AUP exemption

iam-common/src/main/java/it/infn/mw/iam/service/aup/DefaultAupSignatureCheckService.java

@@ -59,6 +59,12 @@ public boolean needsAupSignature(IamAccount account) {
       return false;
     }
 
+    if (account.isServiceAccount()) {
+      LOG.debug("AUP signature not needed for account '{}': Account is a service account",
+          account.getUsername());
+      return false;
+    }
+
     if (isNull(account.getAupSignature())) {
       LOG.debug("AUP signature needed for account '{}': no signature record found for user",
           account.getUsername());

iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java

@@ -57,6 +57,7 @@
 import it.infn.mw.iam.persistence.model.IamAupSignature;
 import it.infn.mw.iam.persistence.repository.IamAupRepository;
 import it.infn.mw.iam.persistence.repository.IamAupSignatureRepository;
+import it.infn.mw.iam.persistence.repository.IamAupSignatureUpdateError;
 
 @SuppressWarnings("deprecation")
 @RestController
@@ -146,7 +147,7 @@ public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId)
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public AupSignatureDTO updateSignatureForAccount(@PathVariable String accountId,
       @RequestBody(required = false) @Validated AupSignaturePatchRequestDTO dto,
-      Authentication authentication) throws AccountNotFoundException {
+      Authentication authentication) throws AccountNotFoundException, IamAupSignatureUpdateError {
 
     Optional<IamAccount> updaterAccount = accountUtils.getAuthenticatedUserAccount();
 
@@ -178,7 +179,7 @@ public AupSignatureDTO updateSignatureForAccount(@PathVariable String accountId,
   @ResponseStatus(value = HttpStatus.NO_CONTENT)
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void deleteSignatureForAccount(@PathVariable String accountId,
-      Authentication authentication) throws AccountNotFoundException {
+      Authentication authentication) throws AccountNotFoundException, IamAupSignatureUpdateError {
 
     Optional<IamAccount> deleterAccount = accountUtils.getAuthenticatedUserAccount();
     IamAccount signatureAccount = accountUtils.getByAccountId(accountId)
@@ -225,4 +226,10 @@ public ErrorDTO accountNotFoundError(Exception ex) {
   public ErrorDTO aupNotFoundError(Exception ex) {
     return ErrorDTO.fromString(ex.getMessage());
   }
+
+  @ResponseStatus(value = HttpStatus.METHOD_NOT_ALLOWED)
+  @ExceptionHandler(IamAupSignatureUpdateError.class)
+  public ErrorDTO aupSignatureUpdateError(Exception ex) {
+    return ErrorDTO.fromString(ex.getMessage());
+  }
 }

iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignaturePageController.java

@@ -28,21 +28,26 @@
 import javax.servlet.http.HttpSession;
 
 import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.web.savedrequest.SavedRequest;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.servlet.ModelAndView;
 
 import it.infn.mw.iam.api.account.AccountUtils;
+import it.infn.mw.iam.api.common.ErrorDTO;
 import it.infn.mw.iam.audit.events.aup.AupSignedEvent;
 import it.infn.mw.iam.core.time.TimeProvider;
 import it.infn.mw.iam.persistence.model.IamAccount;
 import it.infn.mw.iam.persistence.model.IamAup;
 import it.infn.mw.iam.persistence.model.IamAupSignature;
 import it.infn.mw.iam.persistence.repository.IamAupRepository;
 import it.infn.mw.iam.persistence.repository.IamAupSignatureRepository;
+import it.infn.mw.iam.persistence.repository.IamAupSignatureUpdateError;
 
 @Controller
 public class AupSignaturePageController {
@@ -97,7 +102,7 @@ private Optional<SavedRequest> checkForSavedSpringSecurityRequest(HttpSession se
   @PreAuthorize("hasRole('USER')")
   @PostMapping(value = "/iam/aup/sign")
   public ModelAndView signAup(HttpServletRequest request, HttpServletResponse response,
-      HttpSession session) {
+      HttpSession session) throws IamAupSignatureUpdateError {
 
     Optional<IamAup> aup = repo.findDefaultAup();
 
@@ -126,6 +131,12 @@ public ModelAndView signAup(HttpServletRequest request, HttpServletResponse resp
 
     return new ModelAndView("redirect:/dashboard");
   }
+
+  @ExceptionHandler(IamAupSignatureUpdateError.class)
+  public ResponseEntity<ErrorDTO> aupSignatureUpdateError(Exception ex) {
+    ErrorDTO errorResponse = ErrorDTO.fromString(ex.getMessage());
+    return new ResponseEntity<>(errorResponse, HttpStatus.METHOD_NOT_ALLOWED);
+  }
 }
 
 

iam-login-service/src/main/java/it/infn/mw/iam/api/scim/converter/UserConverter.java

@@ -91,6 +91,10 @@ public IamAccount entityFromDto(ScimUser scimUser) {
       account.setActive(scimUser.getActive());
     }
 
+    if (scimUser.hasServiceAccountStatus()) {
+      account.setServiceAccount(scimUser.getIndigoUser().getServiceAccount());
+    }
+
     if (scimUser.getPassword() != null) {
 
       account.setPassword(scimUser.getPassword());
@@ -190,6 +194,7 @@ public ScimUser dtoFromEntity(IamAccount entity) {
       .meta(getScimMeta(entity))
       .name(getScimName(entity))
       .active(entity.isActive())
+      .serviceAccount(entity.isServiceAccount())
       .displayName(entity.getUsername())
       .locale(entity.getUserInfo().getLocale())
       .nickName(entity.getUserInfo().getNickname())

iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimIndigoUser.java

@@ -83,20 +83,24 @@ public String toString() {
   @Valid
   private final List<ScimGroupRef> managedGroups;
 
+  private Boolean serviceAccount;
+
   @JsonCreator
   private ScimIndigoUser(@JsonProperty("oidcIds") List<ScimOidcId> oidcIds,
       @JsonProperty("sshKeys") List<ScimSshKey> sshKeys,
       @JsonProperty("samlIds") List<ScimSamlId> samlIds,
       @JsonProperty("x509Certificates") List<ScimX509Certificate> certs,
       @JsonProperty("aupSignatureTime") Date aupSignatureTime,
-      @JsonProperty("endTime") Date endTime) {
+      @JsonProperty("endTime") Date endTime, 
+      @JsonProperty("serviceAccount") Boolean serviceAccount) {
 
     this.oidcIds = oidcIds != null ? oidcIds : new LinkedList<>();
     this.sshKeys = sshKeys != null ? sshKeys : new LinkedList<>();
     this.samlIds = samlIds != null ? samlIds : new LinkedList<>();
     this.certificates = certs != null ? certs : new LinkedList<>();
     this.aupSignatureTime = aupSignatureTime;
     this.endTime = endTime;
+    this.serviceAccount = serviceAccount;
     this.labels = null;
     this.authorities = null;
     this.attributes = null;
@@ -110,6 +114,7 @@ private ScimIndigoUser(Builder b) {
     this.certificates = b.certificates;
     this.aupSignatureTime = b.aupSignatureTime;
     this.endTime = b.endTime;
+    this.serviceAccount = b.serviceAccount;
     this.labels = b.labels;
     this.attributes = b.attributes;
     this.managedGroups = b.managedGroups;
@@ -159,6 +164,10 @@ public Date getEndTime() {
     return endTime;
   }
 
+  public Boolean getServiceAccount() {
+    return serviceAccount;
+  }
+
   public static Builder builder() {
 
     return new Builder();
@@ -174,6 +183,7 @@ public static class Builder {
 
     private Date aupSignatureTime;
     private Date endTime;
+    private Boolean serviceAccount;
 
     private List<String> authorities = Lists.newLinkedList();
     private List<ScimAttribute> attributes = Lists.newLinkedList();
@@ -212,6 +222,11 @@ public Builder endTime(Date endTime) {
       return this;
     }
 
+    public Builder serviceAccount(Boolean serviceAccount) {
+      this.serviceAccount = serviceAccount;
+      return this;
+    }
+
     public Builder labels(List<ScimLabel> labels) {
       this.labels = labels;
       return this;

iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimUser.java

@@ -93,7 +93,8 @@ private ScimUser(@JsonProperty("id") String id, @JsonProperty("externalId") Stri
       @JsonProperty("userType") String userType,
       @JsonProperty("preferredLanguage") String preferredLanguage,
       @JsonProperty("locale") String locale, @JsonProperty("timezone") String timezone,
-      @JsonProperty("active") Boolean active, @JsonProperty("emails") List<ScimEmail> emails,
+      @JsonProperty("active") Boolean active,
+      @JsonProperty("emails") List<ScimEmail> emails,
       @JsonProperty("addresses") List<ScimAddress> addresses,
       @JsonProperty("photos") List<ScimPhoto> photos,
       @JsonProperty("groups") Set<ScimGroupRef> groups,
@@ -215,7 +216,7 @@ public Boolean getActive() {
 
     return active;
   }
-
+  
   public List<ScimEmail> getEmails() {
 
     return emails;
@@ -276,6 +277,11 @@ public boolean hasName() {
     return name != null;
   }
 
+  public boolean hasServiceAccountStatus() {
+
+    return indigoUser != null && indigoUser.getServiceAccount() != null;
+  }
+
   public static Builder builder(String username) {
 
     return new Builder(username);
@@ -465,6 +471,11 @@ public Builder endTime(Date endTime) {
       return this;
     }
 
+    public Builder serviceAccount(Boolean serviceAccount) {
+      indigoUserBuilder.serviceAccount(serviceAccount);
+      return this;
+    }
+
     public Builder addAuthority(String authority) {
 
       Preconditions.checkNotNull(authority, "Null authority");

iam-login-service/src/main/java/it/infn/mw/iam/api/scim/provisioning/ScimUserProvisioning.java

@@ -30,6 +30,7 @@
 import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_GIVEN_NAME;
 import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_PASSWORD;
 import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_PICTURE;
+import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_SERVICE_ACCOUNT;
 import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_USERNAME;
 
 import java.util.ArrayList;
@@ -79,7 +80,8 @@ public class ScimUserProvisioning
       ACCOUNT_ADD_SSH_KEY, ACCOUNT_REMOVE_SSH_KEY, ACCOUNT_ADD_X509_CERTIFICATE,
       ACCOUNT_REMOVE_X509_CERTIFICATE, ACCOUNT_REPLACE_ACTIVE, ACCOUNT_REPLACE_EMAIL,
       ACCOUNT_REPLACE_FAMILY_NAME, ACCOUNT_REPLACE_GIVEN_NAME, ACCOUNT_REPLACE_PASSWORD,
-      ACCOUNT_REPLACE_PICTURE, ACCOUNT_REPLACE_USERNAME, ACCOUNT_REMOVE_PICTURE);
+      ACCOUNT_REPLACE_PICTURE, ACCOUNT_REPLACE_USERNAME, ACCOUNT_REMOVE_PICTURE, 
+      ACCOUNT_REPLACE_SERVICE_ACCOUNT);
 
   private final IamAccountService accountService;
   private final IamAccountRepository accountRepository;
@@ -283,6 +285,13 @@ private void handleSpecificUpdateType(IamAccount account, AccountUpdater u) {
         notificationFactory.createAccountSuspendedMessage(account);
       }
     }
+    if (ACCOUNT_REPLACE_SERVICE_ACCOUNT.equals(u.getType())) {
+      if (account.isServiceAccount()) {
+        notificationFactory.createSetAsServiceAccountMessage(account);
+      } else {
+        notificationFactory.createRevokeServiceAccountMessage(account);
+      }
+    }
   }
 
   @Override

iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/UpdaterType.java

@@ -24,6 +24,7 @@ public enum UpdaterType {
   ACCOUNT_REPLACE_PICTURE("Replace user picture"),
   ACCOUNT_REPLACE_USERNAME("Replace user username"),
   ACCOUNT_REPLACE_ACTIVE("Replace user active status"),
+  ACCOUNT_REPLACE_SERVICE_ACCOUNT("Replace user service account status"),
 
   ACCOUNT_ADD_OIDC_ID("Add OpenID Connect account to user"),
   ACCOUNT_ADD_SAML_ID("Add SAML account to user"),

iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/builders/Replacers.java

@@ -16,6 +16,7 @@
 package it.infn.mw.iam.api.scim.updater.builders;
 
 import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_ACTIVE;
+import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_SERVICE_ACCOUNT;
 import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_EMAIL;
 import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_FAMILY_NAME;
 import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_GIVEN_NAME;
@@ -36,6 +37,7 @@
 import it.infn.mw.iam.api.scim.updater.util.AccountFinder;
 import it.infn.mw.iam.api.scim.updater.util.IdNotBoundChecker;
 import it.infn.mw.iam.audit.events.account.ActiveReplacedEvent;
+import it.infn.mw.iam.audit.events.account.ServiceAccountReplacedEvent;
 import it.infn.mw.iam.audit.events.account.EmailReplacedEvent;
 import it.infn.mw.iam.audit.events.account.FamilyNameReplacedEvent;
 import it.infn.mw.iam.audit.events.account.GivenNameReplacedEvent;
@@ -146,4 +148,9 @@ public AccountUpdater active(boolean isActive) {
         account::isActive, account::setActive, isActive, ActiveReplacedEvent::new);
   }
 
+  public AccountUpdater serviceAccount(boolean isServiceAccount) {
+    return new DefaultAccountUpdater<Boolean, ServiceAccountReplacedEvent>(account, ACCOUNT_REPLACE_SERVICE_ACCOUNT,
+        account::isServiceAccount, account::setServiceAccount, isServiceAccount, ServiceAccountReplacedEvent::new);
+  }
+
 }

iam-login-service/src/main/java/it/infn/mw/iam/api/scim/updater/factory/DefaultAccountUpdaterFactory.java

@@ -208,6 +208,10 @@ private void prepareReplacers(List<AccountUpdater> updaters, ScimUser user, IamA
     addUpdater(updaters, Objects::nonNull, user::getPassword, replace::password);
     addUpdater(updaters, Objects::nonNull, user::getActive, replace::active);
 
+    if (user.hasServiceAccountStatus()) {
+      addUpdater(updaters, Objects::nonNull, user.getIndigoUser()::getServiceAccount, replace::serviceAccount); 
+    }
+
     if (user.hasEmails()) {
       addUpdater(updaters, Objects::nonNull, user.getEmails().get(0)::getValue, replace::email);
     }

iam-login-service/src/main/java/it/infn/mw/iam/audit/events/account/ServiceAccountReplacedEvent.java

@@ -0,0 +1,41 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.audit.events.account;
+
+import static it.infn.mw.iam.api.scim.updater.UpdaterType.ACCOUNT_REPLACE_SERVICE_ACCOUNT;
+
+import it.infn.mw.iam.api.scim.updater.UpdaterType;
+import it.infn.mw.iam.persistence.model.IamAccount;
+
+public class ServiceAccountReplacedEvent extends AccountUpdatedEvent {
+
+  private static final long serialVersionUID = 5681737929767602266L;
+
+  private final Boolean serviceAccount;
+
+  public ServiceAccountReplacedEvent(Object source, IamAccount account, Boolean serviceAccount) {
+    super(source, account, ACCOUNT_REPLACE_SERVICE_ACCOUNT, buildMessage(ACCOUNT_REPLACE_SERVICE_ACCOUNT, serviceAccount));
+    this.serviceAccount = serviceAccount;
+  }
+
+  public Boolean getServiceAccount() {
+    return serviceAccount;
+  }
+
+  protected static String buildMessage(UpdaterType t, Boolean serviceAccount) {
+    return String.format("%s: %s", t.getDescription(), serviceAccount);
+  }
+}

iam-login-service/src/main/java/it/infn/mw/iam/core/web/aup/AupReminderTask.java

@@ -68,7 +68,7 @@ public void sendAupReminders() {
 
         // check if an email of type AUP_EXPIRATION does not already exist, because it is never deleted
         expiredSignatures.forEach(s -> {
-          if (isExpiredSignatureEmailNotAlreadySentFor(s.getAccount())) {
+          if (isExpiredSignatureEmailNotAlreadySentFor(s.getAccount()) && !s.getAccount().isServiceAccount()) {
             notification.createAupSignatureExpMessage(s.getAccount());
           }
         });
@@ -88,7 +88,7 @@ private void processRemindersForInterval(IamAup aup, LocalDate currentDate, Inte
 
     // check if an email of type AUP_REMINDER does not already exist, because it is never deleted
     signatures.forEach(s -> {
-      if (isAupReminderEmailNotAlreadySentFor(s.getAccount(), tomorrowAsDate)) {
+      if (isAupReminderEmailNotAlreadySentFor(s.getAccount(), tomorrowAsDate) && !s.getAccount().isServiceAccount()) {
         notification.createAupReminderMessage(s.getAccount(), aup);
       }
     });

iam-login-service/src/main/java/it/infn/mw/iam/notification/NotificationFactory.java

@@ -61,4 +61,8 @@ IamEmailNotification createClientStatusChangedMessageFor(ClientDetailsEntity cli
   IamEmailNotification createMfaDisableMessage(IamAccount account);
 
   IamEmailNotification createMfaEnableMessage(IamAccount account);
+
+  IamEmailNotification createSetAsServiceAccountMessage(IamAccount account);
+
+  IamEmailNotification createRevokeServiceAccountMessage(IamAccount account);
 }