DJIN#36213 SAML/Authenticatie verbeteringen. Betere foutmeldingen vanuit de root

svn path=/Website/trunk/; revision=33461
This commit is contained in:
Jos Groot Lipman
2017-04-11 13:51:31 +00:00
parent ec17c6c62b
commit db00f388a8
4 changed files with 77 additions and 80 deletions


@@ -1318,12 +1318,14 @@ function process_claim(claim, idp_data, params)
__Log(claim);
params = params || {};
var hasIdentify = false;
var isFACFACinternal = idp_data.internal != 0;
for (var i =0; i < idp_data.idpmappings.length; i++)
{
var idpm = idp_data.idpmappings[i];
if (idpm.identify != 1)
continue;
hasIdentify = true;
if (!claim[idpm.from]) // niet meegegeven
continue;
switch (idpm.name.id)
@@ -1337,30 +1339,40 @@ function process_claim(claim, idp_data, params)
tryLogin(claim[idpm.from], null, { noPassword: true, idp_code: idp_data.code, noFacSession: params.by_bearer, isFACFACinternal: isFACFACinternal });
break;
case 99: // internal, prs_perslid_key
doLogin(claim[idpm.from], { noFacSession: params.by_bearer, idp_code: idp_data.code, isFACFACinternal: isFACFACinternal }); // je mag ook key meegeven
doLogin(parseInt(claim[idpm.from], 10), { noFacSession: params.by_bearer, idp_code: idp_data.code, isFACFACinternal: isFACFACinternal });
break;
default:
if (idpm.name.id > 1000)
if (idpm.name.id > 1000) // Flexkenmerk
{
FLEX_NOG_NIET;
var kenmerk_key = idpm.name.id - 1000;
var sql = "SELECT pp.prs_perslid_key"
+ " FROM prs_perslid pp"
+ " , prs_kenmerklink pkl"
+ " WHERE pp.prs_perslid_key = pkl.prs_link_key"
+ " AND prs_perslid_verwijder IS NULL"
+ " AND pkl.prs_kenmerklink_niveau = 'P'"
+ " AND pkl.prs_kenmerk_key = " + kenmerk_key
+ " AND pkl.prs_kenmerklink_waarde = " + safe.quoted_sql(claim[idpm.from])
var oRs = Oracle.Execute(sql);
if (!oRs.Eof)
{
doLogin(oRs("prs_perslid_key").Value, { noFacSession: params.by_bearer, idp_code: idp_data.code, isFACFACinternal: isFACFACinternal });
}
oRs.Close();
}
}
if (user_key < 0)
__DoLog("JWT Claimed {0} not found as {1}: {2}".format(idpm.name.name, idpm.from, claim[idpm.from]));
__DoLog("Claimed {0} not found as {1}: {2}".format(idpm.name.name, idpm.from, claim[idpm.from]));
else
break; // ingelogd, niet verder zoeken
}
if (!hasIdentify)
shared.internal_error("IdP {0} has no identifying attribute defined.".format(idp_data.code));
if ( user_key < 0 && idp_data.autocreate.id & 1 // Misschien dan maar aanmaken?
|| user_key > 0 && idp_data.autocreate.id & 2 // en/ of bijwerken
)
{
if (user_key < 0)
__Log("User automatically created with data:");
else
__Log("User automatically updated with data:");
var persdata = { };
for (var i =0; i < idp_data.idpmappings.length; i++)
{
@@ -1388,7 +1400,12 @@ function process_claim(claim, idp_data, params)
}
if (!("department" in persdata))
persdata["department"] = idp_data.department.id; // dan moet die ingevuld zijn
__DoLog(persdata)
if (user_key < 0)
__Log("User automatically created with data:");
else
__Log("User automatically updated with data:");
__Log(persdata);
var persparams = {};
var person = new model_prs_perslid({ internal: true }); // Internal: true om dit (nog) anoniem te mogen doen
@@ -1398,12 +1415,12 @@ __DoLog(persdata)
}
else // nieuwe
{
var prs = person.REST_POST( persparams, persdata);
var prs = person.REST_POST( persparams, persdata );
__DoLog("Created user '{0} {1}' with key {2} for idp '{3}'".format(persdata["firstname"], persdata["lastname"], prs.key, idp_data.code));
shared.trackaction("PRSLOG", prs.key, "Created user '{0} {1}' for idp '{2}'".format(persdata["firstname"], persdata["lastname"], idp_data.code));
// De nieuw aangemaakte gebruiker inloggen:
doLogin(prs.key, { idp_code: idp_data.code, isFACFACinternal: isFACFACinternal });
// En nu pas kunnen we tracken
shared.trackaction("PRSUPD", prs.key, "Created user '{0} {1}' for idp '{2}'".format(persdata["firstname"], persdata["lastname"], idp_data.code));
}
// Nu authorisatie groepen nog bijwerken
// Via het model was me even iets te hoog gegrepen: ik zou toch (nog) de id's er bij moeten halen
@@ -1414,7 +1431,7 @@ __DoLog(persdata)
The data should be interpreted as UTF-8, which is a superset of ASCII.
*/
var autharr = persdata["authorisation"].toLowerCase().split(/[;\|]/);
var autharr = persdata["authorisation"].toLowerCase().split(/[;\|]/); // lowerCase, insensitive dus
var sql = "DELETE FROM fac_gebruikersgroep"
+ " WHERE prs_perslid_key = " + user_key
+ " AND fac_groep_key NOT IN (SELECT fac_groep_key "
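Review bot: The flex-attribute lookup at `if (!oRs.Eof)` logs in as whichever person the query happens to return first, so two persons sharing the same prs_kenmerklink_waarde for that kenmerk (nothing in the query or visible code enforces uniqueness) make the outcome depend on row order and let one account be reached through another's attribute value. An identifying attribute that matches more than one person should be treated as "not found" and logged, not picked by chance. Oracle.Execute appears to return an ADO-style recordset (Eof/Close are used), so a MoveNext after reading the first key is enough to detect a second match — confirm the recordset API before relying on it. Separately, `doLogin(parseInt(claim[idpm.from], 10), …)` in case 99 hands NaN to doLogin when the claim is not numeric; an `isNaN` guard with a log line would keep that from reaching the login path. process_claim starts before this hunk and continues past it.
```javascript
var oRs = Oracle.Execute(sql);
if (!oRs.Eof)
{
    var flex_key = oRs("prs_perslid_key").Value;
    oRs.MoveNext();
    if (!oRs.Eof)
        // Ambiguous identity: refuse rather than log in as the first row
        __DoLog("Claimed {0} as {1} matches more than one person; refusing ambiguous login".format(idpm.name.name, idpm.from));
    else
        doLogin(flex_key, { noFacSession: params.by_bearer, idp_code: idp_data.code, isFACFACinternal: isFACFACinternal });
}
oRs.Close();
```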


@@ -2,88 +2,74 @@
<% /*
$Revision$
$Id$
File: aut/saml/default.asp
Description: Single Sign On script
Parameters:
Context:
Note:
Note: In c:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml staat
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="xxxx.facilitor.nl">
<Path name="trunk/appl/aut/saml" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
ofwel trunk/appl/saml heeft een 'requireSession' en Shibboleth
grijpt automatisch in als je een bestand (deze default.asp) in
deze folder oproept. Je wordt geauthenticeerd tegen je identity
provider (via wat redirects) en komt uiteindelijk terug in dit
bestand met allerlei server variabelen gezet
*/ %>
<%
Response.Expires=-1;
ANONYMOUS_Allowed = 1;
%>
<!-- #include file="../../../appl/Shared/common.inc" -->
<!-- #include file="../../../appl/shared/login.inc" -->
<!-- #include file="../login.inc" -->
<!-- #include file="../../../appl/api2/api2.inc" -->
<!-- #include file="../../../appl/api2/model_aut_idp.inc" -->
<%
var claim = {};
if (Request.ServerVariables("HTTP_SHIBIDENTITYPROVIDER").Count == 0)
shared.internal_error("Shibboleth not installed?");
for (i=1; i <= Request.ServerVariables.Count; i++)
{
var name = Request.ServerVariables.key(i);
Response.Write("<p>" + Request.ServerVariables.key(i) + ": " + Request.ServerVariables(i));
if (name.match(/^HTTP_/))
claim[name] = String(Request.ServerVariables(i));
}
// Correct binnen? Dan ....
var return_to = getQParam("return_to", "");
// Als je dit punt bereikt ben je al geauthenticeerd door SAML
var issuer = String(Request.ServerVariables("HTTP_SHIBIDENTITYPROVIDER"));
__Log("Detected SAML identity provider (entityId): " + issuer);
var idp_data_arr = new model_aut_idp({ internal: true }).REST_GET({ filter: { type: 5, issuer: issuer }, include: [ "idpmappings" ]});
var idp_data_arr = new model_aut_idp({ internal: true }).REST_GET({ filter: { type: 5 /* SAML */, issuer: issuer }, include: [ "idpmappings" ]});
if (!idp_data_arr.length)
shared.internal_error("Unknown SAML issuer {0}".format(issuer));
var idp_data = idp_data_arr[0];
if (idp_data.loglevel > 0)
__Logging = loglevel;
__Log(idp_data);
__Logging = idp_data.loglevel;
var svars = ["<pre>"]; // Voor logging
var claim = {}; // We bouwen een claim op uit alle servervariabelen die met HTTP_ beginnen
for (i=1; i <= Request.ServerVariables.Count; i++)
{
var name = Request.ServerVariables.key(i);
if (name.match(/^HTTP_/))
{
claim[name] = String(Request.ServerVariables(i));
svars.push(Request.ServerVariables.key(i) + ": " + Request.ServerVariables(i));
}
}
svars.push("</pre>");
__SafeLog(svars.join("\n"));
process_claim(claim, idp_data);
Response.End;
/*
HTTP_SHIBAPPLICATIONID: default
HTTP_SHIBIDENTITYPROVIDER: https://idp.testshib.org/idp/shibboleth <--Hiermee terugzoeken
HTTP_EPPN: myself@testshib.org
HTTP_PERSISTENTID: https://idp.testshib.org/idp/shibboleth!https://grkl.facilitor.nl/saml!CzvtoBESvUuIJNQxudgsFEr8izM=
HTTP_UNSCOPEDAFFILIATION: Member;Staff
HTTP_REMOTEUSER: myself@testshib.org
*/
var uname = String(Request.ServerVariables("HTTP_EPPN"));
// __DoLog("uname: " + uname);
Response.Write("SAML user detected as: " + uname);
var sql = "SELECT prs_perslid_oslogin"
+ " FROM prs_perslid pp"
+ " , prs_kenmerklink pkl"
+ " WHERE pp.prs_perslid_key = pkl.prs_link_key"
+ " AND pkl.prs_kenmerklink_niveau = 'P'"
+ " AND pkl.prs_kenmerk_key = 1000" // IID
+ " AND pkl.prs_kenmerklink_waarde = " + safe.quoted_sql(uname)
var oRs = Oracle.Execute(sql);
if (!oRs.Eof)
if (user_key > 0)
{
uname = oRs("prs_perslid_oslogin").Value;
__Log("IID vertaald naar: " + uname);
}
var newUrl = rooturl + "/";
var sso_qs = String(Request.ServerVariables("QUERY_STRING"));
if (sso_qs)
newUrl += "?" + sso_qs;
if (tryLogin(uname, null))
{
//Response.Write("Hoera: je bent user: " + user_key);
Response.Redirect(newUrl);
var return_to = getQParam("return_to", "/") || "/";
Response.Redirect(rooturl + return_to);
}
else
{ // Automatisch naar het inlogscherm
__DoLog("SAML login not found in Facilitor: " + uname);
// TODO: Voorkomen dat je in oneindige loop komt als login_url op /saml is gezet
Response.Redirect(newUrl);
Response.Redirect(rooturl + "/?sso=0");
}
%>
Response.End;
%>
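Review bot: `Response.Redirect(rooturl + return_to)` sends the freshly authenticated user to whatever return_to the query string carried, with no check on its shape; unless rooturl always ends in a path segment, a value such as `@attacker.example` or one beginning with `//` can turn the post-login redirect into an open redirect, so require a single local path before redirecting, e.g. `if (!/^\/(?!\/)/.test(return_to)) return_to = "/";`. A second caveat for the claim loop at `if (name.match(/^HTTP_/))`: every HTTP_ server variable, including request headers the client sent itself, becomes a claim, so a mapping whose `from` names a header the Shibboleth SP does not itself clear and repopulate would be client-controlled; a comment at the loop such as `// Only headers the SP strips and sets itself (its attribute map) are trustworthy; idpmappings.from must not name any other HTTP_ header` would make that contract explicit, and the SP's header handling in the IIS setup is worth confirming. Note that `__Logging = idp_data.loglevel` now also governs whether the full header dump reaches the log via __SafeLog, which is fine as long as that log is not readable by end users.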


@@ -297,10 +297,6 @@ if (user_key < 0 && S("os_logon")
//if (user_key < 0)
// trySSO("DEFAULT"); // zal je standaard naar het loginscherm sturen
if (user_key > 0)
{ // gelukt, teruggeven aan aanroeper
Session("user_key") = user_key;
}
__Log("== Leaving loginTry.asp ==");
%>


@@ -38,8 +38,7 @@ if (typeof DOCTYPE_Disable == "undefined")
Response.write('<!DOCTYPE html>');
}
__Logging = Session("logging") || 0; // Voor robuustheid extra vroeg
/* global */ __Logging = Session("logging") || 0; // Voor robuustheid extra vroeg
%>
<!-- #include file="default.inc" -->
@@ -337,8 +336,7 @@ if (user_key > 0)
}
Session.Contents.Remove("fallback_user_key"); // uit shorturl.asp. Ondertussen niet meer nodig
Session.Contents.Remove("unauth_url"); // uit shorturl.asp. Ondertussen niet meer nodig
if (!(Session("locked_user_key") > 0))
Session("user_key") = user_key;
/* global */ user = new Perslid(user_key);
if (typeof EXPIRED_PASSWORD_OK == "undefined" && typeof ANONYMOUS_Allowed == "undefined")
{