Changed auth process for I2 login

internet2 · Jun 12, 2023 · 960154a · 960154a
1 parent dc1eabf
commit 960154a
Showing 1 changed file with 38 additions and 42 deletions.
diff --git a/Controller/GrouperGroupsController.php b/Controller/GrouperGroupsController.php
@@ -744,62 +744,42 @@ function isAuthorized()
   {
     $roles = $this->Role->calculateCMRoles();
 
-    //TODO - This is needed for my dev enviro since I do not log in via I2 IdP
-    // BEGIN ===============================================
-
+    /**
+     * The following code displays a few custom implementations of the
+     * login process used to crosswalk a user for Grouper authentication.
+     *
+     *  You may need to further customize this section to meet your organization
+     *  crosswalk needs.
+     */
+
+    /**
+     *  Default when login-id is the same as grouper id
+     */
+    // Default Begin ===============================================
 
     if ($this->Session->check('Auth.User.username')) {
         $this->userId = $this->Session->read('Auth.User.username');
     }
-    // END ===============================================
-
-    //TODO - Need to make the following code configurable in getting the user ID. In this case the code is
-    // specific to the needs of I2.
-    // BEGIN ===============================================
 
+    // Default End ===============================================
+
+    /**
+     *  Customized Crosswalk from login-id to Grouper Username
+     */
+    // Custom Begin ===============================================
     /*
-    $uid=$this->Session->read('Auth.User.co_person_id');
-    $username=$this->Session->read('Auth.User.username');
-    error_log("HUBING ================ " . $username);
-
-    switch ($username) {
-      case "chubing@internet2.edu":
-        error_log("username is " . $username);
-        $uid=32;
-        break;
-      case "pcaskey@internet2.edu":
-        error_log("username is " . $username);
-        $uid=28;
-        break;
-      case "ij@internet2.edu":
-        error_log("username is " . $username);
-        $uid=6842;
-        break;
-      case "aaschenbrener@internet2.edu":
-        error_log("username is " . $username);
-        $uid=13643;
-        // 12430 in dev
-        break;
-      case "sho@internet2.edu":
-        error_log("username is " . $username);
-        $uid=6103;
-        break;
-      case "wkaufman@internet2.edu":
-        error_log("username is " . $username);
-        $uid=6830;
-        break;
-    }
-    error_log("UID IS  ================ " . $uid);
+    $username = $this->Session->read('Auth.User.username');
 
     if ($this->Session->check('Plugin.Grouper.UserId')) {
       $this->userId = $this->Session->read('Plugin.Grouper.UserId');
     } else {
+      $uid          = $this->getPersonIdFromUsername($username);
       $this->userId = $this->getUserId($uid);
       $this->Session->write('Plugin.Grouper.UserId', $this->userId);
     }
-    
-    // END ===============================================
     */
+    // Custom End ===============================================
+
 
     // Determine what operations this user can perform
     // Construct the permission set for this user, which will also be passed to the view.
@@ -829,6 +809,22 @@ function isAuthorized()
     return ($p[$this->action]);
   }
 
+  private function getPersonIdFromUsername($username)
+  {
+    $args = array();
+    $args['conditions']['Identifier.identifier'] = $username;
+    $args['conditions']['Identifier.status'] = SuspendableStatusEnum::Active;
+    $args['conditions']['Identifier.deleted'] = false;
+    $args['conditions']['Identifier.identifier_id'] = null;
+    $args['conditions']['NOT']['Identifier.co_person_id'] = null;
+    $args['conditions']['Identifier.type'] = 'eppn';
+    $args['contain'] = false;
+
+    $Identifier = new Identifier();
+    $co_person_id = $Identifier->find('first', $args);
+
+    return $co_person_id['Identifier']['co_person_id'];
+  }
 
   private function getUserId($id)
   {