ISSUE-192 add check for project membership

bwreg-service/src/main/java/edu/kit/scc/webreg/service/oidc/OidcOpLoginImpl.java

@@ -41,6 +41,7 @@ import com.nimbusds.oauth2.sdk.token.RefreshToken;
 import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
 import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
 
+import edu.kit.scc.webreg.annotations.RetryTransaction;
 import edu.kit.scc.webreg.dao.identity.IdentityDao;
 import edu.kit.scc.webreg.dao.jpa.oidc.OidcClientConsumerDao;
 import edu.kit.scc.webreg.dao.oidc.OidcClientConfigurationDao;
@@ -63,6 +64,8 @@ import edu.kit.scc.webreg.service.saml.CryptoHelper;
 import edu.kit.scc.webreg.service.saml.exc.OidcAuthenticationException;
 import edu.kit.scc.webreg.session.SessionManager;
 import jakarta.ejb.Stateless;
+import jakarta.ejb.TransactionManagement;
+import jakarta.ejb.TransactionManagementType;
 import jakarta.inject.Inject;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -70,6 +73,7 @@ import jakarta.ws.rs.core.MultivaluedMap;
 import net.minidev.json.JSONObject;
 
 @Stateless
+@TransactionManagement(TransactionManagementType.BEAN)
 public class OidcOpLoginImpl implements OidcOpLogin {
 
 	@Inject
@@ -121,6 +125,7 @@ public class OidcOpLoginImpl implements OidcOpLogin {
 	}
 
 	@Override
+	@RetryTransaction
 	public String registerAuthRequest(String realm, String responseType, String redirectUri, String scope, String state,
 			String nonce, String clientId, String codeChallange, String codeChallangeMethod, String acrValues,
 			HttpServletRequest request, HttpServletResponse response) throws IOException, OidcAuthenticationException {
@@ -263,6 +268,7 @@ public class OidcOpLoginImpl implements OidcOpLogin {
 	}
 
 	@Override
+	@RetryTransaction
 	public String registerAuthRequestReturn(String realm, HttpServletRequest request, HttpServletResponse response)
 			throws IOException, OidcAuthenticationException {
 
@@ -295,6 +301,7 @@ public class OidcOpLoginImpl implements OidcOpLogin {
 	}
 
 	@Override
+	@RetryTransaction
 	public JSONObject serveToken(String realm, HttpServletRequest request, HttpServletResponse response,
 			String clientId, String clientSecret, String codeVerifier, MultivaluedMap<String, String> formParams)
 			throws OidcAuthenticationException {
@@ -377,6 +384,7 @@ public class OidcOpLoginImpl implements OidcOpLogin {
 	}
 
 	@Override
+	@RetryTransaction
 	public JSONObject serveIntrospection(String realm, HttpServletRequest request, HttpServletResponse response,
 			String authType, String authData, MultivaluedMap<String, String> formParams)
 			throws OidcAuthenticationException {
@@ -447,6 +455,7 @@ public class OidcOpLoginImpl implements OidcOpLogin {
 	}
 
 	@Override
+	@RetryTransaction
 	public JSONObject serveUserInfo(String realm, String tokeType, String tokenId, HttpServletRequest request,
 			HttpServletResponse response) throws OidcAuthenticationException {
 
@@ -457,7 +466,10 @@ public class OidcOpLoginImpl implements OidcOpLogin {
 		}
 
 		OidcOpConfigurationEntity opConfig = flowState.getOpConfiguration();
-		OidcClientConfigurationEntity clientConfig = flowState.getClientConfiguration();
+		OidcClientConsumerEntity clientConfig = flowState.getClientConsumer();
+		if (clientConfig == null) {
+			clientConfig = flowState.getClientConfiguration();
+		}
 
 		ErrorObject error = verifyConfig(opConfig, clientConfig);
 
@@ -474,6 +486,7 @@ public class OidcOpLoginImpl implements OidcOpLogin {
 	}
 
 	@Override
+	@RetryTransaction
 	public JSONObject serveUserJwt(String realm, HttpServletRequest request, HttpServletResponse response)
 			throws OidcAuthenticationException {
 

bwreg-service/src/main/java/edu/kit/scc/webreg/service/oidc/OidcOpScopeLoginProcessor.java

@@ -9,6 +9,7 @@ import com.nimbusds.jwt.SignedJWT;
 import com.nimbusds.oauth2.sdk.OAuth2Error;
 import com.nimbusds.openid.connect.sdk.claims.UserInfo;
 
+import edu.kit.scc.webreg.dao.project.ProjectDao;
 import edu.kit.scc.webreg.entity.attribute.AttributeReleaseEntity;
 import edu.kit.scc.webreg.entity.attribute.ReleaseStatusType;
 import edu.kit.scc.webreg.entity.attribute.value.PairwiseIdentifierValueEntity;
@@ -20,6 +21,8 @@ import edu.kit.scc.webreg.entity.oidc.OidcClientConsumerEntity;
 import edu.kit.scc.webreg.entity.oidc.OidcFlowStateEntity;
 import edu.kit.scc.webreg.entity.oidc.OidcOpConfigurationEntity;
 import edu.kit.scc.webreg.entity.oidc.ProjectOidcClientConfigurationEntity;
+import edu.kit.scc.webreg.entity.project.ProjectEntity;
+import edu.kit.scc.webreg.entity.project.ProjectMembershipEntity;
 import edu.kit.scc.webreg.service.attribute.release.AttributeReleaseHandler;
 import edu.kit.scc.webreg.service.saml.exc.OidcAuthenticationException;
 import jakarta.enterprise.context.ApplicationScoped;
@@ -38,6 +41,9 @@ public class OidcOpScopeLoginProcessor extends AbstractOidcOpLoginProcessor {
 	@Inject
 	private AttributeReleaseHandler attributeReleaseHandler;
 
+	@Inject
+	private ProjectDao projectDao;
+	
 	public boolean matches(OidcClientConsumerEntity clientConsumer) {
 		if (clientConsumer instanceof ProjectOidcClientConfigurationEntity) {
 			return true;
@@ -58,6 +64,20 @@ public class OidcOpScopeLoginProcessor extends AbstractOidcOpLoginProcessor {
 		if (clientConfig == null) 
 			clientConfig = flowState.getClientConfiguration();
 		
+		if (clientConfig instanceof ProjectOidcClientConfigurationEntity) {
+			ProjectOidcClientConfigurationEntity projectClient = (ProjectOidcClientConfigurationEntity) clientConfig;
+			ProjectEntity project = projectClient.getProject();
+			logger.debug("Login for Identity {} and Project {}. Checking membership", identity.getId(), project.getShortName());
+			ProjectMembershipEntity pme = projectDao.findByIdentityAndProject(identity, project);
+			if (pme == null) {
+				logger.debug("Login for Identity {} and Project {} is not a member", identity.getId(), project.getShortName());
+				return "/user/oidc/project-access-denied.xhtml?id=" + project.getId();
+			}
+			else {
+				logger.debug("Login for Identity {} and Project {} is member: ", identity.getId(), project.getShortName(), pme.getMembershipType());
+			}
+		}
+		
 		AttributeReleaseEntity attributeRelease = attributeReleaseHandler.requestAttributeRelease(clientConfig,
 				identity);
 		flowState.setAttributeRelease(attributeRelease);

regapp-idty/src/main/java/edu/kit/scc/webreg/service/attribute/release/AttributeReleaseHandler.java

@@ -79,6 +79,8 @@ public class AttributeReleaseHandler {
 			} else if (scope.equals("profile")) {
 				changed |= resolveSingleStringValue(attributeRelease, "family_name", identity);
 				changed |= resolveSingleStringValue(attributeRelease, "given_name", identity);
+			} else if (scope.equals("voperson")) {
+				changed |= resolveSingleStringValue(attributeRelease, "voperson_id", identity.getGeneratedLocalUsername());
 			}
 		}
 		return changed;
@@ -86,7 +88,12 @@ public class AttributeReleaseHandler {
 
 	private Boolean resolveSingleStringValue(AttributeReleaseEntity attributeRelease, String name,
 			IdentityEntity identity) {
-		return resolveSingleStringValue(attributeRelease, name,
+		return resolveSingleStringValue(attributeRelease, name, name, identity);
+	}
+
+	private Boolean resolveSingleStringValue(AttributeReleaseEntity attributeRelease, String name, String outgoingName,
+			IdentityEntity identity) {
+		return resolveSingleStringValue(attributeRelease, outgoingName,
 				attributeResolver.resolveSingleStringValue(identity, name));
 	}