use of cz.metacentrum.perun.core.api.CoreConfig in project perun by CESNET.
the class urn_perun_group_attribute_def_def_uniqueIDTest method setUp.
@Before
public void setUp() throws Exception {
    // The module reads the core config, so install a test instance before
    // anything else touches BeansUtils.
    CoreConfig coreConfig = new CoreConfig();
    coreConfig.setInstanceId("test");
    BeansUtils.setConfig(coreConfig);

    // Module under test plus an attribute built from its own definition.
    classInstance = new urn_perun_group_attribute_def_def_uniqueID();
    attributeToCheck = new Attribute(classInstance.getAttributeDefinition());

    // No real session is needed; a bare mock is enough for these checks.
    sess = mock(PerunSessionImpl.class);
}
use of cz.metacentrum.perun.core.api.CoreConfig in project perun by CESNET.
the class urn_perun_user_attribute_def_def_login_namespace_mu_admTest method setUp.
@Before
public void setUp() throws Exception {
    // Test-local core config so the module does not depend on a deployed one.
    CoreConfig coreConfig = new CoreConfig();
    coreConfig.setInstanceId("test");
    BeansUtils.setConfig(coreConfig);

    // Module under test and the user it will be checked against.
    classInstance = new urn_perun_user_attribute_def_def_login_namespace_mu_adm();
    user = new User();

    // A user attribute in the namespace/name the module is registered for.
    attributeToCheck = new Attribute();
    attributeToCheck.setNamespace(AttributesManager.NS_USER_ATTR_DEF);
    attributeToCheck.setFriendlyName("login-namespace:mu-adm");

    // Mocked session -> PerunBl -> UsersManagerBl -> password manager chain,
    // each level stubbed on the mock it hangs off.
    session = mock(PerunSessionImpl.class);
    PerunBl perunBl = mock(PerunBl.class);
    UsersManagerBl usersManagerBl = mock(UsersManagerBl.class);
    PasswordManagerModule module = mock(GenericPasswordManagerModule.class);
    ModulesUtilsBl modulesUtilsBl = mock(ModulesUtilsBl.class);

    when(session.getPerunBl()).thenReturn(perunBl);
    when(perunBl.getUsersManagerBl()).thenReturn(usersManagerBl);
    when(usersManagerBl.getPasswordManagerModule(session, "mu-adm")).thenReturn(module);
    when(perunBl.getModulesUtilsBl()).thenReturn(modulesUtilsBl);
}
use of cz.metacentrum.perun.core.api.CoreConfig in project perun by CESNET.
the class Api method setupPerunPrincipal.
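/**
 * Builds the {@link PerunPrincipal} for the current request from what the fronting
 * authentication layer left in it. Exactly one source is consulted, in this order:
 * Shibboleth attributes, OIDC claim headers, an {@code EXTSOURCE} request attribute
 * (e.g. Kerberos or Local), and finally a verified client certificate. The certificate
 * check must stay last because Apache fills the {@code SSL_CLIENT_*} attributes whenever
 * a certificate is presented, even when another mechanism authenticated the user.
 *
 * <p>If the caller is listed in {@code rpcPowerusers} and the request body carries
 * {@code DELEGATED_LOGIN}, the login and ext source are replaced by the delegated ones
 * and the collected additional information is discarded.
 *
 * @param req the servlet request carrying the authentication attributes and headers
 * @param des deserializer of the request body, or {@code null}; only used to read the
 *            delegation parameters
 * @return principal with login, ext source name/type, LoA and additional information
 * @throws UserNotExistsException when no source yielded both a login and an ext source name
 * @throws InternalErrorException when OIDC claims are present but the issuer header is
 *         missing or not configured
 */
private static PerunPrincipal setupPerunPrincipal(HttpServletRequest req, Deserializer des) throws UserNotExistsException {
    String extSourceLoaString = null;
    String extLogin = null;
    String extSourceName = null;
    String extSourceType = null;
    Map<String, String> additionalInformations = new HashMap<>();

    String shibIdentityProvider = getStringAttribute(req, SHIB_IDENTITY_PROVIDER);
    String sourceIdpEntityId = getStringAttribute(req, SOURCE_IDP_ENTITY_ID);
    String remoteUser = req.getRemoteUser();
    // Single snapshot of the config for the whole request; used consistently below.
    CoreConfig config = BeansUtils.getCoreConfig();

    if (isNotEmpty(shibIdentityProvider)) {
        // Shib-Identity-Provider present: the user authenticated through identity federation.
        extSourceName = getOriginalIdP(shibIdentityProvider, sourceIdpEntityId);
        extSourceType = ExtSourcesManager.EXTSOURCE_IDP;
        extSourceLoaString = getStringAttribute(req, LOA);
        if (isEmpty(extSourceLoaString)) {
            extSourceLoaString = config.getDefaultLoaIdP();
        }
        // FIXME: find better place where do the operation with attributes from federation
        String eppn = getStringAttribute(req, "eppn");
        if (isNotEmpty(eppn)) {
            // Remove scope from the eppn attribute
            additionalInformations.put("eppnwoscope", StringUtils.substringBefore(eppn, "@"));
        }
        // Store IdP used by user to session, since for IdentityConsolidator and Registrar we need to know,
        // if user logged in through proxy or not - we provide different links etc.
        additionalInformations.put(UsersManagerBl.ORIGIN_IDENTITY_PROVIDER_KEY, shibIdentityProvider);
        // No REMOTE_USER means extLogin stays null and the final check rejects the request.
        if (isNotEmpty(remoteUser)) {
            extLogin = remoteUser;
        }
    } else if (isNotEmpty(req.getHeader(OIDC_CLAIM_SUB))) {
        // OIDC_CLAIM_sub header present: the user authenticated via OAuth2 with MITRE.
        // NOTE(review): unlike the other branches this reads plain request headers; presumably the
        // fronting server sets and strips them - confirm a client cannot supply them directly.
        extLogin = req.getHeader(OIDC_CLAIM_SUB);
        // The issuer -> ext source mapping is configurable, as the OIDC server has the source
        // of the sub claim also configurable.
        String iss = req.getHeader(OIDC_CLAIM_ISS);
        if (iss == null) {
            throw new InternalErrorException("OIDC issuer not send by Authorization Server");
        }
        extSourceName = config.getOidcIssuersExtsourceNames().get(iss);
        extSourceType = config.getOidcIssuersExtsourceTypes().get(iss);
        if (extSourceName == null || extSourceType == null) {
            throw new InternalErrorException("OIDC issuer " + iss + " not configured");
        }
        extSourceLoaString = "-1";
        log.debug("detected OIDC/OAuth2 client for sub={},iss={}", extLogin, iss);
    } else if (req.getAttribute(EXTSOURCE) != null) {
        // EXT_SOURCE was defined in Apache configuration (e.g. Kerberos or Local).
        extSourceName = getStringAttribute(req, EXTSOURCE);
        extSourceType = getStringAttribute(req, EXTSOURCETYPE);
        extSourceLoaString = getStringAttribute(req, EXTSOURCELOA);
        extLogin = getExtLogin(req, extSourceName, remoteUser);
    } else if (Objects.equals(req.getAttribute(SSL_CLIENT_VERIFY), SUCCESS)) {
        // Cert must be last since Apache asks for certificate everytime and fills cert properties
        // even when Kerberos is in place.
        String certDN = getStringAttribute(req, SSL_CLIENT_SUBJECT_DN);
        String caDN = getStringAttribute(req, SSL_CLIENT_ISSUER_DN);
        String wholeCert = getStringAttribute(req, SSL_CLIENT_CERT);
        extSourceName = caDN;
        extSourceType = ExtSourcesManager.EXTSOURCE_X509;
        extSourceLoaString = getStringAttribute(req, EXTSOURCELOA);
        extLogin = certDN;
        storeCertificateInformation(req, certDN, caDN, wholeCert, additionalInformations);
    }

    storeAttributesForUpdate(req, config, extSourceType, additionalInformations);

    // If the RPC was called by a user who can do delegation and delegatedLogin is set,
    // use the values sent in the request instead.
    // NOTE(review): the power-user check matches on extLogin only, not on the ext source it
    // came from, and extSourceLoaString is not replaced, so the delegated principal keeps the
    // delegating user's LoA - confirm both are intended.
    if (des != null && extLogin != null) {
        List<String> powerUsers = config.getRpcPowerusers();
        if (powerUsers.contains(extLogin) && des.contains(DELEGATED_LOGIN)) {
            // Rewrite the remoteUser and extSource
            extLogin = des.readString(DELEGATED_LOGIN);
            extSourceName = des.readString(DELEGATED_EXTSOURCE_NAME);
            extSourceType = des.readString(DELEGATED_EXTSOURCE_TYPE);
            // Clear additionalInformations because they were valid only for the user who can do delegation
            additionalInformations.clear();
        }
    }

    int extSourceLoa = parseExtSourceLoa(extSourceLoaString);

    // Check that some authentication system returned both extLogin and extSourceName
    if (isEmpty(extLogin) || isEmpty(extSourceName)) {
        throw new UserNotExistsException("extLogin or extSourceName is empty");
    }

    log.trace("creating PerunPrincipal(actor={},extSourceName={},extSourceType={},extSourceLoa={},additionalInformations={})", extLogin, extSourceName, extSourceType, extSourceLoa, additionalInformations);
    return new PerunPrincipal(extLogin, extSourceName, extSourceType, extSourceLoa, additionalInformations);
}

/**
 * Fills {@code additionalInformations} with the X.509 data of a certificate-authenticated request:
 * the raw DNs/certificate, the organisation and CN parsed from the subject DN, and the e-mail
 * taken from the certificate's subject alternative names.
 *
 * @param req the servlet request; the certificate chain is read from
 *            {@code javax.servlet.request.X509Certificate}
 * @param certDN subject DN as reported by Apache
 * @param caDN issuer DN as reported by Apache
 * @param wholeCert PEM certificate as reported by Apache
 * @param additionalInformations map to fill; modified in place
 */
private static void storeCertificateInformation(HttpServletRequest req, String certDN, String caDN, String wholeCert,
                                                Map<String, String> additionalInformations) {
    // Store X509 certificate in the additionalInformations structure
    // FIXME: duplicit
    additionalInformations.put("userCertificates", AttributesManagerBlImpl.escapeMapAttributeValue(certDN) + AttributesManagerImpl.KEY_VALUE_DELIMITER + AttributesManagerBlImpl.escapeMapAttributeValue(wholeCert));
    additionalInformations.put("userCertDNs", AttributesManagerBlImpl.escapeMapAttributeValue(certDN) + AttributesManagerImpl.KEY_VALUE_DELIMITER + AttributesManagerBlImpl.escapeMapAttributeValue(caDN));
    additionalInformations.put(SSL_CLIENT_SUBJECT_DN, certDN);
    // Store X509
    additionalInformations.put("dn", certDN);
    additionalInformations.put("cadn", caDN);
    additionalInformations.put("certificate", wholeCert);

    // Organisation from the subject DN (first "O=" component, slash-delimited DN form)
    Matcher organisation = Pattern.compile("[oO]\\s*=\\s*([^/]*)").matcher(certDN);
    if (organisation.find()) {
        additionalInformations.put("o", organisation.group(1));
    }
    // CN from the subject DN
    Matcher commonName = Pattern.compile("CN=([^/]*)").matcher(certDN);
    if (commonName.find()) {
        additionalInformations.put("cn", commonName.group(1));
    }

    // The e-mail is only available when the container exposes the certificate object itself.
    X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
    if (certs != null && certs.length > 0 && certs[0] != null) {
        additionalInformations.put("mail", lastRfc822Name(certs));
    }
}

/**
 * Returns the last rfc822Name (type 1) subject alternative name of {@code certs[0]},
 * or {@code ""} when there is none or the extension cannot be parsed.
 *
 * @param certs non-empty chain whose first element is the client certificate
 * @return e-mail from the SAN extension, or an empty string
 */
private static String lastRfc822Name(X509Certificate[] certs) {
    String emails = "";
    try {
        Collection<List<?>> altNames = certs[0].getSubjectAlternativeNames();
        if (altNames != null) {
            for (List<?> entry : altNames) {
                // GeneralName type 1 is rfc822Name; when several are present the last one wins.
                if (((Integer) entry.get(0)) == 1) {
                    emails = (String) entry.get(1);
                }
            }
        }
    } catch (CertificateParsingException e) {
        // Keep the cause in the log; a bad SAN extension must not fail authentication here.
        log.error("Error during parsing certificate {}", Arrays.asList(certs), e);
    }
    return emails;
}

/**
 * Copies the request attributes configured for update under {@code extSourceType} into
 * {@code additionalInformations}. Values coming from Shibboleth are re-decoded from
 * ISO-8859-1 to UTF-8 because the container hands them over with the wrong charset.
 *
 * @param req the servlet request the attribute values are read from
 * @param config core config providing the per-ext-source attribute list
 * @param extSourceType ext source type selected by the authentication branch; may be {@code null}
 * @param additionalInformations map to fill; modified in place
 */
private static void storeAttributesForUpdate(HttpServletRequest req, CoreConfig config, String extSourceType,
                                             Map<String, String> additionalInformations) {
    for (AttributeDefinition attr : config.getAttributesForUpdate().getOrDefault(extSourceType, Collections.emptyList())) {
        String attrValue = (String) req.getAttribute(attr.getFriendlyName());
        if (attrValue == null) {
            continue;
        }
        // fix shibboleth encoding
        if (ExtSourcesManager.EXTSOURCE_IDP.equals(extSourceType)) {
            attrValue = new String(attrValue.getBytes(StandardCharsets.ISO_8859_1), StandardCharsets.UTF_8);
        }
        log.debug("storing {}={} to additionalInformations", attr.getFriendlyName(), attrValue);
        additionalInformations.put(attr.getFriendlyName(), attrValue);
    }
}

/**
 * Converts the textual LoA to a number; an empty or non-numeric value becomes 0.
 *
 * @param extSourceLoaString LoA as delivered by the authentication layer, may be {@code null}
 * @return the parsed LoA, or 0
 */
private static int parseExtSourceLoa(String extSourceLoaString) {
    if (isEmpty(extSourceLoaString)) {
        return 0;
    }
    try {
        return Integer.parseInt(extSourceLoaString);
    } catch (NumberFormatException ex) {
        // Fall back to the lowest LoA, but leave a trace so misconfiguration is visible.
        log.warn("extSourceLoa '{}' is not a number, using 0", extSourceLoaString);
        return 0;
    }
}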