From 31415adb56d5611409c4945b22735980998ab1a4 Mon Sep 17 00:00:00 2001 From: Eric Rasmussen <erasmussen2@unl.edu> Date: Tue, 22 Dec 2009 20:24:10 +0000 Subject: [PATCH] clean up the CAS login --- cas_auth/start.php | 405 ++++++++++----------------------------------- 1 file changed, 88 insertions(+), 317 deletions(-) diff --git a/cas_auth/start.php b/cas_auth/start.php index 1ac305f3..160228c9 100644 --- a/cas_auth/start.php +++ b/cas_auth/start.php @@ -4,7 +4,7 @@ * * @package cas_auth * @license http://www.gnu.org/licenses/gpl.html - * @author Xavier Roussel <xavier.roussel@uvsq.fr> + * @author Xavier Roussel <xavier.roussel@uvsq.fr> (Modified for UNL CAS by Eric Rasmussen) * @copyright UVSQ 2008 * @link http://www.uvsq.fr */ @@ -52,8 +52,7 @@ * @param string * @return array Associative array. */ - function formatPostalAddress() - { + function formatPostalAddress() { /* this is a faculty postal address Currently of the form: ### ___ UNL 68588-#### 
@@ -92,63 +91,53 @@ } return $address; - } + } } // Include main cas lib - include_once 'cas/CAS.php'; - $casInitialized = false; + include_once 'cas/CAS.php'; /** * CAS Authentication init * */ - function cas_auth_init() - { - // global config + function cas_auth_init() { global $CONFIG; // plugin config $config = find_plugin_settings('cas_auth'); // todo : send message to user - if (!$config) return false; - - // CAS auth required - if ( $_REQUEST['loginwith'] == 'UNLlogin' && !isset($_REQUEST['ticket']) ) - { - createCas(); - } - // CAS auth done - if ( $_REQUEST['loginwith'] == 'UNLlogin' && (isset($_REQUEST['ticket']) || isset($_REQUEST['email'])) ) - { - // Check CAS auth the CAS way just in case - if ( checkCas() ) { + if (!$config) + return false; + + if ($_GET['loginwith'] == 'UNLlogin') { + if (checkCas()) { $_SESSION['loggedWithCAS'] = true; $cas_user = getUserCas(); - if(ldapAuthenticate( $cas_user )) { + if (casAuthenticate($cas_user)) { system_message(elgg_echo('loginok')); $cas_user = str_replace('-','_',$cas_user); //user is logged in now, this is the last step - forward based on whether they have logged in before $lastlogin_date = $_SESSION['user']->last_login; - if (!$lastlogin_date){ + if (!$lastlogin_date) { forward('mod/profile/edit.php?firstlogin=yes'); } forward("pg/profile/unl_" . $cas_user); + } else { + register_error(elgg_echo('loginerror')); } - else register_error(elgg_echo('loginerror')); + } else { + createCas(); } - else register_error(elgg_echo('loginerror')); } + // The CAS ticket is lost, log out - if ( $_SESSION['loggedWithCAS'] && !checkCas() ) { + if ($_SESSION['loggedWithCAS'] && !checkCas()) { $_SESSION['loggedWithCAS'] = false; forward($CONFIG->url.'/action/logout'); - } - - - + } } 
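Review bot: `$_GET['loginwith']` and, further down the hunk, `$_SESSION['loggedWithCAS']` are read without isset(), so every non-CAS page load that runs cas_auth_init raises an undefined-index notice; use `if (isset($_GET['loginwith']) && $_GET['loginwith'] === 'UNLlogin') {` and `if (!empty($_SESSION['loggedWithCAS']) && !checkCas()) {`. Switching the trigger from `$_REQUEST` to `$_GET` also means a login form that POSTs `loginwith` no longer enters this branch, which is fine if the UNL login link is a GET but should be confirmed against the login view. The plugin settings fetched into `$config` are not used after the `return false` guard, so the "todo : send message to user" comment above it is still open and the variable could be dropped or the message added.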
@@ -157,10 +146,9 @@ // Register the initialisation function register_elgg_event_handler('init','system','cas_auth_init'); // Register CAS logout to main logout only if user logged with CAS - if (isset($_SESSION['loggedWithCAS']) && $_SESSION['loggedWithCAS']===true) { + if (isset($_SESSION['loggedWithCAS']) && $_SESSION['loggedWithCAS']==true) { register_elgg_event_handler('logout', 'user', 'logoutCas'); - } - + } /* set up login page */ register_page_handler('login', 'login_page_handler'); @@ -175,7 +163,6 @@ } } - /** * CAS client initialization * @@ -186,6 +173,7 @@ phpCAS::client(CAS_VERSION_2_0, $config->casurl, (int) $config->casport , $config->casuri ); $GLOBALS[casInitialized] = true; } + return true; } /** @@ -195,6 +183,7 @@ function createCas() { initCas(); phpCAS::forceAuthentication(); + return true; } /** @@ -207,7 +196,8 @@ if (phpCAS::checkAuthentication()) { return true; } - else return false; + else + return false; } /** 
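Review bot: the guard that registers the CAS logout handler was loosened from `$_SESSION['loggedWithCAS']===true` to `==true` with no reason visible in the hunk; the flag is only ever assigned the literals `true` and `false` in this file, so the strict comparison cost nothing and the loose one silently accepts any truthy value that ends up in the session. Keep `if (isset($_SESSION['loggedWithCAS']) && $_SESSION['loggedWithCAS'] === true) {`. The `return true;` additions to initCas/createCas/logoutCas in the later hunks have no callers that check them in this file, so they are harmless but should be documented in each function's docblock if they are meant as an API.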
@@ -227,307 +217,88 @@ global $CONFIG; initCas(); phpCAS::logout($CONFIG->url.'/action/logout'); + return true; } - - - /** - * LDAP authentication - * - * @param string $username Go around PAM handler credentials (CAS can't return a password) - * @return boolean - */ - function ldapAuthenticate($username) - { - // Nothing to do if LDAP module not installed -// if (!function_exists('ldap_connect')) { -// return false; -// } - - // Get configuration settings -// $config = find_plugin_settings('ldap_auth'); - // Nothing to do if not configured -// if (!$config) -// { -// return false; -// } - - if (empty($username)) { + /** + * Perform an CAS authentication check + * + * @param string $username + * @return boolean + */ + function casAuthenticate($username){ + if (empty($username)) return false; - } - - // Perform the authentication - return ldapCheck(/*$config, */$username); - } - - /** - * Perform an LDAP authentication check - * - * @param ElggPlugin $config - * @param string $username - * @return boolean - */ - function ldapCheck(/*$config, */$username) - { -/* $host = $config->hostname; - - // No point continuing - if(empty($host)) - { - error_log("LDAP error: no host configured."); - return; - } - $port = $config->port; - $version = $config->version; - $basedn = $config->basedn; - $filter_attr = $config->filter_attr; - $search_attr = $config->search_attr; - $bind_dn = $config->ldap_bind_dn; - $bind_pwd = $config->ldap_bind_pwd; - $user_create = $config->user_create; - $start_tls = $config->start_tls; - - ($user_create == 'on') ? $user_create = true : $user_create = false; - ($start_tls == 'on') ? $start_tls = true : $start_tls = false; - - $port ? $port : $port = 389; - $version ? $version : $version = 3; - $filter_attr ? $filter_attr : $filter_attr = 'uid'; - $basedn ? 
$basedn = array_map('trim', explode(':', $basedn)) : $basedn = array(); - - if (!empty($search_attr)) - { - // $search_attr as in "email:email_address, name:name_name"; - $pairs = array_map('trim',explode(',', $search_attr)); + // we're making this copy for use in the peoplefinderservices call later + // we dont want to call peoplefinderservices here since we dont need to every time a SSO user logs in + $casusername = $username; + + //We're going to make every UNL SSO user have an elgg profile name as such: unl_erasmussen2 + //and not allow friends of unl who register via elgg to pick names that begin with "unl_" + //This way, we won't have to deal with the case where someone registers erasmussen2 on elgg, then + //the real erasmussen2 signs in for the first time with UNL SSO and is logged in as the elgg user erasmussen2 + //rather then having a new account created. + $username = 'unl_' . $username; + //Replace the hyphen in a student's name with an underscore + $username = str_replace('-','_',$username); - $values = array(); + + if ($user = get_user_by_username($username)) { + // User exists, login + return login($user); + } else { + // Valid login but user doesn't exist + $pf_user_info = peoplefinderServices($casusername); - foreach ($pairs as $pair) - { - $parts = array_map('trim', explode(':', $pair)); + $name = $pf_user_info->cn; - $values[$parts[0]] = $parts[1]; + if (isset($_REQUEST['email'])) { + $email = $_REQUEST['email']; + } else { + if($pf_user_info->mail) + forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php?e=' . $pf_user_info->mail); + else + forward($CONFIG->url . 
'mod/cas_auth/views/default/account/getemail.php'); } - - $search_attr = $values; - } - else - { - $search_attr = array('dn' => 'dn'); - } -*/ -/* // Create a connection - if ($ds = ldapConnect($host, $port, $version, $bind_dn, $bind_pwd)) - { - if ($start_tls and !ldap_start_tls($ds)) return false; - - // Perform a search - foreach ($basedn as $this_ldap_basedn) - { - $ldap_user_info = ldapDoAuth($ds, $this_ldap_basedn, $username, $filter_attr, $search_attr); - - if($ldap_user_info) - { -*/ - - // we're making this copy for use in the peoplefinderservices call later - // we dont want to call peoplefinderservices here since we dont need to every time a SSO user logs in - $casusername = $username; - - //We're going to make every UNL SSO user have an elgg profile name as such: unl_erasmussen2 - //and not allow friends of unl who register via elgg to pick names that begin with "unl_" - //This way, we won't have to deal with the case where someone registers erasmussen2 on elgg, then - //the real erasmussen2 signs in for the first time with UNL SSO and is logged in as the elgg user erasmussen2 - //rather then having a new account created. - $username = 'unl_' . 
$username; - //Replace the hyphen in a student's name with an underscore - $username = str_replace('-','_',$username); - + + try { + if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true)) { + $thisuser = get_user($user_guid); - if ($user = get_user_by_username($username)) - { - // User exists, login - return login($user); + //pre-populate profile fields with data from Peoplefinder Services + $address = $pf_user_info->formatPostalAddress(); + $thisuser->profile_country = 'USA'; + $thisuser->profile_state = $address['region']; + $thisuser->profile_city = $address['locality']; + if($address['locality'] == 'Omaha') { + $thisuser->longitude = -95.9; + $thisuser->latitude = 41.25; + } else { //this is going to cover Lincoln and everyone else + $thisuser->longitude = -96.7; + $thisuser->latitude = 40.82; } - else - { - // Valid login but user doesn't exist - $pf_user_info = peoplefinderServices($casusername); - - //if ($user_create) - //{ - // $name = $ldap_user_info['firstname']; - $name = $pf_user_info->cn; - - // if (isset($ldap_user_info['lastname'])) - // { - // $name = $name . " " . $ldap_user_info['lastname']; - // } - - // - /* if(!empty($pf_user_info->mail)) - { - ($pf_user_info->mail) ? $email = $pf_user_info->mail : $email = null; - } - else*/ if( isset($_REQUEST['email']) ){ - $email = $_REQUEST['email']; - } - else - { - if($pf_user_info->mail) - forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php?e=' . $pf_user_info->mail); - else - forward($CONFIG->url . 
'mod/cas_auth/views/default/account/getemail.php'); - } - - /* if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true)) - { - // Success, credentials valid and account has been created - return login(get_user($user_guid)); - } - else - { - register_error(elgg_echo("registerbad")); - return false; - } - */ - - - try { - if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true)) - { - $thisuser = get_user($user_guid); - - //pre-populate profile fields with data from Peoplefinder Services - $address = $pf_user_info->formatPostalAddress(); - $thisuser->profile_country = 'USA'; - $thisuser->profile_state = $address['region']; - $thisuser->profile_city = $address['locality']; - if($address['locality'] == 'Omaha') { - $thisuser->longitude = -95.9; - $thisuser->latitude = 41.25; - } else { //this is going to cover Lincoln and everyone else - $thisuser->longitude = -96.7; - $thisuser->latitude = 40.82; - } - - - return login($thisuser); - } else { - register_error(elgg_echo("registerbad")); - } - } catch (RegistrationException $r) { - register_error($r->getMessage()); - } - //} - //else - //{ - // register_error(elgg_echo("ldap_auth:no_account")); - // return false; - //} - } -/* } - } - // Close the connection - ldap_close($ds); - return false; - } - else - { - return false; - } -*/ } - - /** - * Create an LDAP connection - * - * @param string $host - * @param int $port - * @param int $version - * @param string $bind_dn - * @param string $bind_pwd - * @return mixed LDAP link identifier on success, or false on error - */ -/* function ldapConnect($host, $port, $version, $bind_dn, $bind_pwd) - { - $ds = @ldap_connect($host, $port); - - @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version); - // Start the LDAP bind process - $ldapbind = null; - - if ($ds) - { - if ($bind_dn != '') - { - $ldapbind = @ldap_bind($ds, $bind_dn, $bind_pwd); - } - else - { - // Anonymous bind - $ldapbind = @ldap_bind($ds); + + return 
login($thisuser); + } else { + register_error(elgg_echo("registerbad")); + } + } catch (RegistrationException $r) { + register_error($r->getMessage()); } + } - else - { - // Unable to connect - error_log('Unable to connect to the LDAP server: '.ldap_error($ds)); - return false; - } - - if (!$ldapbind) - { - error_log('Unable to bind to the LDAP server with provided credentials: '.ldap_error($ds)); - ldap_close($ds); - return false; - } - return $ds; - } -*/ - /** - * Performs actual LDAP authentication - * - * @param object $ds LDAP link identifier - * @param string $basedn - * @param string $username - * @param string $filter_attr - * @param string $search_attr - * @return mixed array with search attributes or false on error - */ -/* function ldapDoAuth($ds, $basedn, $username, $filter_attr, $search_attr) - { - $sr = @ldap_search($ds, $basedn, $filter_attr ."=". $username, array_values($search_attr)); - if(!$sr) - { - error_log('Unable to perform LDAP search: '.ldap_error($ds)); - return false; - } - - $entry = ldap_get_entries($ds, $sr); - if(!$entry or !$entry[0]) - { - return false; // didn't find username - } - - // We have a bind, a valid login - foreach (array_keys($search_attr) as $attr) - { - $ldap_user_info[$attr] = $entry[0][$search_attr[$attr]][0]; - } - return $ldap_user_info; - } -*/ + + } + /** * Gets a UNL SSO user's info from Peoplefinder Services * * @param string $username * @return array of information from PF Services */ - function peoplefinderServices($username) - { + function peoplefinderServices($username){ $pfrecord = unserialize(file_get_contents('http://peoplefinder.unl.edu/service.php?uid=' . $username . '&format=php')); - return $pfrecord; } ?> \ No newline at end of file -- GitLab
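Review bot: casAuthenticate uses `$CONFIG->url` in both forward() calls but never declares `global $CONFIG;`, so inside the function `$CONFIG` is undefined and the redirect degrades to the relative path `mod/cas_auth/views/default/account/getemail.php`; add `global $CONFIG;` as the first statement of the function. The `unl_` prefix only prevents the collision the comment describes if ordinary Elgg registration rejects usernames beginning with `unl_`, and nothing in this file enforces that, so confirm such a hook exists elsewhere, otherwise a local registrant could pre-create `unl_<netid>` and be logged in as that person on their first SSO login. The email bound to the new account comes straight from `$_REQUEST['email']` with no check in this file beyond whatever register_user() does, and `$pf_user_info->mail` is concatenated into the getemail.php query string without urlencode(). The peoplefinder lookup in the unchanged peoplefinderServices() fetches over plain HTTP and passes the body to unserialize(), and the new code then calls `$pf_user_info->formatPostalAddress()` and reads `->cn` on the result, so a spoofed or failed response (unserialize returns false) yields a fatal call on a non-object; guard with `if (!is_object($pf_user_info)) { register_error(elgg_echo('loginerror')); return false; }` and prefer the service's non-PHP output format if it offers one.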