init

README.md

@@ -0,0 +1,81 @@
+
+Attributecollector
+==================
+
+simplesamlphp auth proc filter, that get attributes from backend database and set to attributes array.
+
+This code is delivered from:
+https://forja.rediris.es/svn/confia/attributecollector
+
+Basic configuration
+===================
+
+Configure this module as an Auth Proc Filter. More info at
+http://rnd.feide.no/content/authentication-processing-filters-simplesamlphp
+
+Example
+=======
+
+In the following example the filter is configured for only one hosted IdP
+editing the file saml20-idp-hosted
+
+```php
+$metadata = array(
+
+		'ssp-idp' => array(
+
+		...
+
+				'authproc' => array(
+						10 => array(
+								'existing' => 'preserve',
+								'class' => 'attributecollector:AttributeCollector',
+								'uidfield' => 'subject',
+								'collector' => array(
+										'class' => 'attributecollector:SQLCollector',
+										'dsn' => 'pgsql:host=localhost;dbname=ssp-extra',
+										'username' => 'ssp-extra',
+										'password' => 'ssp-extra',
+										'query' => 'SELECT * from extra where subject=:uidfield',
+								)
+						)
+				),
+
+		...
+
+		)
+);
+```
+
+Configuration Options explained
+===============================
+
+The filter needs the following options:
+
+- class: The filter class. Allways: 'attributecollector:AttributeCollector'
+- uidfield: The name of the field used as an unique user identifier. The
+            configured collector recives this uid so it can search for extra
+            attributes.
+- collector: The configuration of the collector used to retrieve the extra
+             attributes
+
+The following option is optional:
+
+- existing: Tell the filter what to do when a collected attribute already
+            exists in the user attributes. Values can be:
+            'preserve': Ignore collected attribute and preserve the old one.
+                        This one is the default behaviour.
+            'replace': Ignore original attribute and replace it with the
+                       collected one.
+            'merge': Merge the collected attribute into the array of the
+                     original one.
+
+Collector Configuration Options explained
+=========================================
+
+The collector configuration array needs at least one option:
+
+- class: The collector class.
+
+Some other options may be needed by the collector, refer to the collector
+documentation.

composer.json

@@ -0,0 +1,8 @@
+{
+    "name": "niif/simplesamlphp-module-attributecollector",
+    "description": "Collect attributes from backend databases like sql or ldap",
+    "type": "simplesamlphp-module",
+    "require": {
+        "simplesamlphp/composer-module-installer": "~1.0"
+    }
+}

docs/ldapcollector.txt

@@ -0,0 +1,37 @@
+LDAP Attributes Collector
+
+This class implements a collector that retrieves attributes from a directory
+server accessed via LDAP protocol.
+
+It has the following options:
+
+  - host: LDAP server host
+  - port: LDAP server port
+  - protocol: LDAP protocol
+  - binddn: The username which should be used when connecting to the LDAP
+            server.
+  - password: The password which should be used when connecting to the LDAP
+              server.
+  - basedn:   DN to start the LDAP search
+  - attrlist: An associative array of [LDAP attr1 => atr1, LDAP attr2 => atr2]. 
+              This parameter is optional. Remove this param to get all attrs
+  - searchfilter: filter used to search the directory. You can use the special
+  :uidfield string to refer the value of the field specified as an uidfield in
+  the processor
+
+  Example configuration:
+
+  'collector' => array(
+ 		 'class' => 'attributecollector:LDAPCollector',
+                'host' => 'myldap.srv',
+ 		 'port' => 389,
+ 		 'binddn' => 'cn=myuser',
+ 		 'password' => 'yaco0909',
+ 		 'basedn' => 'dc=my,dc=org',
+ 		 'searchfilter' => 'uid=:uidfield',
+         'protocol' => 3,
+ 		 'attrlist' => array(
+ 			 // LDAP attr => real attr
+ 			 'objectClass' => 'myClasses',
+                ),
+             ),

docs/sqlcollector.txt

@@ -0,0 +1,44 @@
+SQL Attributes Collector
+
+This class implements a collector that retrieves attributes from a database.
+It shoud word against both MySQL and PostgreSQL
+
+It has the following options:
+- dsn: The DSN which should be used to connect to the database server. Check the various
+       database drivers in http://php.net/manual/en/pdo.drivers.php for a description of
+       the various DSN formats.
+- username: The username which should be used when connecting to the database server.
+- password: The password which should be used when connecting to the database server.
+- query: The sql query for retrieve attributes. You can use the special :uidfield string
+         to refer the value of the field especified as an uidfield in the processor.
+
+
+Example - with PostgreSQL database:
+
+ 'collector' => array(
+	'class' => 'attributecollector:SQLCollector',
+	'dsn' => 'pgsql:host=localhost;dbname=simplesaml',
+	'username' => 'simplesaml',
+	'password' => 'secretpassword',
+	'query' => array("SELECT address, phone, country from extraattributes where uid=:uidfield"),
+	'get_all_query' => array("SELECT address, phone, country from extraattributes),
+ )
+
+SQLCollector allows to specify several database connections which will
+be used sequentially when a connection fails. This can be done
+by defining each parameter by using an array.
+
+Example:
+ 'collector' => array(
+         'class' => 'attributecollector:SQLCollector',
+         'dsn' => array('oci:dbname=first',
+                 'mysql:host=localhost;dbname=second'),
+         'username' => array('first', 'second'),
+         'password' => array('first', 'second'),
+         'query' => array("SELECT sid as SUBJECT from subjects where uid=:uidfield",
+                          "SELECT sid as SUBJECT from subjects2 where uid=:uidfield AND status='OK'"
+                         ),
+        'get_all_query' => array("SELECT sid as SUBJECT from subjects",
+                                 "SELECT sid as SUBJECT from subjects2"
+                         ),
+  )

lib/Auth/Process/AttributeCollector.php

@@ -0,0 +1,83 @@
+<?php
+
+/**
+ * Filter to collect attributes from diferent sources.
+ */
+class sspmod_attributecollector_Auth_Process_AttributeCollector extends SimpleSAML_Auth_ProcessingFilter {
+
+	private $existing = 'ignore';
+	private $collector = NULL;
+	private $uidfield = NULL;
+
+
+	/**
+	 * Get and initialize the configured collector
+	 *
+	 * @param array $config	 Configuration information about this filter.
+	 */
+	private function getCollector($config) {
+		if (!array_key_exists("collector", $config) || !array_key_exists("class", $config["collector"])) {
+			throw new Exception('No collector class specified in configuration');
+		}
+		$collectorConfig = $config["collector"];
+		$collectorClassName = SimpleSAML_Module::resolveClass($collectorConfig['class'], 'Collector', 'sspmod_attributecollector_SimpleCollector');
+		unset($collectorConfig['class']);
+		return new $collectorClassName($collectorConfig);
+	}
+
+	/**
+	 * Initialize this filter.
+	 *
+	 * @param array $config	 Configuration information about this filter.
+	 * @param mixed $reserved  For future use.
+	 */
+	public function __construct($config, $reserved) {
+		parent::__construct($config, $reserved);
+
+		assert('is_array($config)');
+
+		if (!array_key_exists("uidfield", $config)) {
+			throw new Exception('No uidfield specified in configuration');
+		}
+		$this->uidfield = $config["uidfield"];
+		$this->collector = $this->getCollector($config);
+		if (array_key_exists("existing", $config)) {
+			$this->existing = $config["existing"];
+		}
+	}
+
+
+	/**
+	 * Apply filter expand attributes with collected ones
+	 *
+	 * @param array &$request  The current request
+	 */
+	public function process(&$request) {
+		assert('is_array($request)');
+		assert('array_key_exists("Attributes", $request)');
+
+		if (array_key_exists($this->uidfield, $request['Attributes'])) {
+
+			$newAttributes = $this->collector->getAttributes($request['Attributes'], $this->uidfield);
+
+			if (is_array($newAttributes)) {
+				$attributes =& $request['Attributes'];
+
+				foreach($newAttributes as $name => $values) {
+					if (!is_array($values)) {
+						$values = array($values);
+					}
+					if (!array_key_exists($name, $attributes) || $this->existing === 'replace') {
+						$attributes[$name] = $values;
+					} else {
+						if ($this->existing === 'merge') {
+							$attributes[$name] = array_merge($attributes[$name], $values);
+						}
+					}
+				}
+			}
+		}
+	}
+}
+
+?>