Merge branch 'master' into production

Author: HejdaJakub

package-lock.json

@@ -73,6 +73,14 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-logging</artifactId>
 		</dependency>
+		<!-- logback appender for writing into systemd-journald which in turn writes into syslog
+			see https://github.com/gnieh/logback-journal
+			-->
+		<dependency>
+			<groupId>org.gnieh</groupId>
+			<artifactId>logback-journal</artifactId>
+			<version>${logback-journal.version}</version>
+		</dependency>
 
 		<!-- OTHER -->
 		<dependency>

perun-base/pom.xml

@@ -94,9 +94,7 @@ public void initBeansUtils() {
 	private List<String> userInfoEndpointExtSourceLogin;
 	private String userInfoEndpointExtSourceName;
 	private List<String> userInfoEndpointExtSourceFriendlyName;
-	private String userInfoEndpointAcrPropertyName;
-	private String userInfoEndpointMfaAcrValue;
-	private String userInfoEndpointMfaAuthTimestampPropertyName;
+	private String introspectionEndpointMfaAcrValue;
 	private int mfaAuthTimeout;
 	private boolean enforceMfa;
 	private int idpLoginValidity;
@@ -792,28 +790,12 @@ public void setUserInfoEndpointExtSourceFriendlyName(List<String> userInfoEndpoi
 		this.userInfoEndpointExtSourceFriendlyName = userInfoEndpointExtSourceFriendlyName;
 	}
 
-	public String getUserInfoEndpointAcrPropertyName() {
-		return userInfoEndpointAcrPropertyName;
+	public String getIntrospectionEndpointMfaAcrValue() {
+		return introspectionEndpointMfaAcrValue;
 	}
 
-	public void setUserInfoEndpointAcrPropertyName(String userInfoEndpointAcrPropertyName) {
-		this.userInfoEndpointAcrPropertyName = userInfoEndpointAcrPropertyName;
-	}
-
-	public String getUserInfoEndpointMfaAuthTimestampPropertyName() {
-		return userInfoEndpointMfaAuthTimestampPropertyName;
-	}
-
-	public void setUserInfoEndpointMfaAuthTimestampPropertyName(String userInfoEndpointMfaAuthTimestampPropertyName) {
-		this.userInfoEndpointMfaAuthTimestampPropertyName = userInfoEndpointMfaAuthTimestampPropertyName;
-	}
-
-	public String getUserInfoEndpointMfaAcrValue() {
-		return userInfoEndpointMfaAcrValue;
-	}
-
-	public void setUserInfoEndpointMfaAcrValue(String userInfoEndpointAcrValue) {
-		this.userInfoEndpointMfaAcrValue = userInfoEndpointAcrValue;
+	public void setIntrospectionEndpointMfaAcrValue(String introspectionEndpointMfaAcrValue) {
+		this.introspectionEndpointMfaAcrValue = introspectionEndpointMfaAcrValue;
 	}
 
 	public int getMfaAuthTimeout() {

perun-base/src/main/java/cz/metacentrum/perun/core/api/CoreConfig.java

@@ -25,7 +25,8 @@ public class PerunPrincipal {
 	// Specifies if the principal has initialized authZResolver
 	private volatile boolean authzInitialized = false;
 	// Keywords of additionalInformations
-	public static final String MFA_TIMESTAMP = "mfaTimestamp";
+	public static final String AUTH_TIME = "authTime";
+	public static final String ACR_MFA = "acrMfa";
 	public static final String ISSUER = "issuer";
 	public static final String ACCESS_TOKEN = "accessToken";
 

perun-base/src/main/java/cz/metacentrum/perun/core/api/PerunPrincipal.java

@@ -112,12 +112,20 @@ public boolean equals(Object obj) {
 			return false;
 		}
 		if (attributes == null) {
-			if (other.getAttributes() != null) {
-				return false;
-			}
-		} else if (!this.getAttributes().equals(other.getAttributes())) {
+			return other.getAttributes() == null;
+		}
+		if (this.getAttributes().size() != other.getAttributes().size()) {
 			return false;
 		}
-		return true;
+
+		List<Attribute> sortedThis = this.getAttributes().stream()
+			.sorted()
+			.toList();
+
+		List<Attribute> sortedOther = other.getAttributes().stream()
+			.sorted()
+			.toList();
+
+		return sortedThis.equals(sortedOther);
 	}
 }

perun-base/src/main/java/cz/metacentrum/perun/core/api/RichGroup.java

@@ -36,11 +36,12 @@ public class Role {
 	public static final String PASSWORDRESETMANAGER = "PASSWORDRESETMANAGER";
 	public static final String MEMBERSHIP = "MEMBERSHIP";
 	public static final String MFA = "MFA";
+	public static final String PROXY = "PROXY";
 
 	public static List<String> rolesAsList() {
 		return Arrays.asList(AUDITCONSUMERADMIN, CABINETADMIN, ENGINE, FACILITYADMIN, FACILITYOBSERVER, TRUSTEDFACILITYADMIN, GROUPADMIN,
 			 GROUPOBSERVER, GROUPMEMBERSHIPMANAGER, MEMBERSHIP, NOTIFICATIONS, PASSWORDRESETMANAGER, PERUNADMIN, PERUNOBSERVER, REGISTRAR, RESOURCEADMIN, RESOURCEOBSERVER,
 			 RESOURCESELFSERVICE, RPC, SECURITYADMIN, SELF, SERVICEUSER, SPREGAPPLICATION, SPONSOR, TOPGROUPCREATOR, UNKNOWNROLENAME,
-			 VOADMIN, VOOBSERVER, SPONSORSHIP, MFA);
+			 VOADMIN, VOOBSERVER, SPONSORSHIP, MFA, PROXY);
 	}
 }

perun-base/src/main/java/cz/metacentrum/perun/core/api/Role.java

@@ -0,0 +1,35 @@
+package cz.metacentrum.perun.core.api.exceptions;
+
+/**
+ * This exception is thrown when the form item does not exist in any application form
+ *
+ * @author Jakub Hejda <[email protected]>
+ */
+public class FormItemNotExistsException extends PerunException {
+	static final long serialVersionUID = 0;
+
+	/**
+	 * Simple constructor with a message
+	 * @param message message with details about the cause
+	 */
+	public FormItemNotExistsException(String message) {
+		super(message);
+	}
+
+	/**
+	 * Constructor with a message and Throwable object
+	 * @param message message with details about the cause
+	 * @param cause Throwable that caused throwing of this exception
+	 */
+	public FormItemNotExistsException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+	/**
+	 * Constructor with a Throwable object
+	 * @param cause Throwable that caused throwing of this exception
+	 */
+	public FormItemNotExistsException(Throwable cause) {
+		super(cause);
+	}
+}

perun-base/src/main/java/cz/metacentrum/perun/core/api/exceptions/FormItemNotExistsException.java

@@ -0,0 +1,39 @@
+package cz.metacentrum.perun.core.api.exceptions;
+
+/**
+ * Exception thrown when relation of two groups as parent-sub should exist, but does not.
+ *
+ * @author Dominik Frantisek Bucik <[email protected]>
+ */
+public class GroupIsNotASubgroupException extends PerunException {
+
+	/**
+	 * Constructor without arguments
+	 */
+	public GroupIsNotASubgroupException() {}
+
+	/**
+	 * Simple constructor with a message
+	 * @param message message with details about the cause
+	 */
+	public GroupIsNotASubgroupException(String message) {
+		super(message);
+	}
+
+	/**
+	 * Constructor with a message and Throwable object
+	 * @param message message with details about the cause
+	 * @param cause Throwable that caused throwing of this exception
+	 */
+	public GroupIsNotASubgroupException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+	/**
+	 * Constructor with a Throwable object
+	 * @param cause Throwable that caused throwing of this exception
+	 */
+	public GroupIsNotASubgroupException(Throwable cause) {
+		super(cause);
+	}
+}

perun-base/src/main/java/cz/metacentrum/perun/core/api/exceptions/GroupIsNotASubgroupException.java

@@ -19,7 +19,6 @@
 
 import org.apache.commons.lang3.StringUtils;
 
-import static cz.metacentrum.perun.core.api.PerunPrincipal.MFA_TIMESTAMP;
 
 /**
  * Class for executing call to User info endpoint.
@@ -35,29 +34,11 @@ public UserInfoEndpointResponse getUserInfoEndpointData(String accessToken, Stri
 
 		fillAdditionalInformationWithDataFromUserInfo(userInfo, additionalInformation);
 
-		String mfaTimestamp = getMfaTimestamp(userInfo);
-		if (mfaTimestamp != null && !mfaTimestamp.isEmpty()) {
-			additionalInformation.put(MFA_TIMESTAMP, mfaTimestamp);
-		}
-
 		String extSourceName = getExtSourceName(userInfo);
 		String extSourceLogin = getExtSourceLogin(userInfo);
 		return new UserInfoEndpointResponse(extSourceName, extSourceLogin);
 	}
 
-	/**
-	 * Calls UserInfo endpoint and returns MFA timestamp if available and acr is equal to MFA acr
-	 * @param accessToken access token
-	 * @param issuer issuer
-	 * @throws ExpiredTokenException if access token is expired
-	 * @return mfa timestamp or null
-	 */
-	public String getUserInfoEndpointMfaData(String accessToken, String issuer) throws ExpiredTokenException {
-		JsonNode userInfo = callUserInfo(accessToken, issuer);
-
-		return getMfaTimestamp(userInfo);
-	}
-
 	private static JsonNode callUserInfo(String accessToken, String issuer) throws ExpiredTokenException {
 		RestTemplate restTemplate = new RestTemplate();
 		JsonNode config = restTemplate.getForObject(issuer + "/.well-known/openid-configuration", JsonNode.class);
@@ -168,22 +149,4 @@ private void fillAdditionalInformationWithDataFromUserInfo(JsonNode userInfo, Ma
 			additionalInformation.put("sourceIdPName", idpName);
 		}
 	}
-
-	/**
-	 * Returns mfa timestamp if acr value is equal to MFA acr value
-	 * @param userInfo parsed response from userInfo endpoint
-	 */
-	private String getMfaTimestamp(JsonNode userInfo) {
-		String acrProperty = BeansUtils.getCoreConfig().getUserInfoEndpointAcrPropertyName();
-		String acr = userInfo.path(acrProperty).asText();
-		if (StringUtils.isNotEmpty(acr) && acr.equals(BeansUtils.getCoreConfig().getUserInfoEndpointMfaAcrValue())) {
-			String mfaTimestampProperty = BeansUtils.getCoreConfig().getUserInfoEndpointMfaAuthTimestampPropertyName();
-			String mfaTimestamp = userInfo.path(mfaTimestampProperty).asText();
-			if (StringUtils.isNotEmpty(mfaTimestamp)) {
-				return mfaTimestamp;
-			}
-		}
-
-		return null;
-	}
 }

perun-base/src/main/java/cz/metacentrum/perun/oidc/UserInfoEndpointCall.java

@@ -248,8 +248,8 @@ public static enum Type {
 		 */
 		TIMEZONE,
 		/**
-		 * Special type for specifying if will be allowed to register to group(s) through VO application form. This type
-		 * is represented by standard HTML checkbox.
+		 * Special type for specifying if it will be allowed to register to group(s) through single application form.
+		 * This type is represented by standard HTML checkbox.
 		 */
 		EMBEDDED_GROUP_APPLICATION,
 		/**