GNUsocial/gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity

Upgrade from CAS 1.1.0RC6 to 1.1.2

Browse Source
This commit is contained in:
Craig Andrews 2010-08-30 16:53:32 -04:00
parent 7cd0706aef
commit 6b4607f073
5 changed files with 1243 additions and 1097 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

965
plugins/CasAuthentication/extlib/CAS.php
View File

File diff suppressed because it is too large Load Diff

28
plugins/CasAuthentication/extlib/CAS/PGTStorage/pgt-db.php
View File

@ -1,4 +1,32 @@
<?php
/*
* Copyright © 2003-2010, The ESUP-Portail consortium & the JA-SIG Collaborative.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the ESUP-Portail consortium & the JA-SIG
* Collaborative nor the names of its contributors may be used to endorse or
* promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file CAS/PGTStorage/pgt-db.php

27
plugins/CasAuthentication/extlib/CAS/PGTStorage/pgt-file.php
View File

@ -1,5 +1,32 @@
<?php
/*
* Copyright © 2003-2010, The ESUP-Portail consortium & the JA-SIG Collaborative.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the ESUP-Portail consortium & the JA-SIG
* Collaborative nor the names of its contributors may be used to endorse or
* promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file CAS/PGTStorage/pgt-file.php
* Basic class for PGT file storage

27
plugins/CasAuthentication/extlib/CAS/PGTStorage/pgt-main.php
View File

@ -1,5 +1,32 @@
<?php
/*
* Copyright © 2003-2010, The ESUP-Portail consortium & the JA-SIG Collaborative.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the ESUP-Portail consortium & the JA-SIG
* Collaborative nor the names of its contributors may be used to endorse or
* promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file CAS/PGTStorage/pgt-main.php
* Basic class for PGT storage

251
plugins/CasAuthentication/extlib/CAS/client.php
View File

@ -1,5 +1,34 @@
<?php
/*
* Copyright © 2003-2010, The ESUP-Portail consortium & the JA-SIG Collaborative.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the ESUP-Portail consortium & the JA-SIG
* Collaborative nor the names of its contributors may be used to endorse or
* promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file CAS/client.php
* Main class of the phpCAS library
@ -556,44 +585,20 @@ class CASClient
if (version_compare(PHP_VERSION,'5','>=') && ini_get('zend.ze1_compatibility_mode')) {
phpCAS::error('phpCAS cannot support zend.ze1_compatibility_mode. Sorry.');
}
$this->_start_session = $start_session;
if ($this->_start_session && session_id())
{
phpCAS :: error("Another session was started before phpcas. Either disable the session" .
" handling for phpcas in the client() call or modify your application to leave" .
" session handling to phpcas");
}
// skip Session Handling for logout requests and if don't want it'
if ($start_session && !$this->isLogoutRequest()) {
phpCAS::trace("Starting session handling");
// Check for Tickets from the CAS server
if (empty($_GET['ticket'])){
phpCAS::trace("No ticket found");
// only create a session if necessary
if (!isset($_SESSION)) {
phpCAS::trace("No session found, creating new session");
if ($start_session && !$this->isLogoutRequest())
{
phpCAS :: trace("Starting a new session");
session_start();
}
}else{
phpCAS::trace("Ticket found");
// We have to copy any old data before renaming the session
if (isset($_SESSION)) {
phpCAS::trace("Old active session found, saving old data and destroying session");
$old_session = $_SESSION;
session_destroy();
}else{
session_start();
phpCAS::trace("Starting possible old session to copy variables");
$old_session = $_SESSION;
session_destroy();
}
// set up a new session, of name based on the ticket
$session_id = preg_replace('/[^\w]/','',$_GET['ticket']);
phpCAS::LOG("Session ID: " . $session_id);
session_id($session_id);
session_start();
// restore old session vars
if(isset($old_session)){
phpCAS::trace("Restoring old session vars");
$_SESSION = $old_session;
}
}
}else{
phpCAS::trace("Skipping session creation");
}
// are we in proxy mode ?
@ -667,12 +672,8 @@ class CASClient
}
break;
case CAS_VERSION_2_0: // check for a Service or Proxy Ticket
if (preg_match('/^ST-/', $ticket)) {
phpCAS::trace('ST \'' . $ticket . '\' found');
$this->setST($ticket);
unset ($_GET['ticket']);
} else if (preg_match('/^PT-/', $ticket)) {
phpCAS::trace('PT \'' . $ticket . '\' found');
if( preg_match('/^[SP]T-/',$ticket) ) {
phpCAS::trace('ST or PT \''.$ticket.'\' found');
$this->setPT($ticket);
unset($_GET['ticket']);
} else if ( !empty($ticket) ) {
@ -697,6 +698,57 @@ class CASClient
/** @} */
// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
// XX XX
// XX Session Handling XX
// XX XX
// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/**
* A variable to whether phpcas will use its own session handling. Default = true
* @hideinitializer
* @private
*/
var $_start_session = true;
function setStartSession($session)
{
$this->_start_session = session;
}
function getStartSession($session)
{
$this->_start_session = session;
}
/**
* Renaming the session
*/
function renameSession($ticket)
{
phpCAS::traceBegin();
if($this->_start_session){
if (!empty ($this->_user))
{
$old_session = $_SESSION;
session_destroy();
// set up a new session, of name based on the ticket
$session_id = preg_replace('/[^\w]/', '', $ticket);
phpCAS :: trace("Session ID: ".$session_id);
session_id($session_id);
session_start();
phpCAS :: trace("Restoring old session vars");
$_SESSION = $old_session;
} else
{
phpCAS :: error('Session should only be renamed after successfull authentication');
}
}else{
phpCAS :: trace("Skipping session rename since phpCAS is not handling the session.");
}
phpCAS::traceEnd();
}
// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
// XX XX
// XX AUTHENTICATION XX
@ -919,9 +971,16 @@ class CASClient
$validate_url = '';
if ( $this->wasPreviouslyAuthenticated() ) {
if($this->hasST() || $this->hasPT() || $this->hasSA()){
// User has a additional ticket but was already authenticated
phpCAS::trace('ticket was present and will be discarded, use renewAuthenticate()');
header('Location: '.$this->getURL());
phpCAS::log( "Prepare redirect to remove ticket: ".$this->getURL() );
}else{
// the user has already (previously during the session) been
// authenticated, nothing to be done.
phpCAS::trace('user was already authenticated, no need to look for tickets');
}
$res = TRUE;
}
else {
@ -1072,29 +1131,6 @@ class CASClient
exit();
}
// /**
// * This method is used to logout from CAS.
// * @param $url a URL that will be transmitted to the CAS server (to come back to when logged out)
// * @public
// */
// function logout($url = "") {
// phpCAS::traceBegin();
// $cas_url = $this->getServerLogoutURL();
// // v0.4.14 sebastien.gougeon at univ-rennes1.fr
// // header('Location: '.$cas_url);
// if ( $url != "" ) {
// // Adam Moore 1.0.0RC2
// $url = '?service=' . $url . '&url=' . $url;
// }
// header('Location: '.$cas_url . $url);
// session_unset();
// session_destroy();
// $this->printHTMLHeader($this->getString(CAS_STR_LOGOUT));
// printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);
// $this->printHTMLFooter();
// phpCAS::traceExit();
// exit();
// }
/**
* This method is used to logout from CAS.
@ -1156,6 +1192,9 @@ class CASClient
phpCAS::traceEnd();
return;
}
if(!$this->_start_session){
phpCAS::log("phpCAS can't handle logout requests if it does not manage the session.");
}
phpCAS::log("Logout requested");
phpCAS::log("SAML REQUEST: ".$_POST['logoutRequest']);
if ($check_client) {
@ -1192,7 +1231,12 @@ class CASClient
$session_id = preg_replace('/[^\w]/','',$ticket2logout);
phpCAS::log("Session id: ".$session_id);
// fix New session ID
// destroy a possible application session created before phpcas
if(session_id()){
session_unset();
session_destroy();
}
// fix session ID
session_id($session_id);
$_COOKIE[session_name()]=$session_id;
$_GET[session_name()]=$session_id;
@ -1322,7 +1366,7 @@ class CASClient
* This method is used to validate a ST; halt on failure, and sets $validate_url,
* $text_reponse and $tree_response on success. These parameters are used later
* by CASClient::validatePGT() for CAS proxies.
*
* Used for all CAS 1.0 validations
* @param $validate_url the URL of the request to the CAS server.
* @param $text_response the response of the CAS server, as is (XML text).
* @param $tree_response the response of the CAS server, as a DOM XML tree.
@ -1338,7 +1382,7 @@ class CASClient
$validate_url = $this->getServerServiceValidateURL().'&ticket='.$this->getST();
if ( $this->isProxy() ) {
// pass the callback url for CAS proxies
$validate_url .= '&pgtUrl='.$this->getCallbackURL();
$validate_url .= '&pgtUrl='.urlencode($this->getCallbackURL());
}
// open and read the URL
@ -1434,7 +1478,7 @@ class CASClient
}
break;
}
$this->renameSession($this->getST());
// at this step, ST has been validated and $this->_user has been set,
phpCAS::traceEnd(TRUE);
return TRUE;
@ -1524,7 +1568,7 @@ class CASClient
}
break;
}
$this->renameSession($this->getSA());
// at this step, ST has been validated and $this->_user has been set,
phpCAS::traceEnd(TRUE);
return TRUE;
@ -1535,7 +1579,7 @@ class CASClient
* payload and put them into an array, then put the array into the session.
*
* @param $text_response the SAML payload.
* @return bool TRUE when successfull, halt otherwise by calling CASClient::authError().
* @return bool TRUE when successfull and FALSE if no attributes a found
*
* @private
*/
@ -1556,17 +1600,15 @@ class CASClient
$xPath->xpath_register_ns('samlp', 'urn:oasis:names:tc:SAML:1.0:protocol');
$xPath->xpath_register_ns('saml', 'urn:oasis:names:tc:SAML:1.0:assertion');
$nodelist = $xPath->xpath_eval("//saml:Attribute");
if($nodelist){
$attrs = $nodelist->nodeset;
phpCAS::trace($text_response);
foreach($attrs as $attr){
$xres = $xPath->xpath_eval("saml:AttributeValue", $attr);
$name = $attr->get_attribute("AttributeName");
$value_array = array();
foreach($xres->nodeset as $node){
$value_array[] = $node->get_content();
}
phpCAS::trace("* " . $name . "=" . $value_array);
$attr_array[$name] = $value_array;
}
$_SESSION[SAML_ATTRIBUTES] = $attr_array;
@ -1574,12 +1616,18 @@ class CASClient
foreach($attr_array as $attr_key => $attr_value) {
if(count($attr_value) > 1) {
$this->_attributes[$attr_key] = $attr_value;
phpCAS::trace("* " . $attr_key . "=" . $attr_value);
}
else {
$this->_attributes[$attr_key] = $attr_value[0];
phpCAS::trace("* " . $attr_key . "=" . $attr_value[0]);
}
}
$result = TRUE;
}else{
phpCAS::trace("SAML Attributes are empty");
$result = FALSE;
}
}
phpCAS::traceEnd($result);
return $result;
@ -2236,6 +2284,7 @@ class CASClient
function serviceWeb($url,&$err_code,&$output)
{
phpCAS::traceBegin();
$cookies = array();
// at first retrieve a PT
$pt = $this->retrievePT($url,$err_code,$output);
@ -2248,7 +2297,8 @@ class CASClient
$res = FALSE;
} else {
// add cookies if necessary
if ( is_array($_SESSION['phpCAS']['services'][$url]['cookies']) ) {
if ( isset($_SESSION['phpCAS']['services'][$url]['cookies']) &&
is_array($_SESSION['phpCAS']['services'][$url]['cookies']) ) {
foreach ( $_SESSION['phpCAS']['services'][$url]['cookies'] as $name => $val ) {
$cookies[] = $name.'='.$val;
}
@ -2433,8 +2483,8 @@ class CASClient
*/
/**
* This method is used to validate a PT; halt on failure
*
* This method is used to validate a ST or PT; halt on failure
* Used for all CAS 2.0 validations
* @return bool TRUE when successfull, halt otherwise by calling CASClient::authError().
*
* @private
@ -2447,7 +2497,7 @@ class CASClient
if ( $this->isProxy() ) {
// pass the callback url for CAS proxies
$validate_url .= '&pgtUrl='.$this->getCallbackURL();
$validate_url .= '&pgtUrl='.urlencode($this->getCallbackURL());
}
// open and read the URL
@ -2514,6 +2564,7 @@ class CASClient
$text_response);
}
$this->renameSession($this->getPT());
// at this step, PT has been validated and $this->_user has been set,
phpCAS::traceEnd(TRUE);
@ -2586,26 +2637,44 @@ class CASClient
}
}
$php_is_for_sissies = split("\?", $_SERVER['REQUEST_URI'], 2);
$final_uri .= $php_is_for_sissies[0];
if(sizeof($php_is_for_sissies) > 1){
$cgi_params = '?' . $php_is_for_sissies[1];
} else {
$cgi_params = '?';
$request_uri = explode('?', $_SERVER['REQUEST_URI'], 2);
$final_uri .= $request_uri[0];
if (isset($request_uri[1]) && $request_uri[1])
{
$query_string = $this->removeParameterFromQueryString('ticket', $request_uri[1]);
// If the query string still has anything left, append it to the final URI
if ($query_string !== '')
$final_uri .= "?$query_string";
}
// remove the ticket if present in the CGI parameters
$cgi_params = preg_replace('/&ticket=[^&]*/','',$cgi_params);
$cgi_params = preg_replace('/\?ticket=[^&;]*/','?',$cgi_params);
$cgi_params = preg_replace('/\?%26/','?',$cgi_params);
$cgi_params = preg_replace('/\?&/','?',$cgi_params);
$cgi_params = preg_replace('/\?$/','',$cgi_params);
$final_uri .= $cgi_params;
phpCAS::trace("Final URI: $final_uri");
$this->setURL($final_uri);
}
phpCAS::traceEnd($this->_url);
return $this->_url;
}
/**
* Removes a parameter from a query string
*
* @param string $parameterName
* @param string $queryString
* @return string
*
* @link http://stackoverflow.com/questions/1842681/regular-expression-to-remove-one-parameter-from-query-string
*/
function removeParameterFromQueryString($parameterName, $queryString)
{
$parameterName = preg_quote($parameterName);
return preg_replace("/&$parameterName(=[^&]*)?|^$parameterName(=[^&]*)?&?/", '', $queryString);
}
/**
* This method sets the URL of the current request
*
@ -2641,7 +2710,7 @@ class CASClient
phpCAS::traceBegin();
$this->printHTMLHeader($this->getString(CAS_STR_AUTHENTICATION_FAILED));
printf($this->getString(CAS_STR_YOU_WERE_NOT_AUTHENTICATED),$this->getURL(),$_SERVER['SERVER_ADMIN']);
printf($this->getString(CAS_STR_YOU_WERE_NOT_AUTHENTICATED),htmlentities($this->getURL()),$_SERVER['SERVER_ADMIN']);
phpCAS::trace('CAS URL: '.$cas_url);
phpCAS::trace('Authentication failure: '.$failure);
if ( $no_response ) {