Merge pull request #206 from dBucik/refactor_filters

refactor: Refactoring AuthProcFilters

Author: Dominik František Bučík

perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml

@@ -252,7 +252,7 @@
         <security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"
                                 access="permitAll()"/>
         <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
-        <security:custom-filter ref="mdcMuFilter" before="FIRST"/>
+        <security:custom-filter ref="mdcFilter" before="FIRST"/>
         <security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
         <security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
         <security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
@@ -337,8 +337,6 @@
         <property name="order" value="1" />
     </bean>
 
-    <bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
-
     <!-- SAML -->
     <bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
         <constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
@@ -362,7 +360,7 @@
 
     <bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
         <property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
-        <property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
+        <property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.AuthProcFilterConstants).PARAM_TARGET}"/>
     </bean>
 
     <bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">

perun-oidc-server/src/main/java/cz/muni/ics/mdc/RemoteAddressMDCFilter.java

@@ -20,10 +20,10 @@ public class RemoteAddressMDCFilter {
             "REMOTE_ADDR"
     };
 
-    private static final String REMOTE_ADDR = "remoteAddr";
+    private static final String REMOTE_ADDRESS = "remoteAddr";
 
     public void doFilter(ServletRequest servletRequest) {
-        MDC.put(REMOTE_ADDR, getRemoteAddr((HttpServletRequest) servletRequest));
+        MDC.put(REMOTE_ADDRESS, getRemoteAddr((HttpServletRequest) servletRequest));
     }
 
     private String getRemoteAddr(HttpServletRequest request) {
@@ -37,7 +37,7 @@ private String getRemoteAddr(HttpServletRequest request) {
                 return ipList.split(",")[0];
             }
         }
-        return "";
+        return "-";
     }
 
 }

perun-oidc-server/src/main/java/cz/muni/ics/oidc/PerunConstants.java

@@ -0,0 +1,11 @@
+package cz.muni.ics.oidc;
+
+public interface PerunConstants {
+
+    String REGISTRAR_TARGET_NEW = "targetnew";
+    String REGISTRAR_TARGET_EXISTING = "targetexisting";
+    String REGISTRAR_TARGET_EXTENDED = "targetextended";
+
+    String REGISTRAR_PARAM_VO = "vo";
+
+}

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunHTTPRedirectDeflateEncoder.java

@@ -7,7 +7,7 @@
 import org.opensaml.xml.util.Pair;
 import org.springframework.util.StringUtils;
 
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AARC_IDP_HINT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.AARC_IDP_HINT;
 
 public class PerunHTTPRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder {
 

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunOidcLogoutSuccessHandler.java

@@ -1,7 +1,7 @@
 package cz.muni.ics.oidc.saml;
 
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_STATE;
 
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java

@@ -1,20 +1,20 @@
 package cz.muni.ics.oidc.saml;
 
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AARC_IDP_HINT;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.CLIENT_ID_PREFIX;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.EFILTER_PREFIX;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.FILTER_PREFIX;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.IDP_ENTITY_ID_PREFIX;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_CLIENT_ID;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_PROMPT;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.REFEDS_MFA;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.AARC_IDP_HINT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.CLIENT_ID_PREFIX;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.EFILTER_PREFIX;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.FILTER_PREFIX;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.IDP_ENTITY_ID_PREFIX;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_CLIENT_ID;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_PROMPT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.REFEDS_MFA;
 
 import cz.muni.ics.oidc.models.Facility;
 import cz.muni.ics.oidc.models.PerunAttributeValue;
 import cz.muni.ics.oidc.server.adapters.PerunAdapter;
 import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
 import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
-import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterConstants;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -160,12 +160,12 @@ private void processPrompt(HttpServletRequest request, WebSSOProfileOptions opti
     }
 
     private void processAcrValues(HttpServletRequest request, WebSSOProfileOptions options) {
-        String acrValues = request.getParameter(PerunFilterConstants.PARAM_ACR_VALUES);
+        String acrValues = request.getParameter(AuthProcFilterConstants.PARAM_ACR_VALUES);
         log.debug("Processing acr_values parameter: {}", acrValues);
         List<String> acrs = convertAcrValuesToList(acrValues);
 
         if (!hasAcrForcingIdp(acrs)) {
-            String clientId = request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID);
+            String clientId = request.getParameter(AuthProcFilterConstants.PARAM_CLIENT_ID);
             String idpFilter = extractIdpFilterForRp(clientId);
             if (idpFilter != null) {
                 log.debug("Added IdP filter as SAML AuthnContextClassRef ({})", idpFilter);

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlUtils.java

@@ -1,12 +1,12 @@
 package cz.muni.ics.oidc.saml;
 
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_ACR_VALUES;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_PROMPT;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PROMPT_LOGIN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PROMPT_SELECT_ACCOUNT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_ACR_VALUES;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_FORCE_AUTHN;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_PROMPT;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PROMPT_LOGIN;
+import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PROMPT_SELECT_ACCOUNT;
 
-import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterConstants;
 import javax.servlet.ServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.util.StringUtils;
@@ -32,7 +32,7 @@ public static boolean needsReAuthByForceAuthn(ServletRequest request) {
     public static boolean needsReAuthByMfa(ServletRequest request) {
         String acrValues = request.getParameter(PARAM_ACR_VALUES);
         boolean res = StringUtils.hasText(acrValues)
-            && acrValues.contains(PerunFilterConstants.REFEDS_MFA);
+            && acrValues.contains(AuthProcFilterConstants.REFEDS_MFA);
         log.debug("requires reAuth by MFA acr - {}", res);
         return res;
     }

perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java

@@ -1,65 +1,95 @@
 package cz.muni.ics.oidc.server.filters;
 
+import cz.muni.ics.oidc.exceptions.ConfigurationException;
+import cz.muni.ics.oidc.saml.SamlProperties;
 import java.io.IOException;
-import java.security.Principal;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
+import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
 
 /**
- * Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this.
- *
- * Configuration of filter names:
- * <ul>
- *     <li><b>filter.names</b> - comma separated list of names of the request filters</li>
- * </ul>
+ * Abstract class for Perun AuthProc filters. All filters defined and called in the
+ * {@link cz.muni.ics.oidc.server.filters.AuthProcFiltersContainer} instance have to extend this base class.
  *
  * Configuration of filter (replace [name] part with the name defined for the filter):
  * <ul>
  *     <li><b>filter.[name].class</b> - Class the filter instantiates</li>
- *     <li><b>filter.[name].subs</b> - comma separated list of sub values for which execution of filter will be skipped
- *         if user's SUB is in the list</li>
- *     <li><b>filter.[name].clientIds</b> - comma separated list of client_id values for which execution of filter
- *         will be skipped if client_id is in the list</li>
+ *     <li><b>filter.[name].skip_for_users</b> - comma separated list of users for whom the execution of the filter
+ *     will be skipped if the users' SUB matches any value in the list</li>
+ *     <li><b>filter.[name].skip_for_clients</b> - comma separated list of clients for which the execution of the filter
+ *     will be skipped if the CLIENT_ID matches any value in the list</li>
+ *     <li><b>filter.[name].execute_for_users</b> - comma separated list of users for whom the filter will be executed
+ *     if the users' SUB matches any value in the list</li>
+ *     <li><b>filter.[name].execute_for_clients</b> - comma separated list of clients for whom the filter will be executed
+ *     if the CLIENT_ID matches any value in the list</li>
  * </ul>
+ * <i>NOTE: if none of the SKIP/EXECUTE conditions is specified (or the lists are empty), filter is run for all users
+ * and all clients</i>
  *
  * @see cz.muni.ics.oidc.server.filters.impl package for specific filters and their configuration
  *
  * @author Dominik Baranek <[email protected]>
  * @author Dominik Frantisek Bucik <[email protected]>
  */
 @Slf4j
+@Getter
 public abstract class AuthProcFilter {
 
+    public static final String APPLIED = "APPLIED_";
+
     private static final String DELIMITER = ",";
-    private static final String CLIENT_IDS = "clientIds";
+    private static final String EXECUTE = "execute";
+    private static final String EXECUTE_FOR_CLIENTS = "execute_for_clients";
+    private static final String EXECUTE_FOR_USERS = "execute_for_users";
+    private static final String SKIP_FOR_CLIENTS = "skip_for_clients";
+    private static final String SKIP_FOR_USERS = "skip_for_users";
     private static final String SUBS = "subs";
+    private static final String CLIENT_IDS = "clientIds";
 
     private final String filterName;
-    private Set<String> clientIds = new HashSet<>();
-    private Set<String> subs = new HashSet<>();
-
-    public AuthProcFilter(AuthProcFilterParams params) {
-        filterName = params.getFilterName();
-
-        if (params.hasProperty(CLIENT_IDS)) {
-            this.clientIds = new HashSet<>(Arrays.asList(params.getProperty(CLIENT_IDS).split(DELIMITER)));
+    private final Set<String> executeForClients = new HashSet<>();
+    private final Set<String> executeForUsers = new HashSet<>();
+    private final Set<String> skipForClients = new HashSet<>();
+    private final Set<String> skipForUsers = new HashSet<>();
+
+    private final SamlProperties samlProperties;
+
+    public AuthProcFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
+        filterName = ctx.getFilterName();
+        this.samlProperties = ctx.getBeanUtil().getBean(SamlProperties.class);
+        initializeExecutionRulesLists(ctx);
+
+        if (!Collections.disjoint(executeForClients, skipForClients)) {
+            throw new ConfigurationException("Filter '" + filterName + "' is configured to be run and skipped for the same client");
+        } else if (!Collections.disjoint(executeForUsers, skipForUsers)) {
+            throw new ConfigurationException("Filter '" + filterName + "' is configured to be run and skipped for the same user");
         }
 
-        if (params.hasProperty(SUBS)) {
-            this.subs = new HashSet<>(Arrays.asList(params.getProperty(SUBS).split(DELIMITER)));
+        log.info("{} - filter initialized", filterName);
+        if (!skipForUsers.isEmpty()) {
+            log.info("{} - skip execution for users with SUB in: '{}'", filterName, skipForUsers);
+        }
+        if (!skipForClients.isEmpty()) {
+            log.info("{} - skip execution for clients with CLIENT_ID in: '{}'", filterName, skipForClients);
+        }
+        if (!executeForUsers.isEmpty()) {
+            log.info("{} - execute for users with SUB in: '{}'", filterName, executeForUsers);
+        }
+        if (!executeForClients.isEmpty()) {
+            log.info("{} - execute for clients with CLIENT_ID in: '{}'", filterName, executeForClients);
         }
-
-        log.debug("{} - filter initialized", filterName);
-        log.debug("{} - skip execution for users with SUB in: {}", filterName, subs);
-        log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds);
     }
 
-    protected abstract String getSessionAppliedParamName();
+    protected String getSessionAppliedParamName() {
+        return APPLIED + getClass().getSimpleName() + '_' + getFilterName();
+    }
 
     /**
      * In this method is done whole logic of filer
@@ -69,10 +99,10 @@ public AuthProcFilter(AuthProcFilterParams params) {
      * @return boolean if filter was successfully done
      * @throws IOException this exception could be thrown because of failed or interrupted I/O operation
      */
-    protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, FilterParams params)
+    protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, AuthProcFilterCommonVars params)
             throws IOException;
 
-    public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
+    public boolean doFilter(HttpServletRequest req, HttpServletResponse res, AuthProcFilterCommonVars params) throws IOException {
         if (!skip(req)) {
             log.trace("{} - executing filter", filterName);
             return process(req, res, params);
@@ -81,14 +111,18 @@ public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterP
         }
     }
 
-    private boolean skip(HttpServletRequest request) {
-        if (hasBeenApplied(request.getSession(true))) {
+    private boolean skip(HttpServletRequest req) {
+        if (hasBeenApplied(req.getSession(true))) {
             return true;
         }
         log.debug("{} - marking filter as applied", filterName);
-        request.getSession(true).setAttribute(getSessionAppliedParamName(), true);
-        return skipForSub(request.getUserPrincipal())
-                || skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID));
+        req.getSession(true).setAttribute(getSessionAppliedParamName(), true);
+        String sub = FiltersUtils.getUserIdentifier(req, samlProperties.getUserIdentifierAttribute());
+        String clientId = FiltersUtils.getClientId(req);
+
+        boolean explicitExecution = executeForSub(sub) || executeForClientId(clientId);
+        boolean explicitSkip = skipForClientId(clientId) || skipForSub(sub);
+        return !explicitExecution && explicitSkip;
     }
 
     private boolean hasBeenApplied(HttpSession sess) {
@@ -100,21 +134,45 @@ private boolean hasBeenApplied(HttpSession sess) {
         return false;
     }
 
-    private boolean skipForSub(Principal p) {
-        String sub = (p != null) ? p.getName() : null;
-        if (sub != null && subs.contains(sub)) {
-            log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub);
-            return true;
-        }
-        return false;
+    private boolean executeForSub(String sub) {
+        return checkRule(sub, executeForUsers, "{} - execute filter: matched one of the explicit SUBS ({})");
+    }
+
+    private boolean executeForClientId(String clientId) {
+        return checkRule(clientId, executeForClients, "{} - execute filter: matched one of the explicit CLIENT_IDS ({})");
+    }
+
+    private boolean skipForSub(String sub) {
+        return checkRule(sub, skipForUsers, "{} - skip filter execution: matched one of the ignored SUBS ({})");
     }
 
     private boolean skipForClientId(String clientId) {
-        if (clientId != null && clientIds.contains(clientId)){
-            log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId);
+        return checkRule(clientId, skipForClients, "{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})");
+    }
+
+    private boolean checkRule(String param, Set<String> ruleSet, String logMsg) {
+        if (param != null && ruleSet.contains(param)){
+            log.debug(logMsg, filterName, param);
             return true;
         }
         return false;
     }
 
+    private void initializeExecutionRulesLists(AuthProcFilterInitContext ctx) {
+        initializeExecutionRuleList(ctx, EXECUTE_FOR_CLIENTS, executeForClients);
+        initializeExecutionRuleList(ctx, SKIP_FOR_CLIENTS, skipForClients);
+        initializeExecutionRuleList(ctx, CLIENT_IDS, skipForClients);
+
+        initializeExecutionRuleList(ctx, EXECUTE_FOR_USERS, executeForUsers);
+        initializeExecutionRuleList(ctx, SKIP_FOR_USERS, skipForUsers);
+        initializeExecutionRuleList(ctx, SUBS, skipForUsers);
+    }
+
+    private void initializeExecutionRuleList(AuthProcFilterInitContext ctx, String property, Set<String> list) {
+        if (ctx.hasProperty(property)) {
+            String value = ctx.getProperty(property, "");
+            list.addAll(Arrays.asList(value.split(DELIMITER)));
+        }
+    }
+
 }