Add ability to consume manifest groups as Authorities, update tests.

4f410bd7 · Benjamin Sousa · f4d758b5 · 4f410bd7 · 4f410bd7 · 4f410bd7
Commit 4f410bd7 authored 8 years ago by Benjamin Sousa
--- a/uw-spring-security-core/src/main/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapper.java
+++ b/uw-spring-security-core/src/main/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapper.java
@@ -60,6 +60,7 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
    private String identityProviderHeader = "Shib-Identity-Provider";
    private String customLogoutPrefix = "/Shibboleth.sso/Logout?return=";
    private String customLogoutSuffix = "/logout/";
+    private String manifestHeader = "ismemberof";
    
    private static final Logger logger = LoggerFactory.getLogger(Default.class);
    /**
@@ -87,7 +88,12 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
        uddsMembership = Collections.list(uddsHeaders);
      }
      String email = request.getHeader(emailAddressHeader);
-      UWUserDetailsImpl result = new UWUserDetailsImpl(pvi, uid, "", cn, email, uddsMembership);
+      Collection<String> manifestGroups = new ArrayList<>();
+      Enumeration<String> manifestHeaders = request.getHeaders(manifestHeader);
+      if(manifestHeaders != null) {
+        manifestGroups = Collections.list(manifestHeaders);
+      }
+      UWUserDetailsImpl result = UWUserDetailsImpl.newInstance(pvi, uid, "", cn, email, uddsMembership, manifestGroups);
      result.setSource("edu.wisc.uwss.preauth");
      result.setEppn(eppn);
      result.setIsisEmplid(emplid);
@@ -280,5 +286,18 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
    public void setLastNameHeader(String lastNameHeader) {
      this.lastNameHeader = lastNameHeader;
    }
+    /**
+     * @return the manifestHeader
+     */
+    public String getManifestHeader() {
+      return manifestHeader;
+    }
+    /**
+     * @param manifestHeader the manifestHeader to set
+     */
+    @Value("${preauth.manifestHeader:ismemberof}")
+    public void setManifestHeader(String manifestHeader) {
+      this.manifestHeader = manifestHeader;
+    }
  }
 }
--- a/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapperTest.java
+++ b/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapperTest.java
@@ -6,6 +6,7 @@ package edu.wisc.uwss.preauth;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;

 import java.net.URL;
 import java.util.Collections;
@@ -41,6 +42,7 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
    String email = "some.body@wisc.edu";
    String emplid = "0000123456";
    List<String> uddsMembership = Collections.singletonList("udds1234");
+    List<String> manifestGroups = Collections.singletonList("uw:domain:something");
    
    request.addHeader("eppn", eppn);
    request.addHeader("wiscedupvi", pvi);
@@ -50,6 +52,7 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
    request.addHeader("wisceduudds", uddsMembership);
    request.addHeader("wisceduisisemplid", emplid);
    request.addHeader("Shib-Identity-Provider", "https://logintest.wisc.edu/idp/shibboleth");
+    request.addHeader("ismemberof",manifestGroups);
    
    UWUserDetails result = filter.mapUser(request);
    
@@ -62,6 +65,8 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
    assertEquals(uddsMembership, result.getUddsMembership()); 
    assertEquals(emplid, result.getIsisEmplid());
    assertEquals("/Shibboleth.sso/Logout?return=https://logintest.wisc.edu/logout/", result.getCustomLogoutUrl());
+    assertEquals(1,result.getAuthorities().size());
+    assertEquals(manifestGroups.toString(),result.getAuthorities().toString());
  }
  
  /**

--- a/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/UWUserDetailsAuthenticationFilterTest.java
+++ b/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/UWUserDetailsAuthenticationFilterTest.java
@@ -63,7 +63,24 @@ public class UWUserDetailsAuthenticationFilterTest {
 		assertEquals("Bucky Badger", userDetails.getFullName());
 		assertTrue(userDetails.getUddsMembership().isEmpty());
 	}
-	/**
+  /**
+   * Verify behavior for {@link UWUserDetailsAuthenticationFilter#getPreAuthenticatedPrincipal(HttpServletRequest)}
+   * when no "manifest" header is present, which is commonly true unless an the application is designed
+   * specifically to consume a manifest group.
+   */
+  @Test
+  public void getPreAuthenticatedPrincipal_no_manifestgroups() {
+    UWUserDetailsAuthenticationFilter filter = new UWUserDetailsAuthenticationFilter();
+    HttpServletRequest request = mock(HttpServletRequest.class);
+
+    when(request.getHeader("uid")).thenReturn("bbadger");
+    when(request.getHeader("cn")).thenReturn("Bucky Badger");
+    UWUserDetails userDetails = filter.getPreAuthenticatedPrincipal(request);
+    assertEquals("bbadger", userDetails.getUsername());
+    assertEquals("Bucky Badger", userDetails.getFullName());
+    assertTrue(userDetails.getAuthorities().isEmpty());
+  }
+  /**
 	 * Verify behavior for {@link UWUserDetailsAuthenticationFilter#getPreAuthenticatedPrincipal(HttpServletRequest)} when
 	 * no "uid" header is present. This would represent a scenario where our pre-authentication (shib) environment isn't correctly
 	 * configured; we want to make sure attempts to login would fail and not accidentially leak people in.