Search in sources :

Example 1 with ShibAuthenticationProvider

use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider in project dataverse by IQSS.

the class AuthUtilTest method testIsNonLocalLoginEnabled.

/**
 * Test of isNonLocalLoginEnabled method, of class AuthUtil.
 */
@Test
public void testIsNonLocalLoginEnabled() {
    System.out.println("isNonLocalLoginEnabled");
    AuthUtil authUtil = new AuthUtil();
    assertEquals(false, AuthUtil.isNonLocalLoginEnabled(null));
    Collection<AuthenticationProvider> shibOnly = new HashSet<>();
    shibOnly.add(new ShibAuthenticationProvider());
    assertEquals(true, AuthUtil.isNonLocalLoginEnabled(shibOnly));
    Collection<AuthenticationProvider> manyNonLocal = new HashSet<>();
    manyNonLocal.add(new ShibAuthenticationProvider());
    manyNonLocal.add(new GitHubOAuth2AP(null, null));
    manyNonLocal.add(new GoogleOAuth2AP(null, null));
    manyNonLocal.add(new OrcidOAuth2AP(null, null, null));
    assertEquals(true, AuthUtil.isNonLocalLoginEnabled(manyNonLocal));
    Collection<AuthenticationProvider> onlyBuiltin = new HashSet<>();
    onlyBuiltin.add(new BuiltinAuthenticationProvider(null, null));
    // only builtin provider
    assertEquals(false, AuthUtil.isNonLocalLoginEnabled(onlyBuiltin));
}
Also used : ShibAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider) GoogleOAuth2AP(edu.harvard.iq.dataverse.authorization.providers.oauth2.impl.GoogleOAuth2AP) OrcidOAuth2AP(edu.harvard.iq.dataverse.authorization.providers.oauth2.impl.OrcidOAuth2AP) BuiltinAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinAuthenticationProvider) ShibAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider) BuiltinAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinAuthenticationProvider) GitHubOAuth2AP(edu.harvard.iq.dataverse.authorization.providers.oauth2.impl.GitHubOAuth2AP) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 2 with ShibAuthenticationProvider

use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider in project dataverse by IQSS.

the class Shib method confirmAndCreateAccount.

public String confirmAndCreateAccount() {
    ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
    String lookupStringPerAuthProvider = userPersistentId;
    AuthenticatedUser au = null;
    try {
        au = authSvc.createAuthenticatedUser(new UserRecordIdentifier(shibAuthProvider.getId(), lookupStringPerAuthProvider), internalUserIdentifer, displayInfo, true);
    } catch (EJBException ex) {
        /**
         * @todo Show the ConstraintViolationException, if any.
         */
        logger.info("Couldn't create user " + userPersistentId + " due to exception: " + ex.getCause());
    }
    if (au != null) {
        logger.fine("created user " + au.getIdentifier());
        logInUserAndSetShibAttributes(au);
        /**
         * @todo Move this to
         * AuthenticationServiceBean.createAuthenticatedUser
         */
        userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.CREATEACC, null);
        return "/dataverseuser.xhtml?selectTab=accountInfo&faces-redirect=true";
    } else {
        JsfHelper.addErrorMessage("Couldn't create user.");
    }
    return getPrettyFacesHomePageString(true);
}
Also used : ShibAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider) UserRecordIdentifier(edu.harvard.iq.dataverse.authorization.UserRecordIdentifier) EJBException(javax.ejb.EJBException) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) Timestamp(java.sql.Timestamp) Date(java.util.Date)

Example 3 with ShibAuthenticationProvider

use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider in project dataverse by IQSS.

the class Shib method init.

public void init() {
    state = State.INIT;
    ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
    request = (HttpServletRequest) context.getRequest();
    ShibUtil.printAttributes(request);
    /**
     * @todo Investigate why JkEnvVar is null since it may be useful for
     * debugging per https://github.com/IQSS/dataverse/issues/2916 . See
     * also
     * http://stackoverflow.com/questions/30193117/iterate-through-all-servletrequest-attributes#comment49933342_30193117
     * and
     * http://shibboleth.1660669.n2.nabble.com/Why-doesn-t-Java-s-request-getAttributeNames-show-Shibboleth-attributes-tp7616427p7616591.html
     */
    logger.fine("JkEnvVar: " + System.getenv("JkEnvVar"));
    shibService.possiblyMutateRequestInDev(request);
    try {
        shibIdp = getRequiredValueFromAssertion(ShibUtil.shibIdpAttribute);
    } catch (Exception ex) {
        /**
         * @todo is in an antipattern to throw exceptions to control flow?
         * http://c2.com/cgi/wiki?DontUseExceptionsForFlowControl
         *
         * All this exception handling should be handled in the new
         * ShibServiceBean so it's consistently handled by the API as well.
         */
        return;
    }
    String shibUserIdentifier;
    try {
        shibUserIdentifier = getRequiredValueFromAssertion(ShibUtil.uniquePersistentIdentifier);
    } catch (Exception ex) {
        return;
    }
    String firstName;
    try {
        firstName = getRequiredValueFromAssertion(ShibUtil.firstNameAttribute);
    } catch (Exception ex) {
        return;
    }
    String lastName;
    try {
        lastName = getRequiredValueFromAssertion(ShibUtil.lastNameAttribute);
    } catch (Exception ex) {
        return;
    }
    ShibUserNameFields shibUserNameFields = ShibUtil.findBestFirstAndLastName(firstName, lastName, null);
    if (shibUserNameFields != null) {
        String betterFirstName = shibUserNameFields.getFirstName();
        if (betterFirstName != null) {
            firstName = betterFirstName;
        }
        String betterLastName = shibUserNameFields.getLastName();
        if (betterLastName != null) {
            lastName = betterLastName;
        }
    }
    String emailAddressInAssertion = null;
    try {
        emailAddressInAssertion = getRequiredValueFromAssertion(ShibUtil.emailAttribute);
    } catch (Exception ex) {
        if (shibIdp.equals(ShibUtil.testShibIdpEntityId)) {
            logger.info("For " + shibIdp + " (which as of this writing doesn't provide the " + ShibUtil.emailAttribute + " attribute) setting email address to value of eppn: " + shibUserIdentifier);
            emailAddressInAssertion = shibUserIdentifier;
        } else {
            // forcing all other IdPs to send us an an email
            return;
        }
    }
    if (!EMailValidator.isEmailValid(emailAddressInAssertion, null)) {
        String msg = "The SAML assertion contained an invalid email address: \"" + emailAddressInAssertion + "\".";
        logger.info(msg);
        String singleEmailAddress = ShibUtil.findSingleValue(emailAddressInAssertion);
        if (EMailValidator.isEmailValid(singleEmailAddress, null)) {
            msg = "Multiple email addresses were asserted by the Identity Provider (" + emailAddressInAssertion + " ). These were sorted and the first was chosen: " + singleEmailAddress;
            logger.info(msg);
            emailAddress = singleEmailAddress;
        } else {
            msg += " A single valid address could not be found.";
            FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, identityProviderProblem, msg));
            return;
        }
    } else {
        emailAddress = emailAddressInAssertion;
    }
    String usernameAssertion = getValueFromAssertion(ShibUtil.usernameAttribute);
    internalUserIdentifer = ShibUtil.generateFriendlyLookingUserIdentifer(usernameAssertion, emailAddress);
    logger.fine("friendly looking identifer (backend will enforce uniqueness):" + internalUserIdentifer);
    String affiliation = shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType());
    if (affiliation != null) {
        affiliationToDisplayAtConfirmation = affiliation;
        friendlyNameForInstitution = affiliation;
    }
    // emailAddress = "willFailBeanValidation"; // for testing createAuthenticatedUser exceptions
    displayInfo = new AuthenticatedUserDisplayInfo(firstName, lastName, emailAddress, affiliation, null);
    userPersistentId = shibIdp + persistentUserIdSeparator + shibUserIdentifier;
    ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
    AuthenticatedUser au = authSvc.lookupUser(shibAuthProvider.getId(), userPersistentId);
    if (au != null) {
        state = State.REGULAR_LOGIN_INTO_EXISTING_SHIB_ACCOUNT;
        logger.fine("Found user based on " + userPersistentId + ". Logging in.");
        logger.fine("Updating display info for " + au.getName());
        authSvc.updateAuthenticatedUser(au, displayInfo);
        logInUserAndSetShibAttributes(au);
        String prettyFacesHomePageString = getPrettyFacesHomePageString(false);
        try {
            FacesContext.getCurrentInstance().getExternalContext().redirect(prettyFacesHomePageString);
        } catch (IOException ex) {
            logger.info("Unable to redirect user to homepage at " + prettyFacesHomePageString);
        }
    } else {
        state = State.PROMPT_TO_CREATE_NEW_ACCOUNT;
        displayNameToPersist = displayInfo.getTitle();
        emailToPersist = emailAddress;
        /**
         * @todo for Harvard we plan to use the value(s) from
         * eduPersonScopedAffiliation which
         * http://iam.harvard.edu/resources/saml-shibboleth-attributes says
         * can be One or more of the following values: faculty, staff,
         * student, affiliate, and member.
         *
         * http://dataverse.nl plans to use
         * urn:mace:dir:attribute-def:eduPersonAffiliation per
         * http://irclog.iq.harvard.edu/dataverse/2015-02-13#i_16265 . Can
         * they configure shibd to map eduPersonAffiliation to
         * eduPersonScopedAffiliation?
         */
        // positionToPersist = "FIXME";
        logger.fine("Couldn't find authenticated user based on " + userPersistentId);
        visibleTermsOfUse = true;
        /**
         * Using the email address from the IdP, try to find an existing
         * user. For TestShib we convert the "eppn" to an email address.
         *
         * If found, prompt for password and offer to convert.
         *
         * If not found, create a new account. It must be a new user.
         */
        String emailAddressToLookUp = emailAddress;
        if (existingEmail != null) {
            emailAddressToLookUp = existingEmail;
        }
        AuthenticatedUser existingAuthUserFoundByEmail = shibService.findAuthUserByEmail(emailAddressToLookUp);
        BuiltinUser existingBuiltInUserFoundByEmail = null;
        if (existingAuthUserFoundByEmail != null) {
            existingDisplayName = existingAuthUserFoundByEmail.getName();
            existingBuiltInUserFoundByEmail = shibService.findBuiltInUserByAuthUserIdentifier(existingAuthUserFoundByEmail.getUserIdentifier());
            if (existingBuiltInUserFoundByEmail != null) {
                state = State.PROMPT_TO_CONVERT_EXISTING_ACCOUNT;
                existingDisplayName = existingBuiltInUserFoundByEmail.getDisplayName();
                debugSummary = "getting username from the builtin user we looked up via email";
                builtinUsername = existingBuiltInUserFoundByEmail.getUserName();
            } else {
                debugSummary = "Could not find a builtin account based on the username. Here we should simply create a new Shibboleth user";
            }
        } else {
            debugSummary = "Could not find an auth user based on email address";
        }
    }
    logger.fine("Debug summary: " + debugSummary + " (state: " + state + ").");
    logger.fine("redirectPage: " + redirectPage);
}
Also used : ShibUserNameFields(edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields) AuthenticatedUserDisplayInfo(edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo) ShibAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider) BuiltinUser(edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUser) ExternalContext(javax.faces.context.ExternalContext) IOException(java.io.IOException) FacesMessage(javax.faces.application.FacesMessage) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) IOException(java.io.IOException) EJBException(javax.ejb.EJBException)

Example 4 with ShibAuthenticationProvider

use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider in project dataverse by IQSS.

the class Shib method confirmAndConvertAccount.

public String confirmAndConvertAccount() {
    visibleTermsOfUse = false;
    ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
    String lookupStringPerAuthProvider = userPersistentId;
    UserIdentifier userIdentifier = new UserIdentifier(lookupStringPerAuthProvider, internalUserIdentifer);
    logger.fine("builtin username: " + builtinUsername);
    AuthenticatedUser builtInUserToConvert = authSvc.canLogInAsBuiltinUser(builtinUsername, builtinPassword);
    if (builtInUserToConvert != null) {
        AuthenticatedUser au = authSvc.convertBuiltInToShib(builtInUserToConvert, shibAuthProvider.getId(), userIdentifier);
        if (au != null) {
            authSvc.updateAuthenticatedUser(au, displayInfo);
            logInUserAndSetShibAttributes(au);
            debugSummary = "Local account validated and successfully converted to a Shibboleth account. The old account username was " + builtinUsername;
            JsfHelper.addSuccessMessage("Your Dataverse account is now associated with your institutional account.");
            return "/dataverseuser.xhtml?selectTab=accountInfo&faces-redirect=true";
        } else {
            debugSummary = "Local account validated but unable to convert to Shibboleth account.";
        }
    } else {
        passwordRejected = true;
        debugSummary = "Username/password combination for local account was invalid";
    }
    return null;
}
Also used : ShibAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider) UserIdentifier(edu.harvard.iq.dataverse.authorization.UserIdentifier) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)

Aggregations

ShibAuthenticationProvider (edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider)4 AuthenticatedUser (edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)3 EJBException (javax.ejb.EJBException)2 AuthenticatedUserDisplayInfo (edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo)1 UserIdentifier (edu.harvard.iq.dataverse.authorization.UserIdentifier)1 UserRecordIdentifier (edu.harvard.iq.dataverse.authorization.UserRecordIdentifier)1 BuiltinAuthenticationProvider (edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinAuthenticationProvider)1 BuiltinUser (edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUser)1 GitHubOAuth2AP (edu.harvard.iq.dataverse.authorization.providers.oauth2.impl.GitHubOAuth2AP)1 GoogleOAuth2AP (edu.harvard.iq.dataverse.authorization.providers.oauth2.impl.GoogleOAuth2AP)1 OrcidOAuth2AP (edu.harvard.iq.dataverse.authorization.providers.oauth2.impl.OrcidOAuth2AP)1 ShibUserNameFields (edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields)1 IOException (java.io.IOException)1 Timestamp (java.sql.Timestamp)1 Date (java.util.Date)1 HashSet (java.util.HashSet)1 FacesMessage (javax.faces.application.FacesMessage)1 ExternalContext (javax.faces.context.ExternalContext)1 Test (org.junit.Test)1