authorPhilipp Schüttlöffel <schuettloeffel@zqs.uni-hannover.de>2024-09-24 10:53:31 +0200
committerPhilipp Schüttlöffel <schuettloeffel@zqs.uni-hannover.de>2024-09-24 10:53:31 +0200
commit4459dd7917f4d1c34f40bb68f0e991e9c3d53e4c (patch)
tree5c07151ae61276d334e88f6309c30d439a85c12e /lib/classes/auth_plugins/StudipAuthShib.php
parentda0022e5c1abbf9825ae76debaabdff7e8623bb4 (diff)
parent97a188592c679890a25c37ab78463add76a52ff7 (diff)
Merge branch 'main' into issue-3911issue-3911
Diffstat (limited to 'lib/classes/auth_plugins/StudipAuthShib.php')
-rw-r--r--lib/classes/auth_plugins/StudipAuthShib.php139
1 files changed, 139 insertions, 0 deletions
diff --git a/lib/classes/auth_plugins/StudipAuthShib.php b/lib/classes/auth_plugins/StudipAuthShib.php
new file mode 100644
index 0000000..135b3f6
--- /dev/null
+++ b/lib/classes/auth_plugins/StudipAuthShib.php
@@ -0,0 +1,139 @@
+<?php
+# Lifter007: TODO
+# Lifter003: TODO
+# Lifter010: TODO
+/*
+ * StudipAuthShib.php - Stud.IP authentication against Shibboleth server
+ * Copyright (c) 2007 Elmar Ludwig, Universitaet Osnabrueck
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ */
+
+class StudipAuthShib extends StudipAuthSSO
+{
+ public $env_remote_user = 'REMOTE_USER';
+ public $local_domain;
+ public $session_initiator;
+ public $validate_url;
+ public $userdata;
+ public $username_attribute = 'username';
+
+ /**
+ * Constructor: read auth information from remote SP.
+ */
+ public function __construct($config = [])
+ {
+ parent::__construct($config);
+
+ if (!isset($this->plugin_fullname)) {
+ $this->plugin_fullname = _('Shibboleth');
+ }
+ if (!isset($this->login_description)) {
+ $this->login_description = _('für Single Sign On mit Shibboleth');
+ }
+
+ if (Request::get('sso') === $this->plugin_name && isset($this->validate_url) && isset($_REQUEST['token'])) {
+ $context = get_default_http_stream_context($this->validate_url);
+ $auth = file_get_contents($this->validate_url . '/' . $_REQUEST['token'], false, $context);
+
+ $this->userdata = json_decode($auth, true);
+
+ if ($this->username_attribute !== 'username') {
+ $this->userdata['username'] = $this->userdata[$this->username_attribute];
+ }
+ if (isset($this->local_domain)) {
+ $this->userdata['username'] =
+ str_replace('@' . $this->local_domain, '', $this->userdata['username']);
+ }
+ }
+ }
+
+ /**
+ * Return the current username.
+ */
+ function getUser()
+ {
+ return $this->userdata['username'];
+ }
+
+ /**
+ * Validate the username passed to the auth plugin.
+ * Note: This triggers authentication if needed.
+ */
+ function verifyUsername($username)
+ {
+ if (isset($this->userdata)) {
+ // use cached user information
+ return $this->getUser();
+ }
+
+ $remote_user = $_SERVER[$this->env_remote_user] ?? null;
+
+ if (empty($remote_user) || isset($this->validate_url)) {
+ if (Request::get('sso') === $this->plugin_name) {
+ // force Shibboleth authentication (lazy session)
+ $shib_url = URLHelper::getURL(
+ $this->session_initiator,
+ ['target' => Request::url()],
+ true
+ );
+
+ // break redirection loop in case of misconfiguration
+ if (strpos($_SERVER['HTTP_REFERER'] ?? '', 'target=') === false) {
+ header('Location: ' . $shib_url);
+ exit();
+ }
+ }
+
+ // not authenticated
+ return NULL;
+ }
+
+ // import authentication information
+ $this->userdata['username'] = $remote_user;
+
+ foreach ($_SERVER as $key => $value) {
+ if (mb_substr($key, 0, 10) == 'HTTP_SHIB_') {
+ $key = mb_strtolower(mb_substr($key, 10));
+ $this->userdata[$key] = $value;
+ }
+ }
+
+ if ($this->username_attribute !== 'username') {
+ $this->userdata['username'] = $this->userdata[$this->username_attribute];
+ }
+ if (isset($this->local_domain)) {
+ $this->userdata['username'] =
+ str_replace('@' . $this->local_domain, '', $this->userdata['username']);
+ }
+ return $this->getUser();
+ }
+
+ /**
+ * Get the user domains to assign to the current user.
+ */
+ function getUserDomains()
+ {
+ $user = $this->getUser();
+ $pos = mb_strpos($user, '@');
+
+ if ($pos !== false) {
+ return [mb_substr($user, $pos + 1)];
+ }
+
+ return NULL;
+ }
+
+ /**
+ * Callback that can be used in user_data_mapping array.
+ */
+ function getUserData($key)
+ {
+ $data = explode(';', $this->userdata[$key]);
+
+ return $data[0];
+ }
+}
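Review bot: In `__construct` the request-controlled `$_REQUEST['token']` is concatenated raw into the validation URL (line with `file_get_contents($this->validate_url . '/' . $_REQUEST['token'], ...)`), so a token containing `/`, `..`, `?` or `#` changes which path on the validation host is fetched, and neither a `false` return from `file_get_contents` nor a non-array result from `json_decode` is checked before `$this->userdata` is indexed. The token should be passed through `rawurlencode()`, and the decoded response accepted only when it is an array that carries the configured username attribute; otherwise leave `$this->userdata` unset so `verifyUsername()` does not treat a failed lookup as a cached login. The same unchecked `$this->userdata[$this->username_attribute]` read recurs in `verifyUsername()` and would benefit from the same `isset` guard. Separately, the header scan in `verifyUsername()` uses a loose `==` on `mb_substr($key, 0, 10)`; `=== 'HTTP_SHIB_'` (or `str_starts_with($key, 'HTTP_SHIB_')` on PHP 8) is the strict form, and it is worth a comment that these `HTTP_SHIB_*` values are only trustworthy when the Shibboleth SP in front of PHP strips client-supplied headers of that name.
```php
if (Request::get('sso') === $this->plugin_name && isset($this->validate_url) && isset($_REQUEST['token'])) {
    $context = get_default_http_stream_context($this->validate_url);
    // token is untrusted request input: encode it so it cannot alter the request path
    $auth = file_get_contents($this->validate_url . '/' . rawurlencode($_REQUEST['token']), false, $context);
    $decoded = $auth === false ? null : json_decode($auth, true);

    // accept only a well-formed response carrying the configured username attribute
    if (!is_array($decoded) || !isset($decoded[$this->username_attribute])) {
        return;
    }
    $this->userdata = $decoded;

    // … unchanged: username_attribute / local_domain normalisation …
}
```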