Fixes OpenConext/OpenConext-myconext#1041

Author: oharsta

oidc/src/main/java/oidc/eduid/AttributePseudonymisation.java

@@ -12,10 +12,7 @@
 import org.springframework.web.util.UriComponentsBuilder;
 
 import java.net.URI;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Optional;
+import java.util.*;
 
 @Service
 public class AttributePseudonymisation {
@@ -54,13 +51,23 @@ public AttributePseudonymisation(@Value("${eduid.uri}") URI eduIdUri,
      */
     public Optional<Map<String, String>> pseudonymise(OpenIDClient resourceServer, OpenIDClient openIDClient, String eduId) {
         boolean resourceServerEquals = resourceServer.getClientId().equals(openIDClient.getClientId());
+        String resourceServerInstitutionGuid = resourceServer.getInstitutionGuid();
+        String clientInstitutionGuid = openIDClient.getInstitutionGuid();
+        boolean institutionGuidEquals = StringUtils.hasText(resourceServerInstitutionGuid) &&
+            Objects.equals(resourceServerInstitutionGuid, clientInstitutionGuid);
 
         LOG.debug(String.format("Starting to pseudonymise for RS %s and openIDclient %s. " +
-                        "Enabled is %s, eduId is %s, resourceServerEquals is %s",
-                resourceServer.getClientId(), openIDClient.getClientId(), enabled, eduId, resourceServerEquals));
+                        "Enabled is %s, eduId is %s, resourceServerEquals is %s, institutionGuidEquals is %s",
+                resourceServer.getClientId(),
+            openIDClient.getClientId(),
+            enabled,
+            eduId,
+            resourceServerEquals,
+            institutionGuidEquals
+            ));
 
-        if (!enabled || !StringUtils.hasText(eduId) || resourceServerEquals) {
-            LOG.debug("Returning empty result for 'pseudonymise'");
+        if (!enabled || !StringUtils.hasText(eduId) || resourceServerEquals || institutionGuidEquals) {
+            LOG.debug("Skipping attribute manipulation and returning empty result for 'pseudonymise'");
             return Optional.empty();
         }
         Map<String, String> result = new HashMap<>();
@@ -69,7 +76,7 @@ public Optional<Map<String, String>> pseudonymise(OpenIDClient resourceServer, O
         String uriString = UriComponentsBuilder.fromUri(eduIdUri)
                 .queryParam("eduid", eduId)
                 .queryParam("sp_entity_id", resourceServer.getClientId())
-                .queryParam("sp_institution_guid", resourceServer.getInstitutionGuid())
+                .queryParam("sp_institution_guid", resourceServerInstitutionGuid)
                 .toUriString();
         ResponseEntity<Map<String, String>> responseEntity =
                 restTemplate.exchange(uriString, HttpMethod.GET, requestEntity, new ParameterizedTypeReference<>() {

oidc/src/test/java/oidc/eduid/AttributePseudonymisationTest.java

@@ -2,16 +2,14 @@
 
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
 import oidc.AbstractIntegrationTest;
+import oidc.model.EntityType;
 import oidc.model.OpenIDClient;
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 
 import java.io.IOException;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Optional;
+import java.util.*;
 
 import static com.github.tomakehurst.wiremock.client.WireMock.*;
 import static org.junit.Assert.assertEquals;
@@ -47,7 +45,7 @@ public void pseudonymise() throws IOException {
     }
 
     @Test
-    public void pseudonymiseWithRSwithoutInstitutionIdentifier() throws IOException {
+    public void pseudonymiseWithRSWithoutInstitutionIdentifier() throws IOException {
         Map<String, String> res = new HashMap<>();
         String pseudoEduid = "rp-eduid";
         res.put("eduid", pseudoEduid);
@@ -70,6 +68,19 @@ public void pseudonymiseRpIsRs() throws IOException {
         assertFalse(pseudonymisedAttributes.isPresent());
     }
 
+    @Test
+    public void pseudonymiseRpIsRsForInstitutionGUID() {
+        String institutionGuid = UUID.randomUUID().toString();
+        OpenIDClient resourceServer = new OpenIDClient(Map.of(
+            "type", EntityType.OAUTH_RS.getType(),
+            "data", Map.of("entityid","rs", "metaDataFields", Map.of("coin:institution_guid", institutionGuid))));
+        OpenIDClient openIDClient = new OpenIDClient(Map.of(
+            "type", EntityType.OIDC_RP.getType(),
+            "data", Map.of("entityid","rp", "metaDataFields", Map.of("coin:institution_guid", institutionGuid))));
+        Optional<Map<String, String>> pseudonymisedAttributes = attributePseudonymisation.pseudonymise(resourceServer, openIDClient, "rs-eduid");
+
+        assertFalse(pseudonymisedAttributes.isPresent());
+    }
 
     @Test
     public void pseudonymiseNoEduid() throws IOException {
@@ -94,4 +105,4 @@ public void pseudonymiseWithError() throws IOException {
         assertFalse(pseudonymisedAttributes.isPresent());
     }
 
-}
+}