Shib group in another group doesn't work #9369

Closed
scolapasta opened this issue Feb 7, 2023 · 4 comments · Fixed by #9597

@scolapasta
Contributor

In Harvard Dataverse, we have a group of Shib groups. However, granting a role assignment to this group doesn't seem to work.

If I add a user to that group, that user does get access, so it's not a group issue.

Similarly, if I give the shib group access directly, it also works.

@mreekie mreekie added the Size: 3 A percentage of a sprint. 2.1 hours. label Feb 13, 2023
@landreev landreev moved this from ▶ SPRINT READY to This Sprint 🏃‍♀️ 🏃 in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34) May 10, 2023
@landreev
Contributor

Just curious, did somebody look into this and conclude that it was a trivial fix ("Size: 3")? - If so, please add a couple of words on what/where needs to be fixed. Gustavo's description did not imply that it was obvious (?).
To me at least, "3" suggests something along the lines of, yeah, this is in such and such class, just needs a recursive clause added to a lookup method. (Unless it's already obvious, to anyone who had done any work on shib groups - I haven't personally)

@pdurbin
Member

pdurbin commented May 12, 2023

I don't know where the 3 came from. I mean, I can see above who added it and when, but there are no breadcrumbs about the reasoning.

I implemented Shib groups originally. I'm fairly uncertain as to how to size this issue. One challenge is having an environment to test with. Hopefully the :DebugShibAccountType stuff here is helpful: https://guides.dataverse.org/en/5.13/developers/remote-users.html#shibboleth-and-oauth . I've never set up real Shibboleth on my Mac but @GPortas recently created https://github.com/GPortas/dockerized-idp-testbed/tree/poc which you can read about at https://iqss.slack.com/archives/C010LA04BCG/p1669192401072679?thread_ts=1669151276.670249&cid=C010LA04BCG

Another option is to set up Shibboleth for real on a server (well, I would recommend SAMLtest as a real-ish IdP: https://guides.dataverse.org/en/5.13/installation/shibboleth.html#exchange-metadata-with-your-identity-provider ), but then it's a bit of a pain to get code from your laptop onto the server.

I hope this helps!

@landreev
Contributor

I'm generally not opposed to the idea of testing things like this on demo.dataverse.org; considering that it's quite rare that we need to test anything shib-related.

@landreev landreev moved this from This Sprint 🏃‍♀️ 🏃 to IQSS Team - In Progress 💻 in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34) May 12, 2023
@landreev landreev self-assigned this May 12, 2023
@landreev
Contributor

Worth pointing out that it's actually working, partially. Specifically, it's working for the purposes of granting a group member permission to view an object in the search results on the collection page. I.e., if I give curator role to a "shib groups in a group" group for a specific unpublished dataset, a logged-in shib user can't go to the dataset, but can see the search card for it.
