Merge branch 'dev-3.6'

Author: Jenkins CI

documentation/src/main/doc/input-translation.txt

@@ -95,8 +95,10 @@ MVEL context reference:
 is multi-valued then the first value is returned. If the attribute has no value then empty string is returned. 
 . +attrs+ Map indexed with attribute names. Value of each entry is a list of the attribute values.
 . +id+ Value of the authenticated identity. If remote IdP returned multiple identities, then a random one is available,
-though this is a very exotic case. 
-. +idType+ The type of the identity stored in the +id+ variable.
+though this is a very exotic case. In rare cases (typically with SMAL IdPs) it may happen that IdP is not providing any 
+unique identifier of the identity. In such case this variable is set to +null+, and user should be identified 
+by some (combination of) attributes.
+. +idType+ The type of the identity stored in the +id+ variable. +null+ only if +id+ is null.
 . +idsByType+ Map of identity values indexed by type. Rarely useful.
 . +groups+ List of all remote groups. 
 

engine-api/src/main/java/pl/edu/icm/unity/engine/api/translation/in/InputTranslationContextFactory.java

@@ -50,6 +50,10 @@ public static Map<String, Object> createMvelContext(RemotelyAuthenticatedInput i
 			RemoteIdentity ri = input.getIdentities().values().iterator().next();
 			ret.put(ContextKey.id.name(), ri.getName());
 			ret.put(ContextKey.idType.name(), ri.getIdentityType());
+		} else
+		{
+			ret.put(ContextKey.id.name(), null);
+			ret.put(ContextKey.idType.name(), null);
 		}
 
 		Map<String, List<String>> idsByType = new HashMap<String, List<String>>();

engine/src/main/java/pl/edu/icm/unity/engine/forms/enquiry/EnquiryManagementImpl.java

@@ -44,6 +44,7 @@
 import pl.edu.icm.unity.engine.forms.RegistrationConfirmationSupport;
 import pl.edu.icm.unity.engine.forms.RegistrationConfirmationSupport.Phase;
 import pl.edu.icm.unity.exceptions.EngineException;
+import pl.edu.icm.unity.exceptions.IllegalIdentityValueException;
 import pl.edu.icm.unity.exceptions.WrongArgumentException;
 import pl.edu.icm.unity.stdext.attr.StringAttribute;
 import pl.edu.icm.unity.store.api.generic.EnquiryFormDB;
@@ -497,14 +498,16 @@ private void addToAttribute(long entityId, String attributeName, String value) t
 		dbAttributes.addAttribute(entityId, attribute, true, false);
 	}
 
-	private void removeAllPendingRequestsOfForm(String enquiryId, EntityParam entity)
+	private void removeAllPendingRequestsOfForm(String enquiryId, EntityParam entity) throws IllegalIdentityValueException
 	{
 		for (EnquiryResponseState en : requestDB.getAll())
 		{
 			if (!en.getStatus().equals(RegistrationRequestStatus.pending))
 				continue;
 			EnquiryResponse res = en.getRequest();
-			if (res.getFormId().equals(enquiryId))
+			long entityId = identitiesResolver.getEntityId(entity);
+
+			if (res.getFormId().equals(enquiryId) && en.getEntityId() == entityId)
 			{
 				requestDB.delete(en.getRequestId());
 			}

engine/src/test/java/pl/edu/icm/unity/engine/forms/enquiry/TestStickyEnquiries.java

@@ -208,6 +208,46 @@ public void shouldOverwriteSubmitedRequest() throws Exception
 		assertThat(res.getRequest().getGroupSelections().get(1).getSelectedGroups().get(0), is("/B"));
 	}
 
+	@Test
+	public void shouldRemovePendingRequestOnlyForGivenEntity() throws Exception
+	{
+		
+		initAndCreateEnquiry("false");
+		EnquiryResponse response = new EnquiryResponseBuilder()
+			.withFormId("sticky")
+			.withAddedGroupSelection()
+			.withGroup("/")
+			.withGroup("/A")
+			.endGroupSelection()
+			.withAddedGroupSelection()
+			.withGroup("/B")
+			.endGroupSelection()
+			.withAddedAttribute(null)
+			.build();
+		
+		Identity addEntity1 = idsMan.addEntity(new IdentityParam(UsernameIdentity.ID, "tuser"), 
+				CRED_REQ_PASS, EntityState.valid);
+		Identity addEntity2 = idsMan.addEntity(new IdentityParam(UsernameIdentity.ID, "tuser2"), 
+				CRED_REQ_PASS, EntityState.valid);
+		
+		
+		setupUserContext("tuser", null);
+
+		enquiryManagement.submitEnquiryResponse(response,
+				new RegistrationContext(false, TriggeringMode.manualStandalone));
+		
+		setupUserContext("tuser2", null);
+
+		enquiryManagement.submitEnquiryResponse(response,
+				new RegistrationContext(false, TriggeringMode.manualStandalone));
+
+		setupAdmin();
+		enquiryManagement.removePendingStickyRequest("sticky", new EntityParam(addEntity1.getEntityId()));
+
+		assertThat(enquiryManagement.getEnquiryResponses().stream().filter(e -> e.getEntityId() == addEntity1.getEntityId()).count(), is(0L));
+		assertThat(enquiryManagement.getEnquiryResponses().stream().filter(e -> e.getEntityId() == addEntity2.getEntityId()).count(), is(1L));
+	}
+	
 	@Test
 	public void shouldBlockMultiSelectGroupInSingleSelectGroupParam() throws Exception
 	{

pom.xml

@@ -468,7 +468,7 @@
 			<dependency>
 				<groupId>io.imunity.samly</groupId>
 				<artifactId>samly2</artifactId>
-				<version>2.7.0</version>
+				<version>2.7.1</version>
 			</dependency>
 			<dependency>
 				<groupId>io.imunity.samly</groupId>

saml/src/main/java/pl/edu/icm/unity/saml/SAMLResponseValidatorUtil.java

@@ -120,7 +120,8 @@ private List<RemoteIdentity> getAuthenticatedIdentities(SSOAuthnResponseValidato
 		for (int i=0; i<authnAssertions.size(); i++)
 		{
 			NameIDType samlName = authnAssertions.get(i).getAssertion().getSubject().getNameID();
-			ret.add(new RemoteIdentity(samlName.getStringValue(), samlName.getFormat()));
+			if (samlName != null && !samlName.isNil())
+				ret.add(new RemoteIdentity(samlName.getStringValue(), samlName.getFormat()));
 		}
 		return ret;
 	}
@@ -141,7 +142,7 @@ private void addSessionParticipants(SSOAuthnResponseValidator validator,
 			for (AuthnStatementType authNStatement: authNAss.getAuthnStatementArray())
 			{
 				sessionIndex = authNStatement.getSessionIndex();
-				if (sessionIndex != null)
+				if (sessionIndex != null && authNAss.getSubject().getNameID() != null)
 				{
 					SAMLSessionParticipant participant = new SAMLSessionParticipant(
 							issuer.getStringValue(), 

saml/src/main/java/pl/edu/icm/unity/saml/sp/SAMLResponseVerificator.java

@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 2014 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE.txt file for licensing information.
+ */
+package pl.edu.icm.unity.saml.sp;
+
+import java.net.URL;
+import java.util.Optional;
+
+import org.apache.logging.log4j.Logger;
+import org.apache.xmlbeans.XmlException;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import eu.unicore.samly2.SAMLBindings;
+import eu.unicore.samly2.validators.ReplayAttackChecker;
+import pl.edu.icm.unity.base.utils.Log;
+import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
+import pl.edu.icm.unity.engine.api.authn.AuthenticationResult.ResolvableError;
+import pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException;
+import pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationResult;
+import pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState;
+import pl.edu.icm.unity.engine.api.authn.remote.RemoteAuthnResultTranslator;
+import pl.edu.icm.unity.engine.api.authn.remote.RemotelyAuthenticatedInput;
+import pl.edu.icm.unity.engine.api.endpoint.SharedEndpointManagement;
+import pl.edu.icm.unity.engine.api.server.AdvertisedAddressProvider;
+import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
+import pl.edu.icm.unity.saml.SAMLResponseValidatorUtil;
+import pl.edu.icm.unity.types.translation.TranslationProfile;
+import xmlbeans.org.oasis.saml2.protocol.ResponseDocument;
+
+@PrototypeComponent
+public class SAMLResponseVerificator
+{
+	private static final Logger log = Log.getLogger(Log.U_SERVER_SAML, SAMLResponseVerificator.class);
+	private final String responseConsumerAddress;
+	private final ReplayAttackChecker replayAttackChecker;
+	private final RemoteAuthnResultTranslator translator;
+	
+	@Autowired
+	public SAMLResponseVerificator(
+			ReplayAttackChecker replayAttackChecker,
+			SharedEndpointManagement sharedEndpointManagement,
+			AdvertisedAddressProvider advertisedAddrProvider,
+			RemoteAuthnResultTranslator translator)
+	{
+		this(replayAttackChecker, 
+				assembleResponseConsumerAddress(sharedEndpointManagement, advertisedAddrProvider), 
+				translator);
+	}
+
+	public SAMLResponseVerificator(
+			ReplayAttackChecker replayAttackChecker,
+			String responseConsumerAddress,
+			RemoteAuthnResultTranslator translator)
+	{
+		this.replayAttackChecker = replayAttackChecker;
+		this.translator = translator;
+		this.responseConsumerAddress = responseConsumerAddress;
+	}
+	
+	private static String assembleResponseConsumerAddress(SharedEndpointManagement sharedEndpointManagement,
+			AdvertisedAddressProvider advertisedAddrProvider)
+	{
+		URL baseAddress = advertisedAddrProvider.get();
+		String baseContext = sharedEndpointManagement.getBaseContextPath();
+		return baseAddress + baseContext + SAMLResponseConsumerServlet.PATH;
+	}
+
+	
+	AuthenticationResult processResponse(RedirectedAuthnState remoteAuthnState, TranslationProfile profile)
+	{
+		RemoteAuthnContext castedState = (RemoteAuthnContext) remoteAuthnState;
+		try
+		{
+			return verifySAMLResponse(castedState, profile);
+		} catch (Exception e)
+		{
+			log.error("Runtime error during SAML response processing or principal mapping", e);
+			return RemoteAuthenticationResult.failed(null, e,
+					new ResolvableError("WebSAMLRetrieval.authnFailedError"));
+		}
+	}
+	
+	private AuthenticationResult verifySAMLResponse(RemoteAuthnContext context, TranslationProfile profile)
+	{
+		try
+		{
+			RemotelyAuthenticatedInput input = getRemotelyAuthenticatedInput(context);
+			return translator.getTranslatedResult(input, profile, 
+					context.getAuthenticationTriggeringContext().isSandboxTriggered(), 
+					Optional.empty(),
+					context.getRegistrationFormForUnknown(),
+					context.isEnableAssociation());
+		} catch (RemoteAuthenticationException e)
+		{
+			log.info("SAML response verification or processing failed", e);
+			return RemoteAuthenticationResult.failed(e.getResult().getRemotelyAuthenticatedPrincipal(), e,
+					new ResolvableError("WebSAMLRetrieval.authnFailedError"));
+		}
+	}
+	
+	private RemotelyAuthenticatedInput getRemotelyAuthenticatedInput(RemoteAuthnContext context) 
+			throws RemoteAuthenticationException 
+	{
+		ResponseDocument responseDocument;
+		try
+		{
+			responseDocument = ResponseDocument.Factory.parse(context.getResponse());
+		} catch (XmlException e)
+		{
+			throw new RemoteAuthenticationException("The SAML response can not be parsed - " +
+					"XML data is corrupted", e);
+		}
+		
+		SAMLResponseValidatorUtil responseValidatorUtil = new SAMLResponseValidatorUtil(
+				context.getContextConfig(), replayAttackChecker, responseConsumerAddress);
+
+		RemotelyAuthenticatedInput input = responseValidatorUtil.verifySAMLResponse(responseDocument, 
+				context.getVerifiableResponse(),
+				context.getRequestId(), 
+				SAMLBindings.valueOf(context.getResponseBinding().toString()), 
+				context.getGroupAttribute(), context.getContextIdpKey());
+		return input;
+	}
+}
+
+