|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Copyright (C) 2016 SURFnet. |
|
4
|
|
|
* |
|
5
|
|
|
* This program is free software: you can redistribute it and/or modify |
|
6
|
|
|
* it under the terms of the GNU Affero General Public License as |
|
7
|
|
|
* published by the Free Software Foundation, either version 3 of the |
|
8
|
|
|
* License, or (at your option) any later version. |
|
9
|
|
|
* |
|
10
|
|
|
* This program is distributed in the hope that it will be useful, |
|
11
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
12
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
13
|
|
|
* GNU Affero General Public License for more details. |
|
14
|
|
|
* |
|
15
|
|
|
* You should have received a copy of the GNU Affero General Public License |
|
16
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
17
|
|
|
*/ |
|
18
|
|
|
|
|
19
|
|
|
namespace SURFnet\VPN\Common\Http; |
|
20
|
|
|
|
|
21
|
|
|
use SURFnet\VPN\Common\Http\Exception\HttpException; |
|
22
|
|
|
|
|
23
|
|
|
class MellonAuthenticationHook implements BeforeHookInterface |
|
24
|
|
|
{ |
|
25
|
|
|
/** @var SessionInterface */ |
|
26
|
|
|
private $session; |
|
27
|
|
|
|
|
28
|
|
|
/** @var string */ |
|
29
|
|
|
private $userIdAttribute; |
|
30
|
|
|
|
|
31
|
|
|
/** @var bool */ |
|
32
|
|
|
private $addEntityId; |
|
33
|
|
|
|
|
34
|
|
|
/** @var array|null */ |
|
35
|
|
|
private $userIdAuthorization = null; |
|
36
|
|
|
|
|
37
|
|
|
/** @var string|null */ |
|
38
|
|
|
private $entitlementAttribute = null; |
|
39
|
|
|
|
|
40
|
|
|
/** @var array|null */ |
|
41
|
|
|
private $entitlementAuthorization = null; |
|
42
|
|
|
|
|
43
|
|
|
public function __construct(SessionInterface $session, $userIdAttribute, $addEntityId) |
|
44
|
|
|
{ |
|
45
|
|
|
$this->session = $session; |
|
46
|
|
|
$this->userIdAttribute = $userIdAttribute; |
|
47
|
|
|
$this->addEntityId = $addEntityId; |
|
48
|
|
|
} |
|
49
|
|
|
|
|
50
|
|
|
public function enableUserIdAuthorization(array $userIdAuthorization) |
|
51
|
|
|
{ |
|
52
|
|
|
$this->userIdAuthorization = $userIdAuthorization; |
|
53
|
|
|
} |
|
54
|
|
|
|
|
55
|
|
|
public function enableEntitlementAuthorization($entitlementAttribute, array $entitlementAuthorization) |
|
56
|
|
|
{ |
|
57
|
|
|
$this->entitlementAttribute = $entitlementAttribute; |
|
58
|
|
|
$this->entitlementAuthorization = $entitlementAuthorization; |
|
59
|
|
|
} |
|
60
|
|
|
|
|
61
|
|
|
public function executeBefore(Request $request, array $hookData) |
|
62
|
|
|
{ |
|
63
|
|
|
$userId = $request->getHeader($this->userIdAttribute); |
|
64
|
|
|
if ($this->addEntityId) { |
|
65
|
|
|
// add the entity ID to the user ID, this is used when we have |
|
66
|
|
|
// different IdPs that do not guarantee uniqueness among the used |
|
67
|
|
|
// user identifier attribute, e.g. NAME_ID or uid |
|
68
|
|
|
$userId = sprintf( |
|
69
|
|
|
'%s_%s', |
|
70
|
|
|
// strip out all "special" characters from the entityID, just |
|
71
|
|
|
// like mod_auth_mellon does |
|
72
|
|
|
preg_replace('/__*/', '_', preg_replace('/[^A-Za-z.]/', '_', $request->getHeader('MELLON_IDP'))), |
|
73
|
|
|
$userId |
|
74
|
|
|
); |
|
75
|
|
|
} |
|
76
|
|
|
|
|
77
|
|
|
$this->verifyUserIdAuthorization($request); |
|
78
|
|
|
$this->verifyEntitlementAuthorization($request); |
|
79
|
|
|
|
|
80
|
|
|
if ($this->session->has('_mellon_auth_user')) { |
|
81
|
|
|
if ($userId !== $this->session->get('_mellon_auth_user')) { |
|
82
|
|
|
// if we have an application session where the user_id does not |
|
83
|
|
|
// match the Mellon user_id we destroy the current session and |
|
84
|
|
|
// regenerate it below. |
|
85
|
|
|
$this->session->destroy(); |
|
86
|
|
|
} |
|
87
|
|
|
} |
|
88
|
|
|
$this->session->set('_mellon_auth_user', $userId); |
|
89
|
|
|
|
|
90
|
|
|
return $userId; |
|
91
|
|
|
} |
|
92
|
|
|
|
|
93
|
|
View Code Duplication |
private function verifyUserIdAuthorization(Request $request) |
|
|
|
|
|
|
94
|
|
|
{ |
|
95
|
|
|
if (!is_null($this->userIdAuthorization)) { |
|
96
|
|
|
$userIdCheck = sprintf( |
|
97
|
|
|
'%s|%s', |
|
98
|
|
|
$request->getHeader('MELLON_IDP'), |
|
99
|
|
|
$request->getHeader($this->userIdAttribute) |
|
100
|
|
|
); |
|
101
|
|
|
|
|
102
|
|
|
if (!in_array($userIdCheck, $this->userIdAuthorization)) { |
|
103
|
|
|
throw new HttpException('access forbidden (not allowed)', 403); |
|
104
|
|
|
} |
|
105
|
|
|
} |
|
106
|
|
|
} |
|
107
|
|
|
|
|
108
|
|
View Code Duplication |
private function verifyEntitlementAuthorization(Request $request) |
|
|
|
|
|
|
109
|
|
|
{ |
|
110
|
|
|
if (!is_null($this->entitlementAttribute)) { |
|
111
|
|
|
// XXX is this an array?! string? single value? multi value? |
|
112
|
|
|
$entitlementCheck = sprintf( |
|
113
|
|
|
'%s|%s', |
|
114
|
|
|
$request->getHeader('MELLON_IDP'), |
|
115
|
|
|
$request->getHeader($this->entitlementAttribute, false, 'NO_ENTITLEMENT') |
|
116
|
|
|
); |
|
117
|
|
|
|
|
118
|
|
|
if (!in_array($entitlementCheck, $this->entitlementAuthorization)) { |
|
119
|
|
|
throw new HttpException('access forbidden (not entitled)', 403); |
|
120
|
|
|
} |
|
121
|
|
|
} |
|
122
|
|
|
} |
|
123
|
|
|
} |
|
124
|
|
|
|
eduvpn /
vpn-lib-common
Loading history...
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.
You can also find more detailed suggestions in the “Code” section of your repository.