feat(shib): add support for configurable secondary header to get uniq…

…ue user ID

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "poetry.lock",
     "lines": null
   },
-  "generated_at": "2021-05-19T20:49:29Z",
+  "generated_at": "2021-05-25T17:14:14Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -84,7 +84,7 @@
       {
         "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db",
         "is_verified": false,
-        "line_number": 545,
+        "line_number": 551,
         "type": "Secret Keyword"
       }
     ],

fence/auth.py

@@ -183,6 +183,16 @@ def wrapper(*args, **kwargs):
             if enable_shib and "SHIBBOLETH_HEADER" in config:
                 eppn = flask.request.headers.get(config["SHIBBOLETH_HEADER"])
 
+                # if unique ID not in normal header, try secondary header
+                if not eppn and config["SHIBBOLETH_HEADER_SECONDARY"]:
+                    logger.debug(
+                        f"No user ID found in SHIBBOLETH_HEADER {config['SHIBBOLETH_HEADER']}. "
+                        f"Trying secondary header: {config['SHIBBOLETH_HEADER_SECONDARY']}"
+                    )
+                    eppn = flask.request.headers.get(
+                        config["SHIBBOLETH_HEADER_SECONDARY"]
+                    )
+
             if config.get("MOCK_AUTH") is True:
                 eppn = "test"
             # if there is authorization header for oauth

fence/config-default.yaml

@@ -439,6 +439,12 @@ SUPPORT_EMAIL_FOR_ERRORS: null
 # //////////////////////////////////////////////////////////////////////////////////////
 # assumes shibboleth is deployed under {{BASE_URL}}/shibboleth
 SHIBBOLETH_HEADER: 'persistent_id'
+
+# secondary header for getting unique ID
+# NOTE: For NIH's Shibboleth setup, NIH-internal employees (NIH/CIT setup no longer
+#       shares a common attribute for both internal/external employees)
+SHIBBOLETH_HEADER_SECONDARY: 'eduPersonPrincipalName'
+
 SSO_URL: 'https://auth.nih.gov/affwebservices/public/saml2sso?SPID={{BASE_URL}}/shibboleth&RelayState='
 ITRUST_GLOBAL_LOGOUT: 'https://auth.nih.gov/siteminderagent/smlogout.asp?mode=nih&AppReturnUrl='
 

tests/login/login_shib.py

@@ -11,13 +11,29 @@ def test_shib_login(app, client):
     assert r.status_code == 200
 
 
+def test_shib_login_secondary(app, client):
+    r = client.get(
+        "/login/shib/login", headers={config["SHIBBOLETH_HEADER_SECONDARY"]: "test"}
+    )
+    assert r.status_code == 200
+
+
 def test_shib_login_redirect(app, client):
     r = client.get("/login/shib?redirect=http://localhost")
     r = client.get("/login/shib/login", headers={config["SHIBBOLETH_HEADER"]: "test"})
     assert r.status_code == 302
     assert r.headers["Location"] == "http://localhost"
 
 
+def test_shib_login_redirect_secondary(app, client):
+    r = client.get("/login/shib?redirect=http://localhost")
+    r = client.get(
+        "/login/shib/login", headers={config["SHIBBOLETH_HEADER_SECONDARY"]: "test"}
+    )
+    assert r.status_code == 302
+    assert r.headers["Location"] == "http://localhost"
+
+
 def test_shib_login_fail(client):
     r = client.get("/login/shib/login")
     assert r.status_code == 401

tests/test-fence-config.yaml

@@ -300,6 +300,12 @@ SUPPORT_EMAIL_FOR_ERRORS: null
 # //////////////////////////////////////////////////////////////////////////////////////
 # assumes shibboleth is deployed under {{BASE_URL}}/shibboleth
 SHIBBOLETH_HEADER: 'persistent_id'
+
+# secondary header for getting unique ID
+# NOTE: For NIH's Shibboleth setup, NIH-internal employees (NIH/CIT setup no longer
+#       shares a common attribute for both internal/external employees)
+SHIBBOLETH_HEADER_SECONDARY: 'eduPersonPrincipalName'
+
 SSO_URL: 'https://auth.nih.gov/affwebservices/public/saml2sso?SPID={{BASE_URL}}/shibboleth&RelayState='
 ITRUST_GLOBAL_LOGOUT: 'https://auth.nih.gov/siteminderagent/smlogout.asp?mode=nih&AppReturnUrl='