final tests on surrogation

437ab1ec · Jérôme LELEU · Makhtar DIAGNE · 28eabd76 · 437ab1ec · 437ab1ec
Commit 437ab1ec authored 4 years ago by Jérôme LELEU Committed by Makhtar DIAGNE 4 years ago
--- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java
@@ -306,4 +306,9 @@ public class WebflowConfig {
        return new ResetPasswordController(casProperties, passwordManagementService, communicationsManager, ticketRegistry,
            messageSource, utils, pmTicketFactory());
    }
+
+    @Bean
+    public Action loadSurrogatesListAction() {
+        return new AlwaysSuccessAction();
+    }
 }
--- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementService.java
@@ -41,17 +41,15 @@ import java.util.Map;
 import java.util.Optional;

 import lombok.val;
-import org.apache.commons.lang.StringUtils;
 import org.apereo.cas.CentralAuthenticationService;
-import org.apereo.cas.authentication.Authentication;
 import org.apereo.cas.authentication.Credential;
 import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
+import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
 import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties;
 import org.apereo.cas.pm.BasePasswordManagementService;
 import org.apereo.cas.pm.InvalidPasswordException;
 import org.apereo.cas.pm.PasswordChangeRequest;
 import org.apereo.cas.pm.PasswordHistoryService;
-import org.apereo.cas.ticket.TicketGrantingTicket;
 import org.apereo.cas.ticket.registry.TicketRegistry;
 import org.apereo.cas.util.crypto.CipherExecutor;
 import org.apereo.cas.web.support.WebUtils;
@@ -71,6 +69,8 @@ import fr.gouv.vitamui.iam.external.client.CasExternalRestClient;
 import lombok.Getter;
 import lombok.Setter;

+import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE;
+
 /**
 * Specific password management service based on the IAM API.
 *
@@ -115,16 +115,13 @@ public class IamPasswordManagementService extends BasePasswordManagementService

    protected RequestContext blockIfSubrogation() {
        val requestContext = RequestContextHolder.getRequestContext();
-        Authentication authentication = WebUtils.getAuthentication(requestContext);
-        if (authentication == null) {
-            val tgtId = WebUtils.getTicketGrantingTicketId(requestContext);
-            if (StringUtils.isNotBlank(tgtId)) {
-                val tgt = centralAuthenticationService.getTicket(tgtId, TicketGrantingTicket.class);
-                authentication = tgt.getAuthentication();
-            }
-        }
+        val authentication = WebUtils.getAuthentication(requestContext);
        if (authentication != null) {
-            val superUsername = utils.getSuperUsername(authentication);
+            String superUsername = (String) utils.getAttributeValue(authentication.getAttributes(), SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL);
+            if (superUsername == null) {
+                superUsername = (String) utils.getAttributeValue(authentication.getPrincipal().getAttributes(), SUPER_USER_ATTRIBUTE);
+            }
+            LOGGER.debug("is it currently a superUser: {}", superUsername);
            Assert.isNull(superUsername, "cannot use password management with subrogation");
        }


--- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Utils.java
@@ -47,8 +47,6 @@ import javax.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import lombok.val;
 import org.apereo.cas.CasProtocolConstants;
-import org.apereo.cas.authentication.Authentication;
-import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
 import org.apereo.cas.configuration.model.support.cookie.TicketGrantingCookieProperties;
 import org.apereo.cas.web.flow.CasWebflowConstants;
 import org.apereo.cas.web.support.WebUtils;
@@ -106,12 +104,6 @@ public class Utils {
        return new Event(action, CasWebflowConstants.TRANSITION_ID_STOP);
    }

-    public String getSuperUsername(final Authentication authentication) {
-        final String username = (String) getAttributeValue(authentication.getAttributes() ,SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL);
-        LOGGER.debug("is it currently a superUser: {}", username);
-        return username;
-    }
-
    public Cookie buildIdpCookie(final String value, final TicketGrantingCookieProperties tgc) {
        final Cookie cookie = new Cookie(CommonConstants.IDP_PARAMETER, value);
        cookie.setPath(tgc.getPath());

--- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/AlwaysSuccessAction.java
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/AlwaysSuccessAction.java
+package fr.gouv.vitamui.cas.webflow.actions;
+
+import org.springframework.webflow.action.AbstractAction;
+import org.springframework.webflow.execution.Event;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * An always "success" action.
+ */
+public class AlwaysSuccessAction extends AbstractAction {
+
+    @Override
+    protected Event doExecute(final RequestContext requestContext) {
+        return success();
+    }
+}
--- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java
+++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/pm/IamPasswordManagementServiceTest.java
@@ -30,6 +30,7 @@ import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;

+import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE;
 import static org.junit.Assert.*;
 import static org.mockito.Matchers.*;
 import static org.mockito.Mockito.*;
@@ -59,6 +60,8 @@ public final class IamPasswordManagementServiceTest extends BaseWebflowActionTes

    private IdentityProviderHelper identityProviderHelper;

+    private Principal principal;
+
    @Before
    public void setUp() {
        super.setUp();
@@ -74,9 +77,10 @@ public final class IamPasswordManagementServiceTest extends BaseWebflowActionTes
        final Map<String, AuthenticationHandlerExecutionResult> successes = new HashMap<>();
        successes.put("fake", null);
        authAttributes = new HashMap<>();
+        principal = mock(Principal.class);
        flowParameters.put("authentication", new DefaultAuthentication(
            ZonedDateTime.now(),
-            mock(Principal.class),
+            principal,
            authAttributes,
            successes,
            new ArrayList<>()
@@ -101,6 +105,21 @@ public final class IamPasswordManagementServiceTest extends BaseWebflowActionTes
        }
    }

+    @Test
+    public void testChangePasswordFailsBecauseOfASuperUser2() {
+        val attributes = new HashMap<String, List<Object>>();
+        attributes.put(SUPER_USER_ATTRIBUTE, Collections.singletonList("fakeSuperUser"));
+        when(principal.getAttributes()).thenReturn(attributes);
+
+        try {
+            service.change(new UsernamePasswordCredential(EMAIL, "password"), new PasswordChangeRequest());
+            fail("should fail");
+        }
+        catch (final IllegalArgumentException e) {
+            assertEquals("cannot use password management with subrogation", e.getMessage());
+        }
+    }
+
    @Test
    public void testChangePasswordFailsBecauseUserIsExternal() {
        identityProviderDto.setInternal(null);