Add authorize-module.

This module provides a filter for doing attribute-based access control for a service provider. Thanks to Ernesto Revilla for creating this filter. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1816 44740490-163a-0410-bde0-09ae8108e29a

Add authorize-module.
This module provides a filter for doing attribute-based access control for a service provider. Thanks to Ernesto Revilla for creating this filter. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1816 44740490-163a-0410-bde0-09ae8108e29a
f9b2480d · Olav Morken · e7710759 · f9b2480d · f9b2480d · f9b2480d
Commit f9b2480d authored 15 years ago by Olav Morken
--- a/modules/authorize/default-enable
+++ b/modules/authorize/default-enable
--- a/modules/authorize/dictionaries/Authorize.php
+++ b/modules/authorize/dictionaries/Authorize.php
+<?php
+
+$lang = array(
+	'403_header' => array (
+		'en' => 'Access forbidden',
+		'es' => 'Acceso denegado',
+	),
+	'403_text' => array (
+		'en' => "You don't have the needed privileges to access this application. Please contact the administrator if you find this to be incorrect.",
+		'es' => "No tiene los privilegios necesarios para acceder a esta aplicación. Si considera que esto no es correcto, consulte el administrador.",
+	),
+);
+
+
+?>
--- a/modules/authorize/docs/authorize.txt
+++ b/modules/authorize/docs/authorize.txt
+authorize Module
+================
+
+<!--
+	This file is written in Markdown syntax.
+	For more information about how to use the Markdown syntax, read here:
+	http://daringfireball.net/projects/markdown/syntax
+-->
+
+	* Version: `$Id$`
+	* Author: Ernesto Revilla <erny@yaco.es>, Yaco Sistemas
+	* Package simpleSAMLphp
+
+
+This module provides an user authorization filter based on regular
+expressions for those applications that do not cleanly separate
+authentication from authorization and set some default permissions
+for authenticated users.
+
+
+`authorize:Authorize`
+: Authorize certain users based on regular expressions.
+
+
+`authorize:Authorize`
+---------------------
+
+For each attribute you can specify a regular expression
+string or array of strings. If one of those attributes matches (OR operator)
+one of the regular expression, the user is authorized successfully.
+
+You must use the preg_match format, i.e. you have to enclose it with
+a delimiter that does not appear inside the regex
+(e.g. slash (/), at sign (@), number sign (#) or underscore (_)).
+
+The users not authorized will be shown a 403 Forbidden page.
+
+Problems:
+ * Once you get the forbidden page, you can't logout at the IdP directly,
+   (as far as I know), you have to close the browser.
+
+
+To use this filter configure it in `config/config.php`:
+	'authproc.sp' => array(
+		60 => array(
+			'class' => 'authorize:Authorize',
+			'uid'   =>  array(
+				'/.*@example.com/',
+				'/(user1|user2|user3)@example.edu/',
+			),
+			'schacUserStatus' => '@urn:mace:terena.org:userStatus:' .
+				'example.org:service:active.*@',
+	)
--- a/modules/authorize/lib/Auth/Process/Authorize.php
+++ b/modules/authorize/lib/Auth/Process/Authorize.php
+<?php
+
+/**
+ * Filter to authorize only certain users.
+ * See docs directory.
+ *
+ * @author Ernesto Revilla, Yaco Sistemas SL.
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+class sspmod_authorize_Auth_Process_Authorize extends SimpleSAML_Auth_ProcessingFilter {
+
+	/**
+	 * Array of valid users. Each element is a regular expression. You should
+	 * user \ to escape special chars, like '.' etc.
+	 *
+	 */
+	private $valid_attribute_values = array();
+
+
+	/**
+	 * Initialize this filter.
+	 * Validate configuration parameters.
+	 *
+	 * @param array $config  Configuration information about this filter.
+	 * @param mixed $reserved  For future use.
+	 */
+	public function __construct($config, $reserved) {
+		parent::__construct($config, $reserved);
+
+		assert('is_array($config)');
+
+		foreach ($config as $attribute => $values) {
+			if (is_string($values))
+				$values = array($values);
+			if (!is_array($values))
+				throw new Exception('Filter Authorize: Attribute values is neither string nor array: ' . var_export($attribute, TRUE));
+			foreach ($values as $value){
+				if(!is_string($value)) {
+					throw new Exception('Filter Authorize: Each value should be a string for attribute: ' . var_export($attribute, TRUE) . ' value: ' . var_export($value, TRUE) . ' Config is: ' . var_export($config, TRUE));
+				}
+			}
+			$this->valid_attribute_values[$attribute] = $values;
+		}
+	}
+
+
+	/**
+	 * Apply filter to validate attributes.
+	 *
+	 * @param array &$request  The current request
+	 */
+	public function process(&$request) {
+		$authorize = FALSE;
+		assert('is_array($request)');
+		assert('array_key_exists("Attributes", $request)');
+
+		$attributes =& $request['Attributes'];
+
+		foreach ($this->valid_attribute_values as $name => $patterns) {
+			if(array_key_exists($name, $attributes)) {
+				foreach ($patterns as $pattern){
+					$values = $attributes[$name];
+					if (!is_array($values))
+						$values = array($values);
+					foreach ($values as $value){
+						if(preg_match($pattern, $value)) {
+							$authorize = TRUE;
+							break 3;
+						}
+					}
+				}
+			}
+		}
+		if (!$authorize){
+			/* Save state and redirect to 403 page. */
+			$id = SimpleSAML_Auth_State::saveState($request,
+				'authorize:Authorize');
+			$url = SimpleSAML_Module::getModuleURL(
+				'authorize/authorize_403.php');
+			SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+		}
+	}
+}
+
+?>
--- a/modules/authorize/templates/authorize_403.php
+++ b/modules/authorize/templates/authorize_403.php
+<?php
+/**
+ * Template which is shown when there is only a short interval since the user was last authenticated.
+ *
+ * Parameters:
+ * - 'target': Target URL.
+ * - 'params': Parameters which should be included in the request.
+ *
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+
+
+$this->data['403_header'] = $this->t('{authorize:Authorize:403_header}');
+$this->data['403_text'] = $this->t('{authorize:Authorize:403_text}');
+
+$this->includeAtTemplateBase('includes/header.php');
+?>
+<h1><?php echo $this->data['403_header']; ?></h1>
+<p><?php echo $this->data['403_text']; ?></p>
+<?php
+$this->includeAtTemplateBase('includes/footer.php');
+?>
--- a/modules/authorize/www/authorize_403.php
+++ b/modules/authorize/www/authorize_403.php
+<?php
+/**
+ * Show a 403 Forbidden page about not authorized to access an application.
+ *
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+
+if (!array_key_exists('StateId', $_REQUEST)) {
+	throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
+}
+
+$id = $_REQUEST['StateId'];
+$state = SimpleSAML_Auth_State::loadState($id, 'authorize:Authorize');
+
+$globalConfig = SimpleSAML_Configuration::getInstance();
+$t = new SimpleSAML_XHTML_Template($globalConfig, 'authorize:authorize_403.php');
+header('HTTP/1.0 403 Forbidden');
+$t->show();
+
+
+?>