123 lines
3.7 KiB
PHP
123 lines
3.7 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Observium
|
|
*
|
|
* This file is part of Observium.
|
|
*
|
|
* @package observium
|
|
* @subpackage authentication
|
|
* @copyright (C) Adam Armstrong
|
|
*
|
|
*/
|
|
|
|
/**
|
|
*
|
|
* CAS authentication support.
|
|
* Uses mysql (same schema as mysql module) for authorization but CAS for authentication.
|
|
* Requires phpCAS https://wiki.jasig.org/display/casc/phpcas
|
|
* New configuration settings:
|
|
*
|
|
* auth_cas_host
|
|
* auth_cas_port
|
|
* auth_cas_context
|
|
* auth_cas_ca_cert
|
|
*
|
|
* FIXME these should go into defaults and sql-config!
|
|
*/
|
|
|
|
require_once('CAS.php');
|
|
|
|
phpCAS ::client(CAS_VERSION_2_0, $config['auth_cas_host'], $config['auth_cas_port'], $config['auth_cas_context']);
|
|
phpCAS ::setCasServerCACert($config['auth_cas_ca_cert']);
|
|
phpCAS ::handleLogoutRequests(FALSE);
|
|
phpCAS ::forceAuthentication();
|
|
|
|
if (phpCAS ::getUser()) {
|
|
session_set_var('username', phpCAS ::getUser());
|
|
}
|
|
|
|
/**
|
|
* Check username against CAS authentication backend. User needs to exist in MySQL to be able to log in.
|
|
*
|
|
* @param string $username User name to check
|
|
* @param string $password User password to check
|
|
*
|
|
* @return int Authentication success (0 = fail, 1 = success) FIXME bool
|
|
*/
|
|
function cas_authenticate($username, $password)
|
|
{
|
|
$row = dbFetchRow("SELECT `username`, `password` FROM `users` WHERE `username`= ?", [$username]);
|
|
if ($row['username'] && $row['username'] == $username) {
|
|
if ($username == phpCAS ::getUser()) {
|
|
return 1;
|
|
}
|
|
|
|
dbInsert(['user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'CAS: username does not match CAS user'], 'authlog');
|
|
} else {
|
|
dbInsert(['user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'CAS: NOT found in DB'], 'authlog');
|
|
}
|
|
//session_logout();
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Check if the backend allows users to log out.
|
|
* As the login is done outside our system, we don't allow users to log out.
|
|
*
|
|
* @return bool TRUE if logout is possible, FALSE if it is not
|
|
*/
|
|
function cas_auth_can_logout()
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
/**
|
|
* Check if the backend allows a specific user to change their password.
|
|
* This is not currently possible using the CAS backend.
|
|
*
|
|
* @param string $username Username to check
|
|
*
|
|
* @return bool TRUE if password change is possible, FALSE if it is not
|
|
*/
|
|
function cas_auth_can_change_password($username = "")
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
/**
|
|
* Check if the backend allows user management at all (create/delete/modify users).
|
|
* The CAS module requires users to exist in MySQL first, so we allow MySQL user management.
|
|
*
|
|
* @return bool TRUE if user management is possible, FALSE if it is not
|
|
*/
|
|
function cas_auth_usermanagement()
|
|
{
|
|
return 1;
|
|
}
|
|
|
|
/**
|
|
* Adds a new user to the user backend.
|
|
*
|
|
* @param string $username User's username
|
|
* @param string $password User's password (plain text)
|
|
* @param int $level User's auth level
|
|
* @param string $email User's e-mail address
|
|
* @param string $realname User's real name
|
|
* @param bool $can_modify_passwd TRUE if user can modify their own password, FALSE if not
|
|
* @param string $description User's description
|
|
*
|
|
* @return bool TRUE if user addition is successful, FALSE if it is not
|
|
*/
|
|
function cas_adduser($username, $password, $level, $email = "", $realname = "", $can_modify_passwd = '1', $description = "")
|
|
{
|
|
if (!cas_auth_user_exists($username)) {
|
|
$hash = password_hash($password, PASSWORD_DEFAULT);
|
|
return dbInsert(['username' => $username, 'password' => $hash, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description], 'users');
|
|
} else {
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
// EOF
|