From 6e5647f25e26c2a31d7b4cf0ee6924a2db4916c5 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 22 Nov 2022 17:11:38 +0100
Subject: user/api: Handle IdPs that supply multiple persistent-ids

To be backwards compat with the old way, in case we already have
concatenated persistent-ids in our DB, just try all persistent-ids
supplied, plus the unparsed concatenated one.
---
 shib/api.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'shib')

diff --git a/shib/api.php b/shib/api.php
index 38b2d7a..0c32f9a 100644
--- a/shib/api.php
+++ b/shib/api.php
@@ -47,11 +47,18 @@ if (empty($_SERVER['persistent-id'])) {
 	file_put_contents('/tmp/shib-nopid-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
 } else {
 	// Query database for user
-	$shibId = md5($_SERVER['persistent-id']);
+	$shibId = [ md5($_SERVER['persistent-id']) ];
+	if (strpos($_SERVER['persistent-id'], ';') !== false) {
+		foreach (explode(';', $_SERVER['persistent-id']) as $s) {
+			if (empty($s))
+				continue;
+			$shibId[] = md5($s);
+		}
+	}
 	$user = Database::queryFirst("SELECT user.userid, user.organizationid, user.firstname, user.lastname, user.email "
 		. " FROM user "
 		. " INNER JOIN organization USING (organizationid) "
-		. " WHERE user.shibid = :shibid LIMIT 1", array('shibid' => $shibId));
+		. " WHERE user.shibid IN (:shibid) LIMIT 1", array('shibid' => $shibId));
 	// Figure out role
 	if (strpos(";{$_SERVER['entitlement']};", CONFIG_ENTITLEMENT) !== false) {
 		$role = 'TUTOR';
-- 
cgit v1.2.3-55-g7522