| commit | author | age | ||
| 64d82d | 1 | <?php |
| JK | 2 | // Thrown when internal error occurs |
| 3 | class JasigException extends Exception {} | |
| 4 | // Thrown when CAS server return authentication error | |
| 5 | class JasigAuthException extends JasigException {} | |
| 6 | ||
| 7 | class JasigUser { | |
| 8 | public $user; | |
| 9 | public $attributes = array(); | |
| 10 | } | |
| 11 | ||
| 12 | class uphpCAS { | |
| 13 | const VERSION = '1.0'; | |
| 14 | protected $serverUrl = ''; | |
| 15 | protected $serviceUrl; | |
| 16 | ||
| 17 | function __construct($serverUrl = NULL, $serviceUrl = NULL) { | |
| 18 | if($serverUrl != NULL) { | |
| 19 | $this->serverUrl = rtrim($serverUrl, '/'); | |
| 20 | } | |
| 21 | ||
| 22 | if($serviceUrl != NULL) { | |
| 23 | $this->serviceUrl = $serviceUrl; | |
| 24 | } else { | |
| 25 | $url = 'http://'; | |
| 26 | $port = 0; | |
| 27 | if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { | |
| 28 | $url = 'https://'; | |
| 90ae5b | 29 | if(isset($_SERVER['SERVER_PORT']) |
| JK | 30 | && $_SERVER['SERVER_PORT'] != '443') { |
| 64d82d | 31 | $port = $_SERVER['SERVER_PORT']; |
| JK | 32 | } |
| 90ae5b | 33 | } elseif(isset($_SERVER['SERVER_PORT']) |
| JK | 34 | && $_SERVER['SERVER_PORT'] != '80') { |
| 64d82d | 35 | $port = $_SERVER['SERVER_PORT']; |
| JK | 36 | } |
| 37 | ||
| 38 | $url .= $_SERVER['SERVER_NAME']; | |
| 39 | ||
| 40 | if($port != 0) { | |
| 41 | $url .= ':'.$port; | |
| 42 | } | |
| 43 | $url .= $_SERVER['REQUEST_URI']; | |
| 44 | ||
| 45 | $this->serviceUrl = $url; | |
| 46 | } | |
| 47 | } | |
| 48 | ||
| 49 | public function setServerUrl($serverUrl) { | |
| 50 | $this->serverUrl = $serverUrl; | |
| 51 | } | |
| 52 | ||
| 53 | public function setServiceUrl($serviceUrl) { | |
| 54 | $this->serviceUrl = $serviceUrl; | |
| 55 | } | |
| 56 | ||
| 57 | public function loginUrl() { | |
| 2092d3 | 58 | return $this->serverUrl.'/login?method=POST&service='.urlencode($this->serviceUrl); |
| 64d82d | 59 | } |
| JK | 60 | |
| 61 | public function logoutUrl() { | |
| 62 | return $this->serverUrl.'/logout'; | |
| 63 | } | |
| 64 | ||
| 65 | public function logout() { | |
| 66 | session_start(); | |
| 67 | if(isset($_SESSION['uphpCAS-user'])) { | |
| 68 | unset($_SESSION['uphpCAS-user']); | |
| 69 | } | |
| 70 | header('Location: '.$this->logoutUrl()); | |
| 71 | die(); | |
| 72 | } | |
| 73 | ||
| 74 | public function authenticate() { | |
| 75 | session_start(); | |
| 76 | if(isset($_SESSION['uphpCAS-user'])) { | |
| 77 | return $_SESSION['uphpCAS-user']; | |
| 2092d3 | 78 | } elseif(isset($_REQUEST['ticket'])) { |
| JK | 79 | $user = $this->verifyTicket($_REQUEST['ticket']); |
| 64d82d | 80 | $_SESSION['uphpCAS-user'] = $user; |
| JK | 81 | return $user; |
| 82 | } else { | |
| 83 | header('Location: '.$this->loginUrl()); | |
| 84 | die(); | |
| 85 | } | |
| 86 | } | |
| 87 | ||
| 88 | public function verifyTicket($ticket) { | |
| 89 | $context = array( | |
| 90 | 'http' => array( | |
| 91 | 'method' => 'GET', | |
| 92 | 'user_agent' => 'uphpCAS/'.self::VERSION, | |
| 93 | 'max_redirects' => 3, | |
| 94 | ), | |
| 95 | 'ssl' => array( | |
| 96 | 'verify_peer' => TRUE, | |
| 90ae5b | 97 | 'verify_peer_name' => TRUE, |
| 64d82d | 98 | 'verify_depth' => 5, |
| 90ae5b | 99 | 'allow_self_signed' => FALSE, |
| JK | 100 | 'disable_compression' => TRUE, |
| 64d82d | 101 | ), |
| JK | 102 | ); |
| 103 | ||
| d35cf4 | 104 | if(version_compare(PHP_VERSION, '5.6', '<')) { |
| JK | 105 | $cafiles = array( |
| 106 | '/etc/ssl/certs/ca-certificates.crt', | |
| 107 | '/etc/ssl/certs/ca-bundle.crt', | |
| 108 | '/etc/pki/tls/certs/ca-bundle.crt', | |
| 109 | ); | |
| 110 | $cafile = NULL; | |
| 111 | foreach($cafiles as $file) { | |
| 112 | if(is_file($file)) { | |
| 113 | $cafile = $file; | |
| 114 | break; | |
| 115 | } | |
| 116 | } | |
| 117 | ||
| 118 | $url = parse_url($this->serverUrl); | |
| 119 | $context['ssl']['cafile'] = $cafile; | |
| 120 | $context['ssl']['ciphers'] = 'ECDH:DH:AES:CAMELLIA:!SSLv2:!aNULL' | |
| 121 | .':!eNULL:!EXPORT:!DES:!3DES:!MD5:!RC4:!ADH:!PSK:!SRP'; | |
| 122 | $context['ssl']['CN_match'] = $url['host']; | |
| 123 | } | |
| 124 | ||
| 90ae5b | 125 | $data = file_get_contents($this->serverUrl |
| JK | 126 | .'/serviceValidate?service='.urlencode($this->serviceUrl) |
| 127 | .'&ticket='.urlencode($ticket), | |
| 64d82d | 128 | FALSE, stream_context_create($context)); |
| JK | 129 | if($data === FALSE) { |
| 130 | throw new JasigException('Authentication error: CAS server is unavailable'); | |
| 131 | } | |
| 132 | ||
| 133 | $xmlEntityLoader = libxml_disable_entity_loader(TRUE); | |
| 134 | $xmlInternalErrors = libxml_use_internal_errors(TRUE); | |
| 135 | try { | |
| 136 | $xml = new DOMDocument(); | |
| 137 | $xml->loadXML($data); | |
| 138 | ||
| 139 | foreach(libxml_get_errors() as $error) { | |
| 90ae5b | 140 | $e = new ErrorException($error->message, $error->code, 1, |
| JK | 141 | $error->file, $error->line); |
| 64d82d | 142 | switch ($error->level) { |
| JK | 143 | case LIBXML_ERR_ERROR: |
| 144 | case LIBXML_ERR_FATAL: | |
| 90ae5b | 145 | throw new Exception('Fatal error during XML parsing', |
| JK | 146 | 0, $e); |
| 64d82d | 147 | break; |
| JK | 148 | } |
| 149 | } | |
| 150 | } | |
| 151 | catch(Exception $e) { | |
| 90ae5b | 152 | throw new JasigException('Authentication error: CAS server' |
| JK | 153 | .' response invalid - parse error', 0, $e); |
| 64d82d | 154 | } finally { |
| JK | 155 | libxml_clear_errors(); |
| 156 | libxml_disable_entity_loader($xmlEntityLoader); | |
| 157 | libxml_use_internal_errors($xmlInternalErrors); | |
| 158 | } | |
| 159 | ||
| 160 | $failure = $xml->getElementsByTagName('authenticationFailure'); | |
| 161 | $success = $xml->getElementsByTagName('authenticationSuccess'); | |
| 162 | ||
| 163 | if($failure->length > 0) { | |
| 164 | $failure = $failure->item(0); | |
| 165 | if(!($failure instanceof DOMElement)) { | |
| 90ae5b | 166 | throw new JasigException('Authentication error: CAS server' |
| JK | 167 | .' response invalid - authenticationFailure'); |
| 64d82d | 168 | } |
| 90ae5b | 169 | throw new JasigAuthException('Authentication error: ' |
| JK | 170 | .$failure->textContent); |
| 64d82d | 171 | } elseif($success->length > 0) { |
| JK | 172 | $success = $success->item(0); |
| 173 | if(!($success instanceof DOMElement)) { | |
| 90ae5b | 174 | throw new JasigException('Authentication error: CAS server' |
| JK | 175 | .' response invalid - authenticationSuccess'); |
| 64d82d | 176 | } |
| JK | 177 | |
| 178 | $user = $success->getElementsByTagName('user'); | |
| 179 | if($user->length == 0) { | |
| 90ae5b | 180 | throw new JasigException('Authentication error: CAS server' |
| JK | 181 | .' response invalid - user'); |
| 64d82d | 182 | } |
| JK | 183 | |
| 184 | $user = trim($user->item(0)->textContent); | |
| 185 | if(strlen($user)<1) { | |
| 90ae5b | 186 | throw new JasigException('Authentication error: CAS server' |
| JK | 187 | .' response invalid - user value'); |
| 64d82d | 188 | } |
| JK | 189 | |
| 190 | $jusr = new JasigUser(); | |
| 191 | $jusr->user = $user; | |
| 192 | ||
| 193 | $attrs = $success->getElementsByTagName('attributes'); | |
| 194 | if($attrs->length > 0) { | |
| 195 | $attrs = $attrs->item(0); | |
| 196 | foreach($attrs->childNodes as $node) { | |
| 197 | $jusr->attributes[$node->localName] = $node->textContent; | |
| 198 | } | |
| 199 | } | |
| 200 | ||
| 201 | return $jusr; | |
| 202 | } | |
| 203 | else | |
| 204 | { | |
| 90ae5b | 205 | throw new JasigException('Authentication error: CAS server' |
| JK | 206 | .' response invalid - required tag not found'); |
| 64d82d | 207 | } |
| JK | 208 | } |
| 209 | } | |
