Scope IDP list of invitation to the IdP which have access

Author: oharsta

server/src/main/java/invite/manage/LocalManage.java

@@ -1,8 +1,8 @@
 package invite.manage;
 
-import invite.exception.NotFoundException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import invite.exception.NotFoundException;
 import lombok.SneakyThrows;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -83,6 +83,23 @@ public Map<String, Object> providerById(EntityType entityType, String id) {
                 .orElseThrow(() -> new NotFoundException("Provider not found"));
     }
 
+    @Override
+    public List<String> idpEntityIdentifiersByServiceEntityId(List<String> serviceEntityIdentifiers) {
+        if (serviceEntityIdentifiers.isEmpty()) {
+            return emptyList();
+        }
+        List<Map<String, Object>> allIdentityProviders = this.providers(EntityType.SAML20_IDP);
+        return allIdentityProviders.stream()
+                .filter(idp -> {
+                    List<Map<String, String>> allowedEntities = (List<Map<String, String>>) idp.getOrDefault("allowedEntities", emptyList());
+                    return allowedEntities.stream()
+                            .map(entity -> entity.get("name"))
+                            .anyMatch(name -> serviceEntityIdentifiers.contains(name));
+                })
+                .map(idp -> (String) ((Map) idp.get("data")).get("entityid"))
+                .toList();
+    }
+
     @Override
     public List<Map<String, Object>> provisioning(Collection<String> applicationIdentifiers) {
         LOG.debug("provisioning for : " + applicationIdentifiers);
@@ -115,7 +132,6 @@ public List<Map<String, Object>> providersAllowedByIdPs(List<Map<String, Object>
                 .distinct()
                 .toList();
         return allProviders.stream().filter(provider -> entityIdentifiers.contains((String) provider.get("entityid"))).toList();
-
     }
 
     @Override

server/src/main/java/invite/manage/Manage.java

@@ -15,6 +15,8 @@ public interface Manage {
 
     Map<String, Object> providerById(EntityType entityType, String id);
 
+    List<String> idpEntityIdentifiersByServiceEntityId(List<String> serviceEntityIdentifiers);
+
     Optional<Map<String, Object>> providerByEntityID(EntityType entityType, String entityID);
 
     List<Map<String, Object>> providersByIdIn(EntityType entityType, List<String> identifiers);

server/src/main/java/invite/manage/RemoteManage.java

@@ -1,18 +1,13 @@
 package invite.manage;
 
-import com.fasterxml.jackson.core.type.TypeReference;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.client.support.BasicAuthenticationInterceptor;
 import org.springframework.util.CollectionUtils;
 import org.springframework.web.client.ResponseErrorHandler;
 import org.springframework.web.client.RestTemplate;
 
-import java.io.IOException;
 import java.util.*;
-import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import static java.util.Collections.emptyList;
@@ -43,7 +38,7 @@ public List<Map<String, Object>> providers(EntityType... entityTypes) {
 
     @Override
     public List<Map<String, Object>> providersByIdIn(EntityType entityType, List<String> identifiers) {
-        LOG.debug(String.format("providersByIdIn (%s) %s", entityType, identifiers.stream().collect(joining(") (", "(", ")"))));
+        LOG.debug(String.format("providersByIdIn (%s) %s", entityType, identifiers));
         if (CollectionUtils.isEmpty(identifiers)) {
             LOG.debug("No identifiers in providersByIdIn");
             return emptyList();
@@ -58,6 +53,27 @@ public List<Map<String, Object>> providersByIdIn(EntityType entityType, List<Str
         return transformProvider(providers);
     }
 
+    @Override
+    public List<String> idpEntityIdentifiersByServiceEntityId(List<String> serviceEntityIdentifiers) {
+        LOG.debug(String.format("idpEntityIdentifiersByServiceEntityId %s",
+                serviceEntityIdentifiers));
+        if (CollectionUtils.isEmpty(serviceEntityIdentifiers)) {
+            LOG.debug("No identifiers in idpEntityIdentifiersByServiceEntityId");
+            return emptyList();
+        }
+        Map<String, Object> body = Map.of(
+          "allowedEntities.name",serviceEntityIdentifiers,
+          "REQUESTED_ATTRIBUTES", List.of("entityid")
+        );
+        String manageUrl = String.format("%s/manage/api/internal/search/%s", url, EntityType.SAML20_IDP.collectionName());
+        List<Map<String, Object>> providers = restTemplate.postForObject(manageUrl, body, List.class);
+        if (providers != null) {
+            LOG.debug(String.format("Got %d results for idpEntityIdentifiersByServiceEntityId", providers.size()));
+        }
+        return providers.stream().map(m -> (String)((Map)m.get("data")).get("entityid")).toList();
+
+    }
+
     @Override
     public Optional<Map<String, Object>> providerByEntityID(EntityType entityType, String entityID) {
         LOG.debug(String.format("providerByEntityID (%s) %s", entityType, entityID));

server/src/main/java/invite/security/AuthorizationRequestCustomizer.java

@@ -1,5 +1,7 @@
 package invite.security;
 
+import invite.manage.Manage;
+import invite.model.ApplicationUsage;
 import invite.model.Authority;
 import invite.model.Invitation;
 import invite.repository.InvitationRepository;
@@ -10,17 +12,26 @@
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.function.Consumer;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 public class AuthorizationRequestCustomizer implements Consumer<OAuth2AuthorizationRequest.Builder> {
 
     private final InvitationRepository invitationRepository;
     private final String eduidEntityId;
+    private final Manage manage;
 
-    public AuthorizationRequestCustomizer(InvitationRepository invitationRepository, String eduidEntityId) {
+    public AuthorizationRequestCustomizer(InvitationRepository invitationRepository,
+                                          String eduidEntityId,
+                                          Manage manage) {
         this.invitationRepository = invitationRepository;
         this.eduidEntityId = eduidEntityId;
+        this.manage = manage;
     }
 
     @Override
@@ -41,8 +52,23 @@ public void accept(OAuth2AuthorizationRequest.Builder builder) {
             if (hash != null && hash.length == 1) {
                 Optional<Invitation> optionalInvitation = invitationRepository.findByHash(hash[0]);
                 optionalInvitation.ifPresent(invitation -> {
-                    if (invitation.isEduIDOnly() && invitation.getIntendedAuthority().equals(Authority.GUEST)) {
+                    boolean guestInvitation = invitation.getIntendedAuthority().equals(Authority.GUEST);
+                    if (invitation.isEduIDOnly() && guestInvitation) {
                         params.put("login_hint", eduidEntityId);
+                    } else if (!invitation.isEduIDOnly() && guestInvitation) {
+                        //Fetch all IdentityProviders that have one the manage role applications in their allowList
+                        // First, get all entity identifiers of the applications connected to the roles of the invitation
+                        List<String> entityIdentifiers = invitation.getRoles().stream()
+                                .map(role -> role.getRole().getApplicationUsages())
+                                .flatMap(Collection::stream)
+                                .map(applicationUsage -> applicationUsage.getApplication())
+                                .map(application -> manage.providerById(application.getManageType(), application.getManageId()))
+                                .map(provider -> (String) ((Map) provider.get("data")).get("entityid"))
+                                .distinct()
+                                .toList();
+                        //Now get all entityIdentifiers of the IdP's
+                        List<String> idpList = manage.idpEntityIdentifiersByServiceEntityId(entityIdentifiers);
+                        params.put("login_hint", idpList.stream().collect(Collectors.joining(",")));
                     }
                 });
             }

server/src/main/java/invite/security/SecurityConfig.java

@@ -61,6 +61,7 @@ public class SecurityConfig {
     private final ProvisioningService provisioningService;
     private final ExternalApiConfiguration externalApiConfiguration;
     private final Environment environment;
+    private final Manage manage;
 
     private final RequestHeaderRequestMatcher apiTokenRequestMatcher = new RequestHeaderRequestMatcher(API_TOKEN_HEADER);
 
@@ -73,7 +74,7 @@ public SecurityConfig(ClientRegistrationRepository clientRegistrationRepository,
                           @Value("${config.eduid-entity-id}") String eduidEntityId,
                           @Value("${oidcng.introspect-url}") String introspectionUri,
                           @Value("${oidcng.resource-server-id}") String clientId,
-                          @Value("${oidcng.resource-server-secret}") String secret) {
+                          @Value("${oidcng.resource-server-secret}") String secret, Manage manage) {
         this.clientRegistrationRepository = clientRegistrationRepository;
         this.invitationRepository = invitationRepository;
         this.provisioningService = provisioningService;
@@ -83,6 +84,7 @@ public SecurityConfig(ClientRegistrationRepository clientRegistrationRepository,
         this.secret = secret;
         this.externalApiConfiguration = externalApiConfiguration;
         this.environment = environment;
+        this.manage = manage;
     }
 
     @Configuration
@@ -182,7 +184,7 @@ private OAuth2AuthorizationRequestResolver authorizationRequestResolver(
                 new DefaultOAuth2AuthorizationRequestResolver(
                         clientRegistrationRepository, "/oauth2/authorization");
         authorizationRequestResolver.setAuthorizationRequestCustomizer(
-                new AuthorizationRequestCustomizer(invitationRepository, eduidEntityId));
+                new AuthorizationRequestCustomizer(invitationRepository, eduidEntityId, manage));
         return authorizationRequestResolver;
     }