HttpHeaderTester PAGS tester


HttpHeaderTester PAGS tester

Andrew Petro-3
Hi,

MyUW, based on uPortal 4.2.1, receives some group memberships via a multi-valued HTTP header "ismemberof". It flows from UW's localized Grouper ("Manifest"), through the Shibboleth IdP, through the Shibboleth SP, to MyUW.

We're trying out a custom PAGS "Tester" class to more cleanly check whether that header indicates a user is in a given group.

https://gist.github.com/apetro/cf1f3392ef12a3cc754f4c21d0447e82

Regular expressions are hard.
StringContainsTester is tempting but doesn't get the check quite correct.

The not-quite-correct-ness bit MyUW in production recently, which is the motivation for switching to a Tester that makes it easier to configure correctly.

This new HttpHeaderTester is as easy to configure as StringContainsTester, but checks more carefully to avoid the StringContainsTester false positive case.

Sharing the code in case anyone else finds it useful. It might even spare someone a production incident...

-Andrew

--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
Visit this group at https://groups.google.com/a/apereo.org/group/uportal-user/.

Re: HttpHeaderTester PAGS tester

Andrew Petro-3
Pascal,

You're quite right.

I put together an enhanced uPortal 4.2 Snooper that displays user attributes, and it indeed shows that ismemberof is coming through as a multi-valued user attribute. MyUW could have been using the included StringEqualsTester and saved some trouble.

Thanks,

Andrew

On Wednesday, March 27, 2019 at 6:45:49 AM UTC-5, Andrew Petro wrote:
Pascal,

Interesting, thanks for this.

-Andrew

On Wednesday, March 27, 2019 at 3:32:24 AM UTC-5, pascal.rigaux wrote:
Hi,

Two remarks:

- person-directory-impl 1.6.0 has the following fix:
https://apereo.atlassian.net/browse/PERSONDIR-61
   person-directory-impl 1.6.0 is included since uportal 4.2.0. So
you should be able to simply use StringEqualsTester

- the "standard" for HTTP headers is comma separated values (RFC  
7230). semicolon separated values is a shibboleth-SP convention. So  
our HttpHeaderTester is still needed, it should have another name  
(ShibHeaderTester?)

cu

PS: we had a similar issue in our CMS plugin, it was using substring  
comparison :-(

'Andrew Petro' via uPortal Community wrote:

> Hi,
>
> MyUW, based on uPortal 4.2.1, receives some group memberships via a
> multi-valued HTTP header "ismemberof". It flows from UW's localized Grouper
> ("Manifest"), through the Shibboleth IdP, through the Shibboleth SP, to
> MyUW.
>
> We're trying out a custom PAGS "Tester" class to more cleanly check whether
> that header indicates a user is in a given group.
>
> https://gist.github.com/apetro/cf1f3392ef12a3cc754f4c21d0447e82
>
> Regular expressions are hard.
> StringContainsTester is tempting but doesn't get the check quite correct.
>
> The not-quite-correct-ness bit MyUW in production recently, which is the
> motivation for switching to a Tester that makes it easier to configure
> correctly.
>
> This new HttpHeaderTester is as easy to configure as StringContainsTester,
> but checks more carefully to avoid the StringContainsTester false positive
> case.
>
> Sharing the code in case anyone else finds it useful. It might even spare
> someone a production incident...
>
> -Andrew


--
Pascal Rigaux
