authorJan-Hendrik Willms <tleilax+studip@gmail.com>2024-10-22 11:52:33 +0000
committerJan-Hendrik Willms <tleilax+studip@gmail.com>2024-10-22 11:52:33 +0000
commitc73036f21001220bd77ef6b92842e18a7364e6e7 (patch)
tree7d24cd130855f535211900c2813b2631467c83eb /lib
parent38df3d04cc2293bb6950ed9105acaef8f9aeed18 (diff)
fail safe sso logouts, fixes #4731
Closes #4731 Merge request studip/studip!3528
Diffstat (limited to 'lib')
-rw-r--r--lib/classes/auth_plugins/StudipAuthAbstract.php2
-rw-r--r--lib/classes/auth_plugins/StudipAuthCAS.php54
-rw-r--r--lib/classes/auth_plugins/StudipAuthOAuth2.php19
-rw-r--r--lib/classes/auth_plugins/StudipAuthOIDC.php41
4 files changed, 70 insertions, 46 deletions
diff --git a/lib/classes/auth_plugins/StudipAuthAbstract.php b/lib/classes/auth_plugins/StudipAuthAbstract.php
index c394952..65da54b 100644
--- a/lib/classes/auth_plugins/StudipAuthAbstract.php
+++ b/lib/classes/auth_plugins/StudipAuthAbstract.php
@@ -125,7 +125,7 @@ class StudipAuthAbstract
self::$plugin_instances[strtoupper($plugin)] = new $plugin_class($config);
}
}
- return ($plugin_name) ? self::$plugin_instances[strtoupper($plugin_name)]??null : self::$plugin_instances;
+ return $plugin_name ? self::$plugin_instances[strtoupper($plugin_name)] ?? null : self::$plugin_instances;
}
/**
diff --git a/lib/classes/auth_plugins/StudipAuthCAS.php b/lib/classes/auth_plugins/StudipAuthCAS.php
index 129cbd5..69a4e34 100644
--- a/lib/classes/auth_plugins/StudipAuthCAS.php
+++ b/lib/classes/auth_plugins/StudipAuthCAS.php
@@ -18,41 +18,53 @@ class StudipAuthCAS extends StudipAuthSSO
public $userdata;
+ private $initialized = false;
+
/**
* Constructor
*/
public function __construct($config = [])
{
parent::__construct($config);
+
if (!isset($this->plugin_fullname)) {
$this->plugin_fullname = _('CAS');
}
if (!isset($this->login_description)) {
$this->login_description = _('für Single Sign On mit CAS');
}
- if (Request::get('sso') === $this->plugin_name) {
- if ($this->proxy) {
- URLHelper::setBaseUrl($GLOBALS['ABSOLUTE_URI_STUDIP']);
- phpCAS::proxy(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
- phpCAS::setPGTStorage(new CAS_PGTStorage_Cache(phpCAS::getCasClient()));
- phpCAS::setFixedCallbackURL(URLHelper::getURL('dispatch.php/cas/proxy'));
- } else {
- phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
- }
-
- if (isset($this->cacert)) {
- phpCAS::setCasServerCACert($this->cacert);
- } else {
- phpCAS::setNoCasServerValidation();
- }
+ }
+
+ private function initializeClient(): void
+ {
+ if ($this->initialized) {
+ return;
+ }
+
+ if ($this->proxy) {
+ URLHelper::setBaseUrl($GLOBALS['ABSOLUTE_URI_STUDIP']);
+ phpCAS::proxy(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
+ phpCAS::setPGTStorage(new CAS_PGTStorage_Cache(phpCAS::getCasClient()));
+ phpCAS::setFixedCallbackURL(URLHelper::getURL('dispatch.php/cas/proxy'));
+ } else {
+ phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
+ }
+
+ if (isset($this->cacert)) {
+ phpCAS::setCasServerCACert($this->cacert);
+ } else {
+ phpCAS::setNoCasServerValidation();
}
+
+ $this->initialized = true;
}
/**
* Return the current username.
*/
- function getUser()
+ public function getUser()
{
+ $this->initializeClient();
return phpCAS::getUser();
}
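Review bot: The fallback at the end of initializeClient() disables CAS server certificate validation whenever `cacert` is unset, and because initialization is now lazy this can happen from getUser(), getUserData() or logout() on any request, not only the `sso=` login request the constructor used to gate on. Silently downgrading TLS verification hides a misconfiguration; at minimum log it so operators notice, e.g. `Log::error($this->plugin_name . ': no cacert configured, CAS server certificate validation is disabled');` immediately before `phpCAS::setNoCasServerValidation();`, or treat a missing `cacert` as a configuration error outside development. A short docblock on initializeClient() stating that it is idempotent and that phpCAS may only be initialized once per request would help the new callers. Note that in proxy mode the method also calls URLHelper::setBaseUrl() as a global side effect that previously ran only on SSO login requests.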
@@ -60,19 +72,23 @@ class StudipAuthCAS extends StudipAuthSSO
* Validate the username passed to the auth plugin.
* Note: This triggers authentication if needed.
*/
- function verifyUsername($username)
+ public function verifyUsername($username)
{
+ $this->initializeClient();
phpCAS::forceAuthentication();
return $this->getUser();
}
- function getUserData($key)
+ public function getUserData($key)
{
$userdataclassname = $this->user_data_mapping_class;
if (!class_exists($userdataclassname)) {
Log::error($this->plugin_name . ': no userdataclassname specified or found.');
return;
}
+
+ $this->initializeClient();
+
// get the userdata
if (empty($this->userdata)) {
$this->userdata = new $userdataclassname();
@@ -82,6 +98,8 @@ class StudipAuthCAS extends StudipAuthSSO
public function logout(): void
{
+ $this->initializeClient();
+
// do a global cas logout
phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
phpCAS::logout();
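Review bot: logout() now calls initializeClient() and then still calls `phpCAS::client(...)` a second time on the following line; if phpCAS enforces its documented one-initialization-per-request guard, the second call errors out, and in proxy mode it also conflicts with the phpCAS::proxy() setup performed by initializeClient(). Drop the explicit `phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);` and rely on initializeClient() alone. Since phpCAS::logout() redirects to the CAS server, confirm that the local Stud.IP session is invalidated before this point (not visible here). logout()'s body continues outside the hunk.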
diff --git a/lib/classes/auth_plugins/StudipAuthOAuth2.php b/lib/classes/auth_plugins/StudipAuthOAuth2.php
index 98ee90b..2ed2a0f 100644
--- a/lib/classes/auth_plugins/StudipAuthOAuth2.php
+++ b/lib/classes/auth_plugins/StudipAuthOAuth2.php
@@ -20,7 +20,7 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
protected ?string $logout_url = null;
- private GenericProvider $oauth2_provider;
+ private ?GenericProvider $client = null;
private ?array $user_data = null;
@@ -31,8 +31,11 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
if (!isset($this->plugin_fullname)) {
$this->plugin_fullname = _('OAuth2');
}
+ }
- if (Request::option('sso') === $this->plugin_name) {
+ private function getProvider(): GenericProvider
+ {
+ if ($this->client === null) {
$options = [
'clientId' => $this->client_id,
'clientSecret' => $this->client_secret,
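Review bot: getProvider() is a new private method without a docblock, and it is now the only place the OAuth2 client is constructed, so its contract should be stated for the callers that were switched to it. Add e.g. `/** Lazily build and memoize the OAuth2 provider so login, token exchange and logout share one configured instance. */` above the signature. The method body continues past this hunk.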
@@ -47,8 +50,10 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
$options['verify'] = false;
}
- $this->oauth2_provider = new GenericProvider($options);
+ $this->client = new GenericProvider($options);
}
+
+ return $this->client;
}
public function getUser()
@@ -63,10 +68,10 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
}
if (!Request::get('code')) {
- $authorizationUrl = $this->oauth2_provider->getAuthorizationUrl(['scope' => 'profile email']);
+ $authorizationUrl = $this->getProvider()->getAuthorizationUrl(['scope' => 'profile email']);
$_SESSION[self::class] = [
- 'state' => $this->oauth2_provider->getState(),
+ 'state' => $this->getProvider()->getState(),
'redirect' => Request::url(),
];
@@ -82,11 +87,11 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
unset($_SESSION[self::class]);
}
} else {
- $accessToken = $this->oauth2_provider->getAccessToken('authorization_code', [
+ $accessToken = $this->getProvider()->getAccessToken('authorization_code', [
'code' => Request::get('code'),
]);
- $resourceOwner = $this->oauth2_provider->getResourceOwner($accessToken);
+ $resourceOwner = $this->getProvider()->getResourceOwner($accessToken);
$this->user_data = $resourceOwner->toArray();
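Review bot: The code exchange `$this->getProvider()->getAccessToken('authorization_code', ['code' => Request::get('code')])` runs in the `else` branch, but the comparison of the returned `state` against `$_SESSION[self::class]['state']` is not within this hunk; verify that it happens before this branch, uses a strict comparison (`hash_equals`), and that the session entry is consumed on the success path too, since only the other branch's `unset($_SESSION[self::class])` is visible. Both getAccessToken() and getResourceOwner() can throw the provider's exception on a bad or replayed code; letting that propagate is fine if the caller turns it into a login failure, otherwise catch it here and return null. The enclosing getUser() continues outside the hunk.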
diff --git a/lib/classes/auth_plugins/StudipAuthOIDC.php b/lib/classes/auth_plugins/StudipAuthOIDC.php
index 1c77cb4..0487c6c 100644
--- a/lib/classes/auth_plugins/StudipAuthOIDC.php
+++ b/lib/classes/auth_plugins/StudipAuthOIDC.php
@@ -17,7 +17,7 @@ class StudipAuthOIDC extends StudipAuthSSO
/**
* @var OpenIDConnectClient
*/
- private $oidc;
+ private $oidc = null;
/**
* @var string
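Review bot: The docblock above `private $oidc = null;` still says `@var OpenIDConnectClient` although the property is now null until getClient() first runs; change it to `@var OpenIDConnectClient|null` (or a native `private ?OpenIDConnectClient $oidc = null;` if the file's PHP baseline allows it) so readers and static analysis know a null check is required. The lazy-initialization contract is otherwise undocumented on this property.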
@@ -32,14 +32,9 @@ class StudipAuthOIDC extends StudipAuthSSO
*/
public $client_secret;
-
- /**
- * @param array $config
- */
- public function __construct($config = [])
+ private function getClient(): OpenIDConnectClient
{
- parent::__construct($config);
- if (Request::get('sso') === $this->plugin_name) {
+ if ($this->oidc === null) {
$this->oidc = new OpenIDConnectClient($this->provider_url, $this->client_id, $this->client_secret);
if (isset($this->ssl_options)) {
foreach ($this->ssl_options as $option_key => $option_value) {
@@ -47,14 +42,18 @@ class StudipAuthOIDC extends StudipAuthSSO
$this->oidc->{'set' . $option_key}($option_value);
}
}
- if (Config::get()->HTTP_PROXY) {
- $this->oidc->setHttpProxy(Config::get()->HTTP_PROXY);
- }
- $return_url = URLHelper::getScriptURL($GLOBALS['ABSOLUTE_URI_STUDIP'] . 'index.php', ['sso' => $this->plugin_name, 'again' => 'yes']);
- $this->oidc->setRedirectURL($return_url);
- $this->oidc->addScope(['openid', 'email', 'profile']);
}
+
+ if (Config::get()->HTTP_PROXY) {
+ $this->oidc->setHttpProxy(Config::get()->HTTP_PROXY);
+ }
+
+ $return_url = URLHelper::getScriptURL($GLOBALS['ABSOLUTE_URI_STUDIP'] . 'index.php', ['sso' => $this->plugin_name, 'again' => 'yes']);
+ $this->oidc->setRedirectURL($return_url);
+ $this->oidc->addScope(['openid', 'email', 'profile']);
}
+
+ return $this->oidc;
}
/**
@@ -68,8 +67,8 @@ class StudipAuthOIDC extends StudipAuthSSO
*/
public function verifyUsername($username)
{
- $this->oidc->authenticate();
- $this->userdata = (array)$this->oidc->requestUserInfo();
+ $this->getClient()->authenticate();
+ $this->userdata = (array) $this->getClient()->requestUserInfo();
if (isset($this->userdata['sub'])) {
return $this->userdata['username'] = $this->userdata['sub'] . '@' . $this->domain;
} else {
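Review bot: verifyUsername() fetches the client twice and trusts the UserInfo `sub` as the account identity without checking it against the ID token; OIDC Core 5.3.2 requires the UserInfo `sub` to match the ID token `sub`, and unless the client library enforces that itself, a mismatching response must not be used to derive the username. Keep one local, `$client = $this->getClient(); $client->authenticate(); $this->userdata = (array) $client->requestUserInfo();`, then compare `$this->userdata['sub']` with the verified ID-token subject (via the library's verified-claims accessor, if it offers one) before building the username and return null on mismatch. The `$username` argument remains unused as before, and the method's else branch continues outside the hunk.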
@@ -82,7 +81,7 @@ class StudipAuthOIDC extends StudipAuthSSO
*/
public function getUser()
{
- return $this->userdata['username'];
+ return $this->getUserData('username');
}
/**
@@ -100,8 +99,7 @@ class StudipAuthOIDC extends StudipAuthSSO
*
* @see https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims
*
- * @param string key
- *
+ * @param string $key
* @return string parameter value (null if not set)
*/
public function getUserData($key)
@@ -111,6 +109,9 @@ class StudipAuthOIDC extends StudipAuthSSO
public function logout(): void
{
- $this->oidc->signOut($this->oidc->getIdToken(), null);
+ $this->getClient()->signOut(
+ $this->getClient()->getIdToken(),
+ null
+ );
}
}
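Review bot: logout() passes `$this->getClient()->getIdToken()` as the id_token_hint, but on a logout request the client has just been constructed by getClient() and has never run authenticate(); unless the library persists the ID token in the session, getIdToken() returns null here and the end-session request goes out without an id_token_hint, which some providers reject or answer with a confirmation prompt instead of a silent logout. Consider storing the ID token in `$_SESSION` during verifyUsername() and reading it back here, e.g. `$idToken = $_SESSION[self::class]['id_token'] ?? $client->getIdToken();`, and make sure the local Stud.IP session is destroyed before the provider redirect. Fetch the client once into a local rather than calling getClient() twice.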