Merge branch 'release/23.1.0'

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO.
 
+23.1.0 (01-25-2023)
+===================
+
+* Institution Rework Project - CAS Part
+
 22.1.3 (12-20-2022)
 ===================
 

src/main/java/io/cos/cas/osf/authentication/credential/OsfPostgresCredential.java

@@ -72,7 +72,7 @@ public class OsfPostgresCredential extends RememberMeUsernamePasswordCredential
     /**
      * The user's institutional identity when authenticated via institutional SSO.
      */
-    private String institutionalIdentity = "";
+    private String ssoIdentity = "";
 
     /**
      * The authentication delegation protocol that is used between CAS / Shib and institutions.

src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSsoAccountInactiveException.java

@@ -0,0 +1,30 @@
+package io.cos.cas.osf.authentication.exception;
+
+import lombok.NoArgsConstructor;
+
+import javax.security.auth.login.AccountException;
+
+/**
+ * Describes an authentication error condition where institution SSO has failed
+ * due to the OSF account is not active or not eligible for activation.
+ *
+ * @author Longze Chen
+ * @since 23.1.0
+ */
+@NoArgsConstructor
+public class InstitutionSsoAccountInactiveException extends AccountException {
+
+    /**
+     * Serialization metadata.
+     */
+    private static final long serialVersionUID = -430454081442388569L;
+
+    /**
+     * Instantiates a new {@link InstitutionSsoAccountInactiveException}.
+     *
+     * @param msg the msg
+     */
+    public InstitutionSsoAccountInactiveException(final String msg) {
+        super(msg);
+    }
+}

src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSsoAttributeMissingException.java

@@ -0,0 +1,30 @@
+package io.cos.cas.osf.authentication.exception;
+
+import lombok.NoArgsConstructor;
+
+import javax.security.auth.login.AccountException;
+
+/**
+ * Describes an authentication error condition where institution SSO has failed
+ * due to missing required attributes from IdP.
+ *
+ * @author Longze Chen
+ * @since 23.1.0
+ */
+@NoArgsConstructor
+public class InstitutionSsoAttributeMissingException extends AccountException {
+
+    /**
+     * Serialization metadata.
+     */
+    private static final long serialVersionUID = 1412743002614665584L;
+
+    /**
+     * Instantiates a new {@link InstitutionSsoAttributeMissingException}.
+     *
+     * @param msg the msg
+     */
+    public InstitutionSsoAttributeMissingException(final String msg) {
+        super(msg);
+    }
+}

src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSsoAttributeParsingException.java

@@ -0,0 +1,30 @@
+package io.cos.cas.osf.authentication.exception;
+
+import lombok.NoArgsConstructor;
+
+import javax.security.auth.login.AccountException;
+
+/**
+ * Describes an authentication error condition where institution SSO has failed
+ * due to attribute normalization or parsing failure.
+ *
+ * @author Longze Chen
+ * @since 23.1.0
+ */
+@NoArgsConstructor
+public class InstitutionSsoAttributeParsingException extends AccountException {
+
+    /**
+     * Serialization metadata.
+     */
+    private static final long serialVersionUID = 4319114898092268727L;
+
+    /**
+     * Instantiates a new {@link InstitutionSsoAttributeParsingException}.
+     *
+     * @param msg the msg
+     */
+    public InstitutionSsoAttributeParsingException(final String msg) {
+        super(msg);
+    }
+}

src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSsoDuplicateIdentityException.java

@@ -0,0 +1,30 @@
+package io.cos.cas.osf.authentication.exception;
+
+import lombok.NoArgsConstructor;
+
+import javax.security.auth.login.AccountException;
+
+/**
+ * Describes an authentication error condition where institution SSO has failed
+ * due to duplicate SSO identity.
+ *
+ * @author Longze Chen
+ * @since 23.1.0
+ */
+@NoArgsConstructor
+public class InstitutionSsoDuplicateIdentityException extends AccountException {
+
+    /**
+     * Serialization metadata.
+     */
+    private static final long serialVersionUID = 1412743002614665584L;
+
+    /**
+     * Instantiates a new {@link InstitutionSsoDuplicateIdentityException}.
+     *
+     * @param msg the msg
+     */
+    public InstitutionSsoDuplicateIdentityException(final String msg) {
+        super(msg);
+    }
+}

src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSsoFailedException.java

@@ -5,7 +5,8 @@
 import javax.security.auth.login.AccountException;
 
 /**
- * Describes an authentication error condition where institution SSO has failed.
+ * Describes an authentication error condition where institution SSO has failed
+ * in a way that doesn't fit into any specific exception.
  *
  * @author Longze Chen
  * @since 21.0.0

src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSsoOsfApiFailureException.java → src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSsoOsfApiFailedException.java

@@ -5,26 +5,26 @@
 import javax.security.auth.login.AccountException;
 
 /**
- * Describes an authentication error condition when connection failures and/or server errors happen between
- * CAS and OSF API during institution SSO.
+ * Describes an authentication error condition when connection failures and/or server errors happen
+ * between CAS and OSF API during institution SSO.
  *
  * @author Longze Chen
  * @since 22.1.3
  */
 @NoArgsConstructor
-public class InstitutionSsoOsfApiFailureException extends AccountException {
+public class InstitutionSsoOsfApiFailedException extends AccountException {
 
     /**
      * Serialization metadata.
      */
     private static final long serialVersionUID = -620313210360224932L;
 
     /**
-     * Instantiates a new {@link InstitutionSsoOsfApiFailureException}.
+     * Instantiates a new {@link InstitutionSsoOsfApiFailedException}.
      *
      * @param msg the msg
      */
-    public InstitutionSsoOsfApiFailureException(final String msg) {
+    public InstitutionSsoOsfApiFailedException(final String msg) {
         super(msg);
     }
 }

src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSelectiveSsoFailedException.java → src/main/java/io/cos/cas/osf/authentication/exception/InstitutionSsoSelectiveLoginDeniedException.java

@@ -5,25 +5,26 @@
 import javax.security.auth.login.AccountException;
 
 /**
- * Describes an authentication error condition where user is not allowed to access OSF via institution SSO.
+ * Describes an authentication error condition where user is not allowed to access OSF
+ * via institution SSO due to Selective SSO rules.
  *
  * @author Longze Chen
  * @since 22.0.1
  */
 @NoArgsConstructor
-public class InstitutionSelectiveSsoFailedException extends AccountException {
+public class InstitutionSsoSelectiveLoginDeniedException extends AccountException {
 
     /**
      * Serialization metadata.
      */
     private static final long serialVersionUID = -7613915260905373074L;
 
     /**
-     * Instantiates a new {@link InstitutionSelectiveSsoFailedException}.
+     * Instantiates a new {@link InstitutionSsoSelectiveLoginDeniedException}.
      *
      * @param msg the msg
      */
-    public InstitutionSelectiveSsoFailedException(final String msg) {
+    public InstitutionSsoSelectiveLoginDeniedException(final String msg) {
         super(msg);
     }
 }

src/main/java/io/cos/cas/osf/authentication/support/OsfApiPermissionDenied.java

@@ -10,7 +10,11 @@ public enum OsfApiPermissionDenied {
 
     DEFAULT("PermissionDenied"),
 
-    INSTITUTION_SELECTIVE_SSO_FAILURE("InstitutionSsoSelectiveNotAllowed");
+    INSTITUTION_SSO_DUPLICATE_IDENTITY("InstitutionSsoDuplicateIdentity"),
+
+    INSTITUTION_SSO_ACCOUNT_INACTIVE("InstitutionSsoAccountInactive"),
+
+    INSTITUTION_SSO_SELECTIVE_LOGIN_DENIED("InstitutionSsoSelectiveLoginDenied");
 
     private final String id;
 

src/main/java/io/cos/cas/osf/web/flow/config/OsfCasCoreWebflowConfiguration.java

@@ -2,9 +2,13 @@
 
 import io.cos.cas.osf.authentication.exception.AccountNotConfirmedIdpException;
 import io.cos.cas.osf.authentication.exception.AccountNotConfirmedOsfException;
-import io.cos.cas.osf.authentication.exception.InstitutionSelectiveSsoFailedException;
-import io.cos.cas.osf.authentication.exception.InstitutionSsoOsfApiFailureException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoAccountInactiveException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoAttributeMissingException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoAttributeParsingException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoDuplicateIdentityException;
 import io.cos.cas.osf.authentication.exception.InstitutionSsoFailedException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoOsfApiFailedException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoSelectiveLoginDeniedException;
 import io.cos.cas.osf.authentication.exception.InvalidOneTimePasswordException;
 import io.cos.cas.osf.authentication.exception.InvalidPasswordException;
 import io.cos.cas.osf.authentication.exception.InvalidUserStatusException;
@@ -44,14 +48,18 @@ public Set<Class<? extends Throwable>> handledAuthenticationExceptions() {
         Set<Class<? extends Throwable>> errors = new LinkedHashSet<>();
         errors.add(AccountNotConfirmedIdpException.class);
         errors.add(AccountNotConfirmedOsfException.class);
-        errors.add(InvalidOneTimePasswordException.class);
+        errors.add(InstitutionSsoAccountInactiveException.class);
+        errors.add(InstitutionSsoAttributeMissingException.class);
+        errors.add(InstitutionSsoAttributeParsingException.class);
+        errors.add(InstitutionSsoDuplicateIdentityException.class);
         errors.add(InstitutionSsoFailedException.class);
+        errors.add(InstitutionSsoOsfApiFailedException.class);
+        errors.add(InstitutionSsoSelectiveLoginDeniedException.class);
+        errors.add(InvalidOneTimePasswordException.class);
         errors.add(InvalidPasswordException.class);
         errors.add(InvalidUserStatusException.class);
         errors.add(InvalidVerificationKeyException.class);
         errors.add(OneTimePasswordRequiredException.class);
-        errors.add(InstitutionSelectiveSsoFailedException.class);
-        errors.add(InstitutionSsoOsfApiFailureException.class);
         errors.add(TermsOfServiceConsentRequiredException.class);
 
         // Add built-in exceptions after OSF-specific exceptions since order matters

src/main/java/io/cos/cas/osf/web/flow/configurer/OsfCasLoginWebflowConfigurer.java

@@ -3,9 +3,13 @@
 import io.cos.cas.osf.authentication.credential.OsfPostgresCredential;
 import io.cos.cas.osf.authentication.exception.AccountNotConfirmedIdpException;
 import io.cos.cas.osf.authentication.exception.AccountNotConfirmedOsfException;
-import io.cos.cas.osf.authentication.exception.InstitutionSelectiveSsoFailedException;
-import io.cos.cas.osf.authentication.exception.InstitutionSsoOsfApiFailureException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoAccountInactiveException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoAttributeMissingException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoAttributeParsingException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoDuplicateIdentityException;
 import io.cos.cas.osf.authentication.exception.InstitutionSsoFailedException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoOsfApiFailedException;
+import io.cos.cas.osf.authentication.exception.InstitutionSsoSelectiveLoginDeniedException;
 import io.cos.cas.osf.authentication.exception.InvalidOneTimePasswordException;
 import io.cos.cas.osf.authentication.exception.InvalidUserStatusException;
 import io.cos.cas.osf.authentication.exception.InvalidVerificationKeyException;
@@ -231,6 +235,41 @@ protected void createHandleAuthenticationFailureAction(final Flow flow) {
                 AccountNotConfirmedOsfException.class.getSimpleName(),
                 OsfCasWebflowConstants.VIEW_ID_ACCOUNT_NOT_CONFIRMED_OSF
         );
+        createTransitionForState(
+                handler,
+                InstitutionSsoAccountInactiveException.class.getSimpleName(),
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ACCOUNT_INACTIVE
+        );
+        createTransitionForState(
+                handler,
+                InstitutionSsoAttributeMissingException.class.getSimpleName(),
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ATTRIBUTE_MISSING
+        );
+        createTransitionForState(
+                handler,
+                InstitutionSsoAttributeParsingException.class.getSimpleName(),
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ATTRIBUTE_PARSING_FAILED
+        );
+        createTransitionForState(
+                handler,
+                InstitutionSsoDuplicateIdentityException.class.getSimpleName(),
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_DUPLICATE_IDENTITY
+        );
+        createTransitionForState(
+                handler,
+                InstitutionSsoFailedException.class.getSimpleName(),
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_FAILED
+        );
+        createTransitionForState(
+                handler,
+                InstitutionSsoOsfApiFailedException.class.getSimpleName(),
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_OSF_API_FAILED
+        );
+        createTransitionForState(
+                handler,
+                InstitutionSsoSelectiveLoginDeniedException.class.getSimpleName(),
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_SELECTIVE_LOGIN_DENIED
+        );
         createTransitionForState(
                 handler,
                 InvalidUserStatusException.class.getSimpleName(),
@@ -256,21 +295,6 @@ protected void createHandleAuthenticationFailureAction(final Flow flow) {
                 TermsOfServiceConsentRequiredException.class.getSimpleName(),
                 OsfCasWebflowConstants.VIEW_ID_TERMS_OF_SERVICE_CONSENT_REQUIRED
         );
-        createTransitionForState(
-                handler,
-                InstitutionSsoFailedException.class.getSimpleName(),
-                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_FAILED
-        );
-        createTransitionForState(
-                handler,
-                InstitutionSelectiveSsoFailedException.class.getSimpleName(),
-                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SELECTIVE_SSO_FAILED
-        );
-        createTransitionForState(
-                handler,
-                InstitutionSsoOsfApiFailureException.class.getSimpleName(),
-                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_OSF_API_FAILURE
-        );
 
         // The default transition
         createStateDefaultTransition(handler, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM);
@@ -411,20 +435,40 @@ private void createOsfCasAuthenticationExceptionViewStates(final Flow flow) {
                 OsfCasWebflowConstants.VIEW_ID_INVALID_VERIFICATION_KEY,
                 OsfCasWebflowConstants.VIEW_ID_INVALID_VERIFICATION_KEY
         );
+        createViewState(
+                flow,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ACCOUNT_INACTIVE,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ACCOUNT_INACTIVE
+        );
+        createViewState(
+                flow,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ATTRIBUTE_MISSING,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ATTRIBUTE_MISSING
+        );
+        createViewState(
+                flow,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ATTRIBUTE_PARSING_FAILED,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_ATTRIBUTE_PARSING_FAILED
+        );
+        createViewState(
+                flow,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_DUPLICATE_IDENTITY,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_DUPLICATE_IDENTITY
+        );
         createViewState(
                 flow,
                 OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_FAILED,
                 OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_FAILED
         );
         createViewState(
                 flow,
-                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SELECTIVE_SSO_FAILED,
-                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SELECTIVE_SSO_FAILED
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_OSF_API_FAILED,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_OSF_API_FAILED
         );
         createViewState(
                 flow,
-                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_OSF_API_FAILURE,
-                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_OSF_API_FAILURE
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_SELECTIVE_LOGIN_DENIED,
+                OsfCasWebflowConstants.VIEW_ID_INSTITUTION_SSO_SELECTIVE_LOGIN_DENIED
         );
     }