Add AUP expiry notice property

indigo-iam · Oct 18, 2023 · 47a0ba7 · 47a0ba7
1 parent 92ea8a0
commit 47a0ba7
Show file tree

Hide file tree

Showing 8 changed files with 83 additions and 58 deletions.
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/EnforceAupSignatureSuccessHandler.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/EnforceAupSignatureSuccessHandler.java
@@ -27,12 +27,12 @@
 import javax.servlet.http.HttpSession;
 
 import org.mitre.openid.connect.web.AuthenticationTimeStamper;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 
 import it.infn.mw.iam.api.account.AccountUtils;
+import it.infn.mw.iam.config.IamProperties;
 import it.infn.mw.iam.core.util.IamAuthenticationLogger;
 import it.infn.mw.iam.persistence.model.IamAccount;
 import it.infn.mw.iam.persistence.repository.IamAccountRepository;
@@ -41,20 +41,20 @@
 @SuppressWarnings("deprecation")
 public class EnforceAupSignatureSuccessHandler implements AuthenticationSuccessHandler {
 
-  @Value("${iam.aup.advance-notice}")
-  private int EXPIRY_NOTICE_DAYS = 5;
-
   private final AuthenticationSuccessHandler delegate;
   private final AUPSignatureCheckService service;
   private final AccountUtils accountUtils;
   private final IamAccountRepository accountRepo;
+  private final IamProperties iamProperties;
 
   public EnforceAupSignatureSuccessHandler(AuthenticationSuccessHandler delegate,
-      AUPSignatureCheckService service, AccountUtils utils, IamAccountRepository accountRepo) {
+      AUPSignatureCheckService service, AccountUtils utils, IamAccountRepository accountRepo,
+      IamProperties iamProperties) {
     this.delegate = delegate;
     this.service = service;
     this.accountUtils = utils;
     this.accountRepo = accountRepo;
+    this.iamProperties = iamProperties;
   }
 
   private Optional<Authentication> resolveUserAuthentication(Authentication auth) {

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/IamConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/IamConfig.java
@@ -241,10 +241,9 @@ PasswordEncoder passwordEncoder() {
 
   @Bean
   FilterRegistrationBean<EnforceAupFilter> aupSignatureCheckFilter(AUPSignatureCheckService service,
-      AccountUtils utils, IamAupRepository repo) {
-    EnforceAupFilter aupFilter = new EnforceAupFilter(service, utils, repo);
-    FilterRegistrationBean<EnforceAupFilter> frb =
-        new FilterRegistrationBean<>(aupFilter);
+      AccountUtils utils, IamAupRepository repo, IamProperties iamProperties) {
+    EnforceAupFilter aupFilter = new EnforceAupFilter(service, utils, repo, iamProperties);
+    FilterRegistrationBean<EnforceAupFilter> frb = new FilterRegistrationBean<>(aupFilter);
     frb.setOrder(Ordered.LOWEST_PRECEDENCE);
     return frb;
   }

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/IamProperties.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/IamProperties.java
@@ -87,15 +87,12 @@ public void setPassword(String password) {
 
   }
 
-
   public static class ExternalConnectivityProbeProperties {
 
     private boolean enabled = true;
-
     private String endpoint = "https://www.google.com";
     private int timeoutInSecs = 10;
 
-
     public boolean isEnabled() {
       return enabled;
     }
@@ -287,7 +284,18 @@ public void setAllowCompleteVerificationUri(Boolean allowCompleteVerificationUri
       this.allowCompleteVerificationUri = allowCompleteVerificationUri;
     }
 
+  }
+
+  public static class AupProperties {
+    private int expiryNoticeDays;
+
+    public int getExpiryNoticeDays() {
+      return expiryNoticeDays;
+    }
 
+    public void setExpiryNoticeDays(int expiryNoticeDays) {
+      this.expiryNoticeDays = expiryNoticeDays;
+    }
   }
 
   public static class JWKProperties {
@@ -536,6 +544,8 @@ public void setLocation(String location) {
 
   private JWKProperties jwk = new JWKProperties();
 
+  private AupProperties aup = new AupProperties();
+
   private DeviceCodeProperties deviceCode = new DeviceCodeProperties();
 
   private boolean generateDdlSqlScript = false;
@@ -678,6 +688,14 @@ public JWKProperties getJwk() {
     return jwk;
   }
 
+  public void setAup(AupProperties aup) {
+    this.aup = aup;
+  }
+
+  public AupProperties getAup() {
+    return aup;
+  }
+
   public void setDeviceCode(DeviceCodeProperties deviceCode) {
     this.deviceCode = deviceCode;
   }

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/oidc/OidcConfiguration.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/oidc/OidcConfiguration.java
@@ -72,6 +72,7 @@
 import it.infn.mw.iam.authn.oidc.service.NullClientConfigurationService;
 import it.infn.mw.iam.authn.oidc.service.OidcUserDetailsService;
 import it.infn.mw.iam.authn.util.SessionTimeoutHelper;
+import it.infn.mw.iam.config.IamProperties;
 import it.infn.mw.iam.core.IamThirdPartyIssuerService;
 import it.infn.mw.iam.persistence.repository.IamAccountRepository;
 import it.infn.mw.iam.service.aup.AUPSignatureCheckService;
@@ -91,6 +92,9 @@ public class OidcConfiguration {
   @Autowired
   private AccountUtils accountUtils;
 
+  @Autowired
+  private IamProperties iamProperties;
+
   public static final String DEFINE_ME_PLEASE = "define_me_please";
 
   @Bean
@@ -155,7 +159,7 @@ public AuthenticationSuccessHandler successHandler() {
         new RootIsDashboardSuccessHandler(iamBaseUrl, new HttpSessionRequestCache());
 
     EnforceAupSignatureSuccessHandler successHandler = new EnforceAupSignatureSuccessHandler(sa,
-        aupSignatureCheckService, accountUtils, accountRepo);
+        aupSignatureCheckService, accountUtils, accountRepo, iamProperties);
 
     return new ExternalAuthenticationSuccessHandler(successHandler, "/");
   }
@@ -169,11 +173,12 @@ public AuthenticationManager authenticationManager(
   @Bean
   public OIDCAuthenticationProvider openIdConnectAuthenticationProvider(Clock clock,
       OidcUserDetailsService userDetailService, UserInfoFetcher userInfoFetcher,
-      AuthenticationValidator<OIDCAuthenticationToken> validator, SessionTimeoutHelper timeoutHelper) {
+      AuthenticationValidator<OIDCAuthenticationToken> validator,
+      SessionTimeoutHelper timeoutHelper) {
 
     OidcAuthenticationProvider provider =
         new OidcAuthenticationProvider(userDetailService, validator, timeoutHelper);
-    
+
     provider.setUserInfoFetcher(userInfoFetcher);
 
     return provider;

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/SamlConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/SamlConfig.java
@@ -724,8 +724,8 @@ public AuthenticationSuccessHandler samlAuthenticationSuccessHandler() {
     RootIsDashboardSuccessHandler sa = new RootIsDashboardSuccessHandler(iamProperties.getBaseUrl(),
         new HttpSessionRequestCache());
 
-    EnforceAupSignatureSuccessHandler aup =
-        new EnforceAupSignatureSuccessHandler(sa, aupSignatureCheckService, accountUtils, repo);
+    EnforceAupSignatureSuccessHandler aup = new EnforceAupSignatureSuccessHandler(sa,
+        aupSignatureCheckService, accountUtils, repo, iamProperties);
 
     return new ExternalAuthenticationSuccessHandler(aup, "/");
   }

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/security/IamWebSecurityConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/security/IamWebSecurityConfig.java
@@ -195,7 +195,7 @@ public AuthenticationSuccessHandler successHandler() {
           new RootIsDashboardSuccessHandler(iamBaseUrl, new HttpSessionRequestCache());
 
       return new EnforceAupSignatureSuccessHandler(delegate, aupSignatureCheckService, accountUtils,
-          accountRepo);
+          accountRepo, iamProperties);
     }
   }
 

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/aup/EnforceAupFilter.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/aup/EnforceAupFilter.java
@@ -34,12 +34,12 @@
 
 import it.infn.mw.iam.api.account.AccountUtils;
 import it.infn.mw.iam.api.aup.error.AupNotFoundError;
+import it.infn.mw.iam.config.IamProperties;
 import it.infn.mw.iam.persistence.model.IamAccount;
 import it.infn.mw.iam.persistence.model.IamAup;
 import it.infn.mw.iam.persistence.repository.IamAupRepository;
 import it.infn.mw.iam.service.aup.AUPSignatureCheckService;
 
-
 public class EnforceAupFilter implements Filter {
 
   public static final Logger LOG = LoggerFactory.getLogger(EnforceAupFilter.class);
@@ -54,26 +54,26 @@ public class EnforceAupFilter implements Filter {
   final AccountUtils accountUtils;
   final IamAupRepository aupRepo;
 
+  private final IamProperties iamProperties;
 
   public EnforceAupFilter(AUPSignatureCheckService signatureCheckService, AccountUtils accountUtils,
-      IamAupRepository aupRepo) {
+      IamAupRepository aupRepo, IamProperties iamProperties) {
     this.signatureCheckService = signatureCheckService;
     this.accountUtils = accountUtils;
     this.aupRepo = aupRepo;
+    this.iamProperties = iamProperties;
   }
 
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
     // Empty method
   }
 
-
   public boolean sessionOlderThanAupCreation(HttpSession session) {
     IamAup aup = aupRepo.findDefaultAup().orElseThrow(AupNotFoundError::new);
     return session.getCreationTime() < aup.getCreationTime().getTime();
   }
 
-
   @Override
   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
       throws IOException, ServletException {