[ENG-8927] Add dev mode for forcing errors/exceptions (#93)

* Overlay CasServerProperties as of apereo-cas 6.2.8
* Create a new DevModeProperties to set dev mode options and add it to CasServerProperties
* Enable dev mode for SimpleUrlHandlerMapping and OsfPrincipalFromNonInteractiveCredentialsAction
* Only force-triggering selected http errors and authentication exceptions in dev mode

Author: cslzchen

etc/cas/config/cas.properties

@@ -15,6 +15,12 @@ cas.server.prefix=${cas.server.name}
 # Tomcat Server
 #
 cas.server.tomcat.server-name=OSF CAS
+#
+# Dev Mode Options
+#
+cas.server.dev-mode.allow-force-authn-exception=${ALLOW_FORCE_AUTHN_EXCEPTION:false}
+cas.server.dev-mode.allow-force-http-error=${ALLOW_FORCE_HTTP_ERROR:false}
+#
 ########################################################################################################################
 
 ########################################################################################################################

etc/cas/config/local/cas-local.properties

@@ -21,6 +21,11 @@ cas.server.tomcat.server-name=OSF CAS
 # cas.server.tomcat.http.enabled=true
 # cas.server.tomcat.http.attributes=
 # e.g. cas.server.tomcat.http.attributes.{attribute-name}={attributeValue}
+#
+# Dev Mode Options
+#
+cas.server.dev-mode.allow-force-authn-exception=true
+cas.server.dev-mode.allow-force-http-error=true
 ########################################################################################################################
 
 ########################################################################################################################

src/main/java/io/cos/cas/osf/configuration/model/DevModeProperties.java

@@ -0,0 +1,34 @@
+package io.cos.cas.osf.configuration.model;
+
+import lombok.Getter;
+import lombok.Setter;
+import lombok.experimental.Accessors;
+
+import java.io.Serializable;
+
+/**
+ * This is {@link DevModeProperties}.
+ *
+ * @author Longze Chen
+ * @since 25.1.0
+ */
+@Getter
+@Setter
+@Accessors(chain = true)
+public class DevModeProperties implements Serializable {
+
+    /**
+     * Serialization metadata.
+     */
+    private static final long serialVersionUID = -1725182183570276203L;
+
+    /**
+     * Allow CAS to force throw authentication exceptions and to render respective error pages for testing purpose.
+     */
+    private boolean allowForceAuthnException = Boolean.FALSE;
+
+    /**
+     * Allow CAS to force http errors which have built-in rendering template for rendering and testing.
+     */
+    private boolean allowForceHttpError = Boolean.FALSE;
+}

src/main/java/io/cos/cas/osf/web/config/OsfCasSupportActionsConfiguration.java

@@ -101,6 +101,7 @@ public Action osfNonInteractiveAuthenticationCheckAction() {
                 adaptiveAuthenticationPolicy.getObject(),
                 centralAuthenticationService.getObject(),
                 jpaOsfDao.getObject(),
+                casProperties.getServer().getDevMode(),
                 casProperties.getAuthn().getOsfUrl(),
                 casProperties.getAuthn().getOsfApi(),
                 authnDelegationClients

src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java

@@ -18,6 +18,7 @@
 import io.cos.cas.osf.authentication.support.DelegationProtocol;
 import io.cos.cas.osf.authentication.support.OsfApiPermissionDenied;
 import io.cos.cas.osf.authentication.support.OsfInstitutionUtils;
+import io.cos.cas.osf.configuration.model.DevModeProperties;
 import io.cos.cas.osf.configuration.model.OsfApiProperties;
 import io.cos.cas.osf.configuration.model.OsfUrlProperties;
 import io.cos.cas.osf.dao.JpaOsfDao;
@@ -197,6 +198,9 @@ public class OsfPrincipalFromNonInteractiveCredentialsAction extends AbstractNon
     @NotNull
     private final JpaOsfDao jpaOsfDao;
 
+    @NotNull
+    private DevModeProperties devModeProperties;
+
     @NotNull
     private OsfUrlProperties osfUrlProperties;
 
@@ -214,6 +218,7 @@ public OsfPrincipalFromNonInteractiveCredentialsAction(
             final AdaptiveAuthenticationPolicy adaptiveAuthenticationPolicy,
             final CentralAuthenticationService centralAuthenticationService,
             final JpaOsfDao jpaOsfDao,
+            final DevModeProperties devModeProperties,
             final OsfUrlProperties osfUrlProperties,
             final OsfApiProperties osfApiProperties,
             final Map<String, List<String>> authnDelegationClients
@@ -225,6 +230,7 @@ public OsfPrincipalFromNonInteractiveCredentialsAction(
         );
         this.centralAuthenticationService = centralAuthenticationService;
         this.jpaOsfDao = jpaOsfDao;
+        this.devModeProperties = devModeProperties;
         this.osfUrlProperties = osfUrlProperties;
         this.osfApiProperties = osfApiProperties;
         this.authnDelegationClients = authnDelegationClients;
@@ -331,23 +337,24 @@ protected Credential constructCredentialsFromRequest(final RequestContext contex
         }
         LOGGER.debug("No valid username or verification key found in request parameters.");
 
-        // Check 4: check "forceException=" query parameter
-        // TODO: disable this for production environment
-        final String forcedException = request.getParameter(FORCE_EXCEPTION_PARAMETER_NAME);
-        if (StringUtils.isNotBlank(forcedException)) {
-            setSsoErrorContext(
-                    context,
-                    forcedException,
-                    String.format("This exception was thrown on purpose bypassing standard web flow: %s", Class.forName(forcedException).getSimpleName()),
-                    "N/A",
-                    "N/A",
-                    "N/A",
-                    "N/A"
-            );
-            try {
-                throw (LoginException) Class.forName(forcedException).getConstructor(String.class).newInstance(FORCE_EXCEPTION_PARAMETER_NAME);
-            } catch ( java.lang.ClassCastException e) {
-                throw (RuntimeException) Class.forName(forcedException).getConstructor(String.class).newInstance(FORCE_EXCEPTION_PARAMETER_NAME);
+        // Check 4: check "forceException=" query parameter if in dev mode
+        if (devModeProperties.isAllowForceAuthnException()) {
+            final String forcedException = request.getParameter(FORCE_EXCEPTION_PARAMETER_NAME);
+            if (StringUtils.isNotBlank(forcedException)) {
+                setSsoErrorContext(
+                        context,
+                        forcedException,
+                        String.format("This exception was thrown on purpose bypassing standard web flow: %s", Class.forName(forcedException).getSimpleName()),
+                        "N/A",
+                        "N/A",
+                        "N/A",
+                        "N/A"
+                );
+                try {
+                    throw (LoginException) Class.forName(forcedException).getConstructor(String.class).newInstance(FORCE_EXCEPTION_PARAMETER_NAME);
+                } catch (java.lang.ClassCastException e) {
+                    throw (RuntimeException) Class.forName(forcedException).getConstructor(String.class).newInstance(FORCE_EXCEPTION_PARAMETER_NAME);
+                }
             }
         }
 

src/main/java/org/apereo/cas/config/CasWebAppConfiguration.java

@@ -164,13 +164,15 @@ public SimpleUrlHandlerMapping handlerMapping() {
         val mapping = new SimpleUrlHandlerMapping();
 
         val root = rootController();
-        val forceHttpError = forceHttpErrorController();
         mapping.setOrder(1);
         mapping.setAlwaysUseFullPath(true);
         mapping.setRootHandler(root);
         val urls = new HashMap<String, Object>();
         urls.put("/", root);
-        urls.put("/forceHttpError", forceHttpError);
+        if (casProperties.getServer().getDevMode().isAllowForceHttpError()) {
+            val forceHttpError = forceHttpErrorController();
+            urls.put("/forceHttpError", forceHttpError);
+        }
 
         mapping.setUrlMap(urls);
         return mapping;

src/main/java/org/apereo/cas/configuration/model/core/CasServerProperties.java

@@ -0,0 +1,80 @@
+package org.apereo.cas.configuration.model.core;
+
+import io.cos.cas.osf.configuration.model.DevModeProperties;
+
+import org.apereo.cas.CasProtocolConstants;
+import org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatProperties;
+import org.apereo.cas.configuration.support.RequiredProperty;
+import org.apereo.cas.configuration.support.RequiresModule;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import lombok.Getter;
+import lombok.Setter;
+import lombok.experimental.Accessors;
+import org.springframework.boot.context.properties.NestedConfigurationProperty;
+
+import java.io.Serializable;
+
+/**
+ * This is {@link CasServerProperties}.
+ *
+ * <p>OSF CAS Customization: add {@link DevModeProperties devMode} to {@link CasServerProperties}; this allows
+ * dev mode options to be easily accessed from {@link org.apereo.cas.configuration.CasConfigurationProperties}
+ * by calling {@code casProperties.getServer().getDevMode()}.</p>
+ *
+ * @author Misagh Moayyed
+ * @since 5.0.0
+ *
+ * @author Longze Chen
+ * @since osf-cas 25.1.0
+ */
+@RequiresModule(name = "cas-server-core", automated = true)
+@Getter
+@Setter
+@Accessors(chain = true)
+public class CasServerProperties implements Serializable {
+
+    private static final long serialVersionUID = 7876382696803430817L;
+
+    /**
+     * Full name of the CAS server. This is the public-facing address
+     * of the CAS deployment and not the individual node address,
+     * in the event that CAS is clustered.
+     */
+    @RequiredProperty
+    private String name = "https://cas.example.org:8443";
+
+    /**
+     * A concatenation of the server name plus the CAS context path.
+     * Deployments at root likely need to blank out this value.
+     */
+    @RequiredProperty
+    private String prefix = name.concat("/cas");
+
+    /**
+     * The CAS Server scope.
+     */
+    @RequiredProperty
+    private String scope = "example.org";
+
+    /**
+     * Configuration settings that control the embedded Apache Tomcat container.
+     */
+    @NestedConfigurationProperty
+    private CasEmbeddedApacheTomcatProperties tomcat = new CasEmbeddedApacheTomcatProperties();
+
+    // OSF CAS Customization: a new private field devMode that stores osf-cas customized dev mode options
+    @NestedConfigurationProperty
+    private DevModeProperties devMode = new DevModeProperties();
+
+    @JsonIgnore
+    public String getLoginUrl() {
+        return getPrefix().concat(CasProtocolConstants.ENDPOINT_LOGIN);
+    }
+
+    @JsonIgnore
+    public String getLogoutUrl() {
+        return getPrefix().concat(CasProtocolConstants.ENDPOINT_LOGOUT);
+    }
+
+}