Merge pull request indigo-iam#488 from indigo-iam/changes-for-AARC-G0…

…02-profile

Changes on AARC profile

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/aarc/AarcClaimValueHelper.java

@@ -21,34 +21,42 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
+import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
+
 import it.infn.mw.iam.persistence.model.IamGroup;
 import it.infn.mw.iam.persistence.model.IamUserInfo;
 
 @Component
 public class AarcClaimValueHelper {
 
   public static final Set<String> ADDITIONAL_CLAIMS =
-      Set.of("eduperson_scoped_affiliation", "eduperson_entitlement");
-
-  @Value("${iam.host}")
-  String iamHost;
-
-  @Value("${iam.organisation.name}")
-  String organisationName;
+      Set.of("eduperson_scoped_affiliation", "eduperson_entitlement", "eduperson_assurance");
 
   @Value("${iam.aarc-profile.urn-namespace}")
   String urnNamespace;
 
+  @Value("${iam.aarc-profile.urn-nid}")
+  String urnNid;
+
+  @Value("${iam.aarc-profile.urn-subnamespaces}")
+  String urnSubnamespaces;
+
+  final String URN_AFFILIATION = "member";
+
   public Object getClaimValueFromUserInfo(String claim, IamUserInfo info) {
 
     switch (claim) {
 
       case "eduperson_scoped_affiliation":
-        return organisationName;
+        return String.format("%s@%s", URN_AFFILIATION, urnNamespace);
 
       case "eduperson_entitlement":
         return resolveGroups(info);
 
+      case "eduperson_assurance":
+        return resolveLOA();
+
       default:
         return null;
     }
@@ -63,7 +71,16 @@ public Set<String> resolveGroups(IamUserInfo userInfo) {
 
   private String encodeGroup(IamGroup group) {
     String encodedGroupName = group.getName().replaceAll("/", ":");
-    return String.format("urn:%s:group:%s#%s", urnNamespace, encodedGroupName, iamHost);
+    String encodedSubnamespace = "";
+    if (!Strings.isNullOrEmpty(urnSubnamespaces)) {
+      encodedSubnamespace = String.format(":%s", String.join(":", urnSubnamespaces.trim().split(" ")));
+    }
+    return String.format("urn:%s:%s%s:group:%s", urnNid, urnNamespace, encodedSubnamespace, encodedGroupName);
+  }
+
+  public Set<String> resolveLOA() {
+
+    return Sets.newHashSet("https://refeds.org/assurance/IAP/low");
   }
 
 }

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/aarc/AarcJWTProfileTokenIntrospectionHelper.java

@@ -72,6 +72,11 @@ public Map<String, Object> assembleIntrospectionResult(OAuth2AccessTokenEntity a
         result.put(EDUPERSON_ENTITLEMENT,
             claimValueHelper.getClaimValueFromUserInfo(EDUPERSON_ENTITLEMENT, iamUserInfo));
       }
+
+      if (scopes.contains(EDUPERSON_ASSURANCE)) {
+        result.put(EDUPERSON_ASSURANCE,
+            claimValueHelper.getClaimValueFromUserInfo(EDUPERSON_ASSURANCE, iamUserInfo));
+      }
     }
 
     return result;

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/aarc/AarcJWTProfileUserinfoHelper.java

@@ -50,8 +50,9 @@ public UserInfo resolveUserInfo(OAuth2Authentication authentication) {
     IamUserInfo iamUserInfo = ((UserInfoAdapter) ui).getUserinfo();
 
     AarcDecoratedUserInfo aui = AarcDecoratedUserInfo.forUser(ui);
-    aui.setScopedAffiliation(getProperties().getOrganisation().getName());
+    aui.setScopedAffiliation(claimValueHelper.getClaimValueFromUserInfo("eduperson_scoped_affiliation", iamUserInfo).toString());
     aui.setEntitlements(claimValueHelper.resolveGroups(iamUserInfo));
+    aui.setAssurance(claimValueHelper.resolveLOA());
 
     return aui;
   }

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/common/BaseIntrospectionHelper.java

@@ -52,6 +52,7 @@ public abstract class BaseIntrospectionHelper implements IntrospectionResultHelp
   public static final String ISSUER = "iss";
   public static final String EDUPERSON_SCOPED_AFFILIATION = "eduperson_scoped_affiliation";
   public static final String EDUPERSON_ENTITLEMENT = "eduperson_entitlement";
+  public static final String EDUPERSON_ASSURANCE = "eduperson_assurance";
 
   private final IamProperties properties;
   private final IntrospectionResultAssembler assembler;

iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/AarcDecoratedUserInfo.java

@@ -29,9 +29,11 @@ public class AarcDecoratedUserInfo extends DelegateUserInfoAdapter implements Aa
 
   public static final String EDUPERSON_SCOPED_AFFILIATION_CLAIM = "eduperson_scoped_affiliation";
   public static final String EDUPERSON_ENTITLEMENT_CLAIM = "eduperson_entitlement";
+  public static final String EDUPERSON_ASSURANCE_CLAIM = "eduperson_assurance";
 
   private String scopedAffiliation;
   private Set<String> entitlements;
+  private Set<String> assurance;
 
   public AarcDecoratedUserInfo(UserInfo delegate) {
     super(delegate);
@@ -44,10 +46,14 @@ public JsonObject toJson() {
     json.remove("groups");
     json.remove("organisation_name");
 
-    json.add(EDUPERSON_SCOPED_AFFILIATION_CLAIM, new JsonPrimitive(scopedAffiliation));
+    json.add(EDUPERSON_SCOPED_AFFILIATION_CLAIM, new JsonPrimitive(getScopedAffiliation()));
+
+    JsonArray values = new JsonArray();
+    getAssurance().forEach(value -> values.add(new JsonPrimitive(value)));
+    json.add(EDUPERSON_ASSURANCE_CLAIM, values);
 
     JsonArray urns = new JsonArray();
-    entitlements.forEach(urn -> urns.add(new JsonPrimitive(urn)));
+    getEntitlements().forEach(urn -> urns.add(new JsonPrimitive(urn)));
     json.add(EDUPERSON_ENTITLEMENT_CLAIM, urns);
 
     return json;
@@ -73,7 +79,18 @@ public void setEntitlements(Set<String> entitlements) {
     this.entitlements = entitlements;
   }
 
+  @Override
+  public Set<String> getAssurance() {
+    return assurance;
+  }
+
+  @Override
+  public void setAssurance(Set<String> assurance) {
+    this.assurance = assurance;
+  }
+
   public static AarcDecoratedUserInfo forUser(UserInfo u) {
     return new AarcDecoratedUserInfo(u);
   }
+
 }

iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/AarcUserInfo.java

@@ -26,4 +26,7 @@ public interface AarcUserInfo extends UserInfo {
 
   Set<String> getEntitlements();
   void setEntitlements(Set<String> entitlements);
+
+  Set<String> getAssurance();
+  void setAssurance(Set<String> assurance);
 }

iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamScopeClaimTranslationService.java

@@ -20,6 +20,7 @@
 import static it.infn.mw.iam.core.userinfo.UserInfoClaim.BIRTHDATE;
 import static it.infn.mw.iam.core.userinfo.UserInfoClaim.EDUPERSON_ENTITLEMENT;
 import static it.infn.mw.iam.core.userinfo.UserInfoClaim.EDUPERSON_SCOPED_AFFILIATION;
+import static it.infn.mw.iam.core.userinfo.UserInfoClaim.EDUPERSON_ASSURANCE;
 import static it.infn.mw.iam.core.userinfo.UserInfoClaim.EMAIL;
 import static it.infn.mw.iam.core.userinfo.UserInfoClaim.EMAIL_VERIFIED;
 import static it.infn.mw.iam.core.userinfo.UserInfoClaim.EXTERNAL_AUTHN;
@@ -69,6 +70,7 @@ public class IamScopeClaimTranslationService implements ScopeClaimTranslationSer
   public static final String ADDRESS_SCOPE = "address";
   public static final String EDUPERSON_SCOPED_AFFILIATION_SCOPE = "eduperson_scoped_affiliation";
   public static final String EDUPERSON_ENTITLEMENT_SCOPE = "eduperson_entitlement";
+  public static final String EDUPERSON_ASSURANCE_SCOPE = "eduperson_assurance";
   public static final String ATTR_SCOPE = "attr";
   public static final String SSH_KEYS_SCOPE = "ssh-keys";
   public static final String WLCG_GROUPS_SCOPE = "wlcg.groups";
@@ -90,6 +92,7 @@ public IamScopeClaimTranslationService() {
     mapScopeToClaim(ADDRESS_SCOPE, ADDRESS);
     mapScopeToClaim(EDUPERSON_SCOPED_AFFILIATION_SCOPE, EDUPERSON_SCOPED_AFFILIATION);
     mapScopeToClaim(EDUPERSON_ENTITLEMENT_SCOPE, EDUPERSON_ENTITLEMENT);
+    mapScopeToClaim(EDUPERSON_ASSURANCE_SCOPE, EDUPERSON_ASSURANCE);
     mapScopeToClaim(ATTR_SCOPE, ATTR);
     mapScopeToClaim(SSH_KEYS_SCOPE, SSH_KEYS);
     mapScopeToClaim(WLCG_GROUPS_SCOPE, WLCG_GROUPS);

iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/UserInfoClaim.java

@@ -43,6 +43,7 @@ public enum UserInfoClaim {
   EXTERNAL_AUTHN("external_authn"),
   EDUPERSON_SCOPED_AFFILIATION("eduperson_scoped_affiliation"),
   EDUPERSON_ENTITLEMENT("eduperson_entitlement"),
+  EDUPERSON_ASSURANCE("eduperson_assurance"),
   SSH_KEYS("ssh_keys");
 
   private UserInfoClaim(String claimName) {

iam-login-service/src/main/resources/application.yml

@@ -169,7 +169,9 @@ iam:
     - surname
 
   aarc-profile:
-    urn-namespace: ${IAM_AARC_PROFILE_URN_NAMESPACE:example:iam}
+    urn-namespace: ${IAM_AARC_PROFILE_URN_NAMESPACE:iam.example}
+    urn-nid: ${IAM_AARC_PROFILE_URN_NID:geant}
+    urn-subnamespaces: ${IAM_AARC_PROFILE_URN_SUBNAMESPACES:}
 
   external-connectivity-probe:
     enabled: ${IAM_HEALTH_EXTERNAL_CONNECTIVITY_PROBE_ENABLED:false}

iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/profile/AarcClaimValueHelperTests.java

@@ -46,9 +46,8 @@
 @IamMockMvcIntegrationTest
 @TestPropertySource(properties = {
   // @formatter:off
-  "iam.host=example.org",
-  "iam.organisation.name=org",
-  "iam.aarc-profile.urn-namespace=example:iam:test",
+  "iam.aarc-profile.urn-namespace=projectescape.eu",
+  "iam.aarc-profile.urn-subnamespaces=sub mission",
   // @formatter:on
 })
 @Transactional
@@ -81,7 +80,7 @@ public void testEmptyGroupsUrnEncode() {
   @Test
   public void testGroupUrnEncode() {
 
-    String s = "urn:example:iam:test:group:test#example.org";
+    String s = "urn:geant:projectescape.eu:sub:mission:group:test";
 
     IamGroup g = new IamGroup();
     g.setName("test");
@@ -98,9 +97,9 @@ public void testGroupUrnEncode() {
   @Test
   public void testGroupHierarchyUrnEncode() {
 
-    String parentUrn = "urn:example:iam:test:group:parent#example.org";
-    String childUrn = "urn:example:iam:test:group:parent:child#example.org";
-    String grandchildUrn = "urn:example:iam:test:group:parent:child:grandchild#example.org";
+    String parentUrn = "urn:geant:projectescape.eu:sub:mission:group:parent";
+    String childUrn = "urn:geant:projectescape.eu:sub:mission:group:parent:child";
+    String grandchildUrn = "urn:geant:projectescape.eu:sub:mission:group:parent:child:grandchild";
 
     IamGroup parent = new IamGroup();
     parent.setName("parent");