Merge branch 'feature/saml-login-everywhere'

Author: io7m

org.thepalaceproject.android.platform

@@ -114,7 +114,28 @@ class AccessibilityService private constructor(
 
       is BookStatus.ReachedLoanLimit ->
         if (this.previousStatusIsNot(event, BookStatus.ReachedLoanLimit::class.java)) {
-          this.speak(this.strings.bookLoanLimitReached())
+          this.speak(this.strings.bookLoanLimitReached(book.entry.title))
+        } else {
+          // Nothing to do
+        }
+
+      is BookStatus.FailedLoanBadCredentials ->
+        if (this.previousStatusIsNot(event, BookStatus.FailedLoanBadCredentials::class.java)) {
+          this.speak(this.strings.bookFailedLoanLoginRequired(book.entry.title))
+        } else {
+          // Nothing to do
+        }
+
+      is BookStatus.FailedRevokeBadCredentials ->
+        if (this.previousStatusIsNot(event, BookStatus.FailedRevokeBadCredentials::class.java)) {
+          this.speak(this.strings.bookFailedRevokeLoginRequired(book.entry.title))
+        } else {
+          // Nothing to do
+        }
+
+      is BookStatus.FailedDownloadBadCredentials ->
+        if (this.previousStatusIsNot(event, BookStatus.FailedDownloadBadCredentials::class.java)) {
+          this.speak(this.strings.bookFailedDownloadLoginRequired(book.entry.title))
         } else {
           // Nothing to do
         }

palace-accessibility/src/main/java/org/nypl/simplified/accessibility/AccessibilityService.kt

@@ -11,26 +11,35 @@ class AccessibilityStrings(
   private val resources: Resources
 ) : AccessibilityStringsType {
   override fun bookHasDownloaded(title: String): String =
-    this.resources.getString(R.string.bookHasDownloaded, title)
+    this.resources.getString(R.string.accessBookHasDownloaded, title)
 
   override fun bookIsDownloading(title: String): String =
-    this.resources.getString(R.string.bookIsDownloading, title)
+    this.resources.getString(R.string.accessBookIsDownloading, title)
 
   override fun bookIsOnHold(title: String): String =
-    this.resources.getString(R.string.bookIsOnHold, title)
+    this.resources.getString(R.string.accessBookIsOnHold, title)
 
   override fun bookReturned(title: String): String =
-    this.resources.getString(R.string.bookReturned, title)
+    this.resources.getString(R.string.accessBookReturned, title)
 
   override fun bookFailedReturn(title: String): String =
-    this.resources.getString(R.string.bookFailedReturn, title)
+    this.resources.getString(R.string.accessBookFailedReturn, title)
 
   override fun bookFailedLoan(title: String): String =
-    this.resources.getString(R.string.bookFailedLoan, title)
+    this.resources.getString(R.string.accessBookFailedLoan, title)
 
   override fun bookFailedDownload(title: String): String =
-    this.resources.getString(R.string.bookFailedDownload, title)
+    this.resources.getString(R.string.accessBookFailedDownload, title)
 
-  override fun bookLoanLimitReached(): String =
-    this.resources.getString(R.string.reachedLoanLimit)
+  override fun bookLoanLimitReached(title: String): String =
+    this.resources.getString(R.string.accessBookReachedLoanLimit, title)
+
+  override fun bookFailedLoanLoginRequired(title: String): String =
+    this.resources.getString(R.string.accessBookFailedLoanLoginRequired, title)
+
+  override fun bookFailedRevokeLoginRequired(title: String): String =
+    this.resources.getString(R.string.accessBookFailedRevokeLoginRequired, title)
+
+  override fun bookFailedDownloadLoginRequired(title: String): String =
+    this.resources.getString(R.string.accessBookFailedDownloadLoginRequired, title)
 }

palace-accessibility/src/main/java/org/nypl/simplified/accessibility/AccessibilityStrings.kt

@@ -12,5 +12,8 @@ interface AccessibilityStringsType {
   fun bookFailedReturn(title: String): String
   fun bookFailedLoan(title: String): String
   fun bookFailedDownload(title: String): String
-  fun bookLoanLimitReached(): String
+  fun bookLoanLimitReached(title: String): String
+  fun bookFailedLoanLoginRequired(title: String): String
+  fun bookFailedRevokeLoginRequired(title: String): String
+  fun bookFailedDownloadLoginRequired(title: String): String
 }

palace-accessibility/src/main/java/org/nypl/simplified/accessibility/AccessibilityStringsType.kt

@@ -1,12 +1,15 @@
 <?xml version="1.0" encoding="utf-8"?>
 
 <resources>
-  <string name="bookFailedDownload">@string/bookFailedLoan</string>
-  <string name="bookFailedLoan">The book \'%1$s\' could not be downloaded</string>
-  <string name="bookFailedReturn">The book \'%1$s\' could not be returned</string>
-  <string name="bookHasDownloaded">The book \'%1$s\' has finished downloading</string>
-  <string name="bookIsDownloading">The book \'%1$s\' has started downloading</string>
-  <string name="bookIsOnHold">A reservation has been placed for the book \'%1$s\'</string>
-  <string name="bookReturned">The book \'%1$s\' has been successfully returned</string>
-  <string name="reachedLoanLimit">You have reached your loan limit</string>
+  <string name="accessBookFailedDownload">@string/accessBookFailedLoan</string>
+  <string name="accessBookFailedLoan">The book \'%1$s\' could not be downloaded</string>
+  <string name="accessBookFailedReturn">The book \'%1$s\' could not be returned</string>
+  <string name="accessBookHasDownloaded">The book \'%1$s\' has finished downloading</string>
+  <string name="accessBookIsDownloading">The book \'%1$s\' has started downloading</string>
+  <string name="accessBookIsOnHold">A reservation has been placed for the book \'%1$s\'</string>
+  <string name="accessBookReturned">The book \'%1$s\' has been successfully returned</string>
+  <string name="accessBookReachedLoanLimit">The book \'%1$s\' could not be borrowed because you have reached your loan limit</string>
+  <string name="accessBookFailedLoanLoginRequired">The book \'%1$s\' could not be downloaded because your login session has expired.</string>
+  <string name="accessBookFailedRevokeLoginRequired">The book \'%1$s\' could not be returned because your login session has expired.</string>
+  <string name="accessBookFailedDownloadLoginRequired">@string/accessBookFailedLoanLoginRequired</string>
 </resources>

palace-accessibility/src/main/res/values/strings.xml

@@ -3,9 +3,12 @@ package org.nypl.simplified.accounts.api
 import org.librarysimplified.http.api.LSHTTPAuthorizationBasic
 import org.librarysimplified.http.api.LSHTTPAuthorizationBearerToken
 import org.librarysimplified.http.api.LSHTTPAuthorizationType
+import org.librarysimplified.http.api.LSHTTPProblemReport
 import org.librarysimplified.http.api.LSHTTPRequestBuilderType
 import org.librarysimplified.http.api.LSHTTPRequestConstants
 import org.librarysimplified.http.api.LSHTTPResponseStatus
+import org.nypl.simplified.accounts.api.AccountAuthenticatedHTTP.Handled401.ErrorIsRecoverableCredentialsExpired
+import org.nypl.simplified.accounts.api.AccountAuthenticatedHTTP.Handled401.ErrorIsUnrecoverable
 
 /**
  * Convenient functions to construct authenticated HTTP instances from sets of credentials.
@@ -22,6 +25,7 @@ object AccountAuthenticatedHTTP {
           userName = credentials.userName.value,
           password = credentials.password.value
         )
+
       is AccountAuthenticationCredentials.BasicToken ->
         if (credentials.authenticationTokenInfo.accessToken.isNotBlank()) {
           LSHTTPAuthorizationBearerToken.ofToken(
@@ -33,10 +37,12 @@ object AccountAuthenticatedHTTP {
             password = credentials.password.value
           )
         }
+
       is AccountAuthenticationCredentials.OAuthWithIntermediary ->
         LSHTTPAuthorizationBearerToken.ofToken(
           token = credentials.accessToken
         )
+
       is AccountAuthenticationCredentials.SAML2_0 ->
         LSHTTPAuthorizationBearerToken.ofToken(
           token = credentials.accessToken
@@ -50,13 +56,18 @@ object AccountAuthenticatedHTTP {
     return credentials?.let(this::createAuthorization)
   }
 
-  fun LSHTTPRequestBuilderType.addCredentialsToProperties(
+  fun LSHTTPRequestBuilderType.addBasicTokenPropertiesIfApplicable(
     credentials: AccountAuthenticationCredentials?
   ): LSHTTPRequestBuilderType {
     if (credentials !is AccountAuthenticationCredentials.BasicToken) {
       return this
     }
+    return addBasicTokenProperties(credentials)
+  }
 
+  fun LSHTTPRequestBuilderType.addBasicTokenProperties(
+    credentials: AccountAuthenticationCredentials.BasicToken
+  ): LSHTTPRequestBuilderType {
     return apply {
       setExtensionProperty(
         LSHTTPRequestConstants.PROPERTY_KEY_USERNAME,
@@ -76,4 +87,47 @@ object AccountAuthenticatedHTTP {
   fun LSHTTPResponseStatus.getAccessToken(): String? {
     return properties?.header(LSHTTPRequestConstants.PROPERTY_KEY_ACCESS_TOKEN)
   }
+
+  /**
+   * A handled 401 status code.
+   */
+
+  sealed class Handled401 {
+    /** A recoverable error; ask the user to log in again. */
+    data object ErrorIsUnrecoverable : Handled401()
+
+    /** An unrecoverable error; just fail. */
+    data object ErrorIsRecoverableCredentialsExpired : Handled401()
+  }
+
+  /**
+   * Handle a 401 error along with a possibly-not-present problem report.
+   *
+   * The server will return useful problem reports that indicate whether a 401 error is
+   * recoverable or not. If an error _is_ recoverable, then the app should ask the user to log
+   * in again. If an error isn't recoverable, then it shouldn't be treated any differently to
+   * any other kind of error.
+   */
+
+  fun handle401Error(
+    problemReport: LSHTTPProblemReport?
+  ): Handled401 {
+    return if (problemReport != null) {
+      val type = problemReport.type
+      if (type != null) {
+        // XXX: Deprecated: The server will soon stop serving this type.
+        if (type.startsWith("http://librarysimplified.org/terms/problem/")) {
+          ErrorIsRecoverableCredentialsExpired
+        } else if (type.startsWith("http://palaceproject.io/terms/problem/auth/recoverable")) {
+          ErrorIsRecoverableCredentialsExpired
+        } else {
+          ErrorIsUnrecoverable
+        }
+      } else {
+        ErrorIsUnrecoverable
+      }
+    } else {
+      ErrorIsUnrecoverable
+    }
+  }
 }

palace-accounts-api/src/main/java/org/nypl/simplified/accounts/api/AccountAuthenticatedHTTP.kt

@@ -9,15 +9,27 @@ import org.nypl.simplified.taskrecorder.api.TaskResult
 
 sealed class AccountLoginState {
 
+  /**
+   * The previous credentials, if credentials are being refreshed.
+   */
+
+  abstract val previousCredentials: AccountAuthenticationCredentials?
+
+  /**
+   * The current assumed-valid credentials.
+   */
+
   abstract val credentials: AccountAuthenticationCredentials?
 
   /**
    * The account is not logged in.
    */
 
-  object AccountNotLoggedIn : AccountLoginState() {
+  data class AccountNotLoggedIn(
+    override val previousCredentials: AccountAuthenticationCredentials?
+  ) : AccountLoginState() {
     override val credentials: AccountAuthenticationCredentials?
-      get() = null
+      get() = this.previousCredentials
 
     override fun toString(): String =
       this.javaClass.simpleName
@@ -28,6 +40,7 @@ sealed class AccountLoginState {
    */
 
   data class AccountLoggingIn(
+    override val previousCredentials: AccountAuthenticationCredentials?,
 
     /**
      * A humanly-readable status message.
@@ -50,14 +63,19 @@ sealed class AccountLoginState {
     val cancellable: Boolean
   ) : AccountLoginState() {
     override val credentials: AccountAuthenticationCredentials?
-      get() = null
+      get() = this.previousCredentials
   }
 
   /**
    * The account is currently waiting for an external authentication mechanism to complete.
    */
 
   data class AccountLoggingInWaitingForExternalAuthentication(
+    /**
+     * The previous credentials, if credentials are being refreshed.
+     */
+
+    override val previousCredentials: AccountAuthenticationCredentials?,
 
     /**
      * The description being used to log in.
@@ -74,14 +92,19 @@ sealed class AccountLoginState {
     val status: String
   ) : AccountLoginState() {
     override val credentials: AccountAuthenticationCredentials?
-      get() = null
+      get() = this.previousCredentials
   }
 
   /**
    * The account failed to log in.
    */
 
   data class AccountLoginFailed(
+    /**
+     * The previous credentials, if credentials are being refreshed.
+     */
+
+    override val previousCredentials: AccountAuthenticationCredentials?,
     val taskResult: TaskResult.Failure<*>
   ) : AccountLoginState(), PresentableErrorType {
     override val message: String =
@@ -92,7 +115,7 @@ sealed class AccountLoginState {
       this.taskResult.attributes
 
     override val credentials: AccountAuthenticationCredentials?
-      get() = null
+      get() = this.previousCredentials
   }
 
   /**
@@ -101,7 +124,22 @@ sealed class AccountLoginState {
 
   data class AccountLoggedIn(
     override val credentials: AccountAuthenticationCredentials
-  ) : AccountLoginState()
+  ) : AccountLoginState() {
+    override val previousCredentials: AccountAuthenticationCredentials =
+      this.credentials
+  }
+
+  /**
+   * The account is currently logged in but the credentials appear to be stale. This can be due
+   * to, for example, expired SAML or OIDC sessions.
+   */
+
+  data class AccountLoggedInStaleCredentials(
+    override val credentials: AccountAuthenticationCredentials
+  ) : AccountLoginState() {
+    override val previousCredentials: AccountAuthenticationCredentials =
+      this.credentials
+  }
 
   /**
    * The account is currently logging out.
@@ -117,7 +155,10 @@ sealed class AccountLoginState {
      */
 
     val status: String
-  ) : AccountLoginState()
+  ) : AccountLoginState() {
+    override val previousCredentials: AccountAuthenticationCredentials =
+      this.credentials
+  }
 
   /**
    * The account failed to log out
@@ -127,6 +168,8 @@ sealed class AccountLoginState {
     val taskResult: TaskResult.Failure<*>,
     override val credentials: AccountAuthenticationCredentials
   ) : AccountLoginState(), PresentableErrorType {
+    override val previousCredentials: AccountAuthenticationCredentials =
+      this.credentials
     override val message: String =
       this.taskResult.message
     override val exception: Throwable? =

palace-accounts-api/src/main/java/org/nypl/simplified/accounts/api/AccountLoginState.kt

@@ -11,10 +11,6 @@ import org.nypl.simplified.books.book_database.api.BookDatabaseType
  * The interface exposed by accounts.
  *
  * An account aggregates a set of credentials and a book database.
- * Account are assigned monotonically increasing identifiers by the
- * application, but the identifiers themselves carry no meaning. It is
- * an error to depend on the values of identifiers for any kind of
- * program logic.
  */
 
 interface AccountType : AccountReadableType {
@@ -73,14 +69,16 @@ interface AccountType : AccountReadableType {
     return when (val state = this.loginState) {
       is AccountLoginState.AccountLoggedIn ->
         this.setLoginState(state.copy(update.invoke(state.credentials)))
+      is AccountLoginState.AccountLoggedInStaleCredentials ->
+        this.setLoginState(state.copy(update.invoke(state.credentials)))
       is AccountLoginState.AccountLoggingOut ->
         this.setLoginState(state.copy(update.invoke(state.credentials)))
 
       is AccountLoginState.AccountLoggingIn,
       is AccountLoginState.AccountLoggingInWaitingForExternalAuthentication,
       is AccountLoginState.AccountLoginFailed,
       is AccountLoginState.AccountLogoutFailed,
-      AccountLoginState.AccountNotLoggedIn ->
+      is AccountLoginState.AccountNotLoggedIn ->
         Unit
     }
   }
@@ -112,4 +110,11 @@ interface AccountType : AccountReadableType {
   fun isBookmarkSyncable(): Boolean {
     return this.loginState.credentials?.annotationsURI != null
   }
+
+  /**
+   * Mark the current credentials as having expired, assuming they are credentials of a type
+   * that does expire.
+   */
+
+  fun expireCredentialsIfApplicable()
 }