added aa-statistics script

dockerfiles/Dockerfile.nginx

@@ -56,6 +56,9 @@ COPY commul-customization/webpage/ /opt/nginx/html/
 RUN mkdir /opt/nginx/html/secure
 COPY commul-customization/shib_test.pl /opt/nginx/html/secure/
 
+# copy over aa-statistics script
+RUN mkdir /opt/nginx/html/php
+COPY commul-customization/aa-statistics.php /opt/nginx/html/php/
 # get aai project
 RUN apt-get install -y git
 RUN git clone https://github.com/ufal/lindat-aai-discovery.git /opt/repository/sources/lindat-aai-discovery

dockerfiles/commul-customization/aa-statistics.php

+<?php
+
+// redirect to the correct destination
+header('Location: ' . $_GET['return'], true, 302);
+
+
+// This script finds exported header names from shibboleth and sends them to an aggregator.
+//
+// The main goal is to monitor attribute release and provide a central place where "bad" IdPs can be
+// easily blackmailed...
+//
+// See: https://github.com/ufal/clarin-sp-aaggregator
+// by lindat-dev team (ok, jm)
+//
+
+//====== CONFIGURATION ======
+// REST api of the aggregator
+$aggregator_url='https://clarin-aa.ms.mff.cuni.cz/aaggreg/v1/got';
+//your SP entity id
+$sp='https://clarin.eurac.edu/Shibboleth.sso/Metadata';
+//====== /CONFIGURATION ======
+
+
+/**
+ * Build the request url and execute curl on it.
+ * @todo test asynch...
+ */
+function send_info($idp, $sp, $ts, $attrs, $suspicious) 
+{
+    global $aggregator_url, $sp;
+    $attributes_encoded = "attributes[]=" . implode('&attributes[]=', array_map('urlencode', $attrs));
+    // -g does not allow curl to interpret []{}
+    $cmd = "curl -g '$aggregator_url?idp=$idp&sp=$sp&timestamp=$ts&$attributes_encoded&warn=$suspicious'";
+    $cmd .= " > /dev/null 2>&1 &";
+    echo '<pre>'.$cmd.'</pre>';
+
+    //exec($cmd, $output, $exit);
+    return $exit == 0;
+}
+
+/**
+ * Array version of getenv - corner cases for 0, null etc.
+ */
+function getenvs($envarray, &$ret)
+{
+    foreach($envarray as $value)
+    {
+        $ret = getenv($value);
+        if ($ret) {
+            return true;
+        }
+    }
+    return false;
+}
+
+
+$idps = array();
+
+// we need the count so we can iterate over the exported assertions
+// - the env variable can be exposed under different names!
+//
+$assertion_count = 0;
+$assertion_count_name = "Shib-Assertion-Count";
+if (!getenvs(
+        array($assertion_count_name, str_replace('-','_',strtoupper("http_".$assertion_count_name))), 
+        $assertion_count
+    ))
+{
+    http_response_code(400);
+    echo("$assertion_count_name not found");
+    exit;
+}
+$assertion_count = (int)$assertion_count;
+
+
+// idp that was used to authenicate
+$idp = null;
+// timestamp
+$dt = new DateTime();
+$ts = $dt->format("Y-m-d\TH:i:s.z\Z");
+
+// obtain the assertions
+// - the env variable can be exposed under different names!
+//
+$assertion_link_attr_name = "Shib-Assertion-"; 
+$assertion_link_attr_name_upper = str_replace('-','_',strtoupper("http_". "Shib-Assertion-")); 
+for ($i=$assertion_count; 0 < $i; --$i) 
+{
+    // why would there be more than one assertion?
+    $n = str_pad($i, 2, "0", STR_PAD_LEFT);
+
+    //$n is 00, or 01
+    $assertion_link = "";
+    getenvs(array($assertion_link_attr_name . $n, $assertion_link_attr_name_upper . $n), $assertion_link);
+    
+    if(!empty($assertion_link))
+    {
+        $assertion_link = str_replace("https://" . getenv("SERVER_NAME"), "https://127.0.0.1", $assertion_link);
+        //TODO add a timeout
+        $xml = simplexml_load_file($assertion_link);
+        // echo $xml->asXML()."=====\n\n";
+        try{
+            $idp = (string)$xml->xpath('//*[local-name()="Issuer"]')[0];
+        } catch(Exception $e){
+            echo 'Caught exception: ',  $e->getMessage(), "\nProbably no Issuer or xml.\n";
+            exit;
+        }
+        if (!array_key_exists($idp, $idps)) 
+        {
+            $idps[$idp] = array();
+        }
+        foreach ($xml->xpath('//*[local-name()="Attribute"]/@Name') as $name)
+        {
+            array_push($idps[$idp], (string)$name);
+        }
+        // AudienceRestriction/Audience and NameID/@SPNameQualifier usually
+        // have the value of spEntityId, it's not guaranteed though.
+        //$sp = (string)$xml->xpath('//@SPNameQualifier')[0];
+    }
+}
+
+// anything strange?
+$suspicious = "";
+if (1 < count($idps)) {
+    $suspicious = "more than 1 idp";
+}
+
+// aggregate the info
+send_info($idp, $sp, $ts, $idps[$idp], $suspicious);
+
+exit;

dockerfiles/commul-customization/clarin.eurac.edu.template.metadata.xml

@@ -11,6 +11,10 @@
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                 <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
             </saml:Attribute>
+            <saml:Attribute 
+               xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>http://clarin.eu/category/clarin-member</saml:AttributeValue>
+            </saml:Attribute>
         </mdattr:EntityAttributes>
     </md:Extensions>
     <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">

dockerfiles/commul-customization/default-ssl

@@ -87,6 +87,12 @@ server {
 #    }
   }
 
+  location /php/aa-statistics.php {
+     shib_request /shibauthorizer;
+     include proxy_params;
+     proxy_pass http://apache;
+   }
+
   location /repository {
 
     client_body_buffer_size 32K;
@@ -163,7 +169,6 @@ server {
   }
  
   location /secure {
-    alias /opt/repository/sources/secure;
     include shib_clear_headers;
          #Add your attributes here. They get introduced as headers
          #by the FastCGI authorizer so we must prevent spoofing.

dockerfiles/commul-customization/shibboleth2.xml

@@ -26,6 +26,7 @@
         <Host name="clarin-dev.eurac.edu"
                 authType="shibboleth"
                 requireSession="true"
+				exportAssertion="true"
                 redirectToSSL="443">
             <Path name="/secure" />
         </Host>
@@ -36,6 +37,7 @@
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     <ApplicationDefaults entityID="https://clarin-dev.eurac.edu/Shibboleth.sso/Metadata"
                          REMOTE_USER="eppn persistent-id targeted-id"
+						 sessionHook="/php/aa-statistics.php"
                          cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
 
         <!--
@@ -47,8 +49,14 @@
         Note that while we default checkAddress to "false", this has a negative impact on the
         security of your site. Stealing sessions via cookie theft is much easier with this disabled.
         -->
-        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
-                  checkAddress="false" handlerSSL="false" cookieProps="http">
+        <Sessions lifetime="28800"
+				  timeout="3600"
+				  relayState="ss:mem"
+                  checkAddress="false"
+                  handlerSSL="false"
+				  cookieProps="http"
+				  exportLocation="/GetAssertion"
+                  exportACL="127.0.0.1">
 
             <!--
             Configures SSO for a default IdP. To allow for >1 IdP, remove