From 5117d5989916a2f5d612ea446401ec30662abf8b Mon Sep 17 00:00:00 2001
From: Petr Skoda
Date: Sun, 1 Nov 2009 11:55:14 +0000
Subject: [PATCH] MDL-20700 coding style cleanup - cvs keywords removed, closign php tag removed, trailing whitespace cleanup
---
 auth/README.txt | 2 +-
 auth/cas/auth.php | 10 +--
 auth/cas/cas_ldap_sync_users.php | 1 -
 auth/cas/config.html | 14 ++--
 auth/cas/languages.php | 4 --
 auth/db/auth.php | 2 +-
 auth/db/auth_db_sync_users.php | 1 -
 auth/email/auth.php | 14 ++--
 auth/email/config.html | 2 +-
 auth/fc/auth.php | 2 +-
 auth/imap/auth.php | 2 +-
 auth/ldap/auth.php | 28 ++++----
 auth/ldap/auth_ldap_sync_users.php | 2 +-
 auth/ldap/config.html | 2 +-
 auth/ldap/ntlmsso_finish.php | 2 +-
 auth/ldap/ntlmsso_magic.php | 6 +-
 auth/manual/auth.php | 8 +--
 auth/mnet/auth.php | 6 +-
 auth/mnet/jump.php | 2 +-
 auth/mnet/land.php | 2 +-
 auth/nntp/auth.php | 2 +-
 auth/nologin/auth.php | 2 +-
 auth/none/auth.php | 2 +-
 auth/pam/auth.php | 2 +-
 auth/pop3/auth.php | 2 +-
 auth/radius/auth.php | 2 +-
 auth/shibboleth/README.txt | 108 ++++++++++++++---------------
 auth/shibboleth/auth.php | 86 +++++++++++------------
 auth/shibboleth/config.html | 10 +--
 auth/shibboleth/index.php | 28 ++++----
 auth/shibboleth/index_form.html | 10 +--
 auth/shibboleth/login.php | 12 ++--
 auth/shibboleth/logout.php | 76 ++++++++++----------
 auth/webservice/auth.php | 4 +-
 34 files changed, 224 insertions(+), 234 deletions(-)
diff --git a/auth/README.txt b/auth/README.txt
index 7597615f064..48337b4e7f4 100644
--- a/auth/README.txt
+++ b/auth/README.txt
@@ -120,7 +120,7 @@ They contain the same functions that were previously in each plugin's lib.php fi but refactored to become class methods, and tweaked to reference the plugin's instantiated config to get at the settings, rather than the global $CFG variable. -When creating new plugins you can either extend the abstract auth_plugin_base class +When creating new plugins you can either extend the abstract auth_plugin_base class (defined in lib/authlib.php) or create a new one and implement all methods from auth_plugin_base. diff --git a/auth/cas/auth.php b/auth/cas/auth.php index 0ecb2053873..d9ec82969f6 100644 --- a/auth/cas/auth.php +++ b/auth/cas/auth.php @@ -122,7 +122,7 @@ class auth_plugin_cas extends auth_plugin_base { $frm->password="guest"; return; } - + if ($this->config->multiauth) { $authCAS = optional_param("authCAS", '', PARAM_RAW); if ($authCAS=="NOCAS") @@ -443,7 +443,7 @@ if ( !is_object($PHPCAS_CLIENT) ) { */ function ldap_connect($binddn='',$bindpwd='') { // Cache ldap connections (they are expensive to set up - // and can drain the TCP/IP ressources on the server if we + // and can drain the TCP/IP ressources on the server if we // are syncing a lot of users (as we try to open a new connection // to get the user details). This is the least invasive way // to reuse existing connections without greater code surgery. @@ -488,7 +488,7 @@ if ( !is_object($PHPCAS_CLIENT) ) { if ($bindresult) { // Set the connection counter so we can call PHP's ldap_close() // when we call $this->ldap_close() for the last 'open' connection. - $this->ldapconns = 1; + $this->ldapconns = 1; $this->ldapconnection = $connresult; return $connresult; } 
@@ -695,7 +695,7 @@ if ( !is_object($PHPCAS_CLIENT) ) { // find users in DB that aren't in ldap -- to be removed! // this is still not as scalable (but how often do we mass delete?) if (!empty($this->config->removeuser)) { - $sql = "SELECT u.id, u.username, u.email, u.auth + $sql = "SELECT u.id, u.username, u.email, u.auth FROM {user} u LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = ?) WHERE u.auth='cas' @@ -1139,4 +1139,4 @@ if (!empty($this->config->attrcreators)) { return $text; } } -?> + diff --git a/auth/cas/cas_ldap_sync_users.php b/auth/cas/cas_ldap_sync_users.php index 15454bc7c21..2c16f13bda5 100644 --- a/auth/cas/cas_ldap_sync_users.php +++ b/auth/cas/cas_ldap_sync_users.php @@ -44,4 +44,3 @@ if (!is_enabled_auth('cas')) { $casauth = get_auth_plugin('cas'); $casauth->sync_users(true); -?> \ No newline at end of file diff --git a/auth/cas/config.html b/auth/cas/config.html index a4ceb20212b..1bb2fe8d1f7 100644 --- a/auth/cas/config.html +++ b/auth/cas/config.html @@ -16,31 +16,31 @@ // set to defaults if undefined (CAS) - if (!isset ($config->hostname)) + if (!isset ($config->hostname)) $config->hostname = ''; - if (!isset ($config->port)) + if (!isset ($config->port)) $config->port = ''; - if (!isset ($config->casversion)) + if (!isset ($config->casversion)) $config->casversion = ''; - if (!isset ($config->baseuri)) + if (!isset ($config->baseuri)) $config->baseuri = ''; - if (!isset ($config->language)) + if (!isset ($config->language)) $config->language = ''; - if (!isset ($config->proxycas)) + if (!isset ($config->proxycas)) $config->proxycas = ''; - if (!isset ($config->logoutcas)) + if (!isset ($config->logoutcas)) $config->logoutcas = ''; diff --git a/auth/cas/languages.php b/auth/cas/languages.php index 9edb8e768ed..88007856fdd 100644 --- a/auth/cas/languages.php +++ b/auth/cas/languages.php @@ -1,7 +1,5 @@ "English", "french" => "French"); - -?> 
diff --git a/auth/db/auth.php b/auth/db/auth.php index b23b65ce32e..4cc1865ba44 100644 --- a/auth/db/auth.php +++ b/auth/db/auth.php @@ -702,4 +702,4 @@ class auth_plugin_db extends auth_plugin_base { } } -?> + diff --git a/auth/db/auth_db_sync_users.php b/auth/db/auth_db_sync_users.php index d6eb5e7c714..fe476a5b858 100644 --- a/auth/db/auth_db_sync_users.php +++ b/auth/db/auth_db_sync_users.php @@ -43,4 +43,3 @@ if (!is_enabled_auth('db')) { $dbauth = get_auth_plugin('db'); $dbauth->sync_users(true); -?> \ No newline at end of file diff --git a/auth/email/auth.php b/auth/email/auth.php index 01304c86115..5b709d2cc89 100644 --- a/auth/email/auth.php +++ b/auth/email/auth.php @@ -76,13 +76,13 @@ class auth_plugin_email extends auth_plugin_base { function user_signup($user, $notify=true) { global $CFG, $DB; require_once($CFG->dirroot.'/user/profile/lib.php'); - + $user->password = hash_internal_user_password($user->password); if (! ($user->id = $DB->insert_record('user', $user)) ) { print_error('auth_emailnoinsert','auth_email'); } - + /// Save any custom profile field information profile_save_data($user); @@ -201,15 +201,15 @@ class auth_plugin_email extends auth_plugin_base { */ function process_config($config) { // set to defaults if undefined - if (!isset($config->recaptcha)) { - $config->recaptcha = false; + if (!isset($config->recaptcha)) { + $config->recaptcha = false; } - + // save settings set_config('recaptcha', $config->recaptcha, 'auth/email'); return true; } - + /** * Returns whether or not the captcha element is enabled, and the admin settings fulfil its requirements. * @return bool @@ -221,4 +221,4 @@ class auth_plugin_email extends auth_plugin_base { } -?> + diff --git a/auth/email/config.html b/auth/email/config.html index 7ef72f6435f..b7a558d9c1e 100644 --- a/auth/email/config.html +++ b/auth/email/config.html @@ -22,7 +22,7 @@ echo $OUTPUT->select(html_select::make($yesno, 'recaptcha', $config->recaptcha, false)); ?> - + + 
diff --git a/auth/imap/auth.php b/auth/imap/auth.php index a8ed884cc96..e8028c3054d 100644 --- a/auth/imap/auth.php +++ b/auth/imap/auth.php @@ -151,4 +151,4 @@ class auth_plugin_imap extends auth_plugin_base { } -?> + diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php index 2bcf07ad582..bc65003facc 100644 --- a/auth/ldap/auth.php +++ b/auth/ldap/auth.php @@ -628,7 +628,7 @@ class auth_plugin_ldap extends auth_plugin_base { // find users in DB that aren't in ldap -- to be removed! // this is still not as scalable (but how often do we mass delete?) if (!empty($this->config->removeuser)) { - $sql = "SELECT u.id, u.username, u.email, u.auth + $sql = "SELECT u.id, u.username, u.email, u.auth FROM {user} u LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = ?) WHERE u.auth='ldap' @@ -1518,7 +1518,7 @@ class auth_plugin_ldap extends auth_plugin_base { */ function ldap_connect($binddn='',$bindpwd='') { // Cache ldap connections (they are expensive to set up - // and can drain the TCP/IP ressources on the server if we + // and can drain the TCP/IP ressources on the server if we // are syncing a lot of users (as we try to open a new connection // to get the user details). This is the least invasive way // to reuse existing connections without greater code surgery. @@ -1575,7 +1575,7 @@ class auth_plugin_ldap extends auth_plugin_base { if ($bindresult) { // Set the connection counter so we can call PHP's ldap_close() // when we call $this->ldap_close() for the last 'open' connection. - $this->ldapconns = 1; + $this->ldapconns = 1; $this->ldapconnection = $connresult; return $connresult; } @@ -1799,7 +1799,7 @@ class auth_plugin_ldap extends auth_plugin_base { // HTTPS is potentially required httpsrequired(); - + if (($_SERVER['REQUEST_METHOD'] === 'GET' // Only on initial GET of loginpage || ($_SERVER['REQUEST_METHOD'] === 'POST' && (get_referer() != strip_querystring(qualified_me())))) 
@@ -1834,7 +1834,7 @@ class auth_plugin_ldap extends auth_plugin_base { redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php'); } } - + // No NTLM SSO, Use the normal login page instead. // If $SESSION->wantsurl is empty and we have a 'Referer:' header, the login @@ -1852,9 +1852,9 @@ class auth_plugin_ldap extends auth_plugin_base { /** * To be called from a page running under NTLM's - * "Integrated Windows Authentication". + * "Integrated Windows Authentication". * - * If successful, it will set a special "cookie" (not an HTTP cookie!) + * If successful, it will set a special "cookie" (not an HTTP cookie!) * in cache_flags under the "auth/ldap/ntlmsess" "plugin" and return true. * The "cookie" will be picked up by ntlmsso_finish() to complete the * process. @@ -1862,7 +1862,7 @@ class auth_plugin_ldap extends auth_plugin_base { * On failure it will return false for the caller to display an appropriate * error message (probably saying that Integrated Windows Auth isn't enabled!) * - * NOTE that this code will execute under the OS user credentials, + * NOTE that this code will execute under the OS user credentials, * so we MUST avoid dealing with files -- such as session files. * (The caller should define('NO_MOODLE_COOKIES', true) before including config.php) * @@ -1886,13 +1886,13 @@ class auth_plugin_ldap extends auth_plugin_base { } /** - * Find the session set by ntlmsso_magic(), validate it and + * Find the session set by ntlmsso_magic(), validate it and * call authenticate_user_login() to authenticate the user through * the auth machinery. - * + * * It is complemented by a similar check in user_login(). - * - * If it succeeds, it never returns. + * + * If it succeeds, it never returns. * */ function ntlmsso_finish() { @@ -1932,7 +1932,7 @@ class auth_plugin_ldap extends auth_plugin_base { } // Should never reach here. return false; - } + } /** * Sync roles for this user @@ -2236,4 +2236,4 @@ class auth_plugin_ldap extends auth_plugin_base { } -?> + 
diff --git a/auth/ldap/auth_ldap_sync_users.php b/auth/ldap/auth_ldap_sync_users.php index 22a38d50f7a..45cbb8e4046 100755 --- a/auth/ldap/auth_ldap_sync_users.php +++ b/auth/ldap/auth_ldap_sync_users.php @@ -42,4 +42,4 @@ if (!is_enabled_auth('ldap')) { $ldapauth = get_auth_plugin('ldap'); $ldapauth->sync_users(true); -?> + diff --git a/auth/ldap/config.html b/auth/ldap/config.html index 4c6a8b22473..d00f7dd012d 100644 --- a/auth/ldap/config.html +++ b/auth/ldap/config.html @@ -49,7 +49,7 @@ {$config->forcechangepassword = 0; } if (!isset($config->stdchangepassword)) {$config->stdchangepassword = 0; } - if (!isset($config->passtype)) + if (!isset($config->passtype)) {$config->passtype = 'plaintext';} if (!isset($config->changepasswordurl)) {$config->changepasswordurl = ''; } diff --git a/auth/ldap/ntlmsso_finish.php b/auth/ldap/ntlmsso_finish.php index 93e7455980a..5e26b76c889 100644 --- a/auth/ldap/ntlmsso_finish.php +++ b/auth/ldap/ntlmsso_finish.php @@ -31,6 +31,6 @@ if (!$authplugin->ntlmsso_finish()) { $PAGE->set_title("$site->fullname: $loginsite"); $PAGE->set_heading($site->fullname); echo $OUTPUT->header(); - redirect($CFG->httpswwwroot . '/login/index.php?authldap_skipntlmsso=1', + redirect($CFG->httpswwwroot . '/login/index.php?authldap_skipntlmsso=1', get_string('ntlmsso_failed','auth_ldap'), 3); } diff --git a/auth/ldap/ntlmsso_magic.php b/auth/ldap/ntlmsso_magic.php index 8636a913c3f..e42cbeece1e 100644 --- a/auth/ldap/ntlmsso_magic.php +++ b/auth/ldap/ntlmsso_magic.php @@ -24,14 +24,14 @@ if (empty($authplugin->config->ntlmsso_enabled)) { $sesskey = required_param('sesskey', PARAM_RAW); $file = $CFG->dirroot . '/pix/spacer.gif'; -if ($authplugin->ntlmsso_magic($sesskey) +if ($authplugin->ntlmsso_magic($sesskey) && file_exists($file)) { if (!empty($authplugin->config->ntlmsso_ie_fastpath)) { if (check_browser_version('MSIE')) { redirect($CFG->wwwroot . '/auth/ldap/ntlmsso_finish.php'); } - } + } // Serve GIF // Type 
@@ -47,4 +47,4 @@ if ($authplugin->ntlmsso_magic($sesskey) print_error('ntlmsso_iwamagicnotenabled','auth_ldap'); } -?> + diff --git a/auth/manual/auth.php b/auth/manual/auth.php index cdc22251053..4010c8f9b62 100644 --- a/auth/manual/auth.php +++ b/auth/manual/auth.php @@ -121,10 +121,10 @@ class auth_plugin_manual extends auth_plugin_base { /** * Confirm the new user as registered. This should normally not be used, - * but it may be necessary if the user auth_method is changed to manual + * but it may be necessary if the user auth_method is changed to manual * before the user is confirmed. */ - function user_confirm($username, $confirmsecret = null) { + function user_confirm($username, $confirmsecret = null) { global $DB; $user = get_complete_user_data('username', $username); @@ -132,7 +132,7 @@ class auth_plugin_manual extends auth_plugin_base { if (!empty($user)) { if ($user->confirmed) { return AUTH_CONFIRM_ALREADY; - } else { + } else { if (!$DB->set_field("user", "confirmed", 1, array("id"=>$user->id))) { return AUTH_CONFIRM_FAIL; } @@ -148,4 +148,4 @@ class auth_plugin_manual extends auth_plugin_base { } -?> + diff --git a/auth/mnet/auth.php b/auth/mnet/auth.php index 052fdf52046..c3a4f999ad7 100644 --- a/auth/mnet/auth.php +++ b/auth/mnet/auth.php @@ -1,4 +1,4 @@ -username); $logEntryObj = $this->trim_logline($logEntryObj); - $insertok = $DB->insert_record('mnet_log', $logEntryObj, false); + $insertok = $DB->insert_record('mnet_log', $logEntryObj, false); if ($insertok) { $MNET_REMOTE_CLIENT->last_log_id = $logEntryObj->remoteid; @@ -1349,5 +1349,3 @@ class auth_plugin_mnet extends auth_plugin_base { } - -?> diff --git a/auth/mnet/jump.php b/auth/mnet/jump.php index 6a4f23cb830..f65a25c9385 100644 --- a/auth/mnet/jump.php +++ b/auth/mnet/jump.php @@ -46,4 +46,4 @@ if (empty($url)) { } redirect($url); -?> + diff --git a/auth/mnet/land.php b/auth/mnet/land.php index 96ba3e9acbc..e3ae0fe4c57 100644 --- a/auth/mnet/land.php +++ b/auth/mnet/land.php 
@@ -49,4 +49,4 @@ if ($wantsremoteurl) { } redirect($CFG->wwwroot . $wantsurl); -?> + diff --git a/auth/nntp/auth.php b/auth/nntp/auth.php index e24e1e37462..36cdeb395ca 100644 --- a/auth/nntp/auth.php +++ b/auth/nntp/auth.php @@ -120,4 +120,4 @@ class auth_plugin_nntp extends auth_plugin_base { } -?> + diff --git a/auth/nologin/auth.php b/auth/nologin/auth.php index 91070593673..20794da7194 100644 --- a/auth/nologin/auth.php +++ b/auth/nologin/auth.php @@ -74,4 +74,4 @@ class auth_plugin_nologin extends auth_plugin_base { } -?> + diff --git a/auth/none/auth.php b/auth/none/auth.php index 740d4dd1f57..e6022cdc387 100644 --- a/auth/none/auth.php +++ b/auth/none/auth.php @@ -121,4 +121,4 @@ class auth_plugin_none extends auth_plugin_base { } -?> + diff --git a/auth/pam/auth.php b/auth/pam/auth.php index 428479a340c..5bb65831a61 100644 --- a/auth/pam/auth.php +++ b/auth/pam/auth.php @@ -117,4 +117,4 @@ class auth_plugin_pam extends auth_plugin_base { } -?> + diff --git a/auth/pop3/auth.php b/auth/pop3/auth.php index 3e93d375f32..d4abd780e12 100644 --- a/auth/pop3/auth.php +++ b/auth/pop3/auth.php @@ -155,4 +155,4 @@ class auth_plugin_pop3 extends auth_plugin_base { } -?> + diff --git a/auth/radius/auth.php b/auth/radius/auth.php index d84e2a956e7..976432d9680 100644 --- a/auth/radius/auth.php +++ b/auth/radius/auth.php @@ -190,4 +190,4 @@ class auth_plugin_radius extends auth_plugin_base { } -?> + diff --git a/auth/shibboleth/README.txt b/auth/shibboleth/README.txt index 1a39df42286..038401b20ae 100644 --- a/auth/shibboleth/README.txt +++ b/auth/shibboleth/README.txt 
@@ -21,9 +21,9 @@ Changes: attributes on request of Markus Hagman - 11. 2007: Integrated WAYF Service in Moodle - 12. 2008: Shibboleth 2.x and Single Logout support added -- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth +- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth language files. -- 3. 2009: Added various improvements and bug fixes reported by Ina Müller from +- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from university Tuebingen and Peter Ellis of University of Washington - 4. 2009: Added another requirement for logout regarding the call back script - 6. 2009: Changed handler URL when integrated Discovery Service is used @@ -47,9 +47,9 @@ Moodle Configuration with Dual login with something that fits your needs, e.g. 'require affiliation student'. For IIS you have protect the auth/shibboleth directory directly in the - RequestMap of the Shibboleth configuration file (shibboleth.xml or - shibboleth2.xml). - + RequestMap of the Shibboleth configuration file (shibboleth.xml or + shibboleth2.xml). + -- @@ -57,14 +57,14 @@ Moodle Configuration with Dual login ... - + -- - + Also see: https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl -2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and +2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and click on the the 'Shibboleth' settings. 3. Fill in the fields of the form. The fields 'Username', 'First name', 
@@ -79,37 +79,37 @@ Moodle Configuration with Dual login ############################################################################# Shibboleth Attributes needed by Moodle: For Moodle to work properly Shibboleth should at least provide the attribute - that is used as username in Moodle. It has to be unique for all Shibboleth + that is used as username in Moodle. It has to be unique for all Shibboleth Be aware that Moodle converts the username to lowercase. So, the overall behaviour of the username will be case-insensitive. - All attributes used for moodle must obey a certain length, otherwise Moodle - cuts off the ends. Consult the Moodle documentation for further information + All attributes used for moodle must obey a certain length, otherwise Moodle + cuts off the ends. Consult the Moodle documentation for further information on the maximum lengths for each field in the user profile. ############################################################################# 4.a If you want Shibboleth as your only authentication method with an external - Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the - 'Common settings' in 'Administrations >> Users >> Authentication Options' - to the the URL of the file 'moodle/auth/shibboleth/index.php'. + Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the + 'Common settings' in 'Administrations >> Users >> Authentication Options' + to the the URL of the file 'moodle/auth/shibboleth/index.php'. This will enforce Shibboleth login. 4.b If you want to use the Moodle integrated WAYF service, you have to activate it - in the Moodle Shibboleth authentication settings by checking the - 'Moodle WAYF Service' checkbox and providing a list of entity IDs in the - 'Identity Providers' textarea together with a name and an optional - SessionInitiator URL, which usually is an absolute or relative URL pointing - to the same host. 
If no SessionInitiator URL is given, the default one - '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For + in the Moodle Shibboleth authentication settings by checking the + 'Moodle WAYF Service' checkbox and providing a list of entity IDs in the + 'Identity Providers' textarea together with a name and an optional + SessionInitiator URL, which usually is an absolute or relative URL pointing + to the same host. If no SessionInitiator URL is given, the default one + '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator. Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator Important Note: If you upgraded from a previous version of Moodle and now want to use the integrated WAYF, you have to make sure that - in step 1 only the index.php script in - moodle/auth/shibboleth/ is protected but *not* the other + in step 1 only the index.php script in + moodle/auth/shibboleth/ is protected but *not* the other scripts and especially not the login.php script. - + If you were using the integrated WAYF alread with Shibboleth 1.3, it could be that the integrated WAYF is not working anymore after you updated Moodle. The reason is that the implicitly set default SessionInitiator changed in 
@@ -120,12 +120,12 @@ Moodle Configuration with Dual login 5. Save the changes for the 'Shibboleth settings'. - Important Note: If you went for 4.b (integrated WAYF service), saving the + Important Note: If you went for 4.b (integrated WAYF service), saving the settings will overwrite the Moodle Alternate Login URL using the Moodle web root URL. 6. If you want to use Shibboleth in addition to another authentication method - not using the integrated WAYF service from 4.b, change the 'Instructions' in + not using the integrated WAYF service from 4.b, change the 'Instructions' in 'Administrations >> Users >> Manage authentication' to contain a link to the moodle/auth/shibboleth/index.php file which is protected by Shibboleth (see step 1.) and causes the Shibboleth login procedure to start. @@ -144,7 +144,7 @@ Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only authentication method (see 4.a), this happens automatically when a user selects his home organization in the Moodle WAYF service or if the alternate login URL is configured to be the protected /auth/shibboleth/index.php -Otherwise, the user has to click on the link on the dual login page you +Otherwise, the user has to click on the link on the dual login page you provided in step 5.b. Moodle basically checks whether the Shibboleth attribute that you mapped 
@@ -169,11 +169,11 @@ authentication method unless they have two accounts in Moodle. Shibboleth dual login with custom login page -------------------------------------------------------------------------------- You can create a dual login page that better fits your needs. For this -to work, you have to set up the two authentication methods (e.g. 'Manual +to work, you have to set up the two authentication methods (e.g. 'Manual Accounts' and 'Shibboleth') and specify an alternate login link to your own dual login page. On that page you basically need a link to the Shibboleth-protected page ('/auth/shibboleth/index.php') for the Shibboleth login and a -form that sends 'username' and 'password' to moodle/login/index.php. Set this +form that sends 'username' and 'password' to moodle/login/index.php. Set this web page then als alternate login page. Consult the Moodle documentation for further instructions and requirements. @@ -209,16 +209,16 @@ Example file: if ($_SERVER[$this->config->field_map_address] != '') { // $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich' - // We want to split this up to get: + // We want to split this up to get: // institution, street, zipcode, city and country $address = $_SERVER[$this->config->field_map_address]; list($institution, $street, $zip_city) = split('\$', $address); ereg(' (.+)',$zip_city, $regs); $city = $regs[1]; - + ereg('(.+)-',$zip_city, $regs); $country = $regs[1]; - + $result["address"] = $street; $result["city"] = $city; $result["country"] = $country; 
@@ -233,32 +233,32 @@ Example file: How to upgrade your Service Provider to 2.x ------------------------------------------------------------------------------- -In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact -that in version 2.0 the default behaviour regarding attribute propagation +In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact +that in version 2.0 the default behaviour regarding attribute propagation changed. While the Service Provider 1.3.x published the Shibboleth attributes to the -web server environment as HTTP Request headers, the Service Provider 2.x +web server environment as HTTP Request headers, the Service Provider 2.x publishes attributes as environment variables, which increases the security for some platforms. However, this change has the effect that the attribute names change. -E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME' +E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME' with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname'] -or depending on your /etc/shibboleth/attribute-map.xml file just as +or depending on your /etc/shibboleth/attribute-map.xml file just as $_SERVER['sn']. Because Moodle needs to know what Shibboleth attributes it shall map onto which Moodle user profile field, one has to make sure the mapping is updated as well after the Service Provider upgrade. ******************************************************************************** -Because you risk locking yourself out of Moodle it is strongly +Because you risk locking yourself out of Moodle it is strongly recommended to use the following approach when upgrading the Service Provider: -1. Enable manual authentication before the upgrade. -2. Make sure that you have at least one manual account with administration +1. Enable manual authentication before the upgrade. +2. 
Make sure that you have at least one manual account with administration privileges working before upgrading your Service Provider to 2.x. -3. After the SP upgrade, use this account to log into Moodle and adapt the - attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect +3. After the SP upgrade, use this account to log into Moodle and adapt the + attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect the changed attribute names. - You find the attribute names in the file /etc/shibboleth/attribute-map.xml + You find the attribute names in the file /etc/shibboleth/attribute-map.xml listed as the 'id' value of an attribute definition. 4. If you are using the integrated WAYF, you may have to set the third parameter of each entry to '/Shibboleth.sso/DS' @@ -268,8 +268,8 @@ recommended to use the following approach when upgrading the Service Provider: How to add logout support -------------------------------------------------------------------------------- -In order make Moodle support Shibboleth logout, one has to make the Shibboleth -Service Provider (SP) aware of the Moodle logout capability. Only then the SP +In order make Moodle support Shibboleth logout, one has to make the Shibboleth +Service Provider (SP) aware of the Moodle logout capability. Only then the SP can trigger Moodle's front or back channel logout handler. To make the SP aware of the Moodle logout, you have to add the following to the 
@@ -277,17 +277,17 @@ Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/) just before the element. -- - -- -Then restart the Shibboleth daemon and check the log file for errors. If there -were no errors, you can test the logout feature by accessing Moodle, +Then restart the Shibboleth daemon and check the log file for errors. If there +were no errors, you can test the logout feature by accessing Moodle, authenticating via Shibboleth and the access the URL: -#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard +#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard Shibboleth installation). If everything worked well, you should see a Shibboleth -page saying that you were successfully logged out and if you go back to Moodle +page saying that you were successfully logged out and if you go back to Moodle you also should be logged out from Moodle. Requirements: 
@@ -318,14 +318,14 @@ As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support Single Logout (SLO). Therefore, the single logout feature cannot be used yet in a Shibboleth only setup but there may be other SAML2 products that could be used as Identity Provider, e.g. SimpleSAML PHP. -One of the reasons why SLO isn't supported yet is because there aren't many -applications yet that were adapted to support front and back channel -logout. Hopefully, the Moodle logout helps to motivate the developers to +One of the reasons why SLO isn't supported yet is because there aren't many +applications yet that were adapted to support front and back channel +logout. Hopefully, the Moodle logout helps to motivate the developers to implement SLO. On the other hand, the easiest and safest way to log out still is to tell users to quit their web browsers :) -Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and -https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some +Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and +https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some background information on this topic. -------------------------------------------------------------------------------- diff --git a/auth/shibboleth/auth.php b/auth/shibboleth/auth.php index f69bee1e976..1cfaa462bca 100644 --- a/auth/shibboleth/auth.php +++ b/auth/shibboleth/auth.php @@ -68,7 +68,7 @@ class auth_plugin_shibboleth extends auth_plugin_base { } } } - + // Set shibboleth session ID for logout $SESSION->shibboleth_session_id = $sessionkey; @@ -81,7 +81,7 @@ class auth_plugin_shibboleth extends auth_plugin_base { } - + /** * Returns the user information for 'external' users. In this case the * attributes provided by Shibboleth 
@@ -103,7 +103,7 @@ class auth_plugin_shibboleth extends auth_plugin_base { $search_attribs = array(); foreach ($attrmap as $key=>$value) { - // Check if attribute is present + // Check if attribute is present if (!isset($_SERVER[$value])){ $result[$key] = ''; continue; @@ -183,22 +183,22 @@ class auth_plugin_shibboleth extends auth_plugin_base { return; } - + /** * Hook for logout page * */ function logoutpage_hook() { global $redirect; - + // Only do this if logout handler is defined if ( - isset($this->config->logout_handler) + isset($this->config->logout_handler) && !empty($this->config->logout_handler) ){ // Check if there is an alternative logout return url defined if ( - isset($this->config->logout_return_url) + isset($this->config->logout_return_url) && !empty($this->config->logout_return_url) ){ // Set temp_redirect to alternative return url @@ -207,7 +207,7 @@ class auth_plugin_shibboleth extends auth_plugin_base { // Backup old redirect url $temp_redirect = $redirect; } - + // Overwrite redirect in order to send user to Shibboleth logout page and let him return back $redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect); } @@ -246,15 +246,15 @@ class auth_plugin_shibboleth extends auth_plugin_base { if (!isset ($config->convert_data)) { $config->convert_data = ''; } - + if (!isset($config->changepasswordurl)) { $config->changepasswordurl = ''; } - + if (!isset($config->login_name)) { $config->login_name = 'Shibboleth Login'; } - + // Clean idp list if (isset($config->organization_selection) && !empty($config->organization_selection) && isset($config->alt_login) && $config->alt_login == 'on') { $idp_list = get_idp_list($config->organization_selection); 
@@ -266,11 +266,11 @@ class auth_plugin_shibboleth extends auth_plugin_base { $config->organization_selection .= $idp.', '.$value[0].', '.$value[1]."\n"; } } - + // save settings set_config('user_attribute', $config->user_attribute, 'auth/shibboleth'); - + if (isset($config->organization_selection) && !empty($config->organization_selection)) { set_config('organization_selection', $config->organization_selection, 'auth/shibboleth'); } @@ -280,27 +280,27 @@ class auth_plugin_shibboleth extends auth_plugin_base { set_config('convert_data', $config->convert_data, 'auth/shibboleth'); set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth'); set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth'); - + // Overwrite alternative login URL if integrated WAYF is used if (isset($config->alt_login) && $config->alt_login == 'on'){ set_config('alt_login', $config->alt_login, 'auth/shibboleth'); set_config('alternateloginurl', $CFG->wwwroot.'/auth/shibboleth/login.php'); } else { // Check if integrated WAYF was enabled and is now turned off - // If it was and only then, reset the Moodle alternate URL + // If it was and only then, reset the Moodle alternate URL if ($this->config->alt_login == 'on'){ set_config('alt_login', 'off', 'auth/shibboleth'); set_config('alternateloginurl', ''); } $config->alt_login = 'off'; } - + // Check values and return false if something is wrong // Patch Anyware Technologies (14/05/07) if (($config->convert_data != '')&&(!file_exists($config->convert_data) || !is_readable($config->convert_data))){ return false; } - + // Check if there is at least one entry in the IdP list if (isset($config->organization_selection) && empty($config->organization_selection) && isset($config->alt_login) && $config->alt_login == 'on'){ return false; 
@@ -322,7 +322,7 @@ class auth_plugin_shibboleth extends auth_plugin_base { } } - + /** * Sets the standard SAML domain cookie that is also used to preselect * the right entry on the local wayf @@ -341,25 +341,25 @@ class auth_plugin_shibboleth extends auth_plugin_base { $IDPArray = appendCookieValue($selectedIDP, $IDPArray); setcookie ('_saml_idp', generate_cookie_value($IDPArray), time() + (100*24*3600)); } - + /** - * Prints the option elements for the select element of the drop down list + * Prints the option elements for the select element of the drop down list * */ function print_idp_list(){ $config = get_config('auth/shibboleth'); - + $IdPs = get_idp_list($config->organization_selection); if (isset($_COOKIE['_saml_idp'])){ $idp_cookie = generate_cookie_array($_COOKIE['_saml_idp']); do { $selectedIdP = array_pop($idp_cookie); } while (!isset($IdPs[$selectedIdP]) && count($idp_cookie) > 0); - + } else { $selectedIdP = '-'; } - + foreach($IdPs as $IdP => $data){ if ($IdP == $selectedIdP){ echo ''; 
@@ -368,80 +368,80 @@ class auth_plugin_shibboleth extends auth_plugin_base { } } } - - + + /** * Generate array of IdPs from Moodle Shibboleth settings * * @param string Text containing tuble/triple of IdP entityId, name and (optionally) session initiator - * @return array Identifier of IdPs and their name/session initiator + * @return array Identifier of IdPs and their name/session initiator */ function get_idp_list($organization_selection) { $idp_list = array(); - + $idp_raw_list = split("\n", $organization_selection); - + foreach ($idp_raw_list as $idp_line){ $idp_data = split(',', $idp_line); if (isset($idp_data[2])) { - $idp_list[trim($idp_data[0])] = array(trim($idp_data[1]),trim($idp_data[2])); + $idp_list[trim($idp_data[0])] = array(trim($idp_data[1]),trim($idp_data[2])); } elseif(isset($idp_data[1])) { $idp_list[trim($idp_data[0])] = array(trim($idp_data[1])); } } - + return $idp_list; } - + /** * Generates an array of IDPs using the cookie value * - * @param string Value of SAML domain cookie - * @return array Identifiers of IdPs + * @param string Value of SAML domain cookie + * @return array Identifiers of IdPs */ function generate_cookie_array($value) { - + // Decodes and splits cookie value $CookieArray = split(' ', $value); $CookieArray = array_map('base64_decode', $CookieArray); - + return $CookieArray; } - + /** * Generate the value that is stored in the cookie using the list of IDPs * - * @param array IdP identifiers + * @param array IdP identifiers * @return string SAML domain cookie value */ function generate_cookie_value($CookieArray) { - + // Merges cookie content and encodes it $CookieArray = array_map('base64_encode', $CookieArray); $value = implode(' ', $CookieArray); return $value; } - + /** * Append a value to the array of IDPs * * @param string IdP identifier * @param array IdP identifiers - * @return array IdP identifiers with appended IdP + * @return array IdP identifiers with appended IdP */ function appendCookieValue($value, 
$CookieArray) { - + array_push($CookieArray, $value); $CookieArray = array_reverse($CookieArray); $CookieArray = array_unique($CookieArray); $CookieArray = array_reverse($CookieArray); - + return $CookieArray; } -?> + diff --git a/auth/shibboleth/config.html b/auth/shibboleth/config.html index 07744278514..3e3012427ee 100755 --- a/auth/shibboleth/config.html +++ b/auth/shibboleth/config.html @@ -47,7 +47,7 @@ : - alt_login) and $config->alt_login == 'on' ){ echo 'checked="checked"'; } @@ -60,7 +60,7 @@ :