/**
* This virtual method reads a PGT corresponding to a PGT Iou and deletes
* the corresponding storage entry.
*
* @param string $pgt_iou the PGT iou
*
* @return void
*
* @note Should never be called.
*/
function read($pgt_iou)
{
phpCAS::error(__CLASS__ . '::' . __FUNCTION__ . '() should never be called');
}
/**
* Change CURL options.
* CURL is used to connect through HTTPS to CAS server
* @param $key the option key
* @param $value the value to set
*/
function setExtraCurlOption($key, $value)
{
global $PHPCAS_CLIENT;
phpCAS::traceBegin();
if (!is_object($PHPCAS_CLIENT)) {
phpCAS::error('this method should only be called after ' . __CLASS__ . '::client() or' . __CLASS__ . '::proxy()');
}
$PHPCAS_CLIENT->setExtraCurlOption($key, $value);
phpCAS::traceEnd();
}
/**
* This method is used to add header parameters when rebroadcasting
* pgtIou/pgtId or logoutRequest.
*
* @param String $header Header to send when rebroadcasting.
*
* @return void
*/
public static function addRebroadcastHeader($header)
{
phpCAS::traceBegin();
phpCAS::_validateClientExists();
try {
self::$_PHPCAS_CLIENT->addRebroadcastHeader($header);
} catch (Exception $e) {
phpCAS::error(get_class($e) . ': ' . $e->getMessage());
}
phpCAS::traceEnd();
}
/**
* This method is used to initialize the storage. Halts on error.
*
* @public
*/
function init()
{
phpCAS::traceBegin();
// if the storage has already been initialized, return immediatly
if ($this->isInitialized()) {
return;
}
// call the ancestor's method (mark as initialized)
parent::init();
// try to connect to the database
$this->_link = DB::connect($this->getURL());
if (DB::isError($this->_link)) {
phpCAS::error('could not connect to database (' . DB::errorMessage($this->_link) . ')');
}
var_dump($this->_link);
phpCAS::traceBEnd();
}
/**
* This method stores a PGT and its corresponding PGT Iou into a file. Echoes a
* warning on error.
*
* @param $pgt the PGT
* @param $pgt_iou the PGT iou
*
* @public
*/
function write($pgt, $pgt_iou)
{
phpCAS::traceBegin();
$fname = $this->getPGTIouFilename($pgt_iou);
if (!file_exists($fname)) {
if ($f = fopen($fname, "w")) {
if (fputs($f, $pgt) === FALSE) {
phpCAS::error('could not write PGT to `' . $fname . '\'');
}
fclose($f);
} else {
phpCAS::error('could not open `' . $fname . '\'');
}
} else {
phpCAS::error('File exists: `' . $fname . '\'');
}
phpCAS::traceEnd();
}
/**
* This method is used to acces a remote URL.
*
* @param string $url the URL to access.
* @param string &$headers an array containing the HTTP header lines of the
* response (an empty array on failure).
* @param string &$body the body of the response, as a string (empty on
* failure).
* @param string &$err_msg an error message, filled on failure.
*
* @return true on success, false otherwise (in this later case, $err_msg
* contains an error message).
*/
private function _readURL($url, &$headers, &$body, &$err_msg)
{
phpCAS::traceBegin();
$className = $this->_requestImplementation;
$request = new $className();
if (count($this->_curl_options)) {
$request->setCurlOptions($this->_curl_options);
}
$request->setUrl($url);
if (empty($this->_cas_server_ca_cert) && !$this->_no_cas_server_validation) {
phpCAS::error('one of the methods phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.');
}
if ($this->_cas_server_ca_cert != '') {
$request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate);
}
// add extra stuff if SAML
if ($this->getServerVersion() == SAML_VERSION_1_1) {
$request->addHeader("soapaction: http://www.oasis-open.org/committees/security");
$request->addHeader("cache-control: no-cache");
$request->addHeader("pragma: no-cache");
$request->addHeader("accept: text/xml");
$request->addHeader("connection: keep-alive");
$request->addHeader("content-type: text/xml");
$request->makePost();
$request->setPostBody($this->_buildSAMLPayload());
}
if ($request->send()) {
$headers = $request->getResponseHeaders();
$body = $request->getResponseBody();
$err_msg = '';
phpCAS::traceEnd(true);
return true;
} else {
$headers = '';
$body = '';
$err_msg = $request->getErrorMessage();
phpCAS::traceEnd(false);
return false;
}
}
/**
* Answer an array of proxies that are sitting in front of this application.
*
* This method will only return a non-empty array if we have received and validated
* a Proxy Ticket.
*
* @return array
* @access public
* @since 6/25/09
*/
public static function getProxies () {
global $PHPCAS_CLIENT;
if ( !is_object($PHPCAS_CLIENT) ) {
phpCAS::error('this method should only be called after '.__CLASS__.'::client()');
}
return($PHPCAS_CLIENT->getProxies());
}
/**
* This method stores a PGT and its corresponding PGT Iou in the database.
* Echoes a warning on error.
*
* @param string $pgt the PGT
* @param string $pgt_iou the PGT iou
*
* @return void
*/
public function write($pgt, $pgt_iou)
{
phpCAS::traceBegin();
// initialize the PDO object for this method
$pdo = $this->_getPdo();
$this->_setErrorMode();
try {
$pdo->beginTransaction();
$query = $pdo->prepare($this->storePgtSql());
$query->bindValue(':pgt', $pgt, PDO::PARAM_STR);
$query->bindValue(':pgt_iou', $pgt_iou, PDO::PARAM_STR);
$query->execute();
$query->closeCursor();
$pdo->commit();
} catch (PDOException $e) {
// attempt rolling back the transaction before throwing a phpCAS error
try {
$pdo->rollBack();
} catch (PDOException $e) {
}
phpCAS::error('error writing PGT to database: ' . $e->getMessage());
}
// reset the PDO object
$this->_resetErrorMode();
phpCAS::traceEnd();
}
/**
* This method reads a PGT corresponding to a PGT Iou and deletes the
* corresponding file.
*
* @param string $pgt_iou the PGT iou
*
* @return the corresponding PGT, or FALSE on error
*
* @public
*/
function read($pgt_iou)
{
phpCAS::traceBegin();
$pgt = false;
$fname = $this->getPGTIouFilename($pgt_iou);
if (file_exists($fname)) {
if (!($f = fopen($fname, "r"))) {
phpCAS::error('could not open `' . $fname . '\'');
} else {
if (($pgt = fgets($f)) === false) {
phpCAS::error('could not read PGT from `' . $fname . '\'');
}
phpCAS::trace('Successful read of PGT to `' . $fname . '\'');
fclose($f);
}
// delete the PGT file
@unlink($fname);
} else {
phpCAS::error('No such file `' . $fname . '\'');
}
phpCAS::traceEnd($pgt);
return $pgt;
}
/**
* Retrieve a Proxy Ticket from the CAS server.
*/
function retrievePT($target_service, &$err_code, &$err_msg)
{
global $PHPCAS_CLIENT;
if (!is_object($PHPCAS_CLIENT)) {
phpCAS::error('this method should only be called after ' . __CLASS__ . '::proxy()');
}
if (gettype($target_service) != 'string') {
phpCAS::error('type mismatched for parameter $target_service(should be `string\')');
}
return $PHPCAS_CLIENT->retrievePT($target_service, $err_code, $err_msg);
}
/**
* This method is used to add header parameters when rebroadcasting
* pgtIou/pgtId or logoutRequest.
*
* @param String $header Header to send when rebroadcasting.
*
* @return void
*/
public static function addRebroadcastHeader($header)
{
phpCAS::traceBegin();
if (!is_object(self::$_PHPCAS_CLIENT)) {
phpCAS::error('this method should only be called after ' . __CLASS__ . '::client() or' . __CLASS__ . '::proxy()');
}
self::$_PHPCAS_CLIENT->addRebroadcastHeader($header);
phpCAS::traceEnd();
}
/**
* This method is used to acces a remote URL.
*
* @param $url the URL to access.
* @param $cookies an array containing cookies strings such as 'name=val'
* @param $headers an array containing the HTTP header lines of the response
* (an empty array on failure).
* @param $body the body of the response, as a string (empty on failure).
* @param $err_msg an error message, filled on failure.
*
* @return TRUE on success, FALSE otherwise (in this later case, $err_msg
* contains an error message).
*
* @private
*/
function readURL($url, $cookies, &$headers, &$body, &$err_msg)
{
phpCAS::traceBegin();
$headers = '';
$body = '';
$err_msg = '';
$res = TRUE;
// initialize the CURL session
$ch = curl_init($url);
if (version_compare(PHP_VERSION, '5.1.3', '>=')) {
//only avaible in php5
curl_setopt_array($ch, $this->_curl_options);
} else {
foreach ($this->_curl_options as $key => $value) {
curl_setopt($ch, $key, $value);
}
}
if ($this->_cas_server_cert == '' && $this->_cas_server_ca_cert == '' && !$this->_no_cas_server_validation) {
phpCAS::error('one of the methods phpCAS::setCasServerCert(), phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.');
}
if ($this->_cas_server_cert != '') {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSLCERT, $this->_cas_server_cert);
} else {
if ($this->_cas_server_ca_cert != '') {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_CAINFO, $this->_cas_server_ca_cert);
} else {
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
}
}
// return the CURL output into a variable
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// get the HTTP header with a callback
$this->_curl_headers = array();
// empty the headers array
curl_setopt($ch, CURLOPT_HEADERFUNCTION, array($this, '_curl_read_headers'));
// add cookies headers
if (is_array($cookies)) {
curl_setopt($ch, CURLOPT_COOKIE, implode(';', $cookies));
}
// perform the query
$buf = curl_exec($ch);
if ($buf === FALSE) {
phpCAS::trace('curl_exec() failed');
$err_msg = 'CURL error #' . curl_errno($ch) . ': ' . curl_error($ch);
// close the CURL session
curl_close($ch);
$res = FALSE;
} else {
// close the CURL session
curl_close($ch);
$headers = $this->_curl_headers;
$body = $buf;
}
phpCAS::traceEnd($res);
return $res;
}
/**
* This method is used to acces a remote URL.
*
* @param $url the URL to access.
* @param $cookies an array containing cookies strings such as 'name=val'
* @param $headers an array containing the HTTP header lines of the response
* (an empty array on failure).
* @param $body the body of the response, as a string (empty on failure).
* @param $err_msg an error message, filled on failure.
*
* @return TRUE on success, FALSE otherwise (in this later case, $err_msg
* contains an error message).
*
* @private
*/
function readURL($url, $cookies, &$headers, &$body, &$err_msg)
{
phpCAS::traceBegin();
$headers = '';
$body = '';
$err_msg = '';
$res = TRUE;
// initialize the CURL session
$ch = curl_init($url);
if (version_compare(PHP_VERSION, '5.1.3', '>=')) {
//only avaible in php5
curl_setopt_array($ch, $this->_curl_options);
} else {
foreach ($this->_curl_options as $key => $value) {
curl_setopt($ch, $key, $value);
}
}
if ($this->_cas_server_cert == '' && $this->_cas_server_ca_cert == '' && !$this->_no_cas_server_validation) {
phpCAS::error('one of the methods phpCAS::setCasServerCert(), phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.');
}
if ($this->_cas_server_cert != '' && $this->_cas_server_ca_cert != '') {
// This branch added by IDMS. Seems phpCAS implementor got a bit confused about the curl options CURLOPT_SSLCERT and CURLOPT_CAINFO
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($ch, CURLOPT_SSLCERT, $this->_cas_server_cert);
curl_setopt($ch, CURLOPT_CAINFO, $this->_cas_server_ca_cert);
curl_setopt($ch, CURLOPT_VERBOSE, '1');
phpCAS::trace('CURL: Set all required opts for mutual authentication ------');
} else {
if ($this->_cas_server_cert != '') {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSLCERT, $this->_cas_server_cert);
} else {
if ($this->_cas_server_ca_cert != '') {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_CAINFO, $this->_cas_server_ca_cert);
} else {
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
}
}
}
// return the CURL output into a variable
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// get the HTTP header with a callback
$this->_curl_headers = array();
// empty the headers array
curl_setopt($ch, CURLOPT_HEADERFUNCTION, array($this, '_curl_read_headers'));
// add cookies headers
if (is_array($cookies)) {
curl_setopt($ch, CURLOPT_COOKIE, implode(';', $cookies));
}
// add extra stuff if SAML
if ($this->hasSA()) {
$more_headers = array("soapaction: http://www.oasis-open.org/committees/security", "cache-control: no-cache", "pragma: no-cache", "accept: text/xml", "connection: keep-alive", "content-type: text/xml");
curl_setopt($ch, CURLOPT_HTTPHEADER, $more_headers);
curl_setopt($ch, CURLOPT_POST, 1);
$data = $this->buildSAMLPayload();
//phpCAS::trace('SAML Payload: '.print_r($data, TRUE));
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
// perform the query
$buf = curl_exec($ch);
//phpCAS::trace('CURL: Call completed. Response body is: \''.$buf.'\'');
if ($buf === FALSE) {
phpCAS::trace('curl_exec() failed');
$err_msg = 'CURL error #' . curl_errno($ch) . ': ' . curl_error($ch);
//phpCAS::trace('curl error: '.$err_msg);
// close the CURL session
curl_close($ch);
$res = FALSE;
} else {
// close the CURL session
curl_close($ch);
$headers = $this->_curl_headers;
$body = $buf;
}
phpCAS::traceEnd($res);
return $res;
}
/**
* Renaming the session
*
* @param string $ticket name of the ticket
*
* @return void
*/
private function _renameSession($ticket)
{
phpCAS::traceBegin();
if ($this->getChangeSessionID()) {
if (!empty($this->_user)) {
$old_session = $_SESSION;
session_destroy();
// set up a new session, of name based on the ticket
$session_id = preg_replace('/[^a-zA-Z0-9\\-]/', '', $ticket);
phpCAS::trace("Session ID: " . $session_id);
session_id($session_id);
session_start();
phpCAS::trace("Restoring old session vars");
$_SESSION = $old_session;
} else {
phpCAS::error('Session should only be renamed after successfull authentication');
}
} else {
phpCAS::trace("Skipping session rename since phpCAS is not handling the session.");
}
phpCAS::traceEnd();
}
/**
* This method is used to initialize the storage. Halts on error.
*
* @public
*/
function init()
{
phpCAS::traceBegin();
// if the storage has already been initialized, return immediatly
if ($this->isInitialized()) {
return;
}
// call the ancestor's method (mark as initialized)
parent::init();
//include phpDB library (the test was introduced in release 0.4.8 for
//the integration into Tikiwiki).
if (!class_exists('DB')) {
include_once 'DB.php';
}
// try to connect to the database
$this->_link = DB::connect($this->getURL());
if (DB::isError($this->_link)) {
phpCAS::error('could not connect to database (' . DB::errorMessage($this->_link) . ')');
}
var_dump($this->_link);
phpCAS::traceBEnd();
}
/**
* This method is used to tell phpCAS to store the response of the
* CAS server to PGT requests into a database.
* @note The connection to the database is done only when needed.
* As a consequence, bad parameters are detected only when
* initializing PGT storage.
*
* @param $user the user to access the data with
* @param $password the user's password
* @param $database_type the type of the database hosting the data
* @param $hostname the server hosting the database
* @param $port the port the server is listening on
* @param $database the name of the database
* @param $table the name of the table storing the data
*
* @public
*/
function setPGTStorageDB($user, $password, $database_type, $hostname, $port, $database, $table)
{
// check that the storage has not already been set
if (is_object($this->_pgt_storage)) {
phpCAS::error('PGT storage already defined');
}
// warn the user that he should use file storage...
trigger_error('PGT storage into database is an experimental feature, use at your own risk', E_USER_WARNING);
// create the storage object
$this->_pgt_storage =& new PGTStorageDB($this, $user, $password, $database_type, $hostname, $port, $database, $table);
}
/**
* This method is used to logout from CAS. Halts by redirecting to the CAS server.
* @param $url a URL that will be transmitted to the CAS server (to come back to when logged out)
*/
function logout($url = "")
{
global $PHPCAS_CLIENT;
phpCAS::traceBegin();
if (!is_object($PHPCAS_CLIENT)) {
phpCAS::error('this method should only be called after ' . __CLASS__ . '::client() or' . __CLASS__ . '::proxy()');
}
$PHPCAS_CLIENT->logout($url);
// never reached
phpCAS::traceEnd();
}
