Merge branch 'feature/#606-required-role-organization-guid'

Author: oharsta

client/src/api/index.js

@@ -240,8 +240,9 @@ export function generateToken() {
     return fetchJson("/api/v1/tokens/generate-token");
 }
 
-export function createToken(description) {
-    return postPutJson("/api/v1/tokens", {description: description}, "POST");
+export function createToken(description, organizationGUID) {
+    const body = {description: description, organizationGUID: organizationGUID};
+    return postPutJson("/api/v1/tokens", body, "POST");
 }
 
 export function deleteToken(token) {

client/src/tabs/Tokens.jsx

@@ -5,7 +5,7 @@ import {Entities} from "../components/Entities";
 import I18n from "../locale/I18n";
 import {Button, ButtonType, Checkbox, Loader} from "@surfnet/sds";
 import {useNavigate} from "react-router-dom";
-import {apiTokens, createToken, deleteToken, generateToken} from "../api";
+import {allIdentityProviders, apiTokens, createToken, deleteToken, generateToken} from "../api";
 import {dateFromEpoch} from "../utils/Date";
 import TrashIcon from "@surfnet/sds/icons/functional-icons/bin.svg";
 import ChevronLeft from "@surfnet/sds/icons/functional-icons/arrow-left-2.svg";
@@ -16,6 +16,7 @@ import ErrorIndicator from "../components/ErrorIndicator";
 import {isEmpty, stopEvent} from "../utils/Utils";
 import {Page} from "../components/Page";
 import {AUTHORITIES, highestAuthority} from "../utils/UserRole";
+import SelectField from "../components/SelectField";
 
 export const Tokens = () => {
     const {user, setFlash} = useAppStore(state => state);
@@ -31,6 +32,8 @@ export const Tokens = () => {
     const [initial, setInitial] = useState(true);
     const [confirmation, setConfirmation] = useState({});
     const [confirmationOpen, setConfirmationOpen] = useState(false);
+    const [identityProviders, setIdentityProviders] = useState([]);
+    const [organizationGUIDIdentityProvider, setOrganizationGUIDIdentityProvider] = useState({});
 
     const isGuest = authority === AUTHORITIES.GUEST;
 
@@ -43,6 +46,22 @@ export const Tokens = () => {
                 setDescription("");
                 setTokenValue(null);
                 setConfirmationOpen(false);
+                setInitial(true);
+                setDescription("");
+                setOrganizationGUIDIdentityProvider({});
+                //Now fetch all IdentityProviders for the superuser
+                if (user.superUser) {
+                    allIdentityProviders().then(idps => {
+                        const identityProviderOptions = idps
+                            .filter(idp => !isEmpty(idp.institutionGuid))
+                            .map(idp => ({
+                                value: idp.id,
+                                label: idp["name:en"],
+                                institutionGuid: idp.institutionGuid
+                            }))
+                        setIdentityProviders(identityProviderOptions);
+                    });
+                }
             });
     }, []);
 
@@ -70,11 +89,11 @@ export const Tokens = () => {
     };
 
     const submitNewToken = () => {
-        if (isEmpty(description)) {
+        if (isEmpty(description) || (user.superUser && isEmpty(organizationGUIDIdentityProvider))) {
             setInitial(false);
         } else {
             setLoading(true);
-            createToken(description).then(() => {
+            createToken(description, organizationGUIDIdentityProvider.institutionGuid).then(() => {
                 setFlash(I18n.t("tokens.createFlash"));
                 fetchTokens();
             });
@@ -84,18 +103,26 @@ export const Tokens = () => {
 
     const cancelSideScreen = e => {
         stopEvent(e);
+        setInitial(true);
         setNewToken(false);
+        setDescription("");
+        setOrganizationGUIDIdentityProvider({});
     }
 
     const createNewToken = () => {
         setLoading(true);
+        setInitial(true);
         generateToken().then(res => {
             setNewToken(true);
             setTokenValue(res.token);
             setLoading(false);
         });
     }
 
+    const changeOrganizationGUIDIdentityProvider = option => {
+        setOrganizationGUIDIdentityProvider(option);
+    }
+
     const renderNewToken = () => {
         return (
             <Page className={"page new-token"}>
@@ -125,12 +152,30 @@ export const Tokens = () => {
                     {(!initial && isEmpty(description)) && <ErrorIndicator
                         msg={I18n.t("tokens.required")}/>}
 
+                    {user.superUser &&
+                        <SelectField name={I18n.t("roles.identityProvider")}
+                                     toolTip={I18n.t("tooltips.roleIdentityProvider")}
+                                     value={identityProviders.find(idp => idp.value === organizationGUIDIdentityProvider.value)}
+                                     placeholder={I18n.t("roles.identityProviderPlaceholder")}
+                                     options={identityProviders}
+                                     onChange={changeOrganizationGUIDIdentityProvider}
+                                     searchable={true}
+                                     required={true}
+                        />}
+                    {(!initial && isEmpty(organizationGUIDIdentityProvider.institutionGuid) && user.superUser) &&
+                        <ErrorIndicator msg={I18n.t("forms.required", {
+                            attribute: I18n.t("roles.organizationGUID").toLowerCase()
+                        })}/>}
+                    {!isEmpty(organizationGUIDIdentityProvider.institutionGuid) &&
+                        <em className="info">{I18n.t("roles.organizationGUIDValue", {guid: organizationGUIDIdentityProvider.institutionGuid})}</em>}
+
                     <section className="actions">
                         <Button type={ButtonType.Secondary}
                                 txt={I18n.t("forms.cancel")}
                                 onClick={() => setNewToken(false)}/>
                         <Button txt={I18n.t("forms.save")}
-                                disabled={!initial && isEmpty(description)}
+                                disabled={!initial && (isEmpty(description) ||
+                                    (user.superUser && isEmpty(organizationGUIDIdentityProvider.institutionGuid)))}
                                 onClick={() => submitNewToken()}/>
                     </section>
                 </div>

server/src/main/java/invite/api/APITokenController.java

@@ -49,7 +49,7 @@ public ResponseEntity<List<APIToken>> apiTokensByInstitution(@Parameter(hidden =
         LOG.debug(String.format("GET /tokens for user %s", user.getEduPersonPrincipalName()));
         UserPermissions.assertAuthority(user, Authority.INVITER);
         List<APIToken> apiTokens = user.isSuperUser() ? apiTokenRepository.findAll() :
-                user.isInstitutionAdmin() ? apiTokenRepository.findByOrganizationGUID(user.getOrganizationGUID()) :
+                user.isInstitutionAdmin() ? apiTokenRepository.findByOrganizationGUIDAndSuperUserToken(user.getOrganizationGUID(), false) :
                         apiTokenRepository.findByOwner(user);
         return ResponseEntity.ok(apiTokens);
     }
@@ -75,10 +75,13 @@ public ResponseEntity<APIToken> create(@Validated @RequestBody APIToken apiToken
         if (!StringUtils.hasText(token)) {
             throw new UserRestrictionException();
         }
+        if (user.isSuperUser() && !StringUtils.hasText(apiTokenRequest.getOrganizationGUID())) {
+            throw new UserRestrictionException();
+        }
         APIToken apiToken;
         if (user.isSuperUser() || user.isInstitutionAdmin()) {
             apiToken = new APIToken(
-                    user.getOrganizationGUID(),
+                    user.isSuperUser() ? apiTokenRequest.getOrganizationGUID() : user.getOrganizationGUID(),
                     HashGenerator.hashToken(token),
                     user.isSuperUser(),
                     apiTokenRequest.getDescription(),

server/src/main/java/invite/api/RoleController.java

@@ -13,7 +13,6 @@
 import invite.repository.ApplicationRepository;
 import invite.repository.ApplicationUsageRepository;
 import invite.repository.RoleRepository;
-import invite.security.InstitutionAdmin;
 import invite.security.UserPermissions;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
@@ -156,15 +155,12 @@ public ResponseEntity<Role> newRole(@Validated @RequestBody RoleRequest roleRequ
                                         @Parameter(hidden = true) User user) {
         LOG.debug(String.format("POST /roles/ for user %s", user.getEduPersonPrincipalName()));
         UserPermissions.assertAuthority(user, Authority.INSTITUTION_ADMIN);
-        //For super_users we allow an organization GUID from the input form
-        Role role = new Role(roleRequest);
-        if (InstitutionAdmin.isInstitutionAdmin(user)) {
-            role.setOrganizationGUID(user.getOrganizationGUID());
-        } else if (user.isSuperUser()) {
-            role.setOrganizationGUID(roleRequest.getOrganizationGUID());
-        } else {
-            role.setOrganizationGUID(null);
+        //For super_users we require an organization GUID from the input form
+        if (user.isSuperUser() && !StringUtils.hasText(roleRequest.getOrganizationGUID())) {
+            throw new UserRestrictionException();
         }
+        Role role = new Role(roleRequest);
+        role.setOrganizationGUID(user.isSuperUser() ? roleRequest.getOrganizationGUID() : user.getOrganizationGUID());
         role.setShortName(GroupURN.sanitizeRoleShortName(roleRequest.getName()));
         role.setIdentifier(UUID.randomUUID().toString());
         role.setUrn(GroupURN.urnFromRole(this.groupUrnPrefix, role));

server/src/main/java/invite/internal/InternalInviteController.java

@@ -1,7 +1,9 @@
 package invite.internal;
 
 import invite.api.*;
+import invite.exception.InvalidInputException;
 import invite.exception.NotFoundException;
+import invite.exception.UserRestrictionException;
 import invite.logging.AccessLogger;
 import invite.logging.Event;
 import invite.mail.MailBox;
@@ -31,6 +33,7 @@
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.util.StringUtils;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
@@ -225,6 +228,14 @@ public ResponseEntity<Role> role(@PathVariable("id") Long id,
                                     )})})})
     public ResponseEntity<Role> newRole(@Validated @RequestBody RoleRequest roleRequest,
                                         @Parameter(hidden = true) @AuthenticationPrincipal RemoteUser remoteUser) {
+        if (!StringUtils.hasText(roleRequest.getOrganizationGUID())) {
+            roleRequest.setOrganizationGUID(remoteUser.getOrganizationGUIDFallback());
+        }
+        List<Map<String, Object>> providers = manage.identityProvidersByInstitutionalGUID(roleRequest.getOrganizationGUID());
+        if (providers.isEmpty()) {
+            throw new InvalidInputException("There is no identityProvider with InstitutionalGUID: "+remoteUser.getOrganizationGUIDFallback());
+        }
+
         Role role = new Role(roleRequest);
         role.setRemoteApiUser(remoteUser.getName());
 
@@ -246,7 +257,8 @@ public ResponseEntity<Role> updateRole(@Validated @RequestBody Role role,
                                            @Parameter(hidden = true) @AuthenticationPrincipal RemoteUser remoteUser) {
         LOG.debug(String.format("Update role '%s' by user %s", role.getName(), remoteUser.getName()));
 
-        return ResponseEntity.status(HttpStatus.CREATED).body(saveOrUpdate(role, remoteUser));
+        Role updatedRole = saveOrUpdate(role, remoteUser);
+        return ResponseEntity.status(HttpStatus.CREATED).body(updatedRole);
     }
 
     @DeleteMapping("/roles/{id}")

server/src/main/java/invite/repository/APITokenRepository.java

@@ -12,7 +12,7 @@
 @Repository
 public interface APITokenRepository extends JpaRepository<APIToken, Long> {
 
-    List<APIToken> findByOrganizationGUID(String organizationGUID);
+    List<APIToken> findByOrganizationGUIDAndSuperUserToken(String organizationGUID, boolean superUserToken);
 
     List<APIToken> findByOwner(User user);
 

server/src/main/java/invite/security/RemoteUser.java

@@ -26,6 +26,7 @@ public class RemoteUser implements UserDetails, CredentialsContainer, Provisiona
     private String username;
     private String password;
     private String displayName;
+    private String organizationGUIDFallback;
     private List<Scope> scopes = new ArrayList<>();
     private List<Application> applications = new ArrayList<>();
     private boolean localDevMode;
@@ -34,6 +35,7 @@ public RemoteUser(RemoteUser remoteUser) {
         this.username = remoteUser.username;
         this.password = remoteUser.password;
         this.displayName = remoteUser.displayName;
+        this.organizationGUIDFallback = remoteUser.organizationGUIDFallback;
         this.scopes = remoteUser.scopes;
         this.applications = remoteUser.applications;
         this.localDevMode = remoteUser.localDevMode;

server/src/main/java/invite/security/UserHandlerMethodArgumentResolver.java

@@ -76,11 +76,11 @@ public User resolveArgument(MethodParameter methodParameter,
             if (owner != null) {
                 apiUsers.add(apiToken.getOwner());
             } else {
-                //backward compatibility for tokens without an owner
-                if (apiToken.isSuperUserToken()) {
-                    apiUsers.addAll(userRepository.findBySuperUserTrue() );
-                } else if (StringUtils.hasText(organizationGUID)) {
+                //backward compatibility for tokens without an owner or superusers tokens without organizationGUID
+                if (StringUtils.hasText(organizationGUID)) {
                     apiUsers.addAll(userRepository.findByOrganizationGUIDAndInstitutionAdmin(organizationGUID, true));
+                } else if (apiToken.isSuperUserToken()) {
+                    apiUsers.addAll(userRepository.findBySuperUserTrue());
                 }
             }
             if (apiUsers.isEmpty()) {

server/src/main/resources/application.yml

@@ -158,6 +158,7 @@ external-api-configuration:
     - username: sp_dashboard
       displayName: "SP Dashboard"
       password: "secret"
+      organizationGUIDFallback: "ad93daef-0911-e511-80d0-005056956c1a"
       scopes:
         - sp_dashboard
       applications:
@@ -166,6 +167,7 @@ external-api-configuration:
     - username: access
       displayName: "Access"
       password: "secret"
+      organizationGUIDFallback: "5ede9c9b-3bbc-ea11-90fe-0050569571ea"
       scopes:
         - access
       applications:
@@ -174,6 +176,7 @@ external-api-configuration:
     - username: sp_dashboard_local_dev_mode
       displayName: "SP Dashboard"
       password: "secret"
+      organizationGUIDFallback: "ad93daef-0911-e511-80d0-005056956c1a"
       scopes:
         - sp_dashboard
       applications:

server/src/test/java/invite/api/APITokenControllerTest.java

@@ -8,6 +8,7 @@
 import io.restassured.common.mapper.TypeRef;
 import io.restassured.http.ContentType;
 import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpStatus;
 
 import java.util.List;
 import java.util.Map;
@@ -88,6 +89,54 @@ void create() throws Exception {
         assertEquals(HashGenerator.hashToken(token), apiTokenFromDB.getHashedValue());
     }
 
+    @Test
+    void createSuperUserToken() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/me", SUPER_SUB);
+        //First get the value, otherwise the creation will fail
+        given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .get("/api/v1/tokens/generate-token");
+
+        APIToken apiToken = given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .body(Map.of("description", "test", "organizationGUID", "super-users-rule"))
+                .post("/api/v1/tokens")
+                .as(new TypeRef<>() {
+                });
+        assertEquals("super-users-rule", apiToken.getOrganizationGUID());
+    }
+
+    @Test
+    void createSuperUserTokenWithoutOrganizationGUID() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/me", SUPER_SUB);
+        //First get the value, otherwise the creation will fail
+        given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .contentType(ContentType.JSON)
+                .get("/api/v1/tokens/generate-token");
+
+        given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .body(Map.of("description", "test", "organizationGUID", ""))
+                .post("/api/v1/tokens")
+                .then()
+                .statusCode(HttpStatus.FORBIDDEN.value());
+    }
+
     @Test
     void createWithFaultyToken() throws Exception {
         super.stubForManageProvidersAllowedByIdP(ORGANISATION_GUID);