<?php
/**
* Mahara: Electronic portfolio, weblog, resume builder and social networking
* Copyright (C) 2006-2009 Catalyst IT Ltd (http://www.catalyst.net.nz)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @package mahara
* @subpackage auth-cas
* @author Patrick Pollet <[email protected]>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL
* @copyright (C) 2006-2011 Catalyst IT Ltd http://catalyst.net.nz
* @copyright (C) 2011 INSA de Lyon France
*
* This file incorporates work covered by the following copyright and
* permission notice:
*
* Moodle - Modular Object-Oriented Dynamic Learning Environment
* http://moodle.com
*
* Copyright (C) 2001-3001 Martin Dougiamas http://dougiamas.com
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details:
*
* http://www.gnu.org/copyleft/gpl.html
*/
defined('INTERNAL') || die(); // refuse direct web requests; this file is only reachable through Mahara's bootstrap
require_once(get_config('docroot') . 'auth/lib.php');
require_once(get_config('docroot') . 'auth/ldap/lib.php'); // provides AuthLdap, the parent class below
require_once(get_config('docroot') . 'auth/cas/CAS/CAS.php'); // phpCAS client library, used through its static phpCAS:: API
require_once(get_config('docroot') . 'auth/cas/PluginAuthCas.class.php');
/**
* Authenticates users with CAS and an associated Lightweight Directory Access Protocol
*/
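class AuthCas extends AuthLdap {
    const LANG_CLASS_PREFIX = 'CAS_Languages_';

    /**
     * True once connectCAS() has configured the phpCAS client in this PHP process.
     * authenticate_user_account() refuses to run until then, so a CAS account can
     * never be "authenticated" from an ordinary Mahara login form that never
     * talked to the CAS server.
     */
    private static $connected = false;

    public function __construct($id = null) {
        parent::__construct($id); // loads the instance config when $id is given
        $this->type = 'cas';
        $this->has_instance_config = true;
    }

    /**
     * Initialise the instance and decide whether it is usable.
     *
     * The instance is only ready when the parent (LDAP) config is complete, the
     * CAS server endpoint and phpCAS language are set, and — when certificate
     * validation is requested — a CA certificate path is configured. The last
     * rule makes a half-configured instance fail closed instead of silently
     * running without TLS validation (see connectCAS()).
     *
     * @param int|null $id auth instance id
     * @return bool whether the instance is ready for use
     */
    public function init($id = null) {
        $this->ready = parent::init($id);
        if (empty($this->config['cas_hostname'])
            || empty($this->config['cas_port'])
            || empty($this->config['cas_language'])) {
            $this->ready = false;
        }
        if (!empty($this->config['cas_certificatecheck']) && empty($this->config['cas_certificatepath'])) {
            $this->ready = false;
        }
        return $this->ready;
    }

    /**
     * Complete a login that was started by the CAS ticket validation in auth/cas/index.php.
     *
     * No password is verified here: the CAS server already authenticated the user.
     * This method only confirms that the CAS-asserted principal is the account
     * Mahara is about to log in, and optionally refreshes the profile from LDAP.
     *
     * @param object $user     Mahara user record (username, id and profile fields are read)
     * @param string $password ignored; present to satisfy the Auth interface
     * @return bool true when the CAS user matches $user->username (case-insensitively)
     * @throws AuthUnknownUserException when the PHP LDAP extension is missing
     */
    public function authenticate_user_account($user, $password) {
        // Only honour calls that follow a real CAS round-trip in this process.
        if (!self::$connected) {
            return false;
        }
        $this->must_be_ready();

        if (!function_exists('ldap_bind')) {
            throw new AuthUnknownUserException('LDAP is not available in your PHP environment. Check that it is properly installed');
        }

        $username = $user->username;
        if (empty($username)) {
            return false;
        }

        // phpCAS::isAuthenticated() is deliberately not re-checked here: for a
        // newly created user Mahara has already cleared the session, so it would
        // fail. We rely on index.php having called it earlier in this request.
        // If it was not, phpCAS::getUser() aborts with a phpCAS fatal error
        // instead of returning a name, so the missing check fails closed.
        // (That is phpCAS behaviour, not ours — confirm it for the bundled version.)
        if (strtolower(phpCAS::getUser()) !== strtolower($username)) {
            return false;
        }

        $updateonlogin = !empty($this->config['updateuserinfoonlogin'])
            && (string)$this->config['updateuserinfoonlogin'] === '1';
        if ($user->id && $updateonlogin) {
            $this->refresh_profile_from_ldap($user, $username);
        }
        return true;
    }

    /**
     * Refresh an existing user's profile fields from the LDAP entry for $username.
     *
     * Each imported value goes through the matching sanitize_<field>() helper
     * before being compared and stored. studentid is institution-specific, so it
     * is additionally recorded on the usr_institution row for this institution.
     *
     * @param object $user     Mahara user record to update in place and in the database
     * @param string $username LDAP lookup key
     */
    private function refresh_profile_from_ldap($user, $username) {
        // get_user_info() returns an object; work on it as an array.
        $ldapdetails = (array)$this->get_user_info($username);
        $fieldstoimport = array('firstname', 'lastname', 'email', 'studentid', 'preferredname');
        foreach ($fieldstoimport as $field) {
            if (!isset($ldapdetails[$field])) {
                continue;
            }
            $sanitizer = 'sanitize_' . $field;
            $value = $sanitizer($ldapdetails[$field]);
            if (empty($value) || (string)$user->$field === (string)$value) {
                continue;
            }
            $user->$field = $value;
            set_profile_field($user->id, $field, $value);
            if ($field === 'studentid' && $this->institution !== 'mahara') {
                $record = array(
                    'usr' => $user->id,
                    'institution' => $this->institution,
                    'ctime' => db_format_timestamp(time()),
                    'studentid' => $user->studentid,
                );
                $key = array(
                    'usr' => $user->id,
                    'institution' => $this->institution,
                );
                ensure_record_exists('usr_institution', $key, $record);
            }
        }
    }

    /**
     * Configure the phpCAS client (plain client or proxy) for this instance.
     *
     * Idempotent per process: the configuration is applied once and recorded in
     * self::$connected. Certificate validation of the CAS server is enforced
     * whenever cas_certificatecheck is enabled; an enabled check without a CA
     * path is refused rather than downgraded to "no validation", because the
     * ticket validation exchange is what proves who the user is.
     *
     * @throws Exception when certificate validation is enabled but no CA path is set
     */
    public function connectCAS() {
        if (self::$connected) {
            return;
        }

        $version  = (string)$this->config['cas_version'];
        $hostname = $this->config['cas_hostname'];
        $port     = (int)$this->config['cas_port'];
        $baseuri  = $this->config['cas_baseuri'];

        // Last argument false: Mahara owns the PHP session, phpCAS must not start its own.
        if (!empty($this->config['cas_proxy'])) {
            phpCAS::proxy($version, $hostname, $port, $baseuri, false);
        }
        else {
            phpCAS::client($version, $hostname, $port, $baseuri, false);
        }

        if (!empty($this->config['cas_certificatecheck'])) {
            if (empty($this->config['cas_certificatepath'])) {
                // Fail closed. Falling through to setNoCasServerValidation() here
                // would let a forgotten CA path silently disable TLS validation.
                throw new Exception('CAS certificate validation is enabled but no CA certificate path is configured');
            }
            phpCAS::setCasServerCACert($this->config['cas_certificatepath']);
        }
        else {
            // Administrator explicitly disabled validation: the CAS server's TLS
            // certificate is not checked, so ticket validation responses could be
            // forged by anyone on the network path. Not suitable for production.
            phpCAS::setNoCasServerValidation();
        }

        phpCAS::setLang(self::LANG_CLASS_PREFIX . $this->config['cas_language']);
        self::$connected = true;
    }

    /**
     * @override
     * Also log the user out of the CAS server when cas_logout is enabled,
     * sending them back to this site's root afterwards.
     */
    public function logout() {
        global $CFG;
        if (empty($this->config['cas_logout'])) {
            return;
        }
        $backurl = $CFG->wwwroot; // fixed, non-user-controlled return target
        $this->connectCAS();
        // logoutWithRedirectService needs CAS server >= 3.3.5 (see MDL-27610);
        // older phpCAS releases only offer logoutWithURL.
        if (method_exists('phpCAS', 'logoutWithRedirectService')) {
            phpCAS::logoutWithRedirectService($backurl);
        }
        else {
            phpCAS::logoutWithURL($backurl);
        }
    }
}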