Diffstat (limited to 'php/Attic/examples/sample-idp/singleSignOn.php')
-rw-r--r-- | php/Attic/examples/sample-idp/singleSignOn.php | 273 |
1 files changed, 154 insertions, 119 deletions
diff --git a/php/Attic/examples/sample-idp/singleSignOn.php b/php/Attic/examples/sample-idp/singleSignOn.php
index 93d040f7..f137e73f 100644
--- a/php/Attic/examples/sample-idp/singleSignOn.php
+++ b/php/Attic/examples/sample-idp/singleSignOn.php
@@ -28,6 +28,12 @@ $config = unserialize(file_get_contents('config.inc'));
 session_start();
+
+ lasso_init();
+
+ // Create Lasso Server
+ $server_dump = file_get_contents($config['server_dump_filename']);
+ $server = LassoServer::newFromDump($server_dump);
 // Create the form
 $form = new HTML_QuickForm('frm'); 
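Review bot: The new `$server_dump = file_get_contents($config['server_dump_filename']);` is passed straight to `LassoServer::newFromDump` without checking for a `false` return, so an unreadable or misconfigured dump path is only noticed (if at all) inside Lasso rather than at the call site. The rest of this file already uses `die()` for fatal setup errors, so a guard such as `if ($server_dump === false) die("cannot read server dump");` before the `newFromDump` call would keep that failure visible. Since the server is now built unconditionally at the top of the script, this check runs on every request, including the plain form display.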
@@ -41,87 +47,92 @@ $form->addRule('username', 'Please enter the Username', 'required', null, 'client'); $form->addRule('password', 'Please enter the Password', 'required', null, 'client'); - function singleSignOn_done($config, $db, $user_id = 0) + /* + * This function authentificate the user against the Postgres Database + */ + function authentificateUser($db, $username, $password) { - $server_dump = file_get_contents($config['server_dump_filename']); - - lasso_init(); - - $server = LassoServer::newFromDump($server_dump); - $login = LassoLogin::newFromDump($server, $_SESSION['login_dump']); + $query = "SELECT user_id FROM users WHERE username=".$db->quoteSmart($username); + $query .= " AND password=".$db->quoteSmart($password); + + $res =& $db->query($query); + if (DB::isError($res)) + die($res->getMessage()); + if ($res->numRows()) + { + $row = $res->fetchRow(); + return ($row[0]); + } + return (0); + } + + /* + * + */ + function doneSingleSignOn($db, $login, $user_id, $is_first_sso) + { $authenticationMethod = (($_SERVER["HTTPS"] == 'on') ? 
lassoSamlAuthenticationMethodSecureRemotePassword : lassoSamlAuthenticationMethodPassword); - // reauth in session_cache_expire default is 180 minutes + // reauth in session_cache_expire, default is 180 minutes $reauthenticateOnOrAfter = strftime("%Y-%m-%dT%H:%M:%SZ", time() + session_cache_expire() * 60); - - if ($login->protocolProfile == lassoLoginProtocolProfileBrwsArt) + + /* FIXME : there is a segfault when I use a switch statement + switch($login->protocolProfile) { - $login->buildArtifactMsg( - TRUE, // User is authenticated - $authenticationMethod, - $reauthenticateOnOrAfter, - lassoHttpMethodRedirect); - } + case lassoLoginProtocolProfileBrwsArt: + $login->buildArtifactMsg(TRUE, // User is authenticated + $authenticationMethod, $reauthenticateOnOrAfter, lassoHttpMethodRedirect); + break; + case lassoLoginProtocolProfileBrwsPost: + die("TODO : Post\n"); + default: + die("Unknown protocol profile\n"); + } */ + + if ($login->protocolProfile == lassoLoginProtocolProfileBrwsArt) + $login->buildArtifactMsg(TRUE, // User is authenticated + $authenticationMethod, $reauthenticateOnOrAfter, lassoHttpMethodRedirect); else if ($login->protocolProfile == lassoLoginProtocolProfileBrwsPost) - { - // TODO - print "TODO : Post\n"; - exit(); - } + die("TODO : Post\n"); // TODO else - die("Unknown protocol profile for login:" . $login->protocolProfile); - - if (empty($user_id)) - { - // Get user_id - $query = "SELECT user_id FROM nameidentifiers WHERE name_identifier='"; - $query .= $login->nameIdentifier . "'"; - - $res =& $db->query($query); - if (DB::isError($res)) - die($res->getMessage()); + die("Unknown protocol profile\n"); - $row = $res->fetchRow(); - $user_id = $row[0]; - } - else + if ($is_first_sso) { + // name_identifier $query = "INSERT INTO nameidentifiers (name_identifier, user_id) "; $query .= "VALUES ('" . $login->nameIdentifier . 
"','$user_id')"; - $res =& $db->query($query); + + $res =& $db->query($query); if (DB::isError($res)) - die($res->getMessage()); - $name_identifier = $login->nameIdentifier; + die($res->getMessage()); } + $identity = $login->identity; + // do we need to update identity dump? if ($login->isIdentityDirty) { - $identity = $login->identity; - $query = "UPDATE users SET user_dump=".$db->quoteSmart($identity->dump()); + $query = "UPDATE users SET identity_dump=".$db->quoteSmart($identity->dump()); $query .= " WHERE user_id='$user_id'"; $res =& $db->query($query); if (DB::isError($res)) die($res->getMessage()); - } + } - // Update identity dump - $identity = $login->identity; - $query = "UPDATE users SET user_dump=".$db->quoteSmart($identity->dump())." WHERE user_id='$user_id'"; - - $res =& $db->query($query); - if (DB::isError($res)) - die($res->getMessage()); - - // Update session dump $session = $login->session; - $query = "UPDATE users SET session_dump=".$db->quoteSmart($session->dump())." WHERE user_id='$user_id'"; + // do we need to update session dump? + if ($login->isSessionDirty) + { + $query = "UPDATE users SET session_dump=".$db->quoteSmart($identity->dump()); + $query .= " WHERE user_id='$user_id'"; - $res =& $db->query($query); - if (DB::isError($res)) - die($res->getMessage()); + $res =& $db->query($query); + if (DB::isError($res)) + die($res->getMessage()); + } if (empty($login->assertionArtifact)) die("assertion Artifact is empty"); @@ -131,7 +142,7 @@ if (empty($assertion_dump)) die("assertion dump is empty"); - + // Save assertion $query = "INSERT INTO assertions (assertion, response_dump, created) VALUES "; $query .= "('".$login->assertionArtifact."',".$db->quoteSmart($assertion_dump).", NOW())"; 
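Review bot: In the new `if ($login->isSessionDirty)` branch the session_dump column is written with `$identity->dump()`, so a dirty session overwrites users.session_dump with the identity XML and the real session state is never persisted; the line should read `$query = "UPDATE users SET session_dump=".$db->quoteSmart($session->dump());`. Separately, the new `authentificateUser()` matches the submitted password directly against a `password` column (`$query .= " AND password=".$db->quoteSmart($password);`), which implies credentials are stored in clear; even for a sample IdP, storing a hash and verifying against it in PHP would be the expected shape, and quoteSmart only protects the query, not the stored secret. `doneSingleSignOn` begins in this hunk and its body continues past it into the following hunks.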
@@ -140,98 +151,122 @@ if (DB::isError($res)) die($res->getMessage()); - $_SESSION['login_dump'] = $login->dump(); + $_SESSION['login_dump'] = ''; // delete login_dump + $_SESSION['identity_dump'] = $session->dump(); $_SESSION['session_dump'] = $session->dump(); - if ($login->protocolProfile == lassoLoginProtocolProfileBrwsArt) - { - $url = $login->msgUrl; - - header("Request-URI: $url"); - header("Content-Location: $url"); - header("Location: $url"); - } - else if ($login->protocolProfile == lassoLoginProtocolProfileBrwsPost) + switch($login->protocolProfile) { + case lassoLoginProtocolProfileBrwsArt: + $url = $login->msgUrl; + + header("Request-URI: $url"); + header("Content-Location: $url"); + header("Location: $url\n\n"); + lasso_shutdown(); + exit; + case lassoLoginProtocolProfileBrwsPost: + die("TODO : lassoLoginProtocolProfileBrwsPost"); + break; + default: + die("Unknown Login Protocol Profile"); } - - lasso_shutdown(); } - if (!$form->validate()) + // validate login + if ($form->validate()) { - // Check for AuthnRequest - if (empty($_POST) && empty($_GET)) + if (empty($_SESSION['login_dump'])) + die("Login dump is not registred"); + + // conect to the data base + $db = &DB::connect($config['dsn']); + if (DB::isError($db)) + die($db->getMessage()); + + $login = LassoLogin::newfromdump($server, $_SESSION['login_dump']); + + if (($user_id = authentificateUser($db, $form->exportValue('username'), + $form->exportValue('password')))) { - die("Unknow login methode!"); - } + // User is authentificated + $query = "SELECT identity_dump,session_dump FROM users WHERE identity_dump"; + $query .= " IS NOT NULL AND session_dump IS NOT NULL AND user_id='$user_id'"; - lasso_init(); - - $server_dump = file_get_contents($config['server_dump_filename']); + $res =& $db->query($query); + if (DB::isError($res)) + die($res->getMessage()); - $server = LassoServer::newfromdump($server_dump); + $is_first_sso = FALSE; + if ($res->numRows()) + { + $row =& $res->fetchRow(); + 
$login->setIdentityFromDump($row[0]); + $login->setSessionFromDump($row[1]); + } + else + $is_first_sso = TRUE; - if (!empty($_SESSION['login_dump'])) - $login = LassoLogin::newFromDump($server, $_SESSION['login_dump']); - else - $login = new LassoLogin($server); + doneSingleSignOn($db, $login, $user_id, $is_first_sso); + $db->disconnect(); + exit; + } + } + else + { + $login = new LassoLogin($server); + // Get session and identity dump if there are available if (!empty($_SESSION['session_dump'])) $login->setSessionFromDump($_SESSION['session_dump']); + + if (!empty($_SESSION['identity_dump'])) + $login->setIdentityFromDump($_SESSION['identity_dump']); - if ($_SERVER['REQUEST_METHOD'] = 'GET') - $login->initFromAuthnRequestMsg($_SERVER['QUERY_STRING'], lassoHttpMethodRedirect); - else + switch ($_SERVER['REQUEST_METHOD']) { - // TODO - exit; + case 'GET': + $login->initFromAuthnRequestMsg($_SERVER['QUERY_STRING'], lassoHttpMethodRedirect); + break; + case 'POST': + die("methode POST not implemented"); // TODO + break; + default: + die("Unknown request method"); } - + // User must NOT Authenticate with the IdP if (!$login->mustAuthenticate()) { + // conect to the data base $db = &DB::connect($config['dsn']); if (DB::isError($db)) die($db->getMessage()); - singleSignOn_done($config, $db); + $query = "SELECT user_id FROM nameidentifiers WHERE name_identifier='"; + $query .= $login->nameIdentifier . 
"'"; + + $res =& $db->query($query); + if (DB::isError($res)) + die($res->getMessage()); + + if (!$res->numRows()) + die("Unknown User"); + + $row = $res->fetchRow(); + $user_id = $row[0]; + + doneSingleSignOn($db, $user_id); $db->disconnect(); exit; } - - $login_dump = $login->dump(); - $session = $login->session; - $_SESSION['login_dump'] = $login->dump(); - $_SESSION['session_dump'] = $session->dump(); - - lasso_shutdown(); - } - - - if (isset($_SESSION['login_dump']) && $form->validate()) - { - $db = &DB::connect($config['dsn']); - - if (DB::isError($db)) - die($db->getMessage()); - - $query = "SELECT user_id FROM users WHERE username=" . $db->quoteSmart($form->exportValue('username')); - $query .= " AND password=" . $db->quoteSmart($form->exportValue('password'));; - - $res =& $db->query($query); - if (DB::isError($res)) - die($res->getMessage()); - - if ($res->numRows()) + else { - $row = $res->fetchRow(); - $user_id = $row[0]; - singleSignOn_done($config, $db, $user_id); - $db->disconnect(); - exit(); + // register login dump in this session, + // we can not transfert xml dump with hidden input + $_SESSION['login_dump'] = $login->dump(); } - } + } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> |
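Review bot: The new `!mustAuthenticate()` branch builds `SELECT user_id FROM nameidentifiers WHERE name_identifier='" . $login->nameIdentifier . "'` by string concatenation while every other query in this hunk goes through `$db->quoteSmart()`; the name identifier comes from the Lasso login object (populated from the inbound AuthnRequest and the stored dumps) rather than from a local constant, so it should be quoted the same way: `$query = "SELECT user_id FROM nameidentifiers WHERE name_identifier=" . $db->quoteSmart($login->nameIdentifier);`. The same branch then calls `doneSingleSignOn($db, $user_id)` although the function defined in this commit takes `($db, $login, $user_id, $is_first_sso)`, so `$user_id` lands in the `$login` parameter and the remaining arguments are unset; presumably `doneSingleSignOn($db, $login, $user_id, FALSE);` was intended, since the federation already exists on this path. Also `$_SESSION['identity_dump'] = $session->dump();` stores the session XML under the identity key, which the else branch later feeds to `setIdentityFromDump()`; `$identity->dump()` looks like the intended value. Finally `header("Location: $url\n\n");` embeds newlines in a header value, which current PHP refuses to send (header-injection protection), so the artifact redirect would silently not happen; drop the `\n\n`. `doneSingleSignOn`'s body starts in an earlier hunk and ends here.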