options to auto-assign user roles based on a Shibboleth attribute

ivan-novakov · Dec 4, 2012 · 85cb1b9 · 85cb1b9
1 parent 39bb7e9
commit 85cb1b9
Show file tree

Hide file tree

Showing 7 changed files with 182 additions and 78 deletions.
diff --git a/src/main/java/com/liferay/portal/security/auth/ShibbolethAutoLogin.java b/src/main/java/com/liferay/portal/security/auth/ShibbolethAutoLogin.java
@@ -1,14 +1,18 @@
 package com.liferay.portal.security.auth;
 
 import com.liferay.portal.NoSuchUserException;
+import com.liferay.portal.kernel.exception.PortalException;
+import com.liferay.portal.kernel.exception.SystemException;
 import com.liferay.portal.kernel.log.Log;
 import com.liferay.portal.kernel.log.LogFactoryUtil;
 import com.liferay.portal.kernel.util.StringPool;
 import com.liferay.portal.kernel.util.Validator;
 import com.liferay.portal.model.CompanyConstants;
 import com.liferay.portal.model.User;
+import com.liferay.portal.model.Role;
 import com.liferay.portal.security.ldap.PortalLDAPImporterUtil;
 import com.liferay.portal.service.UserLocalServiceUtil;
+import com.liferay.portal.service.RoleLocalServiceUtil;
 import com.liferay.portal.service.ServiceContext;
 import com.liferay.portal.shibboleth.util.ShibbolethPropsKeys;
 import com.liferay.portal.shibboleth.util.Util;
@@ -18,6 +22,9 @@
 import javax.servlet.http.HttpSession;
 import java.util.Locale;
 import java.util.Calendar;
+import java.util.Arrays;
+import java.util.List;
+import java.util.ArrayList;
 
 /**
  * Performs autologin based on the header values passed by Shibboleth.
@@ -97,7 +104,7 @@ private User loginFromSession(long companyId, HttpSession session) throws Except
 			}
 
 		} catch (NoSuchUserException e) {
-			_log.info("User not found");
+			_log.error("User not found");
 
 			if (Util.autoCreateUser(companyId)) {
 				_log.info("Importing user from session...");
@@ -109,6 +116,12 @@ private User loginFromSession(long companyId, HttpSession session) throws Except
 			}
 		}
 
+		try {
+			updateUserRolesFromSession(companyId, user, session);
+		} catch (Exception e) {
+			_log.error("Exception while updating user roles from session: " + e.getMessage());
+		}
+
 		return user;
 	}
 
@@ -213,7 +226,66 @@ private void updateUserFromSession(User user, HttpSession session) throws Except
 		UserLocalServiceUtil.updateUser(user);
 	}
 
-	public void logError(Exception e) {
+	private void updateUserRolesFromSession(long companyId, User user, HttpSession session) throws Exception {
+		if (!Util.autoAssignUserRole(companyId)) {
+			return;
+		}
+
+		List<Role> currentFelRoles = getRolesFromSession(companyId, session);
+		long[] currentFelRoleIds = roleListToLongArray(currentFelRoles);
+
+		List<Role> felRoles = getAllRolesWithConfiguredSubtype(companyId);
+		long[] felRoleIds = roleListToLongArray(felRoles);
+
+		RoleLocalServiceUtil.unsetUserRoles(user.getUserId(), felRoleIds);
+		RoleLocalServiceUtil.addUserRoles(user.getUserId(), currentFelRoleIds);
+
+		_log.info("User '" + user.getScreenName() + "' has been assigned " + currentFelRoleIds.length + " role(s): "
+				+ Arrays.toString(currentFelRoleIds));
+	}
+
+	private long[] roleListToLongArray(List<Role> roles) {
+		long[] roleIds = new long[roles.size()];
+
+		for (int i = 0; i < roles.size(); i++) {
+			roleIds[i] = roles.get(i).getRoleId();
+		}
+
+		return roleIds;
+	}
+
+	private List<Role> getAllRolesWithConfiguredSubtype(long companyId) throws Exception {
+		String roleSubtype = Util.autoAssignUserRoleSubtype(companyId);
+		return RoleLocalServiceUtil.getSubtypeRoles(roleSubtype);
+	}
+
+	private List<Role> getRolesFromSession(long companyId, HttpSession session) throws SystemException {
+		List<Role> currentFelRoles = new ArrayList<Role>();
+		String affiliation = (String) session.getAttribute(ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION);
+
+		if (Validator.isNull(affiliation)) {
+			return currentFelRoles;
+		}
+
+		String[] affiliationList = affiliation.split(";");
+
+		for (int i = 0; i < affiliationList.length; i++) {
+			String roleName = affiliationList[i];
+			Role role;
+			try {
+				role = RoleLocalServiceUtil.getRole(companyId, roleName);
+			} catch (PortalException e) {
+				_log.debug("Exception while getting role with name '" + roleName + "': " + e.getMessage());
+				continue;
+			}
+
+			currentFelRoles.add(role);
+		}
+
+		return currentFelRoles;
+	}
+
+	private void logError(Exception e) {
 		_log.error("Exception message = " + e.getMessage() + " cause = " + e.getCause());
 		if (_log.isDebugEnabled()) {
 			e.printStackTrace();

diff --git a/src/main/java/com/liferay/portal/servlet/filters/sso/shibboleth/ShibbolethFilter.java b/src/main/java/com/liferay/portal/servlet/filters/sso/shibboleth/ShibbolethFilter.java
@@ -63,6 +63,8 @@ protected void processFilter(HttpServletRequest request, HttpServletResponse res
 						ShibbolethPropsKeys.SHIBBOLETH_HEADER_FIRSTNAME, false);
 				processHeader(Util.getSurnameHeaderName(companyId), request,
 						ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME, false);
+				processHeader(Util.getAffiliationHeaderName(companyId), request,
+						ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION, false);
 			}
 		}
 		processFilter(ShibbolethFilter.class, request, response, filterChain);

diff --git a/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsKeys.java b/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsKeys.java
@@ -16,10 +16,16 @@ public class ShibbolethPropsKeys {
 
 	public static final String SHIBBOLETH_HEADER_SURNAME = "shibboleth.header.surname";
 
+	public static final String SHIBBOLETH_HEADER_AFFILIATION = "shibboleth.header.affiliation";
+
 	public static final String SHIBBOLETH_USER_AUTO_CREATE = "shibboleth.user.auto.create";
 
 	public static final String SHIBBOLETH_USER_AUTO_UPDATE = "shibboleth.user.auto.update";
 
+	public static final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN = "shibboleth.user.role.auto.assign";
+
+	public static final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE = "shibboleth.user.role.auto.assign.subtype";
+
 	public static final String SHIBBOLETH_LOGIN = "shibboleth.login";
 
 	public static final String SHIBBOLETH_USER_LDAP_IMPORT = "shibboleth.user.ldap.import";

diff --git a/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsValues.java b/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsValues.java
@@ -18,11 +18,17 @@ public class ShibbolethPropsValues {
 
     public static final String SHIBBOLETH_HEADER_SURNAME = PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME);
 
+    public static final String SHIBBOLETH_HEADER_AFFILIATION = PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION);
+
     public static final boolean SHIBBOLETH_USER_AUTO_CREATE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_CREATE));
 
     public static final boolean SHIBBOLETH_USER_AUTO_UPDATE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_UPDATE));
 
     public static final boolean SHIBBOLETH_USER_LDAP_IMPORT = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_LDAP_IMPORT));
+
+    public static final boolean SHIBBOLETH_USER_ROLE_AUTO_ASSIGN = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN));
+
+    public static final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE = PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE);
 
     public static final boolean SHIBBOLETH_LOGOUT_ENABLE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_ENABLE));
 

diff --git a/src/main/java/com/liferay/portal/shibboleth/util/Util.java b/src/main/java/com/liferay/portal/shibboleth/util/Util.java
@@ -11,80 +11,81 @@
  * @author Ivan Novakov <[email protected]>
  */
 public final class Util {
-    private Util() {
-    }
-
-    public static boolean isEnabled(long companyId) throws Exception {
-        return GetterUtil.get(
-                getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_ENABLED),
-                ShibbolethPropsValues.SHIBBOLETH_ENABLED);
-    }
-
-    public static boolean isLogoutEnabled(long companyId) throws Exception {
-        return GetterUtil.get(
-                getValue(companyId,
-                        ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_ENABLE),
-                ShibbolethPropsValues.SHIBBOLETH_LOGOUT_ENABLE);
-    }
-
-    public static boolean importUser(long companyId) throws Exception {
-        return GetterUtil.get(
-                getValue(companyId,
-                        ShibbolethPropsKeys.SHIBBOLETH_USER_LDAP_IMPORT),
-                ShibbolethPropsValues.SHIBBOLETH_USER_LDAP_IMPORT);
-    }
-
-    public static String getLogoutUrl(long companyId) throws Exception {
-        return GetterUtil.getString(
-                getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_URL),
-                ShibbolethPropsValues.SHIBBOLETH_LOGOUT_URL);
-    }
-
-    public static String getHeaderName(long companyId) throws Exception {
-        return GetterUtil.getString(
-                getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER),
-                ShibbolethPropsValues.SHIBBOLETH_HEADER);
-    }
-
-    public static String getEmailHeaderName(long companyId) throws Exception {
-        return GetterUtil.getString(
-                getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_EMAIL),
-                ShibbolethPropsValues.SHIBBOLETH_HEADER_EMAIL);
-    }
-
-    public static String getFirstnameHeaderName(long companyId) throws Exception {
-        return GetterUtil.getString(
-                getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_FIRSTNAME),
-                ShibbolethPropsValues.SHIBBOLETH_HEADER_FIRSTNAME);
-    }
-
-    public static String getSurnameHeaderName(long companyId) throws Exception {
-        return GetterUtil.getString(
-                getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME),
-                ShibbolethPropsValues.SHIBBOLETH_HEADER_SURNAME);
-    }
-
-    public static boolean autoCreateUser(long companyId) throws Exception {
-        return GetterUtil.get(
-                getValue(companyId,
-                        ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_CREATE),
-                ShibbolethPropsValues.SHIBBOLETH_USER_AUTO_CREATE);
-    }
-
-    public static boolean autoUpdateUser(long companyId) throws Exception {
-        return GetterUtil.get(
-                getValue(companyId,
-                        ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_UPDATE),
-                ShibbolethPropsValues.SHIBBOLETH_USER_AUTO_UPDATE);
-    }
-
-    public static String getAuthType(long companyId) throws Exception {
-        return GetterUtil.getString(
-                getValue(companyId, PropsKeys.COMPANY_SECURITY_AUTH_TYPE), CompanyConstants.AUTH_TYPE_EA);
-    }
-
-    private static String getValue(long companyId, String key) throws Exception {
-        return PrefsPropsUtil.getString(companyId, key);
-    }
+	private Util() {
+	}
+
+	public static boolean isEnabled(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_ENABLED),
+				ShibbolethPropsValues.SHIBBOLETH_ENABLED);
+	}
+
+	public static boolean isLogoutEnabled(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_ENABLE),
+				ShibbolethPropsValues.SHIBBOLETH_LOGOUT_ENABLE);
+	}
+
+	public static boolean importUser(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_LDAP_IMPORT),
+				ShibbolethPropsValues.SHIBBOLETH_USER_LDAP_IMPORT);
+	}
+
+	public static String getLogoutUrl(long companyId) throws Exception {
+		return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_URL),
+				ShibbolethPropsValues.SHIBBOLETH_LOGOUT_URL);
+	}
+
+	public static String getHeaderName(long companyId) throws Exception {
+		return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER),
+				ShibbolethPropsValues.SHIBBOLETH_HEADER);
+	}
+
+	public static String getEmailHeaderName(long companyId) throws Exception {
+		return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_EMAIL),
+				ShibbolethPropsValues.SHIBBOLETH_HEADER_EMAIL);
+	}
+
+	public static String getFirstnameHeaderName(long companyId) throws Exception {
+		return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_FIRSTNAME),
+				ShibbolethPropsValues.SHIBBOLETH_HEADER_FIRSTNAME);
+	}
+
+	public static String getSurnameHeaderName(long companyId) throws Exception {
+		return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME),
+				ShibbolethPropsValues.SHIBBOLETH_HEADER_SURNAME);
+	}
+
+	public static String getAffiliationHeaderName(long companyId) throws Exception {
+		return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION),
+				ShibbolethPropsValues.SHIBBOLETH_HEADER_AFFILIATION);
+	}
+
+	public static boolean autoCreateUser(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_CREATE),
+				ShibbolethPropsValues.SHIBBOLETH_USER_AUTO_CREATE);
+	}
+
+	public static boolean autoUpdateUser(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_UPDATE),
+				ShibbolethPropsValues.SHIBBOLETH_USER_AUTO_UPDATE);
+	}
+
+	public static boolean autoAssignUserRole(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN),
+				ShibbolethPropsValues.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN);
+	}
+
+	public static String autoAssignUserRoleSubtype(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE),
+				ShibbolethPropsValues.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE);
+	}
+
+	public static String getAuthType(long companyId) throws Exception {
+		return GetterUtil.getString(getValue(companyId, PropsKeys.COMPANY_SECURITY_AUTH_TYPE),
+				CompanyConstants.AUTH_TYPE_EA);
+	}
+
+	private static String getValue(long companyId, String key) throws Exception {
+		return PrefsPropsUtil.getString(companyId, key);
+	}
 
 }
diff --git a/src/main/resources/language.properties b/src/main/resources/language.properties
@@ -5,6 +5,9 @@ shibboleth-user-id-header=Shibboleth user ID header
 shibboleth-user-header-email=Shibboleth user email header
 shibboleth-user-header-firstname=Shibboleth user first name header
 shibboleth-user-header-surname=Shibboleth user surname header
+shibboleth-user-header-affiliation=Shibboleth user affiliation header
 auto-create-users=Auto-create users
 auto-update-users=Auto-update users
+auto-assign-user-role=Auto-assign roles to users (based on the affiliation)
+auto-assign-user-role-subtype=Role subtype for auto-assign roles
 shibboleth=Shibboleth
diff --git a/src/main/webapp/WEB-INF/jsps/html/portlet/portal_settings/shibbolethconfiguration.jsp b/src/main/webapp/WEB-INF/jsps/html/portlet/portal_settings/shibbolethconfiguration.jsp
@@ -8,8 +8,11 @@
     final String SHIBBOLETH_HEADER_EMAIL = "shibboleth.header.email";
     final String SHIBBOLETH_HEADER_FIRSTNAME = "shibboleth.header.firstname";
     final String SHIBBOLETH_HEADER_SURNAME = "shibboleth.header.surname";
+    final String SHIBBOLETH_HEADER_AFFILIATION = "shibboleth.header.affiliation";
     final String SHIBBOLETH_USER_AUTO_CREATE  = "shibboleth.user.auto.create";
     final String SHIBBOLETH_USER_AUTO_UPDATE = "shibboleth.user.auto.update";
+    final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN = "shibboleth.user.role.auto.assign";
+    final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE = "shibboleth.user.role.auto.assign.subtype";
 
     String shibbolethEnabled = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_ENABLED, "false");
     String shibbolethHeader = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER, "");
@@ -20,8 +23,11 @@
     String shibbolethHeaderEmail = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_EMAIL, "mail");
     String shibbolethHeaderFirtsname = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_FIRSTNAME, "givenname");
     String shibbolethHeaderSurname = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_SURNAME, "sn");
+    String shibbolethHeaderAffiliation = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_AFFILIATION, "affiliation");
     String shibbolethUserAutoCreate = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_AUTO_CREATE, "false");
     String shibbolethUserAutoUpdate = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_AUTO_UPDATE, "false");
+    String shibbolethUserRoleAutoAssign = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_ROLE_AUTO_ASSIGN, "false");
+    String shibbolethUserRoleAutoAssignSubtype = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE, "");
 %>
 <liferay-ui:section>
     <aui:fieldset>
@@ -34,7 +40,9 @@
         <aui:input cssClass="lfr-input-text-container" label="shibboleth-user-header-firstname"
                    name='<%= "settings--" + SHIBBOLETH_HEADER_FIRSTNAME + "--" %>' type="text" value="<%= shibbolethHeaderFirtsname %>"/>  
         <aui:input cssClass="lfr-input-text-container" label="shibboleth-user-header-surname"
-                   name='<%= "settings--" + SHIBBOLETH_HEADER_SURNAME + "--" %>' type="text" value="<%= shibbolethHeaderSurname %>"/>                                                       
+                   name='<%= "settings--" + SHIBBOLETH_HEADER_SURNAME + "--" %>' type="text" value="<%= shibbolethHeaderSurname %>"/>    
+        <aui:input cssClass="lfr-input-text-container" label="shibboleth-user-header-affiliation"
+                   name='<%= "settings--" + SHIBBOLETH_HEADER_AFFILIATION + "--" %>' type="text" value="<%= shibbolethHeaderAffiliation %>"/>        
         <aui:input label="auto-create-users"
                    name='<%= "settings--" + SHIBBOLETH_USER_AUTO_CREATE + "--" %>' type="checkbox"
                    value="<%= shibbolethUserAutoCreate %>"/>
@@ -44,6 +52,12 @@
         <aui:input label="import-shibboleth-users-from-ldap"
                    name='<%= "settings--" + SHIBBOLETH_USER_LDAP_IMPORT + "--" %>' type="checkbox"
                    value="<%= shibbolethUserLdapImport %>"/>
+        <aui:input label="auto-assign-user-role"
+                   name='<%= "settings--" + SHIBBOLETH_USER_ROLE_AUTO_ASSIGN + "--" %>' type="checkbox"
+                   value="<%= shibbolethUserRoleAutoAssign %>"/>
+        <aui:input cssClass="lfr-input-text-container" label="auto-assign-user-role-subtype"
+                   name='<%= "settings--" + SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE + "--" %>' type="text"
+                   value="<%= shibbolethUserRoleAutoAssignSubtype %>"/>                   
         <aui:input label="shibboleth-logout-enable" name='<%= "settings--" + SHIBBOLETH_LOGOUT_ENABLE + "--" %>'
                    type="checkbox" value="<%= shibbolethLogoutEnabled %>"/>
         <aui:input cssClass="lfr-input-text-container" label="logout-url"