From db0225db8ff4993e4c91024a42b002ba3c813564 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 19 Oct 2016 10:46:20 +0200
Subject: Handle missing meta data from IdP when logging in via api
---
 inc/user.inc.php | 3 ++-
 modules/register.inc.php | 11 ++++++--
 shib/api.php | 67 ++++++++++++++++++++++++++++++++++++++----------
 3 files changed, 64 insertions(+), 17 deletions(-)
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 16ec77d..70a6cdb 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -200,7 +200,8 @@ class User
 );
 // Figure out whether the user should be considered a tutor
 if (isset($_SERVER['affiliation']) && (strpos(";{$_SERVER['affiliation']}", ';employee@') !== false
- || strpos(";{$_SERVER['affiliation']}", ';staff@') !== false))
+ || strpos(";{$_SERVER['affiliation']}", ';staff@') !== false
+ || strpos(";{$_SERVER['affiliation']}", ';faculty@') !== false))
 self::$user['role'] = 'TUTOR';
 elseif (isset($_SERVER['entitlement']) && strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false)
 self::$user['role'] = 'TUTOR';
diff --git a/modules/register.inc.php b/modules/register.inc.php
index f9a6ef5..c5c5cae 100644
--- a/modules/register.inc.php
+++ b/modules/register.inc.php
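Review bot: The affiliation-to-role rule extended here (`employee@`, `staff@`, now `faculty@`) is maintained in two places after this commit — this `if`/`elseif` chain and the new role block in shib/api.php — and the two copies already differ in their guards (this one checks `isset($_SERVER['affiliation'])`, the api.php copy reads the key unconditionally), so the next addition to the list will likely land in only one of them. Consider one shared helper, e.g. `User::isTutorAffiliation($affiliation)` that returns whether any of the three prefixes occurs in the semicolon-separated value, and call it from both sites. The method containing this chain starts and ends outside the hunk.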
@@ -48,8 +48,15 @@ class Page_Register extends Page
 }
 if (Request::post('agb') === 'on') {
- // Put stuff in DB
- if (User::deploy(Request::post('share') !== 'on', Request::post('testlogin'))) {
+ // Check if everything's there
+ if (!User::isTutor()) {
+ Message::addError('Sie sind weder Mitglied einer Gruppe, die als Zugriffsberechtigt eingestuft wird, noch tragen Sie das bwLehrpool-Entitlement. Bitte kontaktieren Sie Ihren lokalen bwLehrpool-Support.');
+ } elseif (empty(User::getMail())) {
+ Message::addError('Ihr Identity Provider hat keine E-Mail-Adresse zu Ihrem Account geliefert. Registrierung nicht möglich.');
+ } elseif (!User::hasFullName()) {
+ Message::addError('Ihr Identity Provider hat keinen Namen zu Ihrem Account geliefert. Registrierung nicht möglich.');
+ // Put stuff in DB
+ } elseif (User::deploy(Request::post('share') !== 'on', Request::post('testlogin'))) {
 Message::addSuccess('Ihr Konto wurde freigeschaltet');
 } else {
 Message::addError('Fehler beim Zusammenführen mit Ihrem Test-Account. Bitte wenden Sie sich an den Support.');
diff --git a/shib/api.php b/shib/api.php
index 0910c3d..54ebd55 100644
--- a/shib/api.php
+++ b/shib/api.php
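Review bot: The `// Put stuff in DB` comment now sits as the last line of the `!User::hasFullName()` failure branch, where it reads as describing the addError above it, rather than next to the `User::deploy(...)` call it belongs to; move it to the first line inside the `elseif (User::deploy(...))` branch, e.g. `} elseif (User::deploy(Request::post('share') !== 'on', Request::post('testlogin'))) { // Put stuff in DB`. The three new precondition checks also deserve a one-line comment stating why they run before `deploy`, e.g. `// Refuse to create an account from incomplete IdP attributes; deploy() would otherwise store an unusable record` — hedged, since `deploy` is outside the hunk. The enclosing method of `Page_Register` starts and ends outside the hunk.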
@@ -35,10 +35,47 @@ if (empty($_SERVER['persistent-id'])) {
 . " FROM user "
 . " INNER JOIN organization USING (organizationid) "
 . " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
+ // Figure out role
+ if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
+ $role = 'TUTOR';
+ } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false
+ || strpos(";{$_SERVER['affiliation']};", ';staff@') !== false
+ || strpos(";{$_SERVER['affiliation']};", ';faculty@') !== false) {
+ $role = 'TUTOR';
+ } else {
+ @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
+ $role = 'STUDENT';
+ }
 if ($user === false) {
 // Not found, so we don't know which satellite to use
- // TODO: Support STUDENT mode
- $response['status'] = 'unregistered';
+ if ($role === 'STUDENT') {
+ $response['status'] = 'ok';
+ if (isset($_SERVER['givenName'])) {
+ $response['firstName'] = $_SERVER['givenName'];
+ }
+ if (isset($_SERVER['sn'])) {
+ $response['lastName'] = $_SERVER['sn'];
+ }
+ if (isset($_SERVER['mail'])) {
+ $response['mail'] = $_SERVER['mail'];
+ }
+ $response['userId'] = $shibId;
+ preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER['affiliation'], $out);
+ $out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
+ 'suffix' => $out[2]
+ ));
+ if ($out !== false) {
+ $response['organizationId'] = $out['organizationid'];
+ }
+ // This one we send to the running master server handler
+ $rpc = $response;
+ $rpc['role'] = $role;
+ // This one we only send to the user
+ $response['satellites'] = $sat1;
+ $response['satellites2'] = $sat2;
+ } else {
+ $response['status'] = 'unregistered';
+ }
 $response['id'] = $shibId;
 $response['url'] = 'https://bwlp-masterserver.ruf.uni-freiburg.de/webif/';
 } else {
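Review bot: In the new `$role === 'STUDENT'` branch for an unknown user, `$response['satellites'] = $sat1;` and `$response['satellites2'] = $sat2;` read variables that, as far as the patch shows, are only computed in the registered-user `else` branch (the "Determine satellite(s)" query in the next hunk), so an unregistered student would get undefined-variable notices and null satellites; either perform a satellite lookup for the resolved organization here or drop the two assignments. The role detection and the suffix lookup also read `$_SERVER['entitlement']` and `$_SERVER['affiliation']` without `isset` (unlike the guarded copy in inc/user.inc.php), and `$out[2]` is used even when `preg_match` did not match, so a login whose IdP omits these attributes — the case this commit is about — still emits notices and queries an undefined suffix; the rewrite below guards both and stops reusing `$out` for the query result. The moved `@file_put_contents('/tmp/shib-…')` dump of the whole `$_SERVER` now runs for every non-tutor login, including unregistered ones, which writes all IdP attributes to a shared temp directory; consider whether it should stay now that the code path is live rather than a TODO. The enclosing `if (empty($_SERVER['persistent-id']))` block starts and ends outside the hunk.

```php
// Figure out role
$affiliation = isset($_SERVER['affiliation']) ? $_SERVER['affiliation'] : '';
$entitlement = isset($_SERVER['entitlement']) ? $_SERVER['entitlement'] : '';
if (strpos(";{$entitlement};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
	$role = 'TUTOR';
} else if (strpos(";{$affiliation};", ';employee@') !== false
		|| strpos(";{$affiliation};", ';staff@') !== false
		|| strpos(";{$affiliation};", ';faculty@') !== false) {
	$role = 'TUTOR';
} else {
	// … unchanged: debug dump, $role = 'STUDENT' …
}
// … unchanged: if ($user === false) / STUDENT response fields up to userId …
// Only look up the organization when the affiliation actually carries a suffix
if (preg_match('/(^|;)[^@]+@([^;]+)/', $affiliation, $out)) {
	$org = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", array(
		'suffix' => $out[2]
	));
	if ($org !== false) {
		$response['organizationId'] = $org['organizationid'];
	}
}
// This one we send to the running master server handler
$rpc = $response;
$rpc['role'] = $role;
```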
@@ -59,16 +96,6 @@ if (empty($_SERVER['persistent-id'])) {
 $response['status'] = 'anonymous';
 } else {
 // Seems ok!
- // Figure out role
- if (strpos(";{$_SERVER['entitlement']};", ';http://bwidm.de/entitlement/bwLehrpool;') !== false) {
- $role = 'TUTOR';
- } else if (strpos(";{$_SERVER['affiliation']};", ';employee@') !== false
- || strpos(";{$_SERVER['affiliation']};", ';staff@') !== false) {
- $role = 'TUTOR';
- } else {
- @file_put_contents('/tmp/shib-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
- $role = 'STUDENT';
- }
 // Determine satellite(s)
 $res = Database::simpleQuery("SELECT satellitename, addresses, certsha256 FROM satellite"
 . " WHERE organizationid = :organizationid AND userid IS NULL", array('organizationid' => $user['organizationid']));
@@ -98,16 +125,28 @@ if (empty($_SERVER['persistent-id'])) {
 // This one we only send to the user
 $response['satellites'] = $sat1;
 $response['satellites2'] = $sat2;
+ }
+ }
+}
+
+if (isset($rpc)) {
 $reply = RPC::submit($rpc);
 if (preg_match('/^TOKEN:(\w+) SESSIONID:(\w+)$/', $reply, $out)) {
 $response['token'] = $out[1];
 $response['sessionId'] = $out[2];
 } else {
+ if (empty($rpc['mail'])) {
+ $reply .= ' (No email given)';
+ }
+ if (empty($rpc['firstName'])) {
+ $reply .= ' (No first name given)';
+ }
+ if (empty($rpc['lastName'])) {
+ $reply .= ' (No last name given)';
+ }
 $response['error'] = $reply;
 $response['status'] = 'error';
 }
- }
- }
 }
 Header('Content-Type: text/plain; charset=utf-8');
-- 
cgit v1.2.3-55-g7522
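Review bot: `if (isset($rpc))` in the second hunk makes the RPC submission hinge on whether some earlier branch happened to assign `$rpc`, which is fragile when a branch is added or a variable of that name is set by an earlier include; initialising `$rpc = false;` before the `if (empty($_SERVER['persistent-id']))` chain (which starts outside the hunk) and testing `if ($rpc !== false) {` states the intent explicitly. The three `if (empty($rpc[...])) { $reply .= ' (No ... given)'; }` blocks repeat one pattern and could be a small `foreach` over `array('mail' => 'email', 'firstName' => 'first name', 'lastName' => 'last name')`, which also keeps the hint text next to the key it describes. A short comment above them, e.g. `// Annotate the failed reply with the attributes the IdP did not supply, the most common cause of a rejected submit`, would explain why the hints are only appended on failure. The first hunk (`@@ -59,16 +96,6 @@`) only removes the role block that moved up and raises nothing.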