
function cas_login_check in CAS 5


Implementation of hook_init(). Traps a page load to see if authentication is required.

1 call to cas_login_check()
cas_menu in ./cas.module
Implements hook_menu.

File

./cas.module, line 66

Code

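/**
 * Implementation of hook_init().
 *
 * Traps a page load to see if CAS authentication is required. A visitor
 * who already has a Drupal session is left alone. Otherwise, when
 * _cas_force_login() says the current path needs authentication, the
 * request is handed to phpCAS, the CAS user name is mapped onto a Drupal
 * account (directly by name when 'cas_authmap' is set, else through the
 * authmap table), the account is created on demand when
 * 'cas_user_register' allows it, the roles from 'cas_auto_assigned_role'
 * are applied and the visitor is logged in.
 *
 * Returns nothing. When the login is rejected an error message is set and
 * the visitor stays anonymous; some branches end the request through
 * drupal_goto() or cas_login_page().
 */
function cas_login_check() {
  global $user;

  if ($user->uid) {
    // Already logged into Drupal; nothing to do.
    return;
  }
  if (!_cas_force_login()) {
    return;
  }

  $cas_user_register = variable_get('cas_user_register', 1);
  $cas_authmap = variable_get('cas_authmap', 0);

  // Roles granted to every CAS-authenticated account. The setting is keyed
  // by role id, so it is intersected with the site's current role list.
  // NOTE(review): the default array(DRUPAL_AUTHENTICATED_RID) is a list
  // (key 0), so with no saved setting nothing matches - confirm intended.
  $auto_roles = variable_get('cas_auto_assigned_role', array(
    DRUPAL_AUTHENTICATED_RID,
  ));
  $cas_roles = array();
  foreach (user_roles() as $rid => $role_name) {
    if (array_key_exists($rid, $auto_roles)) {
      $cas_roles[$rid] = $rid;
    }
  }

  $server_version = (string) variable_get('cas_version', '2.0');
  $server_cas_server = (string) variable_get('cas_server', '');
  $server_port = (int) variable_get('cas_port', '443');
  $server_uri = (string) variable_get('cas_uri', '');
  $cas_domain = (string) variable_get('cas_domain', '');
  $cas_cert_verify = (string) variable_get('cas_cert_verify', CAS_NO_VERIFY);
  $cas_cert = (string) variable_get('cas_cert', '');

  // Remember where the visitor was going, then set up the phpCAS client.
  // Drupal takes care of its own session, so phpCAS must not start one.
  $start_session = FALSE;
  cas_save_page();
  phpCAS::client($server_version, $server_cas_server, $server_port, $server_uri, $start_session);

  // CAS server certificate validation. setNoCasServerValidation() only
  // exists in phpCAS 0.6 or greater, so test for it before configuring.
  // With the CAS_NO_VERIFY default the CAS server's certificate is not
  // checked at all; CAS_VERIFY / CAS_CA_VERIFY pin it to 'cas_cert'.
  // The class name must be a string here: a bare phpCAS constant is an
  // undefined-constant notice (and an error on newer PHP).
  if (is_callable(array('phpCAS', 'setNoCasServerValidation'))) {
    switch ($cas_cert_verify) {
      case CAS_NO_VERIFY:
        phpCAS::setNoCasServerValidation();
        break;
      case CAS_VERIFY:
        phpCAS::setCasServerCert($cas_cert);
        break;
      case CAS_CA_VERIFY:
        phpCAS::setCasServerCACert($cas_cert);
        break;
    }
  }

  // Force CAS authentication. Newer versions of the cas client use
  // authenticateIfNeeded(); older versions only have forceAuthentication().
  if (is_callable(array('phpCAS', 'authenticateIfNeeded'))) {
    phpCAS::authenticateIfNeeded();
  }
  else {
    phpCAS::forceAuthentication();
  }
  $cas_name = phpCAS::getUser();

  // Invoke hook_auth_transform($op, &$username): let other modules change
  // the login name, e.g. when phpCAS::getUser() returns something like
  // it:johndoe:10.10.1.2:200805064255, or when local names need a "@cas"
  // suffix. This must happen before the blocked/denied checks below so
  // they see the final name.
  cas_invoke_auth_transform($cas_name);

  // Invoke hook_auth_filter($op, &$username): let other modules reject
  // some CAS logins, e.g. only people with an LDAP home directory.
  //
  // $cas_name is supplied by the CAS server, not by this site, so every
  // message that echoes it goes through a t() placeholder, which escapes
  // it before it reaches the page.
  if (cas_invoke_auth_filter($cas_name) === FALSE) {
    drupal_set_message(t('The user account %name is not available on this site.', array(
      '%name' => $cas_name,
    )), 'error');
    return;
  }
  if (user_is_blocked($cas_name)) {
    // Blocked in user administration.
    drupal_set_message(t('The username %name has been blocked.', array(
      '%name' => $cas_name,
    )), 'error');
    return;
  }
  if (drupal_is_denied('user', $cas_name)) {
    // Denied by access controls.
    drupal_set_message(t('The name %name is a reserved username.', array(
      '%name' => $cas_name,
    )), 'error');
    return;
  }

  // Map the CAS name onto a Drupal account.
  if ($cas_authmap) {
    // Users are native Drupal accounts; look them up by name, no authmap.
    $user = user_load(array(
      'name' => $cas_name,
    ));
  }
  else {
    // Users are external; the authmap table links CAS names to accounts.
    $user = user_external_load($cas_name);
    if (!$user->uid && variable_get('cas_hijack_user', 0)) {
      // Optionally take over an existing local account of the same name
      // and record the CAS name in the authmap for it.
      $user = user_load(array(
        'name' => $cas_name,
      ));
      if ($user->uid) {
        user_set_authmaps($user, array(
          'authname_cas' => $cas_name,
        ));
      }
    }
  }

  // No matching account: register one if the site allows it.
  if (!$user->uid && $cas_user_register == 1) {
    $user_default = array(
      'name' => $cas_name,
      'pass' => user_password(),
      'init' => db_escape_string($cas_name),
      'status' => 1,
      'roles' => $cas_roles,
    );
    if (!$cas_authmap) {
      $user_default['authname_cas'] = $cas_name;
    }
    if ($cas_domain) {
      $user_default['mail'] = $cas_name . '@' . $cas_domain;
    }

    // Become user 1 to be able to save profile information, then save the
    // new account and become the new user.
    $user = user_load(array(
      'uid' => 1,
    ));
    $user = user_save('', $user_default);
    watchdog('user', t('new user: %n (CAS)', array(
      '%n' => $user->name,
    )), WATCHDOG_NOTICE, l(t('edit user'), "admin/user/edit/{$user->uid}"));

    if ($user->uid && $user->uid > 0 && $cas_authmap) {
      // Native accounts are logged in right away and sent to their edit
      // form; drupal_goto() ends the request here.
      module_invoke_all('user', 'login', null, $user);
      unset($_SESSION['cas_goto']);
      watchdog('user', t('Session opened for %name.', array(
        '%name' => $user->name,
      )));
      drupal_goto("user/" . $user->uid . "/edit");
    }

    // Mark this session as the account's initial login.
    $_SESSION['cas_first_login'] = true;
  }

  // Final check to make sure we have a good user.
  if ($user->uid && $user->uid > 0) {
    // LDAPAuth interfacing: optionally pull group membership from LDAP.
    if (variable_get('cas_useldap_groups', '')) {
      if ($ldap_config_name = _get_ldap_config_name($user->name)) {
        _ldapauth_init($ldap_config_name);
        include_once 'modules/ldap_integration/ldapgroups.module';
        $user->ldap_authentified = true;
        ldapgroups_user_login($user);
      }
    }

    // Apply the auto-assigned roles and reset the local password to a
    // fresh random value on every login.
    $roles = $user->roles;
    foreach ($cas_roles as $rid) {
      $roles[$rid] = $rid;
    }
    $user = user_save($user, array(
      'pass' => user_password(),
      'roles' => $roles,
    ));
    module_invoke_all('user', 'login', null, $user);
    // The message template is a site setting; the user name is escaped by
    // the placeholder.
    drupal_set_message(t(variable_get('cas_login_message', 'Logged in via CAS as %cas_username.'), array(
      '%cas_username' => $user->name,
    )));
    watchdog('user', t('Session opened for %name.', array(
      '%name' => $user->name,
    )));

    // We can't count on the menu because we're changing login states.
    cas_login_page();
  }
  else {
    // Login did not produce a usable account: drop the session and
    // continue as anonymous.
    session_destroy();
    $user = drupal_anonymous_user();
  }
}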