/** * decoratePerson - get the supplied attributes and add to the correct * fields in person * * This function is a bit fragile. The reason for this, is that it needs * to 'bootstrap' the map for person-identifier (e.g. ePPN) * through various encodings. * * One way would be to add a specific mapping for all known NRENs, but * we'd rather add a generic approach and just try the known encodings * and see if we find something there. * * If, for some reason, a new NREN/IdP fails to correctly decorate the * person-object, the problem most likely starts here. * * @author Henrik Austad <*****@*****.**> * @author Thomas Zangerl <*****@*****.**> * * @throws CGE_CriticalAttributeException If an attribute without which Confusa * really can not work is not found * @throws MapNotFoundException If the NREN-map is not found * * @param array $attributes * @param String $idp * @throws MapNotFoundException */ protected function decoratePerson($attributes, $idp) { $cnPrefix = ""; $oPrefix = ""; if (Config::get_config('capi_test')) { $cnPrefix = ConfusaConstants::$CAPI_TEST_CN_PREFIX; $oPrefix = ConfusaConstants::$CAPI_TEST_O_PREFIX; } if (is_null($idp)) { throw new CGE_CriticalAttributeException("Need the URL of the IdP in order to create an NREN-object!"); } if (is_null($attributes)) { throw new CGE_CriticalAttributeException("Cannot find <b>any</b> attributes!"); } /* From the IdP, find the NREN-details */ $this->person->setNREN(new NREN($idp)); if (is_null($this->person->getNREN()) || !$this->person->getNREN()->isValid()) { $msg = "Could not map from the identity provider to the NREN. "; $msg .= "Probably the idp_map in the database is not configured for your idp ({$idp}) "; $msg .= "Please tell an administrator about that problem!"; throw new CGE_CriticalAttributeException($msg); } $nren_id = $this->person->getNREN()->getID(); Logger::logEvent(LOG_INFO, "Confusa_Auth", "decoratePerson(..., {$idp})", "Decorating person with map from NREN {$nren_id}."); $map = $this->person->getMap(); /* Normal mapping, this is what we want. */ if ($this->mapSanityCheck($map)) { /* Now that we have the NREN-map, reiterate getMap() in * case we can find the subscriber-map. */ $this->person->setSubscriber(new Subscriber($attributes[$map['epodn']][0], $this->person->getNREN())); $new_map = $this->person->getMap(); if ($this->mapSanityCheck($new_map)) { $map = $new_map; } $eppn = Input::sanitizeEPPN($attributes[$map['eppn']][0]); $this->person->setEPPN($eppn); if (!is_null($map['eppn'])) { $this->person->setEPPNKey($map['eppn']); } if (!is_null($map['cn'])) { if (array_key_exists($map['cn'], $attributes)) { $cn = mysql_real_escape_string($attributes[$map['cn']][0]); $this->person->setName($cnPrefix . $cn); } } /* end map has cn */ if (!is_null($map['mail'])) { if (array_key_exists($map['mail'], $attributes)) { $mail = Input::sanitizeEmail($attributes[$map['mail']]); $this->person->setEmail($mail); } } /* go through and add the relevant entitlement-parts. * TODO: cleanup this and move to person::setEntitlement() */ if (!is_null($map['entitlement'])) { if (array_key_exists($map['entitlement'], $attributes)) { $entitlements = $attributes[$map['entitlement']]; } } if (isset($entitlements)) { $namespace = Config::get_config('entitlement_namespace'); foreach ($entitlements as $key => $entitlementValue) { $pos = strpos($entitlementValue, $namespace); /* Note: we *must* check for both false *and* * type, as we want pos to be 0 */ if ($pos === false || (int) $pos != 0) { continue; } else { $val = explode(":", $entitlementValue); if (count($val) !== count(explode(":", $namespace)) + 1) { Framework::error_output("Error with namespace, too many objects in namespace (" . count($val) . ")"); continue; } /* only set the part *after* * entitlement-namespace */ $entitlement = Input::sanitizeEntitlement($val[count($val) - 1]); /* is the entitlement a valid entitlement? */ if ($entitlement == Config::get_config('entitlement_user') || $entitlement == Config::get_config('entitlement_admin')) { $this->person->setEntitlement($entitlement); } } } } } else { /* At this point we're on shaky ground as we have to * 'see if we can find anything' * * no map is set, can we find the ePPN in there? */ $eppnKey = $this->findEPPN($attributes); if (!is_null($eppnKey)) { $eppn = Input::sanitizeEPPN($eppnKey['value']); $this->person->setEPPN($eppn); $this->person->setEPPNKey($eppnKey['key']); } /* is ePPN registred as NREN admin (from bootstrap) */ if ($this->person->isNRENAdmin()) { if (is_array($map)) { Logger::log_event(LOG_WARNING, "Map for NREN {$nren_id} ({$idp}) corrupted. " . "Contains empty fields, consider dropping the map."); } $msg = "No NREN map found!"; if (Config::get_config('debug')) { $msg .= "Raw-dump of supplied attributes:<br />\n"; $msg .= "<br /><pre>\n"; foreach ($attributes as $key => $val) { $tabs = "\t"; if (strlen($key) < 8) { $tabs .= "\t\t"; } else { if (strlen($key) < 16) { $tabs .= "\t"; } } $msg .= htmlentities("{$key}{$tabs}{$val[0]}") . "\n"; } $msg .= "</pre><br />\n"; } throw new MapNotFoundException($msg); } } }
public function pre_process($person) { parent::pre_process($person); /* IF user is not subscirber- or nren-admin, we stop here */ if (!($this->person->isSubscriberAdmin() || $this->person->isNRENAdmin())) { return false; } if (isset($_POST['nren_operation'])) { if (!$this->person->isNRENAdmin()) { Framework::error_output("You need NREN-administrator privileges in order to complete this request."); return false; } /* operations called by the NREN-admin */ switch (htmlentities($_POST['nren_operation'])) { case 'delete_nren_admin': $admin = Input::sanitizeEPPN($_POST['nren_admin']); $this->deleteAdmin($admin, NREN_ADMIN); break; case 'downgrade_self': if ($this->person->testEntitlementAttribute(Config::get_config('entitlement_admin'))) { $this->downgradeNRENAdmin($this->person->getEPPN(), $this->person->getSubscriber()->getDBID()); } break; case 'upgrade_subs_admin': $admin = Input::sanitizeEPPN($_POST['subs_admin']); $this->upgradeSubscriberAdmin($admin); break; case 'add_nren_admin': $admin = Input::sanitizeEPPN($_POST['nren_admin']); $idp = htmlentities($_POST['idp']); if ($idp === '-') { $this->addNRENAdmin($admin, NULL); } else { $this->addNRENAdmin($admin, $idp); } break; case 'delete_subs_admin': $admin = Input::sanitizeEPPN($_POST['subs_admin']); $this->deleteAdmin($admin, SUBSCRIBER_ADMIN); break; case 'add_subs_admin': $admin = Input::sanitizeEPPN($_POST['subs_admin']); $subscriberID = Input::sanitizeID($_POST['subscriberID']); $this->addSubscriberAdmin($admin, SUBSCRIBER_ADMIN, $subscriberID); break; default: break; } /* operations called by the subscriber admin */ } else { if (isset($_POST['subs_operation'])) { if (!$this->person->isSubscriberAdmin()) { Framework::error_output("You do not have sufficient permissions in order to complete this transaction."); return false; } switch (htmlentities($_POST['subs_operation'])) { case 'delete_subs_admin': $admin = Input::sanitizeEPPN($_POST['subs_admin']); $this->deleteAdmin($admin, SUBSCRIBER_ADMIN); break; case 'add_subs_admin': $admin = Input::sanitizeEPPN($_POST['subs_admin']); $this->addSubscriberAdmin($admin, SUBSCRIBER_ADMIN, $this->person->getSubscriber()->getDBID()); break; case 'downgrade_subs_admin': $admin = Input::sanitizeEPPN($_POST['subs_admin']); $this->downgradeSubscriberAdmin($admin, $this->person->getSubscriber()->getDBID()); break; case 'upgrade_subs_sub_admin': $admin = Input::sanitizeEPPN($_POST['subs_sub_admin']); $this->upgradeSubscriberSubAdmin($admin, $this->person->getSubscriber()->getDBID()); break; case 'delete_subs_sub_admin': $admin = Input::sanitizeEPPN($_POST['subs_sub_admin']); $this->deleteAdmin($admin, SUBSCRIBER_SUB_ADMIN); break; case 'add_subs_sub_admin': $admin = Input::sanitizeEPPN($_POST['subs_sub_admin']); $this->addSubscriberAdmin($admin, SUBSCRIBER_SUB_ADMIN, $this->person->getSubscriber()->getDBID()); break; default: break; } } } }
/** * Display a list of distinguished names whose certificates will be revoked * based on an uploaded CSV with a list of UIDs (e.g. eppns). Offer the * possibility to revoke these certificates. * * @param $eppn_file string The name of the $_FILES parameter containining the * CSV of unique identifiers * @param $subscriber string The name of the subscriber by which the search is * scoped * */ private function search_list_display($eppn_file, $subscriber) { /* These can become a *lot* of auth_keys/order_numbers. Thus, save the list * of auth_keys preferrably in the session, otherwise it will take forever * to download the site and I am not sure if it is such a good idea to send * an endless list of auth_keys as hidden parameters * to the user and then from there back again with a POST to the server */ CS::deleteSessionKey('auth_keys'); $csvl = new CSV_Lib($eppn_file); $eppn_list = $csvl->get_csv_entries(); $certs = array(); $auth_keys = array(); foreach ($eppn_list as $eppn) { $eppn = Input::sanitizeEPPN($eppn); $eppn_certs = $this->ca->getCertListForEPPN($eppn, $subscriber); $certs = array_merge($certs, $eppn_certs); } if (count($certs) > 0) { /* get the certificate owner/order number pairs into a ordering that * permits us to send the order-numbers for each certificate owner * to the revocation method */ foreach ($certs as $row) { $owners[] = str_replace(",", ", ", $row['cert_owner']); $auth_keys[] = $row['auth_key']; } $owners = array_unique($owners); CS::setSessionKey('auth_keys', $auth_keys); $this->tpl->assign('owners', $owners); $this->tpl->assign('revoke_list', true); $this->tpl->assign('nren_reasons', ConfusaConstants::$REVOCATION_REASONS); $this->tpl->assign('selected', 'unspecified'); } }