Merge pull request #98 from vyskocilpavel/entitlements

Entitlements

Author: vyskocilpavel

CHANGELOG.md

@@ -2,6 +2,8 @@
 All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
+#### Changed
+- Releasing forwardedEduPersonEntitlement is now optional (forwardedEduPersonEntitlement are released by default)
 
 ## [v3.7.4]
 #### Added

config-templates/processFilterConfigurations-example.md

@@ -38,6 +38,21 @@ Example how to enable filter IdPAttribute:
 'OrganizationName:en' => 'idp_organizationName' means that the $IdPMetadata['Organization']['en'] will be save into 
 $request['Attributes']['idp_organizationName']
 
+## PerunEntitlement
+
+Example how to enable/configure filter PerunEntitlement:
+
+```php
+33 => array(
+    'class' => 'perun:PerunEntitlement',
+    'interface' => 'ldap',
+    'eduPersonEntitlement' => 'eduPersonEntitlement',
+    # forwarded entitlement are released by default
+    #'releaseForwardedEntitlement' => false, OPTIONAL
+    'forwardedEduPersonEntitlement' => 'eduPersonEntitlement',
+),
+```
+
 ## ForceAup
 
 1.Create these attributes in Perun:

lib/Auth/Process/PerunEntitlement.php

@@ -14,18 +14,21 @@
  * This filter joins eduPersonEntitlement, forwardedEduPersonEntitlement and resource capabilities
  *
  * @author Dominik Baránek <[email protected]>
+ * @author Pavel Vyskočil <[email protected]>
  */
 class PerunEntitlement extends ProcessingFilter
 {
     const CONFIG_FILE_NAME = 'module_perun.php';
     const EDU_PERSON_ENTITLEMENT = 'eduPersonEntitlement';
+    const RELEASE_FORWARDED_ENTITLEMENT = 'releaseForwardedEntitlement';
     const FORWARDED_EDU_PERSON_ENTITLEMENT = 'forwardedEduPersonEntitlement';
     const ENTITLEMENTPREFIX_ATTR = 'entitlementPrefix';
     const ENTITLEMENTAUTHORITY_ATTR = 'entitlementAuthority';
     const GROUPNAMEAARC_ATTR = 'groupNameAARC';
     const INTERFACE_PROPNAME = 'interface';
 
     private $eduPersonEntitlement;
+    private $releaseForwardedEntitlement;
     private $forwardedEduPersonEntitlement;
     private $entitlementPrefix;
     private $entitlementAuthority;
@@ -45,8 +48,12 @@ public function __construct($config, $reserved)
                 self::EDU_PERSON_ENTITLEMENT . '.'
             );
         }
+        $configuration = Configuration::loadFromArray($config);
+
         $this->eduPersonEntitlement = $config[self::EDU_PERSON_ENTITLEMENT];
 
+        $this->releaseForwardedEntitlement = $configuration->getBoolean(self::RELEASE_FORWARDED_ENTITLEMENT, true);
+
         if (!isset($config[self::FORWARDED_EDU_PERSON_ENTITLEMENT])) {
             throw new Exception(
                 'perun:PerunEntitlement: missing mandatory configuration option ' .
@@ -77,7 +84,10 @@ public function __construct($config, $reserved)
     public function process(&$request)
     {
         $eduPersonEntitlement = $this->getEduPersonEntitlement($request);
-        $forwardedEduPersonEntitlement = $this->getForwardedEduPersonEntitlement($request);
+        $forwardedEduPersonEntitlement = [];
+        if ($this->releaseForwardedEntitlement) {
+            $forwardedEduPersonEntitlement = $this->getForwardedEduPersonEntitlement($request);
+        }
         $resourceCapabilities = $this->getResourceCapabilities($request);
 
         $request['Attributes'][$this->eduPersonEntitlement] = array_unique(array_merge(