treat REMOTE_USER as UID

CONTRIBUTING.md

@@ -55,9 +55,9 @@ When accessing locked down portions of the portal, you will be asked for a usern
 The password is always `password`. `tools/docker-dev/web/htpasswd` contains all valid usernames.
 
 Notable users:
-* `[email protected]` - admin, PI
-* `[email protected]` - not admin, not PI
-* `[email protected]` - does not yet have an account
+* `user1_org1_test` - admin, PI
+* `user2_org1_test` - not admin, not PI
+* `user2000_org2_test` - does not yet have an account
 
 ### Changes to Dev Environment
 

README.md

@@ -49,8 +49,9 @@ See the Docker Compose environment (`tools/docker-dev/`) for an (unsafe for prod
             * `COMPOSER_ALLOW_SUPERUSER=1 composer --no-dev --no-scripts --no-plugins install`
     * `httpd` `DocumentRoot` set to `webroot/`
     * `httpd` Authentication
-        * Any authentication will do as long as it defines `REMOTE_USER`, `givenName`, `sn`, and `mail`
-            * `REMOTE_USER` must also be unique, non-reassignable, and persistent
+        * Any authentication will do as long as it defines `REMOTE_USER`, `eppn`, `givenName`, `sn`, and `mail`
+            * `REMOTE_USER` is used for the UID attribute for users in LDAP
+            * Unity uses Shibboleth `AttributeResolver type=Transform` to convert `eppn` into `REMOTE_USER` ([private link to config](https://gitlab.rc.umass.edu/unity/admin/ansible/-/blob/fe42ba30f722b75a7980a0b07d93be90055e4f83/roles/shibboleth/templates/shibboleth2.xml.j2))
         * Unity uses Shibboleth SP and the Apache Shibboleth module (`apt install shibboleth-sp-utils libapache2-mod-shib` on Ubuntu)
     * `httpd` Authorization
         * Global access to `webroot/panel/`

resources/lib/UnitySSO.php

@@ -7,13 +7,6 @@
 
 class UnitySSO
 {
-    private static function eppnToUID($eppn)
-    {
-        $eppn_output = str_replace(".", "_", $eppn);
-        $eppn_output = str_replace("@", "_", $eppn_output);
-        return strtolower($eppn_output);
-    }
-
     private static function eppnToOrg($eppn)
     {
         $parts = explode("@", $eppn);
@@ -58,8 +51,8 @@ private static function getAttribute($attributeName, $fallbackAttributeName = nu
     public static function getSSO()
     {
         return array(
-            "user" => self::eppnToUID(self::getAttribute("REMOTE_USER")),
-            "org" => self::eppnToOrg(self::getAttribute("REMOTE_USER")),
+            "user" => self::getAttribute("REMOTE_USER"),
+            "org" => self::eppnToOrg(self::getAttribute("eppn")),
             "firstname" => self::getAttribute("givenName"),
             "lastname" => self::getAttribute("sn"),
             "name" => self::getAttribute("givenName") . " " . self::getAttribute("sn"),

test/functional/InvalidEPPNTest.php

@@ -9,15 +9,15 @@ class InvalidEPPNTest extends TestCase
     public static function provider()
     {
         return [
-            ["",      false],
-            ["a",     false],
-            ["a@b",   true],
-            ["a@b@c", false],
+            ["",      "",      false],
+            ["a",     "a",     false],
+            ["a@b",   "a_b",   true],
+            ["a@b@c", "a_b_c", false],
         ];
     }
 
     #[DataProvider("provider")]
-    public function testInitGetSSO(string $eppn, bool $is_valid): void
+    public function testInitGetSSO(string $eppn, string $uid, bool $is_valid): void
     {
         global $SSO;
         $original_server = $_SERVER;
@@ -30,7 +30,7 @@ public function testInitGetSSO(string $eppn, bool $is_valid): void
             $this->expectException(SSOException::class);
         }
         try {
-            $_SERVER["REMOTE_USER"] = $eppn;
+            $_SERVER["REMOTE_USER"] = $uid;
             $_SERVER["REMOTE_ADDR"] = "127.0.0.1";
             $_SERVER["eppn"] = $eppn;
             $_SERVER["givenName"] = "foo";

test/phpunit-bootstrap.php

@@ -60,6 +60,7 @@ function arraysAreEqualUnOrdered(array $a, array $b): bool
 
 
 function switchUser(
+    string $uid,
     string $eppn,
     string $given_name,
     string $sn,
@@ -74,7 +75,7 @@ function switchUser(
         session_id($session_id);
     }
     // session_start will be called on the first post()
-    $_SERVER["REMOTE_USER"] = $eppn;
+    $_SERVER["REMOTE_USER"] = $uid;
     $_SERVER["REMOTE_ADDR"] = "127.0.0.1";
     $_SERVER["HTTP_HOST"] = "phpunit"; // used for config override
     $_SERVER["eppn"] = $eppn;
@@ -127,85 +128,86 @@ function http_get(string $phpfile, array $get_data = array()): void
 
 function getNormalUser()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user2_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getNormalUser2()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user2_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getUserHasNotRequestedAccountDeletionHasGroup()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user1_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getUserHasNotRequestedAccountDeletionHasNoGroups()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user2_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getUserHasNoSshKeys()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user3_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getUserNotPiNotRequestedBecomePi()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user2_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getUserNotPiNotRequestedBecomePiRequestedAccountDeletion()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user4_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getUserWithOneKey()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user5_org2_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getUserIsPIHasNoMembersNoMemberRequests()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user5_org2_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getUserIsPIHasAtLeastOneMember()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user1_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getNonExistentUser()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user2001_org998_test", "[email protected]", "foo", "bar", "[email protected]"];
 }
 
 function getNonexistentUsersWithExistentOrg()
 {
     return [
-        ["[email protected]", "foo", "bar", "[email protected]"],
-        ["[email protected]", "foo", "bar", "[email protected]"],
+        ["user2003_org1_test", "[email protected]", "foo", "bar", "[email protected]"],
+        ["user2004_org1_test", "[email protected]", "foo", "bar", "[email protected]"],
     ];
 }
 
 function getNonExistentUserAndExpectedUIDGIDNoCustomMapping()
 {
     // defaults/config.ini.default: ldap.offset_UIDGID=1000000
     // test/custom_user_mappings/test.csv has reservations for 1000000-1000004
-    return [["[email protected]", "foo", "bar", "[email protected]"], 1000005];
+    return [["user2002_org998_test", "[email protected]", "foo", "bar", "[email protected]"], 1000005];
 }
 
 function getNonExistentUserAndExpectedUIDGIDWithCustomMapping()
 {
     // test/custom_user_mappings/test.csv: {user2001: 555}
-    return [["[email protected]", "foo", "bar", "[email protected]"], 555];
+    return [["user2001_org998_test", "[email protected]", "foo", "bar", "[email protected]"], 555];
 }
 
 function getMultipleValueAttributesAndExpectedSSO()
 {
     return [
         [
-            "REMOTE_USER" => "[email protected]",
+            "REMOTE_USER" => "user2003_org998_test",
+            "eppn" => "[email protected]",
             "givenName" => "foo;foo",
             "sn" => "bar;bar",
             "mail" => "[email protected];[email protected]",
@@ -220,5 +222,5 @@ function getMultipleValueAttributesAndExpectedSSO()
 
 function getAdminUser()
 {
-    return ["[email protected]", "foo", "bar", "[email protected]"];
+    return ["user1_org1_test", "[email protected]", "foo", "bar", "[email protected]"];
 }

tools/docker-dev/web/Dockerfile

@@ -17,6 +17,7 @@ RUN apt-get update && apt-get install -y \
     php-xml \
     php-intl \
     php-xdebug
+RUN a2enmod rewrite
 COPY htpasswd /etc/apache2/.htpasswd
 RUN chown www-data /etc/apache2/.htpasswd
 COPY unity-apache.conf /etc/apache2/sites-available/unity.conf

tools/docker-dev/web/unity-apache.conf

@@ -11,17 +11,35 @@
         SetEnv givenName "DevFirstname"
         SetEnv sn "DevLastname"
         SetEnv mail "[email protected]"
+
+        RewriteEngine On
+        # copy REMOTE_USER to eppn
+        RewriteCond %{ENV:REMOTE_USER} (.*)
+        RewriteRule .* - [E=eppn:%1]
+        # substitute '@' and '.' with '_' in REMOTE_USER
+        # this is only garunteed to work for the simple usernames in htpasswd
+        RewriteCond %{ENV:REMOTE_USER} ^(.*)@(.*)\.(.*)$
+        RewriteRule .* - [E=REMOTE_USER:%1_%2_%3]
     </Location>
 
     <Location /admin>
         AuthType Basic
         AuthName "Unity Admin Panel"
         AuthUserFile /etc/apache2/.htpasswd
-        Require user [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
+        Require user user1_org1_test user2_org1_test user3_org1_test user4_org1_test user5_org2_test user6_org1_test user7_org1_test user8_org1_test user9_org3_test user10_org1_test user11_org1_test user12_org1_test user13_org1_test user14_org3_test
 
         SetEnv givenName "DevFirstname"
         SetEnv sn "DevLastname"
         SetEnv mail "[email protected]"
+
+        RewriteEngine On
+        # copy REMOTE_USER to eppn
+        RewriteCond %{ENV:REMOTE_USER} (.*)
+        RewriteRule .* - [E=eppn:%1]
+        # substitute '@' and '.' with '_' in REMOTE_USER
+        # this is only garunteed to work for the simple usernames in htpasswd
+        RewriteCond %{ENV:REMOTE_USER} ^(.*)@(.*)\.(.*)$
+        RewriteRule .* - [E=REMOTE_USER:%1_%2_%3]
     </Location>
 
 </VirtualHost>