Initial commit

Author: tauceti2

README.md

@@ -1,2 +1,4 @@
 # perun-simplesamlphp-module
-Module which allows simpleSAMLphp to get data from Perun
+Module which allows simpleSAMLphp to get data from Perun.
+
+

config-templates/idplists/README.txt

@@ -0,0 +1,3 @@
+This directory is needed to save and keeping whitelist and greylist of remote idps.
+Please add it to config folder and set sufficient write permissions to allow
+the module filter idps properly.

config-templates/module_discopower.php

@@ -0,0 +1,45 @@
+<?php
+/* 
+ * Configuration for the DiscoPower module.
+ */
+
+$config = array (
+
+	// Which tab should be set as default. 0 is the first tab
+	'defaulttab' => 0,
+	
+	/*
+	 * List a set of tags (Tabs) that should be listed in a specific order.
+	 * All other available tabs will be listed after the ones specified below.
+	 */
+	'taborder' => array('social, misc'),
+	/*
+	 * the 'tab' parameter allows you to limit the tabs to a specific list. (excluding unlisted tags)
+	 *
+	 * 'tabs' => array('norway', 'finland'),
+	 */
+	 
+	 /*
+	  * If you want to change the scoring algorithm to a more google suggest like one
+	  * (filters by start of words) uncomment this ... 
+	  */
+	'score' => 'suggest', 
+
+	/*
+	 * The domain to use for common domain cookie support.
+	 * This must be a parent domain of the domain hosting the discovery service.
+	 *
+	 * If this is NULL (the default), common domain cookie support will be disabled.
+	 */
+	'cdc.domain' => NULL,
+
+	/*
+	 * The lifetime of the common domain cookie, in seconds.
+	 *
+	 * If this is NULL (the default), the common domain cookie will be deleted when the browser closes.
+	 *
+	 * Example: 'cdc.lifetime' => 180*24*60*60, // 180 days
+	 */
+	'cdc.lifetime' => NULL,
+
+);

config-templates/module_perun.php

@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * This is example configuration of SimpleSAMLphp Perun interface and additional features.
+ * Copy this file to default config directory and edit the properties.
+ *
+ * copy command (from SimpleSAML base dir)
+ * cp modules/perun/module_perun.php config/
+ */
+$config = array(
+
+	/**
+	 * base url to rpc with slash at the end.
+	 */
+	'rpc.url' => 'https://perun.inside.cz/krb/rpc/',
+
+	/**
+	 * rpc credentials if rpc url is protected with basic auth.
+	 */
+	'rpc.username' => '_proxy-idp',
+	'rpc.password' => 'password',
+
+	/**
+	 * hostname of perun ldap with ldap(s):// at the beginning.
+	 */
+	'ldap.hostname' => 'ldaps://perun.inside.cz',
+
+	/**
+	 * ldap credentials if ldap search is protected. If it is null or not set at all. No user is used for bind.
+	 */
+	//'ldap.username' => '_proxy-idp',
+	//'ldap.password' => 'password'
+
+	/**
+	 * specify if disco module should filter out IdPs which are not whitelisted neither commited to CoCo or RaS.
+	 * default is false.
+	 */
+	//'disco.disableWhitelisting' => true,
+
+);

default-disable

@@ -0,0 +1,89 @@
+<?php
+
+/**
+ * Interface sspmod_perun_Adapter
+ * specify interface to get information from Perun.
+ */
+abstract class sspmod_perun_Adapter
+{
+	const RPC = 'rpc';
+	const LDAP = 'ldap';
+
+	/**
+	 * @param string $interface code of interface. Check constants of this class.
+	 * @return sspmod_perun_Adapter instance of this class. note it is NOT singleton.
+	 * @throws SimpleSAML_Error_Exception thrown if interface does not match any supported interface
+	 */
+	public static function getInstance($interface) {
+		if ($interface === self::RPC) {
+			return new sspmod_perun_AdapterRpc();
+		} else if ($interface === self::LDAP) {
+			return new sspmod_perun_AdapterLdap();
+		} else {
+			throw new SimpleSAML_Error_Exception('Unknown perun interface. Hint: try ' . self::RPC . ' or ' . self::LDAP);
+		}
+	}
+
+	/**
+	 * @param string $idpEntityId entity id of hosted idp used as extSourceName
+	 * @param string $uid user identifier received from remote idp used as userExtSourceLogin
+	 * @return sspmod_perun_model_User or null if not exists
+	 */
+	public abstract function getPerunUser($idpEntityId, $uid);
+
+	/**
+	 * @param sspmod_perun_model_Vo $vo
+	 * @param string $name group name. Note that name of group is without VO name prefix.
+	 * @return sspmod_perun_model_Group
+	 * @throws SimpleSAML_Error_Exception if does not exists
+	 */
+	public abstract function getGroupByName($vo, $name);
+
+	/**
+	 * @param string $voShortName
+	 * @return sspmod_perun_model_Vo
+	 * @throws SimpleSAML_Error_Exception if does not exists
+	 */
+	public abstract function getVoByShortName($voShortName);
+
+	/**
+	 * @param sspmod_perun_model_User $user perun user
+	 * @param sspmod_perun_model_Vo $vo vo we are working with.
+	 * @return sspmod_perun_model_Group[] groups from vo which member is. Including VO members group.
+	 */
+	public abstract function getMemberGroups($user, $vo);
+
+	/**
+	 * @param string $spEntityId entity id of the sp
+	 * @param sspmod_perun_model_Vo $vo
+	 * @return sspmod_perun_model_Group[] from vo which are assigned to all facilities with spEntityId.
+	 * registering to those groups should should allow access to the service
+	 */
+	public abstract function getSpGroups($spEntityId, $vo);
+
+	/**
+	 * @param sspmod_perun_model_User $user
+	 * @param array $attrNames.
+	 * @return array associative of attributes. Keys are attribute names
+	 * and values are attr values (can be null, string, array, associative array)
+	 */
+	public abstract function getUserAttributes($user, $attrNames);
+
+
+	/**
+	 * @param sspmod_perun_model_HasId[] $entities
+	 * @return sspmod_perun_model_HasId[] without duplicates
+	 */
+	protected function removeDuplicateEntities($entities) {
+		$removed = array();
+		$ids = array();
+		foreach ($entities as $entity) {
+			if (!in_array($entity->getId(), $ids)) {
+				array_push($ids, $entity->getId());
+				array_push($removed, $entity);
+			}
+		}
+		return $removed;
+
+	}
+}

enable

@@ -0,0 +1,128 @@
+<?php
+
+/**
+ * Class sspmod_perun_AdapterLdap
+ *
+ * Perun adapter which uses Perun LDAP interface
+ */
+class sspmod_perun_AdapterLdap extends sspmod_perun_Adapter
+{
+
+
+	public function getPerunUser($idpEntityId, $uid)
+	{
+		$user = sspmod_perun_LdapConnector::searchForEntity("ou=People,dc=perun,dc=cesnet,dc=cz",
+			"(eduPersonPrincipalNames=$uid)",
+			array("perunUserId", "displayName", "cn", "givenName", "sn", "preferredMail", "mail")
+		);
+		if (is_null($user)) {
+			return $user;
+		}
+
+		if (isset($user['displayName'][0])) {
+			$name = $user['displayName'][0];
+		} else if (isset($user['cn'][0])) {
+			$name = $user['cn'][0];
+		} else {
+			$name = null;
+		}
+		return new sspmod_perun_model_User($user['perunUserId'][0], $name);
+	}
+
+
+	public function getMemberGroups($user, $vo)
+	{
+		$userId = $user->getId();
+		$userWithMembership = sspmod_perun_LdapConnector::searchForEntity("perunUserId=$userId,ou=People,dc=perun,dc=cesnet,dc=cz",
+			"(objectClass=perunUser)",
+			array("perunUserId", "memberOf")
+		);
+
+		$groups = array();
+		foreach ($userWithMembership['memberOf'] as $groupDn) {
+			$voId = explode('=', explode(',', $groupDn)[1], 2)[1];
+			if ($voId != $vo->getId()) {
+				continue;
+			}
+
+			$group = sspmod_perun_LdapConnector::searchForEntity($groupDn,
+				"(objectClass=perunGroup)",
+				array("perunGroupId", "cn", "perunUniqueGroupName", "perunVoId", "description")
+			);
+			# SHOULD BE REMOVED, because Perun cannot work with groupName which do not contain voName - edited on 28.6.2017 by michalp
+			#$groupName = substr($group['perunUniqueGroupName'][0], strlen($vo->getShortName().':'));
+			array_push($groups, new sspmod_perun_model_Group($group['perunGroupId'][0], $group['perunUniqueGroupName'][0], $group['description'][0]));
+		}
+
+		return $groups;
+	}
+
+
+	public function getSpGroups($spEntityId, $vo)
+	{
+		$resources = sspmod_perun_LdapConnector::searchForEntities("dc=perun,dc=cesnet,dc=cz",
+			"(&(objectClass=perunResource)(entityID=$spEntityId))",
+			array("perunResourceId", "assignedGroupId")
+		);
+		$voId = $vo->getId();
+
+		$groups = array();
+		foreach ($resources as $resource) {
+			foreach ($resource['assignedGroupId'] as $groupId) {
+				$group = sspmod_perun_LdapConnector::searchForEntity("perunGroupId=$groupId,perunVoId=$voId,dc=perun,dc=cesnet,dc=cz",
+					"(objectClass=perunGroup)",
+					array("perunGroupId", "cn", "perunUniqueGroupName", "perunVoId", "description")
+				);
+				# SHOULD BE REMOVED, because Perun cannot work with groupName which do not contain voName - edited on 28.6.2017 by michalp
+				#$groupName = substr($group['perunUniqueGroupName'][0], strlen($vo->getShortName().':'));
+				array_push($groups, new sspmod_perun_model_Group($group['perunGroupId'][0], $group['perunUniqueGroupName'][0], $group['description'][0]));
+			}
+		}
+
+		$groups = $this->removeDuplicateEntities($groups);
+
+		return $groups;
+	}
+
+
+	public function getGroupByName($vo, $name)
+	{
+		$voId = $vo->getId();
+		$group = sspmod_perun_LdapConnector::searchForEntity("perunVoId=$voId,dc=perun,dc=cesnet,dc=cz",
+			"(&(objectClass=perunGroup)(perunUniqueGroupName=$name))",
+			array("perunGroupId", "cn", "perunUniqueGroupName", "perunVoId", "description")
+		);
+		if (is_null($group)) {
+			throw new SimpleSAML_Error_Exception("Group with name: $name in VO: ".$vo->getName()." does not exists in Perun LDAP.");
+		}
+		$groupName = substr($group['perunUniqueGroupName'][0], strlen($vo->getShortName().':'));
+		return new sspmod_perun_model_Group($group['perunGroupId'][0], $groupName, $group['description'][0]);
+	}
+
+
+	public function getVoByShortName($voShortName)
+	{
+		$vo = sspmod_perun_LdapConnector::searchForEntity("dc=perun,dc=cesnet,dc=cz",
+			"(&(objectClass=perunVo)(o=$voShortName))",
+			array("perunVoId", "o", "description")
+		);
+		if (is_null($vo)) {
+			throw new SimpleSAML_Error_Exception("Vo with name: $vo does not exists in Perun LDAP.");
+		}
+
+		return new sspmod_perun_model_Vo($vo['perunVoId'][0], $vo['description'][0], $vo['o'][0]);
+	}
+
+
+	public function getUserAttributes($user, $attrNames)
+	{
+		$userId = $user->getId();
+		$attributes = sspmod_perun_LdapConnector::searchForEntity("perunUserId=$userId,ou=People,dc=perun,dc=cesnet,dc=cz",
+			"(objectClass=perunUser)",
+			$attrNames
+		);
+		// user in ldap (simplified by LdapConnector method) is actually set of its attributes
+		return $attributes;
+	}
+
+}