WIP

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractAttributeExtensibleXMLObject.java

@@ -1,6 +1,7 @@
 package edu.internet2.tier.shibboleth.admin.ui.domain;
 
 import lombok.EqualsAndHashCode;
+import org.hibernate.annotations.Type;
 import org.hibernate.envers.Audited;
 import org.hibernate.envers.NotAudited;
 import org.opensaml.core.xml.AttributeExtensibleXMLObject;
@@ -34,10 +35,7 @@ public AttributeMap getUnknownAttributes() {
         return this.unknownAttributes;
     }
 
-    //@ElementCollection
-    //@MapKeyColumn(length = 1000)
-    //@NotAudited
-    @Transient
+    @ElementCollection
     private Map<QName,String> storageAttributeMap = new HashMap<>();
 
     @PrePersist

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RequestInitiator.java

@@ -53,9 +53,7 @@ public void setResponseLocation(String location) {
         this.responseLocation = location;
     }
 
-    //@ElementCollection
-    //@MapKeyColumn(length = 1000)
-    @Transient
+    @ElementCollection
     private Map<QName,String> storageAttributeMap = new HashMap<>();
 
     @Transient

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/hibernate/QNameTypeContributor.java

@@ -0,0 +1,15 @@
+package edu.internet2.tier.shibboleth.admin.ui.hibernate;
+
+import org.hibernate.boot.model.TypeContributions;
+import org.hibernate.boot.model.TypeContributor;
+import org.hibernate.service.ServiceRegistry;
+
+import javax.xml.namespace.QName;
+
+public class QNameTypeContributor implements TypeContributor {
+
+    @Override
+    public void contribute(TypeContributions typeContributions, ServiceRegistry serviceRegistry) {
+        typeContributions.contributeType(new QNameUserType(), "qname", QName.class.getName());
+    }
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/hibernate/QNameUserType.java

@@ -0,0 +1,150 @@
+package edu.internet2.tier.shibboleth.admin.ui.hibernate;
+
+import org.hibernate.HibernateException;
+import org.hibernate.engine.spi.SharedSessionContractImplementor;
+import org.hibernate.usertype.UserType;
+
+import javax.xml.namespace.QName;
+import java.io.Serializable;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Types;
+
+public class QNameUserType implements UserType {
+
+    private static final int[] SQL_TYPES = new int[] { Types.VARCHAR };
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see org.hibernate.usertype.UserType#assemble(java.io.Serializable, java.lang.Object)
+     */
+    public Object assemble(Serializable cached, Object owner) throws HibernateException {
+        return cached;
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see org.hibernate.usertype.UserType#deepCopy(java.lang.Object)
+     */
+    public Object deepCopy(Object value) throws HibernateException {
+        return value;
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see org.hibernate.usertype.UserType#disassemble(java.lang.Object)
+     */
+    public Serializable disassemble(Object value) throws HibernateException {
+        return (Serializable) value;
+    }
+
+    /** Compares the int values of the enumerates */
+    public boolean equals(Object x, Object y) throws HibernateException {
+        // todo: check compare on null values
+        if (x == null && y == null) {
+            return true;
+        }
+
+        if (x == null || y == null) {
+            return false;
+        }
+
+        if (x.getClass() != y.getClass()) {
+            return false;
+        }
+
+        final QName q1 = (QName) x;
+        final QName q2 = (QName) y;
+
+        return q1.toString().compareTo(q2.toString()) == 0;
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see org.hibernate.usertype.UserType#hashCode(java.lang.Object)
+     */
+    public int hashCode(Object x) throws HibernateException {
+        return x.toString().hashCode();
+    }
+
+    /** Not mutable */
+    public boolean isMutable() {
+        return false;
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see org.hibernate.usertype.UserType#nullSafeGet(java.sql.ResultSet, java.lang.String[],
+     *      java.lang.Object)
+     */
+    public Object nullSafeGet(ResultSet rs, String[] names, SharedSessionContractImplementor sessionContractImplementor, Object owner) throws HibernateException, SQLException {
+        final String str = rs.getString(names[0]);
+        if (rs.wasNull()) {
+            return null;
+        }
+        return convertFromString(str);
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see org.hibernate.usertype.UserType#nullSafeSet(java.sql.PreparedStatement,
+     *      java.lang.Object, int)
+     */
+    public void nullSafeSet(PreparedStatement st, Object value, int index, SharedSessionContractImplementor sessionContractImplementor) throws HibernateException, SQLException {
+        if (value == null) {
+            st.setNull(index, Types.VARCHAR);
+        } else {
+            st.setString(index, convertToString((QName) value));
+        }
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see org.hibernate.usertype.UserType#replace(java.lang.Object, java.lang.Object,
+     *      java.lang.Object)
+     */
+    public Object replace(Object original, Object target, Object owner) throws HibernateException {
+        return original;
+    }
+
+    /** Returns the parameterizezd enumType */
+    public Class<?> returnedClass() {
+        return QName.class;
+    }
+
+    /** An enum is stored in one varchar */
+    public int[] sqlTypes() {
+        return SQL_TYPES;
+    }
+
+    protected String convertToString(QName qName) {
+        return "{" + qName.getNamespaceURI() + "}" + qName.getPrefix() + ":" + qName.getLocalPart();
+    }
+
+    protected QName convertFromString(String str) {
+        if (str.indexOf("{") == -1) {
+            throw new HibernateException("String " + str + " can not be converted to a QName, missing starting {");
+        }
+        final int endIndexNS = str.indexOf("}");
+        if (endIndexNS == -1) {
+            throw new HibernateException("String " + str +
+                    " can not be converted to a QName, missing end ns delimiter } ");
+        }
+        final int prefixIndex = str.indexOf(":", endIndexNS);
+        if (prefixIndex == -1) {
+            throw new HibernateException("String " + str + " can not be converted to a QName, missing prefix delimiter :");
+        }
+        final String ns = str.substring(1, endIndexNS);
+        final String prefix = str.substring(endIndexNS + 1, prefixIndex);
+        final String localPart = str.substring(prefixIndex + 1);
+        return new QName(ns, localPart, prefix);
+    }
+}

backend/src/main/resources/META-INF/services/org.hibernate.boot.model.TypeContributor

@@ -0,0 +1 @@
+edu.internet2.tier.shibboleth.admin.ui.hibernate.QNameTypeContributor

testbed/mariadb/conf/application.yml

@@ -0,0 +1,138 @@
+spring:
+  profiles:
+    include:
+  datasource:
+    platform: mysql
+    driver-class-name: org.mariadb.jdbc.Driver
+    url: jdbc:mariadb://db:3306/shibui
+    username: shibui
+    password: shibui
+  jpa:
+    properties:
+      hibernate:
+        dialect: org.hibernate.dialect.MariaDBDialect
+server:
+  port: 8443
+  ssl:
+    key-store: "/conf/keystore.p12"
+    key-store-password: "changeit"
+    keyStoreType: "PKCS12"
+    keyAlias: "tomcat"
+shibui:
+  user-bootstrap-resource: file:/conf/users.csv
+  roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_PONY
+custom:
+  attributes:
+    # Default attributes
+    - name: eduPersonPrincipalName
+      displayName: label.attribute-eduPersonPrincipalName
+    - name: uid
+      displayName: label.attribute-uid
+    - name: mail
+      displayName: label.attribute-mail
+    - name: surname
+      displayName: label.attribute-surname
+    - name: givenName
+      displayName: label.attribute-givenName
+    - name: eduPersonAffiliation
+      displayName: label.attribute-eduPersonAffiliation
+    - name: eduPersonScopedAffiliation
+      displayName: label.attribute-eduPersonScopedAffiliation
+    - name: eduPersonPrimaryAffiliation
+      displayName: label.attribute-eduPersonPrimaryAffiliation
+    - name: eduPersonEntitlement
+      displayName: label.attribute-eduPersonEntitlement
+    - name: eduPersonAssurance
+      displayName: label.attribute-eduPersonAssurance
+    - name: eduPersonUniqueId
+      displayName: label.attribute-eduPersonUniqueId
+    - name: employeeNumber
+      displayName: label.attribute-employeeNumber
+  # Custom attributes
+  overrides:
+    # Default overrides
+    - name: signAssertion
+      displayName: label.sign-the-assertion
+      displayType: boolean
+      defaultValue: false
+      helpText: tooltip.sign-assertion
+      attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
+      attributeFriendlyName: signAssertions
+    - name: dontSignResponse
+      displayName: label.dont-sign-the-response
+      displayType: boolean
+      defaultValue: false
+      helpText: tooltip.dont-sign-response
+      attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
+      attributeFriendlyName: signResponses
+    - name: turnOffEncryption
+      displayName: label.turn-off-encryption-of-response
+      displayType: boolean
+      defaultValue: false
+      helpText: tooltip.turn-off-encryption
+      attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
+      attributeFriendlyName: encryptAssertions
+    - name: useSha
+      displayName: label.use-sha1-signing-algorithm
+      displayType: boolean
+      defaultValue: false
+      helpText: tooltip.usa-sha-algorithm
+      persistType: string
+      persistValue: shibboleth.SecurityConfiguration.SHA1
+      attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+      attributeFriendlyName: securityConfiguration
+    - name: ignoreAuthenticationMethod
+      displayName: label.ignore-any-sp-requested-authentication-method
+      displayType: boolean
+      defaultValue: false
+      helpText: tooltip.ignore-auth-method
+      persistType: string
+      persistValue: 0x1
+      attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+      attributeFriendlyName: disallowedFeatures
+    - name: omitNotBefore
+      displayName: label.omit-not-before-condition
+      displayType: boolean
+      defaultValue: false
+      helpText: tooltip.omit-not-before-condition
+      attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
+      attributeFriendlyName: includeConditionsNotBefore
+    - name: responderId
+      displayName: label.responder-id
+      displayType: string
+      defaultValue: null
+      helpText: tooltip.responder-id
+      attributeName: http://shibboleth.net/ns/profiles/responderId
+      attributeFriendlyName: responderId
+    - name: nameIdFormats
+      displayName: label.nameid-format-to-send
+      displayType: set
+      helpText: tooltip.nameid-format
+      defaultValues:
+        - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+        - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+        - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+      attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
+      attributeFriendlyName: nameIDFormatPrecedence
+    - name: authenticationMethods
+      displayName: label.authentication-methods-to-use
+      displayType: set
+      helpText: tooltip.authentication-methods-to-use
+      defaultValues:
+        - https://refeds.org/profile/mfa
+        - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+        - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+      attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+      attributeFriendlyName: defaultAuthenticationMethods
+    - name: forceAuthn
+      displayName: label.force-authn
+      displayType: boolean
+      defaultValue: false
+      helpText: tooltip.force-authn
+      attributeName: http://shibboleth.net/ns/profiles/forceAuthn
+      attributeFriendlyName: forceAuthn
+logging:
+  level:
+    org.pac4j: "TRACE"
+    org.opensaml: "INFO"

testbed/mariadb/conf/users.csv

@@ -0,0 +1,2 @@
+root,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,user1@example.org
+jj,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,jj@example.org

testbed/mariadb/docker-compose.yml

@@ -0,0 +1,41 @@
+version: "3.7"
+
+services:
+  db:
+    image: mariadb
+    container_name: db
+    environment:
+      MYSQL_DATABASE: shibui
+      MYSQL_USER: shibui
+      MYSQL_PASSWORD: shibui
+      MYSQL_ROOT_PASSWORD: root
+
+    networks:
+      - front
+    ports:
+      - 3306:3306
+  shibui:
+    image: unicon/shibui
+    ports:
+      - 8080:8080
+      - 5005:5005
+      - 8443:8443
+    volumes:
+      - ./conf:/conf
+      - ./conf/application.yml:/application.yml
+    networks:
+      - front
+    depends_on:
+      - db
+  mailhog:
+    image: mailhog/mailhog:latest
+    ports:
+      - 1025:1025
+      - 8025:8025
+    container_name: mailhog
+    networks:
+      - front
+
+networks:
+  front:
+    driver: bridge