mirror of https://github.com/jacekkow/uphpCAS
view | history | commit | commitdiff
Jacek Kowalski
2015-08-20 fc49b895ef2e38bbc820b3eda503a8afdbaabe44
commit | author | age
64d82d 1 <?php
JK 2 // Thrown when internal error occurs
3 class JasigException extends Exception {}
4 // Thrown when CAS server return authentication error
5 class JasigAuthException extends JasigException {}
6
7 class JasigUser {
8     public $user;
9     public $attributes = array();
10 }
11
12 class uphpCAS {
13     const VERSION = '1.0';
14     protected $serverUrl = '';
15     protected $serviceUrl;
16     
17     function __construct($serverUrl = NULL, $serviceUrl = NULL) {
18         if($serverUrl != NULL) {
19             $this->serverUrl = rtrim($serverUrl, '/');
20         }
21         
22         if($serviceUrl != NULL) {
23             $this->serviceUrl = $serviceUrl;
24         } else {
25             $url = 'http://';
26             $port = 0;
27             if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
28                 $url = 'https://';
90ae5b 29                 if(isset($_SERVER['SERVER_PORT'])
JK 30                         && $_SERVER['SERVER_PORT'] != '443') {
64d82d 31                     $port = $_SERVER['SERVER_PORT'];
JK 32                 }
90ae5b 33             } elseif(isset($_SERVER['SERVER_PORT'])
JK 34                     && $_SERVER['SERVER_PORT'] != '80') {
64d82d 35                 $port = $_SERVER['SERVER_PORT'];
JK 36             }
37             
38             $url .= $_SERVER['SERVER_NAME'];
39             
40             if($port != 0) {
41                 $url .= ':'.$port;
42             }
43             $url .= $_SERVER['REQUEST_URI'];
44             
45             $this->serviceUrl = $url;
46         }
47     }
48     
49     public function setServerUrl($serverUrl) {
50         $this->serverUrl = $serverUrl;
51     }
52     
53     public function setServiceUrl($serviceUrl) {
54         $this->serviceUrl = $serviceUrl;
55     }
56     
57     public function loginUrl() {
2092d3 58         return $this->serverUrl.'/login?method=POST&service='.urlencode($this->serviceUrl);
64d82d 59     }
JK 60     
61     public function logoutUrl() {
62         return $this->serverUrl.'/logout';
63     }
64     
65     public function logout() {
66         session_start();
67         if(isset($_SESSION['uphpCAS-user'])) {
68             unset($_SESSION['uphpCAS-user']);
69         }
70         header('Location: '.$this->logoutUrl());
71         die();
72     }
73     
fc49b8 74     public function isAuthenticated() {
JK 75         return isset($_SESSION['uphpCAS-user']);
76     }
77     
64d82d 78     public function authenticate() {
JK 79         session_start();
fc49b8 80         if($this->isAuthenticated()) {
64d82d 81             return $_SESSION['uphpCAS-user'];
2092d3 82         } elseif(isset($_REQUEST['ticket'])) {
JK 83             $user = $this->verifyTicket($_REQUEST['ticket']);
64d82d 84             $_SESSION['uphpCAS-user'] = $user;
JK 85             return $user;
86         } else {
87             header('Location: '.$this->loginUrl());
88             die();
89         }
90     }
91     
92     public function verifyTicket($ticket) {
93         $context = array(
94             'http' => array(
95                 'method' => 'GET',
96                 'user_agent' => 'uphpCAS/'.self::VERSION,
97                 'max_redirects' => 3,
98             ),
99             'ssl' => array(
100                 'verify_peer' => TRUE,
90ae5b 101                 'verify_peer_name' => TRUE,
64d82d 102                 'verify_depth' => 5,
90ae5b 103                 'allow_self_signed' => FALSE,
JK 104                 'disable_compression' => TRUE,
64d82d 105             ),
JK 106         );
107         
d35cf4 108         if(version_compare(PHP_VERSION, '5.6', '<')) {
JK 109             $cafiles = array(
110                 '/etc/ssl/certs/ca-certificates.crt',
111                 '/etc/ssl/certs/ca-bundle.crt',
112                 '/etc/pki/tls/certs/ca-bundle.crt',
113             );
114             $cafile = NULL;
115             foreach($cafiles as $file) {
116                 if(is_file($file)) {
117                     $cafile = $file;
118                     break;
119                 }
120             }
121             
122             $url = parse_url($this->serverUrl);
123             $context['ssl']['cafile'] = $cafile;
124             $context['ssl']['ciphers'] = 'ECDH:DH:AES:CAMELLIA:!SSLv2:!aNULL'
125                     .':!eNULL:!EXPORT:!DES:!3DES:!MD5:!RC4:!ADH:!PSK:!SRP';
126             $context['ssl']['CN_match'] = $url['host'];
127         }
128         
90ae5b 129         $data = file_get_contents($this->serverUrl
JK 130                     .'/serviceValidate?service='.urlencode($this->serviceUrl)
131                     .'&ticket='.urlencode($ticket),
64d82d 132                 FALSE, stream_context_create($context));
JK 133         if($data === FALSE) {
134             throw new JasigException('Authentication error: CAS server is unavailable');
135         }
136         
137         $xmlEntityLoader = libxml_disable_entity_loader(TRUE);
138         $xmlInternalErrors = libxml_use_internal_errors(TRUE);
139         try {
140             $xml = new DOMDocument();
141             $xml->loadXML($data);
142             
143             foreach(libxml_get_errors() as $error) {
90ae5b 144                 $e = new ErrorException($error->message, $error->code, 1,
JK 145                         $error->file, $error->line);
64d82d 146                 switch ($error->level) {
JK 147                     case LIBXML_ERR_ERROR:
148                     case LIBXML_ERR_FATAL:
90ae5b 149                         throw new Exception('Fatal error during XML parsing',
JK 150                                 0, $e);
64d82d 151                         break;
JK 152                 }
153             }
154         }
155         catch(Exception $e) {
90ae5b 156             throw new JasigException('Authentication error: CAS server'
JK 157                     .' response invalid - parse error', 0, $e);
64d82d 158         } finally {
JK 159             libxml_clear_errors();
160             libxml_disable_entity_loader($xmlEntityLoader);
161             libxml_use_internal_errors($xmlInternalErrors);
162         }
163         
164         $failure = $xml->getElementsByTagName('authenticationFailure');
165         $success = $xml->getElementsByTagName('authenticationSuccess');
166         
167         if($failure->length > 0) {
168             $failure = $failure->item(0);
169             if(!($failure instanceof DOMElement)) {
90ae5b 170                 throw new JasigException('Authentication error: CAS server'
JK 171                         .' response invalid - authenticationFailure');
64d82d 172             }
90ae5b 173             throw new JasigAuthException('Authentication error: '
JK 174                     .$failure->textContent);
64d82d 175         } elseif($success->length > 0) {
JK 176             $success = $success->item(0);
177             if(!($success instanceof DOMElement)) {
90ae5b 178                 throw new JasigException('Authentication error: CAS server'
JK 179                         .' response invalid - authenticationSuccess');
64d82d 180             }
JK 181             
182             $user = $success->getElementsByTagName('user');
183             if($user->length == 0) {
90ae5b 184                 throw new JasigException('Authentication error: CAS server'
JK 185                         .' response invalid - user');
64d82d 186             }
JK 187             
188             $user = trim($user->item(0)->textContent);
189             if(strlen($user)<1) {
90ae5b 190                 throw new JasigException('Authentication error: CAS server'
JK 191                         .' response invalid - user value');
64d82d 192             }
JK 193             
194             $jusr = new JasigUser();
195             $jusr->user = $user;
196             
197             $attrs = $success->getElementsByTagName('attributes');
198             if($attrs->length > 0) {
199                 $attrs = $attrs->item(0);
200                 foreach($attrs->childNodes as $node) {
201                     $jusr->attributes[$node->localName] = $node->textContent;
202                 }
203             }
204             
205             return $jusr;
206         }
207         else
208         {
90ae5b 209             throw new JasigException('Authentication error: CAS server'
JK 210                     .' response invalid - required tag not found');
64d82d 211         }
JK 212     }
213 }