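<?php
/*
 * studip-sp.php - Shibboleth authentication proxy for Stud.IP
 * Copyright (c) 2007-2011 Elmar Ludwig, Universitaet Osnabrueck
 *
 * Version: 1.3.1
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of
 * the License, or (at your option) any later version.
 */

// load configuration settings (expected to define AUTH_DIR and $service_urls)
require_once 'studip-sp-config.php';

// Two entry points:
//   ?target=<service URL>  issue a one-time token, cache the SP attributes
//                          under it and redirect back to the service
//   /<token> (PATH_INFO)   return the cached attributes for that token once
if (isset($_REQUEST['target'])) {
    $token = generate_token();
    perform_redirect($_REQUEST['target'], $token);
} elseif (isset($_SERVER['PATH_INFO'])) {
    $token = substr($_SERVER['PATH_INFO'], 1);
    validate_token($token);
}

/**
 * Collect the Shibboleth attributes exposed through $_SERVER, store them
 * as JSON under a fresh one-time token in AUTH_DIR and return that token.
 *
 * The token is the only credential protecting the cached identity data,
 * so it is drawn from the system CSPRNG (random_bytes) rather than from
 * md5(uniqid(rand())), whose output is predictable. The data file is only
 * written when REMOTE_USER is set; otherwise the token is still returned
 * but nothing can be redeemed for it.
 *
 * @return string 32 lowercase hexadecimal characters
 */
function generate_token(): string
{
    $userdata = [];

    // Import every $_SERVER entry whose name consists of letters only.
    // Shibboleth attribute names (eppn, mail, sn, ...) match this, while
    // regular CGI variables (REMOTE_ADDR, SERVER_NAME, ...) contain an
    // underscore and are skipped. NOTE(review): letters-only environment
    // variables such as PATH pass this filter as well and end up in the
    // cached data.
    foreach ($_SERVER as $key => $value) {
        if (preg_match('/^[a-zA-Z]+$/', $key)) {
            $userdata[strtolower($key)] = $value;
        }
    }

    // Assign the user name after the import loop so that an attribute
    // named "username" cannot overwrite the identity asserted by the SP.
    $userdata['username'] = $_SERVER['REMOTE_USER'] ?? null;

    // create cache dir if necessary; its files hold identity data, so keep
    // the directory private to the web server user
    if (!file_exists(AUTH_DIR)) {
        mkdir(AUTH_DIR, 0700);
    }

    // 128 random bits, hex encoded (32 chars) so the token satisfies the
    // file name check in validate_token()
    $token = bin2hex(random_bytes(16));

    if (!empty($userdata['username'])) {
        $auth = json_encode($userdata);
        // a failed write leaves the token unredeemable; make that visible
        // in the server log instead of failing silently
        if (file_put_contents(AUTH_DIR . '/' . $token, $auth) === false) {
            error_log('studip-sp: could not write authentication data to ' . AUTH_DIR);
        }
    }

    return $token;
}

/**
 * Redirect the browser back to $target with the token appended as the
 * "token" query parameter, or answer 403 when $target does not belong to
 * one of the configured service URLs.
 *
 * The check is a case-insensitive *prefix* match of $target (query string
 * removed) against the entries of $service_urls. An entry such as
 * "https://host/app" therefore also admits "https://host/application/...";
 * configure entries with a trailing slash or the complete path.
 *
 * @param string $target URL passed via ?target=...
 * @param string $token  token returned by generate_token()
 */
function perform_redirect(string $target, string $token): void
{
    global $service_urls;

    // drop query string from service URL
    [$service_url] = explode('?', $target);

    // check for valid service_url
    foreach ($service_urls as $url) {
        if (strncasecmp($service_url, $url, strlen($url)) === 0) {
            $separator = strpos($target, '?') === false ? '?' : '&';
            header('Location: ' . $target . $separator . 'token=' . $token);
            echo '<html><body></body></html>';
            return;
        }
    }

    header('HTTP/1.1 403 Forbidden');
    echo '<html><head>'
        . '<title>Invalid Service URL</title>'
        . '</head><body>'
        . '<h2>Invalid Service URL</h2>'
        . '<p>The service <tt>' . htmlspecialchars($service_url)
        . '</tt> is not allowed to use this proxy.</p>'
        . '</body></html>';
}

/**
 * Hand out the authentication data cached for $token exactly once.
 *
 * Writes the stored JSON to the response and deletes the file, so a token
 * can be redeemed a single time only. Nothing is output for malformed or
 * unknown tokens.
 *
 * @param string $token value taken from PATH_INFO
 */
function validate_token(string $token): void
{
    // Restrict the token to hex digits before it becomes part of a file
    // name, so PATH_INFO cannot address anything outside AUTH_DIR. \z
    // (unlike $) also rejects a trailing newline.
    if (!preg_match('/^[0-9a-f]+\z/', $token)) {
        return;
    }

    $file = AUTH_DIR . '/' . $token;

    // check for cached authentication data
    if (is_file($file)) {
        readfile($file);
        unlink($file);
    }
}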