
Services/AuthShibboleth/classes/class.ilShibboleth.php

00001 <?php
00002 /*
00003         +-----------------------------------------------------------------------------+
00004         | ILIAS open source                                                           |
00005         +-----------------------------------------------------------------------------+
00006         | Copyright (c) 1998-2001 ILIAS open source, University of Cologne            |
00007         |                                                                             |
00008         | This program is free software; you can redistribute it and/or               |
00009         | modify it under the terms of the GNU General Public License                 |
00010         | as published by the Free Software Foundation; either version 2              |
00011         | of the License, or (at your option) any later version.                      |
00012         |                                                                             |
00013         | This program is distributed in the hope that it will be useful,             |
00014         | but WITHOUT ANY WARRANTY; without even the implied warranty of              |
00015         | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               |
00016         | GNU General Public License for more details.                                |
00017         |                                                                             |
00018         | You should have received a copy of the GNU General Public License           |
00019         | along with this program; if not, write to the Free Software                 |
00020         | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. |
00021         +-----------------------------------------------------------------------------+
00022 */
00023 
00024 
/**
 * Status codes reported by ShibAuth::getStatus() after checkAuth() or login()
 * has refused the request. All values are negative so that callers can test
 * for "any failure" with a simple `< 0` comparison.
 */
$shibAuthStatusCodes = array(
	'AUTH_IDLED'       => -1, // maximum idle time between requests was exceeded
	'AUTH_EXPIRED'     => -2, // absolute lifetime of the authentication session was exceeded
	'AUTH_WRONG_LOGIN' => -3, // no Shibboleth login attribute was present in the request
);
foreach ($shibAuthStatusCodes as $statusName => $statusCode) {
	define($statusName, $statusCode);
}
unset($shibAuthStatusCodes, $statusName, $statusCode);
00028 
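/**
 * Shibboleth authentication for ILIAS.
 *
 * The Shibboleth service provider (Apache module) has already authenticated the
 * user and exposes the user's attributes as $_SERVER variables; the names of
 * those variables are read from the ILIAS settings `shib_*`. This class only
 * (1) keeps an authentication record in the PHP session under $_sessionName,
 * (2) maps the Shibboleth identity to an ILIAS account, creating or updating it,
 * and (3) enforces the idle / expiry limits configured via setIdle()/setExpire().
 *
 * Session record layout (see setAuth()):
 *   registered => true, username => ILIAS login, timestamp => login time,
 *   idle => time of last validated request, data => array()
 *
 * The interface mirrors the PEAR Auth class the original code was derived from.
 */
class ShibAuth
{
	/**
	 * Login name; cleared by logout(). The authenticated login name itself is
	 * kept in the session, see getUsername().
	 */
	var $username;

	/** Key under which the authentication record is stored in $_SESSION. */
	var $_sessionName = '_authsession';

	/** One of the AUTH_* codes after a failed check, '' otherwise. See getStatus(). */
	var $status = '';

	/** Absolute lifetime of an authentication session in seconds; 0 = unlimited. */
	var $expire = 0;

	/** Maximum seconds between two requests; 0 = unlimited. */
	var $idle = 0;

	/** Set by checkAuth() when the session was dropped because of the idle limit. */
	var $idled = false;

	/** Set by checkAuth() when the session was dropped because of the expire limit. */
	var $expired = false;

	/**
	 * Constructor flag kept for interface compatibility; it is stored but
	 * never consulted by this class.
	 */
	var $updateUserData = false;

	/**
	 * @param array $authParams     optional; 'sessionName' overrides $_sessionName
	 * @param bool  $updateUserData stored in $this->updateUserData, otherwise unused
	 */
	function __construct($authParams, $updateUserData = false)
	{
		$this->updateUserData = $updateUserData;

		if (!empty($authParams['sessionName'])) {
			$this->_sessionName = $authParams['sessionName'];
		}
	}

	/**
	 * PHP 4 style constructor kept for old callers; delegates to __construct(),
	 * which PHP 5+ uses directly.
	 */
	function ShibAuth($authParams, $updateUserData = false)
	{
		$this->__construct($authParams, $updateUserData);
	}

	/**
	 * Tells whether the session carries a registered authentication record.
	 * Does NOT apply the idle/expire limits; use checkAuth() for that.
	 *
	 * @return bool
	 */
	function getAuth()
	{
		$session = &$this->_importGlobalVariable('session');

		return !empty($session)
			&& isset($session[$this->_sessionName]['registered'])
			&& $session[$this->_sessionName]['registered'] === true;
	}

	/**
	 * Sets the maximum idle time.
	 *
	 * @param int  $time seconds
	 * @param bool $add  add to the current value instead of replacing it
	 */
	function setIdle($time, $add = false)
	{
		$this->idle = $add ? $this->idle + $time : $time;
	}

	/**
	 * Sets the absolute lifetime of an authentication session.
	 *
	 * @param int  $time seconds
	 * @param bool $add  add to the current value instead of replacing it
	 */
	function setExpire($time, $add = false)
	{
		$this->expire = $add ? $this->expire + $time : $time;
	}

	/**
	 * Validates the authentication record in the session.
	 *
	 * Drops the record (logout()) and sets $status/$expired/$idled when one of
	 * the configured limits is exceeded; otherwise refreshes the idle timestamp.
	 *
	 * @return bool true when the session is registered and within the limits
	 */
	function checkAuth()
	{
		$session = &$this->_importGlobalVariable('session');

		if (!isset($session[$this->_sessionName])) {
			return false;
		}

		$record = &$session[$this->_sessionName];
		$now = time();

		// Absolute lifetime, measured from the login timestamp
		if ($this->expire > 0
			&& isset($record['timestamp'])
			&& ($record['timestamp'] + $this->expire) < $now) {
			$this->logout();
			$this->expired = true;
			$this->status = AUTH_EXPIRED;

			return false;
		}

		// Idle limit, measured from the last validated request
		if ($this->idle > 0
			&& isset($record['idle'])
			&& ($record['idle'] + $this->idle) < $now) {
			$this->logout();
			$this->idled = true;
			$this->status = AUTH_IDLED;

			return false;
		}

		if (isset($record['registered'])
			&& isset($record['username'])
			&& $record['registered'] == true
			&& $record['username'] != '') {
			// Refresh the idle timestamp in our own record. The original code
			// called PEAR's Auth::updateIdle() statically for this, which only
			// worked by accident ($this leaked into the foreign class).
			$record['idle'] = $now;

			return true;
		}

		return false;
	}

	/**
	 * Starts the PHP session (if not already started) and validates the
	 * existing authentication record. A fresh login is intentionally not
	 * triggered from here; login() is called separately.
	 */
	function start()
	{
		// Explicit check instead of silencing every session_start() error with @
		if (session_id() == '') {
			session_start();
		}

		$this->checkAuth();
	}

	/**
	 * Authenticates the request based on the Shibboleth attributes in $_SERVER.
	 *
	 * Requires the login attribute (setting 'shib_login') to be present; then
	 * registers the session, creates the ILIAS account if it does not exist yet
	 * or updates it from the attributes, and finally redirects to the 'target'
	 * request parameter (via goto.php) when one was given.
	 *
	 * Sets $status to AUTH_WRONG_LOGIN when the login attribute is missing.
	 */
	function login()
	{
		$shibLogin = $this->_shibValue('shib_login');

		if (empty($shibLogin)) {
			// This should never occur unless Shibboleth is not configured properly
			$this->status = AUTH_WRONG_LOGIN;

			return;
		}

		// Get loginname of user; a new login name is generated if the user is new
		$username = $this->generateLogin();

		// Authorize this user in the session
		$this->setAuth($username);

		if (!ilObjUser::getUserIdByLogin($username)) {
			$this->_createUser($username, $shibLogin);
		} else {
			$this->_updateUser($username);
		}

		// we are authenticated: redirect, if possible. The target is request
		// controlled, so it is encoded to stay a single query parameter of goto.php.
		if (isset($_GET['target']) && $_GET['target'] != '') {
			ilUtil::redirect('goto.php?target=' . rawurlencode($_GET['target']) . '&client_id=' . CLIENT_ID);
		}
	}

	/**
	 * Creates a new ILIAS account from the Shibboleth attributes.
	 *
	 * The optional data conversion script (setting 'shib_data_conv') is included
	 * in this scope and may rely on $userObj, $newUser, $username, $ilias and
	 * $rbacadmin being defined — keep those names when changing this method.
	 *
	 * @param string $username  ILIAS login generated by generateLogin()
	 * @param string $shibLogin raw Shibboleth login attribute (stored as ext_account)
	 * @access private
	 */
	function _createUser($username, $shibLogin)
	{
		global $ilias, $rbacadmin;

		$userObj = new ilObjUser();

		$newUser = array();
		$newUser['firstname'] = $this->getFirstString($this->_shibValue('shib_firstname'));
		$newUser['lastname'] = $this->getFirstString($this->_shibValue('shib_lastname'));
		$newUser['login'] = $username;

		// Password must be random so that nobody can log in locally with the
		// Shibboleth user's data; the account is only usable via Shibboleth.
		$newUser['passwd'] = $this->_randomPasswordHash();
		$newUser['passwd_type'] = IL_PASSWD_MD5;

		$gender = $this->_genderFromShib();
		if ($gender != '') {
			$newUser['gender'] = $gender;
		}

		// Save mapping between ILIAS user and Shibboleth uniqueID
		$newUser['ext_account'] = $shibLogin;

		// other data
		$newUser['title'] = $this->_shibValue('shib_title');
		$newUser['institution'] = $this->_shibValue('shib_institution');
		$newUser['department'] = $this->_shibValue('shib_department');
		$newUser['street'] = $this->_shibValue('shib_street');
		$newUser['city'] = $this->_shibValue('shib_city');
		$newUser['zipcode'] = $this->_shibValue('shib_zipcode');
		$newUser['country'] = $this->_shibValue('shib_country');
		$newUser['phone_office'] = $this->getFirstString($this->_shibValue('shib_phone_office'));
		$newUser['phone_home'] = $this->getFirstString($this->_shibValue('shib_phone_home'));
		$newUser['phone_mobile'] = $this->getFirstString($this->_shibValue('shib_phone_mobile'));
		$newUser['fax'] = $this->getFirstString($this->_shibValue('shib_fax'));
		$newUser['matriculation'] = $this->_shibValue('shib_matriculation');
		$newUser['email'] = $this->getFirstString($this->_shibValue('shib_email'));
		$newUser['hobby'] = $this->_shibValue('shib_hobby');
		$newUser['auth_mode'] = 'shibboleth';

		// system data
		$userObj->assignData($newUser);
		$userObj->setTitle($userObj->getFullname());
		$userObj->setDescription($userObj->getEmail());
		$userObj->setLanguage($this->getFirstString($this->_shibValue('shib_language')));

		// Time limit
		$userObj->setTimeLimitOwner(7);
		$userObj->setTimeLimitUnlimited(1);
		$userObj->setTimeLimitFrom(time());
		$userObj->setTimeLimitUntil(time());

		// Modify user data before creating the user: include custom code that
		// can be used to further modify certain Shibboleth user attributes.
		// The path comes from an administrator setting, not from the request.
		$dataConv = $this->_dataConversionScript();
		if ($dataConv != '') {
			include($dataConv);
		}

		// Create user in DB
		$userObj->create();
		$userObj->setActive(1, 6);

		$userObj->updateOwner();

		// insert user data in table user_data
		$userObj->saveAsNew();

		// setup user preferences
		$userObj->writePrefs();

		// set role entries
		$rbacadmin->assignUser($ilias->getSetting('shib_user_default_role'), $userObj->getId(), true);

		unset($userObj);
	}

	/**
	 * Updates the existing ILIAS account of $username from the Shibboleth
	 * attributes, honouring the per-field 'shib_update_*' settings.
	 *
	 * The optional data conversion script (setting 'shib_data_conv') is included
	 * in this scope and may rely on $userObj, $username, $ilias and $rbacadmin
	 * being defined — keep those names when changing this method.
	 *
	 * @param string $username ILIAS login of the account to update
	 * @access private
	 */
	function _updateUser($username)
	{
		global $ilias, $rbacadmin;

		$userObj = new ilObjUser();
		$userObj->checkUserId();
		$userObj->read();

		$gender = $this->_genderFromShib();
		if ($gender != '') {
			$userObj->setGender($gender);
		}

		// Title must be set before setFullname(), which derives from it
		if ($ilias->getSetting('shib_update_title')) {
			$userObj->setTitle($this->_shibValue('shib_title'));
		}

		$userObj->setFirstname($this->getFirstString($this->_shibValue('shib_firstname')));
		$userObj->setLastname($this->getFirstString($this->_shibValue('shib_lastname')));
		$userObj->setFullname();

		// update flag => array(setter, attribute setting, keep only the first ';'-separated value)
		$optionalFields = array(
			'shib_update_institution'   => array('setInstitution',   'shib_institution',   false),
			'shib_update_department'    => array('setDepartment',    'shib_department',    false),
			'shib_update_street'        => array('setStreet',        'shib_street',        false),
			'shib_update_city'          => array('setCity',          'shib_city',          false),
			'shib_update_zipcode'       => array('setZipcode',       'shib_zipcode',       false),
			'shib_update_country'       => array('setCountry',       'shib_country',       false),
			'shib_update_phone_office'  => array('setPhoneOffice',   'shib_phone_office',  true),
			'shib_update_phone_home'    => array('setPhoneHome',     'shib_phone_home',    true),
			'shib_update_phone_mobile'  => array('setPhoneMobile',   'shib_phone_mobile',  true),
			'shib_update_fax'           => array('setFax',           'shib_fax',           false),
			'shib_update_matriculation' => array('setMatriculation', 'shib_matriculation', false),
			'shib_update_email'         => array('setEmail',         'shib_email',         true),
			'shib_update_hobby'         => array('setHobby',         'shib_hobby',         false),
			'shib_update_language'      => array('setLanguage',      'shib_language',      false),
		);

		foreach ($optionalFields as $flag => $spec) {
			if (!$ilias->getSetting($flag)) {
				continue;
			}
			list($setter, $attribute, $firstOnly) = $spec;
			$value = $this->_shibValue($attribute);
			$userObj->$setter($firstOnly ? $this->getFirstString($value) : $value);
		}

		// Include custom code that can be used to further modify certain
		// Shibboleth user attributes. The path comes from an administrator
		// setting, not from the request.
		$dataConv = $this->_dataConversionScript();
		if ($dataConv != '') {
			include($dataConv);
		}

		$userObj->update();
	}

	/**
	 * Reads the Shibboleth attribute whose $_SERVER name is configured in the
	 * given ILIAS setting.
	 *
	 * @param string $setting name of the 'shib_*' setting holding the $_SERVER key
	 * @return string attribute value, '' when the setting or the attribute is absent
	 * @access private
	 */
	function _shibValue($setting)
	{
		global $ilias;

		$key = $ilias->getSetting($setting);
		if ($key == '' || !isset($_SERVER[$key])) {
			return '';
		}

		return $_SERVER[$key];
	}

	/**
	 * Gender as delivered by Shibboleth, if gender updates are enabled and the
	 * value is one ILIAS understands.
	 *
	 * @return string 'm', 'f' or ''
	 * @access private
	 */
	function _genderFromShib()
	{
		global $ilias;

		if (!$ilias->getSetting('shib_update_gender')) {
			return '';
		}

		$gender = $this->_shibValue('shib_gender');

		return ($gender == 'm' || $gender == 'f') ? $gender : '';
	}

	/**
	 * Path of the data conversion script configured in 'shib_data_conv', or ''
	 * when none is configured or the file is not readable.
	 *
	 * @return string
	 * @access private
	 */
	function _dataConversionScript()
	{
		global $ilias;

		$script = $ilias->getSetting('shib_data_conv');
		if ($script && $script != '' && is_readable($script)) {
			return $script;
		}

		return '';
	}

	/**
	 * Random placeholder password in the IL_PASSWD_MD5 storage format, so that
	 * a Shibboleth account can never be used for a local password login.
	 *
	 * @return string
	 * @access private
	 */
	function _randomPasswordHash()
	{
		// end() needs a variable, passing the call result directly raises a notice
		$passwords = ilUtil::generatePasswords(1);

		return md5(end($passwords));
	}

	/**
	 * Registers $username as authenticated in the session.
	 *
	 * NOTE(review): the session id is not regenerated here; whether
	 * session_regenerate_id() is safe with ILIAS' own session handler has to be
	 * confirmed before adding it.
	 *
	 * @param string $username ILIAS login
	 */
	function setAuth($username)
	{
		$session = &$this->_importGlobalVariable('session');

		if (!isset($session[$this->_sessionName]) || !is_array($session[$this->_sessionName])) {
			$session[$this->_sessionName] = array();
		}

		if (!isset($session[$this->_sessionName]['data'])) {
			$session[$this->_sessionName]['data'] = array();
		}

		$now = time();
		$session[$this->_sessionName]['registered'] = true;
		$session[$this->_sessionName]['username'] = $username;
		$session[$this->_sessionName]['timestamp'] = $now;
		$session[$this->_sessionName]['idle'] = $now;
	}

	/**
	 * Removes the authentication record from the session and clears $username.
	 */
	function logout()
	{
		$session = &$this->_importGlobalVariable('session');

		$this->username = '';

		unset($session[$this->_sessionName]);
	}

	/**
	 * Login name stored in the session by setAuth().
	 *
	 * @return string '' when no user is registered
	 */
	function getUsername()
	{
		$session = &$this->_importGlobalVariable('session');

		if (!isset($session[$this->_sessionName]['username'])) {
			return '';
		}

		return $session[$this->_sessionName]['username'];
	}

	/**
	 * Status of the last failed check: AUTH_IDLED, AUTH_EXPIRED or
	 * AUTH_WRONG_LOGIN; '' when no failure was recorded.
	 *
	 * @return int|string
	 */
	function getStatus()
	{
		// was `return $status;` — an undefined local — so callers always got null
		return $this->status;
	}

	/**
	 * Returns a reference to one of the PHP superglobals.
	 *
	 * @param string $variable 'server', 'session', 'post', 'cookie' or 'get' (case-insensitive)
	 * @return array|null reference to the superglobal, null for an unknown name
	 * @access private
	 */
	function &_importGlobalVariable($variable)
	{
		$var = null;

		switch (strtolower($variable)) {
			case 'server':
				$var = &$_SERVER;
				break;

			case 'session':
				$var = &$_SESSION;
				break;

			case 'post':
				$var = &$_POST;
				break;

			case 'cookie':
				$var = &$_COOKIE;
				break;

			case 'get':
				$var = &$_GET;
				break;

			default:
				break;
		}

		return $var;
	}

	/**
	 * Determines the ILIAS login for the current Shibboleth identity.
	 *
	 * Returns the login of the account already mapped to the Shibboleth id
	 * (ext_account), otherwise a new, unused login built from first and last
	 * name ("First Last", then "First Last 2", "First Last 3", ...). The data
	 * conversion API may overrule this, but has to do so itself.
	 *
	 * @return string|null null when the login attribute is empty
	 */
	function generateLogin()
	{
		global $ilias, $ilDB;

		$shibID = $this->_shibValue('shib_login');

		if (trim($shibID) == '') {
			return null;
		}

		$firstname = $this->getFirstString($this->_shibValue('shib_firstname'));
		$lastname = $this->getFirstString($this->_shibValue('shib_lastname'));

		// For backwards compatibility with previous versions, which used the
		// passwd field as mapping attribute for Shibboleth users: move such
		// mappings to ext_account and give the row a random password.
		// All values go through $ilDB->quote(); keep it that way.
		$ilias->db->query(
			"UPDATE usr_data SET auth_mode='shibboleth', passwd=" . $ilDB->quote($this->_randomPasswordHash())
			. ', ext_account=' . $ilDB->quote($shibID)
			. ' WHERE passwd=' . $ilDB->quote($shibID)
		);

		// Let's see if the user already is registered
		$local_user = ilObjUser::_checkExternalAuthAccount('shibboleth', $shibID);
		if ($local_user) {
			return $local_user;
		}

		// User doesn't seem to exist yet: generate a new username
		$candidate = $firstname . ' ' . $lastname;

		if (!ilObjUser::getUserIdByLogin($candidate)) {
			return $candidate;
		}

		// Append a number if the username already is taken
		$number = 2;
		while (ilObjUser::getUserIdByLogin($candidate . ' ' . $number)) {
			$number++;
		}

		return $candidate . ' ' . $number;
	}

	/**
	 * First value of a ';'-separated Shibboleth multi-value attribute, with
	 * trailing whitespace removed.
	 *
	 * @param string|null $string
	 * @return string '' for an empty or missing attribute
	 */
	function getFirstString($string)
	{
		// explode() replaces the regex based split(), which was removed in PHP 7
		$list = explode(';', (string) $string);

		return rtrim($list[0]);
	}

} // END class ShibAuth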
00625 ?>
