diff --git a/perun-oidc-server-webapp/src/main/resources/logback.xml b/perun-oidc-server-webapp/src/main/resources/logback.xml
index 1e3ce72f09a0a1b4f050b7bf0da3ebf4de6c2ca6..aada621d62d4d62c7b25aff751f181aae1836f51 100644
--- a/perun-oidc-server-webapp/src/main/resources/logback.xml
+++ b/perun-oidc-server-webapp/src/main/resources/logback.xml
@@ -34,8 +34,16 @@
 <suffixPattern>${PATTERN_SYSLOG}</suffixPattern>
 </appender>
+ <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
+ <encoder>
+ <pattern>${PATTERN}</pattern>
+ <charset>UTF-8</charset>
+ </encoder>
+ </appender>
+
 <root level="${log.level}">
 <appender-ref ref="${log.to}"/>
+ <appender-ref ref="CONSOLE"/>
 <appender-ref ref="SENTRY"/>
 </root>
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
index 0cdac9e78a308b0460fe916f472447202a8da4f4..d823ea00892f6c5a854052d00cf72dde6126e673 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
@@ -341,4 +341,6 @@ public interface PerunAdapterMethods {
 PerunUser getPerunUser(Long userId);
+ Set<Long> getUserVoIds(Long userId);
+
 }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
index 489c124bb0951e2e8a0bbb55bce70cc636d2623d..33ecd0a2bbaf1de67da66ace9cae886c7b54668d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
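Review bot: The new CONSOLE appender is attached to root unconditionally next to `<appender-ref ref="${log.to}"/>`, so in any deployment where `log.to` already resolves to a console-type appender (its value is not visible in this hunk) every event is written twice, and there is no property that lets a syslog-only deployment turn stdout logging off. Since root runs at `${log.level}`, a DEBUG setting now also sends the full VO-id-to-affiliation configuration dump that the new claim source logs to stdout, which matters in container setups where stdout is shipped elsewhere. Consider selecting the second sink through a property with a documented default, e.g. `<appender-ref ref="${log.to.secondary}"/>` (name constructed), instead of hard-wiring CONSOLE.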
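Review bot: `getUserVoIds` is added to the interface without Javadoc, and the two implementations in this commit already disagree on its contract: PerunAdapterRpc keeps only members whose status is VALID, whereas PerunAdapterLdap returns every VO whose entry lists the user's DN as uniqueMember, which — if the directory also records expired or disabled members there (not visible on this page) — would let the LDAP path grant affiliations the RPC path withholds. The new VoBasedEdupersonScopedAffiliationsClaimSource documents the claim as requiring a valid member, so the interface should pin that down, e.g. `/** Returns the IDs of the VOs in which the user is currently a VALID member; empty when the backend is unavailable. @throws IllegalArgumentException if userId is null */`, and the LDAP hunk should then be checked against it. The same contract question applies to the PerunAdapterLdap and PerunAdapterRpc hunks below.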
@@ -414,4 +414,17 @@ public class PerunAdapterImpl extends PerunAdapter {
 }
 }
+ @Override
+ public Set<Long> getUserVoIds(Long userId) {
+ try {
+ return this.getAdapterPrimary().getUserVoIds(userId);
+ } catch (UnsupportedOperationException e) {
+ if (this.isCallFallback()) {
+ return this.getAdapterFallback().getUserVoIds(userId);
+ } else {
+ throw e;
+ }
+ }
+ }
+
 }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
index 5216f099de5e8497f84a34dc5bfdb122606f848c..ba6b673e17f0f33c0968a48274f08568c260bc05 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
@@ -531,6 +531,28 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
 return getPerunUser(filter);
 }
+ @Override
+ public Set<Long> getUserVoIds(Long userId) {
+ if (userId == null) {
+ throw new IllegalArgumentException("No userId");
+ }
+ SearchScope scope = SearchScope.ONELEVEL;
+ final String[] attributes = {PERUN_VO_ID};
+
+ String uniqueMember = getDnPrefixForUserId(userId) + ',' + this.connectorLdap.getBaseDN();
+ FilterBuilder filter = and(equal(UNIQUE_MEMBER, uniqueMember), equal(OBJECT_CLASS, PERUN_VO));
+ EntryMapper<Long> mapper = e -> {
+ if (!checkHasAttributes(e, attributes)) {
+ return null;
+ }
+
+ return Long.valueOf(e.get(PERUN_VO_ID).getString());
+ };
+
+ List<Long> voIds = connectorLdap.search(null, filter, scope, attributes, mapper);
+ return voIds.stream().filter(Objects::nonNull).collect(Collectors.toSet());
+ }
+
 private PerunUser getPerunUser(FilterBuilder filter) {
 SearchScope scope = SearchScope.ONELEVEL;
 String[] attributes = new String[]{PERUN_USER_ID, GIVEN_NAME, SN};
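Review bot: In the PerunAdapterLdap hunk the mapper returns null for any VO entry that lacks PERUN_VO_ID and the nulls are then dropped by `filter(Objects::nonNull)` without a trace, so a VO with a missing attribute silently disappears from the user's affiliations, while a non-numeric attribute value makes `Long.valueOf(...)` throw NumberFormatException and aborts the whole lookup (and the claim with it). Log the skipped entry before `return null;` (the class's logger is not visible in this hunk) and catch NumberFormatException inside the mapper so one malformed directory entry does not fail every VO. The `userId == null` guard sits before the DN is built, which is good; since userId is a Long the uniqueMember value cannot carry filter metacharacters.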
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
index 4f50438203a56101db29c2c9f48f6ae8a6741493..68be610d78885e878a27c757aed4819c5b5f0777 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
@@ -950,6 +950,23 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 return RpcMapper.mapPerunUser(response);
 }
+ @Override
+ public Set<Long> getUserVoIds(Long userId) {
+ if (!this.connectorRpc.isEnabled()) {
+ return Collections.emptySet();
+ } else if (userId == null) {
+ throw new IllegalArgumentException("No userId");
+ }
+ List<Member> members = getMembersByUser(userId);
+ Set<Long> voIds = new HashSet<>();
+ for (Member member: members) {
+ if (VALID == member.getStatus()) {
+ voIds.add(member.getVoId());
+ }
+ }
+ return voIds;
+ }
+
 private Member getMemberByUser(Long userId, Long voId) {
 if (!this.connectorRpc.isEnabled()) {
 return null;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/VoBasedEdupersonScopedAffiliationsClaimSource.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/VoBasedEdupersonScopedAffiliationsClaimSource.java
new file mode 100644
index 0000000000000000000000000000000000000000..262e77d78aa84eb561b6e0e29344b2bf901635c4
--- /dev/null
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/VoBasedEdupersonScopedAffiliationsClaimSource.java
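Review bot: When the RPC connector is disabled, `getUserVoIds` returns `Collections.emptySet()` instead of throwing UnsupportedOperationException, so PerunAdapterImpl.getUserVoIds (earlier hunk) never consults the fallback adapter in that configuration and the claim source quietly produces no affiliations for the user. This mirrors `getMemberByUser` directly below, which returns null in the same case, so it may well be the established convention; if so, a one-line comment on the early return, e.g. `// disabled connector yields an empty result; the fallback adapter is not triggered from here`, would keep the next reader from assuming the fallback applies. `getMembersByUser` is defined outside the hunk, so whether it can itself return null (which would NPE in the for loop) cannot be confirmed here.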
@@ -0,0 +1,155 @@
+package cz.muni.ics.oidc.server.claims.sources;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.JsonNodeFactory;
+import com.fasterxml.jackson.dataformat.yaml.YAMLMapper;
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
+import cz.muni.ics.oidc.server.claims.ClaimSource;
+import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext;
+import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.util.StringUtils;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Claim source for generating affiliation values based on VO membership(s).
+ *
+ * Configuration (replace [claimName] with the name of the claim):
+ * <ul>
+ * <li>
+ * <b>custom.claim.[claimName].source.valueMap</b> - Mapping of voIds to affiliation values. Has to be specified
+ * in a format 'voId:aff,aff|voId:aff,aff', where 'voId' is an ID of the VO and 'aff' is the value of an
+ * affiliation to be added to the output if the user is a valid member of the respective VO with the specified
+ * identifier.
+ * </li>
+ * </ul>
+ *
+ * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
+ */
+@Slf4j
+public class VoBasedEdupersonScopedAffiliationsClaimSource extends ClaimSource {
+
+ private final Pattern epsaPattern = Pattern.compile(
+ "(member|student|faculty|staff|alum|affiliate|unknown|library-walk-in)@.+"
+ );
+
+ private static final String KEY_VALUE_MAP = "valueMap";
+
+ private final Map<Long, Set<String>> voIdValuesMap = new HashMap<>();
+
+ public VoBasedEdupersonScopedAffiliationsClaimSource(ClaimSourceInitContext ctx) {
+ super(ctx);
+ String valueMapProp = ctx.getProperty(KEY_VALUE_MAP, null);
+ if (!StringUtils.hasText(valueMapProp)) {
+ throw new ConfigurationException("Invalid configuration for claim " + getClaimName() + ": valueMap must be provided");
+ }
+ voIdValuesMap.putAll(parseValueMap(valueMapProp));
+ log.debug("{} - voIdAffiliationsMap: '{}'", getClaimName(), voIdValuesMap);
+ }
+
+ @Override
+ public Set<String> getAttrIdentifiers() {
+ return Collections.emptySet();
+ }
+
+ @Override
+ public JsonNode produceValue(ClaimSourceProduceContext pctx) {
+ Long userId = pctx.getPerunUserId();
+ Set<String> userAffiliations = new HashSet<>();
+ Set<Long> userVoIds = pctx.getPerunAdapter().getUserVoIds(userId);
+ for (Long userVoId: userVoIds) {
+ Set<String> affiliationsToBeAdded = voIdValuesMap.getOrDefault(userVoId, new HashSet<>());
+ if (!affiliationsToBeAdded.isEmpty()) {
+ log.trace("{} - added affiliations '{}' due to membership in vo '{}'",
+ getClaimName(), affiliationsToBeAdded, userVoId);
+ userAffiliations.addAll(affiliationsToBeAdded);
+ }
+ }
+ ArrayNode result = JsonNodeFactory.instance.arrayNode();
+ for (String affiliation : userAffiliations) {
+ result.add(affiliation);
+ }
+
+ log.debug("{} - produced value for user({}): '{}'", getClaimName(), userId, result);
+ return result;
+ }
+
+ private Map<Long, Set<String>> parseValueMap(String valueMapProp) {
+ String[] valueMapParts = valueMapProp.split("\\|");
+ if (valueMapParts.length == 0) {
+ throw getConfigurationException(
+ "Could not parse valueMap property. Needs to be in format voId1:aff1,aff2|voId2:aff3"
+ );
+ }
+ for (String idValue: valueMapParts) {
+ if (!StringUtils.hasText(idValue)) {
+ throw getConfigurationException(
+ "Could not parse id and affiliations mapping, empty String encountered"
+ );
+ }
+ String[] idValueParts = idValue.split(":");
+ if (idValueParts.length != 2) {
+ throw getConfigurationException(
+ "Could not parse id and affiliations mapping. Needs to be in format voId:aff1,aff2"
+ );
+ }
+ long voId;
+ try {
+ voId = Long.parseLong(idValueParts[0]);
+ } catch (NumberFormatException ex) {
+ throw getConfigurationException("Could not parse VO id out of subcomponent " + idValue, ex);
+ }
+ Set<String> voAffiliations = parseAffiliations(idValueParts[1]);
+ if (voAffiliations.isEmpty()) {
+ throw getConfigurationException("No affiliation values found for voId " + voId);
+ }
+ voIdValuesMap.put(voId, voAffiliations);
+ }
+ return voIdValuesMap;
+ }
+
+ private Set<String> parseAffiliations(String idValuePart) {
+ String[] affiliations = idValuePart.split(",");
+ Set<String> resolvedAffiliations = new HashSet<>();
+ for (String affiliation : affiliations) {
+ if (!epsaPattern.matcher(affiliation).matches()) {
+ throw getConfigurationException(
+ "Value '" + affiliation + "' is not a valid eduPersonScopedAffiliation value"
+ );
+ }
+ resolvedAffiliations.add(affiliation);
+ }
+ return resolvedAffiliations;
+ }
+
+ private ConfigurationException getConfigurationException(String message) {
+ return getConfigurationException(message, null);
+ }
+
+ private ConfigurationException getConfigurationException(String message, Throwable cause) {
+ StringBuilder fullMessage = new StringBuilder();
+ fullMessage.append("Invalid configuration for claim ").append(getClaimName());
+ if (StringUtils.hasText(message)) {
+ fullMessage.append(": ").append(message);
+ }
+
+ if (cause != null) {
+ throw new ConfigurationException(fullMessage.toString(), cause);
+ } else {
+ throw new ConfigurationException(fullMessage.toString());
+ }
+ }
+
+}
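Review bot: Both `getConfigurationException` overloads declare a ConfigurationException return type, but the two-argument one throws instead of returning, so every `throw getConfigurationException(...)` call site never actually receives a value and the signature misleads the reader; change the two lines at the end of that method to `return new ConfigurationException(fullMessage.toString(), cause);` and `return new ConfigurationException(fullMessage.toString());`. `parseValueMap` also writes straight into the `voIdValuesMap` field and then returns it, so the constructor's `voIdValuesMap.putAll(parseValueMap(valueMapProp))` merges the map into itself — build a local map inside `parseValueMap` or drop the `putAll`. The `valueMapParts.length == 0` branch is unreachable, because `split` on the non-blank string that `hasText` already admitted yields at least one element, and the per-element `hasText` check below covers the empty case anyway. Finally, `YAMLMapper`, `File`, `IOException`, `ArrayList`, `List` and `Matcher` are imported but unused, and `voIdValuesMap.getOrDefault(userVoId, new HashSet<>())` allocates a set per iteration where `Collections.emptySet()` would do.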