Updates to CAS Authentication.

9c851a99 · Tim Steiner · 39bf75b7 · 9c851a99 · 9c851a99 · 9c851a99
Commit 9c851a99 authored Nov 17, 2011 by Tim Steiner
--- a/library/Unl/Cas.php
+++ b/library/Unl/Cas.php
@@ -110,7 +110,7 @@ class Unl_Cas
            }
        }
        $paramString = '';
-        $this->_serviceUrl = urlencode($serviceUrl . $paramString);
+        $this->_serviceUrl = $serviceUrl . $paramString;
    }
    
    /**
@@ -248,7 +248,7 @@ class Unl_Cas
     */
    public function getLoginUrl()
    {
-        $location = $this->_casUrl . '/login?service=' . $this->_serviceUrl;
+        $location = $this->_casUrl . '/login?service=' . urlencode($this->_serviceUrl);
        switch ($this->_gatewayOrRenew) {
            case self::PARAM_GATEWAY:
                $location .= '&gateway=true';
@@ -286,7 +286,7 @@ class Unl_Cas
    	}
    	
        require_once ('Zend/Http/Client.php');
-        $client = new Zend_Http_Client($this->_casUrl . '/serviceValidate?service=' . $this->_serviceUrl . '&ticket=' . $ticket);
+        $client = new Zend_Http_Client($this->_casUrl . '/serviceValidate?service=' . urlencode($this->_serviceUrl) . '&ticket=' . $ticket);
        $response = $client->request();
        if ($response->isSuccessful() && $this->_parseResponse($response->getBody())) {
            $this->_addValidTicket($ticket);

--- a/library/Unl/Controller/Action/Authenticate.php
+++ b/library/Unl/Controller/Action/Authenticate.php
@@ -12,28 +12,30 @@ abstract class Unl_Controller_Action_Authenticate extends Unl_Controller_Action
     */
    public function loginAction()
    {
-		$session = new Zend_Session_Namespace(get_called_class());
-		$baseUrl = Zend_Controller_Front::getInstance()->getBaseUrl();
-		try {
+        $session = new Zend_Session_Namespace(__CLASS__);
+        $baseUrl = Zend_Controller_Front::getInstance()->getBaseUrl();
+        try {
            $referer = Zend_Uri_Http::factory($_SERVER['HTTP_REFERER']);
-		} catch (Exception $e) {
-		}
-		if ($referer && 
-		    $referer->getHost() == $_SERVER['HTTP_HOST'] &&
-		    (!$referer->getPort() || $referer->getPort() == $_SERVER['SERVER_PORT']) &&
-		    substr($referer->getPath(), 0, strlen($baseUrl)) == $baseUrl) {
-		    $session->referer = substr($referer->getPath(), strlen($baseUrl));
-		    $session->referer = ltrim($session->referer, '/'); 
-		    if ($referer->getQuery()) {
-		    	$session->referer .= '?' . $referer->getQuery();
-		    }
-		    if ($referer->getFragment()) {
-		    	$session->referer .= '#' . $referer->getFragment();
-		    }
-		} else {
-			$session->referer = $this->_getDefaultLandingPath();
-		}
-		
+        } catch (Exception $e) {
+        }
+        if ($this->_getParam('referer')) {
+            $session->referer = $this->_getParam('referer');
+        } else if ($referer && 
+            $referer->getHost() == $_SERVER['HTTP_HOST'] &&
+            (!$referer->getPort() || $referer->getPort() == $_SERVER['SERVER_PORT']) &&
+            substr($referer->getPath(), 0, strlen($baseUrl)) == $baseUrl) {
+            $session->referer = substr($referer->getPath(), strlen($baseUrl));
+            $session->referer = ltrim($session->referer, '/'); 
+            if ($referer->getQuery()) {
+                $session->referer .= '?' . $referer->getQuery();
+            }
+            if ($referer->getFragment()) {
+                $session->referer .= '#' . $referer->getFragment();
+            }
+        } else {
+            $session->referer = $this->_getDefaultLandingPath();
+        }
+        
        $this->_redirect($this->_getCasAdapter()->getLoginUrl());
    }
    
@@ -65,33 +67,30 @@ abstract class Unl_Controller_Action_Authenticate extends Unl_Controller_Action
    public function casAction()
    {
        $auth = Zend_Auth::getInstance();
-		$casAdapter = $this->_getCasAdapter();
-		
-		if ($this->_getParam('logoutRequest')) {
-			$casAdapter->handleLogoutRequest($this->_getParam('logoutRequest'));
-		}
-		
-		try {
-			$result = $auth->authenticate(new Unl_Auth_Adapter_Cas($casAdapter));
-		} catch (Exception $e) {
-			//
-		}
-		
-		if ($result && $result->isValid()) {
-		    $this->_setupUser(Zend_Auth::getInstance()->getIdentity());
-		} else {
-			Zend_Auth::getInstance()->clearIdentity();
-			if (!isset($_COOKIE['unl_sso'])) {
-			    setcookie('unl_sso', 'fake', time() - 60*60*24, '/', '.unl.edu');
-			}
-		}
-		
-		$session = new Zend_Session_Namespace(get_called_class());
-		if ($session->referer) {
-			$this->_redirect($session->referer);
-		} else {
-        	$this->_redirect($this->_getDefaultLandingPath());
-		}
+        $casAdapter = $this->_getCasAdapter();
+        $casAdapter->setTicket($this->_getParam('ticket'));
+        
+        if ($this->_getParam('logoutRequest')) {
+            $casAdapter->handleLogoutRequest($this->_getParam('logoutRequest'));
+        }
+        
+        try {
+            $result = $auth->authenticate(new Unl_Auth_Adapter_Cas($casAdapter));
+        } catch (Exception $e) {
+            //
+        }
+        
+        if ($result && $result->isValid()) {
+            $this->_setupUser(Zend_Auth::getInstance()->getIdentity());
+        } else {
+            Zend_Auth::getInstance()->clearIdentity();
+            if (!isset($_COOKIE['unl_sso'])) {
+                setcookie('unl_sso', 'fake', time() - 60*60*24, '/', '.unl.edu');
+            }
+        }
+        
+        $session = new Zend_Session_Namespace(__CLASS__);
+        $this->_redirect($session->referer);
    }

    /**
@@ -117,26 +116,30 @@ abstract class Unl_Controller_Action_Authenticate extends Unl_Controller_Action
        return '/';
    }
    
-	/**
-	 * Sets up the CAS adapter and returns it.
-	 * Overide this if you need to initialize the CAS adapter with different settings.
-	 * @return Unl_Cas
-	 */
-	protected function _getCasAdapter()
-	{
-	    static $adapter = NULL;
-	    
-	    if (!$adapter) {
+    /**
+     * Sets up the CAS adapter and returns it.
+     * Overide this if you need to initialize the CAS adapter with different settings.
+     * @return Unl_Cas
+     */
+    protected function _getCasAdapter()
+    {
+        static $adapter = NULL;
+        
+        if (!$adapter) {
            if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
                $serviceUrl = 'https://';
            } else {
                $serviceUrl = 'http://';
            }
-            $path = Zend_Controller_Front::getInstance()->getRouter()->assemble(array('action' => 'cas'));
+            $path = Zend_Controller_Front::getInstance()->getRouter()->assemble(array(
+                'module' => $this->getRequest()->getModuleName(),
+                'controller' => $this->getRequest()->getControllerName(),
+                'action' => 'cas'
+            ));
            $serviceUrl .= $_SERVER['SERVER_NAME'] . $path;
-            $adapter = new Unl_Cas($serviceUrl, 'https://login.unl.edu/cas', $this->_getParam('ticket'));
-	    }
-	    
-	    return $adapter;
-	}
+            $adapter = new Unl_Cas($serviceUrl, 'https://login.unl.edu/cas');
+        }
+        
+        return $adapter;
+    }
 }
\ No newline at end of file
--- a/library/Unl/Controller/Plugin/Authenticate.php
+++ b/library/Unl/Controller/Plugin/Authenticate.php
+<?php
+
+/**
+ * A Zend Controller Plugin that facilitates using transparent CAS authentication.
+ * To enable this module, add the following lines to your application.ini:
+ * resources.frontController.plugins[] = Unl_Controller_Plugin_Authenticate
+ * unl.cas.controller = <name of the controller that extends Unl_Controller_Action_Authenticate>
+ * 
+ * @author tsteiner
+ *
+ */
+class Unl_Controller_Plugin_Authenticate extends Zend_Controller_Plugin_Abstract
+{
+    public function dispatchLoopStartup(Zend_Controller_Request_Abstract $request)
+    {
+        $front = Zend_Controller_Front::getInstance();
+        
+        $options = $front->getParam('bootstrap')->getOptions();
+        $casOptions = (isset($options['unl']['cas']) ? $options['unl']['cas'] : array());
+        
+        // Get the controller name.  This is required.
+        if (isset($casOptions['controller'])) {
+            $casController = $casOptions['controller'];
+        } else {
+            return;
+        }
+    
+        // Get the module name.  This is only required if using modules.
+        if (isset($casOptions['module'])) {
+            $casModule = $casOptions['module'];
+        } else if (!isset($options['resources']['modules'])) {
+            $casModule = 'default';
+        } else {
+            return;
+        }
+        
+        // Get the action name.  This isn't normally needed.
+        if (isset($casOptions['action'])) {
+            $casAction = $casOptions['action'];
+        } else {
+            $casAction = 'cas';
+        }
+        
+        // Transparent checks should not be done if the original request is an authentication request.
+        if ($request->getModuleName() == $casModule && $request->getControllerName() == $casController) {
+            return;
+        }
+        
+        // Transparent checks should not be done on non-HTTP, non-GET requests.
+        if (!$request instanceof Zend_Controller_Request_Http || !$request->isGet()) {
+            return;
+        }
+        
+        // If there's no SSO cookie, there's no need to do a transparent login unless a user is already logged in.
+        if (!array_key_exists('unl_sso', $_COOKIE) && !Zend_Auth::getInstance()->hasIdentity()) {
+            return;
+        }
+        
+        // Build the cas service URL.
+        if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
+            $serviceUrl = 'https://';
+        } else {
+            $serviceUrl = 'http://';
+        }
+        $casPath = Zend_Controller_Front::getInstance()->getRouter()->assemble(array(
+            'module' => $casModule,
+            'controller' => $casController,
+            'action' => $casAction,
+        ));
+        $serviceUrl .= $_SERVER['SERVER_NAME'] . $casPath;
+        
+        // Init the CAS Adapter.
+        $casAdapter = new Unl_Cas($serviceUrl, 'https://login.unl.edu/cas');
+        
+        // If either the user has no ticket, the ticket is expired, or a user isn't logged in, go ahead with transparent login.
+        if ($casAdapter->isTicketExpired() || !Zend_Auth::getInstance()->hasIdentity()) {
+            $currentPath = Zend_Controller_Front::getInstance()->getRouter()->assemble(array());
+            $currentPath = substr($currentPath, strlen($front->getBaseUrl()));
+            
+            $session = new Zend_Session_Namespace('Unl_Controller_Action_Authenticate');
+            $session->referer = $currentPath;
+            
+            $casAdapter->setGateway();
+            header('Location: ' . $casAdapter->getLoginUrl());
+            exit;
+        }
+    }
+}
\ No newline at end of file