* Mahara: Electronic portfolio, weblog, resume builder and social networking
* Copyright (C) 2006-2009 Catalyst IT Ltd (http://www.catalyst.net.nz)
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
* @subpackage auth-saml
* @author Piers Harding <piers@catalyst.net.nz>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL
* @copyright (C) 2006-2009 Catalyst IT Ltd http://catalyst.net.nz
* This file incorporates work covered by the following copyright and
* Moodle - Modular Object-Oriented Dynamic Learning Environment
* Copyright (C) 2001-3001 Martin Dougiamas http://dougiamas.com
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details:
* http://www.gnu.org/copyleft/gpl.html
define('INTERNAL', 1);
define('SAML_RETRIES', 5);
global $CFG, $USER, $SESSION;
// do our own partial initialisation so that we can get at the config
// this version of init.php has the user session initiation stuff ripped out
// this is because SimpleSAMLPHP does all kinds of things with the PHP session
// handling including changing the cookie names etc.
require(dirname(__FILE__) . '/init.php');
// get the config pointing to the SAML library - and load it
$samllib = get_config_plugin('auth', 'saml', 'simplesamlphplib');
require_once($samllib.'/lib/_autoload.php');
// point at the configured config directory
$samlconfig = get_config_plugin('auth', 'saml', 'simplesamlphpconfig');
// get all the things that we will need from the SAML authentication
// and then shutdown the session control
SimpleSAML_Configuration::init($samlconfig);
$as = new SimpleSAML_Auth_Simple('default-sp');
$saml_config = SimpleSAML_Configuration::getInstance();
$saml_session = SimpleSAML_Session::getInstance();
$valid_saml_session = $saml_session->isValid('default-sp');
// do we have a logout request?
if(isset($_GET["logout"])) {
// logout the saml session
$as->logout($CFG->wwwroot);
// now - are we logged in?
$saml_attributes = $as->getAttributes();
session_write_close();
// now - let's continue with the session handling that would normally be done
// by Mahara's init.php
// the main thing is that it sets the session cookie name back to what it should be
// session_name(get_config('cookieprefix') . 'mahara');
// and starts the session again
// ***********************************************************************
// copied from original init.php
// ***********************************************************************
// Only do authentication once we know the page theme, so that the login form
// can have the correct theming.
require_once(dirname(dirname(dirname(__FILE__))) . '/auth/lib.php');
$SESSION = Session::singleton();
$USER = new LiveUser();
$THEME = new Theme($USER);
// The installer does its own auth_setup checking, because some upgrades may
// break logging in and so need to allow no logins.
if (!defined('INSTALLER')) {
if (get_config('siteclosed')) {
if (get_config('disablelogin')) {
else if (!defined('INSTALLER')) {
redirect('/admin/upgrade.php');
if ($USER->is_logged_in()) {
if (!defined('HOME') && !defined('INSTALLER')) {
// check to see if we're installed...
if (!get_config('installed')) {
ensure_install_sanity();
$scriptfilename = str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']);
if (false === strpos($scriptfilename, 'admin/index.php')
&& false === strpos($scriptfilename, 'admin/upgrade.php')
&& false === strpos($scriptfilename, 'admin/upgrade.json.php')) {
if (defined('JSON') && !defined('NOSESSKEY')) {
$sesskey = param_variable('sesskey', null);
if ($sesskey === null || $USER->get('sesskey') != $sesskey) {
json_reply('global', get_string('invalidsesskey'), 1);
// ***********************************************************************
// END of copied stuff from original init.php
// ***********************************************************************
// restart the session for Mahara
require_once(get_config('docroot') .'auth/saml/lib.php');
require_once(get_config('libroot') .'institution.php');
// if the user is not logged in, then let's start it going
if(!$USER->is_logged_in()) {
simplesaml_init($saml_config, $valid_saml_session, $saml_attributes, $as);
// they are logged in, so they don't need to be here
header('Location: '.$CFG->wwwroot);
 * check the validity of the user's current SAML 2.0 session
 * if it's bad, force-log them out of Mahara, and redirect them to the IdP
 * if it's good, find an applicable SAML auth instance, and try logging them in with it,
* passing in the attributes found from the IdP
 * @param object $saml_config SAML configuration object
 * @param boolean $valid_saml_session whether there is a valid SAML 2.0 session
 * @param array $saml_attributes SAML attributes passed in by the IdP
 * @param object $as SAML authentication source (SimpleSAML_Auth_Simple) object
function simplesaml_init($saml_config, $valid_saml_session, $saml_attributes, $as) {
global $CFG, $USER, $SESSION;
// $idp = get_config_plugin('auth', 'saml', 'idpidentity');
$retry = $SESSION->get('retry');
if ($retry > SAML_RETRIES) {
throw new AccessTotallyDeniedException(get_string('errorretryexceeded','auth.saml', $retry));
else if (!$valid_saml_session) { #
if ($USER->is_logged_in()) {
$SESSION->set('messages', array());
$SESSION->set('retry', $retry + 1);
// no valid session. Ship the user off to the Identity Provider
// find all the possible institutions/auth instances
$instances = recordset_to_array(get_recordset_sql("SELECT * FROM auth_instance_config aic, auth_instance ai WHERE ai.id = aic.instance AND ai.authname = 'saml' AND aic.field = 'institutionattribute'"));
// find the one (there should be only one) that has the right field, and the right field value for the institution
foreach ($instances as $row) {
if (isset($saml_attributes[$row->value])) {
// does this institution use a regex match against the institution check value?
if ($configvalue = get_record('auth_instance_config', 'instance', $row->instance, 'field', 'institutionregex')) {
$is_regex = (boolean) $configvalue->value;
if ($configvalue = get_record('auth_instance_config', 'instance', $row->instance, 'field', 'institutionvalue')) {
$institution_value = $configvalue->value;
$institution_value = $row->institution;
foreach ($saml_attributes[$row->value] as $attr) {
if (preg_match('/'.trim($institution_value).'/', $attr)) {
foreach ($saml_attributes[$row->value] as $attr) {
if ($attr == $institution_value) {
throw new UserNotFoundException(get_string('errorbadinstitution','auth.saml'));
$auth = new AuthSaml($instance->id);
if ($auth->request_user_authorise($saml_attributes)) {
session_write_close();
redirect($CFG->wwwroot);
throw new UserNotFoundException(get_string('errnosamluser','auth.saml'));
} catch (AccessDeniedException $e) {
throw new UserNotFoundException(get_string('errnosamluser','auth.saml'));