Inheritance diagram for sspmod_negotiate_Auth_Source_Negotiate:

Collaboration diagram for sspmod_negotiate_Auth_Source_Negotiate:

Public Member Functions
	__construct ($info, $config)
	Constructor for this authentication source. More...

	authenticate (&$state)
	The inner workings of the module. More...

	spDisabledInMetadata ($spMetadata)

	checkMask ()
	checkMask() looks up the subnet config option and verifies that the client is within that range. More...

	logout (&$state)
	Log out from this authentication source. More...

Public Member Functions inherited from SimpleSAML_Auth_Source
	__construct ($info, &$config)
	Constructor for an authentication source. More...

	getAuthId ()
	Retrieve the ID of this authentication source. More...

	authenticate (&$state)
	Process a request. More...

	reauthenticate (array &$state)
	Reauthenticate an user. More...

	initLogin ($return, $errorURL=null, array $params=array())
	Start authentication. More...

	logout (&$state)
	Log out from this authentication source. More...

Static Public Member Functions
static	fallBack (&$state)
	Passes control of the login process to a different module. More...

Static Public Member Functions inherited from SimpleSAML_Auth_Source
static	getSourcesOfType ($type)
	Get sources of a specific type. More...

static	completeAuth (&$state)
	Complete authentication. More...

static	loginCompleted ($state)
	Called when a login operation has finished. More...

static	completeLogout (&$state)
	Complete logout. More...

static	getById ($authId, $type=null)
	Retrieve authentication source. More...

static	logoutCallback ($state)
	Called when the authentication source receives an external logout request. More...

static	getSources ()
	Retrieve list of authentication sources. More...

Data Fields
const	STAGEID = 'sspmod_negotiate_Auth_Source_Negotiate.StageId'

Protected Member Functions
	sendNegotiate ($params)
	Send the actual headers and body of the 401. More...

	lookupUserData ($user)
	Strips away the realm of the Kerberos identifier, looks up what attributes to fetch from SP metadata and searches the directory. More...

	adminBind ()
	Elevates the LDAP connection to allow restricted lookups if so configured. More...

Protected Member Functions inherited from SimpleSAML_Auth_Source
	addLogoutCallback ($assoc, $state)
	Add a logout callback association. More...

	callLogoutCallback ($assoc)
	Call a logout callback based on association. More...

Protected Attributes
	$ldap = null

	$backend = ''

	$hostname = ''

	$port = 389

	$referrals = true

	$enableTLS = false

	$debugLDAP = false

	$timeout = 30

	$keytab = ''

	$base = array()

	$attr = 'uid'

	$subnet = null

	$admin_user = null

	$admin_pw = null

	$attributes = null

Protected Attributes inherited from SimpleSAML_Auth_Source
	$authId

Additional Inherited Members
Static Protected Member Functions inherited from SimpleSAML_Auth_Source
static	validateSource ($source, $id)
	Make sure that the first element of an auth source is its identifier. More...

Detailed Description

Definition at line 10 of file Negotiate.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_negotiate_Auth_Source_Negotiate::__construct	(	$info,
		$config
	)

Constructor for this authentication source.

Parameters

array	$info	Information about this authentication source.
array	$config	The configuration of the module

Exceptions

Exception If the KRB5 extension is not installed or active.

Definition at line 41 of file Negotiate.php.

References $config, $info, base(), and SimpleSAML_Configuration\loadFromArray().

     {
         assert(is_array($info));
         assert(is_array($config));
 
         if (!extension_loaded('krb5')) {
             throw new Exception('KRB5 Extension not installed');
         }
 
         // call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
         $config = SimpleSAML_Configuration::loadFromArray($config);
 
         $this->backend = $config->getString('fallback');
         $this->hostname = $config->getString('hostname');
         $this->port = $config->getInteger('port', 389);
         $this->referrals = $config->getBoolean('referrals', true);
         $this->enableTLS = $config->getBoolean('enable_tls', false);
         $this->debugLDAP = $config->getBoolean('debugLDAP', false);
         $this->timeout = $config->getInteger('timeout', 30);
         $this->keytab = $config->getString('keytab');
         $this->base = $config->getArrayizeString('base');
         $this->attr = $config->getString('attr', 'uid');
         $this->subnet = $config->getArray('subnet', null);
         $this->admin_user = $config->getString('adminUser', null);
         $this->admin_pw = $config->getString('adminPassword', null);
         $this->attributes = $config->getArray('attributes', null);
     }

Here is the call graph for this function:

Member Function Documentation

◆ adminBind()

sspmod_negotiate_Auth_Source_Negotiate::adminBind ( )

protected

Elevates the LDAP connection to allow restricted lookups if so configured.

Does nothing if not.

Definition at line 323 of file Negotiate.php.

References SimpleSAML\Logger\debug(), and SimpleSAML\Logger\error().

Referenced by lookupUserData().

     {
         if ($this->admin_user === null) {
             // no admin user
             return;
         }
         SimpleSAML\Logger::debug(
             'Negotiate - authenticate(): Binding as system user '.var_export($this->admin_user, true)
         );
 
         if (!$this->ldap->bind($this->admin_user, $this->admin_pw)) {
             $msg = 'Unable to authenticate system user (LDAP_INVALID_CREDENTIALS) '.var_export($this->admin_user, true);
             SimpleSAML\Logger::error('Negotiate - authenticate(): '.$msg);
             throw new SimpleSAML_Error_AuthSource('negotiate', $msg);
         }
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ authenticate()

sspmod_negotiate_Auth_Source_Negotiate::authenticate ( & $state )

The inner workings of the module.

Checks to see if client is in the defined subnets (if defined in config). Sends the client a 401 Negotiate and responds to the result. If the client fails to provide a proper Kerberos ticket, the login process is handed over to the 'fallback' module defined in the config.

LDAP is used as a user metadata source.

Parameters

array &$state Information about the current authentication.

Definition at line 83 of file Negotiate.php.

References $_COOKIE, $_SERVER, $auth, SimpleSAML_Auth_Source\$authId, $id, $mask, PHPMailer\PHPMailer\$params, $session, $state, $user, checkMask(), SimpleSAML_Auth_Source\completeAuth(), SimpleSAML\Logger\debug(), SimpleSAML\Logger\error(), exit, fallBack(), SimpleSAML_Session\getSessionFromRequest(), SimpleSAML\Logger\info(), lookupUserData(), SimpleSAML_Auth_State\saveState(), sendNegotiate(), and spDisabledInMetadata().

     {
         assert(is_array($state));
 
         // set the default backend to config
         $state['LogoutState'] = array(
             'negotiate:backend' => $this->backend,
         );
         $state['negotiate:authId'] = $this->authId;
 
 
         // check for disabled SPs. The disable flag is store in the SP metadata
         if (array_key_exists('SPMetadata', $state) && $this->spDisabledInMetadata($state['SPMetadata'])) {
             $this->fallBack($state);
         }
         /* Go straight to fallback if Negotiate is disabled or if you are sent back to the IdP directly from the SP
         after having logged out. */
         $session = SimpleSAML_Session::getSessionFromRequest();
         $disabled = $session->getData('negotiate:disable', 'session');
 
         if ($disabled ||
             (!empty($_COOKIE['NEGOTIATE_AUTOLOGIN_DISABLE_PERMANENT']) &&
                 $_COOKIE['NEGOTIATE_AUTOLOGIN_DISABLE_PERMANENT'] == 'True')
         ) {
             SimpleSAML\Logger::debug('Negotiate - session disabled. falling back');
             $this->fallBack($state);
             // never executed
             assert(false);
         }
         $mask = $this->checkMask();
         if (!$mask) {
             $this->fallBack($state);
             // never executed
             assert(false);
         }
 
         SimpleSAML\Logger::debug('Negotiate - authenticate(): looking for Negotiate');
         if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
             SimpleSAML\Logger::debug('Negotiate - authenticate(): Negotiate found');
             $this->ldap = new SimpleSAML_Auth_LDAP(
                 $this->hostname,
                 $this->enableTLS,
                 $this->debugLDAP,
                 $this->timeout,
                 $this->port,
                 $this->referrals
             );
 
             list($mech,) = explode(' ', $_SERVER['HTTP_AUTHORIZATION'], 2);
             if (strtolower($mech) == 'basic') {
                 SimpleSAML\Logger::debug('Negotiate - authenticate(): Basic found. Skipping.');
             } else {
                 if (strtolower($mech) != 'negotiate') {
                     SimpleSAML\Logger::debug('Negotiate - authenticate(): No "Negotiate" found. Skipping.');
                 }
             }
 
             $auth = new KRB5NegotiateAuth($this->keytab);
             // attempt Kerberos authentication
             try {
                 $reply = $auth->doAuthentication();
             } catch (Exception $e) {
                 SimpleSAML\Logger::error('Negotiate - authenticate(): doAuthentication() exception: '.$e->getMessage());
                 $reply = null;
             }
 
             if ($reply) {
                 // success! krb TGS received
                 $user = $auth->getAuthenticatedUser();
                 SimpleSAML\Logger::info('Negotiate - authenticate(): '.$user.' authenticated.');
                 $lookup = $this->lookupUserData($user);
                 if ($lookup !== null) {
                     $state['Attributes'] = $lookup;
                     // Override the backend so logout will know what to look for
                     $state['LogoutState'] = array(
                         'negotiate:backend' => null,
                     );
                     SimpleSAML\Logger::info('Negotiate - authenticate(): '.$user.' authorized.');
                     SimpleSAML_Auth_Source::completeAuth($state);
                     // Never reached.
                     assert(false);
                 }
             } else {
                 // Some error in the received ticket. Expired?
                 SimpleSAML\Logger::info('Negotiate - authenticate(): Kerberos authN failed. Skipping.');
             }
         } else {
             // No auth token. Send it.
             SimpleSAML\Logger::debug('Negotiate - authenticate(): Sending Negotiate.');
             // Save the $state array, so that we can restore if after a redirect
             SimpleSAML\Logger::debug('Negotiate - fallback: '.$state['LogoutState']['negotiate:backend']);
             $id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
             $params = array('AuthState' => $id);
 
             $this->sendNegotiate($params);
             exit;
         }
 
         SimpleSAML\Logger::info('Negotiate - authenticate(): Client failed Negotiate. Falling back');
         $this->fallBack($state);
         /* The previous function never returns, so this code is never
            executed */
         assert(false);
     }

Here is the call graph for this function:

◆ checkMask()

sspmod_negotiate_Auth_Source_Negotiate::checkMask ( )

checkMask() looks up the subnet config option and verifies that the client is within that range.

Will return TRUE if no subnet option is configured.

Returns: boolean

Definition at line 213 of file Negotiate.php.

References $_SERVER, $ret, SimpleSAML\Logger\debug(), and SimpleSAML\Utils\Net\ipCIDRcheck().

Referenced by authenticate().

     {
         // No subnet means all clients are accepted.
         if ($this->subnet === null) {
             return true;
         }
         $ip = $_SERVER['REMOTE_ADDR'];
         foreach ($this->subnet as $cidr) {
             $ret = SimpleSAML\Utils\Net::ipCIDRcheck($cidr);
             if ($ret) {
                 SimpleSAML\Logger::debug('Negotiate: Client "'.$ip.'" matched subnet.');
                 return true;
             }
         }
         SimpleSAML\Logger::debug('Negotiate: Client "'.$ip.'" did not match subnet.');
         return false;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fallBack()

static sspmod_negotiate_Auth_Source_Negotiate::fallBack ( & $state )

static

Passes control of the login process to a different module.

Parameters

array $state Information about the current authentication.

Exceptions

SimpleSAML_Error_Error	If couldn't determine the auth source.
SimpleSAML_Error_Exception
Exception

Definition at line 268 of file Negotiate.php.

References SimpleSAML_Auth_Source\$authId, $source, $state, SimpleSAML\Logger\debug(), SimpleSAML_Auth_Source\getById(), and SimpleSAML_Auth_State\throwException().

Referenced by authenticate().

     {
         $authId = $state['LogoutState']['negotiate:backend'];
 
         if ($authId === null) {
             throw new SimpleSAML_Error_Error(array(500, "Unable to determine auth source."));
         }
         $source = SimpleSAML_Auth_Source::getById($authId);
 
         try {
             $source->authenticate($state);
         } catch (SimpleSAML_Error_Exception $e) {
             SimpleSAML_Auth_State::throwException($state, $e);
         } catch (Exception $e) {
             $e = new SimpleSAML_Error_UnserializableException($e);
             SimpleSAML_Auth_State::throwException($state, $e);
         }
         // fallBack never returns after loginCompleted()
         SimpleSAML\Logger::debug('Negotiate: backend returned');
         self::loginCompleted($state);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ logout()

sspmod_negotiate_Auth_Source_Negotiate::logout ( & $state )

Log out from this authentication source.

This method either logs the user out from Negotiate or passes the logout call to the fallback module.

Parameters

array &$state Information about the current logout operation.

Definition at line 349 of file Negotiate.php.

References SimpleSAML_Auth_Source\$authId, $session, $source, $state, SimpleSAML\Logger\debug(), SimpleSAML_Auth_Source\getById(), and SimpleSAML_Session\getSessionFromRequest().

     {
         assert(is_array($state));
         // get the source that was used to authenticate
         $authId = $state['negotiate:backend'];
         SimpleSAML\Logger::debug('Negotiate - logout has the following authId: "'.$authId.'"');
 
         if ($authId === null) {
             $session = SimpleSAML_Session::getSessionFromRequest();
             $session->setData('negotiate:disable', 'session', true, 24 * 60 * 60);
             parent::logout($state);
         } else {
             $source = SimpleSAML_Auth_Source::getById($authId);
             $source->logout($state);
         }
     }

Here is the call graph for this function:

◆ lookupUserData()

sspmod_negotiate_Auth_Source_Negotiate::lookupUserData ( $user )

protected

Strips away the realm of the Kerberos identifier, looks up what attributes to fetch from SP metadata and searches the directory.

Parameters

string $user The Kerberos user identifier.

Returns: string The DN to the user or NULL if not found.

Definition at line 299 of file Negotiate.php.

References $user, adminBind(), base(), and SimpleSAML\Logger\debug().

Referenced by authenticate().

     {
         // Kerberos user names include realm. Strip that away.
         $pos = strpos($user, '@');
         if ($pos === false) {
             return null;
         }
         $uid = substr($user, 0, $pos);
 
         $this->adminBind();
         try {
             $dn = $this->ldap->searchfordn($this->base, $this->attr, $uid);
             return $this->ldap->getAttributes($dn, $this->attributes);
         } catch (SimpleSAML_Error_Exception $e) {
             SimpleSAML\Logger::debug('Negotiate - ldap lookup failed: '.$e);
             return null;
         }
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ sendNegotiate()

sspmod_negotiate_Auth_Source_Negotiate::sendNegotiate ( $params )

protected

Send the actual headers and body of the 401.

Embedded in the body is a post that is triggered by JS if the client wants to show the 401 message.

Parameters

array $params additional parameters to the URL in the URL in the body.

Definition at line 238 of file Negotiate.php.

References PHPMailer\PHPMailer\$params, $url, EOF, and html().

Referenced by authenticate().

     {
         $url = htmlspecialchars(SimpleSAML\Module::getModuleURL('negotiate/backend.php', $params));
         $json_url = json_encode($url);
 
         header('HTTP/1.1 401 Unauthorized');
         header('WWW-Authenticate: Negotiate', false);
         echo <<<EOF
 <html>
  <head>
   <script type="text/javascript">window.location = $json_url</script>
   <title>Redirect to login</title>
  </head>
 <body>
  <p>Your browser seems to have Javascript disabled. Please click <a href="$url">here</a>.</p>
 </body>
 </html>
 EOF;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ spDisabledInMetadata()

sspmod_negotiate_Auth_Source_Negotiate::spDisabledInMetadata ( $spMetadata )

Definition at line 189 of file Negotiate.php.

References $spMetadata, and SimpleSAML\Logger\debug().

Referenced by authenticate().

     {
         if (array_key_exists('negotiate:disable', $spMetadata)) {
             if ($spMetadata['negotiate:disable'] == true) {
                 SimpleSAML\Logger::debug('Negotiate - SP disabled. falling back');
                 return true;
             } else {
                 SimpleSAML\Logger::debug('Negotiate - SP disable flag found but set to FALSE');
             }
         } else {
             SimpleSAML\Logger::debug('Negotiate - SP disable flag not found');
         }
         return false;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

◆ $admin_pw

sspmod_negotiate_Auth_Source_Negotiate::$admin_pw = null

protected

Definition at line 29 of file Negotiate.php.

◆ $admin_user

sspmod_negotiate_Auth_Source_Negotiate::$admin_user = null

protected

Definition at line 28 of file Negotiate.php.

◆ $attr

sspmod_negotiate_Auth_Source_Negotiate::$attr = 'uid'

protected

Definition at line 26 of file Negotiate.php.

◆ $attributes

sspmod_negotiate_Auth_Source_Negotiate::$attributes = null

protected

Definition at line 30 of file Negotiate.php.

◆ $backend

sspmod_negotiate_Auth_Source_Negotiate::$backend = ''

protected

Definition at line 17 of file Negotiate.php.

◆ $base

sspmod_negotiate_Auth_Source_Negotiate::$base = array()

protected

Definition at line 25 of file Negotiate.php.

◆ $debugLDAP

sspmod_negotiate_Auth_Source_Negotiate::$debugLDAP = false

protected

Definition at line 22 of file Negotiate.php.

◆ $enableTLS

sspmod_negotiate_Auth_Source_Negotiate::$enableTLS = false

protected

Definition at line 21 of file Negotiate.php.

◆ $hostname

sspmod_negotiate_Auth_Source_Negotiate::$hostname = ''

protected

Definition at line 18 of file Negotiate.php.

◆ $keytab

sspmod_negotiate_Auth_Source_Negotiate::$keytab = ''

protected

Definition at line 24 of file Negotiate.php.

◆ $ldap

sspmod_negotiate_Auth_Source_Negotiate::$ldap = null

protected

Definition at line 16 of file Negotiate.php.

◆ $port

sspmod_negotiate_Auth_Source_Negotiate::$port = 389

protected

Definition at line 19 of file Negotiate.php.

◆ $referrals

sspmod_negotiate_Auth_Source_Negotiate::$referrals = true

protected

Definition at line 20 of file Negotiate.php.

◆ $subnet

sspmod_negotiate_Auth_Source_Negotiate::$subnet = null

protected

Definition at line 27 of file Negotiate.php.

◆ $timeout

sspmod_negotiate_Auth_Source_Negotiate::$timeout = 30

protected

Definition at line 23 of file Negotiate.php.

◆ STAGEID

const sspmod_negotiate_Auth_Source_Negotiate::STAGEID = 'sspmod_negotiate_Auth_Source_Negotiate.StageId'

Definition at line 14 of file Negotiate.php.

The documentation for this class was generated from the following file:

libs/composer/vendor/simplesamlphp/simplesamlphp/modules/negotiate/lib/Auth/Source/Negotiate.php

Public Member Functions

Static Public Member Functions

Data Fields

Protected Member Functions

Protected Attributes

Additional Inherited Members

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ adminBind()

◆ authenticate()

◆ checkMask()

◆ fallBack()

◆ logout()

◆ lookupUserData()

◆ sendNegotiate()

◆ spDisabledInMetadata()

Field Documentation

◆ $admin_pw

◆ $admin_user

◆ $attr

◆ $attributes

◆ $backend

◆ $base

◆ $debugLDAP

◆ $enableTLS

◆ $hostname

◆ $keytab

◆ $ldap

◆ $port

◆ $referrals

◆ $subnet

◆ $timeout

◆ STAGEID