mirror of https://github.com/jacekkow/uphpCAS
view | history | commit | commitdiff
Jacek Kowalski
2015-08-31 7d715afabcc688a6e8fe2e44a55accd291f9ec9c
commit | author | age
64d82d 1 <?php
JK 2 // Thrown when internal error occurs
3 class JasigException extends Exception {}
2f13b1 4 // Thrown when CAS server returns authentication error
64d82d 5 class JasigAuthException extends JasigException {}
JK 6
7 class JasigUser {
8     public $user;
9     public $attributes = array();
10 }
11
12 class uphpCAS {
13     const VERSION = '1.0';
14     protected $serverUrl = '';
15     protected $serviceUrl;
16     
17     function __construct($serverUrl = NULL, $serviceUrl = NULL) {
18         if($serverUrl != NULL) {
19             $this->serverUrl = rtrim($serverUrl, '/');
20         }
21         
22         if($serviceUrl != NULL) {
23             $this->serviceUrl = $serviceUrl;
24         } else {
25             $url = 'http://';
26             $port = 0;
27             if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
28                 $url = 'https://';
90ae5b 29                 if(isset($_SERVER['SERVER_PORT'])
JK 30                         && $_SERVER['SERVER_PORT'] != '443') {
64d82d 31                     $port = $_SERVER['SERVER_PORT'];
JK 32                 }
90ae5b 33             } elseif(isset($_SERVER['SERVER_PORT'])
JK 34                     && $_SERVER['SERVER_PORT'] != '80') {
64d82d 35                 $port = $_SERVER['SERVER_PORT'];
JK 36             }
37             
38             $url .= $_SERVER['SERVER_NAME'];
39             
40             if($port != 0) {
41                 $url .= ':'.$port;
42             }
43             $url .= $_SERVER['REQUEST_URI'];
44             
45             $this->serviceUrl = $url;
46         }
47     }
48     
bae7f7 49     public function getServerUrl($serverUrl) {
JK 50         return $this->serverUrl;
51     }
64d82d 52     public function setServerUrl($serverUrl) {
JK 53         $this->serverUrl = $serverUrl;
54     }
55     
bae7f7 56     public function getServiceUrl() {
JK 57         return $this->serviceUrl;
58     }
64d82d 59     public function setServiceUrl($serviceUrl) {
JK 60         $this->serviceUrl = $serviceUrl;
61     }
62     
63     public function loginUrl() {
2092d3 64         return $this->serverUrl.'/login?method=POST&service='.urlencode($this->serviceUrl);
64d82d 65     }
JK 66     
f124d4 67     public function logoutUrl($returnUrl = NULL) {
JK 68         return $this->serverUrl.'/logout'.($returnUrl ? '?service='.urlencode($returnUrl) : '');
64d82d 69     }
JK 70     
71     public function logout() {
72         session_start();
73         if(isset($_SESSION['uphpCAS-user'])) {
74             unset($_SESSION['uphpCAS-user']);
75         }
76         header('Location: '.$this->logoutUrl());
77         die();
78     }
79     
fc49b8 80     public function isAuthenticated() {
JK 81         return isset($_SESSION['uphpCAS-user']);
82     }
83     
64d82d 84     public function authenticate() {
JK 85         session_start();
fc49b8 86         if($this->isAuthenticated()) {
64d82d 87             return $_SESSION['uphpCAS-user'];
2092d3 88         } elseif(isset($_REQUEST['ticket'])) {
JK 89             $user = $this->verifyTicket($_REQUEST['ticket']);
64d82d 90             $_SESSION['uphpCAS-user'] = $user;
JK 91             return $user;
92         } else {
93             header('Location: '.$this->loginUrl());
94             die();
95         }
96     }
97     
98     public function verifyTicket($ticket) {
99         $context = array(
100             'http' => array(
101                 'method' => 'GET',
102                 'user_agent' => 'uphpCAS/'.self::VERSION,
103                 'max_redirects' => 3,
104             ),
105             'ssl' => array(
106                 'verify_peer' => TRUE,
90ae5b 107                 'verify_peer_name' => TRUE,
64d82d 108                 'verify_depth' => 5,
90ae5b 109                 'allow_self_signed' => FALSE,
JK 110                 'disable_compression' => TRUE,
64d82d 111             ),
JK 112         );
113         
d35cf4 114         if(version_compare(PHP_VERSION, '5.6', '<')) {
JK 115             $cafiles = array(
116                 '/etc/ssl/certs/ca-certificates.crt',
117                 '/etc/ssl/certs/ca-bundle.crt',
118                 '/etc/pki/tls/certs/ca-bundle.crt',
119             );
120             $cafile = NULL;
121             foreach($cafiles as $file) {
122                 if(is_file($file)) {
123                     $cafile = $file;
124                     break;
125                 }
126             }
127             
128             $url = parse_url($this->serverUrl);
129             $context['ssl']['cafile'] = $cafile;
130             $context['ssl']['ciphers'] = 'ECDH:DH:AES:CAMELLIA:!SSLv2:!aNULL'
131                     .':!eNULL:!EXPORT:!DES:!3DES:!MD5:!RC4:!ADH:!PSK:!SRP';
132             $context['ssl']['CN_match'] = $url['host'];
133         }
134         
90ae5b 135         $data = file_get_contents($this->serverUrl
JK 136                     .'/serviceValidate?service='.urlencode($this->serviceUrl)
137                     .'&ticket='.urlencode($ticket),
64d82d 138                 FALSE, stream_context_create($context));
JK 139         if($data === FALSE) {
140             throw new JasigException('Authentication error: CAS server is unavailable');
141         }
142         
143         $xmlEntityLoader = libxml_disable_entity_loader(TRUE);
144         $xmlInternalErrors = libxml_use_internal_errors(TRUE);
145         try {
146             $xml = new DOMDocument();
147             $xml->loadXML($data);
148             
149             foreach(libxml_get_errors() as $error) {
90ae5b 150                 $e = new ErrorException($error->message, $error->code, 1,
JK 151                         $error->file, $error->line);
64d82d 152                 switch ($error->level) {
JK 153                     case LIBXML_ERR_ERROR:
154                     case LIBXML_ERR_FATAL:
90ae5b 155                         throw new Exception('Fatal error during XML parsing',
JK 156                                 0, $e);
64d82d 157                         break;
JK 158                 }
159             }
2f13b1 160         } catch(Exception $e) {
90ae5b 161             throw new JasigException('Authentication error: CAS server'
JK 162                     .' response invalid - parse error', 0, $e);
64d82d 163         } finally {
JK 164             libxml_clear_errors();
165             libxml_disable_entity_loader($xmlEntityLoader);
166             libxml_use_internal_errors($xmlInternalErrors);
167         }
168         
169         $failure = $xml->getElementsByTagName('authenticationFailure');
170         $success = $xml->getElementsByTagName('authenticationSuccess');
171         
172         if($failure->length > 0) {
173             $failure = $failure->item(0);
174             if(!($failure instanceof DOMElement)) {
90ae5b 175                 throw new JasigException('Authentication error: CAS server'
JK 176                         .' response invalid - authenticationFailure');
64d82d 177             }
90ae5b 178             throw new JasigAuthException('Authentication error: '
JK 179                     .$failure->textContent);
64d82d 180         } elseif($success->length > 0) {
JK 181             $success = $success->item(0);
182             if(!($success instanceof DOMElement)) {
90ae5b 183                 throw new JasigException('Authentication error: CAS server'
JK 184                         .' response invalid - authenticationSuccess');
64d82d 185             }
JK 186             
187             $user = $success->getElementsByTagName('user');
188             if($user->length == 0) {
90ae5b 189                 throw new JasigException('Authentication error: CAS server'
JK 190                         .' response invalid - user');
64d82d 191             }
JK 192             
193             $user = trim($user->item(0)->textContent);
2f13b1 194             if(strlen($user) < 1) {
90ae5b 195                 throw new JasigException('Authentication error: CAS server'
JK 196                         .' response invalid - user value');
64d82d 197             }
JK 198             
199             $jusr = new JasigUser();
200             $jusr->user = $user;
201             
202             $attrs = $success->getElementsByTagName('attributes');
203             if($attrs->length > 0) {
204                 $attrs = $attrs->item(0);
205                 foreach($attrs->childNodes as $node) {
206                     $jusr->attributes[$node->localName] = $node->textContent;
207                 }
208             }
209             
210             return $jusr;
2f13b1 211         } else {
90ae5b 212             throw new JasigException('Authentication error: CAS server'
JK 213                     .' response invalid - required tag not found');
64d82d 214         }
JK 215     }
216 }