Allow App Context Specific Invitations

- Add support for wildcards in redirect uris

[#100343056] https://www.pivotaltracker.com/story/show/100343056

Signed-off-by: Jonathan Lo <jlo@us.ibm.com>

login/src/main/java/org/cloudfoundry/identity/uaa/login/EmailInvitationsService.java

@@ -10,6 +10,7 @@
 import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
 import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceAlreadyExistsException;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
+import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
 import org.springframework.security.oauth2.provider.ClientDetails;
@@ -22,22 +23,21 @@
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
 
 @Service
 public class EmailInvitationsService implements InvitationsService {
     private final Log logger = LogFactory.getLog(getClass());
 
-    public static final String INVITATION_REDIRECT_URL = "invitation_redirect_url";
     public static final int INVITATION_EXPIRY_DAYS = 365;
 
     private final SpringTemplateEngine templateEngine;
     private final MessageService messageService;
 
     @Autowired
     private ScimUserProvisioning scimUserProvisioning;
-
-
     private String brand;
 
     public EmailInvitationsService(SpringTemplateEngine templateEngine, MessageService messageService, String brand) {
@@ -84,12 +84,13 @@ private String getEmailHtml(String currentUser, String code) {
     }
 
     @Override
-    public void inviteUser(String email, String currentUser, String redirectUri) {
+    public void inviteUser(String email, String currentUser, String clientId, String redirectUri) {
         try {
             ScimUser user = accountCreationService.createUser(email, new RandomValueStringGenerator().generate());
             Map<String,String> data = new HashMap<>();
             data.put("user_id", user.getId());
             data.put("email", email);
+            data.put("client_id", clientId);
             data.put("redirect_uri", redirectUri);
             String code = expiringCodeService.generateCode(data, INVITATION_EXPIRY_DAYS, TimeUnit.DAYS);
             sendInvitationEmail(email, currentUser, code);
@@ -102,6 +103,7 @@ public void inviteUser(String email, String currentUser, String redirectUri) {
                 Map<String,String> data = new HashMap<>();
                 data.put("user_id", existingUserResponse.getUserId());
                 data.put("email", email);
+                data.put("client_id", clientId);
                 data.put("redirect_uri", redirectUri);
                 String code = expiringCodeService.generateCode(data, INVITATION_EXPIRY_DAYS, TimeUnit.DAYS);
                 sendInvitationEmail(email, currentUser, code);
@@ -116,25 +118,26 @@ public void inviteUser(String email, String currentUser, String redirectUri) {
     }
 
     @Override
-    public String acceptInvitation(String userId, String email, String password, String clientId) {
+    public String acceptInvitation(String userId, String email, String password, String clientId, String redirectUri) {
         ScimUser user = scimUserProvisioning.retrieve(userId);
         scimUserProvisioning.verifyUser(user.getId(), user.getVersion());
 
         PasswordChangeRequest request = new PasswordChangeRequest();
         request.setPassword(password);
-
         scimUserProvisioning.changePassword(userId, null, password);
 
-        String redirectLocation = null;
-        if (clientId != null && !clientId.equals("")) {
+        String redirectLocation = "/home";
+        if (!clientId.equals("")) {
             try {
                 ClientDetails clientDetails = clientAdminEndpoints.getClientDetails(clientId);
-                redirectLocation = (String) clientDetails.getAdditionalInformation().get(INVITATION_REDIRECT_URL);
-            }catch (Exception x) {
-                throw new RuntimeException(x);
+                Set<Pattern> wildcards = UaaStringUtils.constructWildcards(clientDetails.getRegisteredRedirectUri());
+                if (UaaStringUtils.matches(wildcards, redirectUri)) {
+                    redirectLocation = redirectUri;
+                }
+            } catch (Exception x) {
+                return redirectLocation;
             }
         }
-
         return redirectLocation;
     }
 }

login/src/main/java/org/cloudfoundry/identity/uaa/login/InvitationsController.java

@@ -42,30 +42,35 @@ public InvitationsController(InvitationsService invitationsService) {
     }
 
     @RequestMapping(value = "/new", method = GET)
-    public String newInvitePage(Model model, @RequestParam(required = false, value = "redirect_uri") String redirectUri) {
+    public String newInvitePage(Model model, @RequestParam(required = false, value = "client_id") String clientId,
+                                @RequestParam(required = false, value = "redirect_uri") String redirectUri) {
+        model.addAttribute("client_id", clientId);
         model.addAttribute("redirect_uri", redirectUri);
         return "invitations/new_invite";
     }
 
 
     @RequestMapping(value = "/new.do", method = POST, params = {"email"})
-    public String sendInvitationEmail(@Valid @ModelAttribute("email") ValidEmail email, BindingResult result, @RequestParam("redirect_uri") String redirectUri, Model model, HttpServletResponse response) {
+    public String sendInvitationEmail(@Valid @ModelAttribute("email") ValidEmail email, BindingResult result,
+                                       @RequestParam(defaultValue = "", value = "client_id") String clientId,
+                                      @RequestParam(defaultValue = "", value = "redirect_uri") String redirectUri,
+                                      Model model, HttpServletResponse response) {
         if (result.hasErrors()) {
             return handleUnprocessableEntity(model, response, "error_message_code", "invalid_email", "invitations/new_invite");
         }
 
         UaaPrincipal p = ((UaaPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal());
         String currentUser = p.getName();
         try {
-           invitationsService.inviteUser(email.getEmail(), currentUser, redirectUri);
+           invitationsService.inviteUser(email.getEmail(), currentUser, clientId, redirectUri);
         } catch (UaaException e) {
            return handleUnprocessableEntity(model, response, "error_message_code", "existing_user", "invitations/new_invite");
         }
         return "redirect:sent";
     }
 
     @RequestMapping(value = "sent", method = GET)
-    public String inviteSentPage(Model model) {
+    public String inviteSentPage() {
         return "invitations/invite_sent";
     }
 
@@ -86,8 +91,8 @@ public String acceptInvitePage(@RequestParam String code, Model model, HttpServl
     @RequestMapping(value = "/accept.do", method = POST)
     public String acceptInvitation(@RequestParam("password") String password,
                                    @RequestParam("password_confirmation") String passwordConfirmation,
-                                   @RequestParam("client_id") String clientId,
-                                   @RequestParam("redirect_uri") String redirectUri,
+                                   @RequestParam(defaultValue = "", value = "client_id") String clientId,
+                                   @RequestParam(defaultValue = "", value = "redirect_uri") String redirectUri,
                                    Model model, HttpServletResponse servletResponse) throws IOException {
 
         PasswordConfirmationValidation validation = new PasswordConfirmationValidation(password, passwordConfirmation);
@@ -104,15 +109,9 @@ public String acceptInvitation(@RequestParam("password") String password,
             model.addAttribute("email", principal.getEmail());
             return handleUnprocessableEntity(model, servletResponse, "error_message", e.getMessagesAsOneString(), "invitations/accept_invite");
         }
-        String redirectLocation = invitationsService.acceptInvitation(principal.getId(), principal.getEmail(), password, clientId);
 
-        if (!redirectUri.equals("")) {
-            return "redirect:" + redirectUri;
-        }
-        if (redirectLocation != null) {
-            return "redirect:" + redirectLocation;
-        }
-        return "redirect:/home";
+        String redirectLocation = invitationsService.acceptInvitation(principal.getId(), principal.getEmail(), password, clientId, redirectUri);
+        return "redirect:" + redirectLocation;
     }
 
     private String handleUnprocessableEntity(Model model, HttpServletResponse response, String attributeKey, String attributeValue, String view) {

login/src/main/java/org/cloudfoundry/identity/uaa/login/InvitationsService.java

@@ -1,7 +1,7 @@
 package org.cloudfoundry.identity.uaa.login;
 
 public interface InvitationsService {
-    void inviteUser(String email, String currentUser, String redirectUri);
+    void inviteUser(String email, String currentUser, String clientId, String redirectUri);
 
-    String acceptInvitation(String userId, String email, String password, String clientId);
+    String acceptInvitation(String userId, String email, String password, String clientId, String redirectUri);
 }

login/src/main/resources/templates/web/invitations/new_invite.html

@@ -19,6 +19,7 @@ <h1>Send an invite</h1>
                 <p th:text="#{'new_invite.' + ${error_message_code}}">Error Message</p>
             </div>
             <input name="email" type="email" placeholder="Enter email" autofocus="autofocus" class="form-control"/>
+            <input name="client_id" type="hidden" th:value="${client_id}"/>
             <input name="redirect_uri" type="hidden" th:value="${redirect_uri}"/>
             <input type="submit" value="Send invite" class="island-button"/>
         </form>

login/src/test/java/org/cloudfoundry/identity/uaa/login/EmailInvitationsServiceTests.java

@@ -7,12 +7,13 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.not;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThat;
 import static org.mockito.Matchers.anyInt;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 
@@ -102,10 +103,11 @@ public void testSendInviteEmail() throws Exception {
         ArgumentCaptor<Map<String,String>> captor = ArgumentCaptor.forClass((Class)Map.class);
 
         when(expiringCodeService.generateCode(captor.capture(), anyInt(), eq(TimeUnit.DAYS))).thenReturn("the_secret_code");
-        emailInvitationsService.inviteUser("user@example.com", "current-user", "blah.example.com");
+        emailInvitationsService.inviteUser("user@example.com", "current-user", "client-id", "blah.example.com");
 
         Map<String,String> data = captor.getValue();
         assertEquals("existing-user-id", data.get("user_id"));
+        assertEquals("client-id", data.get("client_id"));
         assertEquals("blah.example.com", data.get("redirect_uri"));
 
         ArgumentCaptor<String> emailBodyArgument = ArgumentCaptor.forClass(String.class);
@@ -121,14 +123,32 @@ public void testSendInviteEmail() throws Exception {
         assertThat(emailBody, containsString("<a href=\"http://localhost/login/invitations/accept?code=the_secret_code\">Accept Invite</a>"));
         assertThat(emailBody, not(containsString("Cloud Foundry")));
     }
-
+
+    @Test
+    public void inviteUserWithoutClientIdOrRedirectUri() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setProtocol("http");
+        request.setContextPath("/login");
+        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
+
+        ArgumentCaptor<Map<String,String>> captor = ArgumentCaptor.forClass((Class)Map.class);
+
+        when(expiringCodeService.generateCode(captor.capture(), anyInt(), eq(TimeUnit.DAYS))).thenReturn("the_secret_code");
+        emailInvitationsService.inviteUser("user@example.com", "current-user", "", "");
+
+        Map<String,String> data = captor.getValue();
+        assertEquals("existing-user-id", data.get("user_id"));
+        assertEquals("", data.get("client_id"));
+        assertEquals("", data.get("redirect_uri"));
+    }
+
     @Test(expected = UaaException.class)
     public void testSendInviteEmailToUserThatIsAlreadyVerified() throws Exception {
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setProtocol("http");
         request.setContextPath("/login");
 
-        emailInvitationsService.inviteUser("alreadyverified@example.com", "current-user", "");
+        emailInvitationsService.inviteUser("alreadyverified@example.com", "current-user", "", "");
     }
 
     @Test
@@ -139,12 +159,10 @@ public void testSendInviteEmailToUnverifiedUser() throws Exception {
 		request.setContextPath("/login");
 		RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
 
-		byte[] errorResponse = "{\"error\":\"invalid_user\",\"message\":\"error message\",\"user_id\":\"existing-user-id\",\"verified\":false,\"active\":true}".getBytes();
-
         ArgumentCaptor<Map<String,String>> captor = ArgumentCaptor.forClass((Class)Map.class);
 
         when(expiringCodeService.generateCode(captor.capture(), anyInt(), eq(TimeUnit.DAYS))).thenReturn("the_secret_code");
-        emailInvitationsService.inviteUser("existingunverified@example.com", "current-user", "blah.example.com");
+        emailInvitationsService.inviteUser("existingunverified@example.com", "current-user", "", "blah.example.com");
 
         Map<String,String> data = captor.getValue();
         assertEquals("existing-user-id", data.get("user_id"));
@@ -172,10 +190,10 @@ public void testSendInviteEmailWithOSSBrand() throws Exception {
         request.setContextPath("/login");
         RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
 
-        ArgumentCaptor<Map<String,String>> captor = ArgumentCaptor.forClass((Class)Map.class);
+        ArgumentCaptor<Map<String,String>> captor = ArgumentCaptor.forClass((Class) Map.class);
 
         when(expiringCodeService.generateCode(captor.capture(), anyInt(), eq(TimeUnit.DAYS))).thenReturn("the_secret_code");
-        emailInvitationsService.inviteUser("user@example.com", "current-user", "");
+        emailInvitationsService.inviteUser("user@example.com", "current-user", "", "");
 
         Map<String,String> data = captor.getValue();
         assertEquals("existing-user-id", data.get("user_id"));
@@ -195,29 +213,56 @@ public void testSendInviteEmailWithOSSBrand() throws Exception {
     }
 
     @Test
-    public void testAcceptInvitation() throws Exception {
+    public void acceptInvitationNoClientId() throws Exception {
+        ScimUser user = new ScimUser("user-id-001", "user@example.com", "first", "last");
+        when(scimUserProvisioning.retrieve(eq("user-id-001"))).thenReturn(user);
+        String redirectLocation = emailInvitationsService.acceptInvitation("user-id-001", "user@example.com", "secret", "", "");
 
+        verify(scimUserProvisioning).verifyUser(user.getId(), user.getVersion());
+        verify(scimUserProvisioning).changePassword(user.getId(), null, "secret");
+        Mockito.verifyZeroInteractions(expiringCodeService);
+        assertEquals("/home", redirectLocation);
+    }
 
+    @Test
+    public void acceptInvitationWithClientNotFound() throws Exception {
         ScimUser user = new ScimUser("user-id-001", "user@example.com", "first", "last");
-        BaseClientDetails clientDetails = new BaseClientDetails("app", null, null, null, null, "http://example.com/redirect");
-        clientDetails.addAdditionalInformation("invitation_redirect_url", "http://example.com/redirect");
         when(scimUserProvisioning.retrieve(eq("user-id-001"))).thenReturn(user);
-        when(clientAdminEndpoints.getClientDetails(eq("app"))).thenReturn(clientDetails);
-        String redirectLocation = emailInvitationsService.acceptInvitation("user-id-001", "user@example.com", "secret", "app");
+        doThrow(new Exception("Client not found")).when(clientAdminEndpoints).getClientDetails("client-not-found");
+        String redirectLocation = emailInvitationsService.acceptInvitation("user-id-001", "user@example.com", "secret", "client-not-found", "");
 
+        verify(scimUserProvisioning).verifyUser(user.getId(), user.getVersion());
+        verify(scimUserProvisioning).changePassword(user.getId(), null, "secret");
         Mockito.verifyZeroInteractions(expiringCodeService);
-        assertEquals("http://example.com/redirect", redirectLocation);
+        assertEquals("/home", redirectLocation);
     }
 
     @Test
-    public void testAcceptInvitationWithNoClientRedirect() throws Exception {
+    public void acceptInvitationWithValidRedirectUri() throws Exception {
+        ScimUser user = new ScimUser("user-id-001", "user@example.com", "first", "last");
+        BaseClientDetails clientDetails = new BaseClientDetails("client-id", null, null, null, null, "http://example.com/*/");
+        when(scimUserProvisioning.retrieve(eq("user-id-001"))).thenReturn(user);
+        when(clientAdminEndpoints.getClientDetails("client-id")).thenReturn(clientDetails);
+        String redirectLocation = emailInvitationsService.acceptInvitation("user-id-001", "user@example.com", "secret", "client-id", "http://example.com/redirect/");
 
+        verify(scimUserProvisioning).verifyUser(user.getId(), user.getVersion());
+        verify(scimUserProvisioning).changePassword(user.getId(), null, "secret");
+        Mockito.verifyZeroInteractions(expiringCodeService);
+        assertEquals("http://example.com/redirect/", redirectLocation);
+    }
+
+    @Test
+    public void acceptInvitationWithInvalidRedirectUri() throws Exception {
         ScimUser user = new ScimUser("user-id-001", "user@example.com", "first", "last");
+        BaseClientDetails clientDetails = new BaseClientDetails("client-id", null, null, null, null, "http://example.com/redirect");
         when(scimUserProvisioning.retrieve(eq("user-id-001"))).thenReturn(user);
+        when(clientAdminEndpoints.getClientDetails("client-id")).thenReturn(clientDetails);
+        String redirectLocation = emailInvitationsService.acceptInvitation("user-id-001", "user@example.com", "secret", "client-id", "http://example.com/other/redirect");
 
-        String redirectLocation = emailInvitationsService.acceptInvitation("user-id-001", "user@example.com", "secret", "");
+        verify(scimUserProvisioning).verifyUser(user.getId(), user.getVersion());
+        verify(scimUserProvisioning).changePassword(user.getId(), null, "secret");
         Mockito.verifyZeroInteractions(expiringCodeService);
-        assertNull(redirectLocation);
+        assertEquals("/home", redirectLocation);
     }
 
     @Configuration