From 4b8274a85481deca16d26e424b5d779d9f5d04d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Fri, 9 Jan 2009 08:36:22 +0000
Subject: [PATCH] Removing deprecated attributealter. Use authproc instead.
 Questions on the mailinglist...

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1112 44740490-163a-0410-bde0-09ae8108e29a
---
 attributealter/edupersontargetedid.php        | 10 ---
 attributealter/feideaccess.php                | 39 ----------
 attributealter/groups.php                     | 75 -------------------
 attributealter/realm.php                      | 19 -----
 attributealter/test.php                       |  5 --
 www/saml2/idp/SingleLogoutServiceiFrame.php   | 12 ++-
 .../idp/SingleLogoutServiceiFrameResponse.php | 10 ++-
 7 files changed, 20 insertions(+), 150 deletions(-)
 delete mode 100644 attributealter/edupersontargetedid.php
 delete mode 100644 attributealter/feideaccess.php
 delete mode 100644 attributealter/groups.php
 delete mode 100644 attributealter/realm.php
 delete mode 100644 attributealter/test.php

diff --git a/attributealter/edupersontargetedid.php b/attributealter/edupersontargetedid.php
deleted file mode 100644
index b1d4e2ccb..000000000
--- a/attributealter/edupersontargetedid.php
+++ /dev/null
@@ -1,10 +0,0 @@
-<?php
-function attributealter_edupersontargetedid(&$attributes, $spEntityId = null, $idpEntityId = null) {
-	assert('$spEntityId !== NULL');
-	assert('$idpEntityId !== NULL');
-
-	$userid = SimpleSAML_Utilities::generateUserIdentifier($idpEntityId, $spEntityId, $attributes);
-
-	$attributes['eduPersonTargetedID'] = array($userid);
-}
-?>
\ No newline at end of file
diff --git a/attributealter/feideaccess.php b/attributealter/feideaccess.php
deleted file mode 100644
index d2972752d..000000000
--- a/attributealter/feideaccess.php
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-function attributealter_feideaccess(&$attributes, $spEntityId = null, $idpEntityId = null) {
-	assert('$spEntityId !== NULL');
-	assert('$idpEntityId !== NULL');
-
-	$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-	$spMetadata = $metadata->getMetadata($spEntityId, 'saml20-sp-remote');
-	if(!array_key_exists('feide.allowedorgs', $spMetadata)) {
-		SimpleSAML_Logger::info('FEIDE access control: No limits set for SP: ' . $spEntityId);
-		return;
-	}
-	$allowedOrgs = $spMetadata['feide.allowedorgs'];
-
-	if(!array_key_exists('eduPersonPrincipalName', $attributes)) {
-		throw new Exception('FEIDE access control requires the eduPersonPrincipalName to be present.');
-	}
-
-	$eppn = $attributes['eduPersonPrincipalName'][0];
-	$org = explode('@', $eppn);
-	$org = $org[1];
-
-	if(!in_array($org, $allowedOrgs, TRUE)) {
-		SimpleSAML_Logger::error('FEIDE access control: Organization "' . $org .
-			'" not in list of allowed organization for SP "' . $spEntityId . '".');
-		$config = SimpleSAML_Configuration::getInstance();
-		$t = new SimpleSAML_XHTML_Template($config, 'no_access.php', 'no_access_dictionary');
-		if(array_key_exists('name', $spMetadata)) {
-			$t->data['sp_name'] = $spMetadata['name'];
-		} else {
-			$t->data['sp_name'] = $spEntityId;
-		}
-		$t->show();
-		exit();
-	}
-
-	SimpleSAML_Logger::info('FEIDE access control: Organization "' . $org .
-		'" is allowed for SP "' . $spEntityId . '".');
-}
-?>
\ No newline at end of file
diff --git a/attributealter/groups.php b/attributealter/groups.php
deleted file mode 100644
index acc7425c0..000000000
--- a/attributealter/groups.php
+++ /dev/null
@@ -1,75 +0,0 @@
-<?php
-function encodeIllegalChars($input) {
-	return preg_replace("/[^a-zA-Z0-9_@=.]/", "_", $input);
-}
-
-function getRealmPart($userid) {
-
-	$decomposedID = explode("@", $userid);
-	if (isset($decomposedID[1])) {
-		return encodeIllegalChars($decomposedID[1]);
-	}
-	return null;
-}
-
-function attributealter_groups(&$attributes, $spentityid = null, $idpentityid = null) {
-
-	// We start off with an empty list of groups.
-	$groups = array();
-	
-	/*
-	 * Then we add the realm of the user. The part after the @ of the eduPersonPrincipalName
-	 */
-	if(array_key_exists('eduPersonPrincipalName', $attributes)) {
-		$realmpart = getRealmPart($attributes['eduPersonPrincipalName'][0]);
-	} else {
-		$realmpart = NULL;
-	}
-	if (isset($realmpart)) {
-		$groups[] = 'realm-' . $realmpart;
-	} else {
-		$realmpart = 'NA';
-	}
-
-	
-	/*
-	 * Create group membership by the eduPersonAffiliation attribute.
-	 */
-	if (isset($attributes['eduPersonAffiliation']) && is_array($attributes['eduPersonAffiliation']) ) {
-		foreach ($attributes['eduPersonAffiliation'] AS $affiliation) {
-			$groups[] = 'affiliation-' . $realmpart . '-' . encodeIllegalChars($affiliation);
-		}
-	}
-	
-	/*
-	 * Create group membership by the eduPersonOrgUnitDN attribute.
-	 */
-	if (isset($attributes['eduPersonOrgUnitDN']) && is_array($attributes['eduPersonOrgUnitDN']) ) {
-		foreach ($attributes['eduPersonOrgUnitDN'] AS $orgunit) {
-			$groups[] = 'orgunit-' . $realmpart . '-' . encodeIllegalChars($orgunit);
-		}
-	}
-	
-	if (isset($attributes['eduPersonEntitlement']) && is_array($attributes['eduPersonEntitlement']) ) {
-		foreach ($attributes['eduPersonEntitlement'] AS $orgunit) {
-			$groups[] = 'entitlement-' . $realmpart . '-' . encodeIllegalChars($orgunit);
-		}
-	}
-	
-	
-	/*
-	 * Read custom groups from the group file specified in the 
-
-	if (file_exists('/etc/simplesamlphpgroups.txt')) {
-		include($conf['groupfile']);
-	}
-	if (isset($customgroups[$user]) && is_array($customgroups[$user])) {
-		foreach ($customgroups[$user] AS $ng) {
-			$groups[] = $ng;
-		}
-	}
-	 */
-	$attributes['groups'] = $groups;
-
-}
-?>
\ No newline at end of file
diff --git a/attributealter/realm.php b/attributealter/realm.php
deleted file mode 100644
index a279d50b1..000000000
--- a/attributealter/realm.php
+++ /dev/null
@@ -1,19 +0,0 @@
-<?php
-function attributealter_realm(&$attributes, $spentityid = null, $idpentityid = null) {
-
-	$attributename = 'eduPersonPrincipalName';
-#	$attributename = 'edupersonprincipalname';
-	if (array_key_exists($attributename, $attributes)) {
-		$eduppn = $attributes[$attributename][0];
-		$splitted = explode('@', $eduppn);
-		if (count($splitted) > 1) {
-			$attributes['realm'] = array($splitted[1]);
-		} else {
-			SimpleSAML_Logger::debug('attributealter_realm: Wrong format on ' . $attributename . ' (not including @)');
-		}
-	} else {
-		SimpleSAML_Logger::debug('attributealter_realm: Could not find ' . $attributename);
-	}
-
-}
-?>
\ No newline at end of file
diff --git a/attributealter/test.php b/attributealter/test.php
deleted file mode 100644
index 6f3c0f8bb..000000000
--- a/attributealter/test.php
+++ /dev/null
@@ -1,5 +0,0 @@
-<?php
-function attributealter_test(&$attributes, $spentityid = null, $idpentityid = null) {
-	$attributes['injected'] = array('newvalue');
-}
-?>
\ No newline at end of file
diff --git a/www/saml2/idp/SingleLogoutServiceiFrame.php b/www/saml2/idp/SingleLogoutServiceiFrame.php
index b839c446d..cfecd89d2 100644
--- a/www/saml2/idp/SingleLogoutServiceiFrame.php
+++ b/www/saml2/idp/SingleLogoutServiceiFrame.php
@@ -98,7 +98,12 @@ function updateslostatus() {
 
 	$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 	
-	$listofsps = $session->get_sp_list(SimpleSAML_Session::STATE_LOGGEDOUT);
+	$templistofsps = $session->get_sp_list(SimpleSAML_Session::STATE_LOGGEDOUT);
+	$listofsps = array();
+	foreach ($templistofsps AS $spentityid) {
+		if (!empty($_COOKIE['spstate-' . sha1($spentityid)])) $listofsps[] = $spentityid;
+	}
+
 
 	// Using template object to be able to translate name of service provider.
 	$t = new SimpleSAML_XHTML_Template($config, 'logout-iframe.php');
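Review bot: The new filter on `$_COOKIE['spstate-' . sha1($spentityid)]` decides which SPs count as logged out from an unsigned, client-writable cookie, so anything able to set cookies for the IdP origin (the user's own browser, a script, or a sibling host on the same cookie domain) can mark an SP as finished without that SP ever having answered the LogoutRequest. The sha1() only namespaces the cookie name; it is not a MAC and does not bind the value to the current session, and nothing in the patch ever clears these cookies, so a leftover `spstate-*` from an earlier logout in the same browser session will pre-mark that SP as completed the next time this loop runs. At minimum the intent should be stated next to the loop, e.g. `// spstate-* cookies are client-writable and unsigned: treat them only as a UI progress hint, never as proof the SP ended its session.`, and the cookies should be cleared (or keyed by something session-specific) when a new logout starts. updateslostatus() begins before this hunk, so I cannot see where the logout is initiated and where such clearing would belong.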
@@ -124,6 +129,11 @@ function updateslostatus() {
 	
 	if ($session->sp_logout_completed() === TRUE) {
 
+		$templistofsps = $session->get_sp_list(SimpleSAML_Session::STATE_LOGGEDOUT);
+		foreach ($templistofsps AS $spentityid) {
+			$session->set_sp_logout_completed($spentityid);
+		}
+
 		$objResponse->addScriptCall('slocompleted');
 
 		/**
diff --git a/www/saml2/idp/SingleLogoutServiceiFrameResponse.php b/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
index c5a4a9693..90161d4f4 100644
--- a/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
+++ b/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
@@ -44,7 +44,15 @@ if (isset($_GET['SAMLResponse'])) {
 	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
 	$logoutresponse = $binding->decodeLogoutResponse($_GET);
 
-	$session->set_sp_logout_completed($logoutresponse->getIssuer());
+	/*
+	 * This would be the normal way to end SP sessions. But because we do not want concurrent 
+	 * updates on the session ojbect, we do set a cookie instead.
+	 *
+	 * $session->set_sp_logout_completed($logoutresponse->getIssuer());
+	 */
+	$sphash = sha1($logoutresponse->getIssuer());
+	setcookie('spstate-' . $sphash , '1'); // Duration: 2 hours
+	
 	
 	SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrameResponse: Logging out completed');
 	
-- 
GitLab