commit | author | age
|
64d82d
|
1 |
<?php |
JK |
2 |
// Thrown when internal error occurs |
|
3 |
class JasigException extends Exception {} |
|
4 |
// Thrown when CAS server return authentication error |
|
5 |
class JasigAuthException extends JasigException {} |
|
6 |
|
|
7 |
class JasigUser { |
|
8 |
public $user; |
|
9 |
public $attributes = array(); |
|
10 |
} |
|
11 |
|
|
12 |
class uphpCAS { |
|
13 |
const VERSION = '1.0'; |
|
14 |
protected $serverUrl = ''; |
|
15 |
protected $serviceUrl; |
|
16 |
|
|
17 |
function __construct($serverUrl = NULL, $serviceUrl = NULL) { |
|
18 |
if($serverUrl != NULL) { |
|
19 |
$this->serverUrl = rtrim($serverUrl, '/'); |
|
20 |
} |
|
21 |
|
|
22 |
if($serviceUrl != NULL) { |
|
23 |
$this->serviceUrl = $serviceUrl; |
|
24 |
} else { |
|
25 |
$url = 'http://'; |
|
26 |
$port = 0; |
|
27 |
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { |
|
28 |
$url = 'https://'; |
90ae5b
|
29 |
if(isset($_SERVER['SERVER_PORT']) |
JK |
30 |
&& $_SERVER['SERVER_PORT'] != '443') { |
64d82d
|
31 |
$port = $_SERVER['SERVER_PORT']; |
JK |
32 |
} |
90ae5b
|
33 |
} elseif(isset($_SERVER['SERVER_PORT']) |
JK |
34 |
&& $_SERVER['SERVER_PORT'] != '80') { |
64d82d
|
35 |
$port = $_SERVER['SERVER_PORT']; |
JK |
36 |
} |
|
37 |
|
|
38 |
$url .= $_SERVER['SERVER_NAME']; |
|
39 |
|
|
40 |
if($port != 0) { |
|
41 |
$url .= ':'.$port; |
|
42 |
} |
|
43 |
$url .= $_SERVER['REQUEST_URI']; |
|
44 |
|
|
45 |
$this->serviceUrl = $url; |
|
46 |
} |
|
47 |
} |
|
48 |
|
|
49 |
public function setServerUrl($serverUrl) { |
|
50 |
$this->serverUrl = $serverUrl; |
|
51 |
} |
|
52 |
|
|
53 |
public function setServiceUrl($serviceUrl) { |
|
54 |
$this->serviceUrl = $serviceUrl; |
|
55 |
} |
|
56 |
|
|
57 |
public function loginUrl() { |
2092d3
|
58 |
return $this->serverUrl.'/login?method=POST&service='.urlencode($this->serviceUrl); |
64d82d
|
59 |
} |
JK |
60 |
|
|
61 |
public function logoutUrl() { |
|
62 |
return $this->serverUrl.'/logout'; |
|
63 |
} |
|
64 |
|
|
65 |
public function logout() { |
|
66 |
session_start(); |
|
67 |
if(isset($_SESSION['uphpCAS-user'])) { |
|
68 |
unset($_SESSION['uphpCAS-user']); |
|
69 |
} |
|
70 |
header('Location: '.$this->logoutUrl()); |
|
71 |
die(); |
|
72 |
} |
|
73 |
|
|
74 |
public function authenticate() { |
|
75 |
session_start(); |
|
76 |
if(isset($_SESSION['uphpCAS-user'])) { |
|
77 |
return $_SESSION['uphpCAS-user']; |
2092d3
|
78 |
} elseif(isset($_REQUEST['ticket'])) { |
JK |
79 |
$user = $this->verifyTicket($_REQUEST['ticket']); |
64d82d
|
80 |
$_SESSION['uphpCAS-user'] = $user; |
JK |
81 |
return $user; |
|
82 |
} else { |
|
83 |
header('Location: '.$this->loginUrl()); |
|
84 |
die(); |
|
85 |
} |
|
86 |
} |
|
87 |
|
|
88 |
public function verifyTicket($ticket) { |
|
89 |
$context = array( |
|
90 |
'http' => array( |
|
91 |
'method' => 'GET', |
|
92 |
'user_agent' => 'uphpCAS/'.self::VERSION, |
|
93 |
'max_redirects' => 3, |
|
94 |
), |
|
95 |
'ssl' => array( |
|
96 |
'verify_peer' => TRUE, |
90ae5b
|
97 |
'verify_peer_name' => TRUE, |
64d82d
|
98 |
'verify_depth' => 5, |
90ae5b
|
99 |
'allow_self_signed' => FALSE, |
JK |
100 |
'disable_compression' => TRUE, |
64d82d
|
101 |
), |
JK |
102 |
); |
|
103 |
|
d35cf4
|
104 |
if(version_compare(PHP_VERSION, '5.6', '<')) { |
JK |
105 |
$cafiles = array( |
|
106 |
'/etc/ssl/certs/ca-certificates.crt', |
|
107 |
'/etc/ssl/certs/ca-bundle.crt', |
|
108 |
'/etc/pki/tls/certs/ca-bundle.crt', |
|
109 |
); |
|
110 |
$cafile = NULL; |
|
111 |
foreach($cafiles as $file) { |
|
112 |
if(is_file($file)) { |
|
113 |
$cafile = $file; |
|
114 |
break; |
|
115 |
} |
|
116 |
} |
|
117 |
|
|
118 |
$url = parse_url($this->serverUrl); |
|
119 |
$context['ssl']['cafile'] = $cafile; |
|
120 |
$context['ssl']['ciphers'] = 'ECDH:DH:AES:CAMELLIA:!SSLv2:!aNULL' |
|
121 |
.':!eNULL:!EXPORT:!DES:!3DES:!MD5:!RC4:!ADH:!PSK:!SRP'; |
|
122 |
$context['ssl']['CN_match'] = $url['host']; |
|
123 |
} |
|
124 |
|
90ae5b
|
125 |
$data = file_get_contents($this->serverUrl |
JK |
126 |
.'/serviceValidate?service='.urlencode($this->serviceUrl) |
|
127 |
.'&ticket='.urlencode($ticket), |
64d82d
|
128 |
FALSE, stream_context_create($context)); |
JK |
129 |
if($data === FALSE) { |
|
130 |
throw new JasigException('Authentication error: CAS server is unavailable'); |
|
131 |
} |
|
132 |
|
|
133 |
$xmlEntityLoader = libxml_disable_entity_loader(TRUE); |
|
134 |
$xmlInternalErrors = libxml_use_internal_errors(TRUE); |
|
135 |
try { |
|
136 |
$xml = new DOMDocument(); |
|
137 |
$xml->loadXML($data); |
|
138 |
|
|
139 |
foreach(libxml_get_errors() as $error) { |
90ae5b
|
140 |
$e = new ErrorException($error->message, $error->code, 1, |
JK |
141 |
$error->file, $error->line); |
64d82d
|
142 |
switch ($error->level) { |
JK |
143 |
case LIBXML_ERR_ERROR: |
|
144 |
case LIBXML_ERR_FATAL: |
90ae5b
|
145 |
throw new Exception('Fatal error during XML parsing', |
JK |
146 |
0, $e); |
64d82d
|
147 |
break; |
JK |
148 |
} |
|
149 |
} |
|
150 |
} |
|
151 |
catch(Exception $e) { |
90ae5b
|
152 |
throw new JasigException('Authentication error: CAS server' |
JK |
153 |
.' response invalid - parse error', 0, $e); |
64d82d
|
154 |
} finally { |
JK |
155 |
libxml_clear_errors(); |
|
156 |
libxml_disable_entity_loader($xmlEntityLoader); |
|
157 |
libxml_use_internal_errors($xmlInternalErrors); |
|
158 |
} |
|
159 |
|
|
160 |
$failure = $xml->getElementsByTagName('authenticationFailure'); |
|
161 |
$success = $xml->getElementsByTagName('authenticationSuccess'); |
|
162 |
|
|
163 |
if($failure->length > 0) { |
|
164 |
$failure = $failure->item(0); |
|
165 |
if(!($failure instanceof DOMElement)) { |
90ae5b
|
166 |
throw new JasigException('Authentication error: CAS server' |
JK |
167 |
.' response invalid - authenticationFailure'); |
64d82d
|
168 |
} |
90ae5b
|
169 |
throw new JasigAuthException('Authentication error: ' |
JK |
170 |
.$failure->textContent); |
64d82d
|
171 |
} elseif($success->length > 0) { |
JK |
172 |
$success = $success->item(0); |
|
173 |
if(!($success instanceof DOMElement)) { |
90ae5b
|
174 |
throw new JasigException('Authentication error: CAS server' |
JK |
175 |
.' response invalid - authenticationSuccess'); |
64d82d
|
176 |
} |
JK |
177 |
|
|
178 |
$user = $success->getElementsByTagName('user'); |
|
179 |
if($user->length == 0) { |
90ae5b
|
180 |
throw new JasigException('Authentication error: CAS server' |
JK |
181 |
.' response invalid - user'); |
64d82d
|
182 |
} |
JK |
183 |
|
|
184 |
$user = trim($user->item(0)->textContent); |
|
185 |
if(strlen($user)<1) { |
90ae5b
|
186 |
throw new JasigException('Authentication error: CAS server' |
JK |
187 |
.' response invalid - user value'); |
64d82d
|
188 |
} |
JK |
189 |
|
|
190 |
$jusr = new JasigUser(); |
|
191 |
$jusr->user = $user; |
|
192 |
|
|
193 |
$attrs = $success->getElementsByTagName('attributes'); |
|
194 |
if($attrs->length > 0) { |
|
195 |
$attrs = $attrs->item(0); |
|
196 |
foreach($attrs->childNodes as $node) { |
|
197 |
$jusr->attributes[$node->localName] = $node->textContent; |
|
198 |
} |
|
199 |
} |
|
200 |
|
|
201 |
return $jusr; |
|
202 |
} |
|
203 |
else |
|
204 |
{ |
90ae5b
|
205 |
throw new JasigException('Authentication error: CAS server' |
JK |
206 |
.' response invalid - required tag not found'); |
64d82d
|
207 |
} |
JK |
208 |
} |
|
209 |
} |