Update code to improve local_info schema

Author: Sae126V

config/local_info.xml

@@ -186,6 +186,9 @@
       <provider>
         <idp>aai.egi.eu/auth/realms/egi</idp>
         <name>EGI Proxy</name>
+        <authentication_realms>
+          <shib_realm_name>EGI Proxy IdP</shib_realm_name>
+        </authentication_realms>
         <required_groups>
           <group>urn:mace:egi.eu:res:gocdb#aai.egi.eu</group>
         </required_groups>
@@ -194,9 +197,13 @@
       <provider>
         <idp>aai-demo.egi.eu/auth/realms/egi</idp>
         <name>EGI Demo Proxy</name>
+        <authentication_realms>
+          <shib_realm_name>EGI Proxy IdP</shib_realm_name>
+        </authentication_realms>
         <required_groups>
           <group>urn:mace:egi.eu:res:gocdb#aai.egi.eu</group>
         </required_groups>
+        <help_url>https://docs.egi.eu/internal/configuration-database/access/#using-institutional-account-via-egi-check-in</help_url>
       </provider>
     </identity_providers>
 

config/local_info.xsd

@@ -125,19 +125,26 @@
               <xs:element name="identity_providers" minOccurs="0">
                 <xs:complexType>
                   <xs:sequence>
-                    <xs:element name="provider" minOccurs="1">
+                    <xs:element name="provider" minOccurs="1" maxOccurs="unbounded">
                       <xs:complexType>
                         <xs:sequence>
-                          <xs:element name="idp" type="xs:string"/>
-                          <xs:element name="name" type="xs:string"/>
+                          <xs:element name="idp" type="xs:string" minOccurs="1" maxOccurs="1"/>
+                          <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+                          <xs:element name="authentication_realms" minOccurs="1" maxOccurs="1">
+                            <xs:complexType>
+                              <xs:sequence>
+                                <xs:element name="shib_realm_name" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+                              </xs:sequence>
+                            </xs:complexType>
+                          </xs:element>
                           <xs:element name="required_groups" minOccurs="0">
                             <xs:complexType>
                               <xs:sequence>
                                 <xs:element name="group" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
                               </xs:sequence>
                             </xs:complexType>
                           </xs:element>
-                          <xs:element name="help_url" type="xs:string" minOccurs="0"/>
+                          <xs:element name="help_url" type="xs:string" minOccurs="1" maxOccurs="1"/>
                         </xs:sequence>
                       </xs:complexType>
                     </xs:element>

lib/Authentication/AuthTokens/ShibAuthToken.php

@@ -85,6 +85,7 @@ private function getAttributesInitToken(){
         // specify location of the Shib Logout handler
         \Factory::$properties['LOGOUTURL'] = 'https://'.$hostname.'/Shibboleth.sso/Logout';
         $idp = isset($_SERVER['Shib-Identity-Provider']) ? $_SERVER['Shib-Identity-Provider'] : '';
+
         if ($idp == 'https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata'
                 &&  $_SERVER['distinguishedName'] != null){
             $this->principal = $_SERVER['distinguishedName'];
@@ -103,38 +104,42 @@ private function getAttributesInitToken(){
         foreach ($identityProviders as $provider) {
             if ($provider['idp'] === $idp) {
                 $name = $provider['name'];
-                $helpUrl = $provider['help_url'] ?? '#';
+                $helpUrl = $provider['help_url'];
 
                 if (empty($_SERVER['voPersonID'])) {
                     die(
-                        "Did not receive required attributes from the IDP $name to "
-                        . "complete authentication. Please contact gocdb-admins."
+                        "Did not receive required attributes from the "
+                        . "IDP $name to complete authentication. "
+                        . "Please contact gocdb-admins."
                     );
                 }
 
                 if (empty($_SERVER['entitlement'])) {
                     die(
-                        "Did not receive the required entitlement attribute from "
-                        . "the IDP $name. Please contact gocdb-admins."
+                        "Did not receive the required entitlement "
+                        . "attribute from the IDP $name. "
+                        . "Please contact gocdb-admins."
                     );
                 }
 
                 if (!empty($provider['required_groups'])) {
-                    $entitlementValues = explode(
-                        ';', $_SERVER['entitlement']
-                    );
-
-                    if (!array_intersect(
-                        $entitlementValues, $provider['required_groups']
-                    )) {
+                    $entitlementValues = explode(';', $_SERVER['entitlement']);
+
+                    if (
+                        !array_intersect(
+                            $entitlementValues,
+                            $provider['required_groups']
+                        )
+                    ) {
                         $HTML = "<ul>"
                             . "<li>Login requires the entitlement "
                             . "which was not provided for the IDP $name.</li>"
                             . "<li>Please see here for more information: "
-                            . "<a href='$helpUrl' target='_blank'>$helpUrl</a>.</li>"
-                            . "<li>Logout or restart your "
-                            . "browser and attempt to login again using an IDP that "
-                            . "provides a GOCDB entitlement.</li>"
+                            . "<a href='$helpUrl' target='_blank'>"
+                            . "$helpUrl</a>.</li>"
+                            . "<li>Logout or restart your browser"
+                            . "and attempt to login again using an IDP "
+                            . "that provides a GOCDB entitlement.</li>"
                             . "</ul>";
                         $HTML .= "<div style='text-align: center;'>";
                         $HTML .= "<a href=\""
@@ -147,7 +152,9 @@ private function getAttributesInitToken(){
                 }
 
                 $this->principal = $_SERVER['voPersonID'];
-                $this->userDetails = ['AuthenticationRealm' => [$provider['idp']]];
+                $this->userDetails = [
+                    'AuthenticationRealm' => $provider['authenticationRealms']
+                ];
 
                 return;
             }

lib/Gocdb_Services/Config.php

@@ -574,27 +574,46 @@ public function getIdentityProvidersInfo(): array
         $identityProviders = [];
 
         if (!empty($localInfo->identity_providers->provider)) {
-            foreach ($localInfo->identity_providers->provider as $providerDetails) {
+            foreach (
+                $localInfo
+                    ->identity_providers
+                    ->provider as $providerDetails
+            ) {
                 /** idp */
                 $idp = (string) $providerDetails->idp;
 
                 /** name */
                 $name = (string) $providerDetails->name;
 
+                /** authentication_realms */
+                $authenticationRealms = [];
+                if ($providerDetails->authentication_realms) {
+                    foreach (
+                        $providerDetails
+                            ->authentication_realms
+                            ->shib_realm_name as $shibRealmName
+                    ) {
+                        $authenticationRealms[] = (string) $shibRealmName;
+                    }
+                }
+
                 /** required_groups */
                 $requiredGroups = [];
-                if ($providerDetails->required_groups->group) {
-                    foreach($providerDetails->required_groups->group as $group) {
+                if ($providerDetails->required_groups) {
+                    foreach (
+                        $providerDetails->required_groups->group as $group
+                    ) {
                         $requiredGroups[] = (string) $group;
                     }
                 }
 
                 /** help_url */
-                $helpURL = $providerDetails->help_url ?? null;
+                $helpURL = (string) $providerDetails->help_url;
 
                 $identityProviders[] = [
                     'idp' => $idp,
                     'name' => $name,
+                    'authenticationRealms' => $authenticationRealms,
                     'requiredGroups' => $requiredGroups,
                     'helpURL', $helpURL
                 ];