Revert "[R-2025-23]多要素認証機能の本番環境への設定作業"

cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java

@@ -29,7 +29,6 @@
 import io.cos.cas.authentication.exceptions.InstitutionLoginFailedAttributesMissingException;
 import io.cos.cas.authentication.exceptions.InstitutionLoginFailedAttributesParsingException;
 import io.cos.cas.authentication.exceptions.InstitutionLoginFailedOsfApiException;
-import io.cos.cas.authentication.exceptions.InstitutionLoginFailedOsfApiLoAException; // @R2022-48 loa
 import io.cos.cas.authentication.exceptions.InvalidUserStatusException;
 import io.cos.cas.authentication.exceptions.InvalidVerificationKeyException;
 import io.cos.cas.authentication.exceptions.OneTimePasswordFailedLoginException;
@@ -91,7 +90,6 @@ public class OpenScienceFrameworkAuthenticationExceptionHandler extends Authenti
         DEFAULT_ERROR_LIST.add(InstitutionLoginFailedAttributesMissingException.class);
         DEFAULT_ERROR_LIST.add(InstitutionLoginFailedAttributesParsingException.class);
         DEFAULT_ERROR_LIST.add(InstitutionLoginFailedOsfApiException.class);
-        DEFAULT_ERROR_LIST.add(InstitutionLoginFailedOsfApiLoAException.class); // @R2022-48 loa
         DEFAULT_ERROR_LIST.add(InvalidVerificationKeyException.class);
         DEFAULT_ERROR_LIST.add(InvalidUserStatusException.class);
         DEFAULT_ERROR_LIST.add(OneTimePasswordFailedLoginException.class);

cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkTerminateSessionAction.java

@@ -91,11 +91,9 @@ public Event terminate(final RequestContext context) {
         String institutionId = null;
         Boolean remotePrincipal = Boolean.FALSE;
 
-        final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
-        final String serviceUrl = request.getParameter("service");
-        logger.info("[serviceUrl] Param: '{}'", serviceUrl);
         // for logout, we need to get the cookie's value
         if (tgtId == null) {
+            final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
             tgtId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);
         }
         // for institution logout, get the institutionId stored in TGT
@@ -124,24 +122,16 @@ public Event terminate(final RequestContext context) {
         this.ticketGrantingTicketCookieGenerator.removeCookie(response);
         this.warnCookieGenerator.removeCookie(response);
 
-        final String institutionLogoutUrl;
         // if logged in through institutions, redirect to institution logout endpoint
         if (remotePrincipal && institutionId != null) {
-            if (serviceUrl != null) {
-                institutionLogoutUrl = serviceUrl;
-            } else {
-                institutionLogoutUrl = institutionHandler.findInstitutionLogoutUrlById(institutionId);
-            }
+            final String institutionLogoutUrl = institutionHandler.findInstitutionLogoutUrlById(institutionId);
             if (institutionLogoutUrl == null) {
                 logger.warn("Institution {} does not have a dedicated logout url, use default logout redirection instead", institutionId);
             } else {
                 context.getFlowScope().put("logoutRedirectUrl", institutionLogoutUrl);
                 // return `finish` event to prevent `logoutRedirectUrl` being overwritten
                 return new Event(this, "finish");
             }
-        } else if (serviceUrl != null) {
-            context.getFlowScope().put("logoutRedirectUrl", serviceUrl);
-            return new Event(this, "finish");
         }
 
         return this.eventFactorySupport.success(this);

cas-server-support-osf/src/test/java/io/cos/cas/AbstractTestUtils.java

@@ -45,8 +45,6 @@ public abstract class AbstractTestUtils {
 
     public static final String[] CONST_SINGLE_ENTITLEMENTS_OUTPUT = {"value1-1", "value1-2", "value1-3"};
 
-    public static final String CONST_JSON_STRING = "{\"key1-1\":\"value1-1\"}";
-
     private static final String REMOTE_USER = "REMOTE_USER";
 
     private static final String ATTRIBUTE_PREFIX = "AUTH-";

cas-server-support-osf/src/test/java/io/cos/cas/authentication/handler/support/OpenScienceFrameworkPrincipalFromRequestRemoteUserNonInteractiveCredentialsActionTests.java

@@ -117,8 +117,6 @@ public void handleInstitutionValidRemotePrincipal() throws Exception {
         final OpenScienceFrameworkCredential osfCredential = new OpenScienceFrameworkCredential();
         osfCredential.setUsername(AbstractTestUtils.CONST_MAIL);
         osfCredential.setInstitutionId(AbstractTestUtils.CONST_INSTITUTION_ID);
-        osfRemoteAuthenticate
-                .setInstitutionsLoginAvailabilityUrl(AbstractTestUtils.CONST_INSTITUTION_LOGIN_AVAILABILITY_URL);
         try {
             osfRemoteAuthenticate.notifyRemotePrincipalAuthenticated(osfCredential);
         } catch (final AccountException e) {
@@ -256,7 +254,7 @@ public void verifyLoginAvailabilityGetEntitlementFlow() throws Exception {
         List<String> entitlementList = new ArrayList<String>();
 
         // Verify in case single entitlement
-        entitlementList = osfRemoteAuthenticate.getStringList(AbstractTestUtils.CONST_SINGLE_ENTITLEMENT_INPUT);
+        entitlementList = osfRemoteAuthenticate.getEntitlements(AbstractTestUtils.CONST_SINGLE_ENTITLEMENT_INPUT);
         assertEquals(entitlementList.size(), AbstractTestUtils.CONST_SINGLE_ENTITLEMENTS_OUTPUT.length);
     }
 
@@ -274,7 +272,7 @@ public void verifyLoginAvailabilitySingleEntitlementFlow() throws Exception {
         osfCredential.setUsername(AbstractTestUtils.CONST_MAIL);
 
         osfRemoteAuthenticate.setSingleEntitlement(true);
-        osfRemoteAuthenticate.setLoginAvailability("can login");
+        osfRemoteAuthenticate.setLoginAvailability(true);
         osfRemoteAuthenticate
                 .setInstitutionsLoginAvailabilityUrl(AbstractTestUtils.CONST_INSTITUTION_LOGIN_AVAILABILITY_URL);
 
@@ -298,6 +296,7 @@ public void verifyLoginAvailabilityExceptionFlow() throws Exception {
         osfCredential.setUsername(AbstractTestUtils.CONST_MAIL);
 
         osfRemoteAuthenticate.setSingleEntitlement(true);
+        osfRemoteAuthenticate.setLoginAvailability(false);
         osfRemoteAuthenticate
                 .setInstitutionsLoginAvailabilityUrl(AbstractTestUtils.CONST_INSTITUTION_LOGIN_AVAILABILITY_URL);
         osfRemoteAuthenticate.notifyRemotePrincipalAuthenticated(osfCredential);

cas-server-support-osf/src/test/java/io/cos/cas/mock/MockNormalizeRemotePrincipalWithEntitlement.java

@@ -3,15 +3,12 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 
-import org.apache.http.HttpStatus;
 import org.apache.http.HttpResponse;
-import org.apache.http.StatusLine;
 import org.apache.http.client.ClientProtocolException;
 import org.apache.http.entity.BasicHttpEntity;
 import org.jasig.cas.CentralAuthenticationService;
 import org.json.JSONObject;
 import org.mockito.Mockito;
-import org.springframework.util.StringUtils;
 
 import io.cos.cas.AbstractTestUtils;
 import io.cos.cas.authentication.OpenScienceFrameworkCredential;
@@ -24,12 +21,12 @@
 public class MockNormalizeRemotePrincipalWithEntitlement extends MockNormalizeRemotePrincipal {
 
     private boolean isSingleEntitlement;
-    private String loginAvailability;
+    private boolean isLoginAvailability;
 
     public MockNormalizeRemotePrincipalWithEntitlement(final CentralAuthenticationService centralAuthenticationService) {
         super(centralAuthenticationService);
         this.isSingleEntitlement = false;
-        this.loginAvailability = "";
+        this.isLoginAvailability = false;
     }
 
     @Override
@@ -41,7 +38,7 @@ protected JSONObject normalizeRemotePrincipal(final OpenScienceFrameworkCredenti
         user.put("fullname", AbstractTestUtils.CONST_DISPLAY_NAME);
 
         if (isSingleEntitlement) {
-            user.put("eduPersonEntitlement", AbstractTestUtils.CONST_SINGLE_ENTITLEMENT_INPUT);
+            user.put("entitlement", AbstractTestUtils.CONST_SINGLE_ENTITLEMENT_INPUT);
         }
 
         provider.put("id", credential.getInstitutionId());
@@ -52,18 +49,13 @@ protected JSONObject normalizeRemotePrincipal(final OpenScienceFrameworkCredenti
 
     protected HttpResponse callLoginAvailabilityAPI(final JSONObject bodyObj) throws IOException, ClientProtocolException {
         final HttpResponse mockedResponse = Mockito.mock(HttpResponse.class);
-        final StatusLine statusLine = Mockito.mock(StatusLine.class);
         final BasicHttpEntity entity = new BasicHttpEntity();
-        String bodyResponse = "{\"meta\":{\"version\":\"2.0\"}}";
-        if (StringUtils.hasText(this.loginAvailability)) {
-            bodyResponse = "{\"login_availability\":\"" + this.loginAvailability + "\",\"meta\":{\"version\":\"2.0\"}}";
-            Mockito.when(statusLine.getStatusCode()).thenReturn(HttpStatus.SC_OK);
-        } else {
-            Mockito.when(statusLine.getStatusCode()).thenReturn(HttpStatus.SC_FORBIDDEN);
+        String bodyResponse = "{\"login_availability\":false,\"meta\":{\"version\":\"2.0\"}}";
+        if (this.isLoginAvailability) {
+            bodyResponse = "{\"login_availability\":true,\"meta\":{\"version\":\"2.0\"}}";
         }
 
         entity.setContent(new ByteArrayInputStream(bodyResponse.getBytes()));
-        Mockito.when(mockedResponse.getStatusLine()).thenReturn(statusLine);
         Mockito.when(mockedResponse.getEntity()).thenReturn(entity);
         return mockedResponse;
     }
@@ -72,8 +64,8 @@ public void setSingleEntitlement(final boolean isSingleEntitlement) {
         this.isSingleEntitlement = isSingleEntitlement;
     }
 
-    public void setLoginAvailability(final String loginAvailability) {
-        this.loginAvailability = loginAvailability;
+    public void setLoginAvailability(final boolean isLoginAvailability) {
+        this.isLoginAvailability = isLoginAvailability;
     }
 
 }

cas-server-support-osf/src/test/java/io/cos/cas/mock/MockNotifyRemotePrincipalAuthenticated.java

@@ -23,9 +23,6 @@ public MockNotifyRemotePrincipalAuthenticated(final CentralAuthenticationService
     @Override
     protected PrincipalAuthenticationResult notifyRemotePrincipalAuthenticated(
             final OpenScienceFrameworkCredential credential) throws AccountException {
-        return new PrincipalAuthenticationResult(
-            AbstractTestUtils.CONST_MAIL,
-            AbstractTestUtils.CONST_INSTITUTION_ID,
-            AbstractTestUtils.CONST_JSON_STRING);
+        return new PrincipalAuthenticationResult(AbstractTestUtils.CONST_MAIL, AbstractTestUtils.CONST_INSTITUTION_ID);
     }
 }

cas-server-webapp/src/main/resources/messages.properties

@@ -164,13 +164,6 @@ screen.institutionloginfailed.message=Your request cannot be completed at this t
   is in error, please contact <a style="white-space: nowrap" href="mailto:rdm_support@nii.ac.jp">Support</a> for help and \
   include the error code below.
 
-# Institution Login Failure(LoA) Page
-screen.institutionloginfailedloa.heading=Institution login failed
-screen.institutionloginfailedloa.message=Does not meet the required AAL and IAL.</br></br>\
-  If you believe this is in error,\
-  please contact <a style="white-space: nowrap" href="mailto:rdm_support@nii.ac.jp">Support</a> for help and \
-  include the error code below.
-
 # OAuth
 screen.oauth.confirm.header=Authorize application
 screen.oauth.confirm.message=<h2>{0}</h2> has asked for the following permission(s) to access your GakuNin RDM account.

cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casInstitutionLoginAvailabilityFailedView.jsp

@@ -16,9 +16,26 @@
 
 --%>
 
-<%-- Login availability failed redirect page --%>
+<%-- Login availability failed page --%>
 
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<spring:eval var="osfUrl" expression="@casProperties.getProperty('osf.url')"/>
-<c:redirect url="${osfUrl}?login_not_available=true"/>
+<jsp:directive.include file="includes/top.jsp"/>
+
+<div id="msg" class="errors">
+    <h2><spring:message code="screen.login.availability.heading"/></h2>
+    <p><spring:message code="screen.login.availability.message"/></p>
+</div>
+
+<spring:message code="screen.osf.login.message.error" var="errorDescription"/>
+<script>
+    description = document.getElementById("description");
+    if (description != null) {
+        description.innerHTML = "<br><br>${errorDescription}";
+    }
+</script>
+
+<c:set var="linkSignIn" value="false"/>
+<c:set var="linkSignOut" value="false"/>
+<c:set var="linkCreateAccount" value="false"/>
+<c:set var="linkBackToOsf" value="true"/>
+
+<jsp:directive.include file="includes/bottom.jsp"/>

cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml

@@ -209,7 +209,6 @@
         <transition on="InstitutionLoginFailedAttributesMissingException" to="casInstitutionLoginFailedAttributesMissingView"/>
         <transition on="InstitutionLoginFailedAttributesParsingException" to="casInstitutionLoginFailedAttributesParsingView"/>
         <transition on="InstitutionLoginFailedOsfApiException" to="casInstitutionLoginFailedOsfApiView"/>
-        <transition on="InstitutionLoginFailedOsfApiLoAException" to="casInstitutionLoginFailedOsfApiLoAView"/><!-- @R2022-48 loa -->
         <transition on="InvalidUserStatusException" to="casInvalidUserStatusView"/>
         <transition on="InvalidVerificationKeyException" to="casInvalidVerificationKeyView"/>
         <transition on="OneTimePasswordRequiredException" to="casOtpLoginView"/>
@@ -313,12 +312,6 @@
             <set name="flowScope.casViewErrorCode" value="2003"/>
         </on-entry>
     </end-state>
-    <!-- @R2022-48 loa -->
-    <end-state id="casInstitutionLoginFailedOsfApiLoAView" view="casInstitutionLoginFailedLoAView">
-        <on-entry>
-            <set name="flowScope.casViewErrorCode" value="2003"/>
-        </on-entry>
-    </end-state>
     <end-state id="casInvalidUserStatusView" view="casInvalidUserStatusView"/>
     <end-state id="casInvalidVerificationKeyView" view="casInvalidVerificationKeyView"/>
     <end-state id="delegatedLoginCasErrorView" view="delegatedLoginCasErrorView"/>

cas-server-webapp/src/main/webapp/WEB-INF/webflow/logout/logout-webflow.xml

@@ -25,10 +25,6 @@
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd">
 
-    <on-start>
-        <evaluate expression="initialFlowSetupAction"/>
-    </on-start>
-
     <action-state id="terminateSession">
         <evaluate expression="terminateSessionAction.terminate(flowRequestContext)" />
         <transition on="success" to="doLogout" />
@@ -52,14 +48,9 @@
     </view-state>
 
     <decision-state id="finishLogout">
-        <if test="flowScope.logoutRedirectUrl != null" then="serviceAuthorizationCheck" else="logoutView" />
+        <if test="flowScope.logoutRedirectUrl != null" then="redirectView" else="logoutView" />
     </decision-state>
 
-    <action-state id="serviceAuthorizationCheck">
-        <evaluate expression="serviceAuthorizationCheck"/>
-        <transition to="redirectView"/>
-    </action-state>
-
     <end-state id="redirectView" view="externalRedirect:#{flowScope.logoutRedirectUrl}" />
 
     <end-state id="logoutView" view="casLogoutView" />