diff --git a/.env.example b/.env.example
index 813762e..3b52d37 100644
--- a/.env.example
+++ b/.env.example
@@ -1,4 +1,3 @@
 # IAP_DEV_TOKEN=
-CONNECT2_HOST=connect2
 IAP_DEV_TOKEN=
 IAP_EXPECTED_AUDIENCE=
\ No newline at end of file
diff --git a/src/conf/local.php b/src/conf/local.php
index 790f1d8..77c0f56 100644
--- a/src/conf/local.php
+++ b/src/conf/local.php
@@ -18,5 +18,4 @@ $conf['useheading'] = 1;
 $conf['authtype'] = 'authiapconnect2';
-$conf['plugin']['authiapconnect2']['connect2_endpoint'] = getenv('CONNECT2_HOST') . '/groups/slugs';
 $conf['plugin']['authiapconnect2']['iap_expected_audience'] = getenv('IAP_EXPECTED_AUDIENCE');
diff --git a/src/plugins/authiapconnect2/auth.php b/src/plugins/authiapconnect2/auth.php
index 16cbde8..9c727a0 100644
--- a/src/plugins/authiapconnect2/auth.php
+++ b/src/plugins/authiapconnect2/auth.php
@@ -1,8 +1,5 @@ getConf('connect2_endpoint'); - - $curl = curl_init(); - - curl_setopt_array($curl, array( - CURLOPT_URL => $url, - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => '', - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 0, - CURLOPT_FOLLOWLOCATION => true, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => 'GET', - CURLOPT_HTTPHEADER => array( - 'X-Goog-IAP-JWT-Assertion: ' . $token - ), - )); - - $response = curl_exec($curl); - - curl_close($curl); - $httpcode = curl_getinfo($curl, CURLINFO_HTTP_CODE); - - if ($httpcode != 200) { - throw new Exception('Could not get user data'); - } - - return json_decode($response, true); - } - - - /** - * Validate user data from Connect2 - * @param array $data - * @return bool - */ - private function validateUserData($data) - { - // Check if data has email and groups - if (!isset($data['email'])) { - throw new Exception('No email found'); - } - - if (!isset($data['groups'])) { - throw new Exception('No groups found'); - } - - return true; - } - public function trustExternal($user, $pass, $sticky = false) { global $USERINFO; - $token = $this->getIapToken(); - - try { - $data = validate_jwt($token, $this->getConf('iap_expected_audience')); - $USERINFO = [ - 'name' => $data['gcip']['name'], - 'mail' => $data['gcip']['email'], - 'grps' => array_merge(explode(',',$data['gcip']['groups']), ['user']) - ]; - } catch (Exception $e) { - $data = $this->getUserDataByTokenFromConnect2($token); - if (!$this->validateUserData($data)) { + $sticky ? 
$sticky = true : $sticky = false; //sanity check + + if (!empty($_SESSION[DOKU_COOKIE]['auth']['info'])) { + $USERINFO['name'] = $_SESSION[DOKU_COOKIE]['auth']['info']['name']; + $USERINFO['mail'] = $_SESSION[DOKU_COOKIE]['auth']['info']['mail']; + $USERINFO['grps'] = $_SESSION[DOKU_COOKIE]['auth']['info']['grps']; + $_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user']; + return true; + } + + if (!empty($user)) { + + $token = $this->getIapToken(); + + try { + $data = validate_jwt($token, $this->getConf('iap_expected_audience')); + $USERINFO = [ + 'name' => $data['gcip']['name'], + 'mail' => $data['gcip']['email'], + 'grps' => array_merge(explode(',',$data['gcip']['groups']), ['user']) + ]; + } catch (Exception $e) { return false; - } - - $USERINFO = [ - 'name' => str_replace('@ch.tudelft.nl', '', $data['email']), - 'mail' => $data['email'], - 'grps' => array_merge($data['groups'], ['user']), - ]; - } + } - $_SERVER['REMOTE_USER'] = $USERINFO['name']; - $_SESSION[DOKU_COOKIE]['auth']['user'] = $USERINFO['name']; - $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; + $_SERVER['REMOTE_USER'] = $USERINFO['name']; + $_SESSION[DOKU_COOKIE]['auth']['user'] = $USERINFO['name']; + $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; - return true; + return true; + } + + return false; } } diff --git a/src/plugins/authiapconnect2/conf/default.php b/src/plugins/authiapconnect2/conf/default.php index 0a39d05..40b4cbe 100644 --- a/src/plugins/authiapconnect2/conf/default.php +++ b/src/plugins/authiapconnect2/conf/default.php @@ -1,4 +1,3 @@ 'danger'); $meta['IAP_EXPECTED_AUDIENCE'] = array('string', '_caution' => 'danger'); diff --git a/src/plugins/authiapconnect2/plugin.info.txt b/src/plugins/authiapconnect2/plugin.info.txt index 3bfffbe..ca60d90 100644 --- a/src/plugins/authiapconnect2/plugin.info.txt +++ b/src/plugins/authiapconnect2/plugin.info.txt 
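Review bot: The new session fast-path at the top of `trustExternal` returns true straight from `$_SESSION[DOKU_COOKIE]['auth']['info']` without looking at the IAP assertion again, whereas the removed code called `validate_jwt` on every request; after this change a revoked or regrouped IAP identity keeps its wiki access, and its cached `grps`, for the lifetime of the PHP session rather than for the lifetime of the IAP grant. Since IAP attaches `X-Goog-IAP-JWT-Assertion` to every proxied request, validating it each time is cheap and keeps authorization tied to the identity provider instead of to the session cookie. The `if (!empty($user))` gate also looks inherited from DokuWiki's form-login skeleton: if `auth_setup()` passes `$INPUT->str('u')` as `$user`, a first visit carrying a valid assertion but no submitted login form falls through to `return false` — worth confirming against the DokuWiki version in use. I would validate first and only then populate `$USERINFO` and the session, as sketched below, clearing the cached auth entry when validation fails so a stale session cannot outlive the assertion that created it; note the start of this hunk appears truncated in this rendering (the `@@ -1,8 +1,5 @@` header does not match the visible body), so the file-header and `use` changes are not reviewed here.
```php
public function trustExternal($user, $pass, $sticky = false)
{
    global $USERINFO;
    $sticky ? $sticky = true : $sticky = false; //sanity check

    // IAP re-sends the assertion on every request: validate it every time so a
    // revoked or changed IAP identity is never carried by a stale PHP session.
    try {
        $data = validate_jwt($this->getIapToken(), $this->getConf('iap_expected_audience'));
    } catch (Exception $e) {
        // a cached session must not outlive the IAP assertion that created it
        unset($_SESSION[DOKU_COOKIE]['auth']);
        return false;
    }

    $USERINFO = [
        'name' => $data['gcip']['name'],
        'mail' => $data['gcip']['email'],
        'grps' => array_merge(explode(',', $data['gcip']['groups']), ['user']),
    ];
    // … unchanged: REMOTE_USER and $_SESSION[DOKU_COOKIE]['auth'] assignment, return true …
}
```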
@@ -2,6 +2,6 @@ base authiapconnect2
 author Joep de Jong
 email joep@joepdejong.com
 date 2023-06-04
-name IAP - Connect2 Auth
-desc Provides user authentication using GCE IAP and Connect2 for Groups
+name IAP - Auth
+desc Provides user authentication using GCE IAP for groups
 url https://github.com/wisvch/wiki
\ No newline at end of file