* @copyright Copyright 2005-2010 RedIRIS, http://www.rediris.es/
* This file is part of phpPoA2.
* phpPoA2 is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
* phpPoA2 is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with phpPoA2. If not, see <http://www.gnu.org/licenses/>.
* @license http://www.gnu.org/licenses/gpl.html GNU General Public License
* @author Jaime Perez <jaime.perez@rediris.es>
PATH_SEPARATOR. dirname(__FILE__ ). "/messages".
PATH_SEPARATOR. dirname(__FILE__ ). "/lib".
PATH_SEPARATOR. dirname(__FILE__ ). "/lib/db".
PATH_SEPARATOR. dirname(__FILE__ ). "/lib/authn".
PATH_SEPARATOR. dirname(__FILE__ ). "/lib/authz");
require_once("definitions.php");
require_once("utils.php");
require_once("PoAEventHandler.php");
include_once("AutoPoA.php");
include_once("LitePoA.php");
* Standard class that implements all the functionality of the phpPoA.
* Main constructor. Configures the PoA and performs initialization.
* @param site The identifier to determine which configuration to apply.
// manage generic session
if (!isset ($_COOKIE[$site. '_session'])) {
$_COOKIE[$site. '_session'] = $id;
// register autoload function
} catch (Exception $e) { // unrecoverable!!
// we have no logging, so do our best here
// put a message in the error log and in STDOUT and exit
$this->handler->abort(E_USER_ERROR, $e);
$this->log = new PoALog($this->cfg->getLogLevel(), $this->cfg->getLogFile());
// initialize error handling
// load authentication engine
$engine = $this->cfg->getAuthnEngine();
$this->authn_engine = new $engine($this->cfg->getAuthnEngineConfFile(), $site);
// load authorization engines
$engines = $this->cfg->getAuthzEngines();
foreach ($engines as $engine) {
$this->authz_engines[$engine] = new $engine($this->cfg->getAuthzEngineConfFile($engine), $site);
protected function clean() {
* Attach a hook object to the appropriate entry point of the available
* authentication or authorization engines.
* @param name The name of the hook. Refer to each individual engine
* for a complete list of available hooks.
* @param hook A hook object with the function or method to attach.
* @return true if the hook was successfully attached, false otherwise.
public function addHook($name, $hook) {
// register autoload function
// add hook for authentication engine
// add hook for authorization engines
$result |= $engine->addHook($name, $hook);
* Remove a hook from the specified entry point of the available
* authentication or authorization engines.
* @param name The name of the hook. Refer to each individual engine
* for a complete list of available hooks.
* @param hook The hook object which shall be removed.
* @return true if the hook was successfully removed, false otherwise.
// register autoload function
// remove hook from authentication engine
// remove hook from authorization engines
$result |= $engine->removeHook($name, $hook);
/****************************
* Authentication interface *
****************************/
* Perform a federated login for the user.
* @return AUTHN_SUCCESS if authentication succeeds, AUTHN_FAILED in
// register autoload function
// check if we have an authentication engine configured
* Query the current status of the user in the federation.
* @return AUTHN_SUCCESS if authentication succeeded, AUTHN_FAILED in
// register autoload function
// check if we have an authentication engine configured
* Retrieve the attributes provided by the user when logged in.
* @return an associative array containing all attributes.
// register autoload function
// check if we have an authentication engine configured
* Get the value (or values) of an attribute, if present.
* @param name The name of the attribute.
* @param namespace The namespace of the attribute, if any.
* @return the attribute value or an array containing all values.
* Null in any other case.
// register autoload function
// check if we have an authentication engine configured
return $this->authn_engine->getAttribute($name, $namespace);
* Remove the user's session and trigger a logout for the specified authentication
* @param slo Whether to perform a Single Log Out or a local logout.
* @return true if success, false in any other case.
public function logout($slo) {
// register autoload function
// check if we have an authentication engine configured
/***************************
* Authorization interface *
***************************/
* Perform authorization for a given subject.
* Multiple authorization engines are supported, so
* authorization will succeed if any of these succeeds.
* @param user The subject queried.
* @param attrs The attributes of the user.
* @param engine The authorization engine(s) to use. All engines are used if none specified.
* If more than one engine should be checked then this must be an array.
* @return AUTHZ_SUCCESS if any of the supported (or selected) engines succeeds or if no
* authorization engine is configured. AUTHZ_FAILED if all the engines fail.
public function isAuthorized($user, $attrs, $engine = null) {
// register autoload function
// bypass if no authorization engine
// check specific engines
if (!is_array($engine)) $engines = array($engine);
foreach ($engines as $e) {
$result |= $this->authz_engines[$e]->isAuthorized($user, $attrs);
// check all configured engines
$result |= $e->isAuthorized($user, $attrs);
* Authorize a given subject with the data retrieved from federated login.
* Multiple authorization engines are supported, so
* authorization will be done in all of them.
* @param user The subject of authorization.
* @param attrs The attributes of the user.
* @param reference An internal reference that may be valuable for the engine, typically
* referring to a previous invitation or similar.
* @param expires The time (POSIX) when authorization will expire. Use 0 if authorization
* should never expire. Defaults to 0.
* @param engine The authorization engine(s) to use. All engines are used if none specified.
* If more than one engine should be checked then this must be an array.
* @return AUTHZ_SUCCESS if any of the supported engines succeeds or if no
* authorization engine is configured. AUTHZ_FAILED if all the engines fail.
public function authorize($user, $attrs, $reference = null, $expires = 0, $engine = null) {
// register autoload function
// check specific engines
if (!is_array($engine)) $engines = array($engine);
foreach ($engines as $e) {
$result |= $this->authz_engines[$e]->authorize($user, $attrs, $reference, $expires);
// check all configured engines
$result |= $e->authorize($user, $attrs, $reference, $expires);
* Revoke authorization for a given subject identified by an e-mail.
* @param mail The e-mail of the user.
* @param engine The authorization engine(s) to use. All engines are used if none specified.
* If more than one engine should be checked then this must be an array.
* @return true if authorization is revoked correctly for all authorization
* engines, false in any other case.
public function revoke($mail, $engine = null) {
// register autoload function
// check specific engines
if (!is_array($engine)) $engines = array($engine);
foreach ($engines as $e) {
// check all configured engines
$result |= $e->revoke($user);
* Returns the authorization engines configured for the current PoA, or
* @param engine The name of the authorization engine to retrieve.
* If more than one engine should be returned then this must be an array.
* @return The authorization engine(s) requested if it was previously configured.
* If none was specified, all configured engines will be returned. An empty
* array will be returned if no authorization engines were found.
// register autoload function
// check specific engines
if (!is_array($engine)) $engines = array($engine);
foreach ($engines as $e) {