From caabfd7f7299e31f31325dab59d26e9ad0de712d Mon Sep 17 00:00:00 2001
From: Jj!
Date: Tue, 12 Feb 2019 11:59:51 -0600
Subject: [PATCH 1/3] [SHIBUI-1220] bug configuration
---
 .../src/test/docker/conf/application.yml | 111 ++++++++++++++++++
 1 file changed, 111 insertions(+)
diff --git a/pac4j-module/src/test/docker/conf/application.yml b/pac4j-module/src/test/docker/conf/application.yml
index 54c9c0a6b..e5986c1c1 100644
--- a/pac4j-module/src/test/docker/conf/application.yml
+++ b/pac4j-module/src/test/docker/conf/application.yml
@@ -26,6 +26,117 @@ shibui:
 firstName: urn:oid:2.5.4.42
 lastName: urn:oid:2.5.4.4
 email: urn:oid:0.9.2342.19200300.100.1.3
+custom:
+ attributes:
+ # Default attributes
+ - name: eduPersonPrincipalName
+ displayName: label.attribute-eduPersonPrincipalName
+ - name: uid
+ displayName: label.attribute-uid
+ - name: mail
+ displayName: label.attribute-mail
+ - name: surname
+ displayName: label.attribute-surname
+ - name: givenName
+ displayName: label.attribute-givenName
+ - name: eduPersonAffiliation
+ displayName: label.attribute-eduPersonAffiliation
+ - name: eduPersonScopedAffiliation
+ displayName: label.attribute-eduPersonScopedAffiliation
+ - name: eduPersonPrimaryAffiliation
+ displayName: label.attribute-eduPersonPrimaryAffiliation
+ - name: eduPersonEntitlement
+ displayName: label.attribute-eduPersonEntitlement
+ - name: eduPersonAssurance
+ displayName: label.attribute-eduPersonAssurance
+ - name: eduPersonUniqueId
+ displayName: label.attribute-eduPersonUniqueId
+ - name: employeeNumber
+ displayName: label.attribute-employeeNumber
+ # Custom attributes
+ overrides:
+ # Default overrides
+ - name: signAssertion
+ displayName: label.sign-the-assertion
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.sign-assertion
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
+ attributeFriendlyName: signAssertions
+ - name: dontSignResponse
+ displayName: label.dont-sign-the-response
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.dont-sign-response
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
+ attributeFriendlyName: signResponses
+ - name: turnOffEncryption
+ displayName: label.turn-off-encryption-of-response
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.turn-off-encryption
+ attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
+ attributeFriendlyName: encryptAssertions
+ - name: useSha
+ displayName: label.use-sha1-signing-algorithm
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.usa-sha-algorithm
+ persistType: string
+ persistValue: shibboleth.SecurityConfiguration.SHA1
+ attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+ attributeFriendlyName: securityConfiguration
+ - name: ignoreAuthenticationMethod
+ displayName: label.ignore-any-sp-requested-authentication-method
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.ignore-auth-method
+ persistType: string
+ persistValue: 0x1
+ attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+ attributeFriendlyName: disallowedFeatures
+ - name: omitNotBefore
+ displayName: label.omit-not-before-condition
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.omit-not-before-condition
+ attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
+ attributeFriendlyName: includeConditionsNotBefore
+ - name: responderId
+ displayName: label.responder-id
+ displayType: string
+ defaultValue: null
+ helpText: tooltip.responder-id
+ attributeName: http://shibboleth.net/ns/profiles/responderId
+ attributeFriendlyName: responderId
+ - name: nameIdFormats
+ displayName: label.nameid-format-to-send
+ displayType: set
+ helpText: tooltip.nameid-format
+ defaultValues:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
+ attributeFriendlyName: nameIDFormatPrecedence
+ - name: authenticationMethods
+ displayName: label.authentication-methods-to-use
+ displayType: set
+ helpText: tooltip.authentication-methods-to-use
+ defaultValues:
+ - https://refeds.org/profile/mfa
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+ attributeFriendlyName: defaultAuthenticationMethods
+ - name: forceAuthn
+ displayName: label.force-authn
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.force-authn
+ attributeName: http://shibboleth.net/ns/profiles/forceAuthn
+ attributeFriendlyName: forceAuthn
 logging:
 level:
 org.pac4j: "TRACE"
From a098276a9c3a90021958337b241fe011c08d2f7d Mon Sep 17 00:00:00 2001
From: Bill Smith
Date: Tue, 12 Feb 2019 13:33:22 -0700
Subject: [PATCH 2/3] [SHIBUI-1220] Refactored getValueFromXSStringOrXSAny to getValueFromXMLObject which now supports Any, String, and Boolean. Includes tests.
---
 .../JPAEntityDescriptorServiceImpl.java | 22 +++++---
 ...JPAEntityDescriptorServiceImplTests.groovy | 56 +++++++++++++++++++
 2 files changed, 70 insertions(+), 8 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
index e21be8a29..6bf5ac294 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
@@ -522,7 +522,7 @@ public EntityDescriptorRepresentation createRepresentationFromDescriptor(org.ope
 if (jpaAttribute.getAttributeValues().size() != 1) {
 throw new RuntimeException("Multiple/No values detected where one is expected!");
 }
- attributeValues = getValueFromXSStringOrXSAny(jpaAttribute.getAttributeValues().get(0));
+ attributeValues = getValueFromXMLObject(jpaAttribute.getAttributeValues().get(0));
 break;
 case INTEGER:
 if (jpaAttribute.getAttributeValues().size() != 1) {
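Review bot: The `useSha` override persists `shibboleth.SecurityConfiguration.SHA1` with nothing in the hunk marking it as a legacy compatibility switch, so an operator who flips it in the UI gets no hint in the configuration that it downgrades signature strength for that relying party; `tooltip.usa-sha-algorithm` is only an i18n key and its text is not visible here. A comment directly above the entry, `# Legacy: switches this SP to SHA-1 signing; keep false unless the SP cannot verify SHA-256`, would carry that intent with the setting. The `attributeName` URIs suggest this block mirrors the application's built-in override list (inferred, not visible here); if so, a one-line comment under `custom:` saying which copy is authoritative would help keep the two from drifting.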
@@ -536,7 +536,7 @@ public EntityDescriptorRepresentation createRepresentationFromDescriptor(org.ope
 }
 if (overrideProperty.getPersistType() != null && !overrideProperty.getPersistType().equals(overrideProperty.getDisplayType())) {
- attributeValues = getValueFromXSStringOrXSAny(jpaAttribute.getAttributeValues().get(0));
+ attributeValues = getValueFromXMLObject(jpaAttribute.getAttributeValues().get(0));
 } else {
 attributeValues = Boolean.valueOf(((XSBoolean) jpaAttribute.getAttributeValues()
 .get(0)).getStoredValue());
@@ -545,7 +545,7 @@ public EntityDescriptorRepresentation createRepresentationFromDescriptor(org.ope
 case SET:
 case LIST:
 attributeValues = jpaAttribute.getAttributeValues().stream()
- .map(attributeValue -> getValueFromXSStringOrXSAny(attributeValue))
+ .map(attributeValue -> getValueFromXMLObject(attributeValue))
 .collect(Collectors.toList());
 }
 relyingPartyOverrides.put(((RelyingPartyOverrideProperty) override.get()).getName(), attributeValues);
@@ -559,11 +559,17 @@ public EntityDescriptorRepresentation createRepresentationFromDescriptor(org.ope
 return representation;
 }
- private String getValueFromXSStringOrXSAny(XMLObject xmlObject) {
- if (xmlObject instanceof XSAny) {
- return ((XSAny)xmlObject).getTextContent();
- } else {
- return ((XSString)xmlObject).getValue();
+ private String getValueFromXMLObject(XMLObject xmlObject) {
+ String objectType = xmlObject.getClass().getSimpleName();
+ switch (objectType) {
+ case "XSAny":
+ return ((XSAny)xmlObject).getTextContent();
+ case "XSString":
+ return ((XSString)xmlObject).getValue();
+ case "XSBoolean":
+ return ((XSBoolean)xmlObject).getStoredValue();
+ default:
+ throw new RuntimeException(String.format("Unsupported XML Object type [%s]", objectType));
 }
 }
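Review bot: In the `@@ -559` hunk, `getValueFromXMLObject` now dispatches on `getClass().getSimpleName()`, which matches only the exact classes `XSAny`, `XSString` and `XSBoolean`; any subclass or runtime proxy of those types (a JPA lazy-load proxy, or an `...Impl` class if a different builder ever produces the value — both inferred, not visible here) carries a different simple name and falls into `default`, throwing where the replaced `instanceof` version returned the value. The string switch also drops the compile-time link between the check and the cast that follows it. Keeping one `instanceof` per supported type preserves the new XSBoolean support and the explicit failure for unknown types, and reporting `getClass().getName()` in the message makes the failing type unambiguous. A `null` element currently reaches `getClass()` and surfaces as a NullPointerException rather than the intended message, since the callers in the earlier hunks only check the list size; the rewrite below covers that case as well.
```java
    private String getValueFromXMLObject(XMLObject xmlObject) {
        // instanceof keeps subclasses and proxies of the supported types working
        if (xmlObject instanceof XSAny) {
            return ((XSAny) xmlObject).getTextContent();
        }
        if (xmlObject instanceof XSString) {
            return ((XSString) xmlObject).getValue();
        }
        if (xmlObject instanceof XSBoolean) {
            return ((XSBoolean) xmlObject).getStoredValue();
        }
        throw new RuntimeException(String.format("Unsupported XML Object type [%s]",
                xmlObject == null ? "null" : xmlObject.getClass().getName()));
    }
```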
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy
index 8bec07d33..0c4057678 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy
@@ -6,7 +6,10 @@ import edu.internet2.tier.shibboleth.admin.ui.configuration.CoreShibUiConfigurat
 import edu.internet2.tier.shibboleth.admin.ui.configuration.CustomPropertiesConfiguration
 import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptor
 import edu.internet2.tier.shibboleth.admin.ui.domain.XSAny
+import edu.internet2.tier.shibboleth.admin.ui.domain.XSAnyBuilder
 import edu.internet2.tier.shibboleth.admin.ui.domain.XSBoolean
+import edu.internet2.tier.shibboleth.admin.ui.domain.XSBooleanBuilder
+import edu.internet2.tier.shibboleth.admin.ui.domain.XSStringBuilder
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.AssertionConsumerServiceRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.ContactRepresentation
 import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.EntityDescriptorRepresentation
@@ -786,6 +789,59 @@ class JPAEntityDescriptorServiceImplTests extends Specification {
 expectedVersion == actualVersion
 }
+ def "SHIBUI-1220 getValueFromXMLObject handles XSAny"() {
+ given:
+ def builder = new XSAnyBuilder()
+ def xsAny = builder.buildObject('namespace', 'localname', 'prefix')
+ def expectedTextContent = 'expectedTextContent'
+ xsAny.setTextContent(expectedTextContent)
+
+ when:
+ def result = service.getValueFromXMLObject(xsAny)
+
+ then:
+ result == expectedTextContent
+ }
+
+ def "SHIBUI-1220 getValueFromXMLObject handles XSString"() {
+ given:
+ def builder = new XSStringBuilder()
+ def xsString = builder.buildObject('namespace', 'localname', 'prefix')
+ def expectedValue = 'expectedValue'
+ xsString.setValue(expectedValue)
+
+ when:
+ def result = service.getValueFromXMLObject(xsString)
+
+ then:
+ result == expectedValue
+ }
+
+ def "SHIBUI-1220 getValueFromXMLObject handles XSBoolean"() {
+ given:
+ def builder = new XSBooleanBuilder()
+ def xsBoolean = builder.buildObject('namespace', 'localname', 'prefix')
+ def expectedValue = 'true'
+ xsBoolean.setStoredValue(expectedValue)
+
+ when:
+ def result = service.getValueFromXMLObject(xsBoolean)
+
+ then:
+ result == expectedValue
+ }
+
+ def "SHIBUI-1220 getValueFromXMLObject throws RuntimeException for unhandled object type"() {
+ given:
+ def unhandledObject = new Object()
+
+ when:
+ service.getValueFromXMLObject(unhandledObject)
+
+ then:
+ thrown RuntimeException
+ }
+
 EntityDescriptor generateRandomEntityDescriptor() {
 EntityDescriptor ed = new EntityDescriptor()
From 471886bb2a3decd57f6a39fbed7cdd4097ed045e Mon Sep 17 00:00:00 2001
From: Jj!
Date: Tue, 12 Feb 2019 15:16:15 -0600
Subject: [PATCH 3/3] [NOJIRA] update default configuration
---
 backend/src/main/resources/application.properties | 2 ++
 pac4j-module/src/test/docker/conf/users.csv | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 pac4j-module/src/test/docker/conf/users.csv
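Review bot: The unhandled-type test passes `new Object()` to a method whose parameter is declared as `XMLObject` (see the Java hunk), so under Groovy's dynamic dispatch the call most likely fails with a `MissingMethodException` before the `default` branch executes; that exception is itself a `RuntimeException`, so `thrown RuntimeException` passes without exercising the new code path. Passing an `XMLObject` implementation the switch does not cover, for example `def unhandledObject = Stub(XMLObject)`, and asserting on the message, `def e = thrown(RuntimeException)` followed by `e.message.contains('Unsupported XML Object type')`, would pin the intended behaviour. The enclosing `Specification` class starts and ends outside the hunk.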
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index ab466cce6..3a18fb01a 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
@@ -77,3 +77,5 @@ spring.mail.properties.mail.smtp.starttls.enable=false
 shibui.mail.text-email-template-path-prefix=/mail/text/
 shibui.mail.html.email-template-path-prefix=/mail/html/
 shibui.mail.system-email-address=doNotReply@shibui.org
+
+shibui.roles=ROLE_ADMIN,ROLE_USER,ROLE_NONE
diff --git a/pac4j-module/src/test/docker/conf/users.csv b/pac4j-module/src/test/docker/conf/users.csv
new file mode 100644
index 000000000..8dee02dd4
--- /dev/null
+++ b/pac4j-module/src/test/docker/conf/users.csv
@@ -0,0 +1 @@
+shibui-admin1,{bcrypt}$2a$10$ssM2LpFqceRQ/ta0JehGcu0BawFQDbxjQGSyVmKS6qa09hHLigtAO,test,test,ROLE_ADMIN,test@example.com
\ No newline at end of file
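Review bot: The new `users.csv` commits a bcrypt hash for `shibui-admin1` with `ROLE_ADMIN`, and the file has no header row, so neither the column layout (username, password hash, two name fields, role, email — inferred from the values) nor the fact that this is a docker test fixture is recorded anywhere in the hunk. If the loader tolerates a header line, `username,password,firstName,lastName,role,email` as the first row would document it in place; otherwise a short note beside the docker configuration stating the columns and that the credential is for the test harness only would keep the row from being copied into a real deployment. The file is also added without a trailing newline, which the diff flags; adding one keeps line-oriented readers and future diffs clean.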