<?php
/** DomFramework
 * @package domframework
 * @author Dominique Fournier <dominique@fournier38.fr>
 * @license BSD
 */
namespace Domframework;
/** User authentication against Shibboleth */
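class Authshibboleth extends Auth
{
    /** The Lastname parameter returned by Shibboleth server */
    public $lastnameParam = "sn";

    /** The Firstname parameter returned by Shibboleth server */
    public $firstnameParam = "givenName";

    /** The mail parameter returned by Shibboleth server */
    public $mailParam = "mail";

    /** The others parameters returned by Shibboleth server, copied into the
        details when present in $_SERVER */
    public $otherFields = array("ou", "o");

    /** The optional URL use to authenticate the users */
    public $urlAuthentificated = "";

    /** The optional URL to disconnect the users */
    public $urlLogout = "";

    /** The optional URL to change the user password */
    public $urlPasswd = "";

    /** No connection to shibboleth : the attributes are already provided by
        the Shibboleth SP module in $_SERVER
        @return bool Always true */
    public function connect()
    {
        return true;
    }

    /** Try to authenticate the email/password of the user.
        With Shibboleth the credentials are checked by the IDP, so $password
        is never used here : the user is authenticated when the SP exposed
        the mail attribute. Otherwise the user is redirected to
        $urlAuthentificated when it is configured, and an exception is thrown.
        @param string $email Email to authenticate (only used in the message)
        @param string $password Password to authenticate (unused)
        @throws \Exception code 401 when the mail attribute is not available */
    public function authentication($email, $password)
    {
        // Same attribute name as getdetails() : the hard-coded "mail" key
        // ignored a customised $mailParam and made both methods disagree.
        // The key is read as a server variable ($_SERVER["mail"]), not as a
        // HTTP_* request header, so it is expected to be set by the web
        // server module and not by the client request.
        if ($this->serverValue($this->mailParam) !== null) {
            return;
        }
        if ($this->urlAuthentificated !== "") {
            $route = new Route();
            $route->redirect($this->urlAuthentificated);
        }
        // Reached when no authentication URL is configured (or if redirect()
        // returns instead of stopping the script)
        throw new \Exception("Unable to authenticate user '$email'", 401);
    }

    /** Return all the parameters recorded for the authenticate user
        @return array lastname/firstname/email, plus each $otherFields entry
                present in $_SERVER. Without mail attribute an "anonymous"
                record is returned. */
    public function getdetails()
    {
        if ($this->serverValue($this->mailParam) === null) {
            return array("lastname" => "anonymous",
                         "firstname" => "",
                         "email" => "anonymous");
        }
        // Name attributes may be absent even when the mail one is present :
        // read them through serverValue() to get null instead of an
        // undefined index notice
        $res = array("lastname" => $this->serverValue($this->lastnameParam),
                     "firstname" => $this->serverValue($this->firstnameParam),
                     "email" => $_SERVER[$this->mailParam]);
        foreach ($this->otherFields as $field) {
            if (array_key_exists($field, $_SERVER)) {
                $res[$field] = $_SERVER[$field];
            }
        }
        return $res;
    }

    /** Method to change the password : unavailable in Shibboleth auth, the
        user is redirected to $urlPasswd when it is configured
        @param string $oldpassword The old password (unused : the IDP checks
               the rights to change the password)
        @param string $newpassword The new password to be recorded (unused)
        @throws \Exception code 405 when no password URL is configured */
    public function changepassword($oldpassword, $newpassword)
    {
        // Redirect to Shibboleth IDP. The declared property is $urlPasswd :
        // the previous $this->urlPasswdChange was undefined, so the redirect
        // could never happen and this method always threw
        if ($this->urlPasswd === "") {
            throw new \Exception(
                dgettext(
                    "domframework",
                    "The password can't be change for Shibboleth users"
                ),
                405
            );
        }
        $route = new Route();
        $route->redirect($this->urlPasswd);
    }

    /** Method to overwrite the password (without oldpassword check)
        Must be reserved to the administrators. For the users, use changepassword
        method. Never possible with Shibboleth : the IDP owns the passwords.
        @param string $email the user identifier to select (unused)
        @param string $newpassword The new password to be recorded (unused)
        @throws \Exception always, code 405 */
    public function overwritepassword($email, $newpassword)
    {
        throw new \Exception(
            dgettext(
                "domframework",
                "The password can't be overwrite for Shibboleth users"
            ),
            405
        );
    }

    /** Remove the information from the session by redirecting the user to
        the Shibboleth logout URL
        @throws \Exception code 405 when no logout URL is configured */
    public function logout()
    {
        // Redirect to Shibboleth IDP
        if ($this->urlLogout === "") {
            throw new \Exception(dgettext(
                "domframework",
                "Shibboleth is not configured to allow logout"
            ), 405);
        }
        $route = new Route();
        $route->redirect($this->urlLogout);
    }

    /** Read one attribute exposed by the Shibboleth SP in $_SERVER
        @param string $key The attribute name (server variable name)
        @return string|null The value, or null when the attribute is absent */
    private function serverValue($key)
    {
        return isset($_SERVER[$key]) ? $_SERVER[$key] : null;
    }
}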