SP-based authorization by entitlement attribute

docker · Jul 6, 2018 · aa58f72 · aa58f72
1 parent e69e92a
commit aa58f72
Showing 5 changed files with 47 additions and 2 deletions.
diff --git a/base/container_files/httpd/grouper-testapp.conf b/base/container_files/httpd/grouper-testapp.conf
@@ -2,10 +2,20 @@
   AuthType shibboleth
   ShibRequestSetting requireSession 1
   ShibRequireSession on
-  require shibboleth
+  Require shibboleth
 
   Options +ExecCGI
   AddHandler cgi-script .py
 
   DirectoryIndex index.py
+</Location>
+
+<Location /app/admin>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  ShibRequireSession on
+  Require shib-attr entitlement admin superuser
+  ErrorDocument 401 /app/accessError.html
+
+  DirectoryIndex index.html
 </Location>
diff --git a/base/container_files/seed-data/users.ldif b/base/container_files/seed-data/users.ldif
@@ -35,11 +35,13 @@ objectClass: organizationalPerson
 objectClass: person
 objectClass: top
 objectClass: inetOrgPerson
+objectClass: eduPerson
 givenName: Bob
 uid: banderson
 sn: Anderson
 cn: Bob Anderson
 userPassword: password
+eduPersonEntitlement: admin
 
 dn: cn=users,ou=Groups,dc=internet2,dc=edu
 objectClass: groupOfUniqueNames

diff --git a/base/container_files/shibboleth-idp/conf/attribute-filter.xml b/base/container_files/shibboleth-idp/conf/attribute-filter.xml
@@ -33,7 +33,7 @@
             <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
 
-        <afp:AttributeRule attributeID="eduPersonPrincipalEntitlement">
+        <afp:AttributeRule attributeID="eduPersonEntitlement">
             <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
 

diff --git a/base/container_files/var-www-html/app/accessError.html b/base/container_files/var-www-html/app/accessError.html
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html
+	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+	"DTD/xhtml1-strict.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
+
+	<title>Authorization Failed</title>
+</head>
+
+<body>
+
+<h1>Authorization Failed</h1>
+
+<p>
+Based on the information provided to this application about you, you are
+not authorized to access the resource because you are not an admin or superuser.
+</p>
+
+
+</body>
+</html>
diff --git a/base/container_files/var-www-html/app/admin/index.html b/base/container_files/var-www-html/app/admin/index.html
@@ -0,0 +1,9 @@
+<html>
+    <head>
+        <title>Secure Area</title>
+    </head>
+    <body>
+        <h1>Welcome to the Secure Area</h1>
+        <p>You are special so you were allowed in.</p>
+    </body>
+</html>