From cf358dc2dc69de9d5b68b7b8c3b220293775ac4f Mon Sep 17 00:00:00 2001 From: Dominik Frantisek Bucik Date: Thu, 27 Jan 2022 11:04:15 +0100 Subject: [PATCH] =?UTF-8?q?refactor:=20=F0=9F=92=A1=20Refactored=20Perun?= =?UTF-8?q?=20filters=20as=20auth=5Fproc=20filters?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/webapp/WEB-INF/user-context.xml | 2 +- .../src/main/webapp/WEB-INF/web-context.xml | 2 +- ...RequestFilter.java => AuthProcFilter.java} | 56 ++++++++++++------- ...ter.java => AuthProcFiltersContainer.java} | 26 +++++---- .../server/filters/PerunFiltersContext.java | 16 +++--- .../impl/PerunAuthorizationFilter.java | 16 ++++-- .../filters/impl/PerunEnsureVoMember.java | 16 ++++-- .../filters/impl/PerunForceAupFilter.java | 30 +++++----- .../impl/PerunIsCesnetEligibleFilter.java | 19 ++++--- .../filters/impl/PerunIsTestSpFilter.java | 20 ++++--- .../filters/impl/ProxyStatisticsFilter.java | 17 ++++-- .../server/filters/impl/ValidUserFilter.java | 20 ++++--- .../web/endpoint/AuthorizationEndpoint.java | 3 +- 13 files changed, 147 insertions(+), 96 deletions(-) rename perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/{PerunRequestFilter.java => AuthProcFilter.java} (65%) rename perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/{CallPerunFiltersFilter.java => AuthProcFiltersContainer.java} (81%) diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml index e369125cc..babcb8f80 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml @@ -489,7 +489,7 @@ - + diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml index ea927b36c..39d6253a2 100644 
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -251,7 +251,7 @@
-
+
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java
similarity index 65%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java
index 3d5503c97..f7266b3a1 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java
@@ -1,20 +1,14 @@
 package cz.muni.ics.oidc.server.filters;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN;
-
 import java.io.IOException;
+import java.security.Principal;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.security.web.util.matcher.OrRequestMatcher;
-import org.springframework.security.web.util.matcher.RequestMatcher;
 /**
 * Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this.
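Review bot: The class Javadoc carried as context at the end of this hunk still says all filters are "called in CallPerunFiltersFilter", but this commit renames that class to AuthProcFiltersContainer, so the sentence now points readers at a class that no longer exists. Update it to `* Abstract class for Perun filters. All filters called in AuthProcFiltersContainer have to extend this.`. Since the base class now records in the HTTP session whether it already ran, the same Javadoc should also state that a filter is executed at most once per session, as that is the most surprising property of the new contract.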
@@ -39,7 +33,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher; * @author Dominik Frantisek Bucik */ @Slf4j -public abstract class PerunRequestFilter { +public abstract class AuthProcFilter { private static final String DELIMITER = ","; private static final String CLIENT_IDS = "clientIds"; @@ -49,7 +43,7 @@ public abstract class PerunRequestFilter { private Set clientIds = new HashSet<>(); private Set subs = new HashSet<>(); - public PerunRequestFilter(PerunRequestFilterParams params) { + public AuthProcFilter(PerunRequestFilterParams params) { filterName = params.getFilterName(); if (params.hasProperty(CLIENT_IDS)) { @@ -65,6 +59,8 @@ public abstract class PerunRequestFilter { log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds); } + protected abstract String getSessionAppliedParamName(); + /** * In this method is done whole logic of filer * 
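Review bot: The new abstract `getSessionAppliedParamName()` has no Javadoc, and its contract is the one thing every subclass must get right: the returned name is the session attribute under which the base class records that the filter already ran, so it must be unique per filter class or two filters will silently suppress each other. Suggest `/** Name of the session attribute used to remember that this filter was already applied in the current session; must be unique per filter class. */`. Given that every subclass in this commit returns `"APPLIED_" + <Class>.class.getSimpleName()`, a non-abstract default `protected String getSessionAppliedParamName() { return "APPLIED_" + getClass().getSimpleName(); }` would remove the seven identical overrides, provided the public `APPLIED` constants are not referenced elsewhere.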
@@ -73,31 +69,51 @@ public abstract class PerunRequestFilter { * @return boolean if filter was successfully done * @throws IOException this exception could be thrown because of failed or interrupted I/O operation */ - protected abstract boolean process(ServletRequest request, ServletResponse response, FilterParams params) + protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, FilterParams params) throws IOException; - public boolean doFilter(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletRequest request = (HttpServletRequest) req; - if (!skip(request)) { + public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException { + if (!skip(req)) { log.trace("{} - executing filter", filterName); - return this.process(req, res, params); + return process(req, res, params); } else { return true; } } private boolean skip(HttpServletRequest request) { - String sub = (request.getUserPrincipal() != null) ? request.getUserPrincipal().getName() : null; - String clientId = request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID); + if (hasBeenApplied(request.getSession(true))) { + return true; + } + log.debug("{} - marking filter as applied", filterName); + request.getSession(true).setAttribute(getSessionAppliedParamName(), true); + return skipForSub(request.getUserPrincipal()) + || skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID)); + } + private boolean hasBeenApplied(HttpSession sess) { + String sessionParamName = getSessionAppliedParamName(); + if (sess.getAttribute(sessionParamName) != null) { + log.debug("{} - skip filter execution: filter has been already applied", filterName); + return true; + } + return false; + } + + private boolean skipForSub(Principal p) { + String sub = (p != null) ? 
p.getName() : null; if (sub != null && subs.contains(sub)) { log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub); return true; - } else if (clientId != null && clientIds.contains(clientId)){ + } + return false; + } + + private boolean skipForClientId(String clientId) { + if (clientId != null && clientIds.contains(clientId)){ log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId); return true; } - return false; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java similarity index 81% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java index a4ce091d9..2faea8d35 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java @@ -16,10 +16,12 @@ import java.util.List; import java.util.Properties; import javax.annotation.PostConstruct; import javax.servlet.FilterChain; +import javax.servlet.GenericFilter; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; 
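Review bot: `skip()` writes the applied flag into the session before `process()` runs and regardless of its result, so a filter that returns false (user redirected to an unapproved/AUP page) is never re-evaluated in that session: a user stopped by PerunAuthorizationFilter, PerunEnsureVoMember, ValidUserFilter or PerunIsCesnetEligibleFilter only has to resend the authorize request and the check is skipped and the chain continues. The flag should be written only after `process()` returns true, as in the rewrite below, with `skip()` reduced to a read. The flag is also keyed by filter class alone, not by client_id/facility, so a decision taken for one client is reused for every other client in the same session and ProxyStatisticsFilter records only the first login; for the filters whose outcome depends on the client, the attribute name or a per-client map should include the client identifier. As printed, the old trailing `return false;` is removed and `skipForClientId` gets no replacement, which leaves that method without a return on its fall-through path (the hunk's line counts agree with this reading); the rewrite adds it back. `hasBeenApplied` and `skipForSub` are left as they are.
```java
    public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
        if (skip(req)) {
            return true;
        }
        log.trace("{} - executing filter", filterName);
        boolean passed = process(req, res, params);
        if (passed) {
            // remember only a successful pass, so a denied or redirected user is re-evaluated on the next request
            log.debug("{} - marking filter as applied", filterName);
            req.getSession(true).setAttribute(getSessionAppliedParamName(), true);
        }
        return passed;
    }

    private boolean skip(HttpServletRequest request) {
        if (hasBeenApplied(request.getSession(true))) {
            return true;
        }
        return skipForSub(request.getUserPrincipal())
                || skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID));
    }

    // … unchanged: hasBeenApplied, skipForSub …

    private boolean skipForClientId(String clientId) {
        if (clientId != null && clientIds.contains(clientId)) {
            log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId);
            return true;
        }
        return false;
    }
```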
@@ -36,7 +38,7 @@ import org.springframework.web.filter.GenericFilterBean; * @author Dominik Frantisek Bucik */ @Slf4j -public class CallPerunFiltersFilter extends GenericFilterBean { +public class AuthProcFiltersContainer extends GenericFilterBean { private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN); private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**"); @@ -74,13 +76,15 @@ public class CallPerunFiltersFilter extends GenericFilterBean { public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { - HttpServletRequest request = (HttpServletRequest) servletRequest; - if (!MATCHER.matches(request)) { - log.debug("Custom filters have been skipped, did not match '/authorize' nor '/device/code' request"); + HttpServletRequest req = (HttpServletRequest) servletRequest; + HttpServletResponse res = (HttpServletResponse) servletResponse; + if (!MATCHER.matches(req)) { + log.debug("Custom filters have been skipped, did not match '{}' nor '{}' request", AUTHORIZE_MATCHER, + AUTHORIZE_REQ_PATTERN); } else { - List filters = perunFiltersContext.getFilters(); + List filters = perunFiltersContext.getFilters(); if (filters != null && !filters.isEmpty()) { - ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(request, authRequestFactory, + ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(req, authRequestFactory, clientDetailsEntityService); Facility facility = null; if (client != null && StringUtils.hasText(client.getClientId())) { 
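Review bot: The new debug message in `doFilter` passes `AUTHORIZE_MATCHER` and `AUTHORIZE_REQ_PATTERN` as the two placeholders, so the first renders the matcher object's toString and the second repeats the authorize path; the '/device/code' alternative the old message named is no longer logged at all. Pass the two path constants instead, `log.debug("Custom filters have been skipped, did not match '{}' nor '{}' request", AUTHORIZE_REQ_PATTERN, DEVICE_CHECK_CODE_REQ_PATTERN);`, assuming the device-code constant from PerunFilterConstants is imported in this file as it was in the old PerunRequestFilter. The `javax.servlet.GenericFilter` import added in the import hunk of this file looks unused, since the class still extends GenericFilterBean. doFilter's body continues in the next hunk.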
@@ -88,20 +92,20 @@ public class CallPerunFiltersFilter extends GenericFilterBean { facility = perunAdapter.getFacilityByClientId(client.getClientId()); } catch (Exception e) { log.warn("{} - could not fetch facility for client_id '{}'", - CallPerunFiltersFilter.class.getSimpleName(), client.getClientId(), e); + AuthProcFiltersContainer.class.getSimpleName(), client.getClientId(), e); } } - PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, + PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute()); FilterParams params = new FilterParams(client, facility, user); - for (PerunRequestFilter filter : filters) { - if (!filter.doFilter(servletRequest, servletResponse, params)) { + for (AuthProcFilter filter : filters) { + if (!filter.doFilter(req, res, params)) { return; } } } } - filterChain.doFilter(servletRequest, servletResponse); + filterChain.doFilter(req, res); } } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java index 411b1ec97..04a9b5082 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java @@ -16,7 +16,7 @@ import org.springframework.util.StringUtils; * Filters are configured from configuration file in following way: * filter.names=filterName1,filterName2,... * - * @see PerunRequestFilter for configuration of filter + * @see AuthProcFilter for configuration of filter * * @author Dominik Frantisek Bucik */ @@ -27,7 +27,7 @@ public class PerunFiltersContext { private static final String FILTER_CLASS = ".class"; private static final String PREFIX = "filter."; - private final List filters; + private final List filters; private final Properties properties; private final BeanUtil beanUtil; 
@@ -41,17 +41,17 @@ public class PerunFiltersContext { log.debug("--------------------------------"); for (String filterName: filterNames.split(",")) { - PerunRequestFilter requestFilter = loadFilter(filterName); + AuthProcFilter requestFilter = loadFilter(filterName); filters.add(requestFilter); log.debug("--------------------------------"); } } - public List getFilters() { + public List getFilters() { return filters; } - private PerunRequestFilter loadFilter(String filterName) { + private AuthProcFilter loadFilter(String filterName) { String propPrefix = PerunFiltersContext.PREFIX + filterName; String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null); if (!StringUtils.hasText(filterClass)) { @@ -62,14 +62,14 @@ public class PerunFiltersContext { try { Class rawClazz = Class.forName(filterClass); - if (!PerunRequestFilter.class.isAssignableFrom(rawClazz)) { + if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) { log.warn("{} - failed to initialized filter: class '{}' does not extend PerunRequestFilter", filterName, filterClass); return null; } - @SuppressWarnings("unchecked") Class clazz = (Class) rawClazz; - Constructor constructor = clazz.getConstructor(PerunRequestFilterParams.class); + @SuppressWarnings("unchecked") Class clazz = (Class) rawClazz; + Constructor constructor = clazz.getConstructor(PerunRequestFilterParams.class); PerunRequestFilterParams params = new PerunRequestFilterParams(filterName, propPrefix, properties, beanUtil); return constructor.newInstance(params); } catch (ClassNotFoundException e) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java index f5679b096..35fef0e17 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java 
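Review bot: The warn message in `loadFilter` still says the configured class "does not extend PerunRequestFilter" although the check now tests `AuthProcFilter.class.isAssignableFrom(rawClazz)`, so an operator debugging a misconfigured filter would be pointed at a class that no longer exists. Change it to `log.warn("{} - failed to initialized filter: class '{}' does not extend AuthProcFilter", filterName, filterClass);`. loadFilter's body continues past the end of the hunk.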
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java @@ -9,7 +9,7 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import java.util.Map; @@ -31,7 +31,9 @@ import lombok.extern.slf4j.Slf4j; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunAuthorizationFilter extends PerunRequestFilter { +public class PerunAuthorizationFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunAuthorizationFilter.class.getSimpleName(); private final PerunAdapter perunAdapter; private final FacilityAttrsConfig facilityAttrsConfig; @@ -48,10 +50,12 @@ public class PerunAuthorizationFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { Facility facility = params.getFacility(); if (facility == null || facility.getId() == null) { log.debug("{} - skip filter execution: no facility provided", filterName); 
@@ -64,7 +68,7 @@ public class PerunAuthorizationFilter extends PerunRequestFilter { return true; } - return this.decideAccess(facility, user, request, response, params.getClientIdentifier(), + return this.decideAccess(facility, user, req, res, params.getClientIdentifier(), perunAdapter, facilityAttrsConfig); } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java index e3467b0ef..dfae70056 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java @@ -7,7 +7,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; @@ -21,6 +21,7 @@ import java.util.Map; import java.util.Set; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; import org.apache.http.HttpHeaders; 
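Review bot: This import hunk adds `javax.servlet.http.HttpServletRequest` but keeps `javax.servlet.ServletRequest` and `javax.servlet.ServletResponse`, which the old `process` signature used and the new `process(HttpServletRequest, HttpServletResponse, FilterParams)` no longer does; unless something else in PerunEnsureVoMember still refers to them they are now unused and should be dropped. The import hunk of ProxyStatisticsFilter later in this patch has the same leftover pair.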
@@ -39,7 +40,9 @@ import org.springframework.util.StringUtils; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunEnsureVoMember extends PerunRequestFilter { +public class PerunEnsureVoMember extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunEnsureVoMember.class.getSimpleName(); private static final String TRIGGER_ATTR = "triggerAttr"; private static final String VO_DEFS_ATTR = "voDefsAttr"; @@ -68,9 +71,12 @@ public class PerunEnsureVoMember extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { Facility facility = params.getFacility(); if (facility == null || facility.getId() == null) { log.debug("{} - skip execution: no facility provided", filterName); @@ -100,7 +106,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter { log.debug("{} - user allowed to continue", filterName); return true; } else { - redirect(response, getLoginUrl(facility.getId()), voShortName); + redirect(res, getLoginUrl(facility.getId()), voShortName); return false; } } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java index 25d630e81..62c912d9b 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java 
@@ -14,7 +14,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.AupController; import java.io.IOException; @@ -52,7 +52,9 @@ import org.springframework.util.StringUtils; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunForceAupFilter extends PerunRequestFilter { +public class PerunForceAupFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunForceAupFilter.class.getSimpleName(); private static final String DATE_FORMAT = "yyyy-MM-dd"; 
@@ -93,18 +95,20 @@ public class PerunForceAupFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } - if (request.getSession() != null && request.getSession().getAttribute(APPROVED) != null) { - request.getSession().removeAttribute(APPROVED); + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException { + if (req.getSession() != null && req.getSession().getAttribute(APPROVED) != null) { + req.getSession().removeAttribute(APPROVED); log.debug("{} - skip filter execution: aups are already approved, check at next access to the service due" + " to a delayed propagation to LDAP", filterName); return true; } - PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, samlProperties.getUserIdentifierAttribute()); + PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute()); if (user == null || user.getId() == null) { log.debug("{} - skip filter execution: no user provider", filterName); return true; 
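Review bot: The `APPROVED` branch at the top of `process` still returns true with the message "check at next access to the service due to a delayed propagation to LDAP", but now that the base class marks the filter as applied for the whole session there is no next check in that session: once this branch (or any successful pass) runs, the user's AUP state is not re-read until the session ends. If the deferred re-check is still intended, this filter needs to opt out of the session flag or clear its applied attribute in this branch; otherwise the message should stop promising it, e.g. `log.debug("{} - skip filter execution: aups are already approved in this session", filterName);`. The `req.getSession() != null` guard is now always true because `AuthProcFilter.skip()` calls `getSession(true)` before `process`, so it can go. process continues beyond this hunk.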
@@ -147,13 +151,13 @@ public class PerunForceAupFilter extends PerunRequestFilter { log.trace("{} - AUPS to be approved: '{}'", filterName, newAups); String newAupsString = mapper.writeValueAsString(newAups); - request.getSession().setAttribute(AupController.RETURN_URL, request.getRequestURI() - .replace(request.getContextPath(), "") + '?' + request.getQueryString()); - request.getSession().setAttribute(AupController.NEW_AUPS, newAupsString); - request.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName); + req.getSession().setAttribute(AupController.RETURN_URL, req.getRequestURI() + .replace(req.getContextPath(), "") + '?' + req.getQueryString()); + req.getSession().setAttribute(AupController.NEW_AUPS, newAupsString); + req.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName); log.debug("{} - redirecting user '{}' to AUPs approval page", filterName, user); - response.sendRedirect(request.getContextPath() + '/' + AupController.URL); + res.sendRedirect(req.getContextPath() + '/' + AupController.URL); return false; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java index a51236965..6076b4ca4 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java 
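Review bot: `RETURN_URL` is built as `req.getRequestURI().replace(req.getContextPath(), "") + '?' + req.getQueryString()`, and `getQueryString()` returns null when the request carries no query string, so the stored return URL would end in the literal `?null`; these lines are only renamed by the commit, but they are the new side under review. An authorize request practically always has a query string, yet the container also matches the device endpoints, so a guard is cheap: `String query = req.getQueryString();` and `... + (query != null ? "?" + query : "")`. `String.replace` also strips the context path wherever it occurs in the URI rather than only as a prefix; a `startsWith`-based strip would be more precise. process starts before this hunk.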
@@ -14,8 +14,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunFilterConstants; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; @@ -46,7 +45,9 @@ import org.apache.http.HttpHeaders; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunIsCesnetEligibleFilter extends PerunRequestFilter { +public class PerunIsCesnetEligibleFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunIsCesnetEligibleFilter.class.getSimpleName(); /* CONFIGURATION PROPERTIES */ private static final String IS_CESNET_ELIGIBLE_ATTR_NAME = "isCesnetEligibleAttr"; @@ -84,11 +85,13 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } - if (!FiltersUtils.isScopePresent(request.getParameter(PARAM_SCOPE), triggerScope)) { + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { + if (!FiltersUtils.isScopePresent(req.getParameter(PARAM_SCOPE), triggerScope)) { log.debug("{} - skip execution: scope '{}' is not present in request", filterName, triggerScope); return true; } 
@@ -124,7 +127,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter { } log.debug("{} - attribute '{}' value is invalid, stop user at this point", filterName, attrValue); - this.redirect(request, response, reason); + this.redirect(req, res, reason); return false; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java index d027eed43..2001378c9 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java @@ -10,8 +10,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunFilterConstants; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.IsTestSpController; @@ -37,7 +36,9 @@ import org.apache.http.HttpHeaders; * @author Pavol Pluta <500348@mail.muni.cz> */ @Slf4j -public class PerunIsTestSpFilter extends PerunRequestFilter { +public class PerunIsTestSpFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getSimpleName(); private static final String IS_TEST_SP_ATTR_NAME = "isTestSpAttr"; 
@@ -56,14 +57,17 @@ public class PerunIsTestSpFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException { Facility facility = params.getFacility(); if (facility == null || facility.getId() == null) { log.debug("{} - skip execution: no facility provided", filterName); return true; - } else if (testSpWarningApproved(request)){ + } else if (testSpWarningApproved(req)){ log.debug("{} - skip execution: warning already approved", filterName); return true; } @@ -74,7 +78,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter { return true; } else if (attrValue.valueAsBoolean()) { log.debug("{} - redirecting user to test SP warning page", filterName); - this.redirect(request, response); + this.redirect(req, res); return false; } log.debug("{} - service is not testing, let user access it", filterName); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java index 6a9f90326..771ca3e3d 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java 
@@ -8,7 +8,7 @@ import cz.muni.ics.oidc.BeanUtil; import cz.muni.ics.oidc.saml.SamlProperties; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import java.sql.Connection; import java.sql.Date; @@ -17,10 +17,10 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.time.LocalDate; import java.util.Objects; -import java.util.Properties; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import javax.sql.DataSource; import lombok.extern.slf4j.Slf4j; import org.springframework.security.saml.SAMLCredential; @@ -51,7 +51,9 @@ import org.springframework.util.StringUtils; */ @SuppressWarnings("SqlResolve") @Slf4j -public class ProxyStatisticsFilter extends PerunRequestFilter { +public class ProxyStatisticsFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + ProxyStatisticsFilter.class.getSimpleName(); /* CONFIGURATION OPTIONS */ private static final String IDP_NAME_ATTRIBUTE_NAME = "idpNameAttributeName"; @@ -97,9 +99,12 @@ public class ProxyStatisticsFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { ClientDetailsEntity client = params.getClient(); if (client == null) { log.warn("{} - skip execution: no client provided", filterName); 
@@ -112,7 +117,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter { return true; } - SAMLCredential samlCredential = FiltersUtils.getSamlCredential(request); + SAMLCredential samlCredential = FiltersUtils.getSamlCredential(req); if (samlCredential == null) { log.warn("{} - skip execution: no authN object available, cannot extract user identifier and idp identifier", filterName); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java index bf05d8c69..07b948f48 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java @@ -9,7 +9,7 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import java.util.HashSet; @@ -46,7 +46,9 @@ import org.springframework.util.StringUtils; */ @SuppressWarnings("SqlResolve") @Slf4j -public class ValidUserFilter extends PerunRequestFilter { +public class ValidUserFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + ValidUserFilter.class.getSimpleName(); /* CONFIGURATION OPTIONS */ private static final String ALL_ENV_GROUPS = "allEnvGroups"; 
@@ -86,10 +88,12 @@ public class ValidUserFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { Set additionalVos = new HashSet<>(); Set additionalGroups = new HashSet<>(); @@ -106,7 +110,7 @@ public class ValidUserFilter extends PerunRequestFilter { return true; } - if (!checkMemberValidInGroupsAndVos(user, facility, response, params, allEnvVos, allEnvGroups, + if (!checkMemberValidInGroupsAndVos(user, facility, res, params, allEnvVos, allEnvGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS)) { return false; } @@ -121,7 +125,7 @@ public class ValidUserFilter extends PerunRequestFilter { additionalVos.addAll(testEnvVos); additionalGroups.addAll(testEnvGroups); - if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos, + if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos, additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS)) { return false; } @@ -129,7 +133,7 @@ public class ValidUserFilter extends PerunRequestFilter { additionalVos.addAll(prodEnvVos); additionalGroups.addAll(prodEnvGroups); - if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos, + if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos, additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS)) { return false; } 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java
index 4191449c6..f2d6022bf 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java
@@ -12,7 +12,6 @@ public class AuthorizationEndpoint {
 @RequestMapping(value = "/authorize")
 public RedirectView authorize(HttpServletRequest req) {
- log.debug("Handling authorize in endpoint");
 RedirectView view = new RedirectView("/auth/authorize?" + req.getQueryString());
 view.setContextRelative(true);
 view.setAttributesMap(req.getParameterMap());
@@ -20,4 +19,6 @@ public class AuthorizationEndpoint {
 return view;
 }
+ //TODO: handle also device endpoint
+
 }