indigo-iam · enricovianello · Jul 17, 2024 · Jul 22, 2024 · Jul 25, 2024 · Jul 25, 2024
diff --git a/iam-login-service/pom.xml b/iam-login-service/pom.xml
@@ -36,10 +36,13 @@
     <test-clock.version>1.0.2</test-clock.version>
     <eclipselink.version>2.7.9</eclipselink.version>
     <javax.persistence.version>2.2.1</javax.persistence.version>
+    <commons-collections.version>3.2.2</commons-collections.version>
 
     <!-- Sonar Jacoco massaging -->
     <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
     <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
+
+    <start-class>it.infn.mw.iam.IamLoginService</start-class>
   </properties>
 
   <dependencies>
@@ -191,6 +194,11 @@
       <version>${eclipselink.version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>org.flywaydb</groupId>
+      <artifactId>flyway-mysql</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>io.rest-assured</groupId>
       <artifactId>rest-assured</artifactId>
@@ -310,9 +318,19 @@
           <groupId>xml-apis</groupId>
           <artifactId>xml-apis</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>commons-collections</groupId>
+          <artifactId>commons-collections</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
+    <dependency>
+      <groupId>commons-collections</groupId>
+      <artifactId>commons-collections</artifactId>
+      <version>${commons-collections.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-test</artifactId>

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/user/DefaultIamAccountService.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/user/DefaultIamAccountService.java
@@ -68,10 +68,12 @@
 import it.infn.mw.iam.persistence.model.IamOidcId;
 import it.infn.mw.iam.persistence.model.IamSamlId;
 import it.infn.mw.iam.persistence.model.IamSshKey;
+import it.infn.mw.iam.persistence.model.IamTotpMfa;
 import it.infn.mw.iam.persistence.model.IamX509Certificate;
 import it.infn.mw.iam.persistence.repository.IamAccountRepository;
 import it.infn.mw.iam.persistence.repository.IamAuthoritiesRepository;
 import it.infn.mw.iam.persistence.repository.IamGroupRepository;
+import it.infn.mw.iam.persistence.repository.IamTotpMfaRepository;
 import it.infn.mw.iam.persistence.repository.client.IamAccountClientRepository;
 
 @Service
@@ -89,13 +91,14 @@ public class DefaultIamAccountService implements IamAccountService, ApplicationE
   private final NotificationFactory notificationFactory;
   private final IamProperties iamProperties;
   private final DefaultIamGroupService iamGroupService;
+  private final IamTotpMfaRepository totpMfaRepository;
 
   public DefaultIamAccountService(Clock clock, IamAccountRepository accountRepo,
       IamGroupRepository groupRepo, IamAuthoritiesRepository authoritiesRepo,
       PasswordEncoder passwordEncoder, ApplicationEventPublisher eventPublisher,
       OAuth2TokenEntityService tokenService, IamAccountClientRepository accountClientRepo,
       NotificationFactory notificationFactory, IamProperties iamProperties,
-      DefaultIamGroupService iamGroupService) {
+      DefaultIamGroupService iamGroupService, IamTotpMfaRepository totpMfaRepository) {
 
     this.clock = clock;
     this.accountRepo = accountRepo;
@@ -108,6 +111,7 @@ public DefaultIamAccountService(Clock clock, IamAccountRepository accountRepo,
     this.notificationFactory = notificationFactory;
     this.iamProperties = iamProperties;
     this.iamGroupService = iamGroupService;
+    this.totpMfaRepository = totpMfaRepository;
   }
 
   private void labelSetEvent(IamAccount account, IamLabel label) {
@@ -212,6 +216,13 @@ protected void removeClientLinks(IamAccount account) {
 
   }
 
+  protected void deleteMfaSecretsForAccount(IamAccount account) {
+
+    Optional<IamTotpMfa> totpMfa = totpMfaRepository.findByAccount(account);
+    if (totpMfa.isPresent()) {
+      totpMfaRepository.delete(totpMfa.get());
+    }
+  }
 
   protected void deleteTokensForAccount(IamAccount account) {
 
@@ -233,6 +244,7 @@ protected void deleteTokensForAccount(IamAccount account) {
   @Override
   public IamAccount deleteAccount(IamAccount account) {
     checkNotNull(account, "cannot delete a null account");
+    deleteMfaSecretsForAccount(account);
     deleteTokensForAccount(account);
     removeClientLinks(account);
     accountRepo.delete(account);

diff --git a/iam-login-service/src/main/resources/application-h2.yml b/iam-login-service/src/main/resources/application-h2.yml
@@ -30,7 +30,9 @@ spring:
 
   datasource:
     type: org.h2.jdbcx.JdbcDataSource
-    url: jdbc:h2:mem:iam;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1
+    # Added MODE=LEGACY
+    # Read more here: https://stackoverflow.com/questions/73067624/function-identity-not-found-when-inserting-audited-revision-using-hibernate-en
+    url: jdbc:h2:mem:iam;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;MODE=LEGACY;
     username: sa
     password:
 

diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/db_upgrade/Upgradev1_7_0DbTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/db_upgrade/Upgradev1_7_0DbTests.java
@@ -19,6 +19,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.boot.SpringApplication;
@@ -31,6 +32,7 @@
 import it.infn.mw.iam.test.util.db.MySQL80TestContainer;
 
 @Testcontainers(disabledWithoutDocker = true)
+@Disabled("MySQL 5.7 no more supported")
 public class Upgradev1_7_0DbTests extends UpgradeDbTestSupport {
 
   public static final String DB_DUMP = "iam-v1.7.0-mysql5.7.sql";

diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/db_upgrade/Upgradev1_7_2Db57Tests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/db_upgrade/Upgradev1_7_2Db57Tests.java
@@ -20,6 +20,7 @@
 
 import java.io.IOException;
 
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
@@ -40,6 +41,7 @@
 @Transactional
 @ActiveProfiles({"mysql-test", "flyway-repair"})
 @DirtiesContext
+@Disabled("MySQL 5.7 no more supported")
 public class Upgradev1_7_2Db57Tests extends UpgradeDbTestSupport {
 
   public static final String DB_DUMP = "iam-v1.7.2-mysql5.7.sql";

diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/service/IamAccountServiceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/IamAccountServiceTests.java
@@ -79,6 +79,7 @@
 import it.infn.mw.iam.persistence.repository.IamAccountRepository;
 import it.infn.mw.iam.persistence.repository.IamAuthoritiesRepository;
 import it.infn.mw.iam.persistence.repository.IamGroupRepository;
+import it.infn.mw.iam.persistence.repository.IamTotpMfaRepository;
 import it.infn.mw.iam.persistence.repository.client.IamAccountClientRepository;
 
 @RunWith(MockitoJUnitRunner.class)
@@ -115,6 +116,9 @@ public class IamAccountServiceTests extends IamAccountServiceTestSupport {
   @Mock
   private NotificationFactory notificationFactory;
 
+  @Mock
+  private IamTotpMfaRepository totpMfaRepository;
+
   private Clock clock = Clock.fixed(NOW, ZoneId.systemDefault());
 
   private DefaultIamAccountService accountService;
@@ -147,9 +151,11 @@ public void setup() {
     when(authoritiesRepo.findByAuthority("ROLE_USER")).thenReturn(Optional.of(ROLE_USER_AUTHORITY));
     when(passwordEncoder.encode(any())).thenReturn(PASSWORD);
     when(iamProperties.getRegistration()).thenReturn(registrationProperties);
+    when(totpMfaRepository.findByAccount(any())).thenReturn(Optional.empty());
 
     accountService = new DefaultIamAccountService(clock, accountRepo, groupRepo, authoritiesRepo,
-        passwordEncoder, eventPublisher, tokenService, accountClientRepo, notificationFactory, iamProperties, iamGroupService);
+        passwordEncoder, eventPublisher, tokenService, accountClientRepo, notificationFactory,
+        iamProperties, iamGroupService, totpMfaRepository);
   }
 
   @Test(expected = NullPointerException.class)

diff --git a/iam-persistence/src/main/java/it/infn/mw/iam/persistence/migrations/RemoveOrphanTokens.java b/iam-persistence/src/main/java/it/infn/mw/iam/persistence/migrations/RemoveOrphanTokens.java
@@ -43,16 +43,16 @@ public class RemoveOrphanTokens implements SpringJdbcFlywayMigration {
   public void migrate(JdbcTemplate jdbcTemplate) throws DataAccessException {
 
     int updateResult = jdbcTemplate.update(DELETE_ACCESS_TOKENS_OF_DELETED_USERS);
-    LOG.info("Removed {} access tokens owned by deleted users", updateResult);
+    LOG.debug("Removed {} access tokens owned by deleted users", updateResult);
 
     updateResult = jdbcTemplate.update(DELETE_REFRESH_TOKENS_OF_DELETED_USERS);
-    LOG.info("Removed {} refresh tokens owned by deleted users", updateResult);
+    LOG.debug("Removed {} refresh tokens owned by deleted users", updateResult);
 
     updateResult = jdbcTemplate.update(DELETE_ACCESS_TOKENS_WITH_INVALID_AUTH_HOLDER);
-    LOG.info("Removed {} access tokens with invalid authentication holder", updateResult);
+    LOG.debug("Removed {} access tokens with invalid authentication holder", updateResult);
 
     updateResult = jdbcTemplate.update(DELETE_REFRESH_TOKENS_WITH_INVALID_AUTH_HOLDER);
-    LOG.info("Removed {} refresh tokens with invalid authentication holder", updateResult);
+    LOG.debug("Removed {} refresh tokens with invalid authentication holder", updateResult);
   }
 
 }
diff --git a/...ce/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationAttribute.java b/...ce/src/main/java/it/infn/mw/iam/persistence/model/IamExternalAuthenticationAttribute.java