Dedupe ssoEmail when creating credential after OSF API success

Author: cslzchen

src/main/java/io/cos/cas/osf/web/flow/login/OsfPrincipalFromNonInteractiveCredentialsAction.java

@@ -98,9 +98,12 @@
 import java.io.IOException;
 import java.io.StringWriter;
 import java.util.Collections;
+import java.util.Arrays;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
 /**
@@ -166,6 +169,8 @@ public class OsfPrincipalFromNonInteractiveCredentialsAction extends AbstractNon
 
     private static final String ATTRIBUTE_PREFIX = "auth-";
 
+    private static final String MULTIPLE_ATTRIBUTE_DELIMITER = ";";
+
     private static final String SHIBBOLETH_SESSION_HEADER = ATTRIBUTE_PREFIX + "shib-session-id";
 
     private static final String SHIBBOLETH_COOKIE_PREFIX = "_shibsession_";
@@ -720,7 +725,7 @@ private OsfApiInstitutionAuthenticationResult notifyOsfApiOfInstnAuthnSuccess(
                 // CAS expects OSF API to return HTTP 204 OK with no content if authentication succeeds
                 if (statusCode == HttpStatus.SC_NO_CONTENT) {
                     LOGGER.info("[OSF API] Success - API request succeeded: {}, attempt={}, status={}", ssoUser, retry, statusCode);
-                    return new OsfApiInstitutionAuthenticationResult(institutionId, ssoEmail, ssoIdentity);
+                    return new OsfApiInstitutionAuthenticationResult(institutionId, deduplicateSsoEmail(ssoEmail, ssoUser), ssoIdentity);
                 }
                 if (OSF_API_RETRY_STATUS.contains(statusCode)) {
                     LOGGER.error("[OSF API] Failure - Server Error: {}, attempt={}, status={}", ssoUser, retry, statusCode);
@@ -869,4 +874,32 @@ private void setSsoErrorContext(
         );
         context.getFlowScope().put(PARAMETER_SSO_ERROR_CONTEXT, ssoErrorContext);
     }
+
+    /**
+     * Attempt to deduplicate the {@code ssoEmail} attribute. This method is only called after OSF API has already
+     * successfully deduplicated the attribute and thus should throw {@link InstitutionSsoFailedException} if failed.
+     *
+     * @param ssoEmail the SSO email to deduplicate
+     * @param ssoUser the SSO user information
+     * @return deduplicated SSO email on success
+     * @throws InstitutionSsoFailedException if deduplication failed
+     */
+    private String deduplicateSsoEmail(
+            final String ssoEmail,
+            final String ssoUser
+    ) throws InstitutionSsoFailedException {
+        if (StringUtils.isBlank(ssoEmail)) {
+            LOGGER.error("[OSF CAS] Critical Error: SSO email should not be blank after OSF API success: [{}]", ssoUser);
+            throw new InstitutionSsoFailedException("SSO email should not be blank");
+        }
+        if (!ssoEmail.contains(MULTIPLE_ATTRIBUTE_DELIMITER)) {
+            return ssoEmail;
+        }
+        Set<String> ssoEmailSet = new HashSet<>(Arrays.asList(ssoEmail.split(MULTIPLE_ATTRIBUTE_DELIMITER)));
+        if (ssoEmailSet.size() != 1) {
+            LOGGER.error("[OSF CAS] Critical Error: SSO email should not fail deduplication after OSF API success: [{}]", ssoUser);
+            throw new InstitutionSsoFailedException("SSO email should not fail deduplication");
+        }
+        return ssoEmailSet.iterator().next();
+    }
 }

src/main/java/io/cos/cas/osf/web/support/OsfApiInstitutionAuthenticationResult.java

@@ -25,6 +25,9 @@
 @Slf4j
 public class OsfApiInstitutionAuthenticationResult implements Serializable {
 
+    /**
+     * Serialization metadata.
+     */
     private static final long serialVersionUID = 3971349776123204760L;
 
     /**
@@ -44,10 +47,11 @@ public class OsfApiInstitutionAuthenticationResult implements Serializable {
 
     /**
      * Verify that the SSO email comes from one of the three attributes in Shibboleth SSO headers.
-     *
-     * Note: From OSF API's perspective, the email provided by SSO is stored in {@link #ssoEmail} which doesn't have to be
-     *       the {@code username} f a candidate OSF user. From CAS's perspective, this {@link #ssoEmail} comes from three
-     *       SSO attributes provided by Shibboleth's authn request: {@code eppn}, {@code mail} and {@code mailOther}.
+     * From OSF API's perspective, the email provided by SSO is stored in {@link #ssoEmail} which doesn't have to be
+     * the {@code username} f a candidate OSF user. From CAS's perspective, this {@link #ssoEmail} comes from three
+     * SSO attributes provided by Shibboleth's authn request: {@code eppn}, {@code mail} and {@code mailOther}.
+     * Since {@link #ssoEmail} may have already been deduplicated after successful OSF API request, this method does
+     * substring check instead of equality check.
      *
      * @param eppn the eppn attribute
      * @param mail the mail attribute
@@ -59,6 +63,18 @@ public Boolean verifyOsfSsoEmail(final String eppn, final String mail, final Str
             LOGGER.error("[CAS XSLT] SSO Email cannot be blank!");
             return false;
         }
-        return ssoEmail.equalsIgnoreCase(eppn) || ssoEmail.equalsIgnoreCase(mail) || ssoEmail.equalsIgnoreCase(mailOther);
+        boolean isPartOfEppn = Boolean.FALSE;
+        boolean isPartOfMail = Boolean.FALSE;
+        boolean isPartOfMailOther = Boolean.FALSE;
+        if (!StringUtils.isBlank(eppn)) {
+            isPartOfEppn =  eppn.toLowerCase().contains(ssoEmail.toLowerCase());
+        }
+        if (!StringUtils.isBlank(mail)) {
+            isPartOfMail = mail.toLowerCase().contains(ssoEmail.toLowerCase());
+        }
+        if (!StringUtils.isBlank(mailOther)) {
+            isPartOfMailOther = mailOther.toLowerCase().contains(ssoEmail.toLowerCase());
+        }
+        return isPartOfEppn || isPartOfMail || isPartOfMailOther;
     }
 }