From 1abc84f8272049aee760e228330dbf01c7ec59b4 Mon Sep 17 00:00:00 2001
From: Pavel Vyskocil <Pavel.Vyskocil@cesnet.cz>
Date: Tue, 8 Apr 2025 15:07:29 +0200
Subject: [PATCH] feat: allow to disable appending and verifying acrs

---
 .../src/main/webapp/WEB-INF/user-context.xml | 3 +++
 .../src/main/webapp/WEB-INF/web-context.xml | 1 +
 .../cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java | 2 +-
 .../oidc/saml/PerunWebSSOProfileConsumerImpl.java | 12 +++++++++++-
 .../java/cz/muni/ics/oidc/saml/SamlProperties.java | 9 +++++++++
 5 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
index 7862afc1c..f5da60f3b 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@@ -75,7 +75,9 @@
 <prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
 <prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
 <prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
+<prop key="saml.acrs.appendAcrs">true</prop>
 <prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,https://refeds.org/profile/sfa</prop>
+<prop key="saml.acrs.verifyAuthnContext">true</prop>
 <prop key="saml.user.attrIdentifier">eppn</prop><!-- eppn|epuid|eptid|uid|uniqueIdentifier|perunUserId -->
 <prop key="saml.user.lookup">original_auth</prop><!-- original_auth|perun_user_id|static_ext_source -->
 <prop key="saml.static_ext_idp"/>
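Review bot: The two new keys carry no inline comment, unlike every neighbouring `<prop>` in this block, and they are the only place an operator will see what a value of `false` means before flipping a security check off. Document both on their own lines, e.g. `<prop key="saml.acrs.verifyAuthnContext">true</prop><!-- false: the AuthnContext returned by the IdP is no longer compared with the one requested; keep true unless the IdP is trusted to enforce requested ACRs itself -->` and `<prop key="saml.acrs.appendAcrs">true</prop><!-- false: saml.acrs.onlyreserved.append is not added when only reserved-prefix ACRs were requested -->`. These descriptions follow from the Java hunks in this patch; adjust the wording if the properties are consumed elsewhere as well.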
@@ -160,6 +162,7 @@ <property name="idpMetadataFile" value="${saml.idp.metadataLocation}"/> <property name="idpMetadataUrl" value="${saml.idp.metadataUrl}"/> <property name="acrReservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/> + <property name="appendAcrs" value="#{'${saml.acrs.appendAcrs}'}"/> <property name="acrsToBeAdded" value="#{'${saml.acrs.onlyreserved.append}'.split('\s*,\s*')}"/> <property name="userIdentifierAttribute" value="${saml.user.attrIdentifier}"/> <property name="userLookupMode" value="${saml.user.lookup}"/> diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml index 6738b4869..1275123c0 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml @@ -647,6 +647,7 @@ <bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl"> <property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/> <property name="maxAuthenticationAge" value="360"/> + <property name="verifyAuthnContext" value="#{'${saml.acrs.verifyAuthnContext}'}"/> </bean> <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/> diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java index 013cd6e65..f6842d774 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java 
@@ -306,7 +306,7 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint { } } - if (!hasNonReserved) { + if (!hasNonReserved && samlProperties.shouldAppendAcrs()) { List<String> toBeAdded = new LinkedList<>(Arrays.asList(samlProperties.getAcrsToBeAdded())); log.debug("NO ACR with non reserved prefix found, adding following: {}", toBeAdded); acrs.addAll(toBeAdded); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java index 4db683969..912c7653d 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java @@ -18,11 +18,19 @@ import java.util.stream.Collectors; public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl { private Set<String> reservedPrefixes; + private String verifyAuthnContext; + private boolean shouldVerifyAuthnContext; public void setReservedPrefixes(Set<String> reservedPrefixes) { this.reservedPrefixes = reservedPrefixes; } + public void setVerifyAuthnContext(String verifyAuthnContext) { + this.verifyAuthnContext = verifyAuthnContext; + this.shouldVerifyAuthnContext = Boolean.parseBoolean(verifyAuthnContext); + } + + @Override protected void verifyAuthenticationStatement(AuthnStatement auth, RequestedAuthnContext requestedAuthnContext, 
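Review bot: Adding `&& samlProperties.shouldAppendAcrs()` to the guard makes the branch silently disappear when appending is disabled, so the debug line that previously explained why ACRs were (or were not) added no longer fires and an operator debugging a missing `PasswordProtectedTransport`/`sfa` request has nothing in the log. Keep the outer `if (!hasNonReserved)` and put the flag on an inner `if`/`else` whose else branch logs e.g. `log.debug("NO ACR with non reserved prefix found, but appending is disabled by configuration (saml.acrs.appendAcrs=false)");`. The enclosing method starts and ends outside the hunk, so how `acrs` is used afterwards is not visible here.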
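Review bot: `shouldVerifyAuthnContext` is a plain `boolean` with no initializer, so any bean definition that omits the `verifyAuthnContext` property — or sets it to something `Boolean.parseBoolean` does not recognise, such as `"ture"` or `"yes"` — leaves it `false` and `super.verifyAuthnContext` is skipped: the toggle fails open. Initialize the field to `true` and have the setter reject anything other than `true`/`false`; the same lenient `Boolean.parseBoolean` (with a null → `false` result when the property was never set) appears in `SamlProperties.shouldAppendAcrs()` in the last hunk and deserves the same strictness. The `verifyAuthnContext` String field is written by the setter but, within this hunk, never read again, so it can be dropped if nothing else in the class uses it.

```java
    private Set<String> reservedPrefixes;
    // Fail closed: verification stays on unless configuration explicitly turns it off.
    private boolean shouldVerifyAuthnContext = true;

    // … unchanged: setReservedPrefixes …

    public void setVerifyAuthnContext(String verifyAuthnContext) {
        if (!"true".equalsIgnoreCase(verifyAuthnContext) && !"false".equalsIgnoreCase(verifyAuthnContext)) {
            throw new IllegalArgumentException(
                    "verifyAuthnContext must be 'true' or 'false', got: " + verifyAuthnContext);
        }
        this.shouldVerifyAuthnContext = Boolean.parseBoolean(verifyAuthnContext);
    }
```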
@@ -66,7 +74,9 @@ public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl { log.debug("No Requested AuthnContext(s)"); } log.debug("Received AuthnContext: {}", receivedContext.getAuthnContextClassRef().getAuthnContextClassRef()); - super.verifyAuthnContext(requestedAuthnContext, receivedContext, context); + if (shouldVerifyAuthnContext) { + super.verifyAuthnContext(requestedAuthnContext, receivedContext, context); + } } private boolean filterOutConditionsMet(RequestedAuthnContext requestedAuthnContext) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java index a25430a45..91bc2d717 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java @@ -36,6 +36,7 @@ public class SamlProperties implements InitializingBean { private String idpMetadataUrl; private String[] acrReservedPrefixes; private String[] acrsToBeAdded; + private String appendAcrs; private String userIdentifierAttribute; private String userLookupMode; private String staticUserExtSource; @@ -97,4 +98,12 @@ public class SamlProperties implements InitializingBean { } } + public void setAppendAcrs(String appendAcrs) { + this.appendAcrs = appendAcrs; + } + + public boolean shouldAppendAcrs() { + return Boolean.parseBoolean(appendAcrs); + } + } -- GitLab
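Review bot: When `shouldVerifyAuthnContext` is false the received context is accepted with no record that the comparison was bypassed; the preceding `log.debug("Received AuthnContext: ...")` still fires but reads the same whether the check ran or not, which makes a disabled check indistinguishable from a passed one in the logs. Add an else branch, e.g. `} else { log.debug("AuthnContext verification disabled by configuration, accepting received AuthnContext without comparing it to the requested one"); }` — `info` may be the better level if the deployment wants the bypass visible without debug logging. `verifyAuthenticationStatement` begins outside the hunk, so the null handling of `receivedContext` above this point is not visible here.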