WIP for policies

Author: oharsta

.gitignore

@@ -48,4 +48,5 @@ jira.yml
 application-local.yml
 jira.yml
 spieldata
-PlayGroundTest.java
+PlayGroundTest.java
+LOCAL_USERS.md

client/src/App.jsx

@@ -120,7 +120,7 @@ const App = () => {
                 <Flash/>
                 {impersonator && <Impersonating/>}
                 <div className="container">
-                    <SharedMenu/>
+                    <SharedMenu currentLocation={currentLocation}/>
                     <div className="pages">
                         <AuthorizedHeader setIsAuthenticated={setIsAuthenticated}/>
                         <Routes>

client/src/components/SharedMenu.jsx

@@ -11,6 +11,7 @@ import {ORGANIZATION_STATUSES} from "../utils/Manage.js";
 import {allMenuGroups} from "../utils/MenuItems.js";
 import {isEmpty} from "../utils/Utils.js";
 import {useShallow} from "zustand/react/shallow";
+import {useLocation} from "react-router-dom";
 
 export const SharedMenu = () => {
 
@@ -21,7 +22,8 @@ export const SharedMenu = () => {
     })));
 
     const navigate = useNavigate();
-
+    const currentLocation = useLocation();
+        console.log(currentLocation.href)
     const filteredMenuGroups = useMemo(() => {
         return allMenuGroups
             .map(menuGroup => ({

client/src/pages/Profile.jsx

@@ -24,7 +24,7 @@ const Profile = ({setIsAuthenticated}) => {
     useEffect(() => {
         useAppStore.setState({
             breadcrumbPaths: [
-                {path: "/home", value: I18n.t("profile.title"), menuItemName: mainMenuItems.home},
+                {path: "/home", value: I18n.t("breadCrumb.home"), menuItemName: mainMenuItems.home},
                 {value: I18n.t("breadCrumb.profile")}
             ]
         });

client/src/pages/UserHome.jsx

@@ -1,11 +1,11 @@
 import "./UserHome.scss";
-import React, {useEffect} from "react";
+import React from "react";
 import {useAppStore} from "../stores/AppStore";
+import {Button, ButtonType} from "@surfnet/sds";
 import I18n from "../locale/I18n";
 import {isEmpty} from "../utils/Utils.js";
-import {useNavigate} from "react-router-dom";
+import {Navigate, useNavigate} from "react-router-dom";
 import {mainMenuItems} from "../utils/MenuItems.js";
-import {Button, ButtonType} from "@surfnet/sds";
 import DOMPurify from "dompurify";
 import {InfoBlock} from "../components/InfoBlock.jsx";
 
@@ -15,25 +15,21 @@ const UserHome = () => {
     const currentOrganization = useAppStore(state => state.currentOrganization);
 
     const navigate = useNavigate();
-
-    useEffect(() => {
-        let newLocation = null;
-        if (isEmpty(user.joinRequests) && isEmpty(currentOrganization?.id)) {
-            newLocation = "/landing"
-
-        } else if (!isEmpty(user.joinRequests) && isEmpty(currentOrganization?.id)) {
-            newLocation = "/relax"
-        }
-        if (newLocation !== null) {
-            navigate(newLocation, {replace: true});
-        } else {
-            useAppStore.setState({
-                breadcrumbPaths: [
-                    {path: "/home", value: I18n.t("breadCrumb.home"), menuItemName: mainMenuItems.home}
-                ]
-            });
-        }
-    }, [user.joinRequests, currentOrganization?.id, navigate]);
+    let newLocation = null;
+    if (isEmpty(user.joinRequests) && isEmpty(currentOrganization?.id)) {
+        newLocation = "/landing"
+    } else if (!isEmpty(user.joinRequests) && isEmpty(currentOrganization?.id)) {
+        newLocation = "/relax"
+    }
+    if (newLocation !== null) {
+        return <Navigate to={newLocation} replace/>;
+    } else {
+        useAppStore.setState({
+            breadcrumbPaths: [
+                {path: "/home", value: I18n.t("breadCrumb.home"), menuItemName: mainMenuItems.home}
+            ]
+        });
+    }
 
     const navigateInner = (menuItem, path) => {
         navigate(path);

server/src/main/java/access/api/ManageController.java

@@ -5,9 +5,7 @@
 import access.manage.*;
 import access.model.EntityType;
 import access.model.Environment;
-import access.model.Institution;
 import access.model.User;
-import access.security.InstitutionAdmin;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.SneakyThrows;
@@ -20,8 +18,6 @@
 import org.springframework.core.io.UrlResource;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.web.bind.annotation.*;
 
 import java.net.URI;
@@ -104,14 +100,13 @@ public ResponseEntity<List<Map<String, Object>>> identityProviders(@PathVariable
     @GetMapping("/policies")
     @SuppressWarnings("unchecked")
     public ResponseEntity<List<Map<String, Object>>> policies(User user,
-                                                              Authentication authentication,
                                                               @RequestParam("entityId") String entityId) {
         LOG.debug("/policies for " + entityId + " for " + user.getEmail());
 
         confirmInstitutionAdmin(user);
         //we need to ensure the application is connected to the IdP of the user - realtime
         if (!user.isSuperUser()) {
-            Map<String, Object> data = getIdentityProvider(authentication);
+            Map<String, Object> data = getIdentityProvider(user);
             boolean noneMatch = ((List<Map<String, String>>) data.getOrDefault("allowedEntities", List.of()))
                     .stream()
                     .noneMatch(allowedEntity -> allowedEntity.get("name").equals(entityId));
@@ -131,7 +126,7 @@ public ResponseEntity<List<Map<String, Object>>> policies(User user,
     public ResponseEntity<Map<String, Object>> createPolicy(User user, @RequestBody Map<String, Object> policy) {
         LOG.debug("/createPolicy for " + policy + " for " + user.getEmail());
 
-        policyAccessAllowed(user, policy);
+        policyAccessAllowed(user, policy, true);
         return ResponseEntity.ok(manage.createPolicy(policy));
     }
 
@@ -140,7 +135,7 @@ public ResponseEntity<Map<String, Object>> createPolicy(User user, @RequestBody
     public ResponseEntity<Map<String, Object>> updatePolicy(User user, @RequestBody Map<String, Object> policy) {
         LOG.debug("/updatePolicy for " + policy + " for " + user.getEmail());
 
-        policyAccessAllowed(user, policy);
+        policyAccessAllowed(user, policy, true);
         return ResponseEntity.ok(manage.updatePolicy(policy));
     }
 
@@ -151,7 +146,7 @@ public ResponseEntity<Void> deletePolicy(User user, @PathVariable String policyI
 
         LOG.debug("/deletePolicy for " + policy + " for " + user.getEmail());
 
-        policyAccessAllowed(user, policy);
+        policyAccessAllowed(user, policy, true);
         manage.deletePolicy(policy);
         return ResponseEntity.noContent().build();
     }
@@ -194,21 +189,17 @@ public ResponseEntity<Map<String, Object>> rejectChangeRequest(User user, @Reque
         return Results.okResult();
     }
 
-    private void policyAccessAllowed(User user, Map<String, Object> policy) {
+    private void policyAccessAllowed(User user, Map<String, Object> policy, boolean throwException) {
         confirmInstitutionAdmin(user);
         //We don't want to use PolicyDefinition as @RequestBody, because the template from Manage is leading
         PolicyDefinition policyDefinition = this.objectMapper.convertValue(policy.get("data"), PolicyDefinition.class);
         confirmPolicyAccess(user, policyDefinition, manage);
     }
 
-    private Map<String, Object> getIdentityProvider(Authentication authentication) {
-        OidcUser oidcUser = (OidcUser) authentication.getPrincipal();
-        Map<String, Object> claims = oidcUser.getUserInfo().getClaims();
-        Institution institution = (Institution) claims.get(InstitutionAdmin.INSTITUTION);
+    private Map<String, Object> getIdentityProvider(User user) {
         //We can't use any cache as this method is called right after automatic connection allowed
-        Map<String, Object> identityProvider = manage.providerById(EntityType.saml20_idp, institution.getManageIdentifier(), Environment.PROD);
-        Map<String, Object> data = getData(identityProvider);
-        return data;
+        Map<String, Object> identityProvider = manage.identityProviderByEntityID(user.getAuthenticatingAuthority());
+        return getData(identityProvider);
     }
 
 

server/src/main/java/access/mail/MailBox.java

@@ -140,7 +140,8 @@ public void sendJoinRequestMail(JoinRequest joinRequest) {
         if (!environment.equalsIgnoreCase("prod")) {
             variables.put("environment", environment);
         }
-        variables.put("url", String.format("%s/organization/%s/joins", clientUrl, organization.getId()));
+
+        variables.put("url", String.format("%s/users/%s/joins", clientUrl, organization.getId()));
         List<String> emails = organization.getOrganizationMemberships().stream()
                 .filter(organizationMembership -> organizationMembership.getAuthority().equals(Authority.ADMIN))
                 .map(organizationMembership -> organizationMembership.getUser().getEmail())

server/src/main/java/access/manage/PolicyAccessRights.java

@@ -1,18 +1,49 @@
 package access.manage;
 
+import access.exception.UserRestrictionException;
 import access.model.User;
 
+import java.util.List;
 import java.util.Map;
 
+import static access.manage.ManageData.getData;
+
 public interface PolicyAccessRights {
 
-    default void confirmPolicyAccess(User user, PolicyDefinition policyDefinition, Manage manage) {
+    @SuppressWarnings("unchecked")
+    default void confirmPolicyAccess(User user,
+                                     PolicyDefinition policyDefinition,
+                                     Manage manage) {
         if (user.isSuperUser()) {
             return;
         }
-        //TODO implement
+        List<String> authenticatingAuthority = List.of(user.getAuthenticatingAuthority());
         //Is the IdP of the Policy the same as the IdP of the User?
+        if (!policyDefinition.getIdentityProviderIds().stream()
+                .map(policyProvider -> policyProvider.getName())
+                .toList()
+                .equals(authenticatingAuthority)) {
+            throwUserRestrictionException(user, policyDefinition);
+        }
+        //All SP's must be linked to the IdP of the user (=organizationGUID of the instituitonAdmin)
+        List<String> serviceProviderIdentifiers = policyDefinition.getServiceProviderIds().stream()
+                .map(policyProvider -> policyProvider.getName())
+                .toList();
+        Map<String, Object> identityProvider = manage.identityProviderByEntityID(user.getAuthenticatingAuthority());
+        Map<String, Object> data = getData(identityProvider);
+        List<String> allowedEntities = ((List<Map<String, String>>) data.getOrDefault("allowedEntities", List.of()))
+                .stream()
+                .map(allowedEntry -> allowedEntry.get("name"))
+                .toList();
+        if (!allowedEntities.containsAll(serviceProviderIdentifiers)) {
+            throwUserRestrictionException(user, policyDefinition);
+        }
+    }
 
-        //No IdP, all SP's must be owned by the IdP of the user (=organizationGUID of the instituitonAdmin)
+    default void throwUserRestrictionException(User user,
+                                               PolicyDefinition policyDefinition) {
+        throw new UserRestrictionException(
+                String.format("User %s from %s is not allowed access to policy %s",
+                        user.getEmail(), user.getAuthenticatingAuthority(), policyDefinition.getIdentityProviderIds()));
     }
 }

server/src/main/java/access/manage/PolicyProvider.java

@@ -5,11 +5,13 @@
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
+import lombok.ToString;
 
 @NoArgsConstructor
 @Getter
 @Setter
 @AllArgsConstructor
+@ToString
 public class PolicyProvider {
 
     private String name;