Merge branch 'feature/validated-eduID-574'

Author: oharsta

client/src/api/index.js

@@ -163,6 +163,14 @@ export function allProviders() {
     return fetchJson("/api/v1/manage/providers");
 }
 
+export function eduidIdentityProvider() {
+    return fetchJson("/api/v1/manage/eduid-identity-provider");
+}
+
+export function requestedAuthnContextValues() {
+    return fetchJson("/api/v1/manage/requested-authn-context-values");
+}
+
 export function allApplications() {
     return fetchJson("/api/v1/manage/applications")
 }

client/src/components/SelectField.jsx

@@ -9,10 +9,11 @@ export default function SelectField({
                                         onChange, name, value, options, placeholder = "", disabled = false,
                                         toolTip = null, searchable = false, small = false,
                                         clearable = false, isMulti = false, creatable = false,
-                                        onInputChange = null, required = false
+                                        onInputChange = null, required = false, className = "",
+                                        children
                                     }) {
     return (
-        <div className="select-field">
+        <div className={`select-field ${className}`}>
             <label htmlFor={name}>{name}{required && <sup className="required">*</sup>}
                 {toolTip && <Tooltip tip={toolTip}/>}
             </label>
@@ -42,6 +43,7 @@ export default function SelectField({
                 isSearchable={searchable}
                 isClearable={clearable}
             />}
+            {children && children}
         </div>
     );
 }

client/src/components/SelectField.scss

@@ -25,11 +25,10 @@
         border: 1px solid var(--sds--color--gray--300);
         border-radius: vars.$br;
         font-size: 16px;
-        min-height: 48px;
+        height: 48px;
 
         &.creatable {
-            height: auto;
-            min-height: 48px;
+            height: 48px;
         }
 
         .select-inner__control {
@@ -43,13 +42,17 @@
             outline: none;
             box-shadow: 3px 3px 3px var(--sds--color--blue--200), -3px -3px 1px var(--sds--color--blue--200);
             border: 1px solid var(--sds--color--gray--300) !important;
+            height: 48px;
         }
 
         &[disabled] {
             background-color: vars.$background;
             cursor: not-allowed;
         }
 
+        .select-inner__indicators {
+            cursor: pointer;
+        }
     }
 
     .select-inner__single-value--is-disabled {

client/src/components/SwitchField.scss

@@ -2,10 +2,10 @@
     display: flex;
 
     margin-top: 20px;
-    padding-bottom: 10px;
 
     &:not(.last) {
         border-bottom: 1px solid var(--sds--color--gray--200);
+        padding-bottom: 10px;
     }
 
     align-items: center;

client/src/locale/en.js

@@ -1,4 +1,4 @@
-    const en = {
+const en = {
     code: "EN",
     name: "English",
     select_locale: "Change language to English",
@@ -244,6 +244,11 @@
         expired: "Expired",
         enforceEmailEquality: "Email equality",
         eduIDOnly: "eduID only",
+        requestedAuthnContext: "ACR value",
+        requestedAuthnContextPlaceHolder: "Choose a ACR value for user stepup...",
+        requestedAuthnContextWarning: "To enforce the selected ACR also on the application(s) {{applications}} associated " +
+            "with the role(s) {{roles}}, additional configuration is needed on the eduID identity provider. " +
+            "Please contact <a href=\"mailto:support@surfconext.nl\">support@surfconext.nl</a> to request this change.",
         new: "Invite role manager or inviter",
         newInvitation: "Invite inviter",
         newInvite: "New invite",
@@ -421,6 +426,7 @@
         defaultExpiryDays: "The default number of days the role will expire, from the moment a user has accepted the invitation for this role",
         enforceEmailEqualityTooltip: "When checked the invitee must accept the invitation with an account with the email address where the invitation was sent to",
         eduIDOnlyTooltip: "When checked the invitees will be required to log in with eduID",
+        requestedAuthnContextTooltip: "The user will be forced to step up the authentication when logging in with eduID with the specified ARC",
         roleExpiryDateTooltip: "The end date of this role. After this date the role is removed from the user.",
         expiryDateTooltip: "The date on which this invitation expires",
         inviterDisplayName: "The functional address which will used in the invitations of the role.<br><br>Default the name of the inviter is show.",
@@ -529,6 +535,13 @@
         title: "Roles to be expired the next month",
         searchPlaceHolder: "Zoek...",
         noResults: "Yeah, no user-roles to be expired within one month"
+    },
+    requestedAuthnContext: {
+        EduIDLinkedInstitution: "EduID linked institution",
+        EduIDValidatedName: "EduID validated name",
+        ValidateNamesExternal: "EduID validated name by an external (non institutional) source",
+        EduIDRequireStudentAffiliation: "EduID required student affiliation",
+        TransparentAuthnContext: "Application provides ACR value"
     }
 }
 

client/src/locale/nl.js

@@ -244,6 +244,11 @@ const nl = {
         expired: "Verlopen",
         enforceEmailEquality: "E-mailadres moet overeenkomen",
         eduIDOnly: "Uitsluitend eduID",
+        requestedAuthnContext: "ACR waarde",
+        requestedAuthnContextPlaceHolder: "Kies een ACR waarde voor de gebruiker stepup...",
+        requestedAuthnContextWarning: "Om de geselecteerde ACR ook af te dwingen op de applicatie(s) {{applications}} " +
+            "die gekoppeld zijn aan de rol(len) {{roles}}, is aanvullende configuratie nodig voor de eduID-identiteitsprovider. " +
+            "Neem contact op met <a href=\"mailto: support@surfconext.nl\">support@surfconext.nl</a> om deze wijziging aan te vragen.",
         new: "Nodig rolmanager of uitnodiger uit",
         newInvitation: "Nodig uitnodiger uit",
         newInvite: "Nieuwe uitnodiging",
@@ -421,6 +426,7 @@ const nl = {
         defaultExpiryDays: "Het standaardaantal dagen waarna de rol verloopt, gerekend vanaf het moment dat de gebruiker de uitnodiging voor de rol accepteert.",
         enforceEmailEqualityTooltip: "Indien ingeschakeld moet de genodigde de uitnodiging accepteren met een account dat hetzelfde e-mailadres voert als waarheen deze uitnodiging gestuurd is",
         eduIDOnlyTooltip: "Indien ingeschakeld moeten de genodigden eduID gebruiken om in te loggen bij het accepteren",
+        requestedAuthnContextTooltip: "De gebruiker wordt gedwongen de authenticatie te verhogen bij het inloggen met eduID met de opgegeven ARC",
         roleExpiryDateTooltip: "De einddatum van deze rol. Na deze datum wordt de rol verwijderd bij de gebruiker.",
         expiryDateTooltip: "De datum waarop deze uitnodiging verloopt",
         inviterDisplayName: "De specifieke naam van de uitnodiger zal worden getoond in de uitnodiging.<br><br>Standaard tonen we de naam van de daadwerkelijke uitnodiger.",
@@ -529,7 +535,15 @@ const nl = {
         title: "Roles to be expired the next month",
         searchPlaceHolder: "Zoek...",
         noResults: "Yeah, no user-roles to be expired within one month"
+    },
+    requestedAuthnContext: {
+        EduIDLinkedInstitution: "EduID gekoppelde instelling",
+        EduIDValidatedName: "EduID gevalideerde naam",
+        ValidateNamesExternal: "EduID gevalideerde naam bij een externe (niet institutioneel) bron",
+        EduIDRequireStudentAffiliation: "EduID verplicht student affiliation",
+        TransparentAuthnContext: "Application levert zelf ACR waarde"
     }
+
 }
 
 export default nl;

client/src/pages/InvitationForm.jsx

@@ -13,26 +13,38 @@ import {
 import UserIcon from "@surfnet/sds/icons/functional-icons/id-2.svg";
 import UpIcon from "@surfnet/sds/icons/functional-icons/arrow-up-2.svg";
 import DownIcon from "@surfnet/sds/icons/functional-icons/arrow-down-2.svg";
-import {newInvitation, organizationGUIDValidation, rolesByApplication} from "../api";
+import WarningIcon from "@surfnet/sds/icons/functional-icons/alert-triangle.svg";
+import {
+    eduidIdentityProvider,
+    newInvitation,
+    organizationGUIDValidation,
+    requestedAuthnContextValues,
+    rolesByApplication
+} from "../api";
 import {Button, ButtonType, Loader, Tooltip} from "@surfnet/sds";
 import "./InvitationForm.scss";
 import {UnitHeader} from "../components/UnitHeader";
 import InputField from "../components/InputField";
-import {isEmpty, stopEvent} from "../utils/Utils";
+import {isEmpty, splitListSemantically, stopEvent} from "../utils/Utils";
 import ErrorIndicator from "../components/ErrorIndicator";
 import SelectField from "../components/SelectField";
 import {DateField} from "../components/DateField";
 import EmailField from "../components/EmailField";
 import {displayExpiryDate, futureDate} from "../utils/Date";
 import SwitchField from "../components/SwitchField";
 import {InvitationRoleCard} from "../components/InvitationRoleCard";
+import DOMPurify from "dompurify";
+
 
 export const InviterContainer = ({isInviter, children}) => {
     return isInviter ?
         <div className="inviter-wrapper">{children}</div> : <>{children}</>
 
 }
 
+const requestedAuthnContextOptions = Object.entries(I18n.translations[I18n.locale].requestedAuthnContext)
+    .map(arr => ({value: arr[0], label: arr[1]}));
+
 export const InvitationForm = () => {
     const location = useLocation();
     const navigate = useNavigate();
@@ -59,6 +71,8 @@ export const InvitationForm = () => {
     const [customExpiryDate, setCustomExpiryDate] = useState(false);
     const [customRoleExpiryDate, setCustomRoleExpiryDate] = useState(false);
     const [initial, setInitial] = useState(true);
+    const [eduIDIdP, setEduIDIdP] = useState(null);
+    const [acrValues, setACRValues] = useState({});
     const [language, setLanguage] = useState(I18n.locale === "en" ? languageOptions[0] : languageOptions[1]);
     const required = ["intendedAuthority", "invites"];
 
@@ -158,7 +172,7 @@ export const InvitationForm = () => {
         return required.every(attr => !isEmpty(invitation[attr])) &&
             (!isEmpty(selectedRoles) || [AUTHORITIES.SUPER_USER, AUTHORITIES.INSTITUTION_ADMIN].includes(invitation.intendedAuthority))
             && (invitation.intendedAuthority !== AUTHORITIES.INSTITUTION_ADMIN || !user.superUser || validOrganizationGUID)
-        && !(user.superUser && invitation.intendedAuthority === AUTHORITIES.INSTITUTION_ADMIN && isEmpty(invitation.organizationGUID))
+            && !(user.superUser && invitation.intendedAuthority === AUTHORITIES.INSTITUTION_ADMIN && isEmpty(invitation.organizationGUID))
     }
 
     const addEmails = emails => {
@@ -196,6 +210,21 @@ export const InvitationForm = () => {
         }
     }
 
+    const eduIDOnlyChanged = val => {
+        const requestedAuthnContext = val ? invitation.requestedAuthnContext : null;
+        setInvitation({...invitation, eduIDOnly: val, requestedAuthnContext: requestedAuthnContext})
+    }
+
+    const requestedAuthnContextChanged = option => {
+        setInvitation({...invitation, requestedAuthnContext: option ? option.value : null});
+        if (option && isEmpty(eduIDIdP)) {
+            Promise.all([eduidIdentityProvider(), requestedAuthnContextValues()]).then(res => {
+                setEduIDIdP(res[0]);
+                setACRValues(res[1])
+            });
+        }
+    }
+
     const rolesChanged = selectedOptions => {
         if (selectedOptions === null) {
             setSelectedRoles([])
@@ -205,13 +234,17 @@ export const InvitationForm = () => {
             let intendedAuthority = invitation.intendedAuthority;
             //If the chosen authority is no longer allowed, then change it
             if (!allowedAuthorities.includes(invitation.intendedAuthority)) {
-               intendedAuthority = allowedAuthorities[0];
+                intendedAuthority = allowedAuthorities[0];
             }
             const newSelectedOptions = Array.isArray(selectedOptions) ? [...selectedOptions] : [selectedOptions];
             setSelectedRoles(newSelectedOptions);
-            const enforceEmailEquality = newSelectedOptions.some(role => role.enforceEmailEquality);
-            const eduIDOnly = newSelectedOptions.some(role => role.eduIDOnly);
-
+            const overrideSettingsAllowed = selectedRoles.every(role => role.overrideSettingsAllowed);
+            let enforceEmailEquality = invitation.enforceEmailEquality;
+            let eduIDOnly = invitation.eduIDOnly;
+            if (!overrideSettingsAllowed) {
+                enforceEmailEquality = newSelectedOptions.some(role => role.enforceEmailEquality) || enforceEmailEquality;
+                eduIDOnly = newSelectedOptions.some(role => role.eduIDOnly) || eduIDOnly;
+            }
             setInvitation({
                 ...invitation,
                 intendedAuthority: intendedAuthority,
@@ -222,6 +255,37 @@ export const InvitationForm = () => {
         }
     }
 
+    const renderACRWarnings = () => {
+        if (isEmpty(invitation.requestedAuthnContext) || isEmpty(eduIDIdP) || isEmpty(selectedRoles)) {
+            return null;
+        }
+        //Filter out the roles that are linked to applications that are not present in the mfaEntities of the eduIDIdp
+        //or where the MFA level does not equal the requestedAuthnContext. If the requestedAuthnContext === TransparentAuthnContext,
+        //then we skip the warning
+        const mfaEntities = eduIDIdP.mfaEntities;
+        const acrValue = acrValues[invitation.requestedAuthnContext];
+        const missingEntities = selectedRoles.reduce((acc, role) => {
+            const missingMfaApps = role.applicationMaps
+                .filter(app => {
+                    const mfa = mfaEntities.find(mfa => mfa.name === app.entityid);
+                    return isEmpty(mfa) || (mfa.level !== acrValue && mfa.level !== acrValues.TransparentAuthnContext);
+                });
+            if (!isEmpty(missingMfaApps)) {
+                acc.applications = acc.applications.concat(missingMfaApps.map(app => app[`name:${I18n.locale}`] || app["name:en"]));
+                acc.roles.push(role.name)
+            }
+            return acc;
+        }, {applications: [], roles: []})
+        if (isEmpty(missingEntities.roles)) {
+            return null;
+        }
+        const roleNames = splitListSemantically(missingEntities.roles, I18n.t("forms.and"));
+        const applicationNames = splitListSemantically(missingEntities.applications, I18n.t("forms.and"));
+        const html = DOMPurify.sanitize(I18n.t("invitations.requestedAuthnContextWarning",
+            {roles: roleNames, applications: applicationNames}));
+        return <p className="warning" dangerouslySetInnerHTML={{__html: html}}/>
+    }
+
     const authorityChanged = option => {
         setInvitation({
             ...invitation,
@@ -397,11 +461,26 @@ export const InvitationForm = () => {
                             {overrideSettingsAllowed &&
                                 <SwitchField name={"eduIDOnly"}
                                              value={invitation.eduIDOnly || false}
-                                             onChange={val => setInvitation({...invitation, eduIDOnly: val})}
+                                             onChange={eduIDOnlyChanged}
                                              label={I18n.t("invitations.eduIDOnly")}
                                              info={I18n.t("tooltips.eduIDOnlyTooltip")}
+                                             last={invitation.eduIDOnly}
                                 />}
 
+                            {(overrideSettingsAllowed && invitation.eduIDOnly) &&
+                                <SelectField
+                                    value={requestedAuthnContextOptions.find(option => option.value === invitation.requestedAuthnContext)}
+                                    options={requestedAuthnContextOptions}
+                                    className={"requested-authn-context"}
+                                    name={I18n.t("invitations.requestedAuthnContext")}
+                                    toolTip={I18n.t("tooltips.requestedAuthnContextTooltip")}
+                                    placeholder={I18n.t("invitations.requestedAuthnContextPlaceHolder")}
+                                    clearable={true}
+                                    onChange={requestedAuthnContextChanged}
+                                >
+                                    {renderACRWarnings()}
+                                </SelectField>}
+
                             {(invitation.intendedAuthority !== AUTHORITIES.GUEST && !isInviter &&
                                     !skipRoles) &&
                                 <SwitchField name={"guestRoleIncluded"}
@@ -410,6 +489,7 @@ export const InvitationForm = () => {
                                              label={I18n.t("invitations.guestRoleIncluded")}
                                              info={I18n.t("tooltips.guestRoleIncludedTooltip")}
                                 />
+
                             }
                             {(overrideSettingsAllowed && !skipRoles) &&
                                 <SwitchField name={"roleExpiryDate"}

client/src/pages/InvitationForm.scss

@@ -38,11 +38,25 @@
             grid-column-start: first;
         }
 
+        .advanced-settings-container {
+            .select-field.requested-authn-context {
+                margin-top: 0;
+                padding-bottom: 20px;
+                border-bottom: 1px solid var(--sds--color--gray--200);
+            }
+        }
+
         p.info {
             grid-column-start: first;
             margin-top: 4px;
         }
 
+        p.warning {
+            margin-top: 14px;
+            color: var(--sds--color--orange--500);
+
+        }
+
         .inviter-wrapper {
             margin-top: 25px;
             padding: 25px 155px 25px 25px;

server/src/main/java/invite/api/InvitationOperations.java

@@ -88,6 +88,7 @@ public ResponseEntity<InvitationResponse> sendInvitation(InvitationRequest invit
                         invite.getEmail(),
                         invitationRequest.isEnforceEmailEquality(),
                         invitationRequest.isEduIDOnly(),
+                        invitationRequest.getRequestedAuthnContext(),
                         invitationRequest.isGuestRoleIncluded(),
                         invitationRequest.getMessage(),
                         invitationRequest.getLanguage(),