Commit 31415adb authored by Eric Rasmussen's avatar Eric Rasmussen

clean up the CAS login

parent 70a6ad2e
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
* *
* @package cas_auth * @package cas_auth
* @license http://www.gnu.org/licenses/gpl.html * @license http://www.gnu.org/licenses/gpl.html
* @author Xavier Roussel <xavier.roussel@uvsq.fr> * @author Xavier Roussel <xavier.roussel@uvsq.fr> (Modified for UNL CAS by Eric Rasmussen)
* @copyright UVSQ 2008 * @copyright UVSQ 2008
* @link http://www.uvsq.fr * @link http://www.uvsq.fr
*/ */
...@@ -52,8 +52,7 @@ ...@@ -52,8 +52,7 @@
* @param string * @param string
* @return array Associative array. * @return array Associative array.
*/ */
function formatPostalAddress() function formatPostalAddress() {
{
/* this is a faculty postal address /* this is a faculty postal address
Currently of the form: Currently of the form:
### ___ UNL 68588-#### ### ___ UNL 68588-####
...@@ -92,63 +91,53 @@ ...@@ -92,63 +91,53 @@
} }
return $address; return $address;
} }
} }
// Include main cas lib // Include main cas lib
include_once 'cas/CAS.php'; include_once 'cas/CAS.php';
$casInitialized = false;
/** /**
* CAS Authentication init * CAS Authentication init
* *
*/ */
function cas_auth_init() function cas_auth_init() {
{
// global config
global $CONFIG; global $CONFIG;
// plugin config // plugin config
$config = find_plugin_settings('cas_auth'); $config = find_plugin_settings('cas_auth');
// todo : send message to user // todo : send message to user
if (!$config) return false; if (!$config)
return false;
// CAS auth required
if ( $_REQUEST['loginwith'] == 'UNLlogin' && !isset($_REQUEST['ticket']) ) if ($_GET['loginwith'] == 'UNLlogin') {
{ if (checkCas()) {
createCas();
}
// CAS auth done
if ( $_REQUEST['loginwith'] == 'UNLlogin' && (isset($_REQUEST['ticket']) || isset($_REQUEST['email'])) )
{
// Check CAS auth the CAS way just in case
if ( checkCas() ) {
$_SESSION['loggedWithCAS'] = true; $_SESSION['loggedWithCAS'] = true;
$cas_user = getUserCas(); $cas_user = getUserCas();
if(ldapAuthenticate( $cas_user )) { if (casAuthenticate($cas_user)) {
system_message(elgg_echo('loginok')); system_message(elgg_echo('loginok'));
$cas_user = str_replace('-','_',$cas_user); $cas_user = str_replace('-','_',$cas_user);
//user is logged in now, this is the last step - forward based on whether they have logged in before //user is logged in now, this is the last step - forward based on whether they have logged in before
$lastlogin_date = $_SESSION['user']->last_login; $lastlogin_date = $_SESSION['user']->last_login;
if (!$lastlogin_date){ if (!$lastlogin_date) {
forward('mod/profile/edit.php?firstlogin=yes'); forward('mod/profile/edit.php?firstlogin=yes');
} }
forward("pg/profile/unl_" . $cas_user); forward("pg/profile/unl_" . $cas_user);
} else {
register_error(elgg_echo('loginerror'));
} }
else register_error(elgg_echo('loginerror')); } else {
createCas();
} }
else register_error(elgg_echo('loginerror'));
} }
// The CAS ticket is lost, log out // The CAS ticket is lost, log out
if ( $_SESSION['loggedWithCAS'] && !checkCas() ) { if ($_SESSION['loggedWithCAS'] && !checkCas()) {
$_SESSION['loggedWithCAS'] = false; $_SESSION['loggedWithCAS'] = false;
forward($CONFIG->url.'/action/logout'); forward($CONFIG->url.'/action/logout');
} }
} }
...@@ -157,10 +146,9 @@ ...@@ -157,10 +146,9 @@
// Register the initialisation function // Register the initialisation function
register_elgg_event_handler('init','system','cas_auth_init'); register_elgg_event_handler('init','system','cas_auth_init');
// Register CAS logout to main logout only if user logged with CAS // Register CAS logout to main logout only if user logged with CAS
if (isset($_SESSION['loggedWithCAS']) && $_SESSION['loggedWithCAS']===true) { if (isset($_SESSION['loggedWithCAS']) && $_SESSION['loggedWithCAS']==true) {
register_elgg_event_handler('logout', 'user', 'logoutCas'); register_elgg_event_handler('logout', 'user', 'logoutCas');
} }
/* set up login page */ /* set up login page */
register_page_handler('login', 'login_page_handler'); register_page_handler('login', 'login_page_handler');
...@@ -175,7 +163,6 @@ ...@@ -175,7 +163,6 @@
} }
} }
/** /**
* CAS client initialization * CAS client initialization
* *
...@@ -186,6 +173,7 @@ ...@@ -186,6 +173,7 @@
phpCAS::client(CAS_VERSION_2_0, $config->casurl, (int) $config->casport , $config->casuri ); phpCAS::client(CAS_VERSION_2_0, $config->casurl, (int) $config->casport , $config->casuri );
$GLOBALS[casInitialized] = true; $GLOBALS[casInitialized] = true;
} }
return true;
} }
/** /**
...@@ -195,6 +183,7 @@ ...@@ -195,6 +183,7 @@
function createCas() { function createCas() {
initCas(); initCas();
phpCAS::forceAuthentication(); phpCAS::forceAuthentication();
return true;
} }
/** /**
...@@ -207,7 +196,8 @@ ...@@ -207,7 +196,8 @@
if (phpCAS::checkAuthentication()) { if (phpCAS::checkAuthentication()) {
return true; return true;
} }
else return false; else
return false;
} }
/** /**
...@@ -227,307 +217,88 @@ ...@@ -227,307 +217,88 @@
global $CONFIG; global $CONFIG;
initCas(); initCas();
phpCAS::logout($CONFIG->url.'/action/logout'); phpCAS::logout($CONFIG->url.'/action/logout');
return true;
} }
/**
* LDAP authentication
*
* @param string $username Go around PAM handler credentials (CAS can't return a password)
* @return boolean
*/
function ldapAuthenticate($username)
{
// Nothing to do if LDAP module not installed
// if (!function_exists('ldap_connect')) {
// return false;
// }
// Get configuration settings
// $config = find_plugin_settings('ldap_auth');
// Nothing to do if not configured /**
// if (!$config) * Perform an CAS authentication check
// { *
// return false; * @param string $username
// } * @return boolean
*/
if (empty($username)) { function casAuthenticate($username){
if (empty($username))
return false; return false;
}
// Perform the authentication
return ldapCheck(/*$config, */$username);
}
/**
* Perform an LDAP authentication check
*
* @param ElggPlugin $config
* @param string $username
* @return boolean
*/
function ldapCheck(/*$config, */$username)
{
/* $host = $config->hostname;
// No point continuing
if(empty($host))
{
error_log("LDAP error: no host configured.");
return;
}
$port = $config->port;
$version = $config->version;
$basedn = $config->basedn;
$filter_attr = $config->filter_attr;
$search_attr = $config->search_attr;
$bind_dn = $config->ldap_bind_dn;
$bind_pwd = $config->ldap_bind_pwd;
$user_create = $config->user_create;
$start_tls = $config->start_tls;
($user_create == 'on') ? $user_create = true : $user_create = false;
($start_tls == 'on') ? $start_tls = true : $start_tls = false;
$port ? $port : $port = 389;
$version ? $version : $version = 3;
$filter_attr ? $filter_attr : $filter_attr = 'uid';
$basedn ? $basedn = array_map('trim', explode(':', $basedn)) : $basedn = array();
if (!empty($search_attr))
{
// $search_attr as in "email:email_address, name:name_name";
$pairs = array_map('trim',explode(',', $search_attr)); // we're making this copy for use in the peoplefinderservices call later
// we dont want to call peoplefinderservices here since we dont need to every time a SSO user logs in
$casusername = $username;
//We're going to make every UNL SSO user have an elgg profile name as such: unl_erasmussen2
//and not allow friends of unl who register via elgg to pick names that begin with "unl_"
//This way, we won't have to deal with the case where someone registers erasmussen2 on elgg, then
//the real erasmussen2 signs in for the first time with UNL SSO and is logged in as the elgg user erasmussen2
//rather then having a new account created.
$username = 'unl_' . $username;
//Replace the hyphen in a student's name with an underscore
$username = str_replace('-','_',$username);
$values = array();
if ($user = get_user_by_username($username)) {
// User exists, login
return login($user);
} else {
// Valid login but user doesn't exist
$pf_user_info = peoplefinderServices($casusername);
foreach ($pairs as $pair) $name = $pf_user_info->cn;
{
$parts = array_map('trim', explode(':', $pair));
$values[$parts[0]] = $parts[1]; if (isset($_REQUEST['email'])) {
$email = $_REQUEST['email'];
} else {
if($pf_user_info->mail)
forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php?e=' . $pf_user_info->mail);
else
forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php');
} }
$search_attr = $values; try {
} if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true)) {
else $thisuser = get_user($user_guid);
{
$search_attr = array('dn' => 'dn');
}
*/
/* // Create a connection
if ($ds = ldapConnect($host, $port, $version, $bind_dn, $bind_pwd))
{
if ($start_tls and !ldap_start_tls($ds)) return false;
// Perform a search
foreach ($basedn as $this_ldap_basedn)
{
$ldap_user_info = ldapDoAuth($ds, $this_ldap_basedn, $username, $filter_attr, $search_attr);
if($ldap_user_info)
{
*/
// we're making this copy for use in the peoplefinderservices call later
// we dont want to call peoplefinderservices here since we dont need to every time a SSO user logs in
$casusername = $username;
//We're going to make every UNL SSO user have an elgg profile name as such: unl_erasmussen2
//and not allow friends of unl who register via elgg to pick names that begin with "unl_"
//This way, we won't have to deal with the case where someone registers erasmussen2 on elgg, then
//the real erasmussen2 signs in for the first time with UNL SSO and is logged in as the elgg user erasmussen2
//rather then having a new account created.
$username = 'unl_' . $username;
//Replace the hyphen in a student's name with an underscore
$username = str_replace('-','_',$username);
if ($user = get_user_by_username($username)) //pre-populate profile fields with data from Peoplefinder Services
{ $address = $pf_user_info->formatPostalAddress();
// User exists, login $thisuser->profile_country = 'USA';
return login($user); $thisuser->profile_state = $address['region'];
$thisuser->profile_city = $address['locality'];
if($address['locality'] == 'Omaha') {
$thisuser->longitude = -95.9;
$thisuser->latitude = 41.25;
} else { //this is going to cover Lincoln and everyone else
$thisuser->longitude = -96.7;
$thisuser->latitude = 40.82;
} }
else
{ return login($thisuser);
// Valid login but user doesn't exist } else {
$pf_user_info = peoplefinderServices($casusername); register_error(elgg_echo("registerbad"));
}
//if ($user_create) } catch (RegistrationException $r) {
//{ register_error($r->getMessage());
// $name = $ldap_user_info['firstname'];
$name = $pf_user_info->cn;
// if (isset($ldap_user_info['lastname']))
// {
// $name = $name . " " . $ldap_user_info['lastname'];
// }
//
/* if(!empty($pf_user_info->mail))
{
($pf_user_info->mail) ? $email = $pf_user_info->mail : $email = null;
}
else*/ if( isset($_REQUEST['email']) ){
$email = $_REQUEST['email'];
}
else
{
if($pf_user_info->mail)
forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php?e=' . $pf_user_info->mail);
else
forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php');
}
/* if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true))
{
// Success, credentials valid and account has been created
return login(get_user($user_guid));
}
else
{
register_error(elgg_echo("registerbad"));
return false;
}
*/
try {
if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true))
{
$thisuser = get_user($user_guid);
//pre-populate profile fields with data from Peoplefinder Services
$address = $pf_user_info->formatPostalAddress();
$thisuser->profile_country = 'USA';
$thisuser->profile_state = $address['region'];
$thisuser->profile_city = $address['locality'];
if($address['locality'] == 'Omaha') {
$thisuser->longitude = -95.9;
$thisuser->latitude = 41.25;
} else { //this is going to cover Lincoln and everyone else
$thisuser->longitude = -96.7;
$thisuser->latitude = 40.82;
}
return login($thisuser);
} else {
register_error(elgg_echo("registerbad"));
}
} catch (RegistrationException $r) {
register_error($r->getMessage());
}
//}
//else
//{
// register_error(elgg_echo("ldap_auth:no_account"));
// return false;
//}
}
/* }
}
// Close the connection
ldap_close($ds);
return false;
}
else
{
return false;
}
*/ }
/**
* Create an LDAP connection
*
* @param string $host
* @param int $port
* @param int $version
* @param string $bind_dn
* @param string $bind_pwd
* @return mixed LDAP link identifier on success, or false on error
*/
/* function ldapConnect($host, $port, $version, $bind_dn, $bind_pwd)
{
$ds = @ldap_connect($host, $port);
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version);
// Start the LDAP bind process
$ldapbind = null;
if ($ds)
{
if ($bind_dn != '')
{
$ldapbind = @ldap_bind($ds, $bind_dn, $bind_pwd);
}
else
{
// Anonymous bind
$ldapbind = @ldap_bind($ds);
} }
} }
else
{ }
// Unable to connect
error_log('Unable to connect to the LDAP server: '.ldap_error($ds));
return false;
}
if (!$ldapbind)
{
error_log('Unable to bind to the LDAP server with provided credentials: '.ldap_error($ds));
ldap_close($ds);
return false;
}
return $ds;
}
*/
/**
* Performs actual LDAP authentication
*
* @param object $ds LDAP link identifier
* @param string $basedn
* @param string $username
* @param string $filter_attr
* @param string $search_attr
* @return mixed array with search attributes or false on error
*/
/* function ldapDoAuth($ds, $basedn, $username, $filter_attr, $search_attr)
{
$sr = @ldap_search($ds, $basedn, $filter_attr ."=". $username, array_values($search_attr));
if(!$sr)
{
error_log('Unable to perform LDAP search: '.ldap_error($ds));
return false;
}
$entry = ldap_get_entries($ds, $sr);
if(!$entry or !$entry[0])
{
return false; // didn't find username
}
// We have a bind, a valid login
foreach (array_keys($search_attr) as $attr)
{
$ldap_user_info[$attr] = $entry[0][$search_attr[$attr]][0];
}
return $ldap_user_info;
}
*/
/** /**
* Gets a UNL SSO user's info from Peoplefinder Services * Gets a UNL SSO user's info from Peoplefinder Services
* *
* @param string $username * @param string $username
* @return array of information from PF Services * @return array of information from PF Services
*/ */
function peoplefinderServices($username) function peoplefinderServices($username){
{
$pfrecord = unserialize(file_get_contents('http://peoplefinder.unl.edu/service.php?uid=' . $username . '&format=php')); $pfrecord = unserialize(file_get_contents('http://peoplefinder.unl.edu/service.php?uid=' . $username . '&format=php'));
return $pfrecord; return $pfrecord;
} }
?> ?>
\ No newline at end of file
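Review bot: In the new casAuthenticate(), the first-login branch calls `register_user($username, 'generic', $name, $email, false, 0, '', true)`, which gives every CAS-provisioned account the same fixed literal as its password; if the second argument is the password as in Elgg core, those accounts stay reachable through the ordinary password login independently of CAS, so a random throwaway value should be used instead, e.g. `register_user($username, generate_random_cleartext_password(), $name, $email, false, 0, '', true)`. The same function builds its two getemail.php redirects from `$CONFIG->url` but never declares `global $CONFIG;` at the top of the function body, so inside function scope that prefix is null and the forward() targets become relative paths. The `$email` copied from `$_REQUEST['email']` reaches register_user with no validation visible in the hunk; a check such as `$email = filter_var($_REQUEST['email'], FILTER_VALIDATE_EMAIL) ?: null;` before the try block, with a register_error() when it fails, would reject malformed input before an account is created. All three issues were already present in the removed ldapCheck() code rather than introduced here, but the rewrite is the natural place to fix them.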