use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider in project dataverse by IQSS.
the class AuthUtilTest method testIsNonLocalLoginEnabled.
/**
* Test of isNonLocalLoginEnabled method, of class AuthUtil.
*/
@Test
public void testIsNonLocalLoginEnabled() {
System.out.println("isNonLocalLoginEnabled");
AuthUtil authUtil = new AuthUtil();
assertEquals(false, AuthUtil.isNonLocalLoginEnabled(null));
Collection<AuthenticationProvider> shibOnly = new HashSet<>();
shibOnly.add(new ShibAuthenticationProvider());
assertEquals(true, AuthUtil.isNonLocalLoginEnabled(shibOnly));
Collection<AuthenticationProvider> manyNonLocal = new HashSet<>();
manyNonLocal.add(new ShibAuthenticationProvider());
manyNonLocal.add(new GitHubOAuth2AP(null, null));
manyNonLocal.add(new GoogleOAuth2AP(null, null));
manyNonLocal.add(new OrcidOAuth2AP(null, null, null));
assertEquals(true, AuthUtil.isNonLocalLoginEnabled(manyNonLocal));
Collection<AuthenticationProvider> onlyBuiltin = new HashSet<>();
onlyBuiltin.add(new BuiltinAuthenticationProvider(null, null));
// only builtin provider
assertEquals(false, AuthUtil.isNonLocalLoginEnabled(onlyBuiltin));
}
use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider in project dataverse by IQSS.
the class Shib method confirmAndCreateAccount.
public String confirmAndCreateAccount() {
ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
String lookupStringPerAuthProvider = userPersistentId;
AuthenticatedUser au = null;
try {
au = authSvc.createAuthenticatedUser(new UserRecordIdentifier(shibAuthProvider.getId(), lookupStringPerAuthProvider), internalUserIdentifer, displayInfo, true);
} catch (EJBException ex) {
/**
* @todo Show the ConstraintViolationException, if any.
*/
logger.info("Couldn't create user " + userPersistentId + " due to exception: " + ex.getCause());
}
if (au != null) {
logger.fine("created user " + au.getIdentifier());
logInUserAndSetShibAttributes(au);
/**
* @todo Move this to
* AuthenticationServiceBean.createAuthenticatedUser
*/
userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.CREATEACC, null);
return "/dataverseuser.xhtml?selectTab=accountInfo&faces-redirect=true";
} else {
JsfHelper.addErrorMessage("Couldn't create user.");
}
return getPrettyFacesHomePageString(true);
}
use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider in project dataverse by IQSS.
the class Shib method init.
public void init() {
state = State.INIT;
ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
request = (HttpServletRequest) context.getRequest();
ShibUtil.printAttributes(request);
/**
* @todo Investigate why JkEnvVar is null since it may be useful for
* debugging per https://github.com/IQSS/dataverse/issues/2916 . See
* also
* http://stackoverflow.com/questions/30193117/iterate-through-all-servletrequest-attributes#comment49933342_30193117
* and
* http://shibboleth.1660669.n2.nabble.com/Why-doesn-t-Java-s-request-getAttributeNames-show-Shibboleth-attributes-tp7616427p7616591.html
*/
logger.fine("JkEnvVar: " + System.getenv("JkEnvVar"));
shibService.possiblyMutateRequestInDev(request);
try {
shibIdp = getRequiredValueFromAssertion(ShibUtil.shibIdpAttribute);
} catch (Exception ex) {
/**
* @todo is in an antipattern to throw exceptions to control flow?
* http://c2.com/cgi/wiki?DontUseExceptionsForFlowControl
*
* All this exception handling should be handled in the new
* ShibServiceBean so it's consistently handled by the API as well.
*/
return;
}
String shibUserIdentifier;
try {
shibUserIdentifier = getRequiredValueFromAssertion(ShibUtil.uniquePersistentIdentifier);
} catch (Exception ex) {
return;
}
String firstName;
try {
firstName = getRequiredValueFromAssertion(ShibUtil.firstNameAttribute);
} catch (Exception ex) {
return;
}
String lastName;
try {
lastName = getRequiredValueFromAssertion(ShibUtil.lastNameAttribute);
} catch (Exception ex) {
return;
}
ShibUserNameFields shibUserNameFields = ShibUtil.findBestFirstAndLastName(firstName, lastName, null);
if (shibUserNameFields != null) {
String betterFirstName = shibUserNameFields.getFirstName();
if (betterFirstName != null) {
firstName = betterFirstName;
}
String betterLastName = shibUserNameFields.getLastName();
if (betterLastName != null) {
lastName = betterLastName;
}
}
String emailAddressInAssertion = null;
try {
emailAddressInAssertion = getRequiredValueFromAssertion(ShibUtil.emailAttribute);
} catch (Exception ex) {
if (shibIdp.equals(ShibUtil.testShibIdpEntityId)) {
logger.info("For " + shibIdp + " (which as of this writing doesn't provide the " + ShibUtil.emailAttribute + " attribute) setting email address to value of eppn: " + shibUserIdentifier);
emailAddressInAssertion = shibUserIdentifier;
} else {
// forcing all other IdPs to send us an an email
return;
}
}
if (!EMailValidator.isEmailValid(emailAddressInAssertion, null)) {
String msg = "The SAML assertion contained an invalid email address: \"" + emailAddressInAssertion + "\".";
logger.info(msg);
String singleEmailAddress = ShibUtil.findSingleValue(emailAddressInAssertion);
if (EMailValidator.isEmailValid(singleEmailAddress, null)) {
msg = "Multiple email addresses were asserted by the Identity Provider (" + emailAddressInAssertion + " ). These were sorted and the first was chosen: " + singleEmailAddress;
logger.info(msg);
emailAddress = singleEmailAddress;
} else {
msg += " A single valid address could not be found.";
FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, identityProviderProblem, msg));
return;
}
} else {
emailAddress = emailAddressInAssertion;
}
String usernameAssertion = getValueFromAssertion(ShibUtil.usernameAttribute);
internalUserIdentifer = ShibUtil.generateFriendlyLookingUserIdentifer(usernameAssertion, emailAddress);
logger.fine("friendly looking identifer (backend will enforce uniqueness):" + internalUserIdentifer);
String affiliation = shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType());
if (affiliation != null) {
affiliationToDisplayAtConfirmation = affiliation;
friendlyNameForInstitution = affiliation;
}
// emailAddress = "willFailBeanValidation"; // for testing createAuthenticatedUser exceptions
displayInfo = new AuthenticatedUserDisplayInfo(firstName, lastName, emailAddress, affiliation, null);
userPersistentId = shibIdp + persistentUserIdSeparator + shibUserIdentifier;
ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
AuthenticatedUser au = authSvc.lookupUser(shibAuthProvider.getId(), userPersistentId);
if (au != null) {
state = State.REGULAR_LOGIN_INTO_EXISTING_SHIB_ACCOUNT;
logger.fine("Found user based on " + userPersistentId + ". Logging in.");
logger.fine("Updating display info for " + au.getName());
authSvc.updateAuthenticatedUser(au, displayInfo);
logInUserAndSetShibAttributes(au);
String prettyFacesHomePageString = getPrettyFacesHomePageString(false);
try {
FacesContext.getCurrentInstance().getExternalContext().redirect(prettyFacesHomePageString);
} catch (IOException ex) {
logger.info("Unable to redirect user to homepage at " + prettyFacesHomePageString);
}
} else {
state = State.PROMPT_TO_CREATE_NEW_ACCOUNT;
displayNameToPersist = displayInfo.getTitle();
emailToPersist = emailAddress;
/**
* @todo for Harvard we plan to use the value(s) from
* eduPersonScopedAffiliation which
* http://iam.harvard.edu/resources/saml-shibboleth-attributes says
* can be One or more of the following values: faculty, staff,
* student, affiliate, and member.
*
* http://dataverse.nl plans to use
* urn:mace:dir:attribute-def:eduPersonAffiliation per
* http://irclog.iq.harvard.edu/dataverse/2015-02-13#i_16265 . Can
* they configure shibd to map eduPersonAffiliation to
* eduPersonScopedAffiliation?
*/
// positionToPersist = "FIXME";
logger.fine("Couldn't find authenticated user based on " + userPersistentId);
visibleTermsOfUse = true;
/**
* Using the email address from the IdP, try to find an existing
* user. For TestShib we convert the "eppn" to an email address.
*
* If found, prompt for password and offer to convert.
*
* If not found, create a new account. It must be a new user.
*/
String emailAddressToLookUp = emailAddress;
if (existingEmail != null) {
emailAddressToLookUp = existingEmail;
}
AuthenticatedUser existingAuthUserFoundByEmail = shibService.findAuthUserByEmail(emailAddressToLookUp);
BuiltinUser existingBuiltInUserFoundByEmail = null;
if (existingAuthUserFoundByEmail != null) {
existingDisplayName = existingAuthUserFoundByEmail.getName();
existingBuiltInUserFoundByEmail = shibService.findBuiltInUserByAuthUserIdentifier(existingAuthUserFoundByEmail.getUserIdentifier());
if (existingBuiltInUserFoundByEmail != null) {
state = State.PROMPT_TO_CONVERT_EXISTING_ACCOUNT;
existingDisplayName = existingBuiltInUserFoundByEmail.getDisplayName();
debugSummary = "getting username from the builtin user we looked up via email";
builtinUsername = existingBuiltInUserFoundByEmail.getUserName();
} else {
debugSummary = "Could not find a builtin account based on the username. Here we should simply create a new Shibboleth user";
}
} else {
debugSummary = "Could not find an auth user based on email address";
}
}
logger.fine("Debug summary: " + debugSummary + " (state: " + state + ").");
logger.fine("redirectPage: " + redirectPage);
}
use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider in project dataverse by IQSS.
the class Shib method confirmAndConvertAccount.
public String confirmAndConvertAccount() {
visibleTermsOfUse = false;
ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
String lookupStringPerAuthProvider = userPersistentId;
UserIdentifier userIdentifier = new UserIdentifier(lookupStringPerAuthProvider, internalUserIdentifer);
logger.fine("builtin username: " + builtinUsername);
AuthenticatedUser builtInUserToConvert = authSvc.canLogInAsBuiltinUser(builtinUsername, builtinPassword);
if (builtInUserToConvert != null) {
AuthenticatedUser au = authSvc.convertBuiltInToShib(builtInUserToConvert, shibAuthProvider.getId(), userIdentifier);
if (au != null) {
authSvc.updateAuthenticatedUser(au, displayInfo);
logInUserAndSetShibAttributes(au);
debugSummary = "Local account validated and successfully converted to a Shibboleth account. The old account username was " + builtinUsername;
JsfHelper.addSuccessMessage("Your Dataverse account is now associated with your institutional account.");
return "/dataverseuser.xhtml?selectTab=accountInfo&faces-redirect=true";
} else {
debugSummary = "Local account validated but unable to convert to Shibboleth account.";
}
} else {
passwordRejected = true;
debugSummary = "Username/password combination for local account was invalid";
}
return null;
}
Aggregations