From 3ea28768af1293682c25cb11e07b9e377675dc50 Mon Sep 17 00:00:00 2001 From: exe-cutor Date: Fri, 9 Mar 2007 13:20:55 +0000 Subject: [PATCH] Merging authentication changes back to head --- auth/shibboleth/README.txt | 37 ++++++++++++++------------- auth/shibboleth/auth.php | 51 ++++++++++++++++++++++++++----------- auth/shibboleth/config.html | 10 +++++++- auth/shibboleth/index.php | 31 ++++++++++++++-------- 4 files changed, 85 insertions(+), 44 deletions(-) diff --git a/auth/shibboleth/README.txt b/auth/shibboleth/README.txt index 9c655294691..d23f0ce5951 100644 --- a/auth/shibboleth/README.txt +++ b/auth/shibboleth/README.txt @@ -15,7 +15,7 @@ Changes: - 02. 2006: Simplified authentication so that authorization works properly Added instructions for IIS - 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+ - +- 03. 2007: Adapted authentication method to Moodle 1.8 Moodle Configuration with Dual login ------------------------------------------------------------------------------- @@ -36,10 +36,11 @@ Moodle Configuration with Dual login For IIS you have protect the auth/shibboleth directory directly in the RequestMap of the Shibboleth configuration file (shibboleth.xml). See - https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/xmlaccesscontrol?topic=XMLAccessControl + + https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl 2. As Moodle admin, go to the 'Administrations >> Users >> Authentication - Options' and select the 'Shibboleth' authentication method from the pop-up. + Options' and click on the the 'Shibboleth' settings. 3. Fill in the fields of the form. The fields 'Username', 'First name', 'Surname', etc should contain the name of the environment variables of the 
@@ -60,30 +61,30 @@ Moodle Configuration with Dual login lengths for each field in the user profile. ############################################################################# -4. The large text field 'Instructions' must contain a link to the - moodle/auth/shibboleth/index.php file which is protected by - Shibboleth (see step 1) and causes the Shibboleth login procedure to start. - You could also use HTML code in that field, e.g. to create your own - Shibboleth login button. +4. Save the changes for the 'Shibboleth settings'. -5. Save the changes for the Shibboleth authentication method. +5.a If you want Shibboleth as your only authentication method, set the + 'Alternate Login URL' in the 'Common settings' in + 'Administrations >> Users >> Authentication Options' to the the URL of the + file 'moodle/auth/shibboleth/index.php'. This will enforce Shibboleth login. -Moodle Configuration with Shibboleth only login -------------------------------------------------------------------------------- -If you want Shibboleth as your only authentication method, configure Moodle as -described in the dual login section above and do the following steps: +6.b If you want to use another authentication method together with Shibboleth, + in parallel, change the 'Instructions' in the 'Common settings' of the + 'Administrations >> Users >> Authentication Options' to contain a link to the + moodle/auth/shibboleth/index.php file which is protected by + Shibboleth (see step 1) and causes the Shibboleth login procedure to start. + You can also use HTML code in that field, e.g. to include an image as a + Shibboleth login button. -4.a On the Moodle Shibboleth settings page, set the 'Alternate Login URL' to - the URL of the file 'moodle/auth/shibboleth/index.php' - This will enforce Shibboleth login. +7. Save the changes for the 'Common settings'. 
How the Shibboleth authentication works -------------------------------------------------------------------------------- To get Shibboleth authenticated in Moodle a user basically must access the Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only -authentication method (see 4.a), this happens automatically when a user wants to +authentication method (see 5.a), this happens automatically when a user wants to login in Moodle. Otherwise, the user has to click on the link on the login page -you provided in step 4. +you provided in step 5.b. Moodle basically checks whether the Shibboleth attribute that you mapped as the username is present. This attribute should only be present if a user is diff --git a/auth/shibboleth/auth.php b/auth/shibboleth/auth.php index eb759428dee..0a49ae81bb7 100644 --- a/auth/shibboleth/auth.php +++ b/auth/shibboleth/auth.php @@ -1,6 +1,7 @@ user_attribute])) { - return ($_SERVER[$config->user_attribute] == $username); + if (!empty($_SERVER[$this->config->user_attribute])) { + return ($_SERVER[$this->config->user_attribute] == $username); } else { // If we are not, the user has used the manual login and the login name is // unknown, so we return false. 
@@ -58,18 +61,26 @@ class auth_plugin_shibboleth { } } + + + /** + * Returns the user information for 'external' users. In this case the + * attributes provided by Shibboleth + * + * @return array $result Associative array of user data + */ function get_userinfo($username) { // reads user information from shibboleth attributes and return it in array() global $CFG; // Check whether we have got all the essential attributes if ( - empty($_SERVER[$config->user_attribute]) - || empty($_SERVER[$config->field_map_firstname]) - || empty($_SERVER[$config->field_map_lastname]) - || empty($_SERVER[$config->field_map_email]) + empty($_SERVER[$this->config->user_attribute]) + || empty($_SERVER[$this->config->field_map_firstname]) + || empty($_SERVER[$this->config->field_map_lastname]) + || empty($_SERVER[$this->config->field_map_email]) ) { - error(get_string( 'shib_not_all_attributes_error', 'auth' , "'".$config->user_attribute."' ('".$_SERVER[$config->user_attribute]."'), '".$config->field_map_firstname."' ('".$_SERVER[$config->field_map_firstname]."'), '".$config->field_map_lastname."' ('".$_SERVER[$config->field_map_lastname]."') and '".$config->field_map_email."' ('".$_SERVER[$config->field_map_email]."')")); + error(get_string( 'shib_not_all_attributes_error', 'auth' , "'".$this->config->user_attribute."' ('".$_SERVER[$this->config->user_attribute]."'), '".$this->config->field_map_firstname."' ('".$_SERVER[$this->config->field_map_firstname]."'), '".$this->config->field_map_lastname."' ('".$_SERVER[$this->config->field_map_lastname]."') and '".$this->config->field_map_email."' ('".$_SERVER[$this->config->field_map_email]."')")); } $attrmap = $this->get_attributes(); 
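Review bot: The `error(get_string('shib_not_all_attributes_error', ...))` line embeds the raw `$_SERVER` attribute values in the page; these come from the IdP via the SP, and in the header-based deployments the README describes (IIS) may be client-influenced, so unless `error()` escapes its argument (not visible here) this is a reflected-HTML sink. Wrap each interpolated value, e.g. `htmlspecialchars($_SERVER[$this->config->user_attribute])`, before building the message. Note also that `empty()` treats the string `"0"` as missing, so an attribute whose value is literally `0` would be rejected by this check; `!isset(...) || $... === ''` is the stricter test if that matters to your attribute set.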
@@ -84,14 +95,14 @@ class auth_plugin_shibboleth { // Provide an API to modify the information to fit the Moodle internal // data representation if ( - $config->convert_data - && $config->convert_data != '' - && is_readable($config->convert_data) + $this->config->convert_data + && $this->config->convert_data != '' + && is_readable($this->config->convert_data) ) { // Include a custom file outside the Moodle dir to // modify the variable $moodleattributes - include($config->convert_data); + include($this->config->convert_data); } return $result; @@ -151,6 +162,9 @@ class auth_plugin_shibboleth { /** * Processes and stores configuration data for this authentication plugin. + * + * + * @param object $config Configuration object */ function process_config($config) { // set to defaults if undefined @@ -173,11 +187,18 @@ class auth_plugin_shibboleth { set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth'); set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth'); + // Check values and return false if something is wrong + if (!file_exists($config->convert_data) || !is_readable($config->convert_data)){ + return false; + } + return true; } /** * Cleans and returns first of potential many values (multi-valued attributes) + * + * @param string $string Possibly multi-valued attribute from Shibboleth */ function get_first_string($string) { $list = split( ';', $string); diff --git a/auth/shibboleth/config.html b/auth/shibboleth/config.html index e09e6b2a7e9..3d5fa33eb37 100755 --- a/auth/shibboleth/config.html +++ b/auth/shibboleth/config.html @@ -27,6 +27,12 @@ + + : @@ -59,6 +66,7 @@ + : diff --git a/auth/shibboleth/index.php b/auth/shibboleth/index.php index 398688c1637..2f329384c3a 100644 --- a/auth/shibboleth/index.php +++ b/auth/shibboleth/index.php 
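Review bot: The guard around `include($this->config->convert_data)` only checks `is_readable()`, which is also true for a directory, and the `&& $this->config->convert_data != ''` clause is redundant because an empty string is already falsy in the first operand. Since this path is admin-configured and the included file runs with full application privileges on every Shibboleth login, I would tighten the condition to `if (!empty($this->config->convert_data) && is_file($this->config->convert_data) && is_readable($this->config->convert_data)) {`. A one-line comment such as `// convert_data is an admin-supplied PHP file executed on every login; it may rewrite $result` would also help the next maintainer see why this include exists.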
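Review bot: The new validation at the end of `process_config()` runs after every `set_config()` call, so an invalid `convert_data` path is persisted even though the function returns `false`, and because `file_exists('')` is false an empty `convert_data` (the optional case that `get_userinfo()` explicitly tolerates) makes the settings form unsaveable. Move the check to the top of the function and guard it, e.g. `if (!empty($config->convert_data) && (!file_exists($config->convert_data) || !is_readable($config->convert_data))) { return false; }`, so nothing is written when validation fails. The start of `process_config()` (where the defaults are set) lies outside this hunk.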
@@ -2,7 +2,6 @@ // Designed to be redirected from moodle/login/index.php require('../../config.php'); - require('lib.php'); if (isloggedin() && $USER->username != 'guest') { // Nothing to do if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0)) { @@ -18,7 +17,8 @@ } $pluginconfig = get_config('auth/shibboleth'); - + $shibbolethauth = get_auth_plugin('shibboleth'); + // Check whether Shibboleth is configured properly if (empty($pluginconfig->user_attribute)) { error(get_string( 'shib_not_set_up_error', 'auth')); @@ -33,17 +33,22 @@ /// Check if the user has actually submitted login data to us - if ($user = authenticate_user_login($frm->username, $frm->password)) { - - // Let's get them all set up. - $USER = $user; - - add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id); - + if ($shibbolethauth->user_login($frm->username, $frm->password)) { + + $USER = authenticate_user_login($frm->username, $frm->password); + + $USER->loggedin = true; + $USER->site = $CFG->wwwroot; // for added security, store the site in the + update_user_login_times(); set_moodle_cookie($USER->username); set_login_session_preferences(); - + + unset($SESSION->lang); + $SESSION->justloggedin = true; + + add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id); + if (user_not_fully_set_up($USER)) { $urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&course='.SITEID; // We don't delete $SESSION->wantsurl yet, so we get there later @@ -67,6 +72,12 @@ load_all_capabilities(); /// This is what lets the user do anything on the site :-) redirect($urltogo); + + exit; + } + + else { + // For some weird reason the Shibboleth user couldn't be authenticated } }
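Review bot: In the login hunk the return value of `$USER = authenticate_user_login($frm->username, $frm->password);` is no longer checked — the old code branched on it, but the new code branches only on `user_login()`, which just compares the Shibboleth attribute with the submitted username, so if `authenticate_user_login()` returns `false` (account creation fails, user disabled, plugin not enabled, etc.) the following lines set `loggedin` on a non-object and continue through `load_all_capabilities()` and `redirect()` with a bogus `$USER`. Fail closed instead: `if (!($USER = authenticate_user_login($frm->username, $frm->password))) {` / `    error('Shibboleth login failed');  // use a lang string` / `}`. The added comment `// for added security, store the site in the` is truncated; it presumably should read `// for added security, store the site in the session` as in login/index.php — confirm against the source it was copied from.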
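Review bot: The new `else` branch for a failed `user_login()` contains only the comment `// For some weird reason the Shibboleth user couldn't be authenticated` and no action, so a request whose Shibboleth username attribute does not match falls out of the block silently, the user gets no feedback, and whatever code follows the closing braces (outside this hunk) runs for an unauthenticated request. Terminate the request there, e.g. `error('Shibboleth login failed');  // use a lang string` or `redirect($CFG->wwwroot.'/login/index.php');`. The `exit;` after `redirect($urltogo);` is harmless but is probably redundant if `redirect()` already exits, which I cannot confirm from here.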