Java tutorial
/* * * Copyright 2016 Netflix, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ package com.netflix.genie.web.security.saml; import com.google.common.collect.Lists; import com.netflix.spectator.api.Registry; import com.netflix.spectator.api.Timer; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.saml.SAMLCredential; import org.springframework.security.saml.userdetails.SAMLUserDetailsService; import org.springframework.stereotype.Component; import javax.validation.constraints.NotNull; import java.util.Arrays; import java.util.List; import java.util.concurrent.TimeUnit; /** * Get the user and roles from a SAML certificate. * * @author tgianos * @since 3.0.0 */ @ConditionalOnProperty("genie.security.saml.enabled") @Component @Slf4j public class SAMLUserDetailsServiceImpl implements SAMLUserDetailsService { private static final GrantedAuthority USER = new SimpleGrantedAuthority("ROLE_USER"); private static final GrantedAuthority ADMIN = new SimpleGrantedAuthority("ROLE_ADMIN"); private final SAMLProperties samlProperties; private final Timer loadTimer; /** * Constructor. * * @param samlProperties The SAML properties to use * @param registry The metrics registry to use */ @Autowired public SAMLUserDetailsServiceImpl(@NotNull final SAMLProperties samlProperties, @NotNull final Registry registry) { this.samlProperties = samlProperties; this.loadTimer = registry.timer("genie.security.saml.parse.timer"); } /** * {@inheritDoc} */ @Override public Object loadUserBySAML(final SAMLCredential credential) throws UsernameNotFoundException { final long start = System.nanoTime(); try { if (credential == null) { throw new UsernameNotFoundException("No credential entered. Unable to get username."); } final String userAttributeName = this.samlProperties.getAttributes().getUser().getName(); final String userId = credential.getAttributeAsString(userAttributeName); if (StringUtils.isBlank(userId)) { throw new UsernameNotFoundException("No user id found using attribute: " + userAttributeName); } // User exists. Give them at least USER role final List<GrantedAuthority> authorities = Lists.newArrayList(USER); // See if we can get any other roles final String groupAttributeName = this.samlProperties.getAttributes().getGroups().getName(); final String adminGroup = this.samlProperties.getAttributes().getGroups().getAdmin(); final String[] groups = credential.getAttributeAsStringArray(groupAttributeName); if (groups == null) { log.warn("No groups found. User will only get ROLE_USER by default."); } else if (Arrays.asList(groups).contains(adminGroup)) { authorities.add(ADMIN); } // For debugging what's available in the credential from the IDP if (log.isDebugEnabled()) { log.debug("Attributes:"); credential.getAttributes().forEach(attribute -> { log.debug("Attribute: {}", attribute.getName()); log.debug("Values: {}", StringUtils.join(credential.getAttributeAsStringArray(attribute.getName()), ',')); }); } log.info("{} is logged in with authorities {}", userId, authorities); return new User(userId, "DUMMY", authorities); } finally { final long finished = System.nanoTime(); this.loadTimer.record(finished - start, TimeUnit.NANOSECONDS); } } }