 /**
  * decoratePerson - get the supplied attributes and add to the correct
  * fields in person
  *
  * This function is a bit fragile. The reason for this, is that it needs
  * to 'bootstrap' the map for person-identifier (e.g. ePPN)
  * through various encodings.
  *
  * One way would be to add a specific mapping for all known NRENs, but
  * we'd rather add a generic approach and just try the known encodings
  * and see if we find something there.
  *
  * If, for some reason, a new NREN/IdP fails to correctly decorate the
  * person-object, the problem most likely starts here.
  *
  * Flow: resolve the NREN from the IdP, fetch the attribute map and then
  * either (a) copy ePPN, cn, mail and entitlement into the person through
  * the map, or (b) when no sane map exists, look for the ePPN heuristically
  * and, if the person turns out to be an NREN admin, abort with
  * MapNotFoundException so that the map can be created.
  *
  * @author Henrik Austad <*****@*****.**>
  * @author Thomas Zangerl <*****@*****.**>
  *
  * @throws CGE_CriticalAttributeException If an attribute without which Confusa
  *                                        really can not work is not found, or
  *                                        the IdP cannot be mapped to an NREN
  * @throws MapNotFoundException           If the NREN-map is not found and the
  *                                        person is an NREN admin
  *
  * @param array  $attributes attributes released by the IdP, keyed by attribute
  *                           name; values are indexed lists (element 0 is used
  *                           for most fields)
  * @param string $idp        identifier (URL) of the identity provider
  * @return void
  */
 protected function decoratePerson($attributes, $idp)
 {
     /* In CAPI test mode the CN (and O) get a recognisable prefix.
      * $oPrefix is set here but not used further in this method. */
     $cnPrefix = "";
     $oPrefix = "";
     if (Config::get_config('capi_test')) {
         $cnPrefix = ConfusaConstants::$CAPI_TEST_CN_PREFIX;
         $oPrefix = ConfusaConstants::$CAPI_TEST_O_PREFIX;
     }
     if (is_null($idp)) {
         throw new CGE_CriticalAttributeException("Need the URL of the IdP in order to create an NREN-object!");
     }
     if (is_null($attributes)) {
         throw new CGE_CriticalAttributeException("Cannot find <b>any</b> attributes!");
     }
     /* From the IdP, find the NREN-details */
     $this->person->setNREN(new NREN($idp));
     if (is_null($this->person->getNREN()) || !$this->person->getNREN()->isValid()) {
         $msg = "Could not map from the identity provider to the NREN. ";
         $msg .= "Probably the idp_map in the database is not configured for your idp ({$idp}) ";
         $msg .= "Please tell an administrator about that problem!";
         throw new CGE_CriticalAttributeException($msg);
     }
     $nren_id = $this->person->getNREN()->getID();
     /* NOTE(review): spelled Logger::logEvent here but Logger::log_event
      * further down; confirm both names exist on Logger. */
     Logger::logEvent(LOG_INFO, "Confusa_Auth", "decoratePerson(..., {$idp})", "Decorating person with map from NREN {$nren_id}.");
     $map = $this->person->getMap();
     /* Normal mapping, this is what we want. */
     if ($this->mapSanityCheck($map)) {
         /* Now that we have the NREN-map, reiterate getMap() in
          * case we can find the subscriber-map. */
         /* NOTE(review): unlike cn/mail/entitlement below, there is no
          * array_key_exists() guard for the epodn and eppn attributes; a
          * map pointing at an attribute the IdP did not release triggers
          * an undefined-index notice here. */
         $this->person->setSubscriber(new Subscriber($attributes[$map['epodn']][0], $this->person->getNREN()));
         $new_map = $this->person->getMap();
         if ($this->mapSanityCheck($new_map)) {
             $map = $new_map;
         }
         /* The ePPN is read before the is_null($map['eppn']) check below. */
         $eppn = Input::sanitizeEPPN($attributes[$map['eppn']][0]);
         $this->person->setEPPN($eppn);
         if (!is_null($map['eppn'])) {
             $this->person->setEPPNKey($map['eppn']);
         }
         if (!is_null($map['cn'])) {
             if (array_key_exists($map['cn'], $attributes)) {
                 /* NOTE(review): mysql_real_escape_string() was removed in
                  * PHP 7 and needs an open MySQL connection; SQL escaping
                  * belongs at the query (prepared statements), not on the
                  * name value. Consider an Input::sanitize* equivalent. */
                 $cn = mysql_real_escape_string($attributes[$map['cn']][0]);
                 $this->person->setName($cnPrefix . $cn);
             }
         }
         /* end map has cn */
         if (!is_null($map['mail'])) {
             if (array_key_exists($map['mail'], $attributes)) {
                 /* The whole attribute value list is passed here (no [0]),
                  * unlike cn; presumably sanitizeEmail accepts an array —
                  * confirm. */
                 $mail = Input::sanitizeEmail($attributes[$map['mail']]);
                 $this->person->setEmail($mail);
             }
         }
         /* go through and add the relevant entitlement-parts.
          * TODO: cleanup this and move to person::setEntitlement()
          */
         if (!is_null($map['entitlement'])) {
             if (array_key_exists($map['entitlement'], $attributes)) {
                 $entitlements = $attributes[$map['entitlement']];
             }
         }
         /* Each entitlement value must start with the configured namespace
          * and carry exactly one ':'-separated component after it; only the
          * configured user/admin values are accepted. */
         if (isset($entitlements)) {
             $namespace = Config::get_config('entitlement_namespace');
             foreach ($entitlements as $key => $entitlementValue) {
                 $pos = strpos($entitlementValue, $namespace);
                 /* Note: we *must* check for both false *and*
                  * type, as we want pos to be 0 */
                 if ($pos === false || (int) $pos != 0) {
                     continue;
                 } else {
                     $val = explode(":", $entitlementValue);
                     if (count($val) !== count(explode(":", $namespace)) + 1) {
                         Framework::error_output("Error with namespace, too many objects in namespace (" . count($val) . ")");
                         continue;
                     }
                     /* only set the part *after*
                      * entitlement-namespace */
                     $entitlement = Input::sanitizeEntitlement($val[count($val) - 1]);
                     /* is the entitlement a valid entitlement?
                      * (loose == comparison against the configured strings) */
                     if ($entitlement == Config::get_config('entitlement_user') || $entitlement == Config::get_config('entitlement_admin')) {
                         $this->person->setEntitlement($entitlement);
                     }
                 }
             }
         }
     } else {
         /* At this point we're on shaky ground as we have to
          * 'see if we can find anything'
          *
          *		no map is set, can we find the ePPN in there?
          */
         $eppnKey = $this->findEPPN($attributes);
         if (!is_null($eppnKey)) {
             $eppn = Input::sanitizeEPPN($eppnKey['value']);
             $this->person->setEPPN($eppn);
             $this->person->setEPPNKey($eppnKey['key']);
         }
         /* is ePPN registred as NREN admin (from bootstrap) */
         if ($this->person->isNRENAdmin()) {
             /* A map that exists but failed mapSanityCheck() is reported
              * separately from a missing one. */
             if (is_array($map)) {
                 Logger::log_event(LOG_WARNING, "Map for NREN {$nren_id} ({$idp}) corrupted. " . "Contains empty fields, consider dropping the map.");
             }
             $msg = "No NREN map found!";
             /* The raw attribute dump ends up in the exception message and
              * therefore on the error page; it is only built when 'debug'
              * is enabled — keep it that way. */
             if (Config::get_config('debug')) {
                 $msg .= "Raw-dump of supplied attributes:<br />\n";
                 $msg .= "<br /><pre>\n";
                 foreach ($attributes as $key => $val) {
                     /* Pad with tabs by key length (bytes) so the values
                      * line up in the <pre> block. */
                     $tabs = "\t";
                     if (strlen($key) < 8) {
                         $tabs .= "\t\t";
                     } else {
                         if (strlen($key) < 16) {
                             $tabs .= "\t";
                         }
                     }
                     $msg .= htmlentities("{$key}{$tabs}{$val[0]}") . "\n";
                 }
                 $msg .= "</pre><br />\n";
             }
             throw new MapNotFoundException($msg);
         }
     }
 }
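 /**
  * Process the admin-management operations posted to this page.
  *
  * After the parent's pre-processing, the request is dispatched on one of
  * two POST fields: 'nren_operation' (requires NREN-admin rights) or
  * 'subs_operation' (requires subscriber-admin rights). When both are
  * present only 'nren_operation' is handled. Each operation reads its
  * target from further POST fields, which go through Input::sanitize*
  * before use. Unknown operation names are ignored.
  *
  * @param mixed $person the authenticated person, forwarded to the parent
  * @return bool|null false when the caller lacks the privileges required
  *                   for the page or for the requested operation group
  *                   (the latter also reports via Framework::error_output);
  *                   null otherwise
  */
 public function pre_process($person)
 {
     parent::pre_process($person);

     /* Neither subscriber- nor NREN-admin: nothing on this page applies. */
     if (!($this->person->isSubscriberAdmin() || $this->person->isNRENAdmin())) {
         return false;
     }

     /* NOTE(review): no anti-CSRF token check is visible in this method;
      * confirm the framework validates one before these state-changing
      * operations are reached. */
     if (isset($_POST['nren_operation'])) {
         if (!$this->person->isNRENAdmin()) {
             Framework::error_output("You need NREN-administrator privileges in order to complete this request.");
             return false;
         }
         /* Operations called by the NREN-admin.
          * `?? null` hands a missing field on exactly as before (null)
          * but without the undefined-index warning; `?? ''` does the same
          * for htmlentities(), which no longer accepts null. */
         switch (htmlentities($_POST['nren_operation'])) {
             case 'delete_nren_admin':
                 $admin = Input::sanitizeEPPN($_POST['nren_admin'] ?? null);
                 $this->deleteAdmin($admin, NREN_ADMIN);
                 break;
             case 'downgrade_self':
                 /* Only possible when the IdP asserted the admin entitlement. */
                 if ($this->person->testEntitlementAttribute(Config::get_config('entitlement_admin'))) {
                     $this->downgradeNRENAdmin($this->person->getEPPN(), $this->person->getSubscriber()->getDBID());
                 }
                 break;
             case 'upgrade_subs_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_admin'] ?? null);
                 $this->upgradeSubscriberAdmin($admin);
                 break;
             case 'add_nren_admin':
                 $admin = Input::sanitizeEPPN($_POST['nren_admin'] ?? null);
                 $idp = htmlentities($_POST['idp'] ?? '');
                 /* '-' is the form's "no IdP" choice. */
                 $this->addNRENAdmin($admin, $idp === '-' ? null : $idp);
                 break;
             case 'delete_subs_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_admin'] ?? null);
                 $this->deleteAdmin($admin, SUBSCRIBER_ADMIN);
                 break;
             case 'add_subs_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_admin'] ?? null);
                 $subscriberID = Input::sanitizeID($_POST['subscriberID'] ?? null);
                 $this->addSubscriberAdmin($admin, SUBSCRIBER_ADMIN, $subscriberID);
                 break;
             default:
                 break;
         }
     } elseif (isset($_POST['subs_operation'])) {
         /* Operations called by the subscriber admin; all of them are
          * scoped to the admin's own subscriber. */
         if (!$this->person->isSubscriberAdmin()) {
             Framework::error_output("You do not have sufficient permissions in order to complete this transaction.");
             return false;
         }
         switch (htmlentities($_POST['subs_operation'])) {
             case 'delete_subs_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_admin'] ?? null);
                 $this->deleteAdmin($admin, SUBSCRIBER_ADMIN);
                 break;
             case 'add_subs_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_admin'] ?? null);
                 $this->addSubscriberAdmin($admin, SUBSCRIBER_ADMIN, $this->person->getSubscriber()->getDBID());
                 break;
             case 'downgrade_subs_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_admin'] ?? null);
                 $this->downgradeSubscriberAdmin($admin, $this->person->getSubscriber()->getDBID());
                 break;
             case 'upgrade_subs_sub_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_sub_admin'] ?? null);
                 $this->upgradeSubscriberSubAdmin($admin, $this->person->getSubscriber()->getDBID());
                 break;
             case 'delete_subs_sub_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_sub_admin'] ?? null);
                 $this->deleteAdmin($admin, SUBSCRIBER_SUB_ADMIN);
                 break;
             case 'add_subs_sub_admin':
                 $admin = Input::sanitizeEPPN($_POST['subs_sub_admin'] ?? null);
                 $this->addSubscriberAdmin($admin, SUBSCRIBER_SUB_ADMIN, $this->person->getSubscriber()->getDBID());
                 break;
             default:
                 break;
         }
     }
 }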
 /**
  * Show the certificate owners (DNs) matching the unique identifiers in an
  * uploaded CSV, scoped to one subscriber, and offer to revoke them.
  *
  * The matching auth_keys are parked in the session under 'auth_keys'
  * instead of being round-tripped through the form as hidden fields,
  * because the list can become very long. When no certificate matches,
  * nothing is assigned to the template.
  *
  * @param string $eppn_file  name of the $_FILES entry holding the CSV of
  *                           unique identifiers (e.g. ePPNs)
  * @param string $subscriber subscriber name the certificate search is
  *                           scoped to
  * @return void
  */
 private function search_list_display($eppn_file, $subscriber)
 {
     /* Start from a clean slate so a previous search cannot leak its
      * keys into this one. */
     CS::deleteSessionKey('auth_keys');

     $csv = new CSV_Lib($eppn_file);
     $identifiers = $csv->get_csv_entries();

     /* One certificate list per identifier, merged afterwards. */
     $perIdentifier = [];
     foreach ($identifiers as $rawIdentifier) {
         $identifier = Input::sanitizeEPPN($rawIdentifier);
         $perIdentifier[] = $this->ca->getCertListForEPPN($identifier, $subscriber);
     }
     $certs = array_merge([], ...$perIdentifier);

     if (count($certs) === 0) {
         return;
     }

     /* Owner DN for display (a space after each comma) and the matching
      * auth_key for the later revocation request, kept in the same order. */
     $rows = array_values($certs);
     $owners = array_map(function ($row) {
         return str_replace(",", ", ", $row['cert_owner']);
     }, $rows);
     $authKeys = array_map(function ($row) {
         return $row['auth_key'];
     }, $rows);

     CS::setSessionKey('auth_keys', $authKeys);
     $this->tpl->assign('owners', array_unique($owners));
     $this->tpl->assign('revoke_list', true);
     $this->tpl->assign('nren_reasons', ConfusaConstants::$REVOCATION_REASONS);
     $this->tpl->assign('selected', 'unspecified');
 }