3 * FusionForge authentication management
5 * Copyright 2011, Roland Mas
7 * This file is part of FusionForge.
9 * FusionForge is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published
11 * by the Free Software Foundation; either version 2 of the License,
12 * or (at your option) any later version.
14 * FusionForge is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with FusionForge; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
/*
 * Verdicts an authentication plugin stores in
 * $params['results'][<plugin name>] when the check_auth_session hook runs
 * (see AuthPlugin::checkAuthSession()). The forge combines the verdicts of
 * all auth plugins; a plugin with no opinion reports NOT_AUTHORITATIVE.
 */

// A valid session was found and the plugin is configured as "sufficient":
// the plugin vouches for the session.
define('FORGE_AUTH_AUTHORITATIVE_ACCEPT', 1);

// No valid session was found and the plugin is configured as "required":
// the plugin vetoes the session.
define('FORGE_AUTH_AUTHORITATIVE_REJECT', 2);

// The plugin has no opinion; the other plugins decide.
define('FORGE_AUTH_NOT_AUTHORITATIVE', 3);
29 abstract class AuthPlugin extends Plugin {
/**
 * AuthPlugin() - constructor.
 *
 * Only initialises the base Plugin; which hooks a concrete plugin actually
 * registers for is decided per plugin. The hooks this class knows how to
 * dispatch (see CallHook()) are:
 *   check_auth_session       - is there a valid session?
 *   fetch_authenticated_user - which GFUser is logged in?
 *                              (older comments call this hook fetch_auth_info)
 *   display_auth_form        - display a form to input credentials
 *   display_create_user_form - display a form to create a user from external auth
 *   sync_account_info        - sync identity from external source (realname, email, etc.)
 *   get_extra_roles          - add new roles not necessarily stored in the database
 *   restrict_roles           - filter out unwanted roles
 *   close_auth_session       - terminate an authentication session
 */
function AuthPlugin() {
	// PHP4-style call of the parent constructor.
	// NOTE(review): this call is not visible in the listing under review
	// (the line was dropped); confirm against the repository.
	$this->Plugin();
}
/**
 * CallHook() - dispatch a forge hook to the handler method for it.
 *
 * Hook names this class does not know are ignored here.
 *
 * @param string $hookname name of the hook being fired
 * @param array  $params   hook parameters, passed by reference so that the
 *                         handlers can write their results into it
 */
function CallHook ($hookname, &$params) {
	// Hook name -> handler method; every handler receives $params.
	static $handlers = array(
		'check_auth_session'       => 'checkAuthSession',
		'fetch_authenticated_user' => 'fetchAuthUser',
		'display_auth_form'        => 'displayAuthForm',
		'display_create_user_form' => 'displayCreateUserForm',
		'sync_account_info'        => 'syncAccountInfo',
		'get_extra_roles'          => 'getExtraRoles',
		'restrict_roles'           => 'restrictRoles',
		'close_auth_session'       => 'closeAuthSession',
	);

	if (isset($handlers[$hookname])) {
		$method = $handlers[$hookname];
		$this->$method($params);
	}
}
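// User identified by the last check_auth_session run (NULL when none was
// found); handed back to the forge by fetchAuthUser().
protected $saved_user;

/**
 * checkAuthSession() - check_auth_session hook: look for a valid session.
 *
 * Takes the session token from $params['auth_token'] when one is given,
 * otherwise from this plugin's session cookie, and records the verdict in
 * $params['results'][$this->name]:
 *   - session found and plugin is "sufficient" -> FORGE_AUTH_AUTHORITATIVE_ACCEPT
 *   - no session and plugin is "required"      -> FORGE_AUTH_AUTHORITATIVE_REJECT
 *   - otherwise                                -> FORGE_AUTH_NOT_AUTHORITATIVE
 *
 * @param array $params hook parameters (by reference): 'auth_token' in,
 *                      'results' out
 */
function checkAuthSession(&$params) {
	if (isset($params['auth_token']) && $params['auth_token'] != '') {
		$user_id = $this->checkSessionToken($params['auth_token']);
	} else {
		$user_id = $this->checkSessionCookie();
	}

	// Fail closed: a token that validates but whose user cannot be loaded
	// (user_get_object() is assumed to return a falsy value in that case)
	// is treated like no session at all, rather than reporting ACCEPT with
	// no user object behind it.
	$user = $user_id ? user_get_object($user_id) : NULL;

	if ($user) {
		$this->saved_user = $user;
		$params['results'][$this->name] = $this->isSufficient()
			? FORGE_AUTH_AUTHORITATIVE_ACCEPT
			: FORGE_AUTH_NOT_AUTHORITATIVE;
	} else {
		$this->saved_user = NULL;
		$params['results'][$this->name] = $this->isRequired()
			? FORGE_AUTH_AUTHORITATIVE_REJECT
			: FORGE_AUTH_NOT_AUTHORITATIVE;
	}
}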
/**
 * fetchAuthUser() - fetch_authenticated_user hook: report the logged-in user.
 *
 * Hands back whatever the last checkAuthSession() run stored in
 * $this->saved_user (the user object, or NULL when no valid session was
 * found).
 *
 * @param array $params hook parameters (by reference): 'results' out
 */
function fetchAuthUser(&$params) {
	$current_user = $this->saved_user;
	$params['results'] = $current_user;
}
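/**
 * closeAuthSession() - close_auth_session hook: end the session.
 *
 * Clears this plugin's session cookie and forgets the cached user, so that
 * a fetch_authenticated_user hook fired later in the same request cannot
 * hand back the identity that was just logged out.
 *
 * @param array $params hook parameters (unused)
 */
function closeAuthSession($params) {
	$this->unsetSessionCookie();
	$this->saved_user = NULL;
}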
/**
 * getExtraRoles() - get_extra_roles hook: let the plugin add roles that are
 * not necessarily stored in the database. Does nothing by default;
 * plugins append Role objects to $params['new_roles'], e.g.
 * $params['new_roles'][] = RBACEngine::getInstance()->getRoleById(123);
 *
 * @param array $params hook parameters (by reference): 'new_roles' out
 */
function getExtraRoles(&$params) {
	// Nothing to add in the base class.
}
/**
 * restrictRoles() - restrict_roles hook: let the plugin filter out roles it
 * does not want applied. Does nothing by default; plugins append Role
 * objects to $params['dropped_roles'], e.g.
 * $params['dropped_roles'][] = RBACEngine::getInstance()->getRoleById(123);
 *
 * @param array $params hook parameters (by reference): 'dropped_roles' out
 */
function restrictRoles(&$params) {
	// Nothing to drop in the base class.
}
// Helper functions for individual plugins

// Name of the cookie carrying the session token.
protected $cookie_name = 'session_ser';

/**
 * checkSessionToken() - validate a session token.
 *
 * @param string $token serialised session token
 * @return mixed result of session_check_session_cookie(); callers use it
 *               as the user id and treat a falsy value as "no session"
 */
protected function checkSessionToken($token) {
	$user_id = session_check_session_cookie($token);
	return $user_id;
}
/**
 * checkSessionCookie() - validate the session token carried by this
 * plugin's cookie ($this->cookie_name).
 *
 * @return mixed see checkSessionToken()
 */
protected function checkSessionCookie() {
	return $this->checkSessionToken(getStringFromCookie($this->cookie_name));
}
/**
 * setSessionCookie() - issue the session cookie for $this->saved_user.
 *
 * Precondition: $this->saved_user is set (login() sets it before calling
 * this). The cookie lifetime comes from the forge-wide 'session_expire'
 * setting.
 */
protected function setSessionCookie() {
	$cookie = session_build_session_cookie($this->saved_user->getID());
	$lifetime = forge_get_config('session_expire');
	session_cookie($this->cookie_name, $cookie, "", $lifetime);
}
/**
 * login() - start a session for $user.
 *
 * Only does something when this plugin takes part in authentication
 * (configured as "sufficient" or "required"); otherwise it is a no-op.
 *
 * @param GFUser $user the freshly authenticated user
 */
function login($user) {
	$takes_part = $this->isSufficient() || $this->isRequired();
	if (!$takes_part) {
		return;
	}
	$this->saved_user = $user;
	$this->setSessionCookie();
}
// NOTE(review): the signature line of the method enclosing these two lines is
// not present in this listing; judging by the body it mirrors login(): the
// session cookie is cleared only when the plugin takes part in
// authentication ("sufficient" or "required").
148 if ($this->isSufficient() || $this->isRequired()) {
149 $this->unsetSessionCookie();
/**
 * unsetSessionCookie() - clear this plugin's session cookie by setting it
 * to the empty string.
 */
protected function unsetSessionCookie() {
	$emptied = '';
	session_cookie($this->cookie_name, $emptied);
}
/**
 * isRequired() - is this plugin configured as "required"?
 *
 * A required plugin that finds no session vetoes the login (see
 * checkAuthSession()).
 *
 * @return bool the per-plugin 'required' config item
 */
public function isRequired() {
	$required = forge_get_config('required', $this->name);
	return $required;
}
/**
 * isSufficient() - is this plugin configured as "sufficient"?
 *
 * A sufficient plugin that finds a session accepts the login on its own
 * (see checkAuthSession()).
 *
 * @return bool the per-plugin 'sufficient' config item
 */
public function isSufficient() {
	$sufficient = forge_get_config('sufficient', $this->name);
	return $sufficient;
}
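/**
 * syncDataOn() - should account data be synced from the external source
 * on the given event?
 *
 * Driven by the per-plugin 'sync_data_on' config item:
 *   'every-page'    -> sync on 'every-page', 'login' and 'user-creation'
 *   'login'         -> sync on 'login' and 'user-creation'
 *   'user-creation' -> sync on 'user-creation' only
 *   anything else (the default is 'never', see declareConfigVars()) -> never
 *
 * @param string $event one of 'every-page', 'login', 'user-creation'
 * @return bool
 */
public function syncDataOn($event) {
	$configval = forge_get_config('sync_data_on', $this->name);

	// Config value -> events that trigger a sync.
	static $events_by_setting = array(
		'every-page'    => array('every-page', 'login', 'user-creation'),
		'login'         => array('login', 'user-creation'),
		'user-creation' => array('user-creation'),
	);

	$events = isset($events_by_setting[$configval])
		? $events_by_setting[$configval]
		: array();

	// Strict comparison: with loose matching a non-string $event (e.g. 0)
	// would compare equal to the event names on older PHP versions.
	return in_array($event, $events, true);
}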
/**
 * declareConfigVars() - declare this plugin's config items and defaults:
 * 'required' (bool, default yes), 'sufficient' (bool, default yes) and
 * 'sync_data_on' (default 'never'; see syncDataOn()).
 */
protected function declareConfigVars() {
	foreach (array('required', 'sufficient') as $flag) {
		forge_define_config_item($flag, $this->name, 'yes');
		forge_set_config_item_bool($flag, $this->name);
	}
	forge_define_config_item('sync_data_on', $this->name, 'never');
}
202 // c-file-style: "bsd"