From d5bb2d39ad243a406aec3e8442a155f788875bbf Mon Sep 17 00:00:00 2001
From: Mike Roda
Date: Fri, 27 Sep 2024 14:43:25 -0400
Subject: [PATCH] Add tests, serialize/deserialize idpIdToken
Change-Id: Ie532f64f59ef7f0ed359af7975c95a8066c9d43c
---
 .../UaaAuthenticationDeserializer.java | 4 +++
 .../UaaAuthenticationJsonBase.java | 1 +
 .../UaaAuthenticationSerializer.java | 1 +
 ...henticationSerializerDeserializerTest.java | 2 ++
 ...xternalOAuthAuthenticationManagerTest.java | 35 +++++++++++++++++++
 5 files changed, 43 insertions(+)
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationDeserializer.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationDeserializer.java
index dcc51eb1aed..fd042956124 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationDeserializer.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationDeserializer.java
@@ -43,6 +43,7 @@ public UaaAuthentication deserialize(JsonParser jp, DeserializationContext ctxt)
 long authenticatedTime = -1;
 boolean authenticated = false;
 long previousLoginSuccessTime = -1;
+ String idpIdToken = null;
 Map> userAttributes = EMPTY_MAP;
 while (jp.nextToken() != JsonToken.END_OBJECT) {
 if (jp.getCurrentToken() == JsonToken.FIELD_NAME) {
@@ -72,6 +73,8 @@ public UaaAuthentication deserialize(JsonParser jp, DeserializationContext ctxt)
 authNContextClassRef = jp.readValueAs(new TypeReference>() {});
 } else if (PREVIOIUS_LOGIN_SUCCESS_TIME.equals(fieldName)){
 previousLoginSuccessTime = jp.getLongValue();
+ } else if (IDP_ID_TOKEN.equals(fieldName)){
+ idpIdToken = jp.readValueAs(new TypeReference() {});
 }
 }
 }
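Review bot: The new `IDP_ID_TOKEN` branch routes a plain string through the codec with `jp.readValueAs(new TypeReference...)`, while the `PREVIOIUS_LOGIN_SUCCESS_TIME` branch directly above it uses the parser's scalar accessor; `idpIdToken = jp.getValueAsString();` is the consistent form and still yields null for the JSON null that `writeObjectField` emits when the token is unset. This branch is the only place the value is read, and the file's third hunk only stores it with `setIdpIdToken`, so the change stays local. `deserialize` begins before and ends after this hunk.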
@@ -90,6 +93,7 @@ public UaaAuthentication deserialize(JsonParser jp, DeserializationContext ctxt)
 uaaAuthentication.setAuthenticationMethods(authenticationMethods);
 uaaAuthentication.setAuthContextClassRef(authNContextClassRef);
 uaaAuthentication.setLastLoginSuccessTime(previousLoginSuccessTime);
+ uaaAuthentication.setIdpIdToken(idpIdToken);
 return uaaAuthentication;
 }
 }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationJsonBase.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationJsonBase.java
index 45e7f828357..c1bb19a2710 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationJsonBase.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationJsonBase.java
@@ -32,6 +32,7 @@ public interface UaaAuthenticationJsonBase {
 String AUTHENTICATION_METHODS = "authenticationMethods";
 String AUTHN_CONTEXT_CLASS_REF = "authContextClassRef";
 String PREVIOIUS_LOGIN_SUCCESS_TIME = "previousLoginSuccessTime";
+ String IDP_ID_TOKEN = "idpIdToken";
 String NULL_STRING = "null";
 default Set serializeAuthorites(Collection authorities) {
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationSerializer.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationSerializer.java
index d0d987d6cbf..1c6ca4a79c6 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationSerializer.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationSerializer.java
@@ -36,6 +36,7 @@ public void serialize(UaaAuthentication value, JsonGenerator gen, SerializerProv
 gen.writeObjectField(USER_ATTRIBUTES, value.getUserAttributesAsMap());
 gen.writeObjectField(AUTHENTICATION_METHODS, value.getAuthenticationMethods());
 gen.writeObjectField(AUTHN_CONTEXT_CLASS_REF, value.getAuthContextClassRef());
+ gen.writeObjectField(IDP_ID_TOKEN, value.getIdpIdToken());
 gen.writeEndObject();
 }
 }
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationSerializerDeserializerTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationSerializerDeserializerTest.java
index 75f12ac749d..fc1637b2554 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationSerializerDeserializerTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationSerializerDeserializerTest.java
@@ -21,6 +21,7 @@ public void serializeUaaAuthentication() {
 auth.setAuthContextClassRef(Collections.singleton("test:uri"));
 auth.setAuthenticatedTime(1485314434675L);
 auth.setLastLoginSuccessTime(1485305759366L);
+ auth.setIdpIdToken("idtoken");
 UaaAuthentication deserializedUaaAuthentication = JsonUtils.readValue(JsonUtils.writeValueAsString(auth), UaaAuthentication.class);
@@ -35,5 +36,6 @@ public void serializeUaaAuthentication() {
 assertEquals(auth.getAuthenticationMethods(), deserializedUaaAuthentication.getAuthenticationMethods());
 assertEquals(auth.getAuthContextClassRef(), deserializedUaaAuthentication.getAuthContextClassRef());
 assertEquals(auth.getLastLoginSuccessTime(), deserializedUaaAuthentication.getLastLoginSuccessTime());
+ assertEquals(auth.getIdpIdToken(), deserializedUaaAuthentication.getIdpIdToken());
 }
 }
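Review bot: `gen.writeObjectField(IDP_ID_TOKEN, value.getIdpIdToken())` writes the external IdP's complete id_token into every serialized UaaAuthentication, unconditionally, so a JSON null goes out whenever the token is unset and the raw signed token goes out whenever it is set. That token is a signed assertion carrying identity claims, and this serialized form is what the deserializer in the same patch reads back, so the token now travels wherever UaaAuthentication is persisted or copied; that destination is outside the hunk, and anything that logs or exports the serialized authentication should treat it as sensitive. A comment on the field would spare the next maintainer the question of why the raw token is kept, e.g. `// raw IdP id_token retained in the serialized authentication: <consumer and reason the extracted claims are not enough>`. If the unset case is common, guarding with `if (value.getIdpIdToken() != null)` keeps the null out of the payload, since the deserializer already defaults to null.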
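Review bot: The new assertion only covers a populated token (`auth.setIdpIdToken("idtoken")`); the unset case, where the serializer emits a JSON null and the deserializer starts from `String idpIdToken = null`, is not exercised by either of these two hunks. A second round trip on a UaaAuthentication without the token, asserting `assertNull(deserializedUaaAuthentication.getIdpIdToken())`, would pin that it comes back as null rather than as a `"null"` string; the `NULL_STRING` constant in `UaaAuthenticationJsonBase` suggests that distinction has mattered in this format before. `serializeUaaAuthentication` begins before the first of these hunks.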
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java
index 3e3241b725a..117d2f88dba 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java
@@ -5,6 +5,9 @@
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSSigner;
+
+ import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
+ import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
 import org.cloudfoundry.identity.uaa.cache.StaleUrlCache;
 import org.cloudfoundry.identity.uaa.oauth.KeyInfo;
 import org.cloudfoundry.identity.uaa.oauth.KeyInfoService;
@@ -14,6 +17,7 @@
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
+ import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager.AuthenticationData;
 import org.cloudfoundry.identity.uaa.scim.jdbc.JdbcScimGroupExternalMembershipManager;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
 import org.cloudfoundry.identity.uaa.util.TimeServiceImpl;
@@ -437,4 +441,35 @@ public void getUser_doesThrowWhenIdTokenMappingIsWrongType() {
 ExternalOAuthCodeToken oidcAuthentication = new ExternalOAuthCodeToken(null, origin, "http://google.com", idTokenJwt, "accesstoken", "signedrequest");
 authManager.getUser(oidcAuthentication, authManager.getExternalAuthenticationDetails(oidcAuthentication));
 }
+
+ @Test
+ public void populateAuthenticationAttributes_setsIdpIdToken() {
+ UaaAuthentication authentication = new UaaAuthentication(new UaaPrincipal("user-guid", "marissa", "marissa@test.org", "uaa", "", ""), Collections.emptyList(), null);
+ Map header = map(
+ entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.RS256.getName()),
+ entry(HeaderParameterNames.KEY_ID, OIDC_PROVIDER_KEY)
+ );
+ JWSSigner signer = new KeyInfo("uaa-key", oidcProviderTokenSigningKey, DEFAULT_UAA_URL).getSigner();
+ Map entryMap = map(
+ entry("external_map_name", Arrays.asList("bar", "baz"))
+ );
+ Map claims = map(
+ entry("external_family_name", entryMap),
+ entry(ISS, oidcConfig.getIssuer()),
+ entry(AUD, "uaa-relying-party"),
+ entry(EXPIRY_IN_SECONDS, ((int) (System.currentTimeMillis()/1000L)) + 60),
+ entry(SUB, "abc-def-asdf")
+ );
+ Map externalGroupMapping = map(
+ entry(FAMILY_NAME_ATTRIBUTE_NAME, "external_family_name")
+ );
+ oidcConfig.setAttributeMappings(externalGroupMapping);
+ provider.setConfig(oidcConfig);
+ IdentityZoneHolder.get().getConfig().getTokenPolicy().setKeys(Collections.singletonMap("uaa-key", uaaIdentityZoneTokenSigningKey));
+ String idTokenJwt = UaaTokenUtils.constructToken(header, claims, signer);
+ ExternalOAuthCodeToken oidcAuthentication = new ExternalOAuthCodeToken(null, origin, "http://google.com", idTokenJwt, "accesstoken", "signedrequest");
+ AuthenticationData authenticationData = authManager.getExternalAuthenticationDetails(oidcAuthentication);
+ authManager.populateAuthenticationAttributes(authentication, oidcAuthentication, authenticationData);
+ assertEquals(idTokenJwt, authentication.getIdpIdToken());
+ }
 }
\ No newline at end of file
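Review bot: Most of the new test's body (the `entryMap` claim, `externalGroupMapping`, and the `setAttributeMappings`/`setConfig`/`setKeys` calls) appears to be carried over from the neighbouring `getUser_doesThrowWhenIdTokenMappingIsWrongType` setup, and none of it bears on the asserted behaviour, which is only that `populateAuthenticationAttributes` copies `idTokenJwt` into `getIdpIdToken()`. The wrong-type family-name mapping in particular makes this test depend on that mapping not throwing in the code path under test, which is a separate concern from the one named in the method. Building the token from just the `ISS`/`AUD`/`EXPIRY_IN_SECONDS`/`SUB` claims, or moving the shared header/signer/token construction into a private helper the other tests can reuse, would state the intent more directly; I cannot see whether such a helper already exists earlier in the file. The file still ends without a trailing newline.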