use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields in project dataverse by IQSS.
the class GitHubOAuth2AP method parseUserResponse.
@Override
protected ParsedUserResponse parseUserResponse(String responseBody) {
try (StringReader rdr = new StringReader(responseBody);
JsonReader jrdr = Json.createReader(rdr)) {
JsonObject response = jrdr.readObject();
// Github has no concept of a family name
ShibUserNameFields shibUserNameFields = ShibUtil.findBestFirstAndLastName(null, null, response.getString("name", ""));
AuthenticatedUserDisplayInfo displayInfo = new AuthenticatedUserDisplayInfo(shibUserNameFields.getFirstName(), shibUserNameFields.getLastName(), response.getString("email", ""), response.getString("company", ""), "");
Integer persistentUserId = response.getInt("id");
String username = response.getString("login");
return new ParsedUserResponse(displayInfo, persistentUserId.toString(), username, displayInfo.getEmailAddress().length() > 0 ? Collections.singletonList(displayInfo.getEmailAddress()) : Collections.emptyList());
}
}
use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields in project dataverse by IQSS.
the class Shib method init.
public void init() {
state = State.INIT;
ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
request = (HttpServletRequest) context.getRequest();
ShibUtil.printAttributes(request);
/**
* @todo Investigate why JkEnvVar is null since it may be useful for
* debugging per https://github.com/IQSS/dataverse/issues/2916 . See
* also
* http://stackoverflow.com/questions/30193117/iterate-through-all-servletrequest-attributes#comment49933342_30193117
* and
* http://shibboleth.1660669.n2.nabble.com/Why-doesn-t-Java-s-request-getAttributeNames-show-Shibboleth-attributes-tp7616427p7616591.html
*/
logger.fine("JkEnvVar: " + System.getenv("JkEnvVar"));
shibService.possiblyMutateRequestInDev(request);
try {
shibIdp = getRequiredValueFromAssertion(ShibUtil.shibIdpAttribute);
} catch (Exception ex) {
/**
* @todo is in an antipattern to throw exceptions to control flow?
* http://c2.com/cgi/wiki?DontUseExceptionsForFlowControl
*
* All this exception handling should be handled in the new
* ShibServiceBean so it's consistently handled by the API as well.
*/
return;
}
String shibUserIdentifier;
try {
shibUserIdentifier = getRequiredValueFromAssertion(ShibUtil.uniquePersistentIdentifier);
} catch (Exception ex) {
return;
}
String firstName;
try {
firstName = getRequiredValueFromAssertion(ShibUtil.firstNameAttribute);
} catch (Exception ex) {
return;
}
String lastName;
try {
lastName = getRequiredValueFromAssertion(ShibUtil.lastNameAttribute);
} catch (Exception ex) {
return;
}
ShibUserNameFields shibUserNameFields = ShibUtil.findBestFirstAndLastName(firstName, lastName, null);
if (shibUserNameFields != null) {
String betterFirstName = shibUserNameFields.getFirstName();
if (betterFirstName != null) {
firstName = betterFirstName;
}
String betterLastName = shibUserNameFields.getLastName();
if (betterLastName != null) {
lastName = betterLastName;
}
}
String emailAddressInAssertion = null;
try {
emailAddressInAssertion = getRequiredValueFromAssertion(ShibUtil.emailAttribute);
} catch (Exception ex) {
if (shibIdp.equals(ShibUtil.testShibIdpEntityId)) {
logger.info("For " + shibIdp + " (which as of this writing doesn't provide the " + ShibUtil.emailAttribute + " attribute) setting email address to value of eppn: " + shibUserIdentifier);
emailAddressInAssertion = shibUserIdentifier;
} else {
// forcing all other IdPs to send us an an email
return;
}
}
if (!EMailValidator.isEmailValid(emailAddressInAssertion, null)) {
String msg = "The SAML assertion contained an invalid email address: \"" + emailAddressInAssertion + "\".";
logger.info(msg);
String singleEmailAddress = ShibUtil.findSingleValue(emailAddressInAssertion);
if (EMailValidator.isEmailValid(singleEmailAddress, null)) {
msg = "Multiple email addresses were asserted by the Identity Provider (" + emailAddressInAssertion + " ). These were sorted and the first was chosen: " + singleEmailAddress;
logger.info(msg);
emailAddress = singleEmailAddress;
} else {
msg += " A single valid address could not be found.";
FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, identityProviderProblem, msg));
return;
}
} else {
emailAddress = emailAddressInAssertion;
}
String usernameAssertion = getValueFromAssertion(ShibUtil.usernameAttribute);
internalUserIdentifer = ShibUtil.generateFriendlyLookingUserIdentifer(usernameAssertion, emailAddress);
logger.fine("friendly looking identifer (backend will enforce uniqueness):" + internalUserIdentifer);
String affiliation = shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType());
if (affiliation != null) {
affiliationToDisplayAtConfirmation = affiliation;
friendlyNameForInstitution = affiliation;
}
// emailAddress = "willFailBeanValidation"; // for testing createAuthenticatedUser exceptions
displayInfo = new AuthenticatedUserDisplayInfo(firstName, lastName, emailAddress, affiliation, null);
userPersistentId = shibIdp + persistentUserIdSeparator + shibUserIdentifier;
ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
AuthenticatedUser au = authSvc.lookupUser(shibAuthProvider.getId(), userPersistentId);
if (au != null) {
state = State.REGULAR_LOGIN_INTO_EXISTING_SHIB_ACCOUNT;
logger.fine("Found user based on " + userPersistentId + ". Logging in.");
logger.fine("Updating display info for " + au.getName());
authSvc.updateAuthenticatedUser(au, displayInfo);
logInUserAndSetShibAttributes(au);
String prettyFacesHomePageString = getPrettyFacesHomePageString(false);
try {
FacesContext.getCurrentInstance().getExternalContext().redirect(prettyFacesHomePageString);
} catch (IOException ex) {
logger.info("Unable to redirect user to homepage at " + prettyFacesHomePageString);
}
} else {
state = State.PROMPT_TO_CREATE_NEW_ACCOUNT;
displayNameToPersist = displayInfo.getTitle();
emailToPersist = emailAddress;
/**
* @todo for Harvard we plan to use the value(s) from
* eduPersonScopedAffiliation which
* http://iam.harvard.edu/resources/saml-shibboleth-attributes says
* can be One or more of the following values: faculty, staff,
* student, affiliate, and member.
*
* http://dataverse.nl plans to use
* urn:mace:dir:attribute-def:eduPersonAffiliation per
* http://irclog.iq.harvard.edu/dataverse/2015-02-13#i_16265 . Can
* they configure shibd to map eduPersonAffiliation to
* eduPersonScopedAffiliation?
*/
// positionToPersist = "FIXME";
logger.fine("Couldn't find authenticated user based on " + userPersistentId);
visibleTermsOfUse = true;
/**
* Using the email address from the IdP, try to find an existing
* user. For TestShib we convert the "eppn" to an email address.
*
* If found, prompt for password and offer to convert.
*
* If not found, create a new account. It must be a new user.
*/
String emailAddressToLookUp = emailAddress;
if (existingEmail != null) {
emailAddressToLookUp = existingEmail;
}
AuthenticatedUser existingAuthUserFoundByEmail = shibService.findAuthUserByEmail(emailAddressToLookUp);
BuiltinUser existingBuiltInUserFoundByEmail = null;
if (existingAuthUserFoundByEmail != null) {
existingDisplayName = existingAuthUserFoundByEmail.getName();
existingBuiltInUserFoundByEmail = shibService.findBuiltInUserByAuthUserIdentifier(existingAuthUserFoundByEmail.getUserIdentifier());
if (existingBuiltInUserFoundByEmail != null) {
state = State.PROMPT_TO_CONVERT_EXISTING_ACCOUNT;
existingDisplayName = existingBuiltInUserFoundByEmail.getDisplayName();
debugSummary = "getting username from the builtin user we looked up via email";
builtinUsername = existingBuiltInUserFoundByEmail.getUserName();
} else {
debugSummary = "Could not find a builtin account based on the username. Here we should simply create a new Shibboleth user";
}
} else {
debugSummary = "Could not find an auth user based on email address";
}
}
logger.fine("Debug summary: " + debugSummary + " (state: " + state + ").");
logger.fine("redirectPage: " + redirectPage);
}
Aggregations