From 4ec2368a2232a0a894e080e279d88a4810528563 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Mon, 2 Mar 2009 13:01:13 +0000
Subject: [PATCH] Access control on statistics module

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1360 44740490-163a-0410-bde0-09ae8108e29a
---
 .../config-templates/module_statistics.php    | 12 +++++
 modules/statistics/www/showstats.php          | 47 +++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/modules/statistics/config-templates/module_statistics.php b/modules/statistics/config-templates/module_statistics.php
index 0f19120f7..f54327037 100644
--- a/modules/statistics/config-templates/module_statistics.php
+++ b/modules/statistics/config-templates/module_statistics.php
@@ -5,6 +5,18 @@
 
 $config = array (
 
+	// Access control on statistics page.
+	'protected' => FALSE,
+	
+	/*
+	 * Which authenticatino source should be used for authentication exception from admin module.
+	 * Set to NULL if only using admin auth.
+	 */
+	//'auth' => 'feide',
+	
+	'useridattr' => 'eduPersonPrincipalName',
+	'allowedUsers' => array('andreas@uninett.no', 'ola.normann@sp.example.org'),
+
 	'statdir' => '/tmp/stats/',
 	'inputfile' => '/var/log/simplesamlphp.stat',
 	'offset' => 60*60*2 + 60*60*24*3, // Two hours offset to match epoch and norwegian winter time.
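Review bot: The template ships `'protected' => FALSE` next to a populated `allowedUsers` list, so a deployment that copies this file leaves the statistics page open until the flag is flipped. Once `'auth'` is uncommented, the two sample addresses become live grants for whoever the auth source asserts under those IDs. I would ship `'protected' => TRUE,` and `'allowedUsers' => array(),` with a comment such as `// Values of the 'useridattr' attribute that may view statistics; must be filled in per deployment.` The block comment above `'auth'` has a typo (`authenticatino`) and could read `Authentication source accepted in addition to admin login; leave unset to allow admin login only.` The `$config` array continues outside the hunk.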
diff --git a/modules/statistics/www/showstats.php b/modules/statistics/www/showstats.php
index 53fc2c7ff..2f8900267 100644
--- a/modules/statistics/www/showstats.php
+++ b/modules/statistics/www/showstats.php
@@ -2,6 +2,53 @@
 
 $config = SimpleSAML_Configuration::getInstance();
 $statconfig = SimpleSAML_Configuration::getConfig('module_statistics.php');
+$session = SimpleSAML_Session::getInstance();
+
+
+$protected = $statconfig->getBoolean('protected', FALSE);
+$authsource = $statconfig->getString('auth', NULL);
+$allowedusers = $statconfig->getValue('allowedUsers', NULL);
+$useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
+
+if ($protected) {
+
+	if ($session->isValid('login-admin') ) {
+		// User logged in as admin. OK.
+		SimpleSAML_Logger::debug('Statistics auth - logged in as admin, access granted');
+		
+	} elseif(isset($authsource) && $session->isValid($authsource) ) {
+	
+		// User logged in with auth source.
+		SimpleSAML_Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');
+		
+		// Retrieving attributes
+		$attributes = $session->getAttributes();
+		
+		// Check if userid exists
+		if (!isset($attributes[$useridattr])) 
+			throw new Exception('User ID is missing');
+		
+		// Check if userid is allowed access..
+		if (!in_array($attributes[$useridattr][0], $allowedusers)) {
+			SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
+			throw new Exception('Access denied for this user.');
+		}
+		SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');		
+		
+	} elseif(isset($authsource)) {
+		// If user is not logged in init login with authrouce if authsousrce is defined.
+		SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
+		
+	} else {
+		// If authsource is not defined, init admin login.
+		SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'auth/login-admin.php',
+			array('RelayState' => SimpleSAML_Utilities::selfURL())
+		);
+	}
+}
+
+
+
 
 $statdir = $statconfig->getValue('statdir');
 $inputfile = $statconfig->getValue('inputfile');
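Review bot: The allow-list test on the `in_array(...)` line compares loosely and assumes `$allowedusers` is an array, although it is read with a `NULL` default and `isset($attributes[$useridattr])` does not guarantee that element `[0]` exists. With an empty attribute array the needle is `NULL`, which loosely matches an empty-string or `0` entry in the list, and with `allowedUsers` unset `in_array()` receives `NULL` as its haystack. I would test `isset($attributes[$useridattr][0])` first and then use `if (!is_array($allowedusers) || !in_array($attributes[$useridattr][0], $allowedusers, TRUE)) {`. The denial is logged only at debug level; `SimpleSAML_Logger::warning(...)` on that line would keep rejected attempts visible at normal production log levels. The script continues outside the hunk.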
-- 
GitLab