refactor: 💡 Refactored Perun filters as auth_proc filters
parent
cc4add710d
commit
cf358dc2dc
@ -489,7 +489,7 @@
|
|||
|
||||
<bean id="oidcTokenService" class="cz.muni.ics.oidc.server.PerunOIDCTokenService" primary="true"/>
|
||||
|
||||
<bean id="callPerunFiltersFilter" class="cz.muni.ics.oidc.server.filters.CallPerunFiltersFilter"/>
|
||||
<bean id="authProcFilters" class="cz.muni.ics.oidc.server.filters.AuthProcFiltersContainer"/>
|
||||
|
||||
<bean id="htmlClasses" class="cz.muni.ics.oidc.web.WebHtmlClasses">
|
||||
<constructor-arg name="perunOidcConfig" ref="perunOidcConfig"/>
|
||||
|
|
|
@ -251,7 +251,7 @@
|
|||
<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
|
||||
<security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
|
||||
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
|
||||
<security:custom-filter ref="callPerunFiltersFilter" before="LAST"/>
|
||||
<security:custom-filter ref="authProcFilters" before="LAST"/>
|
||||
<security:logout logout-url="/saml/logout"/>
|
||||
</security:http>
|
||||
|
||||
|
|
|
@ -1,20 +1,14 @@
|
|||
package cz.muni.ics.oidc.server.filters;
|
||||
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.Principal;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.http.HttpSession;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.OrRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
/**
|
||||
* Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this.
|
||||
|
@ -39,7 +33,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public abstract class PerunRequestFilter {
|
||||
public abstract class AuthProcFilter {
|
||||
|
||||
private static final String DELIMITER = ",";
|
||||
private static final String CLIENT_IDS = "clientIds";
|
||||
|
@ -49,7 +43,7 @@ public abstract class PerunRequestFilter {
|
|||
private Set<String> clientIds = new HashSet<>();
|
||||
private Set<String> subs = new HashSet<>();
|
||||
|
||||
public PerunRequestFilter(PerunRequestFilterParams params) {
|
||||
public AuthProcFilter(PerunRequestFilterParams params) {
|
||||
filterName = params.getFilterName();
|
||||
|
||||
if (params.hasProperty(CLIENT_IDS)) {
|
||||
|
@ -65,6 +59,8 @@ public abstract class PerunRequestFilter {
|
|||
log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds);
|
||||
}
|
||||
|
||||
protected abstract String getSessionAppliedParamName();
|
||||
|
||||
/**
|
||||
* In this method is done whole logic of filer
|
||||
*
|
||||
|
@ -73,31 +69,51 @@ public abstract class PerunRequestFilter {
|
|||
* @return boolean if filter was successfully done
|
||||
* @throws IOException this exception could be thrown because of failed or interrupted I/O operation
|
||||
*/
|
||||
protected abstract boolean process(ServletRequest request, ServletResponse response, FilterParams params)
|
||||
protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, FilterParams params)
|
||||
throws IOException;
|
||||
|
||||
public boolean doFilter(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
if (!skip(request)) {
|
||||
public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
|
||||
if (!skip(req)) {
|
||||
log.trace("{} - executing filter", filterName);
|
||||
return this.process(req, res, params);
|
||||
return process(req, res, params);
|
||||
} else {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean skip(HttpServletRequest request) {
|
||||
String sub = (request.getUserPrincipal() != null) ? request.getUserPrincipal().getName() : null;
|
||||
String clientId = request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID);
|
||||
if (hasBeenApplied(request.getSession(true))) {
|
||||
return true;
|
||||
}
|
||||
log.debug("{} - marking filter as applied", filterName);
|
||||
request.getSession(true).setAttribute(getSessionAppliedParamName(), true);
|
||||
return skipForSub(request.getUserPrincipal())
|
||||
|| skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID));
|
||||
}
|
||||
|
||||
private boolean hasBeenApplied(HttpSession sess) {
|
||||
String sessionParamName = getSessionAppliedParamName();
|
||||
if (sess.getAttribute(sessionParamName) != null) {
|
||||
log.debug("{} - skip filter execution: filter has been already applied", filterName);
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean skipForSub(Principal p) {
|
||||
String sub = (p != null) ? p.getName() : null;
|
||||
if (sub != null && subs.contains(sub)) {
|
||||
log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub);
|
||||
return true;
|
||||
} else if (clientId != null && clientIds.contains(clientId)){
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean skipForClientId(String clientId) {
|
||||
if (clientId != null && clientIds.contains(clientId)){
|
||||
log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId);
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
|
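Review bot: In `skip()` the session attribute named by `getSessionAppliedParamName()` is set before `process()` runs and regardless of its outcome, so a filter that stops the request (returns false after a redirect, or throws) is never evaluated again in that session; because the marker is keyed by filter only and not by client_id or facility, a later authorize request for a different client in the same session passes PerunAuthorizationFilter, ValidUserFilter and the other subclasses touched by this commit without re-checking — unless the subclasses' previous per-filter APPLIED handling already behaved this way, which is not visible here. The exception path is the worse half: an I/O failure inside `process()` leaves the marker set, so the retry is fail-open. Consider marking only after a successful `process()` in `doFilter` (sketch below) and keying the attribute on the client id where the decision depends on it. The class javadoc in the first hunk still says filters are called in `CallPerunFiltersFilter`; it should now name `AuthProcFiltersContainer`.
```java
public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
    if (skip(req)) {
        return true;
    }
    log.trace("{} - executing filter", filterName);
    boolean passed = process(req, res, params);
    if (passed) {
        // mark only once the filter let the request through, so a denied or failed run is re-evaluated
        log.debug("{} - marking filter as applied", filterName);
        req.getSession(true).setAttribute(getSessionAppliedParamName(), true);
    }
    return passed;
}

private boolean skip(HttpServletRequest request) {
    if (hasBeenApplied(request.getSession(true))) {
        return true;
    }
    return skipForSub(request.getUserPrincipal())
        || skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID));
}
// … unchanged: hasBeenApplied, skipForSub, skipForClientId …
```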
@ -16,10 +16,12 @@ import java.util.List;
|
|||
import java.util.Properties;
|
||||
import javax.annotation.PostConstruct;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.GenericFilter;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
|
||||
|
@ -36,7 +38,7 @@ import org.springframework.web.filter.GenericFilterBean;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class CallPerunFiltersFilter extends GenericFilterBean {
|
||||
public class AuthProcFiltersContainer extends GenericFilterBean {
|
||||
|
||||
private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN);
|
||||
private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**");
|
||||
|
@ -74,13 +76,15 @@ public class CallPerunFiltersFilter extends GenericFilterBean {
|
|||
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
|
||||
throws IOException, ServletException
|
||||
{
|
||||
HttpServletRequest request = (HttpServletRequest) servletRequest;
|
||||
if (!MATCHER.matches(request)) {
|
||||
log.debug("Custom filters have been skipped, did not match '/authorize' nor '/device/code' request");
|
||||
HttpServletRequest req = (HttpServletRequest) servletRequest;
|
||||
HttpServletResponse res = (HttpServletResponse) servletResponse;
|
||||
if (!MATCHER.matches(req)) {
|
||||
log.debug("Custom filters have been skipped, did not match '{}' nor '{}' request", AUTHORIZE_MATCHER,
|
||||
AUTHORIZE_REQ_PATTERN);
|
||||
} else {
|
||||
List<PerunRequestFilter> filters = perunFiltersContext.getFilters();
|
||||
List<AuthProcFilter> filters = perunFiltersContext.getFilters();
|
||||
if (filters != null && !filters.isEmpty()) {
|
||||
ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(request, authRequestFactory,
|
||||
ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(req, authRequestFactory,
|
||||
clientDetailsEntityService);
|
||||
Facility facility = null;
|
||||
if (client != null && StringUtils.hasText(client.getClientId())) {
|
||||
|
@ -88,20 +92,20 @@ public class CallPerunFiltersFilter extends GenericFilterBean {
|
|||
facility = perunAdapter.getFacilityByClientId(client.getClientId());
|
||||
} catch (Exception e) {
|
||||
log.warn("{} - could not fetch facility for client_id '{}'",
|
||||
CallPerunFiltersFilter.class.getSimpleName(), client.getClientId(), e);
|
||||
AuthProcFiltersContainer.class.getSimpleName(), client.getClientId(), e);
|
||||
}
|
||||
}
|
||||
PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter,
|
||||
PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter,
|
||||
samlProperties.getUserIdentifierAttribute());
|
||||
FilterParams params = new FilterParams(client, facility, user);
|
||||
for (PerunRequestFilter filter : filters) {
|
||||
if (!filter.doFilter(servletRequest, servletResponse, params)) {
|
||||
for (AuthProcFilter filter : filters) {
|
||||
if (!filter.doFilter(req, res, params)) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
filterChain.doFilter(servletRequest, servletResponse);
|
||||
filterChain.doFilter(req, res);
|
||||
}
|
||||
|
||||
}
|
|
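Review bot: The rewritten skip message at the top of the `doFilter` hunk logs `AUTHORIZE_MATCHER` (a RequestMatcher, so its toString) and `AUTHORIZE_REQ_PATTERN`, i.e. the same path twice, whereas the old text named both '/authorize' and '/device/code'; the second placeholder was presumably meant to be the device-code pattern that `MATCHER` also covers, e.g. `log.debug("Custom filters have been skipped, did not match '{}' nor '{}' request", AUTHORIZE_REQ_PATTERN, DEVICE_CHECK_CODE_REQ_PATTERN);` if that constant is in scope here (it is imported in the AuthProcFilter file, not visibly in this one). Separately, the unchanged `catch (Exception e)` around `getFacilityByClientId` leaves `facility` null, and subclasses such as PerunAuthorizationFilter answer `return true` on a null facility, so a failed Perun lookup lets the request through the authorization filters; worth a comment stating that this fail-open is intended, or an error response and `return` if it is not. `doFilter` spans both hunks of this section and the lines between them are not shown.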
@ -16,7 +16,7 @@ import org.springframework.util.StringUtils;
|
|||
* Filters are configured from configuration file in following way:
|
||||
* filter.names=filterName1,filterName2,...
|
||||
*
|
||||
* @see PerunRequestFilter for configuration of filter
|
||||
* @see AuthProcFilter for configuration of filter
|
||||
*
|
||||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
|
@ -27,7 +27,7 @@ public class PerunFiltersContext {
|
|||
private static final String FILTER_CLASS = ".class";
|
||||
private static final String PREFIX = "filter.";
|
||||
|
||||
private final List<PerunRequestFilter> filters;
|
||||
private final List<AuthProcFilter> filters;
|
||||
private final Properties properties;
|
||||
private final BeanUtil beanUtil;
|
||||
|
||||
|
@ -41,17 +41,17 @@ public class PerunFiltersContext {
|
|||
|
||||
log.debug("--------------------------------");
|
||||
for (String filterName: filterNames.split(",")) {
|
||||
PerunRequestFilter requestFilter = loadFilter(filterName);
|
||||
AuthProcFilter requestFilter = loadFilter(filterName);
|
||||
filters.add(requestFilter);
|
||||
log.debug("--------------------------------");
|
||||
}
|
||||
}
|
||||
|
||||
public List<PerunRequestFilter> getFilters() {
|
||||
public List<AuthProcFilter> getFilters() {
|
||||
return filters;
|
||||
}
|
||||
|
||||
private PerunRequestFilter loadFilter(String filterName) {
|
||||
private AuthProcFilter loadFilter(String filterName) {
|
||||
String propPrefix = PerunFiltersContext.PREFIX + filterName;
|
||||
String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null);
|
||||
if (!StringUtils.hasText(filterClass)) {
|
||||
|
@ -62,14 +62,14 @@ public class PerunFiltersContext {
|
|||
|
||||
try {
|
||||
Class<?> rawClazz = Class.forName(filterClass);
|
||||
if (!PerunRequestFilter.class.isAssignableFrom(rawClazz)) {
|
||||
if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) {
|
||||
log.warn("{} - failed to initialized filter: class '{}' does not extend PerunRequestFilter",
|
||||
filterName, filterClass);
|
||||
return null;
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked") Class<PerunRequestFilter> clazz = (Class<PerunRequestFilter>) rawClazz;
|
||||
Constructor<PerunRequestFilter> constructor = clazz.getConstructor(PerunRequestFilterParams.class);
|
||||
@SuppressWarnings("unchecked") Class<AuthProcFilter> clazz = (Class<AuthProcFilter>) rawClazz;
|
||||
Constructor<AuthProcFilter> constructor = clazz.getConstructor(PerunRequestFilterParams.class);
|
||||
PerunRequestFilterParams params = new PerunRequestFilterParams(filterName, propPrefix, properties, beanUtil);
|
||||
return constructor.newInstance(params);
|
||||
} catch (ClassNotFoundException e) {
|
||||
|
|
|
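Review bot: The warn message in the last hunk of `loadFilter` still says the class `does not extend PerunRequestFilter` although the check on the line above is now `AuthProcFilter.class.isAssignableFrom(rawClazz)`; change it to `log.warn("{} - failed to initialize filter: class '{}' does not extend AuthProcFilter", filterName, filterClass);`. That branch returns null, and the caller in the `@ -41` hunk does `filters.add(requestFilter)` with no null check, so a mistyped `filter.<name>.class` property puts a null into the list and every matched request then fails with an NPE in the container's `filter.doFilter` loop; since these are access-control filters, failing at startup with an `IllegalStateException` from `loadFilter` is clearer than a warning plus a null element. `loadFilter` continues past the end of the hunk.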
@ -9,7 +9,7 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
|
||||
import java.util.Map;
|
||||
|
@ -31,7 +31,9 @@ import lombok.extern.slf4j.Slf4j;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunAuthorizationFilter extends PerunRequestFilter {
|
||||
public class PerunAuthorizationFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunAuthorizationFilter.class.getSimpleName();
|
||||
|
||||
private final PerunAdapter perunAdapter;
|
||||
private final FacilityAttrsConfig facilityAttrsConfig;
|
||||
|
@ -48,10 +50,12 @@ public class PerunAuthorizationFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
Facility facility = params.getFacility();
|
||||
if (facility == null || facility.getId() == null) {
|
||||
log.debug("{} - skip filter execution: no facility provided", filterName);
|
||||
|
@ -64,7 +68,7 @@ public class PerunAuthorizationFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
}
|
||||
|
||||
return this.decideAccess(facility, user, request, response, params.getClientIdentifier(),
|
||||
return this.decideAccess(facility, user, req, res, params.getClientIdentifier(),
|
||||
perunAdapter, facilityAttrsConfig);
|
||||
}
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
|
||||
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
|
||||
|
@ -21,6 +21,7 @@ import java.util.Map;
|
|||
import java.util.Set;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.http.HttpHeaders;
|
||||
|
@ -39,7 +40,9 @@ import org.springframework.util.StringUtils;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunEnsureVoMember extends PerunRequestFilter {
|
||||
public class PerunEnsureVoMember extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunEnsureVoMember.class.getSimpleName();
|
||||
|
||||
private static final String TRIGGER_ATTR = "triggerAttr";
|
||||
private static final String VO_DEFS_ATTR = "voDefsAttr";
|
||||
|
@ -68,9 +71,12 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
Facility facility = params.getFacility();
|
||||
if (facility == null || facility.getId() == null) {
|
||||
log.debug("{} - skip execution: no facility provided", filterName);
|
||||
|
@ -100,7 +106,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
|
|||
log.debug("{} - user allowed to continue", filterName);
|
||||
return true;
|
||||
} else {
|
||||
redirect(response, getLoginUrl(facility.getId()), voShortName);
|
||||
redirect(res, getLoginUrl(facility.getId()), voShortName);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -14,7 +14,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.AupController;
|
||||
import java.io.IOException;
|
||||
|
@ -52,7 +52,9 @@ import org.springframework.util.StringUtils;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunForceAupFilter extends PerunRequestFilter {
|
||||
public class PerunForceAupFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunForceAupFilter.class.getSimpleName();
|
||||
|
||||
private static final String DATE_FORMAT = "yyyy-MM-dd";
|
||||
|
||||
|
@ -93,18 +95,20 @@ public class PerunForceAupFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
if (request.getSession() != null && request.getSession().getAttribute(APPROVED) != null) {
|
||||
request.getSession().removeAttribute(APPROVED);
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
|
||||
if (req.getSession() != null && req.getSession().getAttribute(APPROVED) != null) {
|
||||
req.getSession().removeAttribute(APPROVED);
|
||||
log.debug("{} - skip filter execution: aups are already approved, check at next access to the service due" +
|
||||
" to a delayed propagation to LDAP", filterName);
|
||||
return true;
|
||||
}
|
||||
|
||||
PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, samlProperties.getUserIdentifierAttribute());
|
||||
PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute());
|
||||
if (user == null || user.getId() == null) {
|
||||
log.debug("{} - skip filter execution: no user provider", filterName);
|
||||
return true;
|
||||
|
@ -147,13 +151,13 @@ public class PerunForceAupFilter extends PerunRequestFilter {
|
|||
log.trace("{} - AUPS to be approved: '{}'", filterName, newAups);
|
||||
String newAupsString = mapper.writeValueAsString(newAups);
|
||||
|
||||
request.getSession().setAttribute(AupController.RETURN_URL, request.getRequestURI()
|
||||
.replace(request.getContextPath(), "") + '?' + request.getQueryString());
|
||||
request.getSession().setAttribute(AupController.NEW_AUPS, newAupsString);
|
||||
request.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName);
|
||||
req.getSession().setAttribute(AupController.RETURN_URL, req.getRequestURI()
|
||||
.replace(req.getContextPath(), "") + '?' + req.getQueryString());
|
||||
req.getSession().setAttribute(AupController.NEW_AUPS, newAupsString);
|
||||
req.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName);
|
||||
|
||||
log.debug("{} - redirecting user '{}' to AUPs approval page", filterName, user);
|
||||
response.sendRedirect(request.getContextPath() + '/' + AupController.URL);
|
||||
res.sendRedirect(req.getContextPath() + '/' + AupController.URL);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
@ -14,8 +14,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
|
||||
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
|
||||
|
@ -46,7 +45,9 @@ import org.apache.http.HttpHeaders;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
|
||||
public class PerunIsCesnetEligibleFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunIsCesnetEligibleFilter.class.getSimpleName();
|
||||
|
||||
/* CONFIGURATION PROPERTIES */
|
||||
private static final String IS_CESNET_ELIGIBLE_ATTR_NAME = "isCesnetEligibleAttr";
|
||||
|
@ -84,11 +85,13 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
if (!FiltersUtils.isScopePresent(request.getParameter(PARAM_SCOPE), triggerScope)) {
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
if (!FiltersUtils.isScopePresent(req.getParameter(PARAM_SCOPE), triggerScope)) {
|
||||
log.debug("{} - skip execution: scope '{}' is not present in request", filterName, triggerScope);
|
||||
return true;
|
||||
}
|
||||
|
@ -124,7 +127,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
log.debug("{} - attribute '{}' value is invalid, stop user at this point", filterName, attrValue);
|
||||
this.redirect(request, response, reason);
|
||||
this.redirect(req, res, reason);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
@ -10,8 +10,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
|
||||
import cz.muni.ics.oidc.web.controllers.IsTestSpController;
|
||||
|
@ -37,7 +36,9 @@ import org.apache.http.HttpHeaders;
|
|||
* @author Pavol Pluta <500348@mail.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunIsTestSpFilter extends PerunRequestFilter {
|
||||
public class PerunIsTestSpFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getSimpleName();
|
||||
|
||||
private static final String IS_TEST_SP_ATTR_NAME = "isTestSpAttr";
|
||||
|
||||
|
@ -56,14 +57,17 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
|
||||
Facility facility = params.getFacility();
|
||||
if (facility == null || facility.getId() == null) {
|
||||
log.debug("{} - skip execution: no facility provided", filterName);
|
||||
return true;
|
||||
} else if (testSpWarningApproved(request)){
|
||||
} else if (testSpWarningApproved(req)){
|
||||
log.debug("{} - skip execution: warning already approved", filterName);
|
||||
return true;
|
||||
}
|
||||
|
@ -74,7 +78,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
} else if (attrValue.valueAsBoolean()) {
|
||||
log.debug("{} - redirecting user to test SP warning page", filterName);
|
||||
this.redirect(request, response);
|
||||
this.redirect(req, res);
|
||||
return false;
|
||||
}
|
||||
log.debug("{} - service is not testing, let user access it", filterName);
|
||||
|
|
|
@ -8,7 +8,7 @@ import cz.muni.ics.oidc.BeanUtil;
|
|||
import cz.muni.ics.oidc.saml.SamlProperties;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import java.sql.Connection;
|
||||
import java.sql.Date;
|
||||
|
@ -17,10 +17,10 @@ import java.sql.ResultSet;
|
|||
import java.sql.SQLException;
|
||||
import java.time.LocalDate;
|
||||
import java.util.Objects;
|
||||
import java.util.Properties;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.sql.DataSource;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.security.saml.SAMLCredential;
|
||||
|
@ -51,7 +51,9 @@ import org.springframework.util.StringUtils;
|
|||
*/
|
||||
@SuppressWarnings("SqlResolve")
|
||||
@Slf4j
|
||||
public class ProxyStatisticsFilter extends PerunRequestFilter {
|
||||
public class ProxyStatisticsFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + ProxyStatisticsFilter.class.getSimpleName();
|
||||
|
||||
/* CONFIGURATION OPTIONS */
|
||||
private static final String IDP_NAME_ATTRIBUTE_NAME = "idpNameAttributeName";
|
||||
|
@ -97,9 +99,12 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
ClientDetailsEntity client = params.getClient();
|
||||
if (client == null) {
|
||||
log.warn("{} - skip execution: no client provided", filterName);
|
||||
|
@ -112,7 +117,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
}
|
||||
|
||||
SAMLCredential samlCredential = FiltersUtils.getSamlCredential(request);
|
||||
SAMLCredential samlCredential = FiltersUtils.getSamlCredential(req);
|
||||
if (samlCredential == null) {
|
||||
log.warn("{} - skip execution: no authN object available, cannot extract user identifier and idp identifier",
|
||||
filterName);
|
||||
|
|
|
@ -9,7 +9,7 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
|
||||
import java.util.HashSet;
|
||||
|
@ -46,7 +46,9 @@ import org.springframework.util.StringUtils;
|
|||
*/
|
||||
@SuppressWarnings("SqlResolve")
|
||||
@Slf4j
|
||||
public class ValidUserFilter extends PerunRequestFilter {
|
||||
public class ValidUserFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + ValidUserFilter.class.getSimpleName();
|
||||
|
||||
/* CONFIGURATION OPTIONS */
|
||||
private static final String ALL_ENV_GROUPS = "allEnvGroups";
|
||||
|
@ -86,10 +88,12 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
Set<Long> additionalVos = new HashSet<>();
|
||||
Set<Long> additionalGroups = new HashSet<>();
|
||||
|
||||
|
@ -106,7 +110,7 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
}
|
||||
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, allEnvVos, allEnvGroups,
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, res, params, allEnvVos, allEnvGroups,
|
||||
PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS)) {
|
||||
return false;
|
||||
}
|
||||
|
@ -121,7 +125,7 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
additionalVos.addAll(testEnvVos);
|
||||
additionalGroups.addAll(testEnvGroups);
|
||||
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos,
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
|
||||
additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS)) {
|
||||
return false;
|
||||
}
|
||||
|
@ -129,7 +133,7 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
additionalVos.addAll(prodEnvVos);
|
||||
additionalGroups.addAll(prodEnvGroups);
|
||||
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos,
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
|
||||
additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS)) {
|
||||
return false;
|
||||
}
|
||||
|
|
|
@ -12,7 +12,6 @@ public class AuthorizationEndpoint {
|
|||
|
||||
@RequestMapping(value = "/authorize")
|
||||
public RedirectView authorize(HttpServletRequest req) {
|
||||
log.debug("Handling authorize in endpoint");
|
||||
RedirectView view = new RedirectView("/auth/authorize?" + req.getQueryString());
|
||||
view.setContextRelative(true);
|
||||
view.setAttributesMap(req.getParameterMap());
|
||||
|
@ -20,4 +19,6 @@ public class AuthorizationEndpoint {
|
|||
return view;
|
||||
}
|
||||
|
||||
//TODO: handle also device endpoint
|
||||
|
||||
}
|
||||
|
|