Migrate to cas-lib

Author: tvdijen

.github/workflows/php.yml

@@ -11,7 +11,7 @@ on:  # yamllint disable-line rule:truthy
     branches: [master, release-*]
     paths-ignore:
       - '**.md'
-  workflow_dispatch
+  workflow_dispatch:
 
 jobs:
   linter:

composer.json

@@ -31,14 +31,17 @@
         }
     },
     "require": {
-        "php": "^8.0",
-        "simplesamlphp/composer-module-installer": "^1.3.2",
-        "simplesamlphp/simplesamlphp": "^3@dev",
-        "simplesamlphp/simplesamlphp-module-ldap": "~1.2",
-        "symfony/http-foundation": "^6.0"
+        "php": "^7.4 || ^8.0",
+        "ext-pcre": "*",
+
+        "simplesamlphp/assert": "^0.8 || ^1.0",
+        "simplesamlphp/cas": "^1.0",
+        "simplesamlphp/composer-module-installer": "^1.3",
+        "simplesamlphp/simplesamlphp": "^2.0",
+        "simplesamlphp/simplesamlphp-module-ldap": "^1.2"
     },
     "require-dev": {
-        "simplesamlphp/simplesamlphp-test-framework": "^1.5.1"
+        "simplesamlphp/simplesamlphp-test-framework": "^1.5"
     },
     "support": {
         "issues": "https://github.com/simplesamlphp/simplesamlphp-module-cas/issues",

src/Auth/Source/CAS.php

@@ -4,12 +4,16 @@
 
 use DOMXpath;
 use Exception;
-use SAML2\DOMDocumentFactory;
 use SimpleSAML\Auth;
+use SimpleSAML\CAS\XML\cas\AuthenticationFailure;
+use SimpleSAML\CAS\XML\cas\AuthenticationSuccess;
+use SimpleSAML\CAS\XML\cas\ServiceResponse;
+use SimpleSAML\CAS\Utils\XPath;
 use SimpleSAML\Configuration;
 use SimpleSAML\Module;
 use SimpleSAML\Module\ldap\Auth\Ldap;
 use SimpleSAML\Utils;
+use SimpleSAML\XML\DOMDocumentFactory;
 
 use function array_key_exists;
 use function array_merge_recursive;
@@ -147,32 +151,34 @@ private function casServiceValidate(string $ticket, string $service): array
 
         /** @var string $result */
         $dom = DOMDocumentFactory::fromString($result);
-        $xPath = new DOMXpath($dom);
-        $xPath->registerNamespace("cas", 'http://www.yale.edu/tp/cas');
-        $success = $xPath->query("/cas:serviceResponse/cas:authenticationSuccess/cas:user");
-        if ($success->length == 0) {
-            $failure = $xPath->evaluate("/cas:serviceResponse/cas:authenticationFailure");
-            throw new Exception("Error when validating CAS service ticket: " . $failure->item(0)->textContent);
-        } else {
+
+        $serviceResponse = ServiceResponse::fromXML($dom->documentElement);
+        $message = $serviceResponse->getResponse();
+        if ($message instanceof AuthenticationFailure) {
+            throw new Exception(sprintf(
+                "Error when validating CAS service ticket: %s (%s)",
+                $message->getContent(),
+                $message->getCode(),
+            ));
+        } elseif ($message instanceof AuthenticationSuccess) {
+            $user = $message->getUser()->getContent();
+            $xPath = XPath::getXPath();
+
             $attributes = [];
             if ($casattributes = $this->casConfig['attributes']) {
-                // Some has attributes in the xml - attributes is a list of XPath expressions to get them
+                // Some have attributes in the xml - attributes is a list of XPath expressions to get them
                 foreach ($casattributes as $name => $query) {
-                    $attrs = $xPath->query($query);
+                    $attrs = $xPath->xpQuery($query, $xPath);
                     foreach ($attrs as $attrvalue) {
                         $attributes[$name][] = $attrvalue->textContent;
                     }
                 }
             }
 
-            $item = $success->item(0);
-            if (is_null($item)) {
-                throw new Exception("Error parsing serviceResponse.");
-            }
-            $casusername = $item->textContent;
-
-            return [$casusername, $attributes];
+            return [$user, $attributes];
         }
+
+        throw new Exception("Error parsing serviceResponse.");
     }
 
 
@@ -206,8 +212,8 @@ public function finalStep(array &$state): void
         $ticket = $state['cas:ticket'];
         $stateId = Auth\State::saveState($state, self::STAGE_INIT);
         $service = Module::getModuleURL('cas/linkback.php', ['stateId' => $stateId]);
-        list($username, $casattributes) = $this->casValidation($ticket, $service);
-        $ldapattributes = [];
+        list($username, $casAttributes) = $this->casValidation($ticket, $service);
+        $ldapAttributes = [];
 
         $config = Configuration::loadFromArray(
             $this->ldapConfig,
@@ -222,12 +228,13 @@ public function finalStep(array &$state): void
                 $config->getOptionalInteger('port', 389),
                 $config->getOptionalBoolean('referrals', true)
             );
-            $ldapattributes = $ldap->validate($this->ldapConfig, $username);
-            if ($ldapattributes === false) {
+
+            $ldapAttributes = $ldap->validate($this->ldapConfig, $username);
+            if ($ldapAttributes === false) {
                 throw new Exception("Failed to authenticate against LDAP-server.");
             }
         }
-        $attributes = array_merge_recursive($casattributes, $ldapattributes);
+        $attributes = array_merge_recursive($casAttributes, $ldapAttributes);
         $state['Attributes'] = $attributes;
     }