From 75196aef4175473ef501b067f7b348ca8ded3e84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Schneider?=
Date: Mon, 12 Aug 2013 16:08:51 +0200
Subject: [PATCH] Manage NameID and email as uniqueid this allow to change email * inc/simplesamlphp/metadata/saml20-idp-remote.php: add idp dev metadata
---
 balise/login_saml.php | 15 ++--
 base/saml.php | 21 ++++++
 inc/simplesamlphp/config/authsources.php | 8 +-
 .../metadata/saml20-idp-remote.php | 75 +++++++++++++++++++
 plugin.xml | 10 ++-
 saml_administrations.php | 25 +++++++
 6 files changed, 144 insertions(+), 10 deletions(-)
 create mode 100644 base/saml.php
 create mode 100644 saml_administrations.php
diff --git a/balise/login_saml.php b/balise/login_saml.php
index 445e61f..e88f495 100644
--- a/balise/login_saml.php
+++ b/balise/login_saml.php
@@ -69,12 +69,13 @@ function login_saml_successfull()
 $first_name = $attributes['gn'][0];
 $last_name = $attributes['sn'][0];
 $email = $attributes['email'][0];
+ $nameid = $attributes['NameID'][0];
 $display_name = $first_name . ' ' . $last_name;
 spip_log("[auth_saml] authentification reussi pour l'utilisateur =".$email);
 // Si l'utilisateur figure deja dans la base, y recuperer les infos
- $result = spip_query("SELECT * FROM spip_auteurs WHERE email=" ._q($email). " AND statut<>'6form'" );
+ $result = spip_query("SELECT * FROM spip_auteurs WHERE (nameid=". _q($nameid) ." OR email=". _q($email) .") AND statut<>'6form'" );
 $row_auteur = spip_fetch_array($result);
 spip_log("[auth_saml] attribus utilisateur =".$row_auteur['login']);
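Review bot: `$nameid = $attributes['NameID'][0];` is read without checking that the IdP actually supplied a NameID, yet the next changed line makes it the primary lookup key; an absent attribute yields a notice and an empty value, so the query degrades to `nameid='' OR email=...` and any row stored with an empty nameid would later match. Guard it before the query, e.g. `if (empty($attributes['NameID'][0])) { spip_log('[auth_saml] NameID manquant'); return; }`, adapting the bail-out to the function's existing failure path, which is outside the hunk. The `OR email=` fallback also matches a row that already carries a different nameid; the hunk at line 82 is where that case needs handling. login_saml_successfull starts before this hunk.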
@@ -82,7 +83,9 @@ function login_saml_successfull()
 if ($row_auteur) {
 spip_log("[auth_saml] updating user [" . $email . "]");
 spip_log("[auth_saml] display name : $display_name and login : $login");
- spip_query("UPDATE spip_auteurs SET nom=" . _q($display_name) . ", login=" . _q($login) . " WHERE email="._q($email));
+ if (! $row_auteur['nameid'])
+ spip_query("UPDATE spip_auteurs SET nameid=" . _q($nameid) . " WHERE email="._q($email));
+ spip_query("UPDATE spip_auteurs SET nom=". _q($display_name) .", login=". _q($login) .", email="._q($email)." WHERE nameid="._q($nameid));
 }
 else
@@ -90,14 +93,14 @@ function login_saml_successfull()
 spip_log("[auth_saml] creating user [" . $login . "]");
 spip_log("[auth_saml] display name : $display_name and email : $email");
 $pass = hash('sha256', generate_password());
- spip_query("INSERT INTO spip_auteurs (nom, login, email, pass, statut, webmestre) VALUES
- ('$display_name', '$login', '$email', '$pass', '6forum', 'non')");
+ spip_query("INSERT INTO spip_auteurs (nameid, nom, login, email, pass, statut, webmestre) VALUES
+ ('$nameid', '$display_name', '$login', '$email', '$pass', '6forum', 'non')");
 // On recupere l('utilisateur
- $result = spip_query("SELECT * FROM spip_auteurs WHERE email=" ._q($email). " AND statut<>'6forum'" );
+ $result = spip_query("SELECT * FROM spip_auteurs WHERE nameid=" ._q($nameid). " AND statut<>'6forum'" );
 $row_auteur = spip_fetch_array($result);
 }
 // Debug
- spip_log('[auth_saml] login :' . $row_auteur['login'] . ' status : ' . $row_auteur['statut'] . ' email : ' . $row_auteur['email']);
+ spip_log('[auth_saml] nameid :' . $row_auteur['nameid'] . ' status : ' . $row_auteur['statut'] . ' email : ' . $row_auteur['email']);
 // chargement de l'utilisateur en session
 $GLOBALS['auteur_session'] = $row_auteur;
 $session = charger_fonction('session', 'inc');
diff --git a/base/saml.php b/base/saml.php
new file mode 100644
index 0000000..ff43b7f
--- /dev/null
+++ b/base/saml.php
@@ -0,0 +1,21 @@
+ 
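Review bot: In the update branch, when the row matched by email already holds a nameid different from the asserted one, `if (! $row_auteur['nameid'])` skips the link, the following `UPDATE ... WHERE nameid=` touches no row, and the session is still loaded from `$row_auteur`, so the user ends up signed in to an account whose nameid is not theirs solely because the IdP asserted the same email. Refuse that case explicitly before the updates, e.g. `if ($row_auteur['nameid'] && $row_auteur['nameid'] != $nameid) { spip_log('[auth_saml] nameid mismatch for ' . $email); return; }`, adapted to the function's failure path. `$row_auteur` is also not re-read after the UPDATE, so `$GLOBALS['auteur_session']` later in this function carries the pre-update nom, login and email even though the point of the commit is to let the email change; re-run the SELECT by nameid as the create branch does. The brace-less `if` guarding a single statement is fragile in this style; wrap it in braces.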
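Review bot: The new INSERT interpolates `'$nameid'` directly into the SQL string while the SELECT and UPDATE in the same function pass it through `_q()`; a NameID is opaque text chosen by the IdP, so it needs the same quoting: `spip_query("INSERT INTO spip_auteurs (nameid, nom, login, email, pass, statut, webmestre) VALUES (" . _q($nameid) . ", " . _q($display_name) . ", " . _q($login) . ", " . _q($email) . ", " . _q($pass) . ", '6forum', 'non')");`. The other interpolated values predate this commit, but `$display_name`, `$login` and `$email` are IdP-supplied too, so quoting the whole row in one go is the smaller change. The rewritten debug line now writes the nameid next to the email into spip_log; consider whether a persistent identifier belongs in that log at that level.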
diff --git a/inc/simplesamlphp/config/authsources.php b/inc/simplesamlphp/config/authsources.php
index 24518c0..e096648 100644
--- a/inc/simplesamlphp/config/authsources.php
+++ b/inc/simplesamlphp/config/authsources.php
@@ -22,8 +22,12 @@ $config = array(
 // The entity ID of the IdP this should SP should contact.
 // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
- // 'idp' => 'https://mon-meyzieu.recette.entrouvert.com/idp/saml2/metadata',
- 'idp' => 'https://mon.meyzieu.fr/idp/saml2/metadata',
+ // Production
+ 'idp' => 'https://mon.meyzieu.fr/idp/saml2/metadata',
+ // Recette
+ //'idp' => 'https://mon-meyzieu.recette.entrouvert.com/idp/saml2/metadata',
+ // Dev
+ //'idp' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/metadata',
 // The URL to the discovery service.
 // Can be NULL/unset, in which case a builtin discovery service will be used.
diff --git a/inc/simplesamlphp/metadata/saml20-idp-remote.php b/inc/simplesamlphp/metadata/saml20-idp-remote.php
index 6b6aa6e..0634ab1 100644
--- a/inc/simplesamlphp/metadata/saml20-idp-remote.php
+++ b/inc/simplesamlphp/metadata/saml20-idp-remote.php
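Review bot: The IdP is now chosen by commenting and uncommenting `'idp'` lines in a committed config file, so a deploy with the Dev line left active would send production logins to the plaintext `http://` IdP declared in this commit. Prefer reading the entity ID from an environment-specific setting, or at least keep only the production value here and document the other two in the deployment notes.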
@@ -152,3 +152,78 @@ o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy',
 ),
 );
+$metadata['http://mon.meyzieu.dev.entrouvert.org/idp/saml2/metadata'] = array (
+ 'entityid' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/metadata',
+ 'contacts' =>
+ array (
+ ),
+ 'metadata-set' => 'saml20-idp-remote',
+ 'SingleSignOnService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/sso',
+ ),
+ 1 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/sso',
+ ),
+ ),
+ 'SingleLogoutService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo',
+ 'ResponseLocation' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo_return',
+ ),
+ 1 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo',
+ 'ResponseLocation' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo_return',
+ ),
+ 2 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/slo/soap',
+ ),
+ ),
+ 'ArtifactResolutionService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+ 'Location' => 'http://mon.meyzieu.dev.entrouvert.org/idp/saml2/artifact',
+ 'index' => 1,
+ ),
+ ),
+ 'keys' =>
+ array (
+ 0 =>
+ array (
+ 'encryption' => true,
+ 'signing' => true,
+ 'type' => 'X509Certificate',
+ 'X509Certificate' => 'MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
+BAoTCkVudHJvdXZlcnQwHhcNMTAxMjE0MTUzMzAyWhcNMTEwMTEzMTUzMzAyWjAV
+MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZn9Kqm4Cp
+06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrUH8QT8NGh
+ABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59xihSqsoFr
+kmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9Hri8JRdXi
+VT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziazZfvvw/VG
+Tm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABo3YwdDAdBgNVHQ4EFgQUeF8ePnu0
+fcAK50iBQDgAhHkOu8kwRQYDVR0jBD4wPIAUeF8ePnu0fcAK50iBQDgAhHkOu8mh
+GaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQDVAaInJNaQ6TAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAy8l3GhUtpPHx0FxzbRHVaaUSgMwYKGPhE
+IdGhqekKUJIx8et4xpEMFBl5XQjBNq/mp5vO3SPb2h2PVSks7xWnG3cvEkqJSOeo
+fEEhkqnM45b2MH1S5uxp4i8UilPG6kmQiXU2rEUBdRk9xnRWos7epVivTSIv1Ncp
+lG6l41SXp6YgIb2ToT+rOKdIGIQuGDlzeR88fDxWEU0vEujZv/v1PE1YOV0xKjTT
+JumlBc6IViKhJeo1wiBBrVRIIkKKevHKQzteK8pWm9CYWculxT26TZ4VWzGbo06j
+o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy',
+ ),
+ ),
+);
diff --git a/plugin.xml b/plugin.xml
index 3260173..c4b261a 100644
--- a/plugin.xml
+++ b/plugin.xml
@@ -1,8 +1,8 @@ SPIPSaml [Jérôme Schneider->jschneider@entrouvert.org] - 0.1 - experimental + 0.2 + test [en]SAML plugin providing Shibboleth authentication.
@@ -13,8 +13,14 @@ [http://repos.entrouvert.org/spip-saml.git->http://repos.entrouvert.org/spip-saml.git] saml + saml_administrations.php definir_session saml_pipelines.php + + declarer_tables_principales + base/saml.php + +
diff --git a/saml_administrations.php b/saml_administrations.php
new file mode 100644
index 0000000..eb91c13
--- /dev/null
+++ b/saml_administrations.php
@@ -0,0 +1,25 @@
+
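Review bot: Every endpoint in the new dev IdP entry (SSO, SLO, artifact resolution) is `http://`, so once authsources.php is pointed at this entity the redirects, POSTed responses and the artifact SOAP exchange travel unprotected; that is tolerable only on a closed development host, and the entry should say so, e.g. `// Dev IdP only: plaintext endpoints, never reference this entry from a deployed SP.` placed above `$metadata['http://mon.meyzieu.dev.entrouvert.org/idp/saml2/metadata']`. The embedded X509Certificate appears to end on the same base64 line as the certificate already in the file (the hunk's context line), and its DER validity field looks like a 2010-12-14 to 2011-01-13 window; if that reading is right, simplesamlphp is being told to trust a long-expired key, which is worth confirming with `openssl x509 -noout -dates` before the entry is used. The plugin.xml and saml_administrations.php hunks that follow have lost their markup in this rendering and are not reviewed here.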