From 7be2692c914604b69eb01f8ed46913ad75e38605 Mon Sep 17 00:00:00 2001
From: Dominique Fournier
Date: Fri, 22 Apr 2016 11:30:17 +0000
Subject: [PATCH] auth : Add Shibboleth support

git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@2702 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
---
 authparams.php | 8 ++++
 authshibboleth.php | 95 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+)
 create mode 100644 authshibboleth.php

diff --git a/authparams.php b/authparams.php
index d26f625..d8a013b 100644
--- a/authparams.php
+++ b/authparams.php
@@ -79,4 +79,12 @@ class authparams
     }
   }
 
+  /** Get the information from a shibboleth provider */
+  public function shibboleth ()
+  {
+    if (! isset ($_SERVER["Shib-Session-ID"]))
+      throw new Exception ("No Shibboleth information available", 401);
+    return array ("email"=>$_SERVER["mail"],
+                  "password"=>"NONE IN SHIBBOLETH");
+  }
 }
diff --git a/authshibboleth.php b/authshibboleth.php
new file mode 100644
index 0000000..8030d52
--- /dev/null
+++ b/authshibboleth.php
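Review bot: `shibboleth()` reads `$_SERVER["mail"]` after checking only `Shib-Session-ID`, so a session whose IdP did not release the `mail` attribute produces an undefined-index notice and an array with a null email instead of the 401 the guard is meant to give; extend the guard to `if (! isset ($_SERVER["Shib-Session-ID"], $_SERVER["mail"]))`. The attribute name is hard-coded here while authshibboleth.php makes it configurable through `$mailParam`, so the two classes can disagree on which attribute identifies the user. These values are only as trustworthy as the way the SP delivers them: with the usual environment-variable passing they cannot be supplied by the client, but in a header-based setup (`ShibUseHeaders`) a client-sent `mail` header can reach this code unless the SP or front end strips it, and a docblock sentence stating that the method assumes SP-provided environment variables would make the trust boundary explicit.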
@@ -0,0 +1,95 @@
+ */
+
+/** User authentication against Shibboleth */
+class authshibboleth extends auth
+{
+  /** The parameters returned by Shibboleth server */
+  public $lastnameParam = "sn";
+  public $firstnameParam = "givenname";
+  public $mailParam = "mail";
+  public $otherFields = array ("ou", "o");
+  public $urlAuthentificated = "";
+  public $urlLogout = "";
+  public $urlPasswd = "";
+
+  /** No connection to shibboleth */
+  public function connect ()
+  {
+    return TRUE;
+  }
+
+  /** Try to authenticate the email/password of the user
+      @param string $email Email to authenticate
+      @param string $password Password to authenticate */
+  public function authentication ($email, $password)
+  {
+    if (!isset ($_SERVER["mail"]))
+    {
+      if ($this->urlAuthentificated !== "")
+      {
+        $route = new route ();
+        $route->redirect ($this->urlAuthentificated);
+      }
+      throw new Exception ("Unable to authenticate user '$email'", 401);
+    }
+  }
+
+  /** Return all the parameters recorded for the authenticate user */
+  public function getdetails ()
+  {
+    if (! 
isset ($_SERVER[$this->mailParam]))
+      return array ("lastname"=>"anonymous",
+                    "firstname"=>"",
+                    "email"=>"anonymous");
+    $res = array ("lastname"=>$_SERVER[$this->lastnameParam],
+                  "firstname"=>$_SERVER[$this->firstnameParam],
+                  "email"=>$_SERVER[$this->mailParam]);
+    foreach ($this->otherFields as $field)
+    {
+      if (array_key_exists ($field, $_SERVER))
+        $res[$field] = $_SERVER[$field];
+    }
+    return $res;
+  }
+
+  /** Method to change the password : unavailable in SESSION auth
+      @param string $oldpassword The old password (to check if the user have the
+      rights to change the password)
+      @param string $newpassword The new password to be recorded */
+  public function changepassword ($oldpassword, $newpassword)
+  {
+    // Redirect to Shibboleth IDP
+    if ($this->urlPasswdChange == "")
+      throw new Exception (dgettext("domframework",
+                           "The password can't be change for Shibboleth users"),
+                           405);
+    $route = new route ();
+    $route->redirect ($this->urlPasswdChange);
+  }
+
+  /** Method to overwrite the password (without oldpassword check)
+      Must be reserved to the administrators. For the users, use changepassword
+      method
+      @param string $email the user identifier to select
+      @param string $newpassword The new password to be recorded */
+  public function overwritepassword ($email, $newpassword)
+  {
+    throw new exception (dgettext("domframework",
+                         "The password can't be overwrite for Shibboleth users"),
+                         405);
+  }
+
+  /** Remove the information from the session */
+  public function logout ()
+  {
+    // Redirect to Shibboleth IDP
+    if ($this->urlLogout === "")
+      throw new \Exception (_("Shibboleth is not configured to allow logout"),
+                            405);
+    $route = new route ();
+    $route->redirect ($this->urlLogout);
+  }
+}
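Review bot: `changepassword()` tests and redirects to `$this->urlPasswdChange`, but the class declares `$urlPasswd`, so the read is an undefined property that evaluates to null, `null == ""` is true, and the method always throws the 405 whatever the configuration says; either rename the property or change the two references to `if ($this->urlPasswd === "")` and `$route->redirect ($this->urlPasswd);`. `authentication()` has the related inconsistency of testing the hard-coded `$_SERVER["mail"]` while `getdetails()` honours `$this->mailParam`, so a deployment that changes `$mailParam` can never authenticate; use `if (!isset ($_SERVER[$this->mailParam]))` there. `getdetails()` also indexes `$_SERVER[$this->lastnameParam]` and `$_SERVER[$this->firstnameParam]` without the `array_key_exists` guard it applies to `$otherFields`, so a session that lacks `sn` or `givenname` raises notices and returns nulls. The docblock on `changepassword()` says "unavailable in SESSION auth", which appears copied from another backend and should describe the Shibboleth redirect instead.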