start.php 7.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220
  1. <?php
  2. /* For licensing terms, see /license.txt */
  3. use ChamiloSession as Session;
  4. use OneLogin\Saml2\Auth;
  5. use OneLogin\Saml2\AuthnRequest;
  6. use OneLogin\Saml2\Settings;
  7. require_once '../../main/inc/global.inc.php';
  8. $pluginKeycloak = api_get_plugin_setting('keycloak', 'tool_enable') === 'true';
  9. if (!$pluginKeycloak) {
  10. api_not_allowed(true);
  11. }
  12. // Create a settings.dist.php
  13. if (file_exists('settings.php')) {
  14. require_once 'settings.php';
  15. } else {
  16. $message = '';
  17. if (api_is_platform_admin()) {
  18. $message = 'Create a settings.php file in plugin/keycloak/';
  19. }
  20. api_not_allowed(true, $message);
  21. }
  22. $content = '';
  23. $auth = new Auth($settingsInfo);
  24. /*if (isset($_REQUEST['delete'])) {
  25. Session::erase('samlNameId');
  26. Session::erase('samlSessionIndex');
  27. Session::erase('samlNameIdFormat');
  28. Session::erase('samlUserdata');
  29. Session::erase('AuthNRequestID');
  30. Session::erase('LogoutRequestID');
  31. echo 'delete all';
  32. exit;
  33. }*/
  34. $settings = new Settings($settingsInfo);
  35. $authRequest = new AuthnRequest($settings);
  36. $samlRequest = $authRequest->getRequest();
  37. $idpData = $settings->getIdPData();
  38. if (isset($_GET['sso'])) {
  39. $auth->login();
  40. // If AuthNRequest ID need to be saved in order to later validate it, do instead
  41. /*$ssoBuiltUrl = $auth->login(null, [], false, false, true);
  42. $_SESSION['AuthNRequestID'] = $auth->getLastRequestID();
  43. header('Pragma: no-cache');
  44. header('Cache-Control: no-cache, must-revalidate');
  45. header('Location: ' . $ssoBuiltUrl);
  46. exit();*/
  47. } elseif (isset($_GET['slo'])) {
  48. /*
  49. if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['url'])) {
  50. $sloUrl = $idpData['singleLogoutService']['url'];
  51. } else {
  52. throw new Exception("The IdP does not support Single Log Out");
  53. }
  54. if (isset($_SESSION['samlSessionIndex']) && !empty($_SESSION['samlSessionIndex'])) {
  55. $logoutRequest = new \OneLogin\Saml2\LogoutRequest($settings, null, $_SESSION['samlSessionIndex']);
  56. } else {
  57. $logoutRequest = new \OneLogin\Saml2\LogoutRequest($settings);
  58. }
  59. $samlRequest = $logoutRequest->getRequest();
  60. $parameters = array('SAMLRequest' => $samlRequest);
  61. $url = \OneLogin\Saml2\Utils::redirect($sloUrl, $parameters, true);
  62. header("Location: $url");
  63. exit;*/
  64. $returnTo = null;
  65. $parameters = [];
  66. $nameId = Session::read('samlNameId');
  67. $sessionIndex = Session::read('samlSessionIndex');
  68. $nameIdFormat = Session::read('samlNameIdFormat');
  69. $auth->logout($returnTo, $parameters, $nameId, $sessionIndex, false, $nameIdFormat);
  70. // If LogoutRequest ID need to be saved in order to later validate it, do instead
  71. // $sloBuiltUrl = $auth->logout(null, [], $nameId, $sessionIndex, true);
  72. /*$_SESSION['LogoutRequestID'] = $auth->getLastRequestID();
  73. header('Pragma: no-cache');
  74. header('Cache-Control: no-cache, must-revalidate');
  75. header('Location: ' . $sloBuiltUrl);
  76. exit();*/
  77. } elseif (isset($_GET['acs'])) {
  78. $requestID = Session::read('AuthNRequestID');
  79. $auth->processResponse($requestID);
  80. $errors = $auth->getErrors();
  81. if (!empty($errors)) {
  82. $content .= '<p>'.implode(', ', $errors).'</p>';
  83. }
  84. if (!$auth->isAuthenticated()) {
  85. api_not_allowed(true, $content.'<p>Not authenticated</p>');
  86. exit;
  87. }
  88. $keyCloackUserName = $auth->getNameId();
  89. $userInfo = api_get_user_info_from_username($keyCloackUserName);
  90. $attributes = $auth->getAttributes();
  91. $userId = 0;
  92. if (!empty($attributes) && empty($userInfo)) {
  93. $firstName = '';
  94. if (isset($attributes['FirstName']) && !empty($attributes['FirstName']) {
  95. $firstName = reset($attributes['FirstName']);
  96. }
  97. $lastName = '';
  98. if (isset($attributes['LastName']) && !empty($attributes['LastName']) {
  99. $lastName = reset($attributes['LastName']);
  100. }
  101. $email = '';
  102. if (isset($attributes['Email']) && !empty($attributes['Email']) {
  103. $email = reset($attributes['Email']);
  104. }
  105. if (empty($email)) {
  106. api_not_allowed(true);
  107. }
  108. $userId = UserManager::create_user(
  109. $firstName,
  110. $lastName,
  111. STUDENT,
  112. $email,
  113. $keyCloackUserName,
  114. '',
  115. '',
  116. '',
  117. '',
  118. '',
  119. 'keycloak'
  120. );
  121. if ($userId) {
  122. $userInfo = api_get_user_info($userId);
  123. }
  124. } else {
  125. // Only load users that were created using this method.
  126. if ($userInfo['auth_source'] === 'keycloak') {
  127. $userId = $userInfo['user_id'];
  128. }
  129. }
  130. if (!empty($userId)) {
  131. // Set chamilo sessions
  132. Session::write('samlUserdata', $auth->getAttributes());
  133. Session::write('samlNameId', $auth->getNameId());
  134. Session::write('samlNameIdFormat', $auth->getNameIdFormat());
  135. Session::write('samlSessionIndex', $auth->getSessionIndex());
  136. Session::erase('AuthNRequestID');
  137. // Filling session variables with new data
  138. Session::write('_uid', $userId);
  139. Session::write('_user', $userInfo);
  140. Session::write('is_platformAdmin', false);
  141. Session::write('is_allowedCreateCourse', false);
  142. } else {
  143. Display::addFlash(Display::return_message(get_lang('InvalidId')));
  144. }
  145. /*if (isset($_POST['RelayState']) && \OneLogin\Saml2\Utils::getSelfURL() != $_POST['RelayState']) {
  146. $auth->redirectTo($_POST['RelayState']);
  147. }*/
  148. header('Location: '.api_get_path(WEB_PATH));
  149. exit;
  150. } elseif (isset($_GET['sls'])) {
  151. $requestID = Session::read('LogoutRequestID');
  152. $auth->processSLO(false, $requestID);
  153. $errors = $auth->getErrors();
  154. if (empty($errors)) {
  155. Session::erase('samlNameId');
  156. Session::erase('samlSessionIndex');
  157. Session::erase('samlNameIdFormat');
  158. Session::erase('samlUserdata');
  159. Session::erase('AuthNRequestID');
  160. Session::erase('LogoutRequestID');
  161. Display::addFlash(Display::return_message('Sucessfully logged out'));
  162. header('Location: '.api_get_path(WEB_PATH));
  163. exit;
  164. } else {
  165. api_not_allowed(true, implode(', ', $errors));
  166. }
  167. }
  168. $template = new Template('');
  169. if (isset($_SESSION['samlUserdata'])) {
  170. $attributes = Session::read('samlUserdata');
  171. $params = [];
  172. if (!empty($attributes)) {
  173. $content .= 'You have the following attributes:<br>';
  174. $content .= '<table class="table"><thead><th>Name</th><th>Values</th></thead><tbody>';
  175. foreach ($attributes as $attributeName => $attributeValues) {
  176. $content .= '<tr><td>'.htmlentities($attributeName).'</td><td><ul>';
  177. foreach ($attributeValues as $attributeValue) {
  178. $content .= '<li>'.htmlentities($attributeValue).'</li>';
  179. }
  180. $content .= '</ul></td></tr>';
  181. }
  182. $content .= '</tbody></table>';
  183. } else {
  184. $content .= "<p>You don't have any attribute</p>";
  185. }
  186. $content .= '<p><a href="?slo" >Logout</a></p>';
  187. } else {
  188. $content .= '<p><a href="?sso" >Login</a></p>';
  189. $content .= '<p><a href="?sso2" >Login and access to attrs.php page</a></p>';
  190. }
  191. $template->assign('content', $content);
  192. $template->display_one_col_template();