From 13e8ac42cab7c169f5d115286314f17e8f814f71 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 26 Jun 2020 14:07:56 +0200
Subject: Make scoped affiliation attribute name configurable

---
 config.php.example | 1 +
 inc/user.inc.php | 8 ++++----
 shib/api.php | 12 ++++++------
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/config.php.example b/config.php.example
index c6c926d..083c555 100644
--- a/config.php.example
+++ b/config.php.example
@@ -23,6 +23,7 @@ define('CONFIG_IDM_LINK_EPSA', 'https://www.bwidm.de/attribute/#eduPersonScopedA
 define('CONFIG_SURNAME', 'sn');
 define('CONFIG_EPPN', 'eppn');
+define('CONFIG_SCOPED_AFFILIATION', 'affiliation');
 // Have a properties file or set variables here manually.
 // Make sure properties file is not in webroot
diff --git a/inc/user.inc.php b/inc/user.inc.php
index e2523f9..a5a8e3c 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -196,9 +196,9 @@ class User
 'email' => $_SERVER['mail'],
 );
 // Figure out whether the user should be considered a tutor
- if (isset($_SERVER['affiliation']) && (strpos(";{$_SERVER['affiliation']}", ';employee@') !== false || strpos(";{$_SERVER['affiliation']}", ';staff@') !== false || strpos(";{$_SERVER['affiliation']}", ';faculty@') !== false))
+ if (isset($_SERVER[CONFIG_SCOPED_AFFILIATION]) && (strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]}", ';employee@') !== false || strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]}", ';staff@') !== false || strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]}", ';faculty@') !== false))
 self::$user['role'] = 'TUTOR';
 elseif (isset($_SERVER['entitlement']) && strpos(";{$_SERVER['entitlement']};", CONFIG_ENTITLEMENT) !== false)
 self::$user['role'] = 'TUTOR';
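Review bot: The new `define('CONFIG_SCOPED_AFFILIATION', 'affiliation');` line carries no comment saying what the value names, although inc/user.inc.php and shib/api.php use it directly as a `$_SERVER` key. A line such as `// $_SERVER key under which the Shibboleth SP exports eduPersonScopedAffiliation (';'-separated, e.g. 'staff@example.org')` above it would tell operators to enter the SP's attribute id rather than a display name. If an SP deployment passes attributes as request headers instead of environment variables, the corresponding `$_SERVER['HTTP_*']` entries can also be supplied by the client unless the web server strips them, so the comment should steer operators to the environment-variable name the SP sets.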
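Review bot: The tutor test on the new `+ if (isset($_SERVER[CONFIG_SCOPED_AFFILIATION]) && (strpos(…` line matches `;employee@`, `;staff@` and `;faculty@` as prefixes of each `;`-separated entry, so an affiliation with any scope after the `@` qualifies; whether the SP's attribute-filter policy already restricts accepted scopes is not visible here, and that assumption deserves a comment, e.g. `// Scope after '@' is not checked here; the SP attribute filter is expected to admit only trusted scopes`. The same three-way condition is duplicated in shib/api.php (hunk at line 37), so a shared helper along the lines of `User::isStaffAffiliation(string $scopedAffiliation): bool` would keep both call sites in sync and let the brace-less three-line `if` get braces. The enclosing method starts and ends outside the hunk.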
@@ -208,7 +208,7 @@ class User
 if (isset($_SERVER[CONFIG_EPPN]) && preg_match('/@([0-9a-zA-Z\-\._]+)$/', $_SERVER[CONFIG_EPPN], $out)) {
 self::$user['organization'] = $out[1];
 }
- if (!isset(self::$user['organization']) && isset($_SERVER['affiliation']) && preg_match('/@([0-9a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out)) {
+ if (!isset(self::$user['organization']) && isset($_SERVER[CONFIG_SCOPED_AFFILIATION]) && preg_match('/@([0-9a-zA-Z\-\._]+)(;|$)/', $_SERVER[CONFIG_SCOPED_AFFILIATION], $out)) {
 self::$user['organization'] = $out[1];
 }
 // Get matching db entry if any
diff --git a/shib/api.php b/shib/api.php
index 2c80f37..533ae78 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -37,9 +37,9 @@ if (empty($_SERVER['persistent-id'])) {
 // Figure out role
 if (strpos(";{$_SERVER['entitlement']};", CONFIG_ENTITLEMENT) !== false) {
 $role = 'TUTOR';
- } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false || strpos(";{$_SERVER['affiliation']};", ';staff@') !== false || strpos(";{$_SERVER['affiliation']};", ';faculty@') !== false) {
+ } else if (strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';employee@') !== false || strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';staff@') !== false || strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';faculty@') !== false) {
 $role = 'TUTOR';
 } else {
 file_put_contents('/tmp/shib-student-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
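Review bot: The new `} else if (strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';employee@') !== false …` line reads the configured key without the `isset()` guard that inc/user.inc.php applies to the same attribute, so when the IdP does not release it the interpolation raises an undefined-index notice (a warning on PHP 8) before the check falls through to the student branch. Guarding it as `} else if (isset($_SERVER[CONFIG_SCOPED_AFFILIATION]) && (strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';employee@') !== false` (with the extra parenthesis closed after the `faculty@` test) makes the two files consistent. The context line below writes `print_r($_SERVER, true)` to a predictable path under /tmp for every user classified as student, which includes all released attributes and request headers; this commit does not touch it, but it is worth a follow-up. The surrounding control structure starts before the hunk.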
@@ -49,7 +49,7 @@ if (empty($_SERVER['persistent-id'])) {
 'status' => 'error',
 'error' => "Sie wurden als Student eingestuft und können sich daher nicht an der " . CONFIG_SUITE . "-Suite anmelden."
 . "\nFalls Ihr Nutzerkonto kein Studentenkonto ist stellen Sie sicher, dass Ihr IdP für berechtigte"
- . "\nAccounts entweder das " . CONFIG_SUITE . "-Entitlement ausliefert, oder das Attribut 'affiliation'"
+ . "\nAccounts entweder das " . CONFIG_SUITE . "-Entitlement ausliefert, oder das Attribut CONFIG_SCOPED_AFFILIATION"
 . "\nausgeliefert wird, und es entweder 'employee@..', 'staff@..' oder 'faculty@..' enthält."
 . "\n\nMehr Informationen finden Sie unter " . CONFIG_HELPURL
 );
@@ -82,8 +82,8 @@ if (empty($_SERVER['persistent-id'])) {
 }
 }
 }
- if (!isset($response['organizationId']) && isset($_SERVER['affiliation'])) {
- if (preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out)) {
+ if (!isset($response['organizationId']) && isset($_SERVER[CONFIG_SCOPED_AFFILIATION])) {
+ if (preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER[CONFIG_SCOPED_AFFILIATION], $out)) {
 $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
 'suffix' => $out[2]
 ));
-- 
cgit v1.2.3-55-g7522
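Review bot: The new `+ . "\nAccounts entweder das " . CONFIG_SUITE . "-Entitlement ausliefert, oder das Attribut CONFIG_SCOPED_AFFILIATION"` line places the bare token inside a double-quoted string, where PHP does not expand constants, so the message shown to rejected users now literally reads "das Attribut CONFIG_SCOPED_AFFILIATION" instead of the configured attribute name that the removed line spelled out as 'affiliation'. The intended text needs concatenation: `. "\nAccounts entweder das " . CONFIG_SUITE . "-Entitlement ausliefert, oder das Attribut '" . CONFIG_SCOPED_AFFILIATION . "'"`. The array literal this string belongs to starts before the hunk.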
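Review bot: The scope regex on the new `+ if (preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER[CONFIG_SCOPED_AFFILIATION], $out)) {` line captures everything up to the next `;` as the suffix, while inc/user.inc.php (hunk at line 208) derives the organization from the same attribute with `[0-9a-zA-Z\-\._]+`, so the two entry points can disagree on one value (e.g. a scope followed by whitespace or other characters). Aligning on the stricter character class, or a shared helper that returns the first scope, would make the `organization_suffix` lookup deterministic across both files; the query itself is parameterised, so this is a consistency point rather than an injection one. The surrounding control structure starts before the hunk.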