From a3a38c9bb66d3bd13a20acd17db27fab65d5e2da Mon Sep 17 00:00:00 2001 From: Arturo Gonzalez Date: Wed, 17 Feb 2016 13:05:22 +0100 Subject: [PATCH] New login method (saml). Ticket#3393 --- pandora_console/general/login_page.php | 3 +++ pandora_console/godmode/setup/setup_auth.php | 6 ++++-- pandora_console/include/auth/mysql.php | 3 +-- pandora_console/include/constants.php | 8 ++++++++ pandora_console/index.php | 12 +++++++++++- 5 files changed, 27 insertions(+), 5 deletions(-) diff --git a/pandora_console/general/login_page.php b/pandora_console/general/login_page.php index 43d3d0a82b..45228d3957 100755 --- a/pandora_console/general/login_page.php +++ b/pandora_console/general/login_page.php @@ -124,6 +124,9 @@ echo '
'; '', 'class="login login_password" placeholder="'.__('Password').'"', false, true); echo '
'; echo '
'; + if ($config['auth'] == 'saml') { + html_print_submit_button(__("Login with SAML"), "login_button_saml", false, 'class="sub login_boton"'); + } html_print_submit_button(__("Login"), "login_button", false, 'class="sub next_login"'); echo '
'; break; diff --git a/pandora_console/godmode/setup/setup_auth.php b/pandora_console/godmode/setup/setup_auth.php index 237f6ba41c..466eacc4a3 100644 --- a/pandora_console/godmode/setup/setup_auth.php +++ b/pandora_console/godmode/setup/setup_auth.php @@ -252,8 +252,8 @@ echo ''; // Event callback for the auth select function show_selected_rows (event) { var auth_method = $(this).val(); - - if (auth_method !== 'mysql') { + + if ((auth_method !== 'mysql') && (auth_method !== 'saml')) { $('tr.remote').show(); show_autocreate_options(null); } @@ -266,8 +266,10 @@ echo ''; if (value !== 'mysql') $('tr.' + value).hide(); }); + // Show the selected auth method $('tr.' + auth_method).show(); + } // Event callback for the autocreate remote users radio buttons diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php index 038b0c33f5..296037be31 100644 --- a/pandora_console/include/auth/mysql.php +++ b/pandora_console/include/auth/mysql.php @@ -538,8 +538,7 @@ function update_user_password ($user, $password_new) { $config['rpandora_dbname'], $config['rpandora_user'], $config['rpandora_pass']); $remote_pass_update = db_process_sql ($sql, 'affected_rows', $connection); - html_debug_print($remote_pass_update, true); - html_debug_print($sql, true); + if (!$remote_pass_update) { $config["auth_error"] = __('Could not changes password on remote pandora'); return false; diff --git a/pandora_console/include/constants.php b/pandora_console/include/constants.php index d32d6e1b2e..f9d9717809 100644 --- a/pandora_console/include/constants.php +++ b/pandora_console/include/constants.php 
@@ -460,4 +460,12 @@ define("OPTION_TREE_GROUP_SELECT", 6); define("OPTION_SINGLE_SELECT_TIME", 7); define("OPTION_CUSTOM_INPUT", 8); define("OPTION_AGENT_AUTOCOMPLETE", 9); + +/* SAML attributes constants */ +define("ROLES_AND_TAGS", "urn:mace:rediris.es:entitlement:monitoring:"); +define("USER_DESC", "commonName"); +define("ID_USER_IN_PANDORA", "eduPersonTargetedId"); +define("GROUP_IN_PANDORA", "schacHomeOrganization"); +define("MAIL_IN_PANDORA", "mail"); + ?> diff --git a/pandora_console/index.php b/pandora_console/index.php index 446738c514..7813340752 100755 --- a/pandora_console/index.php +++ b/pandora_console/index.php @@ -282,12 +282,17 @@ if (! isset ($config['id_user'])) { exit (""); } } - + $login_button_saml = get_parameter("login_button_saml", false); if (isset ($double_auth_success) && $double_auth_success) { // This values are true cause there are checked before complete the 2nd auth step $nick_in_db = $_SESSION["prepared_login_da"]['id_user']; $expired_pass = false; } + else if (($config['auth'] == 'saml') && $login_button_saml) { + include_once(ENTERPRISE_DIR . "/include/auth/saml.php"); + $saml_user_id = saml_process_user_login(); + $nick_in_db = $saml_user_id; + } else { // process_user_login is a virtual function which should be defined in each auth file. // It accepts username and password. The rest should be internal to the auth file. @@ -496,6 +501,11 @@ if (isset ($_GET["bye"])) { // Unregister Session (compatible with 5.2 and 6.x, old code was deprecated unset($_SESSION['id_usuario']); unset($iduser); + if ($config['auth'] == 'saml') { + require_once('/opt/simplesamlphp/lib/_autoload.php'); + $as = new SimpleSAML_Auth_Simple('example-userpass'); + $as->logout(); + } while (@ob_end_flush ()); exit (""); }
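Review bot: The five SAML constants added at the end of constants.php hard-code one federation's attribute schema: `ROLES_AND_TAGS` is a `urn:mace:rediris.es:` entitlement prefix and `ID_USER_IN_PANDORA` is fixed to `eduPersonTargetedId`, so a console behind a different identity provider cannot remap them without editing code. Judging by the names, these values select which asserted attribute is trusted as the console user id, group and roles, so they would be better read from the authentication setup than defined globally. Names such as `USER_DESC` and `ROLES_AND_TAGS` are also generic enough to collide with unrelated constants; a `SAML_ATTR_` prefix would make their scope clear. At minimum, extend the comment to something like `/* SAML attribute names as released by the IdP; ID_USER_IN_PANDORA is the attribute trusted as the console user id */`.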
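Review bot: The new `else if` branch in index.php calls `saml_process_user_login()` straight after `include_once(ENTERPRISE_DIR . "/include/auth/saml.php")`, and `include_once` only raises a warning when the file is missing, so a console with `$config['auth']` set to `saml` but without that file would stop with an undefined-function error in the middle of login. A guard such as `$nick_in_db = function_exists('saml_process_user_login') ? saml_process_user_login() : false;` would presumably keep that case on the ordinary rejected-login path. The branch also leaves `$expired_pass` unset, whereas the double-auth branch just above sets it to `false`; if the code after this hunk reads it, add `$expired_pass = false;` here as well. The enclosing `if (! isset ($config['id_user']))` block starts and ends outside the hunk, so how a `false` return from the SAML call is handled is not visible.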
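Review bot: The logout branch is bound to `new SimpleSAML_Auth_Simple('example-userpass')`, which is the name of SimpleSAMLphp's demonstration auth source, and to the absolute path `/opt/simplesamlphp/lib/_autoload.php`; with a real service-provider source the SAML session would presumably survive the console logout, and on any other install path the `require_once` is fatal. Both values should come from configuration, e.g. `$as = new SimpleSAML_Auth_Simple($config['saml_source']);`, where `saml_source` is a placeholder key name and not an existing setting. `logout()` in SimpleSAMLphp normally redirects and does not return, so the `while (@ob_end_flush ()); exit ("");` that follows is probably never reached on this path, which deserves a comment. The branch also runs on every logout while `auth` is `saml`, including for users who signed in through the regular Login button that the login page still shows.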