From 8af076abc531f3cd0e5035fb86f60c74cac7ee65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Schneider?=
Date: Wed, 10 Nov 2010 14:40:14 +0100
Subject: [PATCH] Initial import

---
 README | 9 ++
 languages/en.php | 25 ++++
 languages/fr.php | 24 ++++
 manifest.xml | 10 ++
 start.php | 120 ++++++++++++++++++
 views/default/account/forms/default_login.php | 38 ++++++
 views/default/account/forms/login.php | 44 +++++++
 views/default/settings/saml_auth/edit.php | 30 +++++
 8 files changed, 300 insertions(+)
 create mode 100644 README
 create mode 100644 languages/en.php
 create mode 100644 languages/fr.php
 create mode 100644 manifest.xml
 create mode 100644 start.php
 create mode 100644 views/default/account/forms/default_login.php
 create mode 100644 views/default/account/forms/login.php
 create mode 100644 views/default/settings/saml_auth/edit.php

diff --git a/README b/README
new file mode 100644
index 0000000..2f57c4f
--- /dev/null
+++ b/README
@@ -0,0 +1,9 @@
+saml_auth plugin allows you to use SAML 2.0 protocol with Elgg.
+This plugin uses SimpleSAMLphp to "samlize" Elgg.
+
+= Installation on Debian =
+-> Install the fllowing packages : apache2, php5, simplesamlphp, memcached and php5-memcache
+-> Configure a SAML 2.0 SP in simpleSAMLphp (follow simpleSAMLphp documentation)
+-> Configure simpleSAMLphp to use memcache
+-> Install this plugin into Elgg
+
diff --git a/languages/en.php b/languages/en.php
new file mode 100644
index 0000000..311f943
--- /dev/null
+++ b/languages/en.php
@@ -0,0 +1,25 @@ + + */ + + $en = array( + 'saml_auth:settings:label:simplesamlphp' => "SimpleSAMLphp configuration", + 'saml_auth:settings:label:sp_name' => "Service Provider name", + 'saml_auth:settings:help:sp_name' => "The name of your SP in SimpleSAMLphp", + 'saml_auth:settings:label:attributes' => "Attributes mapping", + 'saml_auth:settings:label:username' => "Username", + 'saml_auth:settings:label:firstname' => "Firstname", + 'saml_auth:settings:label:surname' => "Surname", + 'saml_auth:settings:label:email' => "Email address", + 'saml_auth:account:authentication:text' => "Please click on the Log In button.", + 'saml_auth:samlerror' => "The SAML plugin is misconfigured. It will not be used.", + ); + + add_translation('en', $en); +?> diff --git a/languages/fr.php b/languages/fr.php new file mode 100644 index 0000000..9d22815 --- /dev/null +++ b/languages/fr.php @@ -0,0 +1,24 @@ + + */ + + $fr = array( + 'saml_auth:settings:label:simplesamlphp' => "Configuration de SimpleSAMLphp", + 'saml_auth:settings:label:sp_name' => "Nom du fournisseur de service", + 'saml_auth:settings:help:sp_name' => "Nom de votre fournisseur de service SimpleSAMLphp", + 'saml_auth:settings:label:attributes' => "Attributs", + 'saml_auth:settings:label:username' => "Nom d'utilisateur", + 'saml_auth:settings:label:firstname' => "Prénom", + 'saml_auth:settings:label:surname' => "Nom", + 'saml_auth:settings:label:email' => "Courriel", + 'saml_auth:samlerror' => "Le plugin SAML n'est pas configuré correctement. Il n'est pas utilisé.", + ); + + add_translation('fr', $fr); +?> diff --git a/manifest.xml b/manifest.xml new file mode 100644 index 0000000..2579db3 --- /dev/null +++ b/manifest.xml @@ -0,0 +1,10 @@ + + + + + + + + + + diff --git a/start.php b/start.php new file mode 100644 index 0000000..b8e5241 --- /dev/null +++ b/start.php 
@@ -0,0 +1,120 @@ + + */ + + // Register the events + register_elgg_event_handler('init','system','saml_auth_init'); + register_elgg_event_handler('logout','user','saml_logout'); + + /** + * SAML Authentication init + * + * These parameters are required for the event API, but we won't use them: + */ + function saml_auth_init() + { + global $CONFIG; + + init_config(); + $as = new SimpleSAML_Auth_Simple(get_plugin_setting('sp_name', 'saml_auth')); + $isAuth = $as->isAuthenticated(); + $attributes = $as->getAttributes(); + $elgg_user = saml_map_attributes($attributes); + if ($isAuth && ! isloggedin() && $elgg_user) + { + $user = get_user_by_username($elgg_user['username']); + if (! $user) + { + register_user($elgg_user['username'], $elgg_user['password'], + $elgg_user['name'], $elgg_user['email']); + $user = get_user_by_username($elgg_user['username']); + } + else + saml_sync_user($user, $elgg_user); + if ($user) + return login($user); + // XXX: else return an error ? + } + } + + function init_config() + { + $config = find_plugin_settings('saml_auth'); + if (! $config->sp_name) + set_plugin_setting('sp_name', 'default-sp', 'saml_auth'); + if (! $config->username) + set_plugin_setting('username', 'uid', 'saml_auth'); + if (! $config->firstname) + set_plugin_setting('firstname', 'givenName', 'saml_auth'); + if (! $config->surname) + set_plugin_setting('surname', 'sn', 'saml_auth'); + if (! 
$config->email) + set_plugin_setting('email', 'mail', 'saml_auth'); + } + + function saml_sync_user($user, $elgg_user) + { + $user->name = $elgg_user['name']; + $user->email = $elgg_user['email']; + $user->save(); + } + + + function gen_rand_pwd() + { + $password = ""; + $chars = "0123456789_!@#$%&*()-=+/abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_!@#$%&*()-=+/"; + $i = 0; + + while ($i < 18) + { + $char = substr($chars, rand(0, strlen($chars)-1), 1); + $password .= $char; + $i++; + } + return $password; + } + + function saml_map_attributes($attributes) + { + $elgg_user = array(); + + $config = find_plugin_settings('saml_auth'); + if (! $attributes[$config->username] or ! $attributes[$config->email]) + return false; + $elgg_user['username'] = $attributes[$config->username][0]; + $elgg_user['password'] = gen_rand_pwd(); + $elgg_user['name'] = ''; + if ($attributes[$config->surname] || $attributes[$config->firstname]) + { + if ($attributes[$config->firstname]) + $elgg_user['name'] = $attributes[$config->firstname][0]; + if ($attributes[$config->surname]) + { + if (! empty($elgg_user['name'])) + $elgg_user['name'] .= ' '; + $elgg_user['name'] .= $attributes[$config->surname][0]; + } + } + else + $elgg_user['name'] = $elgg_user['username']; + $elgg_user['email'] = $attributes[$config->email][0]; + + return $elgg_user; + } + + function saml_logout() + { + $as = new SimpleSAML_Auth_Simple(get_plugin_setting('sp_name', 'saml_auth')); + if ($as->isAuthenticated()) + $as->logout(); + + return true; + } + diff --git a/views/default/account/forms/default_login.php b/views/default/account/forms/default_login.php new file mode 100644 index 0000000..394c1ea --- /dev/null +++ b/views/default/account/forms/default_login.php @@ -0,0 +1,38 @@ +"; +$form_body .= "
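Review bot: In saml_auth_init the IdP-asserted uid is used as the lookup key for any existing Elgg account (`$user = get_user_by_username($elgg_user['username']);`) and a match is logged in and then overwritten by saml_sync_user, with no check that the account was ever provisioned through SAML, so an account created locally — including an admin account — is taken over by whichever IdP identity carries the same uid. The attach step should be limited to accounts this plugin created, e.g. by storing a marker on the user at registration and refusing to link a SAML identity to an account that lacks it, as sketched below. In the same function `register_user(...)` and `login($user)` sit outside any try block, and Elgg signals failure from both by throwing (RegistrationException for an invalid username or an e-mail already in use, LoginException for a banned user), so those cases abort the init event instead of producing the error the `// XXX` comment asks about. Separately, gen_rand_pwd builds the fallback local password with `rand()`, which is not a cryptographic generator; since that password unlocks the ordinary password form the plugin keeps, it should at least come from `mt_rand()` or better from `openssl_random_pseudo_bytes()`/`/dev/urandom`.
```php
// … unchanged: init_config() and SimpleSAML_Auth_Simple setup …
if ($isAuth && ! isloggedin() && $elgg_user)
{
    $user = get_user_by_username($elgg_user['username']);
    if (! $user)
    {
        register_user($elgg_user['username'], $elgg_user['password'],
            $elgg_user['name'], $elgg_user['email']);
        $user = get_user_by_username($elgg_user['username']);
        if ($user)
            $user->saml_auth_provisioned = true; // stored as user metadata: this account belongs to the IdP mapping
    }
    elseif (! $user->saml_auth_provisioned)
    {
        // Never attach a SAML identity to an account that was created locally:
        // the IdP uid would otherwise select (and overwrite) an arbitrary existing user.
        return;
    }
    else
        saml_sync_user($user, $elgg_user);
    // … unchanged: login($user) …
}
```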
"; +$form_body .= "
"; + +$form_body .= elgg_view('login/extend'); + +$form_body .= elgg_view('input/submit', array('value' => elgg_echo('login'))) . "

"; +$form_body .= "

"; +$form_body .= (!isset($CONFIG->disable_registration) || !($CONFIG->disable_registration)) ? "" . elgg_echo('register') . " | " : ""; +$form_body .= "" . elgg_echo('user:password:lost') . "

"; + +$login_url = $vars['url']; +if ((isset($CONFIG->https_login)) && ($CONFIG->https_login)) { + $login_url = str_replace("http", "https", $vars['url']); +} +?> + +
+

+ $form_body, 'action' => "{$login_url}action/login")); + ?> +
+ \ No newline at end of file diff --git a/views/default/account/forms/login.php b/views/default/account/forms/login.php new file mode 100644 index 0000000..9d14dde --- /dev/null +++ b/views/default/account/forms/login.php @@ -0,0 +1,44 @@ + + */ +require_once('/usr/share/simplesamlphp/lib/_autoload.php'); + +$SAML = true; + +try { + $as = new SimpleSAML_Auth_Simple(get_plugin_setting('sp_name', 'saml_auth')); +} catch (Exception $e) { + $SAML = false; + register_error(elgg_echo('saml_auth:samlerror')); +} +if (array_key_exists('login', $_REQUEST)) +{ + try { + $as->requireAuth(); + } catch (Exception $e) { + $SAML = false; + register_error(elgg_echo('saml_auth:samlerror')); + } +} +$isAuth = $as->isAuthenticated(); + +?> + + +
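Review bot: `$login_url = str_replace("http", "https", $vars['url']);` replaces every occurrence of `http`, so on a site whose URL is already `https://…` the form posts credentials to `httpss://…/action/login`; anchor the rewrite to the scheme, `$login_url = preg_replace('#^http://#', 'https://', $vars['url']);`. This view looks like a copy of Elgg core's login form, which carries the same construct, so the defect may be inherited rather than introduced here. Note also that keeping this password form and its `user:password:lost` link alongside the SAML view means every SAML-provisioned account stays reachable by local password and by password reset to the e-mail address synced from the IdP, independent of any decision the IdP makes; if that is not intended, the view should be dropped or gated on a plugin setting.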
+

+
+ ' . elgg_echo('saml_auth:account:authentication:text') . '

' ?> + + +
+
+ + + + diff --git a/views/default/settings/saml_auth/edit.php b/views/default/settings/saml_auth/edit.php new file mode 100644 index 0000000..836f874 --- /dev/null +++ b/views/default/settings/saml_auth/edit.php @@ -0,0 +1,30 @@ + + */ +?> +
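Review bot: `$isAuth = $as->isAuthenticated();` runs unconditionally, so when the `new SimpleSAML_Auth_Simple(...)` constructor throws and the catch only sets `$SAML = false`, the view goes on to call a method on an undefined `$as` — and `$as->requireAuth()` above has the same problem, since a call on null is a fatal error in PHP 5 and not an Exception the inner try could catch — so the misconfiguration the try/catch is meant to handle still ends in a fatal error instead of the registered message. Guard both uses: `if ($SAML && array_key_exists('login', $_REQUEST))` and `$isAuth = $SAML ? $as->isAuthenticated() : false;`. The hard-coded `require_once('/usr/share/simplesamlphp/lib/_autoload.php');` also belongs in a plugin setting loaded from start.php, because saml_auth_init in start.php already instantiates SimpleSAML_Auth_Simple on the init event, before this view is rendered, and will fail unless the autoloader is made available by some other means. Starting the SP-initiated flow from a bare `login` key in `$_REQUEST` means any GET link can trigger it; Elgg's `get_input('login')` plus an action token is the more conservative shape if login-CSRF matters for this deployment.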

+

+ + +
+
+
+
+
+ + +
+
+
+
+
+
+
+
+
+