From 3abdb616b726c6344927fb8f0ea725c3d60a444b Mon Sep 17 00:00:00 2001
From: Mark Janssen <mark@praseodym.net>
Date: Wed, 27 May 2015 14:04:45 +0200
Subject: [PATCH] A-Select: option to always add uid+organization to attributes
 uid and organization attributes are not always in `$creds['attributes']`, so
 we add an option for that.

---
 modules/aselect/docs/aselect.txt            |  7 ++++++-
 modules/aselect/lib/Auth/Source/aselect.php |  4 ++++
 modules/aselect/www/credentials.php         | 22 ++++++++++++++++++---
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/modules/aselect/docs/aselect.txt b/modules/aselect/docs/aselect.txt
index c43421920..c411cf245 100644
--- a/modules/aselect/docs/aselect.txt
+++ b/modules/aselect/docs/aselect.txt
@@ -21,7 +21,8 @@ named 'aselect':
         'app_id' => 'simplesamlphp',
         'server_id' => 'sso.example.com',
         'server_url' => 'https://test.sso.example.com/server',
-        'private_key' => 'file:///etc/ssl/private/aselect.key'
+        'private_key' => 'file:///etc/ssl/private/aselect.key',
+        'add_default_attributes' => FALSE
     ),
 
 The parameters:
@@ -34,6 +35,10 @@ The parameters:
 - private_key: the key you want to use for signing requests.
   If you're really sure you do not want request signing, you
   can set this option to a null value.
+- add_default_attributes: true to add default attributes
+  (uid and organization) to resulting attributes, false
+  to never do this, and null to do this only when no
+  attributes are returned.
 Options 'serverurl' and 'serverid' (without underscore) are
 supported for backwards compatibility.
 
diff --git a/modules/aselect/lib/Auth/Source/aselect.php b/modules/aselect/lib/Auth/Source/aselect.php
index f4fd0f601..b8e115edf 100644
--- a/modules/aselect/lib/Auth/Source/aselect.php
+++ b/modules/aselect/lib/Auth/Source/aselect.php
@@ -10,6 +10,7 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
 	private $server_id;
 	private $server_url;
 	private $private_key;
+	private $add_default_attributes;
 
 	/**
 	 * Constructor for this authentication source.
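Review bot: The new property `add_default_attributes` at the top of the hunk carries an undocumented tri-state (true, false, null) whose meaning only appears in aselect.txt and in the branch comments of credentials.php; a reader of this class cannot tell that null is a distinct mode rather than "unset". Add a docblock above it: `/** @var bool|null true: always add uid/organization to the attributes; false: never; null: only when the server returns no attributes (legacy behaviour) */`. The same tri-state is read from the configuration in the constructor hunk below via `getBoolean('add_default_attributes', null)`, so the docblock is the one place the three values get explained in code.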
@@ -37,6 +38,8 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
 		$this->server_url = $cfg->getString('serverurl', null);
 		if($this->server_url === null)
 			$this->server_url = $cfg->getString('server_url');
+
+		$this->add_default_attributes = $cfg->getBoolean('add_default_attributes', null);
 	}
 
 	/**
@@ -46,6 +49,7 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
 	 */
 	public function authenticate(&$state) {
 		$state['aselect::authid'] = $this->authId;
+		$state['aselect::add_default_attributes'] = $this->add_default_attributes;
 		$id = SimpleSAML_Auth_State::saveState($state, 'aselect:login', true);
 
 		try {
diff --git a/modules/aselect/www/credentials.php b/modules/aselect/www/credentials.php
index a1bb00434..6271a48c6 100644
--- a/modules/aselect/www/credentials.php
+++ b/modules/aselect/www/credentials.php
@@ -38,10 +38,26 @@ try {
     }
     $creds = $aselect->verify_credentials($server_id, $credentials, $rid);
 
-    if (array_key_exists('attributes', $creds)) {
-        $state['Attributes'] = $creds['attributes'];
-    } else {
+    if ($state['aselect::add_default_attributes'] === true) {
+        // Add default attributes
         $state['Attributes'] = array('uid' => array($creds['uid']), 'organization' => array($creds['organization']));
+        if (array_key_exists('attributes', $creds)) {
+            $state['Attributes'] = array_merge($state['Attributes'], $creds['attributes']);
+        }
+    } elseif ($state['aselect::add_default_attributes'] === false) {
+        // Do not add default attributes
+        if (array_key_exists('attributes', $creds)) {
+            $state['Attributes'] = $creds['attributes'];
+        } else {
+            $state['Attributes'] = array();
+        }
+    } else {
+        // Legacy behaviour: add default attributes if no attributes are returned
+        if (array_key_exists('attributes', $creds)) {
+            $state['Attributes'] = $creds['attributes'];
+        } else {
+            $state['Attributes'] = array('uid' => array($creds['uid']), 'organization' => array($creds['organization']));
+        }
     }
 } catch (Exception $e) {
     SimpleSAML_Auth_State::throwException($state, $e);
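Review bot: The new conditions on `$state['aselect::add_default_attributes']` read the key unconditionally, but a state saved before this change (or by any path that does not go through the updated authenticate()) lacks it, so the read raises an undefined-index notice rather than falling into the legacy branch; read it with a null fallback, `$mode = array_key_exists('aselect::add_default_attributes', $state) ? $state['aselect::add_default_attributes'] : null;`. The three branches also repeat the same two assignments: the true and null cases differ only in when the uid/organization pair is added, so the block collapses to one condition, as sketched below. In the `true` branch array_merge on string keys lets a server-returned `uid` or `organization` silently override the default pair; that precedence deserves a comment. The `true` branch additionally reads `$creds['uid']` and `$creds['organization']` without a key check, as the pre-existing fallback branch already did; if verify_credentials() does not guarantee both keys, guard those reads too. The enclosing try block begins before the hunk.

```php
    $creds = $aselect->verify_credentials($server_id, $credentials, $rid);

    // Missing key (state saved by an older version) falls back to the legacy behaviour
    $mode = array_key_exists('aselect::add_default_attributes', $state)
        ? $state['aselect::add_default_attributes'] : null;
    $returned = array_key_exists('attributes', $creds) ? $creds['attributes'] : array();

    // Add uid/organization when always requested, or (legacy, mode null) when the
    // server returned no attributes at all; mode false never adds them
    if ($mode === true || ($mode === null && !array_key_exists('attributes', $creds))) {
        $defaults = array('uid' => array($creds['uid']), 'organization' => array($creds['organization']));
        // Server-returned attributes take precedence over the defaults on key clashes
        $state['Attributes'] = array_merge($defaults, $returned);
    } else {
        $state['Attributes'] = $returned;
    }
```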
-- 
GitLab