[Prod/Test] Implement ProfileController/InvitationsController zone path

Author: fhanik

docs/path-based-zones-endpoints-without-z-support.md

@@ -19,7 +19,7 @@ This document lists endpoints that do **not** yet have a dual path mapping for `
 6.  ✅ [Home and error pages (UI)](#6-home-and-error-pages-ui)
 7.  ✅ [Session (UI)](#7-session-ui)
 8.  ✅ [Invitations (UI + API)](#8-invitations-ui--api)
-9.  ❌ [Profile (UI)](#9-profile-ui)
+9.  ✅ [Profile (UI)](#9-profile-ui)
 10. ❌ [Passcode (API / UI)](#10-passcode-api--ui)
 11. ❌ [OAuth / token / client admin (API)](#11-oauth--token--client-admin-api-not-yet-covered-by-z)
 12. ❌ [Authenticate (API)](#12-authenticate-api)

server/src/main/java/org/cloudfoundry/identity/uaa/account/ProfileController.java

@@ -57,7 +57,7 @@ public ProfileController(final ApprovalStore approvalsService,
     /**
      * Display the current user's approvals
      */
-    @GetMapping("/profile")
+    @GetMapping({"/profile", "/z/{subdomain}/profile"})
     public String get(Authentication authentication, Model model) {
         Map<String, List<DescribedApproval>> approvals = getCurrentApprovalsForUser(getCurrentUserId());
         Map<String, String> clientNames = getClientNames(approvals);
@@ -70,7 +70,7 @@ public String get(Authentication authentication, Model model) {
     /**
      * Handle form post for revoking chosen approvals
      */
-    @PostMapping({"/profile", "/profile/"})
+    @PostMapping({"/profile", "/profile/", "/z/{subdomain}/profile", "/z/{subdomain}/profile/"})
     public String post(@RequestParam(required = false) Collection<String> checkedScopes,
             @RequestParam(required = false) String update,
             @RequestParam(required = false) String delete,

server/src/main/java/org/cloudfoundry/identity/uaa/invitations/InvitationsController.java

@@ -308,10 +308,11 @@ private String processErrorReload(String code, Model model, HttpServletResponse
         try {
             String newCode = expiringCodeStore.generateCode(expiringCode.getData(), new Timestamp(System.currentTimeMillis() + (10 * 60 * 1000)), expiringCode.getIntent(), identityZoneManager.getCurrentIdentityZoneId()).getCode();
 
+            // Add in order so RedirectView produces accept?error_message_code=...&code=... (pattern expected by tests)
             model.addAttribute(errorCode, error);
             model.addAttribute("code", newCode);
-            String redirectTarget = (pathPrefix != null && !pathPrefix.isEmpty()) ? pathPrefix + "/invitations/accept" : "accept";
-            return "redirect:" + redirectTarget;
+            String baseTarget = (pathPrefix != null && !pathPrefix.isEmpty()) ? pathPrefix + "/invitations/accept" : "accept";
+            return "redirect:" + baseTarget;
         } catch (EmptyResultDataAccessException noProviderFound) {
             log.debug("No available invitation providers for email:%s, id:%s".formatted(codeData.get(EMAIL), codeData.get("user_id")));
             model.addAttribute("pathPrefix", pathPrefix);

server/src/main/resources/templates/web/invitations/accept_invite.html

@@ -12,11 +12,25 @@ <h1><th:block th:unless="${isLdap}">Create</th:block><th:block th:if="${isLdap}"
             <p th:text="#{'account_activation.' + ${error_message_code}}">Error Message</p>
         </div>
         <div th:if="${error_message}" class="alert alert-error">
-            <p th:text="#{'account_activation.' + ${error_message}}">Error Message</p>
+            <p th:text="${#messages.msgOrNull('account_activation.' + error_message) ?: error_message}">Error Message</p>
         </div>
         <th:block th:unless="${error_message_code == 'code_expired'}" >
           <th:block th:if="${provider == 'uaa'}">
-            <form th:action="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/invitations/accept.do' : '/invitations/accept.do'}" method="post" novalidate="novalidate">
+            <form th:if="${pathPrefix != null && !#strings.isEmpty(pathPrefix)}" th:action="${pathPrefix + '/invitations/accept.do'}" method="post" novalidate="novalidate">
+                <input name="code" type="hidden" value="code" th:value="${code}"/>
+                <input name="password" type="password" placeholder="Password" aria-label="Password" autocomplete="off" class="form-control"/>
+                <input name="password_confirmation" type="password" placeholder="Confirm" aria-label="Confirm Password" autocomplete="off" class="form-control"/>
+
+                <label th:if="${consent_text}" style="margin-bottom: 20px">
+                    <input name="does_user_consent" type="checkbox" style="display: inline">
+                    <span>I agree to </span>
+                    <span th:if="!${consent_link}" th:text="${consent_text}"></span>
+                    <a th:if="${consent_link}" th:text="${consent_text}" name="consent-link" th:href="@{${consent_link}}" target="_blank" rel="noopener noreferrer"></a>
+                </label>
+
+                <input type="submit" th:value="${!companyName.equals('Cloud Foundry') and isUaa ? 'Create ' + companyName + ' account' : 'Create account'}" class="island-button"/>
+            </form>
+            <form th:unless="${pathPrefix != null && !#strings.isEmpty(pathPrefix)}" th:action="@{/invitations/accept.do}" method="post" novalidate="novalidate">
                 <input name="code" type="hidden" value="code" th:value="${code}"/>
                 <input name="password" type="password" placeholder="Password" aria-label="Password" autocomplete="off" class="form-control"/>
                 <input name="password_confirmation" type="password" placeholder="Confirm" aria-label="Confirm Password" autocomplete="off" class="form-control"/>
@@ -33,7 +47,14 @@ <h1><th:block th:unless="${isLdap}">Create</th:block><th:block th:if="${isLdap}"
           </th:block>
             <th:block th:if="${isLdap}">
                 <p>Sign in with enterprise credentials: </p>
-                <form th:action="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/invitations/accept_enterprise.do' : '/invitations/accept_enterprise.do'}" method="post" novalidate="novalidate">
+                <form th:if="${pathPrefix != null && !#strings.isEmpty(pathPrefix)}" th:action="${pathPrefix + '/invitations/accept_enterprise.do'}" method="post" novalidate="novalidate">
+                <input name="enterprise_email" type="hidden" th:value="${email}"/>
+                <input name="code" type="hidden" value="code" th:value="${code}"/>
+                <input name="enterprise_username" type="text" placeholder="Username" aria-label="Username" autocomplete="off" class="form-control"/>
+                <input name="enterprise_password" type="password" placeholder="Password" aria-label="Password" autocomplete="off" class="form-control"/>
+                <input type="submit" value="Sign in" class="island-button"/>
+            </form>
+            <form th:unless="${pathPrefix != null && !#strings.isEmpty(pathPrefix)}" th:action="@{/invitations/accept_enterprise.do}" method="post" novalidate="novalidate">
                     <input name="enterprise_email" type="hidden" th:value="${email}"/>
                     <input name="code" type="hidden" value="code" th:value="${code}"/>
                     <input name="enterprise_username" type="text" placeholder="Username" aria-label="Username" autocomplete="off" class="form-control"/>

server/src/main/resources/templates/web/nav.html

@@ -14,9 +14,9 @@
             <span sec:authentication="name">user@example.com</span>
             <i class="fa fa-chevron-down"></i>
         </button>
-        <ul class="dropdown-content" id="nav-dropdown-content">
-            <li><a href="/profile" id="nav-dropdown-content-profile" th:href="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/profile' : '/profile'}">Account Settings</a></li>
-            <li><a href="/logout.do" id="nav-dropdown-content-logout" th:href="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/logout.do' : '/logout.do'}">Sign Out</a></li>
+        <ul class="dropdown-content" id="nav-dropdown-content" th:with="defaultProfileUrl=@{/profile}, defaultLogoutUrl=@{/logout.do}">
+            <li><a href="/profile" id="nav-dropdown-content-profile" th:href="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/profile' : defaultProfileUrl}">Account Settings</a></li>
+            <li><a href="/logout.do" id="nav-dropdown-content-logout" th:href="${pathPrefix != null && !#strings.isEmpty(pathPrefix) ? pathPrefix + '/logout.do' : defaultLogoutUrl}">Sign Out</a></li>
         </ul>
     </div>
 </th:block>

server/src/test/java/org/cloudfoundry/identity/uaa/login/ProfileControllerMockMvcTests.java

@@ -10,17 +10,23 @@
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.extensions.PollutionPreventionExtension;
 import org.cloudfoundry.identity.uaa.home.BuildInfo;
+import org.cloudfoundry.identity.uaa.util.ZoneResolutionMode;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
 import org.cloudfoundry.identity.uaa.security.beans.SecurityContextAccessor;
 import org.cloudfoundry.identity.uaa.util.beans.TestBuildInfo;
 import org.cloudfoundry.identity.uaa.zone.MultitenantClientServices;
 import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.EnumSource;
+import org.junit.jupiter.params.provider.MethodSource;
 import org.junit.jupiter.params.provider.ValueSource;
+import org.springframework.http.HttpMethod;
+
+import java.util.stream.Stream;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mockito;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -67,6 +73,10 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+/**
+ * MockMvc tests for ProfileController. Parameterized by {@link ZoneResolutionMode} (SUBDOMAIN and ZONE_PATH).
+ * ZONE_PATH tests are expected to fail until ProfileController adds mappings for {@code /z/{subdomain}/profile}.
+ */
 @ExtendWith(PollutionPreventionExtension.class)
 @WebAppConfiguration
 @SpringJUnitConfig(classes = ProfileControllerMockMvcTests.ContextConfiguration.class)
@@ -128,6 +138,8 @@ ProfileController profileController(ApprovalStore approvalsService,
 
     private static final String THE_ULTIMATE_APP = "The Ultimate App";
     private static final String USER_ID = "userId";
+    /** Non-empty subdomain for ZONE_PATH so request goes to /z/{subdomain}/profile (expected 404 until controller has zone path). */
+    private static final String ZONE_PATH_SUBDOMAIN = "test-zone";
 
     @Autowired
     private WebApplicationContext webApplicationContext;
@@ -195,53 +207,75 @@ void tearDown() {
         SecurityContextHolder.clearContext();
     }
 
-    @Test
-    void getProfile() throws Exception {
-        getProfile(mockMvc, THE_ULTIMATE_APP, currentIdentityZoneId);
+    private String subdomainFor(ZoneResolutionMode mode) {
+        return mode == ZoneResolutionMode.ZONE_PATH ? ZONE_PATH_SUBDOMAIN : "";
     }
 
-    @Test
-    void getProfileNoAppName() throws Exception {
+    @ParameterizedTest
+    @EnumSource(ZoneResolutionMode.class)
+    void getProfile(ZoneResolutionMode mode) throws Exception {
+        String subdomain = subdomainFor(mode);
+        getProfile(mockMvc, mode, subdomain, THE_ULTIMATE_APP, currentIdentityZoneId);
+    }
+
+    @ParameterizedTest
+    @EnumSource(ZoneResolutionMode.class)
+    void getProfileNoAppName(ZoneResolutionMode mode) throws Exception {
         UaaClientDetails appClient = new UaaClientDetails("app", "thing", "thing.read,thing.write", GRANT_TYPE_AUTHORIZATION_CODE, "");
         when(clientDetailsService.loadClientByClientId("app", currentIdentityZoneId)).thenReturn(appClient);
-        getProfile(mockMvc, "app", currentIdentityZoneId);
+        String subdomain = subdomainFor(mode);
+        getProfile(mockMvc, mode, subdomain, "app", currentIdentityZoneId);
     }
 
-    @Test
-    void specialMessageWhenNoAppsAreAuthorized() throws Exception {
+    @ParameterizedTest
+    @EnumSource(ZoneResolutionMode.class)
+    void specialMessageWhenNoAppsAreAuthorized(ZoneResolutionMode mode) throws Exception {
         when(approvalStore.getApprovalsForUser(anyString(), eq(currentIdentityZoneId))).thenReturn(Collections.emptyList());
 
         UaaPrincipal uaaPrincipal = new UaaPrincipal("fake-user-id", "username", "email@example.com", OriginKeys.UAA, null, currentIdentityZoneId);
         UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(uaaPrincipal, null);
+        String subdomain = subdomainFor(mode);
 
-        mockMvc.perform(get("/profile").principal(authentication))
+        mockMvc.perform(mode.createRequestBuilder(subdomain, HttpMethod.GET, "/profile").principal(authentication))
                 .andExpect(status().isOk())
                 .andExpect(model().attributeExists("approvals"))
                 .andExpect(content().contentTypeCompatibleWith(TEXT_HTML))
                 .andExpect(content().string(containsString("You have not yet authorized any third party applications.")));
     }
 
-    @Test
-    void passwordLinkHiddenWhenUsersOriginIsNotUaa() throws Exception {
+    @ParameterizedTest
+    @EnumSource(ZoneResolutionMode.class)
+    void passwordLinkHiddenWhenUsersOriginIsNotUaa(ZoneResolutionMode mode) throws Exception {
         UaaPrincipal uaaPrincipal = new UaaPrincipal("fake-user-id", "username", "email@example.com", OriginKeys.LDAP, "dnEntryForLdapUser", currentIdentityZoneId);
         UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(uaaPrincipal, null);
+        String subdomain = subdomainFor(mode);
 
-        mockMvc.perform(get("/profile").principal(authentication))
+        mockMvc.perform(mode.createRequestBuilder(subdomain, HttpMethod.GET, "/profile").principal(authentication))
                 .andExpect(status().isOk())
                 .andExpect(model().attribute("isUaaManagedUser", false))
                 .andExpect(model().attributeDoesNotExist("email"))
                 .andExpect(content().string(not(containsString("Change Password"))));
     }
 
+    static Stream<Arguments> updateProfilePaths() {
+        return Stream.of(
+                Arguments.of(ZoneResolutionMode.SUBDOMAIN, "/profile"),
+                Arguments.of(ZoneResolutionMode.SUBDOMAIN, "/profile/"),
+                Arguments.of(ZoneResolutionMode.ZONE_PATH, "/profile"),
+                Arguments.of(ZoneResolutionMode.ZONE_PATH, "/profile/")
+        );
+    }
+
     @ParameterizedTest
-    @ValueSource(strings = {"/profile", "/profile/"})
-    void updateProfile(String url) throws Exception {
-        MockHttpServletRequestBuilder post = post(url)
+    @MethodSource("updateProfilePaths")
+    void updateProfile(ZoneResolutionMode mode, String url) throws Exception {
+        String subdomain = subdomainFor(mode);
+        MockHttpServletRequestBuilder postReq = mode.createRequestBuilder(subdomain, HttpMethod.POST, url)
                 .param("checkedScopes", "app-thing.read")
                 .param("update", "")
                 .param("clientId", "app");
 
-        mockMvc.perform(post)
+        mockMvc.perform(postReq)
                 .andExpect(status().isFound())
                 .andExpect(redirectedUrl("profile"));
 
@@ -267,25 +301,27 @@ void updateProfile(String url) throws Exception {
         assertThat(writeApproval.getStatus()).isEqualTo(DENIED);
     }
 
-    @Test
-    void revokeApp() throws Exception {
-        MockHttpServletRequestBuilder post = post("/profile")
+    @ParameterizedTest
+    @EnumSource(ZoneResolutionMode.class)
+    void revokeApp(ZoneResolutionMode mode) throws Exception {
+        String subdomain = subdomainFor(mode);
+        MockHttpServletRequestBuilder postReq = mode.createRequestBuilder(subdomain, HttpMethod.POST, "/profile")
                 .param("checkedScopes", "app-resource.read")
                 .param("delete", "")
                 .param("clientId", "app");
 
-        mockMvc.perform(post)
+        mockMvc.perform(postReq)
                 .andExpect(status().isFound())
                 .andExpect(redirectedUrl("profile"));
 
         Mockito.verify(approvalStore, Mockito.times(1)).revokeApprovalsForClientAndUser("app", USER_ID, currentIdentityZoneId);
     }
 
-    private static void getProfile(final MockMvc mockMvc, final String name, final String currentIdentityZoneId) throws Exception {
+    private static void getProfile(final MockMvc mockMvc, final ZoneResolutionMode mode, final String subdomain, final String name, final String currentIdentityZoneId) throws Exception {
         UaaPrincipal uaaPrincipal = new UaaPrincipal("fake-user-id", "username", "email@example.com", OriginKeys.UAA, null, currentIdentityZoneId);
         UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(uaaPrincipal, null);
 
-        mockMvc.perform(get("/profile").principal(authentication))
+        mockMvc.perform(mode.createRequestBuilder(subdomain, HttpMethod.GET, "/profile").principal(authentication))
                 .andExpect(status().isOk())
                 .andExpect(model().attributeExists("clientnames"))
                 .andExpect(model().attribute("clientnames", hasKey("app")))