From 0d3ab23ef5cff0b8d3d34d8f4f9cc15573580352 Mon Sep 17 00:00:00 2001
From: Sae126V <saitejav2021@gmail.com>
Date: Wed, 8 Nov 2023 17:48:28 +0000
Subject: [PATCH 1/4] Add support for admin to customize login layout

---
 .../it/infn/mw/iam/config/IamProperties.java  |  43 +++++
 .../DefaultLoginPageConfiguration.java        |  14 ++
 .../web/loginpage/LoginPageConfiguration.java |   4 +
 .../src/main/resources/application.yml        |   7 +
 .../webapp/WEB-INF/views/iam/login-form.jsp   |  17 +-
 .../main/webapp/WEB-INF/views/iam/login.jsp   | 157 +++++++++++++-----
 .../src/main/webapp/resources/iam/css/iam.css |   5 +-
 7 files changed, 199 insertions(+), 48 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/IamProperties.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/IamProperties.java
index a6793d664..facb0a316 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/config/IamProperties.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/IamProperties.java
@@ -46,6 +46,11 @@ public enum LocalAuthenticationAllowedUsers {
     NONE
   }
 
+  public enum LoginPageLayoutOptions {
+    LOGIN_FORM,
+    LOGIN_EXTERNAL_AUTHN
+  }
+
   public enum LocalAuthenticationLoginPageMode {
     VISIBLE,
     HIDDEN,
@@ -390,6 +395,34 @@ public void setText(String text) {
     }
   }
 
+  public static class LoginPageLayout {
+
+    public enum ExternalAuthnOptions {
+      X509,
+      OIDC,
+      SAML
+    }
+
+    LoginPageLayoutOptions sectionToBeDisplayedFirst;
+    List<ExternalAuthnOptions> externalAuthnOrder;
+
+    public LoginPageLayoutOptions getSectionToBeDisplayedFirst() {
+      return sectionToBeDisplayedFirst;
+    }
+
+    public void setSectionToBeDisplayedFirst(LoginPageLayoutOptions sectionToBeDisplayedFirst) {
+      this.sectionToBeDisplayedFirst = sectionToBeDisplayedFirst;
+    }
+
+    public List<ExternalAuthnOptions> getExternalAuthnOrder() {
+      return externalAuthnOrder;
+    }
+
+    public void setExternalAuthnOrder(List<ExternalAuthnOptions> externalAuthnOrder) {
+      this.externalAuthnOrder = externalAuthnOrder;
+    }
+  }
+
   public static class RegistractionAccessToken {
     long lifetime = -1;
 
@@ -531,6 +564,8 @@ public void setLocation(String location) {
 
   private PrivacyPolicy privacyPolicy = new PrivacyPolicy();
 
+  private LoginPageLayout loginPageLayout = new LoginPageLayout();
+
   private ActuatorUserProperties actuatorUser = new ActuatorUserProperties();
 
   private JWTProfile jwtProfile = new JWTProfile();
@@ -631,6 +666,14 @@ public PrivacyPolicy getPrivacyPolicy() {
     return privacyPolicy;
   }
 
+  public LoginPageLayout getLoginPageLayout() {
+    return loginPageLayout;
+  }
+
+  public void setLoginLayout(LoginPageLayout loginPageLayout) {
+    this.loginPageLayout = loginPageLayout;
+  }
+
   public String getHost() {
     return host;
   }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/DefaultLoginPageConfiguration.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/DefaultLoginPageConfiguration.java
index 46fe84bdc..850a5f094 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/DefaultLoginPageConfiguration.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/DefaultLoginPageConfiguration.java
@@ -31,6 +31,7 @@
 
 import it.infn.mw.iam.config.IamProperties;
 import it.infn.mw.iam.config.IamProperties.Logo;
+import it.infn.mw.iam.config.IamProperties.LoginPageLayout.ExternalAuthnOptions;
 import it.infn.mw.iam.config.oidc.OidcProvider;
 import it.infn.mw.iam.config.oidc.OidcValidatedProviders;
 
@@ -48,6 +49,7 @@ public class DefaultLoginPageConfiguration implements LoginPageConfiguration, En
   private boolean registrationEnabled;
   private boolean localAuthenticationVisible;
   private boolean showLinkToLocalAuthn;
+  private boolean defaultLoginPageLayout;
 
   @Value("${iam.account-linking.enable}")
   private Boolean accountLinkingEnabled;
@@ -74,6 +76,8 @@ public void init() {
       .equals(iamProperties.getLocalAuthn().getLoginPageVisibility());
     showLinkToLocalAuthn = IamProperties.LocalAuthenticationLoginPageMode.HIDDEN_WITH_LINK
       .equals(iamProperties.getLocalAuthn().getLoginPageVisibility());
+    defaultLoginPageLayout = IamProperties.LoginPageLayoutOptions.LOGIN_FORM
+      .equals(iamProperties.getLoginPageLayout().getSectionToBeDisplayedFirst());
   }
 
   @Override
@@ -179,4 +183,14 @@ public boolean isIncludeCustomContent() {
   public String getCustomContentUrl() {
     return iamProperties.getCustomization().getCustomLoginPageContentUrl();
   }
+
+  @Override
+  public boolean isDefaultLoginPageLayout() {
+    return defaultLoginPageLayout;
+  }
+
+  @Override
+  public List<ExternalAuthnOptions> getExternalAuthnOptionsOrder() {
+    return iamProperties.getLoginPageLayout().getExternalAuthnOrder();
+  }
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/LoginPageConfiguration.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/LoginPageConfiguration.java
index ef428d68d..6e516855e 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/LoginPageConfiguration.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/LoginPageConfiguration.java
@@ -19,6 +19,7 @@
 import java.util.Optional;
 
 import it.infn.mw.iam.config.IamProperties.Logo;
+import it.infn.mw.iam.config.IamProperties.LoginPageLayout.ExternalAuthnOptions;
 import it.infn.mw.iam.config.oidc.OidcProvider;
 
 public interface LoginPageConfiguration {
@@ -55,4 +56,7 @@ public interface LoginPageConfiguration {
 
   Logo getLogo();
 
+  boolean isDefaultLoginPageLayout();
+
+  List<ExternalAuthnOptions> getExternalAuthnOptionsOrder();
 }
diff --git a/iam-login-service/src/main/resources/application.yml b/iam-login-service/src/main/resources/application.yml
index bf051419b..681cd9958 100644
--- a/iam-login-service/src/main/resources/application.yml
+++ b/iam-login-service/src/main/resources/application.yml
@@ -181,6 +181,13 @@ iam:
     
   account-linking:
     enable: ${IAM_ACCOUNT_LINKING_ENABLE:true}
+    
+  login-page-layout:
+    section-to-be-displayed-first: ${IAM_LOGIN_LAYOUT_PRIMARY_CHOICE:LOGIN_FORM}
+    external-authn-order:
+      - x509
+      - oidc
+      - saml
 
 redis-cache:
   enabled: ${IAM_REDIS_CACHE_ENABLED:false}
diff --git a/iam-login-service/src/main/webapp/WEB-INF/views/iam/login-form.jsp b/iam-login-service/src/main/webapp/WEB-INF/views/iam/login-form.jsp
index 5b5bf5918..bfe91c528 100644
--- a/iam-login-service/src/main/webapp/WEB-INF/views/iam/login-form.jsp
+++ b/iam-login-service/src/main/webapp/WEB-INF/views/iam/login-form.jsp
@@ -19,8 +19,21 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
 <%@ taglib prefix="t" tagdir="/WEB-INF/tags/iam"%>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
-<form id="login-form" action="/login" method="post">
-  <div class="signin-preamble text-muted">Sign in with your ${iamOrganisationName} credentials</div>
+<c:if test="${loginPageConfiguration.defaultLoginPageLayout}">
+  <c:set value="container-spacer" var="containerSpacer"></c:set>
+</c:if>
+
+<form id="login-form" class="${containerSpacer}" action="/login" method="post">
+  <div class="signin-preamble text-muted">
+    <c:choose>
+      <c:when test="${loginPageConfiguration.defaultLoginPageLayout}">
+        Sign in with your ${iamOrganisationName} credentials
+      </c:when>
+      <c:otherwise>
+        Or sign in with your ${iamOrganisationName} credentials
+      </c:otherwise>
+    </c:choose>
+  </div>
   <div class="form-group">
     <div class="input-group">
       <span class="input-group-addon">
diff --git a/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp b/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp
index 9b6ee9a91..f238a0838 100644
--- a/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp
+++ b/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp
@@ -72,62 +72,129 @@
             <h3>Welcome to <strong>${iamOrganisationName}</strong>
       </h3>
         </div>
+
+        <c:if
+            test="${
+                (
+                    loginPageConfiguration.localAuthenticationVisible
+                    or param.sll != null
+                ) && loginPageConfiguration.defaultLoginPageLayout
+            }"
+        >
+            <jsp:include page="login-form.jsp" />
+        </c:if>
         
-        <c:if test="${loginPageConfiguration.localAuthenticationVisible or param.sll != null}">
-          <jsp:include page="login-form.jsp" />
+        <c:if
+            test="${
+                !loginPageConfiguration.defaultLoginPageLayout
+                || (
+                    !loginPageConfiguration.localAuthenticationVisible
+                    && (param.sll == null or !loginPageConfiguration.defaultLoginPageLayout)
+                )
+            }"
+        >
+            <c:set value="container-spacer" var="containerSpacer"></c:set>
         </c:if>
         
-        <div id="login-external-authn">
+        <div id="login-external-authn" class="${containerSpacer}">
             <c:if
-        test="${loginPageConfiguration.oidcEnabled or loginPageConfiguration.samlEnabled or IAM_X509_CAN_LOGIN}">
-              <div class="ext-login-preamble text-muted">
+                test="${loginPageConfiguration.oidcEnabled or loginPageConfiguration.samlEnabled or IAM_X509_CAN_LOGIN}"
+            >
+                <div class="ext-login-preamble text-muted">
+                    <c:choose>
+                        <c:when
+                            test="${
+                                (
+                                    loginPageConfiguration.localAuthenticationVisible
+                                    && loginPageConfiguration.defaultLoginPageLayout
+                                ) || (
+                                    loginPageConfiguration.defaultLoginPageLayout
+                                    && param.sll != null
+                                )
+                            }"
+                        >
+                            Or sign in with
+                        </c:when>
+                        <c:otherwise>
+                            Sign in with
+                        </c:otherwise>
+                    </c:choose>
+                </div>
+            </c:if>
+
+            <c:forEach items="${loginPageConfiguration.externalAuthnOptionsOrder}" var="externalAuthnMethodName">
                 <c:choose>
-                    <c:when test="${ loginPageConfiguration.localAuthenticationVisible}">Or sign in with</c:when>
-                    <c:otherwise>
-                        Sign in with
-                    </c:otherwise>
+                    <c:when test="${externalAuthnMethodName == 'X509'}">
+                        <c:if test="${IAM_X509_CAN_LOGIN}">
+                            <div id="x509-login" class="ext-authn-login-button">
+                                <a
+                                    class="btn btn-block btn-default"
+                                    href="/dashboard?x509ClientAuth=true"
+                                    title="${IAM_X509_CRED.subject}"
+                                >
+                                    Your X.509 certificate
+                                </a>
+                            </div>
+                        </c:if>
+                    </c:when>
+
+                    <c:when test="${externalAuthnMethodName == 'OIDC'}">
+                        <c:if test="${loginPageConfiguration.oidcEnabled}">
+                            <c:forEach items="${loginPageConfiguration.oidcProviders}" var="provider">
+                                <t:loginButton
+                                    cssClass="ext-authn-login-button"
+                                    href="/openid_connect_login?iss=${provider.issuer}"
+                                    btn="${provider.loginButton}"
+                                    id="oidc-login-${provider.name}"
+                                 />
+                            </c:forEach>
+                        </c:if>
+                    </c:when>
+
+                    <c:when test="${ externalAuthnMethodName == 'SAML'}">
+                        <c:if test="${loginPageConfiguration.samlEnabled}">
+
+                            <!-- WAYF login button -->
+                            <c:if test="${iamSamlProperties.wayfLoginButton.visible}">
+                                <t:loginButton
+                                    href="/saml/login"
+                                    btn="${iamSamlProperties.wayfLoginButton}"
+                                    cssClass="ext-authn-login-button"
+                                    id="saml-login"
+                                />
+                            </c:if>
+
+                            <!-- SAML login shortcuts -->
+                            <c:forEach items="${iamSamlProperties.loginShortcuts}" var="ls">
+                                <c:if test="${ls.enabled}">
+                                    <t:loginButton
+                                        cssClass="ext-authn-login-button"
+                                        href="/saml/login?idp=${ls.entityId}"
+                                        btn="${ls.loginButton}"
+                                        id="saml-login-${ls.name}"
+                                    />
+                                </c:if>
+                            </c:forEach>
+                        </c:if>
+                    </c:when>
                 </c:choose>
-              </div>
-            </c:if>
-            
-            <c:if test="${IAM_X509_CAN_LOGIN}">
-              <div id="x509-login" class="ext-authn-login-button">
-                <a class="btn btn-block btn-default" href="/dashboard?x509ClientAuth=true"
-            title="${IAM_X509_CRED.subject}">
-                  Your X.509 certificate 
-               </a>
-              </div>
-            </c:if>
-            
-            <c:if test="${loginPageConfiguration.oidcEnabled}">
-            	<c:forEach items="${loginPageConfiguration.oidcProviders}" var="provider">
-                <t:loginButton cssClass="ext-authn-login-button" href="/openid_connect_login?iss=${provider.issuer}"
-            btn="${provider.loginButton}" id="oidc-login-${provider.name}" />
-            	</c:forEach> 
-            </c:if>
+            </c:forEach>
 
-            <c:if test="${loginPageConfiguration.samlEnabled}">
-                
-                <!-- WAYF login button -->
-                <c:if test="${iamSamlProperties.wayfLoginButton.visible}">
-                  <t:loginButton href="/saml/login" btn="${iamSamlProperties.wayfLoginButton}"
-            cssClass="ext-authn-login-button" id="saml-login" />
-                </c:if>
-                
-                <!-- SAML login shortcuts -->
-                <c:forEach items="${iamSamlProperties.loginShortcuts}" var="ls">
-                  <c:if test="${ls.enabled}">
-                    <t:loginButton cssClass="ext-authn-login-button" href="/saml/login?idp=${ls.entityId}"
-              btn="${ls.loginButton}" id="saml-login-${ls.name}" />
-                  </c:if>
-                </c:forEach>
-            </c:if>
-            
             <c:if test="${loginPageConfiguration.showLinkToLocalAuthenticationPage and param.sll == null}">
                 <a class="btn btn-block btn-login" href="/login?sll=y">Local credentials</a>
             </c:if>
         </div>
-        
+
+        <c:if
+            test="${
+                (
+                    loginPageConfiguration.localAuthenticationVisible
+                    or param.sll != null
+                ) && !loginPageConfiguration.defaultLoginPageLayout
+            }"
+        >
+            <jsp:include page="login-form.jsp" />
+        </c:if>
 
         <c:if test="${loginPageConfiguration.registrationEnabled && loginPageConfiguration.showRegistrationButton}">
             
diff --git a/iam-login-service/src/main/webapp/resources/iam/css/iam.css b/iam-login-service/src/main/webapp/resources/iam/css/iam.css
index 28503cae3..2508b9319 100644
--- a/iam-login-service/src/main/webapp/resources/iam/css/iam.css
+++ b/iam-login-service/src/main/webapp/resources/iam/css/iam.css
@@ -66,7 +66,7 @@
 }
 
 #login-form {
-    padding-top: 1em;
+    padding-top: 2em;
     margin: 0 auto;
     max-width: 250px;
 }
@@ -684,3 +684,6 @@ body.skin-blue {
     border-bottom-right-radius: 5px;
 }
 
+.container-spacer {
+    padding-top: 1em !important;
+}

From a49d71f1ddd5871635d9a50969e1f9a191e01842 Mon Sep 17 00:00:00 2001
From: Sae126V <saitejav2021@gmail.com>
Date: Wed, 15 Nov 2023 08:15:00 +0000
Subject: [PATCH 2/4] Apply google style formatter

---
 .../iam/core/web/loginpage/DefaultLoginPageConfiguration.java   | 2 +-
 .../src/main/webapp/WEB-INF/views/iam/login-form.jsp            | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/DefaultLoginPageConfiguration.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/DefaultLoginPageConfiguration.java
index 850a5f094..044150624 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/DefaultLoginPageConfiguration.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/loginpage/DefaultLoginPageConfiguration.java
@@ -77,7 +77,7 @@ public void init() {
     showLinkToLocalAuthn = IamProperties.LocalAuthenticationLoginPageMode.HIDDEN_WITH_LINK
       .equals(iamProperties.getLocalAuthn().getLoginPageVisibility());
     defaultLoginPageLayout = IamProperties.LoginPageLayoutOptions.LOGIN_FORM
-      .equals(iamProperties.getLoginPageLayout().getSectionToBeDisplayedFirst());
+        .equals(iamProperties.getLoginPageLayout().getSectionToBeDisplayedFirst());
   }
 
   @Override
diff --git a/iam-login-service/src/main/webapp/WEB-INF/views/iam/login-form.jsp b/iam-login-service/src/main/webapp/WEB-INF/views/iam/login-form.jsp
index bfe91c528..8c253e693 100644
--- a/iam-login-service/src/main/webapp/WEB-INF/views/iam/login-form.jsp
+++ b/iam-login-service/src/main/webapp/WEB-INF/views/iam/login-form.jsp
@@ -34,6 +34,7 @@
       </c:otherwise>
     </c:choose>
   </div>
+
   <div class="form-group">
     <div class="input-group">
       <span class="input-group-addon">

From 5eae0b1ea4073fb3c3551accf07726d0e0ae0dcc Mon Sep 17 00:00:00 2001
From: Sae126V <saitejav2021@gmail.com>
Date: Thu, 16 Nov 2023 11:24:57 +0000
Subject: [PATCH 3/4] Provide support to configure external authn order

---
 iam-login-service/src/main/resources/application.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/iam-login-service/src/main/resources/application.yml b/iam-login-service/src/main/resources/application.yml
index 681cd9958..6ffe70d57 100644
--- a/iam-login-service/src/main/resources/application.yml
+++ b/iam-login-service/src/main/resources/application.yml
@@ -183,11 +183,8 @@ iam:
     enable: ${IAM_ACCOUNT_LINKING_ENABLE:true}
     
   login-page-layout:
-    section-to-be-displayed-first: ${IAM_LOGIN_LAYOUT_PRIMARY_CHOICE:LOGIN_FORM}
-    external-authn-order:
-      - x509
-      - oidc
-      - saml
+    section-to-be-displayed-first: ${IAM_LOGIN_PAGE_LAYOUT_SECTION_TO_DISPLAY_FIRST:LOGIN_FORM}
+    external-authn-order: ${IAM_LOGIN_EXTERNAL_AUTHN_ORDER:x509,oidc,saml}
 
 redis-cache:
   enabled: ${IAM_REDIS_CACHE_ENABLED:false}

From 8234f56ea27e86818eb1ffbad5645349323414e3 Mon Sep 17 00:00:00 2001
From: Sae126V <saitejav2021@gmail.com>
Date: Tue, 5 Dec 2023 11:42:02 +0000
Subject: [PATCH 4/4] Update checks to be consistent and simple

---
 .../main/webapp/WEB-INF/views/iam/login.jsp   | 30 +++++++++----------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp b/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp
index f238a0838..5920117bc 100644
--- a/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp
+++ b/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp
@@ -76,9 +76,9 @@
         <c:if
             test="${
                 (
-                    loginPageConfiguration.localAuthenticationVisible
-                    or param.sll != null
-                ) && loginPageConfiguration.defaultLoginPageLayout
+                  loginPageConfiguration.localAuthenticationVisible
+                  or param.sll != null
+                ) and loginPageConfiguration.defaultLoginPageLayout
             }"
         >
             <jsp:include page="login-form.jsp" />
@@ -87,9 +87,9 @@
         <c:if
             test="${
                 !loginPageConfiguration.defaultLoginPageLayout
-                || (
-                    !loginPageConfiguration.localAuthenticationVisible
-                    && (param.sll == null or !loginPageConfiguration.defaultLoginPageLayout)
+                or (
+                  !loginPageConfiguration.localAuthenticationVisible
+                  and param.sll == null
                 )
             }"
         >
@@ -104,13 +104,11 @@
                     <c:choose>
                         <c:when
                             test="${
-                                (
-                                    loginPageConfiguration.localAuthenticationVisible
-                                    && loginPageConfiguration.defaultLoginPageLayout
-                                ) || (
-                                    loginPageConfiguration.defaultLoginPageLayout
-                                    && param.sll != null
-                                )
+                              loginPageConfiguration.defaultLoginPageLayout
+                              and (
+                                loginPageConfiguration.localAuthenticationVisible
+                                or param.sll != null
+                              )
                             }"
                         >
                             Or sign in with
@@ -188,9 +186,9 @@
         <c:if
             test="${
                 (
-                    loginPageConfiguration.localAuthenticationVisible
-                    or param.sll != null
-                ) && !loginPageConfiguration.defaultLoginPageLayout
+                  loginPageConfiguration.localAuthenticationVisible
+                  or param.sll != null
+                ) and !loginPageConfiguration.defaultLoginPageLayout
             }"
         >
             <jsp:include page="login-form.jsp" />