diff --git a/CHANGELOG.md b/CHANGELOG.md index 6591ec6f4..01ec199c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,46 @@ # Changelog +## 1.0.0 (2017-8-31) + +This release provides improvements, bug fixes and new features: + +- IAM now supports hierarchical groups. The SCIM group management API has been + extended to support nested group creation and listing, and the IAM dashboard + can now leverage these new API functions (#88) +- IAM now supports native X.509 authentication (#119) and the ability to + link/unlink X.509 certificates to a user membership (#120) +- IAM now supports configurable on-demand account provisioning for trusted SAML + IDPs; this means that the IAM can be configured to automatically on-board + users from a trusted IdP/federation after a succesfull external + authentication (i.e. no former registration or administration approval is + required to on-board users) (#130) +- IAM now provides an enhanced token management and revocation API that can be + used by IAM administrators to see and revoke active tokens in the system (#121) +- Account linking can be now be disabled via a configuration option (#142) +- IAM dashboard now correctly displays valid active access tokens for a user + (#112) +- A problem that caused IAM registration access tokens to expire after the + first use has been fixed (#134) +- IAM now provides an endpoint than can be used to monitor the service + connectivity to external service (ie. Google) (#150) +- Improved SAML metadata handling (#146) and reloading (#115) +- Account linking can now be disabled via a configuration option (#142) +- The IAM audit log now provides fine-grained information for many events + (#137) +- The IAM token introspection endpoint now correctly supports HTTP form + authentication (#149) +- Notes in registration requests are now required (#114) to make life easier + for VO administrators that wants to understand the reason for a registration + request +- Password reset emails now contain the username of the user that has requested + the password reset (#108) +- A stronger SAML account linking logic is now in place (#116) +- Starting from this release, we provide RPM and Deb packages (#110) and a + puppet module to configure the IAM service (#109) +- The spring-boot dependency has been updated to version 1.3.8.RELEASE (#144) +- An issue that prevented access to the token revocation endpoint has been + fixed (#159) + ## 0.6.0 (2017-3-31) This release provides improvements and bug fixes: diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 000000000..532804b7e --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,135 @@ +#!/usr/bin/env groovy + +pipeline { + + agent { label 'maven' } + + options { + timeout(time: 1, unit: 'HOURS') + buildDiscarder(logRotator(numToKeepStr: '5')) + } + + parameters { + choice(name: 'RUN_SONAR', choices: 'yes\nno', description: 'Run Sonar static analysis') + } + + stages { + stage('checkout') { + steps { + deleteDir() + checkout scm + stash name: 'code', useDefaultExcludes: false + } + } + + stage('build') { + steps { + sh 'mvn -B clean compile' + } + } + + stage('test') { + steps { + sh 'mvn -B clean test' + } + + post { + always { + junit '**/target/surefire-reports/TEST-*.xml' + } + } + } + + stage('PR analysis'){ + when{ + not { + environment name: 'CHANGE_URL', value: '' + } + } + steps { + script{ + def tokens = "${env.CHANGE_URL}".tokenize('/') + def organization = tokens[tokens.size()-4] + def repo = tokens[tokens.size()-3] + + withCredentials([string(credentialsId: '630f8e6c-0d31-4f96-8d82-a1ef536ef059', variable: 'GITHUB_ACCESS_TOKEN')]) { + withSonarQubeEnv{ + sh """ + mvn -B -U clean compile sonar:sonar \\ + -Dsonar.analysis.mode=preview \\ + -Dsonar.github.pullRequest=${env.CHANGE_ID} \\ + -Dsonar.github.repository=${organization}/${repo} \\ + -Dsonar.github.oauth=${GITHUB_ACCESS_TOKEN} \\ + -Dsonar.host.url=${SONAR_HOST_URL} \\ + -Dsonar.login=${SONAR_AUTH_TOKEN} + """ + } + } + } + } + } + + stage('analysis'){ + when{ + expression { + return "yes" == "${params.RUN_SONAR}" + } + anyOf { branch 'master'; branch 'develop' } + environment name: 'CHANGE_URL', value: '' + } + steps { + script{ + def cobertura_opts = 'cobertura:cobertura -Dmaven.test.failure.ignore -DfailIfNoTests=false -Dcobertura.report.format=xml' + def checkstyle_opts = 'checkstyle:check -Dcheckstyle.config.location=google_checks.xml' + + withSonarQubeEnv{ + sh "mvn clean -U ${cobertura_opts} ${checkstyle_opts} ${SONAR_MAVEN_GOAL} -Dsonar.host.url=${SONAR_HOST_URL} -Dsonar.login=${SONAR_AUTH_TOKEN}" + } + } + } + } + + stage('package') { + steps { + sh 'mvn -B -DskipTests=true clean package' + archive 'iam-login-service/target/iam-login-service.war' + archive 'iam-login-service/target/classes/iam.version.properties' + archive 'iam-test-client/target/iam-test-client.jar' + stash includes: 'iam-login-service/target/iam-login-service.war,iam-login-service/target/classes/iam.version.properties,iam-test-client/target/iam-test-client.jar', name: 'iam-artifacts' + } + } + + stage('docker-images') { + agent { label 'docker' } + steps { + deleteDir() + unstash 'code' + unstash 'iam-artifacts' + sh ''' + sed -i -e 's#iam\\.version#IAM_VERSION#' iam-login-service/target/classes/iam.version.properties + source iam-login-service/target/classes/iam.version.properties + export IAM_LOGIN_SERVICE_VERSION="v${IAM_VERSION}" + + /bin/bash iam-login-service/docker/build-prod-image.sh + /bin/bash iam-login-service/docker/push-prod-image.sh + /bin/bash iam-test-client/docker/build-prod-image.sh + /bin/bash iam-test-client/docker/push-prod-image.sh + ''' + } + } + } + + post { + success { + slackSend channel: "#iam", color: 'good', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Success (<${env.BUILD_URL}|Open>)" + } + + unstable { + slackSend channel: "#iam", color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Unstable (<${env.BUILD_URL}|Open>)" + } + + failure { + slackSend channel: "#iam", color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Failure (<${env.BUILD_URL}|Open>)" + } + } +} diff --git a/debian/etc/default/iam-login-service b/debian/etc/default/iam-login-service new file mode 100644 index 000000000..b9cd24917 --- /dev/null +++ b/debian/etc/default/iam-login-service @@ -0,0 +1,37 @@ +# Java VM arguments +IAM_JAVA_OPTS=-Dspring.profiles.active=prod,registration + +# Generic options +IAM_BASE_URL=https://iam.example.org +IAM_ISSUER=https://iam.example.org/ +IAM_USE_FORWARDED_HEADERS=true +#IAM_KEY_STORE_LOCATION=file:///var/lib/indigo/iam-login-service/keystore.jks +IAM_ORGANISATION_NAME=indigo-dc + +# Database connection settings +IAM_DB_HOST=localhost +IAM_DB_PORT=3306 +IAM_DB_NAME=iam_login_service +IAM_DB_USERNAME=iam +IAM_DB_PASSWORD=iam_login_service +IAM_DB_VALIDATION_QUERY=SELECT 1 + +## Google profile settings +#IAM_GOOGLE_CLIENT_ID=define_me_please +#IAM_GOOGLE_CLIENT_SECRET=define_me_please +#IAM_GOOGLE_REDIRECT_URIS=https://iam.example.org/openid_connect_login + +## SAML profile settings +#IAM_SAML_ENTITY_ID=https://localhost +#IAM_SAML_KEYSTORE=file:///var/lib/indigo/iam/iam-login-service/example.ks +#IAM_SAML_KEYSTORE_PASSWORD=define_me_please +#IAM_SAML_KEY_ID=define_me_please +#IAM_SAML_KEY_PASSWORD=define_me_please +#IAM_SAML_IDP_METADATA=file:///var/lib/indigo/iam-login-service/example-metadata-sha256.xml + +# Notification settings +#IAM_NOTIFICATION_DISABLE=true +#IAM_NOTIFICATION_FROM=iam@example.org +#IAM_NOTIFICATION_TASK_DELAY=5000 +#IAM_NOTIFICATION_ADMIN_ADDRESS=iam-support@example.org +#IAM_MAIL_HOST=smtp.example.org diff --git a/debian/lib/systemd/system/iam-login-service.service b/debian/lib/systemd/system/iam-login-service.service new file mode 100644 index 000000000..8b58d1837 --- /dev/null +++ b/debian/lib/systemd/system/iam-login-service.service @@ -0,0 +1,13 @@ +[Unit] +Description=INDIGO IAM Service +After=syslog.target network.target + +[Service] +EnvironmentFile=/etc/default/iam-login-service +WorkingDirectory=/var/lib/indigo/iam-login-service +ExecStart=/usr/bin/java ${IAM_JAVA_OPTS} -jar iam-login-service.war +KillMode=process +User=iam + +[Install] +WantedBy=multi-user.target diff --git a/docker-compose.yml b/docker-compose.yml index 10ca7c857..e8ec9b98d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -35,7 +35,7 @@ services: dockerfile: ./iam-login-service/docker/Dockerfile environment: - IAM_JAVA_OPTS: -Xdebug -Xrunjdwp:server=y,transport=dt_socket,suspend=n,address=1044 -Dspring.profiles.active=mysql-test + IAM_JAVA_OPTS: -Djava.security.egd=file:/dev/./urandom -Xdebug -Xrunjdwp:server=y,transport=dt_socket,suspend=n,address=1044 -Dspring.profiles.active=mysql-test -Dlogging.level.it.infn.mw.iam.authn.x509=DEBUG IAM_JAR: /code/iam-login-service/target/iam-login-service.war IAM_BASE_URL: https://iam.local.io IAM_ISSUER: https://iam.local.io diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile index fbce89f2e..260a83ef0 100644 --- a/docker/nginx/Dockerfile +++ b/docker/nginx/Dockerfile @@ -1,6 +1,11 @@ FROM nginx COPY ./wait-for-it.sh / RUN chmod +x /wait-for-it.sh -COPY nginx.conf /etc/nginx/conf.d/default.conf +RUN apt-get update && apt-get install -y ca-certificates && apt-get clean all +COPY INFN-CA-2015.pem /usr/local/share/ca-certificates/INFN-CA-2015.crt +COPY igi-test-ca.pem /usr/local/share/ca-certificates/igi-test-ca.crt +COPY nginx.conf /etc/nginx/ +COPY iam.conf /etc/nginx/conf.d/default.conf COPY iam.key.pem /etc/ssl/private/ COPY iam.cert.pem /etc/ssl/certs/ +RUN update-ca-certificates diff --git a/docker/nginx/INFN-CA-2015.pem b/docker/nginx/INFN-CA-2015.pem new file mode 100644 index 000000000..fad0bf049 --- /dev/null +++ b/docker/nginx/INFN-CA-2015.pem @@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFwjCCA6qgAwIBAgIJALMmAsZ9SSYnMA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV +BAYTAklUMQ0wCwYDVQQKEwRJTkZOMSUwIwYDVQQDExxJTkZOIENlcnRpZmljYXRp +b24gQXV0aG9yaXR5MB4XDTE1MTAwNjEwMjIwNVoXDTMwMTAwNjEwMjIwNVowQzEL +MAkGA1UEBhMCSVQxDTALBgNVBAoTBElORk4xJTAjBgNVBAMTHElORk4gQ2VydGlm +aWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQDiXdR7kfK7dqc5tQCDZ3YKD89FizGFho2pBxzddUmjVEbEBeOmG//zK4FmBku8 +3STid3YmYOcMMf8C0nAVGktdjw2hqYVjP+pw7mnmWFog/mNMkw/Q7/avLeoiY8I+ +pJtWKPCbhTZInK59k/KcLs7brauV4+fBBp2vscOpM8j4Y6TH7MAJLsrYddzgxCoE +IvjZ5cRXcPHDN7n2WhojN70XtlQfhYNjUlSGIoqdVXOEKVBEG74Olg888AGeoFPx +Sc5FaLlM0GeKLgRYYtDUu8tGMdhMdCTgRT515P36v41P7K4wZGMexRb4l7BMHVNf +ljlVqjr8L2f2g4Dy21HZDDlFfcoq6VzltcDpF3s8o5/r3eQiGVWTSS1JXJpXLJTc +dvj4q6hPQEsdkyH2aqcvS06N2XWWG27np0JzVsipAP9WRYyLAJO+ETtwOOvqtakF +7JrP0Nb6jySRPy/QmfY+jKmwf6hJ3WHq/8/6Gr1VRTq0si+ZC46nY89pYf++QLKk +cge7uKvddxepoLV93Hx/GMGc96jAtD/R4XcRfRjO/1+9rwBOXZNLeNVoD5eCj+Ad +NDF1ML/Ya8Gv3AOVJNcyAcM145VbFphZwkSTh3M9DRBKTqyQIBVVAF75cpkU13qa +dQBQQOhiFAZCSSxLG6Iq0lW5KsfQqHd13XaSorPIV/p80wIDAQABo4G4MIG1MA8G +A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRDjE3+7JbK +6e8KpH3BnQLln72WgDBzBgNVHSMEbDBqgBRDjE3+7JbK6e8KpH3BnQLln72WgKFH +pEUwQzELMAkGA1UEBhMCSVQxDTALBgNVBAoTBElORk4xJTAjBgNVBAMTHElORk4g +Q2VydGlmaWNhdGlvbiBBdXRob3JpdHmCCQCzJgLGfUkmJzANBgkqhkiG9w0BAQsF +AAOCAgEAz0nec0stGy30+hNRN52Ni5YYCMFFoX4aD7LdrWt+MT86i4UFzvPRwvOp +bPcPC63sjQbP+jePgFXsmEaPkDKuf0x344lNyAgIU+JFWinc4gv4nN5oHfuSXG6J +UTfYLHaVuPahKeHUUpBOytyOMDRKG+FlGOxQvhnohhjUwBffbu1FIu993+d0w2GC +9Z4zT+GUKSlviOUYbzctDuG0D8FVWJK7L5SsjFSPSfCJlbWKGmdpDNV2vNzkaHsA +dQ13WqxE8b0JTHdpS3vsrvfSehY4IG4Fj2HqsDE/dflH3gcJb5l4ls8kcA53YRG2 +NDTjvjdq3tv5AlYJzHKcxq1vhUmVx1vkg1aYNgcV8m8wkPhsnQuTdiQm8EA3ItOO +RNYawfuVeS021RXwRL290HFIlfwm6imRmlKepGvJBWbrVdrrLCq4s5UPjcxnQnZE +tapQPUtfV1m9V/T69h5jrfVy1nMM4WWA6MVPljlol1k72jArm+oXvoEvDiNfj2qj +gfvV03R4GXxP+0EWFXac4tiFFu6YC4Hu7ou38tnnW/nx+xurvnsxIW7ZDaLGKCd+ +VJmb+qhU3NJvDPGjDuksXp0idfhbK6R2dFz7UFS1DYdRit7jeZpou5D4LaIL0CQ/ +KjUrC7M6W+Zhicc0ihbwb03ppLv9/vbj06MY4+HMivKiK1oxd+Q= +-----END CERTIFICATE----- diff --git a/docker/nginx/iam.conf b/docker/nginx/iam.conf new file mode 100644 index 000000000..6ea27e1a8 --- /dev/null +++ b/docker/nginx/iam.conf @@ -0,0 +1,44 @@ +server { + listen 443 ssl; + server_name iam.local.io; + access_log /var/log/nginx/iam_local_io.access.log combined_ssl; + + ssl on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_certificate /etc/ssl/certs/iam.cert.pem; + ssl_certificate_key /etc/ssl/private/iam.key.pem; + ssl_client_certificate /etc/ssl/certs/ca-certificates.crt; + ssl_verify_client optional; + ssl_verify_depth 5; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + + location / { + proxy_pass http://iam-be:8080; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + + # TLS stuff + + proxy_set_header X-SSL-Client-Cert $ssl_client_cert; + proxy_set_header X-SSL-Client-I-Dn $ssl_client_i_dn; + proxy_set_header X-SSL-Client-S-Dn $ssl_client_s_dn; + proxy_set_header X-SSL-Client-Serial $ssl_client_serial; + proxy_set_header X-SSL-Client-V-Start $ssl_client_v_start; + proxy_set_header X-SSL-Client-V-End $ssl_client_v_end; + proxy_set_header X-SSL-Client-Verify $ssl_client_verify; + proxy_set_header X-SSL-Protocol $ssl_protocol; + proxy_set_header X-SSL-Server-Name $ssl_server_name; + } + + location /iam-test-client { + proxy_pass http://client:8080/iam-test-client; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + } +} diff --git a/docker/nginx/igi-test-ca.pem b/docker/nginx/igi-test-ca.pem new file mode 100644 index 000000000..19906b3bf --- /dev/null +++ b/docker/nginx/igi-test-ca.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIJAMzDwAv7o5VUMA0GCSqGSIb3DQEBBQUAMC0xCzAJBgNV +BAYTAklUMQwwCgYDVQQKDANJR0kxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTIwOTI2 +MTUwMDU0WhcNMjIwOTI0MTUwMDU0WjAtMQswCQYDVQQGEwJJVDEMMAoGA1UECgwD +SUdJMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA9u4Fgtj7YpMRql3NAasEUmP6Byv/CH+dPZNzSxfNCMOPqARLBWS/2Ora +m5cRpoBByT0LpjDCFBJhLrBKvCvmWOTfS1jYsQwSpC/5scButthlcNOhLKQSZblS +8Pa7HoFS4zQFwCwWOYbOLF+FblYRgSY30WMi361giydeV8iei8KNH2FIoDyo9kjV +gYQKp76LFv7urGhc5sHA+HWq7+AfyivtZC+a55Rw6EHXOQ+vih5TPXa1t5RL7IkY +4U7Ld5ExptBIDx0UkSihYexAY4RGXVUaq535dGtJQ8/NYMrJ5NMGt2X0bRszArnE +EKc/qdAcgcalgoiaZtVkq45eXADXzwIDAQABo4GiMIGfMB0GA1UdDgQWBBSRdzZ7 +LrRp8yfqt/YIi0ojohFJxjBdBgNVHSMEVjBUgBSRdzZ7LrRp8yfqt/YIi0ojohFJ +xqExpC8wLTELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVz +dCBDQYIJAMzDwAv7o5VUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG +MA0GCSqGSIb3DQEBBQUAA4IBAQB379cvZmfCLvGdoGbW+6ppDNy3pT9hqYmZAlfV +FGZSEaTKjGCbPuErUNC6+7zhij5CmMtMRhccI3JswjPHPQGm12jiEC492J6Avj/x +PL8vcBRofe4whXefDVgUw8G1nkQYr2BF0jzeiN72ToISGMbt/q94QV70lYCo/Tog +UQQ6F+XhztffxQyRgsUXhR4qq1D4h7UifqfQGBzknS23RMLQUdKXG4MhTLMVmxJC +uY9Oi0It3hk9Qtn0nlZ7rvo5weJGxuRBbZ85Nvw2tIhH7G2osc6zqmHTmUAR4FXb +l8/ElwGVrURMMuJLDbISVXjBNFuVOS2BdlyEe4x5kfQAWITZ +-----END CERTIFICATE----- diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf index 2d8f91171..28531501d 100644 --- a/docker/nginx/nginx.conf +++ b/docker/nginx/nginx.conf @@ -1,27 +1,37 @@ -server { - listen 443 ssl; - server_name iam.local.io; - access_log /var/log/nginx/iam_local_io.access.log combined; - - ssl on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_certificate /etc/ssl/certs/iam.cert.pem; - ssl_certificate_key /etc/ssl/private/iam.key.pem; - - location / { - proxy_pass http://iam-be:8080; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Host $http_host; - } - - location /iam-test-client { - proxy_pass http://client:8080/iam-test-client; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Host $http_host; - } +user nginx; +worker_processes 1; +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + +http { + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + log_format combined_ssl '$remote_addr - $remote_user [$time_local] "$request" ' + '$ssl_protocol/$ssl_cipher ' + '"$ssl_client_s_dn" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; } diff --git a/iam-common/pom.xml b/iam-common/pom.xml index 678ad0c3e..3c699c947 100644 --- a/iam-common/pom.xml +++ b/iam-common/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 0.6.0 + 1.0.0 iam-common diff --git a/iam-login-service/pom.xml b/iam-login-service/pom.xml index 53d156174..07626ab9a 100644 --- a/iam-login-service/pom.xml +++ b/iam-login-service/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 0.6.0 + 1.0.0 iam-login-service diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/actuator/endpoint/ExternalServiceHealthEndpoint.java b/iam-login-service/src/main/java/it/infn/mw/iam/actuator/endpoint/ExternalServiceHealthEndpoint.java new file mode 100644 index 000000000..a58682624 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/actuator/endpoint/ExternalServiceHealthEndpoint.java @@ -0,0 +1,40 @@ +package it.infn.mw.iam.actuator.endpoint; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.actuate.endpoint.AbstractEndpoint; +import org.springframework.boot.actuate.health.CompositeHealthIndicator; +import org.springframework.boot.actuate.health.Health; +import org.springframework.boot.actuate.health.HealthAggregator; +import org.springframework.boot.actuate.health.HealthIndicator; +import org.springframework.boot.actuate.health.OrderedHealthAggregator; +import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.stereotype.Component; + +import it.infn.mw.iam.actuator.health.GoogleHealthIndicator; + +@Component +@ConfigurationProperties(prefix = "endpoints.externalService") +public class ExternalServiceHealthEndpoint extends AbstractEndpoint { + + private static final String ENDPOINT_ID = "externalService"; + + private final HealthIndicator healthIndicator; + + @Autowired + private HealthAggregator healthAggregator = new OrderedHealthAggregator(); + + @Autowired + public ExternalServiceHealthEndpoint(GoogleHealthIndicator googleHealthIndicator) { + super(ENDPOINT_ID, false); + + CompositeHealthIndicator indicator = new CompositeHealthIndicator(healthAggregator); + indicator.addHealthIndicator("google", googleHealthIndicator); + + this.healthIndicator = indicator; + } + + @Override + public Health invoke() { + return this.healthIndicator.health(); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/actuator/endpoint/mvc/ExternalServiceHealthMvcEndpoint.java b/iam-login-service/src/main/java/it/infn/mw/iam/actuator/endpoint/mvc/ExternalServiceHealthMvcEndpoint.java new file mode 100644 index 000000000..14694fd9d --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/actuator/endpoint/mvc/ExternalServiceHealthMvcEndpoint.java @@ -0,0 +1,77 @@ +package it.infn.mw.iam.actuator.endpoint.mvc; + +import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; + +import java.util.Collection; +import java.util.Map; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.actuate.endpoint.mvc.AbstractEndpointMvcAdapter; +import org.springframework.boot.actuate.health.Health; +import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.http.HttpStatus; +import org.springframework.http.ResponseEntity; +import org.springframework.security.authentication.AbstractAuthenticationToken; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.stereotype.Component; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.ResponseBody; + +import com.google.common.collect.Maps; + +import it.infn.mw.iam.actuator.endpoint.ExternalServiceHealthEndpoint; + +@Component +@ConfigurationProperties(prefix = "endpoints.externalService") +public class ExternalServiceHealthMvcEndpoint + extends AbstractEndpointMvcAdapter { + + private Map statusMapping = Maps.newLinkedHashMap(); + + @Autowired + public ExternalServiceHealthMvcEndpoint(ExternalServiceHealthEndpoint delegate) { + super(delegate); + statusMapping.put("DOWN", HttpStatus.SERVICE_UNAVAILABLE); + } + + @RequestMapping(produces = APPLICATION_JSON_VALUE) + @ResponseBody + public Object getServiceHealth(AbstractAuthenticationToken auth) { + if (!getDelegate().isEnabled()) { + return getDisabledResponse(); + } + + Health health = getHealth(auth); + HttpStatus status = getStatus(health); + + if (status != null) { + return new ResponseEntity(health, status); + } + + return health; + } + + + private HttpStatus getStatus(Health health) { + return statusMapping.get(health.getStatus().getCode()); + } + + private Health getHealth(AbstractAuthenticationToken auth) { + Health health = getDelegate().invoke(); + + if (auth != null && isAdmin(auth.getAuthorities())) { + return health; + } + return Health.status(health.getStatus()).build(); + } + + private boolean isAdmin(Collection authorities) { + for (GrantedAuthority authority : authorities) { + if ("ROLE_ADMIN".equals(authority.getAuthority())) { + return true; + } + } + return false; + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/actuator/health/GoogleHealthIndicator.java b/iam-login-service/src/main/java/it/infn/mw/iam/actuator/health/GoogleHealthIndicator.java new file mode 100644 index 000000000..bbb691157 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/actuator/health/GoogleHealthIndicator.java @@ -0,0 +1,40 @@ +package it.infn.mw.iam.actuator.health; + +import java.net.HttpURLConnection; +import java.net.URL; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.actuate.health.AbstractHealthIndicator; +import org.springframework.boot.actuate.health.Health.Builder; +import org.springframework.stereotype.Component; + +@Component +public class GoogleHealthIndicator extends AbstractHealthIndicator { + + private final String googleEndpoint; + private final int timeout; + + @Autowired + public GoogleHealthIndicator(@Value("${health.googleEndpoint}") String googleEndpoint, + @Value("${health.timeout}") int timeout) { + this.googleEndpoint = googleEndpoint; + this.timeout = timeout; + } + + @Override + protected void doHealthCheck(Builder builder) throws Exception { + builder.withDetail("location", googleEndpoint); + + HttpURLConnection conn = (HttpURLConnection) new URL(googleEndpoint).openConnection(); + conn.setRequestMethod("HEAD"); + conn.setConnectTimeout(timeout); + int responseCode = conn.getResponseCode(); + if (responseCode != 200) { + builder.down(); + } else { + builder.up(); + } + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java index 33fef3b17..be96a56d6 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java @@ -54,18 +54,16 @@ protected IamAccount findAccountByName(String name) { @PreAuthorize("hasRole('USER')") @RequestMapping(value = "/me/authorities", method = RequestMethod.GET) public AuthoritySetDTO getAuthoritiesForMe(Authentication authn) { - AuthoritySetDTO result = AuthoritySetDTO + return AuthoritySetDTO .fromAuthorities(authorityService.getAccountAuthorities(findAccountByName(authn.getName()))); - return result; } @PreAuthorize("hasRole('ADMIN')") @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.GET) @ResponseBody public AuthoritySetDTO getAuthoritiesForAccount(@PathVariable("id") String id) { - AuthoritySetDTO result = AuthoritySetDTO + return AuthoritySetDTO .fromAuthorities(authorityService.getAccountAuthorities(findAccountById(id))); - return result; } @PreAuthorize("hasRole('ADMIN')") diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthorityAlreadyBoundError.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthorityAlreadyBoundError.java index bf1f1e9d4..870b2e24c 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthorityAlreadyBoundError.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthorityAlreadyBoundError.java @@ -6,7 +6,6 @@ public class AuthorityAlreadyBoundError extends RuntimeException { public AuthorityAlreadyBoundError(String message) { super(message); - // TODO Auto-generated constructor stub } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthorityDTO.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthorityDTO.java index 134d0bea6..c37defb19 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthorityDTO.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthorityDTO.java @@ -10,10 +10,6 @@ public class AuthorityDTO { @Size(max = 128, message = "Invalid authority size") private String authority; - public AuthorityDTO() { - - } - public String getAuthority() { return authority; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthoritySetDTO.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthoritySetDTO.java index 2112857dd..3fc54ce36 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthoritySetDTO.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AuthoritySetDTO.java @@ -6,11 +6,6 @@ public class AuthoritySetDTO { Set authorities; - public static AuthoritySetDTO fromAuthorities(Set authorities) { - return new AuthoritySetDTO(authorities); - } - - private AuthoritySetDTO(Set authorities) { this.authorities = authorities; } @@ -18,4 +13,8 @@ private AuthoritySetDTO(Set authorities) { public Set getAuthorities() { return authorities; } + + public static AuthoritySetDTO fromAuthorities(Set authorities) { + return new AuthoritySetDTO(authorities); + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/DefaultAccountAuthorityService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/DefaultAccountAuthorityService.java index 8018c3e2b..502da0811 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/DefaultAccountAuthorityService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/DefaultAccountAuthorityService.java @@ -21,6 +21,8 @@ public class DefaultAccountAuthorityService implements AccountAuthorityService, ApplicationEventPublisherAware { + public static final String ACCOUNT_NOT_NULL_MSG = "account must not be null"; + final IamAuthoritiesRepository authRepo; final IamAccountRepository accountRepo; private ApplicationEventPublisher eventPublisher; @@ -45,7 +47,7 @@ protected IamAuthority findAuthorityFromString(String authority) { @Override public void addAuthorityToAccount(IamAccount account, String authority) { - checkNotNull(account, "account must not be null"); + checkNotNull(account, ACCOUNT_NOT_NULL_MSG); IamAuthority iamAuthority = findAuthorityFromString(authority); @@ -58,30 +60,33 @@ public void addAuthorityToAccount(IamAccount account, String authority) { account.getAuthorities().add(iamAuthority); accountRepo.save(account); - final String message = String.format("Authority %s was added to user %s.", - authority, account.getUsername()); - + final String message = + String.format("Authority %s was added to user %s.", authority, account.getUsername()); + eventPublisher.publishEvent(new AuthorityAddedEvent(this, account, message, authority)); } @Override public void removeAuthorityFromAccount(IamAccount account, String authority) { - checkNotNull(account, "account must not be null"); + checkNotNull(account, ACCOUNT_NOT_NULL_MSG); IamAuthority iamAuthority = findAuthorityFromString(authority); account.getAuthorities().remove(iamAuthority); accountRepo.save(account); - final String message = + final String message = String.format("Authority %s was removed from user %s.", authority, account.getUsername()); - + eventPublisher.publishEvent(new AuthorityRemovedEvent(this, account, message, authority)); } @Override public Set getAccountAuthorities(IamAccount account) { - checkNotNull(account, "account must not be null"); + checkNotNull(account, ACCOUNT_NOT_NULL_MSG); - return account.getAuthorities().stream().map(i -> i.getAuthority()).collect(Collectors.toSet()); + return account.getAuthorities() + .stream() + .map(IamAuthority::getAuthority) + .collect(Collectors.toSet()); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/DefaultPasswordResetService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/DefaultPasswordResetService.java index f262c90ed..184db708f 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/DefaultPasswordResetService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/DefaultPasswordResetService.java @@ -1,6 +1,6 @@ package it.infn.mw.iam.api.account.password_reset; -import java.util.NoSuchElementException; +import java.util.Optional; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -65,8 +65,11 @@ public void validateResetToken(String resetToken) { public void resetPassword(String resetToken, String password) { validateResetToken(resetToken); - - IamAccount account = accountRepository.findByResetKey(resetToken).get(); + // FIXME: we perform the lookup twice. if validateResetToken + // was modified to return the IamAccount we save one call to the DB + IamAccount account = accountRepository.findByResetKey(resetToken) + .orElseThrow(() -> new InvalidPasswordResetTokenError( + String.format("No account found for reset_key [%s]", resetToken))); eventPublisher.publishEvent(new PasswordResetEvent(this, account, String.format("User %s reset its password", account.getUsername()))); @@ -80,19 +83,20 @@ public void resetPassword(String resetToken, String password) { @Override public void createPasswordResetToken(String email) { - try { - IamAccount account = accountRepository.findByEmail(email).get(); - - if (accountActiveAndEmailVerified(account)) { - String resetKey = tokenGenerator.generateToken(); - account.setResetKey(resetKey); - accountRepository.save(account); - - notificationService.createResetPasswordMessage(account); + Optional accountByMail = accountRepository.findByEmail(email); + + accountByMail.ifPresent(a -> { + if (accountActiveAndEmailVerified(a)) { + String resetKey = tokenGenerator.generateToken(); + a.setResetKey(resetKey); + accountRepository.save(a); + notificationService.createResetPasswordMessage(a); + } + }); + + if (!accountByMail.isPresent()){ + logger.warn("No account found linked to email: {}", email); } - } catch (NoSuchElementException nse) { - logger.warn("No account found for the email {}. Message: {}", email, nse.getMessage()); - } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/EmailDTO.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/EmailDTO.java index 0ba914a22..f0b76fe55 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/EmailDTO.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/EmailDTO.java @@ -10,8 +10,6 @@ public class EmailDTO { @NotNull(message = "please specify an email address") private String email; - public EmailDTO() {} - public String getEmail() { return email; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/PasswordDTO.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/PasswordDTO.java index 172a4c8b4..3c781ff80 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/PasswordDTO.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/PasswordDTO.java @@ -11,10 +11,6 @@ public class PasswordDTO { @NotEmpty(message = "The password cannot be empty") @Length(min = 5, message = "The password must be at least 5 characters") private String updatedPassword; - - public PasswordDTO() { - - } public String getCurrentPassword() { return currentPassword; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/PasswordUpdateController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/PasswordUpdateController.java index 69380f5de..ca2236b92 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/PasswordUpdateController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/password_reset/PasswordUpdateController.java @@ -29,9 +29,9 @@ @Transactional public class PasswordUpdateController { - public final static String BASE_URL = "/iam/password-update"; - public final static String CURRENT_PASSWORD = "currentPassword"; - public final static String UPDATED_PASSWORD = "updatedPassword"; + public static final String BASE_URL = "/iam/password-update"; + public static final String CURRENT_PASSWORD = "currentPassword"; + public static final String UPDATED_PASSWORD = "updatedPassword"; @Autowired private PasswordResetService service; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingConstants.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingConstants.java new file mode 100644 index 000000000..70caabfaa --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingConstants.java @@ -0,0 +1,5 @@ +package it.infn.mw.iam.api.account_linking; + +public interface AccountLinkingConstants { + String ACCOUNT_LINKING_DISABLE_PROPERTY = "${accountLinking.disable}"; +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingController.java index 06dea4c03..e23811492 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingController.java @@ -1,6 +1,8 @@ package it.infn.mw.iam.api.account_linking; +import static java.lang.String.format; + import java.io.IOException; import java.security.Principal; @@ -9,6 +11,7 @@ import javax.servlet.http.HttpSession; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.http.HttpStatus; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.core.Authentication; @@ -24,22 +27,73 @@ import it.infn.mw.iam.authn.AbstractExternalAuthenticationToken; import it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport; import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType; +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; @Controller @RequestMapping(AccountLinkingController.ACCCOUNT_LINKING_BASE_RESOURCE) public class AccountLinkingController extends ExternalAuthenticationHandlerSupport { final AccountLinkingService linkingService; + @Value(ACCOUNT_LINKING_DISABLE_PROPERTY) + private Boolean accountLinkingDisabled; + @Autowired public AccountLinkingController(AccountLinkingService s) { linkingService = s; } + + @PreAuthorize("hasRole('USER')") + @RequestMapping(value = "/X509", method = RequestMethod.DELETE) + @ResponseStatus(value = HttpStatus.NO_CONTENT) + public void unlinkX509Certificate(Principal principal, @RequestParam String certificateSubject, + RedirectAttributes attributes) { + + checkAccountLinkingEnabled(attributes); + linkingService.unlinkX509Certificate(principal, certificateSubject); + } + + + @PreAuthorize("hasRole('USER')") + @RequestMapping(value = "/X509", method = RequestMethod.POST) + public String linkX509Certificate(HttpSession session, Principal principal, + RedirectAttributes attributes) { + + clearAccountLinkingSessionAttributes(session); + checkAccountLinkingEnabled(attributes); + + try { + IamX509AuthenticationCredential cred = getSavedX509AuthenticationCredential(session) + .orElseThrow(() -> new IllegalArgumentException( + format("No X.509 credential found in session for user '%s'", principal.getName()))); + + linkingService.linkX509Certificate(principal, cred); + saveX509LinkingSuccess(cred, attributes); + + } catch (Exception ex) { + saveAccountLinkingError(ex, attributes); + } + + return "redirect:/dashboard"; + } + + + private void checkAccountLinkingEnabled(RedirectAttributes attributes) { + if (accountLinkingDisabled) { + AccountLinkingDisabledException ex = new AccountLinkingDisabledException(); + saveAccountLinkingError(ex, attributes); + throw ex; + } + } + @PreAuthorize("hasRole('USER')") @RequestMapping(value = "/{type}", method = RequestMethod.POST) public void linkAccount(@PathVariable ExternalAuthenticationType type, @RequestParam(value = "id", required = false) String externalIdpId, Authentication authn, - HttpServletRequest request, HttpServletResponse response) throws IOException { + final RedirectAttributes redirectAttributes, HttpServletRequest request, + HttpServletResponse response) throws IOException { + + checkAccountLinkingEnabled(redirectAttributes); HttpSession session = request.getSession(); @@ -56,6 +110,7 @@ public String finalizeAccountLinking(@PathVariable ExternalAuthenticationType ty Principal principal, final RedirectAttributes redirectAttributes, HttpServletRequest request, HttpServletResponse response) throws IOException { + checkAccountLinkingEnabled(redirectAttributes); HttpSession session = request.getSession(); if (!hasAccountLinkingDoneKey(session)) { @@ -90,9 +145,12 @@ public String finalizeAccountLinking(@PathVariable ExternalAuthenticationType ty @RequestMapping(value = "/{type}", method = RequestMethod.DELETE) @ResponseStatus(value = HttpStatus.NO_CONTENT) public void unlinkAccount(@PathVariable ExternalAuthenticationType type, Principal principal, - @RequestParam("iss") String issuer, @RequestParam("sub") String subject) { + @RequestParam("iss") String issuer, @RequestParam("sub") String subject, + @RequestParam(name = "attr", required = false) String attributeId, + final RedirectAttributes redirectAttributes) { - linkingService.unlinkExternalAccount(principal, type, issuer, subject); + checkAccountLinkingEnabled(redirectAttributes); + linkingService.unlinkExternalAccount(principal, type, issuer, subject, attributeId); } @ResponseStatus(value = HttpStatus.BAD_REQUEST) @@ -100,4 +158,10 @@ public void unlinkAccount(@PathVariable ExternalAuthenticationType type, Princip public String handleIllegalArgumentException(HttpServletRequest request, Exception ex) { return "iam/dashboard"; } + + @ResponseStatus(value = HttpStatus.FORBIDDEN) + @ExceptionHandler(AccountLinkingDisabledException.class) + public String handleAccountLinkingDisabledException(HttpServletRequest request, Exception ex) { + return "iam/dashboard"; + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingDisabledException.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingDisabledException.java new file mode 100644 index 000000000..623a36c4c --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingDisabledException.java @@ -0,0 +1,16 @@ +package it.infn.mw.iam.api.account_linking; + +public class AccountLinkingDisabledException extends RuntimeException { + + /** + * + */ + private static final long serialVersionUID = 1L; + + public static final String MESSAGE = "Account linking is disabled for this IAM instance"; + + public AccountLinkingDisabledException() { + super(MESSAGE); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingService.java index 484a86ec5..2073f4a26 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/AccountLinkingService.java @@ -4,13 +4,19 @@ import it.infn.mw.iam.authn.AbstractExternalAuthenticationToken; import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType; +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; public interface AccountLinkingService { + void linkX509Certificate(Principal authenticatedUser, + IamX509AuthenticationCredential x509Credential); + + void unlinkX509Certificate(Principal authenticatedUser, String certificateSubject); + void linkExternalAccount(Principal authenticatedUser, AbstractExternalAuthenticationToken externalAuthenticationToken); void unlinkExternalAccount(Principal authenticatedUser, ExternalAuthenticationType type, - String iss, String sub); + String iss, String sub, String attributeId); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/DefaultAccountLinkingService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/DefaultAccountLinkingService.java index 7b30e54aa..7f22015b4 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/DefaultAccountLinkingService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account_linking/DefaultAccountLinkingService.java @@ -1,8 +1,11 @@ package it.infn.mw.iam.api.account_linking; import static it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType.SAML; +import static java.lang.String.format; import java.security.Principal; +import java.util.Date; +import java.util.Optional; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationEventPublisher; @@ -12,12 +15,18 @@ import it.infn.mw.iam.audit.events.account.AccountLinkedEvent; import it.infn.mw.iam.audit.events.account.AccountUnlinkedEvent; +import it.infn.mw.iam.audit.events.account.X509CertificateLinkedEvent; +import it.infn.mw.iam.audit.events.account.X509CertificateUnlinkedEvent; +import it.infn.mw.iam.audit.events.account.X509CertificateUpdatedEvent; import it.infn.mw.iam.authn.AbstractExternalAuthenticationToken; import it.infn.mw.iam.authn.ExternalAccountLinker; import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType; +import it.infn.mw.iam.authn.error.AccountAlreadyLinkedError; +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamOidcId; import it.infn.mw.iam.persistence.model.IamSamlId; +import it.infn.mw.iam.persistence.model.IamX509Certificate; import it.infn.mw.iam.persistence.repository.IamAccountRepository; @Service @@ -39,10 +48,9 @@ public void setApplicationEventPublisher(ApplicationEventPublisher publisher) { } private IamAccount findAccount(Principal authenticatedUser) { - return iamAccountRepository.findByUsername(authenticatedUser.getName()).orElseThrow(() -> { - return new UsernameNotFoundException( - "No user found with username '" + authenticatedUser.getName() + "'"); - }); + return iamAccountRepository.findByUsername(authenticatedUser.getName()) + .orElseThrow(() -> new UsernameNotFoundException( + "No user found with username '" + authenticatedUser.getName() + "'")); } @Override @@ -54,24 +62,28 @@ public void linkExternalAccount(Principal authenticatedUser, externalAuthenticationToken.linkToIamAccount(externalAccountLinker, userAccount); eventPublisher.publishEvent(new AccountLinkedEvent(this, userAccount, - externalAuthenticationToken.toExernalAuthenticationInfo(), + externalAuthenticationToken.toExernalAuthenticationRegistrationInfo(), String.format("User %s has linked a new account of type %s", userAccount.getUsername(), - externalAuthenticationToken.toExernalAuthenticationInfo().getType().toString()))); + externalAuthenticationToken.toExernalAuthenticationRegistrationInfo() + .getType() + .toString()))); } @Override public void unlinkExternalAccount(Principal authenticatedUser, ExternalAuthenticationType type, - String iss, String sub) { + String iss, String sub, String attributeId) { IamAccount userAccount = findAccount(authenticatedUser); boolean modified = false; + if (SAML.equals(type)) { IamSamlId id = new IamSamlId(); id.setIdpId(iss); id.setUserId(sub); + id.setAttributeId(attributeId); userAccount.getSamlIds() .stream() @@ -106,4 +118,83 @@ public void unlinkExternalAccount(Principal authenticatedUser, ExternalAuthentic } } + @Override + public void linkX509Certificate(Principal authenticatedUser, + IamX509AuthenticationCredential x509Credential) { + + IamAccount userAccount = findAccount(authenticatedUser); + + iamAccountRepository.findByCertificateSubject(x509Credential.getSubject()) + .ifPresent(linkedAccount -> { + if (!linkedAccount.getUuid().equals(userAccount.getUuid())) { + throw new AccountAlreadyLinkedError( + format("X.509 credential with subject '%s' is already linked to another user", + x509Credential.getSubject())); + } + }); + + Optional linkedCert = userAccount.getX509Certificates() + .stream() + .filter(c -> c.getSubjectDn().equals(x509Credential.getSubject())) + .findAny(); + + if (linkedCert.isPresent()) { + + linkedCert.ifPresent(c -> { + c.setSubjectDn(x509Credential.getSubject()); + c.setIssuerDn(x509Credential.getIssuer()); + c.setCertificate(x509Credential.getCertificateChainPemString()); + c.setLastUpdateTime(new Date()); + }); + + userAccount.touch(); + iamAccountRepository.save(userAccount); + + eventPublisher.publishEvent(new X509CertificateUpdatedEvent(this, userAccount, + String.format("User '%s' has updated its linked certificate with subject '%s'", + userAccount.getUsername(), x509Credential.getSubject()), + x509Credential)); + + } else { + + Date now = new Date(); + IamX509Certificate newCert = x509Credential.asIamX509Certificate(); + newCert.setLabel(String.format("cert-%d", userAccount.getX509Certificates().size())); + + newCert.setCreationTime(now); + newCert.setLastUpdateTime(now); + + newCert.setPrimary(true); + newCert.setAccount(userAccount); + userAccount.getX509Certificates().add(newCert); + userAccount.touch(); + + iamAccountRepository.save(userAccount); + + eventPublisher.publishEvent(new X509CertificateLinkedEvent(this, userAccount, + String.format("User '%s' linked certificate with subject '%s' to his/her membership", + userAccount.getUsername(), x509Credential.getSubject()), + x509Credential)); + + } + } + + @Override + public void unlinkX509Certificate(Principal authenticatedUser, String certificateSubject) { + IamAccount userAccount = findAccount(authenticatedUser); + + boolean removed = userAccount.getX509Certificates() + .removeIf(c -> c.getSubjectDn().equals(certificateSubject)); + + if (removed) { + userAccount.touch(); + iamAccountRepository.save(userAccount); + + eventPublisher.publishEvent(new X509CertificateUnlinkedEvent(this, userAccount, + String.format("User '%s' unlinked certificate with subject '%s' from his/her membership", + userAccount.getUsername(), certificateSubject), + certificateSubject)); + } + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/authn_info/AuthnInfoController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/authn_info/AuthnInfoController.java index 439d72680..88a6b1d65 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/authn_info/AuthnInfoController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/authn_info/AuthnInfoController.java @@ -23,7 +23,7 @@ public ExternalAuthenticationRegistrationInfo getAuthenticationInfo() { (AbstractExternalAuthenticationToken) SecurityContextHolder.getContext() .getAuthentication(); - return extAuthnToken.toExernalAuthenticationInfo(); + return extAuthnToken.toExernalAuthenticationRegistrationInfo(); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimControllerSupport.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimControllerSupport.java new file mode 100644 index 000000000..35924f29d --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimControllerSupport.java @@ -0,0 +1,52 @@ +package it.infn.mw.iam.api.scim.controller; + +import it.infn.mw.iam.api.scim.provisioning.paging.DefaultScimPageRequest; +import it.infn.mw.iam.api.scim.provisioning.paging.ScimPageRequest; + +public class ScimControllerSupport { + + protected static final int SCIM_USER_MAX_PAGE_SIZE = 100; + protected static final int SCIM_GROUP_MAX_PAGE_SIZE = 10; + + protected ScimPageRequest buildUserPageRequest(Integer count, Integer startIndex) { + return buildPageRequest(count, startIndex, SCIM_USER_MAX_PAGE_SIZE); + } + + protected ScimPageRequest buildGroupPageRequest(Integer count, Integer startIndex) { + return buildPageRequest(count, startIndex, SCIM_GROUP_MAX_PAGE_SIZE); + } + + private ScimPageRequest buildPageRequest(Integer count, Integer startIndex, int maxPageSize) { + + int validCount = 0; + int validStartIndex = 1; + + if (count == null) { + validCount = maxPageSize; + } else { + validCount = count; + if (count < 0) { + validCount = 0; + } else if (count > maxPageSize) { + validCount = maxPageSize; + } + } + + // SCIM pages index is 1-based + if (startIndex == null) { + validStartIndex = 1; + + } else { + + validStartIndex = startIndex; + if (startIndex < 1) { + validStartIndex = 1; + } + } + + return new DefaultScimPageRequest.Builder().count(validCount) + .startIndex(validStartIndex - 1) + .build(); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimExceptionHandler.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimExceptionHandler.java index e70807a7a..230cbced5 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimExceptionHandler.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimExceptionHandler.java @@ -17,6 +17,7 @@ import it.infn.mw.iam.api.scim.exception.ScimResourceNotFoundException; import it.infn.mw.iam.api.scim.exception.ScimValidationException; import it.infn.mw.iam.api.scim.model.ScimErrorResponse; +import it.infn.mw.iam.authn.x509.CertificateParsingError; import it.infn.mw.iam.util.ssh.InvalidSshKeyException; @ControllerAdvice @@ -40,6 +41,14 @@ public ScimErrorResponse handleScimValidationException(ScimValidationException e return buildErrorResponse(HttpStatus.BAD_REQUEST, e.getMessage()); } + @ResponseStatus(code = HttpStatus.BAD_REQUEST) + @ExceptionHandler(CertificateParsingError.class) + @ResponseBody + public ScimErrorResponse handleCertificateParsingError(CertificateParsingError e) { + + return buildErrorResponse(HttpStatus.BAD_REQUEST, e.getMessage()); + } + @ResponseStatus(code = HttpStatus.BAD_REQUEST) @ExceptionHandler(IllegalArgumentException.class) @ResponseBody diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java index 051def0d8..2e19025b1 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java @@ -34,22 +34,21 @@ import it.infn.mw.iam.api.scim.model.ScimGroupPatchRequest; import it.infn.mw.iam.api.scim.model.ScimListResponse; import it.infn.mw.iam.api.scim.provisioning.ScimGroupProvisioning; -import it.infn.mw.iam.api.scim.provisioning.paging.DefaultScimPageRequest; import it.infn.mw.iam.api.scim.provisioning.paging.ScimPageRequest; @RestController @RequestMapping("/scim/Groups") @Transactional -public class ScimGroupController { - - private static final int SCIM_MAX_PAGE_SIZE = 10; - +public class ScimGroupController extends ScimControllerSupport{ + private Set parseAttributes(final String attributesParameter) { Set result = new HashSet<>(); if (!Strings.isNullOrEmpty(attributesParameter)) { - result = Sets.newHashSet(Splitter.on(CharMatcher.anyOf(".,")).trimResults().omitEmptyStrings() - .split(attributesParameter)); + result = Sets.newHashSet(Splitter.on(CharMatcher.anyOf(".,")) + .trimResults() + .omitEmptyStrings() + .split(attributesParameter)); } result.add("schemas"); result.add("id"); @@ -59,27 +58,6 @@ private Set parseAttributes(final String attributesParameter) { @Autowired ScimGroupProvisioning groupProvisioningService; - private ScimPageRequest buildPageRequest(Integer count, Integer startIndex) { - - if (count == null || count > SCIM_MAX_PAGE_SIZE) { - count = SCIM_MAX_PAGE_SIZE; - } - - if (count < 0) { - count = 0; - } - - // SCIM pages index is 1-based - if (startIndex == null || startIndex < 1) { - startIndex = 1; - } - - ScimPageRequest pr = - new DefaultScimPageRequest.Builder().count(count).startIndex(startIndex - 1).build(); - - return pr; - } - @PreAuthorize("#oauth2.hasScope('scim:read') or hasRole('ADMIN')") @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE) @@ -94,7 +72,7 @@ public MappingJacksonValue listGroups(@RequestParam(required = false) final Inte @RequestParam(required = false) final Integer startIndex, @RequestParam(required = false) final String attributes) { - ScimPageRequest pr = buildPageRequest(count, startIndex); + ScimPageRequest pr = buildGroupPageRequest(count, startIndex); ScimListResponse result = groupProvisioningService.list(pr); MappingJacksonValue wrapper = new MappingJacksonValue(result); @@ -119,8 +97,7 @@ public ScimGroup create(@RequestBody @Validated final ScimGroup group, final BindingResult validationResult) { handleValidationError("Invalid Scim Group", validationResult); - ScimGroup result = groupProvisioningService.create(group); - return result; + return groupProvisioningService.create(group); } @PreAuthorize("#oauth2.hasScope('scim:write') or hasRole('ADMIN')") @@ -141,7 +118,8 @@ public ScimGroup replaceGroup(@PathVariable final String id, consumes = ScimConstants.SCIM_CONTENT_TYPE) @ResponseStatus(HttpStatus.NO_CONTENT) public void updateGroup(@PathVariable final String id, - @RequestBody @Validated final ScimGroupPatchRequest groupPatchRequest, final BindingResult validationResult) { + @RequestBody @Validated final ScimGroupPatchRequest groupPatchRequest, + final BindingResult validationResult) { handleValidationError("Invalid Scim Group", validationResult); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java index b86f770d8..0d441ca4d 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java @@ -2,19 +2,22 @@ import static it.infn.mw.iam.api.scim.controller.utils.ValidationHelper.handleValidationError; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_OIDC_ID; +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_PICTURE; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_SAML_ID; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_EMAIL; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_FAMILY_NAME; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_GIVEN_NAME; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_PICTURE; -import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_PICTURE; +import java.util.ArrayList; import java.util.EnumSet; import java.util.List; import javax.transaction.Transactional; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationEventPublisher; +import org.springframework.context.ApplicationEventPublisherAware; import org.springframework.http.HttpStatus; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.core.Authentication; @@ -50,9 +53,9 @@ @RestController @RequestMapping("/scim/Me") @Transactional -public class ScimMeController { +public class ScimMeController implements ApplicationEventPublisherAware { - public static final EnumSet SUPPORTED_UPDATER_TYPES = + protected static final EnumSet SUPPORTED_UPDATER_TYPES = EnumSet.of(ACCOUNT_REMOVE_OIDC_ID, ACCOUNT_REMOVE_SAML_ID, ACCOUNT_REPLACE_EMAIL, ACCOUNT_REPLACE_FAMILY_NAME, ACCOUNT_REPLACE_GIVEN_NAME, ACCOUNT_REPLACE_PICTURE, ACCOUNT_REMOVE_PICTURE); @@ -63,6 +66,8 @@ public class ScimMeController { private final DefaultAccountUpdaterFactory updatersFactory; + private ApplicationEventPublisher eventPublisher; + @Autowired public ScimMeController(IamAccountRepository accountRepository, UserConverter userConverter, PasswordEncoder passwordEncoder, OidcIdConverter oidcIdConverter, @@ -75,8 +80,12 @@ public ScimMeController(IamAccountRepository accountRepository, UserConverter us oidcIdConverter, samlIdConverter, sshKeyConverter, x509CertificateConverter); } + public void setApplicationEventPublisher(ApplicationEventPublisher publisher) { + this.eventPublisher = publisher; + } + @PreAuthorize("#oauth2.hasScope('scim:read') or hasRole('USER')") - @RequestMapping(method = RequestMethod.GET) + @RequestMapping(method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE) public ScimUser whoami() { IamAccount account = getCurrentUserAccount(); @@ -102,6 +111,7 @@ public void updateUser( private void executePatchOperation(IamAccount account, ScimPatchOperation op) { List updaters = updatersFactory.getUpdatersForPatchOperation(account, op); + List updatesToPublish = new ArrayList<>(); boolean hasChanged = false; @@ -111,6 +121,7 @@ private void executePatchOperation(IamAccount account, ScimPatchOperation parseAttributes(final String attributesParameter) { Set result = new HashSet<>(); if (!Strings.isNullOrEmpty(attributesParameter)) { - result = Sets.newHashSet(Splitter.on(CharMatcher.anyOf(".,")).trimResults().omitEmptyStrings() - .split(attributesParameter)); + result = Sets.newHashSet(Splitter.on(CharMatcher.anyOf(".,")) + .trimResults() + .omitEmptyStrings() + .split(attributesParameter)); } result.add("schemas"); result.add("id"); return result; } - - private ScimPageRequest buildPageRequest(Integer count, Integer startIndex) { - - if (count == null || count > SCIM_MAX_PAGE_SIZE) { - count = SCIM_MAX_PAGE_SIZE; - } - - if (count < 0) { - count = 0; - } - - // SCIM pages index is 1-based - if (startIndex == null || startIndex < 1) { - startIndex = 1; - } - - ScimPageRequest pr = - new DefaultScimPageRequest.Builder().count(count).startIndex(startIndex - 1).build(); - - return pr; - } - @PreAuthorize("#oauth2.hasScope('scim:read') or hasRole('ADMIN')") @RequestMapping(method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE) public MappingJacksonValue listUsers(@RequestParam(required = false) final Integer count, @RequestParam(required = false) final Integer startIndex, @RequestParam(required = false) final String attributes) { - ScimPageRequest pr = buildPageRequest(count, startIndex); + ScimPageRequest pr = buildUserPageRequest(count, startIndex); ScimListResponse result = userProvisioningService.list(pr); MappingJacksonValue wrapper = new MappingJacksonValue(result); @@ -126,9 +103,7 @@ public MappingJacksonValue create( handleValidationError("Invalid Scim User", validationResult); ScimUser result = userProvisioningService.create(user); - MappingJacksonValue wrapper = new MappingJacksonValue(result); - - return wrapper; + return new MappingJacksonValue(result); } @PreAuthorize("#oauth2.hasScope('scim:write') or hasRole('ADMIN')") diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/AddressConverter.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/AddressConverter.java index a1e042994..4c448db0b 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/AddressConverter.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/AddressConverter.java @@ -28,12 +28,14 @@ public Address fromScim(ScimAddress scim) { @Override public ScimAddress toScim(Address entity) { - ScimAddress address = - ScimAddress.builder().country(entity.getCountry()).formatted(entity.getFormatted()) - .locality(entity.getLocality()).postalCode(entity.getPostalCode()) - .region(entity.getRegion()).streetAddress(entity.getStreetAddress()).build(); - - return address; + return ScimAddress.builder() + .country(entity.getCountry()) + .formatted(entity.getFormatted()) + .locality(entity.getLocality()) + .postalCode(entity.getPostalCode()) + .region(entity.getRegion()) + .streetAddress(entity.getStreetAddress()) + .build(); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/SamlIdConverter.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/SamlIdConverter.java index 6f5ef8a32..84b431078 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/SamlIdConverter.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/SamlIdConverter.java @@ -14,6 +14,7 @@ public IamSamlId fromScim(ScimSamlId scim) { IamSamlId samlId = new IamSamlId(); samlId.setIdpId(scim.getIdpId()); samlId.setUserId(scim.getUserId()); + samlId.setAttributeId(scim.getAttributeId()); samlId.setAccount(null); return samlId; @@ -22,6 +23,9 @@ public IamSamlId fromScim(ScimSamlId scim) { @Override public ScimSamlId toScim(IamSamlId entity) { - return ScimSamlId.builder().idpId(entity.getIdpId()).userId(entity.getUserId()).build(); + return ScimSamlId.builder().idpId(entity.getIdpId()). + userId(entity.getUserId()) + .attributeId(entity.getAttributeId()) + .build(); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/UserConverter.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/UserConverter.java index f37f81eae..f19a2cc84 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/UserConverter.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/UserConverter.java @@ -28,22 +28,23 @@ public class UserConverter implements Converter { private final AddressConverter addressConverter; - private final X509CertificateConverter x509CertificateConverter; private final OidcIdConverter oidcIdConverter; private final SshKeyConverter sshKeyConverter; private final SamlIdConverter samlIdConverter; + private final X509CertificateConverter x509CertificateIamConverter; @Autowired - public UserConverter(ScimResourceLocationProvider rlp, X509CertificateConverter x509cc, - AddressConverter ac, OidcIdConverter oidc, SshKeyConverter sshc, SamlIdConverter samlc) { + public UserConverter(ScimResourceLocationProvider rlp, AddressConverter ac, + OidcIdConverter oidc, SshKeyConverter sshc, SamlIdConverter samlc, + X509CertificateConverter x509Iamcc) { this.resourceLocationProvider = rlp; this.addressConverter = ac; - this.x509CertificateConverter = x509cc; this.oidcIdConverter = oidc; this.sshKeyConverter = sshc; this.samlIdConverter = samlc; + this.x509CertificateIamConverter = x509Iamcc; } @Override @@ -63,17 +64,7 @@ public IamAccount fromScim(ScimUser scimUser) { account.setPassword(scimUser.getPassword()); } - - if (scimUser.hasX509Certificates()) { - - scimUser.getX509Certificates().forEach(scimCert -> { - - IamX509Certificate iamCert = x509CertificateConverter.fromScim(scimCert); - iamCert.setAccount(account); - account.getX509Certificates().add(iamCert); - }); - } - + if (scimUser.hasOidcIds()) { scimUser.getIndigoUser().getOidcIds().forEach(oidcId -> { @@ -96,7 +87,7 @@ public IamAccount fromScim(ScimUser scimUser) { try { iamSshKey.setFingerprint(RSAPublicKeyUtils.getSHA256Fingerprint(iamSshKey.getValue())); } catch (InvalidSshKeyException e) { - throw new ScimException(e.getMessage()); + throw new ScimException(e.getMessage(),e); } } @@ -121,6 +112,14 @@ public IamAccount fromScim(ScimUser scimUser) { }); } + + if (scimUser.hasX509Certificates()) { + scimUser.getIndigoUser().getCertificates().forEach(c -> { + IamX509Certificate cert = x509CertificateIamConverter.fromScim(c); + cert.setAccount(account); + account.getX509Certificates().add(cert); + }); + } IamUserInfo userInfo = new IamUserInfo(); @@ -138,6 +137,7 @@ public IamAccount fromScim(ScimUser scimUser) { } account.setUserInfo(userInfo); + userInfo.setIamAccount(account); return account; } @@ -174,8 +174,6 @@ public ScimUser toScim(IamAccount entity) { } entity.getGroups().forEach(group -> builder.addGroupRef(getScimGroupRef(group))); - entity.getX509Certificates() - .forEach(cert -> builder.addX509Certificate(x509CertificateConverter.toScim(cert))); return builder.build(); } @@ -210,6 +208,9 @@ private ScimIndigoUser getScimIndigoUser(IamAccount entity) { entity.getSamlIds() .forEach(samlId -> indigoUserBuilder.addSamlId(samlIdConverter.toScim(samlId))); + entity.getX509Certificates() + .forEach(cert -> indigoUserBuilder.addCertificate(x509CertificateIamConverter.toScim(cert))); + ScimIndigoUser indigoUser = indigoUserBuilder.build(); return indigoUser.isEmpty() ? null : indigoUser; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/X509CertificateConverter.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/X509CertificateConverter.java index 719cdb168..6aadaafee 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/X509CertificateConverter.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/X509CertificateConverter.java @@ -1,40 +1,63 @@ package it.infn.mw.iam.api.scim.converter; +import java.security.Principal; +import java.security.cert.X509Certificate; + +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; -import it.infn.mw.iam.api.scim.exception.ScimValidationException; +import eu.emi.security.authn.x509.impl.X500NameUtils; import it.infn.mw.iam.api.scim.model.ScimX509Certificate; +import it.infn.mw.iam.authn.x509.X509CertificateChainParser; +import it.infn.mw.iam.authn.x509.X509CertificateChainParsingResult; import it.infn.mw.iam.persistence.model.IamX509Certificate; -import it.infn.mw.iam.util.x509.X509Utils; @Service public class X509CertificateConverter implements Converter { - /** - *
    - *
  • scim.value => certificate
    • - *
  • scim.display => label
    • - *
  • scim.primary => primary
    • - *
  • scim.certificateSubject => must be extract from certificate
    • - *
- */ + private final X509CertificateChainParser parser; + + + @Autowired + public X509CertificateConverter(X509CertificateChainParser parser) { + this.parser = parser; + } + + private String principalAsRfc2253String(Principal principal) { + return X500NameUtils.getPortableRFC2253Form(principal.getName()); + } - @Override - public IamX509Certificate fromScim(ScimX509Certificate scim) throws ScimValidationException { + + private IamX509Certificate parseCertificateFromString(String pemString) { + X509CertificateChainParsingResult result = parser.parseChainFromString(pemString); IamX509Certificate cert = new IamX509Certificate(); + X509Certificate leafCert = result.getChain()[0]; - cert.setCertificate(scim.getValue()); - cert.setLabel(scim.getDisplay()); + cert.setSubjectDn(principalAsRfc2253String(leafCert.getSubjectX500Principal())); + cert.setIssuerDn(principalAsRfc2253String(leafCert.getIssuerX500Principal())); + + cert.setCertificate(pemString); + return cert; + } - if (scim.isPrimary() != null) { - cert.setPrimary(scim.isPrimary()); + @Override + public IamX509Certificate fromScim(ScimX509Certificate scim) { + + IamX509Certificate cert; + + if (scim.getPemEncodedCertificate() != null) { + cert = parseCertificateFromString(scim.getPemEncodedCertificate()); } else { - cert.setPrimary(false); + cert = new IamX509Certificate(); + cert.setCertificate(scim.getPemEncodedCertificate()); + cert.setSubjectDn(scim.getSubjectDn()); + cert.setIssuerDn(scim.getIssuerDn()); } - - cert.setCertificateSubject(X509Utils.getCertificateSubject(scim.getValue())); + + cert.setLabel(scim.getDisplay()); + cert.setPrimary(scim.getPrimary() == null ? false : scim.getPrimary()); return cert; } @@ -43,9 +66,14 @@ public IamX509Certificate fromScim(ScimX509Certificate scim) throws ScimValidati public ScimX509Certificate toScim(IamX509Certificate entity) { return ScimX509Certificate.builder() - .primary(entity.isPrimary()) + .created(entity.getCreationTime()) + .lastModified(entity.getLastUpdateTime()) .display(entity.getLabel()) - .value(entity.getCertificate()) + .subjectDn(entity.getSubjectDn()) + .issuerDn(entity.getIssuerDn()) + .pemEncodedCertificate(entity.getCertificate()) + .primary(entity.isPrimary()) .build(); } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/IllegalArgumentException.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/IllegalArgumentException.java index 28afe78fb..fb705a447 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/IllegalArgumentException.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/IllegalArgumentException.java @@ -10,4 +10,9 @@ public class IllegalArgumentException extends ScimException { public IllegalArgumentException(String message) { super(message); } + + public IllegalArgumentException(String message, Throwable cause) { + super(message, cause); + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimException.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimException.java index 5841c44c4..0c1b7cd49 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimException.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimException.java @@ -7,4 +7,14 @@ public class ScimException extends RuntimeException { public ScimException(String message) { super(message); } + + public ScimException(String message, Throwable cause) { + super(message, cause); + } + + public ScimException(Throwable cause) { + super(cause); + } + + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimResourceExistsException.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimResourceExistsException.java index dfca12690..b1c32092c 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimResourceExistsException.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimResourceExistsException.java @@ -8,4 +8,9 @@ public class ScimResourceExistsException extends ScimException { public ScimResourceExistsException(String s) { super(s); } + + public ScimResourceExistsException(String message, Throwable cause) { + super(message, cause); + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimValidationException.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimValidationException.java index 9c781a8df..44fbb3319 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimValidationException.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/exception/ScimValidationException.java @@ -11,4 +11,8 @@ public ScimValidationException(String message) { super(message); } + public ScimValidationException(String message, Throwable cause) { + super(message, cause); + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimAddress.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimAddress.java index 2aaafd311..d4168d1a2 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimAddress.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimAddress.java @@ -7,7 +7,7 @@ @JsonInclude(JsonInclude.Include.NON_EMPTY) public class ScimAddress { - public static enum ScimAddressType { + public enum ScimAddressType { work, home, other; } @@ -172,10 +172,6 @@ public static class Builder { private String country; private boolean primary = true; - public Builder() { - - } - public Builder formatted(String formatted) { this.formatted = formatted; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimEmail.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimEmail.java index df2b9101f..a14509378 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimEmail.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimEmail.java @@ -14,7 +14,7 @@ public class ScimEmail { - public static enum ScimEmailType { + public enum ScimEmailType { work, home, other; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroup.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroup.java index 72edf98b1..abff281ee 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroup.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroup.java @@ -8,6 +8,7 @@ import javax.validation.Valid; +import org.hibernate.validator.constraints.Length; import org.hibernate.validator.constraints.NotBlank; import com.fasterxml.jackson.annotation.JsonCreator; @@ -24,6 +25,7 @@ public final class ScimGroup extends ScimResource { public static final String RESOURCE_TYPE = "Group"; @NotBlank + @Length(max = 512) private final String displayName; @Valid @@ -63,7 +65,7 @@ public Set getMembers() { return members; } - + public ScimIndigoGroup getIndigoGroup() { return indigoGroup; } @@ -76,7 +78,7 @@ public static Builder builder(String groupName) { public static class Builder extends ScimResource.Builder { private String displayName; - private Set members = new HashSet(); + private Set members = new HashSet<>(); private ScimIndigoGroup indigoGroup = null; public Builder(String displayName) { diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroupPatchRequest.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroupPatchRequest.java index 86183b31d..c64bd5fdb 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroupPatchRequest.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroupPatchRequest.java @@ -56,9 +56,9 @@ public static Builder builder() { public static class Builder { - private Set schemas = new HashSet(); + private Set schemas = new HashSet<>(); private List>> operations = - new ArrayList>>(); + new ArrayList<>(); public Builder() { schemas.add(PATCHOP_SCHEMA); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroupRef.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroupRef.java index b2a600149..9dd0152c7 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroupRef.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimGroupRef.java @@ -43,6 +43,31 @@ public String getRef() { return ref; } + @Override + public int hashCode() { + int prime = 31; + int result = 1; + result = prime * result + ((value == null) ? 0 : value.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + ScimGroupRef other = (ScimGroupRef) obj; + if (value == null) { + if (other.value != null) + return false; + } else if (!value.equals(other.value)) + return false; + return true; + } + public static Builder builder() { return new Builder(); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimIndigoUser.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimIndigoUser.java index 3960160a0..503651fd1 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimIndigoUser.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimIndigoUser.java @@ -3,6 +3,8 @@ import java.util.LinkedList; import java.util.List; +import javax.validation.Valid; + import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonInclude; @@ -15,7 +17,8 @@ public enum INDIGO_USER_SCHEMA { SSH_KEYS(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys"), OIDC_IDS(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds"), - SAML_IDS(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds"); + SAML_IDS(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds"), + X509_CERTS(ScimConstants.INDIGO_USER_SCHEMA + ".x509Certificates"); private final String text; @@ -27,20 +30,27 @@ private INDIGO_USER_SCHEMA(String text) { public String toString() { return text; } - }; + } private final List sshKeys; private final List oidcIds; + + @Valid private final List samlIds; + @Valid + private final List certificates; + @JsonCreator private ScimIndigoUser(@JsonProperty("oidcIds") List oidcIds, @JsonProperty("sshKeys") List sshKeys, - @JsonProperty("samlIds") List samlIds) { + @JsonProperty("samlIds") List samlIds, + @JsonProperty("x509Certificates") List certs ) { - this.oidcIds = oidcIds != null ? oidcIds : new LinkedList(); - this.sshKeys = sshKeys != null ? sshKeys : new LinkedList(); - this.samlIds = samlIds != null ? samlIds : new LinkedList(); + this.oidcIds = oidcIds != null ? oidcIds : new LinkedList<>(); + this.sshKeys = sshKeys != null ? sshKeys : new LinkedList<>(); + this.samlIds = samlIds != null ? samlIds : new LinkedList<>(); + this.certificates = certs != null ? certs: new LinkedList<>(); } @@ -48,12 +58,13 @@ private ScimIndigoUser(Builder b) { this.sshKeys = b.sshKeys; this.oidcIds = b.oidcIds; this.samlIds = b.samlIds; + this.certificates = b.certificates; } @JsonIgnore public boolean isEmpty() { - return sshKeys.isEmpty() && oidcIds.isEmpty() && samlIds.isEmpty(); + return sshKeys.isEmpty() && oidcIds.isEmpty() && samlIds.isEmpty() && certificates.isEmpty(); } public List getSshKeys() { @@ -71,6 +82,10 @@ public List getSamlIds() { return samlIds; } + public List getCertificates() { + return certificates; + } + public static Builder builder() { return new Builder(); @@ -78,9 +93,10 @@ public static Builder builder() { public static class Builder { - private List sshKeys = new LinkedList(); - private List oidcIds = new LinkedList(); - private List samlIds = new LinkedList(); + private List sshKeys = new LinkedList<>(); + private List oidcIds = new LinkedList<>(); + private List samlIds = new LinkedList<>(); + private List certificates = new LinkedList<>(); public Builder addSshKey(ScimSshKey sshKey) { @@ -100,8 +116,12 @@ public Builder addSamlId(ScimSamlId samlId) { return this; } + public Builder addCertificate(ScimX509Certificate cert){ + certificates.add(cert); + return this; + } + public ScimIndigoUser build() { - return new ScimIndigoUser(this); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimName.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimName.java index 3b38455ee..7be30895d 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimName.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimName.java @@ -13,10 +13,10 @@ public class ScimName { interface NewUserValidation { - }; + } interface UpdateUserValidation { - }; + } private final String formatted; @@ -34,7 +34,7 @@ interface UpdateUserValidation { private final String honorificSuffix; @JsonCreator - private ScimName(@JsonProperty("givenName") String givenName, + private ScimName(@JsonProperty("GIVEN_NAME") String givenName, @JsonProperty("familyName") String familyName, @JsonProperty("middleName") String middleName, @JsonProperty("honorificPrefix") String honorificPrefix, @JsonProperty("honorificSuffix") String honorificSuffix) { diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimOidcId.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimOidcId.java index 3073f353d..198bec4ee 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimOidcId.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimOidcId.java @@ -65,6 +65,37 @@ public ScimOidcId build() { } } + @Override + public int hashCode() { + int prime = 31; + int result = 1; + result = prime * result + ((issuer == null) ? 0 : issuer.hashCode()); + result = prime * result + ((subject == null) ? 0 : subject.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + ScimOidcId other = (ScimOidcId) obj; + if (issuer == null) { + if (other.issuer != null) + return false; + } else if (!issuer.equals(other.issuer)) + return false; + if (subject == null) { + if (other.subject != null) + return false; + } else if (!subject.equals(other.subject)) + return false; + return true; + } + @Override public String toString() { return "ScimOidcId [issuer=" + issuer + ", subject=" + subject + "]"; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimPatchOperation.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimPatchOperation.java index d59938568..e473f0cf4 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimPatchOperation.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimPatchOperation.java @@ -10,7 +10,7 @@ @JsonInclude(JsonInclude.Include.NON_EMPTY) public class ScimPatchOperation { - public static enum ScimPatchOperationType { + public enum ScimPatchOperationType { add, remove, replace } @@ -59,8 +59,6 @@ public static class Builder { String path; T value; - public Builder() {} - public Builder path(String path) { this.path = path; @@ -93,7 +91,7 @@ public Builder replace() { public ScimPatchOperation build() { - return new ScimPatchOperation(this); + return new ScimPatchOperation<>(this); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimPhoto.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimPhoto.java index 46e3ede9e..c6770228a 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimPhoto.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimPhoto.java @@ -19,7 +19,7 @@ public class ScimPhoto { @NotNull private final ScimPhotoType type; - public static enum ScimPhotoType { + public enum ScimPhotoType { thumbnail, photo; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimResource.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimResource.java index 0677c338b..82a3cd192 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimResource.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimResource.java @@ -77,7 +77,7 @@ public boolean equals(Object obj) { return true; } - public static abstract class Builder { + public abstract static class Builder { protected String externalid; protected String id; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimSamlId.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimSamlId.java index b1810af82..ab297dc96 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimSamlId.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimSamlId.java @@ -8,6 +8,8 @@ import com.fasterxml.jackson.annotation.JsonInclude.Include; import com.fasterxml.jackson.annotation.JsonProperty; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; + @JsonInclude(Include.NON_EMPTY) public class ScimSamlId { @@ -19,11 +21,24 @@ public class ScimSamlId { @Length(max = 256) private final String userId; + @NotBlank + @Length(max = 256) + private final String attributeId; + @JsonCreator - private ScimSamlId(@JsonProperty("idpId") String idpId, @JsonProperty("userId") String userId) { + private ScimSamlId(@JsonProperty("idpId") String idpId, @JsonProperty("userId") String userId, + @JsonProperty("attributeId") String attributeId) { this.userId = userId; this.idpId = idpId; + this.attributeId = attributeId; + } + + private ScimSamlId(Builder b) { + + this.idpId = b.idpId; + this.userId = b.userId; + this.attributeId = b.attributeId; } public String getUserId() { @@ -36,10 +51,8 @@ public String getIdpId() { return idpId; } - private ScimSamlId(Builder b) { - - this.idpId = b.idpId; - this.userId = b.userId; + public String getAttributeId() { + return attributeId; } public static Builder builder() { @@ -47,10 +60,42 @@ public static Builder builder() { return new Builder(); } + @Override + public int hashCode() { + int prime = 31; + int result = 1; + result = prime * result + ((idpId == null) ? 0 : idpId.hashCode()); + result = prime * result + ((userId == null) ? 0 : userId.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + ScimSamlId other = (ScimSamlId) obj; + if (idpId == null) { + if (other.idpId != null) + return false; + } else if (!idpId.equals(other.idpId)) + return false; + if (userId == null) { + if (other.userId != null) + return false; + } else if (!userId.equals(other.userId)) + return false; + return true; + } + public static class Builder { private String idpId; private String userId; + private String attributeId = Saml2Attribute.EPUID.getAttributeName(); public Builder idpId(String idpId) { @@ -64,6 +109,11 @@ public Builder userId(String userId) { return this; } + public Builder attributeId(String attributeId) { + this.attributeId = attributeId; + return this; + } + public ScimSamlId build() { return new ScimSamlId(this); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimSshKey.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimSshKey.java index 8ac5692d1..6a467df24 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimSshKey.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimSshKey.java @@ -76,10 +76,6 @@ public static class Builder { private Boolean primary; private String fingerprint; - public Builder() { - - } - public Builder display(String display) { this.display = display; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUser.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUser.java index 644cb418b..5e4e1675b 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUser.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUser.java @@ -23,10 +23,10 @@ public class ScimUser extends ScimResource { public interface NewUserValidation { - }; + } public interface UpdateUserValidation { - }; + } public static final String USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"; public static final String RESOURCE_TYPE = "User"; @@ -56,10 +56,10 @@ public interface UpdateUserValidation { private final List addresses; private final List photos; - private final List x509Certificates; private final Set groups; + @Valid private final ScimIndigoUser indigoUser; @JsonCreator @@ -98,8 +98,6 @@ private ScimUser(@JsonProperty("id") String id, @JsonProperty("externalId") Stri this.groups = groups; this.addresses = addresses; this.indigoUser = indigoUser; - this.x509Certificates = x509Certificates; - } private ScimUser(Builder b) { @@ -118,7 +116,6 @@ private ScimUser(Builder b) { this.active = b.active; this.emails = b.emails; this.addresses = b.addresses; - this.x509Certificates = b.x509Certificates; this.indigoUser = b.indigoUser; this.groups = b.groups; this.password = b.password; @@ -208,11 +205,6 @@ public List getAddresses() { return addresses; } - public List getX509Certificates() { - - return x509Certificates; - } - @JsonProperty(value = ScimConstants.INDIGO_USER_SCHEMA) public ScimIndigoUser getIndigoUser() { @@ -226,7 +218,8 @@ public Set getGroups() { public boolean hasX509Certificates() { - return x509Certificates != null && !x509Certificates.isEmpty(); + return indigoUser != null && indigoUser.getCertificates() != null + && !indigoUser.getCertificates().isEmpty(); } public boolean hasOidcIds() { @@ -282,11 +275,10 @@ public static class Builder extends ScimResource.Builder { private String timezone; private Boolean active; - private List emails = new ArrayList(); - private Set groups = new LinkedHashSet(); - private List addresses = new ArrayList(); - private List photos = new ArrayList(); - private List x509Certificates = new ArrayList(); + private List emails = new ArrayList<>(); + private Set groups = new LinkedHashSet<>(); + private List addresses = new ArrayList<>(); + private List photos = new ArrayList<>(); private ScimIndigoUser indigoUser; public Builder() { @@ -441,14 +433,12 @@ public Builder addX509Certificate(ScimX509Certificate scimX509Certificate) { Preconditions.checkNotNull(scimX509Certificate, "Null x509 certificate"); - x509Certificates.add(scimX509Certificate); - return this; - } - - public Builder buildX509Certificate(String display, String value, Boolean isPrimary) { + if (indigoUser == null) { + indigoUser = ScimIndigoUser.builder().addCertificate(scimX509Certificate).build(); + } else { + indigoUser.getCertificates().add(scimX509Certificate); + } - addX509Certificate( - ScimX509Certificate.builder().display(display).value(value).primary(isPrimary).build()); return this; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUserPatchRequest.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUserPatchRequest.java index fae4718db..efe621a9b 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUserPatchRequest.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUserPatchRequest.java @@ -12,7 +12,6 @@ import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.annotation.JsonInclude.Include; - import com.fasterxml.jackson.annotation.JsonProperty; import com.google.common.base.Preconditions; @@ -59,9 +58,9 @@ public static Builder builder() { public static class Builder { - private Set schemas = new HashSet(); + private Set schemas = new HashSet<>(); private List> operations = - new ArrayList>(); + new ArrayList<>(); public Builder() { schemas.add(PATCHOP_SCHEMA); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimX509Certificate.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimX509Certificate.java index 72746fd66..9b98ab16a 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimX509Certificate.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimX509Certificate.java @@ -1,91 +1,149 @@ package it.infn.mw.iam.api.scim.model; +import java.util.Date; + import org.hibernate.validator.constraints.Length; -import org.hibernate.validator.constraints.NotBlank; import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.annotation.JsonProperty; -import com.fasterxml.jackson.annotation.JsonInclude.Include; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; + +import it.infn.mw.iam.api.scim.controller.utils.JsonDateSerializer; -@JsonInclude(Include.NON_EMPTY) +@JsonInclude(JsonInclude.Include.NON_EMPTY) public class ScimX509Certificate { @Length(max = 36) private final String display; - + private final Boolean primary; + + @Length(max = 128) + private final String subjectDn; + + @Length(max = 128) + private final String issuerDn; + + private final String pemEncodedCertificate; - @NotBlank - private final String value; + @JsonSerialize(using = JsonDateSerializer.class) + private final Date created; + + @JsonSerialize(using = JsonDateSerializer.class) + private final Date lastModified; @JsonCreator - private ScimX509Certificate(@JsonProperty("display") String display, - @JsonProperty("primary") Boolean primary, @JsonProperty("value") String value) { + private ScimX509Certificate(@JsonProperty("label") String display, @JsonProperty("primary") Boolean primary, + @JsonProperty("subjectDn") String subjectDn, + @JsonProperty("issuerDn") String issuerDn, + @JsonProperty("pemEncodedCertificate") String pemEncodedCertificate) { this.display = display; - this.value = value; this.primary = primary; + this.subjectDn = subjectDn; + this.issuerDn = issuerDn; + this.pemEncodedCertificate = pemEncodedCertificate; + this.created = this.lastModified = null; } - public String getDisplay() { + private ScimX509Certificate(Builder b) { + this.display = b.display; + this.primary = b.primary; + this.subjectDn = b.subjectDn; + this.issuerDn = b.issuerDn; + this.created = b.created; + this.lastModified = b.lastModified; + this.pemEncodedCertificate = b.pemEncodedCertificate; + } + public String getDisplay() { return display; } - public String getValue() { - - return value; + public Boolean getPrimary() { + return primary; } - public Boolean isPrimary() { - - return primary; + public String getSubjectDn() { + return subjectDn; } - private ScimX509Certificate(Builder b) { + public String getPemEncodedCertificate() { + return pemEncodedCertificate; + } - this.display = b.display; - this.value = b.value; - this.primary = b.primary; + public String getIssuerDn() { + return issuerDn; } - public static Builder builder() { + public Date getCreated() { + return created; + } - return new Builder(); + public Date getLastModified() { + return lastModified; } + public static class Builder { private String display; - private String value; + + private String subjectDn; + + private String issuerDn; + private Boolean primary; - public Builder() { + private String pemEncodedCertificate; - } + private Date created; - public Builder display(String display) { + private Date lastModified; + public Builder display(String display) { this.display = display; return this; } - public Builder value(String value) { + public Builder primary(Boolean primary) { - this.value = value; + this.primary = primary; return this; } - public Builder primary(Boolean primary) { + public Builder subjectDn(String subjectDn) { + this.subjectDn = subjectDn; + return this; + } - this.primary = primary; + public Builder issuerDn(String issuerDn) { + this.issuerDn = issuerDn; return this; } - public ScimX509Certificate build() { + public Builder created(Date created) { + this.created = created; + return this; + } + public Builder lastModified(Date lastModified) { + this.lastModified = lastModified; + return this; + } + + public Builder pemEncodedCertificate(String certificate) { + this.pemEncodedCertificate = certificate; + return this; + } + + public ScimX509Certificate build() { return new ScimX509Certificate(this); } } + + public static Builder builder() { + return new Builder(); + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimGroupProvisioning.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimGroupProvisioning.java index b733d605f..db0e1d6d5 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimGroupProvisioning.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimGroupProvisioning.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.api.scim.provisioning; +import static java.lang.String.format; + import java.util.ArrayList; import java.util.Collections; import java.util.Date; @@ -14,6 +16,8 @@ import org.springframework.data.domain.Page; import org.springframework.stereotype.Service; +import com.google.common.base.Strings; + import it.infn.mw.iam.api.scim.converter.GroupConverter; import it.infn.mw.iam.api.scim.exception.IllegalArgumentException; import it.infn.mw.iam.api.scim.exception.ScimException; @@ -31,7 +35,6 @@ import it.infn.mw.iam.audit.events.group.GroupCreatedEvent; import it.infn.mw.iam.audit.events.group.GroupRemovedEvent; import it.infn.mw.iam.audit.events.group.GroupReplacedEvent; -import it.infn.mw.iam.audit.events.group.GroupUpdatedEvent; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamGroup; import it.infn.mw.iam.persistence.repository.IamAccountRepository; @@ -41,6 +44,9 @@ public class ScimGroupProvisioning implements ScimProvisioning>, ApplicationEventPublisherAware { + private static final int GROUP_NAME_MAX_LENGTH = 50; + private static final int GROUP_FULLNAME_MAX_LENGTH = 512; + private final IamGroupRepository groupRepository; private final IamAccountRepository accountRepository; @@ -91,6 +97,8 @@ public ScimGroup getById(String id) { @Override public ScimGroup create(ScimGroup group) { + displayNameSanityChecks(group.getDisplayName()); + IamGroup iamGroup = new IamGroup(); Date creationTime = new Date(); @@ -100,35 +108,35 @@ public ScimGroup create(ScimGroup group) { iamGroup.setName(group.getDisplayName()); iamGroup.setCreationTime(creationTime); iamGroup.setLastUpdateTime(creationTime); - iamGroup.setAccounts(new HashSet()); + iamGroup.setAccounts(new HashSet<>()); iamGroup.setChildrenGroups(new HashSet<>()); - if (groupRepository.findByName(group.getDisplayName()).isPresent()) { - throw new ScimResourceExistsException("Duplicated group '" + group.getDisplayName() + "'"); - } - IamGroup iamParentGroup = null; if (group.getIndigoGroup().getParentGroup() != null) { String parentGroupUuid = group.getIndigoGroup().getParentGroup().getValue(); + String parentGroupName = group.getIndigoGroup().getParentGroup().getDisplay(); iamParentGroup = groupRepository.findByUuid(parentGroupUuid) .orElseThrow(() -> new ScimResourceNotFoundException( String.format("Parent group '%s' not found", parentGroupUuid))); + String fullName = String.format("%s/%s", parentGroupName, group.getDisplayName()); + fullNameSanityChecks(fullName); + iamGroup.setParentGroup(iamParentGroup); + iamGroup.setName(fullName); Set children = iamParentGroup.getChildrenGroups(); children.add(iamGroup); } groupRepository.save(iamGroup); + if (iamParentGroup != null) { groupRepository.save(iamParentGroup); - eventPublisher.publishEvent( - new GroupCreatedEvent(this, iamGroup, "Group created with name " + iamParentGroup.getName())); } - + eventPublisher.publishEvent( new GroupCreatedEvent(this, iamGroup, "Group created with name " + iamGroup.getName())); @@ -169,9 +177,10 @@ public ScimGroup replace(String id, ScimGroup scimItemToBeReplaced) { /* displayname is required */ String displayName = scimItemToBeReplaced.getDisplayName(); + displayNameSanityChecks(displayName); if (!isGroupNameAvailable(displayName, id)) { - throw new ScimResourceExistsException(displayName + " is already mappped to another group"); + throw new ScimResourceExistsException(displayName + " is already mapped to another group"); } IamGroup updatedGroup = converter.fromScim(scimItemToBeReplaced); @@ -235,6 +244,7 @@ private void executePatchOperation(IamGroup group, ScimPatchOperation updaters = groupUpdaterFactory.getUpdatersForPatchOperation(group, op); + List updatesToPublish = new ArrayList<>(); boolean hasChanged = false; @@ -244,9 +254,7 @@ private void executePatchOperation(IamGroup group, ScimPatchOperation> op) { if (op.getPath() == null || op.getPath().isEmpty()) { throw new ScimPatchOperationNotSupported("empty path value is not currently supported"); } - if (op.getPath().equals("members")) { + if ("members".equals(op.getPath())) { return; } throw new ScimPatchOperationNotSupported( "path value " + op.getPath() + " is not currently supported"); } + private void displayNameSanityChecks(String displayName) { + if (Strings.isNullOrEmpty(displayName)) { + throw new IllegalArgumentException("Group displayName cannot be empty"); + } + + if (displayName.contains("/")) { + throw new IllegalArgumentException("Group displayName cannot contain a slash character"); + } + + if (displayName.length() > GROUP_NAME_MAX_LENGTH) { + throw new IllegalArgumentException( + format("Group name length cannot be higher than %d characters", GROUP_NAME_MAX_LENGTH)); + } + } + + private void fullNameSanityChecks(String displayName) { + if (displayName.length() > GROUP_FULLNAME_MAX_LENGTH) { + throw new IllegalArgumentException( + format("Group displayName length cannot be higher than %d characters", + GROUP_FULLNAME_MAX_LENGTH)); + } + + if (groupRepository.findByName(displayName).isPresent()) { + throw new ScimResourceExistsException(format("Duplicated group '%s'", displayName)); + } + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimQuery.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimQuery.java index e6acfa575..dee9c9388 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimQuery.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimQuery.java @@ -4,7 +4,7 @@ public interface ScimQuery extends ScimPageRequest { - public static enum SortOrder { + public enum SortOrder { ascending, descending; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimUserProvisioning.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimUserProvisioning.java index 92ace1b0a..1693ef720 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimUserProvisioning.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimUserProvisioning.java @@ -19,10 +19,8 @@ import java.util.ArrayList; import java.util.Collections; -import java.util.Date; import java.util.EnumSet; import java.util.List; -import java.util.UUID; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationEventPublisher; @@ -31,15 +29,12 @@ import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.stereotype.Service; -import com.google.common.base.Preconditions; - import it.infn.mw.iam.api.scim.converter.OidcIdConverter; import it.infn.mw.iam.api.scim.converter.SamlIdConverter; import it.infn.mw.iam.api.scim.converter.SshKeyConverter; import it.infn.mw.iam.api.scim.converter.UserConverter; import it.infn.mw.iam.api.scim.converter.X509CertificateConverter; import it.infn.mw.iam.api.scim.exception.IllegalArgumentException; -import it.infn.mw.iam.api.scim.exception.ScimException; import it.infn.mw.iam.api.scim.exception.ScimPatchOperationNotSupported; import it.infn.mw.iam.api.scim.exception.ScimResourceExistsException; import it.infn.mw.iam.api.scim.exception.ScimResourceNotFoundException; @@ -51,45 +46,40 @@ import it.infn.mw.iam.api.scim.updater.AccountUpdater; import it.infn.mw.iam.api.scim.updater.UpdaterType; import it.infn.mw.iam.api.scim.updater.factory.DefaultAccountUpdaterFactory; -import it.infn.mw.iam.audit.events.account.AccountCreatedEvent; -import it.infn.mw.iam.audit.events.account.AccountRemovedEvent; import it.infn.mw.iam.audit.events.account.AccountReplacedEvent; -import it.infn.mw.iam.audit.events.account.AccountUpdatedEvent; +import it.infn.mw.iam.core.user.IamAccountService; +import it.infn.mw.iam.core.user.exception.CredentialAlreadyBoundException; +import it.infn.mw.iam.core.user.exception.UserAlreadyExistsException; import it.infn.mw.iam.persistence.model.IamAccount; -import it.infn.mw.iam.persistence.model.IamOidcId; -import it.infn.mw.iam.persistence.model.IamSamlId; -import it.infn.mw.iam.persistence.model.IamSshKey; -import it.infn.mw.iam.persistence.model.IamX509Certificate; import it.infn.mw.iam.persistence.repository.IamAccountRepository; -import it.infn.mw.iam.persistence.repository.IamAuthoritiesRepository; @Service public class ScimUserProvisioning implements ScimProvisioning, ApplicationEventPublisherAware { - public static final EnumSet SUPPORTED_UPDATER_TYPES = EnumSet.of(ACCOUNT_ADD_OIDC_ID, + protected static final EnumSet SUPPORTED_UPDATER_TYPES = EnumSet.of(ACCOUNT_ADD_OIDC_ID, ACCOUNT_REMOVE_OIDC_ID, ACCOUNT_ADD_SAML_ID, ACCOUNT_REMOVE_SAML_ID, ACCOUNT_ADD_SSH_KEY, ACCOUNT_REMOVE_SSH_KEY, ACCOUNT_ADD_X509_CERTIFICATE, ACCOUNT_REMOVE_X509_CERTIFICATE, ACCOUNT_REPLACE_ACTIVE, ACCOUNT_REPLACE_EMAIL, ACCOUNT_REPLACE_FAMILY_NAME, ACCOUNT_REPLACE_GIVEN_NAME, ACCOUNT_REPLACE_PASSWORD, ACCOUNT_REPLACE_PICTURE, ACCOUNT_REPLACE_USERNAME, ACCOUNT_REMOVE_PICTURE); + private final IamAccountService accountService; private final IamAccountRepository accountRepository; - private final IamAuthoritiesRepository authorityRepository; + private final DefaultAccountUpdaterFactory updatersFactory; - private final PasswordEncoder passwordEncoder; + private final UserConverter userConverter; private ApplicationEventPublisher eventPublisher; @Autowired - public ScimUserProvisioning(IamAccountRepository accountRepository, - IamAuthoritiesRepository authorityRepository, PasswordEncoder passwordEncoder, + public ScimUserProvisioning(IamAccountService accountService, + IamAccountRepository accountRepository, PasswordEncoder passwordEncoder, UserConverter userConverter, OidcIdConverter oidcIdConverter, SamlIdConverter samlIdConverter, SshKeyConverter sshKeyConverter, X509CertificateConverter x509CertificateConverter) { + this.accountService = accountService; this.accountRepository = accountRepository; - this.authorityRepository = authorityRepository; - this.passwordEncoder = passwordEncoder; this.userConverter = userConverter; this.updatersFactory = new DefaultAccountUpdaterFactory(passwordEncoder, accountRepository, oidcIdConverter, samlIdConverter, sshKeyConverter, x509CertificateConverter); @@ -130,165 +120,24 @@ public void delete(final String id) { IamAccount account = accountRepository.findByUuid(id) .orElseThrow(() -> new ScimResourceNotFoundException("No user mapped to id '" + id + "'")); - accountRepository.delete(account); - - eventPublisher.publishEvent( - new AccountRemovedEvent(this, account, "Removed account for user " + account.getUsername())); - } - - private void checkForDuplicates(ScimUser user) throws ScimResourceExistsException { - - Preconditions.checkNotNull(user.getEmails()); - Preconditions.checkNotNull(user.getEmails().get(0)); - Preconditions.checkNotNull(user.getEmails().get(0).getValue()); - - accountRepository.findByUsername(user.getUserName()).ifPresent(a -> { - throw new ScimResourceExistsException("userName is already taken: " + a.getUsername()); - }); - - accountRepository.findByEmail(user.getEmails().get(0).getValue()).ifPresent(a -> { - throw new ScimResourceExistsException( - "email already assigned to an existing user: " + a.getUserInfo().getEmail()); - }); + accountService.deleteAccount(account); + } - public IamAccount createAccount(final ScimUser user) { - - checkForDuplicates(user); - - final Date creationTime = new Date(); - final String uuid = UUID.randomUUID().toString(); - - IamAccount account = userConverter.fromScim(user); - account.setUuid(uuid); - account.setCreationTime(creationTime); - account.setLastUpdateTime(creationTime); - account.setUsername(user.getUserName()); - - if (user.getActive() != null) { - account.setActive(user.getActive()); - } else { - /* if no active status is specified, disable user */ - account.setActive(false); - } - - /* users created via SCIM are set with email-verified as true */ - account.getUserInfo().setEmailVerified(true); - - if (account.getPassword() == null) { - account.setPassword(UUID.randomUUID().toString()); - } - - account.setPassword(passwordEncoder.encode(account.getPassword())); - - authorityRepository.findByAuthority("ROLE_USER") - .map(a -> account.getAuthorities().add(a)) - .orElseThrow( - () -> new IllegalStateException("ROLE_USER not found in database. This is a bug")); - - if (account.hasX509Certificates()) { - - account.getX509Certificates().forEach(cert -> checkX509CertificateNotExists(cert)); - - long count = account.getX509Certificates().stream().filter(cert -> cert.isPrimary()).count(); - - if (count > 1) { - - throw new ScimException("Too many primary x509 certificates provided!"); - } - - if (count == 0) { - - account.getX509Certificates().stream().findFirst().get().setPrimary(true); - } - } - - if (account.hasOidcIds()) { - - account.getOidcIds().forEach(oidcId -> checkOidcIdNotAlreadyBounded(oidcId)); - } - - if (account.hasSshKeys()) { - - account.getSshKeys().forEach(sshKey -> checkSshKeyNotExists(sshKey)); - - long count = account.getSshKeys().stream().filter(sshKey -> sshKey.isPrimary()).count(); - - if (count > 1) { - - throw new ScimException("Too many primary ssh keys provided!"); - } - - if (count == 0) { - - account.getSshKeys().stream().findFirst().get().setPrimary(true); - } - } - - if (account.hasSamlIds()) { - - account.getSamlIds().forEach(samlId -> checkSamlIdNotAlreadyBounded(samlId)); - } - - accountRepository.save(account); - - eventPublisher.publishEvent( - new AccountCreatedEvent(this, account, "Account created for user " + account.getUsername())); - - return account; - } @Override public ScimUser create(final ScimUser user) { - IamAccount account = createAccount(user); - - return userConverter.toScim(account); - } + IamAccount newAccount = userConverter.fromScim(user); - private void checkX509CertificateNotExists(IamX509Certificate cert) { - - if (accountRepository.findByCertificate(cert.getCertificate()).isPresent()) { - - throw new ScimResourceExistsException( - String.format("X509 Certificate %s is already mapped to a user", cert.getCertificate())); + try { + IamAccount account = accountService.createAccount(newAccount); + return userConverter.toScim(account); + } catch (CredentialAlreadyBoundException | UserAlreadyExistsException e) { + throw new ScimResourceExistsException(e.getMessage(),e); } } - private void checkOidcIdNotAlreadyBounded(IamOidcId oidcId) { - - Preconditions.checkNotNull(oidcId); - Preconditions.checkNotNull(oidcId.getIssuer()); - Preconditions.checkNotNull(oidcId.getSubject()); - accountRepository.findByOidcId(oidcId.getIssuer(), oidcId.getSubject()).ifPresent(account -> { - throw new ScimResourceExistsException( - String.format("OIDC id (%s,%s) already bounded to another user", oidcId.getIssuer(), - oidcId.getSubject())); - }); - } - - private void checkSshKeyNotExists(IamSshKey sshKey) { - - Preconditions.checkNotNull(sshKey); - Preconditions.checkNotNull(sshKey.getValue()); - accountRepository.findBySshKeyValue(sshKey.getValue()).ifPresent(account -> { - throw new ScimResourceExistsException( - String.format("Ssh key (%s) already bounded to another user", sshKey.getValue())); - }); - } - - private void checkSamlIdNotAlreadyBounded(IamSamlId samlId) { - - Preconditions.checkNotNull(samlId); - Preconditions.checkNotNull(samlId.getIdpId()); - Preconditions.checkNotNull(samlId.getUserId()); - accountRepository.findBySamlId(samlId.getIdpId(), samlId.getUserId()).ifPresent(account -> { - throw new ScimResourceExistsException( - String.format("SAML id (%s,%s) already bounded to another user", samlId.getIdpId(), - samlId.getUserId())); - }); - } - @Override public ScimListResponse list(final ScimPageRequest params) { @@ -342,10 +191,6 @@ public ScimUser replace(final String uuid, final ScimUser scimItemToBeUpdated) { updatedAccount.setActive(existingAccount.isActive()); } - if (scimItemToBeUpdated.getPassword() != null) { - - } - updatedAccount.touch(); accountRepository.save(updatedAccount); @@ -360,23 +205,31 @@ public ScimUser replace(final String uuid, final ScimUser scimItemToBeUpdated) { private void executePatchOperation(IamAccount account, ScimPatchOperation op) { List updaters = updatersFactory.getUpdatersForPatchOperation(account, op); + List updatesToPublish = new ArrayList<>(); - boolean hasChanged = false; + boolean oneUpdaterChangedAccount = false; for (AccountUpdater u : updaters) { if (!SUPPORTED_UPDATER_TYPES.contains(u.getType())) { throw new ScimPatchOperationNotSupported(u.getType().getDescription() + " not supported"); } - hasChanged |= u.update(); - eventPublisher.publishEvent(new AccountUpdatedEvent(this, account, u.getType(), - String.format("Updated account information for user %s", account.getUsername()))); + boolean lastUpdaterChangedAccount = u.update(); + + oneUpdaterChangedAccount |= lastUpdaterChangedAccount; + + if (lastUpdaterChangedAccount) { + updatesToPublish.add(u); + } } - if (hasChanged) { + if (oneUpdaterChangedAccount) { account.touch(); accountRepository.save(account); + for (AccountUpdater u : updatesToPublish) { + u.publishUpdateEvent(this, eventPublisher); + } } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountEventBuilder.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountEventBuilder.java new file mode 100644 index 000000000..f93247c1f --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountEventBuilder.java @@ -0,0 +1,11 @@ +package it.infn.mw.iam.api.scim.updater; + +import it.infn.mw.iam.audit.events.account.AccountEvent; +import it.infn.mw.iam.persistence.model.IamAccount; + +@FunctionalInterface +public interface AccountEventBuilder { + + E buildEvent(Object source, IamAccount account, T newValue); + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountEventPublisher.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountEventPublisher.java new file mode 100644 index 000000000..04a85afba --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountEventPublisher.java @@ -0,0 +1,9 @@ +package it.infn.mw.iam.api.scim.updater; + +import org.springframework.context.ApplicationEventPublisher; + +@FunctionalInterface +public interface AccountEventPublisher { + + void publishAccountEvent(Object source, ApplicationEventPublisher publisher); +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountUpdaterFactory.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountUpdaterFactory.java index 620402f73..8ede9c9e1 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountUpdaterFactory.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/AccountUpdaterFactory.java @@ -7,12 +7,13 @@ /** * Builds a list of {@link AccountUpdater} objects linked to a patch operation */ -public interface AccountUpdaterFactory { +@FunctionalInterface +public interface AccountUpdaterFactory { /** * * @param entity @param u @return */ - List getUpdatersForPatchOperation(EntityType entity, ScimPatchOperation u); + List getUpdatersForPatchOperation(E entity, ScimPatchOperation u); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/DefaultAccountUpdater.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/DefaultAccountUpdater.java index 47ca10375..1e53034fb 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/DefaultAccountUpdater.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/DefaultAccountUpdater.java @@ -4,22 +4,29 @@ import java.util.function.Predicate; import java.util.function.Supplier; +import org.springframework.context.ApplicationEventPublisher; + +import it.infn.mw.iam.audit.events.account.AccountEvent; import it.infn.mw.iam.persistence.model.IamAccount; -public class DefaultAccountUpdater extends DefaultUpdater implements AccountUpdater { +public class DefaultAccountUpdater extends DefaultUpdater + implements AccountUpdater { private final IamAccount account; - - public DefaultAccountUpdater(IamAccount account, UpdaterType type, Supplier supplier, Consumer consumer, - T newVal) { + private final AccountEventBuilder eventBuilder; + + public DefaultAccountUpdater(IamAccount account, UpdaterType type, Supplier supplier, + Consumer consumer, T newVal, AccountEventBuilder eventBuilder) { super(type, supplier, consumer, newVal); this.account = account; + this.eventBuilder = eventBuilder; } public DefaultAccountUpdater(IamAccount account, UpdaterType type, Consumer consumer, T newVal, - Predicate predicate) { + Predicate predicate, AccountEventBuilder eventBuilder) { super(type, consumer, newVal, predicate); this.account = account; + this.eventBuilder = eventBuilder; } @Override @@ -27,4 +34,12 @@ public IamAccount getAccount() { return this.account; } + @Override + public void publishUpdateEvent(Object source, ApplicationEventPublisher publisher) { + + if (eventBuilder != null) { + publisher.publishEvent(eventBuilder.buildEvent(source, account, newValue)); + } + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/DefaultUpdater.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/DefaultUpdater.java index 646b02897..c009622e3 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/DefaultUpdater.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/DefaultUpdater.java @@ -9,7 +9,7 @@ import it.infn.mw.iam.api.scim.updater.util.NullSafeNotEqualsMatcher; -public class DefaultUpdater implements Updater { +public abstract class DefaultUpdater implements Updater { public static final Logger LOG = LoggerFactory.getLogger(DefaultUpdater.class); @@ -48,7 +48,7 @@ public boolean update() { } private static NullSafeNotEqualsMatcher nullSafeNotEqualsMatcher(Supplier supp) { - return new NullSafeNotEqualsMatcher(supp); + return new NullSafeNotEqualsMatcher<>(supp); } @Override diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/Updater.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/Updater.java index 58de85fce..3e029755a 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/Updater.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/Updater.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.api.scim.updater; +import org.springframework.context.ApplicationEventPublisher; + /** * And updater attempts to update something, and returns true if that something was actually updated * @@ -9,8 +11,11 @@ public interface Updater { /** * The updater update logic * - * @return
  • true, if the object was modified by the update
    • - *
  • false, otherwise
+ * @return + *
    + *
  • true, if the object was modified by the update
    • + *
  • false, otherwise
    • + *
*/ boolean update(); @@ -20,4 +25,6 @@ public interface Updater { * @return the updater type (see {@link UpdaterType}) */ UpdaterType getType(); + + void publishUpdateEvent(Object source, ApplicationEventPublisher publisher); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/AccountUpdaters.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/AccountUpdaters.java index 7a718a3e9..61bee03e7 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/AccountUpdaters.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/AccountUpdaters.java @@ -7,6 +7,9 @@ public class AccountUpdaters { + private AccountUpdaters() { + } + public static Adders adders(IamAccountRepository repo, PasswordEncoder encoder, IamAccount account) { return new Adders(repo, encoder, account); @@ -20,5 +23,7 @@ public static Replacers replacers(IamAccountRepository repo, PasswordEncoder enc IamAccount account) { return new Replacers(repo, encoder, account); } + + } \ No newline at end of file diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Adders.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Adders.java index 2095f9f2a..f35924cd0 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Adders.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Adders.java @@ -13,11 +13,19 @@ import org.springframework.security.crypto.password.PasswordEncoder; +import com.google.common.base.Strings; + +import it.infn.mw.iam.api.scim.exception.IllegalArgumentException; import it.infn.mw.iam.api.scim.exception.ScimResourceExistsException; import it.infn.mw.iam.api.scim.updater.AccountUpdater; import it.infn.mw.iam.api.scim.updater.DefaultAccountUpdater; import it.infn.mw.iam.api.scim.updater.util.AccountFinder; import it.infn.mw.iam.api.scim.updater.util.IdNotBoundChecker; +import it.infn.mw.iam.audit.events.account.group.GroupMembershipAddedEvent; +import it.infn.mw.iam.audit.events.account.oidc.OidcAccountAddedEvent; +import it.infn.mw.iam.audit.events.account.saml.SamlAccountAddedEvent; +import it.infn.mw.iam.audit.events.account.ssh.SshKeyAddedEvent; +import it.infn.mw.iam.audit.events.account.x509.X509CertificateAddedEvent; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamGroup; import it.infn.mw.iam.persistence.model.IamOidcId; @@ -38,144 +46,155 @@ public class Adders extends Replacers { final AccountFinder findByOidcId; final AccountFinder findBySamlId; final AccountFinder findBySshKey; - final AccountFinder findByX509Certificate; + final AccountFinder findByX509CertificateSubject; + + public Adders(IamAccountRepository repo, PasswordEncoder encoder, IamAccount account) { + super(repo, encoder, account); + + findByOidcId = id -> repo.findByOidcId(id.getIssuer(), id.getSubject()); + findBySamlId = repo::findBySamlId; + findBySshKey = key -> repo.findBySshKeyValue(key.getValue()); + findByX509CertificateSubject = cert -> repo.findByCertificateSubject(cert.getSubjectDn()); + + oidcIdAddChecks = buildOidcIdsAddChecks(); + samlIdAddChecks = buildSamlIdsAddChecks(); + sshKeyAddChecks = buildSshKeyAddChecks(); + x509CertificateAddChecks = buildX509CertificateAddChecks(); + addMembersChecks = buildAddMembersCheck(); + } + private Predicate> buildOidcIdsAddChecks() { Predicate oidcIdNotBound = - new IdNotBoundChecker(findByOidcId, account, (id, a) -> { + new IdNotBoundChecker<>(findByOidcId, account, (id, a) -> { throw new ScimResourceExistsException( "OpenID connect account " + id + " already bound to another user"); }); Predicate> oidcIdsNotBound = c -> { c.removeIf(Objects::isNull); - c.stream().forEach(id -> oidcIdNotBound.test(id)); + c.stream().forEach(oidcIdNotBound::test); return true; }; - Predicate> oidcIdsNotOwned = c -> { - return !account.getOidcIds().containsAll(c); - }; + Predicate> oidcIdsNotOwned = c -> !account.getOidcIds().containsAll(c); return oidcIdsNotBound.and(oidcIdsNotOwned); } private Predicate> buildSamlIdsAddChecks() { + + Predicate> samlIdWellFormed = c -> { + c.removeIf(Objects::isNull); + c.stream().forEach(id -> { + if (Strings.isNullOrEmpty(id.getIdpId())) { + throw new IllegalArgumentException("idpId cannot be null or empty!"); + } + + if (Strings.isNullOrEmpty(id.getAttributeId())) { + throw new IllegalArgumentException("attributeId cannot be null or empty!"); + } + + if (Strings.isNullOrEmpty(id.getUserId())) { + throw new IllegalArgumentException("userId cannot be null or empty!"); + } + }); + + return true; + }; + Predicate samlIdNotBound = - new IdNotBoundChecker(findBySamlId, account, (id, a) -> { + new IdNotBoundChecker<>(findBySamlId, account, (id, a) -> { throw new ScimResourceExistsException( "SAML account " + id + " already bound to another user"); }); Predicate> samlIdsNotBound = c -> { - c.removeIf(Objects::isNull); - c.stream().forEach(id -> samlIdNotBound.test(id)); + c.stream().forEach(samlIdNotBound::test); return true; }; - Predicate> samlIdsNotOwned = c -> { - return !account.getSamlIds().containsAll(c); - }; + Predicate> samlIdsNotOwned = c -> !account.getSamlIds().containsAll(c); - return samlIdsNotBound.and(samlIdsNotOwned); + return samlIdWellFormed.and(samlIdsNotBound.and(samlIdsNotOwned)); } private Predicate> buildSshKeyAddChecks() { Predicate sshKeyNotBound = - new IdNotBoundChecker(findBySshKey, account, (key, a) -> { + new IdNotBoundChecker<>(findBySshKey, account, (key, a) -> { throw new ScimResourceExistsException( "SSH key '" + key.getValue() + "' already bound to another user"); }); Predicate> sshKeysNotBound = c -> { c.removeIf(Objects::isNull); - c.stream().forEach(id -> sshKeyNotBound.test(id)); + c.stream().forEach(sshKeyNotBound::test); return true; }; - Predicate> sshKeysNotOwned = c -> { - return !account.getSshKeys().containsAll(c); - }; - + Predicate> sshKeysNotOwned = c -> !account.getSshKeys().containsAll(c); return sshKeysNotBound.and(sshKeysNotOwned); } private Predicate> buildX509CertificateAddChecks() { Predicate x509CertificateNotBound = - new IdNotBoundChecker(findByX509Certificate, account, (cert, a) -> { - throw new ScimResourceExistsException( - "X509 Certificate " + cert.getCertificate() + "' already bound to another user"); + new IdNotBoundChecker<>(findByX509CertificateSubject, account, (cert, a) -> { + throw new ScimResourceExistsException("X509 certificate with subject '" + + cert.getSubjectDn() + "' is already bound to another user"); }); Predicate> x509CertificatesNotBound = c -> { c.removeIf(Objects::isNull); - c.stream().forEach(id -> x509CertificateNotBound.test(id)); + c.stream().forEach(x509CertificateNotBound::test); return true; }; - Predicate> x509CertificatesNotOwned = c -> { - return !account.getX509Certificates().containsAll(c); - }; - + Predicate> x509CertificatesNotOwned = + c -> !account.getX509Certificates().containsAll(c); return x509CertificatesNotBound.and(x509CertificatesNotOwned); } private Predicate> buildAddMembersCheck() { - - Predicate> notAlreadyMember = a -> { - return !account.getGroups().containsAll(a); - }; - - return notAlreadyMember; - } - - public Adders(IamAccountRepository repo, PasswordEncoder encoder, IamAccount account) { - super(repo, encoder, account); - - findByOidcId = id -> repo.findByOidcId(id.getIssuer(), id.getSubject()); - findBySamlId = id -> repo.findBySamlId(id.getIdpId(), id.getUserId()); - findBySshKey = key -> repo.findBySshKeyValue(key.getValue()); - findByX509Certificate = cert -> repo.findByCertificate(cert.getCertificate()); - - oidcIdAddChecks = buildOidcIdsAddChecks(); - samlIdAddChecks = buildSamlIdsAddChecks(); - sshKeyAddChecks = buildSshKeyAddChecks(); - x509CertificateAddChecks = buildX509CertificateAddChecks(); - addMembersChecks = buildAddMembersCheck(); + return a -> !account.getGroups().containsAll(a); } public AccountUpdater oidcId(Collection newOidcIds) { - return new DefaultAccountUpdater>(account, ACCOUNT_ADD_OIDC_ID, - account::linkOidcIds, newOidcIds, oidcIdAddChecks); + return new DefaultAccountUpdater, OidcAccountAddedEvent>(account, + ACCOUNT_ADD_OIDC_ID, account::linkOidcIds, newOidcIds, oidcIdAddChecks, + OidcAccountAddedEvent::new); } public AccountUpdater samlId(Collection newSamlIds) { - return new DefaultAccountUpdater>(account, ACCOUNT_ADD_SAML_ID, - account::linkSamlIds, newSamlIds, samlIdAddChecks); + return new DefaultAccountUpdater, SamlAccountAddedEvent>(account, + ACCOUNT_ADD_SAML_ID, account::linkSamlIds, newSamlIds, samlIdAddChecks, + SamlAccountAddedEvent::new); } public AccountUpdater sshKey(Collection newSshKeys) { - return new DefaultAccountUpdater>(account, ACCOUNT_ADD_SSH_KEY, - account::linkSshKeys, newSshKeys, sshKeyAddChecks); + return new DefaultAccountUpdater, SshKeyAddedEvent>(account, + ACCOUNT_ADD_SSH_KEY, account::linkSshKeys, newSshKeys, sshKeyAddChecks, + SshKeyAddedEvent::new); } public AccountUpdater x509Certificate(Collection newX509Certificates) { - return new DefaultAccountUpdater>(account, ACCOUNT_ADD_X509_CERTIFICATE, - account::linkX509Certificates, newX509Certificates, x509CertificateAddChecks); + return new DefaultAccountUpdater, X509CertificateAddedEvent>( + account, ACCOUNT_ADD_X509_CERTIFICATE, account::linkX509Certificates, newX509Certificates, + x509CertificateAddChecks, X509CertificateAddedEvent::new); } public AccountUpdater group(Collection groups) { - return new DefaultAccountUpdater>(account, ACCOUNT_ADD_GROUP_MEMBERSHIP, - account::linkMembers, groups, addMembersChecks); + return new DefaultAccountUpdater, GroupMembershipAddedEvent>(account, + ACCOUNT_ADD_GROUP_MEMBERSHIP, account::linkMembers, groups, addMembersChecks, + GroupMembershipAddedEvent::new); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Removers.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Removers.java index 77d230a03..ac64246c1 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Removers.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Removers.java @@ -12,6 +12,12 @@ import it.infn.mw.iam.api.scim.updater.AccountUpdater; import it.infn.mw.iam.api.scim.updater.DefaultAccountUpdater; +import it.infn.mw.iam.audit.events.account.PictureRemovedEvent; +import it.infn.mw.iam.audit.events.account.group.GroupMembershipRemovedEvent; +import it.infn.mw.iam.audit.events.account.oidc.OidcAccountRemovedEvent; +import it.infn.mw.iam.audit.events.account.saml.SamlAccountRemovedEvent; +import it.infn.mw.iam.audit.events.account.ssh.SshKeyRemovedEvent; +import it.infn.mw.iam.audit.events.account.x509.X509CertificateRemovedEvent; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamGroup; import it.infn.mw.iam.persistence.model.IamOidcId; @@ -22,44 +28,50 @@ import it.infn.mw.iam.persistence.repository.IamAccountRepository; public class Removers extends AccountBuilderSupport { - + public Removers(IamAccountRepository repo, IamAccount account) { super(repo, account); } public AccountUpdater oidcId(Collection toBeRemoved) { - return new DefaultAccountUpdater>(account, ACCOUNT_REMOVE_OIDC_ID, account::unlinkOidcIds, - toBeRemoved, i -> !Collections.disjoint(account.getOidcIds(), i)); + return new DefaultAccountUpdater, OidcAccountRemovedEvent>(account, + ACCOUNT_REMOVE_OIDC_ID, account::unlinkOidcIds, toBeRemoved, + i -> !Collections.disjoint(account.getOidcIds(), i), OidcAccountRemovedEvent::new); } public AccountUpdater samlId(Collection toBeRemoved) { - return new DefaultAccountUpdater>(account, ACCOUNT_REMOVE_SAML_ID, account::unlinkSamlIds, - toBeRemoved, i -> !Collections.disjoint(account.getSamlIds(), i)); + return new DefaultAccountUpdater, SamlAccountRemovedEvent>(account, + ACCOUNT_REMOVE_SAML_ID, account::unlinkSamlIds, toBeRemoved, + i -> !Collections.disjoint(account.getSamlIds(), i), SamlAccountRemovedEvent::new); } public AccountUpdater sshKey(Collection toBeRemoved) { - return new DefaultAccountUpdater>(account, ACCOUNT_REMOVE_SSH_KEY, account::unlinkSshKeys, - toBeRemoved, i -> !Collections.disjoint(account.getSshKeys(), i)); + return new DefaultAccountUpdater, SshKeyRemovedEvent>(account, + ACCOUNT_REMOVE_SSH_KEY, account::unlinkSshKeys, toBeRemoved, + i -> !Collections.disjoint(account.getSshKeys(), i), SshKeyRemovedEvent::new); } public AccountUpdater x509Certificate(Collection toBeRemoved) { - return new DefaultAccountUpdater>(account, ACCOUNT_REMOVE_X509_CERTIFICATE, - account::unlinkX509Certificates, toBeRemoved, - i -> !Collections.disjoint(account.getX509Certificates(), i)); + return new DefaultAccountUpdater, X509CertificateRemovedEvent>( + account, ACCOUNT_REMOVE_X509_CERTIFICATE, account::unlinkX509Certificates, toBeRemoved, + i -> !Collections.disjoint(account.getX509Certificates(), i), + X509CertificateRemovedEvent::new); } public AccountUpdater group(Collection toBeRemoved) { - return new DefaultAccountUpdater>(account, ACCOUNT_REMOVE_GROUP_MEMBERSHIP, account::unlinkMembers, - toBeRemoved, i -> !Collections.disjoint(account.getGroups(), i)); + return new DefaultAccountUpdater, GroupMembershipRemovedEvent>(account, + ACCOUNT_REMOVE_GROUP_MEMBERSHIP, account::unlinkMembers, toBeRemoved, + i -> !Collections.disjoint(account.getGroups(), i), GroupMembershipRemovedEvent::new); } public AccountUpdater picture(String picture) { final IamUserInfo ui = account.getUserInfo(); - return new DefaultAccountUpdater(account, ACCOUNT_REMOVE_PICTURE, ui::getPicture, ui::setPicture, null); + return new DefaultAccountUpdater(account, ACCOUNT_REMOVE_PICTURE, + ui::getPicture, ui::setPicture, null, PictureRemovedEvent::new); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Replacers.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Replacers.java index e1bb570c1..53b6b933b 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Replacers.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Replacers.java @@ -18,6 +18,13 @@ import it.infn.mw.iam.api.scim.updater.DefaultAccountUpdater; import it.infn.mw.iam.api.scim.updater.util.AccountFinder; import it.infn.mw.iam.api.scim.updater.util.IdNotBoundChecker; +import it.infn.mw.iam.audit.events.account.ActiveReplacedEvent; +import it.infn.mw.iam.audit.events.account.EmailReplacedEvent; +import it.infn.mw.iam.audit.events.account.FamilyNameReplacedEvent; +import it.infn.mw.iam.audit.events.account.GivenNameReplacedEvent; +import it.infn.mw.iam.audit.events.account.PasswordReplacedEvent; +import it.infn.mw.iam.audit.events.account.PictureReplacedEvent; +import it.infn.mw.iam.audit.events.account.UsernameReplacedEvent; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamUserInfo; import it.infn.mw.iam.persistence.repository.IamAccountRepository; @@ -36,8 +43,8 @@ public class Replacers extends AccountBuilderSupport { public Replacers(IamAccountRepository repo, PasswordEncoder encoder, IamAccount account) { super(repo, encoder, account); - findByEmail = e -> repo.findByEmail(e); - findByUsername = u -> repo.findByUsername(u); + findByEmail = repo::findByEmail; + findByUsername = repo::findByUsername; encodedPasswordSetter = t -> account.setPassword(encoder.encode(t)); encodedPasswordChecker = t -> !encoder.matches(t, account.getPassword()); emailAddChecks = buildEmailAddChecks(); @@ -47,7 +54,7 @@ public Replacers(IamAccountRepository repo, PasswordEncoder encoder, IamAccount private Predicate buildEmailAddChecks() { Predicate emailNotBound = - new IdNotBoundChecker(findByEmail, account, (e, a) -> { + new IdNotBoundChecker<>(findByEmail, account, (e, a) -> { throw new ScimResourceExistsException("Email " + e + " already bound to another user"); }); @@ -58,7 +65,7 @@ private Predicate buildEmailAddChecks() { private Predicate buildUsernameAddChecks() { Predicate usernameNotBound = - new IdNotBoundChecker(findByUsername, account, (e, a) -> { + new IdNotBoundChecker<>(findByUsername, account, (e, a) -> { throw new ScimResourceExistsException("Username " + e + " already bound to another user"); }); @@ -70,46 +77,51 @@ private Predicate buildUsernameAddChecks() { public AccountUpdater givenName(String givenName) { IamUserInfo ui = account.getUserInfo(); - return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_GIVEN_NAME, ui::getGivenName, - ui::setGivenName, givenName); + return new DefaultAccountUpdater(account, + ACCOUNT_REPLACE_GIVEN_NAME, ui::getGivenName, ui::setGivenName, givenName, + GivenNameReplacedEvent::new); } public AccountUpdater familyName(String familyName) { final IamUserInfo ui = account.getUserInfo(); - return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_FAMILY_NAME, ui::getFamilyName, - ui::setFamilyName, familyName); + return new DefaultAccountUpdater(account, + ACCOUNT_REPLACE_FAMILY_NAME, ui::getFamilyName, ui::setFamilyName, familyName, + FamilyNameReplacedEvent::new); } public AccountUpdater picture(String newPicture) { final IamUserInfo ui = account.getUserInfo(); - return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_PICTURE, ui::getPicture, ui::setPicture, - newPicture); + return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_PICTURE, + ui::getPicture, ui::setPicture, newPicture, PictureReplacedEvent::new); } public AccountUpdater email(String email) { final IamUserInfo ui = account.getUserInfo(); - return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_EMAIL, ui::setEmail, email, emailAddChecks); + return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_EMAIL, + ui::setEmail, email, emailAddChecks, EmailReplacedEvent::new); } public AccountUpdater password(String newPassword) { - return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_PASSWORD, encodedPasswordSetter, newPassword, - encodedPasswordChecker); + return new DefaultAccountUpdater(account, + ACCOUNT_REPLACE_PASSWORD, encodedPasswordSetter, newPassword, encodedPasswordChecker, + PasswordReplacedEvent::new); } public AccountUpdater username(String newUsername) { - return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_USERNAME, account::setUsername, newUsername, - usernameAddChecks); + return new DefaultAccountUpdater(account, + ACCOUNT_REPLACE_USERNAME, account::setUsername, newUsername, usernameAddChecks, + UsernameReplacedEvent::new); } public AccountUpdater active(boolean isActive) { - return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_ACTIVE, account::isActive, - account::setActive, isActive); + return new DefaultAccountUpdater(account, ACCOUNT_REPLACE_ACTIVE, + account::isActive, account::setActive, isActive, ActiveReplacedEvent::new); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/factory/DefaultAccountUpdaterFactory.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/factory/DefaultAccountUpdaterFactory.java index b442647fe..44a3a4b71 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/factory/DefaultAccountUpdaterFactory.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/factory/DefaultAccountUpdaterFactory.java @@ -17,6 +17,7 @@ import it.infn.mw.iam.api.scim.converter.SamlIdConverter; import it.infn.mw.iam.api.scim.converter.SshKeyConverter; import it.infn.mw.iam.api.scim.converter.X509CertificateConverter; +import it.infn.mw.iam.api.scim.exception.ScimPatchOperationNotSupported; import it.infn.mw.iam.api.scim.model.ScimOidcId; import it.infn.mw.iam.api.scim.model.ScimPatchOperation; import it.infn.mw.iam.api.scim.model.ScimSamlId; @@ -64,27 +65,28 @@ public DefaultAccountUpdaterFactory(PasswordEncoder encoder, IamAccountRepositor private ScimCollectionConverter sshKeyConverter(ScimUser user) { - return new ScimCollectionConverter(user.getIndigoUser()::getSshKeys, + return new ScimCollectionConverter<>(user.getIndigoUser()::getSshKeys, sshKeyConverter::fromScim); } private ScimCollectionConverter oidcIdConverter(ScimUser user) { - return new ScimCollectionConverter(user.getIndigoUser()::getOidcIds, + return new ScimCollectionConverter<>(user.getIndigoUser()::getOidcIds, oidcIdConverter::fromScim); } private ScimCollectionConverter samlIdConverter(ScimUser user) { - return new ScimCollectionConverter(user.getIndigoUser()::getSamlIds, + return new ScimCollectionConverter<>(user.getIndigoUser()::getSamlIds, samlIdConverter::fromScim); } private ScimCollectionConverter x509CertificateConverter( ScimUser user) { - return new ScimCollectionConverter( - user::getX509Certificates, x509CertificateConverter::fromScim); + return new ScimCollectionConverter<>( + user.getIndigoUser()::getCertificates, x509CertificateConverter::fromScim); } - private static AccountUpdater buildUpdater(AccountUpdaterBuilder factory, Supplier valueSupplier) { + private static AccountUpdater buildUpdater(AccountUpdaterBuilder factory, + Supplier valueSupplier) { return factory.build(valueSupplier.get()); } @@ -188,7 +190,7 @@ private void prepareReplacers(List updaters, ScimUser user, IamA @Override public List getUpdatersForPatchOperation(IamAccount account, - ScimPatchOperation op) { + ScimPatchOperation op) throws ScimPatchOperationNotSupported { final List updaters = Lists.newArrayList(); @@ -208,6 +210,11 @@ public List getUpdatersForPatchOperation(IamAccount account, prepareReplacers(updaters, user, account); } + + if (updaters.isEmpty()) { + throw new ScimPatchOperationNotSupported(op.getOp() + " operation not supported"); + } + return updaters; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/CollectionHelpers.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/CollectionHelpers.java index 8be1a190c..82b924850 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/CollectionHelpers.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/CollectionHelpers.java @@ -6,8 +6,12 @@ public class CollectionHelpers { + private CollectionHelpers() { + // This class should not be instantiated + } + public static boolean notNullOrEmpty(Collection c) { return nonNull(c) && !c.isEmpty(); } - + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/IdNotBoundChecker.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/IdNotBoundChecker.java index c7ab7d850..66db2d3f4 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/IdNotBoundChecker.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/IdNotBoundChecker.java @@ -2,6 +2,7 @@ import static com.google.common.base.Preconditions.checkNotNull; +import java.util.Optional; import java.util.function.BiConsumer; import java.util.function.Predicate; @@ -27,7 +28,9 @@ public IdNotBoundChecker(AccountFinder finder, IamAccount account, public boolean test(T id) { checkNotNull(id); - finder.find(id).ifPresent(otherAccount -> { + Optional a = finder.find(id); + + a.ifPresent(otherAccount -> { if (!otherAccount.equals(account)) { action.accept(id, account); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/ScimCollectionConverter.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/ScimCollectionConverter.java index 5d8d437c9..24fdf94ef 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/ScimCollectionConverter.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/util/ScimCollectionConverter.java @@ -28,7 +28,7 @@ public Collection get() { return supplier.get() .stream() .filter(Objects::nonNull) - .map(i -> converter.fromScim(i)) + .map(converter::fromScim) .collect(Collectors.toList()); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java new file mode 100644 index 000000000..98c25d8d7 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java @@ -0,0 +1,93 @@ +package it.infn.mw.iam.api.tokens; + +import static it.infn.mw.iam.api.tokens.Constants.ACCESS_TOKENS_ENDPOINT; + +import it.infn.mw.iam.api.account.authority.ErrorDTO; +import it.infn.mw.iam.api.tokens.exception.TokenNotFoundException; +import it.infn.mw.iam.api.tokens.model.AccessToken; +import it.infn.mw.iam.api.tokens.model.TokensListResponse; +import it.infn.mw.iam.api.tokens.service.TokenService; +import it.infn.mw.iam.api.tokens.service.paging.TokensPageRequest; +import it.infn.mw.iam.core.user.exception.IamAccountException; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpStatus; +import org.springframework.http.converter.json.MappingJacksonValue; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.transaction.annotation.Transactional; +import org.springframework.web.bind.annotation.ExceptionHandler; +import org.springframework.web.bind.annotation.PathVariable; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseStatus; +import org.springframework.web.bind.annotation.RestController; + +import java.util.Optional; + +@RestController +@Transactional +@PreAuthorize("hasRole('ADMIN')") +@RequestMapping(ACCESS_TOKENS_ENDPOINT) +public class AccessTokensController extends TokensControllerSupport { + + @Autowired + private TokenService tokenService; + + @RequestMapping(method = RequestMethod.GET, produces = CONTENT_TYPE) + public MappingJacksonValue listAccessTokens(@RequestParam(required = false) Integer count, + @RequestParam(required = false) Integer startIndex, + @RequestParam(required = false) String userId, + @RequestParam(required = false) String clientId, + @RequestParam(required = false) final String attributes) { + + TokensPageRequest pr = buildTokensPageRequest(count, startIndex); + TokensListResponse results = getFilteredList(pr, userId, clientId); + return filterAttributes(results, attributes); + } + + private TokensListResponse getFilteredList(TokensPageRequest pageRequest, + String userId, String clientId) { + + Optional user = Optional.ofNullable(userId); + Optional client = Optional.ofNullable(clientId); + + if (user.isPresent() && client.isPresent()) { + return tokenService.getTokensForClientAndUser(user.get(), client.get(), pageRequest); + } + if (user.isPresent()) { + return tokenService.getTokensForUser(user.get(), pageRequest); + } + if (client.isPresent()) { + return tokenService.getTokensForClient(client.get(), pageRequest); + } + return tokenService.getAllTokens(pageRequest); + } + + @RequestMapping(method = RequestMethod.GET, value = "/{id}", produces = CONTENT_TYPE) + public AccessToken getAccessToken(@PathVariable("id") Long id) { + + return tokenService.getTokenById(id); + } + + @RequestMapping(method = RequestMethod.DELETE, value = "/{id}") + @ResponseStatus(HttpStatus.NO_CONTENT) + public void revokeAccessToken(@PathVariable("id") Long id) { + + tokenService.revokeTokenById(id); + } + + @ResponseStatus(value = HttpStatus.NOT_FOUND) + @ExceptionHandler(TokenNotFoundException.class) + public ErrorDTO tokenNotFoundError(Exception ex) { + + return ErrorDTO.fromString(ex.getMessage()); + } + + @ResponseStatus(value = HttpStatus.INTERNAL_SERVER_ERROR) + @ExceptionHandler(IamAccountException.class) + public ErrorDTO accountNotFoundError(Exception ex) { + + return ErrorDTO.fromString(ex.getMessage()); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/Constants.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/Constants.java new file mode 100644 index 000000000..c8feeb89f --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/Constants.java @@ -0,0 +1,11 @@ +package it.infn.mw.iam.api.tokens; + +public class Constants { + + public static final String ACCESS_TOKENS_ENDPOINT = "/iam/api/access-tokens"; + public static final String REFRESH_TOKENS_ENDPOINT = "/iam/api/refresh-tokens"; + + private Constants() { + // utility class, it should not be instantiated + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/DefaultTokensResourceLocationProvider.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/DefaultTokensResourceLocationProvider.java new file mode 100644 index 000000000..29bd73271 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/DefaultTokensResourceLocationProvider.java @@ -0,0 +1,25 @@ +package it.infn.mw.iam.api.tokens; + +import static it.infn.mw.iam.api.tokens.Constants.ACCESS_TOKENS_ENDPOINT; +import static it.infn.mw.iam.api.tokens.Constants.REFRESH_TOKENS_ENDPOINT; + +import org.springframework.beans.factory.annotation.Value; +import org.springframework.stereotype.Service; + +@Service +public class DefaultTokensResourceLocationProvider implements TokensResourceLocationProvider { + + @Value("${iam.baseUrl}") + private String baseUrl; + + @Override + public String accessTokenLocation(Long accessTokenId) { + return String.format("%s%s/%d", baseUrl, ACCESS_TOKENS_ENDPOINT, accessTokenId); + } + + @Override + public String refreshTokenLocation(Long refreshTokenId) { + return String.format("%s%s/%d", baseUrl, REFRESH_TOKENS_ENDPOINT, refreshTokenId); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java new file mode 100644 index 000000000..369e26954 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java @@ -0,0 +1,94 @@ +package it.infn.mw.iam.api.tokens; + +import static it.infn.mw.iam.api.tokens.Constants.REFRESH_TOKENS_ENDPOINT; + +import it.infn.mw.iam.api.account.authority.ErrorDTO; +import it.infn.mw.iam.api.tokens.exception.TokenNotFoundException; +import it.infn.mw.iam.api.tokens.model.RefreshToken; +import it.infn.mw.iam.api.tokens.model.TokensListResponse; +import it.infn.mw.iam.api.tokens.service.TokenService; +import it.infn.mw.iam.api.tokens.service.paging.TokensPageRequest; +import it.infn.mw.iam.core.user.exception.IamAccountException; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpStatus; +import org.springframework.http.converter.json.MappingJacksonValue; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.transaction.annotation.Transactional; +import org.springframework.web.bind.annotation.ExceptionHandler; +import org.springframework.web.bind.annotation.PathVariable; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseStatus; +import org.springframework.web.bind.annotation.RestController; + +import java.util.Optional; + +@RestController +@Transactional +@PreAuthorize("hasRole('ADMIN')") +@RequestMapping(REFRESH_TOKENS_ENDPOINT) +public class RefreshTokensController extends TokensControllerSupport { + + @Autowired + private TokenService tokenService; + + @RequestMapping(method = RequestMethod.GET, produces = CONTENT_TYPE) + public MappingJacksonValue lisRefreshTokens(@RequestParam(required = false) Integer count, + @RequestParam(required = false) Integer startIndex, + @RequestParam(required = false) String userId, + @RequestParam(required = false) String clientId, + @RequestParam(required = false) final String attributes) { + + TokensPageRequest pr = buildTokensPageRequest(count, startIndex); + TokensListResponse results = getFilteredList(pr, userId, clientId); + return filterAttributes(results, attributes); + } + + private TokensListResponse getFilteredList(TokensPageRequest pageRequest, + String userId, String clientId) { + + Optional user = Optional.ofNullable(userId); + Optional client = Optional.ofNullable(clientId); + + if (user.isPresent() && client.isPresent()) { + return tokenService.getTokensForClientAndUser(user.get(), client.get(), pageRequest); + } + if (user.isPresent()) { + return tokenService.getTokensForUser(user.get(), pageRequest); + } + if (client.isPresent()) { + return tokenService.getTokensForClient(client.get(), pageRequest); + } + return tokenService.getAllTokens(pageRequest); + } + + @RequestMapping(method = RequestMethod.GET, value = "/{id}", produces = CONTENT_TYPE) + public RefreshToken getRefreshToken(@PathVariable("id") Long id) { + + return tokenService.getTokenById(id); + } + + @RequestMapping(method = RequestMethod.DELETE, value = "/{id}") + @ResponseStatus(HttpStatus.NO_CONTENT) + public void revokeRefreshToken(@PathVariable("id") Long id) { + + tokenService.revokeTokenById(id); + } + + + @ResponseStatus(value = HttpStatus.NOT_FOUND) + @ExceptionHandler(TokenNotFoundException.class) + public ErrorDTO tokenNotFoundError(Exception ex) { + + return ErrorDTO.fromString(ex.getMessage()); + } + + @ResponseStatus(value = HttpStatus.INTERNAL_SERVER_ERROR) + @ExceptionHandler(IamAccountException.class) + public ErrorDTO accountNotFoundError(Exception ex) { + + return ErrorDTO.fromString(ex.getMessage()); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/TokensControllerSupport.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/TokensControllerSupport.java new file mode 100644 index 000000000..0c9ed4745 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/TokensControllerSupport.java @@ -0,0 +1,91 @@ +package it.infn.mw.iam.api.tokens; + +import com.google.common.base.CharMatcher; +import com.google.common.base.Splitter; +import com.google.common.base.Strings; +import com.google.common.collect.Sets; + +import com.fasterxml.jackson.databind.ser.FilterProvider; +import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter; +import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider; +import it.infn.mw.iam.api.tokens.model.TokensListResponse; +import it.infn.mw.iam.api.tokens.service.paging.DefaultTokensPageRequest; +import it.infn.mw.iam.api.tokens.service.paging.TokensPageRequest; + +import org.springframework.http.converter.json.MappingJacksonValue; + +import java.util.HashSet; +import java.util.Set; + +public class TokensControllerSupport { + + public static final String CONTENT_TYPE = "application/json"; + public static final int TOKENS_MAX_PAGE_SIZE = 20; + + protected TokensPageRequest buildTokensPageRequest(Integer count, Integer startIndex) { + return buildPageRequest(count, startIndex, TOKENS_MAX_PAGE_SIZE); + } + + private TokensPageRequest buildPageRequest(Integer count, Integer startIndex, int maxPageSize) { + + int validCount = 0; + int validStartIndex = 1; + + if (count == null) { + validCount = maxPageSize; + } else { + validCount = count; + if (count < 0) { + validCount = 0; + } else if (count > maxPageSize) { + validCount = maxPageSize; + } + } + + // tokens pages index is 1-based + if (startIndex == null) { + validStartIndex = 1; + + } else { + + validStartIndex = startIndex; + if (startIndex < 1) { + validStartIndex = 1; + } + } + + return new DefaultTokensPageRequest.Builder().count(validCount) + .startIndex(validStartIndex - 1) + .build(); + } + + protected Set parseAttributes(final String attributesParameter) { + + Set result = new HashSet<>(); + if (!Strings.isNullOrEmpty(attributesParameter)) { + result = Sets.newHashSet(Splitter.on(CharMatcher.anyOf(".,")) + .trimResults() + .omitEmptyStrings() + .split(attributesParameter)); + } + result.add("id"); + return result; + } + + protected MappingJacksonValue filterAttributes(TokensListResponse result, + String attributes) { + + MappingJacksonValue wrapper = new MappingJacksonValue(result); + + if (attributes != null) { + Set includeAttributes = parseAttributes(attributes); + + FilterProvider filterProvider = new SimpleFilterProvider().addFilter("attributeFilter", + SimpleBeanPropertyFilter.filterOutAllExcept(includeAttributes)); + + wrapper.setFilters(filterProvider); + } + + return wrapper; + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/TokensResourceLocationProvider.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/TokensResourceLocationProvider.java new file mode 100644 index 000000000..e5f21686f --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/TokensResourceLocationProvider.java @@ -0,0 +1,8 @@ +package it.infn.mw.iam.api.tokens; + +public interface TokensResourceLocationProvider { + + public String accessTokenLocation(Long accessTokenId); + + public String refreshTokenLocation(Long refreshTokenId); +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/converter/TokensConverter.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/converter/TokensConverter.java new file mode 100644 index 000000000..d1762ab5f --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/converter/TokensConverter.java @@ -0,0 +1,119 @@ +package it.infn.mw.iam.api.tokens.converter; + +import it.infn.mw.iam.api.scim.converter.ScimResourceLocationProvider; +import it.infn.mw.iam.api.tokens.TokensResourceLocationProvider; +import it.infn.mw.iam.api.tokens.model.AccessToken; +import it.infn.mw.iam.api.tokens.model.ClientRef; +import it.infn.mw.iam.api.tokens.model.IdTokenRef; +import it.infn.mw.iam.api.tokens.model.RefreshToken; +import it.infn.mw.iam.api.tokens.model.UserRef; +import it.infn.mw.iam.core.user.exception.IamAccountException; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; + +import org.mitre.oauth2.model.AuthenticationHolderEntity; +import org.mitre.oauth2.model.ClientDetailsEntity; +import org.mitre.oauth2.model.OAuth2AccessTokenEntity; +import org.mitre.oauth2.model.OAuth2RefreshTokenEntity; +import org.mitre.oauth2.model.SavedUserAuthentication; +import org.mitre.oauth2.service.ClientDetailsEntityService; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public class TokensConverter { + + @Autowired + private ClientDetailsEntityService clientDetailsService; + + @Autowired + private IamAccountRepository accountRepository; + + @Autowired + private TokensResourceLocationProvider tokensResourceLocationProvider; + + @Autowired + private ScimResourceLocationProvider scimResourceLocationProvider; + + public AccessToken toAccessToken(OAuth2AccessTokenEntity at) { + + AuthenticationHolderEntity ah = at.getAuthenticationHolder(); + + ClientRef clientRef = buildClientRef(ah.getClientId()); + UserRef userRef = buildUserRef(ah.getUserAuth()); + IdTokenRef idTokenRef = buildIdTokenRef(at.getIdToken()); + + return AccessToken.builder() + .id(at.getId()) + .client(clientRef) + .expiration(at.getExpiration()) + .idToken(idTokenRef) + .scopes(at.getScope()) + .user(userRef) + .value(at.getValue()) + .build(); + } + + public RefreshToken toRefreshToken(OAuth2RefreshTokenEntity rt) { + + AuthenticationHolderEntity ah = rt.getAuthenticationHolder(); + + ClientRef clientRef = buildClientRef(ah.getClientId()); + UserRef userRef = buildUserRef(ah.getUserAuth()); + + return RefreshToken.builder() + .id(rt.getId()) + .client(clientRef) + .expiration(rt.getExpiration()) + .user(userRef) + .value(rt.getValue()) + .build(); + } + + + private ClientRef buildClientRef(String clientId) { + + if (clientId == null) { + return null; + } + + ClientDetailsEntity cd = clientDetailsService.loadClientByClientId(clientId); + + return ClientRef.builder() + .id(cd.getId()) + .clientId(cd.getClientId()) + .contacts(cd.getContacts()) + .ref(cd.getClientUri()) + .build(); + } + + private UserRef buildUserRef(SavedUserAuthentication userAuth) { + + if (userAuth == null) { + return null; + } + + String username = userAuth.getPrincipal().toString(); + + IamAccount account = accountRepository.findByUsername(username) + .orElseThrow(() -> new IamAccountException("Account for " + username + " not found")); + + return UserRef.builder() + .id(account.getUuid()) + .userName(account.getUsername()) + .ref(scimResourceLocationProvider.userLocation(account.getUuid())) + .build(); + } + + private IdTokenRef buildIdTokenRef(OAuth2AccessTokenEntity idToken) { + + if (idToken == null) { + return null; + } + + return IdTokenRef.builder() + .id(idToken.getId()) + .ref(tokensResourceLocationProvider.accessTokenLocation(idToken.getId())) + .build(); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/exception/TokenNotFoundException.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/exception/TokenNotFoundException.java new file mode 100644 index 000000000..19abe1e46 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/exception/TokenNotFoundException.java @@ -0,0 +1,21 @@ +package it.infn.mw.iam.api.tokens.exception; + +public class TokenNotFoundException extends RuntimeException { + + private final Long tokenId; + + /** + * + */ + private static final long serialVersionUID = 1L; + + public TokenNotFoundException(Long tokenId) { + super("Token with id = " + tokenId + " not found"); + this.tokenId = tokenId; + } + + public Long getTokenId() { + return tokenId; + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/AccessToken.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/AccessToken.java new file mode 100644 index 000000000..ff69225e1 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/AccessToken.java @@ -0,0 +1,151 @@ +package it.infn.mw.iam.api.tokens.model; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonFilter; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.Date; +import java.util.Set; + +@JsonInclude(JsonInclude.Include.NON_EMPTY) +@JsonFilter("attributeFilter") +public class AccessToken { + + private Long id; + private String value; + private Set scopes; + private Date expiration; + private ClientRef client; + private UserRef user; + private IdTokenRef idToken; + + @JsonCreator + public AccessToken(@JsonProperty("id") Long id, @JsonProperty("value") String value, + @JsonProperty("scopes") Set scopes, @JsonProperty("expiration") Date expiration, + @JsonProperty("client") ClientRef client, @JsonProperty("user") UserRef user, + @JsonProperty("idToken") IdTokenRef idToken) { + + this.id = id; + this.value = value; + this.scopes = scopes; + this.expiration = expiration; + this.client = client; + this.user = user; + this.idToken = idToken; + } + + public AccessToken(Builder builder) { + + this.id = builder.id; + this.value = builder.value; + this.scopes = builder.scopes; + this.expiration = builder.expiration; + this.client = builder.client; + this.user = builder.user; + this.idToken = builder.idToken; + } + + @JsonProperty("id") + public Long getId() { + + return id; + } + + @JsonProperty("value") + public String getValue() { + + return value; + } + + @JsonProperty("scopes") + public Set getScopes() { + + return scopes; + } + + @JsonProperty("expiration") + public Date getExpiration() { + + return expiration; + } + + @JsonProperty("client") + public ClientRef getClient() { + + return client; + } + + @JsonProperty("user") + public UserRef getUser() { + + return user; + } + + @JsonProperty("idToken") + public IdTokenRef getIdToken() { + + return idToken; + } + + @Override + public String toString() { + return "AccessToken [id=" + id + ", value=" + value + ", scopes=" + scopes + ", expiration=" + + expiration + ", client=" + client + ", user=" + user + ", idToken=" + idToken + "]"; + } + + public static Builder builder() { + + return new Builder(); + } + + public static class Builder { + + private Long id; + private String value; + private Set scopes; + private Date expiration; + private ClientRef client; + private UserRef user; + private IdTokenRef idToken; + + public Builder id(Long id) { + this.id = id; + return this; + } + + public Builder value(String value) { + this.value = value; + return this; + } + + public Builder scopes(Set scopes) { + this.scopes = scopes; + return this; + } + + public Builder expiration(Date expiration) { + this.expiration = expiration; + return this; + } + + public Builder client(ClientRef client) { + this.client = client; + return this; + } + + public Builder user(UserRef user) { + this.user = user; + return this; + } + + public Builder idToken(IdTokenRef idToken) { + this.idToken = idToken; + return this; + } + + public AccessToken build() { + return new AccessToken(this); + } + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/ClientRef.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/ClientRef.java new file mode 100644 index 000000000..19f1e823c --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/ClientRef.java @@ -0,0 +1,102 @@ +package it.infn.mw.iam.api.tokens.model; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.Set; + +@JsonInclude(JsonInclude.Include.NON_EMPTY) +public class ClientRef { + + private Long id; + private String clientId; + private Set contacts; + private String ref = null; + + @JsonCreator + public ClientRef(@JsonProperty("id") Long id, @JsonProperty("clientId") String clientId, + @JsonProperty("contacts") Set contacts, @JsonProperty("$ref") String ref) { + + this.id = id; + this.clientId = clientId; + this.contacts = contacts; + this.ref = ref; + } + + public ClientRef(Builder builder) { + + this.id = builder.id; + this.clientId = builder.clientId; + this.contacts = builder.contacts; + this.ref = builder.ref; + } + + @JsonProperty("id") + public Long getId() { + + return id; + } + + @JsonProperty("clientId") + public String getClientId() { + + return clientId; + } + + @JsonProperty("contacts") + public Set getContacts() { + + return contacts; + } + + @JsonProperty("$ref") + public String getRef() { + + return ref; + } + + @Override + public String toString() { + + return "Client [id=" + id + ", clientId=" + clientId + ", contacts=" + contacts + + ", ref=" + ref + "]"; + } + + public static Builder builder() { + + return new Builder(); + } + + public static class Builder { + + private Long id; + private String clientId; + private Set contacts; + private String ref; + + public Builder id(Long id) { + this.id = id; + return this; + } + + public Builder clientId(String clientId) { + this.clientId = clientId; + return this; + } + + public Builder contacts(Set contacts) { + this.contacts = contacts; + return this; + } + + public Builder ref(String ref) { + this.ref = ref; + return this; + } + + public ClientRef build() { + return new ClientRef(this); + } + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/IdTokenRef.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/IdTokenRef.java new file mode 100644 index 000000000..ed64692c1 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/IdTokenRef.java @@ -0,0 +1,68 @@ +package it.infn.mw.iam.api.tokens.model; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; + +@JsonInclude(JsonInclude.Include.NON_EMPTY) +public class IdTokenRef { + + private Long id; + private String ref; + + @JsonCreator + public IdTokenRef(@JsonProperty("id") Long id, @JsonProperty("$ref") String ref) { + + this.id = id; + this.ref = ref; + } + + public IdTokenRef(Builder builder) { + + this.id = builder.id; + this.ref = builder.ref; + } + + @JsonProperty("id") + public Long getId() { + + return id; + } + + @JsonProperty("$ref") + public String getRef() { + + return ref; + } + + @Override + public String toString() { + return "IdToken [id=" + id + ", ref=" + ref + "]"; + } + + public static Builder builder() { + + return new Builder(); + } + + public static class Builder { + + private Long id; + private String ref; + + public Builder id(Long id) { + this.id = id; + return this; + } + + public Builder ref(String ref) { + this.ref = ref; + return this; + } + + public IdTokenRef build() { + return new IdTokenRef(this); + } + } +} + diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/RefreshToken.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/RefreshToken.java new file mode 100644 index 000000000..06ac35a47 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/RefreshToken.java @@ -0,0 +1,109 @@ +package it.infn.mw.iam.api.tokens.model; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonFilter; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.Date; + +@JsonInclude(JsonInclude.Include.NON_EMPTY) +@JsonFilter("attributeFilter") +public class RefreshToken { + + private Long id; + private String value; + private Date expiration; + private ClientRef client; + private UserRef user; + + @JsonCreator + public RefreshToken(@JsonProperty("id") Long id, @JsonProperty("value") String value, + @JsonProperty("expiration") Date expiration, @JsonProperty("client") ClientRef client, + @JsonProperty("user") UserRef user) { + + this.id = id; + this.value = value; + this.expiration = expiration; + this.client = client; + this.user = user; + } + + public RefreshToken(Builder builder) { + + this.id = builder.id; + this.value = builder.value; + this.expiration = builder.expiration; + this.client = builder.client; + this.user = builder.user; + } + + @JsonProperty("id") + public Long getId() { + return id; + } + + @JsonProperty("value") + public String getValue() { + return value; + } + + @JsonProperty("expiration") + public Date getExpiration() { + return expiration; + } + + @JsonProperty("client") + public ClientRef getClient() { + return client; + } + + @JsonProperty("user") + public UserRef getUser() { + return user; + } + + public static Builder builder() { + + return new Builder(); + } + + public static class Builder { + + private Long id; + private String value; + private Date expiration; + private ClientRef client; + private UserRef user; + + public Builder id(Long id) { + this.id = id; + return this; + } + + public Builder value(String value) { + this.value = value; + return this; + } + + public Builder expiration(Date expiration) { + this.expiration = expiration; + return this; + } + + public Builder client(ClientRef client) { + this.client = client; + return this; + } + + public Builder user(UserRef user) { + this.user = user; + return this; + } + + public RefreshToken build() { + return new RefreshToken(this); + } + } +} + diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/TokensListResponse.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/TokensListResponse.java new file mode 100644 index 000000000..46181b81f --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/TokensListResponse.java @@ -0,0 +1,46 @@ +package it.infn.mw.iam.api.tokens.model; + +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.ArrayList; +import java.util.List; + +public class TokensListResponse { + + private long totalResults; + private long itemsPerPage; + private long startIndex; + private List resources = new ArrayList<>(); + + public TokensListResponse() {} + + public TokensListResponse(List resources, long totalResults, long itemsPerPage, + long startIndex) { + + this.resources = resources; + this.totalResults = totalResults; + this.itemsPerPage = itemsPerPage; + this.startIndex = startIndex; + } + + public long getTotalResults() { + + return totalResults; + } + + public long getItemsPerPage() { + + return itemsPerPage; + } + + public long getStartIndex() { + + return startIndex; + } + + @JsonProperty("Resources") + public List getResources() { + + return resources; + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/UserRef.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/UserRef.java new file mode 100644 index 000000000..c2178a253 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/model/UserRef.java @@ -0,0 +1,80 @@ +package it.infn.mw.iam.api.tokens.model; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; + +@JsonInclude(JsonInclude.Include.NON_EMPTY) +public class UserRef { + + private String id; + private String userName; + private String ref; + + @JsonCreator + public UserRef(@JsonProperty("id") String id, @JsonProperty("userName") String userName, + @JsonProperty("$ref") String ref) { + + this.id = id; + this.userName = userName; + this.ref = ref; + } + + public UserRef(Builder builder) { + + this.id = builder.id; + this.userName = builder.userName; + this.ref = builder.ref; + } + + @JsonProperty("id") + public String getId() { + return id; + } + + @JsonProperty("userName") + public String getUserName() { + return userName; + } + + @JsonProperty("$ref") + public String getRef() { + return ref; + } + + @Override + public String toString() { + return "User [id=" + id + ", userName=" + userName + ", ref=" + ref + "]"; + } + + public static Builder builder() { + + return new Builder(); + } + + public static class Builder { + + private String id; + private String userName; + private String ref; + + public Builder id(String id) { + this.id = id; + return this; + } + + public Builder userName(String userName) { + this.userName = userName; + return this; + } + + public Builder ref(String ref) { + this.ref = ref; + return this; + } + + public UserRef build() { + return new UserRef(this); + } + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/DefaultAccessTokenService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/DefaultAccessTokenService.java new file mode 100644 index 000000000..530f2f44a --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/DefaultAccessTokenService.java @@ -0,0 +1,123 @@ +package it.infn.mw.iam.api.tokens.service; + +import it.infn.mw.iam.api.tokens.converter.TokensConverter; +import it.infn.mw.iam.api.tokens.exception.TokenNotFoundException; +import it.infn.mw.iam.api.tokens.model.AccessToken; +import it.infn.mw.iam.api.tokens.model.TokensListResponse; +import it.infn.mw.iam.api.tokens.service.paging.OffsetPageable; +import it.infn.mw.iam.api.tokens.service.paging.TokensPageRequest; +import it.infn.mw.iam.persistence.repository.IamOAuthAccessTokenRepository; + +import org.mitre.oauth2.model.OAuth2AccessTokenEntity; +import org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.data.domain.Page; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.List; +import java.util.Optional; + +@Service +public class DefaultAccessTokenService implements TokenService { + + @Autowired + private TokensConverter tokensConverter; + + @Autowired + private DefaultOAuth2ProviderTokenService tokenService; + + @Autowired + private IamOAuthAccessTokenRepository tokenRepository; + + @Override + public AccessToken getTokenById(Long id) { + + OAuth2AccessTokenEntity at = + getAccessTokenById(id).orElseThrow(() -> new TokenNotFoundException(id)); + return tokensConverter.toAccessToken(at); + } + + @Override + public void revokeTokenById(Long id) { + + OAuth2AccessTokenEntity at = + getAccessTokenById(id).orElseThrow(() -> new TokenNotFoundException(id)); + tokenService.revokeAccessToken(at); + } + + private Optional getAccessTokenById(Long accessTokenId) { + + OAuth2AccessTokenEntity at = tokenService.getAccessTokenById(accessTokenId); + return Optional.ofNullable(at); + } + + private TokensListResponse buildTokensCountResponse() { + + return new TokensListResponse<>(Collections.emptyList(), tokenRepository.count(), 0, 1); + } + + private TokensListResponse buildTokensListResponse( + Page entities, OffsetPageable op) { + + List resources = new ArrayList<>(); + + entities.getContent().forEach(a -> resources.add(tokensConverter.toAccessToken(a))); + + return new TokensListResponse<>(resources, entities.getTotalElements(), resources.size(), + op.getOffset() + 1); + } + + @Override + public TokensListResponse getAllTokens(TokensPageRequest pageRequest) { + + if (pageRequest.getCount() == 0) { + return buildTokensCountResponse(); + } + + OffsetPageable op = new OffsetPageable(pageRequest.getStartIndex(), pageRequest.getCount()); + return buildTokensListResponse(tokenRepository.findAllValidAccessTokens(new Date(), op), op); + } + + @Override + public TokensListResponse getTokensForUser(String userId, + TokensPageRequest pageRequest) { + + if (pageRequest.getCount() == 0) { + return buildTokensCountResponse(); + } + + OffsetPageable op = new OffsetPageable(pageRequest.getStartIndex(), pageRequest.getCount()); + return buildTokensListResponse( + tokenRepository.findValidAccessTokensForUser(userId, new Date(), op), op); + } + + @Override + public TokensListResponse getTokensForClient(String clientId, + TokensPageRequest pageRequest) { + + if (pageRequest.getCount() == 0) { + return buildTokensCountResponse(); + } + + OffsetPageable op = new OffsetPageable(pageRequest.getStartIndex(), pageRequest.getCount()); + return buildTokensListResponse( + tokenRepository.findValidAccessTokensForClient(clientId, new Date(), op), op); + } + + @Override + public TokensListResponse getTokensForClientAndUser(String userId, String clientId, + TokensPageRequest pageRequest) { + + if (pageRequest.getCount() == 0) { + return buildTokensCountResponse(); + } + + OffsetPageable op = new OffsetPageable(pageRequest.getStartIndex(), pageRequest.getCount()); + return buildTokensListResponse( + tokenRepository.findValidAccessTokensForUserAndClient(userId, clientId, new Date(), op), + op); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/DefaultRefreshTokenService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/DefaultRefreshTokenService.java new file mode 100644 index 000000000..39d13fccb --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/DefaultRefreshTokenService.java @@ -0,0 +1,123 @@ +package it.infn.mw.iam.api.tokens.service; + +import it.infn.mw.iam.api.tokens.converter.TokensConverter; +import it.infn.mw.iam.api.tokens.exception.TokenNotFoundException; +import it.infn.mw.iam.api.tokens.model.RefreshToken; +import it.infn.mw.iam.api.tokens.model.TokensListResponse; +import it.infn.mw.iam.api.tokens.service.paging.OffsetPageable; +import it.infn.mw.iam.api.tokens.service.paging.TokensPageRequest; +import it.infn.mw.iam.persistence.repository.IamOAuthRefreshTokenRepository; + +import org.mitre.oauth2.model.OAuth2RefreshTokenEntity; +import org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.data.domain.Page; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.List; +import java.util.Optional; + +@Service +public class DefaultRefreshTokenService implements TokenService { + + @Autowired + private TokensConverter tokensConverter; + + @Autowired + private DefaultOAuth2ProviderTokenService tokenService; + + @Autowired + private IamOAuthRefreshTokenRepository tokenRepository; + + @Override + public RefreshToken getTokenById(Long id) { + + OAuth2RefreshTokenEntity rt = + getRefreshTokenById(id).orElseThrow(() -> new TokenNotFoundException(id)); + return tokensConverter.toRefreshToken(rt); + } + + @Override + public void revokeTokenById(Long id) { + + OAuth2RefreshTokenEntity rt = + getRefreshTokenById(id).orElseThrow(() -> new TokenNotFoundException(id)); + tokenService.revokeRefreshToken(rt); + } + + private Optional getRefreshTokenById(Long refreshTokenId) { + + OAuth2RefreshTokenEntity at = tokenService.getRefreshTokenById(refreshTokenId); + return Optional.ofNullable(at); + } + + private TokensListResponse buildTokensCountResponse() { + + return new TokensListResponse<>(Collections.emptyList(), tokenRepository.count(), 0, 1); + } + + private TokensListResponse buildTokensListResponse( + Page entities, OffsetPageable op) { + + List resources = new ArrayList<>(); + + entities.getContent().forEach(a -> resources.add(tokensConverter.toRefreshToken(a))); + + return new TokensListResponse<>(resources, entities.getTotalElements(), resources.size(), + op.getOffset() + 1); + } + + @Override + public TokensListResponse getAllTokens(TokensPageRequest pageRequest) { + + if (pageRequest.getCount() == 0) { + return buildTokensCountResponse(); + } + + OffsetPageable op = new OffsetPageable(pageRequest.getStartIndex(), pageRequest.getCount()); + return buildTokensListResponse(tokenRepository.findAllValidRefreshTokens(new Date(), op), op); + } + + @Override + public TokensListResponse getTokensForUser(String userId, + TokensPageRequest pageRequest) { + + if (pageRequest.getCount() == 0) { + return buildTokensCountResponse(); + } + + OffsetPageable op = new OffsetPageable(pageRequest.getStartIndex(), pageRequest.getCount()); + return buildTokensListResponse( + tokenRepository.findValidRefreshTokensForUser(userId, new Date(), op), op); + } + + @Override + public TokensListResponse getTokensForClient(String clientId, + TokensPageRequest pageRequest) { + + if (pageRequest.getCount() == 0) { + return buildTokensCountResponse(); + } + + OffsetPageable op = new OffsetPageable(pageRequest.getStartIndex(), pageRequest.getCount()); + return buildTokensListResponse( + tokenRepository.findValidRefreshTokensForClient(clientId, new Date(), op), op); + } + + @Override + public TokensListResponse getTokensForClientAndUser(String userId, String clientId, + TokensPageRequest pageRequest) { + + if (pageRequest.getCount() == 0) { + return buildTokensCountResponse(); + } + + OffsetPageable op = new OffsetPageable(pageRequest.getStartIndex(), pageRequest.getCount()); + return buildTokensListResponse( + tokenRepository.findValidRefreshTokensForUserAndClient(userId, clientId, new Date(), op), + op); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/TokenService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/TokenService.java new file mode 100644 index 000000000..12d24d79a --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/TokenService.java @@ -0,0 +1,22 @@ +package it.infn.mw.iam.api.tokens.service; + +import it.infn.mw.iam.api.tokens.model.TokensListResponse; +import it.infn.mw.iam.api.tokens.service.paging.TokensPageRequest; + +public interface TokenService { + + TokensListResponse getAllTokens(final TokensPageRequest pageRequest); + + TokensListResponse getTokensForUser(final String userId, final TokensPageRequest pageRequest); + + TokensListResponse getTokensForClient(final String clientId, + final TokensPageRequest pageRequest); + + TokensListResponse getTokensForClientAndUser(final String userId, final String clientId, + final TokensPageRequest pageRequest); + + T getTokenById(Long id); + + void revokeTokenById(Long id); + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/DefaultTokensPageRequest.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/DefaultTokensPageRequest.java new file mode 100644 index 000000000..b42ba3b75 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/DefaultTokensPageRequest.java @@ -0,0 +1,47 @@ +package it.infn.mw.iam.api.tokens.service.paging; + +public class DefaultTokensPageRequest implements TokensPageRequest { + + private final int count; + private final int startIndex; + + private DefaultTokensPageRequest(Builder b) { + this.count = b.count; + this.startIndex = b.startIndex; + } + + @Override + public int getCount() { + + return count; + } + + @Override + public int getStartIndex() { + + return startIndex; + } + + public static class Builder { + + private int count; + private int startIndex; + + public Builder count(int count) { + + this.count = count; + return this; + } + + public Builder startIndex(int startIndex) { + + this.startIndex = startIndex; + return this; + } + + public DefaultTokensPageRequest build() { + + return new DefaultTokensPageRequest(this); + } + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/OffsetPageable.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/OffsetPageable.java new file mode 100644 index 000000000..42791176e --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/OffsetPageable.java @@ -0,0 +1,105 @@ +package it.infn.mw.iam.api.tokens.service.paging; + +import org.springframework.data.domain.Pageable; +import org.springframework.data.domain.Sort; + +import com.google.common.base.Preconditions; + +public class OffsetPageable implements Pageable { + + private final int offset; + private final int count; + + public OffsetPageable(int offset, int count) { + Preconditions.checkArgument(offset >= 0, "offset must be greater or equal to 0"); + + Preconditions.checkArgument(count >= 1, "count must be a positive integer"); + + this.offset = offset; + this.count = count; + } + + @Override + public int getPageNumber() { + + return offset / count; + } + + @Override + public int getPageSize() { + + return count; + } + + @Override + public int getOffset() { + + return offset; + } + + @Override + public Sort getSort() { + + return null; + } + + @Override + public Pageable next() { + + return new OffsetPageable(offset + count, count); + } + + @Override + public Pageable previousOrFirst() { + + int newOffset = offset - count; + if (newOffset < 0) { + newOffset = 0; + } + + return new OffsetPageable(newOffset, count); + + } + + @Override + public Pageable first() { + + return new OffsetPageable(0, count); + } + + @Override + public boolean hasPrevious() { + + return offset > 0; + } + + @Override + public int hashCode() { + final int PRIME = 31; + int result = 1; + result = PRIME * result + count; + result = PRIME * result + offset; + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + OffsetPageable other = (OffsetPageable) obj; + if (count != other.count) + return false; + return offset != other.offset; + } + + @Override + public String toString() { + + return "OffsetPageable [offset=" + offset + ", count=" + count + "]"; + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/TokensPageRequest.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/TokensPageRequest.java new file mode 100644 index 000000000..bceab19cc --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/service/paging/TokensPageRequest.java @@ -0,0 +1,9 @@ +package it.infn.mw.iam.api.tokens.service.paging; + +public interface TokensPageRequest { + + public int getCount(); + + public int getStartIndex(); + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/AuditDataSerializer.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/AuditDataSerializer.java index 2225b0b2e..6f7d28fdf 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/audit/AuditDataSerializer.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/AuditDataSerializer.java @@ -1,7 +1,7 @@ package it.infn.mw.iam.audit; import it.infn.mw.iam.audit.events.IamAuditApplicationEvent; - +@FunctionalInterface public interface AuditDataSerializer { public String serialize(IamAuditApplicationEvent event); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/AuditEventLogger.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/AuditEventLogger.java index 87edf6c60..c6ff5b774 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/audit/AuditEventLogger.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/AuditEventLogger.java @@ -2,6 +2,7 @@ import it.infn.mw.iam.audit.events.IamAuditApplicationEvent; +@FunctionalInterface public interface AuditEventLogger { public void logAuditEvent(IamAuditApplicationEvent event); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/IamAuditEventLogger.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/IamAuditEventLogger.java index 07093ac82..297f5699d 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/audit/IamAuditEventLogger.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/IamAuditEventLogger.java @@ -28,7 +28,10 @@ public IamAuditEventLogger(AuditDataSerializer serializer) { @Override public void logAuditEvent(IamAuditApplicationEvent event) { lastEvent = event; - LOG.info(AUDIT_MARKER, serializer.serialize(event)); + if (LOG.isInfoEnabled()){ + final String serializedEvent = serializer.serialize(event); + LOG.info(AUDIT_MARKER, serializedEvent); + } } public IamAuditApplicationEvent getLastEvent() { diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/IamAuditApplicationEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/IamAuditApplicationEvent.java index 58a654803..57d7ce414 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/IamAuditApplicationEvent.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/IamAuditApplicationEvent.java @@ -17,7 +17,7 @@ @JsonTypeInfo(use=Id.NAME, property="@type") public abstract class IamAuditApplicationEvent extends ApplicationEvent { - public static enum IamEventCategory { + public enum IamEventCategory { NONE, ACCOUNT, GROUP, diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/AccountLinkedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/AccountLinkedEvent.java index 436b6c6f8..f2dacae87 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/AccountLinkedEvent.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/AccountLinkedEvent.java @@ -9,7 +9,7 @@ public class AccountLinkedEvent extends AccountEvent { private static final long serialVersionUID = -1605221918249294636L; - @JsonIgnoreProperties({"email", "givenName", "familyName"}) + @JsonIgnoreProperties({"email", "GIVEN_NAME", "familyName"}) private final ExternalAuthenticationRegistrationInfo externalAccountInfo; public AccountLinkedEvent(Object source, IamAccount account, diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/AccountUnlinkedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/AccountUnlinkedEvent.java index b62cc1492..4db9f1cf1 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/AccountUnlinkedEvent.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/AccountUnlinkedEvent.java @@ -9,7 +9,7 @@ public class AccountUnlinkedEvent extends AccountEvent { private static final long serialVersionUID = -1605221918249294636L; - @JsonIgnoreProperties({"email", "givenName", "familyName", "issuer", "subject"}) + @JsonIgnoreProperties({"email", "GIVEN_NAME", "familyName", "issuer", "subject"}) private final ExternalAuthenticationType externalAuthenticationType; private final String issuer; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ActiveReplacedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ActiveReplacedEvent.java new file mode 100644 index 000000000..cf95b4ed5 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ActiveReplacedEvent.java @@ -0,0 +1,26 @@ +package it.infn.mw.iam.audit.events.account; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_ACTIVE; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class ActiveReplacedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = 5681737929767602266L; + + private final Boolean active; + + public ActiveReplacedEvent(Object source, IamAccount account, Boolean active) { + super(source, account, ACCOUNT_REPLACE_ACTIVE, buildMessage(ACCOUNT_REPLACE_ACTIVE, active)); + this.active = active; + } + + public Boolean getActive() { + return active; + } + + protected static String buildMessage(UpdaterType t, Boolean active) { + return String.format("%s: %s", t.getDescription(), active); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/EmailReplacedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/EmailReplacedEvent.java new file mode 100644 index 000000000..7f634f5dd --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/EmailReplacedEvent.java @@ -0,0 +1,27 @@ +package it.infn.mw.iam.audit.events.account; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_EMAIL; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class EmailReplacedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = -2527611317336416111L; + + private final String email; + + public EmailReplacedEvent(Object source, IamAccount account, String email) { + super(source, account, ACCOUNT_REPLACE_EMAIL, buildMessage(ACCOUNT_REPLACE_EMAIL, email)); + this.email = email; + } + + public String getEmail() { + return email; + } + + protected static String buildMessage(UpdaterType t, String email) { + return String.format("%s: %s", t.getDescription(), email); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/FamilyNameReplacedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/FamilyNameReplacedEvent.java new file mode 100644 index 000000000..5e1e95df9 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/FamilyNameReplacedEvent.java @@ -0,0 +1,27 @@ +package it.infn.mw.iam.audit.events.account; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_FAMILY_NAME; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class FamilyNameReplacedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = 1984232242208443669L; + + private final String familyName; + + public FamilyNameReplacedEvent(Object source, IamAccount account, String familyName) { + super(source, account, ACCOUNT_REPLACE_FAMILY_NAME, + buildMessage(ACCOUNT_REPLACE_FAMILY_NAME, familyName)); + this.familyName = familyName; + } + + public String getFamilyName() { + return familyName; + } + + protected static String buildMessage(UpdaterType t, String familyName) { + return String.format("%s: %s", t.getDescription(), familyName); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/GivenNameReplacedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/GivenNameReplacedEvent.java new file mode 100644 index 000000000..09f98a29f --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/GivenNameReplacedEvent.java @@ -0,0 +1,27 @@ +package it.infn.mw.iam.audit.events.account; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_GIVEN_NAME; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class GivenNameReplacedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = -8832461145651484401L; + + private final String givenName; + + public GivenNameReplacedEvent(Object source, IamAccount account, String givenName) { + super(source, account, ACCOUNT_REPLACE_GIVEN_NAME, + buildMessage(ACCOUNT_REPLACE_GIVEN_NAME, givenName)); + this.givenName = givenName; + } + + public String getGivenName() { + return givenName; + } + + protected static String buildMessage(UpdaterType t, String givenName) { + return String.format("%s: %s", t.getDescription(), givenName); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PasswordReplacedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PasswordReplacedEvent.java new file mode 100644 index 000000000..0148cfc3e --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PasswordReplacedEvent.java @@ -0,0 +1,27 @@ +package it.infn.mw.iam.audit.events.account; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_PASSWORD; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class PasswordReplacedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = -1656076046003614399L; + + private final String password; + + public PasswordReplacedEvent(Object source, IamAccount account, String password) { + super(source, account, ACCOUNT_REPLACE_PASSWORD, + buildMessage(ACCOUNT_REPLACE_PASSWORD, password)); + this.password = password; + } + + public String getPassword() { + return password; + } + + protected static String buildMessage(UpdaterType t, String password) { + return String.format("%s: %s", t.getDescription(), password); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PictureRemovedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PictureRemovedEvent.java new file mode 100644 index 000000000..8145a307a --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PictureRemovedEvent.java @@ -0,0 +1,26 @@ +package it.infn.mw.iam.audit.events.account; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_PICTURE; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class PictureRemovedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = 4301089543652866437L; + + private final String picture; + + public PictureRemovedEvent(Object source, IamAccount account, String picture) { + super(source, account, ACCOUNT_REMOVE_PICTURE, buildMessage(ACCOUNT_REMOVE_PICTURE, picture)); + this.picture = picture; + } + + public String getPictures() { + return picture; + } + + protected static String buildMessage(UpdaterType t, String picture) { + return String.format("%s: %s", t.getDescription(), picture); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PictureReplacedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PictureReplacedEvent.java new file mode 100644 index 000000000..482f4655a --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/PictureReplacedEvent.java @@ -0,0 +1,26 @@ +package it.infn.mw.iam.audit.events.account; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_PICTURE; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class PictureReplacedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = -2527611317336416111L; + + private final String picture; + + public PictureReplacedEvent(Object source, IamAccount account, String picture) { + super(source, account, ACCOUNT_REPLACE_PICTURE, buildMessage(ACCOUNT_REPLACE_PICTURE, picture)); + this.picture = picture; + } + + public String getPicture() { + return picture; + } + + protected static String buildMessage(UpdaterType t, String picture) { + return String.format("%s: %s", t.getDescription(), picture); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/UsernameReplacedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/UsernameReplacedEvent.java new file mode 100644 index 000000000..c45be6323 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/UsernameReplacedEvent.java @@ -0,0 +1,27 @@ +package it.infn.mw.iam.audit.events.account; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_USERNAME; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class UsernameReplacedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = -4559709075463515934L; + + private final String username; + + public UsernameReplacedEvent(Object source, IamAccount account, String username) { + super(source, account, ACCOUNT_REPLACE_USERNAME, + buildMessage(ACCOUNT_REPLACE_USERNAME, username)); + this.username = username; + } + + public String getUsername() { + return username; + } + + protected static String buildMessage(UpdaterType t, String username) { + return String.format("%s: %s", t.getDescription(), username); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateLinkedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateLinkedEvent.java new file mode 100644 index 000000000..a0ff5af16 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateLinkedEvent.java @@ -0,0 +1,24 @@ +package it.infn.mw.iam.audit.events.account; + +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class X509CertificateLinkedEvent extends AccountEvent { + + /** + * + */ + private static final long serialVersionUID = 1L; + + private final IamX509AuthenticationCredential x509Certificate; + + public X509CertificateLinkedEvent(Object source, IamAccount account, String message, + IamX509AuthenticationCredential cred) { + super(source, account, message); + this.x509Certificate = cred; + } + + public IamX509AuthenticationCredential getX509Certificate() { + return x509Certificate; + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateUnlinkedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateUnlinkedEvent.java new file mode 100644 index 000000000..6b3954dd1 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateUnlinkedEvent.java @@ -0,0 +1,25 @@ +package it.infn.mw.iam.audit.events.account; + +import it.infn.mw.iam.persistence.model.IamAccount; + +public class X509CertificateUnlinkedEvent extends AccountEvent { + + /** + * + */ + private static final long serialVersionUID = 1L; + + + private final String certificateSubject; + + public X509CertificateUnlinkedEvent(Object source, IamAccount account, String message, + String certificateSubject) { + super(source, account, message); + this.certificateSubject = certificateSubject; + } + + public String getCertificateSubject() { + return certificateSubject; + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateUpdatedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateUpdatedEvent.java new file mode 100644 index 000000000..5c0e7a62d --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/X509CertificateUpdatedEvent.java @@ -0,0 +1,13 @@ +package it.infn.mw.iam.audit.events.account; + +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class X509CertificateUpdatedEvent extends X509CertificateLinkedEvent { + + public X509CertificateUpdatedEvent(Object source, IamAccount account, String message, + IamX509AuthenticationCredential cred) { + super(source, account, message, cred); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipAddedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipAddedEvent.java new file mode 100644 index 000000000..2eabcabee --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipAddedEvent.java @@ -0,0 +1,19 @@ +package it.infn.mw.iam.audit.events.account.group; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_GROUP_MEMBERSHIP; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamGroup; + +public class GroupMembershipAddedEvent extends GroupMembershipUpdatedEvent { + + private static final long serialVersionUID = 1L; + + + public GroupMembershipAddedEvent(Object source, IamAccount account, Collection groups) { + super(source, account, ACCOUNT_ADD_GROUP_MEMBERSHIP, groups); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipRemovedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipRemovedEvent.java new file mode 100644 index 000000000..123e2e172 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipRemovedEvent.java @@ -0,0 +1,19 @@ +package it.infn.mw.iam.audit.events.account.group; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_GROUP_MEMBERSHIP; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamGroup; + +public class GroupMembershipRemovedEvent extends GroupMembershipUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public GroupMembershipRemovedEvent(Object source, IamAccount account, + Collection groups) { + super(source, account, ACCOUNT_REMOVE_GROUP_MEMBERSHIP, groups); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipUpdatedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipUpdatedEvent.java new file mode 100644 index 000000000..128d8fc0e --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/group/GroupMembershipUpdatedEvent.java @@ -0,0 +1,36 @@ +package it.infn.mw.iam.audit.events.account.group; + +import java.util.Collection; + +import com.fasterxml.jackson.databind.annotation.JsonSerialize; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.audit.events.account.AccountUpdatedEvent; +import it.infn.mw.iam.audit.utils.IamGroupCollectionSerializer; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamGroup; + +public abstract class GroupMembershipUpdatedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + @JsonSerialize(using = IamGroupCollectionSerializer.class) + private final Collection groups; + + public GroupMembershipUpdatedEvent(Object source, IamAccount account, UpdaterType type, + Collection groups) { + super(source, account, type, buildMessage(type, account, groups)); + this.groups = groups; + } + + protected Collection getGroups() { + return groups; + } + + protected static String buildMessage(UpdaterType t, IamAccount account, + Collection groups) { + return String.format("%s: username: '%s' values: '%s'", t.getDescription(), + account.getUsername(), groups); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountAddedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountAddedEvent.java new file mode 100644 index 000000000..937f0ba20 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountAddedEvent.java @@ -0,0 +1,18 @@ +package it.infn.mw.iam.audit.events.account.oidc; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_OIDC_ID; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamOidcId; + +public class OidcAccountAddedEvent extends OidcAccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public OidcAccountAddedEvent(Object source, IamAccount account, Collection oidcIds) { + super(source, account, ACCOUNT_ADD_OIDC_ID, oidcIds); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountRemovedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountRemovedEvent.java new file mode 100644 index 000000000..c9772e8f3 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountRemovedEvent.java @@ -0,0 +1,18 @@ +package it.infn.mw.iam.audit.events.account.oidc; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_OIDC_ID; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamOidcId; + +public class OidcAccountRemovedEvent extends OidcAccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public OidcAccountRemovedEvent(Object source, IamAccount account, Collection oidcIds) { + super(source, account, ACCOUNT_REMOVE_OIDC_ID, oidcIds); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountUpdatedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountUpdatedEvent.java new file mode 100644 index 000000000..0675aab23 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/oidc/OidcAccountUpdatedEvent.java @@ -0,0 +1,36 @@ +package it.infn.mw.iam.audit.events.account.oidc; + +import java.util.Collection; + +import com.fasterxml.jackson.databind.annotation.JsonSerialize; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.audit.events.account.AccountUpdatedEvent; +import it.infn.mw.iam.audit.utils.IamOidcSerializer; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamOidcId; + +public abstract class OidcAccountUpdatedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + @JsonSerialize(using = IamOidcSerializer.class) + private final Collection oidcIds; + + public OidcAccountUpdatedEvent(Object source, IamAccount account, UpdaterType type, + Collection oidcIds) { + super(source, account, type, buildMessage(type, account, oidcIds)); + this.oidcIds = oidcIds; + } + + protected Collection getOidcIds() { + return oidcIds; + } + + protected static String buildMessage(UpdaterType t, IamAccount account, + Collection oidcIds) { + return String.format("%s: username: '%s' values: '%s'", t.getDescription(), + account.getUsername(), oidcIds); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountAddedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountAddedEvent.java new file mode 100644 index 000000000..c059383a0 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountAddedEvent.java @@ -0,0 +1,17 @@ +package it.infn.mw.iam.audit.events.account.saml; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_SAML_ID; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; + +public class SamlAccountAddedEvent extends SamlAccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public SamlAccountAddedEvent(Object source, IamAccount account, Collection samlIds) { + super(source, account, ACCOUNT_ADD_SAML_ID, samlIds); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountRemovedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountRemovedEvent.java new file mode 100644 index 000000000..c1a4ae57b --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountRemovedEvent.java @@ -0,0 +1,18 @@ +package it.infn.mw.iam.audit.events.account.saml; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_SAML_ID; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; + +public class SamlAccountRemovedEvent extends SamlAccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public SamlAccountRemovedEvent(Object source, IamAccount account, Collection samlIds) { + super(source, account, ACCOUNT_REMOVE_SAML_ID, samlIds); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountUpdatedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountUpdatedEvent.java new file mode 100644 index 000000000..796b93b82 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/saml/SamlAccountUpdatedEvent.java @@ -0,0 +1,36 @@ +package it.infn.mw.iam.audit.events.account.saml; + +import java.util.Collection; + +import com.fasterxml.jackson.databind.annotation.JsonSerialize; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.audit.events.account.AccountUpdatedEvent; +import it.infn.mw.iam.audit.utils.IamSamlSerializer; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; + +public abstract class SamlAccountUpdatedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + @JsonSerialize(using = IamSamlSerializer.class) + private Collection samlIds; + + public SamlAccountUpdatedEvent(Object source, IamAccount account, UpdaterType type, + Collection samlIds) { + super(source, account, type, buildMessage(type, account, samlIds)); + this.samlIds = samlIds; + } + + protected Collection getSamlIds() { + return samlIds; + } + + protected static String buildMessage(UpdaterType t, IamAccount account, + Collection samlIds) { + return String.format("%s: username: '%s' values '%s'", t.getDescription(), + account.getUsername(), samlIds); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyAddedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyAddedEvent.java new file mode 100644 index 000000000..518c05c51 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyAddedEvent.java @@ -0,0 +1,19 @@ +package it.infn.mw.iam.audit.events.account.ssh; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_SSH_KEY; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSshKey; + +public class SshKeyAddedEvent extends SshKeyUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public SshKeyAddedEvent(Object source, IamAccount account, Collection sshKeys) { + super(source, account, ACCOUNT_ADD_SSH_KEY, sshKeys); + } + + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyRemovedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyRemovedEvent.java new file mode 100644 index 000000000..6c12b31c8 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyRemovedEvent.java @@ -0,0 +1,18 @@ +package it.infn.mw.iam.audit.events.account.ssh; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_SSH_KEY; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSshKey; + +public class SshKeyRemovedEvent extends SshKeyUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public SshKeyRemovedEvent(Object source, IamAccount account, Collection sshKeys) { + super(source, account, ACCOUNT_REMOVE_SSH_KEY, sshKeys); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyUpdatedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyUpdatedEvent.java new file mode 100644 index 000000000..33e400563 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ssh/SshKeyUpdatedEvent.java @@ -0,0 +1,36 @@ +package it.infn.mw.iam.audit.events.account.ssh; + +import java.util.Collection; + +import com.fasterxml.jackson.databind.annotation.JsonSerialize; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.audit.events.account.AccountUpdatedEvent; +import it.infn.mw.iam.audit.utils.IamSshKeySerializer; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSshKey; + +public abstract class SshKeyUpdatedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + @JsonSerialize(using = IamSshKeySerializer.class) + private final Collection sshKeys; + + public SshKeyUpdatedEvent(Object source, IamAccount account, UpdaterType type, + Collection sshKeys) { + super(source, account, type, buildMessage(type, account, sshKeys)); + this.sshKeys = sshKeys; + } + + protected Collection getSshKeys() { + return sshKeys; + } + + protected static String buildMessage(UpdaterType t, IamAccount account, + Collection sshKeys) { + return String.format("%s: username: '%s' values: '%s'", t.getDescription(), + account.getUsername(), sshKeys); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateAddedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateAddedEvent.java new file mode 100644 index 000000000..ffe72afe1 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateAddedEvent.java @@ -0,0 +1,19 @@ +package it.infn.mw.iam.audit.events.account.x509; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_X509_CERTIFICATE; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamX509Certificate; + +public class X509CertificateAddedEvent extends X509CertificateUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public X509CertificateAddedEvent(Object source, IamAccount account, + Collection x509certificates) { + super(source, account, ACCOUNT_ADD_X509_CERTIFICATE, x509certificates); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateRemovedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateRemovedEvent.java new file mode 100644 index 000000000..3f5a19c27 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateRemovedEvent.java @@ -0,0 +1,19 @@ +package it.infn.mw.iam.audit.events.account.x509; + +import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_X509_CERTIFICATE; + +import java.util.Collection; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamX509Certificate; + +public class X509CertificateRemovedEvent extends X509CertificateUpdatedEvent { + + private static final long serialVersionUID = 1L; + + public X509CertificateRemovedEvent(Object source, IamAccount account, + Collection x509certificates) { + super(source, account, ACCOUNT_REMOVE_X509_CERTIFICATE, x509certificates); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateUpdatedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateUpdatedEvent.java new file mode 100644 index 000000000..fe3fe0a12 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/x509/X509CertificateUpdatedEvent.java @@ -0,0 +1,36 @@ +package it.infn.mw.iam.audit.events.account.x509; + +import java.util.Collection; + +import com.fasterxml.jackson.databind.annotation.JsonSerialize; + +import it.infn.mw.iam.api.scim.updater.UpdaterType; +import it.infn.mw.iam.audit.events.account.AccountUpdatedEvent; +import it.infn.mw.iam.audit.utils.IamX509CertificateSerializer; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamX509Certificate; + +public abstract class X509CertificateUpdatedEvent extends AccountUpdatedEvent { + + private static final long serialVersionUID = 1L; + + @JsonSerialize(using = IamX509CertificateSerializer.class) + private final Collection x509Certificates; + + public X509CertificateUpdatedEvent(Object source, IamAccount account, UpdaterType type, + Collection x509Certificates) { + super(source, account, type, buildMessage(type, account, x509Certificates)); + this.x509Certificates = x509Certificates; + } + + protected Collection getX509certificates() { + return x509Certificates; + } + + protected static String buildMessage(UpdaterType t, IamAccount account, + Collection x509Certificates) { + return String.format("%s: username: '%s' values: '%s'", t.getDescription(), + account.getUsername(), x509Certificates); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/group/GroupUpdatedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/group/GroupUpdatedEvent.java deleted file mode 100644 index ae45b19aa..000000000 --- a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/group/GroupUpdatedEvent.java +++ /dev/null @@ -1,26 +0,0 @@ -package it.infn.mw.iam.audit.events.group; - -import com.fasterxml.jackson.databind.annotation.JsonSerialize; - -import it.infn.mw.iam.api.scim.updater.UpdaterType; -import it.infn.mw.iam.audit.utils.UpdaterTypeSerializer; -import it.infn.mw.iam.persistence.model.IamGroup; - -public class GroupUpdatedEvent extends GroupEvent { - - private static final long serialVersionUID = -3060371331110710895L; - - @JsonSerialize(using=UpdaterTypeSerializer.class) - private final UpdaterType updaterType; - - public GroupUpdatedEvent(Object source, IamGroup group, UpdaterType updateType, String message) { - super(source, group, message); - this.updaterType = updateType; - } - - - public UpdaterType getUpdaterType() { - return updaterType; - } - -} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamGroupCollectionSerializer.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamGroupCollectionSerializer.java new file mode 100644 index 000000000..072519189 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamGroupCollectionSerializer.java @@ -0,0 +1,29 @@ +package it.infn.mw.iam.audit.utils; + +import java.io.IOException; +import java.util.Collection; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonSerializer; +import com.fasterxml.jackson.databind.SerializerProvider; + +import it.infn.mw.iam.persistence.model.IamGroup; + +public class IamGroupCollectionSerializer extends JsonSerializer> { + + @Override + public void serialize(Collection value, JsonGenerator gen, + SerializerProvider serializers) throws IOException, JsonProcessingException { + + gen.writeStartArray(); + for (IamGroup elem : value) { + gen.writeStartObject(); + gen.writeStringField("uuid", elem.getUuid()); + gen.writeStringField("name", elem.getName()); + gen.writeEndObject(); + } + gen.writeEndArray(); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamGroupSerializer.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamGroupSerializer.java index 990d0fe5e..9528a9128 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamGroupSerializer.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamGroupSerializer.java @@ -14,10 +14,11 @@ public class IamGroupSerializer extends JsonSerializer { @Override public void serialize(IamGroup value, JsonGenerator gen, SerializerProvider serializers) throws IOException, JsonProcessingException { - gen.writeStartObject(); - gen.writeStringField("uuid", value.getUuid()); - gen.writeStringField("name", value.getName()); - gen.writeEndObject(); + + gen.writeStartObject(); + gen.writeStringField("uuid", value.getUuid()); + gen.writeStringField("name", value.getName()); + gen.writeEndObject(); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamOidcSerializer.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamOidcSerializer.java new file mode 100644 index 000000000..9d1d262a9 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamOidcSerializer.java @@ -0,0 +1,28 @@ +package it.infn.mw.iam.audit.utils; + +import java.io.IOException; +import java.util.Collection; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonSerializer; +import com.fasterxml.jackson.databind.SerializerProvider; + +import it.infn.mw.iam.persistence.model.IamOidcId; + +public class IamOidcSerializer extends JsonSerializer> { + + @Override + public void serialize(Collection value, JsonGenerator gen, + SerializerProvider serializers) throws IOException, JsonProcessingException { + gen.writeStartArray(); + for (IamOidcId elem : value) { + gen.writeStartObject(); + gen.writeStringField("issuer", elem.getIssuer()); + gen.writeStringField("subject", elem.getSubject()); + gen.writeEndObject(); + } + gen.writeEndArray(); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamSamlSerializer.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamSamlSerializer.java new file mode 100644 index 000000000..3d803ec02 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamSamlSerializer.java @@ -0,0 +1,29 @@ +package it.infn.mw.iam.audit.utils; + +import java.io.IOException; +import java.util.Collection; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonSerializer; +import com.fasterxml.jackson.databind.SerializerProvider; + +import it.infn.mw.iam.persistence.model.IamSamlId; + +public class IamSamlSerializer extends JsonSerializer> { + + @Override + public void serialize(Collection value, JsonGenerator gen, + SerializerProvider serializers) throws IOException, JsonProcessingException { + + gen.writeStartArray(); + for (IamSamlId elem : value) { + gen.writeStartObject(); + gen.writeStringField("idpid", elem.getIdpId()); + gen.writeStringField("userid", elem.getUserId()); + gen.writeEndObject(); + } + gen.writeEndArray(); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamSshKeySerializer.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamSshKeySerializer.java new file mode 100644 index 000000000..381e954b8 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamSshKeySerializer.java @@ -0,0 +1,29 @@ +package it.infn.mw.iam.audit.utils; + +import java.io.IOException; +import java.util.Collection; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonSerializer; +import com.fasterxml.jackson.databind.SerializerProvider; + +import it.infn.mw.iam.persistence.model.IamSshKey; + +public class IamSshKeySerializer extends JsonSerializer> { + + @Override + public void serialize(Collection value, JsonGenerator gen, + SerializerProvider serializers) throws IOException, JsonProcessingException { + + gen.writeStartArray(); + for (IamSshKey elem : value) { + gen.writeStartObject(); + gen.writeStringField("label", elem.getLabel()); + gen.writeStringField("fingerprint", elem.getFingerprint()); + gen.writeEndObject(); + } + gen.writeEndArray(); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamX509CertificateSerializer.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamX509CertificateSerializer.java new file mode 100644 index 000000000..f582a3abb --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/utils/IamX509CertificateSerializer.java @@ -0,0 +1,31 @@ +package it.infn.mw.iam.audit.utils; + +import java.io.IOException; +import java.util.Collection; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonSerializer; +import com.fasterxml.jackson.databind.SerializerProvider; + +import it.infn.mw.iam.persistence.model.IamX509Certificate; + +public class IamX509CertificateSerializer extends JsonSerializer> { + + @Override + public void serialize(Collection value, JsonGenerator gen, + SerializerProvider serializers) throws IOException, JsonProcessingException { + + gen.writeStartArray(); + for (IamX509Certificate elem : value) { + gen.writeStartObject(); + gen.writeStringField("label", elem.getLabel()); + gen.writeStringField("subjectDn", elem.getSubjectDn()); + gen.writeStringField("issuerDn", elem.getIssuerDn()); + gen.writeStringField("certificate", elem.getCertificate()); + gen.writeEndObject(); + } + gen.writeEndArray(); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/AbstractExternalAuthenticationToken.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/AbstractExternalAuthenticationToken.java index da1a30dd7..ae6873264 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/AbstractExternalAuthenticationToken.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/AbstractExternalAuthenticationToken.java @@ -1,5 +1,6 @@ package it.infn.mw.iam.authn; +import java.io.Serializable; import java.util.Collection; import java.util.Date; import java.util.Map; @@ -9,10 +10,9 @@ import it.infn.mw.iam.persistence.model.IamAccount; -public abstract class AbstractExternalAuthenticationToken +public abstract class AbstractExternalAuthenticationToken extends ExpiringUsernameAuthenticationToken { - /** * */ @@ -32,7 +32,6 @@ public AbstractExternalAuthenticationToken(T authn, Date tokenExpiration, Object this.wrappedAuthentication = authn; } - public T getExternalAuthentication() { return wrappedAuthentication; } @@ -41,6 +40,31 @@ public T getExternalAuthentication() { public abstract void linkToIamAccount(ExternalAccountLinker visitor, IamAccount account); - public abstract ExternalAuthenticationRegistrationInfo toExernalAuthenticationInfo(); + public abstract ExternalAuthenticationRegistrationInfo toExernalAuthenticationRegistrationInfo(); + @Override + public int hashCode() { + int prime = 31; + int result = super.hashCode(); + result = + prime * result + ((wrappedAuthentication == null) ? 0 : wrappedAuthentication.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (!super.equals(obj)) + return false; + if (getClass() != obj.getClass()) + return false; + AbstractExternalAuthenticationToken other = (AbstractExternalAuthenticationToken) obj; + if (wrappedAuthentication == null) { + if (other.wrappedAuthentication != null) + return false; + } else if (!wrappedAuthentication.equals(other.wrappedAuthentication)) + return false; + return true; + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/AuthenticationExceptionMessageHelper.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/AuthenticationExceptionMessageHelper.java index 3f60c290f..6a181c4d8 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/AuthenticationExceptionMessageHelper.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/AuthenticationExceptionMessageHelper.java @@ -2,6 +2,7 @@ import org.springframework.security.core.AuthenticationException; +@FunctionalInterface public interface AuthenticationExceptionMessageHelper { String buildErrorMessage(AuthenticationException e); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAccountLinker.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAccountLinker.java index 1d818e103..ea83057de 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAccountLinker.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAccountLinker.java @@ -37,19 +37,19 @@ public void linkToIamAccount(IamAccount targetAccount, OidcExternalAuthenticatio if (found.equals(targetAccount)) { - String errorMsg = - String.format("OpenID connect account '[%s] %s' is already linked to user '%s'", - oidcIssuer, oidcSubject, found.getUsername()); + String errorMsg = + String.format("OpenID connect account '[%s] %s' is already linked to user '%s'", + oidcIssuer, oidcSubject, found.getUsername()); - throw new AccountAlreadyLinkedError(errorMsg); + throw new AccountAlreadyLinkedError(errorMsg); } else { - String errorMsg = - String.format("OpenID connect account '[%s] %s' is already linked to another user", - oidcIssuer, oidcSubject); + String errorMsg = + String.format("OpenID connect account '[%s] %s' is already linked to another user", + oidcIssuer, oidcSubject); - throw new AccountAlreadyLinkedError(errorMsg); + throw new AccountAlreadyLinkedError(errorMsg); } }); @@ -65,37 +65,35 @@ public void linkToIamAccount(IamAccount targetAccount, OidcExternalAuthenticatio public void linkToIamAccount(IamAccount targetAccount, SamlExternalAuthenticationToken token) { final SAMLCredential credential = - (SAMLCredential) token.getExternalAuthentication().getCredentials(); + (SAMLCredential) token.getExternalAuthentication().getCredentials(); - final String samlSubject = samlUserIdResolver.getUserIdentifier(credential) + final IamSamlId iamSamlId = samlUserIdResolver.resolveSamlUserIdentifier(credential) + .getResolvedId() .orElseThrow(() -> new UsernameNotFoundException( - "Could not extract a user identifier from the SAML assertion")); + "Could not extract a user identifier from the SAML assertion")); - final String samlIssuer = credential.getRemoteEntityID(); - - repo.findBySamlId(samlIssuer, samlSubject).ifPresent(found -> { + repo.findBySamlId(iamSamlId).ifPresent(found -> { if (found.equals(targetAccount)) { - String errorMsg = String.format("SAML account '[%s] %s' is already linked to user '%s'", - samlIssuer, samlSubject, found.getUsername()); + String errorMsg = String.format( + "SAML account '[%s] (%s = %s)' is already linked to user '%s'", iamSamlId.getIdpId(), + iamSamlId.getAttributeId(), iamSamlId.getUserId(), found.getUsername()); - throw new AccountAlreadyLinkedError(errorMsg); + throw new AccountAlreadyLinkedError(errorMsg); } else { - String errorMsg = String.format("SAML account '[%s] %s' is already linked to another user", - samlIssuer, samlSubject); + String errorMsg = + String.format("SAML account '[%s] (%s = %s)' is already linked to another user", + iamSamlId.getIdpId(), iamSamlId.getAttributeId(), iamSamlId.getUserId()); - throw new AccountAlreadyLinkedError(errorMsg); + throw new AccountAlreadyLinkedError(errorMsg); } }); - IamSamlId samlId = new IamSamlId(); - samlId.setIdpId(samlIssuer); - samlId.setUserId(samlSubject); - samlId.setAccount(targetAccount); - targetAccount.getSamlIds().add(samlId); + iamSamlId.setAccount(targetAccount); + targetAccount.getSamlIds().add(iamSamlId); repo.save(targetAccount); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAuthenticationInfoBuilder.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAuthenticationInfoBuilder.java index aa540aad2..4e4d7e048 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAuthenticationInfoBuilder.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAuthenticationInfoBuilder.java @@ -10,7 +10,7 @@ import it.infn.mw.iam.authn.oidc.OidcExternalAuthenticationToken; import it.infn.mw.iam.authn.saml.SamlExternalAuthenticationToken; -import it.infn.mw.iam.authn.saml.util.SamlIdResolvers; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; @Component public class DefaultExternalAuthenticationInfoBuilder implements ExternalAuthenticationInfoBuilder { @@ -19,7 +19,9 @@ public class DefaultExternalAuthenticationInfoBuilder implements ExternalAuthent public static final String OIDC_TYPE = "oidc"; public static final String SAML_TYPE = "saml"; - public DefaultExternalAuthenticationInfoBuilder() {} + public DefaultExternalAuthenticationInfoBuilder() { + // Empty constructor required by Spring + } public Map buildInfoMap(OidcExternalAuthenticationToken token) { checkNotNull(token, "token cannot be null"); @@ -40,16 +42,14 @@ public Map buildInfoMap(SamlExternalAuthenticationToken token) { result.put(TYPE_ATTR, SAML_TYPE); SAMLCredential cred = (SAMLCredential) token.getExternalAuthentication().getCredentials(); + result.put("idpEntityId", cred.getRemoteEntityID()); - // EPUID - if (cred.getAttributeAsString(SamlIdResolvers.EPUID_NAME) != null) { - result.put("epuid", cred.getAttributeAsString(SamlIdResolvers.EPUID_NAME)); - } - - // EPPN - if (cred.getAttributeAsString(SamlIdResolvers.EPPN_NAME) != null) { - result.put("eppn", cred.getAttributeAsString(SamlIdResolvers.EPPN_NAME)); + for (Saml2Attribute attr: Saml2Attribute.values()){ + String attrVal = cred.getAttributeAsString(attr.getAttributeName()); + if ( attrVal != null) { + result.put(attr.name(), attrVal); + } } return result; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAuthenticationInfoProcessor.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAuthenticationInfoProcessor.java index def87d6a6..de43163f5 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAuthenticationInfoProcessor.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultExternalAuthenticationInfoProcessor.java @@ -11,7 +11,9 @@ public class DefaultExternalAuthenticationInfoProcessor implements ExternalAuthenticationInfoProcessor { - public DefaultExternalAuthenticationInfoProcessor() {} + public DefaultExternalAuthenticationInfoProcessor() { + // Empty constructor required by Spring? + } @Override public Map process(OAuth2Authentication authentication) { diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultInactiveAccountAuthenticationHandler.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultInactiveAccountAuthenticationHandler.java index 1bc8b6b6c..c2ec2a994 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultInactiveAccountAuthenticationHandler.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/DefaultInactiveAccountAuthenticationHandler.java @@ -24,18 +24,18 @@ public class DefaultInactiveAccountAuthenticationHandler EnumSet ongoingStatus = EnumSet.of(NEW, CONFIRMED); - public final String WAITING_CONFIRMATION_MSG; - public final String WAITING_APPROVAL_MSG; + public final String waitingConfirmationMsg; + public final String waitingApprovalMsg; @Autowired public DefaultInactiveAccountAuthenticationHandler(IamProperties properties) { this.iamProps = properties; - WAITING_CONFIRMATION_MSG = String.format("Your registration request to %s was submitted " + waitingConfirmationMsg = String.format("Your registration request to %s was submitted " + "successfully, but you haven't confirmed it yet. Check your inbox, you should have received a message with " + "a confirmation URL", iamProps.getOrganisationName()); - WAITING_APPROVAL_MSG = + waitingApprovalMsg = String.format("Your registration request to %s was submitted and confirmed successfully, " + "and is now waiting for administrator approval. As soon as your request is approved you will receive a " + "confirmation email", iamProps.getOrganisationName()); @@ -43,13 +43,8 @@ public DefaultInactiveAccountAuthenticationHandler(IamProperties properties) { protected boolean hasOngoingRegistrationRequest(IamAccount account) { - if (account.getRegistrationRequest() != null) { - if (ongoingStatus.contains(account.getRegistrationRequest().getStatus())) { - return true; - } - } - - return false; + return (account.getRegistrationRequest() != null + && ongoingStatus.contains(account.getRegistrationRequest().getStatus())); } @@ -81,11 +76,11 @@ public void handleInactiveAccount(IamAccount account) throws UsernameNotFoundExc if (hasOngoingRegistrationRequest(account)) { if (requestWaitingForUserConfirmation(account)) { - raiseAuthenticationError(WAITING_CONFIRMATION_MSG); + raiseAuthenticationError(waitingConfirmationMsg); } if (requestWaitingForAdminApproval(account)) { - raiseAuthenticationError(WAITING_APPROVAL_MSG); + raiseAuthenticationError(waitingApprovalMsg); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationFailureHandler.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationFailureHandler.java index 52c777d57..583a3e2d1 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationFailureHandler.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationFailureHandler.java @@ -33,7 +33,7 @@ private String buildRedirectURL(AuthenticationException exception) { try { errorMessage = UriUtils.encode(errorMessage, StandardCharsets.UTF_8.toString()); } catch (UnsupportedEncodingException uex) { - // Unlikely + LOG.error(uex.getMessage(), uex); } return UriComponentsBuilder.fromPath("/login") diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationHandlerSupport.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationHandlerSupport.java index 0555f5953..ce2a8a491 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationHandlerSupport.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationHandlerSupport.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.authn; +import static it.infn.mw.iam.authn.x509.IamX509PreauthenticationProcessingFilter.X509_CREDENTIAL_SESSION_KEY; + import java.util.Optional; import javax.servlet.http.HttpServletRequest; @@ -15,10 +17,12 @@ import com.google.common.base.Strings; +import it.infn.mw.iam.api.account_linking.AccountLinkingConstants; import it.infn.mw.iam.api.scim.exception.IllegalArgumentException; import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType; +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; -public class ExternalAuthenticationHandlerSupport { +public class ExternalAuthenticationHandlerSupport implements AccountLinkingConstants{ public static final String ACCCOUNT_LINKING_BASE_RESOURCE = "/iam/account-linking"; @@ -59,7 +63,7 @@ protected boolean hasAccountLinkingDoneKey(HttpSession session) { } protected void setAccountLinkingDone(HttpSession session) { - session.setAttribute(ACCOUNT_LINKING_DONE_KEY, "DONE");; + session.setAttribute(ACCOUNT_LINKING_DONE_KEY, "DONE"); } protected boolean isExternalUnregisteredUser(Authentication authentication) { @@ -77,10 +81,23 @@ protected boolean hasOngoingAccountLinking(HttpServletRequest request) { return (request.getSession().getAttribute(ACCOUNT_LINKING_SESSION_KEY) != null); } + protected Optional getSavedX509AuthenticationCredential( + HttpSession session) { + return Optional.ofNullable( + (IamX509AuthenticationCredential) session.getAttribute(X509_CREDENTIAL_SESSION_KEY)); + } + + protected Authentication getAccountLinkingSavedAuthentication(HttpSession session) { return (Authentication) session.getAttribute(ACCOUNT_LINKING_SESSION_SAVED_AUTHENTICATION); } + protected void saveX509LinkingSuccess(IamX509AuthenticationCredential cred, + RedirectAttributes attributes) { + attributes.addFlashAttribute(ACCOUNT_LINKING_DASHBOARD_MESSAGE_KEY, + String.format("Certificate '%s' linked succesfully", cred.getSubject())); + } + protected void saveAccountLinkingSuccess( AbstractExternalAuthenticationToken externalAuthenticationToken, RedirectAttributes attributes) { diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationInfoProcessor.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationInfoProcessor.java index 0ba99b305..d0073f214 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationInfoProcessor.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationInfoProcessor.java @@ -3,7 +3,7 @@ import java.util.Map; import org.springframework.security.oauth2.provider.OAuth2Authentication; - +@FunctionalInterface public interface ExternalAuthenticationInfoProcessor { Map process(OAuth2Authentication authentication); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationRegistrationInfo.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationRegistrationInfo.java index 7dfb64ef3..13f67651f 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationRegistrationInfo.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/ExternalAuthenticationRegistrationInfo.java @@ -1,9 +1,16 @@ package it.infn.mw.iam.authn; +import java.io.Serializable; + import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonProperty; -public class ExternalAuthenticationRegistrationInfo { +public class ExternalAuthenticationRegistrationInfo implements Serializable { + + /** + * + */ + private static final long serialVersionUID = 1L; public enum ExternalAuthenticationType { OIDC, SAML @@ -14,6 +21,7 @@ public enum ExternalAuthenticationType { private String issuer; private String subject; + private String subjectAttribute; private String email; @@ -27,6 +35,7 @@ public ExternalAuthenticationRegistrationInfo(ExternalAuthenticationType type) { @JsonCreator public ExternalAuthenticationRegistrationInfo(@JsonProperty("type") String type, @JsonProperty("issuer") String issuer, @JsonProperty("subject") String subject, + @JsonProperty("subject_attribute") String subjectAttribute, @JsonProperty("email") String email, @JsonProperty("given_name") String givenName, @JsonProperty("family_name") String familyName) { @@ -36,6 +45,7 @@ public ExternalAuthenticationRegistrationInfo(@JsonProperty("type") String type, this.email = email; this.givenName = givenName; this.familyName = familyName; + this.subjectAttribute = subjectAttribute; } public ExternalAuthenticationType getType() { @@ -83,4 +93,13 @@ public String getFamilyName() { public void setFamilyName(String familyName) { this.familyName = familyName; } + + @JsonProperty("subject_attribute") + public String getSubjectAttribute() { + return subjectAttribute; + } + + public void setSubjectAttribute(String subjectAttribute) { + this.subjectAttribute = subjectAttribute; + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/InactiveAccountAuthenticationHander.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/InactiveAccountAuthenticationHander.java index 9d17ac7d9..31e86d036 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/InactiveAccountAuthenticationHander.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/InactiveAccountAuthenticationHander.java @@ -3,7 +3,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException; import it.infn.mw.iam.persistence.model.IamAccount; - +@FunctionalInterface public interface InactiveAccountAuthenticationHander { public void handleInactiveAccount(IamAccount account) throws UsernameNotFoundException; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/TimestamperSuccessHandler.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/TimestamperSuccessHandler.java index 4928a4b75..1be1869df 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/TimestamperSuccessHandler.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/TimestamperSuccessHandler.java @@ -13,17 +13,23 @@ import org.mitre.openid.connect.web.AuthenticationTimeStamper; import org.slf4j.Logger; import org.springframework.security.core.Authentication; +import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import it.infn.mw.iam.core.util.IamAuthenticationLogger; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; public class TimestamperSuccessHandler implements AuthenticationSuccessHandler { public static final Logger LOG = getLogger(TimestamperSuccessHandler.class); private final AuthenticationSuccessHandler delegate; - - public TimestamperSuccessHandler(AuthenticationSuccessHandler delegate) { + + private final IamAccountRepository accountRepository; + + public TimestamperSuccessHandler(AuthenticationSuccessHandler delegate, + IamAccountRepository accountRepository) { this.delegate = delegate; + this.accountRepository = accountRepository; } protected void setAuthenticationTimestamp(HttpServletRequest request, @@ -35,13 +41,24 @@ protected void setAuthenticationTimestamp(HttpServletRequest request, IamAuthenticationLogger.INSTANCE.logAuthenticationSuccess(authentication); } + protected void touchLastLoginTimeForIamAccount(Authentication authentication){ + if (authentication instanceof OAuth2Authentication){ + OAuth2Authentication oauth = (OAuth2Authentication) authentication; + if (oauth.getUserAuthentication() != null){ + accountRepository.touchLastLoginTimeForUserWithUsername(oauth.getUserAuthentication().getName()); + } + }else { + accountRepository.touchLastLoginTimeForUserWithUsername(authentication.getName()); + } + } + @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException { delegate.onAuthenticationSuccess(request, response, authentication); setAuthenticationTimestamp(request, response, authentication); + touchLastLoginTimeForIamAccount(authentication); } - } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/DefaultOidcTokenRequestor.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/DefaultOidcTokenRequestor.java index 414df00ec..16db15496 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/DefaultOidcTokenRequestor.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/DefaultOidcTokenRequestor.java @@ -73,40 +73,39 @@ protected HttpEntity> prepareTokenRequest( switch (config.clientConfig.getTokenEndpointAuthMethod()) { case SECRET_BASIC: - basicAuthRequest(config.clientConfig, headers); - break; + basicAuthRequest(config.clientConfig, headers); + break; case SECRET_JWT: - jwtAuthRequest(config.clientConfig); - break; + jwtAuthRequest(config.clientConfig); + break; case PRIVATE_KEY: - jwtPrivateKeyAuthRequest(config.clientConfig); - break; + jwtPrivateKeyAuthRequest(config.clientConfig); + break; case SECRET_POST: - formAuthRequest(config.clientConfig, tokenRequestParams); - break; + formAuthRequest(config.clientConfig, tokenRequestParams); + break; case NONE: - break; + break; default: - throw new AuthenticationServiceException( - "Unsupported token endpoint authentication method"); + throw new AuthenticationServiceException( + "Unsupported token endpoint authentication method"); } - HttpEntity> tokenRequest = - new HttpEntity<>(tokenRequestParams, headers); + return + new HttpEntity<>(tokenRequestParams, headers); - return tokenRequest; } Optional parseErrorResponse(HttpClientErrorException e) { try { TokenEndpointErrorResponse response = jacksonObjectMapper - .readValue(e.getResponseBodyAsByteArray(), TokenEndpointErrorResponse.class); + .readValue(e.getResponseBodyAsByteArray(), TokenEndpointErrorResponse.class); return Optional.of(response); } catch (Exception jsonParsingError) { LOG.error("Error parsing token endpoint response: {}. input: {}", - jsonParsingError.getMessage(), e.getResponseBodyAsString()); + jsonParsingError.getMessage(), e.getResponseBodyAsString(), jsonParsingError); return Optional.empty(); } @@ -122,28 +121,28 @@ public String requestTokens(OidcProviderConfiguration conf, try { return restTemplate.postForObject(conf.serverConfig.getTokenEndpointUri(), - prepareTokenRequest(conf, tokenRequestParams), String.class); + prepareTokenRequest(conf, tokenRequestParams), String.class); } catch (HttpClientErrorException e) { if (e.getStatusCode() != null && e.getStatusCode().equals(BAD_REQUEST)) { - parseErrorResponse(e).ifPresent(er -> { + parseErrorResponse(e).ifPresent(er -> { - String errorMessage = String.format("Token request error: %s '%s'", er.getError(), - er.getErrorDescription()); - LOG.error(errorMessage); + String errorMessage = String.format("Token request error: %s '%s'", er.getError(), + er.getErrorDescription()); + LOG.error(errorMessage); - throw new OidcClientError(e.getMessage(), er.getError(), er.getErrorDescription(), - er.getErrorUri()); + throw new OidcClientError(e.getMessage(), er.getError(), er.getErrorDescription(), + er.getErrorUri()); - }); + }); } String errorMessage = String.format("Token request error: %s", e.getMessage()); LOG.error(errorMessage, e); throw new OidcClientError(errorMessage, e); - } catch (Throwable e) { + } catch (Exception e) { String errorMessage = String.format("Token request error: %s", e.getMessage()); LOG.error(errorMessage, e); throw new OidcClientError(errorMessage, e); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcClientFilter.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcClientFilter.java index 724029f63..d6e7fd9a2 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcClientFilter.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcClientFilter.java @@ -35,9 +35,9 @@ import com.nimbusds.jwt.SignedJWT; /** - * A slightly modified version of mitreid client filter that allows to provide a custom {@link - * ClientHttpRequestFactory} object. This is needed to accomodate SSL connections to providers that - * use EUGridPMA certificates. + * A slightly modified version of mitreid client filter that allows to provide a custom + * {@link ClientHttpRequestFactory} object. This is needed to accomodate SSL connections to + * providers that use EUGridPMA certificates. * */ public class OidcClientFilter extends OIDCAuthenticationFilter { @@ -51,7 +51,7 @@ public OidcProviderConfiguration(ServerConfiguration sc, RegisteredClient cc) { ServerConfiguration serverConfig; RegisteredClient clientConfig; - }; + } public static final Logger LOG = LoggerFactory.getLogger(OidcClientFilter.class); @@ -82,18 +82,18 @@ protected OidcProviderConfiguration lookupProvider(HttpServletRequest request) { throw new AuthenticationServiceException("Issuser not found in session."); } ServerConfiguration serverConfig = - getServerConfigurationService().getServerConfiguration(issuer); + getServerConfigurationService().getServerConfiguration(issuer); if (serverConfig == null) { throw new AuthenticationServiceException("Unknow OpenID provider :" + issuer); } RegisteredClient clientConfig = - getClientConfigurationService().getClientConfiguration(serverConfig); + getClientConfigurationService().getClientConfiguration(serverConfig); if (clientConfig == null) { throw new AuthenticationServiceException( - "Client configuration not found for OpenID provider :" + issuer); + "Client configuration not found for OpenID provider :" + issuer); } return new OidcProviderConfiguration(serverConfig, clientConfig); @@ -145,11 +145,9 @@ private JWT parseToken(String tokenValue) { protected void handleError(HttpServletRequest request, HttpServletResponse response) throws IOException { - OidcClientError error = - new OidcClientError("External authentication error", request.getParameter("error"), - request.getParameter("error_description"), request.getParameter("error_uri")); + throw new OidcClientError("External authentication error", request.getParameter("error"), + request.getParameter("error_description"), request.getParameter("error_uri")); - throw error; } @Override @@ -164,11 +162,11 @@ protected Authentication handleAuthorizationCodeResponse(HttpServletRequest requ try { tokenResponseString = - tokenRequestor.requestTokens(config, initTokenRequestParameters(request, config)); + tokenRequestor.requestTokens(config, initTokenRequestParameters(request, config)); } catch (OidcClientError e) { LOG.error("Error executing token request against endpoint {}: {}", - config.serverConfig.getTokenEndpointUri(), e.getMessage(), e); + config.serverConfig.getTokenEndpointUri(), e.getMessage(), e); throw e; } @@ -184,7 +182,7 @@ protected Authentication handleAuthorizationCodeResponse(HttpServletRequest requ accessTokenValue = tokenResponse.get("access_token").getAsString(); } else { throw new AuthenticationServiceException( - "Token Endpoint did not return an access_token. Response: " + tokenResponseString); + "Token Endpoint did not return an access_token. Response: " + tokenResponseString); } if (tokenResponse.has("id_token")) { @@ -230,11 +228,9 @@ protected void validateSignature(JWT idToken, OidcProviderConfiguration config) JWTSigningAndValidationService jwtValidator = null; - if (clientAlg != null) { - if (!clientAlg.equals(tokenAlg)) { - throw new AuthenticationServiceException( - "Token algorithm " + tokenAlg + " does not match expected algorithm " + clientAlg); - } + if (clientAlg != null && !clientAlg.equals(tokenAlg)) { + throw new AuthenticationServiceException( + "Token algorithm " + tokenAlg + " does not match expected algorithm " + clientAlg); } if (idToken instanceof PlainJWT) { @@ -370,11 +366,13 @@ protected void validateClaims(HttpSession session, JWT idToken, JWTClaimsSet idC } } + @Override public int getTimeSkewAllowance() { return timeSkewAllowance; } + @Override public void setTimeSkewAllowance(int timeSkewAllowance) { this.timeSkewAllowance = timeSkewAllowance; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcExceptionMessageHelper.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcExceptionMessageHelper.java index 5cd5ced30..647441807 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcExceptionMessageHelper.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcExceptionMessageHelper.java @@ -10,7 +10,7 @@ public String buildErrorMessage(AuthenticationException e) { if (e instanceof OidcClientError) { OidcClientError error = (OidcClientError) e; - if (error.getError().equals("access_denied")) { + if ("access_denied".equals(error.getError())) { return "User denied access to requested identity information"; } return error.getError(); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcExternalAuthenticationToken.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcExternalAuthenticationToken.java index 7fad8edd8..4b76dbcd0 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcExternalAuthenticationToken.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcExternalAuthenticationToken.java @@ -36,7 +36,7 @@ public Map buildAuthnInfoMap(ExternalAuthenticationInfoBuilder v } @Override - public ExternalAuthenticationRegistrationInfo toExernalAuthenticationInfo() { + public ExternalAuthenticationRegistrationInfo toExernalAuthenticationRegistrationInfo() { ExternalAuthenticationRegistrationInfo ri = new ExternalAuthenticationRegistrationInfo(ExternalAuthenticationType.OIDC); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcTokenRequestor.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcTokenRequestor.java index 8df5bcf58..9096aa920 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcTokenRequestor.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/OidcTokenRequestor.java @@ -3,7 +3,7 @@ import org.springframework.util.MultiValueMap; import it.infn.mw.iam.authn.oidc.OidcClientFilter.OidcProviderConfiguration; - +@FunctionalInterface public interface OidcTokenRequestor { String requestTokens(OidcProviderConfiguration conf, diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/RestTemplateFactory.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/RestTemplateFactory.java index ffa75dd65..d6ece1b1d 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/RestTemplateFactory.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/RestTemplateFactory.java @@ -1,7 +1,7 @@ package it.infn.mw.iam.authn.oidc; import org.springframework.web.client.RestTemplate; - +@FunctionalInterface public interface RestTemplateFactory { RestTemplate newRestTemplate(); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/service/DefaultOidcUserDetailsService.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/service/DefaultOidcUserDetailsService.java index 6e25efbee..5fbf18c30 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/service/DefaultOidcUserDetailsService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/service/DefaultOidcUserDetailsService.java @@ -55,10 +55,8 @@ protected User buildUserFromIamAccount(IamAccount account) { protected User buildUserFromOIDCAuthentication(OIDCAuthenticationToken token) { String username = token.getSub(); - if (token.getUserInfo() != null) { - if (!Strings.isNullOrEmpty(token.getUserInfo().getName())) { - username = token.getUserInfo().getName(); - } + if (token.getUserInfo() != null && !Strings.isNullOrEmpty(token.getUserInfo().getName())) { + username = token.getUserInfo().getName(); } return new User(username, "", diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/service/OidcUserDetailsService.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/service/OidcUserDetailsService.java index 1a4ce77e4..a26d3373b 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/service/OidcUserDetailsService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/oidc/service/OidcUserDetailsService.java @@ -1,7 +1,7 @@ package it.infn.mw.iam.authn.oidc.service; import org.mitre.openid.connect.model.OIDCAuthenticationToken; - +@FunctionalInterface public interface OidcUserDetailsService { Object loadUserByOIDC(OIDCAuthenticationToken token); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/CleanInactiveProvisionedAccounts.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/CleanInactiveProvisionedAccounts.java new file mode 100644 index 000000000..a16f1b172 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/CleanInactiveProvisionedAccounts.java @@ -0,0 +1,61 @@ +package it.infn.mw.iam.authn.saml; + +import static com.google.common.base.Preconditions.checkArgument; +import static com.google.common.base.Preconditions.checkNotNull; + +import java.time.Instant; +import java.time.LocalDateTime; +import java.time.ZoneId; +import java.util.Date; +import java.util.List; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import it.infn.mw.iam.core.time.TimeProvider; +import it.infn.mw.iam.core.user.IamAccountService; +import it.infn.mw.iam.persistence.model.IamAccount; + +public class CleanInactiveProvisionedAccounts implements Runnable { + + public static final Logger LOG = LoggerFactory.getLogger(CleanInactiveProvisionedAccounts.class); + + final TimeProvider timeProvider; + final IamAccountService accountService; + final int inactiveUserLifetimeInDays; + + public CleanInactiveProvisionedAccounts(TimeProvider timeProvider, + IamAccountService accountService, int inactiveUserLifetimeInDays) { + checkNotNull(timeProvider, "null timeProvider"); + checkNotNull(accountService, "null accountService"); + checkArgument(inactiveUserLifetimeInDays > 0, "inactiveUserLifetimeInDays must be > 0"); + this.timeProvider = timeProvider; + this.accountService = accountService; + this.inactiveUserLifetimeInDays = inactiveUserLifetimeInDays; + } + + private Date computeProvisionedUsersExpirationTimestamp() { + LocalDateTime ldt = LocalDateTime + .ofInstant(Instant.ofEpochMilli(timeProvider.currentTimeMillis()), ZoneId.systemDefault()); + + return Date + .from(ldt.minusDays(inactiveUserLifetimeInDays).atZone(ZoneId.systemDefault()).toInstant()); + } + + @Override + public void run() { + Date expirationTimestamp = computeProvisionedUsersExpirationTimestamp(); + + LOG.info("Attempting removal of provisioned accounts inactive since {}", expirationTimestamp); + + List removedAccounts = + accountService.deleteInactiveProvisionedUsersSinceTime(expirationTimestamp); + + if (removedAccounts.isEmpty()) { + LOG.info("No accounts removed"); + } else { + removedAccounts.forEach(a -> LOG.info("Removed inactive provisioned account: {}", a)); + } + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/DefaultMetadataLookupService.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/DefaultMetadataLookupService.java index f1db4bd9e..969238864 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/DefaultMetadataLookupService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/DefaultMetadataLookupService.java @@ -4,7 +4,10 @@ import java.util.Comparator; import java.util.HashSet; import java.util.List; +import java.util.Optional; import java.util.Set; +import java.util.concurrent.locks.ReadWriteLock; +import java.util.concurrent.locks.ReentrantReadWriteLock; import java.util.stream.Collectors; import org.opensaml.common.xml.SAMLConstants; @@ -34,23 +37,36 @@ public class DefaultMetadataLookupService implements MetadataLookupService { private static final Logger LOG = LoggerFactory.getLogger(DefaultMetadataLookupService.class); Set descriptions = new HashSet<>(); + ReadWriteLock lock = new ReentrantReadWriteLock(true); MetadataManager metadataManager; @Autowired public DefaultMetadataLookupService(MetadataManager manager) { this.metadataManager = manager; - try { - initializeMetadataSet(); - } catch (MetadataProviderException e) { - throw new IllegalStateException(e); - } + refreshMetadata(); } private void initializeMetadataSet() throws MetadataProviderException { + LOG.info("Initializing IdP descriptor list from metadata"); + + Set newDescriptions = new HashSet<>(); + for (String idpName : metadataManager.getIDPEntityNames()) { - descriptions.add(descriptionFromMetadata(metadataManager.getEntityDescriptor(idpName))); + + IdpDescription idpDescription = + descriptionFromMetadata(metadataManager.getEntityDescriptor(idpName)); + + LOG.debug("Adding IdP description: {}", idpDescription); + newDescriptions.add(idpDescription); + } + + try { + lock.writeLock().lock(); + descriptions = newDescriptions; + } finally { + lock.writeLock().unlock(); } } @@ -60,32 +76,26 @@ private IdpDescription descriptionFromMetadata(EntityDescriptor descriptor) { result.setEntityId(descriptor.getEntityID()); IDPSSODescriptor idpDesc = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS); - if (idpDesc != null) { - if (idpDesc.getExtensions() != null) { - - for (final XMLObject object : idpDesc.getExtensions() - .getUnknownXMLObjects(UIInfo.DEFAULT_ELEMENT_NAME)) { - if (object instanceof UIInfo) { - UIInfo uiInfo = (UIInfo) object; - - if (!uiInfo.getDisplayNames().isEmpty()) { - result - .setOrganizationName(uiInfo.getDisplayNames().get(0).getName().getLocalString()); - } + if (idpDesc != null && idpDesc.getExtensions() != null) { - if (!uiInfo.getLogos().isEmpty()) { + for (final XMLObject object : idpDesc.getExtensions() + .getUnknownXMLObjects(UIInfo.DEFAULT_ELEMENT_NAME)) { + if (object instanceof UIInfo) { + UIInfo uiInfo = (UIInfo) object; - Logo minLogo = - uiInfo.getLogos().stream().min(Comparator.comparing(Logo::getHeight)).get(); + if (!uiInfo.getDisplayNames().isEmpty()) { + result.setOrganizationName(uiInfo.getDisplayNames().get(0).getName().getLocalString()); + } - result.setImageUrl(minLogo.getURL()); - } + if (!uiInfo.getLogos().isEmpty()) { + uiInfo.getLogos().stream().min(Comparator.comparing(Logo::getHeight)).ifPresent( + l -> result.setImageUrl(l.getURL())); } } } } - if (result.getOrganizationName() == null || result.getOrganizationName().isEmpty()) { + if (Strings.isNullOrEmpty(result.getOrganizationName())) { result.setOrganizationName(result.getEntityId()); } @@ -93,28 +103,42 @@ private IdpDescription descriptionFromMetadata(EntityDescriptor descriptor) { } - - @Override - public List lookupIdp(String text) { - + private Optional> lookupByEntityId(String text) { // Try entityId match try { EntityDescriptor entityDescriptor = metadataManager.getEntityDescriptor(text); if (entityDescriptor != null) { - return ImmutableList.of(descriptionFromMetadata(entityDescriptor)); + return Optional.of(ImmutableList.of(descriptionFromMetadata(entityDescriptor))); } } catch (MetadataProviderException e) { - throw new RuntimeException(e); + throw new SamlMetadataError(e.getMessage(), e); } - return descriptions.stream() - .filter(p -> p.getOrganizationName() != null - && p.getOrganizationName().toLowerCase().contains(text.toLowerCase())) - .limit(MAX_RESULTS) - .collect(Collectors.toList()); + return Optional.empty(); + } + + @Override + public List lookupIdp(String text) { + + List result = new ArrayList<>(); + + lookupByEntityId(text).ifPresent(result::addAll); + + if (!result.isEmpty()) { + return result; + } + try { + lock.readLock().lock(); + return descriptions.stream() + .filter(p -> p.getOrganizationName().toLowerCase().contains(text.toLowerCase())) + .limit(MAX_RESULTS) + .collect(Collectors.toList()); + } finally { + lock.readLock().unlock(); + } } @Override @@ -142,5 +166,13 @@ public List listIdps() { } + @Override + public void refreshMetadata() { + try { + initializeMetadataSet(); + } catch (MetadataProviderException e) { + throw new SamlMetadataError(e); + } + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/DefaultSAMLUserDetailsService.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/DefaultSAMLUserDetailsService.java index 1dcd1ae50..151289ab8 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/DefaultSAMLUserDetailsService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/DefaultSAMLUserDetailsService.java @@ -1,76 +1,42 @@ package it.infn.mw.iam.authn.saml; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; import java.util.Optional; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.core.authority.SimpleGrantedAuthority; -import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.saml.SAMLCredential; import org.springframework.security.saml.userdetails.SAMLUserDetailsService; -import it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport; import it.infn.mw.iam.authn.InactiveAccountAuthenticationHander; import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolver; import it.infn.mw.iam.persistence.model.IamAccount; -import it.infn.mw.iam.persistence.model.IamAuthority; +import it.infn.mw.iam.persistence.model.IamSamlId; import it.infn.mw.iam.persistence.repository.IamAccountRepository; -public class DefaultSAMLUserDetailsService implements SAMLUserDetailsService { +public class DefaultSAMLUserDetailsService extends SAMLUserDetailsServiceSupport + implements SAMLUserDetailsService { - final SamlUserIdentifierResolver resolver; final IamAccountRepository repo; - final InactiveAccountAuthenticationHander inactiveAccountHandler; - @Autowired public DefaultSAMLUserDetailsService(SamlUserIdentifierResolver resolver, IamAccountRepository repo, InactiveAccountAuthenticationHander handler) { - this.resolver = resolver; + super(handler, resolver); this.repo = repo; - this.inactiveAccountHandler = handler; - } - - - List convertAuthorities(IamAccount a) { - - List authorities = new ArrayList<>(); - for (IamAuthority auth : a.getAuthorities()) { - authorities.add(new SimpleGrantedAuthority(auth.getAuthority())); - } - return authorities; - } - - protected User buildUserFromIamAccount(IamAccount account) { - inactiveAccountHandler.handleInactiveAccount(account); - return new User(account.getUsername(), account.getPassword(), convertAuthorities(account)); - } - - protected User buildUserFromSamlCredential(String userSamlId, SAMLCredential credential) { - return new User(userSamlId, "", - Arrays.asList(ExternalAuthenticationHandlerSupport.EXT_AUTHN_UNREGISTERED_USER_AUTH)); } @Override public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException { - String issuerId = credential.getRemoteEntityID(); - - String userSamlId = - resolver.getUserIdentifier(credential).orElseThrow(() -> new UsernameNotFoundException( - "Could not extract a user identifier from the SAML assertion")); + IamSamlId samlId = resolverSamlId(credential); - Optional account = repo.findBySamlId(issuerId, userSamlId); + Optional account = repo.findBySamlId(samlId); if (account.isPresent()) { return buildUserFromIamAccount(account.get()); } - return buildUserFromSamlCredential(userSamlId, credential); + return buildUserFromSamlCredential(samlId, credential); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/IamSamlAuthenticationProvider.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/IamSamlAuthenticationProvider.java index e0d3bbb66..88dfe2903 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/IamSamlAuthenticationProvider.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/IamSamlAuthenticationProvider.java @@ -1,13 +1,40 @@ package it.infn.mw.iam.authn.saml; +import java.util.Collections; +import java.util.List; +import java.util.function.Supplier; + +import org.springframework.security.authentication.AuthenticationServiceException; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.User; import org.springframework.security.providers.ExpiringUsernameAuthenticationToken; import org.springframework.security.saml.SAMLAuthenticationProvider; +import org.springframework.security.saml.SAMLCredential; + +import com.google.common.base.Joiner; + +import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolutionResult; +import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolver; +import it.infn.mw.iam.persistence.model.IamSamlId; public class IamSamlAuthenticationProvider extends SAMLAuthenticationProvider { + final SamlUserIdentifierResolver userIdResolver; + final Joiner joiner = Joiner.on(",").skipNulls(); + + public IamSamlAuthenticationProvider(SamlUserIdentifierResolver resolver) { + this.userIdResolver = resolver; + } + + private Supplier handleResolutionFailure( + SamlUserIdentifierResolutionResult result) { + + List errorMessages = result.getErrorMessages().orElse(Collections.emptyList()); + + return () -> new AuthenticationServiceException(joiner.join(errorMessages)); + } + @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { @@ -20,11 +47,16 @@ public Authentication authenticate(Authentication authentication) throws Authent User user = (User) token.getDetails(); - SamlExternalAuthenticationToken extAuthnToken = - new SamlExternalAuthenticationToken(token, token.getTokenExpiration(), user.getUsername(), - token.getCredentials(), token.getAuthorities()); + SAMLCredential samlCredentials = (SAMLCredential) token.getCredentials(); + + SamlUserIdentifierResolutionResult result = + userIdResolver.resolveSamlUserIdentifier(samlCredentials); + + IamSamlId samlId = result.getResolvedId().orElseThrow(handleResolutionFailure(result)); + + return new SamlExternalAuthenticationToken(samlId, token, token.getTokenExpiration(), + user.getUsername(), token.getCredentials(), token.getAuthorities()); - return extAuthnToken; } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/JustInTimeProvisioningSAMLUserDetailsService.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/JustInTimeProvisioningSAMLUserDetailsService.java new file mode 100644 index 000000000..abc814ab7 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/JustInTimeProvisioningSAMLUserDetailsService.java @@ -0,0 +1,114 @@ +package it.infn.mw.iam.authn.saml; + +import static com.google.common.base.Preconditions.checkNotNull; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.GIVEN_NAME; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.MAIL; + +import java.util.EnumSet; +import java.util.Optional; +import java.util.Set; +import java.util.UUID; + +import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.saml.SAMLCredential; +import org.springframework.security.saml.userdetails.SAMLUserDetailsService; + +import it.infn.mw.iam.authn.InactiveAccountAuthenticationHander; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; +import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolver; +import it.infn.mw.iam.core.user.IamAccountService; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; + +public class JustInTimeProvisioningSAMLUserDetailsService extends SAMLUserDetailsServiceSupport + implements SAMLUserDetailsService { + + private final IamAccountRepository repo; + private final IamAccountService accountService; + private final Optional> trustedIdpEntityIds; + + private static final EnumSet REQUIRED_SAML_ATTRIBUTES = + EnumSet.of(Saml2Attribute.MAIL, Saml2Attribute.GIVEN_NAME, Saml2Attribute.SN); + + public JustInTimeProvisioningSAMLUserDetailsService(SamlUserIdentifierResolver resolver, + IamAccountService accountService, InactiveAccountAuthenticationHander inactiveAccountHandler, + IamAccountRepository repo, + Optional> trustedIdpEntityIds) { + super(inactiveAccountHandler, resolver); + this.accountService = accountService; + this.repo = repo; + this.trustedIdpEntityIds = trustedIdpEntityIds; + } + + + protected void samlCredentialEntityIdChecks(SAMLCredential credential){ + trustedIdpEntityIds.ifPresent(l -> { + if (!l.contains(credential.getRemoteEntityID())){ + throw new UsernameNotFoundException( + String.format("Error provisioning user! SAML credential issuer '%s' is not trusted" + + " for just-in-time account provisioning.", credential.getRemoteEntityID())); + } + }); + } + + protected void samlCredentialSanityChecks(SAMLCredential credential) { + + for (Saml2Attribute a : REQUIRED_SAML_ATTRIBUTES) { + if (credential.getAttributeAsString(a.getAttributeName()) == null) { + throw new UsernameNotFoundException(String.format( + "Error provisioning user! SAML credential is missing required attribute: %s (%s)", + a.getAlias(), a.getAttributeName())); + } + } + + + } + + + @Override + public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException { + checkNotNull(credential, "null saml credential"); + + IamSamlId samlId = resolverSamlId(credential); + + Optional account = repo.findBySamlId(samlId); + + if (account.isPresent()) { + return buildUserFromIamAccount(account.get()); + } + + samlCredentialEntityIdChecks(credential); + samlCredentialSanityChecks(credential); + + final String randomUuid = UUID.randomUUID().toString(); + + // Create account from SAMLCredential + IamAccount newAccount = IamAccount.newAccount(); + + newAccount.setProvisioned(true); + newAccount.getSamlIds().add(samlId); + samlId.setAccount(newAccount); + + newAccount.setActive(true); + + if (samlId.getUserId().length() < 128) { + newAccount.setUsername(samlId.getUserId()); + } else { + newAccount.setUsername(randomUuid); + } + + newAccount.getUserInfo() + .setGivenName(credential.getAttributeAsString(GIVEN_NAME.getAttributeName())); + + newAccount.getUserInfo() + .setFamilyName(credential.getAttributeAsString(Saml2Attribute.SN.getAttributeName())); + + newAccount.getUserInfo().setEmail(credential.getAttributeAsString(MAIL.getAttributeName())); + + accountService.createAccount(newAccount); + + return buildUserFromIamAccount(newAccount); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/MetadataLookupService.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/MetadataLookupService.java index 29dc82ff1..f28b8900d 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/MetadataLookupService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/MetadataLookupService.java @@ -9,4 +9,6 @@ public interface MetadataLookupService { List lookupIdp(String text); List listIdps(); + + void refreshMetadata(); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SAMLUserDetailsServiceSupport.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SAMLUserDetailsServiceSupport.java new file mode 100644 index 000000000..8d84811e9 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SAMLUserDetailsServiceSupport.java @@ -0,0 +1,56 @@ +package it.infn.mw.iam.authn.saml; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.saml.SAMLCredential; + +import it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport; +import it.infn.mw.iam.authn.InactiveAccountAuthenticationHander; +import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolver; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamAuthority; +import it.infn.mw.iam.persistence.model.IamSamlId; + +public class SAMLUserDetailsServiceSupport { + + private final InactiveAccountAuthenticationHander inactiveAccountHandler; + private final SamlUserIdentifierResolver resolver; + + protected SAMLUserDetailsServiceSupport(InactiveAccountAuthenticationHander inactiveAccountHandler, + SamlUserIdentifierResolver resolver) { + + this.inactiveAccountHandler = inactiveAccountHandler; + this.resolver = resolver; + } + + protected List convertAuthorities(IamAccount a) { + + List authorities = new ArrayList<>(); + for (IamAuthority auth : a.getAuthorities()) { + authorities.add(new SimpleGrantedAuthority(auth.getAuthority())); + } + return authorities; + } + + protected User buildUserFromIamAccount(IamAccount account) { + inactiveAccountHandler.handleInactiveAccount(account); + return new User(account.getUsername(), account.getPassword(), convertAuthorities(account)); + } + + protected User buildUserFromSamlCredential(IamSamlId samlId, SAMLCredential credential) { + return new User(samlId.getUserId(), "", + Arrays.asList(ExternalAuthenticationHandlerSupport.EXT_AUTHN_UNREGISTERED_USER_AUTH)); + } + + protected IamSamlId resolverSamlId(SAMLCredential credential) { + return resolver.resolveSamlUserIdentifier(credential).getResolvedId() + .orElseThrow(() -> new UsernameNotFoundException( + "Could not extract a user identifier from the SAML assertion")); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlExternalAuthenticationToken.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlExternalAuthenticationToken.java index b964522e2..a56addef4 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlExternalAuthenticationToken.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlExternalAuthenticationToken.java @@ -1,5 +1,9 @@ package it.infn.mw.iam.authn.saml; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.GIVEN_NAME; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.MAIL; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.SN; + import java.util.Collection; import java.util.Date; import java.util.Map; @@ -16,21 +20,20 @@ import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo; import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType; import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; public class SamlExternalAuthenticationToken extends AbstractExternalAuthenticationToken { private static final long serialVersionUID = -7854473523011856692L; - - public static final String OID_GIVEN_NAME = "urn:oid:2.5.4.42"; - public static final String OID_SN = "urn:oid:2.5.4.4"; - public static final String OID_CN = "urn:oid:2.5.4.3"; - public static final String OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"; - - public SamlExternalAuthenticationToken(ExpiringUsernameAuthenticationToken authn, + + private final IamSamlId samlId; + + public SamlExternalAuthenticationToken(IamSamlId samlId, ExpiringUsernameAuthenticationToken authn, Date tokenExpiration, Object principal, Object credentials, Collection authorities) { super(authn, tokenExpiration, principal, credentials, authorities); + this.samlId = samlId; } @Override @@ -40,26 +43,27 @@ public Map buildAuthnInfoMap(ExternalAuthenticationInfoBuilder v } @Override - public ExternalAuthenticationRegistrationInfo toExernalAuthenticationInfo() { + public ExternalAuthenticationRegistrationInfo toExernalAuthenticationRegistrationInfo() { ExternalAuthenticationRegistrationInfo ri = new ExternalAuthenticationRegistrationInfo(ExternalAuthenticationType.SAML); SAMLCredential cred = (SAMLCredential) getExternalAuthentication().getCredentials(); - ri.setIssuer(cred.getRemoteEntityID()); - ri.setSubject(getName()); + ri.setIssuer(samlId.getIdpId()); + ri.setSubject(samlId.getUserId()); + ri.setSubjectAttribute(samlId.getAttributeId()); - if (!Strings.isNullOrEmpty(cred.getAttributeAsString(OID_GIVEN_NAME))) { - ri.setGivenName(cred.getAttributeAsString(OID_GIVEN_NAME)); + if (!Strings.isNullOrEmpty(cred.getAttributeAsString(GIVEN_NAME.getAttributeName()))) { + ri.setGivenName(cred.getAttributeAsString(GIVEN_NAME.getAttributeName())); } - if (!Strings.isNullOrEmpty(cred.getAttributeAsString(OID_SN))) { - ri.setFamilyName(cred.getAttributeAsString(OID_SN)); + if (!Strings.isNullOrEmpty(cred.getAttributeAsString(SN.getAttributeName()))) { + ri.setFamilyName(cred.getAttributeAsString(SN.getAttributeName())); } - if (!Strings.isNullOrEmpty(cred.getAttributeAsString(OID_MAIL))) { - ri.setEmail(cred.getAttributeAsString(OID_MAIL)); + if (!Strings.isNullOrEmpty(cred.getAttributeAsString(MAIL.getAttributeName()))) { + ri.setEmail(cred.getAttributeAsString(MAIL.getAttributeName())); } return ri; @@ -70,4 +74,7 @@ public void linkToIamAccount(ExternalAccountLinker visitor, IamAccount account) visitor.linkToIamAccount(account, this); } + public IamSamlId getSamlId() { + return samlId; + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlMetadataError.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlMetadataError.java new file mode 100644 index 000000000..77188dd02 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlMetadataError.java @@ -0,0 +1,23 @@ +package it.infn.mw.iam.authn.saml; + +public class SamlMetadataError extends RuntimeException { + + + /** + * + */ + private static final long serialVersionUID = 1L; + + public SamlMetadataError(String message) { + super(message); + } + + public SamlMetadataError(Throwable cause) { + super(cause); + } + + public SamlMetadataError(String message, Throwable cause) { + super(message, cause); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/model/IdpDescription.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/model/IdpDescription.java index 8f0ae0751..dc778f5b2 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/model/IdpDescription.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/model/IdpDescription.java @@ -4,7 +4,7 @@ import com.fasterxml.jackson.annotation.JsonInclude.Include; @JsonInclude(Include.NON_EMPTY) -public class IdpDescription { +public class IdpDescription { private String entityId; private String organizationName; @@ -34,5 +34,9 @@ public void setImageUrl(String imageUrl) { this.imageUrl = imageUrl; } - + @Override + public String toString() { + return "IdpDescription [entityId=" + entityId + ", organizationName=" + organizationName + + ", imageUrl=" + imageUrl + "]"; + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/AbstractSamlUserIdentifierResolver.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/AbstractSamlUserIdentifierResolver.java new file mode 100644 index 000000000..d46d9a093 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/AbstractSamlUserIdentifierResolver.java @@ -0,0 +1,17 @@ +package it.infn.mw.iam.authn.saml.util; + +public abstract class AbstractSamlUserIdentifierResolver + implements NamedSamlUserIdentifierResolver { + + private final String name; + + public AbstractSamlUserIdentifierResolver(String name) { + this.name = name; + } + + @Override + public String getName() { + return name; + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/AttributeUserIdentifierResolver.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/AttributeUserIdentifierResolver.java index 171747ed0..42a84f102 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/AttributeUserIdentifierResolver.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/AttributeUserIdentifierResolver.java @@ -1,22 +1,37 @@ package it.infn.mw.iam.authn.saml.util; -import java.util.Optional; - import org.springframework.security.saml.SAMLCredential; -public class AttributeUserIdentifierResolver implements SamlUserIdentifierResolver { +import it.infn.mw.iam.persistence.model.IamSamlId; + +public class AttributeUserIdentifierResolver extends AbstractSamlUserIdentifierResolver { - private final String attributeName; + Saml2Attribute attribute; - public AttributeUserIdentifierResolver(String attributeName) { - this.attributeName = attributeName; + public AttributeUserIdentifierResolver(Saml2Attribute attribute) { + super(attribute.name()); + this.attribute = attribute; } @Override - public Optional getUserIdentifier(SAMLCredential samlCredential) { - - return Optional.ofNullable(samlCredential.getAttributeAsString(attributeName)); - + public SamlUserIdentifierResolutionResult resolveSamlUserIdentifier( + SAMLCredential samlCredential) { + + String attributeValue = samlCredential.getAttributeAsString(attribute.getAttributeName()); + + if (attributeValue == null) { + return SamlUserIdentifierResolutionResult + .resolutionFailure(String.format("Attribute '%s:%s' not found in assertion", attribute.getAlias(), + attribute.getAttributeName())); + } + + IamSamlId samlId = new IamSamlId(); + samlId.setIdpId(samlCredential.getRemoteEntityID()); + samlId.setAttributeId(attribute.getAttributeName()); + samlId.setUserId(attributeValue); + + return SamlUserIdentifierResolutionResult.resolutionSuccess(samlId); + } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/FirstApplicableChainedSamlIdResolver.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/FirstApplicableChainedSamlIdResolver.java index 3a7db146e..115c21acd 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/FirstApplicableChainedSamlIdResolver.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/FirstApplicableChainedSamlIdResolver.java @@ -1,7 +1,7 @@ package it.infn.mw.iam.authn.saml.util; +import java.util.ArrayList; import java.util.List; -import java.util.Optional; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -18,25 +18,29 @@ public FirstApplicableChainedSamlIdResolver(List res } @Override - public Optional getUserIdentifier(SAMLCredential samlCredential) { + public SamlUserIdentifierResolutionResult resolveSamlUserIdentifier(SAMLCredential samlCredential) { + List errorMessages = new ArrayList<>(); + for (SamlUserIdentifierResolver resolver : resolvers) { LOG.debug("Attempting SAML user id resolution with resolver {}", resolver.getClass().getName()); - Optional userId = resolver.getUserIdentifier(samlCredential); - - if (userId.isPresent()) { - - LOG.debug("Resolved user id: {}", userId); - return userId; + SamlUserIdentifierResolutionResult result = resolver + .resolveSamlUserIdentifier(samlCredential); + + if (result.getResolvedId().isPresent()){ + LOG.debug("Resolved SAML user id: {}", result.getResolvedId().get()); + return result; } + + result.getErrorMessages().ifPresent(errorMessages::addAll); } LOG.debug( "All configured user id resolvers could not resolve the user id from SAML credential"); - return Optional.empty(); + return SamlUserIdentifierResolutionResult.resolutionFailure(errorMessages); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/NameIdUserIdentifierResolver.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/NameIdUserIdentifierResolver.java index c21e1493a..ec7559a8c 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/NameIdUserIdentifierResolver.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/NameIdUserIdentifierResolver.java @@ -1,26 +1,39 @@ package it.infn.mw.iam.authn.saml.util; -import java.util.Optional; - import org.opensaml.saml2.core.NameID; import org.springframework.security.saml.SAMLCredential; import com.google.common.base.Verify; -public class NameIdUserIdentifierResolver implements SamlUserIdentifierResolver { +import it.infn.mw.iam.persistence.model.IamSamlId; - @Override - public Optional getUserIdentifier(SAMLCredential samlCredential) { +public class NameIdUserIdentifierResolver extends AbstractSamlUserIdentifierResolver{ - Verify.verifyNotNull(samlCredential); + public static final String NAMEID_RESOLVER = "nameID"; + + public NameIdUserIdentifierResolver() { + super(NAMEID_RESOLVER); + } + @Override + public SamlUserIdentifierResolutionResult resolveSamlUserIdentifier( + SAMLCredential samlCredential) { + + Verify.verifyNotNull(samlCredential); + if (samlCredential.getNameID() != null) { NameID nameId = samlCredential.getNameID(); - return Optional.of(nameId.getValue()); + + IamSamlId samlId = new IamSamlId(); + samlId.setAttributeId(nameId.getFormat()); + samlId.setUserId(nameId.getValue()); + samlId.setIdpId(samlCredential.getRemoteEntityID()); + + return SamlUserIdentifierResolutionResult.resolutionSuccess(samlId); } - return Optional.empty(); + return SamlUserIdentifierResolutionResult.resolutionFailure("NameID resolution failure"); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/NamedSamlUserIdentifierResolver.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/NamedSamlUserIdentifierResolver.java new file mode 100644 index 000000000..ffe2dfce9 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/NamedSamlUserIdentifierResolver.java @@ -0,0 +1,7 @@ +package it.infn.mw.iam.authn.saml.util; + +public interface NamedSamlUserIdentifierResolver extends SamlUserIdentifierResolver { + + public String getName(); + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/Saml2Attribute.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/Saml2Attribute.java new file mode 100644 index 000000000..9233d9d43 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/Saml2Attribute.java @@ -0,0 +1,32 @@ +package it.infn.mw.iam.authn.saml.util; + +public enum Saml2Attribute { + + EPUID("eduPersonUniqueId", "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"), + EPTID("eduPersonTargetedId", "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"), + EPPN("eduPersonPrincipalName", "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"), + EPORCID("eduPersonOrcid", "urn:oid:1.3.6.1.4.1.5923.1.1.1.16"), + MAIL("mail", "urn:oid:0.9.2342.19200300.100.1.3"), + GIVEN_NAME("givenName", "urn:oid:2.5.4.42"), + SN("sn", "urn:oid:2.5.4.4"), + CN("cn", "urn:oid:2.5.4.3"), + EMPLOYEE_NUMBER("employeeNumber", "urn:oid:2.16.840.1.113730.3.1.3"), + SPID_CODE("spidCode", "spidCode"); + + private String alias; + private String attributeName; + + private Saml2Attribute(String alias, String attributeName) { + this.alias = alias; + this.attributeName = attributeName; + } + + public String getAlias() { + return alias; + } + + public String getAttributeName() { + return attributeName; + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlIdResolvers.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlIdResolvers.java index 93cb0f589..335b471c4 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlIdResolvers.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlIdResolvers.java @@ -1,26 +1,33 @@ package it.infn.mw.iam.authn.saml.util; +import com.google.common.collect.ImmutableMap; + public class SamlIdResolvers { - public static final String EPUID_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"; - public static final String EPPN_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"; - public static final String MAIL_NAME = "urn:oid:0.9.2342.19200300.100.1.3"; + public static final String NAME_ID_NAME = "nameID"; + + private ImmutableMap registeredResolvers; - private SamlIdResolvers() {} + public SamlIdResolvers() { + ImmutableMap.Builder builder = + ImmutableMap.builder(); - public static SamlUserIdentifierResolver epuid() { - return new AttributeUserIdentifierResolver(EPUID_NAME); - } + for (Saml2Attribute a : Saml2Attribute.values()) { + builder.put(a.getAlias(), new AttributeUserIdentifierResolver(a)); + } - public static SamlUserIdentifierResolver eppn() { - return new AttributeUserIdentifierResolver(EPPN_NAME); - } + builder.put(NAME_ID_NAME, new NameIdUserIdentifierResolver()); - public static SamlUserIdentifierResolver mail() { - return new AttributeUserIdentifierResolver(MAIL_NAME); + registeredResolvers = builder.build(); } - public static SamlUserIdentifierResolver nameid() { - return new NameIdUserIdentifierResolver(); + public SamlUserIdentifierResolver byAttribute(Saml2Attribute attribute) { + return registeredResolvers.get(attribute.getAlias()); } + + public SamlUserIdentifierResolver byName(String name) { + return registeredResolvers.get(name); + } + + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlUserIdentifierResolutionResult.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlUserIdentifierResolutionResult.java new file mode 100644 index 000000000..ec9208a42 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlUserIdentifierResolutionResult.java @@ -0,0 +1,51 @@ +package it.infn.mw.iam.authn.saml.util; + +import java.util.ArrayList; +import java.util.List; +import java.util.Optional; + +import it.infn.mw.iam.persistence.model.IamSamlId; + +public class SamlUserIdentifierResolutionResult { + + + final Optional resolvedId; + final Optional> errorMessages; + + private SamlUserIdentifierResolutionResult(IamSamlId resolvedId){ + this.resolvedId = Optional.of(resolvedId); + this.errorMessages = Optional.empty(); + } + + private SamlUserIdentifierResolutionResult(String errorMessage){ + this.resolvedId = Optional.empty(); + List errors = new ArrayList<>(); + errors.add(errorMessage); + this.errorMessages = Optional.of(errors); + } + + private SamlUserIdentifierResolutionResult(List errorMessages){ + this.resolvedId = Optional.empty(); + this.errorMessages = Optional.of(errorMessages); + } + + public Optional getResolvedId() { + return resolvedId; + } + + public Optional> getErrorMessages() { + return errorMessages; + } + + public static SamlUserIdentifierResolutionResult resolutionSuccess(IamSamlId resolvedId){ + return new SamlUserIdentifierResolutionResult(resolvedId); + } + + public static SamlUserIdentifierResolutionResult resolutionFailure(String errorMessage){ + return new SamlUserIdentifierResolutionResult(errorMessage); + } + + public static SamlUserIdentifierResolutionResult resolutionFailure(List errorMessages) { + return new SamlUserIdentifierResolutionResult(errorMessages); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlUserIdentifierResolver.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlUserIdentifierResolver.java index 2b62ee533..025869123 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlUserIdentifierResolver.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/util/SamlUserIdentifierResolver.java @@ -1,11 +1,7 @@ package it.infn.mw.iam.authn.saml.util; -import java.util.Optional; - import org.springframework.security.saml.SAMLCredential; - +@FunctionalInterface public interface SamlUserIdentifierResolver { - - public Optional getUserIdentifier(SAMLCredential samlCredential); - + public SamlUserIdentifierResolutionResult resolveSamlUserIdentifier(SAMLCredential samlCredential); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/web/SamlRefreshMetadataController.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/web/SamlRefreshMetadataController.java new file mode 100644 index 000000000..c2911c5ca --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/web/SamlRefreshMetadataController.java @@ -0,0 +1,31 @@ +package it.infn.mw.iam.authn.saml.web; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Profile; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.saml.metadata.MetadataManager; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +import it.infn.mw.iam.authn.saml.MetadataLookupService; + +@RestController +@Profile("saml") +public class SamlRefreshMetadataController { + + @Autowired + MetadataManager metadataManager; + + @Autowired + MetadataLookupService metadataLookupService; + + @PreAuthorize("hasRole('ADMIN')") + @RequestMapping(value="/saml/refresh-metadata") + public String refreshMetadata() { + metadataManager.setRefreshRequired(true); + metadataManager.refreshMetadata(); + metadataLookupService.refreshMetadata(); + return "ok"; + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/web/SamlSsoController.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/web/SamlSsoController.java index 2d59c70c6..4122cbbf5 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/web/SamlSsoController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/web/SamlSsoController.java @@ -25,7 +25,7 @@ public class SamlSsoController { @Autowired MetadataLookupService lookupService; - + @RequestMapping(value = "/idps", method = RequestMethod.GET) public @ResponseBody List idps( @RequestParam(value = "q", required = false) String text) { @@ -43,4 +43,5 @@ public String selectIdp(@RequestParam("entityID") String entityId, @RequestParam("returnIDParam") String returnIDParam) { return "iam/samlDiscovery"; } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/util/AuthenticationUtils.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/util/AuthenticationUtils.java index 7965c56c3..f4327fba2 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/util/AuthenticationUtils.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/util/AuthenticationUtils.java @@ -1,12 +1,19 @@ package it.infn.mw.iam.authn.util; +import java.util.List; +import java.util.stream.Collectors; + import org.mitre.oauth2.model.SavedUserAuthentication; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; import com.google.common.collect.ImmutableSet; import it.infn.mw.iam.authn.oidc.OidcExternalAuthenticationToken; import it.infn.mw.iam.authn.saml.SamlExternalAuthenticationToken; +import it.infn.mw.iam.persistence.model.IamAccount; public class AuthenticationUtils { @@ -14,6 +21,8 @@ public class AuthenticationUtils { ImmutableSet.of(SamlExternalAuthenticationToken.class.getName(), OidcExternalAuthenticationToken.class.getName()); + private AuthenticationUtils() {} + public static boolean isSupportedExternalAuthenticationToken(Authentication authn) { if (authn instanceof SavedUserAuthentication) { @@ -27,6 +36,17 @@ public static boolean isSupportedExternalAuthenticationToken(Authentication auth return false; } - private AuthenticationUtils() {} + public static List convertIamAccountAuthorities(IamAccount account) { + return account.getAuthorities() + .stream() + .map(a -> new SimpleGrantedAuthority(a.getAuthority())) + .collect(Collectors.toList()); + } + + public static User userFromIamAccount(IamAccount account){ + return new User(account.getUsername(), account.getPassword(), convertIamAccountAuthorities(account)); + } + + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/CertificateParsingError.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/CertificateParsingError.java new file mode 100644 index 000000000..70ed02516 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/CertificateParsingError.java @@ -0,0 +1,17 @@ +package it.infn.mw.iam.authn.x509; + +public class CertificateParsingError extends RuntimeException { + + /** + * + */ + private static final long serialVersionUID = 1L; + + public CertificateParsingError(String message) { + super(message); + } + + public CertificateParsingError(String message, Throwable cause) { + super(message, cause); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/DefaultX509AuthenticationCredentialExtractor.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/DefaultX509AuthenticationCredentialExtractor.java new file mode 100644 index 000000000..69d9a3854 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/DefaultX509AuthenticationCredentialExtractor.java @@ -0,0 +1,127 @@ +package it.infn.mw.iam.authn.x509; + +import static it.infn.mw.iam.authn.x509.DefaultX509AuthenticationCredentialExtractor.Headers.CLIENT_CERT; +import static it.infn.mw.iam.authn.x509.DefaultX509AuthenticationCredentialExtractor.Headers.ISSUER; +import static it.infn.mw.iam.authn.x509.DefaultX509AuthenticationCredentialExtractor.Headers.SUBJECT; +import static it.infn.mw.iam.authn.x509.DefaultX509AuthenticationCredentialExtractor.Headers.VERIFY; + +import java.util.EnumSet; +import java.util.Optional; + +import javax.servlet.http.HttpServletRequest; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import com.google.common.base.Strings; + +@Component +public class DefaultX509AuthenticationCredentialExtractor + implements X509AuthenticationCredentialExtractor { + + public enum Headers { + CLIENT_CERT("X-SSL-Client-Cert"), + SUBJECT("X-SSL-Client-S-Dn"), + ISSUER("X-SSL-Client-I-Dn"), + SERIAL("X-SSL-Client-Serial"), + VERIFY("X-SSL-Client-Verify"), + V_START("X-SSL-Client-V-Start"), + V_END("X-SSL-Client-V-End"), + PROTOCOL("X-SSL-Protocol"), + SERVER_NAME("X-SSL-Server-Name"); + + private final String header; + + private Headers(String header) { + this.header = header; + } + + public String getHeader() { + return header; + } + } + + public static final Logger LOG = + LoggerFactory.getLogger(DefaultX509AuthenticationCredentialExtractor.class); + + private final X509CertificateChainParser certChainParser; + + protected static final EnumSet HEADERS_REQUIRED = + EnumSet.complementOf(EnumSet.of(Headers.SERVER_NAME)); + + @Autowired + public DefaultX509AuthenticationCredentialExtractor(X509CertificateChainParser chainParser) { + this.certChainParser = chainParser; + } + + private String getHeader(HttpServletRequest request, Headers header){ + return request.getHeader(header.header); + } + + private void headerNamesSanityChecks(HttpServletRequest request) { + for (Headers e : HEADERS_REQUIRED) { + if (Strings.isNullOrEmpty(request.getHeader(e.header))) { + throw new IllegalArgumentException("Required header not found: " + e.header); + } + } + } + + private X509CertificateVerificationResult parseVerifyHeader(HttpServletRequest request) { + String verifyHeaderContent = request.getHeader(VERIFY.header); + + if ("SUCCESS".equals(verifyHeaderContent)) { + return X509CertificateVerificationResult.success(); + } + + // NGINX returns a client certificate validation failure in the following form: + // FAILED:reason + if (verifyHeaderContent.startsWith("FAILED:")) { + String reason = verifyHeaderContent.substring(7); // skip the "FAILED:" preamble + return X509CertificateVerificationResult.failed(reason); + } + + final String errorMsg = + String.format("Could not parse X.509 certificate verification header: %s : %s", + VERIFY.header, verifyHeaderContent); + + LOG.error(errorMsg); + throw new IllegalArgumentException(errorMsg); + + } + + @Override + public Optional extractX509Credential( + HttpServletRequest request) { + + String clientCertHeaderContent = getHeader(request, CLIENT_CERT); + + if (Strings.isNullOrEmpty(clientCertHeaderContent)) { + LOG.debug("{} null or empty", CLIENT_CERT.header); + return Optional.empty(); + } + + headerNamesSanityChecks(request); + + String pemCertificateString = clientCertHeaderContent.replace('\t', '\n'); + + X509CertificateChainParsingResult chain = + certChainParser.parseChainFromString(pemCertificateString); + + IamX509AuthenticationCredential.Builder credBuilder = + new IamX509AuthenticationCredential.Builder(); + + // FIXME: populate all the fields we get from NGINX + credBuilder.certificateChain(chain.getChain()) + .certificateChainPemString(chain.getPemString()) + .subject(getHeader(request, SUBJECT)) + .issuer(getHeader(request, ISSUER)) + .verificationResult(parseVerifyHeader(request)); + + final IamX509AuthenticationCredential cred = credBuilder.build(); + LOG.debug("Extracted X.509 credential: {}", cred); + return Optional.of(cred); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationCredential.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationCredential.java new file mode 100644 index 000000000..116f9d4cf --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationCredential.java @@ -0,0 +1,111 @@ +package it.infn.mw.iam.authn.x509; + +import java.io.Serializable; +import java.security.cert.X509Certificate; + +import com.fasterxml.jackson.annotation.JsonIgnore; + +import it.infn.mw.iam.persistence.model.IamX509Certificate; + +public class IamX509AuthenticationCredential implements Serializable{ + + /** + * + */ + private static final long serialVersionUID = 1L; + + private final String subject; + private final String issuer; + + @JsonIgnore + private final X509Certificate[] certificateChain; + + private final String certificateChainPemString; + + @JsonIgnore + private final X509CertificateVerificationResult verificationResult; + + private IamX509AuthenticationCredential(Builder builder) { + this.subject = builder.subject; + this.issuer = builder.issuer; + this.certificateChain = builder.certificateChain; + this.verificationResult = builder.verificationResult; + this.certificateChainPemString = builder.certificateChainPemString; + } + + public static class Builder { + private String subject; + private String issuer; + private X509Certificate[] certificateChain; + private String certificateChainPemString; + private X509CertificateVerificationResult verificationResult; + + public Builder subject(String subject){ + this.subject = subject; + return this; + } + + public Builder issuer(String issuer){ + this.issuer = issuer; + return this; + } + + public Builder certificateChain(X509Certificate[] chain){ + this.certificateChain = chain; + return this; + } + + public Builder verificationResult(X509CertificateVerificationResult s){ + this.verificationResult = s; + return this; + } + + public Builder certificateChainPemString(String ccps){ + this.certificateChainPemString =ccps; + return this; + } + + public IamX509AuthenticationCredential build(){ + return new IamX509AuthenticationCredential(this); + } + } + + public IamX509Certificate asIamX509Certificate(){ + IamX509Certificate cert = new IamX509Certificate(); + cert.setSubjectDn(getSubject()); + cert.setIssuerDn(getIssuer()); + cert.setCertificate(getCertificateChainPemString()); + return cert; + } + + public String getSubject() { + return subject; + } + + public String getIssuer() { + return issuer; + } + + public X509Certificate[] getCertificateChain() { + return certificateChain; + } + + public String getCertificateChainPemString() { + return certificateChainPemString; + } + public X509CertificateVerificationResult getVerificationResult() { + return verificationResult; + } + + public boolean failedVerification(){ + return verificationResult.failedVerification(); + } + + public String verificationError(){ + return verificationResult.error().orElse("X.509 credential is valid"); + } + + public static Builder builder(){ + return new Builder(); + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationProvider.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationProvider.java new file mode 100644 index 000000000..8954aad46 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationProvider.java @@ -0,0 +1,9 @@ +package it.infn.mw.iam.authn.x509; + +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider; + +public class IamX509AuthenticationProvider extends PreAuthenticatedAuthenticationProvider + implements AuthenticationManager { + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationUserDetailService.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationUserDetailService.java new file mode 100644 index 000000000..53ea25359 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509AuthenticationUserDetailService.java @@ -0,0 +1,58 @@ +package it.infn.mw.iam.authn.x509; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; +import org.springframework.stereotype.Service; + +import it.infn.mw.iam.authn.InactiveAccountAuthenticationHander; +import it.infn.mw.iam.authn.util.AuthenticationUtils; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; + +@Service +public class IamX509AuthenticationUserDetailService + implements AuthenticationUserDetailsService { + + public static final Logger LOG = + LoggerFactory.getLogger(IamX509AuthenticationUserDetailService.class); + + IamAccountRepository accountRepository; + InactiveAccountAuthenticationHander inactiveAccountHandler; + + @Autowired + public IamX509AuthenticationUserDetailService(IamAccountRepository accountRepository, + InactiveAccountAuthenticationHander handler) { + this.accountRepository = accountRepository; + this.inactiveAccountHandler = handler; + } + + protected UserDetails buildUserFromIamAccount(IamAccount account) { + return AuthenticationUtils.userFromIamAccount(account); + } + + @Override + public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) + throws UsernameNotFoundException { + + String principal = (String) token.getPrincipal(); + + LOG.debug("Loading IAM account for X.509 principal '{}'", principal); + + IamAccount account = accountRepository.findByCertificateSubject(principal).orElseThrow(() -> { + final String msg = String.format("No IAM account found for X.509 principal '%s'", principal); + LOG.debug(msg); + return new UsernameNotFoundException(msg); + }); + + LOG.debug("Found IAM account {} linked to principal '{}'", account, principal); + + return buildUserFromIamAccount(account); + + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509PreauthenticationProcessingFilter.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509PreauthenticationProcessingFilter.java new file mode 100644 index 000000000..4ad4e7dd4 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/IamX509PreauthenticationProcessingFilter.java @@ -0,0 +1,132 @@ +package it.infn.mw.iam.authn.x509; + +import java.util.Optional; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.web.authentication.AuthenticationFailureHandler; +import org.springframework.security.web.authentication.AuthenticationSuccessHandler; +import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; + +public class IamX509PreauthenticationProcessingFilter + extends AbstractPreAuthenticatedProcessingFilter { + + public static final Logger LOG = + LoggerFactory.getLogger(IamX509PreauthenticationProcessingFilter.class); + + public static final String X509_CREDENTIAL_SESSION_KEY = "IAM_X509_CRED"; + + private final X509AuthenticationCredentialExtractor credentialExtractor; + + private AuthenticationSuccessHandler successHandler; + private AuthenticationFailureHandler failureHandler; + + public IamX509PreauthenticationProcessingFilter(X509AuthenticationCredentialExtractor extractor, + AuthenticationManager authenticationManager) { + this.credentialExtractor = extractor; + setCheckForPrincipalChanges(false); + setAuthenticationManager(authenticationManager); + } + + protected void storeCredentialInSession(HttpServletRequest request, + IamX509AuthenticationCredential cred) { + + HttpSession session = request.getSession(false); + + if (session != null && !cred.failedVerification()) { + LOG.debug("Storing X.509 {} credential in session ", cred); + session.setAttribute(X509_CREDENTIAL_SESSION_KEY, cred); + } + + } + + + protected Optional extractCredential( + HttpServletRequest request) { + Optional credential = + credentialExtractor.extractX509Credential(request); + + if (!credential.isPresent()) { + LOG.debug("No X.509 client credential found in request"); + } + + if (credential.isPresent() && credential.get().failedVerification()) { + LOG.warn("X.509 client credential failed verification: {}", + credential.get().verificationError()); + return Optional.empty(); + } + + credential.ifPresent(c -> storeCredentialInSession(request, c)); + + return credential; + } + + + @Override + protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) { + + Optional credential = extractCredential(request); + + if (!credential.isPresent()) { + return null; + } + + final String subject = credential.get().getSubject(); + + LOG.debug("Found valid X.509 credential in request with principal subject '{}'", subject); + + return subject; + } + + @Override + protected Object getPreAuthenticatedCredentials(HttpServletRequest request) { + + return extractCredential(request).orElse(null); + } + + @Override + protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, + Authentication authentication) { + + super.successfulAuthentication(request, response, authentication); + + if (successHandler != null) { + try { + successHandler.onAuthenticationSuccess(request, response, authentication); + } catch (Exception e) { + throw new RuntimeException(e.getMessage(), e); + } + } + } + + @Override + protected void unsuccessfulAuthentication(HttpServletRequest request, + HttpServletResponse response, AuthenticationException failed) { + + super.unsuccessfulAuthentication(request, response, failed); + + if (failureHandler != null) { + try { + failureHandler.onAuthenticationFailure(request, response, failed); + } catch (Exception e) { + throw new RuntimeException(e.getMessage(), e); + } + } + } + + public void setSuccessHandler(AuthenticationSuccessHandler successHandler) { + this.successHandler = successHandler; + } + + public void setFailureHandler(AuthenticationFailureHandler failureHandler) { + this.failureHandler = failureHandler; + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/MockX509AuthenticationCredentialExtractor.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/MockX509AuthenticationCredentialExtractor.java new file mode 100644 index 000000000..2d5e76521 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/MockX509AuthenticationCredentialExtractor.java @@ -0,0 +1,65 @@ +package it.infn.mw.iam.authn.x509; + +import java.util.Optional; + +import javax.servlet.http.HttpServletRequest; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Primary; +import org.springframework.stereotype.Component; + +@Component +@Primary +@ConditionalOnProperty("mockX509Authentication") +public class MockX509AuthenticationCredentialExtractor + implements X509AuthenticationCredentialExtractor { + + public static final String TEST_0_SUBJECT = "CN=test0,O=IGI,C=IT"; + public static final String TEST_0_ISSUER = "CN=Test CA,O=IGI,C=IT"; + private static final String TEST_0_CERT = "-----BEGIN CERTIFICATE-----\n" + + "MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM\n" + + "MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX\n" + + "DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG\n" + + "A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw\n" + + "hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R\n" + + "BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc\n" + + "CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK\n" + + "2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al\n" + + "xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop\n" + + "kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU\n" + + "fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG\n" + + "CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF\n" + + "BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe\n" + + "gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB\n" + + "AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx\n" + + "d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu\n" + + "SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf\n" + + "49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg\n" + + "C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N\n" + + "vDxcPMc/wmnMa+smNal0sJ6m\n" + "-----END CERTIFICATE-----"; + + private final IamX509AuthenticationCredential test0Cred; + + @Autowired + public MockX509AuthenticationCredentialExtractor(X509CertificateChainParser parser) { + + X509CertificateChainParsingResult result = parser.parseChainFromString(TEST_0_CERT); + test0Cred = IamX509AuthenticationCredential.builder() + .certificateChain(result.getChain()) + .certificateChainPemString(result.getPemString()) + .subject(TEST_0_SUBJECT) + .issuer(TEST_0_ISSUER) + .verificationResult(X509CertificateVerificationResult.success()) + .build(); + } + + + @Override + public Optional extractX509Credential( + HttpServletRequest request) { + + return Optional.of(test0Cred); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/PEMX509CertificateChainParser.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/PEMX509CertificateChainParser.java new file mode 100644 index 000000000..014da6301 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/PEMX509CertificateChainParser.java @@ -0,0 +1,48 @@ +package it.infn.mw.iam.authn.x509; + +import static eu.emi.security.authn.x509.impl.CertificateUtils.configureSecProvider; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.security.cert.X509Certificate; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Component; + +import eu.emi.security.authn.x509.impl.CertificateUtils; +import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding; + +@Component +public class PEMX509CertificateChainParser implements X509CertificateChainParser { + + public static final Logger LOG = LoggerFactory.getLogger(PEMX509CertificateChainParser.class); + + public PEMX509CertificateChainParser() { + configureSecProvider(); + } + + @Override + public X509CertificateChainParsingResult parseChainFromString(String pemString) { + + InputStream stream = new ByteArrayInputStream(pemString + .getBytes(StandardCharsets.US_ASCII)); + + try { + + X509Certificate[] chain = CertificateUtils.loadCertificateChain(stream, Encoding.PEM); + return X509CertificateChainParsingResult.from(pemString, chain); + + } catch (IOException e) { + final String errorMessage = String.format("Error parsing certificate chain: %s", + e.getMessage()); + + LOG.error(errorMessage, e); + + throw new CertificateParsingError(errorMessage, e); + } + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509AuthenticationCredentialExtractor.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509AuthenticationCredentialExtractor.java new file mode 100644 index 000000000..022a3fe49 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509AuthenticationCredentialExtractor.java @@ -0,0 +1,10 @@ +package it.infn.mw.iam.authn.x509; + +import java.util.Optional; + +import javax.servlet.http.HttpServletRequest; +@FunctionalInterface +public interface X509AuthenticationCredentialExtractor { + + Optional extractX509Credential(HttpServletRequest request); +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateChainParser.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateChainParser.java new file mode 100644 index 000000000..383c5e3fe --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateChainParser.java @@ -0,0 +1,7 @@ +package it.infn.mw.iam.authn.x509; +@FunctionalInterface +public interface X509CertificateChainParser { + + X509CertificateChainParsingResult parseChainFromString(String pemCertificateChain); + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateChainParsingResult.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateChainParsingResult.java new file mode 100644 index 000000000..bf5329a68 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateChainParsingResult.java @@ -0,0 +1,27 @@ +package it.infn.mw.iam.authn.x509; + +import java.security.cert.X509Certificate; + +public class X509CertificateChainParsingResult { + + private final String pemString; + private final X509Certificate[] chain; + + private X509CertificateChainParsingResult(String pemString, X509Certificate[] chain) { + this.pemString = pemString; + this.chain = chain; + } + + public String getPemString() { + return pemString; + } + + public X509Certificate[] getChain() { + return chain; + } + + public static X509CertificateChainParsingResult from(String pemString, X509Certificate[] chain){ + return new X509CertificateChainParsingResult(pemString, chain); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateVerificationResult.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateVerificationResult.java new file mode 100644 index 000000000..53966fcf0 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/x509/X509CertificateVerificationResult.java @@ -0,0 +1,51 @@ +package it.infn.mw.iam.authn.x509; + +import java.io.Serializable; +import java.util.Optional; + +public class X509CertificateVerificationResult implements Serializable{ + + /** + * + */ + private static final long serialVersionUID = 1L; + + public enum Status { + SUCCESS, + FAILED + } + + final Status verificationStatus; + final transient Optional verificationError; + + private X509CertificateVerificationResult(Status s, String verificationError) { + this.verificationStatus = s; + this.verificationError = Optional.ofNullable(verificationError); + } + + public Status status() { + return verificationStatus; + } + + public Optional error() { + return verificationError; + } + + public static X509CertificateVerificationResult success(){ + return new X509CertificateVerificationResult(Status.SUCCESS, null); + } + + public static X509CertificateVerificationResult failed(String reason){ + return new X509CertificateVerificationResult(Status.FAILED, reason); + } + + public boolean failedVerification(){ + return verificationStatus == Status.FAILED; + } + + @Override + public String toString() { + return "X509CertificateVerificationResult [verificationStatus=" + verificationStatus + + ", verificationError=" + verificationError + "]"; + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/AssertionConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/AssertionConfig.java index dca5d34e9..0f7fadd03 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/AssertionConfig.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/AssertionConfig.java @@ -30,7 +30,6 @@ public AssertionOAuth2RequestFactory jwtAssertionTokenFactory() { @Bean @Qualifier("clientAssertionValidator") public AssertionValidator clientAssertionValidator() { - // TODO: verify whitelist Map whitelist = new LinkedHashMap<>(); whitelist.put("http://artemesia.local", "http://localhost:8080/jwk"); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/AuthorizationServerConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/AuthorizationServerConfig.java index c7a65f2ef..b646255ab 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/AuthorizationServerConfig.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/AuthorizationServerConfig.java @@ -53,6 +53,7 @@ public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdap private OAuth2TokenEntityService tokenServices; @Autowired + @Qualifier("iamClientDetailsEntityService") private ClientDetailsEntityService clientDetailsService; @Autowired @@ -72,7 +73,7 @@ public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdap @Autowired private SystemScopeService systemScopeService; - + @Bean WebResponseExceptionTranslator webResponseExceptionTranslator() { @@ -81,10 +82,10 @@ WebResponseExceptionTranslator webResponseExceptionTranslator() { } @Bean(name = "iamAuthenticationEventPublisher") - AuthenticationEventPublisher iamAuthenticationEventPublisher(){ + AuthenticationEventPublisher iamAuthenticationEventPublisher() { return new IamAuthenticationEventPublisher(); } - + @Bean(name = "authenticationManager") AuthenticationManager authenticationManager() { diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/JpaConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/JpaConfig.java index 6d98ac69a..5e2107919 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/JpaConfig.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/JpaConfig.java @@ -36,16 +36,16 @@ protected AbstractJpaVendorAdapter createJpaVendorAdapter() { @Override protected Map getVendorProperties() { - Map map = new HashMap(); + Map map = new HashMap<>(); map.put("eclipselink.weaving", "false"); map.put("eclipselink.logging.level", "INFO"); map.put("eclipselink.logging.level.sql", "OFF"); map.put("eclipselink.cache.shared.default", "false"); - // map.put("eclipselink.ddl-generation.output-mode", "sql-script"); - // map.put("eclipselink.ddl-generation", "create-tables"); - // map.put("eclipselink.create-ddl-jdbc-file-name", "ddl.sql"); +// map.put("eclipselink.ddl-generation.output-mode", "sql-script"); +// map.put("eclipselink.ddl-generation", "create-tables"); +// map.put("eclipselink.create-ddl-jdbc-file-name", "ddl.sql"); return map; @@ -56,14 +56,12 @@ public LocalContainerEntityManagerFactoryBean entityManagerFactory( final EntityManagerFactoryBuilder factoryBuilder) { - LocalContainerEntityManagerFactoryBean emf = factoryBuilder.dataSource(dataSource) + return factoryBuilder.dataSource(dataSource) .packages("org.mitre", "it.infn.mw.iam.persistence") .persistenceUnit("defaultPersistenceUnit") .properties(getVendorProperties()) .build(); - return emf; - } @Bean(name = {"defaultTransactionManager", "transactionManager"}) diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreConfig.java index 2e90de12e..7c7974a57 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreConfig.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreConfig.java @@ -38,7 +38,13 @@ public ConfigurationPropertiesBean config() { } config.setIssuer(issuer); - config.setRegTokenLifeTime(tokenLifeTime); + + if (tokenLifeTime <= 0L){ + config.setRegTokenLifeTime(null); + } else { + config.setRegTokenLifeTime(tokenLifeTime); + } + config.setForceHttps(false); config.setLocale(Locale.ENGLISH); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreServicesConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreServicesConfig.java index 76e9111a4..1a492191d 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreServicesConfig.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/MitreServicesConfig.java @@ -42,9 +42,11 @@ import org.mitre.openid.connect.web.ServerConfigInterceptor; import org.mitre.openid.connect.web.UserInfoInterceptor; import org.mitre.uma.service.ResourceSetService; +import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.context.embedded.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Primary; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; import org.springframework.security.oauth2.provider.OAuth2RequestValidator; @@ -80,12 +82,12 @@ UserApprovalHandler tofuApprovalHandler() { @Bean OAuth2RequestFactory requestFactory() { - - return new IamOAuth2RequestFactory(clientDetailsService()); + return new IamOAuth2RequestFactory(clientDetailsEntityService()); } @Bean - ClientDetailsEntityService clientDetailsService() { + @Qualifier("iamClientDetailsEntityService") + ClientDetailsEntityService clientDetailsEntityService() { return new DefaultOAuth2ClientDetailsEntityService(); } @@ -143,6 +145,7 @@ public FilterRegistrationBean disabledCorsFilterRegistration(CorsFilter c) { return b; } + @Primary @Bean public CorsFilter corsFilter() { diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/SecurityConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/SecurityConfig.java index 7fe6031b4..499fc5bbd 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/SecurityConfig.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/SecurityConfig.java @@ -1,5 +1,19 @@ package it.infn.mw.iam.config; +import static it.infn.mw.iam.api.tokens.Constants.ACCESS_TOKENS_ENDPOINT; +import static it.infn.mw.iam.api.tokens.Constants.REFRESH_TOKENS_ENDPOINT; + +import it.infn.mw.iam.authn.RootIsDashboardSuccessHandler; +import it.infn.mw.iam.authn.TimestamperSuccessHandler; +import it.infn.mw.iam.authn.oidc.OidcAccessDeniedHandler; +import it.infn.mw.iam.authn.oidc.OidcAuthenticationProvider; +import it.infn.mw.iam.authn.oidc.OidcClientFilter; +import it.infn.mw.iam.authn.x509.IamX509AuthenticationProvider; +import it.infn.mw.iam.authn.x509.IamX509AuthenticationUserDetailService; +import it.infn.mw.iam.authn.x509.IamX509PreauthenticationProcessingFilter; +import it.infn.mw.iam.authn.x509.X509AuthenticationCredentialExtractor; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; + import org.mitre.oauth2.service.OAuth2TokenEntityService; import org.mitre.oauth2.web.CorsFilter; import org.springframework.beans.factory.annotation.Autowired; @@ -37,18 +51,10 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.web.filter.GenericFilterBean; -import it.infn.mw.iam.authn.RootIsDashboardSuccessHandler; -import it.infn.mw.iam.authn.TimestamperSuccessHandler; -import it.infn.mw.iam.authn.oidc.OidcAccessDeniedHandler; -import it.infn.mw.iam.authn.oidc.OidcAuthenticationProvider; -import it.infn.mw.iam.authn.oidc.OidcClientFilter; - @Configuration @EnableWebSecurity public class SecurityConfig { - - @Configuration @Order(100) public static class UserLoginConfig extends WebSecurityConfigurerAdapter { @@ -67,9 +73,18 @@ public static class UserLoginConfig extends WebSecurityConfigurerAdapter { @Qualifier("iamUserDetailsService") private UserDetailsService iamUserDetailsService; + @Autowired + private X509AuthenticationCredentialExtractor x509CredentialExtractor; + + @Autowired + private IamX509AuthenticationUserDetailService x509UserDetailsService; + @Autowired private PasswordEncoder passwordEncoder; + @Autowired + private IamAccountRepository accountRepo; + @Autowired public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception { // @formatter:off @@ -85,6 +100,20 @@ public void configure(final WebSecurity web) throws Exception { web.expressionHandler(oAuth2WebSecurityExpressionHandler); } + + public IamX509AuthenticationProvider iamX509AuthenticationProvider() { + + IamX509AuthenticationProvider provider = new IamX509AuthenticationProvider(); + provider.setPreAuthenticatedUserDetailsService(x509UserDetailsService); + return provider; + } + + + public IamX509PreauthenticationProcessingFilter iamX509Filter() throws Exception { + return new IamX509PreauthenticationProcessingFilter(x509CredentialExtractor, + iamX509AuthenticationProvider()); + } + @Override protected void configure(final HttpSecurity http) throws Exception { @@ -118,7 +147,9 @@ protected void configure(final HttpSecurity http) throws Exception { .and().anonymous() .and() .csrf() - .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/authorize")).disable(); + .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/authorize")).disable() + .addFilter(iamX509Filter()); + // @formatter:on } @@ -131,7 +162,8 @@ public OAuth2WebSecurityExpressionHandler oAuth2WebSecurityExpressionHandler() { public AuthenticationSuccessHandler successHandler() { return new TimestamperSuccessHandler( - new RootIsDashboardSuccessHandler(iamBaseUrl, new HttpSessionRequestCache())); + new RootIsDashboardSuccessHandler(iamBaseUrl, new HttpSessionRequestCache()), + accountRepo); } } @@ -425,7 +457,9 @@ protected void configure(final HttpSecurity http) throws Exception { http.antMatcher("/revoke**").httpBasic().authenticationEntryPoint(authenticationEntryPoint) .and().addFilterBefore(corsFilter, SecurityContextPersistenceFilter.class) .addFilterBefore(clientCredentialsEndpointFilter(), BasicAuthenticationFilter.class) - .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).and() + .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint) + .and() + .csrf().disable() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // @formatter:on } @@ -649,7 +683,7 @@ protected void configure(final HttpSecurity http) throws Exception { .requestMatchers() .antMatchers("/metrics", "/configprops", "/env", "/mappings", "/flyway", "/autoconfig", "/beans", "/dump", "/trace", - "/info", "/health", "/health/mail") + "/info", "/health", "/health/mail", "/health/external") .and() .httpBasic() .authenticationEntryPoint(authenticationEntryPoint) @@ -662,13 +696,52 @@ protected void configure(final HttpSecurity http) throws Exception { .sessionCreationPolicy(SessionCreationPolicy.NEVER) .and() .authorizeRequests() - .antMatchers(HttpMethod.GET, "/info", "/health", "/health/mail").permitAll() + .antMatchers(HttpMethod.GET, "/info", "/health", "/health/mail", "/health/external").permitAll() .antMatchers("/metrics", "/configprops", "/env", "/mappings", "/flyway", "/autoconfig", "/beans", "/dump", "/trace").hasRole("ADMIN"); // @formatter:on } } + @Configuration + @Order(25) + public static class TokensApiEndpointConfig extends WebSecurityConfigurerAdapter { + + @Autowired + private OAuth2AuthenticationProcessingFilter resourceFilter; + + @Autowired + private OAuth2AuthenticationEntryPoint authenticationEntryPoint; + + @Autowired + private CorsFilter corsFilter; + + @Override + protected void configure(final HttpSecurity http) throws Exception { + + // @formatter:off + http + .requestMatchers() + .antMatchers(ACCESS_TOKENS_ENDPOINT + "/**", REFRESH_TOKENS_ENDPOINT + "/**") + .and() + .exceptionHandling() + .authenticationEntryPoint(authenticationEntryPoint) + .and() + .addFilterAfter(resourceFilter, SecurityContextPersistenceFilter.class) + .addFilterBefore(corsFilter, WebAsyncManagerIntegrationFilter.class) + .sessionManagement() + .sessionCreationPolicy(SessionCreationPolicy.NEVER) + .and() + .authorizeRequests() + .antMatchers(ACCESS_TOKENS_ENDPOINT + "/**", REFRESH_TOKENS_ENDPOINT + "/**") + .authenticated() + .and() + .csrf() + .disable(); + // @formatter:on + } + } + @Configuration @Order(Ordered.HIGHEST_PRECEDENCE) @Profile("dev") diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/TaskConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/TaskConfig.java index 0c56e28d3..8af5a1f4d 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/TaskConfig.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/TaskConfig.java @@ -5,6 +5,8 @@ import org.mitre.oauth2.service.OAuth2TokenEntityService; import org.mitre.openid.connect.service.ApprovedSiteService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; @@ -14,17 +16,22 @@ import org.springframework.scheduling.annotation.SchedulingConfigurer; import org.springframework.scheduling.config.ScheduledTaskRegistrar; +import it.infn.mw.iam.core.user.IamAccountService; import it.infn.mw.iam.notification.NotificationService; @Configuration @EnableScheduling public class TaskConfig implements SchedulingConfigurer { + public static final Logger LOG = LoggerFactory.getLogger(TaskConfig.class); + public static final long ONE_SECOND_MSEC = 1000; public static final long TEN_SECONDS_MSEC = 10 * ONE_SECOND_MSEC; public static final long THIRTY_SECONDS_MSEC = 30 * ONE_SECOND_MSEC; public static final long ONE_MINUTE_MSEC = 60 * ONE_SECOND_MSEC; public static final long TEN_MINUTES_MSEC = 10 * ONE_MINUTE_MSEC; + public static final long ONE_HOUR_MSEC = 60 * ONE_MINUTE_MSEC; + public static final long ONE_DAY_MSEC = 24 * ONE_HOUR_MSEC; @Autowired OAuth2TokenEntityService tokenEntityService; @@ -36,6 +43,9 @@ public class TaskConfig implements SchedulingConfigurer { @Qualifier("defaultNotificationService") NotificationService notificationService; + @Autowired + IamAccountService accountService; + @Bean(destroyMethod = "shutdown") public ScheduledExecutorService taskScheduler() { return Executors.newSingleThreadScheduledExecutor(); @@ -63,10 +73,9 @@ public void sendNotifications() { public void clearExpiredNotifications() { notificationService.clearExpiredNotifications(); } - + @Override public void configureTasks(final ScheduledTaskRegistrar taskRegistrar) { - taskRegistrar.setScheduler(taskScheduler()); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/oidc/GoogleClient.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/oidc/GoogleClient.java index 86d811c12..88a110790 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/oidc/GoogleClient.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/oidc/GoogleClient.java @@ -60,6 +60,9 @@ public class GoogleClient { @Autowired private GoogleClientProperties googleClientProperties; + @Autowired + private IamAccountRepository accountRepo; + @Bean public FilterRegistrationBean disabledAutomaticOidcFilterRegistration(OidcClientFilter f) { @@ -111,7 +114,8 @@ public AuthenticationSuccessHandler successHandler() { RootIsDashboardSuccessHandler sa = new RootIsDashboardSuccessHandler(iamBaseUrl, new HttpSessionRequestCache()); - AuthenticationSuccessHandler successHandler = new TimestamperSuccessHandler(sa); + + AuthenticationSuccessHandler successHandler = new TimestamperSuccessHandler(sa, accountRepo); return new ExternalAuthenticationSuccessHandler(successHandler, "/"); @@ -151,7 +155,7 @@ public ServerConfigurationService dynamicServerConfiguration() { @Bean public ClientConfigurationService staticClientConfiguration() { - Map clients = new LinkedHashMap(); + Map clients = new LinkedHashMap<>(); clients.put(googleClientProperties.getIssuer(), googleClientProperties); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/IamSamlProperties.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/IamSamlProperties.java index 9a3639cea..78e420ec2 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/IamSamlProperties.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/IamSamlProperties.java @@ -1,22 +1,104 @@ package it.infn.mw.iam.config.saml; +import static java.lang.Boolean.FALSE; + +import java.util.Optional; +import java.util.Set; +import java.util.concurrent.TimeUnit; + +import javax.validation.constraints.Min; + import org.springframework.boot.context.properties.ConfigurationProperties; +import com.google.common.base.Splitter; +import com.google.common.collect.Sets; + @ConfigurationProperties(prefix = "saml") public class IamSamlProperties { + @ConfigurationProperties(prefix = "saml.jit-account-provisioning") + public static class IamSamlJITAccountProvisioningProperties { + + private Boolean enabled = FALSE; + private String trustedIdps = "all"; + private Boolean cleanupTaskEnabled = FALSE; + + @Min(5) + private long cleanupTaskPeriodSec = TimeUnit.DAYS.toSeconds(1); + + @Min(1) + private Integer inactiveAccountLifetimeDays = 15; + + public Boolean getEnabled() { + return enabled; + } + + public void setEnabled(Boolean enabled) { + this.enabled = enabled; + } + + public String getTrustedIdps() { + return trustedIdps; + } + + public void setTrustedIdps(String trustedIdps) { + this.trustedIdps = trustedIdps; + } + + public Boolean getCleanupTaskEnabled() { + return cleanupTaskEnabled; + } + + public void setCleanupTaskEnabled(Boolean cleanupEnabled) { + this.cleanupTaskEnabled = cleanupEnabled; + } + + public Integer getInactiveAccountLifetimeDays() { + return inactiveAccountLifetimeDays; + } + + public void setInactiveAccountLifetimeDays(Integer inactiveUserLifetimeDays) { + this.inactiveAccountLifetimeDays = inactiveUserLifetimeDays; + } + + public long getCleanupTaskPeriodSec() { + return cleanupTaskPeriodSec; + } + + public void setCleanupTaskPeriodSec(long cleanupTaskPeriodSec) { + this.cleanupTaskPeriodSec = cleanupTaskPeriodSec; + } + + + public Optional> getTrustedIdpsAsOptionalSet() { + if ("all".equals(trustedIdps)) { + return Optional.empty(); + } + + Set trustedIdpIds = + Sets.newHashSet(Splitter.on(",").trimResults().omitEmptyStrings().split(trustedIdps)); + + if (trustedIdpIds.isEmpty()) { + return Optional.empty(); + } + + return Optional.of(trustedIdpIds); + } + } + private String entityId; private String idpMetadata; private String keystore; private String keystorePassword; private String keyId; private String keyPassword; + private String idResolvers; private int maxAssertionTimeSec; private int maxAuthenticationAgeSec; - public IamSamlProperties() {} + private int metadataLookupServiceRefreshPeriodSec = (int) TimeUnit.MINUTES.toSeconds(5); public String getEntityId() { return entityId; @@ -25,7 +107,7 @@ public String getEntityId() { public void setEntityId(String entityId) { this.entityId = entityId; } - + public String getIdpMetadata() { return idpMetadata; } @@ -82,4 +164,20 @@ public void setMaxAuthenticationAgeSec(int maxAuthenticationAgeSec) { this.maxAuthenticationAgeSec = maxAuthenticationAgeSec; } + public String getIdResolvers() { + return idResolvers; + } + + public void setIdResolvers(String idResolvers) { + this.idResolvers = idResolvers; + } + + public int getMetadataLookupServiceRefreshPeriodSec() { + return metadataLookupServiceRefreshPeriodSec; + } + + public void setMetadataLookupServiceRefreshPeriodSec(int metadataLookupServiceRefreshPeriodSec) { + this.metadataLookupServiceRefreshPeriodSec = metadataLookupServiceRefreshPeriodSec; + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/SamlConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/SamlConfig.java index f6956fae0..0bccebc45 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/SamlConfig.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/SamlConfig.java @@ -1,16 +1,20 @@ package it.infn.mw.iam.config.saml; -import static it.infn.mw.iam.authn.saml.util.SamlIdResolvers.eppn; -import static it.infn.mw.iam.authn.saml.util.SamlIdResolvers.epuid; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.EPPN; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.EPTID; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.EPUID; +import java.io.File; import java.io.IOException; import java.net.URISyntaxException; +import java.nio.file.Files; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collection; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.Timer; +import java.util.concurrent.TimeUnit; import org.apache.commons.httpclient.HttpClient; import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager; @@ -18,12 +22,18 @@ import org.apache.commons.httpclient.protocol.ProtocolSocketFactory; import org.apache.velocity.app.VelocityEngine; import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider; import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider; +import org.opensaml.util.resource.ClasspathResource; +import org.opensaml.util.resource.ResourceException; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.parse.ParserPool; import org.opensaml.xml.parse.StaticBasicParserPool; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.context.properties.ConfigurationProperties; @@ -36,6 +46,9 @@ import org.springframework.core.io.DefaultResourceLoader; import org.springframework.core.io.Resource; import org.springframework.core.io.ResourceLoader; +import org.springframework.scheduling.annotation.EnableScheduling; +import org.springframework.scheduling.annotation.SchedulingConfigurer; +import org.springframework.scheduling.config.ScheduledTaskRegistrar; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @@ -94,26 +107,39 @@ import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; +import com.google.common.base.Splitter; +import com.google.common.base.Strings; + import it.infn.mw.iam.authn.ExternalAuthenticationFailureHandler; import it.infn.mw.iam.authn.ExternalAuthenticationSuccessHandler; import it.infn.mw.iam.authn.InactiveAccountAuthenticationHander; import it.infn.mw.iam.authn.RootIsDashboardSuccessHandler; import it.infn.mw.iam.authn.TimestamperSuccessHandler; +import it.infn.mw.iam.authn.saml.CleanInactiveProvisionedAccounts; import it.infn.mw.iam.authn.saml.DefaultSAMLUserDetailsService; import it.infn.mw.iam.authn.saml.IamSamlAuthenticationProvider; +import it.infn.mw.iam.authn.saml.JustInTimeProvisioningSAMLUserDetailsService; +import it.infn.mw.iam.authn.saml.MetadataLookupService; import it.infn.mw.iam.authn.saml.SamlExceptionMessageHelper; import it.infn.mw.iam.authn.saml.util.FirstApplicableChainedSamlIdResolver; +import it.infn.mw.iam.authn.saml.util.SamlIdResolvers; import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolver; +import it.infn.mw.iam.config.saml.IamSamlProperties.IamSamlJITAccountProvisioningProperties; import it.infn.mw.iam.config.saml.SamlConfig.IamProperties; import it.infn.mw.iam.config.saml.SamlConfig.ServerProperties; +import it.infn.mw.iam.core.time.SystemTimeProvider; +import it.infn.mw.iam.core.user.IamAccountService; import it.infn.mw.iam.persistence.repository.IamAccountRepository; @Configuration @Order(value = Ordered.LOWEST_PRECEDENCE) @Profile("saml") -@EnableConfigurationProperties({IamSamlProperties.class, IamProperties.class, - ServerProperties.class}) -public class SamlConfig extends WebSecurityConfigurerAdapter { +@EnableConfigurationProperties({IamSamlProperties.class, + IamSamlJITAccountProvisioningProperties.class, IamProperties.class, ServerProperties.class}) +@EnableScheduling +public class SamlConfig extends WebSecurityConfigurerAdapter implements SchedulingConfigurer { + + public static final Logger LOG = LoggerFactory.getLogger(SamlConfig.class); @Autowired ResourceLoader resourceLoader; @@ -124,18 +150,32 @@ public class SamlConfig extends WebSecurityConfigurerAdapter { @Autowired IamAccountRepository repo; + @Autowired + IamAccountService accountService; + @Autowired IamProperties iamProperties; @Autowired IamSamlProperties samlProperties; + @Autowired + IamSamlJITAccountProvisioningProperties jitProperties; + @Autowired ServerProperties serverProperties; @Autowired InactiveAccountAuthenticationHander inactiveAccountHandler; + @Autowired + MetadataLookupService metadataLookupService; + + + Timer metadataFetchTimer = new Timer(); + + BasicParserPool basicParserPool = new BasicParserPool(); + @ConfigurationProperties(prefix = "iam") public static class IamProperties { @@ -165,12 +205,46 @@ public void setUseForwardHeaders(boolean useForwardHeaders) { } @Configuration + @EnableConfigurationProperties({IamSamlProperties.class}) public static class IamSamlConfig { + + protected static final String[] DEFAULT_ID_RESOLVERS = + {EPUID.getAlias(), EPTID.getAlias(), EPPN.getAlias()}; + + @Autowired + IamSamlProperties samlProperties; + + private String[] resolverNames() { + + if (Strings.isNullOrEmpty(samlProperties.getIdResolvers())) { + return DEFAULT_ID_RESOLVERS; + } + + return samlProperties.getIdResolvers().split(","); + } + @Bean public SamlUserIdentifierResolver resolver() { - List resolvers = Arrays.asList(epuid(), eppn()); + List resolvers = new ArrayList<>(); + + SamlIdResolvers resolverFactory = new SamlIdResolvers(); + + String[] resolverNames = resolverNames(); + + for (String n : resolverNames) { + SamlUserIdentifierResolver r = resolverFactory.byName(n); + if (r != null) { + resolvers.add(r); + } else { + LOG.warn("Unsupported saml id resolver: {}", n); + } + } + + if (resolvers.isEmpty()) { + throw new IllegalStateException("Could not configure SAML id resolvers"); + } return new FirstApplicableChainedSamlIdResolver(resolvers); } @@ -181,6 +255,12 @@ public SamlUserIdentifierResolver resolver() { public SAMLUserDetailsService samlUserDetailsService(SamlUserIdentifierResolver resolver, IamAccountRepository accountRepo, InactiveAccountAuthenticationHander handler) { + if (jitProperties.getEnabled()) { + + return new JustInTimeProvisioningSAMLUserDetailsService(resolver, accountService, handler, + accountRepo, jitProperties.getTrustedIdpsAsOptionalSet()); + } + return new DefaultSAMLUserDetailsService(resolver, accountRepo, handler); } @@ -217,13 +297,13 @@ public HttpClient httpClient() { return new HttpClient(multiThreadedHttpConnectionManager()); } - // SAML Authentication Provider responsible for validating of received SAML - // messages @Bean public SAMLAuthenticationProvider samlAuthenticationProvider(SamlUserIdentifierResolver resolver, IamAccountRepository accountRepo, InactiveAccountAuthenticationHander handler) { - IamSamlAuthenticationProvider samlAuthenticationProvider = new IamSamlAuthenticationProvider(); + IamSamlAuthenticationProvider samlAuthenticationProvider = + new IamSamlAuthenticationProvider(resolver); + samlAuthenticationProvider .setUserDetails(samlUserDetailsService(resolver, accountRepo, handler)); samlAuthenticationProvider.setForcePrincipalAsString(false); @@ -302,7 +382,7 @@ public SingleLogoutProfile logoutprofile() { @Bean public KeyManager keyManager() { - Map passwords = new HashMap(); + Map passwords = new HashMap<>(); passwords.put(samlProperties.getKeyId(), samlProperties.getKeyPassword()); DefaultResourceLoader loader = new DefaultResourceLoader(); @@ -332,17 +412,6 @@ public Protocol socketFactoryProtocol() { return new Protocol("https", socketFactory(), 443); } - // - // @Bean - // public MethodInvokingFactoryBean socketFactoryInitialization() { - // - // MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean(); - // methodInvokingFactoryBean.setTargetClass(Protocol.class); - // methodInvokingFactoryBean.setTargetMethod("registerProtocol"); - // Object[] args = {"https", socketFactoryProtocol()}; - // methodInvokingFactoryBean.setArguments(args); - // return methodInvokingFactoryBean; - // } @Bean public WebSSOProfileOptions defaultWebSSOProfileOptions() { @@ -365,7 +434,6 @@ public SAMLEntryPoint samlEntryPoint() { return samlEntryPoint; } - // Setup advanced info about metadata @Bean public ExtendedMetadata extendedMetadata() { @@ -378,40 +446,88 @@ public ExtendedMetadata extendedMetadata() { return extendedMetadata; } - @Bean - @Qualifier("local") - public ExtendedMetadataDelegate localIdpMetadataProvider() - throws MetadataProviderException, URISyntaxException, IOException { - - Resource metadataResource = resourceLoader.getResource(samlProperties.getIdpMetadata()); - - FilesystemMetadataProvider localIdpMetadataProvider = - new FilesystemMetadataProvider(metadataResource.getFile()); - - localIdpMetadataProvider.setParserPool(new BasicParserPool()); - localIdpMetadataProvider.initialize(); - + private ExtendedMetadataDelegate metadataDelegate(MetadataProvider p) { ExtendedMetadataDelegate extendedMetadataDelegate = - new ExtendedMetadataDelegate(localIdpMetadataProvider, extendedMetadata()); + new ExtendedMetadataDelegate(p, extendedMetadata()); extendedMetadataDelegate.setMetadataTrustCheck(true); extendedMetadataDelegate.setMetadataRequireSignature(false); return extendedMetadataDelegate; + } + + private List metadataProviders() + throws MetadataProviderException, IOException, ResourceException { + + List providers = new ArrayList<>(); + + String metadata = samlProperties.getIdpMetadata(); + Iterable metadataIterable = + Splitter.on(",").trimResults().omitEmptyStrings().split(metadata); + + + for (String m : metadataIterable) { + if (m.startsWith("classpath:")) { + LOG.info("Adding classpath based metadata provider for URL: {}", m); + + ClasspathResource cpMetadataResources = + new ClasspathResource(m.replaceFirst("classpath:", "")); + + ResourceBackedMetadataProvider metadataProvider = + new ResourceBackedMetadataProvider(metadataFetchTimer, cpMetadataResources); + + metadataProvider.setParserPool(basicParserPool); + metadataProvider.initialize(); + providers.add(metadataDelegate(metadataProvider)); + + } else if (m.startsWith("file:")) { + + LOG.info("Adding File based metadata provider for URL: {}", m); + Resource metadataResource = resourceLoader.getResource(m); + + + FilesystemMetadataProvider metadataProvider = + new FilesystemMetadataProvider(metadataResource.getFile()); + + metadataProvider.setParserPool(basicParserPool); + metadataProvider.initialize(); + providers.add(metadataDelegate(metadataProvider)); + + } else if (m.startsWith("http")) { + + LOG.info("Adding HTTP metadata provider for URL: {}", m); + + File metadataBackupFile = Files.createTempFile("metadata", "xml").toFile(); + metadataBackupFile.deleteOnExit(); + + FileBackedHTTPMetadataProvider metadataProvider = new FileBackedHTTPMetadataProvider( + metadataFetchTimer, httpClient(), m, metadataBackupFile.getAbsolutePath()); + + metadataProvider.setParserPool(basicParserPool); + metadataProvider.initialize(); + providers.add(metadataDelegate(metadataProvider)); + } else { + LOG.error("Skipping invalid saml.idp-metatadata value: {}", m); + } + } + + if (providers.isEmpty()) { + String message = "Empty SAML metadata providers after initialization"; + LOG.error(message); + throw new IllegalStateException(message); + } + + return providers; } - // IDP Metadata configuration - paths to metadata of IDPs in circle of trust - // is here + @Bean @Qualifier("metadata") public CachingMetadataManager metadata() - throws MetadataProviderException, URISyntaxException, IOException { + throws MetadataProviderException, URISyntaxException, IOException, ResourceException { - List providers = new ArrayList(); - providers.add(localIdpMetadataProvider()); - return new CachingMetadataManager(providers); + return new CachingMetadataManager(metadataProviders()); } - // Filter automatically generates default SP metadata @Bean public MetadataGenerator metadataGenerator() { @@ -435,15 +551,12 @@ public MetadataDisplayFilter metadataDisplayFilter() { @Bean - public AuthenticationSuccessHandler successRedirectHandler() { - + public AuthenticationSuccessHandler samlAuthenticationSuccessHandler() { RootIsDashboardSuccessHandler sa = new RootIsDashboardSuccessHandler(iamProperties.getBaseUrl(), new HttpSessionRequestCache()); - ExternalAuthenticationSuccessHandler successHandler = - new ExternalAuthenticationSuccessHandler(new TimestamperSuccessHandler(sa), "/"); - return successHandler; + return new ExternalAuthenticationSuccessHandler(new TimestamperSuccessHandler(sa, repo), "/"); } @@ -457,7 +570,8 @@ public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exce SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter(); - samlWebSSOHoKProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler()); + samlWebSSOHoKProcessingFilter + .setAuthenticationSuccessHandler(samlAuthenticationSuccessHandler()); samlWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManager()); samlWebSSOHoKProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler()); return samlWebSSOHoKProcessingFilter; @@ -469,7 +583,7 @@ public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception { SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter(); samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager()); - samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler()); + samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(samlAuthenticationSuccessHandler()); samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler()); return samlWebSSOProcessingFilter; } @@ -558,7 +672,7 @@ public HTTPPAOS11Binding httpPAOS11Binding() { @Bean public SAMLProcessor processor() { - Collection bindings = new ArrayList(); + Collection bindings = new ArrayList<>(); bindings.add(httpRedirectDeflateBinding()); bindings.add(httpPostBinding()); bindings.add(artifactBinding(parserPool(), velocityEngine())); @@ -576,7 +690,7 @@ public SAMLProcessor processor() { @Bean public FilterChainProxy samlFilter() throws Exception { - List chains = new ArrayList(); + List chains = new ArrayList<>(); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint())); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), @@ -595,12 +709,13 @@ public FilterChainProxy samlFilter() throws Exception { @Override protected void configure(HttpSecurity http) throws Exception { + String pattern = "/saml/**"; - http.antMatcher("/saml/**"); + http.antMatcher(pattern); - http.csrf().ignoringAntMatchers("/saml/**"); + http.csrf().ignoringAntMatchers(pattern); - http.authorizeRequests().antMatchers("/saml/**").permitAll(); + http.authorizeRequests().antMatchers(pattern).permitAll(); http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class) .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class); @@ -611,4 +726,42 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(samlAuthenticationProvider(resolver, repo, inactiveAccountHandler)); } + + private void scheduleMetadataLookupServiceRefresh(ScheduledTaskRegistrar taskRegistrar) { + LOG.info("Scheduling metadata lookup service refresh task to run every {} seconds.", + samlProperties.getMetadataLookupServiceRefreshPeriodSec()); + taskRegistrar.addFixedRateTask(() -> metadataLookupService.refreshMetadata(), + TimeUnit.SECONDS.toMillis(samlProperties.getMetadataLookupServiceRefreshPeriodSec())); + } + + private void scheduleProvisionedAccountsCleanup(final ScheduledTaskRegistrar taskRegistrar) { + + if (!jitProperties.getEnabled()) { + LOG.info("Just-in-time account provisioning for SAML is DISABLED."); + return; + } + + if (!jitProperties.getCleanupTaskEnabled()) { + LOG.info("Cleanup for SAML JIT account provisioning is DISABLED."); + return; + } + + LOG.info( + "Scheduling Just-in-time provisioned account cleanup task to run every {} seconds. Accounts inactive for {} " + + "days will be deleted", + jitProperties.getCleanupTaskPeriodSec(), jitProperties.getInactiveAccountLifetimeDays()); + + taskRegistrar.addFixedRateTask( + new CleanInactiveProvisionedAccounts(new SystemTimeProvider(), accountService, + jitProperties.getInactiveAccountLifetimeDays()), + TimeUnit.SECONDS.toMillis(jitProperties.getCleanupTaskPeriodSec())); + + } + + @Override + public void configureTasks(ScheduledTaskRegistrar taskRegistrar) { + scheduleProvisionedAccountsCleanup(taskRegistrar); + scheduleMetadataLookupServiceRefresh(taskRegistrar); + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamIntrospectionResultAssembler.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamIntrospectionResultAssembler.java index a97c53527..7d32390d8 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamIntrospectionResultAssembler.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamIntrospectionResultAssembler.java @@ -27,8 +27,6 @@ public class IamIntrospectionResultAssembler extends DefaultIntrospectionResultA public static final String GROUPS = "groups"; public static final String ORGANISATION_NAME = "organisation_name"; - public IamIntrospectionResultAssembler() {} - @Override public Map assembleFrom(OAuth2AccessTokenEntity accessToken, UserInfo userInfo, Set authScopes) { @@ -39,7 +37,7 @@ public Map assembleFrom(OAuth2AccessTokenEntity accessToken, Use List audience = accessToken.getJwt().getJWTClaimsSet().getAudience(); - if (audience != null && audience.size() > 0) { + if (audience != null && !audience.isEmpty()) { result.put("aud", Joiner.on(' ').join(audience)); } @@ -64,6 +62,8 @@ public Map assembleFrom(OAuth2AccessTokenEntity accessToken, Use result.put(PREFERRED_USERNAME, iamUserInfo.getPreferredUsername()); + LOGGER.debug("Organisation name: {}", IamProperties.INSTANCE.getOrganisationName()); + result.put(ORGANISATION_NAME, IamProperties.INSTANCE.getOrganisationName()); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamOAuth2RequestFactory.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamOAuth2RequestFactory.java index 9812f00a1..db52bafa9 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamOAuth2RequestFactory.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamOAuth2RequestFactory.java @@ -9,7 +9,7 @@ public class IamOAuth2RequestFactory extends ConnectOAuth2RequestFactory { - public static final String[] AUDIENCE_KEYS = {"aud", "audience"}; + protected static final String[] AUDIENCE_KEYS = {"aud", "audience"}; public static final String AUD = "aud"; public static final String PASSWORD_GRANT = "password"; diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamScopeClaimTranslationService.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamScopeClaimTranslationService.java index 8d38ec40c..6fb596136 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamScopeClaimTranslationService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamScopeClaimTranslationService.java @@ -16,36 +16,42 @@ public class IamScopeClaimTranslationService implements ScopeClaimTranslationSer private SetMultimap scopesToClaims = HashMultimap.create(); + public static final String OPENID_SCOPE = "openid"; + public static final String PROFILE_SCOPE = "profile"; + public static final String EMAIL_SCOPE = "email"; + public static final String PHONE_SCOPE = "phone"; + public static final String ADDRESS_SCOPE = "address"; + public IamScopeClaimTranslationService() { // Mitreid scope mappings - scopesToClaims.put("openid", "sub"); - - scopesToClaims.put("profile", "name"); - scopesToClaims.put("profile", "preferred_username"); - scopesToClaims.put("profile", "given_name"); - scopesToClaims.put("profile", "family_name"); - scopesToClaims.put("profile", "middle_name"); - scopesToClaims.put("profile", "nickname"); - scopesToClaims.put("profile", "profile"); - scopesToClaims.put("profile", "picture"); - scopesToClaims.put("profile", "website"); - scopesToClaims.put("profile", "gender"); - scopesToClaims.put("profile", "zoneinfo"); - scopesToClaims.put("profile", "locale"); - scopesToClaims.put("profile", "updated_at"); - scopesToClaims.put("profile", "birthdate"); - - scopesToClaims.put("email", "email"); - scopesToClaims.put("email", "email_verified"); - - scopesToClaims.put("phone", "phone_number"); - scopesToClaims.put("phone", "phone_number_verified"); - - scopesToClaims.put("address", "address"); + scopesToClaims.put(OPENID_SCOPE, "sub"); + + scopesToClaims.put(PROFILE_SCOPE, "name"); + scopesToClaims.put(PROFILE_SCOPE, "preferred_username"); + scopesToClaims.put(PROFILE_SCOPE, "given_name"); + scopesToClaims.put(PROFILE_SCOPE, "family_name"); + scopesToClaims.put(PROFILE_SCOPE, "middle_name"); + scopesToClaims.put(PROFILE_SCOPE, "nickname"); + scopesToClaims.put(PROFILE_SCOPE, "profile"); + scopesToClaims.put(PROFILE_SCOPE, "picture"); + scopesToClaims.put(PROFILE_SCOPE, "website"); + scopesToClaims.put(PROFILE_SCOPE, "gender"); + scopesToClaims.put(PROFILE_SCOPE, "zoneinfo"); + scopesToClaims.put(PROFILE_SCOPE, "locale"); + scopesToClaims.put(PROFILE_SCOPE, "updated_at"); + scopesToClaims.put(PROFILE_SCOPE, "birthdate"); + + scopesToClaims.put(EMAIL_SCOPE, "email"); + scopesToClaims.put(EMAIL_SCOPE, "email_verified"); + + scopesToClaims.put(PHONE_SCOPE, "phone_number"); + scopesToClaims.put(PHONE_SCOPE, "phone_number_verified"); + + scopesToClaims.put(ADDRESS_SCOPE, "address"); // Iam scope mappings - scopesToClaims.put("profile", "organisation_name"); - scopesToClaims.put("profile", "groups"); + scopesToClaims.put(PROFILE_SCOPE, "organisation_name"); + scopesToClaims.put(PROFILE_SCOPE, "groups"); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamTokenService.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamTokenService.java index 484b71cdf..7122c5b76 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamTokenService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamTokenService.java @@ -1,5 +1,6 @@ package it.infn.mw.iam.core; +import java.util.Date; import java.util.Set; import org.mitre.oauth2.model.OAuth2AccessTokenEntity; @@ -33,7 +34,7 @@ public IamTokenService(IamOAuthAccessTokenRepository atRepo, public Set getAllAccessTokensForUser(String id) { Set results = Sets.newLinkedHashSet(); - results.addAll(accessTokenRepo.findValidAccessTokensForUser(id)); + results.addAll(accessTokenRepo.findValidAccessTokensForUser(id, new Date())); return results; } @@ -41,7 +42,7 @@ public Set getAllAccessTokensForUser(String id) { @Override public Set getAllRefreshTokensForUser(String id) { Set results = Sets.newLinkedHashSet(); - results.addAll(refreshTokenRepo.findValidRefreshTokensForUser(id)); + results.addAll(refreshTokenRepo.findValidRefreshTokensForUser(id, new Date())); return results; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamUserDetailsService.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamUserDetailsService.java index 5d44285f8..557a51cd0 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/IamUserDetailsService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/IamUserDetailsService.java @@ -43,8 +43,7 @@ public UserDetails loadUserByUsername(final String username) throws UsernameNotF if (a.isActive()) { - User u = new User(a.getUsername(), a.getPassword(), convertAuthorities(a)); - return u; + return new User(a.getUsername(), a.getPassword(), convertAuthorities(a)); } else { throw new DisabledException("User '" + username + "' is not active."); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/time/SystemTimeProvider.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/time/SystemTimeProvider.java index 60d6b4323..bef2f52fe 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/time/SystemTimeProvider.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/time/SystemTimeProvider.java @@ -11,8 +11,6 @@ @Component public class SystemTimeProvider implements TimeProvider { - public SystemTimeProvider() {} - @Override public long currentTimeMillis() { diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/time/TimeProvider.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/time/TimeProvider.java index 8595ba128..2d636d9b1 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/time/TimeProvider.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/time/TimeProvider.java @@ -4,6 +4,7 @@ * Time provider interface. * */ +@FunctionalInterface public interface TimeProvider { /** diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/user/DefaultIamAccountService.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/DefaultIamAccountService.java new file mode 100644 index 000000000..f72454eb9 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/DefaultIamAccountService.java @@ -0,0 +1,241 @@ +package it.infn.mw.iam.core.user; + +import static com.google.common.base.Preconditions.checkArgument; +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.base.Strings.isNullOrEmpty; + +import java.util.Date; +import java.util.List; +import java.util.UUID; + +import javax.transaction.Transactional; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationEventPublisher; +import org.springframework.security.crypto.password.PasswordEncoder; +import org.springframework.stereotype.Service; + +import it.infn.mw.iam.audit.events.account.AccountCreatedEvent; +import it.infn.mw.iam.audit.events.account.AccountRemovedEvent; +import it.infn.mw.iam.core.user.exception.CredentialAlreadyBoundException; +import it.infn.mw.iam.core.user.exception.InvalidCredentialException; +import it.infn.mw.iam.core.user.exception.UserAlreadyExistsException; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamAuthority; +import it.infn.mw.iam.persistence.model.IamOidcId; +import it.infn.mw.iam.persistence.model.IamSamlId; +import it.infn.mw.iam.persistence.model.IamSshKey; +import it.infn.mw.iam.persistence.model.IamX509Certificate; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.persistence.repository.IamAuthoritiesRepository; + +@Service +@Transactional +public class DefaultIamAccountService implements IamAccountService { + + private final IamAccountRepository accountRepo; + private final IamAuthoritiesRepository authoritiesRepo; + private final PasswordEncoder passwordEncoder; + private final ApplicationEventPublisher eventPublisher; + + @Autowired + public DefaultIamAccountService(IamAccountRepository accountRepo, + IamAuthoritiesRepository authoritiesRepo, PasswordEncoder passwordEncoder, + ApplicationEventPublisher eventPublisher) { + + this.accountRepo = accountRepo; + this.authoritiesRepo = authoritiesRepo; + this.passwordEncoder = passwordEncoder; + this.eventPublisher = eventPublisher; + } + + @Override + public IamAccount createAccount(IamAccount account) { + checkNotNull(account, "Cannot create a null account"); + + final Date now = new Date(); + final String randomUuid = UUID.randomUUID().toString(); + + newAccountSanityChecks(account); + + if (account.getCreationTime() == null) { + account.setCreationTime(now); + } + + if (account.getUuid() == null) { + account.setUuid(randomUuid); + } + + account.setLastUpdateTime(now); + + account.getUserInfo().setEmailVerified(true); + + if (account.getPassword() == null) { + account.setPassword(UUID.randomUUID().toString()); + } + + account.setPassword(passwordEncoder.encode(account.getPassword())); + + IamAuthority roleUserAuthority = authoritiesRepo.findByAuthority("ROLE_USER").orElseThrow( + () -> new IllegalStateException("ROLE_USER not found in database. This is a bug")); + + account.getAuthorities().add(roleUserAuthority); + + // Credentials sanity checks + newAccountX509CertificatesSanityChecks(account); + newAccountSshKeysSanityChecks(account); + newAccountSamlIdsSanityChecks(account); + newAccountOidcIdsSanityChecks(account); + + // Set creation time for certificates + account.getX509Certificates().forEach(c -> { + c.setCreationTime(now); + c.setLastUpdateTime(now); + }); + + accountRepo.save(account); + + eventPublisher.publishEvent(new AccountCreatedEvent(this, account, + "Account created for user " + account.getUsername())); + + return account; + } + + @Override + public IamAccount deleteAccount(IamAccount account) { + checkNotNull(account, "cannot delete a null account"); + accountRepo.delete(account); + + eventPublisher.publishEvent(new AccountRemovedEvent(this, account, + "Removed account for user " + account.getUsername())); + + return account; + } + + private void newAccountOidcIdsSanityChecks(IamAccount account) { + account.getOidcIds().forEach(this::oidcIdSanityChecks); + } + + + private void newAccountSamlIdsSanityChecks(IamAccount account) { + account.getSamlIds().forEach(this::samlIdSanityChecks); + } + + private void newAccountSanityChecks(IamAccount account) { + checkArgument(!isNullOrEmpty(account.getUsername()), "Null or empty username"); + checkNotNull(account.getUserInfo(), "Null userinfo object"); + checkArgument(!isNullOrEmpty(account.getUserInfo().getEmail()), "Null or empty email"); + + accountRepo.findByUsername(account.getUsername()).ifPresent(a -> { + throw new UserAlreadyExistsException( + String.format("A user with username '%s' already exists", a.getUsername())); + }); + + accountRepo.findByEmail(account.getUserInfo().getEmail()).ifPresent(a -> { + throw new UserAlreadyExistsException(String + .format("A user linked with email '%s' already exists", a.getUserInfo().getEmail())); + }); + + } + + private void newAccountSshKeysSanityChecks(IamAccount account) { + + if (account.hasSshKeys()) { + + account.getSshKeys().forEach(this::sshKeySanityChecks); + + final long count = account.getSshKeys().stream().filter(IamSshKey::isPrimary).count(); + + if (count > 1) { + throw new InvalidCredentialException("Only one SSH key can be marked as primary"); + } + + if (count == 0) { + account.getSshKeys().stream().findFirst().ifPresent(k -> k.setPrimary(true)); + } + } + } + + private void newAccountX509CertificatesSanityChecks(IamAccount account) { + + if (account.hasX509Certificates()) { + + account.getX509Certificates().forEach(this::x509CertificateSanityCheck); + + final long count = + account.getX509Certificates().stream().filter(IamX509Certificate::isPrimary).count(); + + if (count > 1) { + throw new InvalidCredentialException("Only one X.509 certificate can be marked as primary"); + } + + if (count == 0) { + account.getX509Certificates().stream().findFirst().ifPresent(c -> c.setPrimary(true)); + } + } + + } + + private void oidcIdSanityChecks(IamOidcId oidcId) { + checkNotNull(oidcId, "null oidc id"); + checkArgument(!isNullOrEmpty(oidcId.getIssuer()), "null or empty oidc id issuer"); + checkArgument(!isNullOrEmpty(oidcId.getSubject()), "null or empty oidc id subject"); + + accountRepo.findByOidcId(oidcId.getIssuer(), oidcId.getSubject()).ifPresent(account -> { + + throw new CredentialAlreadyBoundException(String.format( + "OIDC id '%s,%s' is already bound to a user", oidcId.getIssuer(), oidcId.getSubject())); + }); + } + + private void samlIdSanityChecks(IamSamlId samlId) { + + checkNotNull(samlId, "null saml id"); + + checkArgument(!isNullOrEmpty(samlId.getIdpId()), "null or empty idpId"); + checkArgument(!isNullOrEmpty(samlId.getUserId()), "null or empty userId"); + checkArgument(!isNullOrEmpty(samlId.getAttributeId()), "null or empty attributeId"); + + accountRepo.findBySamlId(samlId).ifPresent(account -> { + throw new CredentialAlreadyBoundException( + String.format("SAML id '%s,%s,%s' already bound to a user", samlId.getIdpId(), + samlId.getAttributeId(), samlId.getUserId())); + }); + } + + private void sshKeySanityChecks(IamSshKey sshKey) { + + checkNotNull(sshKey, "null ssh key"); + checkArgument(!isNullOrEmpty(sshKey.getValue()), "null or empty ssh key value"); + + accountRepo.findBySshKeyValue(sshKey.getValue()).ifPresent(account -> { + throw new CredentialAlreadyBoundException( + String.format("SSH key '%s' already bound to a user", sshKey.getValue())); + }); + } + + private void x509CertificateSanityCheck(IamX509Certificate cert) { + checkNotNull(cert, "null X.509 certificate"); + checkArgument(!isNullOrEmpty(cert.getSubjectDn()), + "null or empty X.509 certificate subject DN"); + checkArgument(!isNullOrEmpty(cert.getIssuerDn()), "null or empty X.509 certificate issuer DN"); + checkArgument(!isNullOrEmpty(cert.getLabel()), "null or empty X.509 certificate label"); + + accountRepo.findByCertificateSubject(cert.getSubjectDn()).ifPresent(c -> { + throw new CredentialAlreadyBoundException(String + .format("X509 certificate with subject '%s' is already bound to another user", cert.getSubjectDn())); + }); + } + + @Override + public List deleteInactiveProvisionedUsersSinceTime(Date timestamp) { + checkNotNull(timestamp, "null timestamp"); + + List accounts = + accountRepo.findProvisionedAccountsWithLastLoginTimeBeforeTimestamp(timestamp); + + accounts.forEach(this::deleteAccount); + + return accounts; + } +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/user/IamAccountService.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/IamAccountService.java new file mode 100644 index 000000000..e416ebc2a --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/IamAccountService.java @@ -0,0 +1,39 @@ +package it.infn.mw.iam.core.user; + +import java.util.Date; +import java.util.List; + +import it.infn.mw.iam.persistence.model.IamAccount; + +/** + * This service provides basic functionality used to manage IAM accounts + */ +public interface IamAccountService { + + /** + * Creates a new {@link IamAccount}, after some checks. + * + * @param account the account to be created + * @return the created {@link IamAccount} + */ + IamAccount createAccount(IamAccount account); + + + /** + * Deletes a {@link IamAccount}. + * + * @param account the account to be deleted + * + * @return the deleted {@link IamAccount} + */ + IamAccount deleteAccount(IamAccount account); + + /** + * Deletes provisioned accounts whose last login time is before than the timestamp passed as + * argument + * + * @param timestamp the timestamp + * @return the possibly empty {@link List} of {@link IamAccount} that have been removed + */ + List deleteInactiveProvisionedUsersSinceTime(Date timestamp); +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/CredentialAlreadyBoundException.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/CredentialAlreadyBoundException.java new file mode 100644 index 000000000..9f8cebb7c --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/CredentialAlreadyBoundException.java @@ -0,0 +1,14 @@ +package it.infn.mw.iam.core.user.exception; + +public class CredentialAlreadyBoundException extends IamAccountException { + + /** + * + */ + private static final long serialVersionUID = -5213327060856570097L; + + public CredentialAlreadyBoundException(String message) { + super(message); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/IamAccountException.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/IamAccountException.java new file mode 100644 index 000000000..99155f5c6 --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/IamAccountException.java @@ -0,0 +1,14 @@ +package it.infn.mw.iam.core.user.exception; + +public class IamAccountException extends RuntimeException { + + /** + * + */ + private static final long serialVersionUID = 2769590935871518008L; + + public IamAccountException(String message) { + super(message); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/InvalidCredentialException.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/InvalidCredentialException.java new file mode 100644 index 000000000..c0773f0cb --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/InvalidCredentialException.java @@ -0,0 +1,11 @@ +package it.infn.mw.iam.core.user.exception; + +public class InvalidCredentialException extends IamAccountException { + + private static final long serialVersionUID = 7461872494570748516L; + + public InvalidCredentialException(String message) { + super(message); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/UserAlreadyExistsException.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/UserAlreadyExistsException.java new file mode 100644 index 000000000..fb749716a --- /dev/null +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/exception/UserAlreadyExistsException.java @@ -0,0 +1,14 @@ +package it.infn.mw.iam.core.user.exception; + +public class UserAlreadyExistsException extends IamAccountException { + + /** + * + */ + private static final long serialVersionUID = 4103663720620113509L; + + public UserAlreadyExistsException(String message) { + super(message); + } + +} diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/util/AuthenticationLogger.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/util/AuthenticationLogger.java index 7aa012888..4d9ff7b27 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/util/AuthenticationLogger.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/util/AuthenticationLogger.java @@ -2,6 +2,7 @@ import org.springframework.security.core.Authentication; +@FunctionalInterface public interface AuthenticationLogger { public void logAuthenticationSuccess(Authentication auth); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/util/IamAuthenticationLogger.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/util/IamAuthenticationLogger.java index 134c03f87..1ac9ad943 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/util/IamAuthenticationLogger.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/util/IamAuthenticationLogger.java @@ -9,12 +9,12 @@ public enum IamAuthenticationLogger implements AuthenticationLogger { INSTANCE; - private final Logger LOG = LoggerFactory.getLogger(IamAuthenticationLogger.class); + private final Logger log = LoggerFactory.getLogger(IamAuthenticationLogger.class); @Override public void logAuthenticationSuccess(Authentication auth) { if (!(auth instanceof OAuth2Authentication)) { - LOG.info("{} was authenticated succesfully", auth.getName()); + log.info("{} was authenticated succesfully", auth.getName()); return; } @@ -23,9 +23,9 @@ public void logAuthenticationSuccess(Authentication auth) { if (oauth.getUserAuthentication() != null) { final String userName = oauth.getUserAuthentication().getName(); - LOG.info("{} acting for {} was authenticated succesfully", clientName, userName); + log.info("{} acting for {} was authenticated succesfully", clientName, userName); } else { - LOG.info("Client {} was authenticated succesfully", clientName); + log.info("Client {} was authenticated succesfully", clientName); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/util/PoliteJsonMessageSource.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/util/PoliteJsonMessageSource.java index ce113daf4..593816293 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/util/PoliteJsonMessageSource.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/util/PoliteJsonMessageSource.java @@ -33,7 +33,7 @@ public class PoliteJsonMessageSource extends AbstractMessageSource { // Logger for this class - private static final Logger logger = LoggerFactory.getLogger(PoliteJsonMessageSource.class); + private static final Logger LOG = LoggerFactory.getLogger(PoliteJsonMessageSource.class); private Resource baseDirectory; @@ -148,7 +148,7 @@ private List getLanguageMap(Locale locale) { Resource r = getBaseDirectory().createRelative(filename); - logger.info("No locale loaded, trying to load from " + r); + LOG.info("No locale loaded, trying to load from {}" , r); JsonParser parser = new JsonParser(); JsonObject obj = @@ -158,7 +158,7 @@ private List getLanguageMap(Locale locale) { } languageMaps.put(locale, set); } catch (JsonIOException | JsonSyntaxException | IOException e) { - logger.debug("Unable to load locale: {}", e.getMessage()); + LOG.debug("Unable to load locale: {}", e.getMessage(),e); } } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/DefaultLoginPageConfiguration.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/DefaultLoginPageConfiguration.java index b1199129c..64a356d3c 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/DefaultLoginPageConfiguration.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/DefaultLoginPageConfiguration.java @@ -1,10 +1,13 @@ package it.infn.mw.iam.core.web; +import static it.infn.mw.iam.api.account_linking.AccountLinkingConstants.ACCOUNT_LINKING_DISABLE_PROPERTY; + import java.util.Arrays; import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.context.EnvironmentAware; import org.springframework.core.env.Environment; import org.springframework.stereotype.Component; @@ -20,7 +23,9 @@ public class DefaultLoginPageConfiguration implements LoginPageConfiguration, En private boolean githubEnabled; private boolean samlEnabled; private boolean registrationEnabled; - + + @Value(ACCOUNT_LINKING_DISABLE_PROPERTY) + private Boolean accountLinkingDisable; @Autowired GoogleClientProperties googleClientConfiguration; @@ -70,4 +75,9 @@ public boolean isRegistrationEnabled() { return registrationEnabled; } + @Override + public boolean isAccountLinkingEnabled() { + return !accountLinkingDisable.booleanValue(); + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/IamDiscoveryEndpoint.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/IamDiscoveryEndpoint.java index e9adbb42a..431b21c15 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/IamDiscoveryEndpoint.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/IamDiscoveryEndpoint.java @@ -81,8 +81,8 @@ public String apply(Algorithm alg) { public String webfinger(@RequestParam("resource") String resource, @RequestParam(value = "rel", required = false) String rel, Model model) { - if (!Strings.isNullOrEmpty(rel) && !rel.equals("http://openid.net/specs/connect/1.0/issuer")) { - logger.warn("Responding to webfinger request for non-OIDC relation: " + rel); + if (!Strings.isNullOrEmpty(rel) && !"http://openid.net/specs/connect/1.0/issuer".equals(rel)) { + logger.warn("Responding to webfinger request for non-OIDC relation: {}", rel); } if (!resource.equals(config.getIssuer())) { @@ -118,7 +118,7 @@ public String webfinger(@RequestParam("resource") String resource, // if the user's still null, punt and say we didn't find them - logger.info("User not found: " + resource); + logger.info("User not found: {}", resource); model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); return HttpCodeView.VIEWNAME; } @@ -126,7 +126,7 @@ public String webfinger(@RequestParam("resource") String resource, } } else { - logger.info("Unknown URI format: " + resource); + logger.info("Unknown URI format: {}", resource); model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND); return HttpCodeView.VIEWNAME; } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/LoginPageConfiguration.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/LoginPageConfiguration.java index 48b837043..e400c3bb8 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/LoginPageConfiguration.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/LoginPageConfiguration.java @@ -9,4 +9,6 @@ public interface LoginPageConfiguration { boolean isSamlEnabled(); boolean isRegistrationEnabled(); + + boolean isAccountLinkingEnabled(); } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/github/GithubAuthFilter.java b/iam-login-service/src/main/java/it/infn/mw/iam/github/GithubAuthFilter.java index b15936dcd..41e9e6b88 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/github/GithubAuthFilter.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/github/GithubAuthFilter.java @@ -8,22 +8,21 @@ import javax.servlet.http.HttpSession; import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter; import org.springframework.security.web.savedrequest.DefaultSavedRequest; public class GithubAuthFilter extends OAuth2ClientAuthenticationProcessingFilter { - protected final static String REDIRECT_URI_SESSION_VARIABLE = "redirect_uri"; - protected final static String STATE_SESSION_VARIABLE = "state"; - protected final static String NONCE_SESSION_VARIABLE = "nonce"; - protected final static String ISSUER_SESSION_VARIABLE = "issuer"; + protected static final String REDIRECT_URI_SESSION_VARIABLE = "redirect_uri"; + protected static final String STATE_SESSION_VARIABLE = "state"; + protected static final String NONCE_SESSION_VARIABLE = "nonce"; + protected static final String ISSUER_SESSION_VARIABLE = "issuer"; protected static final String TARGET_SESSION_VARIABLE = "target"; - protected final static int HTTP_SOCKET_TIMEOUT = 30000; + protected static final int HTTP_SOCKET_TIMEOUT = 30000; - protected final static String ORIGIN_AUTH_REQUEST_SESSION_VARIABLE = "origin_auth_request"; + protected static final String ORIGIN_AUTH_REQUEST_SESSION_VARIABLE = "origin_auth_request"; - public final static String FILTER_PROCESSES_URL = "/login/github"; + public static final String FILTER_PROCESSES_URL = "/login/github"; public GithubAuthFilter() { super(FILTER_PROCESSES_URL); @@ -36,7 +35,7 @@ public GithubAuthFilter(String processingUrl) { @Override public Authentication attemptAuthentication(final HttpServletRequest request, final HttpServletResponse response) - throws AuthenticationException, IOException, ServletException { + throws IOException, ServletException { HttpSession session = request.getSession(); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/notification/DefaultNotificationService.java b/iam-login-service/src/main/java/it/infn/mw/iam/notification/DefaultNotificationService.java index ce86a50f3..db8e0c73d 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/notification/DefaultNotificationService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/notification/DefaultNotificationService.java @@ -134,6 +134,7 @@ public IamEmailNotification createResetPasswordMessage(IamAccount account) { model.put(RECIPIENT_FIELD, recipient); model.put("resetPasswordUrl", resetPasswordUrl); model.put("organisationName", organisationName); + model.put("username", account.getUsername()); return createMessage("resetPassword.vm", model, IamNotificationType.RESETPASSWD, properties.getSubject().get("resetPassword"), account.getUserInfo().getEmail()); @@ -169,7 +170,7 @@ public void sendPendingNotifications() { } catch (MailException me) { elem.setDeliveryStatus(IamDeliveryStatus.DELIVERY_ERROR); logger.error("Message delivery fail. message_id:{} reason:{}", elem.getUuid(), - me.getMessage()); + me.getMessage(), me); } elem.setLastUpdate(new Date()); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/registration/DefaultRegistrationRequestService.java b/iam-login-service/src/main/java/it/infn/mw/iam/registration/DefaultRegistrationRequestService.java index 19bc8c1b6..7e17d8654 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/registration/DefaultRegistrationRequestService.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/registration/DefaultRegistrationRequestService.java @@ -23,12 +23,12 @@ import com.google.common.collect.ImmutableTable; import com.google.common.collect.Table; +import it.infn.mw.iam.api.scim.converter.UserConverter; import it.infn.mw.iam.api.scim.exception.IllegalArgumentException; import it.infn.mw.iam.api.scim.exception.ScimResourceNotFoundException; import it.infn.mw.iam.api.scim.model.ScimOidcId; import it.infn.mw.iam.api.scim.model.ScimSamlId; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.api.scim.provisioning.ScimUserProvisioning; import it.infn.mw.iam.audit.events.registration.RegistrationApproveEvent; import it.infn.mw.iam.audit.events.registration.RegistrationConfirmEvent; import it.infn.mw.iam.audit.events.registration.RegistrationRejectEvent; @@ -36,6 +36,7 @@ import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo; import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType; import it.infn.mw.iam.core.IamRegistrationRequestStatus; +import it.infn.mw.iam.core.user.IamAccountService; import it.infn.mw.iam.notification.NotificationService; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamRegistrationRequest; @@ -50,7 +51,10 @@ public class DefaultRegistrationRequestService private IamRegistrationRequestRepository requestRepository; @Autowired - private ScimUserProvisioning userService; + private IamAccountService accountService; + + @Autowired + private UserConverter userConverter; @Autowired @Qualifier("defaultNotificationService") @@ -67,10 +71,6 @@ public class DefaultRegistrationRequestService private ApplicationEventPublisher eventPublisher; - public void setApplicationEventPublisher(ApplicationEventPublisher publisher) { - this.eventPublisher = publisher; - } - private static final Table allowedStateTransitions = new ImmutableTable.Builder() .put(NEW, CONFIRMED, true) @@ -98,6 +98,7 @@ private void addExternalAuthnInfo(ScimUser.Builder user, } else if (ExternalAuthenticationType.SAML.equals(extAuthnInfo.getType())) { ScimSamlId samlId = new ScimSamlId.Builder().idpId(extAuthnInfo.getIssuer()) .userId(extAuthnInfo.getSubject()) + .attributeId(extAuthnInfo.getSubjectAttribute()) .build(); user.addSamlId(samlId); } @@ -107,6 +108,8 @@ private void addExternalAuthnInfo(ScimUser.Builder user, public RegistrationRequestDto createRequest(RegistrationRequestDto request, Optional extAuthnInfo) { + notesSanityChecks(request.getNotes()); + ScimUser.Builder userBuilder = ScimUser.builder() .buildName(request.getGivenname(), request.getFamilyname()) .buildEmail(request.getEmail()) @@ -115,7 +118,8 @@ public RegistrationRequestDto createRequest(RegistrationRequestDto request, extAuthnInfo.ifPresent(i -> addExternalAuthnInfo(userBuilder, i)); - IamAccount newAccount = userService.createAccount(userBuilder.build()); + IamAccount newAccount = + accountService.createAccount(userConverter.fromScim(userBuilder.build())); newAccount.setConfirmationKey(tokenGenerator.generateToken()); newAccount.setActive(false); @@ -145,7 +149,9 @@ public List listRequests(IamRegistrationRequestStatus st List result = new ArrayList<>(); if (status != null) { - result = requestRepository.findByStatus(status).get(); + result = requestRepository.findByStatus(status).orElseThrow( + () -> new IllegalStateException("No request found with status: " + status.name())); + } else { Sort srt = new Sort(Sort.Direction.ASC, "creationTime"); Iterable iter = requestRepository.findAll(srt); @@ -167,7 +173,7 @@ public List listRequests(IamRegistrationRequestStatus st @Override public List listPendingRequests() { - List result = requestRepository.findPendingRequests().get(); + List result = requestRepository.findPendingRequests(); List requests = new ArrayList<>(); @@ -275,7 +281,7 @@ private RegistrationRequestDto handleReject(IamRegistrationRequest request) { notificationService.createRequestRejectedMessage(request); RegistrationRequestDto retval = converter.fromEntity(request); - userService.delete(request.getAccount().getUuid()); + accountService.deleteAccount(request.getAccount()); eventPublisher.publishEvent(new RegistrationRejectEvent(this, request, "Reject registration request for user " + request.getAccount().getUsername())); @@ -283,4 +289,19 @@ private RegistrationRequestDto handleReject(IamRegistrationRequest request) { return retval; } + private void notesSanityChecks(final String notes) { + + if (notes == null) { + throw new IllegalArgumentException("Notes field cannot be null"); + } + + if (notes.trim().isEmpty()) { + throw new IllegalArgumentException("Notes field cannot be the empty string"); + } + } + + public void setApplicationEventPublisher(ApplicationEventPublisher publisher) { + this.eventPublisher = publisher; + } + } diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationController.java b/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationController.java index 54912c730..1e324755b 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationController.java @@ -1,8 +1,12 @@ package it.infn.mw.iam.registration; +import static java.lang.String.format; + import java.util.List; import java.util.Optional; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Profile; import org.springframework.security.access.prepost.PreAuthorize; @@ -30,6 +34,7 @@ @Profile("registration") public class RegistrationController { + public static final Logger LOG = LoggerFactory.getLogger(RegistrationController.class); private RegistrationRequestService service; private Optional getExternalAuthenticationInfo() { @@ -43,7 +48,7 @@ private Optional getExternalAuthenticati if (authn instanceof AbstractExternalAuthenticationToken) { return Optional - .of(((AbstractExternalAuthenticationToken) authn).toExernalAuthenticationInfo()); + .of(((AbstractExternalAuthenticationToken) authn).toExernalAuthenticationRegistrationInfo()); } return Optional.empty(); @@ -62,8 +67,7 @@ public Boolean usernameAvailable(@PathVariable("username") String username) { @RequestMapping(value = "/registration/email-available/{email:.+}", method = RequestMethod.GET) public Boolean emailAvailable(@PathVariable("email") String email) { - Boolean emailAvaiable = service.emailAvailable(email); - return emailAvaiable; + return service.emailAvailable(email); } @PreAuthorize("#oauth2.hasScope('registration:read') or hasRole('ADMIN')") @@ -101,7 +105,7 @@ public RegistrationRequestDto changeStatus(@PathVariable("uuid") String uuid, try { status = IamRegistrationRequestStatus.valueOf(decision); } catch (Exception e) { - throw new IllegalArgumentException(String.format("Operation [%s] not found", decision)); + throw new IllegalArgumentException(format("Operation [%s] not found", decision),e); } return service.updateStatus(uuid, status); @@ -120,6 +124,7 @@ public ModelAndView verify(final Model model, @PathVariable("token") String toke model.addAttribute("verificationSuccess", true); SecurityContextHolder.clearContext(); } catch (ScimResourceNotFoundException e) { + LOG.warn(e.getMessage(),e); String message = "Activation failed: " + e.getMessage(); model.addAttribute("verificationMessage", message); model.addAttribute("verificationFailure", true); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/registration/TokenGenerator.java b/iam-login-service/src/main/java/it/infn/mw/iam/registration/TokenGenerator.java index 634293c9e..3b9d1c75e 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/registration/TokenGenerator.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/registration/TokenGenerator.java @@ -1,5 +1,5 @@ package it.infn.mw.iam.registration; - +@FunctionalInterface public interface TokenGenerator { String generateToken(); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/util/ssh/RSAPublicKeyUtils.java b/iam-login-service/src/main/java/it/infn/mw/iam/util/ssh/RSAPublicKeyUtils.java index 04bb3850d..e2f04213f 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/util/ssh/RSAPublicKeyUtils.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/util/ssh/RSAPublicKeyUtils.java @@ -1,13 +1,15 @@ package it.infn.mw.iam.util.ssh; -import org.apache.commons.codec.binary.Hex; -import org.apache.commons.codec.digest.MessageDigestAlgorithms; - import java.security.MessageDigest; import java.util.Base64; +import org.apache.commons.codec.binary.Hex; +import org.apache.commons.codec.digest.MessageDigestAlgorithms; + public class RSAPublicKeyUtils { + private RSAPublicKeyUtils() {} + public static String getMD5Fingerprint(String key) { return buildMD5Fingerprint(key); @@ -33,7 +35,7 @@ private static String buildMD5Fingerprint(String key) throws InvalidSshKeyExcept byte[] digest = MessageDigest.getInstance(MessageDigestAlgorithms.MD5).digest(decodedKey); fingerprint = Hex.encodeHexString(digest); - } catch (Throwable e) { + } catch (Exception e) { throw new InvalidSshKeyException( "Error during fingerprint generation: RSA key is not base64 encoded", e); @@ -52,7 +54,7 @@ private static String buildSHA256Fingerprint(String key) throws InvalidSshKeyExc byte[] digest = MessageDigest.getInstance(MessageDigestAlgorithms.SHA_256).digest(decodedKey); fingerprint = Base64.getEncoder().encodeToString(digest); - } catch (Throwable e) { + } catch (Exception e) { throw new InvalidSshKeyException( "Error during fingerprint generation: RSA key is not base64 encoded", e); diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/util/x509/X509Utils.java b/iam-login-service/src/main/java/it/infn/mw/iam/util/x509/X509Utils.java index ef918cc07..9a18112dd 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/util/x509/X509Utils.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/util/x509/X509Utils.java @@ -24,7 +24,7 @@ public static X509Certificate getX509CertificateFromString(String certValue) } catch (IllegalArgumentException iae) { throw new ScimValidationException( - "Error in conversion from String to x509 certificate: Not valid Base64 scheme"); + "Error in conversion from String to x509 certificate: Not valid Base64 scheme", iae); } X509Certificate cert = null; @@ -37,7 +37,7 @@ public static X509Certificate getX509CertificateFromString(String certValue) } catch (CertificateException ce) { throw new ScimValidationException( - "Error in conversion from String to x509 certificate: the base64 encoded string is not a valid certificate"); + "Error in conversion from String to x509 certificate: the base64 encoded string is not a valid certificate", ce); } return cert; diff --git a/iam-login-service/src/main/resources/application-h2-test.yml b/iam-login-service/src/main/resources/application-h2-test.yml index eb449586f..33337d7f3 100644 --- a/iam-login-service/src/main/resources/application-h2-test.yml +++ b/iam-login-service/src/main/resources/application-h2-test.yml @@ -1,6 +1,6 @@ spring: profiles: - include: google,saml + include: google,registration,saml datasource: driverClassName: org.h2.Driver url: jdbc:h2:mem:iam;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE diff --git a/iam-login-service/src/main/resources/application-saml.yml b/iam-login-service/src/main/resources/application-saml.yml index baf1d96f7..c660e2487 100644 --- a/iam-login-service/src/main/resources/application-saml.yml +++ b/iam-login-service/src/main/resources/application-saml.yml @@ -6,4 +6,13 @@ saml: key-password: ${IAM_SAML_KEY_PASSWORD:password} idp-metadata: ${IAM_SAML_IDP_METADATA:classpath:/saml/idp-metadata.xml} max-assertion-time-sec: ${IAM_SAML_MAX_ASSERTION_TIME:3000} - max-authentication-age-sec: ${IAM_SAML_MAX_AUTHENTICATION_AGE:86400} \ No newline at end of file + max-authentication-age-sec: ${IAM_SAML_MAX_AUTHENTICATION_AGE:86400} + id-resolvers: ${IAM_SAML_ID_RESOLVERS:eduPersonUniqueId,eduPersonTargetedId,eduPersonPrincipalName} + metadata-lookup-service-refresh-period-sec: ${IAM_SAML_METADATA_LOOKUP_SERVICE_REFRESH_PERIOD_SEC:600} + + jit-account-provisioning: + enabled: ${IAM_SAML_JIT_ACCOUNT_PROVISIONING_ENABLED:false} + trusted-idps: ${IAM_SAML_JIT_ACCOUNT_PROVISIONING_TRUSTED_IDPS:all} + cleanup-task-enabled: ${IAM_SAML_JIT_ACCOUNT_PROVISIONING_CLEANUP_TASK_ENABLED:false} + cleanup-task-period-sec: ${IAM_SAML_JIT_ACCOUNT_PROVISIONING_CLEANUP_TASK_PERIOD_SEC:86400} + inactive-account-lifetime-days: ${IAM_SAML_JIT_ACCOUNT_PROVISIONING_INACTIVE_ACCOUNT_LIFETIME_DAYS:15} \ No newline at end of file diff --git a/iam-login-service/src/main/resources/application.yml b/iam-login-service/src/main/resources/application.yml index 13cfbed13..e0fa3b3a7 100644 --- a/iam-login-service/src/main/resources/application.yml +++ b/iam-login-service/src/main/resources/application.yml @@ -13,7 +13,7 @@ server: spring: profiles: - active: h2-test,registration + active: h2-test application: name: INDIGO IAM @@ -92,3 +92,12 @@ task: endpoints: healthMail: path: /health/mail + externalService: + path: /health/external + +health: + timeout: 5000 + googleEndpoint: http://www.google.it + +accountLinking: + disable: ${IAM_ACCOUNT_LINKING_DISABLE:false} diff --git a/iam-login-service/src/main/resources/templates/resetPassword.vm b/iam-login-service/src/main/resources/templates/resetPassword.vm index 6dc60a5d9..9932b53a1 100644 --- a/iam-login-service/src/main/resources/templates/resetPassword.vm +++ b/iam-login-service/src/main/resources/templates/resetPassword.vm @@ -4,5 +4,8 @@ Follow this link to set a new password for your $organisationName account: $resetPasswordUrl +Once your password has been reset, you can login to the IAM using the following username: + +$username The $organisationName registration service diff --git a/iam-login-service/src/main/webapp/WEB-INF/tags/header.tag b/iam-login-service/src/main/webapp/WEB-INF/tags/header.tag index 16d1817e7..36ccabdd6 100644 --- a/iam-login-service/src/main/webapp/WEB-INF/tags/header.tag +++ b/iam-login-service/src/main/webapp/WEB-INF/tags/header.tag @@ -24,7 +24,7 @@ - + diff --git a/iam-login-service/src/main/webapp/WEB-INF/tags/iam/page.tag b/iam-login-service/src/main/webapp/WEB-INF/tags/iam/page.tag index a89981469..fa2e3cb80 100644 --- a/iam-login-service/src/main/webapp/WEB-INF/tags/iam/page.tag +++ b/iam-login-service/src/main/webapp/WEB-INF/tags/iam/page.tag @@ -46,7 +46,7 @@ + href="/webjars/font-awesome/css/font-awesome.css"> - \ No newline at end of file + diff --git a/iam-login-service/src/main/webapp/WEB-INF/tags/iamHeader.tag b/iam-login-service/src/main/webapp/WEB-INF/tags/iamHeader.tag index d44b52a04..a8b8537bc 100644 --- a/iam-login-service/src/main/webapp/WEB-INF/tags/iamHeader.tag +++ b/iam-login-service/src/main/webapp/WEB-INF/tags/iamHeader.tag @@ -32,9 +32,10 @@ rel="stylesheet" href="resources/iam/css/ionicons/ionicons.min.css"> + + href="/webjars/font-awesome/css/font-awesome.css"> + toaster-options="{'close-button': true, 'time-out':{ 'toast-error': 5000, 'toast-success': 5000, 'toast-warning': 5000 }, 'position-class': 'toast-top-center'}">
@@ -97,12 +97,12 @@ + - - + @@ -117,7 +117,8 @@ - + + diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/HELP-US-OUT.txt b/iam-login-service/src/main/webapp/resources/font-awesome/HELP-US-OUT.txt deleted file mode 100644 index 83d083dd7..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/HELP-US-OUT.txt +++ /dev/null @@ -1,7 +0,0 @@ -I hope you love Font Awesome. If you've found it useful, please do me a favor and check out my latest project, -Fort Awesome (https://fortawesome.com). It makes it easy to put the perfect icons on your website. Choose from our awesome, -comprehensive icon sets or copy and paste your own. - -Please. Check it out. - --Dave Gandy diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/css/font-awesome.css b/iam-login-service/src/main/webapp/resources/font-awesome/css/font-awesome.css deleted file mode 100644 index bb0fe51ad..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/css/font-awesome.css +++ /dev/null @@ -1,2178 +0,0 @@ -/*! - * Font Awesome 4.6.1 by @davegandy - http://fontawesome.io - @fontawesome - * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License) - */ -/* FONT PATH - * -------------------------- */ -@font-face { - font-family: 'FontAwesome'; - src: url('../fonts/fontawesome-webfont.eot?v=4.6.1'); - src: url('../fonts/fontawesome-webfont.eot?#iefix&v=4.6.1') format('embedded-opentype'), url('../fonts/fontawesome-webfont.woff2?v=4.6.1') format('woff2'), url('../fonts/fontawesome-webfont.woff?v=4.6.1') format('woff'), url('../fonts/fontawesome-webfont.ttf?v=4.6.1') format('truetype'), url('../fonts/fontawesome-webfont.svg?v=4.6.1#fontawesomeregular') format('svg'); - font-weight: normal; - font-style: normal; -} -.fa { - display: inline-block; - font: normal normal normal 14px/1 FontAwesome; - font-size: inherit; - text-rendering: auto; - -webkit-font-smoothing: antialiased; - -moz-osx-font-smoothing: grayscale; -} -/* makes the font 33% larger relative to the icon container */ -.fa-lg { - font-size: 1.33333333em; - line-height: 0.75em; - vertical-align: -15%; -} -.fa-2x { - font-size: 2em; -} -.fa-3x { - font-size: 3em; -} -.fa-4x { - font-size: 4em; -} -.fa-5x { - font-size: 5em; -} -.fa-fw { - width: 1.28571429em; - text-align: center; -} -.fa-ul { - padding-left: 0; - margin-left: 2.14285714em; - list-style-type: none; -} -.fa-ul > li { - position: relative; -} -.fa-li { - position: absolute; - left: -2.14285714em; - width: 2.14285714em; - top: 0.14285714em; - text-align: center; -} -.fa-li.fa-lg { - left: -1.85714286em; -} -.fa-border { - padding: .2em .25em .15em; - border: solid 0.08em #eeeeee; - border-radius: .1em; -} -.fa-pull-left { - float: left; -} -.fa-pull-right { - float: right; -} -.fa.fa-pull-left { - margin-right: .3em; -} -.fa.fa-pull-right { - margin-left: .3em; -} -/* Deprecated as of 4.4.0 */ -.pull-right { - float: right; -} -.pull-left { - float: left; -} -.fa.pull-left { - margin-right: .3em; -} -.fa.pull-right { - margin-left: .3em; -} -.fa-spin { - -webkit-animation: fa-spin 2s infinite linear; - animation: fa-spin 2s infinite linear; -} -.fa-pulse { - -webkit-animation: fa-spin 1s infinite steps(8); - animation: fa-spin 1s infinite steps(8); -} -@-webkit-keyframes fa-spin { - 0% { - -webkit-transform: rotate(0deg); - transform: rotate(0deg); - } - 100% { - -webkit-transform: rotate(359deg); - transform: rotate(359deg); - } -} -@keyframes fa-spin { - 0% { - -webkit-transform: rotate(0deg); - transform: rotate(0deg); - } - 100% { - -webkit-transform: rotate(359deg); - transform: rotate(359deg); - } -} -.fa-rotate-90 { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=1)"; - -webkit-transform: rotate(90deg); - -ms-transform: rotate(90deg); - transform: rotate(90deg); -} -.fa-rotate-180 { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=2)"; - -webkit-transform: rotate(180deg); - -ms-transform: rotate(180deg); - transform: rotate(180deg); -} -.fa-rotate-270 { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=3)"; - -webkit-transform: rotate(270deg); - -ms-transform: rotate(270deg); - transform: rotate(270deg); -} -.fa-flip-horizontal { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=0, mirror=1)"; - -webkit-transform: scale(-1, 1); - -ms-transform: scale(-1, 1); - transform: scale(-1, 1); -} -.fa-flip-vertical { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=2, mirror=1)"; - -webkit-transform: scale(1, -1); - -ms-transform: scale(1, -1); - transform: scale(1, -1); -} -:root .fa-rotate-90, -:root .fa-rotate-180, -:root .fa-rotate-270, -:root .fa-flip-horizontal, -:root .fa-flip-vertical { - filter: none; -} -.fa-stack { - position: relative; - display: inline-block; - width: 2em; - height: 2em; - line-height: 2em; - vertical-align: middle; -} -.fa-stack-1x, -.fa-stack-2x { - position: absolute; - left: 0; - width: 100%; - text-align: center; -} -.fa-stack-1x { - line-height: inherit; -} -.fa-stack-2x { - font-size: 2em; -} -.fa-inverse { - color: #ffffff; -} -/* Font Awesome uses the Unicode Private Use Area (PUA) to ensure screen - readers do not read off random characters that represent icons */ -.fa-glass:before { - content: "\f000"; -} -.fa-music:before { - content: "\f001"; -} -.fa-search:before { - content: "\f002"; -} -.fa-envelope-o:before { - content: "\f003"; -} -.fa-heart:before { - content: "\f004"; -} -.fa-star:before { - content: "\f005"; -} -.fa-star-o:before { - content: "\f006"; -} -.fa-user:before { - content: "\f007"; -} -.fa-film:before { - content: "\f008"; -} -.fa-th-large:before { - content: "\f009"; -} -.fa-th:before { - content: "\f00a"; -} -.fa-th-list:before { - content: "\f00b"; -} -.fa-check:before { - content: "\f00c"; -} -.fa-remove:before, -.fa-close:before, -.fa-times:before { - content: "\f00d"; -} -.fa-search-plus:before { - content: "\f00e"; -} -.fa-search-minus:before { - content: "\f010"; -} -.fa-power-off:before { - content: "\f011"; -} -.fa-signal:before { - content: "\f012"; -} -.fa-gear:before, -.fa-cog:before { - content: "\f013"; -} -.fa-trash-o:before { - content: "\f014"; -} -.fa-home:before { - content: "\f015"; -} -.fa-file-o:before { - content: "\f016"; -} -.fa-clock-o:before { - content: "\f017"; -} -.fa-road:before { - content: "\f018"; -} -.fa-download:before { - content: "\f019"; -} -.fa-arrow-circle-o-down:before { - content: "\f01a"; -} -.fa-arrow-circle-o-up:before { - content: "\f01b"; -} -.fa-inbox:before { - content: "\f01c"; -} -.fa-play-circle-o:before { - content: "\f01d"; -} -.fa-rotate-right:before, -.fa-repeat:before { - content: "\f01e"; -} -.fa-refresh:before { - content: "\f021"; -} -.fa-list-alt:before { - content: "\f022"; -} -.fa-lock:before { - content: "\f023"; -} -.fa-flag:before { - content: "\f024"; -} -.fa-headphones:before { - content: "\f025"; -} -.fa-volume-off:before { - content: "\f026"; -} -.fa-volume-down:before { - content: "\f027"; -} -.fa-volume-up:before { - content: "\f028"; -} -.fa-qrcode:before { - content: "\f029"; -} -.fa-barcode:before { - content: "\f02a"; -} -.fa-tag:before { - content: "\f02b"; -} -.fa-tags:before { - content: "\f02c"; -} -.fa-book:before { - content: "\f02d"; -} -.fa-bookmark:before { - content: "\f02e"; -} -.fa-print:before { - content: "\f02f"; -} -.fa-camera:before { - content: "\f030"; -} -.fa-font:before { - content: "\f031"; -} -.fa-bold:before { - content: "\f032"; -} -.fa-italic:before { - content: "\f033"; -} -.fa-text-height:before { - content: "\f034"; -} -.fa-text-width:before { - content: "\f035"; -} -.fa-align-left:before { - content: "\f036"; -} -.fa-align-center:before { - content: "\f037"; -} -.fa-align-right:before { - content: "\f038"; -} -.fa-align-justify:before { - content: "\f039"; -} -.fa-list:before { - content: "\f03a"; -} -.fa-dedent:before, -.fa-outdent:before { - content: "\f03b"; -} -.fa-indent:before { - content: "\f03c"; -} -.fa-video-camera:before { - content: "\f03d"; -} -.fa-photo:before, -.fa-image:before, -.fa-picture-o:before { - content: "\f03e"; -} -.fa-pencil:before { - content: "\f040"; -} -.fa-map-marker:before { - content: "\f041"; -} -.fa-adjust:before { - content: "\f042"; -} -.fa-tint:before { - content: "\f043"; -} -.fa-edit:before, -.fa-pencil-square-o:before { - content: "\f044"; -} -.fa-share-square-o:before { - content: "\f045"; -} -.fa-check-square-o:before { - content: "\f046"; -} -.fa-arrows:before { - content: "\f047"; -} -.fa-step-backward:before { - content: "\f048"; -} -.fa-fast-backward:before { - content: "\f049"; -} -.fa-backward:before { - content: "\f04a"; -} -.fa-play:before { - content: "\f04b"; -} -.fa-pause:before { - content: "\f04c"; -} -.fa-stop:before { - content: "\f04d"; -} -.fa-forward:before { - content: "\f04e"; -} -.fa-fast-forward:before { - content: "\f050"; -} -.fa-step-forward:before { - content: "\f051"; -} -.fa-eject:before { - content: "\f052"; -} -.fa-chevron-left:before { - content: "\f053"; -} -.fa-chevron-right:before { - content: "\f054"; -} -.fa-plus-circle:before { - content: "\f055"; -} -.fa-minus-circle:before { - content: "\f056"; -} -.fa-times-circle:before { - content: "\f057"; -} -.fa-check-circle:before { - content: "\f058"; -} -.fa-question-circle:before { - content: "\f059"; -} -.fa-info-circle:before { - content: "\f05a"; -} -.fa-crosshairs:before { - content: "\f05b"; -} -.fa-times-circle-o:before { - content: "\f05c"; -} -.fa-check-circle-o:before { - content: "\f05d"; -} -.fa-ban:before { - content: "\f05e"; -} -.fa-arrow-left:before { - content: "\f060"; -} -.fa-arrow-right:before { - content: "\f061"; -} -.fa-arrow-up:before { - content: "\f062"; -} -.fa-arrow-down:before { - content: "\f063"; -} -.fa-mail-forward:before, -.fa-share:before { - content: "\f064"; -} -.fa-expand:before { - content: "\f065"; -} -.fa-compress:before { - content: "\f066"; -} -.fa-plus:before { - content: "\f067"; -} -.fa-minus:before { - content: "\f068"; -} -.fa-asterisk:before { - content: "\f069"; -} -.fa-exclamation-circle:before { - content: "\f06a"; -} -.fa-gift:before { - content: "\f06b"; -} -.fa-leaf:before { - content: "\f06c"; -} -.fa-fire:before { - content: "\f06d"; -} -.fa-eye:before { - content: "\f06e"; -} -.fa-eye-slash:before { - content: "\f070"; -} -.fa-warning:before, -.fa-exclamation-triangle:before { - content: "\f071"; -} -.fa-plane:before { - content: "\f072"; -} -.fa-calendar:before { - content: "\f073"; -} -.fa-random:before { - content: "\f074"; -} -.fa-comment:before { - content: "\f075"; -} -.fa-magnet:before { - content: "\f076"; -} -.fa-chevron-up:before { - content: "\f077"; -} -.fa-chevron-down:before { - content: "\f078"; -} -.fa-retweet:before { - content: "\f079"; -} -.fa-shopping-cart:before { - content: "\f07a"; -} -.fa-folder:before { - content: "\f07b"; -} -.fa-folder-open:before { - content: "\f07c"; -} -.fa-arrows-v:before { - content: "\f07d"; -} -.fa-arrows-h:before { - content: "\f07e"; -} -.fa-bar-chart-o:before, -.fa-bar-chart:before { - content: "\f080"; -} -.fa-twitter-square:before { - content: "\f081"; -} -.fa-facebook-square:before { - content: "\f082"; -} -.fa-camera-retro:before { - content: "\f083"; -} -.fa-key:before { - content: "\f084"; -} -.fa-gears:before, -.fa-cogs:before { - content: "\f085"; -} -.fa-comments:before { - content: "\f086"; -} -.fa-thumbs-o-up:before { - content: "\f087"; -} -.fa-thumbs-o-down:before { - content: "\f088"; -} -.fa-star-half:before { - content: "\f089"; -} -.fa-heart-o:before { - content: "\f08a"; -} -.fa-sign-out:before { - content: "\f08b"; -} -.fa-linkedin-square:before { - content: "\f08c"; -} -.fa-thumb-tack:before { - content: "\f08d"; -} -.fa-external-link:before { - content: "\f08e"; -} -.fa-sign-in:before { - content: "\f090"; -} -.fa-trophy:before { - content: "\f091"; -} -.fa-github-square:before { - content: "\f092"; -} -.fa-upload:before { - content: "\f093"; -} -.fa-lemon-o:before { - content: "\f094"; -} -.fa-phone:before { - content: "\f095"; -} -.fa-square-o:before { - content: "\f096"; -} -.fa-bookmark-o:before { - content: "\f097"; -} -.fa-phone-square:before { - content: "\f098"; -} -.fa-twitter:before { - content: "\f099"; -} -.fa-facebook-f:before, -.fa-facebook:before { - content: "\f09a"; -} -.fa-github:before { - content: "\f09b"; -} -.fa-unlock:before { - content: "\f09c"; -} -.fa-credit-card:before { - content: "\f09d"; -} -.fa-feed:before, -.fa-rss:before { - content: "\f09e"; -} -.fa-hdd-o:before { - content: "\f0a0"; -} -.fa-bullhorn:before { - content: "\f0a1"; -} -.fa-bell:before { - content: "\f0f3"; -} -.fa-certificate:before { - content: "\f0a3"; -} -.fa-hand-o-right:before { - content: "\f0a4"; -} -.fa-hand-o-left:before { - content: "\f0a5"; -} -.fa-hand-o-up:before { - content: "\f0a6"; -} -.fa-hand-o-down:before { - content: "\f0a7"; -} -.fa-arrow-circle-left:before { - content: "\f0a8"; -} -.fa-arrow-circle-right:before { - content: "\f0a9"; -} -.fa-arrow-circle-up:before { - content: "\f0aa"; -} -.fa-arrow-circle-down:before { - content: "\f0ab"; -} -.fa-globe:before { - content: "\f0ac"; -} -.fa-wrench:before { - content: "\f0ad"; -} -.fa-tasks:before { - content: "\f0ae"; -} -.fa-filter:before { - content: "\f0b0"; -} -.fa-briefcase:before { - content: "\f0b1"; -} -.fa-arrows-alt:before { - content: "\f0b2"; -} -.fa-group:before, -.fa-users:before { - content: "\f0c0"; -} -.fa-chain:before, -.fa-link:before { - content: "\f0c1"; -} -.fa-cloud:before { - content: "\f0c2"; -} -.fa-flask:before { - content: "\f0c3"; -} -.fa-cut:before, -.fa-scissors:before { - content: "\f0c4"; -} -.fa-copy:before, -.fa-files-o:before { - content: "\f0c5"; -} -.fa-paperclip:before { - content: "\f0c6"; -} -.fa-save:before, -.fa-floppy-o:before { - content: "\f0c7"; -} -.fa-square:before { - content: "\f0c8"; -} -.fa-navicon:before, -.fa-reorder:before, -.fa-bars:before { - content: "\f0c9"; -} -.fa-list-ul:before { - content: "\f0ca"; -} -.fa-list-ol:before { - content: "\f0cb"; -} -.fa-strikethrough:before { - content: "\f0cc"; -} -.fa-underline:before { - content: "\f0cd"; -} -.fa-table:before { - content: "\f0ce"; -} -.fa-magic:before { - content: "\f0d0"; -} -.fa-truck:before { - content: "\f0d1"; -} -.fa-pinterest:before { - content: "\f0d2"; -} -.fa-pinterest-square:before { - content: "\f0d3"; -} -.fa-google-plus-square:before { - content: "\f0d4"; -} -.fa-google-plus:before { - content: "\f0d5"; -} -.fa-money:before { - content: "\f0d6"; -} -.fa-caret-down:before { - content: "\f0d7"; -} -.fa-caret-up:before { - content: "\f0d8"; -} -.fa-caret-left:before { - content: "\f0d9"; -} -.fa-caret-right:before { - content: "\f0da"; -} -.fa-columns:before { - content: "\f0db"; -} -.fa-unsorted:before, -.fa-sort:before { - content: "\f0dc"; -} -.fa-sort-down:before, -.fa-sort-desc:before { - content: "\f0dd"; -} -.fa-sort-up:before, -.fa-sort-asc:before { - content: "\f0de"; -} -.fa-envelope:before { - content: "\f0e0"; -} -.fa-linkedin:before { - content: "\f0e1"; -} -.fa-rotate-left:before, -.fa-undo:before { - content: "\f0e2"; -} -.fa-legal:before, -.fa-gavel:before { - content: "\f0e3"; -} -.fa-dashboard:before, -.fa-tachometer:before { - content: "\f0e4"; -} -.fa-comment-o:before { - content: "\f0e5"; -} -.fa-comments-o:before { - content: "\f0e6"; -} -.fa-flash:before, -.fa-bolt:before { - content: "\f0e7"; -} -.fa-sitemap:before { - content: "\f0e8"; -} -.fa-umbrella:before { - content: "\f0e9"; -} -.fa-paste:before, -.fa-clipboard:before { - content: "\f0ea"; -} -.fa-lightbulb-o:before { - content: "\f0eb"; -} -.fa-exchange:before { - content: "\f0ec"; -} -.fa-cloud-download:before { - content: "\f0ed"; -} -.fa-cloud-upload:before { - content: "\f0ee"; -} -.fa-user-md:before { - content: "\f0f0"; -} -.fa-stethoscope:before { - content: "\f0f1"; -} -.fa-suitcase:before { - content: "\f0f2"; -} -.fa-bell-o:before { - content: "\f0a2"; -} -.fa-coffee:before { - content: "\f0f4"; -} -.fa-cutlery:before { - content: "\f0f5"; -} -.fa-file-text-o:before { - content: "\f0f6"; -} -.fa-building-o:before { - content: "\f0f7"; -} -.fa-hospital-o:before { - content: "\f0f8"; -} -.fa-ambulance:before { - content: "\f0f9"; -} -.fa-medkit:before { - content: "\f0fa"; -} -.fa-fighter-jet:before { - content: "\f0fb"; -} -.fa-beer:before { - content: "\f0fc"; -} -.fa-h-square:before { - content: "\f0fd"; -} -.fa-plus-square:before { - content: "\f0fe"; -} -.fa-angle-double-left:before { - content: "\f100"; -} -.fa-angle-double-right:before { - content: "\f101"; -} -.fa-angle-double-up:before { - content: "\f102"; -} -.fa-angle-double-down:before { - content: "\f103"; -} -.fa-angle-left:before { - content: "\f104"; -} -.fa-angle-right:before { - content: "\f105"; -} -.fa-angle-up:before { - content: "\f106"; -} -.fa-angle-down:before { - content: "\f107"; -} -.fa-desktop:before { - content: "\f108"; -} -.fa-laptop:before { - content: "\f109"; -} -.fa-tablet:before { - content: "\f10a"; -} -.fa-mobile-phone:before, -.fa-mobile:before { - content: "\f10b"; -} -.fa-circle-o:before { - content: "\f10c"; -} -.fa-quote-left:before { - content: "\f10d"; -} -.fa-quote-right:before { - content: "\f10e"; -} -.fa-spinner:before { - content: "\f110"; -} -.fa-circle:before { - content: "\f111"; -} -.fa-mail-reply:before, -.fa-reply:before { - content: "\f112"; -} -.fa-github-alt:before { - content: "\f113"; -} -.fa-folder-o:before { - content: "\f114"; -} -.fa-folder-open-o:before { - content: "\f115"; -} -.fa-smile-o:before { - content: "\f118"; -} -.fa-frown-o:before { - content: "\f119"; -} -.fa-meh-o:before { - content: "\f11a"; -} -.fa-gamepad:before { - content: "\f11b"; -} -.fa-keyboard-o:before { - content: "\f11c"; -} -.fa-flag-o:before { - content: "\f11d"; -} -.fa-flag-checkered:before { - content: "\f11e"; -} -.fa-terminal:before { - content: "\f120"; -} -.fa-code:before { - content: "\f121"; -} -.fa-mail-reply-all:before, -.fa-reply-all:before { - content: "\f122"; -} -.fa-star-half-empty:before, -.fa-star-half-full:before, -.fa-star-half-o:before { - content: "\f123"; -} -.fa-location-arrow:before { - content: "\f124"; -} -.fa-crop:before { - content: "\f125"; -} -.fa-code-fork:before { - content: "\f126"; -} -.fa-unlink:before, -.fa-chain-broken:before { - content: "\f127"; -} -.fa-question:before { - content: "\f128"; -} -.fa-info:before { - content: "\f129"; -} -.fa-exclamation:before { - content: "\f12a"; -} -.fa-superscript:before { - content: "\f12b"; -} -.fa-subscript:before { - content: "\f12c"; -} -.fa-eraser:before { - content: "\f12d"; -} -.fa-puzzle-piece:before { - content: "\f12e"; -} -.fa-microphone:before { - content: "\f130"; -} -.fa-microphone-slash:before { - content: "\f131"; -} -.fa-shield:before { - content: "\f132"; -} -.fa-calendar-o:before { - content: "\f133"; -} -.fa-fire-extinguisher:before { - content: "\f134"; -} -.fa-rocket:before { - content: "\f135"; -} -.fa-maxcdn:before { - content: "\f136"; -} -.fa-chevron-circle-left:before { - content: "\f137"; -} -.fa-chevron-circle-right:before { - content: "\f138"; -} -.fa-chevron-circle-up:before { - content: "\f139"; -} -.fa-chevron-circle-down:before { - content: "\f13a"; -} -.fa-html5:before { - content: "\f13b"; -} -.fa-css3:before { - content: "\f13c"; -} -.fa-anchor:before { - content: "\f13d"; -} -.fa-unlock-alt:before { - content: "\f13e"; -} -.fa-bullseye:before { - content: "\f140"; -} -.fa-ellipsis-h:before { - content: "\f141"; -} -.fa-ellipsis-v:before { - content: "\f142"; -} -.fa-rss-square:before { - content: "\f143"; -} -.fa-play-circle:before { - content: "\f144"; -} -.fa-ticket:before { - content: "\f145"; -} -.fa-minus-square:before { - content: "\f146"; -} -.fa-minus-square-o:before { - content: "\f147"; -} -.fa-level-up:before { - content: "\f148"; -} -.fa-level-down:before { - content: "\f149"; -} -.fa-check-square:before { - content: "\f14a"; -} -.fa-pencil-square:before { - content: "\f14b"; -} -.fa-external-link-square:before { - content: "\f14c"; -} -.fa-share-square:before { - content: "\f14d"; -} -.fa-compass:before { - content: "\f14e"; -} -.fa-toggle-down:before, -.fa-caret-square-o-down:before { - content: "\f150"; -} -.fa-toggle-up:before, -.fa-caret-square-o-up:before { - content: "\f151"; -} -.fa-toggle-right:before, -.fa-caret-square-o-right:before { - content: "\f152"; -} -.fa-euro:before, -.fa-eur:before { - content: "\f153"; -} -.fa-gbp:before { - content: "\f154"; -} -.fa-dollar:before, -.fa-usd:before { - content: "\f155"; -} -.fa-rupee:before, -.fa-inr:before { - content: "\f156"; -} -.fa-cny:before, -.fa-rmb:before, -.fa-yen:before, -.fa-jpy:before { - content: "\f157"; -} -.fa-ruble:before, -.fa-rouble:before, -.fa-rub:before { - content: "\f158"; -} -.fa-won:before, -.fa-krw:before { - content: "\f159"; -} -.fa-bitcoin:before, -.fa-btc:before { - content: "\f15a"; -} -.fa-file:before { - content: "\f15b"; -} -.fa-file-text:before { - content: "\f15c"; -} -.fa-sort-alpha-asc:before { - content: "\f15d"; -} -.fa-sort-alpha-desc:before { - content: "\f15e"; -} -.fa-sort-amount-asc:before { - content: "\f160"; -} -.fa-sort-amount-desc:before { - content: "\f161"; -} -.fa-sort-numeric-asc:before { - content: "\f162"; -} -.fa-sort-numeric-desc:before { - content: "\f163"; -} -.fa-thumbs-up:before { - content: "\f164"; -} -.fa-thumbs-down:before { - content: "\f165"; -} -.fa-youtube-square:before { - content: "\f166"; -} -.fa-youtube:before { - content: "\f167"; -} -.fa-xing:before { - content: "\f168"; -} -.fa-xing-square:before { - content: "\f169"; -} -.fa-youtube-play:before { - content: "\f16a"; -} -.fa-dropbox:before { - content: "\f16b"; -} -.fa-stack-overflow:before { - content: "\f16c"; -} -.fa-instagram:before { - content: "\f16d"; -} -.fa-flickr:before { - content: "\f16e"; -} -.fa-adn:before { - content: "\f170"; -} -.fa-bitbucket:before { - content: "\f171"; -} -.fa-bitbucket-square:before { - content: "\f172"; -} -.fa-tumblr:before { - content: "\f173"; -} -.fa-tumblr-square:before { - content: "\f174"; -} -.fa-long-arrow-down:before { - content: "\f175"; -} -.fa-long-arrow-up:before { - content: "\f176"; -} -.fa-long-arrow-left:before { - content: "\f177"; -} -.fa-long-arrow-right:before { - content: "\f178"; -} -.fa-apple:before { - content: "\f179"; -} -.fa-windows:before { - content: "\f17a"; -} -.fa-android:before { - content: "\f17b"; -} -.fa-linux:before { - content: "\f17c"; -} -.fa-dribbble:before { - content: "\f17d"; -} -.fa-skype:before { - content: "\f17e"; -} -.fa-foursquare:before { - content: "\f180"; -} -.fa-trello:before { - content: "\f181"; -} -.fa-female:before { - content: "\f182"; -} -.fa-male:before { - content: "\f183"; -} -.fa-gittip:before, -.fa-gratipay:before { - content: "\f184"; -} -.fa-sun-o:before { - content: "\f185"; -} -.fa-moon-o:before { - content: "\f186"; -} -.fa-archive:before { - content: "\f187"; -} -.fa-bug:before { - content: "\f188"; -} -.fa-vk:before { - content: "\f189"; -} -.fa-weibo:before { - content: "\f18a"; -} -.fa-renren:before { - content: "\f18b"; -} -.fa-pagelines:before { - content: "\f18c"; -} -.fa-stack-exchange:before { - content: "\f18d"; -} -.fa-arrow-circle-o-right:before { - content: "\f18e"; -} -.fa-arrow-circle-o-left:before { - content: "\f190"; -} -.fa-toggle-left:before, -.fa-caret-square-o-left:before { - content: "\f191"; -} -.fa-dot-circle-o:before { - content: "\f192"; -} -.fa-wheelchair:before { - content: "\f193"; -} -.fa-vimeo-square:before { - content: "\f194"; -} -.fa-turkish-lira:before, -.fa-try:before { - content: "\f195"; -} -.fa-plus-square-o:before { - content: "\f196"; -} -.fa-space-shuttle:before { - content: "\f197"; -} -.fa-slack:before { - content: "\f198"; -} -.fa-envelope-square:before { - content: "\f199"; -} -.fa-wordpress:before { - content: "\f19a"; -} -.fa-openid:before { - content: "\f19b"; -} -.fa-institution:before, -.fa-bank:before, -.fa-university:before { - content: "\f19c"; -} -.fa-mortar-board:before, -.fa-graduation-cap:before { - content: "\f19d"; -} -.fa-yahoo:before { - content: "\f19e"; -} -.fa-google:before { - content: "\f1a0"; -} -.fa-reddit:before { - content: "\f1a1"; -} -.fa-reddit-square:before { - content: "\f1a2"; -} -.fa-stumbleupon-circle:before { - content: "\f1a3"; -} -.fa-stumbleupon:before { - content: "\f1a4"; -} -.fa-delicious:before { - content: "\f1a5"; -} -.fa-digg:before { - content: "\f1a6"; -} -.fa-pied-piper:before { - content: "\f1a7"; -} -.fa-pied-piper-alt:before { - content: "\f1a8"; -} -.fa-drupal:before { - content: "\f1a9"; -} -.fa-joomla:before { - content: "\f1aa"; -} -.fa-language:before { - content: "\f1ab"; -} -.fa-fax:before { - content: "\f1ac"; -} -.fa-building:before { - content: "\f1ad"; -} -.fa-child:before { - content: "\f1ae"; -} -.fa-paw:before { - content: "\f1b0"; -} -.fa-spoon:before { - content: "\f1b1"; -} -.fa-cube:before { - content: "\f1b2"; -} -.fa-cubes:before { - content: "\f1b3"; -} -.fa-behance:before { - content: "\f1b4"; -} -.fa-behance-square:before { - content: "\f1b5"; -} -.fa-steam:before { - content: "\f1b6"; -} -.fa-steam-square:before { - content: "\f1b7"; -} -.fa-recycle:before { - content: "\f1b8"; -} -.fa-automobile:before, -.fa-car:before { - content: "\f1b9"; -} -.fa-cab:before, -.fa-taxi:before { - content: "\f1ba"; -} -.fa-tree:before { - content: "\f1bb"; -} -.fa-spotify:before { - content: "\f1bc"; -} -.fa-deviantart:before { - content: "\f1bd"; -} -.fa-soundcloud:before { - content: "\f1be"; -} -.fa-database:before { - content: "\f1c0"; -} -.fa-file-pdf-o:before { - content: "\f1c1"; -} -.fa-file-word-o:before { - content: "\f1c2"; -} -.fa-file-excel-o:before { - content: "\f1c3"; -} -.fa-file-powerpoint-o:before { - content: "\f1c4"; -} -.fa-file-photo-o:before, -.fa-file-picture-o:before, -.fa-file-image-o:before { - content: "\f1c5"; -} -.fa-file-zip-o:before, -.fa-file-archive-o:before { - content: "\f1c6"; -} -.fa-file-sound-o:before, -.fa-file-audio-o:before { - content: "\f1c7"; -} -.fa-file-movie-o:before, -.fa-file-video-o:before { - content: "\f1c8"; -} -.fa-file-code-o:before { - content: "\f1c9"; -} -.fa-vine:before { - content: "\f1ca"; -} -.fa-codepen:before { - content: "\f1cb"; -} -.fa-jsfiddle:before { - content: "\f1cc"; -} -.fa-life-bouy:before, -.fa-life-buoy:before, -.fa-life-saver:before, -.fa-support:before, -.fa-life-ring:before { - content: "\f1cd"; -} -.fa-circle-o-notch:before { - content: "\f1ce"; -} -.fa-ra:before, -.fa-rebel:before { - content: "\f1d0"; -} -.fa-ge:before, -.fa-empire:before { - content: "\f1d1"; -} -.fa-git-square:before { - content: "\f1d2"; -} -.fa-git:before { - content: "\f1d3"; -} -.fa-y-combinator-square:before, -.fa-yc-square:before, -.fa-hacker-news:before { - content: "\f1d4"; -} -.fa-tencent-weibo:before { - content: "\f1d5"; -} -.fa-qq:before { - content: "\f1d6"; -} -.fa-wechat:before, -.fa-weixin:before { - content: "\f1d7"; -} -.fa-send:before, -.fa-paper-plane:before { - content: "\f1d8"; -} -.fa-send-o:before, -.fa-paper-plane-o:before { - content: "\f1d9"; -} -.fa-history:before { - content: "\f1da"; -} -.fa-circle-thin:before { - content: "\f1db"; -} -.fa-header:before { - content: "\f1dc"; -} -.fa-paragraph:before { - content: "\f1dd"; -} -.fa-sliders:before { - content: "\f1de"; -} -.fa-share-alt:before { - content: "\f1e0"; -} -.fa-share-alt-square:before { - content: "\f1e1"; -} -.fa-bomb:before { - content: "\f1e2"; -} -.fa-soccer-ball-o:before, -.fa-futbol-o:before { - content: "\f1e3"; -} -.fa-tty:before { - content: "\f1e4"; -} -.fa-binoculars:before { - content: "\f1e5"; -} -.fa-plug:before { - content: "\f1e6"; -} -.fa-slideshare:before { - content: "\f1e7"; -} -.fa-twitch:before { - content: "\f1e8"; -} -.fa-yelp:before { - content: "\f1e9"; -} -.fa-newspaper-o:before { - content: "\f1ea"; -} -.fa-wifi:before { - content: "\f1eb"; -} -.fa-calculator:before { - content: "\f1ec"; -} -.fa-paypal:before { - content: "\f1ed"; -} -.fa-google-wallet:before { - content: "\f1ee"; -} -.fa-cc-visa:before { - content: "\f1f0"; -} -.fa-cc-mastercard:before { - content: "\f1f1"; -} -.fa-cc-discover:before { - content: "\f1f2"; -} -.fa-cc-amex:before { - content: "\f1f3"; -} -.fa-cc-paypal:before { - content: "\f1f4"; -} -.fa-cc-stripe:before { - content: "\f1f5"; -} -.fa-bell-slash:before { - content: "\f1f6"; -} -.fa-bell-slash-o:before { - content: "\f1f7"; -} -.fa-trash:before { - content: "\f1f8"; -} -.fa-copyright:before { - content: "\f1f9"; -} -.fa-at:before { - content: "\f1fa"; -} -.fa-eyedropper:before { - content: "\f1fb"; -} -.fa-paint-brush:before { - content: "\f1fc"; -} -.fa-birthday-cake:before { - content: "\f1fd"; -} -.fa-area-chart:before { - content: "\f1fe"; -} -.fa-pie-chart:before { - content: "\f200"; -} -.fa-line-chart:before { - content: "\f201"; -} -.fa-lastfm:before { - content: "\f202"; -} -.fa-lastfm-square:before { - content: "\f203"; -} -.fa-toggle-off:before { - content: "\f204"; -} -.fa-toggle-on:before { - content: "\f205"; -} -.fa-bicycle:before { - content: "\f206"; -} -.fa-bus:before { - content: "\f207"; -} -.fa-ioxhost:before { - content: "\f208"; -} -.fa-angellist:before { - content: "\f209"; -} -.fa-cc:before { - content: "\f20a"; -} -.fa-shekel:before, -.fa-sheqel:before, -.fa-ils:before { - content: "\f20b"; -} -.fa-meanpath:before { - content: "\f20c"; -} -.fa-buysellads:before { - content: "\f20d"; -} -.fa-connectdevelop:before { - content: "\f20e"; -} -.fa-dashcube:before { - content: "\f210"; -} -.fa-forumbee:before { - content: "\f211"; -} -.fa-leanpub:before { - content: "\f212"; -} -.fa-sellsy:before { - content: "\f213"; -} -.fa-shirtsinbulk:before { - content: "\f214"; -} -.fa-simplybuilt:before { - content: "\f215"; -} -.fa-skyatlas:before { - content: "\f216"; -} -.fa-cart-plus:before { - content: "\f217"; -} -.fa-cart-arrow-down:before { - content: "\f218"; -} -.fa-diamond:before { - content: "\f219"; -} -.fa-ship:before { - content: "\f21a"; -} -.fa-user-secret:before { - content: "\f21b"; -} -.fa-motorcycle:before { - content: "\f21c"; -} -.fa-street-view:before { - content: "\f21d"; -} -.fa-heartbeat:before { - content: "\f21e"; -} -.fa-venus:before { - content: "\f221"; -} -.fa-mars:before { - content: "\f222"; -} -.fa-mercury:before { - content: "\f223"; -} -.fa-intersex:before, -.fa-transgender:before { - content: "\f224"; -} -.fa-transgender-alt:before { - content: "\f225"; -} -.fa-venus-double:before { - content: "\f226"; -} -.fa-mars-double:before { - content: "\f227"; -} -.fa-venus-mars:before { - content: "\f228"; -} -.fa-mars-stroke:before { - content: "\f229"; -} -.fa-mars-stroke-v:before { - content: "\f22a"; -} -.fa-mars-stroke-h:before { - content: "\f22b"; -} -.fa-neuter:before { - content: "\f22c"; -} -.fa-genderless:before { - content: "\f22d"; -} -.fa-facebook-official:before { - content: "\f230"; -} -.fa-pinterest-p:before { - content: "\f231"; -} -.fa-whatsapp:before { - content: "\f232"; -} -.fa-server:before { - content: "\f233"; -} -.fa-user-plus:before { - content: "\f234"; -} -.fa-user-times:before { - content: "\f235"; -} -.fa-hotel:before, -.fa-bed:before { - content: "\f236"; -} -.fa-viacoin:before { - content: "\f237"; -} -.fa-train:before { - content: "\f238"; -} -.fa-subway:before { - content: "\f239"; -} -.fa-medium:before { - content: "\f23a"; -} -.fa-yc:before, -.fa-y-combinator:before { - content: "\f23b"; -} -.fa-optin-monster:before { - content: "\f23c"; -} -.fa-opencart:before { - content: "\f23d"; -} -.fa-expeditedssl:before { - content: "\f23e"; -} -.fa-battery-4:before, -.fa-battery-full:before { - content: "\f240"; -} -.fa-battery-3:before, -.fa-battery-three-quarters:before { - content: "\f241"; -} -.fa-battery-2:before, -.fa-battery-half:before { - content: "\f242"; -} -.fa-battery-1:before, -.fa-battery-quarter:before { - content: "\f243"; -} -.fa-battery-0:before, -.fa-battery-empty:before { - content: "\f244"; -} -.fa-mouse-pointer:before { - content: "\f245"; -} -.fa-i-cursor:before { - content: "\f246"; -} -.fa-object-group:before { - content: "\f247"; -} -.fa-object-ungroup:before { - content: "\f248"; -} -.fa-sticky-note:before { - content: "\f249"; -} -.fa-sticky-note-o:before { - content: "\f24a"; -} -.fa-cc-jcb:before { - content: "\f24b"; -} -.fa-cc-diners-club:before { - content: "\f24c"; -} -.fa-clone:before { - content: "\f24d"; -} -.fa-balance-scale:before { - content: "\f24e"; -} -.fa-hourglass-o:before { - content: "\f250"; -} -.fa-hourglass-1:before, -.fa-hourglass-start:before { - content: "\f251"; -} -.fa-hourglass-2:before, -.fa-hourglass-half:before { - content: "\f252"; -} -.fa-hourglass-3:before, -.fa-hourglass-end:before { - content: "\f253"; -} -.fa-hourglass:before { - content: "\f254"; -} -.fa-hand-grab-o:before, -.fa-hand-rock-o:before { - content: "\f255"; -} -.fa-hand-stop-o:before, -.fa-hand-paper-o:before { - content: "\f256"; -} -.fa-hand-scissors-o:before { - content: "\f257"; -} -.fa-hand-lizard-o:before { - content: "\f258"; -} -.fa-hand-spock-o:before { - content: "\f259"; -} -.fa-hand-pointer-o:before { - content: "\f25a"; -} -.fa-hand-peace-o:before { - content: "\f25b"; -} -.fa-trademark:before { - content: "\f25c"; -} -.fa-registered:before { - content: "\f25d"; -} -.fa-creative-commons:before { - content: "\f25e"; -} -.fa-gg:before { - content: "\f260"; -} -.fa-gg-circle:before { - content: "\f261"; -} -.fa-tripadvisor:before { - content: "\f262"; -} -.fa-odnoklassniki:before { - content: "\f263"; -} -.fa-odnoklassniki-square:before { - content: "\f264"; -} -.fa-get-pocket:before { - content: "\f265"; -} -.fa-wikipedia-w:before { - content: "\f266"; -} -.fa-safari:before { - content: "\f267"; -} -.fa-chrome:before { - content: "\f268"; -} -.fa-firefox:before { - content: "\f269"; -} -.fa-opera:before { - content: "\f26a"; -} -.fa-internet-explorer:before { - content: "\f26b"; -} -.fa-tv:before, -.fa-television:before { - content: "\f26c"; -} -.fa-contao:before { - content: "\f26d"; -} -.fa-500px:before { - content: "\f26e"; -} -.fa-amazon:before { - content: "\f270"; -} -.fa-calendar-plus-o:before { - content: "\f271"; -} -.fa-calendar-minus-o:before { - content: "\f272"; -} -.fa-calendar-times-o:before { - content: "\f273"; -} -.fa-calendar-check-o:before { - content: "\f274"; -} -.fa-industry:before { - content: "\f275"; -} -.fa-map-pin:before { - content: "\f276"; -} -.fa-map-signs:before { - content: "\f277"; -} -.fa-map-o:before { - content: "\f278"; -} -.fa-map:before { - content: "\f279"; -} -.fa-commenting:before { - content: "\f27a"; -} -.fa-commenting-o:before { - content: "\f27b"; -} -.fa-houzz:before { - content: "\f27c"; -} -.fa-vimeo:before { - content: "\f27d"; -} -.fa-black-tie:before { - content: "\f27e"; -} -.fa-fonticons:before { - content: "\f280"; -} -.fa-reddit-alien:before { - content: "\f281"; -} -.fa-edge:before { - content: "\f282"; -} -.fa-credit-card-alt:before { - content: "\f283"; -} -.fa-codiepie:before { - content: "\f284"; -} -.fa-modx:before { - content: "\f285"; -} -.fa-fort-awesome:before { - content: "\f286"; -} -.fa-usb:before { - content: "\f287"; -} -.fa-product-hunt:before { - content: "\f288"; -} -.fa-mixcloud:before { - content: "\f289"; -} -.fa-scribd:before { - content: "\f28a"; -} -.fa-pause-circle:before { - content: "\f28b"; -} -.fa-pause-circle-o:before { - content: "\f28c"; -} -.fa-stop-circle:before { - content: "\f28d"; -} -.fa-stop-circle-o:before { - content: "\f28e"; -} -.fa-shopping-bag:before { - content: "\f290"; -} -.fa-shopping-basket:before { - content: "\f291"; -} -.fa-hashtag:before { - content: "\f292"; -} -.fa-bluetooth:before { - content: "\f293"; -} -.fa-bluetooth-b:before { - content: "\f294"; -} -.fa-percent:before { - content: "\f295"; -} -.fa-gitlab:before { - content: "\f296"; -} -.fa-wpbeginner:before { - content: "\f297"; -} -.fa-wpforms:before { - content: "\f298"; -} -.fa-envira:before { - content: "\f299"; -} -.fa-universal-access:before { - content: "\f29a"; -} -.fa-wheelchair-alt:before { - content: "\f29b"; -} -.fa-question-circle-o:before { - content: "\f29c"; -} -.fa-blind:before { - content: "\f29d"; -} -.fa-audio-description:before { - content: "\f29e"; -} -.fa-volume-control-phone:before { - content: "\f2a0"; -} -.fa-braille:before { - content: "\f2a1"; -} -.fa-assistive-listening-systems:before { - content: "\f2a2"; -} -.fa-asl-interpreting:before, -.fa-american-sign-language-interpreting:before { - content: "\f2a3"; -} -.fa-deafness:before, -.fa-hard-of-hearing:before, -.fa-deaf:before { - content: "\f2a4"; -} -.fa-glide:before { - content: "\f2a5"; -} -.fa-glide-g:before { - content: "\f2a6"; -} -.fa-signing:before, -.fa-sign-language:before { - content: "\f2a7"; -} -.fa-low-vision:before { - content: "\f2a8"; -} -.fa-viadeo:before { - content: "\f2a9"; -} -.fa-viadeo-square:before { - content: "\f2aa"; -} -.fa-snapchat:before { - content: "\f2ab"; -} -.fa-snapchat-ghost:before { - content: "\f2ac"; -} -.fa-snapchat-square:before { - content: "\f2ad"; -} -.sr-only { - position: absolute; - width: 1px; - height: 1px; - padding: 0; - margin: -1px; - overflow: hidden; - clip: rect(0, 0, 0, 0); - border: 0; -} -.sr-only-focusable:active, -.sr-only-focusable:focus { - position: static; - width: auto; - height: auto; - margin: 0; - overflow: visible; - clip: auto; -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/css/font-awesome.min.css b/iam-login-service/src/main/webapp/resources/font-awesome/css/font-awesome.min.css deleted file mode 100644 index 885b38403..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/css/font-awesome.min.css +++ /dev/null @@ -1,4 +0,0 @@ -/*! - * Font Awesome 4.6.1 by @davegandy - http://fontawesome.io - @fontawesome - * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License) - */@font-face{font-family:'FontAwesome';src:url('../fonts/fontawesome-webfont.eot?v=4.6.1');src:url('../fonts/fontawesome-webfont.eot?#iefix&v=4.6.1') format('embedded-opentype'),url('../fonts/fontawesome-webfont.woff2?v=4.6.1') format('woff2'),url('../fonts/fontawesome-webfont.woff?v=4.6.1') format('woff'),url('../fonts/fontawesome-webfont.ttf?v=4.6.1') format('truetype'),url('../fonts/fontawesome-webfont.svg?v=4.6.1#fontawesomeregular') format('svg');font-weight:normal;font-style:normal}.fa{display:inline-block;font:normal normal normal 14px/1 FontAwesome;font-size:inherit;text-rendering:auto;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.fa-lg{font-size:1.33333333em;line-height:.75em;vertical-align:-15%}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-fw{width:1.28571429em;text-align:center}.fa-ul{padding-left:0;margin-left:2.14285714em;list-style-type:none}.fa-ul>li{position:relative}.fa-li{position:absolute;left:-2.14285714em;width:2.14285714em;top:.14285714em;text-align:center}.fa-li.fa-lg{left:-1.85714286em}.fa-border{padding:.2em .25em .15em;border:solid .08em #eee;border-radius:.1em}.fa-pull-left{float:left}.fa-pull-right{float:right}.fa.fa-pull-left{margin-right:.3em}.fa.fa-pull-right{margin-left:.3em}.pull-right{float:right}.pull-left{float:left}.fa.pull-left{margin-right:.3em}.fa.pull-right{margin-left:.3em}.fa-spin{-webkit-animation:fa-spin 2s infinite linear;animation:fa-spin 2s infinite linear}.fa-pulse{-webkit-animation:fa-spin 1s infinite steps(8);animation:fa-spin 1s infinite steps(8)}@-webkit-keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}.fa-rotate-90{-ms-filter:"progid:DXImageTransform.Microsoft.BasicImage(rotation=1)";-webkit-transform:rotate(90deg);-ms-transform:rotate(90deg);transform:rotate(90deg)}.fa-rotate-180{-ms-filter:"progid:DXImageTransform.Microsoft.BasicImage(rotation=2)";-webkit-transform:rotate(180deg);-ms-transform:rotate(180deg);transform:rotate(180deg)}.fa-rotate-270{-ms-filter:"progid:DXImageTransform.Microsoft.BasicImage(rotation=3)";-webkit-transform:rotate(270deg);-ms-transform:rotate(270deg);transform:rotate(270deg)}.fa-flip-horizontal{-ms-filter:"progid:DXImageTransform.Microsoft.BasicImage(rotation=0, mirror=1)";-webkit-transform:scale(-1, 1);-ms-transform:scale(-1, 1);transform:scale(-1, 1)}.fa-flip-vertical{-ms-filter:"progid:DXImageTransform.Microsoft.BasicImage(rotation=2, mirror=1)";-webkit-transform:scale(1, -1);-ms-transform:scale(1, -1);transform:scale(1, -1)}:root .fa-rotate-90,:root .fa-rotate-180,:root .fa-rotate-270,:root .fa-flip-horizontal,:root .fa-flip-vertical{filter:none}.fa-stack{position:relative;display:inline-block;width:2em;height:2em;line-height:2em;vertical-align:middle}.fa-stack-1x,.fa-stack-2x{position:absolute;left:0;width:100%;text-align:center}.fa-stack-1x{line-height:inherit}.fa-stack-2x{font-size:2em}.fa-inverse{color:#fff}.fa-glass:before{content:"\f000"}.fa-music:before{content:"\f001"}.fa-search:before{content:"\f002"}.fa-envelope-o:before{content:"\f003"}.fa-heart:before{content:"\f004"}.fa-star:before{content:"\f005"}.fa-star-o:before{content:"\f006"}.fa-user:before{content:"\f007"}.fa-film:before{content:"\f008"}.fa-th-large:before{content:"\f009"}.fa-th:before{content:"\f00a"}.fa-th-list:before{content:"\f00b"}.fa-check:before{content:"\f00c"}.fa-remove:before,.fa-close:before,.fa-times:before{content:"\f00d"}.fa-search-plus:before{content:"\f00e"}.fa-search-minus:before{content:"\f010"}.fa-power-off:before{content:"\f011"}.fa-signal:before{content:"\f012"}.fa-gear:before,.fa-cog:before{content:"\f013"}.fa-trash-o:before{content:"\f014"}.fa-home:before{content:"\f015"}.fa-file-o:before{content:"\f016"}.fa-clock-o:before{content:"\f017"}.fa-road:before{content:"\f018"}.fa-download:before{content:"\f019"}.fa-arrow-circle-o-down:before{content:"\f01a"}.fa-arrow-circle-o-up:before{content:"\f01b"}.fa-inbox:before{content:"\f01c"}.fa-play-circle-o:before{content:"\f01d"}.fa-rotate-right:before,.fa-repeat:before{content:"\f01e"}.fa-refresh:before{content:"\f021"}.fa-list-alt:before{content:"\f022"}.fa-lock:before{content:"\f023"}.fa-flag:before{content:"\f024"}.fa-headphones:before{content:"\f025"}.fa-volume-off:before{content:"\f026"}.fa-volume-down:before{content:"\f027"}.fa-volume-up:before{content:"\f028"}.fa-qrcode:before{content:"\f029"}.fa-barcode:before{content:"\f02a"}.fa-tag:before{content:"\f02b"}.fa-tags:before{content:"\f02c"}.fa-book:before{content:"\f02d"}.fa-bookmark:before{content:"\f02e"}.fa-print:before{content:"\f02f"}.fa-camera:before{content:"\f030"}.fa-font:before{content:"\f031"}.fa-bold:before{content:"\f032"}.fa-italic:before{content:"\f033"}.fa-text-height:before{content:"\f034"}.fa-text-width:before{content:"\f035"}.fa-align-left:before{content:"\f036"}.fa-align-center:before{content:"\f037"}.fa-align-right:before{content:"\f038"}.fa-align-justify:before{content:"\f039"}.fa-list:before{content:"\f03a"}.fa-dedent:before,.fa-outdent:before{content:"\f03b"}.fa-indent:before{content:"\f03c"}.fa-video-camera:before{content:"\f03d"}.fa-photo:before,.fa-image:before,.fa-picture-o:before{content:"\f03e"}.fa-pencil:before{content:"\f040"}.fa-map-marker:before{content:"\f041"}.fa-adjust:before{content:"\f042"}.fa-tint:before{content:"\f043"}.fa-edit:before,.fa-pencil-square-o:before{content:"\f044"}.fa-share-square-o:before{content:"\f045"}.fa-check-square-o:before{content:"\f046"}.fa-arrows:before{content:"\f047"}.fa-step-backward:before{content:"\f048"}.fa-fast-backward:before{content:"\f049"}.fa-backward:before{content:"\f04a"}.fa-play:before{content:"\f04b"}.fa-pause:before{content:"\f04c"}.fa-stop:before{content:"\f04d"}.fa-forward:before{content:"\f04e"}.fa-fast-forward:before{content:"\f050"}.fa-step-forward:before{content:"\f051"}.fa-eject:before{content:"\f052"}.fa-chevron-left:before{content:"\f053"}.fa-chevron-right:before{content:"\f054"}.fa-plus-circle:before{content:"\f055"}.fa-minus-circle:before{content:"\f056"}.fa-times-circle:before{content:"\f057"}.fa-check-circle:before{content:"\f058"}.fa-question-circle:before{content:"\f059"}.fa-info-circle:before{content:"\f05a"}.fa-crosshairs:before{content:"\f05b"}.fa-times-circle-o:before{content:"\f05c"}.fa-check-circle-o:before{content:"\f05d"}.fa-ban:before{content:"\f05e"}.fa-arrow-left:before{content:"\f060"}.fa-arrow-right:before{content:"\f061"}.fa-arrow-up:before{content:"\f062"}.fa-arrow-down:before{content:"\f063"}.fa-mail-forward:before,.fa-share:before{content:"\f064"}.fa-expand:before{content:"\f065"}.fa-compress:before{content:"\f066"}.fa-plus:before{content:"\f067"}.fa-minus:before{content:"\f068"}.fa-asterisk:before{content:"\f069"}.fa-exclamation-circle:before{content:"\f06a"}.fa-gift:before{content:"\f06b"}.fa-leaf:before{content:"\f06c"}.fa-fire:before{content:"\f06d"}.fa-eye:before{content:"\f06e"}.fa-eye-slash:before{content:"\f070"}.fa-warning:before,.fa-exclamation-triangle:before{content:"\f071"}.fa-plane:before{content:"\f072"}.fa-calendar:before{content:"\f073"}.fa-random:before{content:"\f074"}.fa-comment:before{content:"\f075"}.fa-magnet:before{content:"\f076"}.fa-chevron-up:before{content:"\f077"}.fa-chevron-down:before{content:"\f078"}.fa-retweet:before{content:"\f079"}.fa-shopping-cart:before{content:"\f07a"}.fa-folder:before{content:"\f07b"}.fa-folder-open:before{content:"\f07c"}.fa-arrows-v:before{content:"\f07d"}.fa-arrows-h:before{content:"\f07e"}.fa-bar-chart-o:before,.fa-bar-chart:before{content:"\f080"}.fa-twitter-square:before{content:"\f081"}.fa-facebook-square:before{content:"\f082"}.fa-camera-retro:before{content:"\f083"}.fa-key:before{content:"\f084"}.fa-gears:before,.fa-cogs:before{content:"\f085"}.fa-comments:before{content:"\f086"}.fa-thumbs-o-up:before{content:"\f087"}.fa-thumbs-o-down:before{content:"\f088"}.fa-star-half:before{content:"\f089"}.fa-heart-o:before{content:"\f08a"}.fa-sign-out:before{content:"\f08b"}.fa-linkedin-square:before{content:"\f08c"}.fa-thumb-tack:before{content:"\f08d"}.fa-external-link:before{content:"\f08e"}.fa-sign-in:before{content:"\f090"}.fa-trophy:before{content:"\f091"}.fa-github-square:before{content:"\f092"}.fa-upload:before{content:"\f093"}.fa-lemon-o:before{content:"\f094"}.fa-phone:before{content:"\f095"}.fa-square-o:before{content:"\f096"}.fa-bookmark-o:before{content:"\f097"}.fa-phone-square:before{content:"\f098"}.fa-twitter:before{content:"\f099"}.fa-facebook-f:before,.fa-facebook:before{content:"\f09a"}.fa-github:before{content:"\f09b"}.fa-unlock:before{content:"\f09c"}.fa-credit-card:before{content:"\f09d"}.fa-feed:before,.fa-rss:before{content:"\f09e"}.fa-hdd-o:before{content:"\f0a0"}.fa-bullhorn:before{content:"\f0a1"}.fa-bell:before{content:"\f0f3"}.fa-certificate:before{content:"\f0a3"}.fa-hand-o-right:before{content:"\f0a4"}.fa-hand-o-left:before{content:"\f0a5"}.fa-hand-o-up:before{content:"\f0a6"}.fa-hand-o-down:before{content:"\f0a7"}.fa-arrow-circle-left:before{content:"\f0a8"}.fa-arrow-circle-right:before{content:"\f0a9"}.fa-arrow-circle-up:before{content:"\f0aa"}.fa-arrow-circle-down:before{content:"\f0ab"}.fa-globe:before{content:"\f0ac"}.fa-wrench:before{content:"\f0ad"}.fa-tasks:before{content:"\f0ae"}.fa-filter:before{content:"\f0b0"}.fa-briefcase:before{content:"\f0b1"}.fa-arrows-alt:before{content:"\f0b2"}.fa-group:before,.fa-users:before{content:"\f0c0"}.fa-chain:before,.fa-link:before{content:"\f0c1"}.fa-cloud:before{content:"\f0c2"}.fa-flask:before{content:"\f0c3"}.fa-cut:before,.fa-scissors:before{content:"\f0c4"}.fa-copy:before,.fa-files-o:before{content:"\f0c5"}.fa-paperclip:before{content:"\f0c6"}.fa-save:before,.fa-floppy-o:before{content:"\f0c7"}.fa-square:before{content:"\f0c8"}.fa-navicon:before,.fa-reorder:before,.fa-bars:before{content:"\f0c9"}.fa-list-ul:before{content:"\f0ca"}.fa-list-ol:before{content:"\f0cb"}.fa-strikethrough:before{content:"\f0cc"}.fa-underline:before{content:"\f0cd"}.fa-table:before{content:"\f0ce"}.fa-magic:before{content:"\f0d0"}.fa-truck:before{content:"\f0d1"}.fa-pinterest:before{content:"\f0d2"}.fa-pinterest-square:before{content:"\f0d3"}.fa-google-plus-square:before{content:"\f0d4"}.fa-google-plus:before{content:"\f0d5"}.fa-money:before{content:"\f0d6"}.fa-caret-down:before{content:"\f0d7"}.fa-caret-up:before{content:"\f0d8"}.fa-caret-left:before{content:"\f0d9"}.fa-caret-right:before{content:"\f0da"}.fa-columns:before{content:"\f0db"}.fa-unsorted:before,.fa-sort:before{content:"\f0dc"}.fa-sort-down:before,.fa-sort-desc:before{content:"\f0dd"}.fa-sort-up:before,.fa-sort-asc:before{content:"\f0de"}.fa-envelope:before{content:"\f0e0"}.fa-linkedin:before{content:"\f0e1"}.fa-rotate-left:before,.fa-undo:before{content:"\f0e2"}.fa-legal:before,.fa-gavel:before{content:"\f0e3"}.fa-dashboard:before,.fa-tachometer:before{content:"\f0e4"}.fa-comment-o:before{content:"\f0e5"}.fa-comments-o:before{content:"\f0e6"}.fa-flash:before,.fa-bolt:before{content:"\f0e7"}.fa-sitemap:before{content:"\f0e8"}.fa-umbrella:before{content:"\f0e9"}.fa-paste:before,.fa-clipboard:before{content:"\f0ea"}.fa-lightbulb-o:before{content:"\f0eb"}.fa-exchange:before{content:"\f0ec"}.fa-cloud-download:before{content:"\f0ed"}.fa-cloud-upload:before{content:"\f0ee"}.fa-user-md:before{content:"\f0f0"}.fa-stethoscope:before{content:"\f0f1"}.fa-suitcase:before{content:"\f0f2"}.fa-bell-o:before{content:"\f0a2"}.fa-coffee:before{content:"\f0f4"}.fa-cutlery:before{content:"\f0f5"}.fa-file-text-o:before{content:"\f0f6"}.fa-building-o:before{content:"\f0f7"}.fa-hospital-o:before{content:"\f0f8"}.fa-ambulance:before{content:"\f0f9"}.fa-medkit:before{content:"\f0fa"}.fa-fighter-jet:before{content:"\f0fb"}.fa-beer:before{content:"\f0fc"}.fa-h-square:before{content:"\f0fd"}.fa-plus-square:before{content:"\f0fe"}.fa-angle-double-left:before{content:"\f100"}.fa-angle-double-right:before{content:"\f101"}.fa-angle-double-up:before{content:"\f102"}.fa-angle-double-down:before{content:"\f103"}.fa-angle-left:before{content:"\f104"}.fa-angle-right:before{content:"\f105"}.fa-angle-up:before{content:"\f106"}.fa-angle-down:before{content:"\f107"}.fa-desktop:before{content:"\f108"}.fa-laptop:before{content:"\f109"}.fa-tablet:before{content:"\f10a"}.fa-mobile-phone:before,.fa-mobile:before{content:"\f10b"}.fa-circle-o:before{content:"\f10c"}.fa-quote-left:before{content:"\f10d"}.fa-quote-right:before{content:"\f10e"}.fa-spinner:before{content:"\f110"}.fa-circle:before{content:"\f111"}.fa-mail-reply:before,.fa-reply:before{content:"\f112"}.fa-github-alt:before{content:"\f113"}.fa-folder-o:before{content:"\f114"}.fa-folder-open-o:before{content:"\f115"}.fa-smile-o:before{content:"\f118"}.fa-frown-o:before{content:"\f119"}.fa-meh-o:before{content:"\f11a"}.fa-gamepad:before{content:"\f11b"}.fa-keyboard-o:before{content:"\f11c"}.fa-flag-o:before{content:"\f11d"}.fa-flag-checkered:before{content:"\f11e"}.fa-terminal:before{content:"\f120"}.fa-code:before{content:"\f121"}.fa-mail-reply-all:before,.fa-reply-all:before{content:"\f122"}.fa-star-half-empty:before,.fa-star-half-full:before,.fa-star-half-o:before{content:"\f123"}.fa-location-arrow:before{content:"\f124"}.fa-crop:before{content:"\f125"}.fa-code-fork:before{content:"\f126"}.fa-unlink:before,.fa-chain-broken:before{content:"\f127"}.fa-question:before{content:"\f128"}.fa-info:before{content:"\f129"}.fa-exclamation:before{content:"\f12a"}.fa-superscript:before{content:"\f12b"}.fa-subscript:before{content:"\f12c"}.fa-eraser:before{content:"\f12d"}.fa-puzzle-piece:before{content:"\f12e"}.fa-microphone:before{content:"\f130"}.fa-microphone-slash:before{content:"\f131"}.fa-shield:before{content:"\f132"}.fa-calendar-o:before{content:"\f133"}.fa-fire-extinguisher:before{content:"\f134"}.fa-rocket:before{content:"\f135"}.fa-maxcdn:before{content:"\f136"}.fa-chevron-circle-left:before{content:"\f137"}.fa-chevron-circle-right:before{content:"\f138"}.fa-chevron-circle-up:before{content:"\f139"}.fa-chevron-circle-down:before{content:"\f13a"}.fa-html5:before{content:"\f13b"}.fa-css3:before{content:"\f13c"}.fa-anchor:before{content:"\f13d"}.fa-unlock-alt:before{content:"\f13e"}.fa-bullseye:before{content:"\f140"}.fa-ellipsis-h:before{content:"\f141"}.fa-ellipsis-v:before{content:"\f142"}.fa-rss-square:before{content:"\f143"}.fa-play-circle:before{content:"\f144"}.fa-ticket:before{content:"\f145"}.fa-minus-square:before{content:"\f146"}.fa-minus-square-o:before{content:"\f147"}.fa-level-up:before{content:"\f148"}.fa-level-down:before{content:"\f149"}.fa-check-square:before{content:"\f14a"}.fa-pencil-square:before{content:"\f14b"}.fa-external-link-square:before{content:"\f14c"}.fa-share-square:before{content:"\f14d"}.fa-compass:before{content:"\f14e"}.fa-toggle-down:before,.fa-caret-square-o-down:before{content:"\f150"}.fa-toggle-up:before,.fa-caret-square-o-up:before{content:"\f151"}.fa-toggle-right:before,.fa-caret-square-o-right:before{content:"\f152"}.fa-euro:before,.fa-eur:before{content:"\f153"}.fa-gbp:before{content:"\f154"}.fa-dollar:before,.fa-usd:before{content:"\f155"}.fa-rupee:before,.fa-inr:before{content:"\f156"}.fa-cny:before,.fa-rmb:before,.fa-yen:before,.fa-jpy:before{content:"\f157"}.fa-ruble:before,.fa-rouble:before,.fa-rub:before{content:"\f158"}.fa-won:before,.fa-krw:before{content:"\f159"}.fa-bitcoin:before,.fa-btc:before{content:"\f15a"}.fa-file:before{content:"\f15b"}.fa-file-text:before{content:"\f15c"}.fa-sort-alpha-asc:before{content:"\f15d"}.fa-sort-alpha-desc:before{content:"\f15e"}.fa-sort-amount-asc:before{content:"\f160"}.fa-sort-amount-desc:before{content:"\f161"}.fa-sort-numeric-asc:before{content:"\f162"}.fa-sort-numeric-desc:before{content:"\f163"}.fa-thumbs-up:before{content:"\f164"}.fa-thumbs-down:before{content:"\f165"}.fa-youtube-square:before{content:"\f166"}.fa-youtube:before{content:"\f167"}.fa-xing:before{content:"\f168"}.fa-xing-square:before{content:"\f169"}.fa-youtube-play:before{content:"\f16a"}.fa-dropbox:before{content:"\f16b"}.fa-stack-overflow:before{content:"\f16c"}.fa-instagram:before{content:"\f16d"}.fa-flickr:before{content:"\f16e"}.fa-adn:before{content:"\f170"}.fa-bitbucket:before{content:"\f171"}.fa-bitbucket-square:before{content:"\f172"}.fa-tumblr:before{content:"\f173"}.fa-tumblr-square:before{content:"\f174"}.fa-long-arrow-down:before{content:"\f175"}.fa-long-arrow-up:before{content:"\f176"}.fa-long-arrow-left:before{content:"\f177"}.fa-long-arrow-right:before{content:"\f178"}.fa-apple:before{content:"\f179"}.fa-windows:before{content:"\f17a"}.fa-android:before{content:"\f17b"}.fa-linux:before{content:"\f17c"}.fa-dribbble:before{content:"\f17d"}.fa-skype:before{content:"\f17e"}.fa-foursquare:before{content:"\f180"}.fa-trello:before{content:"\f181"}.fa-female:before{content:"\f182"}.fa-male:before{content:"\f183"}.fa-gittip:before,.fa-gratipay:before{content:"\f184"}.fa-sun-o:before{content:"\f185"}.fa-moon-o:before{content:"\f186"}.fa-archive:before{content:"\f187"}.fa-bug:before{content:"\f188"}.fa-vk:before{content:"\f189"}.fa-weibo:before{content:"\f18a"}.fa-renren:before{content:"\f18b"}.fa-pagelines:before{content:"\f18c"}.fa-stack-exchange:before{content:"\f18d"}.fa-arrow-circle-o-right:before{content:"\f18e"}.fa-arrow-circle-o-left:before{content:"\f190"}.fa-toggle-left:before,.fa-caret-square-o-left:before{content:"\f191"}.fa-dot-circle-o:before{content:"\f192"}.fa-wheelchair:before{content:"\f193"}.fa-vimeo-square:before{content:"\f194"}.fa-turkish-lira:before,.fa-try:before{content:"\f195"}.fa-plus-square-o:before{content:"\f196"}.fa-space-shuttle:before{content:"\f197"}.fa-slack:before{content:"\f198"}.fa-envelope-square:before{content:"\f199"}.fa-wordpress:before{content:"\f19a"}.fa-openid:before{content:"\f19b"}.fa-institution:before,.fa-bank:before,.fa-university:before{content:"\f19c"}.fa-mortar-board:before,.fa-graduation-cap:before{content:"\f19d"}.fa-yahoo:before{content:"\f19e"}.fa-google:before{content:"\f1a0"}.fa-reddit:before{content:"\f1a1"}.fa-reddit-square:before{content:"\f1a2"}.fa-stumbleupon-circle:before{content:"\f1a3"}.fa-stumbleupon:before{content:"\f1a4"}.fa-delicious:before{content:"\f1a5"}.fa-digg:before{content:"\f1a6"}.fa-pied-piper:before{content:"\f1a7"}.fa-pied-piper-alt:before{content:"\f1a8"}.fa-drupal:before{content:"\f1a9"}.fa-joomla:before{content:"\f1aa"}.fa-language:before{content:"\f1ab"}.fa-fax:before{content:"\f1ac"}.fa-building:before{content:"\f1ad"}.fa-child:before{content:"\f1ae"}.fa-paw:before{content:"\f1b0"}.fa-spoon:before{content:"\f1b1"}.fa-cube:before{content:"\f1b2"}.fa-cubes:before{content:"\f1b3"}.fa-behance:before{content:"\f1b4"}.fa-behance-square:before{content:"\f1b5"}.fa-steam:before{content:"\f1b6"}.fa-steam-square:before{content:"\f1b7"}.fa-recycle:before{content:"\f1b8"}.fa-automobile:before,.fa-car:before{content:"\f1b9"}.fa-cab:before,.fa-taxi:before{content:"\f1ba"}.fa-tree:before{content:"\f1bb"}.fa-spotify:before{content:"\f1bc"}.fa-deviantart:before{content:"\f1bd"}.fa-soundcloud:before{content:"\f1be"}.fa-database:before{content:"\f1c0"}.fa-file-pdf-o:before{content:"\f1c1"}.fa-file-word-o:before{content:"\f1c2"}.fa-file-excel-o:before{content:"\f1c3"}.fa-file-powerpoint-o:before{content:"\f1c4"}.fa-file-photo-o:before,.fa-file-picture-o:before,.fa-file-image-o:before{content:"\f1c5"}.fa-file-zip-o:before,.fa-file-archive-o:before{content:"\f1c6"}.fa-file-sound-o:before,.fa-file-audio-o:before{content:"\f1c7"}.fa-file-movie-o:before,.fa-file-video-o:before{content:"\f1c8"}.fa-file-code-o:before{content:"\f1c9"}.fa-vine:before{content:"\f1ca"}.fa-codepen:before{content:"\f1cb"}.fa-jsfiddle:before{content:"\f1cc"}.fa-life-bouy:before,.fa-life-buoy:before,.fa-life-saver:before,.fa-support:before,.fa-life-ring:before{content:"\f1cd"}.fa-circle-o-notch:before{content:"\f1ce"}.fa-ra:before,.fa-rebel:before{content:"\f1d0"}.fa-ge:before,.fa-empire:before{content:"\f1d1"}.fa-git-square:before{content:"\f1d2"}.fa-git:before{content:"\f1d3"}.fa-y-combinator-square:before,.fa-yc-square:before,.fa-hacker-news:before{content:"\f1d4"}.fa-tencent-weibo:before{content:"\f1d5"}.fa-qq:before{content:"\f1d6"}.fa-wechat:before,.fa-weixin:before{content:"\f1d7"}.fa-send:before,.fa-paper-plane:before{content:"\f1d8"}.fa-send-o:before,.fa-paper-plane-o:before{content:"\f1d9"}.fa-history:before{content:"\f1da"}.fa-circle-thin:before{content:"\f1db"}.fa-header:before{content:"\f1dc"}.fa-paragraph:before{content:"\f1dd"}.fa-sliders:before{content:"\f1de"}.fa-share-alt:before{content:"\f1e0"}.fa-share-alt-square:before{content:"\f1e1"}.fa-bomb:before{content:"\f1e2"}.fa-soccer-ball-o:before,.fa-futbol-o:before{content:"\f1e3"}.fa-tty:before{content:"\f1e4"}.fa-binoculars:before{content:"\f1e5"}.fa-plug:before{content:"\f1e6"}.fa-slideshare:before{content:"\f1e7"}.fa-twitch:before{content:"\f1e8"}.fa-yelp:before{content:"\f1e9"}.fa-newspaper-o:before{content:"\f1ea"}.fa-wifi:before{content:"\f1eb"}.fa-calculator:before{content:"\f1ec"}.fa-paypal:before{content:"\f1ed"}.fa-google-wallet:before{content:"\f1ee"}.fa-cc-visa:before{content:"\f1f0"}.fa-cc-mastercard:before{content:"\f1f1"}.fa-cc-discover:before{content:"\f1f2"}.fa-cc-amex:before{content:"\f1f3"}.fa-cc-paypal:before{content:"\f1f4"}.fa-cc-stripe:before{content:"\f1f5"}.fa-bell-slash:before{content:"\f1f6"}.fa-bell-slash-o:before{content:"\f1f7"}.fa-trash:before{content:"\f1f8"}.fa-copyright:before{content:"\f1f9"}.fa-at:before{content:"\f1fa"}.fa-eyedropper:before{content:"\f1fb"}.fa-paint-brush:before{content:"\f1fc"}.fa-birthday-cake:before{content:"\f1fd"}.fa-area-chart:before{content:"\f1fe"}.fa-pie-chart:before{content:"\f200"}.fa-line-chart:before{content:"\f201"}.fa-lastfm:before{content:"\f202"}.fa-lastfm-square:before{content:"\f203"}.fa-toggle-off:before{content:"\f204"}.fa-toggle-on:before{content:"\f205"}.fa-bicycle:before{content:"\f206"}.fa-bus:before{content:"\f207"}.fa-ioxhost:before{content:"\f208"}.fa-angellist:before{content:"\f209"}.fa-cc:before{content:"\f20a"}.fa-shekel:before,.fa-sheqel:before,.fa-ils:before{content:"\f20b"}.fa-meanpath:before{content:"\f20c"}.fa-buysellads:before{content:"\f20d"}.fa-connectdevelop:before{content:"\f20e"}.fa-dashcube:before{content:"\f210"}.fa-forumbee:before{content:"\f211"}.fa-leanpub:before{content:"\f212"}.fa-sellsy:before{content:"\f213"}.fa-shirtsinbulk:before{content:"\f214"}.fa-simplybuilt:before{content:"\f215"}.fa-skyatlas:before{content:"\f216"}.fa-cart-plus:before{content:"\f217"}.fa-cart-arrow-down:before{content:"\f218"}.fa-diamond:before{content:"\f219"}.fa-ship:before{content:"\f21a"}.fa-user-secret:before{content:"\f21b"}.fa-motorcycle:before{content:"\f21c"}.fa-street-view:before{content:"\f21d"}.fa-heartbeat:before{content:"\f21e"}.fa-venus:before{content:"\f221"}.fa-mars:before{content:"\f222"}.fa-mercury:before{content:"\f223"}.fa-intersex:before,.fa-transgender:before{content:"\f224"}.fa-transgender-alt:before{content:"\f225"}.fa-venus-double:before{content:"\f226"}.fa-mars-double:before{content:"\f227"}.fa-venus-mars:before{content:"\f228"}.fa-mars-stroke:before{content:"\f229"}.fa-mars-stroke-v:before{content:"\f22a"}.fa-mars-stroke-h:before{content:"\f22b"}.fa-neuter:before{content:"\f22c"}.fa-genderless:before{content:"\f22d"}.fa-facebook-official:before{content:"\f230"}.fa-pinterest-p:before{content:"\f231"}.fa-whatsapp:before{content:"\f232"}.fa-server:before{content:"\f233"}.fa-user-plus:before{content:"\f234"}.fa-user-times:before{content:"\f235"}.fa-hotel:before,.fa-bed:before{content:"\f236"}.fa-viacoin:before{content:"\f237"}.fa-train:before{content:"\f238"}.fa-subway:before{content:"\f239"}.fa-medium:before{content:"\f23a"}.fa-yc:before,.fa-y-combinator:before{content:"\f23b"}.fa-optin-monster:before{content:"\f23c"}.fa-opencart:before{content:"\f23d"}.fa-expeditedssl:before{content:"\f23e"}.fa-battery-4:before,.fa-battery-full:before{content:"\f240"}.fa-battery-3:before,.fa-battery-three-quarters:before{content:"\f241"}.fa-battery-2:before,.fa-battery-half:before{content:"\f242"}.fa-battery-1:before,.fa-battery-quarter:before{content:"\f243"}.fa-battery-0:before,.fa-battery-empty:before{content:"\f244"}.fa-mouse-pointer:before{content:"\f245"}.fa-i-cursor:before{content:"\f246"}.fa-object-group:before{content:"\f247"}.fa-object-ungroup:before{content:"\f248"}.fa-sticky-note:before{content:"\f249"}.fa-sticky-note-o:before{content:"\f24a"}.fa-cc-jcb:before{content:"\f24b"}.fa-cc-diners-club:before{content:"\f24c"}.fa-clone:before{content:"\f24d"}.fa-balance-scale:before{content:"\f24e"}.fa-hourglass-o:before{content:"\f250"}.fa-hourglass-1:before,.fa-hourglass-start:before{content:"\f251"}.fa-hourglass-2:before,.fa-hourglass-half:before{content:"\f252"}.fa-hourglass-3:before,.fa-hourglass-end:before{content:"\f253"}.fa-hourglass:before{content:"\f254"}.fa-hand-grab-o:before,.fa-hand-rock-o:before{content:"\f255"}.fa-hand-stop-o:before,.fa-hand-paper-o:before{content:"\f256"}.fa-hand-scissors-o:before{content:"\f257"}.fa-hand-lizard-o:before{content:"\f258"}.fa-hand-spock-o:before{content:"\f259"}.fa-hand-pointer-o:before{content:"\f25a"}.fa-hand-peace-o:before{content:"\f25b"}.fa-trademark:before{content:"\f25c"}.fa-registered:before{content:"\f25d"}.fa-creative-commons:before{content:"\f25e"}.fa-gg:before{content:"\f260"}.fa-gg-circle:before{content:"\f261"}.fa-tripadvisor:before{content:"\f262"}.fa-odnoklassniki:before{content:"\f263"}.fa-odnoklassniki-square:before{content:"\f264"}.fa-get-pocket:before{content:"\f265"}.fa-wikipedia-w:before{content:"\f266"}.fa-safari:before{content:"\f267"}.fa-chrome:before{content:"\f268"}.fa-firefox:before{content:"\f269"}.fa-opera:before{content:"\f26a"}.fa-internet-explorer:before{content:"\f26b"}.fa-tv:before,.fa-television:before{content:"\f26c"}.fa-contao:before{content:"\f26d"}.fa-500px:before{content:"\f26e"}.fa-amazon:before{content:"\f270"}.fa-calendar-plus-o:before{content:"\f271"}.fa-calendar-minus-o:before{content:"\f272"}.fa-calendar-times-o:before{content:"\f273"}.fa-calendar-check-o:before{content:"\f274"}.fa-industry:before{content:"\f275"}.fa-map-pin:before{content:"\f276"}.fa-map-signs:before{content:"\f277"}.fa-map-o:before{content:"\f278"}.fa-map:before{content:"\f279"}.fa-commenting:before{content:"\f27a"}.fa-commenting-o:before{content:"\f27b"}.fa-houzz:before{content:"\f27c"}.fa-vimeo:before{content:"\f27d"}.fa-black-tie:before{content:"\f27e"}.fa-fonticons:before{content:"\f280"}.fa-reddit-alien:before{content:"\f281"}.fa-edge:before{content:"\f282"}.fa-credit-card-alt:before{content:"\f283"}.fa-codiepie:before{content:"\f284"}.fa-modx:before{content:"\f285"}.fa-fort-awesome:before{content:"\f286"}.fa-usb:before{content:"\f287"}.fa-product-hunt:before{content:"\f288"}.fa-mixcloud:before{content:"\f289"}.fa-scribd:before{content:"\f28a"}.fa-pause-circle:before{content:"\f28b"}.fa-pause-circle-o:before{content:"\f28c"}.fa-stop-circle:before{content:"\f28d"}.fa-stop-circle-o:before{content:"\f28e"}.fa-shopping-bag:before{content:"\f290"}.fa-shopping-basket:before{content:"\f291"}.fa-hashtag:before{content:"\f292"}.fa-bluetooth:before{content:"\f293"}.fa-bluetooth-b:before{content:"\f294"}.fa-percent:before{content:"\f295"}.fa-gitlab:before{content:"\f296"}.fa-wpbeginner:before{content:"\f297"}.fa-wpforms:before{content:"\f298"}.fa-envira:before{content:"\f299"}.fa-universal-access:before{content:"\f29a"}.fa-wheelchair-alt:before{content:"\f29b"}.fa-question-circle-o:before{content:"\f29c"}.fa-blind:before{content:"\f29d"}.fa-audio-description:before{content:"\f29e"}.fa-volume-control-phone:before{content:"\f2a0"}.fa-braille:before{content:"\f2a1"}.fa-assistive-listening-systems:before{content:"\f2a2"}.fa-asl-interpreting:before,.fa-american-sign-language-interpreting:before{content:"\f2a3"}.fa-deafness:before,.fa-hard-of-hearing:before,.fa-deaf:before{content:"\f2a4"}.fa-glide:before{content:"\f2a5"}.fa-glide-g:before{content:"\f2a6"}.fa-signing:before,.fa-sign-language:before{content:"\f2a7"}.fa-low-vision:before{content:"\f2a8"}.fa-viadeo:before{content:"\f2a9"}.fa-viadeo-square:before{content:"\f2aa"}.fa-snapchat:before{content:"\f2ab"}.fa-snapchat-ghost:before{content:"\f2ac"}.fa-snapchat-square:before{content:"\f2ad"}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/FontAwesome.otf b/iam-login-service/src/main/webapp/resources/font-awesome/fonts/FontAwesome.otf deleted file mode 100644 index 59853bcda..000000000 Binary files a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/FontAwesome.otf and /dev/null differ diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.eot b/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.eot deleted file mode 100644 index 96f92f9b8..000000000 Binary files a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.eot and /dev/null differ diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.svg b/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.svg deleted file mode 100644 index 5a5f0ecd4..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.svg +++ /dev/null @@ -1,685 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.ttf b/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.ttf deleted file mode 100644 index 86784df96..000000000 Binary files a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.ttf and /dev/null differ diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.woff b/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.woff deleted file mode 100644 index c7faa19c4..000000000 Binary files a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.woff and /dev/null differ diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.woff2 b/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.woff2 deleted file mode 100644 index cab8571d5..000000000 Binary files a/iam-login-service/src/main/webapp/resources/font-awesome/fonts/fontawesome-webfont.woff2 and /dev/null differ diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/animated.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/animated.less deleted file mode 100644 index 66ad52a5b..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/animated.less +++ /dev/null @@ -1,34 +0,0 @@ -// Animated Icons -// -------------------------- - -.@{fa-css-prefix}-spin { - -webkit-animation: fa-spin 2s infinite linear; - animation: fa-spin 2s infinite linear; -} - -.@{fa-css-prefix}-pulse { - -webkit-animation: fa-spin 1s infinite steps(8); - animation: fa-spin 1s infinite steps(8); -} - -@-webkit-keyframes fa-spin { - 0% { - -webkit-transform: rotate(0deg); - transform: rotate(0deg); - } - 100% { - -webkit-transform: rotate(359deg); - transform: rotate(359deg); - } -} - -@keyframes fa-spin { - 0% { - -webkit-transform: rotate(0deg); - transform: rotate(0deg); - } - 100% { - -webkit-transform: rotate(359deg); - transform: rotate(359deg); - } -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/bordered-pulled.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/bordered-pulled.less deleted file mode 100644 index f1c8ad75f..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/bordered-pulled.less +++ /dev/null @@ -1,25 +0,0 @@ -// Bordered & Pulled -// ------------------------- - -.@{fa-css-prefix}-border { - padding: .2em .25em .15em; - border: solid .08em @fa-border-color; - border-radius: .1em; -} - -.@{fa-css-prefix}-pull-left { float: left; } -.@{fa-css-prefix}-pull-right { float: right; } - -.@{fa-css-prefix} { - &.@{fa-css-prefix}-pull-left { margin-right: .3em; } - &.@{fa-css-prefix}-pull-right { margin-left: .3em; } -} - -/* Deprecated as of 4.4.0 */ -.pull-right { float: right; } -.pull-left { float: left; } - -.@{fa-css-prefix} { - &.pull-left { margin-right: .3em; } - &.pull-right { margin-left: .3em; } -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/core.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/core.less deleted file mode 100644 index c577ac84a..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/core.less +++ /dev/null @@ -1,12 +0,0 @@ -// Base Class Definition -// ------------------------- - -.@{fa-css-prefix} { - display: inline-block; - font: normal normal normal @fa-font-size-base/@fa-line-height-base FontAwesome; // shortening font declaration - font-size: inherit; // can't have font-size inherit on line above, so need to override - text-rendering: auto; // optimizelegibility throws things off #1094 - -webkit-font-smoothing: antialiased; - -moz-osx-font-smoothing: grayscale; - -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/fixed-width.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/fixed-width.less deleted file mode 100644 index 110289f2f..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/fixed-width.less +++ /dev/null @@ -1,6 +0,0 @@ -// Fixed Width Icons -// ------------------------- -.@{fa-css-prefix}-fw { - width: (18em / 14); - text-align: center; -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/font-awesome.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/font-awesome.less deleted file mode 100644 index 767096008..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/font-awesome.less +++ /dev/null @@ -1,18 +0,0 @@ -/*! - * Font Awesome 4.6.1 by @davegandy - http://fontawesome.io - @fontawesome - * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License) - */ - -@import "variables.less"; -@import "mixins.less"; -@import "path.less"; -@import "core.less"; -@import "larger.less"; -@import "fixed-width.less"; -@import "list.less"; -@import "bordered-pulled.less"; -@import "animated.less"; -@import "rotated-flipped.less"; -@import "stacked.less"; -@import "icons.less"; -@import "screen-reader.less"; diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/icons.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/icons.less deleted file mode 100644 index c5e643091..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/icons.less +++ /dev/null @@ -1,724 +0,0 @@ -/* Font Awesome uses the Unicode Private Use Area (PUA) to ensure screen - readers do not read off random characters that represent icons */ - -.@{fa-css-prefix}-glass:before { content: @fa-var-glass; } -.@{fa-css-prefix}-music:before { content: @fa-var-music; } -.@{fa-css-prefix}-search:before { content: @fa-var-search; } -.@{fa-css-prefix}-envelope-o:before { content: @fa-var-envelope-o; } -.@{fa-css-prefix}-heart:before { content: @fa-var-heart; } -.@{fa-css-prefix}-star:before { content: @fa-var-star; } -.@{fa-css-prefix}-star-o:before { content: @fa-var-star-o; } -.@{fa-css-prefix}-user:before { content: @fa-var-user; } -.@{fa-css-prefix}-film:before { content: @fa-var-film; } -.@{fa-css-prefix}-th-large:before { content: @fa-var-th-large; } -.@{fa-css-prefix}-th:before { content: @fa-var-th; } -.@{fa-css-prefix}-th-list:before { content: @fa-var-th-list; } -.@{fa-css-prefix}-check:before { content: @fa-var-check; } -.@{fa-css-prefix}-remove:before, -.@{fa-css-prefix}-close:before, -.@{fa-css-prefix}-times:before { content: @fa-var-times; } -.@{fa-css-prefix}-search-plus:before { content: @fa-var-search-plus; } -.@{fa-css-prefix}-search-minus:before { content: @fa-var-search-minus; } -.@{fa-css-prefix}-power-off:before { content: @fa-var-power-off; } -.@{fa-css-prefix}-signal:before { content: @fa-var-signal; } -.@{fa-css-prefix}-gear:before, -.@{fa-css-prefix}-cog:before { content: @fa-var-cog; } -.@{fa-css-prefix}-trash-o:before { content: @fa-var-trash-o; } -.@{fa-css-prefix}-home:before { content: @fa-var-home; } -.@{fa-css-prefix}-file-o:before { content: @fa-var-file-o; } -.@{fa-css-prefix}-clock-o:before { content: @fa-var-clock-o; } -.@{fa-css-prefix}-road:before { content: @fa-var-road; } -.@{fa-css-prefix}-download:before { content: @fa-var-download; } -.@{fa-css-prefix}-arrow-circle-o-down:before { content: @fa-var-arrow-circle-o-down; } -.@{fa-css-prefix}-arrow-circle-o-up:before { content: @fa-var-arrow-circle-o-up; } -.@{fa-css-prefix}-inbox:before { content: @fa-var-inbox; } -.@{fa-css-prefix}-play-circle-o:before { content: @fa-var-play-circle-o; } -.@{fa-css-prefix}-rotate-right:before, -.@{fa-css-prefix}-repeat:before { content: @fa-var-repeat; } -.@{fa-css-prefix}-refresh:before { content: @fa-var-refresh; } -.@{fa-css-prefix}-list-alt:before { content: @fa-var-list-alt; } -.@{fa-css-prefix}-lock:before { content: @fa-var-lock; } -.@{fa-css-prefix}-flag:before { content: @fa-var-flag; } -.@{fa-css-prefix}-headphones:before { content: @fa-var-headphones; } -.@{fa-css-prefix}-volume-off:before { content: @fa-var-volume-off; } -.@{fa-css-prefix}-volume-down:before { content: @fa-var-volume-down; } -.@{fa-css-prefix}-volume-up:before { content: @fa-var-volume-up; } -.@{fa-css-prefix}-qrcode:before { content: @fa-var-qrcode; } -.@{fa-css-prefix}-barcode:before { content: @fa-var-barcode; } -.@{fa-css-prefix}-tag:before { content: @fa-var-tag; } -.@{fa-css-prefix}-tags:before { content: @fa-var-tags; } -.@{fa-css-prefix}-book:before { content: @fa-var-book; } -.@{fa-css-prefix}-bookmark:before { content: @fa-var-bookmark; } -.@{fa-css-prefix}-print:before { content: @fa-var-print; } -.@{fa-css-prefix}-camera:before { content: @fa-var-camera; } -.@{fa-css-prefix}-font:before { content: @fa-var-font; } -.@{fa-css-prefix}-bold:before { content: @fa-var-bold; } -.@{fa-css-prefix}-italic:before { content: @fa-var-italic; } -.@{fa-css-prefix}-text-height:before { content: @fa-var-text-height; } -.@{fa-css-prefix}-text-width:before { content: @fa-var-text-width; } -.@{fa-css-prefix}-align-left:before { content: @fa-var-align-left; } -.@{fa-css-prefix}-align-center:before { content: @fa-var-align-center; } -.@{fa-css-prefix}-align-right:before { content: @fa-var-align-right; } -.@{fa-css-prefix}-align-justify:before { content: @fa-var-align-justify; } -.@{fa-css-prefix}-list:before { content: @fa-var-list; } -.@{fa-css-prefix}-dedent:before, -.@{fa-css-prefix}-outdent:before { content: @fa-var-outdent; } -.@{fa-css-prefix}-indent:before { content: @fa-var-indent; } -.@{fa-css-prefix}-video-camera:before { content: @fa-var-video-camera; } -.@{fa-css-prefix}-photo:before, -.@{fa-css-prefix}-image:before, -.@{fa-css-prefix}-picture-o:before { content: @fa-var-picture-o; } -.@{fa-css-prefix}-pencil:before { content: @fa-var-pencil; } -.@{fa-css-prefix}-map-marker:before { content: @fa-var-map-marker; } -.@{fa-css-prefix}-adjust:before { content: @fa-var-adjust; } -.@{fa-css-prefix}-tint:before { content: @fa-var-tint; } -.@{fa-css-prefix}-edit:before, -.@{fa-css-prefix}-pencil-square-o:before { content: @fa-var-pencil-square-o; } -.@{fa-css-prefix}-share-square-o:before { content: @fa-var-share-square-o; } -.@{fa-css-prefix}-check-square-o:before { content: @fa-var-check-square-o; } -.@{fa-css-prefix}-arrows:before { content: @fa-var-arrows; } -.@{fa-css-prefix}-step-backward:before { content: @fa-var-step-backward; } -.@{fa-css-prefix}-fast-backward:before { content: @fa-var-fast-backward; } -.@{fa-css-prefix}-backward:before { content: @fa-var-backward; } -.@{fa-css-prefix}-play:before { content: @fa-var-play; } -.@{fa-css-prefix}-pause:before { content: @fa-var-pause; } -.@{fa-css-prefix}-stop:before { content: @fa-var-stop; } -.@{fa-css-prefix}-forward:before { content: @fa-var-forward; } -.@{fa-css-prefix}-fast-forward:before { content: @fa-var-fast-forward; } -.@{fa-css-prefix}-step-forward:before { content: @fa-var-step-forward; } -.@{fa-css-prefix}-eject:before { content: @fa-var-eject; } -.@{fa-css-prefix}-chevron-left:before { content: @fa-var-chevron-left; } -.@{fa-css-prefix}-chevron-right:before { content: @fa-var-chevron-right; } -.@{fa-css-prefix}-plus-circle:before { content: @fa-var-plus-circle; } -.@{fa-css-prefix}-minus-circle:before { content: @fa-var-minus-circle; } -.@{fa-css-prefix}-times-circle:before { content: @fa-var-times-circle; } -.@{fa-css-prefix}-check-circle:before { content: @fa-var-check-circle; } -.@{fa-css-prefix}-question-circle:before { content: @fa-var-question-circle; } -.@{fa-css-prefix}-info-circle:before { content: @fa-var-info-circle; } -.@{fa-css-prefix}-crosshairs:before { content: @fa-var-crosshairs; } -.@{fa-css-prefix}-times-circle-o:before { content: @fa-var-times-circle-o; } -.@{fa-css-prefix}-check-circle-o:before { content: @fa-var-check-circle-o; } -.@{fa-css-prefix}-ban:before { content: @fa-var-ban; } -.@{fa-css-prefix}-arrow-left:before { content: @fa-var-arrow-left; } -.@{fa-css-prefix}-arrow-right:before { content: @fa-var-arrow-right; } -.@{fa-css-prefix}-arrow-up:before { content: @fa-var-arrow-up; } -.@{fa-css-prefix}-arrow-down:before { content: @fa-var-arrow-down; } -.@{fa-css-prefix}-mail-forward:before, -.@{fa-css-prefix}-share:before { content: @fa-var-share; } -.@{fa-css-prefix}-expand:before { content: @fa-var-expand; } -.@{fa-css-prefix}-compress:before { content: @fa-var-compress; } -.@{fa-css-prefix}-plus:before { content: @fa-var-plus; } -.@{fa-css-prefix}-minus:before { content: @fa-var-minus; } -.@{fa-css-prefix}-asterisk:before { content: @fa-var-asterisk; } -.@{fa-css-prefix}-exclamation-circle:before { content: @fa-var-exclamation-circle; } -.@{fa-css-prefix}-gift:before { content: @fa-var-gift; } -.@{fa-css-prefix}-leaf:before { content: @fa-var-leaf; } -.@{fa-css-prefix}-fire:before { content: @fa-var-fire; } -.@{fa-css-prefix}-eye:before { content: @fa-var-eye; } -.@{fa-css-prefix}-eye-slash:before { content: @fa-var-eye-slash; } -.@{fa-css-prefix}-warning:before, -.@{fa-css-prefix}-exclamation-triangle:before { content: @fa-var-exclamation-triangle; } -.@{fa-css-prefix}-plane:before { content: @fa-var-plane; } -.@{fa-css-prefix}-calendar:before { content: @fa-var-calendar; } -.@{fa-css-prefix}-random:before { content: @fa-var-random; } -.@{fa-css-prefix}-comment:before { content: @fa-var-comment; } -.@{fa-css-prefix}-magnet:before { content: @fa-var-magnet; } -.@{fa-css-prefix}-chevron-up:before { content: @fa-var-chevron-up; } -.@{fa-css-prefix}-chevron-down:before { content: @fa-var-chevron-down; } -.@{fa-css-prefix}-retweet:before { content: @fa-var-retweet; } -.@{fa-css-prefix}-shopping-cart:before { content: @fa-var-shopping-cart; } -.@{fa-css-prefix}-folder:before { content: @fa-var-folder; } -.@{fa-css-prefix}-folder-open:before { content: @fa-var-folder-open; } -.@{fa-css-prefix}-arrows-v:before { content: @fa-var-arrows-v; } -.@{fa-css-prefix}-arrows-h:before { content: @fa-var-arrows-h; } -.@{fa-css-prefix}-bar-chart-o:before, -.@{fa-css-prefix}-bar-chart:before { content: @fa-var-bar-chart; } -.@{fa-css-prefix}-twitter-square:before { content: @fa-var-twitter-square; } -.@{fa-css-prefix}-facebook-square:before { content: @fa-var-facebook-square; } -.@{fa-css-prefix}-camera-retro:before { content: @fa-var-camera-retro; } -.@{fa-css-prefix}-key:before { content: @fa-var-key; } -.@{fa-css-prefix}-gears:before, -.@{fa-css-prefix}-cogs:before { content: @fa-var-cogs; } -.@{fa-css-prefix}-comments:before { content: @fa-var-comments; } -.@{fa-css-prefix}-thumbs-o-up:before { content: @fa-var-thumbs-o-up; } -.@{fa-css-prefix}-thumbs-o-down:before { content: @fa-var-thumbs-o-down; } -.@{fa-css-prefix}-star-half:before { content: @fa-var-star-half; } -.@{fa-css-prefix}-heart-o:before { content: @fa-var-heart-o; } -.@{fa-css-prefix}-sign-out:before { content: @fa-var-sign-out; } -.@{fa-css-prefix}-linkedin-square:before { content: @fa-var-linkedin-square; } -.@{fa-css-prefix}-thumb-tack:before { content: @fa-var-thumb-tack; } -.@{fa-css-prefix}-external-link:before { content: @fa-var-external-link; } -.@{fa-css-prefix}-sign-in:before { content: @fa-var-sign-in; } -.@{fa-css-prefix}-trophy:before { content: @fa-var-trophy; } -.@{fa-css-prefix}-github-square:before { content: @fa-var-github-square; } -.@{fa-css-prefix}-upload:before { content: @fa-var-upload; } -.@{fa-css-prefix}-lemon-o:before { content: @fa-var-lemon-o; } -.@{fa-css-prefix}-phone:before { content: @fa-var-phone; } -.@{fa-css-prefix}-square-o:before { content: @fa-var-square-o; } -.@{fa-css-prefix}-bookmark-o:before { content: @fa-var-bookmark-o; } -.@{fa-css-prefix}-phone-square:before { content: @fa-var-phone-square; } -.@{fa-css-prefix}-twitter:before { content: @fa-var-twitter; } -.@{fa-css-prefix}-facebook-f:before, -.@{fa-css-prefix}-facebook:before { content: @fa-var-facebook; } -.@{fa-css-prefix}-github:before { content: @fa-var-github; } -.@{fa-css-prefix}-unlock:before { content: @fa-var-unlock; } -.@{fa-css-prefix}-credit-card:before { content: @fa-var-credit-card; } -.@{fa-css-prefix}-feed:before, -.@{fa-css-prefix}-rss:before { content: @fa-var-rss; } -.@{fa-css-prefix}-hdd-o:before { content: @fa-var-hdd-o; } -.@{fa-css-prefix}-bullhorn:before { content: @fa-var-bullhorn; } -.@{fa-css-prefix}-bell:before { content: @fa-var-bell; } -.@{fa-css-prefix}-certificate:before { content: @fa-var-certificate; } -.@{fa-css-prefix}-hand-o-right:before { content: @fa-var-hand-o-right; } -.@{fa-css-prefix}-hand-o-left:before { content: @fa-var-hand-o-left; } -.@{fa-css-prefix}-hand-o-up:before { content: @fa-var-hand-o-up; } -.@{fa-css-prefix}-hand-o-down:before { content: @fa-var-hand-o-down; } -.@{fa-css-prefix}-arrow-circle-left:before { content: @fa-var-arrow-circle-left; } -.@{fa-css-prefix}-arrow-circle-right:before { content: @fa-var-arrow-circle-right; } -.@{fa-css-prefix}-arrow-circle-up:before { content: @fa-var-arrow-circle-up; } -.@{fa-css-prefix}-arrow-circle-down:before { content: @fa-var-arrow-circle-down; } -.@{fa-css-prefix}-globe:before { content: @fa-var-globe; } -.@{fa-css-prefix}-wrench:before { content: @fa-var-wrench; } -.@{fa-css-prefix}-tasks:before { content: @fa-var-tasks; } -.@{fa-css-prefix}-filter:before { content: @fa-var-filter; } -.@{fa-css-prefix}-briefcase:before { content: @fa-var-briefcase; } -.@{fa-css-prefix}-arrows-alt:before { content: @fa-var-arrows-alt; } -.@{fa-css-prefix}-group:before, -.@{fa-css-prefix}-users:before { content: @fa-var-users; } -.@{fa-css-prefix}-chain:before, -.@{fa-css-prefix}-link:before { content: @fa-var-link; } -.@{fa-css-prefix}-cloud:before { content: @fa-var-cloud; } -.@{fa-css-prefix}-flask:before { content: @fa-var-flask; } -.@{fa-css-prefix}-cut:before, -.@{fa-css-prefix}-scissors:before { content: @fa-var-scissors; } -.@{fa-css-prefix}-copy:before, -.@{fa-css-prefix}-files-o:before { content: @fa-var-files-o; } -.@{fa-css-prefix}-paperclip:before { content: @fa-var-paperclip; } -.@{fa-css-prefix}-save:before, -.@{fa-css-prefix}-floppy-o:before { content: @fa-var-floppy-o; } -.@{fa-css-prefix}-square:before { content: @fa-var-square; } -.@{fa-css-prefix}-navicon:before, -.@{fa-css-prefix}-reorder:before, -.@{fa-css-prefix}-bars:before { content: @fa-var-bars; } -.@{fa-css-prefix}-list-ul:before { content: @fa-var-list-ul; } -.@{fa-css-prefix}-list-ol:before { content: @fa-var-list-ol; } -.@{fa-css-prefix}-strikethrough:before { content: @fa-var-strikethrough; } -.@{fa-css-prefix}-underline:before { content: @fa-var-underline; } -.@{fa-css-prefix}-table:before { content: @fa-var-table; } -.@{fa-css-prefix}-magic:before { content: @fa-var-magic; } -.@{fa-css-prefix}-truck:before { content: @fa-var-truck; } -.@{fa-css-prefix}-pinterest:before { content: @fa-var-pinterest; } -.@{fa-css-prefix}-pinterest-square:before { content: @fa-var-pinterest-square; } -.@{fa-css-prefix}-google-plus-square:before { content: @fa-var-google-plus-square; } -.@{fa-css-prefix}-google-plus:before { content: @fa-var-google-plus; } -.@{fa-css-prefix}-money:before { content: @fa-var-money; } -.@{fa-css-prefix}-caret-down:before { content: @fa-var-caret-down; } -.@{fa-css-prefix}-caret-up:before { content: @fa-var-caret-up; } -.@{fa-css-prefix}-caret-left:before { content: @fa-var-caret-left; } -.@{fa-css-prefix}-caret-right:before { content: @fa-var-caret-right; } -.@{fa-css-prefix}-columns:before { content: @fa-var-columns; } -.@{fa-css-prefix}-unsorted:before, -.@{fa-css-prefix}-sort:before { content: @fa-var-sort; } -.@{fa-css-prefix}-sort-down:before, -.@{fa-css-prefix}-sort-desc:before { content: @fa-var-sort-desc; } -.@{fa-css-prefix}-sort-up:before, -.@{fa-css-prefix}-sort-asc:before { content: @fa-var-sort-asc; } -.@{fa-css-prefix}-envelope:before { content: @fa-var-envelope; } -.@{fa-css-prefix}-linkedin:before { content: @fa-var-linkedin; } -.@{fa-css-prefix}-rotate-left:before, -.@{fa-css-prefix}-undo:before { content: @fa-var-undo; } -.@{fa-css-prefix}-legal:before, -.@{fa-css-prefix}-gavel:before { content: @fa-var-gavel; } -.@{fa-css-prefix}-dashboard:before, -.@{fa-css-prefix}-tachometer:before { content: @fa-var-tachometer; } -.@{fa-css-prefix}-comment-o:before { content: @fa-var-comment-o; } -.@{fa-css-prefix}-comments-o:before { content: @fa-var-comments-o; } -.@{fa-css-prefix}-flash:before, -.@{fa-css-prefix}-bolt:before { content: @fa-var-bolt; } -.@{fa-css-prefix}-sitemap:before { content: @fa-var-sitemap; } -.@{fa-css-prefix}-umbrella:before { content: @fa-var-umbrella; } -.@{fa-css-prefix}-paste:before, -.@{fa-css-prefix}-clipboard:before { content: @fa-var-clipboard; } -.@{fa-css-prefix}-lightbulb-o:before { content: @fa-var-lightbulb-o; } -.@{fa-css-prefix}-exchange:before { content: @fa-var-exchange; } -.@{fa-css-prefix}-cloud-download:before { content: @fa-var-cloud-download; } -.@{fa-css-prefix}-cloud-upload:before { content: @fa-var-cloud-upload; } -.@{fa-css-prefix}-user-md:before { content: @fa-var-user-md; } -.@{fa-css-prefix}-stethoscope:before { content: @fa-var-stethoscope; } -.@{fa-css-prefix}-suitcase:before { content: @fa-var-suitcase; } -.@{fa-css-prefix}-bell-o:before { content: @fa-var-bell-o; } -.@{fa-css-prefix}-coffee:before { content: @fa-var-coffee; } -.@{fa-css-prefix}-cutlery:before { content: @fa-var-cutlery; } -.@{fa-css-prefix}-file-text-o:before { content: @fa-var-file-text-o; } -.@{fa-css-prefix}-building-o:before { content: @fa-var-building-o; } -.@{fa-css-prefix}-hospital-o:before { content: @fa-var-hospital-o; } -.@{fa-css-prefix}-ambulance:before { content: @fa-var-ambulance; } -.@{fa-css-prefix}-medkit:before { content: @fa-var-medkit; } -.@{fa-css-prefix}-fighter-jet:before { content: @fa-var-fighter-jet; } -.@{fa-css-prefix}-beer:before { content: @fa-var-beer; } -.@{fa-css-prefix}-h-square:before { content: @fa-var-h-square; } -.@{fa-css-prefix}-plus-square:before { content: @fa-var-plus-square; } -.@{fa-css-prefix}-angle-double-left:before { content: @fa-var-angle-double-left; } -.@{fa-css-prefix}-angle-double-right:before { content: @fa-var-angle-double-right; } -.@{fa-css-prefix}-angle-double-up:before { content: @fa-var-angle-double-up; } -.@{fa-css-prefix}-angle-double-down:before { content: @fa-var-angle-double-down; } -.@{fa-css-prefix}-angle-left:before { content: @fa-var-angle-left; } -.@{fa-css-prefix}-angle-right:before { content: @fa-var-angle-right; } -.@{fa-css-prefix}-angle-up:before { content: @fa-var-angle-up; } -.@{fa-css-prefix}-angle-down:before { content: @fa-var-angle-down; } -.@{fa-css-prefix}-desktop:before { content: @fa-var-desktop; } -.@{fa-css-prefix}-laptop:before { content: @fa-var-laptop; } -.@{fa-css-prefix}-tablet:before { content: @fa-var-tablet; } -.@{fa-css-prefix}-mobile-phone:before, -.@{fa-css-prefix}-mobile:before { content: @fa-var-mobile; } -.@{fa-css-prefix}-circle-o:before { content: @fa-var-circle-o; } -.@{fa-css-prefix}-quote-left:before { content: @fa-var-quote-left; } -.@{fa-css-prefix}-quote-right:before { content: @fa-var-quote-right; } -.@{fa-css-prefix}-spinner:before { content: @fa-var-spinner; } -.@{fa-css-prefix}-circle:before { content: @fa-var-circle; } -.@{fa-css-prefix}-mail-reply:before, -.@{fa-css-prefix}-reply:before { content: @fa-var-reply; } -.@{fa-css-prefix}-github-alt:before { content: @fa-var-github-alt; } -.@{fa-css-prefix}-folder-o:before { content: @fa-var-folder-o; } -.@{fa-css-prefix}-folder-open-o:before { content: @fa-var-folder-open-o; } -.@{fa-css-prefix}-smile-o:before { content: @fa-var-smile-o; } -.@{fa-css-prefix}-frown-o:before { content: @fa-var-frown-o; } -.@{fa-css-prefix}-meh-o:before { content: @fa-var-meh-o; } -.@{fa-css-prefix}-gamepad:before { content: @fa-var-gamepad; } -.@{fa-css-prefix}-keyboard-o:before { content: @fa-var-keyboard-o; } -.@{fa-css-prefix}-flag-o:before { content: @fa-var-flag-o; } -.@{fa-css-prefix}-flag-checkered:before { content: @fa-var-flag-checkered; } -.@{fa-css-prefix}-terminal:before { content: @fa-var-terminal; } -.@{fa-css-prefix}-code:before { content: @fa-var-code; } -.@{fa-css-prefix}-mail-reply-all:before, -.@{fa-css-prefix}-reply-all:before { content: @fa-var-reply-all; } -.@{fa-css-prefix}-star-half-empty:before, -.@{fa-css-prefix}-star-half-full:before, -.@{fa-css-prefix}-star-half-o:before { content: @fa-var-star-half-o; } -.@{fa-css-prefix}-location-arrow:before { content: @fa-var-location-arrow; } -.@{fa-css-prefix}-crop:before { content: @fa-var-crop; } -.@{fa-css-prefix}-code-fork:before { content: @fa-var-code-fork; } -.@{fa-css-prefix}-unlink:before, -.@{fa-css-prefix}-chain-broken:before { content: @fa-var-chain-broken; } -.@{fa-css-prefix}-question:before { content: @fa-var-question; } -.@{fa-css-prefix}-info:before { content: @fa-var-info; } -.@{fa-css-prefix}-exclamation:before { content: @fa-var-exclamation; } -.@{fa-css-prefix}-superscript:before { content: @fa-var-superscript; } -.@{fa-css-prefix}-subscript:before { content: @fa-var-subscript; } -.@{fa-css-prefix}-eraser:before { content: @fa-var-eraser; } -.@{fa-css-prefix}-puzzle-piece:before { content: @fa-var-puzzle-piece; } -.@{fa-css-prefix}-microphone:before { content: @fa-var-microphone; } -.@{fa-css-prefix}-microphone-slash:before { content: @fa-var-microphone-slash; } -.@{fa-css-prefix}-shield:before { content: @fa-var-shield; } -.@{fa-css-prefix}-calendar-o:before { content: @fa-var-calendar-o; } -.@{fa-css-prefix}-fire-extinguisher:before { content: @fa-var-fire-extinguisher; } -.@{fa-css-prefix}-rocket:before { content: @fa-var-rocket; } -.@{fa-css-prefix}-maxcdn:before { content: @fa-var-maxcdn; } -.@{fa-css-prefix}-chevron-circle-left:before { content: @fa-var-chevron-circle-left; } -.@{fa-css-prefix}-chevron-circle-right:before { content: @fa-var-chevron-circle-right; } -.@{fa-css-prefix}-chevron-circle-up:before { content: @fa-var-chevron-circle-up; } -.@{fa-css-prefix}-chevron-circle-down:before { content: @fa-var-chevron-circle-down; } -.@{fa-css-prefix}-html5:before { content: @fa-var-html5; } -.@{fa-css-prefix}-css3:before { content: @fa-var-css3; } -.@{fa-css-prefix}-anchor:before { content: @fa-var-anchor; } -.@{fa-css-prefix}-unlock-alt:before { content: @fa-var-unlock-alt; } -.@{fa-css-prefix}-bullseye:before { content: @fa-var-bullseye; } -.@{fa-css-prefix}-ellipsis-h:before { content: @fa-var-ellipsis-h; } -.@{fa-css-prefix}-ellipsis-v:before { content: @fa-var-ellipsis-v; } -.@{fa-css-prefix}-rss-square:before { content: @fa-var-rss-square; } -.@{fa-css-prefix}-play-circle:before { content: @fa-var-play-circle; } -.@{fa-css-prefix}-ticket:before { content: @fa-var-ticket; } -.@{fa-css-prefix}-minus-square:before { content: @fa-var-minus-square; } -.@{fa-css-prefix}-minus-square-o:before { content: @fa-var-minus-square-o; } -.@{fa-css-prefix}-level-up:before { content: @fa-var-level-up; } -.@{fa-css-prefix}-level-down:before { content: @fa-var-level-down; } -.@{fa-css-prefix}-check-square:before { content: @fa-var-check-square; } -.@{fa-css-prefix}-pencil-square:before { content: @fa-var-pencil-square; } -.@{fa-css-prefix}-external-link-square:before { content: @fa-var-external-link-square; } -.@{fa-css-prefix}-share-square:before { content: @fa-var-share-square; } -.@{fa-css-prefix}-compass:before { content: @fa-var-compass; } -.@{fa-css-prefix}-toggle-down:before, -.@{fa-css-prefix}-caret-square-o-down:before { content: @fa-var-caret-square-o-down; } -.@{fa-css-prefix}-toggle-up:before, -.@{fa-css-prefix}-caret-square-o-up:before { content: @fa-var-caret-square-o-up; } -.@{fa-css-prefix}-toggle-right:before, -.@{fa-css-prefix}-caret-square-o-right:before { content: @fa-var-caret-square-o-right; } -.@{fa-css-prefix}-euro:before, -.@{fa-css-prefix}-eur:before { content: @fa-var-eur; } -.@{fa-css-prefix}-gbp:before { content: @fa-var-gbp; } -.@{fa-css-prefix}-dollar:before, -.@{fa-css-prefix}-usd:before { content: @fa-var-usd; } -.@{fa-css-prefix}-rupee:before, -.@{fa-css-prefix}-inr:before { content: @fa-var-inr; } -.@{fa-css-prefix}-cny:before, -.@{fa-css-prefix}-rmb:before, -.@{fa-css-prefix}-yen:before, -.@{fa-css-prefix}-jpy:before { content: @fa-var-jpy; } -.@{fa-css-prefix}-ruble:before, -.@{fa-css-prefix}-rouble:before, -.@{fa-css-prefix}-rub:before { content: @fa-var-rub; } -.@{fa-css-prefix}-won:before, -.@{fa-css-prefix}-krw:before { content: @fa-var-krw; } -.@{fa-css-prefix}-bitcoin:before, -.@{fa-css-prefix}-btc:before { content: @fa-var-btc; } -.@{fa-css-prefix}-file:before { content: @fa-var-file; } -.@{fa-css-prefix}-file-text:before { content: @fa-var-file-text; } -.@{fa-css-prefix}-sort-alpha-asc:before { content: @fa-var-sort-alpha-asc; } -.@{fa-css-prefix}-sort-alpha-desc:before { content: @fa-var-sort-alpha-desc; } -.@{fa-css-prefix}-sort-amount-asc:before { content: @fa-var-sort-amount-asc; } -.@{fa-css-prefix}-sort-amount-desc:before { content: @fa-var-sort-amount-desc; } -.@{fa-css-prefix}-sort-numeric-asc:before { content: @fa-var-sort-numeric-asc; } -.@{fa-css-prefix}-sort-numeric-desc:before { content: @fa-var-sort-numeric-desc; } -.@{fa-css-prefix}-thumbs-up:before { content: @fa-var-thumbs-up; } -.@{fa-css-prefix}-thumbs-down:before { content: @fa-var-thumbs-down; } -.@{fa-css-prefix}-youtube-square:before { content: @fa-var-youtube-square; } -.@{fa-css-prefix}-youtube:before { content: @fa-var-youtube; } -.@{fa-css-prefix}-xing:before { content: @fa-var-xing; } -.@{fa-css-prefix}-xing-square:before { content: @fa-var-xing-square; } -.@{fa-css-prefix}-youtube-play:before { content: @fa-var-youtube-play; } -.@{fa-css-prefix}-dropbox:before { content: @fa-var-dropbox; } -.@{fa-css-prefix}-stack-overflow:before { content: @fa-var-stack-overflow; } -.@{fa-css-prefix}-instagram:before { content: @fa-var-instagram; } -.@{fa-css-prefix}-flickr:before { content: @fa-var-flickr; } -.@{fa-css-prefix}-adn:before { content: @fa-var-adn; } -.@{fa-css-prefix}-bitbucket:before { content: @fa-var-bitbucket; } -.@{fa-css-prefix}-bitbucket-square:before { content: @fa-var-bitbucket-square; } -.@{fa-css-prefix}-tumblr:before { content: @fa-var-tumblr; } -.@{fa-css-prefix}-tumblr-square:before { content: @fa-var-tumblr-square; } -.@{fa-css-prefix}-long-arrow-down:before { content: @fa-var-long-arrow-down; } -.@{fa-css-prefix}-long-arrow-up:before { content: @fa-var-long-arrow-up; } -.@{fa-css-prefix}-long-arrow-left:before { content: @fa-var-long-arrow-left; } -.@{fa-css-prefix}-long-arrow-right:before { content: @fa-var-long-arrow-right; } -.@{fa-css-prefix}-apple:before { content: @fa-var-apple; } -.@{fa-css-prefix}-windows:before { content: @fa-var-windows; } -.@{fa-css-prefix}-android:before { content: @fa-var-android; } -.@{fa-css-prefix}-linux:before { content: @fa-var-linux; } -.@{fa-css-prefix}-dribbble:before { content: @fa-var-dribbble; } -.@{fa-css-prefix}-skype:before { content: @fa-var-skype; } -.@{fa-css-prefix}-foursquare:before { content: @fa-var-foursquare; } -.@{fa-css-prefix}-trello:before { content: @fa-var-trello; } -.@{fa-css-prefix}-female:before { content: @fa-var-female; } -.@{fa-css-prefix}-male:before { content: @fa-var-male; } -.@{fa-css-prefix}-gittip:before, -.@{fa-css-prefix}-gratipay:before { content: @fa-var-gratipay; } -.@{fa-css-prefix}-sun-o:before { content: @fa-var-sun-o; } -.@{fa-css-prefix}-moon-o:before { content: @fa-var-moon-o; } -.@{fa-css-prefix}-archive:before { content: @fa-var-archive; } -.@{fa-css-prefix}-bug:before { content: @fa-var-bug; } -.@{fa-css-prefix}-vk:before { content: @fa-var-vk; } -.@{fa-css-prefix}-weibo:before { content: @fa-var-weibo; } -.@{fa-css-prefix}-renren:before { content: @fa-var-renren; } -.@{fa-css-prefix}-pagelines:before { content: @fa-var-pagelines; } -.@{fa-css-prefix}-stack-exchange:before { content: @fa-var-stack-exchange; } -.@{fa-css-prefix}-arrow-circle-o-right:before { content: @fa-var-arrow-circle-o-right; } -.@{fa-css-prefix}-arrow-circle-o-left:before { content: @fa-var-arrow-circle-o-left; } -.@{fa-css-prefix}-toggle-left:before, -.@{fa-css-prefix}-caret-square-o-left:before { content: @fa-var-caret-square-o-left; } -.@{fa-css-prefix}-dot-circle-o:before { content: @fa-var-dot-circle-o; } -.@{fa-css-prefix}-wheelchair:before { content: @fa-var-wheelchair; } -.@{fa-css-prefix}-vimeo-square:before { content: @fa-var-vimeo-square; } -.@{fa-css-prefix}-turkish-lira:before, -.@{fa-css-prefix}-try:before { content: @fa-var-try; } -.@{fa-css-prefix}-plus-square-o:before { content: @fa-var-plus-square-o; } -.@{fa-css-prefix}-space-shuttle:before { content: @fa-var-space-shuttle; } -.@{fa-css-prefix}-slack:before { content: @fa-var-slack; } -.@{fa-css-prefix}-envelope-square:before { content: @fa-var-envelope-square; } -.@{fa-css-prefix}-wordpress:before { content: @fa-var-wordpress; } -.@{fa-css-prefix}-openid:before { content: @fa-var-openid; } -.@{fa-css-prefix}-institution:before, -.@{fa-css-prefix}-bank:before, -.@{fa-css-prefix}-university:before { content: @fa-var-university; } -.@{fa-css-prefix}-mortar-board:before, -.@{fa-css-prefix}-graduation-cap:before { content: @fa-var-graduation-cap; } -.@{fa-css-prefix}-yahoo:before { content: @fa-var-yahoo; } -.@{fa-css-prefix}-google:before { content: @fa-var-google; } -.@{fa-css-prefix}-reddit:before { content: @fa-var-reddit; } -.@{fa-css-prefix}-reddit-square:before { content: @fa-var-reddit-square; } -.@{fa-css-prefix}-stumbleupon-circle:before { content: @fa-var-stumbleupon-circle; } -.@{fa-css-prefix}-stumbleupon:before { content: @fa-var-stumbleupon; } -.@{fa-css-prefix}-delicious:before { content: @fa-var-delicious; } -.@{fa-css-prefix}-digg:before { content: @fa-var-digg; } -.@{fa-css-prefix}-pied-piper:before { content: @fa-var-pied-piper; } -.@{fa-css-prefix}-pied-piper-alt:before { content: @fa-var-pied-piper-alt; } -.@{fa-css-prefix}-drupal:before { content: @fa-var-drupal; } -.@{fa-css-prefix}-joomla:before { content: @fa-var-joomla; } -.@{fa-css-prefix}-language:before { content: @fa-var-language; } -.@{fa-css-prefix}-fax:before { content: @fa-var-fax; } -.@{fa-css-prefix}-building:before { content: @fa-var-building; } -.@{fa-css-prefix}-child:before { content: @fa-var-child; } -.@{fa-css-prefix}-paw:before { content: @fa-var-paw; } -.@{fa-css-prefix}-spoon:before { content: @fa-var-spoon; } -.@{fa-css-prefix}-cube:before { content: @fa-var-cube; } -.@{fa-css-prefix}-cubes:before { content: @fa-var-cubes; } -.@{fa-css-prefix}-behance:before { content: @fa-var-behance; } -.@{fa-css-prefix}-behance-square:before { content: @fa-var-behance-square; } -.@{fa-css-prefix}-steam:before { content: @fa-var-steam; } -.@{fa-css-prefix}-steam-square:before { content: @fa-var-steam-square; } -.@{fa-css-prefix}-recycle:before { content: @fa-var-recycle; } -.@{fa-css-prefix}-automobile:before, -.@{fa-css-prefix}-car:before { content: @fa-var-car; } -.@{fa-css-prefix}-cab:before, -.@{fa-css-prefix}-taxi:before { content: @fa-var-taxi; } -.@{fa-css-prefix}-tree:before { content: @fa-var-tree; } -.@{fa-css-prefix}-spotify:before { content: @fa-var-spotify; } -.@{fa-css-prefix}-deviantart:before { content: @fa-var-deviantart; } -.@{fa-css-prefix}-soundcloud:before { content: @fa-var-soundcloud; } -.@{fa-css-prefix}-database:before { content: @fa-var-database; } -.@{fa-css-prefix}-file-pdf-o:before { content: @fa-var-file-pdf-o; } -.@{fa-css-prefix}-file-word-o:before { content: @fa-var-file-word-o; } -.@{fa-css-prefix}-file-excel-o:before { content: @fa-var-file-excel-o; } -.@{fa-css-prefix}-file-powerpoint-o:before { content: @fa-var-file-powerpoint-o; } -.@{fa-css-prefix}-file-photo-o:before, -.@{fa-css-prefix}-file-picture-o:before, -.@{fa-css-prefix}-file-image-o:before { content: @fa-var-file-image-o; } -.@{fa-css-prefix}-file-zip-o:before, -.@{fa-css-prefix}-file-archive-o:before { content: @fa-var-file-archive-o; } -.@{fa-css-prefix}-file-sound-o:before, -.@{fa-css-prefix}-file-audio-o:before { content: @fa-var-file-audio-o; } -.@{fa-css-prefix}-file-movie-o:before, -.@{fa-css-prefix}-file-video-o:before { content: @fa-var-file-video-o; } -.@{fa-css-prefix}-file-code-o:before { content: @fa-var-file-code-o; } -.@{fa-css-prefix}-vine:before { content: @fa-var-vine; } -.@{fa-css-prefix}-codepen:before { content: @fa-var-codepen; } -.@{fa-css-prefix}-jsfiddle:before { content: @fa-var-jsfiddle; } -.@{fa-css-prefix}-life-bouy:before, -.@{fa-css-prefix}-life-buoy:before, -.@{fa-css-prefix}-life-saver:before, -.@{fa-css-prefix}-support:before, -.@{fa-css-prefix}-life-ring:before { content: @fa-var-life-ring; } -.@{fa-css-prefix}-circle-o-notch:before { content: @fa-var-circle-o-notch; } -.@{fa-css-prefix}-ra:before, -.@{fa-css-prefix}-rebel:before { content: @fa-var-rebel; } -.@{fa-css-prefix}-ge:before, -.@{fa-css-prefix}-empire:before { content: @fa-var-empire; } -.@{fa-css-prefix}-git-square:before { content: @fa-var-git-square; } -.@{fa-css-prefix}-git:before { content: @fa-var-git; } -.@{fa-css-prefix}-y-combinator-square:before, -.@{fa-css-prefix}-yc-square:before, -.@{fa-css-prefix}-hacker-news:before { content: @fa-var-hacker-news; } -.@{fa-css-prefix}-tencent-weibo:before { content: @fa-var-tencent-weibo; } -.@{fa-css-prefix}-qq:before { content: @fa-var-qq; } -.@{fa-css-prefix}-wechat:before, -.@{fa-css-prefix}-weixin:before { content: @fa-var-weixin; } -.@{fa-css-prefix}-send:before, -.@{fa-css-prefix}-paper-plane:before { content: @fa-var-paper-plane; } -.@{fa-css-prefix}-send-o:before, -.@{fa-css-prefix}-paper-plane-o:before { content: @fa-var-paper-plane-o; } -.@{fa-css-prefix}-history:before { content: @fa-var-history; } -.@{fa-css-prefix}-circle-thin:before { content: @fa-var-circle-thin; } -.@{fa-css-prefix}-header:before { content: @fa-var-header; } -.@{fa-css-prefix}-paragraph:before { content: @fa-var-paragraph; } -.@{fa-css-prefix}-sliders:before { content: @fa-var-sliders; } -.@{fa-css-prefix}-share-alt:before { content: @fa-var-share-alt; } -.@{fa-css-prefix}-share-alt-square:before { content: @fa-var-share-alt-square; } -.@{fa-css-prefix}-bomb:before { content: @fa-var-bomb; } -.@{fa-css-prefix}-soccer-ball-o:before, -.@{fa-css-prefix}-futbol-o:before { content: @fa-var-futbol-o; } -.@{fa-css-prefix}-tty:before { content: @fa-var-tty; } -.@{fa-css-prefix}-binoculars:before { content: @fa-var-binoculars; } -.@{fa-css-prefix}-plug:before { content: @fa-var-plug; } -.@{fa-css-prefix}-slideshare:before { content: @fa-var-slideshare; } -.@{fa-css-prefix}-twitch:before { content: @fa-var-twitch; } -.@{fa-css-prefix}-yelp:before { content: @fa-var-yelp; } -.@{fa-css-prefix}-newspaper-o:before { content: @fa-var-newspaper-o; } -.@{fa-css-prefix}-wifi:before { content: @fa-var-wifi; } -.@{fa-css-prefix}-calculator:before { content: @fa-var-calculator; } -.@{fa-css-prefix}-paypal:before { content: @fa-var-paypal; } -.@{fa-css-prefix}-google-wallet:before { content: @fa-var-google-wallet; } -.@{fa-css-prefix}-cc-visa:before { content: @fa-var-cc-visa; } -.@{fa-css-prefix}-cc-mastercard:before { content: @fa-var-cc-mastercard; } -.@{fa-css-prefix}-cc-discover:before { content: @fa-var-cc-discover; } -.@{fa-css-prefix}-cc-amex:before { content: @fa-var-cc-amex; } -.@{fa-css-prefix}-cc-paypal:before { content: @fa-var-cc-paypal; } -.@{fa-css-prefix}-cc-stripe:before { content: @fa-var-cc-stripe; } -.@{fa-css-prefix}-bell-slash:before { content: @fa-var-bell-slash; } -.@{fa-css-prefix}-bell-slash-o:before { content: @fa-var-bell-slash-o; } -.@{fa-css-prefix}-trash:before { content: @fa-var-trash; } -.@{fa-css-prefix}-copyright:before { content: @fa-var-copyright; } -.@{fa-css-prefix}-at:before { content: @fa-var-at; } -.@{fa-css-prefix}-eyedropper:before { content: @fa-var-eyedropper; } -.@{fa-css-prefix}-paint-brush:before { content: @fa-var-paint-brush; } -.@{fa-css-prefix}-birthday-cake:before { content: @fa-var-birthday-cake; } -.@{fa-css-prefix}-area-chart:before { content: @fa-var-area-chart; } -.@{fa-css-prefix}-pie-chart:before { content: @fa-var-pie-chart; } -.@{fa-css-prefix}-line-chart:before { content: @fa-var-line-chart; } -.@{fa-css-prefix}-lastfm:before { content: @fa-var-lastfm; } -.@{fa-css-prefix}-lastfm-square:before { content: @fa-var-lastfm-square; } -.@{fa-css-prefix}-toggle-off:before { content: @fa-var-toggle-off; } -.@{fa-css-prefix}-toggle-on:before { content: @fa-var-toggle-on; } -.@{fa-css-prefix}-bicycle:before { content: @fa-var-bicycle; } -.@{fa-css-prefix}-bus:before { content: @fa-var-bus; } -.@{fa-css-prefix}-ioxhost:before { content: @fa-var-ioxhost; } -.@{fa-css-prefix}-angellist:before { content: @fa-var-angellist; } -.@{fa-css-prefix}-cc:before { content: @fa-var-cc; } -.@{fa-css-prefix}-shekel:before, -.@{fa-css-prefix}-sheqel:before, -.@{fa-css-prefix}-ils:before { content: @fa-var-ils; } -.@{fa-css-prefix}-meanpath:before { content: @fa-var-meanpath; } -.@{fa-css-prefix}-buysellads:before { content: @fa-var-buysellads; } -.@{fa-css-prefix}-connectdevelop:before { content: @fa-var-connectdevelop; } -.@{fa-css-prefix}-dashcube:before { content: @fa-var-dashcube; } -.@{fa-css-prefix}-forumbee:before { content: @fa-var-forumbee; } -.@{fa-css-prefix}-leanpub:before { content: @fa-var-leanpub; } -.@{fa-css-prefix}-sellsy:before { content: @fa-var-sellsy; } -.@{fa-css-prefix}-shirtsinbulk:before { content: @fa-var-shirtsinbulk; } -.@{fa-css-prefix}-simplybuilt:before { content: @fa-var-simplybuilt; } -.@{fa-css-prefix}-skyatlas:before { content: @fa-var-skyatlas; } -.@{fa-css-prefix}-cart-plus:before { content: @fa-var-cart-plus; } -.@{fa-css-prefix}-cart-arrow-down:before { content: @fa-var-cart-arrow-down; } -.@{fa-css-prefix}-diamond:before { content: @fa-var-diamond; } -.@{fa-css-prefix}-ship:before { content: @fa-var-ship; } -.@{fa-css-prefix}-user-secret:before { content: @fa-var-user-secret; } -.@{fa-css-prefix}-motorcycle:before { content: @fa-var-motorcycle; } -.@{fa-css-prefix}-street-view:before { content: @fa-var-street-view; } -.@{fa-css-prefix}-heartbeat:before { content: @fa-var-heartbeat; } -.@{fa-css-prefix}-venus:before { content: @fa-var-venus; } -.@{fa-css-prefix}-mars:before { content: @fa-var-mars; } -.@{fa-css-prefix}-mercury:before { content: @fa-var-mercury; } -.@{fa-css-prefix}-intersex:before, -.@{fa-css-prefix}-transgender:before { content: @fa-var-transgender; } -.@{fa-css-prefix}-transgender-alt:before { content: @fa-var-transgender-alt; } -.@{fa-css-prefix}-venus-double:before { content: @fa-var-venus-double; } -.@{fa-css-prefix}-mars-double:before { content: @fa-var-mars-double; } -.@{fa-css-prefix}-venus-mars:before { content: @fa-var-venus-mars; } -.@{fa-css-prefix}-mars-stroke:before { content: @fa-var-mars-stroke; } -.@{fa-css-prefix}-mars-stroke-v:before { content: @fa-var-mars-stroke-v; } -.@{fa-css-prefix}-mars-stroke-h:before { content: @fa-var-mars-stroke-h; } -.@{fa-css-prefix}-neuter:before { content: @fa-var-neuter; } -.@{fa-css-prefix}-genderless:before { content: @fa-var-genderless; } -.@{fa-css-prefix}-facebook-official:before { content: @fa-var-facebook-official; } -.@{fa-css-prefix}-pinterest-p:before { content: @fa-var-pinterest-p; } -.@{fa-css-prefix}-whatsapp:before { content: @fa-var-whatsapp; } -.@{fa-css-prefix}-server:before { content: @fa-var-server; } -.@{fa-css-prefix}-user-plus:before { content: @fa-var-user-plus; } -.@{fa-css-prefix}-user-times:before { content: @fa-var-user-times; } -.@{fa-css-prefix}-hotel:before, -.@{fa-css-prefix}-bed:before { content: @fa-var-bed; } -.@{fa-css-prefix}-viacoin:before { content: @fa-var-viacoin; } -.@{fa-css-prefix}-train:before { content: @fa-var-train; } -.@{fa-css-prefix}-subway:before { content: @fa-var-subway; } -.@{fa-css-prefix}-medium:before { content: @fa-var-medium; } -.@{fa-css-prefix}-yc:before, -.@{fa-css-prefix}-y-combinator:before { content: @fa-var-y-combinator; } -.@{fa-css-prefix}-optin-monster:before { content: @fa-var-optin-monster; } -.@{fa-css-prefix}-opencart:before { content: @fa-var-opencart; } -.@{fa-css-prefix}-expeditedssl:before { content: @fa-var-expeditedssl; } -.@{fa-css-prefix}-battery-4:before, -.@{fa-css-prefix}-battery-full:before { content: @fa-var-battery-full; } -.@{fa-css-prefix}-battery-3:before, -.@{fa-css-prefix}-battery-three-quarters:before { content: @fa-var-battery-three-quarters; } -.@{fa-css-prefix}-battery-2:before, -.@{fa-css-prefix}-battery-half:before { content: @fa-var-battery-half; } -.@{fa-css-prefix}-battery-1:before, -.@{fa-css-prefix}-battery-quarter:before { content: @fa-var-battery-quarter; } -.@{fa-css-prefix}-battery-0:before, -.@{fa-css-prefix}-battery-empty:before { content: @fa-var-battery-empty; } -.@{fa-css-prefix}-mouse-pointer:before { content: @fa-var-mouse-pointer; } -.@{fa-css-prefix}-i-cursor:before { content: @fa-var-i-cursor; } -.@{fa-css-prefix}-object-group:before { content: @fa-var-object-group; } -.@{fa-css-prefix}-object-ungroup:before { content: @fa-var-object-ungroup; } -.@{fa-css-prefix}-sticky-note:before { content: @fa-var-sticky-note; } -.@{fa-css-prefix}-sticky-note-o:before { content: @fa-var-sticky-note-o; } -.@{fa-css-prefix}-cc-jcb:before { content: @fa-var-cc-jcb; } -.@{fa-css-prefix}-cc-diners-club:before { content: @fa-var-cc-diners-club; } -.@{fa-css-prefix}-clone:before { content: @fa-var-clone; } -.@{fa-css-prefix}-balance-scale:before { content: @fa-var-balance-scale; } -.@{fa-css-prefix}-hourglass-o:before { content: @fa-var-hourglass-o; } -.@{fa-css-prefix}-hourglass-1:before, -.@{fa-css-prefix}-hourglass-start:before { content: @fa-var-hourglass-start; } -.@{fa-css-prefix}-hourglass-2:before, -.@{fa-css-prefix}-hourglass-half:before { content: @fa-var-hourglass-half; } -.@{fa-css-prefix}-hourglass-3:before, -.@{fa-css-prefix}-hourglass-end:before { content: @fa-var-hourglass-end; } -.@{fa-css-prefix}-hourglass:before { content: @fa-var-hourglass; } -.@{fa-css-prefix}-hand-grab-o:before, -.@{fa-css-prefix}-hand-rock-o:before { content: @fa-var-hand-rock-o; } -.@{fa-css-prefix}-hand-stop-o:before, -.@{fa-css-prefix}-hand-paper-o:before { content: @fa-var-hand-paper-o; } -.@{fa-css-prefix}-hand-scissors-o:before { content: @fa-var-hand-scissors-o; } -.@{fa-css-prefix}-hand-lizard-o:before { content: @fa-var-hand-lizard-o; } -.@{fa-css-prefix}-hand-spock-o:before { content: @fa-var-hand-spock-o; } -.@{fa-css-prefix}-hand-pointer-o:before { content: @fa-var-hand-pointer-o; } -.@{fa-css-prefix}-hand-peace-o:before { content: @fa-var-hand-peace-o; } -.@{fa-css-prefix}-trademark:before { content: @fa-var-trademark; } -.@{fa-css-prefix}-registered:before { content: @fa-var-registered; } -.@{fa-css-prefix}-creative-commons:before { content: @fa-var-creative-commons; } -.@{fa-css-prefix}-gg:before { content: @fa-var-gg; } -.@{fa-css-prefix}-gg-circle:before { content: @fa-var-gg-circle; } -.@{fa-css-prefix}-tripadvisor:before { content: @fa-var-tripadvisor; } -.@{fa-css-prefix}-odnoklassniki:before { content: @fa-var-odnoklassniki; } -.@{fa-css-prefix}-odnoklassniki-square:before { content: @fa-var-odnoklassniki-square; } -.@{fa-css-prefix}-get-pocket:before { content: @fa-var-get-pocket; } -.@{fa-css-prefix}-wikipedia-w:before { content: @fa-var-wikipedia-w; } -.@{fa-css-prefix}-safari:before { content: @fa-var-safari; } -.@{fa-css-prefix}-chrome:before { content: @fa-var-chrome; } -.@{fa-css-prefix}-firefox:before { content: @fa-var-firefox; } -.@{fa-css-prefix}-opera:before { content: @fa-var-opera; } -.@{fa-css-prefix}-internet-explorer:before { content: @fa-var-internet-explorer; } -.@{fa-css-prefix}-tv:before, -.@{fa-css-prefix}-television:before { content: @fa-var-television; } -.@{fa-css-prefix}-contao:before { content: @fa-var-contao; } -.@{fa-css-prefix}-500px:before { content: @fa-var-500px; } -.@{fa-css-prefix}-amazon:before { content: @fa-var-amazon; } -.@{fa-css-prefix}-calendar-plus-o:before { content: @fa-var-calendar-plus-o; } -.@{fa-css-prefix}-calendar-minus-o:before { content: @fa-var-calendar-minus-o; } -.@{fa-css-prefix}-calendar-times-o:before { content: @fa-var-calendar-times-o; } -.@{fa-css-prefix}-calendar-check-o:before { content: @fa-var-calendar-check-o; } -.@{fa-css-prefix}-industry:before { content: @fa-var-industry; } -.@{fa-css-prefix}-map-pin:before { content: @fa-var-map-pin; } -.@{fa-css-prefix}-map-signs:before { content: @fa-var-map-signs; } -.@{fa-css-prefix}-map-o:before { content: @fa-var-map-o; } -.@{fa-css-prefix}-map:before { content: @fa-var-map; } -.@{fa-css-prefix}-commenting:before { content: @fa-var-commenting; } -.@{fa-css-prefix}-commenting-o:before { content: @fa-var-commenting-o; } -.@{fa-css-prefix}-houzz:before { content: @fa-var-houzz; } -.@{fa-css-prefix}-vimeo:before { content: @fa-var-vimeo; } -.@{fa-css-prefix}-black-tie:before { content: @fa-var-black-tie; } -.@{fa-css-prefix}-fonticons:before { content: @fa-var-fonticons; } -.@{fa-css-prefix}-reddit-alien:before { content: @fa-var-reddit-alien; } -.@{fa-css-prefix}-edge:before { content: @fa-var-edge; } -.@{fa-css-prefix}-credit-card-alt:before { content: @fa-var-credit-card-alt; } -.@{fa-css-prefix}-codiepie:before { content: @fa-var-codiepie; } -.@{fa-css-prefix}-modx:before { content: @fa-var-modx; } -.@{fa-css-prefix}-fort-awesome:before { content: @fa-var-fort-awesome; } -.@{fa-css-prefix}-usb:before { content: @fa-var-usb; } -.@{fa-css-prefix}-product-hunt:before { content: @fa-var-product-hunt; } -.@{fa-css-prefix}-mixcloud:before { content: @fa-var-mixcloud; } -.@{fa-css-prefix}-scribd:before { content: @fa-var-scribd; } -.@{fa-css-prefix}-pause-circle:before { content: @fa-var-pause-circle; } -.@{fa-css-prefix}-pause-circle-o:before { content: @fa-var-pause-circle-o; } -.@{fa-css-prefix}-stop-circle:before { content: @fa-var-stop-circle; } -.@{fa-css-prefix}-stop-circle-o:before { content: @fa-var-stop-circle-o; } -.@{fa-css-prefix}-shopping-bag:before { content: @fa-var-shopping-bag; } -.@{fa-css-prefix}-shopping-basket:before { content: @fa-var-shopping-basket; } -.@{fa-css-prefix}-hashtag:before { content: @fa-var-hashtag; } -.@{fa-css-prefix}-bluetooth:before { content: @fa-var-bluetooth; } -.@{fa-css-prefix}-bluetooth-b:before { content: @fa-var-bluetooth-b; } -.@{fa-css-prefix}-percent:before { content: @fa-var-percent; } -.@{fa-css-prefix}-gitlab:before { content: @fa-var-gitlab; } -.@{fa-css-prefix}-wpbeginner:before { content: @fa-var-wpbeginner; } -.@{fa-css-prefix}-wpforms:before { content: @fa-var-wpforms; } -.@{fa-css-prefix}-envira:before { content: @fa-var-envira; } -.@{fa-css-prefix}-universal-access:before { content: @fa-var-universal-access; } -.@{fa-css-prefix}-wheelchair-alt:before { content: @fa-var-wheelchair-alt; } -.@{fa-css-prefix}-question-circle-o:before { content: @fa-var-question-circle-o; } -.@{fa-css-prefix}-blind:before { content: @fa-var-blind; } -.@{fa-css-prefix}-audio-description:before { content: @fa-var-audio-description; } -.@{fa-css-prefix}-volume-control-phone:before { content: @fa-var-volume-control-phone; } -.@{fa-css-prefix}-braille:before { content: @fa-var-braille; } -.@{fa-css-prefix}-assistive-listening-systems:before { content: @fa-var-assistive-listening-systems; } -.@{fa-css-prefix}-asl-interpreting:before, -.@{fa-css-prefix}-american-sign-language-interpreting:before { content: @fa-var-american-sign-language-interpreting; } -.@{fa-css-prefix}-deafness:before, -.@{fa-css-prefix}-hard-of-hearing:before, -.@{fa-css-prefix}-deaf:before { content: @fa-var-deaf; } -.@{fa-css-prefix}-glide:before { content: @fa-var-glide; } -.@{fa-css-prefix}-glide-g:before { content: @fa-var-glide-g; } -.@{fa-css-prefix}-signing:before, -.@{fa-css-prefix}-sign-language:before { content: @fa-var-sign-language; } -.@{fa-css-prefix}-low-vision:before { content: @fa-var-low-vision; } -.@{fa-css-prefix}-viadeo:before { content: @fa-var-viadeo; } -.@{fa-css-prefix}-viadeo-square:before { content: @fa-var-viadeo-square; } -.@{fa-css-prefix}-snapchat:before { content: @fa-var-snapchat; } -.@{fa-css-prefix}-snapchat-ghost:before { content: @fa-var-snapchat-ghost; } -.@{fa-css-prefix}-snapchat-square:before { content: @fa-var-snapchat-square; } diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/larger.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/larger.less deleted file mode 100644 index c9d646770..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/larger.less +++ /dev/null @@ -1,13 +0,0 @@ -// Icon Sizes -// ------------------------- - -/* makes the font 33% larger relative to the icon container */ -.@{fa-css-prefix}-lg { - font-size: (4em / 3); - line-height: (3em / 4); - vertical-align: -15%; -} -.@{fa-css-prefix}-2x { font-size: 2em; } -.@{fa-css-prefix}-3x { font-size: 3em; } -.@{fa-css-prefix}-4x { font-size: 4em; } -.@{fa-css-prefix}-5x { font-size: 5em; } diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/list.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/list.less deleted file mode 100644 index 0b440382f..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/list.less +++ /dev/null @@ -1,19 +0,0 @@ -// List Icons -// ------------------------- - -.@{fa-css-prefix}-ul { - padding-left: 0; - margin-left: @fa-li-width; - list-style-type: none; - > li { position: relative; } -} -.@{fa-css-prefix}-li { - position: absolute; - left: -@fa-li-width; - width: @fa-li-width; - top: (2em / 14); - text-align: center; - &.@{fa-css-prefix}-lg { - left: (-@fa-li-width + (4em / 14)); - } -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/mixins.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/mixins.less deleted file mode 100644 index beef231d0..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/mixins.less +++ /dev/null @@ -1,60 +0,0 @@ -// Mixins -// -------------------------- - -.fa-icon() { - display: inline-block; - font: normal normal normal @fa-font-size-base/@fa-line-height-base FontAwesome; // shortening font declaration - font-size: inherit; // can't have font-size inherit on line above, so need to override - text-rendering: auto; // optimizelegibility throws things off #1094 - -webkit-font-smoothing: antialiased; - -moz-osx-font-smoothing: grayscale; - -} - -.fa-icon-rotate(@degrees, @rotation) { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=@{rotation})"; - -webkit-transform: rotate(@degrees); - -ms-transform: rotate(@degrees); - transform: rotate(@degrees); -} - -.fa-icon-flip(@horiz, @vert, @rotation) { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=@{rotation}, mirror=1)"; - -webkit-transform: scale(@horiz, @vert); - -ms-transform: scale(@horiz, @vert); - transform: scale(@horiz, @vert); -} - - -// Only display content to screen readers. A la Bootstrap 4. -// -// See: http://a11yproject.com/posts/how-to-hide-content/ - -.sr-only() { - position: absolute; - width: 1px; - height: 1px; - padding: 0; - margin: -1px; - overflow: hidden; - clip: rect(0,0,0,0); - border: 0; -} - -// Use in conjunction with .sr-only to only display content when it's focused. -// -// Useful for "Skip to main content" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1 -// -// Credit: HTML5 Boilerplate - -.sr-only-focusable() { - &:active, - &:focus { - position: static; - width: auto; - height: auto; - margin: 0; - overflow: visible; - clip: auto; - } -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/path.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/path.less deleted file mode 100644 index 835be41f8..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/path.less +++ /dev/null @@ -1,15 +0,0 @@ -/* FONT PATH - * -------------------------- */ - -@font-face { - font-family: 'FontAwesome'; - src: url('@{fa-font-path}/fontawesome-webfont.eot?v=@{fa-version}'); - src: url('@{fa-font-path}/fontawesome-webfont.eot?#iefix&v=@{fa-version}') format('embedded-opentype'), - url('@{fa-font-path}/fontawesome-webfont.woff2?v=@{fa-version}') format('woff2'), - url('@{fa-font-path}/fontawesome-webfont.woff?v=@{fa-version}') format('woff'), - url('@{fa-font-path}/fontawesome-webfont.ttf?v=@{fa-version}') format('truetype'), - url('@{fa-font-path}/fontawesome-webfont.svg?v=@{fa-version}#fontawesomeregular') format('svg'); - // src: url('@{fa-font-path}/FontAwesome.otf') format('opentype'); // used when developing fonts - font-weight: normal; - font-style: normal; -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/rotated-flipped.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/rotated-flipped.less deleted file mode 100644 index f6ba81475..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/rotated-flipped.less +++ /dev/null @@ -1,20 +0,0 @@ -// Rotated & Flipped Icons -// ------------------------- - -.@{fa-css-prefix}-rotate-90 { .fa-icon-rotate(90deg, 1); } -.@{fa-css-prefix}-rotate-180 { .fa-icon-rotate(180deg, 2); } -.@{fa-css-prefix}-rotate-270 { .fa-icon-rotate(270deg, 3); } - -.@{fa-css-prefix}-flip-horizontal { .fa-icon-flip(-1, 1, 0); } -.@{fa-css-prefix}-flip-vertical { .fa-icon-flip(1, -1, 2); } - -// Hook for IE8-9 -// ------------------------- - -:root .@{fa-css-prefix}-rotate-90, -:root .@{fa-css-prefix}-rotate-180, -:root .@{fa-css-prefix}-rotate-270, -:root .@{fa-css-prefix}-flip-horizontal, -:root .@{fa-css-prefix}-flip-vertical { - filter: none; -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/screen-reader.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/screen-reader.less deleted file mode 100644 index 11c188196..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/screen-reader.less +++ /dev/null @@ -1,5 +0,0 @@ -// Screen Readers -// ------------------------- - -.sr-only { .sr-only(); } -.sr-only-focusable { .sr-only-focusable(); } diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/stacked.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/stacked.less deleted file mode 100644 index fc53fb0e7..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/stacked.less +++ /dev/null @@ -1,20 +0,0 @@ -// Stacked Icons -// ------------------------- - -.@{fa-css-prefix}-stack { - position: relative; - display: inline-block; - width: 2em; - height: 2em; - line-height: 2em; - vertical-align: middle; -} -.@{fa-css-prefix}-stack-1x, .@{fa-css-prefix}-stack-2x { - position: absolute; - left: 0; - width: 100%; - text-align: center; -} -.@{fa-css-prefix}-stack-1x { line-height: inherit; } -.@{fa-css-prefix}-stack-2x { font-size: 2em; } -.@{fa-css-prefix}-inverse { color: @fa-inverse; } diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/less/variables.less b/iam-login-service/src/main/webapp/resources/font-awesome/less/variables.less deleted file mode 100644 index 8118e8f70..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/less/variables.less +++ /dev/null @@ -1,735 +0,0 @@ -// Variables -// -------------------------- - -@fa-font-path: "../fonts"; -@fa-font-size-base: 14px; -@fa-line-height-base: 1; -//@fa-font-path: "//netdna.bootstrapcdn.com/font-awesome/4.6.1/fonts"; // for referencing Bootstrap CDN font files directly -@fa-css-prefix: fa; -@fa-version: "4.6.1"; -@fa-border-color: #eee; -@fa-inverse: #fff; -@fa-li-width: (30em / 14); - -@fa-var-500px: "\f26e"; -@fa-var-adjust: "\f042"; -@fa-var-adn: "\f170"; -@fa-var-align-center: "\f037"; -@fa-var-align-justify: "\f039"; -@fa-var-align-left: "\f036"; -@fa-var-align-right: "\f038"; -@fa-var-amazon: "\f270"; -@fa-var-ambulance: "\f0f9"; -@fa-var-american-sign-language-interpreting: "\f2a3"; -@fa-var-anchor: "\f13d"; -@fa-var-android: "\f17b"; -@fa-var-angellist: "\f209"; -@fa-var-angle-double-down: "\f103"; -@fa-var-angle-double-left: "\f100"; -@fa-var-angle-double-right: "\f101"; -@fa-var-angle-double-up: "\f102"; -@fa-var-angle-down: "\f107"; -@fa-var-angle-left: "\f104"; -@fa-var-angle-right: "\f105"; -@fa-var-angle-up: "\f106"; -@fa-var-apple: "\f179"; -@fa-var-archive: "\f187"; -@fa-var-area-chart: "\f1fe"; -@fa-var-arrow-circle-down: "\f0ab"; -@fa-var-arrow-circle-left: "\f0a8"; -@fa-var-arrow-circle-o-down: "\f01a"; -@fa-var-arrow-circle-o-left: "\f190"; -@fa-var-arrow-circle-o-right: "\f18e"; -@fa-var-arrow-circle-o-up: "\f01b"; -@fa-var-arrow-circle-right: "\f0a9"; -@fa-var-arrow-circle-up: "\f0aa"; -@fa-var-arrow-down: "\f063"; -@fa-var-arrow-left: "\f060"; -@fa-var-arrow-right: "\f061"; -@fa-var-arrow-up: "\f062"; -@fa-var-arrows: "\f047"; -@fa-var-arrows-alt: "\f0b2"; -@fa-var-arrows-h: "\f07e"; -@fa-var-arrows-v: "\f07d"; -@fa-var-asl-interpreting: "\f2a3"; -@fa-var-assistive-listening-systems: "\f2a2"; -@fa-var-asterisk: "\f069"; -@fa-var-at: "\f1fa"; -@fa-var-audio-description: "\f29e"; -@fa-var-automobile: "\f1b9"; -@fa-var-backward: "\f04a"; -@fa-var-balance-scale: "\f24e"; -@fa-var-ban: "\f05e"; -@fa-var-bank: "\f19c"; -@fa-var-bar-chart: "\f080"; -@fa-var-bar-chart-o: "\f080"; -@fa-var-barcode: "\f02a"; -@fa-var-bars: "\f0c9"; -@fa-var-battery-0: "\f244"; -@fa-var-battery-1: "\f243"; -@fa-var-battery-2: "\f242"; -@fa-var-battery-3: "\f241"; -@fa-var-battery-4: "\f240"; -@fa-var-battery-empty: "\f244"; -@fa-var-battery-full: "\f240"; -@fa-var-battery-half: "\f242"; -@fa-var-battery-quarter: "\f243"; -@fa-var-battery-three-quarters: "\f241"; -@fa-var-bed: "\f236"; -@fa-var-beer: "\f0fc"; -@fa-var-behance: "\f1b4"; -@fa-var-behance-square: "\f1b5"; -@fa-var-bell: "\f0f3"; -@fa-var-bell-o: "\f0a2"; -@fa-var-bell-slash: "\f1f6"; -@fa-var-bell-slash-o: "\f1f7"; -@fa-var-bicycle: "\f206"; -@fa-var-binoculars: "\f1e5"; -@fa-var-birthday-cake: "\f1fd"; -@fa-var-bitbucket: "\f171"; -@fa-var-bitbucket-square: "\f172"; -@fa-var-bitcoin: "\f15a"; -@fa-var-black-tie: "\f27e"; -@fa-var-blind: "\f29d"; -@fa-var-bluetooth: "\f293"; -@fa-var-bluetooth-b: "\f294"; -@fa-var-bold: "\f032"; -@fa-var-bolt: "\f0e7"; -@fa-var-bomb: "\f1e2"; -@fa-var-book: "\f02d"; -@fa-var-bookmark: "\f02e"; -@fa-var-bookmark-o: "\f097"; -@fa-var-braille: "\f2a1"; -@fa-var-briefcase: "\f0b1"; -@fa-var-btc: "\f15a"; -@fa-var-bug: "\f188"; -@fa-var-building: "\f1ad"; -@fa-var-building-o: "\f0f7"; -@fa-var-bullhorn: "\f0a1"; -@fa-var-bullseye: "\f140"; -@fa-var-bus: "\f207"; -@fa-var-buysellads: "\f20d"; -@fa-var-cab: "\f1ba"; -@fa-var-calculator: "\f1ec"; -@fa-var-calendar: "\f073"; -@fa-var-calendar-check-o: "\f274"; -@fa-var-calendar-minus-o: "\f272"; -@fa-var-calendar-o: "\f133"; -@fa-var-calendar-plus-o: "\f271"; -@fa-var-calendar-times-o: "\f273"; -@fa-var-camera: "\f030"; -@fa-var-camera-retro: "\f083"; -@fa-var-car: "\f1b9"; -@fa-var-caret-down: "\f0d7"; -@fa-var-caret-left: "\f0d9"; -@fa-var-caret-right: "\f0da"; -@fa-var-caret-square-o-down: "\f150"; -@fa-var-caret-square-o-left: "\f191"; -@fa-var-caret-square-o-right: "\f152"; -@fa-var-caret-square-o-up: "\f151"; -@fa-var-caret-up: "\f0d8"; -@fa-var-cart-arrow-down: "\f218"; -@fa-var-cart-plus: "\f217"; -@fa-var-cc: "\f20a"; -@fa-var-cc-amex: "\f1f3"; -@fa-var-cc-diners-club: "\f24c"; -@fa-var-cc-discover: "\f1f2"; -@fa-var-cc-jcb: "\f24b"; -@fa-var-cc-mastercard: "\f1f1"; -@fa-var-cc-paypal: "\f1f4"; -@fa-var-cc-stripe: "\f1f5"; -@fa-var-cc-visa: "\f1f0"; -@fa-var-certificate: "\f0a3"; -@fa-var-chain: "\f0c1"; -@fa-var-chain-broken: "\f127"; -@fa-var-check: "\f00c"; -@fa-var-check-circle: "\f058"; -@fa-var-check-circle-o: "\f05d"; -@fa-var-check-square: "\f14a"; -@fa-var-check-square-o: "\f046"; -@fa-var-chevron-circle-down: "\f13a"; -@fa-var-chevron-circle-left: "\f137"; -@fa-var-chevron-circle-right: "\f138"; -@fa-var-chevron-circle-up: "\f139"; -@fa-var-chevron-down: "\f078"; -@fa-var-chevron-left: "\f053"; -@fa-var-chevron-right: "\f054"; -@fa-var-chevron-up: "\f077"; -@fa-var-child: "\f1ae"; -@fa-var-chrome: "\f268"; -@fa-var-circle: "\f111"; -@fa-var-circle-o: "\f10c"; -@fa-var-circle-o-notch: "\f1ce"; -@fa-var-circle-thin: "\f1db"; -@fa-var-clipboard: "\f0ea"; -@fa-var-clock-o: "\f017"; -@fa-var-clone: "\f24d"; -@fa-var-close: "\f00d"; -@fa-var-cloud: "\f0c2"; -@fa-var-cloud-download: "\f0ed"; -@fa-var-cloud-upload: "\f0ee"; -@fa-var-cny: "\f157"; -@fa-var-code: "\f121"; -@fa-var-code-fork: "\f126"; -@fa-var-codepen: "\f1cb"; -@fa-var-codiepie: "\f284"; -@fa-var-coffee: "\f0f4"; -@fa-var-cog: "\f013"; -@fa-var-cogs: "\f085"; -@fa-var-columns: "\f0db"; -@fa-var-comment: "\f075"; -@fa-var-comment-o: "\f0e5"; -@fa-var-commenting: "\f27a"; -@fa-var-commenting-o: "\f27b"; -@fa-var-comments: "\f086"; -@fa-var-comments-o: "\f0e6"; -@fa-var-compass: "\f14e"; -@fa-var-compress: "\f066"; -@fa-var-connectdevelop: "\f20e"; -@fa-var-contao: "\f26d"; -@fa-var-copy: "\f0c5"; -@fa-var-copyright: "\f1f9"; -@fa-var-creative-commons: "\f25e"; -@fa-var-credit-card: "\f09d"; -@fa-var-credit-card-alt: "\f283"; -@fa-var-crop: "\f125"; -@fa-var-crosshairs: "\f05b"; -@fa-var-css3: "\f13c"; -@fa-var-cube: "\f1b2"; -@fa-var-cubes: "\f1b3"; -@fa-var-cut: "\f0c4"; -@fa-var-cutlery: "\f0f5"; -@fa-var-dashboard: "\f0e4"; -@fa-var-dashcube: "\f210"; -@fa-var-database: "\f1c0"; -@fa-var-deaf: "\f2a4"; -@fa-var-deafness: "\f2a4"; -@fa-var-dedent: "\f03b"; -@fa-var-delicious: "\f1a5"; -@fa-var-desktop: "\f108"; -@fa-var-deviantart: "\f1bd"; -@fa-var-diamond: "\f219"; -@fa-var-digg: "\f1a6"; -@fa-var-dollar: "\f155"; -@fa-var-dot-circle-o: "\f192"; -@fa-var-download: "\f019"; -@fa-var-dribbble: "\f17d"; -@fa-var-dropbox: "\f16b"; -@fa-var-drupal: "\f1a9"; -@fa-var-edge: "\f282"; -@fa-var-edit: "\f044"; -@fa-var-eject: "\f052"; -@fa-var-ellipsis-h: "\f141"; -@fa-var-ellipsis-v: "\f142"; -@fa-var-empire: "\f1d1"; -@fa-var-envelope: "\f0e0"; -@fa-var-envelope-o: "\f003"; -@fa-var-envelope-square: "\f199"; -@fa-var-envira: "\f299"; -@fa-var-eraser: "\f12d"; -@fa-var-eur: "\f153"; -@fa-var-euro: "\f153"; -@fa-var-exchange: "\f0ec"; -@fa-var-exclamation: "\f12a"; -@fa-var-exclamation-circle: "\f06a"; -@fa-var-exclamation-triangle: "\f071"; -@fa-var-expand: "\f065"; -@fa-var-expeditedssl: "\f23e"; -@fa-var-external-link: "\f08e"; -@fa-var-external-link-square: "\f14c"; -@fa-var-eye: "\f06e"; -@fa-var-eye-slash: "\f070"; -@fa-var-eyedropper: "\f1fb"; -@fa-var-facebook: "\f09a"; -@fa-var-facebook-f: "\f09a"; -@fa-var-facebook-official: "\f230"; -@fa-var-facebook-square: "\f082"; -@fa-var-fast-backward: "\f049"; -@fa-var-fast-forward: "\f050"; -@fa-var-fax: "\f1ac"; -@fa-var-feed: "\f09e"; -@fa-var-female: "\f182"; -@fa-var-fighter-jet: "\f0fb"; -@fa-var-file: "\f15b"; -@fa-var-file-archive-o: "\f1c6"; -@fa-var-file-audio-o: "\f1c7"; -@fa-var-file-code-o: "\f1c9"; -@fa-var-file-excel-o: "\f1c3"; -@fa-var-file-image-o: "\f1c5"; -@fa-var-file-movie-o: "\f1c8"; -@fa-var-file-o: "\f016"; -@fa-var-file-pdf-o: "\f1c1"; -@fa-var-file-photo-o: "\f1c5"; -@fa-var-file-picture-o: "\f1c5"; -@fa-var-file-powerpoint-o: "\f1c4"; -@fa-var-file-sound-o: "\f1c7"; -@fa-var-file-text: "\f15c"; -@fa-var-file-text-o: "\f0f6"; -@fa-var-file-video-o: "\f1c8"; -@fa-var-file-word-o: "\f1c2"; -@fa-var-file-zip-o: "\f1c6"; -@fa-var-files-o: "\f0c5"; -@fa-var-film: "\f008"; -@fa-var-filter: "\f0b0"; -@fa-var-fire: "\f06d"; -@fa-var-fire-extinguisher: "\f134"; -@fa-var-firefox: "\f269"; -@fa-var-flag: "\f024"; -@fa-var-flag-checkered: "\f11e"; -@fa-var-flag-o: "\f11d"; -@fa-var-flash: "\f0e7"; -@fa-var-flask: "\f0c3"; -@fa-var-flickr: "\f16e"; -@fa-var-floppy-o: "\f0c7"; -@fa-var-folder: "\f07b"; -@fa-var-folder-o: "\f114"; -@fa-var-folder-open: "\f07c"; -@fa-var-folder-open-o: "\f115"; -@fa-var-font: "\f031"; -@fa-var-fonticons: "\f280"; -@fa-var-fort-awesome: "\f286"; -@fa-var-forumbee: "\f211"; -@fa-var-forward: "\f04e"; -@fa-var-foursquare: "\f180"; -@fa-var-frown-o: "\f119"; -@fa-var-futbol-o: "\f1e3"; -@fa-var-gamepad: "\f11b"; -@fa-var-gavel: "\f0e3"; -@fa-var-gbp: "\f154"; -@fa-var-ge: "\f1d1"; -@fa-var-gear: "\f013"; -@fa-var-gears: "\f085"; -@fa-var-genderless: "\f22d"; -@fa-var-get-pocket: "\f265"; -@fa-var-gg: "\f260"; -@fa-var-gg-circle: "\f261"; -@fa-var-gift: "\f06b"; -@fa-var-git: "\f1d3"; -@fa-var-git-square: "\f1d2"; -@fa-var-github: "\f09b"; -@fa-var-github-alt: "\f113"; -@fa-var-github-square: "\f092"; -@fa-var-gitlab: "\f296"; -@fa-var-gittip: "\f184"; -@fa-var-glass: "\f000"; -@fa-var-glide: "\f2a5"; -@fa-var-glide-g: "\f2a6"; -@fa-var-globe: "\f0ac"; -@fa-var-google: "\f1a0"; -@fa-var-google-plus: "\f0d5"; -@fa-var-google-plus-square: "\f0d4"; -@fa-var-google-wallet: "\f1ee"; -@fa-var-graduation-cap: "\f19d"; -@fa-var-gratipay: "\f184"; -@fa-var-group: "\f0c0"; -@fa-var-h-square: "\f0fd"; -@fa-var-hacker-news: "\f1d4"; -@fa-var-hand-grab-o: "\f255"; -@fa-var-hand-lizard-o: "\f258"; -@fa-var-hand-o-down: "\f0a7"; -@fa-var-hand-o-left: "\f0a5"; -@fa-var-hand-o-right: "\f0a4"; -@fa-var-hand-o-up: "\f0a6"; -@fa-var-hand-paper-o: "\f256"; -@fa-var-hand-peace-o: "\f25b"; -@fa-var-hand-pointer-o: "\f25a"; -@fa-var-hand-rock-o: "\f255"; -@fa-var-hand-scissors-o: "\f257"; -@fa-var-hand-spock-o: "\f259"; -@fa-var-hand-stop-o: "\f256"; -@fa-var-hard-of-hearing: "\f2a4"; -@fa-var-hashtag: "\f292"; -@fa-var-hdd-o: "\f0a0"; -@fa-var-header: "\f1dc"; -@fa-var-headphones: "\f025"; -@fa-var-heart: "\f004"; -@fa-var-heart-o: "\f08a"; -@fa-var-heartbeat: "\f21e"; -@fa-var-history: "\f1da"; -@fa-var-home: "\f015"; -@fa-var-hospital-o: "\f0f8"; -@fa-var-hotel: "\f236"; -@fa-var-hourglass: "\f254"; -@fa-var-hourglass-1: "\f251"; -@fa-var-hourglass-2: "\f252"; -@fa-var-hourglass-3: "\f253"; -@fa-var-hourglass-end: "\f253"; -@fa-var-hourglass-half: "\f252"; -@fa-var-hourglass-o: "\f250"; -@fa-var-hourglass-start: "\f251"; -@fa-var-houzz: "\f27c"; -@fa-var-html5: "\f13b"; -@fa-var-i-cursor: "\f246"; -@fa-var-ils: "\f20b"; -@fa-var-image: "\f03e"; -@fa-var-inbox: "\f01c"; -@fa-var-indent: "\f03c"; -@fa-var-industry: "\f275"; -@fa-var-info: "\f129"; -@fa-var-info-circle: "\f05a"; -@fa-var-inr: "\f156"; -@fa-var-instagram: "\f16d"; -@fa-var-institution: "\f19c"; -@fa-var-internet-explorer: "\f26b"; -@fa-var-intersex: "\f224"; -@fa-var-ioxhost: "\f208"; -@fa-var-italic: "\f033"; -@fa-var-joomla: "\f1aa"; -@fa-var-jpy: "\f157"; -@fa-var-jsfiddle: "\f1cc"; -@fa-var-key: "\f084"; -@fa-var-keyboard-o: "\f11c"; -@fa-var-krw: "\f159"; -@fa-var-language: "\f1ab"; -@fa-var-laptop: "\f109"; -@fa-var-lastfm: "\f202"; -@fa-var-lastfm-square: "\f203"; -@fa-var-leaf: "\f06c"; -@fa-var-leanpub: "\f212"; -@fa-var-legal: "\f0e3"; -@fa-var-lemon-o: "\f094"; -@fa-var-level-down: "\f149"; -@fa-var-level-up: "\f148"; -@fa-var-life-bouy: "\f1cd"; -@fa-var-life-buoy: "\f1cd"; -@fa-var-life-ring: "\f1cd"; -@fa-var-life-saver: "\f1cd"; -@fa-var-lightbulb-o: "\f0eb"; -@fa-var-line-chart: "\f201"; -@fa-var-link: "\f0c1"; -@fa-var-linkedin: "\f0e1"; -@fa-var-linkedin-square: "\f08c"; -@fa-var-linux: "\f17c"; -@fa-var-list: "\f03a"; -@fa-var-list-alt: "\f022"; -@fa-var-list-ol: "\f0cb"; -@fa-var-list-ul: "\f0ca"; -@fa-var-location-arrow: "\f124"; -@fa-var-lock: "\f023"; -@fa-var-long-arrow-down: "\f175"; -@fa-var-long-arrow-left: "\f177"; -@fa-var-long-arrow-right: "\f178"; -@fa-var-long-arrow-up: "\f176"; -@fa-var-low-vision: "\f2a8"; -@fa-var-magic: "\f0d0"; -@fa-var-magnet: "\f076"; -@fa-var-mail-forward: "\f064"; -@fa-var-mail-reply: "\f112"; -@fa-var-mail-reply-all: "\f122"; -@fa-var-male: "\f183"; -@fa-var-map: "\f279"; -@fa-var-map-marker: "\f041"; -@fa-var-map-o: "\f278"; -@fa-var-map-pin: "\f276"; -@fa-var-map-signs: "\f277"; -@fa-var-mars: "\f222"; -@fa-var-mars-double: "\f227"; -@fa-var-mars-stroke: "\f229"; -@fa-var-mars-stroke-h: "\f22b"; -@fa-var-mars-stroke-v: "\f22a"; -@fa-var-maxcdn: "\f136"; -@fa-var-meanpath: "\f20c"; -@fa-var-medium: "\f23a"; -@fa-var-medkit: "\f0fa"; -@fa-var-meh-o: "\f11a"; -@fa-var-mercury: "\f223"; -@fa-var-microphone: "\f130"; -@fa-var-microphone-slash: "\f131"; -@fa-var-minus: "\f068"; -@fa-var-minus-circle: "\f056"; -@fa-var-minus-square: "\f146"; -@fa-var-minus-square-o: "\f147"; -@fa-var-mixcloud: "\f289"; -@fa-var-mobile: "\f10b"; -@fa-var-mobile-phone: "\f10b"; -@fa-var-modx: "\f285"; -@fa-var-money: "\f0d6"; -@fa-var-moon-o: "\f186"; -@fa-var-mortar-board: "\f19d"; -@fa-var-motorcycle: "\f21c"; -@fa-var-mouse-pointer: "\f245"; -@fa-var-music: "\f001"; -@fa-var-navicon: "\f0c9"; -@fa-var-neuter: "\f22c"; -@fa-var-newspaper-o: "\f1ea"; -@fa-var-object-group: "\f247"; -@fa-var-object-ungroup: "\f248"; -@fa-var-odnoklassniki: "\f263"; -@fa-var-odnoklassniki-square: "\f264"; -@fa-var-opencart: "\f23d"; -@fa-var-openid: "\f19b"; -@fa-var-opera: "\f26a"; -@fa-var-optin-monster: "\f23c"; -@fa-var-outdent: "\f03b"; -@fa-var-pagelines: "\f18c"; -@fa-var-paint-brush: "\f1fc"; -@fa-var-paper-plane: "\f1d8"; -@fa-var-paper-plane-o: "\f1d9"; -@fa-var-paperclip: "\f0c6"; -@fa-var-paragraph: "\f1dd"; -@fa-var-paste: "\f0ea"; -@fa-var-pause: "\f04c"; -@fa-var-pause-circle: "\f28b"; -@fa-var-pause-circle-o: "\f28c"; -@fa-var-paw: "\f1b0"; -@fa-var-paypal: "\f1ed"; -@fa-var-pencil: "\f040"; -@fa-var-pencil-square: "\f14b"; -@fa-var-pencil-square-o: "\f044"; -@fa-var-percent: "\f295"; -@fa-var-phone: "\f095"; -@fa-var-phone-square: "\f098"; -@fa-var-photo: "\f03e"; -@fa-var-picture-o: "\f03e"; -@fa-var-pie-chart: "\f200"; -@fa-var-pied-piper: "\f1a7"; -@fa-var-pied-piper-alt: "\f1a8"; -@fa-var-pinterest: "\f0d2"; -@fa-var-pinterest-p: "\f231"; -@fa-var-pinterest-square: "\f0d3"; -@fa-var-plane: "\f072"; -@fa-var-play: "\f04b"; -@fa-var-play-circle: "\f144"; -@fa-var-play-circle-o: "\f01d"; -@fa-var-plug: "\f1e6"; -@fa-var-plus: "\f067"; -@fa-var-plus-circle: "\f055"; -@fa-var-plus-square: "\f0fe"; -@fa-var-plus-square-o: "\f196"; -@fa-var-power-off: "\f011"; -@fa-var-print: "\f02f"; -@fa-var-product-hunt: "\f288"; -@fa-var-puzzle-piece: "\f12e"; -@fa-var-qq: "\f1d6"; -@fa-var-qrcode: "\f029"; -@fa-var-question: "\f128"; -@fa-var-question-circle: "\f059"; -@fa-var-question-circle-o: "\f29c"; -@fa-var-quote-left: "\f10d"; -@fa-var-quote-right: "\f10e"; -@fa-var-ra: "\f1d0"; -@fa-var-random: "\f074"; -@fa-var-rebel: "\f1d0"; -@fa-var-recycle: "\f1b8"; -@fa-var-reddit: "\f1a1"; -@fa-var-reddit-alien: "\f281"; -@fa-var-reddit-square: "\f1a2"; -@fa-var-refresh: "\f021"; -@fa-var-registered: "\f25d"; -@fa-var-remove: "\f00d"; -@fa-var-renren: "\f18b"; -@fa-var-reorder: "\f0c9"; -@fa-var-repeat: "\f01e"; -@fa-var-reply: "\f112"; -@fa-var-reply-all: "\f122"; -@fa-var-retweet: "\f079"; -@fa-var-rmb: "\f157"; -@fa-var-road: "\f018"; -@fa-var-rocket: "\f135"; -@fa-var-rotate-left: "\f0e2"; -@fa-var-rotate-right: "\f01e"; -@fa-var-rouble: "\f158"; -@fa-var-rss: "\f09e"; -@fa-var-rss-square: "\f143"; -@fa-var-rub: "\f158"; -@fa-var-ruble: "\f158"; -@fa-var-rupee: "\f156"; -@fa-var-safari: "\f267"; -@fa-var-save: "\f0c7"; -@fa-var-scissors: "\f0c4"; -@fa-var-scribd: "\f28a"; -@fa-var-search: "\f002"; -@fa-var-search-minus: "\f010"; -@fa-var-search-plus: "\f00e"; -@fa-var-sellsy: "\f213"; -@fa-var-send: "\f1d8"; -@fa-var-send-o: "\f1d9"; -@fa-var-server: "\f233"; -@fa-var-share: "\f064"; -@fa-var-share-alt: "\f1e0"; -@fa-var-share-alt-square: "\f1e1"; -@fa-var-share-square: "\f14d"; -@fa-var-share-square-o: "\f045"; -@fa-var-shekel: "\f20b"; -@fa-var-sheqel: "\f20b"; -@fa-var-shield: "\f132"; -@fa-var-ship: "\f21a"; -@fa-var-shirtsinbulk: "\f214"; -@fa-var-shopping-bag: "\f290"; -@fa-var-shopping-basket: "\f291"; -@fa-var-shopping-cart: "\f07a"; -@fa-var-sign-in: "\f090"; -@fa-var-sign-language: "\f2a7"; -@fa-var-sign-out: "\f08b"; -@fa-var-signal: "\f012"; -@fa-var-signing: "\f2a7"; -@fa-var-simplybuilt: "\f215"; -@fa-var-sitemap: "\f0e8"; -@fa-var-skyatlas: "\f216"; -@fa-var-skype: "\f17e"; -@fa-var-slack: "\f198"; -@fa-var-sliders: "\f1de"; -@fa-var-slideshare: "\f1e7"; -@fa-var-smile-o: "\f118"; -@fa-var-snapchat: "\f2ab"; -@fa-var-snapchat-ghost: "\f2ac"; -@fa-var-snapchat-square: "\f2ad"; -@fa-var-soccer-ball-o: "\f1e3"; -@fa-var-sort: "\f0dc"; -@fa-var-sort-alpha-asc: "\f15d"; -@fa-var-sort-alpha-desc: "\f15e"; -@fa-var-sort-amount-asc: "\f160"; -@fa-var-sort-amount-desc: "\f161"; -@fa-var-sort-asc: "\f0de"; -@fa-var-sort-desc: "\f0dd"; -@fa-var-sort-down: "\f0dd"; -@fa-var-sort-numeric-asc: "\f162"; -@fa-var-sort-numeric-desc: "\f163"; -@fa-var-sort-up: "\f0de"; -@fa-var-soundcloud: "\f1be"; -@fa-var-space-shuttle: "\f197"; -@fa-var-spinner: "\f110"; -@fa-var-spoon: "\f1b1"; -@fa-var-spotify: "\f1bc"; -@fa-var-square: "\f0c8"; -@fa-var-square-o: "\f096"; -@fa-var-stack-exchange: "\f18d"; -@fa-var-stack-overflow: "\f16c"; -@fa-var-star: "\f005"; -@fa-var-star-half: "\f089"; -@fa-var-star-half-empty: "\f123"; -@fa-var-star-half-full: "\f123"; -@fa-var-star-half-o: "\f123"; -@fa-var-star-o: "\f006"; -@fa-var-steam: "\f1b6"; -@fa-var-steam-square: "\f1b7"; -@fa-var-step-backward: "\f048"; -@fa-var-step-forward: "\f051"; -@fa-var-stethoscope: "\f0f1"; -@fa-var-sticky-note: "\f249"; -@fa-var-sticky-note-o: "\f24a"; -@fa-var-stop: "\f04d"; -@fa-var-stop-circle: "\f28d"; -@fa-var-stop-circle-o: "\f28e"; -@fa-var-street-view: "\f21d"; -@fa-var-strikethrough: "\f0cc"; -@fa-var-stumbleupon: "\f1a4"; -@fa-var-stumbleupon-circle: "\f1a3"; -@fa-var-subscript: "\f12c"; -@fa-var-subway: "\f239"; -@fa-var-suitcase: "\f0f2"; -@fa-var-sun-o: "\f185"; -@fa-var-superscript: "\f12b"; -@fa-var-support: "\f1cd"; -@fa-var-table: "\f0ce"; -@fa-var-tablet: "\f10a"; -@fa-var-tachometer: "\f0e4"; -@fa-var-tag: "\f02b"; -@fa-var-tags: "\f02c"; -@fa-var-tasks: "\f0ae"; -@fa-var-taxi: "\f1ba"; -@fa-var-television: "\f26c"; -@fa-var-tencent-weibo: "\f1d5"; -@fa-var-terminal: "\f120"; -@fa-var-text-height: "\f034"; -@fa-var-text-width: "\f035"; -@fa-var-th: "\f00a"; -@fa-var-th-large: "\f009"; -@fa-var-th-list: "\f00b"; -@fa-var-thumb-tack: "\f08d"; -@fa-var-thumbs-down: "\f165"; -@fa-var-thumbs-o-down: "\f088"; -@fa-var-thumbs-o-up: "\f087"; -@fa-var-thumbs-up: "\f164"; -@fa-var-ticket: "\f145"; -@fa-var-times: "\f00d"; -@fa-var-times-circle: "\f057"; -@fa-var-times-circle-o: "\f05c"; -@fa-var-tint: "\f043"; -@fa-var-toggle-down: "\f150"; -@fa-var-toggle-left: "\f191"; -@fa-var-toggle-off: "\f204"; -@fa-var-toggle-on: "\f205"; -@fa-var-toggle-right: "\f152"; -@fa-var-toggle-up: "\f151"; -@fa-var-trademark: "\f25c"; -@fa-var-train: "\f238"; -@fa-var-transgender: "\f224"; -@fa-var-transgender-alt: "\f225"; -@fa-var-trash: "\f1f8"; -@fa-var-trash-o: "\f014"; -@fa-var-tree: "\f1bb"; -@fa-var-trello: "\f181"; -@fa-var-tripadvisor: "\f262"; -@fa-var-trophy: "\f091"; -@fa-var-truck: "\f0d1"; -@fa-var-try: "\f195"; -@fa-var-tty: "\f1e4"; -@fa-var-tumblr: "\f173"; -@fa-var-tumblr-square: "\f174"; -@fa-var-turkish-lira: "\f195"; -@fa-var-tv: "\f26c"; -@fa-var-twitch: "\f1e8"; -@fa-var-twitter: "\f099"; -@fa-var-twitter-square: "\f081"; -@fa-var-umbrella: "\f0e9"; -@fa-var-underline: "\f0cd"; -@fa-var-undo: "\f0e2"; -@fa-var-universal-access: "\f29a"; -@fa-var-university: "\f19c"; -@fa-var-unlink: "\f127"; -@fa-var-unlock: "\f09c"; -@fa-var-unlock-alt: "\f13e"; -@fa-var-unsorted: "\f0dc"; -@fa-var-upload: "\f093"; -@fa-var-usb: "\f287"; -@fa-var-usd: "\f155"; -@fa-var-user: "\f007"; -@fa-var-user-md: "\f0f0"; -@fa-var-user-plus: "\f234"; -@fa-var-user-secret: "\f21b"; -@fa-var-user-times: "\f235"; -@fa-var-users: "\f0c0"; -@fa-var-venus: "\f221"; -@fa-var-venus-double: "\f226"; -@fa-var-venus-mars: "\f228"; -@fa-var-viacoin: "\f237"; -@fa-var-viadeo: "\f2a9"; -@fa-var-viadeo-square: "\f2aa"; -@fa-var-video-camera: "\f03d"; -@fa-var-vimeo: "\f27d"; -@fa-var-vimeo-square: "\f194"; -@fa-var-vine: "\f1ca"; -@fa-var-vk: "\f189"; -@fa-var-volume-control-phone: "\f2a0"; -@fa-var-volume-down: "\f027"; -@fa-var-volume-off: "\f026"; -@fa-var-volume-up: "\f028"; -@fa-var-warning: "\f071"; -@fa-var-wechat: "\f1d7"; -@fa-var-weibo: "\f18a"; -@fa-var-weixin: "\f1d7"; -@fa-var-whatsapp: "\f232"; -@fa-var-wheelchair: "\f193"; -@fa-var-wheelchair-alt: "\f29b"; -@fa-var-wifi: "\f1eb"; -@fa-var-wikipedia-w: "\f266"; -@fa-var-windows: "\f17a"; -@fa-var-won: "\f159"; -@fa-var-wordpress: "\f19a"; -@fa-var-wpbeginner: "\f297"; -@fa-var-wpforms: "\f298"; -@fa-var-wrench: "\f0ad"; -@fa-var-xing: "\f168"; -@fa-var-xing-square: "\f169"; -@fa-var-y-combinator: "\f23b"; -@fa-var-y-combinator-square: "\f1d4"; -@fa-var-yahoo: "\f19e"; -@fa-var-yc: "\f23b"; -@fa-var-yc-square: "\f1d4"; -@fa-var-yelp: "\f1e9"; -@fa-var-yen: "\f157"; -@fa-var-youtube: "\f167"; -@fa-var-youtube-play: "\f16a"; -@fa-var-youtube-square: "\f166"; - diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_animated.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_animated.scss deleted file mode 100644 index 8a020dbff..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_animated.scss +++ /dev/null @@ -1,34 +0,0 @@ -// Spinning Icons -// -------------------------- - -.#{$fa-css-prefix}-spin { - -webkit-animation: fa-spin 2s infinite linear; - animation: fa-spin 2s infinite linear; -} - -.#{$fa-css-prefix}-pulse { - -webkit-animation: fa-spin 1s infinite steps(8); - animation: fa-spin 1s infinite steps(8); -} - -@-webkit-keyframes fa-spin { - 0% { - -webkit-transform: rotate(0deg); - transform: rotate(0deg); - } - 100% { - -webkit-transform: rotate(359deg); - transform: rotate(359deg); - } -} - -@keyframes fa-spin { - 0% { - -webkit-transform: rotate(0deg); - transform: rotate(0deg); - } - 100% { - -webkit-transform: rotate(359deg); - transform: rotate(359deg); - } -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_bordered-pulled.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_bordered-pulled.scss deleted file mode 100644 index d4b85a02f..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_bordered-pulled.scss +++ /dev/null @@ -1,25 +0,0 @@ -// Bordered & Pulled -// ------------------------- - -.#{$fa-css-prefix}-border { - padding: .2em .25em .15em; - border: solid .08em $fa-border-color; - border-radius: .1em; -} - -.#{$fa-css-prefix}-pull-left { float: left; } -.#{$fa-css-prefix}-pull-right { float: right; } - -.#{$fa-css-prefix} { - &.#{$fa-css-prefix}-pull-left { margin-right: .3em; } - &.#{$fa-css-prefix}-pull-right { margin-left: .3em; } -} - -/* Deprecated as of 4.4.0 */ -.pull-right { float: right; } -.pull-left { float: left; } - -.#{$fa-css-prefix} { - &.pull-left { margin-right: .3em; } - &.pull-right { margin-left: .3em; } -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_core.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_core.scss deleted file mode 100644 index 7425ef85f..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_core.scss +++ /dev/null @@ -1,12 +0,0 @@ -// Base Class Definition -// ------------------------- - -.#{$fa-css-prefix} { - display: inline-block; - font: normal normal normal #{$fa-font-size-base}/#{$fa-line-height-base} FontAwesome; // shortening font declaration - font-size: inherit; // can't have font-size inherit on line above, so need to override - text-rendering: auto; // optimizelegibility throws things off #1094 - -webkit-font-smoothing: antialiased; - -moz-osx-font-smoothing: grayscale; - -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_fixed-width.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_fixed-width.scss deleted file mode 100644 index b221c9813..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_fixed-width.scss +++ /dev/null @@ -1,6 +0,0 @@ -// Fixed Width Icons -// ------------------------- -.#{$fa-css-prefix}-fw { - width: (18em / 14); - text-align: center; -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_icons.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_icons.scss deleted file mode 100644 index b64017aef..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_icons.scss +++ /dev/null @@ -1,724 +0,0 @@ -/* Font Awesome uses the Unicode Private Use Area (PUA) to ensure screen - readers do not read off random characters that represent icons */ - -.#{$fa-css-prefix}-glass:before { content: $fa-var-glass; } -.#{$fa-css-prefix}-music:before { content: $fa-var-music; } -.#{$fa-css-prefix}-search:before { content: $fa-var-search; } -.#{$fa-css-prefix}-envelope-o:before { content: $fa-var-envelope-o; } -.#{$fa-css-prefix}-heart:before { content: $fa-var-heart; } -.#{$fa-css-prefix}-star:before { content: $fa-var-star; } -.#{$fa-css-prefix}-star-o:before { content: $fa-var-star-o; } -.#{$fa-css-prefix}-user:before { content: $fa-var-user; } -.#{$fa-css-prefix}-film:before { content: $fa-var-film; } -.#{$fa-css-prefix}-th-large:before { content: $fa-var-th-large; } -.#{$fa-css-prefix}-th:before { content: $fa-var-th; } -.#{$fa-css-prefix}-th-list:before { content: $fa-var-th-list; } -.#{$fa-css-prefix}-check:before { content: $fa-var-check; } -.#{$fa-css-prefix}-remove:before, -.#{$fa-css-prefix}-close:before, -.#{$fa-css-prefix}-times:before { content: $fa-var-times; } -.#{$fa-css-prefix}-search-plus:before { content: $fa-var-search-plus; } -.#{$fa-css-prefix}-search-minus:before { content: $fa-var-search-minus; } -.#{$fa-css-prefix}-power-off:before { content: $fa-var-power-off; } -.#{$fa-css-prefix}-signal:before { content: $fa-var-signal; } -.#{$fa-css-prefix}-gear:before, -.#{$fa-css-prefix}-cog:before { content: $fa-var-cog; } -.#{$fa-css-prefix}-trash-o:before { content: $fa-var-trash-o; } -.#{$fa-css-prefix}-home:before { content: $fa-var-home; } -.#{$fa-css-prefix}-file-o:before { content: $fa-var-file-o; } -.#{$fa-css-prefix}-clock-o:before { content: $fa-var-clock-o; } -.#{$fa-css-prefix}-road:before { content: $fa-var-road; } -.#{$fa-css-prefix}-download:before { content: $fa-var-download; } -.#{$fa-css-prefix}-arrow-circle-o-down:before { content: $fa-var-arrow-circle-o-down; } -.#{$fa-css-prefix}-arrow-circle-o-up:before { content: $fa-var-arrow-circle-o-up; } -.#{$fa-css-prefix}-inbox:before { content: $fa-var-inbox; } -.#{$fa-css-prefix}-play-circle-o:before { content: $fa-var-play-circle-o; } -.#{$fa-css-prefix}-rotate-right:before, -.#{$fa-css-prefix}-repeat:before { content: $fa-var-repeat; } -.#{$fa-css-prefix}-refresh:before { content: $fa-var-refresh; } -.#{$fa-css-prefix}-list-alt:before { content: $fa-var-list-alt; } -.#{$fa-css-prefix}-lock:before { content: $fa-var-lock; } -.#{$fa-css-prefix}-flag:before { content: $fa-var-flag; } -.#{$fa-css-prefix}-headphones:before { content: $fa-var-headphones; } -.#{$fa-css-prefix}-volume-off:before { content: $fa-var-volume-off; } -.#{$fa-css-prefix}-volume-down:before { content: $fa-var-volume-down; } -.#{$fa-css-prefix}-volume-up:before { content: $fa-var-volume-up; } -.#{$fa-css-prefix}-qrcode:before { content: $fa-var-qrcode; } -.#{$fa-css-prefix}-barcode:before { content: $fa-var-barcode; } -.#{$fa-css-prefix}-tag:before { content: $fa-var-tag; } -.#{$fa-css-prefix}-tags:before { content: $fa-var-tags; } -.#{$fa-css-prefix}-book:before { content: $fa-var-book; } -.#{$fa-css-prefix}-bookmark:before { content: $fa-var-bookmark; } -.#{$fa-css-prefix}-print:before { content: $fa-var-print; } -.#{$fa-css-prefix}-camera:before { content: $fa-var-camera; } -.#{$fa-css-prefix}-font:before { content: $fa-var-font; } -.#{$fa-css-prefix}-bold:before { content: $fa-var-bold; } -.#{$fa-css-prefix}-italic:before { content: $fa-var-italic; } -.#{$fa-css-prefix}-text-height:before { content: $fa-var-text-height; } -.#{$fa-css-prefix}-text-width:before { content: $fa-var-text-width; } -.#{$fa-css-prefix}-align-left:before { content: $fa-var-align-left; } -.#{$fa-css-prefix}-align-center:before { content: $fa-var-align-center; } -.#{$fa-css-prefix}-align-right:before { content: $fa-var-align-right; } -.#{$fa-css-prefix}-align-justify:before { content: $fa-var-align-justify; } -.#{$fa-css-prefix}-list:before { content: $fa-var-list; } -.#{$fa-css-prefix}-dedent:before, -.#{$fa-css-prefix}-outdent:before { content: $fa-var-outdent; } -.#{$fa-css-prefix}-indent:before { content: $fa-var-indent; } -.#{$fa-css-prefix}-video-camera:before { content: $fa-var-video-camera; } -.#{$fa-css-prefix}-photo:before, -.#{$fa-css-prefix}-image:before, -.#{$fa-css-prefix}-picture-o:before { content: $fa-var-picture-o; } -.#{$fa-css-prefix}-pencil:before { content: $fa-var-pencil; } -.#{$fa-css-prefix}-map-marker:before { content: $fa-var-map-marker; } -.#{$fa-css-prefix}-adjust:before { content: $fa-var-adjust; } -.#{$fa-css-prefix}-tint:before { content: $fa-var-tint; } -.#{$fa-css-prefix}-edit:before, -.#{$fa-css-prefix}-pencil-square-o:before { content: $fa-var-pencil-square-o; } -.#{$fa-css-prefix}-share-square-o:before { content: $fa-var-share-square-o; } -.#{$fa-css-prefix}-check-square-o:before { content: $fa-var-check-square-o; } -.#{$fa-css-prefix}-arrows:before { content: $fa-var-arrows; } -.#{$fa-css-prefix}-step-backward:before { content: $fa-var-step-backward; } -.#{$fa-css-prefix}-fast-backward:before { content: $fa-var-fast-backward; } -.#{$fa-css-prefix}-backward:before { content: $fa-var-backward; } -.#{$fa-css-prefix}-play:before { content: $fa-var-play; } -.#{$fa-css-prefix}-pause:before { content: $fa-var-pause; } -.#{$fa-css-prefix}-stop:before { content: $fa-var-stop; } -.#{$fa-css-prefix}-forward:before { content: $fa-var-forward; } -.#{$fa-css-prefix}-fast-forward:before { content: $fa-var-fast-forward; } -.#{$fa-css-prefix}-step-forward:before { content: $fa-var-step-forward; } -.#{$fa-css-prefix}-eject:before { content: $fa-var-eject; } -.#{$fa-css-prefix}-chevron-left:before { content: $fa-var-chevron-left; } -.#{$fa-css-prefix}-chevron-right:before { content: $fa-var-chevron-right; } -.#{$fa-css-prefix}-plus-circle:before { content: $fa-var-plus-circle; } -.#{$fa-css-prefix}-minus-circle:before { content: $fa-var-minus-circle; } -.#{$fa-css-prefix}-times-circle:before { content: $fa-var-times-circle; } -.#{$fa-css-prefix}-check-circle:before { content: $fa-var-check-circle; } -.#{$fa-css-prefix}-question-circle:before { content: $fa-var-question-circle; } -.#{$fa-css-prefix}-info-circle:before { content: $fa-var-info-circle; } -.#{$fa-css-prefix}-crosshairs:before { content: $fa-var-crosshairs; } -.#{$fa-css-prefix}-times-circle-o:before { content: $fa-var-times-circle-o; } -.#{$fa-css-prefix}-check-circle-o:before { content: $fa-var-check-circle-o; } -.#{$fa-css-prefix}-ban:before { content: $fa-var-ban; } -.#{$fa-css-prefix}-arrow-left:before { content: $fa-var-arrow-left; } -.#{$fa-css-prefix}-arrow-right:before { content: $fa-var-arrow-right; } -.#{$fa-css-prefix}-arrow-up:before { content: $fa-var-arrow-up; } -.#{$fa-css-prefix}-arrow-down:before { content: $fa-var-arrow-down; } -.#{$fa-css-prefix}-mail-forward:before, -.#{$fa-css-prefix}-share:before { content: $fa-var-share; } -.#{$fa-css-prefix}-expand:before { content: $fa-var-expand; } -.#{$fa-css-prefix}-compress:before { content: $fa-var-compress; } -.#{$fa-css-prefix}-plus:before { content: $fa-var-plus; } -.#{$fa-css-prefix}-minus:before { content: $fa-var-minus; } -.#{$fa-css-prefix}-asterisk:before { content: $fa-var-asterisk; } -.#{$fa-css-prefix}-exclamation-circle:before { content: $fa-var-exclamation-circle; } -.#{$fa-css-prefix}-gift:before { content: $fa-var-gift; } -.#{$fa-css-prefix}-leaf:before { content: $fa-var-leaf; } -.#{$fa-css-prefix}-fire:before { content: $fa-var-fire; } -.#{$fa-css-prefix}-eye:before { content: $fa-var-eye; } -.#{$fa-css-prefix}-eye-slash:before { content: $fa-var-eye-slash; } -.#{$fa-css-prefix}-warning:before, -.#{$fa-css-prefix}-exclamation-triangle:before { content: $fa-var-exclamation-triangle; } -.#{$fa-css-prefix}-plane:before { content: $fa-var-plane; } -.#{$fa-css-prefix}-calendar:before { content: $fa-var-calendar; } -.#{$fa-css-prefix}-random:before { content: $fa-var-random; } -.#{$fa-css-prefix}-comment:before { content: $fa-var-comment; } -.#{$fa-css-prefix}-magnet:before { content: $fa-var-magnet; } -.#{$fa-css-prefix}-chevron-up:before { content: $fa-var-chevron-up; } -.#{$fa-css-prefix}-chevron-down:before { content: $fa-var-chevron-down; } -.#{$fa-css-prefix}-retweet:before { content: $fa-var-retweet; } -.#{$fa-css-prefix}-shopping-cart:before { content: $fa-var-shopping-cart; } -.#{$fa-css-prefix}-folder:before { content: $fa-var-folder; } -.#{$fa-css-prefix}-folder-open:before { content: $fa-var-folder-open; } -.#{$fa-css-prefix}-arrows-v:before { content: $fa-var-arrows-v; } -.#{$fa-css-prefix}-arrows-h:before { content: $fa-var-arrows-h; } -.#{$fa-css-prefix}-bar-chart-o:before, -.#{$fa-css-prefix}-bar-chart:before { content: $fa-var-bar-chart; } -.#{$fa-css-prefix}-twitter-square:before { content: $fa-var-twitter-square; } -.#{$fa-css-prefix}-facebook-square:before { content: $fa-var-facebook-square; } -.#{$fa-css-prefix}-camera-retro:before { content: $fa-var-camera-retro; } -.#{$fa-css-prefix}-key:before { content: $fa-var-key; } -.#{$fa-css-prefix}-gears:before, -.#{$fa-css-prefix}-cogs:before { content: $fa-var-cogs; } -.#{$fa-css-prefix}-comments:before { content: $fa-var-comments; } -.#{$fa-css-prefix}-thumbs-o-up:before { content: $fa-var-thumbs-o-up; } -.#{$fa-css-prefix}-thumbs-o-down:before { content: $fa-var-thumbs-o-down; } -.#{$fa-css-prefix}-star-half:before { content: $fa-var-star-half; } -.#{$fa-css-prefix}-heart-o:before { content: $fa-var-heart-o; } -.#{$fa-css-prefix}-sign-out:before { content: $fa-var-sign-out; } -.#{$fa-css-prefix}-linkedin-square:before { content: $fa-var-linkedin-square; } -.#{$fa-css-prefix}-thumb-tack:before { content: $fa-var-thumb-tack; } -.#{$fa-css-prefix}-external-link:before { content: $fa-var-external-link; } -.#{$fa-css-prefix}-sign-in:before { content: $fa-var-sign-in; } -.#{$fa-css-prefix}-trophy:before { content: $fa-var-trophy; } -.#{$fa-css-prefix}-github-square:before { content: $fa-var-github-square; } -.#{$fa-css-prefix}-upload:before { content: $fa-var-upload; } -.#{$fa-css-prefix}-lemon-o:before { content: $fa-var-lemon-o; } -.#{$fa-css-prefix}-phone:before { content: $fa-var-phone; } -.#{$fa-css-prefix}-square-o:before { content: $fa-var-square-o; } -.#{$fa-css-prefix}-bookmark-o:before { content: $fa-var-bookmark-o; } -.#{$fa-css-prefix}-phone-square:before { content: $fa-var-phone-square; } -.#{$fa-css-prefix}-twitter:before { content: $fa-var-twitter; } -.#{$fa-css-prefix}-facebook-f:before, -.#{$fa-css-prefix}-facebook:before { content: $fa-var-facebook; } -.#{$fa-css-prefix}-github:before { content: $fa-var-github; } -.#{$fa-css-prefix}-unlock:before { content: $fa-var-unlock; } -.#{$fa-css-prefix}-credit-card:before { content: $fa-var-credit-card; } -.#{$fa-css-prefix}-feed:before, -.#{$fa-css-prefix}-rss:before { content: $fa-var-rss; } -.#{$fa-css-prefix}-hdd-o:before { content: $fa-var-hdd-o; } -.#{$fa-css-prefix}-bullhorn:before { content: $fa-var-bullhorn; } -.#{$fa-css-prefix}-bell:before { content: $fa-var-bell; } -.#{$fa-css-prefix}-certificate:before { content: $fa-var-certificate; } -.#{$fa-css-prefix}-hand-o-right:before { content: $fa-var-hand-o-right; } -.#{$fa-css-prefix}-hand-o-left:before { content: $fa-var-hand-o-left; } -.#{$fa-css-prefix}-hand-o-up:before { content: $fa-var-hand-o-up; } -.#{$fa-css-prefix}-hand-o-down:before { content: $fa-var-hand-o-down; } -.#{$fa-css-prefix}-arrow-circle-left:before { content: $fa-var-arrow-circle-left; } -.#{$fa-css-prefix}-arrow-circle-right:before { content: $fa-var-arrow-circle-right; } -.#{$fa-css-prefix}-arrow-circle-up:before { content: $fa-var-arrow-circle-up; } -.#{$fa-css-prefix}-arrow-circle-down:before { content: $fa-var-arrow-circle-down; } -.#{$fa-css-prefix}-globe:before { content: $fa-var-globe; } -.#{$fa-css-prefix}-wrench:before { content: $fa-var-wrench; } -.#{$fa-css-prefix}-tasks:before { content: $fa-var-tasks; } -.#{$fa-css-prefix}-filter:before { content: $fa-var-filter; } -.#{$fa-css-prefix}-briefcase:before { content: $fa-var-briefcase; } -.#{$fa-css-prefix}-arrows-alt:before { content: $fa-var-arrows-alt; } -.#{$fa-css-prefix}-group:before, -.#{$fa-css-prefix}-users:before { content: $fa-var-users; } -.#{$fa-css-prefix}-chain:before, -.#{$fa-css-prefix}-link:before { content: $fa-var-link; } -.#{$fa-css-prefix}-cloud:before { content: $fa-var-cloud; } -.#{$fa-css-prefix}-flask:before { content: $fa-var-flask; } -.#{$fa-css-prefix}-cut:before, -.#{$fa-css-prefix}-scissors:before { content: $fa-var-scissors; } -.#{$fa-css-prefix}-copy:before, -.#{$fa-css-prefix}-files-o:before { content: $fa-var-files-o; } -.#{$fa-css-prefix}-paperclip:before { content: $fa-var-paperclip; } -.#{$fa-css-prefix}-save:before, -.#{$fa-css-prefix}-floppy-o:before { content: $fa-var-floppy-o; } -.#{$fa-css-prefix}-square:before { content: $fa-var-square; } -.#{$fa-css-prefix}-navicon:before, -.#{$fa-css-prefix}-reorder:before, -.#{$fa-css-prefix}-bars:before { content: $fa-var-bars; } -.#{$fa-css-prefix}-list-ul:before { content: $fa-var-list-ul; } -.#{$fa-css-prefix}-list-ol:before { content: $fa-var-list-ol; } -.#{$fa-css-prefix}-strikethrough:before { content: $fa-var-strikethrough; } -.#{$fa-css-prefix}-underline:before { content: $fa-var-underline; } -.#{$fa-css-prefix}-table:before { content: $fa-var-table; } -.#{$fa-css-prefix}-magic:before { content: $fa-var-magic; } -.#{$fa-css-prefix}-truck:before { content: $fa-var-truck; } -.#{$fa-css-prefix}-pinterest:before { content: $fa-var-pinterest; } -.#{$fa-css-prefix}-pinterest-square:before { content: $fa-var-pinterest-square; } -.#{$fa-css-prefix}-google-plus-square:before { content: $fa-var-google-plus-square; } -.#{$fa-css-prefix}-google-plus:before { content: $fa-var-google-plus; } -.#{$fa-css-prefix}-money:before { content: $fa-var-money; } -.#{$fa-css-prefix}-caret-down:before { content: $fa-var-caret-down; } -.#{$fa-css-prefix}-caret-up:before { content: $fa-var-caret-up; } -.#{$fa-css-prefix}-caret-left:before { content: $fa-var-caret-left; } -.#{$fa-css-prefix}-caret-right:before { content: $fa-var-caret-right; } -.#{$fa-css-prefix}-columns:before { content: $fa-var-columns; } -.#{$fa-css-prefix}-unsorted:before, -.#{$fa-css-prefix}-sort:before { content: $fa-var-sort; } -.#{$fa-css-prefix}-sort-down:before, -.#{$fa-css-prefix}-sort-desc:before { content: $fa-var-sort-desc; } -.#{$fa-css-prefix}-sort-up:before, -.#{$fa-css-prefix}-sort-asc:before { content: $fa-var-sort-asc; } -.#{$fa-css-prefix}-envelope:before { content: $fa-var-envelope; } -.#{$fa-css-prefix}-linkedin:before { content: $fa-var-linkedin; } -.#{$fa-css-prefix}-rotate-left:before, -.#{$fa-css-prefix}-undo:before { content: $fa-var-undo; } -.#{$fa-css-prefix}-legal:before, -.#{$fa-css-prefix}-gavel:before { content: $fa-var-gavel; } -.#{$fa-css-prefix}-dashboard:before, -.#{$fa-css-prefix}-tachometer:before { content: $fa-var-tachometer; } -.#{$fa-css-prefix}-comment-o:before { content: $fa-var-comment-o; } -.#{$fa-css-prefix}-comments-o:before { content: $fa-var-comments-o; } -.#{$fa-css-prefix}-flash:before, -.#{$fa-css-prefix}-bolt:before { content: $fa-var-bolt; } -.#{$fa-css-prefix}-sitemap:before { content: $fa-var-sitemap; } -.#{$fa-css-prefix}-umbrella:before { content: $fa-var-umbrella; } -.#{$fa-css-prefix}-paste:before, -.#{$fa-css-prefix}-clipboard:before { content: $fa-var-clipboard; } -.#{$fa-css-prefix}-lightbulb-o:before { content: $fa-var-lightbulb-o; } -.#{$fa-css-prefix}-exchange:before { content: $fa-var-exchange; } -.#{$fa-css-prefix}-cloud-download:before { content: $fa-var-cloud-download; } -.#{$fa-css-prefix}-cloud-upload:before { content: $fa-var-cloud-upload; } -.#{$fa-css-prefix}-user-md:before { content: $fa-var-user-md; } -.#{$fa-css-prefix}-stethoscope:before { content: $fa-var-stethoscope; } -.#{$fa-css-prefix}-suitcase:before { content: $fa-var-suitcase; } -.#{$fa-css-prefix}-bell-o:before { content: $fa-var-bell-o; } -.#{$fa-css-prefix}-coffee:before { content: $fa-var-coffee; } -.#{$fa-css-prefix}-cutlery:before { content: $fa-var-cutlery; } -.#{$fa-css-prefix}-file-text-o:before { content: $fa-var-file-text-o; } -.#{$fa-css-prefix}-building-o:before { content: $fa-var-building-o; } -.#{$fa-css-prefix}-hospital-o:before { content: $fa-var-hospital-o; } -.#{$fa-css-prefix}-ambulance:before { content: $fa-var-ambulance; } -.#{$fa-css-prefix}-medkit:before { content: $fa-var-medkit; } -.#{$fa-css-prefix}-fighter-jet:before { content: $fa-var-fighter-jet; } -.#{$fa-css-prefix}-beer:before { content: $fa-var-beer; } -.#{$fa-css-prefix}-h-square:before { content: $fa-var-h-square; } -.#{$fa-css-prefix}-plus-square:before { content: $fa-var-plus-square; } -.#{$fa-css-prefix}-angle-double-left:before { content: $fa-var-angle-double-left; } -.#{$fa-css-prefix}-angle-double-right:before { content: $fa-var-angle-double-right; } -.#{$fa-css-prefix}-angle-double-up:before { content: $fa-var-angle-double-up; } -.#{$fa-css-prefix}-angle-double-down:before { content: $fa-var-angle-double-down; } -.#{$fa-css-prefix}-angle-left:before { content: $fa-var-angle-left; } -.#{$fa-css-prefix}-angle-right:before { content: $fa-var-angle-right; } -.#{$fa-css-prefix}-angle-up:before { content: $fa-var-angle-up; } -.#{$fa-css-prefix}-angle-down:before { content: $fa-var-angle-down; } -.#{$fa-css-prefix}-desktop:before { content: $fa-var-desktop; } -.#{$fa-css-prefix}-laptop:before { content: $fa-var-laptop; } -.#{$fa-css-prefix}-tablet:before { content: $fa-var-tablet; } -.#{$fa-css-prefix}-mobile-phone:before, -.#{$fa-css-prefix}-mobile:before { content: $fa-var-mobile; } -.#{$fa-css-prefix}-circle-o:before { content: $fa-var-circle-o; } -.#{$fa-css-prefix}-quote-left:before { content: $fa-var-quote-left; } -.#{$fa-css-prefix}-quote-right:before { content: $fa-var-quote-right; } -.#{$fa-css-prefix}-spinner:before { content: $fa-var-spinner; } -.#{$fa-css-prefix}-circle:before { content: $fa-var-circle; } -.#{$fa-css-prefix}-mail-reply:before, -.#{$fa-css-prefix}-reply:before { content: $fa-var-reply; } -.#{$fa-css-prefix}-github-alt:before { content: $fa-var-github-alt; } -.#{$fa-css-prefix}-folder-o:before { content: $fa-var-folder-o; } -.#{$fa-css-prefix}-folder-open-o:before { content: $fa-var-folder-open-o; } -.#{$fa-css-prefix}-smile-o:before { content: $fa-var-smile-o; } -.#{$fa-css-prefix}-frown-o:before { content: $fa-var-frown-o; } -.#{$fa-css-prefix}-meh-o:before { content: $fa-var-meh-o; } -.#{$fa-css-prefix}-gamepad:before { content: $fa-var-gamepad; } -.#{$fa-css-prefix}-keyboard-o:before { content: $fa-var-keyboard-o; } -.#{$fa-css-prefix}-flag-o:before { content: $fa-var-flag-o; } -.#{$fa-css-prefix}-flag-checkered:before { content: $fa-var-flag-checkered; } -.#{$fa-css-prefix}-terminal:before { content: $fa-var-terminal; } -.#{$fa-css-prefix}-code:before { content: $fa-var-code; } -.#{$fa-css-prefix}-mail-reply-all:before, -.#{$fa-css-prefix}-reply-all:before { content: $fa-var-reply-all; } -.#{$fa-css-prefix}-star-half-empty:before, -.#{$fa-css-prefix}-star-half-full:before, -.#{$fa-css-prefix}-star-half-o:before { content: $fa-var-star-half-o; } -.#{$fa-css-prefix}-location-arrow:before { content: $fa-var-location-arrow; } -.#{$fa-css-prefix}-crop:before { content: $fa-var-crop; } -.#{$fa-css-prefix}-code-fork:before { content: $fa-var-code-fork; } -.#{$fa-css-prefix}-unlink:before, -.#{$fa-css-prefix}-chain-broken:before { content: $fa-var-chain-broken; } -.#{$fa-css-prefix}-question:before { content: $fa-var-question; } -.#{$fa-css-prefix}-info:before { content: $fa-var-info; } -.#{$fa-css-prefix}-exclamation:before { content: $fa-var-exclamation; } -.#{$fa-css-prefix}-superscript:before { content: $fa-var-superscript; } -.#{$fa-css-prefix}-subscript:before { content: $fa-var-subscript; } -.#{$fa-css-prefix}-eraser:before { content: $fa-var-eraser; } -.#{$fa-css-prefix}-puzzle-piece:before { content: $fa-var-puzzle-piece; } -.#{$fa-css-prefix}-microphone:before { content: $fa-var-microphone; } -.#{$fa-css-prefix}-microphone-slash:before { content: $fa-var-microphone-slash; } -.#{$fa-css-prefix}-shield:before { content: $fa-var-shield; } -.#{$fa-css-prefix}-calendar-o:before { content: $fa-var-calendar-o; } -.#{$fa-css-prefix}-fire-extinguisher:before { content: $fa-var-fire-extinguisher; } -.#{$fa-css-prefix}-rocket:before { content: $fa-var-rocket; } -.#{$fa-css-prefix}-maxcdn:before { content: $fa-var-maxcdn; } -.#{$fa-css-prefix}-chevron-circle-left:before { content: $fa-var-chevron-circle-left; } -.#{$fa-css-prefix}-chevron-circle-right:before { content: $fa-var-chevron-circle-right; } -.#{$fa-css-prefix}-chevron-circle-up:before { content: $fa-var-chevron-circle-up; } -.#{$fa-css-prefix}-chevron-circle-down:before { content: $fa-var-chevron-circle-down; } -.#{$fa-css-prefix}-html5:before { content: $fa-var-html5; } -.#{$fa-css-prefix}-css3:before { content: $fa-var-css3; } -.#{$fa-css-prefix}-anchor:before { content: $fa-var-anchor; } -.#{$fa-css-prefix}-unlock-alt:before { content: $fa-var-unlock-alt; } -.#{$fa-css-prefix}-bullseye:before { content: $fa-var-bullseye; } -.#{$fa-css-prefix}-ellipsis-h:before { content: $fa-var-ellipsis-h; } -.#{$fa-css-prefix}-ellipsis-v:before { content: $fa-var-ellipsis-v; } -.#{$fa-css-prefix}-rss-square:before { content: $fa-var-rss-square; } -.#{$fa-css-prefix}-play-circle:before { content: $fa-var-play-circle; } -.#{$fa-css-prefix}-ticket:before { content: $fa-var-ticket; } -.#{$fa-css-prefix}-minus-square:before { content: $fa-var-minus-square; } -.#{$fa-css-prefix}-minus-square-o:before { content: $fa-var-minus-square-o; } -.#{$fa-css-prefix}-level-up:before { content: $fa-var-level-up; } -.#{$fa-css-prefix}-level-down:before { content: $fa-var-level-down; } -.#{$fa-css-prefix}-check-square:before { content: $fa-var-check-square; } -.#{$fa-css-prefix}-pencil-square:before { content: $fa-var-pencil-square; } -.#{$fa-css-prefix}-external-link-square:before { content: $fa-var-external-link-square; } -.#{$fa-css-prefix}-share-square:before { content: $fa-var-share-square; } -.#{$fa-css-prefix}-compass:before { content: $fa-var-compass; } -.#{$fa-css-prefix}-toggle-down:before, -.#{$fa-css-prefix}-caret-square-o-down:before { content: $fa-var-caret-square-o-down; } -.#{$fa-css-prefix}-toggle-up:before, -.#{$fa-css-prefix}-caret-square-o-up:before { content: $fa-var-caret-square-o-up; } -.#{$fa-css-prefix}-toggle-right:before, -.#{$fa-css-prefix}-caret-square-o-right:before { content: $fa-var-caret-square-o-right; } -.#{$fa-css-prefix}-euro:before, -.#{$fa-css-prefix}-eur:before { content: $fa-var-eur; } -.#{$fa-css-prefix}-gbp:before { content: $fa-var-gbp; } -.#{$fa-css-prefix}-dollar:before, -.#{$fa-css-prefix}-usd:before { content: $fa-var-usd; } -.#{$fa-css-prefix}-rupee:before, -.#{$fa-css-prefix}-inr:before { content: $fa-var-inr; } -.#{$fa-css-prefix}-cny:before, -.#{$fa-css-prefix}-rmb:before, -.#{$fa-css-prefix}-yen:before, -.#{$fa-css-prefix}-jpy:before { content: $fa-var-jpy; } -.#{$fa-css-prefix}-ruble:before, -.#{$fa-css-prefix}-rouble:before, -.#{$fa-css-prefix}-rub:before { content: $fa-var-rub; } -.#{$fa-css-prefix}-won:before, -.#{$fa-css-prefix}-krw:before { content: $fa-var-krw; } -.#{$fa-css-prefix}-bitcoin:before, -.#{$fa-css-prefix}-btc:before { content: $fa-var-btc; } -.#{$fa-css-prefix}-file:before { content: $fa-var-file; } -.#{$fa-css-prefix}-file-text:before { content: $fa-var-file-text; } -.#{$fa-css-prefix}-sort-alpha-asc:before { content: $fa-var-sort-alpha-asc; } -.#{$fa-css-prefix}-sort-alpha-desc:before { content: $fa-var-sort-alpha-desc; } -.#{$fa-css-prefix}-sort-amount-asc:before { content: $fa-var-sort-amount-asc; } -.#{$fa-css-prefix}-sort-amount-desc:before { content: $fa-var-sort-amount-desc; } -.#{$fa-css-prefix}-sort-numeric-asc:before { content: $fa-var-sort-numeric-asc; } -.#{$fa-css-prefix}-sort-numeric-desc:before { content: $fa-var-sort-numeric-desc; } -.#{$fa-css-prefix}-thumbs-up:before { content: $fa-var-thumbs-up; } -.#{$fa-css-prefix}-thumbs-down:before { content: $fa-var-thumbs-down; } -.#{$fa-css-prefix}-youtube-square:before { content: $fa-var-youtube-square; } -.#{$fa-css-prefix}-youtube:before { content: $fa-var-youtube; } -.#{$fa-css-prefix}-xing:before { content: $fa-var-xing; } -.#{$fa-css-prefix}-xing-square:before { content: $fa-var-xing-square; } -.#{$fa-css-prefix}-youtube-play:before { content: $fa-var-youtube-play; } -.#{$fa-css-prefix}-dropbox:before { content: $fa-var-dropbox; } -.#{$fa-css-prefix}-stack-overflow:before { content: $fa-var-stack-overflow; } -.#{$fa-css-prefix}-instagram:before { content: $fa-var-instagram; } -.#{$fa-css-prefix}-flickr:before { content: $fa-var-flickr; } -.#{$fa-css-prefix}-adn:before { content: $fa-var-adn; } -.#{$fa-css-prefix}-bitbucket:before { content: $fa-var-bitbucket; } -.#{$fa-css-prefix}-bitbucket-square:before { content: $fa-var-bitbucket-square; } -.#{$fa-css-prefix}-tumblr:before { content: $fa-var-tumblr; } -.#{$fa-css-prefix}-tumblr-square:before { content: $fa-var-tumblr-square; } -.#{$fa-css-prefix}-long-arrow-down:before { content: $fa-var-long-arrow-down; } -.#{$fa-css-prefix}-long-arrow-up:before { content: $fa-var-long-arrow-up; } -.#{$fa-css-prefix}-long-arrow-left:before { content: $fa-var-long-arrow-left; } -.#{$fa-css-prefix}-long-arrow-right:before { content: $fa-var-long-arrow-right; } -.#{$fa-css-prefix}-apple:before { content: $fa-var-apple; } -.#{$fa-css-prefix}-windows:before { content: $fa-var-windows; } -.#{$fa-css-prefix}-android:before { content: $fa-var-android; } -.#{$fa-css-prefix}-linux:before { content: $fa-var-linux; } -.#{$fa-css-prefix}-dribbble:before { content: $fa-var-dribbble; } -.#{$fa-css-prefix}-skype:before { content: $fa-var-skype; } -.#{$fa-css-prefix}-foursquare:before { content: $fa-var-foursquare; } -.#{$fa-css-prefix}-trello:before { content: $fa-var-trello; } -.#{$fa-css-prefix}-female:before { content: $fa-var-female; } -.#{$fa-css-prefix}-male:before { content: $fa-var-male; } -.#{$fa-css-prefix}-gittip:before, -.#{$fa-css-prefix}-gratipay:before { content: $fa-var-gratipay; } -.#{$fa-css-prefix}-sun-o:before { content: $fa-var-sun-o; } -.#{$fa-css-prefix}-moon-o:before { content: $fa-var-moon-o; } -.#{$fa-css-prefix}-archive:before { content: $fa-var-archive; } -.#{$fa-css-prefix}-bug:before { content: $fa-var-bug; } -.#{$fa-css-prefix}-vk:before { content: $fa-var-vk; } -.#{$fa-css-prefix}-weibo:before { content: $fa-var-weibo; } -.#{$fa-css-prefix}-renren:before { content: $fa-var-renren; } -.#{$fa-css-prefix}-pagelines:before { content: $fa-var-pagelines; } -.#{$fa-css-prefix}-stack-exchange:before { content: $fa-var-stack-exchange; } -.#{$fa-css-prefix}-arrow-circle-o-right:before { content: $fa-var-arrow-circle-o-right; } -.#{$fa-css-prefix}-arrow-circle-o-left:before { content: $fa-var-arrow-circle-o-left; } -.#{$fa-css-prefix}-toggle-left:before, -.#{$fa-css-prefix}-caret-square-o-left:before { content: $fa-var-caret-square-o-left; } -.#{$fa-css-prefix}-dot-circle-o:before { content: $fa-var-dot-circle-o; } -.#{$fa-css-prefix}-wheelchair:before { content: $fa-var-wheelchair; } -.#{$fa-css-prefix}-vimeo-square:before { content: $fa-var-vimeo-square; } -.#{$fa-css-prefix}-turkish-lira:before, -.#{$fa-css-prefix}-try:before { content: $fa-var-try; } -.#{$fa-css-prefix}-plus-square-o:before { content: $fa-var-plus-square-o; } -.#{$fa-css-prefix}-space-shuttle:before { content: $fa-var-space-shuttle; } -.#{$fa-css-prefix}-slack:before { content: $fa-var-slack; } -.#{$fa-css-prefix}-envelope-square:before { content: $fa-var-envelope-square; } -.#{$fa-css-prefix}-wordpress:before { content: $fa-var-wordpress; } -.#{$fa-css-prefix}-openid:before { content: $fa-var-openid; } -.#{$fa-css-prefix}-institution:before, -.#{$fa-css-prefix}-bank:before, -.#{$fa-css-prefix}-university:before { content: $fa-var-university; } -.#{$fa-css-prefix}-mortar-board:before, -.#{$fa-css-prefix}-graduation-cap:before { content: $fa-var-graduation-cap; } -.#{$fa-css-prefix}-yahoo:before { content: $fa-var-yahoo; } -.#{$fa-css-prefix}-google:before { content: $fa-var-google; } -.#{$fa-css-prefix}-reddit:before { content: $fa-var-reddit; } -.#{$fa-css-prefix}-reddit-square:before { content: $fa-var-reddit-square; } -.#{$fa-css-prefix}-stumbleupon-circle:before { content: $fa-var-stumbleupon-circle; } -.#{$fa-css-prefix}-stumbleupon:before { content: $fa-var-stumbleupon; } -.#{$fa-css-prefix}-delicious:before { content: $fa-var-delicious; } -.#{$fa-css-prefix}-digg:before { content: $fa-var-digg; } -.#{$fa-css-prefix}-pied-piper:before { content: $fa-var-pied-piper; } -.#{$fa-css-prefix}-pied-piper-alt:before { content: $fa-var-pied-piper-alt; } -.#{$fa-css-prefix}-drupal:before { content: $fa-var-drupal; } -.#{$fa-css-prefix}-joomla:before { content: $fa-var-joomla; } -.#{$fa-css-prefix}-language:before { content: $fa-var-language; } -.#{$fa-css-prefix}-fax:before { content: $fa-var-fax; } -.#{$fa-css-prefix}-building:before { content: $fa-var-building; } -.#{$fa-css-prefix}-child:before { content: $fa-var-child; } -.#{$fa-css-prefix}-paw:before { content: $fa-var-paw; } -.#{$fa-css-prefix}-spoon:before { content: $fa-var-spoon; } -.#{$fa-css-prefix}-cube:before { content: $fa-var-cube; } -.#{$fa-css-prefix}-cubes:before { content: $fa-var-cubes; } -.#{$fa-css-prefix}-behance:before { content: $fa-var-behance; } -.#{$fa-css-prefix}-behance-square:before { content: $fa-var-behance-square; } -.#{$fa-css-prefix}-steam:before { content: $fa-var-steam; } -.#{$fa-css-prefix}-steam-square:before { content: $fa-var-steam-square; } -.#{$fa-css-prefix}-recycle:before { content: $fa-var-recycle; } -.#{$fa-css-prefix}-automobile:before, -.#{$fa-css-prefix}-car:before { content: $fa-var-car; } -.#{$fa-css-prefix}-cab:before, -.#{$fa-css-prefix}-taxi:before { content: $fa-var-taxi; } -.#{$fa-css-prefix}-tree:before { content: $fa-var-tree; } -.#{$fa-css-prefix}-spotify:before { content: $fa-var-spotify; } -.#{$fa-css-prefix}-deviantart:before { content: $fa-var-deviantart; } -.#{$fa-css-prefix}-soundcloud:before { content: $fa-var-soundcloud; } -.#{$fa-css-prefix}-database:before { content: $fa-var-database; } -.#{$fa-css-prefix}-file-pdf-o:before { content: $fa-var-file-pdf-o; } -.#{$fa-css-prefix}-file-word-o:before { content: $fa-var-file-word-o; } -.#{$fa-css-prefix}-file-excel-o:before { content: $fa-var-file-excel-o; } -.#{$fa-css-prefix}-file-powerpoint-o:before { content: $fa-var-file-powerpoint-o; } -.#{$fa-css-prefix}-file-photo-o:before, -.#{$fa-css-prefix}-file-picture-o:before, -.#{$fa-css-prefix}-file-image-o:before { content: $fa-var-file-image-o; } -.#{$fa-css-prefix}-file-zip-o:before, -.#{$fa-css-prefix}-file-archive-o:before { content: $fa-var-file-archive-o; } -.#{$fa-css-prefix}-file-sound-o:before, -.#{$fa-css-prefix}-file-audio-o:before { content: $fa-var-file-audio-o; } -.#{$fa-css-prefix}-file-movie-o:before, -.#{$fa-css-prefix}-file-video-o:before { content: $fa-var-file-video-o; } -.#{$fa-css-prefix}-file-code-o:before { content: $fa-var-file-code-o; } -.#{$fa-css-prefix}-vine:before { content: $fa-var-vine; } -.#{$fa-css-prefix}-codepen:before { content: $fa-var-codepen; } -.#{$fa-css-prefix}-jsfiddle:before { content: $fa-var-jsfiddle; } -.#{$fa-css-prefix}-life-bouy:before, -.#{$fa-css-prefix}-life-buoy:before, -.#{$fa-css-prefix}-life-saver:before, -.#{$fa-css-prefix}-support:before, -.#{$fa-css-prefix}-life-ring:before { content: $fa-var-life-ring; } -.#{$fa-css-prefix}-circle-o-notch:before { content: $fa-var-circle-o-notch; } -.#{$fa-css-prefix}-ra:before, -.#{$fa-css-prefix}-rebel:before { content: $fa-var-rebel; } -.#{$fa-css-prefix}-ge:before, -.#{$fa-css-prefix}-empire:before { content: $fa-var-empire; } -.#{$fa-css-prefix}-git-square:before { content: $fa-var-git-square; } -.#{$fa-css-prefix}-git:before { content: $fa-var-git; } -.#{$fa-css-prefix}-y-combinator-square:before, -.#{$fa-css-prefix}-yc-square:before, -.#{$fa-css-prefix}-hacker-news:before { content: $fa-var-hacker-news; } -.#{$fa-css-prefix}-tencent-weibo:before { content: $fa-var-tencent-weibo; } -.#{$fa-css-prefix}-qq:before { content: $fa-var-qq; } -.#{$fa-css-prefix}-wechat:before, -.#{$fa-css-prefix}-weixin:before { content: $fa-var-weixin; } -.#{$fa-css-prefix}-send:before, -.#{$fa-css-prefix}-paper-plane:before { content: $fa-var-paper-plane; } -.#{$fa-css-prefix}-send-o:before, -.#{$fa-css-prefix}-paper-plane-o:before { content: $fa-var-paper-plane-o; } -.#{$fa-css-prefix}-history:before { content: $fa-var-history; } -.#{$fa-css-prefix}-circle-thin:before { content: $fa-var-circle-thin; } -.#{$fa-css-prefix}-header:before { content: $fa-var-header; } -.#{$fa-css-prefix}-paragraph:before { content: $fa-var-paragraph; } -.#{$fa-css-prefix}-sliders:before { content: $fa-var-sliders; } -.#{$fa-css-prefix}-share-alt:before { content: $fa-var-share-alt; } -.#{$fa-css-prefix}-share-alt-square:before { content: $fa-var-share-alt-square; } -.#{$fa-css-prefix}-bomb:before { content: $fa-var-bomb; } -.#{$fa-css-prefix}-soccer-ball-o:before, -.#{$fa-css-prefix}-futbol-o:before { content: $fa-var-futbol-o; } -.#{$fa-css-prefix}-tty:before { content: $fa-var-tty; } -.#{$fa-css-prefix}-binoculars:before { content: $fa-var-binoculars; } -.#{$fa-css-prefix}-plug:before { content: $fa-var-plug; } -.#{$fa-css-prefix}-slideshare:before { content: $fa-var-slideshare; } -.#{$fa-css-prefix}-twitch:before { content: $fa-var-twitch; } -.#{$fa-css-prefix}-yelp:before { content: $fa-var-yelp; } -.#{$fa-css-prefix}-newspaper-o:before { content: $fa-var-newspaper-o; } -.#{$fa-css-prefix}-wifi:before { content: $fa-var-wifi; } -.#{$fa-css-prefix}-calculator:before { content: $fa-var-calculator; } -.#{$fa-css-prefix}-paypal:before { content: $fa-var-paypal; } -.#{$fa-css-prefix}-google-wallet:before { content: $fa-var-google-wallet; } -.#{$fa-css-prefix}-cc-visa:before { content: $fa-var-cc-visa; } -.#{$fa-css-prefix}-cc-mastercard:before { content: $fa-var-cc-mastercard; } -.#{$fa-css-prefix}-cc-discover:before { content: $fa-var-cc-discover; } -.#{$fa-css-prefix}-cc-amex:before { content: $fa-var-cc-amex; } -.#{$fa-css-prefix}-cc-paypal:before { content: $fa-var-cc-paypal; } -.#{$fa-css-prefix}-cc-stripe:before { content: $fa-var-cc-stripe; } -.#{$fa-css-prefix}-bell-slash:before { content: $fa-var-bell-slash; } -.#{$fa-css-prefix}-bell-slash-o:before { content: $fa-var-bell-slash-o; } -.#{$fa-css-prefix}-trash:before { content: $fa-var-trash; } -.#{$fa-css-prefix}-copyright:before { content: $fa-var-copyright; } -.#{$fa-css-prefix}-at:before { content: $fa-var-at; } -.#{$fa-css-prefix}-eyedropper:before { content: $fa-var-eyedropper; } -.#{$fa-css-prefix}-paint-brush:before { content: $fa-var-paint-brush; } -.#{$fa-css-prefix}-birthday-cake:before { content: $fa-var-birthday-cake; } -.#{$fa-css-prefix}-area-chart:before { content: $fa-var-area-chart; } -.#{$fa-css-prefix}-pie-chart:before { content: $fa-var-pie-chart; } -.#{$fa-css-prefix}-line-chart:before { content: $fa-var-line-chart; } -.#{$fa-css-prefix}-lastfm:before { content: $fa-var-lastfm; } -.#{$fa-css-prefix}-lastfm-square:before { content: $fa-var-lastfm-square; } -.#{$fa-css-prefix}-toggle-off:before { content: $fa-var-toggle-off; } -.#{$fa-css-prefix}-toggle-on:before { content: $fa-var-toggle-on; } -.#{$fa-css-prefix}-bicycle:before { content: $fa-var-bicycle; } -.#{$fa-css-prefix}-bus:before { content: $fa-var-bus; } -.#{$fa-css-prefix}-ioxhost:before { content: $fa-var-ioxhost; } -.#{$fa-css-prefix}-angellist:before { content: $fa-var-angellist; } -.#{$fa-css-prefix}-cc:before { content: $fa-var-cc; } -.#{$fa-css-prefix}-shekel:before, -.#{$fa-css-prefix}-sheqel:before, -.#{$fa-css-prefix}-ils:before { content: $fa-var-ils; } -.#{$fa-css-prefix}-meanpath:before { content: $fa-var-meanpath; } -.#{$fa-css-prefix}-buysellads:before { content: $fa-var-buysellads; } -.#{$fa-css-prefix}-connectdevelop:before { content: $fa-var-connectdevelop; } -.#{$fa-css-prefix}-dashcube:before { content: $fa-var-dashcube; } -.#{$fa-css-prefix}-forumbee:before { content: $fa-var-forumbee; } -.#{$fa-css-prefix}-leanpub:before { content: $fa-var-leanpub; } -.#{$fa-css-prefix}-sellsy:before { content: $fa-var-sellsy; } -.#{$fa-css-prefix}-shirtsinbulk:before { content: $fa-var-shirtsinbulk; } -.#{$fa-css-prefix}-simplybuilt:before { content: $fa-var-simplybuilt; } -.#{$fa-css-prefix}-skyatlas:before { content: $fa-var-skyatlas; } -.#{$fa-css-prefix}-cart-plus:before { content: $fa-var-cart-plus; } -.#{$fa-css-prefix}-cart-arrow-down:before { content: $fa-var-cart-arrow-down; } -.#{$fa-css-prefix}-diamond:before { content: $fa-var-diamond; } -.#{$fa-css-prefix}-ship:before { content: $fa-var-ship; } -.#{$fa-css-prefix}-user-secret:before { content: $fa-var-user-secret; } -.#{$fa-css-prefix}-motorcycle:before { content: $fa-var-motorcycle; } -.#{$fa-css-prefix}-street-view:before { content: $fa-var-street-view; } -.#{$fa-css-prefix}-heartbeat:before { content: $fa-var-heartbeat; } -.#{$fa-css-prefix}-venus:before { content: $fa-var-venus; } -.#{$fa-css-prefix}-mars:before { content: $fa-var-mars; } -.#{$fa-css-prefix}-mercury:before { content: $fa-var-mercury; } -.#{$fa-css-prefix}-intersex:before, -.#{$fa-css-prefix}-transgender:before { content: $fa-var-transgender; } -.#{$fa-css-prefix}-transgender-alt:before { content: $fa-var-transgender-alt; } -.#{$fa-css-prefix}-venus-double:before { content: $fa-var-venus-double; } -.#{$fa-css-prefix}-mars-double:before { content: $fa-var-mars-double; } -.#{$fa-css-prefix}-venus-mars:before { content: $fa-var-venus-mars; } -.#{$fa-css-prefix}-mars-stroke:before { content: $fa-var-mars-stroke; } -.#{$fa-css-prefix}-mars-stroke-v:before { content: $fa-var-mars-stroke-v; } -.#{$fa-css-prefix}-mars-stroke-h:before { content: $fa-var-mars-stroke-h; } -.#{$fa-css-prefix}-neuter:before { content: $fa-var-neuter; } -.#{$fa-css-prefix}-genderless:before { content: $fa-var-genderless; } -.#{$fa-css-prefix}-facebook-official:before { content: $fa-var-facebook-official; } -.#{$fa-css-prefix}-pinterest-p:before { content: $fa-var-pinterest-p; } -.#{$fa-css-prefix}-whatsapp:before { content: $fa-var-whatsapp; } -.#{$fa-css-prefix}-server:before { content: $fa-var-server; } -.#{$fa-css-prefix}-user-plus:before { content: $fa-var-user-plus; } -.#{$fa-css-prefix}-user-times:before { content: $fa-var-user-times; } -.#{$fa-css-prefix}-hotel:before, -.#{$fa-css-prefix}-bed:before { content: $fa-var-bed; } -.#{$fa-css-prefix}-viacoin:before { content: $fa-var-viacoin; } -.#{$fa-css-prefix}-train:before { content: $fa-var-train; } -.#{$fa-css-prefix}-subway:before { content: $fa-var-subway; } -.#{$fa-css-prefix}-medium:before { content: $fa-var-medium; } -.#{$fa-css-prefix}-yc:before, -.#{$fa-css-prefix}-y-combinator:before { content: $fa-var-y-combinator; } -.#{$fa-css-prefix}-optin-monster:before { content: $fa-var-optin-monster; } -.#{$fa-css-prefix}-opencart:before { content: $fa-var-opencart; } -.#{$fa-css-prefix}-expeditedssl:before { content: $fa-var-expeditedssl; } -.#{$fa-css-prefix}-battery-4:before, -.#{$fa-css-prefix}-battery-full:before { content: $fa-var-battery-full; } -.#{$fa-css-prefix}-battery-3:before, -.#{$fa-css-prefix}-battery-three-quarters:before { content: $fa-var-battery-three-quarters; } -.#{$fa-css-prefix}-battery-2:before, -.#{$fa-css-prefix}-battery-half:before { content: $fa-var-battery-half; } -.#{$fa-css-prefix}-battery-1:before, -.#{$fa-css-prefix}-battery-quarter:before { content: $fa-var-battery-quarter; } -.#{$fa-css-prefix}-battery-0:before, -.#{$fa-css-prefix}-battery-empty:before { content: $fa-var-battery-empty; } -.#{$fa-css-prefix}-mouse-pointer:before { content: $fa-var-mouse-pointer; } -.#{$fa-css-prefix}-i-cursor:before { content: $fa-var-i-cursor; } -.#{$fa-css-prefix}-object-group:before { content: $fa-var-object-group; } -.#{$fa-css-prefix}-object-ungroup:before { content: $fa-var-object-ungroup; } -.#{$fa-css-prefix}-sticky-note:before { content: $fa-var-sticky-note; } -.#{$fa-css-prefix}-sticky-note-o:before { content: $fa-var-sticky-note-o; } -.#{$fa-css-prefix}-cc-jcb:before { content: $fa-var-cc-jcb; } -.#{$fa-css-prefix}-cc-diners-club:before { content: $fa-var-cc-diners-club; } -.#{$fa-css-prefix}-clone:before { content: $fa-var-clone; } -.#{$fa-css-prefix}-balance-scale:before { content: $fa-var-balance-scale; } -.#{$fa-css-prefix}-hourglass-o:before { content: $fa-var-hourglass-o; } -.#{$fa-css-prefix}-hourglass-1:before, -.#{$fa-css-prefix}-hourglass-start:before { content: $fa-var-hourglass-start; } -.#{$fa-css-prefix}-hourglass-2:before, -.#{$fa-css-prefix}-hourglass-half:before { content: $fa-var-hourglass-half; } -.#{$fa-css-prefix}-hourglass-3:before, -.#{$fa-css-prefix}-hourglass-end:before { content: $fa-var-hourglass-end; } -.#{$fa-css-prefix}-hourglass:before { content: $fa-var-hourglass; } -.#{$fa-css-prefix}-hand-grab-o:before, -.#{$fa-css-prefix}-hand-rock-o:before { content: $fa-var-hand-rock-o; } -.#{$fa-css-prefix}-hand-stop-o:before, -.#{$fa-css-prefix}-hand-paper-o:before { content: $fa-var-hand-paper-o; } -.#{$fa-css-prefix}-hand-scissors-o:before { content: $fa-var-hand-scissors-o; } -.#{$fa-css-prefix}-hand-lizard-o:before { content: $fa-var-hand-lizard-o; } -.#{$fa-css-prefix}-hand-spock-o:before { content: $fa-var-hand-spock-o; } -.#{$fa-css-prefix}-hand-pointer-o:before { content: $fa-var-hand-pointer-o; } -.#{$fa-css-prefix}-hand-peace-o:before { content: $fa-var-hand-peace-o; } -.#{$fa-css-prefix}-trademark:before { content: $fa-var-trademark; } -.#{$fa-css-prefix}-registered:before { content: $fa-var-registered; } -.#{$fa-css-prefix}-creative-commons:before { content: $fa-var-creative-commons; } -.#{$fa-css-prefix}-gg:before { content: $fa-var-gg; } -.#{$fa-css-prefix}-gg-circle:before { content: $fa-var-gg-circle; } -.#{$fa-css-prefix}-tripadvisor:before { content: $fa-var-tripadvisor; } -.#{$fa-css-prefix}-odnoklassniki:before { content: $fa-var-odnoklassniki; } -.#{$fa-css-prefix}-odnoklassniki-square:before { content: $fa-var-odnoklassniki-square; } -.#{$fa-css-prefix}-get-pocket:before { content: $fa-var-get-pocket; } -.#{$fa-css-prefix}-wikipedia-w:before { content: $fa-var-wikipedia-w; } -.#{$fa-css-prefix}-safari:before { content: $fa-var-safari; } -.#{$fa-css-prefix}-chrome:before { content: $fa-var-chrome; } -.#{$fa-css-prefix}-firefox:before { content: $fa-var-firefox; } -.#{$fa-css-prefix}-opera:before { content: $fa-var-opera; } -.#{$fa-css-prefix}-internet-explorer:before { content: $fa-var-internet-explorer; } -.#{$fa-css-prefix}-tv:before, -.#{$fa-css-prefix}-television:before { content: $fa-var-television; } -.#{$fa-css-prefix}-contao:before { content: $fa-var-contao; } -.#{$fa-css-prefix}-500px:before { content: $fa-var-500px; } -.#{$fa-css-prefix}-amazon:before { content: $fa-var-amazon; } -.#{$fa-css-prefix}-calendar-plus-o:before { content: $fa-var-calendar-plus-o; } -.#{$fa-css-prefix}-calendar-minus-o:before { content: $fa-var-calendar-minus-o; } -.#{$fa-css-prefix}-calendar-times-o:before { content: $fa-var-calendar-times-o; } -.#{$fa-css-prefix}-calendar-check-o:before { content: $fa-var-calendar-check-o; } -.#{$fa-css-prefix}-industry:before { content: $fa-var-industry; } -.#{$fa-css-prefix}-map-pin:before { content: $fa-var-map-pin; } -.#{$fa-css-prefix}-map-signs:before { content: $fa-var-map-signs; } -.#{$fa-css-prefix}-map-o:before { content: $fa-var-map-o; } -.#{$fa-css-prefix}-map:before { content: $fa-var-map; } -.#{$fa-css-prefix}-commenting:before { content: $fa-var-commenting; } -.#{$fa-css-prefix}-commenting-o:before { content: $fa-var-commenting-o; } -.#{$fa-css-prefix}-houzz:before { content: $fa-var-houzz; } -.#{$fa-css-prefix}-vimeo:before { content: $fa-var-vimeo; } -.#{$fa-css-prefix}-black-tie:before { content: $fa-var-black-tie; } -.#{$fa-css-prefix}-fonticons:before { content: $fa-var-fonticons; } -.#{$fa-css-prefix}-reddit-alien:before { content: $fa-var-reddit-alien; } -.#{$fa-css-prefix}-edge:before { content: $fa-var-edge; } -.#{$fa-css-prefix}-credit-card-alt:before { content: $fa-var-credit-card-alt; } -.#{$fa-css-prefix}-codiepie:before { content: $fa-var-codiepie; } -.#{$fa-css-prefix}-modx:before { content: $fa-var-modx; } -.#{$fa-css-prefix}-fort-awesome:before { content: $fa-var-fort-awesome; } -.#{$fa-css-prefix}-usb:before { content: $fa-var-usb; } -.#{$fa-css-prefix}-product-hunt:before { content: $fa-var-product-hunt; } -.#{$fa-css-prefix}-mixcloud:before { content: $fa-var-mixcloud; } -.#{$fa-css-prefix}-scribd:before { content: $fa-var-scribd; } -.#{$fa-css-prefix}-pause-circle:before { content: $fa-var-pause-circle; } -.#{$fa-css-prefix}-pause-circle-o:before { content: $fa-var-pause-circle-o; } -.#{$fa-css-prefix}-stop-circle:before { content: $fa-var-stop-circle; } -.#{$fa-css-prefix}-stop-circle-o:before { content: $fa-var-stop-circle-o; } -.#{$fa-css-prefix}-shopping-bag:before { content: $fa-var-shopping-bag; } -.#{$fa-css-prefix}-shopping-basket:before { content: $fa-var-shopping-basket; } -.#{$fa-css-prefix}-hashtag:before { content: $fa-var-hashtag; } -.#{$fa-css-prefix}-bluetooth:before { content: $fa-var-bluetooth; } -.#{$fa-css-prefix}-bluetooth-b:before { content: $fa-var-bluetooth-b; } -.#{$fa-css-prefix}-percent:before { content: $fa-var-percent; } -.#{$fa-css-prefix}-gitlab:before { content: $fa-var-gitlab; } -.#{$fa-css-prefix}-wpbeginner:before { content: $fa-var-wpbeginner; } -.#{$fa-css-prefix}-wpforms:before { content: $fa-var-wpforms; } -.#{$fa-css-prefix}-envira:before { content: $fa-var-envira; } -.#{$fa-css-prefix}-universal-access:before { content: $fa-var-universal-access; } -.#{$fa-css-prefix}-wheelchair-alt:before { content: $fa-var-wheelchair-alt; } -.#{$fa-css-prefix}-question-circle-o:before { content: $fa-var-question-circle-o; } -.#{$fa-css-prefix}-blind:before { content: $fa-var-blind; } -.#{$fa-css-prefix}-audio-description:before { content: $fa-var-audio-description; } -.#{$fa-css-prefix}-volume-control-phone:before { content: $fa-var-volume-control-phone; } -.#{$fa-css-prefix}-braille:before { content: $fa-var-braille; } -.#{$fa-css-prefix}-assistive-listening-systems:before { content: $fa-var-assistive-listening-systems; } -.#{$fa-css-prefix}-asl-interpreting:before, -.#{$fa-css-prefix}-american-sign-language-interpreting:before { content: $fa-var-american-sign-language-interpreting; } -.#{$fa-css-prefix}-deafness:before, -.#{$fa-css-prefix}-hard-of-hearing:before, -.#{$fa-css-prefix}-deaf:before { content: $fa-var-deaf; } -.#{$fa-css-prefix}-glide:before { content: $fa-var-glide; } -.#{$fa-css-prefix}-glide-g:before { content: $fa-var-glide-g; } -.#{$fa-css-prefix}-signing:before, -.#{$fa-css-prefix}-sign-language:before { content: $fa-var-sign-language; } -.#{$fa-css-prefix}-low-vision:before { content: $fa-var-low-vision; } -.#{$fa-css-prefix}-viadeo:before { content: $fa-var-viadeo; } -.#{$fa-css-prefix}-viadeo-square:before { content: $fa-var-viadeo-square; } -.#{$fa-css-prefix}-snapchat:before { content: $fa-var-snapchat; } -.#{$fa-css-prefix}-snapchat-ghost:before { content: $fa-var-snapchat-ghost; } -.#{$fa-css-prefix}-snapchat-square:before { content: $fa-var-snapchat-square; } diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_larger.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_larger.scss deleted file mode 100644 index 41e9a8184..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_larger.scss +++ /dev/null @@ -1,13 +0,0 @@ -// Icon Sizes -// ------------------------- - -/* makes the font 33% larger relative to the icon container */ -.#{$fa-css-prefix}-lg { - font-size: (4em / 3); - line-height: (3em / 4); - vertical-align: -15%; -} -.#{$fa-css-prefix}-2x { font-size: 2em; } -.#{$fa-css-prefix}-3x { font-size: 3em; } -.#{$fa-css-prefix}-4x { font-size: 4em; } -.#{$fa-css-prefix}-5x { font-size: 5em; } diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_list.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_list.scss deleted file mode 100644 index 7d1e4d54d..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_list.scss +++ /dev/null @@ -1,19 +0,0 @@ -// List Icons -// ------------------------- - -.#{$fa-css-prefix}-ul { - padding-left: 0; - margin-left: $fa-li-width; - list-style-type: none; - > li { position: relative; } -} -.#{$fa-css-prefix}-li { - position: absolute; - left: -$fa-li-width; - width: $fa-li-width; - top: (2em / 14); - text-align: center; - &.#{$fa-css-prefix}-lg { - left: -$fa-li-width + (4em / 14); - } -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_mixins.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_mixins.scss deleted file mode 100644 index c3bbd5745..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_mixins.scss +++ /dev/null @@ -1,60 +0,0 @@ -// Mixins -// -------------------------- - -@mixin fa-icon() { - display: inline-block; - font: normal normal normal #{$fa-font-size-base}/#{$fa-line-height-base} FontAwesome; // shortening font declaration - font-size: inherit; // can't have font-size inherit on line above, so need to override - text-rendering: auto; // optimizelegibility throws things off #1094 - -webkit-font-smoothing: antialiased; - -moz-osx-font-smoothing: grayscale; - -} - -@mixin fa-icon-rotate($degrees, $rotation) { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=#{$rotation})"; - -webkit-transform: rotate($degrees); - -ms-transform: rotate($degrees); - transform: rotate($degrees); -} - -@mixin fa-icon-flip($horiz, $vert, $rotation) { - -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=#{$rotation}, mirror=1)"; - -webkit-transform: scale($horiz, $vert); - -ms-transform: scale($horiz, $vert); - transform: scale($horiz, $vert); -} - - -// Only display content to screen readers. A la Bootstrap 4. -// -// See: http://a11yproject.com/posts/how-to-hide-content/ - -@mixin sr-only { - position: absolute; - width: 1px; - height: 1px; - padding: 0; - margin: -1px; - overflow: hidden; - clip: rect(0,0,0,0); - border: 0; -} - -// Use in conjunction with .sr-only to only display content when it's focused. -// -// Useful for "Skip to main content" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1 -// -// Credit: HTML5 Boilerplate - -@mixin sr-only-focusable { - &:active, - &:focus { - position: static; - width: auto; - height: auto; - margin: 0; - overflow: visible; - clip: auto; - } -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_path.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_path.scss deleted file mode 100644 index bb457c23a..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_path.scss +++ /dev/null @@ -1,15 +0,0 @@ -/* FONT PATH - * -------------------------- */ - -@font-face { - font-family: 'FontAwesome'; - src: url('#{$fa-font-path}/fontawesome-webfont.eot?v=#{$fa-version}'); - src: url('#{$fa-font-path}/fontawesome-webfont.eot?#iefix&v=#{$fa-version}') format('embedded-opentype'), - url('#{$fa-font-path}/fontawesome-webfont.woff2?v=#{$fa-version}') format('woff2'), - url('#{$fa-font-path}/fontawesome-webfont.woff?v=#{$fa-version}') format('woff'), - url('#{$fa-font-path}/fontawesome-webfont.ttf?v=#{$fa-version}') format('truetype'), - url('#{$fa-font-path}/fontawesome-webfont.svg?v=#{$fa-version}#fontawesomeregular') format('svg'); -// src: url('#{$fa-font-path}/FontAwesome.otf') format('opentype'); // used when developing fonts - font-weight: normal; - font-style: normal; -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_rotated-flipped.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_rotated-flipped.scss deleted file mode 100644 index a3558fd09..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_rotated-flipped.scss +++ /dev/null @@ -1,20 +0,0 @@ -// Rotated & Flipped Icons -// ------------------------- - -.#{$fa-css-prefix}-rotate-90 { @include fa-icon-rotate(90deg, 1); } -.#{$fa-css-prefix}-rotate-180 { @include fa-icon-rotate(180deg, 2); } -.#{$fa-css-prefix}-rotate-270 { @include fa-icon-rotate(270deg, 3); } - -.#{$fa-css-prefix}-flip-horizontal { @include fa-icon-flip(-1, 1, 0); } -.#{$fa-css-prefix}-flip-vertical { @include fa-icon-flip(1, -1, 2); } - -// Hook for IE8-9 -// ------------------------- - -:root .#{$fa-css-prefix}-rotate-90, -:root .#{$fa-css-prefix}-rotate-180, -:root .#{$fa-css-prefix}-rotate-270, -:root .#{$fa-css-prefix}-flip-horizontal, -:root .#{$fa-css-prefix}-flip-vertical { - filter: none; -} diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_screen-reader.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_screen-reader.scss deleted file mode 100644 index 637426f0d..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_screen-reader.scss +++ /dev/null @@ -1,5 +0,0 @@ -// Screen Readers -// ------------------------- - -.sr-only { @include sr-only(); } -.sr-only-focusable { @include sr-only-focusable(); } diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_stacked.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_stacked.scss deleted file mode 100644 index aef740366..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_stacked.scss +++ /dev/null @@ -1,20 +0,0 @@ -// Stacked Icons -// ------------------------- - -.#{$fa-css-prefix}-stack { - position: relative; - display: inline-block; - width: 2em; - height: 2em; - line-height: 2em; - vertical-align: middle; -} -.#{$fa-css-prefix}-stack-1x, .#{$fa-css-prefix}-stack-2x { - position: absolute; - left: 0; - width: 100%; - text-align: center; -} -.#{$fa-css-prefix}-stack-1x { line-height: inherit; } -.#{$fa-css-prefix}-stack-2x { font-size: 2em; } -.#{$fa-css-prefix}-inverse { color: $fa-inverse; } diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_variables.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/_variables.scss deleted file mode 100644 index 1f374d6c9..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/_variables.scss +++ /dev/null @@ -1,735 +0,0 @@ -// Variables -// -------------------------- - -$fa-font-path: "../fonts" !default; -$fa-font-size-base: 14px !default; -$fa-line-height-base: 1 !default; -//$fa-font-path: "//netdna.bootstrapcdn.com/font-awesome/4.6.1/fonts" !default; // for referencing Bootstrap CDN font files directly -$fa-css-prefix: fa !default; -$fa-version: "4.6.1" !default; -$fa-border-color: #eee !default; -$fa-inverse: #fff !default; -$fa-li-width: (30em / 14) !default; - -$fa-var-500px: "\f26e"; -$fa-var-adjust: "\f042"; -$fa-var-adn: "\f170"; -$fa-var-align-center: "\f037"; -$fa-var-align-justify: "\f039"; -$fa-var-align-left: "\f036"; -$fa-var-align-right: "\f038"; -$fa-var-amazon: "\f270"; -$fa-var-ambulance: "\f0f9"; -$fa-var-american-sign-language-interpreting: "\f2a3"; -$fa-var-anchor: "\f13d"; -$fa-var-android: "\f17b"; -$fa-var-angellist: "\f209"; -$fa-var-angle-double-down: "\f103"; -$fa-var-angle-double-left: "\f100"; -$fa-var-angle-double-right: "\f101"; -$fa-var-angle-double-up: "\f102"; -$fa-var-angle-down: "\f107"; -$fa-var-angle-left: "\f104"; -$fa-var-angle-right: "\f105"; -$fa-var-angle-up: "\f106"; -$fa-var-apple: "\f179"; -$fa-var-archive: "\f187"; -$fa-var-area-chart: "\f1fe"; -$fa-var-arrow-circle-down: "\f0ab"; -$fa-var-arrow-circle-left: "\f0a8"; -$fa-var-arrow-circle-o-down: "\f01a"; -$fa-var-arrow-circle-o-left: "\f190"; -$fa-var-arrow-circle-o-right: "\f18e"; -$fa-var-arrow-circle-o-up: "\f01b"; -$fa-var-arrow-circle-right: "\f0a9"; -$fa-var-arrow-circle-up: "\f0aa"; -$fa-var-arrow-down: "\f063"; -$fa-var-arrow-left: "\f060"; -$fa-var-arrow-right: "\f061"; -$fa-var-arrow-up: "\f062"; -$fa-var-arrows: "\f047"; -$fa-var-arrows-alt: "\f0b2"; -$fa-var-arrows-h: "\f07e"; -$fa-var-arrows-v: "\f07d"; -$fa-var-asl-interpreting: "\f2a3"; -$fa-var-assistive-listening-systems: "\f2a2"; -$fa-var-asterisk: "\f069"; -$fa-var-at: "\f1fa"; -$fa-var-audio-description: "\f29e"; -$fa-var-automobile: "\f1b9"; -$fa-var-backward: "\f04a"; -$fa-var-balance-scale: "\f24e"; -$fa-var-ban: "\f05e"; -$fa-var-bank: "\f19c"; -$fa-var-bar-chart: "\f080"; -$fa-var-bar-chart-o: "\f080"; -$fa-var-barcode: "\f02a"; -$fa-var-bars: "\f0c9"; -$fa-var-battery-0: "\f244"; -$fa-var-battery-1: "\f243"; -$fa-var-battery-2: "\f242"; -$fa-var-battery-3: "\f241"; -$fa-var-battery-4: "\f240"; -$fa-var-battery-empty: "\f244"; -$fa-var-battery-full: "\f240"; -$fa-var-battery-half: "\f242"; -$fa-var-battery-quarter: "\f243"; -$fa-var-battery-three-quarters: "\f241"; -$fa-var-bed: "\f236"; -$fa-var-beer: "\f0fc"; -$fa-var-behance: "\f1b4"; -$fa-var-behance-square: "\f1b5"; -$fa-var-bell: "\f0f3"; -$fa-var-bell-o: "\f0a2"; -$fa-var-bell-slash: "\f1f6"; -$fa-var-bell-slash-o: "\f1f7"; -$fa-var-bicycle: "\f206"; -$fa-var-binoculars: "\f1e5"; -$fa-var-birthday-cake: "\f1fd"; -$fa-var-bitbucket: "\f171"; -$fa-var-bitbucket-square: "\f172"; -$fa-var-bitcoin: "\f15a"; -$fa-var-black-tie: "\f27e"; -$fa-var-blind: "\f29d"; -$fa-var-bluetooth: "\f293"; -$fa-var-bluetooth-b: "\f294"; -$fa-var-bold: "\f032"; -$fa-var-bolt: "\f0e7"; -$fa-var-bomb: "\f1e2"; -$fa-var-book: "\f02d"; -$fa-var-bookmark: "\f02e"; -$fa-var-bookmark-o: "\f097"; -$fa-var-braille: "\f2a1"; -$fa-var-briefcase: "\f0b1"; -$fa-var-btc: "\f15a"; -$fa-var-bug: "\f188"; -$fa-var-building: "\f1ad"; -$fa-var-building-o: "\f0f7"; -$fa-var-bullhorn: "\f0a1"; -$fa-var-bullseye: "\f140"; -$fa-var-bus: "\f207"; -$fa-var-buysellads: "\f20d"; -$fa-var-cab: "\f1ba"; -$fa-var-calculator: "\f1ec"; -$fa-var-calendar: "\f073"; -$fa-var-calendar-check-o: "\f274"; -$fa-var-calendar-minus-o: "\f272"; -$fa-var-calendar-o: "\f133"; -$fa-var-calendar-plus-o: "\f271"; -$fa-var-calendar-times-o: "\f273"; -$fa-var-camera: "\f030"; -$fa-var-camera-retro: "\f083"; -$fa-var-car: "\f1b9"; -$fa-var-caret-down: "\f0d7"; -$fa-var-caret-left: "\f0d9"; -$fa-var-caret-right: "\f0da"; -$fa-var-caret-square-o-down: "\f150"; -$fa-var-caret-square-o-left: "\f191"; -$fa-var-caret-square-o-right: "\f152"; -$fa-var-caret-square-o-up: "\f151"; -$fa-var-caret-up: "\f0d8"; -$fa-var-cart-arrow-down: "\f218"; -$fa-var-cart-plus: "\f217"; -$fa-var-cc: "\f20a"; -$fa-var-cc-amex: "\f1f3"; -$fa-var-cc-diners-club: "\f24c"; -$fa-var-cc-discover: "\f1f2"; -$fa-var-cc-jcb: "\f24b"; -$fa-var-cc-mastercard: "\f1f1"; -$fa-var-cc-paypal: "\f1f4"; -$fa-var-cc-stripe: "\f1f5"; -$fa-var-cc-visa: "\f1f0"; -$fa-var-certificate: "\f0a3"; -$fa-var-chain: "\f0c1"; -$fa-var-chain-broken: "\f127"; -$fa-var-check: "\f00c"; -$fa-var-check-circle: "\f058"; -$fa-var-check-circle-o: "\f05d"; -$fa-var-check-square: "\f14a"; -$fa-var-check-square-o: "\f046"; -$fa-var-chevron-circle-down: "\f13a"; -$fa-var-chevron-circle-left: "\f137"; -$fa-var-chevron-circle-right: "\f138"; -$fa-var-chevron-circle-up: "\f139"; -$fa-var-chevron-down: "\f078"; -$fa-var-chevron-left: "\f053"; -$fa-var-chevron-right: "\f054"; -$fa-var-chevron-up: "\f077"; -$fa-var-child: "\f1ae"; -$fa-var-chrome: "\f268"; -$fa-var-circle: "\f111"; -$fa-var-circle-o: "\f10c"; -$fa-var-circle-o-notch: "\f1ce"; -$fa-var-circle-thin: "\f1db"; -$fa-var-clipboard: "\f0ea"; -$fa-var-clock-o: "\f017"; -$fa-var-clone: "\f24d"; -$fa-var-close: "\f00d"; -$fa-var-cloud: "\f0c2"; -$fa-var-cloud-download: "\f0ed"; -$fa-var-cloud-upload: "\f0ee"; -$fa-var-cny: "\f157"; -$fa-var-code: "\f121"; -$fa-var-code-fork: "\f126"; -$fa-var-codepen: "\f1cb"; -$fa-var-codiepie: "\f284"; -$fa-var-coffee: "\f0f4"; -$fa-var-cog: "\f013"; -$fa-var-cogs: "\f085"; -$fa-var-columns: "\f0db"; -$fa-var-comment: "\f075"; -$fa-var-comment-o: "\f0e5"; -$fa-var-commenting: "\f27a"; -$fa-var-commenting-o: "\f27b"; -$fa-var-comments: "\f086"; -$fa-var-comments-o: "\f0e6"; -$fa-var-compass: "\f14e"; -$fa-var-compress: "\f066"; -$fa-var-connectdevelop: "\f20e"; -$fa-var-contao: "\f26d"; -$fa-var-copy: "\f0c5"; -$fa-var-copyright: "\f1f9"; -$fa-var-creative-commons: "\f25e"; -$fa-var-credit-card: "\f09d"; -$fa-var-credit-card-alt: "\f283"; -$fa-var-crop: "\f125"; -$fa-var-crosshairs: "\f05b"; -$fa-var-css3: "\f13c"; -$fa-var-cube: "\f1b2"; -$fa-var-cubes: "\f1b3"; -$fa-var-cut: "\f0c4"; -$fa-var-cutlery: "\f0f5"; -$fa-var-dashboard: "\f0e4"; -$fa-var-dashcube: "\f210"; -$fa-var-database: "\f1c0"; -$fa-var-deaf: "\f2a4"; -$fa-var-deafness: "\f2a4"; -$fa-var-dedent: "\f03b"; -$fa-var-delicious: "\f1a5"; -$fa-var-desktop: "\f108"; -$fa-var-deviantart: "\f1bd"; -$fa-var-diamond: "\f219"; -$fa-var-digg: "\f1a6"; -$fa-var-dollar: "\f155"; -$fa-var-dot-circle-o: "\f192"; -$fa-var-download: "\f019"; -$fa-var-dribbble: "\f17d"; -$fa-var-dropbox: "\f16b"; -$fa-var-drupal: "\f1a9"; -$fa-var-edge: "\f282"; -$fa-var-edit: "\f044"; -$fa-var-eject: "\f052"; -$fa-var-ellipsis-h: "\f141"; -$fa-var-ellipsis-v: "\f142"; -$fa-var-empire: "\f1d1"; -$fa-var-envelope: "\f0e0"; -$fa-var-envelope-o: "\f003"; -$fa-var-envelope-square: "\f199"; -$fa-var-envira: "\f299"; -$fa-var-eraser: "\f12d"; -$fa-var-eur: "\f153"; -$fa-var-euro: "\f153"; -$fa-var-exchange: "\f0ec"; -$fa-var-exclamation: "\f12a"; -$fa-var-exclamation-circle: "\f06a"; -$fa-var-exclamation-triangle: "\f071"; -$fa-var-expand: "\f065"; -$fa-var-expeditedssl: "\f23e"; -$fa-var-external-link: "\f08e"; -$fa-var-external-link-square: "\f14c"; -$fa-var-eye: "\f06e"; -$fa-var-eye-slash: "\f070"; -$fa-var-eyedropper: "\f1fb"; -$fa-var-facebook: "\f09a"; -$fa-var-facebook-f: "\f09a"; -$fa-var-facebook-official: "\f230"; -$fa-var-facebook-square: "\f082"; -$fa-var-fast-backward: "\f049"; -$fa-var-fast-forward: "\f050"; -$fa-var-fax: "\f1ac"; -$fa-var-feed: "\f09e"; -$fa-var-female: "\f182"; -$fa-var-fighter-jet: "\f0fb"; -$fa-var-file: "\f15b"; -$fa-var-file-archive-o: "\f1c6"; -$fa-var-file-audio-o: "\f1c7"; -$fa-var-file-code-o: "\f1c9"; -$fa-var-file-excel-o: "\f1c3"; -$fa-var-file-image-o: "\f1c5"; -$fa-var-file-movie-o: "\f1c8"; -$fa-var-file-o: "\f016"; -$fa-var-file-pdf-o: "\f1c1"; -$fa-var-file-photo-o: "\f1c5"; -$fa-var-file-picture-o: "\f1c5"; -$fa-var-file-powerpoint-o: "\f1c4"; -$fa-var-file-sound-o: "\f1c7"; -$fa-var-file-text: "\f15c"; -$fa-var-file-text-o: "\f0f6"; -$fa-var-file-video-o: "\f1c8"; -$fa-var-file-word-o: "\f1c2"; -$fa-var-file-zip-o: "\f1c6"; -$fa-var-files-o: "\f0c5"; -$fa-var-film: "\f008"; -$fa-var-filter: "\f0b0"; -$fa-var-fire: "\f06d"; -$fa-var-fire-extinguisher: "\f134"; -$fa-var-firefox: "\f269"; -$fa-var-flag: "\f024"; -$fa-var-flag-checkered: "\f11e"; -$fa-var-flag-o: "\f11d"; -$fa-var-flash: "\f0e7"; -$fa-var-flask: "\f0c3"; -$fa-var-flickr: "\f16e"; -$fa-var-floppy-o: "\f0c7"; -$fa-var-folder: "\f07b"; -$fa-var-folder-o: "\f114"; -$fa-var-folder-open: "\f07c"; -$fa-var-folder-open-o: "\f115"; -$fa-var-font: "\f031"; -$fa-var-fonticons: "\f280"; -$fa-var-fort-awesome: "\f286"; -$fa-var-forumbee: "\f211"; -$fa-var-forward: "\f04e"; -$fa-var-foursquare: "\f180"; -$fa-var-frown-o: "\f119"; -$fa-var-futbol-o: "\f1e3"; -$fa-var-gamepad: "\f11b"; -$fa-var-gavel: "\f0e3"; -$fa-var-gbp: "\f154"; -$fa-var-ge: "\f1d1"; -$fa-var-gear: "\f013"; -$fa-var-gears: "\f085"; -$fa-var-genderless: "\f22d"; -$fa-var-get-pocket: "\f265"; -$fa-var-gg: "\f260"; -$fa-var-gg-circle: "\f261"; -$fa-var-gift: "\f06b"; -$fa-var-git: "\f1d3"; -$fa-var-git-square: "\f1d2"; -$fa-var-github: "\f09b"; -$fa-var-github-alt: "\f113"; -$fa-var-github-square: "\f092"; -$fa-var-gitlab: "\f296"; -$fa-var-gittip: "\f184"; -$fa-var-glass: "\f000"; -$fa-var-glide: "\f2a5"; -$fa-var-glide-g: "\f2a6"; -$fa-var-globe: "\f0ac"; -$fa-var-google: "\f1a0"; -$fa-var-google-plus: "\f0d5"; -$fa-var-google-plus-square: "\f0d4"; -$fa-var-google-wallet: "\f1ee"; -$fa-var-graduation-cap: "\f19d"; -$fa-var-gratipay: "\f184"; -$fa-var-group: "\f0c0"; -$fa-var-h-square: "\f0fd"; -$fa-var-hacker-news: "\f1d4"; -$fa-var-hand-grab-o: "\f255"; -$fa-var-hand-lizard-o: "\f258"; -$fa-var-hand-o-down: "\f0a7"; -$fa-var-hand-o-left: "\f0a5"; -$fa-var-hand-o-right: "\f0a4"; -$fa-var-hand-o-up: "\f0a6"; -$fa-var-hand-paper-o: "\f256"; -$fa-var-hand-peace-o: "\f25b"; -$fa-var-hand-pointer-o: "\f25a"; -$fa-var-hand-rock-o: "\f255"; -$fa-var-hand-scissors-o: "\f257"; -$fa-var-hand-spock-o: "\f259"; -$fa-var-hand-stop-o: "\f256"; -$fa-var-hard-of-hearing: "\f2a4"; -$fa-var-hashtag: "\f292"; -$fa-var-hdd-o: "\f0a0"; -$fa-var-header: "\f1dc"; -$fa-var-headphones: "\f025"; -$fa-var-heart: "\f004"; -$fa-var-heart-o: "\f08a"; -$fa-var-heartbeat: "\f21e"; -$fa-var-history: "\f1da"; -$fa-var-home: "\f015"; -$fa-var-hospital-o: "\f0f8"; -$fa-var-hotel: "\f236"; -$fa-var-hourglass: "\f254"; -$fa-var-hourglass-1: "\f251"; -$fa-var-hourglass-2: "\f252"; -$fa-var-hourglass-3: "\f253"; -$fa-var-hourglass-end: "\f253"; -$fa-var-hourglass-half: "\f252"; -$fa-var-hourglass-o: "\f250"; -$fa-var-hourglass-start: "\f251"; -$fa-var-houzz: "\f27c"; -$fa-var-html5: "\f13b"; -$fa-var-i-cursor: "\f246"; -$fa-var-ils: "\f20b"; -$fa-var-image: "\f03e"; -$fa-var-inbox: "\f01c"; -$fa-var-indent: "\f03c"; -$fa-var-industry: "\f275"; -$fa-var-info: "\f129"; -$fa-var-info-circle: "\f05a"; -$fa-var-inr: "\f156"; -$fa-var-instagram: "\f16d"; -$fa-var-institution: "\f19c"; -$fa-var-internet-explorer: "\f26b"; -$fa-var-intersex: "\f224"; -$fa-var-ioxhost: "\f208"; -$fa-var-italic: "\f033"; -$fa-var-joomla: "\f1aa"; -$fa-var-jpy: "\f157"; -$fa-var-jsfiddle: "\f1cc"; -$fa-var-key: "\f084"; -$fa-var-keyboard-o: "\f11c"; -$fa-var-krw: "\f159"; -$fa-var-language: "\f1ab"; -$fa-var-laptop: "\f109"; -$fa-var-lastfm: "\f202"; -$fa-var-lastfm-square: "\f203"; -$fa-var-leaf: "\f06c"; -$fa-var-leanpub: "\f212"; -$fa-var-legal: "\f0e3"; -$fa-var-lemon-o: "\f094"; -$fa-var-level-down: "\f149"; -$fa-var-level-up: "\f148"; -$fa-var-life-bouy: "\f1cd"; -$fa-var-life-buoy: "\f1cd"; -$fa-var-life-ring: "\f1cd"; -$fa-var-life-saver: "\f1cd"; -$fa-var-lightbulb-o: "\f0eb"; -$fa-var-line-chart: "\f201"; -$fa-var-link: "\f0c1"; -$fa-var-linkedin: "\f0e1"; -$fa-var-linkedin-square: "\f08c"; -$fa-var-linux: "\f17c"; -$fa-var-list: "\f03a"; -$fa-var-list-alt: "\f022"; -$fa-var-list-ol: "\f0cb"; -$fa-var-list-ul: "\f0ca"; -$fa-var-location-arrow: "\f124"; -$fa-var-lock: "\f023"; -$fa-var-long-arrow-down: "\f175"; -$fa-var-long-arrow-left: "\f177"; -$fa-var-long-arrow-right: "\f178"; -$fa-var-long-arrow-up: "\f176"; -$fa-var-low-vision: "\f2a8"; -$fa-var-magic: "\f0d0"; -$fa-var-magnet: "\f076"; -$fa-var-mail-forward: "\f064"; -$fa-var-mail-reply: "\f112"; -$fa-var-mail-reply-all: "\f122"; -$fa-var-male: "\f183"; -$fa-var-map: "\f279"; -$fa-var-map-marker: "\f041"; -$fa-var-map-o: "\f278"; -$fa-var-map-pin: "\f276"; -$fa-var-map-signs: "\f277"; -$fa-var-mars: "\f222"; -$fa-var-mars-double: "\f227"; -$fa-var-mars-stroke: "\f229"; -$fa-var-mars-stroke-h: "\f22b"; -$fa-var-mars-stroke-v: "\f22a"; -$fa-var-maxcdn: "\f136"; -$fa-var-meanpath: "\f20c"; -$fa-var-medium: "\f23a"; -$fa-var-medkit: "\f0fa"; -$fa-var-meh-o: "\f11a"; -$fa-var-mercury: "\f223"; -$fa-var-microphone: "\f130"; -$fa-var-microphone-slash: "\f131"; -$fa-var-minus: "\f068"; -$fa-var-minus-circle: "\f056"; -$fa-var-minus-square: "\f146"; -$fa-var-minus-square-o: "\f147"; -$fa-var-mixcloud: "\f289"; -$fa-var-mobile: "\f10b"; -$fa-var-mobile-phone: "\f10b"; -$fa-var-modx: "\f285"; -$fa-var-money: "\f0d6"; -$fa-var-moon-o: "\f186"; -$fa-var-mortar-board: "\f19d"; -$fa-var-motorcycle: "\f21c"; -$fa-var-mouse-pointer: "\f245"; -$fa-var-music: "\f001"; -$fa-var-navicon: "\f0c9"; -$fa-var-neuter: "\f22c"; -$fa-var-newspaper-o: "\f1ea"; -$fa-var-object-group: "\f247"; -$fa-var-object-ungroup: "\f248"; -$fa-var-odnoklassniki: "\f263"; -$fa-var-odnoklassniki-square: "\f264"; -$fa-var-opencart: "\f23d"; -$fa-var-openid: "\f19b"; -$fa-var-opera: "\f26a"; -$fa-var-optin-monster: "\f23c"; -$fa-var-outdent: "\f03b"; -$fa-var-pagelines: "\f18c"; -$fa-var-paint-brush: "\f1fc"; -$fa-var-paper-plane: "\f1d8"; -$fa-var-paper-plane-o: "\f1d9"; -$fa-var-paperclip: "\f0c6"; -$fa-var-paragraph: "\f1dd"; -$fa-var-paste: "\f0ea"; -$fa-var-pause: "\f04c"; -$fa-var-pause-circle: "\f28b"; -$fa-var-pause-circle-o: "\f28c"; -$fa-var-paw: "\f1b0"; -$fa-var-paypal: "\f1ed"; -$fa-var-pencil: "\f040"; -$fa-var-pencil-square: "\f14b"; -$fa-var-pencil-square-o: "\f044"; -$fa-var-percent: "\f295"; -$fa-var-phone: "\f095"; -$fa-var-phone-square: "\f098"; -$fa-var-photo: "\f03e"; -$fa-var-picture-o: "\f03e"; -$fa-var-pie-chart: "\f200"; -$fa-var-pied-piper: "\f1a7"; -$fa-var-pied-piper-alt: "\f1a8"; -$fa-var-pinterest: "\f0d2"; -$fa-var-pinterest-p: "\f231"; -$fa-var-pinterest-square: "\f0d3"; -$fa-var-plane: "\f072"; -$fa-var-play: "\f04b"; -$fa-var-play-circle: "\f144"; -$fa-var-play-circle-o: "\f01d"; -$fa-var-plug: "\f1e6"; -$fa-var-plus: "\f067"; -$fa-var-plus-circle: "\f055"; -$fa-var-plus-square: "\f0fe"; -$fa-var-plus-square-o: "\f196"; -$fa-var-power-off: "\f011"; -$fa-var-print: "\f02f"; -$fa-var-product-hunt: "\f288"; -$fa-var-puzzle-piece: "\f12e"; -$fa-var-qq: "\f1d6"; -$fa-var-qrcode: "\f029"; -$fa-var-question: "\f128"; -$fa-var-question-circle: "\f059"; -$fa-var-question-circle-o: "\f29c"; -$fa-var-quote-left: "\f10d"; -$fa-var-quote-right: "\f10e"; -$fa-var-ra: "\f1d0"; -$fa-var-random: "\f074"; -$fa-var-rebel: "\f1d0"; -$fa-var-recycle: "\f1b8"; -$fa-var-reddit: "\f1a1"; -$fa-var-reddit-alien: "\f281"; -$fa-var-reddit-square: "\f1a2"; -$fa-var-refresh: "\f021"; -$fa-var-registered: "\f25d"; -$fa-var-remove: "\f00d"; -$fa-var-renren: "\f18b"; -$fa-var-reorder: "\f0c9"; -$fa-var-repeat: "\f01e"; -$fa-var-reply: "\f112"; -$fa-var-reply-all: "\f122"; -$fa-var-retweet: "\f079"; -$fa-var-rmb: "\f157"; -$fa-var-road: "\f018"; -$fa-var-rocket: "\f135"; -$fa-var-rotate-left: "\f0e2"; -$fa-var-rotate-right: "\f01e"; -$fa-var-rouble: "\f158"; -$fa-var-rss: "\f09e"; -$fa-var-rss-square: "\f143"; -$fa-var-rub: "\f158"; -$fa-var-ruble: "\f158"; -$fa-var-rupee: "\f156"; -$fa-var-safari: "\f267"; -$fa-var-save: "\f0c7"; -$fa-var-scissors: "\f0c4"; -$fa-var-scribd: "\f28a"; -$fa-var-search: "\f002"; -$fa-var-search-minus: "\f010"; -$fa-var-search-plus: "\f00e"; -$fa-var-sellsy: "\f213"; -$fa-var-send: "\f1d8"; -$fa-var-send-o: "\f1d9"; -$fa-var-server: "\f233"; -$fa-var-share: "\f064"; -$fa-var-share-alt: "\f1e0"; -$fa-var-share-alt-square: "\f1e1"; -$fa-var-share-square: "\f14d"; -$fa-var-share-square-o: "\f045"; -$fa-var-shekel: "\f20b"; -$fa-var-sheqel: "\f20b"; -$fa-var-shield: "\f132"; -$fa-var-ship: "\f21a"; -$fa-var-shirtsinbulk: "\f214"; -$fa-var-shopping-bag: "\f290"; -$fa-var-shopping-basket: "\f291"; -$fa-var-shopping-cart: "\f07a"; -$fa-var-sign-in: "\f090"; -$fa-var-sign-language: "\f2a7"; -$fa-var-sign-out: "\f08b"; -$fa-var-signal: "\f012"; -$fa-var-signing: "\f2a7"; -$fa-var-simplybuilt: "\f215"; -$fa-var-sitemap: "\f0e8"; -$fa-var-skyatlas: "\f216"; -$fa-var-skype: "\f17e"; -$fa-var-slack: "\f198"; -$fa-var-sliders: "\f1de"; -$fa-var-slideshare: "\f1e7"; -$fa-var-smile-o: "\f118"; -$fa-var-snapchat: "\f2ab"; -$fa-var-snapchat-ghost: "\f2ac"; -$fa-var-snapchat-square: "\f2ad"; -$fa-var-soccer-ball-o: "\f1e3"; -$fa-var-sort: "\f0dc"; -$fa-var-sort-alpha-asc: "\f15d"; -$fa-var-sort-alpha-desc: "\f15e"; -$fa-var-sort-amount-asc: "\f160"; -$fa-var-sort-amount-desc: "\f161"; -$fa-var-sort-asc: "\f0de"; -$fa-var-sort-desc: "\f0dd"; -$fa-var-sort-down: "\f0dd"; -$fa-var-sort-numeric-asc: "\f162"; -$fa-var-sort-numeric-desc: "\f163"; -$fa-var-sort-up: "\f0de"; -$fa-var-soundcloud: "\f1be"; -$fa-var-space-shuttle: "\f197"; -$fa-var-spinner: "\f110"; -$fa-var-spoon: "\f1b1"; -$fa-var-spotify: "\f1bc"; -$fa-var-square: "\f0c8"; -$fa-var-square-o: "\f096"; -$fa-var-stack-exchange: "\f18d"; -$fa-var-stack-overflow: "\f16c"; -$fa-var-star: "\f005"; -$fa-var-star-half: "\f089"; -$fa-var-star-half-empty: "\f123"; -$fa-var-star-half-full: "\f123"; -$fa-var-star-half-o: "\f123"; -$fa-var-star-o: "\f006"; -$fa-var-steam: "\f1b6"; -$fa-var-steam-square: "\f1b7"; -$fa-var-step-backward: "\f048"; -$fa-var-step-forward: "\f051"; -$fa-var-stethoscope: "\f0f1"; -$fa-var-sticky-note: "\f249"; -$fa-var-sticky-note-o: "\f24a"; -$fa-var-stop: "\f04d"; -$fa-var-stop-circle: "\f28d"; -$fa-var-stop-circle-o: "\f28e"; -$fa-var-street-view: "\f21d"; -$fa-var-strikethrough: "\f0cc"; -$fa-var-stumbleupon: "\f1a4"; -$fa-var-stumbleupon-circle: "\f1a3"; -$fa-var-subscript: "\f12c"; -$fa-var-subway: "\f239"; -$fa-var-suitcase: "\f0f2"; -$fa-var-sun-o: "\f185"; -$fa-var-superscript: "\f12b"; -$fa-var-support: "\f1cd"; -$fa-var-table: "\f0ce"; -$fa-var-tablet: "\f10a"; -$fa-var-tachometer: "\f0e4"; -$fa-var-tag: "\f02b"; -$fa-var-tags: "\f02c"; -$fa-var-tasks: "\f0ae"; -$fa-var-taxi: "\f1ba"; -$fa-var-television: "\f26c"; -$fa-var-tencent-weibo: "\f1d5"; -$fa-var-terminal: "\f120"; -$fa-var-text-height: "\f034"; -$fa-var-text-width: "\f035"; -$fa-var-th: "\f00a"; -$fa-var-th-large: "\f009"; -$fa-var-th-list: "\f00b"; -$fa-var-thumb-tack: "\f08d"; -$fa-var-thumbs-down: "\f165"; -$fa-var-thumbs-o-down: "\f088"; -$fa-var-thumbs-o-up: "\f087"; -$fa-var-thumbs-up: "\f164"; -$fa-var-ticket: "\f145"; -$fa-var-times: "\f00d"; -$fa-var-times-circle: "\f057"; -$fa-var-times-circle-o: "\f05c"; -$fa-var-tint: "\f043"; -$fa-var-toggle-down: "\f150"; -$fa-var-toggle-left: "\f191"; -$fa-var-toggle-off: "\f204"; -$fa-var-toggle-on: "\f205"; -$fa-var-toggle-right: "\f152"; -$fa-var-toggle-up: "\f151"; -$fa-var-trademark: "\f25c"; -$fa-var-train: "\f238"; -$fa-var-transgender: "\f224"; -$fa-var-transgender-alt: "\f225"; -$fa-var-trash: "\f1f8"; -$fa-var-trash-o: "\f014"; -$fa-var-tree: "\f1bb"; -$fa-var-trello: "\f181"; -$fa-var-tripadvisor: "\f262"; -$fa-var-trophy: "\f091"; -$fa-var-truck: "\f0d1"; -$fa-var-try: "\f195"; -$fa-var-tty: "\f1e4"; -$fa-var-tumblr: "\f173"; -$fa-var-tumblr-square: "\f174"; -$fa-var-turkish-lira: "\f195"; -$fa-var-tv: "\f26c"; -$fa-var-twitch: "\f1e8"; -$fa-var-twitter: "\f099"; -$fa-var-twitter-square: "\f081"; -$fa-var-umbrella: "\f0e9"; -$fa-var-underline: "\f0cd"; -$fa-var-undo: "\f0e2"; -$fa-var-universal-access: "\f29a"; -$fa-var-university: "\f19c"; -$fa-var-unlink: "\f127"; -$fa-var-unlock: "\f09c"; -$fa-var-unlock-alt: "\f13e"; -$fa-var-unsorted: "\f0dc"; -$fa-var-upload: "\f093"; -$fa-var-usb: "\f287"; -$fa-var-usd: "\f155"; -$fa-var-user: "\f007"; -$fa-var-user-md: "\f0f0"; -$fa-var-user-plus: "\f234"; -$fa-var-user-secret: "\f21b"; -$fa-var-user-times: "\f235"; -$fa-var-users: "\f0c0"; -$fa-var-venus: "\f221"; -$fa-var-venus-double: "\f226"; -$fa-var-venus-mars: "\f228"; -$fa-var-viacoin: "\f237"; -$fa-var-viadeo: "\f2a9"; -$fa-var-viadeo-square: "\f2aa"; -$fa-var-video-camera: "\f03d"; -$fa-var-vimeo: "\f27d"; -$fa-var-vimeo-square: "\f194"; -$fa-var-vine: "\f1ca"; -$fa-var-vk: "\f189"; -$fa-var-volume-control-phone: "\f2a0"; -$fa-var-volume-down: "\f027"; -$fa-var-volume-off: "\f026"; -$fa-var-volume-up: "\f028"; -$fa-var-warning: "\f071"; -$fa-var-wechat: "\f1d7"; -$fa-var-weibo: "\f18a"; -$fa-var-weixin: "\f1d7"; -$fa-var-whatsapp: "\f232"; -$fa-var-wheelchair: "\f193"; -$fa-var-wheelchair-alt: "\f29b"; -$fa-var-wifi: "\f1eb"; -$fa-var-wikipedia-w: "\f266"; -$fa-var-windows: "\f17a"; -$fa-var-won: "\f159"; -$fa-var-wordpress: "\f19a"; -$fa-var-wpbeginner: "\f297"; -$fa-var-wpforms: "\f298"; -$fa-var-wrench: "\f0ad"; -$fa-var-xing: "\f168"; -$fa-var-xing-square: "\f169"; -$fa-var-y-combinator: "\f23b"; -$fa-var-y-combinator-square: "\f1d4"; -$fa-var-yahoo: "\f19e"; -$fa-var-yc: "\f23b"; -$fa-var-yc-square: "\f1d4"; -$fa-var-yelp: "\f1e9"; -$fa-var-yen: "\f157"; -$fa-var-youtube: "\f167"; -$fa-var-youtube-play: "\f16a"; -$fa-var-youtube-square: "\f166"; - diff --git a/iam-login-service/src/main/webapp/resources/font-awesome/scss/font-awesome.scss b/iam-login-service/src/main/webapp/resources/font-awesome/scss/font-awesome.scss deleted file mode 100644 index a19d664c3..000000000 --- a/iam-login-service/src/main/webapp/resources/font-awesome/scss/font-awesome.scss +++ /dev/null @@ -1,18 +0,0 @@ -/*! - * Font Awesome 4.6.1 by @davegandy - http://fontawesome.io - @fontawesome - * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License) - */ - -@import "variables"; -@import "mixins"; -@import "path"; -@import "core"; -@import "larger"; -@import "fixed-width"; -@import "list"; -@import "bordered-pulled"; -@import "animated"; -@import "rotated-flipped"; -@import "stacked"; -@import "icons"; -@import "screen-reader"; diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/registration/registration.html b/iam-login-service/src/main/webapp/resources/iam/apps/registration/registration.html index 9f960a48c..094f02132 100644 --- a/iam-login-service/src/main/webapp/resources/iam/apps/registration/registration.html +++ b/iam-login-service/src/main/webapp/resources/iam/apps/registration/registration.html @@ -79,8 +79,10 @@

- + + + Please writes a reason for your registration +
diff --git a/iam-login-service/src/main/webapp/resources/iam/css/iam.css b/iam-login-service/src/main/webapp/resources/iam/css/iam.css index 767aac871..0745c2120 100644 --- a/iam-login-service/src/main/webapp/resources/iam/css/iam.css +++ b/iam-login-service/src/main/webapp/resources/iam/css/iam.css @@ -183,7 +183,7 @@ body.skin-blue { .version-info{ text-align: center; position: absolute; - color: #4b646f; + color: #b8c7ce; background: #1a2226; bottom: 0; @@ -191,4 +191,14 @@ body.skin-blue { width: 230px; height: 50px; font-size: 12px; +} + +.subjectDn { + font-weight: 600; +} + +.issuerDn { + margin-top: .2em; + font-size: smaller; + color: #4b646f; } \ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/groups/user.groups.component.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/groups/user.groups.component.js index 821b26bb4..7d4e6ede6 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/groups/user.groups.component.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/groups/user.groups.component.js @@ -11,12 +11,12 @@ self.isVoAdmin = function() { return self.userCtrl.isVoAdmin(); }; - self.handleSuccess = function() { + self.handleSuccess = function(msg) { self.enabled = true; - self.userCtrl.loadUser().then(function(user) { + self.userCtrl.loadUser().then(function() { toaster.pop({ type: 'success', - body: `User '${user.name.formatted}' groups updated succesfully` + body: msg }); }); }; @@ -48,7 +48,9 @@ .removeUserFromGroup( group.value, self.user.id, self.user.meta.location, self.user.name.formatted) - .then(self.handleSuccess) + .then(function(){ + self.handleSuccess(`User removed from group '${group.display}'`); + }) .catch(self.userCtrl.handleError); }); diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/oidc-id.add.dialog.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/oidc-id.add.dialog.html new file mode 100644 index 000000000..b2598fd91 --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/oidc-id.add.dialog.html @@ -0,0 +1,44 @@ +
+

Add OpenID Connect account to {{$ctrl.user.name.formatted}}

+
+
+
+
+ + + + + Please set the OpenID provider ID + + + OpenID provider ID must be at most 256 characters long + +
+ +
+ + + + Please set the OpenID provider subject + + + OpenID provider subject must be at most 256 characters long + + + {{ $ctrl.error.data.detail }} + +
+ +
+
+ +
+ + + +
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/oidc-id.remove.dialog.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/oidc-id.remove.dialog.html new file mode 100644 index 000000000..d5233e45d --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/oidc-id.remove.dialog.html @@ -0,0 +1,25 @@ +
+

Remove OpenID Connect account from {{$ctrl.user.name.formatted}}?

+
+
+

+ The following OpenID Connect account will be removed from {{$ctrl.user.name.formatted}} account: +

+ +
+
OpenID provider issuer
+
{{$ctrl.account.issuer}}
+
OpenID provider subject
+
{{$ctrl.account.subject}}
+
+

+ Login with the above linked OpenID Connect account will not be possible for user {{$ctrl.user.name.formatted}} if you proceed. +

+
+ +
+ +
+ + +
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.html index c34f21f92..e48539d34 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.html +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.html @@ -21,10 +21,10 @@

OpenID-Connect accounts

{{ oidcId.subject }}
- -
@@ -35,11 +35,11 @@

OpenID-Connect accounts

- -
diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.js index e40de6654..4e0501213 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.js @@ -1,6 +1,76 @@ -(function() { +(function () { 'use strict'; + function RemoveOidcController($uibModalInstance, scimFactory, user, account) { + var self = this; + + self.user = user; + self.enabled = true; + self.error = undefined; + self.account = account; + + self.doRemove = function () { + self.error = undefined; + self.enabled = false; + scimFactory.removeOpenIDAccount(self.user.id, self.account).then(function (response) { + $uibModalInstance.close('OpenID Connect account removed'); + self.enabled = true; + }).catch(function (error) { + console.error(error); + self.error = error; + self.enabled = true; + }); + }; + + self.cancel = function () { + $uibModalInstance.dismiss('Dismissed'); + }; + } + + + function AddOidcController($uibModalInstance, scimFactory, user) { + var self = this; + + self.user = user; + self.enabled = true; + self.error = undefined; + + self.reset = function () { + self.account = { + "issuer": "", + "subject": "" + }; + self.enabled = true; + }; + + self.reset(); + + self.doAdd = function () { + self.error = undefined; + self.enabled = false; + scimFactory.addOpenIDAccount(self.user.id, self.account).then(function (response) { + $uibModalInstance.close('OpenID Connect account added'); + self.enabled = true; + }).catch(function (error) { + console.error(error); + self.error = error; + self.enabled = true; + }); + }; + + self.cancel = function () { + $uibModalInstance.dismiss('Dismissed'); + }; + + self.reset = function () { + self.account = { + "issuer": "", + "subject": "" + }; + self.enabled = true; + }; + } + function LinkOidcController(AccountLinkingService, $uibModalInstance, action, account) { var self = this; @@ -10,51 +80,48 @@ self.account = account; self.enabled = true; - self.doLink = function() { + self.doLink = function () { self.enabled = false; document.getElementById("link-account-form").submit(); }; - self.doUnlink = function() { + self.doUnlink = function () { self.enabled = false; - AccountLinkingService.unlinkOidcAccount(self.account).then(function(response){ - $uibModalInstance.close(response); - }).catch(function(error){ + AccountLinkingService.unlinkOidcAccount(self.account).then(function (response) { + $uibModalInstance.close("Google account unlinked"); + }).catch(function (error) { console.error(error); }); }; - self.cancel = function() { $uibModalInstance.dismiss('Dismissed'); }; + self.cancel = function () { + $uibModalInstance.dismiss('Dismissed'); + }; } function UserOidcController($uibModal, toaster, ModalService, scimFactory) { var self = this; - self.indigoUser = function() { + self.indigoUser = function () { return self.user['urn:indigo-dc:scim:schemas:IndigoUser']; }; - self.isMe = function() { return self.userCtrl.isMe(); }; - - self.isVoAdmin = function() { return self.userCtrl.isVoAdmin(); }; - - self.$onInit = function() { + self.$onInit = function () { console.log('UserOidcController onInit'); self.enabled = true; }; - self.handleSuccess = function(user) { + self.handleSuccess = function (msg) { self.enabled = true; - self.userCtrl.loadUser().then(function(user) { + self.userCtrl.loadUser().then(function () { toaster.pop({ type: 'success', - body: - `User '${user.name.formatted}' OpenID-Connect accounts updated succesfully` + body: msg }); }); }; - self.hasOidcIds = function() { + self.hasOidcIds = function () { var oidcIds = self.getOidcIds(); if (oidcIds) { @@ -64,7 +131,7 @@ return false; }; - self.getOidcIds = function() { + self.getOidcIds = function () { if (self.indigoUser()) { return self.indigoUser().oidcIds; } @@ -72,40 +139,52 @@ return undefined; }; - self.openAddOidcAccountDialog = function() { + self.openAddOidcAccountDialog = function () { var modalInstance = $uibModal.open({ - templateUrl: '/resources/iam/template/dashboard/user/addoidc.html', - controller: 'AddOIDCAccountController', - controllerAs: 'addOidcCtrl', - resolve: {user: function() { return self.user; }} + templateUrl: '/resources/iam/js/dashboard-app/components/user/oidc/oidc-id.add.dialog.html', + controller: AddOidcController, + controllerAs: '$ctrl', + resolve: { + user: function () { + return self.user; + } + } }); modalInstance.result.then(self.handleSuccess); }; - self.openLinkOidcAccountDialog = function() { + self.openLinkOidcAccountDialog = function () { var modalInstance = $uibModal.open({ - templateUrl: - '/resources/iam/js/dashboard-app/components/common/user.linking.dialog.html', + templateUrl: '/resources/iam/js/dashboard-app/components/common/user.linking.dialog.html', controller: LinkOidcController, controllerAs: '$ctrl', - resolve: {action: function() { return 'link'; }, account: undefined} + resolve: { + action: function () { + return 'link'; + }, + account: undefined + } }); modalInstance.result.then(self.handleSuccess); }; - self.openUnlinkOidcAccountDialog = function(oidcId) { + self.openUnlinkOidcAccountDialog = function (oidcId) { var modalInstance = $uibModal.open({ - templateUrl: - '/resources/iam/js/dashboard-app/components/common/user.linking.dialog.html', + templateUrl: '/resources/iam/js/dashboard-app/components/common/user.linking.dialog.html', controller: LinkOidcController, controllerAs: '$ctrl', resolve: { - action: function() { return 'unlink'; }, - account: function() { - return { iss: oidcId.issuer, sub: oidcId.subject } + action: function () { + return 'unlink'; + }, + account: function () { + return { + iss: oidcId.issuer, + sub: oidcId.subject + } } } }); @@ -115,33 +194,32 @@ - self.openRemoveOidcAccountDialog = function(oidcId) { - var account = `${oidcId.issuer} : ${oidcId.subject}`; - - var modalOptions = { - closeButtonText: 'Cancel', - actionButtonText: `Remove OpenID-Connect Account'`, - headerText: - `Remove OpenID-Connect Account from user '${self.user.name.formatted}'`, - bodyText: - `Are you sure you want to remove the following Open ID Account from user '${self.user.name.formatted}'?`, - bodyDetail: account - }; + self.openRemoveOidcAccountDialog = function (oidcId) { - ModalService.showModal({}, modalOptions).then(function() { - scimFactory - .removeOpenIDAccount(self.user.id, oidcId.issuer, oidcId.subject) - .then(self.handleSuccess) - .catch(self.userCtrl.handleError); + var modalInstance = $uibModal.open({ + templateUrl: '/resources/iam/js/dashboard-app/components/user/oidc/oidc-id.remove.dialog.html', + controller: RemoveOidcController, + controllerAs: '$ctrl', + resolve: { + user: function () { + return self.user; + }, + account: oidcId + } }); + + modalInstance.result.then(self.handleSuccess); }; } angular.module('dashboardApp').component('userOidc', { - require: {userCtrl: '^user'}, - bindings: {user: '='}, - templateUrl: - '/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.html', + require: { + userCtrl: '^user' + }, + bindings: { + user: '=' + }, + templateUrl: '/resources/iam/js/dashboard-app/components/user/oidc/user.oidc.component.html', controller: [ '$uibModal', 'toaster', 'ModalService', 'scimFactory', UserOidcController ] diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.add.dialog.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.add.dialog.html new file mode 100644 index 000000000..9160045d4 --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.add.dialog.html @@ -0,0 +1,57 @@ +
+

Add SAML account to {{$ctrl.user.name.formatted}}

+
+
+
+
+ + + + + Please set the IDP entity ID + + + IDP entity id must be at most 256 characters long + +
+ +
+ + +
+ +
+ + + + Please set an attribute value + + + Attribute value must be at most 256 characters long + +
+ + + {{$ctrl.error.data}} + + +
+
+ +
+ + + +
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.remove.dialog.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.remove.dialog.html new file mode 100644 index 000000000..989ace68c --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.remove.dialog.html @@ -0,0 +1,28 @@ +
+

Remove SAML account from {{$ctrl.user.name.formatted}}?

+
+
+

+ The following SAML account will be removed from {{$ctrl.user.name.formatted}} account: +

+ +
+
IDP entity ID
+
{{$ctrl.samlId.idpId}}
+
SAML attribute ID
+
{{$ctrl.samlId.attributeId}}
+
SAML attribute value
+
{{$ctrl.samlId.userId}}
+
+

+ Login with the above linked SAML account will not be possible for user {{$ctrl.user.name.formatted}} if you proceed. +

+
+ + + +
+ + + +
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.unlink.dialog.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.unlink.dialog.html new file mode 100644 index 000000000..85c6565c2 --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/saml-id.unlink.dialog.html @@ -0,0 +1,32 @@ +
+

Unlink SAML account?

+
+
+

+ The following SAML account will be unlinked from your account: +

+ +
+
IDP entity ID
+
{{$ctrl.account.idpId}}
+
SAML attribute ID
+
{{$ctrl.account.attributeId}}
+
SAML attribute value
+
{{$ctrl.account.userId}}
+
+

+ Login with the above linked SAML account will not be possible if you proceed. +

+ +
+ {{$ctrl.error.statusText}} +
+
+ + + +
+ + + +
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.html index a82f55ee5..d1ee2397c 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.html +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.html @@ -5,29 +5,33 @@

Saml accounts

- +
No SAML account found
+
- - + + + + +
Identity Provider IDUser IDIdP Entity IDAttributeAttribute Value
{{ samlId.idpId }}{{ samlId.attributeId }} {{ samlId.userId }}
- -
@@ -36,12 +40,13 @@

Saml accounts
+
- -
diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.js index 13988db66..457974be0 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.js @@ -1,6 +1,68 @@ -(function() { +(function () { 'use strict'; + function RemoveSamlIdController($uibModalInstance, scimFactory, user, samlId) { + var self = this; + + self.error = undefined; + self.user = user; + self.samlId = samlId; + self.enabled = true; + + + self.cancel = function () { + $uibModalInstance.dismiss("Cancel"); + }; + + self.doRemove = function () { + self.enabled = false; + self.error = undefined; + scimFactory.removeSamlId(self.user.id, self.samlId).then(function (response) { + $uibModalInstance.close(`SAML account removed`); + self.enabled = true; + }).catch(function (error) { + console.error(error); + self.error = error; + self.enabled = true; + }); + }; + } + + function AddSamlIdController($uibModalInstance, scimFactory, user) { + var self = this; + + self.error = undefined; + self.user = user; + + self.reset = function () { + self.samlId = { + "idpId": "", + "attributeId": "", + "userId": "" + }; + self.enabled = true; + }; + + self.reset(); + + self.cancel = function () { + $uibModalInstance.dismiss("Cancel"); + }; + + self.doAdd = function () { + self.error = undefined; + self.enabled = false; + scimFactory.addSamlId(self.user.id, self.samlId).then(function (response) { + $uibModalInstance.close(`SAML account added`); + self.enabled = true; + }).catch(function (error) { + console.error(error); + self.error = error; + self.enabled = true; + }); + }; + } + function LinkSamlController(AccountLinkingService, $uibModalInstance, action, account) { var self = this; @@ -9,45 +71,64 @@ self.actionUrl = '/iam/account-linking/SAML'; self.type = 'SAML'; self.account = account; + self.error = undefined; self.doLink = function() { self.enabled = false; document.getElementById("link-account-form").submit(); }; - self.doUnlink = function() { + + self.doUnlink = function () { self.enabled = false; - AccountLinkingService.unlinkSamlAccount(self.account).then(function(response){ - $uibModalInstance.close(response); - }).catch(function(error){ + self.error = undefined; + + AccountLinkingService.unlinkSamlAccount({ + iss: self.account.idpId, + attr: self.account.attributeId, + sub: self.account.userId + }).then(function (response) { + $uibModalInstance.close("SAML account unlinked"); + }).catch(function (error) { console.error(error); + + self.error = error; + self.enabled = true; }); }; - self.cancel = function() { $uibModalInstance.dismiss('Dismissed'); }; + self.cancel = function () { + $uibModalInstance.dismiss('Dismissed'); + }; } function IdpSelectionController( - $scope, $http, $uibModalInstance, $window, $timeout) { - $scope.ok = function() { + $scope, $http, $uibModalInstance, $window, $timeout) { + $scope.ok = function () { $window.location.href = '/saml/login?idp=' + $scope.idpSelected.entityId; }; - $scope.cancel = function() { $uibModalInstance.close(); }; + $scope.cancel = function () { + $uibModalInstance.close(); + }; - $scope.reset = function() { + $scope.reset = function () { $scope.idpSelected = null; - $timeout(function() { + $timeout(function () { $window.document.getElementById('idp-selection-input').focus(); }, 0); }; - $scope.lookupIdp = function(val) { + $scope.lookupIdp = function (val) { var result = - $http.get('/saml/idps', {params: {q: val}}).then(function(response) { - return response.data; - }); + $http.get('/saml/idps', { + params: { + q: val + } + }).then(function (response) { + return response.data; + }); return result; }; @@ -56,86 +137,119 @@ function UserSamlController(toaster, $uibModal, ModalService, scimFactory) { var self = this; - self.indigoUser = function() { + self.SAML_ATTRIBUTES = [{ + name: "eduPersonUniqueId", + oid: "urn:oid:1.3.6.1.4.1.5923.1.1.1.13" + }, { + name: "eduPersonTargetedId", + oid: "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" + }, { + name: "eduPersonPrincipalName", + oid: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" + }, { + name: "eduPersonOrcid", + oid: "urn:oid:1.3.6.1.4.1.5923.1.1.1.16" + }, { + name: "employeeNumber", + oid: "urn:oid:2.16.840.1.113730.3.1.3" + }, { + name: "spidCode", + oid: "spidCode" + }]; + + self.SAML_NAME_TO_OID = {}; + self.SAML_OID_TO_NAME = {}; + + for (let v in self.SAML_ATTRIBUTES) { + self.SAML_NAME_TO_OID[v.name] = v.oid; + self.SAML_OID_TO_NAME[v.oid] = v.name; + } + + self.samlAttributeNameToOid = function (name) { + return self.SAML_NAME_TO_OID[name]; + }; + + self.samlAttributeOidToName = function (oid) { + return self.SAML_OID_TO_NAME[oid]; + }; + + self.indigoUser = function () { return self.user['urn:indigo-dc:scim:schemas:IndigoUser']; }; - self.$onInit = function() { + self.$onInit = function () { console.log('UserSamlController onInit'); self.enabled = true; }; - self.isVoAdmin = function() { return self.userCtrl.isVoAdmin(); }; - - self.isMe = function() { return self.userCtrl.isMe(); }; - - self.handleSuccess = function(user) { + self.handleSuccess = function (msg) { self.enabled = true; - self.userCtrl.loadUser().then(function(user) { + self.userCtrl.loadUser().then(function () { toaster.pop({ type: 'success', - body: - `User '${user.name.formatted}' SAML accounts updated succesfully` + body: msg }); }); }; - - self.openLinkSamlAccountDialog = function() { + + self.openLinkSamlAccountDialog = function () { var modalInstance = $uibModal.open({ - templateUrl: - '/resources/iam/js/dashboard-app/components/common/user.linking.dialog.html', + templateUrl: '/resources/iam/js/dashboard-app/components/common/user.linking.dialog.html', controller: LinkSamlController, controllerAs: '$ctrl', - resolve: {action: function() { return 'link'; }, account: undefined} + resolve: { + action: function () { + return 'link'; + }, + account: undefined + } }); modalInstance.result.then(self.handleSuccess); }; - self.openAddSamlAccountDialog = function() { + self.openAddSamlAccountDialog = function () { var modalInstance = $uibModal.open({ - templateUrl: - '/resources/iam/template/dashboard/user/addsamlaccount.html', - controller: 'AddSamlAccountController', - controllerAs: 'addSamlAccountCtrl', - resolve: {user: function() { return self.user; }} + templateUrl: '/resources/iam/js/dashboard-app/components/user/saml/saml-id.add.dialog.html', + controller: AddSamlIdController, + controllerAs: '$ctrl', + resolve: { + user: function () { + return self.user; + } + } }); modalInstance.result.then(self.handleSuccess); }; - self.openRemoveSamlAccountDialog = function(samlId) { - var account = `${samlId.idpId} : ${samlId.userId}`; - - var modalOptions = { - closeButtonText: 'Cancel', - actionButtonText: 'Remove SAML Account', - headerText: - `Remove SAML account from user '${self.user.name.formatted}'`, - bodyText: - `Are you sure you want to remove the following SAML Account from user '${self.user.name.formatted}'?`, - bodyDetail: account - }; - - ModalService.showModal({}, modalOptions).then(function() { - scimFactory.removeSamlId(self.user.id, samlId) - .then(self.handleSuccess) - .catch(self.userCtrl.handleError); + self.openRemoveSamlAccountDialog = function (samlId) { + var modalInstance = $uibModal.open({ + templateUrl: '/resources/iam/js/dashboard-app/components/user/saml/saml-id.remove.dialog.html', + controller: RemoveSamlIdController, + controllerAs: '$ctrl', + resolve: { + user: function () { + return self.user; + }, + samlId: samlId + } }); + + modalInstance.result.then(self.handleSuccess); }; - self.openUnlinkSamlAccountDialog = function(samlId) { + self.openUnlinkSamlAccountDialog = function (samlId) { var modalInstance = $uibModal.open({ - templateUrl: - '/resources/iam/js/dashboard-app/components/common/user.linking.dialog.html', + templateUrl: '/resources/iam/js/dashboard-app/components/user/saml/saml-id.unlink.dialog.html', controller: LinkSamlController, controllerAs: '$ctrl', resolve: { - action: function() { return 'unlink'; }, - account: function() { - return { iss: samlId.idpId, sub: samlId.userId } - } + action: function () { + return 'unlink'; + }, + account: samlId } }); @@ -143,7 +257,7 @@ }; - self.hasSamlIds = function() { + self.hasSamlIds = function () { var samlIds = self.getSamlIds(); if (samlIds) { @@ -153,7 +267,7 @@ return false; }; - self.getSamlIds = function() { + self.getSamlIds = function () { if (self.indigoUser()) { return self.indigoUser().samlIds; } @@ -163,12 +277,15 @@ } angular.module('dashboardApp').component('userSaml', { - require: {userCtrl: '^user'}, - bindings: {user: '='}, - templateUrl: - '/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.html', + require: { + userCtrl: '^user' + }, + bindings: { + user: '=' + }, + templateUrl: '/resources/iam/js/dashboard-app/components/user/saml/user.saml.component.html', controller: [ 'toaster', '$uibModal', 'ModalService', 'scimFactory', UserSamlController ] }); -})(); \ No newline at end of file +})(); diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/user.component.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/user.component.html index eca94cca2..9e1927c7b 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/user.component.html +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/user.component.html @@ -45,6 +45,7 @@

+ diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/user.component.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/user.component.js index 019b3561d..e1f13e103 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/user.component.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/user.component.js @@ -12,10 +12,26 @@ $timeout(self.showAccountLinkingFeedback, 0); }; + self.accountLinkingEnabled = getAccountLinkingEnabled(); + self.isVoAdmin = function() { return Utils.isAdmin(); }; self.userIsVoAdmin = function() { return Utils.userIsVoAdmin(self.user); }; + self.isMe = function() { return Utils.isMe(self.user.id); }; + + self.canManageLinkedAccounts = function() { + if (!self.accountLinkingEnabled){ + return self.isVoAdmin(); + } + + return self.isVoAdmin() && !self.isMe(); + }; + + self.canLinkAccounts = function() { + return self.accountLinkingEnabled && self.isMe(); + }; + self.showAccountLinkingFeedback = function() { if (_accountLinkingError){ toaster.pop({type: 'error', body: _accountLinkingError}); @@ -28,8 +44,6 @@ } }; - self.isMe = function() { return Utils.isMe(self.user.id); }; - self.handleError = function(error) { console.error(error); toaster.pop({type: 'error', body: error}); diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.add.dialog.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.add.dialog.html new file mode 100644 index 000000000..b9727ea27 --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.add.dialog.html @@ -0,0 +1,49 @@ +
+

+ Add an X.509 certificate to {{$ctrl.user.name.formatted}} IAM account? +

+
+ +
+
+ +

{{$ctrl.user.name.formatted}}

+
+
+
+ + + Please provide a label + + + Label must be at least 2 characters long + + + Label must be at most 36 characters long + +
+ +
+ + + + {{ $ctrl.error.data.detail }} + + + Please paste here a PEM-encoded certificate + +
+
+
+ +
+ + + + + +
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.link.dialog.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.link.dialog.html new file mode 100644 index 000000000..40ef54768 --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.link.dialog.html @@ -0,0 +1,55 @@ +
+

+ Link an X.509 certificate to your IAM account? +

+

+ Unlink X.509 certificate from your IAM account? +

+
+
+
+

+ {{ $ctrl.error.data.detail }} +

+
+
+

+ The following trusted X.509 certificate was presented when + authenticating to this IAM instance: +

+ +

+

{{$ctrl.cert.subjectDn}}
+
{{$ctrl.cert.issuerDn}}
+

+ +

+ Do you want to link this certificate to your account? +

+
+
+

+ Do you want to unlink the following X.509 certificate from your IAM account? +

+

+

{{$ctrl.cert.subjectDn}}
+
{{$ctrl.cert.issuerDn}}
+

+

+ Login with the above certificate will NOT be allowed if you proceed. +

+

+
+
+
+ + + +
+ + +
+
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.remove.dialog.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.remove.dialog.html new file mode 100644 index 000000000..8cad0877d --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/cert.remove.dialog.html @@ -0,0 +1,27 @@ +
+

+ Remove X.509 certificate from {{$ctrl.user.name.formatted}} IAM account? +

+
+ +
+

+ The following X.509 certificate will be removed from {{$ctrl.user.name.formatted}} account: +

+ +

+

{{$ctrl.cert.subjectDn}}
+
{{$ctrl.cert.issuerDn}}
+

+ +

+ Login with the above certificate will not be possible for user {{$ctrl.user.name.formatted}} if + you proceed. +

+
+ +
+ + + +
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/user.x509.component.html b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/user.x509.component.html new file mode 100644 index 000000000..ca5e962b3 --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/user.x509.component.html @@ -0,0 +1,51 @@ + +
+
+

X.509 certificates

+ +
+ +
+
No certificates found
+ +
+ + + + + + + + + + + + + + + + + +
Subject & IssuerLast modified
+
{{ cert.subjectDn }}
+
{{ cert.issuerDn }}
+ 		{{ cert.lastModified | relativeDate }} +
+ + +
+
+
+
+ + +
+
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/user.x509.component.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/user.x509.component.js new file mode 100644 index 000000000..a192cf969 --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/components/user/x509/user.x509.component.js @@ -0,0 +1,234 @@ +(function () { + 'use strict'; + + function AddRemoveCertificateController($scope, scimFactory, $uibModalInstance, action, cert, user, successHandler) { + var self = this; + self.enabled = true; + self.action = action; + self.cert = cert; + self.user = user; + self.error = undefined; + self.successHandler = successHandler; + + self.certVal = {}; + + self.doAdd = function () { + self.error = undefined; + self.enabled = false; + scimFactory.addX509Certificate(self.user.id, self.certVal).then( + function (response) { + $uibModalInstance.close(response.data); + self.successHandler(`Certificate added`); + self.enabled = true; + }).catch(function (error) { + console.error(error); + self.error = error; + self.enabled = true; + }); + }; + + self.doRemove = function () { + self.error = undefined; + self.enabled = false; + scimFactory.removeX509Certificate(self.user.id, self.cert) + .then(function (response) { + $uibModalInstance.close(response.data); + self.successHandler(`Certificate ${self.cert.subjectDn} removed`); + self.enabled = true; + }).catch(function (error) { + console.error(error); + self.enabled = true; + self.error = error; + }); + }; + + self.cancel = function () { + $uibModalInstance.dismiss('Dismissed'); + }; + + self.reset = function () { + self.certVal = { + label: "", + primary: false, + pemEncodedCertificate: "", + }; + self.error = undefined; + }; + + self.certLabelValid = function() { + return $scope.certLabel.$dirty && $scope.certLabel.$valid; + }; + } + + function LinkCertificateController(AccountLinkingService, $uibModalInstance, action, cert) { + + var self = this; + + self.enabled = true; + self.action = action; + self.actionUrl = '/iam/account-linking/X509'; + self.cert = cert; + + self.doLink = function () { + self.enabled = false; + document.getElementById("link-certificate-form").submit(); + }; + + self.doUnlink = function () { + self.enabled = false; + AccountLinkingService.unlinkX509Certificate(self.cert).then(function (response) { + $uibModalInstance.close(`Certificate '${self.cert.subjectDn}' unlinked succesfully`); + }).catch(function (error) { + console.error(error); + self.error = error; + self.enabled = true; + }); + }; + + self.cancel = function () { + $uibModalInstance.dismiss('Dismissed'); + }; + } + + function UserX509Controller(toaster, $uibModal, ModalService, scimFactory) { + var self = this; + + self.accountLinkingEnabled = getAccountLinkingEnabled(); + + self.indigoUser = function () { + return self.user['urn:indigo-dc:scim:schemas:IndigoUser']; + }; + + self.$onInit = function () { + console.log('UserX509Controller onInit'); + self.enabled = true; + }; + + self.getCertificates = function () { + if (self.indigoUser()) { + return self.indigoUser().certificates; + } + + return undefined; + }; + + self.getUserCertSubject = function () { + return getUserX509CertficateSubject(); + }; + + self.getUserCertIssuer = function () { + return getUserX509CertficateIssuer(); + }; + + self.hasCertificates = function () { + var certs = self.getCertificates(); + if (certs) { + return certs.length > 0; + } + + return false; + }; + + self.handleSuccess = function (msg) { + self.enabled = true; + self.userCtrl.loadUser().then(function (user) { + toaster.pop({ + type: 'success', + body: msg + }); + }); + }; + + self.openAddCertificateDialog = function () { + var modalInstance = $uibModal.open({ + templateUrl: '/resources/iam/js/dashboard-app/components/user/x509/cert.add.dialog.html', + controller: AddRemoveCertificateController, + controllerAs: '$ctrl', + resolve: { + action: function () { + return 'add'; + }, + user: function () { + return self.user; + }, + cert: undefined, + successHandler: function () { + return self.handleSuccess; + } + } + }); + }; + + self.openRemoveCertificateDialog = function (cert) { + var modalInstance = $uibModal.open({ + templateUrl: '/resources/iam/js/dashboard-app/components/user/x509/cert.remove.dialog.html', + controller: AddRemoveCertificateController, + controllerAs: '$ctrl', + resolve: { + action: function () { + return 'remove'; + }, + user: function () { + return self.user; + }, + cert: function () { + return cert; + }, + successHandler: function () { + return self.handleSuccess; + } + } + }); + }; + + self.openLinkCertificateDialog = function () { + var modalInstance = $uibModal.open({ + templateUrl: '/resources/iam/js/dashboard-app/components/user/x509/cert.link.dialog.html', + controller: LinkCertificateController, + controllerAs: '$ctrl', + resolve: { + action: function () { + return 'link'; + }, + cert: { + subjectDn: self.getUserCertSubject(), + issuerDn: self.getUserCertIssuer() + } + } + }); + + modalInstance.result.then(self.handleSuccess); + }; + + self.openUnlinkCertificateDialog = function (certificate) { + var modalInstance = $uibModal.open({ + templateUrl: '/resources/iam/js/dashboard-app/components/user/x509/cert.link.dialog.html', + controller: LinkCertificateController, + controllerAs: '$ctrl', + resolve: { + action: function () { + return 'unlink'; + }, + cert: function () { + return certificate; + } + } + }); + + modalInstance.result.then(self.handleSuccess); + }; + } + + angular.module('dashboardApp').component('userX509', { + require: { + userCtrl: '^user' + }, + bindings: { + user: '=' + }, + templateUrl: '/resources/iam/js/dashboard-app/components/user/x509/user.x509.component.html', + controller: [ + 'toaster', '$uibModal', 'ModalService', 'scimFactory', UserX509Controller + ] + }); +})(); \ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-group.controller.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-group.controller.js index ea2b27f7c..fa9b296a9 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-group.controller.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-group.controller.js @@ -14,6 +14,8 @@ function AddGroupController($scope, $rootScope, $uibModalInstance, Utils, scimFa addGroupCtrl.addGroup = addGroup; addGroupCtrl.resetGroup = resetGroup; addGroupCtrl.cancel = cancel; + addGroupCtrl.parents = $rootScope.groups; + addGroupCtrl.parentSelected = addGroupCtrl.parents[-1]; function resetGroup() { @@ -30,7 +32,19 @@ function AddGroupController($scope, $rootScope, $uibModalInstance, Utils, scimFa addGroupCtrl.group.schemas = []; addGroupCtrl.group.schemas[0] = "urn:ietf:params:scim:schemas:core:2.0:Group"; + addGroupCtrl.group.schemas[1] = "urn:indigo-dc:scim:schemas:IndigoGroup"; + var parent = addGroupCtrl.parentSelected + if(parent){ + addGroupCtrl.group["urn:indigo-dc:scim:schemas:IndigoGroup"] = { + "parentGroup": { + display: parent.displayName, + value: parent.id, + $ref: parent.meta.location + } + } + } + console.info(addGroupCtrl.group); scimFactory.createGroup(addGroupCtrl.group).then(function(response) { diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-subgroup.controller.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-subgroup.controller.js new file mode 100644 index 000000000..5fb7d0c84 --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-subgroup.controller.js @@ -0,0 +1,56 @@ +'use strict'; + +angular.module('dashboardApp').controller('AddSubGroupController', AddSubGroupController); + +AddSubGroupController.$inject = [ '$scope', '$rootScope', '$uibModalInstance', 'Utils', 'scimFactory', 'group' ]; + +function AddSubGroupController($scope, $rootScope, $uibModalInstance, Utils, scimFactory, group) { + + var addSubGroupCtrl = this; + + addSubGroupCtrl.parent = group; + addSubGroupCtrl.addSubGroup = addSubGroup; + addSubGroupCtrl.resetGroup = resetGroup; + addSubGroupCtrl.cancel = cancel; + + addSubGroupCtrl.subgroup = {}; + + function resetGroup() { + + addSubGroupCtrl.subgroup.displayName = ""; + addSubGroupCtrl.enabled = true; + + } + + addSubGroupCtrl.resetGroup(); + + function addSubGroup() { + + addSubGroupCtrl.enabled = false; + + addSubGroupCtrl.subgroup.schemas = ["urn:ietf:params:scim:schemas:core:2.0:Group", "urn:indigo-dc:scim:schemas:IndigoGroup"]; + addSubGroupCtrl.subgroup["urn:indigo-dc:scim:schemas:IndigoGroup"] = { + "parentGroup": { + display: addSubGroupCtrl.parent.displayName, + value: addSubGroupCtrl.parent.id, + $ref: addSubGroupCtrl.parent.meta.location + } + } + + console.info(addSubGroupCtrl.subgroup); + + scimFactory.createGroup(addSubGroupCtrl.subgroup).then(function(response) { + $rootScope.loggedUser.totGroups = $rootScope.loggedUser.totGroups + 1; + $uibModalInstance.close(response.data); + addSubGroupCtrl.enabled = true; + }, function(error) { + console.error('Error creating group', error); + $scope.operationResult = Utils.buildErrorOperationResult(error); + addSubGroupCtrl.enabled = true; + }); + } + + function cancel() { + $uibModalInstance.dismiss("cancel"); + } +} \ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-group.controller.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-group.controller.js index bfe2440c0..08f8b98b7 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-group.controller.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-group.controller.js @@ -50,14 +50,16 @@ function AddUserGroupController($scope, $state, $filter, Utils, $q, $uibModalIns addGroupCtrl.enabled = false; var requests = []; + var groupNames = []; angular.forEach(addGroupCtrl.groupsSelected, function(groupToAdd) { + groupNames.push(groupToAdd.displayName); requests.push(scimFactory.addUserToGroup(groupToAdd.id, addGroupCtrl.user)); }); $q.all(requests).then(function(response) { console.log("Added ", addGroupCtrl.groupsSelected); - $uibModalInstance.close(response); + $uibModalInstance.close(`User added to groups: '${groupNames.join(",")}'`); addGroupCtrl.enabled = true; }, function(error) { console.error(error); diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-oidc-account.controller.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-oidc-account.controller.js deleted file mode 100644 index ceeaf6ddc..000000000 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-oidc-account.controller.js +++ /dev/null @@ -1,45 +0,0 @@ -'use strict'; - -angular.module('dashboardApp').controller('AddOIDCAccountController', - AddOIDCAccountController); - -AddOIDCAccountController.$inject = [ '$scope', '$uibModalInstance', - 'scimFactory', '$state', 'Utils', 'user' ]; - -function AddOIDCAccountController($scope, $uibModalInstance, scimFactory, - $state, Utils, user) { - - var addOidcCtrl = this; - addOidcCtrl.user = user; - addOidcCtrl.cancel = cancel; - - addOidcCtrl.addOidcAccount = addOidcAccount; - addOidcCtrl.reset = reset; - - addOidcCtrl.reset(); - - function reset() { - - addOidcCtrl.issuer = ""; - addOidcCtrl.subject = ""; - addOidcCtrl.enabled = true; - } - - function addOidcAccount() { - - addOidcCtrl.enabled = false; - scimFactory.addOpenIDAccount(addOidcCtrl.user.id, addOidcCtrl.issuer, - addOidcCtrl.subject).then(function(response) { - $uibModalInstance.close(response.data); - addOidcCtrl.enabled = true; - }, function(error) { - console.error('Error creating group: ' + error); - $scope.operationResult = Utils.buildErrorOperationResult(error); - addOidcCtrl.enabled = true; - }); - } - - function cancel() { - $uibModalInstance.dismiss("cancel"); - } -} \ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-saml-account.controller.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-saml-account.controller.js deleted file mode 100644 index b5a32ecf0..000000000 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-saml-account.controller.js +++ /dev/null @@ -1,41 +0,0 @@ -'use strict'; - -angular.module('dashboardApp').controller('AddSamlAccountController', AddSamlAccountController); - -AddSamlAccountController.$inject = ['$scope', '$uibModalInstance', 'scimFactory', 'Utils', '$state', 'user']; - -function AddSamlAccountController($scope, $uibModalInstance, scimFactory, Utils, $state, user) { - - var addSamlAccountCtrl = this; - addSamlAccountCtrl.user = user; - addSamlAccountCtrl.cancel = cancel; - - addSamlAccountCtrl.addSamlAccount = addSamlAccount; - addSamlAccountCtrl.reset = reset; - - addSamlAccountCtrl.reset(); - - function reset() { - - addSamlAccountCtrl.idpId = ""; - addSamlAccountCtrl.userId = ""; - addSamlAccountCtrl.enabled = true; - }; - - function addSamlAccount() { - - addSamlAccountCtrl.enabled = false; - scimFactory.addSamlId(addSamlAccountCtrl.user.id, addSamlAccountCtrl.idpId, addSamlAccountCtrl.userId).then(function(response) { - $uibModalInstance.close(response.data); - addSamlAccountCtrl.enabled = true; - },function(error) { - console.error('Error creating new saml account: ' + error); - $scope.operationResult = Utils.buildErrorOperationResult(error); - addSamlAccountCtrl.enabled = true; - }); - } - - function cancel() { - $uibModalInstance.dismiss("Cancel"); - } -} \ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-x509-certificate.controller.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-x509-certificate.controller.js deleted file mode 100644 index 21a9b650b..000000000 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/add-user-x509-certificate.controller.js +++ /dev/null @@ -1,68 +0,0 @@ -'use strict'; - -angular.module('dashboardApp').controller('AddX509CertificateController', - AddX509CertificateController); - -AddX509CertificateController.$inject = [ '$scope', '$uibModalInstance', - 'scimFactory', 'Utils', '$state', 'user' ]; - -function AddX509CertificateController($scope, $uibModalInstance, scimFactory, Utils, - $state, user) { - - var addX509CertCtrl = this; - addX509CertCtrl.user = user; - addX509CertCtrl.cancel = cancel; - - addX509CertCtrl.addCertificate = addCertificate; - addX509CertCtrl.reset = reset; - - addX509CertCtrl.reset(); - - function reset() { - - addX509CertCtrl.label = ""; - addX509CertCtrl.value = ""; - addX509CertCtrl.enabled = true; - } - - function checkBase64Encoding() { - - var base64Matcher = new RegExp( - "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"); - return (base64Matcher.test(addX509CertCtrl.value)); - } - - function addCertificate() { - - addX509CertCtrl.enabled = false; - - console.log("Adding Certificate ", addX509CertCtrl.label, - addX509CertCtrl.value); - - if (!checkBase64Encoding()) { - $scope.operationResult = Utils.buildErrorOperationResult({ - data: { - detail: "Key is not a base64 encoded string!" - } - }); - return; - } - - scimFactory.addX509Certificate(addX509CertCtrl.user.id, - addX509CertCtrl.label, false, addX509CertCtrl.value).then( - function(response) { - console.log("Added x509 Certificate: ", - addX509CertCtrl.label, addX509CertCtrl.value); - $uibModalInstance.close(response.data); - addX509CertCtrl.enabled = true; - }, function(error) { - console.error('Error creating x509 certificate: ', error); - $scope.operationResult = Utils.buildErrorOperationResult(error); - addX509CertCtrl.enabled = true; - }); - } - - function cancel() { - $uibModalInstance.dismiss("cancel"); - } -} \ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/group.controller.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/group.controller.js index 8757e45b7..afa9f890e 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/group.controller.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/group.controller.js @@ -2,16 +2,22 @@ angular.module('dashboardApp').controller('GroupController', GroupController); -GroupController.$inject = [ '$rootScope', '$state', '$filter', 'scimFactory', '$uibModal', 'ModalService', 'Utils' ]; +GroupController.$inject = [ '$scope', '$rootScope', '$state', '$filter', 'scimFactory', '$uibModal', 'ModalService', 'Utils', 'toaster' ]; -function GroupController($rootScope, $state, $filter, scimFactory, $uibModal, ModalService, Utils) { +function GroupController($scope, $rootScope, $state, $filter, scimFactory, $uibModal, ModalService, Utils, toaster) { var group = this; group.loadGroup = loadGroup; + group.openAddSubgroupDialog = openAddSubgroupDialog; group.id = $state.params.id; group.data = []; + group.subgroups = []; + + group.removeMemberFromList = removeMemberFromList; + group.deleteMember = deleteMember; + group.deleteGroup = deleteGroup; group.loadGroup(); @@ -32,6 +38,7 @@ function GroupController($rootScope, $state, $filter, scimFactory, $uibModal, Mo group.data.members = $filter('orderBy')(group.data.members, "display", false); $rootScope.pageLoadingProgress = 100; group.loadingModal.dismiss("Dismiss"); + separateSubGroups(); }, function(error) { @@ -43,36 +50,111 @@ function GroupController($rootScope, $state, $filter, scimFactory, $uibModal, Mo }); } - group.removeMemberFromList = removeMemberFromList; - - function removeMemberFromList(user) { + function removeMemberFromList(member) { - var i = group.data.members.indexOf(user); + var i = group.data.members.indexOf(member); group.data.members.splice(i, 1); } + + function removeSubgroupFromList(member) { - group.deleteMember = deleteMember; + var i = group.subgroups.indexOf(member); + group.subgroups.splice(i, 1); + } - function deleteMember(user) { + function deleteMember(member) { var modalOptions = { closeButtonText: 'Cancel', actionButtonText: 'Remove membership', - headerText: 'Remove «' + user.display + "» from «" + group.data.displayName + "»", - bodyText: `Are you sure you want to remove '${user.display}' from '${group.data.displayName}'?` + headerText: 'Remove «' + member.display + "» from «" + group.data.displayName + "»", + bodyText: `Are you sure you want to remove '${member.display}' from '${group.data.displayName}'?` }; ModalService.showModal({}, modalOptions).then( function (){ - scimFactory.removeUserFromGroup(group.id, user.value, user.$ref, - user.display) + scimFactory.removeMemberFromGroup(group.id, member.value, member.$ref, + member.display) .then(function(response) { - console.log("Deleted: ", user.display); - group.removeMemberFromList(user); - $scope.operationResult = Utils.buildSuccessOperationResult("User " + user.display + " membership has been removed successfully"); + console.log("Deleted: ", member.display); + group.removeMemberFromList(member); + toaster.pop({ + type: 'success', + body: + `Member ${member.display} has been removed successfully` + }); }, function(error) { - $scope.operationResult = Utils.buildErrorOperationResult(error); + toaster.pop({ + type: 'error', + body: + `${error.data.detail}` + }); }); }); } -} \ No newline at end of file + + function separateSubGroups(){ + if(group.data.members){ + group.subgroups = group.data.members.filter(memberIsAGroup); + group.subgroups.forEach(function(member){ + removeMemberFromList(member); + }); + }else{ + group.subgroups = []; + } + } + + function memberIsAGroup(member){ + return (member.$ref.indexOf('scim/Groups')!=-1); + } + + function openAddSubgroupDialog() { + var modalInstance = $uibModal.open({ + templateUrl: '/resources/iam/template/dashboard/group/addsubgroup.html', + controller: 'AddSubGroupController', + controllerAs: 'addSubGroupCtrl', + resolve: {group: function() { return group.data; }} + }); + modalInstance.result.then(function(createdGroup) { + console.info(createdGroup); + group.loadGroup(); + toaster.pop({ + type: 'success', + body: + `Group '${createdGroup.displayName}' CREATED successfully` + }); + }, function() { + console.info('Modal dismissed at: ', new Date()); + }); + } + + function deleteGroup(member) { + + var modalOptions = { + closeButtonText: 'Cancel', + actionButtonText: 'Delete Group', + headerText: "Delete Group «" + member.display + "»", + bodyText: `Are you sure you want to delete group '${member.display}'?` + }; + + ModalService.showModal({}, modalOptions).then( + function (){ + scimFactory.deleteGroup(member.value) + .then(function(response) { + removeSubgroupFromList(member); + $rootScope.loggedUser.totGroups = $rootScope.loggedUser.totGroups -1; + toaster.pop({ + type: 'success', + body: + `Group '${member.display}' DELETED successfully` + }); + }, function(error) { + toaster.pop({ + type: 'error', + body: + `${error.data.detail}` + }); + }); + }); + } +} diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/groups.controller.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/groups.controller.js index f1faeccea..78ca30980 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/groups.controller.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/controllers/groups.controller.js @@ -3,10 +3,10 @@ angular.module('dashboardApp').controller('GroupsController', GroupsController); GroupsController.$inject = [ '$scope', '$rootScope', '$uibModal', '$state', - '$filter', 'filterFilter', 'scimFactory', 'ModalService', 'Utils' ]; + '$filter', 'filterFilter', 'scimFactory', 'ModalService', 'Utils', 'toaster' ]; function GroupsController($scope, $rootScope, $uibModal, $state, $filter, - filterFilter, scimFactory, ModalService, Utils) { + filterFilter, scimFactory, ModalService, Utils, toaster) { var gc = this; @@ -29,7 +29,7 @@ function GroupsController($scope, $rootScope, $uibModal, $state, $filter, gc.rebuildFilteredList = rebuildFilteredList; // add group - gc.clickToOpen = clickToOpen; + gc.openAddGroupDialog = openAddGroupDialog; // delete group gc.deleteGroup = deleteGroup; @@ -38,10 +38,9 @@ function GroupsController($scope, $rootScope, $uibModal, $state, $filter, gc.loadGroupList = loadGroupList; // Controller actions: - gc.resetFilters() + gc.resetFilters(); gc.loadGroupList(); // eval gc.groups - function rebuildFilteredList() { gc.filtered = filterFilter(gc.groups, {'displayName': gc.searchText}); @@ -94,7 +93,9 @@ function GroupsController($scope, $rootScope, $uibModal, $state, $filter, } else { $rootScope.pageLoadingProgress = 100; gc.loadingModal.dismiss("Cancel"); + $rootScope.groups = gc.groups; } + }, function(error) { console.log("getGroups error", error); gc.loadingModal.dismiss("Error"); @@ -102,7 +103,7 @@ function GroupsController($scope, $rootScope, $uibModal, $state, $filter, }); } - function clickToOpen() { + function openAddGroupDialog() { var modalInstance = $uibModal.open({ templateUrl : '/resources/iam/template/dashboard/groups/newgroup.html', controller : 'AddGroupController', @@ -111,13 +112,16 @@ function GroupsController($scope, $rootScope, $uibModal, $state, $filter, modalInstance.result.then(function(createdGroup) { console.info(createdGroup); gc.groups.push(createdGroup); - gc.rebuildFilteredList(); - $scope.operationResult = Utils.buildSuccessOperationResult("Group " + createdGroup.displayName + " CREATED successfully"); + gc.loadGroupList() + toaster.pop({ + type: 'success', + body: + `Group '${createdGroup.displayName}' CREATED successfully` + }); }, function() { console.info('Modal dismissed at: ', new Date()); }); } - ; function removeGroupFromList(group) { @@ -142,9 +146,17 @@ function GroupsController($scope, $rootScope, $uibModal, $state, $filter, .then(function(response) { gc.removeGroupFromList(group); $rootScope.loggedUser.totGroups = $rootScope.loggedUser.totGroups -1; - $scope.operationResult = Utils.buildSuccessOperationResult("Group " + group.displayName + " DELETED successfully"); + toaster.pop({ + type: 'success', + body: + `Group '${group.displayName}' DELETED successfully` + }); }, function(error) { - $scope.operationResult = Utils.buildErrorOperationResult(error); + toaster.pop({ + type: 'error', + body: + `${error.data.detail}` + }); }); }); } diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/dashboard-app.module.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/dashboard-app.module.js index f05555662..cba26760f 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/dashboard-app.module.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/dashboard-app.module.js @@ -15,6 +15,7 @@ angular.module('dashboardApp') $rootScope.iamVersion = getIamVersion(); $rootScope.iamCommitId = getIamGitCommitId(); + $rootScope.accountLinkingEnabled = getAccountLinkingEnabled(); LoadTemplatesService.loadTemplates(); @@ -76,4 +77,4 @@ angular.module('dashboardApp') $('#body').show(); - }); \ No newline at end of file + }); diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/account-linking.service.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/account-linking.service.js index f9cdd1928..954229895 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/account-linking.service.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/account-linking.service.js @@ -8,22 +8,29 @@ function AccountLinkingService($http) { var OIDC_RESOURCE = '/iam/account-linking/OIDC'; var SAML_RESOURCE = '/iam/account-linking/SAML'; + var X509_RESOURCE = '/iam/account-linking/X509'; var service = { unlinkOidcAccount: unlinkOidcAccount, - unlinkSamlAccount: unlinkSamlAccount + unlinkSamlAccount: unlinkSamlAccount, + unlinkX509Certificate: unlinkX509Certificate }; return service; function unlinkOidcAccount(account) { return $http.delete( - OIDC_RESOURCE, {params: {iss: account.iss, sub: account.sub}}); + OIDC_RESOURCE, {params: account}); } function unlinkSamlAccount(account) { return $http.delete( - SAML_RESOURCE, {params: {iss: account.iss, sub: account.sub}}); + SAML_RESOURCE, {params: account}); + } + + function unlinkX509Certificate(cert) { + return $http.delete( + X509_RESOURCE, {params: {certificateSubject: cert.subjectDn}}); } } diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/load-templates.service.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/load-templates.service.js index 5b6441234..1791037be 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/load-templates.service.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/load-templates.service.js @@ -21,11 +21,8 @@ '/resources/iam/template/dashboard/nav.html', '/resources/iam/template/dashboard/operation-result.html', '/resources/iam/template/dashboard/requests/management.html', - '/resources/iam/template/dashboard/user/addoidc.html', - '/resources/iam/template/dashboard/user/addsamlaccount.html', '/resources/iam/template/dashboard/user/addsshkey.html', '/resources/iam/template/dashboard/user/addusergroup.html', - '/resources/iam/template/dashboard/user/addx509certificate.html', '/resources/iam/template/dashboard/user/assign-vo-admin-privileges.html', '/resources/iam/template/dashboard/user/edituser.html', '/resources/iam/template/dashboard/user/revoke-vo-admin-privileges.html', diff --git a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/scim-factory.service.js b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/scim-factory.service.js index 7cc9a9bd0..b0f4ebfaa 100644 --- a/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/scim-factory.service.js +++ b/iam-login-service/src/main/webapp/resources/iam/js/dashboard-app/services/scim-factory.service.js @@ -1,12 +1,12 @@ -angular.module('dashboardApp').factory("scimFactory", [ '$http', '$httpParamSerializer', function($http, $httpParamSerializer) { +angular.module('dashboardApp').factory("scimFactory", ['$http', '$httpParamSerializer', function ($http, $httpParamSerializer) { var urlBase = '/scim'; var urlUsers = urlBase + '/Users'; var urlGroups = urlBase + '/Groups'; var urlMe = urlBase + '/Me'; - + var service = { - + getUsers: getUsers, getGroups: getGroups, getUser: getUser, @@ -18,6 +18,7 @@ angular.module('dashboardApp').factory("scimFactory", [ '$http', '$httpParamSeri deleteUser: deleteUser, addUserToGroup: addUserToGroup, removeUserFromGroup: removeUserFromGroup, + removeMemberFromGroup: removeMemberFromGroup, addOpenIDAccount: addOpenIDAccount, removeOpenIDAccount: removeOpenIDAccount, addSshKey: addSshKey, @@ -30,51 +31,51 @@ angular.module('dashboardApp').factory("scimFactory", [ '$http', '$httpParamSeri updateUser: updateUser, updateMe: updateMe } - + return service; function getUsers(startIndex, count) { - + console.info("Getting users from-to: ", startIndex, count); var qs = $httpParamSerializer({ 'startIndex': startIndex, 'count': count }); var url = urlUsers + '?' + qs; - + return $http.get(url); }; function getGroups(startIndex, count) { - + console.info("Getting groups from-to: ", startIndex, count); var qs = $httpParamSerializer({ 'startIndex': startIndex, 'count': count }); var url = urlGroups + '?' + qs; - + return $http.get(url); }; function getUser(userId) { - + console.info("Getting user: ", userId); var url = urlUsers + '/' + userId; - + return $http.get(url); }; function getGroup(groupId) { - + console.info("Getting group: ", groupId); var url = urlGroups + '/' + groupId; - + return $http.get(url); }; function getMe() { - + console.info("Getting Me endpoint"); var url = urlBase + '/Me'; @@ -85,74 +86,102 @@ angular.module('dashboardApp').factory("scimFactory", [ '$http', '$httpParamSeri console.info("Creating group: ", group); var config = { - headers : { - 'Accept' : 'application/scim+json', - 'Content-Type' : 'application/scim+json' + headers: { + 'Accept': 'application/scim+json', + 'Content-Type': 'application/scim+json' } } return $http.post(urlGroups, group, config); }; - + function createUser(user) { console.info("Creating user: ", user); var config = { - headers : { - 'Accept' : 'application/scim+json', - 'Content-Type' : 'application/scim+json' + headers: { + 'Accept': 'application/scim+json', + 'Content-Type': 'application/scim+json' } } return $http.post(urlUsers, user, config); }; - + function deleteGroup(groupId) { - + console.info("Deleting group: ", groupId); var url = urlGroups + '/' + groupId; return $http.delete(url); }; - + function deleteUser(userId) { - + console.info("Deleting user: ", userId); var url = urlUsers + '/' + userId; return $http.delete(url); }; - + function addUserToGroup(groupId, scimUser) { - + console.info("Patch groupId, add user ", groupId, scimUser); - + var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; var data = { - - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "add", - path: "members", - value: [{ - value: scimUser.id, - $ref: scimUser.meta.location, - display: scimUser.displayName - }] + + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "add", + path: "members", + value: [{ + value: scimUser.id, + $ref: scimUser.meta.location, + display: scimUser.displayName }] + }] }; - + var url = urlGroups + '/' + groupId; return $http.patch(url, data, config); }; function removeUserFromGroup(groupId, userId, userLocation, userDisplayName) { - + console.info("Patch groupId, remove user", groupId, userId, userLocation); + + var config = { + headers: { + 'Content-Type': 'application/scim+json' + } + }; + var data = { + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "remove", + path: "members", + value: [{ + display: userDisplayName, + value: userId, + $ref: userLocation + }] + }] + }; + var url = urlGroups + '/' + groupId; + + return $http.patch(url, data, config); + }; + + function removeMemberFromGroup(groupId, memberId, memberLocation, memberDisplayName) { + + console.info("Patch groupId, remove member", groupId, memberId, memberLocation); var config = { headers: { 'Content-Type': 'application/scim+json' } @@ -163,9 +192,9 @@ angular.module('dashboardApp').factory("scimFactory", [ '$http', '$httpParamSeri op: "remove", path: "members", value: [{ - display: userDisplayName, - value: userId, - $ref: userLocation + display: memberDisplayName, + value: memberId, + $ref: memberLocation }] }] }; @@ -173,237 +202,262 @@ angular.module('dashboardApp').factory("scimFactory", [ '$http', '$httpParamSeri return $http.patch(url, data, config); }; - - function addOpenIDAccount(userId, issuer, subject) { + + function removeMemberFromGroup(groupId, memberId, memberLocation, memberDisplayName) { - console.info("Patch user-id, add oidc account ", userId, issuer, subject); + console.info("Patch groupId, remove member", groupId, memberId, memberLocation); var config = { headers: { 'Content-Type': 'application/scim+json' } }; var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], operations: [{ - op: "add", - value: { - "urn:indigo-dc:scim:schemas:IndigoUser": { - oidcIds: [{ - "issuer": issuer, - "subject": subject - } - ] - } - } + op: "remove", + path: "members", + value: [{ + display: memberDisplayName, + value: memberId, + $ref: memberLocation + }] }] }; - var url = urlUsers + '/' + userId; + var url = urlGroups + '/' + groupId; return $http.patch(url, data, config); }; - function removeOpenIDAccount(userId, issuer, subject) { - - console.info("Patch user-id, remove oidc account ", userId, issuer, subject); + function addOpenIDAccount(userId, account) { + + var url = urlUsers + '/' + userId; var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; + var data = { - - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "remove", - value: { - "urn:indigo-dc:scim:schemas:IndigoUser": { - oidcIds: [{ - "issuer": issuer, - "subject": subject - } - ] - } + + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "add", + value: { + "urn:indigo-dc:scim:schemas:IndigoUser": { + oidcIds: [account] } - }] + } + }] }; + + + return $http.patch(url, data, config); + } + + function removeOpenIDAccount(userId, account) { + var url = urlUsers + '/' + userId; + + var config = { + headers: { + 'Content-Type': 'application/scim+json' + } + }; + var data = { + + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "remove", + value: { + "urn:indigo-dc:scim:schemas:IndigoUser": { + oidcIds: [account] + } + } + }] + }; + return $http.patch(url, data, config); - }; + } function addSshKey(userId, label, isPrimary, value) { - + console.info("Patch user-id, add ssh-key ", userId, label, value); - + var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "add", - value: { - "urn:indigo-dc:scim:schemas:IndigoUser": { - sshKeys: [{ - "display": label, - "primary": isPrimary, - "value": value - } - ] - } + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "add", + value: { + "urn:indigo-dc:scim:schemas:IndigoUser": { + sshKeys: [{ + "display": label, + "primary": isPrimary, + "value": value + }] } - }] + } + }] }; var url = urlUsers + '/' + userId; - + return $http.patch(url, data, config); }; function removeSshKey(userId, fingerprint) { - + console.info("Patch user-id, remove ssh-key ", userId, fingerprint); - + var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "remove", - value: { - "urn:indigo-dc:scim:schemas:IndigoUser": { - sshKeys: [{ - "fingerprint": fingerprint - } - ] - } + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "remove", + value: { + "urn:indigo-dc:scim:schemas:IndigoUser": { + sshKeys: [{ + "fingerprint": fingerprint + }] } - }] + } + }] }; var url = urlUsers + '/' + userId; - + return $http.patch(url, data, config); }; - - function addX509Certificate(userId, label, isPrimary, value) { - - console.info("Patch user-id, add ssh-key ", userId, label, value); - + + function addX509Certificate(userId, certificate) { + + var url = urlUsers + '/' + userId; + var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; + var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "add", - value: { - x509Certificates: [{ - "display": label, - "primary": isPrimary, - "value": value - }] - } - }] - }; - var url = urlUsers + '/' + userId; - + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "add", + value: { + "urn:indigo-dc:scim:schemas:IndigoUser": { + certificates: [certificate] + } + } + }] + }; + return $http.patch(url, data, config); }; - - function removeX509Certificate(userId, value) { - - console.info("Patch user-id, add ssh-key ", userId, value); - + + function removeX509Certificate(userId, certificate) { + var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; + var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "remove", - value: { - x509Certificates: [{ - "value": value - }] - } - }] - }; + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "remove", + value: { + "urn:indigo-dc:scim:schemas:IndigoUser": { + certificates: [certificate] + } + } + }] + }; var url = urlUsers + '/' + userId; - + return $http.patch(url, data, config); }; - - function addSamlId(userId, samlIdpId, samlUserId) { - - console.info("Patch user-id, add saml-account ", userId, samlIdpId, samlUserId); + + function addSamlId(userId, samlId) { + + var url = urlUsers + '/' + userId; var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "add", - value: { - "urn:indigo-dc:scim:schemas:IndigoUser": { - samlIds: [{ - "idpId": samlIdpId, - "userId": samlUserId - } - ] - } + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "add", + value: { + "urn:indigo-dc:scim:schemas:IndigoUser": { + samlIds: [samlId] } - }] - }; - var url = urlUsers + '/' + userId; + } + }] + }; return $http.patch(url, data, config); - }; - + } + function removeSamlId(userId, samlId) { - + console.info("Patch user-id, remove saml-account ", userId, samlId.idpId, samlId.userId); - + var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "remove", - value: { - "urn:indigo-dc:scim:schemas:IndigoUser": { - samlIds: [{ - "idpId": samlId.idpId, - "userId": samlId.userId - } - ] - } + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "remove", + value: { + "urn:indigo-dc:scim:schemas:IndigoUser": { + samlIds: [{ + "idpId": samlId.idpId, + "attributeId": samlId.attributeId, + "userId": samlId.userId + }] } - }] - }; + } + }] + }; var url = urlUsers + '/' + userId; - + return $http.patch(url, data, config); }; - + function setUserActiveStatus(userId, status) { - + console.info("Patch user-id, set active to ", userId, status); - + var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: [{ - op: "replace", - value: { - active: status - } - }] - }; + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: [{ + op: "replace", + value: { + active: status + } + }] + }; var url = urlUsers + '/' + userId; - + return $http.patch(url, data, config); }; @@ -412,12 +466,14 @@ angular.module('dashboardApp').factory("scimFactory", [ '$http', '$httpParamSeri console.info("Patch user ", userId, ops); var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: ops - }; + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: ops + }; var url = urlUsers + '/' + userId; return $http.patch(url, data, config); @@ -428,15 +484,17 @@ angular.module('dashboardApp').factory("scimFactory", [ '$http', '$httpParamSeri console.info("Patch current user", ops); var config = { - headers: { 'Content-Type': 'application/scim+json' } - }; + headers: { + 'Content-Type': 'application/scim+json' + } + }; var data = { - schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], - operations: ops - }; + schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + operations: ops + }; return $http.patch(urlMe, data, config); }; return scimFactory; -} ]); +}]); \ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/group/addsubgroup.html b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/group/addsubgroup.html new file mode 100644 index 000000000..aa1b6c52d --- /dev/null +++ b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/group/addsubgroup.html @@ -0,0 +1,30 @@ +
+

Add new subgroup to {{addSubGroupCtrl.parent.displayName}}

+
+
+
+
+ +
+
+ + + Group name length must not exceed 50 characters +
+
+
+
+
+
+ +
+
+ +
+
+ + +
diff --git a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/group/group.html b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/group/group.html index db83d306b..039808a6b 100644 --- a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/group/group.html +++ b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/group/group.html @@ -24,6 +24,46 @@

+
+
+

Subgroups

+ +
+
+

No subgroup found.

+ + + + + + + + + + + + + + + + + + + + + + +
#NameActions
{{$index + 1}}{{member.display}} + +
#NameActions
+
+
+ +
+
+

Members

@@ -41,11 +81,11 @@

Members

- - {{$index + 1}} - {{user.display}} - - @@ -59,11 +99,9 @@

Members

-
- - \ No newline at end of file + diff --git a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/groups/groups.html b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/groups/groups.html index c8e9a9db2..3909d0dfc 100644 --- a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/groups/groups.html +++ b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/groups/groups.html @@ -47,10 +47,10 @@

- {{$index + (gc.currentPage-1)*gc.entryLimit + 1}} - {{group.displayName}} + {{$index + (gc.currentPage-1)*gc.entryLimit + 1}} + {{group.displayName}} - + @@ -72,10 +72,9 @@

- +
- \ No newline at end of file + diff --git a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/groups/newgroup.html b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/groups/newgroup.html index c76334491..dfbfbb5ec 100644 --- a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/groups/newgroup.html +++ b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/groups/newgroup.html @@ -2,18 +2,34 @@

Add new group

- -
- - -
- -
-
- +
+
+ +
+
+ + + Group name length must not exceed 50 characters +
+
+
+ +
+ +
+
+ +
+
+
+ +
+
+ +
-
- +
-
\ No newline at end of file +
diff --git a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addoidc.html b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addoidc.html deleted file mode 100644 index 4d6270fb9..000000000 --- a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addoidc.html +++ /dev/null @@ -1,28 +0,0 @@ -
-

Add Open ID Connect account to {{addOidcCtrl.user.name.formatted}}

-
-
- -
- - -
-
- - -
- -
-
- -
-
- -
-
- - -
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addsamlaccount.html b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addsamlaccount.html deleted file mode 100644 index 8324f98fe..000000000 --- a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addsamlaccount.html +++ /dev/null @@ -1,28 +0,0 @@ -
-

Add SAML Account to {{addSamlAccountCtrl.user.name.formatted}}

-
-
- -
- - -
-
- - -
- -
-
- -
-
- -
-
- - -
\ No newline at end of file diff --git a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addusergroup.html b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addusergroup.html index 8a9654730..0c517e28b 100644 --- a/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addusergroup.html +++ b/iam-login-service/src/main/webapp/resources/iam/template/dashboard/user/addusergroup.html @@ -2,21 +2,20 @@

Add group(s) to {{addGroupCtrl.user.name.formatted}}

- - {{addGroupCtrl.loadingGroupsProgress}} / 100 + + {{addGroupCtrl.loadingGroupsProgress}} / 100
- {{$item.displayName}} - -
- No results found + + {{$item.displayName}} + +
+ + No results found +
@@ -26,9 +25,6 @@

- - + +
\ No newline at end of file diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/OidcIdUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/OidcIdUtils.java new file mode 100644 index 000000000..7c4f67246 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/OidcIdUtils.java @@ -0,0 +1,23 @@ +package it.infn.mw.iam.test; + +import java.util.ArrayList; +import java.util.List; + +public class OidcIdUtils { + + public static final List oidcIds = new ArrayList(); + + static { + + OidcId oidcId = new OidcId(); + oidcId.issuer = "Oidc ID Issuer"; + oidcId.subject = "User1 subject"; + oidcIds.add(oidcId); + + oidcId = new OidcId(); + oidcId.issuer = "Oidc ID Issuer"; + oidcId.subject = "User2 subject"; + oidcIds.add(oidcId); + + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/SamlIdUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/SamlIdUtils.java new file mode 100644 index 000000000..c2e3d9d79 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/SamlIdUtils.java @@ -0,0 +1,23 @@ +package it.infn.mw.iam.test; + +import java.util.ArrayList; +import java.util.List; + +public class SamlIdUtils { + + public static final List samlIds = new ArrayList(); + + static { + + SamlId samlId = new SamlId(); + samlId.idpId = "Saml IDP ID"; + samlId.userId = "User1 ID"; + SamlIdUtils.samlIds.add(samlId); + + samlId = new SamlId(); + samlId.idpId = "Saml IDP ID"; + samlId.userId = "User2 ID"; + SamlIdUtils.samlIds.add(samlId); + + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/SshKeyUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/SshKeyUtils.java new file mode 100644 index 000000000..170e312ae --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/SshKeyUtils.java @@ -0,0 +1,37 @@ +package it.infn.mw.iam.test; + +import java.util.ArrayList; +import java.util.List; + +public class SshKeyUtils { + + public static final List sshKeys = new ArrayList(); + + static { + + SshKey sshKey = new SshKey(); + sshKey.fingerprintSHA256 = "iXUu+MjanRMxt+Sd9qkw7J2y7xYP/FRodd4lxHnc7zA="; + sshKey.fingerprintMD5Formatted = "d6:cc:0f:af:ed:c4:aa:5e:fa:40:52:3e:f1:11:db:e0"; + sshKey.fingerprintMDS = "d6cc0fafedc4aa5efa40523ef111dbe0"; + sshKey.key = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC4tjz4mfMLvJsM8RXIgdRYPBhH//VXLXbeLb" + + "UsJpm5ARIQPY6Gu1befPA3jqKacvdcBrMsYGiMp/DOhpkAwWclSnzMdvYLbYWkrOP" + + "wBVrRh7lvFtXFLaQZ6do4uMZHb5zU2ViTFacrJ6zJ/GLltjk4nBea7Z4qHaQdWou3" + + "Fk/108oMQGx7jqW44m+TA+HYo6rEbVWbimWVXyyiKchO2LTLKUbK6GBSWJiItezwA" + + "WR3KKs3FXKRmbJDiKESh3mDccJidfkjzNLPyDf3JHI2b/C/mcvtJsoAtkIWuVll2B" + + "hBBiqkYt3tX2llZCYGtF7rZOYTsqhw+LPnsJtsX+W7e4iN"; + SshKeyUtils.sshKeys.add(sshKey); + + sshKey = new SshKey(); + sshKey.fingerprintSHA256 = "dowJH1al1DJII+i7DYux1BGQkx3P+XVpaz3TIX5zt5Y="; + sshKey.fingerprintMD5Formatted = "26:5a:f5:c5:56:42:1a:4e:94:32:f6:5e:48:b3:7d:91"; + sshKey.fingerprintMDS = "265af5c556421a4e9432f65e48b37d91"; + sshKey.key = "AAAAB3NzaC1yc2EAAAABIwAAAQEAxL6nllg/rMURT2QTy4MGj0gxYQ6sxcqCde5or" + + "LBs4rjIogo9bL7+HFLt6FHpCQbZ0CXakoL2M7PmXbFdwlD4Yw4ye4VxEaW3J1eNzR" + + "MWMGNTaAlcGiQqDuS/SsxI6SOlp/kfXQprDn2MnED1jIQHQq5pm25wKpKYeUBAaC6" + + "hvA4OlE39YpMCsVPEM3BhkR7F51I/60+5jV5P/g0arCnZKYJOnLmNpYc86ry8yydQ" + + "MvD5HFBjRR8GRfvTU/0UcVtNsa1PzHTD7+lTA7iwDHX4cfe+4o38C850zU9yUMV+S" + + "nlLMJhwBiCxaaqeU0SdBbG+nCL47drSlSvv85+baXftSw=="; + SshKeyUtils.sshKeys.add(sshKey); + + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/TestUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/TestUtils.java index 9570e5a28..571237f40 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/TestUtils.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/TestUtils.java @@ -27,109 +27,6 @@ public class TestUtils { public static final String PASSWORD_GRANT_CLIENT_ID = "password-grant"; public static final String PASSWORD_GRANT_CLIENT_SECRET = "secret"; - public static final List sshKeys = new ArrayList(); - public static final List x509Certs = new ArrayList(); - public static final List samlIds = new ArrayList(); - public static final List oidcIds = new ArrayList(); - - static { - - SshKey sshKey = new SshKey(); - sshKey.fingerprintSHA256 = "iXUu+MjanRMxt+Sd9qkw7J2y7xYP/FRodd4lxHnc7zA="; - sshKey.fingerprintMD5Formatted = "d6:cc:0f:af:ed:c4:aa:5e:fa:40:52:3e:f1:11:db:e0"; - sshKey.fingerprintMDS = "d6cc0fafedc4aa5efa40523ef111dbe0"; - sshKey.key = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC4tjz4mfMLvJsM8RXIgdRYPBhH//VXLXbeLb" - + "UsJpm5ARIQPY6Gu1befPA3jqKacvdcBrMsYGiMp/DOhpkAwWclSnzMdvYLbYWkrOP" - + "wBVrRh7lvFtXFLaQZ6do4uMZHb5zU2ViTFacrJ6zJ/GLltjk4nBea7Z4qHaQdWou3" - + "Fk/108oMQGx7jqW44m+TA+HYo6rEbVWbimWVXyyiKchO2LTLKUbK6GBSWJiItezwA" - + "WR3KKs3FXKRmbJDiKESh3mDccJidfkjzNLPyDf3JHI2b/C/mcvtJsoAtkIWuVll2B" - + "hBBiqkYt3tX2llZCYGtF7rZOYTsqhw+LPnsJtsX+W7e4iN"; - sshKeys.add(sshKey); - - sshKey = new SshKey(); - sshKey.fingerprintSHA256 = "dowJH1al1DJII+i7DYux1BGQkx3P+XVpaz3TIX5zt5Y="; - sshKey.fingerprintMD5Formatted = "26:5a:f5:c5:56:42:1a:4e:94:32:f6:5e:48:b3:7d:91"; - sshKey.fingerprintMDS = "265af5c556421a4e9432f65e48b37d91"; - sshKey.key = "AAAAB3NzaC1yc2EAAAABIwAAAQEAxL6nllg/rMURT2QTy4MGj0gxYQ6sxcqCde5or" - + "LBs4rjIogo9bL7+HFLt6FHpCQbZ0CXakoL2M7PmXbFdwlD4Yw4ye4VxEaW3J1eNzR" - + "MWMGNTaAlcGiQqDuS/SsxI6SOlp/kfXQprDn2MnED1jIQHQq5pm25wKpKYeUBAaC6" - + "hvA4OlE39YpMCsVPEM3BhkR7F51I/60+5jV5P/g0arCnZKYJOnLmNpYc86ry8yydQ" - + "MvD5HFBjRR8GRfvTU/0UcVtNsa1PzHTD7+lTA7iwDHX4cfe+4o38C850zU9yUMV+S" - + "nlLMJhwBiCxaaqeU0SdBbG+nCL47drSlSvv85+baXftSw=="; - sshKeys.add(sshKey); - - X509Cert x509Cert = new X509Cert(); - x509Cert.display = "Personal Certificate"; - x509Cert.certificate = "MIIEWDCCA0CgAwIBAgIDAII4MA0GCSqGSIb3DQEBCwUAMC4xCzAJBgNVBAYTAklU" - + "MQ0wCwYDVQQKEwRJTkZOMRAwDgYDVQQDEwdJTkZOIENBMB4XDTE1MDUxODEzNTQx" - + "NFoXDTE2MDUxNzEzNTQxNFowZDELMAkGA1UEBhMCSVQxDTALBgNVBAoTBElORk4x" - + "HTAbBgNVBAsTFFBlcnNvbmFsIENlcnRpZmljYXRlMQ0wCwYDVQQHEwRDTkFGMRgw" - + "FgYDVQQDEw9FbnJpY28gVmlhbmVsbG8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw" - + "ggEKAoIBAQDf74gCX/5D7HAKlI9u+vMy4R8uYvtZp60L401zOuDHc0sKPCq2sU8N" - + "IB8cNOC+69h+hPqbU8gcleXZ0T3KOy3NPrU7CFaOxzsCVAoDcLeKFlCMu4X1OK0V" - + "NPq7+fgJ1cVdsJ4StHl3oTtQPCoU6NNly8HJIufVjat2IgjNHdMHINs5IcxpTmE5" - + "OGae3reOfRBtqBr8UvyiTwHEEll6JpdbKjzjrcHBoOdFZTiwR18fO+B8MZLOjXSk" - + "OEG5p5K8y4UOkHQeqooKgW0tn7dvCxQfuu5TGYUmK6pwjcxzcnSE9U4abFh5/oD1" - + "PqjoCGtlvnl9nGrhAFD+qa5zq6SrgWsNAgMBAAGjggFHMIIBQzAMBgNVHRMBAf8E" - + "AjAAMA4GA1UdDwEB/wQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH" - + "AwQwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL3NlY3VyaXR5LmZpLmluZm4uaXQv" - + "Q0EvSU5GTkNBX2NybC5kZXIwJQYDVR0gBB4wHDAMBgorBgEEAdEjCgEHMAwGCiqG" - + "SIb3TAUCAgEwHQYDVR0OBBYEFIQEiwCbKssJqSBNMziZtu54ZQRCMFYGA1UdIwRP" - + "ME2AFNFi87N3csgu+/J5Gm83TiefE9UgoTKkMDAuMQswCQYDVQQGEwJJVDENMAsG" - + "A1UEChMESU5GTjEQMA4GA1UEAxMHSU5GTiBDQYIBADAnBgNVHREEIDAegRxlbnJp" - + "Y28udmlhbmVsbG9AY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBCwUAA4IBAQBfhv9P" - + "4bYo7lVRYjHrxreKVaEyujzPZFowZPYMz0e/lPcdqh9TIoDBbhy7/PXiTVqQEniZ" - + "fU1Nso4rqBj8Qy609Y60PEFHhfLnjhvd/d+pXu6F1QTzUMwA2k7z5M+ykh7L46/z" - + "1vwvcdvCgtWZ+FedvLuKh7miTCfxEIRLcpRPggbC856BSKet7jPdkMxkUwbFa34Z" - + "qOuDQ6MvcrFA/lLgqN1c1OoE9tnf/uyOjVYq8hyXqOAhi2heE1e+s4o3/PQsaP5x" - + "LetVho/J33BExHo+hCMt1rN89DO5qU7FFijLlbmOZROacpjkPNn2V4wkd5WeX2dm" + "b6UoBRqPsAiQL0mY"; - x509Certs.add(x509Cert); - - x509Cert = new X509Cert(); - x509Cert.display = "Personal Certificate"; - x509Cert.certificate = "MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDE" - + "MMAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNF" - + "oXDTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOM" - + "AwGA1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK" - + "xtrwhoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6" - + "Y113RBwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAo" - + "ZJ/QFcCfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkl" - + "etDImJK2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSR" - + "On7tF2alxoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0" - + "LGd5dTVopkKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBg" - + "NVHQ4EFgQUfLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA" - + "1UdJQQ3MDUGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4" - + "QgQBBggrBgEFBQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjA" - + "nBgNVHREEIDAegRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSI" - + "b3DQEBBQUAA4IBAQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We" - + "7ACK/G7u1DebJYxd8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFy" - + "RXjD0+wMGwzX7MDuSL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwz" - + "JwRhnrSJiO5WIZAZf49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOd" - + "s+PrehSRR8Gn0IjlEgC68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8" - + "ymIkb8nxCPnxCcT2I2NvDxcPMc/wmnMa+smNal0sJ6m"; - x509Certs.add(x509Cert); - - SamlId samlId = new SamlId(); - samlId.idpId = "Saml IDP ID"; - samlId.userId = "User1 ID"; - samlIds.add(samlId); - - samlId = new SamlId(); - samlId.idpId = "Saml IDP ID"; - samlId.userId = "User2 ID"; - samlIds.add(samlId); - - OidcId oidcId = new OidcId(); - oidcId.issuer = "Oidc ID Issuer"; - oidcId.subject = "User1 subject"; - oidcIds.add(oidcId); - - oidcId = new OidcId(); - oidcId.issuer = "Oidc ID Issuer"; - oidcId.subject = "User2 subject"; - oidcIds.add(oidcId); - } - public static ObjectMapper createJacksonObjectMapper() { FilterProvider filters = new SimpleFilterProvider().setFailOnUnknownId(false); @@ -200,7 +97,7 @@ public static AccessTokenGetter passwordTokenGetter() { public static AccessTokenGetter passwordTokenGetter(String clientId, String clientSecret) { return new AccessTokenGetter(clientId, clientSecret).grantType("password"); } - + public static class AccessTokenGetter { private String clientId; private String clientSecret; diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/X509Utils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/X509Utils.java new file mode 100644 index 000000000..3cf5bd878 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/X509Utils.java @@ -0,0 +1,71 @@ +package it.infn.mw.iam.test; + +import java.util.ArrayList; +import java.util.List; + +public class X509Utils { + + public static final List x509Certs = new ArrayList(); + + static { + + X509Cert x509Cert = new X509Cert(); + x509Cert.display = "Personal Certificate"; + x509Cert.certificate = new StringBuilder("-----BEGIN CERTIFICATE-----\n") + .append("MIIEWDCCA0CgAwIBAgIDAII4MA0GCSqGSIb3DQEBCwUAMC4xCzAJBgNVBAYTAklU\n") + .append("MQ0wCwYDVQQKEwRJTkZOMRAwDgYDVQQDEwdJTkZOIENBMB4XDTE1MDUxODEzNTQx\n") + .append("NFoXDTE2MDUxNzEzNTQxNFowZDELMAkGA1UEBhMCSVQxDTALBgNVBAoTBElORk4x\n") + .append("HTAbBgNVBAsTFFBlcnNvbmFsIENlcnRpZmljYXRlMQ0wCwYDVQQHEwRDTkFGMRgw\n") + .append("FgYDVQQDEw9FbnJpY28gVmlhbmVsbG8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n") + .append("ggEKAoIBAQDf74gCX/5D7HAKlI9u+vMy4R8uYvtZp60L401zOuDHc0sKPCq2sU8N\n") + .append("IB8cNOC+69h+hPqbU8gcleXZ0T3KOy3NPrU7CFaOxzsCVAoDcLeKFlCMu4X1OK0V\n") + .append("NPq7+fgJ1cVdsJ4StHl3oTtQPCoU6NNly8HJIufVjat2IgjNHdMHINs5IcxpTmE5\n") + .append("OGae3reOfRBtqBr8UvyiTwHEEll6JpdbKjzjrcHBoOdFZTiwR18fO+B8MZLOjXSk\n") + .append("OEG5p5K8y4UOkHQeqooKgW0tn7dvCxQfuu5TGYUmK6pwjcxzcnSE9U4abFh5/oD1\n") + .append("PqjoCGtlvnl9nGrhAFD+qa5zq6SrgWsNAgMBAAGjggFHMIIBQzAMBgNVHRMBAf8E\n") + .append("AjAAMA4GA1UdDwEB/wQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH\n") + .append("AwQwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL3NlY3VyaXR5LmZpLmluZm4uaXQv\n") + .append("Q0EvSU5GTkNBX2NybC5kZXIwJQYDVR0gBB4wHDAMBgorBgEEAdEjCgEHMAwGCiqG\n") + .append("SIb3TAUCAgEwHQYDVR0OBBYEFIQEiwCbKssJqSBNMziZtu54ZQRCMFYGA1UdIwRP\n") + .append("ME2AFNFi87N3csgu+/J5Gm83TiefE9UgoTKkMDAuMQswCQYDVQQGEwJJVDENMAsG\n") + .append("A1UEChMESU5GTjEQMA4GA1UEAxMHSU5GTiBDQYIBADAnBgNVHREEIDAegRxlbnJp\n") + .append("Y28udmlhbmVsbG9AY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBCwUAA4IBAQBfhv9P\n") + .append("4bYo7lVRYjHrxreKVaEyujzPZFowZPYMz0e/lPcdqh9TIoDBbhy7/PXiTVqQEniZ\n") + .append("fU1Nso4rqBj8Qy609Y60PEFHhfLnjhvd/d+pXu6F1QTzUMwA2k7z5M+ykh7L46/z\n") + .append("1vwvcdvCgtWZ+FedvLuKh7miTCfxEIRLcpRPggbC856BSKet7jPdkMxkUwbFa34Z\n") + .append("qOuDQ6MvcrFA/lLgqN1c1OoE9tnf/uyOjVYq8hyXqOAhi2heE1e+s4o3/PQsaP5x\n") + .append("LetVho/J33BExHo+hCMt1rN89DO5qU7FFijLlbmOZROacpjkPNn2V4wkd5WeX2dm\n") + .append("b6UoBRqPsAiQL0mY\n") + .append("-----END CERTIFICATE-----") + .toString(); + x509Certs.add(x509Cert); + + x509Cert = new X509Cert(); + x509Cert.display = "Personal Certificate"; + x509Cert.certificate = new StringBuilder("-----BEGIN CERTIFICATE-----\n") + .append("MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDE\n") + .append("MMAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNF\n") + .append("oXDTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOM\n") + .append("AwGA1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK\n") + .append("xtrwhoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6\n") + .append("Y113RBwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAo\n") + .append("ZJ/QFcCfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkl\n") + .append("etDImJK2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSR\n") + .append("On7tF2alxoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0\n") + .append("LGd5dTVopkKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBg\n") + .append("NVHQ4EFgQUfLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA\n") + .append("1UdJQQ3MDUGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4\n") + .append("QgQBBggrBgEFBQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjA\n") + .append("nBgNVHREEIDAegRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSI\n") + .append("b3DQEBBQUAA4IBAQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We\n") + .append("7ACK/G7u1DebJYxd8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFy\n") + .append("RXjD0+wMGwzX7MDuSL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwz\n") + .append("JwRhnrSJiO5WIZAZf49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOd\n") + .append("s+PrehSRR8Gn0IjlEgC68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8\n") + .append("ymIkb8nxCPnxCcT2I2NvDxcPMc/wmnMa+smNal0sJ6m\n") + .append("-----END CERTIFICATE-----") + .toString(); + x509Certs.add(x509Cert); + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/account/PasswordEncodingTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/account/PasswordEncodingTests.java index 5169d4493..0e5f6ac57 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/account/PasswordEncodingTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/account/PasswordEncodingTests.java @@ -1,5 +1,6 @@ package it.infn.mw.iam.test.account; +import org.junit.After; import org.junit.Assert; import org.junit.BeforeClass; import org.junit.Test; @@ -13,6 +14,7 @@ import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.persistence.repository.IamEmailNotificationRepository; import it.infn.mw.iam.registration.PersistentUUIDTokenGenerator; import it.infn.mw.iam.registration.RegistrationRequestDto; import it.infn.mw.iam.test.RegistrationUtils; @@ -32,6 +34,9 @@ public class PasswordEncodingTests { @Autowired private IamAccountRepository iamAccountRepository; + @Autowired + private IamEmailNotificationRepository notificationRepository; + private RegistrationRequestDto reg; @BeforeClass @@ -39,6 +44,11 @@ public static void init() { TestUtils.initRestAssured(); } + @After + public void tearDown() { + notificationRepository.deleteAll(); + } + @Test public void testPasswordEncoded() { String username = "test_user"; diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/actuator/ActuatorEndpointsTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/actuator/ActuatorEndpointsTests.java index 832edf345..bd6457bcf 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/actuator/ActuatorEndpointsTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/actuator/ActuatorEndpointsTests.java @@ -45,12 +45,21 @@ public class ActuatorEndpointsTests { private static final Set SENSITIVE_ENDPOINTS = Sets.newHashSet("/metrics", "/configprops", "/env", "/mappings", "/flyway", "/autoconfig", "/beans", "/dump", "/trace"); + @Value("${endpoints.healthMail.path}") + private String mailHealthEndpoint; + + @Value("${endpoints.externalService.path}") + private String externalHealthEndpoint; + @Value("${spring.mail.host}") private String mailHost; @Value("${spring.mail.port}") private Integer mailPort; + @Value("${health.googleEndpoint}") + private String googleEndpoint; + @Autowired private WebApplicationContext context; @@ -170,7 +179,7 @@ public void testSensitiveEndpointsAsAdmin() throws Exception { @Test public void testMailHealthEndpointWithoutSmtp() throws Exception { // @formatter:off - mvc.perform(get("/health/mail")) + mvc.perform(get(mailHealthEndpoint)) .andExpect(status().isServiceUnavailable()) .andExpect(jsonPath("$.status", equalTo(STATUS_DOWN))) .andExpect(jsonPath("$.mail").doesNotExist()); @@ -181,7 +190,7 @@ public void testMailHealthEndpointWithoutSmtp() throws Exception { @WithMockUser(username = USER_USERNAME, roles = {USER_ROLE}) public void testMailHealthEndpointWithoutSmtpAsUser() throws Exception { // @formatter:off - mvc.perform(get("/health/mail")) + mvc.perform(get(mailHealthEndpoint)) .andExpect(status().isServiceUnavailable()) .andExpect(jsonPath("$.status", equalTo(STATUS_DOWN))) .andExpect(jsonPath("$.mail").doesNotExist()); @@ -192,7 +201,7 @@ public void testMailHealthEndpointWithoutSmtpAsUser() throws Exception { @WithMockUser(username = ADMIN_USERNAME, roles = {ADMIN_ROLE}) public void testMailHealthEndpointWithoutSmtpAsAdmin() throws Exception { // @formatter:off - mvc.perform(get("/health/mail")) + mvc.perform(get(mailHealthEndpoint)) .andExpect(status().isServiceUnavailable()) .andExpect(jsonPath("$.status", equalTo(STATUS_DOWN))) .andExpect(jsonPath("$.mail.status", equalTo(STATUS_DOWN))) @@ -200,4 +209,38 @@ public void testMailHealthEndpointWithoutSmtpAsAdmin() throws Exception { .andExpect(jsonPath("$.mail.error").exists()); // @formatter:on } + + @Test + public void testExternalServicesHealthEndpoint() throws Exception { + // @formatter:off + mvc.perform(get(externalHealthEndpoint)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.status", equalTo(STATUS_UP))) + .andExpect(jsonPath("$.google").doesNotExist()); + // @formatter:on + } + + @Test + @WithMockUser(username = USER_USERNAME, roles = {USER_ROLE}) + public void testExternalServicesHealthEndpointAsUser() throws Exception { + // @formatter:off + mvc.perform(get(externalHealthEndpoint)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.status", equalTo(STATUS_UP))) + .andExpect(jsonPath("$.google").doesNotExist()); + // @formatter:on + } + + @Test + @WithMockUser(username = ADMIN_USERNAME, roles = {ADMIN_ROLE}) + public void testExternalServicesHealthEndpointAsAdmin() throws Exception { + // @formatter:off + mvc.perform(get(externalHealthEndpoint)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.status", equalTo(STATUS_UP))) + .andExpect(jsonPath("$.google.status", equalTo(STATUS_UP))) + .andExpect(jsonPath("$.google.location", equalTo(googleEndpoint))) + .andExpect(jsonPath("$.google.error").doesNotExist()); + // @formatter:on + } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/actuator/MailHealthEndpointsTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/actuator/MailHealthEndpointsTests.java index 60c61509a..dcf510357 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/actuator/MailHealthEndpointsTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/actuator/MailHealthEndpointsTests.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.test.actuator; +import static it.infn.mw.iam.test.util.MockSmtpServerUtils.startMockSmtpServer; +import static it.infn.mw.iam.test.util.MockSmtpServerUtils.stopMockSmtpServer; import static java.lang.String.format; import static org.hamcrest.Matchers.equalTo; import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; @@ -9,6 +11,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.After; +import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; @@ -54,25 +57,29 @@ public class MailHealthEndpointsTests { private Wiser wiser; @Before - public void setup() { + public synchronized void setup() throws InterruptedException { + mvc = MockMvcBuilders.webAppContextSetup(context) .apply(springSecurity()) .alwaysDo(print()) .build(); - - wiser = new Wiser(); - wiser.setHostname(mailHost); - wiser.setPort(mailPort); - wiser.start(); + + wiser = startMockSmtpServer(mailHost, mailPort); } @After - public void teardown() throws InterruptedException { - wiser.stop(); + public synchronized void teardown() { + + stopMockSmtpServer(wiser); + + if (wiser.getServer().isRunning()) { + Assert.fail("Fake mail server is still running after stop!!"); + } } @Test public void testMailHealthEndpointWithSmtp() throws Exception { + // @formatter:off mvc.perform(get(mailEndpointPath)) .andExpect(status().isOk()) @@ -84,6 +91,7 @@ public void testMailHealthEndpointWithSmtp() throws Exception { @Test @WithMockUser(username = USER_USERNAME, roles = {USER_ROLE}) public void testMailHealthEndpointWithSmtpAsUser() throws Exception { + // @formatter:off mvc.perform(get(mailEndpointPath)) .andExpect(status().isOk()) @@ -96,6 +104,7 @@ public void testMailHealthEndpointWithSmtpAsUser() throws Exception { @Test @WithMockUser(username = ADMIN_USERNAME, roles = {ADMIN_ROLE}) public void testMailHealthEndpointWithSmtpAsAdmin() throws Exception { + // @formatter:off mvc.perform(get(mailEndpointPath)) .andExpect(status().isOk()) diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenAnonymousTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenAnonymousTests.java new file mode 100644 index 000000000..12930cef7 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenAnonymousTests.java @@ -0,0 +1,47 @@ +package it.infn.mw.iam.test.api.tokens; + +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.CONTENT_TYPE; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication; +import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +public class AccessTokenAnonymousTests extends TestTokensUtils { + + private static final int FAKE_TOKEN_ID = 12345; + + @Before + public void setup() { + clearAllTokens(); + initMvc(); + } + + @Test + public void authenticationRequiredOnGettingListTest() throws Exception { + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE) + .with(authentication(anonymousAuthenticationToken()))).andExpect(unauthenticated()); + } + + @Test + public void authenticationRequiredOnRevokingTest() throws Exception { + + String path = String.format("%s/%d", ACCESS_TOKENS_BASE_PATH, FAKE_TOKEN_ID); + mvc.perform( + delete(path).contentType(CONTENT_TYPE).with(authentication(anonymousAuthenticationToken()))) + .andExpect(unauthenticated()); + + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenAuthenticatedTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenAuthenticatedTests.java new file mode 100644 index 000000000..67d1790b7 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenAuthenticatedTests.java @@ -0,0 +1,46 @@ +package it.infn.mw.iam.test.api.tokens; + +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.CONTENT_TYPE; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +public class AccessTokenAuthenticatedTests extends TestTokensUtils { + + private static final String TESTUSER_USERNAME = "test_102"; + private static final int FAKE_TOKEN_ID = 12345; + + @Before + public void setup() { + initMvc(); + } + + @Test + @WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {"ROLE_USER"}) + public void forbiddenOnGettingListTest() throws Exception { + + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE)).andExpect(status().isForbidden()); + } + + @Test + @WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {"ROLE_USER"}) + public void forbiddenOnRevokingTest() throws Exception { + + String path = String.format("%s/%d", ACCESS_TOKENS_BASE_PATH, FAKE_TOKEN_ID); + mvc.perform(delete(path).contentType(CONTENT_TYPE)).andExpect(status().isForbidden()); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenGetListTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenGetListTests.java new file mode 100644 index 000000000..12a362b17 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenGetListTests.java @@ -0,0 +1,385 @@ +package it.infn.mw.iam.test.api.tokens; + +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.CONTENT_TYPE; +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.TOKENS_MAX_PAGE_SIZE; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import com.google.common.collect.Lists; + +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.ObjectMapper; +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.api.scim.converter.ScimResourceLocationProvider; +import it.infn.mw.iam.api.tokens.model.AccessToken; +import it.infn.mw.iam.api.tokens.model.TokensListResponse; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamOAuthAccessTokenRepository; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mitre.oauth2.model.ClientDetailsEntity; +import org.mitre.oauth2.model.OAuth2AccessTokenEntity; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import java.util.List; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@WithMockOAuthUser(user = "admin", authorities = {"ROLE_ADMIN"}) +public class AccessTokenGetListTests extends TestTokensUtils { + + public static final String[] SCOPES = {"openid", "profile"}; + + public static final String TEST_CLIENT_ID = "token-lookup-client"; + public static final String TEST_CLIENT2_ID = "password-grant"; + public static final int FAKE_TOKEN_ID = 12345; + + @Autowired + private ScimResourceLocationProvider scimResourceLocationProvider; + + @Autowired + private ObjectMapper mapper; + + @Autowired + private IamOAuthAccessTokenRepository tokenRepository; + + private static final String TESTUSER_USERNAME = "test_102"; + private static final String TESTUSER2_USERNAME = "test_103"; + private static final String PARTIAL_USERNAME = "test_10"; + + @Before + public void setup() { + clearAllTokens(); + initMvc(); + } + + @After + public void teardown() { + clearAllTokens(); + } + + @Test + public void getEmptyAccessTokenList() throws Exception { + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(0L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(0L)); + } + + @Test + public void getNotEmptyAccessTokenListWithCountZero() throws Exception { + + buildAccessToken(loadTestClient(TEST_CLIENT_ID), TESTUSER_USERNAME, SCOPES); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("count", "0")) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(0L)); + } + + @Test + public void getAccessTokenListWithAttributes() throws Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + IamAccount user = loadTestUser(TESTUSER_USERNAME); + + OAuth2AccessTokenEntity at = buildAccessToken(client, TESTUSER_USERNAME, SCOPES); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("attributes", + "user,idToken")) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(2L)); + assertThat(atl.getResources().size(), equalTo(2)); + + List acl = atl.getResources(); + AccessToken remoteAt = acl.stream().filter(a -> a.getIdToken() != null).findFirst().get(); + + assertThat(remoteAt.getId(), equalTo(at.getId())); + assertThat(remoteAt.getClient(), equalTo(null)); + assertThat(remoteAt.getExpiration(), equalTo(null)); + assertThat(remoteAt.getIdToken().getId(), equalTo(at.getIdToken().getId())); + assertThat(remoteAt.getUser().getId(), equalTo(user.getUuid())); + assertThat(remoteAt.getUser().getUserName(), equalTo(user.getUsername())); + assertThat(remoteAt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user.getUuid()))); + } + + @Test + public void getAccessTokenListWithClientIdFilter() throws Exception { + + ClientDetailsEntity client1 = loadTestClient(TEST_CLIENT_ID); + ClientDetailsEntity client2 = loadTestClient(TEST_CLIENT2_ID); + + IamAccount user = loadTestUser(TESTUSER_USERNAME); + + List accessTokens = Lists.newArrayList(); + OAuth2AccessTokenEntity target = buildAccessToken(client1, TESTUSER_USERNAME, SCOPES); + accessTokens.add(target); + accessTokens.add(buildAccessToken(client2, TESTUSER_USERNAME, SCOPES)); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("clientId", + client1.getClientId())) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(2L)); + assertThat(atl.getResources().size(), equalTo(2)); + + List acl = atl.getResources(); + AccessToken remoteAt = acl.stream().filter(a -> a.getIdToken() != null).findFirst().get(); + + assertThat(remoteAt.getId(), equalTo(target.getId())); + assertThat(remoteAt.getClient().getId(), equalTo(target.getClient().getId())); + assertThat(remoteAt.getClient().getClientId(), equalTo(target.getClient().getClientId())); + assertThat(remoteAt.getClient().getRef(), equalTo(target.getClient().getClientUri())); + + assertThat(remoteAt.getExpiration(), equalTo(target.getExpiration())); + assertThat(remoteAt.getIdToken().getId(), equalTo(target.getIdToken().getId())); + assertThat(remoteAt.getUser().getId(), equalTo(user.getUuid())); + assertThat(remoteAt.getUser().getUserName(), equalTo(user.getUsername())); + assertThat(remoteAt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user.getUuid()))); + } + + @Test + public void getAccessTokenListWithUserIdFilter() throws Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + + IamAccount user1 = loadTestUser(TESTUSER_USERNAME); + + List accessTokens = Lists.newArrayList(); + OAuth2AccessTokenEntity target = buildAccessToken(client, TESTUSER_USERNAME, SCOPES); + accessTokens.add(target); + accessTokens.add(buildAccessToken(client, TESTUSER2_USERNAME, SCOPES)); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("userId", + user1.getUsername())) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(2L)); + assertThat(atl.getResources().size(), equalTo(2)); + + List acl = atl.getResources(); + AccessToken remoteAt = acl.stream().filter(a -> a.getIdToken() != null).findFirst().get(); + + assertThat(remoteAt.getId(), equalTo(target.getId())); + assertThat(remoteAt.getClient().getId(), equalTo(target.getClient().getId())); + assertThat(remoteAt.getClient().getClientId(), equalTo(target.getClient().getClientId())); + assertThat(remoteAt.getClient().getRef(), equalTo(target.getClient().getClientUri())); + + assertThat(remoteAt.getExpiration(), equalTo(target.getExpiration())); + assertThat(remoteAt.getIdToken().getId(), equalTo(target.getIdToken().getId())); + assertThat(remoteAt.getUser().getId(), equalTo(user1.getUuid())); + assertThat(remoteAt.getUser().getUserName(), equalTo(user1.getUsername())); + assertThat(remoteAt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user1.getUuid()))); + } + + @Test + public void getAccessTokenListWithFullClientIdAndUserIdFilter() throws Exception { + + ClientDetailsEntity client1 = loadTestClient(TEST_CLIENT_ID); + ClientDetailsEntity client2 = loadTestClient(TEST_CLIENT2_ID); + + IamAccount user1 = loadTestUser(TESTUSER_USERNAME); + + List accessTokens = Lists.newArrayList(); + OAuth2AccessTokenEntity target = buildAccessToken(client1, TESTUSER_USERNAME, SCOPES); + accessTokens.add(target); + accessTokens.add(buildAccessToken(client1, TESTUSER2_USERNAME, SCOPES)); + accessTokens.add(buildAccessToken(client2, TESTUSER_USERNAME, SCOPES)); + accessTokens.add(buildAccessToken(client2, TESTUSER2_USERNAME, SCOPES)); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE) + .param("userId", user1.getUsername()) + .param("clientId", client1.getClientId())) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(2L)); + assertThat(atl.getResources().size(), equalTo(2)); + + List acl = atl.getResources(); + AccessToken remoteAt = acl.stream().filter(a -> a.getIdToken() != null).findFirst().get(); + + assertThat(remoteAt.getId(), equalTo(target.getId())); + assertThat(remoteAt.getClient().getId(), equalTo(target.getClient().getId())); + assertThat(remoteAt.getClient().getClientId(), equalTo(target.getClient().getClientId())); + assertThat(remoteAt.getClient().getRef(), equalTo(target.getClient().getClientUri())); + + assertThat(remoteAt.getExpiration(), equalTo(target.getExpiration())); + assertThat(remoteAt.getIdToken().getId(), equalTo(target.getIdToken().getId())); + assertThat(remoteAt.getUser().getId(), equalTo(user1.getUuid())); + assertThat(remoteAt.getUser().getUserName(), equalTo(user1.getUsername())); + assertThat(remoteAt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user1.getUuid()))); + } + + @Test + public void getAccessTokenListWithPartialUserIdFilterReturnsEmpty() throws Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + + buildAccessToken(client, TESTUSER_USERNAME, SCOPES); + buildAccessToken(client, TESTUSER2_USERNAME, SCOPES); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("userId", + PARTIAL_USERNAME)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(0L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(0L)); + assertThat(atl.getResources().size(), equalTo(0)); + } + + @Test + public void getAccessTokenListLimitedToPageSizeFirstPage() throws Exception { + + for (int i = 0; i < TOKENS_MAX_PAGE_SIZE; i++) { + buildAccessToken(loadTestClient(TEST_CLIENT_ID), TESTUSER_USERNAME, SCOPES); + } + + /* get first page */ + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L * TOKENS_MAX_PAGE_SIZE)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(Long.valueOf(TOKENS_MAX_PAGE_SIZE))); + assertThat(atl.getResources().size(), equalTo(TOKENS_MAX_PAGE_SIZE)); + } + + @Test + public void getAccessTokenListLimitedToPageSizeSecondPage() throws Exception { + + for (int i = 0; i < TOKENS_MAX_PAGE_SIZE; i++) { + buildAccessToken(loadTestClient(TEST_CLIENT_ID), TESTUSER_USERNAME, SCOPES); + } + + /* get second page */ + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("startIndex", + String.valueOf(TOKENS_MAX_PAGE_SIZE))) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L * TOKENS_MAX_PAGE_SIZE)); + assertThat(atl.getStartIndex(), equalTo(Long.valueOf(TOKENS_MAX_PAGE_SIZE))); + assertThat(atl.getItemsPerPage(), equalTo(Long.valueOf(TOKENS_MAX_PAGE_SIZE))); + assertThat(atl.getResources().size(), equalTo(TOKENS_MAX_PAGE_SIZE)); + } + + @Test + public void getAccessTokenListFilterUserIdInjection() throws Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + + buildAccessToken(client, TESTUSER_USERNAME, SCOPES); + + assertThat(tokenRepository.count(), equalTo(2L)); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("userId", + "1%; DELETE FROM access_token; SELECT * FROM access_token WHERE userId LIKE %")) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(0L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(0L)); + assertThat(atl.getResources().size(), equalTo(0)); + + assertThat(tokenRepository.count(), equalTo(2L)); + } + + + @Test + public void getAccessTokenListWithOneClientCredentialAccessToken() throws Exception { + + buildAccessToken(loadTestClient(TEST_CLIENT_ID), TESTUSER_USERNAME, SCOPES); + buildAccessToken(loadTestClient(TEST_CLIENT_ID), SCOPES); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(ACCESS_TOKENS_BASE_PATH).contentType(CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(3L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(3L)); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenGetRevokeTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenGetRevokeTests.java new file mode 100644 index 000000000..fecf02989 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/AccessTokenGetRevokeTests.java @@ -0,0 +1,154 @@ +package it.infn.mw.iam.test.api.tokens; + +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.CONTENT_TYPE; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import com.fasterxml.jackson.core.JsonParseException; +import com.fasterxml.jackson.databind.JsonMappingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.api.scim.converter.ScimResourceLocationProvider; +import it.infn.mw.iam.api.tokens.TokensResourceLocationProvider; +import it.infn.mw.iam.api.tokens.model.AccessToken; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mitre.oauth2.model.ClientDetailsEntity; +import org.mitre.oauth2.model.OAuth2AccessTokenEntity; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import java.io.IOException; +import java.io.UnsupportedEncodingException; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@WithMockOAuthUser(user = "admin", authorities = {"ROLE_ADMIN"}) +public class AccessTokenGetRevokeTests extends TestTokensUtils { + + public static final String[] SCOPES = {"openid", "profile"}; + + public static final String TEST_CLIENT_ID = "token-lookup-client"; + public static final String TEST_CLIENT2_ID = "password-grant"; + public static final int FAKE_TOKEN_ID = 12345; + + @Autowired + private TokensResourceLocationProvider tokensResourceLocationProvider; + + @Autowired + private ScimResourceLocationProvider scimResourceLocationProvider; + + @Autowired + private ObjectMapper mapper; + + private static final String TESTUSER_USERNAME = "test_102"; + + @Before + public void setup() { + clearAllTokens(); + initMvc(); + } + + @After + public void teardown() { + clearAllTokens(); + } + + @Test + public void getAccessToken() throws JsonParseException, JsonMappingException, + UnsupportedEncodingException, IOException, Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + IamAccount user = loadTestUser(TESTUSER_USERNAME); + + OAuth2AccessTokenEntity at = buildAccessToken(client, TESTUSER_USERNAME, SCOPES); + + String path = String.format("%s/%d", ACCESS_TOKENS_BASE_PATH, at.getId()); + + AccessToken remoteAt = mapper.readValue( + mvc.perform(get(path).contentType(CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + AccessToken.class); + + System.out.println(remoteAt); + + assertThat(remoteAt.getId(), equalTo(at.getId())); + assertThat(remoteAt.getValue(), equalTo(at.getValue())); + assertThat(remoteAt.getExpiration(), equalTo(at.getExpiration())); + + assertThat(remoteAt.getScopes().contains("openid"), equalTo(true)); + assertThat(remoteAt.getScopes().contains("profile"), equalTo(true)); + + assertThat(remoteAt.getIdToken().getId(), equalTo(at.getIdToken().getId())); + assertThat(remoteAt.getIdToken().getRef(), + equalTo(tokensResourceLocationProvider.accessTokenLocation(at.getIdToken().getId()))); + + assertThat(remoteAt.getClient().getId(), equalTo(client.getId())); + assertThat(remoteAt.getClient().getClientId(), equalTo(client.getClientId())); + + assertThat(remoteAt.getUser().getId(), equalTo(user.getUuid())); + assertThat(remoteAt.getUser().getUserName(), equalTo(user.getUsername())); + assertThat(remoteAt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user.getUuid()))); + + String idPath = tokensResourceLocationProvider.accessTokenLocation(at.getIdToken().getId()); + AccessToken remoteId = mapper.readValue( + mvc.perform(get(idPath).contentType(CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + AccessToken.class); + + assertThat(remoteId.getId(), equalTo(at.getIdToken().getId())); + assertThat(remoteId.getValue(), equalTo(at.getIdToken().getValue())); + assertThat(remoteId.getExpiration(), equalTo(at.getIdToken().getExpiration())); + assertThat(remoteId.getScopes().contains("id-token"), equalTo(true)); + assertThat(remoteId.getScopes().size(), equalTo(1)); + } + + @Test + public void getAccessTokenNotFound() throws JsonParseException, JsonMappingException, + UnsupportedEncodingException, IOException, Exception { + + String path = String.format("%s/%d", ACCESS_TOKENS_BASE_PATH, FAKE_TOKEN_ID); + mvc.perform(get(path).contentType(CONTENT_TYPE)).andExpect(status().isNotFound()); + } + + @Test + public void revokeAccessToken() throws JsonParseException, JsonMappingException, + UnsupportedEncodingException, IOException, Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + OAuth2AccessTokenEntity at = buildAccessToken(client, TESTUSER_USERNAME, SCOPES); + String path = String.format("%s/%d", ACCESS_TOKENS_BASE_PATH, at.getId()); + + mvc.perform(delete(path).contentType(CONTENT_TYPE)).andExpect(status().isNoContent()); + + assertThat(tokenService.getAccessTokenById(at.getId()), equalTo(null)); + assertThat(tokenService.getAccessTokenById(at.getIdToken().getId()), equalTo(null)); + } + + @Test + public void revokeAccessTokenNotFound() throws JsonParseException, JsonMappingException, + UnsupportedEncodingException, IOException, Exception { + + String path = String.format("%s/%d", ACCESS_TOKENS_BASE_PATH, FAKE_TOKEN_ID); + mvc.perform(delete(path).contentType(CONTENT_TYPE)).andExpect(status().isNotFound()); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenAnonymousTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenAnonymousTests.java new file mode 100644 index 000000000..2aa2e59b0 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenAnonymousTests.java @@ -0,0 +1,48 @@ +package it.infn.mw.iam.test.api.tokens; + +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.CONTENT_TYPE; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication; +import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +public class RefreshTokenAnonymousTests extends TestTokensUtils { + + private static final int FAKE_TOKEN_ID = 12345; + + @Before + public void setup() { + clearAllTokens(); + initMvc(); + } + + @Test + public void authenticationRequiredOnGettingListTest() throws Exception { + + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE) + .with(authentication(anonymousAuthenticationToken()))).andExpect(unauthenticated()); + } + + @Test + public void authenticationRequiredOnRevokingTest() throws Exception { + + String path = String.format("%s/%d", REFRESH_TOKENS_BASE_PATH, FAKE_TOKEN_ID); + mvc.perform( + delete(path).contentType(CONTENT_TYPE).with(authentication(anonymousAuthenticationToken()))) + .andExpect(unauthenticated()); + + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenAuthenticatedTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenAuthenticatedTests.java new file mode 100644 index 000000000..21e398d67 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenAuthenticatedTests.java @@ -0,0 +1,46 @@ +package it.infn.mw.iam.test.api.tokens; + +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.CONTENT_TYPE; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +public class RefreshTokenAuthenticatedTests extends TestTokensUtils { + + private static final String TESTUSER_USERNAME = "test_102"; + private static final int FAKE_TOKEN_ID = 12345; + + @Before + public void setup() { + initMvc(); + } + + @Test + @WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {"ROLE_USER"}) + public void forbiddenOnGettingListTest() throws Exception { + + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE)).andExpect(status().isForbidden()); + } + + @Test + @WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {"ROLE_USER"}) + public void forbiddenOnRevokingTest() throws Exception { + + String path = String.format("%s/%d", REFRESH_TOKENS_BASE_PATH, FAKE_TOKEN_ID); + mvc.perform(delete(path).contentType(CONTENT_TYPE)).andExpect(status().isForbidden()); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenGetListTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenGetListTests.java new file mode 100644 index 000000000..69d553b0c --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenGetListTests.java @@ -0,0 +1,333 @@ +package it.infn.mw.iam.test.api.tokens; + +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.CONTENT_TYPE; +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.TOKENS_MAX_PAGE_SIZE; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import com.google.common.collect.Lists; + +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.ObjectMapper; +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.api.scim.converter.ScimResourceLocationProvider; +import it.infn.mw.iam.api.tokens.model.RefreshToken; +import it.infn.mw.iam.api.tokens.model.TokensListResponse; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamOAuthRefreshTokenRepository; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mitre.oauth2.model.ClientDetailsEntity; +import org.mitre.oauth2.model.OAuth2RefreshTokenEntity; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import java.util.List; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@WithMockOAuthUser(user = "admin", authorities = {"ROLE_ADMIN"}) +public class RefreshTokenGetListTests extends TestTokensUtils { + + public static final String[] SCOPES = {"openid", "profile", "offline_access"}; + + public static final String TEST_CLIENT_ID = "token-lookup-client"; + public static final String TEST_CLIENT2_ID = "password-grant"; + public static final int FAKE_TOKEN_ID = 12345; + + @Autowired + private ScimResourceLocationProvider scimResourceLocationProvider; + + @Autowired + private ObjectMapper mapper; + + @Autowired + private IamOAuthRefreshTokenRepository tokenRepository; + + private static final String TESTUSER_USERNAME = "test_102"; + private static final String TESTUSER2_USERNAME = "test_103"; + + @Before + public void setup() { + clearAllTokens(); + initMvc(); + } + + @After + public void teardown() { + clearAllTokens(); + } + + @Test + public void getEmptyRefreshTokenList() throws Exception { + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(0L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(0L)); + } + + @Test + public void getNotEmptyRefreshTokenListWithCountZero() throws Exception { + + buildAccessToken(loadTestClient(TEST_CLIENT_ID), TESTUSER_USERNAME, SCOPES); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("count", "0")) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(1L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(0L)); + } + + @Test + public void getRefreshTokenListWithAttributes() throws Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + IamAccount user = loadTestUser(TESTUSER_USERNAME); + + OAuth2RefreshTokenEntity at = buildAccessToken(client, TESTUSER_USERNAME, SCOPES).getRefreshToken(); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("attributes", "user,idToken")) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(1L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(1L)); + assertThat(atl.getResources().size(), equalTo(1)); + + RefreshToken remoteRt = atl.getResources().get(0); + + assertThat(remoteRt.getId(), equalTo(at.getId())); + assertThat(remoteRt.getClient(), equalTo(null)); + assertThat(remoteRt.getExpiration(), equalTo(null)); + assertThat(remoteRt.getUser().getId(), equalTo(user.getUuid())); + assertThat(remoteRt.getUser().getUserName(), equalTo(user.getUsername())); + assertThat(remoteRt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user.getUuid()))); + } + + @Test + public void getRefreshTokenListWithClientIdFilter() throws Exception { + + ClientDetailsEntity client1 = loadTestClient(TEST_CLIENT_ID); + ClientDetailsEntity client2 = loadTestClient(TEST_CLIENT2_ID); + + IamAccount user = loadTestUser(TESTUSER_USERNAME); + + List refreshTokens = Lists.newArrayList(); + OAuth2RefreshTokenEntity target = buildAccessToken(client1, TESTUSER_USERNAME, SCOPES).getRefreshToken(); + refreshTokens.add(target); + refreshTokens.add(buildAccessToken(client2, TESTUSER_USERNAME, SCOPES).getRefreshToken()); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE) + .param("clientId", client1.getClientId())) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(1L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(1L)); + assertThat(atl.getResources().size(), equalTo(1)); + + RefreshToken remoteRt = atl.getResources().get(0); + + assertThat(remoteRt.getId(), equalTo(target.getId())); + assertThat(remoteRt.getClient().getId(), equalTo(target.getClient().getId())); + assertThat(remoteRt.getClient().getClientId(), equalTo(target.getClient().getClientId())); + assertThat(remoteRt.getClient().getRef(), equalTo(target.getClient().getClientUri())); + + assertThat(remoteRt.getExpiration(), equalTo(target.getExpiration())); + assertThat(remoteRt.getUser().getId(), equalTo(user.getUuid())); + assertThat(remoteRt.getUser().getUserName(), equalTo(user.getUsername())); + assertThat(remoteRt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user.getUuid()))); + } + + @Test + public void getRefreshTokenListWithUserIdFilter() throws Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + + IamAccount user1 = loadTestUser(TESTUSER_USERNAME); + + List refreshTokens = Lists.newArrayList(); + OAuth2RefreshTokenEntity target = buildAccessToken(client, TESTUSER_USERNAME, SCOPES).getRefreshToken(); + refreshTokens.add(target); + refreshTokens.add(buildAccessToken(client, TESTUSER2_USERNAME, SCOPES).getRefreshToken()); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE) + .param("userId", user1.getUsername())) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(1L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(1L)); + assertThat(atl.getResources().size(), equalTo(1)); + + RefreshToken remoteRt = atl.getResources().get(0); + + assertThat(remoteRt.getId(), equalTo(target.getId())); + assertThat(remoteRt.getClient().getId(), equalTo(target.getClient().getId())); + assertThat(remoteRt.getClient().getClientId(), equalTo(target.getClient().getClientId())); + assertThat(remoteRt.getClient().getRef(), equalTo(target.getClient().getClientUri())); + + assertThat(remoteRt.getExpiration(), equalTo(target.getExpiration())); + assertThat(remoteRt.getUser().getId(), equalTo(user1.getUuid())); + assertThat(remoteRt.getUser().getUserName(), equalTo(user1.getUsername())); + assertThat(remoteRt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user1.getUuid()))); + } + + @Test + public void getRefreshTokenListWithClientIdAndUserIdFilter() throws Exception { + + ClientDetailsEntity client1 = loadTestClient(TEST_CLIENT_ID); + ClientDetailsEntity client2 = loadTestClient(TEST_CLIENT2_ID); + + IamAccount user1 = loadTestUser(TESTUSER_USERNAME); + + List refreshTokens = Lists.newArrayList(); + OAuth2RefreshTokenEntity target = buildAccessToken(client1, TESTUSER_USERNAME, SCOPES).getRefreshToken(); + refreshTokens.add(target); + refreshTokens.add(buildAccessToken(client1, TESTUSER2_USERNAME, SCOPES).getRefreshToken()); + refreshTokens.add(buildAccessToken(client2, TESTUSER_USERNAME, SCOPES).getRefreshToken()); + refreshTokens.add(buildAccessToken(client2, TESTUSER2_USERNAME, SCOPES).getRefreshToken()); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE) + .param("userId", user1.getUsername()) + .param("clientId", client1.getClientId())) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(1L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(1L)); + assertThat(atl.getResources().size(), equalTo(1)); + + RefreshToken remoteRt = atl.getResources().get(0); + + assertThat(remoteRt.getId(), equalTo(target.getId())); + assertThat(remoteRt.getClient().getId(), equalTo(target.getClient().getId())); + assertThat(remoteRt.getClient().getClientId(), equalTo(target.getClient().getClientId())); + assertThat(remoteRt.getClient().getRef(), equalTo(target.getClient().getClientUri())); + + assertThat(remoteRt.getExpiration(), equalTo(target.getExpiration())); + assertThat(remoteRt.getUser().getId(), equalTo(user1.getUuid())); + assertThat(remoteRt.getUser().getUserName(), equalTo(user1.getUsername())); + assertThat(remoteRt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user1.getUuid()))); + } + + + @Test + public void getRefreshTokenListLimitedToPageSizeFirstPage() throws Exception { + + for (int i = 0; i < 2 * TOKENS_MAX_PAGE_SIZE; i++) { + buildAccessToken(loadTestClient(TEST_CLIENT_ID), TESTUSER_USERNAME, SCOPES); + } + + /* get first page */ + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L * TOKENS_MAX_PAGE_SIZE)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(Long.valueOf(TOKENS_MAX_PAGE_SIZE))); + assertThat(atl.getResources().size(), equalTo(TOKENS_MAX_PAGE_SIZE)); + } + + @Test + public void getRefreshTokenListLimitedToPageSizeSecondPage() throws Exception { + + for (int i = 0; i < 2 * TOKENS_MAX_PAGE_SIZE; i++) { + buildAccessToken(loadTestClient(TEST_CLIENT_ID), TESTUSER_USERNAME, SCOPES); + } + + /* get second page */ + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE).param("startIndex", + String.valueOf(TOKENS_MAX_PAGE_SIZE))) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(2L * TOKENS_MAX_PAGE_SIZE)); + assertThat(atl.getStartIndex(), equalTo(Long.valueOf(TOKENS_MAX_PAGE_SIZE))); + assertThat(atl.getItemsPerPage(), equalTo(Long.valueOf(TOKENS_MAX_PAGE_SIZE))); + assertThat(atl.getResources().size(), equalTo(TOKENS_MAX_PAGE_SIZE)); + } + + @Test + public void getRefreshTokenListFilterUserIdInjection() throws Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + + buildAccessToken(client, TESTUSER_USERNAME, SCOPES); + + assertThat(tokenRepository.count(), equalTo(1L)); + + TokensListResponse atl = mapper.readValue( + mvc.perform(get(REFRESH_TOKENS_BASE_PATH).contentType(CONTENT_TYPE) + .param("userId", "1%; DELETE FROM access_token; SELECT * FROM refresh_token WHERE userId LIKE %")) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + new TypeReference>() {}); + + assertThat(atl.getTotalResults(), equalTo(0L)); + assertThat(atl.getStartIndex(), equalTo(1L)); + assertThat(atl.getItemsPerPage(), equalTo(0L)); + assertThat(atl.getResources().size(), equalTo(0)); + + assertThat(tokenRepository.count(), equalTo(1L)); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenGetRevokeTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenGetRevokeTests.java new file mode 100644 index 000000000..c36a00706 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/RefreshTokenGetRevokeTests.java @@ -0,0 +1,127 @@ +package it.infn.mw.iam.test.api.tokens; + +import static it.infn.mw.iam.api.tokens.TokensControllerSupport.CONTENT_TYPE; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import com.fasterxml.jackson.core.JsonParseException; +import com.fasterxml.jackson.databind.JsonMappingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.api.scim.converter.ScimResourceLocationProvider; +import it.infn.mw.iam.api.tokens.model.RefreshToken; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mitre.oauth2.model.ClientDetailsEntity; +import org.mitre.oauth2.model.OAuth2RefreshTokenEntity; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import java.io.IOException; +import java.io.UnsupportedEncodingException; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@WithMockOAuthUser(user = "admin", authorities = {"ROLE_ADMIN"}) +public class RefreshTokenGetRevokeTests extends TestTokensUtils { + + public static final String[] SCOPES = {"openid", "profile", "offline_access"}; + + public static final String TEST_CLIENT_ID = "token-lookup-client"; + public static final String TEST_CLIENT2_ID = "password-grant"; + public static final int FAKE_TOKEN_ID = 12345; + + @Autowired + private ScimResourceLocationProvider scimResourceLocationProvider; + + @Autowired + private ObjectMapper mapper; + + private static final String TESTUSER_USERNAME = "test_102"; + + @Before + public void setup() { + clearAllTokens(); + initMvc(); + } + + @After + public void teardown() { + clearAllTokens(); + } + + @Test + public void getRefreshToken() throws JsonParseException, JsonMappingException, + UnsupportedEncodingException, IOException, Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + IamAccount user = loadTestUser(TESTUSER_USERNAME); + + OAuth2RefreshTokenEntity rt = buildAccessToken(client, TESTUSER_USERNAME, SCOPES).getRefreshToken(); + + String path = String.format("%s/%d", REFRESH_TOKENS_BASE_PATH, rt.getId()); + + RefreshToken remoteRt = mapper.readValue( + mvc.perform(get(path).contentType(CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(), + RefreshToken.class); + + System.out.println(remoteRt); + + assertThat(remoteRt.getId(), equalTo(rt.getId())); + assertThat(remoteRt.getValue(), equalTo(rt.getValue())); + assertThat(remoteRt.getExpiration(), equalTo(rt.getExpiration())); + + assertThat(remoteRt.getClient().getId(), equalTo(client.getId())); + assertThat(remoteRt.getClient().getClientId(), equalTo(client.getClientId())); + + assertThat(remoteRt.getUser().getId(), equalTo(user.getUuid())); + assertThat(remoteRt.getUser().getUserName(), equalTo(user.getUsername())); + assertThat(remoteRt.getUser().getRef(), + equalTo(scimResourceLocationProvider.userLocation(user.getUuid()))); + } + + @Test + public void getRefreshTokenNotFound() throws JsonParseException, JsonMappingException, + UnsupportedEncodingException, IOException, Exception { + + String path = String.format("%s/%d", REFRESH_TOKENS_BASE_PATH, FAKE_TOKEN_ID); + mvc.perform(get(path).contentType(CONTENT_TYPE)).andExpect(status().isNotFound()); + } + + @Test + public void revokeRefreshToken() throws JsonParseException, JsonMappingException, + UnsupportedEncodingException, IOException, Exception { + + ClientDetailsEntity client = loadTestClient(TEST_CLIENT_ID); + OAuth2RefreshTokenEntity rt = buildAccessToken(client, TESTUSER_USERNAME, SCOPES).getRefreshToken(); + String path = String.format("%s/%d", REFRESH_TOKENS_BASE_PATH, rt.getId()); + + mvc.perform(delete(path).contentType(CONTENT_TYPE)).andExpect(status().isNoContent()); + + assertThat(tokenService.getRefreshTokenById(rt.getId()), equalTo(null)); + } + + @Test + public void revokeAccessTokenNotFound() throws JsonParseException, JsonMappingException, + UnsupportedEncodingException, IOException, Exception { + + String path = String.format("%s/%d", REFRESH_TOKENS_BASE_PATH, FAKE_TOKEN_ID); + mvc.perform(delete(path).contentType(CONTENT_TYPE)).andExpect(status().isNotFound()); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/TestTokensUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/TestTokensUtils.java new file mode 100644 index 000000000..8068b9551 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/tokens/TestTokensUtils.java @@ -0,0 +1,110 @@ +package it.infn.mw.iam.test.api.tokens; + +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; + +import it.infn.mw.iam.api.tokens.Constants; +import it.infn.mw.iam.core.user.exception.IamAccountException; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.persistence.repository.IamOAuthAccessTokenRepository; +import it.infn.mw.iam.persistence.repository.IamOAuthRefreshTokenRepository; +import it.infn.mw.iam.test.util.oauth.MockOAuth2Request; + +import org.mitre.oauth2.model.ClientDetailsEntity; +import org.mitre.oauth2.model.OAuth2AccessTokenEntity; +import org.mitre.oauth2.service.ClientDetailsEntityService; +import org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.authentication.AnonymousAuthenticationToken; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +public class TestTokensUtils { + + protected static final String REFRESH_TOKENS_BASE_PATH = Constants.REFRESH_TOKENS_ENDPOINT; + protected static final String ACCESS_TOKENS_BASE_PATH = Constants.ACCESS_TOKENS_ENDPOINT; + + @Autowired + private IamOAuthAccessTokenRepository accessTokenRepository; + + @Autowired + private IamOAuthRefreshTokenRepository refreshTokenRepository; + + @Autowired + private ClientDetailsEntityService clientDetailsService; + + @Autowired + private IamAccountRepository accountRepository; + + @Autowired + protected DefaultOAuth2ProviderTokenService tokenService; + + @Autowired + private WebApplicationContext context; + + protected MockMvc mvc; + + public void initMvc() { + initMvc(context); + } + + public void initMvc(WebApplicationContext context) { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + private OAuth2Authentication oauth2Authentication(ClientDetailsEntity client, String username, + String[] scopes) { + + Authentication userAuth = null; + + if (username != null) { + userAuth = new UsernamePasswordAuthenticationToken(username, ""); + } + + MockOAuth2Request req = new MockOAuth2Request(client.getClientId(), scopes); + OAuth2Authentication auth = new OAuth2Authentication(req, userAuth); + + return auth; + } + + public ClientDetailsEntity loadTestClient(String clientId) { + return clientDetailsService.loadClientByClientId(clientId); + } + + public IamAccount loadTestUser(String userId) { + return accountRepository.findByUsername(userId) + .orElseThrow(() -> new IamAccountException("User not found")); + } + + public OAuth2AccessTokenEntity buildAccessToken(ClientDetailsEntity client, String username, + String[] scopes) { + OAuth2AccessTokenEntity token = + tokenService.createAccessToken(oauth2Authentication(client, username, scopes)); + return token; + } + + public OAuth2AccessTokenEntity buildAccessToken(ClientDetailsEntity client, String[] scopes) { + OAuth2AccessTokenEntity token = + tokenService.createAccessToken(oauth2Authentication(client, null, scopes)); + return token; + } + + public void clearAllTokens() { + accessTokenRepository.deleteAll(); + refreshTokenRepository.deleteAll(); + } + + public Authentication anonymousAuthenticationToken() { + return new AnonymousAuthenticationToken("key", "anonymous", + AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/audit/event/EventTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/audit/event/EventTests.java new file mode 100644 index 000000000..eda631742 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/audit/event/EventTests.java @@ -0,0 +1,348 @@ +package it.infn.mw.iam.test.audit.event; + +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.instanceOf; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; + +import javax.transaction.Transactional; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import com.google.common.collect.Lists; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.api.scim.converter.ScimResourceLocationProvider; +import it.infn.mw.iam.api.scim.converter.UserConverter; +import it.infn.mw.iam.api.scim.model.ScimGroup; +import it.infn.mw.iam.api.scim.model.ScimGroupPatchRequest; +import it.infn.mw.iam.api.scim.model.ScimMemberRef; +import it.infn.mw.iam.api.scim.model.ScimOidcId; +import it.infn.mw.iam.api.scim.model.ScimSamlId; +import it.infn.mw.iam.api.scim.model.ScimSshKey; +import it.infn.mw.iam.api.scim.model.ScimUser; +import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; +import it.infn.mw.iam.api.scim.model.ScimX509Certificate; +import it.infn.mw.iam.api.scim.provisioning.ScimGroupProvisioning; +import it.infn.mw.iam.api.scim.provisioning.ScimUserProvisioning; +import it.infn.mw.iam.audit.IamAuditEventLogger; +import it.infn.mw.iam.audit.events.IamAuditApplicationEvent; +import it.infn.mw.iam.audit.events.account.group.GroupMembershipAddedEvent; +import it.infn.mw.iam.audit.events.account.group.GroupMembershipRemovedEvent; +import it.infn.mw.iam.audit.events.account.oidc.OidcAccountAddedEvent; +import it.infn.mw.iam.audit.events.account.oidc.OidcAccountRemovedEvent; +import it.infn.mw.iam.audit.events.account.saml.SamlAccountAddedEvent; +import it.infn.mw.iam.audit.events.account.saml.SamlAccountRemovedEvent; +import it.infn.mw.iam.audit.events.account.ssh.SshKeyAddedEvent; +import it.infn.mw.iam.audit.events.account.ssh.SshKeyRemovedEvent; +import it.infn.mw.iam.audit.events.account.x509.X509CertificateAddedEvent; +import it.infn.mw.iam.audit.events.account.x509.X509CertificateRemovedEvent; +import it.infn.mw.iam.authn.saml.util.SamlAttributeNames; +import it.infn.mw.iam.core.user.IamAccountService; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.test.SshKeyUtils; +import it.infn.mw.iam.test.ext_authn.x509.X509TestSupport; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class}) +@WebAppConfiguration +@Transactional +public class EventTests extends X509TestSupport { + + private static final String USERNAME = "event_user"; + private static final String GIVENNAME = "Event"; + private static final String FAMILYNAME = "User"; + private static final String EMAIL = "event_user@localhost"; + private static final String SAML_IDP = "test_idp"; + private static final String SAML_USER_ID = "test_user_id"; + private static final String OIDC_ISSUER = "test_issuer"; + private static final String OIDC_SUBJECT = "test_subject"; + private static final String SSH_LABEL = "test_label"; + private static final String SSH_KEY = SshKeyUtils.sshKeys.get(0).key; + private static final String SSH_FINGERPRINT = SshKeyUtils.sshKeys.get(0).fingerprintSHA256; + private static final String GROUPNAME = "event_group"; + + private static final String USERNAME_MESSAGE_CHECK = String.format("username: '%s'", USERNAME); + + @Autowired + private IamAuditEventLogger logger; + + @Autowired + private IamAccountService accountService; + + @Autowired + private UserConverter userConverter; + + @Autowired + private ScimUserProvisioning userProvisioning; + + @Autowired + private ScimGroupProvisioning groupProvisioning; + + @Autowired + private ScimResourceLocationProvider scimResourceLocationProvider; + + private IamAccount account; + private ScimGroup group; + private ScimMemberRef accountRef; + + @Before + public void setup() { + + group = groupProvisioning.create(ScimGroup.builder(GROUPNAME).build()); + + ScimX509Certificate test1Cert = ScimX509Certificate.builder() + .pemEncodedCertificate(TEST_1_CERT_STRING) + .display(TEST_1_CERT_LABEL) + .build(); + + ScimUser user = ScimUser.builder(USERNAME) + .buildName(GIVENNAME, FAMILYNAME) + .buildEmail(EMAIL) + .buildSamlId(SAML_IDP, SAML_USER_ID) + .buildOidcId(OIDC_ISSUER, OIDC_SUBJECT) + .buildSshKey(SSH_LABEL, SSH_KEY, SSH_FINGERPRINT, true) + .addX509Certificate(test1Cert) + .build(); + + + account = accountService.createAccount(userConverter.fromScim(user)); + + assertNotNull(account); + + accountRef = ScimMemberRef.builder() + .display(account.getUsername()) + .value(account.getUuid()) + .ref(scimResourceLocationProvider.userLocation(account.getUuid())) + .build(); + + ScimGroupPatchRequest req = + ScimGroupPatchRequest.builder().add(Lists.newArrayList(accountRef)).build(); + + groupProvisioning.update(group.getId(), req.getOperations()); + } + + @After + public void teardown() { + userProvisioning.delete(account.getUuid()); + groupProvisioning.delete(group.getId()); + } + + @Test + public void testAddSamlAccountEvent() { + + ScimUser update = ScimUser.builder() + .addSamlId(ScimSamlId.builder().attributeId("foo").idpId("bar").userId("test").build()) + .build(); + + ScimUserPatchRequest req = ScimUserPatchRequest.builder().add(update).build(); + userProvisioning.update(account.getUuid(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(SamlAccountAddedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Add SAML account to user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("idpId=bar")); + assertThat(event.getMessage(), containsString("attributeId=foo")); + assertThat(event.getMessage(), containsString("userId=test")); + } + + @Test + public void testRemoveSamlAccountEvent() { + + ScimUser update = ScimUser.builder() + .addSamlId(ScimSamlId.builder().idpId(SAML_IDP).userId(SAML_USER_ID).build()) + .build(); + + ScimUserPatchRequest req = ScimUserPatchRequest.builder().remove(update).build(); + userProvisioning.update(account.getUuid(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(SamlAccountRemovedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Remove SAML account from user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("idpId=" + SAML_IDP)); + assertThat(event.getMessage(), + containsString("attributeId=" + SamlAttributeNames.eduPersonUniqueId)); + assertThat(event.getMessage(), containsString("userId=" + SAML_USER_ID)); + } + + @Test + public void testAddOidcAccountEvent() { + + ScimUser update = ScimUser.builder() + .addOidcId(ScimOidcId.builder().issuer("foo").subject("bar").build()) + .build(); + + ScimUserPatchRequest req = ScimUserPatchRequest.builder().add(update).build(); + userProvisioning.update(account.getUuid(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(OidcAccountAddedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Add OpenID Connect account to user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("issuer=foo")); + assertThat(event.getMessage(), containsString("subject=bar")); + } + + @Test + public void testRemoveOidcAccountEvent() { + + ScimUser update = ScimUser.builder() + .addOidcId(ScimOidcId.builder().issuer(OIDC_ISSUER).subject(OIDC_SUBJECT).build()) + .build(); + + ScimUserPatchRequest req = ScimUserPatchRequest.builder().remove(update).build(); + userProvisioning.update(account.getUuid(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(OidcAccountRemovedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Remove OpenID Connect account from user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("issuer=" + OIDC_ISSUER)); + assertThat(event.getMessage(), containsString("subject=" + OIDC_SUBJECT)); + } + + @Test + public void testAddSshKeyEvent() { + + ScimUser update = ScimUser.builder() + .addSshKey(ScimSshKey.builder() + .display("foo") + .value(SshKeyUtils.sshKeys.get(1).key) + .fingerprint(SshKeyUtils.sshKeys.get(1).fingerprintSHA256) + .build()) + .build(); + + ScimUserPatchRequest req = ScimUserPatchRequest.builder().add(update).build(); + userProvisioning.update(account.getUuid(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(SshKeyAddedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Add ssh key to user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("label=foo")); + assertThat(event.getMessage(), + containsString("fingerprint=" + SshKeyUtils.sshKeys.get(1).fingerprintSHA256)); + assertThat(event.getMessage(), containsString("value=" + SshKeyUtils.sshKeys.get(1).key)); + } + + @Test + public void testRemoveSshKeyEvent() { + + ScimUser update = ScimUser.builder() + .addSshKey(ScimSshKey.builder() + .display(SSH_LABEL) + .value(SSH_KEY) + .fingerprint(SSH_FINGERPRINT) + .build()) + .build(); + + ScimUserPatchRequest req = ScimUserPatchRequest.builder().remove(update).build(); + userProvisioning.update(account.getUuid(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(SshKeyRemovedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Remove ssh key from user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("label=" + SSH_LABEL)); + assertThat(event.getMessage(), containsString("fingerprint=" + SSH_FINGERPRINT)); + assertThat(event.getMessage(), containsString("value=" + SSH_KEY)); + } + + @Test + public void testAddX509CertificateEvent() { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .pemEncodedCertificate(TEST_0_CERT_STRING) + .display(TEST_0_CERT_LABEL) + .build(); + + ScimUser update = ScimUser.builder().addX509Certificate(cert).build(); + + ScimUserPatchRequest req = ScimUserPatchRequest.builder().add(update).build(); + userProvisioning.update(account.getUuid(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(X509CertificateAddedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Add x509 certificate to user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("label=" + TEST_0_CERT_LABEL)); + assertThat(event.getMessage(), containsString("subjectDn=" + TEST_0_SUBJECT)); + assertThat(event.getMessage(), containsString("issuerDn=" + TEST_0_ISSUER)); + assertThat(event.getMessage(), containsString("certificate=" + TEST_0_CERT_STRING)); + } + + @Test + public void testRemoveX509CertificateEvent() { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .pemEncodedCertificate(TEST_1_CERT_STRING) + .display(TEST_1_CERT_LABEL) + .build(); + + ScimUser update = ScimUser.builder().addX509Certificate(cert).build(); + + ScimUserPatchRequest req = ScimUserPatchRequest.builder().remove(update).build(); + userProvisioning.update(account.getUuid(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(X509CertificateRemovedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Remove x509 certificate from user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("label=" + TEST_1_CERT_LABEL)); + assertThat(event.getMessage(), containsString("subjectDn=" + TEST_1_SUBJECT)); + assertThat(event.getMessage(), containsString("issuerDn=" + TEST_1_ISSUER)); + assertThat(event.getMessage(), containsString("certificate=" + TEST_1_CERT_STRING)); + } + + @Test + public void testAddGroupMembershipEvent() { + + ScimGroup secondGroup = groupProvisioning.create(ScimGroup.builder("second_group").build()); + + ScimGroupPatchRequest req = + ScimGroupPatchRequest.builder().add(Lists.newArrayList(accountRef)).build(); + + groupProvisioning.update(secondGroup.getId(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(GroupMembershipAddedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Add group to user")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("name=second_group")); + } + + @Test + public void testRemoveGroupMembershipEvent() { + + ScimGroupPatchRequest req = + ScimGroupPatchRequest.builder().remove(Lists.newArrayList(accountRef)).build(); + + groupProvisioning.update(group.getId(), req.getOperations()); + + IamAuditApplicationEvent event = logger.getLastEvent(); + assertThat(event, instanceOf(GroupMembershipRemovedEvent.class)); + assertNotNull(event.getMessage()); + assertThat(event.getMessage(), containsString("Remove user from group")); + assertThat(event.getMessage(), containsString(USERNAME_MESSAGE_CHECK)); + assertThat(event.getMessage(), containsString("name=" + GROUPNAME)); + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java new file mode 100644 index 000000000..23f9f1b51 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java @@ -0,0 +1,69 @@ +package it.infn.mw.iam.test.core; + +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE; +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.springframework.http.HttpStatus.BAD_REQUEST; +import static org.springframework.http.HttpStatus.FORBIDDEN; +import static org.springframework.http.HttpStatus.NOT_FOUND; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +public class MeControllerTests { + + @Autowired + private ScimRestUtilsMvc restUtils; + + private final static String TESTUSER_USERNAME = "test_101"; + private final static String NOT_FOUND_USERNAME = "not_found"; + + @Before + public void setup() {} + + @Test + @WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {}) + public void insufficientScopeUser() throws Exception { + + restUtils.getMe(FORBIDDEN); + } + + @Test + @WithMockOAuthUser(user = NOT_FOUND_USERNAME, authorities = {"ROLE_USER"}) + public void notFoundUser() throws Exception { + + restUtils.getMe(NOT_FOUND); + } + + @Test + @WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {"ROLE_USER"}) + public void authenticatedUser() throws Exception { + + assertThat(restUtils.getMe().getUserName(), equalTo(TESTUSER_USERNAME)); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE}) + public void notAuthorizedClient() throws Exception { + + restUtils.getMe(BAD_REQUEST) + .andExpect(jsonPath("$.detail", is("No user linked to the current OAuth token"))); + + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/ExternalAuthenticationBuilderTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/ExternalAuthenticationBuilderTests.java index c0213585b..8a6f2f4b3 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/ExternalAuthenticationBuilderTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/ExternalAuthenticationBuilderTests.java @@ -3,6 +3,8 @@ import static it.infn.mw.iam.authn.DefaultExternalAuthenticationInfoBuilder.OIDC_TYPE; import static it.infn.mw.iam.authn.DefaultExternalAuthenticationInfoBuilder.SAML_TYPE; import static it.infn.mw.iam.authn.DefaultExternalAuthenticationInfoBuilder.TYPE_ATTR; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.EPPN; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.EPUID; import static org.junit.Assert.assertThat; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; @@ -18,7 +20,6 @@ import it.infn.mw.iam.authn.DefaultExternalAuthenticationInfoBuilder; import it.infn.mw.iam.authn.oidc.OidcExternalAuthenticationToken; import it.infn.mw.iam.authn.saml.SamlExternalAuthenticationToken; -import it.infn.mw.iam.authn.saml.util.SamlIdResolvers; public class ExternalAuthenticationBuilderTests { @@ -53,13 +54,13 @@ public void testBuildSamlInfoMap() { when(mockToken.getExternalAuthentication()).thenReturn(token); when(token.getCredentials()).thenReturn(cred); when(cred.getRemoteEntityID()).thenReturn("idpId"); - when(cred.getAttributeAsString(SamlIdResolvers.EPUID_NAME)).thenReturn("epuid"); - when(cred.getAttributeAsString(SamlIdResolvers.EPPN_NAME)).thenReturn("eppn"); + when(cred.getAttributeAsString(EPUID.getAttributeName())).thenReturn("EPUID"); + when(cred.getAttributeAsString(EPPN.getAttributeName())).thenReturn("EPPN"); Map infoMap = builder.buildInfoMap(mockToken); assertThat(infoMap.get(TYPE_ATTR), Matchers.equalTo(SAML_TYPE)); - assertThat(infoMap.get("epuid"), Matchers.equalTo("epuid")); - assertThat(infoMap.get("eppn"), Matchers.equalTo("eppn")); + assertThat(infoMap.get("EPUID"), Matchers.equalTo("EPUID")); + assertThat(infoMap.get("EPPN"), Matchers.equalTo("EPPN")); } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/ExternalAuthenticationRegistrationInfoTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/ExternalAuthenticationRegistrationInfoTests.java index 1ac9a5124..a743af7f0 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/ExternalAuthenticationRegistrationInfoTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/ExternalAuthenticationRegistrationInfoTests.java @@ -17,6 +17,8 @@ import it.infn.mw.iam.authn.ExternalAuthenticationRegistrationInfo.ExternalAuthenticationType; import it.infn.mw.iam.authn.oidc.OidcExternalAuthenticationToken; import it.infn.mw.iam.authn.saml.SamlExternalAuthenticationToken; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; +import it.infn.mw.iam.persistence.model.IamSamlId; public class ExternalAuthenticationRegistrationInfoTests { @@ -30,7 +32,7 @@ public void testOidcMinimalInfoConversion() { OidcExternalAuthenticationToken extAuthToken = new OidcExternalAuthenticationToken(token, "test-oidc-subject", null); - ExternalAuthenticationRegistrationInfo uri = extAuthToken.toExernalAuthenticationInfo(); + ExternalAuthenticationRegistrationInfo uri = extAuthToken.toExernalAuthenticationRegistrationInfo(); assertThat(uri.getType(), equalTo(ExternalAuthenticationType.OIDC)); assertThat(uri.getGivenName(), Matchers.nullValue()); @@ -59,7 +61,7 @@ public void testOidcEmailAndNameReturnedIfPresent() { OidcExternalAuthenticationToken extAuthToken = new OidcExternalAuthenticationToken(token, "test-oidc-subject", null); - ExternalAuthenticationRegistrationInfo uri = extAuthToken.toExernalAuthenticationInfo(); + ExternalAuthenticationRegistrationInfo uri = extAuthToken.toExernalAuthenticationRegistrationInfo(); assertThat(uri.getType(), equalTo(ExternalAuthenticationType.OIDC)); assertThat(uri.getSubject(), equalTo("test-oidc-subject")); @@ -81,14 +83,19 @@ public void testSamlMinimalInfoConversion() { when(token.getName()).thenReturn("test-saml-subject"); when(cred.getRemoteEntityID()).thenReturn("test-saml-issuer"); + IamSamlId samlId = new IamSamlId("test-saml-issuer", + Saml2Attribute.EPUID.getAttributeName(), + "test-saml-subject"); + SamlExternalAuthenticationToken extAuthToken = - new SamlExternalAuthenticationToken(token, token.getTokenExpiration(), "test-saml-subject", + new SamlExternalAuthenticationToken(samlId, token, token.getTokenExpiration(), "test-saml-subject", token.getCredentials(), token.getAuthorities()); - ExternalAuthenticationRegistrationInfo uri = extAuthToken.toExernalAuthenticationInfo(); + ExternalAuthenticationRegistrationInfo uri = extAuthToken.toExernalAuthenticationRegistrationInfo(); assertThat(uri.getType(), equalTo(ExternalAuthenticationType.SAML)); assertThat(uri.getSubject(), equalTo("test-saml-subject")); assertThat(uri.getIssuer(), equalTo("test-saml-issuer")); + assertThat(uri.getSubjectAttribute(), equalTo(samlId.getAttributeId())); assertThat(uri.getGivenName(), Matchers.nullValue()); assertThat(uri.getFamilyName(), Matchers.nullValue()); assertThat(uri.getEmail(), Matchers.nullValue()); @@ -102,25 +109,29 @@ public void testSamlEmailAndNameReturnedIfPresent() { SAMLCredential cred = mock(SAMLCredential.class); when(cred.getRemoteEntityID()).thenReturn("test-saml-issuer"); - when(cred.getAttributeAsString(SamlExternalAuthenticationToken.OID_GIVEN_NAME)) + when(cred.getAttributeAsString(Saml2Attribute.GIVEN_NAME.getAttributeName())) .thenReturn("Test Given Name"); - when(cred.getAttributeAsString(SamlExternalAuthenticationToken.OID_SN)) + when(cred.getAttributeAsString(Saml2Attribute.SN.getAttributeName())) .thenReturn("Test Family Name"); - when(cred.getAttributeAsString(SamlExternalAuthenticationToken.OID_MAIL)) + when(cred.getAttributeAsString(Saml2Attribute.MAIL.getAttributeName())) .thenReturn("test@test.org"); when(token.getCredentials()).thenReturn(cred); when(token.getName()).thenReturn("test-saml-subject"); + IamSamlId samlId = new IamSamlId("test-saml-issuer", + Saml2Attribute.EPUID.getAttributeName(), + "test-saml-subject"); SamlExternalAuthenticationToken extAuthToken = - new SamlExternalAuthenticationToken(token, token.getTokenExpiration(), "test-saml-subject", + new SamlExternalAuthenticationToken(samlId,token, token.getTokenExpiration(), "test-saml-subject", token.getCredentials(), token.getAuthorities()); - ExternalAuthenticationRegistrationInfo uri = extAuthToken.toExernalAuthenticationInfo(); + ExternalAuthenticationRegistrationInfo uri = extAuthToken.toExernalAuthenticationRegistrationInfo(); assertThat(uri.getType(), equalTo(ExternalAuthenticationType.SAML)); assertThat(uri.getSubject(), equalTo("test-saml-subject")); assertThat(uri.getIssuer(), equalTo("test-saml-issuer")); + assertThat(uri.getSubjectAttribute(), equalTo(samlId.getAttributeId())); assertThat(uri.getGivenName(), equalTo("Test Given Name")); assertThat(uri.getFamilyName(), equalTo("Test Family Name")); assertThat(uri.getEmail(), equalTo("test@test.org")); diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/InactiveAccountHandlerTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/InactiveAccountHandlerTests.java index 1429f1590..6bc9a209f 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/InactiveAccountHandlerTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/InactiveAccountHandlerTests.java @@ -17,10 +17,9 @@ public class InactiveAccountHandlerTests { - + @Test public void inactiveAccountHandlerSilentlyIgnoresActiveAccount() { - IamProperties.INSTANCE.setOrganisationName("test"); IamAccount account = Mockito.mock(IamAccount.class); @@ -35,7 +34,6 @@ public void inactiveAccountHandlerSilentlyIgnoresActiveAccount() { @Test public void inactiveAccountHandlerRaiseErrorForDisabledUser() { - IamProperties.INSTANCE.setOrganisationName("test"); IamAccount account = Mockito.mock(IamAccount.class); @@ -56,7 +54,6 @@ public void inactiveAccountHandlerRaiseErrorForDisabledUser() { @Test public void inactiveAccountHandlerInformsOfRegistrationRequestWaitingConfirmation() { - IamProperties.INSTANCE.setOrganisationName("test"); IamRegistrationRequest req = Mockito.mock(IamRegistrationRequest.class); IamAccount account = Mockito.mock(IamAccount.class); @@ -80,7 +77,6 @@ public void inactiveAccountHandlerInformsOfRegistrationRequestWaitingConfirmatio @Test public void inactiveAccountHandlerInformsOfRegistrationRequestWaitingForApproval() { - IamProperties.INSTANCE.setOrganisationName("test"); IamRegistrationRequest req = Mockito.mock(IamRegistrationRequest.class); IamAccount account = Mockito.mock(IamAccount.class); @@ -104,7 +100,6 @@ public void inactiveAccountHandlerInformsOfRegistrationRequestWaitingForApproval @Test public void inactiveAccountHandlerIgnoresApprovedRegistrationRequest() { - IamProperties.INSTANCE.setOrganisationName("test"); IamRegistrationRequest req = Mockito.mock(IamRegistrationRequest.class); IamAccount account = Mockito.mock(IamAccount.class); diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/AccountLinkingDisabledTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/AccountLinkingDisabledTests.java new file mode 100644 index 000000000..858e01c8e --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/AccountLinkingDisabledTests.java @@ -0,0 +1,87 @@ +package it.infn.mw.iam.test.ext_authn.account_linking; + +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import javax.transaction.Transactional; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.test.context.TestPropertySource; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import it.infn.mw.iam.IamLoginService; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class}) +@WebAppConfiguration +@TestPropertySource(properties = {"accountLinking.disable=true"}) +@Transactional +public class AccountLinkingDisabledTests { + + @Autowired + private WebApplicationContext context; + + private MockMvc mvc; + + @Before + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + + @Test + @WithMockUser(username = "test") + public void accountLinkingDisabledWorkAsExpected() throws Throwable { + + mvc.perform(post("/iam/account-linking/X509").with(csrf().asHeader())) + .andExpect(status().isForbidden()); + + mvc.perform(delete("/iam/account-linking/X509") + .param("certificateSubject", "certificateSubject").with(csrf().asHeader())) + .andExpect(status().isForbidden()); + + mvc.perform(post("/iam/account-linking/OIDC").with(csrf().asHeader())) + .andExpect(status().isForbidden()); + + mvc.perform(get("/iam/account-linking/OIDC/done").with(csrf().asHeader())) + .andExpect(status().isForbidden()); + + mvc.perform(delete("/iam/account-linking/OIDC").param("sub", "sub") + .param("iss", "iss") + .with(csrf().asHeader())).andExpect(status().isForbidden()); + + mvc.perform(post("/iam/account-linking/SAML").with(csrf().asHeader())) + .andExpect(status().isForbidden()); + + mvc.perform(get("/iam/account-linking/SAML/done").with(csrf().asHeader())) + .andExpect(status().isForbidden()); + + mvc + .perform(delete("/iam/account-linking/SAML").param("sub", "sub") + .param("iss", "iss") + .param("attr", "attr") + .with(csrf().asHeader())) + .andExpect(status().isForbidden()); + + } + + + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/AccountUnlinkTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/AccountUnlinkTests.java index 4bcd07c6b..cf64d7f68 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/AccountUnlinkTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/AccountUnlinkTests.java @@ -1,7 +1,9 @@ package it.infn.mw.iam.test.ext_authn.account_linking; -import static it.infn.mw.iam.test.ext_authn.saml.SamlExternalAuthenticationTestSupport.DEFAULT_IDP_ID; -import static it.infn.mw.iam.test.ext_authn.saml.SamlExternalAuthenticationTestSupport.T2_EPUID; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.EPUID; + +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.DEFAULT_IDP_ID; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.T2_EPUID; import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.isIn; @@ -50,6 +52,8 @@ public class AccountUnlinkTests { private IamAccountRepository iamAccountRepo; private MockMvc mvc; + + public static final String SAML_ATTRIBUTE_ID = EPUID.getAttributeName(); public static final String UNLINKED_ISSUER = UUID.randomUUID().toString(); public static final String UNLINKED_SUBJECT = UUID.randomUUID().toString(); @@ -60,11 +64,14 @@ public class AccountUnlinkTests { public static final String SAML_LINKED_ISSUER = DEFAULT_IDP_ID; public static final String SAML_LINKED_SUBJECT = T2_EPUID; - public static final IamSamlId UNLINKED_SAML_ID = new IamSamlId(UNLINKED_ISSUER, UNLINKED_SUBJECT); - public static final IamOidcId UNLINKED_OIDC_ID = new IamOidcId(UNLINKED_ISSUER, UNLINKED_SUBJECT); + public static final IamSamlId UNLINKED_SAML_ID = new IamSamlId(UNLINKED_ISSUER, + SAML_ATTRIBUTE_ID, UNLINKED_SUBJECT); + + public static final IamOidcId UNLINKED_OIDC_ID = new IamOidcId(UNLINKED_ISSUER, + UNLINKED_SUBJECT); public static final IamSamlId LINKED_SAML_ID = - new IamSamlId(SAML_LINKED_ISSUER, SAML_LINKED_SUBJECT); + new IamSamlId(SAML_LINKED_ISSUER, SAML_ATTRIBUTE_ID, SAML_LINKED_SUBJECT); public static final IamOidcId LINKED_OIDC_ID = new IamOidcId(OIDC_LINKED_ISSUER, OIDC_LINKED_SUBJECT); @@ -93,13 +100,13 @@ public void accountUnlinkEndpointFailsForUnauthenticatedUsers() throws Exception .perform(delete(accountLinkingResourceOidc()).param("iss", LINKED_OIDC_ID.getIssuer()) .param("sub", LINKED_OIDC_ID.getSubject())) .andDo(print()) - .andExpect(status().is4xxClientError()); + .andExpect(status().isUnauthorized()); mvc .perform(delete(accountLinkingResourceSaml()).param("iss", LINKED_SAML_ID.getIdpId()) .param("sub", LINKED_SAML_ID.getUserId())) .andDo(print()) - .andExpect(status().is4xxClientError()); + .andExpect(status().isUnauthorized()); } @Test @@ -186,6 +193,7 @@ public void samlAccountUnlinkWorks() throws Exception { mvc .perform(delete(accountLinkingResourceSaml()).param("iss", SAML_LINKED_ISSUER) .param("sub", SAML_LINKED_SUBJECT) + .param("attr", LINKED_SAML_ID.getAttributeId()) .with(csrf().asHeader())) .andDo(print()).andExpect(status().isNoContent()); @@ -198,5 +206,7 @@ public void samlAccountUnlinkWorks() throws Exception { iamAccountRepo.save(user); } + + } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/OidcAccountLinkingTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/OidcAccountLinkingTests.java index a042909b6..d89729b8f 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/OidcAccountLinkingTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/OidcAccountLinkingTests.java @@ -76,7 +76,7 @@ public void accessToAccountLinkingApiFailsForAnonymousUsers() throws Exception { mvc.perform(get("/iam/account-linking/OIDC")).andExpect(status().isUnauthorized()); mvc.perform(get("/iam/account-linking/SAML")).andExpect(status().isUnauthorized()); - + } @Test @@ -99,7 +99,7 @@ public void oidcAccountLinkingWorks() throws Exception { .andExpect( request().sessionAttribute(ACCOUNT_LINKING_SESSION_SAVED_AUTHENTICATION, notNullValue())) .andExpect(request().sessionAttribute(ACCOUNT_LINKING_SESSION_KEY, - Matchers.equalTo("/iam/account-linking/OIDC"))) + equalTo("/iam/account-linking/OIDC"))) .andReturn() .getRequest() .getSession(); diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/SamlAccountLinkingTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/SamlAccountLinkingTests.java index c5caea5bc..77fe3a060 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/SamlAccountLinkingTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/account_linking/SamlAccountLinkingTests.java @@ -5,6 +5,7 @@ import static it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport.ACCOUNT_LINKING_SESSION_KEY; import static it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport.ACCOUNT_LINKING_SESSION_SAVED_AUTHENTICATION; import static it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport.EXT_AUTH_ERROR_KEY; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.EPUID; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.nullValue; @@ -38,8 +39,9 @@ import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; import it.infn.mw.iam.persistence.repository.IamAccountRepository; -import it.infn.mw.iam.test.ext_authn.saml.SamlExternalAuthenticationTestSupport; +import it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport; import it.infn.mw.iam.test.ext_authn.saml.SamlTestConfig; import it.infn.mw.iam.test.util.saml.SamlUtils; @@ -47,7 +49,7 @@ @SpringApplicationConfiguration(classes = {IamLoginService.class, SamlTestConfig.class}) @WebAppConfiguration @Transactional -public class SamlAccountLinkingTests extends SamlExternalAuthenticationTestSupport { +public class SamlAccountLinkingTests extends SamlAuthenticationTestSupport { private static final String TEST_100_USER = "test_100"; @@ -108,7 +110,10 @@ public void samlAccountLinkingWorks() throws Throwable { request().sessionAttribute(ACCOUNT_LINKING_SESSION_SAVED_AUTHENTICATION, nullValue())) .andExpect(request().sessionAttribute(ACCOUNT_LINKING_SESSION_KEY, nullValue())); - IamAccount account = iamAccountRepo.findBySamlId(DEFAULT_IDP_ID, T1_EPUID) + IamSamlId samlId = new IamSamlId(DEFAULT_IDP_ID, EPUID.getAttributeName(), + T1_EPUID); + + IamAccount account = iamAccountRepo.findBySamlId(samlId) .orElseThrow(() -> new AssertionError("User not found linked to expected SAML id")); Assert.assertThat(account.getUsername(), equalTo(TEST_100_USER)); @@ -164,7 +169,9 @@ public void samlAccountLinkingFailsSinceSamlAccountAlreadyLinkedToAnotherUser() .getSession(); String expectedErrorMessage = String - .format("SAML account '[%s] %s' is already linked to another user", DEFAULT_IDP_ID, T2_EPUID); + .format("SAML account '[%s] (%s = %s)' is already linked to another user", DEFAULT_IDP_ID, + EPUID.getAttributeName(), + T2_EPUID); mvc.perform(get("/iam/account-linking/SAML/done").session(session)) .andExpect(status().isFound()) @@ -226,7 +233,9 @@ public void samlAccountLinkingFailsSinceSamlAccountIsAlreadyBoundToAuthenticated String expectedErrorMessage = String - .format("SAML account '[%s] %s' is already linked to user 'test'", DEFAULT_IDP_ID, T2_EPUID); + .format("SAML account '[%s] (%s = %s)' is already linked to user 'test'", DEFAULT_IDP_ID, + EPUID.getAttributeName(), + T2_EPUID); mvc.perform(get("/iam/account-linking/SAML/done").session(session)) .andExpect(status().isFound()) diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/MetadataLookupServiceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/MetadataLookupServiceTests.java new file mode 100644 index 000000000..5374578ca --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/MetadataLookupServiceTests.java @@ -0,0 +1,195 @@ +package it.infn.mw.iam.test.ext_authn.saml; + +import static java.util.Arrays.asList; +import static java.util.Collections.emptySet; +import static org.hamcrest.CoreMatchers.hasItem; +import static org.hamcrest.Matchers.allOf; +import static org.hamcrest.Matchers.hasProperty; +import static org.hamcrest.Matchers.hasSize; +import static org.hamcrest.Matchers.is; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; +import static org.mockito.Mockito.when; + +import java.util.List; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.runners.MockitoJUnitRunner; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.common.Extensions; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.LocalizedString; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.samlext.saml2mdui.DisplayName; +import org.opensaml.samlext.saml2mdui.UIInfo; +import org.springframework.security.saml.metadata.MetadataManager; + +import com.google.common.collect.Sets; + +import it.infn.mw.iam.authn.saml.DefaultMetadataLookupService; +import it.infn.mw.iam.authn.saml.model.IdpDescription; + +@RunWith(MockitoJUnitRunner.class) +public class MetadataLookupServiceTests { + + public static final String IDP1_ENTITY_ID = "urn:test:idp1"; + public static final String IDP2_ENTITY_ID = "urn:test:idp2"; + public static final String IDP3_ENTITY_ID = "urn:test:idp3"; + public static final String IDP4_ENTITY_ID = "urn:test:idp4"; + + public static final String IDP1_ORGANIZATION_NAME = "IDP1 organization"; + public static final String IDP2_ORGANIZATION_NAME = "IDP2 organization"; + + @Mock + MetadataManager manager; + + @Mock + EntityDescriptor idp1Desc, idp2Desc, idp3Desc, idp4Desc; + + @Mock + IDPSSODescriptor idp1SsoDesc, idp2SsoDesc, idp4SsoDesc; + + @Mock + Extensions idp1SsoExtensions, idp2SsoExtensions, idp4SsoExtensions; + + @Mock + UIInfo idp1UIInfo, idp2UIInfo, idp4UIInfo; + + @Mock + DisplayName idp1DisplayName, idp2DisplayName, idp4DisplayName; + + @Mock + LocalizedString idp1LocalizedString, idp2LocalizedString, idp4LocalizedString; + + @Before + public void setup() throws MetadataProviderException { + + when(idp1LocalizedString.getLocalString()).thenReturn(IDP1_ORGANIZATION_NAME); + when(idp1DisplayName.getName()).thenReturn(idp1LocalizedString); + when(idp1UIInfo.getDisplayNames()).thenReturn(asList(idp1DisplayName)); + + when(idp2LocalizedString.getLocalString()).thenReturn(IDP2_ORGANIZATION_NAME); + when(idp2DisplayName.getName()).thenReturn(idp2LocalizedString); + when(idp2UIInfo.getDisplayNames()).thenReturn(asList(idp2DisplayName)); + + when(idp4LocalizedString.getLocalString()).thenReturn(""); + when(idp4DisplayName.getName()).thenReturn(idp4LocalizedString); + when(idp4UIInfo.getDisplayNames()).thenReturn(asList(idp4DisplayName)); + + when(idp1SsoExtensions.getUnknownXMLObjects(UIInfo.DEFAULT_ELEMENT_NAME)) + .thenReturn(asList(idp1UIInfo)); + + when(idp2SsoExtensions.getUnknownXMLObjects(UIInfo.DEFAULT_ELEMENT_NAME)) + .thenReturn(asList(idp2UIInfo)); + + when(idp4SsoExtensions.getUnknownXMLObjects(UIInfo.DEFAULT_ELEMENT_NAME)) + .thenReturn(asList(idp4UIInfo)); + + when(idp1SsoDesc.getExtensions()).thenReturn(idp1SsoExtensions); + + when(idp2SsoDesc.getExtensions()).thenReturn(idp2SsoExtensions); + + when(idp4SsoDesc.getExtensions()).thenReturn(idp4SsoExtensions); + + when(idp1Desc.getEntityID()).thenReturn(IDP1_ENTITY_ID); + when(idp1Desc.getIDPSSODescriptor(SAMLConstants.SAML20P_NS)).thenReturn(idp1SsoDesc); + + when(idp2Desc.getEntityID()).thenReturn(IDP2_ENTITY_ID); + when(idp2Desc.getIDPSSODescriptor(SAMLConstants.SAML20P_NS)).thenReturn(idp2SsoDesc); + + when(idp3Desc.getEntityID()).thenReturn(IDP3_ENTITY_ID); + + when(idp4Desc.getEntityID()).thenReturn(IDP4_ENTITY_ID); + when(idp4Desc.getIDPSSODescriptor(SAMLConstants.SAML20P_NS)).thenReturn(idp4SsoDesc); + + when(manager.getEntityDescriptor(IDP1_ENTITY_ID)).thenReturn(idp1Desc); + when(manager.getEntityDescriptor(IDP2_ENTITY_ID)).thenReturn(idp2Desc); + when(manager.getEntityDescriptor(IDP3_ENTITY_ID)).thenReturn(idp3Desc); + when(manager.getEntityDescriptor(IDP4_ENTITY_ID)).thenReturn(idp4Desc); + + when(manager.getIDPEntityNames()).thenReturn(Sets.newHashSet(IDP1_ENTITY_ID, IDP2_ENTITY_ID, + IDP3_ENTITY_ID, IDP4_ENTITY_ID)); + } + + + @Test + public void testServiceInitialization() throws MetadataProviderException { + + DefaultMetadataLookupService service = new DefaultMetadataLookupService(manager); + + assertNotNull(service.listIdps()); + List idps = service.listIdps(); + + assertThat(idps, hasSize(4)); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP1_ENTITY_ID)), + hasProperty("organizationName", is(IDP1_ORGANIZATION_NAME))))); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP2_ENTITY_ID)), + hasProperty("organizationName", is(IDP2_ORGANIZATION_NAME))))); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP3_ENTITY_ID)), + hasProperty("organizationName", is(IDP3_ENTITY_ID))))); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP4_ENTITY_ID)), + hasProperty("organizationName", is(IDP4_ENTITY_ID))))); + } + + + @Test + public void testEmptyMetadataInitialization() { + when(manager.getIDPEntityNames()).thenReturn(emptySet()); + DefaultMetadataLookupService service = new DefaultMetadataLookupService(manager); + + assertThat(service.listIdps(), hasSize(0)); + } + + @Test + public void testLookupByOrganizationNameWorks() { + DefaultMetadataLookupService service = new DefaultMetadataLookupService(manager); + + List idps = service.lookupIdp(IDP1_ORGANIZATION_NAME); + assertThat(idps, hasSize(1)); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP1_ENTITY_ID)), + hasProperty("organizationName", is(IDP1_ORGANIZATION_NAME))))); + } + + @Test + public void testPartialLookupWorks() { + DefaultMetadataLookupService service = new DefaultMetadataLookupService(manager); + + List idps = service.lookupIdp("idp"); + assertThat(idps, hasSize(4)); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP1_ENTITY_ID)), + hasProperty("organizationName", is(IDP1_ORGANIZATION_NAME))))); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP2_ENTITY_ID)), + hasProperty("organizationName", is(IDP2_ORGANIZATION_NAME))))); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP3_ENTITY_ID)), + hasProperty("organizationName", is(IDP3_ENTITY_ID))))); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP4_ENTITY_ID)), + hasProperty("organizationName", is(IDP4_ENTITY_ID))))); + } + + @Test + public void testEntityIdLookupWorks() { + + DefaultMetadataLookupService service = new DefaultMetadataLookupService(manager); + List idps = service.lookupIdp(IDP1_ENTITY_ID); + assertThat(idps, hasSize(1)); + + assertThat(idps, hasItem(allOf(hasProperty("entityId", is(IDP1_ENTITY_ID)), + hasProperty("organizationName", is(IDP1_ORGANIZATION_NAME))))); + + idps = service.lookupIdp("unknown"); + assertThat(idps, hasSize(0)); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/ResolverTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/ResolverTests.java index 7cae175af..5d822b0ce 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/ResolverTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/ResolverTests.java @@ -1,5 +1,11 @@ package it.infn.mw.iam.test.ext_authn.saml; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.not; +import static org.hamcrest.Matchers.nullValue; +import static org.junit.Assert.assertThat; + import java.util.Optional; import org.hamcrest.Matchers; @@ -9,22 +15,34 @@ import org.opensaml.saml2.core.NameID; import org.springframework.security.saml.SAMLCredential; -import it.infn.mw.iam.authn.saml.util.SamlAttributeNames; +import it.infn.mw.iam.authn.saml.util.NameIdUserIdentifierResolver; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; import it.infn.mw.iam.authn.saml.util.SamlIdResolvers; import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolver; +import it.infn.mw.iam.persistence.model.IamSamlId; public class ResolverTests { + @Test + public void testSamlIdResolverAttributeResolution(){ + SamlIdResolvers resolvers = new SamlIdResolvers(); + + for (Saml2Attribute a: Saml2Attribute.values()){ + Assert.assertNotNull(resolvers.byName(a.getAlias())); + } + + } + @Test public void emptyNameIdResolverTest() { SAMLCredential cred = Mockito.mock(SAMLCredential.class); Mockito.when(cred.getNameID()).thenReturn(null); - SamlUserIdentifierResolver resolver = SamlIdResolvers.nameid(); + SamlUserIdentifierResolver resolver = new NameIdUserIdentifierResolver(); - Optional resolvedId = resolver.getUserIdentifier(cred); + Optional resolvedId = resolver.resolveSamlUserIdentifier(cred).getResolvedId(); Assert.assertFalse(resolvedId.isPresent()); @@ -34,26 +52,44 @@ public void emptyNameIdResolverTest() { public void nameIdResolverTest() { NameID nameId = Mockito.mock(NameID.class); Mockito.when(nameId.getValue()).thenReturn("nameid"); + Mockito.when(nameId.getFormat()).thenReturn("format"); SAMLCredential cred = Mockito.mock(SAMLCredential.class); Mockito.when(cred.getNameID()).thenReturn(nameId); + Mockito.when(cred.getRemoteEntityID()).thenReturn("entityId"); - SamlUserIdentifierResolver resolver = SamlIdResolvers.nameid(); - Optional resolvedId = resolver.getUserIdentifier(cred); + SamlUserIdentifierResolver resolver = new NameIdUserIdentifierResolver(); - Assert.assertThat(resolvedId.get(), Matchers.equalTo("nameid")); + IamSamlId resolvedId = resolver.resolveSamlUserIdentifier(cred).getResolvedId() + .orElseThrow(() -> new AssertionError("Could not resolve nameid SAML ID")); + Assert.assertThat(resolvedId.getUserId(), Matchers.equalTo("nameid")); + Assert.assertThat(resolvedId.getIdpId(), Matchers.equalTo("entityId")); + Assert.assertThat(resolvedId.getAttributeId(), Matchers.equalTo("format")); } @Test public void mailIdResolverTest() { - SamlUserIdentifierResolver resolver = SamlIdResolvers.mail(); + SamlIdResolvers resolvers = new SamlIdResolvers(); + + SamlUserIdentifierResolver resolver = resolvers.byAttribute(Saml2Attribute.MAIL); + + assertThat(resolver, is(not(nullValue()))); + SAMLCredential cred = Mockito.mock(SAMLCredential.class); - Mockito.when(cred.getAttributeAsString(SamlAttributeNames.mail)).thenReturn("test@test.org"); + Mockito.when(cred.getAttributeAsString(Saml2Attribute.MAIL.getAttributeName())) + .thenReturn("test@test.org"); + Mockito.when(cred.getRemoteEntityID()).thenReturn("entityId"); + + IamSamlId resolvedId = resolver.resolveSamlUserIdentifier(cred).getResolvedId() + .orElseThrow(() -> new AssertionError("Could not resolve email address SAML ID")); + + assertThat(resolvedId.getUserId(), equalTo("test@test.org")); + assertThat(resolvedId.getAttributeId(), + equalTo(Saml2Attribute.MAIL.getAttributeName())); - Optional resolvedId = resolver.getUserIdentifier(cred); + Assert.assertThat(resolvedId.getIdpId(), equalTo("entityId")); - Assert.assertThat(resolvedId.get(), Matchers.equalTo("test@test.org")); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlExternalAuthenticationTestSupport.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlAuthenticationTestSupport.java similarity index 83% rename from iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlExternalAuthenticationTestSupport.java rename to iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlAuthenticationTestSupport.java index 53e1c82ef..f367c3134 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlExternalAuthenticationTestSupport.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlAuthenticationTestSupport.java @@ -32,16 +32,25 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.google.common.collect.ImmutableMap; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; +import it.infn.mw.iam.persistence.model.IamSamlId; import it.infn.mw.iam.test.util.saml.SamlAssertionBuilder; import it.infn.mw.iam.test.util.saml.SamlResponseBuilder; -public class SamlExternalAuthenticationTestSupport { +public class SamlAuthenticationTestSupport { public static final String DEFAULT_IDP_ID = "https://idptestbed/idp/shibboleth"; public static final String KEY_ALIAS = "iam-test"; public static final String KS_PASSWORD = "iam-test"; + public static final String JIT1_NAMEID = "jit1"; + public static final String JIT1_EPPN = "jit1.eppn@idptestbed"; + public static final String JIT1_EPUID = "jit1.epuid@idptestbed"; + public static final String JIT1_GIVEN_NAME = "JustInTime1"; + public static final String JIT1_FAMILY_NAME = "Saml User"; + public static final String JIT1_MAIL = "jit1@example.org"; + public static final String T1_NAMEID = "1234"; public static final String T1_EPPN = "test-user@idptestbed"; public static final String T1_EPUID = "123456@idptestbed"; @@ -58,6 +67,9 @@ public class SamlExternalAuthenticationTestSupport { public static final String EXT_AUTHN_URL = "/iam/authn-info"; + public static final IamSamlId T1_SAML_ID = + new IamSamlId(DEFAULT_IDP_ID, Saml2Attribute.EPUID.getAttributeName(), T1_EPUID); + @Autowired protected MetadataGenerator metadataGenerator; @@ -239,6 +251,37 @@ public Response buildTest1Response(AuthnRequest authnRequest) } + public Response buildJitTest1Response(AuthnRequest authnRequest) + throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException, + SecurityException, SignatureException, MarshallingException { + + SamlAssertionBuilder sab = samlAssertionBuilder(); + + DateTime issueTime = DateTime.now().minusSeconds(30); + + Assertion a = sab.issuer(DEFAULT_IDP_ID) + .nameId(JIT1_NAMEID) + .eppn(JIT1_EPPN) + .epuid(JIT1_EPUID) + .givenName(JIT1_GIVEN_NAME) + .sn(JIT1_FAMILY_NAME) + .mail(JIT1_MAIL) + .recipient(authnRequest.getAssertionConsumerServiceURL()) + .requestId(authnRequest.getID()) + .audience(metadataGenerator.getEntityId()) + .issueInstant(issueTime) + .build(); + + SamlResponseBuilder srb = samlResponseBuilder(); + Response r = srb.assertion(a) + .recipient(authnRequest.getAssertionConsumerServiceURL()) + .requestId(authnRequest.getID()) + .issueInstant(DateTime.now()) + .build(); + + return r; + } + @SuppressWarnings("rawtypes") public AuthnRequest getAuthnRequestFromSession(MockHttpSession session) { @SuppressWarnings("unchecked") diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlControllerTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlControllerTests.java index 563ea7cf6..85d2c6591 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlControllerTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlControllerTests.java @@ -17,7 +17,7 @@ @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = {IamLoginService.class, SamlTestConfig.class}) @WebAppConfiguration -public class SamlControllerTests extends SamlExternalAuthenticationTestSupport { +public class SamlControllerTests extends SamlAuthenticationTestSupport { @Test public void testListIdpsMatch() throws Exception { diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlExternalAuthenticationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlExternalAuthenticationTests.java index f9f5affc8..05b5fb3f6 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlExternalAuthenticationTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlExternalAuthenticationTests.java @@ -33,7 +33,7 @@ @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = {IamLoginService.class, SamlTestConfig.class}) @WebAppConfiguration -public class SamlExternalAuthenticationTests extends SamlExternalAuthenticationTestSupport { +public class SamlExternalAuthenticationTests extends SamlAuthenticationTestSupport { @Test public void testSuccessfulExternalUnregisteredUserAuthentication() throws Throwable { diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlTestConfig.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlTestConfig.java index 7677cd027..bc46e9c37 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlTestConfig.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/SamlTestConfig.java @@ -8,6 +8,4 @@ public class SamlTestConfig { @Autowired ResourceLoader resourceLoader; - - } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitPropertiesTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitPropertiesTests.java new file mode 100644 index 000000000..7bcfa4aff --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitPropertiesTests.java @@ -0,0 +1,59 @@ +package it.infn.mw.iam.test.ext_authn.saml.jit_account_provisioning; + +import static org.hamcrest.Matchers.hasSize; +import static org.hamcrest.Matchers.isIn; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; + +import java.util.Optional; +import java.util.Set; + +import org.junit.Assert; +import org.junit.Test; + +import it.infn.mw.iam.config.saml.IamSamlProperties.IamSamlJITAccountProvisioningProperties; + +public class JitPropertiesTests { + + + @Test + public void testTrustedIdpsListIsByDefaultEmpty() { + IamSamlJITAccountProvisioningProperties props = new IamSamlJITAccountProvisioningProperties(); + + Assert.assertFalse(props.getTrustedIdpsAsOptionalSet().isPresent()); + + props.setTrustedIdps("all"); + + assertFalse(props.getTrustedIdpsAsOptionalSet().isPresent()); + } + + + @Test + public void testTrustedIdpsListParsing() { + IamSamlJITAccountProvisioningProperties props = new IamSamlJITAccountProvisioningProperties(); + + props.setTrustedIdps("idp1,idp2,idp3,,, "); + + Optional> trustedIdps = props.getTrustedIdpsAsOptionalSet(); + + assertTrue(trustedIdps.isPresent()); + + assertThat(trustedIdps.get(), hasSize(3)); + assertThat("idp1", isIn(trustedIdps.get())); + assertThat("idp2", isIn(trustedIdps.get())); + assertThat("idp3", isIn(trustedIdps.get())); + } + + + @Test + public void testTrustedIdpsEmptyListYeldsEmptyOptional() { + IamSamlJITAccountProvisioningProperties props = new IamSamlJITAccountProvisioningProperties(); + + props.setTrustedIdps(""); + Optional> trustedIdps = props.getTrustedIdpsAsOptionalSet(); + assertFalse(trustedIdps.isPresent()); + + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitTestConfig.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitTestConfig.java new file mode 100644 index 000000000..0b938d780 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitTestConfig.java @@ -0,0 +1,39 @@ +package it.infn.mw.iam.test.ext_authn.saml.jit_account_provisioning; + +import org.springframework.context.ApplicationListener; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import it.infn.mw.iam.audit.events.account.AccountCreatedEvent; + +@Configuration +public class JitTestConfig { + + public static class CountAccountCreatedEventsListener + implements ApplicationListener { + + long eventCount = 0; + + @Override + public void onApplicationEvent(AccountCreatedEvent event) { + eventCount++; + } + + public void resetCount() { + eventCount = 0; + } + + public long getCount() { + return eventCount; + } + + } + + public JitTestConfig() {} + + @Bean + public CountAccountCreatedEventsListener accountCreatedEventiListener() { + return new CountAccountCreatedEventsListener(); + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserCleanupTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserCleanupTests.java new file mode 100644 index 000000000..d8cb2c10e --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserCleanupTests.java @@ -0,0 +1,127 @@ +package it.infn.mw.iam.test.ext_authn.saml.jit_account_provisioning; + + +import static java.util.Arrays.asList; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; +import static org.mockito.Matchers.anyObject; +import static org.mockito.Mockito.when; + +import java.time.Instant; +import java.time.LocalDateTime; +import java.time.ZoneId; +import java.util.Date; + +import org.hamcrest.Matchers; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.ArgumentCaptor; +import org.mockito.Captor; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.runners.MockitoJUnitRunner; + +import it.infn.mw.iam.authn.saml.CleanInactiveProvisionedAccounts; +import it.infn.mw.iam.core.time.TimeProvider; +import it.infn.mw.iam.core.user.IamAccountService; +import it.infn.mw.iam.persistence.model.IamAccount; + +@RunWith(MockitoJUnitRunner.class) +public class JitUserCleanupTests { + + public static final int NUM_DAYS = 15; + + @Mock + private IamAccountService accountService; + + @Mock + private TimeProvider timeProvider; + + @Captor + ArgumentCaptor dateArgumentCaptor; + + @Captor + ArgumentCaptor iamAccountArgumentCaptor; + + private CleanInactiveProvisionedAccounts cleanupTask; + + @Before + public void setup() { + when(timeProvider.currentTimeMillis()).thenReturn(System.currentTimeMillis()); + cleanupTask = new CleanInactiveProvisionedAccounts(timeProvider, accountService, NUM_DAYS); + + } + + + @Test(expected = IllegalArgumentException.class) + public void testLifetimeInDaysSanityChecks() { + try { + cleanupTask = new CleanInactiveProvisionedAccounts(timeProvider, accountService, 0); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), Matchers.equalTo("inactiveUserLifetimeInDays must be > 0")); + throw e; + } + } + + @Test(expected= NullPointerException.class) + public void testNullTimeProviderSanityChecks() { + try { + cleanupTask = new CleanInactiveProvisionedAccounts(null, accountService, 1); + } catch (NullPointerException e) { + assertThat(e.getMessage(), Matchers.equalTo("null timeProvider")); + throw e; + } + } + + @Test(expected= NullPointerException.class) + public void testAccountServiceSanityChecks() { + try { + cleanupTask = new CleanInactiveProvisionedAccounts(timeProvider, null, 1); + } catch (NullPointerException e) { + assertThat(e.getMessage(), Matchers.equalTo("null accountService")); + throw e; + } + } + + @Test + public void testExpirationDateComputation() { + + long now = System.currentTimeMillis(); + + LocalDateTime currentDateTime = + LocalDateTime.ofInstant(Instant.ofEpochMilli(now), ZoneId.systemDefault()); + + when(timeProvider.currentTimeMillis()).thenReturn(now); + + cleanupTask.run(); + + LocalDateTime numDaysAgo = currentDateTime.minusDays(NUM_DAYS); + + Mockito.verify(accountService) + .deleteInactiveProvisionedUsersSinceTime(dateArgumentCaptor.capture()); + + Instant computedDateInstant = dateArgumentCaptor.getValue().toInstant(); + + assertTrue(computedDateInstant + .isAfter(numDaysAgo.minusSeconds(1).atZone(ZoneId.systemDefault()).toInstant())); + + assertTrue(computedDateInstant + .isBefore(numDaysAgo.plusSeconds(1).atZone(ZoneId.systemDefault()).toInstant())); + + } + + @Test + public void testSomethingToCleanup() { + + IamAccount anAccount = IamAccount.newAccount(); + + when(accountService.deleteInactiveProvisionedUsersSinceTime(anyObject())) + .thenReturn(asList(anAccount)); + + cleanupTask.run(); + + } + + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserDetailServiceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserDetailServiceTests.java new file mode 100644 index 000000000..71d05bdfd --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserDetailServiceTests.java @@ -0,0 +1,212 @@ +package it.infn.mw.iam.test.ext_authn.saml.jit_account_provisioning; + +import static it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolutionResult.resolutionSuccess; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.DEFAULT_IDP_ID; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.T1_EPUID; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.T1_GIVEN_NAME; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.T1_MAIL; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.T1_SN; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.mockito.Matchers.anyObject; +import static org.mockito.Matchers.anyString; +import static org.mockito.Mockito.when; + +import java.util.Optional; +import java.util.Set; + +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.runners.MockitoJUnitRunner; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.saml.SAMLCredential; + +import com.google.common.collect.Sets; + +import it.infn.mw.iam.authn.InactiveAccountAuthenticationHander; +import it.infn.mw.iam.authn.saml.JustInTimeProvisioningSAMLUserDetailsService; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; +import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolutionResult; +import it.infn.mw.iam.authn.saml.util.SamlUserIdentifierResolver; +import it.infn.mw.iam.core.user.IamAccountService; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport; + +@RunWith(MockitoJUnitRunner.class) +public class JitUserDetailServiceTests extends JitUserDetailsServiceTestsSupport { + + @Mock + private IamAccountRepository accountRepo; + + @Mock + private IamAccountService accountService; + + @Mock + private SamlUserIdentifierResolver resolver; + + @Mock + private InactiveAccountAuthenticationHander inactiveAccountHander; + + private JustInTimeProvisioningSAMLUserDetailsService userDetailsService; + + @Mock + private SAMLCredential cred; + + @Before + public void setup() { + when(accountRepo.findBySamlId(anyObject())).thenReturn(Optional.empty()); + when(accountRepo.findBySamlId(anyString(), anyString(), anyString())) + .thenReturn(Optional.empty()); + + when(accountService.createAccount(anyObject())).thenAnswer(invocation -> { + IamAccount account = (IamAccount) invocation.getArguments()[0]; + account.setPassword("password"); + return account; + }); + + when(resolver.resolveSamlUserIdentifier(anyObject())) + .thenReturn(SamlUserIdentifierResolutionResult.resolutionFailure("No suitable user id found")); + + userDetailsService = new JustInTimeProvisioningSAMLUserDetailsService(resolver, accountService, + inactiveAccountHander, accountRepo, Optional.empty()); + } + + @Test(expected = NullPointerException.class) + public void testNullSamlCredential() { + try { + userDetailsService.loadUserBySAML(null); + } catch (NullPointerException e) { + Assert.assertThat(e.getMessage(), equalTo("null saml credential")); + throw e; + } + } + + @Test(expected = UsernameNotFoundException.class) + public void testUnresolvedSamlIdSanityChecks() { + + try { + userDetailsService.loadUserBySAML(cred); + } catch (UsernameNotFoundException e) { + assertThat(e.getMessage(), + equalTo("Could not extract a user identifier from the SAML assertion")); + throw e; + } + } + + @Test(expected = UsernameNotFoundException.class) + public void testMissingEmailSamlCredentialSanityCheck() { + when(resolver.resolveSamlUserIdentifier(cred)).thenReturn(resolutionSuccess(T1_SAML_ID)); + try { + userDetailsService.loadUserBySAML(cred); + } catch (UsernameNotFoundException e) { + + assertThat(e.getMessage(), containsString(String.format("missing required attribute: %s (%s)", + Saml2Attribute.MAIL.getAlias(), Saml2Attribute.MAIL.getAttributeName()))); + throw e; + } + } + + @Test(expected = UsernameNotFoundException.class) + public void testMissingGivenNameSamlCredentialSanityCheck() { + when(resolver.resolveSamlUserIdentifier(cred)).thenReturn(resolutionSuccess(T1_SAML_ID)); + when(cred.getAttributeAsString(Saml2Attribute.MAIL.getAttributeName())).thenReturn(T1_MAIL); + + try { + userDetailsService.loadUserBySAML(cred); + } catch (UsernameNotFoundException e) { + + assertThat(e.getMessage(), containsString(String.format("missing required attribute: %s (%s)", + Saml2Attribute.GIVEN_NAME.getAlias(), Saml2Attribute.GIVEN_NAME.getAttributeName()))); + throw e; + } + } + + @Test(expected = UsernameNotFoundException.class) + public void testMissingFamilyNameSamlCredentialSanityCheck() { + when(resolver.resolveSamlUserIdentifier(cred)).thenReturn(resolutionSuccess(T1_SAML_ID)); + when(cred.getAttributeAsString(Saml2Attribute.MAIL.getAttributeName())).thenReturn(T1_MAIL); + when(cred.getAttributeAsString(Saml2Attribute.GIVEN_NAME.getAttributeName())) + .thenReturn(T1_GIVEN_NAME); + + try { + userDetailsService.loadUserBySAML(cred); + } catch (UsernameNotFoundException e) { + + assertThat(e.getMessage(), containsString(String.format("missing required attribute: %s (%s)", + Saml2Attribute.SN.getAlias(), Saml2Attribute.SN.getAttributeName()))); + throw e; + } + } + + @Test + public void testSamlIdIsUsedForUsername() { + when(resolver.resolveSamlUserIdentifier(cred)).thenReturn(resolutionSuccess(T1_SAML_ID)); + when(cred.getAttributeAsString(Saml2Attribute.MAIL.getAttributeName())).thenReturn(T1_MAIL); + when(cred.getAttributeAsString(Saml2Attribute.GIVEN_NAME.getAttributeName())) + .thenReturn(T1_GIVEN_NAME); + when(cred.getAttributeAsString(Saml2Attribute.SN.getAttributeName())).thenReturn(T1_SN); + + User user = (User) userDetailsService.loadUserBySAML(cred); + assertThat(user.getUsername(), equalTo(T1_EPUID)); + + } + + @Test + public void uuidIsUsedForAccountUsernameIfResolvedIdLongerThan128Chars() { + when(resolver.resolveSamlUserIdentifier(cred)).thenReturn(resolutionSuccess(LONG_SAML_ID)); + when(cred.getAttributeAsString(Saml2Attribute.MAIL.getAttributeName())).thenReturn(T1_MAIL); + when(cred.getAttributeAsString(Saml2Attribute.GIVEN_NAME.getAttributeName())) + .thenReturn(T1_GIVEN_NAME); + when(cred.getAttributeAsString(Saml2Attribute.SN.getAttributeName())).thenReturn(T1_SN); + + User user = (User) userDetailsService.loadUserBySAML(cred); + assertThat(user.getUsername().length(), equalTo(36)); + } + + @Test(expected = UsernameNotFoundException.class) + public void testEntityIdSanityChecksWorkForUntrustedIdp() { + Set trustedIdps = Sets.newHashSet("http://trusted.idp.example"); + userDetailsService = new JustInTimeProvisioningSAMLUserDetailsService(resolver, accountService, + inactiveAccountHander, accountRepo, Optional.of(trustedIdps)); + + when(resolver.resolveSamlUserIdentifier(cred)).thenReturn(resolutionSuccess(T1_SAML_ID)); + when(cred.getRemoteEntityID()).thenReturn(SamlAuthenticationTestSupport.DEFAULT_IDP_ID); + when(cred.getAttributeAsString(Saml2Attribute.MAIL.getAttributeName())).thenReturn(T1_MAIL); + when(cred.getAttributeAsString(Saml2Attribute.GIVEN_NAME.getAttributeName())) + .thenReturn(T1_GIVEN_NAME); + when(cred.getAttributeAsString(Saml2Attribute.SN.getAttributeName())).thenReturn(T1_SN); + try { + userDetailsService.loadUserBySAML(cred); + } catch (UsernameNotFoundException e) { + assertThat(e.getMessage(), + containsString(String.format("SAML credential issuer '%s' is not trusted", + SamlAuthenticationTestSupport.DEFAULT_IDP_ID))); + throw e; + } + } + + @Test + public void testEntityIdSanityChecksWorkForTrustedIdp() { + Set trustedIdps = Sets.newHashSet("http://trusted.idp.example", DEFAULT_IDP_ID); + userDetailsService = new JustInTimeProvisioningSAMLUserDetailsService(resolver, accountService, + inactiveAccountHander, accountRepo, Optional.of(trustedIdps)); + + when(resolver.resolveSamlUserIdentifier(cred)).thenReturn(resolutionSuccess(T1_SAML_ID)); + when(cred.getRemoteEntityID()).thenReturn(SamlAuthenticationTestSupport.DEFAULT_IDP_ID); + when(cred.getAttributeAsString(Saml2Attribute.MAIL.getAttributeName())).thenReturn(T1_MAIL); + when(cred.getAttributeAsString(Saml2Attribute.GIVEN_NAME.getAttributeName())) + .thenReturn(T1_GIVEN_NAME); + when(cred.getAttributeAsString(Saml2Attribute.SN.getAttributeName())).thenReturn(T1_SN); + + User user = (User) userDetailsService.loadUserBySAML(cred); + assertThat(user.getUsername(), equalTo(T1_EPUID)); + + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserDetailsServiceTestsSupport.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserDetailsServiceTestsSupport.java new file mode 100644 index 000000000..6267a8f1d --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/JitUserDetailsServiceTestsSupport.java @@ -0,0 +1,39 @@ +package it.infn.mw.iam.test.ext_authn.saml.jit_account_provisioning; + +import static com.google.common.base.Preconditions.checkArgument; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.DEFAULT_IDP_ID; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.T1_EPUID; + +import java.util.Random; + +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; +import it.infn.mw.iam.persistence.model.IamSamlId; + +public class JitUserDetailsServiceTestsSupport { + + public static final IamSamlId T1_SAML_ID = + new IamSamlId(DEFAULT_IDP_ID, Saml2Attribute.EPUID.getAttributeName(), T1_EPUID); + + public static final IamSamlId LONG_SAML_ID = + new IamSamlId(DEFAULT_IDP_ID, Saml2Attribute.EPUID.getAttributeName(), generateRandomString(130)); + + + + public static String generateRandomString(int length) { + checkArgument(length > 0, "Please provide a positive length argument"); + char[] chars = "abcdefghijklmnopqrstuvwxyz".toCharArray(); + StringBuilder sb = new StringBuilder(); + Random random = new Random(); + + for (int i = 0; i < length; i++) { + char c = chars[random.nextInt(chars.length)]; + sb.append(c); + + } + + return sb.toString(); + } + + + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/SamlJitAccountProvisioningTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/SamlJitAccountProvisioningTests.java new file mode 100644 index 000000000..bbd2713df --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/saml/jit_account_provisioning/SamlJitAccountProvisioningTests.java @@ -0,0 +1,141 @@ +package it.infn.mw.iam.test.ext_authn.saml.jit_account_provisioning; + +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view; + +import org.hamcrest.Matchers; +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.Response; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.http.MediaType; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.test.context.TestPropertySource; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; +import org.springframework.test.web.servlet.result.MockMvcResultMatchers; +import org.springframework.transaction.annotation.Transactional; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; +import it.infn.mw.iam.config.saml.IamSamlProperties.IamSamlJITAccountProvisioningProperties; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport; +import it.infn.mw.iam.test.ext_authn.saml.SamlTestConfig; +import it.infn.mw.iam.test.ext_authn.saml.jit_account_provisioning.JitTestConfig.CountAccountCreatedEventsListener; +import it.infn.mw.iam.test.util.saml.SamlUtils; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration( + classes = {IamLoginService.class, SamlTestConfig.class, JitTestConfig.class}) +@WebAppConfiguration +@TestPropertySource(properties = {"saml.jit-account-provisioning.enabled=true", + "saml.jit-account-provisioning.trusted-idps=" + SamlAuthenticationTestSupport.DEFAULT_IDP_ID}) +@Transactional +public class SamlJitAccountProvisioningTests extends SamlAuthenticationTestSupport { + + + @Autowired + IamSamlJITAccountProvisioningProperties props; + + @Autowired + IamAccountRepository accountRepo; + + @Autowired + CountAccountCreatedEventsListener accountCreatedEventListener; + + @Test + public void testLoadedConfiguration() { + Assert.assertTrue(props.getEnabled()); + } + + @Test + public void testJITAccountProvisionAccountOnlyOnce() throws Throwable { + + MockHttpSession session = + (MockHttpSession) mvc.perform(MockMvcRequestBuilders.get(samlLoginUrl())) + .andExpect(MockMvcResultMatchers.status().isOk()) + .andReturn() + .getRequest() + .getSession(); + + AuthnRequest authnRequest = getAuthnRequestFromSession(session); + + assertThat(authnRequest.getAssertionConsumerServiceURL(), + Matchers.equalTo("http://localhost:8080/saml/SSO")); + + Response r = buildJitTest1Response(authnRequest); + + session = (MockHttpSession) mvc + .perform(post(authnRequest.getAssertionConsumerServiceURL()) + .contentType(MediaType.APPLICATION_FORM_URLENCODED) + .param("SAMLResponse", SamlUtils.signAndSerializeToBase64(r)) + .session(session)) + .andExpect(redirectedUrl("/dashboard")) + .andReturn() + .getRequest() + .getSession(); + + assertThat(accountCreatedEventListener.getCount(), equalTo(1L)); + + mvc.perform(get("/dashboard").session(session)) + .andExpect(status().isOk()) + .andExpect(view().name("iam/dashboard")); + + IamAccount provisionedAccount = accountRepo + .findBySamlId(DEFAULT_IDP_ID, Saml2Attribute.EPUID.getAttributeName(), JIT1_EPUID) + .orElseThrow(() -> new AssertionError( + String.format("Expected provisioned account not found for EPUID '%s'", JIT1_EPUID))); + + assertThat(provisionedAccount.getUsername(), equalTo(JIT1_EPUID)); + assertThat(provisionedAccount.getUserInfo().getEmail(), equalTo(JIT1_MAIL)); + assertTrue(provisionedAccount.isActive()); + assertTrue(provisionedAccount.isProvisioned()); + assertThat(provisionedAccount.getUserInfo().getGivenName(), equalTo(JIT1_GIVEN_NAME)); + assertThat(provisionedAccount.getUserInfo().getFamilyName(), equalTo(JIT1_FAMILY_NAME)); + + session = (MockHttpSession) mvc.perform(MockMvcRequestBuilders.get(samlLoginUrl())) + .andExpect(MockMvcResultMatchers.status().isOk()) + .andReturn() + .getRequest() + .getSession(); + + authnRequest = getAuthnRequestFromSession(session); + + assertThat(authnRequest.getAssertionConsumerServiceURL(), + Matchers.equalTo("http://localhost:8080/saml/SSO")); + + r = buildJitTest1Response(authnRequest); + + session = (MockHttpSession) mvc + .perform(post(authnRequest.getAssertionConsumerServiceURL()) + .contentType(MediaType.APPLICATION_FORM_URLENCODED) + .param("SAMLResponse", SamlUtils.signAndSerializeToBase64(r)) + .session(session)) + .andExpect(redirectedUrl("/dashboard")) + .andReturn() + .getRequest() + .getSession(); + + IamAccount newProvisionedAccount = accountRepo + .findBySamlId(DEFAULT_IDP_ID, Saml2Attribute.EPUID.getAttributeName(), JIT1_EPUID) + .orElseThrow(() -> new AssertionError( + String.format("Expected provisioned account not found for EPUID '%s'", JIT1_EPUID))); + + assertThat(newProvisionedAccount.getUuid(), equalTo(provisionedAccount.getUuid())); + assertThat(accountCreatedEventListener.getCount(), equalTo(1L)); + + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509AuthenticationCredentialTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509AuthenticationCredentialTests.java new file mode 100644 index 000000000..d87638e04 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509AuthenticationCredentialTests.java @@ -0,0 +1,41 @@ +package it.infn.mw.iam.test.ext_authn.x509; + +import static org.hamcrest.Matchers.emptyArray; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.is; +import static org.junit.Assert.assertThat; + +import java.security.cert.X509Certificate; + +import org.junit.Test; + +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; +import it.infn.mw.iam.authn.x509.X509CertificateVerificationResult; + +public class X509AuthenticationCredentialTests { + + public static final String TEST_SUBJECT = "Test subject"; + public static final String TEST_ISSUER = "Test issuer"; + public static final String VERIFICATION_ERROR = "Verification error"; + + @Test + public void testCredentialCreation() { + IamX509AuthenticationCredential.Builder builder = new IamX509AuthenticationCredential.Builder(); + IamX509AuthenticationCredential cred = builder.subject(TEST_SUBJECT) + .issuer(TEST_ISSUER) + .verificationResult(X509CertificateVerificationResult.failed(VERIFICATION_ERROR)) + .certificateChain(new X509Certificate[] {}) + .build(); + + assertThat(cred.getSubject(), equalTo(TEST_SUBJECT)); + assertThat(cred.getIssuer(), equalTo(TEST_ISSUER)); + assertThat(cred.getVerificationResult().status(), + is(X509CertificateVerificationResult.Status.FAILED)); + + assertThat(cred.getVerificationResult().error().get(), + equalTo(VERIFICATION_ERROR)); + + assertThat(cred.getCertificateChain(), emptyArray()); + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509AuthenticationIntegrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509AuthenticationIntegrationTests.java new file mode 100644 index 000000000..fb78e2519 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509AuthenticationIntegrationTests.java @@ -0,0 +1,227 @@ +package it.infn.mw.iam.test.ext_authn.x509; + +import static it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport.ACCOUNT_LINKING_DASHBOARD_ERROR_KEY; +import static it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport.ACCOUNT_LINKING_DASHBOARD_MESSAGE_KEY; +import static it.infn.mw.iam.authn.x509.IamX509PreauthenticationProcessingFilter.X509_CREDENTIAL_SESSION_KEY; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.is; +import static org.junit.Assert.assertThat; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.flash; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import java.util.Date; + +import javax.transaction.Transactional; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import junit.framework.AssertionFailedError; + + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class}) +@WebAppConfiguration +@Transactional +public class X509AuthenticationIntegrationTests extends X509TestSupport { + + @Autowired + private IamAccountRepository iamAccountRepo; + + @Autowired + private WebApplicationContext context; + + private MockMvc mvc; + + @Before + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + + @Test + public void testX509AuthenticationSuccessUserNotFound() throws Exception { + mvc.perform(MockMvcRequestBuilders.get("/").headers(test0SSLHeadersVerificationSuccess())) + .andExpect(status().isFound()) + .andExpect(redirectedUrl("http://localhost/login")); + } + + @Test + public void testX509AuthenticationSuccessUserFoundLeadsToHomePage() throws Exception { + + IamAccount testAccount = iamAccountRepo.findByUsername("test") + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + linkTest0CertificateToAccount(testAccount); + + iamAccountRepo.save(testAccount); + + IamAccount resolvedAccount = + iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT).orElseThrow( + () -> new AssertionError("Expected test user linked with subject " + TEST_0_SUBJECT)); + + assertThat(resolvedAccount.getUsername(), equalTo("test")); + + mvc.perform(MockMvcRequestBuilders.get("/").headers(test0SSLHeadersVerificationSuccess())) + .andExpect(status().isOk()) + .andExpect(forwardedUrl("/WEB-INF/views/home.jsp")); + } + + @Test + public void testX509AuthenticationVerifyFailedLeadsToLoginPage() throws Exception { + + IamAccount testAccount = iamAccountRepo.findByUsername("test") + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + linkTest0CertificateToAccount(testAccount); + + iamAccountRepo.save(testAccount); + + IamAccount resolvedAccount = + iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT).orElseThrow( + () -> new AssertionError("Expected test user linked with subject " + TEST_0_SUBJECT)); + + assertThat(resolvedAccount.getUsername(), equalTo("test")); + + mvc + .perform(MockMvcRequestBuilders.get("/") + .headers(test0SSLHeadersVerificationFailed("verification failed"))) + .andExpect(status().isFound()) + .andExpect(redirectedUrl("http://localhost/login")); + } + + + @Test + public void testX509AccountLinkingRequiresAuthenticatedUser() throws Exception { + mvc.perform(post("/iam/account-linking/X509").with(csrf().asHeader())) + .andExpect(status().isUnauthorized()); + } + + + @Test + @WithMockUser(username = "test") + public void testX509AccountLinkingWithoutCertFails() throws Exception { + + String errorMessage = "No X.509 credential found in session for user 'test'"; + mvc.perform(post("/iam/account-linking/X509").with(csrf().asHeader())) + .andExpect(status().is3xxRedirection()) + .andExpect(redirectedUrl("/dashboard")) + .andExpect(flash().attribute(ACCOUNT_LINKING_DASHBOARD_ERROR_KEY, equalTo(errorMessage))); + } + + @Test + public void testx509AccountLinking() throws Exception { + + MockHttpSession session = loginAsTestUserWithTest0Cert(mvc); + IamX509AuthenticationCredential credential = + (IamX509AuthenticationCredential) session.getAttribute(X509_CREDENTIAL_SESSION_KEY); + + assertThat(credential.getSubject(), equalTo(TEST_0_SUBJECT)); + + String confirmationMessage = + String.format("Certificate '%s' linked succesfully", credential.getSubject()); + + mvc.perform(post("/iam/account-linking/X509").session(session).with(csrf().asHeader())) + .andExpect(status().is3xxRedirection()) + .andExpect(redirectedUrl("/dashboard")) + .andExpect( + flash().attribute(ACCOUNT_LINKING_DASHBOARD_MESSAGE_KEY, equalTo(confirmationMessage))); + + IamAccount linkedAccount = iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT) + .orElseThrow(() -> new AssertionFailedError("Expected user linked to certificate not found")); + + Date lastUpdateTime = linkedAccount.getLastUpdateTime(); + assertThat(linkedAccount.getUsername(), equalTo("test")); + + // This is to "update" the linked certificate + mvc.perform(post("/iam/account-linking/X509").session(session).with(csrf().asHeader())) + .andExpect(status().is3xxRedirection()) + .andExpect(redirectedUrl("/dashboard")) + .andExpect( + flash().attribute(ACCOUNT_LINKING_DASHBOARD_MESSAGE_KEY, equalTo(confirmationMessage))); + + linkedAccount = iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT) + .orElseThrow(() -> new AssertionFailedError("Expected user linked to certificate not found")); + + assertThat(linkedAccount.getLastUpdateTime().after(lastUpdateTime), is(true)); + } + + + @Test + @WithMockUser(username = "test") + public void x509AccountUnlinkWorks() throws Exception { + IamAccount user = iamAccountRepo.findByUsername("test") + .orElseThrow(() -> new AssertionError("Expected user not found")); + + linkTest0CertificateToAccount(user); + + iamAccountRepo.save(user); + + IamAccount linkedAccount = iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT) + .orElseThrow(() -> new AssertionError( + "Expected test user linked with certificate subject " + TEST_0_SUBJECT)); + + assertThat(linkedAccount.getUsername(), equalTo("test")); + + mvc.perform(delete("/iam/account-linking/X509").param("certificateSubject", TEST_0_SUBJECT) + .with(csrf().asHeader())).andDo(print()).andExpect(status().isNoContent()); + + iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT).ifPresent(a -> { + throw new AssertionError( + "Found unexpected user linked with certificate subject " + TEST_0_SUBJECT); + }); + + } + + @Test + @WithMockUser(username = "test") + public void x509AccountUnlinkSuccedsSilentlyForUnlinkedAccount() throws Exception { + iamAccountRepo.findByUsername("test") + .orElseThrow(() -> new AssertionError("Expected user not found")); + + iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT).ifPresent(a -> { + throw new AssertionError( + "Found unexpected user linked with certificate subject " + TEST_0_SUBJECT); + }); + + mvc.perform(delete("/iam/account-linking/X509").param("certificateSubject", TEST_0_SUBJECT) + .with(csrf().asHeader())).andExpect(status().isNoContent()); + + iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT).ifPresent(a -> { + throw new AssertionError( + "Found unexpected user linked with certificate subject " + TEST_0_SUBJECT); + }); + } + + @Test + public void x509AccountUnlinkingFailsForUnauthenticatedUsers() throws Exception { + mvc.perform(delete("/iam/account-linking/X509").param("certificateSubject", TEST_0_SUBJECT) + .with(csrf().asHeader())).andDo(print()).andExpect(status().isUnauthorized()); + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509CertificateParserTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509CertificateParserTests.java new file mode 100644 index 000000000..806c4c556 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509CertificateParserTests.java @@ -0,0 +1,49 @@ +package it.infn.mw.iam.test.ext_authn.x509; + +import static org.hamcrest.Matchers.arrayWithSize; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; + +import org.junit.Test; + +import it.infn.mw.iam.authn.x509.CertificateParsingError; +import it.infn.mw.iam.authn.x509.PEMX509CertificateChainParser; +import it.infn.mw.iam.authn.x509.X509CertificateChainParser; +import it.infn.mw.iam.authn.x509.X509CertificateChainParsingResult; + +public class X509CertificateParserTests extends X509TestSupport { + + + @Test + public void testCertificateParsing() { + X509CertificateChainParser parser = new PEMX509CertificateChainParser(); + X509CertificateChainParsingResult result = parser.parseChainFromString(TEST_0_CERT_STRING); + + assertThat(result.getChain(), arrayWithSize(1)); + assertThat(result.getChain()[0].getSubjectX500Principal().getName(), equalTo(TEST_0_SUBJECT)); + + } + + @Test(expected = CertificateParsingError.class) + public void testCertificateParsingFailsWithGarbage() { + X509CertificateChainParser parser = new PEMX509CertificateChainParser(); + try { + parser.parseChainFromString("48327498dsahtdsadasgyr9"); + } catch (RuntimeException e) { + assertThat(e.getMessage(), containsString("PEM data not found")); + throw e; + } + } + + @Test(expected = CertificateParsingError.class) + public void testCertificateParsingFailsWithEmptyString() { + X509CertificateChainParser parser = new PEMX509CertificateChainParser(); + try { + parser.parseChainFromString(""); + } catch (RuntimeException e) { + assertThat(e.getMessage(), containsString("PEM data not found")); + throw e; + } + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509CredentialExtractorTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509CredentialExtractorTests.java new file mode 100644 index 000000000..f7b450a15 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509CredentialExtractorTests.java @@ -0,0 +1,99 @@ +package it.infn.mw.iam.test.ext_authn.x509; + +import static org.hamcrest.Matchers.arrayWithSize; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.is; +import static org.junit.Assert.assertThat; + +import java.util.Optional; + +import javax.servlet.http.HttpServletRequest; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.runners.MockitoJUnitRunner; + +import it.infn.mw.iam.authn.x509.DefaultX509AuthenticationCredentialExtractor; +import it.infn.mw.iam.authn.x509.IamX509AuthenticationCredential; +import it.infn.mw.iam.authn.x509.PEMX509CertificateChainParser; +import it.infn.mw.iam.authn.x509.X509CertificateVerificationResult.Status; + +@RunWith(MockitoJUnitRunner.class) +public class X509CredentialExtractorTests extends X509TestSupport { + + + @Mock + HttpServletRequest request; + + DefaultX509AuthenticationCredentialExtractor extractor = + new DefaultX509AuthenticationCredentialExtractor(new PEMX509CertificateChainParser()); + + @Test + public void testEmptyHeaders() { + + Optional cred = extractor.extractX509Credential(request); + assertThat(cred.isPresent(), is(false)); + } + + @Test(expected = IllegalArgumentException.class) + public void testPartialHeadersResultInExceptionThrown() { + + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.CLIENT_CERT.getHeader())) + .thenReturn(TEST_0_CERT_STRING); + + try { + extractor.extractX509Credential(request); + } catch (IllegalArgumentException e) { + Assert.assertThat(e.getMessage(), containsString("Required header not found")); + throw e; + } + } + + @Test + public void testSuccesfullx509Extraction() { + mockHttpRequestWithTest0SSLHeaders(request); + + IamX509AuthenticationCredential cred = extractor.extractX509Credential(request) + .orElseThrow(() -> new AssertionError("Credential not found when one was expected")); + + assertThat(cred.getSubject(), equalTo(TEST_0_SUBJECT)); + assertThat(cred.getIssuer(), equalTo(TEST_0_ISSUER)); + assertThat(cred.getCertificateChain(), arrayWithSize(1)); + assertThat(cred.getVerificationResult().status(), is(Status.SUCCESS)); + } + + @Test(expected=IllegalArgumentException.class) + public void testInvalidVerifyHeaderParsing(){ + mockHttpRequestWithTest0SSLHeaders(request); + mockVerifyHeader(request, "invalid"); + + try { + extractor.extractX509Credential(request); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), containsString("Could not parse X.509 certificate verification header")); + throw e; + } + } + + @Test + public void testVerifyHeaderFailureParsing(){ + mockHttpRequestWithTest0SSLHeaders(request); + mockVerifyHeader(request, "FAILED:invalid whatever"); + + IamX509AuthenticationCredential cred = extractor.extractX509Credential(request) + .orElseThrow(() -> new AssertionError("Credential not found when one was expected")); + + assertThat(cred.getSubject(), equalTo(TEST_0_SUBJECT)); + assertThat(cred.getIssuer(), equalTo(TEST_0_ISSUER)); + assertThat(cred.getCertificateChain(), arrayWithSize(1)); + + assertThat(cred.getVerificationResult().status(), is(Status.FAILED)); + assertThat(cred.getVerificationResult().error().get(), equalTo("invalid whatever")); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509TestSupport.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509TestSupport.java new file mode 100644 index 000000000..185c26e1a --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/ext_authn/x509/X509TestSupport.java @@ -0,0 +1,266 @@ +package it.infn.mw.iam.test.ext_authn.x509; + +import static it.infn.mw.iam.authn.x509.IamX509PreauthenticationProcessingFilter.X509_CREDENTIAL_SESSION_KEY; +import static org.hamcrest.Matchers.notNullValue; +import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.security.cert.X509Certificate; +import java.util.Date; + +import javax.servlet.http.HttpServletRequest; + +import org.mockito.Mockito; +import org.springframework.http.HttpHeaders; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.result.MockMvcResultMatchers; + +import eu.emi.security.authn.x509.impl.CertificateUtils; +import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding; +import it.infn.mw.iam.authn.x509.DefaultX509AuthenticationCredentialExtractor; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamX509Certificate; + +public class X509TestSupport { + + public static final String TEST_0_CERT_PATH = "src/test/resources/x509/test0.cert.pem"; + public static final String TEST_0_SUBJECT = "CN=test0,O=IGI,C=IT"; + public static final String TEST_0_ISSUER = "CN=Test CA,O=IGI,C=IT"; + public static final String TEST_0_SERIAL = "09"; + public static final String TEST_0_V_START = "Sep 26 15:39:34 2012 GMT"; + public static final String TEST_0_V_END = "Sep 24 15:39:34 2022 GMT"; + + public static final String TEST_1_CERT_PATH = "src/test/resources/x509/test1.cert.pem"; + public static final String TEST_1_SUBJECT = "CN=test1,O=IGI,C=IT"; + public static final String TEST_1_ISSUER = "CN=Test CA,O=IGI,C=IT"; + public static final String TEST_1_SERIAL = "10"; + public static final String TEST_1_V_START = "Sep 26 15:39:36 2012 GMT"; + public static final String TEST_1_V_END = "Sep 24 15:39:36 2022 GMT"; + + protected X509Certificate TEST_0_CERT; + protected String TEST_0_CERT_STRING; + protected String TEST_0_CERT_STRING_NGINX; + + protected X509Certificate TEST_1_CERT; + protected String TEST_1_CERT_STRING; + protected String TEST_1_CERT_STRING_NGINX; + + protected IamX509Certificate TEST_0_IAM_X509_CERT; + protected IamX509Certificate TEST_1_IAM_X509_CERT; + + protected String TEST_0_CERT_LABEL = "TEST 0 cert label"; + protected String TEST_1_CERT_LABEL = "TEST 1 cert label"; + + protected String TEST_USERNAME = "test"; + protected String TEST_PASSWORD = "password"; + + protected X509TestSupport() { + try { + TEST_0_CERT_STRING = new String(Files.readAllBytes(Paths.get(TEST_0_CERT_PATH))); + + TEST_0_CERT = CertificateUtils.loadCertificate( + new ByteArrayInputStream(TEST_0_CERT_STRING.getBytes(StandardCharsets.US_ASCII)), + Encoding.PEM); + + TEST_1_CERT_STRING = new String(Files.readAllBytes(Paths.get(TEST_1_CERT_PATH))); + + TEST_1_CERT = CertificateUtils.loadCertificate( + new ByteArrayInputStream(TEST_1_CERT_STRING.getBytes(StandardCharsets.US_ASCII)), + Encoding.PEM); + + TEST_0_IAM_X509_CERT = new IamX509Certificate(); + TEST_0_IAM_X509_CERT.setCertificate(TEST_0_CERT_STRING); + TEST_0_IAM_X509_CERT.setSubjectDn(TEST_0_SUBJECT); + TEST_0_IAM_X509_CERT.setIssuerDn(TEST_0_ISSUER); + TEST_0_IAM_X509_CERT.setLabel(TEST_0_CERT_LABEL); + TEST_0_IAM_X509_CERT.setPrimary(false); + + TEST_1_IAM_X509_CERT = new IamX509Certificate(); + TEST_1_IAM_X509_CERT.setCertificate(TEST_1_CERT_STRING); + TEST_1_IAM_X509_CERT.setSubjectDn(TEST_1_SUBJECT); + TEST_1_IAM_X509_CERT.setIssuerDn(TEST_1_ISSUER); + TEST_1_IAM_X509_CERT.setLabel(TEST_1_CERT_LABEL); + TEST_1_IAM_X509_CERT.setPrimary(false); + + // This is how NGINX encodes certficate in the header + TEST_0_CERT_STRING_NGINX = TEST_0_CERT_STRING.replace('\n', '\t'); + TEST_1_CERT_STRING_NGINX = TEST_1_CERT_STRING.replace('\n', '\t'); + + } catch (IOException e) { + throw new AssertionError(e.getMessage(), e); + } + } + + protected void mockVerifyHeader(HttpServletRequest request, String content) { + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.VERIFY.getHeader())) + .thenReturn(content); + + } + + protected MockHttpSession loginAsTestUserWithTest0Cert(MockMvc mvc) throws Exception { + + MockHttpSession session = (MockHttpSession) mvc + .perform(get("/").headers(test0SSLHeadersVerificationSuccess())) + .andExpect(status().isFound()) + .andExpect(redirectedUrl("http://localhost/login")) + .andExpect(MockMvcResultMatchers.request().sessionAttribute(X509_CREDENTIAL_SESSION_KEY, notNullValue())) + .andReturn() + .getRequest() + .getSession(); + + session = (MockHttpSession) mvc.perform( + post("/login") + .session(session) + .param("username", TEST_USERNAME) + .param("password", TEST_PASSWORD) + .param("submit", "Login")) + .andExpect(status().is3xxRedirection()) + .andExpect(redirectedUrl("http://localhost/")) + .andExpect(authenticated().withUsername("test")) + .andReturn() + .getRequest() + .getSession(); + + return session; + } + + protected void linkTest1CertificateToAccount(IamAccount account) { + IamX509Certificate test1Cert = new IamX509Certificate(); + test1Cert.setPrimary(false); + + test1Cert.setCertificate(TEST_1_CERT_STRING); + test1Cert.setSubjectDn(TEST_1_SUBJECT); + test1Cert.setIssuerDn(TEST_1_ISSUER); + + test1Cert.setLabel(TEST_1_CERT_LABEL); + + Date now = new Date(); + + test1Cert.setCreationTime(now); + test1Cert.setLastUpdateTime(now); + + test1Cert.setAccount(account); + account.getX509Certificates().add(test1Cert); + } + + protected void linkTest0CertificateToAccount(IamAccount account) { + IamX509Certificate test0Cert = new IamX509Certificate(); + test0Cert.setPrimary(true); + + Date now = new Date(); + + test0Cert.setCertificate(TEST_0_CERT_STRING); + test0Cert.setSubjectDn(TEST_0_SUBJECT); + test0Cert.setIssuerDn(TEST_0_ISSUER); + test0Cert.setLabel(TEST_0_CERT_LABEL); + + test0Cert.setCreationTime(now); + test0Cert.setLastUpdateTime(now); + + test0Cert.setAccount(account); + account.getX509Certificates().add(test0Cert); + } + + protected HttpHeaders test0SSLHeadersVerificationSuccess() { + return test0SSLHeaders(true, null); + } + + protected HttpHeaders test0SSLHeadersVerificationFailed(String verificationError) { + return test0SSLHeaders(false, verificationError); + } + + private HttpHeaders test0SSLHeaders(boolean verified, String verificationError) { + HttpHeaders headers = new HttpHeaders(); + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.CLIENT_CERT.getHeader(), + TEST_0_CERT_STRING_NGINX); + + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.SUBJECT.getHeader(), + TEST_0_SUBJECT); + + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.ISSUER.getHeader(), + TEST_0_ISSUER); + + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.SERIAL.getHeader(), + TEST_0_SERIAL); + + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.V_START.getHeader(), + TEST_0_V_START); + + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.V_END.getHeader(), + TEST_0_V_END); + + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.PROTOCOL.getHeader(), "TLS"); + + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.SERVER_NAME.getHeader(), + "serverName"); + + if (verified) { + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.VERIFY.getHeader(), + "SUCCESS"); + } else { + headers.add(DefaultX509AuthenticationCredentialExtractor.Headers.VERIFY.getHeader(), + "FAILED:" + verificationError); + } + + return headers; + } + + protected void mockHttpRequestWithTest0SSLHeaders(HttpServletRequest request) { + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.CLIENT_CERT.getHeader())) + .thenReturn(TEST_0_CERT_STRING_NGINX); + + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.SUBJECT.getHeader())) + .thenReturn(TEST_0_SUBJECT); + + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.ISSUER.getHeader())) + .thenReturn(TEST_0_ISSUER); + + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.SERIAL.getHeader())) + .thenReturn(TEST_0_SERIAL); + + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.V_START.getHeader())) + .thenReturn(TEST_0_V_START); + + Mockito + .when( + request.getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.V_END.getHeader())) + .thenReturn(TEST_0_V_END); + + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.PROTOCOL.getHeader())) + .thenReturn("TLS"); + + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.SERVER_NAME.getHeader())) + .thenReturn("serverName"); + + Mockito + .when(request + .getHeader(DefaultX509AuthenticationCredentialExtractor.Headers.VERIFY.getHeader())) + .thenReturn("SUCCESS"); + + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/login/LoginTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/login/LoginTests.java new file mode 100644 index 000000000..bcdcdf19d --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/login/LoginTests.java @@ -0,0 +1,109 @@ +package it.infn.mw.iam.test.login; + + +import static org.hamcrest.Matchers.greaterThan; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import java.time.Instant; + +import javax.transaction.Transactional; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.result.MockMvcResultMatchers; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class}) +@WebAppConfiguration +@Transactional +public class LoginTests { + + public static final String LOGIN_URL = "/login"; + public static final String ADMIN_USERNAME = "admin"; + public static final String ADMIN_PASSWORD = "password"; + + @Autowired + private WebApplicationContext context; + + @Autowired + private IamAccountRepository accountRepo; + + private MockMvc mvc; + + @Before + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + @Test + public void loginForAdminUserWorks() throws Exception { + + Instant now = Instant.now(); + + //@formatter:off + MockHttpSession session = (MockHttpSession) mvc + .perform( + post(LOGIN_URL) + .param("username", ADMIN_USERNAME) + .param("password", ADMIN_PASSWORD) + .param("submit", "Login")) + .andExpect(status().is3xxRedirection()) + .andExpect(MockMvcResultMatchers.redirectedUrl("/dashboard")) + .andReturn() + .getRequest() + .getSession(); + //@formatter:on + + mvc.perform(get("/dashboard").session(session)) + .andExpect(status().isOk()) + .andExpect(MockMvcResultMatchers.view().name("iam/dashboard")) + .andReturn(); + + IamAccount adminAccount = accountRepo.findByUsername(ADMIN_USERNAME) + .orElseThrow(() -> new AssertionError("Admin user not found!")); + + assertNotNull(adminAccount.getLastLoginTime()); + assertThat(adminAccount.getLastLoginTime().toInstant(), greaterThan(now)); + } + + @Test + public void loginWithInvalidCredentialsIsBlocked() throws Exception { + //@formatter:off + mvc.perform(post(LOGIN_URL) + .param("username", ADMIN_USERNAME) + .param("password", "whatever") + .param("submit", "Login")) + .andExpect(status().is3xxRedirection()) + .andExpect(MockMvcResultMatchers.redirectedUrl("/login?error=failure")); + + mvc.perform(post(LOGIN_URL) + .param("username", "whatever") + .param("password", "whatever") + .param("submit", "Login")) + .andExpect(status().is3xxRedirection()) + .andExpect(MockMvcResultMatchers.redirectedUrl("/login?error=failure")); + //@formatter:on + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/notification/NotificationConcurrentTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/notification/NotificationConcurrentTests.java index 68094b54e..8067dd0ff 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/notification/NotificationConcurrentTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/notification/NotificationConcurrentTests.java @@ -2,6 +2,11 @@ import static it.infn.mw.iam.test.RegistrationUtils.createRegistrationRequest; import static it.infn.mw.iam.test.RegistrationUtils.deleteUser; +import static it.infn.mw.iam.test.util.MockSmtpServerUtils.startMockSmtpServer; +import static it.infn.mw.iam.test.util.MockSmtpServerUtils.stopMockSmtpServer; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertThat; import java.util.ArrayList; import java.util.Date; @@ -70,21 +75,22 @@ public static void init() { } @Before - public void setUp() { - wiserSmtpServer = new Wiser(); - wiserSmtpServer.setHostname(mailHost); - wiserSmtpServer.setPort(mailPort); - wiserSmtpServer.start(); - + public void setUp() throws InterruptedException { + notificationRepository.deleteAll(); + wiserSmtpServer = startMockSmtpServer(mailHost, mailPort); registrationRequest = createRegistrationRequest("test_user"); } @After public void tearDown() { - wiserSmtpServer.stop(); - + stopMockSmtpServer(wiserSmtpServer); deleteUser(registrationRequest.getAccountId()); + notificationRepository.deleteAll(); + + if (wiserSmtpServer.getServer().isRunning()) { + Assert.fail("Fake mail server is still running after stop!!"); + } } @Test @@ -106,7 +112,7 @@ public void testConcurrentDelivery() throws Exception { } int count = wiserSmtpServer.getMessages().size(); - Assert.assertEquals(1, count); + assertThat(count, equalTo(1)); } @@ -114,7 +120,7 @@ public void testConcurrentDelivery() throws Exception { public void testConcurrentCleanUp() throws Exception { notificationService.sendPendingNotifications(); - Assert.assertEquals(1, wiserSmtpServer.getMessages().size()); + assertThat(wiserSmtpServer.getMessages(), hasSize(1)); Date fakeDate = DateUtils.addDays(new Date(), (notificationCleanUpAge + 1)); timeProvider.setTime(fakeDate.getTime()); @@ -129,14 +135,17 @@ public void testConcurrentCleanUp() throws Exception { } barrier.await(); - executorService.shutdown(); for (Future elem : futuresList) { elem.get(); } + + executorService.shutdown(); + + executorService.shutdown(); int count = notificationRepository.countAllMessages(); - Assert.assertEquals(0, count); + assertThat(count, equalTo(0)); } public class WorkerSend implements Callable { @@ -179,7 +188,7 @@ public Integer call() { try { barrier.await(); } catch (Exception ex) { - ex.printStackTrace(); + throw new RuntimeException(ex); } this.notificationService.clearExpiredNotifications(); diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/notification/NotificationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/notification/NotificationTests.java index 468d6f094..e369e2a62 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/notification/NotificationTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/notification/NotificationTests.java @@ -1,8 +1,21 @@ package it.infn.mw.iam.test.notification; +import static it.infn.mw.iam.test.RegistrationUtils.approveRequest; import static it.infn.mw.iam.test.RegistrationUtils.confirmRegistrationRequest; import static it.infn.mw.iam.test.RegistrationUtils.createRegistrationRequest; import static it.infn.mw.iam.test.RegistrationUtils.deleteUser; +import static it.infn.mw.iam.test.RegistrationUtils.rejectRequest; +import static it.infn.mw.iam.test.util.MockSmtpServerUtils.startMockSmtpServer; +import static it.infn.mw.iam.test.util.MockSmtpServerUtils.stopMockSmtpServer; +import static java.lang.String.format; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; +import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.startsWith; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; import java.io.IOException; import java.util.ArrayList; @@ -12,7 +25,6 @@ import javax.mail.MessagingException; import org.apache.commons.lang.time.DateUtils; -import org.hamcrest.Matchers; import org.junit.After; import org.junit.Assert; import org.junit.Before; @@ -30,6 +42,7 @@ import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.api.account.password_reset.PasswordResetController; +import it.infn.mw.iam.api.account.password_reset.PasswordResetService; import it.infn.mw.iam.core.IamDeliveryStatus; import it.infn.mw.iam.notification.MockTimeProvider; import it.infn.mw.iam.notification.NotificationProperties; @@ -38,7 +51,6 @@ import it.infn.mw.iam.persistence.repository.IamEmailNotificationRepository; import it.infn.mw.iam.registration.PersistentUUIDTokenGenerator; import it.infn.mw.iam.registration.RegistrationRequestDto; -import it.infn.mw.iam.test.RegistrationUtils; import it.infn.mw.iam.test.TestUtils; @RunWith(SpringJUnit4ClassRunner.class) @@ -68,6 +80,9 @@ public class NotificationTests { @Autowired private IamEmailNotificationRepository notificationRepository; + @Autowired + private PasswordResetService passwordResetService; + @Autowired private MockTimeProvider timeProvider; @@ -84,19 +99,17 @@ public static void init() { } @Before - public void setUp() { - wiser = new Wiser(); - wiser.setHostname(mailHost); - wiser.setPort(mailPort); - wiser.start(); + public void setUp() throws InterruptedException { + wiser = startMockSmtpServer(mailHost, mailPort); } @After public void tearDown() throws InterruptedException { - wiser.stop(); - Thread.sleep(1000L); - + stopMockSmtpServer(wiser); notificationRepository.deleteAll(); + if (wiser.getServer().isRunning()) { + Assert.fail("Fake mail server is still running after stop!!"); + } } @Test @@ -107,17 +120,17 @@ public void testSendEmails() throws MessagingException { RegistrationRequestDto reg = createRegistrationRequest(username); notificationService.sendPendingNotifications(); - Assert.assertEquals(1, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(1)); WiserMessage message = wiser.getMessages().get(0); - Assert.assertEquals(properties.getMailFrom(), message.getEnvelopeSender()); - Assert.assertTrue("receiver", message.getEnvelopeReceiver().startsWith(username)); - Assert.assertEquals(properties.getSubject().get("confirmation"), - message.getMimeMessage().getSubject()); + assertThat(message.getEnvelopeSender(), equalTo(properties.getMailFrom())); + assertThat(message.getEnvelopeReceiver(), startsWith(username)); + assertThat(message.getMimeMessage().getSubject(), + equalTo(properties.getSubject().get("confirmation"))); Iterable queue = notificationRepository.findAll(); for (IamEmailNotification elem : queue) { - Assert.assertEquals(IamDeliveryStatus.DELIVERED, elem.getDeliveryStatus()); + assertThat(elem.getDeliveryStatus(), equalTo(IamDeliveryStatus.DELIVERED)); } deleteUser(reg.getAccountId()); @@ -132,11 +145,11 @@ public void testDisableNotificationOption() { properties.setDisable(true); notificationService.sendPendingNotifications(); - Assert.assertEquals(0, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(0)); Iterable queue = notificationRepository.findAll(); for (IamEmailNotification elem : queue) { - Assert.assertEquals(IamDeliveryStatus.DELIVERED, elem.getDeliveryStatus()); + assertThat(elem.getDeliveryStatus(), equalTo(IamDeliveryStatus.DELIVERED)); } deleteUser(reg.getAccountId()); @@ -156,11 +169,11 @@ public void testSendMultipleNotifications() { notificationService.sendPendingNotifications(); - Assert.assertEquals(count, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(count)); Iterable queue = notificationRepository.findAll(); for (IamEmailNotification elem : queue) { - Assert.assertEquals(IamDeliveryStatus.DELIVERED, elem.getDeliveryStatus()); + assertThat(elem.getDeliveryStatus(), equalTo(IamDeliveryStatus.DELIVERED)); } for (RegistrationRequestDto elem : requestList) { @@ -172,7 +185,7 @@ public void testSendMultipleNotifications() { public void testSendWithEmptyQueue() { notificationService.sendPendingNotifications(); - Assert.assertEquals(0, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(0)); } @Test @@ -186,7 +199,7 @@ public void testDeliveryFailure() { Iterable queue = notificationRepository.findAll(); for (IamEmailNotification elem : queue) { - Assert.assertEquals(IamDeliveryStatus.DELIVERY_ERROR, elem.getDeliveryStatus()); + assertThat(elem.getDeliveryStatus(), equalTo(IamDeliveryStatus.DELIVERY_ERROR)); } deleteUser(reg.getAccountId()); @@ -200,36 +213,35 @@ public void testApproveFlowNotifications() throws MessagingException { RegistrationRequestDto reg = createRegistrationRequest(username); notificationService.sendPendingNotifications(); - Assert.assertEquals(1, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(1)); WiserMessage message = wiser.getMessages().get(0); - Assert.assertEquals(message.getMimeMessage().getSubject(), - properties.getSubject().get("confirmation")); + assertThat(message.getMimeMessage().getSubject(), + equalTo(properties.getSubject().get("confirmation"))); String confirmationKey = generator.getLastToken(); confirmRegistrationRequest(confirmationKey); notificationService.sendPendingNotifications(); - Assert.assertEquals(2, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(2)); message = wiser.getMessages().get(1); - Assert.assertEquals(properties.getSubject().get("adminHandleRequest"), + assertEquals(properties.getSubject().get("adminHandleRequest"), message.getMimeMessage().getSubject()); - Assert.assertTrue("receiver", - message.getEnvelopeReceiver().startsWith(properties.getAdminAddress())); + assertThat(message.getEnvelopeReceiver(), startsWith(properties.getAdminAddress())); - RegistrationUtils.approveRequest(reg.getUuid()); + approveRequest(reg.getUuid()); notificationService.sendPendingNotifications(); - Assert.assertEquals(3, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(3)); message = wiser.getMessages().get(2); - Assert.assertEquals(properties.getSubject().get("activated"), - message.getMimeMessage().getSubject()); + assertThat(message.getMimeMessage().getSubject(), + equalTo(properties.getSubject().get("activated"))); deleteUser(reg.getAccountId()); } @@ -241,31 +253,30 @@ public void testRejectFlowNotifications() throws MessagingException { RegistrationRequestDto reg = createRegistrationRequest(username); notificationService.sendPendingNotifications(); - Assert.assertEquals(1, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(1)); WiserMessage message = wiser.getMessages().get(0); - Assert.assertEquals(properties.getSubject().get("confirmation"), - message.getMimeMessage().getSubject()); + assertThat(message.getMimeMessage().getSubject(), + equalTo(properties.getSubject().get("confirmation"))); String confirmationKey = generator.getLastToken(); confirmRegistrationRequest(confirmationKey); notificationService.sendPendingNotifications(); - Assert.assertEquals(2, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(2)); message = wiser.getMessages().get(1); - Assert.assertEquals(properties.getSubject().get("adminHandleRequest"), - message.getMimeMessage().getSubject()); - Assert.assertTrue("receiver", - message.getEnvelopeReceiver().startsWith(properties.getAdminAddress())); + assertThat(message.getMimeMessage().getSubject(), + equalTo(properties.getSubject().get("adminHandleRequest"))); + assertThat(message.getEnvelopeReceiver(), startsWith(properties.getAdminAddress())); - RegistrationUtils.rejectRequest(reg.getUuid()); + rejectRequest(reg.getUuid()); notificationService.sendPendingNotifications(); - Assert.assertEquals(3, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(3)); message = wiser.getMessages().get(2); - Assert.assertEquals(properties.getSubject().get("rejected"), - message.getMimeMessage().getSubject()); + assertThat(message.getMimeMessage().getSubject(), + equalTo(properties.getSubject().get("rejected"))); } @Test @@ -274,7 +285,7 @@ public void testCleanOldMessages() { RegistrationRequestDto reg = createRegistrationRequest(username); notificationService.sendPendingNotifications(); - Assert.assertEquals(1, wiser.getMessages().size()); + assertThat(wiser.getMessages(), hasSize(1)); Date fakeDate = DateUtils.addDays(new Date(), (properties.getCleanupAge() + 1)); timeProvider.setTime(fakeDate.getTime()); @@ -284,9 +295,7 @@ public void testCleanOldMessages() { deleteUser(reg.getAccountId()); int count = notificationRepository.countAllMessages(); - Assert.assertEquals(0, count); - - + assertEquals(0, count); } @Test @@ -298,14 +307,14 @@ public void testEveryMailShouldContainSignature() throws MessagingException, IOE RegistrationRequestDto reg = createRegistrationRequest(username); String confirmationKey = generator.getLastToken(); confirmRegistrationRequest(confirmationKey); - RegistrationUtils.approveRequest(reg.getUuid()); + approveRequest(reg.getUuid()); notificationService.sendPendingNotifications(); for (WiserMessage message : wiser.getMessages()) { - Assert.assertTrue("text/plain", message.getMimeMessage().isMimeType("text/plain")); + assertTrue("text/plain", message.getMimeMessage().isMimeType("text/plain")); String content = message.getMimeMessage().getContent().toString(); - Assert.assertThat(content, Matchers.containsString(signature)); + assertThat(content, containsString(signature)); } deleteUser(reg.getAccountId()); @@ -320,15 +329,15 @@ public void testConfirmMailShouldContainsConfirmationLink() RegistrationRequestDto reg = createRegistrationRequest(username); String confirmationKey = generator.getLastToken(); - String confirmURL = String.format("%s/registration/verify/%s", baseUrl, confirmationKey); + String confirmURL = format("%s/registration/verify/%s", baseUrl, confirmationKey); notificationService.sendPendingNotifications(); WiserMessage message = wiser.getMessages().get(0); - Assert.assertTrue("text/plain", message.getMimeMessage().isMimeType("text/plain")); + assertThat(message.getMimeMessage().isMimeType("text/plain"), is(true)); String content = message.getMimeMessage().getContent().toString(); - Assert.assertThat(content, Matchers.containsString(confirmURL)); + assertThat(content, containsString(confirmURL)); deleteUser(reg.getAccountId()); } @@ -341,20 +350,20 @@ public void testActivationMailShouldContainsResetPasswordLink() RegistrationRequestDto reg = createRegistrationRequest(username); String confirmationKey = generator.getLastToken(); - RegistrationUtils.confirmRegistrationRequest(confirmationKey); - RegistrationUtils.approveRequest(reg.getUuid()); + confirmRegistrationRequest(confirmationKey); + approveRequest(reg.getUuid()); String resetKey = generator.getLastToken(); String resetPasswordUrl = - String.format("%s%s/%s", baseUrl, PasswordResetController.BASE_TOKEN_URL, resetKey); + format("%s%s/%s", baseUrl, PasswordResetController.BASE_TOKEN_URL, resetKey); notificationService.sendPendingNotifications(); WiserMessage message = wiser.getMessages().get(2); - Assert.assertTrue("text/plain", message.getMimeMessage().isMimeType("text/plain")); + assertThat(message.getMimeMessage().isMimeType("text/plain"), is(true)); String content = message.getMimeMessage().getContent().toString(); - Assert.assertThat(content, Matchers.containsString(resetPasswordUrl)); + assertThat(content, containsString(resetPasswordUrl)); deleteUser(reg.getAccountId()); } @@ -367,19 +376,41 @@ public void testAdminNotificationMailShouldContainsDashboardLink() RegistrationRequestDto reg = createRegistrationRequest(username); String confirmationKey = generator.getLastToken(); - RegistrationUtils.confirmRegistrationRequest(confirmationKey); + confirmRegistrationRequest(confirmationKey); - String dashboardUrl = String.format("%s/dashboard#/requests", baseUrl); + String dashboardUrl = format("%s/dashboard#/requests", baseUrl); notificationService.sendPendingNotifications(); WiserMessage message = wiser.getMessages().get(1); - Assert.assertTrue("text/plain", message.getMimeMessage().isMimeType("text/plain")); + assertThat(message.getMimeMessage().isMimeType("text/plain"), is(true)); String content = message.getMimeMessage().getContent().toString(); - Assert.assertThat(content, Matchers.containsString(dashboardUrl)); + assertThat(content, containsString(dashboardUrl)); deleteUser(reg.getAccountId()); } + @Test + public void testPasswordResetMailContainsUsername() throws MessagingException, IOException { + + String username = "test_user"; + + RegistrationRequestDto reg = createRegistrationRequest(username); + String confirmationKey = generator.getLastToken(); + confirmRegistrationRequest(confirmationKey); + approveRequest(reg.getUuid()); + passwordResetService.createPasswordResetToken(reg.getEmail()); + + notificationService.sendPendingNotifications(); + + List msgList = wiser.getMessages(); + WiserMessage message = wiser.getMessages().get(msgList.size() - 1); + + assertThat(message.getMimeMessage().isMimeType("text/plain"), is(true)); + String content = message.getMimeMessage().getContent().toString(); + assertThat(content, containsString(username)); + + deleteUser(reg.getAccountId()); + } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/AudienceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/AudienceTests.java index a74b8d898..62b11579e 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/AudienceTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/AudienceTests.java @@ -10,7 +10,6 @@ import org.junit.Test; import org.junit.runner.RunWith; -import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.test.SpringApplicationConfiguration; import org.springframework.boot.test.WebIntegrationTest; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; @@ -30,10 +29,6 @@ public class AudienceTests { public static final String TEST_USERNAME = "test"; public static final String TEST_PASSWORD = "password"; - - @Value("${server.port}") - private Integer iamPort; - @Test public void testAudienceRequestPasswordFlow() throws ParseException { diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ClientRegistrationScopeTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ClientRegistrationScopeTests.java index 41471382e..1d85b0a95 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ClientRegistrationScopeTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ClientRegistrationScopeTests.java @@ -1,47 +1,112 @@ package it.infn.mw.iam.test.oauth; +import static com.google.common.collect.Sets.newHashSet; +import static org.hamcrest.Matchers.hasItem; +import static org.hamcrest.Matchers.not; +import static org.hamcrest.Matchers.notNullValue; import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; +import static org.mitre.util.JsonUtils.getAsArray; +import static org.springframework.http.MediaType.APPLICATION_JSON; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import java.io.IOException; import java.util.Set; import javax.transaction.Transactional; -import org.junit.Assert; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.model.RegisteredClientFields; import org.mitre.openid.connect.ClientDetailsEntityJsonProcessor; -import org.mitre.util.JsonUtils; -import org.springframework.beans.factory.annotation.Value; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; -import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; import com.google.common.base.Joiner; import com.google.common.collect.Sets; import com.google.gson.JsonObject; -import com.jayway.restassured.RestAssured; -import com.jayway.restassured.http.ContentType; -import com.jayway.restassured.response.Response; import it.infn.mw.iam.IamLoginService; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@WebAppConfiguration @Transactional public class ClientRegistrationScopeTests { - @Value("${server.port}") - private Integer iamPort; + private final static String REGISTER_ENDPOINT = "/register"; + + @Autowired + private WebApplicationContext context; + + @Autowired + private ObjectMapper mapper; + + private MockMvc mvc; + + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + @Test + public void testClientRegistrationAccessTokenWorks() throws Exception { + String clientName = "test_test_test"; + String jsonInString = buildClientJsonString(clientName, Sets.newHashSet("test")); + + // @formatter:off + String response = + mvc.perform(post(REGISTER_ENDPOINT) + .contentType(APPLICATION_JSON) + .content(jsonInString)) + .andExpect(status().isCreated()) + .andExpect(content().contentType(APPLICATION_JSON)) + .andReturn() + .getResponse() + .getContentAsString(); + // @formatter:on + + JsonNode jsonNode = mapper.readTree(response); + + String rat = jsonNode.get("registration_access_token").asText(); + String registrationUri = jsonNode.get("registration_client_uri").asText(); + + assertThat(rat, notNullValue()); + assertThat(registrationUri, notNullValue()); + + // @formatter:off + mvc.perform(get(registrationUri) + .contentType(APPLICATION_JSON) + .header("Authorization", "Bearer " + rat)) + .andExpect(status().isOk()) + .andExpect(content().contentType(APPLICATION_JSON)); + + mvc.perform(get(registrationUri) + .contentType(APPLICATION_JSON) + .header("Authorization", "Bearer " + rat)) + .andExpect(status().isOk()) + .andExpect(content().contentType(APPLICATION_JSON)); + // @formatter:on + } @Test - public void testCreateClientWithRegistrationReservedScopes() - throws JsonProcessingException, IOException { + public void testCreateClientWithRegistrationReservedScopes() throws Exception { String clientName = "test_client"; Set scopes = @@ -50,38 +115,27 @@ public void testCreateClientWithRegistrationReservedScopes() String jsonInString = buildClientJsonString(clientName, scopes); // @formatter:off - Response response = RestAssured.given() - .port(iamPort) - .contentType(ContentType.JSON) - .body(jsonInString) - .log() - .all(true) - .when() - .post("/register") - .then() - .log() - .body(true) - .statusCode(HttpStatus.CREATED.value()) - .contentType(ContentType.JSON) - .extract() - .response() - ; + String response = + mvc.perform(post(REGISTER_ENDPOINT) + .contentType(APPLICATION_JSON) + .content(jsonInString)) + .andExpect(status().isCreated()) + .andExpect(content().contentType(APPLICATION_JSON)) + .andReturn() + .getResponse() + .getContentAsString(); // @formatter:on - String str = response.asString(); - ClientDetailsEntity saved = ClientDetailsEntityJsonProcessor.parse(str); + ClientDetailsEntity saved = ClientDetailsEntityJsonProcessor.parse(response); assertNotNull(saved); for (String reservedScope : scopes) { - Assert.assertFalse(saved.getScope().contains(reservedScope)); + assertThat(saved.getScope(), not(hasItem(reservedScope))); } - - } @Test - public void testGetTokenWithScimReservedScopesFailure() - throws JsonProcessingException, IOException { + public void testGetTokenWithScimReservedScopesFailure() throws Exception { String clientName = "test_client"; Set scopes = @@ -90,43 +144,28 @@ public void testGetTokenWithScimReservedScopesFailure() String jsonInString = buildClientJsonString(clientName, scopes); // @formatter:off - Response response = RestAssured.given() - .port(iamPort) - .contentType(ContentType.JSON) - .body(jsonInString) - .log() - .all(true) - .when() - .post("/register") - .then() - .log() - .body(true) - .statusCode(HttpStatus.CREATED.value()) - .contentType(ContentType.JSON) - .extract() - .response() - ; + String response = + mvc.perform(post(REGISTER_ENDPOINT) + .contentType(APPLICATION_JSON) + .content(jsonInString)) + .andExpect(status().isCreated()) + .andExpect(content().contentType(APPLICATION_JSON)) + .andReturn() + .getResponse() + .getContentAsString(); // @formatter:on - String str = response.asString(); - ClientDetailsEntity saved = ClientDetailsEntityJsonProcessor.parse(str); + ClientDetailsEntity saved = ClientDetailsEntityJsonProcessor.parse(response); - Assert.assertNotNull(saved); + assertNotNull(saved); // @formatter:off - RestAssured.given() - .port(iamPort) - .param("grant_type", "client_credentials") - .param("client_id", saved.getClientId()) - .param("client_secret", saved.getClientSecret()) - .param("scope", setToString(scopes)) - .when() - .post("/token") - .then() - .log() - .all(true) - .statusCode(HttpStatus.BAD_REQUEST.value()) - ; + mvc.perform(post("/token") + .param("grant_type", "client_credentials") + .param("client_id", saved.getClientId()) + .param("client_secret", saved.getClientSecret()) + .param("scope", setToString(scopes))) + .andExpect(status().isBadRequest()); // @formatter:on } @@ -136,16 +175,12 @@ private String buildClientJsonString(String clientName, Set scopes) { JsonObject json = new JsonObject(); json.addProperty(RegisteredClientFields.CLIENT_NAME, clientName); json.addProperty(RegisteredClientFields.SCOPE, setToString(scopes)); - json.add(RegisteredClientFields.REDIRECT_URIS, - JsonUtils.getAsArray(Sets.newHashSet("http://localhost:9090"))); - json.add(RegisteredClientFields.GRANT_TYPES, - JsonUtils.getAsArray(Sets.newHashSet("client_credentials"))); - json.add(RegisteredClientFields.RESPONSE_TYPES, JsonUtils.getAsArray(Sets.newHashSet(), true)); - json.add(RegisteredClientFields.CONTACTS, - JsonUtils.getAsArray(Sets.newHashSet("test@iam.test"))); - json.add(RegisteredClientFields.CLAIMS_REDIRECT_URIS, - JsonUtils.getAsArray(Sets.newHashSet(), true)); - json.add(RegisteredClientFields.REQUEST_URIS, JsonUtils.getAsArray(Sets.newHashSet(), true)); + json.add(RegisteredClientFields.REDIRECT_URIS, getAsArray(newHashSet("http://localhost:9090"))); + json.add(RegisteredClientFields.GRANT_TYPES, getAsArray(newHashSet("client_credentials"))); + json.add(RegisteredClientFields.RESPONSE_TYPES, getAsArray(newHashSet(), true)); + json.add(RegisteredClientFields.CONTACTS, getAsArray(newHashSet("test@iam.test"))); + json.add(RegisteredClientFields.CLAIMS_REDIRECT_URIS, getAsArray(newHashSet(), true)); + json.add(RegisteredClientFields.REQUEST_URIS, getAsArray(newHashSet(), true)); return json.toString(); } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/DiscoveryEndpointTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/DiscoveryEndpointTests.java index 06bcea44d..73bc7fce9 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/DiscoveryEndpointTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/DiscoveryEndpointTests.java @@ -1,34 +1,41 @@ package it.infn.mw.iam.test.oauth; +import static org.hamcrest.Matchers.containsInAnyOrder; +import static org.hamcrest.Matchers.hasItem; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + import java.util.Arrays; import java.util.Set; -import org.hamcrest.Matchers; -import org.junit.Assert; +import javax.transaction.Transactional; + +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; -import org.mitre.discovery.web.DiscoveryEndpoint; -import org.springframework.beans.factory.annotation.Value; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import com.google.common.collect.Sets; -import com.jayway.restassured.RestAssured; -import com.jayway.restassured.response.Response; import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.core.web.IamDiscoveryEndpoint; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@WebAppConfiguration +@Transactional public class DiscoveryEndpointTests { - @Value("${server.port}") - private Integer iamPort; - - private String endpoint = DiscoveryEndpoint.OPENID_CONFIGURATION_URL; + private String endpoint = "/" + IamDiscoveryEndpoint.OPENID_CONFIGURATION_URL; private Set iamSupportedGrants = Sets.newLinkedHashSet(Arrays.asList("authorization_code", "implicit", "refresh_token", "client_credentials", "password", @@ -39,47 +46,42 @@ public class DiscoveryEndpointTests { private static final String IAM_GROUPS_CLAIM = "groups"; private static final String IAM_EXTERNAL_AUTHN_CLAIM = "external_authn"; + @Autowired + private WebApplicationContext context; + + private MockMvc mvc; + + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + @Test - public void testGrantTypesSupported() { + public void testGrantTypesSupported() throws Exception { // @formatter:off - Response response =RestAssured.given() - .port(iamPort) - .when() - .post(endpoint) - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("grant_types_supported", Matchers.notNullValue()) - .extract() - .response() - ; + mvc.perform(post(endpoint)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.grant_types_supported").isNotEmpty()) + .andExpect(jsonPath("$.grant_types_supported").isArray()) + .andExpect(jsonPath("$.grant_types_supported").value(containsInAnyOrder(iamSupportedGrants.toArray()))); // @formatter:on - - Set grantsSet = Sets.newLinkedHashSet(response.getBody().path("grant_types_supported")); - Assert.assertThat(Sets.difference(iamSupportedGrants, grantsSet), Matchers.empty()); } @Test - public void testSupportedClaims() { + public void testSupportedClaims() throws Exception { + // @formatter:off - Response response =RestAssured.given() - .port(iamPort) - .when() - .post(endpoint) - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("claims_supported", Matchers.notNullValue()) - .extract() - .response() - ; + mvc.perform(post(endpoint)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.claims_supported").isNotEmpty()) + .andExpect(jsonPath("$.claims_supported").isArray()) + .andExpect(jsonPath("$.claims_supported", hasItem(IAM_ORGANISATION_NAME_CLAIM))) + .andExpect(jsonPath("$.claims_supported", hasItem(IAM_GROUPS_CLAIM))) + .andExpect(jsonPath("$.claims_supported", hasItem(IAM_EXTERNAL_AUTHN_CLAIM))); // @formatter:on - Set claimsSet = Sets.newLinkedHashSet(response.getBody().path("claims_supported")); - Assert.assertThat(claimsSet, Matchers.hasItem(IAM_ORGANISATION_NAME_CLAIM)); - Assert.assertThat(claimsSet, Matchers.hasItem(IAM_GROUPS_CLAIM)); - Assert.assertThat(claimsSet, Matchers.hasItem(IAM_EXTERNAL_AUTHN_CLAIM)); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/EndpointsTestUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/EndpointsTestUtils.java new file mode 100644 index 000000000..30ba099de --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/EndpointsTestUtils.java @@ -0,0 +1,145 @@ +package it.infn.mw.iam.test.oauth; + +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import com.fasterxml.jackson.databind.ObjectMapper; + +public class EndpointsTestUtils { + + private static final String DEFAULT_USERNAME = "test"; + private static final String DEFAULT_PASSWORD = "password"; + private static final String DEFAULT_CLIENT_ID = "password-grant"; + private static final String DEFAULT_CLIENT_SECRET = "secret"; + private static final String DEFAULT_SCOPE = ""; + + + @Autowired + protected ObjectMapper mapper; + + @Autowired + protected WebApplicationContext context; + + protected MockMvc mvc; + + protected void buildMockMvc() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + public AccessTokenGetter buildAccessTokenGetter() { + return new AccessTokenGetter().grantType("password") + .clientId(DEFAULT_CLIENT_ID) + .clientSecret(DEFAULT_CLIENT_SECRET) + .username(DEFAULT_USERNAME) + .password(DEFAULT_PASSWORD); + } + + protected String getPasswordAccessToken(String scope) throws Exception { + + AccessTokenGetter tg = buildAccessTokenGetter().scope(scope); + return tg.getAccessTokenValue(); + } + + protected String getPasswordAccessToken() throws Exception { + return getPasswordAccessToken(DEFAULT_SCOPE); + } + + public class AccessTokenGetter { + private String clientId; + private String clientSecret; + private String scope; + private String grantType; + private String username; + private String password; + private String audience; + + public AccessTokenGetter clientId(String clientId) { + this.clientId = clientId; + return this; + } + + public AccessTokenGetter clientSecret(String clientSecret) { + this.clientSecret = clientSecret; + return this; + } + + public AccessTokenGetter scope(String scope) { + this.scope = scope; + return this; + } + + public AccessTokenGetter grantType(String grantType) { + this.grantType = grantType; + return this; + } + + public AccessTokenGetter username(String username) { + this.username = username; + return this; + } + + public AccessTokenGetter password(String password) { + this.password = password; + return this; + } + + public AccessTokenGetter audience(String audience) { + this.audience = audience; + return this; + } + + public String performTokenRequest() throws Exception { + MockHttpServletRequestBuilder req = post("/token").param("grant_type", grantType) + .param("client_id", clientId) + .param("client_secret", clientSecret) + .param("scope", scope); + + if ("password".equals(grantType)) { + req.param("username", username).param("password", password); + } + + if (audience != null) { + req.param("aud", audience); + } + + //@formatter:off + String response = mvc.perform(req) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + //@formatter:on + + return response; + } + + public DefaultOAuth2AccessToken getTokenResponseObject() throws Exception { + + String response = performTokenRequest(); + + // This is incorrectly named in spring security OAuth, what they call OAuth2AccessToken + // is a TokenResponse object + DefaultOAuth2AccessToken tokenResponseObject = + mapper.readValue(response, DefaultOAuth2AccessToken.class); + + return tokenResponseObject; + } + + public String getAccessTokenValue() throws Exception { + + return getTokenResponseObject().getValue(); + } + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IntrospectionEndpointAuthenticationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IntrospectionEndpointAuthenticationTests.java index 654b98f6c..dba8419fa 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IntrospectionEndpointAuthenticationTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IntrospectionEndpointAuthenticationTests.java @@ -1,88 +1,79 @@ package it.infn.mw.iam.test.oauth; -import static com.jayway.restassured.RestAssured.given; import static org.hamcrest.Matchers.equalTo; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import javax.transaction.Transactional; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.test.TestUtils; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration(classes = {IamLoginService.class}) +@WebAppConfiguration @Transactional -public class IntrospectionEndpointAuthenticationTests { +public class IntrospectionEndpointAuthenticationTests extends EndpointsTestUtils { - private String accessToken; + private static final String ENDPOINT = "/introspect"; - @Before - public void initAccessToken() { + @Autowired + private WebApplicationContext context; + private String accessToken; - accessToken = TestUtils.passwordTokenGetter() - .username("test") - .password("password") - .scope("openid profile offline_access") - .getAccessToken(); + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + accessToken = getPasswordAccessToken("openid profile offline_access"); } + @Test - public void testTokenIntrospectionEndpointBasicAuthentication() { + public void testTokenIntrospectionEndpointBasicAuthentication() throws Exception { // @formatter:off - given() - .port(8080) - .auth() - .preemptive() - .basic("password-grant", "secret") - .formParam("token", accessToken) - .when() - .post("/introspect") - .then() - .log().body(true) - .statusCode(HttpStatus.OK.value()) - .body("active", equalTo(true)); + mvc.perform(post(ENDPOINT) + .with(httpBasic("password-grant", "secret")) + .param("token", accessToken)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.active", equalTo(true))); // @formatter:on } @Test - public void testTokenIntrospectionEndpointFormAuthentication() { + public void testTokenIntrospectionEndpointFormAuthentication() throws Exception { // @formatter:off - given() - .port(8080) - .formParam("token", accessToken) - .formParam("client_id", "client-cred") - .formParam("client_secret", "secret") - .log().all(true) - .when() - .post("/introspect") - .then() - .log().all(true) - .statusCode(HttpStatus.UNAUTHORIZED.value()); + mvc.perform(post(ENDPOINT) + .param("token", accessToken) + .param("client_id", "client-cred") + .param("client_secret", "secret")) + .andExpect(status().isUnauthorized()); // @formatter:on } @Test - public void testTokenIntrospectionEndpointNoAuthenticationFailure() { + public void testTokenIntrospectionEndpointNoAuthenticationFailure() throws Exception { // @formatter:off - given() - .port(8080) - .formParam("token", accessToken) - .when() - .post("/introspect") - .then() - .log().body(true) - .statusCode(HttpStatus.UNAUTHORIZED.value()); + mvc.perform(post(ENDPOINT) + .param("token", accessToken)) + .andExpect(status().isUnauthorized()); // @formatter:on - } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IntrospectionEndpointTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IntrospectionEndpointTests.java index 4adb91821..30e7a1f69 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IntrospectionEndpointTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IntrospectionEndpointTests.java @@ -2,106 +2,104 @@ -import static com.jayway.restassured.RestAssured.given; -import static it.infn.mw.iam.test.TestUtils.passwordTokenGetter; +import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import javax.transaction.Transactional; -import org.hamcrest.Matchers; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@WebAppConfiguration @Transactional -public class IntrospectionEndpointTests { +public class IntrospectionEndpointTests extends EndpointsTestUtils { + + @Value("${iam.organisation.name}") + String organisationName; + + private static final String ENDPOINT = "/introspect"; + private static final String CLIENT_ID = "password-grant"; + private static final String CLIENT_SECRET = "secret"; + + @Autowired + private WebApplicationContext context; + + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } @Test - public void testIntrospectionEndpointRetursBasicUserInformation() { - String accessToken = - passwordTokenGetter().username("test").password("password").getAccessToken(); - - // @formatter:off - given() - .port(8080) - .auth() - .preemptive() - .basic("password-grant", "secret") - .formParam("token", accessToken) - .when() - .post("/introspect") - .then() - .log().body(true) - .statusCode(HttpStatus.OK.value()) - .body("active", equalTo(true)) - .body("groups", Matchers.hasSize(Matchers.equalTo(2))) - .body("groups", Matchers.containsInAnyOrder("Production", "Analysis")) - .body("preferred_username", Matchers.equalTo("test")) - .body("organisation_name", Matchers.equalTo("indigo-dc")) - .body("email", Matchers.equalTo("test@iam.test")); + public void testIntrospectionEndpointRetursBasicUserInformation() throws Exception { + String accessToken = getPasswordAccessToken(); + + // @formatter:off + mvc.perform(post(ENDPOINT) + .with(httpBasic(CLIENT_ID, CLIENT_SECRET)) + .param("token", accessToken)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.active", equalTo(true))) + .andExpect(jsonPath("$.groups", hasSize(equalTo(2)))) + .andExpect(jsonPath("$.groups", containsInAnyOrder("Production", "Analysis"))) + .andExpect(jsonPath("$.preferred_username", equalTo("test"))) + .andExpect(jsonPath("$.organisation_name", equalTo(organisationName))) + .andExpect(jsonPath("$.email", equalTo("test@iam.test"))); // @formatter:on } @Test - public void testNoGroupsReturnedWithoutProfileScope() { - String accessToken = passwordTokenGetter().username("test") - .password("password") - .scope("openid") - .getAccessToken(); - - // @formatter:off - given() - .port(8080) - .auth() - .preemptive() - .basic("password-grant", "secret") - .formParam("token", accessToken) - .when() - .post("/introspect") - .then() - .log().body(true) - .statusCode(HttpStatus.OK.value()) - .body("active", equalTo(true)) - .body("groups", Matchers.nullValue()) - .body("preferred_username", Matchers.nullValue()) - .body("organisation_name", Matchers.nullValue()) - .body("email", Matchers.nullValue()); + public void testNoGroupsReturnedWithoutProfileScope() throws Exception { + String accessToken = getPasswordAccessToken("openid"); + + // @formatter:off + mvc.perform(post(ENDPOINT) + .with(httpBasic(CLIENT_ID, CLIENT_SECRET)) + .param("token", accessToken)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.active", equalTo(true))) + .andExpect(jsonPath("$.groups").doesNotExist()) + .andExpect(jsonPath("$.preferred_username").doesNotExist()) + .andExpect(jsonPath("$.organisation_name").doesNotExist()) + .andExpect(jsonPath("$.email").doesNotExist()); // @formatter:on } @Test - public void testEmailReturnedWithEmailScope() { - String accessToken = passwordTokenGetter().username("test") - .password("password") - .scope("openid email") - .getAccessToken(); - - // @formatter:off - given() - .port(8080) - .auth() - .preemptive() - .basic("password-grant", "secret") - .formParam("token", accessToken) - .when() - .post("/introspect") - .then() - .log().body(true) - .statusCode(HttpStatus.OK.value()) - .body("active", equalTo(true)) - .body("groups", Matchers.nullValue()) - .body("preferred_username", Matchers.nullValue()) - .body("organisation_name", Matchers.nullValue()) - .body("email", Matchers.equalTo("test@iam.test")); + public void testEmailReturnedWithEmailScope() throws Exception { + String accessToken = getPasswordAccessToken("openid email"); + + // @formatter:off + mvc.perform(post(ENDPOINT) + .with(httpBasic(CLIENT_ID, CLIENT_SECRET)) + .param("token", accessToken)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.active", equalTo(true))) + .andExpect(jsonPath("$.groups").doesNotExist()) + .andExpect(jsonPath("$.preferred_username").doesNotExist()) + .andExpect(jsonPath("$.organisation_name").doesNotExist()) + .andExpect(jsonPath("$.email", equalTo("test@iam.test"))); // @formatter:on } - } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ResourceOwnerPasswordCredentialsTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ResourceOwnerPasswordCredentialsTests.java index 2d87bd328..067a4e8c0 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ResourceOwnerPasswordCredentialsTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ResourceOwnerPasswordCredentialsTests.java @@ -1,127 +1,177 @@ package it.infn.mw.iam.test.oauth; -import static com.jayway.restassured.RestAssured.given; import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertNotNull; - -import java.text.ParseException; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import javax.transaction.Transactional; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; +import org.springframework.http.MediaType; +import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; +import com.fasterxml.jackson.databind.ObjectMapper; import com.nimbusds.jwt.JWT; import com.nimbusds.jwt.JWTParser; import it.infn.mw.iam.IamLoginService; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration(classes = {IamLoginService.class}) +@WebAppConfiguration @Transactional public class ResourceOwnerPasswordCredentialsTests { + private static final String GRANT_TYPE = "password"; + private static final String USERNAME = "test"; + private static final String PASSWORD = "password"; + private static final String SCOPE = "openid profile"; + + @Autowired + private WebApplicationContext context; + + @Autowired + private ObjectMapper mapper; + + private MockMvc mvc; + + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + @Test - public void testDiscoveryEndpoint() { + public void testDiscoveryEndpoint() throws Exception { // @formatter:off - given().port(8080).when().get("/.well-known/openid-configuration").then().body("issuer", - equalTo("http://localhost:8080/")); + mvc.perform(get("/.well-known/openid-configuration")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.issuer", equalTo("http://localhost:8080/"))); // @formatter:on } @Test - public void testResourceOwnerPasswordCredentialsFlow() { + public void testResourceOwnerPasswordCredentialsFlow() throws Exception { String clientId = "password-grant"; String clientSecret = "secret"; // @formatter:off - given().auth().preemptive().basic(clientId, clientSecret).port(8080) - .param("grant_type", "password").param("username", "test").param("password", "password") - .param("scope", "openid profile").expect().log().body(true).statusCode(200) - .body("scope", equalTo("openid profile")).when().post("/token"); + mvc.perform(post("/token") + .with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("username", USERNAME) + .param("password", PASSWORD) + .param("scope", SCOPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", equalTo(SCOPE))); // @formatter:on } @Test - public void testInvalidResourceOwnerPasswordCredentials() { + public void testInvalidResourceOwnerPasswordCredentials() throws Exception { String clientId = "password-grant"; String clientSecret = "secret"; // @formatter:off - given().auth().preemptive().basic(clientId, clientSecret).port(8080) - .param("grant_type", "password").param("username", "test") - .param("password", "wrong_password").param("scope", "openid profile").expect().log() - .body(true).statusCode(400).body("error", equalTo("invalid_grant")) - .body("error_description", equalTo("Bad credentials")).when().post("/token"); + mvc.perform(post("/token") + .with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("username", USERNAME) + .param("password", "wrong_password") + .param("scope", SCOPE)) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.error", equalTo("invalid_grant"))) + .andExpect(jsonPath("$.error_description", equalTo("Bad credentials"))); // @formatter:on - } @Test - public void testResourceOwnerPasswordCredentialsInvalidClientCredentials() { + public void testResourceOwnerPasswordCredentialsInvalidClientCredentials() throws Exception { String clientId = "password-grant"; String clientSecret = "socret"; // @formatter:off - given().auth().preemptive().basic(clientId, clientSecret).port(8080) - .param("grant_type", "password").param("username", "test").param("password", "password") - .param("scope", "openid profile").expect().log().body(true).statusCode(401) - .body("error", equalTo("Unauthorized")).body("message", equalTo("Bad credentials")).when() - .post("/token"); + mvc.perform(post("/token") + .with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("username", USERNAME) + .param("password", PASSWORD) + .param("scope", SCOPE)) + .andExpect(status().isUnauthorized()) +// .andExpect(jsonPath("$.error", equalTo("Unauthorized"))) +// .andExpect(jsonPath("$.message", equalTo("Bad credentials"))) + ; // @formatter:on - } @Test - public void testResourceOwnerPasswordCredentialsUnknownClient() { + public void testResourceOwnerPasswordCredentialsUnknownClient() throws Exception { String clientId = "unknown"; String clientSecret = "socret"; // @formatter:off - given().auth().preemptive().basic(clientId, clientSecret).port(8080) - .param("grant_type", "password").param("username", "test").param("password", "password") - .param("scope", "openid profile").expect().log().body(true).statusCode(401) - .body("error", equalTo("Unauthorized")) - .body("message", equalTo("Client with id unknown was not found")).when().post("/token"); + mvc.perform(post("/token") + .with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("username", USERNAME) + .param("password", PASSWORD) + .param("scope", SCOPE) + .contentType(MediaType.APPLICATION_FORM_URLENCODED)) + .andExpect(status().isUnauthorized()) +// .andExpect(jsonPath("$.error", equalTo("Unauthorized"))) +// .andExpect(jsonPath("$.message", equalTo("Client with id unknown was not found"))) + ; // @formatter:on - } @Test - public void testResourceOwnerPasswordCredentialAuthenticationTimestamp() throws ParseException { + public void testResourceOwnerPasswordCredentialAuthenticationTimestamp() throws Exception { String clientId = "password-grant"; String clientSecret = "secret"; - String idToken = given().auth() - .preemptive() - .basic(clientId, clientSecret) - .port(8080) - .param("grant_type", "password") - .param("username", "test") - .param("password", "password") - .param("scope", "openid profile") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(200) - .extract() - .path("id_token"); + // @formatter:off + String response = mvc.perform(post("/token") + .with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("username", USERNAME) + .param("password", PASSWORD) + .param("scope", SCOPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + // @formatter:on + + DefaultOAuth2AccessToken tokenResponse = + mapper.readValue(response, DefaultOAuth2AccessToken.class); + + String idToken = tokenResponse.getAdditionalInformation().get("id_token").toString(); JWT token = JWTParser.parse(idToken); System.out.println(token.getJWTClaimsSet()); assertNotNull(token.getJWTClaimsSet().getClaim("auth_time")); - } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/RevocationEndpointTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/RevocationEndpointTests.java new file mode 100644 index 000000000..6969f9d1c --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/RevocationEndpointTests.java @@ -0,0 +1,177 @@ +package it.infn.mw.iam.test.oauth; + +import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertThat; +import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import java.util.Set; + +import javax.transaction.Transactional; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mitre.oauth2.model.OAuth2AccessTokenEntity; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.core.IamTokenService; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = IamLoginService.class) +@WebAppConfiguration +@Transactional +public class RevocationEndpointTests extends EndpointsTestUtils { + + public static final String REVOKE_ENDPOINT = "/revoke"; + + public static final String PASSWORD_GRANT_CLIENT_ID = "password-grant"; + public static final String PASSWORD_GRANT_CLIENT_SECRET = "secret"; + + @Autowired + IamTokenService iamTokenService; + + @Autowired + IamAccountRepository accountRepo; + + @Before + public void setup() throws Exception { + buildMockMvc(); + } + + + @Test + public void testRevocationEnpointRequiresClientAuth() throws Exception { + mvc + .perform(post(REVOKE_ENDPOINT) + .contentType(APPLICATION_FORM_URLENCODED) + .param("token", "whatever")) + .andExpect(status().isUnauthorized()); + } + + @Test + public void testRevokeInvalidTokenReturns200() throws Exception { + mvc + .perform(post(REVOKE_ENDPOINT) + .with(httpBasic(PASSWORD_GRANT_CLIENT_ID, PASSWORD_GRANT_CLIENT_SECRET)) + .contentType(APPLICATION_FORM_URLENCODED) + .param("token", "whatever")) + .andExpect(status().isOk()); + } + + @Test + public void accessTokenRevocationWorks() throws Exception { + + Set accessTokens = iamTokenService.getAllAccessTokensForUser("test"); + + // Start clean + accessTokens.forEach(iamTokenService::revokeAccessToken); + + String accessToken = getPasswordAccessToken(); + + accessTokens = iamTokenService.getAllAccessTokensForUser("test"); + + assertThat(accessTokens, hasSize(2)); // access token + id token -> size 2 + + mvc + .perform(post(REVOKE_ENDPOINT) + .with(httpBasic(PASSWORD_GRANT_CLIENT_ID, PASSWORD_GRANT_CLIENT_SECRET)) + .contentType(APPLICATION_FORM_URLENCODED) + .param("token", accessToken)) + .andExpect(status().isOk()); + + accessTokens = iamTokenService.getAllAccessTokensForUser("test"); + + assertThat(accessTokens, hasSize(0)); // revoking the access token revokes the linked id token + + } + + @Test + public void accessTokenRevocationRevokesTheRightToken() throws Exception { + Set accessTokens = iamTokenService.getAllAccessTokensForUser("test"); + + // Start clean + accessTokens.forEach(iamTokenService::revokeAccessToken); + + String tokenOne = getPasswordAccessToken(); + String tokenTwo = getPasswordAccessToken(); + + accessTokens = iamTokenService.getAllAccessTokensForUser("test"); + assertThat(accessTokens, hasSize(4)); + + mvc + .perform(post(REVOKE_ENDPOINT) + .with(httpBasic(PASSWORD_GRANT_CLIENT_ID, PASSWORD_GRANT_CLIENT_SECRET)) + .contentType(APPLICATION_FORM_URLENCODED) + .param("token", tokenOne)) + .andExpect(status().isOk()); + + accessTokens = iamTokenService.getAllAccessTokensForUser("test"); + assertThat(accessTokens, hasSize(2)); + accessTokens.stream().filter(t -> t.getValue().equals(tokenTwo)).findAny().orElseThrow( + () -> new AssertionError("Expected access token not found")); + } + + @Test + public void refreshTokenRevocationWorks() throws Exception { + + // Start clean + iamTokenService.getAllAccessTokensForUser("test").forEach(iamTokenService::revokeAccessToken); + iamTokenService.getAllRefreshTokensForUser("test").forEach(iamTokenService::revokeRefreshToken); + + AccessTokenGetter tg = buildAccessTokenGetter(); + tg.scope("openid profile offline_access"); + DefaultOAuth2AccessToken tokenResponseObject = tg.getTokenResponseObject(); + String refreshTokenValue = tokenResponseObject.getRefreshToken().getValue(); + + assertThat(iamTokenService.getAllRefreshTokensForUser("test"), hasSize(1)); + + mvc + .perform(post(REVOKE_ENDPOINT) + .with(httpBasic(PASSWORD_GRANT_CLIENT_ID, PASSWORD_GRANT_CLIENT_SECRET)) + .contentType(APPLICATION_FORM_URLENCODED) + .param("token", refreshTokenValue)) + .andExpect(status().isOk()); + + assertThat(iamTokenService.getAllRefreshTokensForUser("test"), hasSize(0)); + } + + @Test + public void refreshTokenRevocationRevokesTheRightToken() throws Exception { + // Start clean + iamTokenService.getAllAccessTokensForUser("test").forEach(iamTokenService::revokeAccessToken); + iamTokenService.getAllRefreshTokensForUser("test").forEach(iamTokenService::revokeRefreshToken); + + AccessTokenGetter tg = buildAccessTokenGetter(); + tg.scope("openid profile offline_access"); + + String rt1 = tg.getTokenResponseObject().getRefreshToken().getValue(); + String rt2 = tg.getTokenResponseObject().getRefreshToken().getValue(); + + assertThat(iamTokenService.getAllRefreshTokensForUser("test"), hasSize(2)); + + mvc + .perform(post(REVOKE_ENDPOINT) + .with(httpBasic(PASSWORD_GRANT_CLIENT_ID, PASSWORD_GRANT_CLIENT_SECRET)) + .contentType(APPLICATION_FORM_URLENCODED) + .param("token", rt1)) + .andExpect(status().isOk()); + + + assertThat(iamTokenService.getAllRefreshTokensForUser("test"), hasSize(1)); + + iamTokenService.getAllRefreshTokensForUser("test") + .stream() + .filter(t -> t.getValue().equals(rt2)) + .findAny() + .orElseThrow(() -> new AssertionError("Expected refresh token not found")); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenEndpointClientAuthenticationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenEndpointClientAuthenticationTests.java index 5a37eb9f2..831345e4f 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenEndpointClientAuthenticationTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenEndpointClientAuthenticationTests.java @@ -1,77 +1,118 @@ package it.infn.mw.iam.test.oauth; -import static com.jayway.restassured.RestAssured.given; import static org.hamcrest.Matchers.equalTo; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import javax.transaction.Transactional; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@WebAppConfiguration @Transactional public class TokenEndpointClientAuthenticationTests { + private static final String ENDPOINT = "/token"; + private static final String GRANT_TYPE = "client_credentials"; + private static final String SCOPE = "read-tasks"; + + @Autowired + private WebApplicationContext context; + + private MockMvc mvc; + + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + @Test - public void testTokenEndpointFormClientAuthentication() { + public void testTokenEndpointFormClientAuthentication() throws Exception { String clientId = "post-client"; String clientSecret = "secret"; // @formatter:off - given().port(8080).param("grant_type", "client_credentials").param("client_id", clientId) - .param("client_secret", clientSecret).param("scope", "read-tasks").expect().log().body(true) - .statusCode(200).body("scope", equalTo("read-tasks")).when().post("/token"); + mvc.perform(post(ENDPOINT) + .param("grant_type", GRANT_TYPE) + .param("client_id", clientId) + .param("client_secret", clientSecret) + .param("scope", SCOPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", equalTo(SCOPE))); // @formatter:on } @Test - public void testTokenEndpointFormClientAuthenticationInvalidCredentials() { + public void testTokenEndpointFormClientAuthenticationInvalidCredentials() throws Exception { String clientId = "post-client"; String clientSecret = "wrong-password"; // @formatter:off - given().port(8080).param("grant_type", "client_credentials").param("client_id", clientId) - .param("client_secret", clientSecret).param("scope", "read-tasks").expect().log().body(true) - .statusCode(401).body("error", equalTo("invalid_client")) - .body("error_description", equalTo("Bad client credentials")).when().post("/token"); + mvc.perform(post(ENDPOINT) + .param("grant_type", GRANT_TYPE) + .param("client_id", clientId) + .param("client_secret", clientSecret) + .param("scope", SCOPE)) + .andExpect(status().isUnauthorized()) + .andExpect(jsonPath("$.error", equalTo("invalid_client"))) + .andExpect(jsonPath("$.error_description", equalTo("Bad client credentials"))); // @formatter:on } @Test - public void testTokenEndpointFormClientAuthenticationUnknownClient() { + public void testTokenEndpointFormClientAuthenticationUnknownClient() throws Exception { String clientId = "unknown-client"; String clientSecret = "password"; // @formatter:off - given().port(8080).param("grant_type", "client_credentials").param("client_id", clientId) - .param("client_secret", clientSecret).param("scope", "read-tasks").expect().log().body(true) - .statusCode(401).body("error", equalTo("invalid_client")) - .body("error_description", equalTo("Client with id unknown-client was not found")).when() - .post("/token"); + mvc.perform(post(ENDPOINT) + .param("grant_type", GRANT_TYPE) + .param("client_id", clientId) + .param("client_secret", clientSecret) + .param("scope", SCOPE)) + .andExpect(status().isUnauthorized()) + .andExpect(jsonPath("$.error", equalTo("invalid_client"))) + .andExpect(jsonPath("$.error_description", equalTo("Client with id unknown-client was not found"))); // @formatter:on } @Test - public void testTokenEndpointBasicClientAuthentication() { + public void testTokenEndpointBasicClientAuthentication() throws Exception { String clientId = "post-client"; String clientSecret = "secret"; // @formatter:off - given().auth().preemptive().basic(clientId, clientSecret).port(8080) - .param("grant_type", "client_credentials").param("scope", "read-tasks").expect().log() - .body(true).statusCode(200).body("scope", equalTo("read-tasks")).when().post("/token"); + mvc.perform(post(ENDPOINT) + .with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("scope", SCOPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", equalTo(SCOPE))); // @formatter:on } - } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenExchangeTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenExchangeTests.java index c7cce3a82..8af816422 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenExchangeTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenExchangeTests.java @@ -1,6 +1,5 @@ package it.infn.mw.iam.test.oauth; -import static com.jayway.restassured.RestAssured.given; import static org.hamcrest.Matchers.allOf; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; @@ -11,43 +10,66 @@ import static org.hamcrest.Matchers.nullValue; import static org.junit.Assert.assertThat; import static org.junit.Assert.fail; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import java.text.ParseException; -import java.util.Arrays; import javax.transaction.Transactional; -import org.hamcrest.Matchers; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; -import org.springframework.beans.factory.annotation.Value; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; +import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; +import com.fasterxml.jackson.databind.ObjectMapper; import com.nimbusds.jwt.JWT; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.JWTParser; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.test.TestUtils; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@WebAppConfiguration @Transactional -public class TokenExchangeTests { +public class TokenExchangeTests extends EndpointsTestUtils { - @Value("${server.port}") - private Integer iamPort; + private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"; + private static final String TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"; + + private static final String USERNAME = "test"; + private static final String PASSWORD = "password"; + private static final String TOKEN_ENDPOINT = "/token"; + + @Autowired + private WebApplicationContext context; + + @Autowired + private ObjectMapper mapper; + + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } - private final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"; - private final String TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"; @Test - public void testImpersonationFlowWithAudience() { + public void testImpersonationFlowWithAudience() throws Exception { String clientId = "token-exchange-subject"; String clientSecret = "secret"; @@ -57,38 +79,37 @@ public void testImpersonationFlowWithAudience() { String audClientId = "tasks-app"; - String accessToken = TestUtils.passwordTokenGetter(clientId, clientSecret) + String accessToken = new AccessTokenGetter().grantType("password") + .clientId(clientId) + .clientSecret(clientSecret) + .username(USERNAME) + .password(PASSWORD) .scope("openid profile") - .username("test") - .password("password") - .getAccessToken(); + .getAccessTokenValue(); // @formatter:off - String actorAccessToken = - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) + String response = mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(actorClientId, actorClientSecret)) .param("grant_type", GRANT_TYPE) .param("audience", audClientId) .param("subject_token", accessToken) .param("subject_token_type", TOKEN_TYPE) - .param("scope", "read-tasks") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("scope", equalTo("read-tasks")) - .body("issued_token_type", equalTo(TOKEN_TYPE)) - .body("token_type", equalTo("Bearer")) - .body("access_token", notNullValue()) - .extract() - .path("access_token"); + .param("scope", "read-tasks")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", equalTo("read-tasks"))) + .andExpect(jsonPath("$.issued_token_type", equalTo(TOKEN_TYPE))) + .andExpect(jsonPath("$.token_type", equalTo("Bearer"))) + .andExpect(jsonPath("$.access_token").exists()) + .andExpect(jsonPath("$.access_token", notNullValue())) + .andReturn() + .getResponse() + .getContentAsString(); // @formatter:on + DefaultOAuth2AccessToken responseToken = + mapper.readValue(response, DefaultOAuth2AccessToken.class); + String actorAccessToken = responseToken.getValue(); + // Check audience is encoded in JWT access token try { JWT jwtAccessToken = JWTParser.parse(actorAccessToken); @@ -104,44 +125,28 @@ public void testImpersonationFlowWithAudience() { // Check audience is also returned by the introspection endpoint // @formatter:off // Introspect token - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) - .formParam("token", actorAccessToken) - .when() - .post("/introspect") - .then() - .log().body(true) - .statusCode(HttpStatus.OK.value()) - .body("aud", equalTo("tasks-app")) - .body("active", equalTo(true)) - .body("scope", equalTo("read-tasks")) - .body("user_id", equalTo("test")) - .body("client_id", equalTo(actorClientId)); + mvc.perform(post("/introspect") + .with(httpBasic(actorClientId, actorClientSecret)) + .param("token", actorAccessToken)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.aud", equalTo("tasks-app"))) + .andExpect(jsonPath("$.active", equalTo(true))) + .andExpect(jsonPath("$.scope", equalTo("read-tasks"))) + .andExpect(jsonPath("$.user_id", equalTo("test"))) + .andExpect(jsonPath("$.client_id", equalTo(actorClientId))); // @formatter:on // @formatter:off // get user info on token, this fails as we did not // request to openid scope - given() - .port(iamPort) - .authentication() - .preemptive().oauth2(actorAccessToken) - .when() - .post("/userinfo") - .then() - .log().body(true) - .statusCode(HttpStatus.FORBIDDEN.value()); + mvc.perform(post("/userinfo") + .header("Authorization", "Bearer "+actorAccessToken)) + .andExpect(status().isForbidden()); // @formatter:on - - - } @Test - public void testImpersonationFlowWithoutAudience() { + public void testImpersonationFlowWithoutAudience() throws Exception { String clientId = "token-exchange-subject"; String clientSecret = "secret"; @@ -149,37 +154,36 @@ public void testImpersonationFlowWithoutAudience() { String actorClientId = "token-exchange-actor"; String actorClientSecret = "secret"; - String accessToken = TestUtils.passwordTokenGetter(clientId, clientSecret) + String accessToken = new AccessTokenGetter().grantType("password") + .clientId(clientId) + .clientSecret(clientSecret) + .username(USERNAME) + .password(PASSWORD) .scope("openid profile") - .username("test") - .password("password") - .getAccessToken(); + .getAccessTokenValue(); // @formatter:off - String actorAccessToken = - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) + String response = mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(actorClientId, actorClientSecret)) .param("grant_type", GRANT_TYPE) .param("subject_token", accessToken) .param("subject_token_type", TOKEN_TYPE) - .param("scope", "read-tasks openid profile") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("scope", equalTo("read-tasks openid profile")) - .body("issued_token_type", equalTo(TOKEN_TYPE)) - .body("token_type", equalTo("Bearer")) - .body("access_token", notNullValue()) - .extract() - .path("access_token"); + .param("scope", "read-tasks openid profile")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", equalTo("read-tasks openid profile"))) + .andExpect(jsonPath("$.issued_token_type", equalTo(TOKEN_TYPE))) + .andExpect(jsonPath("$.token_type", equalTo("Bearer"))) + .andExpect(jsonPath("$.access_token").exists()) + .andExpect(jsonPath("$.access_token", notNullValue())) + .andReturn() + .getResponse() + .getContentAsString(); // @formatter:on + DefaultOAuth2AccessToken responseToken = + mapper.readValue(response, DefaultOAuth2AccessToken.class); + String actorAccessToken = responseToken.getValue(); + // Check audience is NOT encoded in JWT access token try { JWT jwtAccessToken = JWTParser.parse(actorAccessToken); @@ -191,83 +195,61 @@ public void testImpersonationFlowWithoutAudience() { fail(e.getMessage()); } - // @formatter:off // Introspect token - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) - .formParam("token", actorAccessToken) - .when() - .post("/introspect") - .then() - .log().body(true) - .statusCode(HttpStatus.OK.value()) - .body("active", equalTo(true)) - .body("scope", allOf( - containsString("read-tasks"), - containsString("openid"), - containsString("profile"))) - .body("user_id", equalTo("test")) - .body("client_id", equalTo(actorClientId)) - .body("aud", is(nullValue())); + // @formatter:off + mvc.perform(post("/introspect") + .with(httpBasic(actorClientId, actorClientSecret)) + .param("token", actorAccessToken)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.aud").doesNotExist()) + .andExpect(jsonPath("$.active", equalTo(true))) + .andExpect(jsonPath("$.scope", allOf(containsString("read-tasks"), containsString("openid"), containsString("profile")))) + .andExpect(jsonPath("$.user_id", equalTo("test"))) + .andExpect(jsonPath("$.client_id", equalTo(actorClientId))); // @formatter:on - // @formatter:off - // get user info on token, this fails as we did not + // get user info on token, this fails as we did not // request to openid scope - given() - .port(iamPort) - .authentication() - .preemptive().oauth2(actorAccessToken) - .when() - .post("/userinfo") - .then() - .log().body(true) - .statusCode(HttpStatus.OK.value()) - .body("sub", equalTo("80e5fb8d-b7c8-451a-89ba-346ae278a66f")); + // @formatter:off + mvc.perform(post("/userinfo") + .header("Authorization", "Bearer " + actorAccessToken)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.sub", equalTo("80e5fb8d-b7c8-451a-89ba-346ae278a66f"))); // @formatter:on } @Test - public void testUnauthorizedClient() { + public void testUnauthorizedClient() throws Exception { String clientId = "client-cred"; String clientSecret = "secret"; String audClientId = "tasks-app"; - String accessToken = TestUtils.passwordTokenGetter(clientId, clientSecret) + String accessToken = new AccessTokenGetter().grantType("password") + .clientId(clientId) + .clientSecret(clientSecret) + .username(USERNAME) + .password(PASSWORD) .scope("openid profile") - .username("test") - .password("password") - .getAccessToken(); + .getAccessTokenValue(); // @formatter:off - given() - .auth() - .preemptive() - .basic(clientId, clientSecret) - .port(iamPort) - .param("grant_type", GRANT_TYPE) - .param("audience", audClientId) - .param("subject_token", accessToken) - .param("subject_token_type", TOKEN_TYPE) - .param("scope", "read-tasks") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.UNAUTHORIZED.value()) - .body("error", equalTo("invalid_client")) - .body("error_description", Matchers.stringContainsInOrder(Arrays.asList("Unauthorized grant type"))); + mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("audience", audClientId) + .param("subject_token", accessToken) + .param("subject_token_type", TOKEN_TYPE) + .param("scope", "read-tasks")) + .andExpect(status().isUnauthorized()) + .andExpect(jsonPath("$.error", equalTo("invalid_client"))) + .andExpect(jsonPath("$.error_description", containsString("Unauthorized grant type"))); // @formatter:on } @Test - public void testTokenExchangeWithRefreshToken() { + public void testTokenExchangeWithRefreshToken() throws Exception { String clientId = "token-exchange-subject"; String clientSecret = "secret"; @@ -277,61 +259,52 @@ public void testTokenExchangeWithRefreshToken() { String audClientId = "client"; - String accessToken = TestUtils.passwordTokenGetter(clientId, clientSecret) + String accessToken = new AccessTokenGetter().grantType("password") + .clientId(clientId) + .clientSecret(clientSecret) + .username(USERNAME) + .password(PASSWORD) .scope("openid profile offline_access") - .username("test") - .password("password") - .getAccessToken(); + .getAccessTokenValue(); // @formatter:off - // get refresh token - String refreshToken = - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) - .param("grant_type", GRANT_TYPE) - .param("audience", audClientId) - .param("subject_token", accessToken) - .param("subject_token_type", TOKEN_TYPE) - .param("scope", "openid offline_access read-tasks") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("scope", equalTo("read-tasks openid offline_access")) - .body("issued_token_type", equalTo(TOKEN_TYPE)) - .body("token_type", equalTo("Bearer")) - .body("access_token", notNullValue()) - .body("refresh_token", notNullValue()) - .extract() - .path("refresh_token"); + String response = mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(actorClientId, actorClientSecret)) + .param("grant_type", GRANT_TYPE) + .param("audience", audClientId) + .param("subject_token", accessToken) + .param("subject_token_type", TOKEN_TYPE) + .param("scope", "openid offline_access read-tasks")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", equalTo("read-tasks openid offline_access"))) + .andExpect(jsonPath("$.issued_token_type", equalTo(TOKEN_TYPE))) + .andExpect(jsonPath("$.token_type", equalTo("Bearer"))) + .andExpect(jsonPath("$.access_token").exists()) + .andExpect(jsonPath("$.access_token", notNullValue())) + .andReturn() + .getResponse() + .getContentAsString(); + // @formatter:on + + DefaultOAuth2AccessToken responseToken = + mapper.readValue(response, DefaultOAuth2AccessToken.class); + String refreshToken = responseToken.getRefreshToken().getValue(); // use refresh token - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) - .param("grant_type", "refresh_token") - .param("refresh_token", refreshToken) - .param("client_id", actorClientId) - .param("client_secret", actorClientSecret) - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("access_token", notNullValue()); + // @formatter:off + mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(actorClientId, actorClientSecret)) + .param("grant_type", "refresh_token") + .param("refresh_token", refreshToken) + .param("client_id", actorClientId) + .param("client_secret", actorClientSecret)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.access_token", notNullValue())); // @formatter:on } @Test - public void testRequestRefreshTokenWithoutOfflineAccessScope() { + public void testRequestRefreshTokenWithoutOfflineAccessScope() throws Exception { String clientId = "token-exchange-subject"; String clientSecret = "secret"; @@ -341,35 +314,29 @@ public void testRequestRefreshTokenWithoutOfflineAccessScope() { String audClientId = "client"; - String accessToken = TestUtils.passwordTokenGetter(clientId, clientSecret) + String accessToken = new AccessTokenGetter().grantType("password") + .clientId(clientId) + .clientSecret(clientSecret) + .username(USERNAME) + .password(PASSWORD) .scope("openid") - .username("test") - .password("password") - .getAccessToken(); + .getAccessTokenValue(); // @formatter:off - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) - .param("grant_type", GRANT_TYPE) - .param("audience", audClientId) - .param("subject_token", accessToken) - .param("subject_token_type", TOKEN_TYPE) - .param("scope", "openid offline_access") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.BAD_REQUEST.value()) - .body("error", equalTo("invalid_scope")); + mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(actorClientId, actorClientSecret)) + .param("grant_type", GRANT_TYPE) + .param("audience", audClientId) + .param("subject_token", accessToken) + .param("subject_token_type", TOKEN_TYPE) + .param("scope", "openid offline_access")) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.error", equalTo("invalid_scope"))); // @formatter:on } @Test - public void testDelegationFlow() { + public void testDelegationFlow() throws Exception { String clientId = "token-exchange-subject"; String clientSecret = "secret"; @@ -379,45 +346,41 @@ public void testDelegationFlow() { String audClientId = "client"; - String subjectToken = TestUtils.passwordTokenGetter(clientId, clientSecret) + String subjectToken = new AccessTokenGetter().grantType("password") + .clientId(clientId) + .clientSecret(clientSecret) + .username(USERNAME) + .password(PASSWORD) .scope("openid") - .username("test") - .password("password") - .getAccessToken(); + .getAccessTokenValue(); - String actorToken = TestUtils.passwordTokenGetter(clientId, clientSecret) + String actorToken = new AccessTokenGetter().grantType("password") + .clientId(clientId) + .clientSecret(clientSecret) + .username(USERNAME) + .password(PASSWORD) .scope("openid") - .username("test") - .password("password") - .getAccessToken(); + .getAccessTokenValue(); // @formatter:off - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) - .param("grant_type", GRANT_TYPE) - .param("audience", audClientId) - .param("subject_token", subjectToken) - .param("subject_token_type", TOKEN_TYPE) - .param("actor_token", actorToken) - .param("actor_token_type", TOKEN_TYPE) - .param("want_composite", "true") - .param("scope", "read-tasks") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.BAD_REQUEST.value()) - .body("error", equalTo("invalid_request")) - .body("error_description", Matchers.stringContainsInOrder(Arrays.asList("not supported"))); + mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(actorClientId, actorClientSecret)) + .param("grant_type", GRANT_TYPE) + .param("audience", audClientId) + .param("subject_token", subjectToken) + .param("subject_token_type", TOKEN_TYPE) + .param("actor_token", actorToken) + .param("actor_token_type", TOKEN_TYPE) + .param("want_composite", "true") + .param("scope", "read-tasks")) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.error", equalTo("invalid_request"))) + .andExpect(jsonPath("$.error_description", containsString("not supported"))); // @formatter:on } @Test - public void testWithInvalidSubjectToken() { + public void testWithInvalidSubjectToken() throws Exception { String actorClientId = "token-exchange-actor"; String actorClientSecret = "secret"; @@ -425,55 +388,39 @@ public void testWithInvalidSubjectToken() { String accessToken = "abcdefghilmnopqrstuvz0123456789"; // @formatter:off - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) - .param("grant_type", GRANT_TYPE) - .param("subject_token", accessToken) - .param("subject_token_type", TOKEN_TYPE) - .param("scope", "read-tasks") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.UNAUTHORIZED.value()) - .body("error", equalTo("invalid_token")) - ; + mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(actorClientId, actorClientSecret)) + .param("grant_type", GRANT_TYPE) + .param("subject_token", accessToken) + .param("subject_token_type", TOKEN_TYPE) + .param("scope", "read-tasks")) + .andExpect(status().isUnauthorized()) + .andExpect(jsonPath("$.error", equalTo("invalid_token"))); // @formatter:on } @Test - public void testTokenExchangeFailureForClientCredentialsClient() { + public void testTokenExchangeFailureForClientCredentialsClient() throws Exception { - String accessToken = - TestUtils.clientCredentialsTokenGetter().scope("read-tasks write-tasks").getAccessToken(); + String accessToken = new AccessTokenGetter().grantType("client_credentials") + .clientId("client-cred") + .clientSecret("secret") + .scope("read-tasks write-tasks") + .getAccessTokenValue(); String actorClientId = "token-exchange-actor"; String actorClientSecret = "secret"; // @formatter:off - given() - .auth() - .preemptive() - .basic(actorClientId, actorClientSecret) - .port(iamPort) - .param("grant_type", GRANT_TYPE) - .param("subject_token", accessToken) - .param("subject_token_type", TOKEN_TYPE) - .param("scope", "read-tasks") - .when() - .post("/token") - .then() - .log() - .body(true) - .statusCode(HttpStatus.BAD_REQUEST.value()) - .body("error", equalTo("invalid_request")) - .body("error_description", Matchers.stringContainsInOrder(Arrays.asList("No user identity linked to subject token."))); + mvc.perform(post(TOKEN_ENDPOINT) + .with(httpBasic(actorClientId, actorClientSecret)) + .param("grant_type", GRANT_TYPE) + .param("subject_token", accessToken) + .param("subject_token_type", TOKEN_TYPE) + .param("scope", "read-tasks")) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.error", equalTo("invalid_request"))) + .andExpect(jsonPath("$.error_description", containsString("No user identity linked to subject token."))); // @formatter:on - - } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/UserInfoEndpointTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/UserInfoEndpointTests.java index 36f40ea78..c8b9abc46 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/UserInfoEndpointTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/UserInfoEndpointTests.java @@ -1,58 +1,63 @@ package it.infn.mw.iam.test.oauth; -import static com.jayway.restassured.RestAssured.given; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import javax.transaction.Transactional; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.test.TestUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration @Transactional public class UserInfoEndpointTests { - @Test - public void testUserInfoEndpointReturs404ForClientCredentialsToken() { - String accessToken = TestUtils.clientCredentialsTokenGetter().scope("openid").getAccessToken(); + @Autowired + private WebApplicationContext context; + + private MockMvc mvc; + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + @Test + @WithMockOAuthUser(clientId = "client-cred", scopes = {"openid"}) + public void testUserInfoEndpointReturs404ForClientCredentialsToken() throws Exception { // @formatter:off - given() - .port(8080) - .auth().preemptive().oauth2(accessToken) - .when() - .get("/userinfo") - .then() - .log().all(true) - .statusCode(HttpStatus.FORBIDDEN.value()); + mvc.perform(get("/userinfo")) + .andExpect(status().isForbidden()); // @formatter:on } @Test - public void testUserInfoEndpointRetursOk() { - String accessToken = TestUtils.passwordTokenGetter() - .scope("openid") - .username("test") - .password("password") - .getAccessToken(); + @WithMockOAuthUser(clientId = "password-grant", user = "test", authorities = {"ROLE_USER"}, + scopes = {"openid"}) + public void testUserInfoEndpointRetursOk() throws Exception { // @formatter:off - given() - .port(8080) - .auth().preemptive().oauth2(accessToken) - .when() - .get("/userinfo") - .then() - .log().all(true) - .statusCode(HttpStatus.OK.value()); + mvc.perform(get("/userinfo")) + .andExpect(status().isOk()); // @formatter:on } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/ExternalAuthenticationRegistrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/ExternalAuthenticationRegistrationTests.java index 4e797527b..75458e763 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/ExternalAuthenticationRegistrationTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/ExternalAuthenticationRegistrationTests.java @@ -1,6 +1,6 @@ package it.infn.mw.iam.test.registration; -import static it.infn.mw.iam.test.ext_authn.saml.SamlExternalAuthenticationTestSupport.DEFAULT_IDP_ID; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.DEFAULT_IDP_ID; import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertThat; diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationPrivilegedTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationPrivilegedTests.java new file mode 100644 index 000000000..9a06e8b17 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationPrivilegedTests.java @@ -0,0 +1,271 @@ +package it.infn.mw.iam.test.registration; + +import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; +import static it.infn.mw.iam.core.IamRegistrationRequestStatus.APPROVED; +import static it.infn.mw.iam.core.IamRegistrationRequestStatus.CONFIRMED; +import static it.infn.mw.iam.core.IamRegistrationRequestStatus.NEW; +import static it.infn.mw.iam.core.IamRegistrationRequestStatus.REJECTED; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertNotNull; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import javax.transaction.Transactional; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.http.MediaType; +import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import com.fasterxml.jackson.databind.ObjectMapper; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.core.IamRegistrationRequestStatus; +import it.infn.mw.iam.registration.PersistentUUIDTokenGenerator; +import it.infn.mw.iam.registration.RegistrationRequestDto; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@Transactional +public class RegistrationPrivilegedTests { + + @Autowired + private WebApplicationContext context; + + @Autowired + private PersistentUUIDTokenGenerator generator; + + @Autowired + private ObjectMapper objectMapper; + + private MockMvc mvc; + + @Before + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + @Test + @WithMockOAuthUser(clientId = "registration-client", scopes = {"registration:read"}) + public void testListNewRequests() throws Exception { + + createRegistrationRequest("test_list_new"); + + // @formatter:off + mvc.perform(get("/registration/list") + .param("status", NEW.name())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$", hasSize(1))); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "registration-client", + scopes = {"registration:read", "registration:write"}) + public void testListPendingRequest() throws Exception { + + createRegistrationRequest("test_1"); + createRegistrationRequest("test_2"); + + String confirmationKey = generator.getLastToken(); + confirmRegistrationRequest(confirmationKey); + + RegistrationRequestDto reg3 = createRegistrationRequest("test_3"); + approveRequest(reg3.getUuid()); + + // @formatter:off + // 1 NEW, 1 CONFIRMED, 1 APPROVED -> expect 2 elements returned + mvc.perform(get("/registration/list/pending")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$", hasSize(2))); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "registration-client", scopes = {"registration:read"}) + public void testListAllRequests() throws Exception { + + createRegistrationRequest("test_list_1"); + createRegistrationRequest("test_list_2"); + + String token = generator.getLastToken(); + assertNotNull(token); + + confirmRegistrationRequest(token); + + // @formatter:off + mvc.perform(get("/registration/list")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$", hasSize(2))); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "registration-client", scopes = {"registration:write"}) + public void testApproveRequest() throws Exception { + + RegistrationRequestDto reg = createRegistrationRequest("test_approve"); + assertNotNull(reg); + + String token = generator.getLastToken(); + assertNotNull(token); + + confirmRegistrationRequest(token); + + // approve it + // @formatter:off + mvc.perform(post("/registration/{uuid}/{decision}", reg.getUuid(), APPROVED.name())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.status", equalTo(APPROVED.name()))) + .andExpect(jsonPath("$.uuid", equalTo(reg.getUuid()))); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "registration-client", + scopes = {"scim:write", "scim:read", "registration:write"}) + public void testRejectRequest() throws Exception { + + RegistrationRequestDto reg = createRegistrationRequest("test_reject"); + assertNotNull(reg); + + String token = generator.getLastToken(); + assertNotNull(token); + + confirmRegistrationRequest(token); + + // @formatter:off + // reject it + mvc.perform(post("/registration/{uuid}/{decision}", reg.getUuid(), REJECTED.name())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.status", equalTo(REJECTED.name()))) + .andExpect(jsonPath("$.uuid", equalTo(reg.getUuid()))); + // @formatter:on + + // Reject delete user: verify user not found + // @formatter:off + mvc.perform(get("/scim/Users/{uuid}", reg.getAccountId()) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isNotFound()); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "registration-client", scopes = {"registration:write"}) + public void testApproveRequestNotConfirmed() throws Exception { + + // create new request + RegistrationRequestDto reg = createRegistrationRequest("test_approve_not_confirmed"); + assertNotNull(reg); + + // @formatter:off + // approve it without confirm + mvc.perform(post("/registration/{uuid}/{decision}", reg.getUuid(), APPROVED.name())) + .andExpect(status().isOk()); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "registration-client", scopes = {"registration:write"}) + public void testWrongDecisionFailure() throws Exception { + + RegistrationRequestDto reg = createRegistrationRequest("test_wrong_decision"); + assertNotNull(reg); + + String token = generator.getLastToken(); + assertNotNull(token); + + confirmRegistrationRequest(token); + + // @formatter:off + mvc.perform(post("/registration/{uuid}/{decision}", reg.getUuid(), "wrong")) + .andExpect(status().isBadRequest()); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "registration-client", scopes = {"registration:write"}) + public void testConfirmAfterApprovation() throws Exception { + + RegistrationRequestDto reg = createRegistrationRequest("test_confirm_after_approve"); + assertNotNull(reg); + String confirmationKey = generator.getLastToken(); + + approveRequest(reg.getUuid()); + + // @formatter:off + mvc.perform(get("/registration/confirm/{token}", confirmationKey)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.status", equalTo(APPROVED.name()))); + // @formatter:on + } + + private RegistrationRequestDto createRegistrationRequest(String username) throws Exception { + + String email = username + "@example.org"; + RegistrationRequestDto request = new RegistrationRequestDto(); + request.setGivenname("Test"); + request.setFamilyname("User"); + request.setEmail(email); + request.setUsername(username); + request.setNotes("Some short notes..."); + request.setPassword("password"); + + // @formatter:off + String response = mvc + .perform(post("/registration/create").contentType(MediaType.APPLICATION_JSON) + .content(objectMapper.writeValueAsString(request))) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + // @formatter:on + + return objectMapper.readValue(response, RegistrationRequestDto.class); + } + + private void confirmRegistrationRequest(String confirmationKey) throws Exception { + // @formatter:off + mvc.perform(get("/registration/confirm/{token}", confirmationKey)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.status", equalTo(CONFIRMED.name()))); + // @formatter:on + } + + protected RegistrationRequestDto approveRequest(String uuid) throws Exception { + return requestDecision(uuid, APPROVED); + } + + private RegistrationRequestDto requestDecision(String uuid, IamRegistrationRequestStatus decision) + throws Exception { + // @formatter:off + String response = mvc + .perform(post("/registration/{uuid}/{decision}", uuid, decision.name()) + .with(SecurityMockMvcRequestPostProcessors.user("admin").roles("ADMIN", "USER"))) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + // @formatter:on + return objectMapper.readValue(response, RegistrationRequestDto.class); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationTests.java deleted file mode 100644 index 6347908a5..000000000 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationTests.java +++ /dev/null @@ -1,461 +0,0 @@ -package it.infn.mw.iam.test.registration; - -import static com.jayway.restassured.RestAssured.given; -import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; -import static it.infn.mw.iam.test.RegistrationUtils.confirmRegistrationRequest; -import static it.infn.mw.iam.test.RegistrationUtils.createRegistrationRequest; -import static it.infn.mw.iam.test.RegistrationUtils.deleteUser; -import static org.hamcrest.Matchers.equalTo; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertThat; - -import org.hamcrest.Matchers; -import org.junit.BeforeClass; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; - -import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.core.IamRegistrationRequestStatus; -import it.infn.mw.iam.registration.PersistentUUIDTokenGenerator; -import it.infn.mw.iam.registration.RegistrationRequestDto; -import it.infn.mw.iam.test.RegistrationUtils; -import it.infn.mw.iam.test.TestUtils; - -@RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -public class RegistrationTests { - - @Autowired - private PersistentUUIDTokenGenerator generator; - - @Value("${server.port}") - private Integer iamPort; - - @BeforeClass - public static void init() { - - TestUtils.initRestAssured(); - } - - @Test - public void testCreateRequest() { - - RegistrationRequestDto reg = createRegistrationRequest("test_create"); - - assertNotNull(reg); - assertThat(reg.getUsername(), equalTo("test_create")); - assertThat(reg.getGivenname(), equalTo("Test")); - assertThat(reg.getFamilyname(), equalTo("User")); - assertThat(reg.getEmail(), equalTo("test_create@example.org")); - assertThat(reg.getNotes(), equalTo("Some short notes...")); - - deleteUser(reg.getAccountId()); - } - - @Test - public void testListNewRequests() { - - String accessToken = - TestUtils.getAccessToken("registration-client", "secret", "registration:read"); - - RegistrationRequestDto reg = createRegistrationRequest("test_list_new"); - - // @formatter:off - given() - .port(iamPort) - .auth() - .preemptive() - .oauth2(accessToken) - .param("status", IamRegistrationRequestStatus.NEW) - .when() - .get("/registration/list") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("size()", Matchers.greaterThanOrEqualTo(1)); - // @formatter:on - - deleteUser(reg.getAccountId()); - } - - @Test - public void testListPendingRequest() { - String accessToken = - TestUtils.getAccessToken("registration-client", "secret", "registration:read"); - - RegistrationRequestDto reg1 = createRegistrationRequest("test_1"); - - RegistrationRequestDto reg2 = createRegistrationRequest("test_2"); - String confirmationKey = generator.getLastToken(); - RegistrationUtils.confirmRegistrationRequest(confirmationKey); - - RegistrationRequestDto reg3 = createRegistrationRequest("test_3"); - RegistrationUtils.approveRequest(reg3.getUuid()); - - // @formatter:off - // 1 NEW, 1 CONFIRMED, 1 APPROVED -> expect 2 elements returned - given() - .port(iamPort) - .auth() - .preemptive() - .oauth2(accessToken) - .when() - .get("/registration/list/pending") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("size()", Matchers.greaterThanOrEqualTo(2)); - // @formatter:on - - deleteUser(reg1.getAccountId()); - deleteUser(reg2.getAccountId()); - deleteUser(reg3.getAccountId()); - } - - @Test - public void testListRequestsUnauthorized() { - - // @formatter:off - given() - .port(iamPort) - .param("status", IamRegistrationRequestStatus.NEW) - .when() - .get("/registration/list") - .then() - .log() - .body(true) - .statusCode(HttpStatus.UNAUTHORIZED.value()); - // @formatter:on - } - - @Test - public void testListAllRequests() { - - String accessToken = - TestUtils.getAccessToken("registration-client", "secret", "registration:read"); - - RegistrationRequestDto reg1 = createRegistrationRequest("test_list_1"); - RegistrationRequestDto reg2 = createRegistrationRequest("test_list_2"); - - String token = generator.getLastToken(); - assertNotNull(token); - - confirmRegistrationRequest(token); - - // @formatter:off - given() - .port(iamPort) - .auth() - .preemptive() - .oauth2(accessToken) - .when() - .get("/registration/list") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("size()", Matchers.greaterThanOrEqualTo(2)); - // @formatter:on - - deleteUser(reg1.getAccountId()); - deleteUser(reg2.getAccountId()); - } - - @Test - public void testConfirmRequest() { - - RegistrationRequestDto reg = createRegistrationRequest("test_confirm"); - - String token = generator.getLastToken(); - - assertNotNull(token); - - confirmRegistrationRequest(token); - - deleteUser(reg.getAccountId()); - } - - @Test - public void testConfirmRequestFailureWithWrongToken() { - - RegistrationRequestDto reg = createRegistrationRequest("test_confirm_fail"); - - String badToken = "abcdefghilmnopqrstuvz"; - - // @formatter:off - given() - .port(iamPort) - .pathParam("token", badToken) - .when() - .get("/registration/confirm/{token}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.NOT_FOUND.value()); - // @formatter:on - - deleteUser(reg.getAccountId()); - } - - @Test - public void testApproveRequest() { - - String accessToken = - TestUtils.getAccessToken("registration-client", "secret", "registration:write"); - - // create new request - RegistrationRequestDto reg = createRegistrationRequest("test_approve"); - assertNotNull(reg); - - String token = generator.getLastToken(); - assertNotNull(token); - - // confirm - confirmRegistrationRequest(token); - - // approve it - // @formatter:off - given() - .port(iamPort) - .auth() - .preemptive() - .oauth2(accessToken) - .pathParam("uuid", reg.getUuid()) - .pathParam("decision", IamRegistrationRequestStatus.APPROVED.name()) - .when() - .post("/registration/{uuid}/{decision}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("status", Matchers.equalTo(IamRegistrationRequestStatus.APPROVED.name())) - .body("uuid", Matchers.equalTo(reg.getUuid())); - // @formatter:on - - deleteUser(reg.getAccountId()); - } - - @Test - public void testRejectRequest() { - - String accessToken = - TestUtils.getAccessToken("registration-client", "secret", "registration:write"); - - // create new request - RegistrationRequestDto reg = createRegistrationRequest("test_reject"); - assertNotNull(reg); - - String token = generator.getLastToken(); - assertNotNull(token); - - // confirm - confirmRegistrationRequest(token); - - // @formatter:off - // reject it - given() - .port(iamPort) - .auth() - .preemptive() - .oauth2(accessToken) - .pathParam("uuid", reg.getUuid()) - .pathParam("decision", IamRegistrationRequestStatus.REJECTED.name()) - .when() - .post("/registration/{uuid}/{decision}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("status", Matchers.equalTo(IamRegistrationRequestStatus.REJECTED.name())) - .body("uuid", Matchers.equalTo(reg.getUuid())); - // @formatter:on - - // Reject delete user: verify user not found - accessToken = TestUtils.getAccessToken("registration-client", "secret", "scim:read"); - - // @formatter:off - given() - .port(iamPort) - .auth() - .preemptive() - .oauth2(accessToken) - .contentType(SCIM_CONTENT_TYPE) - .pathParam("uuid", reg.getAccountId()) - .when() - .get("scim/Users/{uuid}") - .then() - .statusCode(HttpStatus.NOT_FOUND.value()) - .body("status", Matchers.equalTo("404")) - ; - // @formatter:on - } - - @Test - public void testApproveRequestNotConfirmed() { - - String accessToken = - TestUtils.getAccessToken("registration-client", "secret", "registration:write"); - - // create new request - RegistrationRequestDto reg = createRegistrationRequest("test_approve_not_confirmed"); - assertNotNull(reg); - - // @formatter:off - // approve it without confirm - given() - .port(iamPort) - .auth() - .preemptive() - .oauth2(accessToken) - .pathParam("uuid", reg.getUuid()) - .pathParam("decision", IamRegistrationRequestStatus.APPROVED.name()) - .when() - .post("/registration/{uuid}/{decision}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()); - // @formatter:on - - deleteUser(reg.getAccountId()); - } - - @Test - public void testApproveRequestUnauthorized() { - - // create new request - RegistrationRequestDto reg = createRegistrationRequest("test_approve_unauth"); - assertNotNull(reg); - - String token = generator.getLastToken(); - assertNotNull(token); - - // confirm - confirmRegistrationRequest(token); - - // approve it - // @formatter:off - given() - .port(iamPort) - .pathParam("uuid", reg.getUuid()) - .pathParam("decision", IamRegistrationRequestStatus.APPROVED.name()) - .when() - .post("/registration/{uuid}/{decision}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.UNAUTHORIZED.value()); - // @formatter:on - - deleteUser(reg.getAccountId()); - } - - @Test - public void testWrongDecisionFailure() { - - String accessToken = - TestUtils.getAccessToken("registration-client", "secret", "registration:write"); - - // create new request - RegistrationRequestDto reg = createRegistrationRequest("test_wrong_decision"); - assertNotNull(reg); - - String token = generator.getLastToken(); - assertNotNull(token); - - // confirm - confirmRegistrationRequest(token); - - // approve it - // @formatter:off - given() - .port(iamPort) - .auth() - .preemptive() - .oauth2(accessToken) - .pathParam("uuid", reg.getUuid()) - .pathParam("decision", "wrong") - .when() - .post("/registration/{uuid}/{decision}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.BAD_REQUEST.value()); - // @formatter:on - - deleteUser(reg.getAccountId()); - } - - @Test - public void testUsernameAvailable() { - String username = "tester"; - // @formatter:off - given() - .port(iamPort) - .pathParam("username", username) - .when() - .get("registration/username-available/{username}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body(Matchers.equalTo("true")) - ; - // @formatter:on - } - - @Test - public void testUsernameAlreadyTaken() { - String username = "admin"; - // @formatter:off - given() - .port(iamPort) - .pathParam("username", username) - .when() - .get("registration/username-available/{username}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body(Matchers.equalTo("false")) - ; - // @formatter:on - } - - @Test - public void testConfirmAfterApprovation() { - - // create new request - RegistrationRequestDto reg = createRegistrationRequest("test_confirm_after_approve"); - assertNotNull(reg); - String confirmationKey = generator.getLastToken(); - - RegistrationUtils.approveRequest(reg.getUuid()); - - // @formatter:off - given() - .port(8080) - .pathParam("token", confirmationKey) - .when() - .get("/registration/confirm/{token}") - .then() - .log() - .body(true) - .statusCode(HttpStatus.OK.value()) - .body("status", Matchers.equalTo(IamRegistrationRequestStatus.APPROVED.name())) - ; - // @formatter:on - - deleteUser(reg.getAccountId()); - } - -} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationUnprivilegedTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationUnprivilegedTests.java new file mode 100644 index 000000000..3d104db45 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/RegistrationUnprivilegedTests.java @@ -0,0 +1,227 @@ +package it.infn.mw.iam.test.registration; + +import static it.infn.mw.iam.core.IamRegistrationRequestStatus.APPROVED; +import static it.infn.mw.iam.core.IamRegistrationRequestStatus.CONFIRMED; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import javax.transaction.Transactional; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.http.MediaType; +import org.springframework.security.authentication.AnonymousAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import com.fasterxml.jackson.databind.ObjectMapper; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.registration.PersistentUUIDTokenGenerator; +import it.infn.mw.iam.registration.RegistrationRequestDto; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class}) +@WebAppConfiguration +@Transactional +public class RegistrationUnprivilegedTests { + + @Autowired + private WebApplicationContext context; + + @Autowired + private PersistentUUIDTokenGenerator generator; + + @Autowired + private ObjectMapper objectMapper; + + private MockMvc mvc; + + @Before + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + @Test + public void testCreateRequest() throws Exception { + + RegistrationRequestDto reg = createRegistrationRequest("test_create"); + + assertNotNull(reg); + assertThat(reg.getUsername(), equalTo("test_create")); + assertThat(reg.getGivenname(), equalTo("Test")); + assertThat(reg.getFamilyname(), equalTo("User")); + assertThat(reg.getEmail(), equalTo("test_create@example.org")); + assertThat(reg.getNotes(), equalTo("Some short notes...")); + } + + @Test + public void testConfirmRequest() throws Exception { + + createRegistrationRequest("test_confirm"); + String token = generator.getLastToken(); + assertNotNull(token); + confirmRegistrationRequest(token); + } + + @Test + public void testListRequestsUnauthorized() throws Exception { + + // @formatter:off + mvc.perform(get("/registration/list") + .with(authentication(anonymousAuthenticationToken()))) + .andExpect(status().isUnauthorized()); + // @formatter:on + } + + @Test + public void testConfirmRequestFailureWithWrongToken() throws Exception { + + createRegistrationRequest("test_confirm_fail"); + String badToken = "abcdefghilmnopqrstuvz"; + + // @formatter:off + mvc.perform(get("/registration/confirm/{token}", badToken)) + .andExpect(status().isNotFound()); + // @formatter:on + } + + @Test + public void testApproveRequestUnauthorized() throws Exception { + + RegistrationRequestDto reg = createRegistrationRequest("test_approve_unauth"); + assertNotNull(reg); + + String token = generator.getLastToken(); + assertNotNull(token); + + confirmRegistrationRequest(token); + + // @formatter:off + mvc.perform(post("/registration/{uuid}/{decision}", reg.getUuid(), APPROVED.name()) + .with(authentication(anonymousAuthenticationToken()))) + .andExpect(status().isUnauthorized()); + // @formatter:on + } + + @Test + public void testUsernameAvailable() throws Exception { + String username = "tester"; + // @formatter:off + mvc.perform(get("/registration/username-available/{username}", username)) + .andExpect(status().isOk()) + .andExpect(content().string("true")); + // @formatter:on + } + + @Test + public void testUsernameAlreadyTaken() throws Exception { + String username = "admin"; + // @formatter:off + mvc.perform(get("/registration/username-available/{username}", username)) + .andExpect(status().isOk()) + .andExpect(content().string("false")); + // @formatter:on + } + + @Test + public void testCreateRequestWithoutNotes() throws Exception { + + String username = "user_with_empty_notes"; + String email = username + "@example.org"; + + RegistrationRequestDto request = new RegistrationRequestDto(); + request.setGivenname("Test"); + request.setFamilyname("User"); + request.setEmail(email); + request.setUsername(username); + request.setPassword("password"); + + // @formatter:off + mvc.perform(post("/registration/create") + .contentType(MediaType.APPLICATION_JSON) + .content(objectMapper.writeValueAsString(request))) + .andExpect(status().isBadRequest()); + // @formatter:on + } + + @Test + public void testCreateRequestBlankNotes() throws Exception { + + String username = "user_with_empty_notes"; + String email = username + "@example.org"; + + RegistrationRequestDto request = new RegistrationRequestDto(); + request.setGivenname("Test"); + request.setFamilyname("User"); + request.setEmail(email); + request.setUsername(username); + request.setPassword("password"); + request.setNotes(" "); + + // @formatter:off + mvc.perform(post("/registration/create") + .contentType(MediaType.APPLICATION_JSON) + .content(objectMapper.writeValueAsString(request))) + .andExpect(status().isBadRequest()); + // @formatter:on + } + + + private Authentication anonymousAuthenticationToken() { + return new AnonymousAuthenticationToken("key", "anonymous", + AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")); + } + + private RegistrationRequestDto createRegistrationRequest(String username) throws Exception { + + String email = username + "@example.org"; + RegistrationRequestDto request = new RegistrationRequestDto(); + request.setGivenname("Test"); + request.setFamilyname("User"); + request.setEmail(email); + request.setUsername(username); + request.setNotes("Some short notes..."); + request.setPassword("password"); + + // @formatter:off + String response = mvc + .perform(post("/registration/create").contentType(MediaType.APPLICATION_JSON) + .content(objectMapper.writeValueAsString(request))) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + // @formatter:on + + return objectMapper.readValue(response, RegistrationRequestDto.class); + } + + private void confirmRegistrationRequest(String confirmationKey) throws Exception { + // @formatter:off + mvc.perform(get("/registration/confirm/{token}", confirmationKey)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.status", equalTo(CONFIRMED.name()))); + // @formatter:on + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/SamlExtAuthRegistrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/SamlExtAuthRegistrationTests.java index 5fa16b05e..f9c38e848 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/SamlExtAuthRegistrationTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/registration/SamlExtAuthRegistrationTests.java @@ -26,11 +26,13 @@ import org.springframework.test.context.web.WebAppConfiguration; import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; import it.infn.mw.iam.persistence.repository.IamAccountRepository; import it.infn.mw.iam.registration.PersistentUUIDTokenGenerator; import it.infn.mw.iam.registration.RegistrationRequestDto; -import it.infn.mw.iam.test.ext_authn.saml.SamlExternalAuthenticationTestSupport; +import it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport; import it.infn.mw.iam.test.ext_authn.saml.SamlTestConfig; import it.infn.mw.iam.test.util.WithMockSAMLUser; import it.infn.mw.iam.test.util.saml.SamlUtils; @@ -39,7 +41,7 @@ @SpringApplicationConfiguration(classes = {IamLoginService.class, SamlTestConfig.class}) @WebAppConfiguration @Transactional -public class SamlExtAuthRegistrationTests extends SamlExternalAuthenticationTestSupport { +public class SamlExtAuthRegistrationTests extends SamlAuthenticationTestSupport { @Autowired private IamAccountRepository iamAccountRepo; @@ -129,7 +131,9 @@ public void externalSamlRegistrationCreatesDisabledAccount() throws Throwable { assertThat(err.getMessage(), startsWith( "Your registration request to indigo-dc was submitted and confirmed successfully")); - IamAccount account = iamAccountRepo.findBySamlId(DEFAULT_IDP_ID, T1_EPUID) + IamSamlId id = new IamSamlId(DEFAULT_IDP_ID, Saml2Attribute.EPUID.getAttributeName(), T1_EPUID); + + IamAccount account = iamAccountRepo.findBySamlId(id) .orElseThrow(() -> new AssertionError("Expected account not found")); iamAccountRepo.delete(account); diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/repository/IamAccountRepositoryTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/repository/IamAccountRepositoryTests.java new file mode 100644 index 000000000..40c705148 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/repository/IamAccountRepositoryTests.java @@ -0,0 +1,42 @@ +package it.infn.mw.iam.test.repository; + +import static org.hamcrest.Matchers.equalTo; + +import javax.persistence.EntityManager; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class}) +public class IamAccountRepositoryTests { + + static final IamSamlId TEST_USER_ID = new IamSamlId("https://idptestbed/idp/shibboleth", + Saml2Attribute.EPUID.getAttributeName(), "78901@idptestbed"); + + @Autowired + IamAccountRepository repo; + + @Autowired + EntityManager em; + + @Test + public void testSamlIdResolutionWorksAsExpected() { + + IamAccount testUserAccount = repo.findBySamlId(TEST_USER_ID) + .orElseThrow(() -> new AssertionError("Could not lookup test user by SAML id")); + + Assert.assertThat(testUserAccount.getUsername(), equalTo("test")); + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/repository/IamTokenRepositoryTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/repository/IamTokenRepositoryTests.java index 8708b7062..172e057bd 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/repository/IamTokenRepositoryTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/repository/IamTokenRepositoryTests.java @@ -8,6 +8,7 @@ import javax.persistence.EntityManager; +import org.apache.commons.lang.time.DateUtils; import org.junit.Test; import org.junit.runner.RunWith; import org.mitre.oauth2.model.ClientDetailsEntity; @@ -89,15 +90,20 @@ private OAuth2AccessTokenEntity buildAccessToken(ClientDetailsEntity client) { public void testTokenResolutionCorrectlyEnforcesUsernameChecks() { buildAccessToken(loadTestClient(), TEST_347_USER); + Date currentTimestamp = new Date(); - assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_346_USER), hasSize(0)); - assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_346_USER), hasSize(0)); + assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_346_USER, currentTimestamp), + hasSize(0)); + assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_346_USER, currentTimestamp), + hasSize(0)); - assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_347_USER), hasSize(2)); // access - // token + assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_347_USER, currentTimestamp), + hasSize(2)); // access + // token // + ID token - assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_347_USER), hasSize(1)); + assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_347_USER, currentTimestamp), + hasSize(1)); } @Test @@ -119,16 +125,38 @@ public void testExpiredTokensAreNotReturned() { tokenService.saveAccessToken(at.getIdToken()); tokenService.saveRefreshToken(at.getRefreshToken()); - assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_347_USER), hasSize(0)); - assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_347_USER), hasSize(0)); + Date currentTimestamp = new Date(); + + assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_347_USER, currentTimestamp), + hasSize(0)); + assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_347_USER, currentTimestamp), + hasSize(0)); } @Test public void testClientTokensNotBoundToUsersAreIgnored() { buildAccessToken(loadTestClient()); + Date currentTimestamp = new Date(); + + assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_347_USER, currentTimestamp), + hasSize(0)); + assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_347_USER, currentTimestamp), + hasSize(0)); + } + + @Test + public void testRepositoryDoesntRelyOnDbTime() { + OAuth2AccessTokenEntity at = buildAccessToken(loadTestClient(), TEST_347_USER); + + Date now = DateUtils.addHours(new Date(), -2); + Date exp = DateUtils.addHours(now, +1); + + at.setExpiration(exp); + at.getIdToken().setExpiration(exp); + at.getRefreshToken().setExpiration(exp); - assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_347_USER), hasSize(0)); - assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_347_USER), hasSize(0)); + assertThat(accessTokenRepo.findValidAccessTokensForUser(TEST_347_USER, now), hasSize(2)); + assertThat(refreshTokenRepo.findValidRefreshTokensForUser(TEST_347_USER, now), hasSize(1)); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/RestUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/RestUtils.java new file mode 100644 index 000000000..0ecf1abdf --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/RestUtils.java @@ -0,0 +1,96 @@ +package it.infn.mw.iam.test.scim; + +import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpStatus; +import org.springframework.stereotype.Component; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.ResultActions; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.util.MultiValueMap; +import org.springframework.web.context.WebApplicationContext; + +import com.fasterxml.jackson.databind.ObjectMapper; + +@Component +public class RestUtils { + + protected final MockMvc mvc; + protected final ObjectMapper mapper; + + @Autowired + public RestUtils(WebApplicationContext context, ObjectMapper mapper) { + + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + this.mapper = mapper; + } + + public ResultActions doPost(String location, B contentObj, String contentType, + HttpStatus expectedStatus) throws Exception { + + String contentJson = mapper.writeValueAsString(contentObj); + + return mvc.perform(post(location).contentType(contentType).content(contentJson)) + .andExpect(status().is(expectedStatus.value())) + .andExpect(content().contentType(contentType)); + } + + public ResultActions doPost(String location, + MultiValueMap formParams, String expectedContentType, + HttpStatus expectedStatus) throws Exception { + + return mvc.perform(post(location).contentType(APPLICATION_FORM_URLENCODED).params(formParams)) + .andExpect(status().is(expectedStatus.value())) + .andExpect(content().contentType(expectedContentType)); + } + + public ResultActions doGet(String location, String expectedContentType, HttpStatus expectedStatus) + throws Exception { + + return mvc.perform(get(location)).andExpect(status().is(expectedStatus.value())); + } + + public ResultActions doGet(String location, MultiValueMap params, + String expectedContentType, HttpStatus expectedStatus) throws Exception { + + return mvc.perform(get(location).params(params)).andExpect(status().is(expectedStatus.value())); + } + + public ResultActions doDelete(String location, HttpStatus expectedStatus) throws Exception { + + return mvc.perform(delete(location)).andExpect(status().is(expectedStatus.value())); + } + + public ResultActions doPut(String location, B contentObj, String expectedContentType, + HttpStatus expectedStatus) throws Exception { + + String contentJson = mapper.writeValueAsString(contentObj); + + return mvc.perform(put(location).contentType(expectedContentType).content(contentJson)) + .andExpect(status().is(expectedStatus.value())) + .andExpect(content().contentType(expectedContentType)); + } + + public ResultActions doPatch(String location, T contentObj, String expectedContentType, + HttpStatus expectedStatus) throws Exception { + + String contentJson = mapper.writeValueAsString(contentObj); + + return mvc.perform(patch(location).contentType(expectedContentType).content(contentJson)) + .andExpect(status().is(expectedStatus.value())); + } + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/ScimRestUtilsMvc.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/ScimRestUtilsMvc.java new file mode 100644 index 000000000..dac9ac6d3 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/ScimRestUtilsMvc.java @@ -0,0 +1,172 @@ +package it.infn.mw.iam.test.scim; + +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CONTENT_TYPE; +import static it.infn.mw.iam.test.scim.ScimUtils.getMeLocation; +import static it.infn.mw.iam.test.scim.ScimUtils.getUserLocation; +import static it.infn.mw.iam.test.scim.ScimUtils.getUsersLocation; +import static org.springframework.http.HttpStatus.CREATED; +import static org.springframework.http.HttpStatus.NO_CONTENT; +import static org.springframework.http.HttpStatus.OK; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpStatus; +import org.springframework.stereotype.Component; +import org.springframework.test.web.servlet.ResultActions; +import org.springframework.util.MultiValueMap; +import org.springframework.web.context.WebApplicationContext; + +import com.fasterxml.jackson.databind.ObjectMapper; + +import it.infn.mw.iam.api.scim.model.ScimUser; +import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; +import it.infn.mw.iam.api.scim.model.ScimPatchOperation.ScimPatchOperationType; + +@Component +public class ScimRestUtilsMvc extends RestUtils { + + @Autowired + public ScimRestUtilsMvc(WebApplicationContext context, ObjectMapper mapper) { + super(context, mapper); + } + + public ScimUser postUser(ScimUser user) throws Exception { + + return mapper.readValue(postUser(user, CREATED).andReturn().getResponse().getContentAsString(), + ScimUser.class); + } + + public ResultActions postUser(ScimUser user, HttpStatus expectedStatus) throws Exception { + + return doPost(getUsersLocation(), user, SCIM_CONTENT_TYPE, expectedStatus); + } + + public ScimUser getUser(String uuid) throws Exception { + + return mapper.readValue(getUser(uuid, OK).andReturn().getResponse().getContentAsString(), + ScimUser.class); + } + + public ResultActions getUser(String uuid, HttpStatus expectedStatus) throws Exception { + + return doGet(getUserLocation(uuid), SCIM_CONTENT_TYPE, expectedStatus); + } + + public ResultActions getUsers(MultiValueMap params, HttpStatus expectedStatus) + throws Exception { + + return doGet(getUsersLocation(), params, SCIM_CONTENT_TYPE, expectedStatus); + } + + public ResultActions getUsers(MultiValueMap params) throws Exception { + + return doGet(getUsersLocation(), params, SCIM_CONTENT_TYPE, OK); + } + + public ResultActions getUsers(HttpStatus expectedStatus) throws Exception { + + return doGet(getUsersLocation(), SCIM_CONTENT_TYPE, expectedStatus); + } + + public ResultActions getUsers() throws Exception { + + return doGet(getUsersLocation(), SCIM_CONTENT_TYPE, OK); + } + + public ScimUser getMe() throws Exception { + + return mapper.readValue(getMe(OK).andExpect(content().contentType(SCIM_CONTENT_TYPE)) + .andReturn() + .getResponse() + .getContentAsString(), ScimUser.class); + } + + public ResultActions getMe(HttpStatus expectedStatus) throws Exception { + + return doGet(getMeLocation(), SCIM_CONTENT_TYPE, expectedStatus); + } + + public ResultActions putUser(String uuid, ScimUser user, HttpStatus expectedStatus) + throws Exception { + + return doPut(getUserLocation(uuid), user, SCIM_CONTENT_TYPE, expectedStatus); + } + + public ScimUser putUser(String uuid, ScimUser user) throws Exception { + + return mapper.readValue(putUser(uuid, user, OK).andReturn().getResponse().getContentAsString(), + ScimUser.class); + } + + public ResultActions deleteUser(String uuid, HttpStatus expectedStatus) throws Exception { + + return doDelete(getUserLocation(uuid), expectedStatus); + } + + public void deleteUser(String uuid) throws Exception { + + deleteUser(uuid, NO_CONTENT); + } + + public void deleteUser(ScimUser user, HttpStatus expectedStatus) throws Exception { + + deleteUser(user.getId(), expectedStatus); + } + + public void deleteUser(ScimUser user) throws Exception { + + deleteUser(user.getId()); + } + + public void deleteUsers(ScimUser... users) throws Exception { + + for (ScimUser u : users) { + deleteUser(u); + } + } + + private ScimUserPatchRequest getUserPatchRequest(ScimPatchOperationType type, ScimUser updates) + throws Exception { + + ScimUserPatchRequest patchRequest; + switch (type) { + case add: + patchRequest = ScimUserPatchRequest.builder().add(updates).build(); + break; + case remove: + patchRequest = ScimUserPatchRequest.builder().remove(updates).build(); + break; + case replace: + patchRequest = ScimUserPatchRequest.builder().replace(updates).build(); + break; + default: + throw new Exception("unsupported patch type"); + } + return patchRequest; + } + + public ResultActions patchUser(String uuid, ScimPatchOperationType type, ScimUser updates, + HttpStatus expectedStatus) throws Exception { + + return doPatch(getUserLocation(uuid), getUserPatchRequest(type, updates), SCIM_CONTENT_TYPE, + expectedStatus); + } + + public ResultActions patchUser(String uuid, ScimPatchOperationType type, ScimUser updates) + throws Exception { + + return patchUser(uuid, type, updates, NO_CONTENT); + } + + public ResultActions patchMe(ScimPatchOperationType type, ScimUser updates, + HttpStatus expectedStatus) throws Exception { + + return doPatch(getMeLocation(), getUserPatchRequest(type, updates), SCIM_CONTENT_TYPE, + expectedStatus); + } + + public ResultActions patchMe(ScimPatchOperationType type, ScimUser updates) throws Exception { + + return patchMe(type, updates, NO_CONTENT); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/ScimUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/ScimUtils.java new file mode 100644 index 000000000..fa6b40c22 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/ScimUtils.java @@ -0,0 +1,101 @@ +package it.infn.mw.iam.test.scim; + +import org.springframework.util.LinkedMultiValueMap; +import org.springframework.util.MultiValueMap; + +import it.infn.mw.iam.api.scim.model.ScimUser; + +public class ScimUtils { + + public static String SCIM_CONTENT_TYPE = "application/scim+json"; + + public static final String SCIM_CLIENT_ID = "scim-client-rw"; + public static final String SCIM_CLIENT_SECRET = "secret"; + public static final String SCIM_READ_SCOPE = "scim:read"; + public static final String SCIM_WRITE_SCOPE = "scim:write"; + + public static final String SCIM_ENDPOINT_BASEURL = "/scim"; + + public static String getUsersLocation() { + + return SCIM_ENDPOINT_BASEURL + "/Users"; + } + + public static String getGroupsLocation() { + + return SCIM_ENDPOINT_BASEURL + "/Groups"; + } + + public static String getMeLocation() { + + return SCIM_ENDPOINT_BASEURL + "/Me"; + } + + public static String getUserLocation(String uuid) { + + return getUsersLocation() + "/" + uuid; + } + + public static String getGroupLocation(String uuid) { + + return getGroupsLocation() + "/" + uuid; + } + + public static ScimUser buildUser(String username, String email, String givenName, + String familyName) { + + return ScimUser.builder(username).buildEmail(email).buildName(givenName, familyName).build(); + } + + public static ScimUser buildUserWithUUID(String uuid, String username, String email, + String givenName, String familyName) { + + return ScimUser.builder(username) + .id(uuid) + .buildEmail(email) + .buildName(givenName, familyName) + .build(); + } + + public static ScimUser buildUserWithPassword(String username, String password, String email, + String givenName, String familyName) { + + return ScimUser.builder(username) + .password(password) + .buildEmail(email) + .buildName(givenName, familyName) + .build(); + } + + public static class ParamsBuilder { + + private MultiValueMap params; + + public static ParamsBuilder builder() { + return new ParamsBuilder(); + } + + private ParamsBuilder() { + params = new LinkedMultiValueMap(); + } + + public ParamsBuilder count(int count) { + params.add("count", String.valueOf(count)); + return this; + } + + public ParamsBuilder startIndex(int startIndex) { + params.add("startIndex", String.valueOf(startIndex)); + return this; + } + + public ParamsBuilder attributes(String attributes) { + params.add("attributes", attributes); + return this; + } + + public MultiValueMap build() { + return params; + } + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/converter/ScimX509CertificateConverterTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/converter/ScimX509CertificateConverterTests.java index 6cb39c616..8d3f5b70b 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/converter/ScimX509CertificateConverterTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/converter/ScimX509CertificateConverterTests.java @@ -1,59 +1,59 @@ package it.infn.mw.iam.test.scim.converter; -import javax.transaction.Transactional; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.nullValue; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; -import org.junit.Assert; import org.junit.Test; -import org.junit.runner.RunWith; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; -import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.api.scim.converter.X509CertificateConverter; import it.infn.mw.iam.api.scim.model.ScimX509Certificate; +import it.infn.mw.iam.authn.x509.PEMX509CertificateChainParser; import it.infn.mw.iam.persistence.model.IamX509Certificate; -import it.infn.mw.iam.test.TestUtils; +import it.infn.mw.iam.test.ext_authn.x509.X509TestSupport; -@RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@Transactional -@WebIntegrationTest -public class ScimX509CertificateConverterTests { - @Autowired - X509CertificateConverter converter; +public class ScimX509CertificateConverterTests extends X509TestSupport { + + X509CertificateConverter converter = + new X509CertificateConverter(new PEMX509CertificateChainParser()); @Test - public void testConversionFromScimToIamWithCertificate() { + public void testScimToEntityConversion() { - ScimX509Certificate scimCert = - ScimX509Certificate.builder().value(TestUtils.x509Certs.get(0).certificate).build(); + ScimX509Certificate scimCert = ScimX509Certificate.builder() + .display("A label") + .primary(true) + .subjectDn(TEST_0_SUBJECT) + .pemEncodedCertificate(TEST_0_CERT_STRING) + .build(); IamX509Certificate iamCert = converter.fromScim(scimCert); - Assert.assertNull(iamCert.getLabel()); - Assert.assertFalse(iamCert.isPrimary()); - Assert.assertNotNull(iamCert.getCertificate()); - Assert.assertNotNull(iamCert.getCertificateSubject()); - Assert.assertNull(iamCert.getAccount()); + assertThat(iamCert.getLabel(), equalTo("A label")); + assertTrue(iamCert.isPrimary()); + assertThat(iamCert.getSubjectDn(), equalTo(TEST_0_SUBJECT)); + assertThat(iamCert.getCertificate(), equalTo(TEST_0_CERT_STRING)); + assertThat(iamCert.getAccount(), nullValue()); } @Test - public void testConversionFromScimToIamWithCertificateAndLabel() { + public void testEntityToScimConversion() { - ScimX509Certificate scimCert = ScimX509Certificate.builder() - .value(TestUtils.x509Certs.get(0).certificate) - .display("This is the label") - .build(); + IamX509Certificate cert = new IamX509Certificate(); + cert.setSubjectDn(TEST_0_SUBJECT); + cert.setCertificate(TEST_0_CERT_STRING); + cert.setLabel("A label"); + cert.setPrimary(false); - IamX509Certificate iamCert = converter.fromScim(scimCert); + ScimX509Certificate scimCert = converter.toScim(cert); + + assertThat(scimCert.getDisplay(), equalTo("A label")); + assertFalse(scimCert.getPrimary()); + assertThat(scimCert.getSubjectDn(), equalTo(TEST_0_SUBJECT)); + assertThat(scimCert.getPemEncodedCertificate(), equalTo(TEST_0_CERT_STRING)); - Assert.assertEquals(iamCert.getLabel(), "This is the label"); - Assert.assertFalse(iamCert.isPrimary()); - Assert.assertNotNull(iamCert.getCertificate()); - Assert.assertNotNull(iamCert.getCertificateSubject()); - Assert.assertNull(iamCert.getAccount()); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/core/provisioning/user/ScimUserProvisioningTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/core/provisioning/user/ScimUserProvisioningTests.java index c5b74ecdb..3e587c63e 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/core/provisioning/user/ScimUserProvisioningTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/core/provisioning/user/ScimUserProvisioningTests.java @@ -1,7 +1,10 @@ package it.infn.mw.iam.test.scim.core.provisioning.user; -import org.hamcrest.Matchers; -import org.junit.Assert; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; + import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; @@ -18,10 +21,10 @@ import it.infn.mw.iam.api.scim.model.ScimSamlId; import it.infn.mw.iam.api.scim.model.ScimSshKey; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.api.scim.model.ScimX509Certificate; import it.infn.mw.iam.api.scim.provisioning.ScimUserProvisioning; import it.infn.mw.iam.persistence.model.IamAccount; -import it.infn.mw.iam.test.TestUtils; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.test.SshKeyUtils; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = IamLoginService.class) @@ -31,6 +34,9 @@ public class ScimUserProvisioningTests { @Autowired private ScimUserProvisioning userService; + @Autowired + private IamAccountRepository accountRepo; + @Autowired private PasswordEncoder passwordEncoder; @@ -45,12 +51,7 @@ public class ScimUserProvisioningTests { final ScimSshKey TESTUSER_SSHKEY = ScimSshKey.builder() .primary(true) .display("Personal Key") - .value(TestUtils.sshKeys.get(0).key) - .build(); - final ScimX509Certificate TESTUSER_X509CERT = ScimX509Certificate.builder() - .display("Personal X509 Certificate") - .value(TestUtils.x509Certs.get(0).certificate) - .primary(true) + .value(SshKeyUtils.sshKeys.get(0).key) .build(); @Test @@ -66,57 +67,40 @@ public void createUserTest() { .addOidcId(TESTUSER_OIDCID) .addSamlId(TESTUSER_SAMLID) .addSshKey(TESTUSER_SSHKEY) - .addX509Certificate(TESTUSER_X509CERT) .build(); - IamAccount iamAccount = userService.createAccount(scimUser); + userService.create(scimUser); - Assert.assertNotNull(iamAccount); + IamAccount iamAccount = accountRepo.findByUsername(scimUser.getUserName()) + .orElseThrow(() -> new AssertionError("Expected user not found by repo")); - Assert.assertTrue(iamAccount.isActive()); + assertNotNull(iamAccount); - Assert.assertThat(iamAccount.getUsername(), Matchers.equalTo(TESTUSER_USERNAME)); + assertThat(iamAccount.isActive(), equalTo(true)); - Assert.assertTrue(passwordEncoder.matches(TESTUSER_PASSWORD, iamAccount.getPassword())); + assertThat(iamAccount.getUsername(), equalTo(TESTUSER_USERNAME)); - Assert.assertThat(iamAccount.getUserInfo().getGivenName(), - Matchers.equalTo(TESTUSER_NAME.getGivenName())); - Assert.assertThat(iamAccount.getUserInfo().getMiddleName(), - Matchers.equalTo(TESTUSER_NAME.getMiddleName())); - Assert.assertThat(iamAccount.getUserInfo().getFamilyName(), - Matchers.equalTo(TESTUSER_NAME.getFamilyName())); + assertTrue(passwordEncoder.matches(TESTUSER_PASSWORD, iamAccount.getPassword())); - Assert.assertThat(iamAccount.getUserInfo().getPicture(), - Matchers.equalTo(TESTUSER_PHOTO.getValue())); + assertThat(iamAccount.getUserInfo().getGivenName(), equalTo(TESTUSER_NAME.getGivenName())); + assertThat(iamAccount.getUserInfo().getMiddleName(), equalTo(TESTUSER_NAME.getMiddleName())); + assertThat(iamAccount.getUserInfo().getFamilyName(), equalTo(TESTUSER_NAME.getFamilyName())); - Assert.assertThat(iamAccount.getUserInfo().getEmail(), - Matchers.equalTo(TESTUSER_EMAIL.getValue())); + assertThat(iamAccount.getUserInfo().getPicture(), equalTo(TESTUSER_PHOTO.getValue())); - Assert.assertThat(iamAccount.getOidcIds().get(0).getIssuer(), - Matchers.equalTo(TESTUSER_OIDCID.getIssuer())); - Assert.assertThat(iamAccount.getOidcIds().get(0).getSubject(), - Matchers.equalTo(TESTUSER_OIDCID.getSubject())); + assertThat(iamAccount.getUserInfo().getEmail(), equalTo(TESTUSER_EMAIL.getValue())); - Assert.assertThat(iamAccount.getSamlIds().get(0).getIdpId(), - Matchers.equalTo(TESTUSER_SAMLID.getIdpId())); - Assert.assertThat(iamAccount.getSamlIds().get(0).getUserId(), - Matchers.equalTo(TESTUSER_SAMLID.getUserId())); + assertThat(iamAccount.getOidcIds().get(0).getIssuer(), equalTo(TESTUSER_OIDCID.getIssuer())); + assertThat(iamAccount.getOidcIds().get(0).getSubject(), equalTo(TESTUSER_OIDCID.getSubject())); - Assert.assertThat(iamAccount.getSshKeys().get(0).getLabel(), - Matchers.equalTo(TESTUSER_SSHKEY.getDisplay())); - Assert.assertThat(iamAccount.getSshKeys().get(0).getFingerprint(), - Matchers.equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)); - Assert.assertThat(iamAccount.getSshKeys().get(0).getValue(), - Matchers.equalTo(TESTUSER_SSHKEY.getValue())); - Assert.assertThat(iamAccount.getSshKeys().get(0).isPrimary(), - Matchers.equalTo(TESTUSER_SSHKEY.isPrimary())); + assertThat(iamAccount.getSamlIds().get(0).getIdpId(), equalTo(TESTUSER_SAMLID.getIdpId())); + assertThat(iamAccount.getSamlIds().get(0).getUserId(), equalTo(TESTUSER_SAMLID.getUserId())); - Assert.assertThat(iamAccount.getX509Certificates().get(0).getLabel(), - Matchers.equalTo(TESTUSER_X509CERT.getDisplay())); - Assert.assertThat(iamAccount.getX509Certificates().get(0).getCertificate(), - Matchers.equalTo(TESTUSER_X509CERT.getValue())); - Assert.assertThat(iamAccount.getX509Certificates().get(0).isPrimary(), - Matchers.equalTo(TESTUSER_X509CERT.isPrimary())); + assertThat(iamAccount.getSshKeys().get(0).getLabel(), equalTo(TESTUSER_SSHKEY.getDisplay())); + assertThat(iamAccount.getSshKeys().get(0).getFingerprint(), + equalTo(SshKeyUtils.sshKeys.get(0).fingerprintSHA256)); + assertThat(iamAccount.getSshKeys().get(0).getValue(), equalTo(TESTUSER_SSHKEY.getValue())); + assertThat(iamAccount.getSshKeys().get(0).isPrimary(), equalTo(TESTUSER_SSHKEY.isPrimary())); userService.delete(iamAccount.getUuid()); } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningAttributeFilterTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningAttributeFilterTests.java index 1dad5565a..b9aed2435 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningAttributeFilterTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningAttributeFilterTests.java @@ -1,6 +1,5 @@ package it.infn.mw.iam.test.scim.group; -import static com.jayway.restassured.RestAssured.given; import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.equalTo; @@ -8,88 +7,90 @@ import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.nullValue; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import javax.transaction.Transactional; import org.hamcrest.Matchers; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.api.scim.model.ScimListResponse; -import it.infn.mw.iam.test.TestUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimUtils; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@Transactional +@WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read"}) public class ScimGroupProvisioningAttributeFilterTests { - String accessToken; + @Autowired + private WebApplicationContext context; - @Before - public void initAccessToken() { + private MockMvc mvc; - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read"); + private final static String GROUPS_URI = ScimUtils.getGroupsLocation(); + + @Before + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); } @Test - public void testReuturnOnlyDisplayNameRequest() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 1) - .param("attributes", "displayName") - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(1)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(1))) - .body("Resources[0].id", is(Matchers.not(nullValue()))) - .body("Resources[0].schemas", is(Matchers.not(nullValue()))) - .body("Resources[0].displayName", is(Matchers.not(nullValue()))); + public void testReuturnOnlyDisplayNameRequest() throws Exception { + //@formatter:off + mvc.perform(get(GROUPS_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", "1") + .param("attributes", "displayName")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(22))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(1))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(1)))) + .andExpect(jsonPath("$.Resources[0].id", is(Matchers.not(nullValue())))) + .andExpect(jsonPath("$.Resources[0].schemas", is(Matchers.not(nullValue())))) + .andExpect(jsonPath("$.Resources[0].displayName", is(Matchers.not(nullValue())))); + //@formatter:on } @Test - public void testMultipleAttrsRequest() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 2) - .param("attributes", "displayName") - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(2)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(2))) - .body("Resources[0].id", is(Matchers.not(nullValue()))) - .body("Resources[0].schemas", is(not(nullValue()))) - .body("Resources[0].displayName", is(not(nullValue()))); - + public void testMultipleAttrsRequest() throws Exception { + //@formatter:off + mvc.perform(get(GROUPS_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", "2") + .param("attributes", "displayName")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(22))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(2))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(2)))) + .andExpect(jsonPath("$.Resources[0].id", is(Matchers.not(nullValue())))) + .andExpect(jsonPath("$.Resources[0].schemas", is(not(nullValue())))) + .andExpect(jsonPath("$.Resources[0].displayName", is(not(nullValue())))); + //@formatter:on } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningListTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningListTests.java index 7c433a75a..43b223639 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningListTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningListTests.java @@ -1,252 +1,212 @@ package it.infn.mw.iam.test.scim.group; -import static com.jayway.restassured.RestAssured.given; import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasSize; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import javax.transaction.Transactional; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.api.scim.model.ScimListResponse; -import it.infn.mw.iam.test.TestUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimUtils; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@Transactional +@WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read"}) public class ScimGroupProvisioningListTests { - String accessToken; + @Autowired + private WebApplicationContext context; - @Before - public void initAccessToken() { + private MockMvc mvc; - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read"); - } + private final static String GROUP_URI = ScimUtils.getGroupsLocation(); + private Integer totalResults = 22; + private Integer pageSize = 10; + + @Before + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } @Test - public void testNoParameterListRequest() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(10)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(10))); + public void testNoParameterListRequest() throws Exception { + + mvc.perform(get(GROUP_URI).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(pageSize))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(pageSize)))); } @Test - public void testCountAs8Returns8Items() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 8) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(8)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(8))); + public void testCountAs8Returns8Items() throws Exception { + Integer count = 8; + + //@formatter:off + mvc.perform(get(GROUP_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", count.toString())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(count))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(count)))); + //@formatter:on } @Test - public void testCount1Returns1Item() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 1) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(1)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(1))); + public void testCount1Returns1Item() throws Exception { + Integer count = 1; + + //@formatter:off + mvc.perform(get(GROUP_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", count.toString())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(count))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(count)))); + //@formatter:on } @Test - public void testCountShouldBeLimitedToTen() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 30) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(10)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(10))); + public void testCountShouldBeLimitedToTen() throws Exception { + Integer count = 30; + + //@formatter:off + mvc.perform(get(GROUP_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", count.toString())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(pageSize))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(pageSize)))); + //@formatter:on } @Test - public void testNegativeCountBecomesZero() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", -10) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(0)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(0))); + public void testNegativeCountBecomesZero() throws Exception { + Integer count = -10; + + //@formatter:off + mvc.perform(get(GROUP_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", count.toString())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(0))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(0)))); + //@formatter:on } @Test - public void testInvalidStartIndex() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("startIndex", 23) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(0)) - .body("startIndex", equalTo(23)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(0))); + public void testInvalidStartIndex() throws Exception { + Integer startIndex = 23; + + //@formatter:off + mvc.perform(get(GROUP_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("startIndex", startIndex.toString())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(0))) + .andExpect(jsonPath("$.startIndex", equalTo(startIndex))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(0)))); + //@formatter:on } @Test - public void testRightEndPagination() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("startIndex", 17) - .param("count", 10) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(6)) - .body("startIndex", equalTo(17)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(6))); + public void testRightEndPagination() throws Exception { + Integer count = 10; + Integer startIndex = 17; + Integer items = totalResults - startIndex + 1; + + //@formatter:off + mvc.perform(get(GROUP_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", count.toString()) + .param("startIndex", startIndex.toString())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(items))) + .andExpect(jsonPath("$.startIndex", equalTo(startIndex))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(items)))); + //@formatter:on } @Test - public void testLastElementPagination() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("startIndex", 22) - .param("count", 2) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(1)) - .body("startIndex", equalTo(22)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(1))); + public void testLastElementPagination() throws Exception { + Integer count = 2; + Integer startIndex = 22; + Integer items = totalResults - startIndex + 1; + + //@formatter:off + mvc.perform(get(GROUP_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", count.toString()) + .param("startIndex", startIndex.toString())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(items))) + .andExpect(jsonPath("$.startIndex", equalTo(startIndex))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(items)))); + //@formatter:on } @Test - public void testFirstElementPagination() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("startIndex", 1) - .param("count", 5) - .when() - .get("/scim/Groups") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(22)) - .body("itemsPerPage", equalTo(5)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(5))); + public void testFirstElementPagination() throws Exception { + Integer count = 5; + Integer startIndex = 1; + + //@formatter:off + mvc.perform(get(GROUP_URI) + .contentType(SCIM_CONTENT_TYPE) + .param("count", count.toString()) + .param("startIndex", startIndex.toString())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.totalResults", equalTo(totalResults))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(count))) + .andExpect(jsonPath("$.startIndex", equalTo(startIndex))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(count)))); + //@formatter:on } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningTests.java index 1dde33cc4..ea5eaba17 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupProvisioningTests.java @@ -1,169 +1,233 @@ package it.infn.mw.iam.test.scim.group; -import static com.jayway.restassured.matcher.ResponseAwareMatcherComposer.and; -import static com.jayway.restassured.matcher.RestAssuredMatchers.endsWithPath; +import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasItems; import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.startsWith; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import java.util.UUID; +import javax.transaction.Transactional; + import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import com.fasterxml.jackson.databind.ObjectMapper; import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.api.scim.model.ScimConstants; import it.infn.mw.iam.api.scim.model.ScimGroup; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimUtils; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@Transactional +@WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) public class ScimGroupProvisioningTests { - public static final String SCIM_CONTENT_TYPE = "application/scim+json"; + @Autowired + private WebApplicationContext context; - private String accessToken; - private ScimRestUtils restUtils; + @Autowired + private ObjectMapper objectMapper; - @BeforeClass - public static void init() { + private final static String GROUP_URI = ScimUtils.getGroupsLocation(); - JacksonUtils.initRestAssured(); - } + private MockMvc mvc; @Before - public void initAccessToken() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write"); - restUtils = ScimRestUtils.getInstance(accessToken); + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); } @Test - public void testGetGroupNotFoundResponse() { + public void testGetGroupNotFoundResponse() throws Exception { String randomUuid = UUID.randomUUID().toString(); - restUtils.doGet("/scim/Groups/" + randomUuid, HttpStatus.NOT_FOUND) - .body("status", equalTo("404")) - .body("detail", equalTo("No group mapped to id '" + randomUuid + "'")) - .contentType(ScimRestUtils.SCIM_CONTENT_TYPE); + mvc.perform(get(GROUP_URI + "/{uuid}", randomUuid).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isNotFound()) + .andExpect(content().contentType(SCIM_CONTENT_TYPE)) + .andExpect(jsonPath("$.status", equalTo("404"))) + .andExpect(jsonPath("$.detail", equalTo("No group mapped to id '" + randomUuid + "'"))); } @Test - public void testUpdateGroupNotFoundResponse() { + public void testUpdateGroupNotFoundResponse() throws Exception { String randomUuid = UUID.randomUUID().toString(); - ScimGroup group = ScimGroup.builder("engineers").id(randomUuid).build(); - restUtils.doPut("/scim/Groups/" + randomUuid, group, HttpStatus.NOT_FOUND) - .body("status", equalTo("404")) - .body("detail", equalTo("No group mapped to id '" + randomUuid + "'")) - .contentType(ScimRestUtils.SCIM_CONTENT_TYPE); + mvc + .perform(put(GROUP_URI + "/{uuid}", randomUuid).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(group))) + .andExpect(status().isNotFound()) + .andExpect(content().contentType(SCIM_CONTENT_TYPE)) + .andExpect(jsonPath("$.status", equalTo("404"))) + .andExpect(jsonPath("$.detail", equalTo("No group mapped to id '" + randomUuid + "'"))); } - @SuppressWarnings("unchecked") @Test - public void testGetExistingGroup() { + public void testGetExistingGroup() throws Exception { // Some existing group as defined in the test db String groupId = "c617d586-54e6-411d-8e38-64967798fa8a"; - restUtils.doGet("/scim/Groups/" + groupId) - .body("id", equalTo(groupId)) - .body("displayName", equalTo("Production")) - .body("meta.resourceType", equalTo("Group")) - .body("meta.location", equalTo("http://localhost:8080/scim/Groups/" + groupId)) - .body("members", hasSize(equalTo(1))) - .body("members[0].$ref", - and(startsWith("http://localhost:8080/scim/Users/"), endsWithPath("members[0].value"))) - .body("schemas", hasItems(ScimGroup.GROUP_SCHEMA, ScimConstants.INDIGO_GROUP_SCHEMA)); - + mvc.perform(get(GROUP_URI + "/{uuid}", groupId).content(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andExpect(content().contentType(SCIM_CONTENT_TYPE)) + .andExpect(jsonPath("$.id", equalTo(groupId))) + .andExpect(jsonPath("$.displayName", equalTo("Production"))) + .andExpect(jsonPath("$.meta.resourceType", equalTo("Group"))) + .andExpect( + jsonPath("$.meta.location", equalTo("http://localhost:8080/scim/Groups/" + groupId))) + .andExpect(jsonPath("$.members", hasSize(equalTo(1)))) + .andExpect(jsonPath("$.members[0].$ref", startsWith("http://localhost:8080/scim/Users/"))) + .andExpect(jsonPath("$.schemas", + hasItems(ScimGroup.GROUP_SCHEMA, ScimConstants.INDIGO_GROUP_SCHEMA))); } @Test - public void testCreateAndDeleteGroupSuccessResponse() { + public void testCreateAndDeleteGroupSuccessResponse() throws Exception { String name = "engineers"; - ScimGroup group = ScimGroup.builder(name).build(); - ScimGroup createdGroup = restUtils.doPost("/scim/Groups/", group).extract().as(ScimGroup.class); - - restUtils.doGet(createdGroup.getMeta().getLocation()).body("displayName", equalTo(name)); - - restUtils.doDelete(createdGroup.getMeta().getLocation(), HttpStatus.NO_CONTENT); + String result = mvc + .perform(post(GROUP_URI).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(group))) + .andExpect(status().isCreated()) + .andReturn() + .getResponse() + .getContentAsString(); + + ScimGroup createdGroup = objectMapper.readValue(result, ScimGroup.class); + + //@formatter:off + mvc.perform(get(createdGroup.getMeta().getLocation())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.displayName", equalTo(name))); + + mvc.perform(delete(createdGroup.getMeta().getLocation())) + .andExpect(status().isNoContent()); + //@formatter:on } @Test - public void testUpdateGroupDisplaynameSuccessResponse() { + public void testUpdateGroupDisplaynameSuccessResponse() throws Exception { ScimGroup requestedGroup = ScimGroup.builder("engineers").build(); - ScimGroup createdGroup = - restUtils.doPost("/scim/Groups/", requestedGroup).extract().as(ScimGroup.class); + String result = mvc + .perform(post(GROUP_URI).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(requestedGroup))) + .andExpect(status().isCreated()) + .andReturn() + .getResponse() + .getContentAsString(); + + ScimGroup createdGroup = objectMapper.readValue(result, ScimGroup.class); requestedGroup = ScimGroup.builder("engineers_updated").build(); - restUtils.doPut(createdGroup.getMeta().getLocation(), requestedGroup).body("displayName", - equalTo(requestedGroup.getDisplayName())); + mvc + .perform(put(createdGroup.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(requestedGroup))) + .andExpect(jsonPath("$.displayName", equalTo(requestedGroup.getDisplayName()))); - restUtils.doDelete(createdGroup.getMeta().getLocation(), HttpStatus.NO_CONTENT); + mvc.perform(delete(createdGroup.getMeta().getLocation())).andExpect(status().isNoContent()); } @Test - public void testCreateGroupEmptyDisplayNameValidationError() { + public void testCreateGroupEmptyDisplayNameValidationError() throws Exception { String displayName = ""; - ScimGroup group = ScimGroup.builder(displayName).build(); - restUtils.doPost("/scim/Groups/", group, HttpStatus.BAD_REQUEST).body("detail", - containsString("scimGroup.displayName : may not be empty")); - + mvc + .perform(post(GROUP_URI).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(group))) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.detail", containsString("scimGroup.displayName : may not be empty"))); } @Test - public void testUpdateGroupEmptyDisplayNameValidationErro() { + public void testUpdateGroupEmptyDisplayNameValidationError() throws Exception { ScimGroup requestedGroup = ScimGroup.builder("engineers").build(); - ScimGroup createdGroup = - restUtils.doPost("/scim/Groups/", requestedGroup).extract().as(ScimGroup.class); + String result = mvc + .perform(post(GROUP_URI).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(requestedGroup))) + .andExpect(status().isCreated()) + .andReturn() + .getResponse() + .getContentAsString(); + + ScimGroup createdGroup = objectMapper.readValue(result, ScimGroup.class); requestedGroup = ScimGroup.builder("").build(); - restUtils.doPut(createdGroup.getMeta().getLocation(), requestedGroup, HttpStatus.BAD_REQUEST); + mvc + .perform(put(createdGroup.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsBytes(requestedGroup))) + .andExpect(status().isBadRequest()); - restUtils.doDelete(createdGroup.getMeta().getLocation(), HttpStatus.NO_CONTENT); + mvc.perform(delete(createdGroup.getMeta().getLocation())).andExpect(status().isNoContent()); } @Test - public void testUpdateGroupAlreadyUsedDisplaynameError() { - - ScimGroup engineers = restUtils.doPost("/scim/Groups/", ScimGroup.builder("engineers").build()) - .extract() - .as(ScimGroup.class); - - ScimGroup artists = restUtils.doPost("/scim/Groups/", ScimGroup.builder("artists").build()) - .extract() - .as(ScimGroup.class); - - restUtils.doPut(engineers.getMeta().getLocation(), ScimGroup.builder("artists").build(), - HttpStatus.CONFLICT); - - restUtils.doDelete(engineers.getMeta().getLocation(), HttpStatus.NO_CONTENT); - restUtils.doDelete(artists.getMeta().getLocation(), HttpStatus.NO_CONTENT); + public void testUpdateGroupAlreadyUsedDisplaynameError() throws Exception { + + String result = mvc + .perform(post(GROUP_URI).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(ScimGroup.builder("engineers").build()))) + .andExpect(status().isCreated()) + .andReturn() + .getResponse() + .getContentAsString(); + ScimGroup engineers = objectMapper.readValue(result, ScimGroup.class); + + result = mvc + .perform(post(GROUP_URI).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(ScimGroup.builder("artists").build()))) + .andExpect(status().isCreated()) + .andReturn() + .getResponse() + .getContentAsString(); + ScimGroup artists = objectMapper.readValue(result, ScimGroup.class); + + mvc + .perform(put(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(ScimGroup.builder("artists").build()))) + .andExpect(status().isConflict()); + + mvc.perform(delete(engineers.getMeta().getLocation())).andExpect(status().isNoContent()); + mvc.perform(delete(artists.getMeta().getLocation())).andExpect(status().isNoContent()); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimNestedGroupTests.java similarity index 68% rename from iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupTests.java rename to iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimNestedGroupTests.java index ed707de15..2c09afbbd 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimGroupTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/ScimNestedGroupTests.java @@ -4,7 +4,9 @@ import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; import static java.lang.String.format; import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; import static org.springframework.http.HttpStatus.BAD_REQUEST; import static org.springframework.http.HttpStatus.NOT_FOUND; import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; @@ -17,7 +19,6 @@ import javax.transaction.Transactional; -import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; @@ -37,23 +38,24 @@ import it.infn.mw.iam.api.scim.model.ScimGroupRef; import it.infn.mw.iam.api.scim.model.ScimIndigoGroup; import it.infn.mw.iam.test.core.CoreControllerTestSupport; -import it.infn.mw.iam.test.util.JacksonUtils; import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) @WebAppConfiguration @Transactional -public class ScimGroupTests { +public class ScimNestedGroupTests { @Autowired private WebApplicationContext context; + @Autowired + private ObjectMapper objectMapper; + @Autowired private ScimResourceLocationProvider scimResourceLocationProvider; private MockMvc mvc; - private ObjectMapper objectMapper; @Before public void setup() { @@ -61,7 +63,6 @@ public void setup() { .apply(springSecurity()) .alwaysDo(print()) .build(); - objectMapper = JacksonUtils.createJacksonObjectMapper(); } @Test @@ -74,7 +75,7 @@ public void testCreateNewChildGroup() throws Exception { ScimGroup mammals = createGroup("mammals", animals); assertNotNull(mammals); - Assert.assertEquals(animals.getId(), mammals.getIndigoGroup().getParentGroup().getValue()); + assertEquals(animals.getId(), mammals.getIndigoGroup().getParentGroup().getValue()); } @Test @@ -167,11 +168,106 @@ public void testGetChildGroup() throws Exception { // @formatter:on } + @Test + @WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) + public void testCreateGroupWithASlashIntoDisplayName() throws Exception { + ScimGroup group = ScimGroup.builder("te/st").build(); + + // @formatter:off + mvc.perform(post("/scim/Groups").contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(group))) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.detail", equalTo("Group displayName cannot contain a slash character"))); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) + public void testCreateTwoGroupsWithSameNameButDifferentParent() throws Exception { + ScimGroup cms = createGroup("cms"); + ScimGroup alice = createGroup("alice"); + + ScimGroup cmsTest = createGroup("test", cms); + assertNotNull(cmsTest); + assertThat(cmsTest.getDisplayName(), equalTo("cms/test")); + + ScimGroup aliceTest = createGroup("test", alice); + assertNotNull(aliceTest); + assertThat(aliceTest.getDisplayName(), equalTo("alice/test")); + } + + @Test + @WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) + public void testCreateTwoGroupsWithSameNameAndSameParent() throws Exception { + ScimGroup cms = createGroup("cms"); + + ScimGroup cmsTest = createGroup("test", cms); + assertNotNull(cmsTest); + assertThat(cmsTest.getDisplayName(), equalTo("cms/test")); + + // @formatter:off + mvc.perform(post("/scim/Groups").contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(buildGroupObject("test", cms)))) + .andExpect(status().isConflict()) + .andExpect(jsonPath("$.detail", equalTo("Duplicated group 'cms/test'"))); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) + public void testCreateGroupWithFullNameTooLong() throws Exception { + String name = "group_with_fifty_characters_name_has_a_long_name_"; + ScimGroup group = createGroup(name); + + for (int i = 0; i < 9; i++) { + group = createGroup(name + i, group); + } + + group = buildGroupObject(name, group); + + // @formatter:off + mvc.perform(post("/scim/Groups").contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(group))) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.detail", equalTo("Group displayName length cannot be higher than 512 characters"))); + // @formatter:on + } + + @Test + @WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) + public void testCreateGroupWithNameTooLong() throws Exception { + ScimGroup group = + buildGroupObject("group_with_name_longer_than_fifty_characters_is_not_allowed", null); + + assertNotNull(group); + + // @formatter:off + mvc.perform(post("/scim/Groups").contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(group))) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.detail", equalTo("Group name length cannot be higher than 50 characters"))); + // @formatter:on + } + private ScimGroup createGroup(String name) throws Exception { return createGroup(name, null); } private ScimGroup createGroup(String name, ScimGroup parent) throws Exception { + ScimGroup group = buildGroupObject(name, parent); + + String response = mvc + .perform(post("/scim/Groups").contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(group))) + .andExpect(status().isCreated()) + .andReturn() + .getResponse() + .getContentAsString(); + + return objectMapper.readValue(response, ScimGroup.class); + } + + private ScimGroup buildGroupObject(String name, ScimGroup parent) { ScimGroup group = ScimGroup.builder(name).build(); if (parent != null) { ScimGroupRef parentGroupRef = ScimGroupRef.builder() @@ -185,16 +281,7 @@ private ScimGroup createGroup(String name, ScimGroup parent) throws Exception { group = ScimGroup.builder(name).indigoGroup(parentIndigoGroup).build(); } - - String response = mvc - .perform(post("/scim/Groups").contentType(SCIM_CONTENT_TYPE) - .content(objectMapper.writeValueAsString(group))) - .andExpect(status().isCreated()) - .andReturn() - .getResponse() - .getContentAsString(); - - return objectMapper.readValue(response, ScimGroup.class); + return group; } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupPatchUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupPatchUtils.java index 6336c2417..e3f588118 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupPatchUtils.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupPatchUtils.java @@ -1,25 +1,118 @@ package it.infn.mw.iam.test.scim.group.patch; +import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasItem; +import static org.junit.Assert.assertThat; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + import java.util.List; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.web.servlet.MockMvc; + +import com.fasterxml.jackson.databind.ObjectMapper; + +import it.infn.mw.iam.api.scim.model.ScimGroup; import it.infn.mw.iam.api.scim.model.ScimGroupPatchRequest; +import it.infn.mw.iam.api.scim.model.ScimResource; import it.infn.mw.iam.api.scim.model.ScimUser; import it.infn.mw.iam.test.TestUtils; +import it.infn.mw.iam.test.scim.ScimUtils; public class ScimGroupPatchUtils { - public static ScimGroupPatchRequest getPatchAddUsersRequest(List users) { + public final static String GROUP_URI = ScimUtils.getGroupsLocation(); + public final static String USER_URI = ScimUtils.getUsersLocation(); + + @Autowired + protected ObjectMapper objectMapper; + + protected MockMvc mvc; + + protected ScimGroupPatchRequest getPatchAddUsersRequest(List users) { return ScimGroupPatchRequest.builder().add(TestUtils.buildScimMemberRefList(users)).build(); } - public static ScimGroupPatchRequest getPatchRemoveUsersRequest(List users) { + protected ScimGroupPatchRequest getPatchRemoveUsersRequest(List users) { return ScimGroupPatchRequest.builder().remove(TestUtils.buildScimMemberRefList(users)).build(); } - public static ScimGroupPatchRequest getPatchReplaceUsersRequest(List users) { + protected ScimGroupPatchRequest getPatchReplaceUsersRequest(List users) { return ScimGroupPatchRequest.builder().replace(TestUtils.buildScimMemberRefList(users)).build(); } + + protected ScimGroup addTestGroup(String displayName) throws Exception { + + ScimGroup group = ScimGroup.builder(displayName).build(); + String result = mvc + .perform(post(GROUP_URI).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(group))) + .andExpect(status().isCreated()) + .andReturn() + .getResponse() + .getContentAsString(); + + return objectMapper.readValue(result, ScimGroup.class); + } + + protected ScimUser addTestUser(String userName, String email, String firstName, String LastName) + throws Exception { + + ScimUser user = + ScimUser.builder(userName).buildEmail(email).buildName(firstName, LastName).build(); + + String result = mvc + .perform(post(USER_URI).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(user))) + .andExpect(status().isCreated()) + .andReturn() + .getResponse() + .getContentAsString(); + + return objectMapper.readValue(result, ScimUser.class); + } + + protected void addMembers(ScimGroup group, List members) throws Exception { + + ScimGroupPatchRequest patchAddReq = getPatchAddUsersRequest(members); + + mvc.perform(patch(group.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchAddReq))).andExpect(status().isNoContent()); + + ScimGroup g = getGroup(group.getMeta().getLocation()); + + assertThat(g.getMembers(), hasItem(TestUtils.getMemberRef(members.get(0)))); + assertThat(g.getMembers(), hasItem(TestUtils.getMemberRef(members.get(1)))); + assertThat(g.getMembers(), hasItem(TestUtils.getMemberRef(members.get(2)))); + } + + protected void assertMembership(ScimUser user, ScimGroup group, boolean isMember) { + + assertThat(group.getMembers().stream().anyMatch(m -> m.getValue().equals(user.getId())), + equalTo(isMember)); + } + + protected ScimGroup getGroup(String location) throws Exception { + String result = mvc.perform(get(location).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + return objectMapper.readValue(result, ScimGroup.class); + } + + protected void deleteScimResource(ScimResource resource) throws Exception { + //@formatter:off + mvc.perform(delete(resource.getMeta().getLocation())) + .andExpect(status().isNoContent()); + //@formatter:on + } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchAddTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchAddTests.java index 065e65793..4107c45d8 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchAddTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchAddTests.java @@ -1,55 +1,58 @@ package it.infn.mw.iam.test.scim.group.patch; +import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasItem; import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertThat; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import java.util.ArrayList; import java.util.List; import org.junit.After; -import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.api.scim.model.ScimGroup; import it.infn.mw.iam.api.scim.model.ScimGroupPatchRequest; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.test.ScimRestUtils; import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -public class ScimGroupProvisioningPatchAddTests { +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) +public class ScimGroupProvisioningPatchAddTests extends ScimGroupPatchUtils { - public static final String SCIM_CONTENT_TYPE = "application/scim+json"; - - private String accessToken; - private ScimRestUtils restUtils; + @Autowired + private WebApplicationContext context; private ScimGroup engineers; - private ScimUser lennon; - private ScimUser lincoln; - - @BeforeClass - public static void init() { - - JacksonUtils.initRestAssured(); - } + private ScimUser lennon, lincoln; @Before - public void initAccessToken() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write"); - restUtils = ScimRestUtils.getInstance(accessToken); + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); engineers = addTestGroup("engineers"); lennon = addTestUser("john_lennon", "lennon@email.test", "John", "Lennon"); @@ -57,100 +60,103 @@ public void initAccessToken() { } @After - public void teardownTests() { - - restUtils.doDelete(lennon.getMeta().getLocation()); - restUtils.doDelete(lincoln.getMeta().getLocation()); - restUtils.doDelete(engineers.getMeta().getLocation()); - } - - private ScimGroup addTestGroup(String displayName) { - - ScimGroup group = ScimGroup.builder(displayName).build(); - - return restUtils.doPost("/scim/Groups/", group).extract().as(ScimGroup.class); - } - - private ScimUser addTestUser(String userName, String email, String firstName, String LastName) { - - ScimUser lennon = - ScimUser.builder(userName).buildEmail(email).buildName(firstName, LastName).build(); - - return restUtils.doPost("/scim/Users/", lennon).extract().as(ScimUser.class); + public void teardown() throws Exception { + deleteScimResource(lennon); + deleteScimResource(lincoln); + deleteScimResource(engineers); } @Test - public void testGroupPatchAddMember() { + public void testGroupPatchAddMember() throws Exception { List members = new ArrayList(); members.add(lennon); - ScimGroupPatchRequest patchReq = ScimGroupPatchUtils.getPatchAddUsersRequest(members); - - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); - - restUtils.doGet(engineers.getMeta().getLocation()) - .body("id", equalTo(engineers.getId())) - .body("displayName", equalTo(engineers.getDisplayName())) - .body("members", hasSize(equalTo(1))) - .body("members[0].display", equalTo(lennon.getDisplayName())) - .body("members[0].value", equalTo(lennon.getId())) - .body("members[0].$ref", equalTo(lennon.getMeta().getLocation())); - + ScimGroupPatchRequest patchReq = getPatchAddUsersRequest(members); + + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on + + mvc.perform(get(engineers.getMeta().getLocation())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.id", equalTo(engineers.getId()))) + .andExpect(jsonPath("$.displayName", equalTo(engineers.getDisplayName()))) + .andExpect(jsonPath("$.members", hasSize(equalTo(1)))) + .andExpect(jsonPath("$.members[0].display", equalTo(lennon.getDisplayName()))) + .andExpect(jsonPath("$.members[0].value", equalTo(lennon.getId()))) + .andExpect(jsonPath("$.members[0].$ref", equalTo(lennon.getMeta().getLocation()))); } @Test - public void testGroupPatchAddMembers() { + public void testGroupPatchAddMembers() throws Exception { List members = new ArrayList(); members.add(lennon); members.add(lincoln); - ScimGroupPatchRequest patchAddReq = ScimGroupPatchUtils.getPatchAddUsersRequest(members); - - restUtils.doPatch(engineers.getMeta().getLocation(), patchAddReq); - - ScimGroup group = restUtils.doGet(engineers.getMeta().getLocation()) - .body("id", equalTo(engineers.getId())) - .body("displayName", equalTo(engineers.getDisplayName())) - .extract() - .as(ScimGroup.class); - - Assert.assertTrue(group.getMembers().size() == 2); - Assert.assertTrue(group.getMembers().contains(TestUtils.getMemberRef(lennon))); - Assert.assertTrue(group.getMembers().contains(TestUtils.getMemberRef(lincoln))); + ScimGroupPatchRequest patchAddReq = getPatchAddUsersRequest(members); + + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchAddReq))) + .andExpect(status().isNoContent()); + //@formatter:on + + String result = + mvc.perform(get(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.id", equalTo(engineers.getId()))) + .andExpect(jsonPath("$.displayName", equalTo(engineers.getDisplayName()))) + .andReturn() + .getResponse() + .getContentAsString(); + + ScimGroup group = objectMapper.readValue(result, ScimGroup.class); + + assertThat(group.getMembers(), hasSize(2)); + assertThat(group.getMembers(), hasItem(TestUtils.getMemberRef(lennon))); + assertThat(group.getMembers(), hasItem(TestUtils.getMemberRef(lincoln))); } @Test - public void testGroupPatchAddMembersWithFakeUser() { + public void testGroupPatchAddMembersWithFakeUser() throws Exception { List members = new ArrayList(); ScimUser ringo = addTestUser("ringo", "mail@domain.com", "Ringo", "Star"); members.add(lennon); members.add(ringo); - restUtils.doDelete(ringo.getMeta().getLocation()); - ScimGroupPatchRequest patchAddReq = ScimGroupPatchUtils.getPatchAddUsersRequest(members); + mvc.perform(delete(ringo.getMeta().getLocation())); + + ScimGroupPatchRequest patchAddReq = getPatchAddUsersRequest(members); - restUtils.doPatch(engineers.getMeta().getLocation(), patchAddReq, HttpStatus.NOT_FOUND); + mvc.perform(patch(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchAddReq))).andExpect(status().isNotFound()); - restUtils.doGet(engineers.getMeta().getLocation()) - .body("id", equalTo(engineers.getId())) - .body("displayName", equalTo(engineers.getDisplayName())) - .body("members", equalTo(null)); + mvc.perform(get(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.id", equalTo(engineers.getId()))) + .andExpect(jsonPath("$.displayName", equalTo(engineers.getDisplayName()))) + .andExpect(jsonPath("$.members").doesNotExist()); } @Test - public void testGroupPatchAddEmptyMembersList() { + public void testGroupPatchAddEmptyMembersList() throws Exception { - ScimGroupPatchRequest patchAddReq = - ScimGroupPatchUtils.getPatchAddUsersRequest(new ArrayList()); + ScimGroupPatchRequest patchAddReq = getPatchAddUsersRequest(new ArrayList()); - restUtils.doPatch(engineers.getMeta().getLocation(), patchAddReq); + mvc.perform(patch(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchAddReq))).andExpect(status().isNoContent()); - restUtils.doGet(engineers.getMeta().getLocation()) - .body("id", equalTo(engineers.getId())) - .body("displayName", equalTo(engineers.getDisplayName())) - .body("members", equalTo(null)); + mvc.perform(get(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.id", equalTo(engineers.getId()))) + .andExpect(jsonPath("$.displayName", equalTo(engineers.getDisplayName()))) + .andExpect(jsonPath("$.members").doesNotExist()); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchRemoveTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchRemoveTests.java index 7c4745dfc..5681e905d 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchRemoveTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchRemoveTests.java @@ -1,23 +1,28 @@ package it.infn.mw.iam.test.scim.group.patch; +import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; +import static org.hamcrest.Matchers.empty; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.lessThan; import static org.junit.Assert.assertThat; -import static org.junit.Assert.assertTrue; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import java.util.ArrayList; import java.util.List; -import org.joda.time.format.DateTimeFormatter; -import org.joda.time.format.ISODateTimeFormat; import org.junit.After; -import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import com.google.common.collect.Lists; @@ -25,39 +30,29 @@ import it.infn.mw.iam.api.scim.model.ScimGroup; import it.infn.mw.iam.api.scim.model.ScimGroupPatchRequest; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -public class ScimGroupProvisioningPatchRemoveTests { +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) +public class ScimGroupProvisioningPatchRemoveTests extends ScimGroupPatchUtils { - private final DateTimeFormatter dateTimeFormatter = ISODateTimeFormat.dateTime(); - public static final String SCIM_CONTENT_TYPE = "application/scim+json"; - - private String accessToken; - private ScimRestUtils restUtils; + @Autowired + private WebApplicationContext context; private ScimGroup engineers; - private ScimUser lennon; - private ScimUser lincoln; - private ScimUser kennedy; + private ScimUser lennon, lincoln, kennedy; List members; - @BeforeClass - public static void init() { - - JacksonUtils.initRestAssured(); - } - @Before - public void initTests() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write"); - restUtils = ScimRestUtils.getInstance(accessToken); + public void initTests() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); engineers = addTestGroup("engineers"); lennon = addTestUser("john_lennon", "lennon@email.test", "John", "Lennon"); @@ -73,57 +68,18 @@ public void initTests() { } @After - public void teardownTests() { - - restUtils.doDelete(lennon.getMeta().getLocation()); - restUtils.doDelete(lincoln.getMeta().getLocation()); - restUtils.doDelete(kennedy.getMeta().getLocation()); - restUtils.doDelete(engineers.getMeta().getLocation()); - } - - private ScimGroup addTestGroup(String displayName) { - - ScimGroup group = ScimGroup.builder(displayName).build(); - - return restUtils.doPost("/scim/Groups/", group).extract().as(ScimGroup.class); - } - - private ScimUser addTestUser(String userName, String email, String firstName, String LastName) { - - ScimUser lennon = - ScimUser.builder(userName).buildEmail(email).buildName(firstName, LastName).build(); - - return restUtils.doPost("/scim/Users/", lennon).extract().as(ScimUser.class); - } - - private void addMembers(ScimGroup group, List members) { - - ScimGroupPatchRequest patchAddReq = ScimGroupPatchUtils.getPatchAddUsersRequest(members); - - restUtils.doPatch(group.getMeta().getLocation(), patchAddReq); - - ScimGroup g = getGroup(group.getMeta().getLocation()); - - Assert.assertTrue(g.getMembers().contains(TestUtils.getMemberRef(members.get(0)))); - Assert.assertTrue(g.getMembers().contains(TestUtils.getMemberRef(members.get(1)))); - Assert.assertTrue(g.getMembers().contains(TestUtils.getMemberRef(members.get(2)))); - } - - private void assertMembership(ScimUser user, ScimGroup group, boolean isMember) { - - assertThat(group.getMembers().stream().anyMatch(m -> m.getValue().equals(user.getId())), - equalTo(isMember)); - } - - private ScimGroup getGroup(String location) { - return restUtils.doGet(location).extract().as(ScimGroup.class); + public void teardownTests() throws Exception { + deleteScimResource(lennon); + deleteScimResource(lincoln); + deleteScimResource(kennedy); + deleteScimResource(engineers); } @Test - public void testGroupPatchRemoveMember() { + public void testGroupPatchRemoveMember() throws Exception { ScimGroupPatchRequest patchRemoveRequest = - ScimGroupPatchUtils.getPatchRemoveUsersRequest(Lists.newArrayList(lennon)); + getPatchRemoveUsersRequest(Lists.newArrayList(lennon)); ScimGroup engineersBeforeUpdate = getGroup(engineers.getMeta().getLocation()); @@ -137,7 +93,12 @@ public void testGroupPatchRemoveMember() { } catch (InterruptedException e) { } - restUtils.doPatch(engineers.getMeta().getLocation(), patchRemoveRequest); + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchRemoveRequest))) + .andExpect(status().isNoContent()); + //@formatter:on ScimGroup engineersAfterUpdate = getGroup(engineers.getMeta().getLocation()); @@ -149,21 +110,24 @@ public void testGroupPatchRemoveMember() { final long dateBeforeUpdate = engineersBeforeUpdate.getMeta().getLastModified().getTime(); final long dateAfterUpdate = engineersAfterUpdate.getMeta().getLastModified().getTime(); - assertTrue(dateBeforeUpdate < dateAfterUpdate); - + assertThat(dateBeforeUpdate, lessThan(dateAfterUpdate)); } @Test - public void testGroupPatchRemoveMultipleMembers() { + public void testGroupPatchRemoveMultipleMembers() throws Exception { List membersToRemove = new ArrayList(); membersToRemove.add(lennon); membersToRemove.add(lincoln); - ScimGroupPatchRequest patchReq = - ScimGroupPatchUtils.getPatchRemoveUsersRequest(membersToRemove); + ScimGroupPatchRequest patchReq = getPatchRemoveUsersRequest(membersToRemove); - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on ScimGroup updatedGroup = getGroup(engineers.getMeta().getLocation()); @@ -173,17 +137,21 @@ public void testGroupPatchRemoveMultipleMembers() { } @Test - public void testGroupPatchRemoveAllListOfMembers() { + public void testGroupPatchRemoveAllListOfMembers() throws Exception { List membersToRemove = new ArrayList(); membersToRemove.add(lennon); membersToRemove.add(lincoln); membersToRemove.add(kennedy); - ScimGroupPatchRequest patchReq = - ScimGroupPatchUtils.getPatchRemoveUsersRequest(membersToRemove); + ScimGroupPatchRequest patchReq = getPatchRemoveUsersRequest(membersToRemove); - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on ScimGroup updatedGroup = getGroup(engineers.getMeta().getLocation()); @@ -191,30 +159,43 @@ public void testGroupPatchRemoveAllListOfMembers() { } @Test - public void testGroupPatchRemoveAllMembers() { + public void testGroupPatchRemoveAllMembers() throws Exception { List emptyMembers = new ArrayList(); + ScimGroupPatchRequest patchReq = getPatchRemoveUsersRequest(emptyMembers); - ScimGroupPatchRequest patchReq = ScimGroupPatchUtils.getPatchRemoveUsersRequest(emptyMembers); - - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on ScimGroup updatedGroup = getGroup(engineers.getMeta().getLocation()); - - Assert.assertTrue(updatedGroup.getMembers().isEmpty()); + assertThat(updatedGroup.getMembers(), empty()); } @Test - public void testGroupPatchRemoveMemberTwice() { + public void testGroupPatchRemoveMemberTwice() throws Exception { ScimGroupPatchRequest patchRemoveRequest = - ScimGroupPatchUtils.getPatchRemoveUsersRequest(Lists.newArrayList(lennon)); + getPatchRemoveUsersRequest(Lists.newArrayList(lennon)); - restUtils.doPatch(engineers.getMeta().getLocation(), patchRemoveRequest); + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchRemoveRequest))) + .andExpect(status().isNoContent()); + //@formatter:on ScimGroup engineersBeforeUpdate = getGroup(engineers.getMeta().getLocation()); - restUtils.doPatch(engineers.getMeta().getLocation(), patchRemoveRequest); + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchRemoveRequest))) + .andExpect(status().isNoContent()); + //@formatter:on ScimGroup engineersAfterUpdate = getGroup(engineers.getMeta().getLocation()); @@ -223,5 +204,4 @@ public void testGroupPatchRemoveMemberTwice() { assertThat(engineersBeforeUpdate.getMeta().getLastModified(), equalTo(engineersAfterUpdate.getMeta().getLastModified())); } - } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchReplaceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchReplaceTests.java index f430460f9..1e31c4517 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchReplaceTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/group/patch/ScimGroupProvisioningPatchReplaceTests.java @@ -1,55 +1,58 @@ package it.infn.mw.iam.test.scim.group.patch; +import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; +import static org.hamcrest.Matchers.empty; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasItem; import static org.hamcrest.Matchers.hasSize; import static org.junit.Assert.assertThat; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import java.util.ArrayList; import java.util.List; import org.junit.After; -import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.api.scim.model.ScimGroup; import it.infn.mw.iam.api.scim.model.ScimGroupPatchRequest; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.test.ScimRestUtils; import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -public class ScimGroupProvisioningPatchReplaceTests { +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) +public class ScimGroupProvisioningPatchReplaceTests extends ScimGroupPatchUtils { - public static final String SCIM_CONTENT_TYPE = "application/scim+json"; - - private String accessToken; - private ScimRestUtils restUtils; + @Autowired + private WebApplicationContext context; private ScimGroup engineers; - private ScimUser lennon; - private ScimUser lincoln; - - @BeforeClass - public static void init() { - - JacksonUtils.initRestAssured(); - } + private ScimUser lennon, lincoln; @Before - public void initAccessToken() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write"); - restUtils = ScimRestUtils.getInstance(accessToken); + public void initTests() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); engineers = addTestGroup("engineers"); lennon = addTestUser("john_lennon", "lennon@email.test", "John", "Lennon"); @@ -57,99 +60,128 @@ public void initAccessToken() { } @After - public void teardownTests() { - - restUtils.doDelete(lennon.getMeta().getLocation()); - restUtils.doDelete(lincoln.getMeta().getLocation()); - restUtils.doDelete(engineers.getMeta().getLocation()); - } - - private ScimGroup addTestGroup(String displayName) { - - ScimGroup group = ScimGroup.builder(displayName).build(); - - return restUtils.doPost("/scim/Groups/", group).extract().as(ScimGroup.class); - } - - private ScimUser addTestUser(String userName, String email, String firstName, String LastName) { - - ScimUser lennon = - ScimUser.builder(userName).buildEmail(email).buildName(firstName, LastName).build(); - - return restUtils.doPost("/scim/Users/", lennon).extract().as(ScimUser.class); + public void teardownTests() throws Exception { + deleteScimResource(lennon); + deleteScimResource(lincoln); + deleteScimResource(engineers); } @Test - public void testGroupPatchReplaceMember() { + public void testGroupPatchReplaceMember() throws Exception { List members = new ArrayList(); members.add(lennon); - ScimGroupPatchRequest patchReq = ScimGroupPatchUtils.getPatchAddUsersRequest(members); + ScimGroupPatchRequest patchReq = getPatchAddUsersRequest(members); - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on - restUtils.doGet(engineers.getMeta().getLocation()) - .body("id", equalTo(engineers.getId())) - .body("displayName", equalTo(engineers.getDisplayName())) - .body("members", hasSize(equalTo(1))) - .body("members[0].display", equalTo(lennon.getDisplayName())) - .body("members[0].value", equalTo(lennon.getId())) - .body("members[0].$ref", equalTo(lennon.getMeta().getLocation())); + mvc.perform(get(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.id", equalTo(engineers.getId()))) + .andExpect(jsonPath("$.displayName", equalTo(engineers.getDisplayName()))) + .andExpect(jsonPath("$.members", hasSize(equalTo(1)))) + .andExpect(jsonPath("$.members[0].display", equalTo(lennon.getDisplayName()))) + .andExpect(jsonPath("$.members[0].value", equalTo(lennon.getId()))) + .andExpect(jsonPath("$.members[0].$ref", equalTo(lennon.getMeta().getLocation()))); members.remove(lennon); members.add(lincoln); - patchReq = ScimGroupPatchUtils.getPatchReplaceUsersRequest(members); - - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); - - ScimGroup updatedGroup = - restUtils.doGet(engineers.getMeta().getLocation()).extract().as(ScimGroup.class); - - Assert.assertTrue(updatedGroup.getMembers().size() == 1); - Assert.assertTrue(updatedGroup.getMembers().contains(TestUtils.getMemberRef(lincoln))); + patchReq = getPatchReplaceUsersRequest(members); + + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on + + String result = + mvc.perform(get(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + + ScimGroup updatedGroup = objectMapper.readValue(result, ScimGroup.class); + + assertThat(updatedGroup.getMembers(), hasSize(1)); + assertThat(updatedGroup.getMembers(), hasItem(TestUtils.getMemberRef(lincoln))); } @Test - public void testGroupPatchReplaceSameMember() { + public void testGroupPatchReplaceSameMember() throws Exception { List members = new ArrayList(); members.add(lennon); - ScimGroupPatchRequest patchReq = ScimGroupPatchUtils.getPatchAddUsersRequest(members); - - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); - - restUtils.doGet(engineers.getMeta().getLocation()) - .body("id", equalTo(engineers.getId())) - .body("displayName", equalTo(engineers.getDisplayName())) - .body("members", hasSize(equalTo(1))) - .body("members[0].display", equalTo(lennon.getDisplayName())) - .body("members[0].value", equalTo(lennon.getId())) - .body("members[0].$ref", equalTo(lennon.getMeta().getLocation())); + ScimGroupPatchRequest patchReq = getPatchAddUsersRequest(members); + + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on + + mvc.perform(get(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.id", equalTo(engineers.getId()))) + .andExpect(jsonPath("$.displayName", equalTo(engineers.getDisplayName()))) + .andExpect(jsonPath("$.members", hasSize(equalTo(1)))) + .andExpect(jsonPath("$.members[0].display", equalTo(lennon.getDisplayName()))) + .andExpect(jsonPath("$.members[0].value", equalTo(lennon.getId()))) + .andExpect(jsonPath("$.members[0].$ref", equalTo(lennon.getMeta().getLocation()))); + + patchReq = getPatchReplaceUsersRequest(members); + + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on + + String result = + mvc.perform(get(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + + ScimGroup updatedGroup = objectMapper.readValue(result, ScimGroup.class); + + assertThat(updatedGroup.getMembers(), hasSize(1)); + assertThat(updatedGroup.getMembers(), hasItem(TestUtils.getMemberRef(lennon))); + } - patchReq = ScimGroupPatchUtils.getPatchReplaceUsersRequest(members); + @Test + public void testGroupPatchReplaceWithEmptyMemberList() throws Exception { - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); + List members = new ArrayList(); + ScimGroupPatchRequest patchReq = getPatchReplaceUsersRequest(members); - ScimGroup updatedGroup = - restUtils.doGet(engineers.getMeta().getLocation()).extract().as(ScimGroup.class); + //@formatter:off + mvc.perform(patch(engineers.getMeta().getLocation()) + .contentType(SCIM_CONTENT_TYPE) + .content(objectMapper.writeValueAsString(patchReq))) + .andExpect(status().isNoContent()); + //@formatter:on - Assert.assertTrue(updatedGroup.getMembers().size() == 1); - Assert.assertTrue(updatedGroup.getMembers().contains(TestUtils.getMemberRef(lennon))); - } + String result = + mvc.perform(get(engineers.getMeta().getLocation()).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); - @Test - public void testGroupPatchReplaceWithEmptyMemberList() { + ScimGroup updatedGroup = objectMapper.readValue(result, ScimGroup.class); - List members = new ArrayList(); - ScimGroupPatchRequest patchReq = ScimGroupPatchUtils.getPatchReplaceUsersRequest(members); - - restUtils.doPatch(engineers.getMeta().getLocation(), patchReq); - - ScimGroup updatedGroup = - restUtils.doGet(engineers.getMeta().getLocation()).extract().as(ScimGroup.class); - assertThat(updatedGroup.getMembers().isEmpty(), equalTo(true)); - + assertThat(updatedGroup.getMembers(), empty()); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/ScimMeEndpointTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/ScimMeEndpointTests.java index 55fce260b..f595ddf70 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/ScimMeEndpointTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/ScimMeEndpointTests.java @@ -1,69 +1,69 @@ package it.infn.mw.iam.test.scim.me; -import static com.jayway.restassured.RestAssured.given; import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; -import static it.infn.mw.iam.test.TestUtils.clientCredentialsTokenGetter; -import static it.infn.mw.iam.test.TestUtils.passwordTokenGetter; import static org.hamcrest.Matchers.equalTo; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import javax.transaction.Transactional; + +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@Transactional public class ScimMeEndpointTests { + private final static String ME_ENDPOINT = "/scim/Me"; - @Test - public void meEndpointUserInfo() { - - String accessToken = - passwordTokenGetter().username("test").password("password").getAccessToken(); + @Autowired + private WebApplicationContext context; - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .when() - .get("/scim/Me") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()); + private MockMvc mvc; + @Before + public void setup() throws Exception { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); } @Test - public void meEndpointFailsForClientWithoutUser() { + @WithMockOAuthUser(clientId = "password-grant", user = "test", authorities = {"ROLE_USER"}, + scopes = {"openid", "profile"}) + public void meEndpointUserInfo() throws Exception { + //@formatter:off + mvc.perform(get(ME_ENDPOINT) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()); + //@formatter:on + } - String accessToken = clientCredentialsTokenGetter("registration-client", "secret").getAccessToken(); - // TBD: the test that fails with + @Test + @WithMockOAuthUser(clientId = "registration-client", scopes = {"scim:read"}) + public void meEndpointFailsForClientWithoutUser() throws Exception { - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .when() - .get("/scim/Me") - .then() - .log() - .all(true) - .statusCode(HttpStatus.BAD_REQUEST.value()) - .body("status", equalTo("400")) - .body("detail", equalTo("No user linked to the current OAuth token")); + mvc.perform(get(ME_ENDPOINT).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.status", equalTo("400"))) + .andExpect(jsonPath("$.detail", equalTo("No user linked to the current OAuth token"))); } - } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchAddTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchAddTests.java index 1160dd0d4..94451ee4a 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchAddTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchAddTests.java @@ -1,289 +1,154 @@ package it.infn.mw.iam.test.scim.me.patch; -import static it.infn.mw.iam.test.TestUtils.passwordTokenGetter; +import static it.infn.mw.iam.api.scim.model.ScimPatchOperation.ScimPatchOperationType.add; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertThat; -import org.junit.After; -import org.junit.Assert; -import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; - -import com.jayway.restassured.response.ValidatableResponse; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.transaction.annotation.Transactional; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.api.scim.model.ScimEmail; -import it.infn.mw.iam.api.scim.model.ScimName; import it.infn.mw.iam.api.scim.model.ScimOidcId; -import it.infn.mw.iam.api.scim.model.ScimPhoto; import it.infn.mw.iam.api.scim.model.ScimSamlId; import it.infn.mw.iam.api.scim.model.ScimSshKey; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; import it.infn.mw.iam.api.scim.model.ScimX509Certificate; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.test.SshKeyUtils; +import it.infn.mw.iam.test.X509Utils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -public class ScimMeEndpointPatchAddTests { - - private ScimRestUtils adminRestUtils; - private ScimRestUtils userRestUtils; - - private final String TESTUSER_USERNAME = "patchAddUser"; - private final String TESTUSER_PASSWORD = "password"; - private final ScimEmail TESTUSER_EMAIL = - ScimEmail.builder().email("john.lennon@liverpool.uk").build(); - private final ScimName TESTUSER_NAME = - ScimName.builder().givenName("John").familyName("Lennon").build(); - private final ScimPhoto TESTUSER_PHOTO = - ScimPhoto.builder().value("http://site.org/user.png").build(); - - private ScimUser testUser; - - @BeforeClass - public static void init() { - - JacksonUtils.initRestAssured(); - } - - @Before - public void testSetup() { - - adminRestUtils = ScimRestUtils - .getInstance(TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write")); - - testUser = adminRestUtils - .doPost("/scim/Users/", - ScimUser.builder() - .active(true) - .userName(TESTUSER_USERNAME) - .password(TESTUSER_PASSWORD) - .addEmail(TESTUSER_EMAIL) - .name(TESTUSER_NAME) - .addPhoto(TESTUSER_PHOTO) - .build()) - .extract() - .as(ScimUser.class); - - userRestUtils = ScimRestUtils.getInstance(passwordTokenGetter().username(TESTUSER_USERNAME) - .password(TESTUSER_PASSWORD) - .getAccessToken()); - } - - @After - public void testTeardown() { - - adminRestUtils.doDelete(testUser.getMeta().getLocation()); - } - - private ScimUser doGet() { - - return userRestUtils.doGet("/scim/Me").extract().as(ScimUser.class); - } - - private ValidatableResponse doPatch(ScimUserPatchRequest patchRequest) { - - return doPatch(patchRequest, HttpStatus.NO_CONTENT); - } - - private ValidatableResponse doPatch(ScimUserPatchRequest patchRequest, HttpStatus expectedHttpStatus) { - - return userRestUtils.doPatch("/scim/Me", patchRequest, expectedHttpStatus); - } - - @Test - public void testPatchGivenAndFamilyName() { - - ScimName name = ScimName.builder().givenName("John").familyName("Kennedy").build(); - - ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().add(ScimUser.builder().name(name).build()).build(); - - doPatch(patchRequest); - - ScimName updatedName = doGet().getName(); - - Assert.assertTrue(updatedName.equals(name)); - } - - @Test - public void testPatchNameNoUpdates() { - - ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().add(ScimUser.builder().name(TESTUSER_NAME).build()).build(); - - doPatch(patchRequest); - - ScimName updatedName = doGet().getName(); - - Assert.assertTrue(updatedName.equals(TESTUSER_NAME)); - } - - @Test - public void testPatchPicture() { +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +@WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}) +@Transactional +public class ScimMeEndpointPatchAddTests extends ScimMeEndpointUtils { - final ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .add(ScimUser.builder().addPhoto(TESTUSER_PHOTO).build()) - .build(); + final static String TEST_USERNAME = "test_103"; - doPatch(patchRequest); - - ScimPhoto updatedPhoto = doGet().getPhotos().get(0); - - Assert.assertTrue(updatedPhoto.equals(TESTUSER_PHOTO)); - } + @Autowired + private ScimRestUtilsMvc scimUtils; @Test - public void testPatchPictureNoUpdates() { + public void testPatchGivenAndFamilyName() throws Exception { - ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .add(ScimUser.builder().addPhoto(TESTUSER_PHOTO).build()) - .build(); + ScimUser updates = ScimUser.builder().name(TESTUSER_NEWNAME).build(); - doPatch(patchRequest); - doPatch(patchRequest); + scimUtils.patchMe(add, updates); - ScimPhoto updatedPhoto = doGet().getPhotos().get(0); + ScimUser userAfter = scimUtils.getMe(); - Assert.assertTrue(updatedPhoto.equals(TESTUSER_PHOTO)); + assertThat(userAfter.getName().getGivenName(), equalTo(updates.getName().getGivenName())); + assertThat(userAfter.getName().getFamilyName(), equalTo(updates.getName().getFamilyName())); } @Test - public void testPatchEmail() { - - final ScimEmail email = ScimEmail.builder().email("john.kennedy@washington.us").build(); + public void testPatchPicture() throws Exception { - final ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().add(ScimUser.builder().addEmail(email).build()).build(); + ScimUser updates = ScimUser.builder().addPhoto(TESTUSER_NEWPHOTO).build(); - doPatch(patchRequest); + scimUtils.patchMe(add, updates); - ScimEmail updatedEmail = doGet().getEmails().get(0); + ScimUser userAfter = scimUtils.getMe(); - Assert.assertTrue(updatedEmail.equals(email)); + assertThat(userAfter.getPhotos(), hasSize(equalTo(1))); + assertThat(userAfter.getPhotos().get(0), equalTo(TESTUSER_NEWPHOTO)); } @Test - public void testPatchEmailNoUpdates() { + public void testPatchEmail() throws Exception { - final ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .add(ScimUser.builder().addEmail(TESTUSER_EMAIL).build()) - .build(); + ScimUser updates = ScimUser.builder().addEmail(TESTUSER_NEWEMAIL).build(); - doPatch(patchRequest); + scimUtils.patchMe(add, updates); - ScimEmail updatedEmail = doGet().getEmails().get(0); + ScimUser userAfter = scimUtils.getMe(); - Assert.assertTrue(updatedEmail.equals(TESTUSER_EMAIL)); + assertThat(userAfter.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL)); } @Test - public void testPatchAll() { - - final ScimName NEW_NAME = ScimName.builder().givenName("John").familyName("Kennedy").build(); - final ScimEmail NEW_EMAIL = ScimEmail.builder().email("john.kennedy@washington.us").build(); - final ScimPhoto NEW_PHOTO = - ScimPhoto.builder().value("http://notarealurl.com/image.jpg").build(); - - final ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .add(ScimUser.builder().name(NEW_NAME).addEmail(NEW_EMAIL).addPhoto(NEW_PHOTO).build()) - .build(); - - doPatch(patchRequest); + public void testPatchMultiple() throws Exception { - ScimUser updatedUser = doGet(); - - Assert.assertTrue(updatedUser.getName().equals(NEW_NAME)); - Assert.assertTrue(updatedUser.getPhotos().get(0).equals(NEW_PHOTO)); - Assert.assertTrue(updatedUser.getEmails().get(0).equals(NEW_EMAIL)); - } - - @Test - public void testPatchAllNoUpdates() { - - final ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .add(ScimUser.builder() - .name(TESTUSER_NAME) - .addEmail(TESTUSER_EMAIL) - .addPhoto(TESTUSER_PHOTO) - .build()) + final ScimUser updates = ScimUser.builder() + .name(TESTUSER_NEWNAME) + .addEmail(TESTUSER_NEWEMAIL) + .addPhoto(TESTUSER_NEWPHOTO) .build(); - doPatch(patchRequest); + scimUtils.patchMe(add, updates); - ScimUser updatedUser = doGet(); - - Assert.assertTrue(updatedUser.getName().equals(TESTUSER_NAME)); - Assert.assertTrue(updatedUser.getPhotos().get(0).equals(TESTUSER_PHOTO)); - Assert.assertTrue(updatedUser.getEmails().get(0).equals(TESTUSER_EMAIL)); + ScimUser userAfter = scimUtils.getMe(); + assertThat(userAfter.getName().getGivenName(), equalTo(updates.getName().getGivenName())); + assertThat(userAfter.getName().getFamilyName(), equalTo(updates.getName().getFamilyName())); + assertThat(userAfter.getPhotos(), hasSize(equalTo(1))); + assertThat(userAfter.getPhotos().get(0), equalTo(TESTUSER_NEWPHOTO)); + assertThat(userAfter.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL)); } @Test - public void testPatchPasswordNotSupported() { + public void testPatchPasswordNotSupported() throws Exception { final String NEW_PASSWORD = "newpassword"; - ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .add(ScimUser.builder().password(NEW_PASSWORD).build()) - .build(); + ScimUser updates = ScimUser.builder().password(NEW_PASSWORD).build(); - doPatch(patchRequest, HttpStatus.BAD_REQUEST); + scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); } @Test - public void testPatchAddOidcIdNotSupported() { + public void testPatchAddOidcIdNotSupported() throws Exception { ScimOidcId NEW_TESTUSER_OIDCID = ScimOidcId.builder().issuer("new_test_issuer").subject("new_user_subject").build(); - ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().add(ScimUser.builder().addOidcId(NEW_TESTUSER_OIDCID).build()).build(); + ScimUser updates = ScimUser.builder().addOidcId(NEW_TESTUSER_OIDCID).build(); - doPatch(patchRequest, HttpStatus.BAD_REQUEST); + scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); } @Test - public void testPatchAddSamlIdNotSupported() { + public void testPatchAddSamlIdNotSupported() throws Exception { - ScimSamlId TESTUSER_SAMLID = - ScimSamlId.builder().idpId("AA").userId("BB").build(); + ScimSamlId TESTUSER_SAMLID = ScimSamlId.builder().idpId("AA").userId("BB").build(); - ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().add(ScimUser.builder().addSamlId(TESTUSER_SAMLID).build()).build(); + ScimUser updates = ScimUser.builder().addSamlId(TESTUSER_SAMLID).build(); - doPatch(patchRequest, HttpStatus.BAD_REQUEST); + scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); } @Test - public void testPatchAddSsHKeyNotSupported() { + public void testPatchAddSsHKeyNotSupported() throws Exception { ScimSshKey NEW_SSH_KEY = - ScimSshKey.builder().display("ssh-key").value(TestUtils.sshKeys.get(0).key).build(); + ScimSshKey.builder().display("ssh-key").value(SshKeyUtils.sshKeys.get(0).key).build(); - ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().add(ScimUser.builder().addSshKey(NEW_SSH_KEY).build()).build(); + ScimUser updates = ScimUser.builder().addSshKey(NEW_SSH_KEY).build(); - doPatch(patchRequest, HttpStatus.BAD_REQUEST); + scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); } @Test - public void testPatchAddX509CertificateNotSupported() { + public void testPatchAddX509CertificateNotSupported() throws Exception { - ScimX509Certificate NEW_X509_CERT = - ScimX509Certificate.builder().display("x509-cert").value(TestUtils.x509Certs.get(0).certificate).build(); + ScimX509Certificate NEW_X509_CERT = ScimX509Certificate.builder() + .display("x509-cert") + .pemEncodedCertificate(X509Utils.x509Certs.get(0).certificate) + .build(); - ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().add(ScimUser.builder().addX509Certificate(NEW_X509_CERT).build()).build(); + ScimUser updates = ScimUser.builder().addX509Certificate(NEW_X509_CERT).build(); - doPatch(patchRequest, HttpStatus.BAD_REQUEST); + scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchRemoveTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchRemoveTests.java index 76f399d89..c6ff74920 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchRemoveTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchRemoveTests.java @@ -1,147 +1,98 @@ package it.infn.mw.iam.test.scim.me.patch; -import static it.infn.mw.iam.test.TestUtils.passwordTokenGetter; +import static it.infn.mw.iam.api.scim.model.ScimPatchOperation.ScimPatchOperationType.remove; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; import static org.junit.Assert.assertThat; -import org.junit.After; -import org.junit.Assert; +import java.util.List; + import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.transaction.annotation.Transactional; + +import com.google.common.collect.Lists; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.api.scim.model.ScimEmail; -import it.infn.mw.iam.api.scim.model.ScimName; import it.infn.mw.iam.api.scim.model.ScimOidcId; +import it.infn.mw.iam.api.scim.model.ScimPatchOperation; import it.infn.mw.iam.api.scim.model.ScimPhoto; import it.infn.mw.iam.api.scim.model.ScimSamlId; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.api.scim.provisioning.ScimUserProvisioning; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +@WithMockOAuthUser(user = "test_104", authorities = {"ROLE_USER"}) +@Transactional public class ScimMeEndpointPatchRemoveTests { - private ScimRestUtils userRestUtils; - private ScimRestUtils adminRestUtils; - private ScimUser testUser; - - final String TESTUSER_USERNAME = "patchRemoveUser"; - final String TESTUSER_PASSWORD = "password"; - final ScimName TESTUSER_NAME = ScimName.builder().givenName("John").familyName("Lennon").build(); - final ScimEmail TESTUSER_EMAIL = ScimEmail.builder().email("john.lennon@liverpool.uk").build(); - final ScimPhoto TESTUSER_PHOTO = ScimPhoto.builder().value("http://site.org/user.png").build(); - final ScimOidcId TESTUSER_OIDCID = - ScimOidcId.builder().issuer("OIDC_ID_ISSUER").subject("OIDC_ID_SUBJECT").build(); - final ScimSamlId TESTUSER_SAMLID = - ScimSamlId.builder().idpId("SAML_ID_IDP").userId("SAML_ID_USER").build(); - - @BeforeClass - public static void init() { - - JacksonUtils.initRestAssured(); - } + @Autowired + private ScimRestUtilsMvc scimUtils; + @Autowired + private ScimUserProvisioning provider; @Before - public void testSetup() { - - adminRestUtils = ScimRestUtils - .getInstance(TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write")); - - testUser = adminRestUtils - .doPost("/scim/Users/", - ScimUser.builder() - .active(true) - .userName(TESTUSER_USERNAME) - .password(TESTUSER_PASSWORD) - .addEmail(TESTUSER_EMAIL) - .name(TESTUSER_NAME) - .addOidcId(TESTUSER_OIDCID) - .addSamlId(TESTUSER_SAMLID) - .build()) - .extract() - .as(ScimUser.class); - - userRestUtils = ScimRestUtils.getInstance(passwordTokenGetter().username(TESTUSER_USERNAME) - .password(TESTUSER_PASSWORD) - .getAccessToken()); - } + public void init() throws Exception { - @After - public void testTeardown() { + String uuid = scimUtils.getMe().getId(); - adminRestUtils.doDelete(testUser.getMeta().getLocation()); - } - - private ScimUser doGet() { + ScimUser updates = ScimUser.builder() + .buildPhoto("http://site.org/user.png") + .buildOidcId("ISS", "SUB") + .buildSamlId("IDP", "UID") + .build(); - return userRestUtils.doGet("/scim/Me").extract().as(ScimUser.class); - } + List> operations = Lists.newArrayList(); - private void doPatch(ScimUserPatchRequest patchRequest) { + operations.add(new ScimPatchOperation.Builder().add().value(updates).build()); - userRestUtils.doPatch("/scim/Me", patchRequest); + provider.update(uuid, operations); } @Test - public void testPatchRemovePicture() { - - final ScimUserPatchRequest patchAddRequest = ScimUserPatchRequest.builder() - .add(ScimUser.builder().addPhoto(TESTUSER_PHOTO).build()) - .build(); - - doPatch(patchAddRequest); - - ScimPhoto updatedPhoto = doGet().getPhotos().get(0); + public void testPatchRemovePicture() throws Exception { - Assert.assertTrue(updatedPhoto.equals(TESTUSER_PHOTO)); + ScimPhoto currentPhoto = scimUtils.getMe().getPhotos().get(0); - ScimUserPatchRequest patchRemoveRequest = ScimUserPatchRequest.builder() - .remove(ScimUser.builder().addPhoto(TESTUSER_PHOTO).build()) - .build(); - - doPatch(patchRemoveRequest); + ScimUser updates = ScimUser.builder().addPhoto(currentPhoto).build(); - ScimUser updatedUser = doGet(); + scimUtils.patchMe(remove, updates); - Assert.assertFalse(updatedUser.hasPhotos()); + assertThat(scimUtils.getMe().hasPhotos(), equalTo(false)); } @Test - public void testPatchRemoveOidcId() { + public void testPatchRemoveOidcId() throws Exception { - final ScimUserPatchRequest patchRemoveRequest = ScimUserPatchRequest.builder() - .remove(ScimUser.builder().addOidcId(TESTUSER_OIDCID).build()) - .build(); + ScimOidcId currentOidcId = scimUtils.getMe().getIndigoUser().getOidcIds().get(0); - doPatch(patchRemoveRequest); + ScimUser updates = ScimUser.builder().addOidcId(currentOidcId).build(); - ScimUser updatedUser = doGet(); + scimUtils.patchMe(remove, updates); - assertThat(updatedUser.hasOidcIds(), equalTo(false)); + assertThat(scimUtils.getMe().getIndigoUser().getOidcIds(), hasSize(equalTo(0))); } @Test - public void testPatchRemoveSamlId() { + public void testPatchRemoveSamlId() throws Exception { - final ScimUserPatchRequest patchRemoveRequest = ScimUserPatchRequest.builder() - .remove(ScimUser.builder().addSamlId(TESTUSER_SAMLID).build()) - .build(); + ScimSamlId currentSamlId = scimUtils.getMe().getIndigoUser().getSamlIds().get(0); - doPatch(patchRemoveRequest); + ScimUser updates = ScimUser.builder().addSamlId(currentSamlId).build(); - ScimUser updatedUser = doGet(); + scimUtils.patchMe(remove, updates); - assertThat(updatedUser.hasSamlIds(), equalTo(false)); + assertThat(scimUtils.getMe().getIndigoUser().getSamlIds(), hasSize(equalTo(0))); } - } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchReplaceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchReplaceTests.java index b3e5f471b..faa3abf86 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchReplaceTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchReplaceTests.java @@ -1,267 +1,156 @@ package it.infn.mw.iam.test.scim.me.patch; -import static it.infn.mw.iam.test.TestUtils.passwordTokenGetter; -import static org.hamcrest.CoreMatchers.containsString; +import static it.infn.mw.iam.api.scim.model.ScimPatchOperation.ScimPatchOperationType.replace; +import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; + +import java.util.List; -import org.junit.After; -import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.transaction.annotation.Transactional; + +import com.google.common.collect.Lists; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.api.scim.model.ScimEmail; -import it.infn.mw.iam.api.scim.model.ScimName; +import it.infn.mw.iam.api.scim.model.ScimPatchOperation; import it.infn.mw.iam.api.scim.model.ScimPhoto; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.api.scim.provisioning.ScimUserProvisioning; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -public class ScimMeEndpointPatchReplaceTests { - - private ScimRestUtils adminRestUtils; - private ScimRestUtils userRestUtils; - private ScimUser testUser; - - final String ANOTHERUSER_USERNAME = "test"; - final ScimEmail ANOTHERUSER_EMAIL = ScimEmail.builder().email("test@iam.test").build(); - - final String TESTUSER_USERNAME = "patchReplaceUser"; - final String TESTUSER_PASSWORD = "password"; - final ScimName TESTUSER_NAME = ScimName.builder().givenName("John").familyName("Lennon").build(); - final ScimEmail TESTUSER_EMAIL = ScimEmail.builder().email("john.lennon@liverpool.uk").build(); - final ScimPhoto TESTUSER_PHOTO = ScimPhoto.builder().value("http://site.org/user.png").build(); - - @BeforeClass - public static void init() { - - JacksonUtils.initRestAssured(); - } +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +@Transactional +@WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"}) +public class ScimMeEndpointPatchReplaceTests extends ScimMeEndpointUtils { + + @Autowired + private ScimRestUtilsMvc scimUtils; + @Autowired + private ScimUserProvisioning provider; @Before - public void testSetup() { - - adminRestUtils = ScimRestUtils - .getInstance(TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write")); - - testUser = adminRestUtils - .doPost("/scim/Users/", - ScimUser.builder() - .active(true) - .userName(TESTUSER_USERNAME) - .password(TESTUSER_PASSWORD) - .addEmail(TESTUSER_EMAIL) - .name(TESTUSER_NAME) - .addPhoto(TESTUSER_PHOTO) - .build()) - .extract().as(ScimUser.class); - - userRestUtils = ScimRestUtils.getInstance(passwordTokenGetter().username(TESTUSER_USERNAME) - .password(TESTUSER_PASSWORD) - .getAccessToken()); - } - - @After - public void testTeardown() { + public void init() throws Exception { - adminRestUtils.doDelete(testUser.getMeta().getLocation()); - } - - private ScimUser doGet() { + String uuid = scimUtils.getMe().getId(); - return userRestUtils.doGet("/scim/Me").extract().as(ScimUser.class); - } - - private void doPatch(ScimUserPatchRequest patchRequest) { - - userRestUtils.doPatch("/scim/Me", patchRequest); - } - - @Test - @Ignore - public void testPatchReplacePassword() { - - final String NEW_PASSWORD = "newpassword"; - - ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .replace(ScimUser.builder().password(NEW_PASSWORD).build()) + ScimUser updates = ScimUser.builder() + .buildPhoto("http://site.org/user.png") + .addOidcId(TESTUSER_OIDCID) + .addSamlId(TESTUSER_SAMLID) + .addX509Certificate(TESTUSER_X509CERT) + .addSshKey(TESTUSER_SSHKEY) .build(); - doPatch(patchRequest); - - // Verify that password has been changed - passwordTokenGetter().username(TESTUSER_USERNAME).password(NEW_PASSWORD).getAccessToken(); + List> operations = Lists.newArrayList(); + operations.add(new ScimPatchOperation.Builder().add().value(updates).build()); + provider.update(uuid, operations); } @Test - @Ignore - public void testPatchReplacePasswordNoUpdates() { - - ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .replace(ScimUser.builder().password(TESTUSER_PASSWORD).build()) - .build(); - - doPatch(patchRequest); + public void testPatchReplacePasswordNotSupported() throws Exception { - passwordTokenGetter().username(TESTUSER_USERNAME).password(TESTUSER_PASSWORD).getAccessToken(); - } - - @Test - public void testPatchReplaceGivenAndFamilyName() { - - ScimName name = - ScimName.builder().givenName("John").familyName("Kennedy").build(); - - ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().replace(ScimUser.builder().name(name).build()).build(); - - doPatch(patchRequest); + final String NEW_PASSWORD = "newpassword"; - ScimName updatedName = doGet().getName(); + ScimUser updates = ScimUser.builder().password(NEW_PASSWORD).build(); - Assert.assertTrue(updatedName.equals(name)); + scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST); } @Test - public void testPatchReplaceNameNoUpdates() { + public void testPatchReplaceGivenAndFamilyName() throws Exception { - ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .replace(ScimUser.builder().name(TESTUSER_NAME).build()) - .build(); + ScimUser updates = ScimUser.builder().name(TESTUSER_NEWNAME).build(); - doPatch(patchRequest); + scimUtils.patchMe(replace, updates); - ScimName updatedName = doGet().getName(); + ScimUser userAfter = scimUtils.getMe(); - Assert.assertTrue(updatedName.equals(TESTUSER_NAME)); + assertThat(userAfter.getName().getGivenName(), equalTo(updates.getName().getGivenName())); + assertThat(userAfter.getName().getFamilyName(), equalTo(updates.getName().getFamilyName())); } @Test - public void testPatchReplacePicture() { - final ScimPhoto newPhoto = ScimPhoto.builder().value("http://site.org/user2.png").build(); + public void testPatchReplacePicture() throws Exception { - final ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().add(ScimUser.builder().addPhoto(newPhoto).build()).build(); + ScimUser updates = ScimUser.builder().addPhoto(TESTUSER_NEWPHOTO).build(); - doPatch(patchRequest); + scimUtils.patchMe(replace, updates); - ScimPhoto updatedPhoto = doGet().getPhotos().get(0); + ScimPhoto updatedPhoto = scimUtils.getMe().getPhotos().get(0); - Assert.assertTrue(updatedPhoto.equals(newPhoto)); + assertThat(updatedPhoto, equalTo(TESTUSER_NEWPHOTO)); } @Test - public void testPatchReplacePictureNoUpdates() { - ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .replace(ScimUser.builder().addPhoto(TESTUSER_PHOTO).build()) - .build(); + public void testPatchReplaceEmail() throws Exception { - doPatch(patchRequest); + ScimUser updates = ScimUser.builder().addEmail(TESTUSER_NEWEMAIL).build(); - ScimPhoto updatedPhoto = doGet().getPhotos().get(0); + scimUtils.patchMe(replace, updates); - Assert.assertTrue(updatedPhoto.equals(TESTUSER_PHOTO)); + ScimUser updatedUser = scimUtils.getMe(); + + assertThat(updatedUser.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL)); } @Test - public void testPatchReplaceEmail() { - - final ScimEmail email = ScimEmail.builder().email("john.kennedy@washington.us").build(); - - final ScimUserPatchRequest patchRequest = - ScimUserPatchRequest.builder().replace(ScimUser.builder().addEmail(email).build()).build(); + public void testPatchReplaceAlreadyUsedEmail() throws Exception { - doPatch(patchRequest); + ScimUser updates = ScimUser.builder().addEmail(ANOTHERUSER_EMAIL).build(); - ScimEmail updatedEmail = doGet().getEmails().get(0); - - Assert.assertTrue(updatedEmail.equals(email)); + scimUtils.patchMe(replace, updates, HttpStatus.CONFLICT) + .andExpect(jsonPath("$.detail", containsString("already bound to another user"))); } @Test - public void testPatchReplaceAlreadyUsedEmail() { + public void testPatchReplaceOidcIdNotSupported() throws Exception { - final ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .replace(ScimUser.builder().addEmail(ANOTHERUSER_EMAIL).build()) - .build(); + ScimUser updates = ScimUser.builder().addOidcId(TESTUSER_OIDCID).build(); - userRestUtils.doPatch(testUser.getMeta().getLocation(), patchRequest, HttpStatus.CONFLICT) - .body("status", equalTo("409")) - .body("detail", containsString("already bound to another user")); + scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST) + .andExpect(jsonPath("$.detail", containsString("replace operation not supported"))); } @Test - public void testPatchReplaceEmailNoUpdates() { - - final ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .replace(ScimUser.builder().addEmail(TESTUSER_EMAIL).build()) - .build(); - - doPatch(patchRequest); + public void testPatchReplaceSamlIdNotSupported() throws Exception { - ScimEmail updatedEmail = doGet().getEmails().get(0); + ScimUser updates = ScimUser.builder().addSamlId(TESTUSER_SAMLID).build(); - Assert.assertTrue(updatedEmail.equals(TESTUSER_EMAIL)); + scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST) + .andExpect(jsonPath("$.detail", containsString("replace operation not supported"))); } @Test - public void testPatchReplaceAll() { - - final ScimName NEW_NAME = - ScimName.builder().givenName("John").familyName("Kennedy").build(); + public void testPatchReplaceX509CertificateNotSupported() throws Exception { - final ScimEmail NEW_EMAIL = ScimEmail.builder().email("john.kennedy@washington.us").build(); - final ScimPhoto NEW_PHOTO = - ScimPhoto.builder().value("http://notarealurl.com/image.jpg").build(); + ScimUser updates = ScimUser.builder().addX509Certificate(TESTUSER_X509CERT).build(); - final ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .replace(ScimUser.builder() - .name(NEW_NAME) - .addEmail(NEW_EMAIL) - .addPhoto(NEW_PHOTO) - .build()) - .build(); - - doPatch(patchRequest); - - ScimUser updatedUser = doGet(); - - Assert.assertTrue(updatedUser.getName().equals(NEW_NAME)); - Assert.assertTrue(updatedUser.getPhotos().get(0).equals(NEW_PHOTO)); - Assert.assertTrue(updatedUser.getEmails().get(0).equals(NEW_EMAIL)); + scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST) + .andExpect(jsonPath("$.detail", containsString("replace operation not supported"))); } @Test - public void testPatchReplaceAllNoUpdates() { - - final ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() - .replace(ScimUser.builder() - .name(TESTUSER_NAME) - .addEmail(TESTUSER_EMAIL) - .addPhoto(TESTUSER_PHOTO) - .build()) - .build(); - - doPatch(patchRequest); + public void testPatchReplaceSshKeyNotSupported() throws Exception { - ScimUser updatedUser = doGet(); + ScimUser updates = ScimUser.builder().addSshKey(TESTUSER_SSHKEY).build(); - Assert.assertTrue(updatedUser.getName().equals(TESTUSER_NAME)); - Assert.assertTrue(updatedUser.getPhotos().get(0).equals(TESTUSER_PHOTO)); - Assert.assertTrue(updatedUser.getEmails().get(0).equals(TESTUSER_EMAIL)); + scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST) + .andExpect(jsonPath("$.detail", containsString("replace operation not supported"))); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointUtils.java new file mode 100644 index 000000000..c116c856b --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointUtils.java @@ -0,0 +1,42 @@ +package it.infn.mw.iam.test.scim.me.patch; + +import static it.infn.mw.iam.test.SshKeyUtils.sshKeys; +import static it.infn.mw.iam.test.X509Utils.x509Certs; + +import it.infn.mw.iam.api.scim.model.ScimEmail; +import it.infn.mw.iam.api.scim.model.ScimName; +import it.infn.mw.iam.api.scim.model.ScimOidcId; +import it.infn.mw.iam.api.scim.model.ScimPhoto; +import it.infn.mw.iam.api.scim.model.ScimSamlId; +import it.infn.mw.iam.api.scim.model.ScimSshKey; +import it.infn.mw.iam.api.scim.model.ScimX509Certificate; + +public class ScimMeEndpointUtils { + + protected final ScimName TESTUSER_NEWNAME = + ScimName.builder().givenName("A").familyName("B").build(); + + protected final ScimPhoto TESTUSER_NEWPHOTO = + ScimPhoto.builder().value("http://fakesite.org/user.png").build(); + + protected final ScimEmail TESTUSER_NEWEMAIL = + ScimEmail.builder().email("fakeemail@iam.test").build(); + + protected final ScimEmail ANOTHERUSER_EMAIL = + ScimEmail.builder().email("test-100@test.org").build(); + + protected final ScimOidcId TESTUSER_OIDCID = + ScimOidcId.builder().issuer("ISS").subject("SUB").build(); + + protected final ScimSamlId TESTUSER_SAMLID = + ScimSamlId.builder().idpId("IDP").userId("UID").build(); + + protected final ScimSshKey TESTUSER_SSHKEY = + ScimSshKey.builder().display("KEY").value(sshKeys.get(0).key).primary(true).build(); + + protected final ScimX509Certificate TESTUSER_X509CERT = ScimX509Certificate.builder() + .display(x509Certs.get(0).display) + .pemEncodedCertificate(x509Certs.get(0).certificate) + .primary(true) + .build(); +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/AccountUpdatersTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/AccountUpdatersTests.java index c0b8548c1..05f33e8ab 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/AccountUpdatersTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/AccountUpdatersTests.java @@ -7,6 +7,7 @@ import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.is; import static org.junit.Assert.assertThat; +import static org.mockito.Matchers.anyObject; import static org.mockito.Matchers.anyString; import java.util.Optional; @@ -32,6 +33,7 @@ import it.infn.mw.iam.api.scim.updater.builders.Removers; import it.infn.mw.iam.api.scim.updater.builders.Replacers; import it.infn.mw.iam.api.scim.updater.util.CollectionHelpers; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamGroup; import it.infn.mw.iam.persistence.model.IamOidcId; @@ -40,9 +42,10 @@ import it.infn.mw.iam.persistence.model.IamUserInfo; import it.infn.mw.iam.persistence.model.IamX509Certificate; import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.test.ext_authn.x509.X509TestSupport; @RunWith(MockitoJUnitRunner.class) -public class AccountUpdatersTests { +public class AccountUpdatersTests extends X509TestSupport { public static final String OLD = "old"; public static final String NEW = "new"; @@ -50,15 +53,15 @@ public class AccountUpdatersTests { public static final IamOidcId OLD_OIDC_ID = new IamOidcId(OLD, OLD); public static final IamOidcId NEW_OIDC_ID = new IamOidcId(NEW, NEW); - public static final IamSamlId OLD_SAML_ID = new IamSamlId(OLD, OLD); - public static final IamSamlId NEW_SAML_ID = new IamSamlId(NEW, NEW); + public static final IamSamlId OLD_SAML_ID = + new IamSamlId(OLD, Saml2Attribute.EPUID.getAttributeName(), OLD); + + public static final IamSamlId NEW_SAML_ID = + new IamSamlId(NEW, Saml2Attribute.EPUID.getAttributeName(), NEW); public static final IamSshKey OLD_SSHKEY = new IamSshKey(OLD); public static final IamSshKey NEW_SSHKEY = new IamSshKey(NEW); - public static final IamX509Certificate OLD_X509_CERT = new IamX509Certificate(OLD); - public static final IamX509Certificate NEW_X509_CERT = new IamX509Certificate(NEW); - @Mock IamAccountRepository repo; @@ -104,13 +107,13 @@ public void before() { Mockito.when(repo.findByOidcId(anyString(), anyString())).thenReturn(Optional.empty()); - Mockito.when(repo.findBySamlId(anyString(), anyString())).thenReturn(Optional.empty()); + Mockito.when(repo.findBySamlId(anyObject())).thenReturn(Optional.empty()); Mockito.when(repo.findByEmail(anyString())).thenReturn(Optional.empty()); Mockito.when(repo.findBySshKeyValue(anyString())).thenReturn(Optional.empty()); - Mockito.when(repo.findByCertificate(anyString())).thenReturn(Optional.empty()); + Mockito.when(repo.findByCertificateSubject(anyString())).thenReturn(Optional.empty()); } private void repoBindOidcIdToAccount(IamOidcId id, IamAccount a) { @@ -120,7 +123,7 @@ private void repoBindOidcIdToAccount(IamOidcId id, IamAccount a) { private void repoBindSamlIdToAccount(IamSamlId id, IamAccount a) { - Mockito.when(repo.findBySamlId(id.getIdpId(), id.getUserId())).thenReturn(Optional.of(a)); + Mockito.when(repo.findBySamlId(id)).thenReturn(Optional.of(a)); } private void repoBindEmailToAccount(String email, IamAccount a) { @@ -135,23 +138,16 @@ private void repoBindSshKeyToAccount(IamSshKey key, IamAccount a) { private void repoBindX509CertificateToAccount(IamX509Certificate cert, IamAccount a) { - Mockito.when(repo.findByCertificate(cert.getCertificate())).thenReturn(Optional.of(a)); + Mockito.when(repo.findByCertificateSubject(cert.getSubjectDn())).thenReturn(Optional.of(a)); } @Test public void testCollectionHelperNotNullOrEmpty() { - new CollectionHelpers(); assertThat(CollectionHelpers.notNullOrEmpty(Lists.newArrayList()), equalTo(false)); assertThat(CollectionHelpers.notNullOrEmpty(null), equalTo(false)); } - @Test - public void testUpdatersClass() { - - new AccountUpdaters(); - } - @Test public void testUpdaterType() { @@ -660,23 +656,23 @@ public void testSshKeyRemoverWorksWithNullAndDuplicatesValues() { @Test public void testX509CertificateAdderWorks() { - Updater u = adder().x509Certificate(Lists.newArrayList(NEW_X509_CERT)); + Updater u = adder().x509Certificate(Lists.newArrayList(TEST_0_IAM_X509_CERT)); assertThat(u.update(), is(true)); assertThat(u.update(), is(false)); assertThat(account.getX509Certificates(), hasSize(1)); - assertThat(account.getX509Certificates(), hasItems(NEW_X509_CERT)); + assertThat(account.getX509Certificates(), hasItems(TEST_0_IAM_X509_CERT)); } @Test public void testX509CertificateAdderWorksWithNoUpdate() { - account.getX509Certificates().add(NEW_X509_CERT); - repoBindX509CertificateToAccount(NEW_X509_CERT, account); + account.getX509Certificates().add(TEST_0_IAM_X509_CERT); + repoBindX509CertificateToAccount(TEST_0_IAM_X509_CERT, account); - Updater u = adder().x509Certificate(Lists.newArrayList(NEW_X509_CERT)); + Updater u = adder().x509Certificate(Lists.newArrayList(TEST_0_IAM_X509_CERT)); assertThat(u.update(), is(false)); @@ -685,84 +681,85 @@ public void testX509CertificateAdderWorksWithNoUpdate() { @Test(expected = ScimResourceExistsException.class) public void testX509CertificateAdderFailsWhenX509CertificateIsLinkedToAnotherAccount() { - repoBindX509CertificateToAccount(NEW_X509_CERT, other); - adder().x509Certificate(Lists.newArrayList(NEW_X509_CERT)).update(); + repoBindX509CertificateToAccount(TEST_0_IAM_X509_CERT, other); + adder().x509Certificate(Lists.newArrayList(TEST_0_IAM_X509_CERT)).update(); } @Test public void testX509CertificateAdderWorksWithUpdate() { - repoBindX509CertificateToAccount(NEW_X509_CERT, account); + repoBindX509CertificateToAccount(TEST_0_IAM_X509_CERT, account); - Updater u = adder().x509Certificate(newArrayList(NEW_X509_CERT, OLD_X509_CERT)); + Updater u = adder().x509Certificate(newArrayList(TEST_0_IAM_X509_CERT, TEST_1_IAM_X509_CERT)); assertThat(u.update(), is(true)); assertThat(account.getX509Certificates(), hasSize(2)); - assertThat(account.getX509Certificates(), hasItems(NEW_X509_CERT, OLD_X509_CERT)); + assertThat(account.getX509Certificates(), hasItems(TEST_0_IAM_X509_CERT, TEST_1_IAM_X509_CERT)); - repoBindX509CertificateToAccount(OLD_X509_CERT, account); + repoBindX509CertificateToAccount(TEST_1_IAM_X509_CERT, account); assertThat(u.update(), is(false)); assertThat(account.getX509Certificates(), hasSize(2)); - assertThat(account.getX509Certificates(), hasItems(NEW_X509_CERT, OLD_X509_CERT)); + assertThat(account.getX509Certificates(), hasItems(TEST_0_IAM_X509_CERT, TEST_1_IAM_X509_CERT)); } @Test public void testX509CertificateAdderWorksWithListContainingNull() { - account.getX509Certificates().add(NEW_X509_CERT); - repoBindX509CertificateToAccount(NEW_X509_CERT, account); + account.getX509Certificates().add(TEST_0_IAM_X509_CERT); + repoBindX509CertificateToAccount(TEST_0_IAM_X509_CERT, account); - Updater u = adder().x509Certificate(newArrayList(NEW_X509_CERT, null)); + Updater u = adder().x509Certificate(newArrayList(TEST_0_IAM_X509_CERT, null)); assertThat(u.update(), is(false)); assertThat(account.getX509Certificates(), hasSize(1)); - assertThat(account.getX509Certificates(), hasItems(NEW_X509_CERT)); + assertThat(account.getX509Certificates(), hasItems(TEST_0_IAM_X509_CERT)); } @Test public void testX509CertificateAdderWorksWithListContainingDuplicates() { - account.getX509Certificates().add(NEW_X509_CERT); - repoBindX509CertificateToAccount(NEW_X509_CERT, account); + account.getX509Certificates().add(TEST_0_IAM_X509_CERT); + repoBindX509CertificateToAccount(TEST_0_IAM_X509_CERT, account); - Updater u = adder().x509Certificate(newArrayList(NEW_X509_CERT, NEW_X509_CERT, OLD_X509_CERT)); + Updater u = adder().x509Certificate( + newArrayList(TEST_0_IAM_X509_CERT, TEST_0_IAM_X509_CERT, TEST_1_IAM_X509_CERT)); assertThat(u.update(), is(true)); assertThat(account.getX509Certificates(), hasSize(2)); - assertThat(account.getX509Certificates(), hasItems(NEW_X509_CERT, OLD_X509_CERT)); + assertThat(account.getX509Certificates(), hasItems(TEST_0_IAM_X509_CERT, TEST_1_IAM_X509_CERT)); } @Test public void testX509CertificateRemoverWorks() { - account.getX509Certificates().add(NEW_X509_CERT); - repoBindX509CertificateToAccount(NEW_X509_CERT, account); + account.getX509Certificates().add(TEST_0_IAM_X509_CERT); + repoBindX509CertificateToAccount(TEST_0_IAM_X509_CERT, account); - Updater u = removers().x509Certificate(newArrayList(NEW_X509_CERT)); + Updater u = removers().x509Certificate(newArrayList(TEST_0_IAM_X509_CERT)); assertThat(u.update(), is(true)); assertThat(account.getX509Certificates(), hasSize(0)); } @Test public void testX509CertificateRemoverWorksWithNoUpdate() { - account.getX509Certificates().add(NEW_X509_CERT); - repoBindX509CertificateToAccount(NEW_X509_CERT, account); + account.getX509Certificates().add(TEST_0_IAM_X509_CERT); + repoBindX509CertificateToAccount(TEST_0_IAM_X509_CERT, account); - Updater u = removers().x509Certificate(newArrayList(OLD_X509_CERT)); + Updater u = removers().x509Certificate(newArrayList(TEST_1_IAM_X509_CERT)); assertThat(u.update(), is(false)); assertThat(account.getX509Certificates(), hasSize(1)); - assertThat(account.getX509Certificates(), hasItems(NEW_X509_CERT)); + assertThat(account.getX509Certificates(), hasItems(TEST_0_IAM_X509_CERT)); } @Test public void testX509CertificateRemoverNoUpdateWithEmptyList() { - Updater u = removers().x509Certificate(newArrayList(OLD_X509_CERT)); + Updater u = removers().x509Certificate(newArrayList(TEST_1_IAM_X509_CERT)); assertThat(u.update(), is(false)); assertThat(account.getX509Certificates(), hasSize(0)); @@ -779,10 +776,10 @@ public void testX509CertificateRemoverNoUpdateWithEmptyList2() { @Test public void testX509CertificateRemoverWorksWithMultipleValues() { - account.getX509Certificates().add(NEW_X509_CERT); - account.getX509Certificates().add(OLD_X509_CERT); + account.getX509Certificates().add(TEST_0_IAM_X509_CERT); + account.getX509Certificates().add(TEST_1_IAM_X509_CERT); - Updater u = removers().x509Certificate(newArrayList(NEW_X509_CERT, OLD_X509_CERT)); + Updater u = removers().x509Certificate(newArrayList(TEST_0_IAM_X509_CERT, TEST_1_IAM_X509_CERT)); assertThat(u.update(), is(true)); assertThat(account.getX509Certificates(), hasSize(0)); @@ -790,10 +787,10 @@ public void testX509CertificateRemoverWorksWithMultipleValues() { @Test public void testX509CertificateRemoverWorksWithNullAndDuplicatesValues() { - account.getX509Certificates().add(NEW_X509_CERT); + account.getX509Certificates().add(TEST_0_IAM_X509_CERT); Updater u = - removers().x509Certificate(newArrayList(NEW_X509_CERT, OLD_X509_CERT, null, OLD_X509_CERT)); + removers().x509Certificate(newArrayList(TEST_0_IAM_X509_CERT, TEST_1_IAM_X509_CERT, null, TEST_1_IAM_X509_CERT)); assertThat(u.update(), is(true)); assertThat(account.getX509Certificates(), hasSize(0)); diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/factory/DefaultAccountUpdaterFactoryTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/factory/DefaultAccountUpdaterFactoryTests.java index 002fb39bc..7d793b32a 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/factory/DefaultAccountUpdaterFactoryTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/factory/DefaultAccountUpdaterFactoryTests.java @@ -3,12 +3,10 @@ import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_OIDC_ID; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_SAML_ID; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_SSH_KEY; -import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_ADD_X509_CERTIFICATE; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_OIDC_ID; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_PICTURE; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_SAML_ID; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_SSH_KEY; -import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REMOVE_X509_CERTIFICATE; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_ACTIVE; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_EMAIL; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_FAMILY_NAME; @@ -16,10 +14,13 @@ import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_PASSWORD; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_PICTURE; import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_USERNAME; -import static it.infn.mw.iam.test.TestUtils.x509Certs; +import static it.infn.mw.iam.authn.saml.util.Saml2Attribute.EPUID; +import static it.infn.mw.iam.test.X509Utils.x509Certs; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.isIn; import static org.junit.Assert.assertThat; +import static org.mockito.Matchers.anyObject; import static org.mockito.Mockito.when; import java.util.List; @@ -47,16 +48,16 @@ import it.infn.mw.iam.api.scim.model.ScimSshKey; import it.infn.mw.iam.api.scim.model.ScimUser; import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; -import it.infn.mw.iam.api.scim.model.ScimX509Certificate; import it.infn.mw.iam.api.scim.updater.AccountUpdater; import it.infn.mw.iam.api.scim.updater.UpdaterType; import it.infn.mw.iam.api.scim.updater.factory.DefaultAccountUpdaterFactory; +import it.infn.mw.iam.authn.saml.util.Saml2Attribute; +import it.infn.mw.iam.authn.x509.PEMX509CertificateChainParser; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamOidcId; import it.infn.mw.iam.persistence.model.IamSamlId; import it.infn.mw.iam.persistence.model.IamSshKey; import it.infn.mw.iam.persistence.model.IamUserInfo; -import it.infn.mw.iam.persistence.model.IamX509Certificate; import it.infn.mw.iam.persistence.repository.IamAccountRepository; import it.infn.mw.iam.test.util.JacksonUtils; @@ -88,7 +89,8 @@ private IamAccount newAccount(String username) { OidcIdConverter oidcConverter = new OidcIdConverter(); SamlIdConverter samlConverter = new SamlIdConverter(); SshKeyConverter sshKeyConverter = new SshKeyConverter(); - X509CertificateConverter x509Converter = new X509CertificateConverter(); + X509CertificateConverter x509Converter = + new X509CertificateConverter(new PEMX509CertificateChainParser()); DefaultAccountUpdaterFactory factory; @@ -192,11 +194,10 @@ public void testSshKeyPatchAddOpParsing() { @Test public void testPatchAddOpMultipleParsing() { - List expectedUpdatersType = - Lists.newArrayList(ACCOUNT_REPLACE_GIVEN_NAME, ACCOUNT_REPLACE_FAMILY_NAME, - ACCOUNT_REPLACE_EMAIL, ACCOUNT_REPLACE_PASSWORD, ACCOUNT_REPLACE_USERNAME, - ACCOUNT_REPLACE_ACTIVE, ACCOUNT_REPLACE_PICTURE, ACCOUNT_ADD_OIDC_ID, - ACCOUNT_ADD_SAML_ID, ACCOUNT_ADD_SSH_KEY, ACCOUNT_ADD_X509_CERTIFICATE); + List expectedUpdatersType = Lists.newArrayList(ACCOUNT_REPLACE_GIVEN_NAME, + ACCOUNT_REPLACE_FAMILY_NAME, ACCOUNT_REPLACE_EMAIL, ACCOUNT_REPLACE_PASSWORD, + ACCOUNT_REPLACE_USERNAME, ACCOUNT_REPLACE_ACTIVE, ACCOUNT_REPLACE_PICTURE, + ACCOUNT_ADD_OIDC_ID, ACCOUNT_ADD_SAML_ID, ACCOUNT_ADD_SSH_KEY); IamAccount account = newAccount(OLD); @@ -208,10 +209,13 @@ public void testPatchAddOpMultipleParsing() { account.setPassword(OLD); account.getUserInfo().setEmail(OLD); + IamSamlId newSamlId = new IamSamlId(NEW, Saml2Attribute.EPUID.getAttributeName(), NEW); + when(repo.findByUsername(NEW)).thenReturn(Optional.empty()); when(repo.findByEmail(NEW)).thenReturn(Optional.empty()); when(repo.findByOidcId(NEW, NEW)).thenReturn(Optional.empty()); - when(repo.findBySamlId(NEW, NEW)).thenReturn(Optional.empty()); + + when(repo.findBySamlId(anyObject())).thenReturn(Optional.empty()); when(repo.findBySshKeyValue(NEW)).thenReturn(Optional.empty()); when(repo.findByCertificate(x509Certs.get(0).certificate)).thenReturn(Optional.empty()); @@ -223,9 +227,9 @@ public void testPatchAddOpMultipleParsing() { .buildEmail(NEW) .password(NEW) .addOidcId(ScimOidcId.builder().issuer(NEW).subject(NEW).build()) - .addSamlId(ScimSamlId.builder().idpId(NEW).userId(NEW).build()) + .addSamlId( + ScimSamlId.builder().idpId(NEW).userId(NEW).attributeId(EPUID.getAttributeName()).build()) .addSshKey(ScimSshKey.builder().value(NEW).build()) - .addX509Certificate(ScimX509Certificate.builder().value(x509Certs.get(0).certificate).build()) .build(); ScimUserPatchRequest req = ScimUserPatchRequest.builder().add(user).build(); @@ -248,10 +252,9 @@ public void testPatchAddOpMultipleParsing() { assertThat(account.getUserInfo().getEmail(), equalTo(NEW)); assertThat(encoder.matches(NEW, account.getPassword()), equalTo(true)); assertThat(account.getOidcIds().get(0), equalTo(new IamOidcId(NEW, NEW))); - assertThat(account.getSamlIds().get(0), equalTo(new IamSamlId(NEW, NEW))); + assertThat(account.getSamlIds().get(0), equalTo(newSamlId)); + assertThat(account.getSshKeys().get(0), equalTo(new IamSshKey(NEW))); - assertThat(account.getX509Certificates().get(0), - equalTo(new IamX509Certificate(x509Certs.get(0).certificate))); } @@ -308,27 +311,27 @@ public void testPatchReplaceOpMultipleParsing() { @Test public void testPatchRemoveOpMultipleParsing() { - List expectedUpdatersType = Lists.newArrayList(ACCOUNT_REMOVE_OIDC_ID, - ACCOUNT_REMOVE_SAML_ID, ACCOUNT_REMOVE_SSH_KEY, ACCOUNT_REMOVE_X509_CERTIFICATE); + List expectedUpdatersType = + Lists.newArrayList(ACCOUNT_REMOVE_OIDC_ID, ACCOUNT_REMOVE_SAML_ID, ACCOUNT_REMOVE_SSH_KEY); IamAccount account = newAccount(OLD); account.setOidcIds(Lists.newArrayList(new IamOidcId(OLD, OLD))); - account.setSamlIds(Lists.newArrayList(new IamSamlId(OLD, OLD))); + account.setSamlIds( + Lists.newArrayList(new IamSamlId(OLD, Saml2Attribute.EPUID.getAttributeName(), OLD))); account.setSshKeys(Lists.newArrayList(new IamSshKey(OLD))); - account.setX509Certificates( - Lists.newArrayList(new IamX509Certificate(x509Certs.get(0).certificate))); + + IamSamlId oldId = new IamSamlId(OLD, Saml2Attribute.EPUID.getAttributeName(), OLD); when(repo.findByOidcId(OLD, OLD)).thenReturn(Optional.of(account)); - when(repo.findBySamlId(OLD, OLD)).thenReturn(Optional.of(account)); + when(repo.findBySamlId(oldId)).thenReturn(Optional.of(account)); when(repo.findBySshKeyValue(OLD)).thenReturn(Optional.of(account)); - when(repo.findByCertificate(x509Certs.get(0).certificate)) - .thenReturn(Optional.of(account)); + when(repo.findByCertificate(x509Certs.get(0).certificate)).thenReturn(Optional.of(account)); ScimUser user = ScimUser.builder() .addOidcId(ScimOidcId.builder().issuer(OLD).subject(OLD).build()) - .addSamlId(ScimSamlId.builder().idpId(OLD).userId(OLD).build()) + .addSamlId( + ScimSamlId.builder().idpId(OLD).userId(OLD).attributeId(EPUID.getAttributeName()).build()) .addSshKey(ScimSshKey.builder().value(OLD).build()) - .addX509Certificate(ScimX509Certificate.builder().value(x509Certs.get(0).certificate).build()) .build(); ScimUserPatchRequest req = ScimUserPatchRequest.builder().remove(user).build(); @@ -343,10 +346,10 @@ public void testPatchRemoveOpMultipleParsing() { updaters.forEach(u -> assertThat(u.update(), equalTo(true))); updaters.forEach(u -> assertThat(u.update(), equalTo(false))); - assertThat(account.getOidcIds().isEmpty(), equalTo(true)); - assertThat(account.getSamlIds().isEmpty(), equalTo(true)); - assertThat(account.getSshKeys().isEmpty(), equalTo(true)); - assertThat(account.getX509Certificates().isEmpty(), equalTo(true)); + assertThat(account.getOidcIds(), hasSize(0)); + assertThat(account.getSamlIds(), hasSize(0)); + assertThat(account.getSshKeys(), hasSize(0)); + assertThat(account.getX509Certificates(), hasSize(0)); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/factory/DefaultGroupMembershipUpdaterFactoryTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/factory/DefaultGroupMembershipUpdaterFactoryTests.java index 3850ee5a2..4149c84c6 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/factory/DefaultGroupMembershipUpdaterFactoryTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/updater/factory/DefaultGroupMembershipUpdaterFactoryTests.java @@ -37,6 +37,7 @@ import it.infn.mw.iam.api.scim.updater.AccountUpdater; import it.infn.mw.iam.api.scim.updater.UpdaterType; import it.infn.mw.iam.api.scim.updater.factory.DefaultGroupMembershipUpdaterFactory; +import it.infn.mw.iam.authn.x509.PEMX509CertificateChainParser; import it.infn.mw.iam.persistence.model.IamAccount; import it.infn.mw.iam.persistence.model.IamGroup; import it.infn.mw.iam.persistence.model.IamUserInfo; @@ -86,7 +87,8 @@ private IamGroup newGroup(String name) { OidcIdConverter oidcConverter = new OidcIdConverter(); SamlIdConverter samlConverter = new SamlIdConverter(); SshKeyConverter sshKeyConverter = new SshKeyConverter(); - X509CertificateConverter x509Converter = new X509CertificateConverter(); + X509CertificateConverter x509Converter = + new X509CertificateConverter(new PEMX509CertificateChainParser()); DefaultGroupMembershipUpdaterFactory factory; @@ -150,7 +152,8 @@ public void testAddMembershipAlreadyAMemberPatchOpParsing() { assertThat(updaters.size(), equalTo(1)); assertThat(updaters.get(0).getType(), equalTo(ACCOUNT_ADD_GROUP_MEMBERSHIP)); - assertThat(updaters.get(0).update(), equalTo(false)); } + assertThat(updaters.get(0).update(), equalTo(false)); + } @Test public void testAddMultipleMembershipPatchOpParsing() { @@ -218,9 +221,8 @@ public void testRemoveMembershipPatchOpParsing() { @Test(expected = ScimResourceNotFoundException.class) public void testRemoveMembershipUserNotExistsPatchOpParsing() { - ScimGroupPatchRequest req = ScimGroupPatchRequest.builder() - .remove(Lists.newArrayList(ACCOUNT1_GROUP_REF)) - .build(); + ScimGroupPatchRequest req = + ScimGroupPatchRequest.builder().remove(Lists.newArrayList(ACCOUNT1_GROUP_REF)).build(); ScimPatchOperation> op = req.getOperations().get(0); diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserCreationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserCreationTests.java new file mode 100644 index 000000000..211245f70 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserCreationTests.java @@ -0,0 +1,385 @@ +package it.infn.mw.iam.test.scim.user; + +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_WRITE_SCOPE; +import static it.infn.mw.iam.test.scim.ScimUtils.buildUser; +import static it.infn.mw.iam.test.scim.ScimUtils.buildUserWithPassword; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; +import static org.hamcrest.Matchers.notNullValue; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertThat; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; + +import java.util.List; +import java.util.Optional; + +import javax.transaction.Transactional; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.http.HttpStatus; +import org.springframework.security.crypto.password.PasswordEncoder; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.api.scim.model.ScimIndigoUser; +import it.infn.mw.iam.api.scim.model.ScimSshKey; +import it.infn.mw.iam.api.scim.model.ScimUser; +import it.infn.mw.iam.api.scim.model.ScimX509Certificate; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.test.SshKeyUtils; +import it.infn.mw.iam.test.X509Utils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +@Transactional +public class ScimUserCreationTests extends ScimUserTestSupport { + + @Autowired + private IamAccountRepository accountRepo; + + @Autowired + private PasswordEncoder encoder; + + @Autowired + private ScimRestUtilsMvc scimUtils; + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationAccessDeletion() throws Exception { + + ScimUser user = buildUser("paul_mccartney", "test@email.test", "Paul", "McCartney"); + ScimUser createdUser = scimUtils.postUser(user); + + assertThat(user.getUserName(), equalTo(createdUser.getUserName())); + assertThat(user.getEmails(), hasSize(equalTo(1))); + assertThat(user.getEmails().get(0).getValue(), + equalTo(createdUser.getEmails().get(0).getValue())); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithPassword() throws Exception { + + ScimUser user = + buildUserWithPassword("john_lennon", "password", "lennon@email.test", "John", "Lennon"); + + ScimUser createdUser = scimUtils.postUser(user); + + assertNull(createdUser.getPassword()); + + Optional createdAccount = accountRepo.findByUuid(createdUser.getId()); + if (!createdAccount.isPresent()) { + Assert.fail("Account not created"); + } + + assertThat(createdAccount.get().getPassword(), notNullValue()); + assertThat(encoder.matches("password", createdAccount.get().getPassword()), equalTo(true)); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithOidcAccount() throws Exception { + + ScimUser user = ScimUser.builder("user_with_oidc") + .buildEmail("test_user@test.org") + .buildName("User", "With OIDC Account") + .buildOidcId("urn:oidc:test:issuer", "1234") + .active(true) + .build(); + + ScimUser createdUser = scimUtils.postUser(user); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getOidcIds().get(0).getIssuer(), + equalTo("urn:oidc:test:issuer")); + assertThat(createdUser.getIndigoUser().getOidcIds().get(0).getSubject(), equalTo("1234")); + + createdUser = scimUtils.getUser(createdUser.getId()); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getOidcIds().get(0).getIssuer(), + equalTo("urn:oidc:test:issuer")); + assertThat(createdUser.getIndigoUser().getOidcIds().get(0).getSubject(), equalTo("1234")); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithStolenOidcAccountFailure() throws Exception { + + ScimUser user = ScimUser.builder("user_with_oidc") + .buildEmail("test_user@test.org") + .buildName("User", "With OIDC Account") + .buildOidcId("urn:oidc:test:issuer", "1234") + .active(true) + .build(); + + ScimUser createdUser = scimUtils.postUser(user); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getOidcIds().get(0).getIssuer(), + equalTo("urn:oidc:test:issuer")); + assertThat(createdUser.getIndigoUser().getOidcIds().get(0).getSubject(), equalTo("1234")); + + ScimUser anotherUser = ScimUser.builder("another_user_with_oidc") + .buildEmail("another_test_user@test.org") + .buildName("Another User", "With OIDC Account") + .buildOidcId("urn:oidc:test:issuer", "1234") + .active(true) + .build(); + + scimUtils.postUser(anotherUser, HttpStatus.CONFLICT) + .andExpect(jsonPath("$.detail", containsString("already bound to a user"))); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithSshKey() throws Exception { + + ScimUser user = ScimUser.builder("user_with_sshkey") + .buildEmail("test_user@test.org") + .buildName("User", "With ssh key Account") + .buildSshKey("Personal", SshKeyUtils.sshKeys.get(0).key, null, true) + .active(true) + .build(); + + ScimUser createdUser = scimUtils.postUser(user); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getDisplay(), equalTo("Personal")); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getValue(), + equalTo(SshKeyUtils.sshKeys.get(0).key)); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getFingerprint(), + equalTo(SshKeyUtils.sshKeys.get(0).fingerprintSHA256)); + + createdUser = scimUtils.getUser(createdUser.getId()); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getDisplay(), equalTo("Personal")); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getValue(), + equalTo(SshKeyUtils.sshKeys.get(0).key)); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getFingerprint(), + equalTo(SshKeyUtils.sshKeys.get(0).fingerprintSHA256)); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithSshKeyValueOnly() throws Exception { + + ScimUser user = ScimUser.builder("user_with_sshkey") + .buildEmail("test_user@test.org") + .buildName("User", "With ssh key Account") + .indigoUserInfo(ScimIndigoUser.builder() + .addSshKey(ScimSshKey.builder().value(SshKeyUtils.sshKeys.get(0).key).build()) + .build()) + .active(true) + .build(); + + ScimUser createdUser = scimUtils.postUser(user); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getDisplay(), + equalTo(user.getUserName() + "'s personal ssh key")); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getValue(), + equalTo(SshKeyUtils.sshKeys.get(0).key)); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getFingerprint(), + equalTo(SshKeyUtils.sshKeys.get(0).fingerprintSHA256)); + + createdUser = scimUtils.getUser(createdUser.getId()); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getDisplay(), + equalTo(user.getUserName() + "'s personal ssh key")); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getValue(), + equalTo(SshKeyUtils.sshKeys.get(0).key)); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getFingerprint(), + equalTo(SshKeyUtils.sshKeys.get(0).fingerprintSHA256)); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithStolenSshKeyFailure() throws Exception { + + ScimUser user = ScimUser.builder("user_with_sshkey") + .buildEmail("test_user@test.org") + .buildName("User", "With ssh key") + .buildSshKey("Personal", SshKeyUtils.sshKeys.get(0).key, null, true) + .active(true) + .build(); + + ScimUser createdUser = scimUtils.postUser(user); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getDisplay(), equalTo("Personal")); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getValue(), + equalTo(SshKeyUtils.sshKeys.get(0).key)); + assertThat(createdUser.getIndigoUser().getSshKeys().get(0).getFingerprint(), + equalTo(SshKeyUtils.sshKeys.get(0).fingerprintSHA256)); + + ScimUser anotherUser = ScimUser.builder("another_user_with_sshkey") + .buildEmail("another_test_user@test.org") + .buildName("Another User", "With ssh key") + .buildSshKey("Personal", SshKeyUtils.sshKeys.get(0).key, null, true) + .active(true) + .build(); + + scimUtils.postUser(anotherUser, HttpStatus.CONFLICT) + .andExpect(jsonPath("$.detail", containsString("already bound to a user"))); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithSamlId() throws Exception { + + ScimUser user = ScimUser.builder("user_with_samlId") + .buildEmail("test_user@test.org") + .buildName("User", "With saml id Account") + .buildSamlId("IdpID", "UserID") + .active(true) + .build(); + + ScimUser createdUser = scimUtils.postUser(user); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getSamlIds(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getSamlIds().get(0).getIdpId(), + equalTo(user.getIndigoUser().getSamlIds().get(0).getIdpId())); + assertThat(createdUser.getIndigoUser().getSamlIds().get(0).getUserId(), + equalTo(user.getIndigoUser().getSamlIds().get(0).getUserId())); + + createdUser = scimUtils.getUser(createdUser.getId()); + assertNotNull(createdUser.getIndigoUser()); + assertThat(createdUser.getIndigoUser().getSamlIds(), hasSize(equalTo(1))); + assertThat(createdUser.getIndigoUser().getSamlIds().get(0).getIdpId(), + equalTo(user.getIndigoUser().getSamlIds().get(0).getIdpId())); + assertThat(createdUser.getIndigoUser().getSamlIds().get(0).getUserId(), + equalTo(user.getIndigoUser().getSamlIds().get(0).getUserId())); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithX509Certificate() throws Exception { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .display("Personal1") + .pemEncodedCertificate(X509Utils.x509Certs.get(0).certificate) + .primary(false) + .build(); + + ScimUser user = ScimUser.builder("user_with_x509") + .buildEmail("test_user@test.org") + .buildName("User", "With x509 Certificate") + .addX509Certificate(cert) + .active(true) + .build(); + + List userCertList = user.getIndigoUser().getCertificates(); + + ScimUser createdUser = scimUtils.postUser(user); + List createdUserCertList = createdUser.getIndigoUser().getCertificates(); + + assertNotNull(createdUserCertList); + assertThat(createdUserCertList, hasSize(equalTo(1))); + assertThat(createdUserCertList.get(0).getDisplay(), equalTo(userCertList.get(0).getDisplay())); + assertThat(createdUserCertList.get(0).getPemEncodedCertificate(), + equalTo(userCertList.get(0).getPemEncodedCertificate())); + + createdUser = scimUtils.getUser(createdUser.getId()); + assertNotNull(createdUserCertList); + assertThat(createdUserCertList, hasSize(equalTo(1))); + assertThat(createdUserCertList.get(0).getDisplay(), equalTo(userCertList.get(0).getDisplay())); + assertThat(createdUserCertList.get(0).getPemEncodedCertificate(), + equalTo(userCertList.get(0).getPemEncodedCertificate())); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithMultipleX509Certificate() throws Exception { + + ScimX509Certificate cert1 = ScimX509Certificate.builder() + .display("Personal1") + .pemEncodedCertificate(X509Utils.x509Certs.get(0).certificate) + .primary(false) + .build(); + + ScimX509Certificate cert2 = ScimX509Certificate.builder() + .display("Personal2") + .pemEncodedCertificate(X509Utils.x509Certs.get(1).certificate) + .primary(true) + .build(); + + ScimUser user = ScimUser.builder("user_with_x509") + .buildEmail("test_user@test.org") + .buildName("User", "With x509 Certificate") + .addX509Certificate(cert1) + .addX509Certificate(cert2) + .active(true) + .build(); + + List userCertList = user.getIndigoUser().getCertificates(); + + ScimUser createdUser = scimUtils.postUser(user); + List createdUserCertList = createdUser.getIndigoUser().getCertificates(); + + assertNotNull(createdUserCertList); + assertThat(createdUserCertList, hasSize(equalTo(2))); + assertThat(createdUserCertList.get(0).getDisplay(), equalTo(userCertList.get(0).getDisplay())); + assertThat(createdUserCertList.get(0).getPemEncodedCertificate(), + equalTo(userCertList.get(0).getPemEncodedCertificate())); + assertThat(createdUserCertList.get(0).getPrimary(), equalTo(userCertList.get(0).getPrimary())); + assertThat(createdUserCertList.get(1).getDisplay(), equalTo(userCertList.get(1).getDisplay())); + assertThat(createdUserCertList.get(1).getPrimary(), equalTo(userCertList.get(1).getPrimary())); + } + + @Test + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserCreationWithMultipleX509CertificateAndNoPrimary() throws Exception { + + ScimX509Certificate cert1 = ScimX509Certificate.builder() + .display("Personal1") + .pemEncodedCertificate(X509Utils.x509Certs.get(0).certificate) + .primary(false) + .build(); + + ScimX509Certificate cert2 = ScimX509Certificate.builder() + .display("Personal2") + .pemEncodedCertificate(X509Utils.x509Certs.get(1).certificate) + .primary(false) + .build(); + + ScimUser user = ScimUser.builder("user_with_x509") + .buildEmail("test_user@test.org") + .buildName("User", "With x509 Certificate") + .addX509Certificate(cert1) + .addX509Certificate(cert2) + .active(true) + .build(); + + List userCertList = user.getIndigoUser().getCertificates(); + + ScimUser createdUser = scimUtils.postUser(user); + List createdUserCertList = createdUser.getIndigoUser().getCertificates(); + + assertNotNull(createdUserCertList); + assertThat(createdUserCertList, hasSize(equalTo(2))); + assertThat(createdUserCertList.get(0).getDisplay(), equalTo(userCertList.get(0).getDisplay())); + assertThat(createdUserCertList.get(0).getPemEncodedCertificate(), + equalTo(userCertList.get(0).getPemEncodedCertificate())); + assertThat(createdUserCertList.get(0).getPrimary(), equalTo(true)); + assertThat(createdUserCertList.get(1).getDisplay(), equalTo(userCertList.get(1).getDisplay())); + assertThat(createdUserCertList.get(1).getPrimary(), equalTo(false)); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningAttributeFilterTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningAttributeFilterTests.java index cdb0b1fd9..55dfa39c6 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningAttributeFilterTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningAttributeFilterTests.java @@ -1,124 +1,93 @@ package it.infn.mw.iam.test.scim.user; -import static com.jayway.restassured.RestAssured.given; -import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; +import static it.infn.mw.iam.api.scim.model.ScimConstants.INDIGO_USER_SCHEMA; +import static it.infn.mw.iam.api.scim.model.ScimListResponse.SCHEMA; import static it.infn.mw.iam.test.TestUtils.TOTAL_USERS_COUNT; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasSize; -import static org.hamcrest.Matchers.is; -import static org.hamcrest.Matchers.not; -import static org.hamcrest.Matchers.nullValue; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; -import javax.transaction.Transactional; - -import org.hamcrest.Matchers; -import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.api.scim.model.ScimConstants; -import it.infn.mw.iam.api.scim.model.ScimListResponse; -import it.infn.mw.iam.test.TestUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.scim.ScimUtils.ParamsBuilder; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -@Transactional +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +@WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE}) public class ScimUserProvisioningAttributeFilterTests { - String accessToken; - - @Before - public void initAccessToken() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read"); - } + @Autowired + private ScimRestUtilsMvc scimUtils; @Test - public void testReuturnOnlyUsernameRequest() { + public void testReuturnOnlyUsernameRequest() throws Exception { - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 1) - .param("attributes", "userName") - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(1)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(1))) - .body("Resources[0].id", is(Matchers.not(nullValue()))) - .body("Resources[0].schemas", is(Matchers.not(nullValue()))) - .body("Resources[0].userName", is(Matchers.not(nullValue()))) - .body("Resources[0].emails", is(nullValue())) - .body("Resources[0].displayName", is(nullValue())) - .body("Resources[0].nickName", is(nullValue())) - .body("Resources[0].profileUrl", is(nullValue())) - .body("Resources[0].locale", is(nullValue())) - .body("Resources[0].timezone", is(nullValue())) - .body("Resources[0].active", is(nullValue())) - .body("Resources[0].title", is(nullValue())) - .body("Resources[0].addresses", is(nullValue())) - .body("Resources[0].certificates", is(nullValue())) - .body("Resources[0].groups", is(nullValue())) - .body("Resources[0].urn:indigo-dc:scim:schemas:IndigoUser", is(nullValue())); + scimUtils.getUsers(ParamsBuilder.builder().count(1).attributes("userName").build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(1))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(1)))) + .andExpect(jsonPath("$.Resources[0].id").exists()) + .andExpect(jsonPath("$.Resources[0].schemas").exists()) + .andExpect(jsonPath("$.Resources[0].userName").exists()) + .andExpect(jsonPath("$.Resources[0].emails").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].displayName").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].nickName").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].profileUrl").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].locale").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].timezone").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].active").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].title").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].addresses").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].certificates").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].groups").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].urn:indigo-dc:scim:schemas:IndigoUser").doesNotExist()); } @Test - public void testMultipleAttrsRequest() { + public void testMultipleAttrsRequest() throws Exception { - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 2) - .param("attributes", "userName,emails," + ScimConstants.INDIGO_USER_SCHEMA) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(2)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(2))) - .body("Resources[0].id", is(Matchers.not(nullValue()))) - .body("Resources[0].schemas", is(not(nullValue()))) - .body("Resources[0].userName", is(not(nullValue()))) - .body("Resources[0].emails", is(not(nullValue()))) - .body("Resources[0].displayName", is(nullValue())) - .body("Resources[0].nickName", is(nullValue())) - .body("Resources[0].profileUrl", is(nullValue())) - .body("Resources[0].locale", is(nullValue())) - .body("Resources[0].timezone", is(nullValue())) - .body("Resources[0].active", is(nullValue())) - .body("Resources[0].title", is(nullValue())) - .body("Resources[0].addresses", is(nullValue())) - .body("Resources[0].certificates", is(nullValue())) - .body("Resources[0].groups", is(nullValue())) - .body("Resources[0].urn:indigo-dc:scim:schemas:IndigoUser", is(not(nullValue()))); + scimUtils + .getUsers(ParamsBuilder.builder() + .count(2) + .attributes("userName,emails," + INDIGO_USER_SCHEMA) + .build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(2))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(2)))) + .andExpect(jsonPath("$.Resources[0].id").exists()) + .andExpect(jsonPath("$.Resources[0].schemas").exists()) + .andExpect(jsonPath("$.Resources[0].userName").exists()) + .andExpect(jsonPath("$.Resources[0].emails").exists()) + .andExpect(jsonPath("$.Resources[0].displayName").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].nickName").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].profileUrl").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].locale").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].timezone").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].active").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].title").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].addresses").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].certificates").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].groups").doesNotExist()) + .andExpect(jsonPath("$.Resources[0].urn:indigo-dc:scim:schemas:IndigoUser").exists()); } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningListTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningListTests.java index b9718b995..cab3edee7 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningListTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningListTests.java @@ -1,256 +1,134 @@ package it.infn.mw.iam.test.scim.user; -import static com.jayway.restassured.RestAssured.given; -import static it.infn.mw.iam.api.scim.model.ScimConstants.SCIM_CONTENT_TYPE; +import static it.infn.mw.iam.api.scim.model.ScimListResponse.SCHEMA; import static it.infn.mw.iam.test.TestUtils.TOTAL_USERS_COUNT; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasSize; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; -import javax.transaction.Transactional; - -import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; import it.infn.mw.iam.IamLoginService; import it.infn.mw.iam.api.scim.model.ScimListResponse; -import it.infn.mw.iam.test.TestUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.scim.ScimUtils.ParamsBuilder; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -@Transactional +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +@WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE}) public class ScimUserProvisioningListTests { - String accessToken; - - @Before - public void initAccessToken() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read"); - } - + @Autowired + private ScimRestUtilsMvc scimUtils; @Test - public void testNoParameterListRequest() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(100)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(100))); + public void testNoParameterListRequest() throws Exception { + + scimUtils.getUsers() + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(100))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(100)))); } @Test - public void testCountAs10Returns10Items() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 10) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(10)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(10))); + public void testCountAs10Returns10Items() throws Exception { + + scimUtils.getUsers(ParamsBuilder.builder().count(10).build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(10))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(10)))); } @Test - public void testCount1Returns1Item() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 1) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(1)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(1))); + public void testCount1Returns1Item() throws Exception { + + scimUtils.getUsers(ParamsBuilder.builder().count(1).build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(1))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(1)))); } @Test - public void testCountShouldBeLimitedToOneHundred() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", 1000) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(100)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(100))); + public void testCountShouldBeLimitedToOneHundred() throws Exception { + + scimUtils.getUsers(ParamsBuilder.builder().count(1000).build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(100))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(100)))); } @Test - public void testNegativeCountBecomesZero() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("count", -10) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(0)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(0))); + public void testNegativeCountBecomesZero() throws Exception { + + scimUtils.getUsers(ParamsBuilder.builder().count(-10).build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(0))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(ScimListResponse.SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(0)))); } @Test - public void testInvalidStartIndex() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("startIndex", TOTAL_USERS_COUNT + 1) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(0)) - .body("startIndex", equalTo(TOTAL_USERS_COUNT + 1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(0))); + public void testInvalidStartIndex() throws Exception { + + scimUtils.getUsers(ParamsBuilder.builder().startIndex(TOTAL_USERS_COUNT + 1).build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(0))) + .andExpect(jsonPath("$.startIndex", equalTo(TOTAL_USERS_COUNT + 1))) + .andExpect(jsonPath("$.schemas", contains(SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(0)))); } @Test - public void testRightEndPagination() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("startIndex", TOTAL_USERS_COUNT - 5) - .param("count", 10) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(6)) - .body("startIndex", equalTo(TOTAL_USERS_COUNT - 5)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(6))); + public void testRightEndPagination() throws Exception { + + scimUtils.getUsers(ParamsBuilder.builder().startIndex(TOTAL_USERS_COUNT - 5).count(10).build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(6))) + .andExpect(jsonPath("$.startIndex", equalTo(TOTAL_USERS_COUNT - 5))) + .andExpect(jsonPath("$.schemas", contains(SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(6)))); } @Test - public void testLastElementPagination() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("startIndex", TOTAL_USERS_COUNT) - .param("count", 2) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(1)) - .body("startIndex", equalTo(TOTAL_USERS_COUNT)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(1))); + public void testLastElementPagination() throws Exception { + + scimUtils.getUsers(ParamsBuilder.builder().startIndex(TOTAL_USERS_COUNT).count(2).build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(1))) + .andExpect(jsonPath("$.startIndex", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.schemas", contains(SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(1)))); } @Test - public void testFirstElementPagination() { - - given().port(8080) - .auth() - .preemptive() - .oauth2(accessToken) - .accept(SCIM_CONTENT_TYPE) - .log() - .all(true) - .param("startIndex", 1) - .param("count", 5) - .when() - .get("/scim/Users") - .then() - .log() - .all(true) - .statusCode(HttpStatus.OK.value()) - .body("totalResults", equalTo(TOTAL_USERS_COUNT)) - .body("itemsPerPage", equalTo(5)) - .body("startIndex", equalTo(1)) - .body("schemas", contains(ScimListResponse.SCHEMA)) - .body("Resources", hasSize(equalTo(5))); + public void testFirstElementPagination() throws Exception { + + scimUtils.getUsers(ParamsBuilder.builder().startIndex(1).count(5).build()) + .andExpect(jsonPath("$.totalResults", equalTo(TOTAL_USERS_COUNT))) + .andExpect(jsonPath("$.itemsPerPage", equalTo(5))) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.schemas", contains(SCHEMA))) + .andExpect(jsonPath("$.Resources", hasSize(equalTo(5)))); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchRemoveTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchRemoveTests.java index 3875df8fc..e0d98c464 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchRemoveTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchRemoveTests.java @@ -1,320 +1,238 @@ package it.infn.mw.iam.test.scim.user; +import static it.infn.mw.iam.api.scim.model.ScimPatchOperation.ScimPatchOperationType.remove; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_WRITE_SCOPE; +import static org.hamcrest.Matchers.empty; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertThat; import java.util.ArrayList; import java.util.List; import javax.transaction.Transactional; -import org.junit.After; import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; -import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.api.scim.model.ScimConstants; import it.infn.mw.iam.api.scim.model.ScimOidcId; -import it.infn.mw.iam.api.scim.model.ScimSamlId; -import it.infn.mw.iam.api.scim.model.ScimSshKey; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; -import it.infn.mw.iam.api.scim.model.ScimX509Certificate; -import it.infn.mw.iam.persistence.repository.IamAccountRepository; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration @Transactional -@Ignore -public class ScimUserProvisioningPatchRemoveTests { - - private String accessToken; - private ScimRestUtils restUtils; +@WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) +public class ScimUserProvisioningPatchRemoveTests extends ScimUserTestSupport { @Autowired - IamAccountRepository iamAccountRepo; + private ScimRestUtilsMvc scimUtils; private List testUsers = new ArrayList(); - @BeforeClass - public static void init() { - - JacksonUtils.initRestAssured(); - } - - private void initTestUsers() { - - testUsers.add(restUtils.doPost("/scim/Users/", ScimUser.builder("john_lennon") - .buildEmail("lennon@email.test") - .buildName("John", "Lennon") - .addOidcId(ScimOidcId.builder() - .issuer(TestUtils.oidcIds.get(0).issuer) - .subject(TestUtils.oidcIds.get(0).subject) - .build()) - .addSshKey(ScimSshKey.builder() - .value(TestUtils.sshKeys.get(0).key) - .fingerprint(TestUtils.sshKeys.get(0).fingerprintSHA256) - .primary(true) - .build()) - .addSamlId(ScimSamlId.builder() - .idpId(TestUtils.samlIds.get(0).idpId) - .userId(TestUtils.samlIds.get(0).userId) - .build()) - .addX509Certificate(ScimX509Certificate.builder() - .display(TestUtils.x509Certs.get(0).display) - .value(TestUtils.x509Certs.get(0).certificate) - .primary(true) - .build()) - .build()).extract().as(ScimUser.class)); - - testUsers.add(restUtils.doPost("/scim/Users/", ScimUser.builder("abraham_lincoln") - .buildEmail("lincoln@email.test") - .buildName("Abraham", "Lincoln") - .addOidcId(ScimOidcId.builder() - .issuer(TestUtils.oidcIds.get(1).issuer) - .subject(TestUtils.oidcIds.get(1).subject) - .build()) - .addSshKey(ScimSshKey.builder() - .value(TestUtils.sshKeys.get(1).key) - .fingerprint(TestUtils.sshKeys.get(1).fingerprintSHA256) - .primary(true) - .build()) - .addSamlId(ScimSamlId.builder() - .idpId(TestUtils.samlIds.get(1).idpId) - .userId(TestUtils.samlIds.get(1).userId) - .build()) - .addX509Certificate(ScimX509Certificate.builder() - .display(TestUtils.x509Certs.get(1).display) - .value(TestUtils.x509Certs.get(1).certificate) - .primary(true) - .build()) - .build()).extract().as(ScimUser.class)); - } - @Before - public void setupTest() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write"); - restUtils = ScimRestUtils.getInstance(accessToken); - - initTestUsers(); - } + public void setup() throws Exception { - @After - public void teardownTest() { - - restUtils.deleteUsers(testUsers.get(0), testUsers.get(1)); - } - - private ScimUserPatchRequest getPatchRemoveRequest(ScimUser updates) { - - return ScimUserPatchRequest.builder().remove(updates).build(); + testUsers = createTestUsers(); } @Test - public void testPatchRemoveOidcId() { + public void testPatchRemoveOidcId() throws Exception { ScimUser user = testUsers.get(0); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addOidcId(user.getIndigoUser().getOidcIds().get(0)).build()); + ScimUser updates = + ScimUser.builder().addOidcId(user.getIndigoUser().getOidcIds().get(0)).build(); + + scimUtils.patchUser(user.getId(), remove, updates); - restUtils.doPatch(user.getMeta().getLocation(), req); + ScimUser updatedUser = scimUtils.getUser(user.getId()); - restUtils.doGet(user.getMeta().getLocation()).body("id", equalTo(user.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", equalTo(null)); + assertThat(updatedUser.getIndigoUser().getOidcIds(), hasSize(equalTo(0))); } @Test - @Ignore - @Deprecated - public void testPatchRemoveAnotherUserOidcId() { + public void testPatchRemoveAnotherUserOidcId() throws Exception { ScimUser user1 = testUsers.get(0); ScimUser user2 = testUsers.get(1); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addOidcId(user2.getIndigoUser().getOidcIds().get(0)).build()); + ScimUser updates = + ScimUser.builder().addOidcId(user2.getIndigoUser().getOidcIds().get(0)).build(); - restUtils.doPatch(user1.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); + scimUtils.patchUser(user1.getId(), remove, updates); - restUtils.doGet(user1.getMeta().getLocation()).body("id", equalTo(user1.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", hasSize(equalTo(1))); - restUtils.doGet(user2.getMeta().getLocation()).body("id", equalTo(user2.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", hasSize(equalTo(1))); + ScimUser updatedUser1 = scimUtils.getUser(user1.getId()); + assertThat(updatedUser1.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); + + ScimUser updatedUser2 = scimUtils.getUser(user2.getId()); + assertThat(updatedUser2.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); } @Test - @Ignore - @Deprecated - public void testPatchRemoveNotFoundOidcId() { + public void testPatchRemoveNotFoundOidcId() throws Exception { ScimUser user = testUsers.get(0); - ScimUserPatchRequest req = getPatchRemoveRequest(ScimUser.builder() + ScimUser updates = ScimUser.builder() .addOidcId(ScimOidcId.builder().issuer("fake_issuer").subject("fake_subject").build()) - .build()); + .build(); - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); + scimUtils.patchUser(user.getId(), remove, updates); - restUtils.doGet(user.getMeta().getLocation()).body("id", equalTo(user.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", hasSize(equalTo(1))); + ScimUser updatedUser = scimUtils.getUser(user.getId()); + assertThat(updatedUser.getId(), equalTo(user.getId())); + assertThat(updatedUser.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); } @Test - public void testPatchRemoveX509Certificate() { + public void testPatchRemoveX509Certificate() throws Exception { ScimUser user = testUsers.get(0); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addX509Certificate(user.getX509Certificates().get(0)).build()); + ScimUser updates = ScimUser.builder() + .addX509Certificate(user.getIndigoUser().getCertificates().get(0)) + .build(); - restUtils.doPatch(user.getMeta().getLocation(), req); + scimUtils.patchUser(user.getId(), remove, updates); - restUtils.doGet(user.getMeta().getLocation()) - .body("id", equalTo(user.getId())) - .body("x509certificates", equalTo(null)); + ScimUser updatedUser = scimUtils.getUser(user.getId()); + assertThat(updatedUser.getId(), equalTo(user.getId())); + assertThat(updatedUser.getIndigoUser().getCertificates(), empty()); } @Test - @Ignore - @Deprecated - public void testPatchRemoveAnotherUserX509Certificate() { + public void testPatchRemoveAnotherUserX509Certificate() throws Exception { ScimUser user1 = testUsers.get(0); ScimUser user2 = testUsers.get(1); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addX509Certificate(user2.getX509Certificates().get(0)).build()); + ScimUser updates = ScimUser.builder() + .addX509Certificate(user2.getIndigoUser().getCertificates().get(0)) + .build(); - restUtils.doPatch(user1.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); + scimUtils.patchUser(user1.getId(), remove, updates); - restUtils.doGet(user1.getMeta().getLocation()) - .body("id", equalTo(user1.getId())) - .body("x509certificates", equalTo(null)); + ScimUser updatedUser = scimUtils.getUser(user1.getId()); + assertThat(updatedUser.getId(), equalTo(user1.getId())); + assertThat(updatedUser.getIndigoUser().getCertificates(), hasSize(equalTo(1))); } - @Test - @Ignore - @Deprecated - public void testPatchRemoveNotFoundX509Certificate() { + public void testPatchRemoveNotFoundX509Certificate() throws Exception { ScimUser user1 = testUsers.get(0); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addX509Certificate(user1.getX509Certificates().get(0)).build()); + ScimUser updates = ScimUser.builder() + .addX509Certificate(user1.getIndigoUser().getCertificates().get(0)) + .build(); - restUtils.doPatch(user1.getMeta().getLocation(), req); - restUtils.doPatch(user1.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); + scimUtils.patchUser(user1.getId(), remove, updates); + scimUtils.patchUser(user1.getId(), remove, updates); } @Test - public void testPatchRemoveSshKey() { + public void testPatchRemoveSshKey() throws Exception { ScimUser user = testUsers.get(0); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addSshKey(user.getIndigoUser().getSshKeys().get(0)).build()); + ScimUser updates = + ScimUser.builder().addSshKey(user.getIndigoUser().getSshKeys().get(0)).build(); - restUtils.doPatch(user.getMeta().getLocation(), req); + scimUtils.patchUser(user.getId(), remove, updates); - restUtils.doGet(user.getMeta().getLocation()).body("id", equalTo(user.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys", equalTo(null)); + ScimUser updatedUser = scimUtils.getUser(user.getId()); + assertThat(updatedUser.getId(), equalTo(user.getId())); + assertThat(updatedUser.getIndigoUser().getSshKeys(), hasSize(equalTo(0))); } @Test - @Ignore - @Deprecated - public void testPatchRemoveAnotherUserSshKey() { + public void testPatchRemoveAnotherUserSshKey() throws Exception { ScimUser user1 = testUsers.get(0); ScimUser user2 = testUsers.get(1); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addSshKey(user2.getIndigoUser().getSshKeys().get(0)).build()); + ScimUser updates = + ScimUser.builder().addSshKey(user2.getIndigoUser().getSshKeys().get(0)).build(); - restUtils.doPatch(user1.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); + scimUtils.patchUser(user1.getId(), remove, updates); - restUtils.doGet(user1.getMeta().getLocation()).body("id", equalTo(user1.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys", hasSize(equalTo(1))); + ScimUser updatedUser = scimUtils.getUser(user1.getId()); + assertThat(updatedUser.getId(), equalTo(user1.getId())); + assertThat(updatedUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); } @Test - @Ignore - @Deprecated - public void testPatchRemoveNotFoundSshKey() { + public void testPatchRemoveNotFoundSshKey() throws Exception { ScimUser user1 = testUsers.get(0); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addSshKey(user1.getIndigoUser().getSshKeys().get(0)).build()); + ScimUser updates = + ScimUser.builder().addSshKey(user1.getIndigoUser().getSshKeys().get(0)).build(); - restUtils.doPatch(user1.getMeta().getLocation(), req); - restUtils.doPatch(user1.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); + scimUtils.patchUser(user1.getId(), remove, updates); + scimUtils.patchUser(user1.getId(), remove, updates); } @Test - @Ignore - @Deprecated - public void testPatchRemoveSamlId() { + public void testPatchRemoveSamlId() throws Exception { ScimUser user = testUsers.get(0); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addSamlId(user.getIndigoUser().getSamlIds().get(0)).build()); + ScimUser updates = + ScimUser.builder().addSamlId(user.getIndigoUser().getSamlIds().get(0)).build(); - restUtils.doPatch(user.getMeta().getLocation(), req); + scimUtils.patchUser(user.getId(), remove, updates); - restUtils.doGet(user.getMeta().getLocation()).body("id", equalTo(user.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".samlIds", equalTo(null)); + ScimUser updatedUser = scimUtils.getUser(user.getId()); + assertThat(updatedUser.getId(), equalTo(user.getId())); + assertThat(updatedUser.getIndigoUser().getSamlIds(), hasSize(equalTo(0))); } @Test - @Ignore - @Deprecated - public void testPatchRemoveAnotherUserSamlId() { + public void testPatchRemoveAnotherUserSamlId() throws Exception { ScimUser user1 = testUsers.get(0); ScimUser user2 = testUsers.get(1); - ScimUserPatchRequest req = getPatchRemoveRequest( - ScimUser.builder().addSamlId(user2.getIndigoUser().getSamlIds().get(0)).build()); + ScimUser updates = + ScimUser.builder().addSamlId(user2.getIndigoUser().getSamlIds().get(0)).build(); + + scimUtils.patchUser(user1.getId(), remove, updates); + + ScimUser updatedUser1 = scimUtils.getUser(user1.getId()); + assertThat(updatedUser1.getId(), equalTo(user1.getId())); + assertThat(updatedUser1.getIndigoUser().getSamlIds(), hasSize(equalTo(1))); - restUtils.doPatch(user1.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); + ScimUser updatedUser2 = scimUtils.getUser(user2.getId()); + assertThat(updatedUser2.getId(), equalTo(user2.getId())); + assertThat(updatedUser2.getIndigoUser().getSamlIds(), hasSize(equalTo(1))); - restUtils.doGet(user1.getMeta().getLocation()).body("id", equalTo(user1.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".samlIds", hasSize(equalTo(1))); - restUtils.doGet(user2.getMeta().getLocation()).body("id", equalTo(user2.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".samlIds", hasSize(equalTo(1))); } @Test - @Ignore - @Deprecated - public void testPatchRemoveNotFoundSamlId() { + public void testPatchRemoveNotFoundSamlId() throws Exception { ScimUser user = testUsers.get(0); - ScimUserPatchRequest req = getPatchRemoveRequest(ScimUser.builder() - .addSamlId(ScimSamlId.builder().idpId("fake_idpid").userId("fake_userid").build()) - .build()); + ScimUser updates = ScimUser.builder().buildSamlId("fake_idpid", "fake_userid").build(); - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); + scimUtils.patchUser(user.getId(), remove, updates); - restUtils.doGet(user.getMeta().getLocation()).body("id", equalTo(user.getId())).body( - ScimConstants.INDIGO_USER_SCHEMA + ".samlIds", hasSize(equalTo(1))); + ScimUser updatedUser = scimUtils.getUser(user.getId()); + assertThat(updatedUser.getId(), equalTo(user.getId())); + assertThat(updatedUser.getIndigoUser().getSamlIds(), hasSize(equalTo(1))); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchReplaceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchReplaceTests.java index 21bfe22ab..4ed89124f 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchReplaceTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchReplaceTests.java @@ -1,440 +1,141 @@ package it.infn.mw.iam.test.scim.user; +import static it.infn.mw.iam.api.scim.model.ScimPatchOperation.ScimPatchOperationType.replace; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_WRITE_SCOPE; import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertThat; +import static org.springframework.http.HttpStatus.BAD_REQUEST; +import static org.springframework.http.HttpStatus.CONFLICT; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; -import java.util.ArrayList; -import java.util.List; +import javax.transaction.Transactional; -import org.junit.After; -import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.api.scim.model.ScimOidcId; -import it.infn.mw.iam.api.scim.model.ScimSamlId; import it.infn.mw.iam.api.scim.model.ScimSshKey; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; import it.infn.mw.iam.api.scim.model.ScimX509Certificate; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -public class ScimUserProvisioningPatchReplaceTests { +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +@Transactional +@WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) +public class ScimUserProvisioningPatchReplaceTests extends ScimUserTestSupport { - private String accessToken; - private ScimRestUtils restUtils; + @Autowired + private ScimRestUtilsMvc scimUtils; - private List testUsers = new ArrayList(); - - @BeforeClass - public static void init() { - - JacksonUtils.initRestAssured(); - } - - private void initTestUsers() { - - testUsers.add(restUtils - .doPost("/scim/Users/", - ScimUser.builder("john_lennon") - .buildEmail("lennon@email.test") - .buildName("John", "Lennon") - .addOidcId(ScimOidcId.builder() - .issuer(TestUtils.oidcIds.get(0).issuer) - .subject(TestUtils.oidcIds.get(0).subject) - .build()) - .addSshKey(ScimSshKey.builder() - .value(TestUtils.sshKeys.get(0).key) - .fingerprint(TestUtils.sshKeys.get(0).fingerprintSHA256) - .primary(true) - .build()) - .addSshKey(ScimSshKey.builder() - .value(TestUtils.sshKeys.get(1).key) - .fingerprint(TestUtils.sshKeys.get(1).fingerprintSHA256) - .primary(false) - .build()) - .addSamlId(ScimSamlId.builder() - .idpId(TestUtils.samlIds.get(0).idpId) - .userId(TestUtils.samlIds.get(0).userId) - .build()) - .addX509Certificate(ScimX509Certificate.builder() - .display(TestUtils.x509Certs.get(0).display) - .value(TestUtils.x509Certs.get(0).certificate) - .primary(true) - .build()) - .addX509Certificate(ScimX509Certificate.builder() - .display(TestUtils.x509Certs.get(1).display) - .value(TestUtils.x509Certs.get(1).certificate) - .primary(false) - .build()) - .build()) - .extract().as(ScimUser.class)); - } + private ScimUser testUser; @Before - public void setupTest() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write"); - restUtils = ScimRestUtils.getInstance(accessToken); - - initTestUsers(); - } - - @After - public void teardownTest() { - - testUsers.forEach(user -> restUtils.doDelete(user.getMeta().getLocation())); - } - - private ScimUserPatchRequest getPatchAddRequest(ScimUser updates) { + public void setup() throws Exception { - return ScimUserPatchRequest.builder().add(updates).build(); - } - - private ScimUserPatchRequest getPatchReplaceRequest(ScimUser updates) { - - return ScimUserPatchRequest.builder().replace(updates).build(); - } - - private ScimUserPatchRequest getPatchRemoveRequest(ScimUser updates) { - - return ScimUserPatchRequest.builder().remove(updates).build(); + testUser = createTestUsers().get(0); } @Test - @Ignore - public void testPatchReplaceX509CertificateDisplay() { + public void testReplaceEmailWithEmptyValue() throws Exception { - ScimUser user = testUsers.get(0); + ScimUser updates = ScimUser.builder().buildEmail("").build(); - ScimUserPatchRequest req = getPatchReplaceRequest(ScimUser.builder() - .buildX509Certificate(user.getX509Certificates().get(0).getDisplay() + "_updated", - user.getX509Certificates().get(0).getValue(), null) - .build()); - - restUtils.doPatch(user.getMeta().getLocation(), req); - - ScimUser updated_user = - restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - - Assert - .assertTrue(updated_user.getX509Certificates() - .stream() - .filter(cert -> cert.getValue().equals(user.getX509Certificates().get(0).getValue()) && cert - .getDisplay().equals(user.getX509Certificates().get(0).getDisplay() + "_updated")) - .findFirst() - .isPresent()); + scimUtils.patchUser(testUser.getId(), replace, updates, BAD_REQUEST) + .andExpect(jsonPath("$.detail", containsString(": may not be empty"))); } @Test - @Ignore - public void testPatchReplaceX509CertificatePrimary() { - - ScimUser user = testUsers.get(0); - - ScimX509Certificate certToReplace = user.getX509Certificates().get(0); - ScimUserPatchRequest req = getPatchReplaceRequest( - ScimUser.builder().buildX509Certificate(null, certToReplace.getValue(), false).build()); + public void testReplaceEmailWithNullValue() throws Exception { - restUtils.doPatch(user.getMeta().getLocation(), req); + ScimUser updates = ScimUser.builder().buildEmail(null).build(); - ScimUser updated_user = - restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - Assert.assertTrue( - updated_user.getX509Certificates().stream().filter(cert -> cert.isPrimary()).count() == 1); + scimUtils.patchUser(testUser.getId(), replace, updates, BAD_REQUEST) + .andExpect(jsonPath("$.detail", containsString(": may not be empty"))); } @Test - @Ignore - public void testPatchReplaceX509CertificatePrimarySwitch() { - - ScimUser user = testUsers.get(0); - - ScimUserPatchRequest req = getPatchReplaceRequest(ScimUser.builder() - .buildX509Certificate(null, user.getX509Certificates().get(0).getValue(), false) - .buildX509Certificate(null, user.getX509Certificates().get(1).getValue(), true) - .build()); - - restUtils.doPatch(user.getMeta().getLocation(), req); - - ScimUser updated_user = - restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - - Assert.assertTrue(updated_user.getX509Certificates() - .stream() - .filter(cert -> cert.getValue().equals(user.getX509Certificates().get(0).getValue()) - && !cert.isPrimary()) - .findFirst() - .isPresent()); - - Assert.assertTrue(updated_user.getX509Certificates() - .stream() - .filter(cert -> cert.getValue().equals(user.getX509Certificates().get(1).getValue()) - && cert.isPrimary()) - .findFirst() - .isPresent()); - } - - @Test - @Ignore - public void testPatchReplaceX509CertificateNotFound() { - - ScimUser user = testUsers.get(0); - - ScimUserPatchRequest req = getPatchReplaceRequest( - ScimUser.builder().buildX509Certificate("fake_display", "fake_value", true).build()); - - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); - } - - @Test - @Ignore - public void testPatchReplaceSshKeyDisplay() { - - ScimUser user = testUsers.get(0); - - ScimSshKey sshKeyToReplace = user.getIndigoUser().getSshKeys().get(0); - ScimUserPatchRequest req = getPatchReplaceRequest(ScimUser.builder() - .buildSshKey("New ssh key label", sshKeyToReplace.getValue(), - sshKeyToReplace.getFingerprint(), sshKeyToReplace.isPrimary()) - .build()); + public void testReplaceEmailWithSameValue() throws Exception { - restUtils.doPatch(user.getMeta().getLocation(), req); + ScimUser updates = + ScimUser.builder().buildEmail(testUser.getEmails().get(0).getValue()).build(); - ScimUser updated_user = - restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - - Assert.assertTrue(updated_user.getIndigoUser() - .getSshKeys() - .stream() - .filter(sshKey -> sshKey.getValue().equals(sshKeyToReplace.getValue()) - && sshKey.getDisplay().equals("New ssh key label")) - .findFirst() - .isPresent()); + scimUtils.patchUser(testUser.getId(), replace, updates); } @Test - @Ignore - public void testPatchReplaceSshKeyPrimary() { - - ScimUser user = testUsers.get(0); - - ScimSshKey keyToReplace = user.getIndigoUser().getSshKeys().get(0); - ScimUserPatchRequest req = getPatchReplaceRequest(ScimUser.builder() - .buildSshKey(keyToReplace.getDisplay(), keyToReplace.getValue(), - keyToReplace.getFingerprint(), false) - .build()); + public void testReplaceEmailWithInvalidValue() throws Exception { - restUtils.doPatch(user.getMeta().getLocation(), req); + ScimUser updates = ScimUser.builder().buildEmail("fakeEmail").build(); - ScimUser updated_user = - restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - - Assert.assertTrue(updated_user.getIndigoUser() - .getSshKeys() - .stream() - .filter(sshKey -> sshKey.isPrimary()) - .count() == 1); + scimUtils.patchUser(testUser.getId(), replace, updates, BAD_REQUEST) + .andExpect(jsonPath("$.detail", containsString(": not a well-formed email address"))); } @Test - @Ignore - public void testPatchReplaceSshKeyNotSupported() { + public void testReplacePicture() throws Exception { - String location = testUsers.get(0).getMeta().getLocation(); - String keyValue = testUsers.get(0).getIndigoUser().getSshKeys().get(0).getValue(); + assertThat(testUser.getPhotos(), hasSize(equalTo(1))); + assertThat(testUser.getPhotos().get(0).getValue(), equalTo(PICTURES.get(0))); - ScimUserPatchRequest req = getPatchReplaceRequest(ScimUser.builder() - .addSshKey(ScimSshKey.builder().value(keyValue).display("NEW LABEL").build()) - .build()); + ScimUser updates = ScimUser.builder().buildPhoto(PICTURES.get(1)).build(); - restUtils.doPatch(location, req, HttpStatus.BAD_REQUEST); - } + scimUtils.patchUser(testUser.getId(), replace, updates); - @Test - @Ignore - public void testPatchReplaceX509CertificateNotSupported() { - - String location = testUsers.get(0).getMeta().getLocation(); - String certValue = testUsers.get(0).getX509Certificates().get(0).getValue(); - - ScimUserPatchRequest req = - getPatchReplaceRequest( - ScimUser.builder() - .addX509Certificate( - ScimX509Certificate.builder().value(certValue).display("NEW LABEL").build()) - .build()); - - restUtils.doPatch(location, req, HttpStatus.BAD_REQUEST); + ScimUser updatedUser = scimUtils.getUser(testUser.getId()); + assertThat(updatedUser.getPhotos(), hasSize(equalTo(1))); + assertThat(updatedUser.getPhotos().get(0).getValue(), equalTo(PICTURES.get(1))); } @Test - @Ignore - public void testPatchReplaceSshKeyPrimarySwitch() { - - ScimUser user = testUsers.get(0); - - ScimUserPatchRequest req = getPatchReplaceRequest(ScimUser.builder() - .buildSshKey(null, user.getIndigoUser().getSshKeys().get(0).getValue(), null, false) - .buildSshKey(null, user.getIndigoUser().getSshKeys().get(1).getValue(), null, true) - .build()); - - restUtils.doPatch(user.getMeta().getLocation(), req); - - ScimUser updated_user = - restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - - String sshKeyValue = user.getIndigoUser().getSshKeys().get(0).getValue(); - - Assert.assertTrue(updated_user.getIndigoUser() - .getSshKeys() - .stream() - .filter(sshKey -> (sshKey.getValue().equals(sshKeyValue) && !sshKey.isPrimary())) - .findFirst() - .isPresent()); - - Assert.assertTrue( - updated_user.getIndigoUser() - .getSshKeys() - .stream() - .filter(sshKey -> sshKey.getValue() - .equals(user.getIndigoUser().getSshKeys().get(1).getValue()) && sshKey.isPrimary()) - .findFirst() - .isPresent()); - } + public void testReplaceUsername() throws Exception { - @Test - @Ignore - @Deprecated - public void testPatchReplaceSshKeyNotFound() { - - ScimUser user = testUsers.get(0); - - ScimUserPatchRequest req = getPatchReplaceRequest( - ScimUser.builder().buildSshKey("fake_label", "fake_key", "fake_fingerprint", true).build()); - - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); - } - - - @Test - public void testReplaceEmailWithEmptyValue() { - - ScimUser user = testUsers.get(0); - - ScimUserPatchRequest req = getPatchReplaceRequest(ScimUser.builder().buildEmail("").build()); - - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.BAD_REQUEST).body("detail", - containsString( - "scimUserPatchRequest.operations[0].value.emails[0].value : may not be empty")); - } - - @Test - public void testReplaceEmailWithNullValue() { - - ScimUser user = testUsers.get(0); - - ScimUserPatchRequest req = getPatchReplaceRequest(ScimUser.builder().buildEmail(null).build()); - - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.BAD_REQUEST).body("detail", - containsString( - "scimUserPatchRequest.operations[0].value.emails[0].value : may not be empty")); - } - - @Test - public void testReplaceEmailWithSameValue() { - - ScimUser user = testUsers.get(0); - - ScimUserPatchRequest req = getPatchReplaceRequest( - ScimUser.builder().buildEmail(user.getEmails().get(0).getValue()).build()); - - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.NO_CONTENT); - } - - @Test - public void testReplaceEmailWithInvalidValue() { - - ScimUser user = testUsers.get(0); + final String ANOTHERUSER_USERNAME = "test"; - ScimUserPatchRequest req = - getPatchReplaceRequest(ScimUser.builder().buildEmail("fakeEmail").build()); + ScimUser updates = ScimUser.builder().userName(ANOTHERUSER_USERNAME).build(); - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.BAD_REQUEST) - .body("detail", containsString( - "scimUserPatchRequest.operations[0].value.emails[0].value : not a well-formed email address")); + scimUtils.patchUser(testUser.getId(), replace, updates, CONFLICT); } @Test - public void testReplacePicture() { - - final String pictureURL = "http://iosicongallery.com/img/512/angry-birds-2-2016.png"; - final String pictureURL2 = "https://fallofthewall25.com/img/default-user.jpg"; - ScimUser user = testUsers.get(0); - - ScimUser uUser1 = restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - - Assert.assertTrue(uUser1.getPhotos() == null); - - ScimUserPatchRequest req = - getPatchAddRequest(ScimUser.builder().buildPhoto(pictureURL).build()); - - restUtils.doPatch(user.getMeta().getLocation(), req); + public void testPatchReplaceSshKeyNotSupported() throws Exception { - uUser1 = restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); + String keyValue = testUser.getIndigoUser().getSshKeys().get(0).getValue(); - Assert.assertFalse(uUser1.getPhotos().isEmpty()); - Assert.assertTrue(uUser1.getPhotos().get(0).getValue().equals(pictureURL)); - - req = getPatchReplaceRequest(ScimUser.builder().buildPhoto(pictureURL).build()); - - restUtils.doPatch(user.getMeta().getLocation(), req); - - ScimUser uUser2 = restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - - Assert.assertFalse(uUser2.getPhotos().isEmpty()); - Assert.assertTrue(uUser2.getPhotos().get(0).getValue().equals(pictureURL)); - // Assert - // .assertTrue(uUser2.getMeta().getLastModified().equals(uUser1.getMeta().getLastModified())); - - req = getPatchReplaceRequest(ScimUser.builder().buildPhoto(pictureURL2).build()); - - restUtils.doPatch(user.getMeta().getLocation(), req); - - ScimUser uUser3 = restUtils.doGet(user.getMeta().getLocation()).extract().as(ScimUser.class); - - Assert.assertFalse(uUser3.getPhotos().isEmpty()); - Assert.assertTrue(uUser3.getPhotos().get(0).getValue().equals(pictureURL2)); - // Assert - // .assertFalse(uUser3.getMeta().getLastModified().equals(uUser2.getMeta().getLastModified())); - - req = getPatchRemoveRequest(ScimUser.builder().buildPhoto(pictureURL2).build()); + ScimUser updates = ScimUser.builder() + .addSshKey(ScimSshKey.builder().value(keyValue).display("NEW LABEL").build()) + .build(); - restUtils.doPatch(user.getMeta().getLocation(), req); + scimUtils.patchUser(testUser.getId(), replace, updates, BAD_REQUEST); } @Test - public void testReplaceUsername() { + public void testPatchReplaceX509CertificateNotSupported() throws Exception { - final String ANOTHERUSER_USERNAME = "test"; + String certValue = testUser.getIndigoUser().getCertificates().get(0).getPemEncodedCertificate(); - ScimUser user = testUsers.get(0); + ScimX509Certificate cert = ScimX509Certificate.builder() + .display("NEW LABEL") + .pemEncodedCertificate(certValue) + .primary(true) + .build(); - ScimUserPatchRequest req = - getPatchReplaceRequest(ScimUser.builder().userName(ANOTHERUSER_USERNAME).build()); + ScimUser updates = ScimUser.builder().addX509Certificate(cert).build(); - restUtils.doPatch(user.getMeta().getLocation(), req, HttpStatus.CONFLICT); + scimUtils.patchUser(testUser.getId(), replace, updates, HttpStatus.BAD_REQUEST); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchTests.java index 0b25042c3..1d8c980c3 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningPatchTests.java @@ -1,636 +1,439 @@ package it.infn.mw.iam.test.scim.user; -import static it.infn.mw.iam.test.TestUtils.passwordTokenGetter; +import static it.infn.mw.iam.api.scim.model.ScimPatchOperation.ScimPatchOperationType.add; +import static it.infn.mw.iam.api.scim.model.ScimPatchOperation.ScimPatchOperationType.remove; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_WRITE_SCOPE; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasSize; +import static org.hamcrest.Matchers.notNullValue; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertThat; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import java.util.Base64; +import java.util.List; +import java.util.Optional; + +import javax.transaction.Transactional; import org.junit.After; import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.http.HttpStatus; +import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.api.scim.model.ScimConstants; import it.infn.mw.iam.api.scim.model.ScimIndigoUser; import it.infn.mw.iam.api.scim.model.ScimName; -import it.infn.mw.iam.api.scim.model.ScimOidcId; -import it.infn.mw.iam.api.scim.model.ScimSamlId; import it.infn.mw.iam.api.scim.model.ScimSshKey; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.api.scim.model.ScimX509Certificate; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) -@WebIntegrationTest -public class ScimUserProvisioningPatchTests { - - private String accessToken; - private ScimRestUtils restUtils; - private ScimUser lennon; - private ScimUser lincoln; +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration +@Transactional +@WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) +public class ScimUserProvisioningPatchTests extends ScimUserTestSupport { - @BeforeClass - public static void init() { + @Autowired + private ScimRestUtilsMvc scimUtils; - JacksonUtils.initRestAssured(); - } + @Autowired + private IamAccountRepository accountRepo; - @Before - public void initAccessToken() { + @Autowired + private PasswordEncoder encoder; - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write"); - restUtils = ScimRestUtils.getInstance(accessToken); + private final String PICTURE_URL = "http://iosicongallery.com/img/512/angry-birds-2-2016.png"; - lennon = addTestUser("john_lennon", "lennon@email.test", "John", "Lennon"); - lincoln = addTestUser("abraham_lincoln", "lincoln@email.test", "Abraham", "Lincoln"); + private ScimUser lennon; + private ScimUser lincoln; - } + @Before + public void setup() throws Exception { - private ScimUser addTestUser(final String userName, final String email, final String firstName, - final String LastName) { - - return restUtils - .doPost("/scim/Users/", - ScimUser.builder(userName) - .buildEmail(email) - .buildName(firstName, LastName) - .active(true) - .build()) - .extract() - .as(ScimUser.class); + lennon = createScimUser("john_lennon", "lennon@email.test", "John", "Lennon"); + lincoln = createScimUser("abraham_lincoln", "lincoln@email.test", "Abraham", "Lincoln"); } @After - public void testsTeardown() { - - restUtils.deleteUsers(lennon, lincoln); - } - - private ScimUserPatchRequest getPatchAddRequest(final ScimUser updates) { - - return ScimUserPatchRequest.builder().add(updates).build(); - } - - private ScimUserPatchRequest getPatchRemoveRequest(final ScimUser updates) { + public void teardown() throws Exception { - return ScimUserPatchRequest.builder().remove(updates).build(); - } - - private ScimUserPatchRequest getPatchReplaceRequest(final ScimUser updates) { - - return ScimUserPatchRequest.builder().replace(updates).build(); + deleteScimUser(lennon); + deleteScimUser(lincoln); } @Test - public void testPatchUserInfo() { + public void testPatchUserInfo() throws Exception { ScimName name = ScimName.builder().givenName("John jr.").familyName("Lennon II").build(); /* * Update: - email - username - active - name - address */ - ScimUser lennon_update = ScimUser.builder("john_lennon_jr") + ScimUser lennon_updates = ScimUser.builder("john_lennon_jr") .buildEmail("john_lennon_jr@email.com") .active(!lennon.getActive()) .name(name) .build(); - ScimUserPatchRequest req = getPatchAddRequest(lennon_update); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("userName", equalTo(lennon_update.getUserName())) - .body("displayName", equalTo(lennon_update.getUserName())) - .body("name.givenName", equalTo(name.getGivenName())) - .body("name.familyName", equalTo(name.getFamilyName())) - .body("name.middleName", equalTo(name.getMiddleName())) - .body("name.formatted", equalTo(name.getFormatted())) - .body("active", equalTo(lennon_update.getActive())) - .body("emails", hasSize(equalTo(1))) - .body("emails[0].value", equalTo(lennon_update.getEmails().get(0).getValue())); + scimUtils.patchUser(lennon.getId(), add, lennon_updates); + + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getId(), equalTo(lennon.getId())); + assertThat(updatedUser.getUserName(), equalTo(lennon_updates.getUserName())); + assertThat(updatedUser.getDisplayName(), equalTo(lennon_updates.getUserName())); + assertThat(updatedUser.getName().getGivenName(), + equalTo(lennon_updates.getName().getGivenName())); + assertThat(updatedUser.getName().getMiddleName(), + equalTo(lennon_updates.getName().getMiddleName())); + assertThat(updatedUser.getName().getFamilyName(), + equalTo(lennon_updates.getName().getFamilyName())); + assertThat(updatedUser.getActive(), equalTo(lennon_updates.getActive())); + assertThat(updatedUser.getEmails(), hasSize(equalTo(1))); + assertThat(updatedUser.getEmails().get(0).getValue(), + equalTo(lennon_updates.getEmails().get(0).getValue())); } @Test - public void testAddReassignAndRemoveOidcId() { + public void testAddReassignAndRemoveOidcId() throws Exception { - ScimIndigoUser indigoUser = ScimIndigoUser.builder() - .addOidcid(ScimOidcId.builder().issuer("test_issuer").subject("test_subject").build()) - .build(); + ScimIndigoUser indigoUser = ScimIndigoUser.builder().addOidcid(OIDCID_TEST).build(); ScimUser updateOidcId = ScimUser.builder().indigoUserInfo(indigoUser).build(); - ScimUserPatchRequest req = getPatchAddRequest(updateOidcId); + scimUtils.patchUser(lennon.getId(), add, updateOidcId); - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].issuer", - equalTo(indigoUser.getOidcIds().stream().findFirst().get().getIssuer())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].subject", - equalTo(indigoUser.getOidcIds().stream().findFirst().get().getSubject())); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getOidcIds().get(0).getIssuer(), + equalTo(OIDCID_TEST.getIssuer())); + assertThat(updatedUser.getIndigoUser().getOidcIds().get(0).getSubject(), + equalTo(OIDCID_TEST.getSubject())); /* lincoln tryes to add the oidc account: */ - restUtils.doPatch(lincoln.getMeta().getLocation(), req, HttpStatus.CONFLICT); + scimUtils.patchUser(lincoln.getId(), add, updateOidcId, HttpStatus.CONFLICT); /* Remove oidc account */ - req = getPatchRemoveRequest(updateOidcId); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()).body("id", equalTo(lennon.getId())).body( - "urn:indigo-dc:scim:schemas:IndigoUser", equalTo(null)); + scimUtils.patchUser(lennon.getId(), remove, updateOidcId); + updatedUser = scimUtils.getUser(lennon.getId()); + assertNull(updatedUser.getIndigoUser()); } @Test - public void testAddReassignAndRemoveSamlId() { + public void testAddReassignAndRemoveSamlId() throws Exception { - ScimIndigoUser indigoUser = ScimIndigoUser.builder() - .addSamlId(ScimSamlId.builder().idpId("test_idp").userId("test_user").build()) + ScimUser updateSamlId = ScimUser.builder() + .indigoUserInfo(ScimIndigoUser.builder().addSamlId(SAMLID_TEST).build()) .build(); - ScimUser updateSamlId = ScimUser.builder().indigoUserInfo(indigoUser).build(); + scimUtils.patchUser(lennon.getId(), add, updateSamlId); - ScimUserPatchRequest req = getPatchAddRequest(updateSamlId); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds[0].idpId", - equalTo(indigoUser.getSamlIds().stream().findFirst().get().getIdpId())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds[0].userId", - equalTo(indigoUser.getSamlIds().stream().findFirst().get().getUserId())); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getIndigoUser().getSamlIds(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getSamlIds().get(0).getIdpId(), + equalTo(SAMLID_TEST.getIdpId())); + assertThat(updatedUser.getIndigoUser().getSamlIds().get(0).getUserId(), + equalTo(SAMLID_TEST.getUserId())); /* lincoln tryes to add the oidc account: */ - restUtils.doPatch(lincoln.getMeta().getLocation(), req, HttpStatus.CONFLICT); + scimUtils.patchUser(lincoln.getId(), add, updateSamlId, HttpStatus.CONFLICT); /* Remove oidc account */ - req = getPatchRemoveRequest(updateSamlId); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()).body("id", equalTo(lennon.getId())).body( - "urn:indigo-dc:scim:schemas:IndigoUser", equalTo(null)); + scimUtils.patchUser(lennon.getId(), remove, updateSamlId); + updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getId(), equalTo(lennon.getId())); + assertNull(updatedUser.getIndigoUser()); } @Test - @Ignore - @Deprecated - public void testRemoveNotExistingOidcId() { + public void testRemoveNotExistingOidcId() throws Exception { - ScimUser lennon_update = ScimUser.builder() - .indigoUserInfo(ScimIndigoUser.builder() - .addOidcid(ScimOidcId.builder().issuer("test_issuer").subject("test_subject").build()) - .build()) + ScimUser updates = ScimUser.builder() + .indigoUserInfo(ScimIndigoUser.builder().addOidcid(OIDCID_TEST).build()) .build(); - ScimUserPatchRequest req = getPatchRemoveRequest(lennon_update); - - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.NOT_FOUND); - + scimUtils.patchUser(lennon.getId(), remove, updates); } @Test - public void testAddInvalidBase64X509Certificate() { + public void testAddInvalidBase64X509Certificate() throws Exception { - ScimUser lennon_update = ScimUser.builder() - .buildX509Certificate("Personal Certificate", "This is not a certificate", true) + ScimX509Certificate cert = ScimX509Certificate.builder() + .display("Personal Certificate") + .pemEncodedCertificate("This is not a certificate") + .primary(true) .build(); - ScimUserPatchRequest req = getPatchAddRequest(lennon_update); - - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.BAD_REQUEST); + ScimUser lennon_update = ScimUser.builder().addX509Certificate(cert).build(); + scimUtils.patchUser(lennon.getId(), add, lennon_update, HttpStatus.BAD_REQUEST); } @Test - public void testAddInvalidX509Certificate() { + public void testAddInvalidX509Certificate() throws Exception { String certificate = Base64.getEncoder().encodeToString("this is not a certificate".getBytes()); - ScimUser lennon_update = - ScimUser.builder().buildX509Certificate("Personal Certificate", certificate, true).build(); - - ScimUserPatchRequest req = getPatchAddRequest(lennon_update); + ScimX509Certificate cert = ScimX509Certificate.builder() + .display("Personal Certificate") + .pemEncodedCertificate(certificate) + .primary(true) + .build(); - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.BAD_REQUEST); + ScimUser lennon_update = ScimUser.builder().addX509Certificate(cert).build(); + scimUtils.patchUser(lennon.getId(), add, lennon_update, HttpStatus.BAD_REQUEST); } @Test - public void testAddAndRemoveX509Certificate() { + public void testAddAndRemoveX509Certificate() throws Exception { - ScimUser lennon_update = ScimUser.builder() - .buildX509Certificate("Personal Certificate", TestUtils.x509Certs.get(0).certificate, true) - .build(); + ScimUser lennon_update = ScimUser.builder().addX509Certificate(X509CERT_TEST).build(); - ScimUserPatchRequest req = getPatchAddRequest(lennon_update); + scimUtils.patchUser(lennon.getId(), add, lennon_update); - restUtils.doPatch(lennon.getMeta().getLocation(), req); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + List updatedUserCertList = updatedUser.getIndigoUser().getCertificates(); - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body("x509Certificates", hasSize(equalTo(1))) - .body("x509Certificates[0].value", equalTo(TestUtils.x509Certs.get(0).certificate)); + assertThat(updatedUserCertList, hasSize(equalTo(1))); + assertThat(updatedUserCertList.get(0).getPemEncodedCertificate(), + equalTo(X509CERT_TEST.getPemEncodedCertificate())); + assertThat(updatedUserCertList.get(0).getDisplay(), equalTo(X509CERT_TEST.getDisplay())); - ScimUser lennon_remove = ScimUser.builder() - .buildX509Certificate(null, TestUtils.x509Certs.get(0).certificate, null) + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(null) + .pemEncodedCertificate(X509CERT_TEST.getPemEncodedCertificate()) .build(); - req = getPatchRemoveRequest(lennon_remove); - - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.NO_CONTENT); + ScimUser lennon_remove = ScimUser.builder().addX509Certificate(cert).build(); - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body("x509Certificates", equalTo(null)); + scimUtils.patchUser(lennon.getId(), remove, lennon_remove); + updatedUser = scimUtils.getUser(lennon.getId()); + assertNull(updatedUser.getIndigoUser()); } @Test - public void testPatchUserPassword() { + public void testPatchUserPassword() throws Exception { + + final String NEW_PASSWORD = "new_password"; - ScimUser patchedPasswordUser = ScimUser.builder().password("new_password").build(); + ScimUser patchedPasswordUser = ScimUser.builder().password(NEW_PASSWORD).build(); - restUtils.doPatch(lennon.getMeta().getLocation(), - ScimUserPatchRequest.builder().add(patchedPasswordUser).build()); + scimUtils.patchUser(lennon.getId(), add, patchedPasswordUser); - passwordTokenGetter().scope("openid") - .username("john_lennon") - .password("new_password") - .getAccessToken(); + Optional lennonAccount = accountRepo.findByUuid(lennon.getId()); + if (!lennonAccount.isPresent()) { + Assert.fail("Account not found"); + } + assertThat(lennonAccount.get().getPassword(), notNullValue()); + assertThat(encoder.matches(NEW_PASSWORD, lennonAccount.get().getPassword()), equalTo(true)); } @Test - public void testAddReassignAndRemoveSshKey() { + public void testAddReassignAndRemoveSshKey() throws Exception { - ScimUser updateSshKey = ScimUser.builder() - .buildSshKey("Personal", TestUtils.sshKeys.get(0).key, null, true) - .build(); + ScimUser updateSshKey = ScimUser.builder().addSshKey(SSHKEY_TEST).build(); - restUtils.doPatch(lennon.getMeta().getLocation(), getPatchAddRequest(updateSshKey)); + scimUtils.patchUser(lennon.getId(), add, updateSshKey); - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("Personal")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].primary", equalTo(true)); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getValue(), + equalTo(SSHKEY_TEST.getValue())); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getDisplay(), + equalTo(SSHKEY_TEST.getDisplay())); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getFingerprint(), + equalTo(SSHKEY_TEST_FINGERPRINT)); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).isPrimary(), equalTo(true)); /* lincoln tryes to add the lennon ssh key: */ - restUtils.doPatch(lincoln.getMeta().getLocation(), getPatchAddRequest(updateSshKey), - HttpStatus.CONFLICT); - - restUtils.doPatch(lennon.getMeta().getLocation(), getPatchRemoveRequest(updateSshKey)); + scimUtils.patchUser(lincoln.getId(), add, updateSshKey, HttpStatus.CONFLICT); + scimUtils.patchUser(lennon.getId(), remove, updateSshKey); } @Test - public void testAddSshKeyWithInvalidBase64Value() { + public void testAddSshKeyWithInvalidBase64Value() throws Exception { - ScimUserPatchRequest req = getPatchAddRequest( - ScimUser.builder().buildSshKey("Personal", "Non Base64 String", null, true).build()); + ScimSshKey SSHKEY_INVALID_BASE64_VALUE = + ScimSshKey.builder().display("Personal").value("Non Base64 String").primary(true).build(); - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.BAD_REQUEST) - .body("status", equalTo("400")) - .body("detail", - equalTo("Error during fingerprint generation: RSA key is not base64 encoded")); + ScimUser updateSshKey = ScimUser.builder().addSshKey(SSHKEY_INVALID_BASE64_VALUE).build(); + scimUtils.patchUser(lennon.getId(), add, updateSshKey, HttpStatus.BAD_REQUEST) + .andExpect(jsonPath("$.status", equalTo("400"))) + .andExpect(jsonPath("$.detail", + equalTo("Error during fingerprint generation: RSA key is not base64 encoded"))); } @Test - @Ignore - public void testRemoveSshKeyWithLabel() { - - ScimUserPatchRequest req = getPatchAddRequest(ScimUser.builder() - .buildSshKey("Personal", TestUtils.sshKeys.get(0).key, null, true) - .build()); + public void testRemoveSshKeyWithValue() throws Exception { - restUtils.doPatch(lennon.getMeta().getLocation(), req); + ScimUser updateSshKey = ScimUser.builder().addSshKey(SSHKEY_TEST).build(); - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("Personal")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)); + scimUtils.patchUser(lennon.getId(), add, updateSshKey); - req = getPatchRemoveRequest(ScimUser.builder() + updateSshKey = ScimUser.builder() .indigoUserInfo(ScimIndigoUser.builder() - .addSshKey(ScimSshKey.builder().display("Personal").build()) + .addSshKey(ScimSshKey.builder().value(SSHKEY_TEST.getValue()).build()) .build()) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.NO_CONTENT); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body("urn:indigo-dc:scim:schemas:IndigoUser", equalTo(null)); - - } + .build(); - @Test - @Ignore - public void testRemoveSshKeyWithFingerprint() { - - ScimUserPatchRequest req = getPatchAddRequest(ScimUser.builder() - .buildSshKey("Personal", TestUtils.sshKeys.get(0).key, null, true) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("Personal")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)); - - req = - getPatchRemoveRequest( - ScimUser.builder() - .indigoUserInfo(ScimIndigoUser.builder() - .addSshKey(ScimSshKey.builder() - .fingerprint(TestUtils.sshKeys.get(0).fingerprintSHA256) - .build()) - .build()) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.NO_CONTENT); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body("urn:indigo-dc:scim:schemas:IndigoUser", equalTo(null)); + scimUtils.patchUser(lennon.getId(), remove, updateSshKey); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertNull(updatedUser.getIndigoUser()); } @Test - public void testRemoveSshKeyWithValue() { - - ScimUserPatchRequest req = getPatchAddRequest(ScimUser.builder() - .buildSshKey("Personal", TestUtils.sshKeys.get(0).key, null, true) - .build()); + public void testAddOidcIdDuplicateInASingleRequest() throws Exception { - restUtils.doPatch(lennon.getMeta().getLocation(), req); + ScimUser updates = ScimUser.builder().addOidcId(OIDCID_TEST).addOidcId(OIDCID_TEST).build(); - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("Personal")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)); - - req = getPatchRemoveRequest(ScimUser.builder() - .indigoUserInfo(ScimIndigoUser.builder() - .addSshKey(ScimSshKey.builder().value(TestUtils.sshKeys.get(0).key).build()) - .build()) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.NO_CONTENT); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body("urn:indigo-dc:scim:schemas:IndigoUser", equalTo(null)); + scimUtils.patchUser(lennon.getId(), add, updates); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getId(), equalTo(lennon.getId())); + assertThat(updatedUser.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getOidcIds().get(0).getIssuer(), + equalTo(OIDCID_TEST.getIssuer())); + assertThat(updatedUser.getIndigoUser().getOidcIds().get(0).getSubject(), + equalTo(OIDCID_TEST.getSubject())); } @Test - public void testAddOidcIdDuplicateInASingleRequest() { - - ScimIndigoUser indigoUser = ScimIndigoUser.builder() - .addOidcid(ScimOidcId.builder().issuer("test_issuer").subject("test_subject").build()) - .addOidcid(ScimOidcId.builder().issuer("test_issuer").subject("test_subject").build()) - .build(); + public void testAddSshKeyDuplicateInASingleRequest() throws Exception { - ScimUserPatchRequest req = - getPatchAddRequest(ScimUser.builder().indigoUserInfo(indigoUser).build()); + ScimUser updates = ScimUser.builder().addSshKey(SSHKEY_TEST).addSshKey(SSHKEY_TEST).build(); - restUtils.doPatch(lennon.getMeta().getLocation(), req); + scimUtils.patchUser(lennon.getId(), add, updates); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getValue(), + equalTo(SSHKEY_TEST.getValue())); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getDisplay(), + equalTo(SSHKEY_TEST.getDisplay())); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getFingerprint(), + equalTo(SSHKEY_TEST_FINGERPRINT)); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).isPrimary(), equalTo(true)); } @Test - public void testAddSshKeyDuplicateInASingleRequest() { - - ScimSshKey sshKey = - ScimSshKey.builder().display("Personal key").value(TestUtils.sshKeys.get(0).key).build(); - - ScimIndigoUser indigoUser = - ScimIndigoUser.builder().addSshKey(sshKey).addSshKey(sshKey).build(); + public void testAddSamlIdDuplicateInASingleRequest() throws Exception { - ScimUserPatchRequest req = - getPatchAddRequest(ScimUser.builder().indigoUserInfo(indigoUser).build()); + ScimUser updates = ScimUser.builder().addSamlId(SAMLID_TEST).addSamlId(SAMLID_TEST).build(); - restUtils.doPatch(lennon.getMeta().getLocation(), req); + scimUtils.patchUser(lennon.getId(), add, updates); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getIndigoUser().getSamlIds(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getSamlIds().get(0).getIdpId(), + equalTo(SAMLID_TEST.getIdpId())); + assertThat(updatedUser.getIndigoUser().getSamlIds().get(0).getUserId(), + equalTo(SAMLID_TEST.getUserId())); } @Test - public void testAddSamlIdDuplicateInASingleRequest() { + public void testAddX509DuplicateInASingleRequest() throws Exception { - ScimIndigoUser indigoUser = ScimIndigoUser.builder() - .addSamlId(ScimSamlId.builder().idpId("Idp Test ID").userId("User Test Id").build()) - .addSamlId(ScimSamlId.builder().idpId("Idp Test ID").userId("User Test Id").build()) + ScimUser updates = ScimUser.builder() + .addX509Certificate(X509CERT_TEST) + .addX509Certificate(X509CERT_TEST) .build(); - ScimUserPatchRequest req = - getPatchAddRequest(ScimUser.builder().indigoUserInfo(indigoUser).build()); + scimUtils.patchUser(lennon.getId(), add, updates); - restUtils.doPatch(lennon.getMeta().getLocation(), req); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + List updatedUserCertList = updatedUser.getIndigoUser().getCertificates(); + assertThat(updatedUserCertList, hasSize(equalTo(1))); + assertThat(updatedUserCertList.get(0).getPemEncodedCertificate(), + equalTo(X509CERT_TEST.getPemEncodedCertificate())); + assertThat(updatedUserCertList.get(0).getDisplay(), equalTo(X509CERT_TEST.getDisplay())); } @Test - public void testAddX509DuplicateInASingleRequest() { + public void testPatchAddOidIdAndSshKeyAndSamlId() throws Exception { - ScimUser lennon_update = ScimUser.builder() - .buildX509Certificate("Personal Certificate", TestUtils.x509Certs.get(0).certificate, true) - .buildX509Certificate("Personal Certificate", TestUtils.x509Certs.get(0).certificate, true) + ScimUser updates = ScimUser.builder() + .addX509Certificate(X509CERT_TEST) + .addOidcId(OIDCID_TEST) + .addSshKey(SSHKEY_TEST) + .addSamlId(SAMLID_TEST) .build(); - ScimUserPatchRequest req = getPatchAddRequest(lennon_update); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - + scimUtils.patchUser(lennon.getId(), add, updates); + + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + List updatedUserCertList = updatedUser.getIndigoUser().getCertificates(); + + assertThat(updatedUserCertList, hasSize(equalTo(1))); + assertThat(updatedUserCertList.get(0).getPemEncodedCertificate(), + equalTo(X509CERT_TEST.getPemEncodedCertificate())); + assertThat(updatedUserCertList.get(0).getDisplay(), equalTo(X509CERT_TEST.getDisplay())); + assertThat(updatedUser.getIndigoUser().getSamlIds(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getSamlIds().get(0).getIdpId(), + equalTo(SAMLID_TEST.getIdpId())); + assertThat(updatedUser.getIndigoUser().getSamlIds().get(0).getUserId(), + equalTo(SAMLID_TEST.getUserId())); + assertThat(updatedUser.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getValue(), + equalTo(SSHKEY_TEST.getValue())); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getDisplay(), + equalTo(SSHKEY_TEST.getDisplay())); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).getFingerprint(), + equalTo(SSHKEY_TEST_FINGERPRINT)); + assertThat(updatedUser.getIndigoUser().getSshKeys().get(0).isPrimary(), equalTo(true)); + assertThat(updatedUser.getIndigoUser().getOidcIds(), hasSize(equalTo(1))); + assertThat(updatedUser.getIndigoUser().getOidcIds().get(0).getIssuer(), + equalTo(OIDCID_TEST.getIssuer())); + assertThat(updatedUser.getIndigoUser().getOidcIds().get(0).getSubject(), + equalTo(OIDCID_TEST.getSubject())); } @Test - public void testPatchAddOidIdAndSshKeyAndSamlId() { - - ScimOidcId oidcId = ScimOidcId.builder().issuer("test_issuer").subject("test_subject").build(); - ScimSshKey sshKey = - ScimSshKey.builder().display("personal key").value(TestUtils.sshKeys.get(0).key).build(); - ScimSamlId samlId = ScimSamlId.builder().idpId("Idp Test ID").userId("User Test Id").build(); - - ScimUserPatchRequest req = getPatchAddRequest( - ScimUser.builder().addOidcId(oidcId).addSshKey(sshKey).addSamlId(samlId).build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].issuer", equalTo("test_issuer")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].subject", equalTo("test_subject")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("personal key")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds[0].idpId", equalTo("Idp Test ID")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds[0].userId", equalTo("User Test Id")); - - } - - @Test - @Ignore - public void testPatchSshKeyLabelAndPrimary() { - - ScimUserPatchRequest req = getPatchAddRequest(ScimUser.builder() - .buildSshKey("Personal", TestUtils.sshKeys.get(0).key, null, true) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - ScimUserPatchRequest req_update = getPatchReplaceRequest(ScimUser.builder() - .buildSshKey("New label", null, TestUtils.sshKeys.get(0).fingerprintSHA256, false) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req_update); - - /* expected primary = true because it's the only ssh key */ - restUtils.doGet(lennon.getMeta().getLocation()) - .body("id", equalTo(lennon.getId())) - .body("userName", equalTo(lennon.getUserName())) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("New label")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].primary", equalTo(true)); - - } - - @Test - @Ignore - public void testAddMultipleX509CertificateAndNoPrimary() { - - ScimUserPatchRequest req = getPatchAddRequest(ScimUser.builder() - .buildX509Certificate("Personal1", TestUtils.x509Certs.get(0).certificate, false) - .buildX509Certificate("Personal2", TestUtils.x509Certs.get(1).certificate, false) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("x509Certificates", hasSize(equalTo(2))) - .body("x509Certificates[0].display", equalTo("Personal1")) - .body("x509Certificates[0].value", equalTo(TestUtils.x509Certs.get(0).certificate)) - .body("x509Certificates[0].primary", equalTo(true)) - .body("x509Certificates[1].display", equalTo("Personal2")) - .body("x509Certificates[1].value", equalTo(TestUtils.x509Certs.get(1).certificate)) - .body("x509Certificates[1].primary", equalTo(false)); - - } - - @Test - @Ignore - public void testReplacePrimaryWithMultipleX509Certificate() { - - ScimUserPatchRequest req = getPatchAddRequest(ScimUser.builder() - .buildX509Certificate("Personal1", TestUtils.x509Certs.get(0).certificate, false) - .buildX509Certificate("Personal2", TestUtils.x509Certs.get(1).certificate, false) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("x509Certificates", hasSize(equalTo(2))) - .body("x509Certificates[0].display", equalTo("Personal1")) - .body("x509Certificates[0].value", equalTo(TestUtils.x509Certs.get(0).certificate)) - .body("x509Certificates[0].primary", equalTo(true)) - .body("x509Certificates[1].display", equalTo("Personal2")) - .body("x509Certificates[1].value", equalTo(TestUtils.x509Certs.get(1).certificate)) - .body("x509Certificates[1].primary", equalTo(false)); - - req = getPatchReplaceRequest(ScimUser.builder() - .buildX509Certificate("Personal1", TestUtils.x509Certs.get(0).certificate, false) - .buildX509Certificate("Personal2", TestUtils.x509Certs.get(1).certificate, true) - .build()); - - restUtils.doPatch(lennon.getMeta().getLocation(), req); - - restUtils.doGet(lennon.getMeta().getLocation()) - .body("x509Certificates", hasSize(equalTo(2))) - .body("x509Certificates[0].display", equalTo("Personal1")) - .body("x509Certificates[0].value", equalTo(TestUtils.x509Certs.get(0).certificate)) - .body("x509Certificates[0].primary", equalTo(false)) - .body("x509Certificates[1].display", equalTo("Personal2")) - .body("x509Certificates[1].value", equalTo(TestUtils.x509Certs.get(1).certificate)) - .body("x509Certificates[1].primary", equalTo(true)); - - } - - @Test - public void testEmailIsNotAlreadyLinkedOnPatch() { + public void testEmailIsNotAlreadyLinkedOnPatch() throws Exception { String alreadyBoundEmail = lincoln.getEmails().get(0).getValue(); - ScimUser lennonUpdates = ScimUser.builder("john_lennon").buildEmail(alreadyBoundEmail).build(); - - ScimUserPatchRequest req = getPatchAddRequest(lennonUpdates); + ScimUser lennonUpdates = ScimUser.builder().buildEmail(alreadyBoundEmail).build(); - restUtils.doPatch(lennon.getMeta().getLocation(), req, HttpStatus.CONFLICT).body("detail", - containsString("Email " + alreadyBoundEmail + " already bound to another user")); + scimUtils.patchUser(lennon.getId(), add, lennonUpdates, HttpStatus.CONFLICT) + .andExpect(jsonPath("$.detail", + containsString("Email " + alreadyBoundEmail + " already bound to another user"))); } @Test - public void testAddPicture() { - - final String pictureURL = "http://iosicongallery.com/img/512/angry-birds-2-2016.png"; - - ScimUserPatchRequest req = - getPatchAddRequest(ScimUser.builder().buildPhoto(pictureURL).build()); + public void testAddPicture() throws Exception { - restUtils.doPatch(lennon.getMeta().getLocation(), req); + ScimUser updates = ScimUser.builder().buildPhoto(PICTURE_URL).build(); - ScimUser updatedUser = - restUtils.doGet(lennon.getMeta().getLocation()).extract().as(ScimUser.class); + scimUtils.patchUser(lennon.getId(), add, updates); - Assert.assertTrue(!updatedUser.getPhotos().isEmpty()); - Assert.assertTrue(updatedUser.getPhotos().get(0).getValue().equals(pictureURL)); + ScimUser updatedUser = scimUtils.getUser(lennon.getId()); + assertThat(updatedUser.getPhotos(), hasSize(equalTo(1))); + assertThat(updatedUser.getPhotos().get(0).getValue(), equalTo(PICTURE_URL)); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningTests.java index d941b7243..19e594b52 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserProvisioningTests.java @@ -1,620 +1,256 @@ package it.infn.mw.iam.test.scim.user; -import static com.jayway.restassured.matcher.ResponseAwareMatcherComposer.and; -import static com.jayway.restassured.matcher.RestAssuredMatchers.endsWithPath; -import static it.infn.mw.iam.test.TestUtils.passwordTokenGetter; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE; +import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_WRITE_SCOPE; +import static it.infn.mw.iam.test.scim.ScimUtils.buildUser; +import static it.infn.mw.iam.test.scim.ScimUtils.buildUserWithUUID; +import static it.infn.mw.iam.test.scim.ScimUtils.getUserLocation; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.greaterThan; import static org.hamcrest.Matchers.hasSize; -import static org.hamcrest.Matchers.startsWith; -import static org.junit.Assert.assertNull; -import static org.junit.Assert.assertTrue; - -import java.util.UUID; +import static org.junit.Assert.assertThat; +import static org.springframework.http.HttpStatus.BAD_REQUEST; +import static org.springframework.http.HttpStatus.CONFLICT; +import static org.springframework.http.HttpStatus.NOT_FOUND; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import javax.transaction.Transactional; -import org.joda.time.format.DateTimeFormatter; -import org.joda.time.format.ISODateTimeFormat; -import org.junit.Before; -import org.junit.BeforeClass; +import org.hamcrest.Matchers; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.SpringApplicationConfiguration; -import org.springframework.boot.test.WebIntegrationTest; import org.springframework.http.HttpStatus; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; import it.infn.mw.iam.IamLoginService; -import it.infn.mw.iam.api.scim.model.ScimConstants; -import it.infn.mw.iam.api.scim.model.ScimIndigoUser; -import it.infn.mw.iam.api.scim.model.ScimSshKey; +import it.infn.mw.iam.api.scim.model.ScimEmail.ScimEmailType; +import it.infn.mw.iam.api.scim.model.ScimGroupRef; import it.infn.mw.iam.api.scim.model.ScimUser; -import it.infn.mw.iam.test.ScimRestUtils; -import it.infn.mw.iam.test.TestUtils; -import it.infn.mw.iam.test.util.JacksonUtils; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.scim.ScimRestUtilsMvc; +import it.infn.mw.iam.test.scim.ScimUtils; +import it.infn.mw.iam.test.util.WithMockOAuthUser; @RunWith(SpringJUnit4ClassRunner.class) -@SpringApplicationConfiguration(classes = IamLoginService.class) +@SpringApplicationConfiguration( + classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}) +@WebAppConfiguration @Transactional -@WebIntegrationTest -public class ScimUserProvisioningTests { - - private final DateTimeFormatter dateTimeFormatter = ISODateTimeFormat.dateTime(); - - private String accessToken; - private ScimRestUtils restUtils; - - @BeforeClass - public static void init() { +public class ScimUserProvisioningTests extends ScimUserTestSupport { - JacksonUtils.initRestAssured(); - } - - @Before - public void initAccessToken() { - - accessToken = TestUtils.getAccessToken("scim-client-rw", "secret", "scim:read scim:write"); - restUtils = ScimRestUtils.getInstance(accessToken); - } + @Autowired + private ScimRestUtilsMvc scimUtils; @Test - public void testGetUserNotFoundResponse() { + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE}) + public void testGetUserNotFoundResponse() throws Exception { - String randomUuid = UUID.randomUUID().toString(); + String randomUuid = getRandomUUid(); - restUtils.doGet("/scim/Users/" + randomUuid, HttpStatus.NOT_FOUND) - .body("status", equalTo("404")) - .body("detail", equalTo("No user mapped to id '" + randomUuid + "'")); + scimUtils.getUser(randomUuid, HttpStatus.NOT_FOUND) + .andExpect(jsonPath("$.status", equalTo("404"))) + .andExpect(jsonPath("$.detail", equalTo("No user mapped to id '" + randomUuid + "'"))); } @Test - public void testUpdateUserNotFoundResponse() { + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUpdateUserNotFoundResponse() throws Exception { - String randomUuid = UUID.randomUUID().toString(); + String randomUuid = getRandomUUid(); + ScimUser user = ScimUtils.buildUser("john_lennon", "lennon@email.test", "John", "Lennon"); - ScimUser user = ScimUser.builder("john_lennon") - .buildEmail("lennon@email.test") - .buildName("John", "Lennon") - .id(randomUuid) - .build(); - - restUtils.doPut("/scim/Users/" + randomUuid, user, HttpStatus.NOT_FOUND) - .body("status", equalTo("404")) - .body("detail", equalTo("No user mapped to id '" + randomUuid + "'")); + scimUtils.putUser(randomUuid, user, HttpStatus.NOT_FOUND) + .andExpect(jsonPath("$.status", equalTo("404"))) + .andExpect(jsonPath("$.detail", equalTo("No user mapped to id '" + randomUuid + "'"))); } - @SuppressWarnings("unchecked") @Test - public void testExistingUserAccess() { + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE}) + public void testExistingUserAccess() throws Exception { // Some existing user as defined in the test db - String userId = "80e5fb8d-b7c8-451a-89ba-346ae278a66f"; - - restUtils.doGet("/scim/Users/" + userId) - .body("id", equalTo(userId)) - .body("userName", equalTo("test")) - .body("displayName", equalTo("test")) - .body("active", equalTo(true)) - .body("name.formatted", equalTo("Test User")) - .body("name.givenName", equalTo("Test")) - .body("name.familyName", equalTo("User")) - .body("meta.resourceType", equalTo("User")) - .body("meta.location", equalTo("http://localhost:8080/scim/Users/" + userId)) - .body("emails", hasSize(equalTo(1))) - .body("emails[0].value", equalTo("test@iam.test")) - .body("emails[0].type", equalTo("work")) - .body("emails[0].primary", equalTo(true)) - .body("groups", hasSize(equalTo(2))) - .body("groups[0].$ref", - and(startsWith("http://localhost:8080/scim/Groups/"), endsWithPath("groups[0].value"))) - .body("groups[1].$ref", - and(startsWith("http://localhost:8080/scim/Groups/"), endsWithPath("groups[1].value"))) - .body("schemas", contains(ScimUser.USER_SCHEMA, ScimConstants.INDIGO_USER_SCHEMA)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", hasSize(greaterThan(0))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].issuer", - equalTo("https://accounts.google.com")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].subject", - equalTo("105440632287425289613")); - } + String uuid = "80e5fb8d-b7c8-451a-89ba-346ae278a66f"; - @Test - public void testUserCreationAccessDeletion() { - - String username = "paul_mccartney"; - - ScimUser user = ScimUser.builder() - .userName(username) - .buildEmail("test@email.test") - .buildName("Paul", "McCartney") + ScimGroupRef productionRef = ScimGroupRef.builder() + .display("Production") + .ref("http://localhost:8080/scim/Groups/c617d586-54e6-411d-8e38-64967798fa8a") + .value("c617d586-54e6-411d-8e38-64967798fa8a") .build(); - ScimUser createdUser = restUtils.doPost("/scim/Users/", user) - .statusCode(HttpStatus.CREATED.value()) - .extract() - .as(ScimUser.class); - - restUtils.doGet(createdUser.getMeta().getLocation()) - .body("id", equalTo(createdUser.getId())) - .body("userName", equalTo(createdUser.getUserName())) - .body("emails", hasSize(equalTo(1))) - .body("emails[0].value", equalTo(createdUser.getEmails().get(0).getValue())); + ScimGroupRef analysisRef = ScimGroupRef.builder() + .display("Analysis") + .ref("http://localhost:8080/scim/Groups/6a384bcd-d4b3-4b7f-a2fe-7d897ada0dd1") + .value("6a384bcd-d4b3-4b7f-a2fe-7d897ada0dd1") + .build(); - restUtils.doDelete(createdUser.getMeta().getLocation()); + ScimUser user = scimUtils.getUser(uuid); + + assertThat(user.getId(), equalTo(uuid)); + assertThat(user.getUserName(), equalTo("test")); + assertThat(user.getDisplayName(), equalTo("test")); + assertThat(user.getActive(), equalTo(true)); + assertThat(user.getName().getFamilyName(), equalTo("User")); + assertThat(user.getName().getGivenName(), equalTo("Test")); + assertThat(user.getName().getFormatted(), equalTo("Test User")); + assertThat(user.getMeta().getResourceType(), equalTo("User")); + assertThat(user.getMeta().getLocation(), + equalTo("http://localhost:8080" + getUserLocation(uuid))); + assertThat(user.getEmails(), hasSize(equalTo(1))); + assertThat(user.getEmails().get(0).getValue(), equalTo("test@iam.test")); + assertThat(user.getEmails().get(0).getType(), equalTo(ScimEmailType.work)); + assertThat(user.getEmails().get(0).getPrimary(), equalTo(true)); + assertThat(user.getGroups(), hasSize(equalTo(2))); + assertThat(user.getGroups(), contains(productionRef, analysisRef)); + assertThat(user.getIndigoUser().getOidcIds(), hasSize(greaterThan(0))); + assertThat(user.getIndigoUser().getOidcIds().get(0).getIssuer(), + equalTo("https://accounts.google.com")); + assertThat(user.getIndigoUser().getOidcIds().get(0).getSubject(), + equalTo("105440632287425289613")); } @Test - public void testEmptyUsernameValidationError() { - - String username = ""; + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testEmptyUsernameValidationError() throws Exception { - ScimUser user = ScimUser.builder(username) - .buildEmail("test@email.test") - .buildName("Paul", "McCartney") - .build(); + ScimUser user = buildUser("", "test@email.test", "Paul", "McCartney"); - restUtils.doPost("/scim/Users/", user, HttpStatus.BAD_REQUEST).body("detail", - containsString("scimUser.userName : may not be empty")); + scimUtils.postUser(user, HttpStatus.BAD_REQUEST) + .andExpect(jsonPath("$.status", equalTo("400"))) + .andExpect(jsonPath("$.detail", containsString("scimUser.userName : may not be empty"))); } @Test - public void testEmptyEmailValidationError() { + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testEmptyEmailValidationError() throws Exception { ScimUser user = ScimUser.builder("paul").buildName("Paul", "McCartney").build(); - restUtils.doPost("/scim/Users/", user, HttpStatus.BAD_REQUEST).body("detail", - containsString("scimUser.emails : may not be empty")); + scimUtils.postUser(user, HttpStatus.BAD_REQUEST) + .andExpect(jsonPath("$.status", equalTo("400"))) + .andExpect(jsonPath("$.detail", containsString("scimUser.emails : may not be empty"))); } @Test - public void testInvalidEmailValidationError() { + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testInvalidEmailValidationError() throws Exception { - ScimUser user = ScimUser.builder("paul") - .buildEmail("this_is_not_an_email") - .buildName("Paul", "McCartney") - .build(); + ScimUser user = buildUser("paul", "this_is_not_an_email", "Paul", "McCartney"); - restUtils.doPost("/scim/Users/", user, HttpStatus.BAD_REQUEST).body("detail", - containsString("scimUser.emails[0].value : not a well-formed email address")); + scimUtils.postUser(user, HttpStatus.BAD_REQUEST) + .andExpect(jsonPath("$.status", equalTo("400"))) + .andExpect(jsonPath("$.detail", + containsString("scimUser.emails[0].value : not a well-formed email address"))); } @Test - public void testUserUpdateChangeUsername() { + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUserUpdateChangeUsername() throws Exception { - ScimUser user = ScimUser.builder("john_lennon") - .buildEmail("lennon@email.test") - .buildName("John", "Lennon") - .build(); - - ScimUser createdUser = restUtils.doPost("/scim/Users/", user).extract().as(ScimUser.class); - - ScimUser updatedUser = ScimUser.builder("j.lennon") - .id(user.getId()) - .buildEmail("lennon@email.test") - .buildName("John", "Lennon") - .active(true) - .build(); + ScimUser user = buildUser("john_lennon", "lennon@email.test", "John", "Lennon"); + ScimUser createdUser = scimUtils.postUser(user); long creationTimeMs = createdUser.getMeta().getCreated().getTime(); - String returnedCreationTime = restUtils.doPut(createdUser.getMeta().getLocation(), updatedUser) - .body("id", equalTo(createdUser.getId())) - .body("userName", equalTo("j.lennon")) - .body("emails[0].value", equalTo(createdUser.getEmails().get(0).getValue())) - .body("active", equalTo(true)) - .extract() - .path("meta.created"); - - long returnedTimeMs = dateTimeFormatter.parseDateTime(returnedCreationTime).getMillis(); - - // We need to do this since milliseconds are truncated for the creation time in MySQL - assertTrue(Math.abs(returnedTimeMs - creationTimeMs) <= 1000); - - restUtils.doDelete(createdUser.getMeta().getLocation()); - - } - - @Test - public void testUpdateUserValidation() { - - ScimUser user = ScimUser.builder("john_lennon") - .buildEmail("lennon@email.test") - .buildName("John", "Lennon") - .build(); - - ScimUser createdUser = restUtils.doPost("/scim/Users/", user).extract().as(ScimUser.class); - - ScimUser updatedUser = ScimUser.builder("j.lennon").id(user.getId()).active(true).build(); - - restUtils.doPut(createdUser.getMeta().getLocation(), updatedUser, HttpStatus.BAD_REQUEST) - .body("detail", containsString("scimUser.emails : may not be empty")); - - restUtils.doDelete(createdUser.getMeta().getLocation()); - } - - @Test - public void testNonExistentUserDeletionReturns404() { - - String randomUserLocation = "http://localhost:8080/scim/Users/" + UUID.randomUUID().toString(); - - restUtils.doDelete(randomUserLocation, HttpStatus.NOT_FOUND); - - } - - @Test - public void testUserCreationWithPassword() { - - ScimUser user = ScimUser.builder("user_with_password") - .buildEmail("up@test.org") - .buildName("User", "With Password") - .password("a_password") - .active(true) - .build(); - - ScimUser creationResult = restUtils.doPost("/scim/Users/", user).extract().as(ScimUser.class); - - assertNull(creationResult.getPassword()); - - passwordTokenGetter().scope("openid") - .username("user_with_password") - .password("a_password") - .getAccessToken(); - - restUtils.doDelete(creationResult.getMeta().getLocation()); - } - - @Test - public void testUpdateUsernameChecksValidation() { - - ScimUser lennon = ScimUser.builder("john_lennon") - .buildEmail("lennon@email.test") - .buildName("John", "Lennon") - .build(); - - ScimUser lennonCreationResult = - restUtils.doPost("/scim/Users/", lennon).extract().as(ScimUser.class); - - ScimUser mccartney = ScimUser.builder("paul_mccartney") - .buildEmail("test@email.test") - .buildName("Paul", "McCartney") - .build(); - - ScimUser mccartneyCreationResult = - restUtils.doPost("/scim/Users/", mccartney).extract().as(ScimUser.class); - - ScimUser lennonWantsToBeMcCartney = ScimUser.builder("paul_mccartney") - .id(lennon.getId()) - .buildEmail("lennon@email.test") - .buildName("John", "Lennon") - .build(); - - restUtils - .doPut(lennonCreationResult.getMeta().getLocation(), lennonWantsToBeMcCartney, - HttpStatus.CONFLICT) - .body("detail", containsString("username paul_mccartney already assigned to another user")); - - restUtils.doDelete(lennonCreationResult.getMeta().getLocation()); - restUtils.doDelete(mccartneyCreationResult.getMeta().getLocation()); - - } - - @Test - public void testUserCreationWithOidcAccount() { - - ScimUser user = ScimUser.builder("user_with_oidc") - .buildEmail("test_user@test.org") - .buildName("User", "With OIDC Account") - .buildOidcId("urn:oidc:test:issuer", "1234") - .active(true) - .build(); - - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].issuer", - equalTo("urn:oidc:test:issuer")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].subject", equalTo("1234")) - .extract() - .as(ScimUser.class); - - restUtils.doGet(creationResult.getMeta().getLocation()) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].issuer", - equalTo("urn:oidc:test:issuer")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].subject", equalTo("1234")); - - restUtils.doDelete(creationResult.getMeta().getLocation()); - } - - @Test - public void testUserCreationWithStolenOidcAccountFailure() { - - ScimUser user = ScimUser.builder("user_with_oidc") - .buildEmail("test_user@test.org") - .buildName("User", "With OIDC Account") - .buildOidcId("urn:oidc:test:issuer", "1234") - .active(true) - .build(); - - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].issuer", - equalTo("urn:oidc:test:issuer")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".oidcIds[0].subject", equalTo("1234")) - .extract() - .as(ScimUser.class); - - ScimUser anotherUser = ScimUser.builder("another_user_with_oidc") - .buildEmail("another_test_user@test.org") - .buildName("Another User", "With OIDC Account") - .buildOidcId("urn:oidc:test:issuer", "1234") - .active(true) - .build(); - - restUtils.doPost("/scim/Users/", anotherUser, HttpStatus.CONFLICT).body("detail", - containsString("already bounded to another user")); + ScimUser userWithUpdates = + buildUserWithUUID(createdUser.getId(), "j.lennon", user.getEmails().get(0).getValue(), + user.getName().getGivenName(), user.getName().getFamilyName()); - restUtils.doDelete(creationResult.getMeta().getLocation()); + ScimUser updatedUser = scimUtils.putUser(userWithUpdates.getId(), userWithUpdates); - } + assertThat(updatedUser.getUserName(), equalTo(userWithUpdates.getUserName())); + long returnedTimeMs = updatedUser.getMeta().getCreated().getTime(); - @Test - public void testUserCreationWithSshKey() { - - ScimUser user = ScimUser.builder("user_with_sshkey") - .buildEmail("test_user@test.org") - .buildName("User", "With ssh key Account") - .buildSshKey("Personal", TestUtils.sshKeys.get(0).key, null, true) - .active(true) - .build(); - - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("Personal")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].primary", equalTo(true)) - .extract() - .as(ScimUser.class); - - restUtils.doGet(creationResult.getMeta().getLocation()) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("Personal")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].primary", equalTo(true)); - - restUtils.doDelete(creationResult.getMeta().getLocation()); - } - - @Test - public void testUserCreationWithSshKeyValueOnly() { - - ScimUser user = ScimUser.builder("user_with_sshkey") - .buildEmail("test_user@test.org") - .buildName("User", "With ssh key Account") - .indigoUserInfo(ScimIndigoUser.builder() - .addSshKey(ScimSshKey.builder().value(TestUtils.sshKeys.get(0).key).build()) - .build()) - .active(true) - .build(); - - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", - equalTo(user.getUserName() + "'s personal ssh key")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].primary", equalTo(true)) - .extract() - .as(ScimUser.class); - - restUtils.doDelete(creationResult.getMeta().getLocation()); + // We need to do this since milliseconds are truncated for the creation time in MySQL + assertThat(Math.abs(returnedTimeMs - creationTimeMs), Matchers.lessThan(Long.valueOf(1000))); } @Test - public void testUserCreationWithStolenSshKeyFailure() { - - ScimUser user = ScimUser.builder("user_with_sshkey") - .buildEmail("test_user@test.org") - .buildName("User", "With ssh key") - .buildSshKey("Personal", TestUtils.sshKeys.get(0).key, null, true) - .active(true) - .build(); + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUpdateUserValidation() throws Exception { - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].display", equalTo("Personal")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].value", - equalTo(TestUtils.sshKeys.get(0).key)) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".sshKeys[0].fingerprint", - equalTo(TestUtils.sshKeys.get(0).fingerprintSHA256)) - .extract() - .as(ScimUser.class); - - ScimUser anotherUser = ScimUser.builder("another_user_with_sshkey") - .buildEmail("another_test_user@test.org") - .buildName("Another User", "With ssh key") - .buildSshKey("Personal", TestUtils.sshKeys.get(0).key, null, true) - .active(true) - .build(); + ScimUser user = buildUser("john_lennon", "lennon@email.test", "John", "Lennon"); - restUtils.doPost("/scim/Users/", anotherUser, HttpStatus.CONFLICT).body("detail", - containsString("already bounded to another user")); + scimUtils.postUser(user); - restUtils.doDelete(creationResult.getMeta().getLocation()); + ScimUser userWithUpdates = ScimUser.builder("j.lennon").id(user.getId()).active(true).build(); + scimUtils.putUser(user.getId(), userWithUpdates, BAD_REQUEST) + .andExpect(jsonPath("$.detail", containsString("scimUser.emails : may not be empty"))); } @Test - public void testUserCreationWithSamlId() { - - ScimUser user = ScimUser.builder("user_with_samlId") - .buildEmail("test_user@test.org") - .buildName("User", "With saml id Account") - .buildSamlId("IdpID", "UserID") - .active(true) - .build(); - - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds[0].idpId", equalTo("IdpID")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds[0].userId", equalTo("UserID")) - .extract() - .as(ScimUser.class); + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testNonExistentUserDeletionReturns404() throws Exception { - restUtils.doGet(creationResult.getMeta().getLocation()) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds", hasSize(equalTo(1))) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds[0].idpId", equalTo("IdpID")) - .body(ScimConstants.INDIGO_USER_SCHEMA + ".samlIds[0].userId", equalTo("UserID")); - - restUtils.doDelete(creationResult.getMeta().getLocation()); + scimUtils.deleteUser(getRandomUUid(), NOT_FOUND); } @Test - public void testUniqueUsernameCreationCheck() { - - ScimUser user = ScimUser.builder("user1") - .buildEmail("user1@test.org") - .buildName("User", "1") - .active(true) - .build(); + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testReplaceUserWithAlreadyUsedUsername() throws Exception { - ScimUser creationResult = restUtils.doPost("/scim/Users", user).extract().as(ScimUser.class); - restUtils.doPost("/scim/Users", user, HttpStatus.CONFLICT); + ScimUser lennon = buildUser("john_lennon", "lennon@email.test", "John", "Lennon"); - restUtils.doDelete(creationResult.getMeta().getLocation()); - } + ScimUser lennonCreationResult = scimUtils.postUser(lennon); + ScimUser mccartney = buildUser("paul_mccartney", "test@email.test", "Paul", "McCartney"); - @Test - public void testUserCreationWithX509Certificate() { - - ScimUser user = ScimUser.builder("user_with_x509") - .buildEmail("test_user@test.org") - .buildName("User", "With x509 Certificate") - .buildX509Certificate("Personal1", TestUtils.x509Certs.get(0).certificate, false) - .active(true) - .build(); + scimUtils.postUser(mccartney); - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body("x509Certificates", hasSize(equalTo(1))) - .body("x509Certificates[0].display", equalTo("Personal1")) - .body("x509Certificates[0].value", equalTo(TestUtils.x509Certs.get(0).certificate)) - .body("x509Certificates[0].primary", equalTo(true)) - .extract() - .as(ScimUser.class); + ScimUser lennonWantsToBeMcCartney = buildUserWithUUID(lennonCreationResult.getId(), + mccartney.getUserName(), mccartney.getEmails().get(0).getValue(), + mccartney.getName().getGivenName(), mccartney.getName().getFamilyName()); - restUtils.doDelete(creationResult.getMeta().getLocation()); + scimUtils.putUser(lennonCreationResult.getId(), lennonWantsToBeMcCartney, CONFLICT) + .andExpect(jsonPath("$.detail", + containsString("username paul_mccartney already assigned to another user"))); } @Test - public void testUserCreationWithMultipleX509Certificate() { - - ScimUser user = ScimUser.builder("user_with_x509") - .buildEmail("test_user@test.org") - .buildName("User", "With x509 Certificate") - .buildX509Certificate("Personal1", TestUtils.x509Certs.get(0).certificate, false) - .buildX509Certificate("Personal2", TestUtils.x509Certs.get(1).certificate, true) - .active(true) - .build(); + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testUniqueUsernameCreationCheck() throws Exception { - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body("x509Certificates", hasSize(equalTo(2))) - .body("x509Certificates[0].display", equalTo("Personal1")) - .body("x509Certificates[0].value", equalTo(TestUtils.x509Certs.get(0).certificate)) - .body("x509Certificates[0].primary", equalTo(false)) - .body("x509Certificates[1].display", equalTo("Personal2")) - .body("x509Certificates[1].value", equalTo(TestUtils.x509Certs.get(1).certificate)) - .body("x509Certificates[1].primary", equalTo(true)) - .extract() - .as(ScimUser.class); - - restUtils.doDelete(creationResult.getMeta().getLocation()); - } + ScimUser user = buildUser("john_lennon", "lennon@email.test", "John", "Lennon"); - @Test - public void testUserCreationWithMultipleX509CertificateAndNoPrimary() { - - ScimUser user = ScimUser.builder("user_with_x509") - .buildEmail("test_user@test.org") - .buildName("User", "With x509 Certificate") - .buildX509Certificate("Personal1", TestUtils.x509Certs.get(0).certificate, false) - .buildX509Certificate("Personal2", TestUtils.x509Certs.get(1).certificate, false) - .active(true) - .build(); - - ScimUser creationResult = restUtils.doPost("/scim/Users/", user) - .body("x509Certificates", hasSize(equalTo(2))) - .body("x509Certificates[0].display", equalTo("Personal1")) - .body("x509Certificates[0].value", equalTo(TestUtils.x509Certs.get(0).certificate)) - .body("x509Certificates[0].primary", equalTo(true)) - .body("x509Certificates[1].display", equalTo("Personal2")) - .body("x509Certificates[1].value", equalTo(TestUtils.x509Certs.get(1).certificate)) - .body("x509Certificates[1].primary", equalTo(false)) - .extract() - .as(ScimUser.class); - - restUtils.doDelete(creationResult.getMeta().getLocation()); + scimUtils.postUser(user); + scimUtils.postUser(user, HttpStatus.CONFLICT); } - @Test - public void testEmailIsNotAlreadyLinkedOnCreate() { - ScimUser user0 = ScimUser.builder("test_same_email_0") - .buildEmail("same_email@test.org") - .buildName("Test", "Same Email 0") - .active(true) - .build(); + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testEmailIsNotAlreadyLinkedOnCreate() throws Exception { - ScimUser user1 = ScimUser.builder("test_same_email_1") - .buildEmail("same_email@test.org") - .buildName("Test", "Same Email 1") - .active(true) - .build(); - - user0 = restUtils.doPost("/scim/Users/", user0).extract().as(ScimUser.class); + ScimUser user0 = buildUser("test_same_email_0", "same_email@test.org", "Test", "Same Email 0"); + ScimUser user1 = buildUser("test_same_email_1", "same_email@test.org", "Test", "Same Email 1"); - restUtils.doPost("/scim/Users/", user1, HttpStatus.CONFLICT).body("detail", - containsString("email already assigned to an existing user")); - - restUtils.deleteUsers(user0); + user0 = scimUtils.postUser(user0); + //@formatter:off + scimUtils.postUser(user1, HttpStatus.CONFLICT) + .andExpect(jsonPath("$.detail", containsString("A user linked with email 'same_email@test.org' already exists"))); + //@formatter:on } @Test - public void testEmailIsNotAlreadyLinkedOnUpdate() { - ScimUser user0 = ScimUser.builder("user0") - .buildEmail("user0@test.org") - .buildName("Test", "User 0") - .active(true) - .build(); + @WithMockOAuthUser(clientId = SCIM_CLIENT_ID, scopes = {SCIM_READ_SCOPE, SCIM_WRITE_SCOPE}) + public void testEmailIsNotAlreadyLinkedOnUpdate() throws Exception { - ScimUser user1 = ScimUser.builder("user1") - .buildEmail("user1@test.org") - .buildName("Test", "User 1") - .active(true) - .build(); - - user0 = restUtils.doPost("/scim/Users/", user0).extract().as(ScimUser.class); - user1 = restUtils.doPost("/scim/Users/", user1).extract().as(ScimUser.class); + ScimUser user0 = buildUser("user0", "user0@test.org", "Test", "User 0"); + ScimUser user1 = buildUser("user1", "user1@test.org", "Test", "User 1"); - ScimUser updatedUser0 = ScimUser.builder("user0") - .buildEmail("user1@test.org") - .buildName("Test", "User 0") - .active(true) - .build(); + user0 = scimUtils.postUser(user0); + user1 = scimUtils.postUser(user1); - restUtils.doPut(user0.getMeta().getLocation(), updatedUser0, HttpStatus.CONFLICT).body("detail", - containsString("email user1@test.org already assigned to another user")); + ScimUser updatedUser0 = + buildUserWithUUID(user0.getId(), "user0", "user1@test.org", "Test", "User 0"); - restUtils.deleteUsers(user0, user1); + scimUtils.putUser(user0.getId(), updatedUser0, CONFLICT).andExpect(jsonPath("$.detail", + containsString("email user1@test.org already assigned to another user"))); } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserTestSupport.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserTestSupport.java new file mode 100644 index 000000000..476a91bc1 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserTestSupport.java @@ -0,0 +1,123 @@ +package it.infn.mw.iam.test.scim.user; + +import java.util.ArrayList; +import java.util.List; +import java.util.UUID; + +import org.springframework.beans.factory.annotation.Autowired; + +import com.google.common.collect.Lists; + +import it.infn.mw.iam.api.scim.model.ScimOidcId; +import it.infn.mw.iam.api.scim.model.ScimSamlId; +import it.infn.mw.iam.api.scim.model.ScimSshKey; +import it.infn.mw.iam.api.scim.model.ScimUser; +import it.infn.mw.iam.api.scim.model.ScimX509Certificate; +import it.infn.mw.iam.api.scim.provisioning.ScimUserProvisioning; +import it.infn.mw.iam.test.OidcIdUtils; +import it.infn.mw.iam.test.SamlIdUtils; +import it.infn.mw.iam.test.SshKeyUtils; +import it.infn.mw.iam.test.X509Utils; +import it.infn.mw.iam.test.scim.ScimUtils; + +public class ScimUserTestSupport { + + @Autowired + private ScimUserProvisioning provider; + + protected ScimOidcId OIDCID_TEST = + ScimOidcId.builder().issuer("test_issuer").subject("test_subject").build(); + + protected ScimSamlId SAMLID_TEST = + ScimSamlId.builder().idpId("test_idp").userId("test_user").build(); + + protected ScimX509Certificate X509CERT_TEST = ScimX509Certificate.builder() + .display("Personal Certificate") + .pemEncodedCertificate(X509Utils.x509Certs.get(0).certificate) + .primary(true) + .build(); + + protected String SSHKEY_TEST_FINGERPRINT = SshKeyUtils.sshKeys.get(0).fingerprintSHA256; + + protected ScimSshKey SSHKEY_TEST = ScimSshKey.builder() + .display("Personal") + .value(SshKeyUtils.sshKeys.get(0).key) + .primary(true) + .build(); + + protected List PICTURES = + Lists.newArrayList("http://iosicongallery.com/img/512/angry-birds-2-2016.png", + "https://fallofthewall25.com/img/default-user.jpg"); + + + protected List createTestUsers() { + List testUsers = new ArrayList(); + + ScimUser lennon = ScimUser.builder("john_lennon") + .buildEmail("lennon@email.test") + .buildName("John", "Lennon") + .buildPhoto(PICTURES.get(0)) + .addOidcId(ScimOidcId.builder() + .issuer(OidcIdUtils.oidcIds.get(0).issuer) + .subject(OidcIdUtils.oidcIds.get(0).subject) + .build()) + .addSshKey(ScimSshKey.builder() + .value(SshKeyUtils.sshKeys.get(0).key) + .fingerprint(SshKeyUtils.sshKeys.get(0).fingerprintSHA256) + .primary(true) + .build()) + .addSamlId(ScimSamlId.builder() + .idpId(SamlIdUtils.samlIds.get(0).idpId) + .userId(SamlIdUtils.samlIds.get(0).userId) + .build()) + .addX509Certificate(ScimX509Certificate.builder() + .display(X509Utils.x509Certs.get(0).display) + .pemEncodedCertificate(X509Utils.x509Certs.get(0).certificate) + .primary(true) + .build()) + .build(); + + testUsers.add(provider.create(lennon)); + + ScimUser lincoln = ScimUser.builder("abraham_lincoln") + .buildEmail("lincoln@email.test") + .buildName("Abraham", "Lincoln") + .addOidcId(ScimOidcId.builder() + .issuer(OidcIdUtils.oidcIds.get(1).issuer) + .subject(OidcIdUtils.oidcIds.get(1).subject) + .build()) + .addSshKey(ScimSshKey.builder() + .value(SshKeyUtils.sshKeys.get(1).key) + .fingerprint(SshKeyUtils.sshKeys.get(1).fingerprintSHA256) + .primary(true) + .build()) + .addSamlId(ScimSamlId.builder() + .idpId(SamlIdUtils.samlIds.get(1).idpId) + .userId(SamlIdUtils.samlIds.get(1).userId) + .build()) + .addX509Certificate(ScimX509Certificate.builder() + .display(X509Utils.x509Certs.get(1).display) + .pemEncodedCertificate(X509Utils.x509Certs.get(1).certificate) + .primary(true) + .build()) + .build(); + + testUsers.add(provider.create(lincoln)); + + return testUsers; + } + + protected ScimUser createScimUser(String username, String email, String givenName, + String familyName) { + ScimUser user = ScimUtils.buildUser(username, email, givenName, familyName); + return provider.create(user); + } + + protected void deleteScimUser(ScimUser user) { + provider.delete(user.getId()); + } + + protected String getRandomUUid() { + return UUID.randomUUID().toString(); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/x509/ScimX509Tests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/x509/ScimX509Tests.java new file mode 100644 index 000000000..ebaa1e6d3 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/x509/ScimX509Tests.java @@ -0,0 +1,446 @@ +package it.infn.mw.iam.test.scim.user.x509; + +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertThat; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import javax.transaction.Transactional; + +import org.hamcrest.Matchers; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.WebApplicationContext; + +import com.fasterxml.jackson.databind.ObjectMapper; + +import it.infn.mw.iam.IamLoginService; +import it.infn.mw.iam.api.scim.model.ScimConstants; +import it.infn.mw.iam.api.scim.model.ScimUser; +import it.infn.mw.iam.api.scim.model.ScimUserPatchRequest; +import it.infn.mw.iam.api.scim.model.ScimX509Certificate; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.test.core.CoreControllerTestSupport; +import it.infn.mw.iam.test.ext_authn.x509.X509TestSupport; +import it.infn.mw.iam.test.util.WithMockOAuthUser; + +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = {IamLoginService.class, CoreControllerTestSupport.class}) +@WebAppConfiguration +@Transactional +@WithMockOAuthUser(clientId = "scim-client-rw", scopes = {"scim:read", "scim:write"}) +public class ScimX509Tests extends X509TestSupport implements ScimConstants { + + public static final Logger LOG = LoggerFactory.getLogger(ScimX509Tests.class); + public static final String JP_INDIGO_USER = "$." + INDIGO_USER_SCHEMA; + + @Autowired + private IamAccountRepository iamAccountRepo; + + @Autowired + private WebApplicationContext context; + + @Autowired + private ObjectMapper mapper; + + private MockMvc mvc; + + @Before + public void setup() { + mvc = MockMvcBuilders.webAppContextSetup(context) + .apply(springSecurity()) + .alwaysDo(print()) + .build(); + } + + @Test + public void testNoScimX509ForAccountWithoutCertificates() throws Exception { + IamAccount user = iamAccountRepo.findByUsername(TEST_USERNAME) + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + mvc.perform(get("/scim/Users/{id}", user.getUuid())).andExpect(status().isOk()).andExpect( + jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).doesNotExist()); + + } + + @Test + public void testScimX509Answer() throws Exception { + IamAccount user = iamAccountRepo.findByUsername(TEST_USERNAME) + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + linkTest0CertificateToAccount(user); + + iamAccountRepo.save(user); + + mvc.perform(get("/scim/Users/{id}", user.getUuid())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).isArray()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).value(hasSize(1))) + .andExpect(jsonPath("$.%s.certificates[0].created", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates[0].lastModified", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates[0].subjectDn", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_0_SUBJECT))) + .andExpect(jsonPath("$.%s.certificates[0].issuerDn", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_0_ISSUER))) + .andExpect(jsonPath("$.%s.certificates[0].pemEncodedCertificate", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_0_CERT_STRING))) + .andExpect(jsonPath("$.%s.certificates[0].display", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_0_CERT_LABEL))) + .andExpect(jsonPath("$.%s.certificates[0].primary", INDIGO_USER_SCHEMA).value(equalTo(true))); + } + + @Test + public void testScimX509AnswerMultipleCerts() throws Exception { + IamAccount user = iamAccountRepo.findByUsername(TEST_USERNAME) + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + linkTest0CertificateToAccount(user); + linkTest1CertificateToAccount(user); + + iamAccountRepo.save(user); + + mvc.perform(get("/scim/Users/{id}", user.getUuid())) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).isArray()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).value(hasSize(2))); + } + + @Test + public void testScimCreateUserWithCertSucceeds() throws Exception { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_1_CERT_LABEL) + .pemEncodedCertificate(TEST_1_CERT_STRING) + .build(); + + ScimUser user = ScimUser.builder("user_with_x509_cert") + .buildEmail("user_with_x509_cert@test.org") + .buildName("User", "With cert") + .active(true) + .addX509Certificate(cert) + .build(); + + + String scimUserString = mapper.writeValueAsString(user); + + mvc + .perform(MockMvcRequestBuilders.post("/scim/Users") + .content(scimUserString) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isCreated()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).isArray()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).value(hasSize(1))) + .andExpect(jsonPath("$.%s.certificates[0].created", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates[0].lastModified", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates[0].subjectDn", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_1_SUBJECT))) + .andExpect(jsonPath("$.%s.certificates[0].issuerDn", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_1_ISSUER))) + .andExpect(jsonPath("$.%s.certificates[0].pemEncodedCertificate", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_1_CERT_STRING))) + .andExpect(jsonPath("$.%s.certificates[0].display", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_1_CERT_LABEL))) + .andExpect(jsonPath("$.%s.certificates[0].primary", INDIGO_USER_SCHEMA).value(equalTo(true))); + + } + + @Test + public void testScimCreateUserWithCertAndProvidedSubjectInfoSucceeds() throws Exception { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_1_CERT_LABEL) + .pemEncodedCertificate(TEST_1_CERT_STRING) + .subjectDn("a fake subject") + .issuerDn("a fake issuer") + .build(); + + ScimUser user = ScimUser.builder("user_with_x509_cert") + .buildEmail("user_with_x509_cert@test.org") + .buildName("User", "With cert") + .active(true) + .addX509Certificate(cert) + .build(); + + + String scimUserString = mapper.writeValueAsString(user); + + mvc + .perform(MockMvcRequestBuilders.post("/scim/Users") + .content(scimUserString) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isCreated()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).isArray()) + .andExpect(jsonPath("$.%s.certificates", INDIGO_USER_SCHEMA).value(hasSize(1))) + .andExpect(jsonPath("$.%s.certificates[0].created", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates[0].lastModified", INDIGO_USER_SCHEMA).exists()) + .andExpect(jsonPath("$.%s.certificates[0].subjectDn", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_1_SUBJECT))) + .andExpect(jsonPath("$.%s.certificates[0].issuerDn", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_1_ISSUER))) + .andExpect(jsonPath("$.%s.certificates[0].pemEncodedCertificate", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_1_CERT_STRING))) + .andExpect(jsonPath("$.%s.certificates[0].display", INDIGO_USER_SCHEMA) + .value(equalTo(TEST_1_CERT_LABEL))) + .andExpect(jsonPath("$.%s.certificates[0].primary", INDIGO_USER_SCHEMA).value(equalTo(true))); + + } + + @Test + public void testScimCreateUserWithInvalidCertFails() throws Exception { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_1_CERT_LABEL) + .pemEncodedCertificate("whatever") + .build(); + + ScimUser user = ScimUser.builder("user_with_x509_cert") + .buildEmail("user_with_x509_cert@test.org") + .buildName("User", "With cert") + .active(true) + .addX509Certificate(cert) + .build(); + + + String scimUserString = mapper.writeValueAsString(user); + + mvc + .perform(MockMvcRequestBuilders.post("/scim/Users") + .content(scimUserString) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.status").exists()) + .andExpect(jsonPath("$.status").value(equalTo("400"))) + .andExpect(jsonPath("$.schemas").exists()) + .andExpect(jsonPath("$.schemas") + .value(Matchers.contains("urn:ietf:params:scim:api:messages:2.0:Error"))) + .andExpect(jsonPath("$.detail").exists()) + .andExpect(jsonPath("$.detail").value(containsString("Error parsing certificate chain"))); + } + + @Test + public void testScimCreateUserWithBoundCertFails() throws Exception { + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_0_CERT_LABEL) + .pemEncodedCertificate(TEST_0_CERT_STRING) + .build(); + + ScimUser user = ScimUser.builder("user_with_x509_cert") + .buildEmail("user_with_x509_cert@test.org") + .buildName("User", "With cert") + .active(true) + .addX509Certificate(cert) + .build(); + + mvc + .perform(MockMvcRequestBuilders.post("/scim/Users") + .content(mapper.writeValueAsString(user)) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isCreated()); + + ScimUser anotherUser = ScimUser.builder("another_user_with_x509_cert") + .buildEmail("another_user_with_x509_cert@test.org") + .buildName("Another User", "With cert") + .active(true) + .addX509Certificate(cert) + .build(); + + mvc + .perform(MockMvcRequestBuilders.post("/scim/Users") + .content(mapper.writeValueAsString(anotherUser)) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isConflict()) + .andExpect(jsonPath("$.status").exists()) + .andExpect(jsonPath("$.status").value(equalTo("409"))) + .andExpect(jsonPath("$.schemas").exists()) + .andExpect(jsonPath("$.schemas") + .value(Matchers.contains("urn:ietf:params:scim:api:messages:2.0:Error"))) + .andExpect(jsonPath("$.detail").exists()) + .andExpect(jsonPath("$.detail").value(containsString( + "X509 certificate with subject 'CN=test0,O=IGI,C=IT' is already bound to another user"))); + + } + + @Test + public void testScimAddCertificateSuccess() throws Exception { + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_0_CERT_LABEL) + .pemEncodedCertificate(TEST_0_CERT_STRING) + .build(); + + IamAccount testUser = iamAccountRepo.findByUsername(TEST_USERNAME) + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + ScimUser user = ScimUser.builder().addX509Certificate(cert).build(); + + ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder().add(user).build(); + + mvc + .perform(patch("/scim/Users/{id}", testUser.getUuid()) + .content(mapper.writeValueAsString(patchRequest)).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isNoContent()); + + testUser = iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT) + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + assertThat(testUser.getUsername(), equalTo(TEST_USERNAME)); + } + + @Test + public void testScimAddCertificateFailureInvalidCertificate() throws Exception { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_0_CERT_LABEL) + .pemEncodedCertificate("whatever") + .build(); + + IamAccount testUser = iamAccountRepo.findByUsername(TEST_USERNAME) + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() + .add(ScimUser.builder().addX509Certificate(cert).build()) + .build(); + + mvc + .perform(patch("/scim/Users/{id}", testUser.getUuid()) + .content(mapper.writeValueAsString(patchRequest)).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.status").exists()) + .andExpect(jsonPath("$.status").value(equalTo("400"))) + .andExpect(jsonPath("$.schemas").exists()) + .andExpect(jsonPath("$.schemas") + .value(Matchers.contains("urn:ietf:params:scim:api:messages:2.0:Error"))) + .andExpect(jsonPath("$.detail").exists()) + .andExpect(jsonPath("$.detail").value(containsString("Error parsing certificate chain"))); + } + + @Test + public void testScimAddCertificateFailureCertificateAlreadyBound() throws Exception { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_0_CERT_LABEL) + .pemEncodedCertificate(TEST_0_CERT_STRING) + .build(); + + ScimUser user = ScimUser.builder("user_with_x509_cert") + .buildEmail("user_with_x509_cert@test.org") + .buildName("User", "With cert") + .active(true) + .addX509Certificate(cert) + .build(); + + mvc + .perform(post("/scim/Users") + .content(mapper.writeValueAsString(user)) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isCreated()); + + IamAccount testUser = iamAccountRepo.findByUsername(TEST_USERNAME) + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + + ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() + .add(ScimUser.builder().addX509Certificate(cert).build()) + .build(); + + mvc + .perform(patch("/scim/Users/{id}", testUser.getUuid()) + .content(mapper.writeValueAsString(patchRequest)).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isConflict()) + .andExpect(jsonPath("$.status").exists()) + .andExpect(jsonPath("$.status").value(equalTo("409"))) + .andExpect(jsonPath("$.schemas").exists()) + .andExpect(jsonPath("$.schemas") + .value(Matchers.contains("urn:ietf:params:scim:api:messages:2.0:Error"))) + .andExpect(jsonPath("$.detail").exists()) + .andExpect(jsonPath("$.detail").value(containsString( + "X509 certificate with subject 'CN=test0,O=IGI,C=IT' is already bound to another user"))); + } + + @Test + public void testScimRemoveCertificateSuccess() throws Exception { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_0_CERT_LABEL) + .pemEncodedCertificate(TEST_0_CERT_STRING) + .build(); + + ScimUser user = ScimUser.builder("user_with_x509_cert") + .buildEmail("user_with_x509_cert@test.org") + .buildName("User", "With cert") + .active(true) + .addX509Certificate(cert) + .build(); + + mvc + .perform(MockMvcRequestBuilders.post("/scim/Users") + .content(mapper.writeValueAsString(user)) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isCreated()); + + IamAccount account = iamAccountRepo.findByCertificateSubject(TEST_0_SUBJECT) + .orElseThrow(() -> new AssertionError( + "Expected account bound to '" + TEST_0_SUBJECT + "' certificate not found")); + + ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() + .remove(ScimUser.builder().addX509Certificate(cert).build()) + .build(); + + mvc + .perform(patch("/scim/Users/{id}", account.getUuid()) + .content(mapper.writeValueAsString(patchRequest)).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isNoContent()); + + iamAccountRepo.findByCertificate(TEST_0_SUBJECT).ifPresent(a -> { + throw new AssertionError("Found unexpected account bound to '" + TEST_0_SUBJECT + + "' certificate: " + a.getUsername()); + }); + } + + @Test + public void testScimRemoveUnboundCertificateYeldsa204() throws Exception { + + ScimX509Certificate cert = ScimX509Certificate.builder() + .display(TEST_0_CERT_LABEL) + .pemEncodedCertificate(TEST_0_CERT_STRING) + .build(); + + iamAccountRepo.findByCertificate(TEST_0_SUBJECT).ifPresent(a -> { + throw new AssertionError("Found unexpected account bound to '" + TEST_0_SUBJECT + + "' certificate: " + a.getUsername()); + }); + + IamAccount testUser = iamAccountRepo.findByUsername(TEST_USERNAME) + .orElseThrow(() -> new AssertionError("Expected test user not found")); + + ScimUserPatchRequest patchRequest = ScimUserPatchRequest.builder() + .remove(ScimUser.builder().addX509Certificate(cert).build()) + .build(); + + mvc + .perform(patch("/scim/Users/{id}", testUser.getUuid()) + .content(mapper.writeValueAsString(patchRequest)).contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isNoContent()); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/service/IamAccountServiceTestSupport.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/IamAccountServiceTestSupport.java new file mode 100644 index 000000000..46ceff94c --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/IamAccountServiceTestSupport.java @@ -0,0 +1,116 @@ +package it.infn.mw.iam.test.service; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamAuthority; +import it.infn.mw.iam.persistence.model.IamOidcId; +import it.infn.mw.iam.persistence.model.IamSamlId; +import it.infn.mw.iam.persistence.model.IamSshKey; +import it.infn.mw.iam.persistence.model.IamX509Certificate; + +public class IamAccountServiceTestSupport { + + public static final String PASSWORD = "password"; + + public static final String TEST_UUID = "ceb173b4-28e3-43ad-aaf7-15d3730e2b90"; + public static final String TEST_USERNAME = "test"; + public static final String TEST_EMAIL = "test@example.org"; + public static final String TEST_GIVEN_NAME = "Test"; + public static final String TEST_FAMILY_NAME = "User"; + + public static final String CICCIO_UUID = "96294e50-fe83-4136-a77a-065e4368c421"; + public static final String CICCIO_USERNAME = "ciccio"; + public static final String CICCIO_EMAIL = "ciccio@example.org"; + public static final String CICCIO_GIVEN_NAME = "Ciccio"; + public static final String CICCIO_FAMILY_NAME = "Paglia"; + + public static final String TEST_SAML_ID_IDP_ID = "idpId"; + public static final String TEST_SAML_ID_USER_ID = "userId"; + public static final String TEST_SAML_ID_ATTRIBUTE_ID = "attributeId"; + + public static final String TEST_OIDC_ID_ISSUER = "oidcIssuer"; + public static final String TEST_OIDC_ID_SUBJECT = "oidcSubject"; + + public static final String TEST_SSH_KEY_VALUE_1 = "ssh-key-value-1"; + public static final String TEST_SSH_KEY_VALUE_2 = "ssh-key-value-2"; + + public static final String TEST_X509_CERTIFICATE_VALUE_1 = "x509-cert-value-1"; + public static final String TEST_X509_CERTIFICATE_SUBJECT_1 = "x509-cert-subject-1"; + public static final String TEST_X509_CERTIFICATE_ISSUER_1 = "x509-cert-issuer-1"; + public static final String TEST_X509_CERTIFICATE_LABEL_1 = "x509-cert-label-1"; + + public static final String TEST_X509_CERTIFICATE_VALUE_2 = "x509-cert-value-2"; + public static final String TEST_X509_CERTIFICATE_SUBJECT_2 = "x509-cert-subject-2"; + public static final String TEST_X509_CERTIFICATE_ISSUER_2 = "x509-cert-issuer-2"; + public static final String TEST_X509_CERTIFICATE_LABEL_2 = "x509-cert-label-2"; + + + protected final IamAccount TEST_ACCOUNT; + protected final IamAccount CICCIO_ACCOUNT; + protected final IamAuthority ROLE_USER_AUTHORITY; + protected final IamSamlId TEST_SAML_ID; + protected final IamOidcId TEST_OIDC_ID; + + protected final IamSshKey TEST_SSH_KEY_1; + protected final IamSshKey TEST_SSH_KEY_2; + protected final IamX509Certificate TEST_X509_CERTIFICATE_1; + protected final IamX509Certificate TEST_X509_CERTIFICATE_2; + + public IamAccountServiceTestSupport() { + TEST_ACCOUNT = IamAccount.newAccount(); + TEST_ACCOUNT.setUuid(TEST_UUID); + TEST_ACCOUNT.setUsername(TEST_USERNAME); + TEST_ACCOUNT.getUserInfo().setEmail(TEST_EMAIL); + TEST_ACCOUNT.getUserInfo().setGivenName(TEST_GIVEN_NAME); + TEST_ACCOUNT.getUserInfo().setFamilyName(TEST_FAMILY_NAME); + + ROLE_USER_AUTHORITY = new IamAuthority("ROLE_USER"); + + CICCIO_ACCOUNT = IamAccount.newAccount(); + CICCIO_ACCOUNT.setUuid(CICCIO_UUID); + CICCIO_ACCOUNT.setUsername(CICCIO_USERNAME); + CICCIO_ACCOUNT.getUserInfo().setEmail(CICCIO_EMAIL); + CICCIO_ACCOUNT.getUserInfo().setGivenName(CICCIO_GIVEN_NAME); + CICCIO_ACCOUNT.getUserInfo().setFamilyName(CICCIO_FAMILY_NAME); + + TEST_SAML_ID = + new IamSamlId(TEST_SAML_ID_IDP_ID, TEST_SAML_ID_ATTRIBUTE_ID, TEST_SAML_ID_USER_ID); + + TEST_OIDC_ID = + new IamOidcId(TEST_OIDC_ID_ISSUER, TEST_OIDC_ID_SUBJECT); + + TEST_SSH_KEY_1 = + new IamSshKey(TEST_SSH_KEY_VALUE_1); + + TEST_SSH_KEY_2 = + new IamSshKey(TEST_SSH_KEY_VALUE_2); + + TEST_X509_CERTIFICATE_1 = + new IamX509Certificate(); + + TEST_X509_CERTIFICATE_1.setLabel(TEST_X509_CERTIFICATE_LABEL_1); + TEST_X509_CERTIFICATE_1.setSubjectDn(TEST_X509_CERTIFICATE_SUBJECT_1); + TEST_X509_CERTIFICATE_1.setIssuerDn(TEST_X509_CERTIFICATE_ISSUER_1); + TEST_X509_CERTIFICATE_1.setCertificate(TEST_X509_CERTIFICATE_VALUE_1); + + TEST_X509_CERTIFICATE_2 = + new IamX509Certificate(); + + TEST_X509_CERTIFICATE_2.setLabel(TEST_X509_CERTIFICATE_LABEL_2); + TEST_X509_CERTIFICATE_2.setSubjectDn(TEST_X509_CERTIFICATE_SUBJECT_2); + TEST_X509_CERTIFICATE_2.setIssuerDn(TEST_X509_CERTIFICATE_ISSUER_2); + TEST_X509_CERTIFICATE_2.setCertificate(TEST_X509_CERTIFICATE_VALUE_2); + } + + public IamAccount cloneAccount(IamAccount account) { + IamAccount newAccount = IamAccount.newAccount(); + newAccount.setUuid(account.getUuid()); + newAccount.setUsername(account.getUsername()); + newAccount.getUserInfo().setEmail(account.getUserInfo().getEmail()); + newAccount.getUserInfo().setGivenName(account.getUserInfo().getGivenName()); + newAccount.getUserInfo().setFamilyName(account.getUserInfo().getFamilyName()); + + return newAccount; + } + + +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/service/IamAccountServiceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/IamAccountServiceTests.java new file mode 100644 index 000000000..432eea4d6 --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/IamAccountServiceTests.java @@ -0,0 +1,710 @@ +package it.infn.mw.iam.test.service; + +import static java.util.Arrays.asList; +import static java.util.Collections.emptyList; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; +import static org.mockito.Matchers.anyObject; +import static org.mockito.Matchers.anyString; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +import java.util.Arrays; +import java.util.Calendar; +import java.util.Date; +import java.util.Optional; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.InjectMocks; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.runners.MockitoJUnitRunner; +import org.springframework.context.ApplicationEventPublisher; +import org.springframework.security.crypto.password.PasswordEncoder; + +import it.infn.mw.iam.core.user.DefaultIamAccountService; +import it.infn.mw.iam.core.user.exception.CredentialAlreadyBoundException; +import it.infn.mw.iam.core.user.exception.InvalidCredentialException; +import it.infn.mw.iam.core.user.exception.UserAlreadyExistsException; +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamOidcId; +import it.infn.mw.iam.persistence.model.IamSamlId; +import it.infn.mw.iam.persistence.model.IamSshKey; +import it.infn.mw.iam.persistence.model.IamX509Certificate; +import it.infn.mw.iam.persistence.repository.IamAccountRepository; +import it.infn.mw.iam.persistence.repository.IamAuthoritiesRepository; + +@RunWith(MockitoJUnitRunner.class) +public class IamAccountServiceTests extends IamAccountServiceTestSupport { + + @Mock + private IamAccountRepository accountRepo; + + @Mock + private IamAuthoritiesRepository authoritiesRepo; + + @Mock + private PasswordEncoder passwordEncoder; + + @Mock + private ApplicationEventPublisher eventPublisher; + + + @InjectMocks + private DefaultIamAccountService accountService; + + + @Before + public void setup() { + + when(accountRepo.findProvisionedAccountsWithLastLoginTimeBeforeTimestamp(anyObject())) + .thenReturn(emptyList()); + when(accountRepo.findByCertificateSubject(anyString())).thenReturn(Optional.empty()); + when(accountRepo.findBySshKeyValue(anyString())).thenReturn(Optional.empty()); + when(accountRepo.findBySamlId(anyObject())).thenReturn(Optional.empty()); + when(accountRepo.findByOidcId(anyString(), anyString())).thenReturn(Optional.empty()); + when(accountRepo.findByUsername(anyString())).thenReturn(Optional.empty()); + when(accountRepo.findByEmail(anyString())).thenReturn(Optional.empty()); + when(accountRepo.findByUsername(TEST_USERNAME)).thenReturn(Optional.of(TEST_ACCOUNT)); + when(accountRepo.findByEmail(TEST_EMAIL)).thenReturn(Optional.of(TEST_ACCOUNT)); + when(authoritiesRepo.findByAuthority(anyString())).thenReturn(Optional.empty()); + when(authoritiesRepo.findByAuthority("ROLE_USER")).thenReturn(Optional.of(ROLE_USER_AUTHORITY)); + when(passwordEncoder.encode(anyObject())).thenReturn(PASSWORD); + } + + @Test(expected = NullPointerException.class) + public void testCreateNullAccountFails() { + try { + accountService.createAccount(null); + } catch (NullPointerException e) { + assertThat(e.getMessage(), equalTo("Cannot create a null account")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullUsernameFails() { + IamAccount account = IamAccount.newAccount(); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("Null or empty username")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptyUsernameFails() { + IamAccount account = IamAccount.newAccount(); + account.setUsername(""); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("Null or empty username")); + throw e; + } + } + + @Test(expected = NullPointerException.class) + public void testNullUserinfoFails() { + IamAccount account = new IamAccount(); + account.setUsername("test"); + try { + accountService.createAccount(account); + } catch (NullPointerException e) { + assertThat(e.getMessage(), equalTo("Null userinfo object")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullEmailFails() { + IamAccount account = IamAccount.newAccount(); + account.setUsername("test"); + + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("Null or empty email")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptyEmailFails() { + IamAccount account = IamAccount.newAccount(); + account.setUsername("test"); + account.getUserInfo().setEmail(""); + + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("Null or empty email")); + throw e; + } + } + + + @Test(expected = UserAlreadyExistsException.class) + public void testBoundUsernameChecksWorks() { + IamAccount account = IamAccount.newAccount(); + account.setUsername(TEST_USERNAME); + account.getUserInfo().setEmail("cicciopaglia@test.org"); + + try { + accountService.createAccount(account); + } catch (UserAlreadyExistsException e) { + assertThat(e.getMessage(), + equalTo(String.format("A user with username '%s' already exists", TEST_USERNAME))); + throw e; + } + + } + + @Test(expected = UserAlreadyExistsException.class) + public void testBoundEmailCheckWorks() { + IamAccount account = IamAccount.newAccount(); + account.setUsername("ciccio"); + account.getUserInfo().setEmail(TEST_EMAIL); + + try { + accountService.createAccount(account); + } catch (UserAlreadyExistsException e) { + assertThat(e.getMessage(), + equalTo(String.format("A user linked with email '%s' already exists", TEST_EMAIL))); + throw e; + } + } + + @Test(expected = IllegalStateException.class) + public void testCreationFailsIfRoleUserAuthorityIsNotDefined() { + + when(authoritiesRepo.findByAuthority("ROLE_USER")).thenReturn(Optional.empty()); + + try { + accountService.createAccount(CICCIO_ACCOUNT); + } catch (IllegalStateException e) { + assertThat(e.getMessage(), equalTo("ROLE_USER not found in database. This is a bug")); + throw e; + } + } + + + @Test + public void testUuidIfProvidedIsPreserved() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + + accountService.createAccount(account); + verify(accountRepo, Mockito.times(1)).save(account); + assertThat(account.getUuid(), equalTo(CICCIO_UUID)); + + } + + @Test + public void testUuidIfNotProvidedIsGenerated() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + + account.setUuid(null); + + accountService.createAccount(account); + verify(accountRepo, Mockito.times(1)).save(account); + assertNotNull(account.getUuid()); + } + + @Test + public void testCreationTimeIfProvidedIsPreserved() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + + Calendar cal = Calendar.getInstance(); + cal.add(Calendar.DAY_OF_MONTH, -1); + + Date yesterday = cal.getTime(); + + account.setCreationTime(yesterday); + accountService.createAccount(account); + verify(accountRepo, times(1)).save(account); + assertThat(account.getCreationTime(), equalTo(yesterday)); + } + + @Test + public void testPasswordIfProvidedIsPreservedAndEncoded() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + + account.setPassword(PASSWORD); + + accountService.createAccount(account); + verify(accountRepo, Mockito.times(1)).save(account); + verify(passwordEncoder, Mockito.times(1)).encode(PASSWORD); + + assertThat(account.getPassword(), equalTo(PASSWORD)); + } + + @Test(expected = NullPointerException.class) + public void testNullSamlIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.getSamlIds().add(null); + try { + accountService.createAccount(account); + } catch (NullPointerException e) { + assertThat(e.getMessage(), equalTo("null saml id")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullSamlIdpIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamSamlId samlId = new IamSamlId(); + account.linkSamlIds(asList(samlId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty idpId")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptySamlIdpIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamSamlId samlId = new IamSamlId(); + samlId.setIdpId(""); + account.linkSamlIds(asList(samlId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty idpId")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullSamlUserIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamSamlId samlId = new IamSamlId(); + samlId.setIdpId(TEST_SAML_ID_IDP_ID); + + account.linkSamlIds(asList(samlId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty userId")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptySamlUserIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamSamlId samlId = new IamSamlId(); + samlId.setIdpId(TEST_SAML_ID_IDP_ID); + samlId.setUserId(""); + + account.linkSamlIds(asList(samlId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty userId")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullSamlAttributeIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamSamlId samlId = new IamSamlId(); + samlId.setIdpId(TEST_SAML_ID_IDP_ID); + samlId.setUserId(TEST_SAML_ID_USER_ID); + + account.linkSamlIds(asList(samlId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty attributeId")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptySamlAttributeIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamSamlId samlId = new IamSamlId(); + samlId.setIdpId(TEST_SAML_ID_IDP_ID); + samlId.setUserId(TEST_SAML_ID_USER_ID); + samlId.setAttributeId(""); + + account.linkSamlIds(asList(samlId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty attributeId")); + throw e; + } + } + + + @Test(expected = CredentialAlreadyBoundException.class) + public void testBoundSamlIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + when(accountRepo.findBySamlId(TEST_SAML_ID)).thenReturn(Optional.of(TEST_ACCOUNT)); + account.linkSamlIds(asList(TEST_SAML_ID)); + accountService.createAccount(account); + } + + @Test + public void testValidSamlIdLinkedPassesSanityChecks() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + + account.linkSamlIds(asList(TEST_SAML_ID)); + accountService.createAccount(account); + + } + + @Test(expected = NullPointerException.class) + public void testNullOidcIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.getOidcIds().add(null); + try { + accountService.createAccount(account); + } catch (NullPointerException e) { + assertThat(e.getMessage(), equalTo("null oidc id")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullOidcIdIssuerIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamOidcId oidcId = new IamOidcId(); + account.linkOidcIds(asList(oidcId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty oidc id issuer")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptyOidcIdIssuerIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamOidcId oidcId = new IamOidcId(); + oidcId.setIssuer(""); + account.linkOidcIds(asList(oidcId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty oidc id issuer")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullOidcIdSubjectIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamOidcId oidcId = new IamOidcId(); + oidcId.setIssuer(TEST_OIDC_ID_ISSUER); + account.linkOidcIds(asList(oidcId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty oidc id subject")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptyOidcIdSubjectIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamOidcId oidcId = new IamOidcId(); + oidcId.setIssuer(TEST_OIDC_ID_ISSUER); + oidcId.setSubject(""); + account.linkOidcIds(asList(oidcId)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty oidc id subject")); + throw e; + } + } + + @Test(expected = CredentialAlreadyBoundException.class) + public void testBoundOidcIdIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + when(accountRepo.findByOidcId(TEST_OIDC_ID_ISSUER, TEST_OIDC_ID_SUBJECT)) + .thenReturn(Optional.of(TEST_ACCOUNT)); + + account.linkOidcIds(asList(TEST_OIDC_ID)); + accountService.createAccount(account); + } + + + @Test + public void testValidOidcIdPassesSanityChecks() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.linkOidcIds(asList(TEST_OIDC_ID)); + accountService.createAccount(account); + + } + + + @Test(expected = NullPointerException.class) + public void testNullSshKeyIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.getSshKeys().add(null); + try { + accountService.createAccount(account); + } catch (NullPointerException e) { + assertThat(e.getMessage(), equalTo("null ssh key")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNoValueSshKeyIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamSshKey key = new IamSshKey(); + account.linkSshKeys(asList(key)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty ssh key value")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptyValueSshKeyIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamSshKey key = new IamSshKey(); + key.setValue(""); + account.linkSshKeys(asList(key)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty ssh key value")); + throw e; + } + } + + @Test(expected = CredentialAlreadyBoundException.class) + public void testBoundSshKeyIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.linkSshKeys(asList(TEST_SSH_KEY_1)); + when(accountRepo.findBySshKeyValue(TEST_SSH_KEY_VALUE_1)).thenReturn(Optional.of(TEST_ACCOUNT)); + accountService.createAccount(account); + } + + @Test + public void testValidSshKeyPassesSanityChecks() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.linkSshKeys(asList(TEST_SSH_KEY_1)); + accountService.createAccount(account); + } + + @Test(expected = NullPointerException.class) + public void testNullX509CertificateIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.getX509Certificates().add(null); + try { + accountService.createAccount(account); + } catch (NullPointerException e) { + assertThat(e.getMessage(), equalTo("null X.509 certificate")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullX509CertificateSubjectIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamX509Certificate cert = new IamX509Certificate(); + account.linkX509Certificates(asList(cert)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty X.509 certificate subject DN")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullX509CertificateIssuerIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamX509Certificate cert = new IamX509Certificate(); + cert.setSubjectDn(TEST_X509_CERTIFICATE_SUBJECT_1); + account.linkX509Certificates(asList(cert)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty X.509 certificate issuer DN")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testNullX509CertificateLabelIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamX509Certificate cert = new IamX509Certificate(); + cert.setSubjectDn(TEST_X509_CERTIFICATE_SUBJECT_1); + cert.setIssuerDn(TEST_X509_CERTIFICATE_ISSUER_1); + account.linkX509Certificates(asList(cert)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty X.509 certificate label")); + throw e; + } + } + + @Test(expected = IllegalArgumentException.class) + public void testEmptyX509CertificateLabelIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + IamX509Certificate cert = new IamX509Certificate(); + cert.setSubjectDn(TEST_X509_CERTIFICATE_SUBJECT_1); + cert.setIssuerDn(TEST_X509_CERTIFICATE_ISSUER_1); + cert.setLabel(""); + account.linkX509Certificates(asList(cert)); + try { + accountService.createAccount(account); + } catch (IllegalArgumentException e) { + assertThat(e.getMessage(), equalTo("null or empty X.509 certificate label")); + throw e; + } + } + + @Test(expected = CredentialAlreadyBoundException.class) + public void testBoundX509CertificateIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.linkX509Certificates(asList(TEST_X509_CERTIFICATE_1)); + + when(accountRepo.findByCertificateSubject(TEST_X509_CERTIFICATE_SUBJECT_1)) + .thenReturn(Optional.of(TEST_ACCOUNT)); + + accountService.createAccount(account); + } + + @Test + public void testValidX509CertificatePassesSanityChecks() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.linkX509Certificates(asList(TEST_X509_CERTIFICATE_2)); + accountService.createAccount(account); + } + + @Test + public void testX509PrimaryIsBoundIfNotProvided() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.linkX509Certificates(asList(TEST_X509_CERTIFICATE_1, TEST_X509_CERTIFICATE_2)); + accountService.createAccount(account); + + assertTrue(account.getX509Certificates().get(0).isPrimary()); + assertFalse(account.getX509Certificates().get(1).isPrimary()); + + } + + @Test + public void testX509PrimaryIsRespected() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + TEST_X509_CERTIFICATE_2.setPrimary(true); + account.linkX509Certificates(asList(TEST_X509_CERTIFICATE_1, TEST_X509_CERTIFICATE_2)); + accountService.createAccount(account); + + assertFalse(account.getX509Certificates().get(0).isPrimary()); + assertTrue(account.getX509Certificates().get(1).isPrimary()); + + } + + @Test(expected = InvalidCredentialException.class) + public void testX509MultiplePrimaryIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + TEST_X509_CERTIFICATE_1.setPrimary(true); + TEST_X509_CERTIFICATE_2.setPrimary(true); + account.linkX509Certificates(asList(TEST_X509_CERTIFICATE_1, TEST_X509_CERTIFICATE_2)); + try { + accountService.createAccount(account); + } catch (InvalidCredentialException e) { + assertThat(e.getMessage(), equalTo("Only one X.509 certificate can be marked as primary")); + throw e; + } + } + + @Test + public void testSshKeyPrimaryIsBoundIfNotProvided() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + account.linkSshKeys(asList(TEST_SSH_KEY_1, TEST_SSH_KEY_2)); + accountService.createAccount(account); + + assertTrue(account.getSshKeys().get(0).isPrimary()); + assertFalse(account.getSshKeys().get(1).isPrimary()); + } + + @Test + public void testSshKeyPrimaryIsRespected() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + TEST_SSH_KEY_2.setPrimary(true); + account.linkSshKeys(asList(TEST_SSH_KEY_1, TEST_SSH_KEY_2)); + accountService.createAccount(account); + + assertFalse(account.getSshKeys().get(0).isPrimary()); + assertTrue(account.getSshKeys().get(1).isPrimary()); + } + + @Test(expected = InvalidCredentialException.class) + public void testMultiplePrimarySshKeysIsNotAccepted() { + IamAccount account = cloneAccount(CICCIO_ACCOUNT); + TEST_SSH_KEY_1.setPrimary(true); + TEST_SSH_KEY_2.setPrimary(true); + account.linkSshKeys(asList(TEST_SSH_KEY_1, TEST_SSH_KEY_2)); + try { + accountService.createAccount(account); + } catch (InvalidCredentialException e) { + assertThat(e.getMessage(), equalTo("Only one SSH key can be marked as primary")); + throw e; + } + } + + @Test(expected = NullPointerException.class) + public void testNullDeleteAccountFails() { + try { + accountService.deleteAccount(null); + } catch (NullPointerException e) { + assertThat(e.getMessage(), equalTo("cannot delete a null account")); + throw e; + } + } + + @Test + public void testAccountDeletion() { + accountService.deleteAccount(CICCIO_ACCOUNT); + verify(accountRepo, times(1)).delete(CICCIO_ACCOUNT); + verify(eventPublisher, times(1)).publishEvent(anyObject()); + } + + @Test(expected = NullPointerException.class) + public void testDeleteInactiveProvisionedAccountFailsWithNullTimestamp() { + try { + accountService.deleteInactiveProvisionedUsersSinceTime(null); + } catch (NullPointerException e) { + assertThat(e.getMessage(), equalTo("null timestamp")); + throw e; + } + } + + @Test + public void testDeleteInactiveProvisionedAccountWorks() { + + when(accountRepo.findProvisionedAccountsWithLastLoginTimeBeforeTimestamp(anyObject())) + .thenReturn(Arrays.asList(CICCIO_ACCOUNT, TEST_ACCOUNT)); + + accountService.deleteInactiveProvisionedUsersSinceTime(new Date()); + + verify(accountRepo, times(1)).delete(CICCIO_ACCOUNT); + verify(accountRepo, times(1)).delete(TEST_ACCOUNT); + verify(eventPublisher, times(2)).publishEvent(anyObject()); + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/MockSmtpServerUtils.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/MockSmtpServerUtils.java new file mode 100644 index 000000000..5b47afdcd --- /dev/null +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/MockSmtpServerUtils.java @@ -0,0 +1,67 @@ +package it.infn.mw.iam.test.util; + +import java.io.IOException; +import java.net.Socket; +import java.util.concurrent.TimeUnit; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.subethamail.wiser.Wiser; + +public class MockSmtpServerUtils { + public static final Logger LOG = LoggerFactory.getLogger(MockSmtpServerUtils.class); + + private static void waitUntilPortIsFree(String host, int port, int timeoutInSecs) { + + boolean portBusy = true; + int sleepTimeInSecs = 0; + + do { + try { + // Open a client socket to talk with host at port + (new Socket(host, port)).close(); + + // If we reach this far there's someone listening, + // i.e. the port is busy + LOG.warn("Port {} is in use", port); + + // So sleep 1 sec + Thread.sleep(TimeUnit.SECONDS.toMillis(1)); + sleepTimeInSecs++; + portBusy = true; + } catch (IOException e) { + portBusy = false; + } catch (InterruptedException e) { + } + } while (portBusy && sleepTimeInSecs < timeoutInSecs); + + if (sleepTimeInSecs >= timeoutInSecs) { + throw new AssertionError("Timeout reached waiting for port " + port); + } + } + + public static synchronized Wiser startMockSmtpServer(String hostname, int port) { + + waitUntilPortIsFree(hostname, port, 5); + + LOG.info("Starting Wiser SMTP server on: {}:{}", hostname, port); + + Wiser mockSmtpServer = new Wiser(); + + mockSmtpServer.setHostname(hostname); + mockSmtpServer.setPort(port); + + mockSmtpServer.start(); + + return mockSmtpServer; + } + + public static synchronized void stopMockSmtpServer(Wiser mockSmtpServer) { + + if (mockSmtpServer != null) { + LOG.info("Stopping Wiser SMTP server"); + mockSmtpServer.stop(); + } + + } +} diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/RSAPublicKeyTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/RSAPublicKeyTests.java index abf94d27b..5f4ad2099 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/RSAPublicKeyTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/RSAPublicKeyTests.java @@ -1,9 +1,12 @@ package it.infn.mw.iam.test.util; -import org.junit.Assert; +import static it.infn.mw.iam.test.SshKeyUtils.sshKeys; +import static org.hamcrest.Matchers.equalTo; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.fail; + import org.junit.Test; -import it.infn.mw.iam.test.TestUtils; import it.infn.mw.iam.util.ssh.InvalidSshKeyException; import it.infn.mw.iam.util.ssh.RSAPublicKeyUtils; @@ -12,28 +15,28 @@ public class RSAPublicKeyTests { @Test public void testMD5Fingerprint() { - String fp = RSAPublicKeyUtils.getMD5Fingerprint(TestUtils.sshKeys.get(0).key); - Assert.assertEquals(fp, TestUtils.sshKeys.get(0).fingerprintMDS); - fp = RSAPublicKeyUtils.getMD5Fingerprint(TestUtils.sshKeys.get(1).key); - Assert.assertEquals(fp, TestUtils.sshKeys.get(1).fingerprintMDS); + String fp = RSAPublicKeyUtils.getMD5Fingerprint(sshKeys.get(0).key); + assertThat(fp, equalTo(sshKeys.get(0).fingerprintMDS)); + fp = RSAPublicKeyUtils.getMD5Fingerprint(sshKeys.get(1).key); + assertThat(fp, equalTo(sshKeys.get(1).fingerprintMDS)); } @Test public void testFormattedMD5Fingerprint() { - String fp = RSAPublicKeyUtils.getFormattedMD5Fingerprint(TestUtils.sshKeys.get(0).key); - Assert.assertEquals(fp, TestUtils.sshKeys.get(0).fingerprintMD5Formatted); - fp = RSAPublicKeyUtils.getFormattedMD5Fingerprint(TestUtils.sshKeys.get(1).key); - Assert.assertEquals(fp, TestUtils.sshKeys.get(1).fingerprintMD5Formatted); + String fp = RSAPublicKeyUtils.getFormattedMD5Fingerprint(sshKeys.get(0).key); + assertThat(fp, equalTo(sshKeys.get(0).fingerprintMD5Formatted)); + fp = RSAPublicKeyUtils.getFormattedMD5Fingerprint(sshKeys.get(1).key); + assertThat(fp, equalTo(sshKeys.get(1).fingerprintMD5Formatted)); } @Test public void testSHA256Fingerprint() { - String fp = RSAPublicKeyUtils.getSHA256Fingerprint(TestUtils.sshKeys.get(0).key); - Assert.assertEquals(fp, TestUtils.sshKeys.get(0).fingerprintSHA256); - fp = RSAPublicKeyUtils.getSHA256Fingerprint(TestUtils.sshKeys.get(1).key); - Assert.assertEquals(fp, TestUtils.sshKeys.get(1).fingerprintSHA256); + String fp = RSAPublicKeyUtils.getSHA256Fingerprint(sshKeys.get(0).key); + assertThat(fp, equalTo(sshKeys.get(0).fingerprintSHA256)); + fp = RSAPublicKeyUtils.getSHA256Fingerprint(sshKeys.get(1).key); + assertThat(fp, equalTo(sshKeys.get(1).fingerprintSHA256)); } @Test @@ -41,17 +44,17 @@ public void testMD5FingerprintInvalidKeyError() { try { RSAPublicKeyUtils.getMD5Fingerprint("This is not an encoded base64 key"); - Assert.fail("InvalidSshKeyException expected"); + fail("InvalidSshKeyException expected"); } catch (InvalidSshKeyException e) { } } - + @Test public void testFormattedMD5FingerprintInvalidKeyError() { try { RSAPublicKeyUtils.getFormattedMD5Fingerprint("This is not an encoded base64 key"); - Assert.fail("InvalidSshKeyException expected"); + fail("InvalidSshKeyException expected"); } catch (InvalidSshKeyException e) { } } @@ -61,7 +64,7 @@ public void testSHA26FingerprintInvalidKeyError() { try { RSAPublicKeyUtils.getSHA256Fingerprint("This is not an encoded base64 key"); - Assert.fail("InvalidSshKeyException expected"); + fail("InvalidSshKeyException expected"); } catch (InvalidSshKeyException e) { } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/WithMockSAMLUser.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/WithMockSAMLUser.java index 3a71ee4e7..7aa6b7e08 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/WithMockSAMLUser.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/WithMockSAMLUser.java @@ -1,7 +1,7 @@ package it.infn.mw.iam.test.util; import static it.infn.mw.iam.authn.ExternalAuthenticationHandlerSupport.EXT_AUTHN_UNREGISTERED_USER_ROLE; -import static it.infn.mw.iam.test.ext_authn.saml.SamlExternalAuthenticationTestSupport.DEFAULT_IDP_ID; +import static it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport.DEFAULT_IDP_ID; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/oauth/WithMockOAuth2SecurityContextFactory.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/oauth/WithMockOAuth2SecurityContextFactory.java index 86ba6780b..081ce5be6 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/oauth/WithMockOAuth2SecurityContextFactory.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/oauth/WithMockOAuth2SecurityContextFactory.java @@ -51,7 +51,7 @@ private Authentication buildExternalUserAuthentication(WithMockOAuthUser annotat userAuth.setSourceClass(SamlExternalAuthenticationToken.class.getName()); additionalInfo.put("type", "saml"); - additionalInfo.put("epuid", "epuid"); + additionalInfo.put("EPUID", "EPUID"); additionalInfo.put("ipdId", "idpid"); } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/saml/SamlSecurityContextBuilder.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/saml/SamlSecurityContextBuilder.java index 364ba30a2..a3b4c2073 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/saml/SamlSecurityContextBuilder.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/saml/SamlSecurityContextBuilder.java @@ -12,7 +12,9 @@ import it.infn.mw.iam.authn.saml.SamlExternalAuthenticationToken; import it.infn.mw.iam.authn.saml.util.SamlAttributeNames; -import it.infn.mw.iam.test.ext_authn.saml.SamlExternalAuthenticationTestSupport; +import it.infn.mw.iam.persistence.model.IamSamlId; + +import it.infn.mw.iam.test.ext_authn.saml.SamlAuthenticationTestSupport; import it.infn.mw.iam.test.util.SecurityContextBuilderSupport; public class SamlSecurityContextBuilder extends SecurityContextBuilderSupport { @@ -23,7 +25,7 @@ public class SamlSecurityContextBuilder extends SecurityContextBuilderSupport { public SamlSecurityContextBuilder() { samlCredential = Mockito.mock(SAMLCredential.class); - issuer = SamlExternalAuthenticationTestSupport.DEFAULT_IDP_ID; + issuer = SamlAuthenticationTestSupport.DEFAULT_IDP_ID; subject = "test-saml-user"; } @@ -60,7 +62,9 @@ public SecurityContext buildSecurityContext() { ExpiringUsernameAuthenticationToken samlToken = new ExpiringUsernameAuthenticationToken( expirationTime, subject, samlCredential, authorities); - SamlExternalAuthenticationToken token = new SamlExternalAuthenticationToken(samlToken, + IamSamlId samlId = new IamSamlId(issuer, subjectAttribute, subject); + + SamlExternalAuthenticationToken token = new SamlExternalAuthenticationToken(samlId, samlToken, samlToken.getTokenExpiration(), subject, samlToken.getCredentials(), authorities); context.setAuthentication(token); diff --git a/iam-login-service/src/test/resources/x509/test0.cert.pem b/iam-login-service/src/test/resources/x509/test0.cert.pem new file mode 100644 index 000000000..3cd77ed08 --- /dev/null +++ b/iam-login-service/src/test/resources/x509/test0.cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX +DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw +hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R +BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc +CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK +2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al +xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop +kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx +d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu +SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf +49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg +C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N +vDxcPMc/wmnMa+smNal0sJ6m +-----END CERTIFICATE----- diff --git a/iam-login-service/src/test/resources/x509/test1.cert.pem b/iam-login-service/src/test/resources/x509/test1.cert.pem new file mode 100644 index 000000000..f9f30bb88 --- /dev/null +++ b/iam-login-service/src/test/resources/x509/test1.cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCjANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNloX +DTIyMDkyNDE1MzkzNlowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDO2F8D +NrQdKFgiCs4dN3kX2TyNHjU0dgT0f5qGDC4GJgKfk5t7Ng2NVyRV88K+0J0mDpFU +hkj62+c1q1NjrTIeeBNpoGTSGZxqmxrW6Hq1M14B4A4eDZ6YaAwebUI0fkVtBeBw +BYipD1GHdjc0k8hYHeCzGX0bHNBDZoO3ZJKY7eLs53XrfoFMUZk9/FtajYv9O62C +fSRlg0AFawE381MugItq9OtBnEqiLwPn0XTAERnWBFQECGAh46kwkRGj5lP0fvaf +pxS9cPPIlo0N3KYohvfwijQCfzwV3bx58Fji+zP7CqCIWTK8yA6Uo9XeOoAAYb4x +nRnl7vYIOozwRPDnAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +3SXxWzgrZxUa87ZY5z/MyGoUSp4wDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQBqK1U+qSmU1JTk4dweL6EMFJD9HDmGQ25ARdv1ZpDcIXSPnyjSRsYJ6Sjwwc2h +geaB6b7wrjhGBvlQcBJ6IzSVVcc/Y3VAACv71S4MXraVcBFhcGMUjOW+mw17PWii +kGEBu+i+oqaTYKiRFWGTDoe+acqvTQ897Qoe0r71VI0SkTgz94x1n5E2ZXKmKIqs +z1XZKUBiqC1I2bbc0wngjgAG7HvFY1de1bKFzF5bb/BUFdbhkmttdXJF95vRIU95 +gZFUheJM+2gn4eGiQ/eP3z6MSXIBZIHLL6R39sqnzFRiNjmKBMS5aiE6bMvX0zPO +SW48tIO/s70PbIKhetfAWddh +-----END CERTIFICATE----- diff --git a/iam-persistence/pom.xml b/iam-persistence/pom.xml index 237a322a8..0a4919884 100644 --- a/iam-persistence/pom.xml +++ b/iam-persistence/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 0.6.0 + 1.0.0 iam-persistence diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/core/IamProperties.java b/iam-persistence/src/main/java/it/infn/mw/iam/core/IamProperties.java index 65e240b59..3a35dda4d 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/core/IamProperties.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/core/IamProperties.java @@ -4,7 +4,7 @@ public enum IamProperties { INSTANCE; - private String organisationName; + private String organisationName = "indigo-dc"; private IamProperties() { diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamAccount.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamAccount.java index e2f478422..03af1529b 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamAccount.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamAccount.java @@ -2,6 +2,7 @@ import static com.google.common.base.Preconditions.checkNotNull; +import java.io.Serializable; import java.util.Collection; import java.util.Date; import java.util.HashSet; @@ -35,7 +36,12 @@ */ @Entity @Table(name = "iam_account") -public class IamAccount { +public class IamAccount implements Serializable{ + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) @@ -56,15 +62,22 @@ public class IamAccount { @Temporal(TemporalType.TIMESTAMP) @Column(nullable = false) - Date creationTime; + private Date creationTime; @Temporal(TemporalType.TIMESTAMP) @Column(nullable = false) - Date lastUpdateTime; + private Date lastUpdateTime; + + @Column(name = "provisioned", nullable = false) + private boolean provisioned = false; @OneToOne(cascade = CascadeType.ALL) @JoinColumn(name = "user_info_id") private IamUserInfo userInfo; + + @Temporal(TemporalType.TIMESTAMP) + @Column(name="last_login_time", nullable = true) + private Date lastLoginTime; @ManyToMany @JoinTable(name = "iam_account_authority", @@ -330,8 +343,16 @@ public void unlinkSshKeys(Collection ids) { public void linkX509Certificates(Collection ids) { checkNotNull(ids); + for (IamX509Certificate id : ids) { - link(x509Certificates, id, this); + if (!getX509Certificates().contains(id)) { + Date addedTimestamp = new Date(); + id.setAccount(this); + id.setCreationTime(addedTimestamp); + id.setLastUpdateTime(addedTimestamp); + + getX509Certificates().add(id); + } } } @@ -455,15 +476,38 @@ public boolean equals(final Object obj) { return true; } + public boolean isProvisioned() { + return provisioned; + } + + public void setProvisioned(boolean provisioned) { + this.provisioned = provisioned; + } + + public Date getLastLoginTime() { + return lastLoginTime; + } + + public void setLastLoginTime(Date lastLoginTime) { + this.lastLoginTime = lastLoginTime; + } + @Override public String toString() { - return "IamAccount [id=" + id + ", uuid=" + uuid + ", username=" + username + ", password=" + password + ", active=" + active + ", creationTime=" + creationTime + ", lastUpdateTime=" - + lastUpdateTime + ", userInfo=" + userInfo + ", authorities=" + authorities + ", groups=" - + groups + ", samlIds=" + samlIds + ", oidcIds=" + oidcIds + ", sshKeys=" + sshKeys + + lastUpdateTime + ", provisioned=" + provisioned + ", userInfo=" + userInfo + + ", lastLoginTime=" + lastLoginTime + ", authorities=" + authorities + ", groups=" + groups + + ", samlIds=" + samlIds + ", oidcIds=" + oidcIds + ", sshKeys=" + sshKeys + ", x509Certificates=" + x509Certificates + ", confirmationKey=" + confirmationKey + ", resetKey=" + resetKey + ", registrationRequest=" + registrationRequest + "]"; } + public static IamAccount newAccount() { + IamAccount newAccount = new IamAccount(); + IamUserInfo userInfo = new IamUserInfo(); + userInfo.setIamAccount(newAccount); + newAccount.setUserInfo(userInfo); + return newAccount; + } } diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamAuthority.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamAuthority.java index 9aa641f46..a2706ff35 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamAuthority.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamAuthority.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; + import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; @@ -9,7 +11,12 @@ @Entity @Table(name = "iam_authority") -public class IamAuthority { +public class IamAuthority implements Serializable{ + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamEmailNotification.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamEmailNotification.java index 30bc821b2..c8ab5f428 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamEmailNotification.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamEmailNotification.java @@ -1,5 +1,6 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; import java.util.Date; import java.util.List; @@ -21,7 +22,12 @@ @Entity @Table(name = "iam_email_notification") -public class IamEmailNotification { +public class IamEmailNotification implements Serializable{ + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationAttribute.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationAttribute.java index 3c2be5b60..b2febae23 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationAttribute.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationAttribute.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; + import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; @@ -11,7 +13,12 @@ @Entity @Table(name = "iam_ext_authn_attr") -public class IamExternalAuthenticationAttribute { +public class IamExternalAuthenticationAttribute implements Serializable { + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationDetails.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationDetails.java index a39894a7a..2c97be99a 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationDetails.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationDetails.java @@ -1,5 +1,6 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; import java.util.ArrayList; import java.util.Date; import java.util.List; @@ -17,7 +18,12 @@ @Entity @Table(name = "iam_ext_authn") -public class IamExternalAuthenticationDetails { +public class IamExternalAuthenticationDetails implements Serializable{ + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamGroup.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamGroup.java index c68c61922..e02d7d544 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamGroup.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamGroup.java @@ -1,5 +1,6 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; import java.util.Date; import java.util.HashSet; import java.util.Set; @@ -20,8 +21,13 @@ @Entity @Table(name = "iam_group") -public class IamGroup { +public class IamGroup implements Serializable { + /** + * + */ + private static final long serialVersionUID = 1L; + @Id @GeneratedValue(strategy = GenerationType.IDENTITY) private Long id; @@ -29,7 +35,7 @@ public class IamGroup { @Column(nullable = false, length = 36, unique = true) private String uuid; - @Column(nullable = false, length = 255, unique = true) + @Column(nullable = false, length = 512, unique = true) private String name; @Column(nullable = true, length = 512) diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamNotificationReceiver.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamNotificationReceiver.java index d7500b781..e7fdb1d2a 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamNotificationReceiver.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamNotificationReceiver.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; + import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; @@ -11,7 +13,12 @@ @Entity @Table(name = "iam_notification_receiver") -public class IamNotificationReceiver { +public class IamNotificationReceiver implements Serializable { + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamOidcId.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamOidcId.java index 4231ef36d..b9834b1b5 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamOidcId.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamOidcId.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; + import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; @@ -11,7 +13,12 @@ @Entity @Table(name = "iam_oidc_id") -public class IamOidcId implements IamAccountRef { +public class IamOidcId implements IamAccountRef, Serializable { + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamRegistrationRequest.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamRegistrationRequest.java index f0d831b4a..c6c979767 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamRegistrationRequest.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamRegistrationRequest.java @@ -1,5 +1,6 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; import java.util.Date; import javax.persistence.Column; @@ -19,7 +20,12 @@ @Entity @Table(name = "iam_reg_request") -public class IamRegistrationRequest { +public class IamRegistrationRequest implements Serializable{ + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) @@ -44,7 +50,7 @@ public class IamRegistrationRequest { @Column(nullable = true) private Date lastUpdateTime; - @Column(nullable = true) + @Column(nullable = false) private String notes; public IamRegistrationRequest() {} diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamSamlId.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamSamlId.java index fd7b1dff0..d4ded8115 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamSamlId.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamSamlId.java @@ -1,17 +1,26 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; + import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; import javax.persistence.GenerationType; import javax.persistence.Id; +import javax.persistence.Index; import javax.persistence.JoinColumn; import javax.persistence.ManyToOne; import javax.persistence.Table; @Entity -@Table(name = "iam_saml_id") -public class IamSamlId implements IamAccountRef { +@Table(name = "iam_saml_id", +indexes = {@Index(columnList="idpId,attribute_id,userId", name="IDX_IAM_SAML_ID_1")}) +public class IamSamlId implements IamAccountRef, Serializable { + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) @@ -24,11 +33,16 @@ public class IamSamlId implements IamAccountRef { @Column(nullable = false, length = 256) String idpId; + @Column(name = "attribute_id", nullable=false, length = 256) + String attributeId; + @Column(nullable = false, length = 256) String userId; - public IamSamlId(String idpId, String userId) { + + public IamSamlId(String idpId, String attributeId, String userId) { setIdpId(idpId); + setAttributeId(attributeId); setUserId(userId); } @@ -76,11 +90,20 @@ public void setUserId(String userId) { this.userId = userId; } + + public String getAttributeId() { + return attributeId; + } + + public void setAttributeId(String attributeId) { + this.attributeId = attributeId; + } + @Override public int hashCode() { - final int prime = 31; int result = 1; + result = prime * result + ((attributeId == null) ? 0 : attributeId.hashCode()); result = prime * result + ((idpId == null) ? 0 : idpId.hashCode()); result = prime * result + ((userId == null) ? 0 : userId.hashCode()); return result; @@ -88,7 +111,6 @@ public int hashCode() { @Override public boolean equals(Object obj) { - if (this == obj) return true; if (obj == null) @@ -96,6 +118,11 @@ public boolean equals(Object obj) { if (getClass() != obj.getClass()) return false; IamSamlId other = (IamSamlId) obj; + if (attributeId == null) { + if (other.attributeId != null) + return false; + } else if (!attributeId.equals(other.attributeId)) + return false; if (idpId == null) { if (other.idpId != null) return false; @@ -111,8 +138,8 @@ public boolean equals(Object obj) { @Override public String toString() { - - return "IamSamlId [id=" + id + ", idpId=" + idpId + ", userId=" + userId + "]"; + return "IamSamlId [idpId=" + idpId + ", attributeId=" + attributeId + ", userId=" + userId + + "]"; } } diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamSshKey.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamSshKey.java index 0ecabbb9b..3717b1e0f 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamSshKey.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamSshKey.java @@ -1,5 +1,7 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; + import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; @@ -11,7 +13,12 @@ @Entity @Table(name = "iam_ssh_key") -public class IamSshKey implements IamAccountRef { +public class IamSshKey implements IamAccountRef, Serializable{ + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) @@ -39,7 +46,7 @@ public IamSshKey() { public IamSshKey(String value) { - setValue(value); + setValue(value); } public Long getId() { @@ -107,28 +114,34 @@ public void setPrimary(boolean primary) { @Override public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((value == null) ? 0 : value.hashCode()); - return result; + final int prime = 31; + int result = 1; + result = prime * result + ((value == null) ? 0 : value.hashCode()); + return result; } @Override public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - IamSshKey other = (IamSshKey) obj; - if (value == null) { - if (other.value != null) - return false; - } else if (!value.equals(other.value)) - return false; - return true; + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + IamSshKey other = (IamSshKey) obj; + if (value == null) { + if (other.value != null) + return false; + } else if (!value.equals(other.value)) + return false; + return true; + } + + @Override + public String toString() { + return String.format("IamSshKey [label=%s, fingerprint=%s, primary=%s, value=%s", label, + fingerprint, primary, value); } } diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamUserInfo.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamUserInfo.java index c2b53f3dc..5ffd8fc89 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamUserInfo.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamUserInfo.java @@ -2,6 +2,7 @@ import static it.infn.mw.iam.core.NameUtils.getFormatted; +import java.io.Serializable; import java.util.Set; import javax.persistence.Column; @@ -23,7 +24,7 @@ @Entity @Table(name = "iam_user_info") -public class IamUserInfo implements UserInfo { +public class IamUserInfo implements UserInfo, Serializable{ /** * diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamX509Certificate.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamX509Certificate.java index b0f18ea9c..96ac2f77e 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamX509Certificate.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/model/IamX509Certificate.java @@ -1,5 +1,8 @@ package it.infn.mw.iam.persistence.model; +import java.io.Serializable; +import java.util.Date; + import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.FetchType; @@ -10,10 +13,17 @@ import javax.persistence.Lob; import javax.persistence.ManyToOne; import javax.persistence.Table; +import javax.persistence.Temporal; +import javax.persistence.TemporalType; @Entity @Table(name = "iam_x509_cert") -public class IamX509Certificate implements IamAccountRef { +public class IamX509Certificate implements IamAccountRef, Serializable { + + /** + * + */ + private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.IDENTITY) @@ -22,53 +32,57 @@ public class IamX509Certificate implements IamAccountRef { @Column(nullable = false, length = 36) private String label; - @Column(nullable = false, length = 128, unique = true) - private String certificateSubject; + @Column(name = "subject_dn", nullable = false, length = 128, unique = true) + private String subjectDn; + + @Column(name = "issuer_dn", nullable = false, length = 128) + private String issuerDn; @Lob - @Column(nullable = false, unique = true) + @Column(nullable=true, unique = true) private String certificate; @Column(name = "is_primary") private boolean primary; - @ManyToOne(fetch=FetchType.EAGER) - @JoinColumn(name="account_id") + @Temporal(TemporalType.TIMESTAMP) + @Column(name="creation_time", nullable = false) + Date creationTime; + + @Temporal(TemporalType.TIMESTAMP) + @Column(name="last_update_time", nullable = false) + Date lastUpdateTime; + + @ManyToOne(fetch = FetchType.EAGER) + @JoinColumn(name = "account_id") private IamAccount account; public IamX509Certificate() {} - - public IamX509Certificate(String certificate) { - - this.setCertificate(certificate); - } - + + @Override public int hashCode() { - - final int prime = 31; - int result = 1; - result = prime * result - + ((certificate == null) ? 0 : certificate.hashCode()); - return result; + final int prime = 31; + int result = 1; + result = prime * result + ((subjectDn == null) ? 0 : subjectDn.hashCode()); + return result; } @Override public boolean equals(Object obj) { - - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - IamX509Certificate other = (IamX509Certificate) obj; - if (certificate == null) { - if (other.certificate != null) - return false; - } else if (!certificate.equals(other.certificate)) - return false; - return true; + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + IamX509Certificate other = (IamX509Certificate) obj; + if (subjectDn == null) { + if (other.subjectDn != null) + return false; + } else if (!subjectDn.equals(other.subjectDn)) + return false; + return true; } @Override @@ -77,9 +91,9 @@ public IamAccount getAccount() { return account; } - public String getCertificateSubject() { + public String getSubjectDn() { - return certificateSubject; + return subjectDn; } public String getCertificate() { @@ -108,9 +122,9 @@ public void setAccount(IamAccount account) { this.account = account; } - public void setCertificateSubject(String certificateSubject) { + public void setSubjectDn(String certificateSubject) { - this.certificateSubject = certificateSubject; + this.subjectDn = certificateSubject; } public void setCertificate(String certificate) { @@ -133,4 +147,34 @@ public void setPrimary(boolean primary) { this.primary = primary; } + public String getIssuerDn() { + return issuerDn; + } + + public void setIssuerDn(String issuerDn) { + this.issuerDn = issuerDn; + } + + public Date getCreationTime() { + return creationTime; + } + + public void setCreationTime(Date creationTime) { + this.creationTime = creationTime; + } + + public Date getLastUpdateTime() { + return lastUpdateTime; + } + + public void setLastUpdateTime(Date lastUpdateTime) { + this.lastUpdateTime = lastUpdateTime; + } + + @Override + public String toString() { + return "IamX509Certificate [label=" + label + ", subjectDn=" + subjectDn + ", issuerDn=" + + issuerDn + ", certificate=" + certificate + ", primary=" + primary + ", creationTime=" + + creationTime + ", lastUpdateTime=" + lastUpdateTime + "]"; + } } diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepository.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepository.java index 9eba49314..a27fe8e44 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepository.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepository.java @@ -1,5 +1,6 @@ package it.infn.mw.iam.persistence.repository; +import java.util.Date; import java.util.List; import java.util.Optional; @@ -9,7 +10,9 @@ import it.infn.mw.iam.persistence.model.IamAccount; -public interface IamAccountRepository extends PagingAndSortingRepository { + +public interface IamAccountRepository + extends PagingAndSortingRepository, IamAccountRepositoryCustom { @Query("select count(a) from IamAccount a") int countAllUsers(); @@ -18,8 +21,10 @@ public interface IamAccountRepository extends PagingAndSortingRepository findByUsername(@Param("username") String username); - @Query("select a from IamAccount a join a.samlIds si where si.idpId = :idpId and si.userId = :subject") - Optional findBySamlId(@Param("idpId") String idpId, @Param("subject") String subject); + @Query("select a from IamAccount a join a.samlIds si where si.idpId = :idpId " + + "and si.attributeId = :attributeId and si.userId = :userId") + Optional findBySamlId(@Param("idpId") String idpId, + @Param("attributeId") String attributeId, @Param("userId") String userId); @Query("select a from IamAccount a join a.oidcIds oi where oi.issuer = :issuer and oi.subject = :subject") Optional findByOidcId(@Param("issuer") String issuer, @@ -45,7 +50,7 @@ Optional findByUsernameWithDifferentUUID(@Param("username") String u Optional findByEmailWithDifferentUUID(@Param("emailAddress") String emailAddress, @Param("uuid") String uuid); - @Query("select a from IamAccount a join a.x509Certificates c where c.certificateSubject = :subject") + @Query("select a from IamAccount a join a.x509Certificates c where c.subjectDn = :subject") Optional findByCertificateSubject(@Param("subject") String subject); @Query("select a from IamAccount a join a.x509Certificates c where c.certificate = :certificate") @@ -60,4 +65,9 @@ Optional findByEmailWithDifferentUUID(@Param("emailAddress") String @Query("select a from IamAccount a join a.authorities auth where auth.authority = :authority") List findByAuthority(@Param("authority") String authority); + + @Query("select a from IamAccount a where a.provisioned = true and a.lastLoginTime < :timestamp") + List findProvisionedAccountsWithLastLoginTimeBeforeTimestamp( + @Param("timestamp") Date timestamp); + } diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepositoryCustom.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepositoryCustom.java new file mode 100644 index 000000000..1bf991660 --- /dev/null +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepositoryCustom.java @@ -0,0 +1,13 @@ +package it.infn.mw.iam.persistence.repository; + +import java.util.Optional; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; + +public interface IamAccountRepositoryCustom { + + Optional findBySamlId(IamSamlId samlId); + void touchLastLoginTimeForUserWithUsername(String username); + +} diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepositoryImpl.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepositoryImpl.java new file mode 100644 index 000000000..4335e71bb --- /dev/null +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamAccountRepositoryImpl.java @@ -0,0 +1,34 @@ +package it.infn.mw.iam.persistence.repository; + + +import java.util.Date; +import java.util.Optional; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import it.infn.mw.iam.persistence.model.IamAccount; +import it.infn.mw.iam.persistence.model.IamSamlId; + +@Component +public class IamAccountRepositoryImpl implements IamAccountRepositoryCustom { + + @Autowired + IamAccountRepository repo; + + @Override + public Optional findBySamlId(IamSamlId samlId) { + return repo.findBySamlId(samlId.getIdpId(), samlId.getAttributeId(), + samlId.getUserId()); + } + + + @Override + public void touchLastLoginTimeForUserWithUsername(String username) { + repo.findByUsername(username).ifPresent( a -> { + a.setLastLoginTime(new Date()); + repo.save(a); + }); + } + +} diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamOAuthAccessTokenRepository.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamOAuthAccessTokenRepository.java index 4d5f5a53d..686c619ea 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamOAuthAccessTokenRepository.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamOAuthAccessTokenRepository.java @@ -1,8 +1,11 @@ package it.infn.mw.iam.persistence.repository; +import java.util.Date; import java.util.List; import org.mitre.oauth2.model.OAuth2AccessTokenEntity; +import org.springframework.data.domain.Page; +import org.springframework.data.domain.Pageable; import org.springframework.data.jpa.repository.Query; import org.springframework.data.repository.PagingAndSortingRepository; import org.springframework.data.repository.query.Param; @@ -11,6 +14,36 @@ public interface IamOAuthAccessTokenRepository extends PagingAndSortingRepository { @Query("select t from OAuth2AccessTokenEntity t where t.authenticationHolder.userAuth.name = :userId " - + "and (t.expiration is NULL or t.expiration > CURRENT_TIMESTAMP)") - List findValidAccessTokensForUser(@Param("userId") String userId); + + "and (t.expiration is NULL or t.expiration > :timestamp)") + List findValidAccessTokensForUser(@Param("userId") String userId, + @Param("timestamp") Date timestamp); + + @Query("select t from OAuth2AccessTokenEntity t " + + "where (t.authenticationHolder.userAuth.name = :userId) " + + "and (t.expiration is NULL or t.expiration > :timestamp) " + + "order by t.expiration") + Page findValidAccessTokensForUser(@Param("userId") String userId, + @Param("timestamp") Date timestamp, Pageable op); + + @Query("select t from OAuth2AccessTokenEntity t " + + "where (t.authenticationHolder.clientId = :clientId) " + + "and (t.expiration is NULL or t.expiration > :timestamp) " + + "order by t.expiration") + Page findValidAccessTokensForClient(@Param("clientId") String clientId, + @Param("timestamp") Date timestamp, Pageable op); + + @Query("select t from OAuth2AccessTokenEntity t " + + "where (t.authenticationHolder.userAuth.name = :userId) " + + "and (t.authenticationHolder.clientId = :clientId) " + + "and (t.expiration is NULL or t.expiration > :timestamp) " + + "order by t.expiration") + Page findValidAccessTokensForUserAndClient( + @Param("userId") String userId, @Param("clientId") String clientId, + @Param("timestamp") Date timestamp, Pageable op); + + @Query("select t from OAuth2AccessTokenEntity t " + + "where (t.expiration is NULL or t.expiration > :timestamp) " + + "order by t.expiration") + Page findAllValidAccessTokens(@Param("timestamp") Date timestamp, + Pageable op); } diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamOAuthRefreshTokenRepository.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamOAuthRefreshTokenRepository.java index c6d38a383..963dc3951 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamOAuthRefreshTokenRepository.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamOAuthRefreshTokenRepository.java @@ -1,15 +1,45 @@ package it.infn.mw.iam.persistence.repository; -import java.util.List; - import org.mitre.oauth2.model.OAuth2RefreshTokenEntity; +import org.springframework.data.domain.Page; +import org.springframework.data.domain.Pageable; import org.springframework.data.jpa.repository.Query; import org.springframework.data.repository.PagingAndSortingRepository; import org.springframework.data.repository.query.Param; +import java.util.Date; +import java.util.List; + public interface IamOAuthRefreshTokenRepository extends PagingAndSortingRepository { + @Query("select t from OAuth2RefreshTokenEntity t where t.authenticationHolder.userAuth.name = :userId " - + "and (t.expiration is NULL or t.expiration > CURRENT_TIMESTAMP)") - List findValidRefreshTokensForUser(@Param("userId") String userId); + + "and (t.expiration is NULL or t.expiration > :timestamp)") + List findValidRefreshTokensForUser(@Param("userId") String userId, + @Param("timestamp") Date timestamp); + + @Query("select t from OAuth2RefreshTokenEntity t " + + "where (t.authenticationHolder.userAuth.name = :userId) " + + "and (t.expiration is NULL or t.expiration > :timestamp) " + " order by t.expiration") + Page findValidRefreshTokensForUser(@Param("userId") String userId, + @Param("timestamp") Date timestamp, Pageable op); + + @Query("select t from OAuth2RefreshTokenEntity t " + + "where (t.authenticationHolder.clientId = :clientId) " + + "and (t.expiration is NULL or t.expiration > :timestamp) " + "order by t.expiration") + Page findValidRefreshTokensForClient(@Param("clientId") String clientId, + @Param("timestamp") Date timestamp, Pageable op); + + @Query("select t from OAuth2RefreshTokenEntity t " + + "where (t.authenticationHolder.userAuth.name = :userId) " + + "and (t.authenticationHolder.clientId = :clientId) " + + "and (t.expiration is NULL or t.expiration > :timestamp) " + "order by t.expiration") + Page findValidRefreshTokensForUserAndClient( + @Param("userId") String userId, @Param("clientId") String clientId, + @Param("timestamp") Date timestamp, Pageable op); + + @Query("select t from OAuth2RefreshTokenEntity t " + + "where (t.expiration is NULL or t.expiration > :timestamp) " + "order by t.expiration") + Page findAllValidRefreshTokens(@Param("timestamp") Date timestamp, + Pageable op); } diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamRegistrationRequestRepository.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamRegistrationRequestRepository.java index 8034608c7..53e3fc3f8 100644 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamRegistrationRequestRepository.java +++ b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamRegistrationRequestRepository.java @@ -23,5 +23,5 @@ Optional findByAccountConfirmationKey( @Param("confirmationKey") String confirmationKey); @Query("select r from IamRegistrationRequest r where r.status = it.infn.mw.iam.core.IamRegistrationRequestStatus.NEW or r.status = it.infn.mw.iam.core.IamRegistrationRequestStatus.CONFIRMED") - Optional> findPendingRequests(); + List findPendingRequests(); } diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamX509CertificateRepository.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamX509CertificateRepository.java deleted file mode 100644 index 446e6c8b4..000000000 --- a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/repository/IamX509CertificateRepository.java +++ /dev/null @@ -1,22 +0,0 @@ -package it.infn.mw.iam.persistence.repository; - -import java.util.Optional; - -import org.springframework.data.jpa.repository.Query; -import org.springframework.data.repository.CrudRepository; -import org.springframework.data.repository.query.Param; - -import it.infn.mw.iam.persistence.model.IamX509Certificate; - -public interface IamX509CertificateRepository extends CrudRepository { - - Optional findByCertificate(@Param("Certificate") String certificate); - - @Query("select c from IamX509Certificate c join c.account a where c.certificate = :certificate and a.uuid = :uuid") - Optional findByCertificateAndUuid(@Param("certificate") String certificate, - @Param("uuid") String uuid); - - Optional findByCertificateAndLabelAndCertificateSubject( - @Param("Certificate") String certificate, @Param("Label") String label, - @Param("CertificateSubject") String certificateSubject); -} diff --git a/iam-persistence/src/main/resources/db/migration/h2/V13__add_attribute_id_to_saml_id_table.sql b/iam-persistence/src/main/resources/db/migration/h2/V13__add_attribute_id_to_saml_id_table.sql new file mode 100644 index 000000000..e3be8de1d --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/h2/V13__add_attribute_id_to_saml_id_table.sql @@ -0,0 +1,8 @@ +-- Add attribute_id column +ALTER TABLE iam_saml_id ADD COLUMN (attribute_id varchar(256)); +-- Create index +CREATE INDEX IDX_IAM_SAML_ID_1 ON iam_saml_id(IDPID, attribute_id, USERID); +-- Update existing records, so that epuid is the default attribute id +update iam_saml_id set attribute_id = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.13' where attribute_id is NULL; +-- Add not null constraint on attribute id +ALTER TABLE iam_saml_id ALTER COLUMN attribute_id varchar(256) NOT NULL; \ No newline at end of file diff --git a/iam-persistence/src/main/resources/db/migration/h2/V14___x509_certs_table_changes.sql b/iam-persistence/src/main/resources/db/migration/h2/V14___x509_certs_table_changes.sql new file mode 100644 index 000000000..06bfd8c20 --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/h2/V14___x509_certs_table_changes.sql @@ -0,0 +1,12 @@ +-- Drop not-null constraint on certificate +ALTER TABLE iam_x509_cert ALTER COLUMN CERTIFICATE SET NULL; +-- Add unique index on certificate +ALTER TABLE iam_x509_cert ADD CONSTRAINT uniq_iam_x509_cert_cerificate UNIQUE(certificate) CHECK; +-- Rename certificatesubject to subject_dn +ALTER TABLE iam_x509_cert ALTER COLUMN CERTIFICATESUBJECT RENAME TO subject_dn; +-- Add issuer_dn column +ALTER TABLE iam_x509_cert ADD COLUMN issuer_dn VARCHAR(128) NOT NULL; +-- Add creation_time column +ALTER TABLE iam_x509_cert ADD COLUMN creation_time TIMESTAMP NOT NULL; +-- Add last_update_time column +ALTER TABLE iam_x509_cert ADD COLUMN last_update_time TIMESTAMP NOT NULL; \ No newline at end of file diff --git a/iam-persistence/src/main/resources/db/migration/h2/V15__alter_iam_group.sql b/iam-persistence/src/main/resources/db/migration/h2/V15__alter_iam_group.sql new file mode 100644 index 000000000..5df225cb7 --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/h2/V15__alter_iam_group.sql @@ -0,0 +1 @@ +ALTER TABLE iam_group ALTER COLUMN name varchar(512) NOT NULL; \ No newline at end of file diff --git a/iam-persistence/src/main/resources/db/migration/h2/V16__add_provisioned_column_to_iam_account.sql b/iam-persistence/src/main/resources/db/migration/h2/V16__add_provisioned_column_to_iam_account.sql new file mode 100644 index 000000000..d74348850 --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/h2/V16__add_provisioned_column_to_iam_account.sql @@ -0,0 +1,6 @@ +ALTER TABLE iam_account ADD provisioned BOOLEAN; +update iam_account set provisioned = false; +ALTER TABLE iam_account ALTER COLUMN provisioned SET NOT NULL; +ALTER TABLE iam_account ALTER COLUMN provisioned SET DEFAULT false; +-- Add last login time column +ALTER TABLE iam_account ADD last_login_time TIMESTAMP; \ No newline at end of file diff --git a/iam-persistence/src/main/resources/db/migration/mysql/V13__add_attribute_id_to_saml_id_table.sql b/iam-persistence/src/main/resources/db/migration/mysql/V13__add_attribute_id_to_saml_id_table.sql new file mode 100644 index 000000000..c30f0b049 --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/mysql/V13__add_attribute_id_to_saml_id_table.sql @@ -0,0 +1,8 @@ +-- Add attribute_id column +ALTER TABLE iam_saml_id ADD COLUMN (attribute_id varchar(256)); +-- Create index +CREATE INDEX IDX_IAM_SAML_ID_1 ON iam_saml_id(IDPID, attribute_id, USERID); +-- Update existing records, so that epuid is the default attribute id +update iam_saml_id set attribute_id = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.13' where attribute_id is NULL; +-- Add not null constraint on attribute id +ALTER TABLE iam_saml_id MODIFY attribute_id varchar(256) NOT NULL; \ No newline at end of file diff --git a/iam-persistence/src/main/resources/db/migration/mysql/V14___x509_certs_table_changes.sql b/iam-persistence/src/main/resources/db/migration/mysql/V14___x509_certs_table_changes.sql new file mode 100644 index 000000000..dd0a905e7 --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/mysql/V14___x509_certs_table_changes.sql @@ -0,0 +1,14 @@ +-- Drop not-null constraint on certificate +ALTER TABLE iam_x509_cert MODIFY COLUMN CERTIFICATE TEXT NULL; +-- Add unique index on certificate +CREATE UNIQUE INDEX idx_iam_x509_cert_cerificate on iam_x509_cert(certificate(256)); +-- Drop certificatesubject unique index +ALTER TABLE iam_x509_cert drop index CERTIFICATESUBJECT; +-- Rename certificatesubject to subject_dn +ALTER TABLE iam_x509_cert CHANGE COLUMN CERTIFICATESUBJECT subject_dn VARCHAR(128) NOT NULL UNIQUE; +-- Add issuer_dn column +ALTER TABLE iam_x509_cert ADD COLUMN issuer_dn VARCHAR(128) NOT NULL; +-- Add creation_time column +ALTER TABLE iam_x509_cert ADD COLUMN creation_time DATETIME NOT NULL; +-- Add last_update_time column +ALTER TABLE iam_x509_cert ADD COLUMN last_update_time DATETIME NOT NULL; \ No newline at end of file diff --git a/iam-persistence/src/main/resources/db/migration/mysql/V15__alter_iam_group.sql b/iam-persistence/src/main/resources/db/migration/mysql/V15__alter_iam_group.sql new file mode 100644 index 000000000..823b989df --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/mysql/V15__alter_iam_group.sql @@ -0,0 +1 @@ +ALTER TABLE iam_group MODIFY name varchar(512) NOT NULL; \ No newline at end of file diff --git a/iam-persistence/src/main/resources/db/migration/mysql/V16__add_provisioned_column_to_iam_account.sql b/iam-persistence/src/main/resources/db/migration/mysql/V16__add_provisioned_column_to_iam_account.sql new file mode 100644 index 000000000..465198d58 --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/mysql/V16__add_provisioned_column_to_iam_account.sql @@ -0,0 +1,5 @@ +ALTER TABLE iam_account ADD provisioned TINYINT(1) default 0; +update iam_account set provisioned = false; +ALTER TABLE iam_account MODIFY provisioned TINYINT(1) default 0 NOT NULL; +-- Add last login time column +ALTER TABLE iam_account ADD last_login_time DATETIME; \ No newline at end of file diff --git a/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql b/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql index b0c70048f..53ee5b94c 100644 --- a/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql +++ b/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql @@ -101,6 +101,7 @@ INSERT INTO client_grant_type (owner_id, grant_type) VALUES (4, 'password'), (4, 'client_credentials'), (5, 'password'), + (5, 'refresh_token'), (6, 'client_credentials'), (7, 'client_credentials'), (8, 'urn:ietf:params:oauth:grant-type:token-exchange'), @@ -126,9 +127,35 @@ INSERT INTO iam_oidc_id(issuer, subject, account_id) VALUES ('https://accounts.google.com', '105440632287425289613', 2), ('urn:test-oidc-issuer', 'test-user', 2); -INSERT INTO iam_saml_id(idpid, userid, account_id) VALUES -('https://idptestbed/idp/shibboleth', 'andrea.ceccanti@example.org',2), -('https://idptestbed/idp/shibboleth', '78901@idptestbed',2); +INSERT INTO iam_saml_id(idpid, attribute_id, userid, account_id) VALUES +('https://idptestbed/idp/shibboleth', 'urn:oid:0.9.2342.19200300.100.1.3', 'andrea.ceccanti@example.org',2), +('https://idptestbed/idp/shibboleth', 'urn:oid:1.3.6.1.4.1.5923.1.1.1.13', '78901@idptestbed',2); + +INSERT INTO iam_x509_cert(label,subject_dn,issuer_dn, is_primary,certificate,creation_time, last_update_time,account_id) VALUES +('test2 cert', 'CN=test2,O=IGI,C=IT', 'CN=Test CA,O=IGI,C=IT',true, +'-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCzANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzOFoX +DTIyMDkyNDE1MzkzOFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEYYwo +eq5ucXGsIZqI5V30OmEZTLzz3TCtFSp+DWbFHAeiiZNNktK44udHV+kwTjSxHTUJ +P9RIvCAIMggtvibesXrTp1UHAF6p1d2GaUmU+mc/y7zRESxuSXx+SqWCwBOVxOzj +Dhm9oWlg3TSNctV2qv0HR2t8hsnfsQShULwaUJmQZ1fBfDN6HL5ITe77ptXB84Hz +MAmNv0ckoQmVGtlVhoasppTgMhoWvBSguT1FGw7A/a8ZzQZV8rC1BP/1LZtRitHm +stErUyULBjQekpu3VhGFJLCFD3fcyjoBKsIxCm62NhzHLOF8RE+kW05MRGrUu007 +CuV3yCDZOixIAxKVAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +XNkN/hv+aBr6hqNqYm1VaiEAvpcwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQBOavmIRcBqWnGFmcEp8zJ+cR3k02UcM0Xg7/vAnxJ7JziniMJLyBrxAaW1j2f6 +qJrap9rK+aukhovInTSrdWKM6y5ceY0w7u4nsu8Y3lRf3g9e766iuY3NfflDZE2N +s3JuHZljwx7NGEOrr/Wi5Q1g9JVJcK+A+aB3vPLoS/Uc95ibdqJKHVG0rcKLnqR6 +AVvzyPxJtpwk4yy4V+juBZib2SImBWJ7C5VHuHLMAOxtNV84CIXpdvLKfA1Bjf3W +UMrcvhN03L72j9IR0WEZlFMfYbxv1gbNbo+fhVo3itHI3lTl0K0BD5bOP0LqtARL +gZ9zFVlxWHcKUqQ41ZQXNg7U +-----END CERTIFICATE-----', +CURRENT_TIMESTAMP(), CURRENT_TIMESTAMP(),1); INSERT INTO iam_group(id, name, uuid, description, creationtime, lastupdatetime) VALUES (1, 'Production', 'c617d586-54e6-411d-8e38-64967798fa8a', 'The production group', CURRENT_TIMESTAMP(), CURRENT_TIMESTAMP()), diff --git a/iam-persistence/src/main/resources/db/migration/test/V11_1__no_attr_id_saml_account_for_admin_user.sql b/iam-persistence/src/main/resources/db/migration/test/V11_1__no_attr_id_saml_account_for_admin_user.sql new file mode 100644 index 000000000..ee66ffb5d --- /dev/null +++ b/iam-persistence/src/main/resources/db/migration/test/V11_1__no_attr_id_saml_account_for_admin_user.sql @@ -0,0 +1,5 @@ +-- Insert SAML account id for admin user to check that +-- the database migration logic in v12 updates the record as +-- expected +INSERT INTO iam_saml_id(idpid, userid, account_id) VALUES +('https://idptestbed/idp/shibboleth', 'admin@example.org',1); \ No newline at end of file diff --git a/iam-test-client/pom.xml b/iam-test-client/pom.xml index 70618cb89..fad4dca59 100644 --- a/iam-test-client/pom.xml +++ b/iam-test-client/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 0.6.0 + 1.0.0 iam-test-client diff --git a/iam-test-protected-resource/pom.xml b/iam-test-protected-resource/pom.xml index 51833d763..f66ce12f8 100644 --- a/iam-test-protected-resource/pom.xml +++ b/iam-test-protected-resource/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 0.6.0 + 1.0.0 iam-test-protected-resource diff --git a/jenkins/Jenkinsfile.coverage b/jenkins/Jenkinsfile.coverage new file mode 100644 index 000000000..34840c524 --- /dev/null +++ b/jenkins/Jenkinsfile.coverage @@ -0,0 +1,47 @@ +pipeline { + agent { label 'maven' } + + options { + timeout(time: 1, unit: 'HOURS') + buildDiscarder(logRotator(numToKeepStr: '5')) + } + + stages { + stage('checkout') { + steps { + git(url: 'https://github.com/indigo-iam/iam.git', branch: env.BRANCH_NAME) + stash name: 'code', useDefaultExcludes: false + } + } + + stage('coverage') { + steps { + unstash 'code' + sh 'mvn -B clean cobertura:cobertura' + + publishHTML(target: [ + reportName : 'Cobertura Report', + reportDir : 'iam-login-service/target/site/cobertura/', + reportFiles : 'index.html', + keepAll : true, + alwaysLinkToLastBuild: true, + allowMissing : false + ]) + } + } + } + + post { + success { + slackSend channel: "#iam", color: 'good', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Success (<${env.BUILD_URL}|Open>)" + } + + unstable { + slackSend channel: "#iam", color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Unstable (<${env.BUILD_URL}|Open>)" + } + + failure { + slackSend channel: "#iam", color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Failure (<${env.BUILD_URL}|Open>)" + } + } +} diff --git a/pom.xml b/pom.xml index 121fca9fb..76418c772 100644 --- a/pom.xml +++ b/pom.xml @@ -9,9 +9,9 @@ it.infn.mw iam-parent - 0.6.0 + 1.0.0 pom - IAM Parent POM + INDIGO Identity and Access Manager (IAM) UTF-8 @@ -23,15 +23,15 @@ 1.3.0.cnaf-SNAPSHOT 1.0.1.RELEASE - 1.3.5.RELEASE + 1.3.8.RELEASE - 0.32 + 0.32 1.5.3 1.3.3 1.0.0-beta.3 - 0.17.1 + 0.19.6 1.3.11 - 4.6.3 + 4.7.0 ?? 2.1.1 @@ -66,8 +66,8 @@ org.webjars - webjars-locator - ${webjars-locator.version} + webjars-locator-core + ${webjars-locator-core.version} org.webjars @@ -319,11 +319,19 @@ ${project.build.outputDirectory}/git.properties + + + org.jacoco + jacoco-maven-plugin + 0.7.9 + + org.codehaus.mojo cobertura-maven-plugin 2.7 + true html xml diff --git a/rpm/SOURCES/iam-login-service b/rpm/SOURCES/iam-login-service new file mode 100644 index 000000000..5632486ca --- /dev/null +++ b/rpm/SOURCES/iam-login-service @@ -0,0 +1,37 @@ +# Java VM arguments +IAM_JAVA_OPTS=-Dspring.profiles.active=prod,registration + +# Generic options +IAM_BASE_URL=https://iam.example.org +IAM_ISSUER=https://iam.example.org/ +IAM_USE_FORWARDED_HEADERS=true +#IAM_KEY_STORE_LOCATION=file:///var/lib/indigo/iam-login-service/keystore.jks +IAM_ORGANISATION_NAME=indigo-dc + +# Database connection settings +IAM_DB_HOST=localhost +IAM_DB_PORT=3306 +IAM_DB_NAME=iam_login_service +IAM_DB_USERNAME=iam +IAM_DB_PASSWORD=iam_login_service +IAM_DB_VALIDATION_QUERY=SELECT 1 + +## Google profile settings +#IAM_GOOGLE_CLIENT_ID=define_me_please +#IAM_GOOGLE_CLIENT_SECRET=define_me_please +#IAM_GOOGLE_REDIRECT_URIS=https://iam.example.org/openid_connect_login + +## SAML profile settings +#IAM_SAML_ENTITY_ID=https://iam.example.org +#IAM_SAML_KEYSTORE=file:///var/lib/indigo/iam/iam-login-service/example.ks +#IAM_SAML_KEYSTORE_PASSWORD=define_me_please +#IAM_SAML_KEY_ID=define_me_please +#IAM_SAML_KEY_PASSWORD=define_me_please +#IAM_SAML_IDP_METADATA=file:///var/lib/indigo/iam-login-service/example-metadata-sha256.xml + +# Notification settings +#IAM_NOTIFICATION_DISABLE=true +#IAM_NOTIFICATION_FROM=iam@example.org +#IAM_NOTIFICATION_TASK_DELAY=5000 +#IAM_NOTIFICATION_ADMIN_ADDRESS=iam-support@example.org +#IAM_MAIL_HOST=smtp.example.org diff --git a/rpm/SOURCES/iam-login-service.service b/rpm/SOURCES/iam-login-service.service new file mode 100644 index 000000000..7e51e5b7a --- /dev/null +++ b/rpm/SOURCES/iam-login-service.service @@ -0,0 +1,13 @@ +[Unit] +Description=INDIGO IAM Service +After=syslog.target network.target + +[Service] +EnvironmentFile=/etc/sysconfig/iam-login-service +WorkingDirectory=/var/lib/indigo/iam-login-service +ExecStart=/usr/bin/java ${IAM_JAVA_OPTS} -jar iam-login-service.war +KillMode=process +User=iam + +[Install] +WantedBy=multi-user.target