setCasServerCACert() public static method

Set the CA certificate used to validate the CAS server and whether the certificate's CN should be properly verified.
public static setCasServerCACert ( string $cert, boolean $validate_cn = true ) : void
$cert string CA certificate file name
$validate_cn boolean Validate CN in certificate (default true)
return void
/**
 * Initialise phpCAS from $config and return the authenticated CAS user.
 *
 * @param object $config Settings object; properties read: cas_version, cashostname,
 *                       casport, casbaseuri, cas_server_ca_cert_path and
 *                       cas_server_no_validation.
 * @return string|false The CAS username when phpCAS::checkAuthentication() succeeds,
 *                      false otherwise (also when any Exception is thrown, which is
 *                      logged and passed to register_error()).
 */
function check_cas_result($config)
{
    require_once dirname(__DIR__) . '/vendor/autoload.php';
    try {
        // Fall back to CAS 2.0 when no protocol version is configured.
        $protocolVersion = $config->cas_version ?: CAS_VERSION_2_0;
        // Trailing false: phpCAS::client()'s changeSessionID flag stays off.
        phpCAS::client($protocolVersion, $config->cashostname, (int) $config->casport, $config->casbaseuri, false);
        // Ticket removal from the URL is handled by the caller, not by phpCAS.
        phpCAS::setNoClearTicketsFromUrl();
        if ($config->cas_server_ca_cert_path != "") {
            // A CA bundle is configured: the CAS server certificate is validated against it.
            phpCAS::setCasServerCACert($config->cas_server_ca_cert_path);
        } elseif ($config->cas_server_no_validation) {
            // No bundle and validation explicitly switched off: the CAS server
            // certificate is not validated.
            phpCAS::setNoCasServerValidation();
        }
        // NOTE(review): when neither branch runs (no bundle, validation not
        // disabled) no certificate policy is set at all — confirm phpCAS rejects that.
        if (!phpCAS::checkAuthentication()) {
            return false;
        }
        return phpCAS::getUser();
    } catch (Exception $e) {
        error_log("CAS ERROR: " . $e->getMessage());
        register_error($e->getMessage());
        return false;
    }
}
 /**
  * Reads the user_cas app settings and initialises the shared phpCAS client
  * once per request (guarded by the global $initialized_cas flag).
  *
  * Fills $this->autocreate, updateUserData, defaultGroup, protectedGroups,
  * mailMapping, displayNameMapping and groupMapping from the app config.
  */
 public function __construct()
 {
     // Placeholder server settings used until real ones are saved via the GUI.
     $defaultHost = 'your.domain.org';
     $defaultPort = '443';
     $defaultPath = '/cas';
     $this->autocreate = OCP\Config::getAppValue('user_cas', 'cas_autocreate', true);
     $this->updateUserData = OCP\Config::getAppValue('user_cas', 'cas_update_user_data', true);
     $this->defaultGroup = OCP\Config::getAppValue('user_cas', 'cas_default_group', '');
     // Comma-separated list; spaces are stripped before splitting.
     $this->protectedGroups = explode(',', str_replace(' ', '', OCP\Config::getAppValue('user_cas', 'cas_protected_groups', '')));
     $this->mailMapping = OCP\Config::getAppValue('user_cas', 'cas_email_mapping', '');
     $this->displayNameMapping = OCP\Config::getAppValue('user_cas', 'cas_displayName_mapping', '');
     $this->groupMapping = OCP\Config::getAppValue('user_cas', 'cas_group_mapping', '');
     $serverVersion = OCP\Config::getAppValue('user_cas', 'cas_server_version', '2.0');
     $serverHost = OCP\Config::getAppValue('user_cas', 'cas_server_hostname', $defaultHost);
     $serverPort = OCP\Config::getAppValue('user_cas', 'cas_server_port', $defaultPort);
     $serverPath = OCP\Config::getAppValue('user_cas', 'cas_server_path', $defaultPath);
     $caBundle = OCP\Config::getAppValue('user_cas', 'cas_cert_path', '');
     global $initialized_cas;
     if ($initialized_cas) {
         return;
     }
     phpCAS::client($serverVersion, $serverHost, (int) $serverPort, $serverPath, false);
     if (empty($caBundle)) {
         // No CA bundle configured: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     } else {
         // Validate the CAS server certificate against the configured bundle.
         phpCAS::setCasServerCACert($caBundle);
     }
     $initialized_cas = true;
 }
 /**
  * Initialises phpCAS and NXAPI from $config; must run before any other call.
  *
  * @param array $config Keys read: site, port, key_id; optional private_key and
  *                      ca_cert (file names resolved via static::resolve_filename()).
  * @param bool $changeSessionID Passed to phpCAS::client(); allows phpCAS to change
  *                              the session id, which Single Sign Out
  *                              (handleLogoutRequests) relies on.
  * @param string|null $debugLog Path of the phpCAS debug log; null leaves debugging off.
  * @throws NXAuthError When a configured private key cannot be opened.
  */
 public static function init($config, $changeSessionID = true, $debugLog = null)
 {
     if ($debugLog != null) {
         phpCAS::setDebug($debugLog);
     }
     phpCAS::client(CAS_VERSION_2_0, $config['site'], $config['port'], "cas", $changeSessionID);
     self::$config = $config;
     $privateKey = null;
     if (isset($config['private_key'])) {
         $key = static::resolve_filename($config['private_key']);
         $privateKey = openssl_get_privatekey("file:///{$key}");
         if ($privateKey === false) {
             throw new NXAuthError("Failed to open private key {$key}");
         }
     }
     $hasCaCert = isset($config['ca_cert']) && $config['ca_cert'] != null;
     if ($hasCaCert) {
         self::$ca_cert = static::resolve_filename($config['ca_cert']);
         phpCAS::setCasServerCACert(self::$ca_cert);
     } else {
         // Without a CA bundle the CAS server is not validated at all: the phpCAS
         // check is disabled and curl's peer and host verification are switched off.
         phpCAS::setNoCasServerValidation();
         phpCAS::setExtraCurlOption(CURLOPT_SSL_VERIFYHOST, 0);
         phpCAS::setExtraCurlOption(CURLOPT_SSL_VERIFYPEER, 0);
     }
     NXAPI::init(array(
         'private_key' => $privateKey,
         'key_id' => $config['key_id'],
         'url' => "https://" . $config['site'],
         'ca_cert' => self::$ca_cert,
     ));
 }
 /**
  * Loads the phpCAS library (if needed) and configures the client from the
  * user_cas app settings, once per process.
  *
  * @return bool true once phpCAS is initialised; false when the library at
  *              cas_php_cas_path could not be loaded.
  */
 public static function initialized_php_cas()
 {
     if (self::$_initialized_php_cas) {
         return self::$_initialized_php_cas;
     }
     $serverVersion = OCP\Config::getAppValue('user_cas', 'cas_server_version', '2.0');
     // Fallback host is $_SERVER['SERVER_NAME'], i.e. request/web-server supplied,
     // not a stored setting.
     $serverHost = OCP\Config::getAppValue('user_cas', 'cas_server_hostname', $_SERVER['SERVER_NAME']);
     $serverPort = OCP\Config::getAppValue('user_cas', 'cas_server_port', 443);
     $serverPath = OCP\Config::getAppValue('user_cas', 'cas_server_path', '/cas');
     $debugFile = OCP\Config::getAppValue('user_cas', 'cas_debug_file', '');
     $caBundle = OCP\Config::getAppValue('user_cas', 'cas_cert_path', '');
     $php_cas_path = OCP\Config::getAppValue('user_cas', 'cas_php_cas_path', 'CAS.php');
     if (!class_exists('phpCAS')) {
         if (empty($php_cas_path)) {
             $php_cas_path = 'CAS.php';
         }
         OC_Log::write('cas', "Try to load phpCAS library ({$php_cas_path})", OC_Log::DEBUG);
         // Library path comes from app config; a missing file leaves phpCAS undefined.
         include_once $php_cas_path;
         if (!class_exists('phpCAS')) {
             OC_Log::write('cas', 'Fail to load phpCAS library !', OC_Log::ERROR);
             return false;
         }
     }
     if ($debugFile !== '') {
         phpCAS::setDebug($debugFile);
     }
     phpCAS::client($serverVersion, $serverHost, (int) $serverPort, $serverPath, false);
     if (empty($caBundle)) {
         // No CA bundle configured: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     } else {
         phpCAS::setCasServerCACert($caBundle);
     }
     self::$_initialized_php_cas = true;
     return self::$_initialized_php_cas;
 }
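 /**
  * Loads the phpCAS library and configures the CAS client from getConfig().
  *
  * Config keys read: casldap_phpcas_path, cas_debug_file_path, cas_host,
  * cas_port (443 when empty), cas_context, cas_version (1, 2 or 3; anything
  * else selects CAS 2.0) and cas_server_ca_cert_path.
  *
  * @return bool|null true when phpCAS was already loaded (nothing to do);
  *                   null after a fresh initialisation.
  */
 private function init_cas_client()
 {
     if (class_exists('phpCAS')) {
         return true;
     }
     require getConfig('casldap_phpcas_path');
     $cas_debug_file = getConfig('cas_debug_file_path');
     if (!empty($cas_debug_file)) {
         phpCAS::setDebug($cas_debug_file);
     }
     $cas_host = getConfig('cas_host');
     // Was `getConfig('cas_port') or 443`: `or` binds looser than `=`, so the
     // assignment happened first and the 443 default was never applied.
     $cas_port = getConfig('cas_port') ?: 443;
     $cas_context = getConfig('cas_context');
     switch (getConfig('cas_version')) {
         case 1:
             $cas_version = CAS_VERSION_1_0;
             break;
         case 2:
             $cas_version = CAS_VERSION_2_0;
             break;
         case 3:
             $cas_version = CAS_VERSION_3_0;
             break;
         default:
             $cas_version = CAS_VERSION_2_0;
             break;
     }
     phpCAS::client($cas_version, $cas_host, intval($cas_port), $cas_context);
     $cas_server_ca_cert_path = getConfig('cas_server_ca_cert_path');
     if ($cas_server_ca_cert_path) {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($cas_server_ca_cert_path);
     } else {
         // No CA bundle configured: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     }
 }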
 /**
  * Configures the phpCAS client with fixed UC Davis CAS settings, then
  * delegates to the parent constructor.
  *
  * Host, context, port and CA bundle path are written into $this->settings
  * here; the $settings argument is only forwarded to the parent.
  */
 public function __construct(ComponentCollection $collection, $settings)
 {
     $casDefaults = array(
         'host' => 'cas.ucdavis.edu',
         'context' => '/cas',
         'port' => 443,
         'ca_cert_path' => '/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt',
     );
     foreach ($casDefaults as $key => $value) {
         $this->settings[$key] = $value;
     }
     phpCAS::client(CAS_VERSION_2_0, $this->settings['host'], $this->settings['port'], $this->settings['context']);
     // The CAS server certificate is validated against this CA bundle.
     phpCAS::setCasServerCACert($this->settings['ca_cert_path']);
     parent::__construct($collection, $settings);
 }
/**
 * Configures the phpCAS client for the SAML 1.1 protocol.
 *
 * @param string     $host                CAS server host name
 * @param int|string $port                CAS server port (passed through intval())
 * @param string     $context             CAS base URI on the server
 * @param string     $CA_certificate_file Path of the CA bundle used to validate the
 *                                        CAS server; a falsy value disables validation.
 * @return void
 */
function initPhpCAS($host, $port, $context, $CA_certificate_file)
{
    // Trailing false: phpCAS::client()'s changeSessionID flag stays off.
    phpCAS::client(SAML_VERSION_1_1, $host, intval($port), $context, false);
    if (!$CA_certificate_file) {
        // No CA bundle: the CAS server certificate is not validated.
        phpCAS::setNoCasServerValidation();
        return;
    }
    phpCAS::setCasServerCACert($CA_certificate_file);
}
 /**
  * Stores the configuration. Calls the parent configuration first,
  * then validates and applies the CAS and CASDirectory settings.
  *
  * Properties read: DISPLAY_NAME_FORMAT, CAS_DEBUG_PATH (optional), CAS_HOST,
  * CAS_PORT, CAS_PATH, CAS_CERT (optional), CASDIRECTORY_BASE_URL,
  * CASDIRECTORY_ADMIN_ACCESS, CASDIRECTORY_CLASS_ROOT (optional),
  * CASDIRECTORY_GROUP_ID_REGEX (optional), ROOT_GROUPS.
  *
  * @param object Properties $configuration
  * @return object
  * @access public
  * @since 3/24/05
  */
 function assignConfiguration(Properties $configuration)
 {
     parent::assignConfiguration($configuration);
     // The display name format must contain at least one [[placeholder]].
     $format = $configuration->getProperty('DISPLAY_NAME_FORMAT');
     ArgumentValidator::validate($format, RegexValidatorRule::getRule('/\\[\\[([^]]+)\\]\\]/'));
     $this->displayNameFormat = $format;
     if ($debug = $configuration->getProperty('CAS_DEBUG_PATH')) {
         ArgumentValidator::validate($debug, StringValidatorRule::getRule());
         phpCAS::setDebug($debug);
     }
     $host = $configuration->getProperty('CAS_HOST');
     // Accepts exactly three lower-case alphanumeric labels; note the middle
     // separator is an unescaped `.` and therefore matches any single character.
     ArgumentValidator::validate($host, RegexValidatorRule::getRule('/^[a-z0-9]+\\.[a-z0-9]+.[a-z]+$/'));
     $port = $configuration->getProperty('CAS_PORT');
     ArgumentValidator::validate($port, RegexValidatorRule::getRule('/^[0-9]+$/'));
     $path = $configuration->getProperty('CAS_PATH');
     ArgumentValidator::validate($path, RegexValidatorRule::getRule('/^\\/.*$/'));
     // Trailing false: phpCAS::client()'s changeSessionID flag stays off.
     phpCAS::client(CAS_VERSION_2_0, $host, intval($port), $path, false);
     if ($cert = $configuration->getProperty('CAS_CERT')) {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($cert);
     } else {
         // No CAS_CERT: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     }
     // Allow group lookup via a CASDirectory:
     // https://mediawiki.middlebury.edu/wiki/LIS/CAS_Directory
     $dirUrl = $configuration->getProperty('CASDIRECTORY_BASE_URL');
     ArgumentValidator::validate($dirUrl, StringValidatorRule::getRule());
     $this->directoryUrl = $dirUrl;
     // set the callback URL for the PGT to be sent to. This must be an https url
     // whose certificate is trusted by CAS.
     // 		$callbackUrl = $configuration->getProperty('CALLBACK_URL');
     // 		ArgumentValidator::validate($callbackUrl, RegexValidatorRule::getRule('/^https:\/\/.*$/'));
     // 		phpCAS::setFixedCallbackURL($callbackUrl);
     $adminAccess = $configuration->getProperty('CASDIRECTORY_ADMIN_ACCESS');
     ArgumentValidator::validate($adminAccess, StringValidatorRule::getRule());
     $this->adminAccess = $adminAccess;
     // Optional: null when not configured.
     $classRoot = $configuration->getProperty('CASDIRECTORY_CLASS_ROOT');
     if ($classRoot) {
         ArgumentValidator::validate($classRoot, StringValidatorRule::getRule());
         $this->classRoot = $classRoot;
     } else {
         $this->classRoot = null;
     }
     // Optional: null when not configured.
     $groupIdRegex = $configuration->getProperty('CASDIRECTORY_GROUP_ID_REGEX');
     if ($groupIdRegex) {
         ArgumentValidator::validate($groupIdRegex, StringValidatorRule::getRule());
         $this->groupIdRegex = $groupIdRegex;
     } else {
         $this->groupIdRegex = null;
     }
     // Root Groups to expose (array of strings, duplicates dropped)
     ArgumentValidator::validate($configuration->getProperty('ROOT_GROUPS'), ArrayValidatorRuleWithRule::getRule(StringValidatorRule::getRule()));
     $this->rootGroups = array_unique($configuration->getProperty('ROOT_GROUPS'));
 }
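 /**
  * Configures phpCAS from $this->options: debug log, client, logout handling
  * and the CAS server certificate policy.
  */
 private function setCASSettings()
 {
     if ($this->options->IsCasDebugOn()) {
         phpCAS::setDebug($this->options->DebugFile());
     }
     phpCAS::client($this->options->CasVersion(), $this->options->HostName(), $this->options->Port(), $this->options->ServerUri(), $this->options->ChangeSessionId());
     if ($this->options->CasHandlesLogouts()) {
         phpCAS::handleLogoutRequests(true, $this->options->LogoutServers());
     }
     if ($this->options->HasCertificate()) {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($this->options->Certificate());
     } else {
         // Only when no certificate is configured. This call previously ran
         // unconditionally, after setCasServerCACert(), which is misleading and,
         // depending on the phpCAS version, may have disabled validation.
         phpCAS::setNoCasServerValidation();
     }
 }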
 /**
  * Creates the shared phpCAS client from the global $cas_cfg array, once per
  * process (guarded by self::$initialized).
  */
 function __construct()
 {
     if (self::$initialized) {
         return;
     }
     global $cas_cfg;
     phpCAS::client(CAS_VERSION_2_0, $cas_cfg['host'], $cas_cfg['port'], $cas_cfg['context']);
     if (!isset($cas_cfg['server_ca_cert'])) {
         // No 'server_ca_cert' entry: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     } else {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($cas_cfg['server_ca_cert']);
     }
     self::$initialized = true;
 }
 /**
  * Stores the component collection and configures phpCAS from the CAS.*
  * Configure keys (debug_log_enabled, hostname, port, uri, cert_path).
  *
  * $settings is accepted for interface compatibility and not used here.
  */
 function __construct($collection, $settings)
 {
     $this->_Collection = $collection;
     if (Configure::read('CAS.debug_log_enabled')) {
         phpCAS::setDebug(TMP . 'phpCas.log.txt');
     }
     $hostname = Configure::read('CAS.hostname');
     $port = Configure::read('CAS.port');
     $uri = Configure::read('CAS.uri');
     phpCAS::client(CAS_VERSION_2_0, $hostname, $port, $uri);
     $caBundle = Configure::read('CAS.cert_path');
     if (!empty($caBundle)) {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($caBundle);
     } else {
         // No CAS.cert_path: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     }
 }
 /**
  * Creates the shared phpCAS client from the global $cas_cfg array once per
  * process (guarded by self::$initialized) and sets the Spring locale cookie
  * from the current PHP locale.
  */
 function __construct()
 {
     if (self::$initialized) {
         return;
     }
     global $cas_cfg;
     phpCAS::client(CAS_VERSION_2_0, $cas_cfg['host'], $cas_cfg['port'], $cas_cfg['context']);
     if (!isset($cas_cfg['server_ca_cert'])) {
         // No 'server_ca_cert' entry: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     } else {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($cas_cfg['server_ca_cert']);
     }
     // Language part of the current locale (text before the first '_'), sent as
     // a session cookie on '/'.
     setcookie('org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE', explode('_', setlocale(LC_ALL, '0'))[0], 0, '/');
     self::$initialized = true;
 }
 /**
  * Initializes the authority from an associative array of arguments.
  *
  * @param array $args Argument list; which keys apply depends on the authority.
  *
  * General - Required keys:
  *   TITLE => Human readable title of the authority
  *   INDEX => Tag identifying this authority @see AuthenticationAuthority::getAuthenticationAuthority
  *
  * General - Optional keys:
  *   LOGGEDIN_IMAGE_URL => URL of an image/badge shown next to the user name when logged in
  *
  * CAS - Required keys:
  *   CAS_PROTOCOL => Protocol to use; equivalent to one of the phpCAS constants, e.g. "2.0":
  *                   CAS_VERSION_1_0 => '1.0', CAS_VERSION_2_0 => '2.0', SAML_VERSION_1_1 => 'S1'
  *   CAS_HOST     => Host name of the CAS server, e.g. "cas.example.edu"
  *   CAS_PORT     => Port the CAS server listens on, e.g. "443"
  *   CAS_PATH     => Path of the CAS application, e.g. "/cas/"
  *   CAS_CA_CERT  => Filesystem path of the CA certificate used to validate the CAS
  *                   server, e.g. "/etc/tls/pki/certs/my_ca_cert.crt". If empty, the
  *                   CAS server certificate is NOT validated (not recommended for production).
  *
  * CAS - Optional keys (only apply when the CAS server returns attributes in a
  * SAML-1.1 or CAS-2.0 response):
  *   CAS_PHPCAS_PATH  => Directory containing CAS.php; when empty, CAS.php is loaded from the include path
  *   ATTRA_EMAIL      => Attribute name for the user's email address, e.g. "email"
  *   ATTRA_FIRST_NAME => Attribute name for the user's first name, e.g. "givename"
  *   ATTRA_LAST_NAME  => Attribute name for the user's last name, e.g. "surname"
  *   ATTRA_FULL_NAME  => Attribute name for the user's full name, e.g. "displayname"
  *   ATTRA_MEMBER_OF  => Attribute name for the user's groups, e.g. "memberof"
  *
  * NOTE: Any subclass MUST call parent::init($args) to ensure proper operation
  *
  * @throws KurogoConfigurationException when CAS_PROTOCOL, CAS_HOST, CAS_PORT or CAS_PATH is empty.
  */
 public function init($args)
 {
     parent::init($args);
     // Load phpCAS from the configured directory, or from the include path.
     $phpCasFile = empty($args['CAS_PHPCAS_PATH']) ? 'CAS.php' : $args['CAS_PHPCAS_PATH'] . '/CAS.php';
     require_once $phpCasFile;
     foreach (array('CAS_PROTOCOL', 'CAS_HOST', 'CAS_PORT', 'CAS_PATH') as $requiredKey) {
         if (empty($args[$requiredKey])) {
             throw new KurogoConfigurationException($requiredKey . ' value not set for ' . $this->AuthorityTitle);
         }
     }
     // Trailing false: phpCAS::client()'s changeSessionID flag stays off.
     phpCAS::client($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);
     if (!empty($args['CAS_CA_CERT'])) {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($args['CAS_CA_CERT']);
     } else {
         // No CA bundle: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     }
     // Record any attribute mapping configured (including group membership).
     $attributeMap = array(
         'Email' => 'ATTRA_EMAIL',
         'FirstName' => 'ATTRA_FIRST_NAME',
         'LastName' => 'ATTRA_LAST_NAME',
         'FullName' => 'ATTRA_FULL_NAME',
         'MemberOf' => 'ATTRA_MEMBER_OF',
     );
     foreach ($attributeMap as $field => $argKey) {
         if (!empty($args[$argKey])) {
             CASUser::mapAttribute($field, $args[$argKey]);
         }
     }
 }
 /**
  * Builds the phpCAS client from the plugin config and either starts CAS
  * authentication (redirect) or, when already authenticated, fills in the
  * user, email and name fields.
  *
  * @param string|null $service_url When given, pinned as the CAS service URL
  *                                 (the osTicket login page).
  */
 public function triggerAuth($service_url = null)
 {
     $config = $this->config;
     self::buildClient($config->get('cas-hostname'), $config->get('cas-port'), $config->get('cas-context'));
     // Pin the service URL so CAS redirects back to the login page.
     if ($service_url) {
         phpCAS::setFixedServiceURL($service_url);
     }
     $caCertPath = $config->get('cas-ca-cert-path');
     if ($caCertPath) {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($caCertPath);
     } else {
         // No bundle configured: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     }
     if (phpCAS::isAuthenticated()) {
         $this->setUser();
         $this->setEmail();
         $this->setName();
         return;
     }
     phpCAS::forceAuthentication();
 }
    /**
     * Loads the CodeIgniter `cas` config, requires phpCAS from the configured
     * directory and configures the client from `cas_server_url`.
     *
     * Config items read: phpcas_path, cas_server_url, cas_debug,
     * cas_disable_server_validation, cas_server_ca_cert. Configuration errors
     * are reported through show_error()/_cas_show_config_error().
     */
    public function __construct()
    {
        // phpCAS talks to the server through curl; refuse to continue without it.
        if (!function_exists('curl_init')) {
            show_error('<strong>ERROR:</strong> You need to install the PHP module
				<strong><a href="http://php.net/curl">curl</a></strong> to be able
				to use CAS authentication.');
        }
        $CI =& get_instance();
        $this->CI = $CI;
        $CI->config->load('cas');
        $this->phpcas_path = $CI->config->item('phpcas_path');
        $this->cas_server_url = $CI->config->item('cas_server_url');
        // Both the library path and a syntactically valid server URL are required.
        if (empty($this->phpcas_path) or filter_var($this->cas_server_url, FILTER_VALIDATE_URL) === FALSE) {
            $this->_cas_show_config_error();
        }
        $cas_lib_file = $this->phpcas_path . '/CAS.php';
        if (!file_exists($cas_lib_file)) {
            show_error("<strong>ERROR:</strong> Could not find a file <em>CAS.php</em> in directory\n\t\t\t\t<strong>{$this->phpcas_path}</strong><br /><br />\n\t\t\t\tPlease, check your config file <strong>config/cas.php</strong> and make sure the\n\t\t\t\tconfiguration <em>phpcas_path</em> is a valid phpCAS installation.");
        }
        require_once $cas_lib_file;
        if ($CI->config->item('cas_debug')) {
            phpCAS::setDebug();
        }
        // init CAS client: host/port/path are taken from the configured URL,
        // with port 443 and an empty path as defaults. Trailing false keeps
        // phpCAS::client()'s changeSessionID flag off.
        $defaults = array('path' => '', 'port' => 443);
        $cas_url = array_merge($defaults, parse_url($this->cas_server_url));
        phpCAS::client(CAS_VERSION_2_0, $cas_url['host'], $cas_url['port'], $cas_url['path'], false);
        // configures SSL behavior: either validation is explicitly disabled, or a
        // CA bundle is mandatory (its absence is treated as a config error).
        if ($CI->config->item('cas_disable_server_validation')) {
            phpCAS::setNoCasServerValidation();
        } else {
            $ca_cert_file = $CI->config->item('cas_server_ca_cert');
            if (empty($ca_cert_file)) {
                $this->_cas_show_config_error();
            }
            phpCAS::setCasServerCACert($ca_cert_file);
        }
    }
 /**
  * Connect to the CAS server (client or proxy mode), apply Moodle's HTTP proxy
  * settings to phpCAS's curl transport and choose the certificate policy.
  *
  * The phpCAS client/proxy is created only once per process (static guard);
  * proxy and certificate options are re-applied on every call.
  */
 function connectCAS()
 {
     global $CFG;
     static $clientReady = false;
     if (!$clientReady) {
         // Trailing false: phpCAS must not start/alter the PHP session when connecting.
         if ($this->config->proxycas) {
             phpCAS::proxy($this->config->casversion, $this->config->hostname, (int) $this->config->port, $this->config->baseuri, false);
         } else {
             phpCAS::client($this->config->casversion, $this->config->hostname, (int) $this->config->port, $this->config->baseuri, false);
         }
         $clientReady = true;
     }
     // Moodle-level HTTP proxy: phpCAS needs matching curl options unless the
     // CAS host is on the bypass list.
     if (!empty($CFG->proxyhost) && !is_proxybypass($this->config->hostname)) {
         phpCAS::setExtraCurlOption(CURLOPT_PROXY, $CFG->proxyhost);
         if (!empty($CFG->proxyport)) {
             phpCAS::setExtraCurlOption(CURLOPT_PROXYPORT, $CFG->proxyport);
         }
         // curl defaults to an HTTP proxy; only SOCKS5 needs an explicit type.
         if (!empty($CFG->proxytype) && $CFG->proxytype == 'SOCKS5') {
             phpCAS::setExtraCurlOption(CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
         }
         if (!empty($CFG->proxyuser) && !empty($CFG->proxypassword)) {
             phpCAS::setExtraCurlOption(CURLOPT_PROXYUSERPWD, $CFG->proxyuser . ':' . $CFG->proxypassword);
             if (defined('CURLOPT_PROXYAUTH')) {
                 // Proxy authentication (constant available from PHP 5.1).
                 phpCAS::setExtraCurlOption(CURLOPT_PROXYAUTH, CURLAUTH_BASIC | CURLAUTH_NTLM);
             }
         }
     }
     $validateServer = $this->config->certificate_check && $this->config->certificate_path;
     if ($validateServer) {
         // Validate the CAS server certificate against the configured CA bundle.
         phpCAS::setCasServerCACert($this->config->certificate_path);
     } else {
         // Check disabled or no bundle path: the CAS server certificate is not validated.
         phpCAS::setNoCasServerValidation();
     }
 }
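/**
 * Authenticates the current request against a CAS server (SAML 1.1 protocol).
 *
 * @param string          $auth        Auth method id passed to get_auth_settings() when $new is false.
 * @param bool            $new         true to use the explicit $cas_* arguments instead of stored settings.
 * @param string|null     $cas_host    CAS host (used when $new is true).
 * @param int|string|null $cas_port    CAS port (used when $new is true); 443 is omitted from the displayed URL.
 * @param string|null     $cas_context CAS base URI (used when $new is true).
 * @param string|null     $cas_cachain Path of a readable CA chain file; when missing or unreadable,
 *                                     server validation is disabled and $ret['error'] is set.
 * @return array|null Keys: 'message', optionally 'error' and 'attrs'
 *                    (phpCAS::getAttributes()); null when no stored settings exist.
 */
function cas_authenticate($auth, $new = false, $cas_host = null, $cas_port = null, $cas_context = null, $cas_cachain = null)
{
    global $langConnectWith, $langNotSSL;
    // SESSION does not exist if user has not been authenticated
    $ret = array();
    // Stored settings; stays null when $new is true (previously left undefined).
    $cas = null;
    if (!$new) {
        $cas = get_auth_settings($auth);
        if ($cas) {
            $cas_host = $cas['cas_host'];
            $cas_port = $cas['cas_port'];
            $cas_context = $cas['cas_context'];
            $cas_cachain = $cas['cas_cachain'];
        }
    }
    if (!$new && !$cas) {
        return null;
    }
    $cas_port = intval($cas_port);
    $cas_url = 'https://' . $cas_host;
    if ($cas_port !== 443) {
        $cas_url .= ':' . $cas_port;
    }
    $cas_url .= $cas_context;
    // Initialize phpCAS - keep session in application (changeSessionID = FALSE)
    $ret['message'] = "{$langConnectWith} {$cas_url}";
    phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context, FALSE);
    // Validate the CAS server certificate against the CA chain when one is readable.
    if (!empty($cas_cachain) && is_readable($cas_cachain)) {
        phpCAS::setCasServerCACert($cas_cachain);
    } else {
        // No usable CA chain: server validation is disabled and the caller is told.
        phpCAS::setNoCasServerValidation();
        $ret['error'] = "{$langNotSSL}";
    }
    // Single Sign Out (phpCAS::handleLogoutRequests) is not enabled here.
    // Force CAS authentication on any page that includes this file
    phpCAS::forceAuthentication();
    if (phpCAS::checkAuthentication()) {
        $ret['attrs'] = phpCAS::getAttributes();
    }
    return $ret;
}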
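 /**
  * Validate this user's credentials against CAS.
  *
  * @param  array $auth_settings Plugin settings; keys read: cas_host, cas_port, cas_path.
  * @return array|WP_Error Array with 'email' and 'authenticated_by' for the
  *                        successfully authenticated user, or a WP_Error on failure.
  */
 private function custom_authenticate_cas($auth_settings)
 {
     // Move on if CAS hasn't been requested here.
     if (empty($_GET['external']) || $_GET['external'] !== 'cas') {
         return new WP_Error('cas_not_available', 'CAS is not enabled.');
     }
     // Set the CAS client configuration
     phpCAS::client(SAML_VERSION_1_1, $auth_settings['cas_host'], intval($auth_settings['cas_port']), $auth_settings['cas_path']);
     // Refresh the bundled CA store when it is missing or older than 90 days,
     // then use it to validate the CAS server certificate.
     $cacert_path = plugin_dir_path(__FILE__) . 'inc/cacert.pem';
     // Fetched over HTTPS: this file becomes the trust root for CAS ticket
     // validation, so it must not be obtainable over plain HTTP.
     $cacert_url = 'https://curl.haxx.se/ca/cacert.pem';
     $time_90_days = 90 * 24 * 60 * 60; // days * hours * minutes * seconds
     $time_90_days_ago = time() - $time_90_days;
     if (!file_exists($cacert_path) || filemtime($cacert_path) < $time_90_days_ago) {
         $cacert_contents = file_get_contents($cacert_url);
         // Install only content that looks like a PEM bundle, and report a failed
         // write instead of silently keeping the stale store.
         if ($cacert_contents === false
             || strpos($cacert_contents, '-----BEGIN CERTIFICATE-----') === false
             || file_put_contents($cacert_path, $cacert_contents) === false
         ) {
             return new WP_Error('cannot_update_cacert', 'Unable to update outdated server certificates from ' . $cacert_url . '.');
         }
     }
     phpCAS::setCasServerCACert($cacert_path);
     // Authenticate against CAS (forceAuthentication redirects, so stop here).
     if (!phpCAS::isAuthenticated()) {
         phpCAS::forceAuthentication();
         die;
     }
     // Get the TLD from the CAS host for use in matching email addresses
     // For example: example.edu is the TLD for authn.example.edu, so user
     // 'bob' will have the following email address: bob@example.edu.
     $tld = preg_match('/[^.]*\\.[^.]*$/', $auth_settings['cas_host'], $matches) === 1 ? $matches[0] : '';
     // Get username that successfully authenticated against the external service (CAS).
     $externally_authenticated_email = strtolower(phpCAS::getUser()) . '@' . $tld;
     // We'll track how this user was authenticated in user meta.
     $authenticated_by = 'cas';
     return array('email' => $externally_authenticated_email, 'authenticated_by' => $authenticated_by);
 }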
 */
// Load the settings from the central config file
require_once 'config.php';
// Load the CAS lib
require_once $phpcas_path . '/CAS.php';
// phpCAS debug logging is switched on unconditionally here.
phpCAS::setDebug();
// Verbose error messages are switched off (false); keep them off in production.
phpCAS::setVerbose(false);
// Harden session cookie to prevent some attacks on the cookie (e.g. XSS)
session_set_cookie_params($client_lifetime, $client_path, $client_domain, $client_secure, $client_httpOnly);
// Initialize phpCAS
phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
// Validate the CAS server certificate against the CA bundle that issued it
// (required for production use).
phpCAS::setCasServerCACert($cas_server_ca_cert_path);
// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
// phpCAS::setNoCasServerValidation();
// Handle SAML logout requests that emanate from the CAS host exclusively.
// Failure to restrict SAML logout requests to authorized hosts could
// allow denial of service attacks where at the least the server is
// tied up parsing bogus XML messages.
phpCAS::handleLogoutRequests(true, $cas_real_hosts);
// Force CAS authentication on any page that includes this file
phpCAS::forceAuthentication();
// Some small code triggered by the logout button
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
/**
    Etablis le status de visiteur si non connecté
     **/
if (!isset($_SESSION['rang'])) {
    $_SESSION['rang'] = 0;
}
/**
		Récupération des informations sur la page actuelle
	**/
if ($currentPageData = getCurrentPageData()) {
    if ($currentPageData['fullRight'][$_SESSION['rang']] == 0) {
        // On invite l'utilisateur à se connecter au CAS
        phpCAS::client(CAS_VERSION_2_0, CAS_SERVER_URI, (int) constant('CAS_SERVER_PORT'), '');
        phpCAS::setServerServiceValidateURL(CAS_SERVER_VALIDATEURI);
        if (is_file(CAS_SERVER_CERTIFICATPATH)) {
            phpCAS::setCasServerCACert(CAS_SERVER_CERTIFICATPATH);
        } else {
            phpCAS::setNoCasServerValidation();
        }
        phpCAS::forceAuthentication();
        if (phpCAS::getUser()) {
            //Si l'utilisateur s'est connecté
            // Récupération des données serveur
            $test = phpCAS::checkAuthentication();
            // Récupération des données utilisateur
            $sql = 'SELECT * FROM user WHERE nbEtudiant = :nbEtu LIMIT 1';
            $res = $db->prepare($sql);
            $res->execute(array('nbEtu' => phpCAS::getUser()));
            if ($res_f = $res->fetch()) {
                $_SESSION['id'] = $res_f['id'];
                $_SESSION['nom'] = $res_f['nom'];
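 /**
  * Try to authenticate the current request through CAS.
  *
  * When the login page is modified by this plugin, the AUTHENTICATE_BY_CAS /
  * LOGGED_IN_BY_CAS session flags and the request variables (ticket, pgtIou,
  * put_action_enable_redirect) decide first whether the CAS flow applies to
  * this request. phpCAS is then initialised in the configured mode (client or
  * proxy), authentication is forced and the CAS user is logged into
  * AuthService, being created beforehand when autocreation is enabled.
  *
  * @param array $httpVars request variables (by reference; only read here)
  * @param bool  $isLast   unused, kept for interface compatibility
  * @return bool true when the CAS user was logged in, false otherwise
  */
 function tryToLogUser(&$httpVars, $isLast = false)
 {
     if (isset($_SESSION["CURRENT_MINISITE"])) {
         return false;
     }
     $this->loadConfig();
     $flag = isset($_SESSION['AUTHENTICATE_BY_CAS']) ? $_SESSION['AUTHENTICATE_BY_CAS'] : 0;
     $pgtIou = !empty($httpVars['pgtIou']);
     $logged = isset($_SESSION['LOGGED_IN_BY_CAS']);
     $enre = !empty($httpVars['put_action_enable_redirect']);
     $ticket = !empty($httpVars['ticket']);
     $pgt = !empty($_SESSION['phpCAS']['pgt']);
     $clientModeTicketPendding = isset($_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING']);
     if ($this->cas_modify_login_page) {
         // Decide whether CAS handles this request; first matching branch wins.
         // (A former "$logged && $pgtIou" branch was unreachable: every pgtIou
         // request is already caught by the "$pgtIou || $pgt" branch.)
         if ($flag == 0 && $enre && !$logged && !$pgtIou) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
         } elseif ($flag == 1 && !$enre && !$logged && !$pgtIou && !$ticket && !$pgt) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 0;
         } elseif ($flag == 1 && $enre && !$logged && !$pgtIou) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
         } elseif ($pgtIou || $pgt) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
         } elseif ($ticket) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
             $_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING'] = 1;
         } else {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 0;
         }
         if ($_SESSION['AUTHENTICATE_BY_CAS'] < 1) {
             if ($clientModeTicketPendding) {
                 unset($_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING']);
             } else {
                 return false;
             }
         }
     }
     switch ($this->cas_mode) {
         case PHPCAS_MODE_CLIENT:
             if (!$this->checkConfigurationForClientMode()) {
                 AJXP_Logger::error(__FUNCTION__, "Could not start phpCAS mode CLIENT, please verify the configuration", "");
                 return false;
             }
             AJXP_Logger::info(__FUNCTION__, "Start phpCAS mode Client: ", "sucessfully");
             phpCAS::client(CAS_VERSION_2_0, $this->cas_server, $this->cas_port, $this->cas_uri, false);
             $this->configureCasServerValidation();
             $this->configureCasDebugLog();
             phpCAS::forceAuthentication();
             break;
         case PHPCAS_MODE_PROXY:
             // From the login page the user clicks "login via CAS" and the page is
             // reloaded with the redirect flag set; the module may also be
             // configured to always redirect to the CAS login page.
             if (!$this->checkConfigurationForProxyMode()) {
                 AJXP_Logger::error(__FUNCTION__, "Could not start phpCAS mode PROXY, please verify the configuration", "");
                 return false;
             }
             AJXP_Logger::info(__FUNCTION__, "Start phpCAS mode Proxy: ", "sucessfully");
             phpCAS::proxy(CAS_VERSION_2_0, $this->cas_server, $this->cas_port, $this->cas_uri, false);
             $this->configureCasServerValidation();
             $this->configureCasDebugLog();
             if (!empty($this->cas_setFixedCallbackURL)) {
                 phpCAS::setFixedCallbackURL($this->cas_setFixedCallbackURL);
             }
             // PGT storage is configured before authentication is forced
             $this->setPTGStorage();
             phpCAS::forceAuthentication();
             // Get a proxy ticket (PT) for the configured proxied service, e.g.
             // SAMBA authenticating at CAS via pam_cas. Any service enabled on
             // the CAS side would do.
             $err_code = null;
             $serviceURL = $this->cas_proxied_service;
             AJXP_Logger::debug(__FUNCTION__, "Try to get proxy ticket for service: ", $serviceURL);
             $proxyTicket = phpCAS::serviceSMB($serviceURL, $err_code);
             if (!empty($proxyTicket)) {
                 $_SESSION['PROXYTICKET'] = $proxyTicket;
                 AJXP_Logger::info(__FUNCTION__, "Get Proxy ticket successfully ", "");
             } else {
                 AJXP_Logger::info(__FUNCTION__, "Could not get Proxy ticket. ", "");
             }
             break;
         default:
             return false;
     }
     AJXP_Logger::debug(__FUNCTION__, "Call phpCAS::getUser() after forceAuthentication ", "");
     $cas_user = phpCAS::getUser();
     if (!AuthService::userExists($cas_user) && $this->is_AutoCreateUser) {
         // Random password: presumably never used since CAS does the
         // authentication, it only satisfies the createUser() API — confirm.
         AuthService::createUser($cas_user, openssl_random_pseudo_bytes(20));
     }
     if (AuthService::userExists($cas_user)) {
         // Third argument true: presumably skips the local password check
         // because CAS already authenticated the user — verify in AuthService.
         $res = AuthService::logUser($cas_user, "", true);
         if ($res > 0) {
             // In client mode, or when the PT request failed, no proxy ticket exists.
             $storedProxyTicket = isset($_SESSION['PROXYTICKET']) ? $_SESSION['PROXYTICKET'] : null;
             AJXP_Safe::storeCredentials($cas_user, $storedProxyTicket);
             $_SESSION['LOGGED_IN_BY_CAS'] = true;
             if (!empty($this->cas_additional_role)) {
                 $userObj = ConfService::getConfStorageImpl()->createUserObject($cas_user);
                 $userObj->addRole(AuthService::getRole($this->cas_additional_role, true));
                 AuthService::updateUser($userObj);
             }
             return true;
         }
     }
     return false;
 }

 /**
  * Configure how phpCAS verifies the CAS server's TLS certificate.
  *
  * With cas_certificate_path set, the server certificate is checked against
  * that CA bundle. Otherwise server validation is disabled entirely, which the
  * phpCAS documentation describes as acceptable for testing only.
  */
 private function configureCasServerValidation()
 {
     if (!empty($this->cas_certificate_path)) {
         phpCAS::setCasServerCACert($this->cas_certificate_path);
     } else {
         phpCAS::setNoCasServerValidation();
     }
 }

 /**
  * Point phpCAS debug output at the configured file, or at a per-day file
  * under AJXP_DATA_PATH/logs when no file is configured.
  * Does nothing unless cas_debug_mode is set.
  */
 private function configureCasDebugLog()
 {
     if (!$this->cas_debug_mode) {
         return;
     }
     if (!empty($this->cas_debug_file)) {
         $file_path = $this->cas_debug_file;
     } else {
         // logfile name by date (getdate()['month'] is the month's name)
         $today = getdate();
         $file_path = AJXP_DATA_PATH . '/logs/phpcas_' . $today['year'] . '-' . $today['month'] . '-' . $today['mday'] . '.txt';
     }
     phpCAS::setDebug($file_path);
 }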
 /**
  * Connect to the CAS server, either as a plain client or as a CAS proxy
  * (config->proxycas), then choose how its TLS certificate is verified.
  *
  * The global $PHPCAS_CLIENT tells whether phpCAS was already initialised in
  * this request; the last argument (false) keeps phpCAS from starting its own
  * PHP session.
  */
 function connectCAS()
 {
     global $PHPCAS_CLIENT;
     $cfg = $this->config;
     if (!is_object($PHPCAS_CLIENT)) {
         if ($cfg->proxycas) {
             phpCAS::proxy($cfg->casversion, $cfg->hostname, (int) $cfg->port, $cfg->baseuri, false);
         } else {
             phpCAS::client($cfg->casversion, $cfg->hostname, (int) $cfg->port, $cfg->baseuri, false);
         }
     }
     $verifyServer = $cfg->certificate_check && $cfg->certificate_path;
     if (!$verifyServer) {
         // Server TLS credentials are not validated. Note this branch is also
         // taken when certificate_check is on but no certificate_path is set.
         phpCAS::setNoCasServerValidation();
     } else {
         phpCAS::setCasServerCACert($cfg->certificate_path);
     }
 }
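 /**
  * Constructor
  *
  * Carry out sanity checks to ensure the object is
  * able to operate. Set capabilities.
  *
  * Steps: pick the CAS users file (overridable through $config_cascade) and
  * create it when missing, declare the backend's capabilities, merge the
  * plugin options with their defaults, initialise the phpCAS client (server
  * certificate verification, logout-request handling) and load the settings
  * file.
  *
  * @author     Fabian Bircher <*****@*****.**>
  */
 public function __construct()
 {
     parent::__construct();
     global $config_cascade;
     global $conf;
     // allow the preloading to configure other user files
     if (isset($config_cascade['plaincasauth.users']) && isset($config_cascade['plaincasauth.users']['default'])) {
         $this->casuserfile = $config_cascade['plaincasauth.users']['default'];
     } else {
         $this->casuserfile = DOKU_CONF . 'users.auth.plaincas.php';
     }
     $this->localuserfile = $config_cascade['plainauth.users']['default'];
     // check the state of the file with the users and attempt to create it.
     if (!@is_readable($this->casuserfile)) {
         $handle = fopen($this->casuserfile, 'w');
         if ($handle === false) {
             msg("plainCAS: The CAS users file could not be opened.", -1);
             $this->success = false;
         } else {
             // the handle was only needed to create the file; do not leak it
             fclose($handle);
             $this->success = @is_readable($this->casuserfile);
         }
     }
     if ($this->success) {
         // the users are not managable through the wiki
         $this->cando['addUser'] = false;
         $this->cando['delUser'] = true;
         $this->cando['modLogin'] = false;
         //keep this false as CAS name is constant
         $this->cando['modPass'] = false;
         $this->cando['modName'] = false;
         $this->cando['modMail'] = false;
         $this->cando['modGroups'] = false;
         $this->cando['getUsers'] = true;
         $this->cando['getUserCount'] = true;
         // Disable CAS redirection for bots/crawlers/readers. The User-Agent
         // header is client-supplied and may be absent altogether.
         $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
         $this->cando['external'] = !preg_match("#(bot)|(slurp)|(netvibes)#i", $userAgent);
         $this->cando['login'] = true;
         $this->cando['logout'] = true;
         $this->cando['logoff'] = true;
         // The default options which need to be set in the settings file.
         $defaults = array('logFile' => null, 'cert' => null, 'cacert' => null, 'debug' => false, 'settings_file' => DOKU_CONF . 'plaincas.settings.php', 'defaultgroup' => $conf['defaultgroup'], 'superuser' => $conf['superuser']);
         $this->_options = (array) $conf['plugin']['authplaincas'] + $defaults;
         // Options are set in the configuration and have a proper default value there.
         $this->_options['server'] = $this->getConf('server');
         $this->_options['rootcas'] = $this->getConf('rootcas');
         $this->_options['port'] = $this->getConf('port');
         $this->_options['samlValidate'] = $this->getConf('samlValidate');
         // both autologin and caslogout are driven by the single 'autologinout' setting
         $this->_options['autologin'] = $this->getConf('autologinout');
         $this->_options['caslogout'] = $this->getConf('autologinout');
         $this->_options['handlelogoutrequest'] = $this->getConf('handlelogoutrequest');
         $this->_options['handlelogoutrequestTrustedHosts'] = $this->getConf('handlelogoutrequestTrustedHosts');
         $this->_options['minimalgroups'] = $this->getConf('minimalgroups');
         // defaultgroup and superuser come from $conf via $defaults above.
         // No local users at the moment: the configured 'localusers' value is ignored.
         $this->_options['localusers'] = false;
         if ($this->_options['localusers'] && !@is_readable($this->localuserfile)) {
             msg("plainCAS: The local users file is not readable.", -1);
             $this->success = false;
         }
         // A configured logFile starts phpCAS in debug mode
         if ($this->_getOption("logFile")) {
             phpCAS::setDebug($this->_getOption("logFile"));
         }
         $server_version = CAS_VERSION_2_0;
         if ($this->_getOption("samlValidate")) {
             $server_version = SAML_VERSION_1_1;
         }
         // Last argument true: phpCAS may change the session id so it can destroy
         // the session on a CAS logout request (Single Sign Out).
         phpCAS::client($server_version, $this->_getOption('server'), (int) $this->_getOption('port'), $this->_getOption('rootcas'), true);
         // curl extension is needed
         if (!function_exists('curl_init')) {
             if ($this->_getOption('debug')) {
                 msg("CAS err: CURL extension not found.", -1, __LINE__, __FILE__);
             }
             $this->success = false;
             return;
         }
         // automatically log the user when there is a cas session opened
         if ($this->_getOption('autologin')) {
             phpCAS::setCacheTimesForAuthRecheck(1);
         } else {
             phpCAS::setCacheTimesForAuthRecheck(-1);
         }
         // Server certificate verification: pinned server cert, CA bundle, or
         // none at all (the last option leaves the CAS exchange unverified).
         if ($this->_getOption('cert')) {
             phpCAS::setCasServerCert($this->_getOption('cert'));
         } elseif ($this->_getOption('cacert')) {
             phpCAS::setCasServerCACert($this->_getOption('cacert'));
         } else {
             phpCAS::setNoCasServerValidation();
         }
         // Single-logout requests are only accepted from the configured trusted hosts
         if ($this->_getOption('handlelogoutrequest')) {
             phpCAS::handleLogoutRequests(true, $this->_getOption('handlelogoutrequestTrustedHosts'));
         } else {
             phpCAS::handleLogoutRequests(false);
         }
         // site-specific settings file, falling back to the plugin's own copy
         if (@is_readable($this->_getOption('settings_file'))) {
             include_once $this->_getOption('settings_file');
         } else {
             include_once DOKU_PLUGIN . 'authplaincas/plaincas.settings.php';
         }
     }
 }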
 */
return function (Slim\App $app) {
    $container = $app->getContainer();
    $events = $container['events'];
    $events('on', 'app.autoload', function ($autoloader) {
        $autoloader->addPsr4('SchSSO\\', __DIR__ . '/src/');
    });
    $events('on', 'app.services', function ($container) {
        $container['init_cas'] = $container->protect(function () use($container) {
            $settings = $container['settings']['sso']['phpcas'];
            phpCAS::client($settings['serverVersion'], $settings['serverHostname'], $settings['serverPort'], $settings['serverUri'], $settings['changeSessionId']);
            if ($casServerCaCert = $settings['casServerCaCert']) {
                if ($settings['casServerCnValidate']) {
                    phpCAS::setCasServerCACert($casServerCaCert, true);
                } else {
                    phpCAS::setCasServerCACert($casServerCaCert, false);
                }
            }
            if ($settings['noCasServerValidation']) {
                phpCAS::setNoCasServerValidation();
            }
            phpCAS::handleLogoutRequests();
        });
        $container['is_allowed'] = $container->protect(function ($attributes) use($container) {
            $allowed = isset($container['settings']['sso']['allowed']) ? $container['settings']['sso']['allowed'] : [];
            foreach ($allowed as $index => $ruleset) {
                $isAllowed[$index] = true;
                foreach ($ruleset as $attribute => $rule) {
                    if (!isset($attributes[$attribute])) {
                        $isAllowed[$index] = false;
                        break;
    // C'est idiot car cette valeur n'est pas fiable, n'importe qui peut présenter n'importe quel User-Agent !
    // En attendant qu'ils appliquent un remède plus intelligent, et au cas où un autre prestataire aurait la même mauvaise idée, on envoie un User-Agent bidon (défini dans le loader)...
    phpCAS::setExtraCurlOption(CURLOPT_USERAGENT, CURL_AGENT);
    // Appliquer un proxy si défini par le webmestre ; voir cURL::get_contents() pour les commentaires.
    if (defined('SERVEUR_PROXY_USED') && SERVEUR_PROXY_USED) {
        phpCAS::setExtraCurlOption(CURLOPT_PROXY, SERVEUR_PROXY_NAME);
        phpCAS::setExtraCurlOption(CURLOPT_PROXYPORT, (int) SERVEUR_PROXY_PORT);
        phpCAS::setExtraCurlOption(CURLOPT_PROXYTYPE, constant(SERVEUR_PROXY_TYPE));
        if (SERVEUR_PROXY_AUTH_USED) {
            phpCAS::setExtraCurlOption(CURLOPT_PROXYAUTH, constant(SERVEUR_PROXY_AUTH_METHOD));
            phpCAS::setExtraCurlOption(CURLOPT_PROXYUSERPWD, SERVEUR_PROXY_AUTH_USER . ':' . SERVEUR_PROXY_AUTH_PASS);
        }
    }
    // On indique qu'il faut vérifier la validité du certificat SSL, sauf exception paramétrée, mais alors dans ce cas ça ne sert à rien d'utiliser une connexion sécurisée.
    if (strpos(PHPCAS_NO_CERTIF_LISTING, ',' . $connexion_nom . ',') === FALSE) {
        phpCAS::setCasServerCACert(CHEMIN_FICHIER_CA_CERTS_FILE);
    } else {
        phpCAS::setNoCasServerValidation();
    }
    // Gestion du single sign-out
    phpCAS::handleLogoutRequests(FALSE);
    // Déconnexion de CAS
    phpCAS::logout();
    exit;
}
// ////////////////////////////////////////////////////////////////////////////////////////////////////
// Déconnexion avec Shibboleth
// ////////////////////////////////////////////////////////////////////////////////////////////////////
if ($connexion_mode == 'shibboleth') {
    /*
    Pour le moment, on a acté avec le Catice qu'une déconnexion depuis une application entrainera seulement une déconnexion de cette application.
 /**
  * Plugin initialization: set up the phpCAS client (when $run_cas is true and
  * the plugin is configured) and register the WordPress actions and filters.
  *
  * @param bool $run_cas whether phpCAS should be initialized on this request
  */
 function init($run_cas = true)
 {
     global $error;
     if ($run_cas) {
         include_once $this->phpcas_path;
         $settings = $this->settings;
         $port = intval($settings['server_port']);
         if ($settings['server_hostname'] == '' || $port == 0) {
             $this->cas_configured = false;
         }
         if (!$this->cas_configured) {
             $error = __("wpCAS is not configured. Please, login, go to the settings and configure with your credentials.", "CAS_Maestro");
         } else {
             phpCAS::client($settings['cas_version'], $settings['server_hostname'], $port, $settings['server_path'], false);
             // setCasServerCACert() was added in phpCAS 0.6.0; an instance is
             // probed because checking a static method's existence is
             // frustrating in php4.
             $probe = new phpCas();
             $hasCaCertSetter = method_exists($probe, 'setCasServerCACert');
             $hasNoValidation = method_exists($probe, 'setNoCasServerValidation');
             unset($probe);
             if ($hasCaCertSetter && $settings['cert_path']) {
                 phpCAS::setCasServerCACert($settings['cert_path']);
             } elseif ($hasNoValidation) {
                 // no CA bundle configured: the CAS server certificate is not verified
                 phpCAS::setNoCasServerValidation();
             }
             if (defined('CAS_MAESTRO_DEBUG_ON') && CAS_MAESTRO_DEBUG_ON == true) {
                 phpCAS::setDebug(CAS_MAESTRO_PLUGIN_PATH . 'debug.log');
             }
             // Filters and actions that route login through CAS and disable
             // the password-based flows.
             add_filter('authenticate', array(&$this, 'validate_login'), 30, 3);
             add_filter('login_url', array(&$this, 'bypass_reauth'));
             add_action('lost_password', array(&$this, 'disable_function'));
             add_action('retrieve_password', array(&$this, 'disable_function'));
             add_action('password_reset', array(&$this, 'disable_function'));
             add_filter('show_password_fields', array(&$this, 'show_password_fields'));
         }
     }
     add_action('wp_logout', array(&$this, 'process_logout'));
     // language initialization and admin UI hooks
     add_action('init', array(&$this, 'lang_init'));
     add_action('admin_init', array(&$this, 'add_meta_boxes'));
     add_action('profile_update', array(&$this, 'onSaveProfile'), 10, 2);
     add_action('admin_notices', array(&$this, 'notify_email_update'));
     add_action('admin_menu', array(&$this, 'register_menus'), 50);
     add_action('admin_enqueue_scripts', array(&$this, 'register_javascript'));
     // Rewrite the login form action so the form bypasses CAS when configured
     if ($this->bypass_cas) {
         add_filter('site_url', array(&$this, 'bypass_cas_login_form'), 20, 3);
         add_filter('authenticate', array(&$this, 'validate_noncas_login'), 30, 3);
     }
 }
 * ownCloud - user_cas
 *
 * @author Sixto Martin <*****@*****.**>
 * @copyright Sixto Martin Garcia. 2012
 * @copyright Leonis. 2014 <*****@*****.**>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
 * License as published by the Free Software Foundation; either
 * version 3 of the License, or any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
 *
 * You should have received a copy of the GNU Affero General Public
 * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
// phpCAS::client() is set up only once per request; the global remembers it.
global $initialized_cas;
if (!$initialized_cas) {
    phpCAS::client($casVersion, $casHostname, (int) $casPort, $casPath, false);
    if (empty($casCertPath)) {
        // no CA bundle configured: the CAS server certificate is not verified
        phpCAS::setNoCasServerValidation();
    } else {
        phpCAS::setCasServerCACert($casCertPath);
    }
    $initialized_cas = true;
}
// Every request that includes this file must be CAS-authenticated
phpCAS::forceAuthentication();
    /**
     * Initialize the phpCAS client once per request.
     *
     * Reads the Roundcube config (cas_* keys), starts phpCAS in proxy or
     * client mode, fixes the service URL, selects the server certificate
     * verification mode (cas_validation: 'self' = pinned server cert,
     * 'ca' = CA bundle, anything else = no verification) and sets the CAS
     * login/logout URLs.
     */
    private function cas_init() {
        if ($this->cas_inited) {
            return;
        }
        // retrieve configurations
        $cfg = rcmail::get_instance()->config->all();

        // include phpCAS; debug log path is hard-coded here
        require_once('/usr/share/php/CAS/CAS.php');
        phpCAS::setDebug('/var/log/lcs/casdebug.log');

        if ($cfg['cas_proxy']) {
            phpCAS::proxy(CAS_VERSION_2_0, $cfg['cas_hostname'], $cfg['cas_port'], $cfg['cas_uri'], false);
            // URL for the PGT callback and file storage for the PGTs
            phpCAS::setFixedCallbackURL($this->generate_url(array('action' => 'pgtcallback')));
            phpCAS::setPGTStorageFile($cfg['cas_pgt_dir']);
        } else {
            phpCAS::client(CAS_VERSION_2_0, $cfg['cas_hostname'], $cfg['cas_port'], $cfg['cas_uri'], false);
        }

        // service URL presented to the CAS server
        phpCAS::setFixedServiceURL($this->generate_url(array('action' => 'login', 'task' => 'mail')));

        // TLS verification of the CAS server
        switch ($cfg['cas_validation']) {
            case 'self':
                phpCAS::setCasServerCert($cfg['cas_cert']);
                break;
            case 'ca':
                phpCAS::setCasServerCACert($cfg['cas_cert']);
                break;
            default:
                phpCAS::setNoCasServerValidation();
        }

        // login and logout URLs of the CAS server
        phpCAS::setServerLoginURL($cfg['cas_login_url']);
        phpCAS::setServerLogoutURL($cfg['cas_logout_url']);

        $this->cas_inited = true;
    }
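 /**
  * Log the user in through CAS and map the CAS principal to an LDAP entry.
  *
  * Initialises phpCAS from the casHost/casPort/casContext/casServerCaCertPath
  * settings, forces authentication, then searches the CAS username in the
  * configured loginAttribute(s) of inetOrgPerson entries. Exactly one match is
  * required; otherwise a fatal dialog is displayed and the script exits.
  * On success the login steps are run and the user is redirected to main.php.
  */
 static function casLoginProcess()
 {
     global $config, $message, $ui;
     self::init();
     /* Reset error messages */
     $message = '';
     // Initialize phpCAS (enable phpCAS::setDebug() here when troubleshooting)
     phpCAS::client(CAS_VERSION_2_0, $config->get_cfg_value('casHost', 'localhost'), (int) $config->get_cfg_value('casPort', 443), $config->get_cfg_value('casContext', ''));
     // Verify the CAS server against the CA certificate that issued its cert.
     // NOTE(review): no default is given for casServerCaCertPath — confirm what
     // get_cfg_value() returns when it is unset, so validation is not silently weakened.
     phpCAS::setCasServerCACert($config->get_cfg_value('casServerCaCertPath'));
     // force CAS authentication
     phpCAS::forceAuthentication();
     self::$username = phpCAS::getUser();
     $ldap = $config->get_ldap_link();
     $ldap->cd($config->current['BASE']);
     // The CAS principal is external input: escape it before it becomes part
     // of the LDAP filter so special characters cannot alter the query.
     $escapedUser = ldap_escape(self::$username, '', LDAP_ESCAPE_FILTER);
     $verify_attr = explode(',', $config->get_cfg_value('loginAttribute', 'uid'));
     $filter = '';
     foreach ($verify_attr as $attr) {
         $filter .= '(' . $attr . '=' . $escapedUser . ')';
     }
     $ldap->search('(&(|' . $filter . ')(objectClass=inetOrgPerson))');
     $attrs = $ldap->fetch();
     if ($ldap->count() < 1) {
         msg_dialog::display(_('Error'), sprintf(_('CAS user "%s" could not be found in the LDAP'), self::$username), FATAL_ERROR_DIALOG);
         exit;
     } elseif ($ldap->count() > 1) {
         msg_dialog::display(_('Error'), sprintf(_('CAS user "%s" match several users in the LDAP'), self::$username), FATAL_ERROR_DIALOG);
         exit;
     }
     $ui = new userinfo($config, $attrs['dn']);
     $ui->loadACL();
     $success = self::runSteps(array('loginAndCheckExpired', 'runSchemaCheck', 'checkForLockingBranch'));
     if ($success) {
         /* Everything went well, redirect to main.php */
         self::redirect();
     }
 }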
 /**
  * Establishes the phpCAS configuration and enables the phpCAS client.
  *
  * The client is configured at most once per object ($this->phpCASSetup),
  * since phpCAS::client() can only be called once.
  *
  * @return object     Returns phpCAS Object
  */
 protected function setupCAS()
 {
     $casauth = new \phpCAS();
     if ($this->phpCASSetup) {
         return $casauth;
     }
     $cas = $this->getConfig()->CAS;
     $debugOn = isset($cas->debug) && $cas->debug;
     if (isset($cas->log) && !empty($cas->log) && $debugOn) {
         $casauth->setDebug($cas->log);
     }
     $casauth->client(SAML_VERSION_1_1, $cas->server, (int) $cas->port, $cas->context, false);
     if (isset($cas->CACert) && !empty($cas->CACert)) {
         $casauth->setCasServerCACert($cas->CACert);
     } else {
         // no CA bundle configured: the CAS server certificate is not verified
         $casauth->setNoCasServerValidation();
     }
     $this->phpCASSetup = true;
     return $casauth;
 }