Merge pull request #1549 from ppanero/shibbsso

warning due to session start fixed, warning due to org assignment wh…
pull/1550/head
Alexandre Dulaunoy 2016-09-20 16:20:22 +02:00 committed by GitHub
commit 5bb79549e9
2 changed files with 13 additions and 12 deletions


@ -3,7 +3,9 @@
App::uses('BaseAuthenticate', 'Controller/Component/Auth');
App::uses('RandomTool', 'Tools');
session_start();
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
session_regenerate_id();
/*
* custom class for Apache-based authentication
@ -95,7 +97,10 @@ class ApacheShibbAuthenticate extends BaseAuthenticate {
//Get user role from its list of groups
list($roleChanged, $roleId) = $this->getUserRoleFromGroup($groupTag, $groupRoleMatching, $roleId);
if($roleId < 0) return false; //Deny if the user is not in any egroup
if($roleId < 0) {
CakeLog::write('error', 'No role was assigned, no egorup matched the configuration.');
return false; //Deny if the user is not in any egroup
}
// Database model object
$userModel = ClassRegistry::init($this->settings['userModel']);
@ -209,7 +214,6 @@ class ApacheShibbAuthenticate extends BaseAuthenticate {
'conditions' => array('name' => $org),
)
);
$orgId = $orgAux['Organisation']['id'];
if ($orgAux == null) {
$organisations = new Organisation();
$orgUserId = 1; //By default created by the admin
@ -217,6 +221,7 @@ class ApacheShibbAuthenticate extends BaseAuthenticate {
$orgId = $organisations->createOrgFromName($org, $orgUserId, 0); //Created with local set to 0 by default
CakeLog::write('info', "User organisation ${org} created with id ${orgId}.");
} else {
$orgId = $orgAux['Organisation']['id'];
CakeLog::write('info', "User organisation ${org} found with id ${orgId}.");
}
return $orgId;
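Review bot: In the first hunk, `session_regenerate_id();` still runs unconditionally at file scope right after the new `session_status()` guard, and it is called with no argument, so the data stored under the previous session ID is kept until garbage collection rather than invalidated. Because this file is the authentication handler, the rotation would be better tied to the point where a user has actually been authenticated, for example `session_regenerate_id(true);` inside the authenticate path, than to the file being loaded. The guard also only handles `PHP_SESSION_NONE`; if sessions are disabled the regenerate call is still reached and would raise its own warning, so it could be moved inside a check such as `if (session_status() === PHP_SESSION_ACTIVE) { ... }`. The class body lies mostly outside the visible hunks, so whether another rotation already happens after login cannot be confirmed from here.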


@ -18,8 +18,7 @@ Uncomment the following line to enable SSO authorization
'auth'=>array('ShibbAuth.ApacheShibb'),
```
And configure it. apacheEnv ans ssoAuth are parametert that come by default which values should not be changed unless
it is explicitly needed. MailTag, OrgTag and GroupTag are the string that represent the key for the values needed by the plugin.
And configure it. MailTag, OrgTag and GroupTag are the string that represent the key for the values needed by the plugin.
For example if you are using ADFS OrgTag will be ADFS_FEDERATION, GroupTag will be ADFS_GROUP, etc. meaning the key for the values needed.
DefaultRoleId and DefaultOrg are values that come by default just in case they are not defined or obtained from the environment variables.
The GroupRoleMatching is an array that allows the definition and correlation between groups and roles in MISP, being them updated
@ -30,18 +29,15 @@ in the list given by apache.
```php
'ApacheShibbAuth' => // Configuration for shibboleth authentication
array(
'apacheEnv' => 'REMOTE_USER', // If proxy variable = HTTP_REMOTE_USER
'ssoAuth' => 'AUTH_TYPE',
'MailTag' => 'EMAIL_TAG',
'OrgTag' => 'FEDERATION_TAG',
'GroupTag' => 'GROUP_TAG',
'GroupSeparator' => ';',
'GroupTag' => 'GROUP_TAG',
'GroupSeparator' => ';',
'GroupRoleMatching' => array( // 3:User, 1:admin. May be good to set "1" for the first user
'group_three' => '3',
'group_two' => 2,
'group_one' => 1,
'group_two' => 2,
'group_one' => 1,
),
'DefaultRoleId' => 3,
'DefaultOrg' => 'DEFAULT_ORG',
),
```