From 49a33f9b047e7b34b32d3ad09a98d1b300b75eb2 Mon Sep 17 00:00:00 2001
From: Martin Haase <martin.haase@daasi.de>
Date: Mon, 18 Oct 2010 11:03:45 +0000
Subject: [PATCH] webauth redesign
git-svn-id: https://textgridlab.org/svn/textgrid/trunk/middleware/tgauth@7470 7c539038-3410-0410-b1ec-0f2a7bf1c452
---
.../WebAuthN/TextGrid-WebAuth-Community.php | 46 +-
.../WebAuthN/WebAuthN2.php | 79 +++
.../tglib/LDAP.class.php | 51 +-
.../tglib/RBAC.class.php | 269 +++++++++
.../tglib/WebUtils.class.php | 88 ++-
.../tglib/soapTypes.inc.php | 528 ++++++++++++++++++
6 files changed, 1007 insertions(+), 54 deletions(-)
create mode 100644 info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN2.php
create mode 100644 info.textgrid.middleware.tgauth.webauth/tglib/RBAC.class.php
create mode 100644 info.textgrid.middleware.tgauth.webauth/tglib/soapTypes.inc.php
diff --git a/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth-Community.php b/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth-Community.php
index 4d067e5..700e177 100644
--- a/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth-Community.php
+++ b/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth-Community.php
@@ -12,35 +12,51 @@ include("../tglib/WebUtils.class.php");
$configfile = "../../../config_tgwebauth.xml";
-$util = WebUtils->new();
+$util = new WebUtils;
$authZinstance = $_REQUEST["authZinstance"];
-if ( !isset($authZinstance) || $authZinstance->length <= 0 ) {
- $util->printFailure("No TgAuth Instance provided",
+
+if ( !(isset($authZinstance)) || strlen($authZinstance) <= 0 ) {
+ $util->printAuthFailure("No TgAuth Instance provided",
"Please provide a valid string in the authZinstance variable.",
null,
null );
exit;
}
-if (isset ($_REQUEST["loginname"]) && $_REQUEST["loginname"]->length > 0
- && isset ($_REQUEST["password"]) && $_REQUEST["password"]->length > 0) {
+if (isset ($_REQUEST["loginname"]) && strlen($_REQUEST["loginname"]) > 0
+ && isset ($_REQUEST["password"]) && strlen($_REQUEST["password"]) > 0) {
// now authenticating
- $ldap = LDAP->new($configfile);
- $AuthResult = $ldap->authenticate($_REQUEST["loginname"], $_REQUEST["password"]);
- if (! $AuthResult["success"]) {
- $util->printFailure("Failure authenticating at TextGrid Community Account Server",
- $AuthResult["detail"],
+ $ldap = new LDAP ( $configfile );
+ $AuthNResult = $ldap->authenticate($_REQUEST["loginname"], $_REQUEST["password"]);
+ if (! $AuthNResult["success"]) {
+ $util->printAuthFailure("Failure authenticating at TextGrid Community Account Server",
+ $AuthNResult["detail"],
$_REQUEST["loginname"],
null );
exit;
- } else {
-
-
-
}
+ // now creating session, activating roles, etc, in RBAC
+ $rbac = new RBAC ( $configfile, $authZinstance );
+ $CSResult = $rbac->createSession( $AuthNResult["TGID"], $AuthNResult["LDAPname"] );
+ if (! $CSResult["success"]) {
+ $util->printAuthFailure("Failure Creating Session in RBAC",
+ $CSResult["detail"],
+ $_REQUEST["loginname"],
+ array_merge( $CSResult["rbachash"],
+ array("identity_provider" => $AuthNResult["LDAPname"] )
+ )
+ );
+ exit;
+ }
+ $util->printAuthSuccess("Authentication Succeeded",
+ $_REQUEST["loginname"],
+ array_merge( $CSResult["rbachash"],array("identity_provider" => $AuthNResult["LDAPname"] ) ),
+ array("slcmode" => FALSE) // SLCs only via Shibboleth
+ );
+
-} else if (isset ($_REQUEST["sid"]) && $_REQUEST["sid"]->length > 0 ) {
+} else if (isset ($_REQUEST["sid"]) && strlen($_REQUEST["sid"]) > 0 ) {
// displaySID or completeDetails
}
diff --git a/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN2.php b/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN2.php
new file mode 100644
index 0000000..afe967c
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN2.php
@@ -0,0 +1,79 @@
+<?php
+// #######################################################
+// Author: Martin Haase / DAASI International GmbH
+// Creation date: 02.12.2008
+// Modification date: 07/05/2010
+// Version: 2.0
+// #######################################################
+
+header("Content-Type: text/html; charset=UTF-8");
+
+$authZinstance = $_REQUEST["authZinstance"];
+if ($authZinstance == null) {
+ echo "Error: no authZinstance provided!";
+ exit;
+}
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
+ "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+<head>
+<meta http-equiv="content-type" content="text/html; charset=UTF-8">
+<title>TextGrid WebAuth</title>
+</head>
+<body>
+
+<h2>TextGridLab Login</h2>
+<table border="1" rules="cols" cellpadding="4">
+<tr>
+<td align="center" valign="top">
+<h3>textgrid.de account</h3>
+</td>
+
+<td align="center" valign="top">
+<h3>Home account</h3>
+</td>
+</tr>
+
+<tr>
+<td rowspan="2">
+<form action="TextGrid-WebAuth-Community.php" method="POST" name="textgriddeform">
+ <p>Login:<br><input name="loginname" type="text" size="30" maxlength="30" value="Login ID" onclick="MachLeer()"></p>
+ <p>Password:<br><input name="password" type="password" size="30" maxlength="30"></p>
+<?php
+ echo "<input name=\"authZinstance\" type=\"hidden\" value=\"". $authZinstance . "\"/>";
+?>
+ <input type="submit" value="log in">
+</form>
+<script type="text/javascript">
+document.textgriddeform.loginname.focus();
+document.textgriddeform.loginname.select();
+function MachLeer () {
+ if (document.textgriddeform.loginname.value == "Login ID")
+ document.textgriddeform.loginname.value = "";
+}
+</script>
+</td>
+
+
+<td align="center" valign="top">
+<form action="../secure/TextGrid-WebAuth.php">
+<?php
+ echo "<input name=\"authZinstance\" type=\"hidden\" value=\"". $authZinstance . "\"/>";
+?>
+ <input type="submit" value="log in via DFN-AAI">
+</form>
+</td>
+</tr>
+
+<tr>
+<td>If your school is not listed among the organizations on the
+DFN-AAI page, or if you encounter problems during log-in, you are
+welcome to <b>request a textgrid.de account</b> using the form
+on <a href="http://www.textgrid.de/beta/installation.html">http://www.textgrid.de/beta/installation.html</a>.
+</td>
+</tr>
+</table>
+
+</body>
+</html>
diff --git a/info.textgrid.middleware.tgauth.webauth/tglib/LDAP.class.php b/info.textgrid.middleware.tgauth.webauth/tglib/LDAP.class.php
index 246f2e6..16abe8b 100644
--- a/info.textgrid.middleware.tgauth.webauth/tglib/LDAP.class.php
+++ b/info.textgrid.middleware.tgauth.webauth/tglib/LDAP.class.php
@@ -12,7 +12,13 @@ mb_internal_encoding("UTF-8");
class LDAP {
// Global variables
- $UserAttributes = array();
+ protected $UserAttributes = array();
+ protected $ldaphost;
+ protected $ldapport;
+ protected $binddn;
+ protected $filter;
+ protected $IDattribute;
+ protected $LDAPname;
public function __construct( $configfilepath ) {
$config = new DOMDocument();
@@ -20,49 +26,50 @@ class LDAP {
$xpath = new DOMXPath($config);
$xpath->registerNamespace("c", "http://textgrid.info/namespaces/middleware/tgwebauth");
- $ldaphost = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='host']")->item(0)->nodeValue;
- $ldapport = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='port']")->item(0)->nodeValue;
- $binddn = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='binddn']")->item(0)->nodeValue;
- $basedn = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='basedn']")->item(0)->nodeValue;
- $filter = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='filter']")->item(0)->nodeValue;
- $IDattribute = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='IDattribute']")->item(0)->nodeValue;
- $LDAPname = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='name']")->item(0)->nodeValue;
+ $this->ldaphost = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='host']")->item(0)->nodeValue;
+ $this->ldapport = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='port']")->item(0)->nodeValue;
+ $this->binddn = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='binddn']")->item(0)->nodeValue;
+ $this->basedn = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='basedn']")->item(0)->nodeValue;
+ $this->filter = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='filter']")->item(0)->nodeValue;
+ $this->IDattribute = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='IDattribute']")->item(0)->nodeValue;
+ $this->LDAPname = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='name']")->item(0)->nodeValue;
}
public function authenticate ($login, $password) {
- $ldapconn = ldap_connect( $ldaphost, $ldapport )
- or return array("success" => FALSE, "detail" => "Cannot connect to {$ldaphost}!");
+ $ldapconn = ldap_connect( $this->ldaphost, $this->ldapport );
+ // ldap_connect always returns a handle, does not connect yet
+ // or return array("success" => FALSE, "detail" => "Cannot connect to {$ldaphost}!");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
//ldap_start_tls( $ldapconn );
- $binddn = preg_replace ('/\${login}/', $login, $binddn);
+ $binddn = preg_replace ('/\${login}/', $login, $this->binddn);
$bound = ldap_bind($ldapconn, $binddn , $password);
if (!$bound) {
return array("success" => FALSE,
- "detail" => "Authentication failed, wrong login and/or password.");
+ "detail" => "Authentication failed, reason: " . ldap_error ($ldapconn));
} else {
//echo "Could bind as user ${login}!";
- $filter = preg_replace ('/\${login}/', $login, $filter);
- $result = ldap_search( $ldapconn, $basedn, $filter);
+ $filter = preg_replace ('/\${login}/', $login, $this->filter);
+ $result = ldap_search( $ldapconn, $this->basedn, $filter);
$entry = ldap_first_entry( $ldapconn , $result );
- $UserAttributes = ldap_get_attributes ($ldapconn , $entry);
+ $this->UserAttributes = ldap_get_attributes ($ldapconn , $entry);
- $TGID = $attrs[$IDattribute][0];
+ $TGID = $this->UserAttributes[$this->IDattribute][0];
- return array("success" => TRUE, "TGID" => $TGID);
+ return array("success" => TRUE, "TGID" => $TGID, "LDAPname" => $this->LDAPname);
}
}
public function getUserAttributes () {
$rethash = array();
foreach (array("o", "sn", "givenName", "cn", "mail") as $a) {
- if ( isset($UserAttributes[$a])) {
+ if ( isset($this->UserAttributes[$a])) {
$vals = array();
- for ($i=0; $i<$UserAttributes[$a]['count']; $i++) {
- $vals[] = $UserAttributes[$a][$i];
+ for ($i=0; $i<$this->UserAttributes[$a]['count']; $i++) {
+ $vals[] = $this->UserAttributes[$a][$i];
}
$rethash[$a] = implode (';', $vals);
}
@@ -70,6 +77,6 @@ class LDAP {
return $rethash;
}
+}
-
-}
\ No newline at end of file
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.webauth/tglib/RBAC.class.php b/info.textgrid.middleware.tgauth.webauth/tglib/RBAC.class.php
new file mode 100644
index 0000000..faf1273
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.webauth/tglib/RBAC.class.php
@@ -0,0 +1,269 @@
+<?php
+// #######################################################
+// Author: Martin Haase / DAASI International GmbH / TextGrid
+// Creation date: 2010-10-13
+// Modification date: 2010-10-13
+// Version: 0.1
+// based on TextGrid-Webauth.php
+// #######################################################
+
+mb_internal_encoding("UTF-8");
+
+class RBAC {
+
+ // Global variables
+ protected $rbacbase;
+ protected $sessionCreatorUid;
+ protected $sessionCreatorPw;
+ protected $setnamessecret;
+
+
+ public function __construct( $configfilepath , $authZinstance ) {
+ require_once( "soapTypes.inc.php" );
+
+ $config = new DOMDocument();
+ $config->load($configfilepath);
+ $xpath = new DOMXPath($config);
+ $xpath->registerNamespace("c", "http://textgrid.info/namespaces/middleware/tgwebauth");
+
+ $rbacInstance = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']");
+ if ($rbacInstance->length == 0) {
+ echo "Error: '${authZinstance}' has no RBAC base configured!<br/>\n";
+ return null;
+ }
+
+ $this->rbacbase = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:rbacbase")->item(0)->nodeValue;
+ $this->sessionCreatorUid = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:sessioncreator/c:user")->item(0)->nodeValue;
+ $this->sessionCreatorPw = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:sessioncreator/c:password")->item(0)->nodeValue;
+ $this->setnamessecret = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:setnamessecret")->item(0)->nodeValue;
+
+ }
+
+ public function createSession ( $remote_user ) {
+
+ $rbachash = array("scstatus" => "", // will collect all messages during authentication
+ "Sid" => "none", // this will hold the final sessionId then
+ "rbacbase" => $this->rbacbase,
+ );
+
+ // ------------------------------------------------------------
+ // check whether remote_user is set and has user@domain format
+ if (preg_match('/([^@]+)@([^@]+)/', $remote_user, $matches) == 1) {
+ $identified_user = array("authnmethod" => "eduPersonPrincipalName",
+ "user" => $matches[1],
+ "scope" => $matches[2] );
+
+ $identified_user['user'] = $this->escapeForDN ($identified_user['user']);
+ $identified_user['scope'] = $this->escapeForDN ($identified_user['scope']);
+
+ $remote_user = $identified_user['user'] . "@" . $identified_user['scope'];
+
+ $rbachash["identified_user"] = $identified_user;
+ $rbachash["remote_user"] = $remote_user; // TG User ID
+
+ } else {
+ return array("success" => FALSE,
+ "detail" => "User ID not given by home institution.<br/>\n"
+ ."Your school (its Identity Provider) did not provide a useable User ID to TextGrid (".$remote_user .").<br/>\n"
+ ."Please contact your school's computing centre and ask them to release to TextGrid's Service Provider "
+ ."the eduPersonPrincipalName attribute.<br/>Thank you.",
+ "rbachash" => $rbachash);
+ exit;
+ }
+ $$rbachash["scstatus"] .= "Authentication Method: ". $identified_user['authnmethod'] . "; ";
+
+ // -----------------------------------------------------
+ // You'll need these services
+ // -----------------------------------------------------
+ $soapExtra = new SoapClient( $this->rbacbase . "wsdl/tgextra.wsdl" );
+ $soapPolicy = new SoapClient( $this->rbacbase . "wsdl/tgsystem.wsdl" );
+ $soapReview = new SoapClient( $this->rbacbase . "wsdl/tgreview.wsdl" );
+ $soapAdministration = new SoapClient( $this->rbacbase . "wsdl/tgadministration.wsdl" );
+
+ // -----------------------------------------------------
+ // Before you can create a session you have to
+ // authenticate. If this was successful you get a
+ // session-ID that you should keep
+ // -----------------------------------------------------
+ $serviceAuthReq = new authenticateRequest();
+ $serviceAuthReq->username = $this->sessionCreatorUid;
+ $serviceAuthReq->password = $this->sessionCreatorPw;
+
+ try {
+ $serviceAuthResponse = $soapExtra->authenticate( $serviceAuthReq );
+
+ if( preg_match( "/[0-9a-z]{2,}/i", $serviceAuthResponse->auth ) ) {
+ $$rbachash["scstatus"] .= "WebAuth authenticated at RBAC, received a service SessionId. " ;
+ }
+
+ } catch( SoapFault $f ) {
+ return array("success" => FALSE,
+ "detail" => "SOAP FAULT (authenticate)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail,
+ "rbachash" => $rbachash);
+ exit;
+ }
+
+
+ // -----------------------------------------------------
+ // Now you can try to add an active role to your session creator session
+ // -----------------------------------------------------
+ $addRoleReq = new addActiveRoleRequest();
+ $addRoleReq->username = $sessionCreatorUid;
+ $addRoleReq->role = "sessionCreator,Anwendung";
+ $addRoleReq->auth = $serviceAuthResponse->auth;
+
+ try {
+ $addRoleResponse = $soapExtra->tgAddActiveRole( $addRoleReq );
+
+ if( $addRoleResponse->result ) {
+ $$rbachash["scstatus"] .= "Added active role of application; ";
+ } else {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "Internal Error, Could not add Role for application.");
+ exit;
+ }
+ } catch( SoapFault $f ) {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "SOAP FAULT (tgAddActiveRole)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail);
+ exit;
+ }
+
+ // -----------------------------------------------------
+ // Check whether user exists already in RBAC
+ // -----------------------------------------------------
+ $userexistreq = new userExistsRequest();
+ $userexistreq->auth = $serviceAuthResponse->auth;
+ $userexistreq->username = $remote_user;
+
+ try {
+ $existresult = $soapExtra->userExists($userexistreq);
+ if (! $existresult->result) {
+
+ // -----------------------------------------------
+ // User does not exist, so add 'em
+ $adduserrequest = new addUserRequest();
+ $adduserrequest->intSid = $serviceAuthResponse->auth;
+ $adduserrequest->username = $remote_user;
+ $adduserrequest->password = "gnuelpfix"; // this is not relevant and will never be checked
+
+ try {
+ $addedUser = $soapAdministration->addUser($adduserrequest);
+ if ($addedUser) {
+ $$rbachash["scstatus"] .= "Added user information to authorization database; ";
+ } else {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "Could not add your user ID to authorization database." );
+ exit;
+ }
+
+ } catch(SoapFault $f) {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "SOAP FAULT (AddUser)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail );
+ exit;
+ }
+ } else {
+ $$rbachash["scstatus"] .= "user exists in authentication database; ";
+ }
+ } catch (SoapFault $f) {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "SOAP FAULT (UserExists)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail );
+ exit;
+ }
+
+ // -----------------------------------------------------
+ // If this was successful you can create the session for remote_user
+ // need to add active roles to the session
+ // -----------------------------------------------------
+ $creReq = new createSessionRequest();
+ $creReq->intSid = $serviceAuthResponse->auth;
+ //$creReq->username = "mhaase@uni-tuebingen.de";
+ $creReq->username = $remote_user;
+
+ //$creReq->roleset = Array( "Projektleiter,Projekt-1,Projekt-Teilnehmer" );
+ //$creReq->roleset = Array( "Bearbeiter,Projekt-1,Projekt-Teilnehmer" );
+
+ //---------------------------
+ // get ALL available roles...
+ $rolesobject = new authorizedRolesRequest();
+ $rolesobject->intSid = $serviceAuthResponse->auth;
+ $rolesobject->username = $remote_user;
+
+ try {
+ $roleResponse = $soapReview->authorizedRoles($rolesobject);
+
+ $$rbachash["scstatus"] .= "Received all available roles for user; ";
+ } catch (Soapfault $f) {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "SOAP FAULT (authorizedRoles)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail );
+ exit;
+ }
+ if (is_Array($roleResponse->role)) {
+ $creReq->roleset = $roleResponse->role;
+ } elseif (is_string($roleResponse->role)) {
+ $creReq->roleset = Array($roleResponse->role);
+ } else {
+ $creReq->roleset = Array();
+ }
+
+ // ------------------------------------------------
+ // Get a newly generated sid from the RBAC system
+ try {
+ $Sid = $soapExtra->getSid();
+ $Sid = $Sid->sid;
+ $rbachash["Sid"] = $Sid;
+ } catch (Soapfault $f) {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "RBAC down? Could not generate a new SessionID!" );
+ exit;
+ }
+
+ // -------------------------------------
+ // Creating the session...
+ $creReq->sid = $Sid;
+ try {
+ $creResponse = $soapPolicy->createSession( $creReq );
+
+ if( $creResponse->result ) {
+
+ $$rbachash["scstatus"] .= "Created sessions with active roles; ";
+ } else {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "Failed to create a new Session!" );
+ exit;
+ }
+
+ } catch (SoapFault $f) {
+ return array("success" => FALSE,
+ "rbachash" => $rbachash,
+ "detail" => "SOAP FAULT (CreateSession)!: " . $f->faultcode . " / " . $f->faultstring . " / " . $f->detail );
+ exit;
+ }
+
+ // --------------------------------------------------------
+ // now all went well, createSession worked, return success
+ return array("success" => TRUE,
+ "rbachash" => $rbachash);
+ }
+
+ // see RFC XYZ, DN Syntax
+ function escapeForDN ($string) {
+ return preg_replace('/[";+<>,\\\]/', "X", $string);
+ }
+
+ function setUserDetails ( $Sid, $stringhash ) {
+
+
+
+ }
+
+}
+
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.webauth/tglib/WebUtils.class.php b/info.textgrid.middleware.tgauth.webauth/tglib/WebUtils.class.php
index 8dbb091..8dd593b 100644
--- a/info.textgrid.middleware.tgauth.webauth/tglib/WebUtils.class.php
+++ b/info.textgrid.middleware.tgauth.webauth/tglib/WebUtils.class.php
@@ -16,14 +16,65 @@ class WebUtils {
}
+ public function printAuthSuccess($heading,$loginname,$rbachash,$slc) {
- public function printFailure($heading,$detail,$loginname,$rbachash) {
- printHeader("Authentication failed");
+ $this->printHeader($heading);
+
+ echo "<meta name=\"remote_principal\" content=\"".$rbachash["remote_user"]."\"/>\n";
+ echo "<meta name=\"rbac_session_status\" content=\"".$rbachash["scstatus"]."\"/>\n";
+ echo "<meta name=\"rbac_sessionid\" content=\"".$rbachash["Sid"]."\"/>\n";
+ if (!$slc["slcmode"]) {
+ echo "<meta name=\"ePPNplusSID\" content=\"".$rbachash["remote_user"]."|".$rbachash["Sid"]."\"/>\n";
+ }
+ echo "<style type=\"text/css\">";
+ echo "#d123 {display:none;}";
+ echo "</style>";
+ echo "<script type=\"text/javascript\">\n";
+ echo "<!--\n";
+ echo "function toggle (target) {\n";
+ echo "var obj=document.getElementById(target);\n";
+ echo "obj.style.display=\"block\";\n";
+ echo "}\n";
+ echo "-->\n";
+ echo "</script>\n";
+
+ echo "</head>\n<body>\n";
+ echo "<h2>Authentication Succeeded</h2>\n";
+
+ echo "<p>You were successfully authenticated with User ID '<b>" . $rbachash["remote_user"] . "</b>'. You may now access remote resources using the TextGrid Lab. This window can be closed.</p>\n";
+
+ // Details -----------------------------------------------
+ echo "<p>More <a href=\"javascript:toggle('d123')\">Details</a>.</p>\n";
+ echo "<div id=\"d123\"> <h2>Authentication Details</h2>\n";
+ echo "<table><tr><td>TgAuth Instance</td><td>". $rbachash["rbacbase"] ."</td></tr>\n";
+ echo "<tr><td>Shibboleth Identity ProviderID</td><td>". $rbachash["identity_provider"] ."</td></tr>\n";
+ echo "<tr><td>Login Name</td><td>". (isset($loginname) ? $loginname : "only known at your home organization") ."</td></tr>\n";
+ echo "<tr><td>User ID Attribute Name</td><td>". $rbachash["identified_user"]['authnmethod'] ."</td></tr>\n";
+ echo "<tr><td>User ID Value </td><td>".$rbachash["remote_user"]."</td></tr>\n";
+ // echo "<tr><td>Given Name(s)</td><td>".$givennames."</td></tr>\n";
+ // echo "<tr><td>Surname(s)</td><td>".$surnames."</td></tr>\n";
+ // echo "<tr><td>Common Name(s)</td><td>".$cns."</td></tr>\n";
+ // echo "<tr><td>Mail(s)</td><td>".$mails."</td></tr>\n";
+ // echo "<tr><td>Organisation(s)</td><td>".$organisations."</td></tr>\n";
+ echo "<tr><td>TgAuth Session ID</td><td>".$rbachash["Sid"]."</td></tr></table>\n";
+ echo "</div>";
+
+ if ($slc["slcmode"]) {
+ echo "SLCButtons here";
+ }
+
+ echo "\n</body>\n</html>";
+
+ }
+
+ public function printAuthFailure($heading,$detail,$loginname,$rbachash) {
+
+ $this->printHeader("Authentication failed");
if (isset($rbachash)) {
- echo "<meta name=\"remote_principal\" content=\"". $rbachash->remote_user."\"/>\n";
- echo "<meta name=\"rbac_session_status\" content=\"". $rbachash->scstatus."\"/>\n";
- echo "<meta name=\"rbac_sessionid\" content=\"". $rbachash->newSid."\"/>\n";
+ echo "<meta name=\"remote_principal\" content=\"". $rbachash["remote_user"]."\"/>\n";
+ echo "<meta name=\"rbac_session_status\" content=\"". $rbachash["scstatus"]."\"/>\n";
+ echo "<meta name=\"rbac_sessionid\" content=\"". $rbachash["Sid"]."\"/>\n";
}
echo "<style type=\"text/css\">";
echo "#d123 {display:none;}";
@@ -39,7 +90,8 @@ class WebUtils {
echo "</head>\n\n<body>\n";
- echo "<h2>Authentication Failure, $heading</h2>\n";
+ echo "<h2>Authentication Failure</h2>\n";
+ echo "<h3>$heading</h3>\n";
echo "<p>The Authentication system could not authenticate you.</p>\n";
echo "<p>More <a href=\"javascript:toggle('d123')\">Details</a>.</p>\n";
@@ -49,20 +101,20 @@ class WebUtils {
echo "<h2>Authentication Details</h2>\n";
echo "<table>\n";
echo "<tr><td>Login Name</td><td>". $loginname ."</td></tr>\n";
- if (isset($rbachash->rbacbase)) {
- echo "<tr><td>TgAuth Instance</td><td>". $rbachash->rbacbase ."</td></tr>\n";
+ if (isset($rbachash["rbacbase"])) {
+ echo "<tr><td>TgAuth Instance</td><td>". $rbachash["rbacbase"] ."</td></tr>\n";
}
- if (isset($rbachash->identity_provider)) {
- echo "<tr><td>Shibboleth Identity ProviderID</td><td>". $rbachash->identity_provider ."</td></tr>\n";
+ if (isset($rbachash["identity_provider"])) {
+ echo "<tr><td>Shibboleth Identity ProviderID</td><td>". $rbachash["identity_provider"] ."</td></tr>\n";
}
- if (isset($rbachash->$identified_user['authnmethod'] )) {
- echo "<tr><td>User ID Attribute Name</td><td>". $rbachash->identified_user['authnmethod'] ."</td></tr>\n";
+ if (isset($rbachash["$identified_user"]['authnmethod'] )) {
+ echo "<tr><td>User ID Attribute Name</td><td>". $rbachash["identified_user"]['authnmethod'] ."</td></tr>\n";
}
- if (isset($rbachash->remote_user.)) {
- echo "<tr><td>User ID Value </td><td>".$rbachash->remote_user."</td></tr>\n";
+ if (isset($rbachash["remote_user"])) {
+ echo "<tr><td>User ID Value </td><td>".$rbachash["remote_user"]."</td></tr>\n";
}
- if (isset($rbachash->newSid.)) {
- echo "<tr><td>TgAuth Session ID</td><td>".$rbachash->newSid."</td></tr>\n";
+ if (isset($rbachash["Sid"])) {
+ echo "<tr><td>TgAuth Session ID</td><td>".$rbachash["Sid"]."</td></tr>\n";
}
echo "</table>\n";
echo "</div>";
@@ -73,6 +125,7 @@ class WebUtils {
}
public function printHeader ($title) {
+ header('Content-Type: text/html; charset=utf-8');
echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n";
echo "<html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\">\n";
echo "<head>\n";
@@ -80,5 +133,6 @@ class WebUtils {
echo "<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\" />\n";
}
-
}
+
+?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.webauth/tglib/soapTypes.inc.php b/info.textgrid.middleware.tgauth.webauth/tglib/soapTypes.inc.php
new file mode 100644
index 0000000..09f2371
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.webauth/tglib/soapTypes.inc.php
@@ -0,0 +1,528 @@
+<?php
+class authenticateRequest {
+
+ public $username;
+ public $password;
+ public $log;
+
+}
+
+class setNameRequest {
+
+ public $auth;
+ public $log;
+ public $webAuthSecret;
+ public $name;
+ public $mail;
+ public $organisation;
+ public $agreeSearch;
+
+}
+
+class authenticateResponse {
+
+ public $sid;
+
+}
+
+class getSidResponse {
+
+ public $sid;
+
+}
+
+class checkAccessRequest {
+
+ public $intSid;
+ public $operation;
+ public $resource;
+ public $sid;
+
+}
+
+class tgCheckAccessRequest {
+
+ public $auth;
+ public $log;
+ public $operation;
+ public $resource;
+ public $sid;
+
+}
+
+class tgGrantPermissionRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+ public $resource;
+ public $operation;
+
+}
+
+class tgRevokePermissionRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+ public $resource;
+ public $operation;
+
+}
+
+class getOwnerRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+
+}
+
+class getOwnerResponse {
+
+ public $owner;
+
+}
+
+class getMembersRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class deactivateProjectRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class getRightsRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+ public $username;
+
+}
+
+class publishRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+
+}
+
+class getProjectDescriptionRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class getProjectDescriptionResponse {
+
+ public $description;
+
+}
+
+class createSessionRequest {
+
+ public $intSid;
+ public $username;
+ public $roleset;
+ public $sid;
+
+}
+
+class tgAddActiveRoleRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+
+}
+
+class tgAssignedRolesRequest {
+
+ public $auth;
+ public $log;
+ public $username;
+
+}
+
+class tgAssignedProjectsRequest {
+
+ public $auth;
+ public $log;
+
+}
+
+class deleteSessionRequest {
+
+ public $intSid;
+ public $username;
+ public $sid;
+
+}
+
+class addActiveRoleRequest {
+
+ public $intSid;
+ public $username;
+ public $role;
+ public $sid;
+
+}
+
+class addUserRequest {
+
+ public $intSid;
+ public $username;
+ public $password;
+
+}
+
+class deleteUserRequest {
+
+ public $intSid;
+ public $username;
+
+}
+
+class addInheritanceRequest {
+
+ public $intSid;
+ public $ascendant;
+ public $descendant;
+
+}
+
+class deleteInheritanceRequest {
+
+ public $intSid;
+ public $ascendant;
+ public $descendant;
+
+}
+
+class addAscendantRequest {
+
+ public $intSid;
+ public $ascendant;
+ public $descendant;
+
+}
+
+class addDescendantRequest {
+
+ public $intSid;
+ public $ascendant;
+ public $descendant;
+
+}
+
+class addRoleRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class deleteRoleRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class grantPermissionRequest {
+
+ public $intSid;
+ public $resource;
+ public $operation;
+ public $role;
+
+}
+
+class revokePermissionRequest {
+
+ public $intSid;
+ public $resource;
+ public $operation;
+ public $role;
+
+}
+
+class assignUserRequest {
+
+ public $intSid;
+ public $username;
+ public $role;
+
+}
+
+class deassignUserRequest {
+
+ public $intSid;
+ public $username;
+ public $role;
+
+}
+
+class sessionRolesRequest {
+
+ public $intSid;
+ public $sid;
+
+}
+
+class assignedRolesRequest {
+
+ public $intSid;
+ public $username;
+
+}
+
+class authorizedRolesRequest {
+
+ public $intSid;
+ public $username;
+
+}
+
+class roleOperationsOnObjectRequest {
+
+ public $intSid;
+ public $role;
+ public $resource;
+
+}
+
+class userOperationsOnObjectRequest {
+
+ public $intSid;
+ public $user;
+ public $resource;
+
+}
+
+class operationsetResponse {
+
+ public $operationset;
+
+}
+
+class assignedUsersRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class authorizedUsersRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class usersetResponse {
+
+ public $username;
+
+}
+
+class rolePermissionsRequest {
+
+ public $intSid;
+ public $role;
+
+}
+
+class userPermissionsRequest {
+
+ public $intSid;
+ public $username;
+
+}
+
+class getLeaderRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class getObjectsRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+
+}
+
+class sessionPermissionsRequest {
+
+ public $intSid;
+ public $sid;
+
+}
+
+class rolesetResponse {
+
+ public $role;
+
+}
+
+class permissionsetResponse {
+
+ public $permissionset;
+
+}
+
+class resourcesetResponse {
+
+ public $resource;
+
+}
+
+class createProjectRequest {
+
+ public $auth;
+ public $log;
+ public $name;
+ public $description;
+
+}
+
+class registerResourceRequest {
+
+ public $auth;
+ public $log;
+ public $project;
+ public $uri;
+
+}
+
+class unregisterResourceRequest {
+
+ public $auth;
+ public $log;
+ public $uri;
+
+}
+
+class addMemberRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+ public $username;
+
+}
+
+class deleteMemberRequest {
+
+ public $auth;
+ public $log;
+ public $role;
+ public $username;
+
+}
+
+class createProjectResponse {
+
+ public $projectId;
+
+}
+
+class getAllProjectsResponse {
+
+ public $project;
+
+}
+
+class getAllProjectsRequest {
+
+ public $log;
+
+}
+
+class userExistsRequest {
+
+ public $auth;
+ public $log;
+ public $username;
+
+}
+
+
+class booleanResponse {
+
+ public $result;
+ public $errorCode;
+ public $errorDescription;
+
+}
+
+class filterBySidRequest {
+
+ public $auth;
+ public $log;
+ public $resource;
+ public $operation;
+
+}
+
+class filterResponse {
+
+ public $resource;
+
+}
+
+
+class permission {
+
+ public $resource;
+ public $operation;
+
+
+ public function __construct( $inOperation, $inResource ) {
+
+ $this->operation = $inOperation;
+ $this->resource = $inResource;
+
+ }
+
+}
+
+class projectInfo {
+
+ public $id;
+ public $description;
+ public $name;
+
+
+ public function __construct( $inId, $inName, $inDescription ) {
+
+ $this->id = $inId;
+ $this->description = $inDescription;
+ $this->name = $inName;
+
+ }
+
+}
+
+class checkXACMLaccessRequest {
+
+ public $request;
+
+}
+?>
--
GitLab