Bug #3135
Siteminder authentication plugin is too HP specific - needs to be generalized
| Status: | New | Start date: | 07/18/2012 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | UI | | |
| Target version: | - | | |
| Rank: | 99 | Tester: | |
Description
The siteminder authentication plugin makes too many assumptions about the siteminder environment, assuming that the UID provided by Siteminder is an HP email address.
We need to generalize the siteminder plugin so that it can handle any UID provided by Siteminder.
In src/www/ui/core-smauth.php there is a function called CheckUser. CheckUser checks the FOSSology database for an existing user identified by the Siteminder UID, but it expects that the UID will be an email address with an ‘@’ sign in it.
```php
function CheckUser($Email) {
  global $PG_CONN;
  global $SysConf;
  if (empty($Email)) {
    return;
  }
  $Email = str_replace("'", "''", $Email); /* protect DB: double single quotes before the value is interpolated into SQL */
  /* strpos() returns FALSE when there is no '@', so a non-email UID ends up with an empty folder name */
  $FolderName = substr($Email, 0, strpos($Email,'@'));
  $FolderName = trim($FolderName);
  if (empty($FolderName)) {
    return;
  }
  $FolderDes = "Folder created for " . $FolderName;
  /* remainder of CheckUser() not quoted in this report */
}
```
The CheckUser() function is filtering the $Email parameter to remove the ‘@domain.com’ part of an email address. BUT the PHP strpos() function will return FALSE if the expected string (‘@’ in this case) is not found, which will (I think) cause the whole CheckUser() function to fail.
The UID provided by Siteminder can be anything - an email address (joe-somebody@domain.com), a simple login name (joesombody), or even a number (18527342).
We need to alter this logic to make sure that the Siteminder auth can handle a generic UID string.
Also please add more comments to the code to explain what it is doing, and why.
Also please check the rest of the siteminder authentication logic to make sure it is not making any HP-specific assumptions about the environment.
History
Updated by Dan Stangel 10 months ago
Additional changes are needed (I think).
According to Harald, there are still problems with the CheckUser() function. At line 198:
```php
/* See if the user exists */
$sql = "SELECT * FROM users WHERE user_email = '$Email';";
$result = pg_query($PG_CONN, $sql);
DBCheckResult($result, $sql, __FILE__, __LINE__);
```
In the case of Harald's installation, the Siteminder authenticated UID that is provided is NOT an email address. Thus the authenticated user will need to first log in, and then manually update his or her email address in FOSSology before receiving any email notifications.
However the code above assumes the user_email field is the UID, which in the non-HP case may not be true. To be more robust, we should use the actual user name as the UID:
```php
/* See if the user exists */
$sql = "SELECT * FROM users WHERE user_name = '$Email';";
$result = pg_query($PG_CONN, $sql);
DBCheckResult($result, $sql, __FILE__, __LINE__);
```
However I may be missing some further nuances here that will fall out in testing.
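The following is an added example, not FOSSology code, showing the two changes discussed in the description and in the comment above: deriving a folder name from a UID that may be an email address, a plain login name or a bare number (testing the strpos() result with === so FALSE is not passed to substr()), and looking the user up by user_name instead of user_email. The function names DeriveFolderName and FindUserByUid are hypothetical; $PG_CONN is assumed to be an open pgsql connection as in core-smauth.php, and pg_query_params() is used so the UID is bound as a parameter rather than quoted by hand with str_replace(). The sample UIDs at the bottom are constructed from the shapes named in the bug report.

```php
<?php
/* Added example for bug #3135; not part of src/www/ui/core-smauth.php. */

/**
 * Derive a folder name from whatever UID Siteminder provides.
 * Accepts an email address, a plain login name or a bare number.
 * Returns null only when nothing usable is left after trimming.
 */
function DeriveFolderName($Uid)
{
  $Uid = trim($Uid);
  if ($Uid === '') {
    return null;
  }
  /* strpos() returns FALSE (not 0) when there is no '@'. Compare with ===
     so a non-email UID is kept whole instead of substr() receiving FALSE
     as its length and yielding an empty folder name. */
  $At = strpos($Uid, '@');
  if ($At === false) {
    $FolderName = $Uid;
  } else {
    $FolderName = substr($Uid, 0, $At);
  }
  $FolderName = trim($FolderName);
  return ($FolderName === '') ? null : $FolderName;
}

/**
 * Look the user up by user_name (the Siteminder UID), not user_email.
 * The UID is passed as a bound parameter, so no manual quote-doubling
 * is needed and a UID containing quotes cannot alter the query.
 * $PG_CONN: open pgsql connection resource (assumption, as in core-smauth.php).
 * Returns the user row as an associative array, or null if not found.
 */
function FindUserByUid($PG_CONN, $Uid)
{
  $sql = "SELECT * FROM users WHERE user_name = $1";
  $result = pg_query_params($PG_CONN, $sql, array($Uid));
  if ($result === false) {
    return null; /* caller reports pg_last_error($PG_CONN) as appropriate */
  }
  $row = pg_fetch_assoc($result);
  pg_free_result($result);
  return ($row === false) ? null : $row;
}

/* Constructed sample UIDs: the three shapes from the bug report plus two
   degenerate values that must be rejected rather than create a user. */
$Samples = array('joe-somebody@domain.com', 'joesomebody', '18527342', '   ', '@domain.com');
foreach ($Samples as $Uid) {
  $Name = DeriveFolderName($Uid);
  printf("%-28s -> %s\n", var_export($Uid, true), ($Name === null) ? 'rejected' : $Name);
}
```

Run with the PHP CLI to see the folder name derived for each sample; FindUserByUid() is only exercised once a pgsql connection is available, and the existing DBCheckResult() call can be kept in front of it if the project prefers its own error reporting.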
Updated by Bob Gobeille 7 months ago
- Rank set to 99
Change unranked issues to rank 99 so they show up in a ranking report at the bottom. Otherwise, they show up on top.