From 11b2a674d95003957749cb57d3f74ce914c8ec9d Mon Sep 17 00:00:00 2001 From: Sae126V Date: Fri, 13 Sep 2024 10:09:36 +0000 Subject: [PATCH] Update code to improve local_info schema
--- config/local_info.xml | 12 +++++- config/local_info.xsd | 15 +++++-- .../AuthTokens/ShibAuthToken.php | 43 +++++++++++-------- lib/Gocdb_Services/Config.php | 27 ++++++++++-- 4 files changed, 70 insertions(+), 27 deletions(-)
diff --git a/config/local_info.xml b/config/local_info.xml
index e50ce0f9e..ea192d59e 100755
--- a/config/local_info.xml
+++ b/config/local_info.xml
@@ -180,12 +180,18 @@ false aai.egi.eu/auth/realms/egi EGI Proxy + + EGI Proxy IdP + urn:mace:egi.eu:res:gocdb#aai.egi.eu
@@ -194,9 +200,13 @@ aai-demo.egi.eu/auth/realms/egi EGI Demo Proxy + + EGI Proxy IdP + urn:mace:egi.eu:res:gocdb#aai.egi.eu + https://docs.egi.eu/internal/configuration-database/access/#using-institutional-account-via-egi-check-in
diff --git a/config/local_info.xsd b/config/local_info.xsd
index 816f39a57..4e7b42dc3 100755
--- a/config/local_info.xsd
+++ b/config/local_info.xsd
@@ -125,11 +125,18 @@ - + - - + + + + + + + + +
@@ -137,7 +144,7 @@ - +
diff --git a/lib/Authentication/AuthTokens/ShibAuthToken.php b/lib/Authentication/AuthTokens/ShibAuthToken.php
index 648fd814b..03b129d86 100644
--- a/lib/Authentication/AuthTokens/ShibAuthToken.php
+++ b/lib/Authentication/AuthTokens/ShibAuthToken.php
@@ -85,6 +85,7 @@ private function getAttributesInitToken(){ // specify location of the Shib Logout handler \Factory::$properties['LOGOUTURL'] = 'https://'.$hostname.'/Shibboleth.sso/Logout'; $idp = isset($_SERVER['Shib-Identity-Provider']) ? $_SERVER['Shib-Identity-Provider'] : ''; + if ($idp == 'https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata' && $_SERVER['distinguishedName'] != null){ $this->principal = $_SERVER['distinguishedName'];
@@ -103,38 +104,42 @@ private function getAttributesInitToken(){ foreach ($identityProviders as $provider) { if ($provider['idp'] === $idp) { $name = $provider['name']; - $helpUrl = $provider['help_url'] ?? '#'; + $helpUrl = $provider['help_url']; if (empty($_SERVER['voPersonID'])) { die( - "Did not receive required attributes from the IDP $name to " - . "complete authentication. Please contact gocdb-admins." + "Did not receive required attributes from the " + . "IDP $name to complete authentication. " + . "Please contact gocdb-admins." ); } if (empty($_SERVER['entitlement'])) { die( - "Did not receive the required entitlement attribute from " - . "the IDP $name. Please contact gocdb-admins." + "Did not receive the required entitlement " + . "attribute from the IDP $name. " + . "Please contact gocdb-admins." ); } if (!empty($provider['required_groups'])) { - $entitlementValues = explode( - ';', $_SERVER['entitlement'] - ); - - if (!array_intersect( - $entitlementValues, $provider['required_groups'] - )) { + $entitlementValues = explode(';', $_SERVER['entitlement']); + + if ( + !array_intersect( + $entitlementValues, + $provider['required_groups'] + ) + ) { $HTML = "
    " - . "
  • Login requires the entitlement " + . "
  • Login requires a GOCDB entitlement value " . "which was not provided for the IDP $name.
  • " . "
  • Please see here for more information: " - . "$helpUrl.
  • " - . "
  • Logout or restart your " - . "browser and attempt to login again using an IDP that " - . "provides a GOCDB entitlement.
  • " + . "" + . "$helpUrl." + . "
  • Logout or restart your browser" + . "and attempt to login again using an IDP " + . "that provides a GOCDB entitlement.
  • " . "
"; $HTML .= "
"; $HTML .= "principal = $_SERVER['voPersonID']; - $this->userDetails = ['AuthenticationRealm' => [$provider['idp']]]; + $this->userDetails = [ + 'AuthenticationRealm' => $provider['authenticationRealms'] + ]; return; } diff --git a/lib/Gocdb_Services/Config.php b/lib/Gocdb_Services/Config.php index d167f55dc..34a9e63cb 100644 --- a/lib/Gocdb_Services/Config.php +++ b/lib/Gocdb_Services/Config.php @@ -574,27 +574,46 @@ public function getIdentityProvidersInfo(): array $identityProviders = []; if (!empty($localInfo->identity_providers->provider)) { - foreach ($localInfo->identity_providers->provider as $providerDetails) { + foreach ( + $localInfo + ->identity_providers + ->provider as $providerDetails + ) { /** idp */ $idp = (string) $providerDetails->idp; /** name */ $name = (string) $providerDetails->name; + /** authentication_realms */ + $authenticationRealms = []; + if ($providerDetails->authentication_realms) { + foreach ( + $providerDetails + ->authentication_realms + ->shib_realm_name as $shibRealmName + ) { + $authenticationRealms[] = (string) $shibRealmName; + } + } + /** required_groups */ $requiredGroups = []; - if ($providerDetails->required_groups->group) { - foreach($providerDetails->required_groups->group as $group) { + if ($providerDetails->required_groups) { + foreach ( + $providerDetails->required_groups->group as $group + ) { $requiredGroups[] = (string) $group; } } /** help_url */ - $helpURL = $providerDetails->help_url ?? null; + $helpURL = (string) $providerDetails->help_url; $identityProviders[] = [ 'idp' => $idp, 'name' => $name, + 'authenticationRealms' => $authenticationRealms, 'requiredGroups' => $requiredGroups, 'helpURL', $helpURL ];
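Review bot: The new `'AuthenticationRealm' => $provider['authenticationRealms']` at the end of this hunk can now store an empty list, because the Config.php hunk in the same patch only fills `$authenticationRealms` when the provider has an `authentication_realms` element, whereas the old code always recorded `[$provider['idp']]`; if the realm is consulted by authorization code downstream, an empty realm should be treated as a configuration error rather than silently accepted, e.g. `'AuthenticationRealm' => $provider['authenticationRealms'] ?: [$provider['idp']]`, or a `die()` like the attribute checks above it. Dropping the `?? '#'` fallback on `$helpUrl = $provider['help_url'];` also means a provider without a help URL raises an undefined-index notice and renders an empty `href`; note too that Config.php in this patch emits the keys `helpURL` and `requiredGroups` (the former appended positionally via `'helpURL', $helpURL`), so if `$identityProviders` here is what `getIdentityProvidersInfo()` returns, the `help_url` and `required_groups` lookups never match — worth confirming at the call site, which is outside the hunk. `$name` and `$helpUrl` are interpolated into the HTML block and the `die()` messages without `htmlspecialchars()`; they come from local_info.xml rather than the request, but escaping them is cheap and keeps a config typo from becoming markup. The enclosing `getAttributesInitToken()` starts before this hunk.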