From 0ef695f072145738358235f3f22f71140a289fa8 Mon Sep 17 00:00:00 2001 From: Martin Haase <martin.haase@daasi.de> Date: Mon, 10 May 2010 07:14:22 +0000 Subject: [PATCH] finally move to right place git-svn-id: https://textgridlab.org/svn/textgrid/trunk/middleware/tgauth@6160 7c539038-3410-0410-b1ec-0f2a7bf1c452 --- .../WebAuthN/WebAuthN.php | 80 +++ .../WebAuthN/authenticate.php | 74 +++ .../config_tgwebauth-dist.xml | 28 + .../secure/TextGrid-WebAuth.php | 446 +++++++++++++++ .../secure/index.php | 5 + .../secure/soapTypes.inc.php | 528 ++++++++++++++++++ 6 files changed, 1161 insertions(+) create mode 100644 info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN.php create mode 100644 info.textgrid.middleware.tgauth.webauth/WebAuthN/authenticate.php create mode 100644 info.textgrid.middleware.tgauth.webauth/config_tgwebauth-dist.xml create mode 100644 info.textgrid.middleware.tgauth.webauth/secure/TextGrid-WebAuth.php create mode 100644 info.textgrid.middleware.tgauth.webauth/secure/index.php create mode 100644 info.textgrid.middleware.tgauth.webauth/secure/soapTypes.inc.php diff --git a/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN.php b/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN.php new file mode 100644 index 0000000..499e4ea --- /dev/null +++ b/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN.php 
@@ -0,0 +1,80 @@ +<?php +// ####################################################### +// Author: Martin Haase / DAASI International GmbH +// Creation date: 02.12.2008 +// Modification date: 07/05/2010 +// Version: 2.0 +// ####################################################### + +header("Content-Type: text/html; charset=UTF-8"); + +$authZinstance = $_REQUEST["authZinstance"]; +if ($authZinstance == null) { + echo "Error: no authZinstance provided!"; + exit; +} +?> +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" + "http://www.w3.org/TR/html4/strict.dtd"> +<html> +<head> +<meta http-equiv="content-type" content="text/html; charset=UTF-8"> +<title>TextGrid WebAuth</title> +</head> +<body> + +<h2>TextGridLab Login</h2> +<table border="1" rules="cols" cellpadding="4"> +<tr> +<td align="center" valign="top"> +<h3>textgrid.de account</h3> +</td> + +<td align="center" valign="top"> +<h3>Home account</h3> +</td> +</tr> + +<tr> +<td rowspan="2"> +<form action="authenticate.php" method="POST" name="textgriddeform"> + <p>Login:<br><input name="loginname" type="text" size="30" maxlength="30" value="Login ID" onclick="MachLeer()"></p> + <p>Password:<br><input name="password" type="password" size="30" + maxlength="30"></p> +<?php + echo "<input name=\"authZinstance\" type=\"hidden\" value=\"". $authZinstance . "\"/>"; +?> + <input type="submit" value="log in"> +</form> +<script type="text/javascript"> +document.textgriddeform.loginname.focus(); +document.textgriddeform.loginname.select(); +function MachLeer () { + if (document.textgriddeform.loginname.value == "Login ID") + document.textgriddeform.loginname.value = ""; +} +</script> +</td> + + +<td align="center" valign="top"> +<form action="../secure/TextGrid-WebAuth.php"> +<?php + echo "<input name=\"authZinstance\" type=\"hidden\" value=\"". $authZinstance . 
"\"/>"; +?> + <input type="submit" value="log in via DFN-AAI"> +</form> +</td> +</tr> + +<tr> +<td>If your school is not listed among the organizations on the +DFN-AAI page, or if you encounter problems during log-in, you are +welcome to <b>request a textgrid.de account</b> using the form +on <a href="http://www.textgrid.de/beta/installation.html">http://www.textgrid.de/beta/installation.html</a>. +</td> +</tr> +</table> + +</body> +</html> diff --git a/info.textgrid.middleware.tgauth.webauth/WebAuthN/authenticate.php b/info.textgrid.middleware.tgauth.webauth/WebAuthN/authenticate.php new file mode 100644 index 0000000..76cf728 --- /dev/null +++ b/info.textgrid.middleware.tgauth.webauth/WebAuthN/authenticate.php 
@@ -0,0 +1,74 @@ +<?php +// ####################################################### +// Author: Martin Haase / DAASI International GmbH +// Creation date: 02.12.2008 +// Modification date: 07.05.2010 +// Version: 1.0 +// ####################################################### + +mb_internal_encoding("UTF-8"); + +$config = new DOMDocument(); +$config->load('../../../config_tgwebauth.xml'); +$xpath = new DOMXPath($config); +$xpath->registerNamespace("c", "http://textgrid.info/namespaces/middleware/tgwebauth"); + +$ldaphost = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='host']")->item(0)->nodeValue; +$ldapport = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='port']")->item(0)->nodeValue; +$binddn = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='binddn']")->item(0)->nodeValue; +$basedn = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='basedn']")->item(0)->nodeValue; +$filter = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='filter']")->item(0)->nodeValue; +$IDattribute = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='IDattribute']")->item(0)->nodeValue; +$LDAPname = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='name']")->item(0)->nodeValue; + + +$authZinstance = $_REQUEST["authZinstance"]; +$login = $_REQUEST["loginname"]; +$password = $_REQUEST["password"]; + + +// LDAP +$ldapconn = ldap_connect( $ldaphost, $ldapport ) + or die( "Cannot connect to {$ldaphost}!" ); +ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); +ldap_start_tls( $ldapconn ); + +$binddn = preg_replace ('/\${login}/', $login, $binddn); +$bound = ldap_bind($ldapconn, $binddn , $password); +if (!$bound) { + ?> + <html><head><title>Test</title> + </head><body> + Authentication failed, wrong login and/or password. Go <a href="javascript:history.back()">back</a> to login page. 
+ </body></html> + <?php + exit; +} else { + //echo "Could bind as user ${login}!"; + $filter = preg_replace ('/\${login}/', $login, $filter); + $result = ldap_search( $ldapconn, $basedn, $filter); + $entry = ldap_first_entry( $ldapconn , $result ); + + $attrs = ldap_get_attributes ($ldapconn , $entry); + + $TGID = $attrs[$IDattribute][0]; + + $_SERVER["REMOTE_USER"] = $TGID; + + foreach (array("o", "sn", "givenName", "cn", "mail") as $a) { + if ( isset($attrs[$a])) { + $vals = array(); + for ($i=0; $i<$attrs[$a]['count']; $i++) { + $vals[] = $attrs[$a][$i]; + } + $_SERVER[$a] = implode (';', $vals); + } + } + +} + +$_SERVER["Shib-Identity-Provider"] = $LDAPname; + +include("../secure/TextGrid-WebAuth.php"); //assuming the request context remains + +?> diff --git a/info.textgrid.middleware.tgauth.webauth/config_tgwebauth-dist.xml b/info.textgrid.middleware.tgauth.webauth/config_tgwebauth-dist.xml new file mode 100644 index 0000000..20f0a4e --- /dev/null +++ b/info.textgrid.middleware.tgauth.webauth/config_tgwebauth-dist.xml 
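Review bot: `ldap_bind($ldapconn, $binddn, $password)` is reached with whatever the form submitted, and an empty `$password` makes the call an anonymous bind that returns true on many directory servers, so leaving the password field blank would log the user in as `$login`; reject empty credentials before connecting. The login name is also substituted into the bind DN and the search filter by `preg_replace` with no LDAP escaping (and `$n` sequences in `$login` are interpreted as backreferences), which lets a crafted login name change the filter; `str_replace` with `ldap_escape()` for the DN and filter contexts fixes both. The return value of `ldap_start_tls()` is ignored, so if TLS negotiation fails the bind proceeds and the password crosses the wire in the clear on port 389. `ldap_first_entry()` and `$attrs[$IDattribute][0]` are likewise used without checking that the search actually returned an entry with that attribute.
```php
$login = isset($_REQUEST["loginname"]) ? $_REQUEST["loginname"] : '';
$password = isset($_REQUEST["password"]) ? $_REQUEST["password"] : '';
if ($login === '' || $password === '') {
    // ldap_bind() with an empty password is an anonymous bind that "succeeds"
    echo "Authentication failed, wrong login and/or password.";
    exit;
}
// … unchanged: ldap_connect / LDAP_OPT_PROTOCOL_VERSION …
ldap_start_tls( $ldapconn )
    or die( "Cannot start TLS with {$ldaphost}!" );

$binddn = str_replace('${login}', ldap_escape($login, '', LDAP_ESCAPE_DN), $binddn);
// … unchanged: ldap_bind and the failure page …
$filter = str_replace('${login}', ldap_escape($login, '', LDAP_ESCAPE_FILTER), $filter);
```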
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<conf xmlns="http://textgrid.info/namespaces/middleware/tgwebauth">
+ <authn type="community">
+ <key name="host">ldap.example.org</key>
+ <key name="port">389</key>
+ <key name="binddn">uid=${login},ou=users,dc=example,dc=org</key>
+ <key name="basedn">ou=users,dc=example,dc=org</key>
+ <key name="filter">(uid=${login})</key>
+ <key name="IDattribute">eduPersonPrincipalName</key>
+ <key name="name">TextGrid Community Authentication Server</key>
+ </authn>
+ <authz instance="rbac1">
+ <rbacbase>http://www.example.org/rbac1/</rbacbase>
+ <sessioncreator>
+ <user>user1</user>
+ <password>password1</password>
+ </sessioncreator>
+ <setnamessecret>secret1</setnamessecret>
+ </authz>
+ <authz instance="rbac2">
+ <rbacbase>http://www.example.org/rbac2/</rbacbase>
+ <sessioncreator>
+ <user>user2</user>
+ <password>password2</password>
+ </sessioncreator>
+ <setnamessecret>secret2</setnamessecret>
+ </authz>
+</conf>
diff --git a/info.textgrid.middleware.tgauth.webauth/secure/TextGrid-WebAuth.php b/info.textgrid.middleware.tgauth.webauth/secure/TextGrid-WebAuth.php
new file mode 100644
index 0000000..b9dcb5a
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.webauth/secure/TextGrid-WebAuth.php
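Review bot: The template gives no hint what `${login}` in `binddn` and `filter` stands for, nor that `password` and `setnamessecret` are live shared secrets once the file is copied to `config_tgwebauth.xml`; authenticate.php substitutes `${login}` with the login name typed into the form, and TextGrid-WebAuth.php reads the other two. An XML comment above `<authn>` such as `<!-- ${login} is replaced with the login name entered by the user; the copied config holds credentials and must be readable only by the web server user -->` would tell an operator what the placeholder means and why the file is loaded from outside the served tree (the `../../../` path in both scripts suggests that is the intent).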
@@ -0,0 +1,446 @@ +<?php +// ####################################################### +// Authors: Markus Widmer & Martin Haase +// Creation date: 08.07.2007 +// Modification date: 07/05/010 +// Version: 2.0 +// ####################################################### + +header('Content-Type: text/html; charset=utf-8'); + +//phpinfo(); +require_once( "soapTypes.inc.php" ); + +$config = new DOMDocument(); +$config->load('../../../config_tgwebauth.xml'); +$xpath = new DOMXPath($config); +$xpath->registerNamespace("c", "http://textgrid.info/namespaces/middleware/tgwebauth"); + + +$authZinstance = $_REQUEST["authZinstance"]; +$rbacInstance = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']"); +if ($rbacInstance->length == 0) + { + echo "Error: '${authZinstance}' has no RBAC base configured!<br>\n"; + exit; + } + +$rbacbase = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:rbacbase")->item(0)->nodeValue; +$sessionCreatorUid = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:sessioncreator/c:user")->item(0)->nodeValue; +$sessionCreatorPw = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:sessioncreator/c:password")->item(0)->nodeValue; +$setnamessecret = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:setnamessecret")->item(0)->nodeValue; + +// the session creation status will collect all messages +// during the course of authentication +$scstatus = ""; + +$remote_user = $_SERVER["REMOTE_USER"]; +$identity_provider = $_SERVER["Shib-Identity-Provider"]; +if (isset($_SERVER["givenName"])) { $givennames = $_SERVER["givenName"];} else { $givennames = "";} +if (isset($_SERVER["sn"])) { $surnames = $_SERVER["sn"];} else { $surnames = "";} +if (isset($_SERVER["cn"])) { $cns = $_SERVER["cn"];} else { $cns = "";} +if (isset($_SERVER["mail"])) { $mails = $_SERVER["mail"];} else { $mails = "";} +if (isset($_SERVER["o"])) { $organisations = $_SERVER["o"];} else { $organisations = "";} + + +$identified_user = 
identify($remote_user, $identity_provider); + +if ($identified_user['authnmethod'] == 'none') { + format_error("User ID not given by home institution", + "Your school (its Identity Provider) did not provide a useable User ID to TextGrid.<br/>\n" + ."Please contact your school's computing centre and ask them to release to TextGrid's Service Provider " + ."at least one of the following attributes: eduPersonPrincipalName, PersistentID or TargetedID. Thank you."); + exit; +} else { + $scstatus .= "Authentication Method: ". $identified_user['authnmethod'] . "; "; + $remote_user = $identified_user['user'] . "@" . $identified_user['scope']; +} + + +// ----------------------------------------------------- +// You'll need these services +// ----------------------------------------------------- +$soapExtra = new SoapClient( $rbacbase . "wsdl/tgextra.wsdl" ); +$soapPolicy = new SoapClient( $rbacbase . "wsdl/tgsystem.wsdl" ); +$soapReview = new SoapClient( $rbacbase . "wsdl/tgreview.wsdl" ); +$soapAdministration = new SoapClient( $rbacbase . "wsdl/tgadministration.wsdl" ); + + +// ----------------------------------------------------- +// Before you can create a session you have to +// authenticate. If this was successful you get a +// session-ID that you should keep +// ----------------------------------------------------- +$authReq = new authenticateRequest(); +$authReq->username = $sessionCreatorUid; +$authReq->password = $sessionCreatorPw; + + +//echo "<HR/>"; +//echo "Doing authentication...<BR/>"; + +try { + $authResponse = $soapExtra->authenticate( $authReq ); + + if( preg_match( "/[0-9a-z]{2,}/i", $authResponse->auth ) ) { + $scstatus .= "WebAuth authenticated at RBAC, received an internal SessionId. "; + } + +} catch( SoapFault $f ) { + format_error("Internal Error", + "SOAP FAULT (authenticate)!: " . $f->faultcode . " / " . $f->faultstring . " / " . 
$f->detail ); + exit; +} + + + +// ----------------------------------------------------- +// Now you can try to add an active role to your session creator session +// ----------------------------------------------------- +$addRoleReq = new addActiveRoleRequest(); +$addRoleReq->username = $sessionCreatorUid; +$addRoleReq->role = "sessionCreator,Anwendung"; +$addRoleReq->auth = $authResponse->auth; + +//echo "<HR/>"; +//echo "Adding active role...<BR/>"; + +try { + + $addRoleResponse = $soapExtra->tgAddActiveRole( $addRoleReq ); + + if( $addRoleResponse->result ) { + + //echo "DONE.<BR/>"; + $scstatus .= "Added active role of application; "; + + } else { + format_error("Internal Error", + "Could not add Role for application."); + exit; + } +} +catch( SoapFault $f ) { + format_error("Internal Error", + "SOAP FAULT (tgAddActiveRole)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail ); + exit; +} + + +$userexistreq = new userExistsRequest(); +$userexistreq->auth = $authResponse->auth; +$userexistreq->username = $remote_user; + +try { + $existresult = $soapExtra->userExists($userexistreq); + if (! $existresult->result) { + try { + $adduserrequest = new addUserRequest(); + $adduserrequest->intSid = $authResponse->auth; + $adduserrequest->username = $remote_user; + $adduserrequest->password = "gnuelpfix"; // this is not relevant and will never be checked + + $addedUser = $soapAdministration->addUser($adduserrequest); + if ($addedUser) { + $scstatus .= "Added user information to authorization database; "; + } else { + format_error("Internal Error", + "Could not add your user ID to authorization database." ); + exit; + } + + } catch(SoapFault $f) { + format_error("Internal Error", + "SOAP FAULT (AddUser)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail ); + exit; + } + } else { + $scstatus .= "user exists in authentication database; "; + } +} catch (SoapFault $f) { + format_error("Internal Error", + "SOAP FAULT (UserExists)!: " . 
$f->faultcode . " / " . $f->faultstring . " / " . $f->detail ); + exit; +} + + +// ----------------------------------------------------- +// If this was successful you have to add an appropriate +// role to your active session that allows you to create +// a session for someone else. +// ----------------------------------------------------- +$creReq = new createSessionRequest(); +$creReq->intSid = $authResponse->auth; +//$creReq->username = "mhaase@uni-tuebingen.de"; +$creReq->username = $remote_user; + +//$creReq->roleset = Array( "Projektleiter,Projekt-1,Projekt-Teilnehmer" ); +//$creReq->roleset = Array( "Bearbeiter,Projekt-1,Projekt-Teilnehmer" ); + +// get ALL available roles... +$rolesobject = new authorizedRolesRequest(); +$rolesobject->intSid = $authResponse->auth; +$rolesobject->username = $remote_user; + +try { + $roleResponse = $soapReview->authorizedRoles($rolesobject); + +// cannot list roles here as they contain "s, which interfere with the +// attribute eclosing quotes of the meta tag +// $scstatus = $scstatus . "Received all available roles for user: ".serialize($roleResponse->role) . "; "; + $scstatus .= "Received all available roles for user; "; +} catch (Soapfault $f) { + format_error("Internal Error", + "SOAP FAULT (authorizedRoles)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail ); + exit; +} + + +if (is_Array($roleResponse->role)) { + $creReq->roleset = $roleResponse->role; +} elseif (is_string($roleResponse->role)) { + $creReq->roleset = Array($roleResponse->role); +} else { + $creReq->roleset = Array(); +} + + +// Get an newly generated sid from the RBAC system +try { + $newSid = $soapExtra->getSid(); + $newSid = $newSid->sid; +} catch (Soapfault $f) { + format_error("Internal Error", + "RBAC down? Could not generate a new SessionID!" 
); + exit; +} + + +$creReq->sid = $newSid; +//echo "Creating the session...<BR/>"; +try { + $creResponse = $soapPolicy->createSession( $creReq ); + + if( $creResponse->result ) { + //echo "DONE.<BR/>"; + $scstatus .= "Created active role; "; + } else { + $scstatus .= "Could not create active role, proceeding without any role(s) in the session; "; + } + +} catch (SoapFault $f) { + format_error("Internal Error", + "SOAP FAULT (CreateSession)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail ); + exit; +} + +// We will arrive here only if all went well. +// Otherwise, format_error() will be called which prints its own header and footer +echo "<HTML><HEAD>\n"; // Header ----------------------------- + +echo "<meta name=\"remote_principal\" content=\"$remote_user\"/>\n"; +echo "<meta name=\"rbac_session_status\" content=\"$scstatus\"/>\n"; +echo "<meta name=\"rbac_sessionid\" content=\"$newSid\"/>\n"; +echo "<meta name=\"ePPNplusSID\" content=\"$remote_user|$newSid\"/>\n"; +echo "<style type=\"text/css\">"; +echo "#d123 {display:none;}"; +echo "</style>"; +echo "<script type=\"text/javascript\">\n"; +echo "<!--\n"; +echo "function toggle (target) {\n"; +echo " var obj=document.getElementById(target);\n"; +echo " obj.style.display=\"block\";\n"; +echo "}\n"; +echo "-->\n"; +echo "</script>\n"; + +echo "</HEAD>\n\n<BODY>\n"; + echo "<H2>Authentication Succeeded</H2>\n"; + + echo "You were successfully authenticated with User ID '<b>" . $remote_user . "</b>'. You may now access remote resources using the TextGrid Lab. This window can be closed.<br>\n"; + + // experimental: Logout + //echo "<br/><br/>"; + + // das hier beendet nur die SP-Session, IdP bleibt... + //echo "Click <A HREF=\"https://auth.textgrid.daasi.de/Shibboleth.sso/Logout\">here</A> if you want to log out."; + + // das hier sollte den Browser schließen, tuts aber nicht... 
+ //echo "<form action=\"\"><input type=\"button\" value=\"Log Out\" onclick=\"window.close()\"></form>"; + + // also cookies loeschen: + //s. http://de.selfhtml.org/javascript/objekte/document.htm#cookie... + +// Details ----------------------------------------------- +echo "More <A HREF=\"javascript:toggle('d123')\">Details</A>.\n"; +echo "<div id=\"d123\"> <H2>Authentication Details</H2>\n"; +echo "<table><tr><td>TgAuth Instance</td><td>". $rbacbase ."</td></tr>\n"; +echo "<tr><td>Shibboleth Identity ProviderID</td><td>". $identity_provider ."</td></tr>\n"; +echo "<tr><td>User ID Attribute Name</td><td>". $identified_user['authnmethod'] ."</td></tr>\n"; +echo "<tr><td>User ID Value </td><td>".$remote_user."</td></tr>\n"; +echo "<tr><td>Given Name(s)</td><td>".$givennames."</td></tr>\n"; +echo "<tr><td>Surname(s)</td><td>".$surnames."</td></tr>\n"; +echo "<tr><td>Common Name(s)</td><td>".$cns."</td></tr>\n"; +echo "<tr><td>Mail(s)</td><td>".$mails."</td></tr>\n"; +echo "<tr><td>Organisation(s)</td><td>".$organisations."</td></tr>\n"; +echo "<tr><td>TgAuth Session ID</td><td>".$newSid."</td></tr></table>\n"; +echo "</div>"; + +setNameInRBAC(); + +echo "\n</BODY>\n</HTML>"; + +exit; + +/////////////////////// Functions /////////////////////////////////////// + +function format_error ($heading, $detail) { + +global $remote_user, $scstatus, $newSid, $rbacbase, $identity_provider, $identified_user; + +echo "<HTML><HEAD>\n"; +echo "<meta name=\"remote_principal\" content=\"$remote_user\"/>\n"; +echo "<meta name=\"rbac_session_status\" content=\"$scstatus\"/>\n"; +echo "<meta name=\"rbac_sessionid\" content=\"$newSid\"/>\n"; +echo "<style type=\"text/css\">"; +echo "#d123 {display:none;}"; +echo "</style>"; +echo "<script type=\"text/javascript\">\n"; +echo "<!--\n"; +echo "function toggle (target) {\n"; +echo " var obj=document.getElementById(target);\n"; +echo " obj.style.display=\"block\";\n"; +echo "}\n"; +echo "-->\n"; +echo "</script>\n"; +echo 
"</HEAD>\n\n<BODY>\n"; + +echo "<H2>Authentication Failure, $heading</H2>\n"; +echo "The Authentication system could not authenticate you.<br/>\n"; + +echo "More <A HREF=\"javascript:toggle('d123')\">Details</A>.\n"; +echo "<div id=\"d123\">"; +echo "<H2>Error Details</H2>\n"; +echo $detail; +echo "<H2>Authentication Details</H2>\n"; +echo "<table><tr><td>TgAuth Instance</td><td>". $rbacbase ."</td></tr>\n"; +echo "<tr><td>Shibboleth Identity ProviderID</td><td>". $identity_provider ."</td></tr>\n"; +echo "<tr><td>User ID Attribute Name</td><td>". $identified_user['authnmethod'] ."</td></tr>\n"; +echo "<tr><td>User ID Value </td><td>".$remote_user."</td></tr>\n"; +echo "<tr><td>TgAuth Session ID</td><td>".$newSid."</td></tr></table>\n"; +echo "</div>"; + +echo "<br/>If not indicated otherwise in the <A HREF=\"javascript:toggle('d123')\">details</A>, it could be that some service is not responding temporarily. In this case, please <a href=\"javascript:history.back()\">go back</a> or re-open the TextGridLab and try again."; +echo "<br/>If the problem persists, please report this bug together with its time of occurence (" . date("Y-m-d H:i:s") . "). In the TextGridLab, choose 'Help->Report Bug'." 
; + +echo "\n</BODY>\n</HTML>"; +} + + +function identify ( $remote_user, $idp ) +{ + $authnmethod = "undefined"; + $user = "dummy"; + $scope = "no-scope.xxx"; + if (preg_match('/([^@]+)@([^@]+)/', $remote_user, $matches) == 1) + { + $authnmethod = "ePPN"; + $user = $matches[1]; + $scope = $matches[2]; + } + else if (preg_match('/([^!]+)!([^!]+)!([^!]+)/', $remote_user, $matches) == 1) + { + $authnmethod = "persistentId"; + $user = $matches[3]; + $scope = $idp; + } + else if (strlen($remote_user) > 0) + { + $authnmethod = "targetedId"; + $user = $remote_user; + $scope = $idp; + } + else + { + $authnmethod = "none"; + } + + $user = escapeForDN($user); + $scope = escapeForDN($scope); + + return array("authnmethod" => $authnmethod, + "user" => $user, + "scope" => $scope ); +} + + +function escapeForDN ($string) +{ + return preg_replace('/[";+<>,\\\]/', "X", $string); +} + +function setNameInRBAC () +{ + + global $givennames, $surnames, $cns, $mails, $organisations, $soapExtra, $newSid, $identity_provider, $remote_user; + $setNameReq = new setNameRequest(); + $setNameReq->auth = $newSid; + $setNameReq->log = ""; + $setNameReq->webAuthSecret = $setnamessecret; + + // name will be first cn with a space (s.t. no uid), or "gn1 gn2 gn3 sn1 sn2", or last resort ePPN + $cnarr = preg_split ("/;/", $cns ); + if ( sizeof ($cnarr) > 0 && preg_match("/ /", $cns) > 0 ) + { + for ($i = 0; $i < sizeof ($cnarr); $i++) + { + if (preg_match("/ /", $cnarr[$i]) > 0 ) + { + $setNameReq->name = $cnarr[$i]; + break; + } + } + } + elseif ( strlen ($givennames) > 0 && strlen ($surnames) > 0) + { + $givennameswithspaces = preg_replace ( "/;/", " ", $givennames ); + $surnameswithspaces = preg_replace ( "/;/", " ", $surnames ); + $setNameReq->name = $givennameswithspaces . " " . 
$surnameswithspaces; + } + else + { + $setNameReq->name = $remote_user; + } + + $setNameReq->mail = $mails; + + if ( strlen ($organisations) > 0) + { + $setNameReq->organisation = $organisations; + } + else + { + $setNameReq->organisation = $identity_provider; + } + + $setNameReq->agreeSearch = TRUE; + + try + { + $setNameResult = $soapExtra->setName( $setNameReq ); + + if (! $setNameResult->result ) { + // do NOT exit as setName is not vital + echo "setName: result=false"; + } + } + catch (Soapfault $f) + { + // do NOT exit as setName is not vital + echo "SoapFault"; + } + +} + + +?> diff --git a/info.textgrid.middleware.tgauth.webauth/secure/index.php b/info.textgrid.middleware.tgauth.webauth/secure/index.php new file mode 100644 index 0000000..554a22c --- /dev/null +++ b/info.textgrid.middleware.tgauth.webauth/secure/index.php @@ -0,0 +1,5 @@ +<?php + +phpinfo(); + +?> diff --git a/info.textgrid.middleware.tgauth.webauth/secure/soapTypes.inc.php b/info.textgrid.middleware.tgauth.webauth/secure/soapTypes.inc.php new file mode 100644 index 0000000..09f2371 --- /dev/null +++ b/info.textgrid.middleware.tgauth.webauth/secure/soapTypes.inc.php 
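Review bot: `$authZinstance` is taken from `$_REQUEST` and interpolated verbatim into the XPath predicate `[@instance='${authZinstance}']` in five queries and into the HTML error message, so a value containing a quote alters the query and a crafted link reflects markup into the page; validating it before first use, `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $authZinstance)) { echo "Error: invalid authZinstance"; exit; }`, covers both. In `setNameInRBAC()` the `global` list omits `$setnamessecret`, so `$setNameReq->webAuthSecret` is always null and setName can only succeed if the RBAC side does not verify the secret. `if ($addedUser)` tests the response object, which is always truthy; the sibling checks use `->result`, so this should read `if ($addedUser->result)`. The attribute values supplied by the identity provider or LDAP (`$givennames`, `$surnames`, `$cns`, `$mails`, `$organisations`, `$identity_provider`) and the SOAP fault strings passed to `format_error()` are also echoed into HTML and `meta` attributes without `htmlspecialchars()`, and only `$remote_user` passes through `escapeForDN()`.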
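Review bot: `index.php` in `secure/` consists of a bare `phpinfo()` call, which publishes the PHP build, loaded extensions, ini settings and the complete `$_SERVER` array to anyone who reaches the directory index; if the directory is Shibboleth-protected as its name suggests, that array includes the attributes released about the requesting user. The file looks like a leftover from setting up the deployment and should be removed, or reduced to a stub such as `<?php header('HTTP/1.1 404 Not Found'); exit;`.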
@@ -0,0 +1,528 @@ +<?php +class authenticateRequest { + + public $username; + public $password; + public $log; + +} + +class setNameRequest { + + public $auth; + public $log; + public $webAuthSecret; + public $name; + public $mail; + public $organisation; + public $agreeSearch; + +} + +class authenticateResponse { + + public $sid; + +} + +class getSidResponse { + + public $sid; + +} + +class checkAccessRequest { + + public $intSid; + public $operation; + public $resource; + public $sid; + +} + +class tgCheckAccessRequest { + + public $auth; + public $log; + public $operation; + public $resource; + public $sid; + +} + +class tgGrantPermissionRequest { + + public $auth; + public $log; + public $role; + public $resource; + public $operation; + +} + +class tgRevokePermissionRequest { + + public $auth; + public $log; + public $role; + public $resource; + public $operation; + +} + +class getOwnerRequest { + + public $auth; + public $log; + public $resource; + +} + +class getOwnerResponse { + + public $owner; + +} + +class getMembersRequest { + + public $auth; + public $log; + public $project; + +} + +class deactivateProjectRequest { + + public $auth; + public $log; + public $project; + +} + +class getRightsRequest { + + public $auth; + public $log; + public $resource; + public $username; + +} + +class publishRequest { + + public $auth; + public $log; + public $resource; + +} + +class getProjectDescriptionRequest { + + public $auth; + public $log; + public $project; + +} + +class getProjectDescriptionResponse { + + public $description; + +} + +class createSessionRequest { + + public $intSid; + public $username; + public $roleset; + public $sid; + +} + +class tgAddActiveRoleRequest { + + public $auth; + public $log; + public $role; + +} + +class tgAssignedRolesRequest { + + public $auth; + public $log; + public $username; + +} + +class tgAssignedProjectsRequest { + + public $auth; + public $log; + +} + +class deleteSessionRequest { + + public $intSid; + public $username; + 
public $sid; + +} + +class addActiveRoleRequest { + + public $intSid; + public $username; + public $role; + public $sid; + +} + +class addUserRequest { + + public $intSid; + public $username; + public $password; + +} + +class deleteUserRequest { + + public $intSid; + public $username; + +} + +class addInheritanceRequest { + + public $intSid; + public $ascendant; + public $descendant; + +} + +class deleteInheritanceRequest { + + public $intSid; + public $ascendant; + public $descendant; + +} + +class addAscendantRequest { + + public $intSid; + public $ascendant; + public $descendant; + +} + +class addDescendantRequest { + + public $intSid; + public $ascendant; + public $descendant; + +} + +class addRoleRequest { + + public $intSid; + public $role; + +} + +class deleteRoleRequest { + + public $intSid; + public $role; + +} + +class grantPermissionRequest { + + public $intSid; + public $resource; + public $operation; + public $role; + +} + +class revokePermissionRequest { + + public $intSid; + public $resource; + public $operation; + public $role; + +} + +class assignUserRequest { + + public $intSid; + public $username; + public $role; + +} + +class deassignUserRequest { + + public $intSid; + public $username; + public $role; + +} + +class sessionRolesRequest { + + public $intSid; + public $sid; + +} + +class assignedRolesRequest { + + public $intSid; + public $username; + +} + +class authorizedRolesRequest { + + public $intSid; + public $username; + +} + +class roleOperationsOnObjectRequest { + + public $intSid; + public $role; + public $resource; + +} + +class userOperationsOnObjectRequest { + + public $intSid; + public $user; + public $resource; + +} + +class operationsetResponse { + + public $operationset; + +} + +class assignedUsersRequest { + + public $intSid; + public $role; + +} + +class authorizedUsersRequest { + + public $intSid; + public $role; + +} + +class usersetResponse { + + public $username; + +} + +class rolePermissionsRequest { + + public $intSid; + 
public $role; + +} + +class userPermissionsRequest { + + public $intSid; + public $username; + +} + +class getLeaderRequest { + + public $auth; + public $log; + public $project; + +} + +class getObjectsRequest { + + public $auth; + public $log; + public $project; + +} + +class sessionPermissionsRequest { + + public $intSid; + public $sid; + +} + +class rolesetResponse { + + public $role; + +} + +class permissionsetResponse { + + public $permissionset; + +} + +class resourcesetResponse { + + public $resource; + +} + +class createProjectRequest { + + public $auth; + public $log; + public $name; + public $description; + +} + +class registerResourceRequest { + + public $auth; + public $log; + public $project; + public $uri; + +} + +class unregisterResourceRequest { + + public $auth; + public $log; + public $uri; + +} + +class addMemberRequest { + + public $auth; + public $log; + public $role; + public $username; + +} + +class deleteMemberRequest { + + public $auth; + public $log; + public $role; + public $username; + +} + +class createProjectResponse { + + public $projectId; + +} + +class getAllProjectsResponse { + + public $project; + +} + +class getAllProjectsRequest { + + public $log; + +} + +class userExistsRequest { + + public $auth; + public $log; + public $username; + +} + + +class booleanResponse { + + public $result; + public $errorCode; + public $errorDescription; + +} + +class filterBySidRequest { + + public $auth; + public $log; + public $resource; + public $operation; + +} + +class filterResponse { + + public $resource; + +} + + +class permission { + + public $resource; + public $operation; + + + public function __construct( $inOperation, $inResource ) { + + $this->operation = $inOperation; + $this->resource = $inResource; + + } + +} + +class projectInfo { + + public $id; + public $description; + public $name; + + + public function __construct( $inId, $inName, $inDescription ) { + + $this->id = $inId; + $this->description = $inDescription; + $this->name = 
$inName; + + } + +} + +class checkXACMLaccessRequest { + + public $request; + +} +?> -- GitLab
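Review bot: The declared shapes do not match how TextGrid-WebAuth.php uses them: `authenticateResponse` declares only `$sid` while the caller reads `$authResponse->auth`, and `addActiveRoleRequest` declares `intSid`/`username`/`role`/`sid` while the caller assigns `->auth` and hands the object to `tgAddActiveRole`, whose matching `tgAddActiveRoleRequest` (`auth`, `log`, `role`) is not instantiated anywhere on this page. This works only because SoapClient returns stdClass objects and PHP silently creates undeclared properties (deprecated since 8.2), so the classes offer no protection against a misspelt field. Passing a `classmap` to the SoapClient constructors, or at least a header docblock stating which WSDL operation each class belongs to, would make such mismatches visible. The properties also carry no types or docblocks; a `/** @var string */` line above each would document the wire format without changing behaviour.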