Set the login URL of the CAS server.
| public static setServerLoginURL ( string $url = '' ) : void | ||
| $url | string | the login URL |
| return | void | |
public function auth($isRedirect = true)
{
// 判断是否为退出操作
if ($this->ctrl == 'index' && $this->act == 'logout') {
$this->_logout();
} elseif ($this->ctrl == 'index' && $this->act == 'synlogout') {
$this->_synlogout();
} else {
if ($isRedirect) {
phpCAS::setServerLoginURL($this->loginUrl());
phpCAS::forceAuthentication();
$this->casInfo = $this->_getUser();
if ($backurl = $this->request->getQuery('backurl')) {
$backurl = 'http://' . $this->cfg['host'] . ':' . $this->cfg['port'] . '/index/sessid?backurl=' . urlencode($backurl) . '&st=' . session_id();
$this->response->redirect($backurl);
return;
}
if ($this->isAdmin && !$this->_checkPerm()) {
exit('无权限访问');
}
}
}
}
// ////////////////////////////////////////////////////////////////////////////////////////////////////
if ($connexion_mode == 'cas') {
// Pour tester, cette méthode statique créé un fichier de log sur ce qui se passe avec CAS
if (DEBUG_PHPCAS) {
if (HEBERGEUR_INSTALLATION == 'mono-structure' || !PHPCAS_ETABL_ID_LISTING || strpos(PHPCAS_ETABL_ID_LISTING, ',' . $BASE . ',') !== FALSE) {
$fichier_nom_debut = 'debugcas_' . $BASE;
$fichier_nom_fin = fabriquer_fin_nom_fichier__pseudo_alea($fichier_nom_debut);
phpCAS::setDebug(PHPCAS_CHEMIN_LOGS . $fichier_nom_debut . '_' . $fichier_nom_fin . '.txt');
}
}
// Initialiser la connexion avec CAS ; le premier argument est la version du protocole CAS ; le dernier argument indique qu'on utilise la session existante
phpCAS::client(CAS_VERSION_2_0, $cas_serveur_host, (int) $cas_serveur_port, $cas_serveur_root, FALSE);
phpCAS::setLang(PHPCAS_LANG_FRENCH);
// Surcharge éventuelle des URL
if ($cas_serveur_url_login) {
phpCAS::setServerLoginURL($cas_serveur_url_login);
}
if ($cas_serveur_url_logout) {
phpCAS::setServerLogoutURL($cas_serveur_url_logout);
}
if ($cas_serveur_url_validate) {
phpCAS::setServerServiceValidateURL($cas_serveur_url_validate);
}
// Suite à des attaques DDOS, Kosmos a décidé en avril 2015 de filtrer les requêtes en bloquant toutes celles sans User-Agent.
// C'est idiot car cette valeur n'est pas fiable, n'importe qui peut présenter n'importe quel User-Agent !
// En attendant qu'ils appliquent un remède plus intelligent, et au cas où un autre prestataire aurait la même mauvaise idée, on envoie un User-Agent bidon (défini dans le loader)...
phpCAS::setExtraCurlOption(CURLOPT_USERAGENT, CURL_AGENT);
// Appliquer un proxy si défini par le webmestre ; voir cURL::get_contents() pour les commentaires.
if (defined('SERVEUR_PROXY_USED') && SERVEUR_PROXY_USED) {
phpCAS::setExtraCurlOption(CURLOPT_PROXY, SERVEUR_PROXY_NAME);
phpCAS::setExtraCurlOption(CURLOPT_PROXYPORT, (int) SERVEUR_PROXY_PORT);
/**
* Initialize CAS client
*
*/
private function cas_init() {
if (!$this->cas_inited) {
// retrieve configurations
$cfg = rcmail::get_instance()->config->all();
// include phpCAS
require_once('/usr/share/php/CAS/CAS.php');
phpCAS::setDebug('/var/log/lcs/casdebug.log');
// initialize CAS client
if ($cfg['cas_proxy']) {
phpCAS::proxy(CAS_VERSION_2_0, $cfg['cas_hostname'], $cfg['cas_port'], $cfg['cas_uri'], false);
// set URL for PGT callback
phpCAS::setFixedCallbackURL($this->generate_url(array('action' => 'pgtcallback')));
// set PGT storage
#phpCAS::setPGTStorageFile('xml', $cfg['cas_pgt_dir']);
phpCAS::setPGTStorageFile($cfg['cas_pgt_dir']);
}
else {
phpCAS::client(CAS_VERSION_2_0, $cfg['cas_hostname'], $cfg['cas_port'], $cfg['cas_uri'], false);
}
// set service URL for authorization with CAS server
phpCAS::setFixedServiceURL($this->generate_url(array('action' => 'login', 'task' => 'mail')));
// set SSL validation for the CAS server
if ($cfg['cas_validation'] == 'self') {
phpCAS::setCasServerCert($cfg['cas_cert']);
}
else if ($cfg['cas_validation'] == 'ca') {
phpCAS::setCasServerCACert($cfg['cas_cert']);
}
else {
phpCAS::setNoCasServerValidation();
}
// set login and logout URLs of the CAS server
phpCAS::setServerLoginURL($cfg['cas_login_url']);
phpCAS::setServerLogoutURL($cfg['cas_logout_url']);
$this->cas_inited = true;
}
}
/**
* Modify phpCAS authentication properties.
*
* This is called after phpCAS has been configured with the basic server
* properties, but before phpCAS::forceAuthentication() is called.
*
* Users will generally not need to implement this hook, as most phpCAS
* configuration options are already provided in the CAS module UI.
*
* There are no parameters, instead the module should directly call the
* functions in the phpCAS namespace.
*/
function hook_cas_phpcas_alter()
{
// Set a custom server login URL.
phpCAS::setServerLoginURL('https://login.example.com/cas/login');
}
/**
* @todo make this options usable.
* @todo move to other class
*
* @param string $providerName defined in Settings.yaml
*
* @throws \TYPO3\Flow\Exception
*
* @return void
*/
private function setOptionalClientSettings($providerName)
{
$casClientSettings = $this->getClientSettingsByProviderName($providerName);
try {
if (!empty($casClientSettings['serverLoginURL'])) {
\phpCAS::setServerLoginURL($casClientSettings['serverLoginURL']);
}
if (!empty($casClientSettings['serverLogoutURL'])) {
\phpCAS::setServerLogoutURL($casClientSettings['serverLogoutURL']);
}
if (!empty($casClientSettings['serverProxyValidateURL'])) {
\phpCAS::setServerProxyValidateURL($casClientSettings['serverProxyValidateURL']);
}
if (!empty($casClientSettings['serverSamlValidateURL'])) {
\phpCAS::setServerSamlValidateURL($casClientSettings['serverSamlValidateURL']);
}
if (!empty($casClientSettings['serverServiceValidateURL'])) {
\phpCAS::setServerServiceValidateURL($casClientSettings['serverServiceValidateURL']);
}
// since CAS 4.0 disbled
if (!empty($casClientSettings['singleSignoutCallback'])) {
\phpCAS::setSingleSignoutCallback($casClientSettings['singleSignoutCallback']);
}
} catch (\Exception $exc) {
throw new \TYPO3\Flow\Exception('Can not set some optianal property in Jasigs phpCAS broken on: ' . $exc->getCode() . ' with message: ' . $exc->getMessage(), 1372519681);
}
}
/**
* Sets the URL to login to the CAS server.
*
* @param string $url The CAS url
*
* @return string
*/
public function setLoginUrl($url = '')
{
if (empty($url)) {
$url = $this->getUrl();
$url .= substr($url, -1) == '/' ? 'login?' : '/login?';
$queryParams = array($this->getServiceParam() => $this->getService(), "ssokey" => $this->getApiKey(), "extraParams" => $this->getExtraParams(), "sign" => $this->getSign(), "source" => $this->getSource(), 'redirect_uri' => $this->getRedirectUri());
$url .= http_build_query($queryParams);
}
$this->_loginUrl = $url;
// set login and logout URLs of the CAS server
phpCAS::setServerLoginURL($this->_loginUrl);
}
protected function iniciar_pedido_cas()
{
$this->instanciar_cliente_cas();
phpCAS::setExtraCurlOption(CURLOPT_SSLVERSION, 3);
// Se genera la URL de servicio
$param = array();
if (isset($this->parametros_url) && is_array($this->parametros_url)) {
$param = $this->parametros_url;
}
$url = $this->generar_url($param);
phpCAS::setFixedServiceURL($url);
// Tipo de auth
if (toba::instalacion()->es_produccion()) {
phpCAS::setCasServerCACert($this->archivo_certificado, $this->validar_cn);
} else {
phpCAS::setNoCasServerValidation();
}
phpCAS::setServerLoginURL('');
/** Llamada principal al authentificación de CAS, si no estás
autenticado te redirecciona ahí adentro y no sigue ejecutando
Si pasa está función significa que estás autenticado **/
phpCAS::forceAuthentication();
}
/**
* Checks to see if boilerkey is required, and if so, is present
*
* @param string $return the return location
* @return bool
**/
private function checkBoilerkey($return = '')
{
// If boilerkey isn't required, just return true for our check
if (!$this->isBoilerkeyRequired()) {
return true;
}
// Check the last auth time for boilerkey
$lastAuth = phpCAS::getAttribute('boilerkeyauthtime');
// If there is a last auth time, we just have to make sure it's not
// above the configurable threshold
if (isset($lastAuth) && !empty($lastAuth)) {
$current = time();
$lastAuth = strtotime($lastAuth);
// Take the absolute value just in case system times are slightly out of sync
$diff = abs($current - $lastAuth);
if ($diff / 60 < $this->params->get('boilerkey_timeout', 15)) {
return true;
}
}
// We either don't have a cas session with boilerkey, or it's too old.
// So we essentially make them reauth.
$return = !empty($return) ? '&return=' . base64_encode($return) : '';
$loginUrl = 'https://www.purdue.edu/apps/account/cas/logout?reauthWithBoilerkeyService=';
// Not sure why we need to encode twice. I think somewhere along the lines, the CAS server
// removes the encoding once.
$loginUrl .= urlencode(urlencode(self::getRedirectUri('pucas') . $return));
// Kill the session var holding the CAS ticket, otherwise it will find the old session
// and never actually redirect to the CAS server logout/login page
unset($_SESSION['phpCAS']);
phpCAS::setServerLoginURL($loginUrl);
phpCAS::forceAuthentication();
}
