/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
}
/**
* Constructor for Google authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
if (!array_key_exists('key', $config)) {
throw new Exception('Google authentication source is not properly configured: missing [key]');
}
$this->key = $config['key'];
if (!array_key_exists('secret', $config)) {
throw new Exception('Google authentication source is not properly configured: missing [secret]');
}
$this->secret = $config['secret'];
$this->linkback = SimpleSAML_Module::getModuleURL('authgoogleOIDC') . '/linkback.php';
// Create Client
$this->client = new Google_Client();
$this->client->setApplicationName('Google gateway');
$this->client->setClientId($this->key);
$this->client->setClientSecret($this->secret);
$this->client->setRedirectUri($this->linkback);
$this->client->addScope('openid');
$this->client->addScope('profile');
$this->client->addScope('email');
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$cfgParse = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, TRUE) . ']');
$this->api_key = $cfgParse->getString('api_key');
$this->secret = $cfgParse->getString('secret');
$this->req_perms = $cfgParse->getString('req_perms', NULL);
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$configObject = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, TRUE) . ']');
$this->key = $configObject->getString('key');
$this->secret = $configObject->getString('secret');
$this->force_login = $configObject->getBoolean('force_login', FALSE);
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
if (!array_key_exists('uid', $config) || !is_string($config['uid'])) {
throw new SimpleSAML_Error_Exception("AA configuration error, 'uid' not found or not a string.");
}
SimpleSAML_Logger::debug('[aa] auth source Bypass: config uid: ' . $config['uid']);
$this->uid = $config['uid'];
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
/* Parse attributes. */
try {
$this->attributes = SimpleSAML\Utils\Arrays::normalizeAttributesArray($config);
} catch (Exception $e) {
throw new Exception('Invalid attributes for authentication source ' . $this->authId . ': ' . $e->getMessage());
}
}
/**
* Require admin access to the current page.
*
* This is a helper function for limiting a page to those with administrative access. It will redirect the user to
* a login page if the current user doesn't have admin access.
*
* @return void This function will only return if the user is admin.
* @throws \SimpleSAML_Error_Exception If no "admin" authentication source was configured.
*
* @author Olav Morken, UNINETT AS <*****@*****.**>
* @author Jaime Perez, UNINETT AS <*****@*****.**>
*/
public static function requireAdmin()
{
if (self::isAdmin()) {
return;
}
// not authenticated as admin user, start authentication
if (\SimpleSAML_Auth_Source::getById('admin') !== null) {
$as = new \SimpleSAML_Auth_Simple('admin');
$as->login();
} else {
throw new \SimpleSAML_Error_Exception('Cannot find "admin" auth source, and admin privileges are required.');
}
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
if (!array_key_exists('site', $config)) {
throw new Exception('PAPI authentication source is not properly configured: missing [site]');
}
$this->_poa = new PoA($config['site']);
if (array_key_exists('hli', $config)) {
$this->_hli = $config['hli'];
}
}
/**
* Hook to add the metadata for hosted entities to the frontpage.
*
* @param array &$metadataHosted The metadata links for hosted metadata on the frontpage.
*/
function saml_hook_metadata_hosted(&$metadataHosted)
{
assert('is_array($metadataHosted)');
$sources = SimpleSAML_Auth_Source::getSourcesOfType('saml:SP');
foreach ($sources as $source) {
$metadata = $source->getMetadata();
$name = $metadata->getValue('name', NULL);
if ($name === NULL) {
$name = $source->getAuthID();
}
$md = array('entityid' => $source->getEntityId(), 'metadata-index' => $source->getEntityId(), 'metadata-set' => 'saml20-sp-hosted', 'metadata-url' => $source->getMetadataURL() . '?output=xhtml', 'name' => $name);
$metadataHosted[] = $md;
}
}
public static function handleLogin($authStateId, $xmlToken)
{
assert('is_string($authStateId)');
$config = SimpleSAML_Configuration::getInstance();
$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
$idp_key = $autoconfig->getValue('idp_key');
$idp_pass = $autoconfig->getValue('idp_key_pass', NULL);
$sts_crt = $autoconfig->getValue('sts_crt');
$Infocard = $autoconfig->getValue('InfoCard');
$infocard = new sspmod_InfoCard_RP_InfoCard();
$infocard->addIDPKey($idp_key, $idp_pass);
$infocard->addSTSCertificate($sts_crt);
if (!$xmlToken) {
SimpleSAML_Logger::debug("XMLtoken: " . $xmlToken);
} else {
SimpleSAML_Logger::debug("NOXMLtoken: " . $xmlToken);
}
$claims = $infocard->process($xmlToken);
if ($claims->isValid()) {
$attributes = array();
foreach ($Infocard['requiredClaims'] as $claim => $data) {
$attributes[$claim] = array($claims->{$claim});
}
foreach ($Infocard['optionalClaims'] as $claim => $data) {
$attributes[$claim] = array($claims->{$claim});
}
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($authStateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
/* Find authentication source. */
assert('array_key_exists(self::AUTHID, $state)');
$source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
}
$state['Attributes'] = $attributes;
unset($infocard);
unset($claims);
SimpleSAML_Auth_Source::completeAuth($state);
} else {
unset($infocard);
unset($claims);
return 'wrong_IC';
}
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
// Call the parent constructor first, as required by the interface
parent::__construct($info, $config);
if (!array_key_exists('key', $config)) {
throw new Exception('LinkedIn authentication source is not properly configured: missing [key]');
}
$this->key = $config['key'];
if (!array_key_exists('secret', $config)) {
throw new Exception('LinkedIn authentication source is not properly configured: missing [secret]');
}
$this->secret = $config['secret'];
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
if (!array_key_exists('key', $config)) {
throw new Exception('Bnet authentication source is not properly configured: missing [key]');
}
$this->key = $config['key'];
if (!array_key_exists('secret', $config)) {
throw new Exception('Bnet authentication source is not properly configured: missing [secret]');
}
$this->secret = $config['secret'];
$this->linkback = SimpleSAML_Module::getModuleURL('authbnet') . '/linkback.php';
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
if (!array_key_exists('key', $config)) {
throw new Exception('Twitter authentication source is not properly configured: missing [key]');
}
$this->key = $config['key'];
if (!array_key_exists('secret', $config)) {
throw new Exception('Twitter authentication source is not properly configured: missing [secret]');
}
$this->secret = $config['secret'];
// require_once(dirname(dirname(dirname(dirname(__FILE__)))) . '/extlibinc/facebook.php');
}
/**
* Start logout.
*
* This function starts a logout operation from the current authentication
* source. This function will return if the logout operation does not
* require a redirect.
*
* @param string $returnURL The URL we should redirect the user to after
* logging out. No checking is performed on the URL, so make sure to verify
* it on beforehand if the URL is obtained from user input. Refer to
* \SimpleSAML\Utils\HTTP::checkURLAllowed() for more information.
* @param string $authority The authentication source we are logging
* out from.
*/
public static function initLogoutReturn($returnURL, $authority)
{
assert('is_string($returnURL)');
assert('is_string($authority)');
$session = SimpleSAML_Session::getSessionFromRequest();
$state = $session->getAuthData($authority, 'LogoutState');
$session->doLogout($authority);
$state['SimpleSAML_Auth_Default.ReturnURL'] = $returnURL;
$state['LogoutCompletedHandler'] = array(get_class(), 'logoutCompleted');
$as = SimpleSAML_Auth_Source::getById($authority);
if ($as === NULL) {
/* The authority wasn't an authentication source... */
self::logoutCompleted($state);
}
$as->logout($state);
}
/**
* Check the credentials that the user got from the A-Select server.
* This function is called after the user returns from the A-Select server.
*
* @author Wessel Dankers, Tilburg University
*/
function check_credentials()
{
if (!array_key_exists('ssp_state', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing ssp_state parameter"));
}
$id = $_REQUEST['ssp_state'];
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($id);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
$state = SimpleSAML_Auth_State::loadState($id, 'aselect:login');
if (!array_key_exists('a-select-server', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing a-select-server parameter"));
}
$server_id = $_REQUEST['a-select-server'];
if (!array_key_exists('aselect_credentials', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing aselect_credentials parameter"));
}
$credentials = $_REQUEST['aselect_credentials'];
if (!array_key_exists('rid', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing rid parameter"));
}
$rid = $_REQUEST['rid'];
try {
if (!array_key_exists('aselect::authid', $state)) {
throw new SimpleSAML_Error_Exception("ASelect authentication source missing in state");
}
$authid = $state['aselect::authid'];
$aselect = SimpleSAML_Auth_Source::getById($authid);
if (is_null($aselect)) {
throw new SimpleSAML_Error_Exception("Could not find authentication source with id {$authid}");
}
$creds = $aselect->verify_credentials($server_id, $credentials, $rid);
if (array_key_exists('attributes', $creds)) {
$state['Attributes'] = $creds['attributes'];
} else {
$res = $creds['res'];
$state['Attributes'] = array('uid' => array($res['uid']), 'organization' => array($res['organization']));
}
} catch (Exception $e) {
SimpleSAML_Auth_State::throwException($state, $e);
}
SimpleSAML_Auth_Source::completeAuth($state);
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Internal error in A-Select component"));
}
public static function isAuthenticated()
{
require_once SamlAuth::LIB_AUTOLOAD;
$source = null;
$config = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($config, 'core:authsource_list.tpl.php');
$t->data['sources'] = SimpleSAML_Auth_Source::getSourcesMatch('-sp');
foreach ($t->data['sources'] as &$_source) {
$as = new SimpleSAML_Auth_Simple($_source);
if ($as->isAuthenticated()) {
$source = $as;
break;
}
}
if ($source === null) {
return false;
}
return $source;
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$cfg = SimpleSAML_Configuration::loadFromArray($config, 'Authentication source ' . var_export($this->authId, true));
$cfg->getValueValidate('type', array('app'), 'app');
$this->app_id = $cfg->getString('app_id');
$this->private_key = $cfg->getString('private_key', null);
// accept these arguments with '_' for consistency
// accept these arguments without '_' for backwards compatibility
$this->server_id = $cfg->getString('serverid', null);
if ($this->server_id === null) {
$this->server_id = $cfg->getString('server_id');
}
$this->server_url = $cfg->getString('serverurl', null);
if ($this->server_url === null) {
$this->server_url = $cfg->getString('server_url');
}
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
if (!array_key_exists('key', $config)) {
throw new Exception('Google authentication source is not properly configured: missing [key]');
}
$this->key = $config['key'];
if (!array_key_exists('secret', $config)) {
throw new Exception('Google authentication source is not properly configured: missing [secret]');
}
$this->secret = $config['secret'];
$this->linkback = SimpleSAML_Module::getModuleURL('authgoogle') . '/linkback.php';
// Google Discovery Document
/*$dd = 'https://accounts.google.com/.well-known/openid-configuration';
$xmlddresponse = $this->curl_file_get_contents($dd);
SimpleSAML_Logger::debug('Google Response: '.$xmlddresponse);*/
}
/**
* Initialize an IdP.
*
* @param string $id The identifier of this IdP.
*/
private function __construct($id)
{
assert('is_string($id)');
$this->id = $id;
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$globalConfig = SimpleSAML_Configuration::getInstance();
if (substr($id, 0, 6) === 'saml2:') {
if (!$globalConfig->getBoolean('enable.saml20-idp', FALSE)) {
throw new SimpleSAML_Error_Exception('enable.saml20-idp disabled in config.php.');
}
$this->config = $metadata->getMetaDataConfig(substr($id, 6), 'saml20-idp-hosted');
} elseif (substr($id, 0, 6) === 'saml1:') {
if (!$globalConfig->getBoolean('enable.shib13-idp', FALSE)) {
throw new SimpleSAML_Error_Exception('enable.shib13-idp disabled in config.php.');
}
$this->config = $metadata->getMetaDataConfig(substr($id, 6), 'shib13-idp-hosted');
} elseif (substr($id, 0, 5) === 'adfs:') {
if (!$globalConfig->getBoolean('enable.adfs-idp', FALSE)) {
throw new SimpleSAML_Error_Exception('enable.adfs-idp disabled in config.php.');
}
$this->config = $metadata->getMetaDataConfig(substr($id, 5), 'adfs-idp-hosted');
try {
/* This makes the ADFS IdP use the same SP associations as the SAML 2.0 IdP. */
$saml2EntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$this->associationGroup = 'saml2:' . $saml2EntityId;
} catch (Exception $e) {
/* Probably no SAML 2 IdP configured for this host. Ignore the error. */
}
} else {
assert(FALSE);
}
if ($this->associationGroup === NULL) {
$this->associationGroup = $this->id;
}
$auth = $this->config->getString('auth');
if (SimpleSAML_Auth_Source::getById($auth) !== NULL) {
$this->authSource = new SimpleSAML_Auth_Simple($auth);
} else {
$this->authSource = new SimpleSAML_Auth_BWC($auth, $this->config->getString('authority', NULL));
}
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
// Call the parent constructor first, as required by the interface
parent::__construct($info, $config);
if (!array_key_exists('key', $config)) {
throw new Exception('LinkedIn authentication source is not properly configured: missing [key]');
}
$this->key = $config['key'];
if (!array_key_exists('secret', $config)) {
throw new Exception('LinkedIn authentication source is not properly configured: missing [secret]');
}
$this->secret = $config['secret'];
if (array_key_exists('attributes', $config)) {
$this->attributes = $config['attributes'];
} else {
// Default values if the attributes are not set in config (ref https://developer.linkedin.com/docs/fields)
$this->attributes = 'id,first-name,last-name,headline,summary,specialties,picture-url,email-address';
}
}
/**
* Attempt to log in using the given username and password.
*
* On a successful login, this function should return the users attributes. On failure,
* it should throw an exception. If the error was caused by the user entering the wrong
* username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
*
* Note that both the username and the password are UTF-8 encoded.
*
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
* @return array Associative array with the users attributes.
*/
protected function login($username, $password)
{
assert('is_string($username)');
assert('is_string($password)');
$userpass = $username . ':' . $password;
$qaLogin = SimpleSAML_Auth_Source::getById('auth2factor');
$uid = $username;
foreach (array_keys($this->users) as $user) {
$u = explode(':', $user)[0];
// lets see if we matched the username, and if we have a uid!
if ($u == $username) {
$uid = $this->users[$user]['uid'][0];
}
}
if (!array_key_exists($userpass, $this->users)) {
$qaLogin->failedLoginAttempt($uid, 'login_count', array('name' => $username, 'mail' => $this->users[$user]['mail'][0], 'uid' => $uid));
$failedAttempts = $qaLogin->getFailedAttempts($uid);
$loginCount = (int) (!empty($failedAttempts)) ? $failedAttempts[0]['login_count'] : 0;
$answerCount = (int) (!empty($failedAttempts)) ? $failedAttempts[0]['answer_count'] : 0;
$failCount = $loginCount + $answerCount;
$firstFailCount = $qaLogin->getmaxFailLogin() - 2;
$secondFailCount = $qaLogin->getmaxFailLogin() - 1;
if ($failCount == $firstFailCount) {
throw new SimpleSAML_Error_Error('2FAILEDATTEMPTWARNING');
}
if ($failCount == $secondFailCount) {
throw new SimpleSAML_Error_Error('1FAILEDATTEMPTWARNING');
}
if ($qaLogin->isLocked($uid)) {
throw new SimpleSAML_Error_Error('ACCOUNTLOCKED');
}
// both username and password are wrong
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
}
// make sure login counter is zero!
$qaLogin->resetFailedLoginAttempts($uid);
return $this->users[$userpass];
}
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config)
{
assert('is_array($info)');
assert('is_array($config)');
// Call the parent constructor first, as required by the interface.
parent::__construct($info, $config);
if (array_key_exists('db.dsn', $config)) {
$this->db_dsn = $config['db.dsn'];
}
if (array_key_exists('db.username', $config)) {
$this->db_username = $config['db.username'];
}
if (array_key_exists('db.password', $config)) {
$this->db_password = $config['db.password'];
}
$this->tfa_authencontextclassref = self::TFAAUTHNCONTEXTCLASSREF;
try {
$this->dbh = new PDO($this->db_dsn, $this->db_username, $this->db_password);
} catch (PDOException $e) {
var_dump($this->db_dsn, $this->db_username, $this->db_password);
echo 'Connection failed: ' . $e->getMessage();
}
$this->createTables();
}
/**
* Resume authentication process.
*
* This function resumes the authentication process after the user has
* entered his or her credentials.
*
* @param array &$state The authentication state.
*/
public static function resume()
{
/*
* First we need to restore the $state-array. We should have the identifier for
* it in the 'State' request parameter.
*/
if (!isset($_REQUEST['State'])) {
throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.');
}
$stateId = (string) $_REQUEST['State'];
/*
* Once again, note the second parameter to the loadState function. This must
* match the string we used in the saveState-call above.
*/
$state = SimpleSAML_Auth_State::loadState($stateId, 'drupalauth:External');
/*
* Now we have the $state-array, and can use it to locate the authentication
* source.
*/
$source = SimpleSAML_Auth_Source::getById($state['drupalauth:AuthID']);
if ($source === NULL) {
/*
* The only way this should fail is if we remove or rename the authentication source
* while the user is at the login page.
*/
throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
}
/*
* Make sure that we haven't switched the source type while the
* user was at the authentication page. This can only happen if we
* change config/authsources.php while an user is logging in.
*/
if (!$source instanceof self) {
throw new SimpleSAML_Error_Exception('Authentication source type changed.');
}
/*
* OK, now we know that our current state is sane. Time to actually log the user in.
*
* First we check that the user is acutally logged in, and didn't simply skip the login page.
*/
$attributes = $source->getUser();
if ($attributes === NULL) {
/*
* The user isn't authenticated.
*
* Here we simply throw an exception, but we could also redirect the user back to the
* login page.
*/
throw new SimpleSAML_Error_Exception('User not authenticated after login page.');
}
/*
* So, we have a valid user. Time to resume the authentication process where we
* paused it in the authenticate()-function above.
*/
$state['Attributes'] = $attributes;
SimpleSAML_Auth_Source::completeAuth($state);
/*
* The completeAuth-function never returns, so we never get this far.
*/
assert('FALSE');
}
<?php
/**
* Handle linkback() response from CAS.
*/
if (!isset($_GET['stateID'])) {
throw new SimpleSAML_Error_BadRequest('Missing stateID parameter.');
}
$stateId = (string) $_GET['stateID'];
if (!isset($_GET['ticket'])) {
throw new SimpleSAML_Error_BadRequest('Missing ticket parameter.');
}
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($stateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT);
$state['cas:ticket'] = (string) $_GET['ticket'];
/* Find authentication source. */
assert('array_key_exists(sspmod_cas_Auth_Source_CAS::AUTHID, $state)');
$sourceId = $state[sspmod_cas_Auth_Source_CAS::AUTHID];
$source = SimpleSAML_Auth_Source::getById($sourceId);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $sourceId);
}
$source->finalStep($state);
/**
* This page shows a username/password/organization login form, and passes information from
* itto the sspmod_core_Auth_UserPassBase class, which is a generic class for
* username/password/organization authentication.
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
if (!array_key_exists('AuthState', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
}
$authStateId = $_REQUEST['AuthState'];
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassOrgBase::STAGEID);
$source = SimpleSAML_Auth_Source::getById($state[sspmod_core_Auth_UserPassOrgBase::AUTHID]);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $state[sspmod_core_Auth_UserPassOrgBase::AUTHID]);
}
$organizations = sspmod_core_Auth_UserPassOrgBase::listOrganizations($authStateId);
if (array_key_exists('username', $_REQUEST)) {
$username = $_REQUEST['username'];
} elseif ($source->getRememberUsernameEnabled() && array_key_exists($source->getAuthId() . '-username', $_COOKIE)) {
$username = $_COOKIE[$source->getAuthId() . '-username'];
} elseif (isset($state['core:username'])) {
$username = (string) $state['core:username'];
} else {
$username = '';
}
if (array_key_exists('password', $_REQUEST)) {
$password = $_REQUEST['password'];
/**
* Require admin access for current page.
*
* This is a helper-function for limiting a page to admin access. It will redirect
* the user to a login page if the current user doesn't have admin access.
*/
public static function requireAdmin()
{
if (self::isAdmin()) {
return;
}
$returnTo = self::selfURL();
/* Not authenticated as admin user. Start authentication. */
if (SimpleSAML_Auth_Source::getById('admin') !== NULL) {
$as = new SimpleSAML_Auth_Simple('admin');
$as->login();
} else {
/* For backwards-compatibility. */
$config = SimpleSAML_Configuration::getInstance();
self::redirectTrustedURL('/' . $config->getBaseURL() . 'auth/login-admin.php', array('RelayState' => $returnTo));
}
}
/**
* Finish a succesfull authentication.
*
* This function can be overloaded by a child authentication
* class that wish to perform some operations after login.
*
* @param array &$state Information about the current authentication.
*/
public function authSuccesful(&$state)
{
SimpleSAML_Auth_Source::completeAuth($state);
assert('FALSE');
/* NOTREACHED */
return;
}
/**
* Log the user out.
*
* This function logs the user out. It will never return. By default,
* it will cause a redirect to the current page after logging the user
* out, but a different URL can be given with the $params parameter.
*
* Generic parameters are:
* - 'ReturnTo': The URL the user should be returned to after logout.
* - 'ReturnCallback': The function that should be called after logout.
* - 'ReturnStateParam': The parameter we should return the state in when redirecting.
* - 'ReturnStateStage': The stage the state array should be saved with.
*
* @param string|array|NULL $params Either the URL the user should be redirected to after logging out,
* or an array with parameters for the logout. If this parameter is
* NULL, we will return to the current page.
*/
public function logout($params = NULL)
{
assert('is_array($params) || is_string($params) || is_null($params)');
if ($params === NULL) {
$params = SimpleSAML_Utilities::selfURL();
}
if (is_string($params)) {
$params = array('ReturnTo' => $params);
}
assert('is_array($params)');
assert('isset($params["ReturnTo"]) || isset($params["ReturnCallback"])');
if (isset($params['ReturnStateParam']) || isset($params['ReturnStateStage'])) {
assert('isset($params["ReturnStateParam"]) && isset($params["ReturnStateStage"])');
}
$session = SimpleSAML_Session::getSessionFromRequest();
if ($session->isValid($this->authSource)) {
$state = $session->getAuthData($this->authSource, 'LogoutState');
if ($state !== NULL) {
$params = array_merge($state, $params);
}
$session->doLogout($this->authSource);
$params['LogoutCompletedHandler'] = array(get_class(), 'logoutCompleted');
$as = SimpleSAML_Auth_Source::getById($this->authSource);
if ($as !== NULL) {
$as->logout($params);
}
}
self::logoutCompleted($params);
}
sspmod_saml_Message::validateMessage($idpMetadata, $spMetadata, $message);
$destination = $message->getDestination();
//if ($destination !== NULL && $destination !== SimpleSAML_Utilities::selfURLNoQuery()) {
// throw new SimpleSAML_Error_Exception('Destination in logout message is wrong.');
//}
if ($message instanceof SAML2_LogoutResponse) {
$relayState = $message->getRelayState();
if ($relayState === NULL) {
/* Somehow, our RelayState has been lost. */
throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.');
}
if (!$message->isSuccess()) {
SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message));
}
$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent');
SimpleSAML_Auth_Source::completeLogout($state);
} elseif ($message instanceof SAML2_LogoutRequest) {
SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId);
SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);
if ($message->isNameIdEncrypted()) {
try {
$keys = sspmod_saml_Message::getDecryptionKeys($srcMetadata, $dstMetadata);
} catch (Exception $e) {
throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
}
$lastException = NULL;
foreach ($keys as $i => $key) {
try {
$message->decryptNameId($key);
SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
} catch (Exception $e) {
/**
* Log out from this authentication source.
*
* This method retrieves the authentication source used for this
* session and then call the logout method on it.
*
* @param array &$state Information about the current logout operation.
*/
public function logout(&$state)
{
assert('is_array($state)');
/* Get the source that was used to authenticate */
$session = SimpleSAML_Session::getSessionFromRequest();
$authId = $session->getData(self::SESSION_SOURCE, $this->authId);
$source = SimpleSAML_Auth_Source::getById($authId);
if ($source === NULL) {
throw new Exception('Invalid authentication source during logout: ' . $source);
}
/* Then, do the logout on it */
$source->logout($state);
}
