
auth/cas: MDL-25062 CAS authentication plugin does not validate the C…

…AS server certificate

The CAS protocol security model requires that the CAS server certificate be verified before the server's answer (a valid authentication, the username, etc.) is trusted.

Credit goes to Joachim Fritschi for reporting it and providing a patch.
1 parent 9afe740 commit d2bdcac8a917c132d1c86108943c2c9830f3b5f6 @iarenaza iarenaza committed Nov 18, 2010
Showing with 68 additions and 8 deletions.
  1. +12 −2 auth/cas/auth.php
  2. +49 −3 auth/cas/config.html
  3. +7 −3 lang/en_utf8/auth.php
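--- a/auth/cas/auth.php
+++ b/auth/cas/auth.php
@@ -114,8 +114,12 @@ function loginpage_hook() {
 // Connection to CAS server
 $this->connectCAS();
- // Don't try to validate the server SSL credentials
- phpCAS::setNoCasServerValidation();
+ if($this->config->certificate_check && $this->config->certificate_path){
+ phpCAS::setCasServerCACert($this->config->certificate_path);
+ }else{
+ // Don't try to validate the server SSL credentials
+ phpCAS::setNoCasServerValidation();
+ }
 // Gestion de la connection CAS si acc�s direct d'un ent ou autre
 if (phpCAS::checkAuthentication()) {
@@ -244,6 +248,10 @@ function process_config($config) {
 $config->logoutcas = '';
 if (!isset ($config->multiauth))
 $config->multiauth = '';
+ if (!isset ($config->certificate_check))
+ $config->certificate_check = '';
+ if (!isset ($config->certificate_path))
+ $config->certificate_path = '';
 // LDAP settings
 if (!isset($config->host_url))
 { $config->host_url = ''; }
@@ -286,6 +294,8 @@ function process_config($config) {
 set_config('proxycas', $config->proxycas, 'auth/cas');
 set_config('logoutcas', $config->logoutcas, 'auth/cas');
 set_config('multiauth', $config->multiauth, 'auth/cas');
+ set_config('certificate_check', $config->certificate_check, 'auth/cas');
+ set_config('certificate_path', $config->certificate_path, 'auth/cas');
 // save LDAP settings
 set_config('host_url', $config->host_url, 'auth/cas');
 set_config('ldapencoding', $config->ldapencoding, 'auth/cas');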
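Review bot: In the first hunk of auth.php, enabling certificate_check while certificate_path is empty takes the else branch and calls phpCAS::setNoCasServerValidation(), so a misconfigured setting silently disables the very validation this commit introduces. The plugin should fail closed: only an explicit certificate_check = off should skip validation, and an enabled check with no CA file should stop with a configuration error before phpCAS::checkAuthentication() runs. The later process_config hunks accept that same check-on/path-empty combination without complaint and simply store ''. loginpage_hook continues outside the hunk.
```php
$this->connectCAS();
if ($this->config->certificate_check) {
    // Fail closed: an enabled check with no CA file must not fall back to "no validation".
    if (empty($this->config->certificate_path)) {
        print_error('<lang string id for missing CA file>', 'auth');
    }
    phpCAS::setCasServerCACert($this->config->certificate_path);
} else {
    // Don't try to validate the server SSL credentials
    phpCAS::setNoCasServerValidation();
}
// … unchanged: phpCAS::checkAuthentication() handling …
```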
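--- a/auth/cas/config.html
+++ b/auth/cas/config.html
@@ -48,6 +48,14 @@
 $config->multiauth = '';
+ if (!isset ($config->certificate_check))
+
+ $config->certificate_check = '';
+
+ if (!isset ($config->certificate_path))
+
+ $config->certificate_path = '';
+
 // set to defaults if undefined (LDAP)
 if (!isset($config->host_url))
@@ -134,7 +142,7 @@
-<table cellspacing="0" cellpadding="5" border="0" align="center">
+<table cellspacing="0" cellpadding="5" border="0">
@@ -364,6 +372,44 @@
+<tr valign="top" class="required">
+
+ <td align="right"><?php print_string('auth_cas_certificate_check_key', 'auth') ?>:</td>
+
+ <td>
+
+ <?php choose_from_menu ($yesno, 'certificate_check', $config->certificate_check, ''); ?>
+
+ </td>
+
+ <td><?php print_string('auth_cas_certificate_check', 'auth') ?></td>
+
+</tr>
+
+
+
+<tr valign="top" class="required">
+
+ <td align="right"><?php print_string('auth_cas_certificate_path_key', 'auth') ?>:</td>
+
+ <td>
+
+ <input name="certificate_path" type="text" size="30" value="<?php echo $config->certificate_path ?>" />
+
+ <?php if (isset($err['certificate_path'])) formerr($err['certificate_path']); ?>
+
+ </td>
+
+ <td>
+
+ <?php print_string('auth_cas_certificate_path', 'auth') ?>
+
+ </td>
+
+</tr>
+
+
+
 <tr>
 <td colspan="2">
@@ -722,7 +768,7 @@
 <tr valign="top" class="required">
- <td align="right"><label for="attrcreators_key"><?php print_string('auth_ldap_attrcreators_key','auth') ?></label></td>
+ <td align="right"><label for="attrcreators"><?php print_string('auth_ldap_attrcreators_key','auth') ?></label></td>
 <td>
@@ -742,7 +788,7 @@
 <tr valign="top" class="required">
- <td align="right"><label for="groupecreators_key"><?php print_string('auth_ldap_groupecreators_key','auth') ?></label></td>
+ <td align="right"><label for="groupecreators"><?php print_string('auth_ldap_groupecreators_key','auth') ?></label></td>
 <td>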
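Review bot: The new certificate_path input in the third hunk of config.html echoes the stored value straight into an HTML attribute (`value="<?php echo $config->certificate_path ?>"`); it should go through Moodle's attribute escaper, `value="<?php p($config->certificate_path) ?>"`, so a path containing a quote cannot break out of the attribute. The same row prints `$err['certificate_path']`, but nothing in this commit sets that key, so a check that the configured CA file exists and is readable appears to be missing from the plugin's form validation (not visible in the diff). Unlike the two label fixes at the end of the file, the new input has no id and no `<label for>` pairing.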
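--- a/lang/en_utf8/auth.php
+++ b/lang/en_utf8/auth.php
@@ -4,9 +4,13 @@
 $string['auth_cas_proxycas_key'] = "Proxy mode";
 $string['auth_cas_logoutcas_key'] = "Logout CAS";
 $string['auth_cas_multiauth_key'] = "Multi-authentication";
-$string['auth_cas_proxycas'] = "Turn this to 'yes'' if you use CASin proxy-mode";
-$string['auth_cas_logoutcas'] = "Turn this to 'yes'' if tou want to logout from CAS when you deconnect from Moodle";
-$string['auth_cas_multiauth'] = "Turn this to 'yes'' if you want to have multi-authentication (CAS + other authentication)";
+$string['auth_cas_certificate_check_key'] = "Server validation";
+$string['auth_cas_certificate_path_key'] = "Certificate path";
+$string['auth_cas_proxycas'] = "Turn this to ''yes'' if you use CASin proxy-mode";
+$string['auth_cas_logoutcas'] = "Turn this to ''yes'' if tou want to logout from CAS when you deconnect from Moodle";
+$string['auth_cas_multiauth'] = "Turn this to ''yes'' if you want to have multi-authentication (CAS + other authentication)";
+$string['auth_cas_certificate_check'] = "Turn this to ''yes'' if you want to validate the server certificate";
+$string['auth_cas_certificate_path'] = "Path of the CA chain file (PEM Format) to validate the server certificate";
 $string['accesCAS'] = "CAS users";
 $string['accesNOCAS'] = "other users";
 $string['CASform'] = "Authentication choice";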
