PLINK2-83: SAML2AuthenticationHandler should be able to generate mult…

…ivalue Role Attribute statements
anilsaldhana · May 22, 2013 · 4e82a5c · 4e82a5c
1 parent 9610e3e
commit 4e82a5c
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 15 deletions.
diff --git a/...rc/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java b/...rc/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
@@ -42,6 +42,8 @@ public interface SAML2Handler {
 
     String DISABLE_ROLE_PICKING = "DISABLE_ROLE_PICKING";
 
+    String USE_MULTI_VALUED_ROLES = "USE_MULTI_VALUED_ROLES";
+
     String ROLE_KEY = "ROLE_KEY";
 
     /**

diff --git a/...ore/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java b/...ore/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java
@@ -22,10 +22,7 @@
 package org.picketlink.identity.federation.core.saml.v2.util;
 
 import java.net.URI;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
@@ -98,11 +95,7 @@ public static AttributeStatementType createAttributeStatement(Map<String, Object
                 Object value = attributes.get(key);
                 if (value instanceof Collection<?>) {
                     Collection<?> roles = (Collection<?>) value;
-                    for (Object role : roles) {
-                        AttributeType roleAttr = new AttributeType("Role");
-                        roleAttr.addAttributeValue(role);
-                        attrStatement.addAttribute(new ASTChoiceType(roleAttr));
-                    }
+                    attrStatement = createAttributeStatement(new ArrayList(roles));
                 }
             }
 
@@ -139,13 +132,33 @@ public static AttributeStatementType createAttributeStatement(List<String> roles
             if(attrStatement == null){
                 attrStatement = new AttributeStatementType();
             }
-            AttributeType attr = new AttributeType("Role");
+            AttributeType attr = new AttributeType(AttributeConstants.ROLE_IDENTIFIER_ASSERTION);
             attr.addAttributeValue(role);
             attrStatement.addAttribute(new ASTChoiceType(attr));
         }
         return attrStatement;
     }
 
+    /**
+     * Given a set of roles, create an attribute statement
+     * 
+     * @param roles
+     * @param multivalued if you want the attribute to be multi valued
+     * @return
+     */
+    public static AttributeStatementType createAttributeStatementForRoles(List<String> roles, boolean multivalued) {
+        if (multivalued == false) {
+            return createAttributeStatement(roles);
+        }
+        AttributeStatementType attrStatement = new AttributeStatementType();
+        AttributeType attr = new AttributeType(AttributeConstants.ROLE_IDENTIFIER_ASSERTION);
+        for (String role : roles) {
+            attr.addAttributeValue(role);
+        }
+        attrStatement.addAttribute(new ASTChoiceType(attr));
+        return attrStatement;
+    }
+
     /**
      * Given an attribute type and a value, create {@link AttributeStatementType}
      *

diff --git a/...nk/test/identity/federation/web/saml/handlers/SAML2AuthenticationHandlerUnitTestCase.java b/...nk/test/identity/federation/web/saml/handlers/SAML2AuthenticationHandlerUnitTestCase.java
@@ -23,12 +23,12 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 import java.security.KeyPair;
 import java.security.Principal;
 import java.security.PublicKey;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.*;
 
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
@@ -37,8 +37,10 @@
 import org.junit.Ignore;
 import org.junit.Test;
 import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
+import org.picketlink.identity.federation.core.config.IDPType;
 import org.picketlink.identity.federation.core.config.ProviderType;
 import org.picketlink.identity.federation.core.config.SPType;
+import org.picketlink.identity.federation.core.constants.AttributeConstants;
 import org.picketlink.identity.federation.core.parsers.saml.SAMLParser;
 import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
 import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
@@ -56,19 +58,19 @@
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
 import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
 import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
+import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
 import org.picketlink.identity.federation.core.util.KeyStoreUtil;
 import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
 import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
 import org.picketlink.identity.federation.saml.v2.SAML2Object;
-import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
-import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
-import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
+import org.picketlink.identity.federation.saml.v2.assertion.*;
 import org.picketlink.identity.federation.saml.v2.assertion.SubjectType.STSubType;
 import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
 import org.picketlink.identity.federation.saml.v2.protocol.NameIDPolicyType;
 import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
 import org.picketlink.identity.federation.web.constants.GeneralConstants;
 import org.picketlink.identity.federation.web.core.HTTPContext;
+import org.picketlink.identity.federation.web.core.IdentityServer;
 import org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler;
 import org.picketlink.test.identity.federation.web.mock.MockHttpServletRequest;
 import org.picketlink.test.identity.federation.web.mock.MockHttpServletResponse;
@@ -203,6 +205,108 @@ public String getName() {
 
         handler.handleStatusResponseType(request, response);
     }
+
+    @Test
+    public void testRoleAttributeMultipleValues() throws Exception {
+        SAML2AuthenticationHandler handler = new SAML2AuthenticationHandler();
+
+        SAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig();
+        SAML2HandlerConfig handlerConfig = new DefaultSAML2HandlerConfig();
+        handlerConfig.addParameter(GeneralConstants.NAMEID_FORMAT, JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
+        handlerConfig.addParameter(SAML2Handler.USE_MULTI_VALUED_ROLES, "true");
+
+
+        Map<String, Object> chainOptions = new HashMap<String, Object>();
+        ProviderType spType = new SPType();
+        chainOptions.put(GeneralConstants.CONFIGURATION, spType);
+        chainOptions.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "true");
+        chainConfig.set(chainOptions);
+
+        // Initialize the handler
+        handler.initChainConfig(chainConfig);
+        handler.initHandlerConfig(handlerConfig);
+
+        // Create a Protocol Context
+        MockHttpSession session = new MockHttpSession();
+        MockServletContext servletContext = new MockServletContext();
+        MockHttpServletRequest servletRequest = new MockHttpServletRequest(session, "POST");
+        MockHttpServletResponse servletResponse = new MockHttpServletResponse();
+        HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, servletContext);
+
+        SAML2Object saml2Object = new SAML2Object() {
+        };
+
+        SAMLDocumentHolder docHolder = new SAMLDocumentHolder(saml2Object, null);
+        IssuerInfoHolder issuerInfo = new IssuerInfoHolder("http://localhost:8080/idp/");
+
+        SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), docHolder,
+                SAML2Handler.HANDLER_TYPE.SP);
+        request.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.AUTH);
+
+        SAML2HandlerResponse response = new DefaultSAML2HandlerResponse();
+        handler.generateSAMLRequest(request, response);
+
+        Document samlReq = response.getResultingDocument();
+        SAMLParser parser = new SAMLParser();
+        AuthnRequestType authnRequest = (AuthnRequestType) parser.parse(DocumentUtil.getNodeAsStream(samlReq));
+        NameIDPolicyType nameIDPolicy = authnRequest.getNameIDPolicy();
+        assertEquals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get(), nameIDPolicy.getFormat().toString());
+
+        ProviderType idpType = new IDPType();
+        chainOptions = new HashMap<String, Object>();
+        chainOptions.put(GeneralConstants.CONFIGURATION, idpType);
+        chainConfig.set(chainOptions);
+
+        // Initialize the handler
+        handler.initChainConfig(chainConfig);
+        handler.initHandlerConfig(handlerConfig);
+
+        IdentityServer identityServer = new IdentityServer();
+        servletContext.setAttribute(GeneralConstants.IDENTITY_SERVER,identityServer);
+
+        //Add roles to session to be picked up by the handler
+        List<String> roles = new ArrayList<String>();
+        roles.add("role1");
+        roles.add("role2");
+        session.setAttribute(GeneralConstants.ROLES_ID,roles);
+
+        httpContext = new HTTPContext(servletRequest, servletResponse, servletContext);
+        docHolder = new SAMLDocumentHolder(authnRequest, null);
+        request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), docHolder,
+                SAML2Handler.HANDLER_TYPE.IDP);
+
+        PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+        sts.installDefaultConfiguration(null);
+
+        handler.handleRequestType(request,response);
+        samlReq = response.getResultingDocument();
+        parser = new SAMLParser();
+        ResponseType responseType = (ResponseType) parser.parse(DocumentUtil.getNodeAsStream(samlReq));
+        AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
+        assertNotNull(assertion);
+
+        Set<StatementAbstractType> statements = assertion.getStatements();
+        Iterator<StatementAbstractType> iter = statements.iterator();
+        boolean processedAttributeStatement = false;
+        while(iter.hasNext()){
+            StatementAbstractType statement = iter.next();
+            if(statement instanceof AuthnStatementType){
+                continue;
+            }
+            if(statement instanceof AttributeStatementType){
+                AttributeStatementType attributeStatementType = (AttributeStatementType)statement;
+                assertNotNull(attributeStatementType);
+                assertEquals(1, attributeStatementType.getAttributes().size());
+                AttributeType attributeType = attributeStatementType.getAttributes().get(0).getAttribute();
+                assertEquals(AttributeConstants.ROLE_IDENTIFIER_ASSERTION, attributeType.getName());
+                List<Object> values = attributeType.getAttributeValue();
+                assertEquals(2, values.size()); //2 Roles
+                processedAttributeStatement = true;
+            }
+        }
+
+        assertTrue(processedAttributeStatement);
+    }
 
     @Test
     public void testPublishAssertionInHttpSession() throws Exception {