
Feature/gap 1935 redirect after one login #48

Merged
merged 18 commits into from
Jul 10, 2023

Conversation

dominicwest
Contributor

@dominicwest dominicwest commented Jul 4, 2023

Description

Ticket #1935

Implementing redirect logic based on the user's ROLE, and on whether they've used our service as a COLA or OneLogin user before.
Also added a /v2/login endpoint that should redirect to OneLogin's login endpoint.

Left appropriate TODOs for future work:
https://technologyprogramme.atlassian.net/browse/GAP-1922
https://technologyprogramme.atlassian.net/browse/GAP-1932

Type of change

Please check the relevant options.

  • Bug fix (non-breaking change which fixes an issue).
  • New feature (non-breaking change which adds functionality).
  • Breaking change (fix or feature that would cause existing functionality to not work as expected).
  • This change requires a documentation update.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes:

  • Unit Test

  • Integration Test (if applicable)

  • End to End Test (if applicable)

Screenshots (if appropriate):

image (8)

Checklist:

  • If I have listed dependencies above, I have ensured that they are present in the target branch.
  • I have performed a self-review of my code.
  • I have commented my code in hard-to-understand areas.
  • I have made corresponding changes to the documentation where applicable.
  • I have run Cypress tests and they all pass locally.

@dominicwest dominicwest marked this pull request as draft July 4, 2023 12:08
@dominicwest dominicwest marked this pull request as ready for review July 7, 2023 11:50
@dominicwest dominicwest merged commit 00c0c1a into develop Jul 10, 2023
1 check passed
jgunnCO added a commit that referenced this pull request Aug 21, 2023
* Github action pipelines (#1)

* Create main.yml

* Create pushImage.yml

* Rename main.yml to feature.yml

* Github actions (#3)

* Create main.yml

* Create pushImage.yml

* Rename main.yml to feature.yml

* Create promoteToProd.yml

* Spring Boot project initial commit (#2)

* Create main.yml

* Create pushImage.yml

* Rename main.yml to feature.yml

* adding spring boot project

---------

Co-authored-by: dominicwest <[email protected]>
Co-authored-by: Gavin Cook <[email protected]>

* Adding a docker file to convert the jar to a docker image (#4)

Co-authored-by: Dominic West <[email protected]>

* Bug/rename dockerfile (#5)

* Renaming docker file

* Deleting redundant docker file

---------

Co-authored-by: Dominic West <[email protected]>

* Database setup (#6)

* Adding JPA, flyway and a docker compose file

* removing empty test class

* fixing a typo in the pom.xml file

---------

Co-authored-by: Gavin Cook <[email protected]>

* Adding a health controller and some tests (#7)

Co-authored-by: Gavin Cook <[email protected]>

* Login endpoint (#10)

* First pass at a login flow

* Validating third parties' JWT logic

* Validating COLA's JWT

* Starting unit tests

* Adding tests and a small refactor

* Starting unit tests

* Updating implementation to match updated cookie-signature npm module

* shifting static calls into a bean class

* Mooooore unit tests

* getSha256Mac bean tests & more ColaJwtService tests

* Adding the last few tests for jwt verification

* renaming a method

* Using string constant for cola signature

* renaming a variable and adding a constant

* Fixing POM

* moving a string to a constant and adding some dummy properties

---------

Co-authored-by: Gavin Cook <[email protected]>
Co-authored-by: Dominic West <[email protected]>

* FGP-58: Custom jwt (#11)

* First pass at a login flow

* Validating third parties' JWT logic

* Validating COLA's JWT

* Starting unit tests

* Adding tests and a small refactor

* Starting unit tests

* Updating implementation to match updated cookie-signature npm module

* shifting static calls into a bean class

* Mooooore unit tests

* getSha256Mac bean tests & more ColaJwtService tests

* Adding the last few tests for jwt verification

* renaming a method

* Using string constant for cola signature

* renaming a variable and adding a constant

* Adding properties to application.properties

* moving a string to a constant

* first pass at custom JWT logic

* Adding the remaining unit tests for different JWT states

* small refactor to reduce lines of code

* Making some constants public

* Removing duplicate service class

* Unit tests for CustomJwtServiceImpl & a couple small refactors

* Final unit tests and fixes after testing the service

* PR feedback on the custom token functionality

* Adding code to trim the leading "s:" characters from the jwt

* fixing an edge case bug

* Making cookies http only and secure

* broken test....doh

* Fixing some issues

* Reverting fetching redirectUrl from WebUtils.getCookie

* Fixing tests

---------

Co-authored-by: Gavin Cook <[email protected]>
Co-authored-by: Dominic West <[email protected]>

* FGP-34: added user validation with tests (#12)

* added user validation with tests

* Changed ValidateUser return type

* Update src/main/java/gov/cabinetofice/gapuserservice/web/LoginController.java

Co-authored-by: dominicwest <[email protected]>

* changed validateUser return type

* removed comment

---------

Co-authored-by: Rachel-Swart <[email protected]>
Co-authored-by: dominicwest <[email protected]>

* Fgp 39: Logout (#14)

* logout and blacklist functionality

* logout and blacklist tests

* finished tests and pr changes

* Changed date to LocalDateTime

* added clock bean

* changed maven-compiler-plugin source and target versions

---------

Co-authored-by: Rachel-Swart <[email protected]>

* making the jwt cookie value mandatory when calling the logout endpoint (#17)

Co-authored-by: Gavin Cook <[email protected]>

* FGP-38: Refresh token (#15)

* First pass at a login flow

* Validating third parties' JWT logic

* Validating COLA's JWT

* Starting unit tests

* Adding tests and a small refactor

* Starting unit tests

* Updating implementation to match updated cookie-signature npm module

* shifting static calls into a bean class

* Mooooore unit tests

* getSha256Mac bean tests & more ColaJwtService tests

* Adding the last few tests for jwt verification

* renaming a method

* Using string constant for cola signature

* renaming a variable and adding a constant

* Adding properties to application.properties

* moving a string to a constant

* first pass at custom JWT logic

* Adding the remaining unit tests for different JWT states

* small refactor to reduce lines of code

* Making some constants public

* Removing duplicate service class

* Unit tests for CustomJwtServiceImpl & a couple small refactors

* Final unit tests and fixes after testing the service

* PR feedback on the custom token functionality

* Adding code to trim the leading "s:" characters from the jwt

* fixing an edge case bug

* Making cookies http only and secure

* broken test....doh

* Fixing some issues

* Reverting fetching redirectUrl from WebUtils.getCookie

* Fixing tests

* Validating third parties' JWT logic

* Validating COLA's JWT

* Starting unit tests

* Starting unit tests

* Updating implementation to match updated cookie-signature npm module

* shifting static calls into a bean class

* Mooooore unit tests

* getSha256Mac bean tests & more ColaJwtService tests

* Adding the last few tests for jwt verification

* renaming a method

* Using string constant for cola signature

* first pass at custom JWT logic

* Removing duplicate service class

* Unit tests for CustomJwtServiceImpl & a couple small refactors

* Final unit tests and fixes after testing the service

* first pass at refreshing tokens

* Adding a scheduled task to clear expired JWT tokens out of the blacklist

* Adding a util method to add secure and http only flags to cookies

* numerous changes

- updated functionality to refresh a token to use new methods
- changed the default expiry date in the database for tokens to be the actual time the token expires, rather than "now"
- fixed tests
- added a migration to create a missing shedlock table
- SonarLint and IntelliJ linting suggestions implemented.

* removing a comment

* Adding a missing scheduler config file and making the method it calls transactional

---------

Co-authored-by: Gavin Cook <[email protected]>
Co-authored-by: Dominic West <[email protected]>

* Git ignoring application-local.properties

* FGP-63: boilerplate security with JWT auth filter (#8)

* feature: boilerplate security with jwt auth filter

* fix: missing security dependency

* fix: wrong health endpoint path in WebSecurityConfig

* Addressing TODOs

* Adding unit tests for the security filter

---------

Co-authored-by: Chris Steele <[email protected]>
Co-authored-by: Dominic West <[email protected]>

* FGP 40: Register Account (#22)

* initial commit of boilerplate register page and controller

* Adding files to save users to cognito

* Init GDS & basic register template setup

* Adding tests

* Refactoring

* Finishing register html

* Accessibility fix

* Adding a TODO

* Header changes

* Adding some missing tests

* Adding a missing application property

* Numerous changes

- Changing the name of the `UserController` to `RegistrationController`
- Adding an endpoint to load the registration form
- Adding tests

* Unused imports

* Creating footer/header components

* Updating register-user page to use templates, and some small fixes

* Re-adding get register page endpoint

* First pass at form validation for the registration page

* Duplicate account logic & user service interface

* Numerous changes:

- Adding a registration success page and a controller method to serve it
- Added tests for the `doesUserExist` method
- added a login url application property

* adding layout to registration success page and resolving conflicts.

---------

Co-authored-by: Gavin Cook <[email protected]>
Co-authored-by: Dominic West <[email protected]>

* Incorrectly secured endpoints (#23)

- Adding some endpoints as security filter exceptions in `WebSecurityConfig.java` so that unauthenticated users can access them.
- Fixing SonarLint suggestions

Co-authored-by: Gavin Cook <[email protected]>

* Adding a migration to create token blacklist table and an index on the jwt column (#24)

Co-authored-by: Gavin Cook <[email protected]>

* adding more paths to security exclusions (#25)

Co-authored-by: Gavin Cook <[email protected]>

* security and database updates (#26)

- added a migration to create a missing sequence
- added the error path to the security config

Co-authored-by: Gavin Cook <[email protected]>

* security and database updates (#27)

- added a migration to create a missing sequence
- added the error path to the security config

Co-authored-by: Gavin Cook <[email protected]>

* Fixing my previously badly configured migration (#28)

Co-authored-by: Gavin Cook <[email protected]>

* Fgp 103/jwks and token update (#30)

* JWKS and Token update

* Publish public keys in keyring format

* Refactoring logout endpoint to be a GET

* Refactoring refresh token endpoint to redirect to provided param

* Ignoring /webjars & /register paths from security filter

* security and database updates (#26)

- added a migration to create a missing sequence
- added the error path to the security config

Co-authored-by: Gavin Cook <[email protected]>

* JWKS and Token update

* Tests are broken trying to fix

* Fixed tests (thanks Dom!)

* Delete unneeded migration

* Update src/main/java/gov/cabinetofice/gapuserservice/web/LoginController.java

Co-authored-by: dominicwest <[email protected]>

* Update src/main/java/gov/cabinetofice/gapuserservice/web/LoginController.java

Co-authored-by: dominicwest <[email protected]>

---------

Co-authored-by: Dominic West <[email protected]>
Co-authored-by: GavCookCO <[email protected]>
Co-authored-by: Gavin Cook <[email protected]>
Co-authored-by: dominicwest <[email protected]>

* Adding a temporary exception for the OSS index in dependency check (#32)

Co-authored-by: Gavin Cook <[email protected]>

* Setting the cookie to apply for all paths on the domain (#31)

* Setting the cookie to apply for all paths on the domain

* Fixing tests

---------

Co-authored-by: Dominic West <[email protected]>

* Making logout an unauthenticated resource + fixing a cookie (#33)

Co-authored-by: Gavin Cook <[email protected]>

* adding additional logging (#34)

Co-authored-by: Gavin Cook <[email protected]>

* clearing tokens on logout (#35)

Co-authored-by: Gavin Cook <[email protected]>

* clearing tokens on logout (#36)

Co-authored-by: Gavin Cook <[email protected]>

* clearing tokens on logout (#37)

Co-authored-by: Gavin Cook <[email protected]>

* Fgp 112/error page (#38)

* error page and page not found

* Removing error controller

---------

Co-authored-by: Rachel-Swart <[email protected]>
Co-authored-by: Dominic West <[email protected]>

* Fixing a header link and service name (#39)

* Fixing a header link and service name

* Reverting change to the security filter

---------

Co-authored-by: Gavin Cook <[email protected]>

* Fixing back link (#42)

Co-authored-by: Dominic West <[email protected]>

* Logout redirects to the COLA login page directly (#44)

Co-authored-by: Dominic West <[email protected]>

* Revert "Logout redirects to the COLA login page directly (#44)"

This reverts commit 95d681c.

* Feature/one login integration (#46)

* feat(one login) adds redirect endpoint that will authenticate with One login and retrieve user info

---------

Co-authored-by: Dylan Wright <[email protected]>

* Feature/wiremock impl (#47)

* feat(wiremock): adds docker-compose file to spin up wiremock server

includes One Login stubs

* docs(README): adds readme file to document Wiremock

---------

Co-authored-by: Dylan Wright <[email protected]>

* GAP-1847 | support cognito user migration (#45)

* GAP-1847 | add users migration

* GAP-1847 | allow hashed pwd

* add departments table

* add encryptedEmail

* support roles table

* add foreign key constraint

* Adding pull request template

* Feature/gap 1935 redirect after one login (#48)

Implementing redirect logic based on the user's ROLE, and on whether they've used our service as a COLA or OneLogin user before.
Also added a /v2/login endpoint that should redirect to OneLogin's login endpoint.

* Adding roles & department name to JWT (#50)

Co-authored-by: Dominic West <[email protected]>

* Feature/gap 1850 spadmin (#52)

feat (super admin dashboard): adds functionality for super admin dashboard

---------

Co-authored-by: john-tco <[email protected]>
Co-authored-by: Dylan Wright <[email protected]>
Co-authored-by: Dominic West <[email protected]>

* Feature/gap 1912 notice page (#51)

Added notice-page redirect to the LoginControllerV2

* Adding getUserRolesFromJwt endpoint (#53)

- Checking roles
- Adding getUsersRolesFromJwt endpoint
- Fixing redirects to admin dashboards
- Adding wiremock for onelogin authorize

* ignore query params in authorize wiremock (#54)

* Feature/gap 1965 first time user privacy policy v2.0 (#55)

* Privacy policy page html

* GAP-1965 - Adds error handling for privacy policy page.

* GAP-1965 - Added accepted_privacy_policy column to gap_users table.

* GAP-1965 - Updated migration version number.

* GAP-1965 - Created POST handler to update database when user accepts privacy policy

* Added logic to redirect based on previous redirect url.

* Redefined redirect logic for admins, super-admins and privacy-policy

* GAP-1965 - Added privacy_policy fields to broken tests

* GAP-1965 - Fixed bug in error handling and redirect

* Fixed failing tests added test.

* Added privacy policy tests to service

* GAP-1965 - Unit tests for showPrivacyPolicyPage

* GAP-1965 - Removed unnecessary span.

---------

Co-authored-by: kiramarstonTCO <[email protected]>

* Super admin misc fixes (#56)

Adding a getRole function and returning this on some endpoints to get the user's highest privilege
Updating a user's roles always preserves FIND & APPLICANT roles
Adding a migration to add descriptions/labels to roles

* Fixing redirect logic (#58)

Co-authored-by: Dominic West <[email protected]>

* Fixing back/find a grant links on notice page

* Fixing tests

* Requiring privacy policy to be checked to be considered logged in (#59)

* Requiring privacy policy to be checked to be considered logged in

* Adding link to find a grant home page

---------

Co-authored-by: Dominic West <[email protected]>

* Bug/refactor login controller v2 (#60)

State design pattern / state machines
Using the State design pattern/state machine to attempt to simplify our login journey.

The premise of this is that during such journeys, there is a finite set of states.

Defining them all, and how one transitions to another in a single place should greatly help with future maintainability & readability compared to the previous implementation.

Implementation
I've chosen an enum to achieve this: LoginJourneyState. Each value defines a nextState function, which describes how to reach the next step in the journey. Endpoints will call this function when needed, invoking the state machine, which will perform actions until a state is reached that requires a redirect for the user. The endpoint can then grab this redirect from the enum's other function: getLoginJourneyRedirect.

I've defined a set of functions in the login controller that should greatly simplify how we do all of the above, so any future changes to the journey (such as the migration of old COLA users) will mainly take place in this enum state machine.

If none of that makes any sense, reach out to me and I can try again!

* After logging in - don't run state machine. Just redirect to current URL (#62)

Co-authored-by: Dominic West <[email protected]>

* Removing hasAcceptedPrivacyPolicy column (#63)

* Removing hasAcceptedPrivacyPolicy column

* Adding a default value to login_journey_state

---------

Co-authored-by: Dominic West <[email protected]>

* Shifting setting of login state to privacy_policy_accepted nextState()

* GAP-1931 - Department Information (#61)

* add department info endpoints

* add edit dept, getSingleDept

* unit test department controllers

* add service unit tests

* Update src/main/java/gov/cabinetofice/gapuserservice/service/DepartmentService.java

Co-authored-by: dominicwest <[email protected]>

* add ControllerExceptionHandler

* add max size on department fields

* remove annotation

* Added create and delete endpoints

* Added create and delete endpoints

* add validation on dept create route

* fix test

* fix test

* Unit tests for new endpoints

* fix department type

* refactor, add logs

* Update src/main/java/gov/cabinetofice/gapuserservice/service/DepartmentService.java

Co-authored-by: dominicwest <[email protected]>

* Update src/main/java/gov/cabinetofice/gapuserservice/service/DepartmentService.java

Co-authored-by: dominicwest <[email protected]>

* fix tests

* Unit tests for new endpoints

---------

Co-authored-by: dominicwest <[email protected]>
Co-authored-by: Ryan <[email protected]>

* GAP-2012 - Added OneLogin migration feature flag and tests (#64)

* fix GGIS validation (#66)

* Migrating a COLA applicants data (#65)

* Defining journey for migrating an applicant

* Fixing migration logic so we can display a migration banner on first login
Delegating migration to admin backend

* Deleting redundant changes

* Handling error/success migration redirect paths & invoking migrateUser endpoint in admin backend correctly

* Fixing migrateUser endpoint call uri

* Adding logs & updating applicant migration failure redirect

* Adding tests

---------

Co-authored-by: Dominic West <[email protected]>

* Updating migration redirects to match frontend (#69)

Co-authored-by: Dominic West <[email protected]>

* When creating new user - checking if one exists with a matching email

* Setting sub if null

* Adding admin-backend env var

* Feature/GAP-1930-Block-&-Delete  (#67)

* Added block and delete endpoints.

* Added tests for new endpoints and service function

* Feature/wiremock refactor (#73)

* test(wiremock-mappings): adds more responses for each user type

---------

Co-authored-by: Dylan Wright <[email protected]>

* TMI2-178: adding technical support role (#72)

* Adding code to handle the technical support user role

* Updating migration to fill additional data in

* Removing todo

* Moving the technical support role higher to allow multiple roles to be assigned to those users.

* Numerous

- renaming the `getRole` method to `getHighestRole` on user object
- moving tech support further up in the order of precedence

* Moving tech support below admin as admin needs to be the default redirect

* fix(userController): returns userDto instead of User entity (#74)

Co-authored-by: Dylan Wright <[email protected]>

* GAP-1994: View login start page (#77)

* GAP-1994 - Removed notice page

* GAP-1994 - Fixed tests

* Update src/main/java/gov/cabinetofice/gapuserservice/web/LoginControllerV2.java

* View app pages based on role (#76)

* add isSuperAdmin

* mv

* Fuzzy search users on dashboard (#70)

Updates to the main super-admin dashboard endpoint to accept optional query strings which filter users by department and roles and allow fuzzy search on the email address.

* format logs as JSON (#78)

* GAP-1941 Using trigram search algorithm rather than Levenshtein (#79)

* GAP-1941 Using trigram search algorithm rather than Levenshtein

* GAP-1941 triggering pipeline

---------

Co-authored-by: Dominic West <[email protected]>

* GAP-1992: state and nonce in auth (#75)

* GAP-1992|add wiremock response templating and return same state as in request

* GAP-1992|add state/nonce/idtoken DTOs for feature

* GAP-1992|add more cookie building utils

* GAP-1992|Generate and store state and nonce in cookies when logging in. Check state from /auth and nonce from /token with cookie values. Add and fix tests

* GAP-1992|add setup docs into readme

* GAP-1992|add Find a Grant banner.txt

* GAP-1992|hash state and store nonce in db instead of cookie

* GAP-1992|refactor and fix tests

* GAP-1992|throw exception correctly, add null check for date, add tests for exception throwing

* GAP-1992|revert change to superadmin wiremock response

* GAP-1992|re-add local hardcode for nonce

* GAP-1992|split getDecodedIdToken into 2 methods, refactor /redirect-after-login as per MR

* GAP-1992|refactor as per MR, remove unnecessary files

* GAP-1992|rename nonce migration script

* GAP-1992|address MR comments, sanitise code for /token

* GAP-1992|fix test

* GAP-1992|remove EncryptedResponseDto and autowiring

---------

Co-authored-by: conor <[email protected]>

* add request and response data to logs (#82)

* add request and response data to logs

* remove unnecessary filter

* Feat/add request response logging (#84)

* add request and response data to logs

* remove unnecessary filter

* handle empty cookies

* improve log formatting

---------

Co-authored-by: dominicwest <[email protected]>
Co-authored-by: GavCookCO <[email protected]>
Co-authored-by: Gavin Cook <[email protected]>
Co-authored-by: Dominic West <[email protected]>
Co-authored-by: rachelswart <[email protected]>
Co-authored-by: Rachel-Swart <[email protected]>
Co-authored-by: Chris Steele TCO <[email protected]>
Co-authored-by: Chris Steele <[email protected]>
Co-authored-by: iaincooper-tco <[email protected]>
Co-authored-by: dylanwrightCO <[email protected]>
Co-authored-by: Dylan Wright <[email protected]>
Co-authored-by: john-tco <[email protected]>
Co-authored-by: john-tco <[email protected]>
Co-authored-by: ryan-tco <[email protected]>
Co-authored-by: kiramarstonTCO <[email protected]>
Co-authored-by: Ryan <[email protected]>
Co-authored-by: kiramarstonTCO <[email protected]>
Co-authored-by: ConorFayleTCO <[email protected]>
Co-authored-by: conor <[email protected]>
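A worked example of the journey described in this PR's description (redirect by role, and by whether the user came from COLA or OneLogin) and in the PR #60 commit message above (the LoginJourneyState enum with nextState and getLoginJourneyRedirect). This is added example code, not code from gap-user-service or from the PR authors: it runs stand-alone on Java 17. The Role and LoginJourneyState values, the Context record, the landing-page paths, the allowlisted hosts and the adminBackendReachable stand-in for the admin-backend migrateUser call are all assumptions. It also validates the stored redirectUrl against an allowlist before following it; the page does not say whether the project does this, so read that part as the check a reviewer would ask for rather than as project behaviour.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

// Added example, not gap-user-service code: the LoginJourneyState state machine from PR #60 driving
// the role-based post-OneLogin redirect from PR #48. Names, paths and the allowlist are assumptions.
public class LoginJourneyExample {

    // Assumed roles, lowest to highest precedence (PR #72 keeps ADMIN above TECHNICAL_SUPPORT).
    enum Role { FIND, APPLICANT, TECHNICAL_SUPPORT, ADMIN, SUPER_ADMIN }

    // Assumed landing page per highest role; real values would come from application properties.
    static final Map<Role, String> ROLE_HOME = Map.of(
            Role.FIND, "/find", Role.APPLICANT, "/apply/applicant/dashboard",
            Role.TECHNICAL_SUPPORT, "/apply/admin/dashboard", Role.ADMIN, "/apply/admin/dashboard",
            Role.SUPER_ADMIN, "/apply/super-admin-dashboard");

    // Assumed: hosts a stored redirectUrl may point at; anything else falls back to the role home.
    static final Set<String> ALLOWED_REDIRECT_HOSTS = Set.of("find-a-grant.example", "admin.find-a-grant.example");
    // Stand-in for the admin backend migrateUser call; set to false to exercise the failure path.
    static boolean adminBackendReachable = true;

    // Per-request context the endpoint hands to the state machine (field names are assumptions).
    record Context(Set<Role> roles, boolean acceptedPrivacyPolicy, boolean hasColaAccount,
                   boolean colaDataMigrated, String requestedRedirect) {}

    enum LoginJourneyState {
        // Not logged in until the policy is accepted (PR #59); returning itself means "redirect now".
        PRIVACY_POLICY_PENDING {
            LoginJourneyState nextState(Context c) {
                if (!c.acceptedPrivacyPolicy()) return this;
                return c.hasColaAccount() && !c.colaDataMigrated() ? MIGRATING_COLA_USER : USER_READY;
            }
            String getLoginJourneyRedirect(Context c) { return "/privacy-policy"; }
        },
        // Transitional: runs the migration action and moves on without ever redirecting itself.
        MIGRATING_COLA_USER {
            LoginJourneyState nextState(Context c) { return adminBackendReachable ? USER_READY : MIGRATION_FAILED; }
            String getLoginJourneyRedirect(Context c) { throw new IllegalStateException("never redirects"); }
        },
        MIGRATION_FAILED {
            LoginJourneyState nextState(Context c) { return this; }
            String getLoginJourneyRedirect(Context c) { return "/apply/applicant/migration-failed"; }
        },
        USER_READY {
            LoginJourneyState nextState(Context c) { return this; }
            String getLoginJourneyRedirect(Context c) {
                String wanted = c.requestedRedirect();
                return wanted != null && isAllowedRedirect(wanted) ? wanted : ROLE_HOME.get(highestRole(c.roles()));
            }
        };
        abstract LoginJourneyState nextState(Context c);
        abstract String getLoginJourneyRedirect(Context c);
    }

    // Runs nextState until a state returns itself, i.e. until the user must be redirected.
    static LoginJourneyState run(LoginJourneyState state, Context c) {
        for (int hops = 0; hops <= LoginJourneyState.values().length; hops++) {
            LoginJourneyState next = state.nextState(c);
            if (next == state) return state;
            state = next;
        }
        throw new IllegalStateException("login journey did not terminate");
    }

    // Highest role wins; FIND is the floor because every user keeps FIND and APPLICANT (PR #56).
    static Role highestRole(Set<Role> roles) {
        Role[] r = Role.values();
        for (int i = r.length - 1; i >= 0; i--) if (roles.contains(r[i])) return r[i];
        return Role.FIND;
    }

    // Accepts a same-site path or an https URL on an allowlisted host. "//evil.example", "javascript:"
    // and backslash tricks are rejected so a tampered redirectUrl cookie cannot become an open redirect.
    static boolean isAllowedRedirect(String target) {
        try {
            URI uri = new URI(target);
            if (uri.getScheme() == null && uri.getHost() == null)
                return uri.getPath() != null && uri.getPath().startsWith("/") && !target.startsWith("//");
            return "https".equals(uri.getScheme()) && ALLOWED_REDIRECT_HOSTS.contains(uri.getHost());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample journeys: a super admin with a stored deep link, an un-migrated COLA
        // applicant, a new user who has not accepted the privacy policy, and an open-redirect attempt.
        List<Context> journeys = List.of(
                new Context(EnumSet.of(Role.FIND, Role.APPLICANT, Role.ADMIN, Role.SUPER_ADMIN), true, false, false,
                        "https://admin.find-a-grant.example/apply/admin/scheme/42"),
                new Context(EnumSet.of(Role.FIND, Role.APPLICANT), true, true, false, null),
                new Context(EnumSet.of(Role.FIND, Role.APPLICANT), false, false, false, null),
                new Context(EnumSet.of(Role.FIND, Role.APPLICANT), true, false, false, "//evil.example/login"));
        for (Context c : journeys) {
            LoginJourneyState end = run(LoginJourneyState.PRIVACY_POLICY_PENDING, c);
            System.out.println(end + " -> " + end.getLoginJourneyRedirect(c));
        }
    }
}
```

Compile with `javac LoginJourneyExample.java` and run `java LoginJourneyExample`. The shape matches what PR #60 describes: an endpoint calls run() with the user's persisted state, the loop keeps calling nextState until a state returns itself (the state that needs a redirect), and only then does the endpoint ask that state for its redirect. Keeping the migration step as a non-redirecting transitional state is what lets the journey perform work mid-flight without an extra round trip.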
4 participants