From 69639836c60deb4b1dd9a0f1215831b916336537 Mon Sep 17 00:00:00 2001
From: Longze Chen
Date: Mon, 21 Nov 2022 13:17:36 -0500
Subject: [PATCH 1/2] Add an extra check for username and its shib attribute during SSO
---
 etc/cas/config/instn-authn-prod.xsl | 6 +++---
 ...alFromNonInteractiveCredentialsAction.java | 16 +++++++++++++++
 ...OsfApiInstitutionAuthenticationResult.java | 20 +++++++++++++++++++
 3 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/etc/cas/config/instn-authn-prod.xsl b/etc/cas/config/instn-authn-prod.xsl
index f61f09ea..46fd644a 100644
--- a/etc/cas/config/instn-authn-prod.xsl
+++ b/etc/cas/config/instn-authn-prod.xsl
@@ -239,7 +239,7 @@ iit - +
@@ -397,7 +397,7 @@ csic - +
@@ -653,7 +653,7 @@ usc - +
diff --git a/src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java b/src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java
index a5b973f0..3e7fcc85 100644
--- a/src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java
+++ b/src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java
@@ -249,6 +249,22 @@ protected Credential constructCredentialsFromRequest(final RequestContext contex
 final OsfPostgresCredential osfPostgresCredential = constructCredentialsFromShibbolethAuthentication(context, request);
 final OsfApiInstitutionAuthenticationResult remoteUserInfo = notifyOsfApiOfInstnAuthnSuccess(osfPostgresCredential);
+ final String ssoEppn = osfPostgresCredential.getDelegationAttributes().get("eppn");
+ final String ssoMail = osfPostgresCredential.getDelegationAttributes().get("mail");
+ final String ssoMailOther = osfPostgresCredential.getDelegationAttributes().get("mailother");
+ if (!remoteUserInfo.verifyOsfUsername(ssoEppn, ssoMail, ssoMailOther)) {
+ LOGGER.error(
+ "[SAML Shibboleth] Critical Error: eppn={}, mail={}, mailOther={}, entityId={}, username={}, institutionId={}",
+ ssoEppn,
+ ssoMail,
+ ssoMailOther,
+ osfPostgresCredential.getDelegationAttributes().get("shib-session-id"),
+ remoteUserInfo.getUsername(),
+ remoteUserInfo.getInstitutionId()
+ );
+ throw new InstitutionSsoFailedException("Critical SAML-Shibboleth SSO Failure");
+ }
+
 osfPostgresCredential.setUsername(remoteUserInfo.getUsername());
 osfPostgresCredential.setInstitutionId(remoteUserInfo.getInstitutionId());
 if (StringUtils.isBlank(osfPostgresCredential.getInstitutionalIdentity())) {
diff --git a/src/main/java/io/cos/cas/osf/web/support/OsfApiInstitutionAuthenticationResult.java b/src/main/java/io/cos/cas/osf/web/support/OsfApiInstitutionAuthenticationResult.java
index 8e5b26bf..39adb4a4 100644
--- a/src/main/java/io/cos/cas/osf/web/support/OsfApiInstitutionAuthenticationResult.java
+++ b/src/main/java/io/cos/cas/osf/web/support/OsfApiInstitutionAuthenticationResult.java
@@ -5,6 +5,9 @@
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 import lombok.ToString;
+import lombok.extern.slf4j.Slf4j;
+
+import org.apache.commons.lang.StringUtils;
 import java.io.Serializable;
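Review bot: The `entityId={}` placeholder in the new failure log is filled with the `shib-session-id` delegation attribute, so the label misdescribes the value being logged; either rename the placeholder, e.g. `"[SAML Shibboleth] Critical Error: eppn={}, mail={}, mailOther={}, shibSessionId={}, username={}, institutionId={}"`, or pass the entity-id attribute if that is what was meant. The same ERROR line writes three e-mail addresses and a Shibboleth session identifier to the log on every mismatch; the e-mails are needed to explain the mismatch, but consider whether the session identifier is useful for triage, since otherwise it is better kept out of log output. `getDelegationAttributes()` is called four times in this block; a single local holding the attribute map would read more clearly, assuming the getter returns a plain map, which the hunk does not show. The enclosing constructCredentialsFromRequest starts and ends outside the hunk.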
@@ -19,6 +22,7 @@
 @NoArgsConstructor
 @ToString
 @Setter
+@Slf4j
 public class OsfApiInstitutionAuthenticationResult implements Serializable {
 private static final long serialVersionUID = 3971349776123204760L;
@@ -26,4 +30,20 @@ public class OsfApiInstitutionAuthenticationResult implements Serializable {
 private String username;
 private String institutionId;
+
+ /**
+ * Verify that the username comes from one of the three attributes in Shibboleth SSO headers.
+ *
+ * @param ssoEppn eppn
+ * @param ssoMail mail
+ * @param ssoMailOther customized attribute for email
+ * @return true if username equals to any of the three else false
+ */
+ public Boolean verifyOsfUsername(final String ssoEppn, final String ssoMail, final String ssoMailOther) {
+ if (StringUtils.isBlank(username)) {
+ LOGGER.error("[CAS XSLT] Username={} is blank", username);
+ return false;
+ }
+ return username.equalsIgnoreCase(ssoEppn) || username.equalsIgnoreCase(ssoMail) || username.equalsIgnoreCase(ssoMailOther);
+ }
 }
From ad763d6df38d7e49701a9053ad5185085526ea8b Mon Sep 17 00:00:00 2001
From: Longze Chen
Date: Mon, 21 Nov 2022 15:03:19 -0500
Subject: [PATCH 2/2] Update change log for hotfix 22.1.2
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab5debc5..f89185cb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,11 @@ We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO.
+22.1.2 (11-21-2022)
+===================
+
+* Add an extra check for username and its shib attribute during SSO
+
 22.1.1 (11-11-2022)
 ===================
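Review bot: `verifyOsfUsername` declares a boxed `Boolean` return although it only ever returns the literals `true`/`false`, and the caller in the other hunk negates it with `!`, which auto-unboxes; declare it `public boolean verifyOsfUsername(final String ssoEppn, final String ssoMail, final String ssoMailOther)` so a null can never reach that unboxing. `@Slf4j` generates a field named `log` unless a lombok.config sets `lombok.log.fieldName`, while the body references `LOGGER`; this compiles only if the project configures that name (the action class in this patch also uses `LOGGER`, which suggests it does, but worth confirming). The Javadoc says "equals" while the comparison is `equalsIgnoreCase`, and a null attribute simply never matches; the `@return` line should say so, e.g. `@return true if the username matches one of the three attributes ignoring case; false if the username is blank or none of the non-null attributes match`. The `[CAS XSLT]` tag and the `{}` argument on the blank-username log line are misleading here, since the username is blank by construction and this class is not XSLT; `LOGGER.error("Username in OSF API authentication result is blank")` states what happened without printing an empty value.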