00001 <?php
// Status codes stored in ShibAuth::$status.
// Session was ended because the idle limit was exceeded (set in checkAuth()).
define('AUTH_IDLED',       -1);
// Session was ended because the absolute lifetime was exceeded (set in checkAuth()).
define('AUTH_EXPIRED',     -2);
// No usable Shibboleth login attribute was present (set in login()).
define('AUTH_WRONG_LOGIN', -3);
00028
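/**
 * Session-backed authentication state for Shibboleth single sign-on.
 *
 * The identity is not verified here: login() takes user attributes from
 * $_SERVER entries whose key names come from ILIAS settings ("shib_*") and
 * creates or updates the matching ilObjUser. The authenticated state itself
 * lives in the PHP session under $_sessionName.
 *
 * NOTE(review): every attribute read from $_SERVER is treated as asserted by
 * the identity provider. That only holds if the web server guarantees that a
 * client cannot supply these keys itself (for example as request headers);
 * confirm this in the deployment, because nothing in this class can check it.
 */
class ShibAuth
{
    /** User name; within this class it is only ever reset to '' by logout(). */
    var $username;

    /** Key inside the session array under which the auth data is kept. */
    var $_sessionName = '_authsession';

    /** Last status code (AUTH_IDLED, AUTH_EXPIRED, AUTH_WRONG_LOGIN) or '' if none. */
    var $status = '';

    /** Absolute session lifetime in seconds, measured from setAuth(); 0 disables the check. */
    var $expire = 0;

    /** Maximum idle time in seconds between two checkAuth() calls; 0 disables the check. */
    var $idle = 0;

    /** True once checkAuth() has ended the session because of the idle limit. */
    var $idled = false;

    /** True once checkAuth() has ended the session because of the lifetime limit. */
    var $expired = false;

    /** Flag handed to the constructor; it is stored but not read inside this class. */
    var $updateUserData = false;

    /**
     * Store the options for this authentication object.
     *
     * @param array $authParams     Options; only 'sessionName' is evaluated.
     * @param bool  $updateUserData Stored in $updateUserData.
     */
    function __construct($authParams, $updateUserData = false)
    {
        $this->updateUserData = $updateUserData;

        if (!empty($authParams['sessionName'])) {
            $this->_sessionName = $authParams['sessionName'];
        }
    }

    /**
     * Old-style constructor name, kept so existing explicit calls still work.
     * Newer PHP versions no longer treat a method named like the class as
     * the constructor, which is why __construct() exists as well.
     *
     * @param array $authParams     See __construct().
     * @param bool  $updateUserData See __construct().
     */
    function ShibAuth($authParams, $updateUserData = false)
    {
        $this->__construct($authParams, $updateUserData);
    }

    /**
     * Tell whether the session is flagged as authenticated.
     *
     * Only the 'registered' flag is inspected; the expire and idle limits
     * are enforced by checkAuth(), not here.
     *
     * @return bool
     */
    function getAuth()
    {
        $session = &$this->_importGlobalVariable('session');

        return !empty($session)
            && isset($session[$this->_sessionName]['registered'])
            && $session[$this->_sessionName]['registered'] === true;
    }

    /**
     * Set the idle limit.
     *
     * @param int  $time Seconds.
     * @param bool $add  Add to the current limit instead of replacing it.
     */
    function setIdle($time, $add = false)
    {
        if ($add) {
            $this->idle += $time;
        } else {
            $this->idle = $time;
        }
    }

    /**
     * Set the absolute session lifetime.
     *
     * @param int  $time Seconds.
     * @param bool $add  Add to the current lifetime instead of replacing it.
     */
    function setExpire($time, $add = false)
    {
        if ($add) {
            $this->expire += $time;
        } else {
            $this->expire = $time;
        }
    }

    /**
     * Validate the stored session against the expire and idle limits.
     *
     * An exceeded limit logs the session out and records AUTH_EXPIRED or
     * AUTH_IDLED in $status. A valid session gets its idle timestamp
     * refreshed.
     *
     * @return bool True only for a registered session with a non-empty user name.
     */
    function checkAuth()
    {
        $session = &$this->_importGlobalVariable('session');

        if (!isset($session[$this->_sessionName])) {
            return false;
        }

        // Snapshot for reading; logout() and updateIdle() write to the session itself.
        $auth = $session[$this->_sessionName];
        $now  = time();

        if ($this->expire > 0
            && isset($auth['timestamp'])
            && ($auth['timestamp'] + $this->expire) < $now) {
            $this->logout();
            $this->expired = true;
            $this->status  = AUTH_EXPIRED;

            return false;
        }

        if ($this->idle > 0
            && isset($auth['idle'])
            && ($auth['idle'] + $this->idle) < $now) {
            $this->logout();
            $this->idled  = true;
            $this->status = AUTH_IDLED;

            return false;
        }

        if (isset($auth['registered'])
            && isset($auth['username'])
            && $auth['registered'] == true
            && $auth['username'] != '') {
            // Was a static call to Auth::updateIdle(); that class is neither
            // defined nor included in this file, and a static call cannot act
            // on this object's session entry in current PHP versions.
            $this->updateIdle();

            return true;
        }

        return false;
    }

    /**
     * Record "now" as the time of the last activity; checkAuth() compares
     * this value against the idle limit.
     */
    function updateIdle()
    {
        $session = &$this->_importGlobalVariable('session');
        $session[$this->_sessionName]['idle'] = time();
    }

    /**
     * Start the PHP session and run the expire/idle checks once.
     */
    function start()
    {
        // Warnings are suppressed as before (e.g. a session that is already active).
        @session_start();

        // The result is deliberately ignored: a failed check does not trigger
        // a login here, but checkAuth() still logs out stale sessions.
        $this->checkAuth();
    }

    /**
     * Log the user in from the Shibboleth attributes in $_SERVER.
     *
     * An unknown login creates a new ilObjUser from the attributes; a known
     * login gets the attributes refreshed that the "shib_update_*" settings
     * enable. Without a usable login attribute, $status becomes
     * AUTH_WRONG_LOGIN and nothing else happens.
     *
     * The local variables $userObj, $newUser and $username stay visible to
     * the optional data conversion script, which is included in this scope.
     */
    function login()
    {
        global $ilias, $rbacadmin;

        $shibLogin = $this->_getShibAttribute('shib_login');
        if (empty($shibLogin)) {
            $this->status = AUTH_WRONG_LOGIN;
            return;
        }

        $username = $this->generateLogin();

        // generateLogin() yields nothing for an identifier that is blank after
        // trim(). Registering the session in that case would make getAuth()
        // report an authenticated session without a user, and an account with
        // an empty login would be created.
        if ($username === null || $username === false || (string) $username === '') {
            $this->status = AUTH_WRONG_LOGIN;
            return;
        }

        $this->setAuth($username);

        $userObj = new ilObjUser();

        $gender       = $this->_getShibAttribute('shib_gender');
        $updateGender = $ilias->getSetting('shib_update_gender')
            && ($gender === 'm' || $gender === 'f');

        // NOTE(review): this file is executed as PHP with full access to the
        // user object, so whoever can change the 'shib_data_conv' setting can
        // run code in the login path. Restrict who may edit that setting.
        $dataConv = $ilias->getSetting('shib_data_conv');

        if (!ilObjUser::getUserIdByLogin($username)) {
            // Unknown login: create the account from the attributes.
            $newUser = array();
            $newUser["firstname"] = $this->getFirstString($this->_getShibAttribute('shib_firstname'));
            $newUser["lastname"]  = $this->getFirstString($this->_getShibAttribute('shib_lastname'));
            $newUser["login"]     = $username;

            // Random placeholder password for an externally authenticated
            // account. NOTE(review): MD5 is a weak password hash; it is kept
            // because the passwd_type below declares exactly that format.
            $generated = ilUtil::generatePasswords(1);
            $newUser["passwd"]      = md5(end($generated));
            $newUser["passwd_type"] = IL_PASSWD_MD5;

            if ($updateGender) {
                $newUser["gender"] = $gender;
            }

            // Links the local account to the Shibboleth identifier.
            $newUser["ext_account"] = $shibLogin;

            $newUser["title"]         = $this->_getShibAttribute('shib_title');
            $newUser["institution"]   = $this->_getShibAttribute('shib_institution');
            $newUser["department"]    = $this->_getShibAttribute('shib_department');
            $newUser["street"]        = $this->_getShibAttribute('shib_street');
            $newUser["city"]          = $this->_getShibAttribute('shib_city');
            $newUser["zipcode"]       = $this->_getShibAttribute('shib_zipcode');
            $newUser["country"]       = $this->_getShibAttribute('shib_country');
            $newUser["phone_office"]  = $this->getFirstString($this->_getShibAttribute('shib_phone_office'));
            $newUser["phone_home"]    = $this->getFirstString($this->_getShibAttribute('shib_phone_home'));
            $newUser["phone_mobile"]  = $this->getFirstString($this->_getShibAttribute('shib_phone_mobile'));
            $newUser["fax"]           = $this->getFirstString($this->_getShibAttribute('shib_fax'));
            $newUser["matriculation"] = $this->_getShibAttribute('shib_matriculation');
            $newUser["email"]         = $this->getFirstString($this->_getShibAttribute('shib_email'));
            $newUser["hobby"]         = $this->_getShibAttribute('shib_hobby');
            $newUser["auth_mode"]     = "shibboleth";

            $userObj->assignData($newUser);
            $userObj->setTitle($userObj->getFullname());
            $userObj->setDescription($userObj->getEmail());
            $userObj->setLanguage($this->getFirstString($this->_getShibAttribute('shib_language')));

            // NOTE(review): the meaning of owner id 7 is not visible in this file.
            $userObj->setTimeLimitOwner(7);
            $userObj->setTimeLimitUnlimited(1);
            $userObj->setTimeLimitFrom(time());
            $userObj->setTimeLimitUntil(time());

            if ($dataConv && $dataConv != '' && is_readable($dataConv)) {
                include($dataConv);
            }

            $userObj->create();
            // NOTE(review): the second argument (6) is not explained in this file.
            $userObj->setActive(1, 6);
            $userObj->updateOwner();
            $userObj->saveAsNew();
            $userObj->writePrefs();

            $rbacadmin->assignUser($ilias->getSetting('shib_user_default_role'), $userObj->getId(), true);

            unset($userObj);
        } else {
            // Known login: refresh the stored profile.
            $userObj->checkUserId();
            $userObj->read();

            if ($updateGender) {
                $userObj->setGender($gender);
            }
            if ($ilias->getSetting('shib_update_title')) {
                $userObj->setTitle($this->_getShibAttribute('shib_title'));
            }

            // First and last name are refreshed on every login, without a setting.
            $userObj->setFirstname($this->getFirstString($this->_getShibAttribute('shib_firstname')));
            $userObj->setLastname($this->getFirstString($this->_getShibAttribute('shib_lastname')));
            $userObj->setFullname();

            if ($ilias->getSetting('shib_update_institution')) {
                $userObj->setInstitution($this->_getShibAttribute('shib_institution'));
            }
            if ($ilias->getSetting('shib_update_department')) {
                $userObj->setDepartment($this->_getShibAttribute('shib_department'));
            }
            if ($ilias->getSetting('shib_update_street')) {
                $userObj->setStreet($this->_getShibAttribute('shib_street'));
            }
            if ($ilias->getSetting('shib_update_city')) {
                $userObj->setCity($this->_getShibAttribute('shib_city'));
            }
            if ($ilias->getSetting('shib_update_zipcode')) {
                $userObj->setZipcode($this->_getShibAttribute('shib_zipcode'));
            }
            if ($ilias->getSetting('shib_update_country')) {
                $userObj->setCountry($this->_getShibAttribute('shib_country'));
            }
            if ($ilias->getSetting('shib_update_phone_office')) {
                $userObj->setPhoneOffice($this->getFirstString($this->_getShibAttribute('shib_phone_office')));
            }
            if ($ilias->getSetting('shib_update_phone_home')) {
                $userObj->setPhoneHome($this->getFirstString($this->_getShibAttribute('shib_phone_home')));
            }
            if ($ilias->getSetting('shib_update_phone_mobile')) {
                $userObj->setPhoneMobile($this->getFirstString($this->_getShibAttribute('shib_phone_mobile')));
            }
            if ($ilias->getSetting('shib_update_fax')) {
                // First value only, as on account creation.
                $userObj->setFax($this->getFirstString($this->_getShibAttribute('shib_fax')));
            }
            if ($ilias->getSetting('shib_update_matriculation')) {
                $userObj->setMatriculation($this->_getShibAttribute('shib_matriculation'));
            }
            if ($ilias->getSetting('shib_update_email')) {
                $userObj->setEmail($this->getFirstString($this->_getShibAttribute('shib_email')));
            }
            if ($ilias->getSetting('shib_update_hobby')) {
                $userObj->setHobby($this->_getShibAttribute('shib_hobby'));
            }
            if ($ilias->getSetting('shib_update_language')) {
                // First value only, as on account creation.
                $userObj->setLanguage($this->getFirstString($this->_getShibAttribute('shib_language')));
            }

            if ($dataConv && $dataConv != '' && is_readable($dataConv)) {
                include($dataConv);
            }

            $userObj->update();
        }
    }

    /**
     * Mark the session as authenticated for the given user.
     *
     * NOTE(review): the session id is not rotated here. Callers should
     * regenerate it when the login succeeds, so that an id known before
     * authentication is not carried over into the authenticated session.
     *
     * @param string $username Login name to store in the session.
     */
    function setAuth($username)
    {
        $session = &$this->_importGlobalVariable('session');

        // session_register() only exists in old PHP versions; calling it
        // unguarded is fatal everywhere else.
        if (!isset($session[$this->_sessionName])
            && !isset($_SESSION)
            && function_exists('session_register')) {
            session_register($this->_sessionName);
        }

        if (!isset($session[$this->_sessionName]) || !is_array($session[$this->_sessionName])) {
            $session[$this->_sessionName] = array();
        }

        if (!isset($session[$this->_sessionName]['data'])) {
            $session[$this->_sessionName]['data'] = array();
        }

        $now = time();
        $session[$this->_sessionName]['registered'] = true;
        $session[$this->_sessionName]['username']   = $username;
        $session[$this->_sessionName]['timestamp']  = $now;
        $session[$this->_sessionName]['idle']       = $now;
    }

    /**
     * Drop the authentication data from the session and clear $username.
     */
    function logout()
    {
        $session = &$this->_importGlobalVariable('session');

        $this->username = '';

        $session[$this->_sessionName] = array();
        if (isset($_SESSION)) {
            unset($session[$this->_sessionName]);
        } elseif (function_exists('session_unregister')) {
            // Same reason as for session_register() in setAuth().
            session_unregister($this->_sessionName);
        }
    }

    /**
     * Return the user name stored in the session.
     *
     * @return string '' when no user name is stored.
     */
    function getUsername()
    {
        $session = &$this->_importGlobalVariable('session');

        if (!isset($session[$this->_sessionName]['username'])) {
            return '';
        }

        return $session[$this->_sessionName]['username'];
    }

    /**
     * Return the last status code.
     *
     * @return mixed One of the AUTH_* codes, or '' if none was set.
     */
    function getStatus()
    {
        // Was "return $status;", an undefined local, so callers never saw
        // AUTH_EXPIRED, AUTH_IDLED or AUTH_WRONG_LOGIN.
        return $this->status;
    }

    /**
     * Return a reference to one of the request arrays, falling back to the
     * old HTTP_*_VARS globals when the superglobal is not set.
     *
     * @param string $variable 'server', 'session', 'post', 'cookie' or 'get' (case-insensitive).
     * @return mixed Reference to the array; null for any other name.
     */
    function &_importGlobalVariable($variable)
    {
        $var = null;

        switch (strtolower($variable)) {
            case 'server':
                if (isset($_SERVER)) {
                    $var = &$_SERVER;
                } else {
                    $var = &$GLOBALS['HTTP_SERVER_VARS'];
                }
                break;

            case 'session':
                if (isset($_SESSION)) {
                    $var = &$_SESSION;
                } else {
                    $var = &$GLOBALS['HTTP_SESSION_VARS'];
                }
                break;

            case 'post':
                if (isset($_POST)) {
                    $var = &$_POST;
                } else {
                    $var = &$GLOBALS['HTTP_POST_VARS'];
                }
                break;

            case 'cookie':
                if (isset($_COOKIE)) {
                    $var = &$_COOKIE;
                } else {
                    $var = &$GLOBALS['HTTP_COOKIE_VARS'];
                }
                break;

            case 'get':
                if (isset($_GET)) {
                    $var = &$_GET;
                } else {
                    $var = &$GLOBALS['HTTP_GET_VARS'];
                }
                break;

            default:
                break;
        }

        return $var;
    }

    /**
     * Read one Shibboleth attribute from $_SERVER.
     *
     * @param string $setting Name of the ILIAS setting that holds the $_SERVER key.
     * @return mixed The raw attribute value, or null if the setting or the key is missing.
     */
    function _getShibAttribute($setting)
    {
        global $ilias;

        $key = $ilias->getSetting($setting);
        if (!is_string($key) || $key === '') {
            return null;
        }

        return isset($_SERVER[$key]) ? $_SERVER[$key] : null;
    }

    /**
     * Determine the ILIAS login name for the current Shibboleth user.
     *
     * An account already linked to the identifier keeps its login. Otherwise
     * "Firstname Lastname" is used, with " 2", " 3", ... appended until the
     * login is free.
     *
     * @return string|null Null when the Shibboleth identifier is blank.
     */
    function generateLogin()
    {
        global $ilias;

        $shibID    = $this->_getShibAttribute('shib_login');
        $lastname  = $this->getFirstString($this->_getShibAttribute('shib_lastname'));
        $firstname = $this->getFirstString($this->_getShibAttribute('shib_firstname'));

        if (trim((string) $shibID) == "") {
            return null;
        }

        // Moves accounts whose passwd column holds the Shibboleth identifier
        // to the ext_account column and gives them a random password.
        // The identifier comes from the request environment and used to be
        // concatenated into the statement unescaped (SQL injection); it is now
        // passed through the DB wrapper first.
        // NOTE(review): quote() is expected to return an escaped literal
        // including the surrounding quotes; confirm for this ILIAS version.
        $generated = ilUtil::generatePasswords(1);
        $quotedId  = $ilias->db->quote($shibID);
        $ilias->db->query(
            "UPDATE usr_data SET auth_mode='shibboleth', passwd='" . md5(end($generated))
            . "', ext_account=" . $quotedId . " WHERE passwd=" . $quotedId
        );

        // An account already linked to this identifier wins.
        $local_user = ilObjUser::_checkExternalAuthAccount("shibboleth", $shibID);
        if ($local_user) {
            return $local_user;
        }

        $prefix = $firstname . ' ' . $lastname;

        if (!ilObjUser::getUserIdByLogin($prefix)) {
            return $prefix;
        }

        // Name already taken: append the first free number, starting at 2.
        $number = 2;
        $prefix .= ' ';
        while (ilObjUser::getUserIdByLogin($prefix . $number)) {
            $number++;
        }

        return $prefix . $number;
    }

    /**
     * Return the first value of a ';'-separated attribute, with trailing
     * whitespace removed.
     *
     * @param string $string Attribute value, possibly holding several values.
     * @return string
     */
    function getFirstString($string)
    {
        // explode() replaces split(), which newer PHP versions no longer provide.
        $list = explode(';', (string) $string);

        return rtrim($list[0]);
    }
}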
00617 ?>