Fix #1757: Backport fix of #1753 to 1.6.x branch

pom.xml

@@ -26,7 +26,7 @@
 
     <groupId>io.getlime.security</groupId>
     <artifactId>powerauth-server-parent</artifactId>
-    <version>1.6.5-SNAPSHOT</version>
+    <version>1.6.6</version>
     <packaging>pom</packaging>
 
     <parent>

powerauth-admin/pom.xml

@@ -11,7 +11,7 @@
     <parent>
         <groupId>io.getlime.security</groupId>
         <artifactId>powerauth-server-parent</artifactId>
-        <version>1.6.5-SNAPSHOT</version>
+        <version>1.6.6</version>
     </parent>
 
     <dependencies>

powerauth-client-model/pom.xml

@@ -28,7 +28,7 @@
     <parent>
         <groupId>io.getlime.security</groupId>
         <artifactId>powerauth-server-parent</artifactId>
-        <version>1.6.5-SNAPSHOT</version>
+        <version>1.6.6</version>
     </parent>
 
     <dependencies>

powerauth-java-server/pom.xml

@@ -29,7 +29,7 @@
     <parent>
         <groupId>io.getlime.security</groupId>
         <artifactId>powerauth-server-parent</artifactId>
-        <version>1.6.5-SNAPSHOT</version>
+        <version>1.6.6</version>
     </parent>
 
     <dependencies>

powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/OperationServiceBehavior.java

@@ -265,7 +265,7 @@ public OperationUserActionResponse attemptApproveOperation(OperationApproveReque
         final ProximityCheckResult proximityCheckResult = fetchProximityCheckResult(operationEntity, request, currentInstant);
         final boolean activationIdMatches = activationIdMatches(request, operationEntity.getActivationId());
         final String expectedUserId = operationEntity.getUserId();
-        if (expectedUserId == null || expectedUserId.equals(userId) // correct user approved the operation
+        if ((expectedUserId == null || expectedUserId.equals(userId)) // correct user approved the operation
             && operationEntity.getApplications().contains(application.get()) // operation is approved by the expected application
             && isDataEqual(operationEntity, data) // operation data matched the expected value
             && factorsAcceptable(operationEntity, factorEnum) // auth factors are acceptable
@@ -308,7 +308,6 @@ && proximityCheckPassed(proximityCheckResult)
             final Long maxFailureCount = operationEntity.getMaxFailureCount();
 
             if (failureCount < maxFailureCount) {
-                operationEntity.setUserId(userId);
                 operationEntity.setFailureCount(failureCount);
                 operationEntity.setAdditionalData(mapMerge(operationEntity.getAdditionalData(), additionalData));
 
@@ -339,7 +338,6 @@ && proximityCheckPassed(proximityCheckResult)
                 response.setOperation(operationDetailResponse);
                 return response;
             } else {
-                operationEntity.setUserId(userId);
                 operationEntity.setStatus(OperationStatusDo.FAILED);
                 operationEntity.setTimestampFinalized(currentTimestamp);
                 operationEntity.setFailureCount(maxFailureCount); // just in case, set the failure count to max value
@@ -407,7 +405,7 @@ public OperationUserActionResponse rejectOperation(OperationRejectRequest reques
         }
 
         final String expectedUserId = operationEntity.getUserId();
-        if (expectedUserId == null || expectedUserId.equals(userId) // correct user rejects the operation
+        if ((expectedUserId == null || expectedUserId.equals(userId)) // correct user rejects the operation
                 && operationEntity.getApplications().contains(application.get())) { // operation is rejected by the expected application
 
             // Reject the operation

powerauth-java-server/src/test/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/OperationServiceBehaviorTest.java

@@ -19,10 +19,7 @@
 
 import com.wultra.security.powerauth.client.model.enumeration.SignatureType;
 import com.wultra.security.powerauth.client.model.enumeration.UserActionResult;
-import com.wultra.security.powerauth.client.model.request.OperationApproveRequest;
-import com.wultra.security.powerauth.client.model.request.OperationCreateRequest;
-import com.wultra.security.powerauth.client.model.request.OperationDetailRequest;
-import com.wultra.security.powerauth.client.model.request.OperationTemplateCreateRequest;
+import com.wultra.security.powerauth.client.model.request.*;
 import com.wultra.security.powerauth.client.model.response.OperationDetailResponse;
 import com.wultra.security.powerauth.client.model.response.OperationListResponse;
 import com.wultra.security.powerauth.client.model.response.OperationUserActionResponse;
@@ -472,6 +469,108 @@ void testOperationClaim() throws Exception {
         assertEquals(userId, operationService.getOperation(detailRequest).getUserId());
     }
 
+    @Test
+    void testAnonymousOperationApprovedUserChanged() throws GenericServiceException {
+        final OperationCreateRequest operationCreateRequest = new OperationCreateRequest();
+        operationCreateRequest.setApplications(List.of("PA_Tests"));
+        operationCreateRequest.setTemplateName("test-template");
+        final OperationDetailResponse operation = operationService.createOperation(operationCreateRequest);
+        final OperationApproveRequest approveRequest = new OperationApproveRequest();
+        approveRequest.setOperationId(operation.getId());
+        approveRequest.setUserId("test_user");
+        approveRequest.setData("A2");
+        approveRequest.setApplicationId("PA_Tests");
+        approveRequest.setSignatureType(SignatureType.POSSESSION_KNOWLEDGE);
+        final OperationUserActionResponse response = operationService.attemptApproveOperation(approveRequest);
+        assertEquals(UserActionResult.APPROVED, response.getResult());
+        final OperationDetailRequest detailRequest = new OperationDetailRequest();
+        detailRequest.setOperationId(operation.getId());
+        final OperationDetailResponse operationDetail = operationService.getOperation(detailRequest);
+        assertEquals("test_user", operationDetail.getUserId());
+    }
+
+    @Test
+    void testAnonymousOperationFailedApproveUserNotChanged() throws GenericServiceException {
+        final OperationCreateRequest operationCreateRequest = new OperationCreateRequest();
+        operationCreateRequest.setApplications(List.of("PA_Tests"));
+        operationCreateRequest.setTemplateName("test-template");
+        final OperationDetailResponse operation = operationService.createOperation(operationCreateRequest);
+        final OperationApproveRequest approveRequest = new OperationApproveRequest();
+        approveRequest.setOperationId(operation.getId());
+        approveRequest.setUserId("invalid_user");
+        approveRequest.setData("invalid_data");
+        approveRequest.setApplicationId("PA_Tests");
+        approveRequest.setSignatureType(SignatureType.POSSESSION_KNOWLEDGE);
+        final OperationUserActionResponse response = operationService.attemptApproveOperation(approveRequest);
+        assertEquals(UserActionResult.APPROVAL_FAILED, response.getResult());
+        final OperationDetailRequest detailRequest = new OperationDetailRequest();
+        detailRequest.setOperationId(operation.getId());
+        final OperationDetailResponse operationDetail = operationService.getOperation(detailRequest);
+        assertNull(operationDetail.getUserId());
+    }
+
+    @Test
+    void testAnonymousOperationFailedOperationUserNotChanged() throws GenericServiceException {
+        final OperationCreateRequest operationCreateRequest = new OperationCreateRequest();
+        operationCreateRequest.setApplications(List.of("PA_Tests"));
+        operationCreateRequest.setTemplateName("test-template");
+        final OperationDetailResponse operation = operationService.createOperation(operationCreateRequest);
+        for (int i = 0; i < 5; i++) {
+            final OperationApproveRequest approveRequest = new OperationApproveRequest();
+            approveRequest.setOperationId(operation.getId());
+            approveRequest.setUserId("invalid_user");
+            approveRequest.setData("invalid_data");
+            approveRequest.setApplicationId("PA_Tests");
+            approveRequest.setSignatureType(SignatureType.POSSESSION_KNOWLEDGE);
+            final OperationUserActionResponse response = operationService.attemptApproveOperation(approveRequest);
+            if (i == 4) {
+                assertEquals(UserActionResult.OPERATION_FAILED, response.getResult());
+            } else {
+                assertEquals(UserActionResult.APPROVAL_FAILED, response.getResult());
+            }
+        }
+        final OperationDetailRequest detailRequest = new OperationDetailRequest();
+        detailRequest.setOperationId(operation.getId());
+        final OperationDetailResponse operationDetail = operationService.getOperation(detailRequest);
+        assertNull(operationDetail.getUserId());
+    }
+
+    @Test
+    void testAnonymousOperationRejectUserChanged() throws GenericServiceException {
+        final OperationCreateRequest operationCreateRequest = new OperationCreateRequest();
+        operationCreateRequest.setApplications(List.of("PA_Tests"));
+        operationCreateRequest.setTemplateName("test-template");
+        final OperationDetailResponse operation = operationService.createOperation(operationCreateRequest);
+        final OperationRejectRequest rejectRequest = new OperationRejectRequest();
+        rejectRequest.setOperationId(operation.getId());
+        rejectRequest.setUserId("test_user");
+        rejectRequest.setApplicationId("PA_Tests");
+        final OperationUserActionResponse response = operationService.rejectOperation(rejectRequest);
+        assertEquals(UserActionResult.REJECTED, response.getResult());
+        final OperationDetailRequest detailRequest = new OperationDetailRequest();
+        detailRequest.setOperationId(operation.getId());
+        final OperationDetailResponse operationDetail = operationService.getOperation(detailRequest);
+        assertEquals("test_user", operationDetail.getUserId());
+    }
+
+    @Test
+    void testAnonymousOperationRejectFailedUserNotChanged() throws GenericServiceException {
+        final OperationCreateRequest operationCreateRequest = new OperationCreateRequest();
+        operationCreateRequest.setApplications(List.of("PA_Tests"));
+        operationCreateRequest.setTemplateName("test-template");
+        final OperationDetailResponse operation = operationService.createOperation(operationCreateRequest);
+        final OperationRejectRequest rejectRequest = new OperationRejectRequest();
+        rejectRequest.setOperationId(operation.getId());
+        rejectRequest.setUserId("test_user");
+        rejectRequest.setApplicationId(APP_ID);
+        final OperationUserActionResponse response = operationService.rejectOperation(rejectRequest);
+        assertEquals(UserActionResult.REJECT_FAILED, response.getResult());
+        final OperationDetailRequest detailRequest = new OperationDetailRequest();
+        detailRequest.setOperationId(operation.getId());
+        final OperationDetailResponse operationDetail = operationService.getOperation(detailRequest);
+        assertNull(operationDetail.getUserId());
+    }
+
     private void createApplication() throws GenericServiceException {
         boolean appExists = applicationService.getApplicationList().getApplications().stream()
                 .anyMatch(app -> app.getApplicationId().equals(APP_ID));

powerauth-rest-client-spring/pom.xml

@@ -28,7 +28,7 @@
     <parent>
         <groupId>io.getlime.security</groupId>
         <artifactId>powerauth-server-parent</artifactId>
-        <version>1.6.5-SNAPSHOT</version>
+        <version>1.6.6</version>
     </parent>
 
     <dependencies>