Author: jfthomps
Date: Thu May 10 16:50:22 2012
New Revision: 1336790
URL: http://svn.apache.org/viewvc?rev=1336790&view=rev
Log:
VCL-576
Finalizing for 2.3 release
authmethods/shibauth.php: modified updateShibUser - cleaned up how names are
determined
conf-default.php:
-added ALLOWADDSHIBUSERS - this provides a way to add users to parts of the VCL
site without being able to actually verify them via LDAP first
-removed $userlookupUsers - replaced by user group permission
-removed $affilValFunc, $addUserFunc, and $updateUserFunc examples for
shibboleth - moved to utils.php
privileges.php: modified userLookup - added section to display login history
utils.php:
-modified initGlobals - changed how $affilValFunc, $addUserFunc, and
$updateUserFunc get set based on ALLOWADDSHIBUSERS
-modified checkAccess and getNavMenu - removed global include for
$userlookupUsers
-modified getAffiliationTheme - added () around $row = mysql_fetch_assoc...
because the whole statement was always evaluating to false
shibauth/index.php:
-cleaned up a problem where a user could be passed through as authenticated
even though the IdP did not provide the eppn for the user
-added example for how to have all users for a specific affiliation added to a
user group
Modified:
incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
incubator/vcl/trunk/web/.ht-inc/conf-default.php
incubator/vcl/trunk/web/.ht-inc/privileges.php
incubator/vcl/trunk/web/.ht-inc/utils.php
incubator/vcl/trunk/web/shibauth/index.php
Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php Thu May 10
16:50:22 2012
@@ -44,6 +44,7 @@ function updateShibUser($userid) {
if($rc == -1)
return NULL;
+ $displast = '';
if(array_key_exists('displayName', $_SERVER) &&
! empty($_SERVER['displayName'])) {
# split displayName into first and last names
@@ -60,9 +61,14 @@ function updateShibUser($userid) {
$user['firstname'] = array_shift($names);
}
}
- else
+ elseif(array_key_exists('givenName', $_SERVER) &&
+ ! empty($_SERVER['givenName']))
$user['firstname'] = $_SERVER['givenName'];
- if(array_key_exists('sn', $_SERVER))
+ else
+ $user['firstname'] = '';
+
+ if(array_key_exists('sn', $_SERVER) &&
+ ! empty($_SERVER['sn']))
$user["lastname"] = $_SERVER['sn'];
else
$user['lastname'] = $displast;
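Review bot: The new `! empty($_SERVER['givenName'])` and `! empty($_SERVER['sn'])` guards treat the string `'0'` as absent, because `empty()` tests truthiness rather than presence, so a legitimately released value of `0` would be replaced by `''` or `$displast`. Comparing with `$_SERVER['givenName'] !== ''` (and likewise for `sn`) says what is meant and only filters the genuinely empty case. The same applies to the displayName test kept in the previous hunk. updateShibUser continues outside this hunk.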
Modified: incubator/vcl/trunk/web/.ht-inc/conf-default.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/conf-default.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/conf-default.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/conf-default.php Thu May 10 16:50:22 2012
@@ -88,10 +88,15 @@ define("FILTERINGSELECTTHRESHOLD", 1000)
define("DEFAULTTHEME", 'default'); // this is the theme that will be used when
the site is placed in maintenance if $_COOKIE['VCLSKIN'] is not set
define("HELPFAQURL", "http://vcl.example.org/help-faq/");
-$ENABLE_ITECSAUTH = 0; // use ITECS accounts (also called "Non-NCSU"
accounts)
+define("ALLOWADDSHIBUSERS", 0); // this is only related to using Shibboleth
authentication for an affiliation that does not
+ // also have LDAP set up (i.e.
affiliation.shibonly = 1)
+ // set this to 1 to allow users be manually
added to VCL before they have ever logged in
+ // through things such as adding a user to a
user group or directly granting a user a
+ // privilege somewhere in the privilege tree.
Note that if you enable this and typo
+ // a userid, there is no way to verify that it
was entered incorrectly so the user
+ // will be added to the database with the
typoed userid
-$userlookupUsers = array(1, # admin
-);
+$ENABLE_ITECSAUTH = 0; // use ITECS accounts (also called "Non-NCSU"
accounts)
$xmlrpcBlockAPIUsers = array(3, # 3 = vclsystem
);
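Review bot: The comment on the new ALLOWADDSHIBUSERS define presents it as relevant only to Shibboleth affiliations without LDAP, but the initGlobals change in this commit appears to apply it to every affiliation id the loop visits that has no explicit `$affilValFunc`/`$addUserFunc` entry, so the option's effect is wider than the comment says. Suggest adding a line to the comment: `// NOTE: this affects every affiliation that has no explicit $affilValFunc/$addUserFunc entry, not only shibonly ones`. The comment is also wrapped across several physical lines in a way that makes the define hard to read; a short sentence above the define with the detail below it would be clearer.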
@@ -104,7 +109,7 @@ $authMechs = array(
"help" => "Only use Local Account if there
are no other options"),
/*"Shibboleth (UNC Federation)" => array("type" => "redirect",
"URL" =>
"https://federation.northcarolina.edu/wayf/wayf_framed.php?fed=FED_SHIB_UNC_DEV&version=dropdown&entityID=https%3A%2F%2Fvcl.ncsu.edu%2Fsp%2Fshibboleth&return=http%3A%2F%2Fvcl.ncsu.edu%2FShibboleth.sso%2FDS%3FSAMLDS%3D1%26target%3Dhttp%3A%2F%2Fvcl.ncsu.edu%2Fscheduling%2Fshibauth%2F",
- "affiliationid" => 0,
+ "affiliationid" => 0, // this should always be 0
for Shibboleth authentication
"help" => "Use Shibboleth (UNC Federation) if you
are from a University in the UNC system and do not see another method
specifically for your university"),*/
/*"EXAMPLE1 LDAP" => array("type" => "ldap",
"server" => "ldap.example.com", # hostname
of the ldap server
@@ -153,16 +158,6 @@ foreach($authMechs as $key => $item) {
$updateUserFunc[$item['affiliationid']] = create_function('',
'return NULL;');
}
}
-# if adding a Shibboleth option, uncomment the following 4 lines and change
'4' to match the affiliation id, create additional entries for further
shibboleth affiliations
-#$affilValFunc[4] = create_function('', 'return 1;');
-#$addUserFunc[4] = 'addShibUserStub';
-#$addUserFuncArgs[4] = 4;
-#$updateUserFunc[4] = create_function('', 'return NULL;');
-
-# any affiliation that is shibboleth authenticated without a corresponding
-# LDAP server needs an entry in addUserFunc
-# $addUserFunc[affiliationid goes here] = create_function('', 'return 0;');
-
$findAffilFuncs = array("testGeneralAffiliation");
Modified: incubator/vcl/trunk/web/.ht-inc/privileges.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/privileges.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/privileges.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/privileges.php Thu May 10 16:50:22 2012
@@ -1395,6 +1395,61 @@ function userLookup() {
print " </tr>\n";
print "</table>\n";
+ # login history
+ $query = "SELECT authmech, "
+ . "timestamp, "
+ . "passfail, "
+ . "remoteIP, "
+ . "code "
+ . "FROM loginlog "
+ . "WHERE user = '{$userdata['unityid']}' AND "
+ . "affiliationid = {$userdata['affiliationid']} "
+ . "ORDER BY timestamp DESC "
+ . "LIMIT 8";
+ $logins = array();
+ $qh = doQuery($query);
+ while($row = mysql_fetch_assoc($qh))
+ $logins[] = $row;
+ if(count($logins)) {
+ $logins = array_reverse($logins);
+ print "<h3>Login History (last 8 attempts)</h3>\n";
+ print "<table summary=\"login attempts\">\n";
+ print "<colgroup>\n";
+ print "<col class=\"logincol\" />\n";
+ print "<col class=\"logincol\" />\n";
+ print "<col class=\"logincol\" />\n";
+ print "<col class=\"logincol\" />\n";
+ print "<col />\n";
+ print "</colgroup>\n";
+ print " <tr>\n";
+ print " <th>Authentication Method</th>\n";
+ print " <th>Timestamp</th>\n";
+ print " <th>Result</th>\n";
+ print " <th>Remote IP</th>\n";
+ print " <th>Extra Info</th>\n";
+ print " </tr>\n";
+ foreach($logins as $login) {
+ print " <tr>\n";
+ print " <td
class=\"logincell\">{$login['authmech']}</td>\n";
+ $ts = prettyDatetime($login['timestamp'], 1);
+ print " <td class=\"logincell\">$ts</td>\n";
+ if($login['passfail'])
+ print " <td
class=\"logincell\"><font color=\"#008000\">Pass</font></td>\n";
+ else
+ print " <td
class=\"logincell\"><font color=\"red\">Fail</font></td>\n";
+ print " <td
class=\"logincell\">{$login['remoteIP']}</td>\n";
+ print " <td
class=\"logincell\">{$login['code']}</td>\n";
+ print " </tr>\n";
+ }
+ print "</table>\n";
+ }
+ else {
+ print "<h3>Login History</h3>\n";
+ print "There are no login attempts by this user.<br>\n";
+ }
+
+
+ # reservation history
$requests = array();
$query = "SELECT DATE_FORMAT(l.start, '%W, %b %D, %Y, %h:%i
%p') AS start, "
. "DATE_FORMAT(l.finalend, '%W, %b %D, %Y, %h:%i
%p') AS end, "
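Review bot: The login-history cells for `authmech`, `remoteIP` and `code` are printed into HTML unescaped, and the query interpolates `$userdata['unityid']` into a quoted literal and `$userdata['affiliationid']` unquoted without any escaping. Everything in loginlog was recorded at login time, so if any of those columns can carry content supplied by the party attempting to log in, this becomes stored XSS in an administrator's page; wrapping each value as `htmlspecialchars($login['code'], ENT_QUOTES)` (and the same for the other two cells) costs nothing, and `mysql_real_escape_string` on the unityid plus an `(int)` cast on the affiliationid matches the driver this file already uses. userLookup starts before this hunk and continues after it.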
Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Thu May 10 16:50:22 2012
@@ -239,10 +239,20 @@ function initGlobals() {
$qh = doQuery($query);
while($row = mysql_fetch_assoc($qh)) {
$id = $row['id'];
- if(! array_key_exists($id, $affilValFunc))
- $affilValFunc[$id] = create_function('', 'return 0;');
- if(! array_key_exists($id, $addUserFunc))
- $addUserFunc[$id] = create_function('', 'return 0;');
+ if(! array_key_exists($id, $affilValFunc)) {
+ if(ALLOWADDSHIBUSERS)
+ $affilValFunc[$id] = create_function('',
'return 1;');
+ else
+ $affilValFunc[$id] = create_function('',
'return 0;');
+ }
+ if(! array_key_exists($id, $addUserFunc)) {
+ if(ALLOWADDSHIBUSERS) {
+ $addUserFunc[$id] = 'addShibUserStub';
+ $addUserFuncArgs[$id] = $id;
+ }
+ else
+ $addUserFunc[$id] = create_function('', 'return
0;');
+ }
if(! array_key_exists($id, $updateUserFunc))
$updateUserFunc[$id] = create_function('', 'return
NULL;');
}
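Review bot: With ALLOWADDSHIBUSERS set, the new branches make `$affilValFunc[$id]` accept any userid and `$addUserFunc[$id]` create the account for every id this loop visits that lacks an explicit entry, not only for Shibboleth-only affiliations as the conf-default comment describes; a typo in the privilege tree then silently becomes a database user for any such affiliation. If the query feeding this loop reads from `affiliation`, selecting `shibonly` as well and gating the permissive branch on it, `if(ALLOWADDSHIBUSERS && $row['shibonly'])`, would confine the behaviour to the affiliations the option is meant for. `$addUserFuncArgs` is newly written here; check that the global declaration at the top of initGlobals, which is outside this hunk, includes it.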
@@ -315,7 +325,7 @@ function initGlobals() {
function checkAccess() {
global $mode, $user, $actionFunction, $authMechs;
global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
- global $inContinuation, $docreaders, $userlookupUsers;
+ global $inContinuation, $docreaders;
if($mode == 'xmlrpccall') {
// double check for SSL
if(! isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
@@ -3042,7 +3052,7 @@ function getAffiliationDataUpdateText($a
function getAffiliationTheme($affilid) {
$query = "SELECT theme FROM affiliation WHERE id = $affilid";
$qh = doQuery($query);
- if($row = mysql_fetch_assoc($qh) && ! empty($row['theme']))
+ if(($row = mysql_fetch_assoc($qh)) && ! empty($row['theme']))
return $row['theme'];
else
return 'default';
@@ -10327,7 +10337,7 @@ function printHTMLHeader() {
///
////////////////////////////////////////////////////////////////////////////////
function getNavMenu($inclogout, $inchome, $homeurl=HOMEURL) {
- global $user, $docreaders, $authed, $userlookupUsers;
+ global $user, $docreaders, $authed;
global $mode;
if($authed && $mode != 'expiredemouser') {
$computermetadata = getUserComputerMetaData();
Modified: incubator/vcl/trunk/web/shibauth/index.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/shibauth/index.php?rev=1336790&r1=1336789&r2=1336790&view=diff
==============================================================================
--- incubator/vcl/trunk/web/shibauth/index.php (original)
+++ incubator/vcl/trunk/web/shibauth/index.php Thu May 10 16:50:22 2012
@@ -29,13 +29,10 @@ dbConnect();
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Sat, 1 Jan 2000 00:00:00 GMT");
-if(! array_key_exists('eppn', $_SERVER) ||
- (! (array_key_exists('sn', $_SERVER) &&
- array_key_exists('givenName', $_SERVER)) &&
- ! array_key_exists('displayName', $_SERVER))) {
-
+/*
# check for eppn; if there, see if it is a user we already have
if(array_key_exists('eppn', $_SERVER)) {
+ #$tmp = explode('@', $_SERVER['eppn']);
$tmp = explode(';', $_SERVER['eppn']);
$tmp = explode('@', $tmp[0]);
$query = "SELECT u.firstname, "
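Review bot: The `/*` opened at the top of the new side turns the former eppn database lookup and the old error page into a block comment that, per the next hunk, runs for roughly fifty lines rather than being deleted. Dead code of that size in a login handler makes the live control flow harder to audit, and the revision history already preserves the old version. Deleting the block, or at minimum adding a one-line comment stating why it was disabled and whether it is coming back, would be clearer.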
@@ -51,42 +48,41 @@ if(! array_key_exists('eppn', $_SERVER)
$_SERVER['givenName'] = $row['firstname'];
}
else {
- # check to see if any shib stuff in $_SERVER, if not
redirect
- $keys = array_keys($_SERVER);
- $allkeys = '{' . implode('{', $keys);
- if(! preg_match('/\{Shib-/', $allkeys)) {
- # no shib data, clear _shibsession cookie
- foreach(array_keys($_COOKIE) as $key) {
-
if(preg_match('/^_shibsession[_0-9a-fA-F]+$/', $key))
- setcookie($key, "", time() -
10, "/", $_SERVER['SERVER_NAME']);
- }
- # redirect to main select auth page
- header("Location: " . BASEURL . SCRIPT .
"?mode=selectauth");
- dbDisconnect();
- exit;
- }
- print "<h2>Error with Shibboleth authentication</h2>\n";
- print "You have attempted to log in using Shibboleth
from an<br>\n";
- print "institution that does not allow VCL to see all
of these<br>\n";
- print "attributes:<br>\n";
- print "<ul>\n";
- print "<li>eduPersonPrincipalName</li>\n";
- print "</ul>\n";
- print "and either:\n";
- print "<ul>\n";
- print "<li>sn and givenName</li>\n";
- print "</ul>\n";
- print "or:\n";
- print "<ul>\n";
- print "<li>displayName</li>\n";
- print "</ul>\n";
- print "You need to contact the administrator of your
institution's<br>\n";
- print "IdP to have all of those attributes be available
to VCL in<br>\n";
- print "order to log in using Shibboleth.\n";
- dbDisconnect();
- exit;
+*/
+
+if(! array_key_exists('eppn', $_SERVER)) {
+ # check to see if any shib stuff in $_SERVER, if not redirect
+ $keys = array_keys($_SERVER);
+ $allkeys = '{' . implode('{', $keys);
+ if(! preg_match('/\{Shib-/', $allkeys)) {
+ # no shib data, clear _shibsession cookie
+ #print "$allkeys<br>\n";
+ foreach(array_keys($_COOKIE) as $key) {
+ if(preg_match('/^_shibsession[_0-9a-fA-F]+$/', $key))
+ setcookie($key, "", time() - 10, "/",
$_SERVER['SERVER_NAME']);
}
+ # redirect to main select auth page
+ header("Location: " . BASEURL . SCRIPT . "?mode=selectauth");
+ dbDisconnect();
+ exit;
}
+ print "<h2>Error with Shibboleth authentication</h2>\n";
+ print "You have attempted to log in using Shibboleth from an<br>\n";
+ print "institution that does not allow VCL to see your<br><br>\n";
+ print "eduPersonPrincipalName.<br><br>\n";
+ print "You need to contact the administrator of your
institution's<br>\n";
+ print "IdP to have eduPersonPrincipalName made available to VCL
in<br>\n";
+ print "order to log in using Shibboleth.\n";
+
+ $msg = "Someone tried to log in to VCL using Shibboleth from an IdP "
+ . "that does not release eppn to us.\n\n"
+ . "The following data was in \$_SERVER:\n\n";
+ foreach($_SERVER as $key => $val)
+ $msg .= "$key => $val\n";
+ $mailParams = "-f" . ENVELOPESENDER;
+ mail(ERROREMAIL, "Error with VCL pages (eppn not provided)", $msg, '',
$mailParams);
+ dbDisconnect();
+ exit;
}
// open keys
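Review bot: The error path added here mails the entire `$_SERVER` array to ERROREMAIL, which in a web context includes `HTTP_COOKIE`, any `HTTP_AUTHORIZATION` header and every attribute the IdP did release, so an unauthenticated request dumps session cookies and personal data into a mailbox in clear text, and it can be triggered repeatedly. Restricting the dump to the Shibboleth attributes, e.g. `if(strncmp($key, 'Shib-', 5) === 0) $msg .= "$key => $val\n";`, keeps what is useful for debugging without the secrets. Separately, because the new condition no longer requires sn, givenName or displayName, later code such as the `givenName: {$_SERVER['givenName']}` line in the next hunk now reads an index that may be absent.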
@@ -134,7 +130,7 @@ if(! ($row = mysql_fetch_assoc($qh))) {
$newaffilname = $affilname;
}
else {
- $msg = "Someone tried to log in to VCL using Shibboleth
from an idp "
+ $msg = "Someone tried to log in to VCL using Shibboleth
from an IdP "
. "affiliation that could not be automatically
added.\n\n"
. "eppn: {$_SERVER['eppn']}\n"
. "givenName: {$_SERVER['givenName']}\n"
@@ -190,11 +186,26 @@ else {
$affilid = getAffiliationID($affil);
addLoginLog($userid, 'shibboleth', $affilid, 1);
+# uncomment the following and change EXAMPLE1 to match your needs to add all
+# users from a specific affiliation to a particular user group
+/*if($affil == 'EXAMPLE1') {
+ $gid = getUserGroupID('All EXAMPLE1 Users', $affilid);
+ $query = "INSERT IGNORE INTO usergroupmembers "
+ . "(userid, usergroupid) "
+ . "VALUES ($usernid, $gid)";
+ doQuery($query, 307);
+}*/
+
+if(array_key_exists('Shib-logouturl', $_SERVER))
+ $logouturl = $_SERVER['Shib-logouturl'];
+else
+ $logouturl = '';
+
# save data to shibauth table
$shibdata = array('Shib-Application-ID' => $_SERVER['Shib-Application-ID'],
'Shib-Identity-Provider' =>
$_SERVER['Shib-Identity-Provider'],
- 'Shib-AuthnContext-Dec' =>
$_SERVER['Shib-AuthnContext-Decl'],
- 'Shib-logouturl' => $_SERVER['Shib-logouturl'],
+ #'Shib-AuthnContext-Dec' =>
$_SERVER['Shib-AuthnContext-Decl'],
+ 'Shib-logouturl' => $logouturl,
'eppn' => $_SERVER['eppn'],
'unscoped-affiliation' => $_SERVER['unscoped-affiliation'],
'affiliation' => $_SERVER['affiliation'],