use of org.pmiops.workbench.ras.RasLinkConstants.FEDERATED_IDENTITIES in project workbench by all-of-us.
the class RasLinkService method linkRasLoginGovAccount.
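/**
 * Links a RAS login.gov account with the caller's AoU account.
 *
 * <p>Exchanges the authorization code for tokens, requires the ID token's {@code acr} claim to
 * indicate IAL2, then records the login.gov link on the user. If the eRA Commons access module is
 * not already completed or bypassed, the RAS user-info response is also checked for an eRA user id
 * and, when one is present, the eRA link is recorded as well.
 *
 * @param authCode authorization code returned by RAS at the end of the login.gov flow
 * @param redirectUrl URL-encoded redirect URI that was used for the authorization request
 * @return the updated user; when an eRA link was recorded, the user as returned by that update
 * @throws ForbiddenException if the ID token's {@code acr} claim does not indicate IAL2
 * @throws ServerErrorException if the code exchange or user-info fetch fails, or the token
 *     response carries no ID token
 */
public DbUser linkRasLoginGovAccount(String authCode, String redirectUrl) {
  OpenIdConnectClient rasOidcClient = rasOidcClientProvider.get();
  JsonNode userInfoResponse;
  try {
    // OAuth code exchange yields the ID token and the access token.
    TokenResponse tokenResponse =
        rasOidcClient.codeExchange(authCode, decodeUrl(redirectUrl), RAS_AUTH_CODE_SCOPES);
    Object idToken = tokenResponse.get(Id_TOKEN_FIELD_NAME);
    if (idToken == null) {
      // Without an ID token there is no acr claim to check: fail closed (as a server error via
      // the catch below) instead of dereferencing null.
      throw new IOException("RAS token response did not contain an ID token");
    }
    // Validate IAL status.
    // NOTE(review): the token is only decoded here, not signature-verified; that is acceptable
    // only because it was just received directly from the RAS token endpoint — confirm.
    String acrClaim = decodedJwt(idToken.toString()).getClaim(ACR_CLAIM).asString();
    if (!isIal2(acrClaim)) {
      String message = String.format("User does not have IAL2 enabled, acrClaim: %s", acrClaim);
      log.warning(message);
      throw new ForbiddenException(message);
    }
    // Fetch user info with the access token.
    userInfoResponse = rasOidcClient.fetchUserInfo(tokenResponse.getAccessToken());
  } catch (IOException e) {
    log.log(Level.WARNING, "Failed to link RAS account", e);
    throw new ServerErrorException("Failed to link RAS account", e);
  }
  DbUser user = userService.updateRasLinkLoginGovStatus(getLoginGovUsername(userInfoResponse));
  // If eRA is already complete or bypassed, nothing more to do.
  boolean eraAlreadySatisfied =
      accessModuleService.getAccessModuleStatus(user).stream()
          .filter(a -> a.getModuleName() == AccessModule.ERA_COMMONS)
          .findFirst()
          .map(s -> s.getCompletionEpochMillis() != null || s.getBypassEpochMillis() != null)
          .orElse(false);
  if (eraAlreadySatisfied) {
    return user;
  }
  // Otherwise check whether the RAS response carries eRA linking information.
  Optional<String> eRaUserId = getEraUserId(userInfoResponse).filter(id -> !id.isEmpty());
  if (eRaUserId.isPresent()) {
    return userService.updateRasLinkEraStatus(eRaUserId.get());
  }
  // NOTE(review): this logs the raw federated-identities node of the user-info response at INFO;
  // confirm it carries no identifiers that should not land in application logs.
  log.info(
      String.format("User does not have valid eRA %s", userInfoResponse.get(FEDERATED_IDENTITIES)));
  return user;
}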