From 316f5a90d6d565eb6b8e9567bb5e053a4603ac5a Mon Sep 17 00:00:00 2001
From: Alex Ivanov <alex@calmforce.com>
Date: Tue, 16 May 2017 17:41:00 -0400
Subject: [PATCH 1/4] Shibboleth SSO functionality

---
 .../iq/dataverse/DataverseHeaderFragment.java | 25 +++++++------------
 .../settings/SettingsServiceBean.java         |  7 +++++-
 src/main/webapp/dataverse_header.xhtml        |  3 ++-
 src/main/webapp/logout.xhtml                  | 24 ++++++++++++++++++
 4 files changed, 41 insertions(+), 18 deletions(-)
 create mode 100644 src/main/webapp/logout.xhtml

diff --git a/src/main/java/edu/harvard/iq/dataverse/DataverseHeaderFragment.java b/src/main/java/edu/harvard/iq/dataverse/DataverseHeaderFragment.java
index 53aea4ea674..0cdfebad095 100644
--- a/src/main/java/edu/harvard/iq/dataverse/DataverseHeaderFragment.java
+++ b/src/main/java/edu/harvard/iq/dataverse/DataverseHeaderFragment.java
@@ -13,6 +13,7 @@
 import static edu.harvard.iq.dataverse.util.JsfHelper.JH;
 import edu.harvard.iq.dataverse.util.StringUtil;
 import edu.harvard.iq.dataverse.util.SystemConfig;
+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
@@ -24,6 +25,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.ejb.EJB;
+import javax.faces.context.ExternalContext;
 import javax.faces.context.FacesContext;
 import javax.faces.view.ViewScoped;
 import javax.inject.Inject;
@@ -222,23 +224,14 @@ private TreeNode getDataverseNode(Dataverse dataverse, TreeNode root, boolean ex
      return null;
      }
      */
-    public String logout() {
+    public void logout() throws IOException {
+        ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
+        
         dataverseSession.setUser(null);
-
-        String redirectPage = navigationWrapper.getPageFromContext();
-        try {
-            redirectPage = URLDecoder.decode(redirectPage, "UTF-8");
-        } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(LoginPage.class.getName()).log(Level.SEVERE, null, ex);
-            redirectPage = "dataverse.xhtml&alias=" + dataverseService.findRootDataverse().getAlias();
-        }
-
-        if (StringUtils.isEmpty(redirectPage)) {
-            redirectPage = "dataverse.xhtml&alias=" + dataverseService.findRootDataverse().getAlias();
-        }
-
-        logger.log(Level.INFO, "Sending user to = " + redirectPage);
-        return redirectPage + (redirectPage.indexOf("?") == -1 ? "?" : "&") + "faces-redirect=true";
+                
+        String safeDefaultIfKeyNotFound = "https://idp.dev-aws.qdr.org/idp/profile/Logout";
+        String shibLogoutUrl = settingsService.getValueForKey(SettingsServiceBean.Key.ShibLogoutUrl, safeDefaultIfKeyNotFound);
+        externalContext.redirect(shibLogoutUrl);
     }
 
     private Boolean signupAllowed = null;
diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
index caeaa3627ad..794577caec6 100644
--- a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
@@ -235,7 +235,12 @@ public enum Key {
         /*
         Whether Harvesting (OAI) service is enabled
         */
-        OAIServerEnabled;
+        OAIServerEnabled,
+        
+        /**
+         * URL for Shibboleth Single Logout
+         */
+        ShibLogoutUrl;
         
         @Override
         public String toString() {
diff --git a/src/main/webapp/dataverse_header.xhtml b/src/main/webapp/dataverse_header.xhtml
index 7ff37ce6430..5bae3a6f1ae 100644
--- a/src/main/webapp/dataverse_header.xhtml
+++ b/src/main/webapp/dataverse_header.xhtml
@@ -105,7 +105,8 @@
                                 </h:outputLink>
                             </li>
                             <li>
-                                <h:outputLink value="/loginpage.xhtml?#{loginRedirectPage}">
+                                <h:outputLink value="/Shibboleth.sso/Login">
+                                    <f:param name="target" value="#{request.contextPath.concat('/shib.xhtml').concat(navigationWrapper.redirectPage)}" />
                                     #{bundle.login}
                                 </h:outputLink>
                             </li>
diff --git a/src/main/webapp/logout.xhtml b/src/main/webapp/logout.xhtml
new file mode 100644
index 00000000000..8cf3066ca9e
--- /dev/null
+++ b/src/main/webapp/logout.xhtml
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml"
+      xmlns:h="http://java.sun.com/jsf/html"
+      xmlns:f="http://java.sun.com/jsf/core"
+      xmlns:ui="http://java.sun.com/jsf/facelets"
+      xmlns:p="http://primefaces.org/ui"
+      xmlns:jsf="http://xmlns.jcp.org/jsf">
+
+    <h:head>
+    </h:head>
+
+    <h:body>
+        <f:metadata>            
+            <f:viewAction action="#{dataverseHeaderFragment.logout}"/>
+        </f:metadata>
+        <ui:composition template="/dataverse_template.xhtml">
+            <ui:param name="pageTitle" value="Log Out"/>
+            <ui:param name="showDataverseHeader" value="false"/>
+            <ui:param name="showMessagePanel" value="#{true}"/>            
+            <ui:define name="body">
+            </ui:define>
+        </ui:composition>
+    </h:body>
+</html>

From 5883e1eed62aedebfe24ebbc6ad19cdfaa0bfb04 Mon Sep 17 00:00:00 2001
From: Alex Ivanov <alex@calmforce.com>
Date: Wed, 17 May 2017 15:08:56 -0400
Subject: [PATCH 2/4] passive authentication support for Shibboleth

---
 .../settings/SettingsServiceBean.java         |  4 ++
 .../iq/dataverse/util/SystemConfig.java       |  5 +++
 src/main/webapp/dataverse_template.xhtml      |  3 ++
 .../webapp/resources/js/shib/isPassive.js     | 42 +++++++++++++++++++
 4 files changed, 54 insertions(+)
 create mode 100644 src/main/webapp/resources/js/shib/isPassive.js

diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
index 794577caec6..c2d6d86b6b2 100644
--- a/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
+++ b/src/main/java/edu/harvard/iq/dataverse/settings/SettingsServiceBean.java
@@ -237,6 +237,10 @@ Whether Harvesting (OAI) service is enabled
         */
         OAIServerEnabled,
         
+        /**
+        * Whether Shibboleth passive authentication mode is enabled
+        */
+        ShibPassiveLoginEnabled,
         /**
          * URL for Shibboleth Single Logout
          */
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java b/src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java
index 0cb29add1d9..d44d224028c 100644
--- a/src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java
+++ b/src/main/java/edu/harvard/iq/dataverse/util/SystemConfig.java
@@ -639,5 +639,10 @@ public String getOAuth2CallbackUrl() {
         }
         return saneDefault;
     }
+    
+    public boolean isShibPassiveLoginEnabled() {
+        boolean defaultResponse = false;
+        return settingsService.isTrueForKey(SettingsServiceBean.Key.ShibPassiveLoginEnabled, defaultResponse);
+    }
 
 }
diff --git a/src/main/webapp/dataverse_template.xhtml b/src/main/webapp/dataverse_template.xhtml
index fa8b48994e5..f86b55d3045 100644
--- a/src/main/webapp/dataverse_template.xhtml
+++ b/src/main/webapp/dataverse_template.xhtml
@@ -77,6 +77,9 @@
         <script type="text/javascript" defer="defer" src="#{resource['js/owl.carousel.js']}?version=#{systemConfig.getVersion()}"></script>
         <script type="text/javascript" defer="defer" src="#{resource['js/jquery.matchHeight.js']}?version=#{systemConfig.getVersion()}"></script>
         <script type="text/javascript" defer="defer" src="#{resource['js/jquery.sharrre.js']}?version=#{systemConfig.getVersion()}"></script>
+        <ui:fragment rendered="#{systemConfig.isShibPassiveLoginEnabled()}">
+            <script type="text/javascript" language="javascript" src="#{resource['js/shib/isPassive.js']}"></script>
+        </ui:fragment>
         <script>
                     $(document).ready(function () {
                         // Navbar Search Toggle
diff --git a/src/main/webapp/resources/js/shib/isPassive.js b/src/main/webapp/resources/js/shib/isPassive.js
new file mode 100644
index 00000000000..478be662ec9
--- /dev/null
+++ b/src/main/webapp/resources/js/shib/isPassive.js
@@ -0,0 +1,42 @@
+/*
+ This isPassive script will automatically try to log in a user using the SAML2
+ isPassive feature.
+ In case a user already has an authenticated session at his Identity Provider and
+ given the Discovery Service can guess the user's Identity Provider, the user will
+ eventually be on the exact same page this script is embedded in but logged in
+ (= Shibboleth attributes are available and user has a valid session with the
+ Service Provider on the same host).
+ The user page also will be requested with the same GET arguments than the initial request.
+
+ Requirements:
+ - Only works if a Service Provider 2.x is installed on the same host
+ - JavaScript must be enabled. Otherwise the script won't have any effect.
+ - The script must be able to set cookies (required for Shibboleth Service Provider as well)
+ - In the shibboleth2.xml there must be defined a redirectErrors="#THIS PAGE#" in
+ the <Errors> element. #THIS PAGE# must be the relative/absolute URL of the page
+ this script is embedded in.
+ - It also makes sense to protect #THIS PAGE# with a lazy session in order to use
+ the Shibboleth attribute that should be available after authentication.
+ */
+
+// Check for session cookie that contains the initial location
+if(document.cookie && document.cookie.search(/_check_is_passive_dv=/) >= 0){
+    // If we have the opensaml::FatalProfileException GET arguments
+    // redirect to initial location because isPassive failed
+    if (
+        window.location.search.search(/errorType/) >= 0
+        && window.location.search.search(/RelayState/) >= 0
+        && window.location.search.search(/requestURL/) >= 0
+    ) {
+        var cookieStr = document.cookie + ";";
+        var startpos = (cookieStr.indexOf('_check_is_passive_dv=')+21);
+        var endpos = cookieStr.indexOf(';', startpos);
+        window.location = cookieStr.substring(startpos,endpos);
+    }
+} else {
+    // Mark browser as being isPassive checked
+    document.cookie = "_check_is_passive_dv=" + window.location;
+
+    // Redirect to Shibboleth handler
+    window.location = "/Shibboleth.sso/Login?isPassive=true&target=" + encodeURIComponent("https://" + window.location.hostname + "/shib.xhtml?redirectPage=" + window.location.pathname);
+}

From 3c94bbed86b627b40cd96804613469f5bbfd0319 Mon Sep 17 00:00:00 2001
From: Alex <alex@calmforce.com>
Date: Mon, 22 May 2017 22:46:51 -0400
Subject: [PATCH 3/4] Update dataverse_template.xhtml

---
 src/main/webapp/dataverse_template.xhtml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/main/webapp/dataverse_template.xhtml b/src/main/webapp/dataverse_template.xhtml
index 95d7c7b3f51..f86b55d3045 100644
--- a/src/main/webapp/dataverse_template.xhtml
+++ b/src/main/webapp/dataverse_template.xhtml
@@ -76,8 +76,7 @@
         <script type="text/javascript" defer="defer" src="#{resource['js/dv_rebind_bootstrap_ui.js']}?version=#{systemConfig.getVersion()}"></script>
         <script type="text/javascript" defer="defer" src="#{resource['js/owl.carousel.js']}?version=#{systemConfig.getVersion()}"></script>
         <script type="text/javascript" defer="defer" src="#{resource['js/jquery.matchHeight.js']}?version=#{systemConfig.getVersion()}"></script>
-        <script type="text/javascript" defer="defer" src="#{resource['js/jquery.sharrre.js']}?version=#{systemConfig.getVersion()}"></script>        
-        
+        <script type="text/javascript" defer="defer" src="#{resource['js/jquery.sharrre.js']}?version=#{systemConfig.getVersion()}"></script>
         <ui:fragment rendered="#{systemConfig.isShibPassiveLoginEnabled()}">
             <script type="text/javascript" language="javascript" src="#{resource['js/shib/isPassive.js']}"></script>
         </ui:fragment>

From 63b88283e5fe3f30040b1b2dbaab42e0010f524b Mon Sep 17 00:00:00 2001
From: Alex <alex@calmforce.com>
Date: Mon, 22 May 2017 22:54:45 -0400
Subject: [PATCH 4/4] Update dataverse_template.xhtml

---
 src/main/webapp/dataverse_template.xhtml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/webapp/dataverse_template.xhtml b/src/main/webapp/dataverse_template.xhtml
index f86b55d3045..7cd37cc13cd 100644
--- a/src/main/webapp/dataverse_template.xhtml
+++ b/src/main/webapp/dataverse_template.xhtml
@@ -76,7 +76,7 @@
         <script type="text/javascript" defer="defer" src="#{resource['js/dv_rebind_bootstrap_ui.js']}?version=#{systemConfig.getVersion()}"></script>
         <script type="text/javascript" defer="defer" src="#{resource['js/owl.carousel.js']}?version=#{systemConfig.getVersion()}"></script>
         <script type="text/javascript" defer="defer" src="#{resource['js/jquery.matchHeight.js']}?version=#{systemConfig.getVersion()}"></script>
-        <script type="text/javascript" defer="defer" src="#{resource['js/jquery.sharrre.js']}?version=#{systemConfig.getVersion()}"></script>
+        <script type="text/javascript" defer="defer" src="#{resource['js/jquery.sharrre.js']}?version=#{systemConfig.getVersion()}"></script>          
         <ui:fragment rendered="#{systemConfig.isShibPassiveLoginEnabled()}">
             <script type="text/javascript" language="javascript" src="#{resource['js/shib/isPassive.js']}"></script>
         </ui:fragment>