Add ability to consume manifest groups as Authorities, update tests.

uw-spring-security-core/src/main/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapper.java

@@ -60,6 +60,7 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
     private String identityProviderHeader = "Shib-Identity-Provider";
     private String customLogoutPrefix = "/Shibboleth.sso/Logout?return=";
     private String customLogoutSuffix = "/logout/";
+    private String manifestHeader = "ismemberof";
     
     private static final Logger logger = LoggerFactory.getLogger(Default.class);
     /**
@@ -87,7 +88,12 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
         uddsMembership = Collections.list(uddsHeaders);
       }
       String email = request.getHeader(emailAddressHeader);
-      UWUserDetailsImpl result = new UWUserDetailsImpl(pvi, uid, "", cn, email, uddsMembership);
+      Collection<String> manifestGroups = new ArrayList<>();
+      Enumeration<String> manifestHeaders = request.getHeaders(manifestHeader);
+      if(manifestHeaders != null) {
+        manifestGroups = Collections.list(manifestHeaders);
+      }
+      UWUserDetailsImpl result = UWUserDetailsImpl.newInstance(pvi, uid, "", cn, email, uddsMembership, manifestGroups);
       result.setSource("edu.wisc.uwss.preauth");
       result.setEppn(eppn);
       result.setIsisEmplid(emplid);
@@ -280,5 +286,18 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
     public void setLastNameHeader(String lastNameHeader) {
       this.lastNameHeader = lastNameHeader;
     }
+    /**
+     * @return the manifestHeader
+     */
+    public String getManifestHeader() {
+      return manifestHeader;
+    }
+    /**
+     * @param manifestHeader the manifestHeader to set
+     */
+    @Value("${preauth.manifestHeader:ismemberof}")
+    public void setManifestHeader(String manifestHeader) {
+      this.manifestHeader = manifestHeader;
+    }
   }
 }

uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapperTest.java

@@ -6,6 +6,7 @@ package edu.wisc.uwss.preauth;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 
 import java.net.URL;
 import java.util.Collections;
@@ -41,6 +42,7 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
     String email = "some.body@wisc.edu";
     String emplid = "0000123456";
     List<String> uddsMembership = Collections.singletonList("udds1234");
+    List<String> manifestGroups = Collections.singletonList("uw:domain:something");
     
     request.addHeader("eppn", eppn);
     request.addHeader("wiscedupvi", pvi);
@@ -50,6 +52,7 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
     request.addHeader("wisceduudds", uddsMembership);
     request.addHeader("wisceduisisemplid", emplid);
     request.addHeader("Shib-Identity-Provider", "https://logintest.wisc.edu/idp/shibboleth");
+    request.addHeader("ismemberof",manifestGroups);
     
     UWUserDetails result = filter.mapUser(request);
     
@@ -62,6 +65,8 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
     assertEquals(uddsMembership, result.getUddsMembership()); 
     assertEquals(emplid, result.getIsisEmplid());
     assertEquals("/Shibboleth.sso/Logout?return=https://logintest.wisc.edu/logout/", result.getCustomLogoutUrl());
+    assertEquals(1,result.getAuthorities().size());
+    assertEquals(manifestGroups.toString(),result.getAuthorities().toString());
   }
   
   /**

uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/UWUserDetailsAuthenticationFilterTest.java

@@ -63,7 +63,24 @@ public class UWUserDetailsAuthenticationFilterTest {
 		assertEquals("Bucky Badger", userDetails.getFullName());
 		assertTrue(userDetails.getUddsMembership().isEmpty());
 	}
-	/**
+  /**
+   * Verify behavior for {@link UWUserDetailsAuthenticationFilter#getPreAuthenticatedPrincipal(HttpServletRequest)}
+   * when no "manifest" header is present, which is commonly true unless an the application is designed
+   * specifically to consume a manifest group.
+   */
+  @Test
+  public void getPreAuthenticatedPrincipal_no_manifestgroups() {
+    UWUserDetailsAuthenticationFilter filter = new UWUserDetailsAuthenticationFilter();
+    HttpServletRequest request = mock(HttpServletRequest.class);
+
+    when(request.getHeader("uid")).thenReturn("bbadger");
+    when(request.getHeader("cn")).thenReturn("Bucky Badger");
+    UWUserDetails userDetails = filter.getPreAuthenticatedPrincipal(request);
+    assertEquals("bbadger", userDetails.getUsername());
+    assertEquals("Bucky Badger", userDetails.getFullName());
+    assertTrue(userDetails.getAuthorities().isEmpty());
+  }
+  /**
 	 * Verify behavior for {@link UWUserDetailsAuthenticationFilter#getPreAuthenticatedPrincipal(HttpServletRequest)} when
 	 * no "uid" header is present. This would represent a scenario where our pre-authentication (shib) environment isn't correctly
 	 * configured; we want to make sure attempts to login would fail and not accidentially leak people in.