From a6ef5d3e2ca634722ee9693d351be8f130145696 Mon Sep 17 00:00:00 2001
From: inghamn <inghamn@bloomington.in.gov>
Date: Fri, 13 Dec 2013 09:46:23 -0500
Subject: [PATCH] Switched from simpleCAS to phpCAS

---
 configuration.inc.default | 11 ++++----
 html/login/home.php       | 54 ++++++++++++++++++---------------------
 2 files changed, 30 insertions(+), 35 deletions(-)

diff --git a/configuration.inc.default b/configuration.inc.default
index 38b52cd..f4dea65 100644
--- a/configuration.inc.default
+++ b/configuration.inc.default
@@ -123,15 +123,14 @@ if (!defined('STDIN')) {
 }
 
 /**
- * We now do single sign-on using CAS  http://www.jasig.org/cas
+ * CAS authentication http://www.jasig.org/cas
  *
- * http://code.google.com/p/simplecas/
+ * https://wiki.jasig.org/display/CASC/phpCAS
  *
- * SimpleCAS is a PHP library for handling the calls to the CAS service
- * The version we're running right now has been modified to remove
- * the depency on HTTP_Request2.  Instead, it uses curl
+ * phpCAS is a PHP library for handling the calls to the CAS service
+ * It is the official library, part of the Jasig CAS project
  */
-define('CAS','/var/www/libraries/SimpleCAS');
+define('CAS', APPLICATION_HOME.'/libraries/phpCAS');
 define('CAS_SERVER','cas.somewhere.org');
 define('CAS_URI','cas');
 
diff --git a/html/login/home.php b/html/login/home.php
index a55922e..62df4d9 100644
--- a/html/login/home.php
+++ b/html/login/home.php
@@ -2,41 +2,37 @@
 /**
  *	Logs a user into the system using CAS
  *
- * @copyright 2006-2010 City of Bloomington, Indiana
+ * @copyright 2006-2013 City of Bloomington, Indiana
  * @license http://www.gnu.org/licenses/agpl.txt GNU/AGPL, see LICENSE.txt
  * @author Cliff Ingham <inghamn@bloomington.in.gov>
  */
-if (defined('CAS')) {
-	if (isset($_REQUEST['return_url'])) {
-		$_SESSION['return_url'] = $_REQUEST['return_url'];
-	}
+// If they don't have CAS configured, send them onto the application's
+// internal authentication system
+if (!defined('CAS')) {
+	header('Location: '.BASE_URL.'/login/login.php?return_url='.$this->return_url);
+	exit();
+}
 
-	require_once CAS.'/SimpleCAS/Autoload.php';
+require_once CAS.'/CAS.php';
+phpCAS::client(CAS_VERSION_2_0, CAS_SERVER, 443, CAS_URI, false);
+phpCAS::setNoCasServerValidation();
+phpCAS::forceAuthentication();
 
-	$options = array('hostname'=>CAS_SERVER,'uri'=>CAS_URI);
-	$protocol = new SimpleCAS_Protocol_Version2($options);
-	$client = SimpleCAS::client($protocol);
-	$client->forceAuthentication();
+// at this step, the user has been authenticated by the CAS server
+// and the user's login name can be read with phpCAS::getUser().
 
-	if ($client->isAuthenticated()) {
-		try {
-			$user = new User($client->getUsername());
-			$user->startNewSession();
-
-			if (isset($_SESSION['return_url'])) {
-				header('Location: '.$_SESSION['return_url']);
-			}
-			else {
-				header('Location: '.BASE_URL);
-			}
-		}
-		catch (Exception $e) {
-			$_SESSION['errorMessages'][] = $e;
-		}
-	}
-	else {
-		header('Location: '.BASE_URL);
-	}
+// They may be authenticated according to CAS,
+// but that doesn't mean they have person record
+// and even if they have a person record, they may not
+// have a user account for that person record.
+try {
+	$user = new User(phpCAS::getUser());
+	$user->startNewSession();
+	header("Location: ".BASE_URL);
+	exit();
+}
+catch (Exception $e) {
+	$_SESSION['errorMessages'][] = $e;
 }
 
 $template = new Template();