[SHIBUI-1058]

WIP

backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy

@@ -79,6 +79,14 @@ class DevConfig {
                 emailAddress = 'anon@institution.edu'
                 roles.add(roleRepository.findByName('ROLE_ADMIN').get())
                 it
+            }, new User().with { // allow some shady fella
+                username = 'scalding@scaldingspoon.com'
+                password = '{noop}anonymous'
+                firstName = 'Jj!'
+                lastName = 'Jj!'
+                emailAddress = 'scalding@scaldingspoon.com'
+                roles.add(roleRepository.findByName('ROLE_ADMIN').get())
+                it
             }]
             users.each {
                 adminUserRepository.save(it)

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java

@@ -23,6 +23,7 @@
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.HttpClientErrorException;
 
+import java.security.Principal;
 import java.util.List;
 import java.util.Optional;
 
@@ -58,13 +59,8 @@ public List<User> getAll() {
 
     @Transactional(readOnly = true)
     @GetMapping("/current")
-    public ResponseEntity<?> getCurrentUser() {
-        User user = userService.getCurrentUser();
-        if (user != null) {
-            return ResponseEntity.ok(user);
-        } else {
-            return ResponseEntity.notFound().build();
-        }
+    public Principal getCurrentUser(Principal principal) {
+        return principal;
     }
 
     @Secured("ROLE_ADMIN")

pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java

@@ -1,17 +1,28 @@
 package net.unicon.shibui.pac4j;
 
+import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
 import org.pac4j.core.client.Clients;
 import org.pac4j.core.config.Config;
+import org.pac4j.core.context.Pac4jConstants;
+import org.pac4j.core.profile.definition.CommonProfileDefinition;
 import org.pac4j.saml.client.SAML2Client;
 import org.pac4j.saml.client.SAML2ClientConfiguration;
-import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.pac4j.saml.credentials.authenticator.SAML2Authenticator;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import java.util.HashMap;
+import java.util.Map;
+
 @Configuration
 public class Pac4jConfiguration {
     @Bean
-    public Config config(final Pac4jConfigurationProperties pac4jConfigurationProperties) {
+    public SAML2ModelAuthorizationGenerator saml2ModelAuthorizationGenerator(UserRepository userRepository) {
+        return new SAML2ModelAuthorizationGenerator(userRepository);
+    }
+
+    @Bean
+    public Config config(final Pac4jConfigurationProperties pac4jConfigurationProperties, final SAML2ModelAuthorizationGenerator saml2ModelAuthorizationGenerator) {
         final SAML2ClientConfiguration saml2ClientConfiguration = new SAML2ClientConfiguration();
         saml2ClientConfiguration.setKeystorePath(pac4jConfigurationProperties.getKeystorePath());
         saml2ClientConfiguration.setKeystorePassword(pac4jConfigurationProperties.getKeystorePassword());
@@ -22,9 +33,16 @@ public Config config(final Pac4jConfigurationProperties pac4jConfigurationProper
         saml2ClientConfiguration.setServiceProviderMetadataPath(pac4jConfigurationProperties.getServiceProviderMetadataPath());
         saml2ClientConfiguration.setForceServiceProviderMetadataGeneration(pac4jConfigurationProperties.isForceServiceProviderMetadataGeneration());
         saml2ClientConfiguration.setWantsAssertionsSigned(pac4jConfigurationProperties.isWantAssertionsSigned());
+        // TODO: make not hardcoded
+        saml2ClientConfiguration.setAttributeAsId("email");
+        Map<String, String> mappedAttributes = new HashMap<>();
+        // TODO: make not hardcoded
+        mappedAttributes.put("email", Pac4jConstants.USERNAME);
+        saml2ClientConfiguration.setMappedAttributes(mappedAttributes);
 
         final SAML2Client saml2Client = new SAML2Client(saml2ClientConfiguration);
         saml2Client.setName("Saml2Client");
+        saml2Client.addAuthorizationGenerator(saml2ModelAuthorizationGenerator);
 
         final Clients clients = new Clients(pac4jConfigurationProperties.getCallbackUrl(), saml2Client);
 

pac4j-module/src/main/java/net/unicon/shibui/pac4j/SAML2ModelAuthorizationGenerator.java

@@ -0,0 +1,24 @@
+package net.unicon.shibui.pac4j;
+
+import edu.internet2.tier.shibboleth.admin.ui.security.model.User;
+import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
+import org.pac4j.core.authorization.generator.AuthorizationGenerator;
+import org.pac4j.core.context.WebContext;
+import org.pac4j.saml.profile.SAML2Profile;
+
+import java.util.Optional;
+
+public class SAML2ModelAuthorizationGenerator implements AuthorizationGenerator<SAML2Profile> {
+    private final UserRepository userRepository;
+
+    public SAML2ModelAuthorizationGenerator(UserRepository userRepository) {
+        this.userRepository = userRepository;
+    }
+
+    @Override
+    public SAML2Profile generate(WebContext context, SAML2Profile profile) {
+        Optional<User> user = userRepository.findByUsername(profile.getUsername());
+        user.ifPresent( u -> profile.addRole(u.getRole()));
+        return profile;
+    }
+}

pac4j-module/src/main/java/org/pac4j/core/profile/CommonProfile.java

@@ -0,0 +1,141 @@
+package org.pac4j.core.profile;
+
+import org.pac4j.core.context.Pac4jConstants;
+import org.pac4j.core.profile.definition.CommonProfileDefinition;
+
+import java.net.URI;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.Locale;
+
+/**
+ * This class is the base implementation with the default attribute getters which can be retrieved for most profiles.
+ *
+ * @author Jerome Leleu
+ * @since 1.3.0
+ */
+public class CommonProfile extends UserProfile {
+
+    private static final long serialVersionUID = -1856159870249261877L;
+
+    public CommonProfile() {
+        //default constructor for backwards compatibility
+    }
+
+    /**
+     * Create a profile with possibility to merge attributes with the same name and collection-type values
+     * @param canMergeAttributes if true - merge attributes with the same name and collection-type values, if false - overwrite them
+     * @since 3.1.0
+     */
+    public CommonProfile( boolean canMergeAttributes ) {
+        super( canMergeAttributes );
+    }
+
+    /**
+     * Return the email of the user.
+     *
+     * @return the email of the user
+     */
+    public String getEmail() {
+        return (String) getAttribute(CommonProfileDefinition.EMAIL);
+    }
+
+    /**
+     * Return the first name of the user.
+     *
+     * @return the first name of the user
+     */
+    public String getFirstName() {
+        return (String) getAttribute(CommonProfileDefinition.FIRST_NAME);
+    }
+
+    /**
+     * Return the family name of the user.
+     *
+     * @return the family name of the user
+     */
+    public String getFamilyName() {
+        return (String) getAttribute(CommonProfileDefinition.FAMILY_NAME);
+    }
+
+    /**
+     * Return the displayed name of the user. It can be the username or the first and last names (separated by a space).
+     *
+     * @return the displayed name of the user
+     */
+    public String getDisplayName() {
+        return (String) getAttribute(CommonProfileDefinition.DISPLAY_NAME);
+    }
+
+    /**
+     * Return the username of the user. It can be a login or a specific username.
+     *
+     * @return the username of the user
+     */
+    public String getUsername() {
+        Object username = getAttribute(Pac4jConstants.USERNAME);
+        if (username instanceof Collection) {
+            return (String) ((Collection)username).toArray()[0];
+        } else {
+            return (String) username;
+        }
+    }
+
+    /**
+     * Return the gender of the user.
+     *
+     * @return the gender of the user
+     */
+    public Gender getGender() {
+        final Gender gender = (Gender) getAttribute(CommonProfileDefinition.GENDER);
+        if (gender == null) {
+            return Gender.UNSPECIFIED;
+        } else {
+            return gender;
+        }
+    }
+
+    /**
+     * Return the locale of the user.
+     *
+     * @return the locale of the user
+     */
+    public Locale getLocale() {
+        return (Locale) getAttribute(CommonProfileDefinition.LOCALE);
+    }
+
+    /**
+     * Return the url of the picture of the user.
+     *
+     * @return the url of the picture of the user.
+     */
+    public URI getPictureUrl() {
+        return (URI) getAttribute(CommonProfileDefinition.PICTURE_URL);
+    }
+
+    /**
+     * Return the url of the profile of the user.
+     *
+     * @return the url of the profile of the user.
+     */
+    public URI getProfileUrl() {
+        return (URI) getAttribute(CommonProfileDefinition.PROFILE_URL);
+    }
+
+    /**
+     * Return the location of the user.
+     *
+     * @return the location of the user
+     */
+    public String getLocation() {
+        return (String) getAttribute(CommonProfileDefinition.LOCATION);
+    }
+
+    public Principal asPrincipal() {
+        return new Pac4JPrincipal(this);
+    }
+
+    public boolean isExpired() {
+        return false;
+    }
+}

pac4j-module/src/test/docker/conf/application.yml

@@ -1,3 +1,6 @@
+spring:
+  profiles:
+    include: dev
 server:
   port: 8443
   ssl: