# Entitlement Check Example Rule
```drools
package edu.kit.scc.webreg.dools.unicluster
import edu.kit.scc.webreg.entity.SamlUserEntity;
import edu.kit.scc.webreg.drools.UnauthorizedUser;
import edu.kit.scc.webreg.entity.SamlIdpMetadataEntity;
global org.slf4j.Logger logger;
rule "is bwIdm Member"
    // Marks a user as unauthorized when the entity-category list of the user's
    // IdP (presumably the SamlIdpMetadataEntity behind `idp`) does not contain
    // the DFN-AAI bwidm-member category.
    when
        $user : SamlUserEntity(
            idp.getEntityCategoryList() not contains "http://aai.dfn.de/category/bwidm-member"
        )
    then
        logger.info("User {} is not bwIdm Member", $user.getEppn());
        // The inserted fact carries the reason code for the denial.
        insert(new UnauthorizedUser($user, "not-bwidm-member"));
end
rule "Email is set"
    // Marks a user as unauthorized when no e-mail address is stored.
    // Only null is tested; an empty string would pass this rule unchanged.
    // NOTE(review): confirm whether the entity can ever hold "" here.
    when
        $user : SamlUserEntity(email == null)
    then
        logger.info("E-Mail for user {} is not set", $user.getEppn());
        insert(new UnauthorizedUser($user, "e-mail-missing"));
end
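rule "Entitlement is set"
    // Marks a user as unauthorized when the eduPersonEntitlement attribute
    // (urn:oid:1.3.6.1.4.1.5923.1.1.1.7) read from the attribute store does not
    // carry the required service entitlement.
    // The (^|;) and (;|$) groups allow the attribute to be a single string of
    // ';'-joined values and require the entitlement to be one whole value, not
    // a substring of another one.
    // The dots in the host name are escaped so that only the literal host name
    // matches; an unescaped '.' would accept any character in that position.
    // In Drools `matches` is false for a null value, so `not matches` fires
    // for a user without the attribute as well (fail closed) -- presumably
    // intended; verify against the Drools version in use.
    when
        $user : SamlUserEntity(
            attributeStore["urn:oid:1.3.6.1.4.1.5923.1.1.1.7"]
                not matches ".*(^|;)http://evil-corp\\.com/entitlement/svc01(;|$).*"
        )
    then
        logger.info("Entitlement for user {} is missing", $user.getEppn());
        insert(new UnauthorizedUser($user, "entitlement-missing"));
end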
rule "uidNumber above 1000"
    // Marks a user as unauthorized when no uidNumber is assigned or it is
    // below 1000 (presumably to stay clear of a reserved low uid range).
    // Boundary: 1000 itself passes, despite the rule name saying "above".
    when
        $user : SamlUserEntity(uidNumber == null || uidNumber < 1000)
    then
        logger.info("User {} has uidNumber null or lesser thean 1000", $user.getEppn());
        insert(new UnauthorizedUser($user, "uid-number-wrong"));
end
rule "primary group is set"
    // Marks a user as unauthorized when there is no primary group or the
    // group is the placeholder named "invalid".
    // In DRL constraints `==` on strings is an equals() comparison, not the
    // reference comparison Java would perform.
    when
        $user : SamlUserEntity(
            primaryGroup == null || primaryGroup.getName() == "invalid"
        )
    then
        logger.info("User {} has no or invalid primary group", $user.getEppn());
        insert(new UnauthorizedUser($user, "primary-gid-wrong"));
end
rule "Home ID is set"
    // Marks a user as unauthorized when the attribute store holds no
    // bwidmOrgId value. Only null/absence is tested, not an empty value.
    when
        $user : SamlUserEntity(attributeStore["http://bwidm.de/bwidmOrgId"] == null)
    then
        logger.info("Home ID for user {} is missing", $user.getEppn());
        insert(new UnauthorizedUser($user, "home-id-missing"));
end
rule "Home UID is set"
    // Marks a user as unauthorized when the attribute store holds no uid
    // attribute (urn:oid:0.9.2342.19200300.100.1.1), called the home UID
    // in this rule set. Only null/absence is tested, not an empty value.
    when
        $user : SamlUserEntity(attributeStore["urn:oid:0.9.2342.19200300.100.1.1"] == null)
    then
        logger.info("Home UID for user {} is missing", $user.getEppn());
        insert(new UnauthorizedUser($user, "home-uid-missing"));
end
```