add IP Address Authn Handler implementation (SIDP-5)
authorwnorris <wnorris@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Sat, 23 Feb 2008 00:13:11 +0000 (00:13 +0000)
committerwnorris <wnorris@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Sat, 23 Feb 2008 00:13:11 +0000 (00:13 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2637 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

resources/classpath/schema/shibboleth-2.0-idp-profile-handler.xsd
src/edu/internet2/middleware/shibboleth/idp/config/profile/ProfileHandlerNamespaceHandler.java
src/edu/internet2/middleware/shibboleth/idp/config/profile/authn/IPAddressLoginHandlerBeanDefinitionParser.java [new file with mode: 0644]
src/edu/internet2/middleware/shibboleth/idp/config/profile/authn/IPAddressLoginHandlerFactoryBean.java [new file with mode: 0644]

index c1e0335..d2eb0ca 100644 (file)
@@ -32,8 +32,7 @@
             <xsd:sequence>
                 <xsd:element name="ErrorHandler" type="ErrorHandlerType" />
                 <xsd:element name="ProfileHandler" type="RequestHandlerType" minOccurs="0" maxOccurs="unbounded" />
-                <xsd:element name="LoginHandler" type="LoginHandlerType" minOccurs="0"
-                    maxOccurs="unbounded" />
+                <xsd:element name="LoginHandler" type="LoginHandlerType" minOccurs="0" maxOccurs="unbounded" />
             </xsd:sequence>
         </xsd:complexType>
     </xsd:element>
@@ -46,7 +45,7 @@
             <xsd:extension base="RequestURIMappedProfileHandlerType" />
         </xsd:complexContent>
     </xsd:complexType>
-    
+
     <xsd:complexType name="SAMLMetadata">
         <xsd:annotation>
             <xsd:documentation>Basic handler that returns a general status of the IdP.</xsd:documentation>
@@ -55,9 +54,7 @@
             <xsd:extension base="RequestURIMappedProfileHandlerType">
                 <xsd:attribute name="metadataFile" type="xsd:string" use="required">
                     <xsd:annotation>
-                        <xsd:documentation>
-                            Location of the static IdP metadata file.
-                        </xsd:documentation>
+                        <xsd:documentation>Location of the static IdP metadata file.</xsd:documentation>
                     </xsd:annotation>
                 </xsd:attribute>
             </xsd:extension>
@@ -90,7 +87,7 @@
             <xsd:extension base="SAML2ProfileHandler" />
         </xsd:complexContent>
     </xsd:complexType>
-    
+
     <xsd:complexType name="SAML2ArtifactResolution">
         <xsd:annotation>
             <xsd:documentation>Configuration type for SAML 2 artifact resolution profile handlers.</xsd:documentation>
                 <xsd:attribute name="artifactMapRef" type="xsd:string" default="shibboleth.ArtifactMap">
                     <xsd:annotation>
                         <xsd:documentation>
-                            Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact objects.
+                            Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact
+                            objects.
                         </xsd:documentation>
                     </xsd:annotation>
                 </xsd:attribute>
             <xsd:extension base="SAML1ProfileHandler" />
         </xsd:complexContent>
     </xsd:complexType>
-    
+
     <xsd:complexType name="SAML1ArtifactResolution">
         <xsd:annotation>
             <xsd:documentation>Configuration type for SAML 1 artifact resolution profile handlers.</xsd:documentation>
                 <xsd:attribute name="artifactMapRef" type="xsd:string" default="shibboleth.ArtifactMap">
                     <xsd:annotation>
                         <xsd:documentation>
-                            Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact objects.
+                            Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact
+                            objects.
                         </xsd:documentation>
                     </xsd:annotation>
                 </xsd:attribute>
                 </xsd:attribute>
                 <xsd:attribute name="inboundBinding" type="xsd:anyURI" use="required">
                     <xsd:annotation>
-                        <xsd:documentation>
-                            The SAML message binding used by inbound messages.
-                        </xsd:documentation>
+                        <xsd:documentation>The SAML message binding used by inbound messages.</xsd:documentation>
                     </xsd:annotation>
                 </xsd:attribute>
-                <xsd:attribute name="outboundBindingEnumeration" >
+                <xsd:attribute name="outboundBindingEnumeration">
                     <xsd:annotation>
                         <xsd:documentation>
                             An ordered list of outbound bindings supported by this profile handler. The order provided
             <xsd:extension base="ShibbolethProfileHandlerType" />
         </xsd:complexContent>
     </xsd:complexType>
-    
+
     <xsd:complexType name="PreviousSession">
         <xsd:complexContent>
             <xsd:extension base="LoginHandlerType">
                 <xsd:attribute name="reportPreviousSessionAuthnMethod" type="xsd:boolean" default="false">
                     <xsd:annotation>
                         <xsd:documentation>
-                            Whether this login handler should report its authentication method as PreviousSession 
-                            or the authentication method requested by the peer.
+                            Whether this login handler should report its authentication method as PreviousSession or the
+                            authentication method requested by the peer.
                         </xsd:documentation>
                     </xsd:annotation>
                 </xsd:attribute>
         </xsd:complexContent>
     </xsd:complexType>
 
+    <xsd:complexType name="IPAddress">
+        <xsd:complexContent>
+            <xsd:extension base="LoginHandlerType">
+                <xsd:sequence>
+                    <xsd:element name="IPEntry" type="xsd:string" maxOccurs="unbounded">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                An IP addresses in CIDR notation. For example, a single IP address of 192.168.1.1 would
+                                have the CIDR notation of 192.168.1.1/32. For the entire 192.168.0.0 class B network,
+                                the CIDR notation would be 192.168.0.0/16.
+                            </xsd:documentation>
+                        </xsd:annotation>
+                    </xsd:element>
+                </xsd:sequence>
+                <xsd:attribute name="username" type="xsd:string">
+                    <xsd:annotation>
+                        <xsd:documentation>
+                            The username that will be presented to the IdP for all IP-address authenticated users.
+                        </xsd:documentation>
+                    </xsd:annotation>
+                </xsd:attribute>
+                <xsd:attribute name="defaultDeny" type="xsd:boolean">
+                    <xsd:annotation>
+                        <xsd:documentation>
+                            If defaultDeny is true then only the IP addresses listed will be "authenticated." If
+                            defaultDeny is false, then all IP addresses except those listed will be authenticated.
+                        </xsd:documentation>
+                    </xsd:annotation>
+                </xsd:attribute>
+            </xsd:extension>
+        </xsd:complexContent>
+    </xsd:complexType>
+
     <xsd:complexType name="LoginHandlerType" abstract="true">
         <xsd:annotation>
             <xsd:documentation>Base type for authentication handler types.</xsd:documentation>
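Review bot: The new `IPAddress` complex type declares `defaultDeny` with neither a `default` nor `use="required"`, and `username` as optional, so a configuration that omits either validates cleanly while the handler's accept-or-reject behaviour for unlisted addresses is left to whatever the Java parser does with a missing attribute. For a fail-closed default the attribute lines should read `<xsd:attribute name="defaultDeny" type="xsd:boolean" default="true">` and `<xsd:attribute name="username" type="xsd:string" use="required">`, so that an operator who leaves them out gets an allow-list rather than an accept-everything-but handler and a validation error rather than an empty principal name. The IPEntry documentation also reads "An IP addresses in CIDR notation", which should be "An IP address in CIDR notation".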
index a650933..8e6565e 100644 (file)
@@ -21,6 +21,7 @@ import javax.xml.namespace.QName;
 import edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler;
 import edu.internet2.middleware.shibboleth.common.config.profile.JSPErrorHandlerBeanDefinitionParser;
 import edu.internet2.middleware.shibboleth.common.config.profile.VelocityErrorHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.authn.IPAddressLoginHandlerBeanDefinitionParser;
 import edu.internet2.middleware.shibboleth.idp.config.profile.authn.PreviousSessionLoginHandlerBeanDefinitionParser;
 import edu.internet2.middleware.shibboleth.idp.config.profile.authn.RemoteUserLoginHandlerBeanDefinitionParser;
 import edu.internet2.middleware.shibboleth.idp.config.profile.authn.UsernamePasswordLoginHandlerBeanDefinitionParser;
@@ -82,5 +83,8 @@ public class ProfileHandlerNamespaceHandler extends BaseSpringNamespaceHandler {
 
         registerBeanDefinitionParser(UsernamePasswordLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
                 new UsernamePasswordLoginHandlerBeanDefinitionParser());
+        
+        registerBeanDefinitionParser(IPAddressLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new IPAddressLoginHandlerBeanDefinitionParser());
     }
 }
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/config/profile/authn/IPAddressLoginHandlerBeanDefinitionParser.java b/src/edu/internet2/middleware/shibboleth/idp/config/profile/authn/IPAddressLoginHandlerBeanDefinitionParser.java
new file mode 100644 (file)
index 0000000..c3dc07d
--- /dev/null
@@ -0,0 +1,78 @@
+/*
+ * Copyright 2008 University Corporation for Advanced Internet Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile.authn;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.xml.namespace.QName;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.opensaml.xml.util.XMLHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.w3c.dom.Element;
+
+import edu.internet2.middleware.shibboleth.idp.config.profile.ProfileHandlerNamespaceHandler;
+
+/**
+ * Spring bean definition parser for IP address authentication handlers.
+ */
+public class IPAddressLoginHandlerBeanDefinitionParser extends AbstractLoginHandlerBeanDefinitionParser {
+
+    /** Schema type. */
+    public static final QName SCHEMA_TYPE = new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "IPAddress");
+
+    /** Name of ip entry elements. */
+    public static final QName IP_ENTRY_ELEMENT_NAME = new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "IPEntry");
+
+    /** Class logger. */
+    private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandlerBeanDefinitionParser.class);
+
+    /** {@inheritDoc} */
+    protected Class getBeanClass(Element element) {
+        return IPAddressLoginHandlerFactoryBean.class;
+    }
+
+    /** {@inheritDoc} */
+    protected void doParse(Element config, BeanDefinitionBuilder builder) {
+        super.doParse(config, builder);
+
+        boolean defaultDeny = XMLHelper.getAttributeValueAsBoolean(config.getAttributeNodeNS(null, "defaultDeny"));
+        log.debug("Setting defaultDeny to: {}", defaultDeny);
+        builder.addPropertyValue("defaultDeny", defaultDeny);
+
+        String username = DatatypeHelper.safeTrim(config.getAttributeNS(null, "username"));
+        log.debug("Setting username to: {}", username);
+        builder.addPropertyValue("username", username);
+
+        Map<QName, List<Element>> children = XMLHelper.getChildElements(config);
+        List<Element> ipEntries = children.get(IP_ENTRY_ELEMENT_NAME);
+        List<String> addresses = new ArrayList<String>();
+
+        for (Element element : ipEntries) {
+            String address = DatatypeHelper.safeTrimOrNullString(element.getTextContent());
+            if (address != null) {
+                log.debug("Adding IP Address: {}", address);
+                addresses.add(address);
+            }
+        }
+        builder.addPropertyValue("addresses", addresses);
+    }
+}
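Review bot: `children.get(IP_ENTRY_ELEMENT_NAME)` on the line that initialises `ipEntries` can return null when the element carries no IPEntry children, and the `for` loop two lines later then fails with a NullPointerException instead of a configuration error; I cannot see XMLHelper.getChildElements here, so this assumes the map only holds keys for children that are actually present. Separately, `defaultDeny` is read through `getAttributeValueAsBoolean` on an attribute node that may be null because the schema gives the attribute no default, and `username` is read with `safeTrim`, so an omitted username becomes the empty string and is set as the principal for every address-authenticated user; both should be rejected at parse time rather than silently passed to the handler. The rewritten body below guards the IPEntry list and turns a missing `defaultDeny` or empty `username` into an explicit failure.
```java
    protected void doParse(Element config, BeanDefinitionBuilder builder) {
        super.doParse(config, builder);

        // A missing defaultDeny must not silently decide whether unlisted addresses are accepted.
        if (!config.hasAttributeNS(null, "defaultDeny")) {
            throw new IllegalArgumentException("IPAddress login handler requires a defaultDeny attribute");
        }
        boolean defaultDeny = XMLHelper.getAttributeValueAsBoolean(config.getAttributeNodeNS(null, "defaultDeny"));
        // … unchanged: debug logging and builder.addPropertyValue("defaultDeny", defaultDeny) …

        // An empty username would be asserted as the principal for every address-authenticated user.
        String username = DatatypeHelper.safeTrimOrNullString(config.getAttributeNS(null, "username"));
        if (username == null) {
            throw new IllegalArgumentException("IPAddress login handler requires a non-empty username attribute");
        }
        // … unchanged: debug logging and builder.addPropertyValue("username", username) …

        Map<QName, List<Element>> children = XMLHelper.getChildElements(config);
        List<Element> ipEntries = children.get(IP_ENTRY_ELEMENT_NAME);
        List<String> addresses = new ArrayList<String>();
        if (ipEntries != null) {
            // … unchanged: trim each IPEntry and add non-empty values to addresses …
        }
        builder.addPropertyValue("addresses", addresses);
    }
```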
diff --git a/src/edu/internet2/middleware/shibboleth/idp/config/profile/authn/IPAddressLoginHandlerFactoryBean.java b/src/edu/internet2/middleware/shibboleth/idp/config/profile/authn/IPAddressLoginHandlerFactoryBean.java
new file mode 100644 (file)
index 0000000..27067aa
--- /dev/null
@@ -0,0 +1,105 @@
+/*
+ * Copyright 2008 University Corporation for Advanced Internet Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile.authn;
+
+import java.util.List;
+
+import edu.internet2.middleware.shibboleth.idp.authn.provider.IPAddressLoginHandler;
+
+/**
+ * Spring factory for {@link IPAddressLoginHandler}.
+ */
+public class IPAddressLoginHandlerFactoryBean extends AbstractLoginHandlerFactoryBean {
+
+    /** The list of denied or permitted IPs. */
+    private List<String> addresses;
+
+    /** The username to use for IP-address "authenticated" users. */
+    private String username;
+
+    /** Are the IPs in ipList a permitted list or a deny list. */
+    private boolean defaultDeny;
+
+    /** {@inheritDoc} */
+    protected Object createInstance() throws Exception {
+        IPAddressLoginHandler handler = new IPAddressLoginHandler();
+        handler.setUsername(getUsername());
+        handler.setEntries(getAddresses(), isDefaultDeny());
+        populateHandler(handler);
+        return handler;
+    }
+
+    /** {@inheritDoc} */
+    public Class getObjectType() {
+        return IPAddressLoginHandler.class;
+    }
+
+    /**
+     * Get the list of denied or permitted IPs.
+     * 
+     * @return list of denied or permitted IPs
+     */
+    public List<String> getAddresses() {
+        return addresses;
+    }
+
+    /**
+     * Set the list of denied or permitted IPs.
+     * 
+     * @param newAddresses list of denied or permitted IPs
+     */
+    public void setAddresses(List<String> newAddresses) {
+        addresses = newAddresses;
+    }
+
+    /**
+     * Get the username to use for IP-address "authenticated" users.
+     * 
+     * @return username to use for IP-address "authenticated" users
+     */
+    public String getUsername() {
+        return username;
+    }
+
+    /**
+     * Set the username to use for IP-address "authenticated" users.
+     * 
+     * @param newUsername username to use for IP-address "authenticated" users
+     */
+    public void setUsername(String newUsername) {
+        username = newUsername;
+    }
+
+    /**
+     * Get whether the IPs in ipList a permitted list or a deny list.
+     * 
+     * @return whether the IPs in ipList a permitted list or a deny list
+     */
+    public boolean isDefaultDeny() {
+        return defaultDeny;
+    }
+
+    /**
+     * Set whether the IPs in ipList a permitted list or a deny list.
+     * 
+     * @param newDefaultDeny whether the IPs in ipList a permitted list or a deny list.
+     */
+    public void setDefaultDeny(boolean newDefaultDeny) {
+        defaultDeny = newDefaultDeny;
+    }
+
+}
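Review bot: The Javadoc on the `defaultDeny` field and on `isDefaultDeny`/`setDefaultDeny` refers to a field named `ipList`, which does not exist in this class — the list is `addresses` — and the phrase "whether the IPs in ipList a permitted list or a deny list" does not say which boolean value means which. Following the schema's description of the attribute, the field comment should read `/** Whether {@code addresses} is the only permitted set (true) or a denied set (false). */`, with the accessor `@return`/`@param` lines worded the same way. `createInstance` also passes `getAddresses()` through unchanged, so a factory whose `addresses` property was never set hands null to `IPAddressLoginHandler.setEntries`; that class is not in this commit, so whether it tolerates null cannot be confirmed here and a `Objects`-style null check or `Collections.emptyList()` fallback in `setAddresses` would make the behaviour explicit.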