OpenConext Attribute Aggregation
- Java 11
- Maven 3
- MySQL 5.5
- npm
- node 7.10.0 (use for example nvm to manage it - latest version of node does not work)
If you have yarn installed, it will be used in the build by 3rd party libs. Ensure you are on version 1.1.0, otherwise the sass node will break.
Connect to your local mysql database: mysql -uroot
Execute the following:
CREATE DATABASE aaserver;
grant all on aaserver.* to 'root'@'localhost';
This project uses Spring Boot and Maven. To run locally, type:
cd aa-server
mvn spring-boot:run -Drun.jvmArguments="-Dspring.profiles.active=dev"
When developing, it's convenient to just execute the applications main-method, which is in Application. Don't forget to set the active profile to dev.
The client is build with react.js and to get initially started:
cd aa-gui
To run locally:
npm run local
Browse to the application homepage.
When new npm dependencies are added:
npm install
When manually testing the aggregations in the Playground you have to provide input attributes for retrieving values from the attribute authorities.
- The attribute
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
with the valueurn:collab:person:example.com:admin
returns groups / isMemberOfs from VOOT - The attribute
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
with the valueurn:collab:person:surfnet.nl:henny
returns SAB roles - The attribute
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
with valueurn:collab:person:example.com:admin
returns a valid ORCID.
To mimic the behaviour of attribute aggregation for an internal client - e.g. EngineBlock - we need to post form data:
curl -X POST -H "Content-Type: application/json" --data-binary @./aa-server/src/test/resources/json/eb/request.json -u eb:secret https://aa.test2.surfconext.nl/aa/api/internal/attribute/aggregation
if you want to test all of the above curl commands against your locally running AttributeAggregation application then replace https://aa.test2.surfconext.nl
with http://localhost:8080
.
There is also an API for trusted clients to obtain account information based on the urn of the person:
curl -u eb:secret https://aa.test2.surfconext.nl/aa/api/internal/accounts/urn:collab:person:example.com:admin
And the API offers a end-point to delete accounts:
curl -u eb:secret -X "DELETE" "https://aa.test2.surfconext.nl/aa/api/internal/disconnect/${account_id}"
Which will return Json {"status": "OK"}
on success.
You can locally test the account linking with ORCID. You will need a valid orcid client id and secret. Copy & paste
the application.yml to application.local.yml and fill in the properties orcid.client_id
and orcid.secret
. Then use
this condiguration to start the server application:
mvn spring-boot:run -Drun.jvmArguments="-Dspring.profiles.active=dev" -Dspring.config.name=application.dev
If you go to the connected page you
can link the dummy institutional user provided by the MockShibbolethFilter
with an ORCID account.
If you don't specify a redirectUrl, then you will be redirected to the information page.
New Attribute Authorities first must be added and configured in attributeAuthoritiesProductionTemplate.yml
. Then add the new authority implementation to AttributeAggregatorConfiguration#attributeAggregatorById
.
To actually use the new authority in the test/acc/prod environment it also needs to be configured in OpenConext-deploy attributeAuthorities.yml.j2.
On its classpath, the application has an application.yml file that contains configuration defaults that are convenient when developing.
When the application actually gets deployed to a meaningful platform, it is pre-provisioned with ansible and the application.yml depends on environment specific properties in the group_vars. See the project OpenConext-deploy and the role aa for more information.
For details, see the Spring Boot manual.
When you want to run Attribute-Aggregator in a non-OpenConext environment you can use the aa script to stop / restart and start the application.
There is a LifeCycle API to deprovision users. The preview endpoint:
curl -u life:secret http://localhost:8080/aa/api/deprovision/saml2_user.com | jq
And the actual Deprovisioning
of the user:
curl -X DELETE -u life:secret http://localhost:8080/deprovision/aa/api/saml2_user.com | jq