From 93d1acd95d1bf99d3f428abdd85078d1bac7119f Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 10 Sep 2015 15:15:28 +0200
Subject: Adapt to master-server changes (Db scheme)

---
 inc/image.inc.php         |  8 ++++----
 inc/user.inc.php          | 34 +++++++++++++++++++---------------
 modules/adduser.inc.php   |  6 +++---
 modules/logout.inc.php    |  4 +---
 modules/main.inc.php      |  2 +-
 shib/api.php              | 39 +++++++++++++++++++++++++++------------
 templates/main/guest.html |  2 +-
 7 files changed, 56 insertions(+), 39 deletions(-)

diff --git a/inc/image.inc.php b/inc/image.inc.php
index 5b8f077..1bad04f 100644
--- a/inc/image.inc.php
+++ b/inc/image.inc.php
@@ -7,14 +7,14 @@ class Image
 	{
 		if ($userid === false || !is_numeric($userid))
 			return false;
-		return Database::exec('DELETE FROM image WHERE ownerid = :userid', array('userid' => $userid));
+		//return Database::exec('DELETE FROM image WHERE ownerid = :userid', array('userid' => $userid));
+		// TODO
 	}
 	
 	public static function getImageCount($login)
 	{
-		$ret = Database::queryFirst('SELECT Count(*) AS cnt FROM image '
-			. ' INNER JOIN user ON (image.ownerid = user.userid) '
-			. ' WHERE user.login = :login', array('login' => $login));
+		$ret = Database::queryFirst('SELECT Count(*) AS cnt FROM imagebase '
+			. ' WHERE imagebase.ownerid = :userid', array('userid' => $login));
 		if ($ret === false)
 			return 0;
 		return $ret['cnt'];
diff --git a/inc/user.inc.php b/inc/user.inc.php
index c09e936..28a1fd5 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -43,7 +43,7 @@ class User
 	{
 		if (!isset(self::$user['userid']))
 			return false;
-		return (int) self::$user['userid'];
+		return self::$user['userid'];
 	}
 
 	public static function getMail()
@@ -152,10 +152,16 @@ class User
 			return true;
 		$hasSession = Session::load();
 		if (empty($_SERVER['persistent-id'])) {
-			if (Session::getUid() === false)
+			if (Session::getUid() === false) {
+				if (!empty($_SERVER['Shib-Session-ID'])) {
+					Message::addError('Sie haben sich erfolgreich mittels bwIDM authentifiziert,'
+						. ' aber der IdP Ihrer Einrichtung scheint die benötigten Metadaten nicht'
+						. ' an den bwLehrpool-SP zu übermitteln. Bitte wenden Sie sich an den Support.');
+				}
 				return false;
+			}
 			// Try user from local DB
-			self::$user = Database::queryFirst('SELECT userid, shibid, login, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
+			self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
 			self::$isInDb = self::$user !== false;
 			return self::$isInDb;
 		}
@@ -174,9 +180,8 @@ class User
 			$_SERVER['mail'] = '';
 		$shibId = md5($_SERVER['persistent-id']);
 		self::$user = array(
-			'userid' => 0,
+			'userid' => NULL,
 			'shibid' => $shibId,
-			'login' => NULL,
 			'firstname' => $_SERVER['givenName'],
 			'lastname' => $_SERVER['sn'],
 			'email' => $_SERVER['mail'],
@@ -190,7 +195,7 @@ class User
 		if (isset($_SERVER['affiliation']) && preg_match('/@([a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out))
 			self::$user['organization'] = $out[1];
 		// Get matching db entry if any
-		$user = Database::queryFirst('SELECT userid, login, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
+		$user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
 		if ($user === false) {
 			// No match in database, user is not signed up
 			return true;
@@ -201,7 +206,6 @@ class User
 			Session::save();
 		}
 		// Already signed up, see if we can fetch missing fields from DB
-		self::$user['login'] = $user['login'];
 		self::$isInDb = true;
 		self::$isAnonymous = (empty($user['firstname']) && empty($user['lastname']));
 		foreach (array('firstname', 'lastname', 'email') as $key) {
@@ -220,15 +224,15 @@ class User
 		if (!empty($existingLogin)) {
 			if ($anonymous) {
 				$ret = Database::exec("UPDATE user SET shibid = :shibid, firstname = '', lastname = '', email = '', password = '' "
-					. " WHERE login = :login LIMIT 1", array(
+					. " WHERE userid = :userid LIMIT 1", array(
 						'shibid' => self::$user['shibid'],
-						'login' => $existingLogin
+						'userid' => $existingLogin
 					));
 			} else {
 				$ret = Database::exec("UPDATE user SET shibid = :shibid, password = '', firstname = :firstname, lastname = :lastname, email = :email "
-					. " WHERE login = :login LIMIT 1", array(
+					. " WHERE userid = :userid LIMIT 1", array(
 						'shibid' => self::$user['shibid'],
-						'login' => $existingLogin,
+						'userid' => $existingLogin,
 						'firstname' => self::$user['firstname'],
 						'lastname' => self::$user['lastname'],
 						'email' => self::$user['email']
@@ -239,14 +243,14 @@ class User
 		
 		// New account
 		if ($anonymous) {
-			Database::exec("INSERT INTO user (shibid, login, organizationid, firstname, lastname, email) "
+			Database::exec("INSERT INTO user (shibid, userid, organizationid, firstname, lastname, email) "
 				. " VALUES (:shibid, :shibid, :org, '', '', '') "
 				. " ON DUPLICATE KEY UPDATE firstname = '', lastname = '', email = '', password = ''", array(
 				'shibid' => self::$user['shibid'],
 				'org' => self::getOrganizationId()
 			));
 		} else {
-			Database::exec("INSERT INTO user (shibid, login, organizationid, firstname, lastname, email) "
+			Database::exec("INSERT INTO user (shibid, userid, organizationid, firstname, lastname, email) "
 				. " VALUES (:shibid, :shibid, :org, :firstname, :lastname, :email) "
 				. " ON DUPLICATE KEY UPDATE firstname = VALUES(firstname), lastname = VALUES(lastname), email = VALUES(email), password = ''", array(
 				'shibid' => self::$user['shibid'],
@@ -284,7 +288,7 @@ class User
 
 	public static function login($user, $pass)
 	{
-		$ret = Database::queryFirst('SELECT userid, password FROM user WHERE login = :user LIMIT 1', array(':user' => $user));
+		$ret = Database::queryFirst('SELECT userid, password FROM user WHERE userid = :user LIMIT 1', array(':user' => $user));
 		if ($ret === false)
 			return false;
 		if (!Crypto::verify($pass, $ret['password']))
@@ -305,7 +309,7 @@ class User
 		}
 		Session::delete();
 		if (self::$isShib) {
-			Header('Location: ' . CONFIG_PREFIX . '?do=Logout&noredirect=yes');
+			Header('Location: /Shibboleth.sso/Logout');
 		} else {
 			Header('Location: ?do=Main');
 		}
diff --git a/modules/adduser.inc.php b/modules/adduser.inc.php
index f27717b..7bb6c1f 100644
--- a/modules/adduser.inc.php
+++ b/modules/adduser.inc.php
@@ -47,9 +47,9 @@ class Page_AddUser extends Page
 				if ($ok === false) {
 					Message::addError('Login-Suffix @{{0}} ist ungültig.', $suffix);
 				} else {
-					Database::exec('INSERT INTO user (login, password, organizationid, firstname, lastname, email) '
-						. ' VALUES (:login, :password, :organization, :firstname, :lastname, :email)', array(
-							'login' => $login,
+					Database::exec('INSERT INTO user (userid, password, organizationid, firstname, lastname, email) '
+						. ' VALUES (:userid, :password, :organization, :firstname, :lastname, :email)', array(
+							'userid' => $login,
 							'password' => Crypto::hash6($password),
 							'organization' => $organizationid,
 							'firstname' => $firstname,
diff --git a/modules/logout.inc.php b/modules/logout.inc.php
index f1379d6..7351abc 100644
--- a/modules/logout.inc.php
+++ b/modules/logout.inc.php
@@ -8,9 +8,7 @@ class Page_Logout extends Page
 		if (!User::load()) {
 			Util::redirect('?do=Main');
 		}
-		if (User::isLocalOnly()) {
-			User::logout();
-		}
+		User::logout();
 	}
 
 	public function doRender()
diff --git a/modules/main.inc.php b/modules/main.inc.php
index 3e3aff8..2581a59 100644
--- a/modules/main.inc.php
+++ b/modules/main.inc.php
@@ -13,7 +13,7 @@ class Page_Main extends Page
 		Render::addTemplate('main/_page');
 		if (!User::isLoggedIn()) {
 			// Guest
-			Render::addTemplate('main/guest');
+			Render::addTemplate('main/guest', array('prefix' => CONFIG_PREFIX));
 			return;
 		}
 		// Logged in user --
diff --git a/shib/api.php b/shib/api.php
index 58b9c80..6772e86 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -27,12 +27,13 @@ if (empty($_SERVER['persistent-id'])) {
 	// No persistent id given, should not happen!
 	$response['status'] = 'error';
 	$response['error'] = 'Shibboleth meta data missing!';
+	@file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
 } else {
 	// Query database for user
 	$shibId = md5($_SERVER['persistent-id']);
-	$user = Database::queryFirst("SELECT user.userid, user.login, user.organizationid, user.firstname, user.lastname, user.email, satellite.address "
+	$user = Database::queryFirst("SELECT user.userid, user.organizationid, user.firstname, user.lastname, user.email "
 		. " FROM user "
-		. " INNER JOIN satellite USING (organizationid) "
+		. " INNER JOIN organization USING (organizationid) "
 		. " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
 	if ($user === false) {
 		// Not found, so we don't know which satellite to use
@@ -51,7 +52,7 @@ if (empty($_SERVER['persistent-id'])) {
 		if (empty($mail) && isset($_SERVER['mail']))
 			$mail = trim($_SERVER['mail']);
 		//
-		$login = ( empty($user['login']) ? $shibId : $user['login'] );
+		$login = ( empty($user['userid']) ? $shibId : $user['userid'] );
 		if (empty($firstName) || empty($lastName) || empty($login)) {
 			// This means the user did not provide personal information on signup, nor does the IdP send them
 			$response['status'] = 'anonymous';
@@ -59,27 +60,41 @@ if (empty($_SERVER['persistent-id'])) {
 			// Seems ok!
 			// Figure out role
 			if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
-				$role = 'tutor';
+				$role = 'TUTOR';
 			} else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false) {
-				$role = 'tutor';
+				$role = 'TUTOR';
 			} else {
-				$role = 'student';
+				$role = 'STUDENT';
+			}
+			// Determine satellite(s)
+			$res = Database::simpleQuery("SELECT satellitename, addresses, certsha256 FROM satellite"
+				. " WHERE organizationid = :organizationid AND userid IS NULL", array('organizationid' => $user['organizationid']));
+			$sat1 = array(); // Legacy
+			$sat2 = array();
+			while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
+				$addrs = json_decode($row['addresses'], true);
+				if (!is_array($addrs) || empty($addrs))
+					continue;
+				$sat1[$row['satellitename']] = $addrs[0];
+				$sat2[$row['satellitename']] = array(
+					'addresses' => $addrs,
+					'certHash' => $row['certsha256']
+				);
 			}
 			//
 			$response['status'] = 'ok';
 			$response['firstName'] = $firstName;
 			$response['lastName'] = $lastName;
 			$response['mail'] = $mail;
+			$response['userId'] = $user['userid'];
+			$response['organizationId'] = $user['organizationid'];
 			// This one we send to the running master server handler
 			$rpc = $response;
-			$rpc['userId'] = $user['userid'];
+			$rpc['userId'] = $login;
 			$rpc['role'] = $role;
-			$rpc['organizationid'] = $user['organizationid'];
-			$rpc['login'] = $login;
 			// This one we only send to the user
-			$response['satellites'] = array(
-				'default' => $user['address']
-			);
+			$response['satellites'] = $sat1;
+			$response['satellites2'] = $sat2;
 			$reply = RPC::submit($rpc);
 			if (preg_match('/^TOKEN:(\w+) SESSIONID:(\w+)$/', $reply, $out)) {
 				$response['token'] = $out[1];
diff --git a/templates/main/guest.html b/templates/main/guest.html
index 14cc902..3788633 100644
--- a/templates/main/guest.html
+++ b/templates/main/guest.html
@@ -1,7 +1,7 @@
 <div class="form-narrow">
 	Sie sind nicht authentifiziert. Bitte wählen Sie:
 	<ul>
-		<li><a href="shib/">Anmelden oder registrieren über bwIDM</a></li>
+		<li><a href="{{prefix}}shib/">Anmelden oder registrieren über bwIDM</a></li>
 		<li><a href="?do=Login">Anmelden mit einem bwLehrpool-Testaccount</a></li>
 	</ul>
 </div>
-- 
cgit v1.2.3-55-g7522