Commit ac49110f authored by Gradl, Tobias's avatar Gradl, Tobias
Browse files

720: Implement attribute checker

Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=720
parent 591c79de
......@@ -7,8 +7,13 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.SAMLCredential;
import eu.dariah.de.dariahsp.Constants.AUTHENTICATION_STAGE;
import eu.dariah.de.dariahsp.Constants.REQUIRED_ATTRIBUTE_CHECKLOGIC;
import eu.dariah.de.dariahsp.saml.SAMLAttribute;
import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLAttributeGroup;
import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLAttributeQueryExclusionOptions;
import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLAttributeQueryOptions;
import eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributes;
public class SAMLAttributeAggregationService {
......@@ -42,8 +47,8 @@ public class SAMLAttributeAggregationService {
if (queryOptions.getExclusionOptions()!=null) {
for (SAMLAttributeQueryExclusionOptions exOpt : queryOptions.getExclusionOptions()) {
if (exOpt.getExcludedEndpoints().contains(credential.getRemoteEntityID())) {
if (exOpt.isAssumeRequiredAttributes() || hasAllReqAttributes(credential.getAttributes())) {
if (exOpt.getExcludedEndpoints()!=null && exOpt.getExcludedEndpoints().contains(credential.getRemoteEntityID())) {
if (exOpt.isAssumeRequiredAttributes() || hasAllReqAttributes(credential.getAttributes(), AUTHENTICATION_STAGE.ATTRIBUTES)) {
queryRequired = false;
}
break;
......@@ -51,39 +56,75 @@ public class SAMLAttributeAggregationService {
}
}
this.logAttributes(credential.getAttributes(), " attribute(s) presented for credential ");
if (queryRequired) {
try {
aggregateAttributes(credential, attributeQuery.queryAttributes(credential, queryOptions));
List<Attribute> queryReturnedAttributes = attributeQuery.queryAttributes(credential, queryOptions);;
this.logAttributes(queryReturnedAttributes, " attribute(s) resolved by attribute query ");
aggregateAttributes(credential, queryReturnedAttributes);
} catch (Exception e) {
logger.error("An exception occured while attempting to permorm attribute query", e);
}
}
}
public boolean hasAllReqAttributes(List<Attribute> providedAttributes) {
// Some shortcuts...
private void logAttributes(List<Attribute> attributes, String message) {
if (logger.isDebugEnabled()) {
StringBuilder attrs = new StringBuilder();
attrs.append((attributes==null ? 0 : attributes.size()) + message);
if (attributes!=null) {
for (Attribute a : attributes) {
attrs.append(a.getName()).append(" (").append(a.getFriendlyName()).append("): ");
}
}
logger.debug(attrs.toString());
}
}
public boolean hasAllReqAttributes(List<Attribute> providedAttributes, AUTHENTICATION_STAGE stage) {
if (queryOptions.getRequiredAttributesList() == null || queryOptions.getRequiredAttributesList().size()==0) {
return true;
} else if (providedAttributes == null) {
return false;
} else if (queryOptions.getRequiredAttributesList().size() > providedAttributes.size()) {
return false;
}
// Really checking individual attributes
/*for (String reqAttr : queryOptions.getRequiredAttributes()) {
boolean found = false;
for (Attribute attr : providedAttributes) {
if (attr.getFriendlyName().equals(reqAttr) || attr.getName().equals(reqAttr)) {
found = true;
break;
List<SAMLRequiredAttributes> requiredAttributes = queryOptions.getRequiredAttributesList().getForStage(stage, true);
if (requiredAttributes==null || requiredAttributes.size()==0) {
return true;
}
for (SAMLRequiredAttributes attrs : requiredAttributes) {
if (attrs.getAttributeGroup()!=null) {
for (SAMLAttributeGroup attrGroup : attrs.getAttributeGroup()) {
boolean orMatch = false;
if (attrGroup.getAttributes()!=null) {
for (SAMLAttribute reqAttr : attrGroup.getAttributes()) {
boolean found = false;
for (Attribute attr : providedAttributes) {
if (attr.getNameFormat().equals(reqAttr.getNameFormat()) && attr.getName().equals(reqAttr.getName())) {
found = true;
orMatch = true;
break;
}
}
if (!found && attrGroup.getCheck().equals(REQUIRED_ATTRIBUTE_CHECKLOGIC.AND)) {
return false;
}
if (orMatch && attrGroup.getCheck().equals(REQUIRED_ATTRIBUTE_CHECKLOGIC.OR)) {
break;
}
}
}
if (!orMatch && attrGroup.getCheck().equals(REQUIRED_ATTRIBUTE_CHECKLOGIC.OR)) {
return false;
}
}
}
if (!found) {
return false;
}
}*/
}
return true;
}
......
......@@ -269,18 +269,7 @@ public class SAMLAttributeQueryImpl extends WebSSOProfileConsumerImpl implements
if (nameId == null) {
logger.debug("NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration");
throw new SAMLException("NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration");
}
if (logger.isInfoEnabled()) {
StringBuilder stbAttributes = new StringBuilder();
stbAttributes.append("Received the following attributes (at authentication) for " + nameId.getValue() +"\n");
for (Attribute attr : attributes) {
stbAttributes.append(String.format("- %s; %s; %s\n",attr.getName(), attr.getFriendlyName(), attr.getNameFormat()));
}
logger.info(stbAttributes.toString());
}
}
return attributes;
}
......
package eu.dariah.de.dariahsp.saml.attributequery.options;
import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.fasterxml.jackson.databind.ObjectMapper;
import eu.dariah.de.dariahsp.Constants.AUTHENTICATION_STAGE;
public class SAMLRequiredAttributesList {
private SAMLRequiredAttributes[] requiredAttributes;
protected static final Logger logger = LoggerFactory.getLogger(SAMLRequiredAttributesList.class);
private final SAMLRequiredAttributes[] requiredAttributes;
public SAMLRequiredAttributes[] getRequiredAttributes() { return requiredAttributes; }
public void setRequiredAttributes(SAMLRequiredAttributes[] requiredAttributes) { this.requiredAttributes = requiredAttributes; }
public SAMLRequiredAttributesList() {}
public SAMLRequiredAttributesList(ObjectMapper objectMapper, String strRequiredAttributes) {
public SAMLRequiredAttributesList(ObjectMapper objectMapper, String strRequiredAttributes) throws Exception {
try {
Object lolo = objectMapper.readValue(strRequiredAttributes, SAMLRequiredAttributes[].class);;
"aa".toString();
requiredAttributes = objectMapper.readValue(strRequiredAttributes, SAMLRequiredAttributes[].class);
} catch (Exception e) {
"aa".toString();
logger.error("Failed to deserialize required attributes from configuration", e);
throw e;
}
"aa".toString();
}
public List<SAMLRequiredAttributes> getForStage(AUTHENTICATION_STAGE stage, boolean requiredOnly) {
if (stage==null || this.size()==0) {
return null;
}
List<SAMLRequiredAttributes> result = new ArrayList<SAMLRequiredAttributes>();
for (int i=0; i<requiredAttributes.length; i++) {
if (requiredAttributes[i].getStage().equals(stage) && (!requiredOnly || requiredAttributes[i].isRequired())) {
result.add(requiredAttributes[i]);
}
}
return result;
}
public int size() {
return requiredAttributes.length;
return requiredAttributes==null ? 0 : requiredAttributes.length;
}
}
......@@ -44,7 +44,7 @@ auth:
enabled: true
excludedEndpoints:
urls: ["https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth", "https://idp.de.dariah.eu/idp/shibboleth"]
assumeAttributesComplete: true
assumeAttributesComplete: false
queryIdp: https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth
queryByNameID: false
queryAttribute:
......
......@@ -41,8 +41,8 @@
</logger> -->
<!-- SAML messages -->
<logger name="PROTOCOL_MESSAGE">
<!-- <logger name="PROTOCOL_MESSAGE">
<level value="debug" />
</logger>
</logger> -->
</configuration>
\ No newline at end of file
......@@ -213,43 +213,18 @@
<list>
<bean class="eu.dariah.de.dariahsp.saml.attributequery.options.SAMLAttributeQueryExclusionOptions">
<property name="assumeRequiredAttributes" value="${auth.saml.sp.attributeQuery.excludedEndpoints.assumeAttributesComplete:false}" />
<property name="excludedEndpoints" value="${auth.saml.sp.attributeQuery.excludedEndpoints.url:#{null}}" />
<property name="excludedEndpoints" value="${auth.saml.sp.attributeQuery.excludedEndpoints.urls:#{null}}" />
</bean>
</list>
</property>
<property name="requiredAttributesList" ref="requiredAttributes" />
</bean>
<bean id="requiredAttributesList" class="eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributesList">
<bean id="requiredAttributes" class="eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributesList">
<constructor-arg ref="objectMapper" />
<constructor-arg value="${auth.saml.sp.requiredAttributes:#{null}}" />
</bean>
<util:list id="requiredAttributes" value-type="eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributes">
<!-- <bean class="eu.dariah.de.dariahsp.saml.attributequery.options.SAMLRequiredAttributes">
<property name="stage" value="ATTRIBUTES" />
<property name="required" value="true" />
<property name="attributeMap">
<map>
<entry key="AND">
<list value-type="eu.dariah.de.dariahsp.saml.SAMLAttribute">
<bean class="eu.dariah.de.dariahsp.saml.SAMLAttribute">
<property name="friendlyName" value="eduPersonPrincipalName" />
<property name="name" value="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" />
<property name="nameFormat" value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
</bean>
</list>
</entry>
</map>
</property>
</bean> -->
</util:list>
<bean id="attributeQuery" class="eu.dariah.de.dariahsp.saml.attributequery.SAMLAttributeQueryImpl">
<constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient" />
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment