Merge pull request #2 from mheder/clean

Clean
ivan-novakov · Mar 13, 2014 · bd0b42a · bd0b42a
2 parents 1d2bb1f + 9ea83c1
commit bd0b42a
Show file tree

Hide file tree

Showing 8 changed files with 171 additions and 22 deletions.
diff --git a/src/main/java/com/liferay/portal/security/auth/ShibbolethAutoLogin.java b/src/main/java/com/liferay/portal/security/auth/ShibbolethAutoLogin.java
@@ -57,7 +57,7 @@ public String[] login(HttpServletRequest req, HttpServletResponse res) throws Au
 
 
         try {
-            _log.info("Shibboleth Autologin [modified 1]");
+            _log.info("Shibboleth Autologin [modified 2]");
 
             if (!Util.isEnabled(companyId)) {
                 return credentials;

diff --git a/src/main/java/com/liferay/portal/servlet/filters/sso/shibboleth/ShibbolethFilter.java b/src/main/java/com/liferay/portal/servlet/filters/sso/shibboleth/ShibbolethFilter.java
@@ -61,45 +61,148 @@ protected void processFilter(HttpServletRequest request, HttpServletResponse res
     }
 
     /**
-     * Extracts user data from AJP header
+     * Extracts user data from AJP or HTTP header
      *
      * @return true if any data is present
      */
     protected boolean extractData(HttpSession session, long companyId, HttpServletRequest request) throws Exception {
         String login = (String) session.getAttribute(ShibbolethPropsKeys.SHIBBOLETH_LOGIN);
         if (Validator.isNull(login)) {
-            processHeader(Util.getHeaderName(companyId), request, ShibbolethPropsKeys.SHIBBOLETH_LOGIN, true);
-            processHeader(Util.getEmailHeaderName(companyId), request, ShibbolethPropsKeys.SHIBBOLETH_HEADER_EMAIL,
-                    false);
-            processHeader(Util.getFirstnameHeaderName(companyId), request,
-                    ShibbolethPropsKeys.SHIBBOLETH_HEADER_FIRSTNAME, false);
-            processHeader(Util.getSurnameHeaderName(companyId), request,
-                    ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME, false);
-            processHeader(Util.getAffiliationHeaderName(companyId), request,
-                    ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION, false);
+
+            boolean headersEnabled = Util.isHeadersEnabled(companyId);
+
+            if (headersEnabled) {
+                _log.info("Using HTTP headers as source for attribute values");
+            } else {
+                _log.info("Using Environment variables as source for attribute values");
+            }
+
+            String aaiProvidedLoginName = getHeader(Util.getHeaderName(companyId), request, headersEnabled);
+
+            String aaiProvidedEmail = getHeader(Util.getEmailHeaderName(companyId), request, headersEnabled);
+
+            String aaiProvidedFirstname = getHeader(Util.getFirstnameHeaderName(companyId), request, headersEnabled);
+
+            String aaiProvidedSurname = getHeader(Util.getSurnameHeaderName(companyId), request, headersEnabled);
+
+            String aaiProvidedAffiliation = getHeader(Util.getAffiliationHeaderName(companyId), request, headersEnabled);
+
+            if (Validator.isNull(aaiProvidedLoginName)) {
+                _log.error("Required header [" + Util.getHeaderName(companyId) + "] not found");
+                _log.error("AAI authentication failed as login name header is empty.");
+                return false;
+            }
+            if (Util.isScreenNameTransformEnabled(companyId)) {
+                _log.info("ScreenName transform is enabled.");
+                //check validity of screen name 
+                if (Validator.isEmailAddress(aaiProvidedLoginName)) {
+                    // most probably it is an eduPersonPrincipalName. Make transformations
+                    _log.info("The login name provided by AAI looks like an "
+                            + "email (or eduPersonPrincipalName): "
+                            + aaiProvidedLoginName
+                            + " It needs to be converted to be a Liferay screen name.");
+                    aaiProvidedLoginName = aaiProvidedLoginName.replaceAll("@", ".at.");
+                    _log.info("Login name is converted to:" + aaiProvidedLoginName);
+                }
+                //Liferay does not like underscores
+                if (aaiProvidedLoginName.contains("_")) {
+                    _log.info("The login name provided by AAI contains underscores:"
+                            + aaiProvidedLoginName
+                            + "It needs to be converted to be a Liferay screen name.");
+                    aaiProvidedLoginName = aaiProvidedLoginName.replaceAll("_", "-");
+                    _log.info("Login name is converted to:" + aaiProvidedLoginName);
+                }
+            }
+            else {
+                _log.info("ScreenName transform is disabled.");
+            }
+
+            _log.info("AAI-provided screen name is:" + aaiProvidedLoginName);
+            session.setAttribute(ShibbolethPropsKeys.SHIBBOLETH_LOGIN, aaiProvidedLoginName);
+
+            //get the first of multi-valued email address
+            if (aaiProvidedEmail.contains(";")) {
+                _log.info("The email address string provided by AAI is multi-valued:"
+                        + aaiProvidedEmail
+                        + " Using the first value.");
+                String[] emails = aaiProvidedEmail.split(";");
+                aaiProvidedEmail = emails[0];
+            }
+            _log.info("AAI-provided email is:" + aaiProvidedEmail);
+            session.setAttribute(ShibbolethPropsKeys.SHIBBOLETH_HEADER_EMAIL, aaiProvidedEmail);
+
+            if (Validator.isNull(aaiProvidedFirstname)) {
+                _log.error("No First name provided in: "
+                        + Util.getFirstnameHeaderName(companyId)
+                        + " using a default value instead.");
+                aaiProvidedFirstname = "MissingFirstName";
+            }
+            _log.info("AAI-provided first name is:" + aaiProvidedFirstname);
+            session.setAttribute(ShibbolethPropsKeys.SHIBBOLETH_HEADER_FIRSTNAME, aaiProvidedFirstname);
+
+            if (Validator.isNull(aaiProvidedSurname)) {
+                _log.error("No Surname provided in: "
+                        + Util.getSurnameHeaderName(companyId)
+                        + " using a default value instead.");
+                aaiProvidedSurname = "MissingSurname";
+            }
+            _log.info("AAI-provided Surname is:" + aaiProvidedSurname);
+            session.setAttribute(ShibbolethPropsKeys.SHIBBOLETH_HEADER_SURNAME, aaiProvidedSurname);
+
+            if (Validator.isNull(aaiProvidedAffiliation)) {
+                _log.debug("No affiliation provided");
+                aaiProvidedAffiliation = "";
+            }
+            if (Util.isAffiliationTruncateEnabled(companyId) && aaiProvidedAffiliation.contains(":")) {
+                _log.info("affiliation contains ':' characters: "
+                        + aaiProvidedAffiliation
+                        + " assuming eduPersonEntitlement format");
+                // AAI-provided affiliation is multi-valued
+                if (aaiProvidedAffiliation.contains(";")) {
+                    _log.info("AAI-provided affiliation is multi-valued:"
+                            + aaiProvidedAffiliation
+                            + " Processing each vale");
+                    String[] affiliations = aaiProvidedAffiliation.split(";");
+                    aaiProvidedAffiliation = "";
+
+                    for (int i = 0; i < affiliations.length; i++) {
+                        aaiProvidedAffiliation += affiliations[i];
+                        if (i < affiliations.length - 1) {
+                            aaiProvidedAffiliation += ";";
+                        }
+                    }
+
+                } else {
+                    String[] parts = aaiProvidedAffiliation.split(":");
+                    aaiProvidedAffiliation = parts[parts.length - 1];
+                }
+            }
+            _log.info("AAI-provided affiliation is:" + aaiProvidedAffiliation);
+            session.setAttribute(ShibbolethPropsKeys.SHIBBOLETH_HEADER_AFFILIATION, aaiProvidedAffiliation);
 
             return true;
         } else {
             return false;
         }
     }
 
-    protected void processHeader(String headerName, HttpServletRequest request, String sessionIndex, boolean logError) {
-        HttpSession session = request.getSession();
+    protected String getHeader(String headerName, HttpServletRequest request, boolean headersEnabled) {
         if (Validator.isNull(headerName)) {
-            return;
+            return null;
+        }
+        String headerValue;
+
+        if (headersEnabled) {
+            headerValue = request.getHeader(headerName);
+        } else {
+            headerValue = (String) request.getAttribute(headerName);
         }
-        String headerValue = (String) request.getAttribute(headerName);
 
         _log.info("Header [" + headerName + "]: " + headerValue);
 
-        if (Validator.isNotNull(headerValue)) {
-            session.setAttribute(sessionIndex, headerValue);
-        } else if (logError) {
-            _log.error("Required header [" + headerName + "] not found");
-        }
+        return headerValue;
     }
 
-	private static Log _log = LogFactoryUtil.getLog(ShibbolethFilter.class);
+    private static final Log _log = LogFactoryUtil.getLog(ShibbolethFilter.class);
 
 }
diff --git a/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsKeys.java b/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsKeys.java
@@ -34,4 +34,10 @@ public class ShibbolethPropsKeys {
 
 	public static final String SHIBBOLETH_LOGOUT_URL = "shibboleth.logout.url";
 
+       	public static final String SHIBBOLETH_HEADERS_ENABLE = "shibboleth.headers.enabled";
+
+        public static final String SHIBBOLETH_AFFILIATION_TRUNCATE_ENABLE = "shibboleth.affiliation.truncate.enabled";
+
+        public static final String SHIBBOLETH_SCREENNAME_TRANSFORM_ENABLE = "shibboleth.screenname.transform.enabled";
+
 }
diff --git a/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsValues.java b/src/main/java/com/liferay/portal/shibboleth/util/ShibbolethPropsValues.java
@@ -32,6 +32,12 @@ public class ShibbolethPropsValues {
 
     public static final boolean SHIBBOLETH_LOGOUT_ENABLE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_ENABLE));
 
+    public static final boolean SHIBBOLETH_HEADERS_ENABLE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_HEADERS_ENABLE));
+
+    public static final boolean SHIBBOLETH_AFFILIATION_TRUNCATE_ENABLE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_AFFILIATION_TRUNCATE_ENABLE));
+
+    public static final boolean SHIBBOLETH_SCREENNAME_TRANSFORM_ENABLE = GetterUtil.getBoolean(PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_SCREENNAME_TRANSFORM_ENABLE));
+
     public static final String SHIBBOLETH_LOGOUT_URL = PropsUtil.get(ShibbolethPropsKeys.SHIBBOLETH_LOGOUT_URL);
 
 }
diff --git a/src/main/java/com/liferay/portal/shibboleth/util/Util.java b/src/main/java/com/liferay/portal/shibboleth/util/Util.java
@@ -24,6 +24,22 @@ public static boolean isLogoutEnabled(long companyId) throws Exception {
 				ShibbolethPropsValues.SHIBBOLETH_LOGOUT_ENABLE);
 	}
 
+        public static boolean isHeadersEnabled(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_HEADERS_ENABLE),
+				ShibbolethPropsValues.SHIBBOLETH_HEADERS_ENABLE);
+	}
+
+        public static boolean isAffiliationTruncateEnabled(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_AFFILIATION_TRUNCATE_ENABLE),
+				ShibbolethPropsValues.SHIBBOLETH_AFFILIATION_TRUNCATE_ENABLE);
+	}
+
+        public static boolean isScreenNameTransformEnabled(long companyId) throws Exception {
+		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_SCREENNAME_TRANSFORM_ENABLE),
+				ShibbolethPropsValues.SHIBBOLETH_SCREENNAME_TRANSFORM_ENABLE);
+	}
+
+
 	public static boolean importUser(long companyId) throws Exception {
 		return GetterUtil.get(getValue(companyId, ShibbolethPropsKeys.SHIBBOLETH_USER_LDAP_IMPORT),
 				ShibbolethPropsValues.SHIBBOLETH_USER_LDAP_IMPORT);

diff --git a/src/main/resources/language.properties b/src/main/resources/language.properties
@@ -1,4 +1,7 @@
 shibboleth-logout-enable=Logout enable
+shibboleth-headers-enable=Extract attributes from HTTP Headers instead of environment variables (see: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall , the "AJP_" prefix part)
+shibboleth-affiliation-truncate-enable=Truncate affiliation values and keep only the last segment after ':'. Useful for standard eduPersonEntilement values. ('foo:bar:baz:qux:RoleName' becomes 'RoleName')
+shibboleth-screenname-transform-enable=Transform login ID to make it valid screen name. Replace '@' to '.at.' and '_' to '-'. ('[email protected]' becomes 'foo-bar.at.baz.org')
 import-shibboleth-users-from-ldap=Import from LDAP
 shibboleth-user-header=Shibboleth header name
 shibboleth-user-id-header=Shibboleth user ID header

diff --git a/src/main/resources/portal.properties b/src/main/resources/portal.properties
@@ -9,4 +9,7 @@ shibboleth.user.auto.create=false
 shibboleth.user.auto.update=false
 shibboleth.user.ldap.import=false
 shibboleth.logout.enabled=true
+shibboleth.headers.enabled=false
+shibboleth.affiliation.truncate.enabled=false
+shibboleth.screenname.transform.enabled=false
 shibboleth.logout.url=https://reu6.feld.cvut.cz/Shibboleth.sso/Logout?return=https://reu6.feld.cvut.cz/
diff --git a/src/main/webapp/WEB-INF/jsps/html/portlet/portal_settings/shibbolethconfiguration.jsp b/src/main/webapp/WEB-INF/jsps/html/portlet/portal_settings/shibbolethconfiguration.jsp
@@ -4,6 +4,9 @@
     final String SHIBBOLETH_USER_LDAP_IMPORT = "shibboleth.user.ldap.import";
     final String SHIBBOLETH_LOGOUT_ENABLE = "shibboleth.logout.enabled";
     final String SHIBBOLETH_LOGOUT_URL = "shibboleth.logout.url";
+    final String SHIBBOLETH_HEADERS_ENABLE = "shibboleth.headers.enabled";
+    final String SHIBBOLETH_AFFILIATION_TRUNCATE_ENABLE = "shibboleth.affiliation.truncate.enabled";
+    final String SHIBBOLETH_SCREENNAME_TRANSFORM_ENABLE = "shibboleth.screenname.transform.enabled";
     
     final String SHIBBOLETH_HEADER_EMAIL = "shibboleth.header.email";
     final String SHIBBOLETH_HEADER_FIRSTNAME = "shibboleth.header.firstname";
@@ -19,7 +22,10 @@
     String shibbolethUserLdapImport = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_USER_LDAP_IMPORT, "false");
     String shibbolethLogoutEnabled = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_LOGOUT_ENABLE, "false");
     String shibbolethLogoutUrl = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_LOGOUT_URL, "");
-
+    String shibbolethHeadersEnabled = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADERS_ENABLE, "false");
+    String shibbolethAffiliationTruncateEnabled = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_AFFILIATION_TRUNCATE_ENABLE, "false");
+    String shibbolethScreenNameTransformEnabled = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_SCREENNAME_TRANSFORM_ENABLE, "false");
+    
     String shibbolethHeaderEmail = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_EMAIL, "mail");
     String shibbolethHeaderFirtsname = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_FIRSTNAME, "givenname");
     String shibbolethHeaderSurname = PrefsPropsUtil.getString(company.getCompanyId(), SHIBBOLETH_HEADER_SURNAME, "sn");
@@ -35,6 +41,8 @@
                    value="<%= shibbolethEnabled %>"/>
         <aui:input cssClass="lfr-input-text-container" label="shibboleth-user-id-header"
                    name='<%= "settings--" + SHIBBOLETH_HEADER + "--" %>' type="text" value="<%= shibbolethHeader %>"/>
+        <aui:input label="shibboleth-screenname-transform-enable" name='<%= "settings--" + SHIBBOLETH_SCREENNAME_TRANSFORM_ENABLE + "--" %>'
+                   type="checkbox" value="<%= shibbolethScreenNameTransformEnabled %>"/>
         <aui:input cssClass="lfr-input-text-container" label="shibboleth-user-header-email"
                    name='<%= "settings--" + SHIBBOLETH_HEADER_EMAIL + "--" %>' type="text" value="<%= shibbolethHeaderEmail %>"/>    
         <aui:input cssClass="lfr-input-text-container" label="shibboleth-user-header-firstname"
@@ -43,6 +51,8 @@
                    name='<%= "settings--" + SHIBBOLETH_HEADER_SURNAME + "--" %>' type="text" value="<%= shibbolethHeaderSurname %>"/>    
         <aui:input cssClass="lfr-input-text-container" label="shibboleth-user-header-affiliation"
                    name='<%= "settings--" + SHIBBOLETH_HEADER_AFFILIATION + "--" %>' type="text" value="<%= shibbolethHeaderAffiliation %>"/>        
+        <aui:input label="shibboleth-affiliation-truncate-enable" name='<%= "settings--" + SHIBBOLETH_AFFILIATION_TRUNCATE_ENABLE + "--" %>'
+                   type="checkbox" value="<%= shibbolethAffiliationTruncateEnabled %>"/>
         <aui:input label="auto-create-users"
                    name='<%= "settings--" + SHIBBOLETH_USER_AUTO_CREATE + "--" %>' type="checkbox"
                    value="<%= shibbolethUserAutoCreate %>"/>
@@ -63,6 +73,8 @@
         <aui:input cssClass="lfr-input-text-container" label="logout-url"
                    name='<%= "settings--" + SHIBBOLETH_LOGOUT_URL + "--" %>' type="text"
                    value="<%= shibbolethLogoutUrl %>"/>
+        <aui:input label="shibboleth-headers-enable" name='<%= "settings--" + SHIBBOLETH_HEADERS_ENABLE + "--" %>'
+                   type="checkbox" value="<%= shibbolethHeadersEnabled %>"/>
     </aui:fieldset>
 </liferay-ui:section>