Search in sources :

Example 1 with ShibUserNameFields

use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields in project dataverse by IQSS.

the class GitHubOAuth2AP method parseUserResponse.

@Override
protected ParsedUserResponse parseUserResponse(String responseBody) {
    try (StringReader rdr = new StringReader(responseBody);
        JsonReader jrdr = Json.createReader(rdr)) {
        JsonObject response = jrdr.readObject();
        // Github has no concept of a family name
        ShibUserNameFields shibUserNameFields = ShibUtil.findBestFirstAndLastName(null, null, response.getString("name", ""));
        AuthenticatedUserDisplayInfo displayInfo = new AuthenticatedUserDisplayInfo(shibUserNameFields.getFirstName(), shibUserNameFields.getLastName(), response.getString("email", ""), response.getString("company", ""), "");
        Integer persistentUserId = response.getInt("id");
        String username = response.getString("login");
        return new ParsedUserResponse(displayInfo, persistentUserId.toString(), username, displayInfo.getEmailAddress().length() > 0 ? Collections.singletonList(displayInfo.getEmailAddress()) : Collections.emptyList());
    }
}
Also used : ShibUserNameFields(edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields) AuthenticatedUserDisplayInfo(edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo) StringReader(java.io.StringReader) JsonReader(javax.json.JsonReader) JsonObject(javax.json.JsonObject)

Example 2 with ShibUserNameFields

use of edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields in project dataverse by IQSS.

the class Shib method init.

public void init() {
    state = State.INIT;
    ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
    request = (HttpServletRequest) context.getRequest();
    ShibUtil.printAttributes(request);
    /**
     * @todo Investigate why JkEnvVar is null since it may be useful for
     * debugging per https://github.com/IQSS/dataverse/issues/2916 . See
     * also
     * http://stackoverflow.com/questions/30193117/iterate-through-all-servletrequest-attributes#comment49933342_30193117
     * and
     * http://shibboleth.1660669.n2.nabble.com/Why-doesn-t-Java-s-request-getAttributeNames-show-Shibboleth-attributes-tp7616427p7616591.html
     */
    logger.fine("JkEnvVar: " + System.getenv("JkEnvVar"));
    shibService.possiblyMutateRequestInDev(request);
    try {
        shibIdp = getRequiredValueFromAssertion(ShibUtil.shibIdpAttribute);
    } catch (Exception ex) {
        /**
         * @todo is in an antipattern to throw exceptions to control flow?
         * http://c2.com/cgi/wiki?DontUseExceptionsForFlowControl
         *
         * All this exception handling should be handled in the new
         * ShibServiceBean so it's consistently handled by the API as well.
         */
        return;
    }
    String shibUserIdentifier;
    try {
        shibUserIdentifier = getRequiredValueFromAssertion(ShibUtil.uniquePersistentIdentifier);
    } catch (Exception ex) {
        return;
    }
    String firstName;
    try {
        firstName = getRequiredValueFromAssertion(ShibUtil.firstNameAttribute);
    } catch (Exception ex) {
        return;
    }
    String lastName;
    try {
        lastName = getRequiredValueFromAssertion(ShibUtil.lastNameAttribute);
    } catch (Exception ex) {
        return;
    }
    ShibUserNameFields shibUserNameFields = ShibUtil.findBestFirstAndLastName(firstName, lastName, null);
    if (shibUserNameFields != null) {
        String betterFirstName = shibUserNameFields.getFirstName();
        if (betterFirstName != null) {
            firstName = betterFirstName;
        }
        String betterLastName = shibUserNameFields.getLastName();
        if (betterLastName != null) {
            lastName = betterLastName;
        }
    }
    String emailAddressInAssertion = null;
    try {
        emailAddressInAssertion = getRequiredValueFromAssertion(ShibUtil.emailAttribute);
    } catch (Exception ex) {
        if (shibIdp.equals(ShibUtil.testShibIdpEntityId)) {
            logger.info("For " + shibIdp + " (which as of this writing doesn't provide the " + ShibUtil.emailAttribute + " attribute) setting email address to value of eppn: " + shibUserIdentifier);
            emailAddressInAssertion = shibUserIdentifier;
        } else {
            // forcing all other IdPs to send us an an email
            return;
        }
    }
    if (!EMailValidator.isEmailValid(emailAddressInAssertion, null)) {
        String msg = "The SAML assertion contained an invalid email address: \"" + emailAddressInAssertion + "\".";
        logger.info(msg);
        String singleEmailAddress = ShibUtil.findSingleValue(emailAddressInAssertion);
        if (EMailValidator.isEmailValid(singleEmailAddress, null)) {
            msg = "Multiple email addresses were asserted by the Identity Provider (" + emailAddressInAssertion + " ). These were sorted and the first was chosen: " + singleEmailAddress;
            logger.info(msg);
            emailAddress = singleEmailAddress;
        } else {
            msg += " A single valid address could not be found.";
            FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, identityProviderProblem, msg));
            return;
        }
    } else {
        emailAddress = emailAddressInAssertion;
    }
    String usernameAssertion = getValueFromAssertion(ShibUtil.usernameAttribute);
    internalUserIdentifer = ShibUtil.generateFriendlyLookingUserIdentifer(usernameAssertion, emailAddress);
    logger.fine("friendly looking identifer (backend will enforce uniqueness):" + internalUserIdentifer);
    String affiliation = shibService.getAffiliation(shibIdp, shibService.getDevShibAccountType());
    if (affiliation != null) {
        affiliationToDisplayAtConfirmation = affiliation;
        friendlyNameForInstitution = affiliation;
    }
    // emailAddress = "willFailBeanValidation"; // for testing createAuthenticatedUser exceptions
    displayInfo = new AuthenticatedUserDisplayInfo(firstName, lastName, emailAddress, affiliation, null);
    userPersistentId = shibIdp + persistentUserIdSeparator + shibUserIdentifier;
    ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
    AuthenticatedUser au = authSvc.lookupUser(shibAuthProvider.getId(), userPersistentId);
    if (au != null) {
        state = State.REGULAR_LOGIN_INTO_EXISTING_SHIB_ACCOUNT;
        logger.fine("Found user based on " + userPersistentId + ". Logging in.");
        logger.fine("Updating display info for " + au.getName());
        authSvc.updateAuthenticatedUser(au, displayInfo);
        logInUserAndSetShibAttributes(au);
        String prettyFacesHomePageString = getPrettyFacesHomePageString(false);
        try {
            FacesContext.getCurrentInstance().getExternalContext().redirect(prettyFacesHomePageString);
        } catch (IOException ex) {
            logger.info("Unable to redirect user to homepage at " + prettyFacesHomePageString);
        }
    } else {
        state = State.PROMPT_TO_CREATE_NEW_ACCOUNT;
        displayNameToPersist = displayInfo.getTitle();
        emailToPersist = emailAddress;
        /**
         * @todo for Harvard we plan to use the value(s) from
         * eduPersonScopedAffiliation which
         * http://iam.harvard.edu/resources/saml-shibboleth-attributes says
         * can be One or more of the following values: faculty, staff,
         * student, affiliate, and member.
         *
         * http://dataverse.nl plans to use
         * urn:mace:dir:attribute-def:eduPersonAffiliation per
         * http://irclog.iq.harvard.edu/dataverse/2015-02-13#i_16265 . Can
         * they configure shibd to map eduPersonAffiliation to
         * eduPersonScopedAffiliation?
         */
        // positionToPersist = "FIXME";
        logger.fine("Couldn't find authenticated user based on " + userPersistentId);
        visibleTermsOfUse = true;
        /**
         * Using the email address from the IdP, try to find an existing
         * user. For TestShib we convert the "eppn" to an email address.
         *
         * If found, prompt for password and offer to convert.
         *
         * If not found, create a new account. It must be a new user.
         */
        String emailAddressToLookUp = emailAddress;
        if (existingEmail != null) {
            emailAddressToLookUp = existingEmail;
        }
        AuthenticatedUser existingAuthUserFoundByEmail = shibService.findAuthUserByEmail(emailAddressToLookUp);
        BuiltinUser existingBuiltInUserFoundByEmail = null;
        if (existingAuthUserFoundByEmail != null) {
            existingDisplayName = existingAuthUserFoundByEmail.getName();
            existingBuiltInUserFoundByEmail = shibService.findBuiltInUserByAuthUserIdentifier(existingAuthUserFoundByEmail.getUserIdentifier());
            if (existingBuiltInUserFoundByEmail != null) {
                state = State.PROMPT_TO_CONVERT_EXISTING_ACCOUNT;
                existingDisplayName = existingBuiltInUserFoundByEmail.getDisplayName();
                debugSummary = "getting username from the builtin user we looked up via email";
                builtinUsername = existingBuiltInUserFoundByEmail.getUserName();
            } else {
                debugSummary = "Could not find a builtin account based on the username. Here we should simply create a new Shibboleth user";
            }
        } else {
            debugSummary = "Could not find an auth user based on email address";
        }
    }
    logger.fine("Debug summary: " + debugSummary + " (state: " + state + ").");
    logger.fine("redirectPage: " + redirectPage);
}
Also used : ShibUserNameFields(edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields) AuthenticatedUserDisplayInfo(edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo) ShibAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider) BuiltinUser(edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUser) ExternalContext(javax.faces.context.ExternalContext) IOException(java.io.IOException) FacesMessage(javax.faces.application.FacesMessage) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) IOException(java.io.IOException) EJBException(javax.ejb.EJBException)

Aggregations

AuthenticatedUserDisplayInfo (edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo)2 ShibUserNameFields (edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields)2 BuiltinUser (edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUser)1 ShibAuthenticationProvider (edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider)1 AuthenticatedUser (edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)1 IOException (java.io.IOException)1 StringReader (java.io.StringReader)1 EJBException (javax.ejb.EJBException)1 FacesMessage (javax.faces.application.FacesMessage)1 ExternalContext (javax.faces.context.ExternalContext)1 JsonObject (javax.json.JsonObject)1 JsonReader (javax.json.JsonReader)1