GOCDB · gregcorbett · May 18, 2022 · May 19, 2022 · Jun 30, 2022 · Jun 30, 2022
@@ -116,7 +116,12 @@ function Get_User_AuthToken(){
         MyStaticAuthTokenHolder::getInstance()->setAuthToken($auth);
         return $auth;
     }
-    return null;
+
+    // We don't want the portal to be exposed without authentication (even
+    // though no actual info is displayed to an unauthenticated user),
+    // so if we have not set the principle/userDetails,
+    // re-direct to our Discovery Service.
+    redirectUserToDiscoveryPage();
 }
 
 /**
@@ -190,7 +195,12 @@ function Get_User_Principle(){
         }
         return $principleString;
     }
-    return null;
+
+    // We don't want the portal to be exposed without authentication (even
+    // though no actual info is displayed to an unauthenticated user),
+    // so if we have not set the principle/userDetails,
+    // re-direct to our Discovery Service.
+    redirectUserToDiscoveryPage();
 }
 
 /**
@@ -217,9 +227,21 @@ function Get_User_Principle_PI() {
         }
     }
 
+    # Returning null here is necessary, because parts of the API are exposed
+    # publically, without authentication.
     return null;
 }
 
+/*
+ * Prevent the current page from being loaded and redirect the user
+ * to the IdP discovery page (a.k.a the landing page).
+ */
+function redirectUserToDiscoveryPage()
+{
+    $url = \Factory::getConfigService()->getServerBaseUrl();
+    header("Location: " . $url);
+    die();
+}
 
 
 

@@ -79,11 +79,11 @@ public function getDetails() {
     public function getPrinciple() {
        return $this->principal;
     }
-    
-    
-    
+
+
+
     private function getAttributesInitToken(){
-        $hostname = $_SERVER['HTTP_HOST']; // don't use $_SERVER['SERVER_NAME'] as this don't support DNS 
+        $hostname = $_SERVER['HTTP_HOST']; // don't use $_SERVER['SERVER_NAME'] as this don't support DNS
         // specify location of the Shib Logout handler
         \Factory::$properties['LOGOUTURL'] = 'https://'.$hostname.'/Shibboleth.sso/Logout';
         $idp = isset($_SERVER['Shib-Identity-Provider']) ? $_SERVER['Shib-Identity-Provider'] : '';
@@ -152,8 +152,8 @@ private function getAttributesInitToken(){
             }
             if(empty($_SERVER['entitlement'])){
                 die('Did not receive the required entitlement attribute from the EGI Dev Proxy IdP, please contact gocdb-admins');
-            } 
-            $entitlementValuesArray = explode(';', $_SERVER['entitlement']); 
+            }
+            $entitlementValuesArray = explode(';', $_SERVER['entitlement']);
             if( !in_array('urn:mace:egi.eu:res:gocdb#aai.egi.eu', $entitlementValuesArray) ){
                  $HTML = '<ul><li>You authenticated to the EGI Dev Identity Provider using a method that does not provide a GOCDB entitlement.</li><li>Login is required with a gocdb entitlement.</li><li>To gain access, you will need to login to the Proxy IdP using a scheme that provides a gocdb entitlement.</li><li>Please logout or restart your browser and attempt to login again.</li></ul>';
                  $HTML .= "<div style='text-align: center;'>";
@@ -166,6 +166,46 @@ private function getAttributesInitToken(){
             $this->userDetails = array('AuthenticationRealm' => array('EGI Proxy IdP'));
             return;
         }
+        else if($idp == 'https://aai-demo.eosc-portal.eu/proxy/saml2/idp/metadata.php'){
+            if( empty($_SERVER['voPersonID'])){
+                die('Did not receive required voPersonID attributes from the EOSC Demo Proxy Identity Provider to complete authentication, please contact gocdb-admins');
+            }
+            if(empty($_SERVER['entitlement'])){
+                die('Did not receive the required entitlement attribute from the EOSC Demo Proxy Identity Provider, please contact gocdb-admins');
+            }
+            $entitlementValuesArray = explode(';', $_SERVER['entitlement']);
+            if( !in_array('urn:geant:eosc-portal.eu:res:gocdb.eosc-portal.eu', $entitlementValuesArray) ){
+                 $HTML = '<ul><li>You authenticated to the EOSC Demo Proxy Identity Provider using a method that does not provide a GOCDB entitlement.</li><li>Login is required with a GOCDB entitlement.</li><li>To gain access, you will need to login to the Proxy IdP using a scheme that provides a gocdb entitlement.</li><li>Please logout or restart your browser and attempt to login again.</li></ul>';
+                 $HTML .= "<div style='text-align: center;'>";
+                 $HTML .= '<a href="'.htmlspecialchars(\Factory::$properties['LOGOUTURL']).'"><b><font colour="red">Logout</font></b></a>';
+                 $HTML .= "</div>";
+                 echo ($HTML);
+                 die();
+            }
+            $this->principal = $_SERVER['voPersonID'];
+            $this->userDetails = array('AuthenticationRealm' => array('EOSC Demo Proxy IdP'));
+            return;
+        }
+        else if($idp == 'https://aai.eosc-portal.eu/proxy/saml2/idp/metadata.php'){
+            if( empty($_SERVER['voPersonID'])){
+                die('Did not receive required voPersonID attributes from the EOSC Proxy Identity Provider to complete authentication, please contact gocdb-admins');
+            }
+            if(empty($_SERVER['entitlement'])){
+                die('Did not receive the required entitlement attribute from the EOSC Proxy Identity Provider, please contact gocdb-admins');
+            }
+            $entitlementValuesArray = explode(';', $_SERVER['entitlement']);
+            if( !in_array('urn:geant:eosc-portal.eu:res:gocdb.eosc-portal.eu', $entitlementValuesArray) ){
+                 $HTML = '<ul><li>You authenticated to the EOSC Proxy Identity Provider using a method that does not provide a GOCDB entitlement.</li><li>Login is required with a GOCDB entitlement.</li><li>To gain access, you will need to login to the Proxy IdP using a scheme that provides a gocdb entitlement.</li><li>Please logout or restart your browser and attempt to login again.</li></ul>';
+                 $HTML .= "<div style='text-align: center;'>";
+                 $HTML .= '<a href="'.htmlspecialchars(\Factory::$properties['LOGOUTURL']).'"><b><font colour="red">Logout</font></b></a>';
+                 $HTML .= "</div>";
+                 echo ($HTML);
+                 die();
+            }
+            $this->principal = $_SERVER['voPersonID'];
+            $this->userDetails = array('AuthenticationRealm' => array('EOSC Proxy IdP'));
+            return;
+        }
     }
 
     /**

@@ -285,6 +285,7 @@ private function getXML(){
                             $xmlContact->addChild('CERTDN', $serv->getIdStringByAuthType($user, 'X.509'));
                             $xmlContact->addChild('EGICHECKIN', $serv->getIdStringByAuthType($user, 'EGI Proxy IdP'));
                             $xmlContact->addChild('IRISIAM', $serv->getIdStringByAuthType($user, 'IRIS IAM - OIDC'));
+                            $xmlContact->addChild('EOSCAAI', $serv->getIdStringByAuthType($user, 'EOSC Proxy IdP'));
                         } else {
                             $xmlContact->addChild('CERTDN', $serv->getDefaultIdString($user));
                         }
@@ -359,4 +360,4 @@ public function getPostExecutionPageInfo(){
         $pageInfo['count'] = $this->resultSetSize;
         return $pageInfo;
     }
-}
+}
@@ -264,6 +264,7 @@ private function getXML(){
                             $xmlContact->addChild('CERTDN', $serv->getIdStringByAuthType($user, 'X.509'));
                             $xmlContact->addChild('EGICHECKIN', $serv->getIdStringByAuthType($user, 'EGI Proxy IdP'));
                             $xmlContact->addChild('IRISIAM', $serv->getIdStringByAuthType($user, 'IRIS IAM - OIDC'));
+                            $xmlContact->addChild('EOSCAAI', $serv->getIdStringByAuthType($user, 'EOSC Proxy IdP'));
                         } else {
                             $xmlContact->addChild('CERTDN', $serv->getDefaultIdString($user));
                         }
@@ -339,4 +340,4 @@ public function getPostExecutionPageInfo(){
         $pageInfo['count'] = $this->resultSetSize;
         return $pageInfo;
     }
-}
+}
@@ -299,6 +299,7 @@ private function getXML(){
                     $xmlUser->addChild ( 'CERTDN', $serv->getIdStringByAuthType ( $user, 'X.509' ) );
                     $xmlUser->addChild ( 'EGICHECKIN', $serv->getIdStringByAuthType ( $user, 'EGI Proxy IdP' ) );
                     $xmlUser->addChild ( 'IRISIAM', $serv->getIdStringByAuthType ( $user, 'IRIS IAM - OIDC' ) );
+                    $xmlUser->addChild('EOSCAAI', $serv->getIdStringByAuthType($user, 'EOSC Proxy IdP'));
                 } else {
                     $xmlUser->addChild ( 'CERTDN', $serv->getDefaultIdString ( $user ) );
                 }
@@ -374,4 +375,4 @@ public function getPostExecutionPageInfo(){
         $pageInfo['count'] = $this->resultSetSize;
         return $pageInfo;
     }
-}
+}
@@ -315,6 +315,7 @@ private function getXML(){
                             $xmlContact->addChild ( 'CERTDN', $serv->getIdStringByAuthType ( $user, 'X.509' ) );
                             $xmlContact->addChild ( 'EGICHECKIN', $serv->getIdStringByAuthType ( $user, 'EGI Proxy IdP' ) );
                             $xmlContact->addChild ( 'IRISIAM', $serv->getIdStringByAuthType ( $user, 'IRIS IAM - OIDC' ) );
+                            $xmlContact->addChild('EOSCAAI', $serv->getIdStringByAuthType($user, 'EOSC Proxy IdP'));
                         } else {
                             $xmlContact->addChild ( 'CERTDN', $serv->getDefaultIdString ( $user ) );
                         }
@@ -388,4 +389,4 @@ public function getPostExecutionPageInfo(){
         $pageInfo['count'] = $this->resultSetSize;
         return $pageInfo;
     }
-}
+}
@@ -306,6 +306,7 @@ private function getXML() {
                 $xmlUser->addChild('CERTDN', $serv->getIdStringByAuthType($user, 'X.509'));
                 $xmlUser->addChild('EGICHECKIN', $serv->getIdStringByAuthType($user, 'EGI Proxy IdP'));
                 $xmlUser->addChild('IRISIAM', $serv->getIdStringByAuthType($user, 'IRIS IAM - OIDC'));
+                $xmlUser->addChild('EOSCAAI', $serv->getIdStringByAuthType($user, 'EOSC Proxy IdP'));
             } else {
                 $xmlUser->addChild('CERTDN', $serv->getDefaultIdString($user));
             }

@@ -490,9 +490,9 @@ public function getAuthTypes($reducedRealms=true) {
         // Hardcoded authentication realms in same order as in token definitions
         $x509Realms = ['X.509'];
         if ($reducedRealms) {
-            $shibRealms = ['EGI Proxy IdP'];
+            $shibRealms = ['EGI Proxy IdP', 'EOSC Proxy IdP'];
         } else {
-            $shibRealms = ['EUDAT_SSO_IDP', 'UK_ACCESS_FED', 'EGI Proxy IdP'];
+            $shibRealms = ['EUDAT_SSO_IDP', 'UK_ACCESS_FED', 'EGI Proxy IdP', 'EOSC Proxy IdP'];
         }
         $irisRealms = ['IRIS IAM - OIDC'];
 
@@ -721,9 +721,6 @@ protected function addUserIdentifierValidation($keyName, $keyValue) {
 
         // Check the ID string does not already exist
         $this->valdidateUniqueIdString($keyValue);
-
-        // Check auth type is valid
-        $this->valdidateAuthType($keyName);
     }
 
     /**
@@ -808,9 +805,6 @@ protected function editUserIdentifierValidation(\User $user, \UserIdentifier $id
             $this->valdidateUniqueIdString($keyValue);
         }
 
-        // Check auth type is valid
-        $this->valdidateAuthType($keyName);
-
         // If the identifiers key has changed, check there isn't an existing identifier with that key
         if ($keyName !== $identifier->getKeyName()) {
             $existingIdentifiers = $user->getUserIdentifiers();
@@ -822,17 +816,6 @@ protected function editUserIdentifierValidation(\User $user, \UserIdentifier $id
         }
     }
 
-    /**
-     * Validate authentication type based on known list.
-     * @param string $authType
-     * @throws \Exception
-     */
-    protected function valdidateAuthType($authType) {
-        if (!in_array($authType, $this->getAuthTypes(false))) {
-            throw new \Exception("The authentication type entered is invalid");
-        }
-    }
-
     /**
      * Validate ID string is unique.
      * Checks both user identifiers and certificateDns