Merge branch 'main' into j-s/complete-indictment-review

island-is · May 13, 2024 · 64a6583 · 64a6583
2 parents 5d726a2 + 0e6e5bd
commit 64a6583
Show file tree

Hide file tree

Showing 8 changed files with 79 additions and 17 deletions.
diff --git a/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts b/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts
@@ -1,24 +1,25 @@
+import { getModelToken } from '@nestjs/sequelize'
 import faker from 'faker'
 import request from 'supertest'
 
-import { AdminPortalScope } from '@island.is/auth/scopes'
 import {
   AdminCreateClientDto,
   AdminPatchClientDto,
   Client,
   clientBaseAttributes,
   ClientGrantType,
+  defaultAcrValue,
   RefreshTokenExpiration,
   SequelizeConfigService,
   translateRefreshTokenExpiration,
 } from '@island.is/auth-api-lib'
 import { User } from '@island.is/auth-nest-tools'
+import { AdminPortalScope } from '@island.is/auth/scopes'
 import { FixtureFactory } from '@island.is/services/auth/testing'
 import { createCurrentUser } from '@island.is/testing/fixtures'
 import { getRequestMethod, setupApp, TestApp } from '@island.is/testing/nest'
 
 import { AppModule } from '../../../app.module'
-import { getModelToken } from '@nestjs/sequelize'
 
 const tenantId = '@test.is'
 const clientId = '@test.is/test-client'
@@ -80,6 +81,7 @@ const createTestClientData = async (app: TestApp, user: User) => {
     supportsProcuringHolders: false,
     promptDelegations: false,
     singleSession: false,
+    allowedAcr: [defaultAcrValue],
   }
 }
 
@@ -313,6 +315,7 @@ describe('MeClientsController with auth', () => {
         promptDelegations: false,
         customClaims: [],
         singleSession: false,
+        allowedAcr: [defaultAcrValue],
       })
 
       // Assert - db record
@@ -412,6 +415,7 @@ describe('MeClientsController with auth', () => {
         promptDelegations: false,
         customClaims: [],
         singleSession: false,
+        allowedAcr: [defaultAcrValue],
       })
 
       // Assert - db record
@@ -534,6 +538,7 @@ describe('MeClientsController with auth', () => {
           : false,
         customClaims: typeSpecificDefaults.customClaims ?? [],
         singleSession: typeSpecificDefaults.singleSession ?? false,
+        allowedAcr: [defaultAcrValue],
       })
 
       // Assert - db record
@@ -824,6 +829,7 @@ describe('MeClientsController with auth', () => {
               value: 'value1',
             },
           ],
+          allowedAcr: ['some-acr-value'],
         }
 
         // Act

diff --git a/libs/application/templates/parental-leave/src/lib/ParentalLeaveTemplate.ts b/libs/application/templates/parental-leave/src/lib/ParentalLeaveTemplate.ts
@@ -995,6 +995,14 @@ const ParentalLeaveTemplate: ApplicationTemplate<
                 goToState(application, States.VINNUMALASTOFNUN_APPROVAL),
               target: States.VINNUMALASTOFNUN_APPROVAL,
             },
+            {
+              cond: (application) =>
+                goToState(
+                  application,
+                  States.EMPLOYER_WAITING_TO_ASSIGN_FOR_EDITS,
+                ),
+              target: States.EMPLOYER_WAITING_TO_ASSIGN_FOR_EDITS,
+            },
             {
               target: States.VINNUMALASTOFNUN_APPROVE_EDITS,
             },
@@ -1007,6 +1015,7 @@ const ParentalLeaveTemplate: ApplicationTemplate<
           'setEmployerReviewerNationalRegistryId',
           'restorePeriodsFromTemp',
           'restoreEmployersFromTemp',
+          'setPreviousState',
         ],
         meta: {
           name: States.EMPLOYER_WAITING_TO_ASSIGN_FOR_EDITS,

diff --git a/libs/auth-api-lib/migrations/20240502142738-add-allowed-acr-to-clients.js b/libs/auth-api-lib/migrations/20240502142738-add-allowed-acr-to-clients.js
@@ -0,0 +1,15 @@
+'use strict'
+
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    queryInterface.addColumn('client', 'allowed_acr', {
+      type: Sequelize.ARRAY(Sequelize.STRING),
+      defaultValue: ['eidas-loa-high'],
+      allowNull: false,
+    })
+  },
+
+  async down(queryInterface) {
+    queryInterface.removeColumn('client', 'allowed_acr')
+  },
+}
diff --git a/libs/auth-api-lib/src/lib/clients/admin/admin-clients.service.ts b/libs/auth-api-lib/src/lib/clients/admin/admin-clients.service.ts
@@ -4,15 +4,17 @@ import {
   Injectable,
 } from '@nestjs/common'
 import { InjectModel } from '@nestjs/sequelize'
+import omit from 'lodash/omit'
 import { Includeable, Op, Transaction } from 'sequelize'
 import { Sequelize } from 'sequelize-typescript'
-import omit from 'lodash/omit'
 
 import { User } from '@island.is/auth-nest-tools'
 import { AdminPortalScope } from '@island.is/auth/scopes'
-import { NoContentException } from '@island.is/nest/problem'
 import { validateClientId } from '@island.is/auth/shared'
+import { NoContentException } from '@island.is/nest/problem'
 
+import { AdminScopeDTO } from '../../resources/admin/dto/admin-scope.dto'
+import { AdminTranslationService } from '../../resources/admin/services/admin-translation.service'
 import { ApiScope } from '../../resources/models/api-scope.model'
 import { Domain } from '../../resources/models/domain.model'
 import { TranslatedValueDto } from '../../translation/dto/translated-value.dto'
@@ -24,21 +26,19 @@ import {
   translateRefreshTokenExpiration,
 } from '../../types'
 import { ClientsService } from '../clients.service'
-import { Client } from '../models/client.model'
 import { ClientAllowedScope } from '../models/client-allowed-scope.model'
 import { ClientClaim } from '../models/client-claim.model'
 import { ClientGrantType } from '../models/client-grant-type.model'
-import { ClientRedirectUri } from '../models/client-redirect-uri.model'
 import { ClientPostLogoutRedirectUri } from '../models/client-post-logout-redirect-uri.model'
+import { ClientRedirectUri } from '../models/client-redirect-uri.model'
+import { Client } from '../models/client.model'
+import { AdminClientClaimDto } from './dto/admin-client-claim.dto'
 import { AdminClientDto } from './dto/admin-client.dto'
 import { AdminCreateClientDto } from './dto/admin-create-client.dto'
 import {
   AdminPatchClientDto,
   superUserFields,
 } from './dto/admin-patch-client.dto'
-import { AdminClientClaimDto } from './dto/admin-client-claim.dto'
-import { AdminTranslationService } from '../../resources/admin/services/admin-translation.service'
-import { AdminScopeDTO } from '../../resources/admin/dto/admin-scope.dto'
 
 export const clientBaseAttributes: Partial<Client> = {
   absoluteRefreshTokenLifetime: 8 * 60 * 60, // 8 hours
@@ -548,6 +548,7 @@ export class AdminClientsService {
           type: claim.type,
           value: claim.value,
         })) ?? [],
+      allowedAcr: client.allowedAcr ?? [],
     }
   }
 

diff --git a/libs/auth-api-lib/src/lib/clients/admin/dto/admin-client.dto.ts b/libs/auth-api-lib/src/lib/clients/admin/dto/admin-client.dto.ts
@@ -104,4 +104,11 @@ export class AdminClientDto {
     type: [AdminClientClaimDto],
   })
   customClaims?: AdminClientClaimDto[]
+
+  @ApiProperty({
+    description: 'Array of allowed acr values for the client.',
+    example: '[eidas-loa-high]',
+  })
+  @ApiProperty()
+  allowedAcr!: string[]
 }
diff --git a/libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts b/libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts
@@ -182,6 +182,13 @@ export class AdminPatchClientDto {
   })
   @IsOptional()
   contactEmail?: string
+
+  @ApiPropertyOptional({
+    description: 'Array of allowed acr values for the client.',
+    example: '[eidas-loa-high]',
+  })
+  @IsOptional()
+  allowedAcr?: string[]
 }
 
 export const superUserFields = [
@@ -198,4 +205,5 @@ export const superUserFields = [
   'accessTokenLifetime',
   'customClaims',
   'singleSession',
+  'allowedAcr',
 ]
diff --git a/libs/auth-api-lib/src/lib/clients/models/client.model.ts b/libs/auth-api-lib/src/lib/clients/models/client.model.ts
@@ -1,25 +1,27 @@
+import { ApiProperty } from '@nestjs/swagger'
 import {
   BelongsTo,
   Column,
   CreatedAt,
   DataType,
   ForeignKey,
+  HasMany,
   Model,
+  PrimaryKey,
   Table,
   UpdatedAt,
-  PrimaryKey,
-  HasMany,
 } from 'sequelize-typescript'
-import { ApiProperty } from '@nestjs/swagger'
-import { ClientAllowedScope } from './client-allowed-scope.model'
+
+import { Domain } from '../../resources/models/domain.model'
+import { defaultAcrValue } from '../../types'
 import { ClientAllowedCorsOrigin } from './client-allowed-cors-origin.model'
+import { ClientAllowedScope } from './client-allowed-scope.model'
+import { ClientClaim } from './client-claim.model'
+import { ClientGrantType } from './client-grant-type.model'
+import { ClientIdpRestrictions } from './client-idp-restrictions.model'
 import { ClientPostLogoutRedirectUri } from './client-post-logout-redirect-uri.model'
 import { ClientRedirectUri } from './client-redirect-uri.model'
-import { ClientIdpRestrictions } from './client-idp-restrictions.model'
 import { ClientSecret } from './client-secret.model'
-import { ClientGrantType } from './client-grant-type.model'
-import { ClientClaim } from './client-claim.model'
-import { Domain } from '../../resources/models/domain.model'
 
 @Table({
   tableName: 'client',
@@ -547,6 +549,13 @@ export class Client extends Model {
   @HasMany(() => ClientClaim)
   claims?: ClientClaim[]
 
+  @Column({
+    type: DataType.ARRAY(DataType.STRING),
+    defaultValue: [defaultAcrValue],
+  })
+  @ApiProperty()
+  allowedAcr!: string[]
+
   // Signing algorithm for identity token. If empty, will use the server default signing algorithm.
   // readonly allowedIdentityTokenSigningAlgorithms
 }
diff --git a/libs/auth-api-lib/src/lib/types.ts b/libs/auth-api-lib/src/lib/types.ts
@@ -1,5 +1,12 @@
 export const DEFAULT_DOMAIN = '@island.is'
 
+export enum AcrEnum {
+  EidasLoaHigh = 'eidas-loa-high',
+  IslandIsPasskey = 'islandis-passkey',
+}
+
+export const defaultAcrValue = AcrEnum.EidasLoaHigh
+
 export enum GrantTypeEnum {
   AuthorizationCode = 'authorization_code',
   ClientCredentials = 'client_credentials',