X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=plugins%2FCasAuthentication%2Fextlib%2FCAS%2Fclient.php;h=d38c24d361eec4bc1a041f057fc254a65abcedf8;hb=f82dd4e14f8e4797f2a14cf10527bb71bc224b72;hp=ad5a23f8396bf6be3c307b064f8c652b10b92391;hpb=ca5612c451e4dabde107ff2cfbc737a2f69136df;p=quix0rs-gnu-social.git diff --git a/plugins/CasAuthentication/extlib/CAS/client.php b/plugins/CasAuthentication/extlib/CAS/client.php index ad5a23f839..d38c24d361 100644 --- a/plugins/CasAuthentication/extlib/CAS/client.php +++ b/plugins/CasAuthentication/extlib/CAS/client.php @@ -1,5 +1,34 @@ _server['login_url'] = $url; } - - + + /** * This method sets the serviceValidate URL of the CAS server. * @param $url the serviceValidate URL @@ -363,8 +392,8 @@ class CASClient { return $this->_server['service_validate_url'] = $url; } - - + + /** * This method sets the proxyValidate URL of the CAS server. * @param $url the proxyValidate URL @@ -375,8 +404,8 @@ class CASClient { return $this->_server['proxy_validate_url'] = $url; } - - + + /** * This method sets the samlValidate URL of the CAS server. * @param $url the samlValidate URL @@ -387,7 +416,7 @@ class CASClient { return $this->_server['saml_validate_url'] = $url; } - + /** * This method is used to retrieve the service validating URL of the CAS server. @@ -411,24 +440,24 @@ class CASClient return $this->_server['service_validate_url'].'?service='.urlencode($this->getURL()); } /** - * This method is used to retrieve the SAML validating URL of the CAS server. - * @return a URL. - * @private - */ + * This method is used to retrieve the SAML validating URL of the CAS server. + * @return a URL. + * @private + */ function getServerSamlValidateURL() - { - phpCAS::traceBegin(); - // the URL is build only when needed - if ( empty($this->_server['saml_validate_url']) ) { - switch ($this->getServerVersion()) { - case SAML_VERSION_1_1: - $this->_server['saml_validate_url'] = $this->getServerBaseURL().'samlValidate'; - break; + { + phpCAS::traceBegin(); + // the URL is build only when needed + if ( empty($this->_server['saml_validate_url']) ) { + switch ($this->getServerVersion()) { + case SAML_VERSION_1_1: + $this->_server['saml_validate_url'] = $this->getServerBaseURL().'samlValidate'; + break; } - } - phpCAS::traceEnd($this->_server['saml_validate_url'].'?TARGET='.urlencode($this->getURL())); - return $this->_server['saml_validate_url'].'?TARGET='.urlencode($this->getURL()); - } + } + phpCAS::traceEnd($this->_server['saml_validate_url'].'?TARGET='.urlencode($this->getURL())); + return $this->_server['saml_validate_url'].'?TARGET='.urlencode($this->getURL()); + } /** * This method is used to retrieve the proxy validating URL of the CAS server. * @return a URL. @@ -496,20 +525,20 @@ class CASClient { return $this->_server['logout_url'] = $url; } - + /** * An array to store extra curl options. */ var $_curl_options = array(); - + /** * This method is used to set additional user curl options. */ function setExtraCurlOption($key, $value) - { + { $this->_curl_options[$key] = $value; - } - + } + /** * This method checks to see if the request is secured via HTTPS * @return true if https, false otherwise @@ -556,45 +585,21 @@ class CASClient if (version_compare(PHP_VERSION,'5','>=') && ini_get('zend.ze1_compatibility_mode')) { phpCAS::error('phpCAS cannot support zend.ze1_compatibility_mode. Sorry.'); } + $this->_start_session = $start_session; + + if ($this->_start_session && session_id()) + { + phpCAS :: error("Another session was started before phpcas. Either disable the session" . + " handling for phpcas in the client() call or modify your application to leave" . + " session handling to phpcas"); + } // skip Session Handling for logout requests and if don't want it' - if ($start_session && !$this->isLogoutRequest()) { - phpCAS::trace("Starting session handling"); - // Check for Tickets from the CAS server - if (empty($_GET['ticket'])){ - phpCAS::trace("No ticket found"); - // only create a session if necessary - if (!isset($_SESSION)) { - phpCAS::trace("No session found, creating new session"); - session_start(); - } - }else{ - phpCAS::trace("Ticket found"); - // We have to copy any old data before renaming the session - if (isset($_SESSION)) { - phpCAS::trace("Old active session found, saving old data and destroying session"); - $old_session = $_SESSION; - session_destroy(); - }else{ - session_start(); - phpCAS::trace("Starting possible old session to copy variables"); - $old_session = $_SESSION; - session_destroy(); - } - // set up a new session, of name based on the ticket - $session_id = preg_replace('/[^\w]/','',$_GET['ticket']); - phpCAS::LOG("Session ID: " . $session_id); - session_id($session_id); - session_start(); - // restore old session vars - if(isset($old_session)){ - phpCAS::trace("Restoring old session vars"); - $_SESSION = $old_session; - } - } - }else{ - phpCAS::trace("Skipping session creation"); + if ($start_session && !$this->isLogoutRequest()) + { + phpCAS :: trace("Starting a new session"); + session_start(); } - + // are we in proxy mode ? $this->_proxy = $proxy; @@ -667,12 +672,8 @@ class CASClient } break; case CAS_VERSION_2_0: // check for a Service or Proxy Ticket - if (preg_match('/^ST-/', $ticket)) { - phpCAS::trace('ST \'' . $ticket . '\' found'); - $this->setST($ticket); - unset ($_GET['ticket']); - } else if (preg_match('/^PT-/', $ticket)) { - phpCAS::trace('PT \'' . $ticket . '\' found'); + if( preg_match('/^[SP]T-/',$ticket) ) { + phpCAS::trace('ST or PT \''.$ticket.'\' found'); $this->setPT($ticket); unset($_GET['ticket']); } else if ( !empty($ticket) ) { @@ -682,9 +683,9 @@ class CASClient break; case SAML_VERSION_1_1: // SAML just does Service Tickets if( preg_match('/^[SP]T-/',$ticket) ) { - phpCAS::trace('SA \''.$ticket.'\' found'); - $this->setSA($ticket); - unset($_GET['ticket']); + phpCAS::trace('SA \''.$ticket.'\' found'); + $this->setSA($ticket); + unset($_GET['ticket']); } else if ( !empty($ticket) ) { //ill-formed ticket, halt phpCAS::error('ill-formed ticket found in the URL (ticket=`'.htmlentities($ticket).'\')'); @@ -697,6 +698,57 @@ class CASClient /** @} */ + // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + // XX XX + // XX Session Handling XX + // XX XX + // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + + /** + * A variable to whether phpcas will use its own session handling. Default = true + * @hideinitializer + * @private + */ + var $_start_session = true; + + function setStartSession($session) + { + $this->_start_session = session; + } + + function getStartSession($session) + { + $this->_start_session = session; + } + + /** + * Renaming the session + */ + function renameSession($ticket) + { + phpCAS::traceBegin(); + if($this->_start_session){ + if (!empty ($this->_user)) + { + $old_session = $_SESSION; + session_destroy(); + // set up a new session, of name based on the ticket + $session_id = preg_replace('/[^\w]/', '', $ticket); + phpCAS :: trace("Session ID: ".$session_id); + session_id($session_id); + session_start(); + phpCAS :: trace("Restoring old session vars"); + $_SESSION = $old_session; + } else + { + phpCAS :: error('Session should only be renamed after successfull authentication'); + } + }else{ + phpCAS :: trace("Skipping session rename since phpCAS is not handling the session."); + } + phpCAS::traceEnd(); + } + // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX // XX XX // XX AUTHENTICATION XX @@ -743,8 +795,8 @@ class CASClient } return $this->_user; } - - + + /*********************************************************************************************************************** * Atrributes section @@ -760,23 +812,23 @@ class CASClient * @private */ var $_attributes = array(); - + function setAttributes($attributes) { $this->_attributes = $attributes; } - + function getAttributes() { if ( empty($this->_user) ) { // if no user is set, there shouldn't be any attributes also... phpCAS::error('this method should be used only after '.__CLASS__.'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()'); } return $this->_attributes; } - + function hasAttributes() { return !empty($this->_attributes); } - + function hasAttribute($key) { return (is_array($this->_attributes) && array_key_exists($key, $this->_attributes)); } - + function getAttribute($key) { if($this->hasAttribute($key)) { return $this->_attributes[$key]; @@ -802,7 +854,7 @@ class CASClient } phpCAS::traceEnd(); } - + /** * This method is called to be sure that the user is authenticated. When not * authenticated, halt by redirecting to the CAS server; otherwise return TRUE. @@ -914,66 +966,73 @@ class CASClient */ function isAuthenticated() { - phpCAS::traceBegin(); - $res = FALSE; - $validate_url = ''; - - if ( $this->wasPreviouslyAuthenticated() ) { + phpCAS::traceBegin(); + $res = FALSE; + $validate_url = ''; + + if ( $this->wasPreviouslyAuthenticated() ) { + if($this->hasST() || $this->hasPT() || $this->hasSA()){ + // User has a additional ticket but was already authenticated + phpCAS::trace('ticket was present and will be discarded, use renewAuthenticate()'); + header('Location: '.$this->getURL()); + phpCAS::log( "Prepare redirect to remove ticket: ".$this->getURL() ); + }else{ // the user has already (previously during the session) been // authenticated, nothing to be done. phpCAS::trace('user was already authenticated, no need to look for tickets'); - $res = TRUE; } - else { - if ( $this->hasST() ) { - // if a Service Ticket was given, validate it - phpCAS::trace('ST `'.$this->getST().'\' is present'); - $this->validateST($validate_url,$text_response,$tree_response); // if it fails, it halts - phpCAS::trace('ST `'.$this->getST().'\' was validated'); - if ( $this->isProxy() ) { - $this->validatePGT($validate_url,$text_response,$tree_response); // idem - phpCAS::trace('PGT `'.$this->getPGT().'\' was validated'); - $_SESSION['phpCAS']['pgt'] = $this->getPGT(); - } - $_SESSION['phpCAS']['user'] = $this->getUser(); - $res = TRUE; - } - elseif ( $this->hasPT() ) { - // if a Proxy Ticket was given, validate it - phpCAS::trace('PT `'.$this->getPT().'\' is present'); - $this->validatePT($validate_url,$text_response,$tree_response); // note: if it fails, it halts - phpCAS::trace('PT `'.$this->getPT().'\' was validated'); - if ( $this->isProxy() ) { - $this->validatePGT($validate_url,$text_response,$tree_response); // idem - phpCAS::trace('PGT `'.$this->getPGT().'\' was validated'); - $_SESSION['phpCAS']['pgt'] = $this->getPGT(); - } - $_SESSION['phpCAS']['user'] = $this->getUser(); - $res = TRUE; - } - elseif ( $this->hasSA() ) { - // if we have a SAML ticket, validate it. - phpCAS::trace('SA `'.$this->getSA().'\' is present'); - $this->validateSA($validate_url,$text_response,$tree_response); // if it fails, it halts - phpCAS::trace('SA `'.$this->getSA().'\' was validated'); - $_SESSION['phpCAS']['user'] = $this->getUser(); - $_SESSION['phpCAS']['attributes'] = $this->getAttributes(); - $res = TRUE; - } - else { - // no ticket given, not authenticated - phpCAS::trace('no ticket found'); + $res = TRUE; + } + else { + if ( $this->hasST() ) { + // if a Service Ticket was given, validate it + phpCAS::trace('ST `'.$this->getST().'\' is present'); + $this->validateST($validate_url,$text_response,$tree_response); // if it fails, it halts + phpCAS::trace('ST `'.$this->getST().'\' was validated'); + if ( $this->isProxy() ) { + $this->validatePGT($validate_url,$text_response,$tree_response); // idem + phpCAS::trace('PGT `'.$this->getPGT().'\' was validated'); + $_SESSION['phpCAS']['pgt'] = $this->getPGT(); } - if ($res) { - // if called with a ticket parameter, we need to redirect to the app without the ticket so that CAS-ification is transparent to the browser (for later POSTS) - // most of the checks and errors should have been made now, so we're safe for redirect without masking error messages. - header('Location: '.$this->getURL()); - phpCAS::log( "Prepare redirect to : ".$this->getURL() ); + $_SESSION['phpCAS']['user'] = $this->getUser(); + $res = TRUE; + } + elseif ( $this->hasPT() ) { + // if a Proxy Ticket was given, validate it + phpCAS::trace('PT `'.$this->getPT().'\' is present'); + $this->validatePT($validate_url,$text_response,$tree_response); // note: if it fails, it halts + phpCAS::trace('PT `'.$this->getPT().'\' was validated'); + if ( $this->isProxy() ) { + $this->validatePGT($validate_url,$text_response,$tree_response); // idem + phpCAS::trace('PGT `'.$this->getPGT().'\' was validated'); + $_SESSION['phpCAS']['pgt'] = $this->getPGT(); } + $_SESSION['phpCAS']['user'] = $this->getUser(); + $res = TRUE; + } + elseif ( $this->hasSA() ) { + // if we have a SAML ticket, validate it. + phpCAS::trace('SA `'.$this->getSA().'\' is present'); + $this->validateSA($validate_url,$text_response,$tree_response); // if it fails, it halts + phpCAS::trace('SA `'.$this->getSA().'\' was validated'); + $_SESSION['phpCAS']['user'] = $this->getUser(); + $_SESSION['phpCAS']['attributes'] = $this->getAttributes(); + $res = TRUE; + } + else { + // no ticket given, not authenticated + phpCAS::trace('no ticket found'); + } + if ($res) { + // if called with a ticket parameter, we need to redirect to the app without the ticket so that CAS-ification is transparent to the browser (for later POSTS) + // most of the checks and errors should have been made now, so we're safe for redirect without masking error messages. + header('Location: '.$this->getURL()); + phpCAS::log( "Prepare redirect to : ".$this->getURL() ); } - - phpCAS::traceEnd($res); - return $res; + } + + phpCAS::traceEnd($res); + return $res; } /** @@ -1071,30 +1130,7 @@ class CASClient phpCAS::traceExit(); exit(); } - -// /** -// * This method is used to logout from CAS. -// * @param $url a URL that will be transmitted to the CAS server (to come back to when logged out) -// * @public -// */ -// function logout($url = "") { -// phpCAS::traceBegin(); -// $cas_url = $this->getServerLogoutURL(); -// // v0.4.14 sebastien.gougeon at univ-rennes1.fr -// // header('Location: '.$cas_url); -// if ( $url != "" ) { -// // Adam Moore 1.0.0RC2 -// $url = '?service=' . $url . '&url=' . $url; -// } -// header('Location: '.$cas_url . $url); -// session_unset(); -// session_destroy(); -// $this->printHTMLHeader($this->getString(CAS_STR_LOGOUT)); -// printf('
'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'
',$cas_url); -// $this->printHTMLFooter(); -// phpCAS::traceExit(); -// exit(); -// } + /** * This method is used to logout from CAS. @@ -1114,7 +1150,7 @@ class CASClient } header('Location: '.$cas_url); phpCAS::log( "Prepare redirect to : ".$cas_url ); - + session_unset(); session_destroy(); @@ -1156,6 +1192,9 @@ class CASClient phpCAS::traceEnd(); return; } + if(!$this->_start_session){ + phpCAS::log("phpCAS can't handle logout requests if it does not manage the session."); + } phpCAS::log("Logout requested"); phpCAS::log("SAML REQUEST: ".$_POST['logoutRequest']); if ($check_client) { @@ -1177,7 +1216,7 @@ class CASClient } if (!$allowed) { phpCAS::error("Unauthorized logout request from client '".$client."'"); - printf("Unauthorized!"); + printf("Unauthorized!"); phpCAS::traceExit(); exit(); } @@ -1191,8 +1230,13 @@ class CASClient phpCAS::log("Ticket to logout: ".$ticket2logout); $session_id = preg_replace('/[^\w]/','',$ticket2logout); phpCAS::log("Session id: ".$session_id); - - // fix New session ID + + // destroy a possible application session created before phpcas + if(session_id()){ + session_unset(); + session_destroy(); + } + // fix session ID session_id($session_id); $_COOKIE[session_name()]=$session_id; $_GET[session_name()]=$session_id; @@ -1200,8 +1244,8 @@ class CASClient // Overwrite session session_start(); session_unset(); - session_destroy(); - printf("Disconnected!"); + session_destroy(); + printf("Disconnected!"); phpCAS::traceExit(); exit(); } @@ -1322,7 +1366,7 @@ class CASClient * This method is used to validate a ST; halt on failure, and sets $validate_url, * $text_reponse and $tree_response on success. These parameters are used later * by CASClient::validatePGT() for CAS proxies. - * + * Used for all CAS 1.0 validations * @param $validate_url the URL of the request to the CAS server. * @param $text_response the response of the CAS server, as is (XML text). * @param $tree_response the response of the CAS server, as a DOM XML tree. @@ -1338,7 +1382,7 @@ class CASClient $validate_url = $this->getServerServiceValidateURL().'&ticket='.$this->getST(); if ( $this->isProxy() ) { // pass the callback url for CAS proxies - $validate_url .= '&pgtUrl='.$this->getCallbackURL(); + $validate_url .= '&pgtUrl='.urlencode($this->getCallbackURL()); } // open and read the URL @@ -1434,156 +1478,160 @@ class CASClient } break; } + $this->renameSession($this->getST()); + // at this step, ST has been validated and $this->_user has been set, + phpCAS::traceEnd(TRUE); + return TRUE; + } + + // ######################################################################## + // SAML VALIDATION + // ######################################################################## + /** + * @addtogroup internalBasic + * @{ + */ + + /** + * This method is used to validate a SAML TICKET; halt on failure, and sets $validate_url, + * $text_reponse and $tree_response on success. These parameters are used later + * by CASClient::validatePGT() for CAS proxies. + * + * @param $validate_url the URL of the request to the CAS server. + * @param $text_response the response of the CAS server, as is (XML text). + * @param $tree_response the response of the CAS server, as a DOM XML tree. + * + * @return bool TRUE when successfull, halt otherwise by calling CASClient::authError(). + * + * @private + */ + function validateSA($validate_url,&$text_response,&$tree_response) + { + phpCAS::traceBegin(); + + // build the URL to validate the ticket + $validate_url = $this->getServerSamlValidateURL(); + + // open and read the URL + if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) { + phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')'); + $this->authError('SA not validated', $validate_url, TRUE/*$no_response*/); + } + + phpCAS::trace('server version: '.$this->getServerVersion()); + // analyze the result depending on the version + switch ($this->getServerVersion()) { + case SAML_VERSION_1_1: + + // read the response of the CAS server into a DOM object + if ( !($dom = domxml_open_mem($text_response))) { + phpCAS::trace('domxml_open_mem() failed'); + $this->authError('SA not validated', + $validate_url, + FALSE/*$no_response*/, + TRUE/*$bad_response*/, + $text_response); + } + // read the root node of the XML tree + if ( !($tree_response = $dom->document_element()) ) { + phpCAS::trace('document_element() failed'); + $this->authError('SA not validated', + $validate_url, + FALSE/*$no_response*/, + TRUE/*$bad_response*/, + $text_response); + } + // insure that tag name is 'Envelope' + if ( $tree_response->node_name() != 'Envelope' ) { + phpCAS::trace('bad XML root node (should be `Envelope\' instead of `'.$tree_response->node_name().'\''); + $this->authError('SA not validated', + $validate_url, + FALSE/*$no_response*/, + TRUE/*$bad_response*/, + $text_response); + } + // check for the NameIdentifier tag in the SAML response + if ( sizeof($success_elements = $tree_response->get_elements_by_tagname("NameIdentifier")) != 0) { + phpCAS::trace('NameIdentifier found'); + $user = trim($success_elements[0]->get_content()); + phpCAS::trace('user = `'.$user.'`'); + $this->setUser($user); + $this->setSessionAttributes($text_response); + } else { + phpCAS::trace('no