ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
sspmod_authX509_Auth_Source_X509userCert Class Reference

Public Member Functions

 __construct ($info, &$config)
 Constructor for this authentication source. More...
 
 authFailed (&$state)
 Finish a failed authentication. More...
 
 authenticate (&$state)
 Validate certificate and login. More...
 
 authSuccesful (&$state)
 Finish a successful authentication. More...
 
- Public Member Functions inherited from SimpleSAML_Auth_Source
 __construct ($info, &$config)
 Constructor for an authentication source. More...
 
 getAuthId ()
 Retrieve the ID of this authentication source. More...
 
 authenticate (&$state)
 Process a request. More...
 
 reauthenticate (array &$state)
 Reauthenticate a user. More...
 
 initLogin ($return, $errorURL=null, array $params=array())
 Start authentication. More...
 
 logout (&$state)
 Log out from this authentication source. More...
 

Private Attributes

 $x509attributes = array('UID' => 'uid')
 x509 attributes to use from the certificate for searching the user in the LDAP directory. More...
 
 $ldapusercert = array('userCertificate;binary')
 LDAP attribute containing the user certificate. More...
 
 $ldapcf
 LDAPConfigHelper object. More...
 

Additional Inherited Members

- Static Public Member Functions inherited from SimpleSAML_Auth_Source
static getSourcesOfType ($type)
 Get sources of a specific type. More...
 
static completeAuth (&$state)
 Complete authentication. More...
 
static loginCompleted ($state)
 Called when a login operation has finished. More...
 
static completeLogout (&$state)
 Complete logout. More...
 
static getById ($authId, $type=null)
 Retrieve authentication source. More...
 
static logoutCallback ($state)
 Called when the authentication source receives an external logout request. More...
 
static getSources ()
 Retrieve list of authentication sources. More...
 
- Protected Member Functions inherited from SimpleSAML_Auth_Source
 addLogoutCallback ($assoc, $state)
 Add a logout callback association. More...
 
 callLogoutCallback ($assoc)
 Call a logout callback based on association. More...
 
- Static Protected Member Functions inherited from SimpleSAML_Auth_Source
static validateSource ($source, $id)
 Make sure that the first element of an auth source is its identifier. More...
 
- Protected Attributes inherited from SimpleSAML_Auth_Source
 $authId
 

Detailed Description

Definition at line 9 of file X509userCert.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_authX509_Auth_Source_X509userCert::__construct ($info, &$config)

Constructor for this authentication source.

All subclasses that implement their own constructor must call this constructor before using $config for anything.

Parameters
    array $info      Information about this authentication source.
    array &$config   Configuration for this authentication source.

Definition at line 38 of file X509userCert.php.

References $config, and $info.

{
    assert('is_array($info)');
    assert('is_array($config)');

    // subject attribute => LDAP attribute map used to locate the user
    if (isset($config['authX509:x509attributes'])) {
        $this->x509attributes = $config['authX509:x509attributes'];
    }

    // array_key_exists (not isset) so that an explicit null disables the
    // certificate match in authenticate()
    if (array_key_exists('authX509:ldapusercert', $config)) {
        $this->ldapusercert = $config['authX509:ldapusercert'];
    }

    parent::__construct($info, $config);

    $this->ldapcf = new sspmod_ldap_ConfigHelper(
        $config,
        'Authentication source ' . var_export($this->authId, true)
    );

    return;
}

Member Function Documentation

◆ authenticate()

sspmod_authX509_Auth_Source_X509userCert::authenticate (&$state)

Validate certificate and login.

This function tries to validate the certificate. On success, the user is logged in without going through the login page. On failure, the authX509:X509error.php template is loaded.

Parameters
    array &$state   Information about the current authentication.

Definition at line 90 of file X509userCert.php.

References $_SERVER, $attributes, $ldapcf, $state, array, authFailed(), authSuccesful(), SimpleSAML\Utils\Crypto\der2pem(), SimpleSAML\Logger\error(), and SimpleSAML\Logger\info().

{
    assert('is_array($state)');
    $ldapcf = $this->ldapcf; // line 93 was dropped from this listing; restored from the References list above

    // The web server must have verified the client certificate and exported it
    // into SSL_CLIENT_CERT; without it there is nothing to authenticate.
    if (!isset($_SERVER['SSL_CLIENT_CERT']) ||
        ($_SERVER['SSL_CLIENT_CERT'] == '')) {
        $state['authX509.error'] = "NOCERT";
        $this->authFailed($state);

        assert('false'); // should never be reached
        return;
    }

    $client_cert = $_SERVER['SSL_CLIENT_CERT'];
    $client_cert_data = openssl_x509_parse($client_cert);
    if ($client_cert_data === false) {
        SimpleSAML\Logger::error('authX509: invalid cert');
        $state['authX509.error'] = "INVALIDCERT";
        $this->authFailed($state);

        assert('false'); // should never be reached
        return;
    }

    // Map configured subject attributes (default: UID) to an LDAP entry; the
    // first attribute that yields a DN wins.
    $dn = null;
    foreach ($this->x509attributes as $x509_attr => $ldap_attr) {
        // value is scalar
        if (array_key_exists($x509_attr, $client_cert_data['subject'])) {
            $value = $client_cert_data['subject'][$x509_attr];
            SimpleSAML\Logger::info('authX509: cert '. $x509_attr.' = '.$value);
            $dn = $ldapcf->searchfordn($ldap_attr, $value, true);
            if ($dn !== null) {
                break;
            }
        }
    }

    if ($dn === null) {
        SimpleSAML\Logger::error('authX509: cert has no matching user in LDAP.');
        $state['authX509.error'] = "UNKNOWNCERT";
        $this->authFailed($state);

        assert('false'); // should never be reached
        return;
    }

    if ($this->ldapusercert === null) { // do not check for certificate match
        $attributes = $ldapcf->getAttributes($dn);
        assert('is_array($attributes)');
        $state['Attributes'] = $attributes;
        $this->authSuccesful($state);

        assert('false'); // should never be reached
        return;
    }

    // Fetch the DER certificate(s) stored on the user's entry.
    $ldap_certs = $ldapcf->getAttributes($dn, $this->ldapusercert);
    if ($ldap_certs === false) {
        SimpleSAML\Logger::error('authX509: no certificate found in LDAP for dn='.$dn);
        $state['authX509.error'] = "UNKNOWNCERT";
        $this->authFailed($state);

        assert('false'); // should never be reached
        return;
    }

    // Flatten the values of all configured certificate attributes into one list.
    $merged_ldapcerts = array();
    foreach ($this->ldapusercert as $attr) {
        $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[$attr]);
    }
    $ldap_certs = $merged_ldapcerts;

    // The presented certificate is accepted only if its parsed form is identical
    // to one of the certificates stored for that user (DER is converted to PEM
    // so that openssl_x509_parse() produces comparable output for both).
    foreach ($ldap_certs as $ldap_cert) {
        $pem = \SimpleSAML\Utils\Crypto::der2pem($ldap_cert);
        $ldap_cert_data = openssl_x509_parse($pem);
        if ($ldap_cert_data === false) {
            SimpleSAML\Logger::error('authX509: cert in LDAP is invalid for dn='.$dn);
            continue;
        }

        if ($ldap_cert_data === $client_cert_data) {
            $attributes = $ldapcf->getAttributes($dn);
            assert('is_array($attributes)');
            $state['Attributes'] = $attributes;
            $this->authSuccesful($state);

            assert('false'); // should never be reached
            return;
        }
    }

    SimpleSAML\Logger::error('authX509: no matching cert in LDAP for dn='.$dn);
    $state['authX509.error'] = "UNKNOWNCERT";
    $this->authFailed($state);

    assert('false'); // should never be reached
    return;
}
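As an added example (not part of the SimpleSAMLphp project or this page), here is an authsources.php entry for this source with the two options the constructor reads, beside the weaker variant that sets 'authX509:ldapusercert' to null and so takes the "do not check for certificate match" branch of authenticate(). The LDAP connection keys are sspmod_ldap_ConfigHelper options; the hostname, base DN and bind credentials are placeholders.

```php
<?php
// config/authsources.php (added example; hostnames, DNs and credentials are placeholders)
$config = array(
    // Recommended: locate the LDAP entry by the certificate's subject UID, then
    // require that the presented certificate equals one stored in that entry's
    // userCertificate;binary attribute (the comparison loop in authenticate()).
    'x509-pinned' => array(
        'authX509:X509userCert',
        // sspmod_ldap_ConfigHelper options used by searchfordn() and getAttributes()
        'hostname'          => 'ldaps://ldap.example.org',
        'enable_tls'        => false,
        'attributes'        => array('uid', 'mail', 'displayName'),
        'search.enable'     => true,
        'search.base'       => 'ou=people,dc=example,dc=org',
        'search.attributes' => array('uid'),
        'search.username'   => 'cn=simplesamlphp,ou=services,dc=example,dc=org',
        'search.password'   => 'CHANGE-ME',
        // certificate subject attribute => LDAP attribute (the class default)
        'authX509:x509attributes' => array('UID' => 'uid'),
        // LDAP attribute(s) holding the user's DER certificate (the class default)
        'authX509:ldapusercert'   => array('userCertificate;binary'),
    ),

    // Weaker: subject-only mapping. With ldapusercert null, authenticate() logs the
    // user in as soon as a DN is found for the subject UID, so any certificate the
    // web server's trust store accepts that carries a matching UID is sufficient;
    // the certificate itself is never compared against the directory.
    'x509-subject-only' => array(
        'authX509:X509userCert',
        'hostname'          => 'ldaps://ldap.example.org',
        'search.enable'     => true,
        'search.base'       => 'ou=people,dc=example,dc=org',
        'search.attributes' => array('uid'),
        'search.username'   => 'cn=simplesamlphp,ou=services,dc=example,dc=org',
        'search.password'   => 'CHANGE-ME',
        'authX509:x509attributes' => array('UID' => 'uid'),
        'authX509:ldapusercert'   => null,
    ),
);
```

Either entry only works if the web server verifies the client certificate and exports it, which for Apache means SSLVerifyClient require together with SSLOptions +ExportCertData so that $_SERVER['SSL_CLIENT_CERT'] is populated.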

◆ authFailed()

sspmod_authX509_Auth_Source_X509userCert::authFailed (&$state)

Finish a failed authentication.

This function can be overloaded by a child authentication class that wishes to perform some operations on failure.

Parameters
    array &$state   Information about the current authentication.

Definition at line 69 of file X509userCert.php.

References $config, $state, $t, exit, SimpleSAML\Error\ErrorCodes\getAllErrorCodeMessages(), and SimpleSAML_Configuration\getInstance().

Referenced by authenticate().

{
    $config = SimpleSAML_Configuration::getInstance(); // line 71 was dropped from this listing; restored from the References list above

    // Render the error template with the code set by authenticate() and stop;
    // no session is created.
    $t = new SimpleSAML_XHTML_Template($config, 'authX509:X509error.php');
    $t->data['errorcode'] = $state['authX509.error'];
    $t->data['errorcodes'] = SimpleSAML\Error\ErrorCodes::getAllErrorCodeMessages(); // line 75, restored likewise

    $t->show();
    exit();
}

◆ authSuccesful()

sspmod_authX509_Auth_Source_X509userCert::authSuccesful (&$state)

Finish a successful authentication.

This function can be overloaded by a child authentication class that wishes to perform some operations after login.

Parameters
    array &$state   Information about the current authentication.

Definition at line 199 of file X509userCert.php.

References $state, and SimpleSAML_Auth_Source\completeAuth().

Referenced by authenticate().

{
    // Hands the populated $state back to the framework, which redirects the
    // user and does not return.
    SimpleSAML_Auth_Source::completeAuth($state); // line 201 was dropped from this listing; restored from the References list above

    assert('false'); // should never be reached
    return;
}

Field Documentation

◆ $ldapcf

sspmod_authX509_Auth_Source_X509userCert::$ldapcf
private

LDAPConfigHelper object.

Definition at line 27 of file X509userCert.php.

Referenced by authenticate().

◆ $ldapusercert

sspmod_authX509_Auth_Source_X509userCert::$ldapusercert = array('userCertificate;binary')
private

LDAP attribute containing the user certificate.

Definition at line 21 of file X509userCert.php.

◆ $x509attributes

sspmod_authX509_Auth_Source_X509userCert::$x509attributes = array('UID' => 'uid')
private

x509 attributes to use from the certificate for searching the user in the LDAP directory.

Definition at line 15 of file X509userCert.php.


The documentation for this class was generated from the following file: