Embedded Script Groovy in Attribute definition


Matthew Gordon

Feb 18, 2025, 1:00:07 PM
to CAS Community
I am using this example for the JSON Attribute Definitions "Embedded Script": https://apereo.github.io/cas/7.0.x/integration/Attribute-Definitions.html

It does not appear to be working, and throws an error:

2025-02-18 11:03:12,125 WARN [org.apereo.cas.authentication.DefaultPrincipalAttributesMapper] - <Groovy-scripted attribute returned no value for [eduPersonPrincipalName]>
2025-02-18 11:03:12,132 ERROR [org.apereo.cas.util.scripting.GroovyShellScript] - <startup failed:
Script1.groovy: 1: Unexpected input: '}' @ line 1, column 109.
   Hi', attributes['firstname']] }, canonic
                                 ^

1 error

ErrorCollector.java:failIfErrors:292
ErrorCollector.java:addFatalError:148
AstBuilder.java:collectSyntaxError:4753
AstBuilder.java:access$100:169
>
2025-02-18 11:03:12,132 WARN [org.apereo.cas.authentication.DefaultPrincipalAttributesMapper] - <Groovy-scripted attribute returned no value for [eduPersonPrincipalName]>


Any idea what could be wrong?

Thank you,
Matt

Ocean Liu

Feb 18, 2025, 5:56:52 PM
to CAS Community, Matthew Gordon
Hi Matthew, looks like you don't have an attribute named `firstname`.

What's the attribute name in your source for the first name?

Eugene Willis

Feb 18, 2025, 5:56:59 PM
to cas-...@apereo.org
Switch single quotes to double quotes within your script.
Sent from my iPhone


--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bfdad1b8-8e51-48f0-8ede-8193f7d2192dn%40apereo.org.

Dmitriy Kopylenko

Feb 18, 2025, 5:57:10 PM
to cas-...@apereo.org
Looks like your Groovy script is malformed in some way. 

D. 


King, Robert

Feb 19, 2025, 10:09:00 AM
to cas-...@apereo.org

There is a lot of context missing from your question. You start by linking to the JSON attribute definitions documentation, which is largely unrelated to the error you quote.

  1. Are you trying to return an attribute value, via groovy scripting, in a service entry?
  2. Or are you trying to rename an existing attribute to a new label via attribute definitions?

If you are trying to return an attribute with a new label, via groovy scripting, in a service entry (assumes original attribute named "givenName"):


attributeReleasePolicy:
{
  @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
  allowedAttributes:
  {
    @class: java.util.TreeMap
    firstname:
    [
      java.util.ArrayList
      [
        '''
        groovy {
          return attributes['givenName'].get(0)
        }
        '''
      ]
    ]
  }
}

If you are trying to use attribute definitions to rename an attribute label:

Do you have cas.authn.attribute-repository.attribute-definition-store.json.location defined in your cas.properties?

Would expect:

cas.authn.attribute-repository.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

And then the following snippet in attributes.json:

{
    "@class" : "java.util.TreeMap",
    "firstname" : {
      "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
      "key" : "firstname",
      "scoped" : false,
      "attribute" : "givenName"
    }
}


Matthew Gordon

Feb 19, 2025, 3:14:00 PM
to CAS Community, Matthew Gordon
I attached the full service that I started with, "doesNotWork.json", and one I adjusted after getting an idea from Robert's reply that does seem to work, "works.json". I have no idea why it will not run the groovy in doesNotWork.json, but will when I do it like I did in works.json.

Basically when trying to run inline groovy with the "script" attribute it fails. Any ideas?

Thank you all for the suggestions so far!

Thank you,
Matt
works.json
doesNotWork.json

King, Robert

Feb 20, 2025, 9:22:47 AM
to cas-...@apereo.org, Matthew Gordon

Ah ha, you are attempting to blend the attribute definition store into a service entry. As far as I am aware, that is not possible.

You either have to do an attribute definition store and use the inline groovy script in the service entry to set the value, OR you have to use the service entry attributeNameFormats, attributeFriendlyNames and attributeValueTypes directives to get a similar effect. I've included both examples.

Attribute definition store + service entry

Add the following to your cas.properties configuration:

cas.authn.attribute-repository.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

and add the following content to /etc/cas/config/attributes.json:

{
    @class : java.util.TreeMap
    eduPersonPrimaryAffiliation : {
      @class : org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition
      key : eduPersonPrimaryAffiliation
      name : eduPersonPrimaryAffiliation
      urn : urn:oid:1.3.6.1.4.1.5923.1.1.1.5
      friendlyName : eduPersonPrimaryAffiliation
      scoped : false
    }
}

Then use the works.json to set the value.

Service Entry Only (may work, not sure)

service entry doesNotWork.json:


{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "http://test.com/sp/11111111",

  …snip…

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ChainingAttributeReleasePolicy",
    "mergingPolicy" : "REPLACE",
    "policies" : [ "java.util.ArrayList",
      [
        {
          "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
          "allowedAttributes" : {
            "@class" : "java.util.TreeMap",
            "eduPersonPrimaryAffiliation" :
              '''
              groovy {
                def roles = ['member'];
                for( item in attributes['memberOf'] ){
                  if ( (item.matches('^CN=Adjuncts(.*)') || item.matches('^CN=Faculty(.*)')) && !roles.contains('faculty')) {
                    roles.add('faculty')
                  } else if (item.matches('^CN=(.*)Employees,(.*)') && !roles.contains('staff')) {
                    roles.add('staff')
                  } else if (item.matches('^CN=(.*)Students,(.*)') && !roles.contains('students')) {
                    roles.add('students')
                  }
                };
                return roles;
              }
              '''
            "givenName" : "giveName"
            "userPrincipalName" : "userPrincipalName"
            "displayName" : "displayName"
            "sn" : "sn"
            "cn" : "cn"
            "employeeID" : "employeeID"
          }
        }
      ]
    ]
  },

  …snip…

  attributeNameFormats:
  {
    @class: java.util.LinkedHashMap
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  }
  attributeFriendlyNames:
  {
    @class: java.util.LinkedHashMap
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": eduPersonPrimaryAffiliation
  }
  attributeValueTypes:
  {
    @class: java.util.LinkedHashMap
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": XSString
  }

  …snip…

}
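
One way to check the role-mapping script from the service entry above before it goes into a service definition, as an added example that is not part of the original post or of CAS itself: it compiles and runs the script body in a plain GroovyShell with an `attributes` map bound by hand. The helper names, the sample group DNs, and the assumption that `attributes` maps each name to a list of values are assumptions; the malformed body is constructed from the fragment visible in the error log earlier in the thread.

```groovy
import org.codehaus.groovy.control.MultipleCompilationErrorsException

// Body of the inline script from the service entry (the text between "groovy {" and the final "}").
def affiliationScript = '''
def roles = ['member']
for (item in attributes['memberOf']) {
    if ((item.matches('^CN=Adjuncts(.*)') || item.matches('^CN=Faculty(.*)')) && !roles.contains('faculty')) {
        roles.add('faculty')
    } else if (item.matches('^CN=(.*)Employees,(.*)') && !roles.contains('staff')) {
        roles.add('staff')
    } else if (item.matches('^CN=(.*)Students,(.*)') && !roles.contains('students')) {
        roles.add('students')
    }
}
return roles
'''

// Hypothetical helper: returns null when the body compiles, otherwise the compiler's message.
def syntaxError = { String body ->
    try {
        new GroovyShell().parse(body)
        return null
    } catch (MultipleCompilationErrorsException e) {
        return e.message
    }
}

// Hypothetical helper: evaluates the body with a hand-built "attributes" map in the binding.
def evalWith = { String body, Map attrs ->
    new GroovyShell(new Binding([attributes: attrs])).evaluate(body)
}

// Constructed sample data; the group DNs are made up.
def sample = [memberOf: [
    'CN=Faculty,OU=Groups,DC=example,DC=edu',
    'CN=All Employees,OU=Groups,DC=example,DC=edu'
]]

assert syntaxError(affiliationScript) == null
assert evalWith(affiliationScript, sample) == ['member', 'faculty', 'staff']
assert evalWith(affiliationScript, [memberOf: []]) == ['member']

// Constructed malformed body with a stray closing brace; it must be rejected at compile time.
def broken = "return ['Hi', attributes['firstname']] }"
assert syntaxError(broken) != null
println 'all checks passed'
```

A compile failure reported here has the same "startup failed" form as the GroovyShellScript error in the first message, so a script body that passes this check but still fails inside CAS points at how the script text reaches the shell rather than at the Groovy itself.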

 

 

 


Gordon, Matthew

Feb 20, 2025, 10:41:49 AM
to ro...@mun.ca, cas-...@apereo.org
Thank you Robert, I will give that a try.

Interestingly enough it works under CAS 6.x, just not 7.x.

Thank you,
Matt


