authorSimon Rettberg2018-12-07 10:07:50 +0100
committerSimon Rettberg2018-12-07 10:07:50 +0100
commitd308379fb30894f8652525f877facdec2d8d58c0 (patch)
tree8c5706b2b18662b97ddb11fbe3a38d0b5ff33d0b /shib
parentUpdate config example (diff)
Improve shibboleth eppn/affiliation handling
Diffstat (limited to 'shib')
-rw-r--r--shib/api.php49
1 files changed, 41 insertions, 8 deletions
diff --git a/shib/api.php b/shib/api.php
index 54ebd55..2098765 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -27,7 +27,7 @@ if (empty($_SERVER['persistent-id'])) {
// No persistent id given, should not happen!
$response['status'] = 'error';
$response['error'] = 'Shibboleth meta data missing!';
- @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
+ @file_put_contents('/tmp/shib-nopid-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
} else {
// Query database for user
$shibId = md5($_SERVER['persistent-id']);
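Review bot: The renamed dump on the `+` line still writes the whole `$_SERVER` array, which on this endpoint carries the IdP attributes the script reads (`persistent-id`, `affiliation`, `eppn`, `mail`), into the shared `/tmp` under a predictable name with the process's default umask, and the `@` hides any write failure; the same pattern is in the second hunk (`shib-student-`) and is newly added at the end of the third hunk (`shib-unreg-`), where it runs for every user not found in the database. These are personal identifiers, so a directory owned by the web server user with a restrictive mode (and a retention or cleanup rule) would be a safer home, and dropping `@` lets write failures surface in the server log. If only the attribute set is needed for troubleshooting, dumping `array_keys($_SERVER)` plus the few values actually consulted would reduce what lands on disk. The enclosing `if (empty($_SERVER['persistent-id']))` branch starts before this hunk.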
@@ -43,8 +43,20 @@ if (empty($_SERVER['persistent-id'])) {
|| strpos(";{$_SERVER['affiliation']};", ';faculty@') !== false) {
$role = 'TUTOR';
} else {
- @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
+ @file_put_contents('/tmp/shib-student-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
$role = 'STUDENT';
+ // NEW: Ignore students for now
+ $response = array(
+ 'status' => 'error',
+ 'error' => "Sie wurden als Student eingestuft und können sich daher nicht an der bwLehrpool-Suite anmelden."
+ . "\nFalls Ihr Nutzerkonto kein Studentenkonto ist stellen Sie sicher, dass Ihr IdP für berechtigte"
+ . "\nAccounts entweder das bwLehrpool-Entitlement ausliefert, oder das Attribut 'affiliation'"
+ . "\nausgeliefert wird, und es entweder 'employee@..', 'staff@..' oder 'faculty@..' enthält."
+ . "\n\nMehr Informationen finden Sie unter www.bwlehrpool.de"
+ );
+ Header('Content-Type: text/plain; charset=utf-8');
+ die(json_encode($response, JSON_PRETTY_PRINT));
+ // end IGNORE STUDENTS
}
if ($user === false) {
// Not found, so we don't know which satellite to use
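Review bot: `$role = 'STUDENT'` on the line before the new block is dead while the block is active, because the block ends in `die()`, and `// NEW: Ignore students for now` does not say what has to happen before it can be removed; either move the rejection above the assignment or state the condition, e.g. `// TEMP: reject students until student access to the suite is decided; remove this block and keep the $role assignment`. The reply is sent with `Header(...)`; PHP accepts the capitalised name but the file uses lowercase builtins everywhere else, so `header('Content-Type: text/plain; charset=utf-8');` keeps it consistent, and `die(json_encode($response, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE));` would keep the umlauts in the message readable in the plain-text reply instead of `\uXXXX` escapes. The condition on the hunk's first context line reads `$_SERVER['affiliation']` without an isset guard (the third hunk adds one for the same attribute), so a user whose IdP sends no affiliation at all presumably lands in this branch and is told they were classified as a student, which the message text anticipates but the `shib-student-` log prefix does not. The enclosing role-detection if/else chain starts before this hunk.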
@@ -60,24 +72,42 @@ if (empty($_SERVER['persistent-id'])) {
$response['mail'] = $_SERVER['mail'];
}
$response['userId'] = $shibId;
- preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out);
- $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
- 'suffix' => $out[2]
- ));
- if ($out !== false) {
- $response['organizationId'] = $out['organizationid'];
+ // Try to figure out orgId
+ if (!isset($response['organizationId']) && isset($_SERVER['eppn'])) {
+ if (preg_match('/@(.+)$/', $_SERVER['eppn'], $out)) {
+ $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
+ 'suffix' => $out[1]
+ ));
+ if ($out !== false) {
+ $response['organizationId'] = $out['organizationid'];
+ }
+ }
+ }
+ if (!isset($response['organizationId']) && isset($_SERVER['affiliation'])) {
+ if (preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out)) {
+ $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
+ 'suffix' => $out[2]
+ ));
+ if ($out !== false) {
+ $response['organizationId'] = $out['organizationid'];
+ }
+ }
}
// This one we send to the running master server handler
$rpc = $response;
$rpc['role'] = $role;
// This one we only send to the user
+ // TODO
+ /*
$response['satellites'] = $sat1;
$response['satellites2'] = $sat2;
+ */
} else {
$response['status'] = 'unregistered';
}
$response['id'] = $shibId;
$response['url'] = 'https://bwlp-masterserver.ruf.uni-freiburg.de/webif/';
+ @file_put_contents('/tmp/shib-unreg-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
} else {
// Found, see if we got personal information, either temporarily through metadata, or from database
$firstName = $user['firstname'];
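Review bot: The organization id is now derived from the scope part of `eppn` (the `/@(.+)$/` match) and, failing that, of `affiliation`, and both values are taken from `$_SERVER` exactly as the IdP asserted them; that mapping is only as trustworthy as the SP's scope checking against federation metadata, so it is worth confirming that the attribute filter enforces scope for both attributes and recording the assumption with a comment such as `// Scope suffix is trusted here; relies on the SP's attribute-filter scope check`. The two lookups are identical apart from the capture group, and `$out` is reused for both the regex match and the query row, so a small helper (declared at the top of the file) that takes the suffix and returns the organizationid or false would remove the duplication; a sketch follows. The commented-out `satellites` assignments with the bare `// TODO` should say what is pending or be removed, since dead code in a diff tends to outlive its reason. The new `shib-unreg-` dump at the end of this branch runs for every user not found in the database (see the note at the first hunk). The enclosing else-branch of the persistent-id check starts before this hunk.
```php
// Map an attribute scope suffix (as asserted by the IdP) to an organizationid; false if unknown.
function orgIdForSuffix($suffix)
{
    $row = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
        'suffix' => $suffix
    ));
    return ($row === false) ? false : $row['organizationid'];
}
// … unchanged: mail / userId assignment …
if (!isset($response['organizationId']) && isset($_SERVER['eppn'])
        && preg_match('/@(.+)$/', $_SERVER['eppn'], $m)) {
    $orgId = orgIdForSuffix($m[1]);
    if ($orgId !== false) {
        $response['organizationId'] = $orgId;
    }
}
if (!isset($response['organizationId']) && isset($_SERVER['affiliation'])
        && preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $m)) {
    $orgId = orgIdForSuffix($m[2]);
    if ($orgId !== false) {
        $response['organizationId'] = $orgId;
    }
}
```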
@@ -144,6 +174,9 @@ if (isset($rpc)) {
if (empty($rpc['lastName'])) {
$reply .= ' (No last name given)';
}
+ if (empty($rpc['organizationId'])) {
+ $reply .= ' (No organization id found)';
+ }
$response['error'] = $reply;
$response['status'] = 'error';
}