WIP for #453

Author: oharsta

client/src/utils/Policy.js

@@ -0,0 +1,15 @@
+export const policyTemplate = {
+    "active": true,
+    "allAttributesMustMatch": false,
+    "attributes": [],
+    "denyAdvice": "",
+    "denyAdviceNl": "",
+    "denyRule": false,
+    "description": "",
+    "entityid": "",
+    "identityProviderIds": [],
+    "metaDataFields": {},
+    "name": "",
+    "serviceProviderIds": [],
+    "type": "reg"
+}

server/src/main/java/access/api/ManageController.java

@@ -103,12 +103,11 @@ public ResponseEntity<List<Map<String, Object>>> policies(User user,
         //We can't use any cache as this method is called right after automatic connection allowed
         Map<String, Object> identityProvider = manage.providerById(EntityType.saml20_idp, institution.getManageIdentifier(), Environment.PROD);
         Map<String, Object> data = getData(identityProvider);
-        List<String> allowedEntities = ((List<Map<String, String>>) data.getOrDefault("allowedEntities", List.of()))
+        boolean noneMatch = ((List<Map<String, String>>) data.getOrDefault("allowedEntities", List.of()))
                 .stream()
-                .map(allowedEntity -> allowedEntity.get("name"))
-                .toList();
+                .noneMatch(allowedEntity -> allowedEntity.get("name").equals(entityId));
 
-        if (!allowedEntities.contains(entityId)) {
+        if (noneMatch) {
             throw new UserRestrictionException(String.format("User %s is not allowed to request policies for %s",
                     user.getEmail(), entityId));
         }

server/src/main/java/access/manage/LocalManage.java

@@ -7,6 +7,7 @@
 import lombok.SneakyThrows;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.DefaultResourceLoader;
 import org.springframework.core.io.Resource;
 import org.springframework.util.StringUtils;
@@ -28,6 +29,7 @@ public final class LocalManage implements Manage {
     private final DefaultResourceLoader defaultResourceLoader = new DefaultResourceLoader();
     private final ConnectionProviderConverter converter;
     private final ObjectMapper objectMapper;
+    private final Map<String, Map<String, Object>> policies = new HashMap<>();
 
     public LocalManage(ConnectionProviderConverter converter, ObjectMapper objectMapper, String staticManageDirectory) {
         this.converter = converter;
@@ -262,6 +264,32 @@ public List<Map<String, Object>> policiesByServiceProvider(String identityProvid
                 .toList();
     }
 
+    @Override
+    public Map<String, Object> createPolicy(Map<String, Object> policy) {
+        String id = UUID.randomUUID().toString();
+        policy.put("id", id);
+        policies.put(id, policy);
+        return policy;
+    }
+
+    @Override
+    public Map<String, Object> updatePolicy(Map<String, Object> policy) {
+        policies.put((String) policy.get("id"), policy);
+        return policy;
+    }
+
+    @SneakyThrows
+    @Override
+    public List<Map<String, String>> allowedAttributes() {
+        return objectMapper.readValue(new ClassPathResource("/manage/allowed_attributes.json").getInputStream(), new TypeReference<>() {
+        });
+    }
+
+    @Override
+    public void deletePolicy(Map<String, Object> policy) {
+        policies.remove((String) policy.get("id"));
+    }
+
     @Override
     public void connectWithoutInteraction(Map<String, Object> identityProvider, Map<String, Object> serviceProvider, User currentUser) {
         //nope

server/src/main/java/access/manage/Manage.java

@@ -49,6 +49,14 @@ public interface Manage {
     List<Map<String, Object>> policiesByServiceProvider(String identityProviderEntityId,
                                                         String serviceProviderEntityId);
 
+    Map<String, Object> createPolicy(Map<String, Object> policy);
+
+    Map<String, Object> updatePolicy(Map<String, Object> policy);
+
+    List<Map<String, String>> allowedAttributes();
+
+    void deletePolicy(Map<String, Object> policy);
+
     void connectWithoutInteraction(Map<String, Object> identityProvider, Map<String, Object> serviceProvider, User currentUser);
 
     default Map<String, Object> sanitizeProvider(Map<String, Object> provider) {

server/src/main/java/access/manage/RemoteManage.java

@@ -363,6 +363,38 @@ public List<Map<String, Object>> policiesByServiceProvider(String identityProvid
         return restTemplate.postForEntity(url, query, List.class).getBody();
     }
 
+    @Override
+    public Map<String, Object> createPolicy(Map<String, Object> policy) {
+        RestTemplate restTemplate = environmentRestTemplate(Environment.PROD);
+        String url = String.format("%s/manage/api/internal/internal/metadata",
+                environmentUrl(Environment.PROD));
+        return restTemplate.postForEntity(url, policy, Map.class).getBody();
+    }
+
+    @Override
+    public Map<String, Object> updatePolicy(Map<String, Object> policy) {
+        RestTemplate restTemplate = environmentRestTemplate(Environment.PROD);
+        String url = String.format("%s/manage/api/internal/internal/metadata",
+                environmentUrl(Environment.PROD));
+        return restTemplate.exchange(url, HttpMethod.PUT, new HttpEntity<>(policy), Map.class).getBody();
+    }
+
+    @Override
+    public List<Map<String, String>> allowedAttributes() {
+        RestTemplate restTemplate = environmentRestTemplate(Environment.PROD);
+        String url = String.format("%s/manage/api/internal/protected/allowed-attributes",
+                environmentUrl(Environment.PROD));
+        return restTemplate.getForObject(url, List.class);
+    }
+
+    @Override
+    public void deletePolicy(Map<String, Object> policy) {
+        RestTemplate restTemplate = environmentRestTemplate(Environment.PROD);
+        String url = String.format("%s/manage/api/internal/internal/metadata/%s/%s",
+                environmentUrl(Environment.PROD), EntityType.policy.name(), policy.get("id"));
+        restTemplate.delete(url);
+    }
+
     @Override
     public void connectWithoutInteraction(Map<String, Object> identityProvider, Map<String, Object> serviceProvider, User user) {
         RestTemplate restTemplate = environmentRestTemplate(Environment.PROD);

server/src/main/resources/manage/allowed_attributes.json

@@ -0,0 +1,56 @@
+[
+  {
+    "value": "urn:mace:terena.org:attribute-def:schacHomeOrganization",
+    "validationRegex": "^[a-z]+(\\.[a-z]+)+$",
+    "allowedInDenyRule": true,
+    "label": "Schac home organization"
+  },
+  {
+    "value": "urn:mace:terena.org:attribute-def:schacHomeOrganizationType",
+    "validationRegex": "^[a-z]+$",
+    "allowedInDenyRule": true,
+    "label": "Schac home organization type"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:eduPersonAffiliation",
+    "validationRegex": "^(student|staff|faculty|employee|member)$",
+    "allowedInDenyRule": true,
+    "label": "Edu person affiliation"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
+    "validationRegex": "^(student|staff|faculty|employee|member)@[a-z]+(\\.[a-z]+)+$",
+    "allowedInDenyRule": true,
+    "label": "Edu person scoped affiliation"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:eduPersonEntitlement",
+    "validationRegex": "^[a-z]+$",
+    "allowedInDenyRule": true,
+    "label": "Edu person entitlement"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:isMemberOf",
+    "validationRegex": "^.*$",
+    "allowedInDenyRule": true,
+    "label": "Is-member-of"
+  },
+  {
+    "value": "urn:collab:group:surfteams.nl",
+    "validationRegex": "^(urn:mace:surf\\.nl:invite:|urn:collab:group:)[a-z0-9_]+$",
+    "allowedInDenyRule": false,
+    "label": "SURFconext Invite (voot) role urn"
+  },
+  {
+    "value": "urn:collab:sab:surfnet.nl",
+    "validationRegex": "^(Superuser|Instellingsbevoegde|OperationeelBeheerder|SURFconextbeheerder|DNS-Beheerder)$",
+    "allowedInDenyRule": false,
+    "label": "SAB role"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:mail",
+    "validationRegex": "^[^@]+@[^@]+\\.[^@]+$",
+    "allowedInDenyRule": true,
+    "label": "Mail address"
+  }
+]

server/src/test/java/access/api/ManageControllerTest.java

@@ -4,19 +4,15 @@
 import access.AccessCookieFilter;
 import access.model.EntityType;
 import access.model.Environment;
-import access.model.Institution;
 import access.security.InstitutionAdmin;
 import com.nimbusds.jose.util.IOUtils;
 import io.restassured.common.mapper.TypeRef;
 import io.restassured.http.ContentType;
-import io.restassured.response.Response;
 import lombok.SneakyThrows;
 import org.junit.jupiter.api.Test;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpStatus;
 
-import java.io.Serializable;
-import java.lang.reflect.Type;
 import java.util.List;
 import java.util.Map;
 
@@ -109,7 +105,10 @@ void policyByServiceProvider() {
         AccessCookieFilter accessCookieFilter = mockLoginFlow(attributes);
 
         String serviceProviderEntityId = "https://network";
+        //Stub the actual call to fetch the policies for a SP
         this.stubForPolicyByServiceProvider("http://mock-idp", serviceProviderEntityId);
+        //The IdP is fetched to check the allowed entities
+        this.stubForGetProvider(EntityType.saml20_idp, "7", Environment.PROD);
 
         List<Map<String, Object>> policies = given()
                 .when()
@@ -119,7 +118,8 @@ void policyByServiceProvider() {
                 .contentType(ContentType.JSON)
                 .queryParam("entityId", serviceProviderEntityId)
                 .get("/api/v1/manage/policies")
-                .as(new TypeRef<>() {});
+                .as(new TypeRef<>() {
+                });
         assertEquals(1, policies.size());
     }