2014-06-27 18:20:51 +02:00
|
|
|
# Methods run at request serving
|
2014-03-13 16:07:36 +01:00
|
|
|
package Lemonldap::NG::Handler::Main;
|
|
|
|
|
|
|
|
use MIME::Base64;
|
|
|
|
use Exporter 'import';
|
|
|
|
|
2014-04-11 18:12:21 +02:00
|
|
|
use Lemonldap::NG::Common::Session;
|
2014-03-13 16:07:36 +01:00
|
|
|
use CGI::Util 'expires';
|
|
|
|
use constant UNPROTECT => 1;
|
|
|
|
use constant SKIP => 2;
|
|
|
|
use constant MAINTENANCE_CODE => 503;
|
|
|
|
|
|
|
|
#inherits Cache::Cache
|
|
|
|
#inherits Apache::Session
|
|
|
|
#link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
|
|
|
|
|
2014-04-11 18:12:21 +02:00
|
|
|
our $VERSION = '1.4.0';
|
2014-06-25 18:03:30 +02:00
|
|
|
our ( %EXPORT_TAGS, @EXPORT_OK, @EXPORT );
|
|
|
|
|
|
|
|
# my @threadSharedVar = qw(
|
2014-06-26 17:12:31 +02:00
|
|
|
# cda cipher
|
2014-06-25 18:03:30 +02:00
|
|
|
# cookieExpiration cookieName customFunctions
|
|
|
|
# defaultCondition defaultProtection forgeHeaders
|
|
|
|
# globalStorage globalStorageOptions headerList
|
|
|
|
# httpOnly https key
|
|
|
|
# localStorage localStorageOptions locationCondition
|
|
|
|
# locationConditionText locationCount locationProtection
|
|
|
|
# locationRegexp maintenance port
|
|
|
|
# refLocalStorage safe securedCookie
|
|
|
|
# statusOut statusPipe timeoutActivity
|
|
|
|
# transform useRedirectOnError useRedirectOnForbidden
|
|
|
|
# useSafeJail whatToTrace
|
2014-03-13 16:07:36 +01:00
|
|
|
# );
|
|
|
|
#
|
2014-06-25 18:03:30 +02:00
|
|
|
# non thread shared vars
|
2014-03-13 16:07:36 +01:00
|
|
|
# $datas
|
2014-06-25 18:03:30 +02:00
|
|
|
# $datasUpdate
|
2014-03-13 16:07:36 +01:00
|
|
|
|
2014-07-03 11:46:20 +02:00
|
|
|
our ( $session, $datas, $datasUpdate, $tsv );
|
2014-06-30 20:34:23 +02:00
|
|
|
$tsv = {};
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
BEGIN {
|
|
|
|
|
|
|
|
# globalStorage and locationRules are set for Manager compatibility only
|
|
|
|
%EXPORT_TAGS = (
|
|
|
|
globalStorage => [qw( )],
|
|
|
|
locationRules => [qw( )],
|
2014-06-25 18:03:30 +02:00
|
|
|
jailSharedVars => [qw( $datas )],
|
2014-03-13 16:07:36 +01:00
|
|
|
tsv => [qw( $tsv )],
|
|
|
|
import => [qw( import @EXPORT_OK @EXPORT %EXPORT_TAGS )],
|
2014-06-25 18:03:30 +02:00
|
|
|
post => [qw(postFilter)],
|
2014-03-13 16:07:36 +01:00
|
|
|
);
|
|
|
|
push( @EXPORT_OK, @{ $EXPORT_TAGS{$_} } ) foreach ( keys %EXPORT_TAGS );
|
|
|
|
$EXPORT_TAGS{all} = \@EXPORT_OK;
|
2014-06-25 18:03:30 +02:00
|
|
|
|
|
|
|
# For importing MP(), required modules, and constants
|
|
|
|
use Lemonldap::NG::Handler::API qw(:httpCodes);
|
|
|
|
Lemonldap::NG::Handler::API->thread_share($tsv);
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
|
2014-06-30 11:35:32 +02:00
|
|
|
use Lemonldap::NG::Handler::Reload;
|
2014-03-13 16:07:36 +01:00
|
|
|
use Lemonldap::NG::Handler::Main::Jail;
|
|
|
|
use Lemonldap::NG::Handler::Main::PostForm;
|
|
|
|
use Lemonldap::NG::Handler::Main::Logger;
|
|
|
|
|
|
|
|
|
|
|
|
## @rmethod protected void updateStatus(string user,string url,string action)
|
2014-06-25 18:03:30 +02:00
|
|
|
# Inform the status process of the result of the request if it is available
|
|
|
|
# @param request Apache2::RequestRec current request
|
|
|
|
# @param action string Result of access control (as OK, SKIP, LOGOUT...)
|
|
|
|
# @param optional user string Username to log, if undefined defaults to remote IP
|
|
|
|
# @param optional url string URL to log, if undefined defaults to request URI
|
2014-03-13 16:07:36 +01:00
|
|
|
sub updateStatus {
|
2014-07-01 14:58:04 +02:00
|
|
|
my ( $class, $action, $user, $url ) = @_;
|
|
|
|
$user ||= Lemonldap::NG::Handler::API->remote_ip;
|
|
|
|
$url ||= Lemonldap::NG::Handler::API->uri_with_args;
|
2014-03-13 16:07:36 +01:00
|
|
|
eval {
|
|
|
|
print { $tsv->{statusPipe} } "$user => "
|
2014-07-01 14:58:04 +02:00
|
|
|
. Lemonldap::NG::Handler::API->hostname
|
2014-03-13 16:07:36 +01:00
|
|
|
. "$url $action\n"
|
|
|
|
if ( $tsv->{statusPipe} );
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected int forbidden(string uri)
|
|
|
|
# Used to reject non authorized requests.
|
|
|
|
# Inform the status processus and call logForbidden().
|
2014-06-25 18:03:30 +02:00
|
|
|
# @param $uri URI
|
2014-03-13 16:07:36 +01:00
|
|
|
# @return Apache2::Const::REDIRECT or Apache2::Const::FORBIDDEN
|
|
|
|
sub forbidden {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $class = shift;
|
|
|
|
my $uri = Lemonldap::NG::Handler::API->unparsed_uri;
|
2014-06-25 18:03:30 +02:00
|
|
|
|
2014-03-13 16:07:36 +01:00
|
|
|
if ( $datas->{_logout} ) {
|
2014-07-01 14:58:04 +02:00
|
|
|
$class->updateStatus( 'LOGOUT', $datas->{ $tsv->{whatToTrace} } );
|
2014-03-13 16:07:36 +01:00
|
|
|
my $u = $datas->{_logout};
|
|
|
|
$class->localUnlog;
|
2014-07-01 14:58:04 +02:00
|
|
|
return $class->goToPortal( $u, 'logout=1' );
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
2014-06-25 18:03:30 +02:00
|
|
|
|
|
|
|
# Log forbidding
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
|
|
|
"User "
|
|
|
|
. $datas->{ $tsv->{whatToTrace} }
|
|
|
|
. " was forbidden to access to $uri",
|
2014-07-01 14:58:04 +02:00
|
|
|
"notice"
|
2014-06-25 13:53:09 +02:00
|
|
|
);
|
2014-07-01 14:58:04 +02:00
|
|
|
$class->updateStatus( 'REJECT', $datas->{ $tsv->{whatToTrace} } );
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# Redirect or Forbidden?
|
|
|
|
if ( $tsv->{useRedirectOnForbidden} ) {
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
2014-06-25 18:03:30 +02:00
|
|
|
"Use redirect for forbidden access",
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug' );
|
|
|
|
return $class->goToPortal( $uri, 'lmError=403' );
|
2014-06-25 13:53:09 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( "Return forbidden access",
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug' );
|
2014-03-13 16:07:36 +01:00
|
|
|
return FORBIDDEN;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected void hideCookie()
|
|
|
|
# Hide Lemonldap::NG cookie to the protected application.
|
|
|
|
sub hideCookie {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $class = shift;
|
2014-06-25 18:03:30 +02:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( "removing cookie",
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug' );
|
|
|
|
my $cookie = Lemonldap::NG::Handler::API->header_in('Cookie');
|
2014-06-25 18:03:30 +02:00
|
|
|
$cookie =~ s/$tsv->{cookieName}(http)?=[^,;]*[,;\s]*//og;
|
|
|
|
if ($cookie) {
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::API->set_header_in( 'Cookie' => $cookie );
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
else {
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::API->unset_header_in('Cookie');
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected string encodeUrl(string url)
|
|
|
|
# Encode URl in the format used by Lemonldap::NG::Portal for redirections.
|
|
|
|
# @return Base64 encoded string
|
|
|
|
sub encodeUrl {
|
2014-07-01 14:58:04 +02:00
|
|
|
my ( $class, $url ) = splice @_;
|
|
|
|
$url = $class->_buildUrl( $url ) if ( $url !~ m#^https?://# );
|
2014-03-13 16:07:36 +01:00
|
|
|
return encode_base64( $url, '' );
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected int goToPortal(string url, string arg)
|
|
|
|
# Redirect non-authenticated users to the portal by setting "Location:" header.
|
|
|
|
# @param $url Url requested
|
|
|
|
# @param $arg optionnal GET parameters
|
|
|
|
# @return Apache2::Const::REDIRECT
|
|
|
|
sub goToPortal {
|
2014-07-01 14:58:04 +02:00
|
|
|
my ( $class, $url, $arg ) = splice @_;
|
2014-03-13 16:07:36 +01:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
2014-06-25 18:03:30 +02:00
|
|
|
"Redirect "
|
2014-07-01 14:58:04 +02:00
|
|
|
. Lemonldap::NG::Handler::API->remote_ip
|
2014-06-25 18:03:30 +02:00
|
|
|
. " to portal (url was $url)",
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug'
|
2014-06-25 18:03:30 +02:00
|
|
|
);
|
2014-07-01 14:58:04 +02:00
|
|
|
my $urlc_init = $class->encodeUrl($url);
|
|
|
|
Lemonldap::NG::Handler::API->set_header_out(
|
2014-06-30 20:34:23 +02:00
|
|
|
'Location' => &{ $tsv->{portal} }()
|
2014-03-13 16:07:36 +01:00
|
|
|
. "?url=$urlc_init"
|
|
|
|
. ( $arg ? "&$arg" : "" ) );
|
|
|
|
return REDIRECT;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected $ fetchId()
|
|
|
|
# Get user cookies and search for Lemonldap::NG cookie.
|
|
|
|
# @return Value of the cookie if found, 0 else
|
|
|
|
sub fetchId {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $class = shift;
|
|
|
|
my $t = Lemonldap::NG::Handler::API->header_in('Cookie');
|
2014-07-01 15:11:45 +02:00
|
|
|
my $vhost = $class->resolveAlias;
|
2014-03-13 16:07:36 +01:00
|
|
|
my $lookForHttpCookie = $tsv->{securedCookie} =~ /^(2|3)$/
|
|
|
|
&& !(
|
|
|
|
defined( $tsv->{https}->{$vhost} )
|
2014-04-22 16:47:30 +02:00
|
|
|
? $tsv->{https}->{$vhost}
|
2014-03-13 16:07:36 +01:00
|
|
|
: $tsv->{https}->{_}
|
|
|
|
);
|
|
|
|
my $value =
|
|
|
|
$lookForHttpCookie
|
|
|
|
? ( $t =~ /$tsv->{cookieName}http=([^,; ]+)/o ? $1 : 0 )
|
|
|
|
: ( $t =~ /$tsv->{cookieName}=([^,; ]+)/o ? $1 : 0 );
|
|
|
|
|
2014-06-25 18:03:30 +02:00
|
|
|
$value = $tsv->{cipher}->decryptHex( $value, "http" )
|
2014-03-13 16:07:36 +01:00
|
|
|
if ( $value && $lookForHttpCookie && $tsv->{securedCookie} == 3 );
|
|
|
|
return $value;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected boolean retrieveSession(id)
|
|
|
|
# Tries to retrieve the session whose index is id
|
|
|
|
# @return true if the session was found, false else
|
|
|
|
sub retrieveSession {
|
2014-07-01 14:58:04 +02:00
|
|
|
my ( $class, $id ) = @_;
|
2014-03-13 16:07:36 +01:00
|
|
|
|
2014-04-11 18:12:21 +02:00
|
|
|
# 1. Search if the user was the same as previous (very efficient in
|
|
|
|
# persistent connection).
|
2014-03-13 16:07:36 +01:00
|
|
|
return 1
|
|
|
|
if ( defined $datas->{_session_id}
|
|
|
|
and $id eq $datas->{_session_id}
|
2014-06-25 18:03:30 +02:00
|
|
|
and ( time() - $datasUpdate < 60 ) );
|
2014-03-13 16:07:36 +01:00
|
|
|
|
2014-04-11 18:12:21 +02:00
|
|
|
# 2. Get the session from cache or backend
|
2014-07-03 11:46:20 +02:00
|
|
|
$session = Lemonldap::NG::Common::Session->new(
|
2014-04-11 18:12:21 +02:00
|
|
|
{
|
2014-06-30 20:34:23 +02:00
|
|
|
storageModule => $tsv->{sessionStorageModule},
|
|
|
|
storageModuleOptions => $tsv->{sessionStorageOptions},
|
|
|
|
cacheModule => $tsv->{sessionCacheModule},
|
|
|
|
cacheModuleOptions => $tsv->{sessionCacheOptions},
|
2014-04-11 18:12:21 +02:00
|
|
|
id => $id,
|
|
|
|
kind => "SSO",
|
|
|
|
}
|
|
|
|
);
|
2014-03-13 16:07:36 +01:00
|
|
|
|
2014-07-03 11:46:20 +02:00
|
|
|
if ( $datas = $session->data ) {
|
2014-06-25 13:53:09 +02:00
|
|
|
|
2014-06-16 21:45:54 +02:00
|
|
|
# Update the session to notify activity, if necessary
|
2014-07-03 11:46:20 +02:00
|
|
|
$session->update( { '_lastSeen' => time } )
|
2014-06-16 21:45:54 +02:00
|
|
|
if ( $tsv->{timeoutActivity} );
|
|
|
|
|
|
|
|
$datasUpdate = time();
|
|
|
|
return 1;
|
2014-06-25 13:53:09 +02:00
|
|
|
}
|
|
|
|
else {
|
2014-03-13 16:07:36 +01:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
2014-07-01 14:58:04 +02:00
|
|
|
"Session $id can't be retrieved", 'info' );
|
2014-03-13 16:07:36 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# MAIN SUBROUTINE called by Apache (using PerlHeaderParserHandler option)
|
|
|
|
|
2014-06-25 18:03:30 +02:00
|
|
|
## @rmethod int run(Apache2::RequestRec r)
|
2014-03-13 16:07:36 +01:00
|
|
|
# Main method used to control access.
|
|
|
|
# Calls :
|
|
|
|
# - fetchId()
|
|
|
|
# - retrieveSession()
|
|
|
|
# - lmSetApacheUser()
|
|
|
|
# - grant()
|
|
|
|
# - forbidden() if user is rejected
|
|
|
|
# - sendHeaders() if user is granted
|
|
|
|
# - hideCookie()
|
|
|
|
# - updateStatus()
|
2014-07-02 16:14:33 +02:00
|
|
|
# @param $cond optional Function granting access
|
|
|
|
# @param $protection optional Set to 1 or 2 if access unprotected
|
2014-03-13 16:07:36 +01:00
|
|
|
# @return Apache2::Const value (OK, FORBIDDEN, REDIRECT or SERVER_ERROR)
|
2014-07-02 16:14:33 +02:00
|
|
|
sub run {
|
|
|
|
my ( $class, $cond, $protection ) = @_;
|
2014-06-25 18:03:30 +02:00
|
|
|
return DECLINED
|
2014-07-01 14:58:04 +02:00
|
|
|
unless ( Lemonldap::NG::Handler::API->is_initial_req );
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# Direct return if maintenance mode is active
|
2014-07-01 14:58:04 +02:00
|
|
|
if ( $class->checkMaintenanceMode ) {
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
if ( $tsv->{useRedirectOnError} ) {
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
2014-07-01 14:58:04 +02:00
|
|
|
"Got to portal with maintenance error code", 'debug' );
|
|
|
|
return $class->goToPortal( '/', 'lmError=' . MAINTENANCE_CODE );
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
2014-07-01 14:58:04 +02:00
|
|
|
"Return maintenance error code", 'debug' );
|
2014-03-13 16:07:36 +01:00
|
|
|
return MAINTENANCE_CODE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# Cross domain authentication
|
2014-07-01 14:58:04 +02:00
|
|
|
my $uri = Lemonldap::NG::Handler::API->unparsed_uri;
|
2014-06-25 18:03:30 +02:00
|
|
|
if ( $tsv->{cda}
|
|
|
|
and $uri =~ s/[\?&;]($tsv->{cookieName}(http)?=\w+)$//oi )
|
2014-03-13 16:07:36 +01:00
|
|
|
{
|
|
|
|
my $str = $1;
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( 'CDA request', 'debug' );
|
|
|
|
my $redirectUrl = $class->_buildUrl($uri);
|
2014-03-13 16:07:36 +01:00
|
|
|
my $redirectHttps = ( $redirectUrl =~ m/^https/ );
|
2014-06-25 18:03:30 +02:00
|
|
|
Lemonldap::NG::Handler::API->set_err_header_out(
|
|
|
|
'Location' => $redirectUrl,
|
2014-03-13 16:07:36 +01:00
|
|
|
'Set-Cookie' => "$str; path=/"
|
2014-06-25 18:03:30 +02:00
|
|
|
. ( $redirectHttps ? "; secure" : "" )
|
|
|
|
. ( $tsv->{httpOnly} ? "; HttpOnly" : "" )
|
2014-03-13 16:07:36 +01:00
|
|
|
. (
|
2014-06-25 18:03:30 +02:00
|
|
|
$tsv->{cookieExpiration}
|
|
|
|
? "; expires=" . expires( $tsv->{cookieExpiration}, 'cookie' )
|
2014-03-13 16:07:36 +01:00
|
|
|
: ""
|
|
|
|
)
|
|
|
|
);
|
|
|
|
return REDIRECT;
|
|
|
|
}
|
|
|
|
|
2014-07-01 14:58:04 +02:00
|
|
|
$uri = Lemonldap::NG::Handler::API->uri_with_args;
|
2014-07-02 16:14:33 +02:00
|
|
|
$protection = $class->isUnprotected($uri)
|
|
|
|
unless ( defined $protection );
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
if ( $protection == SKIP ) {
|
2014-06-25 13:53:09 +02:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( "Access control skipped",
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug' );
|
|
|
|
$class->updateStatus('SKIP');
|
|
|
|
$class->hideCookie;
|
|
|
|
$class->cleanHeaders;
|
2014-03-13 16:07:36 +01:00
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
my $id;
|
|
|
|
|
|
|
|
# Try to recover cookie and user session
|
2014-07-01 14:58:04 +02:00
|
|
|
if ( $id = $class->fetchId
|
|
|
|
and $class->retrieveSession($id) )
|
2014-06-25 18:03:30 +02:00
|
|
|
{
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# AUTHENTICATION done
|
|
|
|
|
2014-04-11 18:12:21 +02:00
|
|
|
# Local macros
|
2014-03-13 16:07:36 +01:00
|
|
|
my $kc = keys %$datas; # in order to detect new local macro
|
|
|
|
|
|
|
|
# ACCOUNTING (1. Inform Apache)
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::API->set_user( $datas->{ $tsv->{whatToTrace} } );
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# AUTHORIZATION
|
2014-07-02 16:14:33 +02:00
|
|
|
return $class->forbidden unless ( $class->grant( $uri, $cond ) );
|
2014-07-01 14:58:04 +02:00
|
|
|
$class->updateStatus('OK', $datas->{ $tsv->{whatToTrace} } );
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# ACCOUNTING (2. Inform remote application)
|
2014-07-01 14:58:04 +02:00
|
|
|
$class->sendHeaders;
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# Store local macros
|
2014-07-03 11:46:20 +02:00
|
|
|
if ( keys %$datas > $kc ) {
|
2014-06-25 13:53:09 +02:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( "Update local cache",
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug' );
|
2014-07-03 11:46:20 +02:00
|
|
|
$session->update( $datas, { updateCache => 2 } );
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
# Hide Lemonldap::NG cookie
|
2014-07-01 14:58:04 +02:00
|
|
|
$class->hideCookie;
|
2014-03-13 16:07:36 +01:00
|
|
|
|
2014-06-25 18:03:30 +02:00
|
|
|
# Log access granted
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
|
|
|
"User "
|
|
|
|
. $datas->{ $tsv->{whatToTrace} }
|
|
|
|
. " was granted to access to $uri",
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug'
|
2014-06-25 18:03:30 +02:00
|
|
|
);
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# Catch POST rules
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::Main::PostForm->transformUri($uri);
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
elsif ( $protection == UNPROTECT ) {
|
|
|
|
|
|
|
|
# Ignore unprotected URIs
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
2014-07-01 14:58:04 +02:00
|
|
|
"No valid session but unprotected access", 'debug' );
|
|
|
|
$class->updateStatus('UNPROTECT');
|
|
|
|
$class->hideCookie;
|
|
|
|
$class->cleanHeaders;
|
2014-03-13 16:07:36 +01:00
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
|
|
|
# Redirect user to the portal
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( "No cookie found", 'info' )
|
2014-03-13 16:07:36 +01:00
|
|
|
unless ($id);
|
|
|
|
|
|
|
|
# if the cookie was fetched, a log is sent by retrieveSession()
|
2014-07-01 14:58:04 +02:00
|
|
|
$class->updateStatus( $id ? 'EXPIRED' : 'REDIRECT' );
|
|
|
|
return $class->goToPortal( Lemonldap::NG::Handler::API->unparsed_uri );
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected boolean checkMaintenanceMode
|
|
|
|
# Check if we are in maintenance mode
|
|
|
|
# @return true if maintenance mode
|
|
|
|
sub checkMaintenanceMode {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $class = shift;
|
2014-07-01 15:11:45 +02:00
|
|
|
my $vhost = $class->resolveAlias;
|
2014-03-13 16:07:36 +01:00
|
|
|
my $_maintenance =
|
|
|
|
( defined $tsv->{maintenance}->{$vhost} )
|
|
|
|
? $tsv->{maintenance}->{$vhost}
|
|
|
|
: $tsv->{maintenance}->{_};
|
|
|
|
|
|
|
|
if ($_maintenance) {
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
2014-07-01 14:58:04 +02:00
|
|
|
"Maintenance mode activated", 'debug' );
|
2014-03-13 16:07:36 +01:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod int abort(string mess)
|
|
|
|
# Logs message and exit or redirect to the portal if "useRedirectOnError" is
|
|
|
|
# set to true.
|
2014-06-25 18:03:30 +02:00
|
|
|
# @param $msg Message to log
|
2014-03-13 16:07:36 +01:00
|
|
|
# @return Apache2::Const::REDIRECT or Apache2::Const::SERVER_ERROR
|
|
|
|
sub abort {
|
2014-07-01 14:58:04 +02:00
|
|
|
my ( $class, $msg ) = @_;
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# If abort is called without a valid request, fall to die
|
|
|
|
eval {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $uri = Lemonldap::NG::Handler::API->unparsed_uri;
|
2014-03-13 16:07:36 +01:00
|
|
|
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( $msg, 'error' );
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# Redirect or die
|
|
|
|
if ( $tsv->{useRedirectOnError} ) {
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
2014-07-01 14:58:04 +02:00
|
|
|
"Use redirect for error", 'debug' );
|
|
|
|
return $class->goToPortal( $uri, 'lmError=500' );
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
return SERVER_ERROR;
|
|
|
|
}
|
|
|
|
};
|
2014-06-25 18:03:30 +02:00
|
|
|
die $msg if ($@);
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod boolean grant()
|
|
|
|
# Grant or refuse client using compiled regexp and functions
|
2014-06-25 18:03:30 +02:00
|
|
|
# @param $uri URI
|
2014-07-02 16:14:33 +02:00
|
|
|
# @param $cond optional Function granting access
|
2014-03-13 16:07:36 +01:00
|
|
|
# @return True if the user is granted to access to the current URL
|
|
|
|
sub grant {
|
2014-07-02 16:14:33 +02:00
|
|
|
my ( $class, $uri, $cond ) = @_;
|
|
|
|
return &{ $cond }() if ($cond);
|
|
|
|
|
2014-07-01 15:11:45 +02:00
|
|
|
my $vhost = $class->resolveAlias;
|
2014-03-13 16:07:36 +01:00
|
|
|
for ( my $i = 0 ; $i < $tsv->{locationCount}->{$vhost} ; $i++ ) {
|
|
|
|
if ( $uri =~ $tsv->{locationRegexp}->{$vhost}->[$i] ) {
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
|
|
|
'Regexp "'
|
|
|
|
. $tsv->{locationConditionText}->{$vhost}->[$i]
|
|
|
|
. '" match',
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug'
|
2014-03-13 16:07:36 +01:00
|
|
|
);
|
2014-07-01 14:58:04 +02:00
|
|
|
return &{ $tsv->{locationCondition}->{$vhost}->[$i] }();
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
unless ( $tsv->{defaultCondition}->{$vhost} ) {
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog(
|
|
|
|
"User rejected because VirtualHost \"$vhost\" has no configuration",
|
2014-07-01 14:58:04 +02:00
|
|
|
'warn'
|
2014-03-13 16:07:36 +01:00
|
|
|
);
|
|
|
|
return 0;
|
|
|
|
}
|
2014-06-25 13:53:09 +02:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( "$vhost: Apply default rule",
|
2014-07-01 14:58:04 +02:00
|
|
|
'debug' );
|
|
|
|
return &{ $tsv->{defaultCondition}->{$vhost} }();
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
## @cmethod private string _buildUrl(string s)
|
|
|
|
# Transform /<s> into http(s?)://<host>:<port>/s
|
|
|
|
# @param $s path
|
|
|
|
# @return URL
|
|
|
|
sub _buildUrl {
|
2014-07-01 14:58:04 +02:00
|
|
|
my ( $class, $s ) = splice @_;
|
|
|
|
my $vhost = Lemonldap::NG::Handler::API->hostname;
|
2014-03-13 16:07:36 +01:00
|
|
|
my $portString =
|
|
|
|
$tsv->{port}->{$vhost}
|
|
|
|
|| $tsv->{port}->{_}
|
2014-07-01 14:58:04 +02:00
|
|
|
|| Lemonldap::NG::Handler::API->get_server_port;
|
2014-03-13 16:07:36 +01:00
|
|
|
my $_https = (
|
|
|
|
defined( $tsv->{https}->{$vhost} )
|
|
|
|
? $tsv->{https}->{$vhost}
|
|
|
|
: $tsv->{https}->{_}
|
|
|
|
);
|
|
|
|
$portString =
|
|
|
|
( $_https && $portString == 443 ) ? ''
|
|
|
|
: ( !$_https && $portString == 80 ) ? ''
|
|
|
|
: ':' . $portString;
|
2014-06-25 18:03:30 +02:00
|
|
|
my $url = "http" . ( $_https ? "s" : "" ) . "://$vhost$portString$s";
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( "Build URL $url", 'debug' );
|
2014-03-13 16:07:36 +01:00
|
|
|
return $url;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected void localUnlog()
|
|
|
|
# Delete current user from local cache entry.
|
|
|
|
sub localUnlog {
|
|
|
|
my $class = shift;
|
2014-07-01 14:58:04 +02:00
|
|
|
if ( my $id = $class->fetchId ) {
|
2014-03-13 16:07:36 +01:00
|
|
|
|
|
|
|
# Delete Apache thread datas
|
|
|
|
if ( $id eq $datas->{_session_id} ) {
|
|
|
|
$datas = {};
|
|
|
|
}
|
|
|
|
|
|
|
|
# Delete Apache local cache
|
|
|
|
if ( $tsv->{refLocalStorage} and $tsv->{refLocalStorage}->get($id) ) {
|
|
|
|
$tsv->{refLocalStorage}->remove($id);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-07-01 14:58:04 +02:00
|
|
|
## @rmethod protected int unlog()
|
2014-03-13 16:07:36 +01:00
|
|
|
# Call localUnlog() then goToPortal() to unlog the current user.
|
|
|
|
# @return Apache2::Const value returned by goToPortal()
|
|
|
|
sub unlog ($$) {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $class = shift;
|
2014-03-13 16:07:36 +01:00
|
|
|
$class->localUnlog;
|
2014-07-01 14:58:04 +02:00
|
|
|
$class->updateStatus('LOGOUT');
|
|
|
|
return $class->goToPortal( '/', 'logout=1' );
|
2014-03-13 16:07:36 +01:00
|
|
|
}
|
|
|
|
|
2014-07-01 14:58:04 +02:00
|
|
|
## @rmethod int status
|
2014-03-13 16:07:36 +01:00
|
|
|
# Get the result from the status process and launch a PerlResponseHandler to
|
|
|
|
# display it.
|
|
|
|
# @return Apache2::Const::OK
|
|
|
|
sub status($$) {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $class = shift;
|
|
|
|
Lemonldap::NG::Handler::Main::Logger->lmLog( "Request for status", 'debug' );
|
|
|
|
return $class->abort( "$class: status page can not be displayed" )
|
2014-03-13 16:07:36 +01:00
|
|
|
unless ( $tsv->{statusPipe} and $tsv->{statusOut} );
|
|
|
|
print { $tsv->{statusPipe} } "STATUS"
|
2014-06-25 18:03:30 +02:00
|
|
|
. (
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::API->args
|
|
|
|
? " " . Lemonldap::NG::Handler::API->args
|
2014-06-25 18:03:30 +02:00
|
|
|
: ''
|
|
|
|
) . "\n";
|
2014-03-13 16:07:36 +01:00
|
|
|
my $buf;
|
|
|
|
my $statusOut = $tsv->{statusOut};
|
|
|
|
while ($statusOut) {
|
|
|
|
last if (/^END$/);
|
|
|
|
$buf .= $_;
|
|
|
|
}
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::API->set_header_out(
|
2014-06-25 18:03:30 +02:00
|
|
|
( "Content-Type" => "text/html; charset=UTF-8" ) );
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::API->print( $buf );
|
2014-03-13 16:07:36 +01:00
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected int redirectFilter(string url, Apache2::Filter f)
|
|
|
|
# Launch the current HTTP request then redirects the user to $url.
|
|
|
|
# Used by logout_app and logout_app_sso targets
|
|
|
|
# @param $url URL to redirect the user
|
|
|
|
# @param $f Current Apache2::Filter object
|
|
|
|
# @return Apache2::Const::OK
|
|
|
|
sub redirectFilter {
|
|
|
|
my $class = shift;
|
|
|
|
my $url = shift;
|
|
|
|
my $f = shift;
|
|
|
|
unless ( $f->ctx ) {
|
|
|
|
|
2014-06-25 18:03:30 +02:00
|
|
|
# Here, we can use Apache2 functions instead of set_header_out
|
|
|
|
# since this function is used only with Apache2.
|
2014-03-13 16:07:36 +01:00
|
|
|
$f->r->status(REDIRECT);
|
|
|
|
$f->r->status_line("303 See Other");
|
|
|
|
$f->r->headers_out->unset('Location');
|
|
|
|
$f->r->err_headers_out->set( 'Location' => $url );
|
|
|
|
$f->ctx(1);
|
|
|
|
}
|
|
|
|
while ( $f->read( my $buffer, 1024 ) ) {
|
|
|
|
}
|
2014-06-25 18:03:30 +02:00
|
|
|
$class->updateStatus( $f->r, 'REDIRECT', $datas->{ $tsv->{whatToTrace} },
|
|
|
|
'filter' );
|
2014-03-13 16:07:36 +01:00
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod protected int isUnprotected()
|
2014-06-25 18:03:30 +02:00
|
|
|
# @param $uri URI
|
2014-03-13 16:07:36 +01:00
|
|
|
# @return 0 if URI is protected,
|
|
|
|
# UNPROTECT if it is unprotected by "unprotect",
|
|
|
|
# SKIP if is is unprotected by "skip"
|
|
|
|
sub isUnprotected {
|
2014-07-01 14:58:04 +02:00
|
|
|
my ( $class, $uri ) = @_;
|
2014-07-01 15:11:45 +02:00
|
|
|
my $vhost = $class->resolveAlias;
|
2014-03-13 16:07:36 +01:00
|
|
|
for ( my $i = 0 ; $i < $tsv->{locationCount}->{$vhost} ; $i++ ) {
|
|
|
|
if ( $uri =~ $tsv->{locationRegexp}->{$vhost}->[$i] ) {
|
|
|
|
return $tsv->{locationProtection}->{$vhost}->[$i];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return $tsv->{defaultProtection}->{$vhost};
|
|
|
|
}
|
|
|
|
|
2014-07-01 11:54:09 +02:00
|
|
|
## @rmethod void sendHeaders()
|
|
|
|
# Launch function compiled by forgeHeadersInit() for the current virtual host
|
|
|
|
sub sendHeaders {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $class = shift;
|
2014-07-01 15:11:45 +02:00
|
|
|
my $vhost = $class->resolveAlias;
|
2014-07-01 11:54:09 +02:00
|
|
|
if ( defined( $tsv->{forgeHeaders}->{$vhost} ) ) {
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::API->set_header_in(
|
2014-07-01 11:54:09 +02:00
|
|
|
&{ $tsv->{forgeHeaders}->{$vhost} } );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
## @rmethod void cleanHeaders()
|
|
|
|
# Unset HTTP headers, when sendHeaders is skipped
|
|
|
|
sub cleanHeaders {
|
2014-07-01 14:58:04 +02:00
|
|
|
my $class = shift;
|
2014-07-01 15:11:45 +02:00
|
|
|
my $vhost = $class->resolveAlias;
|
2014-07-01 11:54:09 +02:00
|
|
|
if ( defined( $tsv->{headerList}->{$vhost} ) ) {
|
2014-07-01 14:58:04 +02:00
|
|
|
Lemonldap::NG::Handler::API->unset_header_in(
|
2014-07-01 11:54:09 +02:00
|
|
|
@{ $tsv->{headerList}->{$vhost} } );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-07-01 15:11:45 +02:00
|
|
|
## @rmethod string resolveAlias
|
|
|
|
# returns vhost whose current hostname is an alias
|
|
|
|
sub resolveAlias {
|
|
|
|
my $class = shift;
|
|
|
|
my $vhost = Lemonldap::NG::Handler::API->hostname;
|
|
|
|
return $tsv->{vhostAlias}->{$vhost} || $vhost;
|
|
|
|
}
|
|
|
|
|
2014-03-13 16:07:36 +01:00
|
|
|
1;
|