ILIAS  eassessment Revision 61809
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilAuthUtils.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 
6 // define auth modes
7 define ("AUTH_LOCAL",1);
8 define ("AUTH_LDAP",2);
9 define ("AUTH_RADIUS",3);
10 define ("AUTH_SCRIPT",4);
11 define ("AUTH_SHIBBOLETH",5);
12 define ("AUTH_CAS",6);
13 define ("AUTH_SOAP",7);
14 // BEGIN WebDAV: Add support for HTTP authentication
15 define ("AUTH_HTTP",8);
16 // END WebDAV: Add support for HTTP authentication
17 define ("AUTH_ECS",9);
18 define('AUTH_OPENID',10);
19 
20 define ("AUTH_APACHE",11);
21 
22 define ("AUTH_INACTIVE",18);
23 
24 define('AUTH_MULTIPLE',20);
25 
26 define('AUTH_SOAP_NO_ILIAS_USER', -100);
27 define('AUTH_LDAP_NO_ILIAS_USER',-200);
28 define('AUTH_RADIUS_NO_ILIAS_USER',-300);
29 define('AUTH_OPENID_NO_ILIAS_USER',-400);
30 
31 // apache auhtentication failed...
32 // maybe no (valid) certificate or
33 // username could not be extracted
34 define('AUTH_APACHE_FAILED', -500);
35 
36 
37 define('AUTH_MODE_INACTIVE',-1000);
38 
39 
40 // an external user cannot be found in ilias, but his email address
41 // matches one or more ILIAS users
42 define('AUTH_SOAP_NO_ILIAS_USER_BUT_EMAIL', -101);
43 define('AUTH_CAS_NO_ILIAS_USER', -90);
44 
45 include_once './Services/Authentication/classes/class.ilAuthFactory.php';
46 require_once('Services/Authentication/classes/class.ilSessionControl.php');
47 
48 
56 class ilAuthUtils
57 {
58  const LOCAL_PWV_FULL = 1;
59  const LOCAL_PWV_NO = 2;
60  const LOCAL_PWV_USER = 3;
61 
62 
66  function _initAuth()
67  {
68  global $ilAuth, $ilSetting, $ilDB, $ilClientIniFile,$ilBench;
69 
70  $user_auth_mode = false;
71  $ilBench->start('Auth','initAuth');
72 
73 
74  // get default auth mode
75  //$default_auth_mode = $this->getSetting("auth_mode");
76  define ("AUTH_DEFAULT", $ilSetting->get("auth_mode") ? $ilSetting->get("auth_mode") : AUTH_LOCAL);
77 
78  // determine authentication method if no session is found and username & password is posted
79  // does this if statement make any sense? we enter this block nearly everytime.
80 
81  if (empty($_SESSION) ||
82  (!isset($_SESSION['_authsession']['registered']) ||
83  $_SESSION['_authsession']['registered'] !== true))
84  {
85  // no sesssion found
86  if (isset($_POST['username']) and $_POST['username'] != '' and $_POST['password'] != '' or isset($_GET['ecs_hash']) or isset($_POST['oid_username']) or isset($_GET['oid_check_status']))
87  {
88  $user_auth_mode = ilAuthUtils::_getAuthModeOfUser($_POST['username'], $_POST['password'], $ilDB);
89 
90  if ($user_auth_mode == AUTH_CAS && $ilSetting->get("cas_allow_local"))
91  {
92  $user_auth_mode = AUTH_LOCAL;
93  }
94  if ($user_auth_mode == AUTH_SOAP && $ilSetting->get("soap_auth_allow_local"))
95  {
96  $user_auth_mode = AUTH_LOCAL;
97  }
98  if ($user_auth_mode == AUTH_SHIBBOLETH && $ilSetting->get("shib_auth_allow_local"))
99  {
100  $user_auth_mode = AUTH_LOCAL;
101  }
102  }
103  else if ($_POST['auth_mode'] == AUTH_APACHE) {
104  $user_auth_mode = AUTH_APACHE;
105  }
106  }
107 
108  // to do: other solution?
109  if (!$ilSetting->get("soap_auth_active") && $user_auth_mode == AUTH_SOAP)
110  {
111  $user_auth_mode = AUTH_LOCAL;
112  }
113 
114  if($ilSetting->get("cas_active") && $_GET['forceCASLogin'])
115  {
116  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_CAS);
117  $user_auth_mode = AUTH_CAS;
118  }
119 
120  if($ilSetting->get("apache_active") && $user_auth_mode == AUTH_APACHE)
121  {
122  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
123  $user_auth_mode = AUTH_APACHE;
124  }
125 
126  // BEGIN WebDAV: Share session between browser and WebDAV client.
127  // The realm is needed to support a common session between Auth_HTTP and Auth.
128  // It also helps us to distinguish between parallel sessions run on different clients.
129  // Common session only works if we use a common session name starting with "_authhttp".
130  // We must use the "_authttp" prefix, because it is hardcoded in the session name of
131  // class Auth_HTTP.
132  // Whenever we use Auth_HTTP, we need to explicitly switch off "sessionSharing", because
133  // it interfers with the session mechanism of the other Auth modules. If we would
134  // keep this switched on, then users could steal each others session, which would cause
135  // a major security breach.
136  // Note: The realm and sessionName used here, must be the same as in
137  // class ilBaseAuthentication. Otherwise, Soap clients won't be able to log
138  // in to ILIAS.
139  $realm = CLIENT_ID;
140  //$this->writelog('ilias.php realm='.$realm);
141  // END WebDAV: Share session between browser and WebDAV client.
142 
143 //var_dump($_SESSION);
144 //echo "1-".$ilSetting->get("soap_auth_active")."-";
145  // if soap authentication activated and soap credentials given
146  if (($ilSetting->get("soap_auth_active") && !empty($_GET["ext_uid"])
147  && !empty($_GET["soap_pw"])) || $user_auth_mode == AUTH_SOAP)
148  {
149 
150  define('AUTH_CURRENT',AUTH_SOAP);
151  }
152  // if Shibboleth is active and the user is authenticated
153  // we set auth_mode to Shibboleth
154  else if ( $ilSetting->get("shib_active")
155  && $_SERVER[$ilSetting->get("shib_login")])
156  {
157  define ("AUTH_CURRENT", AUTH_SHIBBOLETH);
158  }
159  else
160  {
161  define ("AUTH_CURRENT", $user_auth_mode);
162  }
163 //var_dump($_SESSION);
164 
165  // Determine the authentication method to use
166  if (defined("WebDAV_Authentication") && WebDAV_Authentication == 'HTTP') {
167  // Since WebDAV clients create the login form by
168  // themselves, we can not provide buttons on the form for
169  // choosing an authentication method.
170  // If the user is already logged in, we continue using
171  // the current authentication method. If the user is
172  // not logged in yet, we use the "multiple authentication"
173  // method using a predefined sequence of authentication methods.
174  $authmode = AUTH_CURRENT ? AUTH_CURRENT : AUTH_MULTIPLE;
175  }
176  else
177  {
178  $authmode = AUTH_CURRENT;
179  }
180 //var_dump($authmode);
181  // if no auth mode selected AND default mode is AUTH_APACHE then use it...
182  if ($authmode == null && AUTH_DEFAULT == AUTH_APACHE)
183  $authmode = AUTH_APACHE;
184 
185  switch ($authmode)
186  {
187  case AUTH_LDAP:
188 
189  include_once './Services/LDAP/classes/class.ilAuthContainerLDAP.php';
190  $ilAuth = ilAuthFactory::factory(new ilAuthContainerLDAP());
191  break;
192 
193  case AUTH_RADIUS:
194 
195  include_once './Services/Radius/classes/class.ilAuthContainerRadius.php';
196  $ilAuth = ilAuthFactory::factory(new ilAuthContainerRadius());
197  break;
198 
199  case AUTH_SHIBBOLETH:
200  // build option string for SHIB::Auth
201  $auth_params = array();
202  $auth_params['sessionName'] = "_authhttp".md5($realm);
203  $ilAuth = new ShibAuth($auth_params,true);
204  break;
205 
206  case AUTH_CAS:
207 
208  include_once './Services/CAS/classes/class.ilAuthContainerCAS.php';
209  $ilAuth = ilAuthFactory::factory(new ilAuthContainerCAS());
210  break;
211 
212  case AUTH_SOAP:
213 
214  include_once './Services/SOAPAuth/classes/class.ilAuthContainerSOAP.php';
215  $ilAuth = ilAuthFactory::factory(new ilAuthContainerSOAP());
216  break;
217 
218  case AUTH_MULTIPLE:
219 
220  include_once './Services/Authentication/classes/class.ilAuthContainerMultiple.php';
221  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMultiple());
222  break;
223 
224  case AUTH_ECS:
225  include_once './Services/WebServices/ECS/classes/class.ilAuthContainerECS.php';
226  $ilAuth = ilAuthFactory::factory(new ilAuthContainerECS());
227  break;
228 
229  case AUTH_OPENID:
230 
231  include_once './Services/OpenId/classes/class.ilAuthContainerOpenId.php';
232  $ilAuth = ilAuthFactory::factory(new ilAuthContainerOpenId());
233  break;
234 
235  case AUTH_INACTIVE:
236  require_once('./Services/Authentication/classes/class.ilAuthInactive.php');
237  $ilAuth = new ilAuthInactive(AUTH_MODE_INACTIVE);
238  break;
239 
240  case AUTH_APACHE:
241  include_once './Services/AuthApache/classes/class.ilAuthContainerApache.php';
242  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
243  $ilAuth = ilAuthFactory::factory(new ilAuthContainerApache());
244  break;
245 
246  case AUTH_LOCAL:
247  default:
248 
249  global $ilLog;
250 
251  include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
252  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMDB2());
253  break;
254  }
255 
256  // Due to a bug in Pear Auth_HTTP, we can't use idle time
257  // with WebDAV clients. If we used it, users could never log
258  // back into ILIAS once their session idled out. :(
259  if (!defined("WebDAV_Authentication") || WebDAV_Authentication != 'HTTP') {
260  $ilAuth->setIdle($ilClientIniFile->readVariable("session","expire"), false);
261  }
262  $ilAuth->setExpire(0);
263 
264  ini_set("session.cookie_lifetime", "0");
265 //echo "-".get_class($ilAuth)."-";
266  $GLOBALS['ilAuth'] =& $ilAuth;
267 
268  ilSessionControl::checkExpiredSession();
269 
270  $ilBench->stop('Auth','initAuth');
271  }
272 
273  function _getAuthModeOfUser($a_username,$a_password,$a_db_handler = '')
274  {
275  global $ilDB;
276 
277  if(isset($_GET['ecs_hash']))
278  {
279  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_ECS);
280  return AUTH_ECS;
281  }
282  if(isset($_POST['auth_mode']))
283  {
284  return (int) $_POST['auth_mode'];
285  }
286  if(isset($_POST['oid_username']) or $_GET['oid_check_status'])
287  {
288  $GLOBALS['ilLog']->write(__METHOD__.' set context to open id');
289  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_OPENID);
290  return AUTH_OPENID;
291  }
292 
293  include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
294  $det = ilAuthModeDetermination::_getInstance();
295 
296  if(!$det->isManualSelection() and $det->getCountActiveAuthModes() > 1)
297  {
298  return AUTH_MULTIPLE;
299  }
300 
301 
302  $db =& $ilDB;
303 
304  if ($a_db_handler != '')
305  {
306  $db =& $a_db_handler;
307  }
308 
309  // Is it really necessary to check the auth mode with password ?
310  // Changed: smeyer
311  $q = "SELECT auth_mode FROM usr_data WHERE ".
312  "login = ".$ilDB->quote($a_username);
313  //"passwd = ".$ilDB->quote(md5($a_password))."";
314 
315 
316  $r = $db->query($q);
317  $row = $r->fetchRow(DB_FETCHMODE_OBJECT);
318 //echo "+".$row->auth_mode."+";
319 
320  $auth_mode = self::_getAuthMode($row->auth_mode,$db);
321 
322  return in_array($auth_mode,self::_getActiveAuthModes()) ? $auth_mode : AUTH_INACTIVE;
323  }
324 
325  function _getAuthMode($a_auth_mode,$a_db_handler = '')
326  {
327  global $ilDB, $ilSetting;
328 
329  $db =& $ilDB;
330 
331  if ($a_db_handler != '')
332  {
333  $db =& $a_db_handler;
334  }
335 
336  switch ($a_auth_mode)
337  {
338  case "local":
339  return AUTH_LOCAL;
340  break;
341 
342  case "ldap":
343  return AUTH_LDAP;
344  break;
345 
346  case "radius":
347  return AUTH_RADIUS;
348  break;
349 
350  case "script":
351  return AUTH_SCRIPT;
352  break;
353 
354  case "shibboleth":
355  return AUTH_SHIBBOLETH;
356  break;
357 
358  case "cas":
359  return AUTH_CAS;
360  break;
361 
362  case "soap":
363  return AUTH_SOAP;
364  break;
365 
366  case 'ecs':
367  return AUTH_ECS;
368 
369  case 'openid':
370  return AUTH_OPENID;
371 
372  case 'apache':
373  return AUTH_APACHE;
374 
375  default:
376  return $ilSetting->get("auth_mode");
377  break;
378  }
379  }
380 
381  function _getAuthModeName($a_auth_key)
382  {
383  global $ilias;
384 
385  switch ($a_auth_key)
386  {
387  case AUTH_LOCAL:
388  return "local";
389  break;
390 
391  case AUTH_LDAP:
392  return "ldap";
393  break;
394 
395  case AUTH_RADIUS:
396  return "radius";
397  break;
398 
399  case AUTH_CAS:
400  return "cas";
401  break;
402 
403  case AUTH_SCRIPT:
404  return "script";
405  break;
406 
407  case AUTH_SHIBBOLETH:
408  return "shibboleth";
409  break;
410 
411  case AUTH_SOAP:
412  return "soap";
413  break;
414 
415  case AUTH_ECS:
416  return 'ecs';
417 
418  case AUTH_APACHE:
419  return 'apache';
420 
421  case AUTH_OPENID:
422  return 'open_id';
423 
424  default:
425  return "default";
426  break;
427  }
428  }
429 
430  function _getActiveAuthModes()
431  {
432  global $ilias,$ilSetting;
433 
434  $modes = array(
435  'default' => $ilSetting->get("auth_mode"),
436  'local' => AUTH_LOCAL
437  );
438  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
439  if(count(ilLDAPServer::_getActiveServerList()))
440  {
441  $modes['ldap'] = AUTH_LDAP;
442  }
443  if ($ilSetting->get("radius_active")) $modes['radius'] = AUTH_RADIUS;
444  if ($ilSetting->get("shib_active")) $modes['shibboleth'] = AUTH_SHIBBOLETH;
445  if ($ilSetting->get("script_active")) $modes['script'] = AUTH_SCRIPT;
446  if ($ilSetting->get("cas_active")) $modes['cas'] = AUTH_CAS;
447  if ($ilSetting->get("soap_auth_active")) $modes['soap'] = AUTH_SOAP;
448  if ($ilSetting->get("apache_active")) $modes['apache'] = AUTH_APACHE;
449 
450  include_once('./Services/WebServices/ECS/classes/class.ilECSSettings.php');
451  if(ilECSSettings::_getInstance()->isEnabled())
452  {
453  $modes['ecs'] = AUTH_ECS;
454  }
455 
456  include_once './Services/OpenId/classes/class.ilOpenIdSettings.php';
457  if(ilOpenIdSettings::getInstance()->isActive())
458  {
459  $modes['openid'] = AUTH_OPENID;
460  }
461 
462  return $modes;
463  }
464 
465  function _getAllAuthModes()
466  {
467  return array(
468  AUTH_LOCAL => ilAuthUtils::_getAuthModeName(AUTH_LOCAL),
469  AUTH_LDAP => ilAuthUtils::_getAuthModeName(AUTH_LDAP),
470  AUTH_SHIBBOLETH => ilAuthUtils::_getAuthModeName(AUTH_SHIBBOLETH),
471  AUTH_CAS => ilAuthUtils::_getAuthModeName(AUTH_CAS),
472  AUTH_SOAP => ilAuthUtils::_getAuthModeName(AUTH_SOAP),
473  AUTH_RADIUS => ilAuthUtils::_getAuthModeName(AUTH_RADIUS),
474  AUTH_ECS => ilAuthUtils::_getAuthModeName(AUTH_ECS),
475  AUTH_OPENID => ilAuthUtils::_getAuthModeName(AUTH_OPENID),
476  AUTH_APACHE => ilAuthUtils::_getAuthModeName(AUTH_APACHE)
477  );
478  }
479 
484  function _generateLogin($a_login)
485  {
486  global $ilDB;
487 
488  // Check if username already exists
489  $found = false;
490  $postfix = 0;
491  $c_login = $a_login;
492  while(!$found)
493  {
494  $r = $ilDB->query("SELECT login FROM usr_data WHERE login = ".
495  $ilDB->quote($c_login));
496  if ($r->numRows() > 0)
497  {
498  $postfix++;
499  $c_login = $a_login.$postfix;
500  }
501  else
502  {
503  $found = true;
504  }
505  }
506 
507  return $c_login;
508  }
509 
510  public static function _hasMultipleAuthenticationMethods()
511  {
512  include_once('Services/Radius/classes/class.ilRadiusSettings.php');
513 
514  $rad_settings = ilRadiusSettings::_getInstance();
515  if($rad_settings->isActive())
516  {
517  return true;
518  }
519  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
520 
521  if (count(ilLDAPServer::_getActiveServerList()))
522  return true;
523 
524  global $ilSetting;
525 
526  if ($ilSetting->get('apache_active')) {
527  return true;
528  }
529  return false;
530  }
531 
532  public static function _getMultipleAuthModeOptions($lng)
533  {
534  global $ilSetting;
535 
536  // in the moment only ldap is activated as additional authentication method
537  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
538 
539  $options[AUTH_LOCAL]['txt'] = $lng->txt('authenticate_ilias');
540 
541  // LDAP
542  if($ldap_id = ilLDAPServer::_getFirstActiveServer())
543  {
544  $ldap_server = new ilLDAPServer($ldap_id);
545  $options[AUTH_LDAP]['txt'] = $ldap_server->getName();
546  }
547  include_once('Services/Radius/classes/class.ilRadiusSettings.php');
548  $rad_settings = ilRadiusSettings::_getInstance();
549  if($rad_settings->isActive())
550  {
551  $options[AUTH_RADIUS]['txt'] = $rad_settings->getName();
552  }
553 
554  if ($ilSetting->get('apache_active')) {
555  global $lng;
556  $apache_settings = new ilSetting('apache_auth');
557  $options[AUTH_APACHE]['txt'] = $apache_settings->get('name', $lng->txt('apache_auth'));
558  }
559 
560  if($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_LDAP)
561  {
562  $default = AUTH_LDAP;
563  }
564  elseif($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_RADIUS)
565  {
566  $default = AUTH_RADIUS;
567  }
568  else
569  {
570  $default = AUTH_LOCAL;
571  }
572 
573  $default = $ilSetting->get('default_auth_mode',$default);
574  $default = (int) $_REQUEST['auth_mode'] ? (int) $_REQUEST['auth_mode'] : $default;
575 
576  $options[$default]['checked'] = true;
577  return $options ? $options : array();
578  }
579 
589  public static function _isExternalAccountEnabled()
590  {
591  global $ilSetting;
592 
593  if($ilSetting->get("cas_active"))
594  {
595  return true;
596  }
597  if($ilSetting->get("soap_auth_active"))
598  {
599  return true;
600  }
601  if($ilSetting->get("shib_active"))
602  {
603  return true;
604  }
605  if($ilSetting->get('radius_active'))
606  {
607  return true;
608  }
609  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
610  if(count(ilLDAPServer::_getActiveServerList()))
611  {
612  return true;
613  }
614  include_once './Services/OpenId/classes/class.ilOpenIdSettings.php';
615  if(ilOpenIdSettings::getInstance()->isActive())
616  {
617  return true;
618  }
619  return false;
620  }
621 
630  public static function _allowPasswordModificationByAuthMode($a_auth_mode)
631  {
632  switch($a_auth_mode)
633  {
634  case AUTH_LDAP:
635  case AUTH_RADIUS:
636  case AUTH_ECS:
637  case AUTH_OPENID:
638  return false;
639  default:
640  return true;
641  }
642  }
643 
652  public static function _needsExternalAccountByAuthMode($a_auth_mode)
653  {
654  switch($a_auth_mode)
655  {
656  case AUTH_LOCAL:
657  return false;
658  default:
659  return true;
660  }
661  }
662 
668  public static function isPasswordModificationEnabled($a_authmode)
669  {
670  global $ilSetting;
671 
672  if($ilSetting->get('usr_settings_hide_password') or $ilSetting->get('usr_settings_disable_password'))
673  {
674  return false;
675  }
676 
677  switch($a_authmode)
678  {
679  // No local passwords for these auth modes
680  case AUTH_LDAP:
681  case AUTH_RADIUS:
682  case AUTH_ECS:
683  case AUTH_SCRIPT:
684  return false;
685 
686  // Always for openid and local
687  case AUTH_LOCAL:
688  case AUTH_OPENID:
689  return true;
690 
691  // Read setting:
692  case AUTH_SHIBBOLETH:
693  return $ilSetting->get("shib_auth_allow_local");
694  case AUTH_SOAP:
695  return $ilSetting->get("soap_auth_allow_local");
696  case AUTH_CAS:
697  return $ilSetting->get("cas_allow_local");
698  }
699  }
700 
706  public static function supportsLocalPasswordValidation($a_authmode)
707  {
708  switch($a_authmode)
709  {
710  case AUTH_LDAP:
711  case AUTH_LOCAL:
712  case AUTH_RADIUS:
713  return ilAuthUtils::LOCAL_PWV_FULL;
714 
715  case AUTH_SHIBBOLETH:
716  case AUTH_SOAP:
717  case AUTH_CAS:
718  if(!ilAuthUtils::isPasswordModificationEnabled($a_authmode))
719  {
720  return ilAuthUtils::LOCAL_PWV_NO;
721  }
722  return ilAuthUtils::LOCAL_PWV_USER;
723 
724  case AUTH_ECS:
725  case AUTH_OPENID:
726  case AUTH_SCRIPT:
727  case AUTH_APACHE:
728  default:
729  return ilAuthUtils::LOCAL_PWV_USER;
730  }
731  }
732 }
733 ?>