Bugfix for connection request for guest user from eduID

Author: oharsta

client/src/locale/en.js

@@ -1040,10 +1040,10 @@ const en = {
             all: "Iedereen van de {{orgName}} heeft direct automatisch toegang",
             some: "Pas toegangsregels toe"
         },
-        memberRequestInfo: [
-            "Om een applicatie gekoppelde te krijgen met het SURF Access platform, moet akkoord gegeven worden worden door de SURF Access Verantwoordelijke van de {{orgName}}.",
-            "Geef hieronder aan waarom je deze applicatie geactiveerd wil hebben. Wij versturen het bericht naar hem of haar, je ontvangt zelf ook een kopie."
-        ],
+        memberRequestInfo: {
+            info:"Om een applicatie gekoppelde te krijgen met het SURF Access platform, moet akkoord gegeven worden worden door de SURF Access Verantwoordelijke van de {{orgName}} organisatie.",
+            subInfo:"Geef hieronder aan waarom je deze applicatie geactiveerd wil hebben. Wij versturen het bericht naar hem of haar, je ontvangt zelf ook een kopie."
+        },
         messagePlaceholder: "Your message",
         sendMessage: "Send message",
         flash: {

client/src/pages/ApplicationDetail.jsx

@@ -56,12 +56,13 @@ const confirmationModalOptions = {
 
 const ApplicationDetail = ({anonymous, refreshUser}) => {
 
-    const {arp, privacy, user, config, setFlash} = useAppStore(useShallow(state => ({
+    const {arp, privacy, user, config, setFlash, currentOrganization} = useAppStore(useShallow(state => ({
         arp: state.arp,
         privacy: state.privacy,
         user: state.user,
         config: state.config,
-        setFlash: state.setFlash
+        setFlash: state.setFlash,
+        currentOrganization: state.currentOrganization
     })));
 
     const navigate = useNavigate();
@@ -118,7 +119,7 @@ const ApplicationDetail = ({anonymous, refreshUser}) => {
                     return;
                 }
                 //See if this application is already connected
-                const { isAccessible, isReadOnly } = deriveAccess(user, res.data.entityid);
+                const {isAccessible, isReadOnly} = deriveAccess(user, res.data.entityid);
                 const adminUser = isAdmin(user, authorities);
                 setAccessible(isAccessible);
                 setIsAdminUser(adminUser);
@@ -245,10 +246,11 @@ const ApplicationDetail = ({anonymous, refreshUser}) => {
             return (
                 <div className="connect-options-container">
                     <h3>{I18n.t("applicationConnect.requestMember")}</h3>
-                    {I18n.translations[I18n.locale].applicationConnect.memberRequestInfo
-                        .map((info, index) =>
-                            <p key={index} dangerouslySetInnerHTML={{__html: info}}/>
-                        )}
+                    <p dangerouslySetInnerHTML={{
+                        __html: I18n.t("applicationConnect.memberRequestInfo.info",
+                            {orgName: currentOrganization.name})
+                    }}/>
+                    <p dangerouslySetInnerHTML={{__html: I18n.t("applicationConnect.memberRequestInfo.subInfo")}}/>
                     <InputField multiline={true}
                                 displayLabel={false}
                                 value={message}
@@ -278,6 +280,7 @@ const ApplicationDetail = ({anonymous, refreshUser}) => {
 
     const cancelConnectionRequest = (withConfirmation, e) => {
         stopEvent(e);
+        setConfirmationModalOption(null);
         if (withConfirmation) {
             setConfirmation({
                 open: true,
@@ -315,10 +318,11 @@ const ApplicationDetail = ({anonymous, refreshUser}) => {
         } else {
             cancelConfirmation();
             setLoading(true);
+            const manageIdentifierOrg = user.identityProvider?.id || currentOrganization.manageIdentifier;
             connectServiceProviderToIdentityProvider(
                 serviceProvider.id,
                 serviceProvider.type,
-                user.identityProvider.id,
+                manageIdentifierOrg,
                 message)
                 .then(() => {
                     if (confirmationModalOption === confirmationModalOptions.requestConnectionByMember) {

client/src/pages/MyOrganization.jsx

@@ -42,6 +42,7 @@ const MyOrganization = ({refreshUser}) => {
     const [section, setSection] = useState(externalUser ? sections.general : sections.contactPersons);
     const [focusedId, setFocusedId] = useState(null);
     const [initial, setInitial] = useState(true);
+    const [originalOrganizationName, setOriginalOrganizationName] = useState("");
     const [affectedIdentityProviders, setAffectedIdentityProviders] = useState([]);
     const [dirty, setDirty] = useState(new Date());
 
@@ -63,6 +64,7 @@ const MyOrganization = ({refreshUser}) => {
                 .then(res => {
                     const convertedOrganization = convertServerApplicationToClient(res);
                     setOrganization(convertedOrganization);
+                    setOriginalOrganizationName(res.name);
                     setLoading(false);
                 }).catch(() => {
                 navigate("/home")
@@ -261,7 +263,7 @@ const MyOrganization = ({refreshUser}) => {
                 <p dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("myOrganization.info"))}}/>
             </div>
             <div className="my-organization">
-                <h1>{I18n.t("myOrganization.maintenance", {name: organization.name})}</h1>
+                <h1>{I18n.t("myOrganization.maintenance", {name: originalOrganizationName})}</h1>
                 <div className="menu-container">
                     <div className="left-menu">
                         {availableSections

client/src/utils/Permissions.js

@@ -79,9 +79,14 @@ export const hasApplicationDeleteAccess = (user, application) => {
 }
 
 export const deriveAccess = (user, spEntityId) => {
+    let isAccessible = false, isReadOnly = false;
+    if (isEmpty(user.identityProvider)) {
+        //External user
+        return {isAccessible, isReadOnly};
+    }
     const allowedEntities = user.identityProvider.data.allowedEntities.map(e => e.name);
-    let isAccessible = allowedEntities.includes(spEntityId);
-    let isReadOnly = !isAccessible;
+    isAccessible = allowedEntities.includes(spEntityId);
+    isReadOnly = !isAccessible;
 
     if (!isAccessible) {
         isAccessible = user.changeRequests.some(cr =>
@@ -91,10 +96,14 @@ export const deriveAccess = (user, spEntityId) => {
         );
     }
 
-    return { isAccessible, isReadOnly };
+    return {isAccessible, isReadOnly};
 }
 
 export const isAdmin = (user, authorities) => {
+    if (isEmpty(user.identityProvider)) {
+        //External user
+        return false;
+    }
     const idpId = user.identityProvider.id;
     const orgMembership = user.organizationMemberships.find(
         m => m.organization.manageIdentifier === idpId

server/src/main/java/access/api/IdentityProviderController.java

@@ -5,8 +5,18 @@
 import access.jira.JiraClient;
 import access.jira.JiraIssue;
 import access.mail.MailBox;
-import access.manage.*;
-import access.model.*;
+import access.manage.ChangeRequest;
+import access.manage.DashBoardConnectionOption;
+import access.manage.Manage;
+import access.manage.PathUpdateType;
+import access.manage.RequestType;
+import access.model.Authority;
+import access.model.ConnectionRequest;
+import access.model.EntityType;
+import access.model.Environment;
+import access.model.Organization;
+import access.model.OrganizationMembership;
+import access.model.User;
 import access.repository.OrganizationRepository;
 import access.repository.UserRepository;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
@@ -17,7 +27,6 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.CollectionUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -61,7 +70,10 @@ public IdentityProviderController(UserRepository userRepository,
 
     @PutMapping({"/connect"})
     public ResponseEntity<Map<String, Object>> connect(User user, @RequestBody @Validated ConnectionRequest connectionRequest) {
-        LOG.debug("/connect SP to IdP connection for " + user.getEmail());
+        String email = user.getEmail();
+        LOG.debug("/connect SP to IdP connection for " + email);
+
+        user = reinitializeUser(user, userRepository);
 
         String idpManageIdentifier = connectionRequest.getIdpManageIdentifier();
         Organization organization = organizationRepository.findByManageIdentifier(idpManageIdentifier)
@@ -70,15 +82,11 @@ public ResponseEntity<Map<String, Object>> connect(User user, @RequestBody @Vali
         Map<String, Object> serviceProvider = manage.providerById(connectionRequest.getEntityType(),
                 connectionRequest.getApplicationManageIdentifier(), Environment.PROD);
 
-        Map<String, Object> identityProvider = manage.providerById(EntityType.saml20_idp, idpManageIdentifier, Environment.PROD);
-
-        User userFromDB = reinitializeUser(user, userRepository);
-        //See https://github.com/OpenConext/OpenConext-access/wiki/Service-Connect-Flow
-        boolean memberRequest = !userFromDB.isSuperUser();
+        boolean memberRequest = !user.isSuperUser();
         if (memberRequest) {
-            OrganizationMembership organizationMembership = getOrganizationMembership(userFromDB, organization, Authority.GUEST)
+            OrganizationMembership organizationMembership = getOrganizationMembership(user, organization, Authority.GUEST)
                     .orElseThrow(() -> new NotAllowedException(
-                            String.format("User %s is not a member of organization %s", userFromDB.getEmail(), organization.getName())));
+                            String.format("User %s is not a member of organization %s", email, organization.getName())));
             memberRequest = !organizationMembership.getAuthority().equals(Authority.ADMIN);
         }
         if (memberRequest) {
@@ -97,10 +105,14 @@ public ResponseEntity<Map<String, Object>> connect(User user, @RequestBody @Vali
             //Avoid UnsupportedException for immutable collections
             admins = new ArrayList<>(admins);
             admins.add(user);
-            mailBox.sendConnectionRequest(userFromDB, admins, organization, getProviderName(serviceProvider),
+            mailBox.sendConnectionRequest(user, admins, organization, getProviderName(serviceProvider),
                     connectionRequest.getMessage(), deeplink);
             return Results.createResult();
         }
+
+        Map<String, Object> identityProvider = manage.providerById(EntityType.saml20_idp, idpManageIdentifier, Environment.PROD);
+
+        //See https://github.com/OpenConext/OpenConext-access/wiki/Service-Connect-Flow
         //Now check if the connection can be made automatically
         Map<String, Object> spMetaDataFields = getMetaDataFields(getData(serviceProvider));
         DashBoardConnectionOption connectOption = DashBoardConnectionOption
@@ -111,12 +123,12 @@ public ResponseEntity<Map<String, Object>> connect(User user, @RequestBody @Vali
                 .equals(idpInstitutionGUID);
         boolean connectWithoutInteraction = idpAndSpShareInstitution || !connectOption.equals(DashBoardConnectionOption.connectWithInteraction);
         if (connectWithoutInteraction) {
-                manage.connectWithoutInteraction(identityProvider, serviceProvider, userFromDB);
+            manage.connectWithoutInteraction(identityProvider, serviceProvider, user);
             if (connectOption.equals(DashBoardConnectionOption.connectWithoutInteractionWithEmail)) {
                 List<String> recipients = contactPersons(serviceProvider);
                 if (!CollectionUtils.isEmpty(recipients)) {
                     mailBox.sendNewConnectionCreated(
-                            userFromDB,
+                            user,
                             recipients,
                             getProviderName(identityProvider),
                             getProviderName(serviceProvider),
@@ -143,13 +155,13 @@ public ResponseEntity<Map<String, Object>> connect(User user, @RequestBody @Vali
                         changeRequestURL),
                 summary,
                 EntityType.valueOf((String) serviceProvider.get("type")),
-                user.getEmail()
+                email
         ));
         ChangeRequest changeRequest = new ChangeRequest(
                 idpManageIdentifier,
                 EntityType.saml20_idp,
                 Map.of("allowedEntities", Map.of("name", serviceProviderEntityID)),
-                Map.of("user", user.getEmail(),
+                Map.of("user", email,
                         "notes", String.format("Connection request requested by %s from %s for %s. See Jira %s",
                                 user.getName(),
                                 identityProviderEntityID,
@@ -164,5 +176,58 @@ public ResponseEntity<Map<String, Object>> connect(User user, @RequestBody @Vali
                 Map.of("status", HttpStatus.CREATED.value(), "jiraKey", jiraKey));
     }
 
+    @PutMapping({"/disconnect"})
+    public ResponseEntity<Map<String, Object>> disconnect(User user, @RequestBody @Validated ConnectionRequest connectionRequest) {
+        LOG.debug("/disconnect SP to IdP request by " + user.getEmail());
+
+        user = reinitializeUser(user, userRepository);
+
+        String idpManageIdentifier = connectionRequest.getIdpManageIdentifier();
+        Organization organization = organizationRepository.findByManageIdentifier(idpManageIdentifier)
+                .orElseThrow(() -> new NotFoundException("Organization with manageIdentifier not found: " + idpManageIdentifier));
+
+        Map<String, Object> serviceProvider = manage.providerById(connectionRequest.getEntityType(),
+                connectionRequest.getApplicationManageIdentifier(), Environment.PROD);
+
+        confirmOrganizationMembership(user, organization, Authority.ADMIN);
+        Map<String, Object> identityProvider = manage.providerById(EntityType.saml20_idp, idpManageIdentifier, Environment.PROD);
+
+        String changeRequestURL = manage.changeRequestURLConnectionRequest(EntityType.saml20_idp, idpManageIdentifier);
+
+        String identityProviderEntityID = getEntityID(identityProvider);
+        String serviceProviderEntityID = getEntityID(serviceProvider);
+        String lineSeparator = System.lineSeparator();
+        String summary = String.format("Disconnection request requested by %s for %s.",
+                user.getName(), getProviderName(identityProvider));
+        String jiraKey = jiraClient.create(new JiraIssue(
+                serviceProviderEntityID,
+                identityProviderEntityID,
+                String.format("%s%sA change request in manage has been created to merge this user request. See:%s%s",
+                        summary,
+                        lineSeparator,
+                        lineSeparator,
+                        changeRequestURL),
+                summary,
+                EntityType.valueOf((String) serviceProvider.get("type")),
+                user.getEmail()
+        ));
+        ChangeRequest changeRequest = new ChangeRequest(
+                idpManageIdentifier,
+                EntityType.saml20_idp,
+                Map.of("allowedEntities", Map.of("name", serviceProviderEntityID)),
+                Map.of("user", user.getEmail(),
+                        "notes", String.format("Disconnection request requested by %s from %s for %s. See Jira %s",
+                                user.getName(),
+                                identityProviderEntityID,
+                                serviceProviderEntityID,
+                                jiraKey)),
+                true,
+                PathUpdateType.REMOVAL,
+                RequestType.UnlinkRequest);
+        manage.createChangeRequest(Environment.PROD, changeRequest);
+
+        return ResponseEntity.status(HttpStatus.CREATED).body(
+                Map.of("status", HttpStatus.CREATED.value(), "jiraKey", jiraKey));
+    }
 
 }