Fix AARC G002 profile

- add left part to eduperson_scoped_affiliation
- fix urn namespace for eduperson_entitlement
- fix related jUnit tests
- add subnamespaces support

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/aarc/AarcClaimValueHelper.java

@@ -21,6 +21,8 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
+import com.google.common.base.Strings;
+
 import it.infn.mw.iam.persistence.model.IamGroup;
 import it.infn.mw.iam.persistence.model.IamUserInfo;
 
@@ -33,18 +35,23 @@ public class AarcClaimValueHelper {
   @Value("${iam.host}")
   String iamHost;
 
-  @Value("${iam.organisation.name}")
-  String organisationName;
-
   @Value("${iam.aarc-profile.urn-namespace}")
   String urnNamespace;
 
+  @Value("${iam.aarc-profile.urn-nid}")
+  String urnNid;
+
+  @Value("${iam.aarc-profile.urn-subnamespaces}")
+  String urnSubnamespaces;
+
+  final String URN_AFFILIATION = "member";
+
   public Object getClaimValueFromUserInfo(String claim, IamUserInfo info) {
 
     switch (claim) {
 
       case "eduperson_scoped_affiliation":
-        return organisationName;
+        return String.format("%s@%s", URN_AFFILIATION, urnNamespace);
 
       case "eduperson_entitlement":
         return resolveGroups(info);
@@ -63,7 +70,11 @@ public Set<String> resolveGroups(IamUserInfo userInfo) {
 
   private String encodeGroup(IamGroup group) {
     String encodedGroupName = group.getName().replaceAll("/", ":");
-    return String.format("urn:%s:group:%s#%s", urnNamespace, encodedGroupName, iamHost);
+    String encodedSubnamespace = "";
+    if (!Strings.isNullOrEmpty(urnSubnamespaces)) {
+      encodedSubnamespace = String.format(":%s", String.join(":", urnSubnamespaces.trim().split(" ")));
+    }
+    return String.format("urn:%s:%s%s:group:%s#%s", urnNid, urnNamespace, encodedSubnamespace, encodedGroupName, iamHost);
   }
 
 }

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/aarc/AarcJWTProfileUserinfoHelper.java

@@ -50,7 +50,7 @@ public UserInfo resolveUserInfo(OAuth2Authentication authentication) {
     IamUserInfo iamUserInfo = ((UserInfoAdapter) ui).getUserinfo();
 
     AarcDecoratedUserInfo aui = AarcDecoratedUserInfo.forUser(ui);
-    aui.setScopedAffiliation(getProperties().getOrganisation().getName());
+    aui.setScopedAffiliation(claimValueHelper.getClaimValueFromUserInfo("eduperson_scoped_affiliation", iamUserInfo).toString());
     aui.setEntitlements(claimValueHelper.resolveGroups(iamUserInfo));
 
     return aui;

iam-login-service/src/main/resources/application.yml

@@ -166,7 +166,9 @@ iam:
     - surname
 
   aarc-profile:
-    urn-namespace: ${IAM_AARC_PROFILE_URN_NAMESPACE:example:iam}
+    urn-namespace: ${IAM_AARC_PROFILE_URN_NAMESPACE:iam.example}
+    urn-nid: ${IAM_AARC_PROFILE_URN_NID:geant}
+    urn-subnamespaces: ${IAM_AARC_PROFILE_URN_SUBNAMESPACES:}
 
   external-connectivity-probe:
     enabled: ${IAM_HEALTH_EXTERNAL_CONNECTIVITY_PROBE_ENABLED:false}

iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/profile/AarcClaimValueHelperTests.java

@@ -47,8 +47,8 @@
 @TestPropertySource(properties = {
   // @formatter:off
   "iam.host=example.org",
-  "iam.organisation.name=org",
-  "iam.aarc-profile.urn-namespace=example:iam:test",
+  "iam.aarc-profile.urn-namespace=projectescape.eu",
+  "iam.aarc-profile.urn-subnamespaces=sub mission",
   // @formatter:on
 })
 @Transactional
@@ -81,7 +81,7 @@ public void testEmptyGroupsUrnEncode() {
   @Test
   public void testGroupUrnEncode() {
 
-    String s = "urn:example:iam:test:group:test#example.org";
+    String s = "urn:geant:projectescape.eu:sub:mission:group:test#example.org";
 
     IamGroup g = new IamGroup();
     g.setName("test");
@@ -98,9 +98,9 @@ public void testGroupUrnEncode() {
   @Test
   public void testGroupHierarchyUrnEncode() {
 
-    String parentUrn = "urn:example:iam:test:group:parent#example.org";
-    String childUrn = "urn:example:iam:test:group:parent:child#example.org";
-    String grandchildUrn = "urn:example:iam:test:group:parent:child:grandchild#example.org";
+    String parentUrn = "urn:geant:projectescape.eu:sub:mission:group:parent#example.org";
+    String childUrn = "urn:geant:projectescape.eu:sub:mission:group:parent:child#example.org";
+    String grandchildUrn = "urn:geant:projectescape.eu:sub:mission:group:parent:child:grandchild#example.org";
 
     IamGroup parent = new IamGroup();
     parent.setName("parent");

iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/profile/AarcProfileIntegrationTests.java

@@ -59,7 +59,6 @@
     // @formatter:off
     "iam.host=example.org",
     "iam.jwt-profile.default-profile=aarc",
-    "iam.organisation.name=org",
     // @formatter:on
 })
 public class AarcProfileIntegrationTests extends EndpointsTestUtils {
@@ -69,8 +68,8 @@ public class AarcProfileIntegrationTests extends EndpointsTestUtils {
   private static final String USERNAME = "test";
   private static final String PASSWORD = "password";
 
-  private static final String URN_GROUP_ANALYSIS = "urn:example:iam:group:Analysis#example.org";
-  private static final String URN_GROUP_PRODUCTION = "urn:example:iam:group:Production#example.org";
+  private static final String URN_GROUP_ANALYSIS = "urn:geant:iam.example:group:Analysis#example.org";
+  private static final String URN_GROUP_PRODUCTION = "urn:geant:iam.example:group:Production#example.org";
 
   protected static final Set<String> BASE_SCOPES = Sets.newHashSet("openid", "profile");
   protected static final Set<String> EDUPERSON_AFFILIATION_SCOPE =
@@ -138,7 +137,7 @@ public void testEdupersonScopedAffiliationScope() throws Exception {
     assertThat(token.getJWTClaimsSet().getClaim("email"), nullValue());
 
     assertThat(token.getJWTClaimsSet().getClaim(EDUPERSON_SCOPED_AFFILIATION_SCOPE),
-        equalTo("org"));
+        equalTo("[email protected]"));
   }
 
   @Test
@@ -152,7 +151,7 @@ public void testEdupersonScopedAffiliationAndEntitlementScopes() throws Exceptio
     assertThat(token.getJWTClaimsSet().getClaim("email"), nullValue());
 
     assertThat(token.getJWTClaimsSet().getClaim(EDUPERSON_SCOPED_AFFILIATION_SCOPE),
-        equalTo("org"));
+        equalTo("[email protected]"));
 
     List<String> groups = Lists
       .newArrayList(token.getJWTClaimsSet().getStringArrayClaim(EDUPERSON_ENTITLEMENT_CLAIM));
@@ -174,7 +173,7 @@ public void testAarcProfileIntrospect() throws Exception {
         .param("token", token.getParsedString()))
       .andExpect(status().isOk())
       .andExpect(jsonPath("$.active", equalTo(true)))
-      .andExpect(jsonPath("$." + EDUPERSON_SCOPED_AFFILIATION_CLAIM, equalTo("org")))
+      .andExpect(jsonPath("$." + EDUPERSON_SCOPED_AFFILIATION_CLAIM, equalTo("[email protected]")))
       .andExpect(jsonPath("$." + EDUPERSON_ENTITLEMENT_CLAIM, hasSize(equalTo(2))))
       .andExpect(jsonPath("$." + EDUPERSON_ENTITLEMENT_CLAIM, containsInAnyOrder(URN_GROUP_ANALYSIS, URN_GROUP_PRODUCTION)))
       .andExpect(jsonPath("$.name", equalTo("Test User")))
@@ -196,7 +195,7 @@ public void testAarcProfileUserinfo() throws Exception {
       .andExpect(jsonPath("$.sub").exists())
       .andExpect(jsonPath("$.organisation_name").doesNotExist())
       .andExpect(jsonPath("$.groups").doesNotExist())
-      .andExpect(jsonPath("$." + EDUPERSON_SCOPED_AFFILIATION_CLAIM, equalTo("org")))
+      .andExpect(jsonPath("$." + EDUPERSON_SCOPED_AFFILIATION_CLAIM, equalTo("[email protected]")))
       .andExpect(jsonPath("$." + EDUPERSON_ENTITLEMENT_CLAIM, hasSize(equalTo(2))))
       .andExpect(jsonPath("$." + EDUPERSON_ENTITLEMENT_CLAIM, containsInAnyOrder(URN_GROUP_ANALYSIS, URN_GROUP_PRODUCTION)))
       .andExpect(jsonPath("$.name", equalTo("Test User")))
@@ -216,7 +215,7 @@ public void testAarcProfileUserinfoWithEmail() throws Exception {
       .andExpect(jsonPath("$.sub").exists())
       .andExpect(jsonPath("$.organisation_name").doesNotExist())
       .andExpect(jsonPath("$.groups").doesNotExist())
-      .andExpect(jsonPath("$." + EDUPERSON_SCOPED_AFFILIATION_CLAIM, equalTo("org")))
+      .andExpect(jsonPath("$." + EDUPERSON_SCOPED_AFFILIATION_CLAIM, equalTo("[email protected]")))
       .andExpect(jsonPath("$." + EDUPERSON_ENTITLEMENT_CLAIM, hasSize(equalTo(2))))
       .andExpect(jsonPath("$." + EDUPERSON_ENTITLEMENT_CLAIM, containsInAnyOrder(URN_GROUP_ANALYSIS, URN_GROUP_PRODUCTION)))
       .andExpect(jsonPath("$.name", equalTo("Test User")))