feat: entityId in entitlement filters can be now set in config (#151)

xpavlic · web-flow · commit 27503e5930ea · 2021-04-27T07:51:17.000+02:00
Co-authored-by: Jan Pavlicek &lt;469355@mail.muni.cz&gt;
diff --git a/lib/Auth/Process/PerunEntitlement.php b/lib/Auth/Process/PerunEntitlement.php
@@ -28,6 +28,7 @@ class PerunEntitlement extends ProcessingFilter
     const ENTITLEMENTAUTHORITY_ATTR = 'entitlementAuthority';
     const GROUPNAMEAARC_ATTR = 'groupNameAARC';
     const INTERFACE_PROPNAME = 'interface';
+    const ENTITY_ID = 'entityID';
 
     private $eduPersonEntitlement;
     private $releaseForwardedEntitlement;
@@ -36,6 +37,7 @@ class PerunEntitlement extends ProcessingFilter
     private $entitlementAuthority;
     private $groupNameAARC;
     private $adapter;
+    private $entityId;
 
     public function __construct($config, $reserved)
     {
@@ -62,6 +64,8 @@ public function __construct($config, $reserved)
             $this->groupNameAARC ? Configuration::REQUIRED_OPTION : ''
         );
 
+        $this->entityId = $modulePerunConfiguration->getString(self::ENTITY_ID, null);
+
         $interface = $configuration->getValueValidate(
             self::INTERFACE_PROPNAME,
             [Adapter::RPC, Adapter::LDAP],
@@ -76,13 +80,18 @@ public function process(&$request)
         $capabilities = [];
         $forwardedEduPersonEntitlement = [];
 
+        if ($this->entityId === null) {
+            $this->entityId = EntitlementUtils::getSpEntityId($request);
+        }
+
         if (isset($request['perun']['groups'])) {
             $eduPersonEntitlement = $this->getEduPersonEntitlement($request);
             $capabilities = EntitlementUtils::getCapabilities(
                 $request,
                 $this->adapter,
                 $this->entitlementPrefix,
-                $this->entitlementAuthority
+                $this->entitlementAuthority,
+                $this->entityId
             );
         } else {
             Logger::debug(
@@ -156,19 +165,19 @@ protected function mapGroupName($request, $groupName)
             isset($request['SPMetadata']['groupMapping'][$groupName])) {
             Logger::debug(
                 'Mapping ' . $groupName . ' to ' . $request['SPMetadata']['groupMapping'][$groupName] .
-                ' for SP ' . $request['SPMetadata']['entityid']
+                ' for SP ' . $this->entityId
             );
             return $request['SPMetadata']['groupMapping'][$groupName];
         } elseif (isset($request['SPMetadata'][self::ENTITLEMENTPREFIX_ATTR])) {
             Logger::debug(
-                'EntitlementPrefix overridden by a SP ' . $request['SPMetadata']['entityid'] .
+                'EntitlementPrefix overridden by a SP ' . $this->entityId .
                 ' to ' . $request['SPMetadata'][self::ENTITLEMENTPREFIX_ATTR]
             );
             return $request['SPMetadata'][self::ENTITLEMENTPREFIX_ATTR] . $groupName;
         } else {
             # No mapping defined, so just put groupNamePrefix in front of the group
             Logger::debug(
-                'No mapping found for group ' . $groupName . ' for SP ' . $request['SPMetadata']['entityid']
+                'No mapping found for group ' . $groupName . ' for SP ' . $this->entityId
             );
             return $this->entitlementPrefix . 'group:' . $groupName;
         }
diff --git a/lib/Auth/Process/PerunEntitlementExtended.php b/lib/Auth/Process/PerunEntitlementExtended.php
@@ -28,6 +28,7 @@ class PerunEntitlementExtended extends ProcessingFilter
     const ENTITLEMENTAUTHORITY_ATTR = 'entitlementAuthority';
     const GROUPNAMEAARC_ATTR = 'groupNameAARC';
     const INTERFACE_PROPNAME = 'interface';
+    const ENTITY_ID = 'entityID';
 
     private $outputAttrName;
     private $releaseForwardedEntitlement;
@@ -36,6 +37,7 @@ class PerunEntitlementExtended extends ProcessingFilter
     private $entitlementAuthority;
     private $groupNameAARC;
     private $adapter;
+    private $entityId;
 
     public function __construct($config, $reserved)
     {
@@ -62,6 +64,8 @@ public function __construct($config, $reserved)
             $this->groupNameAARC ? Configuration::REQUIRED_OPTION : ''
         );
 
+        $this->entityId = $modulePerunConfiguration->getString(self::ENTITY_ID, null);
+
         $interface = $configuration->getValueValidate(
             self::INTERFACE_PROPNAME,
             [Adapter::RPC, Adapter::LDAP],
@@ -76,14 +80,19 @@ public function process(&$request)
         $capabilities = [];
         $forwardedEduPersonEntitlement = [];
 
+        if ($this->entityId === null) {
+            $this->entityId = EntitlementUtils::getSpEntityId($request);
+        }
+
         if (isset($request['perun']['groups'])) {
             $eduPersonEntitlementExtended = $this->getEduPersonEntitlementExtended($request);
 
             $capabilities = EntitlementUtils::getCapabilities(
                 $request,
                 $this->adapter,
                 $this->entitlementPrefix,
-                $this->entitlementAuthority
+                $this->entitlementAuthority,
+                $this->entityId
             );
         } else {
             Logger::debug(
diff --git a/lib/EntitlementUtils.php b/lib/EntitlementUtils.php
@@ -53,13 +53,12 @@ public static function getForwardedEduPersonEntitlement(&$request, $adapter, $fo
         return $result;
     }
 
-    public static function getCapabilities(&$request, $adapter, $prefix, $authority)
+    public static function getCapabilities(&$request, $adapter, $prefix, $authority, $spEntityId)
     {
         $resourceCapabilities = [];
         $facilityCapabilities = [];
         $capabilitiesResult = [];
 
-        $spEntityId = self::getSpEntityId($request);
         try {
             $resourceCapabilities = $adapter->getResourceCapabilities($spEntityId, $request['perun']['groups']);
             $facilityCapabilities = $adapter->getFacilityCapabilities($spEntityId);
@@ -142,7 +141,7 @@ public static function groupEntitlementWithAttributesWrapper($uuid, $groupName,
             EntitlementUtils::encodeName($groupName) . '#' . $authority;
     }
 
-    private static function getSpEntityId(&$request)
+    public static function getSpEntityId(&$request)
     {
         if (isset($request['SPMetadata']['entityid'])) {
             return $request['SPMetadata']['entityid'];

Original file line number	Diff line number	Diff line change
`@@ -53,13 +53,12 @@ public static function getForwardedEduPersonEntitlement(&$request, $adapter, $fo`
`53`	`53`	`return $result;`
`54`	`54`	`}`
`55`	`55`
`56`		`- public static function getCapabilities(&$request, $adapter, $prefix, $authority)`
	`56`	`+ public static function getCapabilities(&$request, $adapter, $prefix, $authority, $spEntityId)`
`57`	`57`	`{`
`58`	`58`	`$resourceCapabilities = [];`
`59`	`59`	`$facilityCapabilities = [];`
`60`	`60`	`$capabilitiesResult = [];`
`61`	`61`
`62`		`- $spEntityId = self::getSpEntityId($request);`
`63`	`62`	`try {`
`64`	`63`	`$resourceCapabilities = $adapter->getResourceCapabilities($spEntityId, $request['perun']['groups']);`
`65`	`64`	`$facilityCapabilities = $adapter->getFacilityCapabilities($spEntityId);`
`@@ -142,7 +141,7 @@ public static function groupEntitlementWithAttributesWrapper($uuid, $groupName,`
`142`	`141`	`EntitlementUtils::encodeName($groupName) . '#' . $authority;`
`143`	`142`	`}`
`144`	`143`
`145`		`- private static function getSpEntityId(&$request)`
	`144`	`+ public static function getSpEntityId(&$request)`
`146`	`145`	`{`
`147`	`146`	`if (isset($request['SPMetadata']['entityid'])) {`
`148`	`147`	`return $request['SPMetadata']['entityid'];`