Merge branch 'develop'

Author: priitr

doc/Configuration.md

@@ -620,7 +620,7 @@ Table 20 - Relevant parameters for enabling/disabling additional OpenID Connect
 | Property        | Mandatory | Description |
 | :---------------- | :---------- | :----------------|
 | `oidc.dynamic-client-registration.enabled` | N | Enables/disables the CAS built-in /oidc/registration endpoint and displays/hides the related information at the /oidc/.well-known/openid-configuration. Defaults to `false`, if not specified. |
-| `oidc.profile-endpoint.enabled` | N | Enables/disables the CAS built-in /oidc/profile endpoint and displays/hides the related information at the /oidc/.well-known/openid-configuration. Defaults to `false`, if not specified. |
+| `oidc.profile-endpoint.enabled` | N | Enables/disables the CAS built-in /oidc/profile endpoint and displays/hides the related information at the /oidc/.well-known/openid-configuration. Defaults to `true`, if not specified. |
 | `oidc.revocation-endpoint.enabled` | N | Enables/disables the CAS built-in /oidc/revocation endpoint and displays/hides the related information at the /oidc/.well-known/openid-configuration. Defaults to `false`, if not specified. |
 | `oidc.introspection-endpoint.enabled` | N | Enables/disables the CAS built-in /oidc/introspection endpoint and displays/hides the related information at the /oidc/.well-known/openid-configuration. Defaults to `false`, if not specified. |
 

pom.xml

@@ -6,7 +6,7 @@
     <groupId>ee.ria.tara</groupId>
     <artifactId>tara-server</artifactId>
     <packaging>war</packaging>
-    <version>1.4.1</version>
+    <version>1.4.2</version>
 
     <properties>
         <cas.version>5.3.7</cas.version>
@@ -401,6 +401,12 @@
             <version>1.4.0</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apereo.cas</groupId>
+            <artifactId>cas-server-core-cookie</artifactId>
+            <version>${cas.version}</version>
+            <scope>test</scope>
+        </dependency>
 
     </dependencies>
 

src/main/java/ee/ria/sso/authentication/TaraAuthenticationHandler.java

@@ -13,9 +13,7 @@
 import org.springframework.util.Assert;
 
 import java.security.GeneralSecurityException;
-import java.util.ArrayList;
-import java.util.LinkedHashMap;
-import java.util.Map;
+import java.util.*;
 
 import static ee.ria.sso.authentication.principal.TaraPrincipal.Attribute.*;
 
@@ -42,7 +40,7 @@ protected AuthenticationHandlerExecutionResult doAuthentication(Credential crede
                 principalAttributes.put(EMAIL_VERIFIED.name(), ((IdCardCredential)taraCredential).getEmailVerified());
             } else if (credential instanceof EidasCredential) {
                 principalAttributes.put(DATE_OF_BIRTH.name(), ((EidasCredential)taraCredential).getDateOfBirth());
-                principalAttributes.put(LEVEL_OF_ASSURANCE.name(), ((EidasCredential)taraCredential).getLevelOfAssurance().getAcrName());
+                principalAttributes.put(ACR.name(),((EidasCredential)taraCredential).getLevelOfAssurance().getAcrName());
             }
 
             return this.createHandlerResult(credential, this.principalFactory
@@ -60,10 +58,10 @@ private Map<String, Object> getMandatoryPrincipalParameters(TaraCredential taraC
         }, "Cannot authenticate without missing mandatory credential parameters! Provided credential: " + taraCredential);
 
         final Map<String, Object> map = new LinkedHashMap<>();
-        map.put(PRINCIPAL_CODE.name(), taraCredential.getPrincipalCode());
+        map.put(SUB.name(), taraCredential.getPrincipalCode());
         map.put(GIVEN_NAME.name(), taraCredential.getFirstName());
         map.put(FAMILY_NAME.name(), taraCredential.getLastName());
-        map.put(AUTHENTICATION_TYPE.name(), taraCredential.getType().getAmrName());
+        map.put(AMR.name(), Arrays.asList(Arrays.asList(taraCredential.getType().getAmrName())));
 
         if (EstonianIdCodeUtil.isEEPrefixedEstonianIdCode(taraCredential.getPrincipalCode())) {
             map.put(DATE_OF_BIRTH.name(), EstonianIdCodeUtil.extractDateOfBirthFromEEPrefixedEstonianIdCode(taraCredential.getPrincipalCode()));

src/main/java/ee/ria/sso/authentication/principal/TaraPrincipal.java

@@ -12,14 +12,14 @@
 public class TaraPrincipal implements Principal {
 
     public enum Attribute {
-        PRINCIPAL_CODE,
+        SUB,
         GIVEN_NAME,
         FAMILY_NAME,
-        AUTHENTICATION_TYPE,
         DATE_OF_BIRTH,
+        AMR,
         EMAIL,
         EMAIL_VERIFIED,
-        LEVEL_OF_ASSURANCE;
+        ACR;
     }
 
     private String id;

src/main/java/ee/ria/sso/authentication/principal/TaraPrincipalFactory.java

@@ -4,9 +4,12 @@
 import lombok.NoArgsConstructor;
 import org.apereo.cas.authentication.principal.Principal;
 import org.apereo.cas.authentication.principal.PrincipalFactory;
+import org.apereo.cas.ticket.TicketGrantingTicket;
 import org.springframework.util.Assert;
 
+import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 @NoArgsConstructor
 @EqualsAndHashCode
@@ -23,4 +26,24 @@ public Principal createPrincipal(String id, Map<String, Object> attributes) {
         Assert.notEmpty(attributes, "No attributes found when creating principal");
         return new TaraPrincipal(id, attributes);
     }
+
+    public static Principal createPrincipal(TicketGrantingTicket tgt) {
+        Assert.notNull(tgt, "TGT cannot be null!");
+        final Principal principal = tgt.getAuthentication().getPrincipal();
+        Assert.notNull(tgt, "No authentication associated with TGT!");
+
+        Map<String, Object> attributes = principal.getAttributes()
+                .entrySet()
+                .stream()
+                .filter(
+                        entry -> entry.getValue() instanceof List
+                                && !((List)entry.getValue()).isEmpty()
+                ).collect(
+                        Collectors.toMap(
+                                entry -> entry.getKey().toLowerCase(),
+                                entry -> ((List)entry.getValue()).stream().findFirst().get()
+                        )
+                );
+        return new TaraPrincipal(principal.getId(), attributes);
+    }
 }

src/main/java/ee/ria/sso/config/TaraOidcConfiguration.java

@@ -32,6 +32,7 @@
 import org.apereo.cas.support.oauth.web.response.accesstoken.ext.BaseAccessTokenGrantRequestExtractor;
 import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
 import org.apereo.cas.support.oauth.web.views.ConsentApprovalViewResolver;
+import org.apereo.cas.support.oauth.web.views.OAuth20UserProfileViewRenderer;
 import org.apereo.cas.ticket.ExpirationPolicy;
 import org.apereo.cas.ticket.UniqueTicketIdGenerator;
 import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;

src/main/java/ee/ria/sso/flow/AbstractFlowExecutionException.java

@@ -12,7 +12,7 @@
 
 public abstract class AbstractFlowExecutionException extends ActionExecutionException {
 
-    protected final ModelAndView modelAndView;
+    protected final transient ModelAndView modelAndView;
 
     public AbstractFlowExecutionException(String flowId, ModelAndView modelAndView, Exception e) {
         super(flowId, null, null, new LocalAttributeMap(), e);

src/main/java/ee/ria/sso/oidc/TaraOidcIdTokenGeneratorService.java

@@ -1,7 +1,7 @@
 package ee.ria.sso.oidc;
 
-import ee.ria.sso.authentication.AuthenticationType;
 import ee.ria.sso.authentication.principal.TaraPrincipal;
+import ee.ria.sso.authentication.principal.TaraPrincipalFactory;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.codec.digest.MessageDigestAlgorithms;
@@ -18,7 +18,6 @@
 import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
 import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
 import org.apereo.cas.ticket.accesstoken.AccessToken;
-import org.apereo.cas.util.CollectionUtils;
 import org.apereo.cas.util.DigestUtils;
 import org.apereo.cas.util.EncodingUtils;
 import org.apereo.cas.util.Pac4jUtils;
@@ -33,7 +32,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.util.*;
-import java.util.stream.Collectors;
 
 import static ee.ria.sso.authentication.principal.TaraPrincipal.Attribute.*;
 
@@ -47,9 +45,9 @@ public class TaraOidcIdTokenGeneratorService extends OidcIdTokenGeneratorService
     public static final String CLAIM_EMAIL = "email";
     public static final String CLAIM_EMAIL_VERIFIED = "email_verified";
 
-    private static final List<TaraPrincipal.Attribute> validProfileAttributesToClaimsList = Arrays.asList(
+    public static final List<TaraPrincipal.Attribute> validProfileAttributesToClaimsList = Collections.unmodifiableList(Arrays.asList(
         FAMILY_NAME, GIVEN_NAME, DATE_OF_BIRTH
-    );
+    ));
 
     public TaraOidcIdTokenGeneratorService(final CasConfigurationProperties casProperties,
                                            final OidcIdTokenSigningAndEncryptionService signingService,
@@ -105,10 +103,7 @@ protected JwtClaims produceIdTokenClaims(final HttpServletRequest request,
         claims.setJwtId(UUID.randomUUID().toString());
         claims.setIssuer(oidc.getIssuer());
         claims.setAudience(service.getClientId());
-
-        final NumericDate expirationDate = NumericDate.now();
-        expirationDate.addSeconds(timeoutInSeconds);
-        claims.setExpirationTime(expirationDate);
+        claims.setExpirationTime( getExpirationDate(timeoutInSeconds));
         claims.setIssuedAtToNow();
         claims.setNotBeforeMinutesInThePast(oidc.getSkew());
 
@@ -117,59 +112,43 @@ protected JwtClaims produceIdTokenClaims(final HttpServletRequest request,
         claims.setClaim(OAuth20Constants.STATE, authentication.getAttributes().get(OAuth20Constants.STATE));
         claims.setClaim(OAuth20Constants.NONCE, authentication.getAttributes().get(OAuth20Constants.NONCE));
         claims.setClaim(OidcConstants.CLAIM_AT_HASH, generateAccessTokenHash(accessTokenId));
-
         return claims;
     }
 
-    private void setTaraClaims(AccessToken accessTokenId, JwtClaims claims) {
-        Assert.notNull(accessTokenId.getTicketGrantingTicket(), "No TGT associated with this access token!");
-        Assert.notNull(accessTokenId.getTicketGrantingTicket().getAuthentication(), "No authentication associated with this TGT!");
 
-        Principal taraPrincipal = accessTokenId.getTicketGrantingTicket().getAuthentication().getPrincipal();
-        claims.setSubject(getMandatoryPrincipalAttribute(PRINCIPAL_CODE, taraPrincipal));
+    private void setTaraClaims(AccessToken accessToken, JwtClaims claims) {
+        Assert.notNull(accessToken.getTicketGrantingTicket(), "No TGT associated with this access token!");
+        Assert.notNull(accessToken.getTicketGrantingTicket().getAuthentication(), "No authentication associated with this TGT!");
+        Principal taraPrincipal = TaraPrincipalFactory.createPrincipal(accessToken.getTicketGrantingTicket());
 
-        if (isEmailClaimsRequested(taraPrincipal)) {
-            claims.setStringClaim(CLAIM_EMAIL, getMandatoryPrincipalAttribute(TaraPrincipal.Attribute.EMAIL, taraPrincipal));
-            claims.setClaim(CLAIM_EMAIL_VERIFIED, getMandatoryPrincipalAttribute(TaraPrincipal.Attribute.EMAIL_VERIFIED, taraPrincipal, Boolean.class));
+        claims.setSubject(getAttributeValue(SUB, taraPrincipal));
+
+        if (taraPrincipal.getAttributes().containsKey(EMAIL.name()) && taraPrincipal.getAttributes().containsKey(EMAIL_VERIFIED.name())) {
+            claims.setStringClaim(CLAIM_EMAIL, getAttributeValue(EMAIL, taraPrincipal));
+            claims.setClaim(CLAIM_EMAIL_VERIFIED, getAttributeValue(EMAIL_VERIFIED, taraPrincipal, Boolean.class));
         }
 
         claims.setClaim(CLAIM_PROFILE_ATTRIBUTES, getProfileAttributesMap(taraPrincipal));
-        claims.setStringListClaim(OidcConstants.AMR, getAmrValuesList(taraPrincipal));
+        claims.setStringListClaim(OidcConstants.AMR, getAttributeValue(AMR, taraPrincipal, List.class));
 
-        if (isOfAuthenticationType(taraPrincipal, AuthenticationType.eIDAS)) {
-            String levelOfAssurance = getMandatoryPrincipalAttribute(LEVEL_OF_ASSURANCE, taraPrincipal);
-            claims.setStringClaim(OidcConstants.ACR, levelOfAssurance);
+        if (taraPrincipal.getAttributes().containsKey(ACR.name())) {
+            claims.setStringClaim(OidcConstants.ACR, getAttributeValue(ACR, taraPrincipal));
         }
     }
 
-    private boolean isEmailClaimsRequested(Principal taraPrincipal) {
-        return taraPrincipal.getAttributes().get(TaraPrincipal.Attribute.EMAIL.name()) != null;
-    }
-
     private Map<String, Object> getProfileAttributesMap(Principal principal) {
         final Map<String, Object> principalAttributes = principal.getAttributes();
         final Map<String, Object> profileAttributes = new TreeMap(String.CASE_INSENSITIVE_ORDER);
 
         validProfileAttributesToClaimsList.forEach(key -> {
             Object value = principalAttributes.get(key.name().toLowerCase());
             if (value != null)
-                profileAttributes.put(key.name().toLowerCase(), ((List)value).get(0));
+                profileAttributes.put(key.name().toLowerCase(), value);
         });
 
         return profileAttributes;
     }
 
-    private static boolean isOfAuthenticationType(Principal principal, AuthenticationType type) {
-        String authenticationType = getMandatoryPrincipalAttribute(AUTHENTICATION_TYPE, principal);
-        return type.getAmrName().equals(authenticationType);
-    }
-
-    private List<String> getAmrValuesList(Principal principal) {
-        String authenticationType = getMandatoryPrincipalAttribute(AUTHENTICATION_TYPE, principal);
-        return CollectionUtils.toCollection(authenticationType).stream()
-                .map(e -> e.toString()).collect(Collectors.toList());
-    }
-
     private String generateAccessTokenHash(final AccessToken accessTokenId) {
         final byte[] tokenBytes = accessTokenId.getId().getBytes();
         final String hashAlg;
@@ -189,18 +168,20 @@ private String generateAccessTokenHash(final AccessToken accessTokenId) {
         return EncodingUtils.encodeBase64(hashBytesLeftHalf);
     }
 
-    private static String getMandatoryPrincipalAttribute(TaraPrincipal.Attribute attribute, Principal principal) {
-        return getMandatoryPrincipalAttribute(attribute, principal, String.class);
+    private static String getAttributeValue(TaraPrincipal.Attribute attribute, Principal principal) {
+        return getAttributeValue(attribute, principal, String.class);
     }
 
-    private static <T> T getMandatoryPrincipalAttribute(TaraPrincipal.Attribute attribute, Principal principal, Class<T> clazz) {
+    private static <T> T getAttributeValue(TaraPrincipal.Attribute attribute, Principal principal, Class<T> clazz) {
         String attributeName = attribute.name();
         Assert.notNull(principal.getAttributes().get(attributeName), "Mandatory attribute " + attributeName + " not found when generating OIDC token");
-        List list = ((List)(principal.getAttributes().get(attributeName)));
-        Assert.isTrue(list.size() == 1, "Expected a single profile attribute. Found " + list.size());
-        Object o = list.get(0);
-        Assert.isTrue(o.getClass().isAssignableFrom(clazz), "Cannot assign principal value of type " + o.getClass() + " to " + clazz);
-        return (T)o;
+        return (T)principal.getAttributes().get(attributeName);
+    }
+
+    private NumericDate getExpirationDate(long timeoutInSeconds) {
+        final NumericDate expirationDate = NumericDate.now();
+        expirationDate.addSeconds(timeoutInSeconds);
+        return expirationDate;
     }
 }
 

src/main/java/ee/ria/sso/oidc/TaraOidcUserProfileDataCreator.java

@@ -0,0 +1,37 @@
+package ee.ria.sso.oidc;
+
+import ee.ria.sso.authentication.principal.TaraPrincipalFactory;
+import lombok.extern.slf4j.Slf4j;
+import org.apereo.cas.authentication.principal.Principal;
+import org.apereo.cas.oidc.OidcConstants;
+import org.apereo.cas.support.oauth.profile.OAuth20UserProfileDataCreator;
+import org.apereo.cas.ticket.accesstoken.AccessToken;
+import org.apereo.inspektr.audit.annotation.Audit;
+import org.pac4j.core.context.J2EContext;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+
+
+@Slf4j
+public class TaraOidcUserProfileDataCreator implements OAuth20UserProfileDataCreator {
+
+    @Override
+    @Audit(action = "OAUTH2_USER_PROFILE_DATA",
+            actionResolverName = "OAUTH2_USER_PROFILE_DATA_ACTION_RESOLVER",
+            resourceResolverName = "OAUTH2_USER_PROFILE_DATA_RESOURCE_RESOLVER")
+    public Map<String, Object> createFrom(final AccessToken accessToken, final J2EContext context) {
+        Principal principal = TaraPrincipalFactory.createPrincipal(accessToken.getTicketGrantingTicket());
+
+        final Map<String, Object> map = new LinkedHashMap<>();
+        for (Map.Entry<String, Object> entry : principal.getAttributes().entrySet()) {
+            map.put(entry.getKey(), entry.getValue());
+        }
+
+        map.put(OidcConstants.CLAIM_AUTH_TIME, accessToken.getTicketGrantingTicket().getAuthentication().getAuthenticationDate().toEpochSecond());
+
+        return map;
+    }
+}
+

src/main/java/org/apereo/cas/oidc/config/OidcConfiguration.java

@@ -5,6 +5,7 @@
 import com.github.benmanes.caffeine.cache.LoadingCache;
 import ee.ria.sso.Constants;
 import ee.ria.sso.config.TaraProperties;
+import ee.ria.sso.oidc.TaraOidcUserProfileDataCreator;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apereo.cas.CentralAuthenticationService;
@@ -403,7 +404,7 @@ discoverySettings, profileScopeToAttributesFilter(),
                 ticketGrantingTicketCookieGenerator.getIfAvailable());
     }
 
-    @ConditionalOnProperty(name = Constants.TARA_OIDC_PROFILE_ENDPOINT_ENABLED)
+    @ConditionalOnProperty(name = Constants.TARA_OIDC_PROFILE_ENDPOINT_ENABLED, matchIfMissing = true)
     @RefreshScope
     @Bean
     public OidcUserProfileEndpointController oidcProfileController() {
@@ -413,12 +414,13 @@ public OidcUserProfileEndpointController oidcProfileController() {
                 profileScopeToAttributesFilter(),
                 casProperties,
                 ticketGrantingTicketCookieGenerator.getIfAvailable(),
-                oauthUserProfileViewRenderer, oidcUserProfileDataCreator());
+                oauthUserProfileViewRenderer,
+                taraOidcUserProfileDataCreator());
     }
 
     @Bean
-    public OAuth20UserProfileDataCreator oidcUserProfileDataCreator() {
-        return new OidcUserProfileDataCreator(servicesManager, profileScopeToAttributesFilter());
+    public OAuth20UserProfileDataCreator taraOidcUserProfileDataCreator() {
+        return new TaraOidcUserProfileDataCreator();
     }
 
     @ConditionalOnMissingBean(name = "oidcAuthorizeController")