WIP for Policies

oharsta · oharsta · commit 386b6be391f2 · 2026-01-21T11:33:27.000+01:00
diff --git a/server/src/main/java/access/api/InviteController.java b/server/src/main/java/access/api/InviteController.java
@@ -1,10 +1,8 @@
 package access.api;
 
-import access.exception.NotFoundException;
+import access.exception.InvalidInputException;
 import access.exception.UserRestrictionException;
 import access.invite.InviteClient;
-import access.model.Authority;
-import access.model.Organization;
 import access.model.User;
 import access.repository.OrganizationRepository;
 import access.repository.UserRepository;
@@ -60,6 +58,10 @@ public ResponseEntity<List<Map<String, Object>>> rolesPerOrganizationInviteAppli
                     String.format("User %s is not authorized for organizationGUID %s",
                             user.getEmail(), organizationGUID));
         }
+        if (!applicationManageId.matches("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")) {
+            throw new InvalidInputException(
+                    String.format("ApplicationManageId %s is not a valid UUID", applicationManageId));
+        }
         List<Map<String, Object>> inviteRoles = this.inviteClient.rolesPerOrganizationApplicationId(organizationGUID, applicationManageId);
         return ResponseEntity.ok(inviteRoles);
     }
diff --git a/server/src/main/java/access/api/LoginController.java b/server/src/main/java/access/api/LoginController.java
@@ -33,7 +33,7 @@ public LoginController(Environment environment, SecurityContextRepository securi
     }
 
     @PutMapping("/login")
-    public ResponseEntity<Void> login(@RequestBody Map<String, String> body,
+    public ResponseEntity<Void> login(@RequestBody Map<String, Object> body,
                                       HttpServletRequest servletRequest,
                                       HttpServletResponse servletResponse) {
         if (!environment.acceptsProfiles(Profiles.of("test"))) {
diff --git a/server/src/main/java/access/api/ManageController.java b/server/src/main/java/access/api/ManageController.java
@@ -1,8 +1,10 @@
 package access.api;
 
 import access.exception.InvalidInputException;
+import access.exception.UserRestrictionException;
 import access.manage.*;
 import access.model.*;
+import access.security.InstitutionAdmin;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.SneakyThrows;
@@ -27,7 +29,7 @@
 
 @RestController
 @RequestMapping(value = {"/api/v1/manage"}, produces = MediaType.APPLICATION_JSON_VALUE)
-public class ManageController {
+public class ManageController implements UserAccessRights{
 
     private static final Log LOG = LogFactory.getLog(ManageController.class);
 
@@ -86,17 +88,21 @@ public ResponseEntity<List<Map<String, Object>>> identityProviders(@PathVariable
     }
 
     @SneakyThrows
-    @GetMapping("/policies/{entityId}")
-    public ResponseEntity<List<Map<String, Object>>> policies(Authentication authentication,
-                                                              @PathVariable String entityId) {
+    @GetMapping("/policies")
+    public ResponseEntity<List<Map<String, Object>>> policies(User user,
+                                                              Authentication authentication,
+                                                              @RequestParam("entityId") String entityId) {
+        confirmInstitutionAdmin(user);
         //we need to ensure the application is connected to the IdP of the user
         OidcUser oidcUser = (OidcUser) authentication.getPrincipal();
         Map<String, Object> claims = oidcUser.getUserInfo().getClaims();
-        String authenticatingAuthority = (String) claims.get("authenticating_authority");
-        Map<String, Object> identityProvider = manage.identityProviderByEntityID(authenticatingAuthority);
-        Map<String, Object> data = ManageData.getData(identityProvider);
-        List<Map<String, Object>> providers = manage.providers(environment, EntityType.policy);
-        return ResponseEntity.ok(providers);
+        Institution institution = (Institution) claims.get(InstitutionAdmin.INSTITUTION);
+        if (!institution.getAllowedEntities().contains(entityId)) {
+            throw new UserRestrictionException(String.format("User %s is not allowed to request policies for %s",
+                    user.getEmail(), entityId));
+        }
+        List<Map<String, Object>> policies = this.manage.policiesByServiceProvider(institution.getEntityID(), entityId);
+        return ResponseEntity.ok(policies);
     }
 
     @SneakyThrows
diff --git a/server/src/main/java/access/api/UserAccessRights.java b/server/src/main/java/access/api/UserAccessRights.java
@@ -92,4 +92,12 @@ default void confirmSuperUser(User user) {
         }
     }
 
+    default void confirmInstitutionAdmin(User user) {
+        if (!user.isSuperUser() && !user.isInstitutionAdmin()) {
+            throw new UserRestrictionException(String.format("User %s, %s is no super user or institution admin",
+                    user.getEmail(), user.getAuthenticatingAuthority()));
+        }
+
+    }
+
 }
diff --git a/server/src/main/java/access/manage/LocalManage.java b/server/src/main/java/access/manage/LocalManage.java
@@ -44,7 +44,6 @@ private List<Map<String, Object>> initialize(EntityType entityType, String stati
         List<Map<String, Object>> providers = objectMapper.readValue(resource.getInputStream(), new TypeReference<>() {
         });
         //Need mutability
-
         return providers.stream().map(provider -> sanitizeProvider(provider))
                 .collect(Collectors.toCollection(ArrayList::new));
     }
@@ -245,6 +244,24 @@ public List<Map<String, Object>> identityProvidersByAllowedConnections(List<Conn
                 .toList();
     }
 
+    @Override
+    public List<Map<String, Object>> policiesByServiceProvider(String identityProviderEntityId, String serviceProviderEntityId) {
+        return this.allProviders.get(EntityType.policy).stream()
+                .filter(policy -> {
+                    Map<String, Object> data = getData(policy);
+                    List<Map<String, String>> serviceProviderIds = (List<Map<String, String>>)
+                            data.getOrDefault("serviceProviderIds", List.of());
+                    List<Map<String, String>> identityProviderIds = (List<Map<String, String>>)
+                            data.getOrDefault("identityProviderIds", List.of());
+                    return serviceProviderIds.stream()
+                            .anyMatch(m -> m.get("name").equals(serviceProviderEntityId))
+                            && (identityProviderIds.isEmpty() ||
+                            identityProviderIds.stream()
+                                    .anyMatch(m -> m.get("name").equals(identityProviderEntityId)));
+                })
+                .toList();
+    }
+
     @Override
     public void connectWithoutInteraction(Map<String, Object> identityProvider, Map<String, Object> serviceProvider, User currentUser) {
         //nope
diff --git a/server/src/main/java/access/manage/Manage.java b/server/src/main/java/access/manage/Manage.java
@@ -46,6 +46,9 @@ public interface Manage {
 
     List<Map<String, Object>> identityProvidersByAllowedConnections(List<Connection> connections);
 
+    List<Map<String, Object>> policiesByServiceProvider(String identityProviderEntityId,
+                                                        String serviceProviderEntityId);
+
     void connectWithoutInteraction(Map<String, Object> identityProvider, Map<String, Object> serviceProvider, User currentUser);
 
     default Map<String, Object> sanitizeProvider(Map<String, Object> provider) {
diff --git a/server/src/main/java/access/manage/RemoteManage.java b/server/src/main/java/access/manage/RemoteManage.java
@@ -10,7 +10,10 @@
 import org.apache.commons.logging.LogFactory;
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.core.io.ClassPathResource;
-import org.springframework.http.*;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.util.StringUtils;
 import org.springframework.web.client.ResponseErrorHandler;
 import org.springframework.web.client.RestTemplate;
@@ -257,7 +260,7 @@ public List<Map<String, Object>> serviceProvidersByEntityID(List<String> entityI
     public List<Map<String, Object>> identityProvidersByInstitutionalGUID(Environment environment, String organisationGUID) {
         LOG.debug("identityProviderByInstitutionalGUID for : " + organisationGUID);
 
-        Map<String, Object> baseQuery = getBaseQuery(false);
+        Map<String, Object> baseQuery = getBaseQuery(true);
         baseQuery.put("metaDataFields.coin:institution_guid", organisationGUID);
 
         String url = String.format("%s/manage/api/internal/search/%s",
@@ -341,6 +344,25 @@ public List<Map<String, Object>> identityProvidersByAllowedConnections(List<Conn
         return restTemplate.postForEntity(URI.create(url), body, List.class).getBody();
     }
 
+    @Override
+    public List<Map<String, Object>> policiesByServiceProvider(String identityProviderEntityId,
+                                                               String serviceProviderEntityId) {
+        String query = """
+                {
+                "data.serviceProviderIds.name": "%s",
+                $or: [
+                    { "data.identityProviderIds": { $size: 0 } },
+                    { "data.identityProviderIds": { $exists: false } },
+                    { "data.identityProviderIds.name": "%s" }
+                ]
+                })
+                """.formatted(serviceProviderEntityId, identityProviderEntityId);
+        RestTemplate restTemplate = environmentRestTemplate(Environment.PROD);
+        String url = String.format("%s/manage/api/internal/rawSearch/%s",
+                environmentUrl(Environment.PROD), EntityType.policy);
+        return restTemplate.postForEntity(url, query, List.class).getBody();
+    }
+
     @Override
     public void connectWithoutInteraction(Map<String, Object> identityProvider, Map<String, Object> serviceProvider, User user) {
         RestTemplate restTemplate = environmentRestTemplate(Environment.PROD);
diff --git a/server/src/main/java/access/model/Institution.java b/server/src/main/java/access/model/Institution.java
@@ -5,6 +5,7 @@
 import lombok.Setter;
 
 import java.io.Serializable;
+import java.util.List;
 import java.util.Map;
 
 import static access.manage.ManageData.getData;
@@ -19,10 +20,17 @@ public class Institution implements Serializable {
     private String entityID;
     private String name;
     private String organizationName;
+    private boolean allowedall;
+    private List<String> allowedEntities;
 
     public Institution(Map<String, Object> provider) {
         Map<String, Object> data = getData(provider);
-        Map<String, Object> metaDataFields = getMetaDataFields (data);
+        this.allowedall = (boolean) data.getOrDefault("allowedall", false);
+        this.allowedEntities = ((List<Map<String, String>>) data.getOrDefault("allowedEntities", Map.of()))
+                .stream()
+                .map(allowedEntity -> allowedEntity.get("name"))
+                .toList();
+        Map<String, Object> metaDataFields = getMetaDataFields(data);
         this.entityID = (String) data.get("entityid");
         this.name = (String) metaDataFields.get("name:en");
         this.organizationName = (String) metaDataFields.get("OrganizationName:en");
diff --git a/server/src/main/java/access/model/User.java b/server/src/main/java/access/model/User.java
@@ -61,6 +61,9 @@ public class User implements Serializable, NameHolder {
     @Column(name = "schac_home_organization")
     private String schacHomeOrganization;
 
+    @Column(name = "authenticating_authority")
+    private String authenticatingAuthority;
+
     @Column
     private String email;
 
@@ -107,6 +110,7 @@ public User(boolean superUser, Map<String, Object> attributes) {
         this.sub = (String) attributes.get("sub");
         this.eduPersonPrincipalName = (String) attributes.get("eduperson_principal_name");
         this.schacHomeOrganization = (String) attributes.get("schac_home_organization");
+        this.authenticatingAuthority = (String) attributes.get("authenticating_authority");
         this.email = (String) attributes.get("email");
         this.givenName = (String) attributes.get("given_name");
         this.familyName = (String) attributes.get("family_name");
@@ -117,7 +121,7 @@ public User(boolean superUser, Map<String, Object> attributes) {
         this.lastActivity = this.createdAt;
         this.institutionAdmin = (boolean) attributes.getOrDefault(INSTITUTION_ADMIN, false);
         this.organizationGUID = (String) attributes.get(ORGANIZATION_GUID);
-        this.institution = (Institution) attributes.getOrDefault(INSTITUTION, null);
+        this.institution = (Institution) attributes.get(INSTITUTION);
 
         //Defensive mode, EPPN is not a required attribute for access RP
         if (!StringUtils.hasText(this.eduPersonPrincipalName)) {
diff --git a/server/src/main/java/access/security/CustomOidcUserService.java b/server/src/main/java/access/security/CustomOidcUserService.java
@@ -69,6 +69,7 @@ public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2Authenticatio
         if (institutionAdmin && StringUtils.hasText(organizationGuid)) {
             String authenticatingAuthority = (String) claims.get("authenticating_authority");
             List<Map<String, Object>> identityProviders = manage.identityProvidersByInstitutionalGUID(Environment.PROD, organizationGuid);
+            //If there are multiple identityProviders with the same organizationGuid, we pick the one that was used to login
             Optional<Map<String, Object>> optionalIdentityProvider = identityProviders.isEmpty() ? Optional.empty() :
                     Optional.of(identityProviders.stream()
                             .filter(idp -> entityID(idp).equals(authenticatingAuthority))
diff --git a/server/src/main/java/access/security/InstitutionAdmin.java b/server/src/main/java/access/security/InstitutionAdmin.java
@@ -17,6 +17,7 @@ public class InstitutionAdmin {
     public static final String INSTITUTION_ADMIN = "INSTITUTION_ADMIN";
     public static final String ORGANIZATION_GUID = "ORGANIZATION_GUID";
     public static final String INSTITUTION = "INSTITUTION";
+    public static final String IDENTITY_PROVIDER = "IDENTITY_PROVIDER";
 
     private InstitutionAdmin() {
     }
diff --git a/server/src/main/java/access/security/LocalDevelopmentAuthenticationFilter.java b/server/src/main/java/access/security/LocalDevelopmentAuthenticationFilter.java
@@ -1,5 +1,6 @@
 package access.security;
 
+import access.model.Institution;
 import jakarta.servlet.*;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -17,6 +18,9 @@
 import java.util.Map;
 import java.util.UUID;
 
+import static access.security.InstitutionAdmin.IDENTITY_PROVIDER;
+import static access.security.InstitutionAdmin.INSTITUTION;
+
 public class LocalDevelopmentAuthenticationFilter implements Filter {
 
     private static final String sub = "urn:collab:person:example.com:mos";
@@ -32,7 +36,8 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
         filterChain.doFilter(servletRequest, servletResponse);
     }
 
-    public static void populateSecurityContext(Map<String, String> body) {
+    @SuppressWarnings("unchecked")
+    public static void populateSecurityContext(Map<String, Object> body) {
         List<SimpleGrantedAuthority> authorities = List.of(new SimpleGrantedAuthority("OPENID"));
         Map<String, Object> defaultClaims = Map.of(
                 "eduperson_principal_name", "urn:collab:person:example.com:super",
@@ -47,6 +52,10 @@ public static void populateSecurityContext(Map<String, String> body) {
                 "uids", List.of("super"));
         //We can't rely on the mutability of the body
         Map<String, Object> claims = new HashMap<>(defaultClaims);
+        if (body.containsKey(IDENTITY_PROVIDER)) {
+            body.put(INSTITUTION, new Institution((Map<String, Object>) body.get(IDENTITY_PROVIDER)));
+            body.remove(IDENTITY_PROVIDER);
+        }
         claims.putAll(body);
 
         OidcIdToken idToken = new OidcIdToken(
diff --git a/server/src/main/resources/db/mysql/migration/V13_0__users_authenticating_authority.sql b/server/src/main/resources/db/mysql/migration/V13_0__users_authenticating_authority.sql
@@ -0,0 +1,2 @@
+ALTER TABLE users
+    ADD COLUMN authenticating_authority varchar(255) DEFAULT NULL;
diff --git a/server/src/main/resources/manage/policy.json b/server/src/main/resources/manage/policy.json
@@ -0,0 +1,92 @@
+[
+  {
+    "_id": "fab50830-9551-46ec-9eb6-5db98ba8f2bd",
+    "version": 0,
+    "type": "policy",
+    "revision": {
+      "number": 0,
+      "created": "2025-12-19T14:43:49.818+00:00",
+      "updatedBy": "urn:collab:person:example.com:admin"
+    },
+    "data": {
+      "metaDataFields": {},
+      "name": "Regular Test Policy",
+      "entityid": "Regular Test Policy",
+      "description": "A user from 'okke' is only allowed to access all connected Service Providers when he/she has the value 'test' for attribute 'urn:mace:dir:attribute-def:eduPersonAffiliation'",
+      "serviceProviderIds": [
+        {
+          "name": "https://network"
+        }
+      ],
+      "identityProviderIds": [
+        {
+          "name": "http://mock-idp"
+        }
+      ],
+      "attributes": [
+        {
+          "name": "urn:mace:dir:attribute-def:eduPersonAffiliation",
+          "value": "test",
+          "groupID": 0,
+          "negated": false,
+          "index": 0
+        }
+      ],
+      "loas": [],
+      "denyAdvice": "Access Denied EN",
+      "denyRule": false,
+      "allAttributesMustMatch": false,
+      "userDisplayName": "",
+      "authenticatingAuthorityName": "",
+      "denyAdviceNl": "Access Denied NL",
+      "active": true,
+      "type": "reg",
+      "revisionnote": "test",
+      "policyId": "urn:surfconext:xacml:policy:id:regular_test_policy",
+      "eid": 88260
+    }
+  },
+  {
+    "_id": "29d9c813-441e-4cb7-adda-7a8b03d0b50f",
+    "version": 1,
+    "type": "policy",
+    "revision": {
+      "number": 1,
+      "created": "2026-01-20T15:00:50.287+00:00",
+      "updatedBy": "urn:collab:person:surfnet.nl:test"
+    },
+    "data": {
+      "metaDataFields": {},
+      "name": "Test",
+      "entityid": "Test",
+      "description": "A user is only allowed something",
+      "serviceProviderIds": [
+        {
+          "name": "https://wiki"
+        }
+      ],
+      "identityProviderIds": [],
+      "attributes": [
+        {
+          "name": "urn:mace:dir:attribute-def:isMemberOf",
+          "value": "test-team",
+          "groupID": 0,
+          "negated": false,
+          "index": 0
+        }
+      ],
+      "loas": [],
+      "denyAdvice": "en",
+      "denyRule": false,
+      "allAttributesMustMatch": false,
+      "userDisplayName": "",
+      "authenticatingAuthorityName": "",
+      "denyAdviceNl": "nl",
+      "active": true,
+      "type": "reg",
+      "revisionnote": "test",
+      "policyId": "urn:surfconext:xacml:policy:id:test",
+      "eid": 88263
+    }
+  }
+]
diff --git a/server/src/test/java/access/AbstractTest.java b/server/src/test/java/access/AbstractTest.java
diff --git a/server/src/test/java/access/api/InviteControllerTest.java b/server/src/test/java/access/api/InviteControllerTest.java
diff --git a/server/src/test/java/access/api/ManageControllerTest.java b/server/src/test/java/access/api/ManageControllerTest.java
diff --git a/server/src/test/java/access/api/UserControllerTest.java b/server/src/test/java/access/api/UserControllerTest.java

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ public LoginController(Environment environment, SecurityContextRepository securi`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`@PutMapping("/login")`
`36`		`- public ResponseEntity<Void> login(@RequestBody Map<String, String> body,`
	`36`	`+ public ResponseEntity<Void> login(@RequestBody Map<String, Object> body,`
`37`	`37`	`HttpServletRequest servletRequest,`
`38`	`38`	`HttpServletResponse servletResponse) {`
`39`	`39`	`if (!environment.acceptsProfiles(Profiles.of("test"))) {`
Original file line number	Diff line number	Diff line change
`@@ -92,4 +92,12 @@ default void confirmSuperUser(User user) {`
`92`	`92`	`}`
`93`	`93`	`}`
`94`	`94`
	`95`	`+ default void confirmInstitutionAdmin(User user) {`
	`96`	`+ if (!user.isSuperUser() && !user.isInstitutionAdmin()) {`
	`97`	`+ throw new UserRestrictionException(String.format("User %s, %s is no super user or institution admin",`
	`98`	`+ user.getEmail(), user.getAuthenticatingAuthority()));`
	`99`	`+ }`
	`100`	`+`
	`101`	`+ }`
	`102`	`+`
`95`	`103`	`}`