Commit 6549e477 authored by Craig Andrews's avatar Craig Andrews

First version of a CAS authentication plugin

parent c9c316db
<?php
/**
* StatusNet, the distributed open-source microblogging tool
*
* Plugin to enable Single Sign On via CAS (Central Authentication Service)
*
* PHP version 5
*
* LICENCE: This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category Plugin
* @package StatusNet
* @author Craig Andrews <candrews@integralblue.com>
* @copyright 2009 Craig Andrews http://candrews.integralblue.com
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
* @link http://status.net/
*/
if (!defined('STATUSNET') && !defined('LACONICA')) {
exit(1);
}
// We bundle the phpCAS library...
set_include_path(get_include_path() . PATH_SEPARATOR . dirname(__FILE__) . '/extlib/CAS');
class CasAuthenticationPlugin extends AuthenticationPlugin
{
public $server;
public $port = 443;
public $path = '';
function checkPassword($username, $password)
{
global $casTempPassword;
return ($casTempPassword == $password);
}
function onAutoload($cls)
{
switch ($cls)
{
case 'phpCAS':
require_once(INSTALLDIR.'/plugins/CasAuthentication/extlib/CAS.php');
return false;
case 'CasloginAction':
require_once(INSTALLDIR.'/plugins/CasAuthentication/' . strtolower(mb_substr($cls, 0, -6)) . '.php');
return false;
default:
return parent::onAutoload($cls);
}
}
function onStartInitializeRouter($m)
{
$m->connect('main/cas', array('action' => 'caslogin'));
return true;
}
function onEndLoginGroupNav(&$action)
{
$action_name = $action->trimmed('action');
$action->menuItem(common_local_url('caslogin'),
_m('CAS'),
_m('Login or register with CAS'),
$action_name === 'caslogin');
return true;
}
function onEndShowPageNotice($action)
{
$name = $action->trimmed('action');
switch ($name)
{
case 'login':
$instr = '(Have an account with CAS? ' .
'Try our [CAS login]'.
'(%%action.caslogin%%)!)';
break;
default:
return true;
}
$output = common_markup_to_html($instr);
$action->raw($output);
return true;
}
function onLoginAction($action, &$login)
{
switch ($action)
{
case 'caslogin':
$login = true;
return false;
default:
return true;
}
}
function onInitializePlugin(){
parent::onInitializePlugin();
if(!isset($this->server)){
throw new Exception("must specify a server");
}
if(!isset($this->port)){
throw new Exception("must specify a port");
}
if(!isset($this->path)){
throw new Exception("must specify a path");
}
//These values need to be accessible to a action object
//I can't think of any other way than global variables
//to allow the action instance to be able to see values :-(
global $casSettings;
$casSettings = array();
$casSettings['server']=$this->server;
$casSettings['port']=$this->port;
$casSettings['path']=$this->path;
}
}
The CAS Authentication plugin allows for StatusNet to handle authentication
through CAS (Central Authentication Service).
Installation
============
add "addPlugin('casAuthentication',
array('setting'=>'value', 'setting2'=>'value2', ...);"
to the bottom of your config.php
Settings
========
provider_name*: a unique name for this authentication provider.
authoritative (false): Set to true if CAS's responses are authoritative
(if authorative and CAS fails, no other password checking will be done).
autoregistration (false): Set to true if users should be automatically created
when they attempt to login.
email_changeable (true): Are users allowed to change their email address?
(true or false)
password_changeable*: must be set to false. This plugin does not support changing passwords.
server*: CAS server to authentication against
port (443): Port the CAS server listens on. Almost always 443
path (): Path on the server to CAS. Usually blank.
* required
default values are in (parenthesis)
Example
=======
addPlugin('casAuthentication', array(
'provider_name'=>'Example',
'authoritative'=>true,
'autoregistration'=>true,
'server'=>'sso-cas.univ-rennes1.fr',
'port'=>443,
'path'=>''
));
<?php
/*
* StatusNet - the distributed open-source microblogging tool
* Copyright (C) 2008, 2009, StatusNet, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); }
class CasloginAction extends Action
{
function handle($args)
{
parent::handle($args);
if (common_is_real_login()) {
$this->clientError(_m('Already logged in.'));
} else {
global $casSettings;
phpCAS::client(CAS_VERSION_2_0,$casSettings['server'],$casSettings['port'],$casSettings['path']);
phpCAS::setNoCasServerValidation();
phpCAS::handleLogoutRequests();
phpCAS::forceAuthentication();
global $casTempPassword;
$casTempPassword = common_good_rand(16);
$user = common_check_user(phpCAS::getUser(), $casTempPassword);
if (!$user) {
$this->serverError(_('Incorrect username or password.'));
return;
}
// success!
if (!common_set_user($user)) {
$this->serverError(_('Error setting user. You are probably not authorized.'));
return;
}
common_real_login(true);
$url = common_get_returnto();
if ($url) {
// We don't have to return to it again
common_set_returnto(null);
} else {
$url = common_local_url('all',
array('nickname' =>
$user->nickname));
}
common_redirect($url, 303);
}
}
}
This diff is collapsed.
<?php
/**
* @file CAS/PGTStorage/pgt-db.php
* Basic class for PGT database storage
*/
/**
* @class PGTStorageDB
* The PGTStorageDB class is a class for PGT database storage. An instance of
* this class is returned by CASClient::SetPGTStorageDB().
*
* @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>
*
* @ingroup internalPGTStorageDB
*/
class PGTStorageDB extends PGTStorage
{
/**
* @addtogroup internalPGTStorageDB
* @{
*/
/**
* a string representing a PEAR DB URL to connect to the database. Written by
* PGTStorageDB::PGTStorageDB(), read by getURL().
*
* @hideinitializer
* @private
*/
var $_url='';
/**
* This method returns the PEAR DB URL to use to connect to the database.
*
* @return a PEAR DB URL
*
* @private
*/
function getURL()
{
return $this->_url;
}
/**
* The handle of the connection to the database where PGT's are stored. Written by
* PGTStorageDB::init(), read by getLink().
*
* @hideinitializer
* @private
*/
var $_link = null;
/**
* This method returns the handle of the connection to the database where PGT's are
* stored.
*
* @return a handle of connection.
*
* @private
*/
function getLink()
{
return $this->_link;
}
/**
* The name of the table where PGT's are stored. Written by
* PGTStorageDB::PGTStorageDB(), read by getTable().
*
* @hideinitializer
* @private
*/
var $_table = '';
/**
* This method returns the name of the table where PGT's are stored.
*
* @return the name of a table.
*
* @private
*/
function getTable()
{
return $this->_table;
}
// ########################################################################
// DEBUGGING
// ########################################################################
/**
* This method returns an informational string giving the type of storage
* used by the object (used for debugging purposes).
*
* @return an informational string.
* @public
*/
function getStorageType()
{
return "database";
}
/**
* This method returns an informational string giving informations on the
* parameters of the storage.(used for debugging purposes).
*
* @public
*/
function getStorageInfo()
{
return 'url=`'.$this->getURL().'\', table=`'.$this->getTable().'\'';
}
// ########################################################################
// CONSTRUCTOR
// ########################################################################
/**
* The class constructor, called by CASClient::SetPGTStorageDB().
*
* @param $cas_parent the CASClient instance that creates the object.
* @param $user the user to access the data with
* @param $password the user's password
* @param $database_type the type of the database hosting the data
* @param $hostname the server hosting the database
* @param $port the port the server is listening on
* @param $database the name of the database
* @param $table the name of the table storing the data
*
* @public
*/
function PGTStorageDB($cas_parent,$user,$password,$database_type,$hostname,$port,$database,$table)
{
phpCAS::traceBegin();
// call the ancestor's constructor
$this->PGTStorage($cas_parent);
if ( empty($database_type) ) $database_type = CAS_PGT_STORAGE_DB_DEFAULT_DATABASE_TYPE;
if ( empty($hostname) ) $hostname = CAS_PGT_STORAGE_DB_DEFAULT_HOSTNAME;
if ( $port==0 ) $port = CAS_PGT_STORAGE_DB_DEFAULT_PORT;
if ( empty($database) ) $database = CAS_PGT_STORAGE_DB_DEFAULT_DATABASE;
if ( empty($table) ) $table = CAS_PGT_STORAGE_DB_DEFAULT_TABLE;
// build and store the PEAR DB URL
$this->_url = $database_type.':'.'//'.$user.':'.$password.'@'.$hostname.':'.$port.'/'.$database;
// XXX should use setURL and setTable
phpCAS::traceEnd();
}
// ########################################################################
// INITIALIZATION
// ########################################################################
/**
* This method is used to initialize the storage. Halts on error.
*
* @public
*/
function init()
{
phpCAS::traceBegin();
// if the storage has already been initialized, return immediatly
if ( $this->isInitialized() )
return;
// call the ancestor's method (mark as initialized)
parent::init();
//include phpDB library (the test was introduced in release 0.4.8 for
//the integration into Tikiwiki).
if (!class_exists('DB')) {
include_once('DB.php');
}
// try to connect to the database
$this->_link = DB::connect($this->getURL());
if ( DB::isError($this->_link) ) {
phpCAS::error('could not connect to database ('.DB::errorMessage($this->_link).')');
}
var_dump($this->_link);
phpCAS::traceBEnd();
}
/** @} */
}
?>
\ No newline at end of file
<?php
/**
* @file CAS/PGTStorage/pgt-file.php
* Basic class for PGT file storage
*/
/**
* @class PGTStorageFile
* The PGTStorageFile class is a class for PGT file storage. An instance of
* this class is returned by CASClient::SetPGTStorageFile().
*
* @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>
*
* @ingroup internalPGTStorageFile
*/
class PGTStorageFile extends PGTStorage
{
/**
* @addtogroup internalPGTStorageFile
* @{
*/
/**
* a string telling where PGT's should be stored on the filesystem. Written by
* PGTStorageFile::PGTStorageFile(), read by getPath().
*
* @private
*/
var $_path;
/**
* This method returns the name of the directory where PGT's should be stored
* on the filesystem.
*
* @return the name of a directory (with leading and trailing '/')
*
* @private
*/
function getPath()
{
return $this->_path;
}
/**
* a string telling the format to use to store PGT's (plain or xml). Written by
* PGTStorageFile::PGTStorageFile(), read by getFormat().
*
* @private
*/
var $_format;
/**
* This method returns the format to use when storing PGT's on the filesystem.
*
* @return a string corresponding to the format used (plain or xml).
*
* @private
*/
function getFormat()
{
return $this->_format;
}
// ########################################################################
// DEBUGGING
// ########################################################################
/**
* This method returns an informational string giving the type of storage
* used by the object (used for debugging purposes).
*
* @return an informational string.
* @public
*/
function getStorageType()
{
return "file";
}
/**
* This method returns an informational string giving informations on the
* parameters of the storage.(used for debugging purposes).
*
* @return an informational string.
* @public
*/
function getStorageInfo()
{
return 'path=`'.$this->getPath().'\', format=`'.$this->getFormat().'\'';
}
// ########################################################################
// CONSTRUCTOR
// ########################################################################
/**
* The class constructor, called by CASClient::SetPGTStorageFile().
*
* @param $cas_parent the CASClient instance that creates the object.
* @param $format the format used to store the PGT's (`plain' and `xml' allowed).
* @param $path the path where the PGT's should be stored
*
* @public
*/
function PGTStorageFile($cas_parent,$format,$path)
{
phpCAS::traceBegin();
// call the ancestor's constructor
$this->PGTStorage($cas_parent);
if (empty($format) ) $format = CAS_PGT_STORAGE_FILE_DEFAULT_FORMAT;
if (empty($path) ) $path = CAS_PGT_STORAGE_FILE_DEFAULT_PATH;
// check that the path is an absolute path
if (getenv("OS")=="Windows_NT"){
if (!preg_match('`^[a-zA-Z]:`', $path)) {
phpCAS::error('an absolute path is needed for PGT storage to file');
}
}
else
{
if ( $path[0] != '/' ) {
phpCAS::error('an absolute path is needed for PGT storage to file');
}
// store the path (with a leading and trailing '/')
$path = preg_replace('|[/]*$|','/',$path);
$path = preg_replace('|^[/]*|','/',$path);
}
$this->_path = $path;
// check the format and store it
switch ($format) {
case CAS_PGT_STORAGE_FILE_FORMAT_PLAIN:
case CAS_PGT_STORAGE_FILE_FORMAT_XML:
$this->_format = $format;
break;
default:
phpCAS::error('unknown PGT file storage format (`'.CAS_PGT_STORAGE_FILE_FORMAT_PLAIN.'\' and `'.CAS_PGT_STORAGE_FILE_FORMAT_XML.'\' allowed)');
}
phpCAS::traceEnd();
}
// ########################################################################
// INITIALIZATION
// ########################################################################
/**
* This method is used to initialize the storage. Halts on error.
*
* @public
*/
function init()
{
phpCAS::traceBegin();
// if the storage has already been initialized, return immediatly
if ( $this->isInitialized() )
return;
// call the ancestor's method (mark as initialized)
parent::init();
phpCAS::traceEnd();
}
// ########################################################################
// PGT I/O
// ########################################################################
/**
* This method returns the filename corresponding to a PGT Iou.
*
* @param $pgt_iou the PGT iou.
*
* @return a filename
* @private
*/
function getPGTIouFilename($pgt_iou)
{
phpCAS::traceBegin();
$filename = $this->getPath().$pgt_iou.'.'.$this->getFormat();
phpCAS::traceEnd($filename);
return $filename;
}
/**
* This method stores a PGT and its corresponding PGT Iou into a file. Echoes a
* warning on error.
*
* @param $pgt the PGT
* @param $pgt_iou the PGT iou
*
* @public
*/
function write($pgt,$pgt_iou)
{
phpCAS::traceBegin();
$fname = $this->getPGTIouFilename($pgt_iou);
if ( $f=fopen($fname,"w") ) {
if ( fputs($f,$pgt) === FALSE ) {
phpCAS::error('could not write PGT to `'.$fname.'\'');
}
fclose($f);
} else {
phpCAS::error('could not open `'.$fname.'\'');
}
phpCAS::traceEnd();
}
/**
* This method reads a PGT corresponding to a PGT Iou and deletes the
* corresponding file.
*
* @param $pgt_iou the PGT iou
*
* @return the corresponding PGT, or FALSE on error
*
* @public
*/
function read($pgt_iou)
{
phpCAS::traceBegin();
$pgt = FALSE;
$fname = $this->getPGTIouFilename($pgt_iou);
if ( !($f=fopen($fname,"r")) ) {
phpCAS::trace('could not open `'.$fname.'\'');
} else {
if ( ($pgt=fgets($f)) === FALSE ) {
phpCAS::trace('could not read PGT from `'.$fname.'\'');
}
fclose($f);
}
// delete the PGT file
@unlink($fname);
phpCAS::traceEnd