Unbreak http auth, make it more sane. Old broken method renamed to null, in

case crazy people still want it.  Add support for redirecting to a SSO 
provider after logout.

config/ampache.cfg.php.dist

@@ -82,9 +82,14 @@ session_cookiesecure       = 0
 ; to use and in which order, if auto_create isn't enabled
 ; The user must exist locally. Local method uses PHP's PAM Auth module
 ; DEFAULT: mysql
-; VALUES: mysql,ldap,http,local
+; VALUES: mysql,ldap,http,local,null
 auth_methods = "mysql"
 
+; Logout redirection target
+; Defaults to our own login.php, but we can override it here if, for instance, 
+; we want to redirect to an SSO provider instead.
+; logout_redirect = "http://sso.example.com/logout"
+
 ;#####################
 ;  Program Settings  #
 ;#####################

lib/class/vauth.class.php

@@ -152,13 +152,19 @@ class vauth {
 	 * This is the function used for the Ajax logouts, if no id is passed
 	 * it tries to find one from the session
 	 */
-	public static function logout($key='') {
+	public static function logout($key='',$relogin=true) {
 
 		// If no key is passed try to find the session id
 		$key = $key ? $key : session_id();
 
 		// Nuke the cookie before all else
 		self::destroy($key);
+		if ((! $relogin) && Config::get('logout_redirect')) {
+			$target = Config::get('logout_redirect');
+		}
+		else {
+			$target = Config::get('web_path') . '/login.php';
+		}
 
 		// Do a quick check to see if this is an AJAX'd logout request
 		// if so use the iframe to redirect
@@ -174,7 +180,6 @@ class vauth {
 			header("Cache-Control: no-store, no-cache, must-revalidate");
 			header("Pragma: no-cache");
 
-			$target = Config::get('web_path') . '/login.php';
 			$results['rfc3514'] = '<script type="text/javascript">reload_logout("'.$target.'")</script>';
 			echo xml_from_array($results);
 		}
@@ -182,7 +187,7 @@ class vauth {
 
 		/* Redirect them to the login page */
 		if (AJAX_INCLUDE != '1') {
-			header ('Location: ' . Config::get('web_path') . '/login.php');
+			header('Location: ' . $target);
 		}
 
 		exit;
@@ -673,20 +678,39 @@ class vauth {
 	/**
 	 * http_auth
 	 * This auth method relies on HTTP auth from Apache
-	 * This is not a very secure method of authentication
-	 * and defaults to off.
 	 */
-	public static function http_auth($username) {
-
+	private static function http_auth($username) {
+		if (($_SERVER['REMOTE_USER'] == $username) || 
+		($_SERVER['HTTP_REMOTE_USER'] == $username)) {
 		$results['success']	= true;
 		$results['type']	= 'http';
 		$results['username']	= $username;
 		$results['name']	= $username;
 		$results['email']	= '';
+		}
+		else {
+			$results['success'] = false;
+			$results['error'] = "HTTP auth: REMOTE_USER not set";
+		}
 		return $results;
-
 	} // http_auth
 
+	/**
+	 * null_auth
+	 * This is the equivalent of the old http_auth and assumes that if you
+	 * can access the page, you're a trusted user.
+	 * This is not a very secure method of authentication, since it allows
+	 * you to log in with an arbitrary username.
+	 */
+	private static function null_auth($username) {
+		$results['success']	= true;
+		$results['type']	= 'null';
+		$results['username']	= $username;
+		$results['name']	= $username;
+		$results['email']	= '';
+		return $results;
+	} // null_auth
+
 } // end of vauth class
 
 ?>

lib/init.php

@@ -1,4 +1,5 @@
 <?php
+/* vim:set tabstop=8 softtabstop=8 shiftwidth=8 noexpandtab: */
 /*
 
  Copyright (c) Ampache.org
@@ -179,24 +180,6 @@ set_memory_limit($results['memory_limit']);
 
 /**** END Set PHP Vars ****/
 
-/* We have to check for HTTP Auth, only run this if we don't have an ampache session cookie */
-$session_name = Config::get('session_name');
-if (in_array("http",$results['auth_methods']) AND empty($_COOKIE[$session_name])) { 
-
-	$username = scrub_in($_SERVER['PHP_AUTH_USER']);
-	$results = vauth::http_auth($username);
-
-	// We've found someone or were able to create them, go ahead and generate the session
-	if ($results['success']) { 
-		vauth::create_cookie();
-		vauth::session_create($results);
-		$session_name = Config::get('session_name');
-		$_SESSION['userdata'] = $results;
-		$_COOKIE[$session_name] = session_id();
-	} 
-
-} // end if http auth
-
 // If we want a session
 if (NO_SESSION != '1' AND Config::get('use_auth')) { 
 	/* Verify Their session */

login.php

@@ -45,8 +45,11 @@ if (Config::get('access_control')) {
 /* Clean Auth values */
 unset($auth);
 
-/* Check for posted username and password */
-if ($_POST['username'] && $_POST['password']) {
+/* Check for posted username and password, or appropriate environment
+variable if using HTTP auth */
+if (($_POST['username'] && $_POST['password']) || 
+(in_array('http',Config::get('auth_methods')) && 
+($_SERVER['REMOTE_USER'] || $_SERVER['HTTP_REMOTE_USER']))) {
 
 	if ($_POST['rememberme']) {
 		vauth::create_remember_cookie(); 
@@ -60,8 +63,19 @@ if ($_POST['username'] && $_POST['password']) {
 		$auth['info']['offset_limit']	= 25;
 	}
 	else {
+		if ($_POST['username'] && $_POST['password']) {
 		$username = scrub_in($_POST['username']);
 		$password = scrub_in($_POST['password']);
+		}
+		else {
+			if ($_SERVER['REMOTE_USER']) {
+				$username = $_SERVER['REMOTE_USER'];
+			}
+			else if ($_SERVER['HTTP_REMOTE_USER']) {
+				$username = $_SERVER['HTTP_REMOTE_USER'];
+			}
+			$password = '';
+		}
 		$auth = vauth::authenticate($username, $password);
 		$user = User::get_from_username($username);
 		

logout.php

@@ -1,4 +1,5 @@
 <?php 
+/* vim:set tabstop=8 softtabstop=8 shiftwidth=8 noexpandtab: */
 /*
 
  Copyright (c) Ampache.org
@@ -26,5 +27,5 @@
 require_once 'lib/init.php';
 
 // To end a legitimate session, just call logout.
-vauth::logout();
+vauth::logout('',false);
 ?>