f1a6e2baa6f3b68b0209bdc62aeea6501d504ac1
[piwik-CASLogin.git] / Auth.php
1 <?php
2 /**
3  * Piwik - Open source web analytics
4  * 
5  * @link http://piwik.org
6  * @license http://www.gnu.org/licenses/gpl-3.0.html Gpl v3 or later
7  * @version $Id:$
8  * 
9  * @package Piwik_CASLogin
10  */
11
12 /**
13  * Class that implements an authentication mechanism via CAS (Central Authentication Services)
14  *
15  * @package Piwik_CASLogin
16  */
17 class Piwik_CASLogin_Auth implements Piwik_Auth
18 {
19         protected $login = null;
20         protected $token_auth = null;
21
22         public function getName()
23         {
24                 return 'CASLogin';
25         }
26
27         public function authenticate()
28         {
29                 $user = '';
30                 $rootLogin = Zend_Registry::get('config')->superuser->login;
31
32                 $additionalSuperUsers = array();
33                 $oAdditionalSuperUsers = Zend_Registry::get('config')->caslogin->additionalsuperusers;
34                 if(is_object($oAdditionalSuperUsers)) {
35                         $additionalSuperUsers = $oAdditionalSuperUsers->toArray();
36                 }
37
38                 require_once PIWIK_INCLUDE_PATH . '/plugins/CASLogin/CAS/CAS.php';
39
40                 // initialize phpCAS
41
42                 // What happens here: in some piwik functionality, some additional API-style calls are
43                 // made from a controller action, where the authenticate() method will be called *again*.
44                 // This happens for instance when an admin changes some permissions in Settings->Users.
45                 // The first authenticate() is from the page, and the second is due to an API call.
46                 // This checks if there was already a phpcas instance already initialized, otherwize
47                 // phpCAS::client() would fail.
48                 global $PHPCAS_CLIENT;
49                 if(!is_object($PHPCAS_CLIENT)) {
50                         phpCAS::client(
51                                 constant( Zend_Registry::get('config')->caslogin->protocol ),
52                                 Zend_Registry::get('config')->caslogin->host,
53                                 (integer) Zend_Registry::get('config')->caslogin->port,
54                 '',
55                 false
56                         );
57                 }
58
59                 // no SSL validation for the CAS server
60                 phpCAS::setNoCasServerValidation();
61
62                 // Handle single signout requests from CAS server
63                 phpCAS::handleLogoutRequests();
64
65                 // force CAS authentication only if it has been requested by action argument
66                 $action = Piwik::getAction();
67                 
68                 $auth = phpCAS::checkAuthentication();
69                 if(!$auth) {
70                         if($action == 'redirectToCAS') {
71                                 phpCAS::forceAuthentication();
72                         }
73
74                         if($action != 'login' && Piwik::getModule() != 'CoreUpdater') {
75                                 Piwik::redirectToModule('CASLogin', 'login');
76                                 return;
77                         } elseif($action == 'redirectToCAS') {
78                                 phpCAS::forceAuthentication();
79                         } else {
80                                 return new Piwik_Auth_Result( Piwik_Auth_Result::FAILURE, $user, NULL );
81                         }
82                 }
83
84                 // Additional Attributes
85                 // For future retrieval of attributes; they _might_ be of some use, but are highly
86                 // dependable on a specific installation. CAS|piwik hackers can do some magic
87                 // here with SAML attributes etc.
88                 /*
89                 foreach (phpCAS::getAttributes() as $key => $value) {
90                         // syslog(LOG_DEBUG, "attribute: $key - ". print_r($value, true));
91                 }
92                  */
93
94                 if (isset($_SESSION['phpCAS']) && isset($_SESSION['phpCAS']['user'])) {
95                         $user = $_SESSION['phpCAS']['user'];
96                 }
97
98                 if($user) {
99                         if($user == $rootLogin || in_array($user, $additionalSuperUsers)) {
100                                 // Root / Admin login
101                                 return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS_SUPERUSER_AUTH_CODE, $user, NULL );
102                         }
103
104                         $login = Zend_Registry::get('db')->fetchOne(
105                                         'SELECT login FROM '.Piwik_Common::prefixTable('user').' WHERE login = ?',
106                                         array($user)
107                         );
108                         if($login === false) {
109                                 // ***User Autocreate***
110                                 // We can either add the authenticated but not-yet-authorized user to the piwik users
111                                 // database, or ignore that.
112                                 // TODO: make this a config option
113                                 // $this->_populateDb($user);
114                                 $login = $user;
115                         }
116
117                         if($login == $user)
118                         {
119                                 return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS, $login, NULL );
120                         }
121                 }
122
123                 return new Piwik_Auth_Result( Piwik_Auth_Result::FAILURE, $user, NULL );
124         }
125
126         public function setLogin($login)
127         {
128                 $this->login = $login;
129         }
130         
131     public function setTokenAuth($token_auth)
132         {
133                 $this->token_auth = $token_auth;
134         }
135
136         /**
137          * This method is used to inject user into Piwik's tables.
138          * @todo Alias could be the 'cn' returned from CAS attributes.
139          */
140         private function _populateDb($user)
141         {
142                 $result = null;
143                 $dummy = md5('abcd1234');
144                 if ($this->_helper_userExists($user)) {
145                         $this->_helper_updateUser($user, $dummy, '', 'alias');
146                 } else {
147                         $this->_helper_addUser($user, $dummy, '', 'alias');
148                 }
149         }
150
151
152         ///// The following methods are taken from Piwik's UserManager, but in order to inject data into piwik's user and access tables, we need
153         ///// to make sure we don't wreck things. The UserManager API uses authenticate() to check if we're eligable to look this up,
154         ///// soi we can't use it - we need superuser permissions anyway.
155         //
156         ///// Warning - these methods are of course under Piwik's license.
157         private function _helper_userExists($name)
158         {
159                 $count = Zend_Registry::get('db')->fetchOne("SELECT count(*)
160                                                                         FROM ".Piwik_Common::prefixTable("user"). "
161                                                                         WHERE login = ?", $name);
162                 return $count > 0;
163         }
164
165         private function _helper_updateUser( $userLogin, $password = false, $email = false, $alias = false ) 
166         {
167                 $token_auth = Piwik_UsersManager_API::getTokenAuth($userLogin, $password);
168
169                 $db = Zend_Registry::get('db');
170
171                 $db->update( Piwik_Common::prefixTable("user"),
172                                         array(
173                                                 'password' => $password,
174                                                 'alias' => $alias,
175                                                 'email' => $email,
176                                                 'token_auth' => $token_auth,
177                                                 ),
178                                         "login = '$userLogin'"
179                         );
180         }
181
182         private function _helper_addUser( $userLogin, $password, $email, $alias = false )
183         {               
184                 $token_auth = Piwik_UsersManager_API::getTokenAuth($userLogin, $password);
185
186                 $db = Zend_Registry::get('db');
187
188                 $db->insert( Piwik_Common::prefixTable("user"), array(
189                                                                         'login' => $userLogin,
190                                                                         'password' => $password,
191                                                                         'alias' => $alias,
192                                                                         'email' => $email,
193                                                                         'token_auth' => $token_auth,
194                                                                         )
195                 );
196         }
197     
198 }
199