Beispiel #1
 /**
  * Detect the remote SSO user by looping through all SSO
  * plugins. Once a detection is found, it is put into
  * the options parameter array and method is returned as
  * true. Uses the same plug-in group as JAuthTools SSO.
  *
  * @return  Array|False  Array containing username on success or False on failure.
  *
  * @since   1.0
  */
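 public function detect()
 {
     /*
      * Ask each plug-in registered for the detection event, in order, and
      * return the first usable answer as
      * array('username' => ..., 'sso' => <plug-in class name>).
      * Returns false when no plug-in is attached or none reports a user.
      *
      * Only the shape of a plug-in's answer is checked here; the username
      * itself is passed back unmodified. The per plug-in IP rule is the
      * only gate this method applies before a plug-in is consulted.
      */
     $args = array();

     // Event to trigger for detection
     $event = strtolower(self::DETECT_METHOD_NAME);

     // Nothing to do when no plug-in is attached to the event.
     if (empty($this->_methods[$event])) {
         SHLog::add(JText::_('LIB_SHSSO_DEBUG_15068'), 15068, JLog::DEBUG, 'sso');
         return false;
     }

     foreach ($this->_methods[$event] as $key) {
         // Skip method entries whose plug-in is no longer registered.
         if (!isset($this->_observers[$key])) {
             continue;
         }

         $observer = $this->_observers[$key];

         // Start every plug-in with an empty result so that an answer left
         // over from an earlier iteration can never be attributed to it.
         $value = null;

         // Only object observers can carry parameters; guarding with
         // is_object() keeps property_exists() away from array handlers.
         if (is_object($observer) && property_exists($observer, 'params')) {
             $params = $observer->params;

             // Get the rule and list from the plug-in parameters
             $ipRule = $params->get('ip_rule', false);
             $ipList = $params->get('ip_list', false);

             // The IP restriction is enforced only when both are configured.
             if ($ipRule !== false && $ipList !== false) {
                 /*
                  * REMOTE_ADDR is the address of the directly connected peer.
                  * NOTE(review): behind a reverse proxy or load balancer this
                  * is the proxy's address, so the rule would be evaluated
                  * against the proxy rather than the client - confirm the
                  * deployment. $myIp falls back to false when the variable is
                  * absent; confirm doIPCheck() refuses that case under an
                  * allow-list rule.
                  */
                 jimport('joomla.application.input');
                 $input = new JInput($_SERVER);
                 $myIp = $input->get('REMOTE_ADDR', false, 'string');

                 // One list entry per line, whatever the line ending.
                 $ranges = preg_split('/\\r\\n|\\n|\\r/', $ipList);

                 if (!SHSsoHelper::doIPCheck($myIp, $ranges, $ipRule)) {
                     // IP address denies this plug-in from executing.
                     // Log the class name, matching the error path below,
                     // instead of converting the plug-in object to a string.
                     SHLog::add(JText::sprintf('LIB_SHSSO_DEBUG_15064', get_class($observer)), 15064, JLog::DEBUG, 'sso');
                     continue;
                 }
             }
         }

         // Fire the event: object observers via update(), array observers
         // via their registered handler.
         if (is_object($observer)) {
             $args['event'] = $event;
             $value = $observer->update($args);
         } elseif (is_array($observer)) {
             $value = call_user_func_array($observer['handler'], $args);
         }

         // An empty answer means this plug-in detected nobody.
         if (!$value) {
             continue;
         }

         // Accept a bare username string or an array carrying 'username'.
         $isDetection = is_string($value) || (is_array($value) && isset($value['username']));

         if (!$isDetection) {
             // Error: invalid plug-in response, try the next plug-in.
             SHLog::add(JText::sprintf('LIB_SHSSO_ERR_15061', get_class($observer)), 15061, JLog::ERROR, 'sso');
             continue;
         }

         if (is_string($value)) {
             // Convert the string to an array
             $value = array('username' => $value);
         }

         // Record which plug-in produced the detection.
         // NOTE(review): get_class() is only meaningful for object observers;
         // confirm whether array-style handlers are ever registered here.
         $value['sso'] = get_class($observer);

         return $value;
     }

     // No detection result found.
     return false;
 }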
Beispiel #2
 /**
  * Method for attempting single sign on.
  *
  * @return  boolean  True on successful SSO or False on failure.
  *
  * @since   2.0
  */
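 protected function _attemptSSO()
 {
     /*
      * Runs the gates that decide whether single sign on may be attempted
      * for this request (libraries present, SSO enabled in the session,
      * login state, global IP rule, backend setting), then asks SHSso to
      * detect the remote user and log them in.
      *
      * Every bail-out path returns false so the result matches the
      * documented boolean contract; otherwise the value of SHSso::login()
      * is returned.
      */

     // Check the required SSO libraries exist
     if (!(class_exists('SHSsoHelper') && class_exists('SHSso'))) {
         // Error: classes missing
         SHLog::add(JText::_('LIB_SHSSOMONITOR_ERR_15001'), 15001, JLog::ERROR, 'sso');
         return false;
     }

     try {
         $config = SHFactory::getConfig();

         // Check if SSO is disabled via the session
         if (SHSsoHelper::status() !== SHSsoHelper::STATUS_ENABLE) {
             // It is disabled so do not continue
             return false;
         }

         SHSsoHelper::enable();

         $forceLogin = false;
         $userId = JFactory::getUser()->get('id');

         if ($config->get('sso.forcelogin', false)) {
             if ($userId) {
                 // A session exists: it is replaced further down if the
                 // detected user turns out to be somebody else.
                 $forceLogin = true;
             }
         } else {
             if ($userId) {
                 // User already logged in and no forced re-login configured
                 return false;
             }
         }

         /*
          * Check the global IP rule before any detection plug-in runs - if
          * the rule rejects this client then SSO is not allowed here.
          *
          * REMOTE_ADDR is the address of the directly connected peer.
          * NOTE(review): behind a reverse proxy or load balancer this is the
          * proxy's address, so the rule would be evaluated against the proxy
          * rather than the client - confirm the deployment.
          */
         jimport('joomla.application.input');
         $input = new JInput($_SERVER);

         // Get the IP address of this client (false when the variable is absent)
         $myIp = $input->get('REMOTE_ADDR', false, 'string');

         // Get a list of the IP addresses specific to the specified rule.
         // NOTE(review): json_decode() yields null for a missing or malformed
         // setting; confirm doIPCheck() does not treat that as "allow".
         $ipList = json_decode($config->get('sso.iplist'));

         // Get the rule value
         $ipRule = $config->get('sso.iprule', SHSsoHelper::RULE_ALLOW_ALL);

         if (!SHSsoHelper::doIPCheck($myIp, $ipList, $ipRule)) {
             if (!$forceLogin) {
                 // This IP isn't allowed
                 SHLog::add(JText::_('LIB_SHSSO_DEBUG_15004'), 15004, JLog::DEBUG, 'sso');
             }

             return false;
         }

         /*
          * On the administrator backend SSO runs only when it has been
          * explicitly enabled there.
          */
         if (JFactory::getApplication()->isAdmin()) {
             if (!$config->get('sso.backend', false)) {
                 if (!$forceLogin) {
                     // Not allowed to SSO on backend
                     SHLog::add(JText::_('LIB_SHSSO_DEBUG_15006'), 15006, JLog::DEBUG, 'sso');
                 }

                 return false;
             }
         }

         // Instantiate the main SSO library for detection & authentication
         $sso = new SHSso($config->get('sso.plugintype', 'sso'));
         $detection = $sso->detect();

         if ($detection) {
             /*
              * Check the detected user is not blacklisted. Both sides are
              * lower-cased and compared strictly, in line with the
              * case-insensitive username comparison below: a case-sensitive
              * or loosely typed match would let a blocked account through
              * when the environment reports it with different casing.
              */
             $detectedName = strtolower((string) $detection['username']);
             $blacklist = array();

             foreach ((array) json_decode($config->get('user.blacklist')) as $entry) {
                 if (is_scalar($entry)) {
                     $blacklist[] = strtolower((string) $entry);
                 }
             }

             if (in_array($detectedName, $blacklist, true)) {
                 SHLog::add(JText::sprintf('LIB_SHSSO_DEBUG_15007', $detection['username']), 15007, JLog::DEBUG, 'sso');

                 // Detected user is blacklisted
                 return false;
             }

             // With forced login, end the current session when it belongs to
             // a different user. The strict comparison stops numeric-looking
             // usernames from being treated as equal.
             if ($forceLogin && $detectedName !== strtolower((string) JFactory::getUser()->get('username'))) {
                 SHLog::add(JText::sprintf('LIB_SHSSO_DEBUG_15008', $detection['username']), 15008, JLog::DEBUG, 'sso');

                 // Need to logout the current user
                 JFactory::getApplication()->logout();
             }
         }

         // Attempt the login.
         // NOTE(review): this is reached with $detection === false when no
         // plug-in detected a user; confirm SHSso::login() rejects that case.
         return $sso->login($detection);
     } catch (Exception $e) {
         SHLog::add($e, 15002, JLog::ERROR, 'sso');
     }

     // An exception was logged above: report the attempt as failed.
     return false;
 }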