From 0ff1e83d85842bd3db3c844207661e36bcd69b0a Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Wed, 16 Oct 2019 17:59:40 +0200
Subject: [PATCH] Changes for X.509 and Shibboleth login

---
 .htaccess                         |  9 +++++++++
 auth/x509/index.php               | 19 +++++++++++++++++++
 classes/login/ShibbolethLogin.php | 18 ++++++------------
 classes/login/X509Login.php       |  2 +-
 config-example.json               |  2 +-
 5 files changed, 36 insertions(+), 14 deletions(-)
 create mode 100644 auth/x509/index.php

diff --git a/.htaccess b/.htaccess
index 0654970..c59e2c4 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,3 +3,12 @@ RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ index.php [QSA,L]
+
+# mod_rewrite changes some Shibboleth headers
+# this restores them:
+SetEnvIf REDIRECT_Shib-Session-ID (.+) Shib-Session-ID=$1
+SetEnvIf REDIRECT_eppn (.+) eppn=$1
+SetEnvIf REDIRECT_mail (.+) mail=$1
+SetEnvIf REDIRECT_givenName (.+) givenName=$1
+SetEnvIf REDIRECT_sn (.+) sn=$1
+
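Review bot: The `SetEnvIf REDIRECT_eppn (.+) eppn=$1` rule, and the four sibling rules above it, test an attribute name that mod_setenvif resolves against the incoming request headers before it falls back to environment variables (confirm against the Apache version deployed), so a request carrying a header with the literal name `REDIRECT_eppn` could plausibly satisfy the rule and populate `eppn` without any Shibboleth session behind it. The Shibboleth SP's header-clearing only covers the attribute names it knows, not these REDIRECT_-prefixed variants, so nothing upstream strips them. An environment-only test (for example `SetEnvIfExpr` with `reqenv('REDIRECT_eppn')`), or scoping the rules to the internally redirected request, would close that gap for all five variables; at minimum the comment should record that these names must never be accepted from client headers.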
diff --git a/auth/x509/index.php b/auth/x509/index.php
new file mode 100644
index 0000000..fa7755b
--- /dev/null
+++ b/auth/x509/index.php
@@ -0,0 +1,19 @@
+<?php
+
+/* It is necessary to use this index file inside /auth/x509 
+ * because mod_rewrite (used by the Flight framework to
+ * create a front controller) changes some of the SSL headers
+ * and SSL client certificate is not recognized anymore */
+
+chdir(dirname(__FILE__));
+
+include '../../include/init.php';
+// Session must be started after classes inclusion in order
+// to avoid __PHP_Incomplete_Class Object error
+session_start();
+
+$x509Login = new \RAP\X509Login($locator);
+$url = $x509Login->login();
+header("Location: $url");
+die();
+
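Review bot: `include '../../include/init.php';` only emits a warning when the bootstrap is missing, so on a broken deployment execution continues into `new \RAP\X509Login($locator)` with `$locator` (presumably set by init.php) undefined; `require __DIR__ . '/../../include/init.php';` fails fast instead, and `__DIR__` replaces the `chdir(dirname(__FILE__))` line unless init.php itself relies on the working directory. The `header("Location: $url")` on the second-to-last line trusts whatever `login()` returns; since its body is not in this patch, a non-empty check before emitting the header would avoid sending an empty Location on a failed login. The new file also lacks `declare(strict_types=1);`, and `exit;` is the conventional spelling of `die()`.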
diff --git a/classes/login/ShibbolethLogin.php b/classes/login/ShibbolethLogin.php
index adce644..0d08f8f 100644
--- a/classes/login/ShibbolethLogin.php
+++ b/classes/login/ShibbolethLogin.php
@@ -10,26 +10,20 @@ class ShibbolethLogin extends LoginHandler {
 
     public function login() {
 
-        $prefix = '';
-
-        if (isset($_SERVER['Shib-Session-ID']) || $redirect = isset($_SERVER['REDIRECT_Shib-Session-ID'])) {
-
-            if (isset($_SERVER['REDIRECT_Shib-Session-ID'])) {
-                $prefix = 'REDIRECT_';
-            }
+        if (isset($_SERVER['Shib-Session-ID'])) {
 
             // Retrieving eduPersonPrincipalName (eppn)
-            $eppn = $_SERVER[$prefix . 'eppn'];
+            $eppn = $_SERVER['eppn'];
 
             // Search if the user is already registered into RAP using the eppn.
             // The persistent id should be a more appropriate identifier, however at IA2
             // we need to import all INAF user into RAP, even if they will never register,
             // and in that case we know only their eppn.
 
-            return $this->onIdentityDataReceived($eppn, function($identity) use($eppn, $prefix) {
-                $identity->email = $_SERVER[$prefix . 'mail'];
-                $identity->name = $_SERVER[$prefix . 'givenName'];
-                $identity->surname = $_SERVER[$prefix . 'sn'];
+            return $this->onIdentityDataReceived($eppn, function($identity) use($eppn) {
+                $identity->email = $_SERVER['mail'];
+                $identity->name = $_SERVER['givenName'];
+                $identity->surname = $_SERVER['sn'];
                 $identity->eppn = $eppn;
             });
         } else {
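Review bot: The new `$eppn = $_SERVER['eppn'];` right after the `Shib-Session-ID` check, and the `mail`/`givenName`/`sn` reads inside the closure, assume the IdP released every attribute; a session without an eppn raises an undefined-index warning and hands `null` to `onIdentityDataReceived`, which would then key the user lookup on an empty identifier. Read the required attribute with a guard, e.g. `$eppn = $_SERVER['eppn'] ?? '';` followed by `if ($eppn === '') { /* no eppn released: take the handler's existing failure path */ }`, and use `?? null` for the optional attributes in the closure. A one-line comment noting that these bare names depend on the new `SetEnvIf` rules in `.htaccess` for rewritten requests would help the next reader. login() continues past the end of the hunk (its else branch is cut off).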
diff --git a/classes/login/X509Login.php b/classes/login/X509Login.php
index 33ce0a5..b050bba 100644
--- a/classes/login/X509Login.php
+++ b/classes/login/X509Login.php
@@ -14,7 +14,7 @@ class X509Login extends LoginHandler {
         if (isset($_SERVER['SSL_CLIENT_VERIFY']) && isset($_SERVER['SSL_CLIENT_V_REMAIN']) &&
                 $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS' && $_SERVER['SSL_CLIENT_V_REMAIN'] > 0) {
 
-            $x509Data = RAP\X509Data::parse($_SERVER);
+            $x509Data = X509Data::parse($_SERVER);
             $this->x509Data = $x509Data;
 
             return $this->onIdentityDataReceived($x509Data->serialNumber, function($identity) use ($x509Data) {
diff --git a/config-example.json b/config-example.json
index 909132e..9cf0321 100644
--- a/config-example.json
+++ b/config-example.json
@@ -31,7 +31,7 @@
             "secret": "XXXXXX",
             "callback": "/auth/social/linkedin/token"
         },
-        "X.509": {},
+        "X509": {},
         "LocalIdP": {
             "url": "https://sso.ia2.inaf.it/Shibboleth.sso/Login?entityID=https://sso.ia2.inaf.it/idp/shibboleth&target=https://sso.ia2.inaf.it/rap-ia2/auth/saml2/aai.php",
             "logo": "img/ia2-logo-60x60.png",
-- 
GitLab