[SHIBUI-855]

Added backend support for forceAuthn to Relying Party Overrides.
TIER · Sep 24, 2018 · 99ca8f0 · 99ca8f0
1 parent 0d10c77
commit 99ca8f0
Show file tree

Hide file tree

Showing 7 changed files with 117 additions and 3 deletions.
diff --git a/...ternet2/tier/shibboleth/admin/ui/domain/frontend/RelyingPartyOverridesRepresentation.java b/...ternet2/tier/shibboleth/admin/ui/domain/frontend/RelyingPartyOverridesRepresentation.java
@@ -26,6 +26,8 @@ public class RelyingPartyOverridesRepresentation implements Serializable {
 
     private List<String> authenticationMethods = new ArrayList<>();
 
+    private boolean forceAuthn;
+
     public boolean isSignAssertion() {
         return signAssertion;
     }
@@ -97,4 +99,12 @@ public List<String> getAuthenticationMethods() {
     public void setAuthenticationMethods(List<String> authenticationMethods) {
         this.authenticationMethods = authenticationMethods;
     }
+
+    public boolean isForceAuthn() {
+        return forceAuthn;
+    }
+
+    public void setForceAuthn(boolean forceAuthn) {
+        this.forceAuthn = forceAuthn;
+    }
 }
diff --git a/...n/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java b/...n/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
@@ -530,6 +530,9 @@ public EntityDescriptorRepresentation createRepresentationFromDescriptor(org.ope
                     case MDDCConstants.RELEASE_ATTRIBUTES:
                         representation.setAttributeRelease(getStringListOfAttributeValues(attribute.getAttributeValues()));
                         break;
+                    case MDDCConstants.FORCE_AUTHN:
+                        relyingPartyOverridesRepresentation.setForceAuthn(getBooleanValueOfAttribute(jpaAttribute));
+                        break;
                     default:
                         break;
                 }

diff --git a/...nd/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityServiceImpl.java b/...nd/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityServiceImpl.java
@@ -26,6 +26,11 @@ public JPAEntityServiceImpl(OpenSamlObjects openSamlObjects) {
         this.openSamlObjects = openSamlObjects;
     }
 
+    public JPAEntityServiceImpl(OpenSamlObjects openSamlObjects, AttributeUtility attributeUtility) {
+        this.openSamlObjects = openSamlObjects;
+        this.attributeUtility = attributeUtility;
+    }
+
     @Override
     public List<Attribute> getAttributeListFromEntityRepresentation(EntityDescriptorRepresentation entityDescriptorRepresentation) {
         List<edu.internet2.tier.shibboleth.admin.ui.domain.Attribute> list = new ArrayList<>();
@@ -109,6 +114,9 @@ public List<Attribute> getAttributeListFromRelyingPartyOverridesRepresentation(R
             if (relyingPartyOverridesRepresentation.getAuthenticationMethods() != null && relyingPartyOverridesRepresentation.getAuthenticationMethods().size() > 0) {
                 list.add(attributeUtility.createAttributeWithArbitraryValues(MDDCConstants.DEFAULT_AUTHENTICATION_METHODS, MDDCConstants.DEFAULT_AUTHENTICATION_METHODS_FN, relyingPartyOverridesRepresentation.getAuthenticationMethods()));
             }
+            if (relyingPartyOverridesRepresentation.isForceAuthn()) {
+                list.add(attributeUtility.createAttributeWithBooleanValue(MDDCConstants.FORCE_AUTHN, MDDCConstants.FORCE_AUTHN_FN, true));
+            }
         }
 
         return (List<Attribute>)(List<? extends Attribute>)list;

diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/MDDCConstants.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/MDDCConstants.java
@@ -36,6 +36,9 @@ public class MDDCConstants {
     public static final String DEFAULT_AUTHENTICATION_METHODS = "http://shibboleth.net/ns/profiles/defaultAuthenticationMethods";
     public static final String DEFAULT_AUTHENTICATION_METHODS_FN = "defaultAuthenticationMethods";
 
+    public static final String FORCE_AUTHN = "http://shibboleth.net/ns/profiles/forceAuthn";
+    public static final String FORCE_AUTHN_FN = "forceAuthn";
+
     public static final Map<String, String> PROTOCOL_BINDINGS;
 
     static {

diff --git a/.../edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy b/.../edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy
@@ -457,7 +457,8 @@ class EntityDescriptorControllerTests extends Specification {
 		"omitNotBefore": false,
 		"responderId": null,
 		"nameIdFormats": [],
-		"authenticationMethods": []
+		"authenticationMethods": [],
+		"forceAuthn": false
 	},
 	"attributeRelease": [
 		"givenName",
@@ -585,7 +586,8 @@ class EntityDescriptorControllerTests extends Specification {
 		"omitNotBefore": false,
 		"responderId": null,
 		"nameIdFormats": [],
-		"authenticationMethods": []
+		"authenticationMethods": [],
+		"forceAuthn": false
 	},
 	"attributeRelease": [
 		"givenName",

diff --git a/...edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy b/...edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy
@@ -10,11 +10,13 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.EntityDescriptorRe
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.LogoutEndpointRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.MduiRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.OrganizationRepresentation
+import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.RelyingPartyOverridesRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.SecurityInfoRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.ServiceProviderSsoDescriptorRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.opensaml.OpenSamlObjects
 import edu.internet2.tier.shibboleth.admin.ui.util.RandomGenerator
 import edu.internet2.tier.shibboleth.admin.ui.util.TestObjectGenerator
+import edu.internet2.tier.shibboleth.admin.util.AttributeUtility
 import org.springframework.boot.test.json.JacksonTester
 import org.xmlunit.builder.DiffBuilder
 import org.xmlunit.builder.Input
@@ -31,7 +33,8 @@ class JPAEntityDescriptorServiceImplTests extends Specification {
         it
     }
 
-    def service = new JPAEntityDescriptorServiceImpl(openSamlObjects, new JPAEntityServiceImpl(openSamlObjects))
+    def service = new JPAEntityDescriptorServiceImpl(openSamlObjects,
+            new JPAEntityServiceImpl(openSamlObjects, new AttributeUtility(openSamlObjects)))
 
     JacksonTester<EntityDescriptorRepresentation> jacksonTester
 
@@ -447,6 +450,46 @@ class JPAEntityDescriptorServiceImplTests extends Specification {
         !diff.hasDifferences()
     }
 
+    def "SHIBUI-855, generate forceAuthn XML"() {
+        when:
+
+        def expected = '''
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://test.example.org/test1">
+  <md:Extensions>
+    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
+      <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="forceAuthn" Name="http://shibboleth.net/ns/profiles/forceAuthn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:boolean">true</saml2:AttributeValue>
+      </saml2:Attribute>
+    </mdattr:EntityAttributes>
+  </md:Extensions>
+</md:EntityDescriptor>
+'''
+
+        def test = openSamlObjects.marshalToXmlString(service.createDescriptorFromRepresentation(new EntityDescriptorRepresentation().with {
+            it.entityId = 'http://test.example.org/test1'
+            it.relyingPartyOverrides = new RelyingPartyOverridesRepresentation().with {
+                it.forceAuthn = true;
+                it
+            }
+            it
+        }))
+
+        def diff = DiffBuilder.compare(Input.fromString(expected)).withTest(Input.fromString(test)).ignoreComments().ignoreWhitespace().build()
+
+        then:
+        !diff.hasDifferences()
+    }
+
+
+    def "SHIBUI-855, read forceAuthn from json"() {
+        when:
+        def representation = new ObjectMapper().readValue(this.class.getResource('/json/SHIBUI-855.json').bytes, EntityDescriptorRepresentation)
+        def output = service.createRepresentationFromDescriptor(service.createDescriptorFromRepresentation(representation))
+
+        then:
+        assert output.relyingPartyOverrides?.forceAuthn == true
+    }
+
     def "test ACS configuration"() {
         when:
         def expected = '''

diff --git a/backend/src/test/resources/json/SHIBUI-855.json b/backend/src/test/resources/json/SHIBUI-855.json
@@ -0,0 +1,45 @@
+{
+  "id": "",
+  "entityId": "test",
+  "serviceProviderName": "test",
+  "organization": {
+    "name": null,
+    "displayName": null,
+    "url": null
+  },
+  "contacts": [],
+  "mdui": {
+    "displayName": null,
+    "informationUrl": null,
+    "privacyStatementUrl": null,
+    "description": null,
+    "logoUrl": null,
+    "logoHeight": null,
+    "logoWidth": null
+  },
+  "securityInfo": {
+    "x509CertificateAvailable": false,
+    "authenticationRequestsSigned": false,
+    "wantAssertionsSigned": false,
+    "x509Certificates": []
+  },
+  "assertionConsumerServices": [
+    {
+      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+      "locationUrl": "test",
+      "makeDefault": true
+    }
+  ],
+  "serviceProviderSsoDescriptor": {
+    "protocolSupportEnum": null,
+    "nameIdFormats": []
+  },
+  "logoutEndpoints": [],
+  "serviceEnabled": false,
+  "relyingPartyOverrides": {
+    "nameIdFormats": [],
+    "authenticationMethods": [],
+    "forceAuthn": true
+  },
+  "attributeRelease": []
+}