simplification: output directly from included templates

53c3b122 · Guillaume ROUSSE · 86927a24 · 53c3b122 · 53c3b122 · 53c3b122
Commit 53c3b122 authored 7 years ago by Guillaume ROUSSE
--- a/bin/account-manager.pl.in
+++ b/bin/account-manager.pl.in
@@ -147,6 +147,7 @@ sub list_accounts {
            IdPAccountManager::Tools::update_ssp_authsources(
                $configuration->{templates_dir},
                $configuration->{idp_accounts_file},
+                $configuration->{idp_scope},
                $accounts
            );
        };

--- a/lib/IdPAccountManager/Tools.pm
+++ b/lib/IdPAccountManager/Tools.pm
@@ -6,23 +6,6 @@ use warnings;
 use Digest::SHA;
 use Encode;
 use Template;
-use Template::Stash;
-
-INIT {
-    ## a TT2 virtual method to get a variable type
-    $Template::Stash::LIST_OPS->{isa} = sub {
-        my ($list, $type) = @_;
-
-        return 1 if ($type eq 'ARRAY');
-        return 0;
-    };
-    $Template::Stash::SCALAR_OPS->{isa} = sub {
-        my ($list, $type) = @_;
-
-        return 1 if ($type eq 'SCALAR');
-        return 0;
-    };
-}

 # get SHA256 hash for a string
 sub sha256_hash {
@@ -80,14 +63,15 @@ sub generate_password {

 ## Updates simpleSamlPhp authsources.php configuration file
 sub update_ssp_authsources {
-    my ($templates_dir, $output, $accounts) = @_;
+    my ($templates_dir, $output, $idp_scope, $accounts) = @_;

    my $tt2 = Template->new({
        INCLUDE_PATH => $templates_dir
    });
    my $template = 'accountProfiles/valid-accounts.php.tt2';
    my $data = {
-        accounts => $accounts
+        accounts  => $accounts,
+        idp_scope => $idp_scope
    };

    $tt2->process($template, $data, $output) or die $tt2->error();

--- a/lib/IdPAccountManager/WebRequest.pm
+++ b/lib/IdPAccountManager/WebRequest.pm
@@ -489,7 +489,8 @@ sub req_validate_token {
    IdPAccountManager::Tools::update_ssp_authsources(
            $self->{configuration}->{templates_dir},
            $self->{configuration}->{idp_accounts_file},
-            \@accounts
+            $self->{configuration}->{idp_scope},
+            \@accounts,
        );
    };
    if ($EVAL_ERROR) {

--- a/templates/accountProfiles/alumni1.tt2
+++ b/templates/accountProfiles/alumni1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Alumni',
-	'comment' => 'Value "member" is not set for eduPersonAffiliation, contrary to current students.',
-  	'internal_uid' => "user${account_id}",
-	'eduPersonAffiliation' => ['alum'],
-	'eduPersonScopedAffiliation' => ["alum@${conf.idp_scope}"],
-        'displayName' => 'Åsold Wahlstrøm - eduGAIN Access Check account',
-        'cn' => 'Åsold Wahlstrøm - eduGAIN Access Check account',
-        'mail' => "asold.wahlstrom@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-        'schacHomeOrganization' => "${conf.idp_scope}",
-        'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:int:other',
-} %]
-
+        /*
+            profile type: alumni
+            Value "member" is not set for eduPersonAffiliation, contrary to 
+            current students
+        */ 
+        'internal_uid' => 'user[% account.id() %]',
+        'cn'           => 'Åsold Wahlstrøm - eduGAIN Access Check account',
+        'displayName'  => 'Åsold Wahlstrøm - eduGAIN Access Check account',
+        'mail'         => 'asold.wahlstrom@[% idp_scope %]',
+        'eduPersonAffiliation'       => ['alum'],
+        'eduPersonScopedAffiliation' => ['alum@[% idp_scope %]'],
+        'eduPersonPrincipalName'     => '[% account.id() %]@[% idp_scope %]',
+        'schacHomeOrganization'      => '[% idp_scope %]',
+        'schacHomeOrganizationType'  => 'urn:schac:homeOrganizationType:int:other',
--- a/templates/accountProfiles/employee1.tt2
+++ b/templates/accountProfiles/employee1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Employee',
-	'comment' => 'There are conflicting definitions of "staff" and "employee" from country to country that make those values particularly unreliable in any international context. However in this example we set both values.',
-  	'internal_uid' => "user${account_id}",
-	'eduPersonAffiliation' => ['member','staff','employee'],
-	'eduPersonScopedAffiliation' => ["member@${conf.idp_scope}","staff@${conf.idp_scope}","employee@${conf.idp_scope}"],
-        'displayName' => 'Linnéa Hsu - eduGAIN Access Check account',
-        'cn' => 'Linnéa Hsu - eduGAIN Access Check account',
-        'mail' => "linnea.hsu@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-        'schacHomeOrganization' => "${conf.idp_scope}",
-        'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:int:other',
-} %]
-
+        /*
+            profile type: employee
+            There are conflicting definitions of "staff" and "employee" from
+            country to country that make those values particularly unreliable
+            in any international context. However in this example we set both
+            values
+        */ 
+        'internal_uid' => 'user[% account.id() %]',
+        'cn'           => 'Linnéa Hsu - eduGAIN Access Check account',
+        'displayName'  => 'Linnéa Hsu - eduGAIN Access Check account',
+        'mail'         => 'linnea.hsu@[% idp_scope %]',
+        'eduPersonAffiliation'       => ['member','staff','employee'],
+        'eduPersonScopedAffiliation' => ['member@[% idp_scope %]','staff@[% idp_scope %]','employee@[% idp_scope %]'],
+        'eduPersonPrincipalName'     => '[% account.id() %]@[% idp_scope %]',
+        'schacHomeOrganization'      => '[% idp_scope %]',
+        'schacHomeOrganizationType'  => 'urn:schac:homeOrganizationType:int:other',
--- a/templates/accountProfiles/fullset1.tt2
+++ b/templates/accountProfiles/fullset1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'FullSet',
-	'comment' => "This user profile respresents a researcher with all eduGAIN user attributes plus givenName and surname.",
-  	'internal_uid' => "user${account_id}",
-	'eduPersonAffiliation' => ['member', 'faculty'],
-	'eduPersonScopedAffiliation' => ["member@${conf.idp_scope}", "faculty@${conf.idp_scope}"],
-        'displayName' => 'Gundabald Lightfoot - eduGAIN Access Check account',
-        'cn' => 'Gundabald Lightfoot - eduGAIN Access Check account',
-        'givenName' => 'Gundabald',
-        'sn' => 'Lightfoot - eduGAIN Access Check account',
-        'mail' => "gundabald.lightfoot@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-        'schacHomeOrganization' => "${conf.idp_scope}",
-        'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:int:other',
-} %]
-
-
+        /*
+            profile type: full set
+            This user profile respresents a researcher with all eduGAIN user
+            attributes plus givenName and surname.",
+        */
+        'internal_uid' => 'user[% account.id() %]',
+        'cn'           => 'Gundabald Lightfoot - eduGAIN Access Check account',
+        'displayName'  => 'Gundabald Lightfoot - eduGAIN Access Check account',
+        'givenName'    => 'Gundabald',
+        'sn'           => 'Lightfoot - eduGAIN Access Check account',
+        'mail'         => 'gundabald.lightfoot@[% idp_scope %]',
+        'eduPersonAffiliation'       => ['member', 'faculty'],
+        'eduPersonScopedAffiliation' => ['member@[% idp_scope %]', 'faculty@[% idp_scope %]'],
+        'eduPersonPrincipalName'     => '[% account.id() %]@[% idp_scope %]',
+        'schacHomeOrganization'      => '[% idp_scope %]',
+        'schacHomeOrganizationType'  => 'urn:schac:homeOrganizationType:int:other',
--- a/templates/accountProfiles/generic1.tt2
+++ b/templates/accountProfiles/generic1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Generic',
-	'comment' => 'This account provides a limited set of user attributes (eduPersonPrincipalName, mail and displayName).',
-  	'internal_uid' => "user${account_id}",
-        'displayName' => '山崎 弘子樫野 陽子 - eduGAIN Access Check account',
-        'mail' => "forearartian@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-} %]
-
-
+        /*
+            profile type: generic
+            This account provides a limited set of user attributes
+            (eduPersonPrincipalName, mail and displayName)
+        */
+        'internal_uid' => 'user[% account.id() %]',
+        'displayName'  => '山崎 弘子樫野 陽子 - eduGAIN Access Check account',
+        'mail'         => 'forearartian@[% idp_scope %]',
+        'eduPersonPrincipalName' => '[% account.id() %]@[% idp_scope %]',
--- a/templates/accountProfiles/librarywalkin1.tt2
+++ b/templates/accountProfiles/librarywalkin1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Library walk-in',
-	'comment' => 'This term was created to cover the case where physical presence in a library facility grants someone access to electronic resources typically licensed for faculty, staff and students. In recent years the library walk-in provision has been extended to cover other cases such as library users on the campus network, or those using on-campus workstations. Licensed resource providers have often been willing to interpret their contracts with licensees to accept this broader definition of "library-walk-in," though specific terms may vary. For a more direct way of using eduPerson attributes to express library privilege information, see the eduPersonEntitlement value "urn:mace:dir:entitlement:common-lib-terms" as defined in the MACE-Dir Registry of eduPersonEntitlement values <a href="http://middleware.internet2.edu/urn-mace/urn-mace-dir-entitlement.html">http://middleware.internet2.edu/urn-mace/urn-mace-dir-entitlement.html</a>.',
-  	'internal_uid' => "user${account_id}",
-	'eduPersonAffiliation' => ['library-walk-in'],
-	'eduPersonScopedAffiliation' => ["library-walk-in@${conf.idp_scope}"],
-        'displayName' => 'Ramón Núñez - eduGAIN Access Check account',
-        'cn' => 'Ramón Núñez - eduGAIN Access Check account',
-        'mail' => "ramon.nunez@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-        'schacHomeOrganization' => "${conf.idp_scope}",
-        'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:int:other',
-	'eduPersonEntitlement' => 'urn:mace:dir:entitlement:common-lib-terms',
-} %]
-
+        /*
+            profile type: library walk-in
+            This term was created to cover the case where physical presence in
+            a library facility grants someone access to electronic resources
+            typically licensed for faculty, staff and students. In recent years
+            the library walk-in provision has been extended to cover other
+            cases such as library users on the campus network, or those using
+            on-campus workstations.  Licensed resource providers have often
+            been willing to interpret their contracts with licensees to accept
+            this broader definition of "library-walk-in," though specific terms
+            may vary. For a more direct way of using eduPerson attributes to
+            express library privilege information, see the eduPersonEntitlement
+            value "urn:mace:dir:entitlement:common-lib-terms" as defined in the
+            MACE-Dir Registry of eduPersonEntitlement values http://middleware.internet2.edu/urn-mace/urn-mace-dir-entitlement.html
+        */
+        'internal_uid' => 'user[% account.id() %]',
+        'cn'           => 'Ramón Núñez - eduGAIN Access Check account',
+        'displayName'  => 'Ramón Núñez - eduGAIN Access Check account',
+        'mail'         => 'ramon.nunez@[% idp_scope %]',
+        'eduPersonAffiliation'       => ['library-walk-in'],
+        'eduPersonScopedAffiliation' => ['library-walk-in@[% idp_scope %]'],
+        'eduPersonPrincipalName'     => '[% account.id() %]@[% idp_scope %]',
+        'eduPersonEntitlement'       => 'urn:mace:dir:entitlement:common-lib-terms',
+        'schacHomeOrganization'      => '[% idp_scope %]',
+        'schacHomeOrganizationType'  => 'urn:schac:homeOrganizationType:int:other',
--- a/templates/accountProfiles/limitedset1.tt2
+++ b/templates/accountProfiles/limitedset1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'LimitedSet',
-	'comment' => 'This account provides only an eduPersonTargetedID attribute.',
-  	'internal_uid' => "user${account_id}",
-} %]
-
-
+        /*
+            profile type: limited set
+            This account provides only an eduPersonTargetedID attribute
+        */
+        'internal_uid' => 'user[% account.id() %]',
--- a/templates/accountProfiles/researcher1.tt2
+++ b/templates/accountProfiles/researcher1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Researcher',
-	'comment' => "No standard value for eduPersonAffiliation can be used to represent a researcher. Therefore you can't differenciate a teacher from a researcher.",
-  	'internal_uid' => "user${account_id}",
-	'eduPersonAffiliation' => ['member', 'faculty'],
-	'eduPersonScopedAffiliation' => ["member@${conf.idp_scope}", "faculty@${conf.idp_scope}"],
-        'displayName' => 'Stéphane Larivière - eduGAIN Access Check account',
-        'cn' => 'Stéphane Larivière - eduGAIN Access Check account',
-        'mail' => "stephane.lariviere@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-        'schacHomeOrganization' => "${conf.idp_scope}",
-        'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:int:other',
-} %]
-
-
+        /*
+            profile type: researcher
+            No standard value for eduPersonAffiliation can be used to represent
+            a researcher. Therefore you can't differenciate a teacher from a
+            researcher
+        */
+        'internal_uid' => 'user[% account.id() %]',
+        'cn'           => 'Stéphane Larivière - eduGAIN Access Check account',
+        'displayName'  => 'Stéphane Larivière - eduGAIN Access Check account',
+        'mail'         => 'stephane.lariviere@[% idp_scope %]',
+        'eduPersonAffiliation'       => ['member', 'faculty'],
+        'eduPersonScopedAffiliation' => ['member@[% idp_scope %]', 'faculty@[% idp_scope %]'],
+        'eduPersonPrincipalName'     => '[% account.id() %]@[% idp_scope %]',
+        'schacHomeOrganization'      => '[% idp_scope %]',
+        'schacHomeOrganizationType'  => 'urn:schac:homeOrganizationType:int:other',
--- a/templates/accountProfiles/student1.tt2
+++ b/templates/accountProfiles/student1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Student',
-	'comment' => 'An active student has both "member" and "student" values set for eduPersonAffiliation.',
-  	'internal_uid' => "user${account_id}",
-	'eduPersonAffiliation' => ['member', 'student'],
-	'eduPersonScopedAffiliation' => ["member@${conf.idp_scope}","student@${conf.idp_scope}"],
-        'displayName' => 'Ciarán MacCárthaigh - eduGAIN Access Check account',
-        'cn' => 'Ciarán MacCárthaigh - eduGAIN Access Check account',
-        'mail' => "ciaran.maccarthaigh@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-        'schacHomeOrganization' => "${conf.idp_scope}",
-        'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:int:other',
-} %]
-
+        /*
+            profile type: student
+            An active student has both "member" and "student" values set for
+            eduPersonAffiliation
+        */
+        'internal_uid' => 'user[% account.id() %]',
+        'cn'           => 'Ciarán MacCárthaigh - eduGAIN Access Check account',
+        'displayName'  => 'Ciarán MacCárthaigh - eduGAIN Access Check account',
+        'mail'         => 'ciaran.maccarthaigh@[% idp_scope %]',
+        'eduPersonAffiliation'       => ['member', 'student'],
+        'eduPersonScopedAffiliation' => ['member@[% idp_scope %]','student@[% idp_scope %]'],
+        'eduPersonPrincipalName'     => '[% account.id() %]@[% idp_scope %]',
+        'schacHomeOrganization'      => '[% idp_scope %]',
+        'schacHomeOrganizationType'  => 'urn:schac:homeOrganizationType:int:other',
--- a/templates/accountProfiles/student2.tt2
+++ b/templates/accountProfiles/student2.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Student',
-	'comment' => 'A PhD student, having three values set for eduPersonAffiliation: "member" and "student" and "faculty".',
-  	'internal_uid' => "user${account_id}",
-	'eduPersonAffiliation' => ['member', 'student','faculty'],
-	'eduPersonScopedAffiliation' => ["member@${conf.idp_scope}","student@${conf.idp_scope}","faculty@${conf.idp_scope}"],
-        'displayName' => 'Damiën Kuijper - eduGAIN Access Check account',
-        'cn' => 'Damiën Kuijper - eduGAIN Access Check account',
-        'mail' => "damien.kuijper@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-        'schacHomeOrganization' => "${conf.idp_scope}",
-        'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:int:other',
-} %]
+        /*
+            profile type: student
+            A PhD student, having three values set for eduPersonAffiliation:
+            "member" and "student" and "faculty"
+        */

+        'internal_uid' => 'user[% account.id() %]',
+        'cn'           => 'Damiën Kuijper - eduGAIN Access Check account',
+        'displayName'  => 'Damiën Kuijper - eduGAIN Access Check account',
+        'mail'         => 'damien.kuijper@[% idp_scope %]',
+        'eduPersonAffiliation'       => ['member', 'student','faculty'],
+        'eduPersonScopedAffiliation' => ['member@[% idp_scope %]','student@[% idp_scope %]','faculty@[% idp_scope %]'],
+        'eduPersonPrincipalName'     => '[% account.id() %]@[% idp_scope %]',
+        'schacHomeOrganization'      => '[% idp_scope %]',
+        'schacHomeOrganizationType'  => 'urn:schac:homeOrganizationType:int:other',
--- a/templates/accountProfiles/teacher1.tt2
+++ b/templates/accountProfiles/teacher1.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Teacher',
-	'comment' => 'An active teacher has both "member" and "faculty" values set for eduPersonAffiliation.',
-  	'internal_uid' => "user${account_id}",
-	'eduPersonAffiliation' => ['member', 'faculty'],
-	'eduPersonScopedAffiliation' => ["member@${conf.idp_scope}", "faculty@${conf.idp_scope}"],
-        'displayName' => 'Peter Müller - eduGAIN Access Check account',
-        'cn' => 'Peter Müller - eduGAIN Access Check account',
-        'mail' => "peter.muller@${conf.idp_scope}",
-        'eduPersonPrincipalName' =>"${account_id}@${conf.idp_scope}",
-        'schacHomeOrganization' => "${conf.idp_scope}",
-        'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:int:other',
-} %]
-
-
+        /*
+            profile type: teacher
+            An active teacher has both "member" and "faculty" values set for
+            eduPersonAffiliation
+        */
+        'internal_uid' => 'user[% account.id() %]',
+        'cn'           => 'Peter Müller - eduGAIN Access Check account',
+        'displayName'  => 'Peter Müller - eduGAIN Access Check account',
+        'mail'         => 'peter.muller@[% idp_scope %]',
+        'eduPersonAffiliation'       => ['member', 'faculty'],
+        'eduPersonScopedAffiliation' => ['member@[% idp_scope %]', 'faculty@[% idp_scope %]'],
+        'eduPersonPrincipalName'     => '[% account.id() %]@[% idp_scope %]',
+        'schacHomeOrganization'      => '[% idp_scope %]',
+        'schacHomeOrganizationType'  => 'urn:schac:homeOrganizationType:int:other',
--- a/templates/accountProfiles/teacher2.tt2
+++ b/templates/accountProfiles/teacher2.tt2
-[% account_sp_entityid = account.sp_entityid() %]
-[% account_id = account.id() %]
-
-[% SET account_profile = {
-	'type' => 'Teacher',
-	'comment' => 'This account provides a limited set of user attributes (eduPersonScopedAffiliation and eduPersonTargetedID).',
-  	'internal_uid' => "user${account_id}",
-	'eduPersonScopedAffiliation' => ["member@${conf.idp_scope}", "faculty@${conf.idp_scope}"],
-} %]
-
-
+        /*
+            profile type: teacher
+            This account provides a limited set of user attributes
+            (eduPersonScopedAffiliation and eduPersonTargetedID)
+        */
+        'internal_uid' => 'user[% account.id() %]',
+        'eduPersonScopedAffiliation' => ['member@[% idp_scope %]', 'faculty@[% idp_scope %]'],
--- a/templates/accountProfiles/valid-accounts.php.tt2
+++ b/templates/accountProfiles/valid-accounts.php.tt2
 <?php
-// template for a PhP configuration file loaded in simpleSamlPhp authsources.php file
+// PhP configuration file loaded in simpleSamlPhp authsources.php file
 $validTestAccounts = array (
    'authcrypt:Hash',

 [% FOREACH account IN accounts %]
-  [% PROCESS "accountProfiles/${account.account_profile()}.tt2" %]
-  'user[% account.id() %]:{SHA256}[% account.user_password_hash() %]=' => array(
-  [% FOREACH attribute IN account_profile.pairs -%]
-   [% NEXT IF attribute.key.match('^(type|comment)$') %]
-   [% IF attribute.value.isa('SCALAR') -%]
-	'[% attribute.key %]' => '[% attribute.value %]',
-   [% ELSE -%]
-	'[% attribute.key %]' => array('[% attribute.value.join("','") %]'),
-   [% END %]
-  [% END %]
-        'associatedSP' => "[% account.sp_entityid() %]",
-
-  ),
+    'user[% account.id() %]:{SHA256}[% account.user_password_hash() %]=' => array(
+[% INCLUDE "accountProfiles/${account.account_profile()}.tt2" -%]
+        'associatedSP'               => '[% account.sp_entityid() %]',
+    ),

 [% END %]
 );