diff --git a/public_html/includes/class/class.LSauth.php b/public_html/includes/class/class.LSauth.php
index e83085bd..27274204 100644
--- a/public_html/includes/class/class.LSauth.php
+++ b/public_html/includes/class/class.LSauth.php
@@ -30,107 +30,103 @@
class LSauth {
static private $authData=NULL;
+ static private $authObject=NULL;
+ static private $config=array();
+ static private $provider=NULL;
- var $params = array (
+ static private $params = array (
'displayLoginForm' => true,
'displayLogoutBtn' => true
);
-
- /**
- * Check Post Data
- *
- * @retval boolean True if post data permit the authentification or False
- **/
- public function getPostData() {
- if (isset($_POST['LSsession_user']) && !empty($_POST['LSsession_user'])) {
- $this -> authData = array(
- 'username' => $_POST['LSsession_user'],
- 'password' => $_POST['LSsession_pwd'],
- 'ldapserver' => $_POST['LSsession_ldapserver'],
- 'topDn' => $_POST['LSsession_topDn']
- );
+
+ function start() {
+ LSdebug('LSauth :: start()');
+ // Load Config
+ if (isset(LSsession :: $ldapServer['LSauth']) && is_array(LSsession :: $ldapServer['LSauth'])) {
+ self :: $config = LSsession :: $ldapServer['LSauth'];
+ }
+ if (!LSsession :: loadLSclass('LSauthMethod')) {
+ LSdebug('LSauth :: Failed to load LSauthMethod');
+ return;
+ }
+ if (!isset(self :: $config['method'])) {
+ self :: $config['method']='basic';
+ }
+ $class='LSauthMethod_'.self :: $config['method'];
+ LSdebug('LSauth : provider -> '.$class);
+ if (LSsession :: loadLSclass($class)) {
+ self :: $provider = new $class();
+ if (!self :: $provider) {
+ LSerror :: addErrorCode('LSauth_05',self :: $config['method']);
+ }
+ LSdebug('LSauth : Provider Started !');
return true;
}
- return;
- }
-
- /**
- * Check user login
- *
- * @param[in] $username The username
- * @param[in] $password The password
- *
- * @retval LSldapObject|false The LSldapObject of the user authificated or false
- */
- public function authenticate() {
- if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) {
- $authobject = new LSsession :: $ldapServer['authObjectType']();
- $result = $authobject -> searchObject(
- $this -> authData['username'],
- LSsession :: getTopDn(),
- LSsession :: $ldapServer['authObjectFilter']
- );
- $nbresult=count($result);
-
- if ($nbresult==0) {
- // identifiant incorrect
- LSdebug('identifiant incorrect');
- LSerror :: addErrorCode('LSauth_01');
- }
- else if ($nbresult>1) {
- // duplication d'authentité
- LSerror :: addErrorCode('LSauth_02');
- }
- elseif ( $this -> checkUserPwd($result[0],$this -> authData['password']) ) {
- // Authentication succeeded
- return $result[0];
- }
- else {
- LSerror :: addErrorCode('LSauth_01');
- LSdebug('mdp incorrect');
- }
- }
else {
- LSerror :: addErrorCode('LSauth_03');
+ LSerror :: addErrorCode('LSauth_04',self :: $config['method']);
+ return;
}
- return;
- }
-
- /**
- * Test un couple LSobject/pwd
- *
- * Test un bind sur le serveur avec le dn de l'objet et le mot de passe fourni.
- *
- * @param[in] LSobject L'object "user" pour l'authentification
- * @param[in] string Le mot de passe à tester
- *
- * @retval boolean True si l'authentification à réussi, false sinon.
- */
- public static function checkUserPwd($object,$pwd) {
- return LSldap :: checkBind($object -> getValue('dn'),$pwd);
- }
-
- /**
- * Define if login form can be displayed or not
- *
- * @retval boolean
- **/
- public function __get($key) {
- if ($key=='params') {
- return $this -> params;
- }
- return;
}
+ function forceAuthentication() {
+ LSdebug('LSauth :: forceAuthentication()');
+ if (!is_null(self :: $provider)) {
+ self :: $authData = self :: $provider -> getAuthData();
+ if (self :: $authData) {
+ self :: $authObject = self :: $provider -> authenticate();
+ return self :: $authObject;
+ }
+ // No data : user has not filled the login form
+ LSdebug('LSauth : No data -> user has not filled the login form');
+ return;
+ }
+ LSerror :: addErrorCode('LSauth_06');
+ return;
+ }
+
/**
* Logout
*
* @retval void
**/
public function logout() {
- // Do nothing in the standard LSauth class
+ if (!is_null(self :: $provider)) {
+ return self :: $provider -> logout();
+ }
+ LSerror :: addErrorCode('LSauth_06');
+ return;
}
+
+ /**
+ * Disable logout button in LSauth parameters
+ *
+ * @retval void
+ **/
+ public function disableLogoutBtn() {
+ self :: $params['displayLogoutBtn'] = false;
+ }
+
+ /**
+ * Can display or not logout button in LSauth parameters
+ *
+ * @retval boolean
+ **/
+ public function displayLogoutBtn() {
+ return self :: $params['displayLogoutBtn'];
+ }
+ /*
+ * For compatibillity until loginForm is migrated in LSauth
+ */
+ public function disableLoginForm() {
+ self :: $params['displayLoginForm'] = false;
+ }
+
+ public function displayLoginForm() {
+ return self :: $params['displayLoginForm'];
+ }
+
+
}
/*
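Review bot: The `if (!self :: $provider)` test after `new $class()` in start() can never be true — `new` always yields an object and discards the constructor's return value — so `LSauth_05` is unreachable and a provider whose constructor reported failure (LSauthMethod_CAS returns false when phpCAS cannot be loaded) is still installed and start() still reaches `return true;`. Have the provider constructor record its outcome in a property and test that here, e.g. `if (!self :: $provider -> started) { LSerror :: addErrorCode('LSauth_05',self :: $config['method']); return; }` (with a boolean `$started` set by LSauthMethod and its subclasses). Separately, start(), forceAuthentication(), logout(), disableLogoutBtn(), displayLogoutBtn(), disableLoginForm() and displayLoginForm() are declared without `static` yet every caller in this diff invokes them statically (`LSauth :: start()` in class.LSsession.php, `LSauth :: disableLoginForm()` in the CAS and HTTP providers); declare them `public static function …` so the calls remain valid beyond PHP 5, where static calls to instance methods are rejected.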
@@ -143,6 +139,19 @@ LSerror :: defineError('LSauth_02',
_("LSauth : Impossible to identify you : Duplication of identities.")
);
LSerror :: defineError('LSauth_03',
-_("LSsession : Could not load type of identifiable objects.")
+_("LSauth : Could not load type of identifiable objects.")
);
+LSerror :: defineError('LSauth_04',
+_("LSauth : Can't load authentication method %{method}.")
+);
+LSerror :: defineError('LSauth_05',
+_("LSauth : Failed to build the authentication provider %{method}.")
+);
+LSerror :: defineError('LSauth_06',
+_("LSauth : Not correctly initialized.")
+);
+LSerror :: defineError('LSauth_07',
+_("LSauth : Failed to get authentication informations from provider.")
+);
+
?>
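Review bot: `LSauth_07` is defined here but nothing in this diff calls `addErrorCode('LSauth_07', …)`; forceAuthentication() treats a false getAuthData() as "form not filled" and only logs a debug line. Either drop the unused definition or raise it in forceAuthentication() where a provider that reported data via getAuthData() then fails to return it, so that the message and the code path agree.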
diff --git a/public_html/includes/class/class.LSauthHTTP.php b/public_html/includes/class/class.LSauthMethod.php
similarity index 50%
rename from public_html/includes/class/class.LSauthHTTP.php
rename to public_html/includes/class/class.LSauthMethod.php
index c5bc7317..b269e24b 100644
--- a/public_html/includes/class/class.LSauthHTTP.php
+++ b/public_html/includes/class/class.LSauthMethod.php
@@ -21,67 +21,61 @@
******************************************************************************/
/**
- * Gestion de l'authentification d'un utilisateur suite à une authentification
- * HTTP
+ * Base of a authentication provider for LSauth
*
* @author Benjamin Renard
*/
-class LSauthHTTP extends LSauth {
-
- var $params = array (
- 'displayLoginForm' => false,
- 'displayLogoutBtn' => false
- );
+class LSauthMethod {
+
+ var $authData = array();
+ function LSauthMethod() {
+ // Load config
+ LSsession :: includeFile(LS_CONF_DIR."LSauth/config.".get_class($this).".php");
+ LSdebug(LS_CONF_DIR."LSauth/config.".get_class($this).".php");
+ return true;
+ }
+
/**
- * Check Post Data
+ * Check Auth Data
*
- * @retval array|False Array of post data if exist or False
+ * Return authentication data or false
+ *
+ * @retval Array|false Array of authentication data or False
**/
- public function getPostData() {
- if (isset($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) {
- $this -> authData = array(
- 'username' => $_SERVER['PHP_AUTH_USER'],
- 'password' => $_SERVER['PHP_AUTH_PW'],
- 'ldapserver' => $_REQUEST['LSsession_ldapserver'],
- 'topDn' => $_REQUEST['LSsession_topDn']
- );
- return true;
- }
- return;
+ public function getAuthData() {
+ // Do nothing in the standard LSauthMethod class
+ // This method have to define $this -> authData['username']
+ return false;
}
/**
- * Check user login
- *
- * @param[in] $username The username
- * @param[in] $password The password
+ * Check authentication
*
* @retval LSldapObject|false The LSldapObject of the user authificated or false
*/
public function authenticate() {
if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) {
$authobject = new LSsession :: $ldapServer['authObjectType']();
- $result = $authobject -> searchObject(
- $this -> authData['username'],
- LSsession :: getTopDn(),
- LSsession :: $ldapServer['authObjectFilter']
- );
- $nbresult=count($result);
-
- if ($nbresult==0) {
- // identifiant incorrect
- LSdebug('identifiant incorrect');
- LSerror :: addErrorCode('LSauth_01');
- }
- else if ($nbresult>1) {
- // duplication d'authentité
- LSerror :: addErrorCode('LSauth_02');
- }
- else {
- // Authentication succeeded
- return $result[0];
- }
+ $result = $authobject -> searchObject(
+ $this -> authData['username'],
+ LSsession :: getTopDn(),
+ LSsession :: $ldapServer['authObjectFilter']
+ );
+ $nbresult=count($result);
+
+ if ($nbresult==0) {
+ // incorrect login
+ LSdebug('identifiant incorrect');
+ LSerror :: addErrorCode('LSauth_01');
+ }
+ else if ($nbresult>1) {
+ // duplication of identity
+ LSerror :: addErrorCode('LSauth_02');
+ }
+ else {
+ return $result[0];
+ }
}
else {
LSerror :: addErrorCode('LSauth_03');
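Review bot: The base LSauthMethod::authenticate() grants access on a username lookup alone — when searchObject() returns exactly one entry that entry is returned with no credential check — which is only safe for providers whose getAuthData() has already verified the identity (CAS); any future subclass that forgets to override it would accept any known username. State that contract on the method, e.g. `// Resolves authData['username'] to its LDAP object. Performs NO credential check:` / `// the provider must have authenticated the user in getAuthData() or override this (see LSauthMethod_basic).`, and mirror it in getAuthData()'s docblock. The constructor also ignores the result of `LSsession :: includeFile(...)` and returns true unconditionally, so a missing provider config file is never reported; check the return value before returning. The `return;` that closes authenticate() lies outside this hunk.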
@@ -89,5 +83,16 @@ class LSauthHTTP extends LSauth {
return;
}
+ /**
+ * Logout
+ *
+ * @retval boolean True on success or False
+ **/
+ public function logout() {
+ // Do nothing in the standard LSauthMethod class
+ return true;
+ }
+
}
+
?>
diff --git a/public_html/includes/class/class.LSauthCAS.php b/public_html/includes/class/class.LSauthMethod_CAS.php
similarity index 50%
rename from public_html/includes/class/class.LSauthCAS.php
rename to public_html/includes/class/class.LSauthMethod_CAS.php
index 8c25b4a9..fe9f71b2 100644
--- a/public_html/includes/class/class.LSauthCAS.php
+++ b/public_html/includes/class/class.LSauthMethod_CAS.php
@@ -11,32 +11,28 @@
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
******************************************************************************/
/**
- * Gestion de l'authentification d'un utilisateur via une authentification
- * CAS
+ * CAS Authentication provider for LSauth
*
* @author Benjamin Renard
*/
-class LSauthCAS extends LSauth {
-
- var $params = array (
- 'displayLoginForm' => false,
- 'displayLogoutBtn' => true
- );
+class LSauthMethod_CAS extends LSauthMethod {
+
+ function LSauthMethod_CAS() {
+ LSauth :: disableLoginForm();
+
+ if (!parent :: LSauthMethod())
+ return;
- /**
- * Constructor
- */
- public function LSauthCAS() {
if (LSsession :: includeFile(PHP_CAS_PATH)) {
if (defined('PHP_CAS_DEBUG_FILE')) {
phpCAS::setDebug(PHP_CAS_DEBUG_FILE);
@@ -55,89 +51,60 @@ class LSauthCAS extends LSauth {
}
if (LSAUTH_CAS_DISABLE_LOGOUT) {
- $this -> params['displayLogoutBtn'] = false;
+ LSauth :: disableLogoutBtn();
}
return true;
}
else {
- LSerror :: addErrorCode('LSauthCAS_01');
+ LSerror :: addErrorCode('LSauthMethod_CAS_01');
}
return false;
}
- /**
- * Check Post Data
- *
- * @retval array|False Array of post data if exist or False
- **/
- public function getPostData() {
+ /**
+ * Check Auth Data
+ *
+ * Return authentication data or false
+ *
+ * @retval Array|false Array of authentication data or False
+ **/
+ public function getAuthData() {
+
if (class_exists('phpCAS')) {
+
// Launch Auth
phpCAS::forceAuthentication();
$this -> authData = array(
- 'username' => phpCAS::getUser(),
- 'password' => '',
- 'ldapserver' => $_REQUEST['LSsession_ldapserver'],
- 'topDn' => $_REQUEST['LSsession_topDn']
+ 'username' => phpCAS::getUser()
);
- return true;
+ return $this -> authData;
}
return;
}
- /**
- * Check user login
- *
- * @param[in] $username The username
- * @param[in] $password The password
- *
- * @retval LSldapObject|false The LSldapObject of the user authificated or false
- */
- public function authenticate() {
- if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) {
- $authobject = new LSsession :: $ldapServer['authObjectType']();
- $result = $authobject -> searchObject(
- $this -> authData['username'],
- LSsession :: getTopDn(),
- LSsession :: $ldapServer['authObjectFilter']
- );
- $nbresult=count($result);
-
- if ($nbresult==0) {
- // identifiant incorrect
- LSdebug('identifiant incorrect');
- LSerror :: addErrorCode('LSauth_01');
+ /**
+ * Logout
+ *
+ * @retval boolean True on success or False
+ **/
+ public function logout() {
+ if(class_exists('phpCAS')) {
+ if (LSauth :: displayLogoutBtn()) {
+ phpCAS :: forceAuthentication();
+ phpCAS :: logout();
+ return true;
}
- else if ($nbresult>1) {
- // duplication d'authentité
- LSerror :: addErrorCode('LSauth_02');
- }
- else {
- // Authentication succeeded
- return $result[0];
- }
- }
- else {
- LSerror :: addErrorCode('LSauth_03');
}
return;
}
- public function logout() {
- if(class_exists('phpCAS')) {
- if ($this -> params['displayLogoutBtn']) {
- phpCAS :: forceAuthentication();
- phpCAS :: logout();
- }
- }
- }
}
/*
* Error Codes
*/
-LSerror :: defineError('LSauthCAS_01',
-_("LSauthCAS : Failed to load phpCAS.")
+LSerror :: defineError('LSauthMethod_CAS_01',
+_("LSauthMethod_CAS : Failed to load phpCAS.")
);
?>
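Review bot: logout() returns `null` both when phpCAS is unavailable and when the logout button is disabled, although its docblock promises boolean True/False, and getAuthData() likewise returns `null` where `Array|false` is documented; use `return false;` in all three places so callers can test the result with `===`. The constructor's early `return;` after `parent :: LSauthMethod()` is in the previous hunk and has the same mismatch with the `return false;` used on the phpCAS failure path below.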
diff --git a/public_html/includes/class/class.LSauthMethod_HTTP.php b/public_html/includes/class/class.LSauthMethod_HTTP.php
new file mode 100644
index 00000000..9ef30c16
--- /dev/null
+++ b/public_html/includes/class/class.LSauthMethod_HTTP.php
@@ -0,0 +1,58 @@
+
+ */
+class LSauthMethod_HTTP extends LSauthMethod_basic {
+
+ function LSauthMethod_HTTP() {
+ LSauth :: disableLoginForm();
+ LSauth :: disableLogoutBtn();
+ return parent :: LSauthMethod_basic();
+ }
+
+ /**
+ * Check Auth Data
+ *
+ * Return authentication data or false
+ *
+ * @retval Array|false Array of authentication data or False
+ **/
+ public function getAuthData() {
+ if (isset($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) {
+ $this -> authData = array(
+ 'username' => $_SERVER['PHP_AUTH_USER'],
+ 'password' => $_SERVER['PHP_AUTH_PW']
+ );
+ return $this -> authData;
+ }
+ return;
+ }
+
+}
+
+?>
diff --git a/public_html/includes/class/class.LSauthMethod_basic.php b/public_html/includes/class/class.LSauthMethod_basic.php
new file mode 100644
index 00000000..f1ae5a10
--- /dev/null
+++ b/public_html/includes/class/class.LSauthMethod_basic.php
@@ -0,0 +1,84 @@
+
+ */
+class LSauthMethod_basic extends LSauthMethod {
+
+ /**
+ * Check Auth Data
+ *
+ * Return authentication data or false
+ *
+ * @retval Array|false Array of authentication data or False
+ **/
+ public function getAuthData() {
+ if (isset($_POST['LSauth_user']) && !empty($_POST['LSauth_user'])) {
+ $this -> authData = array(
+ 'username' => $_POST['LSauth_user'],
+ 'password' => (isset($_POST['LSauth_pwd'])?$_POST['LSauth_pwd']:'')
+ );
+ return $this -> authData;
+ }
+ return;
+ }
+
+ /**
+ * Check authentication
+ *
+ * @retval LSldapObject|false The LSldapObject of the user authificated or false
+ */
+ public function authenticate() {
+ $authobject = parent :: authenticate();
+ if ($authobject) {
+ if ( $this -> checkUserPwd($authobject,$this -> authData['password']) ) {
+ // Authentication succeeded
+ return $authobject;
+ }
+ else {
+ LSerror :: addErrorCode('LSauth_01');
+ LSdebug('mdp incorrect');
+ }
+ }
+ return;
+ }
+
+ /**
+ * Test un couple LSobject/pwd
+ *
+ * Test un bind sur le serveur avec le dn de l'objet et le mot de passe fourni.
+ *
+ * @param[in] LSobject L'object "user" pour l'authentification
+ * @param[in] string Le mot de passe à tester
+ *
+ * @retval boolean True si l'authentification a reussi, false sinon.
+ **/
+ public static function checkUserPwd($object,$pwd) {
+ return LSldap :: checkBind($object -> getValue('dn'),$pwd);
+ }
+
+}
+
+?>
diff --git a/public_html/includes/class/class.LSsession.php b/public_html/includes/class/class.LSsession.php
index 0613e656..1bd90d68 100644
--- a/public_html/includes/class/class.LSsession.php
+++ b/public_html/includes/class/class.LSsession.php
@@ -50,9 +50,6 @@ class LSsession {
// Les droits d'accès de l'utilisateur
private static $LSaccess = array();
- // Authentification parameters
- private static $authParams = array();
-
// Les fichiers temporaires
private static $tmp_file = array();
@@ -292,23 +289,13 @@ class LSsession {
/**
* Chargement d'une classe d'authentification d'LdapSaisie
*
- * @param[in] $auth Nom de la classe d'authentification a charger (Exemple : HTTP)
- *
* @author Benjamin Renard stop");
+ return;
+ }
self :: $LSprofiles = $_SESSION['LSsession']['LSprofiles'];
self :: $LSaccess = $_SESSION['LSsession']['LSaccess'];
if (!self :: LSldapConnect())
@@ -510,6 +502,10 @@ class LSsession {
}
else {
self :: setLdapServer(self :: $ldapServerId);
+ if (!LSauth :: start()) {
+ LSdebug("LSsession : can't start LSauth -> stop");
+ return;
+ }
if (!self :: LSldapConnect())
return;
self :: loadLSprofiles();
@@ -524,10 +520,7 @@ class LSsession {
}
if (isset($_GET['LSsession_logout'])) {
- $authObj = self :: getLSauthObject();
- if ($authObj) {
- $authObj -> logout();
- }
+ LSauth :: logout();
session_destroy();
if (is_array($_SESSION['LSsession']['tmp_file'])) {
@@ -540,8 +533,6 @@ class LSsession {
return;
}
- self :: getLSuserObject();
-
if ( !self :: cacheLSprofiles() || isset($_REQUEST['LSsession_refresh']) ) {
self :: loadLSaccess();
}
@@ -559,6 +550,7 @@ class LSsession {
}
else {
+ // --------------------- Session inexistante --------------------- //
if (isset($_GET['LSsession_recoverPassword'])) {
session_destroy();
}
@@ -581,7 +573,12 @@ class LSsession {
self :: $topDn = self :: $ldapServer['ldap_config']['basedn'];
}
$_SESSION['LSsession_topDn']=self :: $topDn;
-
+
+ if (!LSauth :: start()) {
+ LSdebug("LSsession : can't start LSauth -> stop");
+ return;
+ }
+
if (isset($_GET['LSsession_recoverPassword'])) {
$recoveryPasswordInfos = self :: recoverPasswd(
$_REQUEST['LSsession_user'],
@@ -589,22 +586,17 @@ class LSsession {
);
}
else {
- $authObj=self :: getLSauthObject();
- if ($authObj) {
- if ($authObj -> getPostData()) {
- $LSuserObject = $authObj -> authenticate();
- if ($LSuserObject) {
- // Authentication successful
- self :: $LSuserObject = $LSuserObject;
- self :: $dn = $LSuserObject->getValue('dn');
- self :: $rdn = $LSuserObject->getValue('rdn');
- self :: loadLSprofiles();
- self :: loadLSaccess();
- $GLOBALS['Smarty'] -> assign('LSsession_username',self :: getLSuserObject() -> getDisplayName());
- $_SESSION['LSsession']=self :: getContextInfos();
- return true;
- }
- }
+ $LSuserObject = LSauth :: forceAuthentication();
+ if ($LSuserObject) {
+ // Authentication successful
+ self :: $LSuserObject = $LSuserObject;
+ self :: $dn = $LSuserObject->getValue('dn');
+ self :: $rdn = $LSuserObject->getValue('rdn');
+ self :: loadLSprofiles();
+ self :: loadLSaccess();
+ $GLOBALS['Smarty'] -> assign('LSsession_username',self :: getLSuserObject() -> getDisplayName());
+ $_SESSION['LSsession']=self :: getContextInfos();
+ return true;
}
}
}
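Review bot: After `LSauth :: forceAuthentication()` succeeds, the authenticated context is written into the pre-existing PHP session (`$_SESSION['LSsession']=self :: getContextInfos();`) without rotating the session identifier, so an id established before login is retained across the privilege change (session fixation) unless LSsession regenerates it elsewhere, which is not visible in this diff. Call `session_regenerate_id(true);` immediately before that assignment. The enclosing method starts and ends outside this hunk.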
@@ -619,7 +611,7 @@ class LSsession {
if (isset($_GET['LSsession_recoverPassword'])) {
self :: displayRecoverPasswordForm($recoveryPasswordInfos);
}
- elseif(self :: $authParams['displayLoginForm']) {
+ elseif(LSauth :: displayLoginForm()) {
self :: displayLoginForm();
}
else {
@@ -629,32 +621,6 @@ class LSsession {
return;
}
}
-
- /**
- * Get LSauthObject
- *
- * @retval LSauth object or false
- **/
- private static function getLSauthObject() {
- if (!self :: $LSauthObject) {
- if (self :: loadLSauth()) {
- if (isset(self :: $ldapServer['LSauth']['method'])) {
- $LSauthClass = 'LSauth'.self :: $ldapServer['LSauth']['method'];
- if (!self :: loadLSauth(self :: $ldapServer['LSauth']['method'])) {
- LSerror :: addErrorCode('LSsession_08',self :: $ldapServer['LSauth']['method']);
- $LSauthClass = 'LSauth';
- }
- }
- else {
- $LSauthClass = 'LSauth';
- }
-
- self :: $LSauthObject = new $LSauthClass();
- self :: $authParams = self :: $LSauthObject->params;
- }
- }
- return self :: $LSauthObject;
- }
/**
* Do recover password
@@ -896,8 +862,7 @@ class LSsession {
'ldapServerId' => self :: $ldapServerId,
'ldapServer' => self :: $ldapServer,
'LSprofiles' => self :: $LSprofiles,
- 'LSaccess' => self :: $LSaccess,
- 'authParams' => self :: $authParams
+ 'LSaccess' => self :: $LSaccess
);
}
@@ -1406,7 +1371,7 @@ class LSsession {
$GLOBALS['Smarty'] -> assign('LSencoding',self :: $encoding);
$GLOBALS['Smarty'] -> assign('lang_label',_('Language'));
- $GLOBALS['Smarty'] -> assign('displayLogoutBtn',self :: $authParams['displayLogoutBtn']);
+ $GLOBALS['Smarty'] -> assign('displayLogoutBtn',LSauth :: displayLogoutBtn());
// Infos
if((!empty($_SESSION['LSsession_infos']))&&(is_array($_SESSION['LSsession_infos']))) {
diff --git a/public_html/templates/default/login.tpl b/public_html/templates/default/login.tpl
index 830aae2d..8467fcfd 100644
--- a/public_html/templates/default/login.tpl
+++ b/public_html/templates/default/login.tpl
@@ -25,9 +25,9 @@
{$loginform_label_level}
{$loginform_label_user}
-
+
{$loginform_label_pwd}
-
+
{$lang_label}