diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java
index c34f6e6143875dbb770dfa8666db31b04bb3a839..9c5fe517facf3c9a09e8ba5051f7f12755c7119c 100644
--- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java
@@ -306,4 +306,9 @@ public class WebflowConfig {
         return new ResetPasswordController(casProperties, passwordManagementService, communicationsManager, ticketRegistry,
             messageSource, utils, pmTicketFactory());
     }
+
+    @Bean
+    public Action loadSurrogatesListAction() {
+        return new AlwaysSuccessAction();
+    }
 }
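Review bot: The new `loadSurrogatesListAction` bean in `WebflowConfig` has no comment saying why it returns a no-op, and in an authentication webflow that is a security-relevant choice. The bean name looks like the id of the stock CAS action that loads the surrogate list, so this definition presumably replaces it, but the CAS side is not visible in this hunk. I would add Javadoc along the lines of `/** Overrides the CAS action of the same name with a no-op; surrogate selection is handled elsewhere. */`, with the rationale confirmed by the author. It is also worth stating that the override depends on the bean name matching upstream, so a CAS upgrade that renames the action could silently re-enable the default behaviour.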
diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java
index 5636e5e0c33e9cfd18a3dda52ac13e8c8ccb91f9..346b9d098ab2d2bb8990c1421d3f59d2a4cadeac 100644
--- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java
@@ -41,17 +41,15 @@ import java.util.Map;
 import java.util.Optional;
 
 import lombok.val;
-import org.apache.commons.lang.StringUtils;
 import org.apereo.cas.CentralAuthenticationService;
-import org.apereo.cas.authentication.Authentication;
 import org.apereo.cas.authentication.Credential;
 import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
+import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
 import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties;
 import org.apereo.cas.pm.BasePasswordManagementService;
 import org.apereo.cas.pm.InvalidPasswordException;
 import org.apereo.cas.pm.PasswordChangeRequest;
 import org.apereo.cas.pm.PasswordHistoryService;
-import org.apereo.cas.ticket.TicketGrantingTicket;
 import org.apereo.cas.ticket.registry.TicketRegistry;
 import org.apereo.cas.util.crypto.CipherExecutor;
 import org.apereo.cas.web.support.WebUtils;
@@ -71,6 +69,8 @@ import fr.gouv.vitamui.iam.external.client.CasExternalRestClient;
 import lombok.Getter;
 import lombok.Setter;
 
+import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE;
+
 /**
  * Specific password management service based on the IAM API.
  *
@@ -115,16 +115,13 @@ public class IamPasswordManagementService extends BasePasswordManagementService
 
     protected RequestContext blockIfSubrogation() {
         val requestContext = RequestContextHolder.getRequestContext();
-        Authentication authentication = WebUtils.getAuthentication(requestContext);
-        if (authentication == null) {
-            val tgtId = WebUtils.getTicketGrantingTicketId(requestContext);
-            if (StringUtils.isNotBlank(tgtId)) {
-                val tgt = centralAuthenticationService.getTicket(tgtId, TicketGrantingTicket.class);
-                authentication = tgt.getAuthentication();
-            }
-        }
+        val authentication = WebUtils.getAuthentication(requestContext);
         if (authentication != null) {
-            val superUsername = utils.getSuperUsername(authentication);
+            String superUsername = (String) utils.getAttributeValue(authentication.getAttributes(), SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL);
+            if (superUsername == null) {
+                superUsername = (String) utils.getAttributeValue(authentication.getPrincipal().getAttributes(), SUPER_USER_ATTRIBUTE);
+            }
+            LOGGER.debug("is it currently a superUser: {}", superUsername);
             Assert.isNull(superUsername, "cannot use password management with subrogation");
         }
 
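Review bot: When `WebUtils.getAuthentication(requestContext)` returns null, `blockIfSubrogation` now skips the subrogation check entirely, because the fallback that read the authentication from the ticket-granting ticket is removed in this hunk. If a surrogate session can reach password management with its authentication held only in the TGT (not determinable from the visible lines), the `Assert.isNull` guard never runs and the block fails open. Either keep the TGT lookup or document the invariant next to the null check, for example `// null authentication means an anonymous reset flow; no surrogate is possible here`, once that has been confirmed. Separately, the two `(String)` casts on `utils.getAttributeValue(...)` would throw `ClassCastException` rather than the intended `IllegalArgumentException` if an attribute value is not a string. The method body continues past the end of the hunk.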
diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java
index 3ac4fb37ebcc0727d48843d1576baadc7314bee3..2078d1f5963c26d3156911cc788ac5a347c1766f 100644
--- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java
@@ -47,8 +47,6 @@ import javax.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import lombok.val;
 import org.apereo.cas.CasProtocolConstants;
-import org.apereo.cas.authentication.Authentication;
-import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
 import org.apereo.cas.configuration.model.support.cookie.TicketGrantingCookieProperties;
 import org.apereo.cas.web.flow.CasWebflowConstants;
 import org.apereo.cas.web.support.WebUtils;
@@ -106,12 +104,6 @@ public class Utils {
         return new Event(action, CasWebflowConstants.TRANSITION_ID_STOP);
     }
 
-    public String getSuperUsername(final Authentication authentication) {
-        final String username = (String) getAttributeValue(authentication.getAttributes() ,SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL);
-        LOGGER.debug("is it currently a superUser: {}", username);
-        return username;
-    }
-
     public Cookie buildIdpCookie(final String value, final TicketGrantingCookieProperties tgc) {
         final Cookie cookie = new Cookie(CommonConstants.IDP_PARAMETER, value);
         cookie.setPath(tgc.getPath());
diff --git a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/AlwaysSuccessAction.java b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/AlwaysSuccessAction.java
new file mode 100644
index 0000000000000000000000000000000000000000..523e3870db0a0901297e95353c3ec1d71c00a80f
--- /dev/null
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/AlwaysSuccessAction.java
@@ -0,0 +1,16 @@
+package fr.gouv.vitamui.cas.webflow.actions;
+
+import org.springframework.webflow.action.AbstractAction;
+import org.springframework.webflow.execution.Event;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * An always "success" action.
+ */
+public class AlwaysSuccessAction extends AbstractAction {
+
+    @Override
+    protected Event doExecute(final RequestContext requestContext) {
+        return success();
+    }
+}
diff --git a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java
index 04887a3c25737698354412c43e9fc372b6c0a312..9d6df080d0f3e3b3532f7e5c32052252b2deb9bc 100644
--- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java
+++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java
@@ -30,6 +30,7 @@ import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;
 
+import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE;
 import static org.junit.Assert.*;
 import static org.mockito.Matchers.*;
 import static org.mockito.Mockito.*;
@@ -59,6 +60,8 @@ public final class IamPasswordManagementServiceTest extends BaseWebflowActionTes
 
     private IdentityProviderHelper identityProviderHelper;
 
+    private Principal principal;
+
     @Before
     public void setUp() {
         super.setUp();
@@ -74,9 +77,10 @@ public final class IamPasswordManagementServiceTest extends BaseWebflowActionTes
         final Map<String, AuthenticationHandlerExecutionResult> successes = new HashMap<>();
         successes.put("fake", null);
         authAttributes = new HashMap<>();
+        principal = mock(Principal.class);
         flowParameters.put("authentication", new DefaultAuthentication(
             ZonedDateTime.now(),
-            mock(Principal.class),
+            principal,
             authAttributes,
             successes,
             new ArrayList<>()
@@ -101,6 +105,21 @@ public final class IamPasswordManagementServiceTest extends BaseWebflowActionTes
         }
     }
 
+    @Test
+    public void testChangePasswordFailsBecauseOfASuperUser2() {
+        val attributes = new HashMap<String, List<Object>>();
+        attributes.put(SUPER_USER_ATTRIBUTE, Collections.singletonList("fakeSuperUser"));
+        when(principal.getAttributes()).thenReturn(attributes);
+
+        try {
+            service.change(new UsernamePasswordCredential(EMAIL, "password"), new PasswordChangeRequest());
+            fail("should fail");
+        }
+        catch (final IllegalArgumentException e) {
+            assertEquals("cannot use password management with subrogation", e.getMessage());
+        }
+    }
+
     @Test
     public void testChangePasswordFailsBecauseUserIsExternal() {
         identityProviderDto.setInternal(null);
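Review bot: The name `testChangePasswordFailsBecauseOfASuperUser2` does not say what distinguishes this test from the existing super-user test. It covers the new branch that reads `SUPER_USER_ATTRIBUTE` from the principal's attributes, so a name such as `testChangePasswordFailsBecauseOfASuperUserPrincipalAttribute` would make the guarded path obvious. The commit also changes behaviour when the flow-scope authentication is absent, since the TGT fallback is dropped in `blockIfSubrogation`, and no test here pins that case. A test that removes `"authentication"` from `flowParameters` and asserts the expected outcome would document whether skipping the check is intended. The following test, `testChangePasswordFailsBecauseUserIsExternal`, continues outside the hunk.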