Commit 4979ee9f authored by Gradl, Tobias's avatar Gradl, Tobias

720: Implement attribute checker

Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=720
parent f00c24ff
package eu.dariah.de.dariahsp;
public class Constants {
public enum AUTHENTICATION_STAGE { AUTHENTICATION, ATTRIBUTES }
public enum REQUIRED_ATTRIBUTE_CHECKLOGIC { AND, OR }
}
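Review bot: The two enums use `UPPER_SNAKE_CASE` type names (`AUTHENTICATION_STAGE`, `REQUIRED_ATTRIBUTE_CHECKLOGIC`), which Java convention reserves for constants; types should be `UpperCamelCase`, e.g. `public enum AuthenticationStage { AUTHENTICATION, ATTRIBUTES }` and `public enum RequiredAttributeCheckLogic { AND, OR }`. Since `Constants` is a pure holder with no instance state, it should also be `public final class Constants` with a `private Constants() {}` constructor so it cannot be instantiated or subclassed. A one-line Javadoc on each enum saying where it is consumed (the SAML attribute checker configured in `SAMLRequiredAttributes`) would help readers of the Spring config that references these names as plain strings.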
package eu.dariah.de.dariahsp.saml.attributequery;
public class SAMLAttribute {
private String name;
private String nameFormat;
private String friendlyName;
public String getName() { return name; }
public void setName(String name) { this.name = name; }
public String getNameFormat() { return nameFormat; }
public void setNameFormat(String nameFormat) { this.nameFormat = nameFormat; }
public String getFriendlyName() { return friendlyName; }
public void setFriendlyName(String friendlyName) { this.friendlyName = friendlyName; }
}
...@@ -36,12 +36,18 @@ public class SAMLAttributeAggregationService { ...@@ -36,12 +36,18 @@ public class SAMLAttributeAggregationService {
} }
boolean queryRequired = true; boolean queryRequired = true;
if (queryOptions.getNoAggregationRequiredForEndpoints().contains(credential.getRemoteEntityID()) && if (queryOptions.getExclusionOptions()!=null) {
hasAllReqAttributes(credential.getAttributes())) { for (SAMLAttributeQueryExclusionOptions exOpt : queryOptions.getExclusionOptions()) {
queryRequired = false; if (exOpt.getExcludedEndpoints().contains(credential.getRemoteEntityID())) {
if (exOpt.isAssumeRequiredAttributes() || hasAllReqAttributes(credential.getAttributes())) {
queryRequired = false;
}
break;
}
}
} }
if (queryRequired) { if (queryRequired) {
try { try {
aggregateAttributes(credential, attributeQuery.queryAttributes(credential, queryOptions)); aggregateAttributes(credential, attributeQuery.queryAttributes(credential, queryOptions));
...@@ -54,16 +60,16 @@ public class SAMLAttributeAggregationService { ...@@ -54,16 +60,16 @@ public class SAMLAttributeAggregationService {
public boolean hasAllReqAttributes(List<Attribute> providedAttributes) { public boolean hasAllReqAttributes(List<Attribute> providedAttributes) {
// Some shortcuts... // Some shortcuts...
if (queryOptions.getRequiredAttributes() == null || queryOptions.getRequiredAttributes().length==0) { if (queryOptions.getRequiredAttributes() == null || queryOptions.getRequiredAttributes().size()==0) {
return true; return true;
} else if (providedAttributes == null) { } else if (providedAttributes == null) {
return false; return false;
} else if (queryOptions.getRequiredAttributes().length > providedAttributes.size()) { } else if (queryOptions.getRequiredAttributes().size() > providedAttributes.size()) {
return false; return false;
} }
// Really checking individual attributes // Really checking individual attributes
for (String reqAttr : queryOptions.getRequiredAttributes()) { /*for (String reqAttr : queryOptions.getRequiredAttributes()) {
boolean found = false; boolean found = false;
for (Attribute attr : providedAttributes) { for (Attribute attr : providedAttributes) {
if (attr.getFriendlyName().equals(reqAttr) || attr.getName().equals(reqAttr)) { if (attr.getFriendlyName().equals(reqAttr) || attr.getName().equals(reqAttr)) {
...@@ -74,7 +80,7 @@ public class SAMLAttributeAggregationService { ...@@ -74,7 +80,7 @@ public class SAMLAttributeAggregationService {
if (!found) { if (!found) {
return false; return false;
} }
} }*/
return true; return true;
} }
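Review bot: `hasAllReqAttributes` no longer checks any attribute: the per-attribute loop following `// Really checking individual attributes` is commented out through `}*/`, so the method returns `true` whenever the required list is non-empty, `providedAttributes` is non-null and `getRequiredAttributes().size() <= providedAttributes.size()`. That size comparison also changed meaning with the new type — `getRequiredAttributes()` is now a `List<SAMLRequiredAttributes>` (AND/OR groups), not a list of attribute names, so comparing its size with the number of provided attributes says nothing about whether the configured attributes are present. Until the check is rewritten against `SAMLRequiredAttributes.getAttributeMap()`, the conservative choice is to fail closed and let aggregation run, e.g. replace the trailing `return true;` with `return false; // TODO: evaluate attributeMap per REQUIRED_ATTRIBUTE_CHECKLOGIC`, otherwise an excluded endpoint with `assumeRequiredAttributes=false` skips the attribute query as soon as the counts line up. The method starts in the previous hunk (`@@ -54,16 +60,16 @@`); note also that the exclusion loop in the first hunk calls `exOpt.getExcludedEndpoints().contains(...)` without the null guard that was added for `getExclusionOptions()`.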
......
package eu.dariah.de.dariahsp.saml.attributequery;
import java.util.List;
public class SAMLAttributeQueryExclusionOptions {
private boolean assumeRequiredAttributes;
private List<String> excludedEndpoints;
public boolean isAssumeRequiredAttributes() { return assumeRequiredAttributes; }
public void setAssumeRequiredAttributes(boolean assumeRequiredAttributes) { this.assumeRequiredAttributes = assumeRequiredAttributes; }
public List<String> getExcludedEndpoints() { return excludedEndpoints; }
public void setExcludedEndpoints(List<String> excludedEndpoints) { this.excludedEndpoints = excludedEndpoints; }
}
\ No newline at end of file
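Review bot: `excludedEndpoints` defaults to `null`, and the consumer in `SAMLAttributeAggregationService` calls `exOpt.getExcludedEndpoints().contains(credential.getRemoteEntityID())` on it, so an exclusion option configured without that property throws a `NullPointerException` during login; initialize the field, e.g. `private List<String> excludedEndpoints = new ArrayList<>();` (adding `import java.util.ArrayList;`), or have the getter return `Collections.emptyList()` when unset. A class Javadoc stating that `assumeRequiredAttributes = true` bypasses the required-attribute presence check for the listed endpoints would also help, since that flag effectively extends trust to those IdPs' own assertions. The file is missing a trailing newline.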
...@@ -39,6 +39,7 @@ import org.opensaml.saml2.core.StatusMessage; ...@@ -39,6 +39,7 @@ import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation; import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData; import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.core.impl.AttributeImpl;
import org.opensaml.saml2.core.impl.StatusCodeImpl; import org.opensaml.saml2.core.impl.StatusCodeImpl;
import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor; import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
......
package eu.dariah.de.dariahsp.saml.attributequery; package eu.dariah.de.dariahsp.saml.attributequery;
import java.io.Serializable; import java.io.Serializable;
import java.util.List;
import org.opensaml.saml2.core.impl.AttributeImpl;
public class SAMLAttributeQueryOptions implements Serializable, Cloneable { public class SAMLAttributeQueryOptions implements Serializable, Cloneable {
private static final long serialVersionUID = -4144833937554662238L; private static final long serialVersionUID = -4144833937554662238L;
...@@ -10,40 +13,43 @@ public class SAMLAttributeQueryOptions implements Serializable, Cloneable { ...@@ -10,40 +13,43 @@ public class SAMLAttributeQueryOptions implements Serializable, Cloneable {
private String subjectIdAttributeFormat; private String subjectIdAttributeFormat;
private String subjectIdAttributeName; private String subjectIdAttributeName;
private boolean subjectIdAttributeIgnoreCase = true; private boolean subjectIdAttributeIgnoreCase = true;
private String noAggregationRequiredForEndpoints;
private List<SAMLRequiredAttributes> requiredAttributes;
private boolean performAggregation = true; private boolean performAggregation = true;
private String[] requiredAttributes;
public String getAttributeAuthorityIDP() { private List<SAMLAttributeQueryExclusionOptions> exclusionOptions;
return attributeAuthorityIDP;
}
public String getAttributeAuthorityIDP() { return attributeAuthorityIDP; }
public void setAttributeAuthorityIDP(String attributeAuthorityIDP) { this.attributeAuthorityIDP = attributeAuthorityIDP; }
public void setAttributeAuthorityIDP(String attributeAuthorityIDP) { public boolean isUseOriginalSubjectNameID() { return useOriginalSubjectNameID; }
this.attributeAuthorityIDP = attributeAuthorityIDP; public void setUseOriginalSubjectNameID(boolean useOriginalSubjectNameID) { this.useOriginalSubjectNameID = useOriginalSubjectNameID; }
}
public boolean isUseOriginalSubjectNameID() { public String getSubjectIdAttributeFormat() { return subjectIdAttributeFormat; }
return useOriginalSubjectNameID; public void setSubjectIdAttributeFormat(String subjectIdAttributeFormat) { this.subjectIdAttributeFormat = subjectIdAttributeFormat; }
}
public void setUseOriginalSubjectNameID(boolean useOriginalSubjectNameID) { public String getSubjectIdAttributeName() { return isSubjectIdAttributeIgnoreCase() ? subjectIdAttributeName.toLowerCase() : subjectIdAttributeName; }
this.useOriginalSubjectNameID = useOriginalSubjectNameID; public void setSubjectIdAttributeName(String subjectIdAttributeName) { this.subjectIdAttributeName = subjectIdAttributeName; }
}
public boolean isSubjectIdAttributeIgnoreCase() { return subjectIdAttributeIgnoreCase; }
public void setSubjectIdAttributeIgnoreCase(boolean subjectIdAttributeIgnoreCase) { this.subjectIdAttributeIgnoreCase = subjectIdAttributeIgnoreCase; }
public String getSubjectIdAttributeFormat() { public List<SAMLRequiredAttributes> getRequiredAttributes() { return requiredAttributes; }
return subjectIdAttributeFormat; public void setRequiredAttributes(List<SAMLRequiredAttributes> requiredAttributes) { this.requiredAttributes = requiredAttributes; }
}
public void setSubjectIdAttributeFormat(String subjectIdAttributeFormat) { public boolean isPerformAggregation() { return performAggregation; }
this.subjectIdAttributeFormat = subjectIdAttributeFormat; public void setPerformAggregation(boolean performAggregation) { this.performAggregation = performAggregation; }
}
public String getSubjectIdAttributeName() {
return isSubjectIdAttributeIgnoreCase() ? subjectIdAttributeName.toLowerCase() : subjectIdAttributeName;
}
public List<SAMLAttributeQueryExclusionOptions> getExclusionOptions() { return exclusionOptions; }
public void setExclusionOptions(List<SAMLAttributeQueryExclusionOptions> exclusionOptions) { this.exclusionOptions = exclusionOptions; }
public boolean isSubjectIdAttribute(String attributeName) { public boolean isSubjectIdAttribute(String attributeName) {
if (useOriginalSubjectNameID) { if (useOriginalSubjectNameID) {
return false; return false;
...@@ -54,41 +60,4 @@ public class SAMLAttributeQueryOptions implements Serializable, Cloneable { ...@@ -54,41 +60,4 @@ public class SAMLAttributeQueryOptions implements Serializable, Cloneable {
return attributeName.equals(subjectIdAttributeName); return attributeName.equals(subjectIdAttributeName);
} }
} }
}
public void setSubjectIdAttributeName(String subjectIdAttributeName) { \ No newline at end of file
this.subjectIdAttributeName = subjectIdAttributeName;
}
public boolean isSubjectIdAttributeIgnoreCase() {
return subjectIdAttributeIgnoreCase;
}
public void setSubjectIdAttributeIgnoreCase(boolean subjectIdAttributeIgnoreCase) {
this.subjectIdAttributeIgnoreCase = subjectIdAttributeIgnoreCase;
}
public String[] getRequiredAttributes() {
return requiredAttributes;
}
public void setRequiredAttributes(String[] requiredAttributes) {
this.requiredAttributes = requiredAttributes;
}
public boolean isPerformAggregation() {
return performAggregation;
}
public void setPerformAggregation(boolean performAggregation) {
this.performAggregation = performAggregation;
}
public String getNoAggregationRequiredForEndpoints() {
return noAggregationRequiredForEndpoints;
}
public void setNoAggregationRequiredForEndpoints(
String noAggregationRequiredForEndpoints) {
this.noAggregationRequiredForEndpoints = noAggregationRequiredForEndpoints;
}
}
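Review bot: The class still `implements Serializable`, but the two new fields `List<SAMLRequiredAttributes> requiredAttributes` and `List<SAMLAttributeQueryExclusionOptions> exclusionOptions` hold element types that, as added in this commit, do not implement `Serializable` (nor does `SAMLAttribute` inside the attribute map), so if an options instance is ever serialized — e.g. with an HTTP session — it will fail with `NotSerializableException`; either make those three classes `implements Serializable` or mark the two fields `transient`. The added `import org.opensaml.saml2.core.impl.AttributeImpl;` is not referenced anywhere in the visible class and should be dropped. The class also advertises `Cloneable` without a visible `clone()` override; with the new mutable list fields a shallow clone would share them, which is worth a Javadoc note if that is intended. The class body is cut by the hunk headers, so some members may lie outside this view.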
package eu.dariah.de.dariahsp.saml.attributequery;
import java.util.List;
import java.util.Map;
import eu.dariah.de.dariahsp.Constants.AUTHENTICATION_STAGE;
import eu.dariah.de.dariahsp.Constants.REQUIRED_ATTRIBUTE_CHECKLOGIC;
public class SAMLRequiredAttributes {
private boolean required;
private AUTHENTICATION_STAGE stage;
private Map<REQUIRED_ATTRIBUTE_CHECKLOGIC, List<SAMLAttribute>> attributeMap;
public boolean isRequired() { return required; }
public void setRequired(boolean required) { this.required = required; }
public AUTHENTICATION_STAGE getStage() { return stage; }
public void setStage(AUTHENTICATION_STAGE stage) { this.stage = stage; }
public Map<REQUIRED_ATTRIBUTE_CHECKLOGIC, List<SAMLAttribute>> getAttributeMap() { return attributeMap; }
public void setAttributeMap(Map<REQUIRED_ATTRIBUTE_CHECKLOGIC, List<SAMLAttribute>> attributeMap) { this.attributeMap = attributeMap; }
}
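Review bot: The meaning of `required` and `stage` on a class named `SAMLRequiredAttributes` is undocumented — it is not clear what an entry with `required = false` expresses, or whether `stage` selects when the entry is evaluated (at `AUTHENTICATION` versus `ATTRIBUTES`). Add a class Javadoc explaining that `attributeMap` groups attributes under `AND` (all must be present) or `OR` (at least one must be present), what `stage` gates, and what `required = false` means for the overall check. Since the map is keyed by an enum, the initializing side could use `EnumMap`, though the `Map` field type is fine as an API.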
...@@ -3,10 +3,8 @@ ...@@ -3,10 +3,8 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mongo="http://www.springframework.org/schema/data/mongo" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
xsi:schemaLocation="http://www.springframework.org/schema/data/mongo http://www.springframework.org/schema/data/mongo/spring-mongo-1.7.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<bean id="configLocation" class="java.lang.String"> <bean id="configLocation" class="java.lang.String">
......
...@@ -2,8 +2,9 @@ ...@@ -2,8 +2,9 @@
xmlns:security="http://www.springframework.org/schema/security" xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd"> http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<!-- Enable auto-wiring --> <!-- Enable auto-wiring -->
<context:annotation-config/> <context:annotation-config/>
......
...@@ -2,9 +2,9 @@ ...@@ -2,9 +2,9 @@
xmlns="http://www.springframework.org/schema/beans" xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<import resource="security-context-common.xml"/> <import resource="security-context-common.xml"/>
......
...@@ -3,8 +3,11 @@ ...@@ -3,8 +3,11 @@
xmlns:security="http://www.springframework.org/schema/security" xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd xmlns:util="http://www.springframework.org/schema/util"
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd"> xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd">
...@@ -206,20 +209,51 @@ ...@@ -206,20 +209,51 @@
<property name="useOriginalSubjectNameID" value="false" /> <property name="useOriginalSubjectNameID" value="false" />
<property name="subjectIdAttributeName" value="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"></property> <property name="subjectIdAttributeName" value="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"></property>
<property name="subjectIdAttributeFormat" value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> <property name="subjectIdAttributeFormat" value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
<property name="noAggregationRequiredForEndpoints">
<array> <property name="exclusionOptions">
<value type="java.lang.String">https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth</value> <list>
</array> <bean class="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttributeQueryExclusionOptions">
</property> <property name="assumeRequiredAttributes" value="true" />
<property name="requiredAttributes"> <property name="excludedEndpoints">
<array> <list>
<value type="java.lang.String">eduPersonPrincipalName</value> <value>https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth</value>
<value type="java.lang.String">mail</value> <value>https://idp.de.dariah.eu/idp/shibboleth</value>
<value type="java.lang.String">givenName</value> </list>
</array> </property>
</bean>
</list>
</property> </property>
<property name="requiredAttributes" ref="requiredAttributes" />
</bean> </bean>
<util:list id="requiredAttributes" value-type="eu.dariah.de.dariahsp.saml.attributequery.SAMLRequiredAttributes">
<bean class="eu.dariah.de.dariahsp.saml.attributequery.SAMLRequiredAttributes">
<property name="stage" value="ATTRIBUTES" />
<property name="required" value="true" />
<property name="attributeMap">
<map>
<entry key="AND">
<list value-type="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttribute">
<bean class="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttribute">
<property name="friendlyName" value="eduPersonPrincipalName" />
<property name="name" value="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" />
<property name="nameFormat" value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
</bean>
</list>
</entry>
</map>
</property>
</bean>
</util:list>
<bean id="attributeQuery" class="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttributeQueryImpl"> <bean id="attributeQuery" class="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttributeQueryImpl">
<constructor-arg> <constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient" /> <bean class="org.apache.commons.httpclient.HttpClient" />
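Review bot: Both exclusion endpoints are configured with `assumeRequiredAttributes="true"`, which in the new service logic short-circuits `hasAllReqAttributes` for those IdPs, so the `requiredAttributes` list below (the `AND` group containing eduPersonPrincipalName) is never evaluated for them; if the intent is only to avoid a redundant query to the attribute authority, `assumeRequiredAttributes="false"` keeps the presence check in the path once the checker is implemented. The required set also shrinks from eduPersonPrincipalName/mail/givenName to eduPersonPrincipalName alone — presumably intended, but worth stating in the commit message. A short XML comment above `<util:list id="requiredAttributes">` describing the `AND`/`OR` keys and the `stage`/`required` properties would make the list self-describing for operators editing this file.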
......
...@@ -4,10 +4,10 @@ ...@@ -4,10 +4,10 @@
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<mvc:annotation-driven /> <mvc:annotation-driven />
<mvc:resources location="/resources/" mapping="/resources/**" cache-period="31556926"/> <mvc:resources location="/resources/" mapping="/resources/**" cache-period="31556926"/>
......