Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Add support classes to invert and join BiPredicates.

Description

In bean shibboleth.SessionManager, property consistentAddressCondition required a Predicate in 3.x, but in 4.0.0 requires a BiPredicate. Class net.shibboleth.idp.session.logic.IPRangeBiPredicate for the condition probably works (untried). But it is no longer compatible with using the support logic Predicate beans (AND, NOT, OR, etc.), and there is no BiPredicate version of them.

In our case, we need the negation of the IP range check. See below

 

From: users <users-bounces@shibboleth.net> on behalf of Redman, Chad <chad_redman@unc.edu>
Sent: Tuesday, March 24, 2020 2:02 PM
To: users@shibboleth.net <users@shibboleth.net>
Subject: Upgrading IPRangePredicate and predicate logic to idp 4.0.0
 
Our idp 3.4.6 configuration had a condition on the shibboleth.SessionManager, which enforced consistent address checks for a range outside of a set of CIDR blocks. In 3.4.6, the configuration was

 
idp.properties:
idp.session.consistentAddressCondition = custom.CheckAddressForNonLocalOnly
 
global.xml
    <bean id="custom.CheckAddressForNonLocalOnly" parent="shibboleth.Conditions.NOT">
        <constructor-arg ref="custom.WhitelistIPCheck" />
    </bean>
    <bean id="custom.WhitelistIPCheck"
        class="org.opensaml.profile.logic.IPRangePredicate"
        p:httpServletRequest-ref="shibboleth.HttpServletRequest"
    >
        <property name="ranges">
            <list>
                <bean class="net.shibboleth.utilities.java.support.net.IPRange"  factory-method="parseCIDRBlock" c:cidrBlock="..."/>
                ...
            </list>
         </property>
    </bean>
 
 
In idp 4.0.0, the consistentAddressCondition property in the shibboleth.SessionManager bean now uses a BiPredicate instead of a Predicate. For the IP check itself, it appears I need to change the class from org.opensaml.profile.logic.IPRangePredicate to net.shibboleth.idp.session.logic.IPRangeBiPredicate. However, trying to invert that result with a shibboleth.Conditions.NOT predicate no longer works, as there is no conversion between Predicate and BiPredicate.
 
Is there a better way of configuring this so that there is no Predicate/BiPredicate mismatch?
 
Thanks,
Chad

 

Environment

Tomcat 9.0.33

openjdk version "11.0.6" 2020-01-14 LTS

Red Hat Enterprise Linux Server release 7.7 (Maipo)

Activity

Show:

Scott CantorJune 8, 2020 at 9:26 PM

Added parent beans to utilities.xml

Scott CantorJune 8, 2020 at 8:23 PM

Applied to master.

Scott CantorMarch 31, 2020 at 8:00 PM
Edited

Pushed new support classes on a feature branch for now.

Will add parent beans to IdP once the branch is merged to finish out issue.

Chad RedmanMarch 31, 2020 at 2:20 PM

Yes, the helper class as suggested was straightforward to develop and use.

Scott CantorMarch 25, 2020 at 2:04 PM

All you need to do is write a Java class that implements BiPredicate, takes an existing BiPredicate as a property or constructor argument, and implements its test method by calling the supplied BiPredicate's negate() method to invert it.

We can do that with a helper class like we did with NOT, but you certainly shouldn't be waiting for a feature enhancement, that's months off.

Done

Details

Assignee

Reporter

Components

Fix versions

Created March 25, 2020 at 1:56 PM
Updated December 16, 2020 at 4:10 PM
Resolved April 7, 2020 at 5:01 PM