ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
sspmod_authX509_Auth_Source_X509userCert Class Reference

Public Member Functions

 __construct ($info, &$config)
 Constructor for this authentication source. More...
 
 authFailed (&$state)
 Finish a failed authentication. More...
 
 authenticate (&$state)
 Validate certificate and login. More...
 
 authSuccesful (&$state)
 Finish a successful authentication. More...
 
- Public Member Functions inherited from SimpleSAML_Auth_Source
 __construct ($info, &$config)
 Constructor for an authentication source. More...
 
 getAuthId ()
 Retrieve the ID of this authentication source. More...
 
 authenticate (&$state)
 Process a request. More...
 
 reauthenticate (array &$state)
 Reauthenticate a user. More...
 
 initLogin ($return, $errorURL=null, array $params=array())
 Start authentication. More...
 
 logout (&$state)
 Log out from this authentication source. More...
 

Private Attributes

 $x509attributes = array('UID' => 'uid')
 Map of X.509 subject attributes (key) to the LDAP attribute (value) searched for that subject value when looking up the user in the directory. More...
 
 $ldapusercert = array('userCertificate;binary')
 LDAP attribute(s) holding the user's certificate(s) in DER form; null disables the certificate-match check. More...
 
 $ldapcf
 sspmod_ldap_ConfigHelper object used for the LDAP search and attribute retrieval. More...
 

Additional Inherited Members

- Static Public Member Functions inherited from SimpleSAML_Auth_Source
static getSourcesOfType ($type)
 Get sources of a specific type. More...
 
static completeAuth (&$state)
 Complete authentication. More...
 
static loginCompleted ($state)
 Called when a login operation has finished. More...
 
static completeLogout (&$state)
 Complete logout. More...
 
static getById ($authId, $type=null)
 Retrieve authentication source. More...
 
static logoutCallback ($state)
 Called when the authentication source receives an external logout request. More...
 
static getSources ()
 Retrieve list of authentication sources. More...
 
- Protected Member Functions inherited from SimpleSAML_Auth_Source
 addLogoutCallback ($assoc, $state)
 Add a logout callback association. More...
 
 callLogoutCallback ($assoc)
 Call a logout callback based on association. More...
 
- Static Protected Member Functions inherited from SimpleSAML_Auth_Source
static validateSource ($source, $id)
 Make sure that the first element of an auth source is its identifier. More...
 
- Protected Attributes inherited from SimpleSAML_Auth_Source
 $authId
 

Detailed Description

Authentication source that logs a user in from the TLS client certificate the web server exposes as $_SERVER['SSL_CLIENT_CERT']. Subject attributes of the certificate are mapped (see $x509attributes) to LDAP attributes and searched for the user's DN; unless $ldapusercert is null, the presented certificate must additionally be identical to one stored in that entry. The class only parses the certificate: verifying the chain, validity period and revocation status is left to the web server's client-certificate verification, which therefore must be enabled, and SSL_CLIENT_CERT must come from that TLS layer rather than from request data, for this source to be safe.

Definition at line 9 of file X509userCert.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_authX509_Auth_Source_X509userCert::__construct ($info, &$config)

Constructor for this authentication source.

All subclasses that implement their own constructor must call this constructor before using $config for anything.

Parameters
    array $info     Information about this authentication source.
    array &$config  Configuration for this authentication source.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 38 of file X509userCert.php.

    public function __construct($info, &$config)
    {
        assert(is_array($info));
        assert(is_array($config));

        // Subject-attribute => LDAP-attribute map; default array('UID' => 'uid').
        if (isset($config['authX509:x509attributes'])) {
            $this->x509attributes = $config['authX509:x509attributes'];
        }

        // LDAP attribute(s) holding the user's certificate; array_key_exists so
        // that an explicit null (no certificate-match check) is honoured.
        if (array_key_exists('authX509:ldapusercert', $config)) {
            $this->ldapusercert = $config['authX509:ldapusercert'];
        }

        parent::__construct($info, $config);

        // The remaining keys are ldap-module connection settings.
        $this->ldapcf = new sspmod_ldap_ConfigHelper(
            $config,
            'Authentication source ' . var_export($this->authId, true)
        );

        return;
    }

References $config, and $info.
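As an added illustration (not from this page or from the SimpleSAMLphp project), an authsources.php entry for this source. The two authX509: keys are the ones the constructor reads; the keys after them are the ldap module's connection settings that sspmod_ldap_ConfigHelper consumes, and the host name and base DN are placeholders.

```php
<?php
// config/authsources.php (excerpt). Added example, not project code;
// host name and base DN are placeholders.
$config = array(
    'x509' => array(
        'authX509:X509userCert',

        // Certificate subject attribute => LDAP attribute searched for its value.
        // The first mapping that yields a DN is used (default shown).
        'authX509:x509attributes' => array('UID' => 'uid'),

        // LDAP attribute(s) whose DER values the presented certificate must be
        // identical to (default shown). Setting this key to null disables that
        // check, so a subject-attribute match alone logs the user in:
        //   'authX509:ldapusercert' => null,
        'authX509:ldapusercert' => array('userCertificate;binary'),

        // Connection settings read by sspmod_ldap_ConfigHelper (ldap module keys).
        'hostname' => 'ldap.example.org',
        'enable_tls' => true,
        'search.enable' => true,
        'search.base' => 'ou=people,dc=example,dc=org',
        'search.attributes' => array('uid'),
        'attributes' => array('uid', 'cn', 'mail'),
    ),
);
```

Leave authX509:ldapusercert at its default unless every certificate the TLS layer accepts is already bound to exactly one directory entry; with null, any accepted certificate whose UID matches an entry logs in as that entry.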

Member Function Documentation

◆ authenticate()

sspmod_authX509_Auth_Source_X509userCert::authenticate (&$state)

Validate certificate and login.

This function tries to validate the certificate presented by the client. On success, the user is logged in without going through the login page. On failure, the authX509:X509error.php template is loaded with the error code (NOCERT, INVALIDCERT or UNKNOWNCERT) stored in $state['authX509.error']. "Validate" here means: the value of $_SERVER['SSL_CLIENT_CERT'] must parse as an X.509 certificate, one of its subject attributes must resolve to an LDAP entry, and, unless authX509:ldapusercert is null, the certificate must be identical to one stored in that entry. Chain, validity period and revocation are not checked by this method; they must be enforced by the TLS layer that sets SSL_CLIENT_CERT.

Parameters
    array &$state  Information about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 90 of file X509userCert.php.

    public function authenticate(&$state)
    {
        assert(is_array($state));
        $ldapcf = $this->ldapcf; // line 93, dropped by the extraction; restored from the References list below

        // Whatever the web server's TLS layer put in SSL_CLIENT_CERT; nothing
        // below checks the chain, validity period or revocation status.
        if (!isset($_SERVER['SSL_CLIENT_CERT']) ||
            ($_SERVER['SSL_CLIENT_CERT'] == '')) {
            $state['authX509.error'] = "NOCERT";
            $this->authFailed($state);

            assert(false); // should never be reached
            return;
        }

        $client_cert = $_SERVER['SSL_CLIENT_CERT'];
        $client_cert_data = openssl_x509_parse($client_cert);
        if ($client_cert_data === false) {
            SimpleSAML\Logger::error('authX509: invalid cert');
            $state['authX509.error'] = "INVALIDCERT";
            $this->authFailed($state);

            assert(false); // should never be reached
            return;
        }

        // Map subject attributes to LDAP attributes; the first search hit wins.
        $dn = null;
        foreach ($this->x509attributes as $x509_attr => $ldap_attr) {
            // value is scalar
            if (array_key_exists($x509_attr, $client_cert_data['subject'])) {
                $value = $client_cert_data['subject'][$x509_attr];
                SimpleSAML\Logger::info('authX509: cert ' . $x509_attr . ' = ' . $value);
                $dn = $ldapcf->searchfordn($ldap_attr, $value, true);
                if ($dn !== null) {
                    break;
                }
            }
        }

        if ($dn === null) {
            SimpleSAML\Logger::error('authX509: cert has no matching user in LDAP.');
            $state['authX509.error'] = "UNKNOWNCERT";
            $this->authFailed($state);

            assert(false); // should never be reached
            return;
        }

        if ($this->ldapusercert === null) { // do not check for certificate match
            // A subject-attribute match alone logs the user in.
            $attributes = $ldapcf->getAttributes($dn);
            assert(is_array($attributes));
            $state['Attributes'] = $attributes;
            $this->authSuccesful($state);

            assert(false); // should never be reached
            return;
        }

        $ldap_certs = $ldapcf->getAttributes($dn, $this->ldapusercert);
        if ($ldap_certs === false) {
            SimpleSAML\Logger::error('authX509: no certificate found in LDAP for dn=' . $dn);
            $state['authX509.error'] = "UNKNOWNCERT";
            $this->authFailed($state);

            assert(false); // should never be reached
            return;
        }

        // Flatten the values of all configured certificate attributes into one list.
        $merged_ldapcerts = array();
        foreach ($this->ldapusercert as $attr) {
            $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[$attr]);
        }
        $ldap_certs = $merged_ldapcerts;

        // Stored certificates are DER; convert to PEM and compare the parsed
        // structures with ===, so only the identical certificate matches.
        foreach ($ldap_certs as $ldap_cert) {
            $pem = \SimpleSAML\Utils\Crypto::der2pem($ldap_cert);
            $ldap_cert_data = openssl_x509_parse($pem);
            if ($ldap_cert_data === false) {
                SimpleSAML\Logger::error('authX509: cert in LDAP is invalid for dn=' . $dn);
                continue;
            }

            if ($ldap_cert_data === $client_cert_data) {
                $attributes = $ldapcf->getAttributes($dn);
                assert(is_array($attributes));
                $state['Attributes'] = $attributes;
                $this->authSuccesful($state);

                assert(false); // should never be reached
                return;
            }
        }

        SimpleSAML\Logger::error('authX509: no matching cert in LDAP for dn=' . $dn);
        $state['authX509.error'] = "UNKNOWNCERT";
        $this->authFailed($state);

        assert(false); // should never be reached
        return;
    }

References $_SERVER, $attributes, $ldapcf, $state, authFailed(), authSuccesful(), SimpleSAML\Utils\Crypto\der2pem(), SimpleSAML\Logger\error(), and SimpleSAML\Logger\info().
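The following is an added example, not code from this page or from SimpleSAMLphp: a stand-alone model of the match authenticate() performs, with an in-memory array (constructed test data) standing in for the LDAP directory. The helper names (issueTestCert, pem2der, der2pem, matchClientCert), the $directory layout and the EXPIREDCERT code are assumptions of this example; der2pem() reimplements the DER-to-PEM conversion rather than calling the project's \SimpleSAML\Utils\Crypto. It goes one step beyond the module by adding the validity-window check that the module leaves to the web server. Requires PHP with the openssl extension.

```php
<?php
// Added example, not SimpleSAMLphp code. Models the subject lookup and the
// certificate pinning of authenticate() against a constructed in-memory
// "directory", and adds the validity-window check the module does not do.
declare(strict_types=1);

// Issue a self-signed test certificate for a subject DN (constructed test data).
function issueTestCert(array $dn, int $days = 365): string
{
    $key = openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    $csr = openssl_csr_new($dn, $key, array('digest_alg' => 'sha256'));
    $cert = openssl_csr_sign($csr, null, $key, $days, array('digest_alg' => 'sha256'));
    openssl_x509_export($cert, $pem);
    return $pem;
}

// PEM -> DER, the encoding userCertificate;binary is stored in.
function pem2der(string $pem): string
{
    $b64 = preg_replace('/-----(BEGIN|END) CERTIFICATE-----|\s+/', '', $pem);
    return base64_decode($b64, true);
}

// DER -> PEM, the same transformation \SimpleSAML\Utils\Crypto::der2pem() applies.
function der2pem(string $der): string
{
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split(base64_encode($der), 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

// Model of authenticate(). $directory maps LDAP attribute => value => list of
// DER certificates of that entry. $pin === false corresponds to
// 'authX509:ldapusercert' => null. Returns array(error code or null, matched value).
function matchClientCert(string $clientPem, array $x509attributes, array $directory, bool $pin, int $now): array
{
    $client = openssl_x509_parse($clientPem);
    if ($client === false) {
        return array('INVALIDCERT', null);
    }
    // Not in the module: reject certificates outside their validity window.
    if ($now < $client['validFrom_time_t'] || $now > $client['validTo_time_t']) {
        return array('EXPIREDCERT', null); // hypothetical code; the module emits no such code
    }
    foreach ($x509attributes as $x509Attr => $ldapAttr) {
        if (!isset($client['subject'][$x509Attr])) {
            continue;
        }
        $value = $client['subject'][$x509Attr];
        if (!isset($directory[$ldapAttr][$value])) {
            continue; // searchfordn() found no DN; try the next mapping
        }
        if (!$pin) {
            return array(null, $value); // subject match alone is accepted
        }
        foreach ($directory[$ldapAttr][$value] as $der) {
            $stored = openssl_x509_parse(der2pem($der));
            // Parsed structures must be identical: issuer, serial, key, validity, extensions.
            if ($stored !== false && $stored === $client) {
                return array(null, $value);
            }
        }
        return array('UNKNOWNCERT', null); // entry found, presented cert not among its stored ones
    }
    return array('UNKNOWNCERT', null); // no mapping produced a DN
}

// Constructed scenario: Alice's enrolled certificate, and a second certificate
// with the same UID but a different key, as an accepting TLS layer might pass on.
$x509attributes = array('UID' => 'uid');
$alicePem = issueTestCert(array('CN' => 'Alice Example', 'UID' => 'alice'));
$roguePem = issueTestCert(array('CN' => 'Someone Else', 'UID' => 'alice'));
$directory = array('uid' => array('alice' => array(pem2der($alicePem))));
$now = time();

$cases = array(
    'alice, pinned'  => array($alicePem, true, $now),
    'rogue, pinned'  => array($roguePem, true, $now),
    'rogue, no pin'  => array($roguePem, false, $now),
    'alice, expired' => array($alicePem, true, $now + 2 * 365 * 86400),
);
foreach ($cases as $label => $c) {
    list($err, $uid) = matchClientCert($c[0], $x509attributes, $directory, $c[1], $c[2]);
    printf("%-15s %s\n", $label . ':', $err === null ? 'login as ' . $uid : $err);
}
```

Run with php on the command line. The second certificate carries the same UID as Alice's, so it resolves to her directory entry in every case; only the pinning comparison of the parsed structures keeps it out, and with pinning disabled it logs in as alice. The expiry case shows a check the module itself never makes, which is why the TLS layer that sets SSL_CLIENT_CERT must do it.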


◆ authFailed()

sspmod_authX509_Auth_Source_X509userCert::authFailed (&$state)

Finish a failed authentication.

This function can be overloaded by a child authentication class that wishes to perform some operation on failure. The default implementation renders the authX509:X509error.php template with the error code from $state['authX509.error'] and terminates the request.

Parameters
    array &$state  Information about the current authentication.

Definition at line 69 of file X509userCert.php.

    public function authFailed(&$state)
    {
        $config = SimpleSAML_Configuration::getInstance(); // line 71, dropped by the extraction; restored from the References list below

        $t = new SimpleSAML_XHTML_Template($config, 'authX509:X509error.php');
        $t->data['errorcode'] = $state['authX509.error'];
        // line 75, dropped by the extraction: the call is confirmed by the References
        // list below; the 'errorcodes' key name is taken from the module source.
        $t->data['errorcodes'] = \SimpleSAML\Error\ErrorCodes::getAllErrorCodeMessages();

        $t->show();
        exit();
    }

References $config, $state, $t, exit, SimpleSAML\Error\ErrorCodes\getAllErrorCodeMessages(), and SimpleSAML_Configuration\getInstance().

Referenced by authenticate().


◆ authSuccesful()

sspmod_authX509_Auth_Source_X509userCert::authSuccesful (&$state)

Finish a successful authentication.

This function can be overloaded by a child authentication class that wishes to perform some operation after login. The default implementation hands $state (with 'Attributes' already set by authenticate()) to SimpleSAML_Auth_Source::completeAuth(), which does not return.

Parameters
    array &$state  Information about the current authentication.

Definition at line 199 of file X509userCert.php.

    public function authSuccesful(&$state)
    {
        SimpleSAML_Auth_Source::completeAuth($state); // line 201, dropped by the extraction; restored from the References list below

        assert(false); // should never be reached
        return;
    }

References $state, and SimpleSAML_Auth_Source\completeAuth().

Referenced by authenticate().


Field Documentation

◆ $ldapcf

sspmod_authX509_Auth_Source_X509userCert::$ldapcf
private

sspmod_ldap_ConfigHelper object built from the source's configuration in the constructor; used by authenticate() for searchfordn() and getAttributes().

Definition at line 27 of file X509userCert.php.

Referenced by authenticate().

◆ $ldapusercert

sspmod_authX509_Auth_Source_X509userCert::$ldapusercert = array('userCertificate;binary')
private

LDAP attribute(s) holding the user's certificate(s) in DER form. The presented certificate must be identical to one of these values; set to null (config key authX509:ldapusercert) to skip that check and accept a subject-attribute match alone.

Definition at line 21 of file X509userCert.php.

◆ $x509attributes

sspmod_authX509_Auth_Source_X509userCert::$x509attributes = array('UID' => 'uid')
private

Map of X.509 subject attributes (key, as returned by openssl_x509_parse, e.g. 'UID') to the LDAP attribute (value) searched for that subject value when looking up the user in the directory. Mappings are tried in order and the first one that yields a DN is used.

Definition at line 15 of file X509userCert.php.


The documentation for this class was generated from the following file: