From 1abc84f8272049aee760e228330dbf01c7ec59b4 Mon Sep 17 00:00:00 2001
From: Pavel Vyskocil <Pavel.Vyskocil@cesnet.cz>
Date: Tue, 8 Apr 2025 15:07:29 +0200
Subject: [PATCH] feat: allow to disable appending and verifying acrs

---
 .../src/main/webapp/WEB-INF/user-context.xml         |  3 +++
 .../src/main/webapp/WEB-INF/web-context.xml          |  1 +
 .../cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java   |  2 +-
 .../oidc/saml/PerunWebSSOProfileConsumerImpl.java    | 12 +++++++++++-
 .../java/cz/muni/ics/oidc/saml/SamlProperties.java   |  9 +++++++++
 5 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
index 7862afc1c..f5da60f3b 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@@ -75,7 +75,9 @@
 				<prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
 				<prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
 				<prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
+				<prop key="saml.acrs.appendAcrs">true</prop>
 				<prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,https://refeds.org/profile/sfa</prop>
+				<prop key="saml.acrs.verifyAuthnContext">true</prop>
 				<prop key="saml.user.attrIdentifier">eppn</prop><!-- eppn|epuid|eptid|uid|uniqueIdentifier|perunUserId -->
 				<prop key="saml.user.lookup">original_auth</prop><!-- original_auth|perun_user_id|static_ext_source -->
 				<prop key="saml.static_ext_idp"/>
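Review bot: The two new switches on the `saml.acrs.appendAcrs` and `saml.acrs.verifyAuthnContext` lines carry no comment, unlike the neighbouring keys, and `verifyAuthnContext` in particular relaxes a security check whose consequence an operator cannot see from the property name. As far as the Java side of this patch shows, `false` makes the consumer accept the IdP's AuthnContext without comparing it to the RequestedAuthnContext, so an RP asking for a stronger context via acr_values can be handed a session authenticated with something weaker. I would add `<!-- false: accept the IdP's AuthnContext without checking it against the requested ACRs; keep true unless the IdP cannot honour RequestedAuthnContext -->` on the verify line and `<!-- false: do not add the fallback ACRs below when the request only carries reserved-prefix ACRs -->` on the append line.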
@@ -160,6 +162,7 @@
 		<property name="idpMetadataFile" value="${saml.idp.metadataLocation}"/>
 		<property name="idpMetadataUrl" value="${saml.idp.metadataUrl}"/>
 		<property name="acrReservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
+		<property name="appendAcrs" value="#{'${saml.acrs.appendAcrs}'}"/>
 		<property name="acrsToBeAdded" value="#{'${saml.acrs.onlyreserved.append}'.split('\s*,\s*')}"/>
 		<property name="userIdentifierAttribute" value="${saml.user.attrIdentifier}"/>
 		<property name="userLookupMode" value="${saml.user.lookup}"/>
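Review bot: The SpEL wrapper on the new `appendAcrs` line does nothing: `#{'${saml.acrs.appendAcrs}'}` evaluates to the same string as the plain placeholder, and the setter takes a String. The neighbouring lines use `#{...}` only because they call `.split(...)`, so for consistency with `idpMetadataUrl` and `userIdentifierAttribute` this should be `<property name="appendAcrs" value="${saml.acrs.appendAcrs}"/>`. The same applies to the `verifyAuthnContext` wiring in web-context.xml.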
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
index 6738b4869..1275123c0 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -647,6 +647,7 @@
     <bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
         <property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
         <property name="maxAuthenticationAge" value="360"/>
+        <property name="verifyAuthnContext" value="#{'${saml.acrs.verifyAuthnContext}'}"/>
         </bean>
 
     <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
index 013cd6e65..f6842d774 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
@@ -306,7 +306,7 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
             }
         }
 
-        if (!hasNonReserved) {
+        if (!hasNonReserved && samlProperties.shouldAppendAcrs()) {
             List<String> toBeAdded = new LinkedList<>(Arrays.asList(samlProperties.getAcrsToBeAdded()));
             log.debug("NO ACR with non reserved prefix found, adding following: {}", toBeAdded);
             acrs.addAll(toBeAdded);
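Review bot: When `shouldAppendAcrs()` is false the new condition silently drops into whatever follows, so a request that carries only reserved-prefix ACRs leaves no trace of why the fallback classes were not added; the existing debug line only fires on the appending path. I would keep the skip visible with an explicit branch, e.g. `} else if (!hasNonReserved) { log.debug("NO ACR with non reserved prefix found, but appending is disabled by configuration"); }`. The method containing this check starts and ends outside the hunk, so I cannot tell what the request looks like downstream when the ACR list ends up holding only reserved prefixes; worth confirming the IdP tolerates that.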
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java
index 4db683969..912c7653d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java
@@ -18,11 +18,19 @@ import java.util.stream.Collectors;
 public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl {
 
     private Set<String> reservedPrefixes;
+    private String verifyAuthnContext;
+    private boolean shouldVerifyAuthnContext;
 
    public void setReservedPrefixes(Set<String> reservedPrefixes) {
         this.reservedPrefixes = reservedPrefixes;
     }
 
+    public void setVerifyAuthnContext(String verifyAuthnContext) {
+       this.verifyAuthnContext = verifyAuthnContext;
+       this.shouldVerifyAuthnContext = Boolean.parseBoolean(verifyAuthnContext);
+    }
+
+
     @Override
     protected void verifyAuthenticationStatement(AuthnStatement auth,
                                                  RequestedAuthnContext requestedAuthnContext,
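Review bot: The new `shouldVerifyAuthnContext` flag fails open: it defaults to `false` as a bare boolean field, and `Boolean.parseBoolean` maps any unrecognised value (`"yes"`, `"TRUE "` with a stray space, a typo) to `false`, so a missing property in an older web-context.xml or a mistyped value disables the AuthnContext check without any error. For a control that decides whether the IdP's assertion is checked against what was requested, the safe direction is to default to `true` and reject anything other than a literal true/false at wiring time. The `verifyAuthnContext` String field is also written but never read anywhere in this hunk; unless a getter elsewhere needs it, it is dead state and can go. A guarded setter would look like the following.

```java
    private Set<String> reservedPrefixes;
    // Fail closed: the requested/received AuthnContext comparison stays on
    // unless the deployment explicitly switches it off.
    private boolean shouldVerifyAuthnContext = true;

    // … unchanged: setReservedPrefixes …

    public void setVerifyAuthnContext(String verifyAuthnContext) {
        String value = verifyAuthnContext == null ? "" : verifyAuthnContext.trim();
        if (!"true".equalsIgnoreCase(value) && !"false".equalsIgnoreCase(value)) {
            throw new IllegalArgumentException(
                    "saml.acrs.verifyAuthnContext must be 'true' or 'false', got: '" + verifyAuthnContext + "'");
        }
        this.shouldVerifyAuthnContext = Boolean.parseBoolean(value);
    }
```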
@@ -66,7 +74,9 @@ public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl {
             log.debug("No Requested AuthnContext(s)");
         }
         log.debug("Received AuthnContext: {}", receivedContext.getAuthnContextClassRef().getAuthnContextClassRef());
-        super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);
+        if (shouldVerifyAuthnContext) {
+            super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);
+        }
     }
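Review bot: The skipped-verification path leaves no record that the received AuthnContext was accepted without being compared to the requested one; the preceding debug line prints what was received but not that the check was bypassed, which makes an incident investigation harder when an RP later asks why an MFA-requesting login came back as password-only. An `else` branch such as `log.debug("AuthnContext verification disabled by configuration; accepting received context without comparing it to the requested one");` keeps this visible, and a one-time warn at startup from the setter would make it hard to miss. The enclosing `verifyAuthenticationStatement` begins outside this hunk, so I could not check whether anything further down still depends on the contexts matching.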
 
     private boolean filterOutConditionsMet(RequestedAuthnContext requestedAuthnContext) {
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java
index a25430a45..91bc2d717 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java
@@ -36,6 +36,7 @@ public class SamlProperties implements InitializingBean {
     private String idpMetadataUrl;
     private String[] acrReservedPrefixes;
     private String[] acrsToBeAdded;
+    private String appendAcrs;
     private String userIdentifierAttribute;
     private String userLookupMode;
     private String staticUserExtSource;
@@ -97,4 +98,12 @@ public class SamlProperties implements InitializingBean {
         }
     }
 
+    public void setAppendAcrs(String appendAcrs) {
+        this.appendAcrs = appendAcrs;
+    }
+
+    public boolean shouldAppendAcrs() {
+        return Boolean.parseBoolean(appendAcrs);
+    }
+
 }
-- 
GitLab