From e7b830673da798e498a16b68e67257553f6c4384 Mon Sep 17 00:00:00 2001
From: Leone25 <39310565+Leone25@users.noreply.github.com>
Date: Tue, 30 Apr 2024 21:31:48 +0200
Subject: [PATCH 1/9] Now with added Sugo!

---
 public/index.php       |   3 +-
 public/sir.php         |   2 +-
 public/sugo.php        |  58 +++++++++++
 src/Authentication.php |  13 +++
 src/Ldap.php           |  15 ++-
 templates/index.php    |   2 +
 templates/navbar.php   |   3 +
 templates/sugo.php     | 226 +++++++++++++++++++++++++++++++++++++++++
 8 files changed, 315 insertions(+), 7 deletions(-)
 create mode 100644 public/sugo.php
 create mode 100644 templates/sugo.php

diff --git a/public/index.php b/public/index.php
index 04ce537..95f1458 100644
--- a/public/index.php
+++ b/public/index.php
@@ -10,5 +10,6 @@
 echo $template->render('index', [
 	'uid' => $_SESSION['uid'],
 	'id' => $_SESSION['id'],
-	'name' => $_SESSION['cn']
+	'name' => $_SESSION['cn'],
+	'hasSignedSIR' => $_SESSION['signedsir'],
 ]);
diff --git a/public/sir.php b/public/sir.php
index f8dae35..063317a 100644
--- a/public/sir.php
+++ b/public/sir.php
@@ -9,7 +9,7 @@
 
 require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
 Authentication::requireLogin();
-if (!Authentication::isAdmin()) {
+if (!Authentication::isAdmin() && !isset($_GET['uid']) && $_GET['uid'] !== $_SESSION['uid']) {
 	$template = Template::create();
 	echo $template->render('403');
 	exit;
diff --git a/public/sugo.php b/public/sugo.php
new file mode 100644
index 0000000..544bbf3
--- /dev/null
+++ b/public/sugo.php
@@ -0,0 +1,58 @@
+<?php
+
+namespace WEEEOpen\Crauto;
+
+use DateTimeZone;
+
+require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
+Authentication::requireLogin();
+
+
+
+$ldap = new Ldap(
+	CRAUTO_LDAP_URL,
+	CRAUTO_LDAP_BIND_DN,
+	CRAUTO_LDAP_PASSWORD,
+	CRAUTO_LDAP_USERS_DN,
+	CRAUTO_LDAP_GROUPS_DN,
+	CRAUTO_LDAP_STARTTLS
+);
+
+$users = [];
+$selectedUser = null;
+if (Authentication::isAdmin()) {
+	$ldap = new Ldap(
+		CRAUTO_LDAP_URL,
+		CRAUTO_LDAP_BIND_DN,
+		CRAUTO_LDAP_PASSWORD,
+		CRAUTO_LDAP_USERS_DN,
+		CRAUTO_LDAP_GROUPS_DN,
+		CRAUTO_LDAP_STARTTLS
+	);
+	$users = $ldap->getUsers(['givenname','sn','signedsir','nsaccountlock', 'mail']);
+	if (isset($_GET['uid'])) {
+		$selectedUser = $_GET['uid'];
+	}
+} else {
+	$users = [$ldap->getUser($_SESSION['uid'], ['givenname','sn','signedsir','nsaccountlock', 'mail'])];
+	$selectedUser = $_SESSION['uid'];
+}
+
+$mappedUsers = [];
+foreach ($users as $user) {
+	$mappedUsers[] = [
+		'id' => $user['uid'],
+		'name' => $user['givenname'] . ' ' . $user['sn'],
+		'needsToSign' => !($user['signedsir'] ?? false),
+		'isBlocked' => !($user['nsaccountlock'] ?? false),
+		'email' => $user['mail']
+	];
+}
+
+$template = Template::create();
+$template->addData(['currentSection' => 'sugo'], 'navbar');
+
+echo $template->render('sugo', [
+	'users' => $mappedUsers,
+	'selectedUser' => $selectedUser
+]);
\ No newline at end of file
diff --git a/src/Authentication.php b/src/Authentication.php
index 396e6e6..70c4b76 100644
--- a/src/Authentication.php
+++ b/src/Authentication.php
@@ -81,6 +81,7 @@ public static function authenticate()
 			$_SESSION['uid'] = 'test.administrator';
 			$_SESSION['id'] = 'fake:example:68048769-c06d-4873-adf6-dbfa6b0afcd3';
 			$_SESSION['cn'] = 'Test Administrator';
+			$_SESSION['hasSignedSIR'] = false;
 			$_SESSION['groups'] = ['HR'];
 			$_SESSION['expires'] = PHP_INT_MAX;
 			$_SESSION['refresh_token'] = 'refresh_token';
@@ -307,9 +308,21 @@ private static function setAttributes(OpenIDConnectClient $oidc, $claims = null,
 		$refresh_token = $oidc->getRefreshToken();
 		$id_token = $idt ?? $oidc->getIdToken();
 
+		$ldap = new Ldap(
+			CRAUTO_LDAP_URL,
+			CRAUTO_LDAP_BIND_DN,
+			CRAUTO_LDAP_PASSWORD,
+			CRAUTO_LDAP_USERS_DN,
+			CRAUTO_LDAP_GROUPS_DN,
+			CRAUTO_LDAP_STARTTLS
+		);
+
+		$ldapInfo = $ldap->getUser($uid, ['signedsir']);
+
 		$_SESSION['uid'] = $uid;
 		$_SESSION['id'] = $id;
 		$_SESSION['cn'] = $cn;
+		$_SESSION['signedsir'] = $ldapInfo['signedsir'] ?? false; // This won't updated until the next login but good enough
 		$_SESSION['groups'] = $groups;
 		$_SESSION['expires'] = $exp;
 
diff --git a/src/Ldap.php b/src/Ldap.php
index 74f4abd..40d442f 100644
--- a/src/Ldap.php
+++ b/src/Ldap.php
@@ -33,7 +33,8 @@ class Ldap
 			'weeelabnickname' => ['io'],
 			'websitedescription' => "Il capo supremo\nSu due righe",
 			'description' => '',
-			'nsaccountlock' => null
+			'nsaccountlock' => null,
+			'mail' => 'admin@example.com',
 		],
 		'alice' => [
 			'uid' => 'alice',
@@ -53,7 +54,8 @@ class Ldap
 			'weeelabnickname' => [],
 			'websitedescription' => 'Persona',
 			'description' => '',
-			'nsaccountlock' => 'true'
+			'nsaccountlock' => 'true',
+			'mail' => 'alice@example.com',
 		],
 		'brodino' => [
 			'uid' => 'brodino',
@@ -72,7 +74,8 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'telegramnickname' => 'brodino'
+			'telegramnickname' => 'brodino',
+			'mail' => 'brodino@example.com',
 		],
 		'bob' => [
 			'uid' => 'bob',
@@ -92,7 +95,8 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'nsaccountlock' => null
+			'nsaccountlock' => null,
+			'mail' => 'bob@example.com',
 		],
 		'broski' => [
 			'uid' => 'broski',
@@ -111,7 +115,8 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'telegramid' => '123456789'
+			'telegramid' => '123456789',
+			'mail' => 'bro@example.com',
 		],
 	];
 	private const EXAMPLE_GROUPS = ['Admin', 'Persone', 'Cloud'];
diff --git a/templates/index.php b/templates/index.php
index 0d4bd64..e48da56 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -2,10 +2,12 @@
 /** @var $uid string */
 /** @var $id string */
 /** @var $name string */
+/** @var $signedsir bool */
 $this->layout('base', ['title' => 'Welcome']) ?>
 
 <h1>Crauto</h1>
 <small>Creatore e Rimuovitore Autogestito di Utenti che Tutto Offre</small>
+<?php if (!$signedsir) echo "<p class=\"alert alert-warning\">You still haven't signed your SIR! <a href=\"/sugo.php?uid=" . urlencode($uid) . "\" class=\"btn btn-outline-warning text-right\" >Generate document</a></p>"; ?>
 <p>Hi <?= $name ?>, your username is <?= $uid ?> and your ID is <?= $id ?></p>
 <h2>Enabled services</h2>
 <p>What can I access with this account?</p>
diff --git a/templates/navbar.php b/templates/navbar.php
index 547cc35..40698da 100644
--- a/templates/navbar.php
+++ b/templates/navbar.php
@@ -16,6 +16,9 @@
 					<li class="nav-item">
 						<a class="nav-link <?= $currentSection === 'personal' ? 'active' : '' ?>" href="/personal.php">Personal</a>
 					</li>
+					<li class="nav-item">
+						<a class="nav-link <?= $currentSection === 'sugo' ? 'active' : '' ?>" href="/sugo.php">Sugo</a>
+					</li>
 					<li class="nav-item">
 						<a class="nav-link <?= $currentSection === 'authentication' ? 'active' : '' ?>"
 						   href="/authentication.php">Authentication</a>
diff --git a/templates/sugo.php b/templates/sugo.php
new file mode 100644
index 0000000..cf38796
--- /dev/null
+++ b/templates/sugo.php
@@ -0,0 +1,226 @@
+<?php
+$this->layout('base', ['title' => 'Welcome']) ?>
+
+<script src="https://unpkg.com/vue@3/dist/vue.global.js"></script>
+<script src="https://unpkg.com/pdf-lib/dist/pdf-lib.min.js"></script>
+
+<div id="app" class="sugo"></div>
+<script>
+	const app = Vue.createApp({
+		data() {
+			return {
+				users: <?= json_encode($users) ?>,
+				selectedUser: <?= $selectedUser ? "'" . str_replace("'", "\'", $selectedUser) . "'" : "null" ?>,
+				selectedUserData: null,
+				document: null,
+				finalDocument: null,
+				loading: false,
+				screen: <?= $selectedUser ? "'sign'" : "'chooseUser'" ?>,
+				mouseDown: false,
+				toEmail: null,
+			}
+		},
+		watch: {
+			screen() {
+				if (this.screen == 'sign') {
+					history.pushState(null, '', '/sugo.php?uid=' + encodeURIComponent(this.selectedUser));
+				} else {
+					history.pushState(null, '', '/sugo.php');
+				}
+			}
+		},
+		mounted() {
+			if (this.screen == 'sign') {
+				this.sign();
+			}
+		},
+		computed: {
+			needsToSign() {
+				return this.users.filter(user => user.needsToSign);
+			},
+			isBlocked() {
+				return this.users.filter(user => user.isBlocked);
+			},
+			everyoneElse() {
+				return this.users.filter(user => !user.needsToSign && !user.isBlocked);
+			},
+			selectedUserData() {
+				return this.users.find(user => user.id == this.selectedUser);
+			}
+		},
+		methods: {
+			async sign() {
+				if (!this.selectedUser || this.loading) {
+					return;
+				}
+				this.loading = true;
+				this.document = await fetch('/sir.php?uid=' + encodeURIComponent(this.selectedUser), {credentials: 'same-origin'}).then(res => {
+					if (!res.ok) {
+						throw new Error('An error occurred fetching the original document');
+					}
+					return res;
+				}).then(res => res.arrayBuffer()).catch(() => {
+					alert('An error occurred fetching the original document');
+					this.loading = false;
+				});
+				this.screen = 'sign';
+				this.loading = false;
+			},
+			handleMouseDown(e) {
+				e.preventDefault();
+				this.mouseDown = true;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.beginPath();
+				ctx.moveTo(e.offsetX, e.offsetY);
+			},
+			handleMouseMove(e) {
+				e.preventDefault();
+				if (!this.mouseDown) return;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.lineWidth = 3;
+				ctx.lineTo(e.offsetX, e.offsetY);
+				ctx.stroke();
+			},
+			handleMouseUp(e) {
+				e.preventDefault();
+				this.mouseDown = false;
+				const ctx = this.$refs.signature.getContext('2d');
+			},
+			handleTouchStart(e) {
+				e.preventDefault();
+				this.mouseDown = true;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.beginPath();
+				ctx.moveTo(e.touches[0].clientX - this.$refs.signature.getBoundingClientRect().left, e.touches[0].clientY - this.$refs.signature.getBoundingClientRect().top);
+			},
+			handleTouchMove(e) {
+				e.preventDefault();
+				if (!this.mouseDown) return;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.lineWidth = 3;
+				ctx.lineTo(e.touches[0].clientX - this.$refs.signature.getBoundingClientRect().left, e.touches[0].clientY - this.$refs.signature.getBoundingClientRect().top);
+				ctx.stroke();
+			},
+			handleTouchEnd(e) {
+				e.preventDefault();
+				this.mouseDown = false;
+				const ctx = this.$refs.signature.getContext('2d');
+			},
+			clear() {
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.clearRect(0, 0, 500, 250);
+			},
+			async generatePdf() {
+				// saving this at the beginning so that we can hide the canvas
+				let signatureData = this.$refs.signature.toDataURL("image/png");
+				this.loading = true;
+
+				let pdf = await PDFLib.PDFDocument.load(this.document).catch(() => {
+					alert('An error occurred while loading the original document');
+					this.loading = false;
+				});
+				let pages = pdf.getPages();
+				let thirdPage = pages[2];
+				// add the date
+				/*let now = new Date();
+				thirdPage.drawText(now.toLocaleDateString("en-GB"), {
+					x: 125,
+					y: 255,
+					size: 12,
+				});*/ // disabled because this is now added by the server
+				// add the signature
+				let signatureBuffer = Uint8Array.from(atob(signatureData.split(',')[1]), c => c.charCodeAt(0));
+				let signatureImage = await pdf.embedPng(signatureBuffer);
+				thirdPage.drawImage(signatureImage, {
+					x: 360,
+					y: 110,
+					width: 180,
+					height: 90,
+				});
+				this.finalDocument = await pdf.save();
+				//this.toEmail = this.selectedUserData.email;
+				//this.screen = 'sendEmail';
+				this.download(); // temp
+				this.loading = false;
+			},
+			send() {
+				if (!this.toEmail || this.loading) {
+					return;
+				}
+				this.loading = true;
+				let formData = new FormData();
+				formData.append('email', this.toEmail);
+				formData.append('document', new Blob([this.finalDocument], {type: 'application/pdf'}), 'sir.pdf');
+				fetch('/?page=email', {
+					method: 'POST',
+					body: formData,
+				}).then(res => {
+					if (res.status == 206) {
+						this.screen = 'chooseUser';
+						this.loading = false;
+					} else {
+						alert('An error occurred');
+						this.loading = false;
+					}
+				});
+			},
+			download() {
+				let pdfBlob = new Blob([this.finalDocument], {type: 'application/pdf'});
+				let pdfUrl = URL.createObjectURL(pdfBlob);
+				let a = document.createElement('a');
+				a.href = pdfUrl;
+				a.download = 'sir.pdf';
+				a.click();
+				URL.revokeObjectURL(pdfUrl);
+				if (this.users.length == 0) {
+					// just redirect to the home page
+					window.location.href = '/';
+				}
+				this.screen = 'chooseUser';
+			},
+		},
+		template: `
+			<div>
+				<h1>Sign the SIR</h1>
+				<div v-if="loading">Loading...</div>
+				<template v-else-if="screen == 'chooseUser'">
+					<div>Select the person:</div>
+					<select class="form-select" v-model="selectedUser">
+						<optgroup label="Needs to sign">
+							<option v-for="user in needsToSign" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
+						</optgroup>
+						<optgroup label="Active users">
+							<option v-for="user in everyoneElse" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
+						</optgroup>
+						<optgroup label="Is blocked">
+							<option v-for="user in isBlocked" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
+						</optgroup>
+					</select>
+					<button @click="sign" class="btn btn-primary">Sign</button>
+				</template>
+				<div v-else-if="screen == 'sign'">
+					<div style="display: flex; justify-content: space-between;">
+						<button v-if="users.length > 0" @click="screen = 'chooseUser'" class="btn btn-outline-secondary">Back</button>
+						<button @click="clear" class="btn btn-secondary">Clear</button>
+						<button @click="generatePdf" class="btn btn-primary">Download</button>
+					</div>
+					<div style="position: absolute; width: 500px; display: flex; border: dashed 2px black; margin-top: 40px; margin-left: auto; margin-right: auto; left: 0; right: 0;">
+						<div style="height: 2px; width: 100%; position: absolute; bottom: 75px; background: #bbb;"></div>
+						<canvas ref="signature" width="500" height="250" style="z-index: 1000;" @mousedown="handleMouseDown" @mousemove="handleMouseMove" @mouseup="handleMouseUp" @mouseleave="handleMouseUp" @touchstart="handleTouchStart" @touchmove="handleTouchMove" @touchend="handleTouchEnd"></canvas>
+					</div>
+				</div>
+				<template v-else-if="screen == 'sendEmail'">
+					<div>
+						<label for="email">Email:</label><br>
+						<input type="email" id="email" v-model="toEmail"><br><br>
+						<button @click="send">Send</button>
+					</div>
+					<div>
+						<button @click="download">Download</button>
+					</div>
+				</template>
+			</div>
+		` // there is some unused code for sending the email, for now we only allow downloads
+	});
+	app.mount('#app');
+</script>
\ No newline at end of file

From 2cb3db6b293ef20e9409fd98d4ceb6304a063549 Mon Sep 17 00:00:00 2001
From: Leone25 <39310565+Leone25@users.noreply.github.com>
Date: Wed, 1 May 2024 08:43:41 +0200
Subject: [PATCH 2/9] changed button

---
 src/Template.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Template.php b/src/Template.php
index 13c92d0..063b9f3 100644
--- a/src/Template.php
+++ b/src/Template.php
@@ -31,6 +31,6 @@ public static function telegramColumn($nickname, $id): string
 	public static function shortListEntry(string $uid, string $cn, ?string $schacpersonaluniquecode): string
 	{
 		$schacpersonaluniquecode = $schacpersonaluniquecode ?? 'no matricola';
-		return /** @lang HTML */ "<a href=\"/people.php?uid=$uid\">$cn</a>, $schacpersonaluniquecode <a class=\"btn btn-sm btn-outline-dark m-1 p-1\" href=\"/sir.php?uid=$uid\"><i class=\"fa fa-download mr-1\"></i>Get SIR</a>";
+		return /** @lang HTML */ "<a href=\"/people.php?uid=$uid\">$cn</a>, $schacpersonaluniquecode <a class=\"btn btn-sm btn-outline-dark m-1 p-1\" href=\"/sugo.php?uid=$uid\"><i class=\"fa-solid fa-signature\"></i>Sign SIR</a>";
 	}
 }

From cbc03a009e646145013c632b9904770c24ad62bb Mon Sep 17 00:00:00 2001
From: Leone25 <39310565+Leone25@users.noreply.github.com>
Date: Wed, 1 May 2024 09:26:22 +0200
Subject: [PATCH 3/9] lint fix

---
 public/sugo.php     | 8 +++-----
 templates/index.php | 4 +++-
 templates/sugo.php  | 6 ++++--
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/public/sugo.php b/public/sugo.php
index 544bbf3..0dd825e 100644
--- a/public/sugo.php
+++ b/public/sugo.php
@@ -7,8 +7,6 @@
 require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
 Authentication::requireLogin();
 
-
-
 $ldap = new Ldap(
 	CRAUTO_LDAP_URL,
 	CRAUTO_LDAP_BIND_DN,
@@ -29,12 +27,12 @@
 		CRAUTO_LDAP_GROUPS_DN,
 		CRAUTO_LDAP_STARTTLS
 	);
-	$users = $ldap->getUsers(['givenname','sn','signedsir','nsaccountlock', 'mail']);
+	$users = $ldap->getUsers(['givenname', 'sn', 'signedsir', 'nsaccountlock', 'mail']);
 	if (isset($_GET['uid'])) {
 		$selectedUser = $_GET['uid'];
 	}
 } else {
-	$users = [$ldap->getUser($_SESSION['uid'], ['givenname','sn','signedsir','nsaccountlock', 'mail'])];
+	$users = [$ldap->getUser($_SESSION['uid'], ['givenname', 'sn', 'signedsir', 'nsaccountlock', 'mail'])];
 	$selectedUser = $_SESSION['uid'];
 }
 
@@ -55,4 +53,4 @@
 echo $template->render('sugo', [
 	'users' => $mappedUsers,
 	'selectedUser' => $selectedUser
-]);
\ No newline at end of file
+]);
diff --git a/templates/index.php b/templates/index.php
index e48da56..b6861e6 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -7,7 +7,9 @@
 
 <h1>Crauto</h1>
 <small>Creatore e Rimuovitore Autogestito di Utenti che Tutto Offre</small>
-<?php if (!$signedsir) echo "<p class=\"alert alert-warning\">You still haven't signed your SIR! <a href=\"/sugo.php?uid=" . urlencode($uid) . "\" class=\"btn btn-outline-warning text-right\" >Generate document</a></p>"; ?>
+<?php if (!$signedsir) {
+	echo "<p class=\"alert alert-warning\">You still haven't signed your SIR! <a href=\"/sugo.php?uid=" . urlencode($uid) . "\" class=\"btn btn-outline-warning text-right\" >Generate document</a></p>";
+} ?>
 <p>Hi <?= $name ?>, your username is <?= $uid ?> and your ID is <?= $id ?></p>
 <h2>Enabled services</h2>
 <p>What can I access with this account?</p>
diff --git a/templates/sugo.php b/templates/sugo.php
index cf38796..880e0fa 100644
--- a/templates/sugo.php
+++ b/templates/sugo.php
@@ -1,5 +1,7 @@
 <?php
-$this->layout('base', ['title' => 'Welcome']) ?>
+
+$this->layout('base', ['title' => 'Welcome'])
+?>
 
 <script src="https://unpkg.com/vue@3/dist/vue.global.js"></script>
 <script src="https://unpkg.com/pdf-lib/dist/pdf-lib.min.js"></script>
@@ -10,7 +12,7 @@
 		data() {
 			return {
 				users: <?= json_encode($users) ?>,
-				selectedUser: <?= $selectedUser ? "'" . str_replace("'", "\'", $selectedUser) . "'" : "null" ?>,
+				selectedUser: <?= $selectedUser ? "'" . str_replace("'", "\'", $selectedUser) . "'" : 'null' ?>,
 				selectedUserData: null,
 				document: null,
 				finalDocument: null,

From eff8ad4ec3933723ce77cc583e7a4da76dd3da83 Mon Sep 17 00:00:00 2001
From: Ludovico Pavesi <ludovico.pavesi@gmail.com>
Date: Sun, 5 May 2024 14:48:48 +0200
Subject: [PATCH 4/9] Text and alignment

---
 templates/index.php  | 6 +++---
 templates/navbar.php | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/index.php b/templates/index.php
index b6861e6..d2126bc 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -7,10 +7,10 @@
 
 <h1>Crauto</h1>
 <small>Creatore e Rimuovitore Autogestito di Utenti che Tutto Offre</small>
-<?php if (!$signedsir) {
-	echo "<p class=\"alert alert-warning\">You still haven't signed your SIR! <a href=\"/sugo.php?uid=" . urlencode($uid) . "\" class=\"btn btn-outline-warning text-right\" >Generate document</a></p>";
-} ?>
 <p>Hi <?= $name ?>, your username is <?= $uid ?> and your ID is <?= $id ?></p>
+<?php if (!$signedsir): ?>
+	<p class="alert alert-warning">You need to sign your SIR! <a href="/sugo.php?uid=<?= urlencode($uid)?>" class="btn btn-sm btn-warning">Sign the SIR</a></p>
+<?php endif ?>
 <h2>Enabled services</h2>
 <p>What can I access with this account?</p>
 <ul>
diff --git a/templates/navbar.php b/templates/navbar.php
index 40698da..aa39e9a 100644
--- a/templates/navbar.php
+++ b/templates/navbar.php
@@ -16,9 +16,6 @@
 					<li class="nav-item">
 						<a class="nav-link <?= $currentSection === 'personal' ? 'active' : '' ?>" href="/personal.php">Personal</a>
 					</li>
-					<li class="nav-item">
-						<a class="nav-link <?= $currentSection === 'sugo' ? 'active' : '' ?>" href="/sugo.php">Sugo</a>
-					</li>
 					<li class="nav-item">
 						<a class="nav-link <?= $currentSection === 'authentication' ? 'active' : '' ?>"
 						   href="/authentication.php">Authentication</a>
@@ -34,6 +31,9 @@
 							<a class="nav-link  <?= $currentSection === 'groups' ? 'active' : '' ?>" href="/groups.php">Groups</a>
 						</li>
 					<?php endif ?>
+					<li class="nav-item">
+						<a class="nav-link <?= $currentSection === 'sugo' ? 'active' : '' ?>" href="/sugo.php">SIR</a>
+					</li>
 					<li class="nav-item">
 						<a class="nav-link" href="/logout.php">Logout</a>
 					</li>

From 45eb8ae57e4bc3a107b03b917ef34d08a88139eb Mon Sep 17 00:00:00 2001
From: Ludovico Pavesi <ludovico.pavesi@gmail.com>
Date: Sun, 5 May 2024 17:05:35 +0200
Subject: [PATCH 5/9] Add TEST_MODE_SSO, close #23

And fix a bunch of warnings
---
 config/config-example.php | 42 +++++++++++++++++++--------------------
 public/personal.php       |  4 ++--
 src/Authentication.php    | 42 +++++++++++++++++++++++++++++----------
 src/Ldap.php              |  3 ++-
 4 files changed, 57 insertions(+), 34 deletions(-)

diff --git a/config/config-example.php b/config/config-example.php
index 0aa3a61..b8a8b07 100644
--- a/config/config-example.php
+++ b/config/config-example.php
@@ -1,27 +1,27 @@
 <?php
-define('TEST_MODE', true); // Use false for production
-define('CRAUTO_PASS_MIN_LENGTH', 12);
-define('CRAUTO_SIR_TMP_DIR_CLEANUP', 30);
-define('CRAUTO_LDAP_URL', 'ldap://ldap1.sso.local');
-define('CRAUTO_LDAP_BIND_DN', 'cn=Directory Manager');
-define('CRAUTO_LDAP_PASSWORD', 'secret1');
-define('CRAUTO_LDAP_STARTTLS', true);
-define('CRAUTO_LDAP_USERS_DN', 'ou=People,dc=sso,dc=local');
-define('CRAUTO_LDAP_GROUPS_DN', 'ou=Groups,dc=sso,dc=local');
-define('CRAUTO_LDAP_INVITES_DN', 'ou=Invites,dc=sso,dc=local');
-define('CRAUTO_OIDC_ISSUER', 'https://wso2.sso.local:9443/oauth2/oidcdiscovery');
-define('CRAUTO_OIDC_CLIENT_ID', 'crauto'); // This is useless
-define('CRAUTO_OIDC_CLIENT_KEY', '3VEQd6YM2a9qXtCGQJs8nGfm2Dsa'); // This is important (generated by WSO2 IS)
-define('CRAUTO_OIDC_CLIENT_SECRET', 'Fd4BxUyaYYlByimKfAwv6_rDyl0a'); // This is even more important (generated by WSO2 IS)
+const TEST_MODE = true; // Use false for production
+const TEST_MODE_SSO = 1; // Use 1, 2 or 3 to log in as different test accounts, only used if TEST_MODE is true
+const CRAUTO_PASS_MIN_LENGTH = 12;
+const CRAUTO_SIR_TMP_DIR_CLEANUP = 30;
+const CRAUTO_LDAP_URL = 'ldap://ldap1.sso.local';
+const CRAUTO_LDAP_BIND_DN = 'cn=Directory Manager';
+const CRAUTO_LDAP_PASSWORD = 'secret1';
+const CRAUTO_LDAP_STARTTLS = true;
+const CRAUTO_LDAP_USERS_DN = 'ou=People,dc=example,dc=test';
+const CRAUTO_LDAP_GROUPS_DN = 'ou=Groups,dc=example,dc=test';
+const CRAUTO_LDAP_INVITES_DN = 'ou=Invites,dc=example,dc=test';
+const CRAUTO_OIDC_ISSUER = 'https://sso.example/oauth2/oidcdiscovery';
+const CRAUTO_OIDC_CLIENT_KEY = '3VEQd6YM2a9qXtCGQJs8nGfm2Dsa'; // This is important (generated by WSO2 IS)
+const CRAUTO_OIDC_CLIENT_SECRET = 'Fd4BxUyaYYlByimKfAwv6_rDyl0a'; // This is even more important (generated by WSO2 IS)
 // Also, you shouldn't commit the secret (and possibly the key) in a public repo. These are used only in development,
 // production key and secret are obviously different.
-define('VERIFY_CERTIFICATES', true); // Set to false for development with self-signed certificates
-define('CRAUTO_URL', 'http://[::1]:8200');
-define('CRAUTO_DEBUG_ALWAYS_REFRESH', false); // Set to true to use the refresh token to get a new id token on each request
-define('CRAUTO_DEFAULT_GROUPS', 'Test,Cloud,Admin');
-define('CRAUTO_WEBSITE_IGNORE_GROUPS', 'Docenti,Foo,Bar');
-define('CRAUTO_HOME_PAGE_SERVICES', [
+const VERIFY_CERTIFICATES = true; // Set to false for development with self-signed certificates
+const CRAUTO_URL = 'http://[::1]:8200';
+const CRAUTO_DEBUG_ALWAYS_REFRESH = false; // Set to true to use the refresh token to get a new id token on each request
+const CRAUTO_DEFAULT_GROUPS = 'Test,Cloud,Admin';
+const CRAUTO_WEBSITE_IGNORE_GROUPS = 'Docenti,Foo,Bar';
+const CRAUTO_HOME_PAGE_SERVICES = [
 	['Description description description', 'https://url.example.com', 'something'],
 	['Description', 'https://url.example.com'],
 	['Description without link']
-]);
+];
diff --git a/public/personal.php b/public/personal.php
index 82dec1f..8c1ab85 100644
--- a/public/personal.php
+++ b/public/personal.php
@@ -35,12 +35,12 @@
 		header('Content-Type: application/json');
 		header('Content-Transfer-Encoding: Binary');
 		header('Content-Description: File Transfer');
-		header("Content-Disposition: attachment; filename=${_SESSION['uid']}.json");
+		header("Content-Disposition: attachment; filename={$_SESSION['uid']}.json");
 		echo json_encode($attributes, JSON_PRETTY_PRINT);
 		exit;
 	}
 
-	if (isset($_POST) && !empty($_POST)) {
+	if (!empty($_POST)) {
 		Validation::handleUserEditPost($editableAttributes, $ldap, $_SESSION['uid'], $attributes);
 		http_response_code(303);
 		header('Location: personal.php');
diff --git a/src/Authentication.php b/src/Authentication.php
index 70c4b76..4385672 100644
--- a/src/Authentication.php
+++ b/src/Authentication.php
@@ -76,16 +76,38 @@ public static function authenticate()
 			session_start();
 		}
 
-		if (defined('TEST_MODE') && TEST_MODE) {
+		if (TEST_MODE) {
 			error_log('TEST_MODE, faking authentication');
-			$_SESSION['uid'] = 'test.administrator';
-			$_SESSION['id'] = 'fake:example:68048769-c06d-4873-adf6-dbfa6b0afcd3';
-			$_SESSION['cn'] = 'Test Administrator';
-			$_SESSION['hasSignedSIR'] = false;
-			$_SESSION['groups'] = ['HR'];
-			$_SESSION['expires'] = PHP_INT_MAX;
-			$_SESSION['refresh_token'] = 'refresh_token';
-			$_SESSION['id_token'] = 'id_token';
+			switch(TEST_MODE_SSO) {
+				case 1:
+				default:
+					$_SESSION['uid'] = 'test.administrator';
+					$_SESSION['id'] = 'fake:example:68048769-c06d-4873-adf6-dbfa6b0afcd3';
+					$_SESSION['cn'] = 'Test Administrator';
+					$_SESSION['groups'] = ['HR'];
+					$_SESSION['expires'] = PHP_INT_MAX;
+					$_SESSION['refresh_token'] = 'refresh_token';
+					$_SESSION['id_token'] = 'id_token';
+					break;
+				case 2:
+					$_SESSION['uid'] = 'alice';
+					$_SESSION['id'] = 'fake:example:9e071e1e-d0dd-4d58-9ac2-087ea0b41e97';
+					$_SESSION['cn'] = 'Alice Test';
+					$_SESSION['groups'] = ['Cloud', 'Gente', 'Riparatori'];
+					$_SESSION['expires'] = PHP_INT_MAX;
+					$_SESSION['refresh_token'] = 'refresh_token';
+					$_SESSION['id_token'] = 'id_token';
+					break;
+				case 3:
+					$_SESSION['uid'] = 'brodino';
+					$_SESSION['id'] = 'fake:example:c476f0de-e554-439e-af4f-35c8bed02b9b';
+					$_SESSION['cn'] = 'Bro Dino';
+					$_SESSION['groups'] = ['Admin', 'Gente'];
+					$_SESSION['expires'] = PHP_INT_MAX;
+					$_SESSION['refresh_token'] = 'refresh_token';
+					$_SESSION['id_token'] = 'id_token';
+					break;
+			}
 		} else {
 			$oidc = self::getOidc();
 			//$oidc->setCertPath('/path/to/my.cert');
@@ -111,7 +133,7 @@ public static function signOut()
 		$token = $_SESSION['id_token'];
 		session_destroy();
 
-		if (defined('TEST_MODE') && TEST_MODE) {
+		if (TEST_MODE) {
 			error_log('TEST_MODE, no need to log out');
 		} else {
 			$oidc->signOut($token, CRAUTO_URL . '/logout_done.php');
diff --git a/src/Ldap.php b/src/Ldap.php
index 40d442f..4936697 100644
--- a/src/Ldap.php
+++ b/src/Ldap.php
@@ -5,6 +5,7 @@
 use DateTime;
 use DateTimeZone;
 use InvalidArgumentException;
+use LDAP\Result;
 
 class Ldap
 {
@@ -269,7 +270,7 @@ public function getUsers(array $attributes): array
 	 * @param string $uid UID to search
 	 * @param array|null $attributes Attributes to include in search result ("null" for all)
 	 *
-	 * @return resource|null $sr from ldap_search or none if no users are found
+	 * @return array|Result|null $sr from ldap_search or none if no users are found
 	 * @throws LdapException if cannot search or more than one user is found
 	 */
 	private function searchByUid(string $uid, ?array $attributes = null)

From a09636fd65e2b9a0c35bc4ca13743664e6e10851 Mon Sep 17 00:00:00 2001
From: Ludovico Pavesi <ludovico.pavesi@gmail.com>
Date: Sun, 5 May 2024 17:11:36 +0200
Subject: [PATCH 6/9] SIR message updated in real time

---
 public/index.php       | 19 ++++++++++++++++++-
 src/Authentication.php |  3 ---
 templates/index.php    | 10 ++++++++--
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/public/index.php b/public/index.php
index 95f1458..04eafbd 100644
--- a/public/index.php
+++ b/public/index.php
@@ -5,11 +5,28 @@
 require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
 Authentication::requireLogin();
 
+$error = null;
+$attributes = [];
+try {
+	$ldap = new Ldap(
+		CRAUTO_LDAP_URL,
+		CRAUTO_LDAP_BIND_DN,
+		CRAUTO_LDAP_PASSWORD,
+		CRAUTO_LDAP_USERS_DN,
+		CRAUTO_LDAP_GROUPS_DN,
+		CRAUTO_LDAP_STARTTLS
+	);
+	$attributes = $ldap->getUser($_SESSION['uid'], ['signedsir']);
+} catch (LdapException $e) {
+	$error = $e->getMessage();
+}
+
 $template = Template::create();
 $template->addData(['currentSection' => 'index'], 'navbar');
 echo $template->render('index', [
+	'error' => $error,
 	'uid' => $_SESSION['uid'],
 	'id' => $_SESSION['id'],
 	'name' => $_SESSION['cn'],
-	'hasSignedSIR' => $_SESSION['signedsir'],
+	'signedSir' => isset($attributes['signedsir']) && $attributes['signedsir'] === 'true',
 ]);
diff --git a/src/Authentication.php b/src/Authentication.php
index 4385672..d4dfc4e 100644
--- a/src/Authentication.php
+++ b/src/Authentication.php
@@ -339,12 +339,9 @@ private static function setAttributes(OpenIDConnectClient $oidc, $claims = null,
 			CRAUTO_LDAP_STARTTLS
 		);
 
-		$ldapInfo = $ldap->getUser($uid, ['signedsir']);
-
 		$_SESSION['uid'] = $uid;
 		$_SESSION['id'] = $id;
 		$_SESSION['cn'] = $cn;
-		$_SESSION['signedsir'] = $ldapInfo['signedsir'] ?? false; // This won't updated until the next login but good enough
 		$_SESSION['groups'] = $groups;
 		$_SESSION['expires'] = $exp;
 
diff --git a/templates/index.php b/templates/index.php
index d2126bc..c71c9a3 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -2,13 +2,19 @@
 /** @var $uid string */
 /** @var $id string */
 /** @var $name string */
-/** @var $signedsir bool */
+/** @var $signedSir bool */
+/** @var $error string|null */
 $this->layout('base', ['title' => 'Welcome']) ?>
 
 <h1>Crauto</h1>
 <small>Creatore e Rimuovitore Autogestito di Utenti che Tutto Offre</small>
 <p>Hi <?= $name ?>, your username is <?= $uid ?> and your ID is <?= $id ?></p>
-<?php if (!$signedsir): ?>
+<?php if ($error !== null) : ?>
+	<div class="alert alert-danger" role="alert">
+		Error: <?= $this->e($error) ?>
+	</div>
+<?php endif ?>
+<?php if (!$signedSir): ?>
 	<p class="alert alert-warning">You need to sign your SIR! <a href="/sugo.php?uid=<?= urlencode($uid)?>" class="btn btn-sm btn-warning">Sign the SIR</a></p>
 <?php endif ?>
 <h2>Enabled services</h2>

From abeb38afab447b1e0266757213b041fbc7896b29 Mon Sep 17 00:00:00 2001
From: Ludovico Pavesi <ludovico.pavesi@gmail.com>
Date: Sun, 5 May 2024 17:37:38 +0200
Subject: [PATCH 7/9] Rename variables to match LDAP attributes, rename text to
 match the variables, rename classes to match Bootstrap classes

And add another test account
---
 public/index.php       |  2 +-
 public/sugo.php        | 12 ++++++---
 src/Ldap.php           | 30 +++++++++++++++++++++
 templates/sugo.php     | 59 +++++++++++++++++++++++-------------------
 templates/userlist.php |  4 +--
 5 files changed, 73 insertions(+), 34 deletions(-)

diff --git a/public/index.php b/public/index.php
index 04eafbd..5f979c3 100644
--- a/public/index.php
+++ b/public/index.php
@@ -28,5 +28,5 @@
 	'uid' => $_SESSION['uid'],
 	'id' => $_SESSION['id'],
 	'name' => $_SESSION['cn'],
-	'signedSir' => isset($attributes['signedsir']) && $attributes['signedsir'] === 'true',
+	'signedSir' => Ldap::optionalBooleanToBool($attributes, 'signedsir')
 ]);
diff --git a/public/sugo.php b/public/sugo.php
index 0dd825e..3383639 100644
--- a/public/sugo.php
+++ b/public/sugo.php
@@ -39,14 +39,18 @@
 $mappedUsers = [];
 foreach ($users as $user) {
 	$mappedUsers[] = [
-		'id' => $user['uid'],
-		'name' => $user['givenname'] . ' ' . $user['sn'],
-		'needsToSign' => !($user['signedsir'] ?? false),
-		'isBlocked' => !($user['nsaccountlock'] ?? false),
+		'uid' => $user['uid'],
+		'cn' => $user['cn'],
+		'needsToSign' => Ldap::optionalBooleanToBool($user, 'signedsir'),
+		'isLocked' => Ldap::optionalBooleanToBool($user, 'nsaccountlock'),
 		'email' => $user['mail']
 	];
 }
 
+usort($mappedUsers, function (array $a, array $b): int {
+	return strcasecmp($a['uid'], $b['uid']);
+});
+
 $template = Template::create();
 $template->addData(['currentSection' => 'sugo'], 'navbar');
 
diff --git a/src/Ldap.php b/src/Ldap.php
index 4936697..e0d96fb 100644
--- a/src/Ldap.php
+++ b/src/Ldap.php
@@ -25,6 +25,7 @@ class Ldap
 			'createtimestamp' => '20191025105022Z',
 			'modifytimestamp' => '20191025155317Z',
 			'safetytestdate' => '20160909',
+			'degreecourse' => 'Ingegneria dell\'Ingegno',
 			'signedsir' => 'true',
 			'haskey' => 'true',
 			'schacpersonaluniquecode' => 's111111',
@@ -46,6 +47,7 @@ class Ldap
 			'createtimestamp' => '20191025105022Z',
 			'modifytimestamp' => '20191025155317Z',
 			'safetytestdate' => '20991104',
+			'degreecourse' => 'Architettura (dei calcolatori però)',
 			'signedsir' => null,
 			'haskey' => null,
 			'schacpersonaluniquecode' => 's22222',
@@ -67,6 +69,7 @@ class Ldap
 			'createtimestamp' => '20191025105022Z',
 			'modifytimestamp' => '20191025155317Z',
 			'safetytestdate' => '20201104',
+			'degreecourse' => 'Ingegneria dell\'Ingegnerizzazione',
 			'signedsir' => 'true',
 			'haskey' => null,
 			'nsaccountlock' => 'true',
@@ -108,6 +111,7 @@ class Ldap
 			'createtimestamp' => '20191025105022Z',
 			'modifytimestamp' => '20191025155317Z',
 			'safetytestdate' => '20201025',
+			'degreecourse' => 'Ingegneria dell\'Ingegnerizzazione',
 			'signedsir' => null,
 			'haskey' => null,
 			'nsaccountlock' => null,
@@ -119,6 +123,27 @@ class Ldap
 			'telegramid' => '123456789',
 			'mail' => 'bro@example.com',
 		],
+		'brobruh' => [
+			'uid' => 'brobruh',
+			'cn' => 'Bro Bruh',
+			'givenname' => 'Bro',
+			'sn' => 'Bruh',
+			'memberof' => ["cn=Admin,ou=Groups,dc=weeeopen,dc=it", "cn=Gente,ou=Groups,dc=weeeopen,dc=it"],
+			'createtimestamp' => '20191025105022Z',
+			'modifytimestamp' => '20191025155317Z',
+			'safetytestdate' => '20210926',
+			'degreecourse' => 'Ingegneria Disinformatica',
+			'signedsir' => null,
+			'haskey' => null,
+			'nsaccountlock' => 'true',
+			'schacpersonaluniquecode' => 's333444555666',
+			'telegramnickname' => null,
+			'sshpublickey' => [],
+			'weeelabnickname' => [],
+			'description' => '',
+			'telegramid' => '12345678912345',
+			'mail' => 'bro@bruh.example',
+		],
 	];
 	private const EXAMPLE_GROUPS = ['Admin', 'Persone', 'Cloud'];
 
@@ -490,6 +515,11 @@ public static function groupDnToName(string $dn): string
 		throw new InvalidArgumentException("$dn is not a group DN");
 	}
 
+	public static function optionalBooleanToBool(array $attributes, string $var): bool
+	{
+		return isset($attributes[$var]) && $attributes[$var] === 'true';
+	}
+
 	public function groupNamesToDn(array $names): array
 	{
 		if (count($names) <= 0) {
diff --git a/templates/sugo.php b/templates/sugo.php
index 880e0fa..1e8351a 100644
--- a/templates/sugo.php
+++ b/templates/sugo.php
@@ -1,5 +1,6 @@
 <?php
-
+/** @var string|null $selectedUser */
+/** @var array $users */
 $this->layout('base', ['title' => 'Welcome'])
 ?>
 
@@ -12,19 +13,19 @@
 		data() {
 			return {
 				users: <?= json_encode($users) ?>,
-				selectedUser: <?= $selectedUser ? "'" . str_replace("'", "\'", $selectedUser) . "'" : 'null' ?>,
+				selectedUser: <?= $selectedUser ? "'" . json_encode($selectedUser, JSON_UNESCAPED_UNICODE) . "'" : 'null' ?>,
 				selectedUserData: null,
 				document: null,
 				finalDocument: null,
 				loading: false,
-				screen: <?= $selectedUser ? "'sign'" : "'chooseUser'" ?>,
+				screen: '<?= $selectedUser ? "sign" : "chooseUser" ?>',
 				mouseDown: false,
 				toEmail: null,
 			}
 		},
 		watch: {
 			screen() {
-				if (this.screen == 'sign') {
+				if (this.screen === 'sign') {
 					history.pushState(null, '', '/sugo.php?uid=' + encodeURIComponent(this.selectedUser));
 				} else {
 					history.pushState(null, '', '/sugo.php');
@@ -32,7 +33,7 @@
 			}
 		},
 		mounted() {
-			if (this.screen == 'sign') {
+			if (this.screen === 'sign') {
 				this.sign();
 			}
 		},
@@ -40,14 +41,14 @@
 			needsToSign() {
 				return this.users.filter(user => user.needsToSign);
 			},
-			isBlocked() {
-				return this.users.filter(user => user.isBlocked);
+			isLocked() {
+				return this.users.filter(user => user.isLocked);
 			},
 			everyoneElse() {
-				return this.users.filter(user => !user.needsToSign && !user.isBlocked);
+				return this.users.filter(user => !user.needsToSign && !user.isLocked);
 			},
 			selectedUserData() {
-				return this.users.find(user => user.id == this.selectedUser);
+				return this.users.find(user => user.uid === this.selectedUser);
 			}
 		},
 		methods: {
@@ -157,7 +158,7 @@
 					method: 'POST',
 					body: formData,
 				}).then(res => {
-					if (res.status == 206) {
+					if (res.status === 206) {
 						this.screen = 'chooseUser';
 						this.loading = false;
 					} else {
@@ -174,7 +175,7 @@
 				a.download = 'sir.pdf';
 				a.click();
 				URL.revokeObjectURL(pdfUrl);
-				if (this.users.length == 0) {
+				if (this.users.length === 0) {
 					// just redirect to the home page
 					window.location.href = '/';
 				}
@@ -185,22 +186,26 @@
 			<div>
 				<h1>Sign the SIR</h1>
 				<div v-if="loading">Loading...</div>
-				<template v-else-if="screen == 'chooseUser'">
-					<div>Select the person:</div>
-					<select class="form-select" v-model="selectedUser">
-						<optgroup label="Needs to sign">
-							<option v-for="user in needsToSign" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
-						</optgroup>
-						<optgroup label="Active users">
-							<option v-for="user in everyoneElse" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
-						</optgroup>
-						<optgroup label="Is blocked">
-							<option v-for="user in isBlocked" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
-						</optgroup>
-					</select>
-					<button @click="sign" class="btn btn-primary">Sign</button>
+				<template v-else-if="screen === 'chooseUser'">
+					<form class="form-inline">
+						<div class="form-group mb-2">
+						<label class="sr-only" for="personSelect">Person</label>
+						<select class="form-control form-select" v-model="selectedUser">
+							<optgroup label="Needs to sign">
+								<option v-for="user in needsToSign" :value="user.uid"><b>{{ user.cn }}</b> ({{ user.uid }})</option>
+							</optgroup>
+							<optgroup label="Active users">
+								<option v-for="user in everyoneElse" :value="user.uid"><b>{{ user.cn }}</b> ({{ user.uid }})</option>
+							</optgroup>
+							<optgroup label="Locked accounts">
+								<option v-for="user in isLocked" :value="user.uid"><b>{{ user.cn }}</b> ({{ user.uid }})</option>
+							</optgroup>
+						</select>
+						<button @click="sign" class="btn btn-primary ml-2">View and Sign</button>
+						</div>
+					</form>
 				</template>
-				<div v-else-if="screen == 'sign'">
+				<div v-else-if="screen === 'sign'">
 					<div style="display: flex; justify-content: space-between;">
 						<button v-if="users.length > 0" @click="screen = 'chooseUser'" class="btn btn-outline-secondary">Back</button>
 						<button @click="clear" class="btn btn-secondary">Clear</button>
@@ -211,7 +216,7 @@
 						<canvas ref="signature" width="500" height="250" style="z-index: 1000;" @mousedown="handleMouseDown" @mousemove="handleMouseMove" @mouseup="handleMouseUp" @mouseleave="handleMouseUp" @touchstart="handleTouchStart" @touchmove="handleTouchMove" @touchend="handleTouchEnd"></canvas>
 					</div>
 				</div>
-				<template v-else-if="screen == 'sendEmail'">
+				<template v-else-if="screen === 'sendEmail'">
 					<div>
 						<label for="email">Email:</label><br>
 						<input type="email" id="email" v-model="toEmail"><br><br>
diff --git a/templates/userlist.php b/templates/userlist.php
index a806edb..9c754ed 100644
--- a/templates/userlist.php
+++ b/templates/userlist.php
@@ -35,7 +35,7 @@
 	</div>
 <?php endif ?>
 
-<!-- Non blocked user table -->
+<!-- Non Locked user table -->
 <table class="table" data-toggle="table">
 	<thead class="thead-dark">
 	<tr>
@@ -138,7 +138,7 @@
 
 <h2>Locked accounts</h2>
 
-<!-- Blocked user table -->
+<!-- Locked user table -->
 <table class="table" data-toggle="table">
 	<thead class="thead-dark">
 	<tr>

From 96dd9cace0085618d9a17ae1954dea8b705e53df Mon Sep 17 00:00:00 2001
From: Ludovico Pavesi <ludovico.pavesi@gmail.com>
Date: Sun, 5 May 2024 17:51:16 +0200
Subject: [PATCH 8/9] Cleanup and lint fix

---
 public/sugo.php        | 11 -----------
 src/Authentication.php |  2 +-
 templates/index.php    |  2 +-
 templates/sugo.php     |  1 +
 4 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/public/sugo.php b/public/sugo.php
index 3383639..ff70350 100644
--- a/public/sugo.php
+++ b/public/sugo.php
@@ -2,8 +2,6 @@
 
 namespace WEEEOpen\Crauto;
 
-use DateTimeZone;
-
 require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
 Authentication::requireLogin();
 
@@ -16,17 +14,8 @@
 	CRAUTO_LDAP_STARTTLS
 );
 
-$users = [];
 $selectedUser = null;
 if (Authentication::isAdmin()) {
-	$ldap = new Ldap(
-		CRAUTO_LDAP_URL,
-		CRAUTO_LDAP_BIND_DN,
-		CRAUTO_LDAP_PASSWORD,
-		CRAUTO_LDAP_USERS_DN,
-		CRAUTO_LDAP_GROUPS_DN,
-		CRAUTO_LDAP_STARTTLS
-	);
 	$users = $ldap->getUsers(['givenname', 'sn', 'signedsir', 'nsaccountlock', 'mail']);
 	if (isset($_GET['uid'])) {
 		$selectedUser = $_GET['uid'];
diff --git a/src/Authentication.php b/src/Authentication.php
index d4dfc4e..6a38adf 100644
--- a/src/Authentication.php
+++ b/src/Authentication.php
@@ -78,7 +78,7 @@ public static function authenticate()
 
 		if (TEST_MODE) {
 			error_log('TEST_MODE, faking authentication');
-			switch(TEST_MODE_SSO) {
+			switch (TEST_MODE_SSO) {
 				case 1:
 				default:
 					$_SESSION['uid'] = 'test.administrator';
diff --git a/templates/index.php b/templates/index.php
index c71c9a3..b153128 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -14,7 +14,7 @@
 		Error: <?= $this->e($error) ?>
 	</div>
 <?php endif ?>
-<?php if (!$signedSir): ?>
+<?php if (!$signedSir) : ?>
 	<p class="alert alert-warning">You need to sign your SIR! <a href="/sugo.php?uid=<?= urlencode($uid)?>" class="btn btn-sm btn-warning">Sign the SIR</a></p>
 <?php endif ?>
 <h2>Enabled services</h2>
diff --git a/templates/sugo.php b/templates/sugo.php
index 1e8351a..501b2cf 100644
--- a/templates/sugo.php
+++ b/templates/sugo.php
@@ -1,4 +1,5 @@
 <?php
+
 /** @var string|null $selectedUser */
 /** @var array $users */
 $this->layout('base', ['title' => 'Welcome'])

From fefe5782619c1191776861586f1015f5b05cccc3 Mon Sep 17 00:00:00 2001
From: Leone25 <39310565+Leone25@users.noreply.github.com>
Date: Sun, 5 May 2024 22:01:53 +0200
Subject: [PATCH 9/9] added missing signatures, file name and download button

---
 templates/sugo.php | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/templates/sugo.php b/templates/sugo.php
index 501b2cf..864974d 100644
--- a/templates/sugo.php
+++ b/templates/sugo.php
@@ -14,8 +14,7 @@
 		data() {
 			return {
 				users: <?= json_encode($users) ?>,
-				selectedUser: <?= $selectedUser ? "'" . json_encode($selectedUser, JSON_UNESCAPED_UNICODE) . "'" : 'null' ?>,
-				selectedUserData: null,
+				selectedUser: <?= $selectedUser ? json_encode($selectedUser, JSON_UNESCAPED_UNICODE) : 'null' ?>,
 				document: null,
 				finalDocument: null,
 				loading: false,
@@ -135,7 +134,19 @@
 				// add the signature
 				let signatureBuffer = Uint8Array.from(atob(signatureData.split(',')[1]), c => c.charCodeAt(0));
 				let signatureImage = await pdf.embedPng(signatureBuffer);
-				thirdPage.drawImage(signatureImage, {
+				thirdPage.drawImage(signatureImage, { // guanti
+					x: 355,
+					y: 592,
+					width: 80,
+					height: 40,
+				});
+				thirdPage.drawImage(signatureImage, { // cappa
+					x: 260,
+					y: 460,
+					width: 80,
+					height: 40,
+				});
+				thirdPage.drawImage(signatureImage, { // end of document
 					x: 360,
 					y: 110,
 					width: 180,
@@ -147,7 +158,7 @@
 				this.download(); // temp
 				this.loading = false;
 			},
-			send() {
+			send() { // currently unused as we don't have an email endpoint
 				if (!this.toEmail || this.loading) {
 					return;
 				}
@@ -168,15 +179,22 @@
 					}
 				});
 			},
+			async downloadBlank() {
+				await this.sign();
+				this.loading = true;
+				this.finalDocument = this.document;
+				this.download();
+				this.loading = false;
+			},
 			download() {
 				let pdfBlob = new Blob([this.finalDocument], {type: 'application/pdf'});
 				let pdfUrl = URL.createObjectURL(pdfBlob);
 				let a = document.createElement('a');
 				a.href = pdfUrl;
-				a.download = 'sir.pdf';
+				a.download = `sir-${this.selectedUser}.pdf`;
 				a.click();
 				URL.revokeObjectURL(pdfUrl);
-				if (this.users.length === 0) {
+				if (this.users.length === 1) {
 					// just redirect to the home page
 					window.location.href = '/';
 				}
@@ -202,7 +220,8 @@
 								<option v-for="user in isLocked" :value="user.uid"><b>{{ user.cn }}</b> ({{ user.uid }})</option>
 							</optgroup>
 						</select>
-						<button @click="sign" class="btn btn-primary ml-2">View and Sign</button>
+						<button @click="sign" class="btn btn-primary ml-2">Sign</button>
+						<button @click="downloadBlank" class="btn btn-outline-secondary ml-2">View</button>
 						</div>
 					</form>
 				</template>