Update code to improve local_info schema
Sae126V committed Sep 13, 2024
1 parent e91226c commit 7e7396c
Showing 4 changed files with 69 additions and 26 deletions.
12 changes: 11 additions & 1 deletion config/local_info.xml
Expand Up @@ -180,12 +180,18 @@
<restrict_personal_data>false</restrict_personal_data>

<!-- identity_providers
ST:TODO Add descriotion what it is
Shib/CheckIn Token reads config file
for needed AAI entitlements.
This is to allow Admins so that they will be empowered
to make quicker changes to AAI references.
-->
<identity_providers>
<provider>
<idp>aai.egi.eu/auth/realms/egi</idp>
<name>EGI Proxy</name>
<authentication_realms>
<shib_realm_name>EGI Proxy IdP</shib_realm_name>
</authentication_realms>
<required_groups>
<group>urn:mace:egi.eu:res:gocdb#aai.egi.eu</group>
</required_groups>
Expand All @@ -194,9 +200,13 @@
<provider>
<idp>aai-demo.egi.eu/auth/realms/egi</idp>
<name>EGI Demo Proxy</name>
<authentication_realms>
<shib_realm_name>EGI Proxy IdP</shib_realm_name>
</authentication_realms>
<required_groups>
<group>urn:mace:egi.eu:res:gocdb#aai.egi.eu</group>
</required_groups>
<help_url>https://docs.egi.eu/internal/configuration-database/access/#using-institutional-account-via-egi-check-in</help_url>
</provider>
</identity_providers>

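Review bot: Both providers declare the same `<shib_realm_name>EGI Proxy IdP</shib_realm_name>`, and ShibAuthToken.php in this commit now stores that configured list as the user's `AuthenticationRealm` in place of the actual IdP entity ID, so a login through aai-demo.egi.eu becomes indistinguishable from a production login wherever the realm is later compared. If the demo proxy is meant to be a separate trust domain, give it its own value (`<shib_realm_name>EGI Demo Proxy IdP</shib_realm_name>`); if treating both as one realm is intentional, say so in the comment above `<identity_providers>`. That comment also reads awkwardly; something like `<!-- identity_providers: the Shib/Check-in auth token reads this list to learn which AAI entitlements each IdP must supply, so admins can change AAI references without a code change -->` states the intent more clearly. The demo provider's `required_groups` reuses the production entitlement, which is presumably deliberate but worth confirming against what the demo proxy actually issues.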
15 changes: 11 additions & 4 deletions config/local_info.xsd
Expand Up @@ -125,19 +125,26 @@
<xs:element name="identity_providers" minOccurs="0">
<xs:complexType>
<xs:sequence>
<xs:element name="provider" minOccurs="1">
<xs:element name="provider" minOccurs="1" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="idp" type="xs:string"/>
<xs:element name="name" type="xs:string"/>
<xs:element name="idp" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="authentication_realms" minOccurs="1" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="shib_realm_name" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="required_groups" minOccurs="0">
<xs:complexType>
<xs:sequence>
<xs:element name="group" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="help_url" type="xs:string" minOccurs="0"/>
<xs:element name="help_url" type="xs:string" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
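Review bot: `help_url` and `idp` stay `xs:string` even though `help_url` becomes mandatory here, and ShibAuthToken.php in this commit writes `help_url` unescaped into an `<a href=...>` attribute; declaring `<xs:element name="help_url" type="xs:anyURI" minOccurs="1" maxOccurs="1"/>` (and `idp` likewise) lets schema validation reject non-URL values before they reach the HTML. Whether local_info.xml is actually validated against this schema at load time is not visible here, so escaping in the PHP is still required either way. Note also that `required_groups` remains `minOccurs="0"` while `authentication_realms` becomes required; a provider without `required_groups` skips the entitlement-group check entirely in ShibAuthToken.php, so if every provider is expected to restrict access it should be `minOccurs="1"` as well, or the permissive case should be documented in the schema.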
41 changes: 24 additions & 17 deletions lib/Authentication/AuthTokens/ShibAuthToken.php
Expand Up @@ -85,6 +85,7 @@ private function getAttributesInitToken(){
// specify location of the Shib Logout handler
\Factory::$properties['LOGOUTURL'] = 'https://'.$hostname.'/Shibboleth.sso/Logout';
$idp = isset($_SERVER['Shib-Identity-Provider']) ? $_SERVER['Shib-Identity-Provider'] : '';

if ($idp == 'https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata'
&& $_SERVER['distinguishedName'] != null){
$this->principal = $_SERVER['distinguishedName'];
Expand All @@ -103,38 +104,42 @@ private function getAttributesInitToken(){
foreach ($identityProviders as $provider) {
if ($provider['idp'] === $idp) {
$name = $provider['name'];
$helpUrl = $provider['help_url'] ?? '#';
$helpUrl = $provider['help_url'];

if (empty($_SERVER['voPersonID'])) {
die(
"Did not receive required attributes from the IDP $name to "
. "complete authentication. Please contact gocdb-admins."
"Did not receive required attributes from the "
. "IDP $name to complete authentication. "
. "Please contact gocdb-admins."
);
}

if (empty($_SERVER['entitlement'])) {
die(
"Did not receive the required entitlement attribute from "
. "the IDP $name. Please contact gocdb-admins."
"Did not receive the required entitlement "
. "attribute from the IDP $name. "
. "Please contact gocdb-admins."
);
}

if (!empty($provider['required_groups'])) {
$entitlementValues = explode(
';', $_SERVER['entitlement']
);

if (!array_intersect(
$entitlementValues, $provider['required_groups']
)) {
$entitlementValues = explode(';', $_SERVER['entitlement']);

if (
!array_intersect(
$entitlementValues,
$provider['required_groups']
)
) {
$HTML = "<ul>"
. "<li>Login requires the entitlement "
. "which was not provided for the IDP $name.</li>"
. "<li>Please see here for more information: "
. "<a href='$helpUrl' target='_blank'>$helpUrl</a>.</li>"
. "<li>Logout or restart your "
. "browser and attempt to login again using an IDP that "
. "provides a GOCDB entitlement.</li>"
. "<a href='$helpUrl' target='_blank'>"
. "$helpUrl</a>.</li>"
. "<li>Logout or restart your browser"
. "and attempt to login again using an IDP "
. "that provides a GOCDB entitlement.</li>"
. "</ul>";
$HTML .= "<div style='text-align: center;'>";
$HTML .= "<a href=\""
Expand All @@ -147,7 +152,9 @@ private function getAttributesInitToken(){
}

$this->principal = $_SERVER['voPersonID'];
$this->userDetails = ['AuthenticationRealm' => [$provider['idp']]];
$this->userDetails = [
'AuthenticationRealm' => $provider['authenticationRealms']
];

return;
}
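Review bot: The provider array is read with mixed key names — the new `$provider['authenticationRealms']` (camelCase) alongside `$provider['help_url']` and `$provider['required_groups']` (snake_case). Config::getIdentityProvidersInfo() in this same commit builds each entry with the keys `requiredGroups`, `helpURL` and `authenticationRealms`; if `$identityProviders` comes from there (its source is above the hunk), `$provider['required_groups']` is never set, `empty()` is true, and the required-group entitlement check is skipped for every provider — any user with a non-empty `entitlement` attribute would be accepted — while `$provider['help_url']` yields null plus an undefined-index warning now that the `?? '#'` fallback is gone. The lookups should be `$helpUrl = htmlspecialchars($provider['helpURL'] ?? '#', ENT_QUOTES, 'UTF-8');` and `if (!empty($provider['requiredGroups'])) { ... array_intersect($entitlementValues, $provider['requiredGroups']) ... }`, the escaping because `$helpUrl` is written straight into an `href` attribute. getAttributesInitToken() starts before and ends after this hunk.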
27 changes: 23 additions & 4 deletions lib/Gocdb_Services/Config.php
Expand Up @@ -574,27 +574,46 @@ public function getIdentityProvidersInfo(): array
$identityProviders = [];

if (!empty($localInfo->identity_providers->provider)) {
foreach ($localInfo->identity_providers->provider as $providerDetails) {
foreach (
$localInfo
->identity_providers
->provider as $providerDetails
) {
/** idp */
$idp = (string) $providerDetails->idp;

/** name */
$name = (string) $providerDetails->name;

/** authentication_realms */
$authenticationRealms = [];
if ($providerDetails->authentication_realms) {
foreach (
$providerDetails
->authentication_realms
->shib_realm_name as $shibRealmName
) {
$authenticationRealms[] = (string) $shibRealmName;
}
}

/** required_groups */
$requiredGroups = [];
if ($providerDetails->required_groups->group) {
foreach($providerDetails->required_groups->group as $group) {
if ($providerDetails->required_groups) {
foreach (
$providerDetails->required_groups->group as $group
) {
$requiredGroups[] = (string) $group;
}
}

/** help_url */
$helpURL = $providerDetails->help_url ?? null;
$helpURL = (string) $providerDetails->help_url;

$identityProviders[] = [
'idp' => $idp,
'name' => $name,
'authenticationRealms' => $authenticationRealms,
'requiredGroups' => $requiredGroups,
'helpURL', $helpURL
];
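Review bot: The last entry of each provider array is `'helpURL', $helpURL` — a comma rather than `=>` — so the help URL lands at numeric index 1 next to the literal string `'helpURL'` at index 0 and no `helpURL` key ever exists for callers; it should read `'helpURL' => $helpURL,`. The new `(string) $providerDetails->help_url` also silently turns a missing element into `""`, so a provider that violates the now-mandatory `help_url` in local_info.xsd still loads unless the XML is validated against the schema somewhere not shown here; consider throwing when it is empty, and document the array shape on the method with `@return list<array{idp:string,name:string,authenticationRealms:list<string>,requiredGroups:list<string>,helpURL:string}>` so consumers use the same key names. getIdentityProvidersInfo() starts above and continues below this hunk.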
