<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* manages the single sign on logic between Panopto and Moodle
*
* @package block_panopto
* @copyright Panopto 2009 - 2016 /With contributions from Spenser Jones ([email protected])
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
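// This can't be defined Moodle internal because it is called from Panopto to authorize login.
// $OUTPUT is used on the failure path at the bottom of this file, so it is pulled into scope
// together with $CFG and $USER in case this file is included from inside a function.
global $CFG, $USER, $OUTPUT;
if (empty($CFG)) {
    require_once(dirname(__FILE__) . '/../../config.php');
}
require_once($CFG->libdir . '/weblib.php');
require_once(dirname(__FILE__) . '/lib/block_panopto_lib.php');

// All request parameters below arrive on the query string from the client. Only the values
// that are covered by the signature check further down (serverName, expiration) are trusted.
$servername = required_param('serverName', PARAM_HOST);
$callbackurl = required_param('callbackURL', PARAM_URL);
// The callback URL is sometimes delivered double-encoded; undo one layer of encoding in that case.
if (strpos($callbackurl, 'http%') !== false
    || strpos($callbackurl, 'https%') !== false) {
    $callbackurl = urldecode($callbackurl);
}
// A float doesn't have the required precision, so the expiration is kept as a digits-and-dot string.
$expiration = preg_replace('/[^0-9\.]/', '', required_param('expiration', PARAM_RAW));
$requestauthcode = required_param('authCode', PARAM_ALPHANUM);
$action = optional_param('action', '', PARAM_ALPHA);
// Strict comparison: both sides are strings, so no coercion is wanted here.
$relogin = ($action === 'relogin');

if ($relogin || (isset($USER->username) && ($USER->username === 'guest'))) {
    require_logout();
    // Return to this page, minus the "action=relogin" parameter.
    redirect($CFG->wwwroot . '/blocks/panopto/SSO.php' .
        "?authCode=$requestauthcode" .
        "&serverName=$servername" .
        "&expiration=$expiration" .
        '&callbackURL=' . urlencode($callbackurl));
    return;
}

// No course ID (0). Don't autologin guests (false).
require_login(0, false);

// Reproduce canonically-ordered incoming auth payload.
// NOTE(review): callbackURL is not part of this signed payload, so the signature binds only
// serverName and expiration; unless panopto_validate_auth_code() ties the callback to the
// server some other way, a validly signed pair could be presented with an unrelated callback
// URL. The expiration is also not compared against the current time in this file --
// presumably that check lives inside panopto_validate_auth_code(); confirm.
$requestauthpayload = 'serverName=' . $servername . '&expiration=' . $expiration;

// Verify passed in parameters are properly signed.
if (panopto_validate_auth_code($requestauthpayload, $requestauthcode)) {
    $userkey = panopto_decorate_username($USER->username);
    // Generate canonically-ordered auth payload string.
    $responseparams = 'serverName=' . $servername . '&externalUserKey=' . $userkey . '&expiration=' . $expiration;
    // Sign payload with shared key and hash.
    $responseauthcode = panopto_generate_auth_code($responseparams);
    // Encode user key in case the backslash causes a sequence to be interpreted as an escape sequence
    // (e.g. in the case of usernames that begin with digits).
    // Maintain the original canonical string to avoid signature mismatch.
    $responseparamsencoded = 'serverName=' . $servername . '&externalUserKey=' . urlencode($userkey) . '&expiration=' . $expiration;
    // strpos() returns 0 (falsy) when '?' is the very first character, so compare against false explicitly.
    $separator = (strpos($callbackurl, '?') !== false ? '&' : '?');
    $redirecturl = $callbackurl . $separator . $responseparamsencoded . '&authCode=' . $responseauthcode;
    // Redirect to Panopto Focus login page.
    redirect($redirecturl);
} else {
    // Signature mismatch: render a plain failure page instead of redirecting anywhere.
    echo $OUTPUT->header();
    echo 'Invalid auth code.';
    echo $OUTPUT->footer();
}
/* End of file SSO.php */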