UY-1510 QA fixes, add debug log, consent screen shows unfiltered

attributes

Author: ppiernik

oauth/src/main/java/pl/edu/icm/unity/oauth/as/AttributeFilteringSpec.java

@@ -7,8 +7,13 @@
 
 import java.util.Set;
 
+
 public record AttributeFilteringSpec(
 		String attributeName,
 		Set<String> values)
 {
+	public String toString()
+	{
+		return attributeName + "=" + values.toString();
+	}
 }

oauth/src/main/java/pl/edu/icm/unity/oauth/as/AttributeValueFilter.java

@@ -12,12 +12,17 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import org.apache.logging.log4j.Logger;
+
 import pl.edu.icm.unity.base.attribute.Attribute;
+import pl.edu.icm.unity.base.utils.Log;
 import pl.edu.icm.unity.engine.api.attributes.DynamicAttribute;
 
-class AttributeValueFilter
+public class AttributeValueFilter
 {
-	static Set<DynamicAttribute> filterAttributes(List<AttributeFilteringSpec> filter,
+	private static final Logger log = Log.getLogger(Log.U_SERVER_OAUTH, AttributeValueFilter.class);
+
+	public static Set<DynamicAttribute> filterAttributes(List<AttributeFilteringSpec> filter,
 			Collection<DynamicAttribute> attributes)
 	{
 		if(filter == null)
@@ -41,6 +46,8 @@ static Set<DynamicAttribute> filterAttributes(List<AttributeFilteringSpec> filte
 								.values()
 								.contains(v))
 						.toList();
+				log.debug("Filtered by claim filter attributes values for attribute {}: {}", attribute.getAttribute().getName(), filteredValues);
+				
 				if (filteredValues.isEmpty())
 				{
 					continue;

oauth/src/main/java/pl/edu/icm/unity/oauth/as/AttributeValueFilterUtils.java

@@ -70,10 +70,18 @@ public static List<AttributeFilteringSpec> getFiltersFromScopes(Scope scopes)
 			}
 		}
 
-		return filterByAttrName.entrySet()
+		 List<AttributeFilteringSpec> mappedFilters = filterByAttrName.entrySet()
 				.stream()
 				.map(e -> new AttributeFilteringSpec(e.getKey(), e.getValue()))
 				.toList();
+		 
+		if (!mappedFilters.isEmpty())
+		{
+			log.debug("Requested claim value filters: {}", mappedFilters);
+		}
+		 
+		 return mappedFilters;
+	
 	}
 
 	public static List<AttributeFilteringSpec> mergeFiltersWithPreservingLast(List<AttributeFilteringSpec> firstStageFilters,

oauth/src/main/java/pl/edu/icm/unity/oauth/as/token/ClientCredentialsProcessor.java

@@ -111,7 +111,7 @@ public OAuthToken processClientFlowRequest(String scope) throws OAuthValidationE
 			throw new OAuthValidationException("Internal error");
 		}
 		Set<DynamicAttribute> filteredAttributes = OAuthProcessor.filterAttributes(
-				translationResult, requestedAttributes, AttributeValueFilterUtils.getFiltersFromScopes(parsedScope));
+				translationResult, requestedAttributes);
 		UserInfo userInfo = OAuthProcessor.prepareUserInfoClaimSet(client, filteredAttributes);
 		internalToken.setUserInfo(userInfo.toJSONObject().toJSONString());
 		return internalToken;

oauth/src/main/java/pl/edu/icm/unity/oauth/as/webauthz/ASConsentDeciderServlet.java

@@ -12,6 +12,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Collectors;
 
 import org.apache.logging.log4j.Logger;
@@ -44,6 +45,7 @@
 import pl.edu.icm.unity.engine.api.idp.IdPEngine;
 import pl.edu.icm.unity.engine.api.policyAgreement.PolicyAgreementManagement;
 import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
+import pl.edu.icm.unity.oauth.as.AttributeValueFilter;
 import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
 import pl.edu.icm.unity.oauth.as.OAuthErrorResponseException;
 import pl.edu.icm.unity.oauth.as.OAuthIdpStatisticReporter;
@@ -209,9 +211,10 @@ protected void autoReplay(OAuthClientSettings clientPreferences, OAuthAuthzConte
 					oauthCtx.getConfig().getSubjectIdentityType());
 			log.info("Authentication of " + selectedIdentity);
 			Collection<DynamicAttribute> attributes =  OAuthProcessor.filterAttributes(userInfo,
-					oauthCtx.getEffectiveRequestedAttrs(), oauthCtx.getClaimValueFilters());
-			ACRConsistencyValidator.verifyACRAttribute(oauthCtx, attributes);
-			respDoc = oauthProcessor.prepareAuthzResponseAndRecordInternalState(attributes, selectedIdentity, oauthCtx,
+					oauthCtx.getEffectiveRequestedAttrs());
+			Set<DynamicAttribute> filteredAttributes = AttributeValueFilter.filterAttributes(oauthCtx.getClaimValueFilters(), attributes);
+			ACRConsistencyValidator.verifyACRAttribute(oauthCtx, filteredAttributes);
+			respDoc = oauthProcessor.prepareAuthzResponseAndRecordInternalState(filteredAttributes, selectedIdentity, oauthCtx,
 					statReporter, InvocationContext.getCurrent().getLoginSession().getAuthenticationTime(), oauthCtx.getClaimValueFilters());
 		} catch (OAuthErrorResponseException e)
 		{

oauth/src/main/java/pl/edu/icm/unity/oauth/as/webauthz/OAuthAuthzView.java

@@ -61,6 +61,7 @@
 import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
 import pl.edu.icm.unity.engine.api.utils.FreemarkerAppHandler;
 import pl.edu.icm.unity.oauth.as.AttributeFilteringSpec;
+import pl.edu.icm.unity.oauth.as.AttributeValueFilter;
 import pl.edu.icm.unity.oauth.as.AttributeValueFilterUtils;
 import pl.edu.icm.unity.oauth.as.OAuthASProperties;
 import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
@@ -198,14 +199,16 @@ private void activeValueSelectionAndConsentStage(OAuthAuthzContext ctx, OAuthASP
 		identity = idpEngine.getIdentity(translationResult, ctx.getConfig().getSubjectIdentityType());
 
 		Set<DynamicAttribute> allAttributes = OAuthProcessor.filterAttributes(translationResult,
-				ctx.getEffectiveRequestedAttrs(), ctx.getClaimValueFilters());
+				ctx.getEffectiveRequestedAttrs());
+		
+		Set<DynamicAttribute> filteredByClaimAttributes = AttributeValueFilter.filterAttributes(ctx.getClaimValueFilters(), allAttributes);
 
 		Optional<ActiveValueSelectionConfig> activeValueSelectionConfig = ActiveValueClientHelper
-				.getActiveValueSelectionConfig(config.getActiveValueClients(), ctx.getClientUsername(), allAttributes);
+				.getActiveValueSelectionConfig(config.getActiveValueClients(), ctx.getClientUsername(), filteredByClaimAttributes);
 
 		try
 		{
-			ACRConsistencyValidator.verifyACRAttribute(ctx, allAttributes);
+			ACRConsistencyValidator.verifyACRAttribute(ctx, filteredByClaimAttributes);
 		} catch (OAuthErrorResponseException e)
 		{
 			oauthResponseHandler.returnOauthResponseNotThrowingAndReportStatistic(e.getOauthResponse(), false, ctx,
@@ -214,19 +217,18 @@ private void activeValueSelectionAndConsentStage(OAuthAuthzContext ctx, OAuthASP
 		}
 
 		if (activeValueSelectionConfig.isPresent())
-			showActiveValueSelectionScreen(activeValueSelectionConfig.get());
+			showActiveValueSelectionScreen(activeValueSelectionConfig.get(), ctx);
 		else
-			gotoConsentStage(allAttributes, null);
+			gotoConsentStage(allAttributes, null, ctx);
 	}
 
-	private void gotoConsentStage(Collection<DynamicAttribute> attributes, Collection<DynamicAttribute> filteredAttributes)
+	private void gotoConsentStage(Collection<DynamicAttribute> attributes, Collection<DynamicAttribute> filteredAttributes, OAuthAuthzContext context)
 	{
-		OAuthAuthzContext context = OAuthSessionService.getVaadinContext();
 		if (!forceConsentIfConsentPrompt(context))
 		{
 			if (context.getConfig().isSkipConsent())
 			{
-				onFinalConfirm(identity, attributes, filteredAttributes);
+				onFinalConfirm(identity, AttributeValueFilter.filterAttributes(context.getClaimValueFilters(), attributes), filteredAttributes);
 				return;
 			} else if (isNonePrompt(context))
 			{
@@ -236,7 +238,7 @@ private void gotoConsentStage(Collection<DynamicAttribute> attributes, Collectio
 		}
 		OAuthConsentScreen consentScreen = new OAuthConsentScreen(msg, handlersRegistry, preferencesMan,
 				authnProcessor, idTypeSupport, aTypeSupport, identity, attributes,
-				this::onDecline,  (i,a) -> onFinalConfirm(i, a, filteredAttributes), oauthResponseHandler);
+				this::onDecline,  (i,a) -> onFinalConfirm(i, AttributeValueFilter.filterAttributes(context.getClaimValueFilters(), a) , filteredAttributes), oauthResponseHandler);
 		getContent().removeAll();
 		getContent().add(consentScreen);
 	}
@@ -260,11 +262,11 @@ private boolean forceConsentIfConsentPrompt(OAuthAuthzContext oauthCtx)
 		return oauthCtx.getPrompts().contains(Prompt.CONSENT);
 	}
 
-	private void showActiveValueSelectionScreen(ActiveValueSelectionConfig config)
+	private void showActiveValueSelectionScreen(ActiveValueSelectionConfig config, OAuthAuthzContext ctx)
 	{
 		ActiveValueSelectionScreen valueSelectionScreen = new ActiveValueSelectionScreen(msg, handlersRegistry,
 				authnProcessor, config.singleSelectableAttributes, config.multiSelectableAttributes,
-				config.remainingAttributes, OAUTH_CONSENT_DECIDER_SERVLET_PATH, this::onDecline, (selectionResult) -> gotoConsentStage(selectionResult.allAttributes(), selectionResult.filteredAttributes()));
+				config.remainingAttributes, OAUTH_CONSENT_DECIDER_SERVLET_PATH, this::onDecline, (selectionResult) -> gotoConsentStage(selectionResult.allAttributes(), selectionResult.filteredAttributes(), ctx));
 		getContent().removeAll();
 		getContent().add(valueSelectionScreen);
 	}