Commit 30116e37 authored by Olav Morken's avatar Olav Morken

statistics: Add ACL support.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1634 44740490-163a-0410-bde0-09ae8108e29a
parent 7973c222
...@@ -5,20 +5,24 @@ ...@@ -5,20 +5,24 @@
$config = array ( $config = array (
/* Authentication & authorization for statistics. */
/* Whether the statistics require authentication before use. */
'protected' => FALSE, 'protected' => FALSE,
/* The authentication source that should be used. */
'auth' => 'admin', 'auth' => 'admin',
'useridattr' => 'eduPersonPrincipalName',
/* Alternative 1: List of allowed users. */
'default' => 'sso', //'useridattr' => 'eduPersonPrincipalName',
//'allowedUsers' => array('andreas@uninett.no', 'ola.normann@sp.example.org'),
'allowedUsers' => array(
'admin' /* Alternative 2: External ACL list. */
), //'acl' => 'adminlist',
'default' => 'sso_hoursweek', 'default' => 'sso_hoursweek',
'useridattr' => 'eduPersonPrincipalName',
'allowedUsers' => array('andreas@uninett.no', 'ola.normann@sp.example.org'),
'statdir' => '/tmp/stats/', 'statdir' => '/tmp/stats/',
'inputfile' => '/var/log/simplesamlphp.stat', 'inputfile' => '/var/log/simplesamlphp.stat',
......
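Review bot: The template comments label `allowedUsers` and `acl` as "Alternative 1" and "Alternative 2", but the access code in this commit evaluates both when configured, checking the user list first and consulting the ACL only when that list did not grant access, and with `'protected' => TRUE` and neither option set every non-admin user is refused. A reader picking one of the two commented examples cannot tell this from the template. I would extend the comment on the `/* Alternative 1: List of allowed users. */` line with something like `Both options may be set; the ACL is only consulted when the user is not in allowedUsers.`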
...@@ -13,6 +13,11 @@ $authsource = $statconfig->getString('auth', NULL); ...@@ -13,6 +13,11 @@ $authsource = $statconfig->getString('auth', NULL);
$allowedusers = $statconfig->getValue('allowedUsers', NULL); $allowedusers = $statconfig->getValue('allowedUsers', NULL);
$useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName'); $useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
$acl = $statconfig->getValue('acl', NULL);
if ($acl !== NULL && !is_string($acl) && !is_array($acl)) {
throw new SimpleSAML_Error_Exception('Invalid value for \'acl\'-option. Should be an array or a string.');
}
if ($protected) { if ($protected) {
if (SimpleSAML_Utilities::isAdmin()) { if (SimpleSAML_Utilities::isAdmin()) {
...@@ -26,18 +31,40 @@ if ($protected) { ...@@ -26,18 +31,40 @@ if ($protected) {
// Retrieving attributes // Retrieving attributes
$attributes = $session->getAttributes(); $attributes = $session->getAttributes();
// Check if userid exists $allow = FALSE;
if (!isset($attributes[$useridattr])) if (!empty($allowedusers)) {
throw new Exception('User ID is missing'); // Check if userid exists
if (!isset($attributes[$useridattr][0]))
// Check if userid is allowed access.. throw new Exception('User ID is missing');
if (!in_array($attributes[$useridattr][0], $allowedusers)) {
SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']'); // Check if userid is allowed access..
throw new Exception('Access denied for this user.'); if (!in_array($attributes[$useridattr][0], $allowedusers)) {
SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
} else {
SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
$allow = TRUE;
}
} else {
SimpleSAML_Logger::debug('Statistics auth - no allowedUsers list.');
} }
SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
if (!$allow && !is_null($acl)) {
$acl = new sspmod_core_ACL($acl);
if (!$acl->allows($attributes)) {
SimpleSAML_Logger::debug('Statistics auth - denied access by ACL.');
} else {
SimpleSAML_Logger::debug('Statistics auth - allowed access by ACL.');
$allow = TRUE;
}
} else {
SimpleSAML_Logger::debug('Statistics auth - no ACL configured.');
}
if (!$allow) {
throw new SimpleSAML_Error_Exception('Access denied to the current user.');
}
} elseif(isset($authsource)) { } elseif(isset($authsource)) {
// If user is not logged in init login with authrouce if authsousrce is defined. // If user is not logged in init login with authrouce if authsousrce is defined.
SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL()); SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
......
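Review bot: The allowlist check at `if (!in_array($attributes[$useridattr][0], $allowedusers)) {` still uses loose comparison, so an IdP-supplied attribute value that is a numeric string is compared numerically against the configured identifiers (`'1e3' == '1000'` holds in PHP); pass the strict flag, `if (!in_array($attributes[$useridattr][0], $allowedusers, TRUE)) {`. The trailing `else` on `if (!$allow && !is_null($acl))` also runs when access was already granted by the user list while an ACL is configured, so `'Statistics auth - no ACL configured.'` is logged in a case where it is not true; `} elseif (is_null($acl)) {` keeps the log accurate. Consider emitting the two denial messages and the final `Access denied to the current user.` at a level above debug (SimpleSAML_Logger::warning, if that is the convention elsewhere in the module) so refused access is visible in normal log configurations.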