Support for multiple uids (eppn, epuid, targetedid, ...)

Author: tauceti2

lib/Adapter.php

@@ -26,10 +26,10 @@ public static function getInstance($interface) {
 
 	/**
 	 * @param string $idpEntityId entity id of hosted idp used as extSourceName
-	 * @param string $uid user identifier received from remote idp used as userExtSourceLogin
+	 * @param string $uids list of user identifiers received from remote idp used as userExtSourceLogin
 	 * @return sspmod_perun_model_User or null if not exists
 	 */
-	public abstract function getPerunUser($idpEntityId, $uid);
+	public abstract function getPerunUser($idpEntityId, $uids);
 
 	/**
 	 * @param sspmod_perun_model_Vo $vo
@@ -86,4 +86,4 @@ protected function removeDuplicateEntities($entities) {
 		return $removed;
 
 	}
-}
+}

lib/AdapterLdap.php

@@ -9,12 +9,23 @@ class sspmod_perun_AdapterLdap extends sspmod_perun_Adapter
 {
 
 
-	public function getPerunUser($idpEntityId, $uid)
+	public function getPerunUser($idpEntityId, $uids)
 	{
+		# Build a LDAP query, we are searching for the user who has at least one of the uid
+		$query = '';
+                foreach ($uids as $uid) {
+			$query .= "(eduPersonPrincipalNames=$uid)";
+		}
+
+		if ($empty($query)) {
+			return null;
+		}
+
 		$user = sspmod_perun_LdapConnector::searchForEntity("ou=People,dc=perun,dc=cesnet,dc=cz",
-			"(eduPersonPrincipalNames=$uid)",
+			"(!$query)",
 			array("perunUserId", "displayName", "cn", "givenName", "sn", "preferredMail", "mail")
 		);
+
 		if (is_null($user)) {
 			return $user;
 		}

lib/AdapterRpc.php

@@ -9,32 +9,38 @@ class sspmod_perun_AdapterRpc extends sspmod_perun_Adapter
 {
 
 
-	public function getPerunUser($idpEntityId, $uid)
+	public function getPerunUser($idpEntityId, $uids)
 	{
-		try {
-			$user = sspmod_perun_RpcConnector::get('usersManager', 'getUserByExtSourceNameAndExtLogin', array(
-				'extSourceName' => $idpEntityId,
-				'extLogin' => $uid,
-			));
+		$user = null;
 
-			$name = '';
-			if (!empty($user['titleBefore'])) $name .= $user['titleBefore'].' ';
-			if (!empty($user['titleBefore'])) $name .= $user['firstName'].' ';
-			if (!empty($user['titleBefore'])) $name .= $user['middleName'].' ';
-			if (!empty($user['titleBefore'])) $name .= $user['lastName'];
-			if (!empty($user['titleBefore'])) $name .= ' '.$user['titleAfter'];
+		foreach ($uids as $uid) {
+			try {
+				$user = sspmod_perun_RpcConnector::get('usersManager', 'getUserByExtSourceNameAndExtLogin', array(
+					'extSourceName' => $idpEntityId,
+					'extLogin' => $uid,
+				));
 
-			return new sspmod_perun_model_User($user['id'], $name);
-		} catch (sspmod_perun_Exception $e) {
-			if ($e->getName() === 'UserExtSourceNotExistsException') {
-				return null;
-			} else if ($e->getName() === 'ExtSourceNotExistsException') {
-				// Because use of original/source entityID as extSourceName
-				return null;
-			} else {
-				throw $e;
+				$name = '';
+				if (!empty($user['titleBefore'])) $name .= $user['titleBefore'].' ';
+				if (!empty($user['titleBefore'])) $name .= $user['firstName'].' ';
+				if (!empty($user['titleBefore'])) $name .= $user['middleName'].' ';
+				if (!empty($user['titleBefore'])) $name .= $user['lastName'];
+				if (!empty($user['titleBefore'])) $name .= ' '.$user['titleAfter'];
+
+				return new sspmod_perun_model_User($user['id'], $name);
+			} catch (sspmod_perun_Exception $e) {
+				if ($e->getName() === 'UserExtSourceNotExistsException') {
+					continue;
+				} else if ($e->getName() === 'ExtSourceNotExistsException') {
+					// Because use of original/source entityID as extSourceName
+					continue;
+				} else {
+					throw $e;
+				}
 			}
 		}
+
+		return $user;
 	}
 
 

lib/Auth/Process/PerunIdentity.php

@@ -18,18 +18,19 @@
  * It relays on RetainIdPEntityID filter. Config it properly before this filter. (in SP context)
  *
  * @author Ondrej Velisek <[email protected]>
+ * @author Michal Prochazka <[email protected]>
  */
 class sspmod_perun_Auth_Process_PerunIdentity extends SimpleSAML_Auth_ProcessingFilter
 {
-	const UID_ATTR = 'uidAttr';
+	const UIDS_ATTR = 'uidsAttr';
 	const VO_SHORTNAME = 'voShortName';
 	const REGISTER_URL = 'registerUrl';
 	const CALLBACK_PARAM_NAME = 'callbackParamName';
 	const INTERFACE_PROPNAME = 'interface';
 	const SOURCE_IDP_ENTITY_ID_ATTR = 'sourceIdPEntityIDAttr';
 	const FORCE_REGISTRATION_TO_GROUPS = 'forceRegistrationToGroups';
 
-	private $uidAttr;
+	private $uidsAttr;
 	private $registerUrl;
 	private $voShortName;
 	private $callbackParamName;
@@ -47,8 +48,8 @@ public function __construct($config, $reserved)
 	{
 		parent::__construct($config, $reserved);
 
-		if (!isset($config[self::UID_ATTR])) {
-			throw new SimpleSAML_Error_Exception("perun:PerunIdentity: missing mandatory config option '".self::UID_ATTR."'.");
+		if (!isset($config[self::UIDS_ATTR])) {
+			throw new SimpleSAML_Error_Exception("perun:PerunIdentity: missing mandatory config option '".self::UIDS_ATTR."'.");
 		}
 		if (!isset($config[self::REGISTER_URL])) {
 			throw new SimpleSAML_Error_Exception("perun:PerunIdentity: missing mandatory config option '".self::REGISTER_URL."'.");
@@ -69,7 +70,7 @@ public function __construct($config, $reserved)
                         $config[self::FORCE_REGISTRATION_TO_GROUPS] = false;
                 }
 
-		$this->uidAttr = (string) $config[self::UID_ATTR];
+		$this->uidsAttr = $config[self::UIDS_ATTR];
 		$this->registerUrl = (string) $config[self::REGISTER_URL];
 		$this->voShortName = (string) $config[self::VO_SHORTNAME];
 		$this->callbackParamName = (string) $config[self::CALLBACK_PARAM_NAME];
@@ -84,11 +85,17 @@ public function process(&$request)
 	{
 		assert('is_array($request)');
 
-		if (isset($request['Attributes'][$this->uidAttr][0])) {
-			$uid = $request['Attributes'][$this->uidAttr][0];
-		} else {
+		# Store all user ids in an array
+		$uids = array();
+
+		foreach ($this->uidsAttr as $uidAttr) {
+			if (isset($request['Attributes'][$uidAttr][0])) {
+				array_push($uids,$request['Attributes'][$uidAttr][0]);
+			}
+		}
+		if (empty($uids)) {
 			throw new SimpleSAML_Error_Exception("perun:PerunIdentity: " .
-				"missing mandatory attribute " . $this->uidAttr . " in request.");
+				"missing one of the mandatory attribute " . implode(', ', $this->uidsAttr) . " in request.");
 		}
 
 		if (isset($request['Attributes'][$this->sourceIdPEntityIDAttr][0])) {
@@ -129,10 +136,10 @@ public function process(&$request)
 
 		SimpleSAML_Logger::debug("SP GROUPs - ".var_export($spGroups, true));
 
-		$user = $this->adapter->getPerunUser($idpEntityId, $uid);
+		$user = $this->adapter->getPerunUser($idpEntityId, $uids);
 
 		if ($user === null) {
-			SimpleSAML_Logger::info('Perun user with identity: '.$uid.' has NOT been found. He is being redirected to register.');
+			SimpleSAML_Logger::info('Perun user with identity/ies: '. implode(',', $uids).' has NOT been found. He is being redirected to register.');
 			$this->register($request, $this->registerUrl, $this->callbackParamName, $vo, $spGroups, $this->interface);
 		}
 
@@ -145,11 +152,11 @@ public function process(&$request)
 		$groups = $this->intersectById($spGroups, $memberGroups);
 
 		if (empty($groups)) {
-			SimpleSAML_Logger::warning('Perun user with identity: '.$uid.' is not member of any assigned group for resource (' . $spEntityId . ')');
+			SimpleSAML_Logger::warning('Perun user with identity/ies: '. implode(',', $uids) .' is not member of any assigned group for resource (' . $spEntityId . ')');
                         $this->unauthorized($request);
 		}
 
-		SimpleSAML_Logger::info('Perun user with identity: '.$uid.' has been found and SP has sufficient rights to get info about him. '.
+		SimpleSAML_Logger::info('Perun user with identity/ies: '. implode(',', $uids) .' has been found and SP has sufficient rights to get info about him. '.
 				'User '.$user->getName().' with id: '.$user->getId().' is being set to request');
 
 		if (!isset($request['perun'])) {
@@ -176,7 +183,7 @@ public function process(&$request)
 	protected function register($request, $registerUrl, $callbackParamName, $vo, $groups, $interface) {
 
 		$request['config'] = array(
-			self::UID_ATTR => $this->uidAttr,
+			self::UIDS_ATTR => $this->uidsAttr,
 			self::VO_SHORTNAME => $this->voShortName,
 			self::REGISTER_URL => $this->registerUrl,
 			self::CALLBACK_PARAM_NAME => $this->callbackParamName,