3 * External authentication via CAS for FusionForge
4 * Copyright 2007, Benoit Lavenier <benoit.lavenier@ifremer.fr>
5 * Copyright 2011, Roland Mas
7 * This file is part of FusionForge. FusionForge is free software;
8 * you can redistribute it and/or modify it under the terms of the
9 * GNU General Public License as published by the Free Software
10 * Foundation; either version 2 of the Licence, or (at your option)
13 * FusionForge is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License along
19 * with FusionForge; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 require_once $gfcommon.'include/User.class.php';
24 require_once $gfcommon.'include/AuthPlugin.class.php';
27 * Authentication manager for FusionForge CASification
30 class AuthCASPlugin extends ForgeAuthPlugin {
/**
 * Plugin constructor: names the plugin, registers the four authentication
 * hooks it serves, resets the per-request user cache and declares the
 * plugin's configuration items.
 */
31 function __construct() {
32 parent::__construct();
33 $this->name = "authcas";
34 $this->text = _("CAS authentication");
36 _("This plugin contains a CAS authentication mechanism for
37 FusionForge. It allows users to authenticate against an external CAS
39 $this->_addHook('display_auth_form');
40 $this->_addHook("check_auth_session");
41 $this->_addHook("fetch_authenticated_user");
42 $this->_addHook("close_auth_session");
// Per-request cache: checkAuthSession() fills saved_user and fetchAuthUser()
// reads it. saved_login is not read anywhere in the visible code.
44 $this->saved_login = '';
45 $this->saved_user = NULL;
47 $this->declareConfigVars();
// Presumably a one-shot guard around the phpCAS client setup; it is not read
// in the visible part of this file — TODO confirm.
50 private static $init = false;
53 // from phpCAS (https://wiki.jasig.org/display/CASC/phpCAS)
54 require_once 'CAS.php';
60 // Uncomment this to activate phpCAS logs in /tmp
63 phpCAS::client(forge_get_config('cas_version', $this->name),
64 forge_get_config('cas_server', $this->name),
65 intval(forge_get_config('cas_port', $this->name)),
66 forge_get_config('cas_context', $this->name));
67 if (forge_get_config('validate_server_certificate', $this->name)) {
70 phpCAS::setNoCasServerValidation();
77 * Display the login form for this plugin (a button that sends the user to CAS)
78 * @param array $params hook parameters, passed by reference
81 function displayAuthForm(&$params) {
// Nothing to render unless this plugin may authenticate users (required or
// sufficient); the early exit of this branch is not shown in this excerpt.
82 if (!$this->isRequired() && !$this->isSufficient()) {
86 $return_to = $params['return_to'];
// $HTML is the forge layout object, presumably brought in by a `global`
// statement on a line not shown here.
90 $result = html_e('p', array(), _('Cookies must be enabled past this point.'));
92 $result .= $HTML->openForm(array('action' => '/plugins/'.$this->name.'/post-login.php', 'method' => 'get'));
// form_key carries the forge's form token (form_generate_key()). return_to is
// escaped for the HTML-attribute context here; post-login.php (not shown) is
// where it must be validated before any redirect happens — confirm.
93 $result .= '<input type="hidden" name="form_key" value="' . form_generate_key() . '"/>
94 <input type="hidden" name="return_to" value="' . htmlspecialchars(stripslashes($return_to)) . '" />
95 <p><input type="submit" name="login" value="' . _('Login via CAS') . '" />
97 $result .= $HTML->closeForm();
98 $params['html_snippets'][$this->name] = $result;
// NOTE(review): return_to is embedded in a query string but escaped with
// htmlspecialchars() rather than URL-encoded; a value containing '&' or '#'
// would be split or truncated on the receiving side. The query component
// should be urlencode()'d (and the result then escaped for its output context).
100 $params['transparent_redirect_urls'][$this->name] = util_make_url('/plugins/'.$this->name.'/post-login.php?return_to='.htmlspecialchars(stripslashes($return_to)).'&login=1');
104 * Is there a valid session (forge session cookie or CAS authentication)?
105 * @param array $params hook parameters, passed by reference
107 function checkAuthSession(&$params) {
// Reset the cache first so a user kept from an earlier call cannot leak
// into this check.
110 $this->saved_user = NULL;
113 // FIXME: couldn't we just check parent::checkAuthSession() to take into account auth_token ? or I missed something
114 // if we already have a session/user active, use it
// A valid forge session cookie wins: CAS is only consulted when there is none,
// so the local session outlives a CAS logout performed elsewhere.
115 $user_id_from_cookie = $this->checkSessionCookie();
116 if ($user_id_from_cookie) {
117 $user = user_get_object($user_id_from_cookie);
118 $this->saved_user = $user;
// Presumably re-issues the forge session cookie on each successful check.
119 $this->setSessionCookie();
120 } elseif (phpCAS::isAuthenticated()) {
121 // otherwise, use the CAS user
// Relies on phpCAS::client() having been configured earlier in the request
// (see the phpCAS setup in this file). The CAS-asserted login is mapped to a
// forge user and a local session is started for it.
122 $user = $this->startSession(phpCAS::getUser());
125 // TODO : document this
// Outcome reported to the auth framework: ACCEPT only when this plugin is
// sufficient, REJECT only when it is required, NOT_AUTHORITATIVE otherwise.
// The conditions and else-branches that select between the two pairs below
// are not shown in this excerpt; presumably they test whether $user was set.
127 if ($this->isSufficient()) {
128 $this->saved_user = $user;
129 $params['results'][$this->name] = FORGE_AUTH_AUTHORITATIVE_ACCEPT;
131 $params['results'][$this->name] = FORGE_AUTH_NOT_AUTHORITATIVE;
134 if ($this->isRequired()) {
135 $params['results'][$this->name] = FORGE_AUTH_AUTHORITATIVE_REJECT;
137 $params['results'][$this->name] = FORGE_AUTH_NOT_AUTHORITATIVE;
143 * What FFUser is logged in?
144 * @param array $params hook parameters, passed by reference; the user is returned in 'results'
146 function fetchAuthUser(&$params) {
// Hand out the user cached by checkAuthSession() only when this plugin is
// allowed to be the sole authority for the session.
147 if ($this->saved_user && $this->isSufficient()) {
148 $params['results'] = $this->saved_user;
/**
 * Terminate an authentication session: drop the forge session cookie and,
 * when this plugin is active, log the user out of CAS as well.
 * @param array $params hook parameters (not read in the visible code)
 */
152 function closeAuthSession($params) {
155 if ($this->isSufficient() || $this->isRequired()) {
156 $this->unsetSessionCookie();
157 // logs user out from CAS
158 // TODO : make it optional to not mess with other apps' SSO sessions with CAS
// CAS single logout with a redirect back to the forge root. The target is the
// fixed literal '/', not taken from the request, so it is not a user-controlled
// redirect. Note this ends the user's CAS session for every application using it.
159 phpCAS::logoutWithRedirectService(util_make_url('/'));
166 * Declare this plugin's configuration items (CAS server settings and certificate validation)
167 * Takes no parameters; session termination is handled by closeAuthSession().
170 protected function declareConfigVars() {
// Generic auth-plugin items come from the parent; only CAS-specific ones follow.
171 parent::declareConfigVars();
// How to reach the CAS server; these feed the phpCAS::client() call in this file.
173 forge_define_config_item ('cas_server', $this->name, 'cas.example.com');
174 forge_define_config_item ('cas_port', $this->name, 443);
175 forge_define_config_item ('cas_version', $this->name, '2.0');
176 forge_define_config_item ('cas_context', $this->name, '/cas');
// Defaults to 'no': unless a deployment sets this to yes, the CAS server's TLS
// certificate is not checked — the plugin calls phpCAS::setNoCasServerValidation()
// on the path taken when this flag is off (the branch structure is partly cut in
// this excerpt). Ticket validation then trusts whatever answers at cas_server, so
// production deployments should enable this and supply the CA certificate to phpCAS.
178 forge_define_config_item('validate_server_certificate', $this->name, 'no');
// Coerces the item to a boolean so the check in the phpCAS setup can use it directly.
179 forge_set_config_item_bool('validate_server_certificate', $this->name);
186 // c-file-style: "bsd"