Fixes #442

oharsta · oharsta · commit 83945d9a3b3b · 2026-02-18T16:33:54.000+01:00
diff --git a/client/src/locale/en.js b/client/src/locale/en.js
@@ -131,7 +131,7 @@ const en = {
         register: "Register new organisation: ‘<strong>{{name}}</strong>’",
         confirmation: "Are you sure you want to register a new organisation called {{name}}?",
         confirmationAfter: "Your organisation is created. You can continue to create applications. You will be contacted by mail within <strong>3 working days</strong>. Your reference number of our internal ticketing system is <strong>{{jiraKey}}</strong></strong>",
-        neworganisation: "New organisation created",
+        newOrganization: "New organisation created",
         flash: "Created organisation {{name}}."
     },
     userHome: {
diff --git a/server/src/main/java/access/api/PublicController.java b/server/src/main/java/access/api/PublicController.java
@@ -1,39 +1,69 @@
 package access.api;
 
+import access.config.Config;
 import access.manage.Manage;
-import access.manage.ManageData;
 import access.model.EntityType;
 import access.model.Environment;
 import lombok.SneakyThrows;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import static access.manage.ManageData.getData;
+import static access.manage.ManageData.getMetaDataFields;
 
 @RestController
 @RequestMapping(value = {"/api/v1/public"}, produces = MediaType.APPLICATION_JSON_VALUE)
+@SuppressWarnings("unchecked")
 public class PublicController {
 
     private static final Log LOG = LogFactory.getLog(PublicController.class);
 
     private final Manage manage;
+    private final Config config;
 
     @SneakyThrows
-    public PublicController(Manage manage) {
+    public PublicController(Manage manage, Config config) {
         this.manage = manage;
+        this.config = config;
     }
 
     @GetMapping("/service-providers")
-    public ResponseEntity<List<Map<String, Object>>> serviceProviders() {
+    public ResponseEntity<List<Map<String, Object>>> serviceProviders(Authentication authentication) {
         LOG.debug("/serviceProviders");
-        return ResponseEntity.ok(manage.serviceProvidersLight(Environment.PROD));
+        List<Map<String, Object>> providers = manage.serviceProvidersLight(Environment.PROD);
+        if (authentication == null) {
+            providers.removeIf(provider -> removeNonPublicProvider(provider));
+        } else {
+            DefaultOidcUser user = (DefaultOidcUser) authentication.getPrincipal();
+            String schacHomeOrganization = (String) user.getClaims().get("schac_home_organization");
+            boolean isExternalUserFromSchacHome = schacHomeOrganization.equals(config.getEduIdSchacHomeOrganization());
+            if (isExternalUserFromSchacHome) {
+                providers.removeIf(provider -> removeNonPublicProvider(provider));
+            } else {
+                //We need the identity provider to see which providers are connected and are therefore visiblle
+                String authenticatingAuthority = (String) user.getClaims().get("authenticating_authority");
+                Map<String, Object> identityProvider = manage.identityProviderByEntityID(authenticatingAuthority);
+                Set<String> allowedEntities = ((List<Map<String, String>>) getData(identityProvider).getOrDefault("allowedEntities", List.of()))
+                        .stream()
+                        .map(allowedEntity -> allowedEntity.get("name"))
+                        .collect(Collectors.toSet());
+                providers.removeIf(provider -> removeNonPublicProvider(provider, allowedEntities));
+            }
+        }
+        return ResponseEntity.ok(providers);
     }
 
     @GetMapping("/identity-providers")
@@ -49,10 +79,23 @@ public ResponseEntity<Map<String, Object>> serviceProviderDetail(
         LOG.debug("/identityProviders");
         Map<String, Object> provider = manage
                 .providerById(entityType, identifier, Environment.PROD);
-        ManageData.getMetaDataFields(ManageData.getData(provider)).keySet()
+        getMetaDataFields(getData(provider)).keySet()
                 .removeIf(key -> key.startsWith("contacts:"));
         return ResponseEntity.ok(provider);
     }
 
+    private boolean removeNonPublicProvider(Map<String, Object> provider) {
+        Map<String, Object> metaDataFields = getMetaDataFields(getData(provider));
+        boolean hidden = (boolean) metaDataFields.getOrDefault("coin:ss:hidden", false);
+        boolean idpVisibleOnly = (boolean) metaDataFields.getOrDefault("coin:ss:idp_visible_only", false);
+        return hidden || idpVisibleOnly;
+    }
 
+    private boolean removeNonPublicProvider(Map<String, Object> provider, Set<String> allowedEntities) {
+        Map<String, Object> data = getData(provider);
+        Map<String, Object> metaDataFields = getMetaDataFields(data);
+        boolean hidden = (boolean) metaDataFields.getOrDefault("coin:ss:hidden", false);
+        boolean idpVisibleOnly = (boolean) metaDataFields.getOrDefault("coin:ss:idp_visible_only", false);
+        return hidden || (idpVisibleOnly && !allowedEntities.contains((String) data.get("entityid")));
+    }
 }
diff --git a/server/src/main/java/access/manage/RemoteManage.java b/server/src/main/java/access/manage/RemoteManage.java
@@ -289,6 +289,8 @@ public List<Map<String, Object>> serviceProvidersLight(Environment environment)
         Map<String, Object> baseQuery = getBaseQuery(false);
         List requestedAttributes = (List) baseQuery.get("REQUESTED_ATTRIBUTES");
         requestedAttributes.add("metaDataFields.coin:interfed_source");
+        requestedAttributes.add("metaDataFields.coin:ss:hidden");
+        requestedAttributes.add("metaDataFields.coin:ss:idp_visible_only");
         requestedAttributes.add("metaDataFields.application_tags");
 
         String url = String.format("%s/manage/api/internal/search/%s",
diff --git a/server/src/main/resources/manage/oidc10_rp.json b/server/src/main/resources/manage/oidc10_rp.json
@@ -32,7 +32,8 @@
         "OrganizationName:en": "SURF bv",
         "logo:0:url": "https://static.surfconext.nl/media/idp/surfconext.png",
         "coin:application_url": "https://default-url-cloud.org",
-        "coin:dashboard_connect_option": "connect_without_interaction_without_email"
+        "coin:dashboard_connect_option": "connect_without_interaction_without_email",
+        "coin:ss:idp_visible_only": true
       }
     }
   },
@@ -48,7 +49,8 @@
         "name:nl": "Unused NL",
         "OrganizationName:en": "SURF bv",
         "logo:0:url": "https://static.surfconext.nl/media/idp/surfconext.png",
-        "coin:application_url": "https://default-url-unused.org"
+        "coin:application_url": "https://default-url-unused.org",
+        "coin:ss:hidden": true
       }
     }
   },
diff --git a/server/src/main/resources/manage/saml20_sp.json b/server/src/main/resources/manage/saml20_sp.json
@@ -13,7 +13,8 @@
         "coin:institution_guid": "ad93daef-0911-e511-80d0-005056956c1a",
         "coin:application_url": "https://default-url-wiki.org",
         "application_tags": ["education"],
-        "coin:interfed_source": "WO"
+        "coin:interfed_source": "WO",
+        "coin:ss:idp_visible_only": true
       },
       "arp": {
         "enabled": true,
diff --git a/server/src/test/java/access/api/PublicControllerTest.java b/server/src/test/java/access/api/PublicControllerTest.java
@@ -1,6 +1,7 @@
 package access.api;
 
 import access.AbstractTest;
+import access.AccessCookieFilter;
 import access.model.EntityType;
 import access.model.Environment;
 import io.restassured.common.mapper.TypeRef;
@@ -27,7 +28,45 @@ void serviceProviders() {
                 .get("/api/v1/public/service-providers")
                 .as(new TypeRef<>() {
                 });
-        assertEquals(8, serviceProviders.size());
+        //Three are filtered out because of coin:ss:hidden and coin:ss:idp_visible_only
+        assertEquals(5, serviceProviders.size());
+    }
+
+    @Test
+    void serviceProvidersWithAuthenticatedInternalUser() {
+        AccessCookieFilter accessCookieFilter = mockLoginFlow(MANAGE_SUB);
+        this.stubForServiceProviders();
+        this.stubForIdentityProviderByEntityId("http://mock-idp");
+        List<Map<String, Object>> serviceProviders = given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .header(csrfHeader(accessCookieFilter))
+                .accept(ContentType.JSON)
+                .contentType(ContentType.JSON)
+                .get("/api/v1/public/service-providers")
+                .as(new TypeRef<>() {
+                });
+        //Only two are filtered out because of coin:ss:hidden and coin:ss:idp_visible_only and internal user
+        assertEquals(6, serviceProviders.size());
+    }
+
+    @Test
+    void serviceProvidersWithAuthenticatedExternalUser() {
+        Map<String, Object> body = Map.of("sub", MANAGE_SUB, "schac_home_organization", "eduid.nl");
+        AccessCookieFilter accessCookieFilter = mockLoginFlow(body);
+        this.stubForServiceProviders();
+        this.stubForIdentityProviderByEntityId("http://mock-idp");
+        List<Map<String, Object>> serviceProviders = given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .header(csrfHeader(accessCookieFilter))
+                .accept(ContentType.JSON)
+                .contentType(ContentType.JSON)
+                .get("/api/v1/public/service-providers")
+                .as(new TypeRef<>() {
+                });
+        //Three are filtered out because of coin:ss:hidden and coin:ss:idp_visible_only and external user
+        assertEquals(5, serviceProviders.size());
     }
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,8 @@`
`32`	`32`	`"OrganizationName:en": "SURF bv",`
`33`	`33`	`"logo:0:url": "https://static.surfconext.nl/media/idp/surfconext.png",`
`34`	`34`	`"coin:application_url": "https://default-url-cloud.org",`
`35`		`- "coin:dashboard_connect_option": "connect_without_interaction_without_email"`
	`35`	`+ "coin:dashboard_connect_option": "connect_without_interaction_without_email",`
	`36`	`+ "coin:ss:idp_visible_only": true`
`36`	`37`	`}`
`37`	`38`	`}`
`38`	`39`	`},`
`@@ -48,7 +49,8 @@`
`48`	`49`	`"name:nl": "Unused NL",`
`49`	`50`	`"OrganizationName:en": "SURF bv",`
`50`	`51`	`"logo:0:url": "https://static.surfconext.nl/media/idp/surfconext.png",`
`51`		`- "coin:application_url": "https://default-url-unused.org"`
	`52`	`+ "coin:application_url": "https://default-url-unused.org",`
	`53`	`+ "coin:ss:hidden": true`
`52`	`54`	`}`
`53`	`55`	`}`
`54`	`56`	`},`