FCLT#53818 Logcentre link met SSO vanuit klant FACILITOR

svn path=/Website/branches/v2018.2/; revision=39918
Jos Groot Lipman
2018-11-22 11:58:45 +00:00
parent 5f4d89014d
commit 21fbabeec2
2 changed files with 77 additions and 19 deletions


@@ -1011,7 +1011,7 @@ function jwt_verify(decoded_jwt, secret, skew, duration)
}
if (claim.payload.exp && now > claim.payload.exp + skew) {
return { err: 'Token expired' };
return { err: 'Token expired at {0}'.format(toISODateTimeString(new Date(claim.payload.exp * 1000), true)) };
}
// Onze eigen duration/expiration controleren we ook nog
@@ -1019,7 +1019,7 @@ function jwt_verify(decoded_jwt, secret, skew, duration)
__DoLog("Token expired. Now is {0}, got {1}, skew {2}".format(toISODateTimeString(new Date(now * 1000), true),
toISODateTimeString(new Date(claim.payload.iat * 1000), true),
skew));
return { err: 'Token expired' };
return { err: 'Token expired at {0}'.format(toISODateTimeString(new Date((claim.payload.iat + duration) * 1000), true)) };
}
if (claim.payload.iat > now + skew) {
__DoLog("Token not yet active. Now is {0}, got {1}, skew {2}".format(toISODateTimeString(new Date(now * 1000), true),
@@ -1080,7 +1080,7 @@ function trySSO(ssocode)
var issuer = oRs("aut_idp_issuer").Value;
var url = oRs("aut_idp_remote_loginurl").Value;
if (!url) // regulier bij Logcenter-sso CUSTOMER als gebruiker (nog) niet bekend is
shared.internal_error("User unknown and Identity Provider '{0}' has no login url".format(ssocode));
shared.internal_error("User unknown and Identity Provider '{0}' has no Remote Login URL".format(ssocode));
if (url.indexOf("://") < 0) // geen protocol?
url = HTTP.urlzelf() + "/" + url;
url += (url.indexOf("?")>=0?"&":"?") + "aud=" + safe.url(audience) + "&iss=" + safe.url(issuer) ;
@@ -1124,8 +1124,12 @@ function process_claim(claim, idp_data, params)
if (!claim[idpm.from]) // niet meegegeven
continue;
if (idpm.identify == 1)
{
if (idpm.name.id == 21) // afdeling doen we apart
continue;
hasIdentifyVal = true;
switch (idpm.name.id)
}
switch (idpm.name.id) // zie model_aut_idp_map.inc voor codering
{
case 1: // login
settings.overrule_setting("login_use_email", 0);
@@ -1135,7 +1139,7 @@ function process_claim(claim, idp_data, params)
settings.overrule_setting("login_use_email", 1);
tryLogin(claim[idpm.from], null, { noPassword: true, idp_code: idp_data.code, stateless: params.by_bearer, isFACFACinternal: isFACFACinternal });
break;
case 12: // externalid
case 12: // externalid
var sql = "SELECT pp.prs_perslid_key"
+ " FROM prs_perslid pp"
+ " WHERE prs_perslid_verwijder IS NULL"
@@ -1176,22 +1180,75 @@ function process_claim(claim, idp_data, params)
{
shared.auditfail(L("lcl_autfai_loginnotfound").format(idpm.name.name, idpm.from, claim[idpm.from]));
}
else
{
if (idp_data.authorization && !user.has(idp_data.authorization.id))
{
doLogoff();
shared.simpel_page(L("lcl_no_auth"))
}
break; // ingelogd, niet verder zoeken
}
break; // ingelogd, niet verder zoeken
// We zijn nu in principe ingelogd maar er kunnen nog extra voorwaarden zijn waarom het toch niet mag
// Dan wordt je alsnog uitgelogd
var alles_ok = user_key > 0;
if (alles_ok && idp_data.authorization && !user.has(idp_data.authorization.id)) // gebruiker moet deze autorisatie hebben
alles_ok = false;
if (alles_ok)
{
for (var i = 0; i < idp_data.idpmappings.length; i++)
{
var idpm = idp_data.idpmappings[i];
// 21=afdeling, deze is van zichzelf niet identificerend genoeg,
// we controleren dat je er *ook* onder moet vallen
if (idpm.name.id == 21 && idpm.identify == 1)
{
var IdentifyDept = claim[idpm.from];
// Zoek afdeling eerst op
var sql = "SELECT prs_afdeling_key"
+ " FROM prs_v_afdeling"
+ " WHERE prs_afdeling_verwijder IS NULL"
+ " AND prs_afdeling_upper = " + safe.quoted_sql_upper(IdentifyDept);
if (idp_data.company)
sql += " AND prs_bedrijf_key = " + idp_data.company.id;
var oRs = Oracle.Execute(sql);
if (oRs.EOF)
{
__DoLog("Claimed department {0} not found".format(IdentifyDept), "#ff8800");
alles_ok = false;
}
else
{
var afd_key = oRs("prs_afdeling_key").Value;
oRs.MoveNext();
if (!oRs.EOF)
{
__DoLog("Claimed department {0} not unique".format(IdentifyDept), "#ff8800");
alles_ok = false;
}
else
{
var sql = "SELECT ab.prs_bedrijf_key"
+ " FROM prs_v_afdeling_boom ab"
+ " WHERE ab.prs_afdeling_key = " + user.prs_afdeling_key()
+ " AND ab.prs_afdeling_key1 = " + afd_key;
var oRs2 = Oracle.Execute(sql);
if (oRs2.EOF)
{
__DoLog("User is not a member of department {0}".format(IdentifyDept), "#ff8800");
alles_ok = false;
}
oRs2.close();
}
}
oRs.Close();
}
}
}
if (!alles_ok)
{
doLogoff(); // Toch maar niet
}
if (!hasIdentify)
shared.internal_error("IdP {0} has no identifying attribute defined.".format(idp_data.code));
if (!hasIdentifyVal)
shared.internal_error("IdP {0} has not supplied a value for any identifying attribute.".format(idp_data.code));
shared.internal_error("IdP {0} has not supplied a value for any identifying attribute.".format(idp_data.code));
if ( user_key < 0 && idp_data.autocreate.id & 1 // Misschien dan maar aanmaken?
|| user_key > 0 && idp_data.autocreate.id & 2 // en/ of bijwerken
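Review bot: After `doLogoff()` in the `if (!alles_ok)` block, process_claim keeps running with `user_key` still greater than 0, so the autocreate/update branch beginning at the hunk's last lines (`user_key > 0 && idp_data.autocreate.id & 2`) and whatever follows it still treat the request as an authenticated user, whereas the replaced code stopped with `shared.simpel_page(L("lcl_no_auth"))` right after logging off (which presumably ends the response). The rejection is also recorded only through `__DoLog`, while the login-not-found case a few lines above goes through `shared.auditfail`, so a failed department or authorization check leaves no audit entry. I would make the block `doLogoff(); shared.auditfail(L("lcl_no_auth")); shared.simpel_page(L("lcl_no_auth"));` or otherwise return before the autocreate branch. Minor: `oRs2.close()` uses a lower-case method name while the other recordsets call `oRs.Close()`; if the wrapper is case-sensitive that recordset is never closed. process_claim begins and ends outside this hunk.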


@@ -16,16 +16,17 @@
<!-- #include file="../Shared/json2.js" -->
<%
user.checkAutorisation("WEB_PRSSYS"); // we zijn nog streng
if (!user.prs_perslid_email())
shared.internal_error("User needs to have an e-mail address");
var logcenterurl = S("logcenter_url"); // "http://fclt.facws001/branch20162/"; //
var logcenterurl = S("logcenter_url"); // "http://logc.facws001.sg.nl/branch20182/"; om te testen
var config = {
aud: "fclt.facilitor.nl",
aud: "logc.facilitor.nl",
iss: "FACILITOR",
secret: S("logcenter_secret")
}
}
var oCrypto = new ActiveXObject("SLNKDWF.Crypto");
var header =
{
"typ":"JWT",