/**
* Check that the user has access to the statistics.
*
* If the user doesn't have access, send the user to the login page.
*/
public static function checkAccess(SimpleSAML_Configuration $statconfig)
{
$protected = $statconfig->getBoolean('protected', FALSE);
$authsource = $statconfig->getString('auth', NULL);
$allowedusers = $statconfig->getValue('allowedUsers', NULL);
$useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
$acl = $statconfig->getValue('acl', NULL);
if ($acl !== NULL && !is_string($acl) && !is_array($acl)) {
throw new SimpleSAML_Error_Exception('Invalid value for \'acl\'-option. Should be an array or a string.');
}
if (!$protected) {
return;
}
if (SimpleSAML\Utils\Auth::isAdmin()) {
// User logged in as admin. OK.
SimpleSAML_Logger::debug('Statistics auth - logged in as admin, access granted');
return;
}
if (!isset($authsource)) {
// If authsource is not defined, init admin login.
SimpleSAML\Utils\Auth::requireAdmin();
}
/* We are using an authsource for login. */
$as = new SimpleSAML_Auth_Simple($authsource);
$as->requireAuth();
// User logged in with auth source.
SimpleSAML_Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');
// Retrieving attributes
$attributes = $as->getAttributes();
if (!empty($allowedusers)) {
// Check if userid exists
if (!isset($attributes[$useridattr][0])) {
throw new Exception('User ID is missing');
}
// Check if userid is allowed access..
if (in_array($attributes[$useridattr][0], $allowedusers)) {
SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
return;
}
SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
} else {
SimpleSAML_Logger::debug('Statistics auth - no allowedUsers list.');
}
if (!is_null($acl)) {
$acl = new sspmod_core_ACL($acl);
if ($acl->allows($attributes)) {
SimpleSAML_Logger::debug('Statistics auth - allowed access by ACL.');
return;
}
SimpleSAML_Logger::debug('Statistics auth - denied access by ACL.');
} else {
SimpleSAML_Logger::debug('Statistics auth - no ACL configured.');
}
throw new SimpleSAML_Error_Exception('Access denied to the current user.');
}
// Check if userid exists
if (!isset($attributes[$useridattr][0])) {
throw new Exception('User ID is missing');
}
// Check if userid is allowed access..
if (!in_array($attributes[$useridattr][0], $allowedusers)) {
SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
} else {
SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
$allow = TRUE;
}
} else {
SimpleSAML_Logger::debug('Statistics auth - no allowedUsers list.');
}
if (!$allow && !is_null($acl)) {
$acl = new sspmod_core_ACL($acl);
if (!$acl->allows($attributes)) {
SimpleSAML_Logger::debug('Statistics auth - denied access by ACL.');
} else {
SimpleSAML_Logger::debug('Statistics auth - allowed access by ACL.');
$allow = TRUE;
}
} else {
SimpleSAML_Logger::debug('Statistics auth - no ACL configured.');
}
if (!$allow) {
throw new SimpleSAML_Error_Exception('Access denied to the current user.');
}
} elseif (isset($authsource)) {
// If user is not logged in init login with authrouce if authsousrce is defined.
SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
} elseif (is_null($userId)) {
throw new Exception('User ID is missing');
} else {
if (!in_array($userId, $orgAllowedUsers)) {
SimpleSAML_Logger::debug('LDAPStatus auth - org adminAccess: User ' . var_export($userId, TRUE) . ' not in allowed user list.');
} else {
$isAdmin = TRUE;
SimpleSAML_Logger::debug('LDAPStatus auth - org adminAccess: User ' . var_export($userId, TRUE) . ' granted access by allowed user list.');
}
}
} elseif (!$isAdmin) {
SimpleSAML_Logger::debug('LDAPStatus auth - org adminAccess: Not configured.');
}
/* Organization admin ACL list. */
if (!$isAdmin && !is_null($orgAdminACL)) {
$orgAdminACL = new sspmod_core_ACL($orgAdminACL);
if ($authsource === NULL) {
throw new SimpleSAML_Error_Exception('The \'ldapstatusAuth\' option must be set if the \'adminACL\' option is set.');
}
if (!$session->isValid($authsource)) {
SimpleSAML_Logger::debug('LDAPStatus auth - org ACL: Not logged in with authsource ' . var_export($authsource, TRUE));
} elseif (!$orgAdminACL->allows($attributes)) {
SimpleSAML_Logger::debug('LDAPStatus auth - org ACL: ACL does not grant this user access.');
} else {
$isAdmin = TRUE;
SimpleSAML_Logger::debug('LDAPStatus auth - org ACL: Admin access granted.');
}
} elseif (!$isAdmin) {
SimpleSAML_Logger::debug('LDAPStatus auth - org ACL: Not configured.');
}
}
