From 789fbb27243b0f0990e8431704099b2713986ba5 Mon Sep 17 00:00:00 2001
From: Christophe Nowicki
Date: Wed, 8 Sep 2004 12:56:49 +0000
Subject: SOAP request read problem fixed SSO is now working much better
---
 php/Attic/examples/Makefile.am | 2 +-
 php/Attic/examples/sample-idp/singleSignOn.php | 205 ++++++++++++---------
 php/Attic/examples/sample-sp/assertionConsumer.php | 40 +++-
 php/Attic/examples/sample-sp/logout.php | 38 +++-
 4 files changed, 177 insertions(+), 108 deletions(-)
(limited to 'php')
diff --git a/php/Attic/examples/Makefile.am b/php/Attic/examples/Makefile.am
index 98397c0d..8f1a498a 100644
--- a/php/Attic/examples/Makefile.am
+++ b/php/Attic/examples/Makefile.am
@@ -1 +1 @@
-SUBDIRS=sample-sp
+SUBDIRS=sample-sp sample-idp
diff --git a/php/Attic/examples/sample-idp/singleSignOn.php b/php/Attic/examples/sample-idp/singleSignOn.php
index 2569d2fa..27ae27b6 100644
--- a/php/Attic/examples/sample-idp/singleSignOn.php
+++ b/php/Attic/examples/sample-idp/singleSignOn.php
@@ -41,83 +41,27 @@
 $form->addRule('username', 'Please enter the Username', 'required', null, 'client');
 $form->addRule('password', 'Please enter the Password', 'required', null, 'client');
- // Login dump is not available, show the login form
- if (!isset($_SESSION['login_dump']) && !$form->validate())
+ function singleSignOn_done($config, $db, $user_id = 0)
 {
- // Check for AuthnRequest
- if (empty($_POST) && empty($_GET))
- {
- die("Unknow login methode!");
- }
-
- lasso_init();
-
- $server_dump = file_get_contents($config['server_dump_filename']);
-
- $server = LassoServer::newfromdump($server_dump);
-
- $login = new LassoLogin($server);
-
- if ($_SERVER['REQUEST_METHOD'] = 'GET')
- $login->initFromAuthnRequestMsg($_SERVER['QUERY_STRING'], lassoHttpMethodRedirect);
- else
- {
- // TODO
- exit;
- }
-
- // User must NOT Authenticate with the IdP
- if (!$login->mustAuthenticate())
- {
- // TODO
- exit;
- }
-
- $login_dump = $login->dump();
-
- $_SESSION['login_dump'] = $login->dump();
-
- lasso_shutdown();
- }
-
-
- if (isset($_SESSION['login_dump']) && $form->validate())
- {
- $db = &DB::connect($config['dsn']);
-
- if (DB::isError($db))
- die($db->getMessage());
-
- $query = "SELECT user_id FROM users WHERE username=" . $db->quoteSmart($form->exportValue('username'));
- $query .= " AND password=" . $db->quoteSmart($form->exportValue('password'));;
-
- $res =& $db->query($query);
- if (DB::isError($res))
- die($res->getMessage());
-
- if ($res->numRows())
- {
- // Get user_id from users
- $row = $res->fetchRow();
- $user_id = $row[0];
 $server_dump = file_get_contents($config['server_dump_filename']);
-
+ lasso_init();
- $server = LassoServer::newfromdump($server_dump);
+ $server = LassoServer::newFromDump($server_dump);
+ $login = LassoLogin::newFromDump($server, $_SESSION['login_dump']);
- $login = LassoLogin::newfromdump($server, $_SESSION['login_dump']);
+ $authenticationMethod =
+ (($_SERVER["HTTPS"] == 'on') ?
lassoSamlAuthenticationMethodSecureRemotePassword : lassoSamlAuthenticationMethodPassword);
- $authenticationMethod = (($_SERVER["HTTPS"] == 'on') ? lassoSamlAuthenticationMethodSecureRemotePassword : lassoSamlAuthenticationMethodPassword);
+ // reauth in session_cache_expire default is 180 minutes
+ $reauthenticateOnOrAfter = strftime("%Y-%m-%dT%H:%M:%SZ", time() + session_cache_expire() * 60);
 if ($login->protocolProfile == lassoLoginProtocolProfileBrwsArt)
 {
 $login->buildArtifactMsg(
 TRUE, // User is authenticated
 $authenticationMethod,
- "2005-05-03T16:12:00Z", # FIXME: reauthenticateOnOrAfter
+ $reauthenticateOnOrAfter,
 lassoHttpMethodRedirect);
 }
 else if ($login->protocolProfile == lassoLoginProtocolProfileBrwsPost)
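Review bot: `$reauthenticateOnOrAfter` is produced by `strftime`, which formats local time, while the pattern appends a literal `Z`; on a server whose zone is not UTC the reauthentication deadline handed to the SP is shifted by the zone offset. Use `gmstrftime("%Y-%m-%dT%H:%M:%SZ", time() + session_cache_expire() * 60)` so the value is the UTC instant the suffix claims. The comment says 180 minutes, but `session_cache_expire()` is the client-side cache lifetime rather than a session lifetime, so the deadline should probably come from its own configuration value. The `$authenticationMethod` expression maps HTTPS to `lassoSamlAuthenticationMethodSecureRemotePassword`; as far as the Lasso constant names go that denotes the SRP protocol, whereas a password sent over TLS is still a password method, so the SP would be told a stronger method than was used — worth confirming against the Lasso constant definitions. `singleSignOn_done` starts in this hunk and its body continues past the hunk's end.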
@@ -129,39 +73,43 @@
 else
 die("Unknown protocol profile for login:" . $login->protocolProfile);
- if ($login->isIdentityDirty)
+ if (empty($user_id))
 {
- $identity = $login->identity;
- $query = "UPDATE users SET user_dump=".$db->quoteSmart($identity->dump());
- $query .= " WHERE user_id='$user_id'";
+ // Get user_id
+ $query = "SELECT user_id FROM nameidentifiers WHERE name_identifier='";
+ $query .= $login->nameIdentifier . "'";
 $res =& $db->query($query);
 if (DB::isError($res))
 die($res->getMessage());
- }
-
-
- // Get name identifier
- $query = "SELECT user_id FROM nameidentifiers WHERE name_identifier='";
- $query .= $login->nameIdentifier . "'";
- $res =& $db->query($query);
- if (DB::isError($res))
- die($res->getMessage());
- // Save name identifier
- if (!$res->numRows())
+ $row = $res->fetchRow();
+ $user_id = $row[0];
+ }
+ else
 {
- $query = "INSERT INTO nameidentifiers (name_identifier, user_id) ";
- $query .= "VALUES ('" . $login->nameIdentifier . "','$user_id')";
- $res =& $db->query($query);
- if (DB::isError($res))
+ // Save name identifier
+ if (!$res->numRows())
+ {
+ $query = "INSERT INTO nameidentifiers (name_identifier, user_id) ";
+ $query .= "VALUES ('" . $login->nameIdentifier . "','$user_id')";
+ $res =& $db->query($query);
+ if (DB::isError($res))
 die($res->getMessage());
- $name_identifier = $login->nameIdentifier;
+ $name_identifier = $login->nameIdentifier;
+ }
 }
- else
+
+ if ($login->isIdentityDirty)
 {
- $row = $res->fetchRow();
- $name_identifier = $row[0];
- }
+ $identity = $login->identity;
+ $query = "UPDATE users SET user_dump=".$db->quoteSmart($identity->dump());
+ $query .= " WHERE user_id='$user_id'";
+
+ $res =& $db->query($query);
+ if (DB::isError($res))
+ die($res->getMessage());
+ }
 // Update identity dump
 $identity = $login->identity;
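Review bot: In the `else` branch (the `$user_id` passed in from the password login) `$res->numRows()` runs before `$res` has been assigned anywhere in this function: the SELECT on `nameidentifiers` now lives only inside `if (empty($user_id))`, so for a freshly authenticated user the lookup never happens and the "Save name identifier" block operates on an undefined variable. The `empty($user_id)` path has the mirror problem — it calls `fetchRow()` without checking `numRows()`, so an unknown name identifier silently continues with an empty `$user_id` into the UPDATE statements that follow. Both statements also splice `$login->nameIdentifier`, a value parsed from the incoming request, into SQL with nothing but surrounding quotes, while every other statement in this function goes through `$db->quoteSmart()`; quoting it the same way closes the injection hole. The rewrite below runs the quoted lookup once ahead of the branch so both paths have a valid `$res`; `singleSignOn_done` begins and ends outside this hunk.
```php
// Look the name identifier up once, quoted, before choosing the path; both branches need $res.
$query = "SELECT user_id FROM nameidentifiers WHERE name_identifier="
       . $db->quoteSmart($login->nameIdentifier);
$res =& $db->query($query);
if (DB::isError($res))
    die($res->getMessage());

if (empty($user_id))
{
    // Federated login without a password prompt: the name identifier must already be known.
    if (!$res->numRows())
        die("Unknown name identifier");
    $row = $res->fetchRow();
    $user_id = $row[0];
}
else if (!$res->numRows())
{
    // Save name identifier
    $query = "INSERT INTO nameidentifiers (name_identifier, user_id) VALUES ("
           . $db->quoteSmart($login->nameIdentifier) . ", " . $db->quoteSmart($user_id) . ")";
    // … unchanged: $db->query(), DB::isError() check, $name_identifier assignment …
}
// … unchanged: isIdentityDirty / identity dump update …
```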
@@ -174,7 +122,7 @@
 // Update session dump
 $session = $login->session;
 $query = "UPDATE users SET session_dump=".$db->quoteSmart($session->dump())." WHERE user_id='$user_id'";
-
+
 $res =& $db->query($query);
 if (DB::isError($res))
 die($res->getMessage());
@@ -188,15 +136,17 @@
 if (empty($assertion_dump))
 die("assertion dump is empty");
- // Save assertion
 $query = "INSERT INTO assertions (assertion, response_dump, created) VALUES ";
 $query .= "('".$login->assertionArtifact."',".$db->quoteSmart($assertion_dump).", NOW())";
-
+
 $res =& $db->query($query);
 if (DB::isError($res))
 die($res->getMessage());
+ $_SESSION['login_dump'] = $login->dump();
+ $_SESSION['session_dump'] = $session->dump();
+
 if ($login->protocolProfile == lassoLoginProtocolProfileBrwsArt)
 {
 $url = $login->msgUrl;
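Review bot: The two new `$_SESSION` assignments in the second hunk persist the authenticated `LassoLogin` and session dumps under whatever PHP session id the browser arrived with, and neither this hunk nor the login path that calls into it regenerates that id. If `session_start()` is the usual unconditional call at the top of the file, a session id planted before the user signs in turns into an authenticated IdP session; calling `session_regenerate_id()` (PHP 4.3.2+) once on the password-login path, before the authenticated state is stored, keeps that state under a fresh id. The context line `$query .= "('".$login->assertionArtifact."',"...` builds the INSERT by concatenating the artifact while the neighbouring value goes through `quoteSmart()`; that predates this commit but is worth fixing while the function is being reshaped. The enclosing `singleSignOn_done` starts and ends outside these hunks.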
@@ -210,6 +160,79 @@
 }
 lasso_shutdown();
+ }
+
+ if (!$form->validate())
+ {
+ // Check for AuthnRequest
+ if (empty($_POST) && empty($_GET))
+ {
+ die("Unknow login methode!");
+ }
+
+ lasso_init();
+
+ $server_dump = file_get_contents($config['server_dump_filename']);
+
+ $server = LassoServer::newfromdump($server_dump);
+
+ if (!empty($_SESSION['login_dump']))
+ $login = LassoLogin::newFromDump($server, $_SESSION['login_dump']);
+ else
+ $login = new LassoLogin($server);
+
+ if (!empty($_SESSION['session_dump']))
+ $login->setSessionFromDump($_SESSION['session_dump']);
+
+ if ($_SERVER['REQUEST_METHOD'] = 'GET')
+ $login->initFromAuthnRequestMsg($_SERVER['QUERY_STRING'], lassoHttpMethodRedirect);
+ else
+ {
+ // TODO
+ exit;
+ }
+
+ // User must NOT Authenticate with the IdP
+ if (!$login->mustAuthenticate())
+ {
+ $db = &DB::connect($config['dsn']);
+ if (DB::isError($db))
+ die($db->getMessage());
+
+ singleSignOn_done($config, $db);
+ $db->disconnect();
+ exit;
+ }
+
+ $login_dump = $login->dump();
+ $session = $login->session;
+ $_SESSION['login_dump'] = $login->dump();
+ $_SESSION['session_dump'] = $session->dump();
+
+ lasso_shutdown();
+ }
+
+
+ if (isset($_SESSION['login_dump']) && $form->validate())
+ {
+ $db = &DB::connect($config['dsn']);
+
+ if (DB::isError($db))
+ die($db->getMessage());
+
+ $query = "SELECT user_id FROM users WHERE username=" . $db->quoteSmart($form->exportValue('username'));
+ $query .= " AND password=" . $db->quoteSmart($form->exportValue('password'));;
+
+ $res =& $db->query($query);
+ if (DB::isError($res))
+ die($res->getMessage());
+
+ if ($res->numRows())
+ {
+ $row = $res->fetchRow();
+ $user_id = $row[0];
+ singleSignOn_done($config, $db, $user_id);
+ $db->disconnect();
 exit();
 }
 }
diff --git a/php/Attic/examples/sample-sp/assertionConsumer.php b/php/Attic/examples/sample-sp/assertionConsumer.php
index fc62aec1..575356e0 100644
--- a/php/Attic/examples/sample-sp/assertionConsumer.php
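Review bot: `if ($_SERVER['REQUEST_METHOD'] = 'GET')` assigns instead of comparing, so the condition is always true, the `else` branch is dead, and a POSTed AuthnRequest is fed to `initFromAuthnRequestMsg` as `QUERY_STRING` with `lassoHttpMethodRedirect`; the removed code had the same typo and the commit carries it forward, so change it to `if ($_SERVER['REQUEST_METHOD'] == 'GET')`. The credential check compares `$form->exportValue('password')` directly against the `password` column, which only works if the table holds cleartext passwords; storing a salted hash and verifying against it keeps credentials out of the database in a sample people copy from. `$db->quoteSmart($form->exportValue('password'));;` carries a stray second semicolon. Both branches end in `singleSignOn_done`, whose definition starts in an earlier hunk.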
+++ b/php/Attic/examples/sample-sp/assertionConsumer.php
@@ -52,22 +52,44 @@
 # PHP 4.3.0 with OpenSSL support required
 $fp = fsockopen("ssl://" . $url['host'], $url['port'], $errno, $errstr, 30) or die($errstr ($errno));
+ socket_set_timeout($fp, 10);
 fwrite($fp, $soap);
- $ret = fgets($fp);
- if (!preg_match("/^HTTP\/1\\.. 200/i", $ret)) {
- die("Wrong artifact");
- }
+ // header
+ do $header .= fread($fp, 1); while (!preg_match('/\\r\\n\\r\\n$/',$header));
- while (!feof($fp)) {
- $reponse .= @fread($fp, 8192);
+ // chunked encoding
+ if (preg_match('/Transfer\\-Encoding:\\s+chunked\\r\\n/',$header))
+ {
+ do {
+ $byte = '';
+ $chunk_size = '';
+
+ do {
+ $chunk_size .= $byte;
+ $byte = fread($fp, 1);
+ } while ($byte != "\\r");
+
+ fread($fp, 1);
+ $chunk_size = hexdec($chunk_size);
+ $response .= fread($fp, $chunk_size);
+ fread($fp, 2);
+ } while ($chunk_size);
+ }
+ else
+ {
+ if (preg_match('/Content\\-Length:\\s+([0-9]+)\\r\\n/', $header, $matches))
+ $response = fread($fp, $matches[1]);
+ else
+ while (!feof($fp)) $response .= fread($fp, 1024);
 }
- fclose($fp);
- list($header, $body) = preg_split("/(\r\n\r\n|\n\n)/", $reponse, 2);
+ if (!preg_match("/^HTTP\/1\\.. 200/i", $header)) {
+ die("Wrong artifact");
+ }
- $login->processResponseMsg($body);
+ $login->processResponseMsg($response);
 $db = &DB::connect($config['dsn']);
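Review bot: Every read loop in the new response parser relies on the peer to terminate it: the header loop `do $header .= fread($fp, 1); while (!preg_match(...))` never checks `feof()` or the stream timeout, so once `fread` starts returning `''` (the 10-second timeout from `socket_set_timeout`, or a connection closed without a blank line) it spins forever, and the inner chunk-size loop has the same shape. The Content-Length branch does a single `fread($fp, $matches[1])`, but `fread` on a socket returns as soon as one packet is available, so a response larger than one segment is truncated and `processResponseMsg` receives a partial message; the same applies to `fread($fp, $chunk_size)`. As rendered here the chunk terminator is `"\\r"` in double quotes, i.e. the two-character string backslash-r, so the inner loop can never match a CR — if the file really contains the doubled backslash the chunked path has never worked, which fits the Content-Length path being what fixed SSO. The same block is duplicated verbatim in the logout.php hunk `@@ -75,18 +75,42 @@`, so the fix belongs in one shared helper; the rewrite below bounds the header, stops on EOF or timeout, loops on short reads, and matches the header name case-insensitively (`i` modifier) as HTTP requires.
```php
// header: stop on EOF/timeout and cap the size instead of spinning on an empty fread()
$header = '';
while (!preg_match('/\\r\\n\\r\\n$/', $header)) {
    $byte = fread($fp, 1);
    if ($byte === '' || $byte === false || strlen($header) >= 8192) {
        die("Bad or truncated response header");
    }
    $header .= $byte;
}

// … unchanged: chunked-encoding branch (apply the same EOF check and short-read loop there) …

if (preg_match('/Content\\-Length:\\s+([0-9]+)\\r\\n/i', $header, $matches)) {
    // fread() on a socket may return less than requested; keep reading until the declared length arrives
    $response = '';
    $wanted = (int) $matches[1];
    while (strlen($response) < $wanted && !feof($fp)) {
        $piece = fread($fp, $wanted - strlen($response));
        if ($piece === '' || $piece === false) {
            break;
        }
        $response .= $piece;
    }
    if (strlen($response) != $wanted) {
        die("Truncated response body");
    }
}
// … unchanged: feof() fallback, status-line check, processResponseMsg() …
```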
@@ -75,18 +75,42 @@
 # PHP 4.3.0 with OpenSSL support required
 $fp = fsockopen("ssl://" . $url['host'], $url['port'], $errno, $errstr, 30) or die($errstr ($errno));
+ socket_set_timeout($fp, 10);
 fwrite($fp, $soap);
- $ret = fgets($fp);
- if (!preg_match("/^HTTP\/1\\.. 200/i", $ret)) {
- die("User is already logged out");
+ // header
+ do $header .= fread($fp, 1); while (!preg_match('/\\r\\n\\r\\n$/',$header));
+
+ // chunked encoding
+ if (preg_match('/Transfer\\-Encoding:\\s+chunked\\r\\n/',$header))
+ {
+ do {
+ $byte = '';
+ $chunk_size = '';
+
+ do {
+ $chunk_size .= $byte;
+ $byte = fread($fp, 1);
+ } while ($byte != "\\r");
+
+ fread($fp, 1);
+ $chunk_size = hexdec($chunk_size);
+ $response .= fread($fp, $chunk_size);
+ fread($fp, 2);
+ } while ($chunk_size);
 }
-
- while (!feof($fp)) {
- $reponse .= @fread($fp, 8192);
+ else
+ {
+ if (preg_match('/Content\\-Length:\\s+([0-9]+)\\r\\n/', $header, $matches))
+ $response = fread($fp, $matches[1]);
+ else
+ while (!feof($fp)) $response .= fread($fp, 1024);
 }
- fclose($fp);
+
+ if (!preg_match("/^HTTP\/1\\.. 200/i", $header)) {
+ die("User is already logged out");
+ }
 # Destroy The PHP Session
 $_SESSION = array();
-- cgit
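Review bot: When the status line is not 200 the new code still `die`s before `# Destroy The PHP Session`, so any failure of the SOAP exchange — which now includes the read timeouts introduced by `socket_set_timeout($fp, 10)` — leaves the user's local SP session alive even though they explicitly asked to log out. Clearing the local session first, and only then reporting the IdP's answer, keeps the logout safe on the SP side regardless of what the IdP returns; the code after `$_SESSION = array();` is outside this hunk, so the exact ordering has to be checked there. The unbounded read loops, short-read truncation and `"\\r"` terminator raised on the assertionConsumer.php hunk apply to this copy unchanged.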