From 4a9d24b4463bbe6f8efbdc24e9970dce680edb3c Mon Sep 17 00:00:00 2001
From: Sonia Zorba <zorba@oats.inaf.it>
Date: Thu, 7 Sep 2017 14:29:18 +0200
Subject: [PATCH] Bugfix on search users query, added audit logging (to be
 improved), various

---
 .gitignore                     |  1 +
 auth/oauth2/facebook_token.php |  1 +
 auth/oauth2/google_token.php   |  1 +
 auth/oauth2/linkedin_token.php |  1 +
 auth/saml2/aai.php             |  1 +
 auth/x509/certlogin.php        |  1 +
 classes/MySQLDAO.php           |  4 +++-
 config-example.php             | 28 ++++++++++++----------------
 include/front-controller.php   |  4 +++-
 include/init.php               |  2 ++
 sql/delete-user-procedure.sql  |  8 ++++++++
 11 files changed, 34 insertions(+), 18 deletions(-)
 create mode 100644 sql/delete-user-procedure.sql

diff --git a/.gitignore b/.gitignore
index 0761b29..dcb5ce1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ composer.lock
 nbproject
 logs
 config.php
+test
diff --git a/auth/oauth2/facebook_token.php b/auth/oauth2/facebook_token.php
index b914131..bd43165 100755
--- a/auth/oauth2/facebook_token.php
+++ b/auth/oauth2/facebook_token.php
@@ -96,5 +96,6 @@ if ($user === null) {
     $userHandler->saveUser($user);
 }
 
+$auditLog->info("LOGIN,Facebook," . $user->id);
 $callbackHandler->manageLoginRedirect($user, $session);
 ?>
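Review bot: The new audit entry records only the internal user id, which is too little to attribute a login: neither the client address nor the external identity that was used (the identity's `typed_id` or email, if `$user` exposes them) is written, and the same minimal line is added in google_token.php, linkedin_token.php, aai.php and certlogin.php. Monolog already timestamps the record, so the missing pieces are request attributes; `$auditLog->info("LOGIN,Facebook," . $user->id . "," . $_SERVER['REMOTE_ADDR']);` is the minimal change, or pass them as Monolog context, `$auditLog->info('LOGIN', ['method' => 'Facebook', 'user' => $user->id, 'ip' => $_SERVER['REMOTE_ADDR']]);`, so the fields are keyed rather than positional (behind a reverse proxy `REMOTE_ADDR` is the proxy, which the deployment should account for). The error branches of these files, where a login is rejected, get no entry at all, and those are usually the records worth alerting on.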
diff --git a/auth/oauth2/google_token.php b/auth/oauth2/google_token.php
index a44c19a..8f056d5 100644
--- a/auth/oauth2/google_token.php
+++ b/auth/oauth2/google_token.php
@@ -90,6 +90,7 @@ if ($client->getAccessToken()) {
         $userHandler->saveUser($user);
     }
 
+    $auditLog->info("LOGIN,Google," . $user->id);
     $callbackHandler->manageLoginRedirect($user, $session);
 
     die();
diff --git a/auth/oauth2/linkedin_token.php b/auth/oauth2/linkedin_token.php
index e2ec275..e38700a 100644
--- a/auth/oauth2/linkedin_token.php
+++ b/auth/oauth2/linkedin_token.php
@@ -116,6 +116,7 @@ if ($info2['http_code'] === 200) {
         $userHandler->saveUser($user);
     }
 
+    $auditLog->info("LOGIN,LinkedIn," . $user->id);
     $callbackHandler->manageLoginRedirect($user, $session);
 } else {
     //show information regarding the error
diff --git a/auth/saml2/aai.php b/auth/saml2/aai.php
index cb93949..59723e0 100644
--- a/auth/saml2/aai.php
+++ b/auth/saml2/aai.php
@@ -47,6 +47,7 @@ if (isset($_SERVER['Shib-Session-ID'])) {
         $userHandler->saveUser($user);
     }
 
+    $auditLog->info("LOGIN,eduGAIN," . $user->id);
     $callbackHandler->manageLoginRedirect($user, $session);
 } else {
     http_response_code(500);
diff --git a/auth/x509/certlogin.php b/auth/x509/certlogin.php
index e0ce9ea..ba9c20e 100644
--- a/auth/x509/certlogin.php
+++ b/auth/x509/certlogin.php
@@ -77,4 +77,5 @@ if ($session->x509DataToRegister !== null && $session->x509DataToRegister->name
     }
 }
 
+$auditLog->info("LOGIN,X.509," . $user->id);
 $callbackHandler->manageLoginRedirect($user, $session);
diff --git a/classes/MySQLDAO.php b/classes/MySQLDAO.php
index d93d82d..03b492c 100644
--- a/classes/MySQLDAO.php
+++ b/classes/MySQLDAO.php
@@ -208,9 +208,11 @@ class MySQLDAO implements DAO {
                 . " i.`id`, `type`, `typed_id`, `email`, `name`, `surname`, `institution`, `eppn`"
                 . " FROM identity i"
                 . " JOIN `user` u on u.id = i.user_id"
+                . " WHERE i.user_id IN"
+                . " (SELECT user_id FROM identity"
                 . " WHERE `email` LIKE :email OR `email` LIKE :emailPart"
                 . " OR `name` LIKE :name OR `surname` LIKE :surname"
-                . " OR CONCAT(`name`,' ',`surname`) LIKE :namesurname";
+                . " OR CONCAT(`name`,' ',`surname`) LIKE :namesurname)";
 
         $stmt = $dbh->prepare($query);
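Review bot: The intent of the new `WHERE i.user_id IN (SELECT user_id FROM identity ...)` — match the search terms against any identity, then return every identity of each matched user instead of only the matching rows — is stated nowhere, and the enclosing method starts before the hunk and continues after it, where the parameters are bound. A comment above the query, `// match on any identity, then return all identities of the matched users`, saves the next reader from reversing the subquery. The `:email`/`:name` patterns are bound outside the hunk; if they are built by wrapping raw input in `%`, a `%` or `_` typed by the user widens the match, so the term should be escaped with `addcslashes($term, '%_\\')` before the wildcards are added (the statement is prepared, so this is a matching issue, not injection).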
 
diff --git a/config-example.php b/config-example.php
index d73e7e8..8a66713 100644
--- a/config-example.php
+++ b/config-example.php
@@ -29,6 +29,7 @@ $PROTOCOL = stripos($_SERVER['SERVER_PROTOCOL'], 'https') ? 'https://' : 'http:/
 $BASE_PATH = $PROTOCOL . $_SERVER['HTTP_HOST'] . $CONTEXT_ROOT;
 
 $LOG_PATH = ROOT . "/logs/rap-service.log";
+$AUDIT_LOG_PATH = ROOT . "/logs/rap-audit.log";
 $LOG_LEVEL = Monolog\Logger::DEBUG;
 
 $CALLBACKS = [
@@ -48,25 +49,25 @@ $DATABASE = array(
     'dbtype' => 'MySQL',
     'hostname' => 'localhost',
     'port' => 3306,
-    'username' => 'rap',
-    'password' => '***REMOVED***',
+    'username' => 'XXXXXX',
+    'password' => 'XXXXXX',
     'dbname' => 'rap'
 );
 
 $AUTHENTICATION_METHODS = array(
     'eduGAIN' => array(),
     'Google' => array(
-        'id' => "***REMOVED***.apps.googleusercontent.com",
-        'secret' => "***REMOVED***",
+        'id' => "XXXXXX",
+        'secret' => "XXXXXX",
         'callback' => $BASE_PATH . "/auth/oauth2/google_token.php"),
     'Facebook' => array(
-        'id' => "***REMOVED***",
-        'secret' => "***REMOVED***",
+        'id' => "XXXXXX",
+        'secret' => "XXXXXX",
         'version' => "v2.2",
         'callback' => $BASE_PATH . "/auth/oauth2/facebook_token.php"),
     'LinkedIn' => array(
-        'id' => '***REMOVED***',
-        'secret' => '***REMOVED***',
+        'id' => 'XXXXXX',
+        'secret' => 'XXXXXX',
         'callback' => $BASE_PATH . '/auth/oauth2/linkedin_token.php'
     ),
     'X.509' => array(),
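Review bot: The removed lines in this hunk and in the `$GROUPER` hunk below carry `***REMOVED***` markers, which means real credentials were present in this tracked file at some point and were scrubbed in place; swapping them for `XXXXXX` fixes the example but does not address that exposure. Any database, OAuth or Grouper secret that ever appeared here should be treated as compromised and rotated if that has not already been done; `config.php` is already in `.gitignore`, so the example should never again hold anything but placeholders. A one-line comment above `$DATABASE`, `// placeholders only — real values live in config.php, which is not tracked`, makes that expectation explicit.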
@@ -79,12 +80,7 @@ $AUTHENTICATION_METHODS = array(
 );
 
 $GROUPER = array(
-    'wsURL' => 'http://localhost:8087/grouper-ws/',
-    'user' => 'GrouperSystem',
-    'password' => '***REMOVED***'
+    'wsURL' => 'http://hostname/grouper-ws/',
+    'user' => 'XXXXXX',
+    'password' => 'XXXXXX'
 );
-/*$GROUPER = array(
-    'wsURL' => 'https://sso.ia2.inaf.it/grouper-ws/',
-    'user' => 'GrouperSystem',
-    'password' => '***REMOVED***321'
-);*/
diff --git a/include/front-controller.php b/include/front-controller.php
index 5010fcd..202806f 100644
--- a/include/front-controller.php
+++ b/include/front-controller.php
@@ -99,7 +99,7 @@ Flight::route('GET /confirm-join', function() {
 
 Flight::route('POST /confirm-join', function() {
 
-    global $dao, $userHandler;
+    global $dao, $userHandler, $auditLog;
 
     $token = Flight::request()->data['token'];
 
@@ -114,6 +114,8 @@ Flight::route('POST /confirm-join', function() {
         die("Invalid token");
     }
 
+    $auditLog->info("JOIN," . $userIds[0] . "," . $userIds[1]);
+
     $userHandler->joinUsers($userIds[0], $userIds[1]);
     $dao->deleteJoinRequest($token);
 
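Review bot: The `JOIN` audit entry is written before `joinUsers()` runs, so if the join throws or the following `deleteJoinRequest()` fails the log records a merge that did not happen; move `$auditLog->info("JOIN," . $userIds[0] . "," . $userIds[1]);` to after `$dao->deleteJoinRequest($token);`. The `die("Invalid token")` branch just above is the attempt most worth auditing and gets no entry; `$auditLog->warning("JOIN_REJECTED," . $_SERVER['REMOTE_ADDR']);` before the `die` would cover it. The route closure starts before the hunk.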
diff --git a/include/init.php b/include/init.php
index 28f6587..568565e 100644
--- a/include/init.php
+++ b/include/init.php
@@ -44,6 +44,8 @@ include ROOT . '/config.php';
 date_default_timezone_set("Europe/Rome");
 $log = new Monolog\Logger('mainLogger');
 $log->pushHandler(new Monolog\Handler\StreamHandler($LOG_PATH, $LOG_LEVEL));
+$auditLog = new Monolog\Logger('auditLogger');
+$auditLog->pushHandler(new Monolog\Handler\StreamHandler($AUDIT_LOG_PATH, $LOG_LEVEL));
 
 switch ($DATABASE['dbtype']) {
     case 'MySQL':
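Review bot: The audit handler is built with `$LOG_LEVEL`, the same threshold as the service log, so a deployment that raises `$LOG_LEVEL` to `WARNING` silently drops every `LOGIN`/`JOIN` entry, all of which are written at `info`. The audit channel needs its own fixed threshold, `$auditLog->pushHandler(new Monolog\Handler\StreamHandler($AUDIT_LOG_PATH, Monolog\Logger::INFO));`, so it is not subject to the debug-level switch. Both loggers also write into the same `logs` directory under the web server user; if the audit file is meant to be tamper-evident, an append-only file or a syslog handler is the usual choice.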
diff --git a/sql/delete-user-procedure.sql b/sql/delete-user-procedure.sql
new file mode 100644
index 0000000..836d8c7
--- /dev/null
+++ b/sql/delete-user-procedure.sql
@@ -0,0 +1,8 @@
+DELIMITER //
+CREATE PROCEDURE delete_user (userId INT)
+BEGIN
+    UPDATE user SET primary_identity = NULL WHERE id = userId;
+    DELETE FROM identity WHERE user_id = userId;
+    DELETE FROM user WHERE id = userId;
+END; //
+DELIMITER ;
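Review bot: The three statements run outside a transaction, so with autocommit a failure after the identity rows are deleted leaves a user row with no identities and `primary_identity` already nulled; wrap the body in `START TRANSACTION;` ... `COMMIT;` so the deletion is atomic. The procedure also leaves no trace: the commit adds audit entries for logins and joins, but a user deletion, the most consequential account action here, is recorded nowhere, so the caller should write an audit entry with the deleted id. Whether pending join requests referencing the user (the table behind `deleteJoinRequest()`) also need cleanup cannot be told from here and is worth checking.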
-- 
GitLab