From 382f3361cee5cc794c1a0e7a5565a3d77348e702 Mon Sep 17 00:00:00 2001
From: Terry Fleury
Date: Thu, 25 Jan 2018 08:18:48 -0600
Subject: [PATCH] CIL-450 Get Shib member / group attributes.
---
 src/Service/Content.php | 10 ++++++++++
 src/Service/DBService.php | 22 ++++++++++++++++++----
 src/Service/IdpList.php | 1 +
 src/Service/Loggit.php | 5 +++--
 src/Service/Util.php | 13 ++++++++++---
 5 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/src/Service/Content.php b/src/Service/Content.php
index d86a3e8..288cf54 100644
--- a/src/Service/Content.php
+++ b/src/Service/Content.php
@@ -1476,6 +1476,8 @@ public static function handleGotUser()
         $idp = Util::getSessionVar('idp');
         $idpname = Util::getSessionVar('idpname');
         $affiliation = Util::getSessionVar('affiliation');
+        $ou = Util::getSessionVar('ou');
+        $memberof = Util::getSessionVar('memberof');
         $clientparams = json_decode(Util::getSessionVar('clientparams'), true);
         $failureuri = Util::getSessionVar('failureuri');
@@ -1628,6 +1630,8 @@ public static function handleGotUser()
             $idp,
             $idpname,
             $affiliation,
+            $ou,
+            $memberof,
             $clientparams,
             $redirect,
             $redirectform
@@ -1676,6 +1680,8 @@ public static function handleGotUser()
             $idp,
             $idpname,
             $affiliation,
+            $ou,
+            $memberof,
             $clientparams,
             $redirect,
             $redirectform
@@ -2483,6 +2489,8 @@ public static function getCompositeIdPList($incommonidps = false)
      * @param string $idp
      * @param string $idpname
      * @param string $affiliation
+     * @param string $ou
+     * @param string $memberof
      * @param string $clientparams
      * @param string $redirect
      * @param string $redirectform (Optional)
@@ -2497,6 +2505,8 @@ public static function printAttributeReleaseErrorMessage(
         $idp,
         $idpname,
         $affiliation,
+        $ou,
+        $memberof,
         $clientparams,
         $redirect,
         $redirectform = ''
diff --git a/src/Service/DBService.php b/src/Service/DBService.php
index bfcb0e7..880145f 100644
--- a/src/Service/DBService.php
+++ b/src/Service/DBService.php
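Review bot: The new `$ou` and `$memberof` parameters of `printAttributeReleaseErrorMessage` (hunk at 2497) come straight from the session (`Util::getSessionVar('memberof')` in the 1476 hunk) and ultimately from the IdP, so the function body — which is outside this hunk — must HTML-escape them wherever it echoes them, e.g. `htmlspecialchars($memberof, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, the same as any other released attribute; the diff does not show that this happens. The docblock added in the 2483 hunk says only `@param string $memberof`; it should state what the value is, e.g. `* @param string $memberof Raw isMemberOf value from the session; empty if the IdP released none`. Both `handleGotUser` and `printAttributeReleaseErrorMessage` begin and end outside these hunks.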
@@ -183,6 +183,11 @@ class DBService
      */
     public $ou;
+    /**
+     * @var string $member_of isMemberOf group information
+     */
+    public $member_of;
+
     /**
      * @var string $serial_string CILogon serial string (e.g., A34201)
      */
@@ -330,6 +335,7 @@ public function clearUser()
         $this->two_factor = null;
         $this->affiliation = null;
         $this->ou = null;
+        $this->member_of = null;
     }
     /**
@@ -387,7 +393,8 @@ public function clearClient()
      * For more than 1 parameter, parameters can include:
      * $remote_user, $idp, $idp_display_name,
      * $first_name, $last_name, $display_name, $email,
-     * $eppn, $eptid, $openid, $oidc, $affiliation, $ou
+     * $eppn, $eptid, $openid, $oidc, $affiliation,
+     * $ou, $member_of
      *
      * @return bool True if the servlet returned correctly. Else false.
      */
@@ -401,9 +408,10 @@ public function getUser(...$args)
             $retval = $this->call('action=getUser&user_uid=' . urlencode($args[0]));
         } elseif ($numargs > 1) {
-            $params = array('remote_user','idp','idp_display_name',
-                'first_name','last_name','display_name','email',
-                'eppn','eptid','open_id','oidc','affiliation','ou');
+            $params = array('remote_user', 'idp', 'idp_display_name',
+                'first_name', 'last_name', 'display_name', 'email',
+                'eppn', 'eptid', 'open_id', 'oidc', 'affiliation',
+                'ou', 'member_of');
             $cmd = 'action=getUser';
             for ($i = 0; $i < $numargs; $i++) {
                 $arg = $args[$i];
@@ -782,6 +790,9 @@ public function call($params)
         if (preg_match('/ou=([^\r\n]+)/', $output, $match)) {
             $this->ou = urldecode($match[1]);
         }
+        if (preg_match('/member_of=([^\r\n]+)/', $output, $match)) {
+            $this->member_of = urldecode($match[1]);
+        }
         if (preg_match('/serial_string=([^\r\n]+)/', $output, $match)) {
             $this->serial_string = urldecode($match[1]);
         }
@@ -887,6 +898,9 @@ public function dump()
         if (!is_null($this->ou)) {
             echo "ou=$this->ou\n";
         }
+        if (!is_null($this->member_of)) {
+            echo "member_of=$this->member_of\n";
+        }
         if (!is_null($this->serial_string)) {
             echo "serial_string=$this->serial_string\n";
         }
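Review bot: The new `preg_match('/member_of=([^\r\n]+)/', $output, $match)` in the `call()` hunk (782) is unanchored, so it takes the first occurrence of `member_of=` anywhere in the servlet response, including the tail of a longer key or, should the servlet ever emit it, text inside another key's value; `'/^member_of=([^\r\n]+)$/m'` pins the match to a whole response line. The neighbouring `ou=` and `serial_string=` patterns share the same shape, so this is a pre-existing convention rather than a regression, but `ou=` is a short enough token that anchoring is worth doing for all three. The captured value is `urldecode`d and stored verbatim with no length or content check, which is acceptable for a pass-through but should be stated on the property: `* @var string $member_of isMemberOf group information, stored exactly as returned by the servlet`. `call()` and `getUser()` both extend beyond their hunks.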
diff --git a/src/Service/IdpList.php b/src/Service/IdpList.php
index 2977e73..00e8b40 100644
--- a/src/Service/IdpList.php
+++ b/src/Service/IdpList.php
@@ -1087,6 +1087,7 @@ public function getShibInfo($entityID = '')
         $shibarray['Level of Assurance'] = Util::getServerVar('HTTP_ASSURANCE');
         $shibarray['Affiliation'] = Util::getServerVar('HTTP_AFFILIATION');
         $shibarray['OU'] = Util::getServerVar('HTTP_OU');
+        $shibarray['Member'] = Util::getServerVar('HTTP_MEMBER');
         $shibarray['Authn Context'] = Util::getServerVar('HTTP_SHIB_AUTHNCONTEXT_CLASS');
         // Make sure to use only the first of multiple values.
diff --git a/src/Service/Loggit.php b/src/Service/Loggit.php
index 1db874f..051250b 100644
--- a/src/Service/Loggit.php
+++ b/src/Service/Loggit.php
@@ -117,8 +117,9 @@ public function info($message, $missing = false, $level = PEAR_LOG_INFO)
         }
         if ($missing) {
             // Output any important missing user session vars
-            $uservars = array('ePPN','ePTID','openidID','oidcID','firstname',
-                'lastname','displayname','emailaddr','affiliation');
+            $uservars = array('ePPN', 'ePTID', 'openidID', 'oidcID',
+                'firstname', 'lastname', 'displayname', 'emailaddr',
+                'affiliation', 'ou', 'memberof');
             foreach ($uservars as $uv) {
                 if (!isset($_SESSION[$uv])) {
                     $envstr .= $uv . '="MISSING" ';
diff --git a/src/Service/Util.php b/src/Service/Util.php
index 3f09392..bb4805e 100644
--- a/src/Service/Util.php
+++ b/src/Service/Util.php
@@ -673,6 +673,7 @@ public static function sendErrorAlert(
             'loa' => 'LOA',
             'affiliation' => 'Affiliation',
             'ou' => 'OU',
+            'memberof' => 'MemberOf',
             'cilogon_skin' => 'Skin Name',
             'twofactor' => 'Two-Factor',
             'authntime' => 'Authn Time'
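Review bot: `Util::getServerVar('HTTP_MEMBER')` reads the `HTTP_*` form of the attribute, which PHP populates from a request header named `Member`; that is only trustworthy if the Shibboleth SP or a front-end proxy is guaranteed to discard any client-supplied `Member` header before setting its own, otherwise a caller could assert arbitrary group membership. The adjacent `HTTP_AFFILIATION` and `HTTP_OU` reads carry the same exposure, but isMemberOf is the attribute most likely to drive an authorization decision downstream, so this is the line on which to confirm the SP's header-clearing configuration (or to switch to the environment-variable form if the SP exports attributes that way). The following context line says only the first of multiple values is kept; isMemberOf is commonly multi-valued, so if `Member` is included in that truncation the remaining groups are dropped silently — a comment such as `// NOTE: isMemberOf is typically multi-valued; confirm whether truncating to the first value is intended` would record the decision. `getShibInfo` starts before the hunk and continues after it.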
@@ -863,6 +864,7 @@ public static function getAuthzIdP($url)
      * @param string $oidcid (optional) User's OpenID Connect Identifier
      * @param string $affiliation (optional) User's affiliation
      * @param string $ou (optional) User's organizational unit (OU)
+     * @param string $memberof (optional) User's isMemberOf group info
      */
     public static function saveUserToDataStore(
         $remoteuser,
@@ -878,7 +880,8 @@ public static function saveUserToDataStore(
         $openidid = '',
         $oidcid = '',
         $affiliation = '',
-        $ou = ''
+        $ou = '',
+        $memberof = ''
     ) {
         $dbs = new DBService();
@@ -899,6 +902,7 @@ public static function saveUserToDataStore(
         static::setSessionVar('oidcID', $oidcid);
         static::setSessionVar('affiliation', $affiliation);
         static::setSessionVar('ou', $ou);
+        static::setSessionVar('memberof', $memberof);
         static::setSessionVar('idp', $providerId); // Enable error message
         static::setSessionVar('idpname', $providerName); // Enable check for Google
         static::setSessionVar('submit', static::getSessionVar('responsesubmit'));
@@ -949,7 +953,8 @@ public static function saveUserToDataStore(
             $openidid,
             $oidcid,
             $affiliation,
-            $ou
+            $ou,
+            $memberof
         );
         static::setSessionVar('uid', $dbs->user_uid);
         static::setSessionVar('dn', $dbs->distinguished_name);
@@ -972,7 +977,6 @@ public static function saveUserToDataStore(
         // If 'status' is not STATUS_OK*, then send an error email
         $status = static::getSessionVar('status');
         if ($status & 1) { // Bad status codes are odd
-
             // For missing parameter errors, log an error message
             if ($status == DBService::$STATUS['STATUS_MISSING_PARAMETER_ERROR']) {
@@ -1030,6 +1034,8 @@ public static function saveUserToDataStore(
                 $affiliation : '') . "\n" .
                 'OU = ' . ((strlen($ou) > 0) ?
                 $ou : '') . "\n" .
+                'MemberOf = ' . ((strlen($memberof) > 0) ?
+                $memberof : '') . "\n" .
                 'Database UID = ' . ((strlen(
                     $i = static::getSessionVar('uid')
                 ) > 0) ? $i : '') . "\n" .
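Review bot: The `$dbs->getUser(...)` call in the 949 hunk appends `$memberof` as a trailing positional argument, and `DBService::getUser` appears to map each argument to a key by its index in its own `$params` list, so the order here must match that list exactly (`'ou'` then `'member_of'`); a parameter added on one side but not the other would store data under the wrong key with no error. A comment at the call site makes the coupling visible: `// Argument order must match DBService::getUser()'s $params list`. Separately, `'MemberOf = ' . ((strlen($memberof) > 0) ? $memberof : '')` in the 1030 hunk reduces to `'MemberOf = ' . $memberof` for any string, since the empty case already yields `''`; it mirrors the existing `OU` line, so either keep both for symmetry or simplify both together. `saveUserToDataStore` begins and ends outside these hunks.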
@@ -1114,6 +1120,7 @@ public static function unsetUserSessionVars()
         static::unsetSessionVar('oidcID');
         static::unsetSessionVar('affiliation');
         static::unsetSessionVar('ou');
+        static::unsetSessionVar('memberof');
         // Current skin
         static::unsetSessionVar('cilogon_skin');