From 676612f446f5df318343de1eb1c37b94a9c4ce50 Mon Sep 17 00:00:00 2001
From: "Stefan E. Funk" <funk@sub.uni-goettingen.de>
Date: Tue, 2 Jun 2015 15:42:22 +0200
Subject: [PATCH] Added WebAuthN and TextGrid-WebAuth again for local LDAP
 login. Can be configured in Puppet configuration of TextGrid VMs. Is to be
 set in the TextGrid confserv.

---
 .../WebAuthN/TextGrid-WebAuth.php             | 163 ++++++++++++++++++
 .../WebAuthN/WebAuthN.php                     |  68 ++++++++
 2 files changed, 231 insertions(+)
 create mode 100644 info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth.php
 create mode 100644 info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN.php

diff --git a/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth.php b/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth.php
new file mode 100644
index 0000000..3cff6ce
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth.php
@@ -0,0 +1,163 @@
+<?php
+// #######################################################
+// Author: Martin Haase / DAASI International GmbH / TextGrid
+// Creation date: 2010-09-23
+// Modification date: 2010-10-19
+// Version: 0.2
+// #######################################################
+
+include("../tglib/LDAP.class.php");
+include("../tglib/RBAC.class.php");
+include("../tglib/WebUtils.class.php");
+
+$configfile = "/etc/textgrid/tgauth/conf/config_tgwebauth.xml";
+
+$util = new WebUtils;
+
+$authZinstance = $_REQUEST["authZinstance"];
+
+if ( !(isset($authZinstance)) || strlen($authZinstance) <= 0 ) {
+  $util->printAuthFailure("no_tgauth_instance_heading", 
+		      "no_tgauth_instance_detail", 
+		      null, 
+		      null );
+  exit;
+}
+
+$rbac = new RBAC ( $configfile, $authZinstance );
+
+// Variant 1: Authentication at Community LDAP
+if (isset ($_REQUEST["loginname"]) && strlen($_REQUEST["loginname"]) > 0
+    && isset ($_REQUEST["password"]) && strlen($_REQUEST["password"]) > 0) {
+  // now authenticating
+  $ldap = new LDAP ( $configfile );
+  $AuthNResult = $ldap->authenticate($_REQUEST["loginname"], $_REQUEST["password"]);
+  if (! $AuthNResult["success"]) {
+    $util->printAuthFailure("authn_failure_heading", 
+			$AuthNResult["detail"], 
+			$_REQUEST["loginname"], 
+			null ); 
+    exit;
+  }
+  $ProvidedAttributes = $ldap->getUserAttributes();
+  $_SERVER["REMOTE_USER"] = $AuthNResult["TGID"];
+}
+
+
+// Variant 2: Shibboleth gave us the right REMOTE_USER. 
+// We create a Session here in RBAC, also for Variant1
+if (isset ($_SERVER["REMOTE_USER"])) { // this holds for both shib and ldap authN
+
+  // now creating session, activating roles, etc, in RBAC
+
+  $CSResult = $rbac->createSession( $_SERVER["REMOTE_USER"] );
+  if (isset ($AuthNResult)) {
+    $CSResult["rbachash"]["identity_provider"] = $AuthNResult["LDAPname"];
+  } else {
+    $CSResult["rbachash"]["identity_provider"] = $_SERVER["Shib-Identity-Provider"];
+  }
+
+  if (!$CSResult["success"]) {
+    $util->printAuthFailure("sid_create_failure_heading", 
+			    $CSResult["detail"], 
+			    $_REQUEST["loginname"], 
+			    $CSResult["rbachash"]
+			    ); 
+    exit;
+  }
+  $Sid = $CSResult["rbachash"]["Sid"];
+
+  $AttributeMap = Array ('surname' => 'sn',
+			 'organisation' => 'o',
+			 'givenname' => 'givenName',
+			 'displayname' => 'cn',
+			 'mail' => 'mail'
+			 );
+  if (!isset ($ldap)) {
+    $ProvidedAttributes = Array();
+    // this is the list of attributes Shibboleth might give to us except from remote_user
+    foreach (array ("o", "sn", "givenName", "cn", "mail") as $a) {
+      if (isset($_SERVER[$a])) { $ProvidedAttributes[$a] = $_SERVER[$a];}
+    }
+  }
+} 
+// This is Variant 3: No Session Creation, but just a desire to see (and update) User Attributes
+else if (isset ($_REQUEST["Sid"]) && strlen($_REQUEST["Sid"]) > 0 )  {
+// we might have come directly here using the sid and use an earlier session
+  $Sid = $_REQUEST["Sid"];
+}
+// not enough information, exiting. 
+  else 
+  {
+     
+    // check if we came via Shibboleth, but without an eduPersonPrincipalName 
+    // (which would have been the REMOTE_USER)
+      if (isset( $_SERVER['Shib-Session-ID'] )) {
+	  $util->printAuthFailure("shib_login_failure_heading", 
+				  "shib_login_failure_detail",
+				  "(Shibboleth login, but no ePPN provided)", 
+				  null ); 
+	exit;
+      }
+    else
+      {	
+	$missing = 0;
+	if (!isset($_REQUEST["loginname"]) || strlen($_REQUEST["loginname"]) == 0) {
+	  $missing = 1;
+	}
+	if (!isset($_REQUEST["password"]) || strlen($_REQUEST["password"]) == 0) {
+	  $missing = $missing + 2;
+	}
+  
+	if ($missing == 0) {
+	  $util->printAuthFailure("authn_failure_heading", 
+				  "authn_failure_detail_nothing_to_do",
+				  $_REQUEST["loginname"], 
+				  null ); 
+	  trigger_error("WebAuth does not know what to do (no login or password provided, no remote user, and no session Id), exiting.", E_USER_WARNING);
+	} else if ($missing == 1) {
+	  $util->printAuthFailure("authn_failure_heading", 
+				  "authn_failure_detail_id_missing",
+				  '(null)', 
+				  null ); 
+	} else if ($missing == 2) {
+	  $util->printAuthFailure("authn_failure_heading", 
+				  "authn_failure_detail_password_missing",
+				  $_REQUEST["loginname"], 
+				  null ); 
+	} else if ($missing == 3) {
+	  $util->printAuthFailure("authn_failure_heading", 
+				  "authn_failure_detail_both_missing",
+				  '(null)', 
+				  null ); 
+	}
+	exit;
+      }
+  }
+
+// no matter where we came from we need to retrieve attributes from RBAC
+$attributes = $rbac->getUserAttributes( $Sid );
+
+// if we already have enough attributes and just created a session, possibly update
+// them if there came different ones, and then finally print welcome screen causing 
+// the TextGridLab to take over the Sid
+if ($rbac->enoughUserAttributes( $Sid ) && isset ($_SERVER["REMOTE_USER"])) {
+  $util->printAuthSuccess("authn_succeeded_heading",
+			  isset($_REQUEST["loginname"]) ? $_REQUEST["loginname"] : $_SERVER["REMOTE_USER"],
+			  $CSResult["rbachash"],
+			  $rbac->slcData()
+			  ); 
+  $rbac->updateAttributes ( $ProvidedAttributes, $AttributeMap, $Sid ); //  not vital and second-order
+} else {
+  // now presenting the form, let JavaScript take care for the non-empty-check and the help
+  // the form will return either displaying the Sid or just an ACK
+  if (isset ($_SERVER["REMOTE_USER"])) {
+    $util->printAttributeForm( $attributes, $ProvidedAttributes, $AttributeMap, $Sid, $authZinstance, $_SERVER["REMOTE_USER"], $rbac->ToUversion, $rbac->ToUtext);
+  } else if (isset ($_REQUEST["ePPN"]))  { // direct invocation of userdata modification dialogue
+    $util->printAttributeForm( $attributes, null, null, $Sid, $authZinstance, $_REQUEST["ePPN"], $rbac->ToUversion, $rbac->ToUtext);
+  } else {
+    echo "Could not modify attributes, not enough information";
+  }
+}
+
+?>
diff --git a/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN.php b/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN.php
new file mode 100644
index 0000000..5a40b1b
--- /dev/null
+++ b/info.textgrid.middleware.tgauth.webauth/WebAuthN/WebAuthN.php
@@ -0,0 +1,68 @@
+<?php
+// #######################################################
+// Author: Martin Haase / DAASI International GmbH
+// Creation date: 02.12.2008
+// Modification date: 01/14/2015 (fu)
+// Version: 3.0 (ab TextGridLab 2.2)
+// #######################################################
+
+ob_start();
+require_once '../i18n_inc/class.I18Nbase.inc.php';
+$t = new I18Ntranslator();
+
+
+header("Content-Type: text/html; charset=UTF-8");
+
+$authZinstance = $_REQUEST["authZinstance"];
+if ($authZinstance == null) {
+   echo $t->_('no_tgauth_instance_heading') . "\n";
+   echo $t->_('no_tgauth_instance_detail');
+   exit;
+}
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+    <head>
+      <meta charset="utf-8">
+      <meta http-equiv="X-UA-Compatible" content="IE=edge">
+      <title>TextGrid WebAuth</title>
+      <!-- Bootstrap -->
+      <link href="./css/app-bootstrap.css" rel="stylesheet" media="screen">
+    </head>
+    <body class="login">
+    <header>
+      <div class="container">
+      <img class="login-headline" src="./img/textgridlab-login.png" alt="TextGridLab-Login" />
+      </div>
+    </header>
+    <div class="container">
+    <div class="row">
+      <div class="col-xs-6">
+        <h3><?php echo $t->_('login_option_ldap');?></h3>
+         <form action="TextGrid-WebAuth.php" method="post" name="textgriddeform">
+            <div class="form-group">
+              <label for="loginname"><?php echo $t->_('login_label_id');?></label>
+              <input type="text" class="form-control" name="loginname" id="loginname"
+	        value="Login ID" onclick="MachLeer()">
+            </div>
+            <div class="form-group">
+              <label for="password"><?php echo $t->_('login_label_password');?></label>
+              <input type="password" class="form-control" name="password" id="password">
+            </div>
+	    <?php echo "<input name=\"authZinstance\" type=\"hidden\" value=\"". $authZinstance . "\">"; ?>
+            <button type="submit" class="btn btn-primary btn-block primary-login">Login</button>
+        </form>
+	<script type="text/javascript">
+	  document.textgriddeform.loginname.focus();
+	  document.textgriddeform.loginname.select();
+	  function MachLeer () {
+	    if (document.textgriddeform.loginname.value == "Login ID") {
+              document.textgriddeform.loginname.value = "";
+	    }
+	  }
+	</script>
+      </div>
+    </div>
+    </div>
+    </body>
+</html>
-- 
GitLab