auth : Add Shibboleth support

git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@2702 bf3deb0d-5f1a-0410-827f-c0cc1f45334c

authparams.php

@@ -79,4 +79,12 @@ class authparams
     }
   }
 
+  /** Get the information from a shibboleth provider */
+  public function shibboleth ()
+  {
+    if (! isset ($_SERVER["Shib-Session-ID"]))
+      throw new Exception ("No Shibboleth information available", 401);
+    return array ("email"=>$_SERVER["mail"],
+                  "password"=>"NONE IN SHIBBOLETH");
+  }
 }

authshibboleth.php

@@ -0,0 +1,95 @@
+<?php
+/** DomFramework
+    @package domframework
+    @author Dominique Fournier <dominique@fournier38.fr> */
+
+/** User authentication against Shibboleth */
+class authshibboleth extends auth
+{
+  /** The parameters returned by Shibboleth server */
+  public $lastnameParam = "sn";
+  public $firstnameParam = "givenname";
+  public $mailParam = "mail";
+  public $otherFields = array ("ou", "o");
+  public $urlAuthentificated = "";
+  public $urlLogout = "";
+  public $urlPasswd = "";
+
+  /** No connection to shibboleth */
+  public function connect ()
+  {
+    return TRUE;
+  }
+
+  /** Try to authenticate the email/password of the user
+      @param string $email Email to authenticate
+      @param string $password Password to authenticate */
+  public function authentication ($email, $password)
+  {
+    if (!isset ($_SERVER["mail"]))
+    {
+      if ($this->urlAuthentificated !== "")
+      {
+        $route = new route ();
+        $route->redirect ($this->urlAuthentificated);
+      }
+      throw new Exception ("Unable to authenticate user '$email'", 401);
+    }
+  }
+
+  /** Return all the parameters recorded for the authenticate user */
+  public function getdetails ()
+  {
+    if (! isset ($_SERVER[$this->mailParam]))
+      return array ("lastname"=>"anonymous",
+                    "firstname"=>"",
+                    "email"=>"anonymous");
+    $res = array ("lastname"=>$_SERVER[$this->lastnameParam],
+                  "firstname"=>$_SERVER[$this->firstnameParam],
+                  "email"=>$_SERVER[$this->mailParam]);
+    foreach ($this->otherFields as $field)
+    {
+      if (array_key_exists ($field, $_SERVER))
+        $res[$field] = $_SERVER[$field];
+    }
+    return $res;
+  }
+
+  /** Method to change the password : unavailable in SESSION auth
+      @param string $oldpassword The old password (to check if the user have the
+         rights to change the password)
+      @param string $newpassword The new password to be recorded */
+  public function changepassword ($oldpassword, $newpassword)
+  {
+    // Redirect to Shibboleth IDP
+    if ($this->urlPasswdChange == "")
+      throw new Exception (dgettext("domframework", 
+                           "The password can't be change for Shibboleth users"),
+                           405);
+    $route = new route ();
+    $route->redirect ($this->urlPasswdChange);
+  }
+
+  /** Method to overwrite the password (without oldpassword check)
+      Must be reserved to the administrators. For the users, use changepassword
+      method
+      @param string $email the user identifier to select
+      @param string $newpassword The new password to be recorded */
+  public function overwritepassword ($email, $newpassword)
+  {
+    throw new exception (dgettext("domframework",
+                        "The password can't be overwrite for Shibboleth users"),
+                         405);
+  }
+
+  /** Remove the information from the session */
+  public function logout ()
+  {
+    // Redirect to Shibboleth IDP
+    if ($this->urlLogout === "")
+      throw new \Exception (_("Shibboleth is not configured to allow logout"),
+                            405);
+    $route = new route ();
+    $route->redirect ($this->urlLogout);
+  }
+}