First part of fixing #161. refactored test code

oa4mp-server-oauth2/buildNumber.properties

@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Wed Jan 24 08:12:17 CST 2024
-buildNumber\\d*=11545
+#Tue Jan 30 09:58:11 CST 2024
+buildNumber\\d*=11573

qdl/buildNumber.properties

@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Wed Jan 24 08:13:21 CST 2024
-buildNumber\\d*=11711
+#Tue Jan 30 09:59:17 CST 2024
+buildNumber\\d*=11755

server-loader/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/claims/IDTokenHandler.java

@@ -331,6 +331,9 @@ protected void restrictiveFinish(Collection<String> scopes, String execPhase) th
             setCurrentClaim(c, finalClaims, NAME);
             setCurrentClaim(c, finalClaims, GIVEN_NAME);
             setCurrentClaim(c, finalClaims, FAMILY_NAME);
+            setCurrentClaim(c, finalClaims, MIDDLE_NAME);
+            setCurrentClaim(c, finalClaims, NICKNAME);
+            setCurrentClaim(c, finalClaims, DISPLAY_NAME);
             setCurrentClaim(c, finalClaims, PREFERRED_USERNAME);
         }
         if (scopes.contains(OA2Scopes.SCOPE_ADDRESS)) {
@@ -397,6 +400,8 @@ protected void permissiveFinish(Collection<String> scopes, String execPhase) thr
         }
         if (!scopes.contains(OA2Scopes.SCOPE_PROFILE)) {
             getUserMetaData().remove(NAME);
+            getUserMetaData().remove(MIDDLE_NAME);
+            getUserMetaData().remove(NICKNAME);
             getUserMetaData().remove(GIVEN_NAME);
             getUserMetaData().remove(FAMILY_NAME);
             getUserMetaData().remove(PREFERRED_USERNAME);
@@ -412,17 +417,7 @@ protected void permissiveFinish(Collection<String> scopes, String execPhase) thr
             for(String claim: USER_INFO_CLAIMS){
                 getUserMetaData().remove(claim);
             }
-/*
-            getUserMetaData().remove(IS_MEMBER_OF);
-            getUserMetaData().remove(VO_PERSON_EXTERNALID);
-            getUserMetaData().remove(EDU_PERSON_ENTITLEMENT);
-            getUserMetaData().remove(VO_PERSON_ID);
-            getUserMetaData().remove(EPPN);
-            getUserMetaData().remove(EPTID);
-*/
         }
-
-
         // everything else gets passed back.
     }
 

server-loader/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/cm/oidc_cm/OIDCCMServlet.java

@@ -11,6 +11,7 @@
 import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.clients.OA2Client;
 import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.clients.OA2ClientConverter;
 import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.clients.OA2ClientKeys;
+import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.vo.VirtualOrganization;
 import edu.uiuc.ncsa.myproxy.oa4mp.server.admin.adminClient.AdminClient;
 import edu.uiuc.ncsa.myproxy.oa4mp.server.admin.permissions.Permission;
 import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.EnvServlet;
@@ -115,11 +116,7 @@ public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse htt
             if (!getOA2SE().getCmConfigs().hasRFC7592Config()) {
                 throw new IllegalAccessError("RFC 7592 not supported on this server. Request rejected.");
             }
-            String[] query = httpServletRequest.getParameterValues(QUERY_PARAMETER);
-            if (query != null && query.length != 0) {
-                handleServerQuery(Arrays.asList(query), httpServletRequest, httpServletResponse);
-                return;
-            }
+
             boolean isAnonymous = false;  // Meaning that a client is trying to get information
             AdminClient adminClient = null;
             try {
@@ -130,6 +127,11 @@ public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse htt
                 }
                 isAnonymous = true;
             }
+            String[] query = httpServletRequest.getParameterValues(QUERY_PARAMETER);
+            if (query != null && query.length != 0) {
+                handleServerQuery(adminClient, Arrays.asList(query), httpServletRequest, httpServletResponse);
+                return;
+            }
             OA2Client oa2Client = null;
             MetaDebugUtil debugger;
             if (isAnonymous) {
@@ -221,7 +223,7 @@ public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse htt
      * @param request
      * @param response
      */
-    private void handleServerQuery(List<String> queries, HttpServletRequest request, HttpServletResponse response) throws IOException {
+    private void handleServerQuery(AdminClient adminClient, List<String> queries, HttpServletRequest request, HttpServletResponse response) throws IOException {
         JSONObject jsonObject = new JSONObject();
         // improvement for https://github.com/ncsa/oa4mp/issues/154
         if (queries.contains("org.oa4mp:/server/defaults")) {
@@ -236,6 +238,14 @@ private void handleServerQuery(List<String> queries, HttpServletRequest request,
             jsonObject.put(AUTH_GRANT_TOKEN_LIFETIME, getOA2SE().getAuthorizationGrantLifetime() / 1000);
             jsonObject.put("use_server_default", OA2Client.USE_SERVER_DEFAULT);
             jsonObject.put(OA2ConfigurationLoader.REFRESH_TOKEN_GRACE_PERIOD_TAG, getOA2SE().getRtGracePeriod() / 1000);
+            if(adminClient==null){
+                jsonObject.put("issuer", getOA2SE().getIssuer());
+                jsonObject.put("at_issuer", getOA2SE().getIssuer());
+            }else{
+                VirtualOrganization vo = (VirtualOrganization) getOA2SE().getVOStore().get(adminClient.getVirtualOrganization());
+                jsonObject.put("issuer", vo.getIssuer());
+                jsonObject.put("at_issuer", vo.getAtIssuer());
+            }
         }
         writeOK(response, jsonObject);
     }
@@ -307,10 +317,15 @@ protected JSONObject toJSONObject(OA2Client client) {
         JSONArray cbs = new JSONArray();
         cbs.addAll(client.getCallbackURIs());
         json.put(OIDCCMConstants.REDIRECT_URIS, cbs);
+        boolean gotJWKSURI = false;
         if (client.hasJWKSURI()) {
+            gotJWKSURI = true;
             json.put(JWKS_URI, client.getJwksURI().toString());
         }
         if (client.hasJWKS()) {
+            if(gotJWKSURI){
+                throw new IllegalStateException("The specification explicitly forbids having both keys and a jwks uri. Request rejected");
+            }
             JSONObject jwks = JSONWebKeyUtil.toJSON(client.getJWKS());
             json.put(JWKS, jwks);
         }
@@ -391,7 +406,11 @@ protected JSONObject toJSONObject(OA2Client client) {
         if (client.hasOIDC_CM_Attributes()) {
             // add them back
             for (Object key : client.getOIDC_CM_Attributes().keySet()) {
-                json.put(key, client.getOIDC_CM_Attributes().get(key));
+                if(!key.equals(OA2Constants.CLIENT_ID)) {
+                    // had a case where a client uploaded client_id as an extra attribute
+                    // Don't allow the user to hot-rod the client id even by accident.
+                    json.put(key, client.getOIDC_CM_Attributes().get(key));
+                }
             }
         }
         return json;

server-loader/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/oauth2/storage/clients/OA2Client.java

@@ -403,6 +403,7 @@ public JSONObject getOIDC_CM_Attributes() {
     }
 
     public void setOIDC_CM_attributes(JSONObject attr) {
+        attr.remove(OA2Constants.CLIENT_ID); // do not allow clients to set a client id.
         setNamedAttributes(oidc_cm_attributes, attr);
     }
 

server-test/buildNumber.properties

@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Wed Jan 24 08:12:15 CST 2024
-buildNumber\\d*=10581
+#Tue Jan 30 09:58:10 CST 2024
+buildNumber\\d*=10609

server-test/src/main/resources/flow-tests/auto/clients/basic-with-qdl.json

@@ -42,4 +42,4 @@
     }
   }
 }
-}
+

server-test/src/main/resources/flow-tests/auto/clients/rfc9068-qdl.json

@@ -0,0 +1,12 @@
+{
+  "comment": [
+    "Client with various overrides. These are in the client configuration and test ",
+    "overriding the server defaults, but not using the cfg."
+  ],
+  "client_name": "Basic test client with overrides",
+  "token_endpoint_auth_method": "private_key_jwt",
+  "client_id":"auto-test:/oauth/rfc9068/qdl",
+  "grant_types":["refresh_token"],
+  "strict_scopes": false
+}
+

server-test/src/main/resources/flow-tests/auto/install.qdl

@@ -6,8 +6,7 @@
 
 */
 // /home/ncsa/dev/csd/config/auto-test/auto-test.ini
-say(args().0);
-ini. := file_read(args().0,2);
+ini. := file_read($$OA4MP_AUTO_TEST_INI,2);
 admin.:=ini.'admin';
 say('ini:\n' + print(ini.));
 print(info());

server-test/src/main/resources/flow-tests/auto/server/at.qdl

@@ -6,7 +6,10 @@ epe.:=claims#get_claims(claims#create_source(cfg.), claims.'sub').'eduPersonEnti
 debugger(1, '  epe = ' + to_string(epe.));
 out. := claims#template_substitution(epe., claims.);
 debugger(1, '  after subst = ' + to_string(out.));
-out. := claims#resolve_templates(out., scopes., 'post_token'==exec_phase);
+real_scopes.:=size(tx_scopes.)==0?scopes.:tx_scopes.;
+say('at.qdl scopes.\n' + print(scopes.));
+say('at.qdl tx_scopes.\n' + print(tx_scopes.));
+out. := claims#resolve_templates(out., real_scopes., 'post_token'==exec_phase);
 debugger(1, '  after resolve = ' + to_string(out.));
 
 access_token.'scope' := detokenize(out., ' ');

server-test/src/main/resources/flow-tests/auto/server/rfc9068-script.cfg

@@ -0,0 +1,31 @@
+// This has the configuration for a client that invokes QDL scripts on
+// the server.
+
+ tokens{
+  identity{
+     type=identity
+     lifetime=1200000 // 20 minutes
+     qdl{
+         load="auto/server/idt.qdl"
+         xmd={exec_phase=["post_token","post_refresh","post_user_info"]}
+       }// end qdl
+     } //end identity token
+     access{
+        type="rfc9068"
+        audience="https://aethelthrythe.edu/histrionics"
+        lifetime=3600000 // 1 hour
+        qdl{
+           load="auto/server/at.qdl"
+           xmd={exec_phase=["post_token","post_refresh","post_exchange"]}
+        } //end QDL
+     } // end access token
+     refresh{
+      type="refresh"
+      audience="https://aethelthrythe.edu/histrionics/refresh"
+      lifetime=259200000 // 3 days
+      qdl{
+          load="auto/server/process-xas.qdl"
+          xmd={exec_phase=["post_token","post_refresh","post_exchange"]}
+        } //end QDL
+      } // end refresh
+   } //end tokens

server-test/src/main/resources/flow-tests/auto/server/script.cfg → server-test/src/main/resources/flow-tests/auto/server/scitoken-script.cfg

@@ -4,16 +4,16 @@
  tokens{
   identity{
      type=identity
+     lifetime=1200000 // 20 minutes
      qdl{
          load="auto/server/idt.qdl"
-         lifetime=1200
          xmd={exec_phase=["post_token","post_refresh","post_user_info"]}
        }// end qdl
      } //end identity token
      access{
         type="scitoken"
         audience="https://wærstan.edu/physics"
-        lifetime=3600000
+        lifetime=3600000 // 1 hour
         qdl{
            load="auto/server/at.qdl"
            xmd={exec_phase=["post_token","post_refresh","post_exchange"]}
@@ -22,6 +22,7 @@
      refresh{
       type="refresh"
       audience="https://wærstan.edu/physics/refresh"
+      lifetime=259200000 // 3 days
       qdl{
           load="auto/server/process-xas.qdl"
           xmd={exec_phase=["post_token","post_refresh","post_exchange"]}