Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 4.3.x will end 7 October 2024 (12 months).
  • Bug fixes for security issues in 4.3.x will end 21 April 2025 (18 months).
  • PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.2.x is supported too.

Licensed to Jasig under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. Jasig licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:

Author: Pascal Aubry <pascal.aubry@univ-rennes1.fr>
Author: Olivier Berger <olivier.berger@it-sudparis.eu>
Author: Brett Bieber <brett.bieber@gmail.com>
Author: Joachim Fritschi <jfritschi@freenet.de>
Author: Adam Franco <afranco@middlebury.edu>
License: http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
File Size: 2083 lines (65 kb)
Included or required: 1 time
Referenced: 0 times
Includes or requires: 1 file
 auth/cas/CAS/vendor/apereo/phpcas/source/CAS/Autoload.php

Defines 1 class

phpCAS:: (68 methods):
  client()
  proxy()
  isInitialized()
  setLogger()
  setDebug()
  setVerbose()
  getVerbose()
  log()
  error()
  trace()
  traceBegin()
  traceEnd()
  traceExit()
  setLang()
  getVersion()
  getSupportedProtocols()
  setHTMLHeader()
  setHTMLFooter()
  setPGTStorage()
  setPGTStorageDb()
  setPGTStorageFile()
  getProxiedService()
  initializeProxiedService()
  serviceWeb()
  serviceMail()
  setCacheTimesForAuthRecheck()
  setCasAttributeParserCallback()
  setPostAuthenticateCallback()
  setSingleSignoutCallback()
  checkAuthentication()
  forceAuthentication()
  renewAuthentication()
  isAuthenticated()
  isSessionAuthenticated()
  getUser()
  getAttributes()
  hasAttributes()
  hasAttribute()
  getAttribute()
  handleLogoutRequests()
  getServerLoginURL()
  setServerLoginURL()
  setServerServiceValidateURL()
  setServerProxyValidateURL()
  setServerSamlValidateURL()
  getServerLogoutURL()
  setServerLogoutURL()
  logout()
  logoutWithRedirectService()
  logoutWithUrl()
  logoutWithRedirectServiceAndUrl()
  setFixedCallbackURL()
  setFixedServiceURL()
  getServiceURL()
  retrievePT()
  setCasServerCACert()
  setNoCasServerValidation()
  setNoClearTicketsFromUrl()
  setExtraCurlOption()
  setSessionIdSalt()
  allowProxyChain()
  getProxies()
  addRebroadcastNode()
  addRebroadcastHeader()
  _validateClientExists()
  _validateProxyExists()
  getCasClient()
  setCasClient()

Defines 68 functions

  gettmpdir()

Class: phpCAS  - X-Ref

The phpCAS class is a simple container for the phpCAS library. It provides CAS
authentication for web applications written in PHP.

client($server_version, $server_hostname,$server_port, $server_uri, $service_base_url,$changeSessionID = true, \SessionHandlerInterface $sessionHandler = null)   X-Ref
phpCAS client initializer.

param: string                   $server_version  the version of the CAS server
param: string                   $server_hostname the hostname of the CAS server
param: int                      $server_port     the port the CAS server is running on
param: string                   $server_uri      the URI the CAS server is responding on
param: string|string[]|CAS_ServiceBaseUrl_Interface
param: bool                     $changeSessionID Allow phpCAS to change the session_id
param: \SessionHandlerInterface $sessionHandler  the session handler
return: void a newly created CAS_Client object

proxy($server_version, $server_hostname,$server_port, $server_uri, $service_base_url,$changeSessionID = true, \SessionHandlerInterface $sessionHandler = null)   X-Ref
phpCAS proxy initializer.

param: string                   $server_version  the version of the CAS server
param: string                   $server_hostname the hostname of the CAS server
param: string                   $server_port     the port the CAS server is running on
param: string                   $server_uri      the URI the CAS server is responding on
param: string|string[]|CAS_ServiceBaseUrl_Interface
param: bool                     $changeSessionID Allow phpCAS to change the session_id
param: \SessionHandlerInterface $sessionHandler  the session handler
return: void a newly created CAS_Client object

isInitialized()   X-Ref
Answer whether or not the client or proxy has been initialized

return: bool

setLogger($logger = null)   X-Ref
Set/unset PSR-3 logger

param: LoggerInterface $logger the PSR-3 logger used for logging, or
return: void

setDebug($filename = '')   X-Ref
Set/unset debug mode

param: string $filename the name of the file used for logging, or false
return: void

setVerbose($verbose)   X-Ref
Enable verbose errors messages in the website output
This is a security relevant since internal status info may leak an may
help an attacker. Default is therefore false

param: bool $verbose enable verbose output
return: void

getVerbose()   X-Ref
Show is verbose mode is on

return: bool verbose

log($str)   X-Ref
Logs a string in debug mode.

param: string $str the string to write
return: void

error($msg)   X-Ref
This method is used by interface methods to print an error and where the
function was originally called from.

param: string $msg the message to print
return: void

trace($str)   X-Ref
This method is used to log something in debug mode.

param: string $str string to log
return: void

traceBegin()   X-Ref
This method is used to indicate the start of the execution of a function
in debug mode.

return: void

traceEnd($res = '')   X-Ref
This method is used to indicate the end of the execution of a function in
debug mode.

param: mixed $res the result of the function
return: void

traceExit()   X-Ref
This method is used to indicate the end of the execution of the program

return: void

setLang($lang)   X-Ref
This method is used to set the language used by phpCAS.

param: string $lang string representing the language.
return: void

getVersion()   X-Ref
This method returns the phpCAS version.

return: string the phpCAS version.

getSupportedProtocols()   X-Ref
This method returns supported protocols.

return: array an array of all supported protocols. Use internal protocol name as array key.

setHTMLHeader($header)   X-Ref
This method sets the HTML header used for all outputs.

param: string $header the HTML header.
return: void

setHTMLFooter($footer)   X-Ref
This method sets the HTML footer used for all outputs.

param: string $footer the HTML footer.
return: void

setPGTStorage($storage)   X-Ref
This method can be used to set a custom PGT storage object.

param: CAS_PGTStorage_AbstractStorage $storage a PGT storage object that inherits from the
return: void

setPGTStorageDb($dsn_or_pdo, $username='',$password='', $table='', $driver_options=null)   X-Ref
This method is used to tell phpCAS to store the response of the
CAS server to PGT requests in a database.

param: string $dsn_or_pdo     a dsn string to use for creating a PDO
param: string $username       the username to use when connecting to the
param: string $password       the password to use when connecting to the
param: string $table          the table to use for storing and retrieving
param: string $driver_options any driver options to use when connecting
return: void

setPGTStorageFile($path = '')   X-Ref
This method is used to tell phpCAS to store the response of the
CAS server to PGT requests onto the filesystem.

param: string $path the path where the PGT's should be stored
return: void

getProxiedService($type)   X-Ref
Answer a proxy-authenticated service handler.

param: string $type The service type. One of
return: CAS_ProxiedService

initializeProxiedService(CAS_ProxiedService $proxiedService)   X-Ref
Initialize a proxied-service handler with the proxy-ticket it should use.

param: CAS_ProxiedService $proxiedService Proxied Service Handler
return: void

serviceWeb($url, & $err_code, & $output)   X-Ref
This method is used to access an HTTP[S] service.

param: string $url       the service to access.
param: int &$err_code an error code Possible values are
param: string &$output   the output of the service (also used to give an
return: bool true on success, false otherwise (in this later case,

serviceMail($url, $service, $flags, & $err_code, & $err_msg, & $pt)   X-Ref
This method is used to access an IMAP/POP3/NNTP service.

param: string $url       a string giving the URL of the service,
param: string $service   a string giving for CAS retrieve Proxy ticket
param: string $flags     options given to imap_open().
param: int &$err_code an error code Possible values are
param: string &$err_msg  an error message on failure
param: string &$pt       the Proxy Ticket (PT) retrieved from the CAS
return: object|false IMAP stream on success, false otherwise (in this later

setCacheTimesForAuthRecheck($n)   X-Ref
Set the times authentication will be cached before really accessing the
CAS server in gateway mode:
- -1: check only once, and then never again (until you pree login)
- 0: always check
- n: check every "n" time

param: int $n an integer.
return: void

setCasAttributeParserCallback($function, array $additionalArgs = array()   X-Ref
Set a callback function to be run when receiving CAS attributes

The callback function will be passed an $success_elements
payload of the response (\DOMElement) as its first parameter.

param: string $function       Callback function
param: array  $additionalArgs optional array of arguments
return: void

setPostAuthenticateCallback($function, array $additionalArgs = array()   X-Ref
Set a callback function to be run when a user authenticates.

The callback function will be passed a $logoutTicket as its first
parameter, followed by any $additionalArgs you pass. The $logoutTicket
parameter is an opaque string that can be used to map the session-id to
logout request in order to support single-signout in applications that
manage their own sessions (rather than letting phpCAS start the session).

phpCAS::forceAuthentication() will always exit and forward client unless
they are already authenticated. To perform an action at the moment the user
logs in (such as registering an account, performing logging, etc), register
a callback function here.

param: callable $function       Callback function
param: array  $additionalArgs optional array of arguments
return: void

setSingleSignoutCallback($function, array $additionalArgs = array()   X-Ref
Set a callback function to be run when a single-signout request is
received. The callback function will be passed a $logoutTicket as its
first parameter, followed by any $additionalArgs you pass. The
$logoutTicket parameter is an opaque string that can be used to map a
session-id to the logout request in order to support single-signout in
applications that manage their own sessions (rather than letting phpCAS
start and destroy the session).

param: callable $function       Callback function
param: array  $additionalArgs optional array of arguments
return: void

checkAuthentication()   X-Ref
This method is called to check if the user is already authenticated
locally or has a global cas session. A already existing cas session is
determined by a cas gateway call.(cas login call without any interactive
prompt)

return: bool true when the user is authenticated, false when a previous

forceAuthentication()   X-Ref
This method is called to force authentication if the user was not already
authenticated. If the user is not authenticated, halt by redirecting to
the CAS server.

return: bool Authentication

renewAuthentication()   X-Ref
This method is called to renew the authentication.

return: void

isAuthenticated()   X-Ref
This method is called to check if the user is authenticated (previously or by
tickets given in the URL).

return: bool true when the user is authenticated.

isSessionAuthenticated()   X-Ref
Checks whether authenticated based on $_SESSION. Useful to avoid
server calls.

return: bool true if authenticated, false otherwise.

getUser()   X-Ref
This method returns the CAS user's login name.

return: string the login name of the authenticated user

getAttributes()   X-Ref
Answer attributes about the authenticated user.

return: array

hasAttributes()   X-Ref
Answer true if there are attributes for the authenticated user.

return: bool

hasAttribute($key)   X-Ref
Answer true if an attribute exists for the authenticated user.

param: string $key attribute name
return: bool

getAttribute($key)   X-Ref
Answer an attribute for the authenticated user.

param: string $key attribute name
return: mixed string for a single value or an array if multiple values exist.

handleLogoutRequests($check_client = true, $allowed_clients = array()   X-Ref
Handle logout requests.

param: bool  $check_client    additional safety check
param: array $allowed_clients array of allowed clients
return: void

getServerLoginURL()   X-Ref
This method returns the URL to be used to login.

return: string the login URL

setServerLoginURL($url = '')   X-Ref
Set the login URL of the CAS server.

param: string $url the login URL
return: void

setServerServiceValidateURL($url = '')   X-Ref
Set the serviceValidate URL of the CAS server.
Used for all CAS versions of URL validations.
Examples:
CAS 1.0 http://www.exemple.com/validate
CAS 2.0 http://www.exemple.com/validateURL
CAS 3.0 http://www.exemple.com/p3/serviceValidate

param: string $url the serviceValidate URL
return: void

setServerProxyValidateURL($url = '')   X-Ref
Set the proxyValidate URL of the CAS server.
Used for all CAS versions of proxy URL validations
Examples:
CAS 1.0 http://www.exemple.com/
CAS 2.0 http://www.exemple.com/proxyValidate
CAS 3.0 http://www.exemple.com/p3/proxyValidate

param: string $url the proxyValidate URL
return: void

setServerSamlValidateURL($url = '')   X-Ref
Set the samlValidate URL of the CAS server.

param: string $url the samlValidate URL
return: void

getServerLogoutURL()   X-Ref
This method returns the URL to be used to logout.

return: string the URL to use to log out

setServerLogoutURL($url = '')   X-Ref
Set the logout URL of the CAS server.

param: string $url the logout URL
return: void

logout($params = "")   X-Ref
This method is used to logout from CAS.

param: string $params an array that contains the optional url and
return: void

logoutWithRedirectService($service)   X-Ref
This method is used to logout from CAS. Halts by redirecting to the CAS
server.

param: string $service a URL that will be transmitted to the CAS server
return: void

logoutWithUrl($url)   X-Ref
This method is used to logout from CAS. Halts by redirecting to the CAS
server.

param: string $url a URL that will be transmitted to the CAS server
return: void

logoutWithRedirectServiceAndUrl($service, $url)   X-Ref
This method is used to logout from CAS. Halts by redirecting to the CAS
server.

param: string $service a URL that will be transmitted to the CAS server
param: string $url     a URL that will be transmitted to the CAS server
return: void

setFixedCallbackURL($url = '')   X-Ref
Set the fixed URL that will be used by the CAS server to transmit the
PGT. When this method is not called, a phpCAS script uses its own URL
for the callback.

param: string $url the URL
return: void

setFixedServiceURL($url)   X-Ref
Set the fixed URL that will be set as the CAS service parameter. When this
method is not called, a phpCAS script uses its own URL.

param: string $url the URL
return: void

getServiceURL()   X-Ref
Get the URL that is set as the CAS service parameter.

return: string Service Url

retrievePT($target_service, & $err_code, & $err_msg)   X-Ref
Retrieve a Proxy Ticket from the CAS server.

param: string $target_service Url string of service to proxy
param: int &$err_code      error code
param: string &$err_msg       error message
return: string Proxy Ticket

setCasServerCACert($cert, $validate_cn = true)   X-Ref
Set the certificate of the CAS server CA and if the CN should be properly
verified.

param: string $cert        CA certificate file name
param: bool   $validate_cn Validate CN in certificate (default true)
return: void

setNoCasServerValidation()   X-Ref
Set no SSL validation for the CAS server.

return: void

setNoClearTicketsFromUrl()   X-Ref
Disable the removal of a CAS-Ticket from the URL when authenticating
DISABLING POSES A SECURITY RISK:
We normally remove the ticket by an additional redirect as a security
precaution to prevent a ticket in the HTTP_REFERRER or be carried over in
the URL parameter

return: void

setExtraCurlOption($key, $value)   X-Ref
Change CURL options.
CURL is used to connect through HTTPS to CAS server

param: string $key   the option key
param: string $value the value to set
return: void

setSessionIdSalt($salt)   X-Ref
Set a salt/seed for the session-id hash to make it harder to guess.

When $changeSessionID = true phpCAS will create a session-id that is derived
from the service ticket. Doing so allows phpCAS to look-up and destroy the
proper session on single-log-out requests. While the service tickets
provided by the CAS server may include enough data to generate a strong
hash, clients may provide an additional salt to ensure that session ids
are not guessable if the session tickets do not have enough entropy.

param: string $salt The salt to combine with the session ticket.
return: void

allowProxyChain(CAS_ProxyChain_Interface $proxy_chain)   X-Ref
If you want your service to be proxied you have to enable it (default
disabled) and define an accepable list of proxies that are allowed to
proxy your service.

Add each allowed proxy definition object. For the normal CAS_ProxyChain
class, the constructor takes an array of proxies to match. The list is in
reverse just as seen from the service. Proxies have to be defined in reverse
from the service to the user. If a user hits service A and gets proxied via
B to service C the list of acceptable on C would be array(B,A). The definition
of an individual proxy can be either a string or a regexp (preg_match is used)
that will be matched against the proxy list supplied by the cas server
when validating the proxy tickets. The strings are compared starting from
the beginning and must fully match with the proxies in the list.
Example:
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
'https://app.example.com/'
)));
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
'/^https:\/\/app[0-9]\.example\.com\/rest\//',
'http://client.example.com/'
)));

For quick testing or in certain production screnarios you might want to
allow allow any other valid service to proxy your service. To do so, add
the "Any" chain:
phpCAS::allowProxyChain(new CAS_ProxyChain_Any);
THIS SETTING IS HOWEVER NOT RECOMMENDED FOR PRODUCTION AND HAS SECURITY
IMPLICATIONS: YOU ARE ALLOWING ANY SERVICE TO ACT ON BEHALF OF A USER
ON THIS SERVICE.

param: CAS_ProxyChain_Interface $proxy_chain A proxy-chain that will be
return: void

getProxies()   X-Ref
Answer an array of proxies that are sitting in front of this application.
This method will only return a non-empty array if we have received and
validated a Proxy Ticket.

return: array

addRebroadcastNode($rebroadcastNodeUrl)   X-Ref
Add a pgtIou/pgtId and logoutRequest rebroadcast node.

param: string $rebroadcastNodeUrl The rebroadcast node URL. Can be
return: void

addRebroadcastHeader($header)   X-Ref
This method is used to add header parameters when rebroadcasting
pgtIou/pgtId or logoutRequest.

param: String $header Header to send when rebroadcasting.
return: void

_validateClientExists()   X-Ref
Checks if a client already exists

return: void

_validateProxyExists()   X-Ref
Checks of a proxy client aready exists

return: void

getCasClient()   X-Ref

return: CAS_Client

setCasClient(\CAS_Client $client)   X-Ref
For testing purposes, use this method to set the client to a test double

return: void

Functions that are not part of a class:

gettmpdir()   X-Ref
The default directory for the debug file under Unix.

return: string directory for the debug file