From 37f25e82381095bb5a968b1a98b9085d81b9cd96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Vysko=C4=8Dil?= <vyskocilpavel@muni.cz>
Date: Fri, 29 Mar 2019 11:19:31 +0100
Subject: [PATCH] Fixed problem with certificates, which contains scope

* Description of problem: The RemoteUserSSL.php class used only the part of the certificate identifier before '@', and this identifier did not match the certificate stored in Perun (which includes the scope).

* Solution: Try $_SERVER['SSL_CLIENT_S_DN'] first.
---
 CHANGELOG.md                      | 2 ++
 lib/Auth/Source/RemoteUserSSL.php | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a2caf89..c5deb4d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 All notable changes to this project will be documented in this file.
  
 ## [Unreleased]
+[Fixed]
+- Fixed problem with certificates, which contains scope
 
 ## [v1.0.0]
 - First release
diff --git a/lib/Auth/Source/RemoteUserSSL.php b/lib/Auth/Source/RemoteUserSSL.php
index f879a79..d15dc75 100644
--- a/lib/Auth/Source/RemoteUserSSL.php
+++ b/lib/Auth/Source/RemoteUserSSL.php
@@ -45,10 +45,10 @@ class sspmod_remoteUserSSL_Auth_Source_RemoteUserSSL extends SimpleSAML_Auth_Sou
 	assert(is_array($state));
 
         $login = null;
-        if (isset($_SERVER['REMOTE_USER'])) {
-            $login = preg_replace('/^([^@]*).*/', '\1', $_SERVER['REMOTE_USER']);
-        } elseif (isset($_SERVER['SSL_CLIENT_S_DN'])) {
+        if (isset($_SERVER['SSL_CLIENT_S_DN'])) {
             $login = $_SERVER['SSL_CLIENT_S_DN'];
+        } elseif (isset($_SERVER['REMOTE_USER'])) {
+            $login = preg_replace('/^([^@]*).*/', '\1', $_SERVER['REMOTE_USER']);
         } else {
             // Both variables were empty, this shouldn't happen if the web server is properly configured
             \SimpleSAML\Logger::error('remoteUserSSL: user entered protected area without being properly authenticated');
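Review bot: The new first branch tests `isset($_SERVER['SSL_CLIENT_S_DN'])`, which is true for an empty string, so a front end that always exports that variable (empty when no client certificate was presented) would now yield `$login = ''` and skip both the `REMOTE_USER` fallback and the error branch, whose comment speaks of the variables being "empty". Before the reorder a populated `REMOTE_USER` won in that situation, so this is a behaviour change the commit message does not mention. I would test for a non-empty value in both branches: `if (!empty($_SERVER['SSL_CLIENT_S_DN'])) {` and `} elseif (!empty($_SERVER['REMOTE_USER'])) {`. Since the subject DN is now the preferred identity, it is also worth confirming that the web server only populates it for a verified certificate (with mod_ssl, `SSL_CLIENT_VERIFY` being `SUCCESS`); nothing in the hunk checks this, though the function continues outside the hunk and may handle it there.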
-- 
GitLab