Révision dd54aff9
Ajouté par Assos Assos il y a plus de 10 ans
| htmltest/sites/all/modules/ldap/ldap_sso/ldap_sso.module | ||
|---|---|---|
| 26 | 26 |
* Implements hook_user_logout(). |
| 27 | 27 |
* |
| 28 | 28 |
* The user just logged out. |
| 29 |
* |
|
| 30 | 29 |
*/ |
| 31 |
|
|
| 32 | 30 |
function ldap_sso_user_logout($account) {
|
| 33 | 31 |
$auth_conf = ldap_authentication_get_valid_conf(); |
| 34 | 32 |
if ($auth_conf->seamlessLogin == 1) {
|
| 35 | 33 |
$cookie_string = 'do not auto login'; |
| 36 |
$cookie_timeout = (int)$auth_conf->cookieExpire; |
|
| 34 |
$cookie_timeout = (int) $auth_conf->cookieExpire;
|
|
| 37 | 35 |
setcookie('seamless_login', $cookie_string, (($cookie_timeout == -1) ? 0 : $cookie_timeout + time()), base_path(), "");
|
| 38 | 36 |
ldap_servers_set_globals('_SESSION', 'seamless_login', $cookie_string);
|
| 39 | 37 |
} |
| ... | ... | |
| 41 | 39 |
|
| 42 | 40 |
/** |
| 43 | 41 |
* Implements hook_boot(). |
| 44 |
* Perform setup tasks. This entry point is used because hook_user_load no |
|
| 45 |
* longer runs on anonymous users, and hook_boot is guaranteed to run, |
|
| 46 |
* regardless of cache |
|
| 42 |
* |
|
| 43 |
* Perform setup tasks. This entry point is used because hook_user_load no |
|
| 44 |
* longer runs on anonymous users, and hook_boot is guaranteed to run, |
|
| 45 |
* regardless of cache. |
|
| 47 | 46 |
*/ |
| 48 | 47 |
function ldap_sso_boot() {
|
| 49 | 48 |
|
| ... | ... | |
| 55 | 54 |
module_load_include('module', 'ldap_servers');
|
| 56 | 55 |
|
| 57 | 56 |
if (!(isset($_COOKIE['seamless_login'])) || $_COOKIE['seamless_login'] == 'auto login') {
|
| 58 |
if ((arg(0) == 'user' && !(is_numeric(arg(1)))) || arg(0) == 'logout' ) {
|
|
| 57 |
if ((arg(0) == 'user' && !(is_numeric(arg(1)))) || arg(0) == 'logout') {
|
|
| 59 | 58 |
return; |
| 60 | 59 |
} |
| 61 | 60 |
else {
|
| 62 |
if (isset($_COOKIE['seamless_login_attempted'])) |
|
| 61 |
if (isset($_COOKIE['seamless_login_attempted'])) {
|
|
| 63 | 62 |
$login_attempted = $_COOKIE['seamless_login_attempted']; |
| 63 |
} |
|
| 64 | 64 |
else {
|
| 65 | 65 |
$login_attempted = FALSE; |
| 66 | 66 |
} |
| 67 | 67 |
|
| 68 |
require_once(DRUPAL_ROOT . '/includes/common.inc');
|
|
| 69 |
require_once(DRUPAL_ROOT . '/includes/path.inc');
|
|
| 68 |
require_once DRUPAL_ROOT . '/includes/common.inc';
|
|
| 69 |
require_once DRUPAL_ROOT . '/includes/path.inc';
|
|
| 70 | 70 |
$ldap_authentication_conf = variable_get('ldap_authentication_conf', array());
|
| 71 | 71 |
|
| 72 | 72 |
if (isset($ldap_authentication_conf['seamlessLogin']) && $ldap_authentication_conf['seamlessLogin'] == 1 && ($login_attempted != 'true')) {
|
| ... | ... | |
| 74 | 74 |
setcookie("seamless_login_attempted", 'true', 0, base_path(), "");
|
| 75 | 75 |
} |
| 76 | 76 |
else {
|
| 77 |
setcookie('seamless_login_attempted', 'true', time() + (int)$ldap_authentication_conf['cookieExpire'], base_path(), "");
|
|
| 77 |
setcookie('seamless_login_attempted', 'true', time() + (int) $ldap_authentication_conf['cookieExpire'], base_path(), "");
|
|
| 78 | 78 |
} |
| 79 | 79 |
ldap_servers_set_globals('_SESSION', 'seamless_login_attempted', $login_attempted);
|
| 80 |
// removed with http://drupal.org/node/1485118 patch |
|
| 81 |
//$ldap_sso_q = (!isset($_GET['q']) || $_GET['q'] == '') ? 'user' : $_GET['q']; |
|
| 82 |
//drupal_goto('user/login/sso', array('query' => array('destination' => rawurlencode($ldap_sso_q))));
|
|
| 80 |
|
|
| 83 | 81 |
drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE); |
| 84 |
if (ldap_sso_path_excluded_from_sso()) { // seems redundant, but need to check this again after additional bootstrap
|
|
| 82 |
// Seems redundant, but need to check this again after additional |
|
| 83 |
// bootstrap. |
|
| 84 |
if (ldap_sso_path_excluded_from_sso()) {
|
|
| 85 | 85 |
return; |
| 86 | 86 |
} |
| 87 | 87 |
// Add the query key to the drupal_goto() options array only if there |
| ... | ... | |
| 89 | 89 |
$options = array(); |
| 90 | 90 |
$destination = drupal_get_destination(); |
| 91 | 91 |
if (!empty($destination['destination'])) {
|
| 92 |
$options['query'] = $destination;
|
|
| 93 |
}
|
|
| 92 |
$options['query'] = $destination; |
|
| 93 |
} |
|
| 94 | 94 |
drupal_goto('user/login/sso', $options);
|
| 95 | 95 |
} |
| 96 | 96 |
else {
|
| ... | ... | |
| 101 | 101 |
} |
| 102 | 102 |
} |
| 103 | 103 |
|
| 104 |
/** |
|
| 105 |
* Default excluded paths. |
|
| 106 |
*/ |
|
| 104 | 107 |
function ldap_sso_default_excluded_paths() {
|
| 105 | 108 |
return array( |
| 106 |
'admin/config/search/clean-urls/check' |
|
| 109 |
'admin/config/search/clean-urls/check',
|
|
| 107 | 110 |
); |
| 108 | 111 |
} |
| 112 |
|
|
| 113 |
/** |
|
| 114 |
* Paths excluded from SSO. |
|
| 115 |
*/ |
|
| 109 | 116 |
function ldap_sso_path_excluded_from_sso($path = FALSE) {
|
| 110 | 117 |
module_load_include('module', 'ldap_servers');
|
| 111 | 118 |
$result = FALSE; |
| 112 | 119 |
if ($path) {
|
| 113 |
// don't derive
|
|
| 120 |
// Don't derive.
|
|
| 114 | 121 |
} |
| 115 | 122 |
elseif (ldap_servers_get_globals('_SERVER', 'PHP_SELF') == '/index.php') {
|
| 116 | 123 |
$path = $_GET['q']; |
| 117 | 124 |
} |
| 118 | 125 |
else {
|
| 119 |
$path = ltrim(ldap_servers_get_globals('_SERVER', 'PHP_SELF'), '/'); // cron.php, etc.
|
|
| 126 |
// Cron.php, etc. |
|
| 127 |
$path = ltrim(ldap_servers_get_globals('_SERVER', 'PHP_SELF'), '/');
|
|
| 120 | 128 |
} |
| 121 |
|
|
| 129 |
|
|
| 122 | 130 |
if (in_array($path, ldap_sso_default_excluded_paths())) {
|
| 123 | 131 |
return TRUE; |
| 124 | 132 |
} |
| 125 |
|
|
| 133 |
|
|
| 126 | 134 |
$ldap_authentication_conf = variable_get('ldap_authentication_conf', array());
|
| 127 | 135 |
|
| 128 | 136 |
if (isset($ldap_authentication_conf['ssoExcludedHosts']) && is_array($ldap_authentication_conf['ssoExcludedHosts'])) {
|
| ... | ... | |
| 133 | 141 |
} |
| 134 | 142 |
} |
| 135 | 143 |
} |
| 136 |
|
|
| 137 | 144 |
|
| 138 | 145 |
if (isset($ldap_authentication_conf['ssoExcludedPaths'])) {
|
| 139 |
$patterns = join("\r\n", $ldap_authentication_conf['ssoExcludedPaths']);
|
|
| 146 |
$patterns = implode("\r\n", $ldap_authentication_conf['ssoExcludedPaths']);
|
|
| 140 | 147 |
if ($patterns) {
|
| 141 | 148 |
if (function_exists('drupal_get_path_alias')) {
|
| 142 | 149 |
$path = drupal_get_path_alias($path); |
| ... | ... | |
| 144 | 151 |
$path = (function_exists('drupal_strtolower')) ? drupal_strtolower($path) : strtolower($path);
|
| 145 | 152 |
|
| 146 | 153 |
$to_replace = array( |
| 147 |
'/(\r\n?|\n)/', // newlines |
|
| 148 |
'/\\\\\*/', // asterisks |
|
| 149 |
'/(^|\|)\\\\<front\\\\>($|\|)/' // <front> |
|
| 154 |
// Newlines. |
|
| 155 |
'/(\r\n?|\n)/', |
|
| 156 |
// Asterisks. |
|
| 157 |
'/\\\\\*/', |
|
| 158 |
// <front>. |
|
| 159 |
'/(^|\|)\\\\<front\\\\>($|\|)/', |
|
| 150 | 160 |
); |
| 151 | 161 |
$replacements = array( |
| 152 | 162 |
'|', |
| 153 | 163 |
'.*', |
| 154 |
'\1' . preg_quote(variable_get('site_frontpage', 'node'), '/') . '\2'
|
|
| 164 |
'\1' . preg_quote(variable_get('site_frontpage', 'node'), '/') . '\2',
|
|
| 155 | 165 |
); |
| 156 | 166 |
$patterns_quoted = preg_quote($patterns, '/'); |
| 157 | 167 |
$regex = '/^(' . preg_replace($to_replace, $replacements, $patterns_quoted) . ')$/';
|
| 158 |
$result = (bool)preg_match($regex, $path); |
|
| 168 |
$result = (bool) preg_match($regex, $path);
|
|
| 159 | 169 |
} |
| 160 | 170 |
} |
| 161 | 171 |
|
| ... | ... | |
| 165 | 175 |
|
| 166 | 176 |
|
| 167 | 177 |
/** |
| 168 |
* A proxy function for the actual authentication routine. This is in place |
|
| 169 |
* so various implementations of grabbing NTLM credentials can be used and |
|
| 170 |
* selected from an administration page. This is the real gatekeeper since |
|
| 171 |
* this assumes that any NTLM authentication from the underlying web server |
|
| 172 |
* is good enough, and only checks that there are values in place for the |
|
| 178 |
* A proxy function for the actual authentication routine. |
|
| 179 |
* |
|
| 180 |
* This is in place so various implementations of grabbing NTLM credentials can |
|
| 181 |
* be used and selected from an administration page. This is the real gatekeeper |
|
| 182 |
* since this assumes that any NTLM authentication from the underlying web |
|
| 183 |
* server is good enough, and only checks that there are values in place for the |
|
| 173 | 184 |
* user name, and anything else that is set for a particular implementation. In |
| 174 | 185 |
* the case that there are no credentials set by the underlying web server, the |
| 175 | 186 |
* user is redirected to the normal user login form. |
| 176 |
* |
|
| 177 |
* @return false |
|
| 178 | 187 |
*/ |
| 179 | 188 |
function ldap_sso_user_login_sso() {
|
| 180 | 189 |
|
| ... | ... | |
| 188 | 197 |
'!server_remote_user' => @$_SERVER['REMOTE_USER'], |
| 189 | 198 |
'!server_redirect_remote_user' => @$_SERVER['REDIRECT_REMOTE_USER'], |
| 190 | 199 |
'!ssoRemoteUserStripDomainName' => $auth_conf->ssoRemoteUserStripDomainName, |
| 191 |
'!seamlessLogin' => $auth_conf->seamlessLogin |
|
| 200 |
'!seamlessLogin' => $auth_conf->seamlessLogin,
|
|
| 192 | 201 |
); |
| 193 | 202 |
|
| 194 | 203 |
watchdog( |
| ... | ... | |
| 199 | 208 |
); |
| 200 | 209 |
} |
| 201 | 210 |
|
| 202 |
/** |
|
| 203 |
* Step 1. Derive $remote_user, $realm, and $domain from $_SERVER variable |
|
| 204 |
*/ |
|
| 211 |
// Step 1. Derive $remote_user, $realm, and $domain from $_SERVER variable. |
|
| 205 | 212 |
$remote_user = NULL; |
| 206 | 213 |
$realm = NULL; |
| 207 | 214 |
$domain = NULL; |
| 208 | 215 |
|
| 209 | 216 |
switch ($auth_conf->ldapImplementation) {
|
| 210 |
case 'mod_auth_sspi' :
|
|
| 217 |
case 'mod_auth_sspi': |
|
| 211 | 218 |
$remote_user = FALSE; |
| 212 | 219 |
if ($remote_user = ldap_servers_get_globals('_SERVER', 'REMOTE_USER')) {
|
| 213 | 220 |
} |
| ... | ... | |
| 216 | 223 |
} |
| 217 | 224 |
break; |
| 218 | 225 |
|
| 219 |
case 'mod_auth_kerb' :
|
|
| 226 |
case 'mod_auth_kerb': |
|
| 220 | 227 |
if ($remote_user = ldap_servers_get_globals('_SERVER', 'REMOTE_USER')) {
|
| 221 | 228 |
} |
| 222 | 229 |
else {
|
| ... | ... | |
| 225 | 232 |
|
| 226 | 233 |
if ($remote_user && preg_match('/^([A-Za-z0-9_\-\.]+)@([A-Za-z0-9_\-.]+)$/', $remote_user, $matches)) {
|
| 227 | 234 |
$remote_user = $matches[1]; |
| 228 |
$realm = $matches[2]; // This can be used later if realms is ever supported properly |
|
| 235 |
// This can be used later if realms is ever supported properly. |
|
| 236 |
$realm = $matches[2]; |
|
| 229 | 237 |
} |
| 230 | 238 |
break; |
| 231 | 239 |
} |
| ... | ... | |
| 237 | 245 |
$watchdog_tokens, WATCHDOG_DEBUG); |
| 238 | 246 |
} |
| 239 | 247 |
|
| 240 |
|
|
| 241 | 248 |
if ($remote_user) {
|
| 242 | 249 |
if ($auth_conf->ssoRemoteUserStripDomainName) {
|
| 243 |
// might be in form <remote_user>@<domain> or <domain>\<remote_user>
|
|
| 250 |
// Might be in form <remote_user>@<domain> or <domain>\<remote_user>.
|
|
| 244 | 251 |
$domain = NULL; |
| 245 | 252 |
$exploded = preg_split('/[\@\\\\]/', $remote_user);
|
| 246 | 253 |
if (count($exploded) == 2) {
|
| ... | ... | |
| 274 | 281 |
'sso_login' => TRUE, |
| 275 | 282 |
); |
| 276 | 283 |
|
| 277 |
// Make sure we're populating the global user object so that we can log this user in. |
|
| 284 |
// Make sure we're populating the global user object so that we can log this |
|
| 285 |
// user in. |
|
| 278 | 286 |
global $user; |
| 279 | 287 |
$user = ldap_authentication_user_login_authenticate_validate(array(), $fake_form_state, TRUE); |
| 280 | 288 |
|
| ... | ... | |
| 295 | 303 |
ldap_servers_set_globals('_SESSION', 'seamless_login', 'auto login');
|
| 296 | 304 |
setcookie("seamless_login_attempted", '');
|
| 297 | 305 |
ldap_servers_delete_globals('_SESSION', 'seamless_login_attempted');
|
| 298 |
// Make sure we tell Drupal to create the session cookie for this authenticated user.
|
|
| 299 |
|
|
| 306 |
// Make sure we tell Drupal to create the session cookie for this |
|
| 307 |
// authenticated user. |
|
| 300 | 308 |
} |
| 301 | 309 |
user_login_finalize(); |
| 302 | 310 |
if ($auth_conf->ssoNotifyAuthentication) {
|
| ... | ... | |
| 316 | 324 |
setcookie("seamless_login", 'do not auto login', time() + $auth_conf->cookieExpire, base_path(), "");
|
| 317 | 325 |
ldap_servers_set_globals('_SESSION', 'seamless_login', 'do not auto login');
|
| 318 | 326 |
} |
| 319 |
drupal_set_message(theme('ldap_authentication_message_not_found',
|
|
| 320 |
array('message' => t('Sorry, your LDAP credentials were not found, ' .
|
|
| 321 |
'or the LDAP server is not available. You may log in ' . |
|
| 322 |
'with other credentials on the !user_login_form.', |
|
| 323 |
array('!user_login_form' => l(t('user login form'), 'user/login'))))
|
|
| 327 |
drupal_set_message(theme('ldap_authentication_message_not_found', array(
|
|
| 328 |
'message' => t('Sorry, your LDAP credentials were not found, or the LDAP server is not available. You may log in with other credentials on the !user_login_form.',
|
|
| 329 |
array('!user_login_form' => l(t('user login form'), 'user/login'))))
|
|
| 324 | 330 |
), 'error'); |
| 325 | 331 |
if ($detailed_watchdog_log) {
|
| 326 | 332 |
watchdog('ldap_authentication', 'ldap_sso_user_login_sso.remote_user.user_fail.drupal_goto user/logint', $watchdog_tokens, WATCHDOG_DEBUG);
|
| ... | ... | |
| 329 | 335 |
} |
| 330 | 336 |
} |
| 331 | 337 |
else {
|
| 332 |
watchdog('ldap_authentication', '$_SERVER[\'REMOTE_USER\'] not found', array(), WATCHDOG_DEBUG);
|
|
| 338 |
if ($detailed_watchdog_log) {
|
|
| 339 |
watchdog('ldap_authentication', '$_SERVER[\'REMOTE_USER\'] not found', array(), WATCHDOG_DEBUG);
|
|
| 340 |
} |
|
| 333 | 341 |
if ($auth_conf->seamlessLogin == 1) {
|
| 334 | 342 |
setcookie("seamless_login", 'do not auto login', time() + $auth_conf->cookieExpire, base_path(), "");
|
| 335 | 343 |
ldap_servers_set_globals('_SESSION', 'seamless_login', 'do not auto login');
|
| ... | ... | |
| 337 | 345 |
watchdog('ldap_authentication', 'ldap_sso_user_login_sso.no_remote_user.seamlessLogin', $watchdog_tokens, WATCHDOG_DEBUG);
|
| 338 | 346 |
} |
| 339 | 347 |
} |
| 340 |
drupal_set_message(theme('ldap_authentication_message_not_authenticated',
|
|
| 341 |
array('message' =>
|
|
| 342 |
t('You were not authenticated by the server.
|
|
| 343 |
You may log in with your credentials below.') |
|
| 344 |
) |
|
| 345 |
), 'error'); |
|
| 348 |
drupal_set_message(theme('ldap_authentication_message_not_authenticated', array(
|
|
| 349 |
'message' => t('You were not authenticated by the server. You may log in with your credentials below.'),
|
|
| 350 |
)), 'error'); |
|
| 346 | 351 |
if ($detailed_watchdog_log) {
|
| 347 | 352 |
watchdog('ldap_authentication', 'ldap_sso_user_login_sso.no_remote_user.drupal_goto user/login', $watchdog_tokens, WATCHDOG_DEBUG);
|
| 348 | 353 |
} |
| ... | ... | |
| 352 | 357 |
|
| 353 | 358 |
|
| 354 | 359 |
/** |
| 355 |
* used to mock $_SERVER, $_SESSION, etc globals for simpletests |
|
| 356 |
* @param string $global_type = _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST |
|
| 357 |
* @param string $key such as 'SERVER_ADDR', 'SERVER_PROTOCAL', etc. |
|
| 358 |
* @param boolean $only_mock_values signifying, don't get actual values when mock values don't exist |
|
| 360 |
* Used to mock $_SERVER, $_SESSION, etc globals for simpletests. |
|
| 359 | 361 |
* |
| 360 |
* @return mixed value of ldap_simpletest_globals variable for global and key |
|
| 361 |
* or $_SERVER[][], $_ENV[][], etv value if not in a simpletes or mock variable not available |
|
| 362 |
* @param string $global_type |
|
| 363 |
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST. |
|
| 364 |
* @param string $key |
|
| 365 |
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc. |
|
| 366 |
* @param bool $only_mock_values |
|
| 367 |
* Don't get actual values when mock values don't exist. |
|
| 362 | 368 |
* |
| 363 |
* */ |
|
| 364 |
|
|
| 369 |
* @return mixed |
|
| 370 |
* ldap_simpletest_globals variable for global and key or $_SERVER[][], |
|
| 371 |
* $_ENV[][], etv value if not in a simpletest or mock variable not available. |
|
| 372 |
*/ |
|
| 365 | 373 |
function ldap_servers_get_globals($global_type, $key, $only_mock_values = FALSE) {
|
| 366 | 374 |
$simpletest_globals = variable_get('ldap_simpletest_globals', array());
|
| 367 | 375 |
$simpletest = variable_get('ldap_simpletest', FALSE);
|
| ... | ... | |
| 369 | 377 |
if ($simpletest && (isset($simpletest_globals[$global_type][$key]) || $only_mock_values)) {
|
| 370 | 378 |
return ($simpletest_globals[$global_type][$key]) ? $simpletest_globals[$global_type][$key] : NULL; |
| 371 | 379 |
} |
| 372 |
else {
|
|
| 380 |
else {
|
|
| 373 | 381 |
return (isset($GLOBALS[$global_type][$key]) && !$only_mock_values) ? $GLOBALS[$global_type][$key] : NULL; |
| 374 | 382 |
} |
| 375 | 383 |
|
| 376 | 384 |
} |
| 377 | 385 |
|
| 386 |
/** |
|
| 387 |
* Set globals. |
|
| 388 |
* |
|
| 389 |
* @param string $global_type |
|
| 390 |
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST. |
|
| 391 |
* @param string $key |
|
| 392 |
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc. |
|
| 393 |
* @param string $value |
|
| 394 |
* The value to be set. |
|
| 395 |
*/ |
|
| 378 | 396 |
function ldap_servers_set_globals($global_type, $key, $value) {
|
| 379 | 397 |
$simpletest_globals = variable_get('ldap_simpletest_globals', array());
|
| 380 | 398 |
$simpletest = variable_get('ldap_simpletest', FALSE);
|
| ... | ... | |
| 388 | 406 |
|
| 389 | 407 |
} |
| 390 | 408 |
|
| 409 |
/** |
|
| 410 |
* Delete globals. |
|
| 411 |
* |
|
| 412 |
* @param string $global_type |
|
| 413 |
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST. |
|
| 414 |
* @param string $key |
|
| 415 |
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc. |
|
| 416 |
* @param bool $only_mock_values |
|
| 417 |
* Don't get actual values when mock values don't exist. |
|
| 418 |
*/ |
|
| 391 | 419 |
function ldap_servers_delete_globals($global_type, $key, $only_mock_values = FALSE) {
|
| 392 | 420 |
$simpletest_globals = variable_get('ldap_simpletest_globals', array());
|
| 393 | 421 |
$simpletest = variable_get('ldap_simpletest', FALSE);
|
| ... | ... | |
| 400 | 428 |
} |
| 401 | 429 |
|
| 402 | 430 |
} |
| 403 |
|
|
Formats disponibles : Unified diff
Weekly update of contrib modules