func WayfAttributeHandler(idp_md, hub_md, sp_md, response *gosaml.Xp) (err error) {
sourceAttributes := response.Query(nil, `/samlp:Response/saml:Assertion/saml:AttributeStatement`)[0]
idp := response.Query1(nil, "/samlp:Response/saml:Issuer")
attCS := hub_md.Query(nil, "./md:SPSSODescriptor/md:AttributeConsumingService")[0]
// First check for mandatory and multiplicity
requestedAttributes := hub_md.Query(attCS, `md:RequestedAttribute[not(@computed)]`) // [@isRequired='true' or @isRequired='1']`)
for _, requestedAttribute := range requestedAttributes {
name := requestedAttribute.GetAttr("Name")
friendlyName := requestedAttribute.GetAttr("FriendlyName")
//nameFormat := requestedAttribute.GetAttr("NameFormat")
mandatory := hub_md.QueryBool(requestedAttribute, "@mandatory")
//must := hub_md.QueryBool(requestedAttribute, "@must")
singular := hub_md.QueryBool(requestedAttribute, "@singular")
// accept attributes in both uri and basic format
attributes := response.Query(sourceAttributes, `saml:Attribute[@Name="`+name+`" or @Name="`+friendlyName+`"]`)
if len(attributes) == 0 && mandatory {
err = fmt.Errorf("mandatory: %s", friendlyName)
return
}
for _, attribute := range attributes {
valueNodes := response.Query(attribute, `saml:AttributeValue`)
if len(valueNodes) > 1 && singular {
err = fmt.Errorf("multiple values for singular attribute: %s", name)
return
}
if len(valueNodes) != 1 && mandatory {
err = fmt.Errorf("mandatory: %s", friendlyName)
return
}
attribute.SetAttr("Name", name)
attribute.SetAttr("FriendlyName", friendlyName)
attribute.SetAttr("NameFormat", uri)
}
}
// check that the security domain of eppn is one of the domains in the shib:scope list
// we just check that everything after the (leftmost|rightmost) @ is in the scope list and save the value for later
eppn := response.Query1(sourceAttributes, "saml:Attribute[@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.6']/saml:AttributeValue")
eppnregexp := regexp.MustCompile(`^[^\@]+\@([a-zA-Z0-9\.-]+)$`)
matches := eppnregexp.FindStringSubmatch(eppn)
if len(matches) != 2 {
err = fmt.Errorf("eppn does not seem to be an eppn: %s", eppn)
return
}
securitydomain := matches[1]
scope := idp_md.Query(nil, "//shibmd:Scope[.='"+securitydomain+"']")
if len(scope) == 0 {
err = fmt.Errorf("security domain '%s' for eppn does not match any scopes", securitydomain)
}
val := idp_md.Query1(nil, "./md:Extensions/wayf:wayf/wayf:wayf_schacHomeOrganizationType")
gosaml.CpAndSet(sourceAttributes, response, hub_md, attCS, "schacHomeOrganizationType", val)
val = idp_md.Query1(nil, "./md:Extensions/wayf:wayf/wayf:wayf_schacHomeOrganization")
gosaml.CpAndSet(sourceAttributes, response, hub_md, attCS, "schacHomeOrganization", val)
if response.Query1(sourceAttributes, `saml:Attribute[@FriendlyName="displayName"]/saml:AttributeValue`) == "" {
if cn := response.Query1(sourceAttributes, `saml:Attribute[@FriendlyName="cn"]/saml:AttributeValue`); cn != "" {
gosaml.CpAndSet(sourceAttributes, response, hub_md, attCS, "displayName", cn)
}
}
salt := "6xfkhc7juin4vlbetmmc0eyxumelnoku"
sp := sp_md.Query1(nil, "@entityID")
uidhashbase := "uidhashbase" + salt
uidhashbase += strconv.Itoa(len(idp)) + ":" + idp
uidhashbase += strconv.Itoa(len(sp)) + ":" + sp
uidhashbase += strconv.Itoa(len(eppn)) + ":" + eppn
uidhashbase += salt
eptid := "WAYF-DK-" + hex.EncodeToString(gosaml.Hash(crypto.SHA1, uidhashbase))
gosaml.CpAndSet(sourceAttributes, response, hub_md, attCS, "eduPersonTargetedID", eptid)
dkcprpreg := regexp.MustCompile(`^urn:mace:terena.org:schac:personalUniqueID:dk:CPR:(\d\d)(\d\d)(\d\d)(\d)\d\d\d$`)
for _, cprelement := range response.Query(sourceAttributes, `saml:Attribute[@FriendlyName="schacPersonalUniqueID"]`) {
// schacPersonalUniqueID is multi - use the first DK cpr found
cpr := strings.TrimSpace(response.NodeGetContent(cprelement))
if matches := dkcprpreg.FindStringSubmatch(cpr); len(matches) > 0 {
cpryear, _ := strconv.Atoi(matches[3])
c7, _ := strconv.Atoi(matches[4])
year := strconv.Itoa(yearfromyearandcifferseven(cpryear, c7))
gosaml.CpAndSet(sourceAttributes, response, hub_md, attCS, "schacDateOfBirth", year+matches[2]+matches[1])
gosaml.CpAndSet(sourceAttributes, response, hub_md, attCS, "schacYearOfBirth", year)
break
}
}
subsecuritydomain := "." + securitydomain
epsas := make(map[string]bool)
for _, epsa := range response.QueryMulti(sourceAttributes, `saml:Attribute[@FriendlyName="eduPersonScopedAffiliation"]/saml:AttributeValue`) {
epsa = strings.TrimSpace(epsa)
epsaparts := strings.SplitN(epsa, "@", 2)
if len(epsaparts) != 2 {
fmt.Errorf("eduPersonScopedAffiliation: %s does not end with a domain", epsa)
return
}
if !strings.HasSuffix(epsaparts[1], subsecuritydomain) && epsaparts[1] != securitydomain {
fmt.Printf("eduPersonScopedAffiliation: %s has not '%s' as a domain suffix", epsa, securitydomain)
return
}
epsas[epsa] = true
}
// primaryaffiliation => affiliation
epaAdd := []string{}
eppa := response.Query1(sourceAttributes, `saml:Attribute[@FriendlyName="eduPersonPrimaryAffiliation"]`)
eppa = strings.TrimSpace(eppa)
epas := response.QueryMulti(sourceAttributes, `saml:Attribute[@FriendlyName="eduPersonAffiliation"]`)
epaset := make(map[string]bool)
for _, epa := range epas {
epaset[strings.TrimSpace(epa)] = true
}
if !epaset[eppa] {
epaAdd = append(epaAdd, eppa)
epaset[eppa] = true
}
// 'student', 'faculty', 'staff', 'employee' => member
if epaset["student"] || epaset["faculty"] || epaset["staff"] || epaset["employee"] {
epaAdd = append(epaAdd, "member")
epaset["member"] = true
}
d := sourceAttributes.AddChild(hub_md.CopyNode(hub_md.Query(attCS, `md:RequestedAttribute[@FriendlyName="eduPersonAffiliation"]`)[0], 2))
for i, epa := range epaAdd {
response.QueryDashP(d, `saml:AttributeValue[`+strconv.Itoa(i+1)+`]`, epa, nil)
}
d = sourceAttributes.AddChild(hub_md.CopyNode(hub_md.Query(attCS, `md:RequestedAttribute[@FriendlyName="eduPersonScopedAffiliation"]`)[0], 2))
i := 1
for epa, _ := range epaset {
if epsas[epa] {
continue
}
response.QueryDashP(d, `saml:AttributeValue[`+strconv.Itoa(i)+`]`, epa+"@"+securitydomain, nil)
i += 1
}
return
// legal affiliations 'student', 'faculty', 'staff', 'affiliate', 'alum', 'employee', 'library-walk-in', 'member'
// affiliations => scopedaffiliations
}
