From 85cb1b9b8e66b87eed054e560924b4de41d42eb7 Mon Sep 17 00:00:00 2001 From: Ivan Novakov Date: Tue, 4 Dec 2012 17:23:12 +0100 Subject: [PATCH] options to auto-assign user roles based on a Shibboleth attribute --- .../security/auth/ShibbolethAutoLogin.java | 76 ++++++++- .../sso/shibboleth/ShibbolethFilter.java | 2 + .../shibboleth/util/ShibbolethPropsKeys.java | 6 + .../util/ShibbolethPropsValues.java | 6 + .../liferay/portal/shibboleth/util/Util.java | 151 +++++++++--------- src/main/resources/language.properties | 3 + .../shibbolethconfiguration.jsp | 16 +- 7 files changed, 182 insertions(+), 78 deletions(-) diff --git a/src/main/java/com/liferay/portal/security/auth/ShibbolethAutoLogin.java b/src/main/java/com/liferay/portal/security/auth/ShibbolethAutoLogin.java index 360143e..b26ce61 100644 --- a/src/main/java/com/liferay/portal/security/auth/ShibbolethAutoLogin.java +++ b/src/main/java/com/liferay/portal/security/auth/ShibbolethAutoLogin.java @@ -1,14 +1,18 @@ package com.liferay.portal.security.auth; import com.liferay.portal.NoSuchUserException; +import com.liferay.portal.kernel.exception.PortalException; +import com.liferay.portal.kernel.exception.SystemException; import com.liferay.portal.kernel.log.Log; import com.liferay.portal.kernel.log.LogFactoryUtil; import com.liferay.portal.kernel.util.StringPool; import com.liferay.portal.kernel.util.Validator; import com.liferay.portal.model.CompanyConstants; import com.liferay.portal.model.User; +import com.liferay.portal.model.Role; import com.liferay.portal.security.ldap.PortalLDAPImporterUtil; import com.liferay.portal.service.UserLocalServiceUtil; +import com.liferay.portal.service.RoleLocalServiceUtil; import com.liferay.portal.service.ServiceContext; import com.liferay.portal.shibboleth.util.ShibbolethPropsKeys; import com.liferay.portal.shibboleth.util.Util; 
@@ -18,6 +22,9 @@ import javax.servlet.http.HttpSession; import java.util.Locale; import java.util.Calendar; +import java.util.Arrays; +import java.util.List; +import java.util.ArrayList; /** * Performs autologin based on the header values passed by Shibboleth. @@ -97,7 +104,7 @@ private User loginFromSession(long companyId, HttpSession session) throws Except } } catch (NoSuchUserException e) { - _log.info("User not found"); + _log.error("User not found"); if (Util.autoCreateUser(companyId)) { _log.info("Importing user from session..."); @@ -109,6 +116,12 @@ private User loginFromSession(long companyId, HttpSession session) throws Except } } + try { + updateUserRolesFromSession(companyId, user, session); + } catch (Exception e) { + _log.error("Exception while updating user roles from session: " + e.getMessage()); + } + return user; } 
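Review bot: Raising `_log.info("User not found")` to error level turns an expected condition into an alarm: the lines right after it check `Util.autoCreateUser(companyId)` and import the user, so a missing user is the normal first-login path whenever auto-create is on, and every such login will now produce an ERROR entry. Keep the original `_log.info("User not found");` (or log at warn only in the branch where auto-create is disabled and the login really fails). loginFromSession starts and ends outside this hunk.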
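Review bot: The new `catch (Exception e)` around `updateUserRolesFromSession` records only `e.getMessage()`, so the stack trace and cause are lost, and control then falls through to `return user`, meaning a failed synchronisation lets the login complete with whatever roles the user held before — roles that should have been revoked stay granted and nothing but a one-line log says so. Pass the exception to the logger, `_log.error("Exception while updating user roles from session", e);`, and decide explicitly whether a failed role sync should abort the login instead of being treated as best-effort; if best-effort is intended, a comment saying so at the catch would stop the next reader from "fixing" it. The existing `logError(e)` helper later in this diff would at least keep the logging style consistent. loginFromSession starts outside this hunk.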
@@ -213,7 +226,66 @@ private void updateUserFromSession(User user, HttpSession session) throws Except UserLocalServiceUtil.updateUser(user); } - public void logError(Exception e) { + private void updateUserRolesFromSession(long companyId, User user, HttpSession session) throws Exception { + if (!Util.autoAssignUserRole(companyId)) { + return; + } + + List currentFelRoles = getRolesFromSession(companyId, session); + long[] currentFelRoleIds = roleListToLongArray(currentFelRoles); + + List felRoles = getAllRolesWithConfiguredSubtype(companyId); + long[] felRoleIds = roleListToLongArray(felRoles); + + RoleLocalServiceUtil.unsetUserRoles(user.getUserId(), felRoleIds); + RoleLocalServiceUtil.addUserRoles(user.getUserId(), currentFelRoleIds); + + _log.info("User '" + user.getScreenName() + "' has been assigned " + currentFelRoleIds.length + " role(s): " + + Arrays.toString(currentFelRoleIds)); + } + + private long[] roleListToLongArray(List roles) { + long[] roleIds = new long[roles.size()]; + + for (int i = 0; i < roles.size(); i++) { + roleIds[i] = roles.get(i).getRoleId(); + } + + return roleIds; + } + + private List getAllRolesWithConfiguredSubtype(long companyId) throws Exception { + String roleSubtype = Util.autoAssignUserRoleSubtype(companyId); + return RoleLocalServiceUtil.getSubtypeRoles(roleSubtype); + } + + private List getRolesFromSession(long companyId, HttpSession session) throws SystemException { + List currentFelRoles = new ArrayList(); + String affiliation = (String) session.getAttribute(ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION); + + if (Validator.isNull(affiliation)) { + return currentFelRoles; + } + + String[] affiliationList = affiliation.split(";"); + + for (int i = 0; i < affiliationList.length; i++) { + String roleName = affiliationList[i]; + Role role; + try { + role = RoleLocalServiceUtil.getRole(companyId, roleName); + } catch (PortalException e) { + _log.debug("Exception while getting role with name '" + roleName + "': " + 
e.getMessage()); + continue; + } + + currentFelRoles.add(role); + } + + return currentFelRoles; + } + + private void logError(Exception e) { _log.error("Exception message = " + e.getMessage() + " cause = " + e.getCause()); if (_log.isDebugEnabled()) { e.printStackTrace(); diff --git a/src/main/java/com/liferay/portal/servlet/filters/sso/shibboleth/ShibbolethFilter.java b/src/main/java/com/liferay/portal/servlet/filters/sso/shibboleth/ShibbolethFilter.java index 0cf740d..a196f62 100644 --- a/src/main/java/com/liferay/portal/servlet/filters/sso/shibboleth/ShibbolethFilter.java +++ b/src/main/java/com/liferay/portal/servlet/filters/sso/shibboleth/ShibbolethFilter.java @@ -63,6 +63,8 @@ protected void processFilter(HttpServletRequest request, HttpServletResponse res ShibbolethPropsKeys.SHIBBOLETH_HEADER_FIRSTNAME, false); processHeader(Util.getSurnameHeaderName(companyId), request, ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME, false); + processHeader(Util.getAffiliationHeaderName(companyId), request, + ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION, false); } } processFilter(ShibbolethFilter.class, request, response, filterChain); diff --git a/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsKeys.java b/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsKeys.java index d8ad263..65b43d8 100644 --- a/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsKeys.java +++ b/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsKeys.java 
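Review bot: In `updateUserRolesFromSession` the revocation side is scoped to the configured subtype (`getAllRolesWithConfiguredSubtype` → `getSubtypeRoles`), but the grant side is not: `getRolesFromSession` resolves every `;`-separated affiliation value with `RoleLocalServiceUtil.getRole(companyId, roleName)`, so any role in the company whose name happens to equal an attribute value is assigned, including roles outside the subtype this feature is meant to manage, and those grants are never undone on a later login because `unsetUserRoles` only sees subtype roles. The grant side should be filtered to the same subtype so both calls act on one well-defined set; the rewritten lookup below does that, also trims whitespace around each value, and returns early when the subtype preference is blank so that, if `getSubtypeRoles("")` were to match roles with no subtype, `unsetUserRoles` cannot strip a user's ordinary roles — that early return belongs in `updateUserRolesFromSession` before either Role call, as `if (Validator.isNull(Util.autoAssignUserRoleSubtype(companyId))) { return; }`. The generic arguments on the `List` declarations look like they were swallowed by the page rendering, so I have not raised the raw types. updateUserFromSession starts outside this hunk.
```java
private List<Role> getRolesFromSession(long companyId, HttpSession session) throws Exception {
    List<Role> currentFelRoles = new ArrayList<Role>();
    String affiliation = (String) session.getAttribute(ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION);
    String roleSubtype = Util.autoAssignUserRoleSubtype(companyId);

    // No attribute or no managed subtype: nothing may be granted.
    if (Validator.isNull(affiliation) || Validator.isNull(roleSubtype)) {
        return currentFelRoles;
    }

    for (String rawName : affiliation.split(";")) {
        String roleName = rawName.trim();
        Role role;
        try {
            role = RoleLocalServiceUtil.getRole(companyId, roleName);
        } catch (PortalException e) {
            // … unchanged: debug log and continue …
            continue;
        }

        // Only roles of the managed subtype are granted, mirroring the set
        // that unsetUserRoles revokes; anything else in the attribute is ignored.
        if (!roleSubtype.equals(role.getSubtype())) {
            _log.debug("Ignoring role '" + roleName + "' outside subtype '" + roleSubtype + "'");
            continue;
        }

        currentFelRoles.add(role);
    }

    return currentFelRoles;
}
```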
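Review bot: With the added `processHeader(Util.getAffiliationHeaderName(companyId), ...)` call the affiliation header now feeds `getRolesFromSession` and therefore role grants, so the trust placed in incoming headers covers authorization, not just identification; the identity headers go through the same `processHeader` path, whose checks are outside this hunk, so I cannot tell from here whether it verifies that the header came from the Shibboleth SP rather than the client. A comment at the call site should state that dependency, e.g. `// Affiliation drives role assignment in ShibbolethAutoLogin; only trustworthy when the SP strips client-supplied copies of this header`, and if processHeader does not already enforce the header's origin, the affiliation header should not be copied into the session without that check. processFilter starts outside this hunk.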
@@ -16,10 +16,16 @@ public class ShibbolethPropsKeys { public static final String SHIBBOLETH_HEADER_SURNAME = "shibboleth.header.surname"; + public static final String SHIBBOLETH_HEADER_AFFILIATION = "shibboleth.header.affiliation"; + public static final String SHIBBOLETH_USER_AUTO_CREATE = "shibboleth.user.auto.create"; public static final String SHIBBOLETH_USER_AUTO_UPDATE = "shibboleth.user.auto.update"; + public static final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN = "shibboleth.user.role.auto.assign"; + + public static final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE = "shibboleth.user.role.auto.assign.subtype"; + public static final String SHIBBOLETH_LOGIN = "shibboleth.login"; public static final String SHIBBOLETH_USER_LDAP_IMPORT = "shibboleth.user.ldap.import"; diff --git a/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsValues.java b/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsValues.java index aeb4c03..111e20a 100644 --- a/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsValues.java +++ b/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsValues.java 
@@ -18,11 +18,17 @@ public class ShibbolethPropsValues { public static final String SHIBBOLETH_HEADER_SURNAME = PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME); + public static final String SHIBBOLETH_HEADER_AFFILIATION = PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION); + public static final boolean SHIBBOLETH_USER_AUTO_CREATE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_CREATE)); public static final boolean SHIBBOLETH_USER_AUTO_UPDATE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_UPDATE)); public static final boolean SHIBBOLETH_USER_LDAP_IMPORT = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_LDAP_IMPORT)); + + public static final boolean SHIBBOLETH_USER_ROLE_AUTO_ASSIGN = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN)); + + public static final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE = PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE); public static final boolean SHIBBOLETH_LOGOUT_ENABLE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_ENABLE)); diff --git a/src/main/java/com/liferay/portal/shibboleth/util/Util.java b/src/main/java/com/liferay/portal/shibboleth/util/Util.java index d0ec29b..d2e91c0 100644 --- a/src/main/java/com/liferay/portal/shibboleth/util/Util.java +++ b/src/main/java/com/liferay/portal/shibboleth/util/Util.java 
@@ -11,80 +11,81 @@ * @author Ivan Novakov */ public final class Util { - private Util() { - } - - public static boolean isEnabled(long companyId) throws Exception { - return GetterUtil.get( - getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_ENABLED), - ShibbolethPropsValues.SHIBBOLETH_ENABLED); - } - - public static boolean isLogoutEnabled(long companyId) throws Exception { - return GetterUtil.get( - getValue(companyId, - ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_ENABLE), - ShibbolethPropsValues.SHIBBOLETH_LOGOUT_ENABLE); - } - - public static boolean importUser(long companyId) throws Exception { - return GetterUtil.get( - getValue(companyId, - ShibbolethPropsKeys.SHIBBOLETH_USER_LDAP_IMPORT), - ShibbolethPropsValues.SHIBBOLETH_USER_LDAP_IMPORT); - } - - public static String getLogoutUrl(long companyId) throws Exception { - return GetterUtil.getString( - getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_URL), - ShibbolethPropsValues.SHIBBOLETH_LOGOUT_URL); - } - - public static String getHeaderName(long companyId) throws Exception { - return GetterUtil.getString( - getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER), - ShibbolethPropsValues.SHIBBOLETH_HEADER); - } - - public static String getEmailHeaderName(long companyId) throws Exception { - return GetterUtil.getString( - getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_EMAIL), - ShibbolethPropsValues.SHIBBOLETH_HEADER_EMAIL); - } - - public static String getFirstnameHeaderName(long companyId) throws Exception { - return GetterUtil.getString( - getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_FIRSTNAME), - ShibbolethPropsValues.SHIBBOLETH_HEADER_FIRSTNAME); - } - - public static String getSurnameHeaderName(long companyId) throws Exception { - return GetterUtil.getString( - getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME), - ShibbolethPropsValues.SHIBBOLETH_HEADER_SURNAME); - } - - public static boolean autoCreateUser(long companyId) throws Exception { - return 
GetterUtil.get( - getValue(companyId, - ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_CREATE), - ShibbolethPropsValues.SHIBBOLETH_USER_AUTO_CREATE); - } - - public static boolean autoUpdateUser(long companyId) throws Exception { - return GetterUtil.get( - getValue(companyId, - ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_UPDATE), - ShibbolethPropsValues.SHIBBOLETH_USER_AUTO_UPDATE); - } - - public static String getAuthType(long companyId) throws Exception { - return GetterUtil.getString( - getValue(companyId, PropsKeys.COMPANY_SECURITY_AUTH_TYPE), CompanyConstants.AUTH_TYPE_EA); - } - - private static String getValue(long companyId, String key) throws Exception { - return PrefsPropsUtil.getString(companyId, key); - } + private Util() { + } + + public static boolean isEnabled(long companyId) throws Exception { + return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_ENABLED), + ShibbolethPropsValues.SHIBBOLETH_ENABLED); + } + + public static boolean isLogoutEnabled(long companyId) throws Exception { + return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_ENABLE), + ShibbolethPropsValues.SHIBBOLETH_LOGOUT_ENABLE); + } + + public static boolean importUser(long companyId) throws Exception { + return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_LDAP_IMPORT), + ShibbolethPropsValues.SHIBBOLETH_USER_LDAP_IMPORT); + } + + public static String getLogoutUrl(long companyId) throws Exception { + return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_URL), + ShibbolethPropsValues.SHIBBOLETH_LOGOUT_URL); + } + + public static String getHeaderName(long companyId) throws Exception { + return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER), + ShibbolethPropsValues.SHIBBOLETH_HEADER); + } + + public static String getEmailHeaderName(long companyId) throws Exception { + return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_EMAIL), 
+ ShibbolethPropsValues.SHIBBOLETH_HEADER_EMAIL); + } + + public static String getFirstnameHeaderName(long companyId) throws Exception { + return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_FIRSTNAME), + ShibbolethPropsValues.SHIBBOLETH_HEADER_FIRSTNAME); + } + + public static String getSurnameHeaderName(long companyId) throws Exception { + return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME), + ShibbolethPropsValues.SHIBBOLETH_HEADER_SURNAME); + } + + public static String getAffiliationHeaderName(long companyId) throws Exception { + return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION), + ShibbolethPropsValues.SHIBBOLETH_HEADER_AFFILIATION); + } + + public static boolean autoCreateUser(long companyId) throws Exception { + return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_CREATE), + ShibbolethPropsValues.SHIBBOLETH_USER_AUTO_CREATE); + } + + public static boolean autoUpdateUser(long companyId) throws Exception { + return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_AUTO_UPDATE), + ShibbolethPropsValues.SHIBBOLETH_USER_AUTO_UPDATE); + } + + public static boolean autoAssignUserRole(long companyId) throws Exception { + return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN), + ShibbolethPropsValues.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN); + } + + public static String autoAssignUserRoleSubtype(long companyId) throws Exception { + return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE), + ShibbolethPropsValues.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE); + } + + public static String getAuthType(long companyId) throws Exception { + return GetterUtil.getString(getValue(companyId, PropsKeys.COMPANY_SECURITY_AUTH_TYPE), + CompanyConstants.AUTH_TYPE_EA); + } + + private static String getValue(long companyId, String 
key) throws Exception { + return PrefsPropsUtil.getString(companyId, key); + } } diff --git a/src/main/resources/language.properties b/src/main/resources/language.properties index c98c421..73edf4c 100644 --- a/src/main/resources/language.properties +++ b/src/main/resources/language.properties @@ -5,6 +5,9 @@ shibboleth-user-id-header=Shibboleth user ID header shibboleth-user-header-email=Shibboleth user email header shibboleth-user-header-firstname=Shibboleth user first name header shibboleth-user-header-surname=Shibboleth user surname header +shibboleth-user-header-affiliation=Shibboleth user affiliation header auto-create-users=Auto-create users auto-update-users=Auto-update users +auto-assign-user-role=Auto-assign roles to users (based on the affiliation) +auto-assign-user-role-subtype=Role subtype for auto-assign roles shibboleth=Shibboleth diff --git a/src/main/webapp/WEB-INF/jsps/html/portlet/portal_settings/shibbolethconfiguration.jsp b/src/main/webapp/WEB-INF/jsps/html/portlet/portal_settings/shibbolethconfiguration.jsp index 4743522..0d2ed04 100644 --- a/src/main/webapp/WEB-INF/jsps/html/portlet/portal_settings/shibbolethconfiguration.jsp +++ b/src/main/webapp/WEB-INF/jsps/html/portlet/portal_settings/shibbolethconfiguration.jsp 
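Review bot: `autoAssignUserRoleSubtype` returns a String but goes through `GetterUtil.get(...)`, while every other String getter in the class (`getLogoutUrl`, `getHeaderName`, the `*HeaderName` methods, `getAuthType`) uses `GetterUtil.getString(...)`; change it to `return GetterUtil.getString(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE), ShibbolethPropsValues.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE);` so null and default handling matches its siblings. The hunk also re-indents the entire class body, so the three genuinely new methods (`getAffiliationHeaderName`, `autoAssignUserRole`, `autoAssignUserRoleSubtype`) are buried in a 151-line whitespace diff; a separate formatting commit would make the functional change reviewable. A one-line Javadoc on `autoAssignUserRoleSubtype` stating what an empty value means for callers (`/** Role subtype managed by auto-assignment; empty means no subtype is configured. */`) would also help, since the callers in `ShibbolethAutoLogin` pass the value straight to `getSubtypeRoles`.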
@@ -8,8 +8,11 @@ final String SHIBBOLETH_HEADER_EMAIL = "shibboleth.header.email"; final String SHIBBOLETH_HEADER_FIRSTNAME = "shibboleth.header.firstname"; final String SHIBBOLETH_HEADER_SURNAME = "shibboleth.header.surname"; + final String SHIBBOLETH_HEADER_AFFILIATION = "shibboleth.header.affiliation"; final String SHIBBOLETH_USER_AUTO_CREATE = "shibboleth.user.auto.create"; final String SHIBBOLETH_USER_AUTO_UPDATE = "shibboleth.user.auto.update"; + final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN = "shibboleth.user.role.auto.assign"; + final String SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE = "shibboleth.user.role.auto.assign.subtype"; String shibbolethEnabled = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_ENABLED, "false"); String shibbolethHeader = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER, ""); @@ -20,8 +23,11 @@ String shibbolethHeaderEmail = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_EMAIL, "mail"); String shibbolethHeaderFirtsname = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_FIRSTNAME, "givenname"); String shibbolethHeaderSurname = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_SURNAME, "sn"); + String shibbolethHeaderAffiliation = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_AFFILIATION, "affiliation"); String shibbolethUserAutoCreate = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_AUTO_CREATE, "false"); String shibbolethUserAutoUpdate = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_AUTO_UPDATE, "false"); + String shibbolethUserRoleAutoAssign = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_ROLE_AUTO_ASSIGN, "false"); + String shibbolethUserRoleAutoAssignSubtype = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_ROLE_AUTO_ASSIGN_SUBTYPE, ""); %> 
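Review bot: `shibbolethUserRoleAutoAssignSubtype` defaults to `""` while `shibbolethUserRoleAutoAssign` can be set independently, and nothing visible here ties the two together, so the settings page allows enabling role assignment with no subtype — a value `ShibbolethAutoLogin` then hands directly to `getSubtypeRoles`. Either require a subtype when auto-assign is enabled (the save handling is outside this hunk, so I cannot see whether it validates), or state on the field that an empty subtype disables the feature and make the Java side honour that. The preceding hunk in this file (`@@ -8,8 +8,11 @@`) continues the existing habit of redeclaring the property keys as local string literals, so the two new keys now live in three places (`ShibbolethPropsKeys`, `ShibbolethPropsValues`, this JSP) that must be kept in sync by hand; referencing `ShibbolethPropsKeys.SHIBBOLETH_USER_ROLE_AUTO_ASSIGN` directly would remove that risk. The scriptlet these declarations sit in starts outside the hunk.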
@@ -34,7 +40,9 @@ + name='<%= "settings--" + SHIBBOLETH_HEADER_SURNAME + "--" %>' type="text" value="<%= shibbolethHeaderSurname %>"/> + @@ -44,6 +52,12 @@ + +