Diffstat (limited to 'shib/api.php')
-rw-r--r-- | shib/api.php | 166 |
1 files changed, 3 insertions, 163 deletions
diff --git a/shib/api.php b/shib/api.php
index 7f510d8..eec1e3d 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -11,175 +11,15 @@ die( json_encode($_SERVER, JSON_PRETTY_PRINT) );
 // */
 
 // Autoload classes from ./inc which adhere to naming scheme <lowercasename>.inc.php
-function slxAutoloader($class)
+spl_autoload_register(function ($class)
 {
 	$file = 'inc/' . preg_replace('/[^a-z0-9]/', '', mb_strtolower($class)) . '.inc.php';
 	if (!file_exists($file))
 		return;
 	require_once $file;
-}
-spl_autoload_register('slxAutoloader');
+});
 
-function getSatelliteList($orgId)
-{
-	// Determine satellite(s)
-	$res = Database::simpleQuery("SELECT satellitename, addresses, certsha256 FROM satellite"
-		. " WHERE organizationid = :organizationid AND userid IS NULL", array('organizationid' => $orgId));
-	$sat2 = array();
-	while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
-		$addrs = json_decode($row['addresses'], true);
-		if (!is_array($addrs) || empty($addrs))
-			continue;
-		$sat2[$row['satellitename']] = array(
-			'addresses' => $addrs,
-			'certHash' => $row['certsha256']
-		);
-	}
-	return $sat2;
-}
-
-$response = array();
-
-if (empty($_SERVER['persistent-id'])) {
-	// No persistent id given, should not happen!
-	$response['status'] = 'error';
-	$response['error'] = 'Shibboleth meta data missing!';
-	file_put_contents('/tmp/shib-nopid-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
-} else {
-	// Query database for user
-	$shibId = [ md5($_SERVER['persistent-id']) ];
-	if (strpos($_SERVER['persistent-id'], ';') !== false) {
-		foreach (explode(';', $_SERVER['persistent-id']) as $s) {
-			if (empty($s))
-				continue;
-			$shibId[] = md5($s);
-		}
-	}
-	$user = Database::queryFirst("SELECT user.userid, user.organizationid, user.firstname, user.lastname, user.email "
-		. " FROM user "
-		. " INNER JOIN organization USING (organizationid) "
-		. " WHERE user.shibid IN (:shibid) LIMIT 1", array('shibid' => $shibId));
-	// Figure out role
-	if (strpos(";{$_SERVER['entitlement']};", CONFIG_ENTITLEMENT) !== false) {
-		$role = 'TUTOR';
-	} else if (strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';employee@') !== false
-		|| strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';staff@') !== false
-		|| strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';faculty@') !== false) {
-		$role = 'TUTOR';
-	} else {
-		file_put_contents('/tmp/shib-student-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
-		$role = 'STUDENT';
-		// NEW: Ignore students for now
-		$response = array(
-			'status' => 'error',
-			'error' => "Sie wurden als Student eingestuft und können sich daher nicht an der " . CONFIG_SUITE . "-Suite anmelden."
-				. "\nFalls Ihr Nutzerkonto kein Studentenkonto ist stellen Sie sicher, dass Ihr IdP für berechtigte"
-				. "\nAccounts entweder das " . CONFIG_SUITE . "-Entitlement ausliefert, oder das Attribut " . CONFIG_SCOPED_AFFILIATION
-				. "\nausgeliefert wird, und es entweder 'employee@..', 'staff@..' oder 'faculty@..' enthält."
-				. "\n\nMehr Informationen finden Sie unter " . CONFIG_HELPURL
-		);
-		Header('Content-Type: text/plain; charset=utf-8');
-		die(json_encode($response, JSON_PRETTY_PRINT));
-		// end IGNORE STUDENTS
-	}
-	if ($user === false) {
-		// Not found, so we don't know which satellite to use
-		if ($role === 'STUDENT') {
-			$response['status'] = 'ok';
-			$response['firstName'] = $_SERVER['givenName'] ?? 'Anonymous';
-			$response['lastName'] = $_SERVER[CONFIG_SURNAME] ?? 'Student';
-			$response['mail'] = $_SERVER['mail'] ?? 'void@none.invalid';
-			$response['userId'] = $shibId;
-			// Try to figure out orgId
-			if (!isset($response['organizationId']) && isset($_SERVER[CONFIG_EPPN])) {
-				if (preg_match('/@(.+)$/', $_SERVER[CONFIG_EPPN], $out)) {
-					$out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
-						'suffix' => $out[1]
-					));
-					if ($out !== false) {
-						$response['organizationId'] = $out['organizationid'];
-					}
-				}
-			}
-			if (!isset($response['organizationId']) && isset($_SERVER[CONFIG_SCOPED_AFFILIATION])) {
-				if (preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER[CONFIG_SCOPED_AFFILIATION], $out)) {
-					$out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
-						'suffix' => $out[2]
-					));
-					if ($out !== false) {
-						$response['organizationId'] = $out['organizationid'];
-					}
-				}
-			}
-			// This one we send to the running master server handler
-			$rpc = $response;
-			$rpc['role'] = $role;
-			if (isset($response['organizationId'])) {
-				$response['satellites2'] = getSatelliteList($response['organizationId']);
-			}
-		} else {
-			$response['status'] = 'unregistered';
-		}
-		$response['id'] = $shibId;
-		$response['url'] = CONFIG_MASTERWEBIF;
-		file_put_contents('/tmp/shib-unreg-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
-	} else {
-		// Found, see if we got personal information, either temporarily through metadata, or from database
-		$firstName = $user['firstname'];
-		$lastName = $user['lastname'];
-		$mail = $user['email'];
-		if (empty($firstName) && isset($_SERVER['givenName']))
-			$firstName = trim($_SERVER['givenName']);
-		if (empty($lastName) && isset($_SERVER[CONFIG_SURNAME]))
-			$lastName = trim($_SERVER[CONFIG_SURNAME]);
-		if (empty($mail) && isset($_SERVER['mail']))
-			$mail = trim($_SERVER['mail']);
-		//
-		$login = (empty($user['userid']) ? $shibId : $user['userid'] );
-		if (empty($firstName) || empty($lastName) || empty($login)) {
-			// This means the user did not provide personal information on signup, nor does the IdP send them
-			$response['status'] = 'anonymous';
-		} else {
-			// Seems ok!
-			//
-			$response['status'] = 'ok';
-			$response['firstName'] = $firstName;
-			$response['lastName'] = $lastName;
-			$response['mail'] = $mail;
-			$response['userId'] = $user['userid'];
-			$response['organizationId'] = $user['organizationid'];
-			// This one we send to the running master server handler
-			$rpc = $response;
-			$rpc['userId'] = $login;
-			$rpc['role'] = $role;
-			// This one we only send to the user
-			$response['satellites2'] = getSatelliteList($user['organizationid']);
-		}
-	}
-}
-
-if (isset($rpc)) {
-	$reply = RPC::submit($rpc);
-	if (preg_match('/^TOKEN:(\w+) SESSIONID:(\w+)$/', $reply, $out)) {
-		$response['token'] = $out[1];
-		$response['sessionId'] = $out[2];
-	} else {
-		if (empty($rpc['mail'])) {
-			$reply .= ' (No email given)';
-		}
-		if (empty($rpc['firstName'])) {
-			$reply .= ' (No first name given)';
-		}
-		if (empty($rpc['lastName'])) {
-			$reply .= ' (No last name given)';
-		}
-		if (empty($rpc['organizationId'])) {
-			$reply .= ' (No organization id found)';
-		}
-		$response['error'] = $reply;
-		$response['status'] = 'error';
-	}
-}
+$response = ShibAuth::login();
 
 Header('Content-Type: text/plain; charset=utf-8');
 echo json_encode($response, JSON_PRETTY_PRINT);
|
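Review bot: `$response = ShibAuth::login();` on the new side is handed straight to `json_encode`, but nothing at the call site documents what `login()` returns when the Shibboleth attributes are missing, so the endpoint's error contract (the removed code's `status`/`error` keys) is no longer visible here; a one-line comment such as `// ShibAuth::login() reads the IdP attributes from $_SERVER and returns the response array (status, error, userId, ...)` would keep it readable, with the class resolving to `inc/shibauth.inc.php` per the autoloader's naming scheme. The removed code wrote `print_r($_SERVER, true)` — i.e. the persistent-id, names and mail delivered by the IdP — to predictable files under `/tmp` keyed by `REMOTE_ADDR`; whether that logging moved into `ShibAuth::login()` or was dropped is not visible in this hunk, and if it survived it should go to a non-shared, permission-restricted location rather than a world-readable temp directory. The hunk's context also shows `die( json_encode($_SERVER, JSON_PRETTY_PRINT) );` immediately above `// */`, which looks like a toggle-able debug block that would return every request header to the client if the opening comment is ever changed; now that the file is a thin wrapper this is a good moment to delete it. The autoloader closure keeps the previous behaviour unchanged, including the relative `inc/` path resolved against the working directory and the silent return when the file is absent.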