Commit 73866981 authored by Martin Haase's avatar Martin Haase

SLC issuing now fully integrated into the new (test) WebAuth at ws3

git-svn-id: https://textgridlab.org/svn/textgrid/trunk/middleware/tgauth@7784 7c539038-3410-0410-b1ec-0f2a7bf1c452
parent cd869a94
...@@ -4,12 +4,11 @@ import java.util.Arrays; ...@@ -4,12 +4,11 @@ import java.util.Arrays;
/** /**
* Class to Register Members at VOMRS automatically * Class to Register Members at VOMRS automatically
*/ */
public class Autoreg public class Autoreg {
{
public static void main(String [] args) throws Exception { public static void main(String [] args) throws Exception {
if (args.length < 7) { if (args.length < 5) {
System.out.println("Sorry, not enough information, cannot register"); System.out.println("Sorry, not enough information, cannot register");
System.out.println("I want: subject_dn issuer_dn serialNumber email Firstname Lastname Phone"); System.out.println("I want: subject_dn issuer_dn serialNumber email 'Attr1name,Attr1value,Attr2name,Attr2value,...'");
return; return;
} }
String r_dn = args[0]; // subject_dn String r_dn = args[0]; // subject_dn
...@@ -21,7 +20,7 @@ public class Autoreg ...@@ -21,7 +20,7 @@ public class Autoreg
String r_rights = "full"; // String r_rights = "full"; //
String r_email = args[3]; // email String r_email = args[3]; // email
String r_confirm = "N"; // String r_confirm = "N"; //
String r_pi = "First name,"+args[4]+ ",Last name,"+args[5]+ ",Phone,"+args[6]; String r_pi = args[4];
SoapClient sc = new SoapClient("https://voms.awi.de:8443/vomrs/tgtest1/services/VOMRS"); SoapClient sc = new SoapClient("https://voms.awi.de:8443/vomrs/tgtest1/services/VOMRS");
...@@ -32,11 +31,12 @@ public class Autoreg ...@@ -32,11 +31,12 @@ public class Autoreg
System.out.println(s); System.out.println(s);
}*/ }*/
if (Arrays.asList(members).contains(r_dn)) if (Arrays.asList(members).contains(r_dn)) {
{ // TODO XXXXXX check if Details have changed
System.out.println("Member is already registered: " + r_dn); System.out.println("Member is already registered: " + r_dn);
return; return;
} }
Object o2 = sc.execute("registerMember", new String[]{r_dn, r_ca, r_sn, r_in, r_repdn, r_repca, r_rights, r_email, r_confirm, r_pi}); Object o2 = sc.execute("registerMember", new String[]{r_dn, r_ca, r_sn, r_in, r_repdn, r_repca, r_rights, r_email, r_confirm, r_pi});
// o2 is null, this execute() returns nothing // o2 is null, this execute() returns nothing
......
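Review bot: The attribute list taken from args[4] at line 30 is forwarded to registerMember as r_pi without checking that it really holds name,value pairs, and the Perl caller in this commit joins the values with a bare comma, so any attribute value containing a comma (a street like "Main St, Apt 3") shifts every following name/value pairing. Reject malformed input before the SOAP call, e.g. `if (r_pi.split(",", -1).length % 2 != 0) { System.out.println("Attribute list must be name,value pairs"); return; }`, and agree on an escaping rule with the caller. The `// TODO XXXXXX check if Details have changed` line at 36 should say which details are meant or reference a ticket. main continues past the last hunk.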
sslCAFiles = /etc/grid-security/certificates/*.0 sslCAFiles = /etc/grid-security/certificates/*.0
sslKey = /var/www/.globus/userkey.pem sslKey = /var/.globus/userkey.pem
sslCertfile = /var/www/.globus/usercert.pem sslCertfile = /var/.globus/usercert.pem
...@@ -67,9 +67,9 @@ foreach ($attributes as $a) { ...@@ -67,9 +67,9 @@ foreach ($attributes as $a) {
} }
} }
$file = fopen ("/tmp/xxxUR.log", "w+"); //$file = fopen ("/tmp/xxxUR.log", "w+");
fwrite ($file, "putting these attrs: ". serialize ($newattributes) ."\n"); //fwrite ($file, "putting these attrs: ". serialize ($newattributes) ."\n");
fclose ($file); //fclose ($file);
$res = $rbac->setAttributes($newattributes, $Sid, $loginmode ); $res = $rbac->setAttributes($newattributes, $Sid, $loginmode );
...@@ -84,11 +84,11 @@ if ($loginmode) { ...@@ -84,11 +84,11 @@ if ($loginmode) {
array("remote_user" => $remote_user, array("remote_user" => $remote_user,
"scstatus" => "set Attributes", "scstatus" => "set Attributes",
"Sid" => $Sid, "Sid" => $Sid,
"rbacbase" => $authZinstance, "authZinstance" => $authZinstance,
"identity_provider" => "unknown", "identity_provider" => "unknown",
"identified_user" => array("authnmethod" => "ePPN") "identified_user" => array("authnmethod" => "ePPN")
), ),
array("slcmode" => FALSE) // SLCs only via Shibboleth $rbac->slcData()
); );
} else { } else {
$util->printSetAttributesSuccess($thedisplayname); $util->printSetAttributesSuccess($thedisplayname);
......
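Review bot: The debug logging at lines 49-51 is commented out rather than deleted; commented-out code tends to get re-enabled, and this block wrote the serialized attribute set of the current user to a shared /tmp path, so remove the three lines outright. Line 57 renames the key handed to printSetAttributesSuccess from "rbacbase" to "authZinstance" while the value stays $authZinstance; any consumer that still reads "rbacbase" from this array now gets null, which is worth a grep before merge. The enclosing if ($loginmode) block starts outside the hunk.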
...@@ -53,6 +53,8 @@ if (isset ($_SERVER["REMOTE_USER"])) { // this holds for shib, too ...@@ -53,6 +53,8 @@ if (isset ($_SERVER["REMOTE_USER"])) { // this holds for shib, too
$CSResult = $rbac->createSession( $_SERVER["REMOTE_USER"] ); $CSResult = $rbac->createSession( $_SERVER["REMOTE_USER"] );
if (isset ($AuthNResult)) { if (isset ($AuthNResult)) {
$CSResult["rbachash"]["identity_provider"] = $AuthNResult["LDAPname"]; $CSResult["rbachash"]["identity_provider"] = $AuthNResult["LDAPname"];
} else {
$CSResult["rbachash"]["identity_provider"] = $_SERVER["Shib-Identity-Provider"];
} }
if (!$CSResult["success"]) { if (!$CSResult["success"]) {
...@@ -96,9 +98,9 @@ $attributes = $rbac->getUserAttributes( $Sid ); ...@@ -96,9 +98,9 @@ $attributes = $rbac->getUserAttributes( $Sid );
// the TextGridLab to take over the Sid // the TextGridLab to take over the Sid
if ($rbac->enoughUserAttributes( $Sid ) && isset ($_SERVER["REMOTE_USER"])) { if ($rbac->enoughUserAttributes( $Sid ) && isset ($_SERVER["REMOTE_USER"])) {
$util->printAuthSuccess("Authentication Succeeded", $util->printAuthSuccess("Authentication Succeeded",
$_REQUEST["loginname"], isset($_REQUEST["loginname"]) ? $_REQUEST["loginname"] : $_SERVER["REMOTE_USER"],
$CSResult["rbachash"], $CSResult["rbachash"],
array("slcmode" => FALSE) // SLCs only via Shibboleth $rbac->slcData()
); );
$rbac->updateAttributes ( $ProvidedAttributes, $AttributeMap, $Sid ); // not vital and second-order $rbac->updateAttributes ( $ProvidedAttributes, $AttributeMap, $Sid ); // not vital and second-order
} else { } else {
......
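Review bot: The new else branch at line 71 reads $_SERVER["Shib-Identity-Provider"] unguarded, so a login with REMOTE_USER set but without AuthNResult and without that server variable raises an undefined-index notice and stores null as identity_provider. Guard it with the same "unknown" fallback the setAttributes page in this commit uses: `$CSResult["rbachash"]["identity_provider"] = isset($_SERVER["Shib-Identity-Provider"]) ? $_SERVER["Shib-Identity-Provider"] : "unknown";`. The enclosing if (isset ($_SERVER["REMOTE_USER"])) block starts outside the hunk.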
...@@ -139,6 +139,8 @@ EOF ...@@ -139,6 +139,8 @@ EOF
registerUserAtVOMRS ( registerUserAtVOMRS (
"/usr/local/bin/VOMRSclient/bin/runAutoregClient.sh", "/usr/local/bin/VOMRSclient/bin/runAutoregClient.sh",
$certificate, $certificate,
$slcConfig->{rbacbase},
$sid
); );
print $cgi->end_html(); print $cgi->end_html();
...@@ -158,8 +160,85 @@ sub handleRejected ...@@ -158,8 +160,85 @@ sub handleRejected
# Utility functions # Utility functions
# #
### we cannot use &invokeWebservice as SOAP::Lite only unwillingly treats XML attributes right
### however, the Web Service returns datastructures with XML attributes, such as:
#<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://textgrid.info/namespaces/middleware/tgauth">
# <SOAP-ENV:Body>
# <ns1:getMyUserAttributesResponse>
# <attribute name="givenname" mandatory="true" displayname="Given Name">
# <value>Martin</value>
# <description>Your First Name</description>
# </attribute>
# <attribute name="surname" mandatory="true" displayname="Surname">
# <value>Haase</value>
# <description>Your Last Name</description>
# </attribute>
# ...
# The mapping onto D-Grid VOMRS attribute names from ours (e.g. 'street' => 'Street or P.O. Box') is also done here
sub getAttributes {
my ($rbacbase, $sid) = @_;
my ($endpointInWSDL,$namespace,$methodname,$arghash) =
($rbacbase . 'tgextra.php',
'http://textgrid.info/namespaces/middleware/tgauth',
'getMyUserAttributesRequest',
{'auth' => $sid }
);
use SOAP::Lite;
my $soap = SOAP::Lite->new( proxy => $endpointInWSDL);
$soap->default_ns($namespace);
@args = ();
foreach $k (keys %{$arghash}) {
push @args, SOAP::Data->name($k)->value( $arghash->{$k});
}
my $result = $soap->call( $methodname, @args );
die $result->fault->{ faultstring } if ($result->fault);
$i=0;
$attrs = $result->freeform->{'attribute'};
foreach my $a ($result->dataof("//attribute/")) {
$attrs->[$i]->{'name'} = $a->attr->{'name'};
$i++;
}
my %vomrsmap = ('givenname' => 'First name',
'surname' => 'Last name',
#'displayname' => '',
#'mail' => '',
'organisation' => 'Institute or Department',
#'orgunit' => '',
'street' => 'Street or P.O. Box',
'plz' => 'Zipcode',
'city' => 'City',
'country' => 'Country',
'tel' => 'Phone',
'citizenship' => 'Nationality',
#'interest' => '',
#'personid' => '',
#'agreesearch' => '',
);
%result = ();
foreach $entry (@{$attrs}) {
if (exists $vomrsmap{$entry->{'name'}}) {
$result{$vomrsmap{$entry->{'name'}}} = $entry->{'value'};
}
}
return \%result;
}
sub registerUserAtVOMRS { sub registerUserAtVOMRS {
my ($registerScript, $pem) = @_; my ($registerScript, $pem, $rbacbase, $sid) = @_;
$attrhash = getAttributes ($rbacbase, $sid);
use Crypt::OpenSSL::X509; use Crypt::OpenSSL::X509;
...@@ -170,14 +249,18 @@ sub registerUserAtVOMRS { ...@@ -170,14 +249,18 @@ sub registerUserAtVOMRS {
my $mail = $crt->email(); my $mail = $crt->email();
my $serial = $crt->serial(); my $serial = $crt->serial();
my ($firstname, $lastname ) = getSLCname ($dn_commas); # my ($firstname, $lastname ) = getSLCname ($dn_commas);
my $dn = commas2slashes ($dn_commas); my $dn = commas2slashes ($dn_commas);
my $ca = commas2slashes ($ca_commas); my $ca = commas2slashes ($ca_commas);
my $phone = "0123456789"; # well, we really don't have it anywhere $personalinfo = "";
foreach $key (keys %{$attrhash}) {
$personalinfo = $personalinfo . $key . ',' . $attrhash->{$key} . ',';
}
chop $personalinfo;
system "$registerScript '$dn' '$ca' '$serial' '$mail' '$firstname' '$lastname' '$phone' >/dev/null"; system "$registerScript '$dn' '$ca' '$serial' '$mail' '$personalinfo' >/dev/null";
} }
...@@ -210,10 +293,16 @@ sub getConfig { ...@@ -210,10 +293,16 @@ sub getConfig {
@instance = grep $_->{'instance'} eq $authZinstance, @{$data->{'authz'}}; @instance = grep $_->{'instance'} eq $authZinstance, @{$data->{'authz'}};
$SLCoptions = @instance[0]->{'SLCsupport'}; if (scalar @instance != 1) {
errorExit("Please specify valid and unique RBAC instance");
} else {
$rbacInstance = $instance[0];
}
$SLCoptions = $rbacInstance ->{'SLCsupport'};
return { return {
rbacbase => @instance[0]->{rbacbase}, rbacbase => $rbacInstance->{rbacbase},
noDelegationURL => $SLCoptions->{noDelegationURL}, noDelegationURL => $SLCoptions->{noDelegationURL},
portalDelegationURL => $SLCoptions->{portalDelegationURL}, portalDelegationURL => $SLCoptions->{portalDelegationURL},
SLCSaddress => $SLCoptions->{SLCSaddress} SLCSaddress => $SLCoptions->{SLCSaddress}
......
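Review bot: `system "$registerScript '$dn' '$ca' '$serial' '$mail' '$personalinfo' >/dev/null";` at line 173 interpolates attribute values that, judging by descriptions such as 'Your First Name', users set themselves into a single-quoted shell string, and nothing in getAttributes removes a single quote from them, so a value with an apostrophe ends the quoting and the rest is parsed as shell syntax; before this change only certificate-derived fields were interpolated. Use the list form, which bypasses the shell: `system($registerScript, $dn, $ca, $serial, $mail, $personalinfo) == 0 or warn "VOMRS registration failed: $?";`, and silence the script's own output inside runAutoregClient.sh if it must stay quiet. The joined string is also ambiguous when a value contains a comma (line 170 does no escaping), and getAttributes relies on undeclared globals (@args, $k, $i, $attrs, %result, $entry) that break under use strict, so declare them with my. Line 165 leaves a commented-out call; delete it rather than keep it.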
...@@ -12,6 +12,8 @@ mb_internal_encoding("UTF-8"); ...@@ -12,6 +12,8 @@ mb_internal_encoding("UTF-8");
class RBAC { class RBAC {
// Global variables // Global variables
protected $authZinstance;
protected $rbacbase; protected $rbacbase;
protected $sessionCreatorUid; protected $sessionCreatorUid;
protected $sessionCreatorPw; protected $sessionCreatorPw;
...@@ -37,12 +39,25 @@ class RBAC { ...@@ -37,12 +39,25 @@ class RBAC {
echo "Error: '${authZinstance}' has no RBAC base configured!<br/>\n"; echo "Error: '${authZinstance}' has no RBAC base configured!<br/>\n";
return null; return null;
} }
$this->authZinstance = $authZinstance;
$this->rbacbase = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:rbacbase")->item(0)->nodeValue; $this->rbacbase = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:rbacbase")->item(0)->nodeValue;
$this->sessionCreatorUid = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:sessioncreator/c:user")->item(0)->nodeValue; $this->sessionCreatorUid = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:sessioncreator/c:user")->item(0)->nodeValue;
$this->sessionCreatorPw = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:sessioncreator/c:password")->item(0)->nodeValue; $this->sessionCreatorPw = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:sessioncreator/c:password")->item(0)->nodeValue;
$this->setnamessecret = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:setnamessecret")->item(0)->nodeValue; $this->setnamessecret = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:setnamessecret")->item(0)->nodeValue;
$this->SLCdata = array();
$slcSupportEnabling = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:SLCsupport/@enable");
if ($slcSupportEnabling->length > 0 && $slcSupportEnabling->item(0)->nodeValue === 'true') {
$this->SLCdata['slcMode'] = TRUE;
$this->SLCdata['slcEntitlementAttributeName'] = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:SLCsupport/c:entitlementAttr/@name")->item(0)->nodeValue;
$this->SLCdata['slcEntitlementAttributeValue'] = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:SLCsupport/c:entitlementAttr")->item(0)->nodeValue;
$this->SLCdata['slcPortalDelegationURL'] = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:SLCsupport/c:portalDelegationURL")->item(0)->nodeValue;
$this->SLCdata['slcNoDelegationURL'] = $xpath->query("/c:conf/c:authz[@instance='${authZinstance}']/c:SLCsupport/c:noDelegationURL")->item(0)->nodeValue;
} else {
$this->SLCdata['slcMode'] = FALSE;
}
// ----------------------------------------------------- // -----------------------------------------------------
// You'll need these services // You'll need these services
// ----------------------------------------------------- // -----------------------------------------------------
...@@ -53,11 +68,16 @@ class RBAC { ...@@ -53,11 +68,16 @@ class RBAC {
} }
public function slcData() {
return $this->SLCdata;
}
public function createSession ( $remote_user ) { public function createSession ( $remote_user ) {
$rbachash = array("scstatus" => "", // will collect all messages during authentication $rbachash = array("scstatus" => "", // will collect all messages during authentication
"Sid" => "none", // this will hold the final sessionId then "Sid" => "none", // this will hold the final sessionId then
"rbacbase" => $this->rbacbase, "rbacbase" => $this->rbacbase,
'authZinstance' => $this->authZinstance
); );
// ------------------------------------------------------------ // ------------------------------------------------------------
...@@ -299,6 +319,7 @@ class RBAC { ...@@ -299,6 +319,7 @@ class RBAC {
} }
} }
} }
return TRUE; return TRUE;
} }
......
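Review bot: When SLCsupport/@enable is 'true' but entitlementAttr, portalDelegationURL or noDelegationURL is missing from the config, the `->item(0)->nodeValue` chains at lines 209-212 dereference a null item, so SLCdata carries empty entries while slcMode stays TRUE and the certificate forms later get an empty action. Check each node list's length before reading it and fall back to slcMode = FALSE with an error message in the style of the missing-rbacbase case at line 197. The constructor is longer than the hunk, so the enclosing method starts outside it.
```php
$slcBase = "/c:conf/c:authz[@instance='${authZinstance}']/c:SLCsupport";
$slcRequired = array(
    'slcEntitlementAttributeName'  => "${slcBase}/c:entitlementAttr/@name",
    'slcEntitlementAttributeValue' => "${slcBase}/c:entitlementAttr",
    'slcPortalDelegationURL'       => "${slcBase}/c:portalDelegationURL",
    'slcNoDelegationURL'           => "${slcBase}/c:noDelegationURL",
);
$this->SLCdata = array('slcMode' => FALSE);
$slcSupportEnabling = $xpath->query("${slcBase}/@enable");
if ($slcSupportEnabling->length > 0 && $slcSupportEnabling->item(0)->nodeValue === 'true') {
    $this->SLCdata['slcMode'] = TRUE;
    foreach ($slcRequired as $key => $query) {
        $nodes = $xpath->query($query);
        if ($nodes->length == 0) {
            // incomplete SLC config: disable SLC rather than emit empty URLs later
            echo "Error: '${authZinstance}' enables SLC support but lacks ${query}!<br/>\n";
            $this->SLCdata = array('slcMode' => FALSE);
            break;
        }
        $this->SLCdata[$key] = $nodes->item(0)->nodeValue;
    }
}
// … unchanged: service setup …
```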
...@@ -22,7 +22,7 @@ class WebUtils { ...@@ -22,7 +22,7 @@ class WebUtils {
echo "<meta name=\"remote_principal\" content=\"".$rbachash["remote_user"]."\"/>\n"; echo "<meta name=\"remote_principal\" content=\"".$rbachash["remote_user"]."\"/>\n";
echo "<meta name=\"rbac_session_status\" content=\"".$rbachash["scstatus"]."\"/>\n"; echo "<meta name=\"rbac_session_status\" content=\"".$rbachash["scstatus"]."\"/>\n";
echo "<meta name=\"rbac_sessionid\" content=\"".$rbachash["Sid"]."\"/>\n"; echo "<meta name=\"rbac_sessionid\" content=\"".$rbachash["Sid"]."\"/>\n";
if (!$slc["slcmode"]) { if (!$slc["slcMode"]) {
echo "<meta name=\"ePPNplusSID\" content=\"".$rbachash["remote_user"]."|".$rbachash["Sid"]."\"/>\n"; echo "<meta name=\"ePPNplusSID\" content=\"".$rbachash["remote_user"]."|".$rbachash["Sid"]."\"/>\n";
} }
echo "<style type=\"text/css\">"; echo "<style type=\"text/css\">";
...@@ -58,13 +58,55 @@ class WebUtils { ...@@ -58,13 +58,55 @@ class WebUtils {
echo "<tr><td>TgAuth Session ID</td><td>".$rbachash["Sid"]."</td></tr></table>\n"; echo "<tr><td>TgAuth Session ID</td><td>".$rbachash["Sid"]."</td></tr></table>\n";
echo "</div>"; echo "</div>";
if ($slc["slcmode"]) { if ($slc['slcMode']) {
echo "SLCButtons here"; echo "SLCMODE YES";
$isSLCScompatible = $this->scanEntitlements($slc);
if ($isSLCScompatible) {
echo "SLCcompatible YES";
$this->showCertificateButtons($slc,$rbachash);
} else {
$this->showCertificateInfoButton($slc,$rbachash);
}
} }
echo "\n</body>\n</html>"; echo "\n</body>\n</html>";
}
function showCertificateButtons ($slc,$rbachash) {
echo "<form method=\"get\" action=\"". $slc['slcPortalDelegationURL'] ."\">\n";
echo "<input type=\"hidden\" name=\"userDetails\" value=\"" . $rbachash['remote_user'] . "|" .$rbachash['Sid'] ."|". $rbachash['authZinstance'] . "\">\n";
echo "<input type=\"submit\" value=\"Request Certificate\">\n";
echo "</form>\n\n";
echo "<form method=\"post\" action=\"". $slc['slcNoDelegationURL'] ."\">\n";
echo "<input type=\"hidden\" name=\"ePPNplusSID\" value=\"" . $rbachash['remote_user'] . "|" .$rbachash['Sid'] . "\">\n";
echo "<input type=\"submit\" value=\"Use Existing Certificate\"/>\n";
echo "</form>\n";
}
function showCertificateInfoButton ($slc,$rbachash) {
echo "<br/><br/>Your account does not include certificate support.";
echo "<form method=\"post\" action=\"". $slc['slcNoDelegationURL'] ."\">\n";
echo "<input type=\"hidden\" name=\"ePPNplusSID\" value=\"" . $rbachash['remote_user'] . "|" .$rbachash['Sid'] . "\">\n";
echo "<input type=\"submit\" value=\"Work without Certificate\"/>\n";
echo "</form>\n";
}
function scanEntitlements ($slc) {
if (isset($_SERVER[$slc['slcEntitlementAttributeName']])) {
$entitlements = $_SERVER[$slc['slcEntitlementAttributeName']];
$arrEntitlements = explode( ";", $entitlements);
foreach ($arrEntitlements as $ent) {
if ($ent === $slc['slcEntitlementAttributeValue']) {
return TRUE;
}
}
}
return FALSE;
} }
public function printAuthFailure($heading,$detail,$loginname,$rbachash) { public function printAuthFailure($heading,$detail,$loginname,$rbachash) {
......
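Review bot: showCertificateButtons and showCertificateInfoButton (lines 261-277) interpolate $rbachash['remote_user'], $rbachash['Sid'], $rbachash['authZinstance'] and the two configured URLs into HTML attribute values without htmlspecialchars(), so a double quote in any of them breaks out of the attribute; remote_user is an IdP-asserted principal that this page should not have to trust for markup safety. The first form also sends userDetails, which embeds the session id, with method="get", so the Sid lands in the query string, access logs and Referer headers; use post as the second form does unless the delegation endpoint requires GET. The debug echoes "SLCMODE YES" and "SLCcompatible YES" at lines 250 and 253 reach the user-facing page and should go, and the three new methods lack the visibility keyword the rest of the class uses. A small escaping helper covers all four call sites:
```php
// escapes a value for use inside a double-quoted HTML attribute
private function attr($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

public function showCertificateButtons ($slc,$rbachash) {
    $userDetails = $rbachash['remote_user'] . "|" . $rbachash['Sid'] . "|" . $rbachash['authZinstance'];
    $ePPNplusSID = $rbachash['remote_user'] . "|" . $rbachash['Sid'];
    echo "<form method=\"post\" action=\"" . $this->attr($slc['slcPortalDelegationURL']) . "\">\n";
    echo "<input type=\"hidden\" name=\"userDetails\" value=\"" . $this->attr($userDetails) . "\">\n";
    // … unchanged: submit button and closing form …
    echo "<form method=\"post\" action=\"" . $this->attr($slc['slcNoDelegationURL']) . "\">\n";
    echo "<input type=\"hidden\" name=\"ePPNplusSID\" value=\"" . $this->attr($ePPNplusSID) . "\">\n";
    // … unchanged: submit button and closing form …
}
// … showCertificateInfoButton: same escaping on its action and hidden value …
```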