From d7c6ac519c9ebe8c039c07ffe726c184b6e2cc3d Mon Sep 17 00:00:00 2001
From: xdrm-brackets
Date: Sat, 3 Mar 2018 14:57:43 +0100
Subject: [PATCH] [module.cas] Now returns login if already validated by [api.core.auth-system-default] [api.core.auth-system-default] implemented permission management with : 'cas_user', 'cas_admin' (cas_user is always here, cas_admin is added only if admin)
---
 build/api/core/AuthSystemDefault.php | 105 ++++++++++++++++++++++++++-
 build/api/module/casController.php | 16 +++-
 2 files changed, 116 insertions(+), 5 deletions(-)
diff --git a/build/api/core/AuthSystemDefault.php b/build/api/core/AuthSystemDefault.php
index e6b5814..17fb4dc 100644
--- a/build/api/core/AuthSystemDefault.php
+++ b/build/api/core/AuthSystemDefault.php
@@ -13,9 +13,68 @@ use \error\core\Err; use \error\core\Error; + use \database\core\Repo; + use \database\repo\professor; class AuthSystemDefault implements AuthSystem{ + + public function __construct(){ + + /* (1) Init session variables + ---------------------------------------------------------*/ + if( !isset($_SESSION['CAS']) || !is_array($_SESSION['CAS']) ) $_SESSION['CAS'] = []; + if( !isset($_SESSION['AUTH']) || !is_array($_SESSION['AUTH']) ) $_SESSION['AUTH'] = []; + + + /* (2) Check CAS + ---------------------------------------------------------*/ + if( isset($_SESSION['CAS']['login']) && isset($_SESSION['CAS']['ticket']) ){ + + /* (1) Get professor repo */ + /** @var professor $prof_repo */ + $prof_repo = Repo::getRepo('professor'); + + /* (2) Get professor with this login */ + $by_login = $prof_repo->getByLogin($_SESSION['CAS']['login']); + + /* (3) If found -> store useful information */ + if( is_array($by_login) && isset($by_login['idProfesseur']) && isset($by_login['admin']) ){ + + $_SESSION['CAS']['admin'] = (bool) $by_login['admin']; + $_SESSION['CAS']['id'] = (int) $by_login['idProfesseur']; + + /* (4) If no login found -> remove CAS auth */ + }else + $_SESSION['CAS'] = []; + + } + + + /* (3) Process AUTH + ---------------------------------------------------------*/ + /* (1) cas_admin | cas_user */ + if( isset($_SESSION['CAS']['admin']) && is_bool($_SESSION['CAS']['admin']) ){ + + // by default: cas_user + $_SESSION['AUTH'] = ['cas_user']; + + // if admin: cas_admin + if( $_SESSION['CAS']['admin'] === true ) + $_SESSION['AUTH'][] = ['cas_admin']; + + } + + /* (2) Other permissions */ + // TODO + } + + + + + + + /* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES * * @expected Liste des permissions attendues 
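Review bot: In step (3) of the constructor, `$_SESSION['AUTH'][] = ['cas_admin'];` appends a one-element array instead of the string, so the `in_array('cas_admin', $_SESSION['AUTH'])` lookup in permission() can never match and no administrator ever receives the cas_admin permission; the line should read `$_SESSION['AUTH'][] = 'cas_admin';`. In the same step, AUTH is only rewritten when `$_SESSION['CAS']['admin']` is a bool, so when step (2) resets `$_SESSION['CAS'] = []` because the stored login no longer resolves to a professor, the `['cas_user']` written on an earlier request survives in `$_SESSION['AUTH']` and the session keeps its permissions without a CAS identity behind them. Rebuilding the list unconditionally at the top of step (3), `$_SESSION['AUTH'] = [];`, makes the derived permissions follow the CAS state on every request. The `admin` flag stored in the session is a cached copy of the repo value that this constructor refreshes on each request via `getByLogin`; a short comment saying so would stop a later reader from treating it as authoritative.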
@@ -24,7 +83,51 @@ * */ public static function permission($expected){ - return new Error(Err::Success); + + /* (1) Check format -> if not array of array(s) -> ERROR + ---------------------------------------------------------*/ + /* (1) If not array -> ERROR */ + if( !is_array($expected) ) + return new Error(Err::FormatError); + + /* (2) If not array of array(s) -> ERROR */ + foreach($expected as $permission_group) + if( !is_array($permission_group) ) + return new Error(Err::FormatError); + + + /* (2) For each OR group + ---------------------------------------------------------*/ + foreach($expected as $OR_group){ + + /* (1) By default suppose the group is valid */ + // -> an empty group will grant permission to all + $valid_group = true; + + /* (2) Check for each AND permission in the group */ + foreach($OR_group as $AND_perm){ + + /* (3) If not in session.auth -> invalidate the permission group */ + if( !in_array($AND_perm, $_SESSION['AUTH']) ){ + + $valid_group = false; + break; + + } + + } + + /* (4) If valid group -> Success */ + if( $valid_group ) + return new Error(Err::Success); + + + } + + + /* (5) If no valid group -> permission error */ + return new Error(Err::PermissionError); + } } diff --git a/build/api/module/casController.php b/build/api/module/casController.php index 3561def..da64137 100644 --- a/build/api/module/casController.php +++ b/build/api/module/casController.php 
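Review bot: `in_array($AND_perm, $_SESSION['AUTH'])` in the inner AND loop uses loose comparison, so a non-string entry in `$expected` (for example `0` or `true`) compares equal to `'cas_user'` under pre-8.0 rules and would validate the group; pass the strict flag, `if( !in_array($AND_perm, $_SESSION['AUTH'], true) ){`. permission() is static and can be reached before the constructor has initialised `$_SESSION['AUTH']`, in which case the missing key warns and `in_array` on null fails rather than denying; reading it through a guard such as `$auth = (isset($_SESSION['AUTH']) && is_array($_SESSION['AUTH'])) ? $_SESSION['AUTH'] : [];` and testing against `$auth` keeps the method fail-closed. The docblock above the method, which starts outside this hunk, should spell out the grant semantics the code implements: `$expected` is a list of OR groups, each group an AND list of permission names, an empty group `[]` grants access to everyone, and an empty `$expected` list grants nobody.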
@@ -27,11 +27,11 @@ class casController{ // login: https://sso.univ-pau.fr/cas/login?service=http://ptut.com:8080/api/v/1.0/cas // validate: https://sso.univ-pau.fr/cas/serviceValidate?ticket=***TICKET***&service=http://ptut.com:8080/api/v/1.0/cas - /* (1) Check validity + /* (1) Check if already connected ---------------------------------------------------------*/ - /* (1) Check origin */ - // TODO - + /* (1) If already -> return @cas_login */ + if( in_array('cas_user', $_SESSION['AUTH']) ) + return ['cas_login' => $_SESSION['CAS']['login']]; /* (2) Fail if no ticket */ if( !isset($_GET['ticket']) || !is_string($_GET['ticket']) || strlen($_GET['ticket']) < 1 ) @@ -68,6 +68,14 @@ class casController{ return ['error' => new Error(Err::PermissionError, 'cannot find cas login')]; + /* (3) Store data in session + ---------------------------------------------------------*/ + $_SESSION['CAS'] = [ + 'login' => $cas_login, + 'ticket' => $ticket + ]; + + return ['cas_login' => $cas_login ];
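Review bot: The new early return `if( in_array('cas_user', $_SESSION['AUTH']) )` reads `$_SESSION['AUTH']` without checking that it exists and uses loose comparison; unless AuthSystemDefault's constructor is guaranteed to have run for this request (not visible here), a missing key warns and `in_array` on null fails, so prefer `if( isset($_SESSION['AUTH']) && is_array($_SESSION['AUTH']) && in_array('cas_user', $_SESSION['AUTH'], true) )`. Because this check precedes the ticket check, a request that carries a fresh `?ticket=` while the session is already authenticated is answered with the stored login and the new ticket is never validated; if switching accounts without first clearing the session is expected, the ticket branch should take precedence. The second hunk in this file, which stores `$cas_login` and `$ticket` in `$_SESSION['CAS']`, runs past the end of what is visible; a `session_regenerate_id(true)` at the point where the session turns from anonymous to authenticated is the usual fixation mitigation and does not appear in the visible lines.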