classes/class.ilShibboleth.php

Go to the documentation of this file.
00001 <?php
00002 /*
00003         +-----------------------------------------------------------------------------+
00004         | ILIAS open source                                                           |
00005         +-----------------------------------------------------------------------------+
00006         | Copyright (c) 1998-2001 ILIAS open source, University of Cologne            |
00007         |                                                                             |
00008         | This program is free software; you can redistribute it and/or               |
00009         | modify it under the terms of the GNU General Public License                 |
00010         | as published by the Free Software Foundation; either version 2              |
00011         | of the License, or (at your option) any later version.                      |
00012         |                                                                             |
00013         | This program is distributed in the hope that it will be useful,             |
00014         | but WITHOUT ANY WARRANTY; without even the implied warranty of              |
00015         | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               |
00016         | GNU General Public License for more details.                                |
00017         |                                                                             |
00018         | You should have received a copy of the GNU General Public License           |
00019         | along with this program; if not, write to the Free Software                 |
00020         | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. |
00021         +-----------------------------------------------------------------------------+
00022 */
00023 
00024 
// Status codes stored in ShibAuth::$status (read via getStatus()) when
// checkAuth() or login() fails. They mirror the PEAR::Auth codes.
define('AUTH_IDLED',       -1); // idle limit exceeded, see ShibAuth::setIdle()
define('AUTH_EXPIRED',     -2); // absolute lifetime exceeded, see ShibAuth::setExpire()
define('AUTH_WRONG_LOGIN', -3); // the configured Shibboleth login attribute was not set by the SP
00028 
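/**
 * Shibboleth authentication for ILIAS.
 *
 * The Shibboleth Service Provider module in the web server authenticates the
 * user before PHP runs and exposes the released attributes as $_SERVER
 * variables. The names of those variables are taken from ILIAS settings
 * ("shib_login", "shib_firstname", ...). This class reads them, keeps a
 * session record under $_SESSION[$this->_sessionName] with the keys
 * 'registered', 'username', 'timestamp', 'idle' and 'data', and creates or
 * updates the corresponding local ILIAS account.
 *
 * Account mapping: the Shibboleth unique ID is stored UNHASHED in the
 * usr_data.passwd column of the local account and generateLogin() looks the
 * account up by that column. All attribute values originate from the IdP and
 * are therefore escaped before they are interpolated into SQL.
 *
 * Status codes are the AUTH_* constants defined at the top of this file.
 */
class ShibAuth
{
	/** @var string  login name; only cleared by logout() */
	var $username;

	/** @var string  key of the authentication record inside $_SESSION */
	var $_sessionName = '_authsession';

	/** @var mixed  '' or one of the AUTH_* codes after a failed checkAuth()/login() */
	var $status = '';

	/** @var int  absolute lifetime of the login in seconds since setAuth(); 0 disables the check */
	var $expire = 0;

	/** @var int  maximum seconds between two successful checkAuth() calls; 0 disables the check */
	var $idle = 0;

	/** @var bool  set when checkAuth() logged the user out for idling */
	var $idled = false;

	/** @var bool  set when checkAuth() logged the user out because the login expired */
	var $expired = false;

	/** @var bool  stored from the constructor; not read by this class */
	var $updateUserData = false;

	/**
	 * PHP 5+ constructor. Delegates to the PHP 4 style constructor so the
	 * options are honoured on every PHP version (since PHP 7 a method named
	 * like its class is no longer treated as the constructor).
	 *
	 * @param array $authParams      options; only 'sessionName' is used
	 * @param bool  $updateUserData  kept for interface compatibility
	 */
	function __construct($authParams, $updateUserData = false)
	{
		$this->ShibAuth($authParams, $updateUserData);
	}

	/**
	 * PHP 4 style constructor.
	 *
	 * @param array $authParams      options; only 'sessionName' is used
	 * @param bool  $updateUserData  kept for interface compatibility
	 */
	function ShibAuth($authParams, $updateUserData = false)
	{
		$this->updateUserData = $updateUserData;

		if (is_array($authParams) && !empty($authParams['sessionName'])) {
			$this->_sessionName = $authParams['sessionName'];
		}
	}

	/**
	 * Tells whether the session carries a registered login.
	 *
	 * Expiry and idle limits are NOT evaluated here; use checkAuth() for that.
	 *
	 * @return bool
	 */
	function getAuth()
	{
		$session = &$this->_importGlobalVariable('session');

		return !empty($session)
			&& isset($session[$this->_sessionName]['registered'])
			&& $session[$this->_sessionName]['registered'] === true;
	}

	/**
	 * Sets (or extends) the maximum idle time in seconds.
	 *
	 * @param int  $time  seconds; 0 disables the idle check
	 * @param bool $add   true adds to the current value instead of replacing it
	 */
	function setIdle($time, $add = false)
	{
		$this->idle = $add ? $this->idle + $time : $time;
	}

	/**
	 * Sets (or extends) the absolute login lifetime in seconds.
	 *
	 * @param int  $time  seconds; 0 disables the expiry check
	 * @param bool $add   true adds to the current value instead of replacing it
	 */
	function setExpire($time, $add = false)
	{
		$this->expire = $add ? $this->expire + $time : $time;
	}

	/**
	 * Validates the session record: enforces the expiry and idle limits
	 * (logging the user out and setting $status on violation) and refreshes
	 * the idle timestamp on success.
	 *
	 * @return bool  true if a valid, registered login is present
	 */
	function checkAuth()
	{
		$session = &$this->_importGlobalVariable('session');

		if (!isset($session[$this->_sessionName]) || !is_array($session[$this->_sessionName])) {
			return false;
		}
		$rec = &$session[$this->_sessionName];
		$now = time();

		// Absolute lifetime, counted from setAuth().
		if ($this->expire > 0 && isset($rec['timestamp']) && ($rec['timestamp'] + $this->expire) < $now) {
			$this->logout();
			$this->expired = true;
			$this->status = AUTH_EXPIRED;
			return false;
		}

		// Idle time, counted from the last successful checkAuth().
		if ($this->idle > 0 && isset($rec['idle']) && ($rec['idle'] + $this->idle) < $now) {
			$this->logout();
			$this->idled = true;
			$this->status = AUTH_IDLED;
			return false;
		}

		if (isset($rec['registered']) && $rec['registered'] === true
			&& isset($rec['username']) && (string) $rec['username'] !== '') {
			// Formerly a static call to PEAR's Auth::updateIdle(); doing it
			// inline removes the dependency on a class this file never loads.
			$rec['idle'] = $now;
			return true;
		}

		return false;
	}

	/**
	 * Starts the PHP session (if not already active) and validates the
	 * authentication record. No login is attempted here: the Shibboleth
	 * login entry point calls login() itself once the SP has set the
	 * attributes.
	 */
	function start()
	{
		// Guard instead of silencing with '@': session_start() on an active
		// session, or after output has begun, would only raise a notice/warning.
		if (session_id() === '' && !headers_sent()) {
			session_start();
		}

		$this->checkAuth();
	}

	/**
	 * Logs the Shibboleth user in: registers the session record and creates
	 * the local account on first login, or synchronises it on later logins.
	 *
	 * Sets $status to AUTH_WRONG_LOGIN when the configured login attribute is
	 * missing, which only happens if Shibboleth is not configured properly.
	 */
	function login()
	{
		$shibID = $this->_getShibAttr('shib_login');
		if (empty($shibID)) {
			$this->status = AUTH_WRONG_LOGIN;
			return;
		}

		$username = $this->generateLogin();

		// Authorize this user
		$this->setAuth($username);

		if (!loginExists($username)) {
			$this->_createUser($username);
		} else {
			$this->_updateUser($username);
		}
	}

	/**
	 * Creates the local ILIAS account for a first-time Shibboleth user.
	 *
	 * The data conversion script configured in 'shib_data_conv' is include()d
	 * in this method's scope and may use $userObj, $newUser, $username, $ilias
	 * and $rbacadmin; keep those names when editing.
	 *
	 * @param string $username  login generated by generateLogin()
	 */
	function _createUser($username)
	{
		global $ilias, $rbacadmin;

		$userObj = new ilObjUser();

		$newUser = array();
		$newUser["firstname"] = $this->_getShibAttr('shib_firstname');
		$newUser["lastname"] = $this->_getShibAttr('shib_lastname');
		$newUser["login"] = $username;

		// Placeholder only: the passwd column is overwritten with the
		// Shibboleth ID mapping at the end of this method. It must still not
		// be guessable so that nobody can log in locally with it, hence no rand().
		$newUser["passwd"] = md5(uniqid(mt_rand(), true));
		$newUser["passwd_type"] = IL_PASSWD_PLAIN;

		$gender = $this->_getShibAttr('shib_gender');
		if ($ilias->getSetting('shib_update_gender') && ($gender === 'm' || $gender === 'f')) {
			$newUser["gender"] = $gender;
		}

		// Other attributes, copied verbatim from the SP-provided variables.
		$plain = array(
			'title'         => 'shib_title',
			'institution'   => 'shib_institution',
			'department'    => 'shib_department',
			'street'        => 'shib_street',
			'city'          => 'shib_city',
			'zipcode'       => 'shib_zipcode',
			'country'       => 'shib_country',
			'phone_office'  => 'shib_phone_office',
			'phone_home'    => 'shib_phone_home',
			'phone_mobile'  => 'shib_phone_mobile',
			'fax'           => 'shib_fax',
			'matriculation' => 'shib_matriculation',
			'email'         => 'shib_email',
			'hobby'         => 'shib_hobby',
		);
		foreach ($plain as $field => $setting) {
			$newUser[$field] = $this->_getShibAttr($setting);
		}
		$newUser["auth_mode"] = "shibboleth";

		// System data
		$userObj->assignData($newUser);
		$userObj->setTitle($userObj->getFullname());
		$userObj->setDescription($userObj->getEmail());
		$userObj->setLanguage($this->_getShibAttr('shib_language'));

		// Time limit
		$userObj->setTimeLimitOwner(7);
		$userObj->setTimeLimitUnlimited(1);
		$userObj->setTimeLimitFrom(time());
		$userObj->setTimeLimitUntil(time());

		// Admin-configured PHP hook, executed here so it can modify $userObj
		// and $newUser before the account is written. The path is an ILIAS
		// setting, not request input.
		$convFile = $this->_dataConversionFile();
		if ($convFile !== '') {
			include($convFile);
		}

		// Create user in DB
		$userObj->create();
		$userObj->setActive(1, 6);
		$userObj->updateOwner();

		// Insert user data in table usr_data
		$userObj->saveAsNew();

		// Setup user preferences
		$userObj->writePrefs();

		// Set role entries
		$rbacadmin->assignUser($ilias->getSetting('shib_user_default_role'), $userObj->getId(), true);

		// Save the Shibboleth ID mapping directly so the value is not hashed;
		// generateLogin() looks accounts up by this column. Both values are
		// IdP-controlled and are quoted before being interpolated.
		$ilias->db->query("UPDATE usr_data SET passwd=" . $this->_sqlLiteral($this->_getShibAttr('shib_login'))
			. " WHERE login=" . $this->_sqlLiteral($username));

		unset($userObj);
	}

	/**
	 * Synchronises an existing local account with the current attributes.
	 *
	 * Each optional attribute is copied only if its 'shib_update_*' switch is
	 * enabled. The data conversion script (see _createUser()) is include()d
	 * here as well, with $userObj, $username, $ilias and $rbacadmin in scope.
	 *
	 * @param string $username  existing login returned by generateLogin()
	 */
	function _updateUser($username)
	{
		global $ilias, $rbacadmin;

		$userObj = new ilObjUser();
		$userObj->checkUserId();
		$userObj->read();

		$gender = $this->_getShibAttr('shib_gender');
		if ($ilias->getSetting('shib_update_gender') && ($gender === 'm' || $gender === 'f')) {
			$userObj->setGender($gender);
		}

		if ($ilias->getSetting('shib_update_title')) {
			$userObj->setTitle($this->_getShibAttr('shib_title'));
		}

		// Names are always synchronised; setFullname() must follow them.
		$userObj->setFirstname($this->_getShibAttr('shib_firstname'));
		$userObj->setLastname($this->_getShibAttr('shib_lastname'));
		$userObj->setFullname();

		$optional = array(
			'shib_update_institution'   => array('setInstitution',   'shib_institution'),
			'shib_update_department'    => array('setDepartment',    'shib_department'),
			'shib_update_street'        => array('setStreet',        'shib_street'),
			'shib_update_city'          => array('setCity',          'shib_city'),
			'shib_update_zipcode'       => array('setZipcode',       'shib_zipcode'),
			'shib_update_country'       => array('setCountry',       'shib_country'),
			'shib_update_phone_office'  => array('setPhoneOffice',   'shib_phone_office'),
			'shib_update_phone_home'    => array('setPhoneHome',     'shib_phone_home'),
			'shib_update_phone_mobile'  => array('setPhoneMobile',   'shib_phone_mobile'),
			'shib_update_fax'           => array('setFax',           'shib_fax'),
			'shib_update_matriculation' => array('setMatriculation', 'shib_matriculation'),
			'shib_update_email'         => array('setEmail',         'shib_email'),
			'shib_update_hobby'         => array('setHobby',         'shib_hobby'),
			'shib_update_language'      => array('setLanguage',      'shib_language'),
		);
		foreach ($optional as $switch => $target) {
			if ($ilias->getSetting($switch)) {
				$setter = $target[0];
				$userObj->$setter($this->_getShibAttr($target[1]));
			}
		}

		// Admin-configured PHP hook (see _createUser()).
		$convFile = $this->_dataConversionFile();
		if ($convFile !== '') {
			include($convFile);
		}

		$userObj->update();
	}

	/**
	 * Registers $username in the session record and stamps it.
	 *
	 * The session id is regenerated on this privilege change so a session id
	 * an attacker planted before authentication (session fixation) does not
	 * become an authenticated one.
	 *
	 * @param string $username  local ILIAS login
	 */
	function setAuth($username)
	{
		$session = &$this->_importGlobalVariable('session');

		// register_globals-era fallback; session_register() was removed in PHP 5.4.
		if (!isset($session[$this->_sessionName]) && !isset($_SESSION) && function_exists('session_register')) {
			session_register($this->_sessionName);
		}

		if (session_id() !== '' && !headers_sent()) {
			session_regenerate_id();
		}

		if (!isset($session[$this->_sessionName]) || !is_array($session[$this->_sessionName])) {
			$session[$this->_sessionName] = array();
		}
		if (!isset($session[$this->_sessionName]['data'])) {
			$session[$this->_sessionName]['data'] = array();
		}

		$now = time();
		$session[$this->_sessionName]['registered'] = true;
		$session[$this->_sessionName]['username']   = $username;
		$session[$this->_sessionName]['timestamp']  = $now;
		$session[$this->_sessionName]['idle']       = $now;
		$this->username = $username;
	}

	/**
	 * Removes the authentication record from the session.
	 */
	function logout()
	{
		$session = &$this->_importGlobalVariable('session');

		$this->username = '';

		$session[$this->_sessionName] = array();
		if (isset($_SESSION)) {
			unset($session[$this->_sessionName]);
		} elseif (function_exists('session_unregister')) {
			// register_globals-era fallback; removed in PHP 5.4.
			session_unregister($this->_sessionName);
		}
	}

	/**
	 * @return string  the login stored in the session record, or '' if none
	 */
	function getUsername()
	{
		$session = &$this->_importGlobalVariable('session');

		if (!isset($session[$this->_sessionName]['username'])) {
			return '';
		}
		return $session[$this->_sessionName]['username'];
	}

	/**
	 * @return mixed  '' or the AUTH_* code of the last failure
	 */
	function getStatus()
	{
		// Was returning the undefined local $status (always null).
		return $this->status;
	}

	/**
	 * Returns a reference to one of the request superglobals, falling back to
	 * the pre-PHP-4.1 HTTP_*_VARS arrays when the superglobal is not set.
	 *
	 * @param string $variable  'server', 'session', 'post', 'cookie' or 'get'
	 * @return array|null  reference; null for an unknown name
	 */
	function &_importGlobalVariable($variable)
	{
		$var = null;

		switch (strtolower($variable)) {
			case 'server':
				if (isset($_SERVER)) {
					$var = &$_SERVER;
				} else {
					$var = &$GLOBALS['HTTP_SERVER_VARS'];
				}
				break;

			case 'session':
				if (isset($_SESSION)) {
					$var = &$_SESSION;
				} else {
					$var = &$GLOBALS['HTTP_SESSION_VARS'];
				}
				break;

			case 'post':
				if (isset($_POST)) {
					$var = &$_POST;
				} else {
					$var = &$GLOBALS['HTTP_POST_VARS'];
				}
				break;

			case 'cookie':
				if (isset($_COOKIE)) {
					$var = &$_COOKIE;
				} else {
					$var = &$GLOBALS['HTTP_COOKIE_VARS'];
				}
				break;

			case 'get':
				if (isset($_GET)) {
					$var = &$_GET;
				} else {
					$var = &$GLOBALS['HTTP_GET_VARS'];
				}
				break;

			default:
				break;
		}

		return $var;
	}

	/**
	 * Maps the Shibboleth unique ID to a local login.
	 *
	 * Looks the ID up in usr_data.passwd (the mapping column, see
	 * _createUser()); if no account is mapped yet a new login of the form
	 * "Firstname Lastname" (suffixed with " 2", " 3", ... while taken) is
	 * generated. A data conversion script may override the result.
	 *
	 * @return string  existing or newly generated login
	 */
	function generateLogin()
	{
		global $ilias;

		$shibID = $this->_getShibAttr('shib_login');
		$lastname = $this->_getShibAttr('shib_lastname');
		$firstname = $this->_getShibAttr('shib_firstname');

		// Never look up an empty ID: "WHERE passwd=''" would match any
		// account whose passwd column happens to be empty.
		if ((string) $shibID !== '') {
			$r = $ilias->db->query("SELECT login FROM usr_data WHERE passwd=" . $this->_sqlLiteral($shibID));
			if ($r->numRows() > 0) {
				$data = $r->fetchRow();
				return $data[0];
			}
		}

		// Generate a new username; the data conversion API can overrule
		// this, but has to do it by itself.
		$prefix = $firstname . " " . $lastname;
		if (!$this->checkMapping($prefix)) {
			return $prefix;
		}

		// Append a number if the username is already taken.
		$prefix .= " ";
		$number = 2;
		while ($this->checkMapping($prefix . $number)) {
			$number++;
		}

		return $prefix . $number;
	}

	/**
	 * @param string $login
	 * @return bool  true if an account with this login exists
	 */
	function checkMapping($login)
	{
		global $ilias;

		$r = $ilias->db->query("SELECT passwd FROM usr_data WHERE login=" . $this->_sqlLiteral($login));

		return $r->numRows() > 0;
	}

	/**
	 * Reads the $_SERVER variable whose name is stored in the given ILIAS
	 * setting (e.g. 'shib_firstname'), without emitting notices.
	 *
	 * @param string $a_setting  ILIAS setting holding the variable name
	 * @return string|null  attribute value, or null if unset/unconfigured
	 */
	function _getShibAttr($a_setting)
	{
		global $ilias;

		$key = (string) $ilias->getSetting($a_setting);
		if ($key === '' || !isset($_SERVER[$key])) {
			return null;
		}
		return $_SERVER[$key];
	}

	/**
	 * @return string  readable path of the configured data conversion
	 *                 script ('shib_data_conv'), or '' if none
	 */
	function _dataConversionFile()
	{
		global $ilias;

		$file = $ilias->getSetting('shib_data_conv');
		if ($file && is_readable($file)) {
			return $file;
		}
		return '';
	}

	/**
	 * Quotes a value as a single-quoted SQL string literal.
	 *
	 * Attribute values come from the IdP and must never be pasted raw into a
	 * query. addslashes() is what the standard library offers here;
	 * NOTE(review): prefer the DB layer's own quoting ($ilias->db) once its
	 * method name and return format are confirmed, as addslashes() is not
	 * charset-aware.
	 *
	 * @param mixed $value
	 * @return string  quoted literal including the surrounding quotes
	 */
	function _sqlLiteral($value)
	{
		return "'" . addslashes((string) $value) . "'";
	}

} // END class.ilShibAuth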
00621 ?>
