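/**
 * Authenticate the username/password held in $this->params against LDAP,
 * then hand the matching LDAP role row to return_roles().
 *
 * Blank or missing credentials are rejected before the directory is
 * contacted. Many LDAP servers treat a bind with an empty password as an
 * unauthenticated (anonymous) bind and report success, and the helper's own
 * handling of that case is not visible from this method.
 *
 * @throws Exception when a credential is blank, the LDAP helper reports
 *                   failure, or no role row exists for the username.
 */
public function authenticate()
 {
     $this->auth_domain = gCOSI_AUTH_LDAP_HOST;
     $this->load->helper('ldap');

     $username = isset($this->params['username']) ? $this->params['username'] : '';
     $password = isset($this->params['password']) ? $this->params['password'] : '';

     // Fail closed on blank input, using the same message as a rejected bind
     // so the caller cannot tell the two cases apart.
     if ($username == '' || $password == '') {
         throw new Exception('Login failed. Bad credentials');
     }

     // Both are filled in by reference by the helper.
     $LDAPAttributes = array();
     $LDAPMessage = "";
     $successful = authenticateWithLDAP($username, $password, $LDAPAttributes, $LDAPMessage);
     if (!$successful) {
         throw new Exception('Login failed. Bad credentials');
     }

     // The directory accepted the credentials; the account must also be
     // registered locally as an LDAP-backed role.
     $role = $this->cosi_db->get_where('roles', array('role_id' => $username, 'authentication_service_id' => gCOSI_AUTH_METHOD_LDAP));
     if ($role->num_rows() == 0) {
         throw new Exception('Role ' . $username . ' not found!');
     }

     // NOTE(review): row(1) asks for index 1 on what is normally a one-row
     // result; presumably cosi_db falls back to the first row - confirm.
     $user = $role->row(1);
     $this->return_roles($user);
 }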
 /**
  * Return an array containing the success/failure of authentication
  * using the parameters below. If a valid combination is supplied, it also
  * supplies a list of activities, functional and organisational roles
  * which are associated with that user as well as other details specific to the
  * authentication method (such as LDAP information, name, token, etc).  
  * 
  * @param $username Username to authenticate
  * @param $password Plaintext password to use to authenticate
  * @param $method Authentication method to use (built-in/ldap/shib...etc)
  */
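 function authenticate($username, $password, $method = gCOSI_AUTH_METHOD_SHIBBOLETH)
 {
     // Returns an array with 'result' => 1 plus identity and role details on
     // success, and 'result' => 0 when the resolved method is not recognised.
     // Every failed login throws Exception('Authentication Failed (..)').

     // Set when an existing role should have its Shibboleth-supplied
     // persistent-id/email refreshed. The write is deferred until the login
     // has actually succeeded, so a failed attempt against someone else's
     // username can no longer overwrite that role's stored email.
     $sync_shib_attributes = false;

     $result = $this->cosi_db->get_where("roles", array("role_id" => $username, "role_type_id" => "ROLE_USER", "enabled" => DB_TRUE));
     if ($result->num_rows() > 0) {
         // The method stored against the role overrides the caller's choice.
         $method = trim($result->row(1)->authentication_service_id);
         $sync_shib_attributes = true;
     } elseif ($method == gCOSI_AUTH_METHOD_SHIBBOLETH) {
         // First Shibboleth login for this identifier.
         // Assumes the $_SERVER attributes below are set by the Shibboleth SP
         // as server variables, not taken from client headers - TODO confirm.
         $name = isset($_SERVER['displayName']) ? $_SERVER['displayName'] : 'No Name Given';
         if ($name == 'No Name Given') {
             throw new Exception('Bad Credentials. No name given');
         }

         // NOTE(review): the incoming session is linked to an existing role on
         // displayName alone. A display name is not a unique identifier, so
         // two people sharing one would resolve to the same role and the
         // stored persistent_id would be replaced. Matching on persistent-id
         // or the shared token would be safer; flagged here, not changed.
         $result = $this->cosi_db->get_where('roles', array('name' => $name, 'authentication_service_id' => gCOSI_AUTH_METHOD_SHIBBOLETH));
         if ($result->num_rows() > 0) {
             $username = trim($result->row(1)->role_id);
             $sync_shib_attributes = true;
         } else {
             // Nobody has this name yet: auto-register the user. A blank
             // identifier is refused before anything is written; the same
             // exception used to be raised only after the role was inserted.
             if ($username == '') {
                 throw new Exception('Authentication Failed (0)');
             }

             $email = '';
             if (isset($_SERVER['mail'])) {
                 $email = $_SERVER['mail'];
             } elseif (isset($_SERVER['email'])) {
                 $email = $_SERVER['email'];
             }
             $data = array('role_id' => $username, 'role_type_id' => 'ROLE_USER', 'authentication_service_id' => $method, 'enabled' => DB_TRUE, 'name' => $name, 'shared_token' => isset($_SERVER['shib-shared-token']) ? $_SERVER['shib-shared-token'] : '', 'persistent_id' => isset($_SERVER['persistent-id']) ? $_SERVER['persistent-id'] : '', 'email' => $email);

             // Alert the site admin. The mail is sent as text/html, so every
             // IdP-supplied value is HTML-escaped before it is embedded. The
             // charset matches the Content-type header; only ASCII
             // metacharacters are rewritten, so multi-byte input survives.
             $subject = 'A new shibboleth user has been automatically registered';
             $message = 'A new shibboleth user with the name of ' . htmlspecialchars($name, ENT_QUOTES, 'ISO-8859-1') . ' has been automatically registered.';
             if (isset($_SERVER['persistent-id'])) {
                 $message .= 'With the persistent ID of: ' . htmlspecialchars($_SERVER['persistent-id'], ENT_QUOTES, 'ISO-8859-1') . '.';
             }
             if (isset($_SERVER['shib-shared-token'])) {
                 $message .= 'With the shared token of: ' . htmlspecialchars($_SERVER['shib-shared-token'], ENT_QUOTES, 'ISO-8859-1') . '.';
             }
             // Report the address whichever attribute supplied it (it was
             // previously left out when it came from 'email').
             if ($email != '') {
                 $message .= 'With the email of: ' . htmlspecialchars($email, ENT_QUOTES, 'ISO-8859-1') . '.';
             }
             $to = get_config_item('site_admin_email');
             $headers = 'MIME-Version: 1.0' . "\r\n";
             $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
             mail($to, $subject, $message, $headers);

             $this->cosi_db->insert('roles', $data);
             $this->registerAffiliation($username, 'SHIB_AUTHENTICATED', 'SYSTEM');
             $result = $this->cosi_db->get_where("roles", array("role_id" => $username, "role_type_id" => "ROLE_USER", "enabled" => DB_TRUE));
         }
     }

     if ($method === gCOSI_AUTH_METHOD_BUILT_IN) {
         if ($username == '') {
             throw new Exception('Authentication Failed (0)');
         }
         if ($password == '') {
             throw new Exception('Authentication Failed (1)');
         }
         $result = $this->cosi_db->get_where("roles", array("role_id" => $username, "role_type_id" => "ROLE_USER", "authentication_service_id" => gCOSI_AUTH_METHOD_BUILT_IN, "enabled" => DB_TRUE));
         if ($result->num_rows() == 0) {
             // Unknown or disabled account. This path used to fall off the end
             // and return null; it now fails explicitly, with the same code as
             // a wrong password so the two cases look alike to the caller.
             throw new Exception('Authentication Failed (2)');
         }

         // NOTE(review): passphrases are matched as unsalted SHA-1 digests,
         // which are cheap to brute-force if the table is ever exposed. Moving
         // to password_hash()/password_verify() needs a schema and data
         // migration, so it is flagged here rather than changed.
         $valid_users = $this->cosi_db->get_where("authentication_built_in", array("role_id" => $username, "passphrase_sha1" => sha1($password)));
         if ($valid_users->num_rows() == 0) {
             // Invalid password
             throw new Exception('Authentication Failed (2)');
         }

         if ($sync_shib_attributes) {
             $this->syncShibbolethAttributes($username);
         }
         $user_results = $this->getRolesAndActivitiesByRoleID($valid_users->row(1)->role_id);
         return array('result' => 1, 'authentication_service_id' => $method, 'message' => 'Success', 'user_identifier' => $result->row(1)->role_id, 'name' => $result->row(1)->name, 'auth_domain' => gPIDS_IDENTIFIER_SUFFIX, 'last_login' => $result->row(1)->last_login, 'activities' => $user_results['activities'], 'organisational_roles' => $user_results['organisational_roles'], 'functional_roles' => $user_results['functional_roles']);
     }

     if ($method === gCOSI_AUTH_METHOD_SHIBBOLETH) {
         if ($username == '') {
             throw new Exception('Authentication Failed (0)');
         }
         // NOTE(review): no credential is checked in this branch, and it is
         // also the default $method. It presumably relies on the web server's
         // Shibboleth module having authenticated the request and on the
         // caller deriving $username from that session - confirm that no
         // caller passes a client-chosen username here.
         if ($sync_shib_attributes) {
             $this->syncShibbolethAttributes($username);
         }
         $user_results = $this->getRolesAndActivitiesByRoleID($username);
         return array('result' => 1, 'authentication_service_id' => $method, 'message' => 'Success', 'auth_method' => $method, 'user_identifier' => $username, 'name' => $result->row(1)->name, 'auth_domain' => 'aaf.edu.au', 'last_login' => $result->row(1)->last_login, 'activities' => $user_results['activities'], 'organisational_roles' => $user_results['organisational_roles'], 'functional_roles' => $user_results['functional_roles']);
     }

     if ($method === gCOSI_AUTH_METHOD_LDAP) {
         $this->load->helper('ldap');
         // Blank passwords are refused before the bind is attempted.
         if ($username == '') {
             throw new Exception('Authentication Failed (00)');
         }
         if ($password == '') {
             throw new Exception('Authentication Failed (01)');
         }
         $result = $this->cosi_db->get_where("roles", array("role_id" => $username, "role_type_id" => "ROLE_USER", "authentication_service_id" => gCOSI_AUTH_METHOD_LDAP, "enabled" => DB_TRUE));
         if ($result->num_rows() == 0) {
             // No such user/disabled
             throw new Exception('Authentication Failed (03)');
         }

         // Both are filled in by reference by the helper.
         $LDAPAttributes = array();
         $LDAPMessage = "";
         $successful = authenticateWithLDAP($username, $password, $LDAPAttributes, $LDAPMessage);
         if (!$successful) {
             // LDAP ERROR (could not bind). $LDAPMessage holds the helper's
             // detail; keep it in server-side logs, not in the response.
             throw new Exception('Authentication Failed (02)');
         }

         if ($sync_shib_attributes) {
             $this->syncShibbolethAttributes($username);
         }
         $user_results = $this->getRolesAndActivitiesByRoleID($username);
         return array('result' => 1, 'authentication_service_id' => $method, 'message' => 'Success', 'user_identifier' => $username, 'name' => isset($LDAPAttributes['cn'][0]) ? $LDAPAttributes['cn'][0] : $result->row(1)->name, 'auth_domain' => gCOSI_AUTH_LDAP_HOST, 'last_login' => $result->row(1)->last_login, 'activities' => $user_results['activities'], 'organisational_roles' => $user_results['organisational_roles'], 'functional_roles' => $user_results['functional_roles']);
     }

     // Unrecognised authentication method.
     // NOTE(review): the message serialises the last query result object;
     // confirm it is never shown to the client, since it may carry role data.
     return array('result' => 0, 'message' => json_encode($result));
 }

 /**
  * Copy the Shibboleth-supplied persistent-id and email (when present in
  * $_SERVER) onto the given role. Called only after a login has succeeded.
  *
  * @param $role_id Role whose stored attributes are refreshed
  */
 private function syncShibbolethAttributes($role_id)
 {
     if (isset($_SERVER['persistent-id'])) {
         $this->cosi_db->where('role_id', $role_id);
         $this->cosi_db->update('roles', array('persistent_id' => $_SERVER['persistent-id']));
     }
     // 'mail' takes precedence over 'email' when both are present.
     if (isset($_SERVER['mail'])) {
         $this->cosi_db->where('role_id', $role_id)->update('roles', array('email' => $_SERVER['mail']));
     } elseif (isset($_SERVER['email'])) {
         $this->cosi_db->where('role_id', $role_id)->update('roles', array('email' => $_SERVER['email']));
     }
 }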