CESNET
diff --git a/‎config-templates/processFilterConfigurations-example.md‎
Lines changed: 24 additions & 0 deletions b/‎config-templates/processFilterConfigurations-example.md‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎dictionaries/perun.definition.json‎
Lines changed: 45 additions & 0 deletions b/‎dictionaries/perun.definition.json‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎lib/Adapter.php‎
Lines changed: 9 additions & 1 deletion b/‎lib/Adapter.php‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎lib/AdapterLdap.php‎
Lines changed: 12 additions & 14 deletions b/‎lib/AdapterLdap.php‎
Lines changed: 12 additions & 14 deletions
diff --git a/‎lib/AdapterRpc.php‎
Lines changed: 18 additions & 14 deletions b/‎lib/AdapterRpc.php‎
Lines changed: 18 additions & 14 deletions
@@ -285,3 +285,27 @@ Configuration options:
     ],
 ],
 ```
+## SpAuthorization
+
+Performs authorization check define dby the SP based on group membership in Perun. User has to be valid member of at least one of the groups assigned to resources of the facility representing the service. If not satisfied, the filter check if registration is enabled. In case of enabled registration, user is forwarded to custom registration link (if configured), or to a dynamic form, where user will select the combination of VO and group to which he/she applies for access. Form then forwards user to Perun registration component. In all other cases, user is forwarded to access denied page.
+NOTE: for correct functionality, RPC adapter must be available, as other adapters cannot fetch info about what groups allow registration (have registration forms) and similar data.
+
+Configuration options:
+* `interface`: specifies what interface of Perun should be used to fetch data. See class `SimpleSAML\Module\perun\PerunAdapter` for more details.
+* `registrar_url`: URL where Perun registration component is located. Expected URL is the base, without any parameters.
+* `check_group_membership_attr`: mapping to the attribute containing flag, if membership check should be performed.
+* `vo_short_names_attr`: mapping to the attribute containing shortnames of the VOs for which the service has resources (gives access to the groups).
+* `registration_link_attr`: mapping to the attribute containing custom service registration link. Filter adds the callback URL, to which to redirect user after the registration, as query string in form of 'callback=URL'.
+* `allow_registration_attr`: mapping to the attribute containing flag, if registration in case of denied access is enabled
+
+```php
+25 => [
+    'class' => 'perun:SpAuthorization',
+    'interface' => 'LDAP',
+    'registrar_url' => 'https://signup.perun.cesnet.cz/fed/registrar/',
+    'check_group_membership_attr' => 'check_group_membership',
+    'vo_short_names_attr' => 'vo_short_names',
+    'registration_link_attr' => 'registration_link',
+    'allow_registration_attr' => 'allow_registration',
+],
+```
@@ -110,5 +110,50 @@
   "aup_button": {
     "en": "Proceed to approval of the AUP",
     "cs": "Pokračovat na potvrzení souhlasu s AUP"
+  },
+  ,
+  "sp_authorize_403_header": {
+    "en": "Unauthorized",
+    "cs": "Přístup zamítnut"
+  },
+  "sp_authorize_403_text": {
+    "en": "You are not authorized to access the service ",
+    "cs": "Nesplňujete autorizační pravidla pro přístup ke službě "
+  },
+  "sp_authorize_403_information_page": {
+    "en": "For more information about the service, visit ",
+    "cs": "Pro více informací o službě, navštivte "
+  },
+  "sp_authorize_403_information_page_link_text": {
+    "en": "this page",
+    "cs": "tuhle stránku"
+  },
+  "sp_authorize_403_contact_support": {
+    "en": "If you think you should have access to the service, please contact the service administrator at ",
+    "cs": "Jestli máte mít přístup ke službě, kontaktujte správce služby na "
+  },
+  "sp_authorize_403_subject": {
+    "en": "Unauthorized access",
+    "cs": "Přístup zamítnut"
+  },
+  "sp_authorize_notify_text": {
+    "en": "You are not authorized to access the service ",
+    "cs": "Nesplňujete autorizační pravidla pro přístup ke službě"
+  },
+  "sp_authorize_notify_information_page": {
+    "en": "For more information about the service, visit ",
+    "cs": "Pro více informací o službě, navštivte "
+  },
+  "sp_authorize_notify_information_page_link_text": {
+    "en": "this page",
+    "cs": "tuhle stránku"
+  },
+  "sp_authorize_notify_text2": {
+    "en": "We will now redirect you to a registration page, where you will apply for the access.",
+    "cs": "Budete přesmerován(a) na stránku, kde můžete o p%rístup na službu zažádat."
+  },
+  "sp_authorize_notify_button": {
+    "en": "Proceed to registration",
+    "cs": "Pokračovat na registrační stránku"
   }
 }
@@ -90,7 +90,15 @@ abstract public function getMemberGroups($user, $vo);
      * @return Group[] from vo which are assigned to all facilities with spEntityId.
      *                 registering to those groups should should allow access to the service
      */
-    abstract public function getSpGroups($spEntityId);
+    abstract public function getSpGroups(string $spEntityId): array;
+
+    /**
+     * @param Facility $facility representing the SP
+     *
+     * @return Group[] from vo which are assigned to all facilities with spEntityId.
+     *                 registering to those groups should allow access to the service
+     */
+    abstract public function getSpGroupsByFacility(Facility $facility): array;
 
     /**
      * @param User  $user
 
@@ -152,14 +152,15 @@ public function getMemberGroups($user, $vo)
         return $groups;
     }
 
-    public function getSpGroups($spEntityId)
+    public function getSpGroups(string $spEntityId): array
     {
         $facility = $this->getFacilityByEntityId($spEntityId);
 
-        if (null === $facility) {
-            return [];
-        }
+        return $this->getSpGroupsByFacility($facility);
+    }
 
+    public function getSpGroupsByFacility(Facility $facility): array
+    {
         $id = $facility->getId();
 
         $resources = $this->connector->searchForEntities(
@@ -177,16 +178,13 @@ public function getSpGroups($spEntityId)
                         '(objectClass=perunGroup)',
                         ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'uuid', 'description']
                     );
-                    array_push(
-                        $groups,
-                        new Group(
-                            $group['perunGroupId'][0],
-                            $group['perunVoId'][0],
-                            $group['uuid'][0],
-                            $group['cn'],
-                            $group['perunUniqueGroupName'][0],
-                            $group['description'][0] ?? ''
-                        )
+                    $groups[] = new Group(
+                        $group['perunGroupId'][0],
+                        $group['perunVoId'][0],
+                        $group['uuid'][0],
+                        $group['cn'],
+                        $group['perunUniqueGroupName'][0],
+                        $group['description'][0] ?? ''
                     );
                 }
             }
 
@@ -154,23 +154,30 @@ public function getMemberGroups($user, $vo)
         return $convertedGroups;
     }
 
-    public function getSpGroups($spEntityId)
+    public function getSpGroups(string $spEntityId): array
     {
         $facility = $this->getFacilityByEntityId($spEntityId);
 
         if (null === $facility) {
             return [];
         }
 
+        return $this->getSpGroupsByFacility($facility);
+    }
+
+    public function getSpGroupsByFacility(Facility $facility): array
+    {
         $perunAttrs = $this->connector->get('facilitiesManager', 'getAssignedResources', [
             'facility' => $facility->getId(),
         ]);
 
         $resources = [];
         foreach ($perunAttrs as $perunAttr) {
-            array_push(
-                $resources,
-                new Resource($perunAttr['id'], $perunAttr['voId'], $perunAttr['facilityId'], $perunAttr['name'])
+            $resources[] = new Resource(
+                $perunAttr['id'],
+                $perunAttr['voId'],
+                $perunAttr['facilityId'],
+                $perunAttr['name']
             );
         }
 
@@ -186,16 +193,13 @@ public function getSpGroups($spEntityId)
                     'attributeName' => 'urn:perun:group:attribute-def:virt:voShortName',
                 ]);
                 $uniqueName = $attr['value'] . ':' . $group['name'];
-                array_push(
-                    $spGroups,
-                    new Group(
-                        $group['id'],
-                        $group['voId'],
-                        $group['uuid'],
-                        $group['name'],
-                        $uniqueName,
-                        $group['description']
-                    )
+                $spGroups[] = new Group(
+                    $group['id'],
+                    $group['voId'],
+                    $group['uuid'],
+                    $group['name'],
+                    $uniqueName,
+                    $group['description']
                 );
             }
         }