<?php

   /* IDEM + Entity Category + Custom SPs Attribute Release Policies:
    * 1) Release "eduPersonTargetedID" ONLY IF the preferred "<md:NameIDFormat>" of the SP
    *    IS NOT the "persistent" ones.
    * 2) Release the "eduPersonScopedAffiliation" to all IDEM SPs
    * 3) Release all required (isRequired="true") attributes to all IDEM SPs
    * 4) Release all required (isRequired="true") attributes to all CoCo SP
    * 5) Release all R&S subset attributes (mail,givenName,sn,displayName,eduPersonScopedAffiliation,eduPersonPrincipalName,eduPersonTargetedID)
    * 6) Release attributes to those SPs that do not request attributes by their metadata,
    *    or that has needed to receive a specific value for one or more attributes
    */

   use SimpleSAML\Logger;

   // Require the SimpleSAMLphp 'oid2name.php' file needed to use the $attributemap array
   require("/var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/attributemap/oid2name.php");

   $persistent_NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
   $sp_NameIDFormat = (isset($state["SPMetadata"]["NameIDFormat"])) ? $state["SPMetadata"]["NameIDFormat"] : "";
   $sp_attributes_all_array = [];
   $sp_attributes_required_array = [];
   $remaining_attributes = [];
   $sp_regAuth = (isset($state["SPMetadata"]["RegistrationInfo"]["authority"])) ? $state["SPMetadata"]["RegistrationInfo"]["authority"] : "";
   $sp_ec_array = [];
   $sp_subject_id_array = [];
   $subject_id = "subject-id";
   $pairwise_id = "pairwise-id";
   $any_id = "any";
   $esi = "https://myacademicid.org/entity-categories/esi";
   $coco = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1";
   $rs = "http://refeds.org/category/research-and-scholarship";
   $rs_attributes_allowed = [
      "mail",
      "givenName",
      "sn",
      "displayName",
      "eduPersonPrincipalName",
      "eduPersonScopedAffiliation",
      "eduPersonTargetedID"
   ];
   $sp_idem_attributes_allowed = [
      "mail",
      "eduPersonPrincipalName",
      "displayName",
      "eduPersonOrcid",
      "sn",
      "givenName",
      "eduPersonEntitlement",
      "cn",
      "eduPersonOrgDN",
      "title",
      "telephoneNumber",
      "eduPersonOrgUnitDN",
      "schacPersonalTitle",
      "schacPersonalUniqueID",
      "schacHomeOrganization",
      "schacHomeOrganizationType",
      "schacUserPresenceID",
      "mobile",
      "schacMotherTongue",
      "preferredLanguage",
      "schacGender",
      "schacDateOfBirth",
      "schacPlaceOfBirth",
      "schacCountryOfCitizenship",
      "schacSn1",
      "schacSn2",
      "schacCountryOfResidence",
      "schacPersonalUniqueCode",
      "schacExpiryDate",
      "schacUserPrivateAttribute",
      "schacUserStatus",
      "schacProjectMembership",
      "schacProjectSpecificRole",
      "schacYearOfBirth",
      "eduPersonNickname",
      "eduPersonPrimaryAffiliation",
      "eduPersonPrimaryOrgUnitDN",
      "eduPersonAssurance",
      "eduPersonPrincipalNamePrior",
      "eduPersonUniqueId"
   ];

   // Needed by persistence of Consent module
   if (empty($attributes["uid"])) {
      throw new Exception("Missing uid attribute.");
   }
   $uid = $attributes["uid"];

   if (isset($state["SPMetadata"]["EntityAttributes"]["http://macedir.org/entity-category"]))
      $sp_ec_array = $state["SPMetadata"]["EntityAttributes"]["http://macedir.org/entity-category"];

   if (isset($state["SPMetadata"]["EntityAttributes"]["urn:oasis:names:tc:SAML:profiles:subject-id:req"]))
      $sp_subject_id_array = $state["SPMetadata"]["EntityAttributes"]["urn:oasis:names:tc:SAML:profiles:subject-id:req"];

   // Transform OID (provided by Metadata) into Name
   if (isset($state["SPMetadata"]["attributes.required"])){
      foreach ($state["SPMetadata"]["attributes.required"] as $sp_req_attr){
         array_push($sp_attributes_required_array, $attributemap[$sp_req_attr]);
      }
   }

   // Transform OID (provided by Metadata) into Name
   if (isset($state["SPMetadata"]["attributes"])){
      foreach ($state["SPMetadata"]["attributes"] as $sp_req_attr){
         array_push($sp_attributes_all_array, $attributemap[$sp_req_attr]);
      }
   }

   if ($sp_regAuth == "http://www.idem.garr.it/"){
      // IF ePTID is NOT present as an <md:RequestedAttributes> 
      // and <md:NameIDFormat> is NOT 'persistent'
      // then ePTID has to be released to the IDEM SPs.
      if (strcmp($persistent_NameIDFormat, $sp_NameIDFormat) !== 0){
         array_push($remaining_attributes, "eduPersonTargetedID");
      }

      // epSA mandatory for IDEM SP a tutti, anche se non tra i RequestedAttributes
      array_push($remaining_attributes, "eduPersonScopedAffiliation");

      if ( ($state["SPMetadata"]["entityid"] == "https://sp.aai-test.garr.it/shibboleth") or 
           ($state["SPMetadata"]["entityid"] == "https://sp-demo.idem.garr.it/shibboleth") ){

           foreach ($sp_idem_attributes_allowed as $sp_idem_allowed_attr){
              array_push($remaining_attributes, $sp_idem_allowed_attr);
           }
      } else {

        // If ePTID is present as <md:RequestedAttributes> with isRequired="true"
        // and <md:NameIDFormat> 'persistent' is present
        // then ePTID has not to be released to the IDEM SPs.
        foreach ($sp_attributes_required_array as $sp_req_attr){
           if (strcmp("eduPersonTargetedID", $sp_req_attr) == 0)
              if (strcmp($persistent_NameIDFormat,$sp_NameIDFormat) == 0)
                 continue;
           //Else
           array_push($remaining_attributes, $sp_req_attr);
        }
      }
   }

   // Subject-ID and/or Pairwise-ID attribute release
   if ($sp_subject_id_array){
      foreach ($sp_subject_id_array as $sp_id){
	 if (strcmp($sp_id, $subject_id) == 0){
            array_push($remaining_attributes, "urn:oasis:names:tc:SAML:attribute:subject-id");
	 }

	 if ((strcmp($sp_id, $pairwise_id) == 0) or (strcmp($sp_id, $any_id) == 0)){
            array_push($remaining_attributes, "urn:oasis:names:tc:SAML:attribute:pairwise-id");
         }
      }
   }

   // EC Rules - R & S + CoCo:
   // 1) Check if the SP implements EC,
   // 2) For each EC supported by the IdP, check which ones are implemented by the SP
   //    and add the attributes to the resulting "$remaining_attributes" array

   if ($sp_ec_array){
      foreach ($sp_ec_array as $sp_ec){
         if (strcmp($sp_ec, $coco) == 0){
            foreach ($sp_attributes_required_array as $sp_required_attr){
               if (strcmp("eduPersonTargetedID", $sp_required_attr) == 0)
                  if (strcmp($persistent_NameIDFormat, $sp_NameIDFormat) == 0) continue;
               //Else
               array_push($remaining_attributes, $sp_required_attr);
            }
         }
         if (strcmp($sp_ec, $rs) == 0){
            foreach ($sp_attributes_all_array as $sp_requested_attr){
               if (in_array($sp_requested_attr, $rs_attributes_allowed)){
                  if (strcmp("eduPersonTargetedID", $sp_requested_attr) == 0)
                     if (strcmp($persistent_NameIDFormat, $sp_NameIDFormat) == 0)
                        continue;
                  //Else
                  array_push($remaining_attributes, $sp_requested_attr);
               }
            }
         }
         if (strcmp($sp_ec, $esi) == 0){
            $pattern = "/^urn:schac:personalUniqueCode:int:esi:.*$/";
            $sPUC_array = [];
            foreach ($attributes["schacPersonalUniqueCode"] as $sPUC_val)
               if (preg_match($pattern,$sPUC_val)){
                  array_push($sPUC_array, $sPUC_val);
                  array_push($remaining_attributes, "schacPersonalUniqueCode");
               }
            $attributes["schacPersonalUniqueCode"] = $sPUC_array;
         }
      }
   }

   // Into $remaining_attributes will be inserted all attributes to released
   // or nothing
   if ($remaining_attributes){

      // Unset all unallowed attributes
      foreach ($attributes as $key => $value){
         if (!in_array($key, array_unique($remaining_attributes)))
            unset($attributes[$key]);
      }

      $attributes["uid"] = $uid; // Needed by the persistence of Consent module
   }

   // Else the SP is not registered into IDEM or has not implemented any EC
   // so the $attributes array is kept untouched for other filters
   // OR the SP is registered into IDEM or has implemented an EC,
   // but needs other rules on the attributes released to it.

   switch ($state["SPMetadata"]["entityid"]){
      case "https://sdauth.sciencedirect.com/":
      case "https://www.tandfonline.com/shibboleth":
         if ($sp_regAuth == "http://www.idem.garr.it/"){
            $pattern = "/urn:mace:dir:entitlement:common-lib-terms/";
            $entitlement_allowed = [];

            if (isset($attributes["eduPersonEntitlement"])){
               foreach ($attributes["eduPersonEntitlement"] as $ent){
                  if (preg_match($pattern, $ent) == 1){
                     array_push($entitlement_allowed, $ent);
                  }
               }
            }
         }
         $attributes = [];
         $attributes["eduPersonEntitlement"] = $entitlement_allowed;
         $attributes["uid"] = $uid; // Needed by the persistence of Consent module
         break;
      case "https://proxy.prod.erasmus.eduteams.org/metadata/backend.xml":
         $pattern = "/^urn:schac:personalUniqueCode:int:esi:.*$/";
         $new_sPUC_array = [];

         if (isset($attributes["schacPersonalUniqueCode"])){
            foreach ($attributes["schacPersonalUniqueCode"] as $sPUC_val)
               if (preg_match($pattern,$sPUC_val))
                  array_push($new_sPUC_array, $sPUC_val);
         }
         $attributes["schacPersonalUniqueCode"] = $new_sPUC_array;
         $attributes["uid"] = $uid; // Needed by the persistence of Consent module
         break;
      case "https://cert-manager.com/shibboleth":
         $pattern = "/^urn:mace:terena.org:tcs:.*$/";
         $entitlement_allowed = [];
         $attributes_new = [];
         $attributes_allowed = [
            "eduPersonPrincipalName",
            "mail",
            "displayName",
            "givenName",
            "sn",
            "cn",
            "schacHomeOrganization",
            "eduPersonEntitlement"
         ];

         // Unset all unallowed attributes
         foreach ($attributes as $key => $value){
            if (!in_array($key, $attributes_allowed))
               unset($attributes[$key]);
         }

         $attributes["uid"] = $uid; // Needed by the persistence of Consent module
         break;
      case "https://pubs.acs.org/shibboleth":
         $attributes_allowed = [
            "eduPersonTargetedID",
            "eduPersonScopedAffiliation"
         ];

         // Unset all unallowed attributes
         foreach ($attributes as $key => $value){
            if (!in_array($key, $attributes_allowed))
               unset($attributes[$key]);
         }

         if (strcmp($persistent_NameIDFormat, $sp_NameIDFormat) == 0)
            unset($attributes["eduPersonTargetedID"]);

         $attributes["uid"] = $uid; // Needed by the persistence of Consent module
         break;
      case "https://oneId.wolterskluwer.com/oa/entity":
         $attributes_allowed = [
            "mail",
            "givenName",
            "sn"
         ];

         // Unset all unallowed attributes
         foreach ($attributes as $key => $value){
            if (!in_array($key, $attributes_allowed))
               unset($attributes[$key]);
         }

         $attributes["uid"] = $uid; // Needed by the persistence of Consent module
         break;
      case "https://www.mathworks.com/edu-sp":
         $attributes_allowed = [
            "eduPersonTargetedID",
            "mail",
            "givenName",
            "sn",
            "eduPersonScopedAffiliation"
         ];
         $attributes_new = [];
         $epsa_allowed = [];

         // Unset all unallowed attributes
         foreach ($attributes as $key => $value){
            if (!in_array($key, $attributes_allowed))
               unset($attributes[$key]);
         }

         foreach ($attributes["eduPersonScopedAffiliation"] as $epsa)
            if (preg_match("/(^student)|(^faculty)|(^staff)|(^employee)/", $epsa))
                   array_push($epsa_allowed, $epsa);

         $attributes["eduPersonScopedAffiliation"] = $epsa_allowed;

         if (strcmp($persistent_NameIDFormat, $sp_NameIDFormat) == 0)
            unset($attributes["eduPersonTargetedID"]);

         $attributes["uid"] = $uid; // Needed by the persistence of Consent module
         break;
      case "https://iam.atypon.com/shibboleth":
         $attributes_allowed = [
            "eduPersonScopedAffiliation"
         ];

         // Unset all unallowed attributes
         foreach ($attributes as $key => $value){
            if (!in_array($key, $attributes_allowed))
               unset($attributes[$key]);
         }

         $attributes["uid"] = $uid; // Needed by the persistence of Consent module
         break;
      default:
         // If the SP has been not considered by the previously cases
         // and it is not an IDEM SP
         // than the IdP does not release any attributes.
         if ($sp_regAuth != "http://www.idem.garr.it/" and empty($remaining_attributes)) $attributes = [];
         $attributes["uid"] = $uid; // Needed by the persistence of Consent module
   }

   foreach ($attributes as $key => $value){
      if (empty($attributes[$key]))
         Logger::debug($state["SPMetadata"]["entityid"].' - '.$key.' attribute is not valued');
   }

?>