Commit 63c7c8d9 authored by Gradl, Tobias's avatar Gradl, Tobias

729: Produce metadata based on defined attributes

Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=729
parent a58e9bce
......@@ -2,7 +2,9 @@ package eu.dariah.de.dariahsp.saml.metadata;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.metadata.AttributeConsumingService;
......@@ -11,53 +13,54 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.saml.metadata.MetadataGenerator;
import eu.dariah.de.dariahsp.exceptions.SecurityConfigException;
import eu.dariah.de.dariahsp.Constants.AUTHENTICATION_STAGE;
import eu.dariah.de.dariahsp.Constants.REQUIRED_ATTRIBUTE_CHECKLOGIC;
import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLAttributeGroup;
import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributes;
import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributesList;
import eu.dariah.de.dariahsp.saml.model.SAMLAttribute;
public class AttributeMetadataGenerator extends MetadataGenerator implements InitializingBean {
private String[] attributeNames;
private String[] attributeFriendlyNames;
private String[] attributeNameFormats;
private String[] attributeRequired;
private List<RequestedAttribute> requestedAttributes;
public String[] getAttributeNames() { return attributeNames; }
public void setAttributeNames(String[] attributeNames) { this.attributeNames = attributeNames; }
public String[] getAttributeFriendlyNames() { return attributeFriendlyNames; }
public void setAttributeFriendlyNames(String[] attributeFriendlyNames) { this.attributeFriendlyNames = attributeFriendlyNames; }
public String[] getAttributeNameFormats() { return attributeNameFormats; }
public void setAttributeNameFormats(String[] attributeNameFormats) { this.attributeNameFormats = attributeNameFormats; }
private SAMLRequiredAttributesList requiredAttributes;
private Map<String, RequestedAttribute> renderedAttributeMap;
public String[] getAttributeRequired() { return attributeRequired; }
public void setAttributeRequired(String[] attributeRequired) { this.attributeRequired = attributeRequired; }
public SAMLRequiredAttributesList getRequiredAttributes() { return requiredAttributes; }
public void setRequiredAttributes(SAMLRequiredAttributesList requiredAttributes) { this.requiredAttributes = requiredAttributes; }
@Override
public void afterPropertiesSet() throws Exception {
if (attributeRequired!=null || attributeNames!=null || attributeFriendlyNames!=null || attributeNameFormats!=null) {
try {
if (attributeRequired.length!=attributeNames.length && attributeNames.length!=attributeFriendlyNames.length &&
attributeFriendlyNames.length!=attributeNameFormats.length) {
throw new SecurityConfigException("Array lengths do not match");
}
requestedAttributes = new ArrayList<RequestedAttribute>();
if (requiredAttributes!=null) {
List<SAMLRequiredAttributes> authAttributes = requiredAttributes.getForStage(AUTHENTICATION_STAGE.AUTHENTICATION, false);
if (authAttributes!=null) {
SAMLObjectBuilder<RequestedAttribute> attrbuilder = (SAMLObjectBuilder<RequestedAttribute>) builderFactory.getBuilder(RequestedAttribute.DEFAULT_ELEMENT_NAME);
RequestedAttribute attr;
for (int i=0; i<attributeRequired.length; i++) {
attr = attrbuilder.buildObject();
attr.setIsRequired(Boolean.parseBoolean(attributeRequired[i].trim()));
attr.setNameFormat(attributeNameFormats[i].trim());
attr.setName(attributeNames[i].trim());
attr.setFriendlyName(attributeFriendlyNames[i].trim());
requestedAttributes.add(attr);
renderedAttributeMap = new HashMap<String, RequestedAttribute>();
for (SAMLRequiredAttributes authAttribute : authAttributes) {
if (authAttribute.getAttributeGroup()!=null) {
for (SAMLAttributeGroup group : authAttribute.getAttributeGroup()) {
if (group.getAttributes()!=null) {
for (SAMLAttribute attribute : group.getAttributes()) {
if (renderedAttributeMap.containsKey(attribute.getName())) {
attr = renderedAttributeMap.get(attribute.getName());
attr.setIsRequired(attr.isRequired() || (group.getCheck().equals(REQUIRED_ATTRIBUTE_CHECKLOGIC.AND) && authAttribute.isRequired()));
} else {
attr = attrbuilder.buildObject();
attr.setIsRequired(group.getCheck().equals(REQUIRED_ATTRIBUTE_CHECKLOGIC.AND) && authAttribute.isRequired());
attr.setNameFormat(attribute.getNameFormat());
attr.setName(attribute.getName());
attr.setFriendlyName(attribute.getFriendlyName());
renderedAttributeMap.put(attr.getName(), attr);
}
}
}
}
}
}
} catch (Exception e) {
throw new SecurityConfigException("Failed to determine requested attributes specified. Numbers of arguments [required, names, friendlyNames, nameFormats] must match", e);
}
}
}
......@@ -65,7 +68,7 @@ public class AttributeMetadataGenerator extends MetadataGenerator implements Ini
@Override
protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection<String> includedNameID) {
SPSSODescriptor spDescriptor = super.buildSPSSODescriptor(entityBaseURL, entityAlias, requestSigned, wantAssertionSigned, includedNameID);
if (this.requestedAttributes!=null && !this.requestedAttributes.isEmpty()) {
if (this.renderedAttributeMap!=null && !this.renderedAttributeMap.isEmpty()) {
spDescriptor.getAttributeConsumingServices().add(getAttributeConsumingService(entityBaseURL, entityAlias, true, 1));
}
return spDescriptor;
......@@ -87,7 +90,7 @@ public class AttributeMetadataGenerator extends MetadataGenerator implements Ini
SAMLObjectBuilder<AttributeConsumingService> builder = (SAMLObjectBuilder<AttributeConsumingService>) builderFactory.getBuilder(AttributeConsumingService.DEFAULT_ELEMENT_NAME);
AttributeConsumingService consumer = builder.buildObject();
for (RequestedAttribute attr : requestedAttributes) {
for (RequestedAttribute attr : renderedAttributeMap.values()) {
consumer.getRequestAttributes().add(attr);
}
......
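Review bot: The two `setIsRequired` calls in the attribute-group merge dereference `group.getCheck()` directly, so a group whose `check` is missing or unrecognised fails with a NullPointerException that only surfaces through the generic catch — and if that catch is kept on the new side, its message still refers to the removed `[required, names, friendlyNames, nameFormats]` arrays and will mislead anyone debugging the YAML. Use the null-safe form `REQUIRED_ATTRIBUTE_CHECKLOGIC.AND.equals(group.getCheck())` in both places and reword the message to name the `requiredAttributes` configuration instead of array lengths. An attribute without a `name` is also silently keyed under `null` in `renderedAttributeMap` and emitted as a nameless RequestedAttribute, which the SAML metadata schema does not allow; rejecting it with a `SecurityConfigException` at the point of insertion keeps the generated metadata well-formed. Since this map is what `getAttributeConsumingService` renders (last hunk), a `LinkedHashMap` would preserve the configured attribute order in the published metadata, and that method iterates `renderedAttributeMap.values()` without the null guard `buildSPSSODescriptor` applies, so it should carry a comment that it is only valid after `afterPropertiesSet` has run with a non-null `requiredAttributes`.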
......@@ -82,22 +82,21 @@ auth:
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
value: foobar-service-agreement_version1.pdf
- stage: AUTHENTICATION
required: false
required: true
attributeGroup:
- check: OPTIONAL
- check: AND
attributes:
- friendlyName: eduPersonPrincipalName
name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
- stage: AUTHENTICATION
required: false
attributeGroup:
- check: OPTIONAL
attributes:
- friendlyName: mail
name: urn:oid:0.9.2342.19200300.100.1.3
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
- friendlyName: eduPersonEntitlement
name: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
- friendlyName: eduPersonScopedAffiliation
name: urn:oid:1.3.6.1.4.1.5923.1.1.1.9
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
- friendlyName: displayName
name: urn:oid:2.16.840.1.113730.3.1.241
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
\ No newline at end of file
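Review bot: If the reading of this section is right that `mail`, `eduPersonEntitlement` and `eduPersonScopedAffiliation` now sit in the single `check: AND` group of a stage marked `required: true`, each of them will be advertised with `isRequired="true"` in the SP metadata, because the generator derives the flag from the group check and the stage's required flag alone. That is a stronger statement than the previous `OPTIONAL` group made for these attributes, and an IdP that honours the RequestedAttribute `isRequired` flag may refuse to release the assertion when one of them is missing from the user record rather than release the rest. If only eduPersonPrincipalName is genuinely mandatory, keep the others in a separate `OPTIONAL` group; if all are mandatory, a comment on the stage saying so would help the next configuration edit.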
......@@ -73,10 +73,7 @@
<property name="nameID" value="#{'${auth.saml.sp.allowedNameIds:EMAIL,TRANSIENT,PERSISTENT,UNSPECIFIED,X509_SUBJECT}'.split(',')}" />
<property name="extendedMetadata" ref="localSpMetadata" />
<property name="attributeNames" value="${auth.saml.sp.attr.names:null}" />
<property name="attributeFriendlyNames" value="${auth.saml.sp.attr.friendlyNames:null}" />
<property name="attributeNameFormats" value="${auth.saml.sp.attr.nameFormats:null}" />
<property name="attributeRequired" value="${auth.saml.sp.attr.required:null}" />
<property name="requiredAttributes" ref="requiredAttributes" />
</bean>
</constructor-arg>
<constructor-arg ref="externalLocalSpMetadataConfigured" />
......