authorChristophe Nowicki <cnowicki@easter-eggs.com>2004-09-10 15:17:36 +0000
committerChristophe Nowicki <cnowicki@easter-eggs.com>2004-09-10 15:17:36 +0000
commit0abfa7d0c8bac90e291cf7664a0302aa286f716d (patch)
tree29495885f98dc1080fc426ef08792dd0caf739a6 /php
parent5be8519c1f44c4cbaecc659762bc5b23d36e2bfe (diff)
Use header("Location: $url\n\n") instead of header("Location: $url")
Secure every SQL query with the quoteSmart method. Completely rewrite singleSignOn.php; the code is now easier to understand and cleaner.
Diffstat (limited to 'php')
-rw-r--r--php/Attic/examples/sample-idp/admin_user.php16
-rw-r--r--php/Attic/examples/sample-idp/login.php2
-rw-r--r--php/Attic/examples/sample-idp/logout.php3
-rw-r--r--php/Attic/examples/sample-idp/setup.php2
-rw-r--r--php/Attic/examples/sample-idp/singleSignOn.php273
-rw-r--r--php/Attic/examples/sample-sp/admin_user.php17
-rw-r--r--php/Attic/examples/sample-sp/assertionConsumer.php3
-rw-r--r--php/Attic/examples/sample-sp/index.php2
-rw-r--r--php/Attic/examples/sample-sp/login.php2
-rw-r--r--php/Attic/examples/sample-sp/logout.php3
-rw-r--r--php/Attic/examples/sample-sp/register.php10
11 files changed, 186 insertions, 147 deletions
diff --git a/php/Attic/examples/sample-idp/admin_user.php b/php/Attic/examples/sample-idp/admin_user.php
index b797580d..56b1f7e4 100644
--- a/php/Attic/examples/sample-idp/admin_user.php
+++ b/php/Attic/examples/sample-idp/admin_user.php
@@ -36,8 +36,8 @@
// Show XML dump
if (!empty($_GET['dump']) && !empty($_GET['type']))
{
- $query = "SELECT " . ($_GET['type'] == 'user' ? 'user' : 'session') .
- $query .= "_dump FROM users WHERE user_id='" . $_GET['dump'] . "'";
+ $query = "SELECT " . ($_GET['type'] == 'identity' ? 'identity' : 'session') .
+ $query .= "_dump FROM users WHERE user_id=".$db->quoteSmart($_GET['dump']);
$res =& $db->query($query);
if (DB::isError($res))
die($res->getMessage());
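Review bot: Line 40 still ends with a dangling `.`, so the `$query .= …` on line 41 is parsed as the right-hand operand of that concatenation rather than as a separate statement; the statement only comes out right when `$query` is unset at that point, and any earlier value would be spliced in between `SELECT identity` and `_dump`. Ending the first line with a semicolon fixes it: `$query = "SELECT " . ($_GET['type'] == 'identity' ? 'identity' : 'session');`. The removed lines had the same construct, but since the commit rewrites both lines this is the moment to straighten it out.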
@@ -67,15 +67,15 @@
if (!empty($_GET['del'])) {
- $query = "DELETE FROM nameidentifiers WHERE user_id='" . $_GET['del'] . "'" ;
+ $query = "DELETE FROM nameidentifiers WHERE user_id=".$db->quoteSmart($_GET['del']);
$res =& $db->query($query);
if (DB::isError($res))
- print $res->getMessage(). "\n";
+ die($res->getMessage());
- $query = "DELETE FROM users WHERE user_id='" . $_GET['del'] . "'" ;
+ $query = "DELETE FROM users WHERE user_id=".$db->quoteSmart($_GET['del']);
$res =& $db->query($query);
if (DB::isError($res))
- print $res->getMessage(). "\n";
+ die($res->getMessage());
}
@@ -193,8 +193,8 @@
<?php
switch ($tableinfo[$i]['name'])
{
- case "user_dump":
- echo "<a href=javascript:openpopup('". $PHP_SELF . '?dump=' . $row[0] . "&type=user')>view</a>";
+ case "identity_dump":
+ echo "<a href=javascript:openpopup('". $PHP_SELF . '?dump=' . $row[0] . "&type=identity')>view</a>";
break;
case "session_dump":
echo "<a href=javascript:openpopup('". $PHP_SELF . '?dump=' . $row[0] . "&type=session')>view</a>";
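Review bot: Line 67 writes `$row[0]` straight into an unquoted `href` attribute and a `javascript:` URL, so a user_id containing `'`, `)` or `<` breaks out of the `openpopup` call (line 70 does the same for the session link). Quote the attribute and encode the value: `echo "<a href=\"javascript:openpopup('" . $PHP_SELF . '?dump=' . htmlspecialchars(urlencode($row[0])) . "&amp;type=identity')\">view</a>";`. The `switch` sits inside a loop that starts outside the hunk.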
diff --git a/php/Attic/examples/sample-idp/login.php b/php/Attic/examples/sample-idp/login.php
index b61a933b..4c4e4979 100644
--- a/php/Attic/examples/sample-idp/login.php
+++ b/php/Attic/examples/sample-idp/login.php
@@ -66,7 +66,7 @@
$url = 'index.php';
header("Request-URI: $url");
header("Content-Location: $url");
- header("Location: $url");
+ header("Location: $url\n\n");
exit;
}
}
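Review bot: `header("Location: $url\n\n");` on line 80 puts a blank line inside a header value, which is exactly what PHP's `header()` refuses on releases that check for embedded newlines (it raises a warning and sends no header at all), so the redirect silently stops working there; where it is accepted, the extra CRLF ends the header block early and anything emitted afterwards lands in the body. The original `header("Location: $url");` followed by `exit;` is the right form, and the `exit` lines this commit adds elsewhere already cover the script-keeps-running-after-redirect problem this was presumably meant to solve. The same change appears in the idp logout.php hunk, in singleSignOn.php (line 294), and in the sample-sp assertionConsumer.php, login.php, logout.php and register.php hunks.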
diff --git a/php/Attic/examples/sample-idp/logout.php b/php/Attic/examples/sample-idp/logout.php
index 7f187cab..83c23a33 100644
--- a/php/Attic/examples/sample-idp/logout.php
+++ b/php/Attic/examples/sample-idp/logout.php
@@ -32,5 +32,6 @@
$url = "index.php";
header("Request-URI: $url");
header("Content-Location: $url");
- header("Location: $url");
+ header("Location: $url\n\n");
+ exit;
?>
diff --git a/php/Attic/examples/sample-idp/setup.php b/php/Attic/examples/sample-idp/setup.php
index 631b753c..b1cc113f 100644
--- a/php/Attic/examples/sample-idp/setup.php
+++ b/php/Attic/examples/sample-idp/setup.php
@@ -210,7 +210,7 @@
user_id varchar(100) primary key,
username varchar(255) unique,
password varchar(255),
- user_dump text,
+ identity_dump text,
session_dump text)";
$res =& $db->query($query);
if (DB::isError($res))
diff --git a/php/Attic/examples/sample-idp/singleSignOn.php b/php/Attic/examples/sample-idp/singleSignOn.php
index 93d040f7..f137e73f 100644
--- a/php/Attic/examples/sample-idp/singleSignOn.php
+++ b/php/Attic/examples/sample-idp/singleSignOn.php
@@ -28,6 +28,12 @@
$config = unserialize(file_get_contents('config.inc'));
session_start();
+
+ lasso_init();
+
+ // Create Lasso Server
+ $server_dump = file_get_contents($config['server_dump_filename']);
+ $server = LassoServer::newFromDump($server_dump);
// Create the form
$form = new HTML_QuickForm('frm');
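Review bot: Line 120 hands the result of `file_get_contents($config['server_dump_filename'])` to `LassoServer::newFromDump` without checking it; when the file is missing or unreadable the call returns `false` and the failure surfaces only later, if at all. A guard between the two lines keeps the error at its source: `if ($server_dump === false) die("Cannot read server dump");`.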
@@ -41,87 +47,92 @@
$form->addRule('username', 'Please enter the Username', 'required', null, 'client');
$form->addRule('password', 'Please enter the Password', 'required', null, 'client');
- function singleSignOn_done($config, $db, $user_id = 0)
+ /*
+ * This function authentificate the user against the Postgres Database
+ */
+ function authentificateUser($db, $username, $password)
{
- $server_dump = file_get_contents($config['server_dump_filename']);
-
- lasso_init();
-
- $server = LassoServer::newFromDump($server_dump);
- $login = LassoLogin::newFromDump($server, $_SESSION['login_dump']);
+ $query = "SELECT user_id FROM users WHERE username=".$db->quoteSmart($username);
+ $query .= " AND password=".$db->quoteSmart($password);
+
+ $res =& $db->query($query);
+ if (DB::isError($res))
+ die($res->getMessage());
+ if ($res->numRows())
+ {
+ $row = $res->fetchRow();
+ return ($row[0]);
+ }
+ return (0);
+ }
+
+ /*
+ *
+ */
+ function doneSingleSignOn($db, $login, $user_id, $is_first_sso)
+ {
$authenticationMethod =
(($_SERVER["HTTPS"] == 'on') ? lassoSamlAuthenticationMethodSecureRemotePassword : lassoSamlAuthenticationMethodPassword);
- // reauth in session_cache_expire default is 180 minutes
+ // reauth in session_cache_expire, default is 180 minutes
$reauthenticateOnOrAfter = strftime("%Y-%m-%dT%H:%M:%SZ", time() + session_cache_expire() * 60);
-
- if ($login->protocolProfile == lassoLoginProtocolProfileBrwsArt)
+
+ /* FIXME : there is a segfault when I use a switch statement
+ switch($login->protocolProfile)
{
- $login->buildArtifactMsg(
- TRUE, // User is authenticated
- $authenticationMethod,
- $reauthenticateOnOrAfter,
- lassoHttpMethodRedirect);
- }
+ case lassoLoginProtocolProfileBrwsArt:
+ $login->buildArtifactMsg(TRUE, // User is authenticated
+ $authenticationMethod, $reauthenticateOnOrAfter, lassoHttpMethodRedirect);
+ break;
+ case lassoLoginProtocolProfileBrwsPost:
+ die("TODO : Post\n");
+ default:
+ die("Unknown protocol profile\n");
+ } */
+
+ if ($login->protocolProfile == lassoLoginProtocolProfileBrwsArt)
+ $login->buildArtifactMsg(TRUE, // User is authenticated
+ $authenticationMethod, $reauthenticateOnOrAfter, lassoHttpMethodRedirect);
else if ($login->protocolProfile == lassoLoginProtocolProfileBrwsPost)
- {
- // TODO
- print "TODO : Post\n";
- exit();
- }
+ die("TODO : Post\n"); // TODO
else
- die("Unknown protocol profile for login:" . $login->protocolProfile);
-
- if (empty($user_id))
- {
- // Get user_id
- $query = "SELECT user_id FROM nameidentifiers WHERE name_identifier='";
- $query .= $login->nameIdentifier . "'";
-
- $res =& $db->query($query);
- if (DB::isError($res))
- die($res->getMessage());
+ die("Unknown protocol profile\n");
- $row = $res->fetchRow();
- $user_id = $row[0];
- }
- else
+ if ($is_first_sso)
{
+ // name_identifier
$query = "INSERT INTO nameidentifiers (name_identifier, user_id) ";
$query .= "VALUES ('" . $login->nameIdentifier . "','$user_id')";
- $res =& $db->query($query);
+
+ $res =& $db->query($query);
if (DB::isError($res))
- die($res->getMessage());
- $name_identifier = $login->nameIdentifier;
+ die($res->getMessage());
}
+ $identity = $login->identity;
+ // do we need to update identity dump?
if ($login->isIdentityDirty)
{
- $identity = $login->identity;
- $query = "UPDATE users SET user_dump=".$db->quoteSmart($identity->dump());
+ $query = "UPDATE users SET identity_dump=".$db->quoteSmart($identity->dump());
$query .= " WHERE user_id='$user_id'";
$res =& $db->query($query);
if (DB::isError($res))
die($res->getMessage());
- }
+ }
- // Update identity dump
- $identity = $login->identity;
- $query = "UPDATE users SET user_dump=".$db->quoteSmart($identity->dump())." WHERE user_id='$user_id'";
-
- $res =& $db->query($query);
- if (DB::isError($res))
- die($res->getMessage());
-
- // Update session dump
$session = $login->session;
- $query = "UPDATE users SET session_dump=".$db->quoteSmart($session->dump())." WHERE user_id='$user_id'";
+ // do we need to update session dump?
+ if ($login->isSessionDirty)
+ {
+ $query = "UPDATE users SET session_dump=".$db->quoteSmart($identity->dump());
+ $query .= " WHERE user_id='$user_id'";
- $res =& $db->query($query);
- if (DB::isError($res))
- die($res->getMessage());
+ $res =& $db->query($query);
+ if (DB::isError($res))
+ die($res->getMessage());
+ }
if (empty($login->assertionArtifact))
die("assertion Artifact is empty");
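Review bot: Line 252 writes the identity dump into the session column: `$query = "UPDATE users SET session_dump=".$db->quoteSmart($identity->dump());` should use `$session->dump()` (the `$session` local is taken on line 247), otherwise the stored session is overwritten with identity XML every time the session is dirty. Two more points in the same hunk: the INSERT on lines 215-216 still interpolates `$login->nameIdentifier` between hand-placed quotes although the commit message says every query now goes through quoteSmart, and `$query .= "VALUES (" . $db->quoteSmart($login->nameIdentifier) . "," . $db->quoteSmart($user_id) . ")";` would keep it consistent; and `authentificateUser` (lines 139-140) matches the submitted password against the stored column inside SQL, which only works if passwords are kept in clear text — storing a hash and verifying it in PHP after fetching the row is the usual fix. `doneSingleSignOn` opens on line 156 but its body continues past the end of the hunk.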
@@ -131,7 +142,7 @@
if (empty($assertion_dump))
die("assertion dump is empty");
-
+
// Save assertion
$query = "INSERT INTO assertions (assertion, response_dump, created) VALUES ";
$query .= "('".$login->assertionArtifact."',".$db->quoteSmart($assertion_dump).", NOW())";
@@ -140,98 +151,122 @@
if (DB::isError($res))
die($res->getMessage());
- $_SESSION['login_dump'] = $login->dump();
+ $_SESSION['login_dump'] = ''; // delete login_dump
+ $_SESSION['identity_dump'] = $session->dump();
$_SESSION['session_dump'] = $session->dump();
- if ($login->protocolProfile == lassoLoginProtocolProfileBrwsArt)
- {
- $url = $login->msgUrl;
-
- header("Request-URI: $url");
- header("Content-Location: $url");
- header("Location: $url");
- }
- else if ($login->protocolProfile == lassoLoginProtocolProfileBrwsPost)
+ switch($login->protocolProfile)
{
+ case lassoLoginProtocolProfileBrwsArt:
+ $url = $login->msgUrl;
+
+ header("Request-URI: $url");
+ header("Content-Location: $url");
+ header("Location: $url\n\n");
+ lasso_shutdown();
+ exit;
+ case lassoLoginProtocolProfileBrwsPost:
+ die("TODO : lassoLoginProtocolProfileBrwsPost");
+ break;
+ default:
+ die("Unknown Login Protocol Profile");
}
-
- lasso_shutdown();
}
- if (!$form->validate())
+ // validate login
+ if ($form->validate())
{
- // Check for AuthnRequest
- if (empty($_POST) && empty($_GET))
+ if (empty($_SESSION['login_dump']))
+ die("Login dump is not registred");
+
+ // conect to the data base
+ $db = &DB::connect($config['dsn']);
+ if (DB::isError($db))
+ die($db->getMessage());
+
+ $login = LassoLogin::newfromdump($server, $_SESSION['login_dump']);
+
+ if (($user_id = authentificateUser($db, $form->exportValue('username'),
+ $form->exportValue('password'))))
{
- die("Unknow login methode!");
- }
+ // User is authentificated
+ $query = "SELECT identity_dump,session_dump FROM users WHERE identity_dump";
+ $query .= " IS NOT NULL AND session_dump IS NOT NULL AND user_id='$user_id'";
- lasso_init();
-
- $server_dump = file_get_contents($config['server_dump_filename']);
+ $res =& $db->query($query);
+ if (DB::isError($res))
+ die($res->getMessage());
- $server = LassoServer::newfromdump($server_dump);
+ $is_first_sso = FALSE;
+ if ($res->numRows())
+ {
+ $row =& $res->fetchRow();
+ $login->setIdentityFromDump($row[0]);
+ $login->setSessionFromDump($row[1]);
+ }
+ else
+ $is_first_sso = TRUE;
- if (!empty($_SESSION['login_dump']))
- $login = LassoLogin::newFromDump($server, $_SESSION['login_dump']);
- else
- $login = new LassoLogin($server);
+ doneSingleSignOn($db, $login, $user_id, $is_first_sso);
+ $db->disconnect();
+ exit;
+ }
+ }
+ else
+ {
+ $login = new LassoLogin($server);
+ // Get session and identity dump if there are available
if (!empty($_SESSION['session_dump']))
$login->setSessionFromDump($_SESSION['session_dump']);
+
+ if (!empty($_SESSION['identity_dump']))
+ $login->setIdentityFromDump($_SESSION['identity_dump']);
- if ($_SERVER['REQUEST_METHOD'] = 'GET')
- $login->initFromAuthnRequestMsg($_SERVER['QUERY_STRING'], lassoHttpMethodRedirect);
- else
+ switch ($_SERVER['REQUEST_METHOD'])
{
- // TODO
- exit;
+ case 'GET':
+ $login->initFromAuthnRequestMsg($_SERVER['QUERY_STRING'], lassoHttpMethodRedirect);
+ break;
+ case 'POST':
+ die("methode POST not implemented"); // TODO
+ break;
+ default:
+ die("Unknown request method");
}
-
+
// User must NOT Authenticate with the IdP
if (!$login->mustAuthenticate())
{
+ // conect to the data base
$db = &DB::connect($config['dsn']);
if (DB::isError($db))
die($db->getMessage());
- singleSignOn_done($config, $db);
+ $query = "SELECT user_id FROM nameidentifiers WHERE name_identifier='";
+ $query .= $login->nameIdentifier . "'";
+
+ $res =& $db->query($query);
+ if (DB::isError($res))
+ die($res->getMessage());
+
+ if (!$res->numRows())
+ die("Unknown User");
+
+ $row = $res->fetchRow();
+ $user_id = $row[0];
+
+ doneSingleSignOn($db, $user_id);
$db->disconnect();
exit;
}
-
- $login_dump = $login->dump();
- $session = $login->session;
- $_SESSION['login_dump'] = $login->dump();
- $_SESSION['session_dump'] = $session->dump();
-
- lasso_shutdown();
- }
-
-
- if (isset($_SESSION['login_dump']) && $form->validate())
- {
- $db = &DB::connect($config['dsn']);
-
- if (DB::isError($db))
- die($db->getMessage());
-
- $query = "SELECT user_id FROM users WHERE username=" . $db->quoteSmart($form->exportValue('username'));
- $query .= " AND password=" . $db->quoteSmart($form->exportValue('password'));;
-
- $res =& $db->query($query);
- if (DB::isError($res))
- die($res->getMessage());
-
- if ($res->numRows())
+ else
{
- $row = $res->fetchRow();
- $user_id = $row[0];
- singleSignOn_done($config, $db, $user_id);
- $db->disconnect();
- exit();
+ // register login dump in this session,
+ // we can not transfert xml dump with hidden input
+ $_SESSION['login_dump'] = $login->dump();
}
- }
+ }
?>
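Review bot: Line 403 calls `doneSingleSignOn($db, $user_id);` but the function defined on line 156 takes four parameters `($db, $login, $user_id, $is_first_sso)`, so `$user_id` lands in the `$login` slot and the other two are missing; the call should read `doneSingleSignOn($db, $login, $user_id, FALSE);` — FALSE looks right here since the name identifier was just found in the table. Line 276 has a copy-paste slip too: `$_SESSION['identity_dump'] = $session->dump();` stores the session dump under the identity key and should be `$identity->dump()`. Lines 390-391 build the `name_identifier=` lookup with a bare interpolation, the same pattern as the INSERT earlier in the file, and would be consistent with the rest of the commit as `$query = "SELECT user_id FROM nameidentifiers WHERE name_identifier=" . $db->quoteSmart($login->nameIdentifier);`. The first lines of this hunk are still inside `doneSingleSignOn`, which opened in the previous hunk.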
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
diff --git a/php/Attic/examples/sample-sp/admin_user.php b/php/Attic/examples/sample-sp/admin_user.php
index 6893ad72..4c219432 100644
--- a/php/Attic/examples/sample-sp/admin_user.php
+++ b/php/Attic/examples/sample-sp/admin_user.php
@@ -33,7 +33,7 @@
die($db->getMessage());
if (!empty($_GET['dump'])) {
- $query = "SELECT identity_dump FROM users WHERE user_id='" . $_GET['dump'] . "'";
+ $query = "SELECT identity_dump FROM users WHERE user_id='".$db->quoteSmart($_GET['dump']);
$res =& $db->query($query);
if (DB::isError($res))
print $res->getMessage(). "\n";
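Review bot: Line 456 keeps the opening quote of the old literal in front of the `quoteSmart` result, so `user_id='".$db->quoteSmart($_GET['dump'])` yields `user_id=''123'`, which is not valid SQL and makes the dump lookup fail every time; the `del` hunk below repeats this on line 473 for the `DELETE FROM users` statement, while line 467 right above it has the correct form. Drop the stray quote: `$query = "SELECT identity_dump FROM users WHERE user_id=".$db->quoteSmart($_GET['dump']);`. The error branch on line 459 only prints the message and carries on, unlike the `die()` the idp version of this file now uses, so the broken query would go unnoticed apart from the printed error.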
@@ -64,21 +64,20 @@
exit;
}
- if (!empty($_GET['del'])) {
+ if (!empty($_GET['del']))
+ {
- $query = "DELETE FROM nameidentifiers WHERE user_id='" . $_GET['del'] . "'" ;
+ $query = "DELETE FROM nameidentifiers WHERE user_id=".$db->quoteSmart($_GET['del']);
$res =& $db->query($query);
if (DB::isError($res))
- print $res->getMessage(). "\n";
+ die($res->getMessage());
- $query = "DELETE FROM users WHERE user_id='" . $_GET['del'] . "'" ;
+ $query = "DELETE FROM users WHERE user_id='".$db->quoteSmart($_GET['del']);
$res =& $db->query($query);
if (DB::isError($res))
- print $res->getMessage(). "\n";
-
- }
+ die($res->getMessage());
+ }
-
$query = "SELECT * FROM users";
$res =& $db->query($query);
if (DB::isError($res))
diff --git a/php/Attic/examples/sample-sp/assertionConsumer.php b/php/Attic/examples/sample-sp/assertionConsumer.php
index 575356e0..fd0c9fe9 100644
--- a/php/Attic/examples/sample-sp/assertionConsumer.php
+++ b/php/Attic/examples/sample-sp/assertionConsumer.php
@@ -25,7 +25,6 @@
$config = unserialize(file_get_contents('config.inc'));
require_once 'DB.php';
-
if (!$_GET['SAMLart']) {
exit(1);
@@ -182,6 +181,6 @@
header("Request-URI: $url");
header("Content-Location: $url");
- header("Location: $url");
+ header("Location: $url\n\n");
exit();
?>
diff --git a/php/Attic/examples/sample-sp/index.php b/php/Attic/examples/sample-sp/index.php
index 99c39bb9..c7b2d39b 100644
--- a/php/Attic/examples/sample-sp/index.php
+++ b/php/Attic/examples/sample-sp/index.php
@@ -127,7 +127,7 @@ You can get more informations about <b>Lasso</b> at <br>
if (DB::isError($res))
print $res->getMessage(). "\n";
- list($user_id, $identity_dump, $first_name, $last_name, $created, $last_login) = $res->fetchRow();
+ list($user_id, $identity_dump, $first_name, $last_name, $last_login, $created) = $res->fetchRow();
?>
<tr>
diff --git a/php/Attic/examples/sample-sp/login.php b/php/Attic/examples/sample-sp/login.php
index 199c52da..a78589af 100644
--- a/php/Attic/examples/sample-sp/login.php
+++ b/php/Attic/examples/sample-sp/login.php
@@ -48,6 +48,6 @@
header("Request-URI: $url");
header("Content-Location: $url");
- header("Location: $url");
+ header("Location: $url\n\n");
exit();
?>
diff --git a/php/Attic/examples/sample-sp/logout.php b/php/Attic/examples/sample-sp/logout.php
index 10a9ca81..fedae253 100644
--- a/php/Attic/examples/sample-sp/logout.php
+++ b/php/Attic/examples/sample-sp/logout.php
@@ -124,5 +124,6 @@
header("Request-URI: $url");
header("Content-Location: $url");
- header("Location: $url");
+ header("Location: $url\n\n");
+ exit;
?>
diff --git a/php/Attic/examples/sample-sp/register.php b/php/Attic/examples/sample-sp/register.php
index 7e61d4f7..317c3460 100644
--- a/php/Attic/examples/sample-sp/register.php
+++ b/php/Attic/examples/sample-sp/register.php
@@ -43,7 +43,11 @@
if (DB::isError($db))
die($db->getMessage());
- $query = "UPDATE users SET first_name='" . $_POST['first_name'] . "',last_name='". $_POST['last_name'] ."' WHERE user_id='".$_SESSION["user_id"]."'";
+ // Update User info
+ $query = "UPDATE users SET first_name=" . $db->quoteSmart($_POST['first_name']);
+ $query .= ",last_name=" . $db->quoteSmart($_POST['last_name']);
+ $query .= " WHERE user_id='".$_SESSION["user_id"]."'";
+
$res =& $db->query($query);
if (DB::isError($res))
print $res->getMessage(). "\n";
@@ -51,8 +55,8 @@
$url = "index.php";
header("Request-URI: $url");
header("Content-Location: $url");
- header("Location: $url");
- break;
+ header("Location: $url\n\n");
+ exit();
default:
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"