From aa58f72e7192de0019dcdf4a4abb7f87a4e661a0 Mon Sep 17 00:00:00 2001
From: John Gasper
Date: Thu, 5 Jul 2018 17:10:17 -0700
Subject: [PATCH] SP-based authorization by entitlement attribute
---
 .../httpd/grouper-testapp.conf | 12 +++++++++-
 base/container_files/seed-data/users.ldif | 2 ++
 .../shibboleth-idp/conf/attribute-filter.xml | 2 +-
 .../var-www-html/app/accessError.html | 24 +++++++++++++++++++
 .../var-www-html/app/admin/index.html | 9 +++++++
 5 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 base/container_files/var-www-html/app/accessError.html
 create mode 100644 base/container_files/var-www-html/app/admin/index.html
diff --git a/base/container_files/httpd/grouper-testapp.conf b/base/container_files/httpd/grouper-testapp.conf
index ccec3ab..933a741 100644
--- a/base/container_files/httpd/grouper-testapp.conf
+++ b/base/container_files/httpd/grouper-testapp.conf
@@ -2,10 +2,20 @@ AuthType shibboleth
 ShibRequestSetting requireSession 1
 ShibRequireSession on
- require shibboleth
+ Require shibboleth
 Options +ExecCGI
 AddHandler cgi-script .py
 DirectoryIndex index.py
+
+
+
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ ShibRequireSession on
+ Require shib-attr entitlement admin superuser
+ ErrorDocument 401 /app/accessError.html
+
+
 DirectoryIndex index.html
\ No newline at end of file
diff --git a/base/container_files/seed-data/users.ldif b/base/container_files/seed-data/users.ldif
index e5dd0b5..7f6e648 100644
--- a/base/container_files/seed-data/users.ldif
+++ b/base/container_files/seed-data/users.ldif
@@ -35,11 +35,13 @@ objectClass: organizationalPerson
 objectClass: person
 objectClass: top
 objectClass: inetOrgPerson
+objectClass: eduPerson
 givenName: Bob
 uid: banderson
 sn: Anderson
 cn: Bob Anderson
 userPassword: password
+eduPersonEntitlement: admin
 dn: cn=users,ou=Groups,dc=internet2,dc=edu
 objectClass: groupOfUniqueNames
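Review bot: `ErrorDocument 401 /app/accessError.html` in the new /app/admin block is registered for 401 only, but a user who already holds a Shibboleth session and merely lacks the admin/superuser entitlement is failing authorization, which Apache's authz framework normally reports as 403 rather than 401; unless the SP maps that case to 401 in this deployment, the custom page will not be shown for exactly the situation its text describes. Registering it for both, e.g. adding `ErrorDocument 403 /app/accessError.html` next to the existing line, covers either outcome. The `entitlement` id in `Require shib-attr entitlement admin superuser` is the SP's attribute-map id rather than the LDAP or IdP attribute name, so the SP-side mapping of eduPersonEntitlement to `entitlement` has to exist, and it is not part of this patch. `ShibRequestSetting requireSession 1` and `ShibRequireSession on` are two spellings of the same setting, so one of them can go. The opening and closing `<Location>` tags of both blocks are not visible in the hunk.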
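Review bot: `eduPersonEntitlement: admin` uses a bare word where the eduPerson schema defines the attribute's values as URIs (a `urn:mace:`-style value is the usual form), so if the IdP ever releases this attribute to another SP the value is indistinguishable from an unrelated service's "admin". For a seed user in a test deployment this works, but the SP-side `Require shib-attr` check is an exact string comparison, so the two sides must be kept in step by hand. A comment above the new line makes that coupling visible: `# released to the test SP as 'entitlement'; must match the Require shib-attr values in grouper-testapp.conf`.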
diff --git a/base/container_files/shibboleth-idp/conf/attribute-filter.xml b/base/container_files/shibboleth-idp/conf/attribute-filter.xml
index 8e0e88f..9d78f5b 100644
--- a/base/container_files/shibboleth-idp/conf/attribute-filter.xml
+++ b/base/container_files/shibboleth-idp/conf/attribute-filter.xml
@@ -33,7 +33,7 @@
-
+
diff --git a/base/container_files/var-www-html/app/accessError.html b/base/container_files/var-www-html/app/accessError.html
new file mode 100644
index 0000000..6643c5a
--- /dev/null
+++ b/base/container_files/var-www-html/app/accessError.html
@@ -0,0 +1,24 @@
+
+
+
+
+
+
+
+ Authorization Failed
+
+
+
+
+

Authorization Failed

+
+

+Based on the information provided to this application about you, you are
+not authorized to access the resource because you are not an admin or superuser.

+
+
+
+
\ No newline at end of file
diff --git a/base/container_files/var-www-html/app/admin/index.html b/base/container_files/var-www-html/app/admin/index.html
new file mode 100644
index 0000000..36a3866
--- /dev/null
+++ b/base/container_files/var-www-html/app/admin/index.html
@@ -0,0 +1,9 @@
+
+
+ Secure Area
+
+
+
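Review bot: The body text of accessError.html hard-codes the authorization rule ("because you are not an admin or superuser"), so it is a second copy of `Require shib-attr entitlement admin superuser` from grouper-testapp.conf and will silently go stale when that rule changes. A wording that does not restate the rule avoids the drift, e.g. `not authorized to access the resource because you do not hold an entitlement that grants access to this area.`. The file is also written without a trailing newline (the `\ No newline at end of file` marker), which the new admin/index.html in this patch shares; adding one keeps future diffs of these files clean.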

Welcome to the Secure Area

+

You are special so you were allowed in.

+
+
\ No newline at end of file