Examples with HeaderCheckResult org.orcid.pojo.HeaderCheckResult used on opensource projects

Example 1 with HeaderCheckResult

use of org.orcid.pojo.HeaderCheckResult in project ORCID-Source by ORCID.

the class InstitutionalSignInManagerImpl method checkHeaders.

@Override
public HeaderCheckResult checkHeaders(Map<String, String> originalHeaders, Map<String, String> currentHeaders) {
    HeaderCheckResult result = new HeaderCheckResult();
    List<String> headersToCheck = new ArrayList<>();
    headersToCheck.addAll(Arrays.asList(POSSIBLE_REMOTE_USER_HEADERS));
    headersToCheck.add(EPPN_HEADER);
    for (String headerName : headersToCheck) {
        String original = originalHeaders.get(headerName);
        String current = currentHeaders.get(headerName);
        // just be an IdP config change to add/remove the attribute
        if (StringUtils.isNoneBlank(original, current)) {
            Set<String> originalDeduped = dedupe(original);
            Set<String> currentDeduped = dedupe(current);
            if (!currentDeduped.equals(originalDeduped)) {
                result.addMismatch(new HeaderMismatch(headerName, original, current));
            }
        }
    }
    if (!result.isSuccess()) {
        String message = String.format("Institutional sign in header check failed: %s, originalHeaders=%s", result, originalHeaders);
        LOGGER.info(message);
        slackManager.sendSystemAlert(message);
    }
    return result;
}

Example 2 with HeaderCheckResult

use of org.orcid.pojo.HeaderCheckResult in project ORCID-Source by ORCID.

the class ShibbolethController method post2FAVerificationCode.

@RequestMapping(value = { "/2FA/submitCode.json" }, method = RequestMethod.POST)
@ResponseBody
public TwoFactorAuthenticationCodes post2FAVerificationCode(@RequestBody TwoFactorAuthenticationCodes codes, HttpServletRequest request, HttpServletResponse response, @RequestHeader Map<String, String> headers) {
    checkEnabled();
    String shibIdentityProvider = headers.get(InstitutionalSignInManager.SHIB_IDENTITY_PROVIDER_HEADER);
    RemoteUser remoteUser = institutionalSignInManager.retrieveRemoteUser(headers);
    if (remoteUser == null) {
        LOGGER.info("Failed federated log in for {}", shibIdentityProvider);
        identityProviderManager.incrementFailedCount(shibIdentityProvider);
        codes.setRedirectUrl(orcidUrlManager.getBaseUrl() + "/shibboleth/signin");
        return codes;
    }
    UserconnectionEntity userConnectionEntity = userConnectionManager.findByProviderIdAndProviderUserIdAndIdType(remoteUser.getUserId(), shibIdentityProvider, remoteUser.getIdType());
    if (userConnectionEntity != null) {
        LOGGER.info("Found existing user connection: {}", userConnectionEntity);
        HeaderCheckResult checkHeadersResult = institutionalSignInManager.checkHeaders(parseOriginalHeaders(userConnectionEntity.getHeadersJson()), headers);
        if (!checkHeadersResult.isSuccess()) {
            codes.setRedirectUrl(orcidUrlManager.getBaseUrl() + "/shibboleth/signin");
            return codes;
        }
        validate2FACodes(userConnectionEntity.getOrcid(), codes);
        if (!codes.getErrors().isEmpty()) {
            return codes;
        }
        try {
            notifyUser(shibIdentityProvider, userConnectionEntity);
            processAuthentication(remoteUser, userConnectionEntity);
        } catch (AuthenticationException e) {
            // this should never happen
            SecurityContextHolder.getContext().setAuthentication(null);
            LOGGER.warn("User {0} should have been logged-in via Shibboleth, but was unable to due to a problem", remoteUser, e);
        }
        codes.setRedirectUrl(calculateRedirectUrl(request, response));
        return codes;
    } else {
        codes.setRedirectUrl(orcidUrlManager.getBaseUrl() + "/shibboleth/signin");
        return codes;
    }
}

Example 3 with HeaderCheckResult

use of org.orcid.pojo.HeaderCheckResult in project ORCID-Source by ORCID.

the class InstitutionalSignInManagerTest method testCheckHeaders.

@Test
public void testCheckHeaders() throws IOException {
    @SuppressWarnings("unchecked") Map<String, String> originalHeaders = JsonUtils.readObjectFromJsonString(IOUtils.toString(getClass().getResource("shibboleth_headers_original.json")), Map.class);
    Map<String, String> currentHeaders = new HashMap<>(originalHeaders);
    // When all headers are the same
    HeaderCheckResult result = institutionalSignInManager.checkHeaders(originalHeaders, currentHeaders);
    assertTrue(result.isSuccess());
    assertEquals(0, result.getMismatches().size());
    // When eppn is different
    currentHeaders.put("eppn", "someoneelse@testshib.org");
    result = institutionalSignInManager.checkHeaders(originalHeaders, currentHeaders);
    assertFalse(result.isSuccess());
    assertEquals(1, result.getMismatches().size());
    HeaderMismatch mismatch = result.getMismatches().get(0);
    assertEquals("eppn", mismatch.getHeaderName());
    assertEquals("myself@testshib.org", mismatch.getOriginalValue());
    assertEquals("someoneelse@testshib.org", mismatch.getCurrentValue());
    // When eppn was originally there, but is not now
    currentHeaders.remove("eppn");
    result = institutionalSignInManager.checkHeaders(originalHeaders, currentHeaders);
    assertTrue(result.isSuccess());
    assertEquals(0, result.getMismatches().size());
    // When eppn is duplicated but unchanged
    currentHeaders.put("eppn", "myself@testshib.org;myself@testshib.org");
    result = institutionalSignInManager.checkHeaders(originalHeaders, currentHeaders);
    assertTrue(result.isSuccess());
    assertEquals(0, result.getMismatches().size());
    // When eppn is duplicated and changed
    currentHeaders.put("eppn", "someoneelse@testshib.org;someoneelse@testshib.org");
    result = institutionalSignInManager.checkHeaders(originalHeaders, currentHeaders);
    assertFalse(result.isSuccess());
    assertEquals(1, result.getMismatches().size());
    mismatch = result.getMismatches().get(0);
    assertEquals("eppn", mismatch.getHeaderName());
    assertEquals("myself@testshib.org", mismatch.getOriginalValue());
    assertEquals("someoneelse@testshib.org;someoneelse@testshib.org", mismatch.getCurrentValue());
    // When eppn is duplicated and one of values changed
    currentHeaders.put("eppn", "myself@testshib.org;someoneelse@testshib.org");
    result = institutionalSignInManager.checkHeaders(originalHeaders, currentHeaders);
    assertFalse(result.isSuccess());
    assertEquals(1, result.getMismatches().size());
    mismatch = result.getMismatches().get(0);
    assertEquals("eppn", mismatch.getHeaderName());
    assertEquals("myself@testshib.org", mismatch.getOriginalValue());
    assertEquals("myself@testshib.org;someoneelse@testshib.org", mismatch.getCurrentValue());
}

Example 4 with HeaderCheckResult

use of org.orcid.pojo.HeaderCheckResult in project ORCID-Source by ORCID.

the class ShibbolethController method signinHandler.

@RequestMapping(value = { "/signin" }, method = RequestMethod.GET)
public ModelAndView signinHandler(HttpServletRequest request, HttpServletResponse response, @RequestHeader Map<String, String> headers, ModelAndView mav) {
    LOGGER.info("Headers for shibboleth sign in: {}", headers);
    checkEnabled();
    mav.setViewName("social_link_signin");
    String shibIdentityProvider = headers.get(InstitutionalSignInManager.SHIB_IDENTITY_PROVIDER_HEADER);
    mav.addObject("providerId", shibIdentityProvider);
    String displayName = institutionalSignInManager.retrieveDisplayName(headers);
    mav.addObject("accountId", displayName);
    RemoteUser remoteUser = institutionalSignInManager.retrieveRemoteUser(headers);
    if (remoteUser == null) {
        LOGGER.info("Failed federated log in for {}", shibIdentityProvider);
        identityProviderManager.incrementFailedCount(shibIdentityProvider);
        mav.addObject("unsupportedInstitution", true);
        mav.addObject("institutionContactEmail", identityProviderManager.retrieveContactEmailByProviderid(shibIdentityProvider));
        return mav;
    }
    // Check if the Shibboleth user is already linked to an ORCID account.
    // If so sign them in automatically.
    UserconnectionEntity userConnectionEntity = userConnectionManager.findByProviderIdAndProviderUserIdAndIdType(remoteUser.getUserId(), shibIdentityProvider, remoteUser.getIdType());
    if (userConnectionEntity != null) {
        LOGGER.info("Found existing user connection: {}", userConnectionEntity);
        HeaderCheckResult checkHeadersResult = institutionalSignInManager.checkHeaders(parseOriginalHeaders(userConnectionEntity.getHeadersJson()), headers);
        if (!checkHeadersResult.isSuccess()) {
            mav.addObject("headerCheckFailed", true);
            return mav;
        }
        ProfileEntity profile = profileEntityCacheManager.retrieve(userConnectionEntity.getOrcid());
        if (profile.getUsing2FA()) {
            return new ModelAndView("institutional_2FA");
        }
        try {
            notifyUser(shibIdentityProvider, userConnectionEntity);
            processAuthentication(remoteUser, userConnectionEntity);
        } catch (AuthenticationException e) {
            // this should never happen
            SecurityContextHolder.getContext().setAuthentication(null);
            LOGGER.warn("User {0} should have been logged-in via Shibboleth, but was unable to due to a problem", remoteUser, e);
        }
        return new ModelAndView("redirect:" + calculateRedirectUrl(request, response));
    } else {
        // To avoid confusion, force the user to login to ORCID again
        mav.addObject("linkType", "shibboleth");
        mav.addObject("firstName", (headers.get(InstitutionalSignInManager.GIVEN_NAME_HEADER) == null) ? "" : headers.get(InstitutionalSignInManager.GIVEN_NAME_HEADER));
        mav.addObject("lastName", (headers.get(InstitutionalSignInManager.SN_HEADER) == null) ? "" : headers.get(InstitutionalSignInManager.SN_HEADER));
    }
    return mav;
}