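/**
 * Send the request and store the results.
 *
 * The cURL handle comes fully configured from _initAndConfigure(); that is
 * also where any CA bundle / client certificate settings are expected to be
 * applied, so this method does not touch the TLS verification options.
 * Turning off CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST here would let
 * anyone on the network path impersonate the CAS server during ticket
 * validation, which defeats the purpose of validating tickets at all.
 *
 * On success the response body is stored via storeResponseBody(); on failure
 * the cURL error number and message are stored via storeErrorMessage().
 *
 * @return bool true on success, false on failure.
 */
protected function sendRequest()
{
    phpCAS::traceBegin();

    // Initialize the cURL session (URL, method, headers, TLS options).
    $ch = $this->_initAndConfigure();

    // Perform the query.
    $buf = curl_exec($ch);
    if ($buf === false) {
        phpCAS::trace('curl_exec() failed');
        $this->storeErrorMessage(
            'CURL error #' . curl_errno($ch) . ': ' . curl_error($ch)
        );
        $res = false;
    } else {
        $this->storeResponseBody($buf);
        // NOTE(review): the whole response goes to the debug log; it may carry
        // tickets or user attributes, so debug logging must stay off in production.
        phpCAS::trace("Response Body: \n" . $buf . "\n");
        $res = true;
    }

    // Close the cURL session.
    curl_close($ch);
    phpCAS::traceEnd($res);
    return $res;
}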
/**
 * Mark the end of the program's execution in the debug trace.
 *
 * Logs 'exit()' and then unwinds the trace indentation kept in the global
 * $PHPCAS_DEBUG array, emitting one '-' line per still-open level so the
 * trace output is balanced.
 */
function traceExit()
{
    global $PHPCAS_DEBUG;

    phpCAS::log('exit()');
    // Close every open indentation level, one line at a time.
    for ($depth = $PHPCAS_DEBUG['indent']; $depth > 0; $depth--) {
        phpCAS::log('-');
        $PHPCAS_DEBUG['indent'] = $depth - 1;
    }
}
/**
 * Register a node to which pgtIou/pgtId pairs and logoutRequests are rebroadcast.
 *
 * The URL is logged, the client is checked for existence through
 * _validateClientExists(), and the call is delegated to the client object.
 * Any exception raised by the client is reported via phpCAS::error().
 *
 * @param string $rebroadcastNodeUrl The rebroadcast node URL. Can be
 *                                   hostname or IP.
 *
 * @return void
 */
public static function addRebroadcastNode($rebroadcastNodeUrl)
{
    phpCAS::traceBegin();
    phpCAS::log('rebroadcastNodeUrl:' . $rebroadcastNodeUrl);
    phpCAS::_validateClientExists();

    try {
        self::$_PHPCAS_CLIENT->addRebroadcastNode($rebroadcastNodeUrl);
    } catch (Exception $caught) {
        phpCAS::error(get_class($caught) . ': ' . $caught->getMessage());
    }

    phpCAS::traceEnd();
}
/**
 * Register a node to which pgtIou/pgtId pairs and logoutRequests are rebroadcast.
 *
 * Fails via phpCAS::error() when no client has been created yet or when the
 * argument does not look like an http(s) URL.
 *
 * @param string $rebroadcastNodeUrl The rebroadcast node URL. Can be
 *                                   hostname or IP.
 *
 * @return void
 */
public static function addRebroadcastNode($rebroadcastNodeUrl)
{
    phpCAS::traceBegin();
    phpCAS::log('rebroadcastNodeUrl:' . $rebroadcastNodeUrl);

    if (!is_object(self::$_PHPCAS_CLIENT)) {
        phpCAS::error(
            'this method should only be called after ' . __CLASS__
            . '::client() or' . __CLASS__ . '::proxy()'
        );
    }

    // Accepts http(s) URLs whose host has at least two dot-separated labels
    // (so an IP or "node.example.org" passes, but a bare "node1" does not,
    // despite the docblock), optionally followed by a port and a slash. Only
    // the prefix is checked: nothing after the optional slash is validated.
    $urlPattern = "/^(http|https):\\/\\/([A-Z0-9][A-Z0-9_-]*(?:\\.[A-Z0-9][A-Z0-9_-]*)+):?(\\d+)?\\/?/i";
    $looksLikeUrl = (bool) preg_match($urlPattern, $rebroadcastNodeUrl);
    if (!$looksLikeUrl) {
        phpCAS::error('type mismatched for parameter $rebroadcastNodeUrl (should be `url\')');
    }

    self::$_PHPCAS_CLIENT->addRebroadcastNode($rebroadcastNodeUrl);
    phpCAS::traceEnd();
}
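/**
 * Handle a CAS single logout (SLO) request.
 *
 * The CAS server POSTs a SAML LogoutRequest whose <samlp:SessionIndex>
 * carries the service ticket issued to this application. The local PHP
 * session id is derived from that ticket (non-word characters stripped), so
 * the matching session can be selected and destroyed. This method never
 * returns when the request is a logout request: it prints a short status and
 * calls exit.
 *
 * Access control: when $check_client is true the request is accepted only if
 * the sender matches one of $allowed_clients. The sender is identified by the
 * reverse-DNS name of REMOTE_ADDR and by REMOTE_ADDR itself, and each allowed
 * entry is compared against both (gethostbyaddr() returns the address
 * unchanged when there is no PTR record, so IP entries already matched in
 * that case). Caveat: the PTR record is controlled by whoever owns the
 * client's address block, so a hostname match alone does not prove the
 * request came from the CAS server. Keep the check enabled, prefer IP
 * entries, and restrict this endpoint at the network level where possible;
 * with the check disabled anyone who knows a ticket value can destroy the
 * corresponding session.
 *
 * @param bool        $check_client    true to check the client before handling
 *                                     the request, false not to perform any
 *                                     access control. True by default.
 * @param array|false $allowed_clients an array of host names or IP addresses
 *                                     allowed to send logout requests. By
 *                                     default, only the CAS server (declared
 *                                     in the constructor) is allowed.
 * @public
 */
function handleLogoutRequests($check_client = true, $allowed_clients = false)
{
    phpCAS::traceBegin();
    if (!$this->isLogoutRequest()) {
        phpCAS::log("Not a logout request");
        phpCAS::traceEnd();
        return;
    }
    phpCAS::log("Logout requested");

    // isLogoutRequest() presumably already checked for the POST field; read it
    // defensively anyway so a missing field cannot trigger notices below.
    $logoutRequest = isset($_POST['logoutRequest']) ? (string) $_POST['logoutRequest'] : '';
    phpCAS::log("SAML REQUEST: " . $logoutRequest);

    if ($check_client) {
        if (!$allowed_clients) {
            $allowed_clients = array($this->getServerHostname());
        }
        $client_ip = $_SERVER['REMOTE_ADDR'];
        $client = gethostbyaddr($client_ip);
        phpCAS::log("Client: " . $client . " (" . $client_ip . ")");

        $allowed = false;
        foreach ($allowed_clients as $allowed_client) {
            // Strict comparison: hostnames and addresses are plain strings.
            if ($client === $allowed_client || $client_ip === $allowed_client) {
                phpCAS::log("Allowed client '" . $allowed_client . "' matches, logout request is allowed");
                $allowed = true;
                break;
            }
            phpCAS::log("Allowed client '" . $allowed_client . "' does not match");
        }
        if (!$allowed) {
            phpCAS::error("Unauthorized logout request from client '" . $client . "'");
            printf("Unauthorized!");
            phpCAS::traceExit();
            exit;
        }
    } else {
        phpCAS::log("No access control set");
    }

    // Extract the ticket from the SAML request. Without a SessionIndex there
    // is no session to select: refuse instead of destroying a fresh session.
    if (!preg_match("|<samlp:SessionIndex>(.*)</samlp:SessionIndex>|", $logoutRequest, $tick)) {
        phpCAS::error("Malformed logout request: no <samlp:SessionIndex> found");
        printf("Malformed logout request!");
        phpCAS::traceExit();
        exit;
    }
    $ticket2logout = $tick[1];
    phpCAS::log("Ticket to logout: " . $ticket2logout);

    // Keep only [A-Za-z0-9_] so the value is a well-formed session id.
    $session_id = preg_replace('/[^\\w]/', '', $ticket2logout);
    phpCAS::log("Session id: " . $session_id);
    if ($session_id === '') {
        phpCAS::error("Malformed logout request: empty session id");
        printf("Malformed logout request!");
        phpCAS::traceExit();
        exit;
    }

    // Select the session that belongs to the ticket. The id is also written to
    // $_COOKIE/$_GET — presumably so that whatever reads the session name from
    // the request sees the same id; verify against the session handler in use.
    session_id($session_id);
    $_COOKIE[session_name()] = $session_id;
    $_GET[session_name()] = $session_id;

    // Overwrite (destroy) that session.
    if (!isset($_SESSION)) {
        session_start();
    }
    session_unset();
    session_destroy();
    printf("Disconnected!");
    phpCAS::traceExit();
    exit;
}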
/**
 * Validate the PGT contained in a ticket-validation response; halt on failure.
 *
 * Looks for a <proxyGrantingTicket> element (the PGT Iou) in the parsed
 * response, loads the matching PGT with loadPGT() and stores it with setPGT().
 * Both failure cases (no Iou, or no PGT found for the Iou) are reported
 * through CASClient::authError(), which is expected to halt execution.
 *
 * @param string $validate_url  the URL of the request to the CAS server.
 * @param string $text_response the response of the CAS server, as is (XML
 *                              text); result of CASClient::validateST() or
 *                              CASClient::validatePT().
 * @param object $tree_response the response of the CAS server, as a DOM XML
 *                              tree; result of CASClient::validateST() or
 *                              CASClient::validatePT().
 *
 * @return bool TRUE when successful, halt otherwise by calling
 *              CASClient::authError().
 *
 * @private
 */
function validatePGT(&$validate_url, $text_response, $tree_response)
{
    // phpCAS::traceBegin()/traceEnd() cannot be used here alongside
    // domxml-php4-to-php5.php, hence the plain log lines.
    phpCAS::log('start validatePGT()');

    $pgtNodes = $tree_response->get_elements_by_tagname("proxyGrantingTicket");
    if (count($pgtNodes) == 0) {
        // Authentication succeeded, but no PGT Iou was transmitted.
        phpCAS::trace('<proxyGrantingTicket> not found');
        $this->authError(
            'Ticket validated but no PGT Iou transmitted',
            $validate_url, FALSE, FALSE, $text_response
        );
    } else {
        // PGT Iou transmitted: extract it and look up the PGT it stands for.
        $pgt_iou = trim($pgtNodes[0]->get_content());
        $pgt = $this->loadPGT($pgt_iou);
        if (!$pgt) {
            phpCAS::trace('could not load PGT');
            $this->authError(
                'PGT Iou was transmitted but PGT could not be retrieved',
                $validate_url, FALSE, FALSE, $text_response
            );
        }
        $this->setPGT($pgt);
    }

    phpCAS::log('end validatePGT()');
    return TRUE;
}
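/**
 * Assign iTop profiles to a user from the group names supplied by CAS/LDAP.
 *
 * Each group name is matched against the 'cas_profile_pattern' regex from the
 * configuration; capture group 1 is taken as an iTop profile name (compared
 * case-insensitively). When no group maps to a profile, the ';'-separated
 * 'cas_default_profiles' setting is used instead. If neither yields a valid
 * profile the user is left untouched and false is returned. Otherwise the
 * user's profile_list is replaced by the computed set and, if the user object
 * reports itself modified, it is inserted or updated under a CMDBChange.
 *
 * @param object $oUser   the iTop user object to update; must provide
 *                        GetName(), GetKey(), Set(), IsModified(), IsNew(),
 *                        DBInsertTracked() and DBUpdateTracked().
 * @param array  $aGroups group names received from CAS/LDAP.
 *
 * @return bool true when profiles were assigned, false when URP_Profiles is
 *              unavailable or no valid profile could be determined.
 */
protected static function SetProfilesFromCAS($oUser, $aGroups)
{
    if (!MetaModel::IsValidClass('URP_Profiles')) {
        phpCAS::log("URP_Profiles is not a valid class. Automatic creation of Users is not supported in this context, sorry.");
        return false;
    }

    // Read all the existing profiles, keyed by lower-cased profile name.
    $oProfilesSearch = new DBObjectSearch('URP_Profiles');
    $oProfilesSet = new DBObjectSet($oProfilesSearch);
    $aAllProfiles = array();
    while ($oProfile = $oProfilesSet->Fetch()) {
        $aAllProfiles[strtolower($oProfile->GetName())] = $oProfile->GetKey();
    }

    // Translate the CAS/LDAP group names into iTop profile ids. Several groups
    // may map to the same profile; each profile id is kept only once so that
    // no duplicate URP_UserProfile links are created.
    $aProfiles = array();
    $sPattern = (string) MetaModel::GetConfig()->Get('cas_profile_pattern');
    foreach ($aGroups as $sGroupName) {
        // preg_match() returns false for an empty/invalid pattern and 0 for no
        // match; $aMatches[1] exists only when the pattern has a capture group.
        if ($sPattern === '' || !preg_match($sPattern, $sGroupName, $aMatches)) {
            phpCAS::log("Info: The CAS group '{$sGroupName}' does not seem to match an iTop pattern. Ignored.");
            continue;
        }
        if (!isset($aMatches[1])) {
            phpCAS::log("Warning: 'cas_profile_pattern' matched group '{$sGroupName}' but has no capture group for the profile name. Ignored.");
            continue;
        }
        $sProfileKey = strtolower($aMatches[1]);
        if (!array_key_exists($sProfileKey, $aAllProfiles)) {
            phpCAS::log("Warning: {$aMatches[1]} is not a valid iTop profile (extracted from group name: '{$sGroupName}'). Ignored.");
            continue;
        }
        if (!in_array($aAllProfiles[$sProfileKey], $aProfiles, true)) {
            $aProfiles[] = $aAllProfiles[$sProfileKey];
            phpCAS::log("Info: Adding the profile '{$aMatches[1]}' from CAS.");
        }
    }

    if (count($aProfiles) == 0) {
        phpCAS::log("Info: The user '" . $oUser->GetName() . "' has no profiles retrieved from CAS. Default profile(s) will be used.");
        // Second attempt: check if there is/are valid default profile(s).
        $sCASDefaultProfiles = (string) MetaModel::GetConfig()->Get('cas_default_profiles');
        foreach (explode(';', $sCASDefaultProfiles) as $sDefaultProfileName) {
            // Tolerate whitespace around the ';' separators and an empty setting.
            $sDefaultProfileName = trim($sDefaultProfileName);
            if ($sDefaultProfileName === '') {
                continue;
            }
            $sProfileKey = strtolower($sDefaultProfileName);
            if (!array_key_exists($sProfileKey, $aAllProfiles)) {
                phpCAS::log("Warning: the default profile {$sDefaultProfileName} is not a valid iTop profile. Ignored.");
                continue;
            }
            if (!in_array($aAllProfiles[$sProfileKey], $aProfiles, true)) {
                $aProfiles[] = $aAllProfiles[$sProfileKey];
                phpCAS::log("Info: Adding the default profile '" . $aAllProfiles[$sProfileKey] . "' from CAS.");
            }
        }
        if (count($aProfiles) == 0) {
            phpCAS::log("Error: The user '" . $oUser->GetName() . "' has no profiles in iTop, and therefore cannot be created.");
            return false;
        }
    }

    // Now synchronize the profiles: the computed set replaces the current one.
    $oProfilesSet = DBObjectSet::FromScratch('URP_UserProfile');
    foreach ($aProfiles as $iProfileId) {
        $oLink = new URP_UserProfile();
        $oLink->Set('profileid', $iProfileId);
        $oLink->Set('reason', 'CAS/LDAP Synchro');
        $oProfilesSet->AddObject($oLink);
    }
    $oUser->Set('profile_list', $oProfilesSet);
    phpCAS::log("Info: the user '" . $oUser->GetName() . "' (id=" . $oUser->GetKey() . ") now has the following profiles: '" . implode("', '", $aProfiles) . "'.");

    // Persist only when something actually changed, attributing the write to
    // the synchronization so it shows up in the change history.
    if ($oUser->IsModified()) {
        $oMyChange = MetaModel::NewObject("CMDBChange");
        $oMyChange->Set("date", time());
        $oMyChange->Set("userinfo", 'CAS/LDAP Synchro');
        $oMyChange->DBInsert();
        if ($oUser->IsNew()) {
            $oUser->DBInsertTracked($oMyChange);
        } else {
            $oUser->DBUpdateTracked($oMyChange);
        }
    }
    return true;
}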
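/**
 * Log the current user out through phpCAS.
 *
 * When the session is authenticated, a diagnostic line is logged that says
 * whether phpCAS session data was present. The session contents themselves
 * are deliberately not written to the log: $_SESSION['phpCAS'] holds the
 * authenticated user, any attributes and proxy tickets, and serializing it
 * into the log file would leak them. Logout is then delegated to
 * phpCAS::logout().
 *
 * @return void
 */
public function logout()
{
    if (phpCAS::isSessionAuthenticated()) {
        if (isset($_SESSION['phpCAS'])) {
            phpCAS::log('Logout requested for an authenticated session');
        } else {
            // The previous message was logged unconditionally and appended the
            // serialized session; it now fires only when data is really missing.
            phpCAS::log('Logout requested, but no session data found for user');
        }
    }
    phpCAS::logout();
}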