Merge pull request #39 from dBucik/acrs

Acrs

Author: Dominik František Bučík

perun-oidc-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql

@@ -86,6 +86,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 
 CREATE TABLE IF NOT EXISTS saved_user_auth (
 	id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
+	acr VARCHAR(1024),
 	name VARCHAR(1024),
 	authenticated BOOLEAN,
 	source_class VARCHAR(2048)

perun-oidc-server-webapp/src/main/resources/db/mysql/mysql_database_tables.sql

@@ -85,6 +85,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 
 CREATE TABLE IF NOT EXISTS saved_user_auth (
     id BIGINT AUTO_INCREMENT PRIMARY KEY,
+    acr VARCHAR(1024),
     name VARCHAR(1024),
     authenticated BOOLEAN,
     source_class VARCHAR(2048)

perun-oidc-server-webapp/src/main/resources/db/psql/psql_database_tables.sql

@@ -86,6 +86,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 
 CREATE TABLE IF NOT EXISTS saved_user_auth (
     id BIGSERIAL PRIMARY KEY,
+    acr VARCHAR(1024),
     name VARCHAR(1024),
     authenticated BOOLEAN,
     source_class VARCHAR(2048)

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/SavedUserAuthentication.java

@@ -17,8 +17,10 @@
 package cz.muni.ics.oauth2.model;
 
 import cz.muni.ics.oauth2.model.convert.SimpleGrantedAuthorityStringConverter;
+import cz.muni.ics.oidc.saml.SamlPrincipal;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.stream.Collectors;
 import javax.persistence.Basic;
 import javax.persistence.CollectionTable;
 import javax.persistence.Column;
@@ -32,8 +34,14 @@
 import javax.persistence.JoinColumn;
 import javax.persistence.Table;
 import javax.persistence.Transient;
+import lombok.ToString;
+import lombok.extern.slf4j.Slf4j;
+import org.opensaml.saml2.core.AuthnContext;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnStatement;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
 
 /**
  * This class stands in for an original Authentication object.
@@ -42,6 +50,8 @@
  */
 @Entity
 @Table(name="saved_user_auth")
+@Slf4j
+@ToString
 public class SavedUserAuthentication implements Authentication {
 
 	private static final long serialVersionUID = -1804249963940323488L;
@@ -50,18 +60,21 @@ public class SavedUserAuthentication implements Authentication {
 	private String name;
 	private Collection<GrantedAuthority> authorities;
 	private boolean authenticated;
-	private String sourceClass;
+	private String acr;
 
 	public SavedUserAuthentication(Authentication src) {
 		setName(src.getName());
 		setAuthorities(new HashSet<>(src.getAuthorities()));
 		setAuthenticated(src.isAuthenticated());
-
-		if (src instanceof SavedUserAuthentication) {
-			// if we're copying in a saved auth, carry over the original class name
-			setSourceClass(((SavedUserAuthentication) src).getSourceClass());
-		} else {
-			setSourceClass(src.getClass().getName());
+		if (src instanceof ExpiringUsernameAuthenticationToken) {
+			ExpiringUsernameAuthenticationToken token = (ExpiringUsernameAuthenticationToken) src;
+			this.acr = ((SamlPrincipal) token.getPrincipal()).getSamlCredential()
+					.getAuthenticationAssertion()
+					.getAuthnStatements().stream()
+					.map(AuthnStatement::getAuthnContext)
+					.map(AuthnContext::getAuthnContextClassRef)
+					.map(AuthnContextClassRef::getAuthnContextClassRef)
+					.collect(Collectors.joining());
 		}
 	}
 
@@ -85,6 +98,10 @@ public String getName() {
 		return name;
 	}
 
+	public void setName(String name) {
+		this.name = name;
+	}
+
 	@Override
 	@ElementCollection(fetch = FetchType.EAGER)
 	@CollectionTable(name="saved_user_auth_authority", joinColumns=@JoinColumn(name="owner_id"))
@@ -94,22 +111,18 @@ public Collection<GrantedAuthority> getAuthorities() {
 		return authorities;
 	}
 
-	@Override
-	@Transient
-	public Object getCredentials() {
-		return "";
+	public void setAuthorities(Collection<GrantedAuthority> authorities) {
+		this.authorities = authorities;
 	}
 
-	@Override
-	@Transient
-	public Object getDetails() {
-		return null;
+	@Basic
+	@Column(name = "acr")
+	public String getAcr() {
+		return acr;
 	}
 
-	@Override
-	@Transient
-	public Object getPrincipal() {
-		return getName();
+	public void setAcr(String acr) {
+		this.acr = acr;
 	}
 
 	@Override
@@ -124,22 +137,22 @@ public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentExce
 		this.authenticated = isAuthenticated;
 	}
 
-	@Basic
-	@Column(name="source_class")
-	public String getSourceClass() {
-		return sourceClass;
-	}
-
-	public void setSourceClass(String sourceClass) {
-		this.sourceClass = sourceClass;
+	@Override
+	@Transient
+	public Object getCredentials() {
+		return "";
 	}
 
-	public void setName(String name) {
-		this.name = name;
+	@Override
+	@Transient
+	public Object getDetails() {
+		return null;
 	}
 
-	public void setAuthorities(Collection<GrantedAuthority> authorities) {
-		this.authorities = authorities;
+	@Override
+	@Transient
+	public Object getPrincipal() {
+		return getName();
 	}
 
 }

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2AuthorizationCodeService.java

@@ -33,6 +33,7 @@
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
+import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java

@@ -22,6 +22,7 @@
 import cz.muni.ics.oauth2.service.DeviceCodeService;
 import cz.muni.ics.oauth2.web.DeviceEndpoint;
 import java.util.Date;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
 import org.springframework.security.oauth2.provider.ClientDetails;
@@ -42,6 +43,7 @@
  *
  */
 @Component("deviceTokenGranter")
+@Slf4j
 public class DeviceTokenGranter extends AbstractTokenGranter {
 
 	public static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/DeviceEndpoint.java

@@ -243,8 +243,9 @@ public String readUserCode(@RequestParam("user_code") String userCode, ModelMap
 
 	@PreAuthorize("hasRole('ROLE_USER')")
 	@RequestMapping(value = "/" + USER_URL + "/approve", method = RequestMethod.POST)
-	public String approveDevice(@RequestParam("user_code") String userCode, @RequestParam(value = "user_oauth_approval") Boolean approve, ModelMap model, Authentication auth, HttpSession session) {
-
+	public String approveDevice(@RequestParam("user_code") String userCode,
+								@RequestParam(value = "user_oauth_approval") Boolean approve,
+								ModelMap model, Authentication auth, HttpSession session) {
 		AuthorizationRequest authorizationRequest = (AuthorizationRequest) session.getAttribute("authorizationRequest");
 		DeviceCode dc = (DeviceCode) session.getAttribute("deviceCode");
 

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlAuthenticationProvider.java

@@ -30,8 +30,7 @@ public PerunSamlAuthenticationProvider(List<String> adminIds) {
     @Override
     protected Object getPrincipal(SAMLCredential credential, Object userDetail) {
         PerunUser user = (PerunUser) userDetail;
-        return new User(String.valueOf(user.getId()), credential.getRemoteEntityID(),
-                getEntitlements(credential, userDetail));
+        return new SamlPrincipal(user.getId(), credential, getEntitlements(credential, userDetail));
     }
 
     @Override

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlUserDetailsService.java

@@ -1,6 +1,5 @@
 package cz.muni.ics.oidc.saml;
 
-import cz.muni.ics.oidc.server.PerunPrincipal;
 import cz.muni.ics.oidc.server.adapters.PerunAdapter;
 import cz.muni.ics.oidc.server.filters.FiltersUtils;
 import lombok.extern.slf4j.Slf4j;
@@ -24,9 +23,7 @@ public PerunSamlUserDetailsService(PerunAdapter perunAdapter, SamlProperties sam
     @Override
     public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
         log.debug("Loading user for SAML credential");
-        PerunPrincipal p = FiltersUtils.getPerunPrincipal(credential, samlProperties.getUserIdentifierAttribute());
-        log.debug("Fetching user from perun ({})", p);
-        return perunAdapter.getPreauthenticatedUserId(p);
+        return FiltersUtils.getPerunUser(credential, perunAdapter, samlProperties.getUserIdentifierAttribute());
     }
 
 }

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlPrincipal.java

@@ -0,0 +1,27 @@
+package cz.muni.ics.oidc.saml;
+
+import java.util.Collection;
+import lombok.Getter;
+import lombok.Setter;
+import lombok.ToString;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.saml.SAMLCredential;
+
+@Getter
+@Setter
+@ToString
+public class SamlPrincipal extends User {
+
+    private Long perunUserId;
+    private SAMLCredential samlCredential;
+
+    public SamlPrincipal(Long perunUserId,
+                         SAMLCredential samlCredential,
+                         Collection<? extends GrantedAuthority> authorities) {
+        super(String.valueOf(perunUserId), "[PROTECTED]", authorities);
+        this.perunUserId = perunUserId;
+        this.samlCredential = samlCredential;
+    }
+
+}