
commit e48a12dd8d7e50706f195e176e99a6719c44d6e8
parent 5b00d9db95e0cfefa62cf095117f239f0ece3e3c
Author: dankert <devnull@localhost>
Date:   Thu, 15 Feb 2007 23:16:43 +0100

Single-Sign-on und SSL-Client-Certificate

Diffstat:
actionClasses/IndexAction.class.php | 133+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 123 insertions(+), 10 deletions(-)

diff --git a/actionClasses/IndexAction.class.php b/actionClasses/IndexAction.class.php
@@ -113,11 +113,11 @@ class IndexAction extends Action
 {
 // Login war erfolgreich!
 $user->load();
- $user->loadProjects();
+// $user->loadProjects();
 //$user->loadRights();
 $user->setCurrent();
- $user->loginDate = time();
- Session::setUser( $user );
+// $user->loginDate = time();
+// Session::setUser( $user );
 Logger::info( 'login successful' );
 return true;
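Review bot: Commenting out `Session::setUser( $user );` and `$user->loginDate = time();` on the successful-login path leaves this method returning `true` without the logged-in user being stored in the session, unless some other path now does that (not visible in this hunk). If session handling has genuinely moved elsewhere, delete the three commented-out lines (`$user->loadProjects();` included) instead of keeping them as dead code; if it has not, restore `Session::setUser( $user );` before `Logger::info( 'login successful' );`. The enclosing method starts before this hunk.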
@@ -143,6 +143,112 @@ class IndexAction extends Action
 function showlogin()
 {
 global $conf;
+ $sso = $conf['security']['sso'];
+ $ssl = $conf['security']['ssl'];
+
+ $ssl_trust = false;
+ $ssl_user_var = '';
+ extract( $ssl, EXTR_PREFIX_ALL, 'ssl' );
+
+ if ( $sso['enable'] )
+ {
+ $authid = $this->getRequestVar( $sso['auth_param_name']);
+
+ if ( empty( $authid) )
+ die( 'no authorization data (no auth-id)');
+
+ if ( $sso['auth_param_serialized'] )
+ $authid = unserialize( $authid );
+
+ $purl = parse_url($sso['url']);
+ // Verbindung zu URL herstellen.
+ $errno=0; $errstr='';
+ $fp = fsockopen ($purl['host'],80, $errno, $errstr, 30);
+ if ( !$fp )
+ {
+ echo "Connection failed: $errstr ($errno)";
+ }
+ else
+ {
+ $http_get = $purl['path'];
+ if ( !empty($purl['query']) )
+ $http_get .= '?'.$purl['query'];
+
+ $header = array();
+
+ $header[] = "GET $http_get HTTP/1.0";
+ $header[] ="Host: ".$purl['host'];
+ $header[] = "User-Agent: Mozilla/5.0 (OpenRat CMS Single Sign-on Check)";
+ $header[] = "Connection: Close";
+
+ if ( $sso['cookie'] )
+ {
+ $cookie = 'Cookie: ';
+ if ( is_array($authid))
+ foreach( $authid as $cookiename=>$cookievalue)
+ $cookie .= $cookiename.'='.$cookievalue."; ";
+ else
+ $cookie .= $sso['cookie_name'].'='.$authid;
+
+ $header[] = $cookie;
+ }
+
+// Html::debug($header);
+ fputs ($fp, implode("\r\n",$header)."\r\n\r\n");
+
+ $inhalt=array();
+ while (!feof($fp)) {
+ $inhalt[] = fgets($fp,128);
+ }
+ fclose($fp);
+
+ $html = implode('',$inhalt);
+// Html::debug($html);
+ if ( !preg_match($sso['expect_regexp'],$html) )
+ die('auth failed');
+ $treffer=0;
+ if ( !preg_match($sso['username_regexp'],$html,$treffer) )
+ die('auth failed');
+ if ( !isset($treffer[1]) )
+ die('auth failed');
+
+ $username = $treffer[1];
+
+// Html::debug( $treffer );
+ $this->setDefaultDb();
+
+ $user = User::loadWithName( $username );
+
+ if ( ! $user->isValid( ))
+ die('auth failed: user not found: '.$username);
+
+ $user->setCurrent();
+
+ $this->callSubAction('show');
+ }
+ }
+
+ elseif ( $ssl_trust )
+ {
+ if ( empty($ssl_user_var) )
+ die( 'please set environment variable name in ssl-configuration.' );
+
+ $username = getenv( $ssl_user_var );
+
+ if ( empty($username) )
+ die( 'no username in client certificate ('.$ssl_user_var.') (or there is no client certificate...?)' );
+
+ $this->setDefaultDb();
+
+ $user = User::loadWithName( $username );
+
+ if ( !$user->isValid() )
+ die( 'unknown username: '.$username );
+
+ $user->setCurrent();
+
+ $this->callSubAction('show');
+ }
 foreach( $conf['database'] as $dbname=>$dbconf )
 {
@@ -158,18 +264,25 @@ class IndexAction extends Action
 else
 $this->setTemplateVar('actdbid',$conf['database']['default']);
-// $this->setTemplateVar('logo' ,$conf['login' ]['logo' ] );
-// $this->setTemplateVar('logo_url' ,$conf['login' ]['logo_url'] );
-// $this->setTemplateVar('motd' ,$conf['login' ]['motd' ] );
-// $this->setTemplateVar('readonly' ,$conf['security']['readonly'] );
-// $this->setTemplateVar('nologin' ,$conf['login' ]['nologin' ] );
-// $this->setTemplateVar('nopublish' ,$conf['security']['nopublish']);
+ $ssl_user_var = $conf['security']['ssl']['user_var'];
+ if ( !empty($ssl_user_var) )
+ {
+ $username = getenv( $ssl_user_var );
+
+ if ( empty($username) )
+ die( 'no username in client certificate ('.$ssl_user_var.'). (or maybe there is no client certificate?)' );
+// Html::debug($username);
+ $this->setTemplateVar('force_username',$username);
+ }
+
 $this->setTemplateVar('register' ,$conf['login' ]['register' ]);
 $this->setTemplateVar('send_password',$conf['login' ]['send_password']);
 $this->setTemplateVar('loginmessage',$this->getSessionVar('loginmessage'));
 $this->setSessionVar('loginmessage','');
 }
+
+
 function projectmenu()
 {
 $user = Session::getUser();
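Review bot: In the `$sso['enable']` branch the request-supplied `$authid` is fed to `unserialize()` and then concatenated unencoded into the outgoing `Cookie:` header, so the check request is built from attacker-controllable data: a name or value containing CR/LF breaks the header structure, and `unserialize()` on untrusted input is a deserialization sink. Prefer a non-object encoding for the parameter (e.g. `json_decode( $authid, true )`) and validate the parts before they reach the header, e.g. `if ( !preg_match('/^[\w.-]+$/', $cookiename) ) die('auth failed');` and `$cookie .= $cookiename.'='.rawurlencode($cookievalue).'; ';`. The `fsockopen ($purl['host'],80, …)` call also ignores `$purl['port']` and `$purl['scheme']`, so an `https` SSO url is contacted over plaintext on port 80, and `$html` includes the status line and response headers that `$sso['expect_regexp']` is then matched against. Neither `$this->callSubAction('show');` is followed by a `return`, so after a successful SSO or certificate login the method continues into the login-form setup below. `showlogin()` ends outside this hunk.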
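Review bot: The `die( 'no username in client certificate …' )` in the new `force_username` block aborts the login page for every visitor without a client certificate as soon as `$conf['security']['ssl']['user_var']` is set, although this block only pre-fills the form; the `$ssl_trust` branch earlier in the method (previous hunk) already handles the trusted case. Falling back to the normal form is the safer behaviour: drop the `die()`, log with `Logger::info( 'no username in client certificate ('.$ssl_user_var.')' );`, and call `$this->setTemplateVar('force_username',$username);` only when `$username` is non-empty. Note also that `force_username` reaches only the template, so unless the login handler re-reads `getenv( $ssl_user_var )` and compares it with the posted name (not visible here), the certificate's name is a hint rather than an enforced identity. `showlogin()` starts in the previous hunk.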
@@ -226,7 +339,7 @@ class IndexAction extends Action // Ermitteln, ob der Baum angezeigt werden soll // Ist die Breite zu klein, dann wird der Baum nicht angezeigt Session::set('showtree',intval($this->getRequestVar('screenwidth')) > $conf['interface']['min_width'] ); - + $loginOk = $this->checkLogin( $loginName, $loginPassword, $newPassword1,