Real impersonation

dashboard-gui/src/javascripts/pages/mfa.jsx

@@ -76,7 +76,7 @@ export default function MFA({app}) {
                 window.scrollTo(0, 0)
             })
     }
-    const loaRequired = currentUser.isMFARequired(3)
+    const loaRequired = currentUser.isMFARequired(2)
     return (
         <div className="mod-ssid-panel">
             <div className={"title-container"}>

dashboard-gui/src/javascripts/pages/search_user.jsx

@@ -62,9 +62,9 @@ class SearchUser extends React.Component {
       <tr key={idp.name}>
         <td>{idp.name}</td>
         <td className="center">
-          {this.state.roles.map((role) => {
+          <div className="switch-roles">{this.state.roles.map((role) => {
             return this.renderSwitchToRole(idp, role)
-          })}
+          })}</div>
         </td>
       </tr>
     )

dashboard-gui/src/stylesheets/modules/super-user.sass

@@ -13,11 +13,9 @@
   table
     @extend %box
 
-    .center
-      text-align: center
-
-    .c-button
-      margin-left: 10px
+    .switch-roles
+      display: flex
+      gap: 20px
 
 .mod-super-user-search
   @extend %box, %search-box

dashboard-server/src/main/java/dashboard/control/UsersController.java

@@ -314,7 +314,7 @@ public ResponseEntity<Void> currentIdp(
     public ResponseEntity<RestResponse<Object>> updateConsentSettings(@RequestHeader(HTTP_X_IDP_ENTITY_ID) String idpEntityId,
                                                                       @RequestBody Consent consent) {
         CoinUser currentUser = SpringSecurity.getCurrentUser();
-        if (currentUser.isSuperUser() || (!currentUser.isDashboardAdmin() && currentUser.isDashboardViewer())) {
+        if ((currentUser.isSuperUser() && !currentUser.isImpersonating()) || (!currentUser.isDashboardAdmin() && currentUser.isDashboardViewer())) {
             LOG.warn("Consent endpoint is not allowed for superUser / dashboardViewer, currentUser {}", currentUser);
             return new ResponseEntity<>(HttpStatus.FORBIDDEN);
         }
@@ -369,7 +369,7 @@ public ResponseEntity<RestResponse<Object>> updateConsentSettings(@RequestHeader
     public ResponseEntity<RestResponse<Object>> updateSurfSecureId(@RequestHeader(HTTP_X_IDP_ENTITY_ID) String idpEntityId,
                                                                    @RequestBody LoaLevelChange loaLevelChange) throws IOException {
         CoinUser currentUser = SpringSecurity.getCurrentUser();
-        if (currentUser.isSuperUser() || !currentUser.isDashboardAdmin()) {
+        if ((currentUser.isSuperUser() && !currentUser.isImpersonating()) || !currentUser.isDashboardAdmin()) {
             LOG.warn("SURF secure ID endpoint is not allowed for superUser / dashboardViewer, currentUser {}", currentUser);
             return new ResponseEntity<>(HttpStatus.FORBIDDEN);
         }
@@ -431,12 +431,12 @@ public ResponseEntity<RestResponse<Object>> updateSurfSecureId(@RequestHeader(HT
     public ResponseEntity<RestResponse<Object>> updateMFA(@RequestHeader(HTTP_X_IDP_ENTITY_ID) String idpEntityId,
                                                           @RequestBody MFAChange mfaChange) throws IOException {
         CoinUser currentUser = SpringSecurity.getCurrentUser();
-        if (currentUser.isSuperUser() || !currentUser.isDashboardAdmin()) {
+        if ((currentUser.isSuperUser() && !currentUser.isImpersonating()) || !currentUser.isDashboardAdmin()) {
             LOG.warn("SURF secure ID endpoint is not allowed for superUser / dashboardViewer, currentUser {}", currentUser);
             return new ResponseEntity<>(HttpStatus.FORBIDDEN);
         }
-        if (currentUser.getCurrentLoaLevel() < 3 && dashboardStepupEnabled) {
-            LOG.warn("MFA endpoint is not allowed without LOA level 3, currentUser {}", currentUser);
+        if (currentUser.getCurrentLoaLevel() < 2 && dashboardStepupEnabled) {
+            LOG.warn("MFA endpoint is not allowed without LOA level 2, currentUser {}", currentUser);
             return new ResponseEntity<>(HttpStatus.FORBIDDEN);
         }
         IdentityProvider idp = currentUser.getSwitchedToIdp().orElse(currentUser.getIdp());
@@ -483,7 +483,7 @@ public ResponseEntity<RestResponse<Object>> updateMFA(@RequestHeader(HTTP_X_IDP_
     public ResponseEntity<RestResponse<Object>> updateSettings(@RequestHeader(HTTP_X_IDP_ENTITY_ID) String idpEntityId,
                                                                @RequestBody Settings settings) throws IOException {
         CoinUser currentUser = SpringSecurity.getCurrentUser();
-        if (currentUser.isSuperUser() || (!currentUser.isDashboardAdmin() && currentUser.isDashboardViewer())) {
+        if ((currentUser.isSuperUser() && !currentUser.isImpersonating()) || (!currentUser.isDashboardAdmin() && currentUser.isDashboardViewer())) {
             LOG.warn("Settings endpoint is not allowed for superUser / dashboardViewer, currentUser {}", currentUser);
             return new ResponseEntity<>(HttpStatus.FORBIDDEN);
         }

dashboard-server/src/main/java/dashboard/domain/CoinUser.java

@@ -99,6 +99,11 @@ public boolean isSuperUser() {
         return hasAuthority(new CoinAuthority(ROLE_DASHBOARD_SUPER_USER));
     }
 
+    public boolean isImpersonating() {
+        return this.isSuperUser() && this.getSwitchedToIdp().isPresent() &&
+                this.isDashboardAdmin();
+    }
+
     public boolean isDashboardAdmin() {
         return hasAuthority(new CoinAuthority(ROLE_DASHBOARD_ADMIN));
     }

dashboard-server/src/main/java/dashboard/shibboleth/mock/MockShibbolethFilter.java

@@ -24,7 +24,7 @@
 public class MockShibbolethFilter extends GenericFilterBean {
 
     public static final String idp = "http://mock-idp";//,"https://idp.surfnet.nl";//"https://localhost.surf.id"; //"https://idp.surf.nl"
-    public String role = "admin";//"";
+    public String role = "super";//"";
 
     @Override
     public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain) throws IOException,