From 2d60a46f120af8f65f5047a0d5b0806a900a6f58 Mon Sep 17 00:00:00 2001 From: Misagh Moayyed Date: Tue, 8 Oct 2019 16:39:40 +0400 Subject: [PATCH] switch plugin to use external authn flow --- .../authn/Shibcas/shibcas-authn-beans.xml | 67 ------------------- .../authn/Shibcas/shibcas-authn-flow.xml | 36 ---------- README.md | 45 ++++--------- gradle.properties | 6 +- .../idp/externalauth/ShibcasAuthServlet.java | 4 +- 5 files changed, 17 insertions(+), 141 deletions(-) delete mode 100644 IDP_HOME/flows/authn/Shibcas/shibcas-authn-beans.xml delete mode 100644 IDP_HOME/flows/authn/Shibcas/shibcas-authn-flow.xml diff --git a/IDP_HOME/flows/authn/Shibcas/shibcas-authn-beans.xml b/IDP_HOME/flows/authn/Shibcas/shibcas-authn-beans.xml deleted file mode 100644 index e370b1a..0000000 --- a/IDP_HOME/flows/authn/Shibcas/shibcas-authn-beans.xml +++ /dev/null @@ -1,67 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - AuthenticationException - - - - - InvalidAuthenticationContext - - - - - NoPassive - - - - - InvalidTicket - - - - - diff --git a/IDP_HOME/flows/authn/Shibcas/shibcas-authn-flow.xml b/IDP_HOME/flows/authn/Shibcas/shibcas-authn-flow.xml deleted file mode 100644 index 1e7d8a9..0000000 --- a/IDP_HOME/flows/authn/Shibcas/shibcas-authn-flow.xml +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/README.md b/README.md index d8e3b59..a1fb078 100644 --- a/README.md +++ b/README.md 
@@ -27,21 +27,14 @@ Installation #### Overview -1. Copy the Spring Webflow files, jsp, and included jar files into the IDP_HOME. -1. Download and extract the "latest release" zip or tar from releases. The internal folder structure matches file locations in your IdP. -1. Copy the Spring Webflow files (shibcas-autn-beans.xml and shibcas-authn-flow.xml) to your IDP_HOME/flows/authn/Shibcas folder. Note you may have to create the Shibcas folder. -1. Copy the no-conversation-state.jsp file to your IDP_HOME/edit-webapp -1. Copy two included jar files (cas-client-core-x.x.x.jar and shib-casuathenticator-x.x.x.jar) into the IDP_HOME/edit-webapp/WEB-INF/lib.1. Update the IdP's `web.xml`. (optional) -1. Update the IdP's `idp.properties` file. -1. Update the IdP's `general-authn.xml` file. -1. Rebuild the war file. - -#### Copy the Spring Webflow files into the IDP_HOME -Copy the two xml files from the IDP_HOME directory (in the src tree) to the corresponding layout in your Shibboleth IdP home directory. - -#### Update the IdP's `web.xml` (optional) -> The servlet will register itself with the container when running under a Servlet 3.0 compliant container (such as Jetty 9). -This step is provided for legacy reasons. +- Download and extract the "latest release" zip or tar from releases. The internal folder structure matches file locations in your IdP. +- Copy the no-conversation-state.jsp file to your `IDP_HOME/edit-webapp` +- Copy two included jar files (`cas-client-core-x.x.x.jar` and `shib-casuathenticator-x.x.x.jar`) into the IDP_HOME/edit-webapp/WEB-INF/lib. +- Update the IdP's `web.xml`. +- Update the IdP's `idp.properties` file. +- Rebuild the war file. + +#### Update the IdP's `web.xml` Add the ShibCas Auth Servlet entry in `IDP_HOME/edit-webapp/WEB-INF/web.xml` (Copy from `IDP_HOME/webapp/WEB-INF/web.xml`, if necessary.) 
@@ -57,21 +50,21 @@ Example snippet `web.xml`: ShibCas Auth Servlet - /Authn/ExtCas/* + /Authn/External/* ... ``` #### Update the IdP's idp.properties file -1. Set the `idp.authn.flows` to `Shibcas`. Or, for advance cases, add `Shibcas` to the list. +1. Set the `idp.authn.flows` to `External`. Or, for advance cases, add `External` to the list. 1. Add the additional properties. ```properties ... # Regular expression matching login flows to enable, e.g. IPAddress|Password #idp.authn.flows = Password -idp.authn.flows = Shibcas +idp.authn.flows = External # CAS Client properties (usage loosely matches that of the Java CAS Client) ## CAS Server Properties @@ -96,24 +89,10 @@ shibcas.serverName = https://shibserver.example.edu ... ``` -#### Update the IdP's `general-authn.xml` file. -Register the module with the IdP by adding the `authn/Shibcas` bean in `IDP_HOME/conf/authn/general-authn.xml`: - -```xml -... - - - -... -``` - #### Rebuild the war file -From the `IDP_HOME/bin` directory, run `./build.sh` or `build.bat` to rebuild the `idp.war`. Redeploy if necessary. +From the `IDP_HOME/bin` directory, run `./build.sh` or `build.bat` to rebuild the `idp.war`. Redeploy if necessary. #### CAS Service Registry By setting `shibcas.entityIdLocation=embed`, shib-cas-authn will embed the entityId in the service string so that CAS Server diff --git a/gradle.properties b/gradle.properties index 8d25da0..8089261 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,11 +1,11 @@ gradleVersion=4.5 -version=3.2.4 +version=3.3.0 -casClientVersion=3.5.1 +casClientVersion=3.6.0 commonLangVersion=2.5 junitVersion=4.12 mockitoVersion=1.9.5 powermockVersion=1.6.1 servletVersion=3.0.1 -shibIdpVersion=3.3.0 +shibIdpVersion=3.4.6 diff --git a/src/main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java b/src/main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java index 28d0450..1e6c7bb 100644 --- a/src/main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java 
+++ b/src/main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java
@@ -41,7 +41,7 @@
 * @author jgasper@unicon.net
 * @author aremmes (GitHub)
 */
-@WebServlet(name = "ShibcasAuthServlet", urlPatterns = {"/Authn/ExtCas/*"})
+@WebServlet(name = "ShibcasAuthServlet", urlPatterns = {"/Authn/External/*"})
 public class ShibcasAuthServlet extends HttpServlet {
 private final Logger logger = LoggerFactory.getLogger(ShibcasAuthServlet.class);
 private static final long serialVersionUID = 1L;
@@ -140,7 +140,7 @@ protected void startLoginRequest(final HttpServletRequest request, final HttpSer
 * Uses the CAS CommonUtils to build the CAS Redirect URL.
 */
 private String constructRedirectUrl(final String serviceUrl, final boolean renew, final boolean gateway) {
- return CommonUtils.constructRedirectUrl(casLoginUrl, "service", serviceUrl, renew, gateway);
+ return CommonUtils.constructRedirectUrl(casLoginUrl, "service", serviceUrl, renew, gateway, null);
 }
 
 /**
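Review bot: In the `@@ -41,7 +41,7 @@` hunk, the new `urlPatterns = {"/Authn/External/*"}` on `ShibcasAuthServlet` is a bare literal that must stay in step with two things outside this class: the `web.xml` mapping the README tells deployers to add, and whatever path the IdP's External flow is configured to hand off to. An upgraded deployment that still carries the old `/Authn/ExtCas/*` mapping in `edit-webapp/WEB-INF/web.xml`, or an IdP that already serves another external-authentication handler on `/Authn/External/*`, could have the login hand-off reach the wrong servlet or none at all. I would add a line to the class Javadoc just above the annotation, e.g. `* Mapped to /Authn/External/* so the IdP's External authn flow dispatches here; keep web.xml and the flow's external path in sync.` The class body continues outside the hunk.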
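Review bot: In the `@@ -140,7 +140,7 @@` hunk, the trailing `null` added to the `CommonUtils.constructRedirectUrl(...)` call is unexplained, and the Javadoc above `constructRedirectUrl` says nothing about it. It appears to be the `method` argument of the six-parameter overload in the CAS client this commit moves to (`casClientVersion=3.6.0`), with `null` meaning no `method` parameter is appended to the login URL. Saying so keeps a later reader from treating it as a forgotten value: `// method = null: do not add a "method" parameter to the CAS login redirect`. Because the call now links only against the newer client, an IdP that still has an older `cas-client-core` jar in `WEB-INF/lib` would presumably fail at the first login redirect rather than at startup, which is worth a line in the upgrade notes.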