Merge branch 'develop' into 359-enhance-publishing-message-acknowledgement

Author: stevenwinship

doc/release-notes/11606-hide-spa-oidc-providers-from-jsf-login-screen.md

@@ -0,0 +1,7 @@
+This release fixes a bug where the value of the dataverse.auth.oidc.enabled setting, available when Provisioning an authentication provider via JVM options (see ref: https://guides.dataverse.org/en/latest/installation/oidc.html#provision-via-jvm-options) was not being not being propagated to the current Dataverse user interface (where enabled=false providers are not displayed for login/registration) or represented in the GET api/admin/authenticationProviders API call.
+
+A new JVM setting ('dataverse.auth.oidc.hidden-jsf') was added to hide an enabled OIDC Provider from the JSF UI. 
+
+For Dataverse instances deploying both the current JSF UI and the new SPA UI, this fix allows the OIDC Keycloak provider configured for the SPA to be hidden in the JSF UI (useful in cases where it would duplicate other configured providers).
+
+Note: The API to create a new Auth Provider can only be used to create a provider for both JSF and SPA. Use JVM / MicroProfile config setting to create SPA only providers.

doc/sphinx-guides/source/api/native-api.rst

@@ -7679,6 +7679,8 @@ Add new authentication provider. The POST data is in JSON format, similar to the
 
   POST http://$SERVER/api/admin/authenticationProviders
 
+.. note:: This endpoint will create providers for both JSF and SPA. Use :ref:`jvm-options` / *MicroProfile Config* if you need to create SPA only providers.
+
 Show Authentication Provider
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

doc/sphinx-guides/source/installation/oidc.rst

@@ -151,6 +151,10 @@ The following options are available:
     - Enable or disable provisioning the provider via MicroProfile.
     - N
     - ``false``
+  * - ``dataverse.auth.oidc.hidden-jsf``
+    - Show or Hide the provider from the JSF UI via MicroProfile.
+    - N
+    - ``false``
   * - ``dataverse.auth.oidc.client-id``
     - The client-id of the application to identify it at your provider.
     - Y
@@ -187,4 +191,4 @@ The following options are available:
     - Tune the maximum age, in seconds, of all OIDC providers' verifier cache entries. Default is 5 minutes, equivalent to lifetime
       of many OIDC access tokens.
     - N
-    - 300
+    - 300

docker-compose-dev.yml

@@ -22,6 +22,7 @@ services:
       DATAVERSE_MAIL_SYSTEM_EMAIL: "dataverse@localhost"
       DATAVERSE_MAIL_MTA_HOST: "smtp"
       DATAVERSE_AUTH_OIDC_ENABLED: "1"
+      DATAVERSE_AUTH_OIDC_HIDDEN_JSF: "1"
       DATAVERSE_AUTH_OIDC_CLIENT_ID: test
       DATAVERSE_AUTH_OIDC_CLIENT_SECRET: 94XHrfNRwXsjqTqApRrwWmhDLDHpIYV8
       DATAVERSE_AUTH_OIDC_AUTH_SERVER_URL: http://keycloak.mydomain.com:8090/realms/test

src/main/java/edu/harvard/iq/dataverse/LoginPage.java

@@ -143,7 +143,7 @@ public List<AuthenticationProviderDisplayInfo> listAuthenticationProviders() {
         Collections.sort(idps, Comparator.comparing(AuthenticationProvider::getOrder).thenComparing(AuthenticationProvider::getId));
 
         for (AuthenticationProvider idp : idps) {
-            if (idp != null) {
+            if (idp != null && !idp.isHidden()) {
                 infos.add(idp.getInfo());
             }
         }

src/main/java/edu/harvard/iq/dataverse/authorization/AuthenticationProvider.java

@@ -18,7 +18,7 @@
  *                "authenticationProvider.name." + "ship" ->
  *            (c)  Bundle.properties entry: "authenticationProvider.name.shib=Shibboleth"
  *          
- * {@code AuthenticationPrvider}s are normally registered at startup in {@link AuthenticationServiceBean#startup()}.
+ * {@code AuthenticationProvider}s are normally registered at startup in {@link AuthenticationServiceBean#startup()}.
  * 
  * @author michael
  */
@@ -33,9 +33,13 @@ public interface AuthenticationProvider {
     default boolean isUserInfoUpdateAllowed() { return false; };
     default boolean isUserDeletionAllowed() { return false; };
     default boolean isOAuthProvider() { return false; };
-    
-    
-    
+    default boolean isEnabled() {
+        return true;
+    };
+    default boolean isHidden() {
+        return false;
+    };
+
     /**
      * Some providers (e.g organizational ones) provide verified email addresses.
      * @return {@code true} if we can treat email addresses coming from this provider as verified, {@code false} otherwise.

src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/AbstractOAuth2AuthenticationProvider.java

@@ -93,6 +93,8 @@ public String toString() {
     protected String clientSecret;
     protected String baseUserEndpoint;
     protected String redirectUrl;
+    protected boolean enabled = true;
+    protected boolean hidden = false; // Special flag to hide this provider in JSF UI
 
     /**
      * List of scopes to be requested for authorization at identity provider.
@@ -272,6 +274,21 @@ public String getSubTitle() {
 
     public String getSpacedScope() { return String.join(" ", getScope()); }
 
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setHidden(boolean hidden) {
+        this.hidden = hidden;
+    }
+    public boolean isHidden() {
+        return hidden;
+    }
+
     @Override
     public int hashCode() {
         int hash = 7;

src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/oidc/OIDCAuthenticationProviderFactory.java

@@ -49,6 +49,7 @@ public AuthenticationProvider buildProvider( AuthenticationProviderRow aRow ) th
         oidc.setId(aRow.getId());
         oidc.setTitle(aRow.getTitle());
         oidc.setSubTitle(aRow.getSubtitle());
+        oidc.setEnabled(aRow.isEnabled());
 
         return oidc;
     }
@@ -70,6 +71,8 @@ public static AuthenticationProvider buildFromSettings() throws AuthorizationSet
         oidc.setId("oidc-mpconfig");
         oidc.setTitle(JvmSettings.OIDC_TITLE.lookupOptional().orElse("OpenID Connect"));
         oidc.setSubTitle(JvmSettings.OIDC_SUBTITLE.lookupOptional().orElse("OpenID Connect"));
+        oidc.setEnabled(JvmSettings.OIDC_ENABLED.lookupOptional(Boolean.class).orElse(true));
+        oidc.setHidden(JvmSettings.OIDC_HIDDEN_JSF.lookupOptional(Boolean.class).orElse(false));
 
         return oidc;
     }

src/main/java/edu/harvard/iq/dataverse/settings/JvmSettings.java

@@ -247,6 +247,7 @@ public enum JvmSettings {
     // AUTH: OIDC SETTINGS
     SCOPE_OIDC(SCOPE_AUTH, "oidc"),
     OIDC_ENABLED(SCOPE_OIDC, "enabled"),
+    OIDC_HIDDEN_JSF(SCOPE_OIDC, "hidden-jsf"), // Special case when this provider needs to be hidden in JSF UI
     OIDC_TITLE(SCOPE_OIDC, "title"),
     OIDC_SUBTITLE(SCOPE_OIDC, "subtitle"),
     OIDC_AUTH_SERVER_URL(SCOPE_OIDC, "auth-server-url"),

src/test/java/edu/harvard/iq/dataverse/api/AdminIT.java

@@ -49,6 +49,8 @@ public class AdminIT {
     private static final Logger logger = Logger.getLogger(AdminIT.class.getCanonicalName());
 
     private final String testNonSuperuserApiToken = createTestNonSuperuserApiToken();
+    static final String clientId = "test";
+    static final String clientSecret = "94XHrfNRwXsjqTqApRrwWmhDLDHpIYV8";
 
     @BeforeAll
     public static void setUp() {
@@ -1117,4 +1119,48 @@ public void testSetSuperUserStatus(Boolean status) {
         toggleSuperuser.then().assertThat()
                 .statusCode(OK.getStatusCode());
     }
+
+    // Testing creating an OIDC Provider not intended for use in JSF UI
+    @Test
+    public void testAddAuthProviders() {
+        Response createSuperuser = UtilIT.createRandomUser();
+        String superuserUsername = UtilIT.getUsernameFromResponse(createSuperuser);
+        String superuserApiToken = UtilIT.getApiTokenFromResponse(createSuperuser);
+        Response toggleSuperuser = UtilIT.makeSuperUser(superuserUsername);
+        toggleSuperuser.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        Response getAuthProviders = UtilIT.getAuthProviders(superuserApiToken);
+        getAuthProviders.prettyPrint();
+
+        String factoryData = String.format("type: oidc | issuer: http://keycloak.mydomain.com:8090/realms/test | clientId: %s | clientSecret: %s", clientId, clientSecret);
+        JsonObject jsonObject = Json.createObjectBuilder()
+                .add("id", "oidc1")
+                .add("factoryAlias", "oidc")
+                .add("title", "Open ID Connect SPA")
+                .add("subtitle", "SPA OIDC Provider")
+                .add("factoryData", factoryData)
+                .add("enabled", false)
+                .build();
+        Response addAuthProviders = UtilIT.addAuthProviders(superuserApiToken, jsonObject);
+        addAuthProviders.prettyPrint();
+        addAuthProviders.then().assertThat()
+                .statusCode(CREATED.getStatusCode());
+
+        getAuthProviders = UtilIT.getAuthProviders(superuserApiToken);
+        getAuthProviders.prettyPrint();
+        getAuthProviders.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        boolean found = false;
+        List<Map<String, Object>> providers = getAuthProviders.body().jsonPath().getList("data");
+        for (Map<String, Object> provider : providers) {
+            if ("oidc1".equalsIgnoreCase((String) provider.get("id"))) {
+                found = true;
+                assertTrue(provider.get("title") != null && provider.get("title").equals("Open ID Connect SPA"));
+                assertTrue(provider.get("enabled") != null && !(Boolean) provider.get("enabled"));
+            }
+        }
+        assertTrue(found);
+    }
 }