1<?php
2/*
3 * consentAdmin - Consent administration module
4 *
5 * This module enables the user to add and remove consents given for a given
6 * Service Provider.
7 *
8 * The module relies on methods and functions from the Consent module and can
9 * not be used without it.
10 *
11 * Author: Mads Freek <freek@ruc.dk>, Jacob Christiansen <jach@wayf.dk>
12 */
13
14/*
15 * Runs the processing chain and ignores all filters that require user
16 * interaction.
17 */
/*
 * NOTE(review): the `function driveProcessingChain($idp_metadata,` header and the
 * `$sp_entityid,` / `$attributes,` parameters are not present in this listing; the
 * page's symbol index gives the full signature as
 * driveProcessingChain($idp_metadata, $source, $sp_metadata, $sp_entityid,
 *                      $attributes, $userid, $hashAttributes = false).
 *
 * Runs the IdP-side authproc chain for one SP without any user interaction and
 * returns array($targeted_id, $attribute_hash, $attributes): the per-SP targeted
 * identifier, a hash of the filtered attribute set, and the filtered attributes
 * themselves. Callers unpack the result with list().
 */
20 $source,
21 $sp_metadata,
24 $userid,
25 $hashAttributes = false
26) {
27
28 /*
29 * Create a new processing chain from the IdP and SP metadata.
 * 'idp' — presumably selects the IdP-side filter set; confirm against
 * SimpleSAML_Auth_ProcessingChain.
30 */
31 $pc = new SimpleSAML_Auth_ProcessingChain($idp_metadata, $sp_metadata, 'idp');
32
33 /*
34 * Construct the state.
35 * REMEMBER: Do not set Return URL if you are calling processStatePassive
 * 'isPassive' => true: filters that would need user interaction are skipped
 * rather than redirecting the browser.
36 */
37 $authProcState = array(
38 'Attributes' => $attributes,
39 'Destination' => $sp_metadata,
40 'Source' => $idp_metadata,
41 'isPassive' => true,
42 );
43
44 /*
45 * Call processStatePassive.
46 * We are not interested in any user interaction, only modifications to the attributes.
 * processStatePassive() evidently updates $authProcState in place, since the
 * filtered attributes are read back from it on the next statement.
47 */
48 $pc->processStatePassive($authProcState);
49
 // From here on $attributes is the SP-specific (filtered) attribute set.
50 $attributes = $authProcState['Attributes'];
51
52 /*
53 * Generate identifiers and hashes.
 * $destination has the form '<metadata-set>|<SP entity ID>', mirroring the
 * '<metadata-set>|<IdP entity ID>' $source string built by the caller.
54 */
55 $destination = $sp_metadata['metadata-set'].'|'.$sp_entityid;
56
 /*
 * NOTE(review): the statements that compute $targeted_id and $attribute_hash
 * (used below) are missing from this listing.
 */
59
 // Logs the raw user identifier and per-SP values at info level.
60 SimpleSAML\Logger::info('consentAdmin: user: '.$userid);
61 SimpleSAML\Logger::info('consentAdmin: target: '.$targeted_id);
62 SimpleSAML\Logger::info('consentAdmin: attribute: '.$attribute_hash);
63
64 // Return values: list($targeted_id, $attribute_hash, $attributes_new) at the call sites
65 return array($targeted_id, $attribute_hash, $attributes);
66}
67
68// Get config object
// NOTE(review): the assignments of $config and $cA_config (lines 69-70 of the
// original) are not present in this listing; $cA_config is the module's own
// configuration, read via getValue() below.
// 'authority' names the authentication source used for this page.
71$authority = $cA_config->getValue('authority');
72
73$as = new \SimpleSAML\Auth\Simple($authority);
74
75// If request is a logout request.
// Any request carrying a 'logout' parameter (query, form body or cookie, since
// $_REQUEST is used) triggers a logout; only the presence of the key matters.
// The code below assumes logout() does not return (redirects to 'returnURL') -- confirm.
76if (array_key_exists('logout', $_REQUEST)) {
77 $returnURL = $cA_config->getValue('returnURL');
78 $as->logout($returnURL);
79}
80
// Whether attribute values are hashed before being stored with a consent;
// passed through unchanged to driveProcessingChain().
81$hashAttributes = $cA_config->getValue('attributes.hash');
82
83// Check if valid local session exists (presumably redirects to login otherwise).
// Everything below assumes an authenticated user.
84$as->requireAuth();
85
86// Get released attributes of the authenticated user
87$attributes = $as->getAttributes();
88
89// Get metadata storage handler
// NOTE(review): the statement assigning $metadata (line 90 of the original) is
// missing from this listing.
91
92/*
93 * Get IdP id and metadata
94 */
95
96
// The hosted IdP's metadata is always loaded; it supplies 'userid.attribute' below.
97$local_idp_entityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
98$local_idp_metadata = $metadata->getMetaData($local_idp_entityid, 'saml20-idp-hosted');
99
// $idp_metadata / $idp_entityid describe the IdP that actually authenticated the
// user: a remote one when this IdP acts as a bridge, the local one otherwise.
100if ($as->getAuthData('saml:sp:IdP') !== null) {
101 // from a remote idp (as bridge)
102 $idp_entityid = $as->getAuthData('saml:sp:IdP');
103 $idp_metadata = $metadata->getMetaData($idp_entityid, 'saml20-idp-remote');
104} else {
105 // from the local idp
106 $idp_entityid = $local_idp_entityid;
 // NOTE(review): the statement assigning $idp_metadata in this branch (line 107
 // of the original) is missing from this listing.
108}
109
110// Get user ID.
// 'userid.attribute' in the hosted IdP metadata names the attribute that keys
// the user's consents; eduPersonPrincipalName is the fallback.
111$userid_attributename = (isset($local_idp_metadata['userid.attribute']) && is_string($local_idp_metadata['userid.attribute'])) ? $local_idp_metadata['userid.attribute'] : 'eduPersonPrincipalName';
112
// NOTE(review): the statement assigning $userids from $attributes (line 113 of
// the original) is missing from this listing.
114
// Without the user-id attribute no consent can be keyed; abort rather than
// continue with an empty identifier.
115if (empty($userids)) {
116 throw new Exception('Could not generate useridentifier for storing consent. Attribute ['.
117 $userid_attributename.'] was not available.');
118}
119
// NOTE(review): the statement assigning $userid (line 120 of the original) is
// missing from this listing.
121
122// Get all SP metadata
123$all_sp_metadata = $metadata->getList('saml20-sp-remote');
124
125// Parse action, if any.
// Both values are user-controlled query parameters. empty() also rejects '0',
// and neither value is checked to be a string (a query like cv[]=... yields an
// array). $sp_entityid is only validated later, when getMetaData() is called
// with it (presumably throws for an unknown entity ID).
126$action = null;
// NOTE(review): the statement initialising $sp_entityid to null (line 127 of the
// original) is missing from this listing; the `!== null` test below relies on it.
128if (!empty($_GET['cv'])) {
129 $sp_entityid = $_GET['cv'];
130}
131if (!empty($_GET['action'])) {
132 $action = $_GET["action"];
133}
134
// NOTE(review): this logs the raw $_GET values at critical severity on every
// request, including the plain listing page where both are null; info level,
// and only when an action is present, would be more appropriate.
135SimpleSAML\Logger::critical('consentAdmin: sp: '.$sp_entityid.' action: '.$action);
136
137// Remove services which have consent disabled.
// NOTE(review): this only filters the listing ($all_sp_metadata); the action
// branch below fetches the SP by $sp_entityid directly and does not re-check
// 'consent.disable' -- confirm whether that is intended.
138if (isset($idp_metadata['consent.disable'])) {
139 foreach ($idp_metadata['consent.disable'] AS $disable) {
140 if (array_key_exists($disable, $all_sp_metadata)) {
141 unset($all_sp_metadata[$disable]);
142 }
143 }
144}
145
146SimpleSAML\Logger::info('consentAdmin: '.$idp_entityid);
147
148// Calc correct source: '<metadata-set>|<IdP entity ID>', the counterpart of the
// $destination string built inside driveProcessingChain().
149$source = $idp_metadata['metadata-set'].'|'.$idp_entityid;
150
151// Parse consent config
// NOTE(review): the statement creating $consent_storage (line 152 of the
// original) is missing from this listing.
153
154// Calc correct user ID hash
// NOTE(review): the statement assigning $hashed_user_id (line 155 of the
// original) is missing from this listing.
156
157// If a checkbox has been clicked: add or remove a single consent and answer
// with the AJAX template, then stop.
// NOTE(review): this is a state change driven by a GET request and no
// anti-CSRF token is checked anywhere in this listing -- confirm whether the
// surrounding framework provides that protection.
158if ($action !== null && $sp_entityid !== null) {
159 // Get SP metadata
160 $sp_metadata = $metadata->getMetaData($sp_entityid, 'saml20-sp-remote');
161
162 // Run AuthProc filters
 // NOTE(review): the continuation of this call (line 164 of the original) is
 // missing from this listing.
163 list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
165
166 // Add a consent (or update if attributes have changed and old consent for SP and IdP exists).
 // saveConsent() evidently returns true for a new row and false for an update.
 // `==` is used on a query-string value; `=== 'true'` would also reject
 // non-string input.
167 if ($action == 'true') {
168 $isStored = $consent_storage->saveConsent($hashed_user_id, $targeted_id, $attribute_hash);
169 if ($isStored) {
170 $res = "added";
171 } else {
172 $res = "updated";
173 }
174 // Remove consent
175 } else {
176 if ($action == 'false') {
177 // Got consent, so this is a request to remove it
178 $rowcount = $consent_storage->deleteConsent($hashed_user_id, $targeted_id, $attribute_hash);
 // NOTE(review): when no row is deleted, $res is never assigned and the
 // template below receives an undefined variable.
179 if ($rowcount > 0) {
180 $res = "removed";
181 }
182 // Unknown action (should not happen)
183 } else {
184 SimpleSAML\Logger::info('consentAdmin: unknown action');
185 $res = "unknown";
186 }
187 }
188 // init template to enable translation of status messages
189 $template = new SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadminajax.php', 'consentAdmin:consentadmin');
190 $template->data['res'] = $res;
191 $template->show();
192 exit;
193}
194
195// Get all consents for user
// NOTE(review): the statement assigning $user_consent_list (line 196 of the
// original) is missing from this listing.
197
198// Parse list of consents into a map: targeted ID => attribute hash.
// NOTE(review): the initialisation of $user_consent (line 199 of the original)
// is missing from this listing.
200foreach ($user_consent_list as $c) {
201 $user_consent[$c[0]] = $c[1];
202}
203
// NOTE(review): line 204 of the original is missing from this listing. $sp_list,
// which is filled in the loop below and read after it, is not initialised
// anywhere visible here; with an empty $all_sp_metadata it would be undefined.
205
206// Init template
207$template = new SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadmin.php', 'consentAdmin:consentadmin');
208$translator = $template->getTranslator();
209$translator->includeLanguageFile('attributes.php'); // attribute listings translated by this dictionary
// Placeholders shown when an SP has no usable name / description in its metadata.
210$sp_empty_name = $translator->getTag('sp_empty_name');
211$sp_empty_description = $translator->getTag('sp_empty_description');
212
213// Process consents for all SP: compute each SP's consent status and display data.
// $sp_values (from getList) and $sp_metadata (from getMetaData) presumably hold
// the same SP's metadata; note the name checks read $sp_values while the
// assignments read $sp_metadata.
214foreach ($all_sp_metadata as $sp_entityid => $sp_values) {
215 // Get metadata for SP
216 $sp_metadata = $metadata->getMetaData($sp_entityid, 'saml20-sp-remote');
217
218 // Run attribute filters
 // NOTE(review): the continuation of this call (line 220 of the original) is
 // missing from this listing.
219 list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
221
222 // Check if consent exists.
 // Status values: "ok" (consent matches current attributes), "changed"
 // (consent exists but the attribute hash differs), "none".
223 if (array_key_exists($targeted_id, $user_consent)) {
224 $sp_status = "changed";
225 SimpleSAML\Logger::info('consentAdmin: changed');
226 // Check if consent is valid. (Possible that attributes has changed)
 // NOTE(review): loose `==` between two hash strings -- PHP compares
 // numeric-looking strings numerically, so two hashes of the form
 // 0e<digits> compare equal; `===` (or hash_equals()) is the safe form.
227 if ($user_consent[$targeted_id] == $attribute_hash) {
228 SimpleSAML\Logger::info('consentAdmin: ok');
229 $sp_status = "ok";
230 }
231 // Consent does not exist
232 } else {
233 SimpleSAML\Logger::info('consentAdmin: none');
234 $sp_status = "none";
235 }
236
237 // Set name of SP: 'name' may be a localised array or a plain string;
 // OrganizationDisplayName (array) is the next fallback, then the placeholder.
238 if (isset($sp_values['name']) && is_array($sp_values['name'])) {
239 $sp_name = $sp_metadata['name'];
240 } else {
241 if (isset($sp_values['name']) && is_string($sp_values['name'])) {
242 $sp_name = $sp_metadata['name'];
243 } elseif (isset($sp_values['OrganizationDisplayName']) && is_array($sp_values['OrganizationDisplayName'])) {
244 $sp_name = $sp_metadata['OrganizationDisplayName'];
245 } else {
246 $sp_name = $sp_empty_name;
247 }
248 }
249
250 // Set description of SP: only a (localised) array is accepted, anything
 // else falls back to the placeholder.
251 if (empty($sp_metadata['description']) || !is_array($sp_metadata['description'])) {
252 $sp_description = $sp_empty_description;
253 } else {
254 $sp_description = $sp_metadata['description'];
255 }
256
257 // Add a URL to the service if present in metadata
258 $sp_service_url = isset($sp_metadata['ServiceURL']) ? $sp_metadata['ServiceURL'] : null;
259
260 // Fill out array for the template; 'consentValue' is echoed back as the
 // 'cv' query parameter by the template's add/remove requests.
261 $sp_list[$sp_entityid] = array(
262 'spentityid' => $sp_entityid,
263 'name' => $sp_name,
264 'description' => $sp_description,
265 'consentStatus' => $sp_status,
266 'consentValue' => $sp_entityid,
267 'attributes_by_sp' => $attributes_new,
268 'serviceurl' => $sp_service_url,
269 );
270}
271
272$template->data['header'] = 'Consent Administration';
273$template->data['spList'] = $sp_list;
274$template->data['showDescription'] = $cA_config->getValue('showDescription');
275$template->show();