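// ##########################################################
// Author: Martin Haase / DAASI International GmbH / TextGrid
// Creation date: 2010-09-23
// Modification date: 2017-02-27
// Version: 0.3 - user management is done in DARIAH now
// ##########################################################

// This is a modified version of TextGridWebAuth.php
// to hand over SIDs to known services. it also contains code
// from the annotation sandbox getJWT script
// created 2020-12-03

// 2022-02-07 - Added redirect URL as URI fragment.

// /etc/dhrep/tgauth/redirectSidConfig.php contains allowed domains
// ($ALLOWED_DOMAINS) and is configured by puppet
//
// Flow: Shibboleth (in front of /secure) sets REMOTE_USER; an RBAC session is
// created for that user and the resulting SID is handed to the caller by a
// 303 redirect to the allow-listed return URL, either as "?sid=<sid>" (default)
// or as URI fragment "#<sid>" (type=hash). The SID is a bearer credential, so
// the return URL is validated before any session is created, and every
// failure path exits instead of falling through to the redirect.

include("../tglib/RBAC.class.php");
include("../tglib/WebUtils.class.php");

include_once('/etc/dhrep/tgauth/redirectSidConfig.php');
$configfile = "/etc/dhrep/tgauth/conf/config_tgwebauth.xml";

$util = new WebUtils;

// NOTE: $_GET is already URL-decoded by PHP; the additional urldecode() is kept
// for callers that double-encode the return URL (behaviour since 2022-02-07).
// The decoded string is exactly what we redirect to, so the checks below run
// on $returnURL itself -- validating the raw $_GET value while redirecting to
// a differently-decoded string would let the two disagree.
$returnURL  = isset($_GET['return']) ? urldecode($_GET['return']) : '';
$returnType = isset($_GET['type'])   ? urldecode($_GET['type'])   : '';

if ($returnURL === '') {
    echo 'error: no return URL';
    exit;
}

// parse_url() returns false for seriously malformed URLs; treat that like a
// non-https URL (fail closed).
$returnUrlComponents = parse_url($returnURL);
if ($returnUrlComponents === false
    || !isset($returnUrlComponents['scheme'])
    || $returnUrlComponents['scheme'] !== 'https') {
    echo 'error: no https domain';
    exit;
}

// Only the host is consulted against the allow-list (port, user-info and path
// are not). Strict comparison so that a missing host (null) can never match.
$returnHost = isset($returnUrlComponents['host']) ? $returnUrlComponents['host'] : '';
if ( !in_array ($returnHost, $ALLOWED_DOMAINS, true)) {
   // The return URL is attacker-controlled: escape it before reflecting it
   // into the (text/html) error page.
   echo 'Error: the domain of '
      . htmlspecialchars($returnURL, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
      . ' is not known to this service.';
   exit(0);
}

// A fragment in the return URL would swallow the "?sid=..." appended below
// (nothing after '#' is sent to the service) and would corrupt the
// "#<sid>" variant, so refuse it up front.
if (isset($returnUrlComponents['fragment'])) {
    echo 'error: return URL must not contain a fragment';
    exit;
}

$authZinstance = isset($_REQUEST["authZinstance"]) ? $_REQUEST["authZinstance"] : '';
if ( strlen($authZinstance) <= 0 ) {
  $util->printAuthFailure("no_tgauth_instance_heading",
		      "no_tgauth_instance_detail",
		      null,
		      null );
  exit;
}

$rbac = new RBAC ( $configfile, $authZinstance );

// Variant 1: Authentication at Community LDAP
// now unsused

// Variant 2: Shibboleth gave us the right REMOTE_USER.
// We create a Session here in RBAC, also for Variant1
if (isset ($_SERVER["REMOTE_USER"])) {

  // now creating session, activating roles, etc, in RBAC
  $CSResult = $rbac->createSession( $_SERVER["REMOTE_USER"] );
  $CSResult["rbachash"]["identity_provider"] =
      isset($_SERVER["Shib-Identity-Provider"]) ? $_SERVER["Shib-Identity-Provider"] : null;

  if (!$CSResult["success"]) {
    $util->printAuthFailure("sid_create_failure_heading",
			    $CSResult["detail"],
			    isset($_REQUEST["loginname"]) ? $_REQUEST["loginname"] : null,
			    $CSResult["rbachash"]
			    );
    // A failed session creation must never reach the redirect below
    // (previously it fell through and redirected with an undefined SID).
    exit;
  }
}
// not enough information, exiting.
else {

    // check if we came via Shibboleth, but without an eduPersonPrincipalName
    // (which would have been the REMOTE_USER)
    if (isset( $_SERVER['Shib-Session-ID'] )) {
	  $util->printAuthFailure("shib_login_failure_heading",
				  "shib_login_failure_detail",
				  "(Shibboleth login, but no ePPN provided)",
				  null );
    } else {
          // 'XXXX' is the placeholder the original passed as login name here.
      	  $util->printAuthFailure("authn_failure_heading",
				  "authn_failure_detail_nothing_to_do",
				  'XXXX',
				  null );
	  trigger_error("WebAutnN: reached /secure, but no Shibboleth Session ID. This should not have happened.", E_USER_WARNING);
    }
    // Both unauthenticated cases stop here; the old code only exited in one
    // of them and otherwise redirected with an empty "sid=".
    exit;
}

// Defensive: never hand out an empty SID even if RBAC reported success.
$sid = isset($CSResult['rbachash']['Sid']) ? (string) $CSResult['rbachash']['Sid'] : '';
if ($sid === '') {
    echo 'error: no session id';
    exit;
}

if ( $returnType == "hash" ) {
    // Redirect URL as URI fragment: the fragment is not sent to the service's
    // server, so the SID stays out of its access logs and Referer headers.
   $redirectURL = $returnURL . '#' . $sid;
} else {
   // Query-string variant: the SID will appear in the target's access logs and
   // may leak via Referer; prefer type=hash where the consumer supports it.
   $sep = (strpos($returnURL, '?') !== false) ? '&' : '?';
   $redirectURL = $returnURL . $sep . 'sid=' . rawurlencode($sid);
}

// The Location header carries a credential: forbid caching of this response.
// (header() itself refuses values containing CR/LF, which blocks header
// injection through the decoded return URL.)
header ('Cache-Control: no-store');
header ('Location: ' . $redirectURL, TRUE, 303);
exit;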