From 30116e37ea7ca8db8c96495ed5f0f795d9c9e076 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 6 Aug 2009 11:26:28 +0000
Subject: [PATCH] statistics: Add ACL support.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1634 44740490-163a-0410-bde0-09ae8108e29a
---
 .../config-templates/module_statistics.php | 26 +++++-----
 modules/statistics/www/showstats.php | 49 ++++++++++++++-----
 2 files changed, 53 insertions(+), 22 deletions(-)
diff --git a/modules/statistics/config-templates/module_statistics.php b/modules/statistics/config-templates/module_statistics.php
index cda18ab6e..00d01ec71 100644
--- a/modules/statistics/config-templates/module_statistics.php
+++ b/modules/statistics/config-templates/module_statistics.php
@@ -5,20 +5,24 @@ $config = array (
+ /* Authentication & authorization for statistics. */
+
+ /* Whether the statistics require authentication before use. */
 'protected' => FALSE,
+
+ /* The authentication source that should be used. */
 'auth' => 'admin',
- 'useridattr' => 'eduPersonPrincipalName',
-
- 'default' => 'sso',
-
- 'allowedUsers' => array(
- 'admin'
- ),
-
+
+ /* Alternative 1: List of allowed users. */
+ //'useridattr' => 'eduPersonPrincipalName',
+ //'allowedUsers' => array('andreas@uninett.no', 'ola.normann@sp.example.org'),
+
+ /* Alternative 2: External ACL list. */
+ //'acl' => 'adminlist',
+
+
+
 'default' => 'sso_hoursweek',
-
- 'useridattr' => 'eduPersonPrincipalName',
- 'allowedUsers' => array('andreas@uninett.no', 'ola.normann@sp.example.org'),
 'statdir' => '/tmp/stats/',
 'inputfile' => '/var/log/simplesamlphp.stat',
diff --git a/modules/statistics/www/showstats.php b/modules/statistics/www/showstats.php
index d93563491..db434ee8d 100644
--- a/modules/statistics/www/showstats.php
+++ b/modules/statistics/www/showstats.php
@@ -13,6 +13,11 @@ $authsource = $statconfig->getString('auth', NULL);
 $allowedusers = $statconfig->getValue('allowedUsers', NULL);
 $useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
+$acl = $statconfig->getValue('acl', NULL);
+if ($acl !== NULL && !is_string($acl) && !is_array($acl)) {
+ throw new SimpleSAML_Error_Exception('Invalid value for \'acl\'-option. Should be an array or a string.');
+}
+
 if ($protected) {
 if (SimpleSAML_Utilities::isAdmin()) {
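Review bot: The new type check covers only `acl`; `allowedUsers`, read just above with `getValue('allowedUsers', NULL)`, still reaches `in_array()` in the next hunk without any validation. A scalar written there by mistake would presumably surface only as a PHP warning and a denied login rather than a clear configuration error. A matching guard next to the `acl` one would fail early: `if ($allowedusers !== NULL && !is_array($allowedusers)) { throw new SimpleSAML_Error_Exception('Invalid value for \'allowedUsers\'-option. Should be an array.'); }`. The `if ($protected)` block that consumes both values continues outside this hunk.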
@@ -26,18 +31,40 @@ if ($protected) {
 // Retrieving attributes
 $attributes = $session->getAttributes();
-
- // Check if userid exists
- if (!isset($attributes[$useridattr]))
- throw new Exception('User ID is missing');
-
- // Check if userid is allowed access..
- if (!in_array($attributes[$useridattr][0], $allowedusers)) {
- SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
- throw new Exception('Access denied for this user.');
+
+ $allow = FALSE;
+ if (!empty($allowedusers)) {
+ // Check if userid exists
+ if (!isset($attributes[$useridattr][0]))
+ throw new Exception('User ID is missing');
+
+ // Check if userid is allowed access..
+ if (!in_array($attributes[$useridattr][0], $allowedusers)) {
+ SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
+ } else {
+ SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
+ $allow = TRUE;
+ }
+ } else {
+ SimpleSAML_Logger::debug('Statistics auth - no allowedUsers list.');
 }
- SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
-
+
+ if (!$allow && !is_null($acl)) {
+ $acl = new sspmod_core_ACL($acl);
+ if (!$acl->allows($attributes)) {
+ SimpleSAML_Logger::debug('Statistics auth - denied access by ACL.');
+ } else {
+ SimpleSAML_Logger::debug('Statistics auth - allowed access by ACL.');
+ $allow = TRUE;
+ }
+ } else {
+ SimpleSAML_Logger::debug('Statistics auth - no ACL configured.');
+ }
+
+ if (!$allow) {
+ throw new SimpleSAML_Error_Exception('Access denied to the current user.');
+ }
+
 } elseif(isset($authsource)) {
 // If user is not logged in init login with authrouce if authsousrce is defined.
 SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
--
GitLab
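Review bot: The allow-list test `in_array($attributes[$useridattr][0], $allowedusers)` compares loosely, so under PHP's type-juggling rules a non-string entry in `allowedUsers` (for example `0` or `TRUE`) can match user IDs it was never meant to; for an authorization decision pass the strict flag, `in_array($attributes[$useridattr][0], $allowedusers, TRUE)`. Separately, `throw new Exception('User ID is missing')` still fires inside the `allowedUsers` branch before the ACL is consulted, so when both alternatives are configured a user without `$useridattr` is rejected even if the ACL would admit them. Logging the missing attribute and falling through to the ACL check would keep the two alternatives independent. The final `else` that logs 'no ACL configured' also runs when the user was already granted by `allowedUsers`, which makes the debug log misleading when access decisions are reviewed; test `is_null($acl)` on its own for that message.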