From 35240c236130b4001000e255ee86603e4cb1b450 Mon Sep 17 00:00:00 2001
From: Roberta Miccoli <85555840+rmiccoli@users.noreply.github.com>
Date: Tue, 17 Dec 2024 11:19:50 +0100
Subject: [PATCH] Find account by certificate sub and iss in VOMS AA (#897)
---
 .../impl/DefaultIamVomsAccountResolver.java | 28 ++++++++++++-------
 .../it/infn/mw/voms/config/VomsConfig.java | 6 ++--
 2 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/iam-voms-aa/src/main/java/it/infn/mw/voms/aa/impl/DefaultIamVomsAccountResolver.java b/iam-voms-aa/src/main/java/it/infn/mw/voms/aa/impl/DefaultIamVomsAccountResolver.java
index b12e11841..590779d9e 100644
--- a/iam-voms-aa/src/main/java/it/infn/mw/voms/aa/impl/DefaultIamVomsAccountResolver.java
+++ b/iam-voms-aa/src/main/java/it/infn/mw/voms/aa/impl/DefaultIamVomsAccountResolver.java
@@ -18,24 +18,32 @@
 import java.util.Optional;
 import it.infn.mw.iam.persistence.model.IamAccount;
-import it.infn.mw.iam.persistence.repository.IamAccountRepository;
+import it.infn.mw.iam.persistence.model.IamX509Certificate;
+import it.infn.mw.iam.persistence.repository.IamX509CertificateRepository;
 import it.infn.mw.voms.aa.VOMSRequestContext;
 public class DefaultIamVomsAccountResolver implements IamVOMSAccountResolver {
- IamAccountRepository accountRepo;
-
- public DefaultIamVomsAccountResolver(IamAccountRepository repo) {
- this.accountRepo = repo;
+ IamX509CertificateRepository certificateRepo;
+
+ public DefaultIamVomsAccountResolver(IamX509CertificateRepository repo) {
+ this.certificateRepo = repo;
 }
-
+
 @Override
 public Optional resolveAccountFromRequest(VOMSRequestContext requestContext) {
-
+
 String certificateSubject = requestContext.getRequest().getRequesterSubject();
-
- return accountRepo.findByCertificateSubject(certificateSubject);
-
+ String certificateIssuer = requestContext.getRequest().getRequesterIssuer();
+
+ Optional cert =
+ certificateRepo.findBySubjectDnAndIssuerDn(certificateSubject, certificateIssuer);
+
+ if (cert.isEmpty()) {
+ return Optional.empty();
+ }
+ return Optional.ofNullable(cert.get().getAccount());
+
 }
 }
diff --git a/iam-voms-aa/src/main/java/it/infn/mw/voms/config/VomsConfig.java b/iam-voms-aa/src/main/java/it/infn/mw/voms/config/VomsConfig.java
index 0bcb89506..2c046aca2 100644
--- a/iam-voms-aa/src/main/java/it/infn/mw/voms/config/VomsConfig.java
+++ b/iam-voms-aa/src/main/java/it/infn/mw/voms/config/VomsConfig.java
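Review bot: `certificateSubject` and `certificateIssuer` go from the request straight into `findBySubjectDnAndIssuerDn` in `resolveAccountFromRequest` with no null or blank check, so what a request without an issuer resolves to depends on how the repository query treats a null argument, which is not visible here. Since this lookup decides which account the attribute authority answers for, I would fail closed before querying: `if (certificateSubject == null || certificateIssuer == null) { return Optional.empty(); }`. The match also looks like an exact string comparison, so it is worth confirming that the DNs taken from the request use the same string form as the stored values, and adding a test in which a known subject presented under a different issuer resolves to no account. The tail can then be written as `return cert.map(IamX509Certificate::getAccount);`, which already yields an empty Optional when the certificate has no account.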
@@ -32,7 +32,7 @@
 import it.infn.mw.iam.authn.x509.IamX509AuthenticationProvider;
 import it.infn.mw.iam.authn.x509.IamX509AuthenticationUserDetailService;
 import it.infn.mw.iam.authn.x509.InactiveAccountAuthenticationHander;
-import it.infn.mw.iam.persistence.repository.IamAccountRepository;
+import it.infn.mw.iam.persistence.repository.IamX509CertificateRepository;
 import it.infn.mw.voms.aa.AttributeAuthority;
 import it.infn.mw.voms.aa.ac.ACGenerator;
 import it.infn.mw.voms.aa.ac.ThreadLocalACGenerator;
@@ -97,8 +97,8 @@ ACGenerator acGenerator(PEMCredential aaCredential) {
 }
 @Bean
- IamVOMSAccountResolver iamAccountResolver(IamAccountRepository accountRepo) {
- return new DefaultIamVomsAccountResolver(accountRepo);
+ IamVOMSAccountResolver iamAccountResolver(IamX509CertificateRepository certificateRepo) {
+ return new DefaultIamVomsAccountResolver(certificateRepo);
 }
 @Bean