Major updates to the Unl_Auth_Adapter_Cas with API changes.

2ce29c77 · Tim Steiner · 3966b809 · 2ce29c77
Commit 2ce29c77 authored 15 years ago by Tim Steiner
--- a/library/Unl/Auth/Adapter/Cas.php
+++ b/library/Unl/Auth/Adapter/Cas.php
@@ -33,11 +33,21 @@ class Unl_Auth_Adapter_Cas implements Zend_Auth_Adapter_Interface
    private $_ticket;
    /**
-     * Whether or not to force a login.
+     * Whether or not to set either the gateway or renew parameters in the login request.
     * 
-     * @var bool
+     * @var int
     */
-    private $_forceLogin;
+    private $_gatewayOrRenew;
+    const PARAM_GATEWAY = 1;
+    const PARAM_DEFAULT = 2;
+    const PARAM_RENEW   = 3;
+    /**
+     * Session storage use to prevent infinate redirect loops when in gateway mode.
+     * @var Zend_Session_Namespace
+     */
+    private $_session;
    /**
     * Constructor
     *
@@ -47,16 +57,17 @@ class Unl_Auth_Adapter_Cas implements Zend_Auth_Adapter_Interface
     * @param bool $forceLogin
     * @return void
     */
-    public function __construct($serviceUrl, $casUrl, $ticket = null, $forceLogin = false)
+    public function __construct($serviceUrl, $casUrl, $ticket = null, $gatewayOrRenew = self::PARAM_DEFAULT)
    {
        $this->setServiceUrl($serviceUrl);
        $this->_casUrl = $casUrl;
-        $this->_forceLogin = $forceLogin;
+        $this->_gatewayOrRenew = $gatewayOrRenew;
        if ($ticket) {
            $this->_ticket = $ticket;
        } elseif (! empty($_GET["ticket"])) {
            $this->_ticket = $_GET['ticket'];
        }
+        $this->_session = new Zend_Session_Namespace(__CLASS__);
    }
    /**
@@ -83,6 +94,7 @@ class Unl_Auth_Adapter_Cas implements Zend_Auth_Adapter_Interface
            	$paramString = "?" . implode("&", $params);
            }
        }
+        $paramString = '';
        $this->_serviceUrl = urlencode($serviceUrl . $paramString);
    }
@@ -146,14 +158,110 @@ class Unl_Auth_Adapter_Cas implements Zend_Auth_Adapter_Interface
        return $this->_ticket;
    }
+    /**
+     * Sets the "renew" parameter in the login request, causing the CAS server
+     * to _always_ ask for the user to authenticate.
+     * 
+     * @param bool $renew
+     */
+    public function setRenew($renew = TRUE)
+    {
+        if ($renew) {
+            $this->_gatewayOrRenew = self::PARAM_RENEW;
+        } else {
+            $this->_gatewayOrRenew = self::PARAM_DEFAULT;
+        }
+    }
+    /**
+     * Returns whether or not the login request will have the "renew" parameter set.
+     * @return bool
+     */
+    public function getRenew()
+    {
+        return ($this->_gatewayOrRenew == self::PARAM_RENEW);
+    }
+    /**
+     * Alias to setRenew()
+     * 
+     * @deprecated
+     * @param bool $forceLogin
+     */
    public function setForceLogin($forceLogin)
    {
-        $this->_forceLogin = $forceLogin;
+        return $this->setRenew($forceLogin);
    }
+    /**
+     * Alias to getRenew()
+     * 
+     * @deprecated
+     * @return bool
+     */
    public function getForceLogin()
    {
-        return $this->_forceLogin;
+        return $this->_getRenew();
+    }
+    /**
+     * Sets the "gateway" parameter in the login request, causing the CAS server
+     * to _never_ ask for the user to authenticate.
+     * @param bool $gateway
+     */
+    public function setGateway($gateway = TRUE)
+    {
+        if ($gateway) {
+            $this->_gatewayOrRenew = self::PARAM_GATEWAY;
+        } else {
+            $this->_gatewayOrRenew = self::PARAM_DEFAULT;
+        }
+    }
+    /**
+     * Returns whether or not the login request will have the "gateway" parameter set.
+     * @return bool
+     */
+    public function getGateway()
+    {
+        return ($this->_gatewayOrRenew == self::PARAM_GATEWAY);
+    }
+    /**
+     * Returns the URL to the CAS login page.
+     * Intended usage: $this->_redirect($cas->getLoginUrl());
+     */
+    public function getLoginUrl()
+    {
+        $location = $this->_casUrl . '/login?service=' . $this->_serviceUrl;
+        switch ($this->_gatewayOrRenew) {
+            case self::PARAM_GATEWAY:
+                $location .= '&gateway=true';
+                $this->_session->gatewayTried = TRUE;
+                break;
+            case self::PARAM_RENEW:
+                $location .= '&renew=true';
+                break;
+        }
+        return $location;
+    }
+    /**
+     * Returns the URL to the CAS logout page.
+     * Intended usage: $this->_redirect($cas->getLogoutUrl());
+     */
+    public function getLogoutUrl()
+    {
+    	return $this->_casUrl . '/logout';
+    }
+    /**
+     * This is a stop-gap measure until the CAS server handles the uni-wide cookie on its own.
+     * This should be called whenever you would redirect a user to the logout URL.
+     */
+    public function clearIdentity()
+    {
+    	$this->_authenticationFailed('N/A');
    }
    /**
@@ -170,13 +278,13 @@ class Unl_Auth_Adapter_Cas implements Zend_Auth_Adapter_Interface
    {
        if ($this->_ticket) {
            if ($this->_validateTicket($this->_ticket)) {
+            	setcookie('sso', $this->getUsername(), 0, '/', '.unl.edu');
                return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->getUsername(), array('Authentication successful.'));
            } else {
-                return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null, array('Authentication failed.'));
+                return $this->_authenticationFailed('Invalid or expired CAS ticket.');
            }
        } else {
-            header("Location: " . $this->_casUrl . "/login?service=" . $this->_serviceUrl . ($this->_forceLogin ? "&renew=true" : ""));
+            return $this->_authenticationFailed('No CAS Ticktet.');
-            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null, array('No CAS Ticktet.'));
        }
    }
@@ -216,4 +324,14 @@ class Unl_Auth_Adapter_Cas implements Zend_Auth_Adapter_Interface
        }
        return false;
    }
+    /**
+     * Helper function called when a failure result needs to be returned.
+     * @param $message Failure message
+     */
+    private function _authenticationFailed($message)
+    {
+        setcookie('sso', '', 1, '/', '.unl.edu');
+    	return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null, array($message));
+    }
 }
\ No newline at end of file