Fixes #319

Author: oharsta

Changelog.md

@@ -1,44 +1,64 @@
 # Changelog
 
+## 8.5.0
+
+- Only replace the `eduId` in the `/introspect` during attribute pseudonymisation when the result from
+  `/attribute-manipulation` contains an eduID ([#319](https://github.com/OpenConext/OpenConext-oidcng/issues/319))
+
 ## 8.4.0
-- Only call the `/attribute-manipulation` in the `/introspect` endpoint when the Resource Server has an institutionGUID ([#1050](https://github.com/OpenConext/OpenConext-myconext/issues/1050))
+
+- Only call the `/attribute-manipulation` in the `/introspect` endpoint when the Resource Server has an
+  institutionGUID ([#1050](https://github.com/OpenConext/OpenConext-myconext/issues/1050))
 - Upgrade to Spring Boot 3.5.8
 - Avoid `NullPointerException` in comparing redirect URI's with defensive comparisons
 - Support for native applications with IPV6 [::1] as the hostname
 - Upped dependencies for logstash, zxing, commons-io, jakarta.xml, actions/cache and codecov-action
 
 ## 8.3.0
-- Only call the `/attribute-manipulation` in the `/introspect` endpoint when entityID's and institutionGUID's are different ([#1041](https://github.com/OpenConext/OpenConext-myconext/issues/1041))
+
+- Only call the `/attribute-manipulation` in the `/introspect` endpoint when entityID's and institutionGUID's are
+  different ([#1041](https://github.com/OpenConext/OpenConext-myconext/issues/1041))
 
 ## 8.2.0
+
 - Added the authenticating authority to the user_info endpoint
-- Upped dependencies for nimbusds, bouncycastle and opensaml 
+- Upped dependencies for nimbusds, bouncycastle and opensaml
 
 ## 8.1.1
+
 - Bugfix for Spring Crypto not accepting BCrypt secrets longer than 72 bytes
 
 ## 8.1.0
-- Allow POST requests to `/oidc/authorize` (enables form_post submissions) ([#263](https://github.com/OpenConext/OpenConext-oidcng/issues/263))
-- Ensure URIs passed in the `login_hint` are absolute (PR [#271](https://github.com/OpenConext/OpenConext-oidcng/pull/271))
+
+- Allow POST requests to `/oidc/authorize` (enables form_post
+  submissions) ([#263](https://github.com/OpenConext/OpenConext-oidcng/issues/263))
+- Ensure URIs passed in the `login_hint` are absolute (
+  PR [#271](https://github.com/OpenConext/OpenConext-oidcng/pull/271))
 - Prevent duplicate keys ([#239](https://github.com/OpenConext/OpenConext-oidcng/issues/239))
 - Do not expose mappings
 - Add eduPersonAssurance claim
 - Support preferred language user attribute
-- Switch to JDK 21 and upgrade Spring Boot and dependencies (oauth2-oidc-sdk 11.23.1, OpenSAML 5.1.4, xmlsec 4.0.4, BouncyCastle 1.80, logstash-logback-encoder 8.1)
+- Switch to JDK 21 and upgrade Spring Boot and dependencies (oauth2-oidc-sdk 11.23.1, OpenSAML 5.1.4, xmlsec 4.0.4,
+  BouncyCastle 1.80, logstash-logback-encoder 8.1)
 - Enable @Scheduled annotations in standalone mode
 - Include SRAM services
 - Build improvements: ARM images, Docker deployment refactoring, multi-module Maven structure
 - CI and plugin upgrades
 
 ## 8.0.1
-- Backward compatibility for comma-separated scope values ([#238](https://github.com/OpenConext/OpenConext-oidcng/issues/238))
+
+- Backward compatibility for comma-separated scope
+  values ([#238](https://github.com/OpenConext/OpenConext-oidcng/issues/238))
 - Device code flow textual fixes (NL)
 
 ## 8.0.0
+
 - Migrate to Spring Boot 3 (incl. Spring Security 6) and align codebase accordingly
 - Migrate SAML stack to OpenSAML 5; adapt request/response handling and validations
 - Update OAuth 2.0 / OIDC SDK to 11.22.1 (PR [#229](https://github.com/OpenConext/OpenConext-oidcng/pull/229))
-- Update GitHub Actions: setup-java to v4 (PR [#210](https://github.com/OpenConext/OpenConext-oidcng/pull/210)), codecov-action to 5.3.1 (PR [#227](https://github.com/OpenConext/OpenConext-oidcng/pull/227)), mongodb action to 1.12.0 (PR [#222](https://github.com/OpenConext/OpenConext-oidcng/pull/222))
+- Update GitHub Actions: setup-java to v4 (PR [#210](https://github.com/OpenConext/OpenConext-oidcng/pull/210)),
+  codecov-action to 5.3.1 (PR [#227](https://github.com/OpenConext/OpenConext-oidcng/pull/227)), mongodb action to
+  1.12.0 (PR [#222](https://github.com/OpenConext/OpenConext-oidcng/pull/222))
 - Ensure the original SAML AuthnRequest ID is preserved in the authentication flow
 - Upgrade mail SMTP dependency and related test adjustments
 - update PKCE-related test vectors to compliant values

oidc/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.openconext</groupId>
         <artifactId>oidcng-parent</artifactId>
-        <version>8.4.0</version>
+        <version>8.5.0</version>
     </parent>
 
     <dependencyManagement>

oidc/src/main/java/oidc/eduid/AttributePseudonymisation.java

@@ -83,6 +83,7 @@ public Optional<Map<String, String>> pseudonymise(OpenIDClient resourceServer, O
             .queryParam("sp_entity_id", resourceServer.getClientId())
             .queryParam("sp_institution_guid", resourceServerInstitutionGuid)
             .toUriString();
+
         ResponseEntity<Map<String, String>> responseEntity =
             restTemplate.exchange(uriString, HttpMethod.GET, requestEntity, new ParameterizedTypeReference<>() {
             });

oidc/src/main/java/oidc/endpoints/IntrospectEndpoint.java

@@ -152,13 +152,15 @@ public ResponseEntity<Map<String, Object>> introspect(HttpServletRequest request
     @SuppressWarnings("unchecked")
     private boolean validPseudonymisation(Map<String, Object> userAttributes, OpenIDClient resourceServer, OpenIDClient openIDClient) {
         String eduId = (String) userAttributes.get("eduid");
-        Optional<Map<String, String>> pseudonymiseResult = attributePseudonymisation.pseudonymise(resourceServer, openIDClient, eduId);
-        if (pseudonymiseResult.isPresent() && !pseudonymiseResult.get().containsKey("eduperson_principal_name")) {
-            //The user is not linked to an IdP belonging to this RS
-            userAttributes.put("eduid", pseudonymiseResult.get().get("eduid"));
+        Map<String, String> pseudonymiseResult = attributePseudonymisation.pseudonymise(resourceServer, openIDClient, eduId)
+            .orElseGet(Collections::emptyMap);
+        if (pseudonymiseResult.containsKey("eduid") &&
+            !pseudonymiseResult.containsKey("eduperson_principal_name")) {
+            //The user is not linked to an IdP belonging to this RS - only replace the pseudo eduid and not other attributes
+            userAttributes.put("eduid", pseudonymiseResult.get("eduid"));
             return false;
         }
-        userAttributes.putAll(pseudonymiseResult.orElseGet(Collections::emptyMap));
+        userAttributes.putAll(pseudonymiseResult);
         return true;
     }
 

oidc/src/test/java/oidc/endpoints/IntrospectEndpointDisabledEduIDEnforcementTest.java

@@ -0,0 +1,180 @@
+package oidc.endpoints;
+
+import com.github.tomakehurst.wiremock.junit.WireMockRule;
+import com.nimbusds.oauth2.sdk.GrantType;
+import io.restassured.response.Response;
+import oidc.AbstractIntegrationTest;
+import org.apache.http.HttpStatus;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import static com.github.tomakehurst.wiremock.client.WireMock.*;
+import static io.restassured.RestAssured.given;
+import static org.junit.Assert.assertEquals;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
+    properties = {
+        "cron.node-cron-job-responsible=false",
+        "eduid.uri=http://localhost:8099/attribute-manipulation",
+        "features.enforce-eduid-resource-server-linked-account=false"
+
+    })
+public class IntrospectEndpointDisabledEduIDEnforcementTest extends AbstractIntegrationTest {
+
+    @ClassRule
+    public static WireMockRule wireMockRule = new WireMockRule(8099);
+
+    @Test
+    public void introspectionEduIdEmptyPseudonymisation() throws IOException {
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("scope", "openid");
+        queryParams.put("client_id", "mock-sp");
+        queryParams.put("response_type", "code");
+        queryParams.put("redirect_uri", openIDClient("mock-sp").getRedirectUrls().get(0));
+
+        Response response = given().redirects().follow(false)
+            .when()
+            .header("Content-type", "application/json")
+            .queryParams(queryParams)
+            .get("oidc/authorize?user=eduid");
+
+        String code = getCode(response);
+        Map<String, Object> body = doToken(code, "mock-sp", "secret", GrantType.AUTHORIZATION_CODE);
+        String accessToken = (String) body.get("access_token");
+
+        stubFor(get(urlPathMatching("/attribute-manipulation")).willReturn(aResponse()
+            .withHeader("Content-Type", "application/json")
+            .withBody(objectMapper.writeValueAsString(Map.of()))));
+        Map<String, Object> results = given()
+            .when()
+            .header("Content-type", "application/x-www-form-urlencoded")
+            .auth()
+            .preemptive()
+            .basic("resource-server-playground-client", "secret")
+            .formParam("token", accessToken)
+            .post("oidc/introspect")
+            .as(mapTypeRef);
+        //See src/main/resources/data/eduid.json
+        assertEquals("3415570f-be91-4ba8-b9ba-e479d18094d5", results.get("eduid"));
+    }
+
+    @Test
+    public void introspectionEduIdValidPseudonymisation() throws IOException {
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("scope", "openid");
+        queryParams.put("client_id", "mock-sp");
+        queryParams.put("response_type", "code");
+        queryParams.put("redirect_uri", openIDClient("mock-sp").getRedirectUrls().get(0));
+
+        Response response = given().redirects().follow(false)
+            .when()
+            .header("Content-type", "application/json")
+            .queryParams(queryParams)
+            .get("oidc/authorize?user=eduid");
+
+        String code = getCode(response);
+        Map<String, Object> body = doToken(code, "mock-sp", "secret", GrantType.AUTHORIZATION_CODE);
+        String accessToken = (String) body.get("access_token");
+
+        Map<Object, Object> pseudonymiseResults = Map.of("eduid", UUID.randomUUID().toString());
+        stubFor(get(urlPathMatching("/attribute-manipulation")).willReturn(aResponse()
+            .withHeader("Content-Type", "application/json")
+            .withBody(objectMapper.writeValueAsString(pseudonymiseResults))));
+
+        Map<String, Object> results = given()
+            .when()
+            .header("Content-type", "application/x-www-form-urlencoded")
+            .auth()
+            .preemptive()
+            .basic("resource-server-playground-client", "secret")
+            .formParam("token", accessToken)
+            .post("oidc/introspect")
+            .as(mapTypeRef);
+        //Replaced pseudo eduID
+        assertEquals(pseudonymiseResults.get("eduid"), results.get("eduid"));
+    }
+
+    @Test
+    public void introspectionEduIdErrorPseudonymisation() throws IOException {
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("scope", "openid");
+        queryParams.put("client_id", "mock-sp");
+        queryParams.put("response_type", "code");
+        queryParams.put("redirect_uri", openIDClient("mock-sp").getRedirectUrls().get(0));
+
+        Response response = given().redirects().follow(false)
+            .when()
+            .header("Content-type", "application/json")
+            .queryParams(queryParams)
+            .get("oidc/authorize?user=eduid");
+
+        String code = getCode(response);
+        Map<String, Object> body = doToken(code, "mock-sp", "secret", GrantType.AUTHORIZATION_CODE);
+        String accessToken = (String) body.get("access_token");
+
+        stubFor(get(urlPathMatching("/attribute-manipulation"))
+            .willReturn(aResponse()
+                .withHeader("Content-Type", "application/json")
+                .withStatus(HttpStatus.SC_BAD_REQUEST)));
+
+        Map<String, Object> results = given()
+            .when()
+            .header("Content-type", "application/x-www-form-urlencoded")
+            .auth()
+            .preemptive()
+            .basic("resource-server-playground-client", "secret")
+            .formParam("token", accessToken)
+            .post("oidc/introspect")
+            .as(mapTypeRef);
+        //See src/main/resources/data/eduid.json
+        assertEquals("3415570f-be91-4ba8-b9ba-e479d18094d5", results.get("eduid"));
+    }
+
+    @Test
+    public void introspectionEduIdRSNotLinkedPseudonymisation() throws IOException {
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("scope", "openid");
+        queryParams.put("client_id", "mock-sp");
+        queryParams.put("response_type", "code");
+        queryParams.put("redirect_uri", openIDClient("mock-sp").getRedirectUrls().get(0));
+
+        Response response = given().redirects().follow(false)
+            .when()
+            .header("Content-type", "application/json")
+            .queryParams(queryParams)
+            .get("oidc/authorize?user=eduid");
+
+        String code = getCode(response);
+        Map<String, Object> body = doToken(code, "mock-sp", "secret", GrantType.AUTHORIZATION_CODE);
+        String accessToken = (String) body.get("access_token");
+
+        Map<Object, Object> pseudonymiseResults = Map.of(
+            "eduid", UUID.randomUUID().toString(),
+            "eduperson_principal_name", "some-eppn"
+        );
+        stubFor(get(urlPathMatching("/attribute-manipulation")).willReturn(aResponse()
+            .withHeader("Content-Type", "application/json")
+            .withBody(objectMapper.writeValueAsString(pseudonymiseResults))));
+
+        Map<String, Object> results = given()
+            .when()
+            .header("Content-type", "application/x-www-form-urlencoded")
+            .auth()
+            .preemptive()
+            .basic("resource-server-playground-client", "secret")
+            .formParam("token", accessToken)
+            .post("oidc/introspect")
+            .as(mapTypeRef);
+        //See the pseudonymiseResults with an eduperson_principal_name
+        assertEquals(pseudonymiseResults.get("eduid"), results.get("eduid"));
+        assertEquals(pseudonymiseResults.get("eduperson_principal_name"), results.get("eduperson_principal_name"));
+    }
+
+
+}

pom.xml

@@ -11,7 +11,7 @@
 
     <groupId>org.openconext</groupId>
     <artifactId>oidcng-parent</artifactId>
-    <version>8.4.0</version>
+    <version>8.5.0</version>
     <name>oidcng</name>
     <packaging>pom</packaging>
 

release/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.openconext</groupId>
         <artifactId>oidcng-parent</artifactId>
-        <version>8.4.0</version>
+        <version>8.5.0</version>
     </parent>
 
     <artifactId>oidcng-release</artifactId>