From 29f00955071e419842541be069671520dc2e4e51 Mon Sep 17 00:00:00 2001
From: Clayton Maxwell
Date: Fri, 9 Dec 2016 10:22:06 -0500
Subject: [PATCH] modifed shib
---
 library/Ot/Auth/Adapter/Shib.php | 225 +++++++++++++++++++++++++------
 1 file changed, 182 insertions(+), 43 deletions(-)
diff --git a/library/Ot/Auth/Adapter/Shib.php b/library/Ot/Auth/Adapter/Shib.php
index 5c5e7e3..a7904f2 100644
--- a/library/Ot/Auth/Adapter/Shib.php
+++ b/library/Ot/Auth/Adapter/Shib.php
@@ -1,105 +1,244 @@
+ * @author Garrison Locke
+ * @see http://itdapps.ncsu.edu
+ * @version SVN: $Id: WrapAuth.php 175 2007-04-17 18:25:58Z jfaustin@EOS.NCSU.EDU $
 */
 /**
- * This adapter users the Shib authentication mechanism that is provided on campus
+ * This adapter users the WRAP authentication mechanism that is provided on campus
 * webservers at NC State. The default username and password passed to the constructor
 * are blank because WRAP handles the kerberos authentication to ensure the user is
 * an NCSU user.
 *
 * @package Ot_Auth_Adapter_Wrap
- * @category Authentication Adapter
- * @copyright Copyright (c) 2007 NC State University Office of
- * Information Technology
+ * @category Authenticaiton Adapter
+ * @see http://shib.ncsu.edu/
+ * @copyright Copyright (c) 2007 NC State University Information Technology Division
+ *
 */
-
-use NCSU\Auth\AuthService,
- NCSU\Auth\Http\Request,
- NCSU\Auth\Adapter\ShibAuthAdapter;
-
 class Ot_Auth_Adapter_Shib implements Zend_Auth_Adapter_Interface, Ot_Auth_Adapter_Interface
 {
+ /**
+ * Shib IDP string template
+ *
+ * @var string
+ */
+ const IDP_TEMPLATE = '%s/Shibboleth.sso/Login?target=%s';
+
+ /**
+ * Name of application. Used for Shib authentication
+ *
+ * @var string
+ */
+ #const APPLICATION = 'cyclone/login';
+ const APPLICATION = 'login';
+
+ /**
+ * Username of the user to authenticate
+ *
+ * @var string
+ */
+ protected $_username = '';
+
+ /**
+ * Password of the user to authenticate
+ *
+ * @var string
+ */
+ protected $_password = '';
+
+ /**
+ * Constant for default username for auto-login
+ *
+ */
+ const defaultUsername = '';
+
+ /**
+ * Constant for default password for auto-login
+ *
+ */
+ const defaultPassword = '';
+
 /**
 * Authenticates the user passed by the constructor, however in this case we
- * user the Shib server variable "UNITY USERID" to get this appropriate username.
+ * user the WRAP server variable "WRAP_USERID" to get this appropriate username.
 *
 * @return new Zend_Auth_Result object
 */
 public function authenticate()
 {
- $request = Request::createFromGlobals();
+ //$session = new Zend_Session_Namespace('ot_auth_adapter_shib');
+
+ if (!$this->hasShibbolethSession()) {
+ header(sprintf("Location: %s", $this->resolveLoginUriFromTemplate()));
+ exit();
+ }
+
+ // Technically, this is not specific enough. This is being done as a non-BC change
+ // to allow previous WRAP users to not have to re-identify users with correct scopes.
+ $username = $this->getShibbolethIdentifierFromEnvironment();
- $shibAuthAdapter = new ShibAuthAdapter($request);
- $service = new AuthService($shibAuthAdapter);
+ if (empty($username)) {
+ return new Zend_Auth_Result(false, $username, array());
+ }
- $result = $service->authenticate();
+ $class = new stdClass();
+ $class->username = $username;
+ $class->realm = 'wrap';
+ error_log('username '.$username);
+ //$session->authed = serialize($class);
- if ($result->isValid()) {
- $class = new stdClass();
- $class->username = $result->getIdentity();
- $class->realm = 'wrap';
+ return new Zend_Auth_Result(true, $class, array());
+ }
- return new Zend_Auth_Result(true, $class, array());
- } else {
- echo "Failed to authenticate!";
+ /**
+ * Returns Shib $_SERVER variable
+ *
+ * @return string|null
+ */
+ private function getShibbolethIdentifierFromEnvironment()
+ {
+ if (isset($_SERVER['SHIB_UID'])) {
+ return $_SERVER['SHIB_UID'];
 }
+ if (isset($_SERVER['REDIRECT_SHIB_UID'])) {
+ return $_SERVER['REDIRECT_SHIB_UID'];
+ }
+ return null;
+ }
+
+ /**
+ * @return string
+ */
+ private function resolveLoginUriFromTemplate()
+ {
+ return sprintf(self::IDP_TEMPLATE, $this->getHost(), $this->getCurrentUri());
+ //return sprintf(self::IDP_TEMPLATE, $this->getHost(), $cleanUri);
 }
 /**
- * Setup this adapter to autoLogin
+ * Checks if session already has Shib values
 *
 * @return boolean
 */
- public static function autoLogin()
+ private function hasShibbolethSession()
 {
- return true;
+ return 
isset($_SERVER['Shib-Session-ID']) ||
+ isset($_SERVER['Shib_Session_ID']) ||
+ isset($_SERVER['REDIRECT_Shib_Session_ID']);
 }
 /**
- * Logs the user out by removing all the Shib cookies that are created.
+ * Gets the current URL
 *
+ * @return string
 */
- public static function autoLogout()
+ protected function _getURL()
 {
+ $s = empty($_SERVER["HTTPS"]) ? '' : ($_SERVER["HTTPS"] == "on") ? "s" : "";
- foreach (array_keys($_COOKIE) as $name) {
- if (preg_match('/^WRAP.*/', $name)) {
+ $protocol = substr(
+ strtolower($_SERVER["SERVER_PROTOCOL"]), 0, strpos(strtolower($_SERVER["SERVER_PROTOCOL"]), "/")
+ ) . $s;
- // Set the expiration date to one hour ago
- setcookie($name, "", time() - 3600, "/", "ncsu.edu");
- }
- }
+ $port = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":".$_SERVER["SERVER_PORT"]);
+
+ return $protocol."://".$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI'];
+ }
+
+ /**
+ * Returns true if user is authenticated, false otherwise
+ *
+ * @return bool
+ */
+ private function isAuthenticated()
+ {
+ return $this->hasShibbolethSession();
 }
 /**
- * Flag to tell the app where the authenticaiton is managed
+ * Get the requested URI
 *
- * @return boolean
+ * @return string
 */
- public static function manageLocally()
+ private function getCurrentUri()
 {
- return false;
+ return sprintf(
+ '%s%s',
+ $this->getHost(),
+ $_SERVER['REQUEST_URI']
+ );
 }
+ /**
+ * Get requests server hostname
+ *
+ * @return string
+ */
+ private function getHost()
+ {
+ return sprintf(
+ 'http%s://%s',
+ (empty($_SERVER['HTTPS']) ? '' : 's'),
+ $_SERVER['SERVER_NAME']
+ );
+ }
+
+ /**
+ * Setup this adapter to autoLogin
+ *
+ * @return boolean
+ */
+ public static function autoLogin()
+ {
+ return true;
+ }
+
+ /**
+ * Logs the user out via the Shib IDP
+ *
+ */
+ public static function autoLogout()
+ {
+ $host = sprintf('http%s://%s', (empty($_SERVER['HTTPS']) ? '' : 's'), $_SERVER['SERVER_NAME']);
+ //header(sprintf("Location: %s", $host . '/' . 
self::APPLICATION));
+ //header(sprintf("Location: %s/Shibboleth.sso/Logout?return=%s", $host , $host. '/' . self::APPLICATION));
+ header(sprintf("Location: %s/Shibboleth.sso/Logout?return=%s", $host , "https://shib.ncsu.edu/idp/profile/Logout"));
+ //$session = new Zend_Session_Namespace('ot_auth_adapter_shib');
+ //$session->unsetAll();
+ exit();
+ }
+
+ /**
+ * Flag to tell the app where the authenticaiton is managed
+ *
+ * @return boolean
+ */
+ public static function manageLocally()
+ {
+ return false;
+ }
+
 /**
 * flag to tell the app whether a user can sign up or not
 *