[CAS] Use SAML attribute for profile identifier when provided

5b7e472e · Amine FILALI · Benaissa BENARBIA · c54e68ec · 5b7e472e · 5b7e472e
Commit 5b7e472e authored 3 years ago by Amine FILALI Committed by Benaissa BENARBIA 3 years ago
--- a/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/idp/service/IdentityProviderInternalService.java
+++ b/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/idp/service/IdentityProviderInternalService.java
@@ -275,9 +275,9 @@ public class IdentityProviderInternalService extends VitamUICrudService<Identity
                    entity.setMailAttribute(CastUtils.toString(entry.getValue()));
                    break;
                case "identifierAttribute" :
-                logbooks.add(new EventDiffDto(IdentityProviderConverter.IDENTIFIER_ATTRIBUTE_KEY, StringUtils.EMPTY, StringUtils.EMPTY));
+                    logbooks.add(new EventDiffDto(IdentityProviderConverter.IDENTIFIER_ATTRIBUTE_KEY, StringUtils.EMPTY, StringUtils.EMPTY));
-                entity.setIdentifierAttribute(CastUtils.toString(entry.getValue()));
+                    entity.setIdentifierAttribute(CastUtils.toString(entry.getValue()));
-                break;
+                    break;
                case "authnRequestBinding" :
                    final String authnRequestBindingAsString = CastUtils.toString(entry.getValue());
                    final AuthnRequestBindingEnum newAuthnRequestBinding = EnumUtils.stringToEnum(AuthnRequestBindingEnum.class, authnRequestBindingAsString);

--- a/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolver.java
+++ b/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolver.java
@@ -142,10 +142,24 @@ public class UserPrincipalResolver implements PrincipalResolver {
                    return NullPrincipal.getInstance();
                } else {
                    val mail = (String) mails.get(0);
-                    LOGGER.error("Provider: '{}' requested specific mail attribute: '{}' for id: '{}' replaced by: '{}'", providerName, mailAttribute, userId, mail);
+                    LOGGER.info("Provider: '{}' requested specific mail attribute: '{}' for id: '{}' replaced by: '{}'", providerName, mailAttribute, userId, mail);
                    email = mail;
                }
            }
+            val identifierAttribute = provider.getIdentifierAttribute();
+            String identifier = userId;
+            if (CommonHelper.isNotBlank(identifierAttribute)) {
+                val identifiers = principal.getAttributes().get(identifierAttribute);
+                if (identifiers == null || identifiers.size() == 0 || CommonHelper.isBlank((String) identifiers.get(0))) {
+                    LOGGER.error("Provider: '{}' requested specific identifier attribute: '{}' for id, but attribute does not exist or has no value", providerName, identifierAttribute);
+                    return NullPrincipal.getInstance();
+                } else {
+                    val identifierAttr = (String) identifiers.get(0);
+                    LOGGER.info("Provider: '{}' requested specific identifier attribute: '{}' for id: '{}' replaced by: '{}'", providerName, identifierAttribute, userId, identifierAttr);
+                    identifier = identifierAttr;
+                }
+            }
            val surrogateInSession = sessionStore.get(webContext, Constants.SURROGATE).orElse(null);
            if (surrogateInSession != null) {
                username = (String) surrogateInSession;
@@ -157,7 +171,7 @@ public class UserPrincipalResolver implements PrincipalResolver {
                username = email;
                superUsername = null;
                userProviderId = provider.getId();
-                technicalUserId = Optional.of(userId);
+                technicalUserId = Optional.of(identifier);
                surrogationCall = false;
            }
        }

--- a/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolverTest.java
+++ b/cas/cas-server/src/test/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolverTest.java
@@ -35,6 +35,7 @@ import org.springframework.test.context.junit4.SpringRunner;
 import java.util.*;
+import static fr.gouv.vitamui.commons.api.CommonConstants.IDENTIFIER_ATTRIBUTE;
 import static fr.gouv.vitamui.commons.api.CommonConstants.SUPER_USER_ATTRIBUTE;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
@@ -56,9 +57,11 @@ public final class UserPrincipalResolverTest extends BaseWebflowActionTest {
    private static final String PROVIDER_NAME = "google";
    private static final String MAIL = "mail";
+    private static final String IDENTIFIER = "identifier";
    private static final String USERNAME = "jleleu@test.com";
    private static final String ADMIN = "admin@test.com";
+    private static final String IDENTIFIER_VALUE = "007";
    private static final String PWD = "password";
@@ -153,6 +156,28 @@ public final class UserPrincipalResolverTest extends BaseWebflowActionTest {
        assertNull(attributes.get(SUPER_USER_ATTRIBUTE));
    }
+    @Test
+    public void testResolveAuthnDelegationIdentifierAttribute() {
+        val provider = new IdentityProviderDto();
+        provider.setId(PROVIDER_ID);
+        provider.setIdentifierAttribute(IDENTIFIER);
+        when(casExternalRestClient.getUser(any(ExternalHttpContext.class), eq(USERNAME), eq(PROVIDER_ID), eq(Optional.of(IDENTIFIER_VALUE)),
+            eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)))).thenReturn(userProfile(UserStatusEnum.ENABLED));
+        when(sessionStore.get(any(JEEContext.class), eq(Constants.SURROGATE))).thenReturn(Optional.empty());
+        when(identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME))).thenReturn(Optional.of(provider));
+        val princAttributes = new HashMap<String, List<Object>>();
+        princAttributes.put(IDENTIFIER, Collections.singletonList(IDENTIFIER_VALUE));
+        val principal = resolver.resolve(new ClientCredential(null, PROVIDER_NAME),
+            Optional.of(principalFactory.createPrincipal(USERNAME, princAttributes)), Optional.empty());
+        assertEquals(USERNAME_ID, principal.getId());
+        final Map<String, List<Object>> attributes = principal.getAttributes();
+        assertEquals(Arrays.asList(ROLE_NAME), attributes.get(CommonConstants.ROLES_ATTRIBUTE));
+        assertNull(attributes.get(SUPER_USER_ATTRIBUTE));
+    }
    @Test
    public void testResolveAuthnDelegationMailAttributeNoValue() {
        val provider = new IdentityProviderDto();
@@ -172,6 +197,24 @@ public final class UserPrincipalResolverTest extends BaseWebflowActionTest {
        assertEquals("nobody", principal.getId());
    }
+    @Test
+    public void testResolveAuthnDelegationIdentifierAttributeNoValue() {
+        val provider = new IdentityProviderDto();
+        provider.setId(PROVIDER_ID);
+        provider.setIdentifierAttribute(IDENTIFIER_ATTRIBUTE);
+        when(casExternalRestClient.getUser(any(ExternalHttpContext.class), eq(USERNAME), eq(PROVIDER_ID), eq(Optional.of("fake")),
+            eq(Optional.of(CommonConstants.AUTH_TOKEN_PARAMETER)))).thenReturn(userProfile(UserStatusEnum.ENABLED));
+        when(sessionStore.get(any(JEEContext.class), eq(Constants.SURROGATE))).thenReturn(Optional.empty());
+        when(identityProviderHelper.findByTechnicalName(eq(providersService.getProviders()), eq(PROVIDER_NAME))).thenReturn(Optional.of(provider));
+        val princAttributes = new HashMap<String, List<Object>>();
+        princAttributes.put(IDENTIFIER, Collections.emptyList());
+        val principal = resolver.resolve(new ClientCredential(null, PROVIDER_NAME),
+            Optional.of(principalFactory.createPrincipal("fake", princAttributes)), Optional.empty());
+        assertEquals("nobody", principal.getId());
+    }
    @Test
    public void testResolveSurrogateUser() {
        when(casExternalRestClient.getUser(any(ExternalHttpContext.class), eq(USERNAME), eq(null), eq(Optional.empty()),