystemEntity = systemFactory.withOauthConfig().buildWithId(); - const school: SchoolEntity = schoolFactory.buildWithId({ systems: [system] }); - const user: User = userFactory.buildWithId({ externalId: externalUserId, school }); - const account: Account = accountFactory.buildWithId({ systemId: system.id, userId: user.id }); - - await em.persistAndFlush([system, user, school, account]); - em.clear(); - - const query: AuthorizationParams = new AuthorizationParams(); - query.code = 'code'; - query.state = 'state'; - - return { - system, - user, - externalUserId, - school, - query, - }; - }; - - describe('[GET] sso/login/:systemId', () => { - describe('when no error occurs', () => { - it('should redirect to the authentication url and set a session cookie', async () => { - const { system } = await setup(); - - await request(app.getHttpServer()) - .get(`/sso/login/${system.id}`) - .expect(302) - .expect('set-cookie', new RegExp(`^${sessionCookieName}`)) - .expect( - 'Location', - /^http:\/\/mock.de\/auth\?client_id=12345&redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fapi%2Fv3%2Fsso%2Foauth&response_type=code&scope=openid\+uuid&state=\w*/ - ); - }); - }); - - describe('when an error occurs', () => { - it('should redirect to the login page', async () => { - const unknownSystemId: string = new ObjectId().toHexString(); - const clientUrl: string = Configuration.get('HOST') as string; - - await request(app.getHttpServer()) - .get(`/sso/login/${unknownSystemId}`) - .expect(302) - .expect('Location', `${clientUrl}/login?error=sso_login_failed`); - }); - }); - }); - - describe('[GET] sso/oauth', () => { - describe('when the session has no oauthLoginState', () => { - it('should return 401 Unauthorized', async () => { - await setup(); - const query: AuthorizationParams = new AuthorizationParams(); - query.code = 'code'; - query.state = 'state'; - - await request(app.getHttpServer()).get(`/sso/oauth`).query(query).expect(401); - }); - }); - - describe('when the session and the request have a different state', () => { - it('should return 401 Unauthorized', async () => { - const { system } = await setup(); - const { cookies } = await setupSessionState(system.id, false); - const query: AuthorizationParams = new AuthorizationParams(); - query.code = 'code'; - query.state = 'wrongState'; - - await request(app.getHttpServer()).get(`/sso/oauth`).set('Cookie', cookies).query(query).expect(401); - }); - }); - - describe('when code and state are valid', () => { - it('should set a jwt and redirect', async () => { - const { system, externalUserId, query } = await setup(); - const { state, cookies } = await setupSessionState(system.id, false); - const baseUrl: string = Configuration.get('HOST') as string; - query.code = 'code'; - query.state = state; - - const idToken: string = JwtTestFactory.createJwt({ - sub: 'testUser', - iss: system.oauthConfig?.issuer, - aud: system.oauthConfig?.clientId, - // For OIDC provisioning strategy - external_sub: externalUserId, - }); - - axiosMock.onPost(system.oauthConfig?.tokenEndpoint).reply(200, { - id_token: idToken, - refresh_token: 'refreshToken', - access_token: 'accessToken', - }); - - await request(app.getHttpServer()) - .get(`/sso/oauth`) - .set('Cookie', cookies) - .query(query) - .expect(302) - .expect('Location', `${baseUrl}/dashboard`) - .expect( - (res: Response) => res.get('Set-Cookie').filter((value: string) => value.startsWith('jwt')).length === 1 - ); - }); - }); - - describe('when an error occurs during the login process', () => { - it('should redirect to the login page', async () => { - const { system, query } = await setup(); - const { state, cookies } = await setupSessionState(system.id, false); - const clientUrl: string = Configuration.get('HOST') as string; - query.error = SSOAuthenticationError.ACCESS_DENIED; - query.state = state; - - await request(app.getHttpServer()) - .get(`/sso/oauth`) - .set('Cookie', cookies) - .query(query) - .expect(302) - .expect( - 'Location', - `${clientUrl}/login?error=access_denied&provider=${system.oauthConfig?.provider as string}` - ); - }); - }); - - describe('when a faulty query is passed', () => { - it('should redirect to the login page with an error', async () => { - const { system, query } = await setup(); - const { state, cookies } = await setupSessionState(system.id, false); - const clientUrl: string = Configuration.get('HOST') as string; - query.state = state; - query.code = undefined; - - await request(app.getHttpServer()) - .get(`/sso/oauth`) - .set('Cookie', cookies) - .query(query) - .expect(302) - .expect( - 'Location', - `${clientUrl}/login?error=sso_auth_code_step&provider=${system.oauthConfig?.provider as string}` - ); - }); - }); - }); - - describe('[GET] sso/oauth/migration', () => { - const mockPostOauthTokenEndpoint = ( - idToken: string, - targetSystem: SystemEntity, - targetUserId: string, - schoolExternalId: string, - officialSchoolNumber: string - ) => { - axiosMock - .onPost(targetSystem.oauthConfig?.tokenEndpoint) - .replyOnce(200, { - id_token: idToken, - refresh_token: 'refreshToken', - access_token: 'accessToken', - }) - .onGet(targetSystem.provisioningUrl) - .replyOnce(200, { - pid: targetUserId, - person: { - name: { - familienname: 'familienName', - vorname: 'vorname', - }, - geschlecht: 'weiblich', - lokalisierung: 'not necessary', - vertrauensstufe: 'not necessary', - }, - personenkontexte: [ - { - id: new UUID('aef1f4fd-c323-466e-962b-a84354c0e713').toString(), - rolle: SanisRole.LEHR, - organisation: { - id: new UUID('aef1f4fd-c323-466e-962b-a84354c0e713').toString(), - kennung: officialSchoolNumber, - name: 'schulName', - typ: 'not necessary', - }, - personenstatus: 'not necessary', - }, - ], - }); - }; - - describe('when the session has no oauthLoginState', () => { - it('should return 401 Unauthorized', async () => { - const { query } = await setup(); - - await request(app.getHttpServer()).get(`/sso/oauth/migration`).query(query).expect(401); - }); - }); - - describe('when the migration is successful', () => { - const setupMigration = async () => { - const { externalUserId, query } = await setup(); - - const targetSystem: SystemEntity = systemFactory - .withOauthConfig() - .buildWithId({ provisioningStrategy: SystemProvisioningStrategy.SANIS }, new ObjectId().toHexString(), {}); - const sourceSystem: SystemEntity = systemFactory - .withOauthConfig() - .buildWithId({ provisioningStrategy: SystemProvisioningStrategy.ISERV }, new ObjectId().toHexString(), {}); - - const sourceSchool: SchoolEntity = schoolFactory.buildWithId({ - systems: [sourceSystem], - officialSchoolNumber: '11111', - externalId: 'aef1f4fd-c323-466e-962b-a84354c0e713', - }); - const userLoginMigration: UserLoginMigrationEntity = userLoginMigrationFactory.buildWithId({ - school: sourceSchool, - targetSystem, - sourceSystem, - startedAt: new Date('2022-12-17T03:24:00'), - }); - - const targetSchoolExternalId = 'aef1f4fd-c323-466e-962b-a84354c0e714'; - - const sourceUser: User = userFactory.buildWithId({ externalId: externalUserId, school: sourceSchool }); - - const sourceUserAccount: Account = accountFactory.buildWithId({ - userId: sourceUser.id, - systemId: sourceSystem.id, - username: sourceUser.email, - }); - - await em.persistAndFlush([sourceSystem, targetSystem, sourceUser, sourceUserAccount, userLoginMigration]); - - const { state, cookies } = await setupSessionState(targetSystem.id, true); - query.code = 'code'; - query.state = state; - - return { - targetSystem, - targetSchoolExternalId, - sourceSystem, - sourceUser, - externalUserId, - query, - cookies, - }; - }; - - it('should redirect to the success page', async () => { - const { query, sourceUser, targetSystem, externalUserId, cookies, sourceSystem, targetSchoolExternalId } = - await setupMigration(); - currentUser = mapUserToCurrentUser(sourceUser, undefined, sourceSystem.id); - const baseUrl: string = Configuration.get('HOST') as string; - - const idToken: string = JwtTestFactory.createJwt({ - sub: 'testUser', - iss: targetSystem.oauthConfig?.issuer, - aud: targetSystem.oauthConfig?.clientId, - external_sub: externalUserId, - }); - - mockPostOauthTokenEndpoint(idToken, targetSystem, currentUser.userId, targetSchoolExternalId, 'NI_11111'); - - await request(app.getHttpServer()) - .get(`/sso/oauth/migration`) - .set('Cookie', cookies) - .query(query) - .expect(302) - .expect( - 'Location', - `${baseUrl}/migration/success?sourceSystem=${ - currentUser.systemId ? currentUser.systemId : '' - }&targetSystem=${targetSystem.id}` - ); - }); - }); - - describe('when currentUser has no systemId', () => { - const setupMigration = async () => { - const { externalUserId, query } = await setup(); - - const targetSystem: SystemEntity = systemFactory - .withOauthConfig() - .buildWithId({ provisioningStrategy: SystemProvisioningStrategy.SANIS }, new ObjectId().toHexString(), {}); - const sourceSystem: SystemEntity = systemFactory - .withOauthConfig() - .buildWithId({ provisioningStrategy: SystemProvisioningStrategy.ISERV }, new ObjectId().toHexString(), {}); - - const sourceSchool: SchoolEntity = schoolFactory.buildWithId({ - systems: [sourceSystem], - officialSchoolNumber: '11110', - externalId: 'aef1f4fd-c323-466e-962b-a84354c0e713', - }); - - const userLoginMigration: UserLoginMigrationEntity = userLoginMigrationFactory.buildWithId({ - school: sourceSchool, - targetSystem, - sourceSystem, - startedAt: new Date('2022-12-17T03:24:00'), - }); - - const sourceUser: User = userFactory.buildWithId({ externalId: externalUserId, school: sourceSchool }); - - await em.persistAndFlush([targetSystem, sourceUser, userLoginMigration]); - - const { state, cookies } = await setupSessionState(targetSystem.id, true); - query.code = 'code'; - query.state = state; - - return { - sourceUser, - query, - cookies, - }; - }; - - it('should throw UnprocessableEntityException', async () => { - const { sourceUser, query, cookies } = await setupMigration(); - currentUser = mapUserToCurrentUser(sourceUser, undefined, undefined); - query.error = SSOAuthenticationError.INVALID_REQUEST; - - await request(app.getHttpServer()).get(`/sso/oauth/migration`).set('Cookie', cookies).query(query).expect(422); - }); - }); - - describe('when invalid request', () => { - const setupMigration = async () => { - const { externalUserId, query } = await setup(); - - const targetSystem: SystemEntity = systemFactory - .withOauthConfig() - .buildWithId({ provisioningStrategy: SystemProvisioningStrategy.SANIS }, new ObjectId().toHexString(), {}); - const sourceSystem: SystemEntity = systemFactory - .withOauthConfig() - .buildWithId({ provisioningStrategy: SystemProvisioningStrategy.ISERV }, new ObjectId().toHexString(), {}); - - const sourceSchool: SchoolEntity = schoolFactory.buildWithId({ - systems: [sourceSystem], - officialSchoolNumber: '11111', - externalId: 'aef1f4fd-c323-466e-962b-a84354c0e713', - }); - - const userLoginMigration: UserLoginMigrationEntity = userLoginMigrationFactory.buildWithId({ - school: sourceSchool, - targetSystem, - sourceSystem, - startedAt: new Date('2022-12-17T03:24:00'), - }); - - const sourceUser: User = userFactory.buildWithId({ externalId: externalUserId, school: sourceSchool }); - - await em.persistAndFlush([sourceSystem, targetSystem, sourceSchool, sourceUser, userLoginMigration]); - - const { state, cookies } = await setupSessionState(targetSystem.id, true); - query.code = 'code'; - query.state = state; - - return { - targetSystem, - sourceSystem, - sourceUser, - query, - cookies, - }; - }; - - it('should redirect to the general migration error page', async () => { - const { sourceUser, sourceSystem, query, cookies } = await setupMigration(); - currentUser = mapUserToCurrentUser(sourceUser, undefined, sourceSystem.id); - const baseUrl: string = Configuration.get('HOST') as string; - query.error = SSOAuthenticationError.INVALID_REQUEST; - - await request(app.getHttpServer()) - .get(`/sso/oauth/migration`) - .set('Cookie', cookies) - .query(query) - .expect(302) - .expect('Location', `${baseUrl}/migration/error`); - }); - }); - - describe('when schoolnumbers mismatch', () => { - const setupMigration = async () => { - const { externalUserId, query } = await setup(); - - const targetSystem: SystemEntity = systemFactory - .withOauthConfig() - .buildWithId({ provisioningStrategy: SystemProvisioningStrategy.SANIS }, new ObjectId().toHexString(), {}); - const sourceSystem: SystemEntity = systemFactory - .withOauthConfig() - .buildWithId({ provisioningStrategy: SystemProvisioningStrategy.ISERV }, new ObjectId().toHexString(), {}); - - const sourceSchool: SchoolEntity = schoolFactory.buildWithId({ - systems: [sourceSystem], - officialSchoolNumber: '11111', - externalId: 'aef1f4fd-c323-466e-962b-a84354c0e713', - }); - - const userLoginMigration: UserLoginMigrationEntity = userLoginMigrationFactory.buildWithId({ - school: sourceSchool, - targetSystem, - sourceSystem, - startedAt: new Date('2022-12-17T03:24:00'), - }); - - const targetSchool: SchoolEntity = schoolFactory.buildWithId({ - systems: [targetSystem], - officialSchoolNumber: '22222', - externalId: 'aef1f4fd-c323-466e-962b-a84354c0e713', - }); - - const sourceUser: User = userFactory.buildWithId({ externalId: externalUserId, school: sourceSchool }); - - const targetUser: User = userFactory.buildWithId({ - externalId: 'differentExternalUserId', - school: targetSchool, - }); - - await em.persistAndFlush([sourceSystem, targetSystem, sourceUser, targetUser, userLoginMigration]); - - const { state, cookies } = await setupSessionState(targetSystem.id, true); - query.code = 'code'; - query.state = state; - - return { - targetSystem, - sourceSystem, - sourceUser, - targetUser, - targetSchoolExternalId: targetSchool.externalId as string, - query, - cookies, - }; - }; - - it('should redirect to the login page with an schoolnumber mismatch error', async () => { - const { targetSystem, sourceUser, targetUser, sourceSystem, targetSchoolExternalId, query, cookies } = - await setupMigration(); - currentUser = mapUserToCurrentUser(sourceUser, undefined, sourceSystem.id); - const baseUrl: string = Configuration.get('HOST') as string; - - const idToken: string = JwtTestFactory.createJwt({ - sub: 'differentExternalUserId', - iss: targetSystem.oauthConfig?.issuer, - aud: targetSystem.oauthConfig?.clientId, - external_sub: 'differentExternalUserId', - }); - - mockPostOauthTokenEndpoint(idToken, targetSystem, targetUser.id, targetSchoolExternalId, 'NI_22222'); - - await request(app.getHttpServer()) - .get(`/sso/oauth/migration`) - .set('Cookie', cookies) - .query(query) - .expect(302) - .expect('Location', `${baseUrl}/migration/error?sourceSchoolNumber=11111&targetSchoolNumber=22222`); - }); - }); - - afterAll(() => { - axiosMock.restore(); - }); - }); -}); diff --git a/apps/server/src/modules/oauth/controller/oauth-sso.controller.ts b/apps/server/src/modules/oauth/controller/oauth-sso.controller.ts index 5ff7e7cae02..b5549cf2d98 100644 --- a/apps/server/src/modules/oauth/controller/oauth-sso.controller.ts +++ b/apps/server/src/modules/oauth/controller/oauth-sso.controller.ts @@ -1,150 +1,18 @@ -import { Configuration } from '@hpi-schul-cloud/commons/lib'; -import { - Controller, - Get, - InternalServerErrorException, - Param, - Query, - Req, - Res, - Session, - UnauthorizedException, - UnprocessableEntityException, -} from '@nestjs/common'; -import { ApiOkResponse, ApiResponse, ApiTags } from '@nestjs/swagger'; -import { ISession } from '@shared/domain/types/session'; +import { Authenticate, CurrentUser, ICurrentUser } from '@modules/authentication'; +import { Controller, Get, Param, Query, Req, UnauthorizedException } from '@nestjs/common'; +import { ApiTags } from '@nestjs/swagger'; import { LegacyLogger } from '@src/core/logger'; -import { ICurrentUser, Authenticate, CurrentUser, JWT } from '@modules/authentication'; -import { OAuthMigrationError } from '@modules/user-login-migration/error/oauth-migration.error'; -import { MigrationDto } from '@modules/user-login-migration/service/dto'; -import { CookieOptions, Request, Response } from 'express'; -import { HydraOauthUc } from '../uc/hydra-oauth.uc'; -import { UserMigrationResponse } from './dto/user-migration.response'; -import { OAuthSSOError } from '../loggable/oauth-sso.error'; +import { Request } from 'express'; import { OAuthTokenDto } from '../interface'; -import { OauthLoginStateMapper } from '../mapper/oauth-login-state.mapper'; -import { UserMigrationMapper } from '../mapper/user-migration.mapper'; -import { OAuthProcessDto } from '../service/dto'; -import { OauthUc } from '../uc'; -import { OauthLoginStateDto } from '../uc/dto/oauth-login-state.dto'; -import { AuthorizationParams, SSOLoginQuery, SystemIdParams } from './dto'; +import { HydraOauthUc } from '../uc'; +import { AuthorizationParams } from './dto'; import { StatelessAuthorizationParams } from './dto/stateless-authorization.params'; @ApiTags('SSO') @Controller('sso') export class OauthSSOController { - private readonly clientUrl: string; - - constructor( - private readonly oauthUc: OauthUc, - private readonly hydraUc: HydraOauthUc, - private readonly logger: LegacyLogger - ) { + constructor(private readonly hydraUc: HydraOauthUc, private readonly logger: LegacyLogger) { this.logger.setContext(OauthSSOController.name); - this.clientUrl = Configuration.get('HOST') as string; - } - - private errorHandler(error: unknown, session: ISession, res: Response, provider?: string) { - this.logger.error(error); - const ssoError: OAuthSSOError = error instanceof OAuthSSOError ? error : new OAuthSSOError(); - - session.destroy((err) => { - this.logger.log(err); - }); - - const errorRedirect: URL = new URL('/login', this.clientUrl); - errorRedirect.searchParams.append('error', ssoError.errorcode); - - if (provider) { - errorRedirect.searchParams.append('provider', provider); - } - - res.redirect(errorRedirect.toString()); - } - - private migrationErrorHandler(error: unknown, session: ISession, res: Response) { - const migrationError: OAuthMigrationError = - error instanceof OAuthMigrationError ? error : new OAuthMigrationError(); - - session.destroy((err) => { - this.logger.log(err); - }); - - const errorRedirect: URL = new URL('/migration/error', this.clientUrl); - - if (migrationError.officialSchoolNumberFromSource && migrationError.officialSchoolNumberFromTarget) { - errorRedirect.searchParams.append('sourceSchoolNumber', migrationError.officialSchoolNumberFromSource); - errorRedirect.searchParams.append('targetSchoolNumber', migrationError.officialSchoolNumberFromTarget); - } - - res.redirect(errorRedirect.toString()); - } - - private sessionHandler(session: ISession, query: AuthorizationParams): OauthLoginStateDto { - if (!session.oauthLoginState) { - throw new UnauthorizedException('Oauth session not found'); - } - - const oauthLoginState: OauthLoginStateDto = OauthLoginStateMapper.mapSessionToDto(session); - - if (oauthLoginState.state !== query.state) { - throw new UnauthorizedException(`Invalid state. Got: ${query.state} Expected: ${oauthLoginState.state}`); - } - - return oauthLoginState; - } - - @Get('login/:systemId') - async getAuthenticationUrl( - @Session() session: ISession, - @Res() res: Response, - @Param() params: SystemIdParams, - @Query() query: SSOLoginQuery - ): Promise { - try { - const redirect: string = await this.oauthUc.startOauthLogin( - session, - params.systemId, - query.migration || false, - query.postLoginRedirect - ); - - res.redirect(redirect); - } catch (error) { - this.errorHandler(error, session, res); - } - } - - @Get('oauth') - async startOauthAuthorizationCodeFlow( - @Session() session: ISession, - @Res() res: Response, - @Query() query: AuthorizationParams - ): Promise { - const oauthLoginState: OauthLoginStateDto = this.sessionHandler(session, query); - - try { - const oauthProcessDto: OAuthProcessDto = await this.oauthUc.processOAuthLogin( - oauthLoginState, - query.code, - query.error - ); - - if (oauthProcessDto.jwt) { - const cookieDefaultOptions: CookieOptions = { - httpOnly: Configuration.get('COOKIE__HTTP_ONLY') as boolean, - sameSite: Configuration.get('COOKIE__SAME_SITE') as 'lax' | 'strict' | 'none', - secure: Configuration.get('COOKIE__SECURE') as boolean, - expires: new Date(Date.now() + (Configuration.get('COOKIE__EXPIRES_SECONDS') as number)), - }; - - res.cookie('jwt', oauthProcessDto.jwt, cookieDefaultOptions); - } - - res.redirect(oauthProcessDto.redirect); - } catch (error) { - this.errorHandler(error, session, res, oauthLoginState.provider); - } } @Get('hydra/:oauthClientId') @@ -175,30 +43,4 @@ export class OauthSSOController { } return this.hydraUc.requestAuthCode(currentUser.userId, jwt, oauthClientId); } - - @Get('oauth/migration') - @Authenticate('jwt') - @ApiOkResponse({ description: 'The User has been succesfully migrated.' }) - @ApiResponse({ type: InternalServerErrorException, description: 'The migration of the User was not possible. ' }) - async migrateUser( - @JWT() jwt: string, - @Session() session: ISession, - @CurrentUser() currentUser: ICurrentUser, - @Query() query: AuthorizationParams, - @Res() res: Response - ): Promise { - const oauthLoginState: OauthLoginStateDto = this.sessionHandler(session, query); - - if (!currentUser.systemId) { - throw new UnprocessableEntityException('Current user does not have a system.'); - } - - try { - const migration: MigrationDto = await this.oauthUc.migrate(jwt, currentUser.userId, query, oauthLoginState); - const response: UserMigrationResponse = UserMigrationMapper.mapDtoToResponse(migration); - res.redirect(response.redirect); - } catch (error) { - this.migrationErrorHandler(error, session, res); - } - } } diff --git a/apps/server/src/modules/oauth/uc/hydra-oauth.uc.spec.ts b/apps/server/src/modules/oauth/uc/hydra-oauth.uc.spec.ts index 3d42b0e977f..339bc6c09d9 100644 --- a/apps/server/src/modules/oauth/uc/hydra-oauth.uc.spec.ts +++ b/apps/server/src/modules/oauth/uc/hydra-oauth.uc.spec.ts @@ -13,7 +13,7 @@ import { AxiosResponse } from 'axios'; import { HydraOauthUc } from '.'; import { AuthorizationParams } from '../controller/dto'; import { StatelessAuthorizationParams } from '../controller/dto/stateless-authorization.params'; -import { OAuthSSOError } from '../loggable/oauth-sso.error'; +import { OAuthSSOError } from '../loggable'; import { OAuthTokenDto } from '../interface'; class HydraOauthUcSpec extends HydraOauthUc { diff --git a/apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts b/apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts index 905cd3c8802..f80e03aeaff 100644 --- a/apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts +++ b/apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts @@ -22,8 +22,6 @@ export class HydraOauthUc { private readonly MAX_REDIRECTS: number = 10; - private readonly HYDRA_PUBLIC_URI: string = Configuration.get('HYDRA_PUBLIC_URI') as string; - async getOauthToken(oauthClientId: string, code?: string, error?: string): Promise { if (error || !code) { throw new OAuthSSOError( diff --git a/config/default.schema.json b/config/default.schema.json index a34d8e899ad..edea2d8bc96 100644 --- a/config/default.schema.json +++ b/config/default.schema.json @@ -1271,11 +1271,6 @@ "default": false, "description": "Makes the new school administration page the default page" }, - "FEATURE_CLIENT_USER_LOGIN_MIGRATION_ENABLED": { - "type": "boolean", - "default": false, - "description": "Changes the schulcloud client to use new login endpoints" - }, "FEATURE_CTL_TOOLS_TAB_ENABLED": { "type": "boolean", "default": false, diff --git a/src/services/config/publicAppConfigService.js b/src/services/config/publicAppConfigService.js index 06a54c6cf96..62615f0efb1 100644 --- a/src/services/config/publicAppConfigService.js +++ b/src/services/config/publicAppConfigService.js @@ -56,7 +56,6 @@ const exposedVars = [ 'FEATURE_ALLOW_INSECURE_LDAP_URL_ENABLED', 'FEATURE_NEW_SCHOOL_ADMINISTRATION_PAGE_AS_DEFAULT_ENABLED', 'MIGRATION_END_GRACE_PERIOD_MS', - 'FEATURE_CLIENT_USER_LOGIN_MIGRATION_ENABLED', 'FEATURE_CTL_TOOLS_TAB_ENABLED', 'FEATURE_LTI_TOOLS_TAB_ENABLED', 'FILES_STORAGE__MAX_FILE_SIZE', From 61bfe2eb76dea8b1003abcc13f4afffb7b3a0bfb Mon Sep 17 00:00:00 2001 From: Arne Gnisa Date: Thu, 9 Nov 2023 14:58:52 +0100 Subject: [PATCH 2/6] N21-1374 removes deprecation of authorization.params.ts --- .../src/modules/oauth/controller/dto/authorization.params.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/apps/server/src/modules/oauth/controller/dto/authorization.params.ts b/apps/server/src/modules/oauth/controller/dto/authorization.params.ts index 1a20985ce43..af76d0799e4 100644 --- a/apps/server/src/modules/oauth/controller/dto/authorization.params.ts +++ b/apps/server/src/modules/oauth/controller/dto/authorization.params.ts @@ -1,9 +1,6 @@ import { IsEnum, IsNotEmpty, IsOptional, IsString } from 'class-validator'; import { SSOAuthenticationError } from '../../interface/sso-authentication-error.enum'; -/** - * @deprecated - */ export class AuthorizationParams { @IsOptional() @IsString() From 2497112997c253a814abe002d914211297584ec5 Mon Sep 17 00:00:00 2001 From: Arne Gnisa Date: Thu, 9 Nov 2023 15:00:08 +0100 Subject: [PATCH 3/6] N21-1374 uses optional chaining --- .../server/src/modules/oauth/controller/oauth-sso.controller.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/server/src/modules/oauth/controller/oauth-sso.controller.ts b/apps/server/src/modules/oauth/controller/oauth-sso.controller.ts index b5549cf2d98..61ed319d1cd 100644 --- a/apps/server/src/modules/oauth/controller/oauth-sso.controller.ts +++ b/apps/server/src/modules/oauth/controller/oauth-sso.controller.ts @@ -34,7 +34,7 @@ export class OauthSSOController { ): Promise { let jwt: string; const authHeader: string | undefined = req.headers.authorization; - if (authHeader && authHeader.toLowerCase().startsWith('bearer ')) { + if (authHeader?.toLowerCase()?.startsWith('bearer ')) { [, jwt] = authHeader.split(' '); } else { throw new UnauthorizedException( From 719fac6e3d2e324d623d162cb264ddbd8447af3e Mon Sep 17 00:00:00 2001 From: Arne Gnisa Date: Thu, 9 Nov 2023 15:01:22 +0100 Subject: [PATCH 4/6] N21-1374 adjusts imports --- apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts b/apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts index f80e03aeaff..2c461e6db4d 100644 --- a/apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts +++ b/apps/server/src/modules/oauth/uc/hydra-oauth.uc.ts @@ -1,12 +1,11 @@ -import { Configuration } from '@hpi-schul-cloud/commons/lib'; +import { HydraRedirectDto } from '@modules/oauth/service/dto/hydra.redirect.dto'; import { Injectable, InternalServerErrorException } from '@nestjs/common'; import { OauthConfig } from '@shared/domain'; import { LegacyLogger } from '@src/core/logger'; -import { HydraRedirectDto } from '@modules/oauth/service/dto/hydra.redirect.dto'; import { AxiosRequestConfig, AxiosResponse } from 'axios'; import { AuthorizationParams } from '../controller/dto'; -import { OAuthSSOError } from '../loggable/oauth-sso.error'; import { OAuthTokenDto } from '../interface'; +import { OAuthSSOError } from '../loggable'; import { HydraSsoService } from '../service/hydra.service'; import { OAuthService } from '../service/oauth.service'; From 63ec0e3769da4f99495152fb684231c5b177a711 Mon Sep 17 00:00:00 2001 From: Arne Gnisa Date: Fri, 10 Nov 2023 16:53:15 +0100 Subject: [PATCH 5/6] N21-1374 review changes --- .../oauth/mapper/oauth-login-state.mapper.ts | 9 - .../src/modules/oauth/oauth-api.module.ts | 10 +- .../oauth/service/oauth.service.spec.ts | 92 +- .../modules/oauth/service/oauth.service.ts | 25 - .../oauth/uc/dto/oauth-login-state.dto.ts | 21 - apps/server/src/modules/oauth/uc/index.ts | 1 - .../src/modules/oauth/uc/oauth.uc.spec.ts | 923 ------------------ apps/server/src/modules/oauth/uc/oauth.uc.ts | 149 --- 8 files changed, 13 insertions(+), 1217 deletions(-) delete mode 100644 apps/server/src/modules/oauth/mapper/oauth-login-state.mapper.ts delete mode 100644 apps/server/src/modules/oauth/uc/dto/oauth-login-state.dto.ts delete mode 100644 apps/server/src/modules/oauth/uc/oauth.uc.spec.ts delete mode 100644 apps/server/src/modules/oauth/uc/oauth.uc.ts diff --git a/apps/server/src/modules/oauth/mapper/oauth-login-state.mapper.ts b/apps/server/src/modules/oauth/mapper/oauth-login-state.mapper.ts deleted file mode 100644 index 67c1ae8a6ef..00000000000 --- a/apps/server/src/modules/oauth/mapper/oauth-login-state.mapper.ts +++ /dev/null @@ -1,9 +0,0 @@ -import { ISession } from '@shared/domain/types/session'; -import { OauthLoginStateDto } from '../uc/dto/oauth-login-state.dto'; - -export class OauthLoginStateMapper { - static mapSessionToDto(session: ISession): OauthLoginStateDto { - const dto = new OauthLoginStateDto(session.oauthLoginState as OauthLoginStateDto); - return dto; - } -} diff --git a/apps/server/src/modules/oauth/oauth-api.module.ts b/apps/server/src/modules/oauth/oauth-api.module.ts index 98e62d87eca..2efacf66adf 100644 --- a/apps/server/src/modules/oauth/oauth-api.module.ts +++ b/apps/server/src/modules/oauth/oauth-api.module.ts @@ -1,15 +1,15 @@ -import { Module } from '@nestjs/common'; -import { LoggerModule } from '@src/core/logger'; import { AuthenticationModule } from '@modules/authentication/authentication.module'; import { AuthorizationModule } from '@modules/authorization'; -import { ProvisioningModule } from '@modules/provisioning'; import { LegacySchoolModule } from '@modules/legacy-school'; +import { ProvisioningModule } from '@modules/provisioning'; import { SystemModule } from '@modules/system'; import { UserModule } from '@modules/user'; import { UserLoginMigrationModule } from '@modules/user-login-migration'; +import { Module } from '@nestjs/common'; +import { LoggerModule } from '@src/core/logger'; import { OauthSSOController } from './controller/oauth-sso.controller'; import { OauthModule } from './oauth.module'; -import { HydraOauthUc, OauthUc } from './uc'; +import { HydraOauthUc } from './uc'; @Module({ imports: [ @@ -24,6 +24,6 @@ import { HydraOauthUc, OauthUc } from './uc'; LoggerModule, ], controllers: [OauthSSOController], - providers: [OauthUc, HydraOauthUc], + providers: [HydraOauthUc], }) export class OauthApiModule {} diff --git a/apps/server/src/modules/oauth/service/oauth.service.spec.ts b/apps/server/src/modules/oauth/service/oauth.service.spec.ts index 9c4b45582df..1ea2fe5ce07 100644 --- a/apps/server/src/modules/oauth/service/oauth.service.spec.ts +++ b/apps/server/src/modules/oauth/service/oauth.service.spec.ts @@ -1,23 +1,23 @@ import { createMock, DeepMocked } from '@golevelup/ts-jest'; import { Configuration } from '@hpi-schul-cloud/commons'; -import { Test, TestingModule } from '@nestjs/testing'; -import { LegacySchoolDo, OauthConfig, SchoolFeatures, SystemEntity } from '@shared/domain'; -import { UserDO } from '@shared/domain/domainobject/user.do'; -import { SystemProvisioningStrategy } from '@shared/domain/interface/system-provisioning.strategy'; import { DefaultEncryptionService, IEncryptionService, SymetricKeyEncryptionService } from '@infra/encryption'; -import { legacySchoolDoFactory, setupEntities, systemFactory, userDoFactory } from '@shared/testing'; -import { LegacyLogger } from '@src/core/logger'; +import { LegacySchoolService } from '@modules/legacy-school'; import { ProvisioningDto, ProvisioningService } from '@modules/provisioning'; import { ExternalSchoolDto, ExternalUserDto, OauthDataDto, ProvisioningSystemDto } from '@modules/provisioning/dto'; -import { LegacySchoolService } from '@modules/legacy-school'; import { OauthConfigDto } from '@modules/system/service'; import { SystemDto } from '@modules/system/service/dto/system.dto'; import { SystemService } from '@modules/system/service/system.service'; import { UserService } from '@modules/user'; import { MigrationCheckService, UserMigrationService } from '@modules/user-login-migration'; +import { Test, TestingModule } from '@nestjs/testing'; +import { LegacySchoolDo, OauthConfig, SchoolFeatures, SystemEntity } from '@shared/domain'; +import { UserDO } from '@shared/domain/domainobject/user.do'; +import { SystemProvisioningStrategy } from '@shared/domain/interface/system-provisioning.strategy'; +import { legacySchoolDoFactory, setupEntities, systemFactory, userDoFactory } from '@shared/testing'; +import { LegacyLogger } from '@src/core/logger'; import jwt, { JwtPayload } from 'jsonwebtoken'; -import { OAuthSSOError, UserNotFoundAfterProvisioningLoggableException } from '../loggable'; import { OAuthTokenDto } from '../interface'; +import { OAuthSSOError, UserNotFoundAfterProvisioningLoggableException } from '../loggable'; import { OauthTokenResponse } from './dto'; import { OauthAdapterService } from './oauth-adapter.service'; import { OAuthService } from './oauth.service'; @@ -560,80 +560,4 @@ describe('OAuthService', () => { }); }); }); - - describe('getAuthenticationUrl is called', () => { - describe('when a normal authentication url is requested', () => { - it('should return a authentication url', () => { - const oauthConfig: OauthConfig = new OauthConfig({ - clientId: '12345', - clientSecret: 'mocksecret', - tokenEndpoint: 'http://mock.de/mock/auth/public/mockToken', - grantType: 'authorization_code', - redirectUri: 'http://mockhost:3030/api/v3/sso/oauth/testsystemId', - scope: 'openid uuid', - responseType: 'code', - authEndpoint: 'http://mock.de/auth', - provider: 'mock_type', - logoutEndpoint: 'http://mock.de/logout', - issuer: 'mock_issuer', - jwksEndpoint: 'http://mock.de/jwks', - }); - - const result: string = service.getAuthenticationUrl(oauthConfig, 'state', false); - - expect(result).toEqual( - 'http://mock.de/auth?client_id=12345&redirect_uri=https%3A%2F%2Fmock.de%2Fapi%2Fv3%2Fsso%2Foauth&response_type=code&scope=openid+uuid&state=state' - ); - }); - }); - - describe('when a migration authentication url is requested', () => { - it('should return a authentication url', () => { - const oauthConfig: OauthConfig = new OauthConfig({ - clientId: '12345', - clientSecret: 'mocksecret', - tokenEndpoint: 'http://mock.de/mock/auth/public/mockToken', - grantType: 'authorization_code', - redirectUri: 'http://mockhost.de/api/v3/sso/oauth/testsystemId', - scope: 'openid uuid', - responseType: 'code', - authEndpoint: 'http://mock.de/auth', - provider: 'mock_type', - logoutEndpoint: 'http://mock.de/logout', - issuer: 'mock_issuer', - jwksEndpoint: 'http://mock.de/jwks', - }); - - const result: string = service.getAuthenticationUrl(oauthConfig, 'state', true); - - expect(result).toEqual( - 'http://mock.de/auth?client_id=12345&redirect_uri=https%3A%2F%2Fmock.de%2Fapi%2Fv3%2Fsso%2Foauth%2Fmigration&response_type=code&scope=openid+uuid&state=state' - ); - }); - - it('should return add an idp hint if existing authentication url', () => { - const oauthConfig: OauthConfig = new OauthConfig({ - clientId: '12345', - clientSecret: 'mocksecret', - tokenEndpoint: 'http://mock.de/mock/auth/public/mockToken', - grantType: 'authorization_code', - redirectUri: 'http://mockhost.de/api/v3/sso/oauth/testsystemId', - scope: 'openid uuid', - responseType: 'code', - authEndpoint: 'http://mock.de/auth', - provider: 'mock_type', - logoutEndpoint: 'http://mock.de/logout', - issuer: 'mock_issuer', - jwksEndpoint: 'http://mock.de/jwks', - idpHint: 'TheIdpHint', - }); - - const result: string = service.getAuthenticationUrl(oauthConfig, 'state', true); - - expect(result).toEqual( - 'http://mock.de/auth?client_id=12345&redirect_uri=https%3A%2F%2Fmock.de%2Fapi%2Fv3%2Fsso%2Foauth%2Fmigration&response_type=code&scope=openid+uuid&state=state&kc_idp_hint=TheIdpHint' - ); - }); - }); - }); }); diff --git a/apps/server/src/modules/oauth/service/oauth.service.ts b/apps/server/src/modules/oauth/service/oauth.service.ts index 190c962cd97..1f7935d919e 100644 --- a/apps/server/src/modules/oauth/service/oauth.service.ts +++ b/apps/server/src/modules/oauth/service/oauth.service.ts @@ -186,31 +186,6 @@ export class OAuthService { return redirect; } - getAuthenticationUrl(oauthConfig: OauthConfig, state: string, migration: boolean): string { - const redirectUri: string = this.getRedirectUri(migration); - - const authenticationUrl: URL = new URL(oauthConfig.authEndpoint); - authenticationUrl.searchParams.append('client_id', oauthConfig.clientId); - authenticationUrl.searchParams.append('redirect_uri', redirectUri); - authenticationUrl.searchParams.append('response_type', oauthConfig.responseType); - authenticationUrl.searchParams.append('scope', oauthConfig.scope); - authenticationUrl.searchParams.append('state', state); - if (oauthConfig.idpHint) { - authenticationUrl.searchParams.append('kc_idp_hint', oauthConfig.idpHint); - } - - return authenticationUrl.toString(); - } - - getRedirectUri(migration: boolean) { - const publicBackendUrl: string = Configuration.get('PUBLIC_BACKEND_URL') as string; - - const path: string = migration ? 'api/v3/sso/oauth/migration' : 'api/v3/sso/oauth'; - const redirectUri: URL = new URL(path, publicBackendUrl); - - return redirectUri.toString(); - } - private buildTokenRequestPayload( code: string, oauthConfig: OauthConfig, diff --git a/apps/server/src/modules/oauth/uc/dto/oauth-login-state.dto.ts b/apps/server/src/modules/oauth/uc/dto/oauth-login-state.dto.ts deleted file mode 100644 index 10d01b596d2..00000000000 --- a/apps/server/src/modules/oauth/uc/dto/oauth-login-state.dto.ts +++ /dev/null @@ -1,21 +0,0 @@ -import { EntityId } from '@shared/domain'; - -export class OauthLoginStateDto { - state: string; - - systemId: EntityId; - - provider: string; - - postLoginRedirect?: string; - - userLoginMigration: boolean; - - constructor(props: OauthLoginStateDto) { - this.state = props.state; - this.systemId = props.systemId; - this.postLoginRedirect = props.postLoginRedirect; - this.provider = props.provider; - this.userLoginMigration = props.userLoginMigration; - } -} diff --git a/apps/server/src/modules/oauth/uc/index.ts b/apps/server/src/modules/oauth/uc/index.ts index 32e4dce0f74..e1a569e5f88 100644 --- a/apps/server/src/modules/oauth/uc/index.ts +++ b/apps/server/src/modules/oauth/uc/index.ts @@ -1,2 +1 @@ -export * from './oauth.uc'; export * from './hydra-oauth.uc'; diff --git a/apps/server/src/modules/oauth/uc/oauth.uc.spec.ts b/apps/server/src/modules/oauth/uc/oauth.uc.spec.ts deleted file mode 100644 index 1e888abd5f1..00000000000 --- a/apps/server/src/modules/oauth/uc/oauth.uc.spec.ts +++ /dev/null @@ -1,923 +0,0 @@ -import { createMock, DeepMocked } from '@golevelup/ts-jest'; -import { AuthenticationService } from '@modules/authentication/services/authentication.service'; -import { LegacySchoolService } from '@modules/legacy-school'; -import { OauthUc } from '@modules/oauth/uc/oauth.uc'; -import { ProvisioningService } from '@modules/provisioning'; -import { ExternalUserDto, OauthDataDto, ProvisioningSystemDto } from '@modules/provisioning/dto'; -import { SystemService } from '@modules/system'; -import { OauthConfigDto, SystemDto } from '@modules/system/service'; -import { UserService } from '@modules/user'; -import { UserMigrationService } from '@modules/user-login-migration'; -import { OAuthMigrationError } from '@modules/user-login-migration/error/oauth-migration.error'; -import { SchoolMigrationService } from '@modules/user-login-migration/service'; -import { MigrationDto } from '@modules/user-login-migration/service/dto'; -import { UnauthorizedException, UnprocessableEntityException } from '@nestjs/common'; -import { Test, TestingModule } from '@nestjs/testing'; -import { LegacySchoolDo, UserDO } from '@shared/domain'; -import { SystemProvisioningStrategy } from '@shared/domain/interface/system-provisioning.strategy'; -import { ISession } from '@shared/domain/types/session'; -import { legacySchoolDoFactory, setupEntities } from '@shared/testing'; -import { LegacyLogger } from '@src/core/logger'; -import { OauthCurrentUser } from '@modules/authentication/interface'; -import { AuthorizationParams } from '../controller/dto'; -import { OAuthTokenDto } from '../interface'; -import { OAuthSSOError } from '../loggable/oauth-sso.error'; -import { OAuthProcessDto } from '../service/dto'; -import { OAuthService } from '../service/oauth.service'; -import { OauthLoginStateDto } from './dto/oauth-login-state.dto'; -import resetAllMocks = jest.resetAllMocks; - -jest.mock('nanoid', () => { - return { - nanoid: () => 'mockNanoId', - }; -}); - -describe('OAuthUc', () => { - let module: TestingModule; - let uc: OauthUc; - - let authenticationService: DeepMocked; - let oauthService: DeepMocked; - let systemService: DeepMocked; - let provisioningService: DeepMocked; - let userMigrationService: DeepMocked; - let userService: DeepMocked; - let schoolMigrationService: DeepMocked; - - beforeAll(async () => { - await setupEntities(); - - module = await Test.createTestingModule({ - providers: [ - OauthUc, - { - provide: LegacyLogger, - useValue: createMock(), - }, - { - provide: SystemService, - useValue: createMock(), - }, - { - provide: OAuthService, - useValue: createMock(), - }, - { - provide: AuthenticationService, - useValue: createMock(), - }, - { - provide: ProvisioningService, - useValue: createMock(), - }, - { - provide: UserService, - useValue: createMock(), - }, - { - provide: LegacySchoolService, - useValue: createMock(), - }, - { - provide: UserMigrationService, - useValue: createMock(), - }, - { - provide: SchoolMigrationService, - useValue: createMock(), - }, - { - provide: AuthenticationService, - useValue: createMock(), - }, - ], - }).compile(); - - uc = module.get(OauthUc); - systemService = module.get(SystemService); - authenticationService = module.get(AuthenticationService); - oauthService = module.get(OAuthService); - provisioningService = module.get(ProvisioningService); - userService = module.get(UserService); - userMigrationService = module.get(UserMigrationService); - schoolMigrationService = module.get(SchoolMigrationService); - authenticationService = module.get(AuthenticationService); - }); - - afterAll(async () => { - await module.close(); - }); - - afterEach(() => { - resetAllMocks(); - }); - - const createOAuthTestData = () => { - const oauthConfig: OauthConfigDto = new OauthConfigDto({ - clientId: '12345', - clientSecret: 'mocksecret', - tokenEndpoint: 'https://mock.de/mock/auth/public/mockToken', - grantType: 'authorization_code', - scope: 'openid uuid', - responseType: 'code', - authEndpoint: 'mock_authEndpoint', - provider: 'mock_provider', - logoutEndpoint: 'mock_logoutEndpoint', - issuer: 'mock_issuer', - jwksEndpoint: 'mock_jwksEndpoint', - redirectUri: 'mock_codeRedirectUri', - }); - const system: SystemDto = new SystemDto({ - id: 'systemId', - type: 'oauth', - oauthConfig, - }); - - return { - system, - systemId: system.id as string, - oauthConfig, - }; - }; - - describe('startOauthLogin', () => { - describe('when starting an oauth login without migration', () => { - const setup = () => { - const { system, systemId } = createOAuthTestData(); - - const session: DeepMocked = createMock(); - const authenticationUrl = 'authenticationUrl'; - - systemService.findById.mockResolvedValue(system); - oauthService.getAuthenticationUrl.mockReturnValue(authenticationUrl); - - return { - systemId, - session, - authenticationUrl, - }; - }; - - it('should return the authentication url for the system', async () => { - const { systemId, session, authenticationUrl } = setup(); - - const result: string = await uc.startOauthLogin(session, systemId, false); - - expect(result).toEqual(authenticationUrl); - }); - }); - - describe('when starting an oauth login during a migration', () => { - const setup = () => { - const { system, systemId } = createOAuthTestData(); - - const session: DeepMocked = createMock(); - const authenticationUrl = 'authenticationUrl'; - const postLoginRedirect = 'postLoginRedirect'; - - systemService.findById.mockResolvedValue(system); - oauthService.getAuthenticationUrl.mockReturnValue(authenticationUrl); - - return { - system, - systemId, - postLoginRedirect, - session, - }; - }; - - it('should save data to the session', async () => { - const { systemId, system, session, postLoginRedirect } = setup(); - - await uc.startOauthLogin(session, systemId, false, postLoginRedirect); - - expect(session.oauthLoginState).toEqual({ - systemId, - state: 'mockNanoId', - postLoginRedirect, - provider: system.oauthConfig?.provider as string, - userLoginMigration: false, - }); - }); - }); - - describe('when the system cannot be found', () => { - const setup = () => { - const { systemId, system } = createOAuthTestData(); - system.oauthConfig = undefined; - const session: DeepMocked = createMock(); - const authenticationUrl = 'authenticationUrl'; - - systemService.findById.mockResolvedValue(system); - oauthService.getAuthenticationUrl.mockReturnValue(authenticationUrl); - - return { - systemId, - session, - authenticationUrl, - }; - }; - - it('should throw UnprocessableEntityException', async () => { - const { systemId, session } = setup(); - - const func = async () => uc.startOauthLogin(session, systemId, false); - - await expect(func).rejects.toThrow(UnprocessableEntityException); - }); - }); - }); - - describe('processOAuth', () => { - const setup = () => { - const postLoginRedirect = 'postLoginRedirect'; - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - postLoginRedirect, - provider: 'mock_provider', - userLoginMigration: false, - }); - const code = 'code'; - const error = 'error'; - - const jwt = 'schulcloudJwt'; - const redirect = 'redirect'; - const user: UserDO = new UserDO({ - id: 'mockUserId', - firstName: 'firstName', - lastName: 'lastame', - email: '', - roles: [], - schoolId: 'mockSchoolId', - externalId: 'mockExternalId', - }); - - const currentUser: OauthCurrentUser = { userId: 'userId', isExternalUser: true } as OauthCurrentUser; - const testSystem: SystemDto = new SystemDto({ - id: 'mockSystemId', - type: 'mock', - oauthConfig: { provider: 'testProvider' } as OauthConfigDto, - }); - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - return { cachedState, code, error, jwt, redirect, user, currentUser, testSystem, tokenDto }; - }; - - describe('when a user is returned', () => { - it('should return a response with a valid jwt', async () => { - const { cachedState, code, error, jwt, redirect, user, currentUser, tokenDto } = setup(); - - userService.getResolvedUser.mockResolvedValue(currentUser); - authenticationService.generateJwt.mockResolvedValue({ accessToken: jwt }); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - oauthService.provisionUser.mockResolvedValue({ user, redirect }); - - const response: OAuthProcessDto = await uc.processOAuthLogin(cachedState, code, error); - expect(response).toEqual( - expect.objectContaining({ - jwt, - redirect, - }) - ); - }); - }); - - describe('when no user is returned', () => { - it('should return a response without a jwt', async () => { - const { cachedState, code, error, redirect, tokenDto } = setup(); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - oauthService.provisionUser.mockResolvedValue({ redirect }); - - const response: OAuthProcessDto = await uc.processOAuthLogin(cachedState, code, error); - - expect(response).toEqual({ - redirect, - }); - }); - }); - - describe('when an error occurs', () => { - it('should return an OAuthProcessDto with error', async () => { - const { cachedState, code, error, testSystem } = setup(); - oauthService.authenticateUser.mockRejectedValue(new OAuthSSOError('Testmessage')); - systemService.findById.mockResolvedValue(testSystem); - - const response = uc.processOAuthLogin(cachedState, code, error); - - await expect(response).rejects.toThrow(OAuthSSOError); - }); - }); - - describe('when the process runs successfully', () => { - it('should return a valid jwt', async () => { - const { cachedState, code, user, currentUser, jwt, redirect, tokenDto } = setup(); - - userService.getResolvedUser.mockResolvedValue(currentUser); - authenticationService.generateJwt.mockResolvedValue({ accessToken: jwt }); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - oauthService.provisionUser.mockResolvedValue({ user, redirect }); - - const response: OAuthProcessDto = await uc.processOAuthLogin(cachedState, code); - - expect(response).toEqual({ - jwt, - redirect, - }); - }); - }); - }); - - describe('migration', () => { - describe('migrate', () => { - describe('when authorize user and migration was successful', () => { - const setupMigration = () => { - const code = '43534543jnj543342jn2'; - - const query: AuthorizationParams = { code, state: 'state' }; - - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const oauthConfig: OauthConfigDto = new OauthConfigDto({ - clientId: '12345', - clientSecret: 'mocksecret', - tokenEndpoint: 'https://mock.de/mock/auth/public/mockToken', - grantType: 'authorization_code', - scope: 'openid uuid', - responseType: 'code', - authEndpoint: 'mock_authEndpoint', - provider: 'mock_provider', - logoutEndpoint: 'mock_logoutEndpoint', - issuer: 'mock_issuer', - jwksEndpoint: 'mock_jwksEndpoint', - redirectUri: 'mock_codeRedirectUri', - }); - - const system: SystemDto = new SystemDto({ - id: 'systemId', - type: 'oauth', - oauthConfig, - }); - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - }); - - const userMigrationDto: MigrationDto = new MigrationDto({ - redirect: 'https://mock.de/migration/succeed', - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - systemService.findById.mockResolvedValue(system); - userMigrationService.migrateUser.mockResolvedValue(userMigrationDto); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - - return { - query, - cachedState, - }; - }; - - it('should return redirect to migration succeed page', async () => { - const { query, cachedState } = setupMigration(); - - const result: MigrationDto = await uc.migrate('jwt', 'currentUserId', query, cachedState); - - expect(result.redirect).toStrictEqual('https://mock.de/migration/succeed'); - }); - - it('should remove the jwt from the whitelist', async () => { - const { query, cachedState } = setupMigration(); - - await uc.migrate('jwt', 'currentUserId', query, cachedState); - - expect(authenticationService.removeJwtFromWhitelist).toHaveBeenCalledWith('jwt'); - }); - }); - - describe('when the jwt cannot be removed', () => { - const setupMigration = () => { - const code = '43534543jnj543342jn2'; - - const query: AuthorizationParams = { code, state: 'state' }; - - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const oauthConfig: OauthConfigDto = new OauthConfigDto({ - clientId: '12345', - clientSecret: 'mocksecret', - tokenEndpoint: 'https://mock.de/mock/auth/public/mockToken', - grantType: 'authorization_code', - scope: 'openid uuid', - responseType: 'code', - authEndpoint: 'mock_authEndpoint', - provider: 'mock_provider', - logoutEndpoint: 'mock_logoutEndpoint', - issuer: 'mock_issuer', - jwksEndpoint: 'mock_jwksEndpoint', - redirectUri: 'mock_codeRedirectUri', - }); - - const system: SystemDto = new SystemDto({ - id: 'systemId', - type: 'oauth', - oauthConfig, - }); - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - }); - - const userMigrationDto: MigrationDto = new MigrationDto({ - redirect: 'https://mock.de/migration/succeed', - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - - const error: Error = new Error('testError'); - systemService.findById.mockResolvedValue(system); - userMigrationService.migrateUser.mockResolvedValue(userMigrationDto); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - authenticationService.removeJwtFromWhitelist.mockRejectedValue(error); - - return { - query, - cachedState, - error, - }; - }; - - it('should throw', async () => { - const { query, error, cachedState } = setupMigration(); - - const func = () => uc.migrate('jwt', 'currentUserId', query, cachedState); - - await expect(func).rejects.toThrow(error); - }); - }); - - describe('when migration failed', () => { - const setupMigration = () => { - const code = '43534543jnj543342jn2'; - - const query: AuthorizationParams = { code, state: 'state' }; - - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - }); - - const userMigrationFailedDto: MigrationDto = new MigrationDto({ - redirect: 'https://mock.de/dashboard', - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - userMigrationService.migrateUser.mockResolvedValue(userMigrationFailedDto); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - - return { - query, - cachedState, - }; - }; - - it('should return redirect to dashboard ', async () => { - const { query, cachedState } = setupMigration(); - - const result: MigrationDto = await uc.migrate('jwt', 'currentUserId', query, cachedState); - - expect(result.redirect).toStrictEqual('https://mock.de/dashboard'); - }); - }); - - describe('when external school and official school number is defined ', () => { - const setupMigration = () => { - const code = '43534543jnj543342jn2'; - - const query: AuthorizationParams = { code, state: 'state' }; - - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - externalSchool: { - externalId: 'mockId', - officialSchoolNumber: 'mockNumber', - name: 'mockName', - }, - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - - return { - query, - cachedState, - oauthData, - }; - }; - - it('should call schoolToMigrate', async () => { - const { oauthData, query, cachedState } = setupMigration(); - - await uc.migrate('jwt', 'currentUserId', query, cachedState); - - expect(schoolMigrationService.schoolToMigrate).toHaveBeenCalledWith( - 'currentUserId', - oauthData.externalSchool?.externalId, - oauthData.externalSchool?.officialSchoolNumber - ); - }); - }); - - describe('when external school and official school number is defined and school has to be migrated', () => { - const setupMigration = () => { - const code = '43534543jnj543342jn2'; - - const query: AuthorizationParams = { code, state: 'state' }; - - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - externalSchool: { - externalId: 'mockId', - officialSchoolNumber: 'mockNumber', - name: 'mockName', - }, - }); - - const userMigrationDto: MigrationDto = new MigrationDto({ - redirect: 'https://mock.de/migration/succeed', - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - const schoolToMigrate: LegacySchoolDo | void = legacySchoolDoFactory.build({ name: 'mockName' }); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - schoolMigrationService.schoolToMigrate.mockResolvedValue(schoolToMigrate); - userMigrationService.migrateUser.mockResolvedValue(userMigrationDto); - - return { - query, - cachedState, - oauthData, - schoolToMigrate, - }; - }; - - it('should call migrateSchool', async () => { - const { oauthData, query, cachedState, schoolToMigrate } = setupMigration(); - - await uc.migrate('jwt', 'currentUserId', query, cachedState); - - expect(schoolMigrationService.migrateSchool).toHaveBeenCalledWith( - oauthData.externalSchool?.externalId, - schoolToMigrate, - 'systemId' - ); - }); - }); - - describe('when external school and official school number is defined and school is already migrated', () => { - const setupMigration = () => { - const code = '43534543jnj543342jn2'; - - const query: AuthorizationParams = { code, state: 'state' }; - - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - externalSchool: { - externalId: 'mockId', - officialSchoolNumber: 'mockNumber', - name: 'mockName', - }, - }); - - const userMigrationDto: MigrationDto = new MigrationDto({ - redirect: 'https://mock.de/migration/succeed', - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - schoolMigrationService.schoolToMigrate.mockResolvedValue(null); - userMigrationService.migrateUser.mockResolvedValue(userMigrationDto); - - return { - query, - cachedState, - }; - }; - - it('should not call migrateSchool', async () => { - const { query, cachedState } = setupMigration(); - - await uc.migrate('jwt', 'currentUserId', query, cachedState); - - expect(schoolMigrationService.migrateSchool).not.toHaveBeenCalled(); - }); - }); - - describe('when external school is not defined', () => { - const setupMigration = () => { - const code = '43534543jnj543342jn2'; - - const query: AuthorizationParams = { code, state: 'state' }; - - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - }); - - const userMigrationDto: MigrationDto = new MigrationDto({ - redirect: 'https://mock.de/migration/succeed', - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - oauthService.authenticateUser.mockResolvedValue(tokenDto); - userMigrationService.migrateUser.mockResolvedValue(userMigrationDto); - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - - return { - query, - cachedState, - }; - }; - - it('should not call schoolToMigrate', async () => { - const { query, cachedState } = setupMigration(); - - await uc.migrate('jwt', 'currentUserId', query, cachedState); - - expect(schoolMigrationService.schoolToMigrate).not.toHaveBeenCalled(); - }); - }); - - describe('when official school number is not defined', () => { - const setupMigration = () => { - const code = '43534543jnj543342jn2'; - - const query: AuthorizationParams = { code, state: 'state' }; - - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - externalSchool: { - externalId: 'mockId', - name: 'mockName', - }, - }); - - const userMigrationDto: MigrationDto = new MigrationDto({ - redirect: 'https://mock.de/migration/succeed', - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - const error = new OAuthMigrationError( - 'Official school number from target migration system is missing', - 'ext_official_school_number_missing' - ); - - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - oauthService.authenticateUser.mockResolvedValue(tokenDto); - schoolMigrationService.schoolToMigrate.mockImplementation(() => { - throw error; - }); - userMigrationService.migrateUser.mockResolvedValue(userMigrationDto); - - return { - query, - cachedState, - error, - }; - }; - - it('should throw OAuthMigrationError', async () => { - const { query, cachedState, error } = setupMigration(); - - await expect(uc.migrate('jwt', 'currentUserId', query, cachedState)).rejects.toThrow(error); - }); - }); - }); - - describe('when state is mismatched', () => { - const setupMigration = () => { - const cachedState: OauthLoginStateDto = new OauthLoginStateDto({ - state: 'state', - systemId: 'systemId', - provider: 'mock_provider', - userLoginMigration: true, - }); - - const query: AuthorizationParams = { state: 'failedState' }; - - const externalUserId = 'externalUserId'; - - const oauthData: OauthDataDto = new OauthDataDto({ - system: new ProvisioningSystemDto({ - systemId: 'systemId', - provisioningStrategy: SystemProvisioningStrategy.SANIS, - }), - externalUser: new ExternalUserDto({ - externalId: externalUserId, - }), - }); - - const userMigrationDto: MigrationDto = new MigrationDto({ - redirect: 'https://mock.de/migration/succeed', - }); - - const tokenDto: OAuthTokenDto = new OAuthTokenDto({ - idToken: 'idToken', - refreshToken: 'refreshToken', - accessToken: 'accessToken', - }); - - oauthService.authenticateUser.mockResolvedValue(tokenDto); - userMigrationService.migrateUser.mockResolvedValue(userMigrationDto); - oauthService.requestToken.mockResolvedValue(tokenDto); - provisioningService.getData.mockResolvedValue(oauthData); - - return { - cachedState, - query, - }; - }; - - it('should throw an UnauthorizedException', async () => { - const { cachedState, query } = setupMigration(); - - const response = uc.migrate('jwt', 'currentUserId', query, cachedState); - - await expect(response).rejects.toThrow(UnauthorizedException); - }); - }); - }); -}); diff --git a/apps/server/src/modules/oauth/uc/oauth.uc.ts b/apps/server/src/modules/oauth/uc/oauth.uc.ts deleted file mode 100644 index c495e7be05d..00000000000 --- a/apps/server/src/modules/oauth/uc/oauth.uc.ts +++ /dev/null @@ -1,149 +0,0 @@ -import { Injectable, UnauthorizedException, UnprocessableEntityException } from '@nestjs/common'; -import { EntityId, LegacySchoolDo, UserDO } from '@shared/domain'; -import { ISession } from '@shared/domain/types/session'; -import { LegacyLogger } from '@src/core/logger'; -import { AuthenticationService } from '@modules/authentication/services/authentication.service'; -import { ProvisioningService } from '@modules/provisioning'; -import { OauthDataDto } from '@modules/provisioning/dto'; -import { SystemService } from '@modules/system'; -import { SystemDto } from '@modules/system/service/dto/system.dto'; -import { UserService } from '@modules/user'; -import { UserMigrationService } from '@modules/user-login-migration'; -import { SchoolMigrationService } from '@modules/user-login-migration/service'; -import { MigrationDto } from '@modules/user-login-migration/service/dto'; -import { nanoid } from 'nanoid'; -import { OauthCurrentUser } from '@modules/authentication/interface'; -import { AuthorizationParams } from '../controller/dto'; -import { OAuthTokenDto } from '../interface'; -import { OAuthProcessDto } from '../service/dto'; -import { OAuthService } from '../service/oauth.service'; -import { OauthLoginStateDto } from './dto/oauth-login-state.dto'; - -/** - * @deprecated remove after login via oauth moved to authentication module - */ -@Injectable() -export class OauthUc { - constructor( - private readonly oauthService: OAuthService, - private readonly authenticationService: AuthenticationService, - private readonly systemService: SystemService, - private readonly provisioningService: ProvisioningService, - private readonly userService: UserService, - private readonly userMigrationService: UserMigrationService, - private readonly schoolMigrationService: SchoolMigrationService, - private readonly logger: LegacyLogger - ) { - this.logger.setContext(OauthUc.name); - } - - async startOauthLogin( - session: ISession, - systemId: EntityId, - migration: boolean, - postLoginRedirect?: string - ): Promise { - const state = nanoid(16); - - const system: SystemDto = await this.systemService.findById(systemId); - if (!system.oauthConfig) { - throw new UnprocessableEntityException(`Requested system ${systemId} has no oauth configured`); - } - - const authenticationUrl: string = this.oauthService.getAuthenticationUrl(system.oauthConfig, state, migration); - - session.oauthLoginState = new OauthLoginStateDto({ - state, - systemId, - provider: system.oauthConfig.provider, - postLoginRedirect, - userLoginMigration: migration, - }); - - return authenticationUrl; - } - - async processOAuthLogin(cachedState: OauthLoginStateDto, code?: string, error?: string): Promise { - const { state, systemId, postLoginRedirect, userLoginMigration } = cachedState; - - this.logger.debug(`Oauth login process started. [state: ${state}, system: ${systemId}]`); - - const redirectUri: string = this.oauthService.getRedirectUri(userLoginMigration); - - const tokenDto: OAuthTokenDto = await this.oauthService.authenticateUser(systemId, redirectUri, code, error); - - const { user, redirect }: { user?: UserDO; redirect: string } = await this.oauthService.provisionUser( - systemId, - tokenDto.idToken, - tokenDto.accessToken, - postLoginRedirect - ); - - this.logger.debug(`Generating jwt for user. [state: ${state}, system: ${systemId}]`); - - let jwt: string | undefined; - if (user && user.id) { - jwt = await this.getJwtForUser(user.id); - } - - const response = new OAuthProcessDto({ - jwt, - redirect, - }); - - return response; - } - - async migrate( - userJwt: string, - currentUserId: string, - query: AuthorizationParams, - cachedState: OauthLoginStateDto - ): Promise { - const { state, systemId, userLoginMigration } = cachedState; - - if (state !== query.state) { - throw new UnauthorizedException(`Invalid state. Got: ${query.state} Expected: ${state}`); - } - - const redirectUri: string = this.oauthService.getRedirectUri(userLoginMigration); - - const tokenDto: OAuthTokenDto = await this.oauthService.authenticateUser( - systemId, - redirectUri, - query.code, - query.error - ); - - const data: OauthDataDto = await this.provisioningService.getData(systemId, tokenDto.idToken, tokenDto.accessToken); - - if (data.externalSchool) { - const schoolToMigrate: LegacySchoolDo | null = await this.schoolMigrationService.schoolToMigrate( - currentUserId, - data.externalSchool.externalId, - data.externalSchool.officialSchoolNumber - ); - if (schoolToMigrate) { - await this.schoolMigrationService.migrateSchool(data.externalSchool.externalId, schoolToMigrate, systemId); - } - } - - const migrationDto: MigrationDto = await this.userMigrationService.migrateUser( - currentUserId, - data.externalUser.externalId, - systemId - ); - - await this.authenticationService.removeJwtFromWhitelist(userJwt); - - return migrationDto; - } - - private async getJwtForUser(userId: EntityId): Promise { - const oauthCurrentUser: OauthCurrentUser = await this.userService.getResolvedUser(userId); - - const { accessToken } = await this.authenticationService.generateJwt(oauthCurrentUser); - - return accessToken; - } -} From 6c8171a4b31df518d93594250314dd68025fa07c Mon Sep 17 00:00:00 2001 From: Arne Gnisa Date: Mon, 13 Nov 2023 09:44:40 +0100 Subject: [PATCH 6/6] N21-1456 fixes test --- .../modules/oauth/controller/oauth-sso.controller.spec.ts | 5 ----- 1 file changed, 5 deletions(-) diff --git a/apps/server/src/modules/oauth/controller/oauth-sso.controller.spec.ts b/apps/server/src/modules/oauth/controller/oauth-sso.controller.spec.ts index 3d1a470e227..c42eeb22e24 100644 --- a/apps/server/src/modules/oauth/controller/oauth-sso.controller.spec.ts +++ b/apps/server/src/modules/oauth/controller/oauth-sso.controller.spec.ts @@ -8,7 +8,6 @@ import { HydraOauthUc } from '@modules/oauth/uc/hydra-oauth.uc'; import { Request } from 'express'; import { OauthSSOController } from './oauth-sso.controller'; import { StatelessAuthorizationParams } from './dto/stateless-authorization.params'; -import { OauthUc } from '../uc'; describe('OAuthController', () => { let module: TestingModule; @@ -52,10 +51,6 @@ describe('OAuthController', () => { provide: LegacyLogger, useValue: createMock(), }, - { - provide: OauthUc, - useValue: createMock(), - }, { provide: HydraOauthUc, useValue: createMock(),