getAttribute() public static method

Returns an attribute of the authenticated user.
public static getAttribute ( string $key ) : mixed
$key string attribute name
return mixed a string for a single value, or an array if multiple values exist; callers should handle both types.
Ejemplo n.º 1
 /**
  * Store the display name for the CAS session in $_SESSION[':cas']['name'].
  *
  * The CAS attribute named by the 'cas-name-attribute-key' config entry is used
  * when that entry is set and phpCAS reports the attribute; otherwise the value
  * of $this->getUser() is stored instead.
  */
 private function setName()
 {
     $nameKey = $this->config->get('cas-name-attribute-key');
     $hasNameAttribute = $nameKey !== null && phpCAS::hasAttribute($nameKey);

     // NOTE(review): getAttribute() is documented as returning an array when the
     // attribute has several values, so the stored name is not guaranteed to be
     // a string; consumers that print it should check the type and escape it.
     $_SESSION[':cas']['name'] = $hasNameAttribute
         ? phpCAS::getAttribute($nameKey)
         : $this->getUser();
 }
Ejemplo n.º 2
 /**
  * Return a nickname for the CAS user.
  *
  * Prefers the 'displayName' CAS attribute; when that is empty or otherwise
  * falsy, the part of the CAS user name before the first '@' is returned.
  */
 function getNick()
 {
     $displayName = phpCAS::getAttribute('displayName');
     if ($displayName) {
         return $displayName;
     }

     // Fall back to the local part of the CAS user name.
     $userParts = explode('@', phpCAS::getUser());

     return $userParts[0];
 }
Ejemplo n.º 3
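 /**
  * Complete the session for a user who authenticated through the AuthCAS plugin.
  *
  * An existing local account is accepted as-is. When no local account exists the
  * 'autoCreate' setting decides what happens:
  *   1 - look the user up in LDAP and create the account from the LDAP entry;
  *   2 - create the account from the attributes released by the CAS server;
  *   anything else - no account is created and no auth result is set here.
  *
  * Auto-created accounts receive the global permissions configured under
  * 'auth_cas_autocreate_permissions', so that setting defines what every newly
  * provisioned CAS user is allowed to do.
  *
  * @return void
  * @throws CHttpException 401 when the user cannot be found or cannot be saved
  */
 public function newUserSession()
 {
     // Do nothing if this user is not AuthCAS type
     $identity = $this->getEvent()->get('identity');
     if ($identity->plugin != 'AuthCAS') {
         return;
     }
     $sUser = $this->getUserName();
     $oUser = $this->api->getUserByName($sUser);
     if (!is_null($oUser)) {
         // A local account already exists: nothing to provision.
         $this->setAuthSuccess($oUser);
         return;
     }

     $autoCreate = (int) $this->get('autoCreate');
     if ($autoCreate === 1) {
         // Auto-create from LDAP. Get configuration settings:
         $ldapserver = $this->get('server');
         $ldapport = $this->get('ldapport');
         $ldapver = $this->get('ldapversion');
         $ldaptls = $this->get('ldaptls');
         $ldapoptreferrals = $this->get('ldapoptreferrals');
         $searchuserattribute = $this->get('searchuserattribute');
         $extrauserfilter = $this->get('extrauserfilter');
         $usersearchbase = $this->get('usersearchbase');
         $binddn = $this->get('binddn');
         $bindpwd = $this->get('bindpwd');
         if (empty($ldapport)) {
             $ldapport = 389;
         }
         // Try to connect
         $ldapconn = ldap_connect($ldapserver, (int) $ldapport);
         if ($ldapconn === false) {
             $this->setAuthFailure(1, gT('Could not connect to LDAP server.'));
             return;
         }
         if ($ldapver === null) {
             // If the version hasn't been set, default = 2
             $ldapver = 2;
         }
         ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, $ldapver);
         ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, $ldapoptreferrals);
         // NOTE(review): when STARTTLS is not enabled and the server URI is not
         // ldaps://, the bind below (including $bindpwd) is sent unencrypted.
         if (!empty($ldaptls) && $ldaptls == '1' && $ldapver == 3 && preg_match("/^ldaps:\\/\\//", $ldapserver) == 0) {
             // starting TLS secure layer
             if (!ldap_start_tls($ldapconn)) {
                 $this->setAuthFailure(100, ldap_error($ldapconn));
                 ldap_close($ldapconn);
                 return;
             }
         }
         // First bind (anonymously when no search account is configured), then
         // search for the entry that matches the CAS user name.
         // The warning is suppressed on purpose: the failure is reported through
         // setAuthFailure() with ldap_error() just below.
         if (empty($binddn)) {
             $ldapbindsearch = @ldap_bind($ldapconn);
         } else {
             $ldapbindsearch = @ldap_bind($ldapconn, $binddn, $bindpwd);
         }
         if (!$ldapbindsearch) {
             $this->setAuthFailure(100, ldap_error($ldapconn));
             ldap_close($ldapconn);
             return;
         }
         // Escape the user name before it is placed in the filter, so that filter
         // metacharacters such as '*', '(' or ')' in the name cannot change which
         // entries the search matches. $searchuserattribute and $extrauserfilter
         // are plugin settings and are used as configured.
         $escapedUser = ldap_escape($sUser, '', LDAP_ESCAPE_FILTER);
         if ($extrauserfilter != "") {
             $usersearchfilter = "(&({$searchuserattribute}={$escapedUser}){$extrauserfilter})";
         } else {
             $usersearchfilter = "({$searchuserattribute}={$escapedUser})";
         }
         // Search for the user
         $dnsearchres = ldap_search($ldapconn, $usersearchbase, $usersearchfilter, array($searchuserattribute, "displayname", "mail"));
         // A failed search is handled like "no entry" instead of being passed on
         // to ldap_count_entries().
         $rescount = ($dnsearchres === false) ? 0 : ldap_count_entries($ldapconn, $dnsearchres);
         if ($rescount != 1) {
             // No entry, or more than one entry: deny authentication.
             $this->setAuthFailure(100, ldap_error($ldapconn));
             ldap_close($ldapconn);
             throw new CHttpException(401, 'No authorized user found for login "' . $sUser . '"');
         }
         $userentry = ldap_get_entries($ldapconn, $dnsearchres);
         // The entry has been copied into $userentry; the connection is no
         // longer needed on any of the remaining paths.
         ldap_close($ldapconn);
         // The entry is read with lower-case attribute keys; a missing attribute
         // yields null instead of an undefined-index notice.
         $ldapFullName = isset($userentry[0]["displayname"][0]) ? $userentry[0]["displayname"][0] : null;
         $ldapMail = isset($userentry[0]["mail"][0]) ? $userentry[0]["mail"][0] : null;

         $oUser = new User();
         $oUser->users_name = $sUser;
         // Hash of a generated password: the account is created for a user who
         // has just signed in through CAS.
         $oUser->password = hash('sha256', createPassword());
         $oUser->full_name = $ldapFullName;
         $oUser->parent_id = 1;
         $oUser->email = $ldapMail;
         if ($oUser->save()) {
             $permission = new Permission();
             $permission->setPermissions($oUser->uid, 0, 'global', $this->api->getConfigKey('auth_cas_autocreate_permissions'), true);
             $this->setAuthSuccess($oUser);
             return;
         }
         $this->setAuthFailure(self::ERROR_USERNAME_INVALID);
         throw new CHttpException(401, 'User not saved : ' . $ldapMail . " / " . $ldapFullName);
     } elseif ($autoCreate === 2) {
         // Auto-create from the attributes released by the CAS server.
         // NOTE(review): no phpCAS::client() call is made in this method;
         // presumably the client was initialised earlier in the login flow - confirm.
         try {
             // import phpCAS lib
             $basedir = dirname(__FILE__);
             Yii::setPathOfAlias('myplugin', $basedir);
             Yii::import('myplugin.third_party.CAS.*');
             require_once 'CAS.php';
             $cas_fullname = phpCAS::getAttribute($this->get('casFullnameAttr'));
             // The login attribute is read as well, although its value is not used below.
             phpCAS::getAttribute($this->get('casLoginAttr'));
         } catch (Exception $e) {
             $this->setAuthFailure(self::ERROR_USERNAME_INVALID);
             throw new CHttpException(401, 'Cas attributes not found for "' . $sUser . '"');
         }
         $oUser = new User();
         $oUser->users_name = phpCAS::getUser();
         $oUser->password = hash('sha256', createPassword());
         $oUser->full_name = $cas_fullname;
         $oUser->parent_id = 1;
         // NOTE(review): this address is built from the full name rather than
         // taken from a CAS mail attribute - confirm that is intended.
         $oUser->email = 'example' . $cas_fullname . '@example.com';
         if ($oUser->save()) {
             if ($this->api->getConfigKey('auth_cas_autocreate_permissions')) {
                 $permission = new Permission();
                 $permission->setPermissions($oUser->uid, 0, 'global', $this->api->getConfigKey('auth_cas_autocreate_permissions'), true);
             }
             $this->setAuthSuccess($oUser);
             return;
         }
         $this->setAuthFailure(self::ERROR_USERNAME_INVALID);
         throw new CHttpException(401, 'User not saved : ' . $sUser . ' / ' . $cas_fullname);
     }
 }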
Ejemplo n.º 4
// Clients for which judge_ip() returns true must sign in through CAS; the
// 'employeeNumber' attribute released by the CAS server becomes $username.
if (judge_ip($client_ip)) {
    // Internal network: require login with a CAS account
    $isSchoolNET = TRUE;
    //$cas=getCASUser();
    //$username = getAttribute("employeeNumber");
    // NOTE(review): phpCAS debug logging is switched on unconditionally here;
    // confirm where the log is written and who can read it before running
    // this outside a test setup.
    phpCAS::setDebug();
    $_cas_server_version = CAS_VERSION_2_0;
    $_hostname = 'sso.buaa.edu.cn';
    $_hostport = 443;
    $_uri = '';
    //initialize phpCAS
    phpCAS::client($_cas_server_version, $_hostname, $_hostport, $_uri);
    //no SSL validation for the CAS server
    // NOTE(review): with validation disabled the identity of the CAS server
    // is not verified, so the user name and attributes read below are only as
    // trustworthy as the network path. Prefer phpCAS::setCasServerCACert()
    // with the CA bundle that signs the CAS server certificate.
    phpCAS::setNoCasServerValidation();
    //force CAS authentication
    phpCAS::forceAuthentication();
    //showmessage("cas halt");
    if (isset($_REQUEST['logout'])) {
        phpCAS::logout();
    }
    // Get the student number, or the employee number for staff
    ///////////////
    //////////////////////
    $auth1 = phpCAS::checkAuthentication();
    if ($auth1) {
        $cas = phpCAS::getUser();
        $username = phpCAS::getAttribute("employeeNumber");
    }
}
// NOTE(review): within this excerpt $username is assigned only when both
// judge_ip() and checkAuthentication() succeed, yet it is read here
// unconditionally; confirm it is initialised earlier in the file.
$collegeid_len = strlen($username);
//print_r($username);exit;
Ejemplo n.º 5
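// Grid column titles, search, size, paging and links to prog.php.
$dg->set_col_title("sch1", mb_convert_encoding("Όνομα Σχολείου", "utf-8", "iso-8859-7"));
$dg->set_col_title("titel", mb_convert_encoding("Τίτλος προγράμματος", "utf-8", "iso-8859-7"));
//$dg ->set_col_title("done", mb_convert_encoding("Ξεκίνησε;", "utf-8","iso-8859-7" ));
//$dg ->set_col_title("agree", mb_convert_encoding("Δήλ.Ολοκλ.", "utf-8","iso-8859-7" ));
$dg->enable_search(true);
$dg->set_dimension(1100, 700);
$dg->set_pagesize(30);
$dg->set_col_dynalink("id", "prog.php", "id");
$dg->set_col_dynalink("titel", "prog.php", "id");
// get data from CAS server
if (!$prDebug) {
    $_SESSION['admin'] = 0;
    $sch_name = phpCAS::getAttribute('description');
    $uid = phpCAS::getUser();
    $em1 = $uid . "@sch.gr";
    $em2 = phpCAS::getAttribute('mail');
    // Strict comparison against the admin list. The previous !strcmp() form
    // also evaluated to true when strcmp() returned null for a non-string
    // argument (PHP versions before 8), which would have granted admin.
    // NOTE(review): the admin user names are hard-coded in this script.
    if (in_array($uid, array('dipeira', 'taypeira'), true)) {
        $_SESSION['admin'] = 1;
    }
    $_SESSION['email1'] = $em1;
    $_SESSION['email2'] = $em2;
} else {
    // Debug mode: identity values come from the $pr* variables instead of CAS.
    // $_SESSION['admin'] is not touched on this path.
    $sch_name = $prsch_name;
    $uid = $pruid;
    $em1 = $prem1;
    $em2 = $prem2;
}
if (isset($sch_name)) {
    // 'description' is supplied by the CAS server (or by the debug variable),
    // so it is HTML-escaped before being written into the page. A multi-valued
    // attribute arrives as an array and is joined for display.
    echo "<h2>" . iconv('Windows-1253', 'UTF-8', 'Σχολείο: ')
        . htmlspecialchars(is_array($sch_name) ? implode(', ', $sch_name) : (string) $sch_name, ENT_QUOTES, 'UTF-8')
        . "</h2>";
}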
if (isset($em1) || isset($em2)) {
Ejemplo n.º 6
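 /**
  * Constructor
  *
  * Forces CAS authentication when the user is not yet authenticated, stores the
  * CAS user name as the user ID, then copies every CAS attribute listed in
  * self::$attributeMap (property name => CAS attribute name) through the
  * matching set<Property>() method.
  *
  * @param AuthenticationAuthority $AuthenticationAuthority
  * @return void
  * @throws KurogoConfigurationException when phpCAS has no getAttribute() method
  */
 public function __construct(AuthenticationAuthority $AuthenticationAuthority)
 {
     parent::__construct($AuthenticationAuthority);
     if (!phpCAS::isAuthenticated()) {
         phpCAS::forceAuthentication();
     }
     $this->setUserID(phpCAS::getUser());
     if (!method_exists('phpCAS', 'getAttribute')) {
         throw new KurogoConfigurationException('CASAuthentication attribute mapping requires phpCAS 1.2.0 or greater.');
     }
     foreach (self::$attributeMap as $property => $attribute) {
         if (phpCAS::hasAttribute($attribute)) {
             $method = 'set' . $property;
             // Read the same attribute whose presence was just checked. The
             // previous code passed $property here, so the value came from a
             // different key than the one tested whenever the two names differ.
             $this->{$method}(phpCAS::getAttribute($attribute));
         }
     }
 }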
Ejemplo n.º 7
 /**
  * Called after the user has been authenticated and found in iTop. Keeps the
  * user's profiles in sync with the 'memberOf' attribute released by CAS.
  *
  * The sync runs only for the 'cas' login mode, when the 'cas_update_profiles'
  * setting is enabled and CAS supplied a 'memberOf' attribute. The group list is
  * passed to self::SetProfilesFromCAS() unchanged, so the profiles a user ends
  * up with depend on what the CAS server asserts.
  *
  * @param User $oUser The user to update/synchronize
  * @param string $sLoginMode The login mode used (cas|form|basic|url)
  * @param string $sAuthentication The authentication method used
  * @return mixed The result of SetProfilesFromCAS() when a sync runs, true otherwise
  */
 public static function UpdateUser(User $oUser, $sLoginMode, $sAuthentication)
 {
     $bSyncEnabled = MetaModel::GetConfig()->Get('cas_update_profiles');
     $bShouldSync = $sLoginMode == 'cas' && $bSyncEnabled && phpCAS::hasAttribute('memberOf');
     if (!$bShouldSync) {
         // No groups defined in CAS or not CAS at all: do nothing...
         return true;
     }

     $mGroups = phpCAS::getAttribute('memberOf');
     // A single group arrives as a scalar; wrap it so the callee always gets an array.
     $aGroups = is_array($mGroups) ? $mGroups : array($mGroups);

     return self::SetProfilesFromCAS($oUser, $aGroups);
 }
Ejemplo n.º 8
 /**
  * Checks whether a recent enough boilerkey authentication is present when
  * boilerkey is required, and sends the user back through CAS when it is not.
  *
  * @param  string $return the return location
  * @return bool true when boilerkey is not required or the last boilerkey
  *              authentication is within the 'boilerkey_timeout' window (in
  *              minutes, default 15); nothing is returned on the re-auth path
  **/
 private function checkBoilerkey($return = '')
 {
     // Nothing to verify when boilerkey is not required
     if (!$this->isBoilerkeyRequired()) {
         return true;
     }

     // Time of the last boilerkey authentication, as released by CAS
     $authTime = phpCAS::getAttribute('boilerkeyauthtime');
     if (!empty($authTime)) {
         // The absolute difference tolerates small clock skew between systems.
         // NOTE(review): it also accepts a timestamp that lies in the future by
         // less than the timeout.
         $ageSeconds = abs(time() - strtotime($authTime));
         if ($ageSeconds / 60 < $this->params->get('boilerkey_timeout', 15)) {
             return true;
         }
     }

     // Either there is no CAS session with boilerkey, or it is too old:
     // make the user authenticate again.
     // NOTE(review): the return location is not validated in this method.
     $returnParam = !empty($return) ? '&return=' . base64_encode($return) : '';

     // The service URL is encoded twice; the original author's note suggests the
     // CAS server removes one level of encoding along the way.
     $reauthUrl = 'https://www.purdue.edu/apps/account/cas/logout?reauthWithBoilerkeyService='
         . urlencode(urlencode(self::getRedirectUri('pucas') . $returnParam));

     // Drop the session entry holding the CAS ticket, otherwise the old session
     // is found and the redirect to the CAS logout/login page never happens.
     unset($_SESSION['phpCAS']);
     phpCAS::setServerLoginURL($reauthUrl);
     phpCAS::forceAuthentication();
 }