DJIN#36213 SAML/Authenticatie verbeteringen, nu ook (virutele) werkplekken

svn path=/Website/trunk/; revision=33685
Jos Groot Lipman
2017-05-04 12:16:17 +00:00
parent 07d4374194
commit 1f8b6db5db
3 changed files with 111 additions and 22 deletions


@@ -45,13 +45,27 @@ function model_aut_idp_map(params)
"LOV": "1;" + L("lcl_prs_person_login")
+ ";2;" + L("lcl_prs_person_achternaam")
+ ";3;" + L("lcl_prs_person_name")
+ ";4;" + L("lcl_prs_person_email")
+ ";5;" + L("lcl_prs_organisatie")
+ ";6;" + L("lcl_account") // te overwegen of 5;organisatie niet genoeg is
+ ";7;" + L("lcl_prs_person_function")
+ ";4;" + L("lcl_prs_person_tussen")
+ ";5;" + L("lcl_prs_person_initials")
+ ";6;" + L("lcl_prs_person_geslacht")
+ ";7;" + L("lcl_prs_person_phone")
+ ";8;" + L("lcl_prs_person_title")
+ ";9;" + L("lcl_prs_person_email")
+ ";10;" + L("lcl_prs_person_phone")
+ ";11;" + L("lcl_prs_person_mobile")
// De foreign's
+ ";20;" + L("lcl_prs_person_function")
+ ";21;" + L("lcl_prs_organisatie")
//+ kostenplaats ondersteunen we niet, dat is in FACILITOR een organisatie of mandatering
// ";99;prs_perslid_key" gereserveerd voor intern gebruik
+ ";100;*" + L("lcl_workplace")
+ ";101;*" + L("fac_groep_m")
// De 1-n
+ ";100;*" + L("fac_groep_m")
+ ";101;*" + L("lcl_workplace")
+ ";102;*" + L("lcl_workplace") + " " + L("lcl_estate_wp_virt")
//+ ";103;*" + L("lcl_prs_mandatering") reserved voor mandatering
// 1000 + kenmerk_key komt hier nog achter
},
"from": {
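Review bot: The new LOV renumbers attribute ids that already had a meaning (4 moves from email to prefix, email becomes 9, and 100/101 swap between workplace and group) without any visible migration for idp mappings stored with the old ids; if these ids are persisted per identity provider, an existing mapping saved as 4 (email) would be read as prefix after this change and one saved as 100 (workplace) would be read as authorisation. A comment above the LOV should at least record the break, `// NB: ids 4-7 and 100/101 changed meaning in DJIN#36213; existing idp mappings must be re-checked`. Alternatively keep 4 as email and allocate new ids for the added attributes so stored mappings stay valid. The object literal returned by model_aut_idp_map continues outside the hunk.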


@@ -169,13 +169,13 @@ function doLogin(prs_key, params)
}
else
{
__Log("Welcome.asp expired?");
var sql = "DELETE FROM fac_menu"
+ " WHERE fac_menu_altgroep = 5"
+ " AND fac_menu_alturl = " + safe.quoted_sql(S("fac_firstlogin_url"))
+ " AND prs_perslid_key = " + user_key
+ " AND fac_menu_aanmaak < SYSDATE - " + S("fac_firstlogin_expire");
Oracle.Execute(sql, true);
__Log("Welcome.asp expired and removed");
}
var fac_lang = getQParamSafe("fac_lang", "").toUpperCase(); // overrule via param
@@ -1099,7 +1099,7 @@ function jwt_create(perslid_key, aud)
// break;
// case "name": claim[clm] = thisPrs.naam();
// break;
case 4: claim[clm] = thisPrs.prs_perslid_email();
case 9: claim[clm] = thisPrs.prs_perslid_email();
break;
// case "gender": claim[clm] = { "0": "female", "1": "male" }[thisPrs.prs_perslid_geslacht()] || "";
// break;
@@ -1115,7 +1115,7 @@ function jwt_create(perslid_key, aud)
// case "zoneinfo": claim[clm] = thisPrs.prs_perslid_timezone();
// break;
// de custom claims
case 101: /* fclt_authorization */
case 100: /* fclt_authorization */
var sql = "SELECT fac_groep_omschrijving"
+ " FROM fac_gebruikersgroep fgg, fac_groep fg"
+ " WHERE fgg.fac_groep_key = fg.fac_groep_key"
@@ -1131,13 +1131,14 @@ function jwt_create(perslid_key, aud)
oRs2.Close();
claim[clm] = aarr.join("|");
break;
case 100: /* fclt_occupation */
case 101: /* fclt_occupation */
var wps = user.werkplekken();
var warr = [];
for (var i2 = 0; i2 < wps.length; i2++)
warr.push(wps[i2].prs_werkplek_aanduiding());
claim[clm] = warr.join("|");
break;
// case 102 virtuele ondersteunen we nog niet
}
oRs.MoveNext();
}
@@ -1324,7 +1325,8 @@ function trySSO(ssocode)
}
// idp_data is inclusief include idpmappings
// Er is elders vastgesteld dat 'claim' geldige informatie over een gebruiker bevat. Verwerk dat nu
// Er is elders vastgesteld dat 'claim' geldige informatie over een gebruiker bevat.
// Verwerk dat nu: probeer in te loggen als de gebruiker en/of maak hem eventueel aan
function process_claim(claim, idp_data, params)
{
__Log("Entering process_claim")
@@ -1347,7 +1349,7 @@ function process_claim(claim, idp_data, params)
settings.overrule_setting("login_use_email", 0);
tryLogin(claim[idpm.from], null, { noPassword: true, idp_code: idp_data.code, noFacSession: params.by_bearer, isFACFACinternal: isFACFACinternal });
break;
case 4: // email
case 9: // email
settings.overrule_setting("login_use_email", 1);
tryLogin(claim[idpm.from], null, { noPassword: true, idp_code: idp_data.code, noFacSession: params.by_bearer, isFACFACinternal: isFACFACinternal });
break;
@@ -1393,26 +1395,50 @@ function process_claim(claim, idp_data, params)
var val = idpm["default"];
if (idpm.from in claim)
val = claim[idpm.from];
switch (idpm.name.id) // zie model_aut_idp_map.inc voor codering
{
case 1: persdata["login"] = val; break;
case 2: persdata["lastname"] = val; break;
case 3: persdata["firstname"] = val; break;
case 4: persdata["email"] = val; break;
case 5: if (val)
case 1: persdata["login"] = val; break;
case 2: persdata["lastname"] = val; break;
case 3: persdata["firstname"] = val; break;
case 4: persdata["prefix"] = val; break;
case 5: persdata["initials"] = val; break;
case 6: persdata["gender"] = val; break;
case 7: persdata["phone"] = val; break;
case 8: persdata["title"] = val; break;
case 9: persdata["email"] = val; break;
case 10: persdata["phone"] = val; break;
case 11: persdata["mobile"] = val; break;
// de foreigns
case 20: if (val)
persdata["function"] = { name: val }; break;
case 21: if (val)
persdata["department"] = { name: val }; break;
// kostenplaats case 6: persdata["costcenter"] = { name: val }; break;
case 7: if (val) persdata["function"] = { name: val }; break;
//case 100: persdata.werkplekken = val; break;
case 101: persdata.authorisation = val; break;
// De 1-n
case 100: persdata.authorisation = val; break;
case 101: persdata.workplace = val; break;
// case 102: persdata.workplacevirtual = val; break;
// case 103: reserved voor mandatering?
default:
if (idpm.name.id > 1000)
set_custom_field(persdata, idpm.name.id - 1000, val, "C");
break;
}
}
// Klantspecifieke check functie (hookfunction) voor de invoer
var pResult = new HookResult();
if (!custfunc.aut_process_claim(persdata, claim, idp_data, pResult))
{
abort_with_warning(pResult.errmsg);
}
if (!("department" in persdata))
{
if (!idp_data.department)
shared.internal_error("Department is not configured for Identity Provider {0} ({1})".format(idp_data.code, idp_data.name));
persdata["department"] = idp_data.department.id; // dan moet die ingevuld zijn
}
if (user_key < 0)
__Log("User automatically created with data:");
@@ -1464,7 +1490,41 @@ function process_claim(claim, idp_data, params)
+ " AND fg2.prs_perslid_key = " + user_key + ")";
Oracle.Execute(sql);
}
// TODO: werkplekken verwerken
if ("workplace" in persdata)
{ // workplace bevat ruimtes gescheiden door '|' of ';'
// (we ondersteunen alleen impliciete werkplekken, geen 'named')
// Codering moet volgens alg_v_plaatsaanduiding zijn (locatiecode-gebouwcode-verdiepingcode-ruimtenr)
// Als er een '@' voor staat is het een virtuele werkplek
var workplacearr = persdata["workplace"].split(/[;\|]/);
var keepwp = [];
for (var i = 0; i < workplacearr.length; i++)
{
var wpcode = workplacearr[i];
var virtual = 0;
if (wpcode.substr(0, 1) == '@')
{
virtual = 1;
wpcode = wpcode.substr(1);
}
var sql = "SELECT alg_onroerendgoed_keys, alg_onroerendgoed_type"
+ " FROM alg_v_plaatsaanduiding"
+ " WHERE alg_plaatsaanduiding = " + safe.quoted_sql_upper(wpcode);
var oRs = Oracle.Execute(sql);
if (!oRs.Eof)
{
var okey = oRs("alg_onroerendgoed_keys").Value;
var otype = oRs("alg_onroerendgoed_type").Value;
sql = "BEGIN"
+ " prs.movetoruimte ({0}, {1}, '{2}', {3}); ".format(user_key, okey, 'G', virtual) // G want maar <20><>n werkplek per gebouw
+ "END;";
Oracle.Execute(sql);
}
else
__Log("Workplace '{0}' not found".format(workplacearr[i]));
oRs.Close();
}
}
}
}
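Review bot: In the new workplace loop in process_claim (last hunk of this file) each segment of the split claim value is used as-is, so a blank claim value or a separator followed by a space yields an empty or untrimmed `wpcode`, a needless lookup and a misleading "Workplace '' not found" log entry. Trim and skip empties before the `@` check, `var wpcode = workplacearr[i].replace(/^\s+|\s+$/g, ""); if (wpcode == "") continue;`. `otype` is read from the result set but never used. The value from `alg_onroerendgoed_keys` is interpolated unquoted into the PL/SQL block while `wpcode` goes through `safe.quoted_sql_upper`; if that column is not numeric, pass it through `safe.quoted_sql` as well. process_claim starts outside this hunk.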


@@ -297,4 +297,19 @@ custfunc.API_PHONEBOOK =
}
return result;
};
custfunc.aut_process_claim =
function (persdata, claim, idp_data, presult)
{
var result = true;
var hook = custfunc.gethook();
if (hook)
{
if ('aut_process_claim' in hook)
result = hook.aut_process_claim(persdata, claim, idp_data, presult);
hook = null; // zorg dat de GC het object kan opruimen.
}
return result;
};
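Review bot: The hook contract of custfunc.aut_process_claim is undocumented: its caller in process_claim aborts with `pResult.errmsg` whenever the result is falsy, so a customer hook that returns nothing (undefined) rejects every login with an empty warning. A header comment should state this, e.g. `// Hook: return true to accept the claim; on rejection set presult.errmsg and return false. A missing return value counts as rejection.` Treating a missing result as rejection is the safe default, so only the documentation needs to change. The preceding `custfunc.API_PHONEBOOK` definition ends inside the hunk.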
%>