Commit d7fad2d0 authored by haemmer's avatar haemmer

Added code and documentation to improve #3139

Updated year in copyright
Some minor code refactoring
parent a33dc861
Copyright (c) 2014
Copyright (c) 2015
See LICENSE file for details.
-------------------------------------------------------------------------------
......
Copyright (c) 2014, SWITCH
Copyright (c) 2015, SWITCH
See LICENSE file for details.
-------------------------------------------------------------------------------
......@@ -101,12 +101,26 @@ above information for each custom file.
Logging
-------
Errors are generally written to syslog. Error messages might be cases where
files cannot be read or written due to permission problems.
The SWITCHwayf currently uses two types of logs:
If the configuration option $useLogging is true, a log file will be written to
the path specified in $WAYFLogFile. This log file is an audit log file where
each line is an entry of the form:
* General Log
Whenever a warning or an error message is thrown, this goes
to the system log file. Errors occur when for example files
cannot be read or written due to permission problems.
* Audit Log
This is file-based logging. Whenever a user is redirected
to an Identity Provider, a new entry is added to the file
$WAYFLogFile which typically is in the same directory as
the web server access log files (because it's the web server
that writes to this file)
On the Audit log:
If the configuration option $useLogging is true, an audit log
file will be written to the path specified in $WAYFLogFile.
This log file is an audit log file where each line is an entry
of the form:
{DATE} {TIME} {IP} {IDP-SELECTION} {REQUEST-TYPE} {IDP-ENTITYID} {FORWARDING-URL}
......
<?php // Copyright (c) 2014, SWITCH
<?php // Copyright (c) 2015, SWITCH
// WAYF Identity Provider Configuration file
......
License note for the SWITCHwayf code
-----------------------------------
Copyright 2014, SWITCH
Copyright 2015, SWITCH
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
......@@ -91,4 +91,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright (c) 2014, SWITCH
Copyright (c) 2015, SWITCH
See LICENSE file for details.
-------------------------------------------------------------------------------
......@@ -251,6 +251,7 @@ and potentially
in case the metadata loaded by SWITCHwayf does not include DiscoveryResponse
elements for many Service Providers.
-------------------------------------------------------------------------------
Troubleshooting
......
......@@ -5,21 +5,21 @@
SWITCHwayf
Version: 1.20
Contact: aai@switch.ch
Web site: http://www.switch.ch/aai/wayf
Web site: https://www.switch.ch/aai/support/tools/wayf/
******************************************************************************
*/
// Init connection to system logger
openlog("SWITCHwayf", LOG_ODELAY, LOG_USER);
/*------------------------------------------------*/
// Load general configuration and template file
/*------------------------------------------------*/
require_once('templates.php');
require_once('functions.php');
require_once('languages.php');
require_once('config.php');
// Set P3P headers just in case they were not set in Apache already
header('P3P: CP="NOI CUR DEVa OUR IND COM NAV PRE"');
require_once('languages.php');
require_once('functions.php');
require_once('templates.php');
// Set default config options
initConfigOptions();
......@@ -75,6 +75,9 @@ foreach ($IDProviders as $key => $values){
// Back-wards compatibility logic
/*------------------------------------------------*/
// Set P3P headers just in case they were not set in Apache already
header('P3P: CP="NOI CUR DEVa OUR IND COM NAV PRE"');
// This is for back-wards compatibility with very old versions of the WAYF
if (isset($_GET['getArguments']) && isset($_GET['origin']) && isset($_GET['redirect'])){
redirectTo($_SERVER['PHP_SELF'].'/redirect/'.$_GET['origin'].'?'.$_GET['getArguments']);
......@@ -91,6 +94,7 @@ if(isValidDSRequest()){
if(!$returnURL){
// Show error
$message = sprintf(getLocalString('invalid_return_url'), htmlentities($_GET['return']));
logWarning('Invalid return URL: '.$_GET['return']);
printError($message);
exit;
}
......@@ -100,6 +104,7 @@ if(isValidDSRequest()){
if(!isset($SProviders[$_GET['entityID']])){
// Show error
$message = sprintf(getLocalString('unknown_sp'), htmlentities($_GET['entityID']));
logWarning('Unknown SP: '.$_GET['entityID']);
printError($message);
exit;
}
......@@ -109,6 +114,7 @@ if(isValidDSRequest()){
if(!$returnURLOK){
// Show error
$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID']));
logWarning('Unverified return URL: '.$returnURL.' for SP: '.$_GET['entityID']);
printError($message);
exit;
}
......@@ -498,6 +504,7 @@ if (
$message = getLocalString('arguments_missing') . '<pre>';
$message .= '<code>'.htmlentities($invalidstring).'</code></pre></p>';
$message .= '<p>'. getLocalString('valid_request_description');
logWarning('Invalid GET arguments for Shibboleth discovery requests: '.$invalidstring);
printError($message);
exit;
} elseif(
......@@ -513,6 +520,7 @@ if (
$message = getLocalString('arguments_missing') . '</p><pre>';
$message .= '<code>'.htmlentities($invalidstring).'</code></pre>';
$message .= '<p>'. getLocalString('valid_saml2_request_description');
logWarning('Invalid GET arguments for SAML discovery requests: '.$invalidstring);
printError($message);
exit;
......
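Review bot: The five new logWarning() calls (the hunks headed @@ -91, -100, -109, -498 and -513) pass raw request values — `$_GET['return']`, `$_GET['entityID']`, `$returnURL` and `$invalidstring` — to syslog without stripping control characters, so a client can put CR/LF or terminal escape sequences into the log stream and forge or mangle entries in any collector that does not escape them. The HTML path next to each call already runs the same values through htmlentities(); the log path needs an equivalent, e.g. `logWarning('Invalid return URL: '.preg_replace('/[\x00-\x1F\x7F]+/', ' ', $_GET['return']));`, or better a single strip inside logWarning() so every call site is covered. A length cap on the logged value is worth adding too, since `return` URLs are attacker-sized. logWarning() is defined in functions.php and whether it sanitizes anything itself is not visible in this section.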
<?php // Copyright (c) 2014, SWITCH
<?php // Copyright (c) 2015, SWITCH
//******************************************************************************
// This file contains the configuration of SWITCHwayf, a light-weight
......@@ -164,7 +164,9 @@
// If turned on make sure to also configure $WAYFLogFile
//$useLogging = true;
// Where to log the access
// Where to log the access requests
// This log is only an audit log for access requests.
// Errors (e.g. when parsing SAML metadata) go to the syslog.
// Make sure the web server user has write access to this file!
//$WAYFLogFile = '/var/log/apache2/wayf.log';
......
<?php // Copyright (c) 2014, SWITCH ?>
<?php // Copyright (c) 2015, SWITCH ?>
<!-- Identity Provider Selection: Start -->
<h1><?php echo getLocalString('header'); ?></h1>
......
<?php // Copyright (c) 2014, SWITCH ?>
<?php // Copyright (c) 2015, SWITCH ?>
<!-- EMBEDDED-WAYF-START -->
<script type="text/javascript"><!--
......
<?php // Copyright (c) 2014, SWITCH ?>
<?php // Copyright (c) 2015, SWITCH ?>
<!-- Error Message: Start-->
<h1><?php echo getLocalString('invalid_query') ?></h1>
......
<?php // Copyright (c) 2014, SWITCH ?>
<?php // Copyright (c) 2015, SWITCH ?>
<!-- Body: End -->
</div>
......
<?php // Copyright (c) 2014, SWITCH ?>
<?php // Copyright (c) 2015, SWITCH ?>
<!DOCTYPE HTML>
<html>
<head>
......
<?php // Copyright (c) 2014, SWITCH ?>
<?php // Copyright (c) 2015, SWITCH ?>
<!-- Identity Provider Selection: Start -->
<h1><?php echo getLocalString('settings'); ?></h1>
......
<?php // Copyright (c) 2014, SWITCH ?>
<?php // Copyright (c) 2015, SWITCH ?>
<!-- Identity Provider Selection: Start -->
<h1><?php echo getLocalString('permanent_select_header'); ?></h1>
......
<?php // Copyright (c) 2014, SWITCH
<?php // Copyright (c) 2015, SWITCH
/*
******************************************************************************
This file contains common functions of the SWITCHwayf
******************************************************************************
*/
if(!isset($_SERVER['REMOTE_ADDR']) || basename($_SERVER['SCRIPT_NAME']) == 'templates.php'){
exit('No direct script access allowed');
}
/******************************************************************************/
// Commonly used functions for the WAYF
/******************************************************************************/
// Initilizes default configuration options if they were not set already
......@@ -759,7 +767,7 @@ function logInfo($infoMsg){
global $developmentMode;
syslog(LOG_INFO, $infoMsg);
if ($developmentMode){
if ($developmentMode && isRun){
echo $infoMsg;
}
}
......@@ -768,9 +776,10 @@ function logInfo($infoMsg){
// Logs an warnimg message
function logWarning($warnMsg){
global $developmentMode;
syslog(LOG_WARNING, $warnMsg);
if ($developmentMode){
if ($developmentMode && isRunViaCLI()){
echo $warnMsg;
}
}
......@@ -779,6 +788,7 @@ function logWarning($warnMsg){
// Logs an error message
function logError($errorMsg){
global $developmentMode;
syslog(LOG_ERR, $errorMsg);
if ($developmentMode){
......@@ -1009,4 +1019,17 @@ function isRequestRefererMatchingSPHost(){
return false;
}
/******************************************************************************/
// Is this script run in CLI mode
function isRunViaCLI(){
return !isset($_SERVER['REMOTE_ADDR']);
}
/******************************************************************************/
// Is this script run in CLI mode
function isRunViaInclude(){
return basename($_SERVER['SCRIPT_NAME']) != 'readMetadata.php';
}
?>
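Review bot: `isRun` in the new guard in logInfo() is an undefined bare constant, almost certainly a typo for the `isRunViaCLI()` call that the parallel change in logWarning() uses. On PHP 5 it degrades to the truthy string 'isRun' with an E_NOTICE, so the guard is a no-op and logInfo() keeps echoing its message into web responses whenever $developmentMode is on; PHP 7.2 turns that into a warning and PHP 8 into a fatal Error. Change the line to `if ($developmentMode && isRunViaCLI()){`. The logError() hunk is cut off right after its syslog() call, so I cannot see whether it has the same echo branch; if it does, it wants the same guard. The comment above isRunViaInclude() is a copy of the one above isRunViaCLI() and should describe what the function actually tests, e.g. `// Is this file being included by another script (entry script is not readMetadata.php)`.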
<?php // Copyright (c) 2014, SWITCH
<?php // Copyright (c) 2015, SWITCH
// Localized language strings for SWITCHwayf
// Make sure to use HTML entities instead of plain UTF-8 characters for
......
<?php // Copyright (c) 2014, SWITCH
<?php // Copyright (c) 2015, SWITCH
// This file is used to dynamically create the list of IdPs and SP to be
// displayed for the WAYF/DS service based on the federation metadata.
......@@ -17,14 +17,12 @@ if (!isset($_SERVER['SERVER_NAME'])){
require_once('functions.php');
require_once('config.php');
// Init log file
openlog("SWITCHwayf SAML Metadata Processing (readMetadata.php)", LOG_PID | LOG_PERROR, LOG_LOCAL0);
// Make sure this script is not accessed directly
if(isRunViaCLI()){
// Run in cli mode.
// Could be used for testing purposes or to facilitate startup confiduration.
// Results are dumped in $metadataIDPFile (see config.php)
// Init log file
openlog("SWITCHwayf.readMetadata.php", LOG_ODELAY, LOG_USER);
// Set default config options
initConfigOptions();
......@@ -293,18 +291,6 @@ function parseMetadata($metadataFile, $defaultLanguage){
return Array($metadataIDProviders, $metadataSProviders);
}
/******************************************************************************/
// Is this script run in CLI mode
function isRunViaCLI(){
return !isset($_SERVER['REMOTE_ADDR']);
}
/******************************************************************************/
// Is this script run in CLI mode
function isRunViaInclude(){
return basename($_SERVER['SCRIPT_NAME']) != 'readMetadata.php';
}
/******************************************************************************/
// Processes an IDPRoleDescriptor XML node and returns an IDP entry or false if
// something went wrong
......
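Review bot: Moving openlog() into the CLI branch also switches the facility from LOG_LOCAL0 to LOG_USER and drops LOG_PID and LOG_PERROR, a deployment-visible change the commit message does not mention: syslog rules that route local0 to a metadata-processing log go quiet, and an operator running readMetadata.php from cron or a shell no longer sees the messages on stderr. If LOG_USER is intended for consistency with WAYF.php, keep the CLI-friendly flags, `openlog("SWITCHwayf.readMetadata.php", LOG_PID | LOG_PERROR, LOG_USER);`, and note the facility change in the README. The comment `// Make sure this script is not accessed directly` now sits over `if(isRunViaCLI()){`, which only selects the CLI path; the web-path behaviour depends on the else branch outside this hunk. isRunViaCLI() has moved to functions.php, whose top-of-file guard (visible in its section above) exits when REMOTE_ADDR is unset — the same condition isRunViaCLI() tests — so a CLI run must have populated $_SERVER['REMOTE_ADDR'] before the require_once at the top of this hunk, presumably in the `if (!isset($_SERVER['SERVER_NAME']))` block the hunk header references; a one-line comment confirming that would save the next reader the trip.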
<?php // Copyright (c) 2014, SWITCH
<?php // Copyright (c) 2015, SWITCH
/*
******************************************************************************
......