Commit 5d34287b authored by Jeff Geerling's avatar Jeff Geerling Committed by John Barclay

Issue #2104117-1 patch for coder cleanup of ldap sso

parent 1b7fd4cd
......@@ -26,14 +26,12 @@ function ldap_sso_menu() {
* Implements hook_user_logout().
*
* The user just logged out.
*
*/
function ldap_sso_user_logout($account) {
$auth_conf = ldap_authentication_get_valid_conf();
if ($auth_conf->seamlessLogin == 1) {
$cookie_string = 'do not auto login';
$cookie_timeout = (int)$auth_conf->cookieExpire;
$cookie_timeout = (int) $auth_conf->cookieExpire;
setcookie('seamless_login', $cookie_string, (($cookie_timeout == -1) ? 0 : $cookie_timeout + time()), base_path(), "");
ldap_servers_set_globals('_SESSION', 'seamless_login', $cookie_string);
}
......@@ -41,9 +39,10 @@ function ldap_sso_user_logout($account) {
/**
* Implements hook_boot().
* Perform setup tasks. This entry point is used because hook_user_load no
* longer runs on anonymous users, and hook_boot is guaranteed to run,
* regardless of cache
*
* Perform setup tasks. This entry point is used because hook_user_load no
* longer runs on anonymous users, and hook_boot is guaranteed to run,
* regardless of cache.
*/
function ldap_sso_boot() {
......@@ -55,18 +54,19 @@ function ldap_sso_boot() {
module_load_include('module', 'ldap_servers');
if (!(isset($_COOKIE['seamless_login'])) || $_COOKIE['seamless_login'] == 'auto login') {
if ((arg(0) == 'user' && !(is_numeric(arg(1)))) || arg(0) == 'logout' ) {
if ((arg(0) == 'user' && !(is_numeric(arg(1)))) || arg(0) == 'logout') {
return;
}
else {
if (isset($_COOKIE['seamless_login_attempted']))
if (isset($_COOKIE['seamless_login_attempted'])) {
$login_attempted = $_COOKIE['seamless_login_attempted'];
}
else {
$login_attempted = FALSE;
}
require_once(DRUPAL_ROOT . '/includes/common.inc');
require_once(DRUPAL_ROOT . '/includes/path.inc');
require_once DRUPAL_ROOT . '/includes/common.inc';
require_once DRUPAL_ROOT . '/includes/path.inc';
$ldap_authentication_conf = variable_get('ldap_authentication_conf', array());
if (isset($ldap_authentication_conf['seamlessLogin']) && $ldap_authentication_conf['seamlessLogin'] == 1 && ($login_attempted != 'true')) {
......@@ -74,14 +74,14 @@ function ldap_sso_boot() {
setcookie("seamless_login_attempted", 'true', 0, base_path(), "");
}
else {
setcookie('seamless_login_attempted', 'true', time() + (int)$ldap_authentication_conf['cookieExpire'], base_path(), "");
setcookie('seamless_login_attempted', 'true', time() + (int) $ldap_authentication_conf['cookieExpire'], base_path(), "");
}
ldap_servers_set_globals('_SESSION', 'seamless_login_attempted', $login_attempted);
// removed with http://drupal.org/node/1485118 patch
//$ldap_sso_q = (!isset($_GET['q']) || $_GET['q'] == '') ? 'user' : $_GET['q'];
//drupal_goto('user/login/sso', array('query' => array('destination' => rawurlencode($ldap_sso_q))));
drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE);
if (ldap_sso_path_excluded_from_sso()) { // seems redundant, but need to check this again after additional bootstrap
// Seems redundant, but need to check this again after additional
// bootstrap.
if (ldap_sso_path_excluded_from_sso()) {
return;
}
// Add the query key to the drupal_goto() options array only if there
......@@ -89,8 +89,8 @@ function ldap_sso_boot() {
$options = array();
$destination = drupal_get_destination();
if (!empty($destination['destination'])) {
$options['query'] = $destination;
}
$options['query'] = $destination;
}
drupal_goto('user/login/sso', $options);
}
else {
......@@ -101,28 +101,36 @@ function ldap_sso_boot() {
}
}
/**
* Default excluded paths.
*/
function ldap_sso_default_excluded_paths() {
return array(
'admin/config/search/clean-urls/check'
'admin/config/search/clean-urls/check',
);
}
/**
* Paths excluded from SSO.
*/
function ldap_sso_path_excluded_from_sso($path = FALSE) {
module_load_include('module', 'ldap_servers');
$result = FALSE;
if ($path) {
// don't derive
// Don't derive.
}
elseif (ldap_servers_get_globals('_SERVER', 'PHP_SELF') == '/index.php') {
$path = $_GET['q'];
}
else {
$path = ltrim(ldap_servers_get_globals('_SERVER', 'PHP_SELF'), '/'); // cron.php, etc.
// Cron.php, etc.
$path = ltrim(ldap_servers_get_globals('_SERVER', 'PHP_SELF'), '/');
}
if (in_array($path, ldap_sso_default_excluded_paths())) {
return TRUE;
}
$ldap_authentication_conf = variable_get('ldap_authentication_conf', array());
if (isset($ldap_authentication_conf['ssoExcludedHosts']) && is_array($ldap_authentication_conf['ssoExcludedHosts'])) {
......@@ -133,10 +141,9 @@ function ldap_sso_path_excluded_from_sso($path = FALSE) {
}
}
}
if (isset($ldap_authentication_conf['ssoExcludedPaths'])) {
$patterns = join("\r\n", $ldap_authentication_conf['ssoExcludedPaths']);
$patterns = implode("\r\n", $ldap_authentication_conf['ssoExcludedPaths']);
if ($patterns) {
if (function_exists('drupal_get_path_alias')) {
$path = drupal_get_path_alias($path);
......@@ -144,18 +151,21 @@ function ldap_sso_path_excluded_from_sso($path = FALSE) {
$path = (function_exists('drupal_strtolower')) ? drupal_strtolower($path) : strtolower($path);
$to_replace = array(
'/(\r\n?|\n)/', // newlines
'/\\\\\*/', // asterisks
'/(^|\|)\\\\<front\\\\>($|\|)/' // <front>
// Newlines.
'/(\r\n?|\n)/',
// Asterisks.
'/\\\\\*/',
// <front>.
'/(^|\|)\\\\<front\\\\>($|\|)/',
);
$replacements = array(
'|',
'.*',
'\1' . preg_quote(variable_get('site_frontpage', 'node'), '/') . '\2'
'\1' . preg_quote(variable_get('site_frontpage', 'node'), '/') . '\2',
);
$patterns_quoted = preg_quote($patterns, '/');
$regex = '/^(' . preg_replace($to_replace, $replacements, $patterns_quoted) . ')$/';
$result = (bool)preg_match($regex, $path);
$result = (bool) preg_match($regex, $path);
}
}
......@@ -165,16 +175,15 @@ function ldap_sso_path_excluded_from_sso($path = FALSE) {
/**
* A proxy function for the actual authentication routine. This is in place
* so various implementations of grabbing NTLM credentials can be used and
* selected from an administration page. This is the real gatekeeper since
* this assumes that any NTLM authentication from the underlying web server
* is good enough, and only checks that there are values in place for the
* A proxy function for the actual authentication routine.
*
* This is in place so various implementations of grabbing NTLM credentials can
* be used and selected from an administration page. This is the real gatekeeper
* since this assumes that any NTLM authentication from the underlying web
* server is good enough, and only checks that there are values in place for the
* user name, and anything else that is set for a particular implementation. In
* the case that there are no credentials set by the underlying web server, the
* user is redirected to the normal user login form.
*
* @return false
*/
function ldap_sso_user_login_sso() {
......@@ -188,7 +197,7 @@ function ldap_sso_user_login_sso() {
'!server_remote_user' => @$_SERVER['REMOTE_USER'],
'!server_redirect_remote_user' => @$_SERVER['REDIRECT_REMOTE_USER'],
'!ssoRemoteUserStripDomainName' => $auth_conf->ssoRemoteUserStripDomainName,
'!seamlessLogin' => $auth_conf->seamlessLogin
'!seamlessLogin' => $auth_conf->seamlessLogin,
);
watchdog(
......@@ -199,15 +208,13 @@ function ldap_sso_user_login_sso() {
);
}
/**
* Step 1. Derive $remote_user, $realm, and $domain from $_SERVER variable
*/
// Step 1. Derive $remote_user, $realm, and $domain from $_SERVER variable.
$remote_user = NULL;
$realm = NULL;
$domain = NULL;
switch ($auth_conf->ldapImplementation) {
case 'mod_auth_sspi' :
case 'mod_auth_sspi':
$remote_user = FALSE;
if ($remote_user = ldap_servers_get_globals('_SERVER', 'REMOTE_USER')) {
}
......@@ -216,7 +223,7 @@ function ldap_sso_user_login_sso() {
}
break;
case 'mod_auth_kerb' :
case 'mod_auth_kerb':
if ($remote_user = ldap_servers_get_globals('_SERVER', 'REMOTE_USER')) {
}
else {
......@@ -225,7 +232,8 @@ function ldap_sso_user_login_sso() {
if ($remote_user && preg_match('/^([A-Za-z0-9_\-\.]+)@([A-Za-z0-9_\-.]+)$/', $remote_user, $matches)) {
$remote_user = $matches[1];
$realm = $matches[2]; // This can be used later if realms is ever supported properly
// This can be used later if realms is ever supported properly.
$realm = $matches[2];
}
break;
}
......@@ -237,10 +245,9 @@ function ldap_sso_user_login_sso() {
$watchdog_tokens, WATCHDOG_DEBUG);
}
if ($remote_user) {
if ($auth_conf->ssoRemoteUserStripDomainName) {
// might be in form <remote_user>@<domain> or <domain>\<remote_user>
// Might be in form <remote_user>@<domain> or <domain>\<remote_user>.
$domain = NULL;
$exploded = preg_split('/[\@\\\\]/', $remote_user);
if (count($exploded) == 2) {
......@@ -274,7 +281,8 @@ function ldap_sso_user_login_sso() {
'sso_login' => TRUE,
);
// Make sure we're populating the global user object so that we can log this user in.
// Make sure we're populating the global user object so that we can log this
// user in.
global $user;
$user = ldap_authentication_user_login_authenticate_validate(array(), $fake_form_state, TRUE);
......@@ -295,8 +303,8 @@ function ldap_sso_user_login_sso() {
ldap_servers_set_globals('_SESSION', 'seamless_login', 'auto login');
setcookie("seamless_login_attempted", '');
ldap_servers_delete_globals('_SESSION', 'seamless_login_attempted');
// Make sure we tell Drupal to create the session cookie for this authenticated user.
// Make sure we tell Drupal to create the session cookie for this
// authenticated user.
}
user_login_finalize();
if ($auth_conf->ssoNotifyAuthentication) {
......@@ -316,11 +324,9 @@ function ldap_sso_user_login_sso() {
setcookie("seamless_login", 'do not auto login', time() + $auth_conf->cookieExpire, base_path(), "");
ldap_servers_set_globals('_SESSION', 'seamless_login', 'do not auto login');
}
drupal_set_message(theme('ldap_authentication_message_not_found',
array('message' => t('Sorry, your LDAP credentials were not found, ' .
'or the LDAP server is not available. You may log in ' .
'with other credentials on the !user_login_form.',
array('!user_login_form' => l(t('user login form'), 'user/login'))))
drupal_set_message(theme('ldap_authentication_message_not_found', array(
'message' => t('Sorry, your LDAP credentials were not found, or the LDAP server is not available. You may log in with other credentials on the !user_login_form.',
array('!user_login_form' => l(t('user login form'), 'user/login'))))
), 'error');
if ($detailed_watchdog_log) {
watchdog('ldap_authentication', 'ldap_sso_user_login_sso.remote_user.user_fail.drupal_goto user/logint', $watchdog_tokens, WATCHDOG_DEBUG);
......@@ -337,12 +343,9 @@ function ldap_sso_user_login_sso() {
watchdog('ldap_authentication', 'ldap_sso_user_login_sso.no_remote_user.seamlessLogin', $watchdog_tokens, WATCHDOG_DEBUG);
}
}
drupal_set_message(theme('ldap_authentication_message_not_authenticated',
array('message' =>
t('You were not authenticated by the server.
You may log in with your credentials below.')
)
), 'error');
drupal_set_message(theme('ldap_authentication_message_not_authenticated', array(
'message' => t('You were not authenticated by the server. You may log in with your credentials below.'),
)), 'error');
if ($detailed_watchdog_log) {
watchdog('ldap_authentication', 'ldap_sso_user_login_sso.no_remote_user.drupal_goto user/login', $watchdog_tokens, WATCHDOG_DEBUG);
}
......@@ -352,16 +355,19 @@ function ldap_sso_user_login_sso() {
/**
* used to mock $_SERVER, $_SESSION, etc globals for simpletests
* @param string $global_type = _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST
* @param string $key such as 'SERVER_ADDR', 'SERVER_PROTOCAL', etc.
* @param boolean $only_mock_values signifying, don't get actual values when mock values don't exist
* Used to mock $_SERVER, $_SESSION, etc globals for simpletests.
*
* @return mixed value of ldap_simpletest_globals variable for global and key
* or $_SERVER[][], $_ENV[][], etv value if not in a simpletes or mock variable not available
* @param string $global_type
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST.
* @param string $key
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc.
* @param bool $only_mock_values
* Don't get actual values when mock values don't exist.
*
* */
* @return mixed
* ldap_simpletest_globals variable for global and key or $_SERVER[][],
* $_ENV[][], etv value if not in a simpletest or mock variable not available.
*/
function ldap_servers_get_globals($global_type, $key, $only_mock_values = FALSE) {
$simpletest_globals = variable_get('ldap_simpletest_globals', array());
$simpletest = variable_get('ldap_simpletest', FALSE);
......@@ -369,12 +375,22 @@ function ldap_servers_get_globals($global_type, $key, $only_mock_values = FALSE)
if ($simpletest && (isset($simpletest_globals[$global_type][$key]) || $only_mock_values)) {
return ($simpletest_globals[$global_type][$key]) ? $simpletest_globals[$global_type][$key] : NULL;
}
else {
else {
return (isset($GLOBALS[$global_type][$key]) && !$only_mock_values) ? $GLOBALS[$global_type][$key] : NULL;
}
}
/**
* Set globals.
*
* @param string $global_type
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST.
* @param string $key
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc.
* @param string $value
* The value to be set.
*/
function ldap_servers_set_globals($global_type, $key, $value) {
$simpletest_globals = variable_get('ldap_simpletest_globals', array());
$simpletest = variable_get('ldap_simpletest', FALSE);
......@@ -388,6 +404,16 @@ function ldap_servers_set_globals($global_type, $key, $value) {
}
/**
* Delete globals.
*
* @param string $global_type
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST.
* @param string $key
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc.
* @param bool $only_mock_values
* Don't get actual values when mock values don't exist.
*/
function ldap_servers_delete_globals($global_type, $key, $only_mock_values = FALSE) {
$simpletest_globals = variable_get('ldap_simpletest_globals', array());
$simpletest = variable_get('ldap_simpletest', FALSE);
......@@ -400,4 +426,3 @@ function ldap_servers_delete_globals($global_type, $key, $only_mock_values = FAL
}
}
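Review bot: The new docblock for ldap_servers_set_globals declares `@param string $value`, but the existing call at the end of the seamless-login branch in ldap_sso_boot passes `$login_attempted`, which is FALSE when the cookie is absent, so the annotation should be `@param mixed $value` with a note that both FALSE and string values are stored. The new ldap_servers_delete_globals docblock reuses the getter's wording for `$only_mock_values` ("Don't get actual values when mock values don't exist"), which does not describe a delete; its body runs past the hunk so I cannot confirm the flag's semantics, but the text should state what it does for deletion. The rewritten ldap_servers_get_globals docblock also still carries the typo `etv value` in its @return line, which should read `etc. value`. For consistency with the `(int)` casts this commit normalises elsewhere, note that the unchanged `time() + $auth_conf->cookieExpire` in the credentials-not-found branch of ldap_sso_user_login_sso still has neither the cast nor the `-1` session-cookie handling used in ldap_sso_user_logout.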