PHPCAS-69 Merging of the PHPCAS-69 branch into trunk. The brings one API change. By default being proxied is denied. With ProxyChains it can be allowed now. This patch also contains a big refactoring of the whole ST/PT/SA decision making which is more straight forward now.

git-svn-id: https://source.jasig.org/cas-clients/phpcas/trunk@24917 f5dbab47-78f9-eb45-b975-e544023573eb

Author: jfritschi

docs/examples/config.php.example

@@ -66,6 +66,9 @@ $serviceUrl = $curbase.$curdir.'example_service.php';
 // access to a second service
 $serviceUrl2 = $curbase.$curdir.'example_service_that_proxies.php';
 
+$pgtBase = preg_quote(preg_replace('/^http:/', 'https:', $curbase.$curdir),'/');
+$pgtUrlRegexp = '/^'.$pgtbase.'.*$/';
+
 $cas_url = 'https://'.$cas_host;
 if ($cas_port != '443')
 {

docs/examples/example_service.php

@@ -21,6 +21,42 @@
 // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL! 
 phpCAS::setNoCasServerValidation();
 
+// If you want your service to be proxied you have to enable it (default
+// disabled) and define an accepable list of proxies that are allowed to 
+// proxy your service. 
+// 
+// Add each allowed proxy definition object. For the normal CAS_ProxyChain
+// class, the constructor takes an array of proxies to match. The list is in 
+// reverse just as seen from the service. Proxies have to be defined in reverse 
+// from the service to the user. If a user hits service A and gets proxied via
+// B to service C the list of acceptable on C would be array(B,A). The definition
+// of an individual proxy can be either a string or a regexp (preg_match is used)
+// that will be matched against the proxy list supplied by the cas server 
+// when validating the proxy tickets. The strings are compared starting from 
+// the beginning and must fully match with the proxies in the list.
+// Example:
+// 		phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+// 				'https://app.example.com/'
+// 			)));
+// 		phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+// 				'/^https:\/\/app[0-9]\.example\.com\/rest\//',
+// 				'http://client.example.com/'
+// 			)));
+phpCAS::allowProxyChain(new CAS_ProxyChain(array($pgtUrlRegexp)));
+phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+	'/^'.$pgtBase.'example_service_that_proxies.php$/',
+	'/^'.$pgtBase.'example_proxy_serviceWeb_chaining.php$/'
+)));
+
+// For quick testing or in certain production screnarios you might want to 
+// allow allow any other valid service to proxy your service. To do so, add
+// the "Any" chain: 
+// 		phpcas::allowProxyChain(new CAS_ProxyChain_Any);
+// THIS SETTING IS HOWEVER NOT RECOMMENDED FOR PRODUCTION AND HAS SECURITY 
+// IMPLICATIONS: YOU ARE ALLOWING ANY SERVICE TO ACT ON BEHALF OF A USER
+// ON THIS SERVICE.
+//phpcas::allowProxyChain(new CAS_ProxyChain_Any);
+
 // force CAS authentication
 phpCAS::forceAuthentication();
 

docs/examples/example_service_POST.php

@@ -21,6 +21,40 @@
 // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL! 
 phpCAS::setNoCasServerValidation();
 
+
+// If you want your service to be proxied you have to enable it (default
+// disabled) and define an accepable list of proxies that are allowed to 
+// proxy your service. 
+// 
+// Add each allowed proxy definition object. For the normal CAS_ProxyChain
+// class, the constructor takes an array of proxies to match. The list is in 
+// reverse just as seen from the service. Proxies have to be defined in reverse 
+// from the service to the user. If a user hits service A and gets proxied via
+// B to service C the list of acceptable on C would be array(B,A). The definition
+// of an individual proxy can be either a string or a regexp (preg_match is used)
+// that will be matched against the proxy list supplied by the cas server 
+// when validating the proxy tickets. The strings are compared starting from 
+// the beginning and must fully match with the proxies in the list.
+// Example:
+// 		phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+// 				'https://app.example.com/'
+// 			)));
+// 		phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+// 				'/^https:\/\/app[0-9]\.example\.com\/rest\//',
+// 				'http://client.example.com/'
+// 			)));
+phpCAS::allowProxyChain(new CAS_ProxyChain(array($pgtUrlRegexp)));
+
+// For quick testing or in certain production screnarios you might want to 
+// allow allow any other valid service to proxy your service. To do so, add
+// the "Any" chain: 
+// 		phpcas::allowProxyChain(new CAS_ProxyChain_Any);
+// THIS SETTING IS HOWEVER NOT RECOMMENDED FOR PRODUCTION AND HAS SECURITY 
+// IMPLICATIONS: YOU ARE ALLOWING ANY SERVICE TO ACT ON BEHALF OF A USER
+// ON THIS SERVICE.
+//phpcas::allowProxyChain(new CAS_ProxyChain_Any);
+
+
 // force CAS authentication
 phpCAS::forceAuthentication();
 

docs/examples/example_service_that_proxies.php

@@ -21,6 +21,38 @@
 // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL! 
 phpCAS::setNoCasServerValidation();
 
+// If you want your service to be proxied you have to enable it (default
+// disabled) and define an accepable list of proxies that are allowed to 
+// proxy your service. 
+// 
+// Add each allowed proxy definition object. For the normal CAS_ProxyChain
+// class, the constructor takes an array of proxies to match. The list is in 
+// reverse just as seen from the service. Proxies have to be defined in reverse 
+// from the service to the user. If a user hits service A and gets proxied via
+// B to service C the list of acceptable on C would be array(B,A). The definition
+// of an individual proxy can be either a string or a regexp (preg_match is used)
+// that will be matched against the proxy list supplied by the cas server 
+// when validating the proxy tickets. The strings are compared starting from 
+// the beginning and must fully match with the proxies in the list.
+// Example:
+// 		phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+// 				'https://app.example.com/'
+// 			)));
+// 		phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+// 				'/^https:\/\/app[0-9]\.example\.com\/rest\//',
+// 				'http://client.example.com/'
+// 			)));
+phpCAS::allowProxyChain(new CAS_ProxyChain(array($pgtUrlRegexp)));
+
+// For quick testing or in certain production screnarios you might want to 
+// allow allow any other valid service to proxy your service. To do so, add
+// the "Any" chain: 
+// 		phpcas::allowProxyChain(new CAS_ProxyChain_Any);
+// THIS SETTING IS HOWEVER NOT RECOMMENDED FOR PRODUCTION AND HAS SECURITY 
+// IMPLICATIONS: YOU ARE ALLOWING ANY SERVICE TO ACT ON BEHALF OF A USER
+// ON THIS SERVICE.
+//phpcas::allowProxyChain(new CAS_ProxyChain_Any);
+
 // force CAS authentication
 phpCAS::forceAuthentication();
 

source/CAS.php

@@ -1655,7 +1655,52 @@ public static function setExtraCurlOption($key, $value) {
 		phpCAS :: traceEnd();
 	}
 
-			
+	/**
+	 * If you want your service to be proxied you have to enable it (default
+	 * disabled) and define an accepable list of proxies that are allowed to 
+	 * proxy your service. 
+	 *
+	 * Add each allowed proxy definition object. For the normal CAS_ProxyChain
+	 * class, the constructor takes an array of proxies to match. The list is in 
+	 * reverse just as seen from the service. Proxies have to be defined in reverse 
+	 * from the service to the user. If a user hits service A and gets proxied via
+	 * B to service C the list of acceptable on C would be array(B,A). The definition
+	 * of an individual proxy can be either a string or a regexp (preg_match is used)
+	 * that will be matched against the proxy list supplied by the cas server 
+	 * when validating the proxy tickets. The strings are compared starting from 
+	 * the beginning and must fully match with the proxies in the list.
+	 * Example:
+	 * 		phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+	 *				'https://app.example.com/'
+	 *			)));
+	 * 		phpCAS::allowProxyChain(new CAS_ProxyChain(array(
+	 *				'/^https:\/\/app[0-9]\.example\.com\/rest\//',
+	 *				'http://client.example.com/'
+	 *			)));
+	 *
+	 * For quick testing or in certain production screnarios you might want to 
+	 * allow allow any other valid service to proxy your service. To do so, add
+	 * the "Any" chain: 
+	 *		phpcas::allowProxyChain(new CAS_ProxyChain_Any);
+	 * THIS SETTING IS HOWEVER NOT RECOMMENDED FOR PRODUCTION AND HAS SECURITY 
+	 * IMPLICATIONS: YOU ARE ALLOWING ANY SERVICE TO ACT ON BEHALF OF A USER
+	 * ON THIS SERVICE.
+	 *
+	 * @param CAS_ProxyChain_Interface $proxy_chain A proxy-chain that will be matched against the proxies requesting access
+	 */
+	public static function allowProxyChain(CAS_ProxyChain_Interface $proxy_chain){
+		global $PHPCAS_CLIENT;
+		phpCAS :: traceBegin();
+		if (!is_object($PHPCAS_CLIENT)) {
+			phpCAS :: error('this method should only be called after ' . __CLASS__ . '::client() or' . __CLASS__ . '::proxy()');
+		}
+		if($PHPCAS_CLIENT->getServerVersion() !== CAS_VERSION_2_0){
+			phpCAS :: error('this method can only be used with the cas 2.0 protool');
+		}
+		$PHPCAS_CLIENT->getAllowedProxyChains()->allowProxyChain($proxy_chain);
+		phpCAS :: traceEnd();
+	}
+	
 	/**
 	 * Answer an array of proxies that are sitting in front of this application.
 	 *
@@ -1787,7 +1832,7 @@ public static function addRebroadcastHeader($header) {
 /** @defgroup internalProxyServices Proxy other services
  *  @ingroup internalProxy */
 
-/** @defgroup internalProxied CAS proxied client features (CAS 2.0, Proxy Tickets)
+/** @defgroup internalService CAS client features (CAS 2.0, Proxied service)
  *  @ingroup internal */
 
 /** @defgroup internalConfig Configuration