Merge pull request #204 from dBucik/embl_lsaai

fix: 🐛 Fix displaying for consent for EMBL

Author: Dominik František Bučík

perun-oidc-server-webapp/src/main/resources/db/mysql/v10.0.0.sql

@@ -0,0 +1 @@
+ALTER TABLE client_details MODIFY jurisdiction VARCHAR(256) DEFAULT NULL;

perun-oidc-server-webapp/src/main/resources/db/psql/v10.0.0.sql

@@ -0,0 +1 @@
+ALTER TABLE client_details MODIFY jurisdiction VARCHAR(256) DEFAULT NULL;

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approve.jsp

@@ -31,9 +31,10 @@
     </div>
 </div>
 </c:if>
-<c:if test="${not client.acceptedTos}">
+<c:if test="${isTestSp or (not client.acceptedTos)}">
     <div class="alert alert-warning" role="alert">
-        <h6>This service has not declared compliance with the <a target="_blank" href="https://lifescience-ri.eu/aai/terms-of-use">Terms of Use for service providers</a> that govern the service's use of Life Science Login.</h6>
+        <p>You are entering a service that is in the test environment of Life Science Login. The test environment is for service developers to test their relying service’s AAI integration before requesting to move them to the Life Science Login production environment.</p>
+        <p>The test environment is not intended for common users. You are able to access the service because you have opted in as a test user. You need to refresh your registration every 30 days.</p>
     </div>
 </c:if>
 <form name="confirmationForm" id="allow_consent_form" class="form-group"
@@ -102,17 +103,22 @@
     <div class="alert alert-danger" role="alert">
         <h6>
             This service is${' '}
-            <c:if test="${jurisdiction eq 'INT'}">provided by an international organization. </c:if>
-            <c:if test="${jurisdiction ne 'INT'}">in ${jurisdiction}</c:if>
+            <c:if test="${jurisdiction eq 'INT' or jurisdiction eq 'EMBL'}">provided by an international organization. </c:if>
+            <c:if test="${jurisdiction ne 'INT' and jurisdiction ne 'EMBL'}">in ${jurisdiction}</c:if>
         </h6>
         <p>
-            In order to access the requested services, the Life Science Login needs to transfer your personal data to a country outside EU/EEA.
-            We cannot guarantee that this country offers an adequately high level of personal data protection as EU/EEA countries.
-
-            <c:if test="${not empty(client.policyUri)}">
-                Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service provider to learn more about its commitments to protect your data.
+            <c:if test="${jurisdiction eq 'EMBL'}">
+                In order to access the requested services, the Life Science Login needs to transfer your personal data to an international organization outside EU/EEA jurisdictions.<br/>
+                <i>Please be aware that upon transfer your personal data will be protected by <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/" target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</i>
+            </c:if>
+            <c:if test="${jurisdiction ne 'EMBL'}">
+                In order to access the requested services, the Life Science Login needs to transfer your personal data to a country outside EU/EEA.
+                We cannot guarantee that this country offers an adequately high level of personal data protection as EU/EEA countries.
             </c:if>
         </p>
+        <c:if test="${not empty(client.policyUri)}">
+            <h6>Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service provider to learn more about its commitments to protect your data.</h6>
+        </c:if>
         <div class="form-check">
             <input class="form-check-input" type="checkbox" name="transfer" id="transfer" data-np-checked="1">
             <label class="form-check-label" for="transfer">To continue, consent to the transfer of your personal data.</label>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approveDevice.jsp

@@ -31,9 +31,10 @@
     </div>
 </div>
 </c:if>
-<c:if test="${not client.acceptedTos}">
+<c:if test="${isTestSp or (not client.acceptedTos)}">
     <div class="alert alert-warning" role="alert">
-        <h6>This service has not declared compliance with the <a target="_blank" href="https://lifescience-ri.eu/aai/terms-of-use">Terms of Use for service providers</a> that govern the service's use of Life Science Login.</h6>
+        <p>You are entering a service that is in the test environment of Life Science Login. The test environment is for service developers to test their relying service’s AAI integration before requesting to move them to the Life Science Login production environment.</p>
+        <p>The test environment is not intended for common users. You are able to access the service because you have opted in as a test user. You need to refresh your registration every 30 days.</p>
     </div>
 </c:if>
 <form name="confirmationForm" id="allow_consent_form" class="form-group"
@@ -101,25 +102,30 @@
     </div>
 
     <c:if test="${not empty jurisdiction}">
-    <div class="alert alert-danger" role="alert">
-        <h6>
-            This service is${' '}
-            <c:if test="${jurisdiction eq 'INT'}">provided by an international organization. </c:if>
-            <c:if test="${jurisdiction ne 'INT'}">in ${jurisdiction}</c:if>
-        </h6>
-        <p>
-            In order to access the requested services, the Life Science Login needs to transfer your personal data to a country outside EU/EEA.
-            We cannot guarantee that this country offers an adequately high level of personal data protection as EU/EEA countries.
-
+        <div class="alert alert-danger" role="alert">
+            <h6>
+                This service is${' '}
+                <c:if test="${jurisdiction eq 'INT' or jurisdiction eq 'EMBL'}">provided by an international organization. </c:if>
+                <c:if test="${jurisdiction ne 'INT' and jurisdiction ne 'EMBL'}">in ${jurisdiction}</c:if>
+            </h6>
+            <p>
+                <c:if test="${jurisdiction eq 'EMBL'}">
+                    In order to access the requested services, the Life Science Login needs to transfer your personal data to an international organization outside EU/EEA jurisdictions.<br/>
+                    <i>Please be aware that upon transfer your personal data will be protected by <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/" target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</i>
+                </c:if>
+                <c:if test="${jurisdiction ne 'EMBL'}">
+                    In order to access the requested services, the Life Science Login needs to transfer your personal data to a country outside EU/EEA.
+                    We cannot guarantee that this country offers an adequately high level of personal data protection as EU/EEA countries.
+                </c:if>
+            </p>
             <c:if test="${not empty(client.policyUri)}">
-                Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service provider to learn more about its commitments to protect your data.
+                <h6>Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service provider to learn more about its commitments to protect your data.</h6>
             </c:if>
-        </p>
-        <div class="form-check">
-            <input class="form-check-input" type="checkbox" name="transfer" id="transfer" data-np-checked="1">
-            <label class="form-check-label" for="transfer">To continue, consent to the transfer of your personal data.</label>
+            <div class="form-check">
+                <input class="form-check-input" type="checkbox" name="transfer" id="transfer" data-np-checked="1">
+                <label class="form-check-label" for="transfer">To continue, consent to the transfer of your personal data.</label>
+            </div>
         </div>
-    </div>
     </c:if>
     <div class="outro">
         <p>

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java

@@ -28,7 +28,10 @@
 import cz.muni.ics.oauth2.model.SystemScope;
 import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
 import cz.muni.ics.oauth2.service.SystemScopeService;
+import cz.muni.ics.oidc.models.Facility;
+import cz.muni.ics.oidc.models.PerunAttributeValue;
 import cz.muni.ics.oidc.saml.SamlPrincipal;
+import cz.muni.ics.oidc.server.adapters.PerunAdapter;
 import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
 import cz.muni.ics.oidc.web.WebHtmlClasses;
 import cz.muni.ics.oidc.web.controllers.ControllerUtils;
@@ -108,14 +111,17 @@ public class OAuthConfirmationController {
 	private PerunOidcConfig perunOidcConfig;
 	private WebHtmlClasses htmlClasses;
 
+	private PerunAdapter perunAdapter;
+
 	@Autowired
 	public OAuthConfirmationController(ClientDetailsEntityService clientService,
 									   SystemScopeService scopeService,
 									   ScopeClaimTranslationService scopeClaimTranslationService,
 									   UserInfoService userInfoService,
 									   RedirectResolver redirectResolver,
 									   PerunOidcConfig perunOidcConfig,
-									   WebHtmlClasses htmlClasses) {
+									   WebHtmlClasses htmlClasses,
+									   PerunAdapter perunAdapter) {
 
 		this.clientService = clientService;
 		this.scopeService = scopeService;
@@ -124,6 +130,7 @@ public OAuthConfirmationController(ClientDetailsEntityService clientService,
 		this.redirectResolver = redirectResolver;
 		this.perunOidcConfig = perunOidcConfig;
 		this.htmlClasses = htmlClasses;
+		this.perunAdapter = perunAdapter;
 	}
 
 	public OAuthConfirmationController(ClientDetailsEntityService clientService) {
@@ -200,15 +207,37 @@ public String confirmAccess(Map<String, Object> model, HttpServletRequest req, A
 		if (perunOidcConfig.getTheme().equalsIgnoreCase(LSAAI)) {
 			model.put("getsOfflineAccess", authRequest.getScope().contains("offline_access"));
 			model.put("jurisdiction", getJurisdiction(client));
+			model.put("isTestSp", isTestSp(client));
 			return "lsaai/approve";
 		}
 		return THEMED_APPROVE;
 	}
 
+	private boolean isTestSp(ClientDetailsEntity client) {
+		if (client == null || !StringUtils.hasText(client.getClientId())) {
+			return true;
+		}
+		Facility facility = perunAdapter.getFacilityByClientId(client.getClientId());
+		if (facility == null || facility.getId() == null) {
+			return true;
+		}
+
+		PerunAttributeValue attrValue = perunAdapter.getFacilityAttributeValue(facility.getId(), "urn:perun:facility:attribute-def:def:isTestSp");
+		if (attrValue == null) {
+			return false;
+		} else if (attrValue.valueAsBoolean()) {
+			return attrValue.valueAsBoolean();
+		}
+		return false;
+	}
+
 	private String getJurisdiction(ClientDetailsEntity client) {
 		if (!StringUtils.hasText(client.getJurisdiction()) || euEaa.contains(client.getJurisdiction())) {
 			return "";
 		} else if (client.getJurisdiction().length() > 2) {
+			if ("EMBL".equalsIgnoreCase(client.getJurisdiction())) {
+				return "EMBL";
+			}
 			return "INT";
 		}
 

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java

@@ -24,7 +24,10 @@
 import cz.muni.ics.oauth2.service.DeviceCodeService;
 import cz.muni.ics.oauth2.service.SystemScopeService;
 import cz.muni.ics.oauth2.token.DeviceTokenGranter;
+import cz.muni.ics.oidc.models.Facility;
+import cz.muni.ics.oidc.models.PerunAttributeValue;
 import cz.muni.ics.oidc.saml.SamlPrincipal;
+import cz.muni.ics.oidc.server.adapters.PerunAdapter;
 import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
 import cz.muni.ics.oidc.server.userInfo.PerunUserInfo;
 import cz.muni.ics.oidc.web.WebHtmlClasses;
@@ -137,6 +140,8 @@ public class DeviceEndpoint {
 	private final ScopeClaimTranslationService scopeClaimTranslationService;
 	private final UserInfoService userInfoService;
 
+	private final PerunAdapter perunAdapter;
+
 	@Autowired
 	public DeviceEndpoint(ClientDetailsEntityService clientService,
 						  SystemScopeService scopeService,
@@ -145,7 +150,8 @@ public DeviceEndpoint(ClientDetailsEntityService clientService,
 						  PerunOidcConfig perunOidcConfig,
 						  WebHtmlClasses htmlClasses,
 						  ScopeClaimTranslationService scopeClaimTranslationService,
-						  UserInfoService userInfoService)
+						  UserInfoService userInfoService,
+						  PerunAdapter perunAdapter)
 	{
 		this.clientService = clientService;
 		this.scopeService = scopeService;
@@ -155,6 +161,7 @@ public DeviceEndpoint(ClientDetailsEntityService clientService,
 		this.htmlClasses = htmlClasses;
 		this.scopeClaimTranslationService = scopeClaimTranslationService;
 		this.userInfoService = userInfoService;
+		this.perunAdapter = perunAdapter;
 	}
 
 	@PostMapping(value = ENDPOINT_URL, consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE,
@@ -447,15 +454,37 @@ private String getApproveDeviceViewName(ModelMap model, SamlPrincipal p, HttpSer
 		if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
 			model.put("getsOfflineAccess", dc.getScope().contains("offline_access"));
 			model.put("jurisdiction", getJurisdiction(client));
+			model.put("isTestSp", isTestSp(client));
 			return "lsaai/" + APPROVE_DEVICE;
 		}
 		return THEMED_APPROVE_DEVICE;
 	}
 
+	private boolean isTestSp(ClientDetailsEntity client) {
+		if (client == null || !StringUtils.hasText(client.getClientId())) {
+			return true;
+		}
+		Facility facility = perunAdapter.getFacilityByClientId(client.getClientId());
+		if (facility == null || facility.getId() == null) {
+			return true;
+		}
+
+		PerunAttributeValue attrValue = perunAdapter.getFacilityAttributeValue(facility.getId(), "urn:perun:facility:attribute-def:def:isTestSp");
+		if (attrValue == null) {
+			return false;
+		} else if (attrValue.valueAsBoolean()) {
+			return attrValue.valueAsBoolean();
+		}
+		return false;
+	}
+
 	private String getJurisdiction(ClientDetailsEntity client) {
 		if (!StringUtils.hasText(client.getJurisdiction()) || euEaa.contains(client.getJurisdiction())) {
 			return "";
 		} else if (client.getJurisdiction().length() > 2) {
+			if ("EMBL".equalsIgnoreCase(client.getJurisdiction())) {
+				return "EMBL";
+			}
 			return "INT";
 		}