auth/cas: MDL-25062 CAS authentication plugin does not validate the C…

…AS server certificate The CAS protocol security model requires that you verify the cas server certificate before you trust the answer (valid authentication and username etc.). Credit goes to Joachim Fritschi for reporting it and providing a patch.
moodle · Nov 18, 2010 · d2bdcac · d2bdcac
1 parent 9afe740
commit d2bdcac
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 8 deletions.
diff --git a/auth/cas/auth.php b/auth/cas/auth.php
@@ -114,8 +114,12 @@ function loginpage_hook() {
 // Connection to CAS server
 	 $this->connectCAS();
 
-     // Don't try to validate the server SSL credentials
-     phpCAS::setNoCasServerValidation();
+     if($this->config->certificate_check && $this->config->certificate_path){
+         phpCAS::setCasServerCACert($this->config->certificate_path);
+     }else{
+         // Don't try to validate the server SSL credentials
+         phpCAS::setNoCasServerValidation();
+     }
 
 	  // Gestion de la connection CAS si acc�s direct d'un ent ou autre	 
 	 if (phpCAS::checkAuthentication()) {
@@ -244,6 +248,10 @@ function process_config($config) {
             $config->logoutcas = '';
         if (!isset ($config->multiauth))
             $config->multiauth = '';
+        if (!isset ($config->certificate_check))
+            $config->certificate_check = '';
+        if (!isset ($config->certificate_path))
+            $config->certificate_path = '';
         // LDAP settings
         if (!isset($config->host_url))
             { $config->host_url = ''; }
@@ -286,6 +294,8 @@ function process_config($config) {
         set_config('proxycas',     $config->proxycas,     'auth/cas');
         set_config('logoutcas',     $config->logoutcas,     'auth/cas');
         set_config('multiauth',     $config->multiauth,     'auth/cas');
+        set_config('certificate_check',     $config->certificate_check,     'auth/cas');
+        set_config('certificate_path',     $config->certificate_path,     'auth/cas');
         // save LDAP settings
         set_config('host_url', $config->host_url, 'auth/cas');
         set_config('ldapencoding', $config->ldapencoding, 'auth/cas');

diff --git a/auth/cas/config.html b/auth/cas/config.html
@@ -48,6 +48,14 @@
 
         $config->multiauth = '';
 
+    if (!isset ($config->certificate_check)) 
+
+        $config->certificate_check = '';
+
+    if (!isset ($config->certificate_path))
+
+        $config->certificate_path = '';
+
   // set to defaults if undefined (LDAP)
 
     if (!isset($config->host_url))
@@ -134,7 +142,7 @@
 
 
 
-<table cellspacing="0" cellpadding="5" border="0" align="center">
+<table cellspacing="0" cellpadding="5" border="0">
 
 
 
@@ -364,6 +372,44 @@ <h4><?php print_string('auth_cas_server_settings', 'auth') ?> </h4>
 
 
 
+<tr valign="top"  class="required">
+
+    <td align="right"><?php print_string('auth_cas_certificate_check_key', 'auth') ?>:</td>
+
+    <td>
+
+        <?php choose_from_menu ($yesno, 'certificate_check', $config->certificate_check, ''); ?>
+
+    </td>
+
+    <td><?php print_string('auth_cas_certificate_check', 'auth') ?></td>
+
+</tr>
+
+
+
+<tr valign="top" class="required">
+
+    <td align="right"><?php print_string('auth_cas_certificate_path_key', 'auth') ?>:</td>
+
+    <td>
+
+        <input name="certificate_path" type="text" size="30" value="<?php echo $config->certificate_path ?>" />
+
+        <?php if (isset($err['certificate_path'])) formerr($err['certificate_path']); ?>
+
+    </td>
+
+    <td>
+
+        <?php print_string('auth_cas_certificate_path', 'auth') ?>
+
+    </td>
+
+</tr>
+
+
+
 <tr>
 
    <td colspan="2">
@@ -722,7 +768,7 @@ <h4><?php print_string('coursecreators') ?> </h4>
 
 <tr valign="top" class="required">
 
-        <td align="right"><label for="attrcreators_key"><?php print_string('auth_ldap_attrcreators_key','auth') ?></label></td>
+        <td align="right"><label for="attrcreators"><?php print_string('auth_ldap_attrcreators_key','auth') ?></label></td>
 
         <td>
 
@@ -742,7 +788,7 @@ <h4><?php print_string('coursecreators') ?> </h4>
 
 <tr valign="top" class="required">
 
-        <td align="right"><label for="groupecreators_key"><?php print_string('auth_ldap_groupecreators_key','auth') ?></label></td>
+        <td align="right"><label for="groupecreators"><?php print_string('auth_ldap_groupecreators_key','auth') ?></label></td>
 
         <td>
 

diff --git a/lang/en_utf8/auth.php b/lang/en_utf8/auth.php
@@ -4,9 +4,13 @@
 $string['auth_cas_proxycas_key'] = "Proxy mode";
 $string['auth_cas_logoutcas_key'] = "Logout CAS";
 $string['auth_cas_multiauth_key'] = "Multi-authentication";
-$string['auth_cas_proxycas'] = "Turn this to 'yes'' if you use CASin proxy-mode";
-$string['auth_cas_logoutcas'] = "Turn this to 'yes'' if tou want to logout from CAS when you deconnect from Moodle";
-$string['auth_cas_multiauth'] = "Turn this to 'yes'' if you want to have multi-authentication (CAS + other authentication)";
+$string['auth_cas_certificate_check_key'] = "Server validation";
+$string['auth_cas_certificate_path_key'] = "Certificate path";
+$string['auth_cas_proxycas'] = "Turn this to ''yes'' if you use CASin proxy-mode";
+$string['auth_cas_logoutcas'] = "Turn this to ''yes'' if tou want to logout from CAS when you deconnect from Moodle";
+$string['auth_cas_multiauth'] = "Turn this to ''yes'' if you want to have multi-authentication (CAS + other authentication)";
+$string['auth_cas_certificate_check'] = "Turn this to ''yes'' if you want to validate the server certificate";
+$string['auth_cas_certificate_path'] = "Path of the CA chain file (PEM Format) to validate the server certificate";
 $string['accesCAS'] = "CAS users";
 $string['accesNOCAS'] = "other users";
 $string['CASform'] = "Authentication choice";