/* Load simpleSAMLphp, configuration and metadata */
$casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php');
$path = $casconfig->resolvePath($casconfig->getValue('ticketcache', 'ticketcache'));
$ticketcontent = retrieveTicket($ticket, $path);
$usernamefield = $casconfig->getValue('attrname', 'eduPersonPrincipalName');
$dosendattributes = $casconfig->getValue('attributes', FALSE);
$attributes = $ticketcontent['attributes'];
$pgtiouxml = "";
if ($ticketcontent['service'] == $service && $ticketcontent['forceAuthn'] == $forceAuthn && array_key_exists($usernamefield, $attributes) && $ticketcontent['validbefore'] > time()) {
if (isset($_GET['pgtUrl'])) {
$pgtUrl = $_GET['pgtUrl'];
$pgtiou = str_replace('_', 'PGTIOU-', SimpleSAML_Utilities::generateID());
$pgt = str_replace('_', 'PGT-', SimpleSAML_Utilities::generateID());
$content = array('attributes' => $attributes, 'forceAuthn' => false, 'proxies' => array_merge(array($service), $ticketcontent['proxies']), 'validbefore' => time() + 60);
SimpleSAML_Utilities::fetch($pgtUrl . '?pgtIou=' . $pgtiou . '&pgtId=' . $pgt);
storeTicket($pgt, $path, $content);
$pgtiouxml = "\n<cas:proxyGrantingTicket>{$pgtiou}</cas:proxyGrantingTicket>\n";
}
$proxiesxml = join("\n", array_map(create_function('$a', 'return "<cas:proxy>$a</cas:proxy>";'), $ticketcontent['proxies']));
if ($proxiesxml) {
$proxiesxml = "<cas:proxies>\n{$proxiesxml}\n</cas:proxies>\n";
}
returnResponse('YES', $function, $attributes[$usernamefield][0], $dosendattributes ? $attributes : array(), $pgtiouxml . $proxiesxml);
} else {
returnResponse('NO', $function);
}
} catch (Exception $e) {
returnResponse('NO', $function, $e->getMessage());
}
function returnResponse($value, $function, $usrname = '', $attributes = array(), $xtraxml = "")
{
if (array_key_exists('targetService', $_GET)) {
$targetService = $_GET['targetService'];
$pgt = $_GET['pgt'];
} else {
throw new Exception('Required URL query parameter [targetService] not provided. (CAS Server)');
}
$casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php');
$legal_service_urls = $casconfig->getValue('legal_service_urls');
if (!checkServiceURL($targetService, $legal_service_urls)) {
throw new Exception('Service parameter provided to CAS server is not listed as a legal service: [service] = ' . $service);
}
$path = $casconfig->resolvePath($casconfig->getValue('ticketcache', 'ticketcache'));
$ticket = retrieveTicket($pgt, $path, false);
if ($ticket['validbefore'] > time()) {
$pt = str_replace('_', 'PT-', SimpleSAML\Utils\Random::generateID());
storeTicket($pt, $path, array('service' => $targetService, 'forceAuthn' => false, 'attributes' => $ticket['attributes'], 'proxies' => $ticket['proxies'], 'validbefore' => time() + 5));
print <<<eox
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:proxySuccess>
<cas:proxyTicket>{$pt}</cas:proxyTicket>
</cas:proxySuccess>
</cas:serviceResponse>
eox;
} else {
print <<<eox
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:proxyFailure code="INVALID_REQUEST">
Proxygranting ticket to old - ssp casserver only supports shortlived (30 secs) pgts.
</cas:proxyFailure>
</cas:serviceResponse>
eox;
* service
* renew
* gateway
*
*/
if (!array_key_exists('service', $_GET)) {
throw new Exception('Required URL query parameter [service] not provided. (CAS Server)');
}
$service = $_GET['service'];
$forceAuthn = isset($_GET['renew']) && $_GET['renew'];
$isPassive = isset($_GET['gateway']) && $_GET['gateway'];
$config = SimpleSAML_Configuration::getInstance();
$casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php');
$legal_service_urls = $casconfig->getValue('legal_service_urls');
if (!checkServiceURL($service, $legal_service_urls)) {
throw new Exception('Service parameter provided to CAS server is not listed as a legal service: [service] = ' . $service);
}
$auth = $casconfig->getValue('auth', 'saml2');
if (!in_array($auth, array('saml2', 'shib13'))) {
throw new Exception('CAS Service configured to use [auth] = ' . $auth . ' only [saml2,shib13] is legal.');
}
$as = new SimpleSAML_Auth_Simple($auth);
if (!$as->isAuthenticated()) {
$params = array('ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive);
$as->login($params);
}
$attributes = $as->getAttributes();
$path = $casconfig->resolvePath($casconfig->getValue('ticketcache', '/tmp'));
$ticket = str_replace('_', 'ST-', SimpleSAML_Utilities::generateID());
storeTicket($ticket, $path, array('service' => $service, 'forceAuthn' => $forceAuthn, 'attributes' => $attributes, 'proxies' => array(), 'validbefore' => time() + 5));
SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::addURLparameter($service, array('ticket' => $ticket)));
$session = SimpleSAML_Session::getInstance();
$legal_service_urls = $casconfig->getValue('legal_service_urls');
if (!checkServiceURL($service, $legal_service_urls)) {
throw new Exception('Service parameter provided to CAS server is not listed as a legal service: [service] = ' . $service);
}
$auth = $casconfig->getValue('auth', 'saml2');
if (!in_array($auth, array('saml2', 'shib13'))) {
throw new Exception('CAS Service configured to use [auth] = ' . $auth . ' only [saml2,shib13] is legal.');
}
if (!$session->isValid($auth)) {
SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . $auth . '/sp/initSSO.php', array('RelayState' => SimpleSAML_Utilities::selfURL()));
}
$attributes = $session->getAttributes();
$path = $casconfig->resolvePath($casconfig->getValue('ticketcache', 'ticketcache'));
$ticket = SimpleSAML_Utilities::generateID();
storeTicket($ticket, $path, $attributes);
// $test = retrieveTicket($ticket, $path);
SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::addURLparameter($service, array('ticket' => $ticket)));
function storeTicket($ticket, $path, &$value)
{
if (!is_dir($path)) {
throw new Exception('Directory for CAS Server ticket storage [' . $path . '] does not exists. ');
}
if (!is_writable($path)) {
throw new Exception('Directory for CAS Server ticket storage [' . $path . '] is not writable. ');
}
$filename = $path . '/' . $ticket;
file_put_contents($filename, serialize($value));
}
function retrieveTicket($ticket, $path)
{
