From 6e5647f25e26c2a31d7b4cf0ee6924a2db4916c5 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 22 Nov 2022 17:11:38 +0100
Subject: user/api: Handle IdPs that supply multiple persistent-ids

To be backwards compat with the old way, in case we already have
concatenated persistent-ids in our DB, just try all persistent-ids
supplied, plus the unparsed concatenated one.
---
 inc/user.inc.php | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

(limited to 'inc')

diff --git a/inc/user.inc.php b/inc/user.inc.php
index a5a8e3c..539b6f8 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -159,7 +159,8 @@ class User
 				return false;
 			}
 			// Try user from local DB
-			self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email FROM user WHERE userid = :uid LIMIT 1', array('uid' => Session::getUid()));
+			self::$user = Database::queryFirst('SELECT userid, shibid, organizationid AS organization, firstname, lastname, email
+					FROM user WHERE userid = :uid LIMIT 1', ['uid' => Session::getUid()]);
 			self::$isInDb = self::$user !== false;
 			if (!self::$isInDb) {
 				Session::delete();
@@ -187,10 +188,16 @@ class User
 			$_SERVER['givenName'] = '';
 		if (!isset($_SERVER['mail']))
 			$_SERVER['mail'] = '';
-		$shibId = md5($_SERVER['persistent-id']);
+		$shibId = [];
+		if (strpos($_SERVER['persistent-id'], ';') !== false) {
+			foreach (explode(';', $_SERVER['persistent-id']) as $s) {
+				$shibId[] = md5($s);
+			}
+		}
+		$shibId[] = md5($_SERVER['persistent-id']);
 		self::$user = array(
 			'userid' => NULL,
-			'shibid' => $shibId,
+			'shibid' => $shibId[0],
 			'firstname' => $_SERVER['givenName'],
 			'lastname' => $_SERVER[CONFIG_SURNAME],
 			'email' => $_SERVER['mail'],
@@ -212,7 +219,8 @@ class User
 			self::$user['organization'] = $out[1];
 		}
 		// Get matching db entry if any
-		$user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user WHERE shibid = :shibid LIMIT 1', array('shibid' => $shibId));
+		$user = Database::queryFirst('SELECT userid, firstname, lastname, email, fixedname FROM user
+				WHERE shibid IN (:shibid) LIMIT 1', ['shibid' => $shibId]);
 		if ($user === false) {
 			// No match in database, user is not signed up
 			return true;
-- 
cgit v1.2.3-55-g7522