From d4b2bc3f7ae40c4a0b6f0b019d36813df3302ecf Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Sun, 29 Sep 2019 20:53:58 +0200
Subject: [PATCH] Allow SAML attribute used for loginId to be configured

---
 .../AuthenticationProviderProperties.java | 9 +++++++++
 .../security/pac4j/OauthUserDetailsService.java | 16 ++++++++++++++--
 src/main/resources/config/defaults.yml | 1 +
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/config/properties/AuthenticationProviderProperties.java b/src/main/java/de/thm/arsnova/config/properties/AuthenticationProviderProperties.java
index 4b259c7f6..aacb4af6c 100644
--- a/src/main/java/de/thm/arsnova/config/properties/AuthenticationProviderProperties.java
+++ b/src/main/java/de/thm/arsnova/config/properties/AuthenticationProviderProperties.java
@@ -297,6 +297,7 @@ public class AuthenticationProviderProperties {
 private Idp idp;
 private Sp sp;
 private Keystore keystore;
+ private String userIdAttribute;
 private int assertionConsumerServiceIndex;
 private int maxAuthenticationLifetime.
@@ -334,6 +335,14 @@ public class AuthenticationProviderProperties {
 this.keystore = keystore;
 }
+ public String getUserIdAttribute() {
+ return userIdAttribute;
+ }
+
+ public void setUserIdAttribute(final String userIdAttribute) {
+ this.userIdAttribute = userIdAttribute;
+ }
+
 public int getAssertionConsumerServiceIndex() {
 return assertionConsumerServiceIndex;
 }
diff --git a/src/main/java/de/thm/arsnova/security/pac4j/OauthUserDetailsService.java b/src/main/java/de/thm/arsnova/security/pac4j/OauthUserDetailsService.java
index 6c6eb1dcb..dace643aa 100644
--- a/src/main/java/de/thm/arsnova/security/pac4j/OauthUserDetailsService.java
+++ b/src/main/java/de/thm/arsnova/security/pac4j/OauthUserDetailsService.java
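Review bot: The new userIdAttribute property (field in the @@ -297 hunk, accessors in the @@ -334 hunk) carries no Javadoc, so an operator reading the Saml section cannot tell what the value names or what leaving it unset does; that behaviour is only visible in the consumer in OauthUserDetailsService, which falls back to `profile.getId()` when the value is null or empty and otherwise takes the first value of the named attribute. Suggest a Javadoc on `getUserIdAttribute()` such as `/** Name of the SAML attribute whose first value is used as the login ID. When null or empty, the ID of the SAML2 profile (profile.getId()) is used instead. */`, so the configuration contract and the null/empty check in the consumer stay in step.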
@@ -20,6 +20,7 @@ package de.thm.arsnova.security.pac4j;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
 import org.pac4j.oauth.profile.facebook.FacebookProfile;
 import org.pac4j.oauth.profile.twitter.TwitterProfile;
 import org.pac4j.oidc.profile.OidcProfile;
@@ -31,6 +32,7 @@ import org.springframework.security.core.userdetails.AuthenticationUserDetailsSe
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
+import de.thm.arsnova.config.properties.AuthenticationProviderProperties;
 import de.thm.arsnova.model.UserProfile;
 import de.thm.arsnova.security.User;
 import de.thm.arsnova.service.UserService;
@@ -44,10 +46,13 @@ import de.thm.arsnova.service.UserService;
 @Service
 public class OauthUserDetailsService implements AuthenticationUserDetailsService<OAuthToken> {
 private final UserService userService;
+ private final AuthenticationProviderProperties.Saml samlProperties;
 protected final Collection<GrantedAuthority> grantedAuthorities;
- public OauthUserDetailsService(final UserService userService) {
+ public OauthUserDetailsService(final UserService userService,
+ final AuthenticationProviderProperties authenticationProviderProperties) {
 this.userService = userService;
+ this.samlProperties = authenticationProviderProperties.getSaml();
 grantedAuthorities = new HashSet<>();
 grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_USER"));
 grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_OAUTH_USER"));
@@ -77,7 +82,14 @@ public class OauthUserDetailsService implements AuthenticationUserDetailsService
 grantedAuthorities, true);
 } else if (token.getDetails() instanceof SAML2Profile) {
 final SAML2Profile profile = (SAML2Profile) token.getDetails();
- user = userService.loadUser(UserProfile.AuthProvider.SAML, profile.getId(),
+ final String uidAttr = samlProperties.getUserIdAttribute();
+ final String uid;
+ if (uidAttr == null || "".equals(uidAttr)) {
+ uid = profile.getId();
+ } else {
+ uid = profile.getAttribute(uidAttr, List.class).get(0).toString();
+ }
+ user = userService.loadUser(UserProfile.AuthProvider.SAML, uid,
 grantedAuthorities, true);
 } else {
 throw new IllegalArgumentException("AuthenticationToken not supported");
diff --git a/src/main/resources/config/defaults.yml b/src/main/resources/config/defaults.yml
index c3b95f45b..e6fa3dc7d 100644
--- a/src/main/resources/config/defaults.yml
+++ b/src/main/resources/config/defaults.yml
@@ -179,6 +179,7 @@ arsnova:
 store-password: arsnova
 key-alias: saml
 key-password: arsnova
+ user-id-attribute: uid
 assertion-consumer-service-index: 0
 max-authentication-lifetime: 3600
-- 
GitLab
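Review bot: In the new else branch, `profile.getAttribute(uidAttr, List.class).get(0).toString()` dereferences the lookup result without checking it, so an assertion that lacks the configured attribute fails with a NullPointerException and one that carries it with no values fails with IndexOutOfBoundsException — neither is an authentication failure the caller can handle or report. The file already imports UsernameNotFoundException (visible in the @@ -31 hunk), so the missing/empty case should be rejected with that exception, and an empty first value should be rejected as well instead of being passed to loadUser as an empty login ID; when the attribute is multi-valued only the first value is used, which deserves a comment. `List.class` also leaves a raw List in the expression, which a `List<?>` local avoids. The enclosing method starts and ends outside the hunk.

```java
final SAML2Profile profile = (SAML2Profile) token.getDetails();
final String uidAttr = samlProperties.getUserIdAttribute();
final String uid;
if (uidAttr == null || uidAttr.isEmpty()) {
	uid = profile.getId();
} else {
	/* Only the first value of a multi-valued attribute is used. Reject an
	 * absent or empty attribute as an authentication failure instead of
	 * letting it surface as an NPE/IndexOutOfBounds. */
	final List<?> values = profile.getAttribute(uidAttr, List.class);
	final String first = (values == null || values.isEmpty() || values.get(0) == null)
			? null : values.get(0).toString();
	if (first == null || first.isEmpty()) {
		throw new UsernameNotFoundException(
				"SAML attribute '" + uidAttr + "' used for the login ID is missing or empty");
	}
	uid = first;
}
// … unchanged: userService.loadUser(...) call …
```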
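Review bot: Defaulting `user-id-attribute` to `uid` changes the login ID source for every existing SAML deployment, because the consumer in OauthUserDetailsService only falls back to `profile.getId()` when the value is null or empty. An IdP that does not release a `uid` attribute will then fail SAML logins with the unchecked lookup in that hunk, and one that does release it may map existing accounts to a different login ID than before (not verifiable from here). A default that keeps the previous behaviour, `user-id-attribute:` left empty with the attribute name documented as an opt-in, would be the safer choice; if `uid` is intentionally the new default, the migration impact should be stated in the commit description or a comment next to the key.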