feat: 🎸 Return samlError from token in devicecode

Dominik František Bučík · Dominik František Bučík · commit ff184f1bfd19 · 2022-09-13T23:23:29.000+02:00
BREAKING CHANGE: requires DB update
diff --git a/perun-oidc-server-webapp/src/main/resources/db/mysql/v11.0.0.sql b/perun-oidc-server-webapp/src/main/resources/db/mysql/v11.0.0.sql
@@ -0,0 +1 @@
+ALTER TABLE device_code ADD recorded_error TEXT DEFAULT NULL;
diff --git a/perun-oidc-server-webapp/src/main/resources/db/psql/v11.0.0.sql b/perun-oidc-server-webapp/src/main/resources/db/psql/v11.0.0.sql
@@ -0,0 +1 @@
+ALTER TABLE device_code ADD COLUMN recorded_error TEXT DEFAULT NULL;
diff --git a/perun-oidc-server-webapp/src/main/resources/localization/messages_cs.properties b/perun-oidc-server-webapp/src/main/resources/localization/messages_cs.properties
@@ -184,3 +184,7 @@ login_success_msg=Byl(a) jste \u00FAsp\u011B\u0161n\u011B p\u0159ihl\u00E1\u0161
 logout_denied_title=Odhl\u00E1\u0161en\u00ED zru\u0161eno
 logout_denied_header=Odhl\u00E1\u0161en\u00ED zru\u0161eno
 logout_denied_msg=Proces odhl\u00E1\u0161en\u00ED byl zastaven.
+
+# Device flow error
+device_flow_error_header=Do\u0161lo ke chyb\u011B
+device_flow_error_message=P\u0159i schv\u00E1len\u00ED p\u0159\u00EDstupu aplikace/za\u0159\u00EDzen\u00ED k informac\u00EDm pod Va\u0161\u00ED identitou do\u0161lo ke chyb\u011B. Pro v\u00EDce informac\u00ED se vra\u0165te do aplikace, kter\u00E1 tento proces iniciovala.
diff --git a/perun-oidc-server-webapp/src/main/resources/localization/messages_en.properties b/perun-oidc-server-webapp/src/main/resources/localization/messages_en.properties
@@ -184,3 +184,6 @@ logout_denied_title=Logout denied
 logout_denied_header=Logout canceled
 logout_denied_msg=You have canceled the logout process.
 
+# Device flow error
+device_flow_error_header=Ooops, there was an error
+device_flow_error_message=There was an error in the approval process. To see the details, please get back to the application which has initiated your login.
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/device_flow_error.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/device_flow_error.jsp
@@ -0,0 +1,29 @@
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ page import="java.util.ArrayList" %>
+<%@ page import="java.util.List" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+
+<%
+
+List<String> cssLinks = new ArrayList<>();
+
+pageContext.setAttribute("cssLinks", cssLinks);
+
+%>
+
+<spring:message code="device_flow_error_header" var="title"/>
+<t:header title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" cssLinks="${cssLinks}" theme="${theme}"/>
+
+<h1><spring:message code="device_flow_error_header"/></h1>
+
+</div> <%-- header --%>
+
+<div id="content">
+    <p><spring:message code="device_flow_error_message"/></p>
+</div>
+</div><!-- wrap -->
+
+<t:footer baseURL="${baseURL}" theme="${theme}"/>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/device_flow_error.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/device_flow_error.jsp
@@ -0,0 +1,13 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <h3><spring:message code="device_flow_error_header"/></h3>
+    <p><spring:message code="device_flow_error_message"/></p>
+
+<ls:footer/>
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/DeviceCode.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/DeviceCode.java
@@ -23,11 +23,14 @@
 import static cz.muni.ics.oauth2.model.DeviceCode.QUERY_BY_USER_CODE;
 import static cz.muni.ics.oauth2.model.DeviceCode.QUERY_EXPIRED_BY_DATE;
 
+import cz.muni.ics.oauth2.model.convert.ExtendedOAuth2ExceptionConverter;
+import cz.muni.ics.oidc.saml.ExtendedOAuth2Exception;
 import java.util.Date;
 import java.util.Map;
 import java.util.Set;
 import javax.persistence.CollectionTable;
 import javax.persistence.Column;
+import javax.persistence.Convert;
 import javax.persistence.ElementCollection;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
@@ -121,6 +124,10 @@ public class DeviceCode {
 	@JoinColumn(name = "auth_holder_id")
 	private AuthenticationHolderEntity authenticationHolder;
 
+	@Column(name = "recorded_error")
+	@Convert(converter = ExtendedOAuth2ExceptionConverter.class)
+	private ExtendedOAuth2Exception error;
+
 	public DeviceCode(String deviceCode,
 					  String userCode,
 					  Set<String> scope,
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/convert/ExtendedOAuth2ExceptionConverter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/convert/ExtendedOAuth2ExceptionConverter.java
@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * Copyright 2018 The MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package cz.muni.ics.oauth2.model.convert;
+
+import cz.muni.ics.oidc.saml.ExtendedOAuth2Exception;
+import javax.persistence.AttributeConverter;
+import javax.persistence.Converter;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Translates a Serializable object of certain primitive types
+ * into a String for storage in the database, for use with the
+ * OAuth2Request extensions map.
+ *
+ * This class does allow some extension data to be lost.
+ *
+ * @author jricher
+ */
+@Converter
+@Slf4j
+public class ExtendedOAuth2ExceptionConverter implements AttributeConverter<ExtendedOAuth2Exception, String> {
+
+	@Override
+	public String convertToDatabaseColumn(ExtendedOAuth2Exception attribute) {
+		return ExtendedOAuth2Exception.serialize(attribute);
+	}
+
+	@Override
+	public ExtendedOAuth2Exception convertToEntityAttribute(String dbData) {
+		return ExtendedOAuth2Exception.deserialize(dbData);
+	}
+
+}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/DeviceCodeService.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/DeviceCodeService.java
@@ -19,6 +19,8 @@
 import cz.muni.ics.oauth2.exception.DeviceCodeCreationException;
 import cz.muni.ics.oauth2.model.ClientDetailsEntity;
 import cz.muni.ics.oauth2.model.DeviceCode;
+import cz.muni.ics.oidc.saml.ExtendedOAuth2Exception;
+import cz.muni.ics.oidc.saml.SamlAuthenticationExceptionAuthenticationToken;
 import java.util.Map;
 import java.util.Set;
 import org.springframework.security.oauth2.provider.ClientDetails;
@@ -40,4 +42,6 @@ public interface DeviceCodeService {
 	DeviceCode createNewDeviceCode(Set<String> requestedScopes, ClientDetailsEntity client, Map<String, String> parameters) throws DeviceCodeCreationException;
 
 	void clearExpiredDeviceCodes();
+
+    void addErrorToCode(String userCode, ExtendedOAuth2Exception exc);
 }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultDeviceCodeService.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultDeviceCodeService.java
@@ -16,12 +16,16 @@
 
 package cz.muni.ics.oauth2.service.impl;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import cz.muni.ics.data.AbstractPageOperationTemplate;
 import cz.muni.ics.oauth2.model.AuthenticationHolderEntity;
 import cz.muni.ics.oauth2.model.ClientDetailsEntity;
 import cz.muni.ics.oauth2.model.DeviceCode;
 import cz.muni.ics.oauth2.repository.impl.DeviceCodeRepository;
 import cz.muni.ics.oauth2.service.DeviceCodeService;
+import cz.muni.ics.oidc.saml.ExtendedOAuth2Exception;
+import cz.muni.ics.oidc.saml.SamlAuthenticationExceptionAuthenticationToken;
 import java.util.Collection;
 import java.util.Date;
 import java.util.Map;
@@ -153,4 +157,10 @@ public void clearDeviceCode(String deviceCode, ClientDetails client) {
 
 	}
 
+	@Override
+	public void addErrorToCode(String userCode, ExtendedOAuth2Exception exc) {
+		DeviceCode deviceCode = lookUpByUserCode(userCode);
+		deviceCode.setError(exc);
+		repository.save(deviceCode);
+	}
 }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java
@@ -33,6 +33,7 @@
 import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
 import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
 
 /**
  * Implements https://tools.ietf.org/html/draft-ietf-oauth-device-flow
@@ -66,43 +67,29 @@ protected DeviceTokenGranter(AuthorizationServerTokenServices tokenServices, Cli
 	 */
 	@Override
 	protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
-
 		String deviceCode = tokenRequest.getRequestParameters().get("device_code");
-
 		// look up the device code and consume it
 		DeviceCode dc = deviceCodeService.findDeviceCode(deviceCode, client);
-
 		if (dc != null) {
-
 			// make sure the code hasn't expired yet
 			if (dc.getExpiration() != null && dc.getExpiration().before(new Date())) {
-				
 				deviceCodeService.clearDeviceCode(deviceCode, client);
-				
 				throw new DeviceCodeExpiredException("Device code has expired " + deviceCode);
-
+			} else if (dc.getError() != null) {
+				throw dc.getError();
 			} else if (!dc.isApproved()) {
-
 				// still waiting for approval
 				throw new AuthorizationPendingException("Authorization pending for code " + deviceCode);
-
 			} else {
 				// inherit the (approved) scopes from the original request
 				tokenRequest.setScope(dc.getScope());
-
 				OAuth2Authentication auth = new OAuth2Authentication(getRequestFactory().createOAuth2Request(client, tokenRequest), dc.getAuthenticationHolder().getUserAuth());
-
 				deviceCodeService.clearDeviceCode(deviceCode, client);
-				
 				return auth;
 			}
 		} else {
 			throw new InvalidGrantException("Invalid device code: " + deviceCode);
 		}
-
 	}
 
-
-
-
 }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/AuthenticationUtilities.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/AuthenticationUtilities.java
@@ -17,10 +17,17 @@
 package cz.muni.ics.oauth2.web;
 
 import com.google.common.collect.ImmutableSet;
+import cz.muni.ics.oauth2.model.ClientDetailsEntity;
+import cz.muni.ics.oidc.models.Facility;
+import cz.muni.ics.oidc.models.PerunAttributeValue;
+import cz.muni.ics.oidc.server.adapters.PerunAdapter;
+import java.util.Locale;
+import java.util.Set;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.util.StringUtils;
 
 /**
  *
@@ -31,6 +38,9 @@
  */
 public abstract class AuthenticationUtilities {
 
+	public static final Set<String> EU_EAA = Set.of("AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
+			"EL", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PT", "RO", "SK", "SI", "ES", "SE", "NO", "IS", "LI", "GB");
+
 	/**
 	 * Makes sure the authentication contains the given scope, throws an exception otherwise
 	 * @param auth the authentication object to check
@@ -73,4 +83,36 @@ public static boolean hasRole(Authentication auth, String role) {
 
 	}
 
+	public static String getJurisdiction(ClientDetailsEntity client) {
+		if (!StringUtils.hasText(client.getJurisdiction()) || EU_EAA.contains(client.getJurisdiction())) {
+			return "";
+		} else if (client.getJurisdiction().length() > 2) {
+			if ("EMBL".equalsIgnoreCase(client.getJurisdiction())) {
+				return "EMBL";
+			}
+			return "INT";
+		}
+
+		Locale l = new Locale("", client.getJurisdiction());
+		return l.getDisplayCountry() + " (" + l.getISO3Country() + ")";
+	}
+
+	public static boolean isTestSp(ClientDetailsEntity client, PerunAdapter perunAdapter, String testSpAttrName) {
+		if (client == null || !StringUtils.hasText(client.getClientId())) {
+			return true;
+		}
+		Facility facility = perunAdapter.getFacilityByClientId(client.getClientId());
+		if (facility == null || facility.getId() == null) {
+			return true;
+		}
+
+		PerunAttributeValue attrValue = perunAdapter.getFacilityAttributeValue(facility.getId(), testSpAttrName);
+		if (attrValue == null) {
+			return false;
+		} else if (attrValue.valueAsBoolean()) {
+			return attrValue.valueAsBoolean();
+		}
+		return false;
+	}
+
 }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/ExtendedOAuth2Exception.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/ExtendedOAuth2Exception.java
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlAuthenticationProvider.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlAuthenticationProvider.java
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlAuthenticationExceptionAuthenticationToken.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlAuthenticationExceptionAuthenticationToken.java
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/token/TofuUserApprovalHandler.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/token/TofuUserApprovalHandler.java

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE device_code ADD recorded_error TEXT DEFAULT NULL;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE device_code ADD COLUMN recorded_error TEXT DEFAULT NULL;`