729: Produce metadata based on defined attributes

Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=729

729: Produce metadata based on defined attributes
Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=729
63c7c8d9 · Gradl, Tobias · a58e9bce · 63c7c8d9 · 63c7c8d9 · 63c7c8d9
Commit 63c7c8d9 authored Apr 20, 2017 by Gradl, Tobias
--- a/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/saml/metadata/AttributeMetadataGenerator.java
+++ b/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/saml/metadata/AttributeMetadataGenerator.java
@@ -2,7 +2,9 @@ package eu.dariah.de.dariahsp.saml.metadata;

 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;

 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.saml2.metadata.AttributeConsumingService;
@@ -11,53 +13,54 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.saml.metadata.MetadataGenerator;

-import eu.dariah.de.dariahsp.exceptions.SecurityConfigException;
+import eu.dariah.de.dariahsp.Constants.AUTHENTICATION_STAGE;
+import eu.dariah.de.dariahsp.Constants.REQUIRED_ATTRIBUTE_CHECKLOGIC;
+import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLAttributeGroup;
+import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributes;
+import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributesList;
+import eu.dariah.de.dariahsp.saml.model.SAMLAttribute;

 public class AttributeMetadataGenerator extends MetadataGenerator implements InitializingBean {
-	
-	private String[] attributeNames;
-	private String[] attributeFriendlyNames;
-	private String[] attributeNameFormats;
-	private String[] attributeRequired;
-	
-	private List<RequestedAttribute> requestedAttributes;
-	
-	
-	public String[] getAttributeNames() { return attributeNames; }
-	public void setAttributeNames(String[] attributeNames) { this.attributeNames = attributeNames; }

-	public String[] getAttributeFriendlyNames() { return attributeFriendlyNames; }
-	public void setAttributeFriendlyNames(String[] attributeFriendlyNames) { this.attributeFriendlyNames = attributeFriendlyNames; }
-
-	public String[] getAttributeNameFormats() { return attributeNameFormats; }
-	public void setAttributeNameFormats(String[] attributeNameFormats) { this.attributeNameFormats = attributeNameFormats; }
+	private SAMLRequiredAttributesList requiredAttributes;
+	private Map<String, RequestedAttribute> renderedAttributeMap;
 	
-	public String[] getAttributeRequired() { return attributeRequired; }
-	public void setAttributeRequired(String[] attributeRequired) { this.attributeRequired = attributeRequired; }
 	
+	public SAMLRequiredAttributesList getRequiredAttributes() { return requiredAttributes; }
+	public void setRequiredAttributes(SAMLRequiredAttributesList requiredAttributes) { this.requiredAttributes = requiredAttributes; }
+
 	
 	@Override
 	public void afterPropertiesSet() throws Exception {
-		if (attributeRequired!=null || attributeNames!=null || attributeFriendlyNames!=null || attributeNameFormats!=null) {
-			try {
-				if (attributeRequired.length!=attributeNames.length && attributeNames.length!=attributeFriendlyNames.length &&
-						attributeFriendlyNames.length!=attributeNameFormats.length) {
-					throw new SecurityConfigException("Array lengths do not match");
-				}
-				requestedAttributes = new ArrayList<RequestedAttribute>();
-				
+		if (requiredAttributes!=null) {
+			
+			List<SAMLRequiredAttributes> authAttributes = requiredAttributes.getForStage(AUTHENTICATION_STAGE.AUTHENTICATION, false);
+			if (authAttributes!=null) {
 				SAMLObjectBuilder<RequestedAttribute> attrbuilder = (SAMLObjectBuilder<RequestedAttribute>) builderFactory.getBuilder(RequestedAttribute.DEFAULT_ELEMENT_NAME);
 				RequestedAttribute attr;
-				for (int i=0; i<attributeRequired.length; i++) {
-					attr = attrbuilder.buildObject();
-			        attr.setIsRequired(Boolean.parseBoolean(attributeRequired[i].trim()));
-			        attr.setNameFormat(attributeNameFormats[i].trim());
-			        attr.setName(attributeNames[i].trim());
-			        attr.setFriendlyName(attributeFriendlyNames[i].trim());
-			        requestedAttributes.add(attr);
+				renderedAttributeMap = new HashMap<String, RequestedAttribute>();
+				for (SAMLRequiredAttributes authAttribute : authAttributes) {
+					if (authAttribute.getAttributeGroup()!=null) {
+						for (SAMLAttributeGroup group : authAttribute.getAttributeGroup()) {
+							if (group.getAttributes()!=null) {
+								for (SAMLAttribute attribute : group.getAttributes()) {
+									if (renderedAttributeMap.containsKey(attribute.getName())) {
+										attr = renderedAttributeMap.get(attribute.getName());
+										attr.setIsRequired(attr.isRequired() || (group.getCheck().equals(REQUIRED_ATTRIBUTE_CHECKLOGIC.AND) && authAttribute.isRequired()));
+									} else {
+										attr = attrbuilder.buildObject();
+								        attr.setIsRequired(group.getCheck().equals(REQUIRED_ATTRIBUTE_CHECKLOGIC.AND) && authAttribute.isRequired());
+								        attr.setNameFormat(attribute.getNameFormat());
+								        attr.setName(attribute.getName());
+								        attr.setFriendlyName(attribute.getFriendlyName());
+								        
+								        renderedAttributeMap.put(attr.getName(), attr);
+									}
+								}
+							}
+						}
+					}
 				}
-			} catch (Exception e) {
-				throw new SecurityConfigException("Failed to determine requested attributes specified. Numbers of arguments [required, names, friendlyNames, nameFormats] must match", e);
 			}
 		}
 	}
@@ -65,7 +68,7 @@ public class AttributeMetadataGenerator extends MetadataGenerator implements Ini
 	@Override
 	protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection<String> includedNameID) {
 		SPSSODescriptor spDescriptor = super.buildSPSSODescriptor(entityBaseURL, entityAlias, requestSigned, wantAssertionSigned, includedNameID);
-		if (this.requestedAttributes!=null && !this.requestedAttributes.isEmpty()) {
+		if (this.renderedAttributeMap!=null && !this.renderedAttributeMap.isEmpty()) {
 			spDescriptor.getAttributeConsumingServices().add(getAttributeConsumingService(entityBaseURL, entityAlias, true, 1));
 		}
        return spDescriptor;
@@ -87,7 +90,7 @@ public class AttributeMetadataGenerator extends MetadataGenerator implements Ini
        SAMLObjectBuilder<AttributeConsumingService> builder = (SAMLObjectBuilder<AttributeConsumingService>) builderFactory.getBuilder(AttributeConsumingService.DEFAULT_ELEMENT_NAME);
        AttributeConsumingService consumer = builder.buildObject();
        
-        for (RequestedAttribute attr : requestedAttributes) {
+        for (RequestedAttribute attr : renderedAttributeMap.values()) {
        	consumer.getRequestAttributes().add(attr);
        }
        

--- a/dariahsp-sample/src/main/resources/dariahsp.yml
+++ b/dariahsp-sample/src/main/resources/dariahsp.yml
@@ -82,22 +82,21 @@ auth:
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                  value: foobar-service-agreement_version1.pdf     
        - stage: AUTHENTICATION
-          required: false
+          required: true
          attributeGroup:
-            - check: OPTIONAL
+            - check: AND
              attributes:
                - friendlyName: eduPersonPrincipalName
                  name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+        - stage: AUTHENTICATION
+          required: false
+          attributeGroup:
+            - check: OPTIONAL
+              attributes:
                - friendlyName: mail
                  name: urn:oid:0.9.2342.19200300.100.1.3
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
-                - friendlyName: eduPersonEntitlement
-                  name: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
-                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
-                - friendlyName: eduPersonScopedAffiliation
-                  name: urn:oid:1.3.6.1.4.1.5923.1.1.1.9
-                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                - friendlyName: displayName
                  name: urn:oid:2.16.840.1.113730.3.1.241
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
\ No newline at end of file
--- a/dariahsp-sample/src/main/resources/spring/security/security-context-saml.xml
+++ b/dariahsp-sample/src/main/resources/spring/security/security-context-saml.xml
@@ -73,10 +73,7 @@
            	<property name="nameID" value="#{'${auth.saml.sp.allowedNameIds:EMAIL,TRANSIENT,PERSISTENT,UNSPECIFIED,X509_SUBJECT}'.split(',')}" />
                <property name="extendedMetadata" ref="localSpMetadata" />
                
-                <property name="attributeNames" value="${auth.saml.sp.attr.names:null}" />
-                <property name="attributeFriendlyNames" value="${auth.saml.sp.attr.friendlyNames:null}" />
-                <property name="attributeNameFormats" value="${auth.saml.sp.attr.nameFormats:null}" />
-                <property name="attributeRequired" value="${auth.saml.sp.attr.required:null}" />
+                <property name="requiredAttributes" ref="requiredAttributes" />
            </bean>
        </constructor-arg>
        <constructor-arg ref="externalLocalSpMetadataConfigured" />