
Example 1 with RAS_AUTH_CODE_SCOPES

Use of org.pmiops.workbench.ras.RasLinkConstants.RAS_AUTH_CODE_SCOPES in the workbench project by all-of-us.

From the class RasLinkService, method linkRasLoginGovAccount.

/**
 * Links a RAS login.gov account with an AoU account.
 *
 * Exchanges the OAuth2 authorization code for tokens, requires the ID token's
 * acr claim to indicate IAL2 identity proofing, and records the login.gov
 * linkage (and the eRA Commons linkage, when RAS reports one) on the user.
 */
public DbUser linkRasLoginGovAccount(String authCode, String redirectUrl) {
    OpenIdConnectClient rasOidcClient = rasOidcClientProvider.get();
    JsonNode userInfoResponse;
    try {
        // OAuth dance to get the ID token and access token.
        TokenResponse tokenResponse = rasOidcClient.codeExchange(authCode, decodeUrl(redirectUrl), RAS_AUTH_CODE_SCOPES);
        // Validate IAL status from the ID token's acr claim; anything below IAL2 is rejected.
        String acrClaim = decodedJwt(tokenResponse.get(Id_TOKEN_FIELD_NAME).toString()).getClaim(ACR_CLAIM).asString();
        if (!isIal2(acrClaim)) {
            log.warning(String.format("User does not have IAL2 enabled, acrClaim: %s", acrClaim));
            throw new ForbiddenException(String.format("User does not have IAL2 enabled, acrClaim: %s", acrClaim));
        }
        // Fetch user info with the access token.
        userInfoResponse = rasOidcClient.fetchUserInfo(tokenResponse.getAccessToken());
    } catch (IOException e) {
        log.log(Level.WARNING, "Failed to link RAS account", e);
        throw new ServerErrorException("Failed to link RAS account", e);
    }
    // Record the login.gov linkage for the user.
    DbUser user = userService.updateRasLinkLoginGovStatus(getLoginGovUsername(userInfoResponse));
    // If the eRA Commons module is already completed or bypassed, there is nothing more to do.
    Optional<AccessModuleStatus> eRAModuleStatus = accessModuleService.getAccessModuleStatus(user).stream().filter(a -> a.getModuleName() == AccessModule.ERA_COMMONS).findFirst();
    if (eRAModuleStatus.isPresent() && (eRAModuleStatus.get().getCompletionEpochMillis() != null || eRAModuleStatus.get().getBypassEpochMillis() != null)) {
        return user;
    }
    // Otherwise, check whether the RAS response carries eRA Commons linking information.
    Optional<String> eRaUserId = getEraUserId(userInfoResponse);
    if (eRaUserId.isPresent() && !eRaUserId.get().isEmpty()) {
        return userService.updateRasLinkEraStatus(eRaUserId.get());
    } else {
        log.info(String.format("User does not have valid eRA %s", userInfoResponse.get(FEDERATED_IDENTITIES)));
    }
    return user;
}