ILIAS  Release_4_4_x_branch Revision 61816
 All Data Structures Namespaces Files Functions Variables Groups Pages
Public Member Functions | Static Public Member Functions | Data Fields | Static Private Member Functions
ShibAuth Class Reference
+ Inheritance diagram for ShibAuth:
+ Collaboration diagram for ShibAuth:

Public Member Functions

 __construct ($authParams, $updateUserData=false)
 supportsRedirects ()
 setIdle ($time, $add=false)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa.
 setExpire ($time, $add=false)
 Set the maximum expire time.
 login ()
 Login function.
 setAuth ($username, ilObjUser $userObj=NULL)
 logout ()
 Logout function.
 generateLogin ()
 Automatically generates the username/screenname of a Shibboleth user or returns the user's already existing username.
- Public Member Functions inherited from Auth
 Auth ($storageDriver, $options= '', $loginFunction= '', $showLogin=true)
 Constructor.
applyAuthOptions (&$options)
 Set the Auth options.
 _loadStorage ()
 Load Storage Driver if not already loaded.
 assignData ()
 Assign data from login form to internal values.
 start ()
 Start new auth session.
 setSessionName ($name= 'session')
 Set name of the session to a customized value.
 setShowLogin ($showLogin=true)
 Should the login form be displayed if neccessary?
 setAllowLogin ($allowLogin=true)
 Should the login form be displayed if neccessary?
 setCheckAuthCallback ($checkAuthCallback)
 Register a callback function to be called whenever the validity of the login is checked The function will receive two parameters, the username and a reference to the auth object.
 setLoginCallback ($loginCallback)
 Register a callback function to be called on user login.
 setFailedLoginCallback ($loginFailedCallback)
 Register a callback function to be called on failed user login.
 setLogoutCallback ($logoutCallback)
 Register a callback function to be called on user logout.
 setAuthData ($name, $value, $overwrite=true)
 Register additional information that is to be stored in the session.
 getAuthData ($name=null)
 Get additional information that is stored in the session.
 setAuth ($username)
 Register variable in a session telling that the user has logged in successfully.
 setAdvancedSecurity ($flag=true)
 Enables advanced security checks.
 checkAuth ()
 Checks if there is a session with valid auth information.
 getAuth ()
 Has the user been authenticated?
 updateIdle ()
 Update the idletime.
 getUsername ()
 Get the username.
 getStatus ()
 Get the current status.
 getPostUsernameField ()
 Gets the post varible used for the username.
 getPostPasswordField ()
 Gets the post varible used for the username.
 sessionValidThru ()
 Returns the time up to the session is valid.
 listUsers ()
 List all users that are currently available in the storage container.
 addUser ($username, $password, $additional= '')
 Add user to the storage container.
 removeUser ($username)
 Remove user from the storage container.
 changePassword ($username, $password)
 Change password for user in the storage container.
 log ($message, $level=AUTH_LOG_DEBUG)
 Log a message from the Auth system.
 _loadLogger ()
 Load Log object if not already loaded.
 attachLogObserver (&$observer)
 Attach an Observer to the Auth Log Source.
 _isAdvancedSecurityEnabled ($feature=null)
 Is advanced security enabled?
- Public Member Functions inherited from ilAuthBase
 getContainer ()
 Get container object.
 getExceededUserName ()

Static Public Member Functions

static toAscii ($string)
 Replaces any non-ASCII character by its linguistically most logical substitution.
- Static Public Member Functions inherited from Auth
_factory ($driver, $options= '')
 Return a storage driver based on $driver and $options.
 staticCheckAuth ($options=null)
 Statically checks if there is a session with valid auth information.

Data Fields

 $username
 $_sessionName = '_authsession'
 $status = ''
 $expire = 0
 $idle = 0
 $idled = false
- Data Fields inherited from Auth
 $expire = 0
 $expired = false
 $idle = 0
 $idled = false
 $storage = ''
 $loginFunction = ''
 $showLogin = true
 $allowLogin = true
 $status = ''
 $username = ''
 $password = ''
 $checkAuthCallback = ''
 $loginCallback = ''
 $loginFailedCallback = ''
 $logoutCallback = ''
 $_sessionName = '_authsession'
 $version = "@version@"
 $advancedsecurity = false
 $_postUsername = 'username'
 $_postPassword = 'password'
 $session
 $server
 $post
 $cookie
 $authdata
 $authChecks = 0
 $logger = null
 $enableLogging = false
 $regenerateSessionId = false

Static Private Member Functions

static getFirstString ($string)
 Cleans and returns first of potential many values (multi-valued attributes)

Additional Inherited Members

- Protected Member Functions inherited from ilAuthBase
 initAuth ()
 Init auth object Enable logging, set callbacks...
 loginObserver ($a_username, $a_auth)
 Called after successful login.
 failedLoginObserver ($a_username, $a_auth)
 Called after failed login.
 checkAuthObserver ($a_username, $a_auth)
 Called after each check auth request.
 logoutObserver ($a_username, $a_auth)
 Called after logout.
- Protected Attributes inherited from ilAuthBase
 $sub_status = null
 $exceeded_user_name

Detailed Description

Definition at line 40 of file class.ilShibboleth.php.

Constructor & Destructor Documentation

ShibAuth::__construct (   $authParams,
  $updateUserData = false 
)
Parameters
$authParams
bool$updateUserData

Definition at line 93 of file class.ilShibboleth.php.

References Auth\Auth(), and Auth\setSessionName().

{
if ($authParams['sessionName'] != '') {
parent::Auth('', array( 'sessionName' => $authParams['sessionName'] ));
} else {
parent::Auth('');
}
$this->updateUserData = $updateUserData;
if (! empty($authParams['sessionName'])) {
$this->setSessionName($authParams['sessionName']);
unset($authParams['sessionName']);
}
}

+ Here is the call graph for this function:

Member Function Documentation

ShibAuth::generateLogin ( )

Automatically generates the username/screenname of a Shibboleth user or returns the user's already existing username.

private

Returns
String Generated username

Definition at line 368 of file class.ilShibboleth.php.

References ilObjUser\_checkExternalAuthAccount(), ilUtil\generatePasswords(), getFirstString(), ilObjUser\getUserIdByLogin(), and toAscii().

Referenced by login().

{
global $ilias, $ilDB;
$shibID = $_SERVER[$ilias->getSetting('shib_login')];
$lastname = self::getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]);
$firstname = self::getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]);
if (trim($shibID) == '') {
return;
}
//***********************************************//
// For backwards compatibility with previous versions
// We use the passwd field as mapping attribute for Shibboleth users
// because they don't need a password
$ilias->db->query("UPDATE usr_data SET auth_mode='shibboleth', passwd="
. $ilDB->quote(md5(end(ilUtil::generatePasswords(1)))) . ', ext_account=' . $ilDB->quote($shibID)
. ' WHERE passwd=' . $ilDB->quote($shibID));
//***********************************************//
// Let's see if user already is registered
$local_user = ilObjUser::_checkExternalAuthAccount('shibboleth', $shibID);
if ($local_user) {
return $local_user;
}
// Let's see if user already is registered but authenticates by ldap
$local_user = ilObjUser::_checkExternalAuthAccount('ldap', $shibID);
if ($local_user) {
return $local_user;
}
// User doesn't seem to exist yet
// Generate new username
// This can be overruled by the data conversion API but you have
// to do it yourself in that case
// Generate the username out of the first character of firstname and the
// first word in lastname (adding the second one if the login is too short,
// avoiding meaningless last names like 'von' or 'd' and eliminating
// non-ASCII-characters, spaces, dashes etc.
$ln_arr = preg_split("/[ ' -;]/", $lastname);
$login = substr($this->toAscii($firstname), 0, 1) . '.' . $this->toAscii($ln_arr[0]);
if (strlen($login) < 6) {
$login .= $this->toAscii($ln_arr[1]);
}
$prefix = strtolower($login);
// If the user name didn't contain any ASCII characters, assign the
// name 'shibboleth' followed by a number, starting with 1.
if (strlen($prefix) == 0) {
$prefix = 'shibboleth';
$number = 1;
} else {
// Try if the login name is not already taken
if (! ilObjUser::getUserIdByLogin($prefix)) {
return $prefix;
}
// If the login name is in use, append a number, starting with 2.
$number = 2;
}
// Append a number, if the username is already taken
while (ilObjUser::getUserIdByLogin($prefix . $number)) {
$number ++;
}
return $prefix . $number;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

static ShibAuth::getFirstString (   $string)
staticprivate

Cleans and returns first of potential many values (multi-valued attributes)

private

Parameters
A$string

Definition at line 441 of file class.ilShibboleth.php.

Referenced by generateLogin(), and login().

{
$list = explode(';', $string);
$clean_string = rtrim($list[0]);
return $clean_string;
}

+ Here is the caller graph for this function:

ShibAuth::login ( )

Login function.

private

Returns
void

Reimplemented from Auth.

Definition at line 162 of file class.ilShibboleth.php.

References $_GET, $ilSetting, $username, ilObjUser\_updateLastLogin(), AUTH_WRONG_LOGIN, ilShibbolethRoleAssignmentRules\doAssignments(), generateLogin(), ilUtil\generatePasswords(), getFirstString(), ilShibbolethPluginWrapper\getInstance(), ilObjUser\getUserIdByLogin(), IL_PASSWD_MD5, ilUtil\redirect(), setAuth(), and ilShibbolethRoleAssignmentRules\updateAssignments().

{
global $ilias, $ilSetting;
if (! empty($_SERVER[$ilias->getSetting('shib_login')])) {
// Store user's Shibboleth sessionID for logout
$this->session['shibboleth_session_id'] = $_SERVER['Shib-Session-ID'];
// Get loginname of user, new login name is generated if user is new
$username = $this->generateLogin();
// Authorize this user
$userObj = new ilObjUser();
$this->setAuth($username, $userObj);
// Check wether this account exists already, if not create it
if (! ilObjUser::getUserIdByLogin($username)) {
$newUser['firstname'] = self::getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]);
$newUser['lastname'] = self::getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]);
$newUser['login'] = $username;
// Password must be random to prevent users from manually log in using the login data from Shibboleth users
$newUser['passwd'] = md5(end(ilUtil::generatePasswords(1)));
$newUser['passwd_type'] = IL_PASSWD_MD5;
if ($ilias->getSetting('shib_update_gender') AND ($_SERVER[$ilias->getSetting('shib_gender')] == 'm' OR
$_SERVER[$ilias->getSetting('shib_gender')] == 'f')
) {
$newUser['gender'] = $_SERVER[$ilias->getSetting('shib_gender')];
}
// Save mapping between ILIAS user and Shibboleth uniqueID
$newUser['ext_account'] = $_SERVER[$ilias->getSetting('shib_login')];
// other data
$newUser['title'] = $_SERVER[$ilias->getSetting('shib_title')];
$newUser['institution'] = $_SERVER[$ilias->getSetting('shib_institution')];
$newUser['department'] = $_SERVER[$ilias->getSetting('shib_department')];
$newUser['street'] = $_SERVER[$ilias->getSetting('shib_street')];
$newUser['city'] = $_SERVER[$ilias->getSetting('shib_city')];
$newUser['zipcode'] = $_SERVER[$ilias->getSetting('shib_zipcode')];
$newUser['country'] = $_SERVER[$ilias->getSetting('shib_country')];
$newUser['phone_office'] = self::getFirstString($_SERVER[$ilias->getSetting('shib_phone_office')]);
$newUser['phone_home'] = self::getFirstString($_SERVER[$ilias->getSetting('shib_phone_home')]);
$newUser['phone_mobile'] = self::getFirstString($_SERVER[$ilias->getSetting('shib_phone_mobile')]);
$newUser['fax'] = self::getFirstString($_SERVER[$ilias->getSetting('shib_fax')]);
$newUser['matriculation'] = $_SERVER[$ilias->getSetting('shib_matriculation')];
$newUser['email'] = self::getFirstString($_SERVER[$ilias->getSetting('shib_email')]);
$newUser['hobby'] = $_SERVER[$ilias->getSetting('shib_hobby')];
$newUser['auth_mode'] = 'shibboleth';
// system data
$userObj->assignData($newUser);
$userObj->setTitle($userObj->getFullname());
$userObj->setDescription($userObj->getEmail());
$userObj->setLanguage(self::getFirstString($_SERVER[$ilias->getSetting('shib_language')]));
// Time limit
$userObj->setTimeLimitOwner(7);
$userObj->setTimeLimitUnlimited(1);
$userObj->setTimeLimitFrom(time());
$userObj->setTimeLimitUntil(time());
// Modify user data before creating the user
// Include custom code that can be used to further modify
// certain Shibboleth user attributes
if ($ilias->getSetting('shib_data_conv') AND
$ilias->getSetting('shib_data_conv') != '' AND is_readable($ilias->getSetting('shib_data_conv'))
) {
include($ilias->getSetting('shib_data_conv'));
}
// Create use in DB
$userObj = ilShibbolethPluginWrapper::getInstance()->beforeCreateUser($userObj);
$userObj->create();
$userObj->setActive(1);
$userObj->updateOwner();
//insert user data in table user_data
$userObj->saveAsNew();
// store acceptance of user agreement
//$userObj->writeAccepted();
// Default prefs
$userObj->setPref('hits_per_page', $ilSetting->get('hits_per_page', 30));
$userObj->setPref('show_users_online', $ilSetting->get('show_users_online', 'y'));
// setup user preferences
$userObj->writePrefs();
$userObj = ilShibbolethPluginWrapper::getInstance()->afterCreateUser($userObj);
//set role entries
#$rbacadmin->assignUser($ilias->getSetting('shib_user_default_role'), $userObj->getId(),true);
// New role assignment
ilShibbolethRoleAssignmentRules::doAssignments($userObj->getId(), $_SERVER);
// Authorize this user
$this->setAuth($userObj->getLogin(), $userObj);
} else {
// Update user account
$uid = $userObj->checkUserId();
$userObj->setId($uid);
$userObj->read($uid);
if ($ilias->getSetting('shib_update_gender') AND ($_SERVER[$ilias->getSetting('shib_gender')] == 'm' OR
$_SERVER[$ilias->getSetting('shib_gender')] == 'f')
) {
$userObj->setGender($_SERVER[$ilias->getSetting('shib_gender')]);
}
if ($ilias->getSetting('shib_update_title')) {
$userObj->setTitle($_SERVER[$ilias->getSetting('shib_title')]);
}
$userObj->setFirstname(self::getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]));
$userObj->setLastname(self::getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]));
$userObj->setFullname();
$userObj->setTitle($userObj->getFullname());
$userObj->setDescription($userObj->getEmail());
if ($ilias->getSetting('shib_update_institution')) {
$userObj->setInstitution($_SERVER[$ilias->getSetting('shib_institution')]);
}
if ($ilias->getSetting('shib_update_department')) {
$userObj->setDepartment($_SERVER[$ilias->getSetting('shib_department')]);
}
if ($ilias->getSetting('shib_update_street')) {
$userObj->setStreet($_SERVER[$ilias->getSetting('shib_street')]);
}
if ($ilias->getSetting('shib_update_city')) {
$userObj->setCity($_SERVER[$ilias->getSetting('shib_city')]);
}
if ($ilias->getSetting('shib_update_zipcode')) {
$userObj->setZipcode($_SERVER[$ilias->getSetting('shib_zipcode')]);
}
if ($ilias->getSetting('shib_update_country')) {
$userObj->setCountry($_SERVER[$ilias->getSetting('shib_country')]);
}
if ($ilias->getSetting('shib_update_phone_office')) {
$userObj->setPhoneOffice(self::getFirstString($_SERVER[$ilias->getSetting('shib_phone_office')]));
}
if ($ilias->getSetting('shib_update_phone_home')) {
$userObj->setPhoneHome(self::getFirstString($_SERVER[$ilias->getSetting('shib_phone_home')]));
}
if ($ilias->getSetting('shib_update_phone_mobile')) {
$userObj->setPhoneMobile(self::getFirstString($_SERVER[$ilias->getSetting('shib_phone_mobile')]));
}
if ($ilias->getSetting('shib_update_fax')) {
$userObj->setFax($_SERVER[$ilias->getSetting('shib_fax')]);
}
if ($ilias->getSetting('shib_update_matriculation')) {
$userObj->setMatriculation($_SERVER[$ilias->getSetting('shib_matriculation')]);
}
if ($ilias->getSetting('shib_update_email')) {
$userObj->setEmail(self::getFirstString($_SERVER[$ilias->getSetting('shib_email')]));
}
if ($ilias->getSetting('shib_update_hobby')) {
$userObj->setHobby($_SERVER[$ilias->getSetting('shib_hobby')]);
}
if ($ilias->getSetting('shib_update_language')) {
$userObj->setLanguage($_SERVER[$ilias->getSetting('shib_language')]);
}
// Include custom code that can be used to further modify
// certain Shibboleth user attributes
if ($ilias->getSetting('shib_data_conv') AND
$ilias->getSetting('shib_data_conv') != '' AND is_readable($ilias->getSetting('shib_data_conv'))
) {
include($ilias->getSetting('shib_data_conv'));
}
$userObj = ilShibbolethPluginWrapper::getInstance()->beforeUpdateUser($userObj);
$userObj->update();
$userObj = ilShibbolethPluginWrapper::getInstance()->afterUpdateUser($userObj);
// Update role assignments
ilShibbolethRoleAssignmentRules::updateAssignments($userObj->getId(), $_SERVER);
}
ilObjUser::_updateLastLogin($userObj->getId());
// we are authenticated: redirect, if possible
if ($_GET['target'] != '') {
ilUtil::redirect('goto.php?target=' . $_GET['target'] . '&client_id=' . CLIENT_ID);
}
} else {
// This should never occur unless Shibboleth is not configured properly
$this->status = AUTH_WRONG_LOGIN;
}
}

+ Here is the call graph for this function:

ShibAuth::logout ( )

Logout function.

This function clears any auth tokens in the currently active session and executes the logout callback function, if any

public

Returns
void

Reimplemented from Auth.

Definition at line 353 of file class.ilShibboleth.php.

References $ilUser, and ilShibbolethPluginWrapper\getInstance().

{
global $ilUser;
ilShibbolethPluginWrapper::getInstance()->beforeLogout($ilUser);
parent::logout();
ilShibbolethPluginWrapper::getInstance()->afterLogout($ilUser);
}

+ Here is the call graph for this function:

ShibAuth::setAuth (   $username,
ilObjUser  $userObj = NULL 
)
Parameters
$username
ilObjUser$userObj

Definition at line 332 of file class.ilShibboleth.php.

References $username, and ilShibbolethPluginWrapper\getInstance().

Referenced by login().

{
if ($userObj) {
ilShibbolethPluginWrapper::getInstance()->beforeLogin($userObj);
}
parent::setAuth($username);
if ($userObj) {
ilShibbolethPluginWrapper::getInstance()->afterLogin($userObj);
}
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

ShibAuth::setExpire (   $time,
  $add = false 
)

Set the maximum expire time.

public

Parameters
integertime in seconds
booladd time to current expire time or not
Returns
void

Reimplemented from Auth.

Definition at line 147 of file class.ilShibboleth.php.

{
if ($add) {
$this->expire += $time;
} else {
$this->expire = $time;
}
}
ShibAuth::setIdle (   $time,
  $add = false 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa.

public

Parameters
$time
bool$add

Reimplemented from Auth.

Definition at line 128 of file class.ilShibboleth.php.

{
if ($add) {
$this->idle += $time;
} else {
$this->idle = $time;
}
}
ShibAuth::supportsRedirects ( )
Returns
bool

Reimplemented from ilAuthBase.

Definition at line 110 of file class.ilShibboleth.php.

{
return true;
}
static ShibAuth::toAscii (   $string)
static

Replaces any non-ASCII character by its linguistically most logical substitution.

private

Parameters
A$string

Definition at line 462 of file class.ilShibboleth.php.

References UtfNormal\toNFKD().

Referenced by generateLogin().

{
// Normalize to NFKD.
// This separates letters from combining marks.
// See http://unicode.org/reports/tr15
$string = UtfNormal::toNFKD($string);
// Replace german usages of diaeresis by appending an e
$string = preg_replace('/([aouAOU])\\xcc\\x88/', '\\1e', $string);
// Replace the combined ae character by separated a and e
$string = preg_replace('/\\xc3\\x86/', 'AE', $string);
$string = preg_replace('/\\xc3\\xa6/', 'ae', $string);
// Replace the combined thorn character by th
$string = preg_replace('/\\xc3\\x9e/', 'TH', $string);
$string = preg_replace('/\\xc3\\xbe/', 'th', $string);
// Replace the letter eth by d
$string = preg_replace('/\\xc3\\x90/', 'D', $string);
$string = preg_replace('/\\xc4\\x91/', 'd', $string);
$string = preg_replace('/\\xc4\\x90/', 'D', $string);
// Replace the combined ss character
$string = preg_replace('/\\xc3\\x9f/', 'ss', $string);
// Get rid of everything except the characters a to z and the hyphen
$string = preg_replace('/[^a-zA-Z\-]/i', '', $string);
return $string;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Field Documentation

ShibAuth::$_sessionName = '_authsession'

Definition at line 53 of file class.ilShibboleth.php.

ShibAuth::$expire = 0

Definition at line 68 of file class.ilShibboleth.php.

ShibAuth::$idle = 0

Definition at line 79 of file class.ilShibboleth.php.

ShibAuth::$idled = false

Definition at line 86 of file class.ilShibboleth.php.

ShibAuth::$status = ''

Definition at line 59 of file class.ilShibboleth.php.

ShibAuth::$username

Definition at line 47 of file class.ilShibboleth.php.

Referenced by login(), and setAuth().

The documentation for this class was generated from the following file: