diff --git a/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php b/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
index 7b2acdf6e9d4..06013398919b 100644
--- a/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
+++ b/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
@@ -18,27 +18,23 @@
 declare(strict_types=1);
-use Psr\Http\Message\ServerRequestInterface;
-
-/**
- * Description of class class
- *
- * @author Stefan Meyer
- * @author Michael Jansen
- *
- */
 class ilAuthFrontendCredentialsApache extends ilAuthFrontendCredentials
 {
- private ServerRequestInterface $httpRequest;
- private ilCtrlInterface $ctrl;
- private ilSetting $settings;
- private ilLogger $logger;
-
- public function __construct(ServerRequestInterface $httpRequest, ilCtrlInterface $ctrl)
- {
+ private readonly \ILIAS\HTTP\GlobalHttpState $http;
+ private readonly \ILIAS\Refinery\Factory $refinery;
+ private readonly ilCtrlInterface $ctrl;
+ private readonly ilSetting $settings;
+ private readonly ilLogger $logger;
+
+ public function __construct(
+ \ILIAS\HTTP\GlobalHttpState $http,
+ \ILIAS\Refinery\Factory $refinery,
+ ilCtrlInterface $ctrl
+ ) {
 global $DIC;
 $this->logger = $DIC->logger()->auth();
- $this->httpRequest = $httpRequest;
+ $this->http = $http;
+ $this->refinery = $refinery;
 $this->ctrl = $ctrl;
 $this->settings = new ilSetting('apache_auth');
 parent::__construct();
@@ -50,15 +46,6 @@ public function __construct(ServerRequestInterface $httpRequest, ilCtrlInterface
 */
 public function tryAuthenticationOnLoginPage(): void
 {
- $cmd = (string) ($this->httpRequest->getQueryParams()['cmd'] ?? '');
- if ('' === $cmd) {
- $cmd = (string) ($this->httpRequest->getParsedBody()['cmd'] ?? '');
- }
-
- if ('force_login' === $cmd) {
- return;
- }
-
 if (!$this->getSettings()->get('apache_enable_auth', '0')) {
 return;
 }
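Review bot: The constructor in the first hunk still takes the logger from `global $DIC` while `$http`, `$refinery` and `$ctrl` are injected, and the class docblock is removed without a replacement. Because this class decides when the login page hands off to Apache SSO, a short class comment would help, for example `/** Credentials frontend for Apache authentication: maps a server variable to the username and builds the redirect to sso/index.php. */`. Passing the logger as a constructor argument would make the dependency list complete. The class body continues outside this hunk.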
@@ -70,27 +57,31 @@ public function tryAuthenticationOnLoginPage(): void
 if (
 (defined('IL_CERT_SSO') && (int) IL_CERT_SSO === 1) ||
 !ilContext::supportsRedirects() ||
- isset($this->httpRequest->getQueryParams()['passed_sso'])
+ $this->http->wrapper()->query()->has('passed_sso')
 ) {
 return;
 }
- $path = (string) ($this->httpRequest->getServerParams()['REQUEST_URI'] ?? '');
- if (strpos($path, '/') === 0) {
- $path = substr($path, 1);
+ $url = (string) ($this->http->request()->getServerParams()['REQUEST_URI'] ?? '');
+ if (str_starts_with($url, '/')) {
+ $url = substr($url, 1);
 }
- if (strpos($path, 'http') !== 0) {
+ if (!str_starts_with($url, 'http')) {
 $parts = parse_url(ILIAS_HTTP_PATH);
- $path = $parts['scheme'] . '://' . $parts['host'] . '/' . $path;
+ $url = $parts['scheme'] . '://' . $parts['host'] . '/' . $url;
+ }
+
+ $uri = new \ILIAS\Data\URI($url);
+ // We assume that the current script is always "login.php" if the "target" query parameter is set on the login page.
+ if ($this->http->wrapper()->query()->has('target')) {
+ $uri = $uri->withPath(str_replace('login.php', 'goto.php', $uri->getPath()));
 }
 $this->ctrl->redirectToURL(
 ilUtil::getHtmlPath(
 './sso/index.php?force_mode_apache=1&' .
- 'r=' . urlencode($path) .
- '&cookie_path=' . urlencode(IL_COOKIE_PATH) .
- '&ilias_path=' . urlencode(ILIAS_HTTP_PATH)
+ 'r=' . urlencode($this->refinery->uri()->toString()->transform($uri))
 )
 );
 }
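Review bot: The `!str_starts_with($url, 'http')` test runs after the leading slash has been stripped, so a request path whose first segment merely begins with `http` skips the scheme-and-host prefix and the request-supplied string becomes the `r` target. Rejecting such a value then depends on `new \ILIAS\Data\URI($url)` and on the allow-list check in hasValidTargetUrl(), and this hunk does not show either being applied before the redirect. Testing the raw value before the `substr()`, e.g. `$is_absolute = preg_match('#^https?://#i', $url) === 1;`, keeps ordinary paths on the host taken from ILIAS_HTTP_PATH. The `str_replace('login.php', 'goto.php', $uri->getPath())` call also rewrites every occurrence in the path, not only the script name, so anchoring it to the last path segment would match the assumption stated in the comment. The method starts before this hunk.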
@@ -102,15 +93,15 @@ protected function getSettings(): ilSetting
 public function initFromRequest(): void
 {
- $mappingFieldName = $this->getSettings()->get('apache_auth_username_direct_mapping_fieldname', '');
+ $mapping_field_name = $this->getSettings()->get('apache_auth_username_direct_mapping_fieldname', '');
- $this->logger->dump($this->httpRequest->getServerParams(), ilLogLevel::DEBUG);
- $this->logger->debug($mappingFieldName);
+ $this->logger->dump($this->http->request()->getServerParams(), ilLogLevel::DEBUG);
+ $this->logger->debug($mapping_field_name);
 switch ($this->getSettings()->get('apache_auth_username_config_type')) {
 case ilAuthProviderApache::APACHE_AUTH_TYPE_DIRECT_MAPPING:
- if (isset($this->http->request()->getServerParams()[$mappingFieldName])) {
- $this->setUsername($this->httpRequest->getServerParams()[$mappingFieldName]);
+ if (isset($this->http->request()->getServerParams()[$mapping_field_name])) {
+ $this->setUsername($this->http->request()->getServerParams()[$mapping_field_name]);
 }
 break;
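Review bot: `$this->logger->dump($this->http->request()->getServerParams(), ilLogLevel::DEBUG)` writes the complete server parameter array to the auth log, and that array typically carries the request's Cookie and Authorization headers. Logging only what the mapping needs, e.g. `$this->logger->debug('Apache auth mapping field: ' . $mapping_field_name);` plus whether the key is present, keeps session identifiers out of log files. The value given to `setUsername()` comes from the server parameter named by the `apache_auth_username_direct_mapping_fieldname` setting. A comment should state that this variable must be set by the web server and must not be a client-supplied `HTTP_*` header, which documents the trust assumption. The switch statement continues outside the hunk.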
@@ -122,26 +113,33 @@ public function initFromRequest(): void
 public function hasValidTargetUrl(): bool
 {
- $targetUrl = trim((string) ($this->httpRequest->getQueryParams()['r'] ?? ''));
- if ($targetUrl === '') {
+ $target_url = trim(
+ $this->http->wrapper()->query()->retrieve('r', $this->refinery->byTrying([
+ $this->refinery->kindlyTo()->string(),
+ $this->refinery->always(''),
+ ]))
+ );
+ if ($target_url === '') {
 return false;
 }
- $validDomains = [];
+ $valid_hosts = [];
 $path = ILIAS_DATA_DIR . '/' . CLIENT_ID . '/apache_auth_allowed_domains.txt';
 if (file_exists($path) && is_readable($path)) {
 foreach (file($path) as $line) {
 if (trim($line)) {
- $validDomains[] = trim($line);
+ $valid_hosts[] = trim($line);
 }
 }
 }
- return (new ilWhiteListUrlValidator($targetUrl, $validDomains))->isValid();
+ return (new ilWhiteListUrlValidator($target_url, $valid_hosts))->isValid();
 }
 public function getTargetUrl(): string
 {
- return ilUtil::appendUrlParameterString(trim($this->httpRequest->getQueryParams()['r']), 'passed_sso=1');
+ $target_url = trim($this->http->wrapper()->query()->retrieve('r', $this->refinery->kindlyTo()->string()));
+
+ return ilUtil::appendUrlParameterString($target_url, 'passed_sso=1');
 }
 }
diff --git a/Services/Init/classes/class.ilStartUpGUI.php b/Services/Init/classes/class.ilStartUpGUI.php
index f59d48676252..513f04d77eef 100755
--- a/Services/Init/classes/class.ilStartUpGUI.php
+++ b/Services/Init/classes/class.ilStartUpGUI.php
@@ -262,7 +262,7 @@ private function showLoginPage(ILIAS\UI\Component\Input\Container\Form\Form $for
 $credentials->setPassword($soapPw);
 $credentials->tryAuthenticationOnLoginPage();
- $frontend = new ilAuthFrontendCredentialsApache($this->httpRequest, $this->ctrl);
+ $frontend = new ilAuthFrontendCredentialsApache($this->http, $this->refinery, $this->ctrl);
 $frontend->tryAuthenticationOnLoginPage();
 $tpl = self::initStartUpTemplate('tpl.login.html');
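Review bot: `getTargetUrl()` returns the `r` query value with only `passed_sso=1` appended and does not apply the allow-list check itself, so it is safe only when the caller has already seen `hasValidTargetUrl()` return true. It also calls `retrieve('r', $this->refinery->kindlyTo()->string())` without the `byTrying([..., always('')])` fallback used in `hasValidTargetUrl()`, so a missing or non-string `r` presumably raises instead of yielding an empty string. Either guard the method, e.g. `if (!$this->hasValidTargetUrl()) { throw new \LogicException('Invalid SSO target URL'); }`, or add a docblock stating that precondition. In `hasValidTargetUrl()`, `file($path)` can still return false after the `is_readable()` check, and `foreach (file($path) ?: [] as $line)` would cover that.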
@@ -688,7 +688,7 @@ private function doApacheAuthentication(): void
 {
 $this->getLogger()->debug('Trying apache authentication');
- $credentials = new ilAuthFrontendCredentialsApache($this->httpRequest, $this->ctrl);
+ $credentials = new ilAuthFrontendCredentialsApache($this->http, $this->refinery, $this->ctrl);
 $credentials->initFromRequest();
 $provider_factory = new ilAuthProviderFactory();
diff --git a/sso/index.php b/sso/index.php
index f0f7eb02344e..bef3bda05966 100644
--- a/sso/index.php
+++ b/sso/index.php
@@ -21,6 +21,7 @@
 $_COOKIE["ilClientId"] = $_GET["client_id"];
 }
+define('IL_CERT_SSO', true);
 define('IL_COOKIE_PATH', $cookie_path);
 include_once './Services/Context/classes/class.ilContext.php';
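Review bot: In sso/index.php the new `define('IL_CERT_SSO', true);` has no comment explaining its purpose, and the only reader visible in this commit compares it as an integer (`(int) IL_CERT_SSO === 1` in tryAuthenticationOnLoginPage()). A comment such as `// Marks this request as the SSO entry point so the login page does not redirect back to sso/index.php`, if that is the intent, and defining the value as `1` would make the contract explicit. The commit also stops sending `cookie_path` and `ilias_path` to this script while `define('IL_COOKIE_PATH', $cookie_path);` remains. Where `$cookie_path` is assigned lies outside the hunk, so confirm that it no longer depends on the removed query parameter.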