LGDataverses: src/main/java/edu/harvard/iq/dataverse/Shib.java comparison

comparison src/main/java/edu/harvard/iq/dataverse/Shib.java @ 10:a50cf11e5178

Rewrite LGDataverse completely upgrading to dataverse4.0

author	Zoe Hong <zhong@mpiwg-berlin.mpg.de>
date	Tue, 08 Sep 2015 17:00:21 +0200
parents
children

comparison

equal deleted inserted replaced

-:5926d6419569
+:a50cf11e5178
+package edu.harvard.iq.dataverse;
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonIOException;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
+import edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo;
+import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
+import edu.harvard.iq.dataverse.authorization.UserIdentifier;
+import edu.harvard.iq.dataverse.authorization.UserRecordIdentifier;
+import edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean;
+import edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUser;
+import edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider;
+import edu.harvard.iq.dataverse.authorization.providers.shib.ShibServiceBean;
+import edu.harvard.iq.dataverse.authorization.providers.shib.ShibUserNameFields;
+import edu.harvard.iq.dataverse.authorization.providers.shib.ShibUtil;
+import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
+import edu.harvard.iq.dataverse.util.JsfHelper;
+import edu.harvard.iq.dataverse.util.SystemConfig;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.ejb.EJB;
+import javax.faces.application.FacesMessage;
+import javax.faces.context.ExternalContext;
+import javax.faces.context.FacesContext;
+import javax.faces.view.ViewScoped;
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang.StringUtils;
+@ViewScoped
+@Named("Shib")
+public class Shib implements java.io.Serializable {
+private static final Logger logger = Logger.getLogger(Shib.class.getCanonicalName());
+@Inject
+DataverseSession session;
+@EJB
+AuthenticationServiceBean authSvc;
+@EJB
+ShibServiceBean shibService;
+@EJB
+ShibGroupServiceBean shibGroupService;
+@EJB
+SettingsServiceBean settingsService;
+@EJB
+SystemConfig systemConfig;
+@EJB
+DataverseServiceBean dataverseService;
+HttpServletRequest request;
+/**
+* @todo these are the attributes we are getting from the IdP at
+* testshib.org. What other attributes should we expect?
+*
+* Here is a dump from https://pdurbin.pagekite.me/Shibboleth.sso/Session
+*
+* Miscellaneous
+*
+* Session Expiration (barring inactivity): 479 minute(s)
+*
+* Client Address: 10.0.2.2
+*
+* SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
+*
+* Identity Provider: https://idp.testshib.org/idp/shibboleth
+*
+* Authentication Time: 2014-09-12T17:07:36.137Z
+*
+* Authentication Context Class:
+* urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+*
+* Authentication Context Decl: (none)
+*
+*
+*
+* Attributes
+*
+* affiliation: Member@testshib.org;Staff@testshib.org
+*
+* cn: Me Myself And I
+*
+* entitlement: urn:mace:dir:entitlement:common-lib-terms
+*
+* eppn: myself@testshib.org
+*
+* givenName: Me Myself
+*
+* persistent-id:
+* https://idp.testshib.org/idp/shibboleth!https://pdurbin.pagekite.me/shibboleth!zylzL+NruovU5OOGXDOL576jxfo=
+*
+* sn: And I
+*
+* telephoneNumber: 555-5555
+*
+* uid: myself
+*
+* unscoped-affiliation: Member;Staff
+*/
+/**
+* @todo Resolve potential confusing of having attibutes like "eppn" defined
+* twice in this class.
+*
+* This was used early on in development and should be removed at some
+* point.
+*/
+@Deprecated
+List<String> shibAttrs = Arrays.asList(
+"Shib-Identity-Provider",
+"uid",
+"cn",
+"sn",
+"givenName",
+"telephoneNumber",
+"eppn",
+"affiliation",
+"unscoped-affiliation",
+"entitlement",
+"persistent-id"
+);
+List<String> shibValues = new ArrayList<>();
+/**
+* @todo make this configurable?
+*/
+private final String shibIdpAttribute = "Shib-Identity-Provider";
+/**
+* @todo Make attribute used (i.e. "eppn") configurable:
+* https://github.com/IQSS/dataverse/issues/1422
+*
+* OR *maybe* we can rely on people installing Dataverse to configure shibd
+* to always send "eppn" as an attribute, via attribute mappings or what
+* have you.
+*/
+private final String uniquePersistentIdentifier = "eppn";
+private String userPersistentId;
+private String internalUserIdentifer;
+private final String usernameAttribute = "uid";
+private final String displayNameAttribute = "cn";
+private final String firstNameAttribute = "givenName";
+private final String lastNameAttribute = "sn";
+private final String emailAttribute = "mail";
+AuthenticatedUserDisplayInfo displayInfo;
+/**
+* @todo Remove this boolean some day? Now the mockups show a popup. Should
+* be re-worked. See also the comment about the lack of a Cancel button.
+*/
+private boolean visibleTermsOfUse;
+private final String loginpage = "/loginpage.xhtml";
+private final String identityProviderProblem = "Problem with Identity Provider";
+/**
+* We only have one field in which to store a unique
+* useridentifier/persistentuserid so we have to jam the the "entityId" for
+* a Shibboleth Identity Provider (IdP) and the unique persistent identifier
+* per user into the same field and a separator between these two would be
+* nice, in case we ever want to answer questions like "How many users
+* logged in from Harvard's Identity Provider?".
+*
+* A pipe ("|") is used as a separator because it's considered "unwise" to
+* use in a URL and the "entityId" for a Shibboleth Identity Provider (IdP)
+* looks like a URL:
+* http://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid
+*/
+private String persistentUserIdSeparator = "|";
+/**
+* The Shibboleth Identity Provider (IdP), an "entityId" which often but not
+* always looks like a URL.
+*/
+String shibIdp;
+private String builtinUsername;
+private String builtinPassword;
+private String existingEmail;
+private String existingDisplayName;
+private boolean passwordRejected;
+private String displayNameToPersist = "(Blank: display name not received from Institution Log In)";
+//    private String firstNameToPersist = "(Blank: first name not received from Institution Log In)";
+//    private String lastNameToPersist = "(Blank: last name not received from Institution Log In)";
+private String emailToPersist = "(Blank: email received from Institution Log In)";
+/**
+* @todo We're not really doing anything with affiliation yet, even though
+* the mockups show it. The plan is to parse the JSON from
+* https://dataverse.harvard.edu/Shibboleth.sso/DiscoFeed for example. Check
+* the "ShibUtil" class
+*/
+private String affiliationToDisplayAtConfirmation = "Affiliation not provided by institution log in";
+/**
+* @todo Once we can persist "position" to the authenticateduser table, we
+* can revisit this. Maybe we'll use ORCID instead. Dunno.
+*/
+//    private String positionToPersist = "Position not provided by institution log in";
+/**
+* @todo localize this
+*/
+private String friendlyNameForInstitution = "your institution";
+private State state;
+private String debugSummary;
+//    private boolean debug = false;
+private String emailAddress;
+public enum State {
+INIT,
+REGULAR_LOGIN_INTO_EXISTING_SHIB_ACCOUNT,
+PROMPT_TO_CREATE_NEW_ACCOUNT,
+PROMPT_TO_CONVERT_EXISTING_ACCOUNT,
+};
+public void init() {
+state = State.INIT;
+ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
+request = (HttpServletRequest) context.getRequest();
+possiblyMutateRequestInDev();
+try {
+shibIdp = getRequiredValueFromAttribute(shibIdpAttribute);
+} catch (Exception ex) {
+/**
+* @todo is in an antipattern to throw exceptions to control flow?
+* http://c2.com/cgi/wiki?DontUseExceptionsForFlowControl
+*
+* All this exception handling should be handled in the new
+* ShibServiceBean so it's consistently handled by the API as well.
+*/
+return;
+}
+String shibUserIdentifier;
+try {
+shibUserIdentifier = getRequiredValueFromAttribute(uniquePersistentIdentifier);
+} catch (Exception ex) {
+return;
+}
+String firstName;
+try {
+firstName = getRequiredValueFromAttribute(firstNameAttribute);
+} catch (Exception ex) {
+return;
+}
+String lastName;
+try {
+lastName = getRequiredValueFromAttribute(lastNameAttribute);
+} catch (Exception ex) {
+return;
+}
+ShibUserNameFields shibUserNameFields = ShibUtil.findBestFirstAndLastName(firstName, lastName, null);
+if (shibUserNameFields != null) {
+String betterFirstName = shibUserNameFields.getFirstName();
+if (betterFirstName != null) {
+firstName = betterFirstName;
+}
+String betterLastName = shibUserNameFields.getLastName();
+if (betterLastName != null) {
+lastName = betterLastName;
+}
+}
+try {
+emailAddress = getRequiredValueFromAttribute(emailAttribute);
+} catch (Exception ex) {
+String testShibIdpEntityId = "https://idp.testshib.org/idp/shibboleth";
+if (shibIdp.equals(testShibIdpEntityId)) {
+logger.info("For " + testShibIdpEntityId + " (which as of this writing doesn't provide the " + emailAttribute + " attribute) setting email address to value of eppn: " + shibUserIdentifier);
+emailAddress = shibUserIdentifier;
+} else {
+// forcing all other IdPs to send us an an email
+return;
+}
+}
+internalUserIdentifer = generateFriendlyLookingUserIdentifer(usernameAttribute, emailAttribute);
+logger.info("friendly looking identifer (backend will enforce uniqueness):" + internalUserIdentifer);
+/**
+* @todo Remove, longer term. For now, commenting out special logic for
+* always showing Terms of Use for TestShib accounts. The Terms of Use
+* workflow is captured at
+* http://datascience.iq.harvard.edu/blog/try-out-single-sign-shibboleth-40-beta
+*/
+//        if (shibIdp.equals("https://idp.testshib.org/idp/shibboleth")) {
+//            StringBuilder sb = new StringBuilder();
+//            String freshNewShibUser = sb.append(userIdentifier).append(UUID.randomUUID()).toString();
+//            logger.info("Will create a new, unique user so the account Terms of Use will be displayed.");
+//            userIdentifier = freshNewShibUser;
+//        }
+/**
+* @todo Shouldn't we persist the displayName too? It still exists on
+* the authenticateduser table.
+*/
+//        String displayName = getDisplayName(displayNameAttribute, firstNameAttribute, lastNameAttribute);
+String affiliation = getAffiliation();
+displayInfo = new AuthenticatedUserDisplayInfo(firstName, lastName, emailAddress, affiliation, null);
+userPersistentId = shibIdp + persistentUserIdSeparator + shibUserIdentifier;
+ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
+AuthenticatedUser au = authSvc.lookupUser(shibAuthProvider.getId(), userPersistentId);
+if (au != null) {
+state = State.REGULAR_LOGIN_INTO_EXISTING_SHIB_ACCOUNT;
+logger.info("Found user based on " + userPersistentId + ". Logging in.");
+logger.info("Updating display info for " + au.getName());
+authSvc.updateAuthenticatedUser(au, displayInfo);
+logInUserAndSetShibAttributes(au);
+String prettyFacesHomePageString = getPrettyFacesHomePageString(false);
+try {
+FacesContext.getCurrentInstance().getExternalContext().redirect(prettyFacesHomePageString);
+} catch (IOException ex) {
+logger.info("Unable to redirect user to homepage at " + prettyFacesHomePageString);
+}
+} else {
+state = State.PROMPT_TO_CREATE_NEW_ACCOUNT;
+displayNameToPersist = displayInfo.getTitle();
+//            firstNameToPersist = "foo";
+//            lastNameToPersist = "bar";
+emailToPersist = emailAddress;
+/**
+* @todo For Harvard at least, we plan to use "Harvard University"
+* for affiliation because it's what we get from
+* https://dataverse.harvard.edu/Shibboleth.sso/DiscoFeed
+*/
+//            affiliationToPersist = "FIXME";
+/**
+* @todo for Harvard we plan to use the value(s) from
+* eduPersonScopedAffiliation which
+* http://iam.harvard.edu/resources/saml-shibboleth-attributes says
+* can be One or more of the following values: faculty, staff,
+* student, affiliate, and member.
+*
+* http://dataverse.nl plans to use
+* urn:mace:dir:attribute-def:eduPersonAffiliation per
+* http://irclog.iq.harvard.edu/dataverse/2015-02-13#i_16265 . Can
+* they configure shibd to map eduPersonAffiliation to
+* eduPersonScopedAffiliation?
+*/
+//            positionToPersist = "FIXME";
+logger.info("Couldn't find authenticated user based on " + userPersistentId);
+visibleTermsOfUse = true;
+/**
+* Using the email address from the IdP, try to find an existing
+* user. For TestShib we convert the "eppn" to an email address.
+*
+* If found, prompt for password and offer to convert.
+*
+* If not found, create a new account. It must be a new user.
+*/
+String emailAddressToLookUp = emailAddress;
+if (existingEmail != null) {
+emailAddressToLookUp = existingEmail;
+}
+AuthenticatedUser existingAuthUserFoundByEmail = shibService.findAuthUserByEmail(emailAddressToLookUp);
+BuiltinUser existingBuiltInUserFoundByEmail = null;
+if (existingAuthUserFoundByEmail != null) {
+existingDisplayName = existingAuthUserFoundByEmail.getName();
+existingBuiltInUserFoundByEmail = shibService.findBuiltInUserByAuthUserIdentifier(existingAuthUserFoundByEmail.getUserIdentifier());
+if (existingBuiltInUserFoundByEmail != null) {
+state = State.PROMPT_TO_CONVERT_EXISTING_ACCOUNT;
+existingDisplayName = existingBuiltInUserFoundByEmail.getDisplayName();
+debugSummary = "getting username from the builtin user we looked up via email";
+builtinUsername = existingBuiltInUserFoundByEmail.getUserName();
+} else {
+debugSummary = "Could not find a builtin account based on the username. Here we should simply create a new Shibboleth user";
+}
+} else {
+debugSummary = "Could not find an auth user based on email address";
+}
+}
+//        if (debug) {
+//            printAttributes(request);
+//        }
+}
+/**
+* @todo Move this to the shib service bean.
+*/
+private String getAffiliation() {
+JsonArray emptyJsonArray = new JsonArray();
+String discoFeedJson = emptyJsonArray.toString();
+String discoFeedUrl;
+if (getDevShibAccountType().equals(DevShibAccountType.PRODUCTION)) {
+discoFeedUrl = systemConfig.getDataverseSiteUrl() + "/Shibboleth.sso/DiscoFeed";
+} else {
+String devUrl = "http://localhost:8080/resources/dev/sample-shib-identities.json";
+discoFeedUrl = devUrl;
+}
+logger.info("Trying to get affiliation from disco feed URL: " + discoFeedUrl);
+URL url = null;
+try {
+url = new URL(discoFeedUrl);
+} catch (MalformedURLException ex) {
+logger.info(ex.toString());
+return null;
+}
+if (url == null) {
+logger.info("url object was null after parsing " + discoFeedUrl);
+return null;
+}
+HttpURLConnection discoFeedRequest = null;
+try {
+discoFeedRequest = (HttpURLConnection) url.openConnection();
+} catch (IOException ex) {
+logger.info(ex.toString());
+return null;
+}
+if (discoFeedRequest == null) {
+logger.info("disco feed request was null");
+return null;
+}
+try {
+discoFeedRequest.connect();
+} catch (IOException ex) {
+logger.info(ex.toString());
+return null;
+}
+JsonParser jp = new JsonParser();
+JsonElement root = null;
+try {
+root = jp.parse(new InputStreamReader((InputStream) discoFeedRequest.getInputStream()));
+} catch (IOException ex) {
+logger.info(ex.toString());
+return null;
+}
+if (root == null) {
+logger.info("root was null");
+return null;
+}
+JsonArray rootArray = root.getAsJsonArray();
+if (rootArray == null) {
+logger.info("Couldn't get JSON Array from URL");
+return null;
+}
+discoFeedJson = rootArray.toString();
+logger.fine("Dump of disco feed:" + discoFeedJson);
+String affiliation = ShibUtil.getDisplayNameFromDiscoFeed(shibIdp, discoFeedJson);
+if (affiliation != null) {
+affiliationToDisplayAtConfirmation = affiliation;
+friendlyNameForInstitution = affiliation;
+return affiliation;
+} else {
+logger.info("Couldn't find an affiliation from  " + shibIdp);
+return null;
+}
+}
+/**
+* "Production" means "don't mess with the HTTP request".
+*/
+public enum DevShibAccountType {
+PRODUCTION,
+RANDOM,
+TESTSHIB1,
+HARVARD1,
+HARVARD2,
+};
+private DevShibAccountType getDevShibAccountType() {
+DevShibAccountType saneDefault = DevShibAccountType.PRODUCTION;
+String settingReturned = settingsService.getValueForKey(SettingsServiceBean.Key.DebugShibAccountType);
+logger.fine("setting returned: " + settingReturned);
+if (settingReturned != null) {
+try {
+DevShibAccountType parsedValue = DevShibAccountType.valueOf(settingReturned);
+return parsedValue;
+} catch (IllegalArgumentException ex) {
+logger.info("Couldn't parse value: " + ex + " - returning a sane default: " + saneDefault);
+return saneDefault;
+}
+} else {
+logger.fine("Shibboleth dev mode has not been configured. Returning a sane default: " + saneDefault);
+return saneDefault;
+}
+}
+/**
+* This method exists so developers don't have to run Shibboleth locally.
+* You can populate the request with Shibboleth attributes by changing a
+* setting like this:
+*
+* curl -X PUT -d RANDOM
+* http://localhost:8080/api/admin/settings/:DebugShibAccountType
+*
+* When you're done, feel free to delete the setting:
+*
+* curl -X DELETE
+* http://localhost:8080/api/admin/settings/:DebugShibAccountType
+*/
+private void possiblyMutateRequestInDev() {
+switch (getDevShibAccountType()) {
+case PRODUCTION:
+logger.fine("Request will not be mutated");
+break;
+case RANDOM:
+mutateRequestForDevRandom();
+break;
+case TESTSHIB1:
+mutateRequestForDevConstantTestShib1();
+break;
+case HARVARD1:
+mutateRequestForDevConstantHarvard1();
+break;
+case HARVARD2:
+mutateRequestForDevConstantHarvard2();
+break;
+default:
+logger.info("Should never reach here");
+break;
+}
+}
+public String confirmAndCreateAccount() {
+ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
+String lookupStringPerAuthProvider = userPersistentId;
+AuthenticatedUser au = authSvc.createAuthenticatedUser(
+new UserRecordIdentifier(shibAuthProvider.getId(), lookupStringPerAuthProvider), internalUserIdentifer, displayInfo, true);
+if (au != null) {
+logger.info("created user " + au.getIdentifier());
+} else {
+logger.info("couldn't create user " + userPersistentId);
+}
+logInUserAndSetShibAttributes(au);
+return getPrettyFacesHomePageString(true);
+}
+public String confirmAndConvertAccount() {
+visibleTermsOfUse = false;
+ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
+String lookupStringPerAuthProvider = userPersistentId;
+UserIdentifier userIdentifier = new UserIdentifier(lookupStringPerAuthProvider, internalUserIdentifer);
+logger.info("builtin username: " + builtinUsername);
+AuthenticatedUser builtInUserToConvert = shibService.canLogInAsBuiltinUser(builtinUsername, builtinPassword);
+if (builtInUserToConvert != null) {
+AuthenticatedUser au = authSvc.convertBuiltInToShib(builtInUserToConvert, shibAuthProvider.getId(), userIdentifier);
+if (au != null) {
+authSvc.updateAuthenticatedUser(au, displayInfo);
+logInUserAndSetShibAttributes(au);
+debugSummary = "Local account validated and successfully converted to a Shibboleth account. The old account username was " + builtinUsername;
+JsfHelper.addSuccessMessage("Your Dataverse account is now associated with your institutional account.");
+return getPrettyFacesHomePageString(true);
+} else {
+debugSummary = "Local account validated but unable to convert to Shibboleth account.";
+}
+} else {
+passwordRejected = true;
+debugSummary = "Username/password combination for local account was invalid";
+}
+return null;
+}
+private void logInUserAndSetShibAttributes(AuthenticatedUser au) {
+au.setShibIdentityProvider(shibIdp);
+session.setUser(au);
+}
+/**
+* @todo The mockups show a Cancel button but because we're using the
+* "requiredCheckboxValidator" you are forced to agree to Terms of Use
+* before clicking Cancel! Argh! The mockups show how we want to display
+* Terms of Use in a popup anyway so this should all be re-done. No time
+* now. Here's the mockup:
+* https://iqssharvard.mybalsamiq.com/projects/loginwithshibboleth-version3-dataverse40/Dataverse%20Account%20III%20-%20Agree%20Terms%20of%20Use
+*/
+public String cancel() {
+return loginpage + "?faces-redirect=true";
+}
+public List<String> getShibValues() {
+return shibValues;
+}
+//    private void printAttributes(HttpServletRequest request) {
+//        for (String attr : shibAttrs) {
+//
+//            /**
+//             * @todo explain in Installers Guide that in order for these
+//             * attributes to be found attributePrefix="AJP_" must be added to
+//             * /etc/shibboleth/shibboleth2.xml like this:
+//             *
+//             * <ApplicationDefaults entityID="https://dataverse.org/shibboleth"
+//             * REMOTE_USER="eppn" attributePrefix="AJP_">
+//             *
+//             */
+//            Object attrObject = request.getAttribute(attr);
+//            if (attrObject != null) {
+//                shibValues.add(attr + ": " + attrObject.toString());
+//            }
+//        }
+//        logger.info("shib values: " + shibValues);
+//    }
+/**
+* @return The value of a Shib attribute (if non-empty) or null.
+*/
+private String getValueFromAttribute(String attribute) {
+Object attributeObject = request.getAttribute(attribute);
+if (attributeObject != null) {
+String attributeValue = attributeObject.toString();
+if (!attributeValue.isEmpty()) {
+return attributeValue;
+}
+}
+return null;
+}
+private String getRequiredValueFromAttribute(String attribute) throws Exception {
+Object attributeObject = request.getAttribute(attribute);
+if (attributeObject == null) {
+String msg = " the attribute \"" + attribute + "\" was null. Please contact support.";
+logger.info(msg);
+FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, identityProviderProblem, msg));
+throw new Exception(msg);
+}
+String attributeValue = attributeObject.toString();
+if (attributeValue.isEmpty()) {
+throw new Exception(attribute + " was empty");
+}
+return attributeValue;
+}
+/**
+* @todo Move logic to ShibServiceBean
+*/
+private String generateFriendlyLookingUserIdentifer(String usernameNameAttribute, String emailAttribute) {
+Object usernameObject = request.getAttribute(usernameNameAttribute);
+if (usernameObject != null) {
+String userIdentifier = usernameObject.toString();
+if (!userIdentifier.isEmpty()) {
+return userIdentifier;
+}
+} else {
+logger.info("username attribute not sent by IdP");
+}
+Object emailObject = request.getAttribute(emailAttribute);
+if (emailObject != null) {
+String email = emailObject.toString();
+if (!email.isEmpty()) {
+/**
+* @todo Just grab the first part of the email
+*/
+String[] parts = email.split("@");
+try {
+String firstPart = parts[0];
+return firstPart;
+} catch (ArrayIndexOutOfBoundsException ex) {
+logger.info("odd email address. no @ sign: " + email);
+}
+}
+} else {
+logger.info("email attribute not sent by IdP");
+}
+logger.info("the best we can do is generate a random UUID");
+return UUID.randomUUID().toString();
+}
+/**
+* @return The best display name we can retrieve or construct based on
+* attributes received from Shibboleth. Shouldn't be null, maybe "Unknown"
+*
+* @deprecated AuthenticatedUserDisplayInfo has no place for a display name.
+*/
+@Deprecated
+private String getDisplayName(String displayNameAttribute, String firstNameAttribute, String lastNameAttribute) {
+Object displayNameObject = request.getAttribute(displayNameAttribute);
+if (displayNameObject != null) {
+String displayName = displayNameObject.toString();
+if (!displayName.isEmpty()) {
+return displayName;
+} else {
+return getDisplayNameFromFirstNameLastName(firstNameAttribute, lastNameAttribute);
+}
+} else {
+return getDisplayNameFromFirstNameLastName(firstNameAttribute, lastNameAttribute);
+}
+}
+/**
+* @return First name plus last name if available, just first name or just
+* last name or "Unknown".
+*
+* @deprecated AuthenticatedUserDisplayInfo has no place for a display name.
+*/
+@Deprecated
+private String getDisplayNameFromFirstNameLastName(String firstNameAttribute, String lastNameAttribute) {
+/**
+* @todo Should the first name attribute be required?
+*/
+String firstName = getValueFromAttribute(firstNameAttribute);
+/**
+* @todo Should the last name attribute be required?
+*/
+String lastName = getValueFromAttribute(lastNameAttribute);
+if (firstName != null && lastName != null) {
+return firstName + " " + lastName;
+} else if (firstName != null) {
+return firstName;
+} else if (lastName != null) {
+return lastName;
+} else {
+return "Unknown";
+}
+}
+public String getRootDataverseAlias() {
+Dataverse rootDataverse = dataverseService.findRootDataverse();
+if (rootDataverse != null) {
+String rootDvAlias = rootDataverse.getAlias();
+if (rootDvAlias != null) {
+return rootDvAlias;
+}
+}
+return null;
+}
+/**
+* @param includeFacetDashRedirect if true, include "faces-redirect=true" in
+* the string
+*
+* @todo Once https://github.com/IQSS/dataverse/issues/1519 is done, revisit
+* this method and have the home page be "/" rather than "/dataverses/root".
+*
+* @todo Like builtin users, Shibboleth should benefit from redirectPage
+* logic per https://github.com/IQSS/dataverse/issues/1551
+*/
+public String getPrettyFacesHomePageString(boolean includeFacetDashRedirect) {
+String plainHomepageString = "/dataverse.xhtml";
+String rootDvAlias = getRootDataverseAlias();
+if (includeFacetDashRedirect) {
+if (rootDvAlias != null) {
+return plainHomepageString + "?alias=" + rootDvAlias + "&faces-redirect=true";
+} else {
+return plainHomepageString + "?faces-redirect=true";
+}
+} else {
+if (rootDvAlias != null) {
+/**
+* @todo Is there a constant for "/dataverse/" anywhere? I guess
+* we'll just hard-code it here.
+*/
+return "/dataverse/" + rootDvAlias;
+} else {
+return plainHomepageString;
+}
+}
+}
+public boolean isDebug() {
+return systemConfig.isDebugEnabled();
+}
+public boolean isInit() {
+return state.equals(State.INIT);
+}
+public boolean isOfferToCreateNewAccount() {
+return state.equals(State.PROMPT_TO_CREATE_NEW_ACCOUNT);
+}
+public boolean isOfferToConvertExistingAccount() {
+return state.equals(State.PROMPT_TO_CONVERT_EXISTING_ACCOUNT);
+}
+public String getDisplayNameToPersist() {
+return displayNameToPersist;
+}
+//    public String getFirstNameToPersist() {
+//        return firstNameToPersist;
+//    }
+//    public String getLastNameToPersist() {
+//        return lastNameToPersist;
+//    }
+public String getEmailToPersist() {
+return emailToPersist;
+}
+public String getAffiliationToDisplayAtConfirmation() {
+return affiliationToDisplayAtConfirmation;
+}
+//    public String getPositionToPersist() {
+//        return positionToPersist;
+//    }
+public String getExistingEmail() {
+return existingEmail;
+}
+public void setExistingEmail(String existingEmail) {
+this.existingEmail = existingEmail;
+}
+public String getExistingDisplayName() {
+return existingDisplayName;
+}
+public boolean isPasswordRejected() {
+return passwordRejected;
+}
+public String getFriendlyNameForInstitution() {
+return friendlyNameForInstitution;
+}
+public void setFriendlyNameForInstitution(String friendlyNameForInstitution) {
+this.friendlyNameForInstitution = friendlyNameForInstitution;
+}
+public State getState() {
+return state;
+}
+public boolean isVisibleTermsOfUse() {
+return visibleTermsOfUse;
+}
+public String getBuiltinUsername() {
+return builtinUsername;
+}
+public void setBuiltinUsername(String builtinUsername) {
+this.builtinUsername = builtinUsername;
+}
+public String getBuiltinPassword() {
+return builtinPassword;
+}
+public void setBuiltinPassword(String builtinPassword) {
+this.builtinPassword = builtinPassword;
+}
+public String getDebugSummary() {
+return debugSummary;
+}
+public void setDebugSummary(String debugSummary) {
+this.debugSummary = debugSummary;
+}
+private void mutateRequestForDevRandom() throws JsonSyntaxException, JsonIOException {
+// set *something*, at least, even if it's just shortened UUIDs
+//        for (String attr : shibAttrs) {
+// in dev we don't care if a new, random user is created each time
+//            request.setAttribute(attr, UUID.randomUUID().toString().substring(0, 8));
+//        }
+String sURL = "http://api.randomuser.me";
+URL url = null;
+try {
+url = new URL(sURL);
+} catch (MalformedURLException ex) {
+Logger.getLogger(Shib.class.getName()).log(Level.SEVERE, null, ex);
+}
+HttpURLConnection randomUserRequest = null;
+try {
+randomUserRequest = (HttpURLConnection) url.openConnection();
+} catch (IOException ex) {
+Logger.getLogger(Shib.class.getName()).log(Level.SEVERE, null, ex);
+}
+try {
+randomUserRequest.connect();
+} catch (IOException ex) {
+Logger.getLogger(Shib.class.getName()).log(Level.SEVERE, null, ex);
+}
+JsonParser jp = new JsonParser(); //from gson
+JsonElement root = null;
+try {
+root = jp.parse(new InputStreamReader((InputStream) randomUserRequest.getContent())); //convert the input stream to a json element
+} catch (IOException ex) {
+Logger.getLogger(Shib.class.getName()).log(Level.SEVERE, null, ex);
+}
+JsonObject rootObject = root.getAsJsonObject();
+logger.fine(rootObject.toString());
+JsonElement results = rootObject.get("results");
+logger.fine(results.toString());
+JsonElement firstResult = results.getAsJsonArray().get(0);
+logger.fine(firstResult.toString());
+JsonElement user = firstResult.getAsJsonObject().get("user");
+JsonElement username = user.getAsJsonObject().get("username");
+JsonElement email = user.getAsJsonObject().get("email");
+JsonElement password = user.getAsJsonObject().get("password");
+JsonElement name = user.getAsJsonObject().get("name");
+JsonElement firstName = name.getAsJsonObject().get("first");
+JsonElement lastName = name.getAsJsonObject().get("last");
+/**
+* @todo Does Harvard really send displayName? At one point they didn't.
+* Let's simulate the non-sending of displayName here.
+*/
+//        request.setAttribute(displayNameAttribute, StringUtils.capitalise(firstName.getAsString()) + " " + StringUtils.capitalise(lastName.getAsString()));
+request.setAttribute(lastNameAttribute, StringUtils.capitalise(lastName.getAsString()));
+request.setAttribute(firstNameAttribute, StringUtils.capitalise(firstName.getAsString()));
+request.setAttribute(emailAttribute, email.getAsString());
+// random IDP
+request.setAttribute(shibIdpAttribute, "https://idp." + password.getAsString() + ".com/idp/shibboleth");
+/**
+* Harvard's IdP doesn't send a username so let's test without it by
+* commenting it out here.
+*/
+//        request.setAttribute(usernameAttribute, username.getAsString());
+// eppn
+request.setAttribute(uniquePersistentIdentifier, UUID.randomUUID().toString().substring(0, 8));
+}
+private void mutateRequestForDevConstantTestShib1() {
+request.setAttribute(shibIdpAttribute, "https://idp.testshib.org/idp/shibboleth");
+// the TestShib "eppn" looks like an email address
+request.setAttribute(uniquePersistentIdentifier, "saml@testshib.org");
+//        request.setAttribute(displayNameAttribute, "Sam El");
+request.setAttribute(firstNameAttribute, "Samuel;Sam");
+request.setAttribute(lastNameAttribute, "El");
+// TestShib doesn't send "mail" attribute so let's mimic that.
+//        request.setAttribute(emailAttribute, "saml@mailinator.com");
+request.setAttribute(usernameAttribute, "saml");
+}
+private void mutateRequestForDevConstantHarvard1() {
+request.setAttribute(shibIdpAttribute, "https://fed.huit.harvard.edu/idp/shibboleth");
+request.setAttribute(uniquePersistentIdentifier, "constantHarvard");
+//        request.setAttribute(displayNameAttribute, "John Harvard");
+request.setAttribute(firstNameAttribute, "John");
+request.setAttribute(lastNameAttribute, "Harvard");
+request.setAttribute(emailAttribute, "jharvard@mailinator.com");
+request.setAttribute(usernameAttribute, "jharvard");
+}
+private void mutateRequestForDevConstantHarvard2() {
+request.setAttribute(shibIdpAttribute, "https://fed.huit.harvard.edu/idp/shibboleth");
+request.setAttribute(uniquePersistentIdentifier, "constantHarvard2");
+//        request.setAttribute(displayNameAttribute, "Grace Hopper");
+request.setAttribute(firstNameAttribute, "Grace");
+request.setAttribute(lastNameAttribute, "Hopper");
+request.setAttribute(emailAttribute, "ghopper@mailinator.com");
+request.setAttribute(usernameAttribute, "ghopper");
+}
+}

Mercurial > hg > LGDataverses

comparison src/main/java/edu/harvard/iq/dataverse/Shib.java @ 10:a50cf11e5178