CESNET
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎config-templates/processFilterConfigurations-example.md‎
Lines changed: 15 additions & 0 deletions b/‎config-templates/processFilterConfigurations-example.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎lib/AdapterLdap.php‎
Lines changed: 8 additions & 4 deletions b/‎lib/AdapterLdap.php‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎lib/AdapterRpc.php‎
Lines changed: 4 additions & 0 deletions b/‎lib/AdapterRpc.php‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎lib/Auth/Process/PerunEntitlement.php‎
Lines changed: 17 additions & 106 deletions b/‎lib/Auth/Process/PerunEntitlement.php‎
Lines changed: 17 additions & 106 deletions
@@ -3,6 +3,9 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+#### Added
+- Added extended PerunEntitlements
+
 ## [v4.1.1]
 #### Fixed
 - Fixed bad log message in PerunIdentity in mode USERONLY
 
@@ -57,6 +57,21 @@ Example how to enable/configure filter PerunEntitlement:
 ),
 ```
 
+## PerunEntitlementExtended
+
+Example how to enable/configure filter PerunEntitlement:
+
+```php
+33 => array(
+    'class' => 'perun:PerunEntitlementExtended',
+    'interface' => 'ldap',
+    'outputAttrName' => 'eduPersonEntitlementExtended',
+    # forwarded entitlement are released by default
+    #'releaseForwardedEntitlement' => false, OPTIONAL
+    'forwardedEduPersonEntitlement' => 'eduPersonEntitlement',
+),
+```
+
 ## ForceAup
 
 1.Create these attributes in Perun:
 
@@ -114,13 +114,14 @@ public function getMemberGroups($user, $vo)
             $group = $this->connector->searchForEntity(
                 $groupDn,
                 '(objectClass=perunGroup)',
-                ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'description']
+                ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'uuid', 'description']
             );
             array_push(
                 $groups,
                 new Group(
                     $group['perunGroupId'][0],
                     $group['perunVoId'][0],
+                    $group['uuid'][0],
                     $group['cn'][0],
                     $group['perunUniqueGroupName'][0],
                     $group['description'][0] ?? ''
@@ -154,13 +155,14 @@ public function getSpGroups($spEntityId)
                     $group = $this->connector->searchForEntity(
                         'perunGroupId=' . $groupId . ',perunVoId=' . $resource['perunVoId'][0] . ',' . $this->ldapBase,
                         '(objectClass=perunGroup)',
-                        ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'description']
+                        ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'uuid', 'description']
                     );
                     array_push(
                         $groups,
                         new Group(
                             $group['perunGroupId'][0],
                             $group['perunVoId'][0],
+                            $group['uuid'][0],
                             $group['cn'],
                             $group['perunUniqueGroupName'][0],
                             $group['description'][0] ?? ''
@@ -180,7 +182,7 @@ public function getGroupByName($vo, $name)
         $group = $this->connector->searchForEntity(
             'perunVoId=' . $voId . ',' . $this->ldapBase,
             '(&(objectClass=perunGroup)(perunUniqueGroupName=' . $name . '))',
-            ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'description']
+            ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'uuid', 'description']
         );
         if ($group === null) {
             throw new Exception(
@@ -190,6 +192,7 @@ public function getGroupByName($vo, $name)
         return new Group(
             $group['perunGroupId'][0],
             $group['perunVoId'][0],
+            $group['uuId'][0],
             $group['cn'][0],
             $group['perunUniqueGroupName'][0],
             $group['description'][0] ?? ''
@@ -404,7 +407,7 @@ public function getUsersGroupsOnFacility($spEntityId, $userId)
         $groups = $this->connector->searchForEntities(
             $this->ldapBase,
             '(&(uniqueMember=perunUserId=' . $userId . ', ou=People,' . $this->ldapBase . ')' . $resourcesString . ')',
-            ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'description']
+            ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'uuid', 'description']
         );
 
         foreach ($groups as $group) {
@@ -413,6 +416,7 @@ public function getUsersGroupsOnFacility($spEntityId, $userId)
                 new Group(
                     $group['perunGroupId'][0],
                     $group['perunVoId'][0],
+                    $group['uuid'][0],
                     $group['cn'][0],
                     $group['perunUniqueGroupName'][0],
                     $group['description'][0] ?? ''
 
@@ -139,6 +139,7 @@ public function getMemberGroups($user, $vo)
                     new Group(
                         $group['id'],
                         $group['voId'],
+                        $group['uuid'],
                         $group['name'],
                         $uniqueName,
                         $group['description']
@@ -194,6 +195,7 @@ public function getSpGroups($spEntityId)
                     new Group(
                         $group['id'],
                         $group['voId'],
+                        $group['uuid'],
                         $group['name'],
                         $uniqueName,
                         $group['description']
@@ -219,6 +221,7 @@ public function getGroupByName($vo, $name)
         return new Group(
             $group['id'],
             $group['voId'],
+            $group['uuid'],
             $group['name'],
             $uniqueName,
             $group['description']
@@ -360,6 +363,7 @@ public function getUsersGroupsOnFacility($spEntityId, $userId)
                 array_push($groups, new Group(
                     $usersGroupOnFacility['id'],
                     $usersGroupOnFacility['voId'],
+                    $usersGroupOnFacility['uuid'],
                     $usersGroupOnFacility['name'],
                     $uniqueName,
                     $usersGroupOnFacility['description']
 
@@ -7,6 +7,7 @@
 use \SimpleSAML\Auth\ProcessingFilter;
 use SimpleSAML\Module\perun\Adapter;
 use SimpleSAML\Logger;
+use SimpleSAML\Module\perun\EntitlementUtils;
 
 /**
  * Class PerunEntitlement
@@ -77,16 +78,25 @@ public function process(&$request)
 
         if (isset($request['perun']['groups'])) {
             $eduPersonEntitlement = $this->getEduPersonEntitlement($request);
-            $capabilities = $this->getCapabilities($request);
+            $capabilities = EntitlementUtils::getCapabilities(
+                $request,
+                $this->adapter,
+                $this->entitlementPrefix,
+                $this->entitlementAuthority
+            );
         } else {
             Logger::debug(
-                'perun:PerunEntitlement: There are no user groups assign to facility.' .
-                '=> Skipping getEduPersonEntitlement and getResourceCapabilities'
+                'perun:PerunEntitlement: There are no user groups assigned to facility.' .
+                '=> Skipping getEduPersonEntitlement and getCapabilities'
             );
         }
 
         if ($this->releaseForwardedEntitlement) {
-            $forwardedEduPersonEntitlement = $this->getForwardedEduPersonEntitlement($request);
+            $forwardedEduPersonEntitlement = EntitlementUtils::getForwardedEduPersonEntitlement(
+                $request,
+                $this->adapter,
+                $this->forwardedEduPersonEntitlement
+            );
         }
 
         $request['Attributes'][$this->eduPersonEntitlement] = array_unique(array_merge(
@@ -126,76 +136,11 @@ private function getEduPersonEntitlement(&$request)
         return $eduPersonEntitlement;
     }
 
-    private function getForwardedEduPersonEntitlement(&$request)
-    {
-        $forwardedEduPersonEntitlement = [];
-
-        if (!isset($request['perun']['user'])) {
-            Logger::debug(
-                'perun:PerunEntitlement: Object Perun User is not specified.' .
-                '=> Skipping getting forwardedEntitlement.'
-            );
-            return $forwardedEduPersonEntitlement;
-        }
-
-        $user = $request['perun']['user'];
-
-        try {
-            $forwardedEduPersonEntitlementMap = $this->adapter->getUserAttributesValues(
-                $user,
-                [$this->forwardedEduPersonEntitlement]
-            );
-        } catch (Exception $exception) {
-            Logger::error(
-                'perun:PerunEntitlement: Exception ' . $exception->getMessage() .
-                ' was thrown in method \'getForwardedEduPersonEntitlement\'.'
-            );
-        }
-
-        if (!empty($forwardedEduPersonEntitlementMap)) {
-            $forwardedEduPersonEntitlement = array_values($forwardedEduPersonEntitlementMap)[0];
-        }
-
-        return $forwardedEduPersonEntitlement;
-    }
-
-    private function getCapabilities(&$request)
-    {
-        $resourceCapabilities = [];
-        $facilityCapabilities = [];
-        $capabilitiesResult = [];
-
-        $spEntityId = $this->getSpEntityId($request);
-        try {
-            $resourceCapabilities = $this->adapter->getResourceCapabilities($spEntityId, $request['perun']['groups']);
-            $facilityCapabilities = $this->adapter->getFacilityCapabilities($spEntityId);
-        } catch (Exception $exception) {
-            Logger::error(
-                'perun:PerunEntitlement: Exception ' . $exception->getMessage() .
-                ' was thrown in method \'getCapabilities\'.'
-            );
-        }
-
-        $capabilities = array_unique(array_merge($resourceCapabilities, $facilityCapabilities));
-
-        foreach ($capabilities as $capability) {
-            $wrappedCapability = $this->capabilitiesWrapper($capability);
-            array_push($capabilitiesResult, $wrappedCapability);
-        }
-
-        return $capabilitiesResult;
-    }
-
     private function groupNameWrapper($groupName)
     {
-        return $this->entitlementPrefix . 'group:' . implode(':', $this->encodeName($groupName)) .
-               '#' . $this->entitlementAuthority;
-    }
-
-    private function capabilitiesWrapper($capabilities)
-    {
-        return $this->entitlementPrefix . implode(':', $this->encodeName($capabilities)) .
-               '#' . $this->entitlementAuthority;
+        return $this->entitlementPrefix . 'group:' .
+            implode(':', EntitlementUtils::encodeEntitlement($groupName)) .
+            '#' . $this->entitlementAuthority;
     }
 
     /**
@@ -228,38 +173,4 @@ protected function mapGroupName($request, $groupName)
             return $this->entitlementPrefix . 'group:' . $groupName;
         }
     }
-
-    private function encodeName($name)
-    {
-        $charsToSkip = [
-            '!' => '%21',
-            '$' => '%24',
-            '\'' => '%27',
-            '(' => '%28',
-            ')' => '%29',
-            '*' => '%2A',
-            ',' => '%2C',
-            ';' => '%3B',
-            '&' => '%26',
-            '=' => '%3D',
-            '@' => '%40',
-            ':' => '%3A',
-            '+' => '%2B'
-        ];
-
-        $name = array_map('rawurlencode', explode(':', $name));
-        $name = str_replace(array_values($charsToSkip), array_keys($charsToSkip), $name);
-
-        return $name;
-    }
-
-    private function getSpEntityId(&$request)
-    {
-        if (isset($request['SPMetadata']['entityid'])) {
-            return $request['SPMetadata']['entityid'];
-        } else {
-            throw new Exception('perun:PerunEntitlement: Cannot find entityID of remote SP. ' .
-                'hint: Do you have this filter in IdP context?');
-        }
-    }
 }