From 0ff1e83d85842bd3db3c844207661e36bcd69b0a Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Wed, 16 Oct 2019 17:59:40 +0200
Subject: [PATCH] Changes for X.509 and Shibboleth login

---
 .htaccess | 9 +++++++++
 auth/x509/index.php | 19 +++++++++++++++++++
 classes/login/ShibbolethLogin.php | 18 ++++++------------
 classes/login/X509Login.php | 2 +-
 config-example.json | 2 +-
 5 files changed, 36 insertions(+), 14 deletions(-)
 create mode 100644 auth/x509/index.php

diff --git a/.htaccess b/.htaccess
index 0654970..c59e2c4 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,3 +3,12 @@ RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ index.php [QSA,L]
+
+# mod_rewrite changes some Shibboleth headers
+# this restores them:
+SetEnvIf REDIRECT_Shib-Session-ID (.+) Shib-Session-ID=$1
+SetEnvIf REDIRECT_eppn (.+) eppn=$1
+SetEnvIf REDIRECT_mail (.+) mail=$1
+SetEnvIf REDIRECT_givenName (.+) givenName=$1
+SetEnvIf REDIRECT_sn (.+) sn=$1
+
diff --git a/auth/x509/index.php b/auth/x509/index.php
new file mode 100644
index 0000000..fa7755b
--- /dev/null
+++ b/auth/x509/index.php
@@ -0,0 +1,19 @@
+<?php
+
+/* It is necessary to use this index file inside /auth/x509
+ * because mod_rewrite (used by the Flight framework to
+ * create a front controller) changes some of the SSL headers
+ * and SSL client certificate is not recognized anymore */
+
+chdir(dirname(__FILE__));
+
+include '../../include/init.php';
+// Session must be started after classes inclusion in order
+// to avoid __PHP_Incomplete_Class Object error
+session_start();
+
+$x509Login = new \RAP\X509Login($locator);
+$url = $x509Login->login();
+header("Location: $url");
+die();
+
diff --git a/classes/login/ShibbolethLogin.php b/classes/login/ShibbolethLogin.php
index adce644..0d08f8f 100644
--- a/classes/login/ShibbolethLogin.php
+++ b/classes/login/ShibbolethLogin.php
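Review bot: The five `SetEnvIf REDIRECT_… (.+) …=$1` rules restore the Shibboleth variables from whatever carries the `REDIRECT_*` name, and as far as I recall mod_setenvif consults the request's own headers before the environment table, so a request arriving with a header literally named `REDIRECT_Shib-Session-ID` or `REDIRECT_eppn` would populate `Shib-Session-ID` and `eppn` without mod_shib having established anything, and ShibbolethLogin trusts exactly those variables. This is only safe if the Shibboleth-protected path is enforced at the Apache layer as well (a `require shib-session` on that location), or if the restoration is narrowed so that client-supplied headers cannot satisfy it; please confirm which of the two holds in this deployment. At minimum the comment should record the assumption, e.g. `# assumes clients cannot supply REDIRECT_* request headers; session is also enforced by mod_shib`.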
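Review bot: `include '../../include/init.php';` only emits a warning when the file cannot be read, after which the script still executes `new \RAP\X509Login($locator)` with `$locator` undefined; `require '../../include/init.php';` fails at the include instead and gives a clearer error. The value passed to `header("Location: $url")` is whatever `X509Login::login()` returns, which this file does not show; if that can be empty or relative on a failed certificate check, sending an explicit status before the redirect and ending with `exit;` rather than `die();` would make the failure path visible. A one-line note that `$locator` is expected to be defined by init.php would help the next reader, since nothing in this file declares it.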
@@ -10,26 +10,20 @@ class ShibbolethLogin extends LoginHandler {
 public function login() {
- $prefix = '';
-
- if (isset($_SERVER['Shib-Session-ID']) || $redirect = isset($_SERVER['REDIRECT_Shib-Session-ID'])) {
-
- if (isset($_SERVER['REDIRECT_Shib-Session-ID'])) {
- $prefix = 'REDIRECT_';
- }
+ if (isset($_SERVER['Shib-Session-ID'])) {
 // Retrieving eduPersonPrincipalName (eppn)
- $eppn = $_SERVER[$prefix . 'eppn'];
+ $eppn = $_SERVER['eppn'];
 // Search if the user is already registered into RAP using the eppn.
 // The persistent id should be a more appropriate identifier, however at IA2
 // we need to import all INAF user into RAP, even if they will never register,
 // and in that case we know only their eppn.
- return $this->onIdentityDataReceived($eppn, function($identity) use($eppn, $prefix) {
- $identity->email = $_SERVER[$prefix . 'mail'];
- $identity->name = $_SERVER[$prefix . 'givenName'];
- $identity->surname = $_SERVER[$prefix . 'sn'];
+ return $this->onIdentityDataReceived($eppn, function($identity) use($eppn) {
+ $identity->email = $_SERVER['mail'];
+ $identity->name = $_SERVER['givenName'];
+ $identity->surname = $_SERVER['sn'];
 $identity->eppn = $eppn;
 });
 } else {
diff --git a/classes/login/X509Login.php b/classes/login/X509Login.php
index 33ce0a5..b050bba 100644
--- a/classes/login/X509Login.php
+++ b/classes/login/X509Login.php
@@ -14,7 +14,7 @@ class X509Login extends LoginHandler {
 if (isset($_SERVER['SSL_CLIENT_VERIFY']) && isset($_SERVER['SSL_CLIENT_V_REMAIN']) && $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS' && $_SERVER['SSL_CLIENT_V_REMAIN'] > 0) {
- $x509Data = RAP\X509Data::parse($_SERVER);
+ $x509Data = X509Data::parse($_SERVER);
 $this->x509Data = $x509Data;
 return $this->onIdentityDataReceived($x509Data->serialNumber, function($identity) use ($x509Data) {
diff --git a/config-example.json b/config-example.json
index 909132e..9cf0321 100644
--- a/config-example.json
+++ b/config-example.json
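Review bot: The new `if (isset($_SERVER['Shib-Session-ID']))` checks only the session variable, yet the next added line reads `$_SERVER['eppn']` unconditionally; when the IdP does not release eppn this raises an undefined-index notice and hands a null identifier to `onIdentityDataReceived`, and `mail`, `givenName` and `sn` inside the closure have the same exposure. Checking the identifier together with the session, `if (isset($_SERVER['Shib-Session-ID'], $_SERVER['eppn'])) {`, routes the missing-attribute case into the existing else branch, and if the project targets PHP 7 the optional attributes can be read as `$_SERVER['mail'] ?? null` (likewise for the other two) so the identity fields are explicitly null rather than notices. The else branch of `login()` continues past the end of the hunk.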
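Review bot: The condition kept as context above the changed line, `$_SERVER['SSL_CLIENT_V_REMAIN'] > 0`, compares the string mod_ssl populates against an integer with loose semantics, and for a non-numeric value the outcome differs between PHP 7 and PHP 8; an explicit cast, `(int) $_SERVER['SSL_CLIENT_V_REMAIN'] > 0`, pins the intent that at least one day of validity remains. The `X509Data::parse` fix looks right provided the file declares `namespace RAP`, which is outside the hunk; the enclosing method, presumably `login()`, both starts before and ends after the hunk.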
@@ -31,7 +31,7 @@
 "secret": "XXXXXX",
 "callback": "/auth/social/linkedin/token"
 },
- "X.509": {},
+ "X509": {},
 "LocalIdP": {
 "url": "https://sso.ia2.inaf.it/Shibboleth.sso/Login?entityID=https://sso.ia2.inaf.it/idp/shibboleth&target=https://sso.ia2.inaf.it/rap-ia2/auth/saml2/aai.php",
 "logo": "img/ia2-logo-60x60.png",
-- 
GitLab