d3/df9/X509userCert_8php_source.html

<?php


class sspmod_authX509_Auth_Source_X509userCert extends SimpleSAML_Auth_Source

{


    private $x509attributes = array('UID' => 'uid');


    private $ldapusercert = array('userCertificate;binary');


    private $ldapcf;


    public function __construct($info, &$config)

    {

        assert('is_array($info)');

        assert('is_array($config)');


        if (isset($config['authX509:x509attributes'])) {

            $this->x509attributes = $config['authX509:x509attributes'];

        }


        if (array_key_exists('authX509:ldapusercert', $config)) {

            $this->ldapusercert = $config['authX509:ldapusercert'];

        }


        parent::__construct($info, $config);


        $this->ldapcf = new sspmod_ldap_ConfigHelper(

            $config,

            'Authentication source ' . var_export($this->authId, true)

        );


        return;

    }


    public function authFailed(&$state)

    {

        $config = SimpleSAML_Configuration::getInstance();


        $t = new SimpleSAML_XHTML_Template($config, 'authX509:X509error.php');

        $t->data['errorcode'] = $state['authX509.error'];

        $t->data['errorcodes'] = SimpleSAML\Error\ErrorCodes::getAllErrorCodeMessages();


        $t->show();

        exit();

    }


    public function authenticate(&$state)

    {

        assert('is_array($state)');

        $ldapcf = $this->ldapcf;


        if (!isset($_SERVER['SSL_CLIENT_CERT']) ||

            ($_SERVER['SSL_CLIENT_CERT'] == '')) {

            $state['authX509.error'] = "NOCERT";

            $this->authFailed($state);


            assert('false'); // should never be reached

            return;

        }


        $client_cert = $_SERVER['SSL_CLIENT_CERT'];

        $client_cert_data = openssl_x509_parse($client_cert);

        if ($client_cert_data === false) {

            SimpleSAML\Logger::error('authX509: invalid cert');

            $state['authX509.error'] = "INVALIDCERT";

            $this->authFailed($state);


            assert('false'); // should never be reached

            return;

        }


        $dn = null;

        foreach ($this->x509attributes as $x509_attr => $ldap_attr) {

            // value is scalar

            if (array_key_exists($x509_attr, $client_cert_data['subject'])) {

                $value = $client_cert_data['subject'][$x509_attr];

                SimpleSAML\Logger::info('authX509: cert '. $x509_attr.' = '.$value);

                $dn = $ldapcf->searchfordn($ldap_attr, $value, true);

                if ($dn !== null) {

                    break;

                }

            }

        }


        if ($dn === null) {

            SimpleSAML\Logger::error('authX509: cert has no matching user in LDAP.');

            $state['authX509.error'] = "UNKNOWNCERT";

            $this->authFailed($state);


            assert('false'); // should never be reached

            return;

        }


        if ($this->ldapusercert === null) { // do not check for certificate match

            $attributes = $ldapcf->getAttributes($dn);

            assert('is_array($attributes)');

            $state['Attributes'] = $attributes;

            $this->authSuccesful($state);


            assert('false'); // should never be reached

            return;

        }


        $ldap_certs = $ldapcf->getAttributes($dn, $this->ldapusercert);

        if ($ldap_certs === false) {

            SimpleSAML\Logger::error('authX509: no certificate found in LDAP for dn='.$dn);

            $state['authX509.error'] = "UNKNOWNCERT";

            $this->authFailed($state);


            assert('false'); // should never be reached

            return;

        }


        $merged_ldapcerts = array();

        foreach ($this->ldapusercert as $attr) {

            $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[$attr]);

        }

        $ldap_certs = $merged_ldapcerts;


        foreach ($ldap_certs as $ldap_cert) {

            $pem = \SimpleSAML\Utils\Crypto::der2pem($ldap_cert);

            $ldap_cert_data = openssl_x509_parse($pem);

            if ($ldap_cert_data === false) {

                SimpleSAML\Logger::error('authX509: cert in LDAP is invalid for dn='.$dn);

                continue;

            }


            if ($ldap_cert_data === $client_cert_data) {

                $attributes = $ldapcf->getAttributes($dn);

                assert('is_array($attributes)');

                $state['Attributes'] = $attributes;

                $this->authSuccesful($state);


                assert('false'); // should never be reached

                return;

            }

        }


        SimpleSAML\Logger::error('authX509: no matching cert in LDAP for dn='.$dn);

        $state['authX509.error'] = "UNKNOWNCERT";

        $this->authFailed($state);


        assert('false'); // should never be reached

        return;

    }


    public function authSuccesful(&$state)

    {

        SimpleSAML_Auth_Source::completeAuth($state);


        assert('false'); // should never be reached

        return;

    }

}

$t
$t
Definition: 40duplicateStyle.php:28

$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10

php
An exception for terminatinating execution or to throw for unit testing.

SimpleSAML\Error\ErrorCodes\getAllErrorCodeMessages
static getAllErrorCodeMessages()
Get a map of both errorcode titles and descriptions.
Definition: ErrorCodes.php:135

SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:201

SimpleSAML\Logger\error
static error($string)
Definition: Logger.php:168

SimpleSAML\Utils\Crypto\der2pem
static der2pem($der, $type='CERTIFICATE')
Convert data from DER to PEM encoding.
Definition: Crypto.php:160

SimpleSAML_Auth_Source
Definition: Source.php:13

SimpleSAML_Auth_Source\completeAuth
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:135

SimpleSAML_Configuration\getInstance
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
Definition: Configuration.php:297

SimpleSAML_XHTML_Template
Definition: Template.php:17

sspmod_authX509_Auth_Source_X509userCert
Definition: X509userCert.php:10

sspmod_authX509_Auth_Source_X509userCert\__construct
__construct($info, &$config)
Constructor for this authentication source.
Definition: X509userCert.php:38

sspmod_authX509_Auth_Source_X509userCert\authFailed
authFailed(&$state)
Finish a failed authentication.
Definition: X509userCert.php:69

sspmod_authX509_Auth_Source_X509userCert\authenticate
authenticate(&$state)
Validate certificate and login.
Definition: X509userCert.php:90

sspmod_authX509_Auth_Source_X509userCert\$ldapusercert
$ldapusercert
LDAP attribute containing the user certificate.
Definition: X509userCert.php:21

sspmod_authX509_Auth_Source_X509userCert\$x509attributes
$x509attributes
x509 attributes to use from the certificate for searching the user in the LDAP directory.
Definition: X509userCert.php:15

sspmod_authX509_Auth_Source_X509userCert\$ldapcf
$ldapcf
LDAPConfigHelper object.
Definition: X509userCert.php:27

sspmod_authX509_Auth_Source_X509userCert\authSuccesful
authSuccesful(&$state)
Finish a successful authentication.
Definition: X509userCert.php:199

sspmod_ldap_ConfigHelper
Definition: ConfigHelper.php:12

$config
$config
Definition: flush-definition-cache.php:23

$info
$info
Definition: index.php:5

exit
exit
Definition: old-extract-schema.php:9

$attributes
$attributes
Definition: serviceValidate.php:33

$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54