3 * FusionForge authentication management
5 * Copyright 2011, Roland Mas
7 * This file is part of FusionForge.
9 * FusionForge is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published
11 * by the Free Software Foundation; either version 2 of the License,
12 * or (at your option) any later version.
14 * FusionForge is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with FusionForge; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
// Verdicts an auth plugin records in $params['results'][<plugin name>]
// from the check_auth_session hook (see ForgeAuthPlugin::checkAuthSession()).
// How the caller combines the verdicts of several plugins is outside this file.
define('FORGE_AUTH_AUTHORITATIVE_ACCEPT', 1); // valid session found and the plugin is 'sufficient'
define('FORGE_AUTH_AUTHORITATIVE_REJECT', 2); // no valid session and the plugin is 'required'
define('FORGE_AUTH_NOT_AUTHORITATIVE', 3);    // this plugin has no say in the outcome
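/**
 * ForgeAuthPlugin - base class for FusionForge authentication plugins.
 *
 * A concrete plugin extends this class and overrides the hook methods it
 * needs.  Two per-plugin boolean settings (see declareConfigVars()) decide
 * how much weight the plugin's verdict carries in check_auth_session:
 *   - 'sufficient': a valid session found by this plugin alone logs the
 *     user in (FORGE_AUTH_AUTHORITATIVE_ACCEPT);
 *   - 'required':   the absence of a valid session from this plugin is
 *     reported as FORGE_AUTH_AUTHORITATIVE_REJECT.
 * A plugin that is neither can only answer FORGE_AUTH_NOT_AUTHORITATIVE.
 */
abstract class ForgeAuthPlugin extends Plugin {
	/** GFUser found by the last checkAuthSession()/login(), or NULL. */
	protected $saved_user;

	/** Name of the cookie carrying the session token. */
	protected $cookie_name = 'forge_session';

	/**
	 * ForgeAuthPlugin() - constructor
	 */
	function ForgeAuthPlugin() {
		// Run the base Plugin constructor first (same PHP4-style
		// constructor convention this class itself uses).
		$this->Plugin();

		// Hooks a concrete plugin may enable; CallHook() dispatches them:
		//   check_auth_session       - is there a valid session?
		//   fetch_authenticated_user - which GFUser is logged in?
		//   display_auth_form        - display a form to input credentials
		//   display_create_user_form - display a form to create a user from external auth
		//   sync_account_info        - sync identity from external source (realname, email, etc.)
		//   get_extra_roles          - add new roles not necessarily stored in the database
		//   restrict_roles           - filter out unwanted roles
		//   close_auth_session       - terminate an authentication session
		$this->saved_user = NULL;
	}

	/**
	 * CallHook() - dispatch a hook invocation to the matching method.
	 *
	 * Hook names not listed here are silently ignored.
	 *
	 * @param string $hookname  hook being fired
	 * @param array  $params    hook parameters, by reference so handlers can
	 *                          fill in $params['results']
	 */
	function CallHook($hookname, &$params) {
		switch ($hookname) {
		case 'check_auth_session':
			$this->checkAuthSession($params);
			break;
		case 'fetch_authenticated_user':
			$this->fetchAuthUser($params);
			break;
		case 'display_auth_form':
			$this->displayAuthForm($params);
			break;
		case 'display_create_user_form':
			$this->displayCreateUserForm($params);
			break;
		case 'sync_account_info':
			$this->syncAccountInfo($params);
			break;
		case 'get_extra_roles':
			$this->getExtraRoles($params);
			break;
		case 'restrict_roles':
			$this->restrictRoles($params);
			break;
		case 'close_auth_session':
			$this->closeAuthSession($params);
			break;
		}
	}

	/**
	 * checkAuthSession() - check_auth_session hook: look for a valid session.
	 *
	 * The token is taken from $params['auth_token'] when the caller supplies
	 * a non-empty string there, otherwise from the session cookie.  The
	 * verdict goes to $params['results'][$this->name]:
	 *   - valid session, plugin is 'sufficient' -> FORGE_AUTH_AUTHORITATIVE_ACCEPT
	 *   - no valid session, plugin is 'required' -> FORGE_AUTH_AUTHORITATIVE_REJECT
	 *   - otherwise                               -> FORGE_AUTH_NOT_AUTHORITATIVE
	 * On success the user object is cached in $this->saved_user for
	 * fetchAuthUser(); on failure the cache is cleared.
	 *
	 * @param array $params  hook parameters (by reference)
	 */
	function checkAuthSession(&$params) {
		// Only a non-empty string counts as a caller-supplied token; anything
		// else (array, NULL, '') falls back to the cookie.
		if (isset($params['auth_token'])
		    && is_string($params['auth_token'])
		    && $params['auth_token'] !== '') {
			$user_id = $this->checkSessionToken($params['auth_token']);
		} else {
			$user_id = $this->checkSessionCookie();
		}

		$user = $user_id ? user_get_object($user_id) : false;
		// NOTE(review): user_get_object() is assumed to return false or an
		// object flagging isError() for an unknown/invalid id -- confirm.
		// Neither must be treated as a logged-in user.
		if (is_object($user) && !$user->isError()) {
			$this->saved_user = $user;
			$params['results'][$this->name] = $this->isSufficient()
				? FORGE_AUTH_AUTHORITATIVE_ACCEPT
				: FORGE_AUTH_NOT_AUTHORITATIVE;
		} else {
			$this->saved_user = NULL;
			$params['results'][$this->name] = $this->isRequired()
				? FORGE_AUTH_AUTHORITATIVE_REJECT
				: FORGE_AUTH_NOT_AUTHORITATIVE;
		}
	}

	/**
	 * fetchAuthUser() - fetch_authenticated_user hook: hand back the user
	 * cached by checkAuthSession() or login().
	 *
	 * Only a 'sufficient' plugin answers: a plugin that could not accept the
	 * session on its own must not supply the logged-in user either.  Unlike
	 * checkAuthSession() the result is not keyed by plugin name, so when
	 * several sufficient plugins hold a user the last one to run wins.
	 *
	 * @param array $params  hook parameters (by reference)
	 */
	function fetchAuthUser(&$params) {
		if ($this->saved_user && $this->isSufficient()) {
			$params['results'] = $this->saved_user;
		}
	}

	/**
	 * closeAuthSession() - close_auth_session hook: log the user out.
	 *
	 * Clears the session cookie (when this plugin manages sessions at all)
	 * and forgets the cached user, so a fetch_authenticated_user fired later
	 * in the same request no longer returns the logged-out user.
	 *
	 * @param array $params  hook parameters (unused)
	 */
	function closeAuthSession($params) {
		if ($this->isSufficient() || $this->isRequired()) {
			$this->unsetSessionCookie();
		}
		$this->saved_user = NULL;
	}

	/**
	 * displayAuthForm() - display_auth_form hook.
	 * No-op by default; a plugin that takes credentials overrides it.
	 */
	function displayAuthForm(&$params) {
	}

	/**
	 * displayCreateUserForm() - display_create_user_form hook.
	 * No-op by default; override in plugins that create users from an
	 * external identity.
	 */
	function displayCreateUserForm(&$params) {
	}

	/**
	 * syncAccountInfo() - sync_account_info hook.
	 * No-op by default; override to refresh realname/email/etc. from the
	 * external source.  See syncDataOn() for the events a plugin is
	 * configured to react to.
	 */
	function syncAccountInfo(&$params) {
	}

	/**
	 * getExtraRoles() - get_extra_roles hook.
	 * No-op by default; override to append roles to $params['new_roles'].
	 */
	function getExtraRoles(&$params) {
		// $params['new_roles'][] = RBACEngine::getInstance()->getRoleById(123);
	}

	/**
	 * restrictRoles() - restrict_roles hook.
	 * No-op by default; override to append roles to $params['dropped_roles'].
	 */
	function restrictRoles(&$params) {
		// $params['dropped_roles'][] = RBACEngine::getInstance()->getRoleById(123);
	}

	// Helper functions for individual plugins

	/**
	 * checkSessionToken() - validate a session token.
	 *
	 * @param string $token
	 * @return mixed  whatever session_check_session_token() returns: going by
	 *                checkAuthSession(), a user id on success and a falsy
	 *                value otherwise
	 */
	protected function checkSessionToken($token) {
		return session_check_session_token($token);
	}

	/**
	 * checkSessionCookie() - validate the token carried by the session cookie.
	 *
	 * @return mixed  false when the cookie is missing or empty, otherwise
	 *                the result of checkSessionToken()
	 */
	protected function checkSessionCookie() {
		$token = getStringFromCookie($this->cookie_name);
		if (!is_string($token) || $token === '') {
			// No cookie presented: never hand an empty token to the checker.
			return false;
		}
		return $this->checkSessionToken($token);
	}

	/**
	 * setSessionCookie() - issue a session cookie for $this->saved_user.
	 *
	 * The cookie lifetime comes from the 'session_expire' forge setting.
	 * NOTE(review): path/Secure/HttpOnly attributes are whatever
	 * session_set_cookie() applies -- not visible here; check it sets
	 * HttpOnly and, behind TLS, Secure.
	 */
	protected function setSessionCookie() {
		if (!is_object($this->saved_user)) {
			// No user to issue a token for; avoids getID() on a non-object.
			return;
		}
		$cookie = session_build_session_token($this->saved_user->getID());
		session_set_cookie($this->cookie_name, $cookie, "", forge_get_config('session_expire'));
	}

	/**
	 * login() - open a session for $username.
	 *
	 * Performs NO credential check itself: the calling plugin must already
	 * have verified the user's credentials against its own backend.  Fires
	 * sync_account_info (event 'login') so plugins can refresh the account
	 * from the external source, then caches the user and issues the cookie.
	 * Does nothing for a plugin that is neither 'sufficient' nor 'required'.
	 *
	 * @param string $username  forge user name
	 * @return bool  true when a session was opened, false otherwise
	 */
	function login($username) {
		if (!$this->isSufficient() && !$this->isRequired()) {
			return false;
		}
		$params = array();
		$params['username'] = $username;
		$params['event'] = 'login';
		plugin_hook('sync_account_info', $params);

		$user = user_get_object_by_name($username);
		// NOTE(review): assumed to return false or an object flagging
		// isError() for an unknown user -- confirm.  Never open a session
		// for a user that cannot be loaded.
		if (!is_object($user) || $user->isError()) {
			$this->saved_user = NULL;
			return false;
		}
		$this->saved_user = $user;
		$this->setSessionCookie();
		return true;
	}

	/**
	 * unsetSessionCookie() - clear the session cookie.
	 * Overwrites the cookie with an empty value; expiry is whatever
	 * session_set_cookie() defaults to.
	 */
	protected function unsetSessionCookie() {
		session_set_cookie($this->cookie_name, '');
	}

	/**
	 * isRequired() - is this plugin's 'required' flag set?
	 * Defaults to yes (see declareConfigVars()).
	 * @return bool
	 */
	public function isRequired() {
		return forge_get_config('required', $this->name);
	}

	/**
	 * isSufficient() - is this plugin's 'sufficient' flag set?
	 * Defaults to yes (see declareConfigVars()).
	 * @return bool
	 */
	public function isSufficient() {
		return forge_get_config('sufficient', $this->name);
	}

	/**
	 * syncDataOn() - should account data be synced on $event?
	 *
	 * Reads the plugin's 'sync_data_on' setting ('never' by default).  Each
	 * level includes the rarer events below it:
	 *   'every-page'    -> every-page, login, user-creation
	 *   'login'         -> login, user-creation
	 *   'user-creation' -> user-creation
	 *   anything else ('never' included) -> no event at all
	 * NOTE(review): the 'every-page' and 'login' case labels are inferred
	 * from the event lists -- confirm against the config documentation.
	 *
	 * @param string $event  'every-page', 'login' or 'user-creation'
	 * @return bool
	 */
	public function syncDataOn($event) {
		$configval = forge_get_config('sync_data_on', $this->name);
		switch ($configval) {
		case 'every-page':
			$events = array('every-page', 'login', 'user-creation');
			break;
		case 'login':
			$events = array('login', 'user-creation');
			break;
		case 'user-creation':
			$events = array('user-creation');
			break;
		default:
			$events = array();
			break;
		}
		// Strict comparison so a non-string $event can never match.
		return in_array($event, $events, true);
	}

	/**
	 * declareConfigVars() - register this plugin's configuration items.
	 *
	 * Defaults: 'required' = yes and 'sufficient' = yes (both boolean),
	 * 'sync_data_on' = 'never'.  Every item is keyed by $this->name, so the
	 * concrete plugin presumably calls this once its name is set.
	 */
	protected function declareConfigVars() {
		forge_define_config_item('required', $this->name, 'yes');
		forge_set_config_item_bool('required', $this->name);

		forge_define_config_item('sufficient', $this->name, 'yes');
		forge_set_config_item_bool('sufficient', $this->name);

		forge_define_config_item('sync_data_on', $this->name, 'never');
	}
}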
207 // c-file-style: "bsd"