OIDC versions of user add/del/renew resources

src/legacy/legacy.controller.ts

@@ -265,7 +265,7 @@ export class LegacyController {
     const token: JWTToken = req.headers.token;
     try {
       let userServices;
-      if (token.authzKey == null) {
+      if (token.authzKey == null) { // is OIDC token
         userServices = await this.legacyServiceOidc.getUserResources(token.email);
       } else {
         userServices = await this.legacyService.getUserResources(token.username, token.authzKey);
@@ -307,6 +307,14 @@ export class LegacyController {
 
   @Post('user/resources/renew')
   @ApiOperation({ title: 'Renew access to a restricted access dataset for an existing user.' })
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token containing user information',
+  })
+  @ApiImplicitHeader({
+    name: 'X-Xsrf-Token',
+    description: 'Cross Site reference token contained in the JWT token',
+  })
   @ApiImplicitHeader({
     name: 'Cookie',
     description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
@@ -320,7 +328,11 @@ export class LegacyController {
   async renewUserResource(@Req() req, @Body() body: AccessRequest[]) {
     const token: JWTToken = req.headers.token;
     try {
-      return await this.legacyService.renewUserResource(token, body);
+      if (token.authzKey == null) { // is OIDC token
+        return await this.legacyServiceOidc.renewUserResource(token, body);
+      } else {
+        return await this.legacyService.renewUserResource(token, body);
+      }
     } catch (error) {
       if (error instanceof HttpException) {
         throw error;
@@ -343,7 +355,12 @@ export class LegacyController {
   async deleteUserResource(@Req() req, @Body() body) {
     const token: JWTToken = req.headers.token;
     try {
-      return await this.legacyService.deleteUserResource(token, body);
+      
+      if (token.authzKey == null) { // is OIDC token
+        return await this.legacyServiceOidc.deleteUserResource(token, body);
+      } else {
+        return await this.legacyService.deleteUserResource(token, body);
+      }
     } catch (error) {
       if (error instanceof HttpException) {
         throw error;

src/legacy/legacy.service.oidc.ts

@@ -149,12 +149,6 @@ export class LegacyServiceOIDC extends LegacyService {
   async addUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessRequestResponse> {
     this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.addUserResource.name}`);
     try {
-      // Decrypt the password
-      const password = decrypt(token.authzKey, await this.configService.getPrivateKey());
-
-      if (!password) {
-        throw new UnauthorizedException('Invalid user credentials.');
-      }
 
       // Get the list of datasets
       const datasets = await this.getRestrictedAccessDatasets();
@@ -169,8 +163,7 @@ export class LegacyServiceOIDC extends LegacyService {
         // Request access the the specified service and the specified modes
         let res = await request.post(`${this.conf.legacyAuthServiceUrl}/add_user_service/`).form(
           {
-            password,
-            username: token.username,
+            username: token.email,
             service_id: accessRequest.id,
             modes: accessRequest.servicesId.toString(),
           },
@@ -251,16 +244,8 @@ export class LegacyServiceOIDC extends LegacyService {
   async renewUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessRenewalResponse> {
     this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.renewUserResource.name}`);
     try {
-      // Decrypt the password
-      const password = decrypt(token.authzKey, await this.configService.getPrivateKey());
-
-      if (!password) {
-        this.logger.warn('Invalid user credentials.', `${LegacyServiceOIDC.name} - ${this.renewUserResource.name}`);
-        throw new UnauthorizedException('Invalid user credentials.');
-      }
-
       // Get the list of user access
-      const userAccess = await this.getUserResources(token.username);
+      const userAccess = await this.getUserResources(token.email);
       // Get the list of datasets
       const datasets = await this.getRestrictedAccessDatasets();
       // Get the list of services
@@ -354,13 +339,6 @@ export class LegacyServiceOIDC extends LegacyService {
   async deleteUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessDeletionResponse> {
     this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.deleteUserResource.name}`);
     try {
-      // Decrypt the password
-      const password = decrypt(token.authzKey, await this.configService.getPrivateKey());
-
-      if (!password) {
-        this.logger.warn('Invalid user credentials.', `${LegacyServiceOIDC.name} - ${this.deleteUserResource.name}`);
-        throw new UnauthorizedException('Invalid user credentials.');
-      }
 
       // Get the list of datasets
       const datasets = await this.getRestrictedAccessDatasets();
@@ -373,10 +351,9 @@ export class LegacyServiceOIDC extends LegacyService {
 
       for (const accessRequest of accessRequests) {
         // Delete access to the specified service and the specified modes
-        let res = await request.post(`${this.conf.legacyAuthServiceUrl}/del_user_service/`).form(
+        let res = await request.post(`${this.conf.legacyAuthServiceUrl}/del_user_service_oidc/`).form(
           {
-            password,
-            username: token.username,
+            username: token.email,
             service_id: accessRequest.id,
             modes: accessRequest.servicesId.toString(),
           },