Cleanup wiki auth

WISVCH · Aug 12, 2023 · 1cd17f2 · 1cd17f2
1 parent 3896c4a
commit 1cd17f2
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 91 deletions.
diff --git a/.env.example b/.env.example
@@ -1,4 +1,3 @@
 # IAP_DEV_TOKEN=
-CONNECT2_HOST=connect2
 IAP_DEV_TOKEN=
 IAP_EXPECTED_AUDIENCE=
diff --git a/src/conf/local.php b/src/conf/local.php
@@ -18,5 +18,4 @@
 $conf['useheading'] = 1;
 
 $conf['authtype']    = 'authiapconnect2';
-$conf['plugin']['authiapconnect2']['connect2_endpoint'] = getenv('CONNECT2_HOST') . '/groups/slugs';
 $conf['plugin']['authiapconnect2']['iap_expected_audience'] = getenv('IAP_EXPECTED_AUDIENCE');
diff --git a/src/plugins/authiapconnect2/auth.php b/src/plugins/authiapconnect2/auth.php
@@ -1,8 +1,5 @@
 <?php
 
-use dokuwiki\Logger;
-use dokuwiki\Utf8\Sort;
-
 require "validate_jwt.php";
 
 /**
@@ -45,94 +42,42 @@ private function getIapToken()
         throw new Exception('No token found');
     }
 
-    /**
-     * Get user data from Connect2
-     * @param string $token
-     * @return array
-     */
-    private function getUserDataByTokenFromConnect2($token)
-    {
-        // Get request to Connect2
-        $url = $this->getConf('connect2_endpoint');
-
-        $curl = curl_init();
-
-        curl_setopt_array($curl, array(
-            CURLOPT_URL => $url,
-            CURLOPT_RETURNTRANSFER => true,
-            CURLOPT_ENCODING => '',
-            CURLOPT_MAXREDIRS => 10,
-            CURLOPT_TIMEOUT => 0,
-            CURLOPT_FOLLOWLOCATION => true,
-            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
-            CURLOPT_CUSTOMREQUEST => 'GET',
-            CURLOPT_HTTPHEADER => array(
-                'X-Goog-IAP-JWT-Assertion: ' . $token
-            ),
-        ));
-
-        $response = curl_exec($curl);
-
-        curl_close($curl);
-        $httpcode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
-
-        if ($httpcode != 200) {
-            throw new Exception('Could not get user data');
-        }
-
-        return json_decode($response, true);
-    }
-
-
-    /**
-     * Validate user data from Connect2
-     * @param array $data
-     * @return bool
-     */
-    private function validateUserData($data)
-    {
-        // Check if data has email and groups
-        if (!isset($data['email'])) {
-            throw new Exception('No email found');
-        }
-
-        if (!isset($data['groups'])) {
-            throw new Exception('No groups found');
-        }
-
-        return true;
-    }
-
     public function trustExternal($user, $pass, $sticky = false)
     {
         global $USERINFO;
 
-        $token = $this->getIapToken();
-
-        try {
-            $data = validate_jwt($token, $this->getConf('iap_expected_audience'));
-            $USERINFO = [
-                'name' => $data['gcip']['name'],
-                'mail' => $data['gcip']['email'],
-                'grps' => array_merge(explode(',',$data['gcip']['groups']), ['user'])
-            ];
-        } catch (Exception $e) {
-            $data = $this->getUserDataByTokenFromConnect2($token);
-            if (!$this->validateUserData($data)) {
+        $sticky ? $sticky = true : $sticky = false; //sanity check
+
+		if (!empty($_SESSION[DOKU_COOKIE]['auth']['info'])) {
+			$USERINFO['name'] = $_SESSION[DOKU_COOKIE]['auth']['info']['name'];
+			$USERINFO['mail'] = $_SESSION[DOKU_COOKIE]['auth']['info']['mail'];
+			$USERINFO['grps'] = $_SESSION[DOKU_COOKIE]['auth']['info']['grps'];
+			$_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user'];
+			return true;
+		}
+
+        if (!empty($user)) {
+
+            $token = $this->getIapToken();
+
+            try {
+                $data = validate_jwt($token, $this->getConf('iap_expected_audience'));
+                $USERINFO = [
+                    'name' => $data['gcip']['name'],
+                    'mail' => $data['gcip']['email'],
+                    'grps' => array_merge(explode(',',$data['gcip']['groups']), ['user'])
+                ];
+            } catch (Exception $e) {
                 return false;
-            }
-
-            $USERINFO = [
-                'name' => str_replace('@ch.tudelft.nl', '', $data['email']),
-                'mail' => $data['email'],
-                'grps' => array_merge($data['groups'], ['user']),
-            ];
-        }        
+            }        
 
-        $_SERVER['REMOTE_USER']                = $USERINFO['name'];
-        $_SESSION[DOKU_COOKIE]['auth']['user'] = $USERINFO['name'];
-        $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
+            $_SERVER['REMOTE_USER']                = $USERINFO['name'];
+            $_SESSION[DOKU_COOKIE]['auth']['user'] = $USERINFO['name'];
+            $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
 
-        return true;
+            return true;
+        }
+
+        return false;
     }
 }
diff --git a/src/plugins/authiapconnect2/conf/default.php b/src/plugins/authiapconnect2/conf/default.php
@@ -1,4 +1,3 @@
 <?php
 
-$conf['CONNECT2_HOST'] = 'http://localhost:3001/groups/slugs';
 $conf['IAP_EXPECTED_AUDIENCE'] = '';
diff --git a/src/plugins/authiapconnect2/conf/metadata.php b/src/plugins/authiapconnect2/conf/metadata.php
@@ -1,3 +1,2 @@
 <?php
-$meta['CONNECT2_HOST']      = array('string', '_caution' => 'danger');
 $meta['IAP_EXPECTED_AUDIENCE']      = array('string', '_caution' => 'danger');
diff --git a/src/plugins/authiapconnect2/plugin.info.txt b/src/plugins/authiapconnect2/plugin.info.txt
@@ -2,6 +2,6 @@ base   authiapconnect2
 author Joep de Jong
 email  [email protected]
 date   2023-06-04
-name   IAP - Connect2 Auth
-desc   Provides user authentication using GCE IAP and Connect2 for Groups
+name   IAP -  Auth
+desc   Provides user authentication using GCE IAP for groups
 url    https://github.com/wisvch/wiki