From 6d686e6271049e15a4c498ac098d630097e8862c Mon Sep 17 00:00:00 2001
From: Ioannis Igoumenos
Date: Wed, 9 Mar 2022 15:01:34 +0200
Subject: [PATCH] Support multiple configurations for AttributeResolver Shibboleth plugin

---
 roles/shibboleth-sp/defaults/main.yml | 17 +++++++++++++++-
 .../templates/shibboleth2.xml.j2 | 20 ++++++++++++++-----
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/roles/shibboleth-sp/defaults/main.yml b/roles/shibboleth-sp/defaults/main.yml
index ad2c95f5..9e3055ae 100644
--- a/roles/shibboleth-sp/defaults/main.yml
+++ b/roles/shibboleth-sp/defaults/main.yml
@@ -145,9 +145,24 @@ shibboleth_sp_attribute_extractors:
 reloadChanges: "false"
 path: "attribute-map.xml"
 
+
+# In order to create the Shibboleth configuration below:
+#
+#
+# $1
+#
+#
+# the yaml structure should be the following:
 shibboleth_sp_attribute_resolvers:
 - type: "Query"
- subject_match: "true"
+ subjectMatch: "true"
+# - type: "Transform"
+# source: "eduPersonScopedAffiliation"
+# regex:
+# - value: "$1"
+# properties:
+# match: "^(.+)@(.+)"
+# dest: "eduPersonPrimaryAffiliation"
 
 # The default settings can be overridden by creating ApplicationOverride
 # elements. When you use virtual hosting, there is no special handler
diff --git a/roles/shibboleth-sp/templates/shibboleth2.xml.j2 b/roles/shibboleth-sp/templates/shibboleth2.xml.j2
index 2a7feac2..f63e477b 100644
--- a/roles/shibboleth-sp/templates/shibboleth2.xml.j2
+++ b/roles/shibboleth-sp/templates/shibboleth2.xml.j2
@@ -205,11 +205,21 @@ {% endfor %} {% for resolver in shibboleth_sp_attribute_resolvers %} - + + {% if resolver.regex is defined %} + {% for regex_properties in resolver.regex -%} + {{ regex_properties.value | default('') }} + {% endfor %} + {%- endif -%} + {% endfor %}
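Review bot: The rename of `subject_match` to `subjectMatch` in the `shibboleth_sp_attribute_resolvers` default (roles/shibboleth-sp/defaults/main.yml) changes the variable's schema with no notice for inventories that already override it. Host or group vars that still set `subject_match` will presumably stop producing the attribute the SP expects, or emit one it does not recognise, and nothing fails at deploy time; the template markup that consumes the key is not visible here, so this should be confirmed against the rendered shibboleth2.xml. I would add a comment above the default, e.g. `# NOTE: key renamed from subject_match to subjectMatch; update overrides in host/group vars`, and record the rename in the changelog. The commented `Transform` example would also benefit from one line stating which keys are required (`type`, `source`) and which are optional (`regex`).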
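Review bot: `{{ regex_properties.value | default('') }}` in the new `resolver.regex` loop of shibboleth2.xml.j2 writes an inventory value into the XML document unescaped, because Ansible templates do not autoescape. A value containing `<`, `&` or a quote yields a malformed shibboleth2.xml or markup in the SP configuration that the role author did not intend, and regex patterns and replacement strings are exactly the kind of value that carries such characters. I would render it as `{{ regex_properties.value | default('') | e }}` and apply the same filter to every attribute value written from `resolver` and `regex_properties.properties`; those lines are not fully visible in this hunk. The loop also only checks `resolver.regex is defined`, so an entry without `properties` should be guarded the same way if the template dereferences it.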