[module.cas] Now returns login if already validated by [api.core.auth-system-default]

[api.core.auth-system-default] implemented permission management with : 'cas_user', 'cas_admin' (cas_user is always here, cas_admin is added only if admin)
This commit is contained in:
xdrm-brackets 2018-03-03 14:57:43 +01:00
parent 3a2eaefd7f
commit d7c6ac519c
2 changed files with 116 additions and 5 deletions

View File

@ -13,9 +13,68 @@
use \error\core\Err;
use \error\core\Error;
use \database\core\Repo;
use \database\repo\professor;
class AuthSystemDefault implements AuthSystem{
public function __construct(){
/* (1) Init session variables
---------------------------------------------------------*/
if( !isset($_SESSION['CAS']) || !is_array($_SESSION['CAS']) ) $_SESSION['CAS'] = [];
if( !isset($_SESSION['AUTH']) || !is_array($_SESSION['AUTH']) ) $_SESSION['AUTH'] = [];
/* (2) Check CAS
---------------------------------------------------------*/
if( isset($_SESSION['CAS']['login']) && isset($_SESSION['CAS']['ticket']) ){
/* (1) Get professor repo */
/** @var professor $prof_repo */
$prof_repo = Repo::getRepo('professor');
/* (2) Get professor with this login */
$by_login = $prof_repo->getByLogin($_SESSION['CAS']['login']);
/* (3) If found -> store useful information */
if( is_array($by_login) && isset($by_login['idProfesseur']) && isset($by_login['admin']) ){
$_SESSION['CAS']['admin'] = (bool) $by_login['admin'];
$_SESSION['CAS']['id'] = (int) $by_login['idProfesseur'];
/* (4) If no login found -> remove CAS auth */
}else
$_SESSION['CAS'] = [];
}
/* (3) Process AUTH
---------------------------------------------------------*/
/* (1) cas_admin | cas_user */
if( isset($_SESSION['CAS']['admin']) && is_bool($_SESSION['CAS']['admin']) ){
// by default: cas_user
$_SESSION['AUTH'] = ['cas_user'];
// if admin: cas_admin
if( $_SESSION['CAS']['admin'] === true )
$_SESSION['AUTH'][] = ['cas_admin'];
}
/* (2) Other permissions */
// TODO
}
/* VERIFICATION DES ACCES EN FONCTION DE PERMISSIONS ATTENDUES
*
* @expected<array> Liste des permissions attendues
@ -24,7 +83,51 @@
*
*/
public static function permission($expected){
/* (1) Check format -> if not array of array(s) -> ERROR
---------------------------------------------------------*/
/* (1) If not array -> ERROR */
if( !is_array($expected) )
return new Error(Err::FormatError);
/* (2) If not array of array(s) -> ERROR */
foreach($expected as $permission_group)
if( !is_array($permission_group) )
return new Error(Err::FormatError);
/* (2) For each OR group
---------------------------------------------------------*/
foreach($expected as $OR_group){
/* (1) By default suppose the group is valid */
// -> an empty group will grant permission to all
$valid_group = true;
/* (2) Check for each AND permission in the group */
foreach($OR_group as $AND_perm){
/* (3) If not in session.auth -> invalidate the permission group */
if( !in_array($AND_perm, $_SESSION['AUTH']) ){
$valid_group = false;
break;
}
}
/* (4) If valid group -> Success */
if( $valid_group )
return new Error(Err::Success);
}
/* (5) If no valid group -> permission error */
return new Error(Err::PermissionError);
}
}

View File

@ -27,11 +27,11 @@ class casController{
// login: https://sso.univ-pau.fr/cas/login?service=http://ptut.com:8080/api/v/1.0/cas
// validate: https://sso.univ-pau.fr/cas/serviceValidate?ticket=***TICKET***&service=http://ptut.com:8080/api/v/1.0/cas
/* (1) Check validity
/* (1) Check if already connected
---------------------------------------------------------*/
/* (1) Check origin */
// TODO
/* (1) If already -> return @cas_login */
if( in_array('cas_user', $_SESSION['AUTH']) )
return ['cas_login' => $_SESSION['CAS']['login']];
/* (2) Fail if no ticket */
if( !isset($_GET['ticket']) || !is_string($_GET['ticket']) || strlen($_GET['ticket']) < 1 )
@ -68,6 +68,14 @@ class casController{
return ['error' => new Error(Err::PermissionError, 'cannot find cas login')];
/* (3) Store data in session
---------------------------------------------------------*/
$_SESSION['CAS'] = [
'login' => $cas_login,
'ticket' => $ticket
];
return ['cas_login' => $cas_login ];