Merge branch 'master' into production

Author: HejdaJakub

perun-base/src/main/java/cz/metacentrum/perun/core/api/CoreConfig.java

@@ -96,9 +96,12 @@ public void initBeansUtils() {
 	private List<String> userInfoEndpointExtSourceFriendlyName;
 	private String introspectionEndpointMfaAcrValue;
 	private int mfaAuthTimeout;
+	private int mfaAuthTimeoutPercentageForceLogIn;
 	private boolean enforceMfa;
 	private int idpLoginValidity;
 	private List<String> idpLoginValidityExceptions;
+	private int roleUpdateInterval;
+	private boolean forceHTMLSanitization;
 
 	public int getGroupMaxConcurentGroupsToSynchronize() {
 		return groupMaxConcurentGroupsToSynchronize;
@@ -798,6 +801,14 @@ public void setIntrospectionEndpointMfaAcrValue(String introspectionEndpointMfaA
 		this.introspectionEndpointMfaAcrValue = introspectionEndpointMfaAcrValue;
 	}
 
+	public boolean getForceHTMLSanitization() {
+        return forceHTMLSanitization;
+    }
+
+	public void setForceHTMLSanitization(boolean forceHTMLSanitization) {
+        this.forceHTMLSanitization = forceHTMLSanitization;
+    }
+
 	public int getMfaAuthTimeout() {
 		return mfaAuthTimeout;
 	}
@@ -806,6 +817,14 @@ public void setMfaAuthTimeout(int mfaAuthTimeout) {
 		this.mfaAuthTimeout = mfaAuthTimeout;
 	}
 
+	public int getMfaAuthTimeoutPercentageForceLogIn() {
+		return mfaAuthTimeoutPercentageForceLogIn;
+	}
+
+	public void setMfaAuthTimeoutPercentageForceLogIn(int mfaAuthTimeoutPercentageForceLogIn) {
+		this.mfaAuthTimeoutPercentageForceLogIn = mfaAuthTimeoutPercentageForceLogIn;
+	}
+
 	public boolean isEnforceMfa() {
 		return enforceMfa;
 	}
@@ -847,4 +866,12 @@ public Set<String> getBlockedLogins() {
 
 		return blockedLogins;
 	}
+
+	public int getRoleUpdateInterval() {
+		return roleUpdateInterval;
+	}
+
+	public void setRoleUpdateInterval(int roleUpdateInterval) {
+		this.roleUpdateInterval = roleUpdateInterval;
+	}
 }

perun-base/src/main/java/cz/metacentrum/perun/core/api/PerunPrincipal.java

@@ -20,6 +20,8 @@ public class PerunPrincipal {
 	private User user;
 	// Contains principal's roles together with objects which specifies the role, e.g. VOADMIN -> list contains VO names
 	private volatile AuthzRoles authzRoles = new AuthzRoles();
+	// Time of the last update of roles
+	private long rolesUpdatedAt = System.currentTimeMillis();
 	// Map contains additional attributes, e.g. from authentication system
 	private Map<String, String> additionalInformations = new HashMap<String, String>();
 	// Specifies if the principal has initialized authZResolver
@@ -75,6 +77,7 @@ public String toString() {
 				.append("user='").append((user != null ? user : "null")).append("', ")
 				.append("extSourceName='").append(extSourceName).append("', ")
 				.append("authzRoles='").append(authzRoles).append("', ")
+				.append("rolesUpdatedAt='").append(rolesUpdatedAt).append("' ")
 				.append("authzInitialized='").append(authzInitialized).append("']").toString();
 	}
 
@@ -142,6 +145,14 @@ public void setExtSourceLoa(int extSourceLoa) {
 		this.extSourceLoa = extSourceLoa;
 	}
 
+	public long getRolesUpdatedAt() {
+		return rolesUpdatedAt;
+	}
+
+	public void setRolesUpdatedAt(long rolesUpdatedAt) {
+		this.rolesUpdatedAt = rolesUpdatedAt;
+	}
+
 	@Override
 	public int hashCode() {
 		final int prime = 31;

perun-base/src/main/resources/perun-base.xml

@@ -21,6 +21,7 @@
 		<property name="enginePrincipals" value="#{'${perun.engine.principals}'.split('\s*,\s*')}"/>
 		<property name="generatedLoginNamespaces" value="#{'${perun.loginNamespace.generated}'.split('\s*,\s*')}"/>
 		<property name="groupSynchronizationInterval" value="${perun.group.synchronization.interval}"/>
+		<property name="roleUpdateInterval" value="${perun.roleUpdateInterval}"/>
 		<property name="groupSynchronizationTimeout" value="${perun.group.synchronization.timeout}"/>
 		<property name="groupStructureSynchronizationInterval" value="${perun.group.structure.synchronization.interval}"/>
 		<property name="groupStructureSynchronizationTimeout" value="${perun.group.structure.synchronization.timeout}"/>
@@ -78,10 +79,12 @@
 		<property name="userInfoEndpointExtSourceName" value="${perun.userInfoEndpoint.extSourceName}"/>
 		<property name="userInfoEndpointExtSourceFriendlyName" value="#{'${perun.userInfoEndpoint.extSourceFriendlyName}'.split('\s*,\s*')}"/>
 		<property name="mfaAuthTimeout" value="${perun.introspectionEndpoint.mfaAuthTimeout}"/>
+		<property name="mfaAuthTimeoutPercentageForceLogIn" value="${perun.introspectionEndpoint.mfaAuthTimeoutPercentageForceLogIn}"/>
 		<property name="enforceMfa" value="${perun.enforceMfa}"/>
 		<property name="introspectionEndpointMfaAcrValue" value="${perun.introspectionEndpoint.mfaAcrValue}"/>
 		<property name="idpLoginValidity" value="${perun.idpLoginValidity}"/>
 		<property name="idpLoginValidityExceptions" value="#{'${perun.idpLoginValidityExceptions}'.split('\s*,\s*')}"/>
+		<property name="forceHTMLSanitization" value="${perun.forceHtmlSanitization}"/>
 	</bean>
 
 
@@ -147,6 +150,7 @@
 				<prop key="perun.instanceName">LOCAL</prop>
 				<prop key="perun.allowedCorsDomains"></prop>
 				<prop key="perun.queryTimeout">-1</prop>
+				<prop key="perun.roleUpdateInterval">5</prop>
 				<prop key="perun.defaultLoa.idp">2</prop>
 				<prop key="perun.attributesToSearchUsersAndMembersBy">urn:perun:user:attribute-def:def:preferredMail, urn:perun:member:attribute-def:def:mail</prop>
 				<prop key="perun.attributesToAnonymize"></prop>
@@ -181,8 +185,10 @@
 				<prop key="perun.userInfoEndpoint.extSourceName">target_issuer</prop>
 				<prop key="perun.userInfoEndpoint.extSourceFriendlyName">target_backend, display_name, text</prop>
 				<prop key="perun.introspectionEndpoint.mfaAuthTimeout">1440</prop>
+				<prop key="perun.introspectionEndpoint.mfaAuthTimeoutPercentageForceLogIn">75</prop>
 				<prop key="perun.introspectionEndpoint.mfaAcrValue">https://refeds.org/profile/mfa</prop>
 				<prop key="perun.enforceMfa">false</prop>
+				<prop key="perun.forceHtmlSanitization">false</prop>
 			</props>
 		</property>
 	</bean>

perun-base/src/test/resources/test-schema.sql

@@ -1,4 +1,4 @@
--- database version 3.2.14 (don't forget to update insert statement at the end of file)
+-- database version 3.2.15 (don't forget to update insert statement at the end of file)
 CREATE EXTENSION IF NOT EXISTS "unaccent";
 CREATE EXTENSION IF NOT EXISTS "pgcrypto";
 
@@ -1905,7 +1905,7 @@ create index idx_fk_attr_critops ON attribute_critical_actions(attr_id);
 create index app_state_idx ON application (state);
 
 -- set initial Perun DB version
-insert into configurations values ('DATABASE VERSION','3.2.14');
+insert into configurations values ('DATABASE VERSION','3.2.15');
 -- insert membership types
 insert into membership_types (id, membership_type, description) values (1, 'DIRECT', 'Member is directly added into group');
 insert into membership_types (id, membership_type, description) values (2, 'INDIRECT', 'Member is added indirectly through UNION relation');

perun-cli-python/perun/oidc/__init__.py

@@ -28,7 +28,8 @@ class PerunInstance(str, Enum):
     cesnet = "cesnet",
     idm = "idm",
     idm_test = "idm-test",
-    perun_dev = "perun-dev"
+    perun_dev = "perun-dev",
+    elixir = "elixir"
 
 
 class DeviceCodeOAuth:
@@ -85,6 +86,13 @@ def __init__(self, perun_instance: PerunInstance, encryption_password: str, mfa:
                 'perun_api_url': 'https://idm.ics.muni.cz/oauth/rpc',
                 'mfa': True
             },
+            PerunInstance.elixir: {
+                'metadata_url': 'https://login.elixir-czech.org/oidc/.well-known/openid-configuration',
+                'client_id': 'da97db9f-b511-4c72-b71f-daab24b86884',
+                'scopes': 'openid perun_api perun_admin offline_access profile authn_details',
+                'perun_api_url': 'https://elixir-api.aai.lifescience-ri.eu/oauth/rpc',
+                'mfa': True
+            },
             # PerunInstance.idm_satosa: {
             #     'metadata_url': 'https://proxy.aai.muni.cz/OIDC/.well-known/openid-configuration',
             #     'client_id': '5a730abc-6553-4fc4-af9a-21c75c46e0c2',

perun-core/src/main/java/cz/metacentrum/perun/core/api/exceptions/MfaRoleTimeoutException.java

@@ -0,0 +1,23 @@
+package cz.metacentrum.perun.core.api.exceptions;
+
+import cz.metacentrum.perun.core.api.exceptions.rt.PerunRuntimeException;
+
+/**
+ * This exception is thrown when principal has roles always requiring MFA and the auth time is older than the limit defined in the config
+ * @author Jakub Hejda <[email protected]>
+ */
+public class MfaRoleTimeoutException extends PerunRuntimeException {
+	static final long serialVersionUID = 0;
+
+	public MfaRoleTimeoutException(String message) {
+		super(message);
+	}
+
+	public MfaRoleTimeoutException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+	public MfaRoleTimeoutException(Throwable cause) {
+		super(cause);
+	}
+}

perun-core/src/main/java/cz/metacentrum/perun/core/api/exceptions/MfaTimeoutException.java

@@ -2,6 +2,10 @@
 
 import cz.metacentrum.perun.core.api.exceptions.rt.PerunRuntimeException;
 
+/**
+ * This exception is thrown when principal is performing MFA-requiring action and the auth time is older than the limit defined in the config
+ * @author Jakub Hejda <[email protected]>
+ */
 public class MfaTimeoutException extends PerunRuntimeException {
 	static final long serialVersionUID = 0;
 

perun-core/src/main/java/cz/metacentrum/perun/core/blImpl/AuthzResolverBlImpl.java

@@ -55,6 +55,7 @@
 import cz.metacentrum.perun.core.api.exceptions.MfaInvalidRolesException;
 import cz.metacentrum.perun.core.api.exceptions.MfaPrivilegeException;
 import cz.metacentrum.perun.core.api.exceptions.MfaRolePrivilegeException;
+import cz.metacentrum.perun.core.api.exceptions.MfaRoleTimeoutException;
 import cz.metacentrum.perun.core.api.exceptions.MfaTimeoutException;
 import cz.metacentrum.perun.core.api.exceptions.PolicyNotExistsException;
 import cz.metacentrum.perun.core.api.exceptions.ResourceNotExistsException;
@@ -95,6 +96,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.concurrent.TimeUnit;
 import java.util.function.BiFunction;
 import java.util.function.Function;
 import java.util.stream.Collectors;
@@ -138,6 +140,8 @@ public static boolean authorized(PerunSession sess, String policyDefinition, Lis
 			refreshAuthz(sess);
 		}
 
+		periodicCheckAuthz(sess);
+
 		// If the user has no roles, deny access
 		if (sess.getPerunPrincipal().getRoles() == null) {
 			return false;
@@ -162,6 +166,20 @@ public static boolean authorized(PerunSession sess, String policyDefinition, Lis
 		return resolveAuthorization(sess, policyRoles, mapOfBeans);
 	}
 
+	/**
+	 * If the last check was earlier than the set interval then updates the roles.
+	 *
+	 * @param sess session
+	 */
+	private static void periodicCheckAuthz(PerunSession sess) {
+		if (System.currentTimeMillis() - sess.getPerunPrincipal().getRolesUpdatedAt() >= TimeUnit.MINUTES.toMillis(BeansUtils.getCoreConfig().getRoleUpdateInterval())) {
+			log.debug("Periodic update authz roles for session {}.", sess);
+
+			refreshAuthz(sess);
+			sess.getPerunPrincipal().setRolesUpdatedAt(System.currentTimeMillis());
+		}
+	}
+
 	/**
 	 * Checks authorization according to MFA rules.
 	 *
@@ -271,6 +289,8 @@ public static boolean authorizedToManageRole(PerunSession sess, PerunBean object
 			refreshAuthz(sess);
 		}
 
+		periodicCheckAuthz(sess);
+
 		// If the user has no roles, deny access
 		if (sess.getPerunPrincipal().getRoles() == null) {
 			return false;
@@ -302,6 +322,8 @@ public static boolean authorizedToReadRole(PerunSession sess, PerunBean object,
 			refreshAuthz(sess);
 		}
 
+		periodicCheckAuthz(sess);
+
 		// If the user has no roles, deny access
 		if (sess.getPerunPrincipal().getRoles() == null) {
 			return false;
@@ -1853,6 +1875,8 @@ private static boolean hasAccessByDefault(PerunSession sess, AttributeAction act
 			refreshAuthz(sess);
 		}
 
+		periodicCheckAuthz(sess);
+
 		if (sess.getPerunPrincipal().getRoles() == null || sess.getPerunPrincipal().getRoles().isEmpty()) {
 			return false;
 		}
@@ -4272,7 +4296,11 @@ private static void checkMfaForHavingRole(PerunSession sess, AuthzRoles roles) {
 		}
 
 		if (!requireMfaRoles.isEmpty() && !sess.getPerunPrincipal().getRoles().hasRole(Role.MFA)) {
-			throw new MfaRolePrivilegeException(sess, requireMfaRoles.get(0));
+			if (checkAuthValidityForMFA(sess)) {
+				throw new MfaRolePrivilegeException(sess, requireMfaRoles.get(0));
+			} else {
+				throw new MfaRoleTimeoutException("Your MFA timestamp is not valid anymore, you'll need to reauthenticate");
+			}
 		}
 	}
 
@@ -4368,6 +4396,27 @@ private static boolean isAuthorizedByMfa(PerunSession sess, boolean throwError)
 			return false;
 		}
 
+		if (checkAuthValidityForMFA(sess)) {
+			// true if user has MFA and it is still valid
+			return sessionHasMfa(sess);
+		} else {
+			if (!throwError) return false;
+			if (sessionHasMfa(sess)) {
+				// MFA is no longer valid
+				throw new MfaTimeoutException("Your MFA timestamp is not valid anymore, you'll need to reauthenticate");
+			} else {
+				// user is authenticated by SFA but the mfa timeout would cause an error, so we need to reauthenticate this user
+				throw new MfaTimeoutException("Your single factor authentication timestamp is not valid anymore, you'll need to reauthenticate");
+			}
+		}
+	}
+
+	/**
+	 * Check if the auth time + mfa timeout (reduced by percentage from config) > the current time
+	 * @param sess session
+	 * @return true if the auth timestamp is not too old to perform step-up
+	 */
+	private static boolean checkAuthValidityForMFA(PerunSession sess) {
 		String returnedAuthTime = sess.getPerunPrincipal().getAdditionalInformations().get(AUTH_TIME);
 		Instant parsedReturnedAuthTime;
 		try {
@@ -4380,21 +4429,27 @@ private static boolean isAuthorizedByMfa(PerunSession sess, boolean throwError)
 		}
 
 		long mfaTimeoutInSec = Duration.ofMinutes(BeansUtils.getCoreConfig().getMfaAuthTimeout()).getSeconds();
-		Instant mfaValidUntil = parsedReturnedAuthTime.plusSeconds(mfaTimeoutInSec);
-
-		// check if the auth time + mfa timeout > the current time
-		if (mfaValidUntil.isAfter(Instant.now())) {
-			// if user has MFA and it is still valid
-			return sess.getPerunPrincipal().getAdditionalInformations().containsKey(ACR_MFA);
-		} else {
-			if (!throwError) return false;
-			if (sess.getPerunPrincipal().getAdditionalInformations().containsKey(ACR_MFA)) {
-				// MFA is no longer valid
-				throw new MfaTimeoutException("Your MFA timestamp " + returnedAuthTime + " is not valid anymore, you'll need to reauthenticate");
-			} else {
-				// user is authenticated by SFA but the mfa timeout would cause an error, so we need to reauthenticate this user
-				throw new MfaTimeoutException("Your single factor authentication timestamp " + returnedAuthTime + " is not valid anymore, you'll need to reauthenticate");
+		double mfaTimeoutPercentage = 1;
+		// if the current session is SFA, we want to force log in with both factors earlier (e.g. 75% of mfaAuthTimeout) due to the first executed MFA since authentication time
+		// -> we want to avoid situation when the validity is e.g. 60 minutes, user executes MFA (just second factor) after 59 minutes and after one minute he/she would need to log in again with both factors
+		if (!sessionHasMfa(sess)) {
+			mfaTimeoutPercentage = (double) BeansUtils.getCoreConfig().getMfaAuthTimeoutPercentageForceLogIn() / 100;
+			if (mfaTimeoutPercentage < 0 || mfaTimeoutPercentage > 1) {
+				throw new InternalErrorException("MFA auth timestamp percentage force logout " + mfaTimeoutPercentage + " is not between 0 and 100");
 			}
 		}
+
+		Instant mfaValidUntil = parsedReturnedAuthTime.plusSeconds((long) (mfaTimeoutInSec * mfaTimeoutPercentage));
+
+		return mfaValidUntil.isAfter(Instant.now());
+	}
+
+	/**
+	 * Check if the perun principal contains acr_mfa. It means that user has been authenticated by MFA.
+	 * @param sess session
+	 * @return true if principal contains acr_mfa
+	 */
+	private static boolean sessionHasMfa(PerunSession sess) {
+		return sess.getPerunPrincipal().getAdditionalInformations().containsKey(ACR_MFA);
 	}
 }