1: <?php
2: /**
3: * The Horde_Auth_Shibboleth class only provides transparent authentication
4: * based on the headers set by a Shibboleth SP. Note that this class does
5: * not provide any actual SP functionality, it just takes the username
6: * from the HTTP headers that should be set by the Shibboleth SP.
7: *
8: * Copyright 9Star Research, Inc. 2006 http://www.protectnetwork.org/
9: *
10: * See the enclosed file COPYING for license information (LGPL). If you did
11: * not receive this file, see http://www.horde.org/licenses/lgpl21.
12: *
13: * @author Cassio Nishiguchi <cassio@protectnetwork.org>
14: * @category Horde
15: * @license http://www.horde.org/licenses/lgpl21 LGPL-2.1
16: * @package Auth
17: */
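class Horde_Auth_Shibboleth extends Horde_Auth_Base
{
    /**
     * An array of capabilities, so that the driver can report which
     * operations it supports and which it doesn't.
     *
     * Only transparent (header-based) login is advertised.
     *
     * @var array
     */
    protected $_capabilities = array(
        'transparent' => true
    );

    /**
     * Constructor.
     *
     * Security note: this driver performs no verification of its own. Every
     * value named below is read from $_SERVER and trusted as-is, so the
     * deployment must guarantee that only the Shibboleth SP can populate
     * those entries (i.e. a client-supplied request header must never be
     * able to end up under the same $_SERVER key).
     *
     * @param array $params  Parameters:
     * <pre>
     * 'password_header' - (string) Name of the header holding the password of
     *                     the logged in user.
     * 'password_holder' - (string) Where the hordeauth password is stored.
     *                     transparent() acts on 'header' and 'preferences';
     *                     any other value means no password is set.
     * 'password_preference' - (string) Name of the Horde preference holding
     *                         the password of the logged in user.
     * 'username_header' - (string) [REQUIRED] Name of the header holding the
     *                     username of the logged in user.
     * </pre>
     *
     * @throws InvalidArgumentException  If 'username_header' is not set.
     */
    public function __construct(array $params = array())
    {
        if (!isset($params['username_header'])) {
            throw new InvalidArgumentException('Missing username_header parameter.');
        }

        // Caller-supplied values win; the optional keys default to ''.
        $params = array_merge(array(
            'password_header' => '',
            'password_holder' => '',
            'password_preference' => ''
        ), $params);

        parent::__construct($params);
    }

    /**
     * Authentication stub.
     *
     * This driver never checks credentials itself; it always throws so that
     * only transparent() can establish a login.
     *
     * On failure, Horde_Auth_Exception should pass a message string (if any)
     * in the message field, and the Horde_Auth::REASON_* constant in the code
     * field (defaults to Horde_Auth::REASON_MESSAGE).
     *
     * @param string $userId      The userID to check.
     * @param array $credentials  An array of login credentials.
     *
     * @throws Horde_Auth_Exception  Always.
     */
    protected function _authenticate($userId, $credentials)
    {
        throw new Horde_Auth_Exception('Unsupported.');
    }

    /**
     * Automatic authentication: check if the username is set in the
     * configured header.
     *
     * The user name (and, optionally, the password) is taken verbatim from
     * $_SERVER. Nothing here proves that the value originated from the
     * Shibboleth SP; that guarantee has to come from the web server
     * configuration.
     *
     * @return boolean  Whether or not the client is allowed. False when the
     *                  configured username entry is missing or empty, or
     *                  when nothing is left of it once the scope is removed.
     */
    public function transparent()
    {
        $userKey = $this->_params['username_header'];
        if (empty($_SERVER[$userKey])) {
            return false;
        }

        // Remove scope from username, if present.
        $userId = $this->_removeScope($_SERVER[$userKey]);

        // A value such as "@example.org" leaves an empty user name after
        // the scope is stripped. Refuse it instead of logging in a session
        // with an empty user id.
        if ((string)$userId === '') {
            return false;
        }
        $this->setCredential('userId', $userId);

        // Set password for hordeauth login.
        $passwordKey = null;
        switch ($this->_params['password_holder']) {
        case 'header':
            $passwordKey = $this->_params['password_header'];
            break;

        case 'preferences':
            // NOTE(review): 'password_preference' is documented as the name
            // of a Horde preference, yet it is used as a $_SERVER key here.
            // Behaviour kept as-is; confirm the intended source.
            $passwordKey = $this->_params['password_preference'];
            break;
        }

        if ($passwordKey !== null) {
            // A missing entry yields a null password rather than an
            // undefined-index notice/warning.
            $this->setCredential('credentials', array(
                'password' => isset($_SERVER[$passwordKey])
                    ? $_SERVER[$passwordKey]
                    : null
            ));
        }

        return true;
    }

    /**
     * Removes the scope from the user name, if present.
     *
     * Everything from the last '@' onwards is dropped, so "user@a@b"
     * becomes "user@a" and "@scope" becomes an empty string.
     *
     * @param string $username  The full user name.
     *
     * @return string  The user name without scope.
     */
    protected function _removeScope($username)
    {
        $pos = strrpos($username, '@');
        if ($pos === false) {
            return $username;
        }

        return substr($username, 0, $pos);
    }

}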
129: