ILIAS  release_4-3 Revision
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilAuthUtils.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 
6 // define auth modes
7 define ("AUTH_LOCAL",1);
8 define ("AUTH_LDAP",2);
9 define ("AUTH_RADIUS",3);
10 define ("AUTH_SCRIPT",4);
11 define ("AUTH_SHIBBOLETH",5);
12 define ("AUTH_CAS",6);
13 define ("AUTH_SOAP",7);
14 // BEGIN WebDAV: Add support for HTTP authentication
15 define ("AUTH_HTTP",8);
16 // END WebDAV: Add support for HTTP authentication
17 define ("AUTH_ECS",9);
18 define('AUTH_OPENID',10);
19 
20 define ("AUTH_APACHE",11);
21 
22 define ("AUTH_INACTIVE",18);
23 
24 define('AUTH_MULTIPLE',20);
25 
26 define('AUTH_SOAP_NO_ILIAS_USER', -100);
27 define('AUTH_LDAP_NO_ILIAS_USER',-200);
28 define('AUTH_RADIUS_NO_ILIAS_USER',-300);
29 define('AUTH_OPENID_NO_ILIAS_USER',-400);
30 
31 // apache auhtentication failed...
32 // maybe no (valid) certificate or
33 // username could not be extracted
34 define('AUTH_APACHE_FAILED', -500);
35 
36 
37 define('AUTH_MODE_INACTIVE',-1000);
38 
39 // an external user cannot be found in ilias, but his email address
40 // matches one or more ILIAS users
41 define('AUTH_SOAP_NO_ILIAS_USER_BUT_EMAIL', -101);
42 define('AUTH_CAS_NO_ILIAS_USER', -90);
43 
44 // ilUser validation (no login)
45 define('AUTH_USER_WRONG_IP', -600);
46 define('AUTH_USER_INACTIVE', -601);
47 define('AUTH_USER_TIME_LIMIT_EXCEEDED', -602);
48 define('AUTH_USER_SIMULTANEOUS_LOGIN', -603);
49 
50 
51 include_once './Services/Authentication/classes/class.ilAuthFactory.php';
52 require_once('Services/Authentication/classes/class.ilSessionControl.php');
53 
54 
62 class ilAuthUtils
63 {
64  const LOCAL_PWV_FULL = 1;
65  const LOCAL_PWV_NO = 2;
66  const LOCAL_PWV_USER = 3;
67 
68 
72  function _initAuth()
73  {
74  global $ilAuth, $ilSetting, $ilDB, $ilClientIniFile,$ilBench;
75 
76  $user_auth_mode = false;
77  $ilBench->start('Auth','initAuth');
78 
79 
80  // get default auth mode
81  //$default_auth_mode = $this->getSetting("auth_mode");
82  define ("AUTH_DEFAULT", $ilSetting->get("auth_mode") ? $ilSetting->get("auth_mode") : AUTH_LOCAL);
83 
84  // determine authentication method if no session is found and username & password is posted
85  // does this if statement make any sense? we enter this block nearly everytime.
86 
87  if (empty($_SESSION) ||
88  (!isset($_SESSION['_authsession']['registered']) ||
89  $_SESSION['_authsession']['registered'] !== true))
90  {
91  // no sesssion found
92  if (isset($_POST['username']) and $_POST['username'] != '' and $_POST['password'] != '' or isset($_GET['ecs_hash']) or isset($_GET['ecs_hash_url']) or isset($_POST['oid_username']) or isset($_GET['oid_check_status']))
93  {
94  $user_auth_mode = ilAuthUtils::_getAuthModeOfUser($_POST['username'], $_POST['password'], $ilDB);
95 
96  if ($user_auth_mode == AUTH_CAS && $ilSetting->get("cas_allow_local"))
97  {
98  $user_auth_mode = AUTH_LOCAL;
99  }
100  if ($user_auth_mode == AUTH_SOAP && $ilSetting->get("soap_auth_allow_local"))
101  {
102  $user_auth_mode = AUTH_LOCAL;
103  }
104  if ($user_auth_mode == AUTH_SHIBBOLETH && $ilSetting->get("shib_auth_allow_local"))
105  {
106  $user_auth_mode = AUTH_LOCAL;
107  }
108  }
109  else if ($_POST['auth_mode'] == AUTH_APACHE)
110  {
111  $user_auth_mode = AUTH_APACHE;
112  }
113  }
114 
115  // to do: other solution?
116  if (!$ilSetting->get("soap_auth_active") && $user_auth_mode == AUTH_SOAP)
117  {
118  $user_auth_mode = AUTH_LOCAL;
119  }
120 
121  if($ilSetting->get("cas_active") && $_GET['forceCASLogin'])
122  {
123  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_CAS);
124  $user_auth_mode = AUTH_CAS;
125  }
126 
127  if($ilSetting->get("apache_active") && $user_auth_mode == AUTH_APACHE)
128  {
129  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
130  $user_auth_mode = AUTH_APACHE;
131  }
132 
133  // BEGIN WebDAV: Share session between browser and WebDAV client.
134  // The realm is needed to support a common session between Auth_HTTP and Auth.
135  // It also helps us to distinguish between parallel sessions run on different clients.
136  // Common session only works if we use a common session name starting with "_authhttp".
137  // We must use the "_authttp" prefix, because it is hardcoded in the session name of
138  // class Auth_HTTP.
139  // Whenever we use Auth_HTTP, we need to explicitly switch off "sessionSharing", because
140  // it interfers with the session mechanism of the other Auth modules. If we would
141  // keep this switched on, then users could steal each others session, which would cause
142  // a major security breach.
143  // Note: The realm and sessionName used here, must be the same as in
144  // class ilBaseAuthentication. Otherwise, Soap clients won't be able to log
145  // in to ILIAS.
146  $realm = CLIENT_ID;
147  //$this->writelog('ilias.php realm='.$realm);
148  // END WebDAV: Share session between browser and WebDAV client.
149 
150 //var_dump($_SESSION);
151 //echo "1-".$ilSetting->get("soap_auth_active")."-";
152  // if soap authentication activated and soap credentials given
153  if (($ilSetting->get("soap_auth_active") && !empty($_GET["ext_uid"])
154  && !empty($_GET["soap_pw"])) || $user_auth_mode == AUTH_SOAP)
155  {
156 
157  define('AUTH_CURRENT',AUTH_SOAP);
158  }
159  // if Shibboleth is active and the user is authenticated
160  // we set auth_mode to Shibboleth
161  else if ( $ilSetting->get("shib_active")
162  && $_SERVER[$ilSetting->get("shib_login")])
163  {
164  define ("AUTH_CURRENT", AUTH_SHIBBOLETH);
165  }
166  else
167  {
168  define ("AUTH_CURRENT", $user_auth_mode);
169  }
170 //var_dump($_SESSION);
171 
172  // Determine the authentication method to use
173  if (defined("WebDAV_Authentication") && WebDAV_Authentication == 'HTTP') {
174  // Since WebDAV clients create the login form by
175  // themselves, we can not provide buttons on the form for
176  // choosing an authentication method.
177  // If the user is already logged in, we continue using
178  // the current authentication method. If the user is
179  // not logged in yet, we use the "multiple authentication"
180  // method using a predefined sequence of authentication methods.
181  $authmode = AUTH_CURRENT ? AUTH_CURRENT : AUTH_MULTIPLE;
182  }
183  else
184  {
185  $authmode = AUTH_CURRENT;
186  }
187 //var_dump($authmode);
188  // if no auth mode selected AND default mode is AUTH_APACHE then use it...
189  if ($authmode == null && AUTH_DEFAULT == AUTH_APACHE)
190  $authmode = AUTH_APACHE;
191 
192  switch ($authmode)
193  {
194  case AUTH_LDAP:
195 
196  include_once './Services/LDAP/classes/class.ilAuthContainerLDAP.php';
197  $ilAuth = ilAuthFactory::factory(new ilAuthContainerLDAP());
198  break;
199 
200  case AUTH_RADIUS:
201 
202  include_once './Services/Radius/classes/class.ilAuthContainerRadius.php';
203  $ilAuth = ilAuthFactory::factory(new ilAuthContainerRadius());
204  break;
205 
206  case AUTH_SHIBBOLETH:
207  // build option string for SHIB::Auth
208  $auth_params = array();
209  $auth_params['sessionName'] = "_authhttp".md5($realm);
210  $ilAuth = new ShibAuth($auth_params,true);
211  break;
212 
213  case AUTH_CAS:
214 
215  include_once './Services/CAS/classes/class.ilAuthContainerCAS.php';
216  $ilAuth = ilAuthFactory::factory(new ilAuthContainerCAS());
217  break;
218 
219  case AUTH_SOAP:
220 
221  include_once './Services/SOAPAuth/classes/class.ilAuthContainerSOAP.php';
222  $ilAuth = ilAuthFactory::factory(new ilAuthContainerSOAP());
223  break;
224 
225  case AUTH_MULTIPLE:
226 
227  include_once './Services/Authentication/classes/class.ilAuthContainerMultiple.php';
228  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMultiple());
229  break;
230 
231  case AUTH_ECS:
232  include_once './Services/WebServices/ECS/classes/class.ilAuthContainerECS.php';
233  $ilAuth = ilAuthFactory::factory(new ilAuthContainerECS());
234  break;
235 
236  case AUTH_OPENID:
237 
238  include_once './Services/OpenId/classes/class.ilAuthContainerOpenId.php';
239  $ilAuth = ilAuthFactory::factory(new ilAuthContainerOpenId());
240  break;
241 
242  case AUTH_INACTIVE:
243  require_once('./Services/Authentication/classes/class.ilAuthInactive.php');
244  $ilAuth = new ilAuthInactive(AUTH_MODE_INACTIVE);
245  break;
246 
247  case AUTH_APACHE:
248  include_once './Services/AuthApache/classes/class.ilAuthContainerApache.php';
249  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
250  $ilAuth = ilAuthFactory::factory(new ilAuthContainerApache());
251  break;
252 
253  case AUTH_LOCAL:
254  default:
255 
256  global $ilLog;
257 
258  include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
259  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMDB2());
260  break;
261  }
262 
263  // Due to a bug in Pear Auth_HTTP, we can't use idle time
264  // with WebDAV clients. If we used it, users could never log
265  // back into ILIAS once their session idled out. :(
266  if (!defined("WebDAV_Authentication") || WebDAV_Authentication != 'HTTP')
267  {
268  $ilAuth->setIdle(ilSession::getIdleValue(), false);
269  }
270  $ilAuth->setExpire(0);
271 
272  ini_set("session.cookie_lifetime", "0");
273 //echo "-".get_class($ilAuth)."-";
274  $GLOBALS['ilAuth'] =& $ilAuth;
275 
276  ilSessionControl::checkExpiredSession();
277 
278  $ilBench->stop('Auth','initAuth');
279  }
280 
281  function _getAuthModeOfUser($a_username,$a_password,$a_db_handler = '')
282  {
283  global $ilDB;
284 
285  if(isset($_GET['ecs_hash']) or isset($_GET['ecs_hash_url']))
286  {
287  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_ECS);
288  return AUTH_ECS;
289  }
290  if(isset($_POST['auth_mode']))
291  {
292  return (int) $_POST['auth_mode'];
293  }
294  if(isset($_POST['oid_username']) or $_GET['oid_check_status'])
295  {
296  $GLOBALS['ilLog']->write(__METHOD__.' set context to open id');
297  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_OPENID);
298  return AUTH_OPENID;
299  }
300 
301  include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
302  $det = ilAuthModeDetermination::_getInstance();
303 
304  if(!$det->isManualSelection() and $det->getCountActiveAuthModes() > 1)
305  {
306  return AUTH_MULTIPLE;
307  }
308 
309 
310  $db =& $ilDB;
311 
312  if ($a_db_handler != '')
313  {
314  $db =& $a_db_handler;
315  }
316 
317  // Is it really necessary to check the auth mode with password ?
318  // Changed: smeyer
319  $q = "SELECT auth_mode FROM usr_data WHERE ".
320  "login = ".$ilDB->quote($a_username);
321  //"passwd = ".$ilDB->quote(md5($a_password))."";
322 
323 
324  $r = $db->query($q);
325  $row = $r->fetchRow(DB_FETCHMODE_OBJECT);
326 //echo "+".$row->auth_mode."+";
327 
328  $auth_mode = self::_getAuthMode($row->auth_mode,$db);
329 
330  return in_array($auth_mode,self::_getActiveAuthModes()) ? $auth_mode : AUTH_INACTIVE;
331  }
332 
333  function _getAuthMode($a_auth_mode,$a_db_handler = '')
334  {
335  global $ilDB, $ilSetting;
336 
337  $db =& $ilDB;
338 
339  if ($a_db_handler != '')
340  {
341  $db =& $a_db_handler;
342  }
343 
344  switch ($a_auth_mode)
345  {
346  case "local":
347  return AUTH_LOCAL;
348  break;
349 
350  case "ldap":
351  return AUTH_LDAP;
352  break;
353 
354  case "radius":
355  return AUTH_RADIUS;
356  break;
357 
358  case "script":
359  return AUTH_SCRIPT;
360  break;
361 
362  case "shibboleth":
363  return AUTH_SHIBBOLETH;
364  break;
365 
366  case "cas":
367  return AUTH_CAS;
368  break;
369 
370  case "soap":
371  return AUTH_SOAP;
372  break;
373 
374  case 'ecs':
375  return AUTH_ECS;
376 
377  case 'openid':
378  return AUTH_OPENID;
379 
380  case 'apache':
381  return AUTH_APACHE;
382 
383  default:
384  return $ilSetting->get("auth_mode");
385  break;
386  }
387  }
388 
389  public static function _getAuthModeName($a_auth_key)
390  {
391  global $ilias;
392 
393  switch ($a_auth_key)
394  {
395  case AUTH_LOCAL:
396  return "local";
397  break;
398 
399  case AUTH_LDAP:
400  return "ldap";
401  break;
402 
403  case AUTH_RADIUS:
404  return "radius";
405  break;
406 
407  case AUTH_CAS:
408  return "cas";
409  break;
410 
411  case AUTH_SCRIPT:
412  return "script";
413  break;
414 
415  case AUTH_SHIBBOLETH:
416  return "shibboleth";
417  break;
418 
419  case AUTH_SOAP:
420  return "soap";
421  break;
422 
423  case AUTH_ECS:
424  return 'ecs';
425 
426  case AUTH_APACHE:
427  return 'apache';
428 
429  case AUTH_OPENID:
430  return 'open_id';
431 
432  default:
433  return "default";
434  break;
435  }
436  }
437 
438  function _getActiveAuthModes()
439  {
440  global $ilias,$ilSetting;
441 
442  $modes = array(
443  'default' => $ilSetting->get("auth_mode"),
444  'local' => AUTH_LOCAL
445  );
446  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
447  if(count(ilLDAPServer::_getActiveServerList()))
448  {
449  $modes['ldap'] = AUTH_LDAP;
450  }
451  if ($ilSetting->get("radius_active")) $modes['radius'] = AUTH_RADIUS;
452  if ($ilSetting->get("shib_active")) $modes['shibboleth'] = AUTH_SHIBBOLETH;
453  if ($ilSetting->get("script_active")) $modes['script'] = AUTH_SCRIPT;
454  if ($ilSetting->get("cas_active")) $modes['cas'] = AUTH_CAS;
455  if ($ilSetting->get("soap_auth_active")) $modes['soap'] = AUTH_SOAP;
456  if ($ilSetting->get("apache_active")) $modes['apache'] = AUTH_APACHE;
457 
458  include_once './Services/WebServices/ECS/classes/class.ilECSServerSettings.php';
459  if(ilECSServerSettings::getInstance()->activeServerExists())
460  {
461  $modes['ecs'] = AUTH_ECS;
462  }
463 
464  include_once './Services/OpenId/classes/class.ilOpenIdSettings.php';
465  if(ilOpenIdSettings::getInstance()->isActive())
466  {
467  $modes['openid'] = AUTH_OPENID;
468  }
469 
470  return $modes;
471  }
472 
473  function _getAllAuthModes()
474  {
475  return array(
476  AUTH_LOCAL => ilAuthUtils::_getAuthModeName(AUTH_LOCAL),
477  AUTH_LDAP => ilAuthUtils::_getAuthModeName(AUTH_LDAP),
478  AUTH_SHIBBOLETH => ilAuthUtils::_getAuthModeName(AUTH_SHIBBOLETH),
479  AUTH_CAS => ilAuthUtils::_getAuthModeName(AUTH_CAS),
480  AUTH_SOAP => ilAuthUtils::_getAuthModeName(AUTH_SOAP),
481  AUTH_RADIUS => ilAuthUtils::_getAuthModeName(AUTH_RADIUS),
482  AUTH_ECS => ilAuthUtils::_getAuthModeName(AUTH_ECS),
483  AUTH_OPENID => ilAuthUtils::_getAuthModeName(AUTH_OPENID),
484  AUTH_APACHE => ilAuthUtils::_getAuthModeName(AUTH_APACHE)
485  );
486  }
487 
492  function _generateLogin($a_login)
493  {
494  global $ilDB;
495 
496  // Check if username already exists
497  $found = false;
498  $postfix = 0;
499  $c_login = $a_login;
500  while(!$found)
501  {
502  $r = $ilDB->query("SELECT login FROM usr_data WHERE login = ".
503  $ilDB->quote($c_login));
504  if ($r->numRows() > 0)
505  {
506  $postfix++;
507  $c_login = $a_login.$postfix;
508  }
509  else
510  {
511  $found = true;
512  }
513  }
514 
515  return $c_login;
516  }
517 
518  public static function _hasMultipleAuthenticationMethods()
519  {
520  include_once('Services/Radius/classes/class.ilRadiusSettings.php');
521 
522  $rad_settings = ilRadiusSettings::_getInstance();
523  if($rad_settings->isActive())
524  {
525  return true;
526  }
527  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
528 
529  if (count(ilLDAPServer::_getActiveServerList()))
530  return true;
531 
532  global $ilSetting;
533 
534  if ($ilSetting->get('apache_active')) {
535  return true;
536  }
537  return false;
538  }
539 
540  public static function _getMultipleAuthModeOptions($lng)
541  {
542  global $ilSetting;
543 
544  // in the moment only ldap is activated as additional authentication method
545  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
546 
547  $options[AUTH_LOCAL]['txt'] = $lng->txt('authenticate_ilias');
548 
549  // LDAP
550  if($ldap_id = ilLDAPServer::_getFirstActiveServer())
551  {
552  $ldap_server = new ilLDAPServer($ldap_id);
553  $options[AUTH_LDAP]['txt'] = $ldap_server->getName();
554  }
555  include_once('Services/Radius/classes/class.ilRadiusSettings.php');
556  $rad_settings = ilRadiusSettings::_getInstance();
557  if($rad_settings->isActive())
558  {
559  $options[AUTH_RADIUS]['txt'] = $rad_settings->getName();
560  }
561 
562  if ($ilSetting->get('apache_active'))
563  {
564  global $lng;
565  $apache_settings = new ilSetting('apache_auth');
566  $options[AUTH_APACHE]['txt'] = $apache_settings->get('name', $lng->txt('apache_auth'));
567  $options[AUTH_APACHE]['hide_in_ui'] = true;
568  }
569 
570  if($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_LDAP)
571  {
572  $default = AUTH_LDAP;
573  }
574  elseif($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_RADIUS)
575  {
576  $default = AUTH_RADIUS;
577  }
578  else
579  {
580  $default = AUTH_LOCAL;
581  }
582 
583  $default = $ilSetting->get('default_auth_mode',$default);
584  $default = (int) $_REQUEST['auth_mode'] ? (int) $_REQUEST['auth_mode'] : $default;
585 
586  $options[$default]['checked'] = true;
587  return $options ? $options : array();
588  }
589 
599  public static function _isExternalAccountEnabled()
600  {
601  global $ilSetting;
602 
603  if($ilSetting->get("cas_active"))
604  {
605  return true;
606  }
607  if($ilSetting->get("soap_auth_active"))
608  {
609  return true;
610  }
611  if($ilSetting->get("shib_active"))
612  {
613  return true;
614  }
615  if($ilSetting->get('radius_active'))
616  {
617  return true;
618  }
619  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
620  if(count(ilLDAPServer::_getActiveServerList()))
621  {
622  return true;
623  }
624  include_once './Services/OpenId/classes/class.ilOpenIdSettings.php';
625  if(ilOpenIdSettings::getInstance()->isActive())
626  {
627  return true;
628  }
629  return false;
630  }
631 
640  public static function _allowPasswordModificationByAuthMode($a_auth_mode)
641  {
642  switch($a_auth_mode)
643  {
644  case AUTH_LDAP:
645  case AUTH_RADIUS:
646  case AUTH_ECS:
647  case AUTH_OPENID:
648  return false;
649  default:
650  return true;
651  }
652  }
653 
662  public static function _needsExternalAccountByAuthMode($a_auth_mode)
663  {
664  switch($a_auth_mode)
665  {
666  case AUTH_LOCAL:
667  case AUTH_APACHE:
668  return false;
669  default:
670  return true;
671  }
672  }
673 
679  public static function isPasswordModificationEnabled($a_authmode)
680  {
681  global $ilSetting;
682 
683  if($ilSetting->get('usr_settings_hide_password') or $ilSetting->get('usr_settings_disable_password'))
684  {
685  return false;
686  }
687 
688  switch($a_authmode)
689  {
690  // No local passwords for these auth modes
691  case AUTH_LDAP:
692  case AUTH_RADIUS:
693  case AUTH_ECS:
694  case AUTH_SCRIPT:
695  return false;
696 
697  // Always for openid and local
698  case AUTH_LOCAL:
699  case AUTH_OPENID:
700  case AUTH_APACHE:
701  return true;
702 
703  // Read setting:
704  case AUTH_SHIBBOLETH:
705  return $ilSetting->get("shib_auth_allow_local");
706  case AUTH_SOAP:
707  return $ilSetting->get("soap_auth_allow_local");
708  case AUTH_CAS:
709  return $ilSetting->get("cas_allow_local");
710  }
711  }
712 
718  public static function supportsLocalPasswordValidation($a_authmode)
719  {
720  switch($a_authmode)
721  {
722  case AUTH_LDAP:
723  case AUTH_LOCAL:
724  case AUTH_RADIUS:
725  return ilAuthUtils::LOCAL_PWV_FULL;
726 
727  case AUTH_SHIBBOLETH:
728  case AUTH_SOAP:
729  case AUTH_CAS:
730  if(!ilAuthUtils::isPasswordModificationEnabled($a_authmode))
731  {
732  return ilAuthUtils::LOCAL_PWV_NO;
733  }
734  return ilAuthUtils::LOCAL_PWV_USER;
735 
736  case AUTH_ECS:
737  case AUTH_OPENID:
738  case AUTH_SCRIPT:
739  case AUTH_APACHE:
740  default:
741  return ilAuthUtils::LOCAL_PWV_USER;
742  }
743  }
744 }
745 ?>