authorSimon Rettberg2022-11-22 17:11:38 +0100
committerSimon Rettberg2022-11-22 17:11:38 +0100
commit6e5647f25e26c2a31d7b4cf0ee6924a2db4916c5 (patch)
tree7f655584ec5f569ea565c4622eadd2f2eda46b87
parentapi: Refactor supplying satellite list to user (diff)
user/api: Handle IdPs that supply multiple persistent-ids
To be backwards compatible with the old way, in case we already have concatenated persistent-ids in our DB, just try all persistent-ids supplied, plus the unparsed concatenated one.
-rw-r--r--inc/user.inc.php16
-rw-r--r--shib/api.php11
2 files changed, 21 insertions, 6 deletions
diff --git a/inc/user.inc.php b/inc/user.inc.php
index a5a8e3c..539b6f8 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -159,7 +159,8 @@ class User
return false;
}
// Try user from local DB
- self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
+ self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email
+ FROM user WHERE userid = :uid LIMIT 1', ['uid' => Session::getUid()]);
self::$isInDb = self::$user !== false;
if (!self::$isInDb) {
Session::delete();
@@ -187,10 +188,16 @@ class User
$_SERVER['givenName'] = '';
if (!isset($_SERVER['mail']))
$_SERVER['mail'] = '';
- $shibId = md5($_SERVER['persistent-id']);
+ $shibId = [];
+ if (strpos($_SERVER['persistent-id'], ';') !== false) {
+ foreach (explode(';', $_SERVER['persistent-id']) as $s) {
+ $shibId[] = md5($s);
+ }
+ }
+ $shibId[] = md5($_SERVER['persistent-id']);
self::$user = array(
'userid' => NULL,
- 'shibid' => $shibId,
+ 'shibid' => $shibId[0],
'firstname' => $_SERVER['givenName'],
'lastname' => $_SERVER[CONFIG_SURNAME],
'email' => $_SERVER['mail'],
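Review bot: An empty segment in `persistent-id` (a leading, trailing or doubled `;`) is hashed as-is by the loop added at L40–L42, so `$shibId` gains `md5('')`, and when the value starts with `;` that hash becomes `$shibId[0]`, which is what L48 records as the user's `shibid`; the equivalent loop added to shib/api.php in this commit skips empty segments, so the two paths already disagree. Since the collected hashes are later used to match a DB row, an `md5('')` candidate would attach the session to whatever existing row carries that value, if one was ever stored that way. Add the same guard here, `if ($s === '') continue;` as the first line of the foreach — L44 still appends the concatenated hash afterwards, so `$shibId[0]` remains defined. The enclosing method continues past the end of the hunk.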
@@ -212,7 +219,8 @@ class User
self::$user['organization'] = $out[1];
}
// Get matching db entry if any
- $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
+ $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user
+ WHERE shibid IN (:shibid) LIMIT 1', ['shibid' => $shibId]);
if ($user === false) {
// No match in database, user is not signed up
return true;
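Review bot: `WHERE shibid IN (:shibid)` at L58 binds a PHP array to a single named placeholder (the same construct is added at L83 in shib/api.php); plain PDO cannot bind an array, so this only works if `Database::queryFirst` expands array parameters into an `IN (?, ?, ...)` list — the wrapper is not part of this diff, so confirm it does, otherwise the lookup never matches (or errors) and every shib user appears unregistered. Separately, with several candidate hashes in the list, `LIMIT 1` without an `ORDER BY` leaves the returned row unspecified whenever more than one user row matches (e.g. a legacy row keyed by the concatenated hash and a newer one keyed by a single id), so the session could resolve to a different account on different requests; consider ordering deterministically or detecting multiple matches and refusing the login. A comment above the query would help the next reader: `// shibid is a list: each supplied persistent-id plus the legacy concatenated form`. The enclosing method continues outside the hunk.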
diff --git a/shib/api.php b/shib/api.php
index 38b2d7a..0c32f9a 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -47,11 +47,18 @@ if (empty($_SERVER['persistent-id'])) {
file_put_contents('/tmp/shib-nopid-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
} else {
// Query database for user
- $shibId = md5($_SERVER['persistent-id']);
+ $shibId = [ md5($_SERVER['persistent-id']) ];
+ if (strpos($_SERVER['persistent-id'], ';') !== false) {
+ foreach (explode(';', $_SERVER['persistent-id']) as $s) {
+ if (empty($s))
+ continue;
+ $shibId[] = md5($s);
+ }
+ }
$user = Database::queryFirst("SELECT user.userid, user.organizationid, user.firstname, user.lastname, user.email "
. " FROM user "
. " INNER JOIN organization USING (organizationid) "
- . " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
+ . " WHERE user.shibid IN (:shibid) LIMIT 1", array('shibid' => $shibId));
// Figure out role
if (strpos(";{$_SERVER['entitlement']};", CONFIG_ENTITLEMENT) !== false) {
$role = 'TUTOR';
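Review bot: The persistent-id splitting at L71–L78 duplicates the loop this commit adds to inc/user.inc.php, and the two copies already differ: this one skips empty segments and puts the concatenated hash first, the other hashes empty segments and puts the concatenated hash last. Keeping them separate invites further drift in what counts as a valid id; a single static helper on `User` (e.g. a constructed name like `User::shibIdCandidates($persistentId)` returning the list of md5 values) called from both places would keep the matching rules identical. Also, `empty($s)` at L74 treats the segment `"0"` as empty — `if ($s === '')` is the precise check. The `else` branch this sits in continues past the end of the hunk.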