From 7106bbe9e3a80a3d5d76523ec93a751bd796eb44 Mon Sep 17 00:00:00 2001
From: Sonia Zorba
Date: Mon, 3 Jul 2017 15:02:35 +0200
Subject: [PATCH] Added direct IdP login button (for IA2 users), join procedure bugfix
---
 classes/GrouperClient.php | 59 +++++++++++++++++++++++++++++++++++
 classes/MySQLDAO.php | 9 +++---
 classes/UserHandler.php | 22 +++++++++++--
 config.php | 6 ++++
 img/ia2-logo-60x60.png | Bin 0 -> 1832 bytes
 include/front-controller.php | 38 +++++++++++++---------
 include/user-data.php | 2 +-
 views/confirm-join.php | 2 +-
 views/index.php | 26 +++++++++++----
 9 files changed, 135 insertions(+), 29 deletions(-)
 create mode 100644 img/ia2-logo-60x60.png
diff --git a/classes/GrouperClient.php b/classes/GrouperClient.php
index fb8927b..73029c3 100644
--- a/classes/GrouperClient.php
+++ b/classes/GrouperClient.php
@@ -85,6 +85,65 @@ class GrouperClient {
 }
 }
+ public function getSubjectPrivileges($subjectId) {
+
+ $params = $this->getBaseRequestParams();
+ $params['subjectId'] = $subjectId;
+ $params['subjectSourceId'] = 'RAP';
+
+ $response = $this->client->getGrouperPrivilegesLite($params);
+
+ $privilegesMap = [];
+ if ($this->isSuccess($response)) {
+ if ($response->return->privilegeResults !== null) {
+ foreach ($response->return->privilegeResults as $item) {
+ $groupName = $item->wsGroup->name;
+ $privilege = $item->privilegeName;
+
+ if (!array_key_exists($groupName, $privilegesMap)) {
+ $groupPrivileges = [];
+ } else {
+ $groupPrivileges = $privilegesMap[$groupName];
+ }
+ $groupPrivileges[] = $privilege;
+ $privilegesMap[$groupName] = $groupPrivileges;
+ }
+ }
+ }
+
+ return $privilegesMap;
+ }
+
+ private function getBasePrivilegeRequestParams($subjectId, $groupName, $privilegeNames) {
+ $params = $this->getBaseRequestParams();
+ $params['wsSubjectLookups'] = array(
+ 'subjectId' => $subjectId,
+ 'subjectSourceId' => 'RAP'
+ );
+ $params['wsGroupLookup'] = array(
+ 'groupName' => $groupName
+ );
+ $params['privilegeNames'] = $privilegeNames;
+
+ return $params;
+ }
+
+ public function assignPrivileges($subjectId, $groupName, $privilegeNames) {
+
+ $params = $this->getBasePrivilegeRequestParams($subjectId, $groupName, $privilegeNames);
+ $params['allowed'] = 'T'; // true
+
+ return $this->client->assignGrouperPrivileges($params);
+ }
+
+ public function removePrivileges($subjectId, $groupName, $privilegeNames) {
+
+ $params = $this->getBasePrivilegeRequestParams($subjectId, $groupName, $privilegeNames);
+ $params['allowed'] = 'F'; // false
+
+ return $this->client->assignGrouperPrivileges($params);
+ }
+
 public function addMemberships($subjectId, $groups) {
 foreach ($groups as $group) {
diff --git a/classes/MySQLDAO.php b/classes/MySQLDAO.php
index c5c5d9f..4dc5bcc 100644
--- a/classes/MySQLDAO.php
+++ b/classes/MySQLDAO.php
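Review bot: `assignPrivileges` and `removePrivileges` return the raw `assignGrouperPrivileges` response without consulting `isSuccess`, unlike `getSubjectPrivileges` in the same hunk, so a rejected privilege update is indistinguishable from a successful one for a caller that ignores the return value (which the new `UserHandler` code does). Because these methods are used to move privileges from one subject to another, a silent failure can leave the privileges removed from the old subject and never granted to the new one; checking the result in both methods is a three-line change: `$response = $this->client->assignGrouperPrivileges($params);` / `if (!$this->isSuccess($response)) { throw new \Exception('Grouper privilege update failed for ' . $groupName); }` / `return $response;`. The map-building loop in `getSubjectPrivileges` can also collapse to `$privilegesMap[$groupName][] = $privilege;`, removing the `array_key_exists` branch. The hunk mixes `[]` and `array(` syntax; `[]` is what the first method already uses.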
@@ -246,10 +246,10 @@ class MySQLDAO implements DAO {
 public function createJoinRequest($token, $applicantUserId, $targetUserId) {
- if($applicantUserId === $targetUserId) {
+ if ($applicantUserId === $targetUserId) {
 throw new \Exception("Invalid target user id");
 }
-
+
 $dbh = $this->getDBHandler();
 $stmt = $dbh->prepare("INSERT INTO `join_request`(`token`, `applicant_user_id`, `target_user_id`)"
@@ -303,8 +303,9 @@ class MySQLDAO implements DAO {
 $stmt1->execute();
 // Deleting user2 join requests
- $stmt3 = $dbh->prepare("DELETE FROM `join_request` WHERE `target_user_id` = :id2");
- $stmt3->bindParam(':id2', $userId2);
+ $stmt3 = $dbh->prepare("DELETE FROM `join_request` WHERE `target_user_id` = :tid2 OR `applicant_user_id` = :aid2");
+ $stmt3->bindParam(':tid2', $userId2);
+ $stmt3->bindParam(':aid2', $userId2);
 $stmt3->execute();
 // Deleting user2
diff --git a/classes/UserHandler.php b/classes/UserHandler.php
index 47824bb..b0b7330 100644
--- a/classes/UserHandler.php
+++ b/classes/UserHandler.php
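Review bot: Whether `$stmt1`, the widened `$stmt3` DELETE on `join_request` and the user deletion that follows run inside a single transaction is not visible in the second hunk; if they do not, an error after `$stmt3->execute()` leaves user2's join requests deleted while user2 itself still exists. If the enclosing method does not already wrap these statements, `$dbh->beginTransaction();` before the first statement and `$dbh->commit();` after the last, with `$dbh->rollBack();` in a `catch`, keeps the join atomic. The two binds of the same value can also be passed directly, `$stmt3->execute([':tid2' => $userId2, ':aid2' => $userId2]);`, which drops the `bindParam` pair. The enclosing method starts before and ends after this hunk.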
@@ -65,9 +65,25 @@ class UserHandler {
 if ($this->grouperConfig !== null) {
 $gc = new GrouperClient($this->grouperConfig);
- $groupsToMove = $gc->getSubjectGroups('RAP:' . $userId2);
- $gc->addMemberships('RAP:' . $userId1, $groupsToMove);
- $gc->removeMemberships('RAP:' . $userId2, $groupsToMove);
+ $grouperUser1 = 'RAP:' . $userId1;
+ $grouperUser2 = 'RAP:' . $userId2;
+
+ $groupsToMove = $gc->getSubjectGroups($grouperUser2);
+ $privilegesMap = $gc->getSubjectPrivileges($grouperUser2);
+
+ // Adding memberships
+ $gc->addMemberships($grouperUser1, $groupsToMove);
+ // Adding privileges
+ foreach ($privilegesMap as $groupName => $privileges) {
+ $gc->assignPrivileges($grouperUser1, $groupName, $privileges);
+ }
+
+ // Removing privileges
+ foreach ($privilegesMap as $groupName => $privileges) {
+ $gc->removePrivileges($grouperUser2, $groupName, $privileges);
+ }
+ // Removing memberships
+ $gc->removeMemberships($grouperUser2, $groupsToMove);
 }
 $this->dao->joinUsers($userId1, $userId2);
diff --git a/config.php b/config.php
index e13a8c3..d4cc396 100644
--- a/config.php
+++ b/config.php
@@ -64,6 +64,12 @@ $AUTHENTICATION_METHODS = array(
 'callback' => $BASE_PATH . '/auth/oauth2/linkedin_token.php'
 ),
 'X.509' => array(),
+ 'DirectIdP' => array(
+ 'url' => 'https://sso.ia2.inaf.it/Shibboleth.sso/Login?entityID=https://sso.ia2.inaf.it/idp/shibboleth&target=https://sso.ia2.inaf.it/rap-ia2/auth/saml2/aai.php',
+ 'logo' => 'img/ia2-logo-60x60.png',
+ 'logo_alt' => 'IA2 logo',
+ 'description' => 'Use the IA2 Logo to Login if you have an account provided by IA2 or self registered'
+ )
 );
 $GROUPER = array(
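Review bot: The results of `assignPrivileges` and `removePrivileges` are discarded in both `foreach` loops, and the removal phase on `$grouperUser2` runs regardless of whether the grants to `$grouperUser1` succeeded, so a Grouper error in the first loop ends with privileges removed from user2 but never granted to user1, after which `$this->dao->joinUsers` still runs. Unless `GrouperClient` throws on a non-success response (not visible in this diff), each result should be checked and the join aborted before the removal phase begins, e.g. by raising an exception from the client on failure and letting it propagate here. A comment above the second loop would make the ordering contract explicit: `// Remove from user2 only after every grant to user1 succeeded; a failure above must abort the join.` Note that the Grouper changes happen before the database join and are not rolled back if `joinUsers` fails. The enclosing method starts before this hunk.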
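Review bot: The `DirectIdP` `url` hard-codes the production host in the `target` return address (`https://sso.ia2.inaf.it/rap-ia2/auth/saml2/aai.php`), whereas the neighbouring entries derive their callback from `$BASE_PATH` (`'callback' => $BASE_PATH . '/auth/oauth2/linkedin_token.php'`), so a staging or test deployment using this config would return users to production after IdP login. Building the target from the same base, e.g. `'url' => 'https://sso.ia2.inaf.it/Shibboleth.sso/Login?entityID=https://sso.ia2.inaf.it/idp/shibboleth&target=' . urlencode($BASE_PATH . '/auth/saml2/aai.php'),`, keeps it environment-consistent; the `target` value should be URL-encoded either way, since it is a full URL nested inside another query string. Whether `$BASE_PATH` carries scheme and host is not visible in this hunk and would need confirming for the SAML target.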
diff --git a/img/ia2-logo-60x60.png b/img/ia2-logo-60x60.png new file mode 100644 index 0000000000000000000000000000000000000000..f93ef2495577ed01ad2a5ac25578607dd9891670 GIT binary patch literal 1832 zcmeAS@N?(olHy`uVBq!ia0y~yV6XvU4mJh`2CF|eix?Of*pj^6T^Rm@;DWu&Co?cG za29w(7BevLUI$@DCym(^3=9nHC7!;n><`(5xp=uhpZ0ZSU|`$o>EalYaqsQy`kX1{ zvd81+zyEyTtETLN1CLBfl0&yyZZ=x7SG)OUpN09+vojA)%eCc-X8Fc#D6AR#aLLjG z%O;6z<5{M?CE9TAtWM!rv9;$m+}m2(v(#hG>{+RXQoP<=cVb`K-tVv964?1Ru<_nj z_4!Z!?WndpKl%OZpEdj5zyJQZ@?B%M8Qj*V}TrwP2-Tp;J~x z;mY~v?)Q{GsJmQmZQva$K6(0?-}_Hw0-OtX=laCM8Iaq3Tua zv~ZPT;T>;ZxJ-U=m*ta!LFtFhj&(3^NKYQ;#*Gqc3 z=imRYmy(MjjXF=uOYn&~w6>}}SZ}*LyFW0IbN*HL63=rC+E%~c*v0r)@18Au;6UfZ zoJ~JUcb*kY_<1x^dCey+!IQiR*?-h{jD3OTG@YQXnme^ zE^mr!)|t%CTL^xr;?(8O&d=oKqm(m^9>aj*P&e>l%s+WHC7P!?Ql5|S=B5%9fUZK-b zDc;-SIzPN|P*jjMW}I#N!2kU`g=6)MGZtOuT6FS|zszc1>b`2A!B$ZvdGH-hEfw;)O$3wPC3J7kSYq#Us@urYw zG0Ef6(~}PfHZPT&!6(%H{d@<*kB67iMC)2N&3nFU-5JRTe-`ZK+`;+7;pm;S`Qdye zGOi(OD#IG^*kKJ$E3;nkwC*SwGW3sz0;`(p#IRX>c zH;YIKy*{qGA^g?{i9_OrXHNdpKhHg5wZ1?1qxR;tT>D)j-Mz1eKIXF6pHj@Z=qtmk z*IA{${4W-7Ins6cS<7MNhK~2|Wz3HrzG69XWi8`(-h^om!8YH1aD9{0GJ5odqvZF) z2fZf}LazvEAG>b6%1m&r;1j;UcVAXJ*~@$ue8;`RpLuhG{gJzz*=$pOw3Rz<*VZYB zO8U-t;Z9-i#;O|}cmMwseA36rn!uj>mNnVx(9eatuCDrIGQlM5lwax9JwMks_p&pm zooc`DG&9Mxz;xOA3xQ6~%eFn_nvyl)ZCPZ&-x(}=Gqyhs-nV#egZiq~kLGUO{eSi2 z3o^gwg#NX3TFl#iZHerieJ>mvUBgQF9&Sob)?T{4x@c1A7TymIbp|3j4q7rbt`8Yb zIlrm?`)dnR+MC4+uU6PJ$IZ}t#>#x|`>!(1nC2JN!an~`eObNvH^+n$monjt503{} z{+HcwKWxXv%+9-}X$^Y={>E~JI@n*^xqG{EkpUYy&JrVPe$YRufo7@Jm+@3a(Uj?H*rq-XLWnVKXI+#^`Ck$u~_y~<<`u-{8jr|&#?Y`rf|Bw-PY#njD7Q0W&OKg@=0`-^*15CZeHv6 zSL;HLyewSv?o;Uhy@e-3T0VQf7F&Iyv2o*xvnSWhdMKZ?z0AM-_wVOCx(OAlE@>?~ z{>Q$}>7`uJ>{?mD3BF1#e+yQqCLf6N{OiNh-k7QM>ukjqv!XbsP3s>^E8KR8d>P*Q zjpy}^EA!HQ>iAc&UaN3z>Gtp4moe2nrso~|GRE~s)8j(R_cBU{29>nA*GB7YOc)I$ztaD0e F0swYXj6nbZ literal 0 HcmV?d00001 diff --git a/include/front-controller.php b/include/front-controller.php index 2c94ee4..bab647c 100644 --- a/include/front-controller.php 
+++ b/include/front-controller.php
@@ -7,17 +7,19 @@
 */
 //
-function setCallback() {
+function setCallback($callback) {
 global $session, $callbackHandler;
- $callback = Flight::request()->data['callback'];
- $session->setCallbackURL($callbackHandler, isset($callback) ? $callback : null);
+ if (!isset($callback) || $callback === '') {
+ $callback = null;
+ }
+ $session->setCallbackURL($callbackHandler, $callback);
 return $session->getCallbackURL();
 }
 Flight::route('/', function() {
 startSession();
- $callback = setCallback();
+ $callback = setCallback(Flight::request()->data['callback']);
 global $session, $callbackHandler, $AUTHENTICATION_METHODS;
 if ($callback !== null && $session->user !== null) {
 $redirectURL = $callbackHandler->getLoginWithTokenURL($session->user->id, $callback);
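Review bot: `isset($callback)` on a function parameter only tests for `null`, so the new guard reads more directly as `if ($callback === null || $callback === '') {`; the `!isset` form implies a variable that might be undefined, which a parameter never is. Whether `Flight::request()->data['callback']` yields `null` or an undefined-index notice when the form field is absent depends on Flight's request collection and is not visible here; the call site `setCallback(Flight::request()->data['callback'])` relies on it being `null`. A short docblock on `setCallback` would help now that it both stores the value and returns the session's effective callback URL: `/** Stores $callback in the session (null or empty string means none) and returns the session's current callback URL. */`.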
@@ -34,29 +36,37 @@ Flight::route('GET /logout', function() {
 Flight::redirect('/');
 });
-Flight::route('/google', function() {
+function sendAuthRedirect($url) {
 startSession();
- Flight::redirect('/auth/oauth2/google_token.php');
+ // reload callback from query to avoid problem with session shared between
+ // multiple browser tabs
+ setCallback(Flight::request()->query['callback']);
+ Flight::redirect($url);
+}
+
+Flight::route('/google', function() {
+ sendAuthRedirect('/auth/oauth2/google_token.php');
 });
 Flight::route('/facebook', function() {
- startSession();
- Flight::redirect('/auth/oauth2/facebook_login.php');
+ sendAuthRedirect('/auth/oauth2/facebook_login.php');
 });
 Flight::route('/linkedIn', function() {
- startSession();
- Flight::redirect('/auth/oauth2/linkedin_login.php');
+ sendAuthRedirect('/auth/oauth2/linkedin_login.php');
 });
 Flight::route('/eduGAIN', function() {
- startSession();
- Flight::redirect('/auth/saml2/aai.php');
+ sendAuthRedirect('/auth/saml2/aai.php');
 });
 Flight::route('/x509', function() {
- startSession();
- Flight::redirect('/auth/x509/certlogin.php');
+ sendAuthRedirect('/auth/x509/certlogin.php');
+});
+
+Flight::route('/direct', function() {
+ global $AUTHENTICATION_METHODS;
+ sendAuthRedirect($AUTHENTICATION_METHODS['DirectIdP']['url']);
 });
 Flight::route('GET /confirm-join', function() {
diff --git a/include/user-data.php b/include/user-data.php
index ca50bf0..e2e7b4a 100644
--- a/include/user-data.php
+++ b/include/user-data.php
@@ -1,7 +1,7 @@ identities as $identity) { ?>
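Review bot: `sendAuthRedirect` now takes `callback` from the GET query string on every provider route and stores it in the session through `setCallback`, which is a new entry point for a value that later becomes a redirect target (`getLoginWithTokenURL($session->user->id, $callback)` in the previous hunk); whether `setCallbackURL` validates it against the configured callbacks is not visible in this diff and should be confirmed, since otherwise a crafted link to one of these routes could set an arbitrary post-login destination. The comment on the function could record that contract once confirmed: `// Callback is reloaded from the query string so each tab carries its own; setCallbackURL validates it before it is stored.` `/direct` redirects to an absolute external URL from config while the other routes pass app-relative paths; confirm `Flight::redirect` passes absolute URLs through unchanged rather than prefixing the base path.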
- + primary) { ?> diff --git a/views/confirm-join.php b/views/confirm-join.php index 15372a6..1c22d6a 100644 --- a/views/confirm-join.php +++ b/views/confirm-join.php @@ -38,7 +38,7 @@ include 'include/header.php';

Pressing the following button the identities listed above will be joined.

-
+
diff --git a/views/index.php b/views/index.php index 053d478..bd9a127 100644 --- a/views/index.php +++ b/views/index.php @@ -9,12 +9,12 @@ include 'include/header.php';

getCallbackTitle(); ?>

-
+
@@ -25,17 +25,17 @@ include 'include/header.php';
- + Google Logo - + Facebook Logo - + LinkedIn Logo @@ -46,13 +46,23 @@ include 'include/header.php';
Use the X.509 Logo to Login with your personal certificate (IGTF and TERENA-TACAR, are allowed).
+ +
+
+ + <?php echo $auth['DirectIdP']['logo_alt']; ?> + +
+ +
+
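Review bot: `$auth['DirectIdP']['logo_alt']` is echoed into the markup without escaping; the value comes from config.php rather than user input, so the risk today is low, but wrapping it as `htmlspecialchars($auth['DirectIdP']['logo_alt'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps the template safe if the configuration is ever externalized, and the same applies to `description` if it is echoed nearby. The surrounding markup of this hunk was stripped in this rendering, so the attribute context cannot be confirmed from the diff.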
@@ -124,6 +134,10 @@ include 'include/header.php';
+ +