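/**
 * Dispatches the authentication API command: 'logout', 'getuserdata' or 'session'.
 *
 * 'logout'      ends the session for one authority and redirects to 'session'.
 * 'getuserdata' returns the current user's own data (optionally one key).
 * 'session'     returns the session id, the login token and the logged-in
 *               user(s); requested version 2 lists every identity in the
 *               session, version 1 only the primary user.
 *
 * @throws KurogoConfigurationException when AUTHENTICATION_ENABLED is off
 */
public function initializeForCommand() {
    if (!Kurogo::getSiteVar('AUTHENTICATION_ENABLED')) {
        throw new KurogoConfigurationException("Authentication is not enabled on this site");
    }

    switch ($this->command) {
        case 'logout':
            if (!$this->isLoggedIn()) {
                $this->redirectTo('session');
            } else {
                $session = $this->getSession();
                $user = $this->getUser();
                $hard = $this->getArg('hard', false);
                $authorityIndex = $this->getArg('authority', false);

                // 'authority' is client supplied. Elsewhere in this code base
                // getAuthenticationAuthority() is checked for a false return, so
                // an unknown index must not reach $session->logout() as an empty
                // value: fall back to the authority the current user came from.
                $authority = false;
                if ($authorityIndex) {
                    $authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex);
                }
                if (!$authority) {
                    $authority = $user->getAuthenticationAuthority();
                }

                $session->logout($authority, $hard);
                $this->redirectTo('session');
            }
            // Both branches redirect. Should redirectTo() ever return, emit a
            // well-formed empty v1 response (the original used an undefined
            // $response here).
            $this->setResponse(null);
            $this->setResponseVersion(1);
            break;

        case 'getuserdata':
            $key = $this->getArg('key', null);
            $user = $this->getUser();
            // Only the requesting user's own data is exposed; a null key returns
            // whatever getUserData() treats as "everything".
            $response = $user->getUserData($key);
            $this->setResponse($response);
            $this->setResponseVersion(1);
            break;

        case 'session':
            $session = $this->getSession();
            // NOTE(review): 'token' is presumably the persistent login token that
            // the session later accepts from a cookie, i.e. a bearer credential —
            // this response must only be served over TLS and never cached.
            $response = array(
                'session_id' => $session->getSessionID(),
                'token' => $session->getLoginToken(),
            );

            if ($this->requestedVersion == 2) {
                // version 2 implements multiple identities, keyed by authority index
                $response['users'] = array();
                foreach ($session->getUsers() as $sessionUser) {
                    $authority = $sessionUser->getAuthenticationAuthority();
                    $response['users'][$authority->getAuthorityIndex()] = array(
                        'authority' => $authority->getAuthorityIndex(),
                        'authorityTitle' => $authority->getAuthorityTitle(),
                        'userID' => $sessionUser->getUserID(),
                        'name' => $sessionUser->getFullName(),
                        'sessiondata' => $sessionUser->getSessionData(),
                    );
                }
                $this->setResponseVersion(2);
            } else {
                // version 1 assumes only 1 user
                $user = $this->getUser();
                $response['user'] = array(
                    'authority' => $user->getAuthenticationAuthorityIndex(),
                    'userID' => $user->getUserID(),
                    'name' => $user->getFullName(),
                    'sessiondata' => $user->getSessionData(),
                );
                $this->setResponseVersion(1);
            }
            $this->setResponse($response);
            break;

        default:
            $this->invalidCommand();
            break;
    }
}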
/**
 * Completes initialization by falling back to the 'GoogleAppsAuthentication'
 * authority when the parent init left $this->authority unset.
 *
 * @param array $args controller arguments, passed through to the parent
 */
public function init($args) {
    parent::init($args);

    // An authority may already have been chosen by the parent (e.g. from an
    // AUTHORITY argument); only look the default one up when it was not.
    if ($this->authority) {
        return;
    }

    $fallback = AuthenticationAuthority::getAuthenticationAuthority('GoogleAppsAuthentication');
    if ($fallback) {
        $this->setAuthority($fallback);
    }
}
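/**
 * Initializes the authority objects based on an associative array of arguments
 * @param array $args an associate array of arguments. The argument list is dependent on the authority
 *
 * General - Required keys:
 *   TITLE => The human readable title of the AuthorityImage
 *   INDEX => The tag used to identify this authority @see AuthenticationAuthority::getAuthenticationAuthority
 *
 * General - Optional keys:
 *   LOGGEDIN_IMAGE_URL => a url to an image/badge that is placed next to the user name when logged in
 *
 * CAS - Required keys:
 *   CAS_PROTOCOL => The protocol to use. Should be equivalent to one of the phpCAS constants, e.g. "2.0":
 *                   CAS_VERSION_1_0 => '1.0', CAS_VERSION_2_0 => '2.0', SAML_VERSION_1_1 => 'S1'
 *   CAS_HOST     => The host name of the CAS server, e.g. "cas.example.edu"
 *   CAS_PORT     => The port the CAS server is listening on, e.g. "443"
 *   CAS_PATH     => The path of the CAS application, e.g. "/cas/"
 *   CAS_CA_CERT  => The filesystem path to a CA certificate that will be used to validate the authenticity
 *                   of the CAS server, e.g. "/etc/tls/pki/certs/my_ca_cert.crt". If empty, no certificate
 *                   validation will be performed (NOT safe for production: any TLS peer is then accepted
 *                   as the CAS server; a warning is logged when this happens).
 *
 * CAS - Optional keys:
 *   CAS_PHPCAS_PATH              => Directory holding CAS.php. When empty, CAS.php is loaded from the include path.
 *   CAS_PROXY_INIT               => When non-empty the client is initialized in proxy mode (phpCAS::proxy).
 *   CAS_PROXY_TICKET_PATH        => Proxy mode only: directory used for proxy-granting-ticket storage.
 *   CAS_PROXY_FIXED_CALLBACK_URL => Proxy mode only: fixed callback URL handed to phpCAS::setFixedCallbackURL.
 *   ATTRA_EMAIL      => Attribute name for the user's email address, e.g. "email". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *   ATTRA_FIRST_NAME => Attribute name for the user's first name, e.g. "givename". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *   ATTRA_LAST_NAME  => Attribute name for the user's last name, e.g. "surname". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *   ATTRA_FULL_NAME  => Attribute name for the user's full name, e.g. "displayname". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *   ATTRA_MEMBER_OF  => Attribute name for the user's groups, e.g. "memberof". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *
 * NOTE: Any subclass MUST call parent::init($args) to ensure proper operation
 *
 * @throws KurogoConfigurationException when CAS_PROTOCOL, CAS_HOST, CAS_PORT or CAS_PATH is missing
 */
public function init($args) {
    parent::init($args);

    // include the PHPCAS library. CAS_PHPCAS_PATH comes from the site
    // configuration (not from the request), so this include path is trusted
    // to the same degree as the rest of the config.
    if (empty($args['CAS_PHPCAS_PATH'])) {
        require_once 'CAS.php';
    } else {
        require_once $args['CAS_PHPCAS_PATH'] . '/CAS.php';
    }

    foreach (array('CAS_PROTOCOL', 'CAS_HOST', 'CAS_PORT', 'CAS_PATH') as $required) {
        if (empty($args[$required])) {
            throw new KurogoConfigurationException($required . ' value not set for ' . $this->AuthorityTitle);
        }
    }

    if (empty($args['CAS_PROXY_INIT'])) {
        phpCAS::client($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);
    } else {
        phpCAS::proxy($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);
        if (!empty($args['CAS_PROXY_TICKET_PATH'])) {
            phpCAS::setPGTStorageFile('', $args['CAS_PROXY_TICKET_PATH']);
        }
        if (!empty($args['CAS_PROXY_FIXED_CALLBACK_URL'])) {
            phpCAS::setFixedCallbackURL($args['CAS_PROXY_FIXED_CALLBACK_URL']);
        }
    }

    if (empty($args['CAS_CA_CERT'])) {
        // Without a CA certificate phpCAS performs no validation of the CAS
        // server's TLS identity, so an on-path attacker could answer ticket
        // validation requests. Tolerated for development, but make it loud so
        // it does not go unnoticed in a production deployment.
        Kurogo::log(LOG_WARNING, 'CAS_CA_CERT not set for ' . $this->AuthorityTitle . ': CAS server certificate validation is DISABLED', 'auth');
        phpCAS::setNoCasServerValidation();
    } else {
        phpCAS::setCasServerCACert($args['CAS_CA_CERT']);
    }

    // Record any attribute mapping configured.
    $attributeMap = array(
        'ATTRA_EMAIL' => 'Email',
        'ATTRA_FIRST_NAME' => 'FirstName',
        'ATTRA_LAST_NAME' => 'LastName',
        'ATTRA_FULL_NAME' => 'FullName',
        // group membership, if the CAS server exposes it
        'ATTRA_MEMBER_OF' => 'MemberOf',
    );
    foreach ($attributeMap as $configKey => $userField) {
        if (!empty($args[$configKey])) {
            CASUser::mapAttribute($userField, $args[$configKey]);
        }
    }
}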
/**
 * Binds this controller to a Google Apps authority and installs the standard filters.
 *
 * The authority index is taken from the AUTHORITY argument, defaulting to
 * 'GoogleAppsAuthentication'. Whatever is looked up is only kept when it is
 * an instance of GoogleAppsAuthentication (this also discards a false/null
 * lookup result).
 *
 * @param array $args controller arguments
 */
protected function init($args) {
    parent::init($args);

    // either get the specified authority or attempt to get a GoogleApps authority
    $index = 'GoogleAppsAuthentication';
    if (isset($args['AUTHORITY'])) {
        $index = $args['AUTHORITY'];
    }
    $candidate = AuthenticationAuthority::getAuthenticationAuthority($index);

    // make sure we're getting a google apps authority
    if ($candidate instanceof GoogleAppsAuthentication) {
        $this->authority = $candidate;
    }

    $this->addStandardFilters();
}
/**
 * Reads the Shibboleth attribute configuration.
 *
 * SHIB_EMAIL_FIELD, SHIB_FIRSTNAME_FIELD, SHIB_LASTNAME_FIELD and
 * SHIB_FULLNAME_FIELD (case-insensitive) each name the $_SERVER variable that
 * carries that user attribute; SHIB_ATTRIBUTES, when an array, is stored as
 * the attribute list.
 *
 * NOTE(review): the $_SERVER variables are expected to be set by the
 * Shibboleth SP in front of PHP — confirm the web server strips any
 * client-supplied request headers of the same names, otherwise a request
 * could spoof these attributes.
 *
 * @param array $args authority arguments
 */
public function init($args) {
    parent::init($args);

    // set field map using SHIB_XXX_FIELD = "" maps to $_SERVER values
    $fieldPattern = "/^shib_(email|firstname|lastname|fullname)_field\$/";
    foreach ($args as $name => $serverVariable) {
        if (!preg_match($fieldPattern, strtolower($name), $match)) {
            continue;
        }
        $this->fieldMap[strtolower($match[1])] = $serverVariable;
    }

    $attributes = isset($args['SHIB_ATTRIBUTES']) ? $args['SHIB_ATTRIBUTES'] : null;
    if (is_array($attributes)) {
        $this->attributes = $attributes;
    }
}
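/**
 * Starts (or joins) the PHP session and restores the logged-in user.
 *
 * Session files live under CACHE_DIR/session (created 0700 on demand); the
 * cookie is named after SITE_KEY, scoped to COOKIE_PATH, and the session id
 * is accepted from cookies only. When $_SESSION['auth'] names an authority
 * and the idle timeout (AUTHENTICATION_IDLE_TIMEOUT seconds since
 * $_SESSION['ping'], 0 disables it) has not elapsed, the user recorded in
 * $_SESSION['auth_userID'] is reloaded from that authority. Otherwise the
 * request runs as AnonymousUser.
 */
public function __construct() {
    if (!isset($_SESSION)) {
        if (!is_dir(CACHE_DIR . "/session")) {
            mkdir(CACHE_DIR . "/session", 0700, true);
        }
        ini_set('session.save_path', CACHE_DIR . "/session");
        ini_set('session.name', SITE_KEY);
        ini_set('session.use_only_cookies', 1);
        ini_set('session.cookie_path', COOKIE_PATH);
        // The session cookie is the only thing tying a request to the
        // authenticated user; keep it out of reach of script (XSS).
        ini_set('session.cookie_httponly', 1);
        session_start();
    }

    $user = new AnonymousUser();

    if (isset($_SESSION['auth'])) {
        $maxIdleTime = intval($GLOBALS['siteConfig']->getVar('AUTHENTICATION_IDLE_TIMEOUT'));
        $lastPing = isset($_SESSION['ping']) ? $_SESSION['ping'] : 0;
        $idleSeconds = time() - $lastPing;

        if ($maxIdleTime && ($idleSeconds > $maxIdleTime)) {
            // Idle too long. Previously nothing was cleared here, so the stale
            // login stayed in $_SESSION; if 'ping' is refreshed elsewhere on a
            // later request the login could have come back. Drop it so the
            // timeout actually ends the authenticated session. (A "session
            // expired" message could still be shown from here if wanted.)
            unset($_SESSION['auth'], $_SESSION['auth_userID']);
        } elseif ($authority = AuthenticationAuthority::getAuthenticationAuthority($_SESSION['auth'])) {
            $auth_userID = isset($_SESSION['auth_userID']) ? $_SESSION['auth_userID'] : '';
            if ($auth_userID) {
                if ($_user = $authority->getUser($auth_userID)) {
                    $user = $_user;
                } else {
                    // The authority no longer knows this user: stay anonymous.
                    error_log("Error trying to load user $auth_userID");
                }
            }
        }
    }

    $this->setUser($user);
}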
/**
 * Configures the data controller from its argument array.
 *
 * Handles DEBUG_MODE, OPTIONS (array), AUTHORITY (authority index), then
 * chooses the parser class — PARSER_CLASS, else the controller's
 * DEFAULT_PARSER_CLASS property, else a non-empty DEFAULT_PARSER_CLASS
 * argument, else 'PassthroughDataParser' — and the cache class
 * (CACHE_CLASS, default 'DataCache'). Both class names come from the
 * configuration, not from the request, and are handed to the factories.
 *
 * @param array $args controller arguments (kept in $this->initArgs)
 */
protected function init($args) {
    $this->initArgs = $args;

    if (isset($args['DEBUG_MODE'])) {
        $this->setDebugMode($args['DEBUG_MODE']);
    }

    if (isset($args['OPTIONS']) && is_array($args['OPTIONS'])) {
        $this->setOptions($args['OPTIONS']);
    }

    if (isset($args['AUTHORITY'])) {
        $authority = AuthenticationAuthority::getAuthenticationAuthority($args['AUTHORITY']);
        if ($authority) {
            $this->setAuthority($authority);
        }
    }

    // Resolve the parser class, in order of precedence.
    if (!isset($args['PARSER_CLASS'])) {
        $parserClass = 'PassthroughDataParser';
        if ($this->DEFAULT_PARSER_CLASS) {
            $parserClass = $this->DEFAULT_PARSER_CLASS;
        } elseif (isset($args['DEFAULT_PARSER_CLASS']) && strlen($args['DEFAULT_PARSER_CLASS'])) {
            $parserClass = $args['DEFAULT_PARSER_CLASS'];
        }
        $args['PARSER_CLASS'] = $parserClass;
    }

    if (!isset($args['CACHE_LIFETIME'])) {
        $args['CACHE_LIFETIME'] = $this->DEFAULT_CACHE_LIFETIME;
    }

    // instantiate the parser class
    $this->setParser(DataParser::factory($args['PARSER_CLASS'], $args));

    $cacheClass = 'DataCache';
    if (isset($args['CACHE_CLASS'])) {
        $cacheClass = $args['CACHE_CLASS'];
    }
    $this->cache = DataCache::factory($cacheClass, $args);
}
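/**
 * Attempts to restore the users of a persistent ("remain logged in") cookie.
 *
 * Reads the token / user-hash cookie pair (the regular pair first, then the
 * API pair), looks the token up with getLoginTokenData(), and — only when
 * the hash of the stored user list matches the cookie hash — reloads each
 * listed user from its authority. On a mismatch, or when no user could be
 * loaded, the token is cleared with clearLoginToken().
 *
 * @return array|false list of User objects, or false when no valid login cookie is present
 */
private function getLoginCookie() {
    $token = '';
    $hash = '';

    if (isset($_COOKIE[self::TOKEN_COOKIE], $_COOKIE[self::USERHASH_COOKIE])) {
        $token = $_COOKIE[self::TOKEN_COOKIE];
        $hash = $_COOKIE[self::USERHASH_COOKIE];
    } elseif (isset($_COOKIE[self::API_TOKEN_COOKIE], $_COOKIE[self::API_USERHASH_COOKIE])) {
        $token = $_COOKIE[self::API_TOKEN_COOKIE];
        $hash = $_COOKIE[self::API_USERHASH_COOKIE];
    }

    // PHP decodes "name[]=x" cookies into arrays; anything but a plain string
    // is treated as "no cookie".
    if (!is_string($token) || !is_string($hash)) {
        $token = '';
        $hash = '';
    }

    // a token exists
    if ($token) {
        //get the token data
        if ($data = $this->getLoginTokenData($token)) {
            $this->login_token = $token;
            $users = array();

            // Validate the hash. This is the integrity check on the stored user
            // list, so compare strictly: PHP's == would treat two numeric-looking
            // digests (e.g. "0e123..." and "0e456...") as equal. Use the
            // constant-time comparison where this PHP provides it.
            $expected = (string) $this->getUserHash($data['data']);
            if (function_exists('hash_equals')) {
                $hashMatches = hash_equals($expected, $hash);
            } else {
                $hashMatches = ($expected === $hash);
            }

            if ($hashMatches) {
                foreach ($data['data'] as $userData) {
                    // attempt to get the user
                    if ($authority = AuthenticationAuthority::getAuthenticationAuthority($userData['auth'])) {
                        if ($user = $authority->getUser($userData['userID'])) {
                            $user->setSessionData($userData['data']);
                            $users[] = $user;
                        } else {
                            Kurogo::log(LOG_WARNING, "Unable to load user " . $userData['userID'] . " for " . $userData['auth'], 'session');
                        }
                    } else {
                        Kurogo::log(LOG_WARNING, "Unable to load authority " . $userData['auth'], 'session');
                    }
                }

                if (count($users) > 0) {
                    return $users;
                }
            }
        }

        // something did not match so clean up
        $this->clearLoginToken();
    }

    return false;
}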
/**
 * Records the password/group file paths for this authority.
 *
 * PASSWD_USER_FILE and PASSWD_GROUP_FILE are optional arguments (null when
 * absent). When the authority is used for logins (userLogin other than
 * 'NONE' — presumably set by parent::init, confirm) the user file must be
 * readable.
 *
 * @param array $args authority arguments
 * @throws Exception when the authority logs users in but the user file cannot be read
 */
public function init($args) {
    parent::init($args);
    if (!is_array($args)) {
        $args = array();
    }

    $this->userFile = null;
    if (isset($args['PASSWD_USER_FILE'])) {
        $this->userFile = $args['PASSWD_USER_FILE'];
    }

    $this->groupFile = null;
    if (isset($args['PASSWD_GROUP_FILE'])) {
        $this->groupFile = $args['PASSWD_GROUP_FILE'];
    }

    $usedForLogin = ($this->userLogin != 'NONE');
    if ($usedForLogin && !is_readable($this->userFile)) {
        throw new Exception("Unable to load password file $this->userFile");
    }
}
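/**
 * Dispatches the authentication API command: 'logout', 'getuserdata' or 'session'.
 *
 * 'logout'      ends the session for one authority and redirects to 'session'.
 * 'getuserdata' returns the current user's own data (optionally one key).
 * 'session'     returns the session id, the login token and the primary user
 *               (this version of the module knows a single user only).
 *
 * @throws Exception when AUTHENTICATION_ENABLED is off
 */
public function initializeForCommand() {
    if (!Kurogo::getSiteVar('AUTHENTICATION_ENABLED')) {
        throw new Exception("Authentication is not enabled on this site");
    }

    switch ($this->command) {
        case 'logout':
            if (!$this->isLoggedIn()) {
                $this->redirectTo('session');
            } else {
                $session = $this->getSession();
                $user = $this->getUser();
                $hard = $this->getArg('hard', false);
                $authorityIndex = $this->getArg('authority', false);

                // 'authority' is client supplied. getAuthenticationAuthority() is
                // checked for a false return elsewhere in this code base, so an
                // unknown index must not reach $session->logout() as an empty
                // value: fall back to the authority the current user came from.
                $authority = false;
                if ($authorityIndex) {
                    $authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex);
                }
                if (!$authority) {
                    $authority = $user->getAuthenticationAuthority();
                }

                $session->logout($authority, $hard);
                $this->redirectTo('session');
            }
            // Both branches redirect. Should redirectTo() ever return, emit a
            // well-formed empty v1 response (the original used an undefined
            // $response here).
            $this->setResponse(null);
            $this->setResponseVersion(1);
            break;

        case 'getuserdata':
            $key = $this->getArg('key', null);
            $user = $this->getUser();
            // Only the requesting user's own data is exposed.
            $response = $user->getUserData($key);
            $this->setResponse($response);
            $this->setResponseVersion(1);
            break;

        case 'session':
            $session = $this->getSession();
            $user = $this->getUser();
            // NOTE(review): 'token' is presumably the persistent login token the
            // session later accepts from a cookie, i.e. a bearer credential —
            // serve this response over TLS only and never cache it.
            $response = array(
                'session_id' => $session->getSessionID(),
                'token' => $session->getLoginToken(),
                'user' => array(
                    'authority' => $user->getAuthenticationAuthorityIndex(),
                    'userID' => $user->getUserID(),
                    'name' => $user->getFullName(),
                    'sessiondata' => $user->getSessionData(),
                ),
            );
            $this->setResponse($response);
            $this->setResponseVersion(1);
            break;

        default:
            $this->invalidCommand();
            break;
    }
}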
/**
 * Loads the users that belong to this group.
 *
 * Selects the member rows of the owning authority's 'groupmembers' table
 * whose 'groupmember_group' column equals this group's 'group_groupmember'
 * property. When the authority defines a 'group_authority' field the member
 * authority column is selected as well, and a member whose own
 * 'groupmember_authority' field is configured is resolved through the
 * authority named in its row; otherwise members are resolved through this
 * group's authority. Members whose authority or user cannot be loaded are
 * skipped.
 *
 * Table and column names come from the authority's field configuration, not
 * from the request; the group value itself is bound as a query parameter.
 * NOTE(review): the loop reads $row[getField('userID')] / $row[getField('authority')]
 * while the SELECT names the 'groupmember_user' / 'groupmember_authority'
 * columns — this only works when those field names coincide; confirm.
 *
 * @return array list of User objects
 */
public function getMembers() {
    $auth = $this->AuthenticationAuthority;
    $property = $auth->getField('group_groupmember');
    $table = $auth->getTable('groupmembers');
    $groupColumn = $auth->getField('groupmember_group');
    $userColumn = $auth->getField('groupmember_user');

    if ($auth->getField('group_authority')) {
        $sql = sprintf("SELECT `%s`,`%s` FROM `%s` WHERE %s=?",
            $auth->getField('groupmember_authority'), $userColumn, $table, $groupColumn);
    } else {
        $sql = sprintf("SELECT `%s` FROM `%s` WHERE %s=?", $userColumn, $table, $groupColumn);
    }

    $result = $auth->connection()->query($sql, array($this->{$property}));

    $members = array();
    while ($row = $result->fetch()) {
        $userID = $row[$auth->getField('userID')];

        if ($auth->getField('groupmember_authority')) {
            // each row names the authority its member belongs to
            $memberAuthority = AuthenticationAuthority::getAuthenticationAuthority($row[$auth->getField('authority')]);
            if (!$memberAuthority) {
                continue;
            }
        } else {
            $memberAuthority = $this->getAuthenticationAuthority();
        }

        $member = $memberAuthority->getUser($userID);
        if ($member) {
            $members[] = $member;
        }
    }

    return $members;
}
/**
 * Stores the API credentials and any access token saved in the session.
 *
 * @param array $args authority arguments; API_KEY and API_SECRET are required and must be non-empty
 * @throws Exception when either credential is missing or empty
 */
public function init($args) {
    parent::init($args);
    if (!is_array($args)) {
        $args = array();
    }

    $key = isset($args['API_KEY']) ? $args['API_KEY'] : '';
    $secret = isset($args['API_SECRET']) ? $args['API_SECRET'] : '';
    if (strlen($key) == 0 || strlen($secret) == 0) {
        throw new Exception("API key and secret not set");
    }
    $this->api_key = $key;
    $this->api_secret = $secret;

    // resume with a token obtained earlier in this session, if any
    if (isset($_SESSION['fb_access_token'])) {
        $this->access_token = $_SESSION['fb_access_token'];
    }
}
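/**
 * Sees if the given user matches the rule
 * @param User $user a valid user object
 * @return mixed, the action if the user matches the rule or false if the rule did not match
 *
 * Rule values for RULE_TYPE_USER and RULE_TYPE_GROUP are written as
 * "AUTHORITY|value"; a bare "value" uses the default authority. A value
 * containing more than one "|" is malformed and never matches. (Previously
 * such a value left $authority / $userID unset, and a loose comparison of
 * those nulls against an anonymous user's empty identity could have matched.)
 */
public function evaluateForUser(User $user) {
    switch ($this->ruleType) {
        case self::RULE_TYPE_AUTHORITY:
            if ($this->ruleValue == self::RULE_VALUE_ALL) {
                /* ALL: the userID and authority must both be set — this will NOT match an anonymous user */
                if ($user->getUserID() && $user->getAuthenticationAuthority()) {
                    return $this->ruleAction;
                }
            } elseif ($user->getUserID() && $user->getAuthenticationAuthorityIndex() == $this->ruleValue) {
                /* Otherwise the userID must be set and the authority must match the rule value */
                return $this->ruleAction;
            }
            break;

        case self::RULE_TYPE_USER:
            /* ALL: any user with a userID — this will NOT match an anonymous user */
            if ($this->ruleValue == self::RULE_VALUE_ALL) {
                if ($user->getUserID()) {
                    return $this->ruleAction;
                }
                break;
            }

            /* user values are specified as AUTHORITY|userID */
            $parts = explode("|", $this->ruleValue);
            if (count($parts) == 1) {
                $authority = AuthenticationAuthority::getDefaultAuthenticationAuthorityIndex();
                $userID = $parts[0];
            } elseif (count($parts) == 2) {
                list($authority, $userID) = $parts;
            } else {
                /* malformed rule value: refuse rather than match */
                break;
            }

            /* see if the userID/email and authority match */
            if ($user->getAuthenticationAuthorityIndex() == $authority) {
                if ($userID == self::RULE_VALUE_ALL) {
                    if ($user->getUserID()) {
                        return $this->ruleAction;
                    }
                } elseif ($user->getUserID() == $userID
                    || (Validator::isValidEmail($userID) && $user->getEmail() == $userID)) {
                    /* can match either userID or email */
                    return $this->ruleAction;
                }
            }
            break;

        case self::RULE_TYPE_GROUP:
            /* Note: a group value of ALL is not valid */
            /* group values are specified as AUTHORITY|group */
            $parts = explode("|", $this->ruleValue);
            if (count($parts) == 1) {
                $authorityIndex = AuthenticationAuthority::getDefaultAuthenticationAuthorityIndex();
                $groupName = $parts[0];
            } elseif (count($parts) == 2) {
                list($authorityIndex, $groupName) = $parts;
            } else {
                /* malformed rule value: refuse rather than match */
                break;
            }

            /* attempt to load the authority, then get the group */
            if ($authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex)) {
                if ($group = $authority->getGroup($groupName)) {
                    /* see if the user is a member of the group */
                    if ($group->userIsMember($user)) {
                        return $this->ruleAction;
                    }
                }
            }
            break;

        case self::RULE_TYPE_EVERYONE:
            /* always matches */
            return $this->ruleAction;
    }

    return false;
}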
/**
 * Installs the authority and, for an OAuth authority, its OAuth provider.
 *
 * The provider is fetched from the authority, remembered in
 * $this->OAuthProvider and handed to initOAuthProvider() before the parent
 * records the authority itself.
 *
 * @param AuthenticationAuthority $authority
 */
protected function setAuthority(AuthenticationAuthority $authority) {
    $usesOAuth = $authority instanceof OAuthAuthentication;
    if ($usesOAuth) {
        $provider = $authority->getOAuthProvider();
        $this->OAuthProvider = $provider;
        $this->initOAuthProvider($provider);
    }
    parent::setAuthority($authority);
}
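/**
 * Stores the Facebook API credentials, a session-saved access token and the
 * requested permissions.
 *
 * @param array $args authority arguments; FACEBOOK_API_KEY and FACEBOOK_API_SECRET are
 *                    required and must be non-empty; FACEBOOK_API_PERMS (list or single
 *                    string) is merged into $this->perms without duplicates
 * @throws KurogoConfigurationException when either credential is missing or empty
 */
public function init($args) {
    parent::init($args);
    $args = is_array($args) ? $args : array();

    if (!isset($args['FACEBOOK_API_KEY'], $args['FACEBOOK_API_SECRET'])
        || strlen($args['FACEBOOK_API_KEY']) == 0
        || strlen($args['FACEBOOK_API_SECRET']) == 0) {
        throw new KurogoConfigurationException("API key and secret not set");
    }
    $this->api_key = $args['FACEBOOK_API_KEY'];
    $this->api_secret = $args['FACEBOOK_API_SECRET'];

    // resume with a token obtained earlier in this session, if any
    if (isset($_SESSION['fb_access_token'])) {
        $this->access_token = $_SESSION['fb_access_token'];
    }

    if (isset($args['FACEBOOK_API_PERMS'])) {
        // Accept a single permission given as a string as well as a list; a
        // bare string used to make array_merge() fail and wipe $this->perms.
        $extraPerms = (array) $args['FACEBOOK_API_PERMS'];
        $this->perms = array_unique(array_merge($this->perms, $extraPerms));
    }
}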
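/**
 * Sees if the given user matches the rule
 * @param User $user a valid user object
 * @return mixed, the action if the user matches the rule or false if the rule did not match
 *
 * For RULE_SCOPE_USER the value is matched against the user's ID, or — when
 * it is a valid e-mail address — the user's e-mail; RULE_VALUE_ALL matches
 * any user that has a userID (never an anonymous one). When the rule names
 * an authority the user must come from that authority; without one the
 * match is made regardless of authority.
 */
public function evaluateForUser(User $user) {
    switch ($this->ruleScope) {
        case self::RULE_SCOPE_USER:
            if ($this->ruleAuthority) {
                /* authority-qualified rule: the user must come from that authority */
                if ($user->getAuthenticationAuthorityIndex() == $this->ruleAuthority
                    && $this->userMatchesRuleValue($user)) {
                    return $this->ruleAction;
                }
            } elseif ($this->userMatchesRuleValue($user)) {
                /* No authority on the rule: a userID/email value matches a user
                   with that ID from ANY authority. Qualify the rule with an
                   authority when IDs are not unique across authorities. */
                return $this->ruleAction;
            }
            break;

        case self::RULE_SCOPE_GROUP:
            /* Note: a group value of ALL is not valid */
            if ($authority = AuthenticationAuthority::getAuthenticationAuthority($this->ruleAuthority)) {
                if ($group = $authority->getGroup($this->ruleValue)) {
                    /* see if the user is a member of the group */
                    if ($group->userIsMember($user)) {
                        return $this->ruleAction;
                    }
                }
            }
            break;

        case self::RULE_SCOPE_EVERYONE:
            /* always matches */
            return $this->ruleAction;
    }

    return false;
}

/**
 * True when the rule value is ALL and the user has a userID, when the value
 * equals the user's ID, or when it is a valid e-mail address equal to the
 * user's e-mail.
 *
 * @param User $user
 * @return bool
 */
private function userMatchesRuleValue(User $user) {
    if ($this->ruleValue == self::RULE_VALUE_ALL) {
        return (bool) $user->getUserID();
    }
    if ($user->getUserID() == $this->ruleValue) {
        return true;
    }
    /* can match either userID or email */
    return Validator::isValidEmail($this->ruleValue) && $user->getEmail() == $this->ruleValue;
}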
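/**
 * Drives the login module pages: 'logout', 'login' and 'index'.
 *
 * Builds the list of authorities that can log users in (USER_LOGIN 'FORM'
 * shown as a form, 'LINK' shown as a link) and then handles the requested
 * page. A 'url' argument is the return URL to send the browser to after a
 * successful login; only site-local paths are honoured (see below).
 *
 * @throws Exception when authentication is disabled or no authority is defined
 */
protected function initializeForPage() {
    if (!$this->getSiteVar('AUTHENTICATION_ENABLED')) {
        throw new Exception("Authentication is not enabled on this site");
    }

    $url = $this->getArg('url', ''); //return url
    // The return URL is client supplied and is later emitted verbatim in a
    // Location header. Refuse anything that names a foreign destination (a
    // scheme, or a protocol-relative "//host" / "/\host" form) so this page
    // cannot be used as an open redirect; site-local paths pass unchanged.
    if ($url !== '' && preg_match('#^(?:[a-z][a-z0-9+.\-]*:|//|/\\\\|\\\\)#i', ltrim($url))) {
        error_log("Ignoring non-local return url: $url");
        $url = '';
    }
    $this->assign('url', $url);
    $session = $this->getSession();

    $authenticationAuthorities = array();
    $authenticationAuthorityLinks = array();
    foreach (AuthenticationAuthority::getDefinedAuthenticationAuthorities() as $authorityIndex => $authorityData) {
        $USER_LOGIN = $this->argVal($authorityData, 'USER_LOGIN', 'NONE');
        if ($USER_LOGIN == 'FORM') {
            $authenticationAuthorities[$authorityIndex] = $authorityData;
        } elseif ($USER_LOGIN == 'LINK') {
            $authorityData['LINK'] = $this->buildBreadcrumbURL('login', array(
                'url' => $url,
                'authority' => $authorityIndex,
                'startOver' => true), false);
            $authenticationAuthorityLinks[$authorityIndex] = $authorityData;
        }
    }

    if (count($authenticationAuthorities) == 0 && count($authenticationAuthorityLinks) == 0) {
        throw new Exception("No authentication authorities have been defined");
    }

    $this->assign('authenticationAuthorities', $authenticationAuthorities);
    $this->assign('authenticationAuthorityLinks', $authenticationAuthorityLinks);
    $multipleAuthorities = count($authenticationAuthorities) + count($authenticationAuthorityLinks) > 1;

    switch ($this->page) {
        case 'logout':
            $this->setTemplatePage('message');
            if (!$this->isLoggedIn()) {
                $this->redirectTo('login');
            } else {
                $user = $this->getUser();
                $authority = $user->getAuthenticationAuthority();
                $authority->logout($this);
                $this->assign('message', 'Logout Successful');
            }
            break;

        case 'login':
            $login = $this->argVal($_POST, 'loginUser', '');
            $password = $this->argVal($_POST, 'loginPassword', '');
            $authorityIndex = $this->getArg('authority', AuthenticationAuthority::getDefaultAuthenticationAuthorityIndex());
            $this->assign('authority', $authorityIndex);

            if ($this->isLoggedIn()) {
                $this->redirectTo('index');
            }
            if ($this->argVal($_POST, 'login_submit') && empty($login)) {
                $this->redirectTo('index');
            }

            // 'authority' is client supplied; an unknown index is logged and
            // redirected away (redirectTo() is relied on to exit, otherwise
            // $result below would be undefined).
            if ($authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex)) {
                $result = $authority->login($login, $password, $this);
            } else {
                error_log("Invalid authority $authorityIndex");
                $this->redirectTo('index');
            }

            switch ($result) {
                case AUTH_OK:
                    if ($url) {
                        header("Location: $url");
                        exit();
                    }
                    $this->setTemplatePage('message');
                    $this->assign('message', 'Login Successful');
                    break;
                case AUTH_FAILED:
                case AUTH_USER_NOT_FOUND:
                    // same message for both: do not reveal whether the account exists
                    $this->setTemplatePage('index');
                    $this->assign('message', 'Login Failed. Please check your login and password');
                    break;
                default:
                    $this->setTemplatePage('index');
                    $this->assign('message', "Login Failed. An unknown error occurred $result");
            }
            break;

        case 'index':
            if ($this->isLoggedIn()) {
                $user = $this->getUser();
                $authority = $user->getAuthenticationAuthority();
                $this->setTemplatePage('message');
                $this->assign('message', sprintf("You are logged in as %s %s",
                    $user->getFullName(),
                    $multipleAuthorities ? '(' . $authority->getAuthorityTitle() . ')' : ''));
                $this->assign('url', $this->buildURL('logout'));
                $this->assign('linkText', 'Logout');
            } else {
                $this->assign('loginMessage', $this->getModuleVar('LOGIN_MESSAGE'));
                $this->assign('loginLabel', $this->getModuleVar('LOGIN_LABEL'));
                $this->assign('passwordLabel', $this->getModuleVar('PASSWORD_LABEL'));
            }
            break;
    }
}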
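/**
 * Initializes the authority objects based on an associative array of arguments
 * @param array $args an associate array of arguments. The argument list is dependent on the authority
 *
 * General - Required keys:
 *   TITLE => The human readable title of the AuthorityImage
 *   INDEX => The tag used to identify this authority @see AuthenticationAuthority::getAuthenticationAuthority
 *
 * General - Optional keys:
 *   LOGGEDIN_IMAGE_URL => a url to an image/badge that is placed next to the user name when logged in
 *
 * CAS - Required keys:
 *   CAS_PROTOCOL => The protocol to use. Should be equivalent to one of the phpCAS constants, e.g. "2.0":
 *                   CAS_VERSION_1_0 => '1.0', CAS_VERSION_2_0 => '2.0', SAML_VERSION_1_1 => 'S1'
 *   CAS_HOST     => The host name of the CAS server, e.g. "cas.example.edu"
 *   CAS_PORT     => The port the CAS server is listening on, e.g. "443"
 *   CAS_PATH     => The path of the CAS application, e.g. "/cas/"
 *   CAS_CA_CERT  => The filesystem path to a CA certificate that will be used to validate the authenticity
 *                   of the CAS server, e.g. "/etc/tls/pki/certs/my_ca_cert.crt". If empty, no certificate
 *                   validation will be performed (NOT safe for production: any TLS peer is then accepted
 *                   as the CAS server; a warning is logged when this happens).
 *
 * CAS - Optional keys:
 *   CAS_PHPCAS_PATH              => Directory holding CAS.php. When empty, CAS.php is loaded from the include path.
 *   CAS_DEBUG_LOG                => File phpCAS writes its debug log to. NOTE(review): phpCAS debug output is
 *                                   verbose and may include ticket values — confirm, and keep it off in production.
 *   CAS_PROXY_INIT               => When non-empty the client is initialized in proxy mode (phpCAS::proxy).
 *   CAS_PROXY_TICKET_PATH        => Proxy mode: directory for proxy-granting-ticket storage.
 *   CAS_PROXY_TICKET_DB_DSN      => Proxy mode: PDO DSN for database PGT storage (mutually exclusive with
 *                                   CAS_PROXY_TICKET_PATH). CAS_PROXY_TICKET_DB_USER / _PASS / _TABLE /
 *                                   _DRIVER_OPTS are passed along to phpCAS::setPGTStorageDb.
 *   CAS_PROXY_FIXED_CALLBACK_URL => Proxy mode: fixed callback URL handed to phpCAS::setFixedCallbackURL.
 *   ATTRA_EMAIL      => Attribute name for the user's email address, e.g. "email". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *   ATTRA_FIRST_NAME => Attribute name for the user's first name, e.g. "givename". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *   ATTRA_LAST_NAME  => Attribute name for the user's last name, e.g. "surname". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *   ATTRA_FULL_NAME  => Attribute name for the user's full name, e.g. "displayname". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *   ATTRA_MEMBER_OF  => Attribute name for the user's groups, e.g. "memberof". This only applies if your
 *                       CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
 *
 * NOTE: Any subclass MUST call parent::init($args) to ensure proper operation
 *
 * @throws KurogoConfigurationException when a required key is missing or both PGT storage kinds are set
 */
public function init($args) {
    parent::init($args);

    // include the PHPCAS library. CAS_PHPCAS_PATH comes from the site
    // configuration (not from the request), so this include path is trusted
    // to the same degree as the rest of the config.
    if (empty($args['CAS_PHPCAS_PATH'])) {
        require_once 'CAS.php';
    } else {
        require_once $args['CAS_PHPCAS_PATH'] . '/CAS.php';
    }

    if (!empty($args['CAS_DEBUG_LOG'])) {
        phpCAS::setDebug($args['CAS_DEBUG_LOG']);
    }

    foreach (array('CAS_PROTOCOL', 'CAS_HOST', 'CAS_PORT', 'CAS_PATH') as $required) {
        if (empty($args[$required])) {
            throw new KurogoConfigurationException($required . ' value not set for ' . $this->AuthorityTitle);
        }
    }

    if (empty($args['CAS_PROXY_INIT'])) {
        phpCAS::client($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);
    } else {
        phpCAS::proxy($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);

        if (!empty($args['CAS_PROXY_TICKET_PATH']) && !empty($args['CAS_PROXY_TICKET_DB_DSN'])) {
            throw new KurogoConfigurationException('Only one of CAS_PROXY_TICKET_PATH or CAS_PROXY_TICKET_DB_DSN may be set for ' . $this->AuthorityTitle);
        }

        if (!empty($args['CAS_PROXY_TICKET_PATH'])) {
            // the signature of setPGTStorageFile changed in phpCAS 1.3
            if (version_compare(PHPCAS_VERSION, '1.3', '>=')) {
                phpCAS::setPGTStorageFile($args['CAS_PROXY_TICKET_PATH']);
            } else {
                phpCAS::setPGTStorageFile('', $args['CAS_PROXY_TICKET_PATH']);
            }
        }

        if (!empty($args['CAS_PROXY_TICKET_DB_DSN'])) {
            $user = $pass = $table = $driver_opts = '';
            if (!empty($args['CAS_PROXY_TICKET_DB_USER'])) {
                $user = $args['CAS_PROXY_TICKET_DB_USER'];
            }
            if (!empty($args['CAS_PROXY_TICKET_DB_PASS'])) {
                $pass = $args['CAS_PROXY_TICKET_DB_PASS'];
            }
            if (!empty($args['CAS_PROXY_TICKET_DB_TABLE'])) {
                $table = $args['CAS_PROXY_TICKET_DB_TABLE'];
            }
            if (!empty($args['CAS_PROXY_TICKET_DB_DRIVER_OPTS'])) {
                $driver_opts = $args['CAS_PROXY_TICKET_DB_DRIVER_OPTS'];
            }
            phpCAS::setPGTStorageDb($args['CAS_PROXY_TICKET_DB_DSN'], $user, $pass, $table, $driver_opts);
        }

        if (!empty($args['CAS_PROXY_FIXED_CALLBACK_URL'])) {
            phpCAS::setFixedCallbackURL($args['CAS_PROXY_FIXED_CALLBACK_URL']);
        }
    }

    if (empty($args['CAS_CA_CERT'])) {
        // Without a CA certificate phpCAS performs no validation of the CAS
        // server's TLS identity, so an on-path attacker could answer ticket
        // validation requests. Tolerated for development, but make it loud so
        // it does not go unnoticed in a production deployment.
        Kurogo::log(LOG_WARNING, 'CAS_CA_CERT not set for ' . $this->AuthorityTitle . ': CAS server certificate validation is DISABLED', 'auth');
        phpCAS::setNoCasServerValidation();
    } else {
        phpCAS::setCasServerCACert($args['CAS_CA_CERT']);
    }

    // Record any attribute mapping configured.
    $attributeMap = array(
        'ATTRA_EMAIL' => 'Email',
        'ATTRA_FIRST_NAME' => 'FirstName',
        'ATTRA_LAST_NAME' => 'LastName',
        'ATTRA_FULL_NAME' => 'FullName',
        // group membership, if the CAS server exposes it
        'ATTRA_MEMBER_OF' => 'MemberOf',
    );
    foreach ($attributeMap as $configKey => $userField) {
        if (!empty($args[$configKey])) {
            CASUser::mapAttribute($userField, $args[$configKey]);
        }
    }
}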
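/**
 * Drives the login module pages: 'logoutConfirm', 'logout', 'forgotpassword',
 * 'login' and 'index'.
 *
 * Collects the configured authorities (USER_LOGIN 'FORM' as "direct",
 * 'LINK' as "indirect"), logging and skipping any that fail to load, then
 * handles the requested page. A 'url' argument is the return URL used after
 * login or when already logged in; only site-local paths are honoured (see
 * below). 'remainLoggedIn' is only read when
 * AUTHENTICATION_REMAIN_LOGGED_IN_TIME is configured.
 *
 * @throws Exception when authentication is disabled or no usable authority is defined
 */
protected function initializeForPage() {
    if (!Kurogo::getSiteVar('AUTHENTICATION_ENABLED')) {
        throw new Exception("Authentication is not enabled on this site");
    }

    $session = $this->getSession();

    $url = $this->getArg('url', '');
    // The return URL is client supplied and is later emitted verbatim in a
    // Location header. Refuse anything that names a foreign destination (a
    // scheme, or a protocol-relative "//host" / "/\host" form) so this page
    // cannot be used as an open redirect; site-local paths pass unchanged.
    if ($url !== '' && preg_match('#^(?:[a-z][a-z0-9+.\-]*:|//|/\\\\|\\\\)#i', ltrim($url))) {
        error_log("Ignoring non-local return url: $url");
        $url = '';
    }

    $allowRemainLoggedIn = Kurogo::getOptionalSiteVar('AUTHENTICATION_REMAIN_LOGGED_IN_TIME');
    if ($allowRemainLoggedIn) {
        $remainLoggedIn = $this->getArg('remainLoggedIn', 0);
    } else {
        $remainLoggedIn = 0;
    }

    $authenticationAuthorities = array(
        'direct' => array(),
        'indirect' => array(),
    );
    $invalidAuthorities = array();

    foreach (AuthenticationAuthority::getDefinedAuthenticationAuthorities() as $authorityIndex => $authorityData) {
        $USER_LOGIN = $this->argVal($authorityData, 'USER_LOGIN', 'NONE');
        // a misconfigured authority throws; record it and keep going
        try {
            $authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex);
            $authorityData['listclass'] = $authority->getAuthorityClass();
            $authorityData['title'] = $authorityData['TITLE'];
            $authorityData['url'] = $this->buildURL('login', array(
                'authority' => $authorityIndex,
                'url' => $url,
                'remainLoggedIn' => $remainLoggedIn,
                'startOver' => 1,
            ));
            if ($USER_LOGIN == 'FORM') {
                $authenticationAuthorities['direct'][$authorityIndex] = $authorityData;
            } elseif ($USER_LOGIN == 'LINK') {
                $authenticationAuthorities['indirect'][$authorityIndex] = $authorityData;
            }
        } catch (Exception $e) {
            error_log(sprintf("Invalid authority data for %s: %s", $authorityIndex, $e->getMessage()));
            $invalidAuthorities[$authorityIndex] = $e->getMessage();
        }
    }

    if (count($authenticationAuthorities['direct']) == 0 && count($authenticationAuthorities['indirect']) == 0) {
        $message = "No authentication authorities have been defined.";
        if (count($invalidAuthorities) > 0) {
            $message .= sprintf(" %s invalid authorit%s found:\n", count($invalidAuthorities), count($invalidAuthorities) > 1 ? 'ies' : 'y');
            foreach ($invalidAuthorities as $authorityIndex => $invalidAuthority) {
                $message .= sprintf("%s: %s\n", $authorityIndex, $invalidAuthority);
            }
        }
        throw new Exception($message);
    }

    $this->assign('authenticationAuthorities', $authenticationAuthorities);
    $this->assign('allowRemainLoggedIn', $allowRemainLoggedIn);

    if ($forgetPasswordURL = $this->getOptionalModuleVar('FORGET_PASSWORD_URL')) {
        $this->assign('FORGET_PASSWORD_URL', $this->buildBreadcrumbURL('forgotpassword', array()));
    }

    $multipleAuthorities = count($authenticationAuthorities['direct']) + count($authenticationAuthorities['indirect']) > 1;

    switch ($this->page) {
        case 'logoutConfirm':
            $authorityIndex = $this->getArg('authority');
            if (!$this->isLoggedIn($authorityIndex)) {
                $this->redirectTo('index', array());
            } elseif ($user = $this->getUser($authorityIndex)) {
                $authority = $user->getAuthenticationAuthority();
                $this->assign('message', sprintf("You are signed in to %s %s as %s",
                    Kurogo::getSiteString('SITE_NAME'),
                    $multipleAuthorities ? "(using " . $authority->getAuthorityTitle() . ")" : '',
                    $user->getFullName()));
                $this->assign('url', $this->buildURL('logout', array('authority' => $authorityIndex)));
                $this->assign('linkText', 'Sign out');
                $this->setTemplatePage('message');
            } else {
                $this->redirectTo('index', array());
            }
            break;

        case 'logout':
            $authorityIndex = $this->getArg('authority');
            $hard = $this->getArg('hard', false);
            // both redirect branches rely on redirectTo() exiting; otherwise
            // $result would be undefined below
            if (!$this->isLoggedIn($authorityIndex)) {
                $this->redirectTo('index', array());
            } elseif ($authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex)) {
                $result = $session->logout($authority, $hard);
            } else {
                $this->redirectTo('index', array());
            }

            if ($result) {
                if ($this->isLoggedIn()) {
                    $this->redirectTo('index', array('logout' => $authorityIndex));
                } else {
                    $this->redirectToModule('home', '', array('logout' => $authorityIndex));
                }
            } else {
                $this->setTemplatePage('message');
                $this->assign('message', 'Sign out failed');
            }
            break;

        case 'forgotpassword':
            // destination comes from the module configuration, not the request
            if ($forgetPasswordURL = $this->getOptionalModuleVar('FORGET_PASSWORD_URL')) {
                header("Location: $forgetPasswordURL");
                exit();
            } else {
                $this->redirectTo('index', array());
            }
            break;

        case 'login':
            $login = $this->argVal($_POST, 'loginUser', '');
            $password = $this->argVal($_POST, 'loginPassword', '');
            $options = array(
                'url' => $url,
                'remainLoggedIn' => $remainLoggedIn,
            );
            $session = $this->getSession();
            $session->setRemainLoggedIn($remainLoggedIn);

            // 'authority' is client supplied; unknown indexes are sent back to index
            $authorityIndex = $this->getArg('authority', '');
            if (!$authorityData = AuthenticationAuthority::getAuthenticationAuthorityData($authorityIndex)) {
                $this->redirectTo('index', $options);
            }
            if ($this->isLoggedIn($authorityIndex)) {
                $this->redirectTo('index', $options);
            }

            $this->assign('authority', $authorityIndex);
            $this->assign('remainLoggedIn', $remainLoggedIn);
            $this->assign('authorityTitle', $authorityData['TITLE']);

            if ($authorityData['USER_LOGIN'] == 'FORM' && empty($login)) {
                // form authority without a submitted username: just show the form
                break;
            } elseif ($authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex)) {
                $authority->setDebugMode(Kurogo::getSiteVar('DATA_DEBUG'));
                $result = $authority->login($login, $password, $session, $options);
            } else {
                $this->redirectTo('index', $options);
            }

            switch ($result) {
                case AUTH_OK:
                    if ($url) {
                        header("Location: $url");
                        exit();
                    } else {
                        $this->redirectToModule('home', '', array('login' => $authorityIndex));
                    }
                    break;
                case AUTH_OAUTH_VERIFY:
                    $this->assign('verifierKey', $authority->getVerifierKey());
                    $this->setTemplatePage('oauth_verify.tpl');
                    break;
                default:
                    // one generic message for every failure: do not reveal whether
                    // the account exists
                    if ($authorityData['USER_LOGIN'] == 'FORM') {
                        $this->assign('message', "We're sorry, but there was a problem with your sign-in. Please check your username and password and try again.");
                        $this->setTemplatePage('index');
                    } else {
                        $this->redirectTo('index', array_merge(
                            array('message' => "We're sorry, but there was a problem with your sign-in."),
                            $options));
                    }
            }
            // NOTE(review): no break here in the original either — a failed
            // form login falls through into the 'index' handling below, which
            // (for a single direct authority) redirects to 'login' and drops
            // the message just assigned. Preserved as-is; confirm it is intended.

        case 'index':
            // 'message' is client supplied and handed to the template as-is;
            // assumes the template escapes it for HTML — confirm.
            if ($message = $this->getArg('message')) {
                $this->assign('message', $message);
            }

            if ($this->isLoggedIn()) {
                if ($url) {
                    header("Location: $url");
                    exit();
                }
                if (!$multipleAuthorities) {
                    $user = $this->getUser();
                    $this->redirectTo('logoutConfirm', array('authority' => $user->getAuthenticationAuthorityIndex()));
                }

                $sessionUsers = $session->getUsers();
                $users = array();
                foreach ($sessionUsers as $authorityIndex => $user) {
                    $authority = $user->getAuthenticationAuthority();
                    $users[] = array(
                        'class' => $authority->getAuthorityClass(),
                        'title' => count($sessionUsers) > 1 ? $authority->getAuthorityTitle() . " as " . $user->getFullName() : 'Sign out',
                        'subtitle' => count($sessionUsers) > 1 ? 'Sign out' : '',
                        'url' => $this->buildBreadcrumbURL('logout', array('authority' => $authorityIndex), false),
                    );
                    // an authority the user is already signed in to is not offered again
                    if (isset($authenticationAuthorities['direct'][$authorityIndex])) {
                        unset($authenticationAuthorities['direct'][$authorityIndex]);
                    }
                    if (isset($authenticationAuthorities['indirect'][$authorityIndex])) {
                        unset($authenticationAuthorities['indirect'][$authorityIndex]);
                    }
                }

                $this->assign('users', $users);
                $this->assign('authenticationAuthorities', $authenticationAuthorities);
                $this->assign('moreAuthorities', count($authenticationAuthorities['direct']) + count($authenticationAuthorities['indirect']));
                $this->setTemplatePage('loggedin');
            } else {
                if (!$multipleAuthorities && count($authenticationAuthorities['direct'])) {
                    $this->redirectTo('login', array('authority' => AuthenticationAuthority::getDefaultAuthenticationAuthorityIndex()));
                }
                $this->assign('multipleAuthorities', $multipleAuthorities);
            }
            break;
    }
}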
public function init($args) {
    parent::init($args);
    $args = is_array($args) ? $args : array();

    // Connection settings, each read from $args with a fallback when absent.
    // LDAP_ADMIN_DN / LDAP_ADMIN_PASSWORD are used if anonymous searches are
    // not permitted (i.e. AD).
    $settings = array(
        'ldapServer'          => array('LDAP_HOST', null),
        'ldapPort'            => array('LDAP_PORT', 389),
        'ldapSearchBase'      => array('LDAP_SEARCH_BASE', null),
        'ldapUserSearchBase'  => array('LDAP_USER_SEARCH_BASE', null),
        'ldapGroupSearchBase' => array('LDAP_GROUP_SEARCH_BASE', null),
        'ldapAdminDN'         => array('LDAP_ADMIN_DN', null),
        'ldapAdminPassword'   => array('LDAP_ADMIN_PASSWORD', null),
    );
    foreach ($settings as $property => $spec) {
        list($key, $default) = $spec;
        $this->$property = isset($args[$key]) ? $args[$key] : $default;
    }

    // Attribute names start from the defaults and may be overridden per field
    // by LDAP_USER_<name>_FIELD / LDAP_GROUP_<name>_FIELD entries (matched
    // case-insensitively); only fields already in the default map are accepted.
    $this->fieldMap = $this->defaultFieldMap();
    foreach ($args as $arg => $value) {
        $matched = preg_match('/^ldap_(user|group)_(.*?)_field$/', strtolower($arg), $bits);
        if (!$matched) {
            continue;
        }
        $field = $bits[2];
        if (isset($this->fieldMap[$field])) {
            $this->fieldMap[$field] = strtolower($value);
        }
    }

    // A host and a non-zero port are mandatory.
    if (empty($this->ldapServer)) {
        throw new KurogoConfigurationException("Invalid LDAP Server");
    }
    if (empty($this->ldapPort)) {
        throw new KurogoConfigurationException("Invalid LDAP Port");
    }
}
public function init($args) {
    parent::init($args);
    $args = is_array($args) ? $args : array();

    // Per-authority session keys under which the OAuth token pair is kept.
    $index = $this->getAuthorityIndex();
    $this->tokenSessionVar = $index . '_token';
    $this->tokenSecretSessionVar = $index . '_tokenSecret';

    // Restore a previously stored token pair only when both halves are present.
    $haveToken = isset($_SESSION[$this->tokenSessionVar]);
    $haveSecret = isset($_SESSION[$this->tokenSecretSessionVar]);
    if ($haveToken && $haveSecret) {
        $this->setToken($_SESSION[$this->tokenSessionVar]);
        $this->setTokenSecret($_SESSION[$this->tokenSecretSessionVar]);
    }
}
/**
 * Prepares the login module pages: logoutConfirm, logout, forgotpassword,
 * login and index (selected by $this->page).
 *
 * Collects the configured authentication authorities, grouped by their
 * USER_LOGIN setting (FORM = direct, LINK = indirect, AUTO), assigns the
 * shared template variables, then runs the page-specific logic.
 *
 * NOTE(review): the code after every redirectTo()/redirectToModule()/
 * redirectToArray() call assumes the redirect terminates the request
 * (e.g. $result and $authorityData are used unguarded afterwards) — confirm.
 *
 * @throws KurogoConfigurationException when authentication is disabled or
 *         no valid authority is configured
 */
protected function initializeForPage() {
    $nativeApp = (bool) $this->getArg('nativeApp', false);
    $this->assign('nativeApp', $nativeApp);
    // Default args to pass through forms and urls
    $defaultArgs = array();
    if ($nativeApp) {
        $defaultArgs['nativeApp'] = 1;
    }
    // If this is a native app, use the native app GA id
    if ($nativeApp) {
        $this->assign('GOOGLE_ANALYTICS_ID', Kurogo::getOptionalSiteVar('GOOGLE_ANALYTICS_NATIVE_ID'));
    }
    if (!Kurogo::getSiteVar('AUTHENTICATION_ENABLED')) {
        throw new KurogoConfigurationException($this->getLocalizedString("ERROR_AUTHENTICATION_DISABLED"));
    }
    $session = $this->getSession();
    //return URL
    // NOTE(review): $urlArray comes from the request args and is later used as the
    // post-login redirect target; confirm extractModuleArray() yields only a
    // module/page within this site and never an arbitrary external URL.
    $urlArray = $this->extractModuleArray($this->args);
    //see if remain logged in is enabled by the administrator, then if the value has been passed (i.e. the user checked the "remember me" box)
    $allowRemainLoggedIn = Kurogo::getOptionalSiteVar('AUTHENTICATION_REMAIN_LOGGED_IN_TIME');
    if ($allowRemainLoggedIn) {
        $remainLoggedIn = $this->getArg('remainLoggedIn', 0);
    } else {
        $remainLoggedIn = 0;
    }
    // initialize
    $authenticationAuthorities = array('total' => 0, 'direct' => array(), 'indirect' => array(), 'auto' => array());
    $invalidAuthorities = array();
    // cycle through the defined authorities in the config
    foreach (AuthenticationAuthority::getDefinedAuthenticationAuthorities() as $authorityIndex => $authorityData) {
        // USER_LOGIN property determines whether the authority is used for logins (or just groups or oauth)
        $USER_LOGIN = $this->argVal($authorityData, 'USER_LOGIN', 'NONE');
        // trap the exception if the authority is invalid (usually due to misconfiguration)
        try {
            $authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex);
            $authorityData['listclass'] = $authority->getAuthorityClass();
            $authorityData['title'] = $authorityData['TITLE'];
            $authorityData['url'] = $this->buildURL('login', array_merge($urlArray, array('authority' => $authorityIndex, 'remainLoggedIn' => $remainLoggedIn, 'startOver' => 1)));
            // authorities with any other USER_LOGIN value are not offered for login
            if ($USER_LOGIN == 'FORM') {
                $authenticationAuthorities['direct'][$authorityIndex] = $authorityData;
                $authenticationAuthorities['total']++;
            } elseif ($USER_LOGIN == 'LINK') {
                $authenticationAuthorities['indirect'][$authorityIndex] = $authorityData;
                $authenticationAuthorities['total']++;
            } elseif ($USER_LOGIN == 'AUTO') {
                $authenticationAuthorities['auto'][$authorityIndex] = $authorityData;
                $authenticationAuthorities['total']++;
            }
        } catch (KurogoConfigurationException $e) {
            Kurogo::log(LOG_WARNING, "Invalid authority data for %s: %s", $authorityIndex, $e->getMessage(), 'auth');
            $invalidAuthorities[$authorityIndex] = $e->getMessage();
        }
    }
    //see if we have any valid authorities
    if ($authenticationAuthorities['total'] == 0) {
        $message = $this->getLocalizedString("ERROR_NO_AUTHORITIES");
        // list the authorities that failed to load so the misconfiguration is visible
        if (count($invalidAuthorities) > 0) {
            $message .= sprintf(" %s invalid authorit%s found:\n", count($invalidAuthorities), count($invalidAuthorities) > 1 ? 'ies' : 'y');
            foreach ($invalidAuthorities as $authorityIndex => $invalidAuthority) {
                $message .= sprintf("%s: %s\n", $authorityIndex, $invalidAuthority);
            }
        }
        //we don't
        throw new KurogoConfigurationException($message);
    }
    //assign template variables
    $this->assign('authenticationAuthorities', $authenticationAuthorities);
    $this->assign('allowRemainLoggedIn', $allowRemainLoggedIn);
    if ($forgetPasswordURL = $this->getOptionalModuleVar('FORGET_PASSWORD_URL')) {
        $this->assign('FORGET_PASSWORD_URL', $this->buildBreadcrumbURL('forgotpassword', array()));
        $this->assign('FORGET_PASSWORD_TEXT', $this->getOptionalModuleVar('FORGET_PASSWORD_TEXT', $this->getLocalizedString('FORGET_PASSWORD_TEXT')));
    }
    // 'auto' authorities do not count towards the authority chooser
    $multipleAuthorities = count($authenticationAuthorities['direct']) + count($authenticationAuthorities['indirect']) > 1;
    switch ($this->page) {
        case 'logoutConfirm':
            //this page is presented when a specific authority is chosen and the user is presented the option to actually log out.
            $authorityIndex = $this->getArg('authority');
            if (!$this->isLoggedIn($authorityIndex)) {
                // they aren't logged in
                $this->redirectTo('index', $defaultArgs);
            } elseif ($user = $this->getUser($authorityIndex)) {
                $authority = $user->getAuthenticationAuthority();
                $this->assign('message', $this->getLocalizedString('LOGIN_SIGNED_IN_SINGLE', Kurogo::getSiteString('SITE_NAME'), $authority->getAuthorityTitle(), $user->getFullName()));
                $this->assign('url', $this->buildURL('logout', array('authority' => $authorityIndex)));
                $this->assign('linkText', $this->getLocalizedString('SIGN_OUT'));
                $this->setTemplatePage('message');
            } else {
                //This honestly should never happen
                $this->redirectTo('index', $defaultArgs);
            }
            break;
        case 'logout':
            $authorityIndex = $this->getArg('authority');
            //hard logouts attempt to logout of the indirect service provider (must be implemented by the authority)
            $hard = $this->getArg('hard', false);
            if (!$this->isLoggedIn($authorityIndex)) {
                //not logged in
                $this->redirectTo('index', $defaultArgs);
            } elseif ($authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex)) {
                $user = $this->getUser($authority);
                //log them out
                $result = $session->logout($authority, $hard);
            } else {
                //This honestly should never happen
                $this->redirectTo('index', $defaultArgs);
            }
            // $result and $user are only set on the logout branch above; the other
            // branches are expected to have redirected away before reaching here
            if ($result) {
                $this->setLogData($user, $user->getFullName());
                $this->logView();
                //if they are still logged in return to the login page, otherwise go home.
                if ($this->isLoggedIn()) {
                    $this->redirectTo('index', array_merge(array('logout' => $authorityIndex), $defaultArgs));
                } else {
                    $this->redirectToModule($this->getHomeModuleID(), '', array('logout' => $authorityIndex));
                }
            } else {
                //there was an error logging out
                $this->setTemplatePage('message');
                $this->assign('message', $this->getLocalizedString("ERROR_SIGN_OUT"));
            }
            break;
        case 'forgotpassword':
            //redirect to forgot password url
            if ($forgetPasswordURL = $this->getOptionalModuleVar('FORGET_PASSWORD_URL')) {
                Kurogo::redirectToURL($forgetPasswordURL);
            } else {
                $this->redirectTo('index', $defaultArgs);
            }
            break;
        case 'login':
            //get arguments
            $login = $this->argVal($_POST, 'loginUser', '');
            $password = $this->argVal($_POST, 'loginPassword', '');
            $options = array_merge($urlArray, array('remainLoggedIn' => $remainLoggedIn), $defaultArgs);
            $session = $this->getSession();
            $session->setRemainLoggedIn($remainLoggedIn);
            $authorityIndex = $this->getArg('authority', '');
            if (!($authorityData = AuthenticationAuthority::getAuthenticationAuthorityData($authorityIndex))) {
                //invalid authority
                $this->redirectTo('index', $options);
            }
            if ($this->isLoggedIn($authorityIndex)) {
                //we're already logged in
                $this->redirectTo('index', $options);
            }
            $this->assign('authority', $authorityIndex);
            $this->assign('remainLoggedIn', $remainLoggedIn);
            $this->assign('authorityTitle', $authorityData['TITLE']);
            //if they haven't submitted the form and it's a direct login show the form
            if ($authorityData['USER_LOGIN'] == 'FORM' && empty($login)) {
                if (!($loginMessage = $this->getOptionalModuleVar('LOGIN_DIRECT_MESSAGE'))) {
                    $loginMessage = $this->getLocalizedString('LOGIN_DIRECT_MESSAGE', Kurogo::getSiteString('SITE_NAME'));
                }
                $this->assign('LOGIN_DIRECT_MESSAGE', $loginMessage);
                $this->assign('urlArray', array_merge($urlArray, $defaultArgs));
                // leaves the page switch (this break belongs to switch ($this->page))
                break;
            } elseif ($authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex)) {
                //indirect logins handling the login process themselves. Send a return url so the indirect authority can come back here
                if ($authorityData['USER_LOGIN'] == 'LINK') {
                    $options['return_url'] = FULL_URL_BASE . $this->configModule . '/login?' . http_build_query(array_merge($options, array('authority' => $authorityIndex)));
                }
                $options['startOver'] = $this->getArg('startOver', 0);
                $result = $authority->login($login, $password, $session, $options);
            } else {
                $this->redirectTo('index', $options);
            }
            switch ($result) {
                case AUTH_OK:
                    $user = $this->getUser($authority);
                    $this->setLogData($user, $user->getFullName());
                    $this->logView();
                    if ($urlArray) {
                        self::redirectToArray(array_merge($urlArray, $defaultArgs));
                    } else {
                        $this->redirectToModule($this->getHomeModuleID(), '', array('login' => $authorityIndex));
                    }
                    // only leaves the inner switch; reachable if the redirect returns
                    break;
                case AUTH_OAUTH_VERIFY:
                    // authorities that require a manual oauth verification key
                    $this->assign('verifierKey', $authority->getVerifierKey());
                    $this->setTemplatePage('oauth_verify.tpl');
                    // break 2 leaves both the inner switch and switch ($this->page)
                    break 2;
                default:
                    //there was a problem.
                    if ($authorityData['USER_LOGIN'] == 'FORM') {
                        $this->assign('message', $this->getLocalizedString('ERROR_LOGIN_DIRECT'));
                        break 2;
                    } else {
                        $this->redirectTo('index', array_merge(array('messagekey' => 'ERROR_LOGIN_INDIRECT'), $options, $defaultArgs));
                    }
            }
            // no break here: anything that leaves the inner switch without a
            // redirect falls through into the 'index' handling below
        case 'index':
            //sometimes messages are passed. This probably has some
            if ($messagekey = $this->getArg('messagekey')) {
                $this->assign('messagekey', $this->getLocalizedString($messagekey));
                // the localized message is optional; an unknown key is ignored
                try {
                    $message = $this->getLocalizedString($messagekey);
                    $this->assign('message', $message);
                } catch (KurogoException $e) {
                }
            }
            if ($this->isLoggedIn()) {
                //if the url is set then redirect
                if ($urlArray) {
                    self::redirectToArray(array_merge($urlArray, $defaultArgs));
                }
                //if there is only 1 authority then redirect to logout confirm
                if (!$multipleAuthorities) {
                    $user = $this->getUser();
                    $this->redirectTo('logoutConfirm', array_merge(array('authority' => $user->getAuthenticationAuthorityIndex()), $defaultArgs));
                }
                //more than 1 authority. There could be 1 or more actual logged in users
                $sessionUsers = $session->getUsers();
                $users = array();
                //cycle through the logged in users to build a list
                foreach ($sessionUsers as $authorityIndex => $user) {
                    $authority = $user->getAuthenticationAuthority();
                    $users[] = array('class' => $authority->getAuthorityClass(), 'title' => count($sessionUsers) > 1 ? $this->getLocalizedString("SIGN_OUT_AUTHORITY", array($authority->getAuthorityTitle(), $user->getFullName())) : $this->getLocalizedString('SIGN_OUT'), 'subtitle' => count($sessionUsers) > 1 ? $this->getLocalizedString('SIGN_OUT') : '', 'url' => $this->buildBreadcrumbURL('logout', array('authority' => $authorityIndex), false));
                    //remove the authority from the list of available authorities (since they are logged in)
                    if (isset($authenticationAuthorities['direct'][$authorityIndex])) {
                        unset($authenticationAuthorities['direct'][$authorityIndex]);
                    }
                    if (isset($authenticationAuthorities['indirect'][$authorityIndex])) {
                        unset($authenticationAuthorities['indirect'][$authorityIndex]);
                    }
                }
                $this->assign('users', $users); // navlist of users
                $this->assign('authenticationAuthorities', $authenticationAuthorities); //list of authorities not logged in
                $this->assign('moreAuthorities', count($authenticationAuthorities['direct']) + count($authenticationAuthorities['indirect'])); //see if there are any left
                if (count($sessionUsers) == 1) {
                    //there's only on logged in user
                    $user = current($sessionUsers);
                    $authority = $user->getAuthenticationAuthority();
                    $this->assign('LOGIN_SIGNED_IN_MESSAGE', $this->getLocalizedString('LOGIN_SIGNED_IN_SINGLE', Kurogo::getSiteString('SITE_NAME'), $authority->getAuthorityTitle(), $user->getFullName()));
                } else {
                    //there are multiple logged in users
                    $this->assign('LOGIN_SIGNED_IN_MESSAGE', $this->getLocalizedString('LOGIN_SIGNED_IN_MULTIPLE', array(Kurogo::getSiteString('SITE_NAME'))));
                }
                //use loggedin.tpl
                $this->setTemplatePage('loggedin');
            } else {
                // not logged in
                // if there is only 1 direct authority then redirect to the login page for that authority
                if (!$multipleAuthorities && count($authenticationAuthorities['direct'])) {
                    $this->redirectTo('login', array_merge($urlArray, array('authority' => key($authenticationAuthorities['direct'])), $defaultArgs));
                }
                // if there is only 1 auto authority then redirect to the login page for that authority
                // (skipped when a messagekey is present, so the error message can be shown instead of looping)
                if (!$multipleAuthorities && count($authenticationAuthorities['auto']) && !$messagekey) {
                    $this->redirectTo('login', array_merge($urlArray, array('authority' => key($authenticationAuthorities['auto'])), $defaultArgs));
                }
                // do we have any indirect authorities?
                if (count($authenticationAuthorities['indirect'])) {
                    if (!($indirectMessage = $this->getOptionalModuleVar('LOGIN_INDIRECT_MESSAGE'))) {
                        $indirectMessage = $this->getLocalizedString('LOGIN_INDIRECT_MESSAGE', Kurogo::getSiteString('SITE_NAME'));
                    }
                    $this->assign('LOGIN_INDIRECT_MESSAGE', $indirectMessage);
                }
                // the site can create their own message at the top, or it will use the default message
                if (!($loginMessage = $this->getOptionalModuleVar('LOGIN_INDEX_MESSAGE'))) {
                    if ($multipleAuthorities) {
                        $loginMessage = $this->getLocalizedString('LOGIN_INDEX_MESSAGE_MULTIPLE', Kurogo::getSiteString('SITE_NAME'));
                    } else {
                        $loginMessage = $this->getLocalizedString('LOGIN_INDEX_MESSAGE_SINGLE', Kurogo::getSiteString('SITE_NAME'));
                    }
                }
                $this->assign('LOGIN_INDEX_MESSAGE', $loginMessage);
            }
            break;
    }
}
protected function init($args) {
    // Site-wide data_retriever options form the base; the caller's $args override them.
    $args = array_merge(Kurogo::getOptionalSiteSection('data_retriever'), $args);
    // Remember the merged arguments exactly as received (before any defaults are filled in).
    $this->initArgs = $args;

    if (isset($args['DEBUG_MODE'])) {
        $this->setDebugMode($args['DEBUG_MODE']);
    }
    if (isset($args['DEFAULT_CACHE_LIFETIME'])) {
        $this->DEFAULT_CACHE_LIFETIME = $args['DEFAULT_CACHE_LIFETIME'];
    }
    if (isset($args['OPTIONS']) && is_array($args['OPTIONS'])) {
        $this->setOptions($args['OPTIONS']);
    }
    if (isset($args['AUTHORITY'])) {
        $authority = AuthenticationAuthority::getAuthenticationAuthority($args['AUTHORITY']);
        if ($authority) {
            $this->setAuthority($authority);
        }
    }

    // Parser class precedence: explicit PARSER_CLASS, then the subclass default,
    // then a non-empty DEFAULT_PARSER_CLASS argument, then the passthrough parser.
    if (!isset($args['PARSER_CLASS'])) {
        if ($this->DEFAULT_PARSER_CLASS) {
            $parserClass = $this->DEFAULT_PARSER_CLASS;
        } elseif (isset($args['DEFAULT_PARSER_CLASS']) && strlen($args['DEFAULT_PARSER_CLASS'])) {
            $parserClass = $args['DEFAULT_PARSER_CLASS'];
        } else {
            $parserClass = 'PassthroughDataParser';
        }
        $args['PARSER_CLASS'] = $parserClass;
    }

    // An explicit CACHE_LIFETIME is recorded on the instance; otherwise the
    // default lifetime is handed down to the cache factory through $args.
    if (isset($args['CACHE_LIFETIME'])) {
        $this->cacheLifetime = $args['CACHE_LIFETIME'];
    } else {
        $args['CACHE_LIFETIME'] = $this->DEFAULT_CACHE_LIFETIME;
    }
    if (isset($args['SHOW_WARNINGS'])) {
        $this->showWarnings = (bool) $args['SHOW_WARNINGS'];
    }

    // instantiate the parser and the cache backend
    $this->setParser(DataParser::factory($args['PARSER_CLASS'], $args));
    $cacheClass = 'DataCache';
    if (isset($args['CACHE_CLASS'])) {
        $cacheClass = $args['CACHE_CLASS'];
    }
    $this->cache = DataCache::factory($cacheClass, $args);
}
/**
 * Prepares the login module pages (logoutConfirm, logout, login,
 * forgotpassword, index) selected by $this->page.
 *
 * Authorities are split into form logins (USER_LOGIN == 'FORM') and link
 * logins (USER_LOGIN == 'LINK'); every other USER_LOGIN value is ignored.
 *
 * NOTE(review): the `url` request argument is echoed verbatim into
 * `header("Location: $url")` after a successful login and on the index page
 * with no check that it points back to this site, so it can be used as an
 * open redirect. It should be validated (same origin, or restricted to a
 * module path) before being used as a redirect target.
 *
 * NOTE(review): the code after each redirectTo() call assumes the redirect
 * terminates the request ($result would otherwise be undefined) — confirm.
 *
 * @throws Exception when authentication is disabled or no authority is defined
 */
protected function initializeForPage() {
    if (!$this->getSiteVar('AUTHENTICATION_ENABLED')) {
        throw new Exception("Authentication is not enabled on this site");
    }
    // request-supplied redirect target, used unvalidated below (see class note)
    $url = $this->getArg('url', ''); //return url
    $this->assign('url', $url);
    $session = $this->getSession();
    $authenticationAuthorities = array();
    $authenticationAuthorityLinks = array();
    foreach (AuthenticationAuthority::getDefinedAuthenticationAuthorities() as $authorityIndex=>$authorityData) {
        $USER_LOGIN = $this->argVal($authorityData, 'USER_LOGIN', 'NONE');
        if ($USER_LOGIN=='FORM') {
            $authenticationAuthorities[$authorityIndex] = $authorityData;
        } elseif ($USER_LOGIN=='LINK') {
            $authenticationAuthorityLinks[$authorityIndex] = $authorityData;
        }
    }
    if (count($authenticationAuthorities)==0 && count($authenticationAuthorityLinks)==0) {
        throw new Exception("No authentication authorities have been defined");
    }
    $this->assign('authenticationAuthorities', $authenticationAuthorities);
    $this->assign('authenticationAuthorityLinks', $authenticationAuthorityLinks);
    $this->assign('allowRemainLoggedIn', $this->getSiteVar('AUTHENTICATION_REMAIN_LOGGED_IN_TIME'));
    if ($forgetPasswordURL = $this->getModuleVar('FORGET_PASSWORD_URL')) {
        $this->assign('FORGET_PASSWORD_URL', $this->buildBreadcrumbURL('forgotpassword', array()));
    }
    $multipleAuthorities = count($authenticationAuthorities) + count($authenticationAuthorityLinks) > 1;
    switch ($this->page) {
        case 'logoutConfirm':
            $authorityIndex = $this->getArg('authority');
            if (!$this->isLoggedIn($authorityIndex)) {
                $this->redirectTo('index', array());
            } elseif ($user = $this->getUser($authorityIndex)) {
                $authority = $user->getAuthenticationAuthority();
                // the authority title is only shown when more than one authority is configured
                $this->assign('message', sprintf("You are logged in as %s %s", $user->getFullName(), $multipleAuthorities ? '(' . $authority->getAuthorityTitle() . ')' : ''));
                $this->assign('url', $this->buildURL('logout', array('authority'=>$authorityIndex)));
                $this->assign('linkText', 'Logout');
                $this->setTemplatePage('message');
            } else {
                $this->redirectTo('index', array());
            }
            break;
        case 'logout':
            $this->setTemplatePage('message');
            $authorityIndex = $this->getArg('authority');
            // hard logouts are passed to the session; what they do depends on the authority
            $hard = $this->getArg('hard', false);
            if (!$this->isLoggedIn($authorityIndex)) {
                $this->redirectTo('index', array());
            } elseif ($authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex)) {
                $result = $session->logout($authority, $hard);
            } else {
                $this->redirectTo('index', array());
            }
            // $result is only assigned on the logout branch; the others are expected to have redirected
            $this->assign('message', $result ? 'Logout Successful' : 'Logout failed');
            break;
        case 'login':
            $login = $this->argVal($_POST, 'loginUser', '');
            $password = $this->argVal($_POST, 'loginPassword', '');
            $options = array( 'url'=>$url );
            // $referrer is read but not used anywhere in this method
            $referrer = $this->argVal($_SERVER, 'HTTP_REFERER', '');
            $session = $this->getSession();
            $session->setRemainLoggedIn($this->getArg('remainLoggedIn', 0));
            // a posted login_link is expected to be an array keyed by authority index
            // (key() of a scalar would not yield an index) — TODO confirm the form shape
            if ($this->argVal($_POST, 'login_link')) {
                $authorityIndex = key($this->argVal($_POST, 'login_link'));
            } else {
                $authorityIndex = $this->getArg('authority', AuthenticationAuthority::getDefaultAuthenticationAuthorityIndex());
            }
            $this->assign('authority', $authorityIndex);
            if ($this->isLoggedIn($authorityIndex)) {
                $this->redirectTo('index', $options);
            }
            // form submitted without a user name: back to the index
            if ($this->argVal($_POST, 'login_submit') && empty($login)) {
                $this->redirectTo('index', $options);
            }
            if ($authority = AuthenticationAuthority::getAuthenticationAuthority($authorityIndex)) {
                $authority->setDebugMode($this->getSiteVar('DATA_DEBUG'));
                $result = $authority->login($login, $password, $session, $options);
            } else {
                // logs a request-supplied value; keep in mind when reading the error log
                error_log("Invalid authority $authorityIndex");
                $this->redirectTo('index', $options);
            }
            switch ($result) {
                case AUTH_OK:
                    // unvalidated redirect to the request-supplied url (see class note)
                    if ($url) {
                        header("Location: $url");
                        exit();
                    }
                    $this->setTemplatePage('message');
                    $this->assign('message', 'Login Successful');
                    break;
                case AUTH_FAILED:
                case AUTH_USER_NOT_FOUND:
                    // same message for both so the form does not reveal whether the user exists
                    $this->setTemplatePage('login');
                    $this->assign('message', 'Login Failed. Please check your login and password');
                    break;
                default:
                    $this->setTemplatePage('login');
                    $this->assign('message', "Login Failed. An unknown error occurred $result");
            }
            break;
        case 'forgotpassword':
            if ($forgetPasswordURL = $this->getModuleVar('FORGET_PASSWORD_URL')) {
                header("Location: $forgetPasswordURL");
                exit();
            } else {
                $this->redirectTo('index', array());
            }
            break;
        case 'index':
            if ($this->isLoggedIn()) {
                // unvalidated redirect to the request-supplied url (see class note)
                if ($url) {
                    header("Location: $url");
                    exit();
                }
                if (!$multipleAuthorities) {
                    $user = $this->getUser();
                    $this->redirectTo('logoutConfirm', array('authority'=>$user->getAuthenticationAuthorityIndex()));
                }
                $sessionUsers = $session->getUsers();
                $users = array();
                foreach ($sessionUsers as $authority=>$user) {
                    $users[] = array(
                        'title'=>sprintf("%s", $user->getFullName()),
                        'subtitle'=>$user->getAuthenticationAuthorityIndex(),
                        'url' =>$this->buildBreadcrumbURL('logoutConfirm', array('authority'=>$user->getAuthenticationAuthorityIndex()), false)
                    );
                    // an authority the user is already signed in to is no longer offered
                    if (isset($authenticationAuthorities[$authority])) {
                        unset($authenticationAuthorities[$authority]);
                    }
                    if (isset($authenticationAuthorityLinks[$authority])) {
                        unset($authenticationAuthorityLinks[$authority]);
                    }
                }
                $this->assign('users', $users);
                $this->assign('authenticationAuthorities', $authenticationAuthorities);
                $this->assign('authenticationAuthorityLinks', $authenticationAuthorityLinks);
                $this->setTemplatePage('loggedin');
            } else {
                $this->setTemplatePage('login');
            }
            break;
    }
}
/**
 * Returns the credentials cached in the session for the given authority.
 *
 * The value is looked up under the authority index inside the
 * KurogoCredentialsCache session entry and decrypted. When decryption
 * raises a KurogoException the stored value is returned unchanged
 * (presumably a compatibility path for values stored unencrypted — confirm).
 */
public function getCredentials(AuthenticationAuthority $authority) {
    $cache = Kurogo::arrayVal($_SESSION, 'KurogoCredentialsCache');
    $stored = $cache ? Kurogo::arrayVal($cache, $authority->getAuthorityIndex()) : null;
    try {
        return Kurogo::decrypt($stored);
    } catch (KurogoException $e) {
        return $stored;
    }
}
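/**
 * Attempts to restore the users recorded by a persistent login cookie.
 *
 * Both the token cookie and the user-hash cookie must be present. The token
 * selects a stored record (a login_tokens row when $this->useDB is set,
 * otherwise the file named by loginTokenFile()) that must not have expired,
 * and the user-hash cookie must equal the hash of the record's user list.
 * On any mismatch the login cookie is cleared.
 *
 * @return array|false list of user objects on success, false otherwise
 */
private function getLoginCookie() {
    if (isset($_COOKIE[self::TOKEN_COOKIE], $_COOKIE[self::USERHASH_COOKIE])) {
        $token = $_COOKIE[self::TOKEN_COOKIE];
        $userHash = $_COOKIE[self::USERHASH_COOKIE];
        $data = false;
        // A cookie submitted as an array (cookie[]=...) can never be a valid
        // token or hash; treat it as a mismatch instead of passing it on to
        // the query, the file lookup or hash_equals().
        if (is_string($token) && is_string($userHash)) {
            if ($this->useDB) {
                $conn = SiteDB::connection();
                // see if we have on record the token and it hasn't expired
                $sql = "SELECT data FROM login_tokens WHERE token=? and expires>?";
                $result = $conn->query($sql, array($token, time()));
                if ($data = $result->fetch()) {
                    // unserialize() of a record this class wrote itself; the
                    // store must remain trusted for this to stay safe
                    $data['data'] = unserialize($data['data']);
                }
            } else {
                // NOTE(review): loginTokenFile() is expected to derive a path
                // under its own directory from the token, not use it raw — confirm
                $file = $this->loginTokenFile($token);
                if (file_exists($file)) {
                    if ($contents = file_get_contents($file)) {
                        $data = unserialize($contents);
                        // a truncated or foreign file must not count as a live token
                        if (!is_array($data) || !isset($data['expires']) || $data['expires'] < time()) {
                            $data = false;
                        }
                    }
                }
            }
        }
        if ($data && isset($data['data']) && is_array($data['data'])) {
            $users = array();
            $expectedHash = (string) $this->getUserHash($data['data']);
            // Strict comparison: with `==` two numeric-looking strings are
            // compared as numbers, so a crafted cookie could match a hash it
            // does not equal. hash_equals() also avoids a timing side channel.
            if (function_exists('hash_equals')) {
                $hashMatches = hash_equals($expectedHash, $userHash);
            } else {
                $hashMatches = ($expectedHash === $userHash);
            }
            if ($hashMatches) {
                foreach ($data['data'] as $userData) {
                    if ($authority = AuthenticationAuthority::getAuthenticationAuthority($userData['auth'])) {
                        if ($user = $authority->getUser($userData['userID'])) {
                            $user->setSessionData($userData['data']);
                            $users[] = $user;
                        } else {
                            error_log("Unable to load user " . $userData['userID'] . " for " . $userData['auth']);
                        }
                    } else {
                        error_log("Unable to load authority ". $userData['auth']);
                    }
                }
                if (count($users)>0) {
                    return $users;
                }
            }
        }
        // something did not match so clean up
        $this->clearLoginCookie();
    }
    return false;
}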
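/**
 * Configures the password-file authority.
 *
 * Reads PASSWD_USER_FILE / PASSWD_GROUP_FILE and, when PASSWD_HASH is set,
 * the password hashing scheme: 'site' and 'server' select HMAC-SHA1 keyed
 * with SITE_KEY / SERVER_KEY, 'hmac_<algo>' selects HMAC with PASSWD_KEY,
 * and any other value is used as a plain hash algorithm name.
 *
 * @throws KurogoConfigurationException when an HMAC scheme has no key, the
 *         algorithm is not available, or the user file cannot be read while
 *         logins are enabled
 */
public function init($args) {
    parent::init($args);
    $args = is_array($args) ? $args : array();
    $this->userFile = isset($args['PASSWD_USER_FILE']) ? $args['PASSWD_USER_FILE'] : null;
    $this->groupFile = isset($args['PASSWD_GROUP_FILE']) ? $args['PASSWD_GROUP_FILE'] : null;
    if (isset($args['PASSWD_HASH'])) {
        // config values are compared as strings so a stray non-string value cannot
        // slip past the checks below via loose comparison
        $hashAlgo = (string) $args['PASSWD_HASH'];
        if ($hashAlgo === 'site') {
            $hashAlgo = 'hmac_sha1';
            $args['PASSWD_KEY'] = SITE_KEY;
        }
        if ($hashAlgo === 'server') {
            $hashAlgo = 'hmac_sha1';
            $args['PASSWD_KEY'] = SERVER_KEY;
        }
        if (preg_match('/^hmac_(.+)$/', $hashAlgo, $bits)) {
            if (!isset($args['PASSWD_KEY'])) {
                throw new KurogoConfigurationException("HMAC hash requires PASSWD_KEY");
            }
            $this->hmac = true;
            $this->hashKey = $args['PASSWD_KEY'];
            $hashAlgo = $bits[1];
        }
        // strict membership test against the algorithms this PHP build supports
        if (!in_array($hashAlgo, hash_algos(), true)) {
            throw new KurogoConfigurationException("Hashing algorithm {$hashAlgo} not available");
        }
        $this->hashAlgo = $hashAlgo;
    }
    if ($this->userLogin != 'NONE') {
        // a missing PASSWD_USER_FILE is reported as a configuration error rather
        // than being passed as null to is_readable()
        if ($this->userFile === null || !is_readable($this->userFile)) {
            throw new KurogoConfigurationException("Unable to load password file {$this->userFile}");
        }
    }
}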