use a GET parameter instead of a session variable to transmit return_url
This commit is contained in:
<bdauvergne@entrouvert.com> 1206722837 +0100
parent
b2cd02f414
commit
57ce2df5b0
|
|
@ -8,9 +8,7 @@ require_once("../include/lassospkit_utils_session.inc.php");
|
|||
require_once("../include/lassospkit_dummysession.inc.php");
|
||||
require_once("../include/lassospkit_autopersistentsession.inc.php");
|
||||
|
||||
function verifyReferer() {
|
||||
if (isset($_SERVER['HTTP_REFERER'])) {
|
||||
$host = $_SERVER['HTTP_REFERER'];
|
||||
function verifyUrl($host) {
|
||||
$host = strstr('//', $host);
|
||||
$pos = strpos($host, '/');
|
||||
if ($pos !== FALSE) {
|
||||
|
|
@ -21,70 +19,105 @@ function verifyReferer() {
|
|||
echo "Bad referer '$host' != '" . $_SERVER['HTTP_HOST'] . "'";
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
function verifyReferer() {
|
||||
if (isset($_SERVER['HTTP_REFERER'])) {
|
||||
$host = $_SERVER['HTTP_REFERER'];
|
||||
verifyUrl($host);
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
dispatch(array('/login' => 'login',
|
||||
'/federate' => 'federate',
|
||||
'/ssoAssertionConsumer' => 'ssoAssertionConsumer',
|
||||
'/slo' => 'slo',
|
||||
'/sloSoap' => 'sloSoap',
|
||||
'/sloRedirect' => 'sloRedirect',
|
||||
'/sloResponse' => 'sloResponse',
|
||||
'/defederate' => 'defederate',
|
||||
'/nidManagementInit' => 'nidManagementInit',
|
||||
'/nidManagementSoap' => 'nidManagementSoap',
|
||||
'/nidManagementRedirect' => 'nidManagementRedirect',
|
||||
'/nidManagementResponse' => 'nidManagementResponse',
|
||||
'/metadata' => 'metadata'));
|
||||
} catch (Exception $e) {
|
||||
$session = getSession();
|
||||
$dispatch_table = array(
|
||||
'/login' => 'login',
|
||||
'/federate' => 'federate',
|
||||
'/ssoAssertionConsumer' => 'ssoAssertionConsumer',
|
||||
'/slo' => 'slo',
|
||||
'/sloSoap' => 'sloSoap',
|
||||
'/sloRedirect' => 'sloRedirect',
|
||||
'/sloResponse' => 'sloResponse',
|
||||
'/defederate' => 'defederate',
|
||||
'/nidManagementInit' => 'nidManagementInit',
|
||||
'/nidManagementSoap' => 'nidManagementSoap',
|
||||
'/nidManagementRedirect' => 'nidManagementRedirect',
|
||||
'/nidManagementResponse' => 'nidManagementResponse',
|
||||
'/metadata' => 'metadata');
|
||||
try { dispatch($dispatch_table); } catch (Exception $e) {
|
||||
LassoSPKitUtilsSession::setLastError($e->__toString());
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState('error'));
|
||||
finish();
|
||||
}
|
||||
// TODO fill implementation
|
||||
function finishRequest($method, $profileStr, $session, $ret) {
|
||||
|
||||
// Utils
|
||||
function getReturnUrl() {
|
||||
if (isset($_GET['return_url'])) {
|
||||
$return_url = $_GET['return_url'];
|
||||
verifyUrl($return_url);
|
||||
} else {
|
||||
$return_url = LassoSPKitConfig::get('default_return_url');
|
||||
}
|
||||
return $return_url;
|
||||
}
|
||||
|
||||
// Finish interaction by return to a given return_url, or if not
|
||||
// found one given in a parameter of the current url or lastly
|
||||
// to the value of the config fiel 'default_return_url'.
|
||||
function finish($return_url = null) {
|
||||
// Return url
|
||||
if (! $return_url) {
|
||||
$return_url = getReturnUrl();
|
||||
}
|
||||
if ($return_url) {
|
||||
getSession()->doRedirect($return_url);
|
||||
}
|
||||
}
|
||||
// For internal redirection use the relay state mechnism in the session
|
||||
function finishWithMethod($method, $relay_state_name)
|
||||
{
|
||||
if ($method == LASSO_HTTP_METHOD_SOAP) {
|
||||
if (! $ret) {
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState($profileStr));
|
||||
} else {
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState('error'));
|
||||
}
|
||||
finish();
|
||||
} else {
|
||||
if (! $ret) {
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState('error'));
|
||||
}
|
||||
LassoSPKitUtilsSession::setRelayState($relay_state_name, getReturnUrl());
|
||||
}
|
||||
}
|
||||
function finishResponse($profileSTR, $session, $ret) {
|
||||
if (! $ret) {
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState($profileSTR));
|
||||
} else {
|
||||
LassoSPKitUtilsSession::setLastError("Erreur: $ret");
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState('error'));
|
||||
}
|
||||
|
||||
function finishResponse($relay_state_name) {
|
||||
finish(LassoSPKitUtilsSession::getRelayState($relay_state_name));
|
||||
}
|
||||
|
||||
function getSession() {
|
||||
$session_class = "LassoSPKit" . LassoSPKitConfig::get('session');
|
||||
return new $session_class();
|
||||
}
|
||||
|
||||
function login() {
|
||||
verifyReferer();
|
||||
$saml2 = new LassoSPKitSAML2(new LassoSPKitDummySession());
|
||||
$params = LassoSPKitUtilsSession::getParams('login');
|
||||
$federate = TRUE;
|
||||
if (isset($params['federate'])) {
|
||||
$federate = $params['federate'];
|
||||
$persistent = TRUE;
|
||||
if (isset($_GET['persistent'])) {
|
||||
switch ($_GET['persistent']) {
|
||||
case '0':
|
||||
$persistent = FALSE;
|
||||
break;
|
||||
case '1':
|
||||
$persistent = TRUE;
|
||||
break;
|
||||
default;
|
||||
$persistent = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
$saml2->sso(FALSE, $federate);
|
||||
LassoSPKitUtilsSession::setRelayState('sso',LassoSPKitUtilsSession::getRelayState('login'));
|
||||
// Do not allow creation of persistent federation,
|
||||
// but eventually permit transient ones
|
||||
$saml2->sso(FALSE, $persistent);
|
||||
LassoSPKitUtilsSession::setRelayState('sso', getReturnUrl());
|
||||
}
|
||||
function federate() {
|
||||
verifyReferer();
|
||||
$saml2 = new LassoSPKitSAML2(new LassoSPKitDummySession());
|
||||
// Allow creation
|
||||
// Only persistent federation
|
||||
$saml2->sso(TRUE, TRUE);
|
||||
LassoSPKitUtilsSession::setRelayState('sso',LassoSPKitUtilsSession::getRelayState('federate'));
|
||||
LassoSPKitUtilsSession::setRelayState('sso', getReturnUrl());
|
||||
}
|
||||
function ssoAssertionConsumer() {
|
||||
$session = getSession();
|
||||
|
|
@ -94,11 +127,8 @@ function ssoAssertionConsumer() {
|
|||
} elseif (isset($_POST)) {
|
||||
$ok = $saml2->ssoConsumer(LASSO_HTTP_METHOD_ARTIFACT_POST, $_SERVER['QUERY_STRING']);
|
||||
}
|
||||
if ($ok) {
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState('sso'));
|
||||
} else {
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState('error'));
|
||||
}
|
||||
$return_url = LassoSPKitUtilsSession::getRelayState('sso');
|
||||
finish($return_url);
|
||||
}
|
||||
function slo() {
|
||||
$session = getSession();
|
||||
|
|
@ -106,7 +136,7 @@ function slo() {
|
|||
$method = LASSO_HTTP_METHOD_SOAP;
|
||||
$ret = $saml2->initiateSLO($method);
|
||||
$headers = headers_list();
|
||||
finishRequest($method, 'slo', $session, $ret);
|
||||
finishWithMethod($method, 'slo');
|
||||
}
|
||||
function sloSoap() {
|
||||
$session = getSession();
|
||||
|
|
@ -132,9 +162,7 @@ function defederate() {
|
|||
$saml2 = new LassoSPKitSAML2($session);
|
||||
$method = LASSO_HTTP_METHOD_SOAP;
|
||||
$ret = $saml2->initiateFTNotification($method);
|
||||
finishRequest($method, 'defederation', $session, $ret);
|
||||
LassoSPKitUtilsSession::setRelayState('nidmanagement',LassoSPKitUtilsSession::getRelayState('defederation'));
|
||||
|
||||
finishWithMethod($method, 'nidmanagement');
|
||||
}
|
||||
function nidManagementInit() {
|
||||
}
|
||||
|
|
@ -147,8 +175,10 @@ function nidManagementResponse() {
|
|||
$session = getSession();
|
||||
$saml2 = new LassoSPKitSAML2($session);
|
||||
$ret = $saml2->processRedirectResponseNameIdManagement();
|
||||
finishResponse('nidmanagement', $session, $ret);
|
||||
finishResponse('nidmanagement');
|
||||
}
|
||||
|
||||
// Generate metadatas
|
||||
function metadata() {
|
||||
$datadir = LassoSPKitHelper::getMetadataDir(LASSO_PROTOCOL_SAML_2_0);
|
||||
$pkey = $datadir . "/" . PRIVATE_KEY;
|
||||
|
|
@ -163,4 +193,3 @@ function metadata() {
|
|||
throw $e;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -16,6 +16,25 @@ require_once('lassospkit_config.inc.php');
|
|||
a previously established federation).
|
||||
*/
|
||||
|
||||
/** Build an url for redirecting to one of the Liberty endpoints,
|
||||
use $endpoint as the endpoint name, $return_url as the destrination url
|
||||
after Liberty transaction, and params as key-value dictionarry for generating other params. */
|
||||
function _lassospkit_make_redirect_url($endpoint, $return_url, $params) {
|
||||
// Endpoints base
|
||||
$redirect = LassoSPKitConfig::get('baseUrl');
|
||||
// saml2 or liberty
|
||||
$redirect = $redirect . '/' . LassoSPKitConfig::get('conformance');
|
||||
// Specific endpoint
|
||||
$redirect = $redirect . '/' . $endpoint;
|
||||
// Return url param
|
||||
$redirect = $redirect . "?return_url=" . urlencode($return_url);
|
||||
// Other params
|
||||
foreach ($params as $key => $value) {
|
||||
$redirect = $redirect . '&' . urlencode($key) . "=" . urlencode($value);
|
||||
}
|
||||
return $redirect;
|
||||
}
|
||||
|
||||
/** If this session contains the result of a recent WebSSO return
|
||||
the retrieved nameID. */
|
||||
function lassospkit_nameid() {
|
||||
|
|
@ -56,19 +75,21 @@ function lassospkit_set_federation($federation) {
|
|||
/* Return the URL where to redirect a user when liberty authentification
|
||||
* is required for existing federation or to get a transient one.
|
||||
*/
|
||||
function lassospkit_login_redirect($relay, $federate = TRUE) {
|
||||
LassoSPKitUtilsSession::setRelayState('login',$relay);
|
||||
LassoSPKitUtilsSession::setParams('login',array('federate'=>$federate));
|
||||
return LassoSPKitConfig::get('baseUrl') . "/" . LassoSPKitConfig::get('conformance') . '/login';
|
||||
function lassospkit_login_redirect($return_url, $persistent = TRUE) {
|
||||
if ($persistent) {
|
||||
$params = array( 'persistent' => 1 );
|
||||
} else {
|
||||
$params = array( 'persistent' => 0 );
|
||||
}
|
||||
return _lassospkit_make_redirect_url('login',$return_url, $params);
|
||||
}
|
||||
|
||||
/* Return the URL where to redirect a user to create a new federation, or
|
||||
* get an existing one.
|
||||
* Eventually pass a username to auto-store the new federation.
|
||||
*/
|
||||
function lassospkit_federate_redirect($relay) {
|
||||
LassoSPKitUtilsSession::setRelayState('federate',$relay);
|
||||
return LassoSPKitConfig::get('baseUrl') . "/" . LassoSPKitConfig::get('conformance') . '/federate';
|
||||
function lassospkit_federate_redirect($return_url) {
|
||||
return _lassospkit_make_redirect_url('federate',$return_url, array());
|
||||
}
|
||||
|
||||
/** Sets the userid to associate to this nameID, during
|
||||
|
|
@ -79,12 +100,10 @@ function lassospkit_set_userid($userid) {
|
|||
}
|
||||
|
||||
/* Return the URL where to redirect a user to initiated defederation of the current nameid. */
|
||||
function lassospkit_defederation_redirect($relay) {
|
||||
LassoSPKitUtilsSession::setRelayState('defederation',$relay);
|
||||
return LassoSPKitConfig::get('baseUrl') . "/" . LassoSPKitConfig::get('conformance') . '/defederate';
|
||||
function lassospkit_defederation_redirect($return_url) {
|
||||
return _lassospkit_make_redirect_url('defederate',$return_url, array());
|
||||
}
|
||||
function lassospkit_logout_redirect($relay) {
|
||||
LassoSPKitUtilsSession::setRelayState('slo',$relay);
|
||||
return LassoSPKitConfig::get('baseUrl') . "/" . LassoSPKitConfig::get('conformance') . '/slo';
|
||||
|
||||
function lassospkit_logout_redirect($return_url) {
|
||||
return _lassospkit_make_redirect_url('slo',$return_url, array());
|
||||
}
|
||||
LassoSPKitUtilsSession::setRelayState('error', '../..');
|
||||
|
|
|
|||
Reference in New Issue