
/plugins/sfShibbolethPlugin/trunk/modules/sfShibbolethAuth/actions/actions.class.php


root/plugins/sfShibbolethPlugin/trunk/modules/sfShibbolethAuth/actions/actions.class.php

Revision 15116, 4.5 kB (checked in by agilbert, 4 years ago)

enforceLoginOnSecure now works even if it's a subdir of https:// that is shibbed and not the entire secure side.

1 <?php
2
3 /**
4  * Shibboleth support module.
5  *
6  * This module's job is simply to (a) simulate Shibboleth well enough
7  * to exercise the Shibboleth filter, and (b) in real production
8  * with real Shibboleth, act as a landing point that redirects to
9  * the more interesting URL of your choice after login.
10  *
11  * The principle here: in production Shibboleth should be configured to protect
12  * this module's URL (via a <Location> block).
13  *
14  * If login_on_secure is true (which is typical in production environments,
15  * because Shibboleth usually isn't set up to protect non-secure pages),
16  * attempts to reach executeLogin or executeLogout via an http URL get
17  * kicked over to the https version of the same URL.
18  *
19  * This is NOT the place to call sfGuard's signIn. That logic belongs in the
20  * Shibboleth filter.
21  *
22  */
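class sfShibbolethAuthActions extends sfActions
{
  // Session attribute names shared by executeLogin (writer) and executeLogout
  // (clearer). executeLogout used to clear differently-spelled attributes
  // (sf_shibboleth_*), so a fake dev login was never actually purged.
  const ATTR_FAKE_USER         = 'sfShibboleth_fake_user';
  const ATTR_FAKE_DISPLAY_NAME = 'sfShibboleth_fake_display_name';
  const ATTR_AFTER             = 'sfShibboleth_after';

  /**
   * Login landing point.
   *
   * In production (app_sfShibboleth_fake off) this URL is expected to be
   * protected by Shibboleth, so REMOTE_USER is already set when the action
   * runs; its only job is to redirect to the URL stored in the
   * 'sfShibboleth_after' user attribute (default '@homepage'). If REMOTE_USER
   * is absent the URL is not really shibbed and the 'Misconfigured' view is
   * shown instead of redirecting.
   *
   * In development (app_sfShibboleth_fake on) the developer picks one of the
   * users declared in app_sfShibboleth_fake_users; the choice is stored in the
   * 'sfShibboleth_fake_user' / 'sfShibboleth_fake_display_name' attributes,
   * which exercise the Shibboleth filter the same way real Shibboleth would.
   *
   * With app_sfShibboleth_login_on_secure set, a plain-http request is first
   * bounced to the https version of this URL (see enforceLoginOnSecure).
   *
   * @return mixed view name, or the result of redirect()/forward404()
   */
  public function executeLogin()
  {
    if ($this->enforceLoginOnSecure() !== false)
    {
      return;
    }

    $sfUser = $this->getUser();

    if (sfConfig::get('app_sfShibboleth_fake', false))
    {
      $fakeUsers = sfConfig::get('app_sfShibboleth_fake_users', false);
      if (!$fakeUsers)
      {
        return $this->forward404();
      }

      // Choices for the fake user picker template
      $this->options = array();
      foreach ($fakeUsers as $id => $data)
      {
        $this->options[$id] = $data['display_name'];
      }

      if (!$this->hasRequestParameter('fake_user'))
      {
        // Display the fake user picker
        return sfView::SUCCESS;
      }

      // Only ids declared in app.yml are accepted; any other value coming
      // from the request is a 404, never a session attribute.
      $fakeUser = $this->getRequestParameter('fake_user');
      if (!isset($fakeUsers[$fakeUser]))
      {
        return $this->forward404();
      }
      $sfUser->setAttribute(self::ATTR_FAKE_USER, $fakeUser);
      $sfUser->setAttribute(self::ATTR_FAKE_DISPLAY_NAME, $fakeUsers[$fakeUser]['display_name']);
    }
    elseif (!isset($_SERVER['REMOTE_USER']))
    {
      // Real mode, but the web server did not put Shibboleth in front of us
      return 'Misconfigured';
    }

    // TBB: @homepage rather than /, which doesn't work properly
    $after = $sfUser->getAttribute(self::ATTR_AFTER, '@homepage');
    $sfUser->setAttribute(self::ATTR_AFTER, null);
    return $this->redirect($after);
  }

  /**
   * Signs the user out of Symfony, then out of Shibboleth.
   *
   * In production the Shibboleth half is a redirect to the logout URL in
   * app_sfShibboleth_logout, which defaults to <uri prefix>/Shibboleth.sso/Logout.
   * If your Apache configuration uses a different logout URL, set it in app.yml.
   *
   * In development this clears the fake-auth attributes written by
   * executeLogin and goes home. Real Shibboleth webauth systems usually dump
   * you on an external "goodbye" page instead, but going home in dev is a
   * good test that the Symfony-layer signout actually worked.
   *
   * @return mixed the result of redirect()
   */
  public function executeLogout()
  {
    if ($this->enforceLoginOnSecure() !== false)
    {
      return;
    }

    $sfUser = $this->getUser();
    if ($sfUser)
    {
      $sfUser->signOut();
    }

    if (!sfConfig::get('app_sfShibboleth_fake', false))
    {
      // The fallback URL used to be passed as redirect()'s second argument,
      // where it is not a fallback; it belongs to sfConfig::get(), otherwise an
      // unset app_sfShibboleth_logout redirects to an empty URL.
      $to = sfConfig::get('app_sfShibboleth_logout',
        $this->getRequest()->getUriPrefix() . '/Shibboleth.sso/Logout');
      return $this->redirect($to);
    }

    if ($sfUser)
    {
      $sfUser->setAttribute(self::ATTR_FAKE_USER, null);
      $sfUser->setAttribute(self::ATTR_FAKE_DISPLAY_NAME, null);
    }
    // @homepage works, / doesn't (at least not in all routing setups)
    return $this->redirect('@homepage');
  }

  /**
   * When app_sfShibboleth_login_on_secure is on, bounces a plain-http request
   * for this module to the https version of the same URL.
   *
   * The absolute URL is built by the routing system for the current
   * module/action (so it works when the shibbed area is only a subdirectory of
   * the https site), and only the scheme is rewritten. Previously the target
   * was hard-coded to sfShibbolethAuth/login, so an http logout request was
   * turned into a login, contrary to the module's documented behaviour.
   *
   * @return mixed false when nothing was done (setting off, or request already
   *               https); otherwise the result of redirect(), which callers
   *               test with `!== false` and then bail out
   */
  private function enforceLoginOnSecure()
  {
    if (!sfConfig::get('app_sfShibboleth_login_on_secure', false))
    {
      return false;
    }

    if ($this->getRequest()->isSecure())
    {
      return false;
    }

    $route = $this->getModuleName() . '/' . $this->getActionName();
    $url   = $this->getController()->genUrl($route, true);
    $url   = preg_replace('/^http:/', 'https:', $url);
    return $this->redirect($url);
  }
}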