\n";
foreach(array_keys($_COOKIE) as $key) {
if(preg_match('/^_shibsession[_0-9a-fA-F]+$/', $key))
setcookie($key, "", time() - 10, "/", $_SERVER['SERVER_NAME']);
}
# redirect to main select auth page
header("Location: " . BASEURL . SCRIPT . "?mode=selectauth");
dbDisconnect();
exit;
}
print "
Error with Shibboleth authentication
\n";
print "You have attempted to log in using Shibboleth from an
\n";
print "institution that does not allow VCL to see your
\n";
print "eduPersonPrincipalName.
\n";
print "You need to contact the administrator of your institution's
\n";
print "IdP to have eduPersonPrincipalName made available to VCL in
\n";
print "order to log in using Shibboleth.\n";
$msg = "Someone tried to log in to VCL using Shibboleth from an IdP "
. "that does not release eppn to us.\n\n"
. "The following data was in \$_SERVER:\n\n";
foreach($_SERVER as $key => $val)
$msg .= "$key => $val\n";
$mailParams = "-f" . ENVELOPESENDER;
mail(ERROREMAIL, "Error with VCL pages (eppn not provided)", $msg, '', $mailParams);
dbDisconnect();
exit;
}
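// open keys
# Load the key pair used for the VCL auth cookie. Both files are read with
# the same fixed 8192-byte buffer as before. A missing/unreadable file or an
# unparsable PEM now fails closed through abort() instead of first raising
# warnings from fread()/fclose() on a false handle.
# $pemkey (private key passphrase) is expected to be defined earlier in the
# file; it is not set anywhere in this section.
$key = false;
if(($fp = fopen(".ht-inc/keys.pem", "r")) !== false) {
    $key = fread($fp, 8192);
    fclose($fp);
}
$keys["private"] = ($key === false) ? false : openssl_pkey_get_private($key, $pemkey);
if(! $keys['private'])
    abort(6);
$key = false;
if(($fp = fopen(".ht-inc/pubkey.pem", "r")) !== false) {
    $key = fread($fp, 8192);
    fclose($fp);
}
$keys["public"] = ($key === false) ? false : openssl_pkey_get_public($key);
if(! $keys['public'])
    abort(7);
# NOTE(review): $keys is not read again in this section; presumably consumed
# by getAuthCookieData() via global scope - confirm.

# get VCL affiliation from shib affiliation
# eppn may be multi-valued (';'-separated); only the first value is used and
# it is split into local part and scope at '@'.
$tmp = explode(';', $_SERVER['eppn']);
$tmp = explode('@', $tmp[0]);
$username = strtolower($tmp[0]);
# An eppn without a scope ("user" instead of "user@idp.example") used to
# leave $tmp[1] undefined: the empty scope turned the LIKE lookup below into
# "LIKE '%'", which matches an arbitrary existing affiliation. Refuse such a
# value rather than guess an affiliation for it.
$scope = isset($tmp[1]) ? strtolower($tmp[1]) : '';
if($username === '' || $scope === '') {
    $msg = "Someone tried to log in to VCL using Shibboleth with an eppn "
         . "that has no scope (expected user@idp).\n\n"
         . "eppn: {$_SERVER['eppn']}\n";
    $mailParams = "-f" . ENVELOPESENDER;
    mail(ERROREMAIL, "Error with VCL pages (malformed eppn)", $msg, '', $mailParams);
    print "\n";
    print "Error encountered
\n";
    print "You have attempted to log in to VCL using a Shibboleth
\n";
    print "Identity Provider that VCL has not been configured to
\n";
    print "work with. VCL administrators have been notified of the
\n";
    print "problem.
\n";
    print "\n";
    dbDisconnect();
    exit;
}
# mysql_real_escape_string is connection/charset aware; mysql_escape_string
# is not (and is deprecated). The DB connection is already open here - the
# earlier error paths in this file call dbDisconnect().
$tmp1 = mysql_real_escape_string($scope);
$query = "SELECT name, shibonly FROM affiliation WHERE shibname = '$tmp1'";
$qh = doQuery($query, 101);
# if shib affiliation not already in VCL, create affiliation
if(! ($row = mysql_fetch_assoc($qh))) {
    $affil = $scope;
    # derive a candidate VCL name from the scope minus its TLD, e.g.
    # "cs.example.edu" -> "CSEXAMPLE"
    $tmp = explode('.', $affil);
    array_pop($tmp);
    $affilname = strtoupper(implode('', $tmp));
    # restrict to [A-Z0-9]: this value is interpolated into a LIKE pattern and
    # into a regex below, so nothing else may survive
    $affilname = preg_replace('/[^A-Z0-9]/', '', $affilname);
    # find the highest existing name with this prefix so a numeric suffix can
    # be appended on collision
    $query = "SELECT name, "
           . "shibname "
           . "FROM affiliation "
           . "WHERE name LIKE '$affilname%' "
           . "ORDER BY name DESC "
           . "LIMIT 1";
    $qh = doQuery($query, 101);
    if($row = mysql_fetch_assoc($qh)) {
        if(preg_match("/$affilname([0-9]+)/", $row['name'], $matches)) {
            # existing "NAME<n>": take the next number
            $cnt = (int)$matches[1] + 1;
            $newaffilname = $affilname . $cnt;
        }
        elseif($affilname != $row['name'] && $affil != $row['shibname']) {
            $newaffilname = $affilname;
        }
        else {
            # the bare name is taken by a different scope and no numbered
            # variant exists; leave this for an administrator
            $msg = "Someone tried to log in to VCL using Shibboleth from an IdP "
                 . "affiliation that could not be automatically added.\n\n"
                 . "eppn: {$_SERVER['eppn']}\n"
                 . "givenName: " . (isset($_SERVER['givenName']) ? $_SERVER['givenName'] : '') . "\n"
                 . "sn: " . (isset($_SERVER['sn']) ? $_SERVER['sn'] : '') . "\n";
            if(array_key_exists('mail', $_SERVER))
                $msg .= "mail: {$_SERVER['mail']}\n\n";
            $msg .="tried to add VCL affiliation name \"$affilname\" with "
                 . "shibname \"$affil\"";
            $mailParams = "-f" . ENVELOPESENDER;
            mail(ERROREMAIL, "Error with VCL pages (problem adding shib affil)", $msg, '', $mailParams);
            print "\n";
            print "Error encountered
\n";
            print "You have attempted to log in to VCL using a Shibboleth
\n";
            print "Identity Provider that VCL has not been configured to
\n";
            print "work with. VCL administrators have been notified of the
\n";
            print "problem.
\n";
            print "\n";
            dbDisconnect();
            exit;
        }
    }
    else
        $newaffilname = $affilname;
    $query = "INSERT INTO affiliation "
           . "(name, "
           . "shibname, "
           . "shibonly) "
           . "VALUES "
           . "('$newaffilname', "
           . "'" . mysql_real_escape_string($affil) . "', "
           . "1)";
    doQuery($query, 101, 'vcl', 1);
    unset($row);
    $row = array('name' => $newaffilname, 'shibonly' => 1);
}
$affil = $row['name'];
# create VCL userid
$userid = "$username@$affil";
if($row['shibonly']) {
    # affiliation exists only through Shibboleth: (re)sync user and groups
    $userdata = updateShibUser($userid);
    updateShibGroups($userdata['id'], $_SERVER['affiliation']);
    $usernid = $userdata['id'];
}
else {
    # affiliation also has a local source; only create the user if unknown
    $usernid = getUserlistID($userid, 1);
    if(is_null($usernid)) {
        $tmp = updateShibUser($userid);
        $usernid = $tmp['id'];
    }
}
$affilid = getAffiliationID($affil);
addLoginLog($userid, 'shibboleth', $affilid, 1);
# uncomment the following and change EXAMPLE1 to match your needs to add all
# users from a specific affiliation to a particular user group
/*if($affil == 'EXAMPLE1') {
    $gid = getUserGroupID('All EXAMPLE1 Users', $affilid);
    $query = "INSERT IGNORE INTO usergroupmembers "
           . "(userid, usergroupid) "
           . "VALUES ($usernid, $gid)";
    doQuery($query, 307);
}*/
$logouturl = array_key_exists('Shib-logouturl', $_SERVER) ? $_SERVER['Shib-logouturl'] : '';
# save data to shibauth table
$shibdata = array('Shib-Application-ID' => $_SERVER['Shib-Application-ID'],
                  'Shib-Identity-Provider' => $_SERVER['Shib-Identity-Provider'],
                  #'Shib-AuthnContext-Dec' => $_SERVER['Shib-AuthnContext-Decl'],
                  'Shib-logouturl' => $logouturl,
                  'eppn' => $_SERVER['eppn'],
                  'unscoped-affiliation' => $_SERVER['unscoped-affiliation'],
                  'affiliation' => $_SERVER['affiliation'],
);
$serdata = mysql_real_escape_string(serialize($shibdata));
# The session id is supplied by the SP environment; escape it like every
# other externally sourced value instead of interpolating it raw.
$sessid = mysql_real_escape_string($_SERVER['Shib-Session-ID']);
$query = "SELECT id "
       . "FROM shibauth "
       . "WHERE sessid = '$sessid'";
$qh = doQuery($query, 101);
if($row = mysql_fetch_assoc($qh)) {
    $shibauthid = $row['id'];
}
else {
    # NOTE(review): strtotime() returns false on an unparsable instant; what
    # unixToDatetime() does with false is not visible here - confirm.
    $ts = strtotime($_SERVER['Shib-Authentication-Instant']);
    $ts = unixToDatetime($ts);
    $query = "INSERT INTO shibauth "
           . "(userid, "
           . "ts, "
           . "sessid, "
           . "data) "
           . "VALUES "
           . "($usernid, "
           . "'$ts', "
           . "'$sessid', "
           . "'$serdata')";
    doQuery($query, 101);
    $qh = doQuery("SELECT LAST_INSERT_ID() FROM shibauth", 101);
    if(! $row = mysql_fetch_row($qh)) {
        # previously fell through and issued the auth cookie with a null
        # shibauth id; fail closed instead so no cookie is minted without a
        # matching shibauth row
        print "\n";
        print "Error encountered
\n";
        print "\n";
        dbDisconnect();
        exit;
    }
    $shibauthid = $row[0];
}
# get cookie data
$cookie = getAuthCookieData($userid, 600, $shibauthid);
# set cookie
# The httponly argument exists from PHP 5.2. The 'secure' argument is left at
# 0 (the commented variant passes 1), so the cookie is also sent over plain
# HTTP; deployments serving VCL only over HTTPS should use the secure form.
if(version_compare(PHP_VERSION, "5.2", ">="))
    #setcookie("VCLAUTH", "{$cookie['data']}", $cookie['ts'], "/", COOKIEDOMAIN, 1, 1);
    setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN, 0, 1);
else
    #setcookie("VCLAUTH", "{$cookie['data']}", $cookie['ts'], "/", COOKIEDOMAIN, 1);
    setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN);
# set skin cookie based on affiliation (31-day lifetime)
switch($affil) {
    case 'Example1':
    case 'EXAMPLE2':
        $skin = strtoupper($affil);
        setcookie("VCLSKIN", $skin, (time() + 2678400), "/", COOKIEDOMAIN);
        break;
    default:
        setcookie("VCLSKIN", "default", (time() + 2678400), "/", COOKIEDOMAIN);
}
header("Location: " . BASEURL . "/");
dbDisconnect();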
?>