Merge pull request #208 from dBucik/ice

feat: IsEligible authproc filter and claim source

Author: Dominik František Bučík

perun-oidc-server-webapp/src/main/resources/localization/messages_cs.properties

@@ -75,10 +75,6 @@ contact_p=V p\u0159\u00EDpad\u011B nejasnost\u00ED n\u00E1s kontaktujte na
 403_informationPage=Pro v\u00EDce informac\u00ED o slu\u017Eb\u011B nav\u0161tivte
 403_contactSupport=Pokud si mysl\u00EDte \u017Ee m\u00E1te m\u00EDt p\u0159\u00EDstup, kontaktujte administr\u00E1tora:
 403_subject=Probl\u00E9m s p\u0159ihl\u00E1\u0161en\u00EDm do slu\u017Eby
-403_isCesnetEligible_notSet_hdr=P\u0159\u00EDstup zam\u00EDtnut
-403_isCesnetEligible_notSet_msg=P\u0159\u00EDstup ke slu\u017Eb\u011B zam\u00EDtnut, proto\u017Ee V\u00E1\u0161 \u00FA\u010Det nen\u00ED z \u010Desk\u00E9 akademick\u00E9 instituce. P\u0159ihlaste se, pros\u00EDm, pomoc\u00ED sv\u00E9ho \u00FA\u010Dtu u akademick\u00E9 instituce.<br/><a class="mt-2 cw btn btn-primary btn-lg btn-block" href="%%TARGET%%">Znovu p\u0159ihl\u00E1sit</a>
-403_isCesnetEligible_expired_hdr=P\u0159\u00EDstup zam\u00EDtnut
-403_isCesnetEligible_expired_msg=P\u0159\u00EDstup ke slu\u017Eb\u011B zam\u00EDtnut, proto\u017Ee plynula doba 12 m\u011Bs\u00EDc\u016F od Va\u0161eho posledn\u00EDho p\u0159ihl\u00E1\u0161en\u00ED \u00FA\u010Dtem z \u010Desk\u00E9 akademick\u00E9 instituce. P\u0159ihlaste se, pros\u00EDm, pomoc\u00ED sv\u00E9ho \u00FA\u010Dtu u akademick\u00E9 instituce.<br/><a class="mt-2 cw btn btn-lg btn-primary btn-block" href="%%TARGET%%">Znovu p\u0159ihl\u00E1sit</a>
 403_ensure_vo_hdr=P\u0159\u00EDstup zam\u00EDtnut
 403_ensure_vo_msg=Nem\u00E1te dostate\u010Dn\u00E1 pr\u00E1va pro p\u0159\u00EDstup ke slu\u017Eb\u011B
 403_authorization_hdr=P\u0159\u00EDstup zam\u00EDtnut
@@ -92,6 +88,11 @@ contact_p=V p\u0159\u00EDpad\u011B nejasnost\u00ED n\u00E1s kontaktujte na
 403_not_logged_in_hdr=P\u0159\u00EDstup zam\u00EDtnut
 403_not_logged_in_msg=Zd\u00E1 se, \u017Ee p\u0159ihl\u00E1\u0161en\u00ED selhalo. Zkuste, pros\u00EDm, zav\u0159\u00EDt V\u00E1\u0161 prohl\u00ED\u017Ee\u010D a p\u0159ihl\u00E1sit se znovu.
 
+403_is_eligible_default_header_text=P\u0159\u00EDstup zam\u00EDtnut
+403_is_eligible_default_text=P\u0159\u00EDstup ke slu\u017Eb\u011B byl zam\u00EDtnut, proto\u017Ee V\u00E1\u0161 \u00FA\u010Det nespl\u0148uje pomd\u00EDnky p\u0159\u00EDstupu. P\u0159ihlaste se, pros\u00EDme, pomoc\u00ED jin\u00E9ho \u00FA\u010Dtu.
+403_is_eligible_default_button_text=Pokra\u010Dovat
+403_is_eligible_default_contact_text=Pokud si mysl\u00EDte, \u017Ee pou\u017E\u00EDv\u00E1te spr\u00E1vn\u00FD \u00FA\u010Det a p\u0159\u00EDstup je V\u00E1m odm\u00EDtnut nepr\u00E1vem, pros\u00EDme kontakujte n\u00E1s na
+
 #GO TO REGISTRATION
 go_to_registration_title=Je vy\u017Eadov\u00E1na Va\u0161e aktivita
 go_to_registration_header1=Pro p\u0159\u00EDstup ke slu\u017Eb\u011B

perun-oidc-server-webapp/src/main/resources/localization/messages_en.properties

@@ -74,10 +74,6 @@ contact_p=In case of any questions, do not hesitate to contact us at
 403_informationPage=For more information about this service please visit this
 403_contactSupport=If you think you should have an access contact service operator at
 403_subject=Problem with login to service:
-403_isCesnetEligible_notSet_hdr=Access denied
-403_isCesnetEligible_notSet_msg=Your account is not from Czech academic institution. Please log in with your account from academic institution.<a class="mt-2 cw btn btn-primary btn-lg btn-block" href="%%TARGET%%">Log in again</a>
-403_isCesnetEligible_expired_hdr=Access denied
-403_isCesnetEligible_expired_msg=Your last login, from Czech academic institution, has been registered 12 months ago. Please sign in with your account from academic institution.<a class="mt-2 cw btn btn-primary btn-lg btn-block" href="%%TARGET%%">Log in again</a>
 403_ensure_vo_hdr=Access denied
 403_ensure_vo_msg=You don't meet the prerequisites to access the service.
 403_authorization_hdr=Access denied
@@ -91,6 +87,11 @@ contact_p=In case of any questions, do not hesitate to contact us at
 403_not_logged_in_hdr=Access denied
 403_not_logged_in_msg=It appears the login process has failed. Please close your browser and try to log in again.
 
+403_is_eligible_default_header_text=Access denied
+403_is_eligible_default_text=Your account does not meet the criteria for accessing the service. Please log in with other account.
+403_is_eligible_default_button_text=Continue with other account.
+403_is_eligible_default_contact_text=If you think you have used an account which meets the criteria, and you are still prevented from logging in to the service, please contact us at
+
 #GO TO REGISTRATION
 go_to_registration_title=Your activity is necessary
 go_to_registration_header1=Your activity is necessary to access the

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_is_eligible.jsp

@@ -0,0 +1,21 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+<div class="error_message" style="word-wrap: break-word;">
+    <h1><spring:message code="${outHeader}"/></h1>
+    <p><spring:message code="${outMessage}"/></p>
+    <c:if test="${hasTarget}">
+        <form method="POST" action="" class="mb-4">
+            <button class="btn btn-primary btn-block"><spring:message code="${outButton}"/></button>
+        </form>
+    </c:if>
+    <p><spring:message code="${outContactP}"/>${" "}<a href="mailto:${contactMail}">${contactMail}</a></p>
+</div>
+
+<ls:footer/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/unapproved_is_eligible.jsp

@@ -0,0 +1,35 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8" trimDirectiveWhitespaces="true" %>
+<%@ page import="java.util.ArrayList" %>
+<%@ page import="java.util.List" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common"%>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+
+<%
+
+List<String> cssLinks = new ArrayList<>();
+
+pageContext.setAttribute("cssLinks", cssLinks);
+
+%>
+
+<t:header title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" cssLinks="${cssLinks}" theme="${theme}"/>
+
+</div> <%-- header --%>
+
+<div id="content">
+    <div class="error_message" style="word-wrap: break-word;">
+        <h1><spring:message code="${outHeader}"/></h1>
+        <p><spring:message code="${outMessage}"/></p>
+        <c:if test="${hasTarget}">
+            <form method="POST" action="" class="mb-4">
+                <button class="btn btn-primary btn-block"><spring:message code="${outButton}"/></button>
+            </form>
+        </c:if>
+        <p><spring:message code="${outContactP}"/>${" "}<a href="mailto:${contactMail}">${contactMail}</a></p>
+    </div>
+</div>
+</div><!-- ENDWRAP -->
+
+<t:footer baseURL="${baseURL}" theme="${theme}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml

@@ -65,7 +65,7 @@
             <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
             <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
             <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
-            <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
+            <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_ELIGIBLE_MAPPING}**" />
             <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
             <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
             <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />

perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/ClaimUtils.java

@@ -65,6 +65,23 @@ private static boolean fillBooleanPropertyOrDefaultVal(String prop, boolean defa
         }
     }
 
+    public static int fillIntegerPropertyOrDefaultVal(String suffix, ClaimSourceInitContext ctx, int defaultVal) {
+        return fillIntegerPropertyOrDefaultVal(ctx.getProperty(suffix, NO_VALUE), defaultVal);
+    }
+
+    private static int fillIntegerPropertyOrDefaultVal(String prop, int defaultVal) {
+        if (StringUtils.hasText(prop)) {
+            try {
+                return Integer.parseInt(prop);
+            } catch (NumberFormatException e) {
+                log.warn("Caught {}", e.getClass().getSimpleName(), e);
+                return defaultVal;
+            }
+        } else {
+            return defaultVal;
+        }
+    }
+
     public static ArrayNode listToArrayNode(List<String> list) {
         ArrayNode res = JsonNodeFactory.instance.arrayNode();
         if (list != null && !list.isEmpty()) {

perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/IsEligibleClaimSource.java

@@ -0,0 +1,98 @@
+package cz.muni.ics.oidc.server.claims.sources;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.JsonNodeFactory;
+import cz.muni.ics.oauth2.model.SamlAuthenticationDetails;
+import cz.muni.ics.oidc.server.claims.ClaimSource;
+import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext;
+import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext;
+import cz.muni.ics.oidc.server.claims.ClaimUtils;
+import java.time.LocalDate;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
+import java.time.format.DateTimeParseException;
+import java.util.Collections;
+import java.util.Set;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.util.StringUtils;
+
+/**
+ * This source checks if the timestamp is within defined months subtracted from the current timestamp.
+ * If so, returns TRUE, FALSE otherwise.
+ *
+ * Configuration (replace [claimName] with the name of the claim):
+ * <ul>
+ *     <li><b>custom.claim.[claimName].source.attribute</b> - attribute containing the eligibility last seen timestamp passed via SAML authentication</li>
+ *     <li><b>custom.claim.[claimName].source.validityPeriodMonths</b> - amount of months that we subtract from the current timestamp and compare it with the eligibility timestamp. If not provided, default 12 months is used</li>
+ * </ul>
+ *
+ * @author Pavol Pluta <[email protected]>
+ * @author Dominik Frantisek Bucik <[email protected]>
+ */
+@Slf4j
+public class IsEligibleClaimSource extends ClaimSource {
+
+    private static final String TIMESTAMP_FORMAT = "yyyy-MM-dd HH:mm:ss";
+    private static final int DEFAULT_VALIDITY_PERIOD = 12; // 12 months
+
+    private static final String SOURCE_ATTR_NAME = "attribute";
+    private static final String VALIDITY_PERIOD_MONTHS = "validityPeriodMonths";
+
+    private final String sourceAttr;
+    private final int validityPeriodMonths;
+
+    public IsEligibleClaimSource(ClaimSourceInitContext ctx) {
+        super(ctx);
+
+        this.sourceAttr = ClaimUtils.fillStringMandatoryProperty(SOURCE_ATTR_NAME, ctx, getClaimName());
+        this.validityPeriodMonths = ClaimUtils.fillIntegerPropertyOrDefaultVal(VALIDITY_PERIOD_MONTHS, ctx, DEFAULT_VALIDITY_PERIOD);
+        log.debug("{} - SAML attribute: '{}', validity period in months: '{}'", getClaimName(), sourceAttr, validityPeriodMonths);
+    }
+
+    @Override
+    public Set<String> getAttrIdentifiers() {
+        return Collections.singleton(sourceAttr);
+    }
+
+    @Override
+    public JsonNode produceValue(ClaimSourceProduceContext pctx) {
+        SamlAuthenticationDetails details = pctx.getSamlAuthenticationDetails();
+        if (details == null || details.getAttributes() == null || details.getAttributes().isEmpty()) {
+            log.warn("{} - no attribute set to get the source attribute from, returning FALSE", getClaimName());
+            return JsonNodeFactory.instance.booleanNode(false);
+        }
+        String[] attrValue = details.getAttributes().getOrDefault(sourceAttr, new String[] {});
+        if (attrValue == null || attrValue.length == 0) {
+            log.warn("{} - no attribute to construct value from, returning FALSE", getClaimName());
+            return JsonNodeFactory.instance.booleanNode(false);
+        } else {
+            if (attrValue.length > 1)  {
+                log.warn("{} - configured source attribute '{}' has more than one value, will use just the first one", getClaimName(), sourceAttr);
+            }
+            String timestamp = attrValue[0];
+            return JsonNodeFactory.instance.booleanNode(isEligible(timestamp));
+        }
+    }
+
+    private boolean isEligible(String eligibleLastSeenValue) {
+        if (!StringUtils.hasText(eligibleLastSeenValue)) {
+            return false;
+        }
+        LocalDate eligibleLastSeenTimestamp;
+        try {
+            DateTimeFormatter formatter = DateTimeFormatter.ofPattern(TIMESTAMP_FORMAT);
+            eligibleLastSeenTimestamp = LocalDate.parse(eligibleLastSeenValue, formatter);
+        } catch (DateTimeParseException e) {
+            log.warn("{} - could not parse value '{}' as timestamp in format '{}'. Returning NOT ELIGIBLE.",
+                    getClaimName(), eligibleLastSeenValue, TIMESTAMP_FORMAT);
+            return false;
+        }
+
+        LocalDate now = LocalDateTime.now().toLocalDate();
+        boolean isValid = !eligibleLastSeenTimestamp.isBefore(now.minusMonths(validityPeriodMonths));
+        log.debug("{} - timestamp '{}' is time {} the defined period of '{} months'",
+                    getClaimName(), eligibleLastSeenTimestamp, isValid ? "within" : "out of", DEFAULT_VALIDITY_PERIOD);
+        return isValid;
+    }
+
+}

perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java

@@ -357,15 +357,23 @@ public static void redirectUserCannotAccess(String base,
 	public static String fillStringMandatoryProperty(String propertyName,
 													 String filterName,
 													 AuthProcFilterInitContext params) {
-		String filled = params.getProperty(propertyName);
+		String filled = fillStringProperty(propertyName, params, null);
 
-		if (!StringUtils.hasText(filled)) {
+		if (filled == null) {
 			throw new IllegalArgumentException("No value configured for '" + propertyName + "' in filter " + filterName);
 		}
 
 		return filled;
 	}
 
+	public static String fillStringProperty(String propertyName, AuthProcFilterInitContext params, String defaultValue) {
+		String filled = params.getProperty(propertyName);
+		if (!StringUtils.hasText(filled)) {
+			return defaultValue;
+		}
+		return filled;
+	}
+
 	private static void redirectToRegistrationForm(String base, HttpServletResponse response,
 												   String clientIdentifier, Facility facility, PerunUser user) {
 		Map<String, String> params = new HashMap<>();