'
- : $this->_output_header)
- )
- );
- }
-
- /**
- * A string used to print the footer of HTML pages. Written by
- * CAS_Client::setHTMLFooter(), read by printHTMLFooter().
- *
- * @hideinitializer
- * @see CAS_Client::setHTMLFooter, CAS_Client::printHTMLFooter()
- */
- private $_output_footer = '';
-
- /**
- * This method prints the footer of the HTML output (after filtering). If
- * CAS_Client::setHTMLFooter() was not used, a default footer is output.
- *
- * @return void
- * @see _htmlFilterOutput()
- */
- public function printHTMLFooter()
- {
- if (!phpCAS::getVerbose()) {
- return;
- }
-
- $lang = $this->getLangObj();
- $message = empty($this->_output_footer)
- ? 'phpCAS __PHPCAS_VERSION__ ' . $lang->getUsingServer() .
- ' __SERVER_BASE_URL__ (CAS __CAS_VERSION__)'
- : $this->_output_footer;
-
- $this->_htmlFilterOutput($message);
- }
-
- /**
- * This method set the HTML header used for all outputs.
- *
- * @param string $header the HTML header.
- *
- * @return void
- */
- public function setHTMLHeader($header)
- {
- // Argument Validation
- if (gettype($header) != 'string')
- throw new CAS_TypeMismatchException($header, '$header', 'string');
-
- $this->_output_header = $header;
- }
-
- /**
- * This method set the HTML footer used for all outputs.
- *
- * @param string $footer the HTML footer.
- *
- * @return void
- */
- public function setHTMLFooter($footer)
- {
- // Argument Validation
- if (gettype($footer) != 'string')
- throw new CAS_TypeMismatchException($footer, '$footer', 'string');
-
- $this->_output_footer = $footer;
- }
-
- /**
- * Simple wrapper for printf function, that respects
- * phpCAS verbosity setting.
- *
- * @param string $format
- * @param string|int|float ...$values
- *
- * @see printf()
- */
- private function printf(string $format, ...$values): void
- {
- if (phpCAS::getVerbose()) {
- printf($format, ...$values);
- }
- }
-
- /** @} */
-
-
- // ########################################################################
- // INTERNATIONALIZATION
- // ########################################################################
- /**
- * @addtogroup internalLang
- * @{
- */
- /**
- * A string corresponding to the language used by phpCAS. Written by
- * CAS_Client::setLang(), read by CAS_Client::getLang().
-
- * @note debugging information is always in english (debug purposes only).
- */
- private $_lang = PHPCAS_LANG_DEFAULT;
-
- /**
- * This method is used to set the language used by phpCAS.
- *
- * @param string $lang representing the language.
- *
- * @return void
- */
- public function setLang($lang)
- {
- // Argument Validation
- if (gettype($lang) != 'string')
- throw new CAS_TypeMismatchException($lang, '$lang', 'string');
-
- phpCAS::traceBegin();
- $obj = new $lang();
- if (!($obj instanceof CAS_Languages_LanguageInterface)) {
- throw new CAS_InvalidArgumentException(
- '$className must implement the CAS_Languages_LanguageInterface'
- );
- }
- $this->_lang = $lang;
- phpCAS::traceEnd();
- }
- /**
- * Create the language
- *
- * @return CAS_Languages_LanguageInterface object implementing the class
- */
- public function getLangObj()
- {
- $classname = $this->_lang;
- return new $classname();
- }
-
- /** @} */
- // ########################################################################
- // CAS SERVER CONFIG
- // ########################################################################
- /**
- * @addtogroup internalConfig
- * @{
- */
-
- /**
- * a record to store information about the CAS server.
- * - $_server['version']: the version of the CAS server
- * - $_server['hostname']: the hostname of the CAS server
- * - $_server['port']: the port the CAS server is running on
- * - $_server['uri']: the base URI the CAS server is responding on
- * - $_server['base_url']: the base URL of the CAS server
- * - $_server['login_url']: the login URL of the CAS server
- * - $_server['service_validate_url']: the service validating URL of the
- * CAS server
- * - $_server['proxy_url']: the proxy URL of the CAS server
- * - $_server['proxy_validate_url']: the proxy validating URL of the CAS server
- * - $_server['logout_url']: the logout URL of the CAS server
- *
- * $_server['version'], $_server['hostname'], $_server['port'] and
- * $_server['uri'] are written by CAS_Client::CAS_Client(), read by
- * CAS_Client::getServerVersion(), CAS_Client::_getServerHostname(),
- * CAS_Client::_getServerPort() and CAS_Client::_getServerURI().
- *
- * The other fields are written and read by CAS_Client::_getServerBaseURL(),
- * CAS_Client::getServerLoginURL(), CAS_Client::getServerServiceValidateURL(),
- * CAS_Client::getServerProxyValidateURL() and CAS_Client::getServerLogoutURL().
- *
- * @hideinitializer
- */
- private $_server = array(
- 'version' => '',
- 'hostname' => 'none',
- 'port' => -1,
- 'uri' => 'none');
-
- /**
- * This method is used to retrieve the version of the CAS server.
- *
- * @return string the version of the CAS server.
- */
- public function getServerVersion()
- {
- return $this->_server['version'];
- }
-
- /**
- * This method is used to retrieve the hostname of the CAS server.
- *
- * @return string the hostname of the CAS server.
- */
- private function _getServerHostname()
- {
- return $this->_server['hostname'];
- }
-
- /**
- * This method is used to retrieve the port of the CAS server.
- *
- * @return int the port of the CAS server.
- */
- private function _getServerPort()
- {
- return $this->_server['port'];
- }
-
- /**
- * This method is used to retrieve the URI of the CAS server.
- *
- * @return string a URI.
- */
- private function _getServerURI()
- {
- return $this->_server['uri'];
- }
-
- /**
- * This method is used to retrieve the base URL of the CAS server.
- *
- * @return string a URL.
- */
- private function _getServerBaseURL()
- {
- // the URL is build only when needed
- if ( empty($this->_server['base_url']) ) {
- $this->_server['base_url'] = 'https://' . $this->_getServerHostname();
- if ($this->_getServerPort()!=443) {
- $this->_server['base_url'] .= ':'
- .$this->_getServerPort();
- }
- $this->_server['base_url'] .= $this->_getServerURI();
- }
- return $this->_server['base_url'];
- }
-
- /**
- * This method is used to retrieve the login URL of the CAS server.
- *
- * @param bool $gateway true to check authentication, false to force it
- * @param bool $renew true to force the authentication with the CAS server
- *
- * @return string a URL.
- * @note It is recommended that CAS implementations ignore the "gateway"
- * parameter if "renew" is set
- */
- public function getServerLoginURL($gateway=false,$renew=false)
- {
- phpCAS::traceBegin();
- // the URL is build only when needed
- if ( empty($this->_server['login_url']) ) {
- $this->_server['login_url'] = $this->_buildQueryUrl($this->_getServerBaseURL().'login','service='.urlencode($this->getURL()));
- }
- $url = $this->_server['login_url'];
- if ($renew) {
- // It is recommended that when the "renew" parameter is set, its
- // value be "true"
- $url = $this->_buildQueryUrl($url, 'renew=true');
- } elseif ($gateway) {
- // It is recommended that when the "gateway" parameter is set, its
- // value be "true"
- $url = $this->_buildQueryUrl($url, 'gateway=true');
- }
- phpCAS::traceEnd($url);
- return $url;
- }
-
- /**
- * This method sets the login URL of the CAS server.
- *
- * @param string $url the login URL
- *
- * @return string login url
- */
- public function setServerLoginURL($url)
- {
- // Argument Validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- return $this->_server['login_url'] = $url;
- }
-
-
- /**
- * This method sets the serviceValidate URL of the CAS server.
- *
- * @param string $url the serviceValidate URL
- *
- * @return string serviceValidate URL
- */
- public function setServerServiceValidateURL($url)
- {
- // Argument Validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- return $this->_server['service_validate_url'] = $url;
- }
-
-
- /**
- * This method sets the proxyValidate URL of the CAS server.
- *
- * @param string $url the proxyValidate URL
- *
- * @return string proxyValidate URL
- */
- public function setServerProxyValidateURL($url)
- {
- // Argument Validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- return $this->_server['proxy_validate_url'] = $url;
- }
-
-
- /**
- * This method sets the samlValidate URL of the CAS server.
- *
- * @param string $url the samlValidate URL
- *
- * @return string samlValidate URL
- */
- public function setServerSamlValidateURL($url)
- {
- // Argument Validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- return $this->_server['saml_validate_url'] = $url;
- }
-
-
- /**
- * This method is used to retrieve the service validating URL of the CAS server.
- *
- * @return string serviceValidate URL.
- */
- public function getServerServiceValidateURL()
- {
- phpCAS::traceBegin();
- // the URL is build only when needed
- if ( empty($this->_server['service_validate_url']) ) {
- switch ($this->getServerVersion()) {
- case CAS_VERSION_1_0:
- $this->_server['service_validate_url'] = $this->_getServerBaseURL()
- .'validate';
- break;
- case CAS_VERSION_2_0:
- $this->_server['service_validate_url'] = $this->_getServerBaseURL()
- .'serviceValidate';
- break;
- case CAS_VERSION_3_0:
- $this->_server['service_validate_url'] = $this->_getServerBaseURL()
- .'p3/serviceValidate';
- break;
- }
- }
- $url = $this->_buildQueryUrl(
- $this->_server['service_validate_url'],
- 'service='.urlencode($this->getURL())
- );
- phpCAS::traceEnd($url);
- return $url;
- }
- /**
- * This method is used to retrieve the SAML validating URL of the CAS server.
- *
- * @return string samlValidate URL.
- */
- public function getServerSamlValidateURL()
- {
- phpCAS::traceBegin();
- // the URL is build only when needed
- if ( empty($this->_server['saml_validate_url']) ) {
- switch ($this->getServerVersion()) {
- case SAML_VERSION_1_1:
- $this->_server['saml_validate_url'] = $this->_getServerBaseURL().'samlValidate';
- break;
- }
- }
-
- $url = $this->_buildQueryUrl(
- $this->_server['saml_validate_url'],
- 'TARGET='.urlencode($this->getURL())
- );
- phpCAS::traceEnd($url);
- return $url;
- }
-
- /**
- * This method is used to retrieve the proxy validating URL of the CAS server.
- *
- * @return string proxyValidate URL.
- */
- public function getServerProxyValidateURL()
- {
- phpCAS::traceBegin();
- // the URL is build only when needed
- if ( empty($this->_server['proxy_validate_url']) ) {
- switch ($this->getServerVersion()) {
- case CAS_VERSION_1_0:
- $this->_server['proxy_validate_url'] = '';
- break;
- case CAS_VERSION_2_0:
- $this->_server['proxy_validate_url'] = $this->_getServerBaseURL().'proxyValidate';
- break;
- case CAS_VERSION_3_0:
- $this->_server['proxy_validate_url'] = $this->_getServerBaseURL().'p3/proxyValidate';
- break;
- }
- }
- $url = $this->_buildQueryUrl(
- $this->_server['proxy_validate_url'],
- 'service='.urlencode($this->getURL())
- );
- phpCAS::traceEnd($url);
- return $url;
- }
-
-
- /**
- * This method is used to retrieve the proxy URL of the CAS server.
- *
- * @return string proxy URL.
- */
- public function getServerProxyURL()
- {
- // the URL is build only when needed
- if ( empty($this->_server['proxy_url']) ) {
- switch ($this->getServerVersion()) {
- case CAS_VERSION_1_0:
- $this->_server['proxy_url'] = '';
- break;
- case CAS_VERSION_2_0:
- case CAS_VERSION_3_0:
- $this->_server['proxy_url'] = $this->_getServerBaseURL().'proxy';
- break;
- }
- }
- return $this->_server['proxy_url'];
- }
-
- /**
- * This method is used to retrieve the logout URL of the CAS server.
- *
- * @return string logout URL.
- */
- public function getServerLogoutURL()
- {
- // the URL is build only when needed
- if ( empty($this->_server['logout_url']) ) {
- $this->_server['logout_url'] = $this->_getServerBaseURL().'logout';
- }
- return $this->_server['logout_url'];
- }
-
- /**
- * This method sets the logout URL of the CAS server.
- *
- * @param string $url the logout URL
- *
- * @return string logout url
- */
- public function setServerLogoutURL($url)
- {
- // Argument Validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- return $this->_server['logout_url'] = $url;
- }
-
- /**
- * An array to store extra curl options.
- */
- private $_curl_options = array();
-
- /**
- * This method is used to set additional user curl options.
- *
- * @param string $key name of the curl option
- * @param string $value value of the curl option
- *
- * @return void
- */
- public function setExtraCurlOption($key, $value)
- {
- $this->_curl_options[$key] = $value;
- }
-
- /** @} */
-
- // ########################################################################
- // Change the internal behaviour of phpcas
- // ########################################################################
-
- /**
- * @addtogroup internalBehave
- * @{
- */
-
- /**
- * The class to instantiate for making web requests in readUrl().
- * The class specified must implement the CAS_Request_RequestInterface.
- * By default CAS_Request_CurlRequest is used, but this may be overridden to
- * supply alternate request mechanisms for testing.
- */
- private $_requestImplementation = 'CAS_Request_CurlRequest';
-
- /**
- * Override the default implementation used to make web requests in readUrl().
- * This class must implement the CAS_Request_RequestInterface.
- *
- * @param string $className name of the RequestImplementation class
- *
- * @return void
- */
- public function setRequestImplementation ($className)
- {
- $obj = new $className;
- if (!($obj instanceof CAS_Request_RequestInterface)) {
- throw new CAS_InvalidArgumentException(
- '$className must implement the CAS_Request_RequestInterface'
- );
- }
- $this->_requestImplementation = $className;
- }
-
- /**
- * @var boolean $_clearTicketsFromUrl; If true, phpCAS will clear session
- * tickets from the URL after a successful authentication.
- */
- private $_clearTicketsFromUrl = true;
-
- /**
- * Configure the client to not send redirect headers and call exit() on
- * authentication success. The normal redirect is used to remove the service
- * ticket from the client's URL, but for running unit tests we need to
- * continue without exiting.
- *
- * Needed for testing authentication
- *
- * @return void
- */
- public function setNoClearTicketsFromUrl ()
- {
- $this->_clearTicketsFromUrl = false;
- }
-
- /**
- * @var callback $_attributeParserCallbackFunction;
- */
- private $_casAttributeParserCallbackFunction = null;
-
- /**
- * @var array $_attributeParserCallbackArgs;
- */
- private $_casAttributeParserCallbackArgs = array();
-
- /**
- * Set a callback function to be run when parsing CAS attributes
- *
- * The callback function will be passed a XMLNode as its first parameter,
- * followed by any $additionalArgs you pass.
- *
- * @param string $function callback function to call
- * @param array $additionalArgs optional array of arguments
- *
- * @return void
- */
- public function setCasAttributeParserCallback($function, array $additionalArgs = array())
- {
- $this->_casAttributeParserCallbackFunction = $function;
- $this->_casAttributeParserCallbackArgs = $additionalArgs;
- }
-
- /** @var callable $_postAuthenticateCallbackFunction;
- */
- private $_postAuthenticateCallbackFunction = null;
-
- /**
- * @var array $_postAuthenticateCallbackArgs;
- */
- private $_postAuthenticateCallbackArgs = array();
-
- /**
- * Set a callback function to be run when a user authenticates.
- *
- * The callback function will be passed a $logoutTicket as its first parameter,
- * followed by any $additionalArgs you pass. The $logoutTicket parameter is an
- * opaque string that can be used to map a session-id to the logout request
- * in order to support single-signout in applications that manage their own
- * sessions (rather than letting phpCAS start the session).
- *
- * phpCAS::forceAuthentication() will always exit and forward client unless
- * they are already authenticated. To perform an action at the moment the user
- * logs in (such as registering an account, performing logging, etc), register
- * a callback function here.
- *
- * @param callable $function callback function to call
- * @param array $additionalArgs optional array of arguments
- *
- * @return void
- */
- public function setPostAuthenticateCallback ($function, array $additionalArgs = array())
- {
- $this->_postAuthenticateCallbackFunction = $function;
- $this->_postAuthenticateCallbackArgs = $additionalArgs;
- }
-
- /**
- * @var callable $_signoutCallbackFunction;
- */
- private $_signoutCallbackFunction = null;
-
- /**
- * @var array $_signoutCallbackArgs;
- */
- private $_signoutCallbackArgs = array();
-
- /**
- * Set a callback function to be run when a single-signout request is received.
- *
- * The callback function will be passed a $logoutTicket as its first parameter,
- * followed by any $additionalArgs you pass. The $logoutTicket parameter is an
- * opaque string that can be used to map a session-id to the logout request in
- * order to support single-signout in applications that manage their own sessions
- * (rather than letting phpCAS start and destroy the session).
- *
- * @param callable $function callback function to call
- * @param array $additionalArgs optional array of arguments
- *
- * @return void
- */
- public function setSingleSignoutCallback ($function, array $additionalArgs = array())
- {
- $this->_signoutCallbackFunction = $function;
- $this->_signoutCallbackArgs = $additionalArgs;
- }
-
- // ########################################################################
- // Methods for supplying code-flow feedback to integrators.
- // ########################################################################
-
- /**
- * Ensure that this is actually a proxy object or fail with an exception
- *
- * @throws CAS_OutOfSequenceBeforeProxyException
- *
- * @return void
- */
- public function ensureIsProxy()
- {
- if (!$this->isProxy()) {
- throw new CAS_OutOfSequenceBeforeProxyException();
- }
- }
-
- /**
- * Mark the caller of authentication. This will help client integraters determine
- * problems with their code flow if they call a function such as getUser() before
- * authentication has occurred.
- *
- * @param bool $auth True if authentication was successful, false otherwise.
- *
- * @return null
- */
- public function markAuthenticationCall ($auth)
- {
- // store where the authentication has been checked and the result
- $dbg = debug_backtrace();
- $this->_authentication_caller = array (
- 'file' => $dbg[1]['file'],
- 'line' => $dbg[1]['line'],
- 'method' => $dbg[1]['class'] . '::' . $dbg[1]['function'],
- 'result' => (boolean)$auth
- );
- }
- private $_authentication_caller;
-
- /**
- * Answer true if authentication has been checked.
- *
- * @return bool
- */
- public function wasAuthenticationCalled ()
- {
- return !empty($this->_authentication_caller);
- }
-
- /**
- * Ensure that authentication was checked. Terminate with exception if no
- * authentication was performed
- *
- * @throws CAS_OutOfSequenceBeforeAuthenticationCallException
- *
- * @return void
- */
- private function _ensureAuthenticationCalled()
- {
- if (!$this->wasAuthenticationCalled()) {
- throw new CAS_OutOfSequenceBeforeAuthenticationCallException();
- }
- }
-
- /**
- * Answer the result of the authentication call.
- *
- * Throws a CAS_OutOfSequenceException if wasAuthenticationCalled() is false
- * and markAuthenticationCall() didn't happen.
- *
- * @return bool
- */
- public function wasAuthenticationCallSuccessful ()
- {
- $this->_ensureAuthenticationCalled();
- return $this->_authentication_caller['result'];
- }
-
-
- /**
- * Ensure that authentication was checked. Terminate with exception if no
- * authentication was performed
- *
- * @throws CAS_OutOfSequenceException
- *
- * @return void
- */
- public function ensureAuthenticationCallSuccessful()
- {
- $this->_ensureAuthenticationCalled();
- if (!$this->_authentication_caller['result']) {
- throw new CAS_OutOfSequenceException(
- 'authentication was checked (by '
- . $this->getAuthenticationCallerMethod()
- . '() at ' . $this->getAuthenticationCallerFile()
- . ':' . $this->getAuthenticationCallerLine()
- . ') but the method returned false'
- );
- }
- }
-
- /**
- * Answer information about the authentication caller.
- *
- * Throws a CAS_OutOfSequenceException if wasAuthenticationCalled() is false
- * and markAuthenticationCall() didn't happen.
- *
- * @return string the file that called authentication
- */
- public function getAuthenticationCallerFile ()
- {
- $this->_ensureAuthenticationCalled();
- return $this->_authentication_caller['file'];
- }
-
- /**
- * Answer information about the authentication caller.
- *
- * Throws a CAS_OutOfSequenceException if wasAuthenticationCalled() is false
- * and markAuthenticationCall() didn't happen.
- *
- * @return int the line that called authentication
- */
- public function getAuthenticationCallerLine ()
- {
- $this->_ensureAuthenticationCalled();
- return $this->_authentication_caller['line'];
- }
-
- /**
- * Answer information about the authentication caller.
- *
- * Throws a CAS_OutOfSequenceException if wasAuthenticationCalled() is false
- * and markAuthenticationCall() didn't happen.
- *
- * @return string the method that called authentication
- */
- public function getAuthenticationCallerMethod ()
- {
- $this->_ensureAuthenticationCalled();
- return $this->_authentication_caller['method'];
- }
-
- /** @} */
-
- // ########################################################################
- // CONSTRUCTOR
- // ########################################################################
- /**
- * @addtogroup internalConfig
- * @{
- */
-
- /**
- * CAS_Client constructor.
- *
- * @param string $server_version the version of the CAS server
- * @param bool $proxy true if the CAS client is a CAS proxy
- * @param string $server_hostname the hostname of the CAS server
- * @param int $server_port the port the CAS server is running on
- * @param string $server_uri the URI the CAS server is responding on
- * @param bool $changeSessionID Allow phpCAS to change the session_id
- * (Single Sign Out/handleLogoutRequests
- * is based on that change)
- * @param string|string[]|CAS_ServiceBaseUrl_Interface
- * $service_base_url the base URL (protocol, host and the
- * optional port) of the CAS client; pass
- * in an array to use auto discovery with
- * an allowlist; pass in
- * CAS_ServiceBaseUrl_Interface for custom
- * behavior. Added in 1.6.0. Similar to
- * serverName config in other CAS clients.
- * @param \SessionHandlerInterface $sessionHandler the session handler
- *
- * @return self a newly created CAS_Client object
- */
- public function __construct(
- $server_version,
- $proxy,
- $server_hostname,
- $server_port,
- $server_uri,
- $service_base_url,
- $changeSessionID = true,
- \SessionHandlerInterface $sessionHandler = null
- ) {
- // Argument validation
- if (gettype($server_version) != 'string')
- throw new CAS_TypeMismatchException($server_version, '$server_version', 'string');
- if (gettype($proxy) != 'boolean')
- throw new CAS_TypeMismatchException($proxy, '$proxy', 'boolean');
- if (gettype($server_hostname) != 'string')
- throw new CAS_TypeMismatchException($server_hostname, '$server_hostname', 'string');
- if (gettype($server_port) != 'integer')
- throw new CAS_TypeMismatchException($server_port, '$server_port', 'integer');
- if (gettype($server_uri) != 'string')
- throw new CAS_TypeMismatchException($server_uri, '$server_uri', 'string');
- if (gettype($changeSessionID) != 'boolean')
- throw new CAS_TypeMismatchException($changeSessionID, '$changeSessionID', 'boolean');
-
- $this->_setServiceBaseUrl($service_base_url);
-
- if (empty($sessionHandler)) {
- $sessionHandler = new CAS_Session_PhpSession;
- }
-
- phpCAS::traceBegin();
- // true : allow to change the session_id(), false session_id won't be
- // changed and logout won't be handled because of that
- $this->_setChangeSessionID($changeSessionID);
-
- $this->setSessionHandler($sessionHandler);
-
- if (!$this->_isLogoutRequest()) {
- if (session_id() === "") {
- // skip Session Handling for logout requests and if don't want it
- session_start();
- phpCAS :: trace("Starting a new session " . session_id());
- }
- }
-
- // Only for debug purposes
- if ($this->isSessionAuthenticated()){
- phpCAS :: trace("Session is authenticated as: " . $this->getSessionValue('user'));
- } else {
- phpCAS :: trace("Session is not authenticated");
- }
- // are we in proxy mode ?
- $this->_proxy = $proxy;
-
- // Make cookie handling available.
- if ($this->isProxy()) {
- if (!$this->hasSessionValue('service_cookies')) {
- $this->setSessionValue('service_cookies', array());
- }
- // TODO remove explicit call to $_SESSION
- $this->_serviceCookieJar = new CAS_CookieJar(
- $_SESSION[static::PHPCAS_SESSION_PREFIX]['service_cookies']
- );
- }
-
- // check version
- $supportedProtocols = phpCAS::getSupportedProtocols();
- if (isset($supportedProtocols[$server_version]) === false) {
- phpCAS::error(
- 'this version of CAS (`'.$server_version
- .'\') is not supported by phpCAS '.phpCAS::getVersion()
- );
- }
-
- if ($server_version === CAS_VERSION_1_0 && $this->isProxy()) {
- phpCAS::error(
- 'CAS proxies are not supported in CAS '.$server_version
- );
- }
-
- $this->_server['version'] = $server_version;
-
- // check hostname
- if ( empty($server_hostname)
- || !preg_match('/[\.\d\-a-z]*/', $server_hostname)
- ) {
- phpCAS::error('bad CAS server hostname (`'.$server_hostname.'\')');
- }
- $this->_server['hostname'] = $server_hostname;
-
- // check port
- if ( $server_port == 0
- || !is_int($server_port)
- ) {
- phpCAS::error('bad CAS server port (`'.$server_hostname.'\')');
- }
- $this->_server['port'] = $server_port;
-
- // check URI
- if ( !preg_match('/[\.\d\-_a-z\/]*/', $server_uri) ) {
- phpCAS::error('bad CAS server URI (`'.$server_uri.'\')');
- }
- // add leading and trailing `/' and remove doubles
- if(strstr($server_uri, '?') === false) $server_uri .= '/';
- $server_uri = preg_replace('/\/\//', '/', '/'.$server_uri);
- $this->_server['uri'] = $server_uri;
-
- // set to callback mode if PgtIou and PgtId CGI GET parameters are provided
- if ( $this->isProxy() ) {
- if(!empty($_GET['pgtIou'])&&!empty($_GET['pgtId'])) {
- $this->_setCallbackMode(true);
- $this->_setCallbackModeUsingPost(false);
- } elseif (!empty($_POST['pgtIou'])&&!empty($_POST['pgtId'])) {
- $this->_setCallbackMode(true);
- $this->_setCallbackModeUsingPost(true);
- } else {
- $this->_setCallbackMode(false);
- $this->_setCallbackModeUsingPost(false);
- }
-
-
- }
-
- if ( $this->_isCallbackMode() ) {
- //callback mode: check that phpCAS is secured
- if ( !$this->getServiceBaseUrl()->isHttps() ) {
- phpCAS::error(
- 'CAS proxies must be secured to use phpCAS; PGT\'s will not be received from the CAS server'
- );
- }
- } else {
- //normal mode: get ticket and remove it from CGI parameters for
- // developers
- $ticket = (isset($_GET['ticket']) ? $_GET['ticket'] : '');
- if (preg_match('/^[SP]T-/', $ticket) ) {
- phpCAS::trace('Ticket \''.$ticket.'\' found');
- $this->setTicket($ticket);
- unset($_GET['ticket']);
- } else if ( !empty($ticket) ) {
- //ill-formed ticket, halt
- phpCAS::error(
- 'ill-formed ticket found in the URL (ticket=`'
- .htmlentities($ticket).'\')'
- );
- }
-
- }
- phpCAS::traceEnd();
- }
-
- /** @} */
-
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- // XX XX
- // XX Session Handling XX
- // XX XX
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
- /**
- * @addtogroup internalConfig
- * @{
- */
-
- /** The session prefix for phpCAS values */
- const PHPCAS_SESSION_PREFIX = 'phpCAS';
-
- /**
- * @var bool A variable to whether phpcas will use its own session handling. Default = true
- * @hideinitializer
- */
- private $_change_session_id = true;
-
- /**
- * @var SessionHandlerInterface
- */
- private $_sessionHandler;
-
- /**
- * Set a parameter whether to allow phpCAS to change session_id
- *
- * @param bool $allowed allow phpCAS to change session_id
- *
- * @return void
- */
- private function _setChangeSessionID($allowed)
- {
- $this->_change_session_id = $allowed;
- }
-
- /**
- * Get whether phpCAS is allowed to change session_id
- *
- * @return bool
- */
- public function getChangeSessionID()
- {
- return $this->_change_session_id;
- }
-
- /**
- * Set the session handler.
- *
- * @param \SessionHandlerInterface $sessionHandler
- *
- * @return bool
- */
- public function setSessionHandler(\SessionHandlerInterface $sessionHandler)
- {
- $this->_sessionHandler = $sessionHandler;
- if (session_status() !== PHP_SESSION_ACTIVE) {
- return session_set_save_handler($this->_sessionHandler, true);
- }
- return true;
- }
-
- /**
- * Get a session value using the given key.
- *
- * @param string $key
- * @param mixed $default default value if the key is not set
- *
- * @return mixed
- */
- protected function getSessionValue($key, $default = null)
- {
- $this->validateSession($key);
-
- if (isset($_SESSION[static::PHPCAS_SESSION_PREFIX][$key])) {
- return $_SESSION[static::PHPCAS_SESSION_PREFIX][$key];
- }
-
- return $default;
- }
-
- /**
- * Determine whether a session value is set or not.
- *
- * To check if a session value is empty or not please use
- * !!(getSessionValue($key)).
- *
- * @param string $key
- *
- * @return bool
- */
- protected function hasSessionValue($key)
- {
- $this->validateSession($key);
-
- return isset($_SESSION[static::PHPCAS_SESSION_PREFIX][$key]);
- }
-
- /**
- * Set a session value using the given key and value.
- *
- * @param string $key
- * @param mixed $value
- *
- * @return string
- */
- protected function setSessionValue($key, $value)
- {
- $this->validateSession($key);
-
- $this->ensureSessionArray();
- $_SESSION[static::PHPCAS_SESSION_PREFIX][$key] = $value;
- }
-
- /**
- * Ensure that the session array is initialized before writing to it.
- */
- protected function ensureSessionArray() {
- // init phpCAS session array
- if (!isset($_SESSION[static::PHPCAS_SESSION_PREFIX])
- || !is_array($_SESSION[static::PHPCAS_SESSION_PREFIX])) {
- $_SESSION[static::PHPCAS_SESSION_PREFIX] = array();
- }
- }
-
- /**
- * Remove a session value with the given key.
- *
- * @param string $key
- */
- protected function removeSessionValue($key)
- {
- $this->validateSession($key);
-
- if (isset($_SESSION[static::PHPCAS_SESSION_PREFIX][$key])) {
- unset($_SESSION[static::PHPCAS_SESSION_PREFIX][$key]);
- return true;
- }
-
- return false;
- }
-
- /**
- * Remove all phpCAS session values.
- */
- protected function clearSessionValues()
- {
- unset($_SESSION[static::PHPCAS_SESSION_PREFIX]);
- }
-
- /**
- * Ensure $key is a string for session utils input
- *
- * @param string $key
- *
- * @return bool
- */
- protected function validateSession($key)
- {
- if (!is_string($key)) {
- throw new InvalidArgumentException('Session key must be a string.');
- }
-
- return true;
- }
-
- /**
- * Renaming the session
- *
- * @param string $ticket name of the ticket
- *
- * @return void
- */
- protected function _renameSession($ticket)
- {
- phpCAS::traceBegin();
- if ($this->getChangeSessionID()) {
- if (!empty($this->_user)) {
- $old_session = $_SESSION;
- phpCAS :: trace("Killing session: ". session_id());
- session_destroy();
- // set up a new session, of name based on the ticket
- $session_id = $this->_sessionIdForTicket($ticket);
- phpCAS :: trace("Starting session: ". $session_id);
- session_id($session_id);
- session_start();
- phpCAS :: trace("Restoring old session vars");
- $_SESSION = $old_session;
- } else {
- phpCAS :: trace (
- 'Session should only be renamed after successfull authentication'
- );
- }
- } else {
- phpCAS :: trace(
- "Skipping session rename since phpCAS is not handling the session."
- );
- }
- phpCAS::traceEnd();
- }
-
- /** @} */
-
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- // XX XX
- // XX AUTHENTICATION XX
- // XX XX
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
- /**
- * @addtogroup internalAuthentication
- * @{
- */
-
- /**
- * The Authenticated user. Written by CAS_Client::_setUser(), read by
- * CAS_Client::getUser().
- *
- * @hideinitializer
- */
- private $_user = '';
-
- /**
- * This method sets the CAS user's login name.
- *
- * @param string $user the login name of the authenticated user.
- *
- * @return void
- */
- private function _setUser($user)
- {
- $this->_user = $user;
- }
-
- /**
- * This method returns the CAS user's login name.
- *
- * @return string the login name of the authenticated user
- *
- * @warning should be called only after CAS_Client::forceAuthentication() or
- * CAS_Client::isAuthenticated(), otherwise halt with an error.
- */
- public function getUser()
- {
- // Sequence validation
- $this->ensureAuthenticationCallSuccessful();
-
- return $this->_getUser();
- }
-
- /**
- * This method returns the CAS user's login name.
- *
- * @return string the login name of the authenticated user
- *
- * @warning should be called only after CAS_Client::forceAuthentication() or
- * CAS_Client::isAuthenticated(), otherwise halt with an error.
- */
- private function _getUser()
- {
- // This is likely a duplicate check that could be removed....
- if ( empty($this->_user) ) {
- phpCAS::error(
- 'this method should be used only after '.__CLASS__
- .'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()'
- );
- }
- return $this->_user;
- }
-
- /**
- * The Authenticated users attributes. Written by
- * CAS_Client::setAttributes(), read by CAS_Client::getAttributes().
- * @attention client applications should use phpCAS::getAttributes().
- *
- * @hideinitializer
- */
- private $_attributes = array();
-
- /**
- * Set an array of attributes
- *
- * @param array $attributes a key value array of attributes
- *
- * @return void
- */
- public function setAttributes($attributes)
- {
- $this->_attributes = $attributes;
- }
-
- /**
- * Get an key values arry of attributes
- *
- * @return array of attributes
- */
- public function getAttributes()
- {
- // Sequence validation
- $this->ensureAuthenticationCallSuccessful();
- // This is likely a duplicate check that could be removed....
- if ( empty($this->_user) ) {
- // if no user is set, there shouldn't be any attributes also...
- phpCAS::error(
- 'this method should be used only after '.__CLASS__
- .'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()'
- );
- }
- return $this->_attributes;
- }
-
- /**
- * Check whether attributes are available
- *
- * @return bool attributes available
- */
- public function hasAttributes()
- {
- // Sequence validation
- $this->ensureAuthenticationCallSuccessful();
-
- return !empty($this->_attributes);
- }
- /**
- * Check whether a specific attribute with a name is available
- *
- * @param string $key name of attribute
- *
- * @return bool is attribute available
- */
- public function hasAttribute($key)
- {
- // Sequence validation
- $this->ensureAuthenticationCallSuccessful();
-
- return $this->_hasAttribute($key);
- }
-
- /**
- * Check whether a specific attribute with a name is available
- *
- * @param string $key name of attribute
- *
- * @return bool is attribute available
- */
- private function _hasAttribute($key)
- {
- return (is_array($this->_attributes)
- && array_key_exists($key, $this->_attributes));
- }
-
- /**
- * Get a specific attribute by name
- *
- * @param string $key name of attribute
- *
- * @return string attribute values
- */
- public function getAttribute($key)
- {
- // Sequence validation
- $this->ensureAuthenticationCallSuccessful();
-
- if ($this->_hasAttribute($key)) {
- return $this->_attributes[$key];
- }
- }
-
- /**
- * This method is called to renew the authentication of the user
- * If the user is authenticated, renew the connection
- * If not, redirect to CAS
- *
- * @return bool true when the user is authenticated; otherwise halt.
- */
- public function renewAuthentication()
- {
- phpCAS::traceBegin();
- // Either way, the user is authenticated by CAS
- $this->removeSessionValue('auth_checked');
- if ( $this->isAuthenticated(true) ) {
- phpCAS::trace('user already authenticated');
- $res = true;
- } else {
- $this->redirectToCas(false, true);
- // never reached
- $res = false;
- }
- phpCAS::traceEnd();
- return $res;
- }
-
- /**
- * This method is called to be sure that the user is authenticated. When not
- * authenticated, halt by redirecting to the CAS server; otherwise return true.
- *
- * @return bool true when the user is authenticated; otherwise halt.
- */
- public function forceAuthentication()
- {
- phpCAS::traceBegin();
-
- if ( $this->isAuthenticated() ) {
- // the user is authenticated, nothing to be done.
- phpCAS::trace('no need to authenticate');
- $res = true;
- } else {
- // the user is not authenticated, redirect to the CAS server
- $this->removeSessionValue('auth_checked');
- $this->redirectToCas(false/* no gateway */);
- // never reached
- $res = false;
- }
- phpCAS::traceEnd($res);
- return $res;
- }
-
- /**
- * An integer that gives the number of times authentication will be cached
- * before rechecked.
- *
- * @hideinitializer
- */
- private $_cache_times_for_auth_recheck = 0;
-
- /**
- * Set the number of times authentication will be cached before rechecked.
- *
- * @param int $n number of times to wait for a recheck
- *
- * @return void
- */
- public function setCacheTimesForAuthRecheck($n)
- {
- if (gettype($n) != 'integer')
- throw new CAS_TypeMismatchException($n, '$n', 'string');
-
- $this->_cache_times_for_auth_recheck = $n;
- }
-
- /**
- * This method is called to check whether the user is authenticated or not.
- *
- * @return bool true when the user is authenticated, false when a previous
- * gateway login failed or the function will not return if the user is
- * redirected to the cas server for a gateway login attempt
- */
- public function checkAuthentication()
- {
- phpCAS::traceBegin();
- $res = false; // default
- if ( $this->isAuthenticated() ) {
- phpCAS::trace('user is authenticated');
- /* The 'auth_checked' variable is removed just in case it's set. */
- $this->removeSessionValue('auth_checked');
- $res = true;
- } else if ($this->getSessionValue('auth_checked')) {
- // the previous request has redirected the client to the CAS server
- // with gateway=true
- $this->removeSessionValue('auth_checked');
- } else {
- // avoid a check against CAS on every request
- // we need to write this back to session later
- $unauth_count = $this->getSessionValue('unauth_count', -2);
-
- if (($unauth_count != -2
- && $this->_cache_times_for_auth_recheck == -1)
- || ($unauth_count >= 0
- && $unauth_count < $this->_cache_times_for_auth_recheck)
- ) {
- if ($this->_cache_times_for_auth_recheck != -1) {
- $unauth_count++;
- phpCAS::trace(
- 'user is not authenticated (cached for '
- .$unauth_count.' times of '
- .$this->_cache_times_for_auth_recheck.')'
- );
- } else {
- phpCAS::trace(
- 'user is not authenticated (cached for until login pressed)'
- );
- }
- $this->setSessionValue('unauth_count', $unauth_count);
- } else {
- $this->setSessionValue('unauth_count', 0);
- $this->setSessionValue('auth_checked', true);
- phpCAS::trace('user is not authenticated (cache reset)');
- $this->redirectToCas(true/* gateway */);
- // never reached
- }
- }
- phpCAS::traceEnd($res);
- return $res;
- }
-
- /**
- * This method is called to check if the user is authenticated (previously or by
- * tickets given in the URL).
- *
- * @param bool $renew true to force the authentication with the CAS server
- *
- * @return bool true when the user is authenticated. Also may redirect to the
- * same URL without the ticket.
- */
- public function isAuthenticated($renew=false)
- {
- phpCAS::traceBegin();
- $res = false;
-
- if ( $this->_wasPreviouslyAuthenticated() ) {
- if ($this->hasTicket()) {
- // User has a additional ticket but was already authenticated
- phpCAS::trace(
- 'ticket was present and will be discarded, use renewAuthenticate()'
- );
- if ($this->_clearTicketsFromUrl) {
- phpCAS::trace("Prepare redirect to : ".$this->getURL());
- session_write_close();
- header('Location: '.$this->getURL());
- flush();
- phpCAS::traceExit();
- throw new CAS_GracefullTerminationException();
- } else {
- phpCAS::trace(
- 'Already authenticated, but skipping ticket clearing since setNoClearTicketsFromUrl() was used.'
- );
- $res = true;
- }
- } else {
- // the user has already (previously during the session) been
- // authenticated, nothing to be done.
- phpCAS::trace(
- 'user was already authenticated, no need to look for tickets'
- );
- $res = true;
- }
-
- // Mark the auth-check as complete to allow post-authentication
- // callbacks to make use of phpCAS::getUser() and similar methods
- $this->markAuthenticationCall($res);
- } else {
- if ($this->hasTicket()) {
- $validate_url = '';
- $text_response = '';
- $tree_response = '';
-
- switch ($this->getServerVersion()) {
- case CAS_VERSION_1_0:
- // if a Service Ticket was given, validate it
- phpCAS::trace(
- 'CAS 1.0 ticket `'.$this->getTicket().'\' is present'
- );
- $this->validateCAS10(
- $validate_url, $text_response, $tree_response, $renew
- ); // if it fails, it halts
- phpCAS::trace(
- 'CAS 1.0 ticket `'.$this->getTicket().'\' was validated'
- );
- $this->setSessionValue('user', $this->_getUser());
- $res = true;
- $logoutTicket = $this->getTicket();
- break;
- case CAS_VERSION_2_0:
- case CAS_VERSION_3_0:
- // if a Proxy Ticket was given, validate it
- phpCAS::trace(
- 'CAS '.$this->getServerVersion().' ticket `'.$this->getTicket().'\' is present'
- );
- $this->validateCAS20(
- $validate_url, $text_response, $tree_response, $renew
- ); // note: if it fails, it halts
- phpCAS::trace(
- 'CAS '.$this->getServerVersion().' ticket `'.$this->getTicket().'\' was validated'
- );
- if ( $this->isProxy() ) {
- $this->_validatePGT(
- $validate_url, $text_response, $tree_response
- ); // idem
- phpCAS::trace('PGT `'.$this->_getPGT().'\' was validated');
- $this->setSessionValue('pgt', $this->_getPGT());
- }
- $this->setSessionValue('user', $this->_getUser());
- if (!empty($this->_attributes)) {
- $this->setSessionValue('attributes', $this->_attributes);
- }
- $proxies = $this->getProxies();
- if (!empty($proxies)) {
- $this->setSessionValue('proxies', $this->getProxies());
- }
- $res = true;
- $logoutTicket = $this->getTicket();
- break;
- case SAML_VERSION_1_1:
- // if we have a SAML ticket, validate it.
- phpCAS::trace(
- 'SAML 1.1 ticket `'.$this->getTicket().'\' is present'
- );
- $this->validateSA(
- $validate_url, $text_response, $tree_response, $renew
- ); // if it fails, it halts
- phpCAS::trace(
- 'SAML 1.1 ticket `'.$this->getTicket().'\' was validated'
- );
- $this->setSessionValue('user', $this->_getUser());
- $this->setSessionValue('attributes', $this->_attributes);
- $res = true;
- $logoutTicket = $this->getTicket();
- break;
- default:
- phpCAS::trace('Protocol error');
- break;
- }
- } else {
- // no ticket given, not authenticated
- phpCAS::trace('no ticket found');
- }
-
- // Mark the auth-check as complete to allow post-authentication
- // callbacks to make use of phpCAS::getUser() and similar methods
- $this->markAuthenticationCall($res);
-
- if ($res) {
- // call the post-authenticate callback if registered.
- if ($this->_postAuthenticateCallbackFunction) {
- $args = $this->_postAuthenticateCallbackArgs;
- array_unshift($args, $logoutTicket);
- call_user_func_array(
- $this->_postAuthenticateCallbackFunction, $args
- );
- }
-
- // if called with a ticket parameter, we need to redirect to the
- // app without the ticket so that CAS-ification is transparent
- // to the browser (for later POSTS) most of the checks and
- // errors should have been made now, so we're safe for redirect
- // without masking error messages. remove the ticket as a
- // security precaution to prevent a ticket in the HTTP_REFERRER
- if ($this->_clearTicketsFromUrl) {
- phpCAS::trace("Prepare redirect to : ".$this->getURL());
- session_write_close();
- header('Location: '.$this->getURL());
- flush();
- phpCAS::traceExit();
- throw new CAS_GracefullTerminationException();
- }
- }
- }
- phpCAS::traceEnd($res);
- return $res;
- }
-
- /**
- * This method tells if the current session is authenticated.
- *
- * @return bool true if authenticated based soley on $_SESSION variable
- */
- public function isSessionAuthenticated ()
- {
- return !!$this->getSessionValue('user');
- }
-
- /**
- * This method tells if the user has already been (previously) authenticated
- * by looking into the session variables.
- *
- * @note This function switches to callback mode when needed.
- *
- * @return bool true when the user has already been authenticated; false otherwise.
- */
- private function _wasPreviouslyAuthenticated()
- {
- phpCAS::traceBegin();
-
- if ( $this->_isCallbackMode() ) {
- // Rebroadcast the pgtIou and pgtId to all nodes
- if ($this->_rebroadcast&&!isset($_POST['rebroadcast'])) {
- $this->_rebroadcast(self::PGTIOU);
- }
- $this->_callback();
- }
-
- $auth = false;
-
- if ( $this->isProxy() ) {
- // CAS proxy: username and PGT must be present
- if ( $this->isSessionAuthenticated()
- && $this->getSessionValue('pgt')
- ) {
- // authentication already done
- $this->_setUser($this->getSessionValue('user'));
- if ($this->hasSessionValue('attributes')) {
- $this->setAttributes($this->getSessionValue('attributes'));
- }
- $this->_setPGT($this->getSessionValue('pgt'));
- phpCAS::trace(
- 'user = `'.$this->getSessionValue('user').'\', PGT = `'
- .$this->getSessionValue('pgt').'\''
- );
-
- // Include the list of proxies
- if ($this->hasSessionValue('proxies')) {
- $this->_setProxies($this->getSessionValue('proxies'));
- phpCAS::trace(
- 'proxies = "'
- .implode('", "', $this->getSessionValue('proxies')).'"'
- );
- }
-
- $auth = true;
- } elseif ( $this->isSessionAuthenticated()
- && !$this->getSessionValue('pgt')
- ) {
- // these two variables should be empty or not empty at the same time
- phpCAS::trace(
- 'username found (`'.$this->getSessionValue('user')
- .'\') but PGT is empty'
- );
- // unset all tickets to enforce authentication
- $this->clearSessionValues();
- $this->setTicket('');
- } elseif ( !$this->isSessionAuthenticated()
- && $this->getSessionValue('pgt')
- ) {
- // these two variables should be empty or not empty at the same time
- phpCAS::trace(
- 'PGT found (`'.$this->getSessionValue('pgt')
- .'\') but username is empty'
- );
- // unset all tickets to enforce authentication
- $this->clearSessionValues();
- $this->setTicket('');
- } else {
- phpCAS::trace('neither user nor PGT found');
- }
- } else {
- // `simple' CAS client (not a proxy): username must be present
- if ( $this->isSessionAuthenticated() ) {
- // authentication already done
- $this->_setUser($this->getSessionValue('user'));
- if ($this->hasSessionValue('attributes')) {
- $this->setAttributes($this->getSessionValue('attributes'));
- }
- phpCAS::trace('user = `'.$this->getSessionValue('user').'\'');
-
- // Include the list of proxies
- if ($this->hasSessionValue('proxies')) {
- $this->_setProxies($this->getSessionValue('proxies'));
- phpCAS::trace(
- 'proxies = "'
- .implode('", "', $this->getSessionValue('proxies')).'"'
- );
- }
-
- $auth = true;
- } else {
- phpCAS::trace('no user found');
- }
- }
-
- phpCAS::traceEnd($auth);
- return $auth;
- }
-
- /**
- * This method is used to redirect the client to the CAS server.
- * It is used by CAS_Client::forceAuthentication() and
- * CAS_Client::checkAuthentication().
- *
- * @param bool $gateway true to check authentication, false to force it
- * @param bool $renew true to force the authentication with the CAS server
- *
- * @return void
- */
- public function redirectToCas($gateway=false,$renew=false)
- {
- phpCAS::traceBegin();
- $cas_url = $this->getServerLoginURL($gateway, $renew);
- session_write_close();
- if (php_sapi_name() === 'cli') {
- @header('Location: '.$cas_url);
- } else {
- header('Location: '.$cas_url);
- }
- phpCAS::trace("Redirect to : ".$cas_url);
- $lang = $this->getLangObj();
- $this->printHTMLHeader($lang->getAuthenticationWanted());
- $this->printf('
'. $lang->getShouldHaveBeenRedirected(). '
', $cas_url);
- $this->printHTMLFooter();
- phpCAS::traceExit();
- throw new CAS_GracefullTerminationException();
- }
-
-
- /**
- * This method is used to logout from CAS.
- *
- * @param array $params an array that contains the optional url and service
- * parameters that will be passed to the CAS server
- *
- * @return void
- */
- public function logout($params)
- {
- phpCAS::traceBegin();
- $cas_url = $this->getServerLogoutURL();
- $paramSeparator = '?';
- if (isset($params['url'])) {
- $cas_url = $cas_url . $paramSeparator . "url="
- . urlencode($params['url']);
- $paramSeparator = '&';
- }
- if (isset($params['service'])) {
- $cas_url = $cas_url . $paramSeparator . "service="
- . urlencode($params['service']);
- }
- header('Location: '.$cas_url);
- phpCAS::trace("Prepare redirect to : ".$cas_url);
-
- phpCAS::trace("Destroying session : ".session_id());
- session_unset();
- session_destroy();
- if (session_status() === PHP_SESSION_NONE) {
- phpCAS::trace("Session terminated");
- } else {
- phpCAS::error("Session was not terminated");
- phpCAS::trace("Session was not terminated");
- }
- $lang = $this->getLangObj();
- $this->printHTMLHeader($lang->getLogout());
- $this->printf('
'.$lang->getShouldHaveBeenRedirected(). '
', $cas_url);
- $this->printHTMLFooter();
- phpCAS::traceExit();
- throw new CAS_GracefullTerminationException();
- }
-
- /**
- * Check of the current request is a logout request
- *
- * @return bool is logout request.
- */
- private function _isLogoutRequest()
- {
- return !empty($_POST['logoutRequest']);
- }
-
- /**
- * This method handles logout requests.
- *
- * @param bool $check_client true to check the client bofore handling
- * the request, false not to perform any access control. True by default.
- * @param array $allowed_clients an array of host names allowed to send
- * logout requests.
- *
- * @return void
- */
- public function handleLogoutRequests($check_client=true, $allowed_clients=array())
- {
- phpCAS::traceBegin();
- if (!$this->_isLogoutRequest()) {
- phpCAS::trace("Not a logout request");
- phpCAS::traceEnd();
- return;
- }
- if (!$this->getChangeSessionID()
- && is_null($this->_signoutCallbackFunction)
- ) {
- phpCAS::trace(
- "phpCAS can't handle logout requests if it is not allowed to change session_id."
- );
- }
- phpCAS::trace("Logout requested");
- $decoded_logout_rq = urldecode($_POST['logoutRequest']);
- phpCAS::trace("SAML REQUEST: ".$decoded_logout_rq);
- $allowed = false;
- if ($check_client) {
- if ($allowed_clients === array()) {
- $allowed_clients = array( $this->_getServerHostname() );
- }
- $client_ip = $_SERVER['REMOTE_ADDR'];
- $client = gethostbyaddr($client_ip);
- phpCAS::trace("Client: ".$client."/".$client_ip);
- foreach ($allowed_clients as $allowed_client) {
- if (($client == $allowed_client)
- || ($client_ip == $allowed_client)
- ) {
- phpCAS::trace(
- "Allowed client '".$allowed_client
- ."' matches, logout request is allowed"
- );
- $allowed = true;
- break;
- } else {
- phpCAS::trace(
- "Allowed client '".$allowed_client."' does not match"
- );
- }
- }
- } else {
- phpCAS::trace("No access control set");
- $allowed = true;
- }
- // If Logout command is permitted proceed with the logout
- if ($allowed) {
- phpCAS::trace("Logout command allowed");
- // Rebroadcast the logout request
- if ($this->_rebroadcast && !isset($_POST['rebroadcast'])) {
- $this->_rebroadcast(self::LOGOUT);
- }
- // Extract the ticket from the SAML Request
- preg_match(
- "|(.*)|",
- $decoded_logout_rq, $tick, PREG_OFFSET_CAPTURE, 3
- );
- $wrappedSamlSessionIndex = preg_replace(
- '||', '', $tick[0][0]
- );
- $ticket2logout = preg_replace(
- '||', '', $wrappedSamlSessionIndex
- );
- phpCAS::trace("Ticket to logout: ".$ticket2logout);
-
- // call the post-authenticate callback if registered.
- if ($this->_signoutCallbackFunction) {
- $args = $this->_signoutCallbackArgs;
- array_unshift($args, $ticket2logout);
- call_user_func_array($this->_signoutCallbackFunction, $args);
- }
-
- // If phpCAS is managing the session_id, destroy session thanks to
- // session_id.
- if ($this->getChangeSessionID()) {
- $session_id = $this->_sessionIdForTicket($ticket2logout);
- phpCAS::trace("Session id: ".$session_id);
-
- // destroy a possible application session created before phpcas
- if (session_id() !== "") {
- session_unset();
- session_destroy();
- }
- // fix session ID
- session_id($session_id);
- $_COOKIE[session_name()]=$session_id;
- $_GET[session_name()]=$session_id;
-
- // Overwrite session
- session_start();
- session_unset();
- session_destroy();
- phpCAS::trace("Session ". $session_id . " destroyed");
- }
- } else {
- phpCAS::error("Unauthorized logout request from client '".$client."'");
- phpCAS::trace("Unauthorized logout request from client '".$client."'");
- }
- flush();
- phpCAS::traceExit();
- throw new CAS_GracefullTerminationException();
-
- }
-
- /** @} */
-
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- // XX XX
- // XX BASIC CLIENT FEATURES (CAS 1.0) XX
- // XX XX
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
- // ########################################################################
- // ST
- // ########################################################################
- /**
- * @addtogroup internalBasic
- * @{
- */
-
- /**
- * The Ticket provided in the URL of the request if present
- * (empty otherwise). Written by CAS_Client::CAS_Client(), read by
- * CAS_Client::getTicket() and CAS_Client::_hasPGT().
- *
- * @hideinitializer
- */
- private $_ticket = '';
-
- /**
- * This method returns the Service Ticket provided in the URL of the request.
- *
- * @return string service ticket.
- */
- public function getTicket()
- {
- return $this->_ticket;
- }
-
- /**
- * This method stores the Service Ticket.
- *
- * @param string $st The Service Ticket.
- *
- * @return void
- */
- public function setTicket($st)
- {
- $this->_ticket = $st;
- }
-
- /**
- * This method tells if a Service Ticket was stored.
- *
- * @return bool if a Service Ticket has been stored.
- */
- public function hasTicket()
- {
- return !empty($this->_ticket);
- }
-
- /** @} */
-
- // ########################################################################
- // ST VALIDATION
- // ########################################################################
- /**
- * @addtogroup internalBasic
- * @{
- */
-
- /**
- * @var string the certificate of the CAS server CA.
- *
- * @hideinitializer
- */
- private $_cas_server_ca_cert = null;
-
-
- /**
-
- * validate CN of the CAS server certificate
-
- *
-
- * @hideinitializer
-
- */
-
- private $_cas_server_cn_validate = true;
-
- /**
- * Set to true not to validate the CAS server.
- *
- * @hideinitializer
- */
- private $_no_cas_server_validation = false;
-
-
- /**
- * Set the CA certificate of the CAS server.
- *
- * @param string $cert the PEM certificate file name of the CA that emited
- * the cert of the server
- * @param bool $validate_cn valiate CN of the CAS server certificate
- *
- * @return void
- */
- public function setCasServerCACert($cert, $validate_cn)
- {
- // Argument validation
- if (gettype($cert) != 'string') {
- throw new CAS_TypeMismatchException($cert, '$cert', 'string');
- }
- if (gettype($validate_cn) != 'boolean') {
- throw new CAS_TypeMismatchException($validate_cn, '$validate_cn', 'boolean');
- }
- if (!file_exists($cert)) {
- throw new CAS_InvalidArgumentException("Certificate file does not exist " . $this->_requestImplementation);
- }
- $this->_cas_server_ca_cert = $cert;
- $this->_cas_server_cn_validate = $validate_cn;
- }
-
- /**
- * Set no SSL validation for the CAS server.
- *
- * @return void
- */
- public function setNoCasServerValidation()
- {
- $this->_no_cas_server_validation = true;
- }
-
- /**
- * This method is used to validate a CAS 1,0 ticket; halt on failure, and
- * sets $validate_url, $text_reponse and $tree_response on success.
- *
- * @param string &$validate_url reference to the the URL of the request to
- * the CAS server.
- * @param string &$text_response reference to the response of the CAS
- * server, as is (XML text).
- * @param string &$tree_response reference to the response of the CAS
- * server, as a DOM XML tree.
- * @param bool $renew true to force the authentication with the CAS server
- *
- * @return bool true when successfull and issue a CAS_AuthenticationException
- * and false on an error
- * @throws CAS_AuthenticationException
- */
- public function validateCAS10(&$validate_url,&$text_response,&$tree_response,$renew=false)
- {
- phpCAS::traceBegin();
- // build the URL to validate the ticket
- $validate_url = $this->getServerServiceValidateURL()
- .'&ticket='.urlencode($this->getTicket());
-
- if ( $renew ) {
- // pass the renew
- $validate_url .= '&renew=true';
- }
-
- $headers = '';
- $err_msg = '';
- // open and read the URL
- if ( !$this->_readURL($validate_url, $headers, $text_response, $err_msg) ) {
- phpCAS::trace(
- 'could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')'
- );
- throw new CAS_AuthenticationException(
- $this, 'CAS 1.0 ticket not validated', $validate_url,
- true/*$no_response*/
- );
- }
-
- if (preg_match('/^no\n/', $text_response)) {
- phpCAS::trace('Ticket has not been validated');
- throw new CAS_AuthenticationException(
- $this, 'ST not validated', $validate_url, false/*$no_response*/,
- false/*$bad_response*/, $text_response
- );
- } else if (!preg_match('/^yes\n/', $text_response)) {
- phpCAS::trace('ill-formed response');
- throw new CAS_AuthenticationException(
- $this, 'Ticket not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/, $text_response
- );
- }
- // ticket has been validated, extract the user name
- $arr = preg_split('/\n/', $text_response);
- $this->_setUser(trim($arr[1]));
-
- $this->_renameSession($this->getTicket());
-
- // at this step, ticket has been validated and $this->_user has been set,
- phpCAS::traceEnd(true);
- return true;
- }
-
- /** @} */
-
-
- // ########################################################################
- // SAML VALIDATION
- // ########################################################################
- /**
- * @addtogroup internalSAML
- * @{
- */
-
- /**
- * This method is used to validate a SAML TICKET; halt on failure, and sets
- * $validate_url, $text_reponse and $tree_response on success. These
- * parameters are used later by CAS_Client::_validatePGT() for CAS proxies.
- *
- * @param string &$validate_url reference to the the URL of the request to
- * the CAS server.
- * @param string &$text_response reference to the response of the CAS
- * server, as is (XML text).
- * @param string &$tree_response reference to the response of the CAS
- * server, as a DOM XML tree.
- * @param bool $renew true to force the authentication with the CAS server
- *
- * @return bool true when successfull and issue a CAS_AuthenticationException
- * and false on an error
- *
- * @throws CAS_AuthenticationException
- */
- public function validateSA(&$validate_url,&$text_response,&$tree_response,$renew=false)
- {
- phpCAS::traceBegin();
- $result = false;
- // build the URL to validate the ticket
- $validate_url = $this->getServerSamlValidateURL();
-
- if ( $renew ) {
- // pass the renew
- $validate_url .= '&renew=true';
- }
-
- $headers = '';
- $err_msg = '';
- // open and read the URL
- if ( !$this->_readURL($validate_url, $headers, $text_response, $err_msg) ) {
- phpCAS::trace(
- 'could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')'
- );
- throw new CAS_AuthenticationException(
- $this, 'SA not validated', $validate_url, true/*$no_response*/
- );
- }
-
- phpCAS::trace('server version: '.$this->getServerVersion());
-
- // analyze the result depending on the version
- switch ($this->getServerVersion()) {
- case SAML_VERSION_1_1:
- // create new DOMDocument Object
- $dom = new DOMDocument();
- // Fix possible whitspace problems
- $dom->preserveWhiteSpace = false;
- // read the response of the CAS server into a DOM object
- if (!($dom->loadXML($text_response))) {
- phpCAS::trace('dom->loadXML() failed');
- throw new CAS_AuthenticationException(
- $this, 'SA not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/,
- $text_response
- );
- }
- // read the root node of the XML tree
- if (!($tree_response = $dom->documentElement)) {
- phpCAS::trace('documentElement() failed');
- throw new CAS_AuthenticationException(
- $this, 'SA not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/,
- $text_response
- );
- } else if ( $tree_response->localName != 'Envelope' ) {
- // insure that tag name is 'Envelope'
- phpCAS::trace(
- 'bad XML root node (should be `Envelope\' instead of `'
- .$tree_response->localName.'\''
- );
- throw new CAS_AuthenticationException(
- $this, 'SA not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/,
- $text_response
- );
- } else if ($tree_response->getElementsByTagName("NameIdentifier")->length != 0) {
- // check for the NameIdentifier tag in the SAML response
- $success_elements = $tree_response->getElementsByTagName("NameIdentifier");
- phpCAS::trace('NameIdentifier found');
- $user = trim($success_elements->item(0)->nodeValue);
- phpCAS::trace('user = `'.$user.'`');
- $this->_setUser($user);
- $this->_setSessionAttributes($text_response);
- $result = true;
- } else {
- phpCAS::trace('no tag found in SAML payload');
- throw new CAS_AuthenticationException(
- $this, 'SA not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/,
- $text_response
- );
- }
- }
- if ($result) {
- $this->_renameSession($this->getTicket());
- }
- // at this step, ST has been validated and $this->_user has been set,
- phpCAS::traceEnd($result);
- return $result;
- }
-
- /**
- * This method will parse the DOM and pull out the attributes from the SAML
- * payload and put them into an array, then put the array into the session.
- *
- * @param string $text_response the SAML payload.
- *
- * @return bool true when successfull and false if no attributes a found
- */
- private function _setSessionAttributes($text_response)
- {
- phpCAS::traceBegin();
-
- $result = false;
-
- $attr_array = array();
-
- // create new DOMDocument Object
- $dom = new DOMDocument();
- // Fix possible whitspace problems
- $dom->preserveWhiteSpace = false;
- if (($dom->loadXML($text_response))) {
- $xPath = new DOMXPath($dom);
- $xPath->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:1.0:protocol');
- $xPath->registerNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion');
- $nodelist = $xPath->query("//saml:Attribute");
-
- if ($nodelist) {
- foreach ($nodelist as $node) {
- $xres = $xPath->query("saml:AttributeValue", $node);
- $name = $node->getAttribute("AttributeName");
- $value_array = array();
- foreach ($xres as $node2) {
- $value_array[] = $node2->nodeValue;
- }
- $attr_array[$name] = $value_array;
- }
- // UGent addition...
- foreach ($attr_array as $attr_key => $attr_value) {
- if (count($attr_value) > 1) {
- $this->_attributes[$attr_key] = $attr_value;
- phpCAS::trace("* " . $attr_key . "=" . print_r($attr_value, true));
- } else {
- $this->_attributes[$attr_key] = $attr_value[0];
- phpCAS::trace("* " . $attr_key . "=" . $attr_value[0]);
- }
- }
- $result = true;
- } else {
- phpCAS::trace("SAML Attributes are empty");
- $result = false;
- }
- }
- phpCAS::traceEnd($result);
- return $result;
- }
-
- /** @} */
-
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- // XX XX
- // XX PROXY FEATURES (CAS 2.0) XX
- // XX XX
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
- // ########################################################################
- // PROXYING
- // ########################################################################
- /**
- * @addtogroup internalProxy
- * @{
- */
-
- /**
- * @var bool is the client a proxy
- * A boolean telling if the client is a CAS proxy or not. Written by
- * CAS_Client::CAS_Client(), read by CAS_Client::isProxy().
- */
- private $_proxy;
-
- /**
- * @var CAS_CookieJar Handler for managing service cookies.
- */
- private $_serviceCookieJar;
-
- /**
- * Tells if a CAS client is a CAS proxy or not
- *
- * @return bool true when the CAS client is a CAS proxy, false otherwise
- */
- public function isProxy()
- {
- return $this->_proxy;
- }
-
-
- /** @} */
- // ########################################################################
- // PGT
- // ########################################################################
- /**
- * @addtogroup internalProxy
- * @{
- */
-
- /**
- * the Proxy Grnting Ticket given by the CAS server (empty otherwise).
- * Written by CAS_Client::_setPGT(), read by CAS_Client::_getPGT() and
- * CAS_Client::_hasPGT().
- *
- * @hideinitializer
- */
- private $_pgt = '';
-
- /**
- * This method returns the Proxy Granting Ticket given by the CAS server.
- *
- * @return string the Proxy Granting Ticket.
- */
- private function _getPGT()
- {
- return $this->_pgt;
- }
-
- /**
- * This method stores the Proxy Granting Ticket.
- *
- * @param string $pgt The Proxy Granting Ticket.
- *
- * @return void
- */
- private function _setPGT($pgt)
- {
- $this->_pgt = $pgt;
- }
-
- /**
- * This method tells if a Proxy Granting Ticket was stored.
- *
- * @return bool true if a Proxy Granting Ticket has been stored.
- */
- private function _hasPGT()
- {
- return !empty($this->_pgt);
- }
-
- /** @} */
-
- // ########################################################################
- // CALLBACK MODE
- // ########################################################################
- /**
- * @addtogroup internalCallback
- * @{
- */
- /**
- * each PHP script using phpCAS in proxy mode is its own callback to get the
- * PGT back from the CAS server. callback_mode is detected by the constructor
- * thanks to the GET parameters.
- */
-
- /**
- * @var bool a boolean to know if the CAS client is running in callback mode. Written by
- * CAS_Client::setCallBackMode(), read by CAS_Client::_isCallbackMode().
- *
- * @hideinitializer
- */
- private $_callback_mode = false;
-
- /**
- * This method sets/unsets callback mode.
- *
- * @param bool $callback_mode true to set callback mode, false otherwise.
- *
- * @return void
- */
- private function _setCallbackMode($callback_mode)
- {
- $this->_callback_mode = $callback_mode;
- }
-
- /**
- * This method returns true when the CAS client is running in callback mode,
- * false otherwise.
- *
- * @return bool A boolean.
- */
- private function _isCallbackMode()
- {
- return $this->_callback_mode;
- }
-
- /**
- * @var bool a boolean to know if the CAS client is using POST parameters when in callback mode.
- * Written by CAS_Client::_setCallbackModeUsingPost(), read by CAS_Client::_isCallbackModeUsingPost().
- *
- * @hideinitializer
- */
- private $_callback_mode_using_post = false;
-
- /**
- * This method sets/unsets usage of POST parameters in callback mode (default/false is GET parameters)
- *
- * @param bool $callback_mode_using_post true to use POST, false to use GET (default).
- *
- * @return void
- */
- private function _setCallbackModeUsingPost($callback_mode_using_post)
- {
- $this->_callback_mode_using_post = $callback_mode_using_post;
- }
-
- /**
- * This method returns true when the callback mode is using POST, false otherwise.
- *
- * @return bool A boolean.
- */
- private function _isCallbackModeUsingPost()
- {
- return $this->_callback_mode_using_post;
- }
-
- /**
- * the URL that should be used for the PGT callback (in fact the URL of the
- * current request without any CGI parameter). Written and read by
- * CAS_Client::_getCallbackURL().
- *
- * @hideinitializer
- */
- private $_callback_url = '';
-
- /**
- * This method returns the URL that should be used for the PGT callback (in
- * fact the URL of the current request without any CGI parameter, except if
- * phpCAS::setFixedCallbackURL() was used).
- *
- * @return string The callback URL
- */
- private function _getCallbackURL()
- {
- // the URL is built when needed only
- if ( empty($this->_callback_url) ) {
- // remove the ticket if present in the URL
- $final_uri = $this->getServiceBaseUrl()->get();
- $request_uri = $_SERVER['REQUEST_URI'];
- $request_uri = preg_replace('/\?.*$/', '', $request_uri);
- $final_uri .= $request_uri;
- $this->_callback_url = $final_uri;
- }
- return $this->_callback_url;
- }
-
- /**
- * This method sets the callback url.
- *
- * @param string $url url to set callback
- *
- * @return string the callback url
- */
- public function setCallbackURL($url)
- {
- // Sequence validation
- $this->ensureIsProxy();
- // Argument Validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- return $this->_callback_url = $url;
- }
-
- /**
- * This method is called by CAS_Client::CAS_Client() when running in callback
- * mode. It stores the PGT and its PGT Iou, prints its output and halts.
- *
- * @return void
- */
- private function _callback()
- {
- phpCAS::traceBegin();
- if ($this->_isCallbackModeUsingPost()) {
- $pgtId = $_POST['pgtId'];
- $pgtIou = $_POST['pgtIou'];
- } else {
- $pgtId = $_GET['pgtId'];
- $pgtIou = $_GET['pgtIou'];
- }
- if (preg_match('/^PGTIOU-[\.\-\w]+$/', $pgtIou)) {
- if (preg_match('/^[PT]GT-[\.\-\w]+$/', $pgtId)) {
- phpCAS::trace('Storing PGT `'.$pgtId.'\' (id=`'.$pgtIou.'\')');
- $this->_storePGT($pgtId, $pgtIou);
- if ($this->isXmlResponse()) {
- echo '' . "\r\n";
- echo '';
- phpCAS::traceExit("XML response sent");
- } else {
- $this->printHTMLHeader('phpCAS callback');
- echo '
Storing PGT `'.$pgtId.'\' (id=`'.$pgtIou.'\').
';
- $this->printHTMLFooter();
- phpCAS::traceExit("HTML response sent");
- }
- phpCAS::traceExit("Successfull Callback");
- } else {
- phpCAS::error('PGT format invalid' . $pgtId);
- phpCAS::traceExit('PGT format invalid' . $pgtId);
- }
- } else {
- phpCAS::error('PGTiou format invalid' . $pgtIou);
- phpCAS::traceExit('PGTiou format invalid' . $pgtIou);
- }
-
- // Flush the buffer to prevent from sending anything other then a 200
- // Success Status back to the CAS Server. The Exception would normally
- // report as a 500 error.
- flush();
- throw new CAS_GracefullTerminationException();
- }
-
- /**
- * Check if application/xml or text/xml is pressent in HTTP_ACCEPT header values
- * when return value is complex and contains attached q parameters.
- * Example: HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9
- * @return bool
- */
- private function isXmlResponse()
- {
- if (!array_key_exists('HTTP_ACCEPT', $_SERVER)) {
- return false;
- }
- if (strpos($_SERVER['HTTP_ACCEPT'], 'application/xml') === false && strpos($_SERVER['HTTP_ACCEPT'], 'text/xml') === false) {
- return false;
- }
-
- return true;
- }
-
- /** @} */
-
- // ########################################################################
- // PGT STORAGE
- // ########################################################################
- /**
- * @addtogroup internalPGTStorage
- * @{
- */
-
- /**
- * @var CAS_PGTStorage_AbstractStorage
- * an instance of a class inheriting of PGTStorage, used to deal with PGT
- * storage. Created by CAS_Client::setPGTStorageFile(), used
- * by CAS_Client::setPGTStorageFile() and CAS_Client::_initPGTStorage().
- *
- * @hideinitializer
- */
- private $_pgt_storage = null;
-
- /**
- * This method is used to initialize the storage of PGT's.
- * Halts on error.
- *
- * @return void
- */
- private function _initPGTStorage()
- {
- // if no SetPGTStorageXxx() has been used, default to file
- if ( !is_object($this->_pgt_storage) ) {
- $this->setPGTStorageFile();
- }
-
- // initializes the storage
- $this->_pgt_storage->init();
- }
-
- /**
- * This method stores a PGT. Halts on error.
- *
- * @param string $pgt the PGT to store
- * @param string $pgt_iou its corresponding Iou
- *
- * @return void
- */
- private function _storePGT($pgt,$pgt_iou)
- {
- // ensure that storage is initialized
- $this->_initPGTStorage();
- // writes the PGT
- $this->_pgt_storage->write($pgt, $pgt_iou);
- }
-
- /**
- * This method reads a PGT from its Iou and deletes the corresponding
- * storage entry.
- *
- * @param string $pgt_iou the PGT Iou
- *
- * @return string mul The PGT corresponding to the Iou, false when not found.
- */
- private function _loadPGT($pgt_iou)
- {
- // ensure that storage is initialized
- $this->_initPGTStorage();
- // read the PGT
- return $this->_pgt_storage->read($pgt_iou);
- }
-
- /**
- * This method can be used to set a custom PGT storage object.
- *
- * @param CAS_PGTStorage_AbstractStorage $storage a PGT storage object that
- * inherits from the CAS_PGTStorage_AbstractStorage class
- *
- * @return void
- */
- public function setPGTStorage($storage)
- {
- // Sequence validation
- $this->ensureIsProxy();
-
- // check that the storage has not already been set
- if ( is_object($this->_pgt_storage) ) {
- phpCAS::error('PGT storage already defined');
- }
-
- // check to make sure a valid storage object was specified
- if ( !($storage instanceof CAS_PGTStorage_AbstractStorage) )
- throw new CAS_TypeMismatchException($storage, '$storage', 'CAS_PGTStorage_AbstractStorage object');
-
- // store the PGTStorage object
- $this->_pgt_storage = $storage;
- }
-
- /**
- * This method is used to tell phpCAS to store the response of the
- * CAS server to PGT requests in a database.
- *
- * @param string|PDO $dsn_or_pdo a dsn string to use for creating a PDO
- * object or a PDO object
- * @param string $username the username to use when connecting to the
- * database
- * @param string $password the password to use when connecting to the
- * database
- * @param string $table the table to use for storing and retrieving
- * PGTs
- * @param string $driver_options any driver options to use when connecting
- * to the database
- *
- * @return void
- */
- public function setPGTStorageDb(
- $dsn_or_pdo, $username='', $password='', $table='', $driver_options=null
- ) {
- // Sequence validation
- $this->ensureIsProxy();
-
- // Argument validation
- if (!(is_object($dsn_or_pdo) && $dsn_or_pdo instanceof PDO) && !is_string($dsn_or_pdo))
- throw new CAS_TypeMismatchException($dsn_or_pdo, '$dsn_or_pdo', 'string or PDO object');
- if (gettype($username) != 'string')
- throw new CAS_TypeMismatchException($username, '$username', 'string');
- if (gettype($password) != 'string')
- throw new CAS_TypeMismatchException($password, '$password', 'string');
- if (gettype($table) != 'string')
- throw new CAS_TypeMismatchException($table, '$password', 'string');
-
- // create the storage object
- $this->setPGTStorage(
- new CAS_PGTStorage_Db(
- $this, $dsn_or_pdo, $username, $password, $table, $driver_options
- )
- );
- }
-
- /**
- * This method is used to tell phpCAS to store the response of the
- * CAS server to PGT requests onto the filesystem.
- *
- * @param string $path the path where the PGT's should be stored
- *
- * @return void
- */
- public function setPGTStorageFile($path='')
- {
- // Sequence validation
- $this->ensureIsProxy();
-
- // Argument validation
- if (gettype($path) != 'string')
- throw new CAS_TypeMismatchException($path, '$path', 'string');
-
- // create the storage object
- $this->setPGTStorage(new CAS_PGTStorage_File($this, $path));
- }
-
-
- // ########################################################################
- // PGT VALIDATION
- // ########################################################################
- /**
- * This method is used to validate a PGT; halt on failure.
- *
- * @param string &$validate_url the URL of the request to the CAS server.
- * @param string $text_response the response of the CAS server, as is
- * (XML text); result of
- * CAS_Client::validateCAS10() or
- * CAS_Client::validateCAS20().
- * @param DOMElement $tree_response the response of the CAS server, as a DOM XML
- * tree; result of CAS_Client::validateCAS10() or CAS_Client::validateCAS20().
- *
- * @return bool true when successfull and issue a CAS_AuthenticationException
- * and false on an error
- *
- * @throws CAS_AuthenticationException
- */
- private function _validatePGT(&$validate_url,$text_response,$tree_response)
- {
- phpCAS::traceBegin();
- if ( $tree_response->getElementsByTagName("proxyGrantingTicket")->length == 0) {
- phpCAS::trace(' not found');
- // authentication succeded, but no PGT Iou was transmitted
- throw new CAS_AuthenticationException(
- $this, 'Ticket validated but no PGT Iou transmitted',
- $validate_url, false/*$no_response*/, false/*$bad_response*/,
- $text_response
- );
- } else {
- // PGT Iou transmitted, extract it
- $pgt_iou = trim(
- $tree_response->getElementsByTagName("proxyGrantingTicket")->item(0)->nodeValue
- );
- if (preg_match('/^PGTIOU-[\.\-\w]+$/', $pgt_iou)) {
- $pgt = $this->_loadPGT($pgt_iou);
- if ( $pgt == false ) {
- phpCAS::trace('could not load PGT');
- throw new CAS_AuthenticationException(
- $this,
- 'PGT Iou was transmitted but PGT could not be retrieved',
- $validate_url, false/*$no_response*/,
- false/*$bad_response*/, $text_response
- );
- }
- $this->_setPGT($pgt);
- } else {
- phpCAS::trace('PGTiou format error');
- throw new CAS_AuthenticationException(
- $this, 'PGT Iou was transmitted but has wrong format',
- $validate_url, false/*$no_response*/, false/*$bad_response*/,
- $text_response
- );
- }
- }
- phpCAS::traceEnd(true);
- return true;
- }
-
- // ########################################################################
- // PGT VALIDATION
- // ########################################################################
-
- /**
- * This method is used to retrieve PT's from the CAS server thanks to a PGT.
- *
- * @param string $target_service the service to ask for with the PT.
- * @param int &$err_code an error code (PHPCAS_SERVICE_OK on success).
- * @param string &$err_msg an error message (empty on success).
- *
- * @return string|false a Proxy Ticket, or false on error.
- */
- public function retrievePT($target_service,&$err_code,&$err_msg)
- {
- // Argument validation
- if (gettype($target_service) != 'string')
- throw new CAS_TypeMismatchException($target_service, '$target_service', 'string');
-
- phpCAS::traceBegin();
-
- // by default, $err_msg is set empty and $pt to true. On error, $pt is
- // set to false and $err_msg to an error message. At the end, if $pt is false
- // and $error_msg is still empty, it is set to 'invalid response' (the most
- // commonly encountered error).
- $err_msg = '';
-
- // build the URL to retrieve the PT
- $cas_url = $this->getServerProxyURL().'?targetService='
- .urlencode($target_service).'&pgt='.$this->_getPGT();
-
- $headers = '';
- $cas_response = '';
- // open and read the URL
- if ( !$this->_readURL($cas_url, $headers, $cas_response, $err_msg) ) {
- phpCAS::trace(
- 'could not open URL \''.$cas_url.'\' to validate ('.$err_msg.')'
- );
- $err_code = PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE;
- $err_msg = 'could not retrieve PT (no response from the CAS server)';
- phpCAS::traceEnd(false);
- return false;
- }
-
- $bad_response = false;
-
- // create new DOMDocument object
- $dom = new DOMDocument();
- // Fix possible whitspace problems
- $dom->preserveWhiteSpace = false;
- // read the response of the CAS server into a DOM object
- if ( !($dom->loadXML($cas_response))) {
- phpCAS::trace('dom->loadXML() failed');
- // read failed
- $bad_response = true;
- }
-
- if ( !$bad_response ) {
- // read the root node of the XML tree
- if ( !($root = $dom->documentElement) ) {
- phpCAS::trace('documentElement failed');
- // read failed
- $bad_response = true;
- }
- }
-
- if ( !$bad_response ) {
- // insure that tag name is 'serviceResponse'
- if ( $root->localName != 'serviceResponse' ) {
- phpCAS::trace('localName failed');
- // bad root node
- $bad_response = true;
- }
- }
-
- if ( !$bad_response ) {
- // look for a proxySuccess tag
- if ( $root->getElementsByTagName("proxySuccess")->length != 0) {
- $proxy_success_list = $root->getElementsByTagName("proxySuccess");
-
- // authentication succeded, look for a proxyTicket tag
- if ( $proxy_success_list->item(0)->getElementsByTagName("proxyTicket")->length != 0) {
- $err_code = PHPCAS_SERVICE_OK;
- $err_msg = '';
- $pt = trim(
- $proxy_success_list->item(0)->getElementsByTagName("proxyTicket")->item(0)->nodeValue
- );
- phpCAS::trace('original PT: '.trim($pt));
- phpCAS::traceEnd($pt);
- return $pt;
- } else {
- phpCAS::trace(' was found, but not ');
- }
- } else if ($root->getElementsByTagName("proxyFailure")->length != 0) {
- // look for a proxyFailure tag
- $proxy_failure_list = $root->getElementsByTagName("proxyFailure");
-
- // authentication failed, extract the error
- $err_code = PHPCAS_SERVICE_PT_FAILURE;
- $err_msg = 'PT retrieving failed (code=`'
- .$proxy_failure_list->item(0)->getAttribute('code')
- .'\', message=`'
- .trim($proxy_failure_list->item(0)->nodeValue)
- .'\')';
- phpCAS::traceEnd(false);
- return false;
- } else {
- phpCAS::trace('neither nor found');
- }
- }
-
- // at this step, we are sure that the response of the CAS server was
- // illformed
- $err_code = PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE;
- $err_msg = 'Invalid response from the CAS server (response=`'
- .$cas_response.'\')';
-
- phpCAS::traceEnd(false);
- return false;
- }
-
- /** @} */
-
- // ########################################################################
- // READ CAS SERVER ANSWERS
- // ########################################################################
-
- /**
- * @addtogroup internalMisc
- * @{
- */
-
- /**
- * This method is used to acces a remote URL.
- *
- * @param string $url the URL to access.
- * @param string &$headers an array containing the HTTP header lines of the
- * response (an empty array on failure).
- * @param string &$body the body of the response, as a string (empty on
- * failure).
- * @param string &$err_msg an error message, filled on failure.
- *
- * @return bool true on success, false otherwise (in this later case, $err_msg
- * contains an error message).
- */
- private function _readURL($url, &$headers, &$body, &$err_msg)
- {
- phpCAS::traceBegin();
- $className = $this->_requestImplementation;
- $request = new $className();
-
- if (count($this->_curl_options)) {
- $request->setCurlOptions($this->_curl_options);
- }
-
- $request->setUrl($url);
-
- if (empty($this->_cas_server_ca_cert) && !$this->_no_cas_server_validation) {
- phpCAS::error(
- 'one of the methods phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.'
- );
- }
- if ($this->_cas_server_ca_cert != '') {
- $request->setSslCaCert(
- $this->_cas_server_ca_cert, $this->_cas_server_cn_validate
- );
- }
-
- // add extra stuff if SAML
- if ($this->getServerVersion() == SAML_VERSION_1_1) {
- $request->addHeader("soapaction: http://www.oasis-open.org/committees/security");
- $request->addHeader("cache-control: no-cache");
- $request->addHeader("pragma: no-cache");
- $request->addHeader("accept: text/xml");
- $request->addHeader("connection: keep-alive");
- $request->addHeader("content-type: text/xml");
- $request->makePost();
- $request->setPostBody($this->_buildSAMLPayload());
- }
-
- if ($request->send()) {
- $headers = $request->getResponseHeaders();
- $body = $request->getResponseBody();
- $err_msg = '';
- phpCAS::traceEnd(true);
- return true;
- } else {
- $headers = '';
- $body = '';
- $err_msg = $request->getErrorMessage();
- phpCAS::traceEnd(false);
- return false;
- }
- }
-
- /**
- * This method is used to build the SAML POST body sent to /samlValidate URL.
- *
- * @return string the SOAP-encased SAMLP artifact (the ticket).
- */
- private function _buildSAMLPayload()
- {
- phpCAS::traceBegin();
-
- //get the ticket
- $sa = urlencode($this->getTicket());
-
- $body = SAML_SOAP_ENV.SAML_SOAP_BODY.SAMLP_REQUEST
- .SAML_ASSERTION_ARTIFACT.$sa.SAML_ASSERTION_ARTIFACT_CLOSE
- .SAMLP_REQUEST_CLOSE.SAML_SOAP_BODY_CLOSE.SAML_SOAP_ENV_CLOSE;
-
- phpCAS::traceEnd($body);
- return ($body);
- }
-
- /** @} **/
-
- // ########################################################################
- // ACCESS TO EXTERNAL SERVICES
- // ########################################################################
-
- /**
- * @addtogroup internalProxyServices
- * @{
- */
-
-
- /**
- * Answer a proxy-authenticated service handler.
- *
- * @param string $type The service type. One of:
- * PHPCAS_PROXIED_SERVICE_HTTP_GET, PHPCAS_PROXIED_SERVICE_HTTP_POST,
- * PHPCAS_PROXIED_SERVICE_IMAP
- *
- * @return CAS_ProxiedService
- * @throws InvalidArgumentException If the service type is unknown.
- */
- public function getProxiedService ($type)
- {
- // Sequence validation
- $this->ensureIsProxy();
- $this->ensureAuthenticationCallSuccessful();
-
- // Argument validation
- if (gettype($type) != 'string')
- throw new CAS_TypeMismatchException($type, '$type', 'string');
-
- switch ($type) {
- case PHPCAS_PROXIED_SERVICE_HTTP_GET:
- case PHPCAS_PROXIED_SERVICE_HTTP_POST:
- $requestClass = $this->_requestImplementation;
- $request = new $requestClass();
- if (count($this->_curl_options)) {
- $request->setCurlOptions($this->_curl_options);
- }
- $proxiedService = new $type($request, $this->_serviceCookieJar);
- if ($proxiedService instanceof CAS_ProxiedService_Testable) {
- $proxiedService->setCasClient($this);
- }
- return $proxiedService;
- case PHPCAS_PROXIED_SERVICE_IMAP;
- $proxiedService = new CAS_ProxiedService_Imap($this->_getUser());
- if ($proxiedService instanceof CAS_ProxiedService_Testable) {
- $proxiedService->setCasClient($this);
- }
- return $proxiedService;
- default:
- throw new CAS_InvalidArgumentException(
- "Unknown proxied-service type, $type."
- );
- }
- }
-
- /**
- * Initialize a proxied-service handler with the proxy-ticket it should use.
- *
- * @param CAS_ProxiedService $proxiedService service handler
- *
- * @return void
- *
- * @throws CAS_ProxyTicketException If there is a proxy-ticket failure.
- * The code of the Exception will be one of:
- * PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE
- * PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE
- * PHPCAS_SERVICE_PT_FAILURE
- * @throws CAS_ProxiedService_Exception If there is a failure getting the
- * url from the proxied service.
- */
- public function initializeProxiedService (CAS_ProxiedService $proxiedService)
- {
- // Sequence validation
- $this->ensureIsProxy();
- $this->ensureAuthenticationCallSuccessful();
-
- $url = $proxiedService->getServiceUrl();
- if (!is_string($url)) {
- throw new CAS_ProxiedService_Exception(
- "Proxied Service ".get_class($proxiedService)
- ."->getServiceUrl() should have returned a string, returned a "
- .gettype($url)." instead."
- );
- }
- $pt = $this->retrievePT($url, $err_code, $err_msg);
- if (!$pt) {
- throw new CAS_ProxyTicketException($err_msg, $err_code);
- }
- $proxiedService->setProxyTicket($pt);
- }
-
- /**
- * This method is used to access an HTTP[S] service.
- *
- * @param string $url the service to access.
- * @param int &$err_code an error code Possible values are
- * PHPCAS_SERVICE_OK (on success), PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE,
- * PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE, PHPCAS_SERVICE_PT_FAILURE,
- * PHPCAS_SERVICE_NOT_AVAILABLE.
- * @param string &$output the output of the service (also used to give an error
- * message on failure).
- *
- * @return bool true on success, false otherwise (in this later case, $err_code
- * gives the reason why it failed and $output contains an error message).
- */
- public function serviceWeb($url,&$err_code,&$output)
- {
- // Sequence validation
- $this->ensureIsProxy();
- $this->ensureAuthenticationCallSuccessful();
-
- // Argument validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- try {
- $service = $this->getProxiedService(PHPCAS_PROXIED_SERVICE_HTTP_GET);
- $service->setUrl($url);
- $service->send();
- $output = $service->getResponseBody();
- $err_code = PHPCAS_SERVICE_OK;
- return true;
- } catch (CAS_ProxyTicketException $e) {
- $err_code = $e->getCode();
- $output = $e->getMessage();
- return false;
- } catch (CAS_ProxiedService_Exception $e) {
- $lang = $this->getLangObj();
- $output = sprintf(
- $lang->getServiceUnavailable(), $url, $e->getMessage()
- );
- $err_code = PHPCAS_SERVICE_NOT_AVAILABLE;
- return false;
- }
- }
-
- /**
- * This method is used to access an IMAP/POP3/NNTP service.
- *
- * @param string $url a string giving the URL of the service, including
- * the mailing box for IMAP URLs, as accepted by imap_open().
- * @param string $serviceUrl a string giving for CAS retrieve Proxy ticket
- * @param string $flags options given to imap_open().
- * @param int &$err_code an error code Possible values are
- * PHPCAS_SERVICE_OK (on success), PHPCAS_SERVICE_PT_NO_SERVER_RESPONSE,
- * PHPCAS_SERVICE_PT_BAD_SERVER_RESPONSE, PHPCAS_SERVICE_PT_FAILURE,
- * PHPCAS_SERVICE_NOT_AVAILABLE.
- * @param string &$err_msg an error message on failure
- * @param string &$pt the Proxy Ticket (PT) retrieved from the CAS
- * server to access the URL on success, false on error).
- *
- * @return object|false an IMAP stream on success, false otherwise (in this later
- * case, $err_code gives the reason why it failed and $err_msg contains an
- * error message).
- */
- public function serviceMail($url,$serviceUrl,$flags,&$err_code,&$err_msg,&$pt)
- {
- // Sequence validation
- $this->ensureIsProxy();
- $this->ensureAuthenticationCallSuccessful();
-
- // Argument validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
- if (gettype($serviceUrl) != 'string')
- throw new CAS_TypeMismatchException($serviceUrl, '$serviceUrl', 'string');
- if (gettype($flags) != 'integer')
- throw new CAS_TypeMismatchException($flags, '$flags', 'string');
-
- try {
- $service = $this->getProxiedService(PHPCAS_PROXIED_SERVICE_IMAP);
- $service->setServiceUrl($serviceUrl);
- $service->setMailbox($url);
- $service->setOptions($flags);
-
- $stream = $service->open();
- $err_code = PHPCAS_SERVICE_OK;
- $pt = $service->getImapProxyTicket();
- return $stream;
- } catch (CAS_ProxyTicketException $e) {
- $err_msg = $e->getMessage();
- $err_code = $e->getCode();
- $pt = false;
- return false;
- } catch (CAS_ProxiedService_Exception $e) {
- $lang = $this->getLangObj();
- $err_msg = sprintf(
- $lang->getServiceUnavailable(),
- $url,
- $e->getMessage()
- );
- $err_code = PHPCAS_SERVICE_NOT_AVAILABLE;
- $pt = false;
- return false;
- }
- }
-
- /** @} **/
-
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- // XX XX
- // XX PROXIED CLIENT FEATURES (CAS 2.0) XX
- // XX XX
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
- // ########################################################################
- // PT
- // ########################################################################
- /**
- * @addtogroup internalService
- * @{
- */
-
- /**
- * This array will store a list of proxies in front of this application. This
- * property will only be populated if this script is being proxied rather than
- * accessed directly.
- *
- * It is set in CAS_Client::validateCAS20() and can be read by
- * CAS_Client::getProxies()
- *
- * @access private
- */
- private $_proxies = array();
-
- /**
- * Answer an array of proxies that are sitting in front of this application.
- *
- * This method will only return a non-empty array if we have received and
- * validated a Proxy Ticket.
- *
- * @return array
- * @access public
- */
- public function getProxies()
- {
- return $this->_proxies;
- }
-
- /**
- * Set the Proxy array, probably from persistant storage.
- *
- * @param array $proxies An array of proxies
- *
- * @return void
- * @access private
- */
- private function _setProxies($proxies)
- {
- $this->_proxies = $proxies;
- if (!empty($proxies)) {
- // For proxy-authenticated requests people are not viewing the URL
- // directly since the client is another application making a
- // web-service call.
- // Because of this, stripping the ticket from the URL is unnecessary
- // and causes another web-service request to be performed. Additionally,
- // if session handling on either the client or the server malfunctions
- // then the subsequent request will not complete successfully.
- $this->setNoClearTicketsFromUrl();
- }
- }
-
- /**
- * A container of patterns to be allowed as proxies in front of the cas client.
- *
- * @var CAS_ProxyChain_AllowedList
- */
- private $_allowed_proxy_chains;
-
- /**
- * Answer the CAS_ProxyChain_AllowedList object for this client.
- *
- * @return CAS_ProxyChain_AllowedList
- */
- public function getAllowedProxyChains ()
- {
- if (empty($this->_allowed_proxy_chains)) {
- $this->_allowed_proxy_chains = new CAS_ProxyChain_AllowedList();
- }
- return $this->_allowed_proxy_chains;
- }
-
- /** @} */
- // ########################################################################
- // PT VALIDATION
- // ########################################################################
- /**
- * @addtogroup internalProxied
- * @{
- */
-
- /**
- * This method is used to validate a cas 2.0 ST or PT; halt on failure
- * Used for all CAS 2.0 validations
- *
- * @param string &$validate_url the url of the reponse
- * @param string &$text_response the text of the repsones
- * @param DOMElement &$tree_response the domxml tree of the respones
- * @param bool $renew true to force the authentication with the CAS server
- *
- * @return bool true when successfull and issue a CAS_AuthenticationException
- * and false on an error
- *
- * @throws CAS_AuthenticationException
- */
- public function validateCAS20(&$validate_url,&$text_response,&$tree_response, $renew=false)
- {
- phpCAS::traceBegin();
- phpCAS::trace($text_response);
- // build the URL to validate the ticket
- if ($this->getAllowedProxyChains()->isProxyingAllowed()) {
- $validate_url = $this->getServerProxyValidateURL().'&ticket='
- .urlencode($this->getTicket());
- } else {
- $validate_url = $this->getServerServiceValidateURL().'&ticket='
- .urlencode($this->getTicket());
- }
-
- if ( $this->isProxy() ) {
- // pass the callback url for CAS proxies
- $validate_url .= '&pgtUrl='.urlencode($this->_getCallbackURL());
- }
-
- if ( $renew ) {
- // pass the renew
- $validate_url .= '&renew=true';
- }
-
- // open and read the URL
- if ( !$this->_readURL($validate_url, $headers, $text_response, $err_msg) ) {
- phpCAS::trace(
- 'could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')'
- );
- throw new CAS_AuthenticationException(
- $this, 'Ticket not validated', $validate_url,
- true/*$no_response*/
- );
- }
-
- // create new DOMDocument object
- $dom = new DOMDocument();
- // Fix possible whitspace problems
- $dom->preserveWhiteSpace = false;
- // CAS servers should only return data in utf-8
- $dom->encoding = "utf-8";
- // read the response of the CAS server into a DOMDocument object
- if ( !($dom->loadXML($text_response))) {
- // read failed
- throw new CAS_AuthenticationException(
- $this, 'Ticket not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/, $text_response
- );
- } else if ( !($tree_response = $dom->documentElement) ) {
- // read the root node of the XML tree
- // read failed
- throw new CAS_AuthenticationException(
- $this, 'Ticket not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/, $text_response
- );
- } else if ($tree_response->localName != 'serviceResponse') {
- // insure that tag name is 'serviceResponse'
- // bad root node
- throw new CAS_AuthenticationException(
- $this, 'Ticket not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/, $text_response
- );
- } else if ( $tree_response->getElementsByTagName("authenticationFailure")->length != 0) {
- // authentication failed, extract the error code and message and throw exception
- $auth_fail_list = $tree_response
- ->getElementsByTagName("authenticationFailure");
- throw new CAS_AuthenticationException(
- $this, 'Ticket not validated', $validate_url,
- false/*$no_response*/, false/*$bad_response*/,
- $text_response,
- $auth_fail_list->item(0)->getAttribute('code')/*$err_code*/,
- trim($auth_fail_list->item(0)->nodeValue)/*$err_msg*/
- );
- } else if ($tree_response->getElementsByTagName("authenticationSuccess")->length != 0) {
- // authentication succeded, extract the user name
- $success_elements = $tree_response
- ->getElementsByTagName("authenticationSuccess");
- if ( $success_elements->item(0)->getElementsByTagName("user")->length == 0) {
- // no user specified => error
- throw new CAS_AuthenticationException(
- $this, 'Ticket not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/, $text_response
- );
- } else {
- $this->_setUser(
- trim(
- $success_elements->item(0)->getElementsByTagName("user")->item(0)->nodeValue
- )
- );
- $this->_readExtraAttributesCas20($success_elements);
- // Store the proxies we are sitting behind for authorization checking
- $proxyList = array();
- if ( sizeof($arr = $success_elements->item(0)->getElementsByTagName("proxy")) > 0) {
- foreach ($arr as $proxyElem) {
- phpCAS::trace("Found Proxy: ".$proxyElem->nodeValue);
- $proxyList[] = trim($proxyElem->nodeValue);
- }
- $this->_setProxies($proxyList);
- phpCAS::trace("Storing Proxy List");
- }
- // Check if the proxies in front of us are allowed
- if (!$this->getAllowedProxyChains()->isProxyListAllowed($proxyList)) {
- throw new CAS_AuthenticationException(
- $this, 'Proxy not allowed', $validate_url,
- false/*$no_response*/, true/*$bad_response*/,
- $text_response
- );
- } else {
- $result = true;
- }
- }
- } else {
- throw new CAS_AuthenticationException(
- $this, 'Ticket not validated', $validate_url,
- false/*$no_response*/, true/*$bad_response*/,
- $text_response
- );
- }
-
- $this->_renameSession($this->getTicket());
-
- // at this step, Ticket has been validated and $this->_user has been set,
-
- phpCAS::traceEnd($result);
- return $result;
- }
-
- /**
- * This method recursively parses the attribute XML.
- * It also collapses name-value pairs into a single
- * array entry. It parses all common formats of
- * attributes and well formed XML files.
- *
- * @param string $root the DOM root element to be parsed
- * @param string $namespace namespace of the elements
- *
- * @return an array of the parsed XML elements
- *
- * Formats tested:
- *
- * "Jasig Style" Attributes:
- *
- *
- *
- * jsmith
- *
- * RubyCAS
- * Smith
- * John
- * CN=Staff,OU=Groups,DC=example,DC=edu
- * CN=Spanish Department,OU=Departments,OU=Groups,DC=example,DC=edu
- *
- * PGTIOU-84678-8a9d2sfa23casd
- *
- *
- *
- * "Jasig Style" Attributes (longer version):
- *
- *
- *
- * jsmith
- *
- *
- * surname
- * Smith
- *
- *
- * givenName
- * John
- *
- *
- * memberOf
- * ['CN=Staff,OU=Groups,DC=example,DC=edu', 'CN=Spanish Department,OU=Departments,OU=Groups,DC=example,DC=edu']
- *
- *
- * PGTIOU-84678-8a9d2sfa23casd
- *
- *
- *
- * "RubyCAS Style" attributes
- *
- *
- *
- * jsmith
- *
- * RubyCAS
- * Smith
- * John
- * CN=Staff,OU=Groups,DC=example,DC=edu
- * CN=Spanish Department,OU=Departments,OU=Groups,DC=example,DC=edu
- *
- * PGTIOU-84678-8a9d2sfa23casd
- *
- *
- *
- * "Name-Value" attributes.
- *
- * Attribute format from these mailing list thread:
- * http://jasig.275507.n4.nabble.com/CAS-attributes-and-how-they-appear-in-the-CAS-response-td264272.html
- * Note: This is a less widely used format, but in use by at least two institutions.
- *
- *
- *
- * jsmith
- *
- *
- *
- *
- *
- *
- *
- * PGTIOU-84678-8a9d2sfa23casd
- *
- *
- *
- * result:
- *
- * Array (
- * [surname] => Smith
- * [givenName] => John
- * [memberOf] => Array (
- * [0] => CN=Staff, OU=Groups, DC=example, DC=edu
- * [1] => CN=Spanish Department, OU=Departments, OU=Groups, DC=example, DC=edu
- * )
- * )
- */
- private function _xml_to_array($root, $namespace = "cas")
- {
- $result = array();
- if ($root->hasAttributes()) {
- $attrs = $root->attributes;
- $pair = array();
- foreach ($attrs as $attr) {
- if ($attr->name === "name") {
- $pair['name'] = $attr->value;
- } elseif ($attr->name === "value") {
- $pair['value'] = $attr->value;
- } else {
- $result[$attr->name] = $attr->value;
- }
- if (array_key_exists('name', $pair) && array_key_exists('value', $pair)) {
- $result[$pair['name']] = $pair['value'];
- }
- }
- }
- if ($root->hasChildNodes()) {
- $children = $root->childNodes;
- if ($children->length == 1) {
- $child = $children->item(0);
- if ($child->nodeType == XML_TEXT_NODE) {
- $result['_value'] = $child->nodeValue;
- return (count($result) == 1) ? $result['_value'] : $result;
- }
- }
- $groups = array();
- foreach ($children as $child) {
- $child_nodeName = str_ireplace($namespace . ":", "", $child->nodeName);
- if (in_array($child_nodeName, array("user", "proxies", "proxyGrantingTicket"))) {
- continue;
- }
- if (!isset($result[$child_nodeName])) {
- $res = $this->_xml_to_array($child, $namespace);
- if (!empty($res)) {
- $result[$child_nodeName] = $this->_xml_to_array($child, $namespace);
- }
- } else {
- if (!isset($groups[$child_nodeName])) {
- $result[$child_nodeName] = array($result[$child_nodeName]);
- $groups[$child_nodeName] = 1;
- }
- $result[$child_nodeName][] = $this->_xml_to_array($child, $namespace);
- }
- }
- }
- return $result;
- }
-
- /**
- * This method parses a "JSON-like array" of strings
- * into an array of strings
- *
- * @param string $json_value the json-like string:
- * e.g.:
- * ['CN=Staff,OU=Groups,DC=example,DC=edu', 'CN=Spanish Department,OU=Departments,OU=Groups,DC=example,DC=edu']
- *
- * @return array of strings Description
- * e.g.:
- * Array (
- * [0] => CN=Staff,OU=Groups,DC=example,DC=edu
- * [1] => CN=Spanish Department,OU=Departments,OU=Groups,DC=example,DC=edu
- * )
- */
- private function _parse_json_like_array_value($json_value)
- {
- $parts = explode(",", trim($json_value, "[]"));
- $out = array();
- $quote = '';
- foreach ($parts as $part) {
- $part = trim($part);
- if ($quote === '') {
- $value = "";
- if ($this->_startsWith($part, '\'')) {
- $quote = '\'';
- } elseif ($this->_startsWith($part, '"')) {
- $quote = '"';
- } else {
- $out[] = $part;
- }
- $part = ltrim($part, $quote);
- }
- if ($quote !== '') {
- $value .= $part;
- if ($this->_endsWith($part, $quote)) {
- $out[] = rtrim($value, $quote);
- $quote = '';
- } else {
- $value .= ", ";
- };
- }
- }
- return $out;
- }
-
- /**
- * This method recursively removes unneccessary hirarchy levels in array-trees.
- * into an array of strings
- *
- * @param array $arr the array to flatten
- * e.g.:
- * Array (
- * [attributes] => Array (
- * [attribute] => Array (
- * [0] => Array (
- * [name] => surname
- * [value] => Smith
- * )
- * [1] => Array (
- * [name] => givenName
- * [value] => John
- * )
- * [2] => Array (
- * [name] => memberOf
- * [value] => ['CN=Staff,OU=Groups,DC=example,DC=edu', 'CN=Spanish Department,OU=Departments,OU=Groups,DC=example,DC=edu']
- * )
- * )
- * )
- * )
- *
- * @return array the flattened array
- * e.g.:
- * Array (
- * [attribute] => Array (
- * [surname] => Smith
- * [givenName] => John
- * [memberOf] => Array (
- * [0] => CN=Staff, OU=Groups, DC=example, DC=edu
- * [1] => CN=Spanish Department, OU=Departments, OU=Groups, DC=example, DC=edu
- * )
- * )
- * )
- */
- private function _flatten_array($arr)
- {
- if (!is_array($arr)) {
- if ($this->_startsWith($arr, '[') && $this->_endsWith($arr, ']')) {
- return $this->_parse_json_like_array_value($arr);
- } else {
- return $arr;
- }
- }
- $out = array();
- foreach ($arr as $key => $val) {
- if (!is_array($val)) {
- $out[$key] = $val;
- } else {
- switch (count($val)) {
- case 1 : {
- $key = key($val);
- if (array_key_exists($key, $out)) {
- $value = $out[$key];
- if (!is_array($value)) {
- $out[$key] = array();
- $out[$key][] = $value;
- }
- $out[$key][] = $this->_flatten_array($val[$key]);
- } else {
- $out[$key] = $this->_flatten_array($val[$key]);
- };
- break;
- };
- case 2 : {
- if (array_key_exists("name", $val) && array_key_exists("value", $val)) {
- $key = $val['name'];
- if (array_key_exists($key, $out)) {
- $value = $out[$key];
- if (!is_array($value)) {
- $out[$key] = array();
- $out[$key][] = $value;
- }
- $out[$key][] = $this->_flatten_array($val['value']);
- } else {
- $out[$key] = $this->_flatten_array($val['value']);
- };
- } else {
- $out[$key] = $this->_flatten_array($val);
- }
- break;
- };
- default: {
- $out[$key] = $this->_flatten_array($val);
- }
- }
- }
- }
- return $out;
- }
-
- /**
- * This method will parse the DOM and pull out the attributes from the XML
- * payload and put them into an array, then put the array into the session.
- *
- * @param DOMNodeList $success_elements payload of the response
- *
- * @return bool true when successfull, halt otherwise by calling
- * CAS_Client::_authError().
- */
- private function _readExtraAttributesCas20($success_elements)
- {
- phpCAS::traceBegin();
-
- $extra_attributes = array();
- if ($this->_casAttributeParserCallbackFunction !== null
- && is_callable($this->_casAttributeParserCallbackFunction)
- ) {
- array_unshift($this->_casAttributeParserCallbackArgs, $success_elements->item(0));
- phpCAS :: trace("Calling attritubeParser callback");
- $extra_attributes = call_user_func_array(
- $this->_casAttributeParserCallbackFunction,
- $this->_casAttributeParserCallbackArgs
- );
- } else {
- phpCAS :: trace("Parse extra attributes: ");
- $attributes = $this->_xml_to_array($success_elements->item(0));
- phpCAS :: trace(print_r($attributes,true). "\nFLATTEN Array: ");
- $extra_attributes = $this->_flatten_array($attributes);
- phpCAS :: trace(print_r($extra_attributes, true)."\nFILTER : ");
- if (array_key_exists("attribute", $extra_attributes)) {
- $extra_attributes = $extra_attributes["attribute"];
- } elseif (array_key_exists("attributes", $extra_attributes)) {
- $extra_attributes = $extra_attributes["attributes"];
- };
- phpCAS :: trace(print_r($extra_attributes, true)."return");
- }
- $this->setAttributes($extra_attributes);
- phpCAS::traceEnd();
- return true;
- }
-
- /**
- * Add an attribute value to an array of attributes.
- *
- * @param array &$attributeArray reference to array
- * @param string $name name of attribute
- * @param string $value value of attribute
- *
- * @return void
- */
- private function _addAttributeToArray(array &$attributeArray, $name, $value)
- {
- // If multiple attributes exist, add as an array value
- if (isset($attributeArray[$name])) {
- // Initialize the array with the existing value
- if (!is_array($attributeArray[$name])) {
- $existingValue = $attributeArray[$name];
- $attributeArray[$name] = array($existingValue);
- }
-
- $attributeArray[$name][] = trim($value);
- } else {
- $attributeArray[$name] = trim($value);
- }
- }
-
- /** @} */
-
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- // XX XX
- // XX MISC XX
- // XX XX
- // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
- /**
- * @addtogroup internalMisc
- * @{
- */
-
- // ########################################################################
- // URL
- // ########################################################################
- /**
- * the URL of the current request (without any ticket CGI parameter). Written
- * and read by CAS_Client::getURL().
- *
- * @hideinitializer
- */
- private $_url = '';
-
-
- /**
- * This method sets the URL of the current request
- *
- * @param string $url url to set for service
- *
- * @return void
- */
- public function setURL($url)
- {
- // Argument Validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- $this->_url = $url;
- }
-
- /**
- * This method returns the URL of the current request (without any ticket
- * CGI parameter).
- *
- * @return string The URL
- */
- public function getURL()
- {
- phpCAS::traceBegin();
- // the URL is built when needed only
- if ( empty($this->_url) ) {
- // remove the ticket if present in the URL
- $final_uri = $this->getServiceBaseUrl()->get();
- $request_uri = explode('?', $_SERVER['REQUEST_URI'], 2);
- $final_uri .= $request_uri[0];
-
- if (isset($request_uri[1]) && $request_uri[1]) {
- $query_string= $this->_removeParameterFromQueryString('ticket', $request_uri[1]);
-
- // If the query string still has anything left,
- // append it to the final URI
- if ($query_string !== '') {
- $final_uri .= "?$query_string";
- }
- }
-
- phpCAS::trace("Final URI: $final_uri");
- $this->setURL($final_uri);
- }
- phpCAS::traceEnd($this->_url);
- return $this->_url;
- }
-
- /**
- * This method sets the base URL of the CAS server.
- *
- * @param string $url the base URL
- *
- * @return string base url
- */
- public function setBaseURL($url)
- {
- // Argument Validation
- if (gettype($url) != 'string')
- throw new CAS_TypeMismatchException($url, '$url', 'string');
-
- return $this->_server['base_url'] = $url;
- }
-
- /**
- * The ServiceBaseUrl object that provides base URL during service URL
- * discovery process.
- *
- * @var CAS_ServiceBaseUrl_Interface
- *
- * @hideinitializer
- */
- private $_serviceBaseUrl = null;
-
- /**
- * Answer the CAS_ServiceBaseUrl_Interface object for this client.
- *
- * @return CAS_ServiceBaseUrl_Interface
- */
- public function getServiceBaseUrl()
- {
- if (empty($this->_serviceBaseUrl)) {
- phpCAS::error("ServiceBaseUrl object is not initialized");
- }
- return $this->_serviceBaseUrl;
- }
-
- /**
- * This method sets the service base URL used during service URL discovery process.
- *
- * This is required since phpCAS 1.6.0 to protect the integrity of the authentication.
- *
- * @since phpCAS 1.6.0
- *
- * @param $name can be any of the following:
- * - A base URL string. The service URL discovery will always use this (protocol,
- * hostname and optional port number) without using any external host names.
- * - An array of base URL strings. The service URL discovery will check against
- * this list before using the auto discovered base URL. If there is no match,
- * the first base URL in the array will be used as the default. This option is
- * helpful if your PHP website is accessible through multiple domains without a
- * canonical name, or through both HTTP and HTTPS.
- * - A class that implements CAS_ServiceBaseUrl_Interface. If you need to customize
- * the base URL discovery behavior, you can pass in a class that implements the
- * interface.
- *
- * @return void
- */
- private function _setServiceBaseUrl($name)
- {
- if (is_array($name)) {
- $this->_serviceBaseUrl = new CAS_ServiceBaseUrl_AllowedListDiscovery($name);
- } else if (is_string($name)) {
- $this->_serviceBaseUrl = new CAS_ServiceBaseUrl_Static($name);
- } else if ($name instanceof CAS_ServiceBaseUrl_Interface) {
- $this->_serviceBaseUrl = $name;
- } else {
- throw new CAS_TypeMismatchException($name, '$name', 'array, string, or CAS_ServiceBaseUrl_Interface object');
- }
- }
-
- /**
- * Removes a parameter from a query string
- *
- * @param string $parameterName name of parameter
- * @param string $queryString query string
- *
- * @return string new query string
- *
- * @link http://stackoverflow.com/questions/1842681/regular-expression-to-remove-one-parameter-from-query-string
- */
- private function _removeParameterFromQueryString($parameterName, $queryString)
- {
- $parameterName = preg_quote($parameterName);
- return preg_replace(
- "/&$parameterName(=[^&]*)?|^$parameterName(=[^&]*)?&?/",
- '', $queryString
- );
- }
-
- /**
- * This method is used to append query parameters to an url. Since the url
- * might already contain parameter it has to be detected and to build a proper
- * URL
- *
- * @param string $url base url to add the query params to
- * @param string $query params in query form with & separated
- *
- * @return string url with query params
- */
- private function _buildQueryUrl($url, $query)
- {
- $url .= (strstr($url, '?') === false) ? '?' : '&';
- $url .= $query;
- return $url;
- }
-
- /**
- * This method tests if a string starts with a given character.
- *
- * @param string $text text to test
- * @param string $char character to test for
- *
- * @return bool true if the $text starts with $char
- */
- private function _startsWith($text, $char)
- {
- return (strpos($text, $char) === 0);
- }
-
- /**
- * This method tests if a string ends with a given character
- *
- * @param string $text text to test
- * @param string $char character to test for
- *
- * @return bool true if the $text ends with $char
- */
- private function _endsWith($text, $char)
- {
- return (strpos(strrev($text), $char) === 0);
- }
-
- /**
- * Answer a valid session-id given a CAS ticket.
- *
- * The output must be deterministic to allow single-log-out when presented with
- * the ticket to log-out.
- *
- *
- * @param string $ticket name of the ticket
- *
- * @return string
- */
- private function _sessionIdForTicket($ticket)
- {
- // Hash the ticket to ensure that the value meets the PHP 7.1 requirement
- // that session-ids have a length between 22 and 256 characters.
- return hash('sha256', $this->_sessionIdSalt . $ticket);
- }
-
- /**
- * Set a salt/seed for the session-id hash to make it harder to guess.
- *
- * @var string $_sessionIdSalt
- */
- private $_sessionIdSalt = '';
-
- /**
- * Set a salt/seed for the session-id hash to make it harder to guess.
- *
- * @param string $salt
- *
- * @return void
- */
- public function setSessionIdSalt($salt) {
- $this->_sessionIdSalt = (string)$salt;
- }
-
- // ########################################################################
- // AUTHENTICATION ERROR HANDLING
- // ########################################################################
- /**
- * This method is used to print the HTML output when the user was not
- * authenticated.
- *
- * @param string $failure the failure that occured
- * @param string $cas_url the URL the CAS server was asked for
- * @param bool $no_response the response from the CAS server (other
- * parameters are ignored if true)
- * @param bool $bad_response bad response from the CAS server ($err_code
- * and $err_msg ignored if true)
- * @param string $cas_response the response of the CAS server
- * @param int $err_code the error code given by the CAS server
- * @param string $err_msg the error message given by the CAS server
- *
- * @return void
- */
- private function _authError(
- $failure,
- $cas_url,
- $no_response=false,
- $bad_response=false,
- $cas_response='',
- $err_code=-1,
- $err_msg=''
- ) {
- phpCAS::traceBegin();
- $lang = $this->getLangObj();
- $this->printHTMLHeader($lang->getAuthenticationFailed());
- $this->printf(
- $lang->getYouWereNotAuthenticated(), htmlentities($this->getURL()),
- isset($_SERVER['SERVER_ADMIN']) ? $_SERVER['SERVER_ADMIN']:''
- );
- phpCAS::trace('CAS URL: '.$cas_url);
- phpCAS::trace('Authentication failure: '.$failure);
- if ( $no_response ) {
- phpCAS::trace('Reason: no response from the CAS server');
- } else {
- if ( $bad_response ) {
- phpCAS::trace('Reason: bad response from the CAS server');
- } else {
- switch ($this->getServerVersion()) {
- case CAS_VERSION_1_0:
- phpCAS::trace('Reason: CAS error');
- break;
- case CAS_VERSION_2_0:
- case CAS_VERSION_3_0:
- if ( $err_code === -1 ) {
- phpCAS::trace('Reason: no CAS error');
- } else {
- phpCAS::trace(
- 'Reason: ['.$err_code.'] CAS error: '.$err_msg
- );
- }
- break;
- }
- }
- phpCAS::trace('CAS response: '.$cas_response);
- }
- $this->printHTMLFooter();
- phpCAS::traceExit();
- throw new CAS_GracefullTerminationException();
- }
-
- // ########################################################################
- // PGTIOU/PGTID and logoutRequest rebroadcasting
- // ########################################################################
-
- /**
- * Boolean of whether to rebroadcast pgtIou/pgtId and logoutRequest, and
- * array of the nodes.
- */
- private $_rebroadcast = false;
- private $_rebroadcast_nodes = array();
-
- /**
- * Constants used for determining rebroadcast node type.
- */
- const HOSTNAME = 0;
- const IP = 1;
-
- /**
- * Determine the node type from the URL.
- *
- * @param String $nodeURL The node URL.
- *
- * @return int hostname
- *
- */
- private function _getNodeType($nodeURL)
- {
- phpCAS::traceBegin();
- if (preg_match("/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/", $nodeURL)) {
- phpCAS::traceEnd(self::IP);
- return self::IP;
- } else {
- phpCAS::traceEnd(self::HOSTNAME);
- return self::HOSTNAME;
- }
- }
-
- /**
- * Store the rebroadcast node for pgtIou/pgtId and logout requests.
- *
- * @param string $rebroadcastNodeUrl The rebroadcast node URL.
- *
- * @return void
- */
- public function addRebroadcastNode($rebroadcastNodeUrl)
- {
- // Argument validation
- if ( !(bool)preg_match("/^(http|https):\/\/([A-Z0-9][A-Z0-9_-]*(?:\.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?\/?/i", $rebroadcastNodeUrl))
- throw new CAS_TypeMismatchException($rebroadcastNodeUrl, '$rebroadcastNodeUrl', 'url');
-
- // Store the rebroadcast node and set flag
- $this->_rebroadcast = true;
- $this->_rebroadcast_nodes[] = $rebroadcastNodeUrl;
- }
-
- /**
- * An array to store extra rebroadcast curl options.
- */
- private $_rebroadcast_headers = array();
-
- /**
- * This method is used to add header parameters when rebroadcasting
- * pgtIou/pgtId or logoutRequest.
- *
- * @param string $header Header to send when rebroadcasting.
- *
- * @return void
- */
- public function addRebroadcastHeader($header)
- {
- if (gettype($header) != 'string')
- throw new CAS_TypeMismatchException($header, '$header', 'string');
-
- $this->_rebroadcast_headers[] = $header;
- }
-
- /**
- * Constants used for determining rebroadcast type (logout or pgtIou/pgtId).
- */
- const LOGOUT = 0;
- const PGTIOU = 1;
-
- /**
- * This method rebroadcasts logout/pgtIou requests. Can be LOGOUT,PGTIOU
- *
- * @param int $type type of rebroadcasting.
- *
- * @return void
- */
- private function _rebroadcast($type)
- {
- phpCAS::traceBegin();
-
- $rebroadcast_curl_options = array(
- CURLOPT_FAILONERROR => 1,
- CURLOPT_FOLLOWLOCATION => 1,
- CURLOPT_RETURNTRANSFER => 1,
- CURLOPT_CONNECTTIMEOUT => 1,
- CURLOPT_TIMEOUT => 4);
-
- // Try to determine the IP address of the server
- if (!empty($_SERVER['SERVER_ADDR'])) {
- $ip = $_SERVER['SERVER_ADDR'];
- } else if (!empty($_SERVER['LOCAL_ADDR'])) {
- // IIS 7
- $ip = $_SERVER['LOCAL_ADDR'];
- }
- // Try to determine the DNS name of the server
- if (!empty($ip)) {
- $dns = gethostbyaddr($ip);
- }
- $multiClassName = 'CAS_Request_CurlMultiRequest';
- $multiRequest = new $multiClassName();
-
- for ($i = 0; $i < sizeof($this->_rebroadcast_nodes); $i++) {
- if ((($this->_getNodeType($this->_rebroadcast_nodes[$i]) == self::HOSTNAME) && !empty($dns) && (stripos($this->_rebroadcast_nodes[$i], $dns) === false))
- || (($this->_getNodeType($this->_rebroadcast_nodes[$i]) == self::IP) && !empty($ip) && (stripos($this->_rebroadcast_nodes[$i], $ip) === false))
- ) {
- phpCAS::trace(
- 'Rebroadcast target URL: '.$this->_rebroadcast_nodes[$i]
- .$_SERVER['REQUEST_URI']
- );
- $className = $this->_requestImplementation;
- $request = new $className();
-
- $url = $this->_rebroadcast_nodes[$i].$_SERVER['REQUEST_URI'];
- $request->setUrl($url);
-
- if (count($this->_rebroadcast_headers)) {
- $request->addHeaders($this->_rebroadcast_headers);
- }
-
- $request->makePost();
- if ($type == self::LOGOUT) {
- // Logout request
- $request->setPostBody(
- 'rebroadcast=false&logoutRequest='.$_POST['logoutRequest']
- );
- } else if ($type == self::PGTIOU) {
- // pgtIou/pgtId rebroadcast
- $request->setPostBody('rebroadcast=false');
- }
-
- $request->setCurlOptions($rebroadcast_curl_options);
-
- $multiRequest->addRequest($request);
- } else {
- phpCAS::trace(
- 'Rebroadcast not sent to self: '
- .$this->_rebroadcast_nodes[$i].' == '.(!empty($ip)?$ip:'')
- .'/'.(!empty($dns)?$dns:'')
- );
- }
- }
- // We need at least 1 request
- if ($multiRequest->getNumRequests() > 0) {
- $multiRequest->send();
- }
- phpCAS::traceEnd();
- }
-
- /** @} */
-}
diff --git a/phpCAS-1.6.1/source/CAS/CookieJar.php b/phpCAS-1.6.1/source/CAS/CookieJar.php
deleted file mode 100644
index b243937..0000000
--- a/phpCAS-1.6.1/source/CAS/CookieJar.php
+++ /dev/null
@@ -1,385 +0,0 @@
-
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- */
-
-/**
- * This class provides access to service cookies and handles parsing of response
- * headers to pull out cookie values.
- *
- * @class CAS_CookieJar
- * @category Authentication
- * @package PhpCAS
- * @author Adam Franco
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- */
-class CAS_CookieJar
-{
-
- private $_cookies;
-
- /**
- * Create a new cookie jar by passing it a reference to an array in which it
- * should store cookies.
- *
- * @param array &$storageArray Array to store cookies
- *
- * @return void
- */
- public function __construct (array &$storageArray)
- {
- $this->_cookies =& $storageArray;
- }
-
- /**
- * Store cookies for a web service request.
- * Cookie storage is based on RFC 2965: http://www.ietf.org/rfc/rfc2965.txt
- *
- * @param string $request_url The URL that generated the response headers.
- * @param array $response_headers An array of the HTTP response header strings.
- *
- * @return void
- *
- * @access private
- */
- public function storeCookies ($request_url, $response_headers)
- {
- $urlParts = parse_url($request_url);
- $defaultDomain = $urlParts['host'];
-
- $cookies = $this->parseCookieHeaders($response_headers, $defaultDomain);
-
- foreach ($cookies as $cookie) {
- // Enforce the same-origin policy by verifying that the cookie
- // would match the url that is setting it
- if (!$this->cookieMatchesTarget($cookie, $urlParts)) {
- continue;
- }
-
- // store the cookie
- $this->storeCookie($cookie);
-
- phpCAS::trace($cookie['name'].' -> '.$cookie['value']);
- }
- }
-
- /**
- * Retrieve cookies applicable for a web service request.
- * Cookie applicability is based on RFC 2965: http://www.ietf.org/rfc/rfc2965.txt
- *
- * @param string $request_url The url that the cookies will be for.
- *
- * @return array An array containing cookies. E.g. array('name' => 'val');
- *
- * @access private
- */
- public function getCookies ($request_url)
- {
- if (!count($this->_cookies)) {
- return array();
- }
-
- // If our request URL can't be parsed, no cookies apply.
- $target = parse_url($request_url);
- if ($target === false) {
- return array();
- }
-
- $this->expireCookies();
-
- $matching_cookies = array();
- foreach ($this->_cookies as $key => $cookie) {
- if ($this->cookieMatchesTarget($cookie, $target)) {
- $matching_cookies[$cookie['name']] = $cookie['value'];
- }
- }
- return $matching_cookies;
- }
-
-
- /**
- * Parse Cookies without PECL
- * From the comments in http://php.net/manual/en/function.http-parse-cookie.php
- *
- * @param array $header array of header lines.
- * @param string $defaultDomain The domain to use if none is specified in
- * the cookie.
- *
- * @return array of cookies
- */
- protected function parseCookieHeaders( $header, $defaultDomain )
- {
- phpCAS::traceBegin();
- $cookies = array();
- foreach ( $header as $line ) {
- if ( preg_match('/^Set-Cookie2?: /i', $line)) {
- $cookies[] = $this->parseCookieHeader($line, $defaultDomain);
- }
- }
-
- phpCAS::traceEnd($cookies);
- return $cookies;
- }
-
- /**
- * Parse a single cookie header line.
- *
- * Based on RFC2965 http://www.ietf.org/rfc/rfc2965.txt
- *
- * @param string $line The header line.
- * @param string $defaultDomain The domain to use if none is specified in
- * the cookie.
- *
- * @return array
- */
- protected function parseCookieHeader ($line, $defaultDomain)
- {
- if (!$defaultDomain) {
- throw new CAS_InvalidArgumentException(
- '$defaultDomain was not provided.'
- );
- }
-
- // Set our default values
- $cookie = array(
- 'domain' => $defaultDomain,
- 'path' => '/',
- 'secure' => false,
- );
-
- $line = preg_replace('/^Set-Cookie2?: /i', '', trim($line));
-
- // trim any trailing semicolons.
- $line = trim($line, ';');
-
- phpCAS::trace("Cookie Line: $line");
-
- // This implementation makes the assumption that semicolons will not
- // be present in quoted attribute values. While attribute values that
- // contain semicolons are allowed by RFC2965, they are hopefully rare
- // enough to ignore for our purposes. Most browsers make the same
- // assumption.
- $attributeStrings = explode(';', $line);
-
- foreach ( $attributeStrings as $attributeString ) {
- // split on the first equals sign and use the rest as value
- $attributeParts = explode('=', $attributeString, 2);
-
- $attributeName = trim($attributeParts[0]);
- $attributeNameLC = strtolower($attributeName);
-
- if (isset($attributeParts[1])) {
- $attributeValue = trim($attributeParts[1]);
- // Values may be quoted strings.
- if (strpos($attributeValue, '"') === 0) {
- $attributeValue = trim($attributeValue, '"');
- // unescape any escaped quotes:
- $attributeValue = str_replace('\"', '"', $attributeValue);
- }
- } else {
- $attributeValue = null;
- }
-
- switch ($attributeNameLC) {
- case 'expires':
- $cookie['expires'] = strtotime($attributeValue);
- break;
- case 'max-age':
- $cookie['max-age'] = (int)$attributeValue;
- // Set an expiry time based on the max-age
- if ($cookie['max-age']) {
- $cookie['expires'] = time() + $cookie['max-age'];
- } else {
- // If max-age is zero, then the cookie should be removed
- // imediately so set an expiry before now.
- $cookie['expires'] = time() - 1;
- }
- break;
- case 'secure':
- $cookie['secure'] = true;
- break;
- case 'domain':
- case 'path':
- case 'port':
- case 'version':
- case 'comment':
- case 'commenturl':
- case 'discard':
- case 'httponly':
- case 'samesite':
- $cookie[$attributeNameLC] = $attributeValue;
- break;
- default:
- $cookie['name'] = $attributeName;
- $cookie['value'] = $attributeValue;
- }
- }
-
- return $cookie;
- }
-
- /**
- * Add, update, or remove a cookie.
- *
- * @param array $cookie A cookie array as created by parseCookieHeaders()
- *
- * @return void
- *
- * @access protected
- */
- protected function storeCookie ($cookie)
- {
- // Discard any old versions of this cookie.
- $this->discardCookie($cookie);
- $this->_cookies[] = $cookie;
-
- }
-
- /**
- * Discard an existing cookie
- *
- * @param array $cookie An cookie
- *
- * @return void
- *
- * @access protected
- */
- protected function discardCookie ($cookie)
- {
- if (!isset($cookie['domain'])
- || !isset($cookie['path'])
- || !isset($cookie['path'])
- ) {
- throw new CAS_InvalidArgumentException('Invalid Cookie array passed.');
- }
-
- foreach ($this->_cookies as $key => $old_cookie) {
- if ( $cookie['domain'] == $old_cookie['domain']
- && $cookie['path'] == $old_cookie['path']
- && $cookie['name'] == $old_cookie['name']
- ) {
- unset($this->_cookies[$key]);
- }
- }
- }
-
- /**
- * Go through our stored cookies and remove any that are expired.
- *
- * @return void
- *
- * @access protected
- */
- protected function expireCookies ()
- {
- foreach ($this->_cookies as $key => $cookie) {
- if (isset($cookie['expires']) && $cookie['expires'] < time()) {
- unset($this->_cookies[$key]);
- }
- }
- }
-
- /**
- * Answer true if cookie is applicable to a target.
- *
- * @param array $cookie An array of cookie attributes.
- * @param array|false $target An array of URL attributes as generated by parse_url().
- *
- * @return bool
- *
- * @access private
- */
- protected function cookieMatchesTarget ($cookie, $target)
- {
- if (!is_array($target)) {
- throw new CAS_InvalidArgumentException(
- '$target must be an array of URL attributes as generated by parse_url().'
- );
- }
- if (!isset($target['host'])) {
- throw new CAS_InvalidArgumentException(
- '$target must be an array of URL attributes as generated by parse_url().'
- );
- }
-
- // Verify that the scheme matches
- if ($cookie['secure'] && $target['scheme'] != 'https') {
- return false;
- }
-
- // Verify that the host matches
- // Match domain and mulit-host cookies
- if (strpos($cookie['domain'], '.') === 0) {
- // .host.domain.edu cookies are valid for host.domain.edu
- if (substr($cookie['domain'], 1) == $target['host']) {
- // continue with other checks
- } else {
- // non-exact host-name matches.
- // check that the target host a.b.c.edu is within .b.c.edu
- $pos = strripos($target['host'], $cookie['domain']);
- if (!$pos) {
- return false;
- }
- // verify that the cookie domain is the last part of the host.
- if ($pos + strlen($cookie['domain']) != strlen($target['host'])) {
- return false;
- }
- // verify that the host name does not contain interior dots as per
- // RFC 2965 section 3.3.2 Rejecting Cookies
- // http://www.ietf.org/rfc/rfc2965.txt
- $hostname = substr($target['host'], 0, $pos);
- if (strpos($hostname, '.') !== false) {
- return false;
- }
- }
- } else {
- // If the cookie host doesn't begin with '.',
- // the host must case-insensitive match exactly
- if (strcasecmp($target['host'], $cookie['domain']) !== 0) {
- return false;
- }
- }
-
- // Verify that the port matches
- if (isset($cookie['ports'])
- && !in_array($target['port'], $cookie['ports'])
- ) {
- return false;
- }
-
- // Verify that the path matches
- if (strpos($target['path'], $cookie['path']) !== 0) {
- return false;
- }
-
- return true;
- }
-
-}
-
-?>
diff --git a/phpCAS-1.6.1/source/CAS/Exception.php b/phpCAS-1.6.1/source/CAS/Exception.php
deleted file mode 100644
index 2ff7cd6..0000000
--- a/phpCAS-1.6.1/source/CAS/Exception.php
+++ /dev/null
@@ -1,59 +0,0 @@
-
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- */
-
-/**
- * A root exception interface for all exceptions in phpCAS.
- *
- * All exceptions thrown in phpCAS should implement this interface to allow them
- * to be caught as a category by clients. Each phpCAS exception should extend
- * an appropriate SPL exception class that best fits its type.
- *
- * For example, an InvalidArgumentException in phpCAS should be defined as
- *
- * class CAS_InvalidArgumentException
- * extends InvalidArgumentException
- * implements CAS_Exception
- * { }
- *
- * This definition allows the CAS_InvalidArgumentException to be caught as either
- * an InvalidArgumentException or as a CAS_Exception.
- *
- * @class CAS_Exception
- * @category Authentication
- * @package PhpCAS
- * @author Adam Franco
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- *
- */
-interface CAS_Exception
-{
-
-}
-?>
diff --git a/phpCAS-1.6.1/source/CAS/GracefullTerminationException.php b/phpCAS-1.6.1/source/CAS/GracefullTerminationException.php
deleted file mode 100644
index 29aa638..0000000
--- a/phpCAS-1.6.1/source/CAS/GracefullTerminationException.php
+++ /dev/null
@@ -1,86 +0,0 @@
-
- * @author Adam Franco
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- */
-
-/**
- * An exception for terminatinating execution or to throw for unit testing
- *
- * @class CAS_GracefullTerminationException.php
- * @category Authentication
- * @package PhpCAS
- * @author Joachim Fritschi
- * @author Adam Franco
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- */
-
-class CAS_GracefullTerminationException
-extends RuntimeException
-implements CAS_Exception
-{
-
- /**
- * Test if exceptions should be thrown or if we should just exit.
- * In production usage we want to just exit cleanly when prompting the user
- * for a redirect without filling the error logs with uncaught exceptions.
- * In unit testing scenarios we cannot exit or we won't be able to continue
- * with our tests.
- *
- * @param string $message Message Text
- * @param int $code Error code
- *
- * @return self
- */
- public function __construct ($message = 'Terminate Gracefully', $code = 0)
- {
- // Exit cleanly to avoid filling up the logs with uncaught exceptions.
- if (self::$_exitWhenThrown) {
- exit;
- } else {
- // Throw exceptions to allow unit testing to continue;
- parent::__construct($message, $code);
- }
- }
-
- private static $_exitWhenThrown = true;
- /**
- * Force phpcas to thow Exceptions instead of calling exit()
- * Needed for unit testing. Generally shouldn't be used in production due to
- * an increase in Apache error logging if CAS_GracefulTerminiationExceptions
- * are not caught and handled.
- *
- * @return void
- */
- public static function throwInsteadOfExiting()
- {
- self::$_exitWhenThrown = false;
- }
-
-}
-?>
diff --git a/phpCAS-1.6.1/source/CAS/InvalidArgumentException.php b/phpCAS-1.6.1/source/CAS/InvalidArgumentException.php
deleted file mode 100644
index 99be2ac..0000000
--- a/phpCAS-1.6.1/source/CAS/InvalidArgumentException.php
+++ /dev/null
@@ -1,46 +0,0 @@
-
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- */
-
-/**
- * Exception that denotes invalid arguments were passed.
- *
- * @class CAS_InvalidArgumentException
- * @category Authentication
- * @package PhpCAS
- * @author Adam Franco
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- */
-class CAS_InvalidArgumentException
-extends InvalidArgumentException
-implements CAS_Exception
-{
-
-}
-?>
diff --git a/phpCAS-1.6.1/source/CAS/Languages/Catalan.php b/phpCAS-1.6.1/source/CAS/Languages/Catalan.php
deleted file mode 100644
index 1ead905..0000000
--- a/phpCAS-1.6.1/source/CAS/Languages/Catalan.php
+++ /dev/null
@@ -1,114 +0,0 @@
-
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- */
-
-/**
- * Catalan language class
- *
- * @class CAS_Languages_Catalan
- * @category Authentication
- * @package PhpCAS
- * @author Iván-Benjamín García Torà
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
- * @link https://wiki.jasig.org/display/CASC/phpCAS
- *
- * @sa @link internalLang Internationalization @endlink
- * @ingroup internalLang
- */
-class CAS_Languages_Catalan implements CAS_Languages_LanguageInterface
-{
- /**
- * Get the using server string
- *
- * @return string using server
- */
- public function getUsingServer()
- {
- return 'usant servidor';
- }
-
- /**
- * Get authentication wanted string
- *
- * @return string authentication wanted
- */
- public function getAuthenticationWanted()
- {
- return 'Autentificació CAS necessària!';
- }
-
- /**
- * Get logout string
- *
- * @return string logout
- */
- public function getLogout()
- {
- return 'Sortida de CAS necessària!';
- }
-
- /**
- * Get the should have been redirected string
- *
- * @return string should habe been redirected
- */
- public function getShouldHaveBeenRedirected()
- {
- return 'Ja hauria d\ haver estat redireccionat al servidor CAS. Feu click aquí per a continuar.';
- }
-
- /**
- * Get authentication failed string
- *
- * @return string authentication failed
- */
- public function getAuthenticationFailed()
- {
- return 'Autentificació CAS fallida!';
- }
-
- /**
- * Get the your were not authenticated string
- *
- * @return string not authenticated
- */
- public function getYouWereNotAuthenticated()
- {
- return '