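/**
 * Copyright (C) 2008-2013 Ulteo SAS
 * http://www.ulteo.com
 * Author Julien LANGLOIS <*****@*****.**> 2008-2013
 * Author Laurent CLOUET <*****@*****.**> 2008-2011
 * Author Jeremy DESVAGES <*****@*****.**> 2008-2011
 * Author Vincent ROULLIER <*****@*****.**> 2013
 * Author David LECHEVALIER <*****@*****.**> 2012
 * Author David PHAM-VAN <*****@*****.**> 2013
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; version 2
 * of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 **/

/**
 * Initialise the storage of every enabled module, then of the Abstract_*
 * persistence layers.
 *
 * Module backends are resolved from the preferences: for each name listed
 * in general/module_enable, the module's own "enable" preference selects
 * one backend (a string) or several (an array). For each backend the class
 * "<module>_<backend>" is expected to expose a static init($prefs_) that
 * returns exactly true on success. The class names therefore come from the
 * administrator's configuration, not from request data.
 *
 * @param object $prefs_ preferences object; the caller guarantees it is
 *                       valid, it is passed through to every init() call
 * @return bool true when everything initialised; false (after logging an
 *              error) at the first backend whose init() is missing or does
 *              not return true
 */
function init_db($prefs_) {
	Logger::debug('main', 'init_db');

	$modules_enable = $prefs_->get('general', 'module_enable');
	if (!is_array($modules_enable)) {
		// Missing or malformed module list: no module backend to initialise.
		$modules_enable = array();
	}

	foreach ($modules_enable as $module_name) {
		$enable = $prefs_->get($module_name, 'enable');
		if (is_null($enable)) {
			continue;
		}

		// A string selects one backend, an array several; any other type is
		// treated as "not configured" and skipped.
		if (is_string($enable)) {
			$backends = array($enable);
		} elseif (is_array($enable)) {
			$backends = $enable;
		} else {
			$backends = array();
		}

		foreach ($backends as $sub_module) {
			$mod_name = $module_name . '_' . $sub_module;
			$callback = array($mod_name, 'init');
			// Refuse to call a backend class that does not exist (or has no
			// init()) instead of letting call_user_func fail on it.
			if (!is_callable($callback)) {
				Logger::error('main', 'init_db init module \'' . $mod_name . '\' failed');
				return false;
			}
			$ret_eval = call_user_func($callback, $prefs_);
			// Strict comparison: only a literal true counts as success.
			if ($ret_eval !== true) {
				Logger::error('main', 'init_db init module \'' . $mod_name . '\' failed');
				return false;
			}
		}
	}
	Logger::debug('main', 'init_db modules inited');

	// Init of Abstract
	Abstract_Server::init($prefs_);
	Abstract_ServersGroup::init($prefs_);
	Abstract_Session::init($prefs_);
	Abstract_Token::init($prefs_);
	Abstract_News::init($prefs_);
	Abstract_Script::init($prefs_);
	Abstract_Liaison::init($prefs_);

	// Optional component: only initialised when its class is loaded.
	if (class_exists("PremiumManager")) {
		PremiumManager::initdb($prefs_);
	}

	Abstract_Task::init($prefs_);
	Abstract_ReportServer::init($prefs_);
	Abstract_ReportSession::init($prefs_);
	Abstract_User_Preferences::init($prefs_);
	Abstract_UserGroup_Preferences::init($prefs_);
	Abstract_UserGroup_Rule::init($prefs_);
	Abstract_VDI::init($prefs_);
	Abstract_Network_Folder::init($prefs_);
	Abstract_AdminAction::init($prefs_);

	return true;
}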
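/**
 * Compute the effective settings of one container for this user.
 *
 * Resolution order: the site defaults (general/<container>) are overridden
 * by the rules of the user groups this user belongs to, which are in turn
 * overridden by the user's own preferences. When two of the user's groups
 * carry the same rule with different values the conflict is reported through
 * ErrorManager and the last one loaded wins.
 *
 * @param string $container_ settings container name
 * @return array setting name => effective value (whatever Preferences::get()
 *               returned for the defaults, with overrides applied on top)
 */
public function getSessionSettings($container_) {
	$login = $this->getAttribute('login');
	$prefs = Preferences::getInstance();
	$overriden = array();
	$default_settings = $prefs->get('general', $container_);

	// load rules (overriden settings)
	$user_groups_preferences = Abstract_UserGroup_Preferences::load_all('general', $container_);

	// Distinct group ids carrying at least one rule
	$users_group_id = array();
	foreach ($user_groups_preferences as $pref) {
		if (!in_array($pref->usergroup_id, $users_group_id)) {
			$users_group_id[] = $pref->usergroup_id;
		}
	}

	// from this group, which are these I am into
	$users_groups_mine_ids = $this->get_my_usersgroups_from_list($users_group_id);

	// Finally, overwrite default settings with users groups settings
	foreach ($user_groups_preferences as $pref) {
		if (!in_array($pref->usergroup_id, $users_groups_mine_ids)) {
			continue;
		}

		$key = $pref->element_id;
		$element = $pref->toConfigElement();

		// A conflict is only reportable when the key was already overridden
		// by another of my groups AND a default exists to compare against;
		// a rule for a key absent from the defaults is simply added.
		$already_overriden = isset($overriden[$key]) && $overriden[$key] === true;
		$has_default = is_array($default_settings) && array_key_exists($key, $default_settings);
		if ($already_overriden && $has_default && $element->content != $default_settings[$key]) {
			ErrorManager::report('User "' . $login . '" has at least two groups with the same overriden rule but with different values, the result will be unpredictable.');
		}

		$default_settings[$key] = $element->content;
		$overriden[$key] = true;
	}

	// The user's own preferences take precedence over group rules
	$prefs_of_a_user_unsort = Abstract_User_Preferences::loadByUserLogin($login, 'general', $container_);
	foreach ($prefs_of_a_user_unsort as $key => $pref) {
		$element = $pref->toConfigElement();

		$already_overriden = isset($overriden[$key]) && $overriden[$key] === true;
		$has_default = is_array($default_settings) && array_key_exists($key, $default_settings);
		if ($already_overriden && $has_default && $element->content != $default_settings[$key]) {
			Logger::debug("User '" . $login . "' has at least overriden preferences but with different values, the result will be unpredictable.");
		}

		$default_settings[$key] = $element->content;
		$overriden[$key] = true;
	}

	return $default_settings;
}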
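/**
 * Authenticate the user from the SAML ticket carried by the incoming request
 * and provision group memberships / settings asserted by the IdP.
 *
 * The ticket is the text content of the request's <saml_ticket> node. It is
 * handed to OneLogin_Saml2_Response together with the IdP settings built from
 * the AuthMethod/SAML2 preferences (idp_url, idp_fingerprint, idp_cert), so
 * those preferences are the trust root: nothing from the response is read
 * before isValid() has accepted it, and an expired session / assertion
 * window is rejected afterwards.
 *
 * Recognised attributes (all others are ignored):
 *  - ovd.group_member: the IdP is authoritative for group membership, the
 *    user is added to every listed group and removed from unlisted ones;
 *  - ovd.setting.<container>.<setting>: stored as a user preference, but only
 *    when <setting> already exists in the general/<container> defaults.
 *
 * @return string|null the NameID of the authenticated user, or NULL when
 *                     there is no ticket, the response is invalid or expired,
 *                     or the SAML library raised an exception
 * @throws Exception when the asserted user is unknown to the user DB, a
 *                   listed group does not exist, or a membership/setting
 *                   cannot be saved (the cause is logged first)
 */
public function get_login() {
	Logger::debug('main', 'AuthMethod_SAML2::get_login()');

	$my_settings = $this->prefs->get('AuthMethod', 'SAML2');

	$saml_node = $this->user_node_request->getElementsByTagname('saml_ticket')->item(0);
	if (is_null($saml_node)) {
		Logger::error('main', 'Authentication SAML2: No incoming SAML ticket');
		return NULL;
	}

	// The ticket is the (last) text child of <saml_ticket>; other node types
	// are logged and skipped.
	$saml_response_ticket = NULL;
	for ($child = $saml_node->firstChild; $child != NULL; $child = $child->nextSibling) {
		if ($child->nodeType != XML_TEXT_NODE) {
			Logger::error('main', 'Authentication SAML2: node is not text');
			continue;
		}
		$saml_response_ticket = $child->wholeText;
	}
	if (is_null($saml_response_ticket)) {
		Logger::error('main', 'Authentication SAML2: No incoming SAML ticket (bad protocol)');
		return NULL;
	}

	$settings = $this->build_saml_settings($my_settings['idp_url'], $my_settings['idp_fingerprint'], $my_settings['idp_cert']);

	// Tracks whether an output buffer opened by this method is still active,
	// so the catch block can release it if isValid() throws.
	$buffering = false;
	try {
		$response = new OneLogin_Saml2_Response($settings, $saml_response_ticket);

		ob_start(); // Catch debug messages
		$buffering = true;
		if (!$response->isValid()) {
			// The captured library output is the only detail available on why
			// validation failed.
			Logger::error('main', 'Authentication SAML2: the SAML response is not valid ' . ob_get_contents());
			ob_end_clean();
			return NULL;
		}
		ob_end_clean();
		$buffering = false;

		// Reject a session the IdP already declared over, and any assertion
		// outside its validity window.
		$sessionExpiration = $response->getSessionNotOnOrAfter();
		if ((!empty($sessionExpiration) && $sessionExpiration <= time()) || !$response->validateTimestamps()) {
			Logger::error('main', 'Authentication SAML2: Session expired');
			return NULL;
		}
	} catch (Exception $e) {
		if ($buffering) {
			// Thrown between ob_start() and ob_end_clean(): do not leave the
			// caller's output captured in a dangling buffer.
			ob_end_clean();
		}
		Logger::error('main', 'Authentication SAML2: ' . $e->getMessage());
		return NULL;
	}

	$attributes = $response->getAttributes();

	// The NameID asserted by the (now verified) response identifies the user
	// in the local user DB.
	$user = $this->userDB->import($response->getNameId());
	if ($user == NULL) {
		Logger::error('main', 'Authentication SAML2: user not found');
		throw new Exception();
	}
	$login = $user->getAttribute('login');

	// we recognize following attributes:
	// * ovd.group_member: for user group matching
	// * ovd.setting.*: for settings
	if (array_key_exists("ovd.group_member", $attributes) && is_array($attributes["ovd.group_member"])) {
		$userGroupDB = UserGroupDB::getInstance();

		// Unique ids of the groups the user currently belongs to; every
		// membership confirmed by the IdP is removed from this list and what
		// remains is revoked at the end.
		$current_groups = array_keys(Abstract_Liaison::loadGroups('UsersGroup', $login));

		foreach ($attributes["ovd.group_member"] as $group_name) {
			$found = false;
			// getGroupsContains() is a substring search, hence the exact name
			// comparison on each candidate below.
			list($groups, $sizelimit_exceeded) = $userGroupDB->getGroupsContains($group_name, array('name'));
			foreach ($groups as $group) {
				if ($group->name != $group_name) {
					continue;
				}
				$found = true;

				if (!in_array($group->getUniqueID(), $current_groups)) {
					Logger::info('main', 'Authentication SAML2: Add user "' . $login . '" to group "' . $group->name . '"');
					$ret = Abstract_Liaison::save('UsersGroup', $login, $group->getUniqueID());
					if ($ret !== true) {
						Logger::error('main', 'Authentication SAML2: Unable to add user "' . $login . '" to group "' . $group->name . '"');
						throw new Exception();
					}
				} else {
					// Already a member: keep it (drop it from the revocation list).
					unset($current_groups[array_search($group->getUniqueID(), $current_groups)]);
				}
			}

			if (!$found) {
				Logger::error('main', 'Authentication SAML2: group "' . $group_name . '" not found');
				throw new Exception();
			}
		}

		foreach ($current_groups as $group) {
			Logger::info('main', 'Authentication SAML2: remove group "' . $group . '" from ' . $login);
			Abstract_Liaison::delete('UsersGroup', $login, $group);
		}
	}

	$prefs = Preferences::getInstance();
	foreach ($attributes as $attribute => $value) {
		// Single-valued SAML attributes arrive as a one-element array.
		if (is_array($value) && count($value) == 1) {
			$value = $value[0];
		}

		if (substr($attribute, 0, 12) != 'ovd.setting.') {
			continue;
		}

		$attribute = explode('.', $attribute);
		if (count($attribute) != 4) {
			Logger::error('main', 'Authentication SAML2: incorrect setting : "' . implode('.', $attribute) . '"');
			throw new Exception();
		}
		$container = $attribute[2];
		$setting = $attribute[3];

		// Only a setting that already exists in the defaults may be set from
		// the IdP; unknown names are rejected.
		$session_settings_defaults = $prefs->getElements('general', $container);
		if (!array_key_exists($setting, $session_settings_defaults)) {
			Logger::error('main', 'Authentication SAML2: setting "' . implode('.', $attribute) . '" does not exists');
			throw new Exception();
		}

		$config_element = clone $session_settings_defaults[$setting];
		$ugp = new User_Preferences($login, 'general', $container, $setting, $config_element->content);
		// Newlines are stripped so the asserted value stays on one log line.
		Logger::info('main', 'Authentication SAML2: set setting "' . implode('.', $attribute) . '" to ' . str_replace("\n", "", print_r($value, true)));
		$ugp->value = $value;

		// Replace any previous value for this setting.
		Abstract_User_Preferences::delete($login, 'general', $container, $setting);
		$ret = Abstract_User_Preferences::save($ugp);
		if (!$ret) {
			Logger::error('main', 'Authentication SAML2: impossible to save setting "' . implode('.', $attribute) . '"');
			throw new Exception();
		}
	}

	// return true or false.. No redirection to any IdP. We must have a valid ticket at this point. No artifact method
	return $response->getNameId();
}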
/**
 * Remove one per-user setting override so the container default applies again.
 *
 * The "manageUsers" right is checked first, before any lookup is made
 * (presumably check_authorized() aborts the request otherwise). The removal is
 * recorded through log_action() with the user's login and the setting name.
 *
 * @param mixed $user_id_ user identifier accepted by UserDB::import()
 * @param string $container_ settings container
 * @param string $setting_ setting name; must exist in the general/<container> defaults
 * @return bool true when the preference was deleted; false when the user is
 *              unknown, the setting is not a known default, or the delete failed
 */
public function user_settings_remove($user_id_, $container_, $setting_) {
	$this->check_authorized('manageUsers');

	$user = UserDB::getInstance()->import($user_id_);
	if (!is_object($user)) {
		return false;
	}

	$known_settings = Preferences::getInstance()->getElements('general', $container_);
	if (!array_key_exists($setting_, $known_settings)) {
		return false;
	}

	$login = $user->getAttribute('login');
	if (!Abstract_User_Preferences::delete($login, 'general', $container_, $setting_)) {
		return false;
	}

	$this->log_action('user_settings_remove', array(
		'login' => $login,
		$container_ . '_' . $setting_ => null,
	));

	return true;
}