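* Incoming parameters:
*   service
*   renew
*   gateway
*/

// CAS login endpoint: the requesting service must be supplied and must be
// whitelisted in the module configuration before any ticket is issued.
if (!array_key_exists('service', $_GET)) {
    throw new Exception('Required URL query parameter [service] not provided. (CAS Server)');
}
// A non-string value (e.g. service[]=...) can never be a legal service URL; reject it
// here rather than letting it reach checkServiceURL() and the string concatenation below.
if (!is_string($_GET['service'])) {
    throw new Exception('Required URL query parameter [service] must be a string. (CAS Server)');
}
$service = $_GET['service'];

// 'renew' forces re-authentication, 'gateway' requests a passive attempt. Both are
// truthiness checks: any non-empty value other than "0" enables the flag.
$forceAuthn = isset($_GET['renew']) && $_GET['renew'];
$isPassive = isset($_GET['gateway']) && $_GET['gateway'];

$config = SimpleSAML_Configuration::getInstance();
$casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php');

// Refuse to issue a ticket for any service not listed in 'legal_service_urls'.
$legal_service_urls = $casconfig->getValue('legal_service_urls');
if (!checkServiceURL($service, $legal_service_urls)) {
    throw new Exception('Service parameter provided to CAS server is not listed as a legal service: [service] = ' . $service);
}

// Only the two SAML-based authentication sources are supported; strict comparison so
// no loosely-equal configuration value slips through.
$auth = $casconfig->getValue('auth', 'saml2');
if (!in_array($auth, array('saml2', 'shib13'), true)) {
    throw new Exception('CAS Service configured to use [auth] = ' . $auth . ' only [saml2,shib13] is legal.');
}

$as = new SimpleSAML_Auth_Simple($auth);
if (!$as->isAuthenticated()) {
    // Hand the renew/gateway semantics to the authentication source.
    $params = array(
        'ForceAuthn' => $forceAuthn,
        'isPassive' => $isPassive,
    );
    $as->login($params);
}

$attributes = $as->getAttributes();

$path = $casconfig->resolvePath($casconfig->getValue('ticketcache', '/tmp'));

// Service tickets carry the CAS "ST-" prefix; the replacement assumes generateID()
// emits a single leading '_' (not visible here - verify against the utility).
$ticket = str_replace('_', 'ST-', SimpleSAML_Utilities::generateID());

storeTicket($ticket, $path, array(
    'service' => $service,
    'forceAuthn' => $forceAuthn,
    'attributes' => $attributes,
    'proxies' => array(),
    'validbefore' => time() + 5, // the service must validate the ticket within 5 seconds
));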
if (!is_null($sessionTicket) && $ticketFactory->isSessionTicket($sessionTicket) && !$ticketFactory->isExpired($sessionTicket)) { $proxyTicket = $ticketFactory->createProxyTicket(array('service' => $_GET['targetService'], 'forceAuthn' => $proxyGrantingTicket['forceAuthn'], 'attributes' => $proxyGrantingTicket['attributes'], 'proxies' => $proxyGrantingTicket['proxies'], 'sessionId' => $proxyGrantingTicket['sessionId'])); $ticketStore->addTicket($proxyTicket); echo $protocol->getProxySuccessResponse($proxyTicket['id']); } else { $message = 'Ticket ' . var_export($_GET['pgt'], true) . ' has expired'; SimpleSAML_Logger::debug('casserver:' . $message); echo $protocol->getProxyFailureResponse('BAD_PGT', $message); } } elseif (!$ticketFactory->isProxyGrantingTicket($proxyGrantingTicket)) { $message = 'Not a valid proxy granting ticket id: ' . var_export($_GET['pgt'], true); SimpleSAML_Logger::debug('casserver:' . $message); echo $protocol->getProxyFailureResponse('BAD_PGT', $message); } else { $message = 'Ticket ' . var_export($_GET['pgt'], true) . ' not recognized'; SimpleSAML_Logger::debug('casserver:' . $message); echo $protocol->getProxyFailureResponse('BAD_PGT', $message); } } elseif (!array_key_exists('targetService', $_GET)) { $message = 'Missing target service parameter [targetService]'; SimpleSAML_Logger::debug('casserver:' . $message); echo $protocol->getProxyFailureResponse('INVALID_REQUEST', $message); } elseif (!checkServiceURL(sanitize($_GET['targetService']), $legal_target_service_urls)) { $message = 'Target service parameter not listed as a legal service: [targetService] = ' . var_export($_GET['targetService'], true); SimpleSAML_Logger::debug('casserver:' . $message); echo $protocol->getProxyFailureResponse('INVALID_REQUEST', $message); } else { $message = 'Missing proxy granting ticket parameter: [pgt]'; SimpleSAML_Logger::debug('casserver:' . $message); echo $protocol->getProxyFailureResponse('INVALID_REQUEST', $message); }
require 'tickets.php'; /* * Incoming parameters: * targetService * ptg * */ if (array_key_exists('targetService', $_GET)) { $targetService = $_GET['targetService']; $pgt = $_GET['pgt']; } else { throw new Exception('Required URL query parameter [targetService] not provided. (CAS Server)'); } $casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php'); $legal_service_urls = $casconfig->getValue('legal_service_urls'); if (!checkServiceURL($targetService, $legal_service_urls)) { throw new Exception('Service parameter provided to CAS server is not listed as a legal service: [service] = ' . $service); } $path = $casconfig->resolvePath($casconfig->getValue('ticketcache', 'ticketcache')); $ticket = retrieveTicket($pgt, $path, false); if ($ticket['validbefore'] > time()) { $pt = str_replace('_', 'PT-', SimpleSAML\Utils\Random::generateID()); storeTicket($pt, $path, array('service' => $targetService, 'forceAuthn' => false, 'attributes' => $ticket['attributes'], 'proxies' => $ticket['proxies'], 'validbefore' => time() + 5)); print <<<eox <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:proxySuccess> <cas:proxyTicket>{$pt}</cas:proxyTicket> </cas:proxySuccess> </cas:serviceResponse> eox; } else {
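* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Incoming parameters:
*   service
*   renew
*   gateway
*   entityId
*   scope
*   language
*/

require_once 'utility/urlUtils.php';

// 'renew' forces re-authentication, 'gateway' requests a passive attempt. Both are
// truthiness checks: any non-empty value other than "0" enables the flag.
$forceAuthn = isset($_GET['renew']) && $_GET['renew'];
$isPassive = isset($_GET['gateway']) && $_GET['gateway'];

$casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php');

// 'service' is optional here, but when present it must be a single string matching the
// configured whitelist. A non-string (e.g. service[]=x) is rejected exactly like an
// unlisted URL instead of being handed to sanitize(); this mirrors the is_string()
// guard applied to 'scope' below.
$legal_service_urls = $casconfig->getValue('legal_service_urls');
if (isset($_GET['service'])
    && (!is_string($_GET['service']) || !checkServiceURL(sanitize($_GET['service']), $legal_service_urls))
) {
    $message = 'Service parameter provided to CAS server is not listed as a legal service: [service] = ' .
        var_export($_GET['service'], true);
    SimpleSAML_Logger::debug('casserver:' . $message);
    throw new Exception($message);
}

$as = new SimpleSAML_Auth_Simple($casconfig->getValue('authsource'));

// An optional 'scope' selects an IdP list; it must be a string naming a key of the
// configured 'scopes' map, otherwise the request is refused.
if (array_key_exists('scope', $_GET) && is_string($_GET['scope'])) {
    $scopes = $casconfig->getValue('scopes', array());

    if (array_key_exists($_GET['scope'], $scopes)) {
        $idpList = $scopes[$_GET['scope']];
    } else {
        $message = 'Scope parameter provided to CAS server is not listed as legal scope: [scope] = ' .
            var_export($_GET['scope'], true);
        SimpleSAML_Logger::debug('casserver:' . $message);
        throw new Exception($message);
    }
}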