CESNET
diff --git a/‎config-templates/processFilterConfigurations-example.md‎
Lines changed: 149 additions & 0 deletions b/‎config-templates/processFilterConfigurations-example.md‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎dictionaries/perun.definition.json‎
Lines changed: 61 additions & 0 deletions b/‎dictionaries/perun.definition.json‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎lib/Adapter.php‎
Lines changed: 10 additions & 2 deletions b/‎lib/Adapter.php‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎lib/AdapterLdap.php‎
Lines changed: 12 additions & 14 deletions b/‎lib/AdapterLdap.php‎
Lines changed: 12 additions & 14 deletions
diff --git a/‎lib/AdapterRpc.php‎
Lines changed: 18 additions & 14 deletions b/‎lib/AdapterRpc.php‎
Lines changed: 18 additions & 14 deletions
@@ -160,3 +160,152 @@ Example how to enable filter AttributeMap:
     // 'interface' => 'rpc', # optional, rpc/ldap, default rpc
 ],
 ```
+
+## ExtractRequestAttribute
+
+Filter is intended to extract an attribute specified by set of keys forming the chain of keys in the `$request` variable into the configured destination attribute.
+
+Configuration options:
+* `attr_name`: specifies attribute name, into which the extracted value will be stored
+* `request_keys`: string, which contains a semicolon (`;`) separated chain of keys that are examined in the state. Numeric keys are automatically treated as array indexes. For instance, value `'saml:AuthenticatingAuthority;0'` will be treated as code `$request['saml:AuthenticatingAuthority'][0]`. In case of this value being empty, exception is thrown. Otherwise, extracted value is stored into the configured destination attribute.
+* `fail_on_nonexisting_keys`: `true` or `false`, specifies if in case of missing key in the request variable the filter should terminate with an exception or not
+* `default_value`: array, which will be set as default value, if the configured keys did not lead to value
+
+```php
+// EXTRACT AUTHENTICATING ENTITY INTO authenticating_idp attribute
+1 => [ 
+    'class' => 'perun:ExtractRequestAttribute',
+    'attr_name' => 'authenticating_idp',
+    'request_keys' => 'saml:AuthenticatingAuthority;0',
+    'fail_on_nonexisting_keys' => 'true',
+    'default_value' => null,
+],
+```
+
+## PerunUser
+
+Filter tries to identify the Perun user. It uses the combination of user identifier and IdP identifier to find the user (or to be more precise, the user identity and associated user account). If it can, the user object is set to `$request` parameter into `$request[PerunConstants::PERUN][PerunConstants::USER]`. Otherwise, user is forwarded to configured registration.
+
+Configuration options:
+* `interface`: specifies what interface of Perun should be used to fetch data. See class `SimpleSAML\Module\perun\PerunAdapter` for more details.
+* `uid_attrs`: list of attributes that contain user identifiers to be used for identification. The order of the items in the list represents the priority.
+* `idp_id_attr`: name of the attribute (from `$request['Attributes']` array), which holds EntityID of the identity provider that has performed the authentication.
+* `register_url`: URL to which the user will be forwarded for registration. Leave empty to use the Perun registrar.
+* `callback_parameter_name`: name of the parameter wich will hold callback URL, where the user should be redirected after the registration on URL configured in the `register_url` property.
+* `perun_register_url`: the complete URL (including vo and group) to which user will be redirected, if `register_url` has not been configured. Parameters targetnew, targetexisting and targetextended will be set to callback URL to continue after the registration is completed.
+
+```php
+2 => [
+    'class' => 'perun:PerunUser',
+    'interface' => 'LDAP',
+    'uid_attrs' => ['eduPersonUniqueId', 'eduPersonPrincipalName'],
+    'idp_id_attr' => 'authenticating_idp',
+    'register_url' => 'https://signup.cesnet.cz/',
+    'callback_parameter_name' => 'callback',
+    'perun_register_url' => 'https://signup.perun.cesnet.cz/fed/registrar/?vo=cesnet'
+],
+```
+
+## PerunAup
+
+Filter fetches the given attribute holding approved AUP and checks, if expected value is set in the attribute or not. If not, it redirects the user to specified registration component, where user will be asked to approve the AUP.
+
+Configuration options:
+* `interface`: specifies what interface of Perun should be used to fetch data. See class `SimpleSAML\Module\perun\PerunAdapter` for more details.
+* `attribute`: name of the attribute, which will be fetched from Perun and holds the value of approved AUP.
+* `value`: value that is expected in the attribute as mark of approved AUP. Expected is a string.
+* `approval_url`: URL to which the user will be forwarded for registration. Leave empty to use the Perun registrar.
+* `callback_parameter_name`: name of the parameter wich will hold callback URL, where the user should be redirected after the AUP approval on URL configured in the `approval_url` property.
+* `perun_register_url`: the complete URL (including vo and group) to which user will be redirected, if `approval_url` has not been configured. Parameters targetnew, targetexisting and targetextended will be set to callback URL to continue after the AUP approval is completed.
+
+```php
+3 => [
+    'class' => 'perun:PerunAup',
+    'interface' => 'LDAP',
+    'value' => 'aup_2020_01_01',
+    'attribute' => 'approved_aup',
+    'approval_url' => 'https://signup.cesnet.cz/aup/',
+    'callback_parameter_name' => 'callback',
+    'perun_approval_url' => 'https://signup.perun.cesnet.cz/fed/registrar/?vo=cesnet&group=aup'
+],
+```
+
+## DropUserAttributes
+
+Drops specified user attributes from the `$request['Attributes']` variable.
+
+Configuration options:
+* `attribute_names`: list of attribute names which will be dropped.
+
+```php
+10 => [
+    'class' => 'perun:DropUserAttributes',
+    'attribute_names' => ['aup', 'eppn', 'eduPersonTargetedID']
+],
+```
+
+## QualifyNameID
+
+Adds qualifiers into NameID based on the configuration
+
+Configuration options:
+* `name_id_attribute`: Attribute (NameID) which should be qualified
+* `name_qualifier_attribute`: User attribute with value, which will be set as the NameQualifier part of the NameID. Leave empty to use static value configured via option `name_qualifier`.
+* `name_qualifier`: Static value which will be set as the NameQualifier part of the NameID.
+* `sp_name_qualifier_attribute`: User attribute with value, which will be set as the SPNameQualifier part of the NameID. Leave empty to use static value configured via option `sp_name_qualifier`.
+* `sp_name_qualifier`: Static value which will be set as the SPNameQualifier part of the NameID.
+
+```php
+11 => [
+    'class' => 'perun:QualifyNameID',
+    'name_id_attribute' => 'eduPersonTargetedID',
+    'name_qualifier_attribute' => 'SourceIdPEntityID',
+    'name_qualifier' => 'https://login.cesnet.cz/idp/',
+    'sp_name_qualifier_attribute' => 'ProxyEntityID',
+    'sp_name_qualifier' => 'https://login.cesnet.cz/proxy/',
+],
+```
+
+## GenerateIdPAttributes
+
+Gets metadata of the IdP specified by `idp_identifier_attribute` value and tries to set the specified keys from IdP metadata into attributes.
+
+Configuration options:
+* `idp_identifier_attribute`: Attribute holding the identifier of the Authenticating IdP
+* `attribute_map`: Map of IdP metadata attributes, where keys are the colon separated keys that will be searched in IdP metadata and values are the destination attribute names.
+
+```php
+20 => [
+    'class' => 'perun:GenerateIdPAttributes',
+    'idp_identifier_attribute' => 'sourceIdPEntityID',
+    'attribute_map' => [
+        'name:en' => 'sourceIdPName',
+        'OrganizationName:en' => 'sourceIdPOrganizationName',
+        'OrganizationURL:en' => 'sourceIdPOrganizationURL',
+    ],
+],
+```
+## SpAuthorization
+
+Performs authorization check define dby the SP based on group membership in Perun. User has to be valid member of at least one of the groups assigned to resources of the facility representing the service. If not satisfied, the filter check if registration is enabled. In case of enabled registration, user is forwarded to custom registration link (if configured), or to a dynamic form, where user will select the combination of VO and group to which he/she applies for access. Form then forwards user to Perun registration component. In all other cases, user is forwarded to access denied page.
+NOTE: for correct functionality, RPC adapter must be available, as other adapters cannot fetch info about what groups allow registration (have registration forms) and similar data.
+
+Configuration options:
+* `interface`: specifies what interface of Perun should be used to fetch data. See class `SimpleSAML\Module\perun\PerunAdapter` for more details.
+* `registrar_url`: URL where Perun registration component is located. Expected URL is the base, without any parameters.
+* `check_group_membership_attr`: mapping to the attribute containing flag, if membership check should be performed.
+* `vo_short_names_attr`: mapping to the attribute containing shortnames of the VOs for which the service has resources (gives access to the groups).
+* `registration_link_attr`: mapping to the attribute containing custom service registration link. Filter adds the callback URL, to which to redirect user after the registration, as query string in form of 'callback=URL'.
+* `allow_registration_attr`: mapping to the attribute containing flag, if registration in case of denied access is enabled
+
+```php
+25 => [
+    'class' => 'perun:SpAuthorization',
+    'interface' => 'LDAP',
+    'registrar_url' => 'https://signup.perun.cesnet.cz/fed/registrar/',
+    'check_group_membership_attr' => 'check_group_membership',
+    'vo_short_names_attr' => 'vo_short_names',
+    'registration_link_attr' => 'registration_link',
+    'allow_registration_attr' => 'allow_registration',
+],
+```
@@ -94,5 +94,66 @@
   "unauthorized-access_redirect_to_registration": {
     "en": "Now you will be redirected to registration to Perun system.",
     "cs": "Nyní budete přesměrování na registraci do systému Perun."
+  },
+  "register_text": {
+    "en": "Oops! It seems you have tried to access service via Perun AAI, but yo do not have an account. Let's fix that!",
+    "cs": "Ups! Zdá se, že jste se pokusil(a) přihlásit ke službě skrz Perun AAI, no nemáte uživatelský účet. Pojďme to napravit!"
+  },
+  "register_button": {
+    "en": "Proceed to register for an account",
+    "cs": "Pokračovat na registraci ůčtu"
+  },
+  "aup_text": {
+    "en": "Oops! It seems you have tried to access service via Perun AAI, but you have not approved the Acceptable Use Policy (AUP). Let's fix that!",
+    "cs": "Ups! Vyzerá to, že jste se pokousil(a) přihlásit ke službě skrze Perun AAI, no neschválili jste Podmínky užití služby (AUP). Pojďme to napravit!"
+  },
+  "aup_button": {
+    "en": "Proceed to approval of the AUP",
+    "cs": "Pokračovat na potvrzení souhlasu s AUP"
+  },
+  ,
+  "sp_authorize_403_header": {
+    "en": "Unauthorized",
+    "cs": "Přístup zamítnut"
+  },
+  "sp_authorize_403_text": {
+    "en": "You are not authorized to access the service ",
+    "cs": "Nesplňujete autorizační pravidla pro přístup ke službě "
+  },
+  "sp_authorize_403_information_page": {
+    "en": "For more information about the service, visit ",
+    "cs": "Pro více informací o službě, navštivte "
+  },
+  "sp_authorize_403_information_page_link_text": {
+    "en": "this page",
+    "cs": "tuhle stránku"
+  },
+  "sp_authorize_403_contact_support": {
+    "en": "If you think you should have access to the service, please contact the service administrator at ",
+    "cs": "Jestli máte mít přístup ke službě, kontaktujte správce služby na "
+  },
+  "sp_authorize_403_subject": {
+    "en": "Unauthorized access",
+    "cs": "Přístup zamítnut"
+  },
+  "sp_authorize_notify_text": {
+    "en": "You are not authorized to access the service ",
+    "cs": "Nesplňujete autorizační pravidla pro přístup ke službě"
+  },
+  "sp_authorize_notify_information_page": {
+    "en": "For more information about the service, visit ",
+    "cs": "Pro více informací o službě, navštivte "
+  },
+  "sp_authorize_notify_information_page_link_text": {
+    "en": "this page",
+    "cs": "tuhle stránku"
+  },
+  "sp_authorize_notify_text2": {
+    "en": "We will now redirect you to a registration page, where you will apply for the access.",
+    "cs": "Budete přesmerován(a) na stránku, kde můžete o p%rístup na službu zažádat."
+  },
+  "sp_authorize_notify_button": {
+    "en": "Proceed to registration",
+    "cs": "Pokračovat na registrační stránku"
   }
 }
@@ -48,7 +48,7 @@ public static function getInstance($interface)
 
     /**
      * @param string $idpEntityId entity id of hosted idp used as extSourceName
-     * @param string $uids        list of user identifiers received from remote idp used as userExtSourceLogin
+     * @param array  $uids        list of user identifiers received from remote idp used as userExtSourceLogin
      *
      * @return User or null if not exists
      */
@@ -90,7 +90,15 @@ abstract public function getMemberGroups($user, $vo);
      * @return Group[] from vo which are assigned to all facilities with spEntityId.
      *                 registering to those groups should should allow access to the service
      */
-    abstract public function getSpGroups($spEntityId);
+    abstract public function getSpGroups(string $spEntityId): array;
+
+    /**
+     * @param Facility $facility representing the SP
+     *
+     * @return Group[] from vo which are assigned to all facilities with spEntityId.
+     *                 registering to those groups should allow access to the service
+     */
+    abstract public function getSpGroupsByFacility(Facility $facility): array;
 
     /**
      * @param User  $user
 
@@ -152,14 +152,15 @@ public function getMemberGroups($user, $vo)
         return $groups;
     }
 
-    public function getSpGroups($spEntityId)
+    public function getSpGroups(string $spEntityId): array
     {
         $facility = $this->getFacilityByEntityId($spEntityId);
 
-        if (null === $facility) {
-            return [];
-        }
+        return $this->getSpGroupsByFacility($facility);
+    }
 
+    public function getSpGroupsByFacility(Facility $facility): array
+    {
         $id = $facility->getId();
 
         $resources = $this->connector->searchForEntities(
@@ -177,16 +178,13 @@ public function getSpGroups($spEntityId)
                         '(objectClass=perunGroup)',
                         ['perunGroupId', 'cn', 'perunUniqueGroupName', 'perunVoId', 'uuid', 'description']
                     );
-                    array_push(
-                        $groups,
-                        new Group(
-                            $group['perunGroupId'][0],
-                            $group['perunVoId'][0],
-                            $group['uuid'][0],
-                            $group['cn'],
-                            $group['perunUniqueGroupName'][0],
-                            $group['description'][0] ?? ''
-                        )
+                    $groups[] = new Group(
+                        $group['perunGroupId'][0],
+                        $group['perunVoId'][0],
+                        $group['uuid'][0],
+                        $group['cn'],
+                        $group['perunUniqueGroupName'][0],
+                        $group['description'][0] ?? ''
                     );
                 }
             }
 
@@ -154,23 +154,30 @@ public function getMemberGroups($user, $vo)
         return $convertedGroups;
     }
 
-    public function getSpGroups($spEntityId)
+    public function getSpGroups(string $spEntityId): array
     {
         $facility = $this->getFacilityByEntityId($spEntityId);
 
         if (null === $facility) {
             return [];
         }
 
+        return $this->getSpGroupsByFacility($facility);
+    }
+
+    public function getSpGroupsByFacility(Facility $facility): array
+    {
         $perunAttrs = $this->connector->get('facilitiesManager', 'getAssignedResources', [
             'facility' => $facility->getId(),
         ]);
 
         $resources = [];
         foreach ($perunAttrs as $perunAttr) {
-            array_push(
-                $resources,
-                new Resource($perunAttr['id'], $perunAttr['voId'], $perunAttr['facilityId'], $perunAttr['name'])
+            $resources[] = new Resource(
+                $perunAttr['id'],
+                $perunAttr['voId'],
+                $perunAttr['facilityId'],
+                $perunAttr['name']
             );
         }
 
@@ -186,16 +193,13 @@ public function getSpGroups($spEntityId)
                     'attributeName' => 'urn:perun:group:attribute-def:virt:voShortName',
                 ]);
                 $uniqueName = $attr['value'] . ':' . $group['name'];
-                array_push(
-                    $spGroups,
-                    new Group(
-                        $group['id'],
-                        $group['voId'],
-                        $group['uuid'],
-                        $group['name'],
-                        $uniqueName,
-                        $group['description']
-                    )
+                $spGroups[] = new Group(
+                    $group['id'],
+                    $group['voId'],
+                    $group['uuid'],
+                    $group['name'],
+                    $uniqueName,
+                    $group['description']
                 );
             }
         }