authorSimon Rettberg2025-08-20 16:56:50 +0200
committerSimon Rettberg2025-08-20 16:56:50 +0200
commitf230c4f5286f72b7d4c5afad198e6f2cd459b031 (patch)
treea9d628dd97c8094b6902722f7f16ce79c2ba987a /modules-available/sysconfig
parent[locationinfo] Fix undefined array key access (diff)
[sysconfig] Shibauth: Add option to require entitlement(s) for login
To be implemented on client-side.
Diffstat (limited to 'modules-available/sysconfig')
-rw-r--r--modules-available/sysconfig/addmodule_shibauth.inc.php16
-rw-r--r--modules-available/sysconfig/inc/configmodule/shibauth.inc.php29
-rw-r--r--modules-available/sysconfig/lang/de/template-tags.json2
-rw-r--r--modules-available/sysconfig/lang/en/template-tags.json2
-rw-r--r--modules-available/sysconfig/templates/shibauth-orgs.html8
5 files changed, 47 insertions, 10 deletions
diff --git a/modules-available/sysconfig/addmodule_shibauth.inc.php b/modules-available/sysconfig/addmodule_shibauth.inc.php
index 9f243abc..17c9d5b3 100644
--- a/modules-available/sysconfig/addmodule_shibauth.inc.php
+++ b/modules-available/sysconfig/addmodule_shibauth.inc.php
@@ -16,14 +16,14 @@ class ShibAuth_Start extends AddModule_Base
/* If coming via the back button, load the session data */
$session_data = Session::get(SHIB_SESSION_DATA);
if (!is_array($session_data)) {
- $session_data = ['userlogin' => true];
+ $session_data = ['userlogin' => true, 'browser' => true];
}
} elseif ($this->edit !== null) {
$session_data = $this->edit->getData(null)
+ ['title' => $this->edit->title()];
Session::set(SHIB_SESSION_DATA, $session_data);
} else {
- $session_data = ['userlogin' => true];
+ $session_data = ['userlogin' => true, 'browser' => true];
Session::set(SHIB_SESSION_DATA, $session_data);
}
Render::addDialog(Dictionary::translateFile('config-module', 'shibauth_title'), false, 'shibauth-start', [
@@ -49,13 +49,10 @@ class Shibauth_Orgs extends AddModule_Base
protected function preprocessInternal()
{
- $title = trim(Request::post('title', '', 'string'));
- if (empty($title)) {
- Util::redirect('?do=sysconfig&action=addmodule&step=ShibAuth_Start&back=true');
- }
$this->session_data = Session::get(SHIB_SESSION_DATA);
- if (!is_array($this->session_data)) {
- $this->session_data = [];
+ $title = trim(Request::post('title', null, 'string') ?? $this->session_data['title']);
+ if (empty($title) || !is_array($this->session_data)) {
+ Util::redirect('?do=sysconfig&action=addmodule&step=ShibAuth_Start&back=true');
}
$this->session_data['title'] = $title;
$this->session_data['browser'] = !empty(Request::post('browser', '', 'string'));
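Review bot: The new fallback `$this->session_data['title']` is evaluated before the `is_array($this->session_data)` check on the next line, so when the session holds no array, or an array without a `title` key, the read emits a warning and `trim()` receives `null`, which is deprecated on PHP 8.1+. A second `??` keeps the redirect behaviour intact while avoiding both: `$title = trim(Request::post('title', null, 'string') ?? $this->session_data['title'] ?? '');`. Alternatively, move the `is_array` redirect above the assignment so the array is validated before it is indexed. preprocessInternal continues past the end of the hunk.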
@@ -89,6 +86,7 @@ class Shibauth_Orgs extends AddModule_Base
'next' => 'ShibAuth_Finish',
'edit' => $this->edit !== null ? $this->edit->id() : 0,
'list' => $list,
+ 'entitlements' => $this->session_data['entitlements'] ?? '',
]);
}
@@ -99,6 +97,7 @@ class ShibAuth_Finish extends AddModule_Base
protected function preprocessInternal()
{
+ $entitlements = Request::post('entitlements', '', 'string');
$userIdpList = Request::post('idp', [], 'array');
if (empty($userIdpList)) {
Message::addError('no-organization-selected');
@@ -155,6 +154,7 @@ class ShibAuth_Finish extends AddModule_Base
$module->setData('userlogin', $session_data['userlogin']);
$module->setData('idp', $userIdpList);
$module->setData('regs', $entireRegs);
+ $module->setData('entitlements', $entitlements);
/* Insert or update database entries */
if ($this->edit !== null) {
diff --git a/modules-available/sysconfig/inc/configmodule/shibauth.inc.php b/modules-available/sysconfig/inc/configmodule/shibauth.inc.php
index b99c201e..801b30bf 100644
--- a/modules-available/sysconfig/inc/configmodule/shibauth.inc.php
+++ b/modules-available/sysconfig/inc/configmodule/shibauth.inc.php
@@ -47,6 +47,9 @@ class ConfigModule_ShibAuth extends ConfigModule
case 'idp':
case 'regs':
break;
+ case 'entitlements':
+ $value = str_replace(["\r", "\n", " ", "\t"], ';', $value);
+ break;
default:
return false;
}
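Review bot: The `entitlements` case rewrites each whitespace character to `;` on its own, so inputs like `a; b` or a value with leading or trailing blanks are stored as `a;;b` or `;a;`, and the client-side check that this list is meant to drive receives empty entitlement entries whose interpretation cannot be determined from here; because this value restricts who may log in, it should be stored in a canonical form. Splitting on separators and dropping empties does it in one line: `$value = implode(';', preg_split('/[\s;]+/', trim((string) $value), -1, PREG_SPLIT_NO_EMPTY));`. The accompanying help text names only the semicolon as separator, so whitespace separators could equally be rejected instead of rewritten. The enclosing switch and the setData method begin outside the hunk.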
@@ -82,7 +85,6 @@ class ConfigModule_ShibAuth extends ConfigModule
$userlogin = "user-session-enabled = false";
}
return [
- "/opt/openslx/pam/shibboleth/whitelist/shib-$id.idp" => implode("\n", $this->moduleData['idp']) . "\n",
"/etc/lightdm/qt-lightdm-greeter.conf.d/shib-$id.conf" => <<<EOF
[General]
shib-url = $url
@@ -90,12 +92,13 @@ $browser
$qrcode
$userlogin
EOF,
+ "/opt/openslx/pam/shibboleth/whitelist/shib-$id.idp" => $this->generateIdpList(),
"/opt/openslx/pam/shibboleth/whitelist/shib-$id.suffix" => $this->generateSuffixList(),
];
}
/**
- * Generate plain text file of suffixes belonging to all enabled entities.
+ * Generate plain-text file of suffixes belonging to all enabled entities.
* Used by pam-part on client to verify login.
*/
private function generateSuffixList(): string
@@ -122,4 +125,26 @@ EOF,
return $return;
}
+ /**
+ * Generates a list of Identity Providers (IdPs) based on the module's configuration data.
+ * Expands registrar data and merges with IdP data into a single list.
+ * If one or more entitlements are required, they're put on the first line.
+ *
+ * @return string A newline-separated string containing the list of IdPs.
+ */
+ private function generateIdpList(): string
+ {
+ $idps = [];
+ if (!empty($this->moduleData['entitlements'])) {
+ $idps[] = '# entitlements=' . $this->moduleData['entitlements'];
+ }
+ if (is_array($this->moduleData['regs'] ?? 0)) {
+ $idps = array_merge($idps, Shib::explodeRegistrars($this->moduleData['regs']));
+ }
+ if (is_array($this->moduleData['idp'])) {
+ $idps = array_merge($idps, $this->moduleData['idp']);
+ }
+ return implode("\n", $idps) . "\n";
+ }
+
}
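Review bot: `is_array($this->moduleData['idp'])` reads the key without the `?? null` guard that the `regs` check two lines earlier uses, so a module saved without `idp` data raises an undefined-array-key warning; make the two checks consistent with `if (is_array($this->moduleData['idp'] ?? null)) {`. The docblock should also record that the `# entitlements=` line is a directive for the client-side pam part which, per the commit description, is not implemented yet, so on clients that do not parse it the whitelist still admits the listed IdPs and the entitlement restriction configured here is not enforced — for example `* NOTE: the entitlement line is only honoured by clients that parse this directive; others ignore it and the restriction is not applied.` The behaviour of clients is inferred from the commit message rather than from code visible here.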
diff --git a/modules-available/sysconfig/lang/de/template-tags.json b/modules-available/sysconfig/lang/de/template-tags.json
index d547d4cc..eb9efb09 100644
--- a/modules-available/sysconfig/lang/de/template-tags.json
+++ b/modules-available/sysconfig/lang/de/template-tags.json
@@ -139,6 +139,8 @@
"lang_shareOther": "Andere (Saved Games, Kontakte, Favoriten, ...)",
"lang_shareRemapMode": "Einbindemodus",
"lang_shibEnabledMethods": "Aktivierte Anmeldemethoden",
+ "lang_shibEntitlements": "Entitlements",
+ "lang_shibEntitlementsPretext": "Wenn Sie den Login der unten ausgew\u00e4hlten Einrichtungen weiter einschr\u00e4nken wollen, k\u00f6nnen Sie in diesem Feld eine Liste von erforderlichen Entitlements angeben. Alle hier angegebenen Entitlements m\u00fcssen bei einem Nutzer vorhanden sein. Trennen Sie mehrere Attribute mit einem Semikolon.",
"lang_shibIntroText": "Hier k\u00f6nnen Sie die Anmeldung am Client mittels Single-Sign-on (SSO, z.B. Shibboleth) aktivieren. Dies erm\u00f6glicht einen Login via Browser, oder QR-Code. Dadurch wird z.B. die Nutzung von 2FA m\u00f6glich, sofern dies durch den genutzten IdP umgesetzt wird.\r\nBitte beachten Sie, dass es zur Zeit nicht m\u00f6glich ist, automatisiert ein Home-Verzeichnis f\u00fcr den Nutzer einzubinden, da die erforderlichen Daten beim Anmeldevorgang nicht \u00fcbertragen werden.",
"lang_shibSelectOrgs": "Organisationen ausw\u00e4hlen, denen die Anmeldung gew\u00e4hrt wird.",
"lang_shibUseBrowser": "Anmeldung durch Browser im Login-Screen erlauben",
diff --git a/modules-available/sysconfig/lang/en/template-tags.json b/modules-available/sysconfig/lang/en/template-tags.json
index cb5e973e..8b765b58 100644
--- a/modules-available/sysconfig/lang/en/template-tags.json
+++ b/modules-available/sysconfig/lang/en/template-tags.json
@@ -139,6 +139,8 @@
"lang_shareOther": "Other (Saved Games, Contacts, Favorites, ...)",
"lang_shareRemapMode": "Mapping mode",
"lang_shibEnabledMethods": "Enabled login methods",
+ "lang_shibEntitlements": "Entitlements",
+ "lang_shibEntitlementsPretext": "If you want to further restrict login for the institutions selected below, you can specify a list of required entitlements in this field. All entitlements listed here must be present for a user. Separate multiple attributes with a semicolon.",
"lang_shibIntroText": "Here you can activate client login using single sign-on (SSO, e.g. Shibboleth). This enables login via browser or QR code. This makes it possible to use 2FA, for example, provided that this is implemented by the IdP being used. Please note that this makes it impossible to automatically mount the user's home directory, as the according meta-data is not provided.",
"lang_shibSelectOrgs": "Select organizations that should be allowed to login.",
"lang_shibUseBrowser": "Allow logging in via browser embedded in login screen",
diff --git a/modules-available/sysconfig/templates/shibauth-orgs.html b/modules-available/sysconfig/templates/shibauth-orgs.html
index 98ebe5d1..97cdf69d 100644
--- a/modules-available/sysconfig/templates/shibauth-orgs.html
+++ b/modules-available/sysconfig/templates/shibauth-orgs.html
@@ -3,7 +3,15 @@
<input type="hidden" name="edit" value="{{edit}}">
<div>{{lang_shibSelectOrgs}}</div>
+<p>
+ {{lang_shibEntitlementsPretext}}
+</p>
+<div class="form-group">
+ <label for="entitlements">{{lang_shibEntitlements}}</label>
+ <input class="form-control" id="entitlements" name="entitlements" type="text" value="{{entitlements}}">
+</div>
<div class="slx-space"></div>
+<hr>
{{#list}}