Add config for identity_providers in local_info.xml
Sae126V committed Sep 11, 2024
1 parent 48faa12 commit e91226c
Showing 4 changed files with 133 additions and 66 deletions.
21 changes: 21 additions & 0 deletions config/local_info.xml
Expand Up @@ -179,6 +179,27 @@
-->
<restrict_personal_data>false</restrict_personal_data>

<!-- identity_providers
ST:TODO Add descriotion what it is
-->
<identity_providers>
<provider>
<idp>aai.egi.eu/auth/realms/egi</idp>
<name>EGI Proxy</name>
<required_groups>
<group>urn:mace:egi.eu:res:gocdb#aai.egi.eu</group>
</required_groups>
<help_url>https://docs.egi.eu/internal/configuration-database/access/#using-institutional-account-via-egi-check-in</help_url>
</provider>
<provider>
<idp>aai-demo.egi.eu/auth/realms/egi</idp>
<name>EGI Demo Proxy</name>
<required_groups>
<group>urn:mace:egi.eu:res:gocdb#aai.egi.eu</group>
</required_groups>
</provider>
</identity_providers>

</local_info>

<!--
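Review bot: The `<idp>` values at L25 and L33 are written without a scheme (`aai.egi.eu/auth/realms/egi`), but ShibAuthToken.php in this commit matches them with `$provider['idp'] === $idp`, and the branches it replaces compared that same variable literally against `https://aai.egi.eu/auth/realms/egi`; unless the identifier is normalised somewhere outside this commit, no provider will ever match and every EGI login falls through with no principal set. Either store the full identifier, `<idp>https://aai.egi.eu/auth/realms/egi</idp>`, or normalise both sides before comparing. The `ST:TODO Add descriotion what it is` placeholder should also be replaced before merge, with something like: `identity_providers: federated IdPs accepted by the Shibboleth auth token. Each <provider> gives the IdP identifier as presented by Shibboleth, a display name, optional <required_groups> (at least one of these entitlement values must be present in the user's entitlement attribute) and an optional help_url shown when that check fails.`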
23 changes: 23 additions & 0 deletions config/local_info.xsd
Expand Up @@ -121,6 +121,29 @@
</xs:complexType>
</xs:element>
<xs:element name="send_email" type="xs:boolean" minOccurs="0"/>

<xs:element name="identity_providers" minOccurs="0">
<xs:complexType>
<xs:sequence>
<xs:element name="provider" minOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="idp" type="xs:string"/>
<xs:element name="name" type="xs:string"/>
<xs:element name="required_groups" minOccurs="0">
<xs:complexType>
<xs:sequence>
<xs:element name="group" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="help_url" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
<xs:attribute name="url" type="xs:anyURI"/>
</xs:complexType>
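Review bot: `<xs:element name="provider" minOccurs="1">` at L55 carries no `maxOccurs`, so the schema admits exactly one `<provider>`, yet the local_info.xml shipped in this same commit declares two; validating the shipped config against the shipped schema will fail. Change it to `<xs:element name="provider" minOccurs="1" maxOccurs="unbounded">`. Consider `type="xs:anyURI"` for `idp` and `help_url` in place of `xs:string`, and think twice about `required_groups` being optional (`minOccurs="0"` at L60): the removed PHP required the GOCDB entitlement unconditionally, whereas a provider entry that omits `<required_groups>` now admits anyone who presents any entitlement value. The enclosing `xs:all` and complexType start before the hunk.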
119 changes: 53 additions & 66 deletions lib/Authentication/AuthTokens/ShibAuthToken.php
Expand Up @@ -96,73 +96,61 @@ private function getAttributesInitToken(){
$this->userDetails = array('AuthenticationRealm' => array('UK_ACCESS_FED'));
return;
}
else if($idp == 'https://aai.egi.eu/auth/realms/egi'){
// assurance is the old way EGI checkIn used to pass LoA attributes
/*if( empty($_SERVER['voPersonID'])){// || empty($_SERVER['displayName']) ){
die('Did not recieve required attributes from the EGI Proxy Identity Provider to complete authentication, please contact gocdb-admins');
}
if(empty($_SERVER['assurance'])){
die('Did not receive the required assurance attribute from the EGI Proxy IdP, please contact gocdb-admins');
}
if($_SERVER['assurance'] != 'https://aai.egi.eu/LoA#Substantial'){
$HTML = '<ul><li>You authenticated to the EGI Identity Provider using a method that provides an inadequate Level of Assurance for GOCDB (weak user verification).</li><li>Login is required with an assurance level of [Substantial].</li><li>To gain access, you will need to login to the Proxy IdP using a scheme that provides [LoA#Substantial].</li><li>Please logout or restart your browser and attempt to login again.</li></ul>';
$HTML .= "<div style='text-align: center;'>";
$HTML .= '<a href="'.htmlspecialchars(\Factory::$properties['LOGOUTURL']).'"><b><font colour="red">Logout</font></b></a>';
$HTML .= "</div>";
echo ($HTML);
die();
}
$this->principal = $_SERVER['voPersonID'];
$this->userDetails = array('AuthenticationRealm' => array('EGI Proxy IdP'));
return;
*/

if( empty($_SERVER['voPersonID'])){// || empty($_SERVER['displayName']) ){
die('Did not recieve required attributes from the EGI Proxy Identity Provider to complete authentication, please contact gocdb-admins');
$configService = \Factory::getConfigService();
$identityProviders = $configService->getIdentityProvidersInfo();

foreach ($identityProviders as $provider) {
if ($provider['idp'] === $idp) {
$name = $provider['name'];
$helpUrl = $provider['help_url'] ?? '#';

if (empty($_SERVER['voPersonID'])) {
die(
"Did not receive required attributes from the IDP $name to "
. "complete authentication. Please contact gocdb-admins."
);
}

if (empty($_SERVER['entitlement'])) {
die(
"Did not receive the required entitlement attribute from "
. "the IDP $name. Please contact gocdb-admins."
);
}

if (!empty($provider['required_groups'])) {
$entitlementValues = explode(
';', $_SERVER['entitlement']
);

if (!array_intersect(
$entitlementValues, $provider['required_groups']
)) {
$HTML = "<ul>"
. "<li>Login requires the entitlement "
. "which was not provided for the IDP $name.</li>"
. "<li>Please see here for more information: "
. "<a href='$helpUrl' target='_blank'>$helpUrl</a>.</li>"
. "<li>Logout or restart your "
. "browser and attempt to login again using an IDP that "
. "provides a GOCDB entitlement.</li>"
. "</ul>";
$HTML .= "<div style='text-align: center;'>";
$HTML .= "<a href=\""
. htmlspecialchars(\Factory::$properties['LOGOUTURL'])
. "\"><b><font color=\"red\">Logout</font></b></a>";
$HTML .= "</div>";
echo ($HTML);
die();
}
}

$this->principal = $_SERVER['voPersonID'];
$this->userDetails = ['AuthenticationRealm' => [$provider['idp']]];

return;
}
if(empty($_SERVER['entitlement'])){
//die('Did not recieve the required entitlement attribute from the EGI Proxy IdP, please contact gocdb-admins');
$HTML = '<ul><li>Login requires a GOCDB entitlement value <a href="https://wiki.egi.eu/wiki/URN_Registry:aai.egi.eu:gocdb" target="_blank">https://wiki.egi.eu/wiki/URN_Registry:aai.egi.eu:gocdb</a></li><li>Please, logout or restart your browser and attempt to login again using an identity provider that provides a GOCDB entitlement</li></ul>';
$HTML .= "<div style='text-align: center;'>";
$HTML .= '<a href="'.htmlspecialchars(\Factory::$properties['LOGOUTURL']).'"><b><font colour="red">Logout</font></b></a>';
$HTML .= "</div>";
echo ($HTML);
die();
}

$entitlementValuesArray = explode(';', $_SERVER['entitlement']);
if( !in_array('urn:mace:egi.eu:res:gocdb#aai.egi.eu', $entitlementValuesArray) ){
$HTML = '<ul><li>Login requires a GOCDB entitlement <a href="https://wiki.egi.eu/wiki/URN_Registry:aai.egi.eu:gocdb" target="_blank">https://wiki.egi.eu/wiki/URN_Registry:aai.egi.eu:gocdb</a></li><li>Please, logout or restart your browser and attempt to login again using an identity provider that provides a GOCDB entitlement</li></ul>';
$HTML .= "<div style='text-align: center;'>";
$HTML .= '<a href="'.htmlspecialchars(\Factory::$properties['LOGOUTURL']).'"><b><font colour="red">Logout</font></b></a>';
$HTML .= "</div>";
echo ($HTML);
die();
}
$this->principal = $_SERVER['voPersonID'];
$this->userDetails = array('AuthenticationRealm' => array('EGI Proxy IdP'));
return;

}
else if($idp == 'https://aai-demo.egi.eu/auth/realms/egi'){
if( empty($_SERVER['voPersonID'])){
die('Did not receive required voPersonID attributes from the EGI Demo Proxy Identity Provider to complete authentication, please contact gocdb-admins');
}
if(empty($_SERVER['entitlement'])){
die('Did not receive the required entitlement attribute from the EGI Demo Proxy IdP, please contact gocdb-admins');
}
$entitlementValuesArray = explode(';', $_SERVER['entitlement']);
if( !in_array('urn:mace:egi.eu:res:gocdb#aai.egi.eu', $entitlementValuesArray) ){
$HTML = '<ul><li>You authenticated to the EGI Demo Identity Provider using a method that does not provide a GOCDB entitlement.</li><li>Login is required with a gocdb entitlement.</li><li>To gain access, you will need to login to the Proxy IdP using a scheme that provides a gocdb entitlement.</li><li>Please logout or restart your browser and attempt to login again.</li></ul>';
$HTML .= "<div style='text-align: center;'>";
$HTML .= '<a href="'.htmlspecialchars(\Factory::$properties['LOGOUTURL']).'"><b><font colour="red">Logout</font></b></a>';
$HTML .= "</div>";
echo ($HTML);
die();
}
$this->principal = $_SERVER['voPersonID'];
$this->userDetails = array('AuthenticationRealm' => array('EGI Proxy IdP'));
return;
}
}

Expand Down Expand Up @@ -203,5 +191,4 @@ public static function isPreAuthenticating() {
public static function isStateless() {
return true;
}

}
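Review bot: The entitlement gate at L129–L154 is never exercised: the loop reads `$provider['required_groups']` and `$provider['help_url']`, but `Config::getIdentityProvidersInfo()` added in this same commit emits the keys `requiredGroups` and (through a `,`-for-`=>` typo) a numeric key instead of `helpURL`, so `!empty($provider['required_groups'])` is always false and any user whose IdP sends a non-empty `entitlement` attribute is accepted regardless of its value — the check the removed code enforced unconditionally. Align the key names on both sides and add a regression test that presents a non-GOCDB entitlement and expects rejection. Separately, `$name` and `$helpUrl` at L117 and L141 are interpolated into output unescaped while LOGOUTURL on the following lines goes through `htmlspecialchars()`; they come from local config rather than the request, but the same treatment is cheap: `$helpUrl = htmlspecialchars($provider['help_url'] ?? '#', ENT_QUOTES);`. Note too that `AuthenticationRealm` changes from the literal `EGI Proxy IdP` to the configured `idp` string at L157, which needs a data migration if existing user records are keyed by realm. getAttributesInitToken() begins before the hunk.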
36 changes: 36 additions & 0 deletions lib/Gocdb_Services/Config.php
Expand Up @@ -567,4 +567,40 @@ public function getEmailTo()

return $emailTo;
}

public function getIdentityProvidersInfo(): array
{
$localInfo = $this->GetLocalInfoXML();
$identityProviders = [];

if (!empty($localInfo->identity_providers->provider)) {
foreach ($localInfo->identity_providers->provider as $providerDetails) {
/** idp */
$idp = (string) $providerDetails->idp;

/** name */
$name = (string) $providerDetails->name;

/** required_groups */
$requiredGroups = [];
if ($providerDetails->required_groups->group) {
foreach($providerDetails->required_groups->group as $group) {
$requiredGroups[] = (string) $group;
}
}

/** help_url */
$helpURL = $providerDetails->help_url ?? null;

$identityProviders[] = [
'idp' => $idp,
'name' => $name,
'requiredGroups' => $requiredGroups,
'helpURL', $helpURL
];
}
}

return $identityProviders;
}
}
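Review bot: The array literal at L244–L249 has `'helpURL', $helpURL` instead of `'helpURL' => $helpURL`, so the help URL lands under numeric key `0` and `helpURL` is never set; the consumer in ShibAuthToken.php also looks up `required_groups` and `help_url` (the XML element names) rather than `requiredGroups`/`helpURL`, so both fields are silently lost. Use the XML names on the producer side: `'required_groups' => $requiredGroups,` and `'help_url' => $helpURL,`. `$helpURL` at L242 is also left as a SimpleXMLElement rather than cast like the other fields: `$helpURL = isset($providerDetails->help_url) ? (string) $providerDetails->help_url : null;`. A docblock stating the returned shape, `@return list<array{idp:string,name:string,required_groups:list<string>,help_url:?string}>`, would let static analysis catch this kind of key mismatch.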
