merged from Benjamin's branch
commit
d731cd8885
19
Makefile
19
Makefile
|
@ -10,8 +10,10 @@ PHPINCLUDEDIR=/usr/share/php
|
|||
DOCPREFIX=/usr/share/doc
|
||||
DOCDIR=$(DOCPREFIX)/$(NAME)
|
||||
HTTPD_USER=www-data
|
||||
VARPREFIX=/var/lib
|
||||
VARDIR=$(VARPREFIX)/$(NAME)
|
||||
|
||||
.PHONY: zip distclean dist install all clean
|
||||
.PHONY: zip distclean dist install all clean install-directories install-files
|
||||
|
||||
all:
|
||||
|
||||
|
@ -26,18 +28,21 @@ dist: distclean
|
|||
tar cvzf ../$(TGZ) $(FULL)
|
||||
|
||||
|
||||
install:
|
||||
install-directories:
|
||||
install -d $(DESTDIR)$(DATADIR) $(DESTDIR)$(DATADIR)/include $(DESTDIR)$(DATADIR)/endpoints $(DESTDIR)$(PHPINCLUDEDIR) $(DESTDIR)$(DOCDIR)/exemples
|
||||
install -d $(DESTDIR)$(DOCDIR)/html
|
||||
install -d $(DESTDIR)$(DOCDIR)
|
||||
install -d -o $(HTTPD_USER) -m 755 $(DESTDIR)$(VARDIR)
|
||||
ln -nfs $(DATADIR)/include $(DESTDIR)$(PHPINCLUDEDIR)/$(NAME)
|
||||
|
||||
install-files:
|
||||
install -m 644 -t $(DESTDIR)$(DATADIR)/include include/*
|
||||
install -m 644 -t $(DESTDIR)$(DATADIR)/endpoints endpoints/*
|
||||
install -m 644 -t $(DESTDIR)$(DOCDIR)/exemples exemples/*.*
|
||||
install -d $(DESTDIR)$(DOCDIR)
|
||||
ln -nfs $(DATADIR) $(DESTDIR)$(PHPINCLUDEDIR)/$(NAME)
|
||||
install -m 644 -t $(DESTDIR)$(DOCDIR)/html doc/*.html
|
||||
install -m 644 -t $(DESTDIR)$(DOCDIR) README INSTALL
|
||||
-mkdir -m 755 /var/lib/spkitlasso
|
||||
chown $(HTTPD_USER): /var/lib/spkitlasso
|
||||
install -m 644 -t $(DESTDIR)$(DOCDIR)/exemples exemples/*.*
|
||||
|
||||
install: install-directories install-files
|
||||
|
||||
distclean:
|
||||
rm -rf $(FULL)
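Review bot: `install -d -o $(HTTPD_USER) -m 755 $(DESTDIR)$(VARDIR)` in `install-directories` needs root (or fakeroot) for the chown, so a plain `make install DESTDIR=...` by an unprivileged user now fails, and debian/postinst chowns the same directory again; create it here as `install -d -m 755 $(DESTDIR)$(VARDIR)` and leave ownership to the maintainer script. If the per-host data written below it (the `lassospkit_config.ini` read from the datadir, and whatever the File storage writes there, which is not visible in this commit) should not be readable by other local accounts, 750 with `$(HTTPD_USER)` as group would be the safer default. Dropping the hard-coded `/var/lib/spkitlasso` lines from `install-files` is right now that `VARDIR` carries that path.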
|
||||
|
|
|
@ -1,3 +1,10 @@
|
|||
spkitlasso (0.2) unstable; urgency=low
|
||||
|
||||
* Setup the library into /usr/share/php/spkitlasso
|
||||
* Setup a datadir for hosts into /var/lib/spkitlasso
|
||||
|
||||
-- Benjamin Dauvergne <bdauvergne@entrouvert.com> Thu, 20 Mar 2008 14:23:09 +0100
|
||||
|
||||
spkitlasso (0.1-1) unstable; urgency=low
|
||||
|
||||
* Initial release
|
||||
|
|
|
@ -7,7 +7,7 @@ Standards-Version: 3.7.2
|
|||
|
||||
Package: spkitlasso
|
||||
Architecture: any
|
||||
Depends: lasso-php
|
||||
Depends: php-lasso
|
||||
Description: Simple library to use Lasso PHP bindings inside service providers
|
||||
This package provides PHP 5 classes and a procedural API to use Lasso basic
|
||||
protocols like SSO, Identity Federation, Identity Defederation and SLO,
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
var/lib
|
||||
usr/share/spkitlasso
|
||||
usr/share/doc
|
||||
usr/share/php
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
debian/tmp/usr/*
|
||||
debian/tmp/var/lib/*
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
#! /bin/sh -e
|
||||
# Automatically added by dh_installdocs
|
||||
if [ "$1" = configure ] && which install-docs >/dev/null 2>&1; then
|
||||
install-docs -i /usr/share/doc-base/spkitlasso
|
||||
fi
|
||||
chown www-data /var/lib/spkitlasso
|
||||
# End automatically added section
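Review bot: The added `chown www-data /var/lib/spkitlasso` sits inside the block marked `# Automatically added by dh_installdocs`, which debhelper regenerates on each build, so the line is likely to be dropped or duplicated next time; place it after `# End automatically added section`, guarded by `if [ "$1" = configure ]; then`. The Makefile's `install -d -o $(HTTPD_USER)` already sets the same owner, so one of the two is redundant. `www-data` is hard-coded here while the Makefile reads it from `HTTPD_USER`; a single source for that name keeps the two from drifting apart.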
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
#! /bin/sh -e
|
||||
# Automatically added by dh_installdocs
|
||||
if [ "$1" = remove ] || [ "$1" = upgrade ] && \
|
||||
which install-docs >/dev/null 2>&1; then
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
<?php
|
||||
require_once('../include/lassospkit_configgen.inc.php');
|
||||
require_once('../include/lassospkit_config.inc.php');
|
||||
require_once('../include/lassospkit_debug.inc.php');
|
||||
require_once('../include/lassospkit_metadata.inc.php');
|
||||
require_once('../include/lassospkit_utils.inc.php');
|
||||
require_once('spkitlasso/lassospkit_configgen.inc.php');
|
||||
require_once('spkitlasso/lassospkit_config.inc.php');
|
||||
require_once('spkitlasso/lassospkit_debug.inc.php');
|
||||
require_once('spkitlasso/lassospkit_metadata.inc.php');
|
||||
require_once('spkitlasso/lassospkit_utils.inc.php');
|
||||
|
||||
$configgen = new LassoSPKitConfigUIGen();
|
||||
$error = null;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
<?php
|
||||
require_once("../include/lassospkit_helper.inc.php");
|
||||
require_once("../include/lassospkit_dispatcher.inc.php");
|
||||
require_once("../include/lassospkit_metadata.inc.php");
|
||||
require_once("../include/lassospkit_utils.inc.php");
|
||||
require_once("spkitlasso/lassospkit_helper.inc.php");
|
||||
require_once("spkitlasso/lassospkit_dispatcher.inc.php");
|
||||
require_once("spkitlasso/lassospkit_metadata.inc.php");
|
||||
require_once("spkitlasso/lassospkit_utils.inc.php");
|
||||
|
||||
dispatch(array('/login' => login,
|
||||
'/federate' => federate,
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
<?php
|
||||
require_once("../include/lassospkit_helper.inc.php");
|
||||
require_once("../include/lassospkit_dispatcher.inc.php");
|
||||
require_once("../include/lassospkit_saml2.inc.php");
|
||||
require_once("../include/lassospkit_metadata.inc.php");
|
||||
require_once("../include/lassospkit_utils.inc.php");
|
||||
require_once("../include/lassospkit_utils_session.inc.php");
|
||||
require_once("../include/lassospkit_dummysession.inc.php");
|
||||
require_once("../include/lassospkit_autopersistentsession.inc.php");
|
||||
require_once("spkitlasso/lassospkit_helper.inc.php");
|
||||
require_once("spkitlasso/lassospkit_dispatcher.inc.php");
|
||||
require_once("spkitlasso/lassospkit_saml2.inc.php");
|
||||
require_once("spkitlasso/lassospkit_metadata.inc.php");
|
||||
require_once("spkitlasso/lassospkit_utils.inc.php");
|
||||
require_once("spkitlasso/lassospkit_utils_session.inc.php");
|
||||
require_once("spkitlasso/lassospkit_dummysession.inc.php");
|
||||
require_once("spkitlasso/lassospkit_autopersistentsession.inc.php");
|
||||
|
||||
function verifyUrl($host) {
|
||||
$host = strstr('//', $host);
|
||||
|
@ -94,6 +94,7 @@ function login() {
|
|||
$session = getSession();
|
||||
$saml2 = new LassoSPKitSAML2($session);
|
||||
$persistent = TRUE;
|
||||
$passive = FALSE;
|
||||
if (isset($_GET['persistent'])) {
|
||||
switch ($_GET['persistent']) {
|
||||
case '0':
|
||||
|
@ -107,9 +108,22 @@ function login() {
|
|||
break;
|
||||
}
|
||||
}
|
||||
if (isset($_GET['passive'])) {
|
||||
switch ($_GET['passive']) {
|
||||
case '0':
|
||||
$passive = FALSE;
|
||||
break;
|
||||
case '1':
|
||||
$passive = TRUE;
|
||||
break;
|
||||
default;
|
||||
$passive = FALSE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
// Do not allow creation of persistent federation,
|
||||
// but eventually permit transient ones
|
||||
$saml2->sso(FALSE, $persistent);
|
||||
$saml2->sso(FALSE, $persistent, $passive);
|
||||
LassoSPKitUtilsSession::setRelayState('sso', getReturnUrl());
|
||||
}
|
||||
function federate() {
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<?php
|
||||
require_once('spkitlasso/include/lassospkit_public_api.inc.php');
|
||||
require_once('spkitlasso/include/lassospkit_debug.inc.php');
|
||||
require_once('spkitlasso/include/lassospkit_utils.inc.php');
|
||||
require_once('spkitlasso/lassospkit_public_api.inc.php');
|
||||
require_once('spkitlasso/lassospkit_debug.inc.php');
|
||||
require_once('spkitlasso/lassospkit_utils.inc.php');
|
||||
echo '<?xml version="1.0" encoding="UTF-8"?>';
|
||||
|
||||
function show($a) {
|
||||
|
|
|
@ -18,13 +18,13 @@ class LassoSPKitAutoPersistentSession extends LassoSPKitDummySession {
|
|||
function findFederation($nameID) {
|
||||
$federation = null;
|
||||
if ($nameID) {
|
||||
lassospkit_debuglog("looking for session using nameID from profile: $nameID");
|
||||
#lassospkit_debuglog("looking for session using nameID from profile: $nameID");
|
||||
$federation = $this->storage->get($nameID);
|
||||
}
|
||||
if (! $federation) {
|
||||
$userID = LassoSPKitUtilsSession::getUserID();
|
||||
if ($userID) {
|
||||
lassospkit_debuglog("looking for session using userID: $userID");
|
||||
#lassospkit_debuglog("looking for session using userID: $userID");
|
||||
$federation = $this->storage->get(md5($userID));
|
||||
}
|
||||
}
|
||||
|
@ -32,13 +32,13 @@ class LassoSPKitAutoPersistentSession extends LassoSPKitDummySession {
|
|||
$nameIDs = LassoSPKitUtilsSession::getNameID();
|
||||
if (is_array($nameIDs)) {
|
||||
foreach (LassoSPKitUtilsSession::getNameID() as $nameID) {
|
||||
lassospkit_debuglog("looking for session using nameID in session: $userID");
|
||||
#lassospkit_debuglog("looking for session using nameID in session: $userID");
|
||||
$federation = $this->storage->get($nameID);
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($federation == null) {
|
||||
lassospkit_debuglog('did not found any session file...');
|
||||
#lassospkit_debuglog('did not found any session file...');
|
||||
return 0;
|
||||
}
|
||||
$this->explodeFederation($federation);
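Review bot: The debug calls in `findFederation()` are switched off by prefixing them with `#`, leaving four dead lines that will rot as the code around them changes; the same is done in the file store, generic session, helper and SAML common hunks of this commit. A single level check inside `lassospkit_debuglog()` (or a config flag read there) would disable them in one place and keep the call sites live. If some were silenced because they print identifiers such as the nameID and userID, a short comment saying so would stop someone from simply uncommenting them later.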
|
||||
|
|
|
@ -24,7 +24,10 @@ class LassoSPKitConfig {
|
|||
'storage' => "File",
|
||||
'cookiename' => 0,
|
||||
'default_return_url' => null,
|
||||
'showExtension' => 1 /* Shall we show the extension of scripts in public apis */
|
||||
'lasso_lib' => 'lasso.php',
|
||||
'showExtension' => 1, /* Shall we show the extension of scripts in public apis */
|
||||
'memcache_servers' => 'localhost:11211', /* Blank separated list of host:port pairs */
|
||||
'session_storage_class' => 'LassoSPKitSessionFile'
|
||||
);
|
||||
private static $instance = null;
|
||||
private static $file;
|
||||
|
@ -75,9 +78,12 @@ class LassoSPKitConfig {
|
|||
static function init() {
|
||||
if (! self::$instance) {
|
||||
/* Where is lasso PHP binding ? */
|
||||
self::$default_values['lasso_lib'] = ini_get('extension_dir').'/lasso.php';
|
||||
self::$file = lassospkit_datadir() . '/lassospkit_config.ini';
|
||||
self::$instance = self::loadIni(self::$file);
|
||||
if (file_exists(self::$file)) {
|
||||
self::$instance = self::loadIni(self::$file);
|
||||
} else {
|
||||
self::$instance = array();
|
||||
}
|
||||
}
|
||||
}
|
||||
/** Commit the content of the singleton table to the .ini file */
|
||||
|
|
|
@ -4,8 +4,7 @@
|
|||
* in an unique directory with you application, you can just make it return "../data".
|
||||
*/
|
||||
function lassospkit_datadir() {
|
||||
// $path = '/var/lib/spkitlasso/' . $_SERVER['HTTP_HOST'];
|
||||
$path = "/home/bdauvergne/public_html/data";
|
||||
$path = '/var/lib/spkitlasso/' . $_SERVER['HTTP_HOST'];
|
||||
// $path = $_SERVER['DOCUMENT_ROOT'] . '/data';
|
||||
if (! file_exists($path)) {
|
||||
@mkdir($path,755,1);
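Review bot: `$_SERVER['HTTP_HOST']` is the client-supplied Host header, and here it is concatenated into a filesystem path that is then created recursively, so the per-host directory (and with it the `lassospkit_config.ini` that `LassoSPKitConfig::init()` reads from the datadir) is selected by whatever the request claims; validate it before use, rejecting anything that is not a plain hostname (labels of letters, digits and hyphens separated by single dots, optionally `:port`) or, better, anything not in a configured list of served hosts. `755` is also a decimal literal, which reaches mkdir as octal 01363 (sticky bit, owner `-wx`); it should be `@mkdir($path, 0755, 1);`. The `@` then hides why creation failed, so consider calling `lassospkit_errlog()` when the directory is still missing afterwards.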
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
<?php
|
||||
require_once('lassospkit_helper.inc.php');
|
||||
require_once('lassospkit_utils.inc.php');
|
||||
require_once('lassospkit_metadata.inc.php');
|
||||
|
||||
class LassoSPKitEndpoint {
|
||||
var $dispatch_table = array();
|
||||
var $protocol = null;
|
||||
|
||||
function LassoSPKitEndpoint($protocol) {
|
||||
$this->__construct($protocol);
|
||||
}
|
||||
function __construct($protocol) {
|
||||
$this->protocol = $protocol;
|
||||
$this->addDispatch('/metadata', 'metadata');
|
||||
}
|
||||
function addDispatch($point, $method) {
|
||||
$dispatch_table[$point] = $method;
|
||||
}
|
||||
function dispatchAndExit() {
|
||||
if (! isset($_SERVER['PATH_INFO'])) {
|
||||
throw new Exception('No PATH INFO');
|
||||
}
|
||||
$path_info = $_SERVER['PATH_INFO'];
|
||||
$fname = $this->dispatch_table[$path_info];
|
||||
if ($fname) {
|
||||
$fname();
|
||||
exit(0);
|
||||
} else {
|
||||
header("HTTP/1.0 404 Not Found");
|
||||
exit(0);
|
||||
}
|
||||
}
|
||||
|
||||
// Urls
|
||||
function metadata() {
|
||||
$datadir = LassoSPKitHelper::getMetadataDir($this->protocol);
|
||||
$pkey = $datadir . "/" . PRIVATE_KEY;
|
||||
LassoSPKitUtils::extractPublicKey($pkey, $publickey, $error);
|
||||
$content = LassoSPKitMetadataSAML2::generateMetadata(dirname(LassoSPKitUtils::mydir()), LassoSPKitConfig::get('organization'), $publickey);
|
||||
if ($content) {
|
||||
header('Content-type: text/xml');
|
||||
echo $content;
|
||||
}
|
||||
}
|
||||
// Verify that the host is the same has HTTP_HOST
|
||||
function verifyUrl($host) {
|
||||
$host = strstr('//', $host);
|
||||
$pos = strpos($host, '/');
|
||||
if ($pos !== FALSE) {
|
||||
$host = substr($host, 0, $pos);
|
||||
}
|
||||
|
||||
if ($host && isset($_SERVER['HTTP_HOST']) && $host != $_SERVER['HTTP_HOST']) {
|
||||
echo "Bad referer '$host' != '" . $_SERVER['HTTP_HOST'] . "'";
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
}
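Review bot: `addDispatch()` writes to a local `$dispatch_table` instead of `$this->dispatch_table`, so the table stays empty and `dispatchAndExit()` reads an undefined index for every path, including the `/metadata` entry registered in the constructor. `$fname()` then calls a global function of that name rather than the `metadata()` method on this object, and `strstr('//', $host)` in `verifyUrl()` has haystack and needle reversed (the endpoints file carries the same swapped call); even with the order fixed the result still starts with `//`, so the following `strpos($host, '/')` would cut everything. `verifyUrl()` also echoes the client-supplied host unescaped into an HTML response; escape it with `htmlspecialchars()` and send a 4xx status rather than relying on `exit(1)`.
```php
    function addDispatch($point, $method) {
        $this->dispatch_table[$point] = $method;
    }
    function dispatchAndExit() {
        // … unchanged: PATH_INFO check …
        $path_info = $_SERVER['PATH_INFO'];
        if (isset($this->dispatch_table[$path_info])) {
            $fname = $this->dispatch_table[$path_info];
            $this->$fname();
            exit(0);
        }
        header("HTTP/1.0 404 Not Found");
        exit(0);
    }
    // … unchanged: metadata() …
    function verifyUrl($host) {
        $host = substr(strstr($host, '//'), 2);
        // … unchanged: cut at the first '/' …
        if ($host && isset($_SERVER['HTTP_HOST']) && $host != $_SERVER['HTTP_HOST']) {
            header("HTTP/1.0 400 Bad Request");
            echo "Bad referer '" . htmlspecialchars($host) . "' != '" . htmlspecialchars($_SERVER['HTTP_HOST']) . "'";
            exit(1);
        }
    }
```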
|
||||
|
|
@ -51,7 +51,7 @@ class LassoSPKitFileStore implements LassoSPKitStore {
|
|||
}
|
||||
function debug($ret, $mesg) {
|
||||
if ($ret === FALSE) {
|
||||
lassospkit_debuglog("SPKit File Storage: " . $mesg);
|
||||
#lassospkit_debuglog("SPKit File Storage: " . $mesg);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,7 +17,7 @@ class LassoSPKitGenericSession {
|
|||
header("Location: $url");
|
||||
}
|
||||
function doResponse($mimeType, $content) {
|
||||
lassospkit_debuglog("Renvoi la réponse de type $mimeType et contenu $content");
|
||||
#lassospkit_debuglog("Renvoi la réponse de type $mimeType et contenu $content");
|
||||
header("Content-type: $mimeType");
|
||||
echo $content;
|
||||
}
|
||||
|
@ -70,7 +70,7 @@ class LassoSPKitGenericSession {
|
|||
function explodeFederationBlob($blob) {
|
||||
$federation = @unserialize($blob);
|
||||
if ($federation === FALSE) {
|
||||
lassospkit_debuglog("LassoSPKitGenericSession: cannot deserialize the federation blob");
|
||||
#lassospkit_debuglog("LassoSPKitGenericSession: cannot deserialize the federation blob");
|
||||
return 0;
|
||||
}
|
||||
$this->explodeFederation($federation);
|
||||
|
|
|
@ -17,7 +17,7 @@ class LassoSPKitHelper {
|
|||
$profile->setSessionFromDump($sessionDump);
|
||||
}
|
||||
if ($identityDump) {
|
||||
lassospkit_debuglog("load dump " . $identityDump);
|
||||
#lassospkit_debuglog("load dump " . $identityDump);
|
||||
$profile->setIdentityFromDump($identityDump);
|
||||
}
|
||||
}
|
||||
|
@ -31,7 +31,6 @@ class LassoSPKitHelper {
|
|||
$ok = 0;
|
||||
if ($profile->hasDirtyIdentity()) {
|
||||
if ($profile->identity) {
|
||||
lassospkit_debuglog("save " . $profile->identity->dump());
|
||||
$session->setIdentityDump($profile->identity->dump());
|
||||
} else {
|
||||
$session->setIdentityDump(null);
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
<?php
|
||||
|
||||
class LassoSPKitHttpRequest {
|
||||
var $url;
|
||||
var $header = array();
|
||||
var $method = 'GET';
|
||||
var $mime_type = null;
|
||||
var $_content = null;
|
||||
|
||||
|
||||
function init($url = null) {
|
||||
if ($url) {
|
||||
$this->url = $url;
|
||||
} else {
|
||||
throw new Exception("LassoSPKitHttpRequest: __construct without arg not implemented");
|
||||
}
|
||||
$this->getCurrentCookies();
|
||||
}
|
||||
function setPOST($mime_type, $content) {
|
||||
$this->method = 'POST';
|
||||
$this->mime_type = $mime_type;
|
||||
$this->_content = $content;
|
||||
}
|
||||
function getCurrentCookies() {
|
||||
$this->headers = array();
|
||||
foreach ($_COOKIE as $cookie => $value) {
|
||||
$this->headers[] = "Cookie: " . urlencode($cookie) . "=" . urlencode($value);
|
||||
}
|
||||
}
|
||||
function perform() {
|
||||
$opts = array('http' =>
|
||||
array(
|
||||
'method' => $this->method,
|
||||
'header' => $this->header,
|
||||
'content' => $this->_content
|
||||
)
|
||||
);
|
||||
$context = stream_context_create($opts);
|
||||
$res = @file_get_contents($this->url,false,$context);
|
||||
return $res;
|
||||
}
|
||||
function buildPOST($url,$mime_type,$content) {
|
||||
$b = new LassoSPKitHttpRequest();
|
||||
$b->init($url);
|
||||
$b->setPost($mime_type,$content);
|
||||
return $b;
|
||||
}
|
||||
function buildGET($url) {
|
||||
$b = new LassoSPKitHttpRequest();
|
||||
$b->init($url);
|
||||
return $b;
|
||||
}
|
||||
}
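Review bot: `getCurrentCookies()` fills `$this->headers` while the field declared above and the `'header'` entry built in `perform()` are `$this->header`, so the cookies collected here are never sent; write to the same name, `$this->header = array();` and `$this->header[] = "Cookie: " . urlencode($cookie) . "=" . urlencode($value);`. Forwarding every cookie in `$_COOKIE` to whatever `$url` the request targets also replays the browser's cookies for this application to that host; if `perform()` can reach anything other than this same server, limit the cookie header to same-host URLs or drop it. The `@` on `file_get_contents()` discards the failure reason, so `perform()` should at least call `lassospkit_errlog()` when `$res === FALSE`.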
|
|
@ -0,0 +1,77 @@
|
|||
<?php
|
||||
|
||||
require_once('lassospkit_config.inc.php');
|
||||
require_once('lassospkit_debug.inc.php');
|
||||
|
||||
class LassoSPKitMemCache {
|
||||
function getInstance() {
|
||||
static $instance = null;
|
||||
|
||||
if ($instance == null) {
|
||||
$instance = new Memcache();
|
||||
$memcache_servers = LassoSPKitConfig::get('memcache_servers');
|
||||
if (! $memcache_servers) {
|
||||
lassospkit_errlog('There is no configuration for memcache servers, put one');
|
||||
throw new Exception('memcache config error');
|
||||
}
|
||||
$servers = self::validateServers($memcache_servers);
|
||||
foreach ($servers as $hostport) {
|
||||
$host = $hostport[0];
|
||||
$port = $hostport[1];
|
||||
$res = $instance->pconnect($host,intval($port));
|
||||
if ($res === FALSE) {
|
||||
lassospkit_errlog("LassoSPKitMemcache: could not connect to $host:$port");
|
||||
}
|
||||
}
|
||||
}
|
||||
return $instance;
|
||||
}
|
||||
function validateServers($str) {
|
||||
$pairs = split(" +", $str);
|
||||
$servers = array();
|
||||
|
||||
foreach ($pairs as $a_pair) {
|
||||
if (! ereg("^([[:alnum:]]+):([[:digit:]]+)$",$a_pair,$matches) ||
|
||||
intval($matches[2]) == 0) {
|
||||
lassospkit_errlog("$a_pair is not a valid memcache server ref");
|
||||
} else {
|
||||
$servers[] = array($matches[0],$matches[1]);
|
||||
}
|
||||
}
|
||||
if (count($servers)) {
|
||||
return $servers;
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
function add($key, $value, $timeout = 2592000) {
|
||||
$instance = LassoSPKitMemCache::getInstance();
|
||||
if (! $instance) {
|
||||
lassospkit_errlog("LassoSPKitMemCache: could not add key " . var_export($key,1) . ", no instance present");
|
||||
}
|
||||
$res = $instance->add($key, $value, false, $timeout);
|
||||
return $res;
|
||||
}
|
||||
function set($key, $value, $timeout = 2592000) {
|
||||
$instance = LassoSPKitMemCache::getInstance();
|
||||
if (! $instance) {
|
||||
lassospkit_errlog("LassoSPKitMemCache: could not set key " . var_export($key,1) . ", no instance present");
|
||||
}
|
||||
$res = $instance->set($key, $value, false, $timeout);
|
||||
return $res;
|
||||
}
|
||||
function get($key) {
|
||||
$instance = LassoSPKitMemCache::getInstance();
|
||||
if (! $instance) {
|
||||
lassospkit_errlog("LassoSPKitMemCache: could not get key " . var_export($key,1) . ", no instance present");
|
||||
}
|
||||
return $instance->get($key);
|
||||
}
|
||||
function delete($key) {
|
||||
$instance = LassoSPKitMemCache::getInstance();
|
||||
if (! $instance) {
|
||||
lassospkit_errlog("LassoSPKitMemCache: could not delete key " . var_export($key,1) . ", no instance present");
|
||||
}
|
||||
return $instance->delete($key);
|
||||
}
|
||||
}
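Review bot: In `validateServers()` `$matches[0]` is the whole match and `$matches[1]` the host, so each pair becomes (`host:port`, `host`) and `pconnect()` is handed the full string as host with `intval('host')`, i.e. 0, as port; it should be `$servers[] = array($matches[1], $matches[2]);`. `[[:alnum:]]+` also rejects dotted hostnames and IP addresses such as `10.0.0.1`. `getInstance()` iterates the result of `validateServers()`, which is `null` when nothing validated, and `add()`/`set()`/`get()`/`delete()` log "no instance present" but still call the method on `$instance`; return after the log in each. `ereg`/`split` are the old POSIX functions; `preg_match`/`preg_split` are the maintained ones.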
|
|
@ -1,5 +1,6 @@
|
|||
<?php
|
||||
require_once('lassospkit_utils_session.inc.php');
|
||||
require_once('lassospkit_utils.inc.php');
|
||||
require_once('lassospkit_config.inc.php');
|
||||
|
||||
/** This file contains the public front-end API
|
||||
|
@ -35,6 +36,9 @@ function _lassospkit_make_redirect_url($endpoint, $return_url, $params) {
|
|||
$redirect = $redirect . "?return_url=" . urlencode($return_url);
|
||||
// Other params
|
||||
foreach ($params as $key => $value) {
|
||||
if (is_bool($value)) {
|
||||
$value = intval($value);
|
||||
}
|
||||
$redirect = $redirect . '&' . urlencode($key) . "=" . urlencode($value);
|
||||
}
|
||||
return $redirect;
|
||||
|
@ -77,15 +81,19 @@ function lassospkit_set_federation($federation) {
|
|||
LassoSPKitUtilsSession::setFederation($federation);
|
||||
}
|
||||
|
||||
/* Return the URL where to redirect a user when liberty authentification
|
||||
* is required for existing federation or to get a transient one.
|
||||
/* Return the URL where to redirect a user to ask for
|
||||
* an authentification assertion from the IdP without creating
|
||||
* new federation.
|
||||
* Second arguments is an array of options. Possible options are:
|
||||
* - "persistent" => Bool, wether to get an existing persistent
|
||||
* session or get a one-time federation identifier.
|
||||
* - "passive" => Bool, forbid user interaction by the IdP.
|
||||
* For example, to verify "transparently" (there is still the redirect latency)
|
||||
* if an user is currently logged to the IdP, just do:
|
||||
* header("Location: " . lassospkit_login_url($login_page, array("passive" => TRUE)))
|
||||
*/
|
||||
function lassospkit_login_url($return_url, $persistent = TRUE) {
|
||||
if ($persistent) {
|
||||
$params = array( 'persistent' => 1 );
|
||||
} else {
|
||||
$params = array( 'persistent' => 0 );
|
||||
}
|
||||
function lassospkit_login_url($return_url, $options = array() ) {
|
||||
$params = LassoSPKitUtils::extract_options(array('persistent' => 'b', 'passive' => 'b'), $options);
|
||||
return _lassospkit_make_redirect_url('login',$return_url, $params);
|
||||
}
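Review bot: Changing the second parameter of `lassospkit_login_url()` from `$persistent = TRUE` to `$options = array()` breaks existing callers that passed a boolean, and whether `LassoSPKitUtils::extract_options()` tolerates a non-array is not visible here. Accepting the old form keeps them working: `if (is_bool($options)) { $options = array('persistent' => $options); }` before the `extract_options()` call. The new doc comment should also state that a missing `persistent` key keeps the previous default of a persistent request, if that is what `extract_options()` does.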
|
||||
|
||||
|
|
|
@ -19,23 +19,35 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
$nameidpolicy->format = $blob['nameIDFormat'];
|
||||
$nameidpolicy->allowCreate = $blob['allowCreate'];
|
||||
}
|
||||
public function sso($create = TRUE, $federate = TRUE) {
|
||||
/** Initiate a SSO exchange with a redirect.
|
||||
The federate parameter defines if we wish to get a
|
||||
persistent (federate = TRUE) or a transient federation
|
||||
(federate = FALSE).
|
||||
The create parameter specify if the IdP is allower
|
||||
to create a new federation if a persistent
|
||||
one is asked for federate = TRUE.
|
||||
*/
|
||||
function sso($create = TRUE, $federate = TRUE, $passive = FALSE) {
|
||||
if ($federate) {
|
||||
$format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT;
|
||||
} else {
|
||||
$format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT;
|
||||
}
|
||||
return $this->ssoInit($create,$format);
|
||||
return $this->ssoInit(array('allowCreate' => $create, 'nameIDFormat' => $format, 'isPassive' => $passive));
|
||||
}
|
||||
public function ssoInit(
|
||||
$allowCreate = TRUE,
|
||||
$nameIDFormat = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
|
||||
$remoteID = null,
|
||||
$method = LASSO_HTTP_METHOD_REDIRECT,
|
||||
$isConsentObtained = FALSE,
|
||||
$forceAuthn = FALSE,
|
||||
$isPassive = FALSE)
|
||||
function ssoInit($params = array())
|
||||
{
|
||||
$default_params = array(
|
||||
'allowCreate' => TRUE,
|
||||
'nameIDFormat' => LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
|
||||
'remoteID' => null,
|
||||
'method' => LASSO_HTTP_METHOD_REDIRECT,
|
||||
'isConsentObtained' => FALSE,
|
||||
'forceAuthn' => FALSE,
|
||||
'isPassive' => FALSE);
|
||||
$params = array_merge($default_params, $params);
|
||||
extract($params);
|
||||
#lassospkit_debuglog("Params isPassive: $isPassive allowCreate: $allowCreate format: $nameIDFormat");
|
||||
$login = null;
|
||||
return parent::ssoCommon($login, $remoteID, $method, $isConsentObtained, $forceAuthn, $isPassive, array('nameIDFormat'=>$nameIDFormat, 'allowCreate' => $allowCreate));
|
||||
}
|
||||
|
@ -49,20 +61,21 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
/** Name Id Management, SP inititated */
|
||||
/* Request */
|
||||
public function initiateNameIdManagement($newNameID, $method = LASSO_HTTP_METHOD_SOAP, $remoteID = null) {
|
||||
$ret = 0;
|
||||
lassospkit_debuglog("initiateNIDManagement NNID: $newNameID Meth: $method RID: $remoteID ");
|
||||
$ok = 1 && $nidmanagement = new LassoNameIdManagement($this->server);
|
||||
$nidmanagement = new LassoNameIdManagement($this->server);
|
||||
$this->findFederation($nidmanagement);
|
||||
$ok = $ok && ! $ret = $nidmanagement->initRequest($remoteID, $newNameID, $method);
|
||||
$ok = $ok && ! $ret = $nidmanagement->buildRequestMsg();
|
||||
$retIR = $nidmanagement->initRequest($remoteID, $newNameID, $method);
|
||||
$retBRM = $nidmanagement->buildRequestMsg();
|
||||
if ($retIR || $retBRM) {
|
||||
lassospkit_errlog("initiateNIDManagement: retIR: $retIR retBRM: $retBRM");
|
||||
}
|
||||
switch ($method) {
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
$this->keepProfile($nidmanagement);
|
||||
$this->finishRedirectRequest($nidmanagement, $ret, $ok);
|
||||
$this->finishRedirectRequest($nidmanagement);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_SOAP:
|
||||
$this->finishSOAPRequest($nidmanagement, $ret, $ok, $response);
|
||||
$ok = $ok && $this->processResponseNameIdManagement($response, $nidmanagement);
|
||||
$this->finishSOAPRequest($nidmanagement, $response);
|
||||
$this->processResponseNameIdManagement($response, $nidmanagement);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_GET:
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_POST:
|
||||
|
@ -70,38 +83,20 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
default:
|
||||
LassoSPKitHelper::notImplemented();
|
||||
}
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog("NID failed Ret: $ret Exp: " . $this->exception);
|
||||
$this->status = gettext('La défédération a échoué');
|
||||
}
|
||||
return $ok;
|
||||
}
|
||||
function processRedirectResponseNameIdManagement() {
|
||||
$ret = 0;
|
||||
$nidmanagement = null;
|
||||
$ok = $this->processResponseNameIdManagement($_SERVER['QUERY_STRING'], $nidmanagement);
|
||||
return $ok;
|
||||
$this->processResponseNameIdManagement($_SERVER['QUERY_STRING'], $nidmanagement);
|
||||
}
|
||||
/** Response **/
|
||||
public function processResponseNameIdManagement($message, &$nidmanagement)
|
||||
{
|
||||
$ret = 0;
|
||||
$ok = 1;
|
||||
lassospkit_debuglog("NameIdManagement SP initiated Response");
|
||||
if ($nidmanagement == null) {
|
||||
$ok = $ok && $nidmanagement = LassoNameIdManagement::newFromDump($this->server, $this->restoreProfile());
|
||||
if ($ok) {
|
||||
$this->findFederation($nidmanagement);
|
||||
}
|
||||
$nidmanagement = LassoNameIdManagement::newFromDump($this->server, $this->restoreProfile());
|
||||
$this->findFederation($nidmanagement);
|
||||
}
|
||||
$ok = $ok && ! $ret = $nidmanagement->processResponseMsg($message);
|
||||
if ($ok || $ret > 0) {
|
||||
$this->changeFederation($nidmanagement);
|
||||
}
|
||||
if ($ret != 0) {
|
||||
$this->setRet($ret);
|
||||
}
|
||||
return $ok;
|
||||
$retPRM = $nidmanagement->processResponseMsg($message);
|
||||
$this->changeFederation($nidmanagement);
|
||||
}
|
||||
/** Name Id Management request IdP iniated */
|
||||
public function processRedirectRequestNameIdManagement() {
|
||||
|
@ -115,38 +110,22 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
}
|
||||
public function processRequestNameIdManagement($method, $message)
|
||||
{
|
||||
lassospkit_debuglog("NameIdManagement request handling");
|
||||
$ret = 0;
|
||||
$ok = 1;
|
||||
$ok = $ok && $nidmanagement = new LassoNameIdManagement($this->server);
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog("Cannot build nameidManagement profile");
|
||||
return;
|
||||
$nidmanagement = new LassoNameIdManagement($this->server);
|
||||
$retPRM = $nidmanagement->processRequestMsg($message);
|
||||
$this->findFederation($nidmanagement);
|
||||
$retVR = $nidmanagement->validateRequest();
|
||||
if ($retPRM || $retVR) {
|
||||
lassospkit_errlog("initiateNIDManagement: retPRM: $retPRM retVR: $retVR");
|
||||
}
|
||||
lassospkit_debuglog("NID Request init ok: $ok ret: $ret " . strError($ret));
|
||||
$ok = $ok && ! $ret = $nidmanagement->processRequestMsg($message);
|
||||
lassospkit_debuglog("NID Request processRequestMsg ok: $ok ret: $ret " . strError($ret));
|
||||
if ($ok) {
|
||||
$this->findFederation($nidmanagement);
|
||||
}
|
||||
$ok = $ok && ! $ret = $nidmanagement->validateRequest();
|
||||
lassospkit_debuglog("NID Request validateRequest ok: $ok ret: $ret " . strError($ret));
|
||||
lassospkit_debuglog("NID request type: " . var_export($nidmanagement, 1));
|
||||
// if ($ok) {
|
||||
// $newid = null;
|
||||
// if (isset($nidmanagement->request) && isset($nidmanagement->request->NewID)) {
|
||||
// $newid = $nidmanagement->request->NewID;
|
||||
// }
|
||||
//// LassoSPKitHelper::changeFederation($nidmanagement, $this->session, $newid);
|
||||
// }
|
||||
lassospkit_debuglog("NID request just before finishResponse");
|
||||
$this->finishResponse($nidmanagement, $method, $ret, $ok);
|
||||
if (! $ok) {
|
||||
$this->status = gettext('La requête de défédération a échoué');
|
||||
}
|
||||
return $ok;
|
||||
$this->changeFederation($nidmanagement);
|
||||
$this->finishResponse($nidmanagement, $method);
|
||||
}
|
||||
/** Change federation with respect to nidmanagement request content.
|
||||
If a response is present
|
||||
*/
|
||||
function changeFederation(LassoNameIdManagement $nidmanagement) {
|
||||
LassoSPKitHelper::changeFederation($nidmanagement, $this->session, $nidmanagement->request->NewID);
|
||||
LassoSPKitHelper::changeFederation($nidmanagement,
|
||||
$this->session,
|
||||
$nidmanagement->request->NewID);
|
||||
}
|
||||
}
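Review bot: `processRequestNameIdManagement()` now only logs the return codes of `processRequestMsg()` and `validateRequest()` and still calls `changeFederation()` and `finishResponse()` when either failed, so a request that did not validate still rewrites the stored federation with its `NewID`; the `$ok` chain it replaces skipped that. The same applies in `processResponseNameIdManagement()`, where `$retPRM` is assigned and never read before `changeFederation()`. Keep the response path but guard the federation change: `if (! $retPRM && ! $retVR) { $this->changeFederation($nidmanagement); }` in the request handler and `if (! $retPRM) { $this->changeFederation($nidmanagement); }` in the response handler. The error log in the request handler is labelled `initiateNIDManagement:`, a copy-paste from the method above. `extract($params)` in `ssoInit()` turns every caller-supplied key into a local variable; reading `$params['remoteID']` and the others explicitly is safer and easier to follow.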
|
||||
|
|
|
@ -60,7 +60,7 @@ class LassoSPKitSAMLCommon {
|
|||
&& ! $ret = $server->addProvider(LASSO_PROVIDER_ROLE_IDP
|
||||
,$idpmeta,null, null);
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog("Erreur création serveur: Ret=$ret Msg=" . strError($ret));
|
||||
#lassospkit_debuglog("Erreur création serveur: Ret=$ret Msg=" . strError($ret));
|
||||
return 0;
|
||||
} else {
|
||||
$this->server = $server;
|
||||
|
@ -69,7 +69,7 @@ class LassoSPKitSAMLCommon {
|
|||
}
|
||||
public static function checkFile($file) {
|
||||
if (! file_exists($file)) {
|
||||
lassospkit_debuglog("File " . $file . " is absent, can't construct server object");
|
||||
#lassospkit_debuglog("File " . $file . " is absent, can't construct server object");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
|
@ -84,18 +84,13 @@ class LassoSPKitSAMLCommon {
|
|||
}
|
||||
/** Return a normal HTTP response, for SOAP Response binding */
|
||||
public function doResponse(LassoProfile $profile) {
|
||||
lassospkit_debuglog("doResponse for profile");
|
||||
lassospkit_debuglog("with content " . $profile->msgBody);
|
||||
$this->session->doResponse('text/xml', $profile->msgBody);
|
||||
}
|
||||
/** Read a soap message from stdin */
|
||||
public function receiveSOAPMessage() {
|
||||
lassospkit_debuglog("Receiving a SOAP message");
|
||||
$contents = @file_get_contents("php://input");
|
||||
if ($contents === FALSE) {
|
||||
lassospkit_debuglog("Problem Receiving a SOAP message2");
|
||||
} else {
|
||||
lassospkit_debuglog("Received a SOAP message");
|
||||
lassospkit_errlog("Problem Receiving a SOAP message2");
|
||||
}
|
||||
return $contents;
|
||||
}
|
||||
|
@ -104,37 +99,45 @@ class LassoSPKitSAMLCommon {
|
|||
This method makes a soap call to resolve the artifact, it is synchronous
|
||||
so can potentially take times.
|
||||
*/
|
||||
public function artifactResolve(LassoProfile $profile, $query, $method, &$ok, &$ret) {
|
||||
$ok = $ok && ! $ret = $profile->initRequest($query, $method);
|
||||
$ok = $ok && ! $ret = $profile->buildRequestMsg();
|
||||
$ok = $ok && $content = LassoSPKitHelper::SoapCallWithProfile($profile);
|
||||
$ok = $ok && ! $ret = $profile->processResponseMsg($content);
|
||||
if (! $ok) {
|
||||
$this->setRet($ret);
|
||||
public function artifactResolve(LassoProfile $profile, $query, $method) {
|
||||
$retIR = $profile->initRequest($query, $method);
|
||||
$retBRM = $profile->buildRequestMsg();
|
||||
$content = @LassoSPKitHelper::SoapCallWithProfile($profile);
|
||||
if ($content === FALSE) {
|
||||
lassospkit_errlog("artifactResolve: soapCall result empty");
|
||||
$content = "";
|
||||
}
|
||||
return $ok;
|
||||
$retPRM = $profile->processResponseMsg($content);
|
||||
if ($retIR || $retBRM || $retPRM) {
|
||||
lassospkit_errlog("artifactResolve: retIR: $retIR retBRM: $retBRM retPRM: $retPRM");
|
||||
if ($retIR) {
|
||||
return $retIR;
|
||||
}
|
||||
if ($retBRM) {
|
||||
return $retBRM;
|
||||
}
|
||||
if ($retPRM) {
|
||||
return $retPRM;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
/** Finish a request with a redirect transport */
|
||||
public function finishRedirectRequest(LassoProfile $profile, &$ret, &$ok) {
|
||||
if ($ok) {
|
||||
$this->doRedirect($profile);
|
||||
}
|
||||
public function finishRedirectRequest(LassoProfile $profile) {
|
||||
$this->doRedirect($profile);
|
||||
}
|
||||
/** Finish a request with a SOAP transport */
|
||||
public function finishSOAPRequest(LassoProfile $profile, &$ret, &$ok, &$response) {
|
||||
if ($ok) {
|
||||
public function finishSOAPRequest(LassoProfile $profile, &$response) {
|
||||
$response = LassoSPKitHelper::SoapCallWithProfile($profile);
|
||||
}
|
||||
}
|
||||
|
||||
public function finishResponse(LassoProfile $profile, $method, &$ret, &$ok) {
|
||||
public function finishResponse(LassoProfile $profile, $method) {
|
||||
$ret = $profile->buildResponseMsg();
|
||||
switch ($method) {
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
$this->doRedirect($profile);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_SOAP:
|
||||
lassospkit_debuglog("Finishing response with method SOAP");
|
||||
$this->doResponse($profile);
|
||||
break;
|
||||
default:
|
||||
|
@ -150,173 +153,124 @@ class LassoSPKitSAMLCommon {
|
|||
Calls ssoNameIdPolicyConfig on the session object to initialize.
|
||||
*/
|
||||
public function ssoCommon(&$login,
|
||||
$remoteID,
|
||||
$method,
|
||||
$isConsentObtained,
|
||||
$forceAuthn,
|
||||
$isPassive,
|
||||
$blob) {
|
||||
lassospkit_debuglog("SSO request initiated RID: $remoteID Meth: $method Consent: $isConsentObtained ForceAuthn: $forceAuthn Passive: $isPassive " . var_export($blob,1) );
|
||||
$ok = 1 && $login = new LassoLogin($this->server);
|
||||
$this->findFederation($login);
|
||||
$ok = $ok && ! $ret = $login->initAuthnRequest($remoteID,$method);
|
||||
$ok = $ok && $request = $login->request;
|
||||
$ok = $ok && $nameidpolicy = $request->NameIDPolicy;
|
||||
if ($ok) {
|
||||
$remoteID,
|
||||
$method,
|
||||
$isConsentObtained,
|
||||
$forceAuthn,
|
||||
$isPassive,
|
||||
$blob) {
|
||||
$login = new LassoLogin($this->server);
|
||||
$retFF = $this->findFederation($login);
|
||||
$retIAR = $login->initAuthnRequest($remoteID,$method);
|
||||
$request = @$login->request;
|
||||
$nameidpolicy = @$request->NameIDPolicy;
|
||||
if ($nameidpolicy) {
|
||||
$this->ssoNameIdPolicyConfig($login, $blob);
|
||||
$request->consent = $isConsentObtained;
|
||||
$request->ForceAuthn = $forceAuthn;
|
||||
$request->IsPassive = $isPassive;
|
||||
}
|
||||
$ok = $ok && ! $ret = $login->buildAuthnRequestMsg();
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog("SSO request failed ErrCode: $ret");
|
||||
$this->setStatus("Erreur durant l'authentification");
|
||||
$this->setRet($ret);
|
||||
} else {
|
||||
switch($method) {
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
$this->doRedirect($login);
|
||||
break;
|
||||
default:
|
||||
LassoSPKitHelper::notImplemented();
|
||||
}
|
||||
throw new Exception("SSO: Pas d'object NameIDPolicy");
|
||||
}
|
||||
$retBAR = $login->buildAuthnRequestMsg();
|
||||
switch($method) {
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
$this->doRedirect($login);
|
||||
break;
|
||||
default:
|
||||
LassoSPKitHelper::notImplemented();
|
||||
}
|
||||
return $ok;
|
||||
}
|
||||
/** Method to consume response to auth requests. */
|
||||
function ssoConsumer($method, $message) {
|
||||
$ret = 0;
|
||||
lassospkit_debuglog("Consuming SSO assertion");
|
||||
$ok = 1 && $login = new LassoLogin($this->server);
|
||||
$login = new LassoLogin($this->server);
|
||||
$retPRM = 0;
|
||||
$retAR = 0;
|
||||
switch ($method) {
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_GET:
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_POST:
|
||||
$ok = $ok && $this->artifactResolve($login,
|
||||
$retAR = $this->artifactResolve($login,
|
||||
$message,
|
||||
$method, $ok, $ret);
|
||||
$method);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_POST:
|
||||
$ok = $ok && ! $ret = $this->processResponseMsg($message);
|
||||
$retPRM = $this->processResponseMsg($message);
|
||||
break;
|
||||
}
|
||||
if ($ok) {
|
||||
try {
|
||||
$this->findFederation($login);
|
||||
} catch (LassoProfileFederationNotFoundError $error) {
|
||||
} catch (LassoProfileNameIdentifierNotFoundError $error) {
|
||||
$ok = 0;
|
||||
$ret = LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND;
|
||||
if ($retAR == LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND
|
||||
|| $retPRM == LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND) {
|
||||
$this->setMessage("Federation not found");
|
||||
}
|
||||
if ($retAR == LASSO_LOGIN_ERROR_STATUS_NOT_SUCCESS ||
|
||||
$retPRM == LASSO_LOGIN_ERROR_STATUS_NOT_SUCCESS) {
|
||||
$this->setMessage("Request denied");
|
||||
}
|
||||
if ($retAR || $retPRM) {
|
||||
lassospkit_errlog("ssoConsumer, retAR: $retAR retPRM: $retPRM");
|
||||
} else {
|
||||
$retFF = $this->findFederation($login);
|
||||
$retASSO = $login->acceptSso();
|
||||
if ($retASSO) {
|
||||
lassospkit_errlog("ssoConsumer, retASSO: $retASSO retFF: $retFF");
|
||||
}
|
||||
}
|
||||
$ok = $ok && ! $ret = $login->acceptSso();
|
||||
if ($login->response->assertion) {
|
||||
$attributes = LassoSPKitHelper::assertionExtractAttributes($login->response->assertion[0]);
|
||||
$this->session->setAssertionAttributes($attributes);
|
||||
}
|
||||
|
||||
if ($ok) {
|
||||
$this->saveFederation($login);
|
||||
}
|
||||
if (! $ok) {
|
||||
$this->setStatus("Le SSO a échoué");
|
||||
$this->setRet($ret);
|
||||
}
|
||||
return $ok;
|
||||
$this->saveFederation($login);
|
||||
}
|
||||
|
||||
/** Web SLO methods */
|
||||
/* SP initiated */
|
||||
public function initiateSLO($method = LASSO_HTTP_METHOD_SOAP, $remoteID = null)
|
||||
{
|
||||
$ret = 0;
|
||||
lassospkit_debuglog("SLO SP initiated request");
|
||||
$ok = 1 && $logout = new LassoLogout($this->server);
|
||||
$logout = new LassoLogout($this->server);
|
||||
$this->findFederation($logout);
|
||||
$ok = $ok && ! $ret = $logout->initRequest($remoteID, $method);
|
||||
$ok = $ok && ! $ret = $logout->buildRequestMsg();
|
||||
if ($ok) {
|
||||
switch ($method) {
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
$this->finishRedirectRequest($logout, $ret, $ok);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_SOAP:
|
||||
$this->finishSOAPRequest($logout, $ret, $ok, $response);
|
||||
$ok = $ok && $this->processResponseSLO($logout, $response);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_GET:
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_POST:
|
||||
case LASSO_HTTP_METHOD_POST:
|
||||
default:
|
||||
LassoSPKitHelper::notImplemented();
|
||||
}
|
||||
$retIR = $logout->initRequest($remoteID, $method);
|
||||
$retBRM = $logout->buildRequestMsg();
|
||||
switch ($method) {
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
$this->finishRedirectRequest($logout);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_SOAP:
|
||||
$this->finishSOAPRequest($logout, $response);
|
||||
$this->processResponseSLO($logout, $response);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_GET:
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_POST:
|
||||
case LASSO_HTTP_METHOD_POST:
|
||||
default:
|
||||
LassoSPKitHelper::notImplemented();
|
||||
}
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog("SLO SP initiated request failed ErrCode: $ret");
|
||||
$this->setStatus("Le SSO a échoué");
|
||||
$this->setRet($ret);
|
||||
}
|
||||
return $ok;
|
||||
}
|
||||
public function processRedirectResponseSLO() {
|
||||
$ret = 0;
|
||||
$logout = null;
|
||||
$ok = $this->processResponseSLO($logout, $_SERVER['QUERY_STRING']);
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog("SLO SP initiated response failed ErrCode: $ret");
|
||||
$this->setStatus("Le SLO a échoué");
|
||||
$this->setRet($ret);
|
||||
}
|
||||
return $ok;
|
||||
$this->processResponseSLO($logout, $_SERVER['QUERY_STRING']);
|
||||
}
|
||||
public function processResponseSLO(&$logout, $message) {
|
||||
$ret = 0;
|
||||
$ok = 1;
|
||||
lassospkit_debuglog("SLO SP initiated Response");
|
||||
if (! $logout) {
|
||||
$ok = $ok && $logout = new LassoLogout($this->server);
|
||||
$logout = new LassoLogout($this->server);
|
||||
$this->findFederation($logout);
|
||||
}
|
||||
$ok = $ok && ! $ret = $logout->processResponseMsg($message);
|
||||
$prefix = "";
|
||||
switch ($ret) {
|
||||
$retPRM = $logout->processResponseMsg($message);
|
||||
switch ($retPRM) {
|
||||
case 0:
|
||||
break;
|
||||
default:
|
||||
case LASSO_DS_ERROR_INVALID_SIGNATURE:
|
||||
lassospkit_debuglog("Logout warn: invalid signature");
|
||||
$prefix = "Warning: ";
|
||||
$ok = 1;
|
||||
break;
|
||||
case LASSO_LOGOUT_ERROR_REQUEST_DENIED:
|
||||
lassospkit_debuglog("Logout warn: request denied");
|
||||
$prefix = "Warning: ";
|
||||
$ok = 1;
|
||||
$this->setMessage("Logout request denied by IdP");
|
||||
break;
|
||||
case LASSO_LOGOUT_ERROR_UNKNOWN_PRINCIPAL:
|
||||
lassospkit_debuglog("Unknown principal on logout, probably session stopped already on IdP");
|
||||
$prefix = "Warning: ";
|
||||
$ok = 1;
|
||||
$this->setMessage("IdP said 'unknown principal'");
|
||||
break;
|
||||
case LASSO_PROFILE_ERROR_INVALID_QUERY:
|
||||
lassospkit_debuglog("Invalid response");
|
||||
$prefix = "Error: ";
|
||||
$ok = 0;
|
||||
break;
|
||||
default:
|
||||
lassospkit_debuglog("SLO Response ErrCode: $ret");
|
||||
$prefix = "Error: ";
|
||||
$ok = 0;
|
||||
$this->setMessage("IdP said 'logout request is invalid'");
|
||||
break;
|
||||
}
|
||||
if ($ok == 1) {
|
||||
$this->saveFederation($logout);
|
||||
$this->session->logout();
|
||||
}
|
||||
if ($ret != 0) {
|
||||
$this->setRet($ret, $prefix);
|
||||
lassospkit_debuglog("SLO Res Code: $ret");
|
||||
}
|
||||
return $ok;
|
||||
$this->saveFederation($logout);
|
||||
$this->session->logout();
|
||||
}
|
||||
/** IDP initiated SLO **/
|
||||
public function processRedirectRequestSLO() {
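Review bot: In ssoConsumer the new code reaches `$this->saveFederation($login);` (and the assertion-attribute extraction into the session just above it) unconditionally, whereas the removed lines ran them only when `$ok` was still set; after a non-zero `$retAR`/`$retPRM`, or a non-zero `$retASSO`, nothing should be persisted, and the function now returns no status at all to its caller (returning the first non-zero code would keep the old contract usable). processResponseSLO has the same shape — `$this->saveFederation($logout);` and `$this->session->logout();` now run for every `$retPRM`, including LASSO_PROFILE_ERROR_INVALID_QUERY, and the new `default:` placed before `case LASSO_DS_ERROR_INVALID_SIGNATURE:` routes every unlisted error code into the invalid-signature branch (and if the later `default:` survives the change, PHP rejects a switch with two default clauses). The next hunk's processRequestSLO stores the result in `$retPRM` but tests `$ret`, which is never assigned there, so a failed processRequestMsg still proceeds to validateRequest and the session logout — `if ($retPRM != 0) {` with `strError($retPRM) . "($retPRM)"` in the log line — and its `return $ok;` refers to a variable the commit removed. Whether `$login->response` still holds parsed but unverified data after a failed processResponseMsg is not visible here, so please confirm that before relying on the `if ($login->response->assertion)` test alone.
```php
    } else {
        $retFF = $this->findFederation($login);
        $retASSO = $login->acceptSso();
        if ($retASSO) {
            lassospkit_errlog("ssoConsumer, retASSO: $retASSO retFF: $retFF");
        } else {
            // only an accepted response may update session state
            if ($login->response->assertion) {
                $attributes = LassoSPKitHelper::assertionExtractAttributes($login->response->assertion[0]);
                $this->session->setAssertionAttributes($attributes);
            }
            $this->saveFederation($login);
        }
    }
    // … unchanged: end of ssoConsumer …
```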
|
||||
|
@ -329,29 +283,20 @@ class LassoSPKitSAMLCommon {
|
|||
$contents);
|
||||
}
|
||||
public function processRequestSLO($method, $message) {
|
||||
$ret = 0;
|
||||
$ok = 1 && $logout = new LassoLogout($this->server);
|
||||
if (! $ok) {
|
||||
lassospkit_errlog("processRequestSLO: Cannot build logout profile");
|
||||
return;
|
||||
}
|
||||
$logout = new LassoLogout($this->server);
|
||||
$retPRM = $logout->processRequestMsg($message);
|
||||
if ($ret != 0) {
|
||||
lassospkit_warnlog("processResquestSLO: processRequestMsg returned non-0: " . strError($ret) . "($ret)");
|
||||
}
|
||||
$this->findFederation($logout);
|
||||
$retVR = $logout->validateRequest();
|
||||
$retBR = $this->finishResponse($logout, $logout->http_request_method, $ret, $ok);
|
||||
// if ($retBR != 0) {
|
||||
$retBR = $this->finishResponse($logout, $logout->http_request_method);
|
||||
$this->session->logout();
|
||||
// }
|
||||
lassospkit_infolog("Logout request handled for nameId: " . $logout->nameID . " retPRM: $retPRM retVR: $retVR retBR: $retBR");
|
||||
return $ok;
|
||||
}
|
||||
public function saveFederation(LassoProfile $profile) {
|
||||
LassoSPKitHelper::saveFederation($profile, $this->session);
|
||||
}
|
||||
public function findFederation(LassoProfile $profile) {
|
||||
LassoSPKitHelper::findFederation($profile, $this->session);
|
||||
return LassoSPKitHelper::findFederation($profile, $this->session);
|
||||
}
|
||||
/** Federation termination **/
|
||||
public function initiateFTNotification($method = LASSO_HTTP_METHOD_SOAP, $remoteID = null) {
|
||||
|
@ -384,4 +329,7 @@ class LassoSPKitSAMLCommon {
|
|||
LassoSPKitUtilsSession::setFederation(serialize($fed));
|
||||
return $profile;
|
||||
}
|
||||
function setMessage($message) {
|
||||
LassoSPKitUtilsSession::setLastError($message);
|
||||
}
|
||||
}
@ -0,0 +1,46 @@
|
|||
<?php
|
||||
require_once('lassospkit_datadir.inc.php');
|
||||
require_once('lassospkit_debug.inc.php');
|
||||
|
||||
|
||||
|
||||
class LassoSPKitSessionFile {
|
||||
function retrieve($session, $timeout) {
|
||||
$LassoSPKitSessionFile_cookiename = 'lassospkit_file_' . LassoSPKitConfig::get('cookiename');
|
||||
|
||||
$content = null;
|
||||
if (isset($_COOKIE[$LassoSPKitSessionFile_cookiename])) {
|
||||
$session->id = $_COOKIE[$LassoSPKitSessionFile_cookiename];
|
||||
$valid = ereg("^[[:alnum:]]+$",$session->id);
|
||||
if ($valid) {
|
||||
$filepath = lassospkit_datadir() . "/cookie_session_" . $session->id;
|
||||
if (file_exists($filepath) && time()-filemtime($filepath) < $timeout) {
|
||||
$content = @file_get_contents($filepath);
|
||||
if ($content === FALSE) {
|
||||
lassospkit_errlog("cannot read $filepath");
|
||||
}
|
||||
} else {
|
||||
self::delete($session);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (! $content) {
|
||||
$session->id = md5("lasso" . rand());
|
||||
setcookie($LassoSPKitSessionFile_cookiename, $session->id, time()+3600, '/');
|
||||
}
|
||||
return $content;
|
||||
}
|
||||
function store($session, $content) {
|
||||
if ($session->id) {
|
||||
$ret = @file_put_contents(lassospkit_datadir() . "/cookie_session_" . $session->id, $content);
|
||||
if ($ret === FALSE) {
|
||||
lassospkit_errlog("cannot write into " . lassospkit_datadir() . "/cookie_session_" . $session->id);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
function delete($session) {
|
||||
$filepath = lassospkit_datadir() . "/cookie_session_" . $session->id;
|
||||
@unlink($filepath);
|
||||
}
|
||||
}
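Review bot: The new session id at `$session->id = md5("lasso" . rand());` is derived from `rand()`, which is not a cryptographic generator, and that id is the only thing that selects which `cookie_session_*` file under the data dir is loaded for a client, so an id that can be predicted lets one client reuse another's stored session. Build it from a CSPRNG instead — e.g. `bin2hex` of 16 bytes read from `/dev/urandom` — and give the cookie the secure/httponly flags: `setcookie($LassoSPKitSessionFile_cookiename, $session->id, time()+3600, '/', '', isset($_SERVER['HTTPS']), true);`. The memcache backend in the next section has the identical construction at its `md5("lasso" . rand())` and setcookie lines. `ereg()` is deprecated; `preg_match('/^[a-zA-Z0-9]+$/D', $session->id)` keeps the same character set (with `/D` so `$` cannot match before a trailing newline).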
@ -0,0 +1,48 @@
|
|||
<?php
|
||||
require_once('lassospkit_datadir.inc.php');
|
||||
require_once('lassospkit_debug.inc.php');
|
||||
require_once('lassospkit_memcache.inc.php');
|
||||
|
||||
|
||||
|
||||
class LassoSPKitSessionMemCache {
|
||||
function getkey($session) {
|
||||
return $session->id . "_cookie_session";
|
||||
}
|
||||
function retrieve($session, $timeout) {
|
||||
$LassoSPKitSessionMemCache_cookiename = 'lassospkit_memcache_' . LassoSPKitConfig::get('cookiename');
|
||||
|
||||
#lassospkit_debuglog("Retrieving $LassoSPKitSessionMemCache_cookiename : " . var_export($_COOKIE, 1));
|
||||
$content = null;
|
||||
if (isset($_COOKIE[$LassoSPKitSessionMemCache_cookiename])) {
|
||||
$session->id = $_COOKIE[$LassoSPKitSessionMemCache_cookiename];
|
||||
#lassospkit_debuglog("Retrieving " . $session->id);
|
||||
$valid = ereg("^[[:alnum:]]+$",$session->id);
|
||||
if ($valid) {
|
||||
$memcache_key = self::getkey($session);
|
||||
$content = LassoSPKitMemCache::get($memcache_key);
|
||||
}
|
||||
if (! $content) {
|
||||
self::delete($session);
|
||||
}
|
||||
}
|
||||
if (! $content) {
|
||||
$session->id = md5("lasso" . rand());
|
||||
setcookie($LassoSPKitSessionMemCache_cookiename, $session->id, time()+3600, '/');
|
||||
}
|
||||
return $content;
|
||||
}
|
||||
function store($session, $content) {
|
||||
if ($session->id) {
|
||||
$memcache_key = self::getkey($session);
|
||||
$ret = LassoSPKitMemCache::set($memcache_key, $content, LassoSPKitUtilsSession::$timeout);
|
||||
if ($ret === FALSE) {
|
||||
lassospkit_errlog("cannot write into Memcache for key cookie_session_" . $session->id);
|
||||
}
|
||||
}
|
||||
}
|
||||
function delete($session) {
|
||||
$memcache_key = self::getkey($session);
|
||||
LassoSPKitMemCache::delete($memcache_key);
|
||||
}
|
||||
}
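Review bot: `store()` ignores the `$timeout` contract that `retrieve()` takes and reads `LassoSPKitUtilsSession::$timeout` directly, which ties the storage backend back to the session class whose static field had to be opened up for it; passing the timeout in (`store($session, $content, $timeout)`) or keeping it on the instance would keep the three backends uniform. The error message at `lassospkit_errlog("cannot write into Memcache for key cookie_session_" . $session->id);` names a key that never exists — `getkey()` builds `<id>_cookie_session` — so the logged key cannot be found when triaging a cache failure; use `lassospkit_errlog("cannot write into Memcache for key " . $memcache_key);`.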
@ -0,0 +1,34 @@
|
|||
<?php
|
||||
require_once('lassospkit_datadir.inc.php');
|
||||
require_once('lassospkit_debug.inc.php');
|
||||
|
||||
$LassoSPKitSessionFile_key = "__LassoSPKitSessionObject";
|
||||
|
||||
class LassoSPKitSessionPHP {
|
||||
function retrieve($session, $timeout) {
|
||||
global $LassoSPKitSessionPHP_key;
|
||||
|
||||
$content = null;
|
||||
if (! isset($_SESSION)) {
|
||||
throw new Exception("LassoSPKit cannot work without PHP sessions if use_session is TRUE.");
|
||||
}
|
||||
if (isset($_SESSION[$LassoSPKitSessionFile_key])) {
|
||||
$content = $_SESSION[$LassoSPKitSessionFile_key];
|
||||
if (! isset($_SESSION[$LassoSPKitSessionFile_key . '_time']) ||
|
||||
$_SESSION[$LassoSPKitSessionFile_key . '_time'] - time() > $timeout) {
|
||||
$content = null;
|
||||
self::delete($session);
|
||||
}
|
||||
}
|
||||
return $content;
|
||||
}
|
||||
function store($session, $content) {
|
||||
global $LassoSPKitSessionPHP_key;
|
||||
$_SESSION[$LassoSPKitSessionFile_key] = $content;
|
||||
$_SESSION[$LassoSPKitSessionFile_key . '_time'] = time();
|
||||
}
|
||||
function delete($session) {
|
||||
unset($_SESSION[$LassoSPKitSessionFile_key]);
|
||||
unset($_SESSION[$LassoSPKitSessionFile_key . '_time']);
|
||||
}
|
||||
}
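Review bot: Every method in LassoSPKitSessionPHP reads `$LassoSPKitSessionFile_key`, but the two `global` statements import `$LassoSPKitSessionPHP_key`, which this file never defines; inside the methods the key variable is therefore null and the payload is stored under `$_SESSION[""]` and `$_SESSION["_time"]` (with notices), so the declarations should be `global $LassoSPKitSessionFile_key;` (delete() needs one too), or the key should become a class constant. The expiry test in retrieve is inverted — `$_SESSION[... '_time'] - time()` is never positive — so a stored session never times out; it should read `time() - $_SESSION[$LassoSPKitSessionFile_key . '_time'] > $timeout`. The `$session` argument is unused in this backend, which is fine for the shared interface but deserves a one-line comment saying so.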
@ -2,13 +2,13 @@
|
|||
require_once('lassospkit_defines.inc.php');
|
||||
|
||||
class LassoSPKitUtils {
|
||||
static public function myself() {
|
||||
function myself() {
|
||||
return 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
|
||||
}
|
||||
static public function mydir() {
|
||||
function mydir() {
|
||||
return 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
|
||||
}
|
||||
static public function relativePathToURL($rel) {
|
||||
function relativePathToURL($rel) {
|
||||
$abs = "";
|
||||
if (isset($_SERVER['HTTPS'])) {
|
||||
$abs = "https://";
|
||||
|
@ -20,7 +20,7 @@ class LassoSPKitUtils {
|
|||
$abs = $abs . $rel;
|
||||
return $abs;
|
||||
}
|
||||
static function checkCanWrite($dir, &$error) {
|
||||
function checkCanWrite($dir, &$error) {
|
||||
$path = $dir . "/" . _CHECK_FILENAME;
|
||||
$ok = ! file_exists($path) || unlink($path);
|
||||
$ok = $ok && $file = fopen($path,"w");
|
||||
|
@ -31,25 +31,25 @@ class LassoSPKitUtils {
|
|||
}
|
||||
return $ok;
|
||||
}
|
||||
static function generatePrivateKey($file,&$error) {
|
||||
function generatePrivateKey($file,&$error) {
|
||||
if (! is_file(OPENSSL_BIN)) {
|
||||
$error = "SSL Generate: Can't find OpenSSL at " . OPENSSL_BIN;
|
||||
return 0;
|
||||
}
|
||||
exec('/usr/bin/openssl genrsa -out ' . $file . ' 2048', $foo, $ret);
|
||||
exec('/usr/bin/openssl genrsa -out ' . $file . ' 2048 2>/dev/null', $foo, $ret);
|
||||
if ($ret != 0) {
|
||||
$error = "SSL Generate: OpenSSL returned non-0 while computing the private key, check your ssl installation.";
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
public static function extractPublicKey($file,&$public,&$error) {
|
||||
function extractPublicKey($file,&$public,&$error) {
|
||||
if (! is_file(OPENSSL_BIN)) {
|
||||
$error = "SSL Generate: Can't find OpenSSL at " . OPENSSL_BIN;
|
||||
return 0;
|
||||
}
|
||||
$tempfname = tempnam(TEMPDIR, "lassospkit-public-key");
|
||||
$cmdline = '/usr/bin/openssl rsa -in ' . $file . ' -pubout -out ' . $tempfname;
|
||||
$cmdline = '/usr/bin/openssl rsa -in ' . $file . ' -pubout -out ' . $tempfname . ' 2>/dev/null';
|
||||
exec($cmdline, $foo, $ret);
|
||||
if ($ret != 0) {
|
||||
$error = "SSL Generate: OpenSSL return non-0 while extracting the public key from the private key file, check your ssl installation. $cmdline";
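Review bot: Adding `2>/dev/null` in generatePrivateKey and extractPublicKey does not address that `$file` (and `$tempfname`) is still spliced into the shell command unescaped; if a caller can influence the key path the string reaches the shell verbatim, so wrap it with `escapeshellarg()`. The guard tests `OPENSSL_BIN` but both commands hard-code `/usr/bin/openssl`, so use the constant in the exec lines as well: `exec(OPENSSL_BIN . ' genrsa -out ' . escapeshellarg($file) . ' 2048 2>/dev/null', $foo, $ret);`. Silencing stderr also discards the only diagnostic available when `$ret != 0`; capturing it with `2>&1` into `$foo` and appending it to `$error` would make the failure actionable. The rest of extractPublicKey continues outside the hunk.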
|
||||
|
@ -62,4 +62,31 @@ class LassoSPKitUtils {
|
|||
@unlink($tempfname);
|
||||
return 1;
|
||||
}
|
||||
function extract_options($template, $source) {
|
||||
$ret = array();
|
||||
if (! is_array($source)) {
|
||||
return $ret;
|
||||
}
|
||||
foreach ($template as $key => $type) {
|
||||
if (isset($source[$key])) {
|
||||
$value = $source[$key];
|
||||
$ok = FALSE;
|
||||
switch ($type) {
|
||||
case 'b':
|
||||
$ok = is_bool($value);
|
||||
break;
|
||||
case 's':
|
||||
$ok = is_string($value);
|
||||
break;
|
||||
case 'i':
|
||||
$ok = is_int($value);
|
||||
break;
|
||||
}
|
||||
if ($ok) {
|
||||
$ret[$key] = $value;
|
||||
}
|
||||
}
|
||||
}
|
||||
return $ret;
|
||||
}
|
||||
}
|
||||
@ -1,7 +1,10 @@
|
|||
<?php
|
||||
require_once("lassospkit_config.inc.php");
|
||||
require_once("lassospkit_datadir.inc.php");
|
||||
|
||||
require_once("lassospkit_session_file.inc.php");
|
||||
require_once("lassospkit_session_php.inc.php");
|
||||
require_once("lassospkit_session_memcache.inc.php");
|
||||
require_once("lassospkit_debug.inc.php");
|
||||
/** This object encapsulate the communication between the frontend and the
|
||||
backend of the LassoSPkit.
|
||||
|
||||
|
@ -13,19 +16,21 @@ require_once("lassospkit_datadir.inc.php");
|
|||
|
||||
*/
|
||||
LassoSPKitUtilsSession::$cookiename = LassoSPKitConfig::get('cookiename');
|
||||
if (LassoSPKitUtilsSession::$use_session) {
|
||||
LassoSPKitUtilsSession::$session_storage_class = LassoSPKitConfig::get('session_storage_class');
|
||||
LassoSPKitUtilsSession::$storage = new LassoSPKitUtilsSession::$session_storage_class();
|
||||
if (LassoSPKitUtilsSession::$use_session && ! isset($_SESSION)) {
|
||||
session_start();
|
||||
} else {
|
||||
LassoSPKitUtilsSession::getSingleton();
|
||||
}
|
||||
class LassoSPKitUtilsSession {
|
||||
private static $key = "__LassoSPKitSessionObject";
|
||||
static $key = "__LassoSPKitSessionObject";
|
||||
public static $cookiename;
|
||||
private static $THIS;
|
||||
private $vars;
|
||||
static $THIS;
|
||||
var $vars;
|
||||
|
||||
/** If we getted the last error, clear it. */
|
||||
private $clears = array();
|
||||
var $clears = array();
|
||||
/** The supported keys */
|
||||
static $keys = array(
|
||||
'NameID'=>0,
|
||||
|
@ -42,7 +47,8 @@ class LassoSPKitUtilsSession {
|
|||
'loginParams'=>0,
|
||||
'federateParams'=>0,
|
||||
'sloParams'=>0,
|
||||
'defederationParams'=>0);
|
||||
'defederationParams'=>0,
|
||||
'LogoutMethod'=>0);
|
||||
/** The keys that must not survive one communication (one set followed by one get). */
|
||||
static $keysToClearAfterGet = array(
|
||||
'LastError'=>0,
|
||||
|
@ -58,39 +64,20 @@ class LassoSPKitUtilsSession {
|
|||
'sloParams'=>0,
|
||||
'defederationParams'=>0);
|
||||
public static $use_session = 0;
|
||||
static private $timeout = 3600;
|
||||
private $id = null;
|
||||
static $session_storage_class;
|
||||
static $storage;
|
||||
static $timeout = 3600;
|
||||
var $id = null;
|
||||
|
||||
private function __construct() {
|
||||
function __construct() {
|
||||
$content = null;
|
||||
if (self::$use_session) {
|
||||
if (! isset($_SESSION)) {
|
||||
throw new Exception("LassoSPKit cannot work without sessions.");
|
||||
}
|
||||
if (isset($_SESSION[self::$key])) {
|
||||
$content = $_SESSION[self::$key];
|
||||
}
|
||||
} else {
|
||||
if (isset($_COOKIE[self::$cookiename])) {
|
||||
$this->id = $_COOKIE[self::$cookiename];
|
||||
$valid = ereg("^[[:alnum:]]+$",$this->id);
|
||||
if ($valid) {
|
||||
$filepath = lassospkit_datadir() . "/cookie_session_" . $this->id;
|
||||
if (file_exists($filepath) && time()-filemtime($filepath) < self::$timeout) {
|
||||
$content = @file_get_contents($filepath);
|
||||
if ($content === FALSE) {
|
||||
lassospkit_debuglog("cannot read $filepath");
|
||||
}
|
||||
} else {
|
||||
$this->delete();
|
||||
}
|
||||
}
|
||||
}
|
||||
if (! $content) {
|
||||
$this->id = md5("lasso" . rand());
|
||||
setcookie(self::$cookiename, $this->id, time()+3600, '/');
|
||||
}
|
||||
}
|
||||
# if (self::$use_session) {
|
||||
# $content = LassoSPKitSessionPHP::retrieve($this, self::$timeout);
|
||||
# } else {
|
||||
# $content = LassoSPKitSessionFile::retrieve($this, self::$timeout);
|
||||
# }
|
||||
$content = self::$storage->retrieve($this, self::$timeout);
|
||||
#lassospkit_debuglog("Session construct $content");
|
||||
if ($content) {
|
||||
$t = @unserialize($content);
|
||||
if ($t && is_array($t)) {
|
||||
|
@ -111,16 +98,13 @@ class LassoSPKitUtilsSession {
|
|||
unset($this->vars[$k]);
|
||||
}
|
||||
$content = serialize($this->vars);
|
||||
if (self::$use_session) {
|
||||
$_SESSION[self::$key] = $content;
|
||||
} else {
|
||||
if ($this->id) {
|
||||
$ret = @file_put_contents(lassospkit_datadir() . "/cookie_session_" . $this->id, $content);
|
||||
if ($ret === FALSE) {
|
||||
lassospkit_debuglog("cannot write into " . lassospkit_datadir() . "/cookie_session_" . $this->id);
|
||||
}
|
||||
}
|
||||
}
|
||||
self::$storage->store($this, $content);
|
||||
#lassospkit_debuglog("Session store $content");
|
||||
# if (self::$use_session) {
|
||||
# LassoSPKitSessionPHP::store($this, $content);
|
||||
# } else {
|
||||
# LassoSPKitSessionFile::store($this, $content);
|
||||
# }
|
||||
}
|
||||
|
||||
/** Get the singleton object to communicate
|
||||
|
@ -171,8 +155,13 @@ class LassoSPKitUtilsSession {
|
|||
/* Helper static functions */
|
||||
|
||||
function delete() {
|
||||
$filepath = lassospkit_datadir() . "/cookie_session_" . $this->id;
|
||||
@unlink($filepath);
|
||||
# if (self::$use_session) {
|
||||
# LassoSPKitSessionPHP::delete($this);
|
||||
# } else {
|
||||
# LassoSPKitSessionFile::delete($this);
|
||||
# }
|
||||
self::$storage->delete($this);
|
||||
|
||||
}
|
||||
/** Clear the session object of all communication
|
||||
from the LassoSPKit. */
|
||||
|
@ -184,6 +173,14 @@ class LassoSPKitUtilsSession {
|
|||
$athis = self::getSingleton();
|
||||
$athis->clear();
|
||||
}
|
||||
static function setLogoutMethod($logoutMethod) {
|
||||
$athis = self::getSingleton();
|
||||
$athis->set('LogoutMethod',$logoutMethod);
|
||||
}
|
||||
static function getLogoutMethod() {
|
||||
$athis = self::getSingleton();
|
||||
return $athis->get('LogoutMethod');
|
||||
}
|
||||
/** Set the NameID to transmit. */
|
||||
static function setNameID($NameID) {
|
||||
$athis = self::getSingleton();
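Review bot: The modifiers dropped earlier in this section — `private static $key`/`$THIS` becoming `static`, `private $vars`/`$clears`/`$id` becoming `var`, and `private function __construct()` becoming `function __construct()` — remove the only thing that made LassoSPKitUtilsSession a singleton; any code, including a storage class, can now construct a second instance or overwrite `$THIS` and `$storage` directly. If the relaxation was needed so the new backends can read `LassoSPKitUtilsSession::$timeout`, only that field (and `$storage`) needs to be public, and the constructor and `$THIS` can stay `private`. The commented-out `# if (self::$use_session) …` blocks left in the constructor, store and delete are dead copies of the dispatch that `self::$storage` now performs and should be removed rather than kept as comments. The class begins before this hunk.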
|
||||