Beispiel #1
 /**
  * Controller constructor: resolves the federated identity, then loads the shared resources.
  *
  * When FEDACTIVE is truthy the visitor is checked against the 'Oxylane-sp' SimpleSAMLphp
  * auth source and the uid, cn and mail attributes are copied to $this->data['fed'][0..2];
  * otherwise fixed placeholder strings are stored there.
  */
 public function __construct()
 {
     // Mandatory: run the parent constructor first.
     parent::__construct();
     $this->data = array();

     // FED Oxylane (federated login)
     if (!FEDACTIVE) {
         // NOTE(review): with FEDACTIVE off, nothing in this constructor authenticates the visitor.
         $this->data['fed'] = array("ID", "NOM", "MAIL");
     } else {
         require __DIR__ . '/../simplesaml/lib/_autoload.php';
         $saml = new SimpleSAML_Auth_Simple('Oxylane-sp');
         if ($saml->isAuthenticated()) {
             $samlAttributes = $saml->getAttributes();
             // NOTE(review): the attributes are read without an isset() check; a missing
             // uid/cn/mail yields a notice and a null entry.
             $this->data['fed'] = array(
                 $samlAttributes['uid'][0],  // identifier
                 $samlAttributes['cn'][0],   // person's name
                 $samlAttributes['mail'][0], // person's e-mail address
             );
         } else {
             $saml->requireAuth();
         }
     }
     // END FED

     // Resources used by the whole controller
     $this->load->database();
     foreach (array('form', 'titreUrl', 'convertlien') as $helperName) {
         $this->load->helper($helperName);
     }
     $this->load->library('form_validation');
     $this->load->model('pages_model', 'pm');
     $this->load->model('plannings_model', 'plm');
     $this->load->model('types_model', 'tm');
     $this->load->model('chaines_model', 'cm');
     $this->load->model('groupes_model', 'gm');
     $this->load->model('bandeau_model', 'bm');
     if (FEDLOG) {
         $this->load->model('logs_model', 'lm');
     }

     // Fetch every channel
     $this->data['chaines'] = $this->cm->getAll();
     // NOTE(review): 'superadmin' is set to true unconditionally here, whatever the
     // authenticated identity is; confirm that a later check narrows it.
     $this->data['superadmin'] = true;

     // Replace the default error-message delimiters (<p></p>).
     $errorOpen = '<p class="alert alert-error fade in"><a class="close" data-dismiss="alert" href="#">&times;</a>';
     $errorClose = '</p>';
     $this->form_validation->set_error_delimiters($errorOpen, $errorClose);
 }
Beispiel #2
 /**
  * Executes index action
  *
  * @param sfRequest $request A request object
  */
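 public function executeIndex(sfWebRequest $request)
 {
     // No culture in the request: choose one on the first request, then redirect to the
     // localized homepage.
     if (!$request->getParameter('sf_culture')) {
         $ssaml = new SimpleSAML_Auth_Simple('default-sp');
         $attributes = $ssaml->getAttributes();
         if ($this->getUser()->isFirstRequest()) {
             $supported = array('en', 'hu');
             $culture = null;
             if (array_key_exists('preferredLanguage', $attributes)) {
                 // SimpleSAMLphp hands back each attribute as a list of values, so the
                 // first value is compared rather than the list itself.
                 $culture = $attributes['preferredLanguage'];
                 if (is_array($culture)) {
                     $culture = reset($culture);
                 }
             }
             // Anything other than a supported culture falls back to browser negotiation.
             if (!in_array($culture, $supported, true)) {
                 $culture = $request->getPreferredCulture($supported);
             }
             $this->getUser()->setCulture($culture);
             $this->getUser()->isFirstRequest(false);
         }
         $this->redirect('localized_homepage');
     }

     // Defaults for a principal created just now; the lookups below only run for an
     // existing principal, and the template variables must be defined either way.
     $oos = null;
     $ros = null;
     $fedid = $this->getUser()->getUsername();
     $p = Doctrine::getTable('Principal')->findOneByFedid($fedid);
     if ($p) {
         $oos = $p->getOrganization();
         $ros = $p->getRelatedOrganizations(TRUE);
     } else {
         // First visit of this federated id: create the Principal record.
         $p = new Principal();
         $p->setFedid($fedid);
         $p->save();
     }
     $this->oos = $oos;
     $this->ros = $ros;
 }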
Beispiel #3
/**
 * Collects the SAML attributes of the current user for the attribute-mapping step.
 *
 * @return array|false Map of attribute name => "name (first value)" plus the raw attribute
 *                     array under the 'saml' key, sorted by key; false when the step, the
 *                     SimpleSAMLphp location or the auth source is not available.
 */
function get_attributes()
{
    // Only run in step 5 or later ! So change when steps array is changed!
    if (!isset($_REQUEST['s']) || !($_REQUEST['s'] >= 4)) {
        return false;
    }

    $ssp_location = issetweb('ssp_location');
    if (!$ssp_location) {
        return false;
    }

    $autoloadFile = $ssp_location . '/lib/_autoload.php';
    if (!is_readable($autoloadFile)) {
        return false;
    }
    // NOTE(review): the included path is built from whatever issetweb('ssp_location')
    // returns. If that value can come from the request, the include must be limited to a
    // known installation directory - verify against issetweb().
    include_once $autoloadFile;

    $ssp_authsource = issetweb('ssp_authsource');
    if (!$ssp_authsource) {
        return false;
    }

    $saml = new SimpleSAML_Auth_Simple($ssp_authsource);
    if (!$saml->isAuthenticated()) {
        $saml->requireAuth();
    }

    $samlAttributes = $saml->getAttributes();
    $simpleattrs = array();
    foreach ($samlAttributes as $name => $values) {
        // These are key|value pairs to populate the SELECT boxes
        $simpleattrs[$name] = $name . " (" . $values[0] . ")";
    }
    // Add attributes themselves as well, for later use
    $simpleattrs['saml'] = $samlAttributes;
    ksort($simpleattrs);

    return $simpleattrs;
}
Beispiel #4
 /**
  * Handle an incoming request.
  *
  * @param  \Illuminate\Http\Request  $request
  * @param  \Closure  $next
  * @return mixed
  */
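 public function handle($request, Closure $next)
 {
     if ($this->auth->guest()) {
         if ($request->ajax()) {
             return response('Unauthorized.', 401);
         }

         //return redirect()->guest('auth/login')
         //tsipizic for SAML
         //login user and get attributes
         $as = new \SimpleSAML_Auth_Simple('default-sp');
         $as->requireAuth();
         $attributes = $as->getAttributes();

         // The local account is keyed on the asserted mail attribute. Refuse the login when
         // it is absent or empty: otherwise the lookup below would run with a null value and
         // could match, or create, an account that belongs to nobody in particular.
         $mail = isset($attributes['mail'][0]) ? $attributes['mail'][0] : null;
         if (!is_string($mail) || $mail === '') {
             return response('Unauthorized.', 401);
         }

         //create user if he does not exist and log him in
         // NOTE(review): accounts are provisioned for any identity the IdP asserts; confirm
         // that the IdP is the only party able to vouch for the mail value.
         $db_user = User::where('mail', $mail)->first();
         if ($db_user) {
             Auth::login($db_user);
         } else {
             $user = new User();
             $user->mail = $mail;
             $user->save();
             Auth::login($user);
         }
     }
     return $next($request);
 }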
 /**
  * Performs an authentication attempt using SimpleSAMLphp
  *
  * @throws Zend_Auth_Adapter_Exception If authentication cannot be performed
  * @return Zend_Auth_Result
  */
 public function authenticate()
 {
     require_once LIBRARY_PATH . '/simplesamlphp/lib/_autoload.php';

     $saml = new SimpleSAML_Auth_Simple('default-sp');
     // If SimpleSAMLphp didn't stop it, then the user is logged in.
     $saml->requireAuth();

     // The whole attribute set becomes the identity of the result.
     // NOTE(review): no attribute is validated here; callers decide which one identifies the user.
     $identity = $saml->getAttributes();
     $messages = array("Authentication Successful");

     return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity, $messages);
 }
 /**
  * Check that the user has access to the statistics.
  *
  * If the user doesn't have access, send the user to the login page.
  */
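 public static function checkAccess(SimpleSAML_Configuration $statconfig)
 {
     // Returns when access is granted (unprotected, admin, allowed user id or ACL match);
     // throws SimpleSAML_Error_Exception when the authenticated user is not allowed.
     $protected = $statconfig->getBoolean('protected', FALSE);
     $authsource = $statconfig->getString('auth', NULL);
     $allowedusers = $statconfig->getValue('allowedUsers', NULL);
     $useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
     $acl = $statconfig->getValue('acl', NULL);
     if ($acl !== NULL && !is_string($acl) && !is_array($acl)) {
         throw new SimpleSAML_Error_Exception('Invalid value for \'acl\'-option. Should be an array or a string.');
     }
     if (!$protected) {
         return;
     }
     if (SimpleSAML\Utils\Auth::isAdmin()) {
         // User logged in as admin. OK.
         SimpleSAML_Logger::debug('Statistics auth - logged in as admin, access granted');
         return;
     }
     if (!isset($authsource)) {
         // If authsource is not defined, init admin login.
         SimpleSAML\Utils\Auth::requireAdmin();
     }
     /* We are using an authsource for login. */
     $as = new SimpleSAML_Auth_Simple($authsource);
     $as->requireAuth();
     // User logged in with auth source.
     SimpleSAML_Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');
     // Retrieving attributes
     $attributes = $as->getAttributes();
     if (!empty($allowedusers)) {
         // Check if userid exists
         if (!isset($attributes[$useridattr][0])) {
             throw new Exception('User ID is missing');
         }
         $userid = (string) $attributes[$useridattr][0];
         // Compare as strings, strictly. A loose in_array() treats numeric-looking strings
         // as numbers ("1e3" equals "1000"), which must not decide an access check.
         $allowedIds = array_map('strval', (array) $allowedusers);
         // Check if userid is allowed access..
         if (in_array($userid, $allowedIds, true)) {
             SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $userid . ']');
             return;
         }
         SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $userid . ']');
     } else {
         SimpleSAML_Logger::debug('Statistics auth - no allowedUsers list.');
     }
     // Not on the allow-list (or no list): the ACL is the last chance to be admitted.
     if (!is_null($acl)) {
         $acl = new sspmod_core_ACL($acl);
         if ($acl->allows($attributes)) {
             SimpleSAML_Logger::debug('Statistics auth - allowed access by ACL.');
             return;
         }
         SimpleSAML_Logger::debug('Statistics auth - denied access by ACL.');
     } else {
         SimpleSAML_Logger::debug('Statistics auth - no ACL configured.');
     }
     // Default deny.
     throw new SimpleSAML_Error_Exception('Access denied to the current user.');
 }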
 /**
  * Tells whether the user is logged in on the auth source configured for the selfregister module.
  *
  * @return SimpleSAML_Auth_Simple|false The auth wrapper when authenticated, false otherwise.
  */
 public static function checkLoggedAndSameAuth()
 {
     // The returned session object is not used; the call is kept as the original makes it.
     SimpleSAML_Session::getSessionFromRequest();

     $authSourceId = SimpleSAML_Configuration::getConfig('module_selfregister.php')->getString('auth');
     $authSimple = new SimpleSAML_Auth_Simple($authSourceId);

     return $authSimple->isAuthenticated() ? $authSimple : false;
 }
 /**
  * @inheritDoc
  */
 public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity)
 {
     $authSourceId = $this->config->getString('auth');
     $simple = new \SimpleSAML_Auth_Simple($authSourceId);
     // We should be authenticated so this returns the session user attributes (or [] if not)
     // NOTE(review): nothing here checks isAuthenticated(); without a session the token row
     // is stored with an empty attribute set.
     $userAttributes = $simple->getAttributes();

     // Flatten the scope entities to their identifiers.
     $scopeIds = [];
     foreach ($accessTokenEntity->getScopes() as $scopeEntity) {
         $scopeIds[] = $scopeEntity->getIdentifier();
     }

     $table = $this->getTableName();
     $row = [
         'id' => $accessTokenEntity->getIdentifier(),
         'scopes' => $scopeIds,
         'attributes' => $userAttributes,
         'expires_at' => $accessTokenEntity->getExpiryDateTime(),
         'user_id' => $accessTokenEntity->getUserIdentifier(),
         'client_id' => $accessTokenEntity->getClient()->getIdentifier(),
     ];
     // Column types, in the same order as the columns in $row.
     $columnTypes = ['string', 'json_array', 'json_array', 'datetime', 'string', 'string'];

     $this->conn->insert($table, $row, $columnTypes);
 }
Beispiel #9
 /**
  * Starts a SimpleSAMLphp logout on the 'SPcrono' auth source, returning to the
  * application's index.php.
  *
  * @return bool Always true.
  */
 function procesarFormulario()
 {
     require_once '/var/simplesamlphp/lib/_autoload.php';

     // $aplication_base_url = 'http://10.20.0.38/splocal/';
     // NOTE(review): the return URL is built from $this->host; if that value is taken from
     // the request's Host header it should be checked against the expected host - confirm.
     $baseUrl = $this->host . $this->site . '/';

     // Authentication source defined in the SP's authsources; it is passed to the
     // constructor as its parameter.
     $saml = new SimpleSAML_Auth_Simple('SPcrono');
     $saml->logout($baseUrl . 'index.php');

     return true;
 }
Beispiel #10
 /**
  * Require admin access to the current page.
  *
  * This is a helper function for limiting a page to those with administrative access. It will redirect the user to
  * a login page if the current user doesn't have admin access.
  *
  * @return void This function will only return if the user is admin.
  * @throws \SimpleSAML_Error_Exception If no "admin" authentication source was configured.
  *
  * @author Olav Morken, UNINETT AS <*****@*****.**>
  * @author Jaime Perez, UNINETT AS <*****@*****.**>
  */
 public static function requireAdmin()
 {
     // Already an administrator: nothing to do.
     if (self::isAdmin()) {
         return;
     }

     // not authenticated as admin user, start authentication
     $adminSource = \SimpleSAML_Auth_Source::getById('admin');
     if ($adminSource === null) {
         // Without an "admin" auth source there is nothing to log in against.
         throw new \SimpleSAML_Error_Exception('Cannot find "admin" auth source, and admin privileges are required.');
     }

     $adminAuth = new \SimpleSAML_Auth_Simple('admin');
     $adminAuth->login();
 }
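 /**
  * Sends a file from public_html/files to the client once the access checks pass.
  *
  * The 'filename' request parameter selects the file. Files flagged as "Apb" additionally
  * need a 'klavsts' SAML session whose 'urn:klav:docmanager' attribute passes the
  * filesystem check.
  *
  * @throws Zend_Controller_Action_Exception With code 404 when the file cannot be served.
  */
 public function downloadAction()
 {
     $this->_helper->viewRenderer->setNoRender(true);
     $this->_helper->layout->disableLayout();

     // 'filename' comes from the request. Resolve it and require the result to stay inside
     // the download directory, so that '..' segments or symlinks cannot select other files.
     $baseDir = realpath(APPLICATION_ROOT . '/public_html/files');
     $filename = realpath(APPLICATION_ROOT . '/public_html/files/' . $this->_getParam('filename'));
     if ($baseDir === false || $filename === false
         || strpos($filename, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
         throw new Zend_Controller_Action_Exception('File not found', 404);
     }

     try {
         $file = new SxCms_File($filename);
         $data = $file->getCleanFile();
         $identity = Zend_Auth::getInstance()->getIdentity();
         if (!$file->isAllowed($identity)) {
             $this->_helper->redirector->setExit(true)->gotoSimple('unauthorized', 'index');
             return;
         }
         if ($file->isApb()) {
             $as = new SimpleSAML_Auth_Simple('klavsts');
             $attributes = $as->getAttributes();
             // No SAML session, or no docmanager attribute to check against: deny.
             if (!$attributes || !isset($attributes['urn:klav:docmanager'])) {
                 $this->_forward('unauthorized', 'index', null, array('url' => $this->view->url()));
                 return;
             }
             $filecheck = new SxCms_Filesystem($file->getPath());
             $filecheck->setApb($attributes['urn:klav:docmanager']);
             if (!$filecheck->isAllowed()) {
                 $this->_helper->redirector->setExit(true)->gotoSimple('unauthorized', 'index');
                 return;
             }
         }

         // workaround for when PECL class finfo is not installed
         $mimeType = 'application/octet-stream';
         if (@class_exists('finfo')) {
             $finfo = new finfo(FILEINFO_MIME);
             $detected = $finfo->file($filename);
             if ($detected !== false) {
                 $mimeType = $detected;
             }
         }

         // mimetype "unknown", let's figure it out by filename extension
         if ($mimeType == 'application/octet-stream') {
             $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
             // The extension is placed inside an XPath string literal, so only plain
             // alphanumerics are accepted; anything else keeps the generic type.
             if (preg_match('/^[a-z0-9]+$/', $ext)) {
                 $types = simplexml_load_file(APPLICATION_PATH . '/var/mime-types.xml');
                 $result = $types ? $types->xpath('//mime-types/mime-type/ext[. ="' . $ext . '"]/..') : false;
                 if (!empty($result)) {
                     $typeAttributes = $result[0]->attributes();
                     $mimeType = (string) $typeAttributes['name'];
                 }
             }
         }

         // Content-Length is a byte count; mb_strlen() counts characters and under-reports
         // multi-byte or binary content.
         $size = strlen($data);
         $this->getResponse()->setHeader('Content-Type', $mimeType)->setHeader('Content-Length', $size);
         echo $data;
     } catch (Exception $e) {
         throw new Zend_Controller_Action_Exception('File not found', 404);
     }
 }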
Beispiel #12
 /**
  * Ends the application session and, if there is one, the SSO session on 'default-sp'.
  *
  * @return mixed Redirect to mainController@index.
  */
 public function logout()
 {
     // check for application session and invalidate
     $hasAppSession = Auth::check();
     if ($hasAppSession) {
         Auth::logout();
     }

     // check for sso session and invalidate
     // NOTE(review): SimpleSAMLphp's logout() normally redirects instead of returning, in
     // which case the redirect below is only reached without an SSO session - confirm.
     $sso = new \SimpleSAML_Auth_Simple('default-sp');
     $hasSsoSession = $sso->isAuthenticated();
     if ($hasSsoSession) {
         $sso->logout();
     }

     // redirect to home
     return Redirect::Action('mainController@index');
 }
Beispiel #13
 /**
  * Forces a SimpleSAMLphp login on the 'SPcrono' auth source, returning to index.php afterwards.
  *
  * @return bool Always false.
  */
 function procesarFormulario()
 {
     require_once '/var/simplesamlphp/lib/_autoload.php';

     // $aplication_base_url = 'http://10.20.0.38/splocal/';
     $baseUrl = $this->host . $this->site . '/';

     // Authentication source defined in the SP's authsources; it is passed to the
     // constructor as its parameter.
     $saml = new SimpleSAML_Auth_Simple('SPcrono');
     $saml->requireAuth(array('ReturnTo' => $baseUrl . 'index.php'));

     // The attributes are fetched but nothing reads them afterwards.
     $unusedAttributes = $saml->getAttributes();

     return false;
 }
Beispiel #14
 /**
  * Hook on the forward function to make sure we can logout on SimpleSAML
  *
  * @param string $hook         the name of the hook
  * @param string $type         the type of the hook
  * @param bool   $return_value the current url to forward to
  * @param array  $params       supplied params
  *
  * @return void
  */
 public static function forward($hook, $type, $return_value, $params)
 {
     global $SIMPLESAML_SOURCE;

     // Only act for a logged-out user when a SimpleSAML source name was recorded.
     $needsExternalLogout = !elgg_is_logged_in() && !empty($SIMPLESAML_SOURCE);
     if (!$needsExternalLogout) {
         return;
     }

     // do we have a logout source
     try {
         $externalSource = new \SimpleSAML_Auth_Simple($SIMPLESAML_SOURCE);
         // logout of the external source
         $siteUrl = elgg_get_site_url();
         $externalSource->logout($siteUrl);
     } catch (Exception $e) {
         // do nothing
         // NOTE(review): a failed external logout is swallowed silently, so the remote
         // session may survive without any trace in the logs.
     }
 }
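 /**
  * Keeps the Copix session in step with the SimpleSAMLphp session before an action runs.
  *
  * Does nothing unless 'conf_Saml_actif' equals 1. With a SAML session and no Copix session,
  * the user named by the uid attribute is logged in and redirected, or the cas.tpl error page
  * is returned. With a Copix session and no SAML session, the Copix user is logged out.
  *
  * @param mixed $action The action about to be processed (not read here).
  * @return mixed A redirect or a cas.tpl response when a login was attempted, nothing otherwise.
  */
 public function beforeProcess(&$action)
 {
     if (CopixConfig::get('conf_Saml_actif') != 1) {
         return;
     }
     require_once COPIX_UTILS_PATH . '../../simplesamlphp/lib/_autoload.php';

     // Auth source: configured value, or the built-in default.
     $asId = 'iconito-sql';
     if (CopixConfig::exists('default|conf_Saml_authSource') && CopixConfig::get('default|conf_Saml_authSource')) {
         $asId = CopixConfig::get('default|conf_Saml_authSource');
     }
     $as = new SimpleSAML_Auth_Simple($asId);

     // $ppo was written to without ever being created, which is an error on PHP 8 and an
     // implicit stdClass on older versions; create it explicitly.
     $ppo = new stdClass();
     $ppo->user = _currentUser();

     if ($as->isAuthenticated() && !$ppo->user->isConnected()) {
         $attributes = $as->getAttributes();
         $uidAttribute = 'login_dbuser';
         if (CopixConfig::exists('default|conf_Saml_uidAttribute') && CopixConfig::get('default|conf_Saml_uidAttribute')) {
             $uidAttribute = CopixConfig::get('default|conf_Saml_uidAttribute');
         }
         $ppo->saml_user = null;
         if (isset($attributes[$uidAttribute][0])) {
             $ppo->saml_user = $attributes[$uidAttribute][0];
         }
         if ($ppo->saml_user) {
             $ppo->iconito_user = Kernel::getUserInfo("LOGIN", $ppo->saml_user);
             if ($ppo->iconito_user['login']) {
                 // The local login is opened without a password, on the strength of the
                 // SAML assertion alone ('assistance' => true).
                 _currentUser()->login(array('login' => $ppo->iconito_user['login'], 'assistance' => true));
                 $url_return = CopixUrl::get('kernel||doSelectHome');
                 // $url_return = CopixUrl::get ('assistance||users');
                 return new CopixActionReturn(COPIX_AR_REDIRECT, $url_return);
             } else {
                 $ppo->cas_error = 'no-iconito-user';
                 return _arPpo($ppo, 'cas.tpl');
             }
         }
     }

     // SAML session gone while the Copix session is still open: close the Copix session too.
     if (!$as->isAuthenticated() && $ppo->user->isConnected()) {
         $ppo->user = _currentUser();
         if ($ppo->user->isConnected()) {
             CopixAuth::getCurrentUser()->logout(array());
             CopixEventNotifier::notify('logout', array('login' => CopixAuth::getCurrentUser()->getLogin()));
             CopixAuth::destroyCurrentUser();
             CopixSession::destroyNamespace('default');
         }
     }
 }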
Beispiel #16
 /**
  * Controller constructor: authenticates through 'Oxylane-sp', restricts access to the users
  * listed by admins_model, then loads the shared resources.
  */
 public function __construct()
 {
     // Mandatory: run the parent constructor first.
     parent::__construct();
     $this->data = array();

     // FED Oxylane (federated login)
     if (!FEDACTIVE) {
         // NOTE(review): with FEDACTIVE off neither authentication nor the admin check runs.
         $this->data['fed'] = array("ID", "NOM", "MAIL");
     } else {
         require __DIR__ . '/../simplesaml/lib/_autoload.php';
         $saml = new SimpleSAML_Auth_Simple('Oxylane-sp');
         $authenticated = $saml->isAuthenticated();
         // Fetched as in the original; nothing below reads it.
         $loginUrl = $saml->getLoginURL();
         if ($authenticated) {
             $samlAttributes = $saml->getAttributes();
             // NOTE(review): uid/cn/mail are read without an isset() check.
             $uid = $samlAttributes['uid'][0];
             $this->data['fed'] = array(
                 $uid,
                 $samlAttributes['cn'][0],
                 $samlAttributes['mail'][0],
             );

             // Only users present in the admins list may go further.
             $this->load->model('admins_model', 'am');
             $adminList = $this->am->getAll();
             $isAdmin = $this->in_array_column($uid, $adminList);
             if (!$isAdmin) {
                 // NOTE(review): the denial relies on redirect() ending the request; verify
                 // that it does, since the rest of the constructor follows.
                 echo "Utilisateur non autoris&eacute;s";
                 redirect('welcome', 'refresh');
             }
         } else {
             $saml->requireAuth();
         }
     }
     // END System FED Oxylane

     // Resources used by the whole controller
     $this->load->database();
     $this->load->helper('form');
     $this->load->library('form_validation');
     $sharedModels = array(
         'pages_model' => 'pm',
         'chaines_model' => 'cm',
         'groupes_model' => 'gm',
         'logs_model' => 'lm',
     );
     foreach ($sharedModels as $modelName => $alias) {
         $this->load->model($modelName, $alias);
     }
 }
Beispiel #17
/**
 * Loads the JANUS user that matches the user-id attribute of the current SAML session.
 *
 * When the attribute is absent a JSON status is printed and the script exits.
 *
 * @param SimpleSAML_Auth_Simple $as           Auth wrapper the attributes are read from.
 * @param ConfigProxy            $janus_config Supplies 'useridattr' (default eduPersonPrincipalName).
 * @return sspmod_janus_User
 */
function getUser(SimpleSAML_Auth_Simple $as, ConfigProxy $janus_config)
{
    // Name of the attribute that carries the user id
    /** @var string $useridattr */
    $useridattr = $janus_config->getValue('useridattr', 'eduPersonPrincipalName');

    $samlAttributes = $as->getAttributes();
    $hasUserId = isset($samlAttributes[$useridattr]);
    if (!$hasUserId) {
        $payload = array('status' => 'user_id_is_missing');
        echo json_encode($payload);
        exit;
    }

    // NOTE(review): only the attribute itself is checked; an empty value list would still
    // reach index 0 here.
    $userid = $samlAttributes[$useridattr][0];

    $janusUser = new sspmod_janus_User();
    $janusUser->setUserid($userid);
    $janusUser->load(sspmod_janus_User::USERID_LOAD);

    return $janusUser;
}
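 /**
  * Logs the visitor in through the 'klavsts' SAML source, stores the resulting user in
  * Zend_Auth and redirects back to the requested page.
  *
  * The 'url' request parameter carries the return path, base64- and URL-encoded.
  */
 public function loginAction()
 {
     //$logger = Zend_Registry::get('logger');
     //$logger->log('bericht hier', Zend_Log::INFO);
     $this->_helper->viewRenderer->setNoRender(true);
     $this->_helper->layout->disableLayout();
     $config = Zend_Registry::get('config');
     $url = $config->system->web->url . $config->system->web->baseurl;
     $as = new SimpleSAML_Auth_Simple('klavsts');
     $options = array('saml:IsPassive' => true, 'KeepPost' => false, 'ReturnTo' => $this->view->url(), 'ErrorURL' => $url . '/index/unauthorized');
     $as->requireAuth($options);
     $attributes = $as->getAttributes();

     // Copy the asserted attributes onto the user object.
     // NOTE(review): none of these attributes is checked for presence before use.
     $user = new SxCms_User_Klav();
     $user->setFirstName($attributes['urn:klav:data:Username'][0]);
     $user->setEmail($attributes['urn:klav:data:Email'][0]);
     $user->setDoccheck($attributes['urn:klav:data:doccheck'][0]);
     $user->setFarmanager($attributes['urn:klav:data:farmanager']);
     $user->setClientId($attributes['urn:klav:data:client'][0]);
     $user->setLanguage($attributes['urn:klav:data:taal_cd'][0]);
     $user->setGroups($attributes['urn:klav:groups']);
     $user->setDocmanager($attributes['urn:klav:docmanager']);
     $user->setClients($attributes['urn:klav:clients']);
     $user->setNamed($attributes['urn:klav:data:named'][0]);
     $user->setSessionId($attributes['urn:klav:sessionid'][0]);
     $user->setUsername($attributes['UserName'][0]);

     // Map SAML group ids to local groups; a missing 'groups' attribute means no groups.
     $mapper = new SxCms_Group_DataMapper();
     $groups = (isset($attributes['groups']) && is_array($attributes['groups'])) ? $attributes['groups'] : array();
     foreach ($groups as $samlId) {
         $group = $mapper->getBySamlId($samlId);
         if ($group) {
             $user->addGroup($group);
         }
     }
     $auth = Zend_Auth::getInstance();
     $storage = $auth->getStorage();
     $storage->write($user);

     // full requested url
     $burl = $this->_getParam('url', '');
     $burl = base64_decode($burl);
     $burl = urldecode((string) $burl);
     // The value is request-controlled and is appended to the host name, so it must be a
     // local absolute path: one leading slash, no second slash or backslash after it, and
     // no control characters. Anything else would let the final URL name another host or
     // inject header content; fall back to the site root.
     if (!preg_match('#^/(?![/\\\\])[^\x00-\x1f\\\\]*\z#', $burl)) {
         $burl = '/';
     }
     // NOTE(review): the scheme is fixed to http:// and the host comes from the request;
     // confirm both against the deployment (HTTPS, expected host names).
     $burl = 'http://' . $this->getRequest()->getHttpHost() . $burl;
     $this->_helper->redirector->setGotoUrl($burl);
 }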
Beispiel #19
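 /**
  * Finds the first auth source matching '-sp' on which the user is authenticated.
  *
  * @return SimpleSAML_Auth_Simple|false The authenticated wrapper, or false when none is.
  */
 public static function isAuthenticated()
 {
     require_once SamlAuth::LIB_AUTOLOAD;
     $config = SimpleSAML_Configuration::getInstance();
     // NOTE(review): the template object looks like it only serves as a holder for the
     // source list; kept because constructing it may have effects not visible here.
     $t = new SimpleSAML_XHTML_Template($config, 'core:authsource_list.tpl.php');
     $t->data['sources'] = SimpleSAML_Auth_Source::getSourcesMatch('-sp');

     // Iterate by value: nothing is written back, and a by-reference loop variable would
     // stay bound to the last element after the loop.
     foreach ($t->data['sources'] as $sourceId) {
         $as = new SimpleSAML_Auth_Simple($sourceId);
         if ($as->isAuthenticated()) {
             return $as;
         }
     }
     return false;
 }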
Beispiel #20
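 /**
  * Builds the security token for the user of the current SimpleSAMLphp session.
  *
  * @param TokenInterface $token Incoming token (not read here).
  * @return mixed Whatever getTokenForUsername() returns for the resolved user id.
  * @throws AuthenticationException When there is no SAML session or the user-id attribute has no value.
  */
 public function authenticate(TokenInterface $token)
 {
     /** @var string $authenticationType */
     $authenticationType = $this->config->getValue('auth', 'login-admin');
     if (php_sapi_name() === 'cli') {
         // NOTE(review): on the command line the configured auth source NAME is used as the
         // user name and no authentication takes place; confirm this is intended.
         return $this->getTokenForUsername($authenticationType);
     }
     $as = new \SimpleSAML_Auth_Simple($authenticationType);
     if (!$as->isAuthenticated()) {
         throw new AuthenticationException("Authsource '{$authenticationType}' is invalid");
     }
     /** @var string $userIdAttributeName */
     $userIdAttributeName = $this->config->getValue('useridattr', 'eduPersonPrincipalName');
     // Check if userid exists. The first VALUE is what gets used, so that is what must
     // exist: an attribute with an empty value list or an empty string is rejected too.
     $attributes = $as->getAttributes();
     if (!isset($attributes[$userIdAttributeName][0]) || $attributes[$userIdAttributeName][0] === '') {
         throw new AuthenticationException("Attribute '{$userIdAttributeName}' with User ID is missing.");
     }
     return $this->getTokenForUsername($attributes[$userIdAttributeName][0]);
 }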
Beispiel #21
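 /**
  * Shows the login form to anonymous visitors; authenticated ones are redirected to the
  * SNIES variables page and their SAML attributes are printed as an HTML table.
  */
 function mostrarBotonLogin()
 {
     // SimpleSAMLphp setup for SSO (single sign-on) authentication
     $saml_lib_path = '/var/simplesamlphp/lib/_autoload.php';
     require_once $saml_lib_path;
     // Authentication source defined in the SP's authsources, passed as constructor parameter
     $source = 'SP_SNIES';
     $as = new SimpleSAML_Auth_Simple($source);
     if (!$as->isAuthenticated()) {
         $this->formulario();
         return;
     }

     $valorCodificado = "&pagina=listadoVariablesSnies";
     $valorCodificado = $this->miConfigurador->fabricaConexiones->crypto->codificar($valorCodificado);
     // Build the link: the name of the link parameter comes from the configuration
     $variable = $this->miConfigurador->getVariableConfiguracion("enlace");
     $miEnlace = $this->host . $this->site . '/index.php?' . $variable . '=' . $valorCodificado;
     header("Location: " . $miEnlace);
     // NOTE(review): execution continues after the Location header, so the attribute table
     // below is sent as the body of the redirect response; confirm whether that is wanted.

     $attributes = $as->getAttributes();
     if (empty($attributes)) {
         echo 'No se obtuvieron atributos del usuario';
         return;
     }

     // Attribute names and values are data supplied by the identity provider: escape them
     // before they are written into the page.
     echo '<table class="table table-bordered table-striped">';
     foreach ($attributes as $key => $values) {
         $cells = array();
         foreach ($values as $value) {
             $cells[] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
         }
         echo '<tr><td>' . htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8') . '</td><td>';
         echo implode('<br>', $cells);
         echo '</td></tr>';
     }
     echo '</table>';
 }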
Beispiel #22
 /**
  * Executes index action
  *
  * @param sfRequest $request A request object
  */
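 public function executeIndex(sfWebRequest $request)
 {
     // No culture in the request: choose one on the first request, then redirect to the
     // localized homepage.
     if (!$request->getParameter('sf_culture')) {
         $ssaml = new SimpleSAML_Auth_Simple('default-sp');
         $attributes = $ssaml->getAttributes();
         if ($this->getUser()->isFirstRequest()) {
             $supported = array('hu', 'en');
             $culture = null;
             if (array_key_exists('preferredLanguage', $attributes)) {
                 // SimpleSAMLphp hands back each attribute as a list of values, so the
                 // first value is compared rather than the list itself.
                 $culture = $attributes['preferredLanguage'];
                 if (is_array($culture)) {
                     $culture = reset($culture);
                 }
             }
             // Anything other than a supported culture falls back to browser negotiation.
             if (!in_array($culture, $supported, true)) {
                 $culture = $request->getPreferredCulture($supported);
             }
             $this->getUser()->setCulture($culture);
             $this->getUser()->isFirstRequest(false);
         }
         $this->redirect('localized_homepage');
     }
 }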
 /**
  * Executes this filter.
  *
  * @param sfFilterChain $filterChain A sfFilterChain instance
  */
 public function execute($filterChain)
 {
     // A commented-out exemption for the login and secure actions used to sit here; it was
     // inactive, so every request goes through the check below.

     // A symfony session that outlives its SimpleSAMLphp session is marked unauthenticated.
     if ($this->context->getUser()->isAuthenticated()) {
         $saml = new SimpleSAML_Auth_Simple('default-sp');
         $samlSessionAlive = $saml->isAuthenticated();
         if (!$samlSessionAlive) {
             $this->context->getUser()->setAuthenticated(FALSE);
         }
     }

     // the user has access, continue
     // NOTE(review): the chain continues in every case; this filter itself blocks nothing.
     $filterChain->execute();
 }
Beispiel #24
 /**
  * Initialize a backwards-compatibility authsource for the given authentication page and authority.
  *
  * @param string $auth  The authentication page.
  * @param string|NULL $authority  The authority we should validate the login against.
  * @deprecated
  */
 public function __construct($auth, $authority)
 {
     assert('is_string($auth)');
     assert('is_string($authority) || is_null($authority)');

     if (is_null($authority)) {
         // Legacy login pages and the authority each of them implies.
         $legacyAuthorities = array(
             'auth/login-admin.php' => 'login-admin',
             'auth/login-cas-ldap.php' => 'login-cas-ldap',
             'auth/login-ldapmulti.php' => 'login-ldapmulti',
             'auth/login-radius.php' => 'login-radius',
             'auth/login-tlsclient.php' => 'tlsclient',
             'auth/login-wayf-ldap.php' => 'login-wayf-ldap',
             'auth/login.php' => 'login',
         );
         // Any other page needs an explicit authority from the caller.
         if (!isset($legacyAuthorities[$auth])) {
             throw new SimpleSAML_Error_Exception('You must provide an authority when using ' . $auth);
         }
         $authority = $legacyAuthorities[$auth];
     }

     $this->auth = $auth;
     $this->authority = $authority;
     parent::__construct($authority);
 }
Beispiel #25
 /**
  * Process a logout request.
  *
  * This function will never return.
  *
  * @param array &$state  The logout request state.
  * @param string|NULL $assocId  The association we received the logout request from, or NULL if there was no association.
  */
 public function handleLogoutRequest(array &$state, $assocId)
 {
     assert('isset($state["Responder"])');
     assert('is_string($assocId) || is_null($assocId)');

     // Record which IdP and which association this logout belongs to.
     $state['core:IdP'] = $this->id;
     $state['core:TerminatedAssocId'] = $assocId;

     if (!is_null($assocId)) {
         $this->terminateAssociation($assocId);
     }

     /* Terminate the local session. */
     $stateId = SimpleSAML_Auth_State::saveState($state, 'core:Logout:afterbridge');
     $resumeUrl = SimpleSAML_Module::getModuleURL('core/idp/resumelogout.php', array('id' => $stateId));
     $this->authSource->logout($resumeUrl);

     // Continue with the logout handler of this IdP.
     $this->getLogoutHandler()->startLogout($state, $assocId);

     // Not expected to be reached.
     assert('FALSE');
 }
Beispiel #26
 /**
  * Process a logout request.
  *
  * This function will never return.
  *
  * @param array       &$state The logout request state.
  * @param string|null $assocId The association we received the logout request from, or null if there was no
  * association.
  */
 public function handleLogoutRequest(array &$state, $assocId)
 {
     assert('isset($state["Responder"])');
     assert('is_string($assocId) || is_null($assocId)');

     // Record which IdP and which association this logout belongs to.
     $state['core:IdP'] = $this->id;
     $state['core:TerminatedAssocId'] = $assocId;

     if (!is_null($assocId)) {
         $this->terminateAssociation($assocId);
         // Drop the stored SSO time for this IdP / SP pair as well.
         $ssoTimeKey = $this->id . ':' . $state['saml:SPEntityId'];
         SimpleSAML_Session::getSessionFromRequest()->deleteData('core:idp-ssotime', $ssoTimeKey);
     }

     // terminate the local session
     $stateId = SimpleSAML_Auth_State::saveState($state, 'core:Logout:afterbridge');
     $resumeUrl = SimpleSAML\Module::getModuleURL('core/idp/resumelogout.php', array('id' => $stateId));
     $this->authSource->logout($resumeUrl);

     // Continue with the logout handler of this IdP.
     $this->getLogoutHandler()->startLogout($state, $assocId);

     // Not expected to be reached.
     assert('false');
 }
Beispiel #27
 /**
  * Process a request.
  *
  * This function never returns.
  *
  * @param array $state  The request state; $state['request'] holds the request we are processing.
  */
 public function processRequest(array $state)
 {
     // Handles one request held in $state['request']: makes sure the user is logged in,
     // checks the requested identity, settles the trust decision, then answers.
     // NOTE(review): the flow relies on sendResponse(), requireAuth() and redirect() not
     // returning - confirm; otherwise execution would fall through the branches below.
     assert('isset($state["request"])');
     SimpleSAML_Utilities::maskErrors(E_NOTICE | E_STRICT);
     $request = $state['request'];
     if (!$this->authSource->isAuthenticated()) {
         if ($request->immediate) {
             /* Not logged in, and we cannot show a login form. */
             $this->sendResponse($request->answer(FALSE));
         }
         // Interactive request: log in, then resume at resume.php with the saved state.
         $resumeURL = $this->getStateURL('resume.php', $state);
         $this->authSource->requireAuth(array('ReturnTo' => $resumeURL));
     }
     $identity = $this->getIdentity();
     assert('$identity !== FALSE');
     /* Should always be logged in here. */
     if (!$request->idSelect() && $identity !== $request->identity) {
         /* The identity in the request doesn't match the one of the logged in user. */
         throw new SimpleSAML_Error_Exception('Logged in as different user than the one requested.');
     }
     // Trust decision: a stored trust, else the answer carried in the state
     // ('TrustResponse'), else ask the user on trust.php.
     if ($this->isTrusted($identity, $request->trust_root)) {
         $trusted = TRUE;
     } elseif (isset($state['TrustResponse'])) {
         $trusted = (bool) $state['TrustResponse'];
     } else {
         if ($request->immediate) {
             /* Not trusted, and we cannot show a trust-form. */
             $this->sendResponse($request->answer(FALSE));
         }
         $trustURL = $this->getStateURL('trust.php', $state);
         SimpleSAML_Utilities::redirect($trustURL);
         // $trusted is never assigned on this path; it would be undefined below if the
         // redirect returned.
     }
     if (!$trusted) {
         /* The user doesn't trust this site. */
         $this->sendResponse($request->answer(FALSE));
     }
     /* The user is authenticated, and trusts this site. */
     $this->sendResponse($request->answer(TRUE, NULL, $identity));
 }
Beispiel #28
 /**
  * Require admin access for current page.
  *
  * This is a helper-function for limiting a page to admin access. It will redirect
  * the user to a login page if the current user doesn't have admin access.
  */
 public static function requireAdmin()
 {
     // Already an administrator: nothing to do.
     if (self::isAdmin()) {
         return;
     }

     // The current URL is where the legacy login page sends the user back to.
     $returnTo = self::selfURL();

     /* Not authenticated as admin user. Start authentication. */
     $hasAdminSource = SimpleSAML_Auth_Source::getById('admin') !== NULL;
     if (!$hasAdminSource) {
         /* For backwards-compatibility. */
         $config = SimpleSAML_Configuration::getInstance();
         $legacyLoginUrl = '/' . $config->getBaseURL() . 'auth/login-admin.php';
         self::redirectTrustedURL($legacyLoginUrl, array('RelayState' => $returnTo));
     } else {
         $adminAuth = new SimpleSAML_Auth_Simple('admin');
         $adminAuth->login();
     }
 }
Beispiel #29
    qui ensuite demande à l'IdP de tuer la session en cours.
    */
    // Redirection mise en dure ici pour l'instant, tant que ça ne concerne que Bordeaux...
    // Remarque : le code 307 peut causer des soucis ; le code 302 semble mieux. http://fr.wikipedia.org/wiki/Liste_des_codes_HTTP
    header('Status: 302 Found', TRUE, 302);
    header('Location: https://ent2d.ac-bordeaux.fr/Shibboleth.sso/Logout');
    exit;
}
// ////////////////////////////////////////////////////////////////////////////////////////////////////
// Logging out of GEPI over the SAML protocol
// ////////////////////////////////////////////////////////////////////////////////////////////////////
// NOTE(review): loose comparison; if $connexion_mode can ever hold a non-string value, '==' may match
// more than the literal 'gepi' on older PHP versions - confirm where the value comes from.
if ($connexion_mode == 'gepi') {
    // Load the SimpleSAMLphp autoloader by hand: unlike phpCAS, the library cannot be pulled in by
    // the _loader through a single class call.
    require CHEMIN_DOSSIER_SACOCHE . '_lib' . DS . 'SimpleSAMLphp' . DS . 'lib' . DS . '_autoload.php';
    // Hand SimpleSAMLphp the settings it needs through the session. Constants would not work because
    // Gepi calls SimpleSAMLphp directly, bypassing SACoche, to check that the call is legitimate.
    // NOTE(review): GEPI_CERTIFICAT_EMPREINTE is presumably the certificate fingerprint used to
    // validate Gepi's SAML messages; it should only ever be set from server-side configuration - confirm.
    $_SESSION['SACoche-SimpleSAMLphp'] = array(
        'GEPI_URL' => $gepi_url,
        'GEPI_RNE' => $gepi_rne,
        'GEPI_CERTIFICAT_EMPREINTE' => $gepi_certificat_empreinte,
        // Drops the leading '/' and the last 9 characters of the script path.
        // NOTE(review): 9 presumably is the length of "index.php" - confirm the entry script name.
        'SIMPLESAMLPHP_BASEURLPATH' => substr($_SERVER['SCRIPT_NAME'], 1, -9) . '_lib/SimpleSAMLphp/www/',
        'WEBMESTRE_NOM' => WEBMESTRE_NOM,
        'WEBMESTRE_PRENOM' => WEBMESTRE_PRENOM,
        'WEBMESTRE_COURRIEL' => WEBMESTRE_COURRIEL,
    );
    // Bind to the 'distant-gepi-saml' authentication source.
    $auth = new SimpleSAML_Auth_Simple('distant-gepi-saml');
    if ($auth->isAuthenticated()) {
        // Still logged in on the GEPI side: start the SAML logout.
        $auth->logout();
        exit;
    } elseif (isset($_SESSION['SimpleSAMLphp_SESSION'])) {
        // Most likely we are coming back from the GEPI logout: unlike CAS, the remote logout page
        // sends the browser back to the application instead of stopping there.
        unset($_SESSION['SimpleSAMLphp_SESSION']);
        exit_error('Deconnexion de Gepi', 'Déconnexion du service d\'authentification Gepi effectuée.<br />Fermez votre navigateur par sécurité.');
    } else {
        // Odd: no GEPI authentication was found... possibly a direct call to this page.
        exit_error('Deconnexion de Gepi', 'Votre authentification sur Gepi n\'a pas été retrouvée.<br />Fermez votre navigateur par sécurité pour être certain d\'en être déconnecté.');
    }
}
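 /**
  * Single-logout action: clears the application registry and starts a
  * SimpleSAMLphp logout on the 'authinstance' authentication source.
  *
  * The post-logout destination is read from the 'return' request parameter,
  * which the client controls. It is forwarded to logout() only when it is a
  * string naming a location on this site; anything else is replaced by '/'.
  * This keeps the logout endpoint from redirecting users to an arbitrary
  * external site, and keeps a non-string parameter from being read by
  * logout() as an option array. Deployments that need to return to other
  * hosts should check the value against an explicit allow-list instead.
  *
  * @return void This method is not expected to return: logout() redirects.
  * @throws \LogicException If logout() unexpectedly returns.
  */
 public function actionSlo()
 {
     $returnUrl = $this->_request->getParam('return');
     if (!$this->_isSameSiteReturnUrl($returnUrl)) {
         /* Missing, malformed or off-site destination: fall back to the site root. */
         $returnUrl = '/';
     }
     \utilities\Registry::clearRegistry();
     $auth = new \SimpleSAML_Auth_Simple('authinstance');
     $auth->logout($returnUrl);
     /*
      * Not expected to be reached. The former assert('FALSE') is a no-op when
      * assertions are disabled, and PHP 8 no longer evaluates string assertions,
      * so the guard is made explicit.
      */
     throw new \LogicException('SimpleSAML_Auth_Simple::logout() returned unexpectedly.');
 }

 /**
  * Tells whether a client-supplied return URL stays on this site.
  *
  * Accepted: a path starting with a single '/', or an absolute http(s) URL
  * whose host equals the host of the current request.
  *
  * @param mixed $url Raw value of the 'return' request parameter.
  * @return bool TRUE when the value may be used as a redirect destination.
  */
 private function _isSameSiteReturnUrl($url)
 {
     if (!is_string($url) || $url === '') {
         return false;
     }
     /* Backslashes and control characters are read inconsistently by browsers and URL parsers. */
     if (preg_match('/[\x00-\x1f\x7f\\\\]/', $url) !== 0) {
         return false;
     }
     if ($url[0] === '/') {
         /* A leading "//" is a protocol-relative URL and names another host. */
         return strncmp($url, '//', 2) !== 0;
     }
     $parts = parse_url($url);
     if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
         return false;
     }
     if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
         return false;
     }
     if (!isset($_SERVER['HTTP_HOST']) || !is_string($_SERVER['HTTP_HOST'])) {
         /* Current host unknown: fail closed. */
         return false;
     }
     /* Compare host names only; a trailing ":port" on the Host header is ignored. */
     $currentHost = strtolower(preg_replace('/:\d+\z/', '', $_SERVER['HTTP_HOST']));
     return $currentHost !== '' && strtolower($parts['host']) === $currentHost;
 }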