Viewing file:  CAS.php (6.64 KB) -rwxrwxr-x
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
<?php
/**
* Authenticate using CAS.
*
* Based on www/auth/login-cas.php by Mads Freek, RUC.
*
* @author Danny Bollaert, UGent.
* @package simpleSAMLphp
* @version $Id$
*/
class sspmod_cas_Auth_Source_CAS extends SimpleSAML_Auth_Source {
/**
* The string used to identify our states.
*/
const STAGE_INIT = 'sspmod_cas_Auth_Source_CAS.state';
/**
* The key of the AuthId field in the state.
*/
const AUTHID = 'sspmod_cas_Auth_Source_CAS.AuthId';
/**
* @var array with ldap configuration
*/
private $_ldapConfig;
/**
* @var cas configuration
*/
private $_casConfig;
/**
* @var cas chosen validation method
*/
private $_validationMethod;
/**
* @var cas login method
*/
private $_loginMethod;
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
if (!array_key_exists('cas', $config)){
throw new Exception('cas authentication source is not properly configured: missing [cas]');
}
if (!array_key_exists('ldap', $config)){
throw new Exception('ldap authentication source is not properly configured: missing [ldap]');
}
$this->_casConfig = $config['cas'];
$this->_ldapConfig = $config['ldap'];
if(isset($this->_casConfig['serviceValidate'])){
$this->_validationMethod = 'serviceValidate';
}elseif(isset($this->_casConfig['validate'])){
$this->_validationMethod = 'validate';
}else{
throw new Exception("validate or serviceValidate not specified");
}
if(isset($this->_casConfig['login'])){
$this->_loginMethod = $this->_casConfig['login'];
}else{
throw new Exception("cas login url not specified");
}
}
/**
* This the most simple version of validating, this provides only authentication validation
*
* @param string $ticket
* @param string $service
* @return list username and attributes
*/
private function casValidate($ticket, $service){
$url = SimpleSAML_Utilities::addURLparameter($this->_casConfig['validate'], array(
'ticket' => $ticket,
'service' => $service,
));
$result = SimpleSAML_Utilities::fetch($url);
$res = preg_split("/\r?\n/",$result);
if (strcmp($res[0], "yes") == 0) {
return array($res[1], array());
} else {
throw new Exception("Failed to validate CAS service ticket: $ticket");
}
}
/**
* Uses the cas service validate, this provides additional attributes
*
* @param string $ticket
* @param string $service
* @return list username and attributes
*/
private function casServiceValidate($ticket, $service){
$url = SimpleSAML_Utilities::addURLparameter($this->_casConfig['serviceValidate'], array(
'ticket' => $ticket,
'service' => $service,
));
$result = SimpleSAML_Utilities::fetch($url);
$dom = DOMDocument::loadXML($result);
$xPath = new DOMXpath($dom);
$xPath->registerNamespace("cas", 'http://www.yale.edu/tp/cas');
$success = $xPath->query("/cas:serviceResponse/cas:authenticationSuccess/cas:user");
if ($success->length == 0) {
$failure = $xPath->evaluate("/cas:serviceResponse/cas:authenticationFailure");
throw new Exception("Error when validating CAS service ticket: " . $failure->item(0)->textContent);
} else {
$attributes = array();
if ($casattributes = $this->_casConfig['attributes']) { # some has attributes in the xml - attributes is a list of XPath expressions to get them
foreach ($casattributes as $name => $query) {
$attrs = $xPath->query($query);
foreach ($attrs as $attrvalue) $attributes[$name][] = $attrvalue->textContent;
}
}
$casusername = $success->item(0)->textContent;
return array($casusername, $attributes);
}
}
/**
* Main validation method, redirects to correct method
* (keeps finalStep clean)
*
* @param string $ticket
* @param string $service
* @return list username and attributes
*/
protected function casValidation($ticket, $service){
switch($this->_validationMethod){
case 'validate':
return $this->casValidate($ticket, $service);
break;
case 'serviceValidate':
return $this->casServiceValidate($ticket, $service);
break;
default:
throw new Exception("validate or serviceValidate not specified");
}
}
/**
* Called by linkback, to finish validate/ finish logging in.
* @param state $state
* @return list username, casattributes/ldap attributes
*/
public function finalStep(&$state) {
$ticket = $state['cas:ticket'];
$stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
$service = SimpleSAML_Module::getModuleURL('cas/linkback.php', array('stateID' => $stateID));
list($username, $casattributes) = $this->casValidation($ticket, $service);
$ldapattributes = array();
if ($this->_ldapConfig['servers']) {
$ldap = new SimpleSAML_Auth_LDAP($this->_ldapConfig['servers'], $this->_ldapConfig['enable_tls']);
$ldapattributes = $ldap->validate($this->_ldapConfig, $username);
}
$attributes = array_merge_recursive($casattributes, $ldapattributes);
$state['Attributes'] = $attributes;
SimpleSAML_Auth_Source::completeAuth($state);
}
/**
* Log-in using cas
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state) {
assert('is_array($state)');
/* We are going to need the authId in order to retrieve this authentication source later. */
$state[self::AUTHID] = $this->authId;
$stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
$serviceUrl = SimpleSAML_Module::getModuleURL('cas/linkback.php', array('stateID' => $stateID));
SimpleSAML_Utilities::redirect($this->_loginMethod, array(
'service' => $serviceUrl));
}
/**
* Log out from this authentication source.
*
* This function should be overridden if the authentication source requires special
* steps to complete a logout operation.
*
* If the logout process requires a redirect, the state should be saved. Once the
* logout operation is completed, the state should be restored, and completeLogout
* should be called with the state. If this operation can be completed without
* showing the user a page, or redirecting, this function should return.
*
* @param array &$state Information about the current logout operation.
*/
public function logout(&$state) {
assert('is_array($state)');
$logoutUrl = $this->_casConfig['logout'];
SimpleSAML_Auth_State::deleteState($state);
// we want cas to log us out
SimpleSAML_Utilities::redirect($logoutUrl, array());
}
}
|