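<?php
// #######################################################
// Author: Martin Haase / DAASI International GmbH / TextGrid
// Creation date: 2010-09-23
// Modification date: 2010-10-19
// Version: 0.2
// #######################################################
//
// WebAuth entry point. Establishes who the caller is and then either hands a
// freshly created RBAC session over to the TextGridLab (welcome screen) or
// shows the attribute form.
//
// Three ways in, checked in this order:
//   1. loginname + password in the request -> authenticate at the community
//      LDAP, then create an RBAC session
//   2. REMOTE_USER already set by the web server (Shibboleth) -> create an
//      RBAC session
//   3. only a Sid in the request -> reuse an existing RBAC session; NO
//      authentication happens on this path
// Every path requires authZinstance, which selects the RBAC instance in
// $configfile.

include("../tglib/LDAP.class.php");
include("../tglib/RBAC.class.php");
include("../tglib/WebUtils.class.php");

$configfile = "../../../config_tgwebauth.xml";
$util = new WebUtils;

// Returns the request parameter $name as a string, or null when it is absent,
// empty, or not a string. Request parameters can arrive as arrays (foo[]=x);
// treating those as absent keeps strlen()/LDAP from ever seeing an array.
function tgwebauth_param($name)
{
    if (!isset($_REQUEST[$name]) || !is_string($_REQUEST[$name]) || strlen($_REQUEST[$name]) <= 0) {
        return null;
    }
    return $_REQUEST[$name];
}

$authZinstance = tgwebauth_param("authZinstance");
if ($authZinstance === null) {
    $util->printAuthFailure("No TgAuth Instance provided",
        "Please provide a valid string in the authZinstance variable.", null, null);
    exit;
}

$rbac = new RBAC($configfile, $authZinstance);

// Attribute-form field name -> LDAP attribute name. Used on every path
// (also Variant 3), so it is defined before branching.
$AttributeMap = array(
    'surname'      => 'sn',
    'organisation' => 'o',
    'givenname'    => 'givenName',
    'displayname'  => 'cn',
    'mail'         => 'mail',
);
// Attributes the LDAP / the Shibboleth IdP told us about; stays empty on Variant 3.
$ProvidedAttributes = array();
$loginname   = tgwebauth_param("loginname");
$password    = tgwebauth_param("password");
$AuthNResult = null;   // set only when Variant 1 authenticated successfully
$CSResult    = null;   // set only when an RBAC session was created here

// Variant 1: username/password against the community LDAP.
// NOTE(review): credentials are read from $_REQUEST, so they are also accepted
// via GET (query string -> server logs, browser history, Referer). Restricting
// the login to $_POST is recommended, but changes the interface for existing
// callers, so it is only flagged here.
if ($loginname !== null && $password !== null) {
    $ldap = new LDAP($configfile);
    $AuthNResult = $ldap->authenticate($loginname, $password);
    if (!$AuthNResult["success"]) {
        $util->printAuthFailure("Failure authenticating at TextGrid Community Account Server",
            $AuthNResult["detail"], $loginname, null);
        exit;
    }
    $ProvidedAttributes = $ldap->getUserAttributes();
    // From here on the LDAP-verified TGID plays the role that Shibboleth's
    // REMOTE_USER plays in Variant 2.
    $_SERVER["REMOTE_USER"] = $AuthNResult["TGID"];
}

if (isset($_SERVER["REMOTE_USER"])) {
    // Variant 2 (and the tail of Variant 1): create the RBAC session and
    // activate roles for REMOTE_USER, which is trusted as-is.
    // NOTE(review): on the Shibboleth path this relies on the web server
    // setting REMOTE_USER itself and never passing a client-supplied header
    // through — verify in the Apache/shibd configuration.
    $CSResult = $rbac->createSession($_SERVER["REMOTE_USER"]);
    if ($AuthNResult !== null) {
        $CSResult["rbachash"]["identity_provider"] = $AuthNResult["LDAPname"];
    } else {
        // REMOTE_USER may also come from a non-Shibboleth auth module, in
        // which case there is no Shib-Identity-Provider variable to record.
        $CSResult["rbachash"]["identity_provider"] =
            isset($_SERVER["Shib-Identity-Provider"]) ? $_SERVER["Shib-Identity-Provider"] : null;
    }
    if (!$CSResult["success"]) {
        $util->printAuthFailure("Failure Creating Session in RBAC", $CSResult["detail"],
            $loginname, $CSResult["rbachash"]);
        exit;
    }
    $Sid = $CSResult["rbachash"]["Sid"];

    if (!isset($ldap)) {
        // Shibboleth path: pick up whatever attributes the IdP released
        // besides REMOTE_USER.
        foreach (array("o", "sn", "givenName", "cn", "mail") as $attr) {
            if (isset($_SERVER[$attr])) {
                $ProvidedAttributes[$attr] = $_SERVER[$attr];
            }
        }
    }
} else {
    // Variant 3: the caller already holds a session and only wants to view
    // (and update) user attributes.
    $Sid = tgwebauth_param("Sid");
    if ($Sid === null) {
        trigger_error("WebAuth does not know what to do (no login provided, no remote user, and no session Id), exiting.", E_USER_WARNING);
        exit;
    }
    // NOTE(review): nothing here proves that the caller owns this Sid — whoever
    // presents a valid Sid can read and update that session's attributes. This
    // is only acceptable if the RBAC layer validates the Sid and Sids are
    // unguessable; confirm both in RBAC.class.php.
}

// Whatever the path, the attributes of record live in RBAC.
$attributes = $rbac->getUserAttributes($Sid);

if ($rbac->enoughUserAttributes($Sid) && isset($_SERVER["REMOTE_USER"])) {
    // Session just created and RBAC already knows enough: print the welcome
    // screen so the TextGridLab takes over the Sid. Pushing possibly newer
    // attributes from LDAP/IdP afterwards is second-order; its outcome is not
    // reported.
    $util->printAuthSuccess("Authentication Succeeded",
        $loginname !== null ? $loginname : $_SERVER["REMOTE_USER"],
        $CSResult["rbachash"], $rbac->slcData());
    $rbac->updateAttributes($ProvidedAttributes, $AttributeMap, $Sid);
} else {
    // Show the attribute form; JavaScript takes care of the non-empty check
    // and the help. The form returns either the Sid (for display) or an ACK.
    // On Variant 3 there is no REMOTE_USER, so pass null instead of an
    // undefined index.
    $util->printAttributeForm($attributes, $ProvidedAttributes, $AttributeMap, $Sid,
        $authZinstance, isset($_SERVER["REMOTE_USER"]) ? $_SERVER["REMOTE_USER"] : null);
}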