commit | author | age
|
64d82d
|
1 |
<?php |
JK |
2 |
// Thrown when internal error occurs |
|
3 |
class JasigException extends Exception {} |
2f13b1
|
4 |
// Thrown when CAS server returns authentication error |
64d82d
|
5 |
class JasigAuthException extends JasigException {} |
JK |
6 |
|
|
7 |
class JasigUser { |
|
8 |
public $user; |
|
9 |
public $attributes = array(); |
|
10 |
} |
|
11 |
|
|
12 |
class uphpCAS { |
|
13 |
const VERSION = '1.0'; |
|
14 |
protected $serverUrl = ''; |
|
15 |
protected $serviceUrl; |
|
16 |
|
|
17 |
function __construct($serverUrl = NULL, $serviceUrl = NULL) { |
|
18 |
if($serverUrl != NULL) { |
|
19 |
$this->serverUrl = rtrim($serverUrl, '/'); |
|
20 |
} |
|
21 |
|
|
22 |
if($serviceUrl != NULL) { |
|
23 |
$this->serviceUrl = $serviceUrl; |
|
24 |
} else { |
|
25 |
$url = 'http://'; |
|
26 |
$port = 0; |
|
27 |
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { |
|
28 |
$url = 'https://'; |
90ae5b
|
29 |
if(isset($_SERVER['SERVER_PORT']) |
JK |
30 |
&& $_SERVER['SERVER_PORT'] != '443') { |
64d82d
|
31 |
$port = $_SERVER['SERVER_PORT']; |
JK |
32 |
} |
90ae5b
|
33 |
} elseif(isset($_SERVER['SERVER_PORT']) |
JK |
34 |
&& $_SERVER['SERVER_PORT'] != '80') { |
64d82d
|
35 |
$port = $_SERVER['SERVER_PORT']; |
JK |
36 |
} |
|
37 |
|
|
38 |
$url .= $_SERVER['SERVER_NAME']; |
|
39 |
|
|
40 |
if($port != 0) { |
|
41 |
$url .= ':'.$port; |
|
42 |
} |
|
43 |
$url .= $_SERVER['REQUEST_URI']; |
|
44 |
|
|
45 |
$this->serviceUrl = $url; |
|
46 |
} |
|
47 |
} |
|
48 |
|
deadb1
|
49 |
public function getServerUrl() { |
bae7f7
|
50 |
return $this->serverUrl; |
JK |
51 |
} |
64d82d
|
52 |
public function setServerUrl($serverUrl) { |
JK |
53 |
$this->serverUrl = $serverUrl; |
|
54 |
} |
|
55 |
|
bae7f7
|
56 |
public function getServiceUrl() { |
JK |
57 |
return $this->serviceUrl; |
|
58 |
} |
64d82d
|
59 |
public function setServiceUrl($serviceUrl) { |
JK |
60 |
$this->serviceUrl = $serviceUrl; |
|
61 |
} |
|
62 |
|
|
63 |
public function loginUrl() { |
2092d3
|
64 |
return $this->serverUrl.'/login?method=POST&service='.urlencode($this->serviceUrl); |
64d82d
|
65 |
} |
JK |
66 |
|
f124d4
|
67 |
public function logoutUrl($returnUrl = NULL) { |
JK |
68 |
return $this->serverUrl.'/logout'.($returnUrl ? '?service='.urlencode($returnUrl) : ''); |
64d82d
|
69 |
} |
JK |
70 |
|
|
71 |
public function logout() { |
|
72 |
session_start(); |
|
73 |
if(isset($_SESSION['uphpCAS-user'])) { |
|
74 |
unset($_SESSION['uphpCAS-user']); |
|
75 |
} |
|
76 |
header('Location: '.$this->logoutUrl()); |
|
77 |
die(); |
|
78 |
} |
|
79 |
|
fc49b8
|
80 |
public function isAuthenticated() { |
JK |
81 |
return isset($_SESSION['uphpCAS-user']); |
|
82 |
} |
|
83 |
|
64d82d
|
84 |
public function authenticate() { |
JK |
85 |
session_start(); |
fc49b8
|
86 |
if($this->isAuthenticated()) { |
64d82d
|
87 |
return $_SESSION['uphpCAS-user']; |
2092d3
|
88 |
} elseif(isset($_REQUEST['ticket'])) { |
JK |
89 |
$user = $this->verifyTicket($_REQUEST['ticket']); |
64d82d
|
90 |
$_SESSION['uphpCAS-user'] = $user; |
JK |
91 |
return $user; |
|
92 |
} else { |
|
93 |
header('Location: '.$this->loginUrl()); |
|
94 |
die(); |
|
95 |
} |
|
96 |
} |
|
97 |
|
|
98 |
public function verifyTicket($ticket) { |
|
99 |
$context = array( |
|
100 |
'http' => array( |
|
101 |
'method' => 'GET', |
|
102 |
'user_agent' => 'uphpCAS/'.self::VERSION, |
|
103 |
'max_redirects' => 3, |
|
104 |
), |
|
105 |
'ssl' => array( |
|
106 |
'verify_peer' => TRUE, |
90ae5b
|
107 |
'verify_peer_name' => TRUE, |
64d82d
|
108 |
'verify_depth' => 5, |
90ae5b
|
109 |
'allow_self_signed' => FALSE, |
JK |
110 |
'disable_compression' => TRUE, |
64d82d
|
111 |
), |
JK |
112 |
); |
|
113 |
|
d35cf4
|
114 |
if(version_compare(PHP_VERSION, '5.6', '<')) { |
JK |
115 |
$cafiles = array( |
|
116 |
'/etc/ssl/certs/ca-certificates.crt', |
|
117 |
'/etc/ssl/certs/ca-bundle.crt', |
|
118 |
'/etc/pki/tls/certs/ca-bundle.crt', |
|
119 |
); |
|
120 |
$cafile = NULL; |
|
121 |
foreach($cafiles as $file) { |
|
122 |
if(is_file($file)) { |
|
123 |
$cafile = $file; |
|
124 |
break; |
|
125 |
} |
|
126 |
} |
|
127 |
|
|
128 |
$url = parse_url($this->serverUrl); |
|
129 |
$context['ssl']['cafile'] = $cafile; |
|
130 |
$context['ssl']['ciphers'] = 'ECDH:DH:AES:CAMELLIA:!SSLv2:!aNULL' |
|
131 |
.':!eNULL:!EXPORT:!DES:!3DES:!MD5:!RC4:!ADH:!PSK:!SRP'; |
|
132 |
$context['ssl']['CN_match'] = $url['host']; |
|
133 |
} |
|
134 |
|
90ae5b
|
135 |
$data = file_get_contents($this->serverUrl |
JK |
136 |
.'/serviceValidate?service='.urlencode($this->serviceUrl) |
|
137 |
.'&ticket='.urlencode($ticket), |
64d82d
|
138 |
FALSE, stream_context_create($context)); |
JK |
139 |
if($data === FALSE) { |
|
140 |
throw new JasigException('Authentication error: CAS server is unavailable'); |
|
141 |
} |
|
142 |
|
|
143 |
$xmlEntityLoader = libxml_disable_entity_loader(TRUE); |
|
144 |
$xmlInternalErrors = libxml_use_internal_errors(TRUE); |
|
145 |
try { |
|
146 |
$xml = new DOMDocument(); |
|
147 |
$xml->loadXML($data); |
|
148 |
|
|
149 |
foreach(libxml_get_errors() as $error) { |
90ae5b
|
150 |
$e = new ErrorException($error->message, $error->code, 1, |
JK |
151 |
$error->file, $error->line); |
64d82d
|
152 |
switch ($error->level) { |
JK |
153 |
case LIBXML_ERR_ERROR: |
|
154 |
case LIBXML_ERR_FATAL: |
90ae5b
|
155 |
throw new Exception('Fatal error during XML parsing', |
JK |
156 |
0, $e); |
64d82d
|
157 |
break; |
JK |
158 |
} |
|
159 |
} |
2f13b1
|
160 |
} catch(Exception $e) { |
90ae5b
|
161 |
throw new JasigException('Authentication error: CAS server' |
JK |
162 |
.' response invalid - parse error', 0, $e); |
64d82d
|
163 |
} finally { |
JK |
164 |
libxml_clear_errors(); |
|
165 |
libxml_disable_entity_loader($xmlEntityLoader); |
|
166 |
libxml_use_internal_errors($xmlInternalErrors); |
|
167 |
} |
|
168 |
|
|
169 |
$failure = $xml->getElementsByTagName('authenticationFailure'); |
|
170 |
$success = $xml->getElementsByTagName('authenticationSuccess'); |
|
171 |
|
|
172 |
if($failure->length > 0) { |
|
173 |
$failure = $failure->item(0); |
|
174 |
if(!($failure instanceof DOMElement)) { |
90ae5b
|
175 |
throw new JasigException('Authentication error: CAS server' |
JK |
176 |
.' response invalid - authenticationFailure'); |
64d82d
|
177 |
} |
90ae5b
|
178 |
throw new JasigAuthException('Authentication error: ' |
JK |
179 |
.$failure->textContent); |
64d82d
|
180 |
} elseif($success->length > 0) { |
JK |
181 |
$success = $success->item(0); |
|
182 |
if(!($success instanceof DOMElement)) { |
90ae5b
|
183 |
throw new JasigException('Authentication error: CAS server' |
JK |
184 |
.' response invalid - authenticationSuccess'); |
64d82d
|
185 |
} |
JK |
186 |
|
|
187 |
$user = $success->getElementsByTagName('user'); |
|
188 |
if($user->length == 0) { |
90ae5b
|
189 |
throw new JasigException('Authentication error: CAS server' |
JK |
190 |
.' response invalid - user'); |
64d82d
|
191 |
} |
JK |
192 |
|
|
193 |
$user = trim($user->item(0)->textContent); |
2f13b1
|
194 |
if(strlen($user) < 1) { |
90ae5b
|
195 |
throw new JasigException('Authentication error: CAS server' |
JK |
196 |
.' response invalid - user value'); |
64d82d
|
197 |
} |
JK |
198 |
|
|
199 |
$jusr = new JasigUser(); |
|
200 |
$jusr->user = $user; |
|
201 |
|
|
202 |
$attrs = $success->getElementsByTagName('attributes'); |
|
203 |
if($attrs->length > 0) { |
|
204 |
$attrs = $attrs->item(0); |
|
205 |
foreach($attrs->childNodes as $node) { |
|
206 |
$jusr->attributes[$node->localName] = $node->textContent; |
|
207 |
} |
|
208 |
} |
|
209 |
|
|
210 |
return $jusr; |
2f13b1
|
211 |
} else { |
90ae5b
|
212 |
throw new JasigException('Authentication error: CAS server' |
JK |
213 |
.' response invalid - required tag not found'); |
64d82d
|
214 |
} |
JK |
215 |
} |
|
216 |
} |