Merge branch 'develop'

.gitignore

@@ -3,3 +3,4 @@
 /target
 /.idea
 *.iml
+.env

doc/Configuration.md

@@ -21,7 +21,8 @@ _CAS tarkvaras tehtud kohanduste ja täienduste kirjeldus._
   * [2.10 Audit logging](#audit_logging)
   * [2.11 Enabling additional OpenID Connect endpoints](#oidc_optional_endpoints)
   * [2.12 Client secret handling](#oidc_client_secret)
-  * [2.13 Always force re-authentication](#oidc_force_reauthentication)    
+  * [2.13 Always force re-authentication](#oidc_force_reauthentication)
+  * [2.14 Default authentication methods on login page](#default_auth_methods)
 - [3. TARA truststore](#tara_truststore)
   * [3.1 Mobile-ID CA certs](#dds_ca_certs)
   * [3.2 Smart-ID CA certs](#smart-id_ca_certs)
@@ -771,6 +772,22 @@ Example:
 
 ````
 oidc.authorize.force-auth-renewal.enabled=false
+````
+
+<a name="default_auth_methods"></a>
+### 2.14 Default list of authentication methods
+Change the list of authentication methods displayed to the user on the Login page by default.
+
+Table 2.14.1 - Parameters used to spec 
+
+| Property        | Mandatory | Description |
+| :---------------- | :---------- | :----------------|
+| `tara.default-authentication-methods` | N | A comma separated list of authentication methods that will be displayed to the user by default (if the OpenID Connect client does not specify authentication method by scope explicitly). Allowed values: `idcard`, `mobileid`, `banklink`, `eidas`, `smartid` . Defaults to `idcard, mid`, if not specified.  |
+
+Example:
+
+````
+tara.default-authentication-methods=idcard, mobileid, eidas, banklink, smartid
 ````    
 
 

pom.xml

@@ -6,10 +6,10 @@
     <groupId>ee.ria.tara</groupId>
     <artifactId>tara-server</artifactId>
     <packaging>war</packaging>
-    <version>1.4.15</version>
+    <version>1.4.16</version>
 
     <properties>
-        <cas.version>5.3.15</cas.version>
+        <cas.version>5.3.15.1</cas.version>
         <banklink.version>2.1.15</banklink.version>
         <!-- app.server could be -jetty, -undertow, -tomcat, or blank if you plan to provide appserver -->
         <app.server>-tomcat</app.server>
@@ -138,7 +138,7 @@
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>
                 <artifactId>jackson-databind</artifactId>
-                <version>2.9.10.1</version>
+                <version>2.9.10.3</version>
             </dependency>
 
             <!-- Override dependency needed for mid-rest-java-client -->

src/main/java/ee/ria/sso/config/TaraOidcConfiguration.java

@@ -250,7 +250,7 @@ protected HttpAction unauthorized(J2EContext context, List<Client> currentClient
     public FilterRegistrationBean oidcAuthorizeCheckingServletFilter(OidcAuthorizeRequestValidator oidcAuthorizeRequestValidator) {
         final Map<String, String> initParams = new HashMap<>();
         final FilterRegistrationBean bean = new FilterRegistrationBean();
-        bean.setFilter(new OidcAuthorizeRequestValidationServletFilter(oidcAuthorizeRequestValidator, eidasConfigurationProvider));
+        bean.setFilter(new OidcAuthorizeRequestValidationServletFilter(oidcAuthorizeRequestValidator, eidasConfigurationProvider, taraProperties));
         bean.setUrlPatterns(Collections.singleton("/oidc/authorize"));
         bean.setInitParameters(initParams);
         bean.setName("oidcAuthorizeCheckingServletFilter");

src/main/java/ee/ria/sso/config/TaraProperties.java

@@ -1,11 +1,19 @@
 package ee.ria.sso.config;
 
-import lombok.*;
+import ee.ria.sso.authentication.AuthenticationType;
+import lombok.AccessLevel;
+import lombok.Data;
+import lombok.Getter;
+import lombok.Setter;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.core.env.Environment;
 
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
 @Data
 @ConfigurationProperties("tara")
 public class TaraProperties {
@@ -18,6 +26,10 @@ public class TaraProperties {
     @Value("${env.test.message:#{null}}")
     private String testEnvironmentWarningMessage;
 
+    private List<AuthenticationType> defaultAuthenticationMethods = Arrays.asList(
+            AuthenticationType.IDCard,
+            AuthenticationType.MobileID);
+
     @Getter(AccessLevel.NONE)
     @Setter(AccessLevel.NONE)
     private final Environment environment;

src/main/java/ee/ria/sso/flow/ThymeleafSupport.java

@@ -105,7 +105,7 @@ public String getInformationUrl() {
                     })
                     .getInformationUrl();
         } else {
-            log.error("Could not find home url from session");
+            log.debug("Could not find home url from session");
             return "#";
         }
     }

src/main/java/ee/ria/sso/oidc/OidcAuthorizeRequestValidationServletFilter.java

@@ -3,6 +3,7 @@
 import ee.ria.sso.Constants;
 import ee.ria.sso.authentication.AuthenticationType;
 import ee.ria.sso.authentication.LevelOfAssurance;
+import ee.ria.sso.config.TaraProperties;
 import ee.ria.sso.config.eidas.EidasConfigurationProvider;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -38,6 +39,8 @@ public class OidcAuthorizeRequestValidationServletFilter implements Filter {
 
     private final EidasConfigurationProvider eidasConfigurationProvider;
 
+    private final TaraProperties taraProperties;
+
     @Override
     public void init(FilterConfig filterConfig) {
         log.debug("Initialize filter: {}", OidcAuthorizeRequestValidationServletFilter.class.getName());
@@ -103,8 +106,11 @@ private void saveOidcRequestParametersToSession(final HttpServletRequest request
         session.setAttribute(Constants.TARA_OIDC_SESSION_REDIRECT_URI,
                 request.getParameter(OidcAuthorizeRequestParameter.REDIRECT_URI.getParameterKey())
         );
+
+        List<AuthenticationType> authenticationMethodsList = getListOfAllowedAuthenticationMethods(scopes);
+        log.debug("List of authentication methods to display on login page: {}", authenticationMethodsList);
         session.setAttribute(Constants.TARA_OIDC_SESSION_AUTH_METHODS,
-                getListOfAllowedAuthenticationMethods(scopes)
+                authenticationMethodsList
         );
 
         final String acrValues = request.getParameter(OidcAuthorizeRequestParameter.ACR_VALUES.getParameterKey());
@@ -165,7 +171,7 @@ private List<AuthenticationType> getListOfAllowedAuthenticationMethods(final Lis
                     .filter(e -> scopes.contains(e.getScope()) )
                     .collect(Collectors.toList());
         } else {
-            return Arrays.asList(AuthenticationType.values());
+            return taraProperties.getDefaultAuthenticationMethods();
         }
     }
 

src/test/java/ee/ria/sso/oidc/OidcAuthorizeRequestValidationServletFilterTest.java

@@ -3,6 +3,7 @@
 import ee.ria.sso.Constants;
 import ee.ria.sso.authentication.AuthenticationType;
 import ee.ria.sso.authentication.LevelOfAssurance;
+import ee.ria.sso.config.TaraProperties;
 import ee.ria.sso.config.eidas.EidasConfigurationProvider;
 import org.junit.After;
 import org.junit.Assert;
@@ -26,6 +27,7 @@
 import java.util.List;
 import java.util.stream.Collectors;
 
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @RunWith(SpringJUnit4ClassRunner.class)
@@ -44,13 +46,16 @@ public class OidcAuthorizeRequestValidationServletFilterTest {
     @Mock
     private EidasConfigurationProvider eidasConfigurationProvider;
 
+    @Mock
+    private TaraProperties taraProperties;
+
     private OidcAuthorizeRequestValidationServletFilter servletFilter;
 
     @Before
     public void setUp() {
         when(eidasConfigurationProvider.getAllowedEidasCountryScopeAttributes()).thenReturn(ALLOWED_EIDAS_COUNTRY_ATTRIBUTES);
 
-        servletFilter = new OidcAuthorizeRequestValidationServletFilter(oidcRequestValidator, eidasConfigurationProvider);
+        servletFilter = new OidcAuthorizeRequestValidationServletFilter(oidcRequestValidator, eidasConfigurationProvider, taraProperties);
         servletFilter.init(Mockito.mock(FilterConfig.class));
     }
 
@@ -127,19 +132,6 @@ public void assertLoaNotInSessionWhenValidationSucceedsAndAcrValuesNotProvided()
         Assert.assertNull(request.getSession(false).getAttribute(Constants.TARA_OIDC_SESSION_LOA));
     }
 
-    @Test
-    public void assertAllAuthMethodsInSession() throws Exception {
-        assertAllAuthMethodsInSession(TaraScope.OPENID.getFormalName());
-        assertAllAuthMethodsInSession(String.join(" ", TaraScope.OPENID.getFormalName(), "unkonwn"));
-        assertAllAuthMethodsInSession(String.join(" ", TaraScope.OPENID.getFormalName(), "IDCARD"));
-        assertAllAuthMethodsInSession(String.join(" ", TaraScope.OPENID.getFormalName() ,
-                TaraScope.IDCARD.getFormalName(),
-                TaraScope.MID.getFormalName(),
-                TaraScope.EIDAS.getFormalName(),
-                TaraScope.BANKLINK.getFormalName(),
-                TaraScope.SMARTID.getFormalName()));
-    }
-
     @Test
     public void assertSingleAuthMethodsInSession() throws Exception {
         for (AuthenticationType authenticationType : Arrays.stream(AuthenticationType.values()).collect(Collectors.toList())) {
@@ -189,23 +181,43 @@ public void assertSelectionOfAuthMethodsInSession() throws Exception {
             );
     }
 
-
     @Test
-    public void assertAllAuthMethodsInSessionWhenValidationSucceedsAndOnlyOpenidScopeProvided() throws Exception {
-
-        MockHttpServletRequest request = new MockHttpServletRequest();
-        request.addParameter(OidcAuthorizeRequestParameter.SCOPE.getParameterKey(),
-                TaraScope.OPENID.getFormalName()
+    public void assertConfiguredListOfAuthMethodsInSessionWhenNoScopesProvided() throws Exception {
+        AuthenticationType authenticationType1 = AuthenticationType.IDCard;
+        AuthenticationType authenticationType2 = AuthenticationType.eIDAS;
+
+        when(taraProperties.getDefaultAuthenticationMethods()).thenReturn(Arrays.asList(authenticationType1));
+        assertAuthMethodInSession("Assert default auth methods allowed when not scopes specified",
+                "",
+                authenticationType1
         );
 
-        servletFilter.doFilter(request, new MockHttpServletResponse(), Mockito.mock(FilterChain.class));
-        Assert.assertEquals(
-                Arrays.asList(AuthenticationType.values()).stream().collect(Collectors.toList()),
-                request.getSession(false).getAttribute(Constants.TARA_OIDC_SESSION_AUTH_METHODS)
+        when(taraProperties.getDefaultAuthenticationMethods()).thenReturn(Arrays.asList(authenticationType1, authenticationType2));
+        assertAuthMethodInSession("Assert default auth methods allowed when not scopes specified",
+                String.join(" ", TaraScope.OPENID.getFormalName()),
+                authenticationType1
+                , authenticationType2
         );
     }
 
+    @Test
+    public void assertConfiguredListOfAuthMethodsInSessionWhenOnlyOpenIdScopeProvided() throws Exception {
+        AuthenticationType authenticationType1 = AuthenticationType.IDCard;
+        AuthenticationType authenticationType2 = AuthenticationType.eIDAS;
+
+        when(taraProperties.getDefaultAuthenticationMethods()).thenReturn(Arrays.asList(authenticationType1));
+        assertAuthMethodInSession("Assert default auth methods allowed when not scopes specified",
+                String.join(" ", TaraScope.OPENID.getFormalName()),
+                authenticationType1
+        );
 
+        when(taraProperties.getDefaultAuthenticationMethods()).thenReturn(Arrays.asList(authenticationType1, authenticationType2));
+        assertAuthMethodInSession("Assert default auth methods allowed when not scopes specified",
+                String.join(" ", TaraScope.OPENID.getFormalName()),
+                authenticationType1
+                , authenticationType2
+        );
+    }
 
     @Test
     public void assertOnlyEidasAuthMethodInSessionWhenValidationSucceedsAndEidasonlyScopeProvided() throws Exception {
@@ -284,6 +296,8 @@ public void assertScopeAndItsValuedAttributesOrderParsedFromScopeIsNotImportant(
 
     @Test
     public void assertOnlyEidasCountryAttributeParsedFromScope() throws Exception {
+        when(taraProperties.getDefaultAuthenticationMethods()).thenReturn(Arrays.asList(AuthenticationType.values()));
+
         MockHttpServletRequest request = new MockHttpServletRequest();
         String eidasCountry = "gb";
         String eidasCountryScopeAttribute = scopeValuedAttribute(TaraScopeValuedAttributeName.EIDAS_COUNTRY, eidasCountry);
@@ -386,18 +400,6 @@ private OidcAuthorizeRequestParameter[] getAllParametersExcept(OidcAuthorizeRequ
         return parameters.toArray(new OidcAuthorizeRequestParameter[parameters.size()]);
     }
 
-
-    private void assertAllAuthMethodsInSession(String scopeValue) throws IOException, ServletException {
-        MockHttpServletRequest request = new MockHttpServletRequest();
-        request.addParameter(OidcAuthorizeRequestParameter.SCOPE.getParameterKey(), scopeValue);
-
-        servletFilter.doFilter(request, new MockHttpServletResponse(), Mockito.mock(FilterChain.class));
-        Assert.assertEquals(
-                Arrays.asList(AuthenticationType.values()).stream().collect(Collectors.toList()),
-                request.getSession(false).getAttribute(Constants.TARA_OIDC_SESSION_AUTH_METHODS)
-        );
-    }
-
     private void assertAuthMethodInSession(String message, String scopeValue, AuthenticationType... authMethodInSession) throws IOException, ServletException {
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.addParameter(OidcAuthorizeRequestParameter.SCOPE.getParameterKey(), scopeValue);

src/test/resources/application-test.properties

@@ -5,6 +5,8 @@ ocsp.enabled=false
 
 logging.level.com.nortal=DEBUG
 
+tara.default-authentication-methods=idcard, mobileid
+
 #====================================================#
 # ID-kaardi liidestuse spetsiifilised parameetrid    #
 #====================================================#