wip: Break up AuthProvider

Move user shadowing, attribute processing, and authorities processing to their own classes.

Enable Authorities

Signed-off-by: Ivan Protsiuk <[email protected]>

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java

@@ -109,16 +109,6 @@ public UaaAuthentication(UaaPrincipal uaaPrincipal,
         this.userAttributes = new HashMap<>(userAttributes);
     }
 
-    public UaaAuthentication(UaaAuthentication existingAuthn, UaaPrincipal principal) {
-
-        this(principal, existingAuthn.getCredentials(), List.copyOf(existingAuthn.getAuthorities()), existingAuthn.getExternalGroups(),
-                existingAuthn.getUserAttributes(), existingAuthn.getUaaAuthenticationDetails(), existingAuthn.isAuthenticated(),
-                existingAuthn.getAuthenticatedTime(), existingAuthn.getExpiresAt());
-        this.authContextClassRef = existingAuthn.authContextClassRef;
-        this.authenticationMethods = existingAuthn.authenticationMethods;
-        this.lastLoginSuccessTime = existingAuthn.lastLoginSuccessTime;
-    }
-
     @Override
     public String getName() {
         // Should we return the ID for the principal name? (No, because the

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSamlXmlUtils.java

@@ -0,0 +1,58 @@
+package org.cloudfoundry.identity.uaa.provider.saml;
+
+import lombok.extern.slf4j.Slf4j;
+import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.core.xml.schema.XSAny;
+import org.opensaml.core.xml.schema.XSBase64Binary;
+import org.opensaml.core.xml.schema.XSBoolean;
+import org.opensaml.core.xml.schema.XSBooleanValue;
+import org.opensaml.core.xml.schema.XSDateTime;
+import org.opensaml.core.xml.schema.XSInteger;
+import org.opensaml.core.xml.schema.XSQName;
+import org.opensaml.core.xml.schema.XSString;
+import org.opensaml.core.xml.schema.XSURI;
+
+import javax.xml.namespace.QName;
+import java.time.Instant;
+
+@Slf4j
+public class OpenSamlXmlUtils {
+
+    private OpenSamlXmlUtils() {
+        throw new java.lang.UnsupportedOperationException("This is a utility class and cannot be instantiated");
+    }
+
+    public static String getStringValue(String key, SamlIdentityProviderDefinition definition, XMLObject xmlObject) {
+        String value = null;
+        if (xmlObject instanceof XSString xsString) {
+            value = xsString.getValue();
+        } else if (xmlObject instanceof XSAny xsAny) {
+            value = xsAny.getTextContent();
+        } else if (xmlObject instanceof XSInteger xsInteger) {
+            Integer i = xsInteger.getValue();
+            value = i != null ? i.toString() : null;
+        } else if (xmlObject instanceof XSBoolean xsBoolean) {
+            XSBooleanValue b = xsBoolean.getValue();
+            value = b != null && b.getValue() != null ? b.getValue().toString() : null;
+        } else if (xmlObject instanceof XSDateTime xsDateTime) {
+            Instant d = xsDateTime.getValue();
+            value = d != null ? d.toString() : null;
+        } else if (xmlObject instanceof XSQName xsQName) {
+            QName name = xsQName.getValue();
+            value = name != null ? name.toString() : null;
+        } else if (xmlObject instanceof XSURI xsUri) {
+            value = xsUri.getURI();
+        } else if (xmlObject instanceof XSBase64Binary xsBase64Binary) {
+            value = xsBase64Binary.getValue();
+        }
+
+        if (value != null) {
+            log.debug("Found SAML user attribute {} of value {} [zone:{}, origin:{}]", key, value, definition.getZoneId(), definition.getIdpEntityAlias());
+            return value;
+        } else if (xmlObject != null) {
+            log.debug("SAML user attribute {} at is not of type XSString or other recognizable type, {} [zone:{}, origin:{}]", key, xmlObject.getClass().getName(), definition.getZoneId(), definition.getIdpEntityAlias());
+        }
+        return null;
+    }
+}

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/Saml2Utils.java

@@ -39,6 +39,7 @@
 public final class Saml2Utils {
 
     private Saml2Utils() {
+        throw new java.lang.UnsupportedOperationException("This is a utility class and cannot be instantiated");
     }
 
     public static String samlEncode(byte[] b) {

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlAuthenticationFilterConfig.java

@@ -1,9 +1,11 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
 import org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning;
+import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMembershipManager;
 import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
 import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.convert.converter.Converter;
@@ -49,16 +51,23 @@ SecurityContextRepository securityContextRepository() {
     @Bean
     AuthenticationProvider samlAuthenticationProvider(IdentityZoneManager identityZoneManager,
                                                       final UaaUserDatabase userDatabase,
-                                                      final JdbcIdentityProviderProvisioning identityProviderProvisioning) {
+                                                      final JdbcIdentityProviderProvisioning identityProviderProvisioning,
+                                                      ScimGroupExternalMembershipManager externalMembershipManager,
 
-//        SamlUaaResponseAuthenticationConverter samlResponseAuthenticationConverter =
-//                new SamlUaaResponseAuthenticationConverter(identityZoneManager, userDatabase, identityProviderProvisioning);
-//
-//        OpenSaml4AuthenticationProvider authProvider = new OpenSaml4AuthenticationProvider();
-//        //authProvider.setAssertionValidator(OpenSaml40CompatibleAssertionValidators.createDefaultAssertionValidator());
-//        authProvider.setResponseAuthenticationConverter(samlResponseAuthenticationConverter);
+                                                      ApplicationEventPublisher applicationEventPublisher) {
 
-        return new SamlLoginAuthenticationProvider(identityZoneManager, userDatabase, identityProviderProvisioning);
+        SamlUaaUserManager samlUaaUserManager = new SamlUaaUserManager(userDatabase);
+        samlUaaUserManager.setApplicationEventPublisher(applicationEventPublisher);
+
+        SamlUaaAuthenticationAttributesConverter attributesConverter = new SamlUaaAuthenticationAttributesConverter();
+        SamlUaaAuthenticationAuthoritiesConverter authoritiesConverter = new SamlUaaAuthenticationAuthoritiesConverter(externalMembershipManager);
+
+        SamlUaaResponseAuthenticationConverter samlResponseAuthenticationConverter =
+                new SamlUaaResponseAuthenticationConverter(identityZoneManager, identityProviderProvisioning,
+                        samlUaaUserManager, attributesConverter, authoritiesConverter);
+        samlResponseAuthenticationConverter.setApplicationEventPublisher(applicationEventPublisher);
+
+        return new SamlLoginAuthenticationProvider(samlResponseAuthenticationConverter);
     }
 
     @Autowired