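/**
 * Detect the remote SSO user by looping through all SSO
 * plug-ins attached to the detection event. The first plug-in
 * that yields a usable username ends the loop and its result is
 * returned. Uses the same plug-in group as JAuthTools SSO.
 *
 * A plug-in that carries both an 'ip_rule' and an 'ip_list'
 * parameter is only executed when the client address passes
 * SHSsoHelper::doIPCheck() for that rule and list.
 *
 * @return  Array|False  Array containing 'username' (string) and 'sso'
 *                       (class name of the detecting plug-in, or false for
 *                       a non-object handler) on success, False on failure.
 *
 * @since   1.0
 */
public function detect()
{
    $args = array();

    // Event to trigger for detection
    $event = strtolower(self::DETECT_METHOD_NAME);

    // Check if any plugins are attached to the event.
    if (empty($this->_methods[$event]))
    {
        // No Plugins Associated To Event
        SHLog::add(JText::_('LIB_SHSSO_DEBUG_15068'), 15068, JLog::DEBUG, 'sso');

        return false;
    }

    // Loop through all plugins having a method matching our event
    foreach ($this->_methods[$event] as $key)
    {
        // Check if the plugin is present.
        if (!isset($this->_observers[$key]))
        {
            continue;
        }

        $observer = $this->_observers[$key];
        $isObject = is_object($observer);

        // get_class() is only defined for objects; array-style handlers have no class name.
        $observerName = $isObject ? get_class($observer) : false;

        // Start every iteration clean so a result left over from an earlier
        // plug-in can never be attributed to this one.
        $value = null;

        // Check if parameters exist for this observer/plugin.
        // property_exists() must not be handed an array-style handler.
        if ($isObject && property_exists($observer, 'params'))
        {
            $params = $observer->params;

            // Get the rule and list from the plug-in parameters
            $ipRule = $params->get('ip_rule', false);
            $ipList = $params->get('ip_list', false);

            // Check that both the rule and list have been set
            if ($ipRule !== false && $ipList !== false)
            {
                // Get the IP address of this client.
                // NOTE(review): REMOTE_ADDR is the directly connected peer; behind a
                // reverse proxy or load balancer that is the proxy's address, so the
                // ip_list has to be written for that topology - confirm per deployment.
                jimport('joomla.application.input');
                $input = new JInput($_SERVER);
                $myIp = $input->get('REMOTE_ADDR', false, 'string');

                // Split the list into newline entries
                $ranges = preg_split('/\\r\\n|\\n|\\r/', $ipList);

                if (!SHSsoHelper::doIPCheck($myIp, $ranges, $ipRule))
                {
                    // IP address denies this plug-in from executing.
                    // Log the class name: the plug-in object itself cannot be formatted as a string.
                    SHLog::add(JText::sprintf('LIB_SHSSO_DEBUG_15064', $observerName), 15064, JLog::DEBUG, 'sso');

                    continue;
                }
            }
        }

        if ($isObject)
        {
            // Fire the event for an object based observer. The event name goes
            // into a per-call copy so it does not leak into the arguments of a
            // later function based handler.
            $objectArgs = $args;
            $objectArgs['event'] = $event;
            $value = $observer->update($objectArgs);
        }
        elseif (is_array($observer))
        {
            // Fire the event for a function based observer.
            $value = call_user_func_array($observer['handler'], $args);
        }

        if (!$value)
        {
            // This plug-in detected nothing; try the next one.
            continue;
        }

        if (is_string($value))
        {
            // Convert the string to an array
            $value = array('username' => $value);
        }

        // The username is later used as an identity, so only accept a
        // non-empty string (or an integer, normalised to a string).
        $valid = is_array($value)
            && isset($value['username'])
            && (is_string($value['username']) || is_int($value['username']))
            && (string) $value['username'] !== '';

        if (!$valid)
        {
            // Error: invalid plug-in response
            SHLog::add(JText::sprintf('LIB_SHSSO_ERR_15061', $observerName), 15061, JLog::ERROR, 'sso');

            // Try another plug-in.
            continue;
        }

        $value['username'] = (string) $value['username'];

        // Store the detection plug-in name
        $value['sso'] = $observerName;

        // We have a detection result
        return $value;
    }

    // No detection result found.
    return false;
}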
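/**
 * Method for attempting single sign on.
 *
 * The attempt is abandoned (False) when the SSO libraries are missing,
 * SSO is not enabled for the session, a user is already logged in and
 * 'sso.forcelogin' is off, the client address fails the 'sso.iprule'
 * check, SSO is not permitted on the backend, the detected user is on
 * 'user.blacklist', or an exception is raised. Otherwise the result of
 * SHSso::login() is returned.
 *
 * @return  boolean  True on successful SSO or False on failure.
 *
 * @since   2.0
 */
protected function _attemptSSO()
{
    // Check the required SSO libraries exist
    if (!(class_exists('SHSsoHelper') && class_exists('SHSso')))
    {
        // Error: classes missing
        SHLog::add(JText::_('LIB_SHSSOMONITOR_ERR_15001'), 15001, JLog::ERROR, 'sso');

        return false;
    }

    try
    {
        $config = SHFactory::getConfig();

        // Check if SSO is disabled via the session
        if (SHSsoHelper::status() !== SHSsoHelper::STATUS_ENABLE)
        {
            // It is disabled so do not continue
            return false;
        }

        // NOTE(review): presumably records SSO as active for this session - confirm against SHSsoHelper.
        SHSsoHelper::enable();

        $userId = JFactory::getUser()->get('id');
        $forceEnabled = (bool) $config->get('sso.forcelogin', false);

        if ($userId && !$forceEnabled)
        {
            // User already logged in and no forcelogout
            return false;
        }

        // With force login, the current user is logged out later if the detected user differs.
        $forceLogin = $userId && $forceEnabled;

        /*
         * Lets check the IP rule is valid before we continue -
         * if the IP rule is false then SSO is not allowed here.
         */
        jimport('joomla.application.input');
        $input = new JInput($_SERVER);

        // Get the IP address of this client.
        // NOTE(review): REMOTE_ADDR is the directly connected peer; behind a reverse
        // proxy that is the proxy's address, so 'sso.iplist' must account for it - confirm.
        $myIp = $input->get('REMOTE_ADDR', false, 'string');

        // Get a list of the IP addresses specific to the specified rule.
        // A missing or malformed setting decodes to null; cast it so the
        // check always receives an array, as the blacklist below already does.
        $ipList = (array) json_decode($config->get('sso.iplist'));

        // Get the rule value
        $ipRule = $config->get('sso.iprule', SHSsoHelper::RULE_ALLOW_ALL);

        if (!SHSsoHelper::doIPCheck($myIp, $ipList, $ipRule))
        {
            if (!$forceLogin)
            {
                // This IP isn't allowed
                SHLog::add(JText::_('LIB_SHSSO_DEBUG_15004'), 15004, JLog::DEBUG, 'sso');
            }

            return false;
        }

        /*
         * We are going to check if we are in backend.
         * If so then we need to check if sso is allowed
         * to execute on the backend.
         */
        if (JFactory::getApplication()->isAdmin() && !$config->get('sso.backend', false))
        {
            if (!$forceLogin)
            {
                // Not allowed to SSO on backend
                SHLog::add(JText::_('LIB_SHSSO_DEBUG_15006'), 15006, JLog::DEBUG, 'sso');
            }

            return false;
        }

        // Instantiate the main SSO library for detection & authentication
        $sso = new SHSso($config->get('sso.plugintype', 'sso'));
        $detection = $sso->detect();

        if ($detection)
        {
            $detectedName = strtolower((string) $detection['username']);

            /*
             * Check the detected user is not blacklisted. Usernames are compared
             * case-insensitively further down, so the blacklist must be matched the
             * same way; otherwise a listed name is not matched when the detection
             * differs only in letter case. Entries are normalised to lower-case
             * strings and compared strictly, so a non-string JSON entry cannot
             * match through PHP's loose comparison.
             */
            $blacklist = array();

            foreach ((array) json_decode($config->get('user.blacklist')) as $entry)
            {
                if (is_string($entry) || is_numeric($entry))
                {
                    $blacklist[] = strtolower((string) $entry);
                }
            }

            if (in_array($detectedName, $blacklist, true))
            {
                SHLog::add(JText::sprintf('LIB_SHSSO_DEBUG_15007', $detection['username']), 15007, JLog::DEBUG, 'sso');

                // Detected user is blacklisted
                return false;
            }

            // Check if the current logged in user matches the detection
            $currentName = strtolower((string) JFactory::getUser()->get('username'));

            if ($forceLogin && $detectedName !== $currentName)
            {
                SHLog::add(JText::sprintf('LIB_SHSSO_DEBUG_15008', $detection['username']), 15008, JLog::DEBUG, 'sso');

                // Need to logout the current user
                JFactory::getApplication()->logout();
            }
        }

        // Attempt the login.
        // NOTE(review): login() is also reached when detection failed ($detection === false);
        // confirm SHSso::login() rejects that input rather than proceeding.
        return $sso->login($detection);
    }
    catch (Exception $e)
    {
        SHLog::add($e, 15002, JLog::ERROR, 'sso');
    }

    // An exception was logged above; report failure explicitly instead of falling through with null.
    return false;
}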