Shibboleth dynamic login handler #1607

jchssystems · 2020-05-27T13:39:41Z

This feature allows to add Shibboleth users in a dynamic way from configuration.

Configuration is located in mh-default-org.xml.
Shibboleth attributes are mapped using SpEL.
It uses a new class DynamicLoginHander instead of ConfigurableLoginHandler.

lkiesow

I haven't actually compiled or even tested this but just skimmed through the code. I didn't find any critical issues, just a bunch of minor comments so far…

modules/security-aai/src/main/java/org/opencastproject/security/aai/api/AttributeMapper.java

modules/userdirectory/src/main/java/org/opencastproject/userdirectory/JpaGroupRoleProvider.java

.../userdirectory/src/main/java/org/opencastproject/userdirectory/JpaUserReferenceProvider.java

modules/security-aai/src/main/java/org/opencastproject/security/aai/DynamicLoginHandler.java

hsssystems · 2020-06-11T11:29:29Z

modules/userdirectory/src/main/java/org/opencastproject/userdirectory/JpaGroupRoleProvider.java

@@ -81,7 +82,7 @@
  immediate = true,
  service = { RoleProvider.class, JpaGroupRoleProvider.class }
 )
-public class JpaGroupRoleProvider extends AbstractIndexProducer implements RoleProvider, GroupProvider {
+public class JpaGroupRoleProvider extends AbstractIndexProducer implements RoleProvider, GroupProvider, GroupRoleProvider {


Isn't it sufficient to implement only GroupRoleProvider?

modules/security-aai/src/main/java/org/opencastproject/security/aai/DynamicLoginHandler.java

jchssystems · 2020-06-23T15:05:27Z

Please, review tthe code again. Some changes were made.
I'm still not sure if both logins should exist or if the new one will replace the old one.
And about the documentation, should I have a totally independent page for the new login handler? when the code is ok, fix the documentation.

gregorydlogan · 2020-07-22T21:29:26Z

@staubesv any chance you can take another pass through this? I'm unfamiliar with any other major adopter using Shibboleth.

hsssystems · 2020-07-23T10:41:13Z

@staubesv any chance you can take another pass through this? I'm unfamiliar with any other major adopter using Shibboleth.

Yesterday we made another integration test on a OC9 test installation with this branch and it worked. However, we found some issues:

we need to adapt the the documentation (example configuration) and the unit test
Updating the displayName or group memberships (only removing users from groups) needs several logins. Do we need some index / cache invalidation?
The GroupRoleProvider interface needs refactoring

otti-ssystems · 2020-07-29T10:22:44Z

Hi.

I adjusted the structure of the interfaces.
DynamicLoginHandler is not extending GroupRoleProvider anymore.
Instead we are using now AAIRoleProvider which contains getRoles, so
i haven't had to touch RoleProvider.

I also ajusted the Tests, because the mapping of givenName and sn is not
needed in this context.

Travis is not able to build because of a weird Exception.

https://travis-ci.com/github/opencast/opencast/jobs/366125028

refs #502450 ADD Shibboleth Dynamic Loginhandler refs #501517 FIX Update group memberships in Shibboleth LoginHandler refs #501517 ADD Dynamic login handler based on spring expressions refs #501517 ADD Tests for dynamic login handler based on spring expressions refs #501517 FIX Interfaces and maven-dependency-plugin refs opencast#4870 FIX map email and name refs opencast#4943 FIX Fallback to user create when there is no user reference for existing users - FIXME Check for existence of non-ref user first FIX securitty.aai Checkstyle FIX userdirectory Checkstyle FIX all refs #502450 FIX Shibboleth Dynamic Loginhandler refs opencast#2965 FIX Example configuration for Dynamic loginhandler refs opencast#2965 FIX Use spring util 3.1 xsd - not tested - FIXME We may need to update pom.xml refs opencast#2965 FIX Mockdata

…displayName in OC

…in Handler

jchssystems · 2020-09-08T08:11:16Z

@lkiesow @gregorydlogan
I have fixed the problem that was there some time ago and it compiles well. The code was also refactored. Could you please check it again? So we can close the issue as soon as possible.
Thanks in advance.

otti-ssystems · 2020-09-08T14:25:50Z

Hi Guys.
Sorry but i dont get it.

Is there still something to be done or is this ready to merge?

gregorydlogan · 2020-09-10T03:17:54Z

Hi @jchssystems @otti-ssystems we don't get notifications when things change, so unless someone manually checks we don't know that you'd pushed changes. If you don't see something happen within a week or so please ping the people who have been active in the ticket, or pipe up on the dev list.

I have no way to test this unfortunately, so I"m somewhat hamstrung in terms of getting it merged. I'm assuming you're writing this for a client, can they verify that it's working in prod?

hsssystems · 2020-09-10T08:46:14Z

Hi Greg,

the handler is in production on several clients! However, we will deploy again an Opencast 9 with the handler and test it another time systematically (we did already twice). Is that OK for you?

Our QA guys will test it, not the programmers, so it should be safe :-)

gregorydlogan · 2020-09-11T00:00:53Z

Ok, sounds fair. Let's merge this then.

jchssystems force-pushed the Shibboleth_Dynamic_login_handler branch 3 times, most recently from 823b691 to c66e404 Compare June 3, 2020 10:47

lkiesow requested changes Jun 6, 2020

View reviewed changes

staubesv reviewed Jun 8, 2020

View reviewed changes