clarin-dspace
clarin-dspace copied to clipboard
ufal
Shibboleth AAI
The scenarios in this section test various header release policies by IDPs, in some cases they describe expected UI look. There are expectations on what needs to be configurable:
- It must be possible to change the source of the IDPs (the discovery feed url) displayed in the discojuice component
- All users logging in via shibboleth must be assigned to a special group, the group name must be configurable (cf. https://github.com/ufal/clarin-dspace/blob/8a6ba5c98547942d7115b74cf4978e0b29ca50e4/dspace/config/modules/authentication-shibboleth.cfg#L196)
- It must be possible to use any header to map a user to a group. Note that the headers may be multivalued. Examples from the v5 configuration follows, keeping the same syntax is optional. o “header.shib-identity-provider = https://auth.nfa.cz:4443/idp/shibboleth => NFA”; i.e., if the shib-identity-provider header has a value matching what’s before “=>” (…auth.nfa.cz…) assign the user to the group after “=>” (NFA in this case). o “header.unscoped-affiliation = member => MEMBERS, staff=> STAFF, employee => EMPLOYEES, alum => ALUMS”; this handles 4 different values of the unscoped-affiliation header
- The headers used by the software to perform lookup or creation of an EPerson must be configurable as well. I.e., the service provider configuration will not rename the attributes to accommodate the software, cf. https://github.com/ufal/clarin-dspace/blob/8a6ba5c98547942d7115b74cf4978e0b29ca50e4/dspace/config/modules/authentication-shibboleth.cfg#L90 and other lines in that file. Note especially that netid-header is configured with both eppn and persistent-id. These are used in the order they appear; i.e., when searching for an EPerson the eppn header is used first and when that fails persistent-id is used. The environment will include https://github.com/ufal/dockerized-idp-testbed which provides a shibboleth-sp and two shibboleth idps (idp1: entityID=https://idptestbed/idp/shibboleth; idp2: entityID=https://someother/idp/shibboleth). It’s expected that the configuration will need changes. Changes to https://github.com/ufal/dockerized-idp-testbed/blob/master/sp3/etc-httpd/conf.d/sp.conf and https://github.com/ufal/dockerized-idp-testbed/blob/master/httpd-proxy/etc-httpd/conf.d/httpd.conf should document what dspace endpoints need to be shibboleth protected. All the users have the same password: “password”. Idp2 does not release eduPersonPrincipalName and for accounts that contain the string “no_netid”, neither the eduPersonTargetedID (persistent-id) is released.
1.3.1. Testing discojuice
What we test here is that discojuice appears when expected, it looks ok and is configurable. For these tests the “master” source of the idp feed will be https://lindat.mff.cuni.cz/Shibboleth.sso/DiscoFeed (The actual url configured in discojuice might differ. Compare with how the current version uses https://lindat.mff.cuni.cz/repository/xmlui/discojuice/feeds?callback=dj_md_1). Currently, discojuice has a default configuration at https://lindat.mff.cuni.cz/aai/aai.js and local overrides in https://github.com/ufal/clarin-dspace/blob/clarin/dspace-xmlui/src/main/webapp/themes/UFAL/lib/js/aai_config.js. If this is different, this must be documented. E.g., how does one change the heading of the modal (currently “LINDAT/CLARIAH-CZ Repository”).
1.3.1.1. User initiated login
Users clicks the login button; a list of universities appears. If they have Unicode characters in their name or description (for example Chinese universities), these must be displayed correctly. The login button should always display the discojuice modal, it must not take the user to /login (or any other url).
1.3.1.2. System initiated login
When there’s no user logged in and this anonymous user tries to do an action that requires a login (accessing a restricted resource, going directly to “my submissions”, etc.), the system must ask him to log in. It should be using discojuice as well. As an example go to http://hdl.handle.net/11234/1-1664 (https://lindat.mff.cuni.cz/repository/xmlui/handle/11234/1-1664 ) and try downloading the file.
1.3.1.3. Local authentication
The list of IDPs shown by discojuice must contain a “Local authentication” option. This allows the user to use accounts local to the DSpace installation, i.e., no IDP is involved. This might redirect the user to some other url (in the repository space) such as /login. The method must accept correct credentials on the first attempt, i.e., CSRF tokens or other forms of protection must be used correctly.
1.3.2. Testing the log in process
The following test cases try to cover various attribute release policies, local authentication, logout, correct display of accents, etc. The “master” source of the idp feed will be Shibboleth.sso/DiscoFeed provided by the dockerized-idp-testbed sp (by default the url is https://localhost/Shibboleth.sso/DiscoFeed ). It is expected that after a successful login the user will be taken back to the page where the login was initiated. After a successful login the red “Login” button is replaced with a username that links to user’s profile and a logout button. Clicking logout signs the user out of the application (no need to chain sp logout nor idp logout). If a user is logged in for the first time a welcome page is displayed. This lists the attributes provided by the idp and links to a privacy policy page. It should be documented how to change the linked page. The shibboleth default.auth.group will be configured to “Authenticated”. This group will be created before the tests. All successful shibboleth logins (the users) must be assigned to that group. The header names exposed by the sp will match the old configuration
- netid-header = eppn,persistent-id
- email-header = mail
- firstname-header = givenName
- lastname-header = sn
- lastname-header-fallback = cn The configuration should map all users from idp2 (https://someother/idp/shibboleth) to group IDP2 and map the unscoped-affiliation header values like this (value => group):
- member => MEMBERS,
- staff=> STAFF,
- employee => EMPLOYEES,
- alum => ALUMS It should map the entitlement header values like this:
- urn:cuni:affiliation:[email protected] => UFAL_MEMBER,
- urn:cuni:affiliation:[email protected] => CUNI_STAFF The groups will be created manually.
In v5 every user belongs to the Anonymous group. Logging in must not reduce what a user can see or do. The test system will have a valid smtp configuration. That said, with mail.server.disabled = true, the system should log the message and the addresses it would mail to (see https://github.com/ufal/clarin-dspace/blob/8a6ba5c98547942d7115b74cf4978e0b29ca50e4/dspace-api/src/main/java/org/dspace/core/Email.java#L465-L484). This should allow to go through all the test cases even without a functional mail server. When the tests ending up in a successful login are run for the first time a new user account is created. When repeated the existing account should be found. The implementation should describe what happens when an email changes at the idp see 1.3.2.9.
1.3.2.1. Local authentication
Discojuice is invoked and local authentication is selected. The system has an administrator account created via the cli create-administrator. This is used to log in. This is not a shibboleth login, user profile should not contain the “Authenticated” group.
1.3.2.2. Shibboleth login with eppn header and email available
Invoke discojuice select idp1 (entityID=https://idptestbed/idp/shibboleth), on the idp login page use “bfu” as the username. Back in the repository the displayed user name should be “Franta Uživatel Běžný”, the accents should be displayed correctly. Visiting the user profile should show the “Authenticated” group. This should use the eppn header, i.e., the stored netid should contain [email protected]. V5 does modify the netid before storing it (see https://github.com/ufal/clarin-dspace/blob/8a6ba5c98547942d7115b74cf4978e0b29ca50e4/dspace-api/src/main/java/cz/cuni/mff/ufal/dspace/authenticate/shibboleth/ShibEPerson.java#L259). V7.5 should do the same, or the netids won’t match (when we migrate the production setup).
1.3.2.3. Shibboleth login with persistent-id header and email available
Use idp2 and “anon” as the username; the user should be logged in successfully, be in the “Authenticated” and “IDP2” groups (there’s no mapping for the unscoped-affiliation with value “student”), the netid column should be filled in.
1.3.2.4. Group mapping
Login using idp1 and username “person”. The user should be assigned to the following groups: Authenticated, MEMBER, STAFF, UFAL_MEMBER and CUNI_STAFF
1.3.2.5. Same email different idp
After performing the 1.3.2.2 case. Logout, https://localhost/Shibboleth.sso/Logout, https://localhost/idp/profile/Logout (or test in a private tab). Select idp2 and use the “bfu” username. This should not sign the user in but display an error message.
Sufficient details should be logged into dspace (authentication) logs as well.
1.3.2.6. No mail header
Use idp1 and “no_email” username. This exposes a netid header but there’s no mail header. The system must ask the user to fill his email. It must accept valid emails, especially those using the + sign ([email protected]). An email with a verification token/link will be sent to this address. Following the verification link should sign the user in and display the welcome login with idp information (released attributes). Logout Log in again using idp1 and “no_email” username. The email prompt should not be shown this time, the user should be registered right away.
1.3.2.7. Neither netid nor mail
Use idp2, username “no_netid_no_email”. This should fail with a message similar to these two (https://github.com/ufal/clarin-dspace/blob/8a6ba5c98547942d7115b74cf4978e0b29ca50e4/dspace-xmlui/src/main/webapp/themes/UFAL/lib/js/messages/messages.js#L31-L32).
1.3.2.8. No netid
Use idp2, username “no_netid”. This should succeed. The netid column should be null. A first login should create an eperson a second login should find that eperson just by email.
1.3.2.9. Email change (documentation)
Use idp1, “bfu” username to login. Change https://github.com/ufal/dockerized-idp-testbed/blob/c4305f9628230c107f4e4ba7477d3bd1f895e116/ldap/users.ldif#L16 and rebuild the idp -testbed. Use idp1, “bfu” username. Is the email updated or not?
@milanmajchrak with BE @ fb252cf576458e3cab4b054e4a3ee8b2fc5518bb the no_email (1.3.2.6) does not work. the FE shows some basic "can't send email" error; underneath it gets a 400 bad request from /api/autoregistration
the tomcat logs (cf. #1033 ) contain:
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: Error parsing HTTP request header
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: java.lang.IllegalArgumentException: Invalid character found in the request target [/server/api/[email protected][https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/idp/shibboleth]&[email protected] ]. The valid characters are defined in RFC 723>Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:494)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:271)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1735)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Oct 04 16:27:40 dspace-dev tomcat9[3422607]: at java.base/java.lang.Thread.run(Thread.java:833)
Is percent encoding (or base64?) of the params a solution?
I haven't tested the other use cases, yet.
re: 1.3.2.9. Email change (documentation): The email is updated (if the eperson is identified by a netid). If the new email is already assigned to an existing eperson the server throws, shows a whitelabel error page (500)...this seems tolerable
relabeling as in progress as the underlying issues are marked as in progress