chamilo-lms/plugin/keycloak/start.php

<?php
/* For licensing terms, see /license.txt */

use ChamiloSession as Session;
use OneLogin\Saml2\Auth;
use OneLogin\Saml2\AuthnRequest;
use OneLogin\Saml2\Settings;

require_once '../../main/inc/global.inc.php';

$pluginKeycloak = api_get_plugin_setting('keycloak', 'tool_enable') === 'true';

if (!$pluginKeycloak) {
    api_not_allowed(true);
}

// Create a settings.dist.php
if (file_exists('settings.php')) {
    require_once 'settings.php';
} else {
    $message = '';
    if (api_is_platform_admin()) {
        $message = 'Create a settings.php file in plugin/keycloak/';
    }
    api_not_allowed(true, $message);
}

$content = '';
$auth = new Auth($settingsInfo);

/*if (isset($_REQUEST['delete'])) {
    Session::erase('samlNameId');
    Session::erase('samlSessionIndex');
    Session::erase('samlNameIdFormat');
    Session::erase('samlUserdata');
    Session::erase('AuthNRequestID');
    Session::erase('LogoutRequestID');
    echo 'delete all';
    exit;
}*/

$settings = new Settings($settingsInfo);
$authRequest = new AuthnRequest($settings);

$samlRequest = $authRequest->getRequest();
$idpData = $settings->getIdPData();

if (isset($_GET['sso'])) {
    $auth->login();
// If AuthNRequest ID need to be saved in order to later validate it, do instead
    /*$ssoBuiltUrl = $auth->login(null, [], false, false, true);
    $_SESSION['AuthNRequestID'] = $auth->getLastRequestID();
    header('Pragma: no-cache');
    header('Cache-Control: no-cache, must-revalidate');
    header('Location: ' . $ssoBuiltUrl);
    exit();*/
} elseif (isset($_GET['slo'])) {
    /*
    if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['url'])) {
        $sloUrl = $idpData['singleLogoutService']['url'];
    } else {
        throw new Exception("The IdP does not support Single Log Out");
    }

    if (isset($_SESSION['samlSessionIndex']) && !empty($_SESSION['samlSessionIndex'])) {
        $logoutRequest = new \OneLogin\Saml2\LogoutRequest($settings, null, $_SESSION['samlSessionIndex']);
    } else {
        $logoutRequest = new \OneLogin\Saml2\LogoutRequest($settings);
    }
    $samlRequest = $logoutRequest->getRequest();
    $parameters = array('SAMLRequest' => $samlRequest);
    $url = \OneLogin\Saml2\Utils::redirect($sloUrl, $parameters, true);
    header("Location: $url");
    exit;*/
    $returnTo = null;
    $parameters = [];
    $nameId = Session::read('samlNameId');
    $sessionIndex = Session::read('samlSessionIndex');
    $nameIdFormat = Session::read('samlNameIdFormat');
    $auth->logout($returnTo, $parameters, $nameId, $sessionIndex, false, $nameIdFormat);

// If LogoutRequest ID need to be saved in order to later validate it, do instead
    // $sloBuiltUrl = $auth->logout(null, [], $nameId, $sessionIndex, true);
    /*$_SESSION['LogoutRequestID'] = $auth->getLastRequestID();
    header('Pragma: no-cache');
    header('Cache-Control: no-cache, must-revalidate');
    header('Location: ' . $sloBuiltUrl);
    exit();*/
} elseif (isset($_GET['acs'])) {
    $requestID = Session::read('AuthNRequestID');
    $auth->processResponse($requestID);
    $errors = $auth->getErrors();
    if (!empty($errors)) {
        $content .= '<p>'.implode(', ', $errors).'</p>';
    }

    if (!$auth->isAuthenticated()) {
        api_not_allowed(true, $content.'<p>Not authenticated</p>');
        exit;
    }

    $keyCloackUserName = $auth->getNameId();
    $userInfo = api_get_user_info_from_username($keyCloackUserName);
    $attributes = $auth->getAttributes();
    $userId = 0;
    if (!empty($attributes) && empty($userInfo)) {
        $firstName = '';
        if (isset($attributes['FirstName']) && !empty($attributes['FirstName'])) {
            $firstName = reset($attributes['FirstName']);
        }

        $lastName = '';
        if (isset($attributes['LastName']) && !empty($attributes['LastName'])) {
            $lastName = reset($attributes['LastName']);
        }

        $email = '';
        if (isset($attributes['Email']) && !empty($attributes['Email'])) {
            $email = reset($attributes['Email']);
        }

        if (empty($email)) {
            api_not_allowed(true);
        }

        $userId = UserManager::create_user(
            $firstName,
            $lastName,
            STUDENT,
            $email,
            $keyCloackUserName,
            '',
            '',
            '',
            '',
            '',
            'keycloak'
        );

        if ($userId) {
            $userInfo = api_get_user_info($userId);
        }
    } else {
        // Only load users that were created using this method.
        if ($userInfo['auth_source'] === 'keycloak') {
            $userId = $userInfo['user_id'];
        }
    }

    if (!empty($userId)) {
        // Set chamilo sessions
        Session::write('samlUserdata', $auth->getAttributes());
        Session::write('samlNameId', $auth->getNameId());
        Session::write('samlNameIdFormat', $auth->getNameIdFormat());
        Session::write('samlSessionIndex', $auth->getSessionIndex());
        Session::erase('AuthNRequestID');

        // Filling session variables with new data
        Session::write('_uid', $userId);
        Session::write('_user', $userInfo);
        Session::write('is_platformAdmin', false);
        Session::write('is_allowedCreateCourse', false);
    } else {
        Display::addFlash(Display::return_message(get_lang('InvalidId')));
    }

    /*if (isset($_POST['RelayState']) && \OneLogin\Saml2\Utils::getSelfURL() != $_POST['RelayState']) {
        $auth->redirectTo($_POST['RelayState']);
    }*/
    header('Location: '.api_get_path(WEB_PATH));
    exit;
} elseif (isset($_GET['sls'])) {
    $requestID = Session::read('LogoutRequestID');
    $auth->processSLO(false, $requestID);
    $errors = $auth->getErrors();

    if (empty($errors)) {
        Session::erase('samlNameId');
        Session::erase('samlSessionIndex');
        Session::erase('samlNameIdFormat');
        Session::erase('samlUserdata');
        Session::erase('AuthNRequestID');
        Session::erase('LogoutRequestID');

        Display::addFlash(Display::return_message('Sucessfully logged out'));
        header('Location: '.api_get_path(WEB_PATH));
        exit;
    } else {
        api_not_allowed(true, implode(', ', $errors));
    }
}

$template = new Template('');

if (isset($_SESSION['samlUserdata'])) {
    $attributes = Session::read('samlUserdata');
    $params = [];
    if (!empty($attributes)) {
        $content .= 'You have the following attributes:<br>';
        $content .= '<table class="table"><thead><th>Name</th><th>Values</th></thead><tbody>';
        foreach ($attributes as $attributeName => $attributeValues) {
            $content .= '<tr><td>'.htmlentities($attributeName).'</td><td><ul>';
            foreach ($attributeValues as $attributeValue) {
                $content .= '<li>'.htmlentities($attributeValue).'</li>';
            }
            $content .= '</ul></td></tr>';
        }
        $content .= '</tbody></table>';
    } else {
        $content .= "<p>You don't have any attribute</p>";
    }

    $content .= '<p><a href="?slo" >Logout</a></p>';
} else {
    $content .= '<p><a href="?sso" >Login</a></p>';
    $content .= '<p><a href="?sso2" >Login and access to attrs.php page</a></p>';
}

$template->assign('content', $content);
$template->display_one_col_template();
Add keycloack plugin BT#15160 7 years ago			`<?php`
			`/* For licensing terms, see /license.txt */`

			`use ChamiloSession as Session;`
			`use OneLogin\Saml2\Auth;`
			`use OneLogin\Saml2\AuthnRequest;`
Minor - flint fixes 7 years ago			`use OneLogin\Saml2\Settings;`
Add keycloack plugin BT#15160 7 years ago
			`require_once '../../main/inc/global.inc.php';`

			`$pluginKeycloak = api_get_plugin_setting('keycloak', 'tool_enable') === 'true';`

			`if (!$pluginKeycloak) {`
			`api_not_allowed(true);`
			`}`

			`// Create a settings.dist.php`
Minor - check if file exists, add comments 7 years ago			`if (file_exists('settings.php')) {`
			`require_once 'settings.php';`
			`} else {`
			`$message = '';`
			`if (api_is_platform_admin()) {`
			`$message = 'Create a settings.php file in plugin/keycloak/';`
			`}`
			`api_not_allowed(true, $message);`
			`}`
Add keycloack plugin BT#15160 7 years ago
Minor - check if file exists, add comments 7 years ago			`$content = '';`
Add keycloack plugin BT#15160 7 years ago			`$auth = new Auth($settingsInfo);`

Minor - check if file exists, add comments 7 years ago			`/*if (isset($_REQUEST['delete'])) {`
Add keycloack plugin BT#15160 7 years ago			`Session::erase('samlNameId');`
			`Session::erase('samlSessionIndex');`
			`Session::erase('samlNameIdFormat');`
			`Session::erase('samlUserdata');`
			`Session::erase('AuthNRequestID');`
			`Session::erase('LogoutRequestID');`
			`echo 'delete all';`
			`exit;`
Minor - check if file exists, add comments 7 years ago			`}*/`
Add keycloack plugin BT#15160 7 years ago
			`$settings = new Settings($settingsInfo);`
			`$authRequest = new AuthnRequest($settings);`

			`$samlRequest = $authRequest->getRequest();`
			`$idpData = $settings->getIdPData();`

			`if (isset($_GET['sso'])) {`
			`$auth->login();`
Minor - flint fixes 7 years ago			`// If AuthNRequest ID need to be saved in order to later validate it, do instead`
Add keycloack plugin BT#15160 7 years ago			`/*$ssoBuiltUrl = $auth->login(null, [], false, false, true);`
			`$_SESSION['AuthNRequestID'] = $auth->getLastRequestID();`
			`header('Pragma: no-cache');`
			`header('Cache-Control: no-cache, must-revalidate');`
			`header('Location: ' . $ssoBuiltUrl);`
			`exit();*/`
Minor - flint fixes 7 years ago			`} elseif (isset($_GET['slo'])) {`
Add keycloack plugin BT#15160 7 years ago			`/*`
			`if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['url'])) {`
			`$sloUrl = $idpData['singleLogoutService']['url'];`
			`} else {`
			`throw new Exception("The IdP does not support Single Log Out");`
			`}`

			`if (isset($_SESSION['samlSessionIndex']) && !empty($_SESSION['samlSessionIndex'])) {`
			`$logoutRequest = new \OneLogin\Saml2\LogoutRequest($settings, null, $_SESSION['samlSessionIndex']);`
			`} else {`
			`$logoutRequest = new \OneLogin\Saml2\LogoutRequest($settings);`
			`}`
			`$samlRequest = $logoutRequest->getRequest();`
			`$parameters = array('SAMLRequest' => $samlRequest);`
			`$url = \OneLogin\Saml2\Utils::redirect($sloUrl, $parameters, true);`
			`header("Location: $url");`
			`exit;*/`
			`$returnTo = null;`
			`$parameters = [];`
			`$nameId = Session::read('samlNameId');`
			`$sessionIndex = Session::read('samlSessionIndex');`
			`$nameIdFormat = Session::read('samlNameIdFormat');`
			`$auth->logout($returnTo, $parameters, $nameId, $sessionIndex, false, $nameIdFormat);`

Minor - flint fixes 7 years ago			`// If LogoutRequest ID need to be saved in order to later validate it, do instead`
Add keycloack plugin BT#15160 7 years ago			`// $sloBuiltUrl = $auth->logout(null, [], $nameId, $sessionIndex, true);`
			`/*$_SESSION['LogoutRequestID'] = $auth->getLastRequestID();`
			`header('Pragma: no-cache');`
			`header('Cache-Control: no-cache, must-revalidate');`
			`header('Location: ' . $sloBuiltUrl);`
			`exit();*/`
Minor - flint fixes 7 years ago			`} elseif (isset($_GET['acs'])) {`
Add keycloack plugin BT#15160 7 years ago			`$requestID = Session::read('AuthNRequestID');`
			`$auth->processResponse($requestID);`
			`$errors = $auth->getErrors();`
			`if (!empty($errors)) {`
			`$content .= '<p>'.implode(', ', $errors).'</p>';`
			`}`

			`if (!$auth->isAuthenticated()) {`
			`api_not_allowed(true, $content.'<p>Not authenticated</p>');`
			`exit;`
			`}`

Fix keycloak login see BT#15160 7 years ago			`$keyCloackUserName = $auth->getNameId();`
Add keycloack plugin BT#15160 7 years ago			`$userInfo = api_get_user_info_from_username($keyCloackUserName);`
Minor - fix php warning 7 years ago			`$attributes = $auth->getAttributes();`
Minor - only load keycloak users, add flash message see BT#15160 7 years ago			`$userId = 0;`
Minor - fix php warning 7 years ago			`if (!empty($attributes) && empty($userInfo)) {`
Minor - fix php warnings 7 years ago			`$firstName = '';`
Minor - fix php errors 7 years ago			`if (isset($attributes['FirstName']) && !empty($attributes['FirstName'])) {`
Minor - fix php warnings 7 years ago			`$firstName = reset($attributes['FirstName']);`
			`}`

Minor - format code 7 years ago			`$lastName = '';`
Minor - fix php errors 7 years ago			`if (isset($attributes['LastName']) && !empty($attributes['LastName'])) {`
Minor - fix php warnings 7 years ago			`$lastName = reset($attributes['LastName']);`
			`}`

			`$email = '';`
Minor - fix php errors 7 years ago			`if (isset($attributes['Email']) && !empty($attributes['Email'])) {`
Minor - fix php warnings 7 years ago			`$email = reset($attributes['Email']);`
			`}`
Add keycloack plugin BT#15160 7 years ago
Minor - fix php warning 7 years ago			`if (empty($email)) {`
			`api_not_allowed(true);`
			`}`

Add keycloack plugin BT#15160 7 years ago			`$userId = UserManager::create_user(`
			`$firstName,`
			`$lastName,`
			`STUDENT,`
			`$email,`
			`$keyCloackUserName,`
			`'',`
			`'',`
			`'',`
			`'',`
			`'',`
			`'keycloak'`
			`);`
Minor - check if file exists, add comments 7 years ago
			`if ($userId) {`
			`$userInfo = api_get_user_info($userId);`
			`}`
Add keycloack plugin BT#15160 7 years ago			`} else {`
Minor - only load keycloak users, add flash message see BT#15160 7 years ago			`// Only load users that were created using this method.`
			`if ($userInfo['auth_source'] === 'keycloak') {`
			`$userId = $userInfo['user_id'];`
			`}`
Add keycloack plugin BT#15160 7 years ago			`}`

			`if (!empty($userId)) {`
Minor - fix php warning 7 years ago			`// Set chamilo sessions`
			`Session::write('samlUserdata', $auth->getAttributes());`
			`Session::write('samlNameId', $auth->getNameId());`
			`Session::write('samlNameIdFormat', $auth->getNameIdFormat());`
			`Session::write('samlSessionIndex', $auth->getSessionIndex());`
			`Session::erase('AuthNRequestID');`

Add keycloack plugin BT#15160 7 years ago			`// Filling session variables with new data`
			`Session::write('_uid', $userId);`
			`Session::write('_user', $userInfo);`
			`Session::write('is_platformAdmin', false);`
			`Session::write('is_allowedCreateCourse', false);`
Minor - only load keycloak users, add flash message see BT#15160 7 years ago			`} else {`
			`Display::addFlash(Display::return_message(get_lang('InvalidId')));`
Add keycloack plugin BT#15160 7 years ago			`}`

Minor - check if file exists, add comments 7 years ago			`/*if (isset($_POST['RelayState']) && \OneLogin\Saml2\Utils::getSelfURL() != $_POST['RelayState']) {`
			`$auth->redirectTo($_POST['RelayState']);`
			`}*/`
Add keycloack plugin BT#15160 7 years ago			`header('Location: '.api_get_path(WEB_PATH));`
			`exit;`
Minor - flint fixes 7 years ago			`} elseif (isset($_GET['sls'])) {`
Add keycloack plugin BT#15160 7 years ago			`$requestID = Session::read('LogoutRequestID');`
			`$auth->processSLO(false, $requestID);`
			`$errors = $auth->getErrors();`

			`if (empty($errors)) {`
			`Session::erase('samlNameId');`
			`Session::erase('samlSessionIndex');`
			`Session::erase('samlNameIdFormat');`
			`Session::erase('samlUserdata');`
			`Session::erase('AuthNRequestID');`
			`Session::erase('LogoutRequestID');`

			`Display::addFlash(Display::return_message('Sucessfully logged out'));`
			`header('Location: '.api_get_path(WEB_PATH));`
			`exit;`
			`} else {`
			`api_not_allowed(true, implode(', ', $errors));`
			`}`
			`}`

			`$template = new Template('');`

			`if (isset($_SESSION['samlUserdata'])) {`
			`$attributes = Session::read('samlUserdata');`
			`$params = [];`
			`if (!empty($attributes)) {`
			`$content .= 'You have the following attributes:<br>';`
			`$content .= '<table class="table"><thead><th>Name</th><th>Values</th></thead><tbody>';`
			`foreach ($attributes as $attributeName => $attributeValues) {`
Minor - flint fixes 7 years ago			`$content .= '<tr><td>'.htmlentities($attributeName).'</td><td><ul>';`
Add keycloack plugin BT#15160 7 years ago			`foreach ($attributeValues as $attributeValue) {`
Minor - flint fixes 7 years ago			`$content .= '<li>'.htmlentities($attributeValue).'</li>';`
Add keycloack plugin BT#15160 7 years ago			`}`
			`$content .= '</ul></td></tr>';`
			`}`
			`$content .= '</tbody></table>';`
			`} else {`
			`$content .= "<p>You don't have any attribute</p>";`
			`}`

			`$content .= '<p><a href="?slo" >Logout</a></p>';`
			`} else {`
			`$content .= '<p><a href="?sso" >Login</a></p>';`
			`$content .= '<p><a href="?sso2" >Login and access to attrs.php page</a></p>';`
			`}`

			`$template->assign('content', $content);`
Minor - flint fixes 7 years ago			`$template->display_one_col_template();`