Permalink
Browse files

auth/cas MDL-24789 phpCAS single sign-on module client needs updating…

… due to security issues

Upgraded phpCAS to 1.1.3 (latest stable version) in Moodle 1.8.x, which fixes them.

Also fixed as part of this update:
   MDL-20029
   MDL-23126
   MDL-23645
   MDL-23864
   MDL-16168
   MDL-18643
  • Loading branch information...
1 parent c3ff238 commit 2edb3c6a5c205aed99932a73b2b8d4f6ec262992 @iarenaza iarenaza committed Oct 24, 2010
View
5,381 auth/cas/CAS/CAS.php
1,531 additions, 3,850 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
View
999 auth/cas/CAS/PGTStorage/pgt-file.php → auth/cas/CAS/CAS/PGTStorage/pgt-file.php
@@ -1,718 +1,283 @@
-<?php
-
-
-
-
-
-/**
-
-
- * @file CAS/PGTStorage/pgt-file.php
-
-
- * Basic class for PGT file storage
-
-
- */
-
-
-
-
-
-/**
-
-
- * @class PGTStorageFile
-
-
- * The PGTStorageFile class is a class for PGT file storage. An instance of
-
-
- * this class is returned by CASClient::SetPGTStorageFile().
-
-
- *
-
-
- * @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>
-
-
- *
-
-
- * @ingroup internalPGTStorageFile
-
-
- */
-
-
-
-
-
-class PGTStorageFile extends PGTStorage
-
-
-{
-
-
- /**
-
-
- * @addtogroup internalPGTStorageFile
-
-
- * @{
-
-
- */
-
-
-
-
-
- /**
-
-
- * a string telling where PGT's should be stored on the filesystem. Written by
-
-
- * PGTStorageFile::PGTStorageFile(), read by getPath().
-
-
- *
-
-
- * @private
-
-
- */
-
-
- var $_path;
-
-
-
-
-
- /**
-
-
- * This method returns the name of the directory where PGT's should be stored
-
-
- * on the filesystem.
-
-
- *
-
-
- * @return the name of a directory (with leading and trailing '/')
-
-
- *
-
-
- * @private
-
-
- */
-
-
- function getPath()
-
-
- {
-
-
- return $this->_path;
-
-
- }
-
-
-
-
-
- /**
-
-
- * a string telling the format to use to store PGT's (plain or xml). Written by
-
-
- * PGTStorageFile::PGTStorageFile(), read by getFormat().
-
-
- *
-
-
- * @private
-
-
- */
-
-
- var $_format;
-
-
-
-
-
- /**
-
-
- * This method returns the format to use when storing PGT's on the filesystem.
-
-
- *
-
-
- * @return a string corresponding to the format used (plain or xml).
-
-
- *
-
-
- * @private
-
-
- */
-
-
- function getFormat()
-
-
- {
-
-
- return $this->_format;
-
-
- }
-
-
-
-
-
- // ########################################################################
-
-
- // DEBUGGING
-
-
- // ########################################################################
-
-
-
-
-
- /**
-
-
- * This method returns an informational string giving the type of storage
-
-
- * used by the object (used for debugging purposes).
-
-
- *
-
-
- * @return an informational string.
-
-
- * @public
-
-
- */
-
-
- function getStorageType()
-
-
- {
-
-
- return "file";
-
-
- }
-
-
-
-
-
- /**
-
-
- * This method returns an informational string giving informations on the
-
-
- * parameters of the storage.(used for debugging purposes).
-
-
- *
-
-
- * @return an informational string.
-
-
- * @public
-
-
- */
-
-
- function getStorageInfo()
-
-
- {
-
-
- return 'path=`'.$this->getPath().'\', format=`'.$this->getFormat().'\'';
-
-
- }
-
-
-
-
-
- // ########################################################################
-
-
- // CONSTRUCTOR
-
-
- // ########################################################################
-
-
-
-
-
- /**
-
-
- * The class constructor, called by CASClient::SetPGTStorageFile().
-
-
- *
-
-
- * @param $cas_parent the CASClient instance that creates the object.
-
-
- * @param $format the format used to store the PGT's (`plain' and `xml' allowed).
-
-
- * @param $path the path where the PGT's should be stored
-
-
- *
-
-
- * @public
-
-
- */
-
-
- function PGTStorageFile($cas_parent,$format,$path)
-
-
- {
-
-
- phpCAS::traceBegin();
-
-
- // call the ancestor's constructor
-
-
- $this->PGTStorage($cas_parent);
-
-
-
-
-
- if (empty($format) ) $format = CAS_PGT_STORAGE_FILE_DEFAULT_FORMAT;
-
-
- if (empty($path) ) $path = CAS_PGT_STORAGE_FILE_DEFAULT_PATH;
-
-
-
-
-
- // check that the path is an absolute path
-
-
- if ( $path[0] != '/' ) {
-
-
- phpCAS::error('an absolute path is needed for PGT storage to file');
-
-
- }
-
-
-
-
-
- // store the path (with a leading and trailing '/')
-
-
- $path = preg_replace('|[/]*$|','/',$path);
-
-
- $path = preg_replace('|^[/]*|','/',$path);
-
-
- $this->_path = $path;
-
-
-
-
-
- // check the format and store it
-
-
- switch ($format) {
-
-
- case CAS_PGT_STORAGE_FILE_FORMAT_PLAIN:
-
-
- case CAS_PGT_STORAGE_FILE_FORMAT_XML:
-
-
- $this->_format = $format;
-
-
- break;
-
-
- default:
-
-
- phpCAS::error('unknown PGT file storage format (`'.CAS_PGT_STORAGE_FILE_FORMAT_PLAIN.'\' and `'.CAS_PGT_STORAGE_FILE_FORMAT_XML.'\' allowed)');
-
-
- }
-
-
- phpCAS::traceEnd();
-
-
- }
-
-
-
-
-
- // ########################################################################
-
-
- // INITIALIZATION
-
-
- // ########################################################################
-
-
-
-
-
- /**
-
-
- * This method is used to initialize the storage. Halts on error.
-
-
- *
-
-
- * @public
-
-
- */
-
-
- function init()
-
-
- {
-
-
- phpCAS::traceBegin();
-
-
- // if the storage has already been initialized, return immediatly
-
-
- if ( $this->isInitialized() )
-
-
- return;
-
-
- // call the ancestor's method (mark as initialized)
-
-
- parent::init();
-
-
- phpCAS::traceEnd();
-
-
- }
-
-
-
-
-
- // ########################################################################
-
-
- // PGT I/O
-
-
- // ########################################################################
-
-
-
-
-
- /**
-
-
- * This method returns the filename corresponding to a PGT Iou.
-
-
- *
-
-
- * @param $pgt_iou the PGT iou.
-
-
- *
-
-
- * @return a filename
-
-
- * @private
-
-
- */
-
-
- function getPGTIouFilename($pgt_iou)
-
-
- {
-
-
- phpCAS::traceBegin();
-
-
- $filename = $this->getPath().$pgt_iou.'.'.$this->getFormat();
-
-
-
-
-
- phpCAS::traceEnd($filename);
-
-
- return $filename;
-
-
- }
-
-
-
-
-
- /**
-
-
- * This method stores a PGT and its corresponding PGT Iou into a file. Echoes a
-
-
- * warning on error.
-
-
- *
-
-
- * @param $pgt the PGT
-
-
- * @param $pgt_iou the PGT iou
-
-
- *
-
-
- * @public
-
-
- */
-
-
- function write($pgt,$pgt_iou)
-
-
- {
-
-
- phpCAS::traceBegin();
-
-
- $fname = $this->getPGTIouFilename($pgt_iou);
-
-
- if ( $f=fopen($fname,"w") ) {
-
-
- if ( fputs($f,$pgt) === FALSE ) {
-
-
- phpCAS::error('could not write PGT to `'.$fname.'\'');
-
-
- }
-
-
- fclose($f);
-
-
- } else {
-
-
- phpCAS::error('could not open `'.$fname.'\'');
-
-
- }
-
-
- phpCAS::traceEnd();
-
-
- }
-
-
-
-
-
- /**
-
-
- * This method reads a PGT corresponding to a PGT Iou and deletes the
-
-
- * corresponding file.
-
-
- *
-
-
- * @param $pgt_iou the PGT iou
-
-
- *
-
-
- * @return the corresponding PGT, or FALSE on error
-
-
- *
-
-
- * @public
-
-
- */
-
-
- function read($pgt_iou)
-
-
- {
-
-
- phpCAS::traceBegin();
-
-
- $pgt = FALSE;
-
-
- $fname = $this->getPGTIouFilename($pgt_iou);
-
-
-
-
-
- if ( !($f=fopen($fname,"r")) ) {
-
-
- phpCAS::trace('could not open `'.$fname.'\'');
-
-
- } else {
-
-
- if ( ($pgt=fgets($f)) === FALSE ) {
-
-
- phpCAS::trace('could not read PGT from `'.$fname.'\'');
-
-
- }
-
-
- fclose($f);
-
-
- }
-
-
-
-
-
- // delete the PGT file
-
-
- @unlink($fname);
-
-
-
-
-
- phpCAS::traceEnd($pgt);
-
-
- return $pgt;
-
-
- }
-
-
-
-
-
- /** @} */
-
-
-
-
-
-}
-
-
-
-
-
-
-
-
+<?php
+/*
+ * Copyright © 2003-2010, The ESUP-Portail consortium & the JA-SIG Collaborative.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * * Neither the name of the ESUP-Portail consortium & the JA-SIG
+ * Collaborative nor the names of its contributors may be used to endorse or
+ * promote products derived from this software without specific prior
+ * written permission.
+
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * @file CAS/PGTStorage/pgt-file.php
+ * Basic class for PGT file storage
+ */
+
+/**
+ * @class PGTStorageFile
+ * The PGTStorageFile class is a class for PGT file storage. An instance of
+ * this class is returned by CASClient::SetPGTStorageFile().
+ *
+ * @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>
+ *
+ * @ingroup internalPGTStorageFile
+ */
+
+class PGTStorageFile extends PGTStorage
+{
+ /**
+ * @addtogroup internalPGTStorageFile
+ * @{
+ */
+
+ /**
+ * a string telling where PGT's should be stored on the filesystem. Written by
+ * PGTStorageFile::PGTStorageFile(), read by getPath().
+ *
+ * @private
+ */
+ var $_path;
+
+ /**
+ * This method returns the name of the directory where PGT's should be stored
+ * on the filesystem.
+ *
+ * @return the name of a directory (with leading and trailing '/')
+ *
+ * @private
+ */
+ function getPath()
+ {
+ return $this->_path;
+ }
+
+ /**
+ * a string telling the format to use to store PGT's (plain or xml). Written by
+ * PGTStorageFile::PGTStorageFile(), read by getFormat().
+ *
+ * @private
+ */
+ var $_format;
+
+ /**
+ * This method returns the format to use when storing PGT's on the filesystem.
+ *
+ * @return a string corresponding to the format used (plain or xml).
+ *
+ * @private
+ */
+ function getFormat()
+ {
+ return $this->_format;
+ }
+
+ // ########################################################################
+ // DEBUGGING
+ // ########################################################################
+
+ /**
+ * This method returns an informational string giving the type of storage
+ * used by the object (used for debugging purposes).
+ *
+ * @return an informational string.
+ * @public
+ */
+ function getStorageType()
+ {
+ return "file";
+ }
+
+ /**
+ * This method returns an informational string giving informations on the
+ * parameters of the storage.(used for debugging purposes).
+ *
+ * @return an informational string.
+ * @public
+ */
+ function getStorageInfo()
+ {
+ return 'path=`'.$this->getPath().'\', format=`'.$this->getFormat().'\'';
+ }
+
+ // ########################################################################
+ // CONSTRUCTOR
+ // ########################################################################
+
+ /**
+ * The class constructor, called by CASClient::SetPGTStorageFile().
+ *
+ * @param $cas_parent the CASClient instance that creates the object.
+ * @param $format the format used to store the PGT's (`plain' and `xml' allowed).
+ * @param $path the path where the PGT's should be stored
+ *
+ * @public
+ */
+ function PGTStorageFile($cas_parent,$format,$path)
+ {
+ phpCAS::traceBegin();
+ // call the ancestor's constructor
+ $this->PGTStorage($cas_parent);
+
+ if (empty($format) ) $format = CAS_PGT_STORAGE_FILE_DEFAULT_FORMAT;
+ if (empty($path) ) $path = CAS_PGT_STORAGE_FILE_DEFAULT_PATH;
+
+ // check that the path is an absolute path
+ if (getenv("OS")=="Windows_NT"){
+
+ if (!preg_match('`^[a-zA-Z]:`', $path)) {
+ phpCAS::error('an absolute path is needed for PGT storage to file');
+ }
+
+ }
+ else
+ {
+
+ if ( $path[0] != '/' ) {
+ phpCAS::error('an absolute path is needed for PGT storage to file');
+ }
+
+ // store the path (with a leading and trailing '/')
+ $path = preg_replace('|[/]*$|','/',$path);
+ $path = preg_replace('|^[/]*|','/',$path);
+ }
+
+ $this->_path = $path;
+ // check the format and store it
+ switch ($format) {
+ case CAS_PGT_STORAGE_FILE_FORMAT_PLAIN:
+ case CAS_PGT_STORAGE_FILE_FORMAT_XML:
+ $this->_format = $format;
+ break;
+ default:
+ phpCAS::error('unknown PGT file storage format (`'.CAS_PGT_STORAGE_FILE_FORMAT_PLAIN.'\' and `'.CAS_PGT_STORAGE_FILE_FORMAT_XML.'\' allowed)');
+ }
+ phpCAS::traceEnd();
+ }
+
+ // ########################################################################
+ // INITIALIZATION
+ // ########################################################################
+
+ /**
+ * This method is used to initialize the storage. Halts on error.
+ *
+ * @public
+ */
+ function init()
+ {
+ phpCAS::traceBegin();
+ // if the storage has already been initialized, return immediatly
+ if ( $this->isInitialized() )
+ return;
+ // call the ancestor's method (mark as initialized)
+ parent::init();
+ phpCAS::traceEnd();
+ }
+
+ // ########################################################################
+ // PGT I/O
+ // ########################################################################
+
+ /**
+ * This method returns the filename corresponding to a PGT Iou.
+ *
+ * @param $pgt_iou the PGT iou.
+ *
+ * @return a filename
+ * @private
+ */
+ function getPGTIouFilename($pgt_iou)
+ {
+ phpCAS::traceBegin();
+ $filename = $this->getPath().$pgt_iou.'.'.$this->getFormat();
+ phpCAS::traceEnd($filename);
+ return $filename;
+ }
+
+ /**
+ * This method stores a PGT and its corresponding PGT Iou into a file. Echoes a
+ * warning on error.
+ *
+ * @param $pgt the PGT
+ * @param $pgt_iou the PGT iou
+ *
+ * @public
+ */
+ function write($pgt,$pgt_iou)
+ {
+ phpCAS::traceBegin();
+ $fname = $this->getPGTIouFilename($pgt_iou);
+ if(!file_exists($fname)){
+ if ( $f=fopen($fname,"w") ) {
+ if ( fputs($f,$pgt) === FALSE ) {
+ phpCAS::error('could not write PGT to `'.$fname.'\'');
+ }
+ fclose($f);
+ } else {
+ phpCAS::error('could not open `'.$fname.'\'');
+ }
+ }else{
+ phpCAS::error('File exists: `'.$fname.'\'');
+ }
+ phpCAS::traceEnd();
+ }
+
+ /**
+ * This method reads a PGT corresponding to a PGT Iou and deletes the
+ * corresponding file.
+ *
+ * @param $pgt_iou the PGT iou
+ *
+ * @return the corresponding PGT, or FALSE on error
+ *
+ * @public
+ */
+ function read($pgt_iou)
+ {
+ phpCAS::traceBegin();
+ $pgt = FALSE;
+ $fname = $this->getPGTIouFilename($pgt_iou);
+ if (file_exists($fname)){
+ if ( !($f=fopen($fname,"r")) ) {
+ phpCAS::trace('could not open `'.$fname.'\'');
+ } else {
+ if ( ($pgt=fgets($f)) === FALSE ) {
+ phpCAS::trace('could not read PGT from `'.$fname.'\'');
+ }
+ fclose($f);
+ }
+
+ // delete the PGT file
+ @unlink($fname);
+ }else{
+ phpCAS::trace('No such file `'.$fname.'\'');
+ }
+ phpCAS::traceEnd($pgt);
+ return $pgt;
+ }
+
+ /** @} */
+
+}
+
+
?>
View
214 auth/cas/CAS/CAS/PGTStorage/pgt-main.php
@@ -0,0 +1,214 @@
+<?php
+/*
+ * Copyright © 2003-2010, The ESUP-Portail consortium & the JA-SIG Collaborative.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * * Neither the name of the ESUP-Portail consortium & the JA-SIG
+ * Collaborative nor the names of its contributors may be used to endorse or
+ * promote products derived from this software without specific prior
+ * written permission.
+
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * @file CAS/PGTStorage/pgt-main.php
+ * Basic class for PGT storage
+ */
+
+/**
+ * @class PGTStorage
+ * The PGTStorage class is a generic class for PGT storage. This class should
+ * not be instanciated itself but inherited by specific PGT storage classes.
+ *
+ * @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>
+ *
+ * @ingroup internalPGTStorage
+ */
+
+class PGTStorage
+{
+ /**
+ * @addtogroup internalPGTStorage
+ * @{
+ */
+
+ // ########################################################################
+ // CONSTRUCTOR
+ // ########################################################################
+
+ /**
+ * The constructor of the class, should be called only by inherited classes.
+ *
+ * @param $cas_parent the CASclient instance that creates the current object.
+ *
+ * @protected
+ */
+ function PGTStorage($cas_parent)
+ {
+ phpCAS::traceBegin();
+ if ( !$cas_parent->isProxy() ) {
+ phpCAS::error('defining PGT storage makes no sense when not using a CAS proxy');
+ }
+ phpCAS::traceEnd();
+ }
+
+ // ########################################################################
+ // DEBUGGING
+ // ########################################################################
+
+ /**
+ * This virtual method returns an informational string giving the type of storage
+ * used by the object (used for debugging purposes).
+ *
+ * @public
+ */
+ function getStorageType()
+ {
+ phpCAS::error(__CLASS__.'::'.__FUNCTION__.'() should never be called');
+ }
+
+ /**
+ * This virtual method returns an informational string giving informations on the
+ * parameters of the storage.(used for debugging purposes).
+ *
+ * @public
+ */
+ function getStorageInfo()
+ {
+ phpCAS::error(__CLASS__.'::'.__FUNCTION__.'() should never be called');
+ }
+
+ // ########################################################################
+ // ERROR HANDLING
+ // ########################################################################
+
+ /**
+ * string used to store an error message. Written by PGTStorage::setErrorMessage(),
+ * read by PGTStorage::getErrorMessage().
+ *
+ * @hideinitializer
+ * @private
+ * @deprecated not used.
+ */
+ var $_error_message=FALSE;
+
+ /**
+ * This method sets en error message, which can be read later by
+ * PGTStorage::getErrorMessage().
+ *
+ * @param $error_message an error message
+ *
+ * @protected
+ * @deprecated not used.
+ */
+ function setErrorMessage($error_message)
+ {
+ $this->_error_message = $error_message;
+ }
+
+ /**
+ * This method returns an error message set by PGTStorage::setErrorMessage().
+ *
+ * @return an error message when set by PGTStorage::setErrorMessage(), FALSE
+ * otherwise.
+ *
+ * @public
+ * @deprecated not used.
+ */
+ function getErrorMessage()
+ {
+ return $this->_error_message;
+ }
+
+ // ########################################################################
+ // INITIALIZATION
+ // ########################################################################
+
+ /**
+ * a boolean telling if the storage has already been initialized. Written by
+ * PGTStorage::init(), read by PGTStorage::isInitialized().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_initialized = FALSE;
+
+ /**
+ * This method tells if the storage has already been intialized.
+ *
+ * @return a boolean
+ *
+ * @protected
+ */
+ function isInitialized()
+ {
+ return $this->_initialized;
+ }
+
+ /**
+ * This virtual method initializes the object.
+ *
+ * @protected
+ */
+ function init()
+ {
+ $this->_initialized = TRUE;
+ }
+
+ // ########################################################################
+ // PGT I/O
+ // ########################################################################
+
+ /**
+ * This virtual method stores a PGT and its corresponding PGT Iuo.
+ * @note Should never be called.
+ *
+ * @param $pgt the PGT
+ * @param $pgt_iou the PGT iou
+ *
+ * @protected
+ */
+ function write($pgt,$pgt_iou)
+ {
+ phpCAS::error(__CLASS__.'::'.__FUNCTION__.'() should never be called');
+ }
+
+ /**
+ * This virtual method reads a PGT corresponding to a PGT Iou and deletes
+ * the corresponding storage entry.
+ * @note Should never be called.
+ *
+ * @param $pgt_iou the PGT iou
+ *
+ * @protected
+ */
+ function read($pgt_iou)
+ {
+ phpCAS::error(__CLASS__.'::'.__FUNCTION__.'() should never be called');
+ }
+
+ /** @} */
+
+}
+
+// include specific PGT storage classes
+include_once(dirname(__FILE__).'/pgt-file.php');
+
+?>
View
2,776 auth/cas/CAS/CAS/client.php
@@ -0,0 +1,2776 @@
+<?php
+
+/*
+ * Copyright © 2003-2010, The ESUP-Portail consortium & the JA-SIG Collaborative.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * * Neither the name of the ESUP-Portail consortium & the JA-SIG
+ * Collaborative nor the names of its contributors may be used to endorse or
+ * promote products derived from this software without specific prior
+ * written permission.
+
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * @file CAS/client.php
+ * Main class of the phpCAS library
+ */
+
+// include internationalization stuff
+include_once(dirname(__FILE__).'/languages/languages.php');
+
+// include PGT storage classes
+include_once(dirname(__FILE__).'/PGTStorage/pgt-main.php');
+
+/**
+ * @class CASClient
+ * The CASClient class is a client interface that provides CAS authentication
+ * to PHP applications.
+ *
+ * @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>
+ */
+
+class CASClient
+{
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX CONFIGURATION XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ // ########################################################################
+ // HTML OUTPUT
+ // ########################################################################
+ /**
+ * @addtogroup internalOutput
+ * @{
+ */
+
+ /**
+ * This method filters a string by replacing special tokens by appropriate values
+ * and prints it. The corresponding tokens are taken into account:
+ * - __CAS_VERSION__
+ * - __PHPCAS_VERSION__
+ * - __SERVER_BASE_URL__
+ *
+ * Used by CASClient::PrintHTMLHeader() and CASClient::printHTMLFooter().
+ *
+ * @param $str the string to filter and output
+ *
+ * @private
+ */
+ function HTMLFilterOutput($str)
+ {
+ $str = str_replace('__CAS_VERSION__',$this->getServerVersion(),$str);
+ $str = str_replace('__PHPCAS_VERSION__',phpCAS::getVersion(),$str);
+ $str = str_replace('__SERVER_BASE_URL__',$this->getServerBaseURL(),$str);
+ echo $str;
+ }
+
+ /**
+ * A string used to print the header of HTML pages. Written by CASClient::setHTMLHeader(),
+ * read by CASClient::printHTMLHeader().
+ *
+ * @hideinitializer
+ * @private
+ * @see CASClient::setHTMLHeader, CASClient::printHTMLHeader()
+ */
+ var $_output_header = '';
+
+ /**
+ * This method prints the header of the HTML output (after filtering). If
+ * CASClient::setHTMLHeader() was not used, a default header is output.
+ *
+ * @param $title the title of the page
+ *
+ * @see HTMLFilterOutput()
+ * @private
+ */
+ function printHTMLHeader($title)
+ {
+ $this->HTMLFilterOutput(str_replace('__TITLE__',
+ $title,
+ (empty($this->_output_header)
+ ? '<html><head><title>__TITLE__</title></head><body><h1>__TITLE__</h1>'
+ : $this->_output_header)
+ )
+ );
+ }
+
+ /**
+ * A string used to print the footer of HTML pages. Written by CASClient::setHTMLFooter(),
+ * read by printHTMLFooter().
+ *
+ * @hideinitializer
+ * @private
+ * @see CASClient::setHTMLFooter, CASClient::printHTMLFooter()
+ */
+ var $_output_footer = '';
+
+ /**
+ * This method prints the footer of the HTML output (after filtering). If
+ * CASClient::setHTMLFooter() was not used, a default footer is output.
+ *
+ * @see HTMLFilterOutput()
+ * @private
+ */
+ function printHTMLFooter()
+ {
+ $this->HTMLFilterOutput(empty($this->_output_footer)
+ ?('<hr><address>phpCAS __PHPCAS_VERSION__ '.$this->getString(CAS_STR_USING_SERVER).' <a href="__SERVER_BASE_URL__">__SERVER_BASE_URL__</a> (CAS __CAS_VERSION__)</a></address></body></html>')
+ :$this->_output_footer);
+ }
+
+ /**
+ * This method set the HTML header used for all outputs.
+ *
+ * @param $header the HTML header.
+ *
+ * @public
+ */
+ function setHTMLHeader($header)
+ {
+ $this->_output_header = $header;
+ }
+
+ /**
+ * This method set the HTML footer used for all outputs.
+ *
+ * @param $footer the HTML footer.
+ *
+ * @public
+ */
+ function setHTMLFooter($footer)
+ {
+ $this->_output_footer = $footer;
+ }
+
+ /** @} */
+ // ########################################################################
+ // INTERNATIONALIZATION
+ // ########################################################################
+ /**
+ * @addtogroup internalLang
+ * @{
+ */
+ /**
+ * A string corresponding to the language used by phpCAS. Written by
+ * CASClient::setLang(), read by CASClient::getLang().
+
+ * @note debugging information is always in english (debug purposes only).
+ *
+ * @hideinitializer
+ * @private
+ * @sa CASClient::_strings, CASClient::getString()
+ */
+ var $_lang = '';
+
+ /**
+ * This method returns the language used by phpCAS.
+ *
+ * @return a string representing the language
+ *
+ * @private
+ */
+ function getLang()
+ {
+ if ( empty($this->_lang) )
+ $this->setLang(PHPCAS_LANG_DEFAULT);
+ return $this->_lang;
+ }
+
+ /**
+ * array containing the strings used by phpCAS. Written by CASClient::setLang(), read by
+ * CASClient::getString() and used by CASClient::setLang().
+ *
+ * @note This array is filled by instructions in CAS/languages/<$this->_lang>.php
+ *
+ * @private
+ * @see CASClient::_lang, CASClient::getString(), CASClient::setLang(), CASClient::getLang()
+ */
+ var $_strings;
+
+ /**
+ * This method returns a string depending on the language.
+ *
+ * @param $str the index of the string in $_string.
+ *
+ * @return the string corresponding to $index in $string.
+ *
+ * @private
+ */
+ function getString($str)
+ {
+ // call CASclient::getLang() to be sure the language is initialized
+ $this->getLang();
+
+ if ( !isset($this->_strings[$str]) ) {
+ trigger_error('string `'.$str.'\' not defined for language `'.$this->getLang().'\'',E_USER_ERROR);
+ }
+ return $this->_strings[$str];
+ }
+
+ /**
+ * This method is used to set the language used by phpCAS.
+ * @note Can be called only once.
+ *
+ * @param $lang a string representing the language.
+ *
+ * @public
+ * @sa CAS_LANG_FRENCH, CAS_LANG_ENGLISH
+ */
+ function setLang($lang)
+ {
+ // include the corresponding language file
+ include_once(dirname(__FILE__).'/languages/'.$lang.'.php');
+
+ if ( !is_array($this->_strings) ) {
+ trigger_error('language `'.$lang.'\' is not implemented',E_USER_ERROR);
+ }
+ $this->_lang = $lang;
+ }
+
+ /** @} */
+ // ########################################################################
+ // CAS SERVER CONFIG
+ // ########################################################################
+ /**
+ * @addtogroup internalConfig
+ * @{
+ */
+
+ /**
+ * a record to store information about the CAS server.
+ * - $_server["version"]: the version of the CAS server
+ * - $_server["hostname"]: the hostname of the CAS server
+ * - $_server["port"]: the port the CAS server is running on
+ * - $_server["uri"]: the base URI the CAS server is responding on
+ * - $_server["base_url"]: the base URL of the CAS server
+ * - $_server["login_url"]: the login URL of the CAS server
+ * - $_server["service_validate_url"]: the service validating URL of the CAS server
+ * - $_server["proxy_url"]: the proxy URL of the CAS server
+ * - $_server["proxy_validate_url"]: the proxy validating URL of the CAS server
+ * - $_server["logout_url"]: the logout URL of the CAS server
+ *
+ * $_server["version"], $_server["hostname"], $_server["port"] and $_server["uri"]
+ * are written by CASClient::CASClient(), read by CASClient::getServerVersion(),
+ * CASClient::getServerHostname(), CASClient::getServerPort() and CASClient::getServerURI().
+ *
+ * The other fields are written and read by CASClient::getServerBaseURL(),
+ * CASClient::getServerLoginURL(), CASClient::getServerServiceValidateURL(),
+ * CASClient::getServerProxyValidateURL() and CASClient::getServerLogoutURL().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_server = array(
+ 'version' => -1,
+ 'hostname' => 'none',
+ 'port' => -1,
+ 'uri' => 'none'
+ );
+
+ /**
+ * This method is used to retrieve the version of the CAS server.
+ * @return the version of the CAS server.
+ * @private
+ */
+ function getServerVersion()
+ {
+ return $this->_server['version'];
+ }
+
+ /**
+ * This method is used to retrieve the hostname of the CAS server.
+ * @return the hostname of the CAS server.
+ * @private
+ */
+ function getServerHostname()
+ { return $this->_server['hostname']; }
+
+ /**
+ * This method is used to retrieve the port of the CAS server.
+ * @return the port of the CAS server.
+ * @private
+ */
+ function getServerPort()
+ { return $this->_server['port']; }
+
+ /**
+ * This method is used to retrieve the URI of the CAS server.
+ * @return a URI.
+ * @private
+ */
+ function getServerURI()
+ { return $this->_server['uri']; }
+
+ /**
+ * This method is used to retrieve the base URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerBaseURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['base_url']) ) {
+ $this->_server['base_url'] = 'https://' . $this->getServerHostname();
+ if ($this->getServerPort()!=443) {
+ $this->_server['base_url'] .= ':'
+ .$this->getServerPort();
+ }
+ $this->_server['base_url'] .= $this->getServerURI();
+ }
+ return $this->_server['base_url'];
+ }
+
+ /**
+ * This method is used to retrieve the login URL of the CAS server.
+ * @param $gateway true to check authentication, false to force it
+ * @param $renew true to force the authentication with the CAS server
+ * NOTE : It is recommended that CAS implementations ignore the
+ "gateway" parameter if "renew" is set
+ * @return a URL.
+ * @private
+ */
+ function getServerLoginURL($gateway=false,$renew=false) {
+ phpCAS::traceBegin();
+ // the URL is build only when needed
+ if ( empty($this->_server['login_url']) ) {
+ $this->_server['login_url'] = $this->getServerBaseURL();
+ $this->_server['login_url'] .= 'login?service=';
+ // $this->_server['login_url'] .= preg_replace('/&/','%26',$this->getURL());
+ $this->_server['login_url'] .= urlencode($this->getURL());
+ if($renew) {
+ // It is recommended that when the "renew" parameter is set, its value be "true"
+ $this->_server['login_url'] .= '&renew=true';
+ } elseif ($gateway) {
+ // It is recommended that when the "gateway" parameter is set, its value be "true"
+ $this->_server['login_url'] .= '&gateway=true';
+ }
+ }
+ phpCAS::traceEnd($this->_server['login_url']);
+ return $this->_server['login_url'];
+ }
+
+ /**
+ * This method sets the login URL of the CAS server.
+ * @param $url the login URL
+ * @private
+ * @since 0.4.21 by Wyman Chan
+ */
+ function setServerLoginURL($url)
+ {
+ return $this->_server['login_url'] = $url;
+ }
+
+
+ /**
+ * This method sets the serviceValidate URL of the CAS server.
+ * @param $url the serviceValidate URL
+ * @private
+ * @since 1.1.0 by Joachim Fritschi
+ */
+ function setServerServiceValidateURL($url)
+ {
+ return $this->_server['service_validate_url'] = $url;
+ }
+
+
+ /**
+ * This method sets the proxyValidate URL of the CAS server.
+ * @param $url the proxyValidate URL
+ * @private
+ * @since 1.1.0 by Joachim Fritschi
+ */
+ function setServerProxyValidateURL($url)
+ {
+ return $this->_server['proxy_validate_url'] = $url;
+ }
+
+
+ /**
+ * This method sets the samlValidate URL of the CAS server.
+ * @param $url the samlValidate URL
+ * @private
+ * @since 1.1.0 by Joachim Fritschi
+ */
+ function setServerSamlValidateURL($url)
+ {
+ return $this->_server['saml_validate_url'] = $url;
+ }
+
+
+ /**
+ * This method is used to retrieve the service validating URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerServiceValidateURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['service_validate_url']) ) {
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0:
+ $this->_server['service_validate_url'] = $this->getServerBaseURL().'validate';
+ break;
+ case CAS_VERSION_2_0:
+ $this->_server['service_validate_url'] = $this->getServerBaseURL().'serviceValidate';
+ break;
+ }
+ }
+ // return $this->_server['service_validate_url'].'?service='.preg_replace('/&/','%26',$this->getURL());
+ return $this->_server['service_validate_url'].'?service='.urlencode($this->getURL());
+ }
+ /**
+ * This method is used to retrieve the SAML validating URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerSamlValidateURL()
+ {
+ phpCAS::traceBegin();
+ // the URL is build only when needed
+ if ( empty($this->_server['saml_validate_url']) ) {
+ switch ($this->getServerVersion()) {
+ case SAML_VERSION_1_1:
+ $this->_server['saml_validate_url'] = $this->getServerBaseURL().'samlValidate';
+ break;
+ }
+ }
+ phpCAS::traceEnd($this->_server['saml_validate_url'].'?TARGET='.urlencode($this->getURL()));
+ return $this->_server['saml_validate_url'].'?TARGET='.urlencode($this->getURL());
+ }
+ /**
+ * This method is used to retrieve the proxy validating URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerProxyValidateURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['proxy_validate_url']) ) {
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0:
+ $this->_server['proxy_validate_url'] = '';
+ break;
+ case CAS_VERSION_2_0:
+ $this->_server['proxy_validate_url'] = $this->getServerBaseURL().'proxyValidate';
+ break;
+ }
+ }
+ // return $this->_server['proxy_validate_url'].'?service='.preg_replace('/&/','%26',$this->getURL());
+ return $this->_server['proxy_validate_url'].'?service='.urlencode($this->getURL());
+ }
+
+ /**
+ * This method is used to retrieve the proxy URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerProxyURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['proxy_url']) ) {
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0:
+ $this->_server['proxy_url'] = '';
+ break;
+ case CAS_VERSION_2_0:
+ $this->_server['proxy_url'] = $this->getServerBaseURL().'proxy';
+ break;
+ }
+ }
+ return $this->_server['proxy_url'];
+ }
+
+ /**
+ * This method is used to retrieve the logout URL of the CAS server.
+ * @return a URL.
+ * @private
+ */
+ function getServerLogoutURL()
+ {
+ // the URL is build only when needed
+ if ( empty($this->_server['logout_url']) ) {
+ $this->_server['logout_url'] = $this->getServerBaseURL().'logout';
+ }
+ return $this->_server['logout_url'];
+ }
+
+ /**
+ * This method sets the logout URL of the CAS server.
+ * @param $url the logout URL
+ * @private
+ * @since 0.4.21 by Wyman Chan
+ */
+ function setServerLogoutURL($url)
+ {
+ return $this->_server['logout_url'] = $url;
+ }
+
+ /**
+ * An array to store extra curl options.
+ */
+ var $_curl_options = array();
+
+ /**
+ * This method is used to set additional user curl options.
+ */
+ function setExtraCurlOption($key, $value)
+ {
+ $this->_curl_options[$key] = $value;
+ }
+
+ /**
+ * This method checks to see if the request is secured via HTTPS
+ * @return true if https, false otherwise
+ * @private
+ */
+ function isHttps() {
+ //if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) ) {
+ //0.4.24 by Hinnack
+ if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ // ########################################################################
+ // CONSTRUCTOR
+ // ########################################################################
+ /**
+ * CASClient constructor.
+ *
+ * @param $server_version the version of the CAS server
+ * @param $proxy TRUE if the CAS client is a CAS proxy, FALSE otherwise
+ * @param $server_hostname the hostname of the CAS server
+ * @param $server_port the port the CAS server is running on
+ * @param $server_uri the URI the CAS server is responding on
+ * @param $start_session Have phpCAS start PHP sessions (default true)
+ *
+ * @return a newly created CASClient object
+ *
+ * @public
+ */
+ function CASClient(
+ $server_version,
+ $proxy,
+ $server_hostname,
+ $server_port,
+ $server_uri,
+ $start_session = true) {
+
+ phpCAS::traceBegin();
+
+ // the redirect header() call and DOM parsing code from domxml-php4-php5.php won't work in PHP4 compatibility mode
+ if (version_compare(PHP_VERSION,'5','>=') && ini_get('zend.ze1_compatibility_mode')) {
+ phpCAS::error('phpCAS cannot support zend.ze1_compatibility_mode. Sorry.');
+ }
+ $this->_start_session = $start_session;
+
+ if ($this->_start_session && session_id() !== "")
+ {
+ phpCAS :: error("Another session was started before phpcas. Either disable the session" .
+ " handling for phpcas in the client() call or modify your application to leave" .
+ " session handling to phpcas");
+ }
+ // skip Session Handling for logout requests and if don't want it'
+ if ($start_session && !$this->isLogoutRequest())
+ {
+ phpCAS :: trace("Starting a new session");
+ session_start();
+ }
+
+
+ // are we in proxy mode ?
+ $this->_proxy = $proxy;
+
+ //check version
+ switch ($server_version) {
+ case CAS_VERSION_1_0:
+ if ( $this->isProxy() )
+ phpCAS::error('CAS proxies are not supported in CAS '
+ .$server_version);
+ break;
+ case CAS_VERSION_2_0:
+ break;
+ case SAML_VERSION_1_1:
+ break;
+ default:
+ phpCAS::error('this version of CAS (`'
+ .$server_version
+ .'\') is not supported by phpCAS '
+ .phpCAS::getVersion());
+ }
+ $this->_server['version'] = $server_version;
+
+ // check hostname
+ if ( empty($server_hostname)
+ || !preg_match('/[\.\d\-abcdefghijklmnopqrstuvwxyz]*/',$server_hostname) ) {
+ phpCAS::error('bad CAS server hostname (`'.$server_hostname.'\')');
+ }
+ $this->_server['hostname'] = $server_hostname;
+
+ // check port
+ if ( $server_port == 0
+ || !is_int($server_port) ) {
+ phpCAS::error('bad CAS server port (`'.$server_hostname.'\')');
+ }
+ $this->_server['port'] = $server_port;
+
+ // check URI
+ if ( !preg_match('/[\.\d\-_abcdefghijklmnopqrstuvwxyz\/]*/',$server_uri) ) {
+ phpCAS::error('bad CAS server URI (`'.$server_uri.'\')');
+ }
+ // add leading and trailing `/' and remove doubles
+ $server_uri = preg_replace('/\/\//','/','/'.$server_uri.'/');
+ $this->_server['uri'] = $server_uri;
+
+ // set to callback mode if PgtIou and PgtId CGI GET parameters are provided
+ if ( $this->isProxy() ) {
+ $this->setCallbackMode(!empty($_GET['pgtIou'])&&!empty($_GET['pgtId']));
+ }
+
+ if ( $this->isCallbackMode() ) {
+ //callback mode: check that phpCAS is secured
+ if ( !$this->isHttps() ) {
+ phpCAS::error('CAS proxies must be secured to use phpCAS; PGT\'s will not be received from the CAS server');
+ }
+ } else {
+ //normal mode: get ticket and remove it from CGI parameters for developpers
+ $ticket = (isset($_GET['ticket']) ? $_GET['ticket'] : null);
+ switch ($this->getServerVersion()) {
+ case CAS_VERSION_1_0: // check for a Service Ticket
+ if( preg_match('/^ST-/',$ticket) ) {
+ phpCAS::trace('ST \''.$ticket.'\' found');
+ //ST present
+ $this->setST($ticket);
+ //ticket has been taken into account, unset it to hide it to applications
+ unset($_GET['ticket']);
+ } else if ( !empty($ticket) ) {
+ //ill-formed ticket, halt
+ phpCAS::error('ill-formed ticket found in the URL (ticket=`'.htmlentities($ticket).'\')');
+ }
+ break;
+ case CAS_VERSION_2_0: // check for a Service or Proxy Ticket
+ if( preg_match('/^[SP]T-/',$ticket) ) {
+ phpCAS::trace('ST or PT \''.$ticket.'\' found');
+ $this->setPT($ticket);
+ unset($_GET['ticket']);
+ } else if ( !empty($ticket) ) {
+ //ill-formed ticket, halt
+ phpCAS::error('ill-formed ticket found in the URL (ticket=`'.htmlentities($ticket).'\')');
+ }
+ break;
+ case SAML_VERSION_1_1: // SAML just does Service Tickets
+ if( preg_match('/^[SP]T-/',$ticket) ) {
+ phpCAS::trace('SA \''.$ticket.'\' found');
+ $this->setSA($ticket);
+ unset($_GET['ticket']);
+ } else if ( !empty($ticket) ) {
+ //ill-formed ticket, halt
+ phpCAS::error('ill-formed ticket found in the URL (ticket=`'.htmlentities($ticket).'\')');
+ }
+ break;
+ }
+ }
+ phpCAS::traceEnd();
+ }
+
+ /** @} */
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX Session Handling XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ /**
+ * A variable to whether phpcas will use its own session handling. Default = true
+ * @hideinitializer
+ * @private
+ */
+ var $_start_session = true;
+
+ function setStartSession($session)
+ {
+ $this->_start_session = session;
+ }
+
+ function getStartSession($session)
+ {
+ $this->_start_session = session;
+ }
+
+ /**
+ * Renaming the session
+ */
+ function renameSession($ticket)
+ {
+ phpCAS::traceBegin();
+ if($this->_start_session){
+ if (!empty ($this->_user))
+ {
+ $old_session = $_SESSION;
+ session_destroy();
+ // set up a new session, of name based on the ticket
+ $session_id = preg_replace('/[^\w]/', '', $ticket);
+ phpCAS :: trace("Session ID: ".$session_id);
+ session_id($session_id);
+ session_start();
+ phpCAS :: trace("Restoring old session vars");
+ $_SESSION = $old_session;
+ } else
+ {
+ phpCAS :: error('Session should only be renamed after successfull authentication');
+ }
+ }else{
+ phpCAS :: trace("Skipping session rename since phpCAS is not handling the session.");
+ }
+ phpCAS::traceEnd();
+ }
+
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ // XX XX
+ // XX AUTHENTICATION XX
+ // XX XX
+ // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ /**
+ * @addtogroup internalAuthentication
+ * @{
+ */
+
+ /**
+ * The Authenticated user. Written by CASClient::setUser(), read by CASClient::getUser().
+ * @attention client applications should use phpCAS::getUser().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_user = '';
+
+ /**
+ * This method sets the CAS user's login name.
+ *
+ * @param $user the login name of the authenticated user.
+ *
+ * @private
+ */
+ function setUser($user)
+ {
+ $this->_user = $user;
+ }
+
+ /**
+ * This method returns the CAS user's login name.
+ * @warning should be called only after CASClient::forceAuthentication() or
+ * CASClient::isAuthenticated(), otherwise halt with an error.
+ *
+ * @return the login name of the authenticated user
+ */
+ function getUser()
+ {
+ if ( empty($this->_user) ) {
+ phpCAS::error('this method should be used only after '.__CLASS__.'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()');
+ }
+ return $this->_user;
+ }
+
+
+
+ /***********************************************************************************************************************
+ * Atrributes section
+ *
+ * @author Matthias Crauwels <matthias.crauwels@ugent.be>, Ghent University, Belgium
+ *
+ ***********************************************************************************************************************/
+ /**
+ * The Authenticated users attributes. Written by CASClient::setAttributes(), read by CASClient::getAttributes().
+ * @attention client applications should use phpCAS::getAttributes().
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_attributes = array();
+
+ function setAttributes($attributes)
+ { $this->_attributes = $attributes; }
+
+ function getAttributes() {
+ if ( empty($this->_user) ) { // if no user is set, there shouldn't be any attributes also...
+ phpCAS::error('this method should be used only after '.__CLASS__.'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()');
+ }
+ return $this->_attributes;
+ }
+
+ function hasAttributes()
+ { return !empty($this->_attributes); }
+
+ function hasAttribute($key)
+ { return (is_array($this->_attributes) && array_key_exists($key, $this->_attributes)); }
+
+ function getAttribute($key) {
+ if($this->hasAttribute($key)) {
+ return $this->_attributes[$key];
+ }
+ }
+
+ /**
+ * This method is called to renew the authentication of the user
+ * If the user is authenticated, renew the connection
+ * If not, redirect to CAS
+ * @public
+ */
+ function renewAuthentication(){
+ phpCAS::traceBegin();
+ // Either way, the user is authenticated by CAS
+ if( isset( $_SESSION['phpCAS']['auth_checked'] ) )
+ unset($_SESSION['phpCAS']['auth_checked']);
+ if ( $this->isAuthenticated() ) {
+ phpCAS::trace('user already authenticated; renew');
+ $this->redirectToCas(false,true);
+ } else {
+ $this->redirectToCas();
+ }
+ phpCAS::traceEnd();
+ }
+
+ /**
+ * This method is called to be sure that the user is authenticated. When not
+ * authenticated, halt by redirecting to the CAS server; otherwise return TRUE.
+ * @return TRUE when the user is authenticated; otherwise halt.
+ * @public
+ */
+ function forceAuthentication()
+ {
+ phpCAS::traceBegin();
+
+ if ( $this->isAuthenticated() ) {
+ // the user is authenticated, nothing to be done.
+ phpCAS::trace('no need to authenticate');
+ $res = TRUE;
+ } else {
+ // the user is not authenticated, redirect to the CAS server
+ if (isset($_SESSION['phpCAS']['auth_checked'])) {
+ unset($_SESSION['phpCAS']['auth_checked']);
+ }
+ $this->redirectToCas(FALSE/* no gateway */);
+ // never reached
+ $res = FALSE;
+ }
+ phpCAS::traceEnd($res);
+ return $res;
+ }
+
+ /**
+ * An integer that gives the number of times authentication will be cached before rechecked.
+ *
+ * @hideinitializer
+ * @private
+ */
+ var $_cache_times_for_auth_recheck = 0;
+
+ /**
+ * Set the number of times authentication will be cached before rechecked.
+ *
+ * @param $n an integer.
+ *
+ * @public
+ */
+ function setCacheTimesForAuthRecheck($n)
+ {
+ $this->_cache_times_for_auth_recheck = $n;
+ }
+
+ /**
+ * This method is called to check whether the user is authenticated or not.
+ * @return TRUE when the user is authenticated, FALSE otherwise.
+ * @public
+ */
+ function checkAuthentication()
+ {
+ phpCAS::traceBegin();
+
+ if ( $this->isAuthenticated() ) {
+ phpCAS::trace('user is authenticated');
+ $res = TRUE;
+ } else if (isset($_SESSION['phpCAS']['auth_checked'])) {
+ // the previous request has redirected the client to the CAS server with gateway=true
+ unset($_SESSION['phpCAS']['auth_checked']);
+ $res = FALSE;
+ } else {
+ // $_SESSION['phpCAS']['auth_checked'] = true;
+ // $this->redirectToCas(TRUE/* gateway */);
+ // // never reached
+ // $res = FALSE;
+ // avoid a check against CAS on every request
+ if (! isset($_SESSION['phpCAS']['unauth_count']) )
+ $_SESSION['phpCAS']['unauth_count'] = -2; // uninitialized
+
+ if (($_SESSION['phpCAS']['unauth_count'] != -2 && $this->_cache_times_for_auth_recheck == -1)
+ || ($_SESSION['phpCAS']['unauth_count'] >= 0 && $_SESSION['phpCAS']['unauth_count'] < $this->_cache_times_for_auth_recheck))
+ {
+ $res = FALSE;
+
+ if ($this->_cache_times_for_auth_recheck != -1)
+ {
+ $_SESSION['phpCAS']['unauth_count']++;
+ phpCAS::trace('user is not authenticated (cached for '.$_SESSION['phpCAS']['unauth_count'].' times of '.$this->_cache_times_for_auth_recheck.')');
+ }
+ else
+ {
+ phpCAS::trace('user is not authenticated (cached for until login pressed)');
+ }
+ }
+ else
+ {
+ $_SESSION['phpCAS']['unauth_count'] = 0;
+ $_SESSION['phpCAS']['auth_checked'] = true;
+ phpCAS::trace('user is not authenticated (cache reset)');
+ $this->redirectToCas(TRUE/* gateway */);
+ // never reached
+ $res = FALSE;
+ }
+ }
+ phpCAS::traceEnd($res);
+ return $res;
+ }
+
+ /**
+ * This method is called to check if the user is authenticated (previously or by
+ * tickets given in the URL).
+ *
+ * @return TRUE when the user is authenticated. Also may redirect to the same URL without the ticket.
+ *
+ * @public
+ */
+ function isAuthenticated()
+ {
+ phpCAS::traceBegin();
+ $res = FALSE;
+ $validate_url = '';
+
+ if ( $this->wasPreviouslyAuthenticated() ) {
+ if($this->hasST() || $this->hasPT() || $this->hasSA()){
+ // User has a additional ticket but was already authenticated
+ phpCAS::trace('ticket was present and will be discarded, use renewAuthenticate()');
+ header('Location: '.$this->getURL());
+ phpCAS::log( "Prepare redirect to remove ticket: ".$this->getURL() );
+ phpCAS::traceExit();
+ exit();
+ }else{
+ // the user has already (previously during the session) been
+ // authenticated, nothing to be done.
+ phpCAS::trace('user was already authenticated, no need to look for tickets');
+ $res = TRUE;
+ }
+ }
+ else {
+ if ( $this->hasST() ) {
+ // if a Service Ticket was given, validate it
+ phpCAS::trace('ST `'.$this->getST().'\' is present');
+ $this->validateST($validate_url,$text_response,$tree_response); // if it fails, it halts
+ phpCAS::trace('ST `'.$this->getST().'\' was validated');
+ if ( $this->isProxy() ) {
+ $this->validatePGT($validate_url,$text_response,$tree_response); // idem
+ phpCAS::trace('PGT `'.$this->getPGT().'\' was validated');
+ $_SESSION['phpCAS']['pgt'] = $this->getPGT();
+ }
+ $_SESSION['phpCAS']['user'] = $this->getUser();
+ $res = TRUE;
+ }
+ elseif ( $this->hasPT() ) {
+ // if a Proxy Ticket was given, validate it
+ phpCAS::trace('PT `'.$this->getPT().'\' is present');
+ $this->validatePT($validate_url,$text_response,$tree_response); // note: if it fails, it halts
+ phpCAS::trace('PT `'.$this->getPT().'\' was validated');
+ if ( $this->isProxy() ) {
+ $this->validatePGT($validate_url,$text_response,$tree_response); // idem
+ phpCAS::trace('PGT `'.$this->getPGT().'\' was validated');
+ $_SESSION['phpCAS']['pgt'] = $this->getPGT();
+ }
+ $_SESSION['phpCAS']['user'] = $this->getUser();
+ $res = TRUE;
+ }
+ elseif ( $this->hasSA() ) {
+ // if we have a SAML ticket, validate it.
+ phpCAS::trace('SA `'.$this->getSA().'\' is present');
+ $this->validateSA($validate_url,$text_response,$tree_response); // if it fails, it halts
+ phpCAS::trace('SA `'.$this->getSA().'\' was validated');
+ $_SESSION['phpCAS']['user'] = $this->getUser();
+ $_SESSION['phpCAS']['attributes'] = $this->getAttributes();
+ $res = TRUE;
+ }
+ else {
+ // no ticket given, not authenticated
+ phpCAS::trace('no ticket found');
+ }
+ if ($res) {
+ // if called with a ticket parameter, we need to redirect to the app without the ticket so that CAS-ification is transparent to the browser (for later POSTS)
+ // most of the checks and errors should have been made now, so we're safe for redirect without masking error messages.
+ // remove the ticket as a security precaution to prevent a ticket in the HTTP_REFERRER
+ header('Location: '.$this->getURL());
+ phpCAS::log( "Prepare redirect to : ".$this->getURL() );
+ phpCAS::traceExit();
+ exit();
+ }
+ }
+
+ phpCAS::traceEnd($res);
+ return $res;
+ }
+
+ /**
+ * This method tells if the current session is authenticated.
+ * @return true if authenticated based soley on $_SESSION variable
+ * @since 0.4.22 by Brendan Arnold
+ */
+ function isSessionAuthenticated ()
+ {
+ return !empty($_SESSION['phpCAS']['user']);
+ }
+
+ /**
+ * This method tells if the user has already been (previously) authenticated
+ * by looking into the session variables.
+ *
+ * @note This function switches to callback mode when needed.
+ *
+ * @return TRUE when the user has already been authenticated; FALSE otherwise.
+ *
+ * @private
+ */
+ function wasPreviouslyAuthenticated()
+ {
+ phpCAS::traceBegin();
+
+ if ( $this->isCallbackMode() ) {
+ $this->callback();
+ }
+
+ $auth = FALSE;
+
+ if ( $this->isProxy() ) {
+ // CAS proxy: username and PGT must be present
+ if ( $this->isSessionAuthenticated() && !empty($_SESSION['phpCAS']['pgt']) ) {
+ // authentication already done
+ $this->setUser($_SESSION['phpCAS']['user']);
+ $this->setPGT($_SESSION['phpCAS']['pgt']);
+ phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\', PGT = `'.$_SESSION['phpCAS']['pgt'].'\'');
+ $auth = TRUE;
+ } elseif ( $this->isSessionAuthenticated() && empty($_SESSION['phpCAS']['pgt']) ) {
+ // these two variables should be empty or not empty at the same time
+ phpCAS::trace('username found (`'.$_SESSION['phpCAS']['user'].'\') but PGT is empty');
+ // unset all tickets to enforce authentication
+ unset($_SESSION['phpCAS']);
+ $this->setST('');
+ $this->setPT('');
+ } elseif ( !$this->isSessionAuthenticated() && !empty($_SESSION['phpCAS']['pgt']) ) {
+ // these two variables should be empty or not empty at the same time
+ phpCAS::trace('PGT found (`'.$_SESSION['phpCAS']['pgt'].'\') but username is empty');
+ // unset all tickets to enforce authentication
+ unset($_SESSION['phpCAS']);
+ $this->setST('');
+ $this->setPT('');
+ } else {
+ phpCAS::trace('neither user not PGT found');
+ }
+ } else {
+ // `simple' CAS client (not a proxy): username must be present
+ if ( $this->isSessionAuthenticated() ) {
+ // authentication already done
+ $this->setUser($_SESSION['phpCAS']['user']);
+ if(isset($_SESSION['phpCAS']['attributes'])){
+ $this->setAttributes($_SESSION['phpCAS']['attributes']);
+ }
+ phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\'');
+ $auth = TRUE;
+ } else {
+ phpCAS::trace('no user found');
+ }
+ }