Open Journal Systems: plugins/implicitAuth/shibboleth/ShibAuthPlugin.inc.php Source File

00001 <?php
00002 
00003 import('classes.plugins.ImplicitAuthPlugin');
00004 
00005 class ShibAuthPlugin extends ImplicitAuthPlugin {
00006 
00007    function register($category, $path) {
00008    
00009       // We use the callback mechanism to call the implicitAuth function.
00010       //
00011       // If there ends up being another implicitAuth plugin - then this registration statement 
00012       // should be removed - so that the other plugin gets called
00013       
00014       HookRegistry::register('ImplicitAuthPlugin::implicitAuth', array(&$this, 'implicitAuth'));
00015          
00016       $success = parent::register($category, $path);
00017       $this->addLocaleData();
00018       return $success;
00019    }
00020    
00021    
00022    function getName() {
00023       return "ShibAuthPlugin";
00024    }
00025 
00026    function getDisplayName() {
00027       return Locale::translate('plugins.implicitAuth.shibboleth.displayName');
00028    }  
00029    
00030    function getDescription() {
00031       return Locale::translate('plugins.implicitAuth.shibboleth.description');
00032    }
00033    
00034    
00039    function isSitePlugin() {
00040       return true;
00041    }
00042    
00043    // Log a user in after they have been authenticated via Shibboleth
00044    
00045    function implicitAuth($hookname, $args) { 
00046    
00047          // Set retuser to point to the user that was passed by reference
00048          
00049          $retuser =& $args[0];
00050                   
00051          // Get the name of the field to use a UIN (primary key) from config file
00052          
00053          $uin = Config::getVar('security', 'implicit_auth_header_uin'); // For TDL this is HTTP_TDL_TDLUID
00054          
00055          if ($uin == "") 
00056             die("Implicit Auth enabled in config file - but implicit_auth_uin not defined.");
00057 
00058          // If we can't find the user's UIN - this is a problem - send back to login screen (for the lack of something better to do)
00059          
00060          if (!isset($_SERVER[$uin])) {
00061 
00062             syslog(LOG_ERR, "Implicit Auth enabled in config file - but expected header variables not found.");
00063          
00064             Validation::logout();
00065             Validation::redirectLogin();
00066          }
00067          
00068          // Get the header variable indicated by the config variable
00069             
00070          $uid = $_SERVER[$uin];     
00071          
00072          // If we dont have a UIN in the header then we can't continue - so send them back to the login screen.
00073 
00074          if ($uid == null) {
00075             
00076             Validation::logout();
00077             Validation::redirectLogin();
00078          }
00079             
00080          // Get email from header -- after consulting the map 
00081          
00082          $email_key = Config::getVar('security', 'implicit_auth_header_email');
00083          
00084          if ($email_key == "") 
00085             die("Implicit Auth enabled in config file - but email is not defined.");
00086          
00087          $email = $_SERVER[$email_key];
00088          
00089          // Get the user dao - so we can look up the user
00090          
00091          $userDao = &DAORegistry::getDAO('UserDAO');
00092    
00093          // Get user by auth string
00094          
00095          $user = &$userDao->getUserByAuthStr($uid, true);   
00096          
00097          if (isset($user)) {
00098             syslog(LOG_ERR, "Found user by uid: " . $uid . " Returning user.");
00099             syslog(LOG_ERR, "Users UID: " . $user->getAuthStr());
00100             
00101             // Go see if this user should be an admin
00102             
00103             ShibAuthPlugin::implicitAuthAdmin($user->getUserId(), $user->getAuthStr());
00104             $retuser = $user;
00105             
00106             syslog(LOG_ERR, " In ShibAuthPlugin username: " . $retuser->getUsername());
00107             return true;
00108          }
00109             
00110 
00111          // If we were not succsessful getting user by UIN - see if we can get the user by email.
00112          // If we find a user with this email - but with an existing UID - then this is a problem
00113             
00114          $user = &$userDao->getUserByEmail($email);
00115          
00116          if (isset($user)) {
00117                      
00118             if ($user->getAuthStr() != "") {
00119                unset($user);
00120                die("Implicit Auth: New email with existing UID");
00121             }
00122             
00123             $user->setAuthStr($uid);
00124             $userDao->updateUser($user);
00125             
00126             // Go see if this user should be made an admin
00127             
00128             ShibAuthPlugin::implicitAuthAdmin($user->getUserId(), $user->getAuthStr());
00129             
00130             $retuser = $user;
00131             return true;
00132          }
00133          
00134          // User not found via UID or by email - so they are new - so just create them
00135          
00136          $user = $this->registerUserFromShib(); 
00137          
00138          // Go see if this new user should be made an admin
00139          
00140          ShibAuthPlugin::implicitAuthAdmin($user->getUserId(), $user->getAuthStr());      
00141          
00142          $retuser = $user;
00143          
00144          return true;
00145    }
00146    
00147    
00152    function registerUserFromShib() {
00153 
00154       // Grab the names of the header fields from the config file
00155       
00156       $uin = Config::getVar('security', 'implicit_auth_header_uin'); // For TDL this is HTTP_TDL_TDLUID
00157          
00158       $first_name = Config::getVar('security', 'implicit_auth_header_first_name');
00159       $last_name = Config::getVar('security', 'implicit_auth_header_last_name');
00160       $email = Config::getVar('security', 'implicit_auth_header_email');
00161       $phone = Config::getVar('security', 'implicit_auth_header_phone');
00162       $initials = Config::getVar('security', 'implicit_auth_header_initials');
00163       $mailing_address = Config::getVar('security', 'implicit_auth_header_mailing_address');
00164       $uin = Config::getVar('security', 'implicit_auth_header_uin');
00165       
00166       // Create a new user object and set it's fields from the header variables
00167       
00168       $user = &new User();
00169       
00170       $user->setAuthStr($_SERVER[$uin]);
00171 
00172       $user->setUsername($_SERVER[$email]); # Mail is userid
00173       
00174       $user->setFirstName($_SERVER[$first_name]);
00175       $user->setLastName($_SERVER[$last_name]);
00176       $user->setEmail($_SERVER[$email]);
00177       $user->setPhone($_SERVER[$phone]);
00178       $user->setMailingAddress($_SERVER[$mailing_address]);
00179       $user->setDateRegistered(Core::getCurrentDate());
00180 
00181       // Set the user's  password to their email address. This may or may not be necessary 
00182       
00183       $email = Config::getVar('security', 'implicit_auth_header_email');
00184       $user->setPassword(Validation::encryptCredentials($email, $email . 'pass'));
00185 
00186       // Now go insert the user in the db
00187       
00188       $userDao = &DAORegistry::getDAO('UserDAO');
00189       
00190       $userDao->insertUser($user); 
00191    
00192       $userId = $user->getUserId();
00193       
00194       if (!$userId) {
00195          return false;
00196       }
00197 
00198       // Go put the user into the session and return it.
00199       
00200       $sessionManager = &SessionManager::getManager();
00201       $session = &$sessionManager->getUserSession();
00202       $session->setSessionVar('username', $user->getUsername());
00203 
00204       return $user;
00205    }  
00206    
00207    // If this user is in the list of admins then make sure they are set up as an admin.
00208    // If they are not in the list - make sure they are not an admin. This is so you can
00209    // take someone off the admin list - and their admin privelege will be revoked.
00210    
00211    function implicitAuthAdmin($userID, $authStr) {
00212    
00213       $adminstr=Config::getVar('security', "implicit_auth_admin_list");
00214       
00215       $adminlist=explode(" ", $adminstr);
00216             
00217       $key = array_search($authStr, $adminlist);
00218       
00219       $roleDao = &DAORegistry::getDAO('RoleDAO');
00220                
00221       // If they are in the list of users who should be admins
00222       
00223       if ($key !== false) {
00224       
00225          // and if they are not already an admin
00226          
00227          if(!$roleDao->roleExists(0, $userID, ROLE_ID_SITE_ADMIN)) {
00228 
00229             syslog(LOG_ERR, "Implicit Auth - Making Admin: " . $userID);
00230             
00231             // make them an admin
00232             
00233             $role = &new Role();
00234             $role->setJournalId(0);
00235             $role->setUserId($userID);
00236             $role->setRoleId(ROLE_ID_SITE_ADMIN);
00237             $roleDao->insertRole($role);  
00238          }
00239       } else {
00240          
00241          // If they are not in the admin list - then be sure they are not an admin in the role table
00242          
00243          syslog(LOG_ERR, "removing admin for: " . $userID);
00244          
00245          $roleDao->deleteRoleByUserId($userID,0, ROLE_ID_SITE_ADMIN);   
00246       }
00247    
00248    }
00249 }
00250 
00251 ?>