diff options
author | Simon Rettberg | 2018-12-07 10:07:50 +0100 |
---|---|---|
committer | Simon Rettberg | 2018-12-07 10:07:50 +0100 |
commit | d308379fb30894f8652525f877facdec2d8d58c0 (patch) | |
tree | 8c5706b2b18662b97ddb11fbe3a38d0b5ff33d0b | |
parent | Update config example (diff) | |
download | bwlp-webadmin-d308379fb30894f8652525f877facdec2d8d58c0.tar.gz bwlp-webadmin-d308379fb30894f8652525f877facdec2d8d58c0.tar.xz bwlp-webadmin-d308379fb30894f8652525f877facdec2d8d58c0.zip |
Improve shibboleth eppn/affiliation handling
-rw-r--r-- | inc/user.inc.php | 7 | ||||
-rw-r--r-- | shib/api.php | 49 |
2 files changed, 47 insertions, 9 deletions
diff --git a/inc/user.inc.php b/inc/user.inc.php index 70a6cdb..fe43abe 100644 --- a/inc/user.inc.php +++ b/inc/user.inc.php @@ -148,6 +148,7 @@ class User public static function load() { + //file_put_contents('/tmp/test-' . time(), print_r($_SERVER, true)); if (self::isLoggedIn()) return true; $hasSession = Session::load(); @@ -208,8 +209,12 @@ class User else self::$user['role'] = 'STUDENT'; // Try to figure out organization - if (isset($_SERVER['affiliation']) && preg_match('/@([a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out)) + if (isset($_SERVER['eppn']) && preg_match('/@([0-9a-zA-Z\-\._]+)$/', $_SERVER['eppn'], $out)) { self::$user['organization'] = $out[1]; + } + if (!isset(self::$user['organization']) && isset($_SERVER['affiliation']) && preg_match('/@([0-9a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out)) { + self::$user['organization'] = $out[1]; + } // Get matching db entry if any $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId)); if ($user === false) { diff --git a/shib/api.php b/shib/api.php index 54ebd55..2098765 100644 --- a/shib/api.php +++ b/shib/api.php @@ -27,7 +27,7 @@ if (empty($_SERVER['persistent-id'])) { // No persistent id given, should not happen! $response['status'] = 'error'; $response['error'] = 'Shibboleth meta data missing!'; - @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true)); + @file_put_contents('/tmp/shib-nopid-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true)); } else { // Query database for user $shibId = md5($_SERVER['persistent-id']); @@ -43,8 +43,20 @@ if (empty($_SERVER['persistent-id'])) { || strpos(";{$_SERVER['affiliation']};", ';faculty@') !== false) { $role = 'TUTOR'; } else { - @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true)); + @file_put_contents('/tmp/shib-student-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true)); $role = 'STUDENT'; + // NEW: Ignore students for now + $response = array( + 'status' => 'error', + 'error' => "Sie wurden als Student eingestuft und können sich daher nicht an der bwLehrpool-Suite anmelden." + . "\nFalls Ihr Nutzerkonto kein Studentenkonto ist stellen Sie sicher, dass Ihr IdP für berechtigte" + . "\nAccounts entweder das bwLehrpool-Entitlement ausliefert, oder das Attribut 'affiliation'" + . "\nausgeliefert wird, und es entweder 'employee@..', 'staff@..' oder 'faculty@..' enthält." + . "\n\nMehr Informationen finden Sie unter www.bwlehrpool.de" + ); + Header('Content-Type: text/plain; charset=utf-8'); + die(json_encode($response, JSON_PRETTY_PRINT)); + // end IGNORE STUDENTS } if ($user === false) { // Not found, so we don't know which satellite to use @@ -60,24 +72,42 @@ if (empty($_SERVER['persistent-id'])) { $response['mail'] = $_SERVER['mail']; } $response['userId'] = $shibId; - preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out); - $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array( - 'suffix' => $out[2] - )); - if ($out !== false) { - $response['organizationId'] = $out['organizationid']; + // Try to figure out orgId + if (!isset($response['organizationId']) && isset($_SERVER['eppn'])) { + if (preg_match('/@(.+)$/', $_SERVER['eppn'], $out)) { + $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array( + 'suffix' => $out[1] + )); + if ($out !== false) { + $response['organizationId'] = $out['organizationid']; + } + } + } + if (!isset($response['organizationId']) && isset($_SERVER['affiliation'])) { + if (preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out)) { + $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array( + 'suffix' => $out[2] + )); + if ($out !== false) { + $response['organizationId'] = $out['organizationid']; + } + } } // This one we send to the running master server handler $rpc = $response; $rpc['role'] = $role; // This one we only send to the user + // TODO + /* $response['satellites'] = $sat1; $response['satellites2'] = $sat2; + */ } else { $response['status'] = 'unregistered'; } $response['id'] = $shibId; $response['url'] = 'https://bwlp-masterserver.ruf.uni-freiburg.de/webif/'; + @file_put_contents('/tmp/shib-unreg-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true)); } else { // Found, see if we got personal information, either temporarily through metadata, or from database $firstName = $user['firstname']; @@ -144,6 +174,9 @@ if (isset($rpc)) { if (empty($rpc['lastName'])) { $reply .= ' (No last name given)'; } + if (empty($rpc['organizationId'])) { + $reply .= ' (No organization id found)'; + } $response['error'] = $reply; $response['status'] = 'error'; } |