720: Implement attribute checker

Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=720

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/Constants.java

+package eu.dariah.de.dariahsp;
+
+public class Constants {
+	public enum AUTHENTICATION_STAGE { AUTHENTICATION, ATTRIBUTES }
+	
+	public enum REQUIRED_ATTRIBUTE_CHECKLOGIC { AND, OR }
+}

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/saml/attributequery/SAMLAttribute.java

+package eu.dariah.de.dariahsp.saml.attributequery;
+
+public class SAMLAttribute {
+    private String name;
+    private String nameFormat;
+    private String friendlyName;
+    
+    
+	public String getName() { return name; }
+	public void setName(String name) { this.name = name; }
+	
+	public String getNameFormat() { return nameFormat; }
+	public void setNameFormat(String nameFormat) { this.nameFormat = nameFormat; }
+	
+	public String getFriendlyName() { return friendlyName; }
+	public void setFriendlyName(String friendlyName) { this.friendlyName = friendlyName; }
+}

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/saml/attributequery/SAMLAttributeAggregationService.java

@@ -36,12 +36,18 @@ public class SAMLAttributeAggregationService {
 		}
 		
 		boolean queryRequired = true;
-				
-		if (queryOptions.getNoAggregationRequiredForEndpoints().contains(credential.getRemoteEntityID()) && 
-				hasAllReqAttributes(credential.getAttributes())) {
-			queryRequired = false;
+			
+		if (queryOptions.getExclusionOptions()!=null) {
+			for (SAMLAttributeQueryExclusionOptions exOpt : queryOptions.getExclusionOptions()) {
+				if (exOpt.getExcludedEndpoints().contains(credential.getRemoteEntityID())) {
+					if (exOpt.isAssumeRequiredAttributes() || hasAllReqAttributes(credential.getAttributes())) {
+						queryRequired = false;
+					}
+					break;
+				}
+			}
 		}
-
+		
 		if (queryRequired) {
 			try {
 				aggregateAttributes(credential, attributeQuery.queryAttributes(credential, queryOptions));
@@ -54,16 +60,16 @@ public class SAMLAttributeAggregationService {
 	public boolean hasAllReqAttributes(List<Attribute> providedAttributes) {
 		
 		// Some shortcuts...
-		if (queryOptions.getRequiredAttributes() == null || queryOptions.getRequiredAttributes().length==0) {
+		if (queryOptions.getRequiredAttributes() == null || queryOptions.getRequiredAttributes().size()==0) {
 			return true;
 		} else if (providedAttributes == null) {
 			return false;
-		} else if (queryOptions.getRequiredAttributes().length > providedAttributes.size()) {
+		} else if (queryOptions.getRequiredAttributes().size() > providedAttributes.size()) {
 			return false;
 		}
 		
 		// Really checking individual attributes
-		for (String reqAttr : queryOptions.getRequiredAttributes()) {
+		/*for (String reqAttr : queryOptions.getRequiredAttributes()) {
 			boolean found = false;
 			for (Attribute attr : providedAttributes) {
 				if (attr.getFriendlyName().equals(reqAttr) || attr.getName().equals(reqAttr)) {
@@ -74,7 +80,7 @@ public class SAMLAttributeAggregationService {
 			if (!found) {
 				return false;
 			}
-		}
+		}*/
 		return true;
 	}
 	

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/saml/attributequery/SAMLAttributeQueryExclusionOptions.java

+package eu.dariah.de.dariahsp.saml.attributequery;
+
+import java.util.List;
+
+public class SAMLAttributeQueryExclusionOptions {
+	private boolean assumeRequiredAttributes;
+	private List<String> excludedEndpoints;
+	
+	public boolean isAssumeRequiredAttributes() { return assumeRequiredAttributes; }
+	public void setAssumeRequiredAttributes(boolean assumeRequiredAttributes) { this.assumeRequiredAttributes = assumeRequiredAttributes; }
+	
+	public List<String> getExcludedEndpoints() { return excludedEndpoints; }
+	public void setExcludedEndpoints(List<String> excludedEndpoints) { this.excludedEndpoints = excludedEndpoints; }
+}
\ No newline at end of file

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/saml/attributequery/SAMLAttributeQueryImpl.java

@@ -39,6 +39,7 @@ import org.opensaml.saml2.core.StatusMessage;
 import org.opensaml.saml2.core.Subject;
 import org.opensaml.saml2.core.SubjectConfirmation;
 import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.core.impl.AttributeImpl;
 import org.opensaml.saml2.core.impl.StatusCodeImpl;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/saml/attributequery/SAMLAttributeQueryOptions.java

 package eu.dariah.de.dariahsp.saml.attributequery;
 
 import java.io.Serializable;
+import java.util.List;
+
+import org.opensaml.saml2.core.impl.AttributeImpl;
 
 public class SAMLAttributeQueryOptions implements Serializable, Cloneable {
 	private static final long serialVersionUID = -4144833937554662238L;
@@ -10,40 +13,43 @@ public class SAMLAttributeQueryOptions implements Serializable, Cloneable {
 	private String subjectIdAttributeFormat;
 	private String subjectIdAttributeName;
 	private boolean subjectIdAttributeIgnoreCase = true;
-	private String noAggregationRequiredForEndpoints;
+	
+	private List<SAMLRequiredAttributes> requiredAttributes;
 	
 	private boolean performAggregation = true;
 	
-	private String[] requiredAttributes;
 	
-	public String getAttributeAuthorityIDP() {
-		return attributeAuthorityIDP;
-	}
+	private List<SAMLAttributeQueryExclusionOptions> exclusionOptions;
+	
+	
+	
+	
+	public String getAttributeAuthorityIDP() { return attributeAuthorityIDP; }
+	public void setAttributeAuthorityIDP(String attributeAuthorityIDP) { this.attributeAuthorityIDP = attributeAuthorityIDP; }
 
-	public void setAttributeAuthorityIDP(String attributeAuthorityIDP) {
-		this.attributeAuthorityIDP = attributeAuthorityIDP;
-	}
+	public boolean isUseOriginalSubjectNameID() { return useOriginalSubjectNameID; }
+	public void setUseOriginalSubjectNameID(boolean useOriginalSubjectNameID) { this.useOriginalSubjectNameID = useOriginalSubjectNameID; }
 
-	public boolean isUseOriginalSubjectNameID() {
-		return useOriginalSubjectNameID;
-	}
+	public String getSubjectIdAttributeFormat() { return subjectIdAttributeFormat; }
+	public void setSubjectIdAttributeFormat(String subjectIdAttributeFormat) { this.subjectIdAttributeFormat = subjectIdAttributeFormat; }
 
-	public void setUseOriginalSubjectNameID(boolean useOriginalSubjectNameID) {
-		this.useOriginalSubjectNameID = useOriginalSubjectNameID;
-	}
+	public String getSubjectIdAttributeName() { return isSubjectIdAttributeIgnoreCase() ? subjectIdAttributeName.toLowerCase() : subjectIdAttributeName; }	
+	public void setSubjectIdAttributeName(String subjectIdAttributeName) { this.subjectIdAttributeName = subjectIdAttributeName; }
+	
+	public boolean isSubjectIdAttributeIgnoreCase() { return subjectIdAttributeIgnoreCase; }
+	public void setSubjectIdAttributeIgnoreCase(boolean subjectIdAttributeIgnoreCase) { this.subjectIdAttributeIgnoreCase = subjectIdAttributeIgnoreCase; }
 
-	public String getSubjectIdAttributeFormat() {
-		return subjectIdAttributeFormat;
-	}
+	public List<SAMLRequiredAttributes> getRequiredAttributes() { return requiredAttributes; }
+	public void setRequiredAttributes(List<SAMLRequiredAttributes> requiredAttributes) { this.requiredAttributes = requiredAttributes; }
 
-	public void setSubjectIdAttributeFormat(String subjectIdAttributeFormat) {
-		this.subjectIdAttributeFormat = subjectIdAttributeFormat;
-	}
+	public boolean isPerformAggregation() { return performAggregation; }
+ 	public void setPerformAggregation(boolean performAggregation) { this.performAggregation = performAggregation; }
 
-	public String getSubjectIdAttributeName() {
-		return isSubjectIdAttributeIgnoreCase() ? subjectIdAttributeName.toLowerCase() : subjectIdAttributeName;
-	}
 
+ 	public List<SAMLAttributeQueryExclusionOptions> getExclusionOptions() { return exclusionOptions; }
+	public void setExclusionOptions(List<SAMLAttributeQueryExclusionOptions> exclusionOptions) { this.exclusionOptions = exclusionOptions; }
+	
+	
 	public boolean isSubjectIdAttribute(String attributeName) {
 		if (useOriginalSubjectNameID) {
 			return false;
@@ -54,41 +60,4 @@ public class SAMLAttributeQueryOptions implements Serializable, Cloneable {
 			return attributeName.equals(subjectIdAttributeName);
 		}
 	}
-	
-	public void setSubjectIdAttributeName(String subjectIdAttributeName) {
-		this.subjectIdAttributeName = subjectIdAttributeName;
-	}
-
-	public boolean isSubjectIdAttributeIgnoreCase() {
-		return subjectIdAttributeIgnoreCase;
-	}
-
-	public void setSubjectIdAttributeIgnoreCase(boolean subjectIdAttributeIgnoreCase) {
-		this.subjectIdAttributeIgnoreCase = subjectIdAttributeIgnoreCase;
-	}
-
-	public String[] getRequiredAttributes() {
-		return requiredAttributes;
-	}
-
-	public void setRequiredAttributes(String[] requiredAttributes) {
-		this.requiredAttributes = requiredAttributes;
-	}
-
-	public boolean isPerformAggregation() {
-		return performAggregation;
-	}
-
-	public void setPerformAggregation(boolean performAggregation) {
-		this.performAggregation = performAggregation;
-	}
-
-	public String getNoAggregationRequiredForEndpoints() {
-		return noAggregationRequiredForEndpoints;
-	}
-
-	public void setNoAggregationRequiredForEndpoints(
-			String noAggregationRequiredForEndpoints) {
-		this.noAggregationRequiredForEndpoints = noAggregationRequiredForEndpoints;
-	}
-}
+}
\ No newline at end of file

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/saml/attributequery/SAMLRequiredAttributes.java

+package eu.dariah.de.dariahsp.saml.attributequery;
+
+import java.util.List;
+import java.util.Map;
+
+import eu.dariah.de.dariahsp.Constants.AUTHENTICATION_STAGE;
+import eu.dariah.de.dariahsp.Constants.REQUIRED_ATTRIBUTE_CHECKLOGIC;
+
+public class SAMLRequiredAttributes {
+	private boolean required;
+	private AUTHENTICATION_STAGE stage;
+	private Map<REQUIRED_ATTRIBUTE_CHECKLOGIC, List<SAMLAttribute>> attributeMap;
+	
+	
+	public boolean isRequired() { return required; }
+	public void setRequired(boolean required) { this.required = required; }
+	
+	public AUTHENTICATION_STAGE getStage() { return stage; }
+	public void setStage(AUTHENTICATION_STAGE stage) { this.stage = stage; }
+	
+	public Map<REQUIRED_ATTRIBUTE_CHECKLOGIC, List<SAMLAttribute>> getAttributeMap() { return attributeMap; }
+	public void setAttributeMap(Map<REQUIRED_ATTRIBUTE_CHECKLOGIC, List<SAMLAttribute>> attributeMap) { this.attributeMap = attributeMap; }
+}

dariahsp-sample/src/main/resources/spring/root-context.xml

@@ -3,10 +3,8 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:p="http://www.springframework.org/schema/p"
 	xmlns:context="http://www.springframework.org/schema/context"
-	xmlns:mongo="http://www.springframework.org/schema/data/mongo"
-	xsi:schemaLocation="http://www.springframework.org/schema/data/mongo http://www.springframework.org/schema/data/mongo/spring-mongo-1.7.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 
 
 	<bean id="configLocation" class="java.lang.String">

dariahsp-sample/src/main/resources/spring/security/security-context-common.xml

@@ -2,8 +2,9 @@
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:context="http://www.springframework.org/schema/context"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd 
+              http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 
 	<!-- Enable auto-wiring -->
     <context:annotation-config/>

dariahsp-sample/src/main/resources/spring/security/security-context-local.xml

@@ -2,9 +2,9 @@
 	xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:context="http://www.springframework.org/schema/context"
-	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 				
 	<import resource="security-context-common.xml"/>	
 

dariahsp-sample/src/main/resources/spring/security/security-context-saml.xml

@@ -3,8 +3,11 @@
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:context="http://www.springframework.org/schema/context"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
+       xmlns:util="http://www.springframework.org/schema/util"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd 
+              http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd
+               http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd">
 
     
 
@@ -206,20 +209,51 @@
         <property name="useOriginalSubjectNameID" value="false" />
         <property name="subjectIdAttributeName" value="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"></property>
         <property name="subjectIdAttributeFormat" value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
-        <property name="noAggregationRequiredForEndpoints">
-	        <array>
-	        	<value type="java.lang.String">https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth</value>
-	        </array>
-        </property>
-        <property name="requiredAttributes">
-	        <array>
-	        	<value type="java.lang.String">eduPersonPrincipalName</value>
-	        	<value type="java.lang.String">mail</value>
-	        	<value type="java.lang.String">givenName</value>
-	        </array>
+        
+        <property name="exclusionOptions">
+        	<list>
+        		<bean class="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttributeQueryExclusionOptions">
+        			<property name="assumeRequiredAttributes" value="true" />
+        			<property name="excludedEndpoints">
+        				 <list>
+				        	<value>https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth</value>
+				        	<value>https://idp.de.dariah.eu/idp/shibboleth</value>
+				        </list>
+        			</property>
+        		</bean>
+        	</list>
         </property>
+        
+        
+        
+
+        <property name="requiredAttributes" ref="requiredAttributes" />
+	       
     </bean>
     
+    <util:list id="requiredAttributes" value-type="eu.dariah.de.dariahsp.saml.attributequery.SAMLRequiredAttributes">
+	    <bean class="eu.dariah.de.dariahsp.saml.attributequery.SAMLRequiredAttributes">
+	    	<property name="stage" value="ATTRIBUTES" />
+	    	<property name="required" value="true" />
+	    	<property name="attributeMap">
+	    		<map>
+	    			<entry key="AND">
+	    				<list value-type="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttribute">
+		    				<bean class="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttribute">
+		    					<property name="friendlyName" value="eduPersonPrincipalName" />
+		    					<property name="name" value="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" />
+		    					<property name="nameFormat" value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
+		    				</bean>
+	    				</list>
+	    			</entry>
+	    		</map>
+	    	</property>
+	    </bean>
+	</util:list>
+    
+    
+    
+    
     <bean id="attributeQuery" class="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttributeQueryImpl">
 		<constructor-arg>
 			<bean class="org.apache.commons.httpclient.HttpClient" />

dariahsp-sample/src/main/resources/spring/servlet/servlet-context.xml

@@ -4,10 +4,10 @@
 	xmlns:context="http://www.springframework.org/schema/context"
 	xmlns:mvc="http://www.springframework.org/schema/mvc"
 	xmlns:sec="http://www.springframework.org/schema/security"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
-						http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd
-						http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
-						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+						http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
+						http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd
+						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">
 	
 	<mvc:annotation-driven />
 	<mvc:resources location="/resources/" mapping="/resources/**" cache-period="31556926"/>