Integrate NameId substitution in AddIdentityAttributes

The output filter will handle the name id substitution logic. As it already juggles the correctly setting of the desired identity (nameid, collabpersonid) values.
OpenConext · Aug 15, 2024 · da3ea77 · da3ea77
1 parent fe47992
commit da3ea77
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 13 deletions.
diff --git a/library/EngineBlock/Corto/Filter/Command/AddIdentityAttributes.php b/library/EngineBlock/Corto/Filter/Command/AddIdentityAttributes.php
@@ -16,6 +16,7 @@
  * limitations under the License.
  */
 
+use OpenConext\EngineBlock\Metadata\AttributeReleasePolicy;
 use Psr\Log\LoggerInterface;
 use SAML2\Constants;
 
@@ -27,8 +28,14 @@ class EngineBlock_Corto_Filter_Command_AddIdentityAttributes extends EngineBlock
      */
     private $logger;
 
-    public function __construct(LoggerInterface $logger)
+    /**
+     * @var EngineBlock_Arp_NameIdSubstituteResolver
+     */
+    private $substituteResolver;
+
+    public function __construct(EngineBlock_Arp_NameIdSubstituteResolver $resolver, LoggerInterface $logger)
     {
+        $this->substituteResolver = $resolver;
         $this->logger = $logger;
     }
 
@@ -66,16 +73,25 @@ public function execute()
         $this->logger->info('Setting the NameId on the Assertion');
         $this->_response->getAssertion()->setNameId($nameId);
 
-
-        // Find out if the EduPersonTargetedId is in the ARP of the destination SP.
-        // If the ARP is NULL this means no ARP = let everything through including ePTI.
-        // Otherwise only add ePTI if it's acutally in the ARP.
         $arp = $destinationMetadata->getAttributeReleasePolicy();
-        if (!is_null($arp) && !$arp->hasAttribute(Constants::EPTI_URN_MACE)) {
-            return;
+        if (!is_null($arp)) {
+            // Now check if we should update the NameID value according to the 'use_as_nameid' directive in the ARP.
+            $arpSubstitute = $this->substituteResolver->findNameIdSubstitute($arp, $this->getResponseAttributes());
+            if ($arpSubstitute !== null) {
+                $nameId->setFormat(Constants::NAMEID_UNSPECIFIED);
+                $nameId->setValue($arpSubstitute);
+                $this->_response->getAssertion()->setNameId($nameId);
+            }
+
+            // Find out if the EduPersonTargetedId is in the ARP of the destination SP.
+            // If the ARP is NULL this means no ARP = let everything through including ePTI.
+            // Otherwise, only add ePTI if it's actually in the ARP.
+            if (!$arp->hasAttribute(Constants::EPTI_URN_MACE)) {
+                return;
+            }
         }
-        $this->logger->info('Adding the EduPersonTargetedId on the Assertion');
-        $this->_responseAttributes[Constants::EPTI_URN_MACE] = [ $nameId ];
 
+        $this->logger->info('Adding the EduPersonTargetedId on the Assertion');
+        $this->_responseAttributes[Constants::EPTI_URN_MACE] = [$nameId];
     }
 }
diff --git a/library/EngineBlock/Corto/Filter/Command/ProvisionUser.php b/library/EngineBlock/Corto/Filter/Command/ProvisionUser.php
@@ -16,13 +16,24 @@
  * limitations under the License.
  */
 
+use OpenConext\EngineBlockBridge\Authentication\Repository\UserDirectoryAdapter;
 use SAML2\Constants;
 use SAML2\XML\saml\NameID;
 
 class EngineBlock_Corto_Filter_Command_ProvisionUser extends EngineBlock_Corto_Filter_Command_Abstract
     implements EngineBlock_Corto_Filter_Command_ResponseModificationInterface,
     EngineBlock_Corto_Filter_Command_CollabPersonIdModificationInterface
 {
+    /**
+     * @var UserDirectoryAdapter
+     */
+    private $userDirectory;
+
+    public function __construct(UserDirectoryAdapter $userDirectory)
+    {
+        $this->userDirectory = $userDirectory;
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -41,8 +52,7 @@ public function getCollabPersonId()
 
     public function execute()
     {
-        $userDirectory = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getUserDirectory();
-        $user = $userDirectory->identifyUser($this->_responseAttributes);
+        $user = $this->userDirectory->identifyUser($this->_responseAttributes);
 
         $collabPersonIdValue = $user->getCollabPersonId()->getCollabPersonId();
         $this->setCollabPersonId($collabPersonIdValue);

diff --git a/library/EngineBlock/Corto/Filter/Output.php b/library/EngineBlock/Corto/Filter/Output.php
@@ -62,7 +62,6 @@ public function getCommands()
     {
         $diContainer = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer();
         $logger = EngineBlock_ApplicationSingleton::getLog();
-
         return array(
             // If EngineBlock is in Processing mode (redirecting to it's self)
             // Then don't continue with the rest of the modifications
@@ -84,7 +83,7 @@ public function getCommands()
             new EngineBlock_Corto_Filter_Command_ApplyTrustedProxyBehavior($logger),
 
             // Add the appropriate NameID to the 'eduPeronTargetedID' and the Assertions NameId.
-            new EngineBlock_Corto_Filter_Command_AddIdentityAttributes($logger),
+            new EngineBlock_Corto_Filter_Command_AddIdentityAttributes($diContainer->getNameIdSubstituteResolver(), $logger),
 
             // Convert all attributes to their OID format (if known) and add these.
             new EngineBlock_Corto_Filter_Command_DenormalizeAttributes(),