Access control on statistics module

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1360 44740490-163a-0410-bde0-09ae8108e29a

Access control on statistics module
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1360 44740490-163a-0410-bde0-09ae8108e29a
4ec2368a · Andreas Åkre Solberg · b4243233 · 4ec2368a · 4ec2368a
Commit 4ec2368a authored 16 years ago by Andreas Åkre Solberg
--- a/modules/statistics/config-templates/module_statistics.php
+++ b/modules/statistics/config-templates/module_statistics.php
@@ -5,6 +5,18 @@

 $config = array (

+	// Access control on statistics page.
+	'protected' => FALSE,
+	
+	/*
+	 * Which authenticatino source should be used for authentication exception from admin module.
+	 * Set to NULL if only using admin auth.
+	 */
+	//'auth' => 'feide',
+	
+	'useridattr' => 'eduPersonPrincipalName',
+	'allowedUsers' => array('andreas@uninett.no', 'ola.normann@sp.example.org'),
+
 	'statdir' => '/tmp/stats/',
 	'inputfile' => '/var/log/simplesamlphp.stat',
 	'offset' => 60*60*2 + 60*60*24*3, // Two hours offset to match epoch and norwegian winter time.

--- a/modules/statistics/www/showstats.php
+++ b/modules/statistics/www/showstats.php
@@ -2,6 +2,53 @@

 $config = SimpleSAML_Configuration::getInstance();
 $statconfig = SimpleSAML_Configuration::getConfig('module_statistics.php');
+$session = SimpleSAML_Session::getInstance();
+
+
+$protected = $statconfig->getBoolean('protected', FALSE);
+$authsource = $statconfig->getString('auth', NULL);
+$allowedusers = $statconfig->getValue('allowedUsers', NULL);
+$useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
+
+if ($protected) {
+
+	if ($session->isValid('login-admin') ) {
+		// User logged in as admin. OK.
+		SimpleSAML_Logger::debug('Statistics auth - logged in as admin, access granted');
+		
+	} elseif(isset($authsource) && $session->isValid($authsource) ) {
+	
+		// User logged in with auth source.
+		SimpleSAML_Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');
+		
+		// Retrieving attributes
+		$attributes = $session->getAttributes();
+		
+		// Check if userid exists
+		if (!isset($attributes[$useridattr])) 
+			throw new Exception('User ID is missing');
+		
+		// Check if userid is allowed access..
+		if (!in_array($attributes[$useridattr][0], $allowedusers)) {
+			SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
+			throw new Exception('Access denied for this user.');
+		}
+		SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');		
+		
+	} elseif(isset($authsource)) {
+		// If user is not logged in init login with authrouce if authsousrce is defined.
+		SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
+		
+	} else {
+		// If authsource is not defined, init admin login.
+		SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'auth/login-admin.php',
+			array('RelayState' => SimpleSAML_Utilities::selfURL())
+		);
+	}
+}
+
+
+

 $statdir = $statconfig->getValue('statdir');
 $inputfile = $statconfig->getValue('inputfile');