diff options
| -rw-r--r-- | config-templates/authsources.php | 26 | ||||
| -rw-r--r-- | dictionaries/errors.php | 6 | ||||
| -rw-r--r-- | lib/SimpleSAML/Auth/Default.php | 114 | ||||
| -rw-r--r-- | lib/SimpleSAML/Auth/Source.php | 140 | ||||
| -rw-r--r-- | lib/SimpleSAML/Auth/State.php | 171 | ||||
| -rw-r--r-- | modules/core/lib/Auth/UserPassBase.php | 136 | ||||
| -rw-r--r-- | modules/core/templates/default/loginuserpass.php | 61 | ||||
| -rw-r--r-- | modules/core/www/loginuserpass.php | 46 | ||||
| -rw-r--r-- | modules/exampleauth/default-disable | 3 | ||||
| -rw-r--r-- | modules/exampleauth/lib/Auth/Source/Static.php | 60 | ||||
| -rw-r--r-- | modules/exampleauth/lib/Auth/Source/UserPass.php | 93 | ||||
| -rw-r--r-- | www/saml2/idp/SSOService.php | 35 | ||||
| -rw-r--r-- | www/shib13/idp/SSOService.php | 36 |
13 files changed, 912 insertions, 15 deletions
diff --git a/config-templates/authsources.php b/config-templates/authsources.php new file mode 100644 index 0000000..85aec95 --- /dev/null +++ b/config-templates/authsources.php @@ -0,0 +1,26 @@ +<?php + +$config = array( + + 'example-static' => array( + 'exampleauth:Static', + 'uid' => 'testuser', + 'eduPersonAffiliation' => array('member', 'employee'), + 'cn' => array('Test User'), + ), + + 'example-userpass' => array( + 'exampleauth:UserPass', + 'student:studentpass' => array( + 'uid' => 'student', + 'eduPersonAffiliation' => array('member', 'student'), + ), + 'employee:employeepass' => array( + 'uid' => 'employee', + 'eduPersonAffiliation' => array('member', 'employee'), + ), + ), + +); + +?>
\ No newline at end of file diff --git a/dictionaries/errors.php b/dictionaries/errors.php index 556a0b5..56a8820 100644 --- a/dictionaries/errors.php +++ b/dictionaries/errors.php @@ -1036,6 +1036,12 @@ $lang = array( 'nn' => 'Det er ein feil i spørringa etter denne sida. Grunnen til dette er %REASON%', 'en' => 'There is an error in the request to this page. The reason was: %REASON%', ), + 'title_WRONGUSERPASS' => array ( + 'en' => 'Incorrect username or password', + ), + 'descr_WRONGUSERPASS' => array ( + 'en' => 'Either no user with the given username could be found, or the password you gave was wrong. Please check the username and try again.', + ), ); diff --git a/lib/SimpleSAML/Auth/Default.php b/lib/SimpleSAML/Auth/Default.php new file mode 100644 index 0000000..1013658 --- /dev/null +++ b/lib/SimpleSAML/Auth/Default.php @@ -0,0 +1,114 @@ +<?php + +/** + * Implements the default behaviour for authentication. + * + * This class contains an implementation for default behaviour when authenticating. It will + * save the session information it got from the authentication client in the users session. + * + * @author Olav Morken, UNINETT AS. + * @package simpleSAMLphp + * @version $Id$ + */ +class SimpleSAML_Auth_Default { + + + /** + * Start authentication. + * + * This function never returns. + * + * @param string $authId The identifier of the authentication source. + * @param string $returnURL The URL we should direct the user to after authentication. + * @param string|NULL $errorURL The URL we should direct the user to after failed authentication. + * Can be NULL, in which case a standard error page will be shown. + * @param array $hints Extra information about the login. Different authentication requestors may + * provide different information. Optional, will default to an empty array. + */ + public static function initLogin($authId, $returnURL, $errorURL = NULL, $hints = array()) { + assert('is_string($authId)'); + assert('is_string($returnURL)'); + assert('is_string($errorURL) || is_null($errorURL)'); + assert('is_array($hints)'); + + $state = array( + 'SimpleSAML_Auth_Default.id' => $authId, + 'SimpleSAML_Auth_Default.ReturnURL' => $returnURL, + 'SimpleSAML_Auth_Default.ErrorURL' => $errorURL, + 'LoginCompletedHandler' => array(get_class(), 'loginCompleted'), + 'LoginFailedHandler' => array(get_class(), 'loginFailed'), + ); + + if (array_key_exists('SPMetadata', $hints)) { + $state['SPMetadata'] = $hints['SPMetadata']; + } + if (array_key_exists('IdPMetadata', $hints)) { + $state['IdPMetadata'] = $hints['IdPMetadata']; + } + + $as = SimpleSAML_Auth_Source::getById($authId); + if ($as === NULL) { + throw new Exception('Invalid authentication source: ' . $authId); + } + + $as->authenticate($state); + self::loginCompleted($state); + } + + + /** + * Called when a login operation has finished. + * + * @param array $state The state after the login. + */ + public static function loginCompleted($state) { + assert('is_array($state)'); + assert('array_key_exists("SimpleSAML_Auth_Default.ReturnURL", $state)'); + assert('array_key_exists("SimpleSAML_Auth_Default.id", $state)'); + assert('array_key_exists("Attributes", $state)'); + + $returnURL = $state['SimpleSAML_Auth_Default.ReturnURL']; + + /* Save session state. */ + $session = SimpleSAML_Session::getInstance(); + $session->doLogin($state['SimpleSAML_Auth_Default.id']); + $session->setAttributes($state['Attributes']); + if(array_key_exists('Expires', $state)) { + $session->setSessionDuration($state['Expires'] - time()); + } + + /* Redirect... */ + SimpleSAML_Utilities::redirect($returnURL); + } + + + /** + * Called when a login operation fails. + * + * @param array $state The state array. + * @param string $statusCode A status code, in the form of an URI, which indicates why the login failed. + * @param string $statusMessage A text which describes why the login failed. + */ + public static function loginFailed($state, $statusCode, $statusMessage) { + assert('is_array($state)'); + assert('array_key_exists("SimpleSAML_Auth_Default.ErrorURL", $state)'); + assert('is_string($statusCode)'); + assert('is_string($statusMessage)'); + + $url = $state['SimpleSAML_Auth_Default.ErrorURL']; + if ($url === NULL) { + /* We don't have an error handler. Show an error page. */ + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'RESPONSESTATUSNOSUCCESS', + new Exception('StatusCode = \'' . $statusCode . '\'; StatusMessage = \'' . + $statusMessage . '\';')); + } + + $info = array('StatusCode' => $statusCode, 'StatusMessage' => $statusMessage); + + /* Redirect... */ + SimpleSAML_Utilities::redirect($url, $info); + } + +} + +?>
\ No newline at end of file diff --git a/lib/SimpleSAML/Auth/Source.php b/lib/SimpleSAML/Auth/Source.php new file mode 100644 index 0000000..2c2f825 --- /dev/null +++ b/lib/SimpleSAML/Auth/Source.php @@ -0,0 +1,140 @@ +<?php + +/** + * This class defines a base class for authentication source. + * + * An authentication source is any system which somehow authenticate the user. + * + * @author Olav Morken, UNINETT AS. + * @package simpleSAMLphp + * @version $Id$ + */ +abstract class SimpleSAML_Auth_Source { + + + /** + * The authentication source identifier. + * + * This identifier can be used to look up this object, for example when returning from a login form. + */ + protected $authId; + + + /** + * Constructor for an authentication source. + * + * Any authentication source which implements its own constructor must call this + * constructor first. + * + * @param array $info Information about this authentication source. + * @param array &$config Configuration for this authentication source. + */ + public function __construct($info, &$config) { + assert('is_array($info)'); + assert('is_array($config)'); + + assert('array_key_exists("AuthId", $info)'); + $this->authId = $info['AuthId']; + } + + + /** + * Process a request. + * + * If an authentication source returns from this function, it is assumed to have + * authenticated the user, and should have set elements in $state with the attributes + * of the user. + * + * If the authentication process requires additional steps which make it impossible to + * complete before returning from this function, the authentication source should + * save the state, and at a later stage, load the state, update it with the authentication + * information about the user, and call completeAuth with the state array. + * + * @param array &$state Information about the current authentication. + */ + abstract public function authenticate(&$state); + + + /** + * Complete authentication. + * + * This function should be called if authentication has completed. It will never return, + * except in the case of exceptions. Exceptions thrown from this page should not be caught, + * but should instead be passed to the top-level exception handler. + * + * @param array &$state Information about the current authentication. + */ + public static function completeAuth(&$state) { + assert('is_array($state)'); + assert('array_key_exists("LoginCompletedHandler", $state)'); + + SimpleSAML_Auth_State::deleteState($state); + + $func = $state['LoginCompletedHandler']; + assert('is_callable($func)'); + + call_user_func($func, $state); + assert(FALSE); + } + + + /** + * Create authentication source object from configuration array. + * + * This function takes an array with the configuration for an authentication source object, + * and returns the object. + * + * @param string $authId The authentication source identifier. + * @param array $config The configuration. + * @return SimpleSAML_Auth_Source The parsed authentication source. + */ + private static function parseAuthSource($authId, $config) { + assert('is_string($authId)'); + assert('is_array($config)'); + + if (!array_key_exists(0, $config) || !is_string($config[0])) { + throw new Exception('Invalid authentication source \'' . $authId . + '\': First element must be a string which identifies the authentication source.'); + } + + $className = SimpleSAML_Module::resolveClass($config[0], 'Auth_Source', + 'SimpleSAML_Auth_Source'); + + $info = array('AuthId' => $authId); + unset($config[0]); + return new $className($info, $config); + } + + + /** + * Retrieve authentication source. + * + * This function takes an id of an authentication source, and returns the + * AuthSource object. + * + * @param string $authId The authentication source identifier. + * @return SimpleSAML_Auth_Source|NULL The AuthSource object, or NULL if no authentication + * source with the given identifier is found. + */ + public static function getById($authId) { + assert('is_string($authId)'); + + /* For now - load and parse config file. */ + $globalConfig = SimpleSAML_Configuration::getInstance(); + $config = $globalConfig->copyFromBase('authsources', 'authsources.php'); + + $authConfig = $config->getValue($authId, NULL); + if ($authConfig === NULL) { + return NULL; + } + + if (!is_array($authConfig)) { + throw new Exception('Invalid configuration for authentication source \'' . $authId . '\'.'); + } + + return self::parseAuthSource($authId, $authConfig); + } + +} + +?>
\ No newline at end of file diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php new file mode 100644 index 0000000..8c16bc5 --- /dev/null +++ b/lib/SimpleSAML/Auth/State.php @@ -0,0 +1,171 @@ +<?php + +/** + * This is a helper class for saving and loading state information. + * + * The state must be an associative array. This class will add additional keys to this + * array. These keys will always start with 'SimpleSAML_Auth_State.'. + * + * It is also possible to add a restart URL to the state. If state information is lost, for + * example because it timed out, or the user loaded a bookmarked page, the loadState function + * will redirect to this URL. To use this, set $state[SimpleSAML_Auth_State::RESTART] to this + * URL. + * + * Both the saveState and the loadState function takes in a $stage parameter. This parameter is + * a security feature, and is used to prevent the user from taking a state saved one place and + * using it as input a different place. + * + * The $stage parameter must be a unique string. To maintain uniqueness, it must be on the form + * "<classname>.<identifier>" or "<module>:<identifier>". + * + * @author Olav Morken, UNINETT AS. + * @package simpleSAMLphp + * @version $Id$ + */ +class SimpleSAML_Auth_State { + + + /** + * The index in the state array which contains the identifier. + */ + const ID = 'SimpleSAML_Auth_State.id'; + + + /** + * The index in the state array which contains the current stage. + */ + const STAGE = 'SimpleSAML_Auth_State.stage'; + + + /** + * The index in the state array which contains the restart URL. + */ + const RESTART = 'SimpleSAML_Auth_State.restartURL'; + + + /** + * Save the state. + * + * This function saves the state, and returns an id which can be used to + * retrieve it later. It will also update the $state array with the identifier. + * + * @param array &$state The login request state. + * @param string $stage The current stage in the login process. + * @return string Identifier which can be used to retrieve the state later. + */ + public static function saveState(&$state, $stage) { + assert('is_array($state)'); + assert('is_string($stage)'); + + /* Save stage. */ + $state[self::STAGE] = $stage; + + if (!array_key_exists(self::ID, $state)) { + $state[self::ID] = SimpleSAML_Utilities::generateID(); + } + + $id = $state[self::ID]; + + /* Embed the restart URL in the state identifier, if it is available. */ + if (array_key_exists(self::RESTART, $state)) { + assert('is_string($state[self::RESTART])'); + $return = $id . ':' . $state[self::RESTART]; + } else { + $return = $id; + } + + $serializedState = serialize($state); + + $session = SimpleSAML_Session::getInstance(); + $session->setData('SimpleSAML_Auth_State', $id, $serializedState, 60*60); + + return $return; + } + + + /** + * Retrieve saved state. + * + * This function retrieves saved state information. If the state information has been lost, + * it will attempt to restart the request by calling the restart URL which is embedded in the + * state information. If there is no restart information available, an exception will be thrown. + * + * @param string $id State identifier (with embedded restart information). + * @param string $stage The stage the state should have been saved in. + * @return array State information. + */ + public static function loadState($id, $stage) { + assert('is_string($id)'); + assert('is_string($stage)'); + + $tmp = explode(':', $id, 2); + $id = $tmp[0]; + if (count($tmp) === 2) { + $restartURL = $tmp[1]; + } else { + $restartURL = NULL; + } + + $session = SimpleSAML_Session::getInstance(); + $state = $session->getData('SimpleSAML_Auth_State', $id); + + if ($state === NULL) { + /* Could not find saved data. Attempt to restart. */ + + if ($restartURL === NULL) { + throw new Exception('State information lost, and no way to restart the request.'); + } + + SimpleSAML_Utilities::redirect($restartURL); + } + + $state = unserialize($state); + assert('is_array($state)'); + assert('array_key_exists(self::ID, $state)'); + assert('array_key_exists(self::STAGE, $state)'); + + /* Verify stage. */ + if ($state[self::STAGE] !== $stage) { + /* This could be a user trying to bypass security, but most likely it is just + * someone using the back-button in the browser. We try to restart the + * request if that is possible. If not, show an error. + */ + + $msg = 'Wrong stage in state. Was \'' . $state[self::STAGE] . + '\', shoud be \'' . $stage . '\'.'; + + SimpleSAML_Logger::warning($msg); + + if ($restartURL === NULL) { + throw new Exception($msg); + } + + SimpleSAML_Utilities::redirect($restartURL); + } + + return $state; + } + + + /** + * Delete state. + * + * This function deletes the given state to prevent the user from reusing it later. + * + * @param array &$state The state which should be deleted. + */ + public static function deleteState(&$state) { + assert('is_array($state)'); + + if (!array_key_exists(self::ID, $state)) { + /* This state hasn't been saved. */ + return; + } + + $session = SimpleSAML_Session::getInstance(); + $session->deleteData('SimpleSAML_Auth_State', $state[self::ID]); + } + +} + +?>
\ No newline at end of file diff --git a/modules/core/lib/Auth/UserPassBase.php b/modules/core/lib/Auth/UserPassBase.php new file mode 100644 index 0000000..01a1b8f --- /dev/null +++ b/modules/core/lib/Auth/UserPassBase.php @@ -0,0 +1,136 @@ +<?php + +/** + * Helper class for username/password authentication. + * + * This helper class allows for implementations of username/password authentication by + * implementing a single function: login($username, $password) + * + * @author Olav Morken, UNINETT AS. + * @package simpleSAMLphp + * @version $Id$ + */ +abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source { + + + /** + * The string used to identify our states. + */ + const STAGEID = 'sspmod_core_Auth_UserPassBase.state'; + + + /** + * The key of the AuthId field in the state. + */ + const AUTHID = 'sspmod_core_Auth_UserPassBase.AuthId'; + + + /** + * Constructor for this authentication source. + * + * All subclasses who implement their own constructor must call this constructor before + * using $config for anything. + * + * @param array $info Information about this authentication source. + * @param array &$config Configuration for this authentication source. + */ + public function __construct($info, &$config) { + assert('is_array($info)'); + assert('is_array($config)'); + + /* Call the parent constructor first, as required by the interface. */ + parent::__construct($info, $config); + } + + + /** + * Initialize login. + * + * This function saves the information about the login, and redirects to a + * login page. + * + * @param array &$state Information about the current authentication. + */ + public function authenticate(&$state) { + assert('is_array($state)'); + + /* We are going to need the authId in order to retrieve this authentication source later. */ + $state[self::AUTHID] = $this->authId; + + $id = SimpleSAML_Auth_State::saveState($state, self::STAGEID); + + $url = SimpleSAML_Module::getModuleURL('core/loginuserpass.php'); + SimpleSAML_Utilities::redirect($url, array('AuthState' => $id)); + } + + + /** + * Attempt to log in using the given username and password. + * + * On a successful login, this function should return the users attributes. On failure, + * it should throw an exception/error. If the error was caused by the user entering the wrong + * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown. + * + * Note that both the username and the password are UTF-8 encoded. + * + * @param string $username The username the user wrote. + * @param string $password The password the user wrote. + * @return array Associative array with the user's attributes. + */ + abstract protected function login($username, $password); + + + /** + * Handle login request. + * + * This function is used by the login form (core/www/loginuserpass.php) when the user + * enters a username and password. On success, it will not return. On wrong + * username/password failure, it will return the error code. Other failures will throw an + * exception. + * + * @param string $authStateId The identifier of the authentication state. + * @param string $username The username the user wrote. + * @param string $password The password the user wrote. + * @return string Error code in the case of an error. + */ + public static function handleLogin($authStateId, $username, $password) { + assert('is_string($authStateId)'); + assert('is_string($username)'); + assert('is_string($password)'); + + /* Retrieve the authentication state. */ + $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); + + /* Find authentication source. */ + assert('array_key_exists(self::AUTHID, $state)'); + $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); + if ($source === NULL) { + throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); + } + + + try { + /* Attempt to log in. */ + $attributes = $source->login($username, $password); + } catch (SimpleSAML_Error_Error $e) { + /* An error occured during login. Check if it is because of the wrong + * username/password - if it is, we pass that error up to the login form, + * if not, we let the generic error handler deal with it. + */ + if ($e->getErrorCode() === 'WRONGUSERPASS') { + return 'WRONGUSERPASS'; + } + + /* Some other error occured. Rethrow exception and let the generic error + * handler deal with it. + */ + throw $e; + } + + $state['Attributes'] = $attributes; + SimpleSAML_Auth_Source::completeAuth($state); + } + +} + +?>
\ No newline at end of file diff --git a/modules/core/templates/default/loginuserpass.php b/modules/core/templates/default/loginuserpass.php new file mode 100644 index 0000000..810abda --- /dev/null +++ b/modules/core/templates/default/loginuserpass.php @@ -0,0 +1,61 @@ +<?php +$this->data['icon'] = 'lock.png'; +$this->data['header'] = $this->t('{login:user_pass_header}'); + +if (strlen($this->data['username']) > 0) { + $this->data['autofocus'] = 'password'; +} else { + $this->data['autofocus'] = 'username'; +} +$this->includeAtTemplateBase('includes/header.php'); + +?> +<div id="content"> + +<?php +if ($this->data['errorcode'] !== NULL) { +?> + <div style="border-left: 1px solid #e8e8e8; border-bottom: 1px solid #e8e8e8; background: #f5f5f5"> + <img src="/<?php echo $this->data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " /> + <h2><?php echo $this->t('{login:error_header}'); ?></h2> + <p><b><?php echo $this->t('{errors:title_' . $this->data['errorcode'] . '}'); ?></b></p> + <p><?php echo $this->t('{errors:descr_' . $this->data['errorcode'] . '}'); ?></p> + </div> +<?php +} +?> + <h2 style="break: both"><?php echo $this->t('{login:user_pass_header}'); ?></h2> + + <p><?php echo $this->t('{login:user_pass_text}'); ?></p> + + <form action="?" method="post" name="f"> + + <table> + <tr> + <td rowspan="2"><img src="/<?php echo $this->data['baseurlpath']; ?>resources/icons/pencil.png" alt="" /></td> + <td style="padding: .3em;"><?php echo $this->t('{login:username}'); ?></td> + <td><input type="text" id="username" tabindex="1" name="username" value="<?php echo htmlspecialchars($this->data['username']); ?>" /></td> + <td style="padding: .4em;" rowspan="2"> + <input type="submit" tabindex="3" value="<?php echo $this->t('{login:login_button}'); ?>" /> + </td> + </tr> + <tr> + <td style="padding: .3em;"><?php echo $this->t('{login:password}'); ?></td> + <td><input id="password" type="password" tabindex="2" name="password" /></td> + </tr> + </table> + +<?php +foreach ($this->data['stateparams'] as $name => $value) { + echo('<input type="hidden" name="' . htmlspecialchars($name) . '" value="' . htmlspecialchars($value) . '" />'); +} +?> + + </form> + +<?php +echo('<h2>' . $this->t('{login:help_header}') . '</h2>'); +echo('<p>' . $this->t('{login:help_text}') . '</p>'); + +$this->includeAtTemplateBase('includes/footer.php'); +?>
\ No newline at end of file diff --git a/modules/core/www/loginuserpass.php b/modules/core/www/loginuserpass.php new file mode 100644 index 0000000..a7bfdb2 --- /dev/null +++ b/modules/core/www/loginuserpass.php @@ -0,0 +1,46 @@ +<?php + +/** + * This page shows a username/password login form, and passes information from it + * to the sspmod_core_Auth_UserPassBase class, which is a generic class for + * username/password authentication. + * + * @author Olav Morken, UNINETT AS. + * @package simpleSAMLphp + * @version $Id$ + */ + +if (!array_key_exists('AuthState', $_REQUEST)) { + throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.'); +} +$authStateId = $_REQUEST['AuthState']; + +if (array_key_exists('username', $_REQUEST)) { + $username = $_REQUEST['username']; +} else { + $username = ''; +} + +if (array_key_exists('password', $_REQUEST)) { + $password = $_REQUEST['password']; +} else { + $password = ''; +} + +if (!empty($username) || !empty($password)) { + /* Either username or password set - attempt to log in. */ + $errorCode = sspmod_core_Auth_UserPassBase::handleLogin($authStateId, $username, $password); +} else { + $errorCode = NULL; +} + +$globalConfig = SimpleSAML_Configuration::getInstance(); +$t = new SimpleSAML_XHTML_Template($globalConfig, 'core:loginuserpass.php'); +$t->data['stateparams'] = array('AuthState' => $authStateId); +$t->data['username'] = $username; +$t->data['errorcode'] = $errorCode; +$t->show(); +exit(); + + +?>
\ No newline at end of file diff --git a/modules/exampleauth/default-disable b/modules/exampleauth/default-disable new file mode 100644 index 0000000..fa0bd82 --- /dev/null +++ b/modules/exampleauth/default-disable @@ -0,0 +1,3 @@ +This file indicates that the default state of this module +is disabled. To enable, create a file named enable in the +same directory as this file. diff --git a/modules/exampleauth/lib/Auth/Source/Static.php b/modules/exampleauth/lib/Auth/Source/Static.php new file mode 100644 index 0000000..c2a07cc --- /dev/null +++ b/modules/exampleauth/lib/Auth/Source/Static.php @@ -0,0 +1,60 @@ +<?php + +/** + * Example authentication source. + * + * This class is an example authentication source which will always return a user with + * a static set of attributes. + * + * @author Olav Morken, UNINETT AS. + * @package simpleSAMLphp + * @version $Id$ + */ +class sspmod_exampleauth_Auth_Source_Static extends SimpleSAML_Auth_Source { + + + /** + * The attributes we return. + */ + private $attributes; + + + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct($info, $config) { + assert('is_array($info)'); + assert('is_array($config)'); + + /* Call the parent constructor first, as required by the interface. */ + parent::__construct($info, $config); + + + /* Parse attributes. */ + try { + $this->attributes = SimpleSAML_Utilities::parseAttributes($attributes); + } catch(Exception $e) { + throw new Exception('Invalid attributes for authentication source ' . + $this->authId . ': ' . $e->getMessage()); + } + + } + + + /** + * Log in using static attributes. + * + * @param array &$state Information about the current authentication. + */ + public function authenticate(&$state) { + assert('is_array($state)'); + + $state['Attributes'] = $this->attributes; + } + +} + +?>
\ No newline at end of file diff --git a/modules/exampleauth/lib/Auth/Source/UserPass.php b/modules/exampleauth/lib/Auth/Source/UserPass.php new file mode 100644 index 0000000..98440f5 --- /dev/null +++ b/modules/exampleauth/lib/Auth/Source/UserPass.php @@ -0,0 +1,93 @@ +<?php + +/** + * Example authentication source - username & password. + * + * This class is an example authentication source which stores all username/passwords in an array, + * and authenticates users against this array. + * + * @author Olav Morken, UNINETT AS. + * @package simpleSAMLphp + * @version $Id$ + */ +class sspmod_exampleauth_Auth_Source_UserPass extends sspmod_core_Auth_UserPassBase { + + + /** + * Our users, stored in an associative array. The key of the array is "<username>:<password>", + * while the value of each element is a new array with the attributes for each user. + */ + private $users; + + + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct($info, $config) { + assert('is_array($info)'); + assert('is_array($config)'); + + /* Call the parent constructor first, as required by the interface. */ + parent::__construct($info, $config); + + $this->users = array(); + + /* Validate and parse our configuration. */ + foreach ($config as $userpass => $attributes) { + if (!is_string($userpass)) { + throw new Exception('Invalid <username>:<password> for authentication source ' . + $this->authId . ': ' . $userpass); + } + + $userpass = explode(':', $userpass, 2); + if (count($userpass) !== 2) { + throw new Exception('Invalid <username>:<password> for authentication source ' . + $this->authId . ': ' . $userpass[0]); + } + $username = $userpass[0]; + $password = $userpass[1]; + + try { + $attributes = SimpleSAML_Utilities::parseAttributes($attributes); + } catch(Exception $e) { + throw new Exception('Invalid attributes for user ' . $username . + ' in authentication source ' . $this->authId . ': ' . + $e->getMessage()); + } + + $this->users[$username . ':' . $password] = $attributes; + } + } + + + /** + * Attempt to log in using the given username and password. + * + * On a successful login, this function should return the users attributes. On failure, + * it should throw an exception. If the error was caused by the user entering the wrong + * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown. + * + * Note that both the username and the password are UTF-8 encoded. + * + * @param string $username The username the user wrote. + * @param string $password The password the user wrote. + * @return array Associative array with the users attributes. + */ + protected function login($username, $password) { + assert('is_string($username)'); + assert('is_string($password)'); + + $userpass = $username . ':' . $password; + if (!array_key_exists($userpass, $this->users)) { + throw new SimpleSAML_Error_Error('WRONGUSERPASS'); + } + + return $this->users[$userpass]; + } + +} + +?>
\ No newline at end of file diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php index 7f024c7..55d53a0 100644 --- a/www/saml2/idp/SSOService.php +++ b/www/saml2/idp/SSOService.php @@ -144,7 +144,17 @@ if (isset($_GET['SAMLRequest'])) { } -$authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : NULL; +/* Check whether we should authenticate with an AuthSource. Any time the auth-option matches a + * valid AuthSource, we assume that this is the case. + */ +if(SimpleSAML_Auth_Source::getById($idpmetadata['auth']) !== NULL) { + /* Authenticate with an AuthSource. */ + $authSource = TRUE; + $authority = $idpmetadata['auth']; +} else { + $authSource = FALSE; + $authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : NULL; +} /** @@ -175,13 +185,24 @@ if($needAuth && !$isPassive) { $session->setAuthnRequest('saml2', $authId, $requestcache); $redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId); - $authurl = '/' . $config->getBaseURL() . $idpmetadata['auth']; - SimpleSAML_Utilities::redirect($authurl, array( - 'RelayState' => $redirectTo, - 'AuthId' => $authId, - 'protocol' => 'saml2', - )); + if($authSource) { + /* Authenticate with an AuthSource. */ + $hints = array( + 'SPMetadata' => $metadata->getMetaData($requestcache['Issuer'], 'saml20-sp-remote'), + 'IdPMetadata' => $idpmetadata, + ); + + SimpleSAML_Auth_Default::initLogin($idpmetadata['auth'], $redirectTo, NULL, $hints); + } else { + $authurl = '/' . $config->getBaseURL() . $idpmetadata['auth']; + + SimpleSAML_Utilities::redirect($authurl, array( + 'RelayState' => $redirectTo, + 'AuthId' => $authId, + 'protocol' => 'saml2', + )); + } } elseif($needAuth) { /* We have a passive request, but need authentication. Send back a response indicating that diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php index 9ae15e0..495f20d 100644 --- a/www/shib13/idp/SSOService.php +++ b/www/shib13/idp/SSOService.php @@ -96,7 +96,17 @@ if (isset($_GET['shire'])) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SSOSERVICEPARAMS'); } -$authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : null; +/* Check whether we should authenticate with an AuthSource. Any time the auth-option matches a + * valid AuthSource, we assume that this is the case. + */ +if(SimpleSAML_Auth_Source::getById($idpmetadata['auth']) !== NULL) { + /* Authenticate with an AuthSource. */ + $authSource = TRUE; + $authority = $idpmetadata['auth']; +} else { + $authSource = FALSE; + $authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : NULL; +} /* * As we have passed the code above, we have an accociated request that is already processed. @@ -113,14 +123,24 @@ if (!$session->isAuthenticated($authority) ) { $session->setAuthnRequest('shib13', $authId, $requestcache); $redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId); - $authurl = '/' . $config->getBaseURL() . $idpmetadata['auth']; - SimpleSAML_Utilities::redirect($authurl, array( - 'RelayState' => $redirectTo, - 'AuthId' => $authId, - 'protocol' => 'shib13', - )); - + if($authSource) { + /* Authenticate with an AuthSource. */ + $hints = array( + 'SPMetadata' => $metadata->getMetaData($requestcache['Issuer'], 'shib13-sp-remote'), + 'IdPMetadata' => $idpmetadata, + ); + + SimpleSAML_Auth_Default::initLogin($idpmetadata['auth'], $redirectTo, NULL, $hints); + } else { + $authurl = '/' . $config->getBaseURL() . $idpmetadata['auth']; + + SimpleSAML_Utilities::redirect($authurl, array( + 'RelayState' => $redirectTo, + 'AuthId' => $authId, + 'protocol' => 'shib13', + )); + } /* * We got an request, and we hav a valid session. Then we send an AuthenticationResponse back to the |