
CAS integration: added support for the JA-SIG Central Authentication Service (CAS), including log-off, using the phpCAS API.

git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@1280 a333f486-631f-4898-b8df-5754b55c2be0
dflaven 14 anni fa
parent
commit
17392797af

+ 2 - 2
application/itopwebpage.class.inc.php

@@ -144,7 +144,7 @@ class iTopWebPage extends NiceWebPage
 		// that the tabs aren't changed on click, and any custom event name can be
 		// specified. Note that if you define a callback for the 'select' event, it
 		// will be executed for the selected tab whenever the hash changes.
-		tabs.tabs({ event: 'change' });
+		tabs.tabs({ event: 'change'});
 	}
 	catch(err)
 	{
@@ -665,7 +665,7 @@ EOF
 		$sLogOffMenu = "<span id=\"logOffBtn\"><ul><li><img src=\"../images/onOffBtn.png\"><ul>";
 		$sLogOffMenu .= "<li><span>$sLogonMessage</span></li>\n";
 		
-		if (utils::CanLogOff() && UserRights::CanLogOff())
+		if (utils::CanLogOff())
 		{
 			//$sLogOffMenu .= "<li><a href=\"../pages/UI.php?loginop=logoff\">".Dict::S('UI:LogOffMenu')."</a></li>\n";
 			$sLogOffMenu .= "<li><a href=\"../pages/logoff.php\">".Dict::S('UI:LogOffMenu')."</a></li>\n";
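Review bot: Dropping `UserRights::CanLogOff()` from the condition on the new line removes the check that a user object is actually loaded — the deleted method returned false when `self::$m_oUser` was null — so the log-off entry now depends solely on `$_SESSION['login_mode']`, and `utils::CanLogOff()` in this same commit returns true for every mode except 'external'. If this page can be rendered without a loaded user, that case is no longer covered; if it cannot, a comment would save the next reader the trip, e.g. `// log-off availability is decided by the session's login mode only (utils::CanLogOff), no longer per user class`. The enclosing method starts and ends outside the hunk.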

+ 4 - 61
application/loginwebpage.class.inc.php

@@ -27,8 +27,9 @@ require_once(APPROOT."/application/nicewebpage.class.inc.php");
 /**
  * Web page used for displaying the login form
  */
+
 class LoginWebPage extends NiceWebPage
-{
+{	
     public function __construct()
     {
         parent::__construct("iTop Login");
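Review bot: The added blank line between the docblock and `class LoginWebPage extends NiceWebPage` detaches the `/** Web page used for displaying the login form */` comment from the class it documents, and the opening brace on the next line gained a trailing tab; the two lines should read `class LoginWebPage extends NiceWebPage` directly under the docblock followed by a bare `{`. The `utils::InitCASClient();` lines in the two later hunks of this file also carry trailing tabs. Nothing else in this hunk changes behaviour.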
@@ -93,36 +94,7 @@ EOF
 		switch($sLoginType)
 		{
 			case 'cas':
-			$sCASIncludePath =  MetaModel::GetConfig()->Get('cas_include_path');
-			include_once($sCASIncludePath.'/CAS.php');
-			
-			$bCASDebug = MetaModel::GetConfig()->Get('cas_debug');
-			if ($bCASDebug)
-			{
-				phpCAS::setDebug(APPROOT.'/error.log');
-			}
-			
-			// Initialize phpCAS
-			$sCASVersion = MetaModel::GetConfig()->Get('cas_version');
-			$sCASHost = MetaModel::GetConfig()->Get('cas_host');
-			$iCASPort = MetaModel::GetConfig()->Get('cas_port');
-			$sCASContext = MetaModel::GetConfig()->Get('cas_context');
-			phpCAS::client(CAS_VERSION_2_0, $sCASHost, $iCASPort, $sCASContext);
-			
-			$sCASCACertPath = MetaModel::GetConfig()->Get('cas_server_ca_cert_path');
-			if (empty($sCASCACertPath))
-			{
-				// If no certificate authority is provided, do not attempt to validate
-				// the server's certificate
-				// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION. 
-				// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL! 
-				phpCAS::setNoCasServerValidation();
-			}
-			else
-			{
-				phpCAS::setCasServerCACert($sCASCACertPath);
-			}
-			
+			utils::InitCASClient();					
 			// force CAS authentication
 			phpCAS::forceAuthentication(); // Will redirect the user and exit since the user is not yet authenticated
 			break;
@@ -277,36 +249,7 @@ EOF
 				switch($sLoginType)
 				{
 					case 'cas':
-					$sCASIncludePath =  MetaModel::GetConfig()->Get('cas_include_path');
-					include_once($sCASIncludePath.'/CAS.php');
-					
-					$bCASDebug = MetaModel::GetConfig()->Get('cas_debug');
-					if ($bCASDebug)
-					{
-						phpCAS::setDebug(APPROOT.'/error.log');
-					}
-					
-					// Initialize phpCAS
-					$sCASVersion = MetaModel::GetConfig()->Get('cas_version');
-					$sCASHost = MetaModel::GetConfig()->Get('cas_host');
-					$iCASPort = MetaModel::GetConfig()->Get('cas_port');
-					$sCASContext = MetaModel::GetConfig()->Get('cas_context');
-					phpCAS::client(CAS_VERSION_2_0, $sCASHost, $iCASPort, $sCASContext);
-					
-					$sCASCACertPath = MetaModel::GetConfig()->Get('cas_server_ca_cert_path');
-					if (empty($sCASCACertPath))
-					{
-						// If no certificate authority is provided, do not attempt to validate
-						// the server's certificate
-						// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION. 
-						// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL! 
-						phpCAS::setNoCasServerValidation();
-					}
-					else
-					{
-						phpCAS::setCasServerCACert($sCASCACertPath);
-					}
-					
+					utils::InitCASClient();					
 					// check CAS authentication
 					if (phpCAS::isAuthenticated())
 					{

+ 60 - 1
application/utils.inc.php

@@ -41,6 +41,7 @@ class utils
 {
 	private static $m_sConfigFile = ITOP_CONFIG_FILE;
 	private static $m_oConfig = null;
+	private static $m_bCASClient = false;
 
 	// Parameters loaded from a file, parameters of the page/command line still have precedence
 	private static $m_aParamsFromFile = null;
@@ -416,7 +417,65 @@ class utils
 	 */
 	static function CanLogOff()
 	{
-		return (isset($_SESSION['login_mode']) && $_SESSION['login_mode'] == 'form');
+		$bResult = false;
+		if(isset($_SESSION['login_mode']))
+		{
+			$sLoginMode = $_SESSION['login_mode'];
+			switch($sLoginMode)
+			{
+				case 'external':
+				$bResult = false;
+				break;
+	
+				case 'form':
+				case 'basic':
+				case 'url':
+				case 'cas':
+				default:
+				$bResult = true;
+				
+			}			
+		}
+		return $bResult;
 	}
+	
+	/**
+	 * Initializes the CAS client
+	 */
+	 static function InitCASClient()
+	 {
+		$sCASIncludePath =  MetaModel::GetConfig()->Get('cas_include_path');
+		include_once($sCASIncludePath.'/CAS.php');
+		
+		$bCASDebug = MetaModel::GetConfig()->Get('cas_debug');
+		if ($bCASDebug)
+		{
+			phpCAS::setDebug(APPROOT.'/error.log');
+		}
+		
+		if (!self::$m_bCASClient)
+		{
+			// Initialize phpCAS
+			$sCASVersion = MetaModel::GetConfig()->Get('cas_version');
+			$sCASHost = MetaModel::GetConfig()->Get('cas_host');
+			$iCASPort = MetaModel::GetConfig()->Get('cas_port');
+			$sCASContext = MetaModel::GetConfig()->Get('cas_context');
+			phpCAS::client($sCASVersion, $sCASHost, $iCASPort, $sCASContext, false /* session already started */);
+			self::$m_bCASClient = true;
+			$sCASCACertPath = MetaModel::GetConfig()->Get('cas_server_ca_cert_path');
+			if (empty($sCASCACertPath))
+			{
+				// If no certificate authority is provided, do not attempt to validate
+				// the server's certificate
+				// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION. 
+				// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL! 
+				phpCAS::setNoCasServerValidation();
+			}
+			else
+			{
+				phpCAS::setCasServerCACert($sCASCACertPath);
+			}			
+		}
+	 }
 }
 ?>
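Review bot: In `InitCASClient`, an empty `cas_server_ca_cert_path` silently disables CAS server certificate validation through `phpCAS::setNoCasServerValidation()`; the comment above the call says this is unsafe for production, but nothing surfaces the condition at runtime, so a misconfigured deployment authenticates against an unverified CAS server without leaving a trace. Emitting a warning next to that call, e.g. `trigger_error('CAS server certificate validation is disabled (cas_server_ca_cert_path is empty)', E_USER_WARNING);`, makes the downgrade visible in the server log. Separately, the `phpCAS::setDebug` block runs on every call while only `phpCAS::client` is guarded by `$m_bCASClient`; moving the debug setup inside the guard keeps the whole initialisation one-shot. In `CanLogOff`, the explicit `'form'`/`'basic'`/`'url'`/`'cas'` cases fall into `default` anyway, so the switch reduces to `$bResult = ($sLoginMode !== 'external');` — keep the list only if it is meant to document the known modes, and note that any unknown mode then also allows log-off.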

+ 0 - 12
core/userrights.class.inc.php

@@ -405,18 +405,6 @@ class UserRights
 		}
 	}
 
-	public static function CanLogOff()
-	{
-		if (!is_null(self::$m_oUser))
-		{
- 			return self::$m_oUser->CanLogOff();
-		}
-		else
-		{
-			return false;
-		}
-	}
-
 	public static function ChangePassword($sOldPassword, $sNewPassword, $sName = '')
 	{
 		if (empty($sName))

+ 0 - 6
modules/authent-external/model.authent-external.php

@@ -79,12 +79,6 @@ class UserExternal extends User
 		return false;
 	}
 
-	public function CanLogOff()
-	{
-		// External authentication: iTop has no way to force a log off
-		return false;
-	}
-
 	public function ChangePassword($sOldPassword, $sNewPassword)
 	{
 		return false;

+ 0 - 6
modules/authent-ldap/model.authent-ldap.php

@@ -158,12 +158,6 @@ class UserLDAP extends UserInternal
 		return false;
 	}
 
-	public function CanLogOff()
-	{
-		// Internal authentication allows everybody to log off
-		return true;
-	}
-
 	public function ChangePassword($sOldPassword, $sNewPassword)
 	{
 		return false;

+ 0 - 6
modules/authent-local/model.authent-local.php

@@ -77,12 +77,6 @@ class UserLocal extends UserInternal
 		return true;
 	}
 
-	public function CanLogOff()
-	{
-		// Internal authentication allows everybody to log off
-		return true;
-	}
-
 	public function ChangePassword($sOldPassword, $sNewPassword)
 	{
 		$oPassword = $this->Get('password'); // ormPassword object

+ 18 - 8
pages/logoff.php

@@ -27,21 +27,31 @@ $operation = utils::ReadParam('operation', '');
 require_once(APPROOT.'/application/loginwebpage.class.inc.php');
 session_name(MetaModel::GetConfig()->Get('session_name'));
 session_start();
-LoginWebPage::ResetSession();
-$oPage = new LoginWebPage();
-$sVersionShort = Dict::Format('UI:iTopVersion:Short', ITOP_VERSION);
-$oPage->add("<div id=\"login-logo\"><a href=\"http://www.combodo.com/itop\"><img title=\"$sVersionShort\" src=\"../images/itop-logo-external.png\"></a></div>\n");
-$oPage->add("<div id=\"login\">\n");
-$oPage->add("<h1>".Dict::S('UI:LogOff:ThankYou')."</h1>\n");
 $bPortal = utils::ReadParam('portal', false);
+$sUrl = utils::GetAbsoluteUrlAppRoot('pages/logoff.php');
 if ($bPortal)
 {
-	$sUrl = '../portal/';
+	$sUrl .= 'portal/';
 }
 else
 {
-	$sUrl = '../pages/UI.php';
+	$sUrl .= 'pages/UI.php';
 }
+$sLoginMode = isset($_SESSION['login_mode']) ? $_SESSION['login_mode'] : '';
+LoginWebPage::ResetSession();
+switch($sLoginMode)
+{
+	case 'cas':
+	utils::InitCASClient();					
+	phpCAS::logoutWithUrl($sUrl); // Redirects to the CAS logout page
+	break;
+}
+$oPage = new LoginWebPage();
+$sVersionShort = Dict::Format('UI:iTopVersion:Short', ITOP_VERSION);
+$oPage->add("<div id=\"login-logo\"><a href=\"http://www.combodo.com/itop\"><img title=\"$sVersionShort\" src=\"../images/itop-logo-external.png\"></a></div>\n");
+$oPage->add("<div id=\"login\">\n");
+$oPage->add("<h1>".Dict::S('UI:LogOff:ThankYou')."</h1>\n");
+
 $oPage->add("<p><a href=\"$sUrl\">".Dict::S('UI:LogOff:ClickHereToLoginAgain')."</a></p>");
 $oPage->add("</div>\n");
 $oPage->output();
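Review bot: A one-case `switch` on `$sLoginMode` reads as an `if`; `if ($sLoginMode === 'cas')` with the same two statements inside is clearer and avoids the stray trailing tabs after `utils::InitCASClient();`. The code after the switch assumes `phpCAS::logoutWithUrl($sUrl)` never returns — if it did, the "thank you" page would still be rendered after the redirect — so that assumption belongs in the comment, e.g. `// Redirects to the CAS logout page and terminates the script; nothing below runs for CAS sessions`. `$sUrl` is built from `utils::GetAbsoluteUrlAppRoot()` plus a fixed suffix rather than from request input, which is the right shape for a redirect target handed to an external service.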