5d34287b
Commit
5d34287b
authored
11 years ago
by
Jeff Geerling
Committed by
John Barclay
11 years ago
Issue
#2104117
-1 patch for coder cleanup of ldap sso
parent
1b7fd4cd
ldap_sso/ldap_sso.module
+94
-69
94 additions, 69 deletions
...
...
@@ -26,14 +26,12 @@ function ldap_sso_menu() {
* Implements hook_user_logout().
*
* The user just logged out.
*
*/
function
ldap_sso_user_logout
(
$account
)
{
$auth_conf
=
ldap_authentication_get_valid_conf
();
if
(
$auth_conf
->
seamlessLogin
==
1
)
{
$cookie_string
=
'do not auto login'
;
$cookie_timeout
=
(
int
)
$auth_conf
->
cookieExpire
;
$cookie_timeout
=
(
int
)
$auth_conf
->
cookieExpire
;
setcookie
(
'seamless_login'
,
$cookie_string
,
((
$cookie_timeout
==
-
1
)
?
0
:
$cookie_timeout
+
time
()),
base_path
(),
""
);
ldap_servers_set_globals
(
'_SESSION'
,
'seamless_login'
,
$cookie_string
);
}
...
...
@@ -41,9 +39,10 @@ function ldap_sso_user_logout($account) {
/**
* Implements hook_boot().
* Perform setup tasks. This entry point is used because hook_user_load no
* longer runs on anonymous users, and hook_boot is guaranteed to run,
* regardless of cache
*
* Perform setup tasks. This entry point is used because hook_user_load no
* longer runs on anonymous users, and hook_boot is guaranteed to run,
* regardless of cache.
*/
function
ldap_sso_boot
()
{
...
...
@@ -55,18 +54,19 @@ function ldap_sso_boot() {
module_load_include
(
'module'
,
'ldap_servers'
);
if
(
!
(
isset
(
$_COOKIE
[
'seamless_login'
]))
||
$_COOKIE
[
'seamless_login'
]
==
'auto login'
)
{
if
((
arg
(
0
)
==
'user'
&&
!
(
is_numeric
(
arg
(
1
))))
||
arg
(
0
)
==
'logout'
)
{
if
((
arg
(
0
)
==
'user'
&&
!
(
is_numeric
(
arg
(
1
))))
||
arg
(
0
)
==
'logout'
)
{
return
;
}
else
{
if
(
isset
(
$_COOKIE
[
'seamless_login_attempted'
]))
if
(
isset
(
$_COOKIE
[
'seamless_login_attempted'
]))
{
$login_attempted
=
$_COOKIE
[
'seamless_login_attempted'
];
}
else
{
$login_attempted
=
FALSE
;
}
require_once
(
DRUPAL_ROOT
.
'/includes/common.inc'
)
;
require_once
(
DRUPAL_ROOT
.
'/includes/path.inc'
)
;
require_once
DRUPAL_ROOT
.
'/includes/common.inc'
;
require_once
DRUPAL_ROOT
.
'/includes/path.inc'
;
$ldap_authentication_conf
=
variable_get
(
'ldap_authentication_conf'
,
array
());
if
(
isset
(
$ldap_authentication_conf
[
'seamlessLogin'
])
&&
$ldap_authentication_conf
[
'seamlessLogin'
]
==
1
&&
(
$login_attempted
!=
'true'
))
{
...
...
@@ -74,14 +74,14 @@ function ldap_sso_boot() {
setcookie
(
"seamless_login_attempted"
,
'true'
,
0
,
base_path
(),
""
);
}
else
{
setcookie
(
'seamless_login_attempted'
,
'true'
,
time
()
+
(
int
)
$ldap_authentication_conf
[
'cookieExpire'
],
base_path
(),
""
);
setcookie
(
'seamless_login_attempted'
,
'true'
,
time
()
+
(
int
)
$ldap_authentication_conf
[
'cookieExpire'
],
base_path
(),
""
);
}
ldap_servers_set_globals
(
'_SESSION'
,
'seamless_login_attempted'
,
$login_attempted
);
// removed with http://drupal.org/node/1485118 patch
//$ldap_sso_q = (!isset($_GET['q']) || $_GET['q'] == '') ? 'user' : $_GET['q'];
//drupal_goto('user/login/sso', array('query' => array('destination' => rawurlencode($ldap_sso_q))));
drupal_bootstrap
(
DRUPAL_BOOTSTRAP_LANGUAGE
);
if
(
ldap_sso_path_excluded_from_sso
())
{
// seems redundant, but need to check this again after additional bootstrap
// Seems redundant, but need to check this again after additional
// bootstrap.
if
(
ldap_sso_path_excluded_from_sso
())
{
return
;
}
// Add the query key to the drupal_goto() options array only if there
...
...
@@ -89,8 +89,8 @@ function ldap_sso_boot() {
$options
=
array
();
$destination
=
drupal_get_destination
();
if
(
!
empty
(
$destination
[
'destination'
]))
{
$options
[
'query'
]
=
$destination
;
}
$options
[
'query'
]
=
$destination
;
}
drupal_goto
(
'user/login/sso'
,
$options
);
}
else
{
...
...
@@ -101,28 +101,36 @@ function ldap_sso_boot() {
}
}
/**
* Default excluded paths.
*/
function
ldap_sso_default_excluded_paths
()
{
return
array
(
'admin/config/search/clean-urls/check'
'admin/config/search/clean-urls/check'
,
);
}
/**
* Paths excluded from SSO.
*/
function
ldap_sso_path_excluded_from_sso
(
$path
=
FALSE
)
{
module_load_include
(
'module'
,
'ldap_servers'
);
$result
=
FALSE
;
if
(
$path
)
{
//
d
on't derive
//
D
on't derive
.
}
elseif
(
ldap_servers_get_globals
(
'_SERVER'
,
'PHP_SELF'
)
==
'/index.php'
)
{
$path
=
$_GET
[
'q'
];
}
else
{
$path
=
ltrim
(
ldap_servers_get_globals
(
'_SERVER'
,
'PHP_SELF'
),
'/'
);
// cron.php, etc.
// Cron.php, etc.
$path
=
ltrim
(
ldap_servers_get_globals
(
'_SERVER'
,
'PHP_SELF'
),
'/'
);
}
if
(
in_array
(
$path
,
ldap_sso_default_excluded_paths
()))
{
return
TRUE
;
}
$ldap_authentication_conf
=
variable_get
(
'ldap_authentication_conf'
,
array
());
if
(
isset
(
$ldap_authentication_conf
[
'ssoExcludedHosts'
])
&&
is_array
(
$ldap_authentication_conf
[
'ssoExcludedHosts'
]))
{
...
...
@@ -133,10 +141,9 @@ function ldap_sso_path_excluded_from_sso($path = FALSE) {
}
}
}
if
(
isset
(
$ldap_authentication_conf
[
'ssoExcludedPaths'
]))
{
$patterns
=
join
(
"
\r\n
"
,
$ldap_authentication_conf
[
'ssoExcludedPaths'
]);
$patterns
=
implode
(
"
\r\n
"
,
$ldap_authentication_conf
[
'ssoExcludedPaths'
]);
if
(
$patterns
)
{
if
(
function_exists
(
'drupal_get_path_alias'
))
{
$path
=
drupal_get_path_alias
(
$path
);
...
...
@@ -144,18 +151,21 @@ function ldap_sso_path_excluded_from_sso($path = FALSE) {
$path
=
(
function_exists
(
'drupal_strtolower'
))
?
drupal_strtolower
(
$path
)
:
strtolower
(
$path
);
$to_replace
=
array
(
'/(\r\n?|\n)/'
,
// newlines
'/\\\\\*/'
,
// asterisks
'/(^|\|)\\\\<front\\\\>($|\|)/'
// <front>
// Newlines.
'/(\r\n?|\n)/'
,
// Asterisks.
'/\\\\\*/'
,
// <front>.
'/(^|\|)\\\\<front\\\\>($|\|)/'
,
);
$replacements
=
array
(
'|'
,
'.*'
,
'\1'
.
preg_quote
(
variable_get
(
'site_frontpage'
,
'node'
),
'/'
)
.
'\2'
'\1'
.
preg_quote
(
variable_get
(
'site_frontpage'
,
'node'
),
'/'
)
.
'\2'
,
);
$patterns_quoted
=
preg_quote
(
$patterns
,
'/'
);
$regex
=
'/^('
.
preg_replace
(
$to_replace
,
$replacements
,
$patterns_quoted
)
.
')$/'
;
$result
=
(
bool
)
preg_match
(
$regex
,
$path
);
$result
=
(
bool
)
preg_match
(
$regex
,
$path
);
}
}
...
...
@@ -165,16 +175,15 @@ function ldap_sso_path_excluded_from_sso($path = FALSE) {
/**
* A proxy function for the actual authentication routine. This is in place
* so various implementations of grabbing NTLM credentials can be used and
* selected from an administration page. This is the real gatekeeper since
* this assumes that any NTLM authentication from the underlying web server
* is good enough, and only checks that there are values in place for the
* A proxy function for the actual authentication routine.
*
* This is in place so various implementations of grabbing NTLM credentials can
* be used and selected from an administration page. This is the real gatekeeper
* since this assumes that any NTLM authentication from the underlying web
* server is good enough, and only checks that there are values in place for the
* user name, and anything else that is set for a particular implementation. In
* the case that there are no credentials set by the underlying web server, the
* user is redirected to the normal user login form.
*
* @return false
*/
function
ldap_sso_user_login_sso
()
{
...
...
@@ -188,7 +197,7 @@ function ldap_sso_user_login_sso() {
'!server_remote_user'
=>
@
$_SERVER
[
'REMOTE_USER'
],
'!server_redirect_remote_user'
=>
@
$_SERVER
[
'REDIRECT_REMOTE_USER'
],
'!ssoRemoteUserStripDomainName'
=>
$auth_conf
->
ssoRemoteUserStripDomainName
,
'!seamlessLogin'
=>
$auth_conf
->
seamlessLogin
'!seamlessLogin'
=>
$auth_conf
->
seamlessLogin
,
);
watchdog
(
...
...
@@ -199,15 +208,13 @@ function ldap_sso_user_login_sso() {
);
}
/**
* Step 1. Derive $remote_user, $realm, and $domain from $_SERVER variable
*/
// Step 1. Derive $remote_user, $realm, and $domain from $_SERVER variable.
$remote_user
=
NULL
;
$realm
=
NULL
;
$domain
=
NULL
;
switch
(
$auth_conf
->
ldapImplementation
)
{
case
'mod_auth_sspi'
:
case
'mod_auth_sspi'
:
$remote_user
=
FALSE
;
if
(
$remote_user
=
ldap_servers_get_globals
(
'_SERVER'
,
'REMOTE_USER'
))
{
}
...
...
@@ -216,7 +223,7 @@ function ldap_sso_user_login_sso() {
}
break
;
case
'mod_auth_kerb'
:
case
'mod_auth_kerb'
:
if
(
$remote_user
=
ldap_servers_get_globals
(
'_SERVER'
,
'REMOTE_USER'
))
{
}
else
{
...
...
@@ -225,7 +232,8 @@ function ldap_sso_user_login_sso() {
if
(
$remote_user
&&
preg_match
(
'/^([A-Za-z0-9_\-\.]+)@([A-Za-z0-9_\-.]+)$/'
,
$remote_user
,
$matches
))
{
$remote_user
=
$matches
[
1
];
$realm
=
$matches
[
2
];
// This can be used later if realms is ever supported properly
// This can be used later if realms is ever supported properly.
$realm
=
$matches
[
2
];
}
break
;
}
...
...
@@ -237,10 +245,9 @@ function ldap_sso_user_login_sso() {
$watchdog_tokens
,
WATCHDOG_DEBUG
);
}
if
(
$remote_user
)
{
if
(
$auth_conf
->
ssoRemoteUserStripDomainName
)
{
//
m
ight be in form <remote_user>@<domain> or <domain>\<remote_user>
//
M
ight be in form <remote_user>@<domain> or <domain>\<remote_user>
.
$domain
=
NULL
;
$exploded
=
preg_split
(
'/[\@\\\\]/'
,
$remote_user
);
if
(
count
(
$exploded
)
==
2
)
{
...
...
@@ -274,7 +281,8 @@ function ldap_sso_user_login_sso() {
'sso_login'
=>
TRUE
,
);
// Make sure we're populating the global user object so that we can log this user in.
// Make sure we're populating the global user object so that we can log this
// user in.
global
$user
;
$user
=
ldap_authentication_user_login_authenticate_validate
(
array
(),
$fake_form_state
,
TRUE
);
...
...
@@ -295,8 +303,8 @@ function ldap_sso_user_login_sso() {
ldap_servers_set_globals
(
'_SESSION'
,
'seamless_login'
,
'auto login'
);
setcookie
(
"seamless_login_attempted"
,
''
);
ldap_servers_delete_globals
(
'_SESSION'
,
'seamless_login_attempted'
);
// Make sure we tell Drupal to create the session cookie for this
authenticated user.
// Make sure we tell Drupal to create the session cookie for this
// authenticated user.
}
user_login_finalize
();
if
(
$auth_conf
->
ssoNotifyAuthentication
)
{
...
...
@@ -316,11 +324,9 @@ function ldap_sso_user_login_sso() {
setcookie
(
"seamless_login"
,
'do not auto login'
,
time
()
+
$auth_conf
->
cookieExpire
,
base_path
(),
""
);
ldap_servers_set_globals
(
'_SESSION'
,
'seamless_login'
,
'do not auto login'
);
}
drupal_set_message
(
theme
(
'ldap_authentication_message_not_found'
,
array
(
'message'
=>
t
(
'Sorry, your LDAP credentials were not found, '
.
'or the LDAP server is not available. You may log in '
.
'with other credentials on the !user_login_form.'
,
array
(
'!user_login_form'
=>
l
(
t
(
'user login form'
),
'user/login'
))))
drupal_set_message
(
theme
(
'ldap_authentication_message_not_found'
,
array
(
'message'
=>
t
(
'Sorry, your LDAP credentials were not found, or the LDAP server is not available. You may log in with other credentials on the !user_login_form.'
,
array
(
'!user_login_form'
=>
l
(
t
(
'user login form'
),
'user/login'
))))
),
'error'
);
if
(
$detailed_watchdog_log
)
{
watchdog
(
'ldap_authentication'
,
'ldap_sso_user_login_sso.remote_user.user_fail.drupal_goto user/logint'
,
$watchdog_tokens
,
WATCHDOG_DEBUG
);
...
...
@@ -337,12 +343,9 @@ function ldap_sso_user_login_sso() {
watchdog
(
'ldap_authentication'
,
'ldap_sso_user_login_sso.no_remote_user.seamlessLogin'
,
$watchdog_tokens
,
WATCHDOG_DEBUG
);
}
}
drupal_set_message
(
theme
(
'ldap_authentication_message_not_authenticated'
,
array
(
'message'
=>
t
(
'You were not authenticated by the server.
You may log in with your credentials below.'
)
)
),
'error'
);
drupal_set_message
(
theme
(
'ldap_authentication_message_not_authenticated'
,
array
(
'message'
=>
t
(
'You were not authenticated by the server. You may log in with your credentials below.'
),
)),
'error'
);
if
(
$detailed_watchdog_log
)
{
watchdog
(
'ldap_authentication'
,
'ldap_sso_user_login_sso.no_remote_user.drupal_goto user/login'
,
$watchdog_tokens
,
WATCHDOG_DEBUG
);
}
...
...
@@ -352,16 +355,19 @@ function ldap_sso_user_login_sso() {
/**
* used to mock $_SERVER, $_SESSION, etc globals for simpletests
* @param string $global_type = _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST
* @param string $key such as 'SERVER_ADDR', 'SERVER_PROTOCAL', etc.
* @param boolean $only_mock_values signifying, don't get actual values when mock values don't exist
* Used to mock $_SERVER, $_SESSION, etc globals for simpletests.
*
* @return mixed value of ldap_simpletest_globals variable for global and key
* or $_SERVER[][], $_ENV[][], etv value if not in a simpletes or mock variable not available
* @param string $global_type
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST.
* @param string $key
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc.
* @param bool $only_mock_values
* Don't get actual values when mock values don't exist.
*
* */
* @return mixed
* ldap_simpletest_globals variable for global and key or $_SERVER[][],
* $_ENV[][], etv value if not in a simpletest or mock variable not available.
*/
function
ldap_servers_get_globals
(
$global_type
,
$key
,
$only_mock_values
=
FALSE
)
{
$simpletest_globals
=
variable_get
(
'ldap_simpletest_globals'
,
array
());
$simpletest
=
variable_get
(
'ldap_simpletest'
,
FALSE
);
...
...
@@ -369,12 +375,22 @@ function ldap_servers_get_globals($global_type, $key, $only_mock_values = FALSE)
if
(
$simpletest
&&
(
isset
(
$simpletest_globals
[
$global_type
][
$key
])
||
$only_mock_values
))
{
return
(
$simpletest_globals
[
$global_type
][
$key
])
?
$simpletest_globals
[
$global_type
][
$key
]
:
NULL
;
}
else
{
else
{
return
(
isset
(
$GLOBALS
[
$global_type
][
$key
])
&&
!
$only_mock_values
)
?
$GLOBALS
[
$global_type
][
$key
]
:
NULL
;
}
}
/**
* Set globals.
*
* @param string $global_type
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST.
* @param string $key
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc.
* @param string $value
* The value to be set.
*/
function
ldap_servers_set_globals
(
$global_type
,
$key
,
$value
)
{
$simpletest_globals
=
variable_get
(
'ldap_simpletest_globals'
,
array
());
$simpletest
=
variable_get
(
'ldap_simpletest'
,
FALSE
);
...
...
@@ -388,6 +404,16 @@ function ldap_servers_set_globals($global_type, $key, $value) {
}
/**
* Delete globals.
*
* @param string $global_type
* _SERVER, _ENV, _COOKIE, _GET, _POST, _REQUEST.
* @param string $key
* Such as 'SERVER_ADDR', 'SERVER_PROTOCOL', etc.
* @param bool $only_mock_values
* Don't get actual values when mock values don't exist.
*/
function
ldap_servers_delete_globals
(
$global_type
,
$key
,
$only_mock_values
=
FALSE
)
{
$simpletest_globals
=
variable_get
(
'ldap_simpletest_globals'
,
array
());
$simpletest
=
variable_get
(
'ldap_simpletest'
,
FALSE
);
...
...
@@ -400,4 +426,3 @@ function ldap_servers_delete_globals($global_type, $key, $only_mock_values = FAL
}
}
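Review bot: In ldap_servers_get_globals (the hunk at `@@ -369,12 +375,22 @@`) the simpletest branch is entered when `$only_mock_values` is true even if the mock key is absent, and the return then indexes `$simpletest_globals[$global_type][$key]` unguarded and tests it for truthiness rather than existence, so a missing key raises an undefined-index notice and a legitimately set falsy mock value such as `'0'` comes back as NULL, which diverges from the `isset` check the else branch applies to `$GLOBALS`. The cleanup reformats the `else {` line in that hunk but leaves the expression as is; `return isset($simpletest_globals[$global_type][$key]) ? $simpletest_globals[$global_type][$key] : NULL;` would make the two branches consistent. The function's signature sits in the preceding hunk, so the enclosing block starts outside this one. The same unguarded index appears in ldap_sso_path_excluded_from_sso, where the `/index.php` branch does `$path = $_GET['q'];` without an isset; `$path = isset($_GET['q']) ? $_GET['q'] : '';` keeps the later `in_array` and `preg_match` checks operating on a string.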