ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
consentAdmin.php
Go to the documentation of this file.
1 <?php
2 /*
3  * consentAdmin - Consent administration module
4  *
5  * This module enables the user to add and remove consents given for a given
6  * Service Provider.
7  *
8  * The module relies on methods and functions from the Consent module and can
9  * not be user without it.
10  *
11  * Author: Mads Freek <freek@ruc.dk>, Jacob Christiansen <jach@wayf.dk>
12  */
13 
14 /*
15  * Runs the processing chain and ignores all filter which have user
16  * interaction.
17  */
18 function driveProcessingChain(
19  $idp_metadata,
20  $source,
21  $sp_metadata,
22  $sp_entityid,
23  $attributes,
24  $userid,
25  $hashAttributes = false
26 ) {
27 
28  /*
29  * Create a new processing chain
30  */
31  $pc = new SimpleSAML_Auth_ProcessingChain($idp_metadata, $sp_metadata, 'idp');
32 
33  /*
34  * Construct the state.
35  * REMEMBER: Do not set Return URL if you are calling processStatePassive
36  */
37  $authProcState = array(
38  'Attributes' => $attributes,
39  'Destination' => $sp_metadata,
40  'Source' => $idp_metadata,
41  'isPassive' => true,
42  );
43 
44  /*
45  * Call processStatePAssive.
46  * We are not interested in any user interaction, only modifications to the attributes
47  */
48  $pc->processStatePassive($authProcState);
49 
50  $attributes = $authProcState['Attributes'];
51 
52  /*
53  * Generate identifiers and hashes
54  */
55  $destination = $sp_metadata['metadata-set'].'|'.$sp_entityid;
56 
57  $targeted_id = sspmod_consent_Auth_Process_Consent::getTargetedID($userid, $source, $destination);
58  $attribute_hash = sspmod_consent_Auth_Process_Consent::getAttributeHash($attributes, $hashAttributes);
59 
60  SimpleSAML\Logger::info('consentAdmin: user: '.$userid);
61  SimpleSAML\Logger::info('consentAdmin: target: '.$targeted_id);
62  SimpleSAML\Logger::info('consentAdmin: attribute: '.$attribute_hash);
63 
64  // Return values
65  return array($targeted_id, $attribute_hash, $attributes);
66 }
67 
68 // Get config object
69 $config = SimpleSAML_Configuration::getInstance();
70 $cA_config = SimpleSAML_Configuration::getConfig('module_consentAdmin.php');
71 $authority = $cA_config->getValue('authority');
72 
73 $as = new \SimpleSAML\Auth\Simple($authority);
74 
75 // If request is a logout request
76 if (array_key_exists('logout', $_REQUEST)) {
77  $returnURL = $cA_config->getValue('returnURL');
78  $as->logout($returnURL);
79 }
80 
81 $hashAttributes = $cA_config->getValue('attributes.hash');
82 
83 // Check if valid local session exists
84 $as->requireAuth();
85 
86 // Get released attributes
87 $attributes = $as->getAttributes();
88 
89 // Get metadata storage handler
90 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
91 
92 /*
93  * Get IdP id and metadata
94  */
95 
96 
97 $local_idp_entityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
98 $local_idp_metadata = $metadata->getMetaData($local_idp_entityid, 'saml20-idp-hosted');
99 
100 if ($as->getAuthData('saml:sp:IdP') !== null) {
101  // from a remote idp (as bridge)
102  $idp_entityid = $as->getAuthData('saml:sp:IdP');
103  $idp_metadata = $metadata->getMetaData($idp_entityid, 'saml20-idp-remote');
104 } else {
105  // from the local idp
106  $idp_entityid = $local_idp_entityid;
107  $idp_metadata = $local_idp_metadata;
108 }
109 
110 // Get user ID
111 $userid_attributename = (isset($local_idp_metadata['userid.attribute']) && is_string($local_idp_metadata['userid.attribute'])) ? $local_idp_metadata['userid.attribute'] : 'eduPersonPrincipalName';
112 
113 $userids = $attributes[$userid_attributename];
114 
115 if (empty($userids)) {
116  throw new Exception('Could not generate useridentifier for storing consent. Attribute ['.
117  $userid_attributename.'] was not available.');
118 }
119 
120 $userid = $userids[0];
121 
122 // Get all SP metadata
123 $all_sp_metadata = $metadata->getList('saml20-sp-remote');
124 
125 // Parse action, if any
126 $action = null;
127 $sp_entityid = null;
128 if (!empty($_GET['cv'])) {
129  $sp_entityid = $_GET['cv'];
130 }
131 if (!empty($_GET['action'])) {
132  $action = $_GET["action"];
133 }
134 
135 SimpleSAML\Logger::critical('consentAdmin: sp: '.$sp_entityid.' action: '.$action);
136 
137 // Remove services, whitch have consent disabled
138 if (isset($idp_metadata['consent.disable'])) {
139  foreach ($idp_metadata['consent.disable'] AS $disable) {
140  if (array_key_exists($disable, $all_sp_metadata)) {
141  unset($all_sp_metadata[$disable]);
142  }
143  }
144 }
145 
146 SimpleSAML\Logger::info('consentAdmin: '.$idp_entityid);
147 
148 // Calc correct source
149 $source = $idp_metadata['metadata-set'].'|'.$idp_entityid;
150 
151 // Parse consent config
152 $consent_storage = sspmod_consent_Store::parseStoreConfig($cA_config->getValue('consentadmin'));
153 
154 // Calc correct user ID hash
155 $hashed_user_id = sspmod_consent_Auth_Process_Consent::getHashedUserID($userid, $source);
156 
157 // If a checkbox have been clicked
158 if ($action !== null && $sp_entityid !== null) {
159  // Get SP metadata
160  $sp_metadata = $metadata->getMetaData($sp_entityid, 'saml20-sp-remote');
161 
162  // Run AuthProc filters
163  list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
164  $sp_entityid, $attributes, $userid, $hashAttributes);
165 
166  // Add a consent (or update if attributes have changed and old consent for SP and IdP exists)
167  if ($action == 'true') {
168  $isStored = $consent_storage->saveConsent($hashed_user_id, $targeted_id, $attribute_hash);
169  if ($isStored) {
170  $res = "added";
171  } else {
172  $res = "updated";
173  }
174  // Remove consent
175  } else {
176  if ($action == 'false') {
177  // Got consent, so this is a request to remove it
178  $rowcount = $consent_storage->deleteConsent($hashed_user_id, $targeted_id, $attribute_hash);
179  if ($rowcount > 0) {
180  $res = "removed";
181  }
182  // Unknown action (should not happen)
183  } else {
184  SimpleSAML\Logger::info('consentAdmin: unknown action');
185  $res = "unknown";
186  }
187  }
188  // init template to enable translation of status messages
189  $template = new SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadminajax.php', 'consentAdmin:consentadmin');
190  $template->data['res'] = $res;
191  $template->show();
192  exit;
193 }
194 
195 // Get all consents for user
196 $user_consent_list = $consent_storage->getConsents($hashed_user_id);
197 
198 // Parse list of consents
199 $user_consent = array();
200 foreach ($user_consent_list as $c) {
201  $user_consent[$c[0]] = $c[1];
202 }
203 
204 $template_sp_content = array();
205 
206 // Init template
207 $template = new SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadmin.php', 'consentAdmin:consentadmin');
208 $translator = $template->getTranslator();
209 $translator->includeLanguageFile('attributes.php'); // attribute listings translated by this dictionary
210 $sp_empty_name = $translator->getTag('sp_empty_name');
211 $sp_empty_description = $translator->getTag('sp_empty_description');
212 
213 // Process consents for all SP
214 foreach ($all_sp_metadata as $sp_entityid => $sp_values) {
215  // Get metadata for SP
216  $sp_metadata = $metadata->getMetaData($sp_entityid, 'saml20-sp-remote');
217 
218  // Run attribute filters
219  list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
220  $sp_entityid, $attributes, $userid, $hashAttributes);
221 
222  // Check if consent exists
223  if (array_key_exists($targeted_id, $user_consent)) {
224  $sp_status = "changed";
225  SimpleSAML\Logger::info('consentAdmin: changed');
226  // Check if consent is valid. (Possible that attributes has changed)
227  if ($user_consent[$targeted_id] == $attribute_hash) {
228  SimpleSAML\Logger::info('consentAdmin: ok');
229  $sp_status = "ok";
230  }
231  // Consent does not exists
232  } else {
233  SimpleSAML\Logger::info('consentAdmin: none');
234  $sp_status = "none";
235  }
236 
237  // Set name of SP
238  if (isset($sp_values['name']) && is_array($sp_values['name'])) {
239  $sp_name = $sp_metadata['name'];
240  } else {
241  if (isset($sp_values['name']) && is_string($sp_values['name'])) {
242  $sp_name = $sp_metadata['name'];
243  } elseif (isset($sp_values['OrganizationDisplayName']) && is_array($sp_values['OrganizationDisplayName'])) {
244  $sp_name = $sp_metadata['OrganizationDisplayName'];
245  } else {
246  $sp_name = $sp_empty_name;
247  }
248  }
249 
250  // Set description of SP
251  if (empty($sp_metadata['description']) || !is_array($sp_metadata['description'])) {
252  $sp_description = $sp_empty_description;
253  } else {
254  $sp_description = $sp_metadata['description'];
255  }
256 
257  // Add a URL to the service if present in metadata
258  $sp_service_url = isset($sp_metadata['ServiceURL']) ? $sp_metadata['ServiceURL'] : null;
259 
260  // Fill out array for the template
261  $sp_list[$sp_entityid] = array(
262  'spentityid' => $sp_entityid,
263  'name' => $sp_name,
264  'description' => $sp_description,
265  'consentStatus' => $sp_status,
266  'consentValue' => $sp_entityid,
267  'attributes_by_sp' => $attributes_new,
268  'serviceurl' => $sp_service_url,
269  );
270 }
271 
272 $template->data['header'] = 'Consent Administration';
273 $template->data['spList'] = $sp_list;
274 $template->data['showDescription'] = $cA_config->getValue('showDescription');
275 $template->show();
$user_consent
$user_consent
Definition: consentAdmin.php:199
$local_idp_metadata
$local_idp_metadata
Definition: consentAdmin.php:98
sspmod_consent_Auth_Process_Consent\getTargetedID
static getTargetedID($userid, $source, $destination)
Generate a unique targeted identifier.
Definition: Consent.php:356
SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
Definition: MetaDataStorageHandler.php:40
$sp_empty_name
$sp_empty_name
Definition: consentAdmin.php:210
$userid_attributename
$userid_attributename
Definition: consentAdmin.php:111
$template
$template
Definition: consentAdmin.php:207
$action
$action
Definition: consentAdmin.php:126
sspmod_consent_Auth_Process_Consent\getHashedUserID
static getHashedUserID($userid, $source)
Generate a unique identifier of the user.
Definition: Consent.php:341
$sp_empty_description
$sp_empty_description
Definition: consentAdmin.php:211
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
$userid
if(empty($userids)) $userid
Definition: consentAdmin.php:120
$destination
$destination
Definition: saml2-logout.php:50
$userids
$userids
Definition: consentAdmin.php:113
$cA_config
$cA_config
Definition: consentAdmin.php:70
$hashed_user_id
$hashed_user_id
Definition: consentAdmin.php:155
$metadata
$metadata
Definition: consentAdmin.php:90
SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:201
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15
$idp_metadata
$idp_metadata
Definition: consentAdmin.php:107
$all_sp_metadata
$all_sp_metadata
Definition: consentAdmin.php:123
$as
$as
Definition: consentAdmin.php:73
sspmod_consent_Auth_Process_Consent\getAttributeHash
static getAttributeHash($attributes, $includeValues=false)
Generate unique identifier for attributes.
Definition: Consent.php:373
$translator
$translator
Definition: consentAdmin.php:208
SimpleSAML_Configuration\getConfig
static getConfig($filename='config.php', $configSet='simplesaml')
Load a configuration file from a configuration set.
Definition: Configuration.php:209
$config
$config
Definition: consentAdmin.php:69
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
SimpleSAML\Logger\critical
static critical($string)
Definition: Logger.php:146
$sp_entityid
$sp_entityid
Definition: consentAdmin.php:127
$local_idp_entityid
$local_idp_entityid
Definition: consentAdmin.php:97
SimpleSAML_XHTML_Template
Definition: Template.php:16
$attributes
$attributes
Definition: consentAdmin.php:87
$user_consent_list
if($action !==null && $sp_entityid !==null) $user_consent_list
Definition: consentAdmin.php:196
driveProcessingChain
driveProcessingChain( $idp_metadata, $source, $sp_metadata, $sp_entityid, $attributes, $userid, $hashAttributes=false)
Definition: consentAdmin.php:18
$consent_storage
$consent_storage
Definition: consentAdmin.php:152
SimpleSAML_Auth_ProcessingChain
Definition: ProcessingChain.php:13
sspmod_consent_Store\parseStoreConfig
static parseStoreConfig($config)
Parse consent storage configuration.
Definition: Store.php:122
$hashAttributes
if(array_key_exists('logout', $_REQUEST)) $hashAttributes
Definition: consentAdmin.php:81
$authority
$authority
Definition: consentAdmin.php:71
SimpleSAML_Configuration\getInstance
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
Definition: Configuration.php:297
$source
$source
Definition: consentAdmin.php:149
$template_sp_content
foreach($user_consent_list as $c) $template_sp_content
Definition: consentAdmin.php:204