From bc48c35453b78ef2d6f0574e5466e4cafe5622b0 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 13 Dec 2007 09:19:09 +0000
Subject: [PATCH] Implemented the login_auto authentication handler.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@94 44740490-163a-0410-bde0-09ae8108e29a
---
 config/config-template.php |  58 ++++++++++++++
 www/auth/login-auto.php    | 151 +++++++++++++++++++------------------
 2 files changed, 134 insertions(+), 75 deletions(-)

diff --git a/config/config-template.php b/config/config-template.php
index 235a5158a..fa10c95f6 100644
--- a/config/config-template.php
+++ b/config/config-template.php
@@ -170,6 +170,64 @@ $config = array (
 	 */
 	'memcache_store.expires' =>  36 * (60*60), // 36 hours.
 
+
+
+	/*
+	 * This option enables or disables the login-auto authentication
+	 * handler. This handler is implemented in 'www/auth/login-auto.php'.
+	 *
+	 * When this option is set to true, a user can go to the
+	 * 'auth/login-auto.php' web page to be authenticated as an example
+	 * user. The user will receive the attributes set in the
+	 * 'login_auto.attributes' option.
+	 *
+	 * WARNING: setting this option to true will make it possible to use
+	 * this authenticator for all users, irrespectively of the 'auth'
+	 * setting in the IdP's metadata. They can always use it by opening the
+	 * 'auth/login-auto.php' webpage manually.
+	 */
+	'login_auto.enable' => false,
+
+	/*
+	 * This option configures which attributes the login-auto
+	 * authentication handler will set for the user. It is an array of
+	 * arrays. The name of the attribute is the index in the first array,
+	 * and all the values for the attribute is given in the array
+	 * referenced to by the name.
+	 *
+	 * Example:
+	 * 'login_auto.attributes' => array(
+	 *     'edupersonaffiliation' => array('student', 'member'),
+	 *     'uid' => array('example_uid'),
+	 *     'mail' => array('example@example.com'),
+	 * ),
+	 */
+	'login_auto.attributes' => array(
+		'edupersonaffiliation' => array('student', 'member'),
+		'title' => array('Example user title'),
+		'uid' => array('example_uid'),
+		'mail' => array('example@example.com'),
+		'cn' => array('Example user commonname'),
+		'givenname' => array('Example user givenname'),
+		'sn' => array("Example surname"),
+	),
+
+	/*
+	 * When this option is set to true, the login-auto authentication
+	 * handler will ask for a username and a password. This can be used to
+	 * test the IdP. The username and password isn't verified, and the
+	 * user/script can enter anything.
+	 */
+	'login_auto.ask_login' => false,
+
+	/*
+	 * This option configures a delay in the login-auto authentication
+	 * handler. The script will wait for the given number of milliseconds
+	 * before authenticating the user. This can, for example, be used in
+	 * a simple simulation of a slow LDAP server.
+	 */
+	'login_auto.delay_login' => 0,
+
 );
 
 
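Review bot: The new `login_auto.attributes` example at `'sn' => array("Example surname")` uses double quotes while every sibling entry in the same array, and the rest of the hunk, uses single quotes; change it to `'sn' => array('Example surname'),` for consistency. The option comments are otherwise clear, though the `login_auto.attributes` comment would read better as "all the values for the attribute are given in the array referenced by the name". The surrounding `$config` array starts and ends outside this hunk.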
diff --git a/www/auth/login-auto.php b/www/auth/login-auto.php
index f06c29baf..9a40f388a 100644
--- a/www/auth/login-auto.php
+++ b/www/auth/login-auto.php
@@ -1,95 +1,96 @@
 <?php
 
+/*
+ * This php script implements an automatic login handler which gives the user
+ * a default set of attributes.
+ *
+ * To use this login handler, the 'login_auto.enable' configuration option
+ * must be set to true. The attributes which are returned is configured in the
+ * 'login_auto.attributes' configuration option.
+ *
+ * There are also two other options for use in simulation:
+ *  - 'login_auto.ask_login' - ask for username and password.
+ *  - 'login_auto.delay_login' - delay the login process for the given number
+ *    of milliseconds.
+ *
+ * See 'config/config-template.php' for documentation about these configuration
+ * options.
+ */
 
 require_once('../../www/_include.php');
 
-
-require_once('SimpleSAML/Utilities.php');
+require_once('SimpleSAML/Configuration.php');
 require_once('SimpleSAML/Session.php');
-require_once('SimpleSAML/XML/MetaDataStore.php');
-require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
-require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
+require_once('SimpleSAML/Utilities.php');
 require_once('SimpleSAML/XHTML/Template.php');
 
-session_start();
-
+/* Load the configuration. */
 $config = SimpleSAML_Configuration::getInstance();
-$metadata = new SimpleSAML_XML_MetaDataStore($config);
+$enable = (bool)$config->getValue('login_auto.enable');
+$attributes = $config->getValue('login_auto.attributes');
+$ask_login = (bool)$config->getValue('login_auto.ask_login');
+$delay_login = (int)$config->getValue('login_auto.delay_login');
+
+/* Verify that this authentication handler is enabled. */
+if(!$enable) {
+	$e = 'You attempted to use the login-auto authentication handler,' .
+	     'but this handler isn\'t enabled in the configuration. If you' .
+	     ' want to enable this authentication handler, set' .
+	     ' \'login_auto.enable\' to true.';
+	error_log($e);
+	/* TODO: show error page. */
+	exit(1);
+}
 
-	
-$session = SimpleSAML_Session::getInstance();
+/* Verify that the 'login_auto.attributes' option is configured. */
+if(!is_array($attributes)) {
+	$e = 'The login-auto authentication handler is enabled, but no' .
+	     ' attributes are configured. Please set' .
+	     ' \'login_auto.attributes\' to the attributes you want to give' .
+	     ' users.';
+	error_log($e);
+	/* TODO: show error page. */
+	exit(1);
+}
 
-$error = null;
-$attributes = array();
-	
-if (isset($_POST['username'])) {
-
-
-	$dn = str_replace('%username%', $_POST['username'], $config->getValue('auth.ldap.dnpattern'));
-	$pwd = $_POST['password'];
-
-	$ds = ldap_connect($config->getValue('auth.ldap.hostname'));
-	
-	if ($ds) {
-	
-		if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
-			echo "Failed to set LDAP Protocol version to 3";
-			exit;
-		}
-		/*
-		if (!ldap_start_tls($ds)) {
-		echo "Failed to start TLS";
-		exit;
-		}
-		*/
-		if (!ldap_bind($ds, $dn, $pwd)) {
-			$error = "Bind failed, wrong username or password. Tried with DN=[" . $dn . "] DNPattern=[" . $config->getValue('auth.ldap.dnpattern') . "]";
-			
-			
-		} else {
-			$sr = ldap_read($ds, $dn, $config->getValue('auth.ldap.attributes'));
-			$ldapentries = ldap_get_entries($ds, $sr);
-			
-
-			for ($i = 0; $i < $ldapentries[0]['count']; $i++) {
-				$values = array();
-				if ($ldapentries[0][$i] == 'jpegphoto') continue;
-				for ($j = 0; $j < $ldapentries[0][$ldapentries[0][$i]]['count']; $j++) {
-					$values[] = $ldapentries[0][$ldapentries[0][$i]][$j];
-				}
-				
-				$attributes[$ldapentries[0][$i]] = $values;
-			}
-
-			// generelt ldap_next_entry for flere, men bare ett her
-			//print_r($ldapentries);
-			//print_r($attributes);
-			
-			$session->setAuthenticated(true);
-			$session->setAttributes($attributes);
-			$returnto = $_SESSION['webssourl']. '?RequestID=' . $_REQUEST['RequestID'];
-			header("Location: " . $returnto);
-
-		}
-	// ldap_close() om du vil, men frigjoeres naar skriptet slutter
-	}
-	
-
-	
-	
+
+/* Check if we should display a login page. */
+if($ask_login && !array_key_exists('username', $_POST)) {
+	/* Show login page. */
+
+	$t = new SimpleSAML_XHTML_Template($config, 'login.php');
+
+	$t->data['header'] = 'simpleSAMLphp: Enter username and password';
+	$t->data['relaystate'] = $_REQUEST['RelayState'];
+
+	$t->show();
+	exit(0);
 }
 
 
-$t = new SimpleSAML_XHTML_Template($config, 'login.php');
+/* Delay the execution of the script to simulate the login process taking
+ * time.
+ */
+usleep($delay_login * 1000);
+
 
-$t->data['header'] = 'simpleSAMLphp: Enter username and password';	
-$t->data['requestid'] = $_REQUEST['RequestID'];
-$t->data['error'] = $error;
-if (isset($error)) {
-	$t->data['username'] = $_POST['username'];
+/* Load the session of the current user. */
+$session = SimpleSAML_Session::getInstance();
+if($session == NULL) {
+	$e = 'No session was found. Are cookies disabled?';
+	error_log($e);
+	/* TODO: show error page. */
+	exit(1);
 }
 
-$t->show();
+/* Set the user as authenticated and add the attributes from the
+ * configuration.
+ */
+$session->setAuthenticated(true);
+$session->setAttributes($attributes);
 
+/* Return the user to the page set in the RelayState parameter. */
+$returnto = $_REQUEST['RelayState'];
+header("Location: " . $returnto);
 
 ?>
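Review bot: The redirect at the end of the hunk sends the browser to whatever `$_REQUEST['RelayState']` contains, with no check that the parameter is present or that it points back to this deployment; the removed code built the return URL from the session-stored `$_SESSION['webssourl']`, so taking the target from the request is a new open-redirect surface on an endpoint that anyone can reach once `login_auto.enable` is true. A missing parameter additionally produces an undefined-index notice and a `Location:` header with an empty target, and the same raw value is handed to the template as `relaystate` on the login page, where whether it is escaped depends on `login.php`, which is outside this diff. Require the parameter and reject absolute URLs whose host differs from this server (or from a configured host, if the configuration has one) before issuing the header, as sketched below. Separately, `if($session == NULL)` should be the strict `if($session === null)`, and `usleep($delay_login * 1000)` should clamp a negative configured delay, e.g. `usleep(max(0, $delay_login) * 1000);`.
```php
/* … unchanged: configuration checks, login page, delay and session handling … */

/* Return the user to the page set in the RelayState parameter, but only
 * after checking that it is present and does not point to another host.
 */
if (!isset($_REQUEST['RelayState'])) {
	error_log('The login-auto authentication handler was called without a RelayState parameter.');
	/* TODO: show error page. */
	exit(1);
}
$returnto = $_REQUEST['RelayState'];
$host = parse_url($returnto, PHP_URL_HOST);
if ($host !== null && $host !== false && $host !== $_SERVER['HTTP_HOST']) {
	error_log('Refusing to redirect to a RelayState on another host: ' . $returnto);
	/* TODO: show error page. */
	exit(1);
}
header("Location: " . $returnto);
exit(0);
```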
-- 
GitLab