225 changes: 182 additions & 43 deletions library/Ot/Auth/Adapter/Shib.php
@@ -1,105 +1,244 @@
<?php
/**
* Cyclone
*
* LICENSE
*
* This source file is subject to the new BSD license that is bundled
* with this package in the file LICENSE.txt.
*
* This license is also available via the world-wide-web at
* http://itdapps.ncsu.edu/bsd.txt
* http://itdapps.ncsu.edu/billboard_bsd.txt
*
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to itappdev@ncsu.edu so we can send you a copy immediately.
*
* @package Ot_Auth_Adapter_Shib
* @category Authentication Adapter
* @copyright Copyright (c) 2007 NC State University Office of
* Information Technology
* @license http://itdapps.ncsu.edu/bsd.txt BSD License
* @version SVN: $Id: $
* @package Cyclone
* @category Authenticaiton Adapter
* @copyright Copyright (c) 2007 NC State University Information Technology Division
* @license http://itdapps.ncsu.edu/billboard_bsd.txt BSD License
* @author Jason Austin <jason_austin@ncsu.edu>
* @author Garrison Locke <garrison_locke@ncsu.edu>
* @see http://itdapps.ncsu.edu
* @version SVN: $Id: WrapAuth.php 175 2007-04-17 18:25:58Z jfaustin@EOS.NCSU.EDU $
*/

/**
* This adapter users the Shib authentication mechanism that is provided on campus
* This adapter users the WRAP authentication mechanism that is provided on campus
* webservers at NC State. The default username and password passed to the constructor
* are blank because WRAP handles the kerberos authentication to ensure the user is
* an NCSU user.
*
* @package Ot_Auth_Adapter_Wrap
* @category Authentication Adapter
* @copyright Copyright (c) 2007 NC State University Office of
* Information Technology
* @category Authenticaiton Adapter
* @see http://shib.ncsu.edu/
* @copyright Copyright (c) 2007 NC State University Information Technology Division
*
*/

use NCSU\Auth\AuthService,
NCSU\Auth\Http\Request,
NCSU\Auth\Adapter\ShibAuthAdapter;

class Ot_Auth_Adapter_Shib implements Zend_Auth_Adapter_Interface, Ot_Auth_Adapter_Interface
{
/**
* Shib IDP string template
*
* @var string
*/
const IDP_TEMPLATE = '%s/Shibboleth.sso/Login?target=%s';

/**
* Name of application. Used for Shib authentication
*
* @var string
*/
#const APPLICATION = 'cyclone/login';
const APPLICATION = 'login';

/**
* Username of the user to authenticate
*
* @var string
*/
protected $_username = '';

/**
* Password of the user to authenticate
*
* @var string
*/
protected $_password = '';

/**
* Constant for default username for auto-login
*
*/
const defaultUsername = '';

/**
* Constant for default password for auto-login
*
*/
const defaultPassword = '';

/**
* Authenticates the user passed by the constructor, however in this case we
* user the Shib server variable "UNITY USERID" to get this appropriate username.
* user the WRAP server variable "WRAP_USERID" to get this appropriate username.
*
* @return new Zend_Auth_Result object
*/
public function authenticate()
{
$request = Request::createFromGlobals();
//$session = new Zend_Session_Namespace('ot_auth_adapter_shib');

if (!$this->hasShibbolethSession()) {
header(sprintf("Location: %s", $this->resolveLoginUriFromTemplate()));
exit();
}

// Technically, this is not specific enough. This is being done as a non-BC change
// to allow previous WRAP users to not have to re-identify users with correct scopes.
$username = $this->getShibbolethIdentifierFromEnvironment();

$shibAuthAdapter = new ShibAuthAdapter($request);
$service = new AuthService($shibAuthAdapter);
if (empty($username)) {
return new Zend_Auth_Result(false, $username, array());
}

$result = $service->authenticate();
$class = new stdClass();
$class->username = $username;
$class->realm = 'wrap';
error_log('username '.$username);
//$session->authed = serialize($class);

if ($result->isValid()) {
$class = new stdClass();
$class->username = $result->getIdentity();
$class->realm = 'wrap';
return new Zend_Auth_Result(true, $class, array());
}

return new Zend_Auth_Result(true, $class, array());
} else {
echo "Failed to authenticate!";
/**
* Returns Shib $_SERVER variable
*
* @return string|null
*/
private function getShibbolethIdentifierFromEnvironment()
{
if (isset($_SERVER['SHIB_UID'])) {
return $_SERVER['SHIB_UID'];
}
if (isset($_SERVER['REDIRECT_SHIB_UID'])) {
return $_SERVER['REDIRECT_SHIB_UID'];
}
return null;
}

/**
* @return string
*/
private function resolveLoginUriFromTemplate()
{
return sprintf(self::IDP_TEMPLATE, $this->getHost(), $this->getCurrentUri());
//return sprintf(self::IDP_TEMPLATE, $this->getHost(), $cleanUri);
}

/**
* Setup this adapter to autoLogin
* Checks if session already has Shib values
*
* @return boolean
*/
public static function autoLogin()
private function hasShibbolethSession()
{
return true;
return isset($_SERVER['Shib-Session-ID']) ||
isset($_SERVER['Shib_Session_ID']) ||
isset($_SERVER['REDIRECT_Shib_Session_ID']);
}

/**
* Logs the user out by removing all the Shib cookies that are created.
* Gets the current URL
*
* @return string
*/
public static function autoLogout()
protected function _getURL()
{
$s = empty($_SERVER["HTTPS"]) ? '' : ($_SERVER["HTTPS"] == "on") ? "s" : "";

foreach (array_keys($_COOKIE) as $name) {
if (preg_match('/^WRAP.*/', $name)) {
$protocol = substr(
strtolower($_SERVER["SERVER_PROTOCOL"]), 0, strpos(strtolower($_SERVER["SERVER_PROTOCOL"]), "/")
) . $s;

// Set the expiration date to one hour ago
setcookie($name, "", time() - 3600, "/", "ncsu.edu");
}
}
$port = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":".$_SERVER["SERVER_PORT"]);

return $protocol."://".$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI'];
}

/**
* Returns true if user is authenticated, false otherwise
*
* @return bool
*/
private function isAuthenticated()
{
return $this->hasShibbolethSession();
}

/**
* Flag to tell the app where the authenticaiton is managed
* Get the requested URI
*
* @return boolean
* @return string
*/
public static function manageLocally()
private function getCurrentUri()
{
return false;
return sprintf(
'%s%s',
$this->getHost(),
$_SERVER['REQUEST_URI']
);
}

/**
* Get requests server hostname
*
* @return string
*/
private function getHost()
{
return sprintf(
'http%s://%s',
(empty($_SERVER['HTTPS']) ? '' : 's'),
$_SERVER['SERVER_NAME']
);
}

/**
* Setup this adapter to autoLogin
*
* @return boolean
*/
public static function autoLogin()
{
return true;
}

/**
* Logs the user out via the Shib IDP
*
*/
public static function autoLogout()
{
$host = sprintf('http%s://%s', (empty($_SERVER['HTTPS']) ? '' : 's'), $_SERVER['SERVER_NAME']);
//header(sprintf("Location: %s", $host . '/' . self::APPLICATION));
//header(sprintf("Location: %s/Shibboleth.sso/Logout?return=%s", $host , $host. '/' . self::APPLICATION));
header(sprintf("Location: %s/Shibboleth.sso/Logout?return=%s", $host , "https://shib.ncsu.edu/idp/profile/Logout"));
//$session = new Zend_Session_Namespace('ot_auth_adapter_shib');
//$session->unsetAll();
exit();
}

/**
* Flag to tell the app where the authenticaiton is managed
*
* @return boolean
*/
public static function manageLocally()
{
return false;
}

/**
* flag to tell the app whether a user can sign up or not
*