diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
index 19b4c10cb..cec77325e 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -252,7 +252,7 @@
-
+
@@ -337,8 +337,6 @@
-
-
@@ -362,7 +360,7 @@
-
+
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/mdc/RemoteAddressMDCFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/mdc/RemoteAddressMDCFilter.java
index 9739424f1..63db4f10f 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/mdc/RemoteAddressMDCFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/mdc/RemoteAddressMDCFilter.java
@@ -20,10 +20,10 @@ public class RemoteAddressMDCFilter {
"REMOTE_ADDR"
};
- private static final String REMOTE_ADDR = "remoteAddr";
+ private static final String REMOTE_ADDRESS = "remoteAddr";
public void doFilter(ServletRequest servletRequest) {
- MDC.put(REMOTE_ADDR, getRemoteAddr((HttpServletRequest) servletRequest));
+ MDC.put(REMOTE_ADDRESS, getRemoteAddr((HttpServletRequest) servletRequest));
}
private String getRemoteAddr(HttpServletRequest request) {
@@ -37,7 +37,7 @@ public class RemoteAddressMDCFilter {
return ipList.split(",")[0];
}
}
- return "";
+ return "-";
}
}
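Review bot: The value placed in the MDC comes straight from a proxy header list (`ipList.split(",")[0]`, the context line above the changed return), so when the reverse proxy does not overwrite that header the logged `remoteAddr` is whatever the client sent; the new `"-"` fallback only covers the case where no header was present at all. A syntactic check before use — e.g. `String first = ipList.split(",")[0].trim();` followed by a strict IPv4/IPv6 literal test, returning `"-"` when it fails — keeps newlines or other free text from a header out of the log context. `getRemoteAddr` starts outside the hunk, so the header lookup order itself is not visible here.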
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/PerunConstants.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/PerunConstants.java
new file mode 100644
index 000000000..b0463689c
--- /dev/null
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/PerunConstants.java
@@ -0,0 +1,11 @@
+package cz.muni.ics.oidc;
+
+public interface PerunConstants {
+
+ String REGISTRAR_TARGET_NEW = "targetnew";
+ String REGISTRAR_TARGET_EXISTING = "targetexisting";
+ String REGISTRAR_TARGET_EXTENDED = "targetextended";
+
+ String REGISTRAR_PARAM_VO = "vo";
+
+}
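Review bot: `PerunConstants` is an interface that exists only to hold constants — the constant-interface anti-pattern: implementing it leaks the names into a class's public API, and the members cannot be hidden or guarded by a private constructor. The new `AuthProcFilterConstants.java` later in this commit has the same shape, and every use in the diff already references members through static imports or the type name, so nothing relies on implementing either interface. A `final` class with a private constructor gives the same call sites: `public final class PerunConstants {` / `private PerunConstants() {}` / `public static final String REGISTRAR_TARGET_NEW = "targetnew";`.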
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunHTTPRedirectDeflateEncoder.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunHTTPRedirectDeflateEncoder.java
index d325f1f3a..82de4ada5 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunHTTPRedirectDeflateEncoder.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunHTTPRedirectDeflateEncoder.java
@@ -7,7 +7,7 @@ import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.util.Pair;
import org.springframework.util.StringUtils;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AARC_IDP_HINT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.AARC_IDP_HINT;
public class PerunHTTPRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder {
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunOidcLogoutSuccessHandler.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunOidcLogoutSuccessHandler.java
index 3c2dcea93..ca1ad9f8e 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunOidcLogoutSuccessHandler.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunOidcLogoutSuccessHandler.java
@@ -1,7 +1,7 @@
package cz.muni.ics.oidc.saml;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_STATE;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
index 4e2b33ce3..f8861ae29 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
@@ -1,20 +1,20 @@
package cz.muni.ics.oidc.saml;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AARC_IDP_HINT;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.CLIENT_ID_PREFIX;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.EFILTER_PREFIX;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.FILTER_PREFIX;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.IDP_ENTITY_ID_PREFIX;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_CLIENT_ID;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_PROMPT;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.REFEDS_MFA;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.AARC_IDP_HINT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.CLIENT_ID_PREFIX;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.EFILTER_PREFIX;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.FILTER_PREFIX;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.IDP_ENTITY_ID_PREFIX;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_CLIENT_ID;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_PROMPT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.REFEDS_MFA;
import cz.muni.ics.oidc.models.Facility;
import cz.muni.ics.oidc.models.PerunAttributeValue;
import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
-import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterConstants;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
@@ -160,12 +160,12 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
}
private void processAcrValues(HttpServletRequest request, WebSSOProfileOptions options) {
- String acrValues = request.getParameter(PerunFilterConstants.PARAM_ACR_VALUES);
+ String acrValues = request.getParameter(AuthProcFilterConstants.PARAM_ACR_VALUES);
log.debug("Processing acr_values parameter: {}", acrValues);
List acrs = convertAcrValuesToList(acrValues);
if (!hasAcrForcingIdp(acrs)) {
- String clientId = request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID);
+ String clientId = request.getParameter(AuthProcFilterConstants.PARAM_CLIENT_ID);
String idpFilter = extractIdpFilterForRp(clientId);
if (idpFilter != null) {
log.debug("Added IdP filter as SAML AuthnContextClassRef ({})", idpFilter);
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlUtils.java
index 8742fe6f4..530c6a5e8 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlUtils.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlUtils.java
@@ -1,12 +1,12 @@
package cz.muni.ics.oidc.saml;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_ACR_VALUES;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_PROMPT;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PROMPT_LOGIN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PROMPT_SELECT_ACCOUNT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_ACR_VALUES;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_FORCE_AUTHN;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_PROMPT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PROMPT_LOGIN;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PROMPT_SELECT_ACCOUNT;
-import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterConstants;
import javax.servlet.ServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.StringUtils;
@@ -32,7 +32,7 @@ public class PerunSamlUtils {
public static boolean needsReAuthByMfa(ServletRequest request) {
String acrValues = request.getParameter(PARAM_ACR_VALUES);
boolean res = StringUtils.hasText(acrValues)
- && acrValues.contains(PerunFilterConstants.REFEDS_MFA);
+ && acrValues.contains(AuthProcFilterConstants.REFEDS_MFA);
log.debug("requires reAuth by MFA acr - {}", res);
return res;
}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java
index d736dc4f8..120e6a5c1 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java
@@ -1,31 +1,37 @@
package cz.muni.ics.oidc.server.filters;
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
+import cz.muni.ics.oidc.saml.SamlProperties;
import java.io.IOException;
-import java.security.Principal;
import java.util.Arrays;
+import java.util.Collections;
import java.util.HashSet;
+import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
/**
- * Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this.
- *
- * Configuration of filter names:
- *
- * - filter.names - comma separated list of names of the request filters
- *
+ * Abstract class for Perun AuthProc filters. All filters defined and called in the
+ * {@link cz.muni.ics.oidc.server.filters.AuthProcFiltersContainer} instance have to extend this base class.
*
* Configuration of filter (replace [name] part with the name defined for the filter):
*
* - filter.[name].class - Class the filter instantiates
- * - filter.[name].subs - comma separated list of sub values for which execution of filter will be skipped
- * if user's SUB is in the list
- * - filter.[name].clientIds - comma separated list of client_id values for which execution of filter
- * will be skipped if client_id is in the list
+ * - filter.[name].skip_for_users - comma separated list of users for whom the execution of the filter
+ * will be skipped if the users' SUB matches any value in the list
+ * - filter.[name].skip_for_clients - comma separated list of clients for which the execution of the filter
+ * will be skipped if the CLIENT_ID matches any value in the list
+ * - filter.[name].execute_for_users - comma separated list of users for whom the filter will be executed
+ * if the users' SUB matches any value in the list
+ * - filter.[name].execute_for_clients - comma separated list of clients for whom the filter will be executed
+ * if the CLIENT_ID matches any value in the list
*
+ * NOTE: if none of the SKIP/EXECUTE conditions is specified (or the lists are empty), filter is run for all users
+ * and all clients
*
* @see cz.muni.ics.oidc.server.filters.impl package for specific filters and their configuration
*
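Review bot: The new `execute_for_users`/`execute_for_clients` description reads as an allow-list, but the `skip()` rewrite in a later hunk of this file (`return !explicitExecution && explicitSkip;`) only uses those lists to override a skip rule: a request matching neither an execute nor a skip entry still runs the filter. An operator who configures only `execute_for_clients` therefore gets the filter on every client, which for a filter that gates authorization is the opposite of what the wording suggests. Please say so explicitly, e.g. `* NOTE: execute_for_* lists do not restrict the filter; they only take precedence over a matching skip_for_* entry.`, and mention that the legacy `subs`/`clientIds` keys are still honoured as aliases for the skip lists (see `initializeExecutionRulesLists`).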
@@ -33,33 +39,57 @@ import lombok.extern.slf4j.Slf4j;
* @author Dominik Frantisek Bucik
*/
@Slf4j
+@Getter
public abstract class AuthProcFilter {
+ public static final String APPLIED = "APPLIED_";
+
private static final String DELIMITER = ",";
- private static final String CLIENT_IDS = "clientIds";
+ private static final String EXECUTE = "execute";
+ private static final String EXECUTE_FOR_CLIENTS = "execute_for_clients";
+ private static final String EXECUTE_FOR_USERS = "execute_for_users";
+ private static final String SKIP_FOR_CLIENTS = "skip_for_clients";
+ private static final String SKIP_FOR_USERS = "skip_for_users";
private static final String SUBS = "subs";
+ private static final String CLIENT_IDS = "clientIds";
private final String filterName;
- private Set clientIds = new HashSet<>();
- private Set subs = new HashSet<>();
+ private final Set executeForClients = new HashSet<>();
+ private final Set executeForUsers = new HashSet<>();
+ private final Set skipForClients = new HashSet<>();
+ private final Set skipForUsers = new HashSet<>();
- public AuthProcFilter(AuthProcFilterParams params) {
- filterName = params.getFilterName();
+ private final SamlProperties samlProperties;
- if (params.hasProperty(CLIENT_IDS)) {
- this.clientIds = new HashSet<>(Arrays.asList(params.getProperty(CLIENT_IDS).split(DELIMITER)));
+ public AuthProcFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
+ filterName = ctx.getFilterName();
+ this.samlProperties = ctx.getBeanUtil().getBean(SamlProperties.class);
+ initializeExecutionRulesLists(ctx);
+
+ if (!Collections.disjoint(executeForClients, skipForClients)) {
+ throw new ConfigurationException("Filter '" + filterName + "' is configured to be run and skipped for the same client");
+ } else if (!Collections.disjoint(executeForUsers, skipForUsers)) {
+ throw new ConfigurationException("Filter '" + filterName + "' is configured to be run and skipped for the same user");
}
- if (params.hasProperty(SUBS)) {
- this.subs = new HashSet<>(Arrays.asList(params.getProperty(SUBS).split(DELIMITER)));
+ log.info("{} - filter initialized", filterName);
+ if (!skipForUsers.isEmpty()) {
+ log.info("{} - skip execution for users with SUB in: '{}'", filterName, skipForUsers);
+ }
+ if (!skipForClients.isEmpty()) {
+ log.info("{} - skip execution for clients with CLIENT_ID in: '{}'", filterName, skipForClients);
+ }
+ if (!executeForUsers.isEmpty()) {
+ log.info("{} - execute for users with SUB in: '{}'", filterName, executeForUsers);
+ }
+ if (!executeForClients.isEmpty()) {
+ log.info("{} - execute for clients with CLIENT_ID in: '{}'", filterName, executeForClients);
}
-
- log.debug("{} - filter initialized", filterName);
- log.debug("{} - skip execution for users with SUB in: {}", filterName, subs);
- log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds);
}
- protected abstract String getSessionAppliedParamName();
+ protected String getSessionAppliedParamName() {
+ return APPLIED + getClass().getSimpleName() + '_' + getFilterName();
+ }
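Review bot: The class-level `@Getter` added in this hunk generates public getters for `executeForClients`, `executeForUsers`, `skipForClients`, `skipForUsers` and `samlProperties`, so the rule sets that decide whether an AuthProc filter runs are handed out as live mutable `HashSet`s to every subclass and caller. The class itself only needs `getFilterName()` (used in `getSessionAppliedParamName()`), so either keep `@Getter` on `filterName` alone or mark the four sets `@Getter(AccessLevel.NONE)` and expose them through `Collections.unmodifiableSet(...)` accessors, so no filter implementation can alter another filter's rules at runtime. The overlap check with `Collections.disjoint` and the `ConfigurationException` on conflict are a good fail-fast addition.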
/**
* In this method is done whole logic of filer
@@ -69,10 +99,10 @@ public abstract class AuthProcFilter {
* @return boolean if filter was successfully done
* @throws IOException this exception could be thrown because of failed or interrupted I/O operation
*/
- protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, FilterParams params)
+ protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, AuthProcFilterCommonVars params)
throws IOException;
- public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
+ public boolean doFilter(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) throws IOException {
if (!skip(req)) {
log.trace("{} - executing filter", filterName);
return process(req, res, params);
@@ -81,14 +111,18 @@ public abstract class AuthProcFilter {
}
}
- private boolean skip(HttpServletRequest request) {
- if (hasBeenApplied(request.getSession(true))) {
+ private boolean skip(HttpServletRequest req) {
+ if (hasBeenApplied(req.getSession(true))) {
return true;
}
log.debug("{} - marking filter as applied", filterName);
- request.getSession(true).setAttribute(getSessionAppliedParamName(), true);
- return skipForSub(request.getUserPrincipal())
- || skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID));
+ req.getSession(true).setAttribute(getSessionAppliedParamName(), true);
+ String sub = FiltersUtils.getUserIdentifier(req, samlProperties.getUserIdentifierAttribute());
+ String clientId = FiltersUtils.getClientId(req);
+
+ boolean explicitExecution = executeForSub(sub) || executeForClientId(clientId);
+ boolean explicitSkip = skipForClientId(clientId) || skipForSub(sub);
+ return !explicitExecution && explicitSkip;
}
private boolean hasBeenApplied(HttpSession sess) {
@@ -100,21 +134,45 @@ public abstract class AuthProcFilter {
return false;
}
- private boolean skipForSub(Principal p) {
- String sub = (p != null) ? p.getName() : null;
- if (sub != null && subs.contains(sub)) {
- log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub);
- return true;
- }
- return false;
+ private boolean executeForSub(String sub) {
+ return checkRule(sub, executeForUsers, "{} - execute filter: matched one of the explicit SUBS ({})");
+ }
+
+ private boolean executeForClientId(String clientId) {
+ return checkRule(clientId, executeForClients, "{} - execute filter: matched one of the explicit CLIENT_IDS ({})");
+ }
+
+ private boolean skipForSub(String sub) {
+ return checkRule(sub, skipForUsers, "{} - skip filter execution: matched one of the ignored SUBS ({})");
}
private boolean skipForClientId(String clientId) {
- if (clientId != null && clientIds.contains(clientId)){
- log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId);
+ return checkRule(clientId, skipForClients, "{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})");
+ }
+
+ private boolean checkRule(String param, Set ruleSet, String logMsg) {
+ if (param != null && ruleSet.contains(param)){
+ log.debug(logMsg, filterName, param);
return true;
}
return false;
}
+ private void initializeExecutionRulesLists(AuthProcFilterInitContext ctx) {
+ initializeExecutionRuleList(ctx, EXECUTE_FOR_CLIENTS, executeForClients);
+ initializeExecutionRuleList(ctx, SKIP_FOR_CLIENTS, skipForClients);
+ initializeExecutionRuleList(ctx, CLIENT_IDS, skipForClients);
+
+ initializeExecutionRuleList(ctx, EXECUTE_FOR_USERS, executeForUsers);
+ initializeExecutionRuleList(ctx, SKIP_FOR_USERS, skipForUsers);
+ initializeExecutionRuleList(ctx, SUBS, skipForUsers);
+ }
+
+ private void initializeExecutionRuleList(AuthProcFilterInitContext ctx, String property, Set list) {
+ if (ctx.hasProperty(property)) {
+ String value = ctx.getProperty(property, "");
+ list.addAll(Arrays.asList(value.split(DELIMITER)));
+ }
+ }
+
}
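Review bot: `initializeExecutionRuleList` adds the raw tokens of `value.split(DELIMITER)` to the rule set, so `skip_for_users=a, b` stores `" b"` and an empty property stores `""`; the whitespace variant silently never matches (a skip that was meant to apply does not), and the empty string would match any request whose identifier resolves to `""`. Trim and drop blanks when building the set, e.g. `Arrays.stream(value.split(DELIMITER)).map(String::trim).filter(s -> !s.isEmpty()).forEach(list::add);` — `Arrays` is already imported. The legacy keys `CLIENT_IDS` and `SUBS` are still mapped onto the skip sets here (`initializeExecutionRuleList(ctx, CLIENT_IDS, skipForClients);` and the `SUBS` counterpart) but are no longer mentioned in the class Javadoc; a one-line `// legacy aliases for skip_for_clients / skip_for_users` comment above those calls would keep existing configurations understandable.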
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FilterParams.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterCommonVars.java
similarity index 51%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FilterParams.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterCommonVars.java
index f6f1dc661..e4818bd5d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FilterParams.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterCommonVars.java
@@ -3,31 +3,18 @@ package cz.muni.ics.oidc.server.filters;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oidc.models.Facility;
import cz.muni.ics.oidc.models.PerunUser;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
-public class FilterParams {
+@Getter
+@AllArgsConstructor
+public class AuthProcFilterCommonVars {
private final ClientDetailsEntity client;
private final Facility facility;
private final PerunUser user;
- public FilterParams(ClientDetailsEntity client, Facility facility, PerunUser user) {
- this.client = client;
- this.facility = facility;
- this.user = user;
- }
-
- public ClientDetailsEntity getClient() {
- return client;
- }
-
- public Facility getFacility() {
- return facility;
- }
-
- public PerunUser getUser() {
- return user;
- }
-
public String getClientIdentifier() {
if (client != null) {
return client.getClientId();
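Review bot: `lombok.NoArgsConstructor` is imported at the top of this hunk but never applied, and it could not be — the three fields are `final`, so a generated no-args constructor would not compile; drop `import lombok.NoArgsConstructor;`. The `@Getter`/`@AllArgsConstructor` pair reproduces the removed hand-written constructor and getters, so the rest of the rewrite is behaviour-neutral. `getClientIdentifier()` continues past the end of the hunk.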
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterConstants.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterConstants.java
new file mode 100644
index 000000000..170e86cc8
--- /dev/null
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterConstants.java
@@ -0,0 +1,55 @@
+package cz.muni.ics.oidc.server.filters;
+
+import java.util.Map;
+
+/**
+ * Class containing common constants used by Perun request filters.
+ *
+ * @author Dominik Baranek
+ * @author Dominik Frantisek Bucik
+ */
+public interface AuthProcFilterConstants {
+
+ String AUTHORIZE_REQ_PATTERN = "/auth/authorize";
+ String DEVICE_APPROVE_REQ_PATTERN = "/auth/device/authorize";
+
+ String PARAM_CLIENT_ID = "client_id";
+ String PARAM_SCOPE = "scope";
+ String PARAM_MESSAGE = "message";
+ String PARAM_HEADER = "header";
+ String PARAM_TARGET = "target";
+ String PARAM_FORCE_AUTHN = "forceAuthn";
+ String PARAM_PROMPT = "prompt";
+ String PARAM_REASON = "reason";
+ String PARAM_ACCEPTED = "accepted";
+ String PARAM_ACR_VALUES = "acr_values";
+ String PARAM_POST_LOGOUT_REDIRECT_URI = "post_logout_redirect_uri";
+ String PARAM_STATE = "state";
+ String CLIENT_ID_PREFIX = "urn:cesnet:proxyidp:client_id:";
+ String AARC_IDP_HINT = "aarc_idp_hint";
+
+ String IDP_ENTITY_ID_PREFIX = "urn:cesnet:proxyidp:idpentityid:";
+ String FILTER_PREFIX = "urn:cesnet:proxyidp:filter:";
+ String EFILTER_PREFIX = "urn:cesnet:proxyidp:efilter:";
+
+ String SAML_EPUID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13";
+ String SAML_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6";
+ String SAML_EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10";
+ String SAML_UID = "urn:oid:0.9.2342.19200300.100.1.1";
+ String SAML_UNIQUE_IDENTIFIER = "urn:oid:0.9.2342.19200300.100.1.44";
+ String SAML_PERUN_USERID_IDENTIFIER = "urn:cesnet:proxyidp:attribute:perunUserId";
+
+ String REFEDS_MFA = "https://refeds.org/profile/mfa";
+ String PROMPT_LOGIN = "login";
+ String PROMPT_SELECT_ACCOUNT = "select_account";
+
+ Map SAML_IDS = Map.of(
+ "eppn", SAML_EPPN,
+ "epuid", SAML_EPUID,
+ "eptid", SAML_EPTID,
+ "uid", SAML_UID,
+ "uniqueIdentifier", SAML_UNIQUE_IDENTIFIER,
+ "perunUserId", SAML_PERUN_USERID_IDENTIFIER
+ );
+
+}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterInitContext.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterInitContext.java
new file mode 100644
index 000000000..86120da2b
--- /dev/null
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterInitContext.java
@@ -0,0 +1,53 @@
+package cz.muni.ics.oidc.server.filters;
+
+import cz.muni.ics.oidc.BeanUtil;
+import cz.muni.ics.oidc.server.adapters.PerunAdapter;
+import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
+import java.util.Properties;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+/**
+ * Class holding parameters for AuthProcFilter instantiation.
+ *
+ * @author Dominik Frantisek Bucik
+ */
+@Getter
+@AllArgsConstructor
+public class AuthProcFilterInitContext {
+
+ public static final String PROP_CLASS = "class";
+
+ private final String filterName;
+ private final String filterPropertyPrefix;
+ private final Properties properties;
+ private final BeanUtil beanUtil;
+
+ public boolean hasProperty(String name) {
+ return this.properties.containsKey(filterPropertyPrefix + '.' + name);
+ }
+
+ public String getProperty(String name) {
+ return this.properties.getProperty(filterPropertyPrefix + '.' + name);
+ }
+
+ public String getProperty(String name, String defaultValue) {
+ if (this.properties.containsKey(filterPropertyPrefix + '.' + name)) {
+ return this.properties.getProperty(filterPropertyPrefix + '.' + name);
+ }
+ return defaultValue;
+ }
+
+ public String getFilterClass() {
+ return (String) properties.getOrDefault(filterPropertyPrefix + '.' + PROP_CLASS, null);
+ }
+
+ public PerunAdapter getPerunAdapterBean() {
+ return beanUtil.getBean(PerunAdapter.class);
+ }
+
+ public PerunOidcConfig getPerunOidcConfigBean() {
+ return beanUtil.getBean(PerunOidcConfig.class);
+ }
+
+}
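Review bot: `getFilterClass()` reads the class name via `properties.getOrDefault(..., null)` with a cast to `String`, while the other accessors in this class go through `Properties.getProperty`; `getOrDefault` is the raw `Hashtable` lookup, so it ignores any defaults chain the `Properties` instance carries and throws `ClassCastException` if a non-`String` value was ever `put`. The consistent one-liner is `return properties.getProperty(filterPropertyPrefix + '.' + PROP_CLASS);`. Likewise `hasProperty` uses `containsKey`, which is also blind to defaults — acceptable if intended, but worth a comment since `getProperty(name)` just below is not.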
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java
deleted file mode 100644
index 749fce772..000000000
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java
+++ /dev/null
@@ -1,52 +0,0 @@
-package cz.muni.ics.oidc.server.filters;
-
-import cz.muni.ics.oidc.BeanUtil;
-import java.util.Properties;
-
-/**
- * Class holding parameters for filter instantiation
- *
- * @author Dominik Frantisek Bucik
- */
-public class AuthProcFilterParams {
-
- private final String filterName;
-
- private final String propertyPrefix;
- private final Properties properties;
- private final BeanUtil beanUtil;
-
- public AuthProcFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) {
- this.filterName = filterName;
- this.propertyPrefix = propertyPrefix;
- this.properties = properties;
- this.beanUtil = beanUtil;
- }
-
- public boolean hasProperty(String name) {
- return this.properties.containsKey(propertyPrefix + '.' + name);
- }
-
- public String getProperty(String name) {
- return this.properties.getProperty(propertyPrefix + '.' + name);
- }
-
- public String getProperty(String name, String defaultValue) {
- if (this.properties.containsKey(propertyPrefix + '.' + name)) {
- return this.properties.getProperty(propertyPrefix + '.' + name);
- }
- return defaultValue;
- }
-
- public BeanUtil getBeanUtil() {
- return beanUtil;
- }
-
- public String getFilterName() {
- return filterName;
- }
-
- public Properties getProperties() {
- return properties;
- }
-}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java
index 19632b5f1..9431a6fd9 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java
@@ -1,7 +1,7 @@
package cz.muni.ics.oidc.server.filters;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.AUTHORIZE_REQ_PATTERN;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
@@ -23,6 +23,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
@@ -31,7 +32,8 @@ import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean;
/**
- * This filter calls other Perun filters saved in the PerunFiltersContext
+ * Wrapper filter for the AuthProcFilters in the security chain. Takes care of providing most basic parameters
+ * and calls the custom AuthProcFilter chain.
*
* @author Dominik Baranek
* @author Dominik Frantisek Bucik
@@ -46,29 +48,34 @@ public class AuthProcFiltersContainer extends GenericFilterBean {
private static final RequestMatcher MATCHER = new OrRequestMatcher(
Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER));
- @Autowired
- private Properties coreProperties;
+ private final Properties properties;
+ private final BeanUtil beanUtil;
+ private final OAuth2RequestFactory authRequestFactory;
+ private final ClientDetailsEntityService clientDetailsEntityService;
+ private final PerunAdapter perunAdapter;
+ private final SamlProperties samlProperties;
+
+ private List filters;
@Autowired
- private BeanUtil beanUtil;
-
- @Autowired
- private OAuth2RequestFactory authRequestFactory;
-
- @Autowired
- private ClientDetailsEntityService clientDetailsEntityService;
-
- @Autowired
- private PerunAdapter perunAdapter;
-
- @Autowired
- private SamlProperties samlProperties;
-
- private AuthProcFiltersContext perunFiltersContext;
+ public AuthProcFiltersContainer(@Qualifier("coreProperties")Properties properties,
+ BeanUtil beanUtil,
+ OAuth2RequestFactory authRequestFactory,
+ ClientDetailsEntityService clientDetailsEntityService,
+ PerunAdapter perunAdapter,
+ SamlProperties samlProperties)
+ {
+ this.properties = properties;
+ this.beanUtil = beanUtil;
+ this.authRequestFactory = authRequestFactory;
+ this.clientDetailsEntityService = clientDetailsEntityService;
+ this.perunAdapter = perunAdapter;
+ this.samlProperties = samlProperties;
+ }
@PostConstruct
public void postConstruct() {
- this.perunFiltersContext = new AuthProcFiltersContext(coreProperties, beanUtil);
+ this.filters = AuthProcFiltersInitializer.initialize(properties, beanUtil);
}
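Review bot: Style: `@Qualifier("coreProperties")Properties properties` is missing the space after the annotation and the constructor's opening brace sits on its own line, unlike every other method in this file; `@Qualifier("coreProperties") Properties properties,` and `SamlProperties samlProperties) {` match the surrounding style. `filters` is the only non-final field left after the move to constructor injection; if `AuthProcFiltersInitializer.initialize(properties, beanUtil)` does not need the fully refreshed context, it could be called from the constructor and the field made `final`, otherwise a comment on `postConstruct()` explaining why it must wait would help.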
@Override
@@ -80,7 +87,6 @@ public class AuthProcFiltersContainer extends GenericFilterBean {
if (!MATCHER.matches(req)) {
log.debug("AuthProc filters have been skipped, did not match authorization nor device req URL");
} else {
- List filters = perunFiltersContext.getFilters();
if (filters != null && !filters.isEmpty()) {
ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(req, authRequestFactory,
clientDetailsEntityService);
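Review bot: The guard `filters != null && !filters.isEmpty()` checks the list but not its elements; the `AuthProcFiltersContext` deleted in this same commit added `null` to the list when a filter had no class configured (`loadFilter` returned `null` and `filters.add(requestFilter)` ran unconditionally), and if `AuthProcFiltersInitializer.initialize` — not in this diff — kept that behaviour, the `for (AuthProcFilter filter : filters)` loop in the next hunk throws `NullPointerException` on the first authorization request. Given that `AuthProcFilter` now throws `ConfigurationException` for inconsistent rule lists, a filter with no class should probably fail startup the same way rather than leave a silent gap in the chain; at minimum the initializer must not add `null` entries. `doFilter` begins before this hunk.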
@@ -94,7 +100,7 @@ public class AuthProcFiltersContainer extends GenericFilterBean {
}
}
PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties);
- FilterParams params = new FilterParams(client, facility, user);
+ AuthProcFilterCommonVars params = new AuthProcFilterCommonVars(client, facility, user);
for (AuthProcFilter filter : filters) {
if (!filter.doFilter(req, res, params)) {
return;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java
deleted file mode 100644
index c6f324a2b..000000000
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java
+++ /dev/null
@@ -1,91 +0,0 @@
-package cz.muni.ics.oidc.server.filters;
-
-import cz.muni.ics.oidc.BeanUtil;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.InvocationTargetException;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Properties;
-import lombok.extern.slf4j.Slf4j;
-import org.springframework.util.StringUtils;
-
-/**
- * Class that contains all custom Perun request filters. Filters are stored in the LinkedList
- * and executed in the order they are added to the list.
- *
- * Filters are configured from configuration file in following way:
- * filter.names=filterName1,filterName2,...
- *
- * @see AuthProcFilter for configuration of filter
- *
- * @author Dominik Frantisek Bucik
- */
-@Slf4j
-public class AuthProcFiltersContext {
-
- private static final String FILTER_NAMES = "filter.names";
- private static final String FILTER_CLASS = ".class";
- private static final String PREFIX = "filter.";
-
- private final List filters;
- private final Properties properties;
- private final BeanUtil beanUtil;
-
- public AuthProcFiltersContext(Properties properties, BeanUtil beanUtil) {
- this.properties = properties;
- this.beanUtil = beanUtil;
- this.filters = new LinkedList<>();
-
- String filterNames = properties.getProperty(FILTER_NAMES);
- log.debug("Filters to be initialized '{}'", filterNames);
-
- log.debug("--------------------------------");
- for (String filterName: filterNames.split(",")) {
- AuthProcFilter requestFilter = loadFilter(filterName);
- filters.add(requestFilter);
- log.debug("--------------------------------");
- }
- }
-
- public List getFilters() {
- return filters;
- }
-
- private AuthProcFilter loadFilter(String filterName) {
- String propPrefix = AuthProcFiltersContext.PREFIX + filterName;
- String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null);
- if (!StringUtils.hasText(filterClass)) {
- log.warn("{} - failed to initialized filter: no class has ben configured", filterName);
- return null;
- }
- log.trace("{} - loading class '{}'", filterName, filterClass);
-
- try {
- Class> rawClazz = Class.forName(filterClass);
- if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) {
- log.warn("{} - failed to initialized filter: class '{}' does not extend AuthProcFilter",
- filterName, filterClass);
- return null;
- }
-
- @SuppressWarnings("unchecked") Class clazz = (Class) rawClazz;
- Constructor constructor = clazz.getConstructor(AuthProcFilterParams.class);
- AuthProcFilterParams params = new AuthProcFilterParams(filterName, propPrefix, properties, beanUtil);
- return constructor.newInstance(params);
- } catch (ClassNotFoundException e) {
- log.warn("{} - failed to initialize filter: class '{}' was not found", filterName, filterClass);
- log.trace("{} - details:", filterName, e);
- return null;
- } catch (NoSuchMethodException e) {
- log.warn("{} - failed to initialize filter: class '{}' does not have proper constructor",
- filterName, filterClass);
- log.trace("{} - details:", filterName, e);
- return null;
- } catch (IllegalAccessException | InvocationTargetException | InstantiationException e) {
- log.warn("{} - failed to initialize filter: class '{}' cannot be instantiated", filterName, filterClass);
- log.trace("{} - details:", filterName, e);
- return null;
- }
- }
-
-}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersInitializer.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersInitializer.java
new file mode 100644
index 000000000..5e00d5233
--- /dev/null
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersInitializer.java
@@ -0,0 +1,77 @@
+package cz.muni.ics.oidc.server.filters;
+
+import cz.muni.ics.oidc.BeanUtil;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Properties;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.util.StringUtils;
+
+/**
+ * Initialization class for AuthProcFilters. Takes care of loading the filters and putting them into the custom
+ * authentication processing chain.
+ *
+ * @author Dominik Baranek
+ * @author Dominik Frantisek Bucik
+ */
+@Slf4j
+public class AuthProcFiltersInitializer {
+
+ private static final String FILTER_NAMES = "filter.names";
+ private static final String FILTERS_PROP_BASE_PREFIX = "filter.";
+
+ public static List initialize(Properties coreProperties, BeanUtil beanUtil) {
+ List filters = new LinkedList<>();
+
+ String filterNames = coreProperties.getProperty(FILTER_NAMES);
+ log.debug("Filters to be initialized '{}'", filterNames);
+
+ log.debug("--------------------------------");
+ for (String filterName: filterNames.split(",")) {
+ String filterPropertyPrefix = FILTERS_PROP_BASE_PREFIX + filterName;
+ AuthProcFilterInitContext ctx = new AuthProcFilterInitContext(filterName, filterPropertyPrefix, coreProperties, beanUtil);
+ AuthProcFilter requestFilter = loadFilter(ctx);
+ filters.add(requestFilter);
+ log.debug("--------------------------------");
+ }
+ return filters;
+ }
+
+ private static AuthProcFilter loadFilter(AuthProcFilterInitContext ctx) {
+ String filterClass = ctx.getFilterClass();
+ if (!StringUtils.hasText(filterClass)) {
+ log.warn("{} - failed to initialized filter: no class has ben configured", ctx.getFilterName());
+ return null;
+ }
+ log.debug("{} - loading class '{}'", ctx.getFilterName(), filterClass);
+
+ try {
+ Class> rawClazz = Class.forName(filterClass);
+ if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) {
+ log.warn("{} - failed to initialized filter: class '{}' does not extend AuthProcFilter",
+ ctx.getFilterName(), filterClass);
+ return null;
+ }
+
+ @SuppressWarnings("unchecked") Class clazz = (Class) rawClazz;
+ Constructor constructor = clazz.getConstructor(AuthProcFilterInitContext.class);
+ return constructor.newInstance(ctx);
+ } catch (ClassNotFoundException e) {
+ log.warn("{} - failed to initialize filter: class '{}' was not found", ctx.getFilterName(), filterClass);
+ log.debug("{} - details:", ctx.getFilterName(), e);
+ return null;
+ } catch (NoSuchMethodException e) {
+ log.warn("{} - failed to initialize filter: class '{}' does not have proper constructor",
+ ctx.getFilterName(), filterClass);
+ log.debug("{} - details:", ctx.getFilterName(), e);
+ return null;
+ } catch (IllegalAccessException | InvocationTargetException | InstantiationException e) {
+ log.warn("{} - failed to initialize filter: class '{}' cannot be instantiated", ctx.getFilterName(), filterClass);
+ log.debug("{} - details:", ctx.getFilterName(), e);
+ return null;
+ }
+ }
+
+}
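Review bot: `coreProperties.getProperty(FILTER_NAMES)` returns null when `filter.names` is absent, so `filterNames.split(",")` in `initialize` throws a NullPointerException that names no property, and an entry such as `a, b` yields the prefix `filter. b` because names are not trimmed. Resolve the property explicitly and normalise each name: `String filterNames = coreProperties.getProperty(FILTER_NAMES, "");` and, as the first statements of the loop, `filterName = filterName.trim(); if (filterName.isEmpty()) { continue; }`. The deleted AuthProcFiltersContext documented the `filter.names` / `filter.<name>.class` layout in its class Javadoc; that paragraph is worth carrying over to this class so operators can find the expected keys.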
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java
index 729a8399e..cad8be75d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java
@@ -1,7 +1,7 @@
package cz.muni.ics.oidc.server.filters;
import static cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_FORCE_AUTHN;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.DeviceCode;
@@ -9,8 +9,11 @@ import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oidc.models.Facility;
import cz.muni.ics.oidc.models.PerunAttributeValue;
import cz.muni.ics.oidc.models.PerunUser;
+import cz.muni.ics.oidc.saml.SamlPrincipal;
import cz.muni.ics.oidc.saml.SamlProperties;
import cz.muni.ics.oidc.server.adapters.PerunAdapter;
+import cz.muni.ics.oidc.server.claims.ClaimInitContext;
+import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext;
import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController;
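Review bot: The added imports `ClaimInitContext` and `ClaimSourceInitContext` (and possibly `SamlPrincipal`) are not referenced by any FiltersUtils code visible in this diff; if they are indeed unused, drop them so the filters package does not acquire a compile-time dependency on the claims package for nothing. I cannot see the rest of the file, so this is a check rather than a certainty.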
@@ -35,6 +38,42 @@ import org.springframework.util.StringUtils;
@Slf4j
public class FiltersUtils {
+ public static final String NO_VALUE = null;
+
+ public static String fillStringMandatoryProperty(String suffix, AuthProcFilterInitContext ctx) {
+ String filled = fillStringPropertyOrDefaultVal(ctx.getProperty(suffix, NO_VALUE), NO_VALUE);
+
+ if (filled == null) {
+ throw new IllegalArgumentException(ctx.getFilterName() + " - missing mandatory configuration option: " + suffix);
+ }
+
+ return filled;
+ }
+
+ public static String fillStringPropertyOrDefaultVal(String suffix, AuthProcFilterInitContext ctx, String defaultVal) {
+ return fillStringPropertyOrDefaultVal(ctx.getProperty(suffix, NO_VALUE), defaultVal);
+ }
+
+ private static String fillStringPropertyOrDefaultVal(String prop, String defaultVal) {
+ if (StringUtils.hasText(prop)) {
+ return prop;
+ } else {
+ return defaultVal;
+ }
+ }
+
+ public static boolean fillBooleanPropertyOrDefaultVal(String suffix, AuthProcFilterInitContext ctx, boolean defaultVal) {
+ return fillBooleanPropertyOrDefaultVal(ctx.getProperty(suffix, NO_VALUE), defaultVal);
+ }
+
+ private static boolean fillBooleanPropertyOrDefaultVal(String prop, boolean defaultVal) {
+ if (StringUtils.hasText(prop)) {
+ return Boolean.parseBoolean(prop);
+ } else {
+ return defaultVal;
+ }
+ }
+
/**
* Create map of request params in format key = name, value = paramValue.
*
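Review bot: `fillBooleanPropertyOrDefaultVal` relies on `Boolean.parseBoolean`, which maps every value other than a case-insensitive `true` — a misspelling, `yes`, `1` — to `false` without complaint, so a mistyped flag on an authentication-processing filter silently takes the non-default branch instead of failing configuration. Reject anything but an explicit `true`/`false` (rewrite below). Separately, `public static final String NO_VALUE = null;` publishes a null sentinel that only the private overloads need; make it `private`. The three-argument `fillStringMandatoryProperty` further down in this file now duplicates the two-argument one added here.
```java
private static boolean fillBooleanPropertyOrDefaultVal(String prop, boolean defaultVal) {
    if (!StringUtils.hasText(prop)) {
        return defaultVal;
    }
    String normalized = prop.trim();
    if ("true".equalsIgnoreCase(normalized)) {
        return true;
    }
    if ("false".equalsIgnoreCase(normalized)) {
        return false;
    }
    // Anything else is a misconfiguration; do not silently map it to false.
    throw new IllegalArgumentException("expected 'true' or 'false' for boolean option, got: '" + prop + "'");
}
```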
@@ -173,7 +212,7 @@ public class FiltersUtils {
} else if (!StringUtils.hasText(idAttribute)) {
throw new IllegalArgumentException("No identifier from SAML configured");
}
- String identifierAttrOid = PerunFilterConstants.SAML_IDS.getOrDefault(idAttribute, null);
+ String identifierAttrOid = AuthProcFilterConstants.SAML_IDS.getOrDefault(idAttribute, null);
if (identifierAttrOid == null) {
throw new IllegalStateException("SAML credentials has no value for attribute: " + idAttribute);
}
@@ -283,10 +322,11 @@ public class FiltersUtils {
PerunUser user,
String clientIdentifier,
FacilityAttrsConfig facilityAttrsConfig,
- Map facilityAttributes,
PerunAdapter perunAdapter,
String redirectUrl)
{
+ Map facilityAttributes = perunAdapter.getFacilityAttributeValues(
+ facility, facilityAttrsConfig.getMembershipAttrNames());
if (facilityAttributes.get(facilityAttrsConfig.getAllowRegistrationAttr()).valueAsBoolean()) {
boolean canRegister = perunAdapter.getAdapterRpc().groupWhereCanRegisterExists(facility);
if (canRegister) {
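Review bot: The map returned by `perunAdapter.getFacilityAttributeValues(...)` is dereferenced unconditionally in `facilityAttributes.get(facilityAttrsConfig.getAllowRegistrationAttr()).valueAsBoolean()`, yet the same commit treats a null map from this adapter call as a normal outcome in PerunEnsureVoMember and PerunForceAupFilter; here a null map, or an absent allow-registration attribute, turns the deny path into a NullPointerException instead of a redirect. Guard both before branching: `PerunAttributeValue allowRegistration = facilityAttributes == null ? null : facilityAttributes.get(facilityAttrsConfig.getAllowRegistrationAttr());` and `if (allowRegistration != null && allowRegistration.valueAsBoolean()) {`. The method signature starts above this hunk and the body continues below it.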
@@ -316,7 +356,7 @@ public class FiltersUtils {
public static String fillStringMandatoryProperty(String propertyName,
String filterName,
- AuthProcFilterParams params) {
+ AuthProcFilterInitContext params) {
String filled = params.getProperty(propertyName);
if (!StringUtils.hasText(filled)) {
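Review bot: This three-argument `fillStringMandatoryProperty` now duplicates the two-argument overload added earlier in the file (`fillStringMandatoryProperty(String suffix, AuthProcFilterInitContext ctx)`), and its `filterName` parameter is redundant because the context already carries `getFilterName()`. Keep a single implementation and let this one delegate, `return fillStringMandatoryProperty(propertyName, params);`, or mark it `@Deprecated` so the two error-message formats do not drift apart. The method body continues below the hunk.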
@@ -366,4 +406,11 @@ public class FiltersUtils {
return new AbstractMap.SimpleImmutableEntry<>(key, value);
}
+ public static String getUserIdentifier(HttpServletRequest req, String identifierSamlAttribute) {
+ return getExtLogin(getSamlCredential(req), identifierSamlAttribute);
+ }
+
+ public static String getClientId(HttpServletRequest req) {
+ return req.getParameter(AuthProcFilterConstants.PARAM_CLIENT_ID);
+ }
}
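Review bot: `getClientId` returns the raw `client_id` request parameter with no lookup or validation, which is easy to mistake for a resolved client identity; `extractClientFromRequest` in the container is the path that actually resolves it through `clientDetailsEntityService`. Give it a Javadoc that states the contract: `/** Returns the {@code client_id} request parameter exactly as sent by the caller; it is unvalidated and must be resolved via ClientDetailsEntityService before being used in any access decision. */`. `getUserIdentifier` likewise needs a one-line Javadoc, including whether it can return null when `getSamlCredential(req)` yields nothing — I cannot see that helper's contract from here.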
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java
deleted file mode 100644
index 11c053255..000000000
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java
+++ /dev/null
@@ -1,57 +0,0 @@
-package cz.muni.ics.oidc.server.filters;
-
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * Class containing common constants used by Perun request filters.
- *
- * @author Dominik Baranek
- * @author Dominik Frantisek Bucik
- */
-public class PerunFilterConstants {
-
- public static final String AUTHORIZE_REQ_PATTERN = "/auth/authorize";
- public static final String DEVICE_APPROVE_REQ_PATTERN = "/auth/device/authorize";
-
- public static final String PARAM_CLIENT_ID = "client_id";
- public static final String PARAM_SCOPE = "scope";
- public static final String PARAM_MESSAGE = "message";
- public static final String PARAM_HEADER = "header";
- public static final String PARAM_TARGET = "target";
- public static final String PARAM_FORCE_AUTHN = "forceAuthn";
- public static final String PARAM_PROMPT = "prompt";
- public static final String PARAM_REASON = "reason";
- public static final String PARAM_ACCEPTED = "accepted";
- public static final String PARAM_ACR_VALUES = "acr_values";
- public static final String PARAM_POST_LOGOUT_REDIRECT_URI = "post_logout_redirect_uri";
- public static final String PARAM_STATE = "state";
- public static final String CLIENT_ID_PREFIX = "urn:cesnet:proxyidp:client_id:";
- public static final String AARC_IDP_HINT = "aarc_idp_hint";
-
- public static final String IDP_ENTITY_ID_PREFIX = "urn:cesnet:proxyidp:idpentityid:";
- public static final String FILTER_PREFIX = "urn:cesnet:proxyidp:filter:";
- public static final String EFILTER_PREFIX = "urn:cesnet:proxyidp:efilter:";
-
- public static final String SAML_EPUID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13";
- public static final String SAML_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6";
- public static final String SAML_EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10";
- public static final String SAML_UID = "urn:oid:0.9.2342.19200300.100.1.1";
- public static final String SAML_UNIQUE_IDENTIFIER = "urn:oid:0.9.2342.19200300.100.1.44";
- public static final String SAML_PERUN_USERID_IDENTIFIER = "urn:cesnet:proxyidp:attribute:perunUserId";
-
- public static final String REFEDS_MFA = "https://refeds.org/profile/mfa";
- public static final String PROMPT_LOGIN = "login";
- public static final String PROMPT_SELECT_ACCOUNT = "select_account";
-
- public static final Map SAML_IDS = new HashMap<>();
- static {
- SAML_IDS.put("eppn", SAML_EPPN);
- SAML_IDS.put("epuid", SAML_EPUID);
- SAML_IDS.put("eptid", SAML_EPTID);
- SAML_IDS.put("uid", SAML_UID);
- SAML_IDS.put("uniqueIdentifier", SAML_UNIQUE_IDENTIFIER);
- SAML_IDS.put("perunUserId", SAML_PERUN_USERID_IDENTIFIER);
- }
-
-}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/MultiMDCFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/MultiMDCFilter.java
deleted file mode 100644
index e4980c8ee..000000000
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/MultiMDCFilter.java
+++ /dev/null
@@ -1,33 +0,0 @@
-package cz.muni.ics.oidc.server.filters.impl;
-
-import cz.muni.ics.oidc.server.filters.impl.mdc.RemoteAddressMDCFilter;
-import cz.muni.ics.oidc.server.filters.impl.mdc.SessionIdMDCFilter;
-import java.io.IOException;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import org.slf4j.MDC;
-import org.springframework.web.filter.GenericFilterBean;
-
-public class MultiMDCFilter extends GenericFilterBean {
-
- private final RemoteAddressMDCFilter remoteAddressMDCFilter;
- private final SessionIdMDCFilter sessionIdMDCFilter;
-
- public MultiMDCFilter() {
- this.remoteAddressMDCFilter = new RemoteAddressMDCFilter();
- this.sessionIdMDCFilter = new SessionIdMDCFilter();
- }
-
- @Override
- public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
- throws IOException, ServletException
- {
- remoteAddressMDCFilter.doFilter(servletRequest);
- sessionIdMDCFilter.doFilter(servletRequest);
- filterChain.doFilter(servletRequest, servletResponse);
- MDC.clear();
- }
-
-}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
index 4ef27d2c0..cb3d3c8b7 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
@@ -1,17 +1,18 @@
package cz.muni.ics.oidc.server.filters.impl;
-import cz.muni.ics.oidc.BeanUtil;
+import static cz.muni.ics.oidc.web.controllers.PerunUnapprovedController.UNAPPROVED_AUTHORIZATION;
+
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
import cz.muni.ics.oidc.models.Facility;
import cz.muni.ics.oidc.models.PerunAttributeValue;
import cz.muni.ics.oidc.models.PerunUser;
import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
-import cz.muni.ics.oidc.server.filters.FilterParams;
-import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
-import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
-import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterCommonVars;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterInitContext;
+import cz.muni.ics.oidc.server.filters.FiltersUtils;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -25,44 +26,35 @@ import lombok.extern.slf4j.Slf4j;
* Configuration:
* - based on the configuration of bean "facilityAttrsConfig"
* @see FacilityAttrsConfig
+ * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
*
* @author Dominik Frantisek Bucik
*/
@Slf4j
public class PerunAuthorizationFilter extends AuthProcFilter {
- public static final String APPLIED = "APPLIED_" + PerunAuthorizationFilter.class.getSimpleName();
-
private final PerunAdapter perunAdapter;
private final FacilityAttrsConfig facilityAttrsConfig;
- private final String filterName;
private final PerunOidcConfig config;
- public PerunAuthorizationFilter(AuthProcFilterParams params) {
- super(params);
- BeanUtil beanUtil = params.getBeanUtil();
- this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
- this.facilityAttrsConfig = beanUtil.getBean(FacilityAttrsConfig.class);
- this.filterName = params.getFilterName();
- this.config = beanUtil.getBean(PerunOidcConfig.class);
+ public PerunAuthorizationFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
+ super(ctx);
+ this.perunAdapter = ctx.getPerunAdapterBean();
+ this.config = ctx.getPerunOidcConfigBean();
+ this.facilityAttrsConfig = ctx.getBeanUtil().getBean(FacilityAttrsConfig.class);
}
@Override
- protected String getSessionAppliedParamName() {
- return APPLIED;
- }
-
- @Override
- protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) {
Facility facility = params.getFacility();
if (facility == null || facility.getId() == null) {
- log.debug("{} - skip filter execution: no facility provided", filterName);
+ log.debug("{} - skip filter execution: no facility provided", getFilterName());
return true;
}
PerunUser user = params.getUser();
if (user == null || user.getId() == null) {
- log.debug("{} - skip filter execution: no user provided", filterName);
+ log.debug("{} - skip filter execution: no user provided", getFilterName());
return true;
}
@@ -78,17 +70,16 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
facility, facilityAttrsConfig.getMembershipAttrNames());
if (!facilityAttributes.get(facilityAttrsConfig.getCheckGroupMembershipAttr()).valueAsBoolean()) {
- log.debug("{} - skip filter execution: membership check not requested", filterName);
+ log.debug("{} - skip filter execution: membership check not requested", getFilterName());
return true;
}
if (perunAdapter.canUserAccessBasedOnMembership(facility, user.getId())) {
- log.info("{} - user allowed to access the service", filterName);
+ log.info("{} - user allowed to access the service", getFilterName());
return true;
} else {
- FiltersUtils.redirectUserCannotAccess(config.getConfigBean().getIssuer(), response, facility, user, clientIdentifier,
- facilityAttrsConfig, facilityAttributes, perunAdapter,
- PerunUnapprovedController.UNAPPROVED_AUTHORIZATION);
+ FiltersUtils.redirectUserCannotAccess(config.getConfigBean().getIssuer(), response, facility, user,
+ clientIdentifier, facilityAttrsConfig, perunAdapter, UNAPPROVED_AUTHORIZATION);
return false;
}
}
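Review bot: `facilityAttributes` is fetched from Perun just above (`perunAdapter.getFacilityAttributeValues(facility, facilityAttrsConfig.getMembershipAttrNames())`) and, now that the parameter was dropped from `redirectUserCannotAccess`, fetched again with the same arguments inside that helper on the deny path. Either keep the `Map` parameter on the helper, since the caller already holds the data, or add a comment explaining why the second round-trip is acceptable; as written it is an unexplained duplicate remote call. `process` begins above this hunk.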
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java
index cb736dabe..844e26f56 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java
@@ -1,19 +1,21 @@
package cz.muni.ics.oidc.server.filters.impl;
-import cz.muni.ics.oidc.BeanUtil;
+import cz.muni.ics.oidc.PerunConstants;
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
import cz.muni.ics.oidc.models.Facility;
import cz.muni.ics.oidc.models.PerunAttributeValue;
import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
-import cz.muni.ics.oidc.server.filters.FilterParams;
-import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
-import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterInitContext;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterCommonVars;
+import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
import cz.muni.ics.oidc.web.controllers.RegistrationController;
import java.util.Arrays;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -26,6 +28,7 @@ import org.springframework.util.StringUtils;
* Otherwise, user can to access the service.
*
* Configuration (replace [name] part with the name defined for the filter):
+ * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
*
* - filter.[name].triggerAttr - mapping to attribute which contains flag if this is enabled for facility
* - filter.[name].voDefsAttr - mapping to attribute which contains VO(s) to check
@@ -36,8 +39,6 @@ import org.springframework.util.StringUtils;
@Slf4j
public class PerunEnsureVoMember extends AuthProcFilter {
- public static final String APPLIED = "APPLIED_" + PerunEnsureVoMember.class.getSimpleName();
-
private static final String TRIGGER_ATTR = "triggerAttr";
private static final String VO_DEFS_ATTR = "voDefsAttr";
private static final String LOGIN_URL_ATTR = "loginURL";
@@ -46,50 +47,45 @@ public class PerunEnsureVoMember extends AuthProcFilter {
private final String voDefsAttr;
private final String loginUrlAttr;
private final PerunAdapter perunAdapter;
- private final String filterName;
private final PerunOidcConfig perunOidcConfig;
- public PerunEnsureVoMember(AuthProcFilterParams params) {
- super(params);
- BeanUtil beanUtil = params.getBeanUtil();
+ public PerunEnsureVoMember(AuthProcFilterInitContext ctx) throws ConfigurationException {
+ super(ctx);
+ this.perunOidcConfig = ctx.getPerunOidcConfigBean();
+ this.perunAdapter = ctx.getPerunAdapterBean();
- this.perunOidcConfig = beanUtil.getBean(PerunOidcConfig.class);
- this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
- this.filterName = params.getFilterName();
-
- this.triggerAttr = FiltersUtils.fillStringMandatoryProperty(TRIGGER_ATTR, filterName, params);
- this.voDefsAttr = FiltersUtils.fillStringMandatoryProperty(VO_DEFS_ATTR, filterName, params);
-
- this.loginUrlAttr = params.getProperty(LOGIN_URL_ATTR);
- log.debug("{} - initialized filter: {}", filterName, this);
+ this.triggerAttr = FiltersUtils.fillStringMandatoryProperty(TRIGGER_ATTR, ctx);
+ this.voDefsAttr = FiltersUtils.fillStringMandatoryProperty(VO_DEFS_ATTR, ctx);
+ this.loginUrlAttr = FiltersUtils.fillStringPropertyOrDefaultVal(LOGIN_URL_ATTR, ctx, null);
}
@Override
- protected String getSessionAppliedParamName() {
- return APPLIED;
- }
-
- @Override
- protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) {
Facility facility = params.getFacility();
if (facility == null || facility.getId() == null) {
- log.debug("{} - skip execution: no facility provided", filterName);
+ log.debug("{} - skip execution: no facility provided", getFilterName());
return true;
}
- Map attrs = perunAdapter.getFacilityAttributeValues(facility,
- Arrays.asList(voDefsAttr, triggerAttr, loginUrlAttr));
+ List attrsToFetch = Arrays.asList(voDefsAttr, triggerAttr, loginUrlAttr);
+ Map attrs = perunAdapter.getFacilityAttributeValues(facility, attrsToFetch);
+
+ if (attrs == null) {
+ log.debug("{} - skip filter execution: could not fetch attributes '{}' for facility '{}'",
+ getFilterName(), attrsToFetch, facility);
+ return true;
+ }
PerunAttributeValue triggerAttrValue = attrs.getOrDefault(triggerAttr, null);
if (triggerAttrValue == null || !triggerAttrValue.valueAsBoolean()) {
log.debug("{} - skip execution: attribute '{}' is null or false, which disables the filter",
- filterName, triggerAttr);
+ getFilterName(), triggerAttr);
return true;
}
PerunAttributeValue voDefsAttrValue = getVoDefsAttrValue(attrs.getOrDefault(voDefsAttr, null));
if (voDefsAttrValue == null) {
- log.debug("{} - skip execution: attribute '{}' has null or no value", filterName, voDefsAttr);
+ log.debug("{} - skip execution: attribute '{}' has null or no value", getFilterName(), voDefsAttr);
return true;
}
String voShortName = voDefsAttrValue.valueAsString();
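Review bot: The new `if (attrs == null)` branch returns `true`, so when facility attributes cannot be fetched the VO-membership check is skipped and the request proceeds; PerunForceAupFilter's `facilityAttributes == null` branch in this commit behaves the same way. For a filter whose job is to stop non-members, that fail-open outcome should at least be visible to operators — log it at `warn` rather than `debug` — and it is worth deciding explicitly whether an unreadable trigger attribute should instead deny with a redirect. Separately, `loginUrlAttr` defaults to null (`fillStringPropertyOrDefaultVal(LOGIN_URL_ATTR, ctx, null)`) yet is still placed into `attrsToFetch`, so the adapter receives a null attribute name whenever the option is unset; I cannot see how `getFacilityAttributeValues` handles that, but building the list from non-null names only would avoid depending on it.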
@@ -97,7 +93,7 @@ public class PerunEnsureVoMember extends AuthProcFilter {
boolean canAccess = perunAdapter.isUserInVo(params.getUser().getId(), voShortName);
if (canAccess) {
- log.debug("{} - user allowed to continue", filterName);
+ log.debug("{} - user allowed to continue", getFilterName());
return true;
} else {
redirect(res, getLoginUrl(facility.getId()), voShortName);
@@ -144,10 +140,11 @@ public class PerunEnsureVoMember extends AuthProcFilter {
private void redirectDirectly(HttpServletResponse res, String loginUrl, String voShortName) {
String registrarUrl = perunOidcConfig.getRegistrarUrl();
Map params = new HashMap<>();
- params.put("vo", voShortName);
+ params.put(PerunConstants.REGISTRAR_PARAM_VO, voShortName);
if (StringUtils.hasText(loginUrl)) {
- params.put("targetnew", loginUrl);
- params.put("targetexisting", loginUrl);
+ params.put(PerunConstants.REGISTRAR_TARGET_NEW, loginUrl);
+ params.put(PerunConstants.REGISTRAR_TARGET_EXISTING, loginUrl);
+ params.put(PerunConstants.REGISTRAR_TARGET_EXTENDED, loginUrl);
}
String target = ControllerUtils.createUrl(registrarUrl, params);
@@ -156,7 +153,7 @@ public class PerunEnsureVoMember extends AuthProcFilter {
params.put(RegistrationController.PARAM_TARGET, target);
String redirectUrl = ControllerUtils.createUrl(url, params);
- log.debug("{} - redirecting user to '{}'", filterName, redirectUrl);
+ log.debug("{} - redirecting user to '{}'", getFilterName(), redirectUrl);
res.reset();
res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
res.setHeader(HttpHeaders.LOCATION, redirectUrl);
@@ -166,7 +163,7 @@ public class PerunEnsureVoMember extends AuthProcFilter {
String redirectUrl = ControllerUtils.constructRequestUrl(perunOidcConfig,
PerunUnapprovedController.UNAPPROVED_ENSURE_VO_MAPPING);
- log.debug("{} - redirecting user to '{}'", filterName, redirectUrl);
+ log.debug("{} - redirecting user to '{}'", getFilterName(), redirectUrl);
res.reset();
res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
res.setHeader(HttpHeaders.LOCATION, redirectUrl);
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java
index 8cd73168e..2c2db1f30 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java
@@ -4,6 +4,7 @@ import static cz.muni.ics.oidc.web.controllers.AupController.APPROVED;
import com.fasterxml.jackson.databind.ObjectMapper;
import cz.muni.ics.oidc.BeanUtil;
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
import cz.muni.ics.oidc.models.Aup;
import cz.muni.ics.oidc.models.Facility;
import cz.muni.ics.oidc.models.PerunAttribute;
@@ -12,10 +13,10 @@ import cz.muni.ics.oidc.models.PerunUser;
import cz.muni.ics.oidc.saml.SamlProperties;
import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
-import cz.muni.ics.oidc.server.filters.FilterParams;
-import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
-import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterCommonVars;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterInitContext;
+import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.web.controllers.AupController;
import java.io.IOException;
import java.text.ParseException;
@@ -36,6 +37,7 @@ import org.springframework.util.StringUtils;
* AUP filter checks if there are new AUPs which user hasn't accepted yet and forces him to do that.
*
* Configuration (replace [name] part with the name defined for the filter):
+ * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
*
* - filter.[name].orgAupsAttrName - Mapping to Perun entityless attribute containing organization AUPs
* - filter.[name].userAupsAttrName - Mapping to Perun user attribute containing list of AUPS approved by user
@@ -52,8 +54,6 @@ import org.springframework.util.StringUtils;
@Slf4j
public class PerunForceAupFilter extends AuthProcFilter {
- public static final String APPLIED = "APPLIED_" + PerunForceAupFilter.class.getSimpleName();
-
private static final String DATE_FORMAT = "yyyy-MM-dd";
/* CONFIGURATION PROPERTIES */
@@ -75,46 +75,39 @@ public class PerunForceAupFilter extends AuthProcFilter {
private final PerunAdapter perunAdapter;
private final PerunOidcConfig perunOidcConfig;
private final SamlProperties samlProperties;
- private final String filterName;
- public PerunForceAupFilter(AuthProcFilterParams params) {
- super(params);
- BeanUtil beanUtil = params.getBeanUtil();
- this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
- this.perunOidcConfig = beanUtil.getBean(PerunOidcConfig.class);
+ public PerunForceAupFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
+ super(ctx);
+ BeanUtil beanUtil = ctx.getBeanUtil();
+ this.perunAdapter = ctx.getPerunAdapterBean();
+ this.perunOidcConfig = ctx.getPerunOidcConfigBean();
this.samlProperties = beanUtil.getBean(SamlProperties.class);
- this.perunOrgAupsAttrName = params.getProperty(ORG_AUPS_ATTR_NAME);
- this.perunUserAupsAttrName = params.getProperty(USER_AUPS_ATTR_NAME);
- this.perunVoAupAttrName = params.getProperty(VO_AUP_ATTR_NAME);
- this.perunFacilityRequestedAupsAttrName = params.getProperty(FACILITY_REQUESTED_AUPS_ATTR_NAME);
- this.perunFacilityVoShortNamesAttrName = params.getProperty(VO_SHORT_NAMES_ATTR_NAME);
- this.filterName = params.getFilterName();
+ this.perunOrgAupsAttrName = FiltersUtils.fillStringMandatoryProperty(ORG_AUPS_ATTR_NAME, ctx);
+ this.perunUserAupsAttrName = FiltersUtils.fillStringMandatoryProperty(USER_AUPS_ATTR_NAME, ctx);
+ this.perunVoAupAttrName = FiltersUtils.fillStringMandatoryProperty(VO_AUP_ATTR_NAME, ctx);
+ this.perunFacilityRequestedAupsAttrName = FiltersUtils.fillStringMandatoryProperty(FACILITY_REQUESTED_AUPS_ATTR_NAME, ctx);
+ this.perunFacilityVoShortNamesAttrName = FiltersUtils.fillStringMandatoryProperty(VO_SHORT_NAMES_ATTR_NAME, ctx);
}
@Override
- protected String getSessionAppliedParamName() {
- return APPLIED;
- }
-
- @Override
- protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) throws IOException {
if (req.getSession() != null && req.getSession().getAttribute(APPROVED) != null) {
req.getSession().removeAttribute(APPROVED);
log.debug("{} - skip filter execution: aups are already approved, check at next access to the service due" +
- " to a delayed propagation to LDAP", filterName);
+ " to a delayed propagation to LDAP", getFilterName());
return true;
}
PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties);
if (user == null || user.getId() == null) {
- log.debug("{} - skip filter execution: no user provider", filterName);
+ log.debug("{} - skip filter execution: no user provider", getFilterName());
return true;
}
Facility facility = params.getFacility();
if (facility == null || facility.getId() == null) {
- log.debug("{} - skip filter execution: no facility provider", filterName);
+ log.debug("{} - skip filter execution: no facility provider", getFilterName());
return true;
}
@@ -124,13 +117,13 @@ public class PerunForceAupFilter extends AuthProcFilter {
if (facilityAttributes == null) {
log.debug("{} - skip filter execution: could not fetch attributes '{}' for facility '{}'",
- filterName, attrsToFetch, facility);
+ getFilterName(), attrsToFetch, facility);
return true;
} else if (!facilityAttributes.containsKey(perunFacilityRequestedAupsAttrName) &&
!facilityAttributes.containsKey(perunFacilityVoShortNamesAttrName))
{
log.debug("{} - skip filter execution: could not fetch required attributes '{}' and '{}' for facility '{}'",
- filterName, perunFacilityRequestedAupsAttrName, perunFacilityVoShortNamesAttrName, facility);
+ getFilterName(), perunFacilityRequestedAupsAttrName, perunFacilityVoShortNamesAttrName, facility);
return true;
}
@@ -139,30 +132,36 @@ public class PerunForceAupFilter extends AuthProcFilter {
try {
newAups = getAupsToApprove(user, facilityAttributes);
} catch (ParseException | IOException e) {
- log.warn("{} - caught parse exception when processing AUPs to approve", filterName);
- log.trace("{} - details:", filterName, e);
+ log.warn("{} - caught parse exception when processing AUPs to approve", getFilterName());
+ log.debug("{} - details:", getFilterName(), e);
return true;
}
if (!newAups.isEmpty()) {
- log.debug("{} - user has to approve some AUPs", filterName);
- log.trace("{} - AUPS to be approved: '{}'", filterName, newAups);
- String newAupsString = mapper.writeValueAsString(newAups);
-
- req.getSession().setAttribute(AupController.RETURN_URL, req.getRequestURI()
- .replace(req.getContextPath(), "") + '?' + req.getQueryString());
- req.getSession().setAttribute(AupController.NEW_AUPS, newAupsString);
- req.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName);
-
- log.debug("{} - redirecting user '{}' to AUPs approval page", filterName, user);
- res.sendRedirect(req.getContextPath() + '/' + AupController.URL);
+ log.info("{} - user has to approve some AUPs", getFilterName());
+ log.debug("{} - AUPS to be approved: '{}'", getFilterName(), newAups);
+ redirectToApproval(req, res, newAups, user);
return false;
}
- log.debug("{} - no need to approve any AUPs", filterName);
+ log.debug("{} - no need to approve any AUPs", getFilterName());
return true;
}
+ private void redirectToApproval(HttpServletRequest req, HttpServletResponse res, Map newAups,
+ PerunUser user) throws IOException
+ {
+ String newAupsString = mapper.writeValueAsString(newAups);
+
+ req.getSession().setAttribute(AupController.RETURN_URL, req.getRequestURI()
+ .replace(req.getContextPath(), "") + '?' + req.getQueryString());
+ req.getSession().setAttribute(AupController.NEW_AUPS, newAupsString);
+ req.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName);
+
+ log.debug("{} - redirecting user '{}' to AUPs approval page", getFilterName(), user);
+ res.sendRedirect(req.getContextPath() + '/' + AupController.URL);
+ }
+
private Map getAupsToApprove(PerunUser user, Map facilityAttributes)
throws ParseException, IOException
{
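Review bot: `redirectToApproval` stores `req.getRequestURI().replace(req.getContextPath(), "") + '?' + req.getQueryString()` as the return URL, and `getQueryString()` returns null for a request without a query string, so such a request would be sent back to a URL ending in `?null` after approval. Build the suffix conditionally: `String query = req.getQueryString();` and `... + (query == null ? "" : "?" + query)`. The method also takes a raw `Map`; declaring it with a type argument (matching whatever `getAupsToApprove` returns, which is likewise raw on the last lines of this hunk) would remove the unchecked usage.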
@@ -220,12 +219,12 @@ public class PerunForceAupFilter extends AuthProcFilter {
continue;
}
}
- log.debug("{} - need to approve AUP with key '{}' ({})", filterName, keyToVoAup.getKey(), voLatestAup);
+ log.debug("{} - need to approve AUP with key '{}' ({})", getFilterName(), keyToVoAup.getKey(), voLatestAup);
aupsToApprove.put(keyToVoAup.getKey(), voLatestAup);
}
}
- log.trace("{} - VO AUPs to approve: {}", filterName, aupsToApprove);
+ log.trace("{} - VO AUPs to approve: {}", getFilterName(), aupsToApprove);
return aupsToApprove;
}
@@ -246,7 +245,7 @@ public class PerunForceAupFilter extends AuthProcFilter {
}
}
}
- log.debug("{} - Mapped ORG aups: {}", filterName, orgAups);
+ log.debug("{} - Mapped ORG aups: {}", getFilterName(), orgAups);
if (!orgAups.isEmpty()) {
for (String requiredOrgAupKey : requestedAups) {
@@ -260,12 +259,12 @@ public class PerunForceAupFilter extends AuthProcFilter {
continue;
}
}
- log.debug("{} - need to approve AUP with key '{}' ({})", filterName, requiredOrgAupKey, orgLatestAup);
+ log.debug("{} - need to approve AUP with key '{}' ({})", getFilterName(), requiredOrgAupKey, orgLatestAup);
aupsToApprove.put(requiredOrgAupKey, orgLatestAup);
}
}
- log.debug("{} - ORG AUPs to approve: {}", filterName, aupsToApprove);
+ log.debug("{} - ORG AUPs to approve: {}", getFilterName(), aupsToApprove);
return aupsToApprove;
}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java
deleted file mode 100644
index 50a41686e..000000000
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java
+++ /dev/null
@@ -1,147 +0,0 @@
-package cz.muni.ics.oidc.server.filters.impl;
-
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_REASON;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_SCOPE;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_TARGET;
-import static cz.muni.ics.oidc.web.controllers.PerunUnapprovedController.REASON_EXPIRED;
-import static cz.muni.ics.oidc.web.controllers.PerunUnapprovedController.REASON_NOT_SET;
-
-import cz.muni.ics.oidc.BeanUtil;
-import cz.muni.ics.oidc.models.PerunAttributeValue;
-import cz.muni.ics.oidc.models.PerunUser;
-import cz.muni.ics.oidc.server.adapters.PerunAdapter;
-import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
-import cz.muni.ics.oidc.server.filters.FilterParams;
-import cz.muni.ics.oidc.server.filters.FiltersUtils;
-import cz.muni.ics.oidc.server.filters.AuthProcFilter;
-import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
-import cz.muni.ics.oidc.web.controllers.ControllerUtils;
-import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
-import java.time.LocalDateTime;
-import java.time.format.DateTimeFormatter;
-import java.time.format.DateTimeParseException;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import lombok.extern.slf4j.Slf4j;
-import org.apache.http.HttpHeaders;
-
-/**
- * This filter verifies that user attribute isCesnetEligible is not older than given time frame.
- * In case the value is older, denies access to the service and forces user to use verified identity.
- * Otherwise, user can to access the service.
- *
- * Configuration (replace [name] part with the name defined for the filter):
- *
- * - filter.[name].isCesnetEligibleAttr - mapping to isCesnetEligible attribute
- * - filter.[name].validityPeriod - specify in months, how long the value can be old, if no value
- * or invalid value has been provided, defaults to 12 months
- *
- * @author Dominik Frantisek Bucik
- */
-@Slf4j
-public class PerunIsCesnetEligibleFilter extends AuthProcFilter {
-
- public static final String APPLIED = "APPLIED_" + PerunIsCesnetEligibleFilter.class.getSimpleName();
-
- /* CONFIGURATION PROPERTIES */
- private static final String IS_CESNET_ELIGIBLE_ATTR_NAME = "isCesnetEligibleAttr";
- private static final String IS_CESNET_ELIGIBLE_SCOPE = "isCesnetEligibleScope";
- private static final String VALIDITY_PERIOD = "validityPeriod";
- private static final String DATE_TIME_FORMAT = "yyyy-MM-dd HH:mm:ss";
-
- private final String isCesnetEligibleAttrName;
- private final String triggerScope;
- private final int validityPeriod;
- /* END OF CONFIGURATION PROPERTIES */
-
- private final PerunOidcConfig config;
- private final PerunAdapter perunAdapter;
- private final String filterName;
-
- public PerunIsCesnetEligibleFilter(AuthProcFilterParams params) {
- super(params);
- BeanUtil beanUtil = params.getBeanUtil();
- this.config = beanUtil.getBean(PerunOidcConfig.class);
- this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
- this.isCesnetEligibleAttrName = params.getProperty(IS_CESNET_ELIGIBLE_ATTR_NAME);
- this.triggerScope = params.getProperty(IS_CESNET_ELIGIBLE_SCOPE);
- int validityPeriodParam = 12;
- if (params.hasProperty(VALIDITY_PERIOD)) {
- try {
- validityPeriodParam = Integer.parseInt(params.getProperty(VALIDITY_PERIOD));
- } catch (NumberFormatException ignored) {
- //no problem, we have default value
- }
- }
-
- this.validityPeriod = validityPeriodParam;
- this.filterName = params.getFilterName();
- }
-
- @Override
- protected String getSessionAppliedParamName() {
- return APPLIED;
- }
-
- @Override
- protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
- if (!FiltersUtils.isScopePresent(req.getParameter(PARAM_SCOPE), triggerScope)) {
- log.debug("{} - skip execution: scope '{}' is not present in request", filterName, triggerScope);
- return true;
- }
-
- PerunUser user = params.getUser();
- if (user == null || user.getId() == null) {
- log.debug("{} - skip execution: no user provider", filterName);
- return true;
- }
-
- String reason = REASON_NOT_SET;
- PerunAttributeValue attrValue = perunAdapter.getUserAttributeValue(user.getId(), isCesnetEligibleAttrName);
- if (attrValue != null) {
- LocalDateTime timeStamp;
- try {
- DateTimeFormatter formatter = DateTimeFormatter.ofPattern(DATE_TIME_FORMAT);
- timeStamp = LocalDateTime.parse(attrValue.valueAsString(), formatter);
- } catch (DateTimeParseException e) {
- log.warn("{} - could not parse timestamp from attribute '{}' value: '{}'",
- filterName, isCesnetEligibleAttrName, attrValue.valueAsString());
- log.debug("{} - skip execution: no timestamp to compare to", filterName);
- log.trace("{} - details:", filterName, e);
- return true;
- }
-
- LocalDateTime now = LocalDateTime.now();
- if (now.minusMonths(validityPeriod).isBefore(timeStamp)) {
- log.debug("{} - attribute '{}' value is valid", filterName, isCesnetEligibleAttrName);
- return true;
- } else {
- reason = REASON_EXPIRED;
- }
- }
-
- log.debug("{} - attribute '{}' value is invalid, stop user at this point", filterName, attrValue);
- this.redirect(req, res, reason);
- return false;
- }
-
- private void redirect(HttpServletRequest req, HttpServletResponse res, String reason) {
- Map params = new HashMap<>();
-
- String targetURL = FiltersUtils.buildRequestURL(req, Collections.singletonMap(PARAM_FORCE_AUTHN, "true"));
- params.put(PARAM_TARGET, targetURL);
- params.put(PARAM_REASON, reason);
-
- String redirectUrl = ControllerUtils.createRedirectUrl(config.getConfigBean().getIssuer(),
- PerunUnapprovedController.UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING, params);
- log.debug("{} - redirecting user to unapproved: URL '{}'", filterName, redirectUrl);
- res.reset();
- res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
- res.setHeader(HttpHeaders.LOCATION, redirectUrl);
- }
-
-}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java
index 06fc36676..aa34f95aa 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java
@@ -1,17 +1,17 @@
package cz.muni.ics.oidc.server.filters.impl;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_TARGET;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_TARGET;
import static cz.muni.ics.oidc.web.controllers.IsTestSpController.IS_TEST_SP_APPROVED_SESS;
-import cz.muni.ics.oidc.BeanUtil;
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
import cz.muni.ics.oidc.models.Facility;
import cz.muni.ics.oidc.models.PerunAttributeValue;
import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
-import cz.muni.ics.oidc.server.filters.FilterParams;
-import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
-import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterInitContext;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterCommonVars;
+import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
import cz.muni.ics.oidc.web.controllers.IsTestSpController;
import java.io.IOException;
@@ -27,8 +27,9 @@ import org.apache.http.HttpHeaders;
* Otherwise, user can to access the service.
*
* Configuration (replace [name] part with the name defined for the filter):
+ * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
*
- * - filter.[name].isTestSpAttr - mapping to isCesnetEligible attribute
+ * - filter.[name].isTestSpAttr - mapping to isTestSp attribute
*
* @author Dominik Frantisek Bucik
* @author Pavol Pluta <500348@mail.muni.cz>
@@ -36,50 +37,40 @@ import org.apache.http.HttpHeaders;
@Slf4j
public class PerunIsTestSpFilter extends AuthProcFilter {
- public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getSimpleName();
-
private static final String IS_TEST_SP_ATTR_NAME = "isTestSpAttr";
private final String isTestSpAttrName;
private final PerunAdapter perunAdapter;
- private final String filterName;
private final PerunOidcConfig config;
- public PerunIsTestSpFilter(AuthProcFilterParams params) {
- super(params);
- BeanUtil beanUtil = params.getBeanUtil();
- this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
- this.isTestSpAttrName = params.getProperty(IS_TEST_SP_ATTR_NAME);
- this.filterName = params.getFilterName();
- this.config = beanUtil.getBean(PerunOidcConfig.class);
+ public PerunIsTestSpFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
+ super(ctx);
+ this.perunAdapter = ctx.getPerunAdapterBean();
+ this.config = ctx.getPerunOidcConfigBean();
+ this.isTestSpAttrName = FiltersUtils.fillStringMandatoryProperty(IS_TEST_SP_ATTR_NAME, ctx);
}
@Override
- protected String getSessionAppliedParamName() {
- return APPLIED;
- }
-
- @Override
- protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) throws IOException {
Facility facility = params.getFacility();
if (facility == null || facility.getId() == null) {
- log.debug("{} - skip execution: no facility provided", filterName);
+ log.debug("{} - skip execution: no facility provided", getFilterName());
return true;
} else if (testSpWarningApproved(req)){
- log.debug("{} - skip execution: warning already approved", filterName);
+ log.debug("{} - skip execution: warning already approved", getFilterName());
return true;
}
PerunAttributeValue attrValue = perunAdapter.getFacilityAttributeValue(facility.getId(), isTestSpAttrName);
if (attrValue == null) {
- log.debug("{} - skip execution: attribute {} has null value", filterName, isTestSpAttrName);
+ log.debug("{} - skip execution: attribute {} has null value", getFilterName(), isTestSpAttrName);
return true;
} else if (attrValue.valueAsBoolean()) {
- log.debug("{} - redirecting user to test SP warning page", filterName);
+ log.debug("{} - redirecting user to test SP warning page", getFilterName());
this.redirect(req, res);
return false;
}
- log.debug("{} - service is not testing, let user access it", filterName);
+ log.debug("{} - service is not testing, let user access it", getFilterName());
return true;
}
@@ -102,7 +93,7 @@ public class PerunIsTestSpFilter extends AuthProcFilter {
params.put(PARAM_TARGET, targetURL);
String redirectUrl = ControllerUtils.createRedirectUrl(config.getConfigBean().getIssuer(),
IsTestSpController.MAPPING, params);
- log.debug("{} - redirecting user to testSP warning page: {}", filterName, redirectUrl);
+ log.debug("{} - redirecting user to testSP warning page: {}", getFilterName(), redirectUrl);
res.reset();
res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
res.setHeader(HttpHeaders.LOCATION, redirectUrl);
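Review bot: The redirect to the test-SP warning page is issued as `SC_MOVED_PERMANENTLY` (301), which browsers and intermediary caches may store, so a later request to the same authorization URL can be re-routed to the warning page even after the user has approved it and `testSpWarningApproved` would let them through. A per-request decision should use a non-cacheable redirect, e.g. `res.sendRedirect(redirectUrl);` or `res.setStatus(HttpServletResponse.SC_FOUND);`. The status line is unchanged context here (the removed PerunIsCesnetEligibleFilter used the same pattern), and the enclosing `redirect` method starts outside the hunk.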
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunLogIdentityFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunLogIdentityFilter.java
index e00a30f6c..e54b63d45 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunLogIdentityFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunLogIdentityFilter.java
@@ -1,11 +1,12 @@
package cz.muni.ics.oidc.server.filters.impl;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
import cz.muni.ics.oidc.models.PerunUser;
import cz.muni.ics.oidc.saml.SamlProperties;
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
-import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
-import cz.muni.ics.oidc.server.filters.FilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterInitContext;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterCommonVars;
import cz.muni.ics.oidc.server.filters.FiltersUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -13,29 +14,23 @@ import lombok.extern.slf4j.Slf4j;
import org.springframework.security.saml.SAMLCredential;
/**
- * This filter logs information about the user who has logged in INFO level in the format:
- * 'User ID: {}, User identifier: {}, User name: {}, service ID: {}, service name: {}'.
+ * This filter logs information about the user who has logged in INFO level in the format
+ * {} - user_id '{}', user_identifier '{}', user_name '{}', service_identifier '{}', service_name: '{}'.
+ * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
* @author Dominik Frantisek Bucik
*/
@Slf4j
public class PerunLogIdentityFilter extends AuthProcFilter {
- public static final String APPLIED = "APPLIED_" + PerunLogIdentityFilter.class.getSimpleName();
-
private final String userIdentifierAttr;
- public PerunLogIdentityFilter(AuthProcFilterParams params) {
+ public PerunLogIdentityFilter(AuthProcFilterInitContext params) throws ConfigurationException {
super(params);
userIdentifierAttr = params.getBeanUtil().getBean(SamlProperties.class).getUserIdentifierAttribute();
}
@Override
- protected String getSessionAppliedParamName() {
- return APPLIED;
- }
-
- @Override
- protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) {
PerunUser user = params.getUser();
ClientDetailsEntity client = params.getClient();
SAMLCredential samlCredential = FiltersUtils.getSamlCredential(req);
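Review bot: The converted constructor keeps the parameter name `params` for the new `AuthProcFilterInitContext`, while every other filter in this commit names it `ctx`, which makes the identical pattern read differently across the package. Suggested lines: `public PerunLogIdentityFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {`, `super(ctx);`, `userIdentifierAttr = ctx.getBeanUtil().getBean(SamlProperties.class).getUserIdentifierAttribute();`. `process` continues past the end of the hunk.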
@@ -57,8 +52,8 @@ public class PerunLogIdentityFilter extends AuthProcFilter {
identifier = FiltersUtils.getExtLogin(samlCredential, userIdentifierAttr);
}
- log.info("User ID: {}, User identifier: {}, User name: {}, service ID: {}, service name: {}",
- id, identifier, name, clientId, clientName);
+ log.info("{} - user_id '{}', user_identifier '{}', user_name '{}', service_identifier '{}', service_name: '{}'",
+ getFilterName(), id, identifier, name, clientId, clientName);
return true;
}
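Review bot: The new INFO format string is inconsistent with itself: every field is written as `name '{}'` except the last, `service_name: '{}'`, which carries a colon, and the class Javadoc in the earlier hunk copies the same inconsistency. Since this line is the one thing downstream log parsing will key on, use the same shape for all fields: `"{} - user_id '{}', user_identifier '{}', user_name '{}', service_identifier '{}', service_name '{}'"` (and the Javadoc to match).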
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java
index b33b8d067..0051cc545 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java
@@ -5,11 +5,12 @@ import static java.nio.charset.StandardCharsets.UTF_8;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oidc.BeanUtil;
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
import cz.muni.ics.oidc.saml.SamlProperties;
-import cz.muni.ics.oidc.server.filters.FilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterCommonVars;
import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
-import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterInitContext;
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
@@ -29,6 +30,7 @@ import org.springframework.util.StringUtils;
* Filter for collecting data about login.
*
* Configuration (replace [name] part with the name defined for the filter):
+ * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
*
* - filter.[name].idpNameAttributeName - Mapping to Request attribute containing name of used
* Identity Provider
@@ -51,8 +53,6 @@ import org.springframework.util.StringUtils;
@Slf4j
public class ProxyStatisticsFilter extends AuthProcFilter {
- public static final String APPLIED = "APPLIED_" + ProxyStatisticsFilter.class.getSimpleName();
-
/* CONFIGURATION OPTIONS */
private static final String IDP_NAME_ATTRIBUTE_NAME = "idpNameAttributeName";
private static final String IDP_ENTITY_ID_ATTRIBUTE_NAME = "idpEntityIdAttributeName";
@@ -74,62 +74,55 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
/* END OF CONFIGURATION OPTIONS */
private final DataSource mitreIdStats;
- private final String filterName;
private final SamlProperties samlProperties;
- public ProxyStatisticsFilter(AuthProcFilterParams params) {
- super(params);
- BeanUtil beanUtil = params.getBeanUtil();
+ public ProxyStatisticsFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
+ super(ctx);
+ BeanUtil beanUtil = ctx.getBeanUtil();
this.mitreIdStats = beanUtil.getBean("mitreIdStats", DataSource.class);
this.samlProperties = beanUtil.getBean(SamlProperties.class);
- this.idpNameAttributeName = params.getProperty(IDP_NAME_ATTRIBUTE_NAME,
+ this.idpNameAttributeName = FiltersUtils.fillStringPropertyOrDefaultVal(IDP_NAME_ATTRIBUTE_NAME, ctx,
"urn:cesnet:proxyidp:attribute:sourceIdPName");
- this.idpEntityIdAttributeName = params.getProperty(IDP_ENTITY_ID_ATTRIBUTE_NAME,
+ this.idpEntityIdAttributeName = FiltersUtils.fillStringPropertyOrDefaultVal(IDP_ENTITY_ID_ATTRIBUTE_NAME, ctx,
"urn:cesnet:proxyidp:attribute:sourceIdPEntityID");
- this.statisticsTableName = params.getProperty(STATISTICS_TABLE_NAME, "statistics_per_user");
- this.identityProvidersMapTableName = params.getProperty(IDENTITY_PROVIDERS_MAP_TABLE_NAME, "statistics_idp");
- this.serviceProvidersMapTableName = params.getProperty(SERVICE_PROVIDERS_MAP_TABLE_NAME, "statistics_sp");
- this.idpIdColumnName = params.getProperty(IDP_ID_COLUMN_NAME, "idpId");
- this.spIdColumnName = params.getProperty(SP_ID_COLUMN_NAME, "spId");
- this.usernameColumnName = params.getProperty(USERNAME_COLUMN_NAME, "user");
- this.filterName = params.getFilterName();
+ this.statisticsTableName = FiltersUtils.fillStringPropertyOrDefaultVal(STATISTICS_TABLE_NAME, ctx, "statistics_per_user");
+ this.identityProvidersMapTableName = FiltersUtils.fillStringPropertyOrDefaultVal(IDENTITY_PROVIDERS_MAP_TABLE_NAME, ctx, "statistics_idp");
+ this.serviceProvidersMapTableName = FiltersUtils.fillStringPropertyOrDefaultVal(SERVICE_PROVIDERS_MAP_TABLE_NAME, ctx, "statistics_sp");
+ this.idpIdColumnName = FiltersUtils.fillStringPropertyOrDefaultVal(IDP_ID_COLUMN_NAME, ctx, "idpId");
+ this.spIdColumnName = FiltersUtils.fillStringPropertyOrDefaultVal(SP_ID_COLUMN_NAME, ctx, "spId");
+ this.usernameColumnName = FiltersUtils.fillStringPropertyOrDefaultVal(USERNAME_COLUMN_NAME, ctx, "user");
}
@Override
- protected String getSessionAppliedParamName() {
- return APPLIED;
- }
-
- @Override
- protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) {
ClientDetailsEntity client = params.getClient();
if (client == null) {
- log.warn("{} - skip execution: no client provided", filterName);
+ log.warn("{} - skip execution: no client provided", getFilterName());
return true;
} else if (!StringUtils.hasText(client.getClientId())) {
- log.warn("{} - skip execution: no client identifier provided", filterName);
+ log.warn("{} - skip execution: no client identifier provided", getFilterName());
return true;
} else if (!StringUtils.hasText(client.getClientName())) {
- log.warn("{} - skip execution: no client name provided", filterName);
+ log.warn("{} - skip execution: no client name provided", getFilterName());
return true;
}
SAMLCredential samlCredential = FiltersUtils.getSamlCredential(req);
if (samlCredential == null) {
log.warn("{} - skip execution: no authN object available, cannot extract user identifier and idp identifier",
- filterName);
+ getFilterName());
return true;
}
String userIdentifier = FiltersUtils.getExtLogin(samlCredential, samlProperties.getUserIdentifierAttribute());
if (!StringUtils.hasText(userIdentifier)) {
- log.warn("{} - skip execution: no user identifier provided", filterName);
+ log.warn("{} - skip execution: no user identifier provided", getFilterName());
return true;
} else if (!StringUtils.hasText(samlCredential.getAttributeAsString(idpEntityIdAttributeName))) {
- log.warn("{} - skip execution: no authenticating idp identifier provided", filterName);
+ log.warn("{} - skip execution: no authenticating idp identifier provided", getFilterName());
return true;
} else if (!StringUtils.hasText(samlCredential.getAttributeAsString(idpNameAttributeName))) {
- log.warn("{} - skip execution: no authenticating idp identifier provided", filterName);
+ log.warn("{} - skip execution: no authenticating idp identifier provided", getFilterName());
return true;
}
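Review bot: The added log line for the missing `idpNameAttributeName` branch repeats the message of the preceding branch ("no authenticating idp identifier provided"), so the two skip reasons cannot be told apart in logs; change it to `log.warn("{} - skip execution: no authenticating idp name provided", getFilterName());`. Separately, the constructor now fills table and column names from configuration with `fillStringPropertyOrDefaultVal`; the later hunks log `table` as part of insert/update statements, which suggests these values are interpolated into SQL as identifiers, so validating them against a plain identifier pattern at construction time (failing with ConfigurationException) would be cheap defence in depth, if that reading is right. `process` continues past the end of the hunk.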
@@ -141,7 +134,7 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
insertOrUpdateLogin(idpEntityId, idpName, clientId, clientName, userIdentifier);
log.info("{} - User identity: {}, service: {}, serviceName: {}, via IdP: {}",
- filterName, userIdentifier, client.getClientId(), client.getClientName(), idpEntityId);
+ getFilterName(), userIdentifier, client.getClientId(), client.getClientName(), idpEntityId);
return true;
}
@@ -158,12 +151,12 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
if (spId == null) {
return;
}
- log.trace("{} - Extracted IDs for SP and IdP: spId={}({}), idpId={}({})",
- filterName, spId, spIdentifier, idpId, idpEntityId);
+ log.debug("{} - Extracted IDs for SP and IdP: spId={}({}), idpId={}({})",
+ getFilterName(), spId, spIdentifier, idpId, idpEntityId);
insertOrUpdateLogin(c, idpId, spId, userId);
} catch (SQLException ex) {
- log.warn("{} - caught SQLException", filterName);
- log.debug("{} - details:", filterName, ex);
+ log.warn("{} - caught SQLException", getFilterName());
+ log.debug("{} - details:", getFilterName(), ex);
}
}
@@ -174,6 +167,7 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
} else {
updateLogin(c, idpId, spId, userId);
}
+ log.info("{} - login info stored in statistics", getFilterName());
}
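Review bot: The new `log.info("{} - login info stored in statistics", getFilterName());` runs unconditionally after `insertLogin`/`updateLogin`, but both of those catch `SQLException` internally and fall through (see the hunks at the insert and update methods later in this file), so the message reports success even when the write failed. Either have the two helpers return a boolean and guard the message with it, or move the message into their success paths next to the existing "Inserted first login"/"Updated login count" debug lines. The enclosing method starts outside the hunk.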
private boolean fetchLogin(Connection c, Long idpId, Long spId, String userId) {
@@ -193,8 +187,8 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
return rs.getInt("res") > 0;
}
} catch (SQLException e) {
- log.warn("{} - caught SQLException when fetching login entry", filterName);
- log.debug("{} - details:", filterName, e);
+ log.warn("{} - caught SQLException when fetching login entry", getFilterName());
+ log.debug("{} - details:", getFilterName(), e);
}
return false;
}
@@ -210,8 +204,8 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
return rs.getLong(spIdColumnName);
}
} catch (SQLException ex) {
- log.warn("{} - caught SQLException when extracting SP ID", filterName);
- log.debug("{} - details:", filterName, ex);
+ log.warn("{} - caught SQLException when extracting SP ID", getFilterName());
+ log.debug("{} - details:", getFilterName(), ex);
}
return null;
}
@@ -227,8 +221,8 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
return rs.getLong(idpIdColumnName);
}
} catch (SQLException ex) {
- log.warn("{} - caught SQLException when extracting IdP ID", filterName);
- log.debug("{} - details:", filterName, ex);
+ log.warn("{} - caught SQLException when extracting IdP ID", getFilterName());
+ log.debug("{} - details:", getFilterName(), ex);
}
return null;
}
@@ -238,11 +232,11 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
if (!Objects.equals(idpName, idpNameInDb)) {
if (idpNameInDb == null) {
if (insertIdpMap(c, idpEntityId, idpName)) {
- log.trace("{} - IdP map entry inserted", filterName);
+ log.debug("{} - IdP map entry inserted", getFilterName());
}
} else {
if (updateIdpMap(c, idpEntityId, idpName)) {
- log.trace("{} - IdP map entry updated", filterName);
+ log.debug("{} - IdP map entry updated", getFilterName());
}
}
}
@@ -276,11 +270,11 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
if (!Objects.equals(spName, spNameInDb)) {
if (spNameInDb == null) {
if (insertSpMap(c, spIdentifier, spName)) {
- log.trace("{} - SP map entry inserted", filterName);
+ log.debug("{} - SP map entry inserted", getFilterName());
}
} else {
if (updateSpMap(c, spIdentifier, spName)) {
- log.trace("{} - SP map entry updated", filterName);
+ log.debug("{} - SP map entry updated", getFilterName());
}
}
}
@@ -307,10 +301,10 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
ps.setString(4, userId);
ps.execute();
log.debug("{} - Inserted first login for combination: idpId={}, spId={}, userId={}",
- filterName, idpId, spId, userId);
+ getFilterName(), idpId, spId, userId);
} catch (SQLException ex) {
- log.warn("{} - caught SQLException when inserting login entry", filterName);
- log.debug("{} - details:", filterName, ex);
+ log.warn("{} - caught SQLException when inserting login entry", getFilterName());
+ log.debug("{} - details:", getFilterName(), ex);
}
}
@@ -329,10 +323,10 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
ps.setString(4, userId);
ps.execute();
log.debug("{} - Updated login count by 1 for combination: idpId={}, spId={}, userId={}",
- filterName, idpId, spId, userId);
+ getFilterName(), idpId, spId, userId);
} catch (SQLException ex) {
- log.warn("{} - caught SQLException when updating login entry", filterName);
- log.debug("{} - details:", filterName, ex);
+ log.warn("{} - caught SQLException when updating login entry", getFilterName());
+ log.debug("{} - details:", getFilterName(), ex);
}
}
@@ -352,12 +346,12 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
ps.setString(1, identifier);
ps.setString(2, name);
ps.execute();
- log.debug("{} - {} entry inserted", filterName, table);
+ log.debug("{} - {} entry inserted", getFilterName(), table);
return true;
} catch (SQLException ex) {
// someone has already inserted it
- log.trace("{} - {} entry failed to insert", filterName, table);
- log.trace("{} - details", filterName, ex);
+ log.debug("{} - {} entry failed to insert", getFilterName(), table);
+ log.debug("{} - details", getFilterName(), ex);
}
return false;
}
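Review bot: The catch block on the new side still treats every SQLException as "someone has already inserted it" and, now that it logs at debug instead of trace, a connection, permission or schema failure on the map insert is indistinguishable from the benign duplicate-key race and is effectively hidden in production logs. The duplicate case can be recognised from the SQLSTATE class ("23" is the standard integrity-constraint-violation class, though the exact code is driver-dependent), and everything else deserves a warn with the exception attached. The rest of insertMap (the statement preparation) is outside this hunk.
```java
} catch (SQLException ex) {
    String state = ex.getSQLState();
    if (state != null && state.startsWith("23")) {
        // SQLSTATE class 23 = integrity constraint violation: concurrent insert of the same row
        log.debug("{} - {} entry failed to insert", getFilterName(), table);
        log.debug("{} - details", getFilterName(), ex);
    } else {
        log.warn("{} - {} entry failed to insert", getFilterName(), table, ex);
    }
}
```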
@@ -377,11 +371,11 @@ public class ProxyStatisticsFilter extends AuthProcFilter {
ps.setString(1, name);
ps.setString(2, identifier);
ps.execute();
- log.debug("{} - {} entry updated", filterName, table);
+ log.debug("{} - {} entry updated", getFilterName(), table);
return true;
} catch (SQLException ex) {
- log.trace("{} - {} map entry failed to update", filterName, table);
- log.trace("{} - details", filterName);
+ log.debug("{} - {} map entry failed to update", getFilterName(), table);
+ log.debug("{} - details", getFilterName());
}
return false;
}
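Review bot: The second debug line in the catch block drops the exception: `log.debug("{} - details", getFilterName());` has no `ex` argument, so unlike the sibling insertMap catch the stack trace and SQLSTATE of a failed map update are never logged, and the method just returns false. The fix is `log.debug("{} - details", getFilterName(), ex);`. As with insertMap, the catch-all SQLException at debug level also means a persistent DB failure on updates surfaces nowhere above debug; consider warn for anything that is not an integrity-constraint violation. The start of updateMap is outside this hunk.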
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java
index e3d4d2cf9..25f8e6b69 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java
@@ -1,19 +1,18 @@
package cz.muni.ics.oidc.server.filters.impl;
-import cz.muni.ics.oidc.BeanUtil;
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
import cz.muni.ics.oidc.models.Facility;
import cz.muni.ics.oidc.models.PerunAttributeValue;
import cz.muni.ics.oidc.models.PerunUser;
import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
-import cz.muni.ics.oidc.server.filters.FilterParams;
-import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
-import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterCommonVars;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterInitContext;
+import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
import java.util.HashSet;
-import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -27,6 +26,7 @@ import org.springframework.util.StringUtils;
* the environment the service is in.
*
* Configuration (replace [name] part with the name defined for the filter):
+ * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
*
* - filter.[name].allEnvGroups - Comma separated list of GROUP IDs the user must be always member of
* - filter.[name].allEnvGroups - Comma separated list of VO IDs the user must be always member of
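Review bot: The configuration table this `@see` is added to documents `filter.[name].allEnvGroups` twice, the second time as the list of VO IDs; given the `ALL_ENV_VOS = "allEnvVos"` constant used by the filter, that line should read `* - filter.[name].allEnvVos - Comma separated list of VO IDs the user must be always member of`. Since the commit touches this Javadoc anyway, fixing the key here avoids an operator configuring the wrong property and silently getting an empty VO set. The remaining configuration lines of this Javadoc are outside the hunk.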
@@ -46,8 +46,6 @@ import org.springframework.util.StringUtils;
@Slf4j
public class ValidUserFilter extends AuthProcFilter {
- public static final String APPLIED = "APPLIED_" + ValidUserFilter.class.getSimpleName();
-
/* CONFIGURATION OPTIONS */
private static final String ALL_ENV_GROUPS = "allEnvGroups";
private static final String ALL_ENV_VOS = "allEnvVos";
@@ -66,85 +64,92 @@ public class ValidUserFilter extends AuthProcFilter {
private final PerunAdapter perunAdapter;
private final FacilityAttrsConfig facilityAttrsConfig;
- private final String filterName;
private final PerunOidcConfig config;
- public ValidUserFilter(AuthProcFilterParams params) {
- super(params);
- BeanUtil beanUtil = params.getBeanUtil();
- this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
- this.facilityAttrsConfig = beanUtil.getBean(FacilityAttrsConfig.class);
+ public ValidUserFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
+ super(ctx);
+ this.perunAdapter = ctx.getPerunAdapterBean();
+ this.config = ctx.getPerunOidcConfigBean();
+ this.facilityAttrsConfig = ctx.getBeanUtil().getBean(FacilityAttrsConfig.class);
- this.allEnvGroups = this.getIdsFromParam(params, ALL_ENV_GROUPS);
- this.allEnvVos = this.getIdsFromParam(params, ALL_ENV_VOS);
- this.testEnvGroups = this.getIdsFromParam(params, TEST_ENV_GROUPS);
- this.testEnvVos = this.getIdsFromParam(params, TEST_ENV_VOS);
- this.prodEnvGroups = this.getIdsFromParam(params, PROD_ENV_GROUPS);
- this.prodEnvVos = this.getIdsFromParam(params, PROD_ENV_VOS);
- this.filterName = params.getFilterName();
- this.config = beanUtil.getBean(PerunOidcConfig.class);
+ this.allEnvGroups = getIdsFromParam(ctx, ALL_ENV_GROUPS);
+ this.allEnvVos = getIdsFromParam(ctx, ALL_ENV_VOS);
+ this.testEnvGroups = getIdsFromParam(ctx, TEST_ENV_GROUPS);
+ this.testEnvVos = getIdsFromParam(ctx, TEST_ENV_VOS);
+ this.prodEnvGroups = getIdsFromParam(ctx, PROD_ENV_GROUPS);
+ this.prodEnvVos = getIdsFromParam(ctx, PROD_ENV_VOS);
+
+ if (allSetsEmpty()) {
+ throw new ConfigurationException("All sets are configured to be empty");
+ }
+ }
+
+ private boolean allSetsEmpty() {
+ return allEnvVos.isEmpty() && allEnvGroups.isEmpty()
+ && prodEnvVos.isEmpty() && prodEnvGroups.isEmpty()
+ && testEnvVos.isEmpty() && testEnvGroups.isEmpty();
}
@Override
- protected String getSessionAppliedParamName() {
- return APPLIED;
- }
-
- @Override
- protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
- Set additionalVos = new HashSet<>();
- Set additionalGroups = new HashSet<>();
-
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) {
PerunUser user = params.getUser();
-
if (user == null || user.getId() == null) {
- log.debug("{} - skip filter execution: no user provided", filterName);
+ log.debug("{} - skip filter execution: no user provided", getFilterName());
return true;
}
Facility facility = params.getFacility();
if (facility == null || facility.getId() == null) {
- log.debug("{} - skip filter execution: no facility provided", filterName);
+ log.debug("{} - skip filter execution: no facility provided", getFilterName());
return true;
}
- if (!checkMemberValidInGroupsAndVos(user, facility, res, params, allEnvVos, allEnvGroups,
- PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS)) {
+ if (!checkMemberValidInGroupsAndVos(user, allEnvVos, allEnvGroups)) {
+ redirectCannotAccess(res, facility, user, params.getClientIdentifier(), PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS);
return false;
}
- PerunAttributeValue isTestSp = perunAdapter.getFacilityAttributeValue(facility.getId(), facilityAttrsConfig.getTestSpAttr());
- boolean isTestSpBool = false;
- if (isTestSp != null) {
- isTestSpBool = isTestSp.valueAsBoolean();
+ PerunAttributeValue isTestSpAttrValue = perunAdapter.getFacilityAttributeValue(facility.getId(), facilityAttrsConfig.getTestSpAttr());
+ boolean testService = false;
+ if (isTestSpAttrValue != null) {
+ testService = isTestSpAttrValue.valueAsBoolean();
}
- log.debug("{} - service {} in test env", filterName, (isTestSpBool ? "is" : "is not"));
- if (isTestSpBool) {
- additionalVos.addAll(testEnvVos);
- additionalGroups.addAll(testEnvGroups);
- if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
- additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS)) {
- return false;
- }
+ log.debug("{} - service {} in test env", getFilterName(), (testService ? "is" : "is not"));
+
+ Set vos = new HashSet<>();
+ Set groups = new HashSet<>();
+ String unapprovedMapping;
+ if (testService) {
+ vos.addAll(testEnvVos);
+ groups.addAll(testEnvGroups);
+ unapprovedMapping = PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS;
} else {
- additionalVos.addAll(prodEnvVos);
- additionalGroups.addAll(prodEnvGroups);
-
- if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
- additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS)) {
- return false;
- }
+ vos.addAll(prodEnvVos);
+ groups.addAll(prodEnvGroups);
+ unapprovedMapping = PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS;
+ }
+ if (!checkMemberValidInGroupsAndVos(user, vos, groups)) {
+ log.info("{} - Redirecting to unapproved page with mapping '{}'", getFilterName(), unapprovedMapping);
+ redirectCannotAccess(res, facility, user, params.getClientIdentifier(), unapprovedMapping);
+ return false;
}
- log.info("{} - user satisfies the membership criteria", filterName);
+ log.info("{} - user satisfies the membership criteria", getFilterName());
return true;
}
- private Set getIdsFromParam(AuthProcFilterParams params, String propKey) {
+ private void redirectCannotAccess(HttpServletResponse res, Facility facility, PerunUser user,
+ String clientId, String mapping)
+ {
+ FiltersUtils.redirectUserCannotAccess(config.getConfigBean().getIssuer(), res, facility, user,
+ clientId, facilityAttrsConfig, perunAdapter, mapping);
+ }
+
+ private Set getIdsFromParam(AuthProcFilterInitContext params, String propKey) {
Set result = new HashSet<>();
- String prop = params.getProperty(propKey);
+ String prop = params.getProperty(propKey, "");
if (StringUtils.hasText(prop)) {
String[] parts = prop.split(",");
for (String idStr: parts) {
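Review bot: The first redirect in process() (the mandatory `allEnvVos`/`allEnvGroups` failure) calls `redirectCannotAccess(...)` without the `log.info` that the test/prod branch now emits before its redirect, so an operator reading the log sees only the "user is not member" line from the helper and never learns which mapping the user was sent to; add `log.info("{} - Redirecting to unapproved page with mapping '{}'", getFilterName(), PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS);` before that call. Note also that the new constructor guard only rejects the configuration where all six sets are empty; a deployment with only prod sets configured still reaches the membership check for a test service with two empty sets, and this hunk does not show whether that is accepted or rejected — worth a comment on the guard stating the intended behaviour. The body of getIdsFromParam continues past the end of this hunk.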
@@ -155,26 +160,11 @@ public class ValidUserFilter extends AuthProcFilter {
return result;
}
- private boolean checkMemberValidInGroupsAndVos(
- PerunUser user,
- Facility facility,
- HttpServletResponse response,
- FilterParams params,
- Set vos,
- Set groups,
- String redirectUrl
- ) {
+ private boolean checkMemberValidInGroupsAndVos(PerunUser user, Set vos, Set groups) {
if (!perunAdapter.isValidMemberInGroupsAndVos(user.getId(), vos, groups)) {
- log.info("{} - user is not member in required set of vos and groups", filterName);
+ log.info("{} - user is not member in required set of vos and groups", getFilterName());
log.debug("{} - user: '{}', vos: '{}', groups: '{}'",
- filterName, user.getId(), vos, groups);
-
- Map facilityAttributes = perunAdapter.getFacilityAttributeValues(
- facility, facilityAttrsConfig.getMembershipAttrNames());
-
- FiltersUtils.redirectUserCannotAccess(config.getConfigBean().getIssuer(), response, facility, user,
- params.getClientIdentifier(), facilityAttrsConfig, facilityAttributes, perunAdapter, redirectUrl);
-
+ getFilterName(), user.getId(), vos, groups);
return false;
}
return true;
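Review bot: checkMemberValidInGroupsAndVos now delegates entirely to `perunAdapter.isValidMemberInGroupsAndVos` with whatever sets the caller passes, and nothing in this hunk says what that call returns when both `vos` and `groups` are empty — which the constructor's all-sets-empty guard does not prevent for an individual environment. If the adapter answers true for empty sets, a test-only or prod-only configuration quietly fails open for the other environment. A comment making the expectation explicit would help the next maintainer, e.g. `// NOTE(review): with both sets empty the verdict is the adapter's — confirm it rejects rather than vacuously accepts`. The method's opening brace is on the new-side signature line inside the hunk; the closing brace is outside it.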
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/mdc/RemoteAddressMDCFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/mdc/RemoteAddressMDCFilter.java
deleted file mode 100644
index 541b39c0d..000000000
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/mdc/RemoteAddressMDCFilter.java
+++ /dev/null
@@ -1,43 +0,0 @@
-package cz.muni.ics.oidc.server.filters.impl.mdc;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.http.HttpServletRequest;
-import org.slf4j.MDC;
-
-public class RemoteAddressMDCFilter {
-
- private static final String[] IP_HEADER_CANDIDATES = {
- "X-Forwarded-For",
- "Proxy-Client-IP",
- "WL-Proxy-Client-IP",
- "HTTP_X_FORWARDED_FOR",
- "HTTP_X_FORWARDED",
- "HTTP_X_CLUSTER_CLIENT_IP",
- "HTTP_CLIENT_IP",
- "HTTP_FORWARDED_FOR",
- "HTTP_FORWARDED",
- "HTTP_VIA",
- "REMOTE_ADDR"
- };
-
- private static final String REMOTE_ADDR = "remoteAddr";
-
- public void doFilter(ServletRequest servletRequest) {
- MDC.put(REMOTE_ADDR, getRemoteAddr((HttpServletRequest) servletRequest));
- }
-
- private String getRemoteAddr(HttpServletRequest request) {
- if (request.getRemoteAddr() != null) {
- return request.getRemoteAddr();
- }
-
- for (String header: IP_HEADER_CANDIDATES) {
- String ipList = request.getHeader(header);
- if (ipList != null && ipList.length() != 0 && !"unknown".equalsIgnoreCase(ipList)) {
- return ipList.split(",")[0];
- }
- }
- return "-";
- }
-
-}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/mdc/SessionIdMDCFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/mdc/SessionIdMDCFilter.java
deleted file mode 100644
index f4ba622ed..000000000
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/mdc/SessionIdMDCFilter.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package cz.muni.ics.oidc.server.filters.impl.mdc;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.http.HttpServletRequest;
-import org.slf4j.MDC;
-
-public class SessionIdMDCFilter {
-
- private static final int SIZE = 12;
- private static final String SESSION_ID = "sessionID";
-
- public void doFilter(ServletRequest servletRequest) {
- HttpServletRequest req = (HttpServletRequest) servletRequest;
- if (req.getSession() != null) {
- String id = req.getSession().getId();
- if (id != null && id.length() > SIZE) {
- id = id.substring(0, SIZE);
- }
- MDC.put(SESSION_ID, id);
- }
- }
-
-}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/AupController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/AupController.java
index 673801627..9a2055f4a 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/AupController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/AupController.java
@@ -36,7 +36,7 @@ public class AupController {
public static final String URL = "aup";
public static final String NEW_AUPS = "newAups";
- public static final String APPROVED = "approved";
+ public static final String APPROVED = "aup_approved";
public static final String RETURN_URL = "returnUrl";
public static final String USER_ATTR = "userAttr";
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/IsTestSpController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/IsTestSpController.java
index 8445758bc..bac4c8ed0 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/IsTestSpController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/IsTestSpController.java
@@ -1,7 +1,7 @@
package cz.muni.ics.oidc.web.controllers;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_ACCEPTED;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_TARGET;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_ACCEPTED;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_TARGET;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
import cz.muni.ics.oidc.web.WebHtmlClasses;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedController.java
index f56ba35bb..ae1114a99 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedController.java
@@ -1,10 +1,10 @@
package cz.muni.ics.oidc.web.controllers;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_CLIENT_ID;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_HEADER;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_MESSAGE;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_REASON;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_TARGET;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_CLIENT_ID;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_HEADER;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_MESSAGE;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_REASON;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_TARGET;
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
@@ -12,8 +12,6 @@ import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
import cz.muni.ics.oidc.web.WebHtmlClasses;
import cz.muni.ics.openid.connect.view.HttpCodeView;
import java.util.Map;
-import java.util.Properties;
-import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
index 2d36b5e11..3cbb000bc 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
@@ -16,9 +16,9 @@
package cz.muni.ics.openid.connect.web.endpoint;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_TARGET;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_STATE;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_TARGET;
import com.google.common.base.Strings;
import com.google.common.collect.Iterables;