Author: jfthomps Date: Thu May 10 16:50:22 2012 New Revision: 1336790 URL: http://svn.apache.org/viewvc?rev=1336790&view=rev Log: VCL-576 Finalizing for 2.3 release
authmethods/shibauth.php: modified updateShibUser - cleaned up how names are determined conf-default.php: -added ALLOWADDSHIBUSERS - this provides a way to add users to parts of the VCL site without being to actually verify them via LDAP first -removed $userlookupUsers - replaced by user group permission -removed $affilValFunc, $addUserFunc, and $updateUserFunc examples for shibboleth - moved to utils.php privileges.php: modified userLookup - added section to display login history utils.php: -modified initGlobals - changed how $affilValFunc, $addUserFunc, and $updateUserFunc get set based on ALLOWADDSHIBUSERS -modified checkAccess and getNavMenu - removed global include for $userlookupUsers -modified getAffiliationTheme - added () around $row = mysql_fetch_assoc... because the whole statement was always evaluating to false shibauth/index.php: -cleaned up a problem where a user could be passed through as authenticated even though the IdP did not provide the eppn for the user -added example for how to have all users for a specific affiliation added to a user group Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php incubator/vcl/trunk/web/.ht-inc/conf-default.php incubator/vcl/trunk/web/.ht-inc/privileges.php incubator/vcl/trunk/web/.ht-inc/utils.php incubator/vcl/trunk/web/shibauth/index.php
Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php Thu May 10 16:50:22 2012
@@ -44,6 +44,7 @@ function updateShibUser($userid) {
 if($rc == -1) return NULL;
+ $displast = '';
 if(array_key_exists('displayName', $_SERVER) && ! empty($_SERVER['displayName'])) { # split displayName into first and last names 
@@ -60,9 +61,14 @@ function updateShibUser($userid) {
 $user['firstname'] = array_shift($names);
 }
 }
- else
+ elseif(array_key_exists('givenName', $_SERVER) &&
+ ! empty($_SERVER['givenName']))
 $user['firstname'] = $_SERVER['givenName'];
- if(array_key_exists('sn', $_SERVER))
+ else
+ $user['firstname'] = '';
+
+ if(array_key_exists('sn', $_SERVER) &&
+ ! empty($_SERVER['sn']))
 $user["lastname"] = $_SERVER['sn'];
 else
 $user['lastname'] = $displast;
Modified: incubator/vcl/trunk/web/.ht-inc/conf-default.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/conf-default.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/conf-default.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/conf-default.php Thu May 10 16:50:22 2012
@@ -88,10 +88,15 @@ define("FILTERINGSELECTTHRESHOLD", 1000)
 define("DEFAULTTHEME", 'default'); // this is the theme that will be used when the site is placed in maintenance if $_COOKIE['VCLSKIN'] is not set
 define("HELPFAQURL", "http://vcl.example.org/help-faq/");
-$ENABLE_ITECSAUTH = 0; // use ITECS accounts (also called "Non-NCSU" accounts)
+define("ALLOWADDSHIBUSERS", 0); // this is only related to using Shibboleth authentication for an affiliation that does not
+ // also have LDAP set up (i.e. affiliation.shibonly = 1)
+ // set this to 1 to allow users be manually added to VCL before they have ever logged in
+ // through things such as adding a user to a user group or directly granting a user a
+ // privilege somewhere in the privilege tree. Note that if you enable this and typo
+ // a userid, there is no way to verify that it was entered incorrectly so the user
+ // will be added to the database with the typoed userid
-$userlookupUsers = array(1, # admin
-);
+$ENABLE_ITECSAUTH = 0; // use ITECS accounts (also called "Non-NCSU" accounts)
 $xmlrpcBlockAPIUsers = array(3, # 3 = vclsystem
 ); 
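Review bot: The new `! empty($_SERVER['givenName'])` and `! empty($_SERVER['sn'])` guards also reject the string `'0'`, because `empty()` tests truthiness rather than presence, so a name attribute that is literally `0` (unusual but legal) is treated as not released. The intent on these lines is "attribute present and non-blank", which `$_SERVER['givenName'] !== ''` (and the same for `sn`) states without the truthiness surprise. updateShibUser's body starts before this hunk.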
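Review bot: The comment on `ALLOWADDSHIBUSERS` describes a mistyped userid only as a stray database row, but the reason the option defaults to 0 is stronger: with it enabled, a user record and any group membership or privilege granted to it are created from an unverified, admin-typed identifier, and as far as this diff shows that entry is presumably tied to a real person only when an IdP later asserts a matching eppn. It would help operators to say so in the comment, e.g. `// an entry created this way is only bound to a person when an IdP later asserts a matching eppn, so a mistyped userid hands its privileges to whoever that eppn belongs to`. Separately, `ALLOWADDSHIBUSERS` is a `define()` while `$ENABLE_ITECSAUTH` directly below it stays a plain global that utils.php has to pull in with `global`; keeping the toggles in one form would be tidier.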
@@ -104,7 +109,7 @@ $authMechs = array(
 "help" => "Only use Local Account if there are no other options"),
 /*"Shibboleth (UNC Federation)" => array("type" => "redirect",
 "URL" => "https://federation.northcarolina.edu/wayf/wayf_framed.php?fed=FED_SHIB_UNC_DEV&version=dropdown&entityID=https%3A%2F%2Fvcl.ncsu.edu%2Fsp%2Fshibboleth&return=http%3A%2F%2Fvcl.ncsu.edu%2FShibboleth.sso%2FDS%3FSAMLDS%3D1%26target%3Dhttp%3A%2F%2Fvcl.ncsu.edu%2Fscheduling%2Fshibauth%2F",
- "affiliationid" => 0,
+ "affiliationid" => 0, // this should always be 0 for Shibboleth authentication
 "help" => "Use Shibboleth (UNC Federation) if you are from a University in the UNC system and do not see another method specifically for your university"),*/
 /*"EXAMPLE1 LDAP" => array("type" => "ldap",
 "server" => "ldap.example.com", # hostname of the ldap server
@@ -153,16 +158,6 @@ foreach($authMechs as $key => $item) {
 $updateUserFunc[$item['affiliationid']] = create_function('', 'return NULL;');
 }
 }
-# if adding a Shibboleth option, uncomment the following 4 lines and change '4' to match the affiliation id, create additional entries for further shibboleth affiliations
-#$affilValFunc[4] = create_function('', 'return 1;');
-#$addUserFunc[4] = 'addShibUserStub';
-#$addUserFuncArgs[4] = 4;
-#$updateUserFunc[4] = create_function('', 'return NULL;');
-
-# any affiliation that is shibboleth authenticated without a corresponding
-# LDAP server needs an entry in addUserFunc
-# $addUserFunc[affiliationid goes here] = create_function('', 'return 0;');
-
 $findAffilFuncs = array("testGeneralAffiliation");
Modified: incubator/vcl/trunk/web/.ht-inc/privileges.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/privileges.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/privileges.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/privileges.php Thu May 10 16:50:22 2012 
@@ -1395,6 +1395,61 @@ function userLookup() {
 print " </tr>\n";
 print "</table>\n";
+ # login history
+ $query = "SELECT authmech, "
+ . "timestamp, "
+ . "passfail, "
+ . "remoteIP, "
+ . "code "
+ . "FROM loginlog "
+ . "WHERE user = '{$userdata['unityid']}' AND "
+ . "affiliationid = {$userdata['affiliationid']} "
+ . "ORDER BY timestamp DESC "
+ . "LIMIT 8";
+ $logins = array();
+ $qh = doQuery($query);
+ while($row = mysql_fetch_assoc($qh))
+ $logins[] = $row;
+ if(count($logins)) {
+ $logins = array_reverse($logins);
+ print "<h3>Login History (last 8 attempts)</h3>\n";
+ print "<table summary=\"login attempts\">\n";
+ print "<colgroup>\n";
+ print "<col class=\"logincol\" />\n";
+ print "<col class=\"logincol\" />\n";
+ print "<col class=\"logincol\" />\n";
+ print "<col class=\"logincol\" />\n";
+ print "<col />\n";
+ print "</colgroup>\n";
+ print " <tr>\n";
+ print " <th>Authentication Method</th>\n";
+ print " <th>Timestamp</th>\n";
+ print " <th>Result</th>\n";
+ print " <th>Remote IP</th>\n";
+ print " <th>Extra Info</th>\n";
+ print " </tr>\n";
+ foreach($logins as $login) {
+ print " <tr>\n";
+ print " <td class=\"logincell\">{$login['authmech']}</td>\n";
+ $ts = prettyDatetime($login['timestamp'], 1);
+ print " <td class=\"logincell\">$ts</td>\n";
+ if($login['passfail'])
+ print " <td class=\"logincell\"><font color=\"#008000\">Pass</font></td>\n";
+ else
+ print " <td class=\"logincell\"><font color=\"red\">Fail</font></td>\n";
+ print " <td class=\"logincell\">{$login['remoteIP']}</td>\n";
+ print " <td class=\"logincell\">{$login['code']}</td>\n";
+ print " </tr>\n";
+ }
+ print "</table>\n";
+ }
+ else {
+ print "<h3>Login History</h3>\n";
+ print "There are no login attempts by this user.<br>\n";
+ }
+
+
+ # reservation history
 $requests = array();
 $query = "SELECT DATE_FORMAT(l.start, '%W, %b %D, %Y, %h:%i %p') AS start, " . 
"DATE_FORMAT(l.finalend, '%W, %b %D, %Y, %h:%i %p') AS end, "
Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Thu May 10 16:50:22 2012
@@ -239,10 +239,20 @@ function initGlobals() {
 $qh = doQuery($query);
 while($row = mysql_fetch_assoc($qh)) {
 $id = $row['id'];
- if(! array_key_exists($id, $affilValFunc))
- $affilValFunc[$id] = create_function('', 'return 0;');
- if(! array_key_exists($id, $addUserFunc))
- $addUserFunc[$id] = create_function('', 'return 0;');
+ if(! array_key_exists($id, $affilValFunc)) {
+ if(ALLOWADDSHIBUSERS)
+ $affilValFunc[$id] = create_function('', 'return 1;');
+ else
+ $affilValFunc[$id] = create_function('', 'return 0;');
+ }
+ if(! array_key_exists($id, $addUserFunc)) {
+ if(ALLOWADDSHIBUSERS) {
+ $addUserFunc[$id] = 'addShibUserStub';
+ $addUserFuncArgs[$id] = $id;
+ }
+ else
+ $addUserFunc[$id] = create_function('', 'return 0;');
+ }
 if(! array_key_exists($id, $updateUserFunc))
 $updateUserFunc[$id] = create_function('', 'return NULL;');
 }
@@ -315,7 +325,7 @@ function initGlobals() {
 function checkAccess() {
 global $mode, $user, $actionFunction, $authMechs;
 global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
- global $inContinuation, $docreaders, $userlookupUsers;
+ global $inContinuation, $docreaders;
 if($mode == 'xmlrpccall') {
 // double check for SSL
 if(! isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") { 
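Review bot: The three loginlog columns written into the new table are interpolated into HTML unescaped (`{$login['authmech']}`, `{$login['remoteIP']}`, `{$login['code']}`), and the query above them splices `$userdata['unityid']` into the SQL string inside quotes. How those values are populated is not visible here (addLoginLog and the source of $userdata are outside the diff), but remoteIP and code are whatever the login path stored, so if either ever carries client-influenced text this page becomes a stored-XSS sink for whoever runs userLookup, which by its placement in privileges.php is an administrator. Wrapping each cell value in `htmlspecialchars()` and building the query with `mysql_real_escape_string($userdata['unityid'])` (or whatever escaping helper the codebase already uses) closes both. userLookup starts well before this hunk.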
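Review bot: With `ALLOWADDSHIBUSERS` on, the new branches in initGlobals give every affiliation id the loop sees that lacks an explicit `$affilValFunc`/`$addUserFunc` entry a validator that always returns 1 plus the `addShibUserStub` creator; nothing in the hunk restricts that to the `affiliation.shibonly = 1` rows that the conf-default comment says the option is for, so the covered set depends entirely on the `$query` built above the hunk. If that query is not already filtered on shibonly, selecting the column and guarding with `if(ALLOWADDSHIBUSERS && $row['shibonly'])` would match the documented scope. Separately, `$addUserFuncArgs[$id] = $id;` only reaches callers if `$addUserFuncArgs` is in the function's `global` list declared above the hunk; if it is not, the assignment lands in a local and the stub is invoked without its argument. initGlobals continues outside the hunk on both sides.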
@@ -3042,7 +3052,7 @@ function getAffiliationDataUpdateText($a
 function getAffiliationTheme($affilid) {
 $query = "SELECT theme FROM affiliation WHERE id = $affilid";
 $qh = doQuery($query);
- if($row = mysql_fetch_assoc($qh) && ! empty($row['theme']))
+ if(($row = mysql_fetch_assoc($qh)) && ! empty($row['theme']))
 return $row['theme'];
 else
 return 'default';
@@ -10327,7 +10337,7 @@ function printHTMLHeader() {
 ///
 ////////////////////////////////////////////////////////////////////////////////
 function getNavMenu($inclogout, $inchome, $homeurl=HOMEURL) {
- global $user, $docreaders, $authed, $userlookupUsers;
+ global $user, $docreaders, $authed;
 global $mode;
 if($authed && $mode != 'expiredemouser') {
 $computermetadata = getUserComputerMetaData();
Modified: incubator/vcl/trunk/web/shibauth/index.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/shibauth/index.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/shibauth/index.php (original)
+++ incubator/vcl/trunk/web/shibauth/index.php Thu May 10 16:50:22 2012
@@ -29,13 +29,10 @@ dbConnect();
 header("Cache-Control: no-cache, must-revalidate");
 header("Expires: Sat, 1 Jan 2000 00:00:00 GMT");
-if(! array_key_exists('eppn', $_SERVER) ||
- (! (array_key_exists('sn', $_SERVER) &&
- array_key_exists('givenName', $_SERVER)) &&
- ! array_key_exists('displayName', $_SERVER))) {
-
+/*
 # check for eppn; if there, see if it is a user we already have
 if(array_key_exists('eppn', $_SERVER)) {
+ #$tmp = explode('@', $_SERVER['eppn']);
 $tmp = explode(';', $_SERVER['eppn']);
 $tmp = explode('@', $tmp[0]);
 $query = "SELECT u.firstname, " 
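Review bot: The added parentheses fix the precedence bug, but the query line two above still interpolates `$affilid` directly into `WHERE id = $affilid`; how callers obtain that value is outside the hunk, and since it names an integer primary key, `$query = "SELECT theme FROM affiliation WHERE id = " . (int)$affilid;` makes the statement safe regardless of the caller at no cost. The whole of getAffiliationTheme is within the hunk.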
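Review bot: Rather than deleting the superseded eppn-lookup block, this hunk opens a `/*` around it (closed by a `*/` in the next hunk) and adds a second commented variant `#$tmp = explode('@', $_SERVER['eppn']);` beside the live line; the repository already keeps that history, and commented-out code in an authentication entry point tends to be re-enabled later without the reasoning that removed it. Delete the block and the `#$tmp` line, or if the lookup is meant to return, leave a one-line comment saying why it is disabled for now. The `/*` opened here spans into the following hunk.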
@@ -51,42 +48,41 @@ if(! array_key_exists('eppn', $_SERVER)
 $_SERVER['givenName'] = $row['firstname'];
 }
 else {
- # check to see if any shib stuff in $_SERVER, if not redirect
- $keys = array_keys($_SERVER);
- $allkeys = '{' . implode('{', $keys);
- if(! preg_match('/\{Shib-/', $allkeys)) {
- # no shib data, clear _shibsession cookie
- foreach(array_keys($_COOKIE) as $key) {
- if(preg_match('/^_shibsession[_0-9a-fA-F]+$/', $key))
- setcookie($key, "", time() - 10, "/", $_SERVER['SERVER_NAME']);
- }
- # redirect to main select auth page
- header("Location: " . BASEURL . SCRIPT . "?mode=selectauth");
- dbDisconnect();
- exit;
- }
- print "<h2>Error with Shibboleth authentication</h2>\n";
- print "You have attempted to log in using Shibboleth from an<br>\n";
- print "institution that does not allow VCL to see all of these<br>\n";
- print "attributes:<br>\n";
- print "<ul>\n";
- print "<li>eduPersonPrincipalName</li>\n";
- print "</ul>\n";
- print "and either:\n";
- print "<ul>\n";
- print "<li>sn and givenName</li>\n";
- print "</ul>\n";
- print "or:\n";
- print "<ul>\n";
- print "<li>displayName</li>\n";
- print "</ul>\n";
- print "You need to contact the administrator of your institution's<br>\n";
- print "IdP to have all of those attributes be available to VCL in<br>\n";
- print "order to log in using Shibboleth.\n";
- dbDisconnect();
- exit;
+*/
+
+if(! array_key_exists('eppn', $_SERVER)) {
+ # check to see if any shib stuff in $_SERVER, if not redirect
+ $keys = array_keys($_SERVER);
+ $allkeys = '{' . implode('{', $keys);
+ if(! preg_match('/\{Shib-/', $allkeys)) {
+ # no shib data, clear _shibsession cookie
+ #print "$allkeys<br>\n";
+ foreach(array_keys($_COOKIE) as $key) {
+ if(preg_match('/^_shibsession[_0-9a-fA-F]+$/', $key))
+ setcookie($key, "", time() - 10, "/", $_SERVER['SERVER_NAME']);
 }
+ # redirect to main select auth page
+ header("Location: " . BASEURL . SCRIPT . 
"?mode=selectauth");
+ dbDisconnect();
+ exit;
 }
+ print "<h2>Error with Shibboleth authentication</h2>\n";
+ print "You have attempted to log in using Shibboleth from an<br>\n";
+ print "institution that does not allow VCL to see your<br><br>\n";
+ print "eduPersonPrincipalName.<br><br>\n";
+ print "You need to contact the administrator of your institution's<br>\n";
+ print "IdP to have eduPersonPrincipalName made available to VCL in<br>\n";
+ print "order to log in using Shibboleth.\n";
+
+ $msg = "Someone tried to log in to VCL using Shibboleth from an IdP "
+ . "that does not release eppn to us.\n\n"
+ . "The following data was in \$_SERVER:\n\n";
+ foreach($_SERVER as $key => $val)
+ $msg .= "$key => $val\n";
+ $mailParams = "-f" . ENVELOPESENDER;
+ mail(ERROREMAIL, "Error with VCL pages (eppn not provided)", $msg, '', $mailParams);
+ dbDisconnect();
+ exit;
 }
 // open keys
@@ -134,7 +130,7 @@ if(! ($row = mysql_fetch_assoc($qh))) {
 $newaffilname = $affilname;
 }
 else {
- $msg = "Someone tried to log in to VCL using Shibboleth from an idp "
+ $msg = "Someone tried to log in to VCL using Shibboleth from an IdP "
 . "affiliation that could not be automatically added.\n\n"
 . "eppn: {$_SERVER['eppn']}\n"
 . "givenName: {$_SERVER['givenName']}\n" 
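Review bot: The new missing-eppn path mails the entire `$_SERVER` array to ERROREMAIL (`foreach($_SERVER as $key => $val) $msg .= "$key => $val\n";`), which on a typical PHP deployment includes `HTTP_COOKIE` (carrying the very `_shibsession_*` cookie this block clears in the other branch) and any `HTTP_AUTHORIZATION`/`PHP_AUTH_*` values, so a visitor's session cookies leave the server in plaintext e-mail; array-valued entries such as `argv` would also raise an array-to-string notice. The diagnostic question is only which attributes the IdP released, so restrict the loop to those: wrap the `$msg .=` line in `if(preg_match('/^Shib-/', $key) || in_array($key, array('sn', 'givenName', 'displayName', 'affiliation', 'unscoped-affiliation')))`, reusing the same `Shib-` prefix the block already tests for. The conditional that encloses this hunk starts in the previous hunk.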
@@ -190,11 +186,26 @@ else {
 $affilid = getAffiliationID($affil);
 addLoginLog($userid, 'shibboleth', $affilid, 1);
+# uncomment the following and change EXAMPLE1 to match your needs to add all
+# users from a specific affiliation to a particular user group
+/*if($affil == 'EXAMPLE1') {
+ $gid = getUserGroupID('All EXAMPLE1 Users', $affilid);
+ $query = "INSERT IGNORE INTO usergroupmembers "
+ . "(userid, usergroupid) "
+ . "VALUES ($usernid, $gid)";
+ doQuery($query, 307);
+}*/
+
+if(array_key_exists('Shib-logouturl', $_SERVER))
+ $logouturl = $_SERVER['Shib-logouturl'];
+else
+ $logouturl = '';
+
 # save data to shibauth table
 $shibdata = array('Shib-Application-ID' => $_SERVER['Shib-Application-ID'],
 'Shib-Identity-Provider' => $_SERVER['Shib-Identity-Provider'],
- 'Shib-AuthnContext-Dec' => $_SERVER['Shib-AuthnContext-Decl'],
- 'Shib-logouturl' => $_SERVER['Shib-logouturl'],
+ #'Shib-AuthnContext-Dec' => $_SERVER['Shib-AuthnContext-Decl'],
+ 'Shib-logouturl' => $logouturl,
 'eppn' => $_SERVER['eppn'],
 'unscoped-affiliation' => $_SERVER['unscoped-affiliation'],
 'affiliation' => $_SERVER['affiliation'],
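Review bot: The new `array_key_exists('Shib-logouturl', $_SERVER)` fallback guards only one optional attribute; the context lines just below still read `$_SERVER['Shib-Identity-Provider']`, `$_SERVER['unscoped-affiliation']` and `$_SERVER['affiliation']` unconditionally, so an IdP that releases eppn but omits one of these yields an undefined-index notice and a NULL in `$shibdata`, the same shape of problem this commit just fixed for eppn. A small helper used for every entry, `function shibAttr($name) { return array_key_exists($name, $_SERVER) ? $_SERVER[$name] : ''; }`, would make the fallback uniform and replace the four-line if/else. The commented `EXAMPLE1` block interpolates `$usernid` and `$gid` into an INSERT; if an operator enables it, both should be cast with `(int)` first, and the comment could say so. The `$shibdata` array continues past the end of the hunk.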