From d308379fb30894f8652525f877facdec2d8d58c0 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 7 Dec 2018 10:07:50 +0100
Subject: Improve shibboleth eppn/affiliation handling
---
 inc/user.inc.php | 7 ++++++-
 shib/api.php | 49 +++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 70a6cdb..fe43abe 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -148,6 +148,7 @@ class User
 public static function load()
 {
+ //file_put_contents('/tmp/test-' . time(), print_r($_SERVER, true));
 if (self::isLoggedIn())
 return true;
 $hasSession = Session::load();
@@ -208,8 +209,12 @@ class User
 else
 self::$user['role'] = 'STUDENT';
 // Try to figure out organization
- if (isset($_SERVER['affiliation']) && preg_match('/@([a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out))
+ if (isset($_SERVER['eppn']) && preg_match('/@([0-9a-zA-Z\-\._]+)$/', $_SERVER['eppn'], $out)) {
 self::$user['organization'] = $out[1];
+ }
+ if (!isset(self::$user['organization']) && isset($_SERVER['affiliation']) && preg_match('/@([0-9a-zA-Z\-\._]+)(;|$)/', $_SERVER['affiliation'], $out)) {
+ self::$user['organization'] = $out[1];
+ }
 // Get matching db entry if any
 $user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
 if ($user === false) {
diff --git a/shib/api.php b/shib/api.php
index 54ebd55..2098765 100644
--- a/shib/api.php
+++ b/shib/api.php
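Review bot: The added `//file_put_contents('/tmp/test-' . time(), print_r($_SERVER, true));` at the top of User::load() is commented-out debugging and should not land in this form: re-enabling it dumps the whole `$_SERVER` array — the Shibboleth attributes such as eppn and mail, plus every request header including cookies — into a world-readable, predictably named file under /tmp. Delete the line, or if a dump is genuinely needed for IdP troubleshooting, gate it behind a debug flag and write to a directory readable only by the web server user. The body of load() continues beyond this hunk.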
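Review bot: The new eppn branch records `$out[1]`, the scope after the `@`, as the user's organization without any check that the asserting IdP may issue that scope, so the value is only trustworthy if the Shibboleth SP's attribute policy performs scope checking for eppn and attributes reach PHP as environment variables rather than as spoofable HTTP headers. That assumption is worth stating at the branch, e.g. `// eppn scope is trusted as-is; relies on the SP enforcing scopeCheck for eppn in attribute-policy.xml`. A smaller point: the second `if` reuses `$out` after a failed eppn match, which works because `preg_match` resets it to an empty array, but separate match variables would make the eppn-then-affiliation fall-through easier to read. The enclosing method starts and ends outside the hunk.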
@@ -27,7 +27,7 @@ if (empty($_SERVER['persistent-id'])) {
 // No persistent id given, should not happen!
 $response['status'] = 'error';
 $response['error'] = 'Shibboleth meta data missing!';
- @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
+ @file_put_contents('/tmp/shib-nopid-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
 } else {
 // Query database for user
 $shibId = md5($_SERVER['persistent-id']);
@@ -43,8 +43,20 @@ if (empty($_SERVER['persistent-id'])) {
 || strpos(";{$_SERVER['affiliation']};", ';faculty@') !== false) {
 $role = 'TUTOR';
 } else {
- @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
+ @file_put_contents('/tmp/shib-student-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
 $role = 'STUDENT';
+ // NEW: Ignore students for now
+ $response = array(
+ 'status' => 'error',
+ 'error' => "Sie wurden als Student eingestuft und können sich daher nicht an der bwLehrpool-Suite anmelden." . "\nFalls Ihr Nutzerkonto kein Studentenkonto ist stellen Sie sicher, dass Ihr IdP für berechtigte" . "\nAccounts entweder das bwLehrpool-Entitlement ausliefert, oder das Attribut 'affiliation'" . "\nausgeliefert wird, und es entweder 'employee@..', 'staff@..' oder 'faculty@..' enthält." . "\n\nMehr Informationen finden Sie unter www.bwlehrpool.de" ); Header('Content-Type: text/plain; charset=utf-8'); die(json_encode($response, JSON_PRETTY_PRINT)); // end IGNORE STUDENTS
 }
 if ($user === false) {
 // Not found, so we don't know which satellite to use
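Review bot: The renamed dump on the `+` line still writes `print_r($_SERVER, true)` to `/tmp/shib-nopid-<time>-<ip>.txt`: on a Shibboleth-protected endpoint that array carries the asserted attributes (eppn, mail, names), the request headers including any cookies, and the server environment, and /tmp is world-readable under a name anyone can predict. On a shared host that is a personal-data leak to every local account, and the `@` hides the case where the write fails. If the dump is needed to debug IdPs that omit persistent-id, write it to a directory owned by the web server user with mode 0600 (`umask(0077)` before the call, or `chmod($path, 0600)` right after), and record only the Shib-* attribute names and the IdP entityID rather than the whole array.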
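Review bot: `$role = 'STUDENT';` is a dead store now, because the block added directly below it unconditionally ends in `die()`; the `// NEW … // end IGNORE STUDENTS` markers say this is temporary, so make the switch explicit instead of leaving unreachable code — wrap the block in `if (REJECT_STUDENTS) {` with the constant defined once in config, so re-enabling student logins is a one-line change. `die(json_encode(...))` after `Header('Content-Type: text/plain; charset=utf-8')` also replies with the default 200 status, while the script's other error responses are presumably emitted by a shared output path further down (outside this hunk); if that path sets a different status or content type, clients see two shapes of error from one endpoint, so setting `$response['status'] = 'error'` and skipping the rest of the branch would be more consistent. Note that the `/tmp/shib-student-…` dump right above means every rejected student login still leaves that user's full `$_SERVER` on disk.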
@@ -60,24 +72,42 @@ if (empty($_SERVER['persistent-id'])) {
 $response['mail'] = $_SERVER['mail'];
 }
 $response['userId'] = $shibId;
- preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out);
- $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
- 'suffix' => $out[2]
- ));
- if ($out !== false) {
- $response['organizationId'] = $out['organizationid'];
+ // Try to figure out orgId
+ if (!isset($response['organizationId']) && isset($_SERVER['eppn'])) {
+ if (preg_match('/@(.+)$/', $_SERVER['eppn'], $out)) {
+ $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
+ 'suffix' => $out[1]
+ ));
+ if ($out !== false) {
+ $response['organizationId'] = $out['organizationid'];
+ }
+ }
+ }
+ if (!isset($response['organizationId']) && isset($_SERVER['affiliation'])) {
+ if (preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out)) {
+ $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
+ 'suffix' => $out[2]
+ ));
+ if ($out !== false) {
+ $response['organizationId'] = $out['organizationid'];
+ }
+ }
 }
 // This one we send to the running master server handler
 $rpc = $response;
 $rpc['role'] = $role;
 // This one we only send to the user
+ // TODO
+ /*
 $response['satellites'] = $sat1;
 $response['satellites2'] = $sat2;
+ */
 } else {
 $response['status'] = 'unregistered';
 }
 $response['id'] = $shibId;
 $response['url'] = 'https://bwlp-masterserver.ruf.uni-freiburg.de/webif/';
+ @file_put_contents('/tmp/shib-unreg-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
 } else {
 // Found, see if we got personal information, either temporarily through metadata, or from database
 $firstName = $user['firstname'];
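Review bot: The eppn regex used here, `/@(.+)$/`, is looser than the `/@([0-9a-zA-Z\-\._]+)$/` this same commit introduces for eppn in inc/user.inc.php, so the two files can derive different organizations from one attribute value (a scope containing `;`, whitespace or a second `@` is accepted here and rejected there), and the organizationId picked here is what is forwarded to the master server in `$rpc`. The two lookup blocks also differ only in the source attribute and capture group, and both reuse `$out` first for the match array and then for the DB row; collecting the candidate suffixes and running one lookup loop keeps the eppn-then-affiliation fall-through (including the case where eppn matches but has no DB row) while removing the duplication, as sketched below. The `@file_put_contents('/tmp/shib-unreg-…')` added at the end of the unregistered branch has the same exposure as the other `$_SERVER` dumps in this file. Both enclosing `if` branches start and end outside the hunk.
```php
$response['userId'] = $shibId;
// Try to figure out orgId: eppn scope first, then the first scoped affiliation value
if (!isset($response['organizationId'])) {
    $suffixes = array();
    if (isset($_SERVER['eppn']) && preg_match('/@([0-9a-zA-Z\-\._]+)$/', $_SERVER['eppn'], $m)) {
        $suffixes[] = $m[1];
    }
    if (isset($_SERVER['affiliation']) && preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $m)) {
        $suffixes[] = $m[2];
    }
    foreach ($suffixes as $suffix) {
        $row = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
            'suffix' => $suffix
        ));
        if ($row !== false) {
            $response['organizationId'] = $row['organizationid'];
            break;
        }
    }
}
// … unchanged: rpc copy, satellites TODO, unregistered branch …
```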
@@ -144,6 +174,9 @@ if (isset($rpc)) {
 if (empty($rpc['lastName'])) {
 $reply .= ' (No last name given)';
 }
+ if (empty($rpc['organizationId'])) {
+ $reply .= ' (No organization id found)';
+ }
 $response['error'] = $reply;
 $response['status'] = 'error';
 }
--
cgit v1.2.3-55-g7522
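Review bot: `empty($rpc['organizationId'])` also fires when the id is `0` or `'0'`; if organization_suffix.organizationid is an auto-increment key starting at 1 this is harmless, otherwise `!isset($rpc['organizationId'])` is the safer test — worth confirming against the schema. Whether a missing organizationId by itself produces the error depends on the outer condition of this block, which lies outside the hunk and is not touched by any hunk in this commit; if it only checks the names, the new text is appended only when a name is also missing, which may not be what was intended. A short comment such as `// master server cannot place a user without an organization` would record why this was made part of the error reply. The enclosing `if (isset($rpc))` block starts outside this hunk.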