Merge branch 'feature/shibui-2380' of bitbucket.org:unicon/shib-idp-u…

…i into feature/shibui-2380
TIER · Oct 21, 2022 · 1f63ada · 1f63ada
2 parents 64cdc99 + a2768fb
commit 1f63ada
Show file tree

Hide file tree

Showing 16 changed files with 2,806 additions and 62 deletions.
diff --git a/backend/src/enversTest/resources/application.yml b/backend/src/enversTest/resources/application.yml
@@ -0,0 +1,166 @@
+#spring:
+#  jpa:
+#    show-sql: false
+#    properties:
+#      hibernate:
+#        format_sql: true
+#        dialect: org.hibernate.dialect.PostgreSQL95Dialect
+# OR SEE: https://access.redhat.com/webassets/avalon/d/red-hat-jboss-enterprise-application-platform/7.2/javadocs/org/hibernate/dialect/package-summary.html
+
+#shibui:
+## Default password must be set for the default user to be configured and setup
+#  default-rootuser:root
+## need to include the encoding for the password - be sure to quote the entire value as shown
+#  default-password: "{noop}foopassword"
+#  pac4j-enabled: true
+#  pac4j:
+#    keystorePath: "/etc/shibui/samlKeystore.jks"
+#    keystorePassword: "changeit"
+#    privateKeyPassword: "changeit"
+#    serviceProviderEntityId: "https://idp.example.com/shibui"
+#    serviceProviderMetadataPath: "/etc/shibui/sp-metadata.xml"
+#    identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml"
+#    forceServiceProviderMetadataGeneration: false
+#    callbackUrl: "https://localhost:8443/callback"
+#    postLogoutURL: "https://idp.example.com/idp/profile/Logout"  # Must set this to get IDP logout
+#    maximumAuthenticationLifetime: 3600000
+#    requireAssertedRoleForNewUsers: false
+#    saml2ProfileMapping:
+#      username: urn:oid:0.9.2342.19200300.100.1.1
+#      firstname: urn:oid:2.5.4.42
+#      lastname: urn:oid:2.5.4.4
+#      email: urn:oid:0.9.2342.19200300.100.1.3
+#      groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.1 # attributeId - isMemberOf
+#      roles: --define name of the attribute containing the incoming user roles--
+
+custom:
+  attributes:
+    # Default attributes
+    - name: eduPersonPrincipalName
+      displayName: label.attribute-eduPersonPrincipalName
+    - name: uid
+      displayName: label.attribute-uid
+    - name: mail
+      displayName: label.attribute-mail
+    - name: surname
+      displayName: label.attribute-surname
+    - name: givenName
+      displayName: label.attribute-givenName
+    - name: eduPersonAffiliation
+      displayName: label.attribute-eduPersonAffiliation
+    - name: eduPersonScopedAffiliation
+      displayName: label.attribute-eduPersonScopedAffiliation
+    - name: eduPersonPrimaryAffiliation
+      displayName: label.attribute-eduPersonPrimaryAffiliation
+    - name: eduPersonEntitlement
+      displayName: label.attribute-eduPersonEntitlement
+    - name: eduPersonAssurance
+      displayName: label.attribute-eduPersonAssurance
+    - name: eduPersonUniqueId
+      displayName: label.attribute-eduPersonUniqueId
+    - name: employeeNumber
+      displayName: label.attribute-employeeNumber
+  # Custom attributes
+
+  # The following contains a map of "relying party overrides".
+  # The structure of an entry is as follows:
+  # - name: The name of the entry. used to uniquely identify this entry.
+  #   displayName: This will normally be the label used when displaying this override in the UI
+  #   displayType: The type to use when displaying this option
+  #   helpText: This is the help-icon hover-over text
+  #   defaultValues: One or more values to be displayed as default options in the UI
+  #   persistType: Optional. If it is necessary to persist something different than the override's display type,
+  #                set that type here. For example, display a boolean, but persist a string.
+  #   persistValue: Required only when persistType is used. Defines the value to be persisted.
+  #   attributeName: This is the name of the attribute to be used in the xml. This is assumed to be a URI.
+  #   attributeFriendlyName: This is the friendly name associated with the above attributeName.
+  #
+  # It is imperative when defining these that the "displayType" and "persistType" are known types.
+  # Typos or unsupported values here will result in that override being skipped!
+  # Supported types are as follows: boolean, integer, string, set, list
+  # Note that "persistType" doesn't have to match "displayType". However, the only unmatching combination currently
+  # supported is a "displayType" of "boolean" and "persistType" of "string".
+  overrides:
+    # Default overrides
+    - name: signAssertion
+      displayName: label.sign-the-assertion
+      displayType: boolean
+      helpText: tooltip.sign-assertion
+      attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
+      attributeFriendlyName: signAssertions
+    - name: dontSignResponse
+      displayName: label.dont-sign-the-response
+      displayType: boolean
+      helpText: tooltip.dont-sign-response
+      attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
+      attributeFriendlyName: signResponses
+      invert: true
+    - name: turnOffEncryption
+      displayName: label.turn-off-encryption-of-response
+      displayType: boolean
+      helpText: tooltip.turn-off-encryption
+      attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
+      attributeFriendlyName: encryptAssertions
+      invert: true
+    - name: useSha
+      displayName: label.use-sha1-signing-algorithm
+      displayType: boolean
+      helpText: tooltip.usa-sha-algorithm
+      persistType: string
+      persistValue: shibboleth.SecurityConfiguration.SHA1
+      attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+      attributeFriendlyName: securityConfiguration
+    - name: ignoreAuthenticationMethod
+      displayName: label.ignore-any-sp-requested-authentication-method
+      displayType: boolean
+      helpText: tooltip.ignore-auth-method
+      persistType: string
+      persistValue: 0x1
+      attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+      attributeFriendlyName: disallowedFeatures
+    - name: omitNotBefore
+      displayName: label.omit-not-before-condition
+      displayType: boolean
+      helpText: tooltip.omit-not-before-condition
+      attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
+      attributeFriendlyName: includeConditionsNotBefore
+      invert: true
+    - name: responderId
+      displayName: label.responder-id
+      displayType: string
+      helpText: tooltip.responder-id
+      attributeName: http://shibboleth.net/ns/profiles/responderId
+      attributeFriendlyName: responderId
+    - name: nameIdFormats
+      displayName: label.nameid-format-to-send
+      displayType: set
+      helpText: tooltip.nameid-format
+      defaultValues:
+        - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+        - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+        - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+      attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
+      attributeFriendlyName: nameIDFormatPrecedence
+    - name: authenticationMethods
+      displayName: label.authentication-methods-to-use
+      displayType: set
+      helpText: tooltip.authentication-methods-to-use
+      defaultValues:
+        - https://refeds.org/profile/mfa
+        - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+        - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+      attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+      attributeFriendlyName: defaultAuthenticationMethods
+    - name: forceAuthn
+      displayName: label.force-authn
+      displayType: boolean
+      helpText: tooltip.force-authn
+      attributeName: http://shibboleth.net/ns/profiles/forceAuthn
+      attributeFriendlyName: forceAuthn
+    - name: ignoreRequestSignatures
+      displayName: label.ignore-request-signatures
+      displayType: boolean
+      helpText: tooltip.ignore-request-signatures
+      attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
+      attributeFriendlyName: ignoreRequestSignatures
diff --git a/...n/java/edu/internet2/tier/shibboleth/admin/ui/domain/CustomEntityAttributeDefinition.java b/...n/java/edu/internet2/tier/shibboleth/admin/ui/domain/CustomEntityAttributeDefinition.java
@@ -1,8 +1,9 @@
 package edu.internet2.tier.shibboleth.admin.ui.domain;
 
-import java.util.HashSet;
-import java.util.Set;
-import java.util.UUID;
+import lombok.Data;
+import org.hibernate.annotations.Fetch;
+import org.hibernate.annotations.FetchMode;
+import org.hibernate.envers.Audited;
 
 import javax.persistence.CollectionTable;
 import javax.persistence.Column;
@@ -11,14 +12,9 @@
 import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.Transient;
-
-import liquibase.pro.packaged.O;
-import org.apache.commons.lang3.StringUtils;
-import org.hibernate.annotations.Fetch;
-import org.hibernate.annotations.FetchMode;
-import org.hibernate.envers.Audited;
-
-import lombok.Data;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.UUID;
 
 @Entity(name = "custom_entity_attribute_definition")
 @Audited

diff --git a/...in/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorProjection.java b/...in/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorProjection.java
@@ -1,22 +1,61 @@
 package edu.internet2.tier.shibboleth.admin.ui.repository;
 
+import com.fasterxml.jackson.annotation.JsonGetter;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptorProtocol;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.Setter;
 
 import java.time.LocalDateTime;
 
-public interface EntityDescriptorProjection {
-    default String getId() {
-        return getResourceId();
+public class EntityDescriptorProjection {
+    @Getter
+    String id;
+    String entityID;
+    String entityId;
+    @Getter
+    String resourceId;
+    @Getter
+    String serviceProviderName;
+    @Getter
+    String createdBy;
+    @Getter
+    LocalDateTime createdDate;
+    @Getter
+    boolean serviceEnabled;
+    @Getter
+    String idOfOwner;
+    EntityDescriptorProtocol protocol;
+
+    public EntityDescriptorProjection(String entityID, String resourceId, String serviceProviderName, String createdBy,
+                                      LocalDateTime createdDate, boolean serviceEnabled, String idOfOwner, String protocol) {
+        this.entityID = entityID;
+        this.entityId = entityID;
+        this.resourceId = resourceId;
+        this.id = resourceId;
+        this.serviceProviderName = serviceProviderName;
+        this.createdBy = createdBy;
+        this.createdDate = createdDate;
+        this.serviceEnabled = serviceEnabled;
+        this.idOfOwner = idOfOwner;
+        setProtocol(protocol);
+    }
+
+    public String getEntityID() {
+        return entityID;
+    }
+
+    public String getEntityId() {
+        return entityId;
+    }
+
+    public EntityDescriptorProtocol getProtocol() {
+        return protocol == null ? EntityDescriptorProtocol.SAML : protocol;
     }
-    String getEntityID();
-    default String getEntityId() {
-        return getEntityID();
+
+    public void setProtocol(String index) {
+        int i = Integer.valueOf(index);
+        protocol = EntityDescriptorProtocol.values()[i];
     }
-    String getResourceId();
-    String getServiceProviderName();
-    String getCreatedBy();
-    LocalDateTime getCreatedDate();
-    boolean getServiceEnabled();
-    String getIdOfOwner();
-    EntityDescriptorProtocol getProtocol();
 }
diff --git a/...in/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepository.java b/...in/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepository.java
@@ -3,6 +3,7 @@
 import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptor;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
 
 import java.util.List;
 import java.util.stream.Stream;
@@ -12,9 +13,16 @@
  * Repository to manage {@link EntityDescriptor} instances.
  */
 public interface EntityDescriptorRepository extends JpaRepository<EntityDescriptor, Long> {
+    @Query(value = "select new edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorProjection(e.entityID, e.resourceId, e.serviceProviderName, e.createdBy, " +
+                   "e.createdDate, e.serviceEnabled, e.idOfOwner, case e.protocol when null then 'SAML' else e.protocol end ) " +
+                    "from EntityDescriptor e")
     List<EntityDescriptorProjection> findAllBy();
 
-    List<EntityDescriptorProjection> findAllByIdOfOwner(String ownerId);
+    @Query(value = "select new edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorProjection(e.entityID, e.resourceId, e.serviceProviderName, e.createdBy, " +
+                   "e.createdDate, e.serviceEnabled, e.idOfOwner, case e.protocol when null then 'SAML' else e.protocol end ) " +
+                   "from EntityDescriptor e " +
+                   "where e.idOfOwner = :ownerId")
+    List<EntityDescriptorProjection> findAllByIdOfOwner(@Param("ownerId") String ownerId);
 
     EntityDescriptor findByEntityID(String entityId);