authorJérôme Schneider <jschneider@entrouvert.com>2013-08-12 14:08:51 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2013-08-12 14:10:44 (GMT)
commit75196aef4175473ef501b067f7b348ca8ded3e84 (patch)
tree1e3b82b6d92be35c2ce45653e92cbb702efe639c
parentafe7016670b2e9d29095d6c271625e0ab70ebb8d (diff)
downloadspip-saml-75196aef4175473ef501b067f7b348ca8ded3e84.zip
spip-saml-75196aef4175473ef501b067f7b348ca8ded3e84.tar.gz
spip-saml-75196aef4175473ef501b067f7b348ca8ded3e84.tar.bz2
Manage NameID and email as unique id; this allows changing the email
* inc/simplesamlphp/metadata/saml20-idp-remote.php: add idp dev metadata
-rw-r--r--balise/login_saml.php15
-rw-r--r--base/saml.php21
-rw-r--r--inc/simplesamlphp/config/authsources.php8
-rw-r--r--inc/simplesamlphp/metadata/saml20-idp-remote.php75
-rw-r--r--plugin.xml10
-rw-r--r--saml_administrations.php25
6 files changed, 144 insertions, 10 deletions
diff --git a/balise/login_saml.php b/balise/login_saml.php
index 445e61f..e88f495 100644
--- a/balise/login_saml.php
+++ b/balise/login_saml.php
@@ -69,12 +69,13 @@ function login_saml_successfull()
$first_name = $attributes['gn'][0];
$last_name = $attributes['sn'][0];
$email = $attributes['email'][0];
+ $nameid = $attributes['NameID'][0];
$display_name = $first_name . ' ' . $last_name;
spip_log("[auth_saml] authentification reussi pour l'utilisateur =".$email);
// Si l'utilisateur figure deja dans la base, y recuperer les infos
- $result = spip_query("SELECT * FROM spip_auteurs WHERE email=" ._q($email). " AND statut<>'6form'" );
+ $result = spip_query("SELECT * FROM spip_auteurs WHERE (nameid=". _q($nameid) ." OR email=". _q($email) .") AND statut<>'6form'" );
$row_auteur = spip_fetch_array($result);
spip_log("[auth_saml] attribus utilisateur =".$row_auteur['login']);
@@ -82,7 +83,9 @@ function login_saml_successfull()
if ($row_auteur) {
spip_log("[auth_saml] updating user [" . $email . "]");
spip_log("[auth_saml] display name : $display_name and login : $login");
- spip_query("UPDATE spip_auteurs SET nom=" . _q($display_name) . ", login=" . _q($login) . " WHERE email="._q($email));
+ if (! $row_auteur['nameid'])
+ spip_query("UPDATE spip_auteurs SET nameid=" . _q($nameid) . " WHERE email="._q($email));
+ spip_query("UPDATE spip_auteurs SET nom=". _q($display_name) .", login=". _q($login) .", email="._q($email)." WHERE nameid="._q($nameid));
}
else
@@ -90,14 +93,14 @@ function login_saml_successfull()
spip_log("[auth_saml] creating user [" . $login . "]");
spip_log("[auth_saml] display name : $display_name and email : $email");
$pass = hash('sha256', generate_password());
- spip_query("INSERT INTO spip_auteurs (nom, login, email, pass, statut, webmestre) VALUES
- ('$display_name', '$login', '$email', '$pass', '6forum', 'non')");
+ spip_query("INSERT INTO spip_auteurs (nameid, nom, login, email, pass, statut, webmestre) VALUES
+ ('$nameid', '$display_name', '$login', '$email', '$pass', '6forum', 'non')");
// On recupere l('utilisateur
- $result = spip_query("SELECT * FROM spip_auteurs WHERE email=" ._q($email). " AND statut<>'6forum'" );
+ $result = spip_query("SELECT * FROM spip_auteurs WHERE nameid=" ._q($nameid). " AND statut<>'6forum'" );
$row_auteur = spip_fetch_array($result);
}
// Debug
- spip_log('[auth_saml] login :' . $row_auteur['login'] . ' status : ' . $row_auteur['statut'] . ' email : ' . $row_auteur['email']);
+ spip_log('[auth_saml] nameid :' . $row_auteur['nameid'] . ' status : ' . $row_auteur['statut'] . ' email : ' . $row_auteur['email']);
// chargement de l'utilisateur en session
$GLOBALS['auteur_session'] = $row_auteur;
$session = charger_fonction('session', 'inc');
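Review bot: In the third hunk `$nameid` is spliced raw into the INSERT (`('$nameid', '$display_name', ...`) while the SELECT and UPDATE added in the first two hunks pass the same value through `_q()`; NameID is an attribute taken from the IdP assertion, so quote it the same way, e.g. `VALUES (" . _q($nameid) . ", " . _q($display_name) . ", " . _q($login) . ", " . _q($email) . ", " . _q($pass) . ", '6forum', 'non')");` (the other fields were already interpolated raw before this commit, as the removed lines show). Independently, nothing checks that the NameID attribute is present: if it is missing, `$nameid` is null and `_q(null)` presumably yields `''`, so `nameid=''` in the first hunk's SELECT and the `WHERE nameid=` UPDATE in the second hunk match every pre-existing row (base/saml.php declares the column `text DEFAULT '' NOT NULL`) and can rebind or overwrite an unrelated account; guard before the lookup with `if (empty($nameid)) { spip_log("[auth_saml] NameID absent, abandon"); return; }` or fall back to the email-only path. login_saml_successfull starts before and continues after these hunks, so the appropriate abort path (return value or redirect) is not visible here.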
diff --git a/base/saml.php b/base/saml.php
new file mode 100644
index 0000000..ff43b7f
--- /dev/null
+++ b/base/saml.php
@@ -0,0 +1,21 @@
+<?php
+/**
+ * Plugin SAML
+ *
+ */
+
+if (!defined("_ECRIRE_INC_VERSION")) return;
+
+/**
+ * Ajouter des champs a la table auteurs
+ * @param array $tables_principales
+ * @return array
+ */
+function saml_declarer_tables_principales(&$tables_principales) {
+ // Extension de la table auteurs
+ $tables_principales['spip_auteurs']['field']['nameid'] = "text DEFAULT '' NOT NULL";
+
+ return $tables_principales;
+}
+
+?>
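Review bot: The file ends with a closing `?>` on the last hunk line; any whitespace after it is sent as output, which can break header sending in an authentication plugin, so drop it (the file only declares a function). On the column declaration itself, `nameid` is declared `text`, which MySQL cannot index without a prefix length, yet balise/login_saml.php looks users up with `WHERE nameid=`; since SAML 2.0 persistent identifiers are limited to 256 characters, `varchar(256) DEFAULT '' NOT NULL` together with `$tables_principales['spip_auteurs']['key']['KEY nameid'] = 'nameid';` would let that lookup use an index.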
diff --git a/inc/simplesamlphp/config/authsources.php b/inc/simplesamlphp/config/authsources.php
index 24518c0..e096648 100644
--- a/inc/simplesamlphp/config/authsources.php
+++ b/inc/simplesamlphp/config/authsources.php
@@ -22,8 +22,12 @@ $config = array(
// The entity ID of the IdP this should SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
- // 'idp' => 'https://mon-meyzieu.recette.entrouvert.com/idp/saml2/metadata',
- 'idp' => 'https://mon.meyzieu.fr/idp/saml2/metadata',
+ // Production
+ 'idp' => 'https://mon.meyzieu.fr/idp/saml2/metadata',
+ // Recette
+ //'idp' => 'https://mon-meyzieu.recette.entrouvert.com/idp/saml2/metadata',
+ // Dev
+ //'idp' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/metadata',
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
diff --git a/inc/simplesamlphp/metadata/saml20-idp-remote.php b/inc/simplesamlphp/metadata/saml20-idp-remote.php
index 6b6aa6e..0634ab1 100644
--- a/inc/simplesamlphp/metadata/saml20-idp-remote.php
+++ b/inc/simplesamlphp/metadata/saml20-idp-remote.php
@@ -152,3 +152,78 @@ o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy',
),
);
+$metadata['http://mon.meyzieu.dev.entrouvert.org/idp/saml2/metadata'] = array (
+ 'entityid' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/metadata',
+ 'contacts' =>
+ array (
+ ),
+ 'metadata-set' => 'saml20-idp-remote',
+ 'SingleSignOnService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/sso',
+ ),
+ 1 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/sso',
+ ),
+ ),
+ 'SingleLogoutService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo',
+ 'ResponseLocation' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo_return',
+ ),
+ 1 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo',
+ 'ResponseLocation' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo_return',
+ ),
+ 2 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo/soap',
+ ),
+ ),
+ 'ArtifactResolutionService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/artifact',
+ 'index' => 1,
+ ),
+ ),
+ 'keys' =>
+ array (
+ 0 =>
+ array (
+ 'encryption' => true,
+ 'signing' => true,
+ 'type' => 'X509Certificate',
+ 'X509Certificate' => 'MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV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',
+ ),
+ ),
+);
diff --git a/plugin.xml b/plugin.xml
index 3260173..c4b261a 100644
--- a/plugin.xml
+++ b/plugin.xml
@@ -1,8 +1,8 @@
<plugin>
<nom>SPIPSaml</nom>
<auteur>[Jérôme Schneider->jschneider@entrouvert.org]</auteur>
- <version>0.1</version>
- <etat>experimental</etat>
+ <version>0.2</version>
+ <etat>test</etat>
<description>
<multi>
[en]SAML plugin providing Shibboleth authentication.
@@ -13,8 +13,14 @@
[http://repos.entrouvert.org/spip-saml.git->http://repos.entrouvert.org/spip-saml.git]
</lien>
<prefix>saml</prefix>
+ <install>saml_administrations.php</install>
<pipeline>
<nom>definir_session</nom>
<inclure>saml_pipelines.php</inclure>
</pipeline>
+ <pipeline>
+ <nom>declarer_tables_principales</nom>
+ <inclure>base/saml.php</inclure>
+ </pipeline>
+
</plugin>
diff --git a/saml_administrations.php b/saml_administrations.php
new file mode 100644
index 0000000..eb91c13
--- /dev/null
+++ b/saml_administrations.php
@@ -0,0 +1,25 @@
+<?php
+
+if (!defined("_ECRIRE_INC_VERSION")) return;
+
+include_spip('inc/meta');
+include_spip('base/create');
+
+function saml_install($action) {
+ $plugins_actifs = liste_plugin_actifs();
+ $version_script = $plugins_actifs['SAML']['version'];
+
+ switch ($action) {
+ case 'test':
+ return ((isset($GLOBALS['meta']['saml_version'])) AND
+ ($GLOBALS['meta']['saml_version'] == $version_script));
+ case 'install':
+ include_spip('base/saml');
+ maj_tables('spip_auteurs');
+ ecrire_meta('saml_version', $version_script);
+ ecrire_metas();
+ break;
+ }
+}
+
+?>
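Review bot: The `'test'` branch compares the stored and script versions with `==`, which on numeric strings becomes a float comparison (`'0.2' == '0.20'` is true), so compare the strings strictly: `($GLOBALS['meta']['saml_version'] === $version_script)`. There is also no `'uninstall'` case, so the `saml_version` meta survives plugin removal and a later reinstall's `'test'` reports the schema as already in place; `case 'uninstall': effacer_meta('saml_version'); ecrire_metas(); break;` would cover it (the column added to spip_auteurs is better left in place). The trailing `?>` on the last line can be dropped as well, since the file only declares a function.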