City-of-Helsinki
diff --git a/‎services/hanke-service/build.gradle.kts‎
Lines changed: 5 additions & 1 deletion b/‎services/hanke-service/build.gradle.kts‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/IntegrationTestConfiguration.kt‎
Lines changed: 0 additions & 3 deletions b/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/IntegrationTestConfiguration.kt‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/profiili/ProfiiliClientITest.kt‎
Lines changed: 23 additions & 0 deletions b/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/profiili/ProfiiliClientITest.kt‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/profiili/ProfiiliControllerITest.kt‎
Lines changed: 12 additions & 1 deletion b/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/profiili/ProfiiliControllerITest.kt‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/security/LogoutServiceITest.kt‎
Lines changed: 5 additions & 4 deletions b/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/security/LogoutServiceITest.kt‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/security/UserSessionServiceITest.kt‎
Lines changed: 47 additions & 19 deletions b/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/security/UserSessionServiceITest.kt‎
Lines changed: 47 additions & 19 deletions
diff --git a/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/testdata/TestDataControllerEnabledITest.kt‎
Lines changed: 13 additions & 0 deletions b/‎services/hanke-service/src/integrationTest/kotlin/fi/hel/haitaton/hanke/testdata/TestDataControllerEnabledITest.kt‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎services/hanke-service/src/main/kotlin/fi/hel/haitaton/hanke/HankeError.kt‎
Lines changed: 2 additions & 0 deletions b/‎services/hanke-service/src/main/kotlin/fi/hel/haitaton/hanke/HankeError.kt‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎services/hanke-service/src/main/kotlin/fi/hel/haitaton/hanke/profiili/ProfiiliClient.kt‎
Lines changed: 13 additions & 1 deletion b/‎services/hanke-service/src/main/kotlin/fi/hel/haitaton/hanke/profiili/ProfiiliClient.kt‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎services/hanke-service/src/main/kotlin/fi/hel/haitaton/hanke/profiili/ProfiiliController.kt‎
Lines changed: 25 additions & 5 deletions b/‎services/hanke-service/src/main/kotlin/fi/hel/haitaton/hanke/profiili/ProfiiliController.kt‎
Lines changed: 25 additions & 5 deletions
@@ -137,7 +137,11 @@ dependencies {
     annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")
 }
 
-tasks.withType<KotlinCompile> { compilerOptions { freeCompilerArgs = listOf("-Xjsr305=strict") } }
+tasks.withType<KotlinCompile> {
+    compilerOptions {
+        freeCompilerArgs = listOf("-Xjsr305=strict", "-Xannotation-default-target=param-property")
+    }
+}
 
 kotlin { jvmToolchain { languageVersion.set(JavaLanguageVersion.of(21)) } }
 
 
@@ -31,7 +31,6 @@ import fi.hel.haitaton.hanke.profiili.ProfiiliClient
 import fi.hel.haitaton.hanke.profiili.ProfiiliService
 import fi.hel.haitaton.hanke.security.AccessRules
 import fi.hel.haitaton.hanke.security.LogoutService
-import fi.hel.haitaton.hanke.security.UserSessionCache
 import fi.hel.haitaton.hanke.security.UserSessionRepository
 import fi.hel.haitaton.hanke.security.UserSessionService
 import fi.hel.haitaton.hanke.taydennys.TaydennysAuthorizer
@@ -142,8 +141,6 @@ class IntegrationTestConfiguration {
 
     @Bean fun tormaystarkasteluLaskentaService(): TormaystarkasteluLaskentaService = mockk()
 
-    @Bean fun userSessionCache(): UserSessionCache = mockk(relaxed = true)
-
     @Bean fun userSessionRepository(): UserSessionRepository = mockk()
 
     @Bean fun userSessionService(): UserSessionService = mockk()
 
@@ -124,6 +124,29 @@ class ProfiiliClientITest {
             assertThat(request.headers["Accept"]).isEqualTo(MediaType.APPLICATION_JSON_VALUE)
         }
 
+        @Test
+        fun `throws exception when unauthorized`() {
+            mockApiTokensApi.enqueue(
+                MockResponse.Builder()
+                    .code(401)
+                    .setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
+                    .body(
+                        "{\"error\":\"invalid_grant\",\"error_description\":\"Invalid bearer token\"}"
+                    )
+                    .build()
+            )
+
+            val failure = assertFailure { profiiliClient.getVerifiedName(ACCESS_TOKEN) }
+
+            failure.all {
+                hasClass(UnauthorizedException::class)
+                messageContains("Profiili API token request was unauthorized.")
+                messageContains("invalid_grant")
+                messageContains("Invalid bearer token")
+            }
+            assertThat(mockApiTokensApi.requestCount).isEqualTo(1)
+        }
+
         @Test
         fun `throws exception when API tokens not found`() {
             mockApiTokensApi.enqueue(MockResponse.Builder().code(404).build())
 
@@ -68,7 +68,18 @@ class ProfiiliControllerITest(@Autowired override val mockMvc: MockMvc) : Contro
         }
 
         @Test
-        fun `returns 404 when profiili client throws expected exception`() {
+        fun `returns 401 when profiili client throws unauthorized exception`() {
+            every { profiiliService.getVerifiedName(any()) } throws
+                UnauthorizedException("Because of reasons.")
+
+            get(url).andExpect(MockMvcResultMatchers.status().isUnauthorized)
+
+            verifyAll { profiiliService.getVerifiedName(any()) }
+            verify { disclosureLogService wasNot Called }
+        }
+
+        @Test
+        fun `returns 404 when profiili client throws not found exception`() {
             every { profiiliService.getVerifiedName(any()) } throws
                 VerifiedNameNotFound("Because of reasons.")
 
 
@@ -1,7 +1,6 @@
 package fi.hel.haitaton.hanke.security
 
 import assertk.assertThat
-import assertk.assertions.isEmpty
 import assertk.assertions.isEqualTo
 import com.nimbusds.jose.JWSAlgorithm
 import com.nimbusds.jose.JWSHeader
@@ -52,7 +51,7 @@ class LogoutServiceITest(
     }
 
     @Test
-    fun `deletes matching user session`() {
+    fun `terminates matching user session`() {
         userSessionRepository.save(
             UserSessionEntity(subject = SUB, sessionId = SID, createdAt = Instant.now())
         )
@@ -61,7 +60,9 @@ class LogoutServiceITest(
 
         logoutService.logout(logoutToken)
 
-        assertThat(userSessionRepository.findAll()).isEmpty()
+        val session = userSessionRepository.findAll().single()
+        assertThat(session.sessionId).isEqualTo(SID)
+        assertThat(session.terminated).isEqualTo(true)
     }
 
     @Test
@@ -128,7 +129,7 @@ class LogoutServiceITest(
         iat: Instant? = Instant.now(),
         exp: Instant? = Instant.now().plusSeconds(60),
         jti: String? = "id",
-        events: Map<String, Any>? = mapOf(BACKCHANNEL_LOGOUT_EVENT to "{}"),
+        events: Map<String, Any>? = mapOf(BACKCHANNEL_LOGOUT_EVENT to emptyMap<String, Any>()),
         sid: String? = "session-id",
         nonce: String? = null,
     ): JWTClaimsSet =
 
@@ -24,12 +24,13 @@ class UserSessionServiceITest(
                 UserSessionEntity(
                     subject = "subject",
                     sessionId = UUID.randomUUID().toString(),
-                    createdAt = Instant.now().minusSeconds(10),
+                    createdAt = Instant.now(),
+                    expiresAt = Instant.now().minusSeconds(10),
                 )
             )
             assertThat(repository.findAll().single().subject).isEqualTo("subject")
 
-            service.cleanupExpiredSessions(5)
+            service.cleanupExpiredSessions()
 
             assertThat(repository.findAll()).isEmpty()
         }
@@ -40,50 +41,77 @@ class UserSessionServiceITest(
                 UserSessionEntity(
                     subject = "subject",
                     sessionId = UUID.randomUUID().toString(),
-                    createdAt = Instant.now().plusSeconds(60),
+                    createdAt = Instant.now(),
+                    expiresAt = Instant.now().plusSeconds(60),
                 )
             )
             assertThat(repository.findAll().single().subject).isEqualTo("subject")
 
-            service.cleanupExpiredSessions(5)
+            service.cleanupExpiredSessions()
 
             assertThat(repository.findAll().single().subject).isEqualTo("subject")
         }
     }
 
     @Nested
-    inner class SaveSessionIfNotExists {
+    inner class ValidateAndSaveSession {
 
         @Test
-        fun `saves non-existing session`() {
-            service.saveSessionIfNotExists(
-                subject = "subject",
-                sessionId = UUID.randomUUID().toString(),
-                createdAt = Instant.now(),
+        fun `returns true when session exists and is not terminated`() {
+            val sessionId = UUID.randomUUID().toString()
+            val expiresAt = Instant.now().plusSeconds(3600)
+            repository.save(
+                UserSessionEntity(
+                    subject = "subject",
+                    sessionId = sessionId,
+                    createdAt = Instant.now(),
+                    expiresAt = expiresAt,
+                    terminated = false,
+                )
             )
 
-            assertThat(repository.findAll().single().subject).isEqualTo("subject")
+            val isValid =
+                service.validateAndSaveSession("subject", sessionId, Instant.now(), expiresAt)
+
+            assertThat(isValid).isEqualTo(true)
         }
 
         @Test
-        fun `does not save existing session`() {
+        fun `returns true and saves new session`() {
             val sessionId = UUID.randomUUID().toString()
+            // Truncate to microseconds to match PostgreSQL TIMESTAMP precision
+            val expiresAt =
+                Instant.now().plusSeconds(3600).truncatedTo(java.time.temporal.ChronoUnit.MICROS)
+            assertThat(repository.findAll()).isEmpty()
+
+            val isValid =
+                service.validateAndSaveSession("subject", sessionId, Instant.now(), expiresAt)
+
+            assertThat(isValid).isEqualTo(true)
+            val saved = repository.findAll().single()
+            assertThat(saved.sessionId).isEqualTo(sessionId)
+            assertThat(saved.expiresAt).isEqualTo(expiresAt)
+            assertThat(saved.terminated).isEqualTo(false)
+        }
+
+        @Test
+        fun `returns false when session is terminated`() {
+            val sessionId = UUID.randomUUID().toString()
+            val expiresAt = Instant.now().plusSeconds(3600)
             repository.save(
                 UserSessionEntity(
                     subject = "subject",
                     sessionId = sessionId,
                     createdAt = Instant.now(),
+                    expiresAt = expiresAt,
+                    terminated = true,
                 )
             )
-            assertThat(repository.findAll().single().subject).isEqualTo("subject")
 
-            service.saveSessionIfNotExists(
-                subject = "subject",
-                sessionId = sessionId,
-                createdAt = Instant.now(),
-            )
+            val isValid =
+                service.validateAndSaveSession("subject", sessionId, Instant.now(), expiresAt)
 
-            assertThat(repository.findAll().single().subject).isEqualTo("subject")
+            assertThat(isValid).isEqualTo(false)
         }
     }
 }
@@ -129,4 +129,17 @@ class TestDataControllerEnabledITest(@Autowired override val mockMvc: MockMvc) :
             verify { testDataService wasNot Called }
         }
     }
+
+    @Nested
+    inner class TerminateCurrentSession {
+        private val url = "$BASE_URL/terminate-session"
+
+        @Test
+        @WithAnonymousUser
+        fun `returns 401 when not authenticated`() {
+            delete(url).andExpect(MockMvcResultMatchers.status().isUnauthorized)
+
+            verify { testDataService wasNot Called }
+        }
+    }
 }
@@ -13,6 +13,7 @@ enum class HankeError(val errorMessage: String) {
     HAI0003("Invalid data"),
     HAI0004("Resource does not exist"),
     HAI0005("Insufficient permissions"),
+    HAI0006("Session terminated"),
     HAI1001("Hanke not found"),
     HAI1002("Invalid Hanke data"),
     HAI1003("Internal error while saving Hanke"),
@@ -57,6 +58,7 @@ enum class HankeError(val errorMessage: String) {
     HAI4005("Could not verify user identity"),
     HAI4006("Duplicate hankekayttaja"),
     HAI4007("Verified name not found in Profiili"),
+    HAI4008("Verified name call was unauthorized"),
     HAI5001("Decision not found"),
     HAI6001("Taydennys not found"),
     HAI6002("Taydennys has no changes"),
 
@@ -7,12 +7,14 @@ import mu.KotlinLogging
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.context.annotation.Profile
 import org.springframework.core.ParameterizedTypeReference
+import org.springframework.http.HttpStatus
 import org.springframework.http.MediaType
 import org.springframework.stereotype.Component
 import org.springframework.web.reactive.function.BodyInserters
 import org.springframework.web.reactive.function.client.WebClient
 import org.springframework.web.reactive.function.client.WebClientResponseException
 import org.springframework.web.reactive.function.client.body
+import org.springframework.web.reactive.function.client.bodyToMono
 import reactor.core.publisher.Mono
 
 private val logger = KotlinLogging.logger {}
@@ -73,6 +75,13 @@ class ProfiiliClient(
                     .with("permission", TOKEN_API_PERMISSION)
             )
             .retrieve()
+            // handle 401 errors specifically to give a more informative error message
+            .onStatus({ responseStatus -> responseStatus == HttpStatus.UNAUTHORIZED }) { response ->
+                response.bodyToMono<String>().flatMap { body ->
+                    logger.error { "Error from Profiili API call. Response status=401, body=$body" }
+                    Mono.error(UnauthorizedException(body))
+                }
+            }
             .bodyToMono(JsonNode::class.java)
             .doOnError(WebClientResponseException::class.java) { ex ->
                 logger.error {
@@ -83,7 +92,7 @@ class ProfiiliClient(
     }
 
     private fun getTokenApiUrl(): String {
-        logger.info { "Loading Profiili token URI from OpenID configuration.." }
+        logger.info { "Loading Profiili token URI from OpenID configuration..." }
         val configurationUri = "$issuer/.well-known/openid-configuration"
 
         val conf =
@@ -130,5 +139,8 @@ class ProfiiliClient(
 class VerifiedNameNotFound(reason: String) :
     RuntimeException("Verified name of user could not be obtained. $reason")
 
+class UnauthorizedException(reason: String) :
+    RuntimeException("Profiili API token request was unauthorized. $reason")
+
 class ProfiiliConfigurationError(reason: String, cause: Exception? = null) :
     RuntimeException("Error in Profiili API connection: $reason", cause)
@@ -8,6 +8,7 @@ import io.swagger.v3.oas.annotations.Parameter
 import io.swagger.v3.oas.annotations.media.Content
 import io.swagger.v3.oas.annotations.media.Schema
 import io.swagger.v3.oas.annotations.responses.ApiResponse
+import io.swagger.v3.oas.annotations.responses.ApiResponses
 import io.swagger.v3.oas.annotations.security.SecurityRequirement
 import mu.KotlinLogging
 import org.springframework.http.HttpStatus
@@ -28,16 +29,35 @@ class ProfiiliController(private val profiiliService: ProfiiliService) {
 
     @GetMapping("/verified-name")
     @Operation(summary = "Get verified name from Profiili")
-    @ApiResponse(description = "Success", responseCode = "200")
-    @ApiResponse(
-        description = "Verification not found.",
-        responseCode = "404",
-        content = [Content(schema = Schema(implementation = HankeError::class))],
+    @ApiResponses(
+        value =
+            [
+                ApiResponse(description = "Success", responseCode = "200"),
+                ApiResponse(
+                    description = "Not authorized.",
+                    responseCode = "401",
+                    content = [Content(schema = Schema(implementation = HankeError::class))],
+                ),
+                ApiResponse(
+                    description = "Verification not found.",
+                    responseCode = "404",
+                    content = [Content(schema = Schema(implementation = HankeError::class))],
+                ),
+            ]
     )
     fun verifiedName(
         @Parameter(hidden = true) @CurrentSecurityContext securityContext: SecurityContext
     ): Names = profiiliService.getVerifiedName(securityContext)
 
+    @ExceptionHandler(UnauthorizedException::class)
+    @ResponseStatus(HttpStatus.UNAUTHORIZED)
+    @Hidden
+    fun unauthorized(ex: UnauthorizedException): HankeError {
+        logger.warn { ex.message }
+        Sentry.captureException(ex)
+        return HankeError.HAI4008
+    }
+
     @ExceptionHandler(VerifiedNameNotFound::class)
     @ResponseStatus(HttpStatus.NOT_FOUND)
     @Hidden
Original file line number	Diff line number	Diff line change
`@@ -129,4 +129,17 @@ class TestDataControllerEnabledITest(@Autowired override val mockMvc: MockMvc) :`
`129`	`129`	`verify { testDataService wasNot Called }`
`130`	`130`	`}`
`131`	`131`	`}`
	`132`	`+`
	`133`	`+ @Nested`
	`134`	`+ inner class TerminateCurrentSession {`
	`135`	`+ private val url = "$BASE_URL/terminate-session"`
	`136`	`+`
	`137`	`+ @Test`
	`138`	`+ @WithAnonymousUser`
	`139`	+ fun `returns 401 when not authenticated`() {
	`140`	`+ delete(url).andExpect(MockMvcResultMatchers.status().isUnauthorized)`
	`141`	`+`
	`142`	`+ verify { testDataService wasNot Called }`
	`143`	`+ }`
	`144`	`+ }`
`132`	`145`	`}`