fix: publish an external group auth event only with registered IDPs (#…

…2941) * fix: publish external group event only with registered IDPs When authenticating a user with oauth, only publish the external group event for registered IDPs, thereby skipping the event if authentication is through uaa itself, such as when using the JWT bearer token grant. Change-Id: Ie62720a4f0d8933e35fe4d46921fd9b5b1293d58 * fix the name of the test that skips publishing the event Change-Id: I19f435d622afc3858d72500ca89b5ad9a3c84aee
cloudfoundry · Jun 26, 2024 · 1308dde · 1308dde
1 parent c95f6dd
commit 1308dde
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 3 deletions.
diff --git a/...java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/...java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -480,8 +480,10 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
             userFromDb = new UaaUser(getUserDatabase().retrieveUserPrototypeById(invitedUserId));
         }
 
+        boolean isRegisteredIdpAuthentication = isRegisteredIdpAuthentication(request);
+
         //we must check and see if the email address has changed between authentications
-        if (haveUserAttributesChanged(userFromDb, userFromRequest) && isRegisteredIdpAuthentication(request)) {
+        if (haveUserAttributesChanged(userFromDb, userFromRequest) && isRegisteredIdpAuthentication) {
             logger.debug("User attributed have changed, updating them.");
             userFromDb = userFromDb.modifyAttributes(email,
                                                      userFromRequest.getGivenName(),
@@ -493,8 +495,10 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
             userModified = true;
         }
 
-        ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(userFromDb, userModified, userFromRequest.getAuthorities(), true);
-        publish(event);
+        if (isRegisteredIdpAuthentication) {
+            ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(userFromDb, userModified, userFromRequest.getAuthorities(), true);
+            publish(event);
+        }
         return getUserDatabase().retrieveUserById(userFromDb.getId());
     }
 

diff --git a/...va/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java b/...va/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
@@ -7,6 +7,7 @@
 import org.apache.commons.lang3.RandomStringUtils;
 import org.cloudfoundry.identity.uaa.authentication.AccountNotPreCreatedException;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
+import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationSuccessEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.NewUserAuthenticatedEvent;
@@ -908,6 +909,37 @@ void updateShadowUser_IfAlreadyExists() {
         assertEquals(OriginKeys.UAA, uaaUser.getZoneId());
     }
 
+    @Test
+    void publishExternalGroupAuthorizationEvent_skippedIf_notIsRegisteredIdpAuthentication() {
+        claims.put("user_name", "12345");
+        claims.put("origin", "the_origin");
+        claims.put("iss", UAA_ISSUER_URL);
+
+        UaaUser existingShadowUser = new UaaUser(new UaaUserPrototype()
+                .withUsername("12345")
+                .withPassword("")
+                .withEmail("marissa_old@bloggs.com")
+                .withGivenName("Marissa_Old")
+                .withFamilyName("Bloggs_Old")
+                .withId("user-id")
+                .withOrigin("the_origin")
+                .withZoneId("uaa")
+                .withAuthorities(UaaAuthority.USER_AUTHORITIES));
+
+        userDatabase.addUser(existingShadowUser);
+
+        CompositeToken token = getCompositeAccessToken();
+        String idToken = token.getIdTokenValue();
+        xCodeToken = new ExternalOAuthCodeToken(null, null, null, idToken, null, null);
+
+        externalOAuthAuthenticationManager.authenticate(xCodeToken);
+
+        ArgumentCaptor<ApplicationEvent> userArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
+        verify(publisher, times(1)).publishEvent(userArgumentCaptor.capture());
+        assertEquals(1, userArgumentCaptor.getAllValues().size());
+        assertTrue(userArgumentCaptor.getAllValues().get(0) instanceof IdentityProviderAuthenticationSuccessEvent);
+    }
+
     @Test
     void invitedUser_becomesVerifiedOnAccept() {
         setUpInvitedUser();