feat: allow to disable appending and verifying acrs

1abc84f8 · Pavel Vyskočil · 60ee1db7 · 1abc84f8 · 1abc84f8 · 1abc84f8
Verified Commit 1abc84f8 authored 2 months ago by Pavel Vyskočil
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@@ -75,7 +75,9 @@
 				<prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
 				<prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
 				<prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
+				<prop key="saml.acrs.appendAcrs">true</prop>
 				<prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,https://refeds.org/profile/sfa</prop>
+				<prop key="saml.acrs.verifyAuthnContext">true</prop>
 				<prop key="saml.user.attrIdentifier">eppn</prop><!-- eppn|epuid|eptid|uid|uniqueIdentifier|perunUserId -->
 				<prop key="saml.user.lookup">original_auth</prop><!-- original_auth|perun_user_id|static_ext_source -->
 				<prop key="saml.static_ext_idp"/>
@@ -160,6 +162,7 @@
 		<property name="idpMetadataFile" value="${saml.idp.metadataLocation}"/>
 		<property name="idpMetadataUrl" value="${saml.idp.metadataUrl}"/>
 		<property name="acrReservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
+		<property name="appendAcrs" value="#{'${saml.acrs.appendAcrs}'}"/>
 		<property name="acrsToBeAdded" value="#{'${saml.acrs.onlyreserved.append}'.split('\s*,\s*')}"/>
 		<property name="userIdentifierAttribute" value="${saml.user.attrIdentifier}"/>
 		<property name="userLookupMode" value="${saml.user.lookup}"/>

--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -647,6 +647,7 @@
    <bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
        <property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
        <property name="maxAuthenticationAge" value="360"/>
+        <property name="verifyAuthnContext" value="#{'${saml.acrs.verifyAuthnContext}'}"/>
        </bean>

    <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
@@ -306,7 +306,7 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
            }
        }

-        if (!hasNonReserved) {
+        if (!hasNonReserved && samlProperties.shouldAppendAcrs()) {
            List<String> toBeAdded = new LinkedList<>(Arrays.asList(samlProperties.getAcrsToBeAdded()));
            log.debug("NO ACR with non reserved prefix found, adding following: {}", toBeAdded);
            acrs.addAll(toBeAdded);

--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java
@@ -18,11 +18,19 @@ import java.util.stream.Collectors;
 public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl {

    private Set<String> reservedPrefixes;
+    private String verifyAuthnContext;
+    private boolean shouldVerifyAuthnContext;

   public void setReservedPrefixes(Set<String> reservedPrefixes) {
        this.reservedPrefixes = reservedPrefixes;
    }

+    public void setVerifyAuthnContext(String verifyAuthnContext) {
+       this.verifyAuthnContext = verifyAuthnContext;
+       this.shouldVerifyAuthnContext = Boolean.parseBoolean(verifyAuthnContext);
+    }
+
+
    @Override
    protected void verifyAuthenticationStatement(AuthnStatement auth,
                                                 RequestedAuthnContext requestedAuthnContext,
@@ -66,7 +74,9 @@ public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl {
            log.debug("No Requested AuthnContext(s)");
        }
        log.debug("Received AuthnContext: {}", receivedContext.getAuthnContextClassRef().getAuthnContextClassRef());
-        super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);
+        if (shouldVerifyAuthnContext) {
+            super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);
+        }
    }

    private boolean filterOutConditionsMet(RequestedAuthnContext requestedAuthnContext) {

--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java
@@ -36,6 +36,7 @@ public class SamlProperties implements InitializingBean {
    private String idpMetadataUrl;
    private String[] acrReservedPrefixes;
    private String[] acrsToBeAdded;
+    private String appendAcrs;
    private String userIdentifierAttribute;
    private String userLookupMode;
    private String staticUserExtSource;
@@ -97,4 +98,12 @@ public class SamlProperties implements InitializingBean {
        }
    }

+    public void setAppendAcrs(String appendAcrs) {
+        this.appendAcrs = appendAcrs;
+    }
+
+    public boolean shouldAppendAcrs() {
+        return Boolean.parseBoolean(appendAcrs);
+    }
+
 }