-<?php\r
-\r
-/**\r
- * @file CAS/client.php\r
- * Main class of the phpCAS library\r
- */\r
-\r
-// include internationalization stuff\r
-include_once(dirname(__FILE__).'/languages/languages.php');\r
-\r
-// include PGT storage classes\r
-include_once(dirname(__FILE__).'/PGTStorage/pgt-main.php');\r
-\r
-/**\r
- * @class CASClient\r
- * The CASClient class is a client interface that provides CAS authentication\r
- * to PHP applications.\r
- *\r
- * @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>\r
- */\r
-\r
-class CASClient\r
-{\r
- \r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- // XX XX\r
- // XX CONFIGURATION XX\r
- // XX XX\r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- \r
- // ########################################################################\r
- // HTML OUTPUT\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalOutput\r
- * @{\r
- */ \r
- \r
- /**\r
- * This method filters a string by replacing special tokens by appropriate values\r
- * and prints it. The corresponding tokens are taken into account:\r
- * - __CAS_VERSION__\r
- * - __PHPCAS_VERSION__\r
- * - __SERVER_BASE_URL__\r
- *\r
- * Used by CASClient::PrintHTMLHeader() and CASClient::printHTMLFooter().\r
- *\r
- * @param $str the string to filter and output\r
- *\r
- * @private\r
- */\r
- function HTMLFilterOutput($str)\r
- {\r
- $str = str_replace('__CAS_VERSION__',$this->getServerVersion(),$str);\r
- $str = str_replace('__PHPCAS_VERSION__',phpCAS::getVersion(),$str);\r
- $str = str_replace('__SERVER_BASE_URL__',$this->getServerBaseURL(),$str);\r
- echo $str;\r
- }\r
- \r
- /**\r
- * A string used to print the header of HTML pages. Written by CASClient::setHTMLHeader(),\r
- * read by CASClient::printHTMLHeader().\r
- *\r
- * @hideinitializer\r
- * @private\r
- * @see CASClient::setHTMLHeader, CASClient::printHTMLHeader()\r
- */\r
- var $_output_header = '';\r
- \r
- /**\r
- * This method prints the header of the HTML output (after filtering). If\r
- * CASClient::setHTMLHeader() was not used, a default header is output.\r
- *\r
- * @param $title the title of the page\r
- *\r
- * @see HTMLFilterOutput()\r
- * @private\r
- */\r
- function printHTMLHeader($title)\r
- {\r
- $this->HTMLFilterOutput(str_replace('__TITLE__',\r
- $title,\r
- (empty($this->_output_header)\r
- ? '<html><head><title>__TITLE__</title></head><body><h1>__TITLE__</h1>'\r
- : $this->_output_header)\r
- )\r
- );\r
- }\r
- \r
- /**\r
- * A string used to print the footer of HTML pages. Written by CASClient::setHTMLFooter(),\r
- * read by printHTMLFooter().\r
- *\r
- * @hideinitializer\r
- * @private\r
- * @see CASClient::setHTMLFooter, CASClient::printHTMLFooter()\r
- */\r
- var $_output_footer = '';\r
- \r
- /**\r
- * This method prints the footer of the HTML output (after filtering). If\r
- * CASClient::setHTMLFooter() was not used, a default footer is output.\r
- *\r
- * @see HTMLFilterOutput()\r
- * @private\r
- */\r
- function printHTMLFooter()\r
- {\r
- $this->HTMLFilterOutput(empty($this->_output_footer)\r
- ?('<hr><address>phpCAS __PHPCAS_VERSION__ '.$this->getString(CAS_STR_USING_SERVER).' <a href="__SERVER_BASE_URL__">__SERVER_BASE_URL__</a> (CAS __CAS_VERSION__)</a></address></body></html>')\r
- :$this->_output_footer);\r
- }\r
- \r
- /**\r
- * This method set the HTML header used for all outputs.\r
- *\r
- * @param $header the HTML header.\r
- *\r
- * @public\r
- */\r
- function setHTMLHeader($header)\r
- {\r
- $this->_output_header = $header;\r
- }\r
- \r
- /**\r
- * This method set the HTML footer used for all outputs.\r
- *\r
- * @param $footer the HTML footer.\r
- *\r
- * @public\r
- */\r
- function setHTMLFooter($footer)\r
- {\r
- $this->_output_footer = $footer;\r
- }\r
- \r
- /** @} */\r
- // ########################################################################\r
- // INTERNATIONALIZATION\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalLang\r
- * @{\r
- */ \r
- /**\r
- * A string corresponding to the language used by phpCAS. Written by \r
- * CASClient::setLang(), read by CASClient::getLang().\r
- \r
- * @note debugging information is always in english (debug purposes only).\r
- *\r
- * @hideinitializer\r
- * @private\r
- * @sa CASClient::_strings, CASClient::getString()\r
- */\r
- var $_lang = '';\r
- \r
- /**\r
- * This method returns the language used by phpCAS.\r
- *\r
- * @return a string representing the language\r
- *\r
- * @private\r
- */\r
- function getLang()\r
- {\r
- if ( empty($this->_lang) )\r
- $this->setLang(PHPCAS_LANG_DEFAULT);\r
- return $this->_lang;\r
- }\r
- \r
- /**\r
- * array containing the strings used by phpCAS. Written by CASClient::setLang(), read by \r
- * CASClient::getString() and used by CASClient::setLang().\r
- *\r
- * @note This array is filled by instructions in CAS/languages/<$this->_lang>.php\r
- *\r
- * @private\r
- * @see CASClient::_lang, CASClient::getString(), CASClient::setLang(), CASClient::getLang()\r
- */\r
- var $_strings;\r
- \r
- /**\r
- * This method returns a string depending on the language.\r
- *\r
- * @param $str the index of the string in $_string.\r
- *\r
- * @return the string corresponding to $index in $string.\r
- *\r
- * @private\r
- */\r
- function getString($str)\r
- {\r
- // call CASclient::getLang() to be sure the language is initialized\r
- $this->getLang();\r
- \r
- if ( !isset($this->_strings[$str]) ) {\r
- trigger_error('string `'.$str.'\' not defined for language `'.$this->getLang().'\'',E_USER_ERROR);\r
- }\r
- return $this->_strings[$str];\r
- }\r
- \r
- /**\r
- * This method is used to set the language used by phpCAS. \r
- * @note Can be called only once.\r
- *\r
- * @param $lang a string representing the language.\r
- *\r
- * @public\r
- * @sa CAS_LANG_FRENCH, CAS_LANG_ENGLISH\r
- */\r
- function setLang($lang)\r
- {\r
- // include the corresponding language file\r
- include_once(dirname(__FILE__).'/languages/'.$lang.'.php');\r
- \r
- if ( !is_array($this->_strings) ) {\r
- trigger_error('language `'.$lang.'\' is not implemented',E_USER_ERROR);\r
- }\r
- $this->_lang = $lang;\r
- }\r
- \r
- /** @} */\r
- // ########################################################################\r
- // CAS SERVER CONFIG\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalConfig\r
- * @{\r
- */ \r
- \r
- /**\r
- * a record to store information about the CAS server.\r
- * - $_server["version"]: the version of the CAS server\r
- * - $_server["hostname"]: the hostname of the CAS server\r
- * - $_server["port"]: the port the CAS server is running on\r
- * - $_server["uri"]: the base URI the CAS server is responding on\r
- * - $_server["base_url"]: the base URL of the CAS server\r
- * - $_server["login_url"]: the login URL of the CAS server\r
- * - $_server["service_validate_url"]: the service validating URL of the CAS server\r
- * - $_server["proxy_url"]: the proxy URL of the CAS server\r
- * - $_server["proxy_validate_url"]: the proxy validating URL of the CAS server\r
- * - $_server["logout_url"]: the logout URL of the CAS server\r
- *\r
- * $_server["version"], $_server["hostname"], $_server["port"] and $_server["uri"]\r
- * are written by CASClient::CASClient(), read by CASClient::getServerVersion(), \r
- * CASClient::getServerHostname(), CASClient::getServerPort() and CASClient::getServerURI().\r
- *\r
- * The other fields are written and read by CASClient::getServerBaseURL(), \r
- * CASClient::getServerLoginURL(), CASClient::getServerServiceValidateURL(), \r
- * CASClient::getServerProxyValidateURL() and CASClient::getServerLogoutURL().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_server = array(\r
- 'version' => -1,\r
- 'hostname' => 'none',\r
- 'port' => -1,\r
- 'uri' => 'none'\r
- );\r
- \r
- /**\r
- * This method is used to retrieve the version of the CAS server.\r
- * @return the version of the CAS server.\r
- * @private\r
- */\r
- function getServerVersion()\r
- { \r
- return $this->_server['version']; \r
- }\r
- \r
- /**\r
- * This method is used to retrieve the hostname of the CAS server.\r
- * @return the hostname of the CAS server.\r
- * @private\r
- */\r
- function getServerHostname()\r
- { return $this->_server['hostname']; }\r
- \r
- /**\r
- * This method is used to retrieve the port of the CAS server.\r
- * @return the port of the CAS server.\r
- * @private\r
- */\r
- function getServerPort()\r
- { return $this->_server['port']; }\r
- \r
- /**\r
- * This method is used to retrieve the URI of the CAS server.\r
- * @return a URI.\r
- * @private\r
- */\r
- function getServerURI()\r
- { return $this->_server['uri']; }\r
- \r
- /**\r
- * This method is used to retrieve the base URL of the CAS server.\r
- * @return a URL.\r
- * @private\r
- */\r
- function getServerBaseURL()\r
- { \r
- // the URL is build only when needed\r
- if ( empty($this->_server['base_url']) ) {\r
- $this->_server['base_url'] = 'https://'\r
- .$this->getServerHostname()\r
- .':'\r
- .$this->getServerPort()\r
- .$this->getServerURI();\r
- }\r
- return $this->_server['base_url']; \r
- }\r
- \r
- /**\r
- * This method is used to retrieve the login URL of the CAS server.\r
- * @param $gateway true to check authentication, false to force it\r
- * @param $renew true to force the authentication with the CAS server\r
- * NOTE : It is recommended that CAS implementations ignore the\r
- "gateway" parameter if "renew" is set\r
- * @return a URL.\r
- * @private\r
- */\r
- function getServerLoginURL($gateway=false,$renew=false) {\r
- phpCAS::traceBegin();\r
- // the URL is build only when needed\r
- if ( empty($this->_server['login_url']) ) {\r
- $this->_server['login_url'] = $this->getServerBaseURL();\r
- $this->_server['login_url'] .= 'login?service=';\r
- // $this->_server['login_url'] .= preg_replace('/&/','%26',$this->getURL());\r
- $this->_server['login_url'] .= urlencode($this->getURL());\r
- if($renew) {\r
- // It is recommended that when the "renew" parameter is set, its value be "true"\r
- $this->_server['login_url'] .= '&renew=true';\r
- } elseif ($gateway) {\r
- // It is recommended that when the "gateway" parameter is set, its value be "true"\r
- $this->_server['login_url'] .= '&gateway=true';\r
- }\r
- }\r
- phpCAS::traceEnd($this->_server['login_url']);\r
- return $this->_server['login_url'];\r
- } \r
- \r
- /**\r
- * This method sets the login URL of the CAS server.\r
- * @param $url the login URL\r
- * @private\r
- * @since 0.4.21 by Wyman Chan\r
- */\r
- function setServerLoginURL($url)\r
- {\r
- return $this->_server['login_url'] = $url;\r
- }\r
- \r
- /**\r
- * This method is used to retrieve the service validating URL of the CAS server.\r
- * @return a URL.\r
- * @private\r
- */\r
- function getServerServiceValidateURL()\r
- { \r
- // the URL is build only when needed\r
- if ( empty($this->_server['service_validate_url']) ) {\r
- switch ($this->getServerVersion()) {\r
- case CAS_VERSION_1_0:\r
- $this->_server['service_validate_url'] = $this->getServerBaseURL().'validate';\r
- break;\r
- case CAS_VERSION_2_0:\r
- $this->_server['service_validate_url'] = $this->getServerBaseURL().'serviceValidate';\r
- break;\r
- }\r
- }\r
- // return $this->_server['service_validate_url'].'?service='.preg_replace('/&/','%26',$this->getURL()); \r
- return $this->_server['service_validate_url'].'?service='.urlencode($this->getURL()); \r
- }\r
- \r
- /**\r
- * This method is used to retrieve the proxy validating URL of the CAS server.\r
- * @return a URL.\r
- * @private\r
- */\r
- function getServerProxyValidateURL()\r
- { \r
- // the URL is build only when needed\r
- if ( empty($this->_server['proxy_validate_url']) ) {\r
- switch ($this->getServerVersion()) {\r
- case CAS_VERSION_1_0:\r
- $this->_server['proxy_validate_url'] = '';\r
- break;\r
- case CAS_VERSION_2_0:\r
- $this->_server['proxy_validate_url'] = $this->getServerBaseURL().'proxyValidate';\r
- break;\r
- }\r
- }\r
- // return $this->_server['proxy_validate_url'].'?service='.preg_replace('/&/','%26',$this->getURL()); \r
- return $this->_server['proxy_validate_url'].'?service='.urlencode($this->getURL()); \r
- }\r
- \r
- /**\r
- * This method is used to retrieve the proxy URL of the CAS server.\r
- * @return a URL.\r
- * @private\r
- */\r
- function getServerProxyURL()\r
- { \r
- // the URL is build only when needed\r
- if ( empty($this->_server['proxy_url']) ) {\r
- switch ($this->getServerVersion()) {\r
- case CAS_VERSION_1_0:\r
- $this->_server['proxy_url'] = '';\r
- break;\r
- case CAS_VERSION_2_0:\r
- $this->_server['proxy_url'] = $this->getServerBaseURL().'proxy';\r
- break;\r
- }\r
- }\r
- return $this->_server['proxy_url']; \r
- }\r
- \r
- /**\r
- * This method is used to retrieve the logout URL of the CAS server.\r
- * @return a URL.\r
- * @private\r
- */\r
- function getServerLogoutURL()\r
- { \r
- // the URL is build only when needed\r
- if ( empty($this->_server['logout_url']) ) {\r
- $this->_server['logout_url'] = $this->getServerBaseURL().'logout';\r
- }\r
- return $this->_server['logout_url']; \r
- }\r
- \r
- /**\r
- * This method sets the logout URL of the CAS server.\r
- * @param $url the logout URL\r
- * @private\r
- * @since 0.4.21 by Wyman Chan\r
- */\r
- function setServerLogoutURL($url)\r
- {\r
- return $this->_server['logout_url'] = $url;\r
- }\r
-\r
- /**\r
- * An array to store extra curl options.\r
- */ \r
- var $_curl_options = array();\r
-\r
- /**\r
- * This method is used to set additional user curl options.\r
- */\r
- function setExtraCurlOption($key, $value)\r
- {\r
- $this->_curl_options[$key] = $value;\r
- }\r
- \r
- /**\r
- * This method checks to see if the request is secured via HTTPS\r
- * @return true if https, false otherwise\r
- * @private\r
- */\r
- function isHttps() {\r
- //if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) ) {\r
- //0.4.24 by Hinnack\r
- if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {\r
- return true;\r
- } else {\r
- return false;\r
- }\r
- }\r
- \r
- // ########################################################################\r
- // CONSTRUCTOR\r
- // ########################################################################\r
- /**\r
- * CASClient constructor.\r
- *\r
- * @param $server_version the version of the CAS server\r
- * @param $proxy TRUE if the CAS client is a CAS proxy, FALSE otherwise\r
- * @param $server_hostname the hostname of the CAS server\r
- * @param $server_port the port the CAS server is running on\r
- * @param $server_uri the URI the CAS server is responding on\r
- * @param $start_session Have phpCAS start PHP sessions (default true)\r
- *\r
- * @return a newly created CASClient object\r
- *\r
- * @public\r
- */\r
- function CASClient(\r
- $server_version,\r
- $proxy,\r
- $server_hostname,\r
- $server_port,\r
- $server_uri,\r
- $start_session = true) {\r
- \r
- phpCAS::traceBegin();\r
- \r
- if (!$this->isLogoutRequest() && !empty($_GET['ticket']) && $start_session) {\r
- // copy old session vars and destroy the current session\r
- if (!isset($_SESSION)) {\r
- session_start();\r
- }\r
- $old_session = $_SESSION;\r
- session_destroy();\r
- // set up a new session, of name based on the ticket\r
- $session_id = preg_replace('/[^\w]/','',$_GET['ticket']);\r
- phpCAS::LOG("Session ID: " . $session_id);\r
- session_id($session_id);\r
- if (!isset($_SESSION)) {\r
- session_start();\r
- }\r
- // restore old session vars\r
+<?php
+
+/**
+ * @file CAS/client.php
+ * Main class of the phpCAS library
+ */
+
+// include internationalization stuff
+include_once(dirname(__FILE__).'/languages/languages.php');
+
+// include PGT storage classes
+include_once(dirname(__FILE__).'/PGTStorage/pgt-main.php');
+
+/**
+ * @class CASClient
+ * The CASClient class is a client interface that provides CAS authentication
+ * to PHP applications.
+ *
+ * @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>
+ */
+
+class CASClient
+{
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX CONFIGURATION XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ // ########################################################################
+ // HTML OUTPUT
+ // ########################################################################
+ /**
+ * @addtogroup internalOutput
+ * @{
+ */
+
+ /**
+ * This method filters a string by replacing special tokens by appropriate values
+ * and prints it. The corresponding tokens are taken into account:
+ * - __CAS_VERSION__
+ * - __PHPCAS_VERSION__
+ * - __SERVER_BASE_URL__
+ *
+ * Used by CASClient::PrintHTMLHeader() and CASClient::printHTMLFooter().
+ *
+ * @param $str the string to filter and output
+ *
+ * @private
+ */
+ function HTMLFilterOutput($str)
+ {
+ $str = str_replace('__CAS_VERSION__',$this->getServerVersion(),$str);
+ $str = str_replace('__PHPCAS_VERSION__',phpCAS::getVersion(),$str);
+ $str = str_replace('__SERVER_BASE_URL__',$this->getServerBaseURL(),$str);
+ echo $str;
+ }
+
+ /**
+ * A string used to print the header of HTML pages. Written by CASClient::setHTMLHeader(),
+ * read by CASClient::printHTMLHeader().
+ *
+ * @hideinitializer
+ * @private
+ * @see CASClient::setHTMLHeader, CASClient::printHTMLHeader()
+ */
+ var $_output_header = '';
+
+ /**
+ * This method prints the header of the HTML output (after filtering). If
+ * CASClient::setHTMLHeader() was not used, a default header is output.
+ *
+ * @param $title the title of the page
+ *
+ * @see HTMLFilterOutput()
+ * @private
+ */
+ function printHTMLHeader($title)
+ {
+ $this->HTMLFilterOutput(str_replace('__TITLE__',
+ $title,
+ (empty($this->_output_header)
+ ? '<html><head><title>__TITLE__</title></head><body><h1>__TITLE__</h1>'
+ : $this->_output_header)
+ )
+ );
+ }
+
+ /**
+ * A string used to print the footer of HTML pages. Written by CASClient::setHTMLFooter(),
+ * read by printHTMLFooter().
+ *
+ * @hideinitializer
+ * @private
+ * @see CASClient::setHTMLFooter, CASClient::printHTMLFooter()
+ */
+ var $_output_footer = '';
+
+ /**
+ * This method prints the footer of the HTML output (after filtering). If
+ * CASClient::setHTMLFooter() was not used, a default footer is output.
+ *
+ * @see HTMLFilterOutput()
+ * @private
+ */
+ function printHTMLFooter()
+ {
+ $this->HTMLFilterOutput(empty($this->_output_footer)
+ ?('<hr><address>phpCAS __PHPCAS_VERSION__ '.$this->getString(CAS_STR_USING_SERVER).' <a href="__SERVER_BASE_URL__">__SERVER_BASE_URL__</a> (CAS __CAS_VERSION__)</a></address></body></html>')
+ :$this->_output_footer);
+ }
+
+ /**
+ * This method set the HTML header used for all outputs.
+ *
+ * @param $header the HTML header.
+ *
+ * @public
+ */
+ function setHTMLHeader($header)
+ {
+ $this->_output_header = $header;
+ }
+
+ /**
+ * This method set the HTML footer used for all outputs.
+ *
+ * @param $footer the HTML footer.
+ *
+ * @public
+ */
+ function setHTMLFooter($footer)
+ {
+ $this->_output_footer = $footer;
+ }
+
+ /** @} */
+ // ########################################################################
+ // INTERNATIONALIZATION
+ // ########################################################################
+ /**
+ * @addtogroup internalLang
+ * @{
+ */
+ /**
+ * A string corresponding to the language used by phpCAS. Written by
+ * CASClient::setLang(), read by CASClient::getLang().
+
+ * @note debugging information is always in english (debug purposes only).
+ *
+ * @hideinitializer
+ * @private
+ * @sa CASClient::_strings, CASClient::getString()
+ */
+ var $_lang = '';
+
+ /**
+ * This method returns the language used by phpCAS.
+ *
+ * @return a string representing the language
+ *
+ * @private
+ */
+ function getLang()
+ {
+ if ( empty($this->_lang) )
+ $this->setLang(PHPCAS_LANG_DEFAULT);
+ return $this->_lang;
+ }
+
+ /**
+ * array containing the strings used by phpCAS. Written by CASClient::setLang(), read by
+ * CASClient::getString() and used by CASClient::setLang().
+ *
+ * @note This array is filled by instructions in CAS/languages/<$this->_lang>.php
+ *
+ * @private
+ * @see CASClient::_lang, CASClient::getString(), CASClient::setLang(), CASClient::getLang()
+ */
+ var $_strings;
+
+ /**
+ * This method returns a string depending on the language.
+ *
+ * @param $str the index of the string in $_string.
+ *
+ * @return the string corresponding to $index in $string.
+ *
+ * @private
+ */
+ function getString($str)
+ {
+ // call CASclient::getLang() to be sure the language is initialized
+ $this->getLang();
+
+ if ( !isset($this->_strings[$str]) ) {
+ trigger_error('string `'.$str.'\' not defined for language `'.$this->getLang().'\'',E_USER_ERROR);
+ }
+ return $this->_strings[$str];
+ }
+
+ /**
+ * This method is used to set the language used by phpCAS.
+ * @note Can be called only once.
+ *
+ * @param $lang a string representing the language.
+ *
+ * @public
+ * @sa CAS_LANG_FRENCH, CAS_LANG_ENGLISH
+ */
+ function setLang($lang)
+ {
+ // include the corresponding language file
+ include_once(dirname(__FILE__).'/languages/'.$lang.'.php');
+
+ if ( !is_array($this->_strings) ) {
+ trigger_error('language `'.$lang.'\' is not implemented',E_USER_ERROR);
+ }
+ $this->_lang = $lang;
+ }
+
+ /** @} */
+ // ########################################################################
+ // CAS SERVER CONFIG
+ // ########################################################################
+ /**
+ * @addtogroup internalConfig
+ * @{
+ */
+
+ /**
+ * a record to store information about the CAS server.
+ * - $_server["version"]: the version of the CAS server
+ * - $_server["hostname"]: the hostname of the CAS server
+ * - $_server["port"]: the port the CAS server is running on
+ * - $_server["uri"]: the base URI the CAS server is responding on
+ * - $_server["base_url"]: the base URL of the CAS server
+ * - $_server["login_url"]: the login URL of the CAS server
+ * - $_server["service_validate_url"]: the service validating URL of the CAS server
+ * - $_server["proxy_url"]: the proxy URL of the CAS server
+ * - $_server["proxy_validate_url"]: the proxy validating URL of the CAS server
+ * - $_server["logout_url"]: the logout URL of the CAS server
+ *
+ * $_server["version"], $_server["hostname"], $_server["port"] and $_server["uri"]
+ * are written by CASClient::CASClient(), read by CASClient::getServerVersion(),
+ * CASClient::getServerHostname(), CASClient::getServerPort() and CASClient::getServerURI().
+ *
+ * The other fields are written and read by CASClient::getServerBaseURL(),
+ * CASClient::getServerLoginURL(), CASClient::getServerServiceValidateURL(),
+ * CASClient::getServerProxyValidateURL() and CASClient::getServerLogoutURL().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_server = array(
+ 'version' => -1,
+ 'hostname' => 'none',
+ 'port' => -1,
+ 'uri' => 'none'
+ );
+
+ /**
+ * This method is used to retrieve the version of the CAS server.
+ * @return the version of the CAS server.
+ * @private
+ */
+ function getServerVersion()
+ {
+ return $this->_server['version'];
+ }
+
+ /**
+ * This method is used to retrieve the hostname of the CAS server.
+ * @return the hostname of the CAS server.
+ * @private
+ */
+ function getServerHostname()
+ { return $this->_server['hostname']; }
+
+ /**
+ * This method is used to retrieve the port of the CAS server.
+ * @return the port of the CAS server.
+ * @private
+ */
+ function getServerPort()
+ { return $this->_server['port']; }
+
+ /**
+ * This method is used to retrieve the URI of the CAS server.
+ * @return a URI.
+ * @private
+ */
+ function getServerURI()
+ { return $this->_server['uri']; }
+
+ /**
+ * This method is used to retrieve the base URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerBaseURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['base_url']) ) {
+ $this->_server['base_url'] = 'https://'
+ .$this->getServerHostname()
+ .':'
+ .$this->getServerPort()
+ .$this->getServerURI();
+ }
+ return $this->_server['base_url'];
+ }
+
+ /**
+ * This method is used to retrieve the login URL of the CAS server.
+ * @param $gateway true to check authentication, false to force it
+ * @param $renew true to force the authentication with the CAS server
+ * NOTE : It is recommended that CAS implementations ignore the
+ "gateway" parameter if "renew" is set
+ * @return a URL.
+ * @private
+ */
+ function getServerLoginURL($gateway=false,$renew=false) {
+ phpCAS::traceBegin();
+ // the URL is build only when needed
+ if ( empty($this->_server['login_url']) ) {
+ $this->_server['login_url'] = $this->getServerBaseURL();
+ $this->_server['login_url'] .= 'login?service=';
+ // $this->_server['login_url'] .= preg_replace('/&/','%26',$this->getURL());
+ $this->_server['login_url'] .= urlencode($this->getURL());
+ if($renew) {
+ // It is recommended that when the "renew" parameter is set, its value be "true"
+ $this->_server['login_url'] .= '&renew=true';
+ } elseif ($gateway) {
+ // It is recommended that when the "gateway" parameter is set, its value be "true"
+ $this->_server['login_url'] .= '&gateway=true';
+ }
+ }
+ phpCAS::traceEnd($this->_server['login_url']);
+ return $this->_server['login_url'];
+ }
+
+ /**
+ * This method sets the login URL of the CAS server.
+ * @param $url the login URL
+ * @private
+ * @since 0.4.21 by Wyman Chan
+ */
+ function setServerLoginURL($url)
+ {
+ return $this->_server['login_url'] = $url;
+ }
+
+ /**
+ * This method is used to retrieve the service validating URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerServiceValidateURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['service_validate_url']) ) {
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0:
+ $this->_server['service_validate_url'] = $this->getServerBaseURL().'validate';
+ break;
+ case CAS_VERSION_2_0:
+ $this->_server['service_validate_url'] = $this->getServerBaseURL().'serviceValidate';
+ break;
+ }
+ }
+ // return $this->_server['service_validate_url'].'?service='.preg_replace('/&/','%26',$this->getURL());
+ return $this->_server['service_validate_url'].'?service='.urlencode($this->getURL());
+ }
+
+ /**
+ * This method is used to retrieve the proxy validating URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerProxyValidateURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['proxy_validate_url']) ) {
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0:
+ $this->_server['proxy_validate_url'] = '';
+ break;
+ case CAS_VERSION_2_0:
+ $this->_server['proxy_validate_url'] = $this->getServerBaseURL().'proxyValidate';
+ break;
+ }
+ }
+ // return $this->_server['proxy_validate_url'].'?service='.preg_replace('/&/','%26',$this->getURL());
+ return $this->_server['proxy_validate_url'].'?service='.urlencode($this->getURL());
+ }
+
+ /**
+ * This method is used to retrieve the proxy URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerProxyURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['proxy_url']) ) {
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0:
+ $this->_server['proxy_url'] = '';
+ break;
+ case CAS_VERSION_2_0:
+ $this->_server['proxy_url'] = $this->getServerBaseURL().'proxy';
+ break;
+ }
+ }
+ return $this->_server['proxy_url'];
+ }
+
+ /**
+ * This method is used to retrieve the logout URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerLogoutURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['logout_url']) ) {
+ $this->_server['logout_url'] = $this->getServerBaseURL().'logout';
+ }
+ return $this->_server['logout_url'];
+ }
+
+ /**
+ * This method sets the logout URL of the CAS server.
+ * @param $url the logout URL
+ * @private
+ * @since 0.4.21 by Wyman Chan
+ */
+ function setServerLogoutURL($url)
+ {
+ return $this->_server['logout_url'] = $url;
+ }
+
+ /**
+ * An array to store extra curl options.
+ */
+ var $_curl_options = array();
+
+ /**
+ * This method is used to set additional user curl options.
+ */
+ function setExtraCurlOption($key, $value)
+ {
+ $this->_curl_options[$key] = $value;
+ }
+
+ /**
+ * This method checks to see if the request is secured via HTTPS
+ * @return true if https, false otherwise
+ * @private
+ */
+ function isHttps() {
+ //if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) ) {
+ //0.4.24 by Hinnack
+ if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ // ########################################################################
+ // CONSTRUCTOR
+ // ########################################################################
+ /**
+ * CASClient constructor.
+ *
+ * @param $server_version the version of the CAS server
+ * @param $proxy TRUE if the CAS client is a CAS proxy, FALSE otherwise
+ * @param $server_hostname the hostname of the CAS server
+ * @param $server_port the port the CAS server is running on
+ * @param $server_uri the URI the CAS server is responding on
+ * @param $start_session Have phpCAS start PHP sessions (default true)
+ *
+ * @return a newly created CASClient object
+ *
+ * @public
+ */
+ function CASClient(
+ $server_version,
+ $proxy,
+ $server_hostname,
+ $server_port,
+ $server_uri,
+ $start_session = true) {
+
+ phpCAS::traceBegin();
+
+ if (!$this->isLogoutRequest() && !empty($_GET['ticket']) && $start_session) {
+ // copy old session vars and destroy the current session
+ if (!isset($_SESSION)) {
+ session_start();
+ }
+ $old_session = $_SESSION;
+ session_destroy();
+ // set up a new session, of name based on the ticket
+ $session_id = preg_replace('/[^\w]/','',$_GET['ticket']);
+ phpCAS::LOG("Session ID: " . $session_id);
+ session_id($session_id);
+ if (!isset($_SESSION)) {
+ session_start();
+ }
+ // restore old session vars
$_SESSION = $old_session;
// Redirect to location without ticket.
- header('Location: '.$this->getURL());\r
- }\r
- \r
- //activate session mechanism if desired\r
- if (!$this->isLogoutRequest() && $start_session) {\r
- session_start();\r
- }\r
- \r
- $this->_proxy = $proxy;\r
- \r
- //check version\r
- switch ($server_version) {\r
- case CAS_VERSION_1_0:\r
- if ( $this->isProxy() )\r
- phpCAS::error('CAS proxies are not supported in CAS '\r
- .$server_version);\r
- break;\r
- case CAS_VERSION_2_0:\r
- break;\r
- default:\r
- phpCAS::error('this version of CAS (`'\r
- .$server_version\r
- .'\') is not supported by phpCAS '\r
- .phpCAS::getVersion());\r
- }\r
- $this->_server['version'] = $server_version;\r
- \r
- //check hostname\r
- if ( empty($server_hostname) \r
- || !preg_match('/[\.\d\-abcdefghijklmnopqrstuvwxyz]*/',$server_hostname) ) {\r
- phpCAS::error('bad CAS server hostname (`'.$server_hostname.'\')');\r
- }\r
- $this->_server['hostname'] = $server_hostname;\r
- \r
- //check port\r
- if ( $server_port == 0 \r
- || !is_int($server_port) ) {\r
- phpCAS::error('bad CAS server port (`'.$server_hostname.'\')');\r
- }\r
- $this->_server['port'] = $server_port;\r
- \r
- //check URI\r
- if ( !preg_match('/[\.\d\-_abcdefghijklmnopqrstuvwxyz\/]*/',$server_uri) ) {\r
- phpCAS::error('bad CAS server URI (`'.$server_uri.'\')');\r
- }\r
- //add leading and trailing `/' and remove doubles \r
- $server_uri = preg_replace('/\/\//','/','/'.$server_uri.'/');\r
- $this->_server['uri'] = $server_uri;\r
- \r
- //set to callback mode if PgtIou and PgtId CGI GET parameters are provided \r
- if ( $this->isProxy() ) {\r
- $this->setCallbackMode(!empty($_GET['pgtIou'])&&!empty($_GET['pgtId']));\r
- }\r
- \r
- if ( $this->isCallbackMode() ) {\r
- //callback mode: check that phpCAS is secured\r
- if ( !$this->isHttps() ) {\r
- phpCAS::error('CAS proxies must be secured to use phpCAS; PGT\'s will not be received from the CAS server');\r
- }\r
- } else {\r
- //normal mode: get ticket and remove it from CGI parameters for developpers\r
- $ticket = (isset($_GET['ticket']) ? $_GET['ticket'] : null);\r
- switch ($this->getServerVersion()) {\r
- case CAS_VERSION_1_0: // check for a Service Ticket\r
- if( preg_match('/^ST-/',$ticket) ) {\r
- phpCAS::trace('ST \''.$ticket.'\' found');\r
- //ST present\r
- $this->setST($ticket);\r
- //ticket has been taken into account, unset it to hide it to applications\r
- unset($_GET['ticket']);\r
- } else if ( !empty($ticket) ) {\r
- //ill-formed ticket, halt\r
- phpCAS::error('ill-formed ticket found in the URL (ticket=`'.htmlentities($ticket).'\')');\r
- }\r
- break;\r
- case CAS_VERSION_2_0: // check for a Service or Proxy Ticket\r
- if( preg_match('/^[SP]T-/',$ticket) ) {\r
- phpCAS::trace('ST or PT \''.$ticket.'\' found');\r
- $this->setPT($ticket);\r
- unset($_GET['ticket']);\r
- } else if ( !empty($ticket) ) {\r
- //ill-formed ticket, halt\r
- phpCAS::error('ill-formed ticket found in the URL (ticket=`'.htmlentities($ticket).'\')');\r
- } \r
- break;\r
- }\r
- }\r
- phpCAS::traceEnd();\r
- }\r
- \r
- /** @} */\r
- \r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- // XX XX\r
- // XX AUTHENTICATION XX\r
- // XX XX\r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- \r
- /**\r
- * @addtogroup internalAuthentication\r
- * @{\r
- */ \r
- \r
- /**\r
- * The Authenticated user. Written by CASClient::setUser(), read by CASClient::getUser().\r
- * @attention client applications should use phpCAS::getUser().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_user = '';\r
- \r
- /**\r
- * This method sets the CAS user's login name.\r
- *\r
- * @param $user the login name of the authenticated user.\r
- *\r
- * @private\r
- */\r
- function setUser($user)\r
- {\r
- $this->_user = $user;\r
- }\r
- \r
- /**\r
- * This method returns the CAS user's login name.\r
- * @warning should be called only after CASClient::forceAuthentication() or \r
- * CASClient::isAuthenticated(), otherwise halt with an error.\r
- *\r
- * @return the login name of the authenticated user\r
- */\r
- function getUser()\r
- {\r
- if ( empty($this->_user) ) {\r
- phpCAS::error('this method should be used only after '.__CLASS__.'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()');\r
- }\r
- return $this->_user;\r
- }\r
- \r
- /**\r
- * This method is called to renew the authentication of the user\r
- * If the user is authenticated, renew the connection\r
- * If not, redirect to CAS\r
- * @public\r
- */\r
- function renewAuthentication(){\r
- phpCAS::traceBegin();\r
- // Either way, the user is authenticated by CAS\r
- if( isset( $_SESSION['phpCAS']['auth_checked'] ) )\r
- unset($_SESSION['phpCAS']['auth_checked']);\r
- if ( $this->isAuthenticated() ) {\r
- phpCAS::trace('user already authenticated; renew');\r
- $this->redirectToCas(false,true);\r
- } else {\r
- $this->redirectToCas();\r
- }\r
- phpCAS::traceEnd();\r
- }\r
-\r
- /**\r
- * This method is called to be sure that the user is authenticated. When not \r
- * authenticated, halt by redirecting to the CAS server; otherwise return TRUE.\r
- * @return TRUE when the user is authenticated; otherwise halt.\r
- * @public\r
- */\r
- function forceAuthentication()\r
- {\r
- phpCAS::traceBegin();\r
- \r
- if ( $this->isAuthenticated() ) {\r
- // the user is authenticated, nothing to be done.\r
- phpCAS::trace('no need to authenticate');\r
- $res = TRUE;\r
- } else {\r
- // the user is not authenticated, redirect to the CAS server\r
- if (isset($_SESSION['phpCAS']['auth_checked'])) {\r
- unset($_SESSION['phpCAS']['auth_checked']);\r
- }\r
- $this->redirectToCas(FALSE/* no gateway */); \r
- // never reached\r
- $res = FALSE;\r
- }\r
- phpCAS::traceEnd($res);\r
- return $res;\r
- }\r
- \r
- /**\r
- * An integer that gives the number of times authentication will be cached before rechecked.\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_cache_times_for_auth_recheck = 0;\r
- \r
- /**\r
- * Set the number of times authentication will be cached before rechecked.\r
- *\r
- * @param $n an integer.\r
- *\r
- * @public\r
- */\r
- function setCacheTimesForAuthRecheck($n)\r
- {\r
- $this->_cache_times_for_auth_recheck = $n;\r
- }\r
- \r
- /**\r
- * This method is called to check whether the user is authenticated or not.\r
- * @return TRUE when the user is authenticated, FALSE otherwise.\r
- * @public\r
- */\r
- function checkAuthentication()\r
- {\r
- phpCAS::traceBegin();\r
- \r
- if ( $this->isAuthenticated() ) {\r
- phpCAS::trace('user is authenticated');\r
- $res = TRUE;\r
- } else if (isset($_SESSION['phpCAS']['auth_checked'])) {\r
- // the previous request has redirected the client to the CAS server with gateway=true\r
- unset($_SESSION['phpCAS']['auth_checked']);\r
- $res = FALSE;\r
- } else {\r
- // $_SESSION['phpCAS']['auth_checked'] = true;\r
- // $this->redirectToCas(TRUE/* gateway */); \r
- // // never reached\r
- // $res = FALSE;\r
- // avoid a check against CAS on every request\r
- if (! isset($_SESSION['phpCAS']['unauth_count']) )\r
- $_SESSION['phpCAS']['unauth_count'] = -2; // uninitialized\r
- \r
- if (($_SESSION['phpCAS']['unauth_count'] != -2 && $this->_cache_times_for_auth_recheck == -1) \r
- || ($_SESSION['phpCAS']['unauth_count'] >= 0 && $_SESSION['phpCAS']['unauth_count'] < $this->_cache_times_for_auth_recheck))\r
- {\r
- $res = FALSE;\r
- \r
- if ($this->_cache_times_for_auth_recheck != -1)\r
- {\r
- $_SESSION['phpCAS']['unauth_count']++;\r
- phpCAS::trace('user is not authenticated (cached for '.$_SESSION['phpCAS']['unauth_count'].' times of '.$this->_cache_times_for_auth_recheck.')');\r
- }\r
- else\r
- {\r
- phpCAS::trace('user is not authenticated (cached for until login pressed)');\r
- }\r
- }\r
- else\r
- {\r
- $_SESSION['phpCAS']['unauth_count'] = 0;\r
- $_SESSION['phpCAS']['auth_checked'] = true;\r
- phpCAS::trace('user is not authenticated (cache reset)');\r
- $this->redirectToCas(TRUE/* gateway */); \r
- // never reached\r
- $res = FALSE;\r
- }\r
- }\r
- phpCAS::traceEnd($res);\r
- return $res;\r
- }\r
- \r
- /**\r
- * This method is called to check if the user is authenticated (previously or by\r
- * tickets given in the URL).\r
- *\r
- * @return TRUE when the user is authenticated.\r
- *\r
- * @public\r
- */\r
- function isAuthenticated()\r
- {\r
- phpCAS::traceBegin();\r
- $res = FALSE;\r
- $validate_url = '';\r
- \r
- if ( $this->wasPreviouslyAuthenticated() ) {\r
- // the user has already (previously during the session) been \r
- // authenticated, nothing to be done.\r
- phpCAS::trace('user was already authenticated, no need to look for tickets');\r
- $res = TRUE;\r
- } \r
- elseif ( $this->hasST() ) {\r
- // if a Service Ticket was given, validate it\r
- phpCAS::trace('ST `'.$this->getST().'\' is present');\r
- $this->validateST($validate_url,$text_response,$tree_response); // if it fails, it halts\r
- phpCAS::trace('ST `'.$this->getST().'\' was validated');\r
- if ( $this->isProxy() ) {\r
- $this->validatePGT($validate_url,$text_response,$tree_response); // idem\r
- phpCAS::trace('PGT `'.$this->getPGT().'\' was validated');\r
- $_SESSION['phpCAS']['pgt'] = $this->getPGT();\r
- }\r
- $_SESSION['phpCAS']['user'] = $this->getUser();\r
- $res = TRUE;\r
- }\r
- elseif ( $this->hasPT() ) {\r
- // if a Proxy Ticket was given, validate it\r
- phpCAS::trace('PT `'.$this->getPT().'\' is present');\r
- $this->validatePT($validate_url,$text_response,$tree_response); // note: if it fails, it halts\r
- phpCAS::trace('PT `'.$this->getPT().'\' was validated');\r
- if ( $this->isProxy() ) {\r
- $this->validatePGT($validate_url,$text_response,$tree_response); // idem\r
- phpCAS::trace('PGT `'.$this->getPGT().'\' was validated');\r
- $_SESSION['phpCAS']['pgt'] = $this->getPGT();\r
- }\r
- $_SESSION['phpCAS']['user'] = $this->getUser();\r
- $res = TRUE;\r
- } \r
- else {\r
- // no ticket given, not authenticated\r
- phpCAS::trace('no ticket found');\r
- }\r
- \r
- phpCAS::traceEnd($res);\r
- return $res;\r
- }\r
- \r
- /**\r
- * This method tells if the current session is authenticated.\r
- * @return true if authenticated based soley on $_SESSION variable\r
- * @since 0.4.22 by Brendan Arnold\r
- */\r
- function isSessionAuthenticated ()\r
- {\r
- return !empty($_SESSION['phpCAS']['user']);\r
- }\r
- \r
- /**\r
- * This method tells if the user has already been (previously) authenticated\r
- * by looking into the session variables.\r
- *\r
- * @note This function switches to callback mode when needed.\r
- *\r
- * @return TRUE when the user has already been authenticated; FALSE otherwise.\r
- *\r
- * @private\r
- */\r
- function wasPreviouslyAuthenticated()\r
- {\r
- phpCAS::traceBegin();\r
- \r
- if ( $this->isCallbackMode() ) {\r
- $this->callback();\r
- }\r
- \r
- $auth = FALSE;\r
- \r
- if ( $this->isProxy() ) {\r
- // CAS proxy: username and PGT must be present\r
- if ( $this->isSessionAuthenticated() && !empty($_SESSION['phpCAS']['pgt']) ) {\r
- // authentication already done\r
- $this->setUser($_SESSION['phpCAS']['user']);\r
- $this->setPGT($_SESSION['phpCAS']['pgt']);\r
- phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\', PGT = `'.$_SESSION['phpCAS']['pgt'].'\''); \r
- $auth = TRUE;\r
- } elseif ( $this->isSessionAuthenticated() && empty($_SESSION['phpCAS']['pgt']) ) {\r
- // these two variables should be empty or not empty at the same time\r
- phpCAS::trace('username found (`'.$_SESSION['phpCAS']['user'].'\') but PGT is empty');\r
- // unset all tickets to enforce authentication\r
- unset($_SESSION['phpCAS']);\r
- $this->setST('');\r
- $this->setPT('');\r
- } elseif ( !$this->isSessionAuthenticated() && !empty($_SESSION['phpCAS']['pgt']) ) {\r
- // these two variables should be empty or not empty at the same time\r
- phpCAS::trace('PGT found (`'.$_SESSION['phpCAS']['pgt'].'\') but username is empty'); \r
- // unset all tickets to enforce authentication\r
- unset($_SESSION['phpCAS']);\r
- $this->setST('');\r
- $this->setPT('');\r
- } else {\r
- phpCAS::trace('neither user not PGT found'); \r
- }\r
- } else {\r
- // `simple' CAS client (not a proxy): username must be present\r
- if ( $this->isSessionAuthenticated() ) {\r
- // authentication already done\r
- $this->setUser($_SESSION['phpCAS']['user']);\r
- phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\''); \r
- $auth = TRUE;\r
- } else {\r
- phpCAS::trace('no user found');\r
- }\r
- }\r
- \r
- phpCAS::traceEnd($auth);\r
- return $auth;\r
- }\r
- \r
- /**\r
- * This method is used to redirect the client to the CAS server.\r
- * It is used by CASClient::forceAuthentication() and CASClient::checkAuthentication().\r
- * @param $gateway true to check authentication, false to force it\r
- * @param $renew true to force the authentication with the CAS server\r
- * @public\r
- */\r
- function redirectToCas($gateway=false,$renew=false){\r
- phpCAS::traceBegin();\r
- $cas_url = $this->getServerLoginURL($gateway,$renew);\r
- header('Location: '.$cas_url);\r
- phpCAS::log( "Redirect to : ".$cas_url );\r
- \r
- $this->printHTMLHeader($this->getString(CAS_STR_AUTHENTICATION_WANTED));\r
- \r
- printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);\r
- $this->printHTMLFooter();\r
- phpCAS::traceExit();\r
- exit();\r
- }\r
-\r
-// /**\r
-// * This method is used to logout from CAS.\r
-// * @param $url a URL that will be transmitted to the CAS server (to come back to when logged out)\r
-// * @public\r
-// */\r
-// function logout($url = "") {\r
-// phpCAS::traceBegin();\r
-// $cas_url = $this->getServerLogoutURL();\r
-// // v0.4.14 sebastien.gougeon at univ-rennes1.fr\r
-// // header('Location: '.$cas_url);\r
-// if ( $url != "" ) {\r
-// // Adam Moore 1.0.0RC2\r
-// $url = '?service=' . $url . '&url=' . $url;\r
-// }\r
-// header('Location: '.$cas_url . $url);\r
-// session_unset();\r
-// session_destroy();\r
-// $this->printHTMLHeader($this->getString(CAS_STR_LOGOUT));\r
-// printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);\r
-// $this->printHTMLFooter();\r
-// phpCAS::traceExit();\r
-// exit();\r
-// }\r
- \r
- /**\r
- * This method is used to logout from CAS.\r
- * @params $params an array that contains the optional url and service parameters that will be passed to the CAS server\r
- * @public\r
- */\r
- function logout($params) {\r
- phpCAS::traceBegin();\r
- $cas_url = $this->getServerLogoutURL();\r
- $paramSeparator = '?';\r
- if (isset($params['url'])) {\r
- $cas_url = $cas_url . $paramSeparator . "url=" . urlencode($params['url']); \r
- $paramSeparator = '&';\r
- }\r
- if (isset($params['service'])) {\r
- $cas_url = $cas_url . $paramSeparator . "service=" . urlencode($params['service']); \r
- }\r
- header('Location: '.$cas_url);\r
- session_unset();\r
- session_destroy();\r
- $this->printHTMLHeader($this->getString(CAS_STR_LOGOUT));\r
- printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);\r
- $this->printHTMLFooter();\r
- phpCAS::traceExit();\r
- exit();\r
- }\r
- \r
- /**\r
- * @return true if the current request is a logout request.\r
- * @private\r
- */\r
- function isLogoutRequest() {\r
- return !empty($_POST['logoutRequest']);\r
- }\r
- \r
- /**\r
- * @return true if a logout request is allowed.\r
- * @private\r
- */\r
- function isLogoutRequestAllowed() {\r
- }\r
- \r
- /**\r
- * This method handles logout requests.\r
- * @param $check_client true to check the client bofore handling the request, \r
- * false not to perform any access control. True by default.\r
- * @param $allowed_clients an array of host names allowed to send logout requests. \r
- * By default, only the CAs server (declared in the constructor) will be allowed.\r
- * @public\r
- */\r
- function handleLogoutRequests($check_client=true, $allowed_clients=false) {\r
- phpCAS::traceBegin();\r
- if (!$this->isLogoutRequest()) {\r
- phpCAS::log("Not a logout request");\r
- phpCAS::traceEnd();\r
- return;\r
- }\r
- phpCAS::log("Logout requested");\r
- phpCAS::log("SAML REQUEST: ".$_POST['logoutRequest']);\r
- if ($check_client) {\r
- if (!$allowed_clients) {\r
- $allowed_clients = array( $this->getServerHostname() ); \r
- }\r
- $client_ip = $_SERVER['REMOTE_ADDR'];\r
- $client = gethostbyaddr($client_ip);\r
- phpCAS::log("Client: ".$client);\r
- $allowed = false;\r
- foreach ($allowed_clients as $allowed_client) {\r
- if ($client == $allowed_client) {\r
- phpCAS::log("Allowed client '".$allowed_client."' matches, logout request is allowed");\r
- $allowed = true;\r
- break;\r
- } else {\r
- phpCAS::log("Allowed client '".$allowed_client."' does not match");\r
- }\r
- }\r
- if (!$allowed) {\r
- phpCAS::error("Unauthorized logout request from client '".$client."'");\r
- printf("Unauthorized!");\r
- phpCAS::traceExit();\r
- exit();\r
- }\r
- } else {\r
- phpCAS::log("No access control set");\r
- }\r
- // Extract the ticket from the SAML Request\r
- preg_match("|<samlp:SessionIndex>(.*)</samlp:SessionIndex>|", $_POST['logoutRequest'], $tick, PREG_OFFSET_CAPTURE, 3);\r
- $wrappedSamlSessionIndex = preg_replace('|<samlp:SessionIndex>|','',$tick[0][0]);\r
- $ticket2logout = preg_replace('|</samlp:SessionIndex>|','',$wrappedSamlSessionIndex);\r
- phpCAS::log("Ticket to logout: ".$ticket2logout);\r
- $session_id = preg_replace('/[^\w]/','',$ticket2logout);\r
- phpCAS::log("Session id: ".$session_id);\r
-\r
- // fix New session ID\r
- session_id($session_id);\r
- $_COOKIE[session_name()]=$session_id;\r
- $_GET[session_name()]=$session_id;\r
- \r
- // Overwrite session\r
- session_start(); \r
- session_unset();\r
- session_destroy();\r
- printf("Disconnected!");\r
- phpCAS::traceExit();\r
- exit();\r
- }\r
- \r
- /** @} */\r
- \r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- // XX XX\r
- // XX BASIC CLIENT FEATURES (CAS 1.0) XX\r
- // XX XX\r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- \r
- // ########################################################################\r
- // ST\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalBasic\r
- * @{\r
- */ \r
- \r
- /**\r
- * the Service Ticket provided in the URL of the request if present\r
- * (empty otherwise). Written by CASClient::CASClient(), read by \r
- * CASClient::getST() and CASClient::hasPGT().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_st = '';\r
- \r
- /**\r
- * This method returns the Service Ticket provided in the URL of the request.\r
- * @return The service ticket.\r
- * @private\r
- */\r
- function getST()\r
- { return $this->_st; }\r
- \r
- /**\r
- * This method stores the Service Ticket.\r
- * @param $st The Service Ticket.\r
- * @private\r
- */\r
- function setST($st)\r
- { $this->_st = $st; }\r
- \r
- /**\r
- * This method tells if a Service Ticket was stored.\r
- * @return TRUE if a Service Ticket has been stored.\r
- * @private\r
- */\r
- function hasST()\r
- { return !empty($this->_st); }\r
- \r
- /** @} */\r
- \r
- // ########################################################################\r
- // ST VALIDATION\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalBasic\r
- * @{\r
- */ \r
- \r
- /**\r
- * the certificate of the CAS server.\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_cas_server_cert = '';\r
- \r
- /**\r
- * the certificate of the CAS server CA.\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_cas_server_ca_cert = '';\r
- \r
- /**\r
- * Set to true not to validate the CAS server.\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_no_cas_server_validation = false;\r
- \r
- /**\r
- * Set the certificate of the CAS server.\r
- *\r
- * @param $cert the PEM certificate\r
- */\r
- function setCasServerCert($cert)\r
- {\r
- $this->_cas_server_cert = $cert;\r
- }\r
- \r
- /**\r
- * Set the CA certificate of the CAS server.\r
- *\r
- * @param $cert the PEM certificate of the CA that emited the cert of the server\r
- */\r
- function setCasServerCACert($cert)\r
- {\r
- $this->_cas_server_ca_cert = $cert;\r
- }\r
- \r
- /**\r
- * Set no SSL validation for the CAS server.\r
- */\r
- function setNoCasServerValidation()\r
- {\r
- $this->_no_cas_server_validation = true;\r
- }\r
- \r
- /**\r
- * This method is used to validate a ST; halt on failure, and sets $validate_url,\r
- * $text_reponse and $tree_response on success. These parameters are used later\r
- * by CASClient::validatePGT() for CAS proxies.\r
- * \r
- * @param $validate_url the URL of the request to the CAS server.\r
- * @param $text_response the response of the CAS server, as is (XML text).\r
- * @param $tree_response the response of the CAS server, as a DOM XML tree.\r
- *\r
- * @return bool TRUE when successfull, halt otherwise by calling CASClient::authError().\r
- *\r
- * @private\r
- */\r
- function validateST($validate_url,&$text_response,&$tree_response)\r
- {\r
- phpCAS::traceBegin();\r
- // build the URL to validate the ticket\r
- $validate_url = $this->getServerServiceValidateURL().'&ticket='.$this->getST();\r
- if ( $this->isProxy() ) {\r
- // pass the callback url for CAS proxies\r
- $validate_url .= '&pgtUrl='.$this->getCallbackURL();\r
- }\r
- \r
- // open and read the URL\r
- if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) {\r
- phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')');\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- TRUE/*$no_response*/);\r
- }\r
- \r
- // analyze the result depending on the version\r
- switch ($this->getServerVersion()) {\r
- case CAS_VERSION_1_0:\r
- if (preg_match('/^no\n/',$text_response)) {\r
- phpCAS::trace('ST has not been validated');\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- FALSE/*$bad_response*/,\r
- $text_response);\r
- }\r
- if (!preg_match('/^yes\n/',$text_response)) {\r
- phpCAS::trace('ill-formed response');\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- // ST has been validated, extract the user name\r
- $arr = preg_split('/\n/',$text_response);\r
- $this->setUser(trim($arr[1]));\r
- break;\r
- case CAS_VERSION_2_0:\r
- // read the response of the CAS server into a DOM object\r
- if ( !($dom = domxml_open_mem($text_response))) {\r
- phpCAS::trace('domxml_open_mem() failed');\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- // read the root node of the XML tree\r
- if ( !($tree_response = $dom->document_element()) ) {\r
- phpCAS::trace('document_element() failed');\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- // insure that tag name is 'serviceResponse'\r
- if ( $tree_response->node_name() != 'serviceResponse' ) {\r
- phpCAS::trace('bad XML root node (should be `serviceResponse\' instead of `'.$tree_response->node_name().'\'');\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- if ( sizeof($success_elements = $tree_response->get_elements_by_tagname("authenticationSuccess")) != 0) {\r
- // authentication succeded, extract the user name\r
- if ( sizeof($user_elements = $success_elements[0]->get_elements_by_tagname("user")) == 0) {\r
- phpCAS::trace('<authenticationSuccess> found, but no <user>');\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- $user = trim($user_elements[0]->get_content());\r
- phpCAS::trace('user = `'.$user);\r
- $this->setUser($user);\r
- \r
- } else if ( sizeof($failure_elements = $tree_response->get_elements_by_tagname("authenticationFailure")) != 0) {\r
- phpCAS::trace('<authenticationFailure> found');\r
- // authentication failed, extract the error code and message\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- FALSE/*$bad_response*/,\r
- $text_response,\r
- $failure_elements[0]->get_attribute('code')/*$err_code*/,\r
- trim($failure_elements[0]->get_content())/*$err_msg*/);\r
- } else {\r
- phpCAS::trace('neither <authenticationSuccess> nor <authenticationFailure> found');\r
- $this->authError('ST not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- break;\r
- }\r
- \r
- // at this step, ST has been validated and $this->_user has been set,\r
- phpCAS::traceEnd(TRUE);\r
- return TRUE;\r
- }\r
- \r
- /** @} */\r
- \r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- // XX XX\r
- // XX PROXY FEATURES (CAS 2.0) XX\r
- // XX XX\r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- \r
- // ########################################################################\r
- // PROXYING\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalProxy\r
- * @{\r
- */\r
- \r
- /**\r
- * A boolean telling if the client is a CAS proxy or not. Written by CASClient::CASClient(), \r
- * read by CASClient::isProxy().\r
- *\r
- * @private\r
- */\r
- var $_proxy;\r
- \r
- /**\r
- * Tells if a CAS client is a CAS proxy or not\r
- *\r
- * @return TRUE when the CAS client is a CAs proxy, FALSE otherwise\r
- *\r
- * @private\r
- */\r
- function isProxy()\r
- {\r
- return $this->_proxy;\r
- }\r
- \r
- /** @} */\r
- // ########################################################################\r
- // PGT\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalProxy\r
- * @{\r
- */ \r
- \r
- /**\r
- * the Proxy Grnting Ticket given by the CAS server (empty otherwise). \r
- * Written by CASClient::setPGT(), read by CASClient::getPGT() and CASClient::hasPGT().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_pgt = '';\r
- \r
- /**\r
- * This method returns the Proxy Granting Ticket given by the CAS server.\r
- * @return The Proxy Granting Ticket.\r
- * @private\r
- */\r
- function getPGT()\r
- { return $this->_pgt; }\r
- \r
- /**\r
- * This method stores the Proxy Granting Ticket.\r
- * @param $pgt The Proxy Granting Ticket.\r
- * @private\r
- */\r
- function setPGT($pgt)\r
- { $this->_pgt = $pgt; }\r
- \r
- /**\r
- * This method tells if a Proxy Granting Ticket was stored.\r
- * @return TRUE if a Proxy Granting Ticket has been stored.\r
- * @private\r
- */\r
- function hasPGT()\r
- { return !empty($this->_pgt); }\r
- \r
- /** @} */\r
- \r
- // ########################################################################\r
- // CALLBACK MODE\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalCallback\r
- * @{\r
- */ \r
- /**\r
- * each PHP script using phpCAS in proxy mode is its own callback to get the\r
- * PGT back from the CAS server. callback_mode is detected by the constructor\r
- * thanks to the GET parameters.\r
- */\r
- \r
- /**\r
- * a boolean to know if the CAS client is running in callback mode. Written by\r
- * CASClient::setCallBackMode(), read by CASClient::isCallbackMode().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_callback_mode = FALSE;\r
- \r
- /**\r
- * This method sets/unsets callback mode.\r
- *\r
- * @param $callback_mode TRUE to set callback mode, FALSE otherwise.\r
- *\r
- * @private\r
- */\r
- function setCallbackMode($callback_mode)\r
- {\r
- $this->_callback_mode = $callback_mode;\r
- }\r
- \r
- /**\r
- * This method returns TRUE when the CAs client is running i callback mode, \r
- * FALSE otherwise.\r
- *\r
- * @return A boolean.\r
- *\r
- * @private\r
- */\r
- function isCallbackMode()\r
- {\r
- return $this->_callback_mode;\r
- }\r
- \r
- /**\r
- * the URL that should be used for the PGT callback (in fact the URL of the \r
- * current request without any CGI parameter). Written and read by \r
- * CASClient::getCallbackURL().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_callback_url = '';\r
- \r
- /**\r
- * This method returns the URL that should be used for the PGT callback (in\r
- * fact the URL of the current request without any CGI parameter, except if\r
- * phpCAS::setFixedCallbackURL() was used).\r
- *\r
- * @return The callback URL\r
- *\r
- * @private\r
- */\r
- function getCallbackURL()\r
- {\r
- // the URL is built when needed only\r
- if ( empty($this->_callback_url) ) {\r
- $final_uri = '';\r
- // remove the ticket if present in the URL\r
- $final_uri = 'https://';\r
- /* replaced by Julien Marchal - v0.4.6\r
- * $this->uri .= $_SERVER['SERVER_NAME'];\r
- */\r
- if(empty($_SERVER['HTTP_X_FORWARDED_SERVER'])){\r
- /* replaced by teedog - v0.4.12\r
- * $final_uri .= $_SERVER['SERVER_NAME'];\r
- */\r
- if (empty($_SERVER['SERVER_NAME'])) {\r
- $final_uri .= $_SERVER['HTTP_HOST'];\r
- } else {\r
- $final_uri .= $_SERVER['SERVER_NAME'];\r
- }\r
- } else {\r
- $final_uri .= $_SERVER['HTTP_X_FORWARDED_SERVER'];\r
- }\r
- if ( ($this->isHttps() && $_SERVER['SERVER_PORT']!=443)\r
- || (!$this->isHttps() && $_SERVER['SERVER_PORT']!=80) ) {\r
- $final_uri .= ':';\r
- $final_uri .= $_SERVER['SERVER_PORT'];\r
- }\r
- $request_uri = $_SERVER['REQUEST_URI'];\r
- $request_uri = preg_replace('/\?.*$/','',$request_uri);\r
- $final_uri .= $request_uri;\r
- $this->setCallbackURL($final_uri);\r
- }\r
- return $this->_callback_url;\r
- }\r
- \r
- /**\r
- * This method sets the callback url.\r
- *\r
- * @param $callback_url url to set callback \r
- *\r
- * @private\r
- */\r
- function setCallbackURL($url)\r
- {\r
- return $this->_callback_url = $url;\r
- }\r
- \r
- /**\r
- * This method is called by CASClient::CASClient() when running in callback\r
- * mode. It stores the PGT and its PGT Iou, prints its output and halts.\r
- *\r
- * @private\r
- */\r
- function callback()\r
- {\r
- phpCAS::traceBegin();\r
- $this->printHTMLHeader('phpCAS callback');\r
- $pgt_iou = $_GET['pgtIou'];\r
- $pgt = $_GET['pgtId'];\r
- phpCAS::trace('Storing PGT `'.$pgt.'\' (id=`'.$pgt_iou.'\')');\r
- echo '<p>Storing PGT `'.$pgt.'\' (id=`'.$pgt_iou.'\').</p>';\r
- $this->storePGT($pgt,$pgt_iou);\r
- $this->printHTMLFooter();\r
- phpCAS::traceExit();\r
- }\r
- \r
- /** @} */\r
- \r
- // ########################################################################\r
- // PGT STORAGE\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalPGTStorage\r
- * @{\r
- */ \r
- \r
- /**\r
- * an instance of a class inheriting of PGTStorage, used to deal with PGT\r
- * storage. Created by CASClient::setPGTStorageFile() or CASClient::setPGTStorageDB(), used \r
- * by CASClient::setPGTStorageFile(), CASClient::setPGTStorageDB() and CASClient::initPGTStorage().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_pgt_storage = null;\r
- \r
- /**\r
- * This method is used to initialize the storage of PGT's.\r
- * Halts on error.\r
- *\r
- * @private\r
- */\r
- function initPGTStorage()\r
- {\r
- // if no SetPGTStorageXxx() has been used, default to file\r
- if ( !is_object($this->_pgt_storage) ) {\r
- $this->setPGTStorageFile();\r
- }\r
- \r
- // initializes the storage\r
- $this->_pgt_storage->init();\r
- }\r
- \r
- /**\r
- * This method stores a PGT. Halts on error.\r
- *\r
- * @param $pgt the PGT to store\r
- * @param $pgt_iou its corresponding Iou\r
- *\r
- * @private\r
- */\r
- function storePGT($pgt,$pgt_iou)\r
- {\r
- // ensure that storage is initialized\r
- $this->initPGTStorage();\r
- // writes the PGT\r
- $this->_pgt_storage->write($pgt,$pgt_iou);\r
- }\r
- \r
- /**\r
- * This method reads a PGT from its Iou and deletes the corresponding storage entry.\r
- *\r
- * @param $pgt_iou the PGT Iou\r
- *\r
- * @return The PGT corresponding to the Iou, FALSE when not found.\r
- *\r
- * @private\r
- */\r
- function loadPGT($pgt_iou)\r
- {\r
- // ensure that storage is initialized\r
- $this->initPGTStorage();\r
- // read the PGT\r
- return $this->_pgt_storage->read($pgt_iou);\r
- }\r
- \r
- /**\r
- * This method is used to tell phpCAS to store the response of the\r
- * CAS server to PGT requests onto the filesystem. \r
- *\r
- * @param $format the format used to store the PGT's (`plain' and `xml' allowed)\r
- * @param $path the path where the PGT's should be stored\r
- *\r
- * @public\r
- */\r
- function setPGTStorageFile($format='',\r
- $path='')\r
- {\r
- // check that the storage has not already been set\r
- if ( is_object($this->_pgt_storage) ) {\r
- phpCAS::error('PGT storage already defined');\r
- }\r
- \r
- // create the storage object\r
- $this->_pgt_storage = &new PGTStorageFile($this,$format,$path);\r
- }\r
- \r
- /**\r
- * This method is used to tell phpCAS to store the response of the\r
- * CAS server to PGT requests into a database. \r
- * @note The connection to the database is done only when needed. \r
- * As a consequence, bad parameters are detected only when \r
- * initializing PGT storage.\r
- *\r
- * @param $user the user to access the data with\r
- * @param $password the user's password\r
- * @param $database_type the type of the database hosting the data\r
- * @param $hostname the server hosting the database\r
- * @param $port the port the server is listening on\r
- * @param $database the name of the database\r
- * @param $table the name of the table storing the data\r
- *\r
- * @public\r
- */\r
- function setPGTStorageDB($user,\r
- $password,\r
- $database_type,\r
- $hostname,\r
- $port,\r
- $database,\r
- $table)\r
- {\r
- // check that the storage has not already been set\r
- if ( is_object($this->_pgt_storage) ) {\r
- phpCAS::error('PGT storage already defined');\r
- }\r
- \r
- // warn the user that he should use file storage...\r
- trigger_error('PGT storage into database is an experimental feature, use at your own risk',E_USER_WARNING);\r
- \r
- // create the storage object\r
- $this->_pgt_storage = & new PGTStorageDB($this,$user,$password,$database_type,$hostname,$port,$database,$table);\r
- }\r
- \r
- // ########################################################################\r
- // PGT VALIDATION\r
- // ########################################################################\r
- /**\r
- * This method is used to validate a PGT; halt on failure.\r
- * \r
- * @param $validate_url the URL of the request to the CAS server.\r
- * @param $text_response the response of the CAS server, as is (XML text); result\r
- * of CASClient::validateST() or CASClient::validatePT().\r
- * @param $tree_response the response of the CAS server, as a DOM XML tree; result\r
- * of CASClient::validateST() or CASClient::validatePT().\r
- *\r
- * @return bool TRUE when successfull, halt otherwise by calling CASClient::authError().\r
- *\r
- * @private\r
- */\r
- function validatePGT(&$validate_url,$text_response,$tree_response)\r
- {\r
- phpCAS::traceBegin();\r
- if ( sizeof($arr = $tree_response->get_elements_by_tagname("proxyGrantingTicket")) == 0) {\r
- phpCAS::trace('<proxyGrantingTicket> not found');\r
- // authentication succeded, but no PGT Iou was transmitted\r
- $this->authError('Ticket validated but no PGT Iou transmitted',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- FALSE/*$bad_response*/,\r
- $text_response);\r
- } else {\r
- // PGT Iou transmitted, extract it\r
- $pgt_iou = trim($arr[0]->get_content());\r
- $pgt = $this->loadPGT($pgt_iou);\r
- if ( $pgt == FALSE ) {\r
- phpCAS::trace('could not load PGT');\r
- $this->authError('PGT Iou was transmitted but PGT could not be retrieved',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- FALSE/*$bad_response*/,\r
- $text_response);\r
- }\r
- $this->setPGT($pgt);\r
- }\r
- phpCAS::traceEnd(TRUE);\r
- return TRUE;\r
- }\r
- \r
- // ########################################################################\r
- // PGT VALIDATION\r
- // ########################################################################\r
- \r
- /**\r
- * This method is used to retrieve PT's from the CAS server thanks to a PGT.\r
- * \r
- * @param $target_service the service to ask for with the PT.\r
- * @param $err_code an error code (PHPCAS_SERVICE_OK on success).\r
- * @param $err_msg an error message (empty on success).\r
- *\r
- * @return a Proxy Ticket, or FALSE on error.\r
- *\r
- * @private\r
- */\r
- function retrievePT($target_service,&$err_code,&$err_msg)\r
- {\r
- phpCAS::traceBegin();\r
- \r
- // by default, $err_msg is set empty and $pt to TRUE. On error, $pt is\r
- // set to false and $err_msg to an error message. At the end, if $pt is FALSE \r
- // and $error_msg is still empty, it is set to 'invalid response' (the most\r
- // commonly encountered error).\r
- $err_msg = '';\r
- \r
- // build the URL to retrieve the PT\r
- // $cas_url = $this->getServerProxyURL().'?targetService='.preg_replace('/&/','%26',$target_service).'&pgt='.$this->getPGT();\r
- $cas_url = $this->getServerProxyURL().'?targetService='.urlencode($target_service).'&pgt='.$this->getPGT();\r
- \r
- // open and read the URL\r
- if ( !$this->readURL($cas_url,''/*cookies*/,$headers,$cas_response,$err_msg) ) {\r
- phpCAS::trace('could not open URL \''.$cas_url.'\' to validate ('.$err_msg.')');\r
- $err_code = PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE;\r
- $err_msg = 'could not retrieve PT (no response from the CAS server)';\r
- phpCAS::traceEnd(FALSE);\r
- return FALSE;\r
- }\r
- \r
- $bad_response = FALSE;\r
- \r
- if ( !$bad_response ) {\r
- // read the response of the CAS server into a DOM object\r
- if ( !($dom = @domxml_open_mem($cas_response))) {\r
- phpCAS::trace('domxml_open_mem() failed');\r
- // read failed\r
- $bad_response = TRUE;\r
- } \r
- }\r
- \r
- if ( !$bad_response ) {\r
- // read the root node of the XML tree\r
- if ( !($root = $dom->document_element()) ) {\r
- phpCAS::trace('document_element() failed');\r
- // read failed\r
- $bad_response = TRUE;\r
- } \r
- }\r
- \r
- if ( !$bad_response ) {\r
- // insure that tag name is 'serviceResponse'\r
- if ( $root->node_name() != 'serviceResponse' ) {\r
- phpCAS::trace('node_name() failed');\r
- // bad root node\r
- $bad_response = TRUE;\r
- } \r
- }\r
- \r
- if ( !$bad_response ) {\r
- // look for a proxySuccess tag\r
- if ( sizeof($arr = $root->get_elements_by_tagname("proxySuccess")) != 0) {\r
- // authentication succeded, look for a proxyTicket tag\r
- if ( sizeof($arr = $root->get_elements_by_tagname("proxyTicket")) != 0) {\r
- $err_code = PHPCAS_SERVICE_OK;\r
- $err_msg = '';\r
- phpCAS::trace('original PT: '.trim($arr[0]->get_content()));\r
- $pt = trim($arr[0]->get_content());\r
- phpCAS::traceEnd($pt);\r
- return $pt;\r
- } else {\r
- phpCAS::trace('<proxySuccess> was found, but not <proxyTicket>');\r
- }\r
- } \r
- // look for a proxyFailure tag\r
- else if ( sizeof($arr = $root->get_elements_by_tagname("proxyFailure")) != 0) {\r
- // authentication failed, extract the error\r
- $err_code = PHPCAS_SERVICE_PT_FAILURE;\r
- $err_msg = 'PT retrieving failed (code=`'\r
- .$arr[0]->get_attribute('code')\r
- .'\', message=`'\r
- .trim($arr[0]->get_content())\r
- .'\')';\r
- phpCAS::traceEnd(FALSE);\r
- return FALSE;\r
- } else {\r
- phpCAS::trace('neither <proxySuccess> nor <proxyFailure> found');\r
- }\r
- }\r
- \r
- // at this step, we are sure that the response of the CAS server was ill-formed\r
- $err_code = PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE;\r
- $err_msg = 'Invalid response from the CAS server (response=`'.$cas_response.'\')';\r
- \r
- phpCAS::traceEnd(FALSE);\r
- return FALSE;\r
- }\r
- \r
- // ########################################################################\r
- // ACCESS TO EXTERNAL SERVICES\r
- // ########################################################################\r
- \r
- /**\r
- * This method is used to acces a remote URL.\r
- *\r
- * @param $url the URL to access.\r
- * @param $cookies an array containing cookies strings such as 'name=val'\r
- * @param $headers an array containing the HTTP header lines of the response\r
- * (an empty array on failure).\r
- * @param $body the body of the response, as a string (empty on failure).\r
- * @param $err_msg an error message, filled on failure.\r
- *\r
- * @return TRUE on success, FALSE otherwise (in this later case, $err_msg\r
- * contains an error message).\r
- *\r
- * @private\r
- */\r
- function readURL($url,$cookies,&$headers,&$body,&$err_msg)\r
- {\r
- phpCAS::traceBegin();\r
- $headers = '';\r
- $body = '';\r
- $err_msg = '';\r
- \r
- $res = TRUE;\r
- \r
- // initialize the CURL session\r
- $ch = curl_init($url);\r
- \r
- if (version_compare(PHP_VERSION,'5.1.3','>=')) {\r
- //only avaible in php5\r
- curl_setopt_array($ch, $this->_curl_options);\r
- } else {\r
- foreach ($this->_curl_options as $key => $value) {\r
- curl_setopt($ch, $key, $value);\r
- }\r
- }\r
-\r
- if ($this->_cas_server_cert == '' && $this->_cas_server_ca_cert == '' && !$this->_no_cas_server_validation) {\r
- phpCAS::error('one of the methods phpCAS::setCasServerCert(), phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.');\r
- }\r
- if ($this->_cas_server_cert != '' ) {\r
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);\r
- curl_setopt($ch, CURLOPT_SSLCERT, $this->_cas_server_cert);\r
- } else if ($this->_cas_server_ca_cert != '') {\r
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);\r
- curl_setopt($ch, CURLOPT_CAINFO, $this->_cas_server_ca_cert);\r
- } else {\r
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);\r
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);\r
- }\r
- \r
- // return the CURL output into a variable\r
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);\r
- // get the HTTP header with a callback\r
- $this->_curl_headers = array(); // empty the headers array\r
- curl_setopt($ch, CURLOPT_HEADERFUNCTION, array($this, '_curl_read_headers'));\r
- // add cookies headers\r
- if ( is_array($cookies) ) {\r
- curl_setopt($ch,CURLOPT_COOKIE,implode(';',$cookies));\r
- }\r
- // perform the query\r
- $buf = curl_exec ($ch);\r
- if ( $buf === FALSE ) {\r
- phpCAS::trace('curl_exec() failed');\r
- $err_msg = 'CURL error #'.curl_errno($ch).': '.curl_error($ch);\r
- // close the CURL session\r
- curl_close ($ch);\r
- $res = FALSE;\r
- } else {\r
- // close the CURL session\r
- curl_close ($ch);\r
- \r
- $headers = $this->_curl_headers;\r
- $body = $buf;\r
- }\r
- \r
- phpCAS::traceEnd($res);\r
- return $res;\r
- }\r
- \r
- /**\r
- * This method is the callback used by readURL method to request HTTP headers.\r
- */\r
- var $_curl_headers = array();\r
- function _curl_read_headers($ch, $header)\r
- {\r
- $this->_curl_headers[] = $header;\r
- return strlen($header);\r
- }\r
-\r
- /**\r
- * This method is used to access an HTTP[S] service.\r
- * \r
- * @param $url the service to access.\r
- * @param $err_code an error code Possible values are PHPCAS_SERVICE_OK (on\r
- * success), PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE, PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE,\r
- * PHPCAS_SERVICE_PT_FAILURE, PHPCAS_SERVICE_NOT AVAILABLE.\r
- * @param $output the output of the service (also used to give an error\r
- * message on failure).\r
- *\r
- * @return TRUE on success, FALSE otherwise (in this later case, $err_code\r
- * gives the reason why it failed and $output contains an error message).\r
- *\r
- * @public\r
- */\r
- function serviceWeb($url,&$err_code,&$output)\r
- {\r
- phpCAS::traceBegin();\r
- // at first retrieve a PT\r
- $pt = $this->retrievePT($url,$err_code,$output);\r
- \r
- $res = TRUE;\r
- \r
- // test if PT was retrieved correctly\r
- if ( !$pt ) {\r
- // note: $err_code and $err_msg are filled by CASClient::retrievePT()\r
- phpCAS::trace('PT was not retrieved correctly');\r
- $res = FALSE;\r
- } else {\r
- // add cookies if necessary\r
- if ( is_array($_SESSION['phpCAS']['services'][$url]['cookies']) ) {\r
- foreach ( $_SESSION['phpCAS']['services'][$url]['cookies'] as $name => $val ) { \r
- $cookies[] = $name.'='.$val;\r
- }\r
- }\r
- \r
- // build the URL including the PT\r
- if ( strstr($url,'?') === FALSE ) {\r
- $service_url = $url.'?ticket='.$pt;\r
- } else {\r
- $service_url = $url.'&ticket='.$pt;\r
- }\r
- \r
- phpCAS::trace('reading URL`'.$service_url.'\'');\r
- if ( !$this->readURL($service_url,$cookies,$headers,$output,$err_msg) ) {\r
- phpCAS::trace('could not read URL`'.$service_url.'\'');\r
- $err_code = PHPCAS_SERVICE_NOT_AVAILABLE;\r
- // give an error message\r
- $output = sprintf($this->getString(CAS_STR_SERVICE_UNAVAILABLE),\r
- $service_url,\r
- $err_msg);\r
- $res = FALSE;\r
- } else {\r
- // URL has been fetched, extract the cookies\r
- phpCAS::trace('URL`'.$service_url.'\' has been read, storing cookies:');\r
- foreach ( $headers as $header ) {\r
- // test if the header is a cookie\r
- if ( preg_match('/^Set-Cookie:/',$header) ) {\r
- // the header is a cookie, remove the beginning\r
- $header_val = preg_replace('/^Set-Cookie: */','',$header);\r
- // extract interesting information\r
- $name_val = strtok($header_val,'; ');\r
- // extract the name and the value of the cookie\r
- $cookie_name = strtok($name_val,'=');\r
- $cookie_val = strtok('=');\r
- // store the cookie \r
- $_SESSION['phpCAS']['services'][$url]['cookies'][$cookie_name] = $cookie_val;\r
- phpCAS::trace($cookie_name.' -> '.$cookie_val);\r
- }\r
- }\r
- }\r
- }\r
- \r
- phpCAS::traceEnd($res);\r
- return $res;\r
- }\r
- \r
- /**\r
- * This method is used to access an IMAP/POP3/NNTP service.\r
- * \r
- * @param $url a string giving the URL of the service, including the mailing box\r
- * for IMAP URLs, as accepted by imap_open().\r
- * @param $flags options given to imap_open().\r
- * @param $err_code an error code Possible values are PHPCAS_SERVICE_OK (on\r
- * success), PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE, PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE,\r
- * PHPCAS_SERVICE_PT_FAILURE, PHPCAS_SERVICE_NOT AVAILABLE.\r
- * @param $err_msg an error message on failure\r
- * @param $pt the Proxy Ticket (PT) retrieved from the CAS server to access the URL\r
- * on success, FALSE on error).\r
- *\r
- * @return an IMAP stream on success, FALSE otherwise (in this later case, $err_code\r
- * gives the reason why it failed and $err_msg contains an error message).\r
- *\r
- * @public\r
- */\r
- function serviceMail($url,$flags,&$err_code,&$err_msg,&$pt)\r
- {\r
- phpCAS::traceBegin();\r
- // at first retrieve a PT\r
- $pt = $this->retrievePT($target_service,$err_code,$output);\r
- \r
- $stream = FALSE;\r
- \r
- // test if PT was retrieved correctly\r
- if ( !$pt ) {\r
- // note: $err_code and $err_msg are filled by CASClient::retrievePT()\r
- phpCAS::trace('PT was not retrieved correctly');\r
- } else {\r
- phpCAS::trace('opening IMAP URL `'.$url.'\'...');\r
- $stream = @imap_open($url,$this->getUser(),$pt,$flags);\r
- if ( !$stream ) {\r
- phpCAS::trace('could not open URL');\r
- $err_code = PHPCAS_SERVICE_NOT_AVAILABLE;\r
- // give an error message\r
- $err_msg = sprintf($this->getString(CAS_STR_SERVICE_UNAVAILABLE),\r
- $service_url,\r
- var_export(imap_errors(),TRUE));\r
- $pt = FALSE;\r
- $stream = FALSE;\r
- } else {\r
- phpCAS::trace('ok');\r
- }\r
- }\r
- \r
- phpCAS::traceEnd($stream);\r
- return $stream;\r
- }\r
- \r
- /** @} */\r
- \r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- // XX XX\r
- // XX PROXIED CLIENT FEATURES (CAS 2.0) XX\r
- // XX XX\r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- \r
- // ########################################################################\r
- // PT\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalProxied\r
- * @{\r
- */ \r
- \r
- /**\r
- * the Proxy Ticket provided in the URL of the request if present\r
- * (empty otherwise). Written by CASClient::CASClient(), read by \r
- * CASClient::getPT() and CASClient::hasPGT().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_pt = '';\r
- \r
- /**\r
- * This method returns the Proxy Ticket provided in the URL of the request.\r
- * @return The proxy ticket.\r
- * @private\r
- */\r
- function getPT()\r
- {\r
- // return 'ST'.substr($this->_pt, 2);\r
- return $this->_pt;\r
- }\r
- \r
- /**\r
- * This method stores the Proxy Ticket.\r
- * @param $pt The Proxy Ticket.\r
- * @private\r
- */\r
- function setPT($pt)\r
- { $this->_pt = $pt; }\r
- \r
- /**\r
- * This method tells if a Proxy Ticket was stored.\r
- * @return TRUE if a Proxy Ticket has been stored.\r
- * @private\r
- */\r
- function hasPT()\r
- { return !empty($this->_pt); }\r
- \r
- /** @} */\r
- // ########################################################################\r
- // PT VALIDATION\r
- // ########################################################################\r
- /**\r
- * @addtogroup internalProxied\r
- * @{\r
- */ \r
- \r
- /**\r
- * This method is used to validate a PT; halt on failure\r
- * \r
- * @return bool TRUE when successfull, halt otherwise by calling CASClient::authError().\r
- *\r
- * @private\r
- */\r
- function validatePT(&$validate_url,&$text_response,&$tree_response)\r
- {\r
- phpCAS::traceBegin();\r
- // build the URL to validate the ticket\r
- $validate_url = $this->getServerProxyValidateURL().'&ticket='.$this->getPT();\r
- \r
- if ( $this->isProxy() ) {\r
- // pass the callback url for CAS proxies\r
- $validate_url .= '&pgtUrl='.$this->getCallbackURL();\r
- }\r
- \r
- // open and read the URL\r
- if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) {\r
- phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')');\r
- $this->authError('PT not validated',\r
- $validate_url,\r
- TRUE/*$no_response*/);\r
- }\r
- \r
- // read the response of the CAS server into a DOM object\r
- if ( !($dom = domxml_open_mem($text_response))) {\r
- // read failed\r
- $this->authError('PT not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- // read the root node of the XML tree\r
- if ( !($tree_response = $dom->document_element()) ) {\r
- // read failed\r
- $this->authError('PT not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- // insure that tag name is 'serviceResponse'\r
- if ( $tree_response->node_name() != 'serviceResponse' ) {\r
- // bad root node\r
- $this->authError('PT not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- if ( sizeof($arr = $tree_response->get_elements_by_tagname("authenticationSuccess")) != 0) {\r
- // authentication succeded, extract the user name\r
- if ( sizeof($arr = $tree_response->get_elements_by_tagname("user")) == 0) {\r
- // no user specified => error\r
- $this->authError('PT not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- $this->setUser(trim($arr[0]->get_content()));\r
- \r
- } else if ( sizeof($arr = $tree_response->get_elements_by_tagname("authenticationFailure")) != 0) {\r
- // authentication succeded, extract the error code and message\r
- $this->authError('PT not validated',\r
- $validate_url,\r
- FALSE/*$no_response*/,\r
- FALSE/*$bad_response*/,\r
- $text_response,\r
- $arr[0]->get_attribute('code')/*$err_code*/,\r
- trim($arr[0]->get_content())/*$err_msg*/);\r
- } else {\r
- $this->authError('PT not validated',\r
- $validate_url, \r
- FALSE/*$no_response*/,\r
- TRUE/*$bad_response*/,\r
- $text_response);\r
- }\r
- \r
- // at this step, PT has been validated and $this->_user has been set,\r
- \r
- phpCAS::traceEnd(TRUE);\r
- return TRUE;\r
- }\r
- \r
- /** @} */\r
- \r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- // XX XX\r
- // XX MISC XX\r
- // XX XX\r
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r
- \r
- /**\r
- * @addtogroup internalMisc\r
- * @{\r
- */ \r
- \r
- // ########################################################################\r
- // URL\r
- // ########################################################################\r
- /**\r
- * the URL of the current request (without any ticket CGI parameter). Written \r
- * and read by CASClient::getURL().\r
- *\r
- * @hideinitializer\r
- * @private\r
- */\r
- var $_url = '';\r
- \r
- /**\r
- * This method returns the URL of the current request (without any ticket\r
- * CGI parameter).\r
- *\r
- * @return The URL\r
- *\r
- * @private\r
- */\r
- function getURL()\r
- {\r
- phpCAS::traceBegin();\r
- // the URL is built when needed only\r
- if ( empty($this->_url) ) {\r
- $final_uri = '';\r
- // remove the ticket if present in the URL\r
- $final_uri = ($this->isHttps()) ? 'https' : 'http';\r
- $final_uri .= '://';\r
- /* replaced by Julien Marchal - v0.4.6\r
- * $this->_url .= $_SERVER['SERVER_NAME'];\r
- */\r
- if(empty($_SERVER['HTTP_X_FORWARDED_SERVER'])){\r
- /* replaced by teedog - v0.4.12\r
- * $this->_url .= $_SERVER['SERVER_NAME'];\r
- */\r
- if (empty($_SERVER['SERVER_NAME'])) {\r
- $server_name = $_SERVER['HTTP_HOST'];\r
- } else {\r
- $server_name = $_SERVER['SERVER_NAME'];\r
- }\r
- } else {\r
- $server_name = $_SERVER['HTTP_X_FORWARDED_SERVER'];\r
- }\r
- $final_uri .= $server_name;\r
- if (!strpos($server_name, ':')) {\r
- if ( ($this->isHttps() && $_SERVER['SERVER_PORT']!=443)\r
- || (!$this->isHttps() && $_SERVER['SERVER_PORT']!=80) ) {\r
- $final_uri .= ':';\r
- $final_uri .= $_SERVER['SERVER_PORT'];\r
- }\r
- }\r
- \r
- $final_uri .= strtok($_SERVER['REQUEST_URI'],"?");\r
- $cgi_params = '?'.strtok("?");\r
- // remove the ticket if present in the CGI parameters\r
- $cgi_params = preg_replace('/&ticket=[^&]*/','',$cgi_params);\r
- $cgi_params = preg_replace('/\?ticket=[^&;]*/','?',$cgi_params);\r
- $cgi_params = preg_replace('/\?%26/','?',$cgi_params);\r
- $cgi_params = preg_replace('/\?&/','?',$cgi_params);\r
- $cgi_params = preg_replace('/\?$/','',$cgi_params);\r
- $final_uri .= $cgi_params;\r
- $this->setURL($final_uri);\r
- }\r
- phpCAS::traceEnd($this->_url);\r
- return $this->_url;\r
- }\r
- \r
- /**\r
- * This method sets the URL of the current request \r
- *\r
- * @param $url url to set for service\r
- *\r
- * @private\r
- */\r
- function setURL($url)\r
- {\r
- $this->_url = $url;\r
- }\r
- \r
- // ########################################################################\r
- // AUTHENTICATION ERROR HANDLING\r
- // ########################################################################\r
- /**\r
- * This method is used to print the HTML output when the user was not authenticated.\r
- *\r
- * @param $failure the failure that occured\r
- * @param $cas_url the URL the CAS server was asked for\r
- * @param $no_response the response from the CAS server (other \r
- * parameters are ignored if TRUE)\r
- * @param $bad_response bad response from the CAS server ($err_code\r
- * and $err_msg ignored if TRUE)\r
- * @param $cas_response the response of the CAS server\r
- * @param $err_code the error code given by the CAS server\r
- * @param $err_msg the error message given by the CAS server\r
- *\r
- * @private\r
- */\r
- function authError($failure,$cas_url,$no_response,$bad_response='',$cas_response='',$err_code='',$err_msg='')\r
- {\r
- phpCAS::traceBegin();\r
- \r
- $this->printHTMLHeader($this->getString(CAS_STR_AUTHENTICATION_FAILED));\r
- printf($this->getString(CAS_STR_YOU_WERE_NOT_AUTHENTICATED),$this->getURL(),$_SERVER['SERVER_ADMIN']);\r
- phpCAS::trace('CAS URL: '.$cas_url);\r
- phpCAS::trace('Authentication failure: '.$failure);\r
- if ( $no_response ) {\r
- phpCAS::trace('Reason: no response from the CAS server');\r
- } else {\r
- if ( $bad_response ) {\r
- phpCAS::trace('Reason: bad response from the CAS server');\r
- } else {\r
- switch ($this->getServerVersion()) {\r
- case CAS_VERSION_1_0:\r
- phpCAS::trace('Reason: CAS error');\r
- break;\r
- case CAS_VERSION_2_0:\r
- if ( empty($err_code) )\r
- phpCAS::trace('Reason: no CAS error');\r
- else\r
- phpCAS::trace('Reason: ['.$err_code.'] CAS error: '.$err_msg);\r
- break;\r
- }\r
- }\r
- phpCAS::trace('CAS response: '.$cas_response);\r
- }\r
- $this->printHTMLFooter();\r
- phpCAS::traceExit();\r
- exit();\r
- }\r
- \r
- /** @} */\r
-}\r
-\r
+ header('Location: '.$this->getURL());
+ }
+
+ //activate session mechanism if desired
+ if (!$this->isLogoutRequest() && $start_session) {
+ session_start();
+ }
+
+ $this->_proxy = $proxy;
+
+ //check version
+ switch ($server_version) {
+ case CAS_VERSION_1_0:
+ if ( $this->isProxy() )
+ phpCAS::error('CAS proxies are not supported in CAS '
+ .$server_version);
+ break;
+ case CAS_VERSION_2_0:
+ break;
+ default:
+ phpCAS::error('this version of CAS (`'
+ .$server_version
+ .'\') is not supported by phpCAS '
+ .phpCAS::getVersion());
+ }
+ $this->_server['version'] = $server_version;
+
+ //check hostname
+ if ( empty($server_hostname)
+ || !preg_match('/[\.\d\-abcdefghijklmnopqrstuvwxyz]*/',$server_hostname) ) {
+ phpCAS::error('bad CAS server hostname (`'.$server_hostname.'\')');
+ }
+ $this->_server['hostname'] = $server_hostname;
+
+ //check port
+ if ( $server_port == 0
+ || !is_int($server_port) ) {
+ phpCAS::error('bad CAS server port (`'.$server_hostname.'\')');
+ }
+ $this->_server['port'] = $server_port;
+
+ //check URI
+ if ( !preg_match('/[\.\d\-_abcdefghijklmnopqrstuvwxyz\/]*/',$server_uri) ) {
+ phpCAS::error('bad CAS server URI (`'.$server_uri.'\')');
+ }
+ //add leading and trailing `/' and remove doubles
+ $server_uri = preg_replace('/\/\//','/','/'.$server_uri.'/');
+ $this->_server['uri'] = $server_uri;
+
+ //set to callback mode if PgtIou and PgtId CGI GET parameters are provided
+ if ( $this->isProxy() ) {
+ $this->setCallbackMode(!empty($_GET['pgtIou'])&&!empty($_GET['pgtId']));
+ }
+
+ if ( $this->isCallbackMode() ) {
+ //callback mode: check that phpCAS is secured
+ if ( !$this->isHttps() ) {
+ phpCAS::error('CAS proxies must be secured to use phpCAS; PGT\'s will not be received from the CAS server');
+ }
+ } else {
+ //normal mode: get ticket and remove it from CGI parameters for developpers
+ $ticket = (isset($_GET['ticket']) ? $_GET['ticket'] : null);
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0: // check for a Service Ticket
+ if( preg_match('/^ST-/',$ticket) ) {
+ phpCAS::trace('ST \''.$ticket.'\' found');
+ //ST present
+ $this->setST($ticket);
+ //ticket has been taken into account, unset it to hide it to applications
+ unset($_GET['ticket']);
+ } else if ( !empty($ticket) ) {
+ //ill-formed ticket, halt
+ phpCAS::error('ill-formed ticket found in the URL (ticket=`'.htmlentities($ticket).'\')');
+ }
+ break;
+ case CAS_VERSION_2_0: // check for a Service or Proxy Ticket
+ if( preg_match('/^[SP]T-/',$ticket) ) {
+ phpCAS::trace('ST or PT \''.$ticket.'\' found');
+ $this->setPT($ticket);
+ unset($_GET['ticket']);
+ } else if ( !empty($ticket) ) {
+ //ill-formed ticket, halt
+ phpCAS::error('ill-formed ticket found in the URL (ticket=`'.htmlentities($ticket).'\')');
+ }
+ break;
+ }
+ }
+ phpCAS::traceEnd();
+ }
+
+ /** @} */
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX AUTHENTICATION XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ /**
+ * @addtogroup internalAuthentication
+ * @{
+ */
+
+ /**
+ * The Authenticated user. Written by CASClient::setUser(), read by CASClient::getUser().
+ * @attention client applications should use phpCAS::getUser().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_user = '';
+
+ /**
+ * This method sets the CAS user's login name.
+ *
+ * @param $user the login name of the authenticated user.
+ *
+ * @private
+ */
+ function setUser($user)
+ {
+ $this->_user = $user;
+ }
+
+ /**
+ * This method returns the CAS user's login name.
+ * @warning should be called only after CASClient::forceAuthentication() or
+ * CASClient::isAuthenticated(), otherwise halt with an error.
+ *
+ * @return the login name of the authenticated user
+ */
+ function getUser()
+ {
+ if ( empty($this->_user) ) {
+ phpCAS::error('this method should be used only after '.__CLASS__.'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()');
+ }
+ return $this->_user;
+ }
+
+ /**
+ * This method is called to renew the authentication of the user
+ * If the user is authenticated, renew the connection
+ * If not, redirect to CAS
+ * @public
+ */
+ function renewAuthentication(){
+ phpCAS::traceBegin();
+ // Either way, the user is authenticated by CAS
+ if( isset( $_SESSION['phpCAS']['auth_checked'] ) )
+ unset($_SESSION['phpCAS']['auth_checked']);
+ if ( $this->isAuthenticated() ) {
+ phpCAS::trace('user already authenticated; renew');
+ $this->redirectToCas(false,true);
+ } else {
+ $this->redirectToCas();
+ }
+ phpCAS::traceEnd();
+ }
+
+ /**
+ * This method is called to be sure that the user is authenticated. When not
+ * authenticated, halt by redirecting to the CAS server; otherwise return TRUE.
+ * @return TRUE when the user is authenticated; otherwise halt.
+ * @public
+ */
+ function forceAuthentication()
+ {
+ phpCAS::traceBegin();
+
+ if ( $this->isAuthenticated() ) {
+ // the user is authenticated, nothing to be done.
+ phpCAS::trace('no need to authenticate');
+ $res = TRUE;
+ } else {
+ // the user is not authenticated, redirect to the CAS server
+ if (isset($_SESSION['phpCAS']['auth_checked'])) {
+ unset($_SESSION['phpCAS']['auth_checked']);
+ }
+ $this->redirectToCas(FALSE/* no gateway */);
+ // never reached
+ $res = FALSE;
+ }
+ phpCAS::traceEnd($res);
+ return $res;
+ }
+
+ /**
+ * An integer that gives the number of times authentication will be cached before rechecked.
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_cache_times_for_auth_recheck = 0;
+
+ /**
+ * Set the number of times authentication will be cached before rechecked.
+ *
+ * @param $n an integer.
+ *
+ * @public
+ */
+ function setCacheTimesForAuthRecheck($n)
+ {
+ $this->_cache_times_for_auth_recheck = $n;
+ }
+
+ /**
+ * This method is called to check whether the user is authenticated or not.
+ * @return TRUE when the user is authenticated, FALSE otherwise.
+ * @public
+ */
+ function checkAuthentication()
+ {
+ phpCAS::traceBegin();
+
+ if ( $this->isAuthenticated() ) {
+ phpCAS::trace('user is authenticated');
+ $res = TRUE;
+ } else if (isset($_SESSION['phpCAS']['auth_checked'])) {
+ // the previous request has redirected the client to the CAS server with gateway=true
+ unset($_SESSION['phpCAS']['auth_checked']);
+ $res = FALSE;
+ } else {
+ // $_SESSION['phpCAS']['auth_checked'] = true;
+ // $this->redirectToCas(TRUE/* gateway */);
+ // // never reached
+ // $res = FALSE;
+ // avoid a check against CAS on every request
+ if (! isset($_SESSION['phpCAS']['unauth_count']) )
+ $_SESSION['phpCAS']['unauth_count'] = -2; // uninitialized
+
+ if (($_SESSION['phpCAS']['unauth_count'] != -2 && $this->_cache_times_for_auth_recheck == -1)
+ || ($_SESSION['phpCAS']['unauth_count'] >= 0 && $_SESSION['phpCAS']['unauth_count'] < $this->_cache_times_for_auth_recheck))
+ {
+ $res = FALSE;
+
+ if ($this->_cache_times_for_auth_recheck != -1)
+ {
+ $_SESSION['phpCAS']['unauth_count']++;
+ phpCAS::trace('user is not authenticated (cached for '.$_SESSION['phpCAS']['unauth_count'].' times of '.$this->_cache_times_for_auth_recheck.')');
+ }
+ else
+ {
+ phpCAS::trace('user is not authenticated (cached for until login pressed)');
+ }
+ }
+ else
+ {
+ $_SESSION['phpCAS']['unauth_count'] = 0;
+ $_SESSION['phpCAS']['auth_checked'] = true;
+ phpCAS::trace('user is not authenticated (cache reset)');
+ $this->redirectToCas(TRUE/* gateway */);
+ // never reached
+ $res = FALSE;
+ }
+ }
+ phpCAS::traceEnd($res);
+ return $res;
+ }
+
+ /**
+ * This method is called to check if the user is authenticated (previously or by
+ * tickets given in the URL).
+ *
+ * @return TRUE when the user is authenticated.
+ *
+ * @public
+ */
+ function isAuthenticated()
+ {
+ phpCAS::traceBegin();
+ $res = FALSE;
+ $validate_url = '';
+
+ if ( $this->wasPreviouslyAuthenticated() ) {
+ // the user has already (previously during the session) been
+ // authenticated, nothing to be done.
+ phpCAS::trace('user was already authenticated, no need to look for tickets');
+ $res = TRUE;
+ }
+ elseif ( $this->hasST() ) {
+ // if a Service Ticket was given, validate it
+ phpCAS::trace('ST `'.$this->getST().'\' is present');
+ $this->validateST($validate_url,$text_response,$tree_response); // if it fails, it halts
+ phpCAS::trace('ST `'.$this->getST().'\' was validated');
+ if ( $this->isProxy() ) {
+ $this->validatePGT($validate_url,$text_response,$tree_response); // idem
+ phpCAS::trace('PGT `'.$this->getPGT().'\' was validated');
+ $_SESSION['phpCAS']['pgt'] = $this->getPGT();
+ }
+ $_SESSION['phpCAS']['user'] = $this->getUser();
+ $res = TRUE;
+ }
+ elseif ( $this->hasPT() ) {
+ // if a Proxy Ticket was given, validate it
+ phpCAS::trace('PT `'.$this->getPT().'\' is present');
+ $this->validatePT($validate_url,$text_response,$tree_response); // note: if it fails, it halts
+ phpCAS::trace('PT `'.$this->getPT().'\' was validated');
+ if ( $this->isProxy() ) {
+ $this->validatePGT($validate_url,$text_response,$tree_response); // idem
+ phpCAS::trace('PGT `'.$this->getPGT().'\' was validated');
+ $_SESSION['phpCAS']['pgt'] = $this->getPGT();
+ }
+ $_SESSION['phpCAS']['user'] = $this->getUser();
+ $res = TRUE;
+ }
+ else {
+ // no ticket given, not authenticated
+ phpCAS::trace('no ticket found');
+ }
+
+ phpCAS::traceEnd($res);
+ return $res;
+ }
+
+ /**
+ * This method tells if the current session is authenticated.
+ * @return true if authenticated based soley on $_SESSION variable
+ * @since 0.4.22 by Brendan Arnold
+ */
+ function isSessionAuthenticated ()
+ {
+ return !empty($_SESSION['phpCAS']['user']);
+ }
+
+ /**
+ * This method tells if the user has already been (previously) authenticated
+ * by looking into the session variables.
+ *
+ * @note This function switches to callback mode when needed.
+ *
+ * @return TRUE when the user has already been authenticated; FALSE otherwise.
+ *
+ * @private
+ */
+ function wasPreviouslyAuthenticated()
+ {
+ phpCAS::traceBegin();
+
+ if ( $this->isCallbackMode() ) {
+ $this->callback();
+ }
+
+ $auth = FALSE;
+
+ if ( $this->isProxy() ) {
+ // CAS proxy: username and PGT must be present
+ if ( $this->isSessionAuthenticated() && !empty($_SESSION['phpCAS']['pgt']) ) {
+ // authentication already done
+ $this->setUser($_SESSION['phpCAS']['user']);
+ $this->setPGT($_SESSION['phpCAS']['pgt']);
+ phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\', PGT = `'.$_SESSION['phpCAS']['pgt'].'\'');
+ $auth = TRUE;
+ } elseif ( $this->isSessionAuthenticated() && empty($_SESSION['phpCAS']['pgt']) ) {
+ // these two variables should be empty or not empty at the same time
+ phpCAS::trace('username found (`'.$_SESSION['phpCAS']['user'].'\') but PGT is empty');
+ // unset all tickets to enforce authentication
+ unset($_SESSION['phpCAS']);
+ $this->setST('');
+ $this->setPT('');
+ } elseif ( !$this->isSessionAuthenticated() && !empty($_SESSION['phpCAS']['pgt']) ) {
+ // these two variables should be empty or not empty at the same time
+ phpCAS::trace('PGT found (`'.$_SESSION['phpCAS']['pgt'].'\') but username is empty');
+ // unset all tickets to enforce authentication
+ unset($_SESSION['phpCAS']);
+ $this->setST('');
+ $this->setPT('');
+ } else {
+ phpCAS::trace('neither user not PGT found');
+ }
+ } else {
+ // `simple' CAS client (not a proxy): username must be present
+ if ( $this->isSessionAuthenticated() ) {
+ // authentication already done
+ $this->setUser($_SESSION['phpCAS']['user']);
+ phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\'');
+ $auth = TRUE;
+ } else {
+ phpCAS::trace('no user found');
+ }
+ }
+
+ phpCAS::traceEnd($auth);
+ return $auth;
+ }
+
+ /**
+ * This method is used to redirect the client to the CAS server.
+ * It is used by CASClient::forceAuthentication() and CASClient::checkAuthentication().
+ * @param $gateway true to check authentication, false to force it
+ * @param $renew true to force the authentication with the CAS server
+ * @public
+ */
+ function redirectToCas($gateway=false,$renew=false){
+ phpCAS::traceBegin();
+ $cas_url = $this->getServerLoginURL($gateway,$renew);
+ header('Location: '.$cas_url);
+ phpCAS::log( "Redirect to : ".$cas_url );
+
+ $this->printHTMLHeader($this->getString(CAS_STR_AUTHENTICATION_WANTED));
+
+ printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);
+ $this->printHTMLFooter();
+ phpCAS::traceExit();
+ exit();
+ }
+
+// /**
+// * This method is used to logout from CAS.
+// * @param $url a URL that will be transmitted to the CAS server (to come back to when logged out)
+// * @public
+// */
+// function logout($url = "") {
+// phpCAS::traceBegin();
+// $cas_url = $this->getServerLogoutURL();
+// // v0.4.14 sebastien.gougeon at univ-rennes1.fr
+// // header('Location: '.$cas_url);
+// if ( $url != "" ) {
+// // Adam Moore 1.0.0RC2
+// $url = '?service=' . $url . '&url=' . $url;
+// }
+// header('Location: '.$cas_url . $url);
+// session_unset();
+// session_destroy();
+// $this->printHTMLHeader($this->getString(CAS_STR_LOGOUT));
+// printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);
+// $this->printHTMLFooter();
+// phpCAS::traceExit();
+// exit();
+// }
+
+ /**
+ * This method is used to logout from CAS.
+ * @params $params an array that contains the optional url and service parameters that will be passed to the CAS server
+ * @public
+ */
+ function logout($params) {
+ phpCAS::traceBegin();
+ $cas_url = $this->getServerLogoutURL();
+ $paramSeparator = '?';
+ if (isset($params['url'])) {
+ $cas_url = $cas_url . $paramSeparator . "url=" . urlencode($params['url']);
+ $paramSeparator = '&';
+ }
+ if (isset($params['service'])) {
+ $cas_url = $cas_url . $paramSeparator . "service=" . urlencode($params['service']);
+ }
+ header('Location: '.$cas_url);
+ session_unset();
+ session_destroy();
+ $this->printHTMLHeader($this->getString(CAS_STR_LOGOUT));
+ printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);
+ $this->printHTMLFooter();
+ phpCAS::traceExit();
+ exit();
+ }
+
+ /**
+ * @return true if the current request is a logout request.
+ * @private
+ */
+ function isLogoutRequest() {
+ return !empty($_POST['logoutRequest']);
+ }
+
+ /**
+ * @return true if a logout request is allowed.
+ * @private
+ */
+ function isLogoutRequestAllowed() {
+ }
+
+ /**
+ * This method handles logout requests.
+ * @param $check_client true to check the client bofore handling the request,
+ * false not to perform any access control. True by default.
+ * @param $allowed_clients an array of host names allowed to send logout requests.
+ * By default, only the CAs server (declared in the constructor) will be allowed.
+ * @public
+ */
+ function handleLogoutRequests($check_client=true, $allowed_clients=false) {
+ phpCAS::traceBegin();
+ if (!$this->isLogoutRequest()) {
+ phpCAS::log("Not a logout request");
+ phpCAS::traceEnd();
+ return;
+ }
+ phpCAS::log("Logout requested");
+ phpCAS::log("SAML REQUEST: ".$_POST['logoutRequest']);
+ if ($check_client) {
+ if (!$allowed_clients) {
+ $allowed_clients = array( $this->getServerHostname() );
+ }
+ $client_ip = $_SERVER['REMOTE_ADDR'];
+ $client = gethostbyaddr($client_ip);
+ phpCAS::log("Client: ".$client);
+ $allowed = false;
+ foreach ($allowed_clients as $allowed_client) {
+ if ($client == $allowed_client) {
+ phpCAS::log("Allowed client '".$allowed_client."' matches, logout request is allowed");
+ $allowed = true;
+ break;
+ } else {
+ phpCAS::log("Allowed client '".$allowed_client."' does not match");
+ }
+ }
+ if (!$allowed) {
+ phpCAS::error("Unauthorized logout request from client '".$client."'");
+ printf("Unauthorized!");
+ phpCAS::traceExit();
+ exit();
+ }
+ } else {
+ phpCAS::log("No access control set");
+ }
+ // Extract the ticket from the SAML Request
+ preg_match("|<samlp:SessionIndex>(.*)</samlp:SessionIndex>|", $_POST['logoutRequest'], $tick, PREG_OFFSET_CAPTURE, 3);
+ $wrappedSamlSessionIndex = preg_replace('|<samlp:SessionIndex>|','',$tick[0][0]);
+ $ticket2logout = preg_replace('|</samlp:SessionIndex>|','',$wrappedSamlSessionIndex);
+ phpCAS::log("Ticket to logout: ".$ticket2logout);
+ $session_id = preg_replace('/[^\w]/','',$ticket2logout);
+ phpCAS::log("Session id: ".$session_id);
+
+ // fix New session ID
+ session_id($session_id);
+ $_COOKIE[session_name()]=$session_id;
+ $_GET[session_name()]=$session_id;
+
+ // Overwrite session
+ session_start();
+ session_unset();
+ session_destroy();
+ printf("Disconnected!");
+ phpCAS::traceExit();
+ exit();
+ }
+
+ /** @} */
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX BASIC CLIENT FEATURES (CAS 1.0) XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ // ########################################################################
+ // ST
+ // ########################################################################
+ /**
+ * @addtogroup internalBasic
+ * @{
+ */
+
+ /**
+ * the Service Ticket provided in the URL of the request if present
+ * (empty otherwise). Written by CASClient::CASClient(), read by
+ * CASClient::getST() and CASClient::hasPGT().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_st = '';
+
+ /**
+ * This method returns the Service Ticket provided in the URL of the request.
+ * @return The service ticket.
+ * @private
+ */
+ function getST()
+ { return $this->_st; }
+
+ /**
+ * This method stores the Service Ticket.
+ * @param $st The Service Ticket.
+ * @private
+ */
+ function setST($st)
+ { $this->_st = $st; }
+
+ /**
+ * This method tells if a Service Ticket was stored.
+ * @return TRUE if a Service Ticket has been stored.
+ * @private
+ */
+ function hasST()
+ { return !empty($this->_st); }
+
+ /** @} */
+
+ // ########################################################################
+ // ST VALIDATION
+ // ########################################################################
+ /**
+ * @addtogroup internalBasic
+ * @{
+ */
+
+ /**
+ * the certificate of the CAS server.
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_cas_server_cert = '';
+
+ /**
+ * the certificate of the CAS server CA.
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_cas_server_ca_cert = '';
+
+ /**
+ * Set to true not to validate the CAS server.
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_no_cas_server_validation = false;
+
+ /**
+ * Set the certificate of the CAS server.
+ *
+ * @param $cert the PEM certificate
+ */
+ function setCasServerCert($cert)
+ {
+ $this->_cas_server_cert = $cert;
+ }
+
+ /**
+ * Set the CA certificate of the CAS server.
+ *
+ * @param $cert the PEM certificate of the CA that emited the cert of the server
+ */
+ function setCasServerCACert($cert)
+ {
+ $this->_cas_server_ca_cert = $cert;
+ }
+
+ /**
+ * Set no SSL validation for the CAS server.
+ */
+ function setNoCasServerValidation()
+ {
+ $this->_no_cas_server_validation = true;
+ }
+
+ /**
+ * This method is used to validate a ST; halt on failure, and sets $validate_url,
+ * $text_reponse and $tree_response on success. These parameters are used later
+ * by CASClient::validatePGT() for CAS proxies.
+ *
+ * @param $validate_url the URL of the request to the CAS server.
+ * @param $text_response the response of the CAS server, as is (XML text).
+ * @param $tree_response the response of the CAS server, as a DOM XML tree.
+ *
+ * @return bool TRUE when successfull, halt otherwise by calling CASClient::authError().
+ *
+ * @private
+ */
+ function validateST($validate_url,&$text_response,&$tree_response)
+ {
+ phpCAS::traceBegin();
+ // build the URL to validate the ticket
+ $validate_url = $this->getServerServiceValidateURL().'&ticket='.$this->getST();
+ if ( $this->isProxy() ) {
+ // pass the callback url for CAS proxies
+ $validate_url .= '&pgtUrl='.$this->getCallbackURL();
+ }
+
+ // open and read the URL
+ if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) {
+ phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')');
+ $this->authError('ST not validated',
+ $validate_url,
+ TRUE/*$no_response*/);
+ }
+
+ // analyze the result depending on the version
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0:
+ if (preg_match('/^no\n/',$text_response)) {
+ phpCAS::trace('ST has not been validated');
+ $this->authError('ST not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ FALSE/*$bad_response*/,
+ $text_response);
+ }
+ if (!preg_match('/^yes\n/',$text_response)) {
+ phpCAS::trace('ill-formed response');
+ $this->authError('ST not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ // ST has been validated, extract the user name
+ $arr = preg_split('/\n/',$text_response);
+ $this->setUser(trim($arr[1]));
+ break;
+ case CAS_VERSION_2_0:
+ // read the response of the CAS server into a DOM object
+ if ( !($dom = domxml_open_mem($text_response))) {
+ phpCAS::trace('domxml_open_mem() failed');
+ $this->authError('ST not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ // read the root node of the XML tree
+ if ( !($tree_response = $dom->document_element()) ) {
+ phpCAS::trace('document_element() failed');
+ $this->authError('ST not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ // insure that tag name is 'serviceResponse'
+ if ( $tree_response->node_name() != 'serviceResponse' ) {
+ phpCAS::trace('bad XML root node (should be `serviceResponse\' instead of `'.$tree_response->node_name().'\'');
+ $this->authError('ST not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ if ( sizeof($success_elements = $tree_response->get_elements_by_tagname("authenticationSuccess")) != 0) {
+ // authentication succeded, extract the user name
+ if ( sizeof($user_elements = $success_elements[0]->get_elements_by_tagname("user")) == 0) {
+ phpCAS::trace('<authenticationSuccess> found, but no <user>');
+ $this->authError('ST not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ $user = trim($user_elements[0]->get_content());
+ phpCAS::trace('user = `'.$user);
+ $this->setUser($user);
+
+ } else if ( sizeof($failure_elements = $tree_response->get_elements_by_tagname("authenticationFailure")) != 0) {
+ phpCAS::trace('<authenticationFailure> found');
+ // authentication failed, extract the error code and message
+ $this->authError('ST not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ FALSE/*$bad_response*/,
+ $text_response,
+ $failure_elements[0]->get_attribute('code')/*$err_code*/,
+ trim($failure_elements[0]->get_content())/*$err_msg*/);
+ } else {
+ phpCAS::trace('neither <authenticationSuccess> nor <authenticationFailure> found');
+ $this->authError('ST not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ break;
+ }
+
+ // at this step, ST has been validated and $this->_user has been set,
+ phpCAS::traceEnd(TRUE);
+ return TRUE;
+ }
+
+ /** @} */
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX PROXY FEATURES (CAS 2.0) XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ // ########################################################################
+ // PROXYING
+ // ########################################################################
+ /**
+ * @addtogroup internalProxy
+ * @{
+ */
+
+ /**
+ * A boolean telling if the client is a CAS proxy or not. Written by CASClient::CASClient(),
+ * read by CASClient::isProxy().
+ *
+ * @private
+ */
+ var $_proxy;
+
+ /**
+ * Tells if a CAS client is a CAS proxy or not
+ *
+ * @return TRUE when the CAS client is a CAs proxy, FALSE otherwise
+ *
+ * @private
+ */
+ function isProxy()
+ {
+ return $this->_proxy;
+ }
+
+ /** @} */
+ // ########################################################################
+ // PGT
+ // ########################################################################
+ /**
+ * @addtogroup internalProxy
+ * @{
+ */
+
+ /**
+ * the Proxy Grnting Ticket given by the CAS server (empty otherwise).
+ * Written by CASClient::setPGT(), read by CASClient::getPGT() and CASClient::hasPGT().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_pgt = '';
+
+ /**
+ * This method returns the Proxy Granting Ticket given by the CAS server.
+ * @return The Proxy Granting Ticket.
+ * @private
+ */
+ function getPGT()
+ { return $this->_pgt; }
+
+ /**
+ * This method stores the Proxy Granting Ticket.
+ * @param $pgt The Proxy Granting Ticket.
+ * @private
+ */
+ function setPGT($pgt)
+ { $this->_pgt = $pgt; }
+
+ /**
+ * This method tells if a Proxy Granting Ticket was stored.
+ * @return TRUE if a Proxy Granting Ticket has been stored.
+ * @private
+ */
+ function hasPGT()
+ { return !empty($this->_pgt); }
+
+ /** @} */
+
+ // ########################################################################
+ // CALLBACK MODE
+ // ########################################################################
+ /**
+ * @addtogroup internalCallback
+ * @{
+ */
+ /**
+ * each PHP script using phpCAS in proxy mode is its own callback to get the
+ * PGT back from the CAS server. callback_mode is detected by the constructor
+ * thanks to the GET parameters.
+ */
+
+ /**
+ * a boolean to know if the CAS client is running in callback mode. Written by
+ * CASClient::setCallBackMode(), read by CASClient::isCallbackMode().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_callback_mode = FALSE;
+
+ /**
+ * This method sets/unsets callback mode.
+ *
+ * @param $callback_mode TRUE to set callback mode, FALSE otherwise.
+ *
+ * @private
+ */
+ function setCallbackMode($callback_mode)
+ {
+ $this->_callback_mode = $callback_mode;
+ }
+
+ /**
+ * This method returns TRUE when the CAs client is running i callback mode,
+ * FALSE otherwise.
+ *
+ * @return A boolean.
+ *
+ * @private
+ */
+ function isCallbackMode()
+ {
+ return $this->_callback_mode;
+ }
+
+ /**
+ * the URL that should be used for the PGT callback (in fact the URL of the
+ * current request without any CGI parameter). Written and read by
+ * CASClient::getCallbackURL().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_callback_url = '';
+
+ /**
+ * This method returns the URL that should be used for the PGT callback (in
+ * fact the URL of the current request without any CGI parameter, except if
+ * phpCAS::setFixedCallbackURL() was used).
+ *
+ * @return The callback URL
+ *
+ * @private
+ */
+ function getCallbackURL()
+ {
+ // the URL is built when needed only
+ if ( empty($this->_callback_url) ) {
+ $final_uri = '';
+ // remove the ticket if present in the URL
+ $final_uri = 'https://';
+ /* replaced by Julien Marchal - v0.4.6
+ * $this->uri .= $_SERVER['SERVER_NAME'];
+ */
+ if(empty($_SERVER['HTTP_X_FORWARDED_SERVER'])){
+ /* replaced by teedog - v0.4.12
+ * $final_uri .= $_SERVER['SERVER_NAME'];
+ */
+ if (empty($_SERVER['SERVER_NAME'])) {
+ $final_uri .= $_SERVER['HTTP_HOST'];
+ } else {
+ $final_uri .= $_SERVER['SERVER_NAME'];
+ }
+ } else {
+ $final_uri .= $_SERVER['HTTP_X_FORWARDED_SERVER'];
+ }
+ if ( ($this->isHttps() && $_SERVER['SERVER_PORT']!=443)
+ || (!$this->isHttps() && $_SERVER['SERVER_PORT']!=80) ) {
+ $final_uri .= ':';
+ $final_uri .= $_SERVER['SERVER_PORT'];
+ }
+ $request_uri = $_SERVER['REQUEST_URI'];
+ $request_uri = preg_replace('/\?.*$/','',$request_uri);
+ $final_uri .= $request_uri;
+ $this->setCallbackURL($final_uri);
+ }
+ return $this->_callback_url;
+ }
+
+ /**
+ * This method sets the callback url.
+ *
+ * @param $callback_url url to set callback
+ *
+ * @private
+ */
+ function setCallbackURL($url)
+ {
+ return $this->_callback_url = $url;
+ }
+
+ /**
+ * This method is called by CASClient::CASClient() when running in callback
+ * mode. It stores the PGT and its PGT Iou, prints its output and halts.
+ *
+ * @private
+ */
+ function callback()
+ {
+ phpCAS::traceBegin();
+ $this->printHTMLHeader('phpCAS callback');
+ $pgt_iou = $_GET['pgtIou'];
+ $pgt = $_GET['pgtId'];
+ phpCAS::trace('Storing PGT `'.$pgt.'\' (id=`'.$pgt_iou.'\')');
+ echo '<p>Storing PGT `'.$pgt.'\' (id=`'.$pgt_iou.'\').</p>';
+ $this->storePGT($pgt,$pgt_iou);
+ $this->printHTMLFooter();
+ phpCAS::traceExit();
+ }
+
+ /** @} */
+
+ // ########################################################################
+ // PGT STORAGE
+ // ########################################################################
+ /**
+ * @addtogroup internalPGTStorage
+ * @{
+ */
+
+ /**
+ * an instance of a class inheriting of PGTStorage, used to deal with PGT
+ * storage. Created by CASClient::setPGTStorageFile() or CASClient::setPGTStorageDB(), used
+ * by CASClient::setPGTStorageFile(), CASClient::setPGTStorageDB() and CASClient::initPGTStorage().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_pgt_storage = null;
+
+ /**
+ * This method is used to initialize the storage of PGT's.
+ * Halts on error.
+ *
+ * @private
+ */
+ function initPGTStorage()
+ {
+ // if no SetPGTStorageXxx() has been used, default to file
+ if ( !is_object($this->_pgt_storage) ) {
+ $this->setPGTStorageFile();
+ }
+
+ // initializes the storage
+ $this->_pgt_storage->init();
+ }
+
+ /**
+ * This method stores a PGT. Halts on error.
+ *
+ * @param $pgt the PGT to store
+ * @param $pgt_iou its corresponding Iou
+ *
+ * @private
+ */
+ function storePGT($pgt,$pgt_iou)
+ {
+ // ensure that storage is initialized
+ $this->initPGTStorage();
+ // writes the PGT
+ $this->_pgt_storage->write($pgt,$pgt_iou);
+ }
+
+ /**
+ * This method reads a PGT from its Iou and deletes the corresponding storage entry.
+ *
+ * @param $pgt_iou the PGT Iou
+ *
+ * @return The PGT corresponding to the Iou, FALSE when not found.
+ *
+ * @private
+ */
+ function loadPGT($pgt_iou)
+ {
+ // ensure that storage is initialized
+ $this->initPGTStorage();
+ // read the PGT
+ return $this->_pgt_storage->read($pgt_iou);
+ }
+
+ /**
+ * This method is used to tell phpCAS to store the response of the
+ * CAS server to PGT requests onto the filesystem.
+ *
+ * @param $format the format used to store the PGT's (`plain' and `xml' allowed)
+ * @param $path the path where the PGT's should be stored
+ *
+ * @public
+ */
+ function setPGTStorageFile($format='',
+ $path='')
+ {
+ // check that the storage has not already been set
+ if ( is_object($this->_pgt_storage) ) {
+ phpCAS::error('PGT storage already defined');
+ }
+
+ // create the storage object
+ $this->_pgt_storage = &new PGTStorageFile($this,$format,$path);
+ }
+
+ /**
+ * This method is used to tell phpCAS to store the response of the
+ * CAS server to PGT requests into a database.
+ * @note The connection to the database is done only when needed.
+ * As a consequence, bad parameters are detected only when
+ * initializing PGT storage.
+ *
+ * @param $user the user to access the data with
+ * @param $password the user's password
+ * @param $database_type the type of the database hosting the data
+ * @param $hostname the server hosting the database
+ * @param $port the port the server is listening on
+ * @param $database the name of the database
+ * @param $table the name of the table storing the data
+ *
+ * @public
+ */
+ function setPGTStorageDB($user,
+ $password,
+ $database_type,
+ $hostname,
+ $port,
+ $database,
+ $table)
+ {
+ // check that the storage has not already been set
+ if ( is_object($this->_pgt_storage) ) {
+ phpCAS::error('PGT storage already defined');
+ }
+
+ // warn the user that he should use file storage...
+ trigger_error('PGT storage into database is an experimental feature, use at your own risk',E_USER_WARNING);
+
+ // create the storage object
+ $this->_pgt_storage = & new PGTStorageDB($this,$user,$password,$database_type,$hostname,$port,$database,$table);
+ }
+
+ // ########################################################################
+ // PGT VALIDATION
+ // ########################################################################
+ /**
+ * This method is used to validate a PGT; halt on failure.
+ *
+ * @param $validate_url the URL of the request to the CAS server.
+ * @param $text_response the response of the CAS server, as is (XML text); result
+ * of CASClient::validateST() or CASClient::validatePT().
+ * @param $tree_response the response of the CAS server, as a DOM XML tree; result
+ * of CASClient::validateST() or CASClient::validatePT().
+ *
+ * @return bool TRUE when successfull, halt otherwise by calling CASClient::authError().
+ *
+ * @private
+ */
+ function validatePGT(&$validate_url,$text_response,$tree_response)
+ {
+ phpCAS::traceBegin();
+ if ( sizeof($arr = $tree_response->get_elements_by_tagname("proxyGrantingTicket")) == 0) {
+ phpCAS::trace('<proxyGrantingTicket> not found');
+ // authentication succeded, but no PGT Iou was transmitted
+ $this->authError('Ticket validated but no PGT Iou transmitted',
+ $validate_url,
+ FALSE/*$no_response*/,
+ FALSE/*$bad_response*/,
+ $text_response);
+ } else {
+ // PGT Iou transmitted, extract it
+ $pgt_iou = trim($arr[0]->get_content());
+ $pgt = $this->loadPGT($pgt_iou);
+ if ( $pgt == FALSE ) {
+ phpCAS::trace('could not load PGT');
+ $this->authError('PGT Iou was transmitted but PGT could not be retrieved',
+ $validate_url,
+ FALSE/*$no_response*/,
+ FALSE/*$bad_response*/,
+ $text_response);
+ }
+ $this->setPGT($pgt);
+ }
+ phpCAS::traceEnd(TRUE);
+ return TRUE;
+ }
+
+ // ########################################################################
+ // PGT VALIDATION
+ // ########################################################################
+
+ /**
+ * This method is used to retrieve PT's from the CAS server thanks to a PGT.
+ *
+ * @param $target_service the service to ask for with the PT.
+ * @param $err_code an error code (PHPCAS_SERVICE_OK on success).
+ * @param $err_msg an error message (empty on success).
+ *
+ * @return a Proxy Ticket, or FALSE on error.
+ *
+ * @private
+ */
+ function retrievePT($target_service,&$err_code,&$err_msg)
+ {
+ phpCAS::traceBegin();
+
+ // by default, $err_msg is set empty and $pt to TRUE. On error, $pt is
+ // set to false and $err_msg to an error message. At the end, if $pt is FALSE
+ // and $error_msg is still empty, it is set to 'invalid response' (the most
+ // commonly encountered error).
+ $err_msg = '';
+
+ // build the URL to retrieve the PT
+ // $cas_url = $this->getServerProxyURL().'?targetService='.preg_replace('/&/','%26',$target_service).'&pgt='.$this->getPGT();
+ $cas_url = $this->getServerProxyURL().'?targetService='.urlencode($target_service).'&pgt='.$this->getPGT();
+
+ // open and read the URL
+ if ( !$this->readURL($cas_url,''/*cookies*/,$headers,$cas_response,$err_msg) ) {
+ phpCAS::trace('could not open URL \''.$cas_url.'\' to validate ('.$err_msg.')');
+ $err_code = PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE;
+ $err_msg = 'could not retrieve PT (no response from the CAS server)';
+ phpCAS::traceEnd(FALSE);
+ return FALSE;
+ }
+
+ $bad_response = FALSE;
+
+ if ( !$bad_response ) {
+ // read the response of the CAS server into a DOM object
+ if ( !($dom = @domxml_open_mem($cas_response))) {
+ phpCAS::trace('domxml_open_mem() failed');
+ // read failed
+ $bad_response = TRUE;
+ }
+ }
+
+ if ( !$bad_response ) {
+ // read the root node of the XML tree
+ if ( !($root = $dom->document_element()) ) {
+ phpCAS::trace('document_element() failed');
+ // read failed
+ $bad_response = TRUE;
+ }
+ }
+
+ if ( !$bad_response ) {
+ // insure that tag name is 'serviceResponse'
+ if ( $root->node_name() != 'serviceResponse' ) {
+ phpCAS::trace('node_name() failed');
+ // bad root node
+ $bad_response = TRUE;
+ }
+ }
+
+ if ( !$bad_response ) {
+ // look for a proxySuccess tag
+ if ( sizeof($arr = $root->get_elements_by_tagname("proxySuccess")) != 0) {
+ // authentication succeded, look for a proxyTicket tag
+ if ( sizeof($arr = $root->get_elements_by_tagname("proxyTicket")) != 0) {
+ $err_code = PHPCAS_SERVICE_OK;
+ $err_msg = '';
+ phpCAS::trace('original PT: '.trim($arr[0]->get_content()));
+ $pt = trim($arr[0]->get_content());
+ phpCAS::traceEnd($pt);
+ return $pt;
+ } else {
+ phpCAS::trace('<proxySuccess> was found, but not <proxyTicket>');
+ }
+ }
+ // look for a proxyFailure tag
+ else if ( sizeof($arr = $root->get_elements_by_tagname("proxyFailure")) != 0) {
+ // authentication failed, extract the error
+ $err_code = PHPCAS_SERVICE_PT_FAILURE;
+ $err_msg = 'PT retrieving failed (code=`'
+ .$arr[0]->get_attribute('code')
+ .'\', message=`'
+ .trim($arr[0]->get_content())
+ .'\')';
+ phpCAS::traceEnd(FALSE);
+ return FALSE;
+ } else {
+ phpCAS::trace('neither <proxySuccess> nor <proxyFailure> found');
+ }
+ }
+
+ // at this step, we are sure that the response of the CAS server was ill-formed
+ $err_code = PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE;
+ $err_msg = 'Invalid response from the CAS server (response=`'.$cas_response.'\')';
+
+ phpCAS::traceEnd(FALSE);
+ return FALSE;
+ }
+
+ // ########################################################################
+ // ACCESS TO EXTERNAL SERVICES
+ // ########################################################################
+
+ /**
+ * This method is used to acces a remote URL.
+ *
+ * @param $url the URL to access.
+ * @param $cookies an array containing cookies strings such as 'name=val'
+ * @param $headers an array containing the HTTP header lines of the response
+ * (an empty array on failure).
+ * @param $body the body of the response, as a string (empty on failure).
+ * @param $err_msg an error message, filled on failure.
+ *
+ * @return TRUE on success, FALSE otherwise (in this later case, $err_msg
+ * contains an error message).
+ *
+ * @private
+ */
+ function readURL($url,$cookies,&$headers,&$body,&$err_msg)
+ {
+ phpCAS::traceBegin();
+ $headers = '';
+ $body = '';
+ $err_msg = '';
+
+ $res = TRUE;
+
+ // initialize the CURL session
+ $ch = curl_init($url);
+
+ if (version_compare(PHP_VERSION,'5.1.3','>=')) {
+ //only avaible in php5
+ curl_setopt_array($ch, $this->_curl_options);
+ } else {
+ foreach ($this->_curl_options as $key => $value) {
+ curl_setopt($ch, $key, $value);
+ }
+ }
+
+ if ($this->_cas_server_cert == '' && $this->_cas_server_ca_cert == '' && !$this->_no_cas_server_validation) {
+ phpCAS::error('one of the methods phpCAS::setCasServerCert(), phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.');
+ }
+ if ($this->_cas_server_cert != '' ) {
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+ curl_setopt($ch, CURLOPT_SSLCERT, $this->_cas_server_cert);
+ } else if ($this->_cas_server_ca_cert != '') {
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+ curl_setopt($ch, CURLOPT_CAINFO, $this->_cas_server_ca_cert);
+ } else {
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ }
+
+ // return the CURL output into a variable
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ // get the HTTP header with a callback
+ $this->_curl_headers = array(); // empty the headers array
+ curl_setopt($ch, CURLOPT_HEADERFUNCTION, array($this, '_curl_read_headers'));
+ // add cookies headers
+ if ( is_array($cookies) ) {
+ curl_setopt($ch,CURLOPT_COOKIE,implode(';',$cookies));
+ }
+ // perform the query
+ $buf = curl_exec ($ch);
+ if ( $buf === FALSE ) {
+ phpCAS::trace('curl_exec() failed');
+ $err_msg = 'CURL error #'.curl_errno($ch).': '.curl_error($ch);
+ // close the CURL session
+ curl_close ($ch);
+ $res = FALSE;
+ } else {
+ // close the CURL session
+ curl_close ($ch);
+
+ $headers = $this->_curl_headers;
+ $body = $buf;
+ }
+
+ phpCAS::traceEnd($res);
+ return $res;
+ }
+
+ /**
+ * This method is the callback used by readURL method to request HTTP headers.
+ */
+ var $_curl_headers = array();
+ function _curl_read_headers($ch, $header)
+ {
+ $this->_curl_headers[] = $header;
+ return strlen($header);
+ }
+
+ /**
+ * This method is used to access an HTTP[S] service.
+ *
+ * @param $url the service to access.
+ * @param $err_code an error code Possible values are PHPCAS_SERVICE_OK (on
+ * success), PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE, PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE,
+ * PHPCAS_SERVICE_PT_FAILURE, PHPCAS_SERVICE_NOT AVAILABLE.
+ * @param $output the output of the service (also used to give an error
+ * message on failure).
+ *
+ * @return TRUE on success, FALSE otherwise (in this later case, $err_code
+ * gives the reason why it failed and $output contains an error message).
+ *
+ * @public
+ */
+ function serviceWeb($url,&$err_code,&$output)
+ {
+ phpCAS::traceBegin();
+ // at first retrieve a PT
+ $pt = $this->retrievePT($url,$err_code,$output);
+
+ $res = TRUE;
+
+ // test if PT was retrieved correctly
+ if ( !$pt ) {
+ // note: $err_code and $err_msg are filled by CASClient::retrievePT()
+ phpCAS::trace('PT was not retrieved correctly');
+ $res = FALSE;
+ } else {
+ // add cookies if necessary
+ if ( is_array($_SESSION['phpCAS']['services'][$url]['cookies']) ) {
+ foreach ( $_SESSION['phpCAS']['services'][$url]['cookies'] as $name => $val ) {
+ $cookies[] = $name.'='.$val;
+ }
+ }
+
+ // build the URL including the PT
+ if ( strstr($url,'?') === FALSE ) {
+ $service_url = $url.'?ticket='.$pt;
+ } else {
+ $service_url = $url.'&ticket='.$pt;
+ }
+
+ phpCAS::trace('reading URL`'.$service_url.'\'');
+ if ( !$this->readURL($service_url,$cookies,$headers,$output,$err_msg) ) {
+ phpCAS::trace('could not read URL`'.$service_url.'\'');
+ $err_code = PHPCAS_SERVICE_NOT_AVAILABLE;
+ // give an error message
+ $output = sprintf($this->getString(CAS_STR_SERVICE_UNAVAILABLE),
+ $service_url,
+ $err_msg);
+ $res = FALSE;
+ } else {
+ // URL has been fetched, extract the cookies
+ phpCAS::trace('URL`'.$service_url.'\' has been read, storing cookies:');
+ foreach ( $headers as $header ) {
+ // test if the header is a cookie
+ if ( preg_match('/^Set-Cookie:/',$header) ) {
+ // the header is a cookie, remove the beginning
+ $header_val = preg_replace('/^Set-Cookie: */','',$header);
+ // extract interesting information
+ $name_val = strtok($header_val,'; ');
+ // extract the name and the value of the cookie
+ $cookie_name = strtok($name_val,'=');
+ $cookie_val = strtok('=');
+ // store the cookie
+ $_SESSION['phpCAS']['services'][$url]['cookies'][$cookie_name] = $cookie_val;
+ phpCAS::trace($cookie_name.' -> '.$cookie_val);
+ }
+ }
+ }
+ }
+
+ phpCAS::traceEnd($res);
+ return $res;
+ }
+
+ /**
+ * This method is used to access an IMAP/POP3/NNTP service.
+ *
+ * @param $url a string giving the URL of the service, including the mailing box
+ * for IMAP URLs, as accepted by imap_open().
+ * @param $flags options given to imap_open().
+ * @param $err_code an error code Possible values are PHPCAS_SERVICE_OK (on
+ * success), PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE, PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE,
+ * PHPCAS_SERVICE_PT_FAILURE, PHPCAS_SERVICE_NOT AVAILABLE.
+ * @param $err_msg an error message on failure
+ * @param $pt the Proxy Ticket (PT) retrieved from the CAS server to access the URL
+ * on success, FALSE on error).
+ *
+ * @return an IMAP stream on success, FALSE otherwise (in this later case, $err_code
+ * gives the reason why it failed and $err_msg contains an error message).
+ *
+ * @public
+ */
+ function serviceMail($url,$flags,&$err_code,&$err_msg,&$pt)
+ {
+ phpCAS::traceBegin();
+ // at first retrieve a PT
+ $pt = $this->retrievePT($target_service,$err_code,$output);
+
+ $stream = FALSE;
+
+ // test if PT was retrieved correctly
+ if ( !$pt ) {
+ // note: $err_code and $err_msg are filled by CASClient::retrievePT()
+ phpCAS::trace('PT was not retrieved correctly');
+ } else {
+ phpCAS::trace('opening IMAP URL `'.$url.'\'...');
+ $stream = @imap_open($url,$this->getUser(),$pt,$flags);
+ if ( !$stream ) {
+ phpCAS::trace('could not open URL');
+ $err_code = PHPCAS_SERVICE_NOT_AVAILABLE;
+ // give an error message
+ $err_msg = sprintf($this->getString(CAS_STR_SERVICE_UNAVAILABLE),
+ $service_url,
+ var_export(imap_errors(),TRUE));
+ $pt = FALSE;
+ $stream = FALSE;
+ } else {
+ phpCAS::trace('ok');
+ }
+ }
+
+ phpCAS::traceEnd($stream);
+ return $stream;
+ }
+
+ /** @} */
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX PROXIED CLIENT FEATURES (CAS 2.0) XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ // ########################################################################
+ // PT
+ // ########################################################################
+ /**
+ * @addtogroup internalProxied
+ * @{
+ */
+
+ /**
+ * the Proxy Ticket provided in the URL of the request if present
+ * (empty otherwise). Written by CASClient::CASClient(), read by
+ * CASClient::getPT() and CASClient::hasPGT().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_pt = '';
+
+ /**
+ * This method returns the Proxy Ticket provided in the URL of the request.
+ * @return The proxy ticket.
+ * @private
+ */
+ function getPT()
+ {
+ // return 'ST'.substr($this->_pt, 2);
+ return $this->_pt;
+ }
+
+ /**
+ * This method stores the Proxy Ticket.
+ * @param $pt The Proxy Ticket.
+ * @private
+ */
+ function setPT($pt)
+ { $this->_pt = $pt; }
+
+ /**
+ * This method tells if a Proxy Ticket was stored.
+ * @return TRUE if a Proxy Ticket has been stored.
+ * @private
+ */
+ function hasPT()
+ { return !empty($this->_pt); }
+
+ /** @} */
+ // ########################################################################
+ // PT VALIDATION
+ // ########################################################################
+ /**
+ * @addtogroup internalProxied
+ * @{
+ */
+
+ /**
+ * This method is used to validate a PT; halt on failure
+ *
+ * @return bool TRUE when successfull, halt otherwise by calling CASClient::authError().
+ *
+ * @private
+ */
+ function validatePT(&$validate_url,&$text_response,&$tree_response)
+ {
+ phpCAS::traceBegin();
+ // build the URL to validate the ticket
+ $validate_url = $this->getServerProxyValidateURL().'&ticket='.$this->getPT();
+
+ if ( $this->isProxy() ) {
+ // pass the callback url for CAS proxies
+ $validate_url .= '&pgtUrl='.$this->getCallbackURL();
+ }
+
+ // open and read the URL
+ if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) {
+ phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')');
+ $this->authError('PT not validated',
+ $validate_url,
+ TRUE/*$no_response*/);
+ }
+
+ // read the response of the CAS server into a DOM object
+ if ( !($dom = domxml_open_mem($text_response))) {
+ // read failed
+ $this->authError('PT not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ // read the root node of the XML tree
+ if ( !($tree_response = $dom->document_element()) ) {
+ // read failed
+ $this->authError('PT not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ // insure that tag name is 'serviceResponse'
+ if ( $tree_response->node_name() != 'serviceResponse' ) {
+ // bad root node
+ $this->authError('PT not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ if ( sizeof($arr = $tree_response->get_elements_by_tagname("authenticationSuccess")) != 0) {
+ // authentication succeded, extract the user name
+ if ( sizeof($arr = $tree_response->get_elements_by_tagname("user")) == 0) {
+ // no user specified => error
+ $this->authError('PT not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+ $this->setUser(trim($arr[0]->get_content()));
+
+ } else if ( sizeof($arr = $tree_response->get_elements_by_tagname("authenticationFailure")) != 0) {
+ // authentication succeded, extract the error code and message
+ $this->authError('PT not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ FALSE/*$bad_response*/,
+ $text_response,
+ $arr[0]->get_attribute('code')/*$err_code*/,
+ trim($arr[0]->get_content())/*$err_msg*/);
+ } else {
+ $this->authError('PT not validated',
+ $validate_url,
+ FALSE/*$no_response*/,
+ TRUE/*$bad_response*/,
+ $text_response);
+ }
+
+ // at this step, PT has been validated and $this->_user has been set,
+
+ phpCAS::traceEnd(TRUE);
+ return TRUE;
+ }
+
+ /** @} */
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX MISC XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ /**
+ * @addtogroup internalMisc
+ * @{
+ */
+
+ // ########################################################################
+ // URL
+ // ########################################################################
+ /**
+ * the URL of the current request (without any ticket CGI parameter). Written
+ * and read by CASClient::getURL().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_url = '';
+
+ /**
+ * This method returns the URL of the current request (without any ticket
+ * CGI parameter).
+ *
+ * @return The URL
+ *
+ * @private
+ */
+ function getURL()
+ {
+ phpCAS::traceBegin();
+ // the URL is built when needed only
+ if ( empty($this->_url) ) {
+ $final_uri = '';
+ // remove the ticket if present in the URL
+ $final_uri = ($this->isHttps()) ? 'https' : 'http';
+ $final_uri .= '://';
+ /* replaced by Julien Marchal - v0.4.6
+ * $this->_url .= $_SERVER['SERVER_NAME'];
+ */
+ if(empty($_SERVER['HTTP_X_FORWARDED_SERVER'])){
+ /* replaced by teedog - v0.4.12
+ * $this->_url .= $_SERVER['SERVER_NAME'];
+ */
+ if (empty($_SERVER['SERVER_NAME'])) {
+ $server_name = $_SERVER['HTTP_HOST'];
+ } else {
+ $server_name = $_SERVER['SERVER_NAME'];
+ }
+ } else {
+ $server_name = $_SERVER['HTTP_X_FORWARDED_SERVER'];
+ }
+ $final_uri .= $server_name;
+ if (!strpos($server_name, ':')) {
+ if ( ($this->isHttps() && $_SERVER['SERVER_PORT']!=443)
+ || (!$this->isHttps() && $_SERVER['SERVER_PORT']!=80) ) {
+ $final_uri .= ':';
+ $final_uri .= $_SERVER['SERVER_PORT'];
+ }
+ }
+
+ $final_uri .= strtok($_SERVER['REQUEST_URI'],"?");
+ $cgi_params = '?'.strtok("?");
+ // remove the ticket if present in the CGI parameters
+ $cgi_params = preg_replace('/&ticket=[^&]*/','',$cgi_params);
+ $cgi_params = preg_replace('/\?ticket=[^&;]*/','?',$cgi_params);
+ $cgi_params = preg_replace('/\?%26/','?',$cgi_params);
+ $cgi_params = preg_replace('/\?&/','?',$cgi_params);
+ $cgi_params = preg_replace('/\?$/','',$cgi_params);
+ $final_uri .= $cgi_params;
+ $this->setURL($final_uri);
+ }
+ phpCAS::traceEnd($this->_url);
+ return $this->_url;
+ }
+
+ /**
+ * This method sets the URL of the current request
+ *
+ * @param $url url to set for service
+ *
+ * @private
+ */
+ function setURL($url)
+ {
+ $this->_url = $url;
+ }
+
+ // ########################################################################
+ // AUTHENTICATION ERROR HANDLING
+ // ########################################################################
+ /**
+ * This method is used to print the HTML output when the user was not authenticated.
+ *
+ * @param $failure the failure that occured
+ * @param $cas_url the URL the CAS server was asked for
+ * @param $no_response the response from the CAS server (other
+ * parameters are ignored if TRUE)
+ * @param $bad_response bad response from the CAS server ($err_code
+ * and $err_msg ignored if TRUE)
+ * @param $cas_response the response of the CAS server
+ * @param $err_code the error code given by the CAS server
+ * @param $err_msg the error message given by the CAS server
+ *
+ * @private
+ */
+ function authError($failure,$cas_url,$no_response,$bad_response='',$cas_response='',$err_code='',$err_msg='')
+ {
+ phpCAS::traceBegin();
+
+ $this->printHTMLHeader($this->getString(CAS_STR_AUTHENTICATION_FAILED));
+ printf($this->getString(CAS_STR_YOU_WERE_NOT_AUTHENTICATED),$this->getURL(),$_SERVER['SERVER_ADMIN']);
+ phpCAS::trace('CAS URL: '.$cas_url);
+ phpCAS::trace('Authentication failure: '.$failure);
+ if ( $no_response ) {
+ phpCAS::trace('Reason: no response from the CAS server');
+ } else {
+ if ( $bad_response ) {
+ phpCAS::trace('Reason: bad response from the CAS server');
+ } else {
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0:
+ phpCAS::trace('Reason: CAS error');
+ break;
+ case CAS_VERSION_2_0:
+ if ( empty($err_code) )
+ phpCAS::trace('Reason: no CAS error');
+ else
+ phpCAS::trace('Reason: ['.$err_code.'] CAS error: '.$err_msg);
+ break;
+ }
+ }
+ phpCAS::trace('CAS response: '.$cas_response);
+ }
+ $this->printHTMLFooter();
+ phpCAS::traceExit();
+ exit();
+ }
+
+ /** @} */
+}
+
?>
\ No newline at end of file