Added template with configurable message

Merged Pavel Břoušek requested to merge github/fork/BaranekD/new_template into master
5 files
+ 178
35
<?php
<?php
namespace SimpleSAML\Module\authorize\Auth\Process;
namespace SimpleSAML\Module\perunauthorize\Auth\Process;
use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Error\Exception;
use SimpleSAML\Error\Exception;
use SimpleSAML\Auth\State;
use SimpleSAML\Auth\State;
use SimpleSAML\Module;
use SimpleSAML\Module;
use SimpleSAML\Utils\HTTP;
use SimpleSAML\Utils\HTTP;
 
use SimpleSAML\Configuration;
 
use SimpleSAML\Locale\Translate;
/**
/**
* Filter to authorize only certain users.
* Filter to authorize only certain users.
* See docs directory.
* See docs directory.
*
*
* @author Pavel Vyskocil vyskocilpavel@muni.cz
* @author Pavel Vyskocil vyskocilpavel@muni.cz
 
* @author Dominik Baranek baranek@ics.muni.cz
*/
*/
class Perunauthorize extends ProcessingFilter
class Perunauthorize extends ProcessingFilter
{
{
 
const DENY = 'deny';
 
const REGEX = 'regex';
 
const SERVICE_NAME_PLACEHOLDER = '%SERVICE_NAME%';
 
const SERVICE_EMAIL_PLACEHOLDER = '%SERVICE_EMAIL%';
 
const SP_METADATA = 'SPMetadata';
 
const ADMINISTRATION_CONTACT = 'administrationContact';
 
const MESSAGE = 'message';
 
const NAME = 'name';
 
/**
/**
* Flag to deny/unauthorize the user a attribute filter IS found
* Flag to deny/unauthorize the user a attribute filter IS found
*
*
* @var bool
* @var bool
*/
*/
protected $deny = false;
protected $deny;
/**
/**
* Flag to turn the REGEX pattern matching on or off
* Flag to turn the REGEX pattern matching on or off
*
*
* @var bool
* @var bool
*/
*/
protected $regex = true;
protected $regex;
/**
/**
* Array of valid users. Each element is a regular expression. You should
* Array of valid users. Each element is a regular expression. You should
@@ -38,6 +50,10 @@ class Perunauthorize extends ProcessingFilter
@@ -38,6 +50,10 @@ class Perunauthorize extends ProcessingFilter
*/
*/
protected $valid_attribute_values = [];
protected $valid_attribute_values = [];
 
private $message;
 
 
private $administrationContactAttribute;
 
/**
/**
* Initialize this filter.
* Initialize this filter.
* Validate configuration parameters.
* Validate configuration parameters.
@@ -50,21 +66,23 @@ class Perunauthorize extends ProcessingFilter
@@ -50,21 +66,23 @@ class Perunauthorize extends ProcessingFilter
{
{
parent::__construct($config, $reserved);
parent::__construct($config, $reserved);
assert('is_array($config)');
$conf = Configuration::loadFromArray($config);
// Check for the deny option, get it and remove it
// Check for the deny option, get it and remove it
// Must be bool specifically, if not, it might be for a attrib filter below
// Must be bool specifically, if not, it might be for a attrib filter below
if (isset($config['deny']) && is_bool($config['deny'])) {
$this->deny = $conf->getBoolean(self::DENY, false);
$this->deny = $config['deny'];
unset($config[self::DENY]);
unset($config['deny']);
}
// Check for the regex option, get it and remove it
// Check for the regex option, get it and remove it
// Must be bool specifically, if not, it might be for a attrib filter below
// Must be bool specifically, if not, it might be for a attrib filter below
if (isset($config['regex']) && is_bool($config['regex'])) {
$this->regex = $conf->getBoolean(self::REGEX, true);
$this->regex = $config['regex'];
unset($config[self::REGEX]);
unset($config['regex']);
}
$this->administrationContactAttribute = $conf->getString(self::ADMINISTRATION_CONTACT, null);
 
unset($config[self::ADMINISTRATION_CONTACT]);
 
 
$this->message = $conf->getArray(self::MESSAGE, null);
 
unset($config[self::MESSAGE]);
foreach ($config as $attribute => $values) {
foreach ($config as $attribute => $values) {
if (is_string($values)) {
if (is_string($values)) {
@@ -93,32 +111,55 @@ class Perunauthorize extends ProcessingFilter
@@ -93,32 +111,55 @@ class Perunauthorize extends ProcessingFilter
public function process(&$request)
public function process(&$request)
{
{
$authorize = $this->deny;
$authorize = $this->deny;
assert('is_array($request)');
assert('array_key_exists("Attributes", $request)');
$attributes =& $request['Attributes'];
if (is_array($request) && array_key_exists("Attributes", $request)) {
 
if ($this->message !== null) {
 
$translate = new Translate(Configuration::getInstance());
 
$this->message = $translate->getPreferredTranslation($this->message);
foreach ($this->valid_attribute_values as $name => $patterns) {
$this->message = str_replace(
if (array_key_exists($name, $attributes)) {
self::SERVICE_NAME_PLACEHOLDER,
foreach ($patterns as $pattern) {
$translate->getPreferredTranslation($request[self::SP_METADATA][self::NAME]),
$values = $attributes[$name];
$this->message
if (!is_array($values)) {
);
$values = [$values];
}
if (is_string($request[self::SP_METADATA][$this->administrationContactAttribute])) {
foreach ($values as $value) {
$request[self::SP_METADATA][$this->administrationContactAttribute] =
if ($this->regex) {
[$request[self::SP_METADATA][$this->administrationContactAttribute]];
$matched = preg_match($pattern, $value);
}
} else {
$matched = ($value === $pattern);
$this->message = str_replace(
 
self::SERVICE_EMAIL_PLACEHOLDER,
 
$request[self::SP_METADATA][$this->administrationContactAttribute][0],
 
$this->message
 
);
 
}
 
 
$attributes =& $request['Attributes'];
 
 
foreach ($this->valid_attribute_values as $name => $patterns) {
 
if (array_key_exists($name, $attributes)) {
 
foreach ($patterns as $pattern) {
 
$values = $attributes[$name];
 
if (!is_array($values)) {
 
$values = [$values];
}
}
if ($matched) {
foreach ($values as $value) {
$authorize = ($this->deny ? false : true);
if ($this->regex) {
break 3;
$matched = preg_match($pattern, $value);
 
} else {
 
$matched = ($value === $pattern);
 
}
 
if ($matched) {
 
$authorize = !$this->deny;
 
break 3;
 
}
}
}
}
}
}
}
}
}
}
}
 
if (!$authorize) {
if (!$authorize) {
$this->unauthorized($request);
$this->unauthorized($request);
}
}
@@ -138,15 +179,24 @@ class Perunauthorize extends ProcessingFilter
@@ -138,15 +179,24 @@ class Perunauthorize extends ProcessingFilter
*/
*/
protected function unauthorized(&$request)
protected function unauthorized(&$request)
{
{
// Save state and redirect to 403 page
// Save state and redirect to 403 page
 
 
if (!empty($this->message)) {
 
$url = Module::getModuleURL(
 
'perunauthorize/perunauthorize_403_custom.php'
 
);
 
 
$request['message'] = $this->message;
 
} else {
 
$url = Module::getModuleURL(
 
'perunauthorize/perunauthorize_403.php'
 
);
 
}
 
$id = State::saveState(
$id = State::saveState(
$request,
$request,
'perunauthorize:Perunauthorize'
'perunauthorize:Perunauthorize'
);
);
$url = Module::getModuleURL(
'perunauthorize/perunauthorize_403.php'
);
HTTP::redirectTrustedURL($url, ['StateId' => $id]);
HTTP::redirectTrustedURL($url, ['StateId' => $id]);
}
}
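Review bot: The placeholder substitution added to process() reads `$request[self::SP_METADATA][self::NAME]` and `$request[self::SP_METADATA][$this->administrationContactAttribute]` without checking that either key exists, and `administrationContactAttribute` is loaded with a `null` default in the constructor, so an SP whose metadata lacks `name`, or a filter configured with `message` but without `administrationContact`, hits an undefined index and silently substitutes an empty string instead of failing with a clear configuration error; guard each lookup, e.g. `$contact = $request[self::SP_METADATA][$this->administrationContactAttribute] ?? null;` and only run the `str_replace` when the value is a non-empty string or array. Whether `Translate::getPreferredTranslation()` accepts a plain-string `name` is not visible here — SP metadata commonly carries `name` as either a string or a language-keyed array, so confirm before relying on it. The substituted values originate from SP metadata and are stored in `$request['message']` for the new custom 403 page; that template is not in this view, so make sure it escapes the message (at minimum the substituted name and contact) when rendering. Separately, replacing the `assert()` calls with `if (is_array($request) && array_key_exists("Attributes", $request))` means that in `deny` mode a request with no `Attributes` array skips the loop and leaves `$authorize = true`; throwing the already-imported `Exception` there would keep the filter fail-closed. The constructor comments "Must be bool specifically, if not, it might be for a attrib filter below" are now stale, since `Configuration::getBoolean()` throws on a non-bool value rather than leaving the key for the attribute loop — update or drop them.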