Merge pull request #221 from OpenConext/develop

EB 4.7.1

Author: Boy Baukema

application/configs/application.ini

@@ -209,6 +209,15 @@ serviceRegistry.caching.backend.name = "File"
 serviceRegistry.caching.backend.options.file_name_prefix = "eb_sr_cache"
 serviceRegistry.caching.backend.options.lifetime = 1;
 
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;; API VO VALIDATION SETTINGS ;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Base URL that engineblock can use to validate that a given use belongs to a given Virtual Organization.
+api.vovalidate.baseUrl = "https://api.demo.openconext.org"
+api.vovalidate.key = "oauth_key"
+api.vovalidate.secret = "oauth_secret"
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;; EngineBlock API credentials ;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

application/modules/Authentication/Controller/Feedback.php

@@ -2,6 +2,12 @@
 
 class Authentication_Controller_Feedback extends EngineBlock_Controller_Abstract
 {
+    public function vomembershiprequiredAction()
+    {
+        $this->_getResponse()->setStatus(403, 'Forbidden');
+        session_start();
+    }
+
     public function unableToReceiveMessageAction()
     {
         $this->_getResponse()->setStatus(400, 'Bad Request');

application/modules/Authentication/Controller/IdentityProvider.php

@@ -36,8 +36,8 @@ protected function _singleSignOn($service = 'singleSignOn', array $arguments = a
 
             $idPEntityId = NULL;
 
-            // Optionally allow /single-sign-on/remoteIdPHash or
-            // /single-sign-on/remoteIdPHash/key:20140420
+            // Optionally allow /single-sign-on/vo:myVoId/remoteIdPHash or
+            // /single-sign-on/remoteIdPHash/vo:myVoId/key:20140420
             foreach ($arguments as $argument) {
                 if (substr($argument, 0, 3) == 'vo:') {
                     $proxyServer->setVirtualOrganisationContext(substr($argument, 3));
@@ -68,6 +68,14 @@ protected function _singleSignOn($service = 'singleSignOn', array $arguments = a
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/unable-to-receive-message');
         }
+        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
+            $application->getLogInstance()->notice(
+                "User is not a member",
+                array('exception' => $e)
+            );
+            $application->handleExceptionWithFeedback($e,
+                '/authentication/feedback/vomembershiprequired');
+        }
         catch (EngineBlock_Corto_Module_Services_SessionLostException $e) {
             $application->getLogInstance()->notice(
                 "Session lost",
@@ -176,6 +184,10 @@ public function processConsentAction()
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/unable-to-receive-message');
         }
+        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
+            $application->handleExceptionWithFeedback($e,
+                '/authentication/feedback/vomembershiprequired');
+        }
         catch (EngineBlock_Corto_Module_Services_SessionLostException $e) {
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/session-lost');

application/modules/Authentication/Controller/Proxy.php

@@ -95,6 +95,16 @@ public function processedAssertionAction()
             $proxyServer = new EngineBlock_Corto_Adapter();
             $proxyServer->processedAssertionConsumer();
         }
+        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
+            $application->getLogInstance()->notice(
+                "VO membership required",
+                array('exception' => $e)
+            );
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/vomembershiprequired'
+            );
+        }
         catch (EngineBlock_Attributes_Manipulator_CustomException $e) {
             $application->getLogInstance()->notice(
                 "Custom attribute manipulator exception",

application/modules/Authentication/Controller/ServiceProvider.php

@@ -12,6 +12,16 @@ public function consumeAssertionAction()
         try {
             $proxyServer->consumeAssertion();
         }
+        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
+            $application->getLogInstance()->notice(
+                "VO membership required",
+                array('exception' => $e)
+            );
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/vomembershiprequired'
+            );
+        }
         catch (EngineBlock_Corto_Exception_PEPNoAccess $e) {
             $application->getLogInstance()->notice(
                 "PEP authorization rule violation",
@@ -135,6 +145,10 @@ public function processConsentAction()
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/session-lost');
         }
+        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
+            $application->handleExceptionWithFeedback($e,
+                '/authentication/feedback/vomembershiprequired');
+        }
         catch (EngineBlock_Corto_Exception_PEPNoAccess $e) {
             $application->getLogInstance()->notice(
                 "PEP authorization rule violation",

application/modules/Authentication/View/Feedback/Vomembershiprequired.phtml

@@ -0,0 +1,23 @@
+<?php /* This file is generated. Please edit the files of the appropriate theme in the 'theme/' directory. */ ?>
+<?php
+
+/**
+ * @var Zend_Layout $layout
+ */
+$layout = $this->layout();
+
+// Set Layout properties
+$layout->title = $layout->title. ' - ' .$this->t('error_vo_membership_required');
+$layout->header = $layout->title;
+$layout->subheader = $this->t('error_vo_membership_required');
+$layout->wide = true;
+
+?>
+<div class="box">
+  <div class="mod-content">
+    <h1><?php echo htmlentities($this->layout()->subheader, 0, "UTF-8"); ?></h1>
+    <p><?= $this->t('error_vo_membership_required_desc') ?></p>
+
+    <?php require_once realpath(__DIR__ . '/../../../Default/View/Error/include/footer.php') ?>
+  </div>
+</div>

application/modules/Authentication/View/Proxy/form.phtml

@@ -58,9 +58,9 @@ $layout->title = $layout->title.' - '.$this->t('post_data');
 
         <?php if ($trace): ?>
             <input id="submitbutton" type="submit" value="Submit" class="c-button" />
-            <pre>
+            <pre style="text-align: left; margin: 0 auto; width: 500px; height: 800px;">
             <?= $trace ?>
-        </pre>
+            </pre>
             <script type="text/javascript">
                 document.getElementById('submitbutton').focus();
             </script>

docs/release_notes/4.7.1.md

@@ -0,0 +1,3 @@
+# OpenConext EngineBlock v4.7.1 Release Notes #
+
+Bring back VO support, executed before policy enforcement.

languages/en.php

@@ -267,6 +267,8 @@
     'error_unknown_issuer_desc'     => '<p>
         The service you are trying to log in to is unknown to SURFconext. Possibly your institution has never enabled access to this service. Please contact the helpdesk of your institution and provide them with the following information:
     </p>',
+    'error_vo_membership_required'      => 'Membership of a Virtual Organisation required',
+    'error_vo_membership_required_desc' => 'You have successfully authenticated at your Identity Provider, however in order to use this service you have to be a member of a Virtual Organisation.',
     'error_generic'                     => 'Error - An error occurred',
     'error_generic_desc'                => '<p>
         It is not possible to sign in. Please try again.

languages/nl.php

@@ -263,6 +263,8 @@
     'error_unknown_issuer_desc'     => '<p>
         De dienst waarop je probeert in te loggen is niet bekend bij SURFconext. Mogelijk heeft jouw instelling de toegang tot deze dienst nooit aangevraagd. Neem contact op met de helpdesk van je instelling en geef daarbij de volgende informatie door:
     </p>',
+    'error_vo_membership_required'      => 'Lidmaatschap van een Virtuele Organisatie vereist',
+    'error_vo_membership_required_desc' => 'Je bent succesvol ingelogd bij jouw instelling, maar om gebruik te kunnen maken van deze dienst moet je ook lid zijn van een Virtuele Organisatie.',
     'error_generic'                     => 'Error - Foutmelding',
     'error_generic_desc'                => '<p>
         Het is niet mogelijk om in te loggen. Probeer het alstublieft opnieuw.