2008-12-26 20:18:23 +01:00
|
|
|
##@file
|
|
|
|
# CAS authentication backend file
|
|
|
|
|
|
|
|
##@class
|
|
|
|
# CAS authentication backend class
|
2007-03-01 21:03:19 +01:00
|
|
|
package Lemonldap::NG::Portal::AuthCAS;
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
use Lemonldap::NG::Portal::Simple;
|
2010-09-03 16:53:31 +02:00
|
|
|
use URI::Escape;
|
2007-03-01 21:03:19 +01:00
|
|
|
|
2013-01-15 15:19:42 +01:00
|
|
|
our $VERSION = '1.2.3';
|
2010-09-23 17:09:27 +02:00
|
|
|
our $initDone;
|
2008-06-01 08:25:09 +02:00
|
|
|
|
2010-10-30 21:25:38 +02:00
|
|
|
BEGIN {
|
|
|
|
eval {
|
|
|
|
require threads::shared;
|
|
|
|
threads::shared::share($initDone);
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
## @apmethod int authInit()
|
2009-11-17 16:43:05 +01:00
|
|
|
# Try to load AuthCAS perl module
|
2008-12-28 09:36:52 +01:00
|
|
|
# @return Lemonldap::NG::Portal constant
|
2008-06-06 05:51:39 +02:00
|
|
|
sub authInit {
|
2009-11-17 16:43:05 +01:00
|
|
|
my $self = shift;
|
2010-09-23 17:09:27 +02:00
|
|
|
return PE_OK if ($initDone);
|
2009-11-17 16:43:05 +01:00
|
|
|
|
|
|
|
# require Perl module
|
|
|
|
eval { require AuthCAS };
|
|
|
|
if ($@) {
|
2010-08-27 16:42:07 +02:00
|
|
|
$self->lmLog( "CAS: Module AuthCAS not found in @INC", 'error' );
|
2009-11-17 16:43:05 +01:00
|
|
|
return PE_ERROR;
|
|
|
|
}
|
|
|
|
|
2010-09-23 17:09:27 +02:00
|
|
|
$initDone = 1;
|
2008-10-07 22:15:48 +02:00
|
|
|
PE_OK;
|
2008-06-06 05:51:39 +02:00
|
|
|
}
|
2008-06-01 08:25:09 +02:00
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
## @apmethod int extractFormInfo()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Read username return by CAS authentication system.
|
|
|
|
# If user isn't authenticated, redirect it to CAS portal.
|
2008-12-28 09:36:52 +01:00
|
|
|
# @return Lemonldap::NG::Portal constant
|
2008-06-06 05:51:39 +02:00
|
|
|
sub extractFormInfo {
|
|
|
|
my $self = shift;
|
2010-08-30 18:01:25 +02:00
|
|
|
|
2010-09-01 14:56:15 +02:00
|
|
|
my $cas = new AuthCAS(
|
2008-06-06 05:51:39 +02:00
|
|
|
casUrl => $self->{CAS_url},
|
|
|
|
CAFile => $self->{CAS_CAFile},
|
|
|
|
);
|
2009-11-05 15:25:55 +01:00
|
|
|
|
2010-08-27 10:50:09 +02:00
|
|
|
# Local URL
|
|
|
|
my $local_url = $self->url();
|
|
|
|
|
2010-09-03 16:24:19 +02:00
|
|
|
# Add request state parameters
|
2009-11-07 14:05:50 +01:00
|
|
|
if ( $self->{_url} ) {
|
2010-09-03 16:53:31 +02:00
|
|
|
my $url_param = 'url=' . uri_escape( $self->{_url} );
|
2010-08-27 10:50:09 +02:00
|
|
|
$local_url .= ( $local_url =~ /\?/ ? '&' : '?' ) . $url_param;
|
2009-11-05 15:25:55 +01:00
|
|
|
}
|
2010-09-03 16:24:19 +02:00
|
|
|
if ( $self->param( $self->{authChoiceParam} ) ) {
|
2010-09-03 16:53:31 +02:00
|
|
|
my $url_param =
|
|
|
|
$self->{authChoiceParam} . '='
|
|
|
|
. uri_escape( $self->param( $self->{authChoiceParam} ) );
|
2010-09-03 16:24:19 +02:00
|
|
|
$local_url .= ( $local_url =~ /\?/ ? '&' : '?' ) . $url_param;
|
|
|
|
}
|
2009-11-05 15:25:55 +01:00
|
|
|
|
2013-01-15 15:19:42 +01:00
|
|
|
# Forward hidden fields
|
|
|
|
if ( exists $self->{portalHiddenFormValues} ) {
|
|
|
|
|
|
|
|
$self->lmLog( "Add hidden values to CAS redirect URL\n", 'debug' );
|
|
|
|
|
|
|
|
foreach ( keys %{ $self->{portalHiddenFormValues} } ) {
|
|
|
|
$local_url .=
|
2013-07-17 08:32:29 +02:00
|
|
|
( $local_url =~ /\?/ ? '&' : '?' )
|
2013-01-15 15:19:42 +01:00
|
|
|
. $_ . '='
|
|
|
|
. uri_escape( $self->{portalHiddenFormValues}->{$_} );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-08-27 16:42:07 +02:00
|
|
|
# Act as a proxy if proxied services configured
|
2010-11-19 12:43:52 +01:00
|
|
|
my $proxy =
|
|
|
|
ref( $self->{CAS_proxiedServices} ) eq 'HASH'
|
|
|
|
? ( %{ $self->{CAS_proxiedServices} } ? 1 : 0 )
|
|
|
|
: 0;
|
2010-08-27 16:42:07 +02:00
|
|
|
|
|
|
|
if ($proxy) {
|
|
|
|
$self->lmLog( "CAS: Proxy mode activated", 'debug' );
|
|
|
|
my $proxy_url = $self->url() . '?casProxy=1';
|
2010-09-03 16:53:31 +02:00
|
|
|
|
|
|
|
if ( $self->param( $self->{authChoiceParam} ) ) {
|
|
|
|
$proxy_url .= '&'
|
|
|
|
. $self->{authChoiceParam} . '='
|
|
|
|
. ( $self->param( $self->{authChoiceParam} ) );
|
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "CAS Proxy URL: $proxy_url", 'debug' );
|
|
|
|
|
2010-08-27 16:42:07 +02:00
|
|
|
$cas->proxyMode(
|
|
|
|
pgtFile => $self->{CAS_pgtFile},
|
|
|
|
pgtCallbackUrl => $proxy_url
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
# Catch proxy callback
|
|
|
|
if ( $self->param('casProxy') ) {
|
|
|
|
$self->lmLog( "CAS: Proxy callback detected", 'debug' );
|
|
|
|
|
|
|
|
my $pgtIou = $self->param('pgtIou');
|
|
|
|
my $pgtId = $self->param('pgtId');
|
|
|
|
|
|
|
|
if ( $pgtIou and $pgtId ) {
|
|
|
|
|
|
|
|
# Store pgtId and pgtIou
|
|
|
|
unless ( $cas->storePGT( $pgtIou, $pgtId ) ) {
|
|
|
|
$self->lmLog( "CAS: error " . &AuthCAS::get_errors(), 'error' );
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "CAS: Store pgtIou $pgtIou and pgtId $pgtId",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# Exit
|
|
|
|
print $self->header();
|
|
|
|
$self->quit();
|
|
|
|
}
|
|
|
|
|
2010-08-27 10:50:09 +02:00
|
|
|
# Build login URL
|
|
|
|
my $login_url = $cas->getServerLoginURL($local_url);
|
2010-08-30 15:41:45 +02:00
|
|
|
$login_url .= '&renew=true' if $self->{CAS_renew};
|
|
|
|
$login_url .= '&gateway=true' if $self->{CAS_gateway};
|
2008-06-06 05:51:39 +02:00
|
|
|
|
2010-08-27 10:50:09 +02:00
|
|
|
# Check Service Ticket
|
2008-06-06 05:51:39 +02:00
|
|
|
my $ticket = $self->param('ticket');
|
|
|
|
|
|
|
|
# Unless a ticket has been found, we redirect the user
|
2010-08-27 10:50:09 +02:00
|
|
|
unless ($ticket) {
|
2010-08-27 16:42:07 +02:00
|
|
|
$self->lmLog( "CAS: Redirect user to $login_url", 'debug' );
|
2010-08-27 10:50:09 +02:00
|
|
|
$self->{urldc} = $login_url;
|
|
|
|
return $self->_subProcess(qw(autoRedirect));
|
|
|
|
}
|
|
|
|
|
2010-08-27 16:42:07 +02:00
|
|
|
$self->lmLog( "CAS: Service Ticket received: $ticket", 'debug' );
|
|
|
|
|
2010-08-27 10:50:09 +02:00
|
|
|
# Ticket found, try to validate it
|
|
|
|
unless ( $self->{user} = $cas->validateST( $local_url, $ticket ) ) {
|
2010-08-27 16:42:07 +02:00
|
|
|
$self->lmLog( "CAS: error " . &AuthCAS::get_errors(), 'error' );
|
2010-08-27 10:50:09 +02:00
|
|
|
return PE_ERROR;
|
|
|
|
}
|
|
|
|
else {
|
2010-08-30 18:01:25 +02:00
|
|
|
$self->lmLog( "CAS: User " . $self->{user} . " found", 'debug' );
|
2010-08-27 16:42:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Request proxy tickets for proxied services
|
|
|
|
if ($proxy) {
|
|
|
|
|
|
|
|
# Check we received a PGT
|
|
|
|
my $pgtId = $cas->{pgtId};
|
|
|
|
|
|
|
|
unless ($pgtId) {
|
|
|
|
$self->lmLog( "CAS: Proxy mode activated, but no PGT received",
|
|
|
|
'error' );
|
|
|
|
return PE_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Get a proxy ticket for each proxied service
|
|
|
|
foreach ( keys %{ $self->{CAS_proxiedServices} } ) {
|
|
|
|
my $service = $self->{CAS_proxiedServices}->{$_};
|
|
|
|
my $pt = $cas->retrievePT($service);
|
|
|
|
|
|
|
|
unless ($pt) {
|
|
|
|
$self->lmLog(
|
|
|
|
"CAS: No proxy ticket recevied for service $service",
|
|
|
|
'error' );
|
|
|
|
return PE_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "CAS: Received proxy ticket $pt for service $service",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
# Store it in session
|
|
|
|
$self->{sessionInfo}->{ '_casPT' . $_ } = $pt;
|
|
|
|
}
|
|
|
|
|
2008-06-06 05:51:39 +02:00
|
|
|
}
|
2010-08-27 10:50:09 +02:00
|
|
|
|
2008-06-06 05:51:39 +02:00
|
|
|
PE_OK;
|
|
|
|
}
|
2008-06-01 08:25:09 +02:00
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
## @apmethod int setAuthSessionInfo()
|
2010-04-14 17:37:57 +02:00
|
|
|
# Set _user and authenticationLevel.
|
2009-02-17 15:56:38 +01:00
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub setAuthSessionInfo {
|
2009-05-26 14:24:03 +02:00
|
|
|
my $self = shift;
|
2009-05-25 14:59:57 +02:00
|
|
|
|
|
|
|
# Store user submitted login for basic rules
|
|
|
|
$self->{sessionInfo}->{'_user'} = $self->{'user'};
|
|
|
|
|
2010-09-01 18:06:01 +02:00
|
|
|
$self->{sessionInfo}->{authenticationLevel} = $self->{CAS_authnLevel};
|
2010-04-14 17:37:57 +02:00
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @apmethod int authenticate()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Does nothing.
|
2008-12-28 09:36:52 +01:00
|
|
|
# @return Lemonldap::NG::Portal constant
|
2008-06-06 05:51:39 +02:00
|
|
|
sub authenticate {
|
|
|
|
PE_OK;
|
|
|
|
}
|
2007-03-01 21:03:19 +01:00
|
|
|
|
2010-08-30 10:38:53 +02:00
|
|
|
## @apmethod int authFinish()
|
|
|
|
# Does nothing.
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub authFinish {
|
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @apmethod int authLogout()
|
|
|
|
# Call CAS server logout URL
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub authLogout {
|
|
|
|
my $self = shift;
|
|
|
|
|
2010-08-30 18:01:25 +02:00
|
|
|
my $cas = new AuthCAS(
|
|
|
|
casUrl => $self->{CAS_url},
|
|
|
|
CAFile => $self->{CAS_CAFile},
|
|
|
|
);
|
|
|
|
|
|
|
|
# Build CAS logout URL
|
|
|
|
my $logout_url = $cas->getServerLogoutURL( $self->url() );
|
|
|
|
|
|
|
|
$self->lmLog( "Build CAS logout URL: $logout_url", 'debug' );
|
|
|
|
|
|
|
|
# Register CAS logout URL in logoutServices
|
|
|
|
$self->{logoutServices}->{CASserver} = $logout_url;
|
2010-08-30 10:38:53 +02:00
|
|
|
|
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
2010-08-30 11:01:15 +02:00
|
|
|
## @apmethod boolean authForce()
|
|
|
|
# Does nothing
|
|
|
|
# @return result
|
|
|
|
sub authForce {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-03-24 15:47:47 +01:00
|
|
|
## @method string getDisplayType
|
|
|
|
# @return display type
|
|
|
|
sub getDisplayType {
|
|
|
|
return "logo";
|
|
|
|
}
|
|
|
|
|
2007-03-01 21:03:19 +01:00
|
|
|
1;
|
2010-08-30 11:01:15 +02:00
|
|
|
|
2007-03-01 21:03:19 +01:00
|
|
|
__END__
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
2010-01-03 09:09:59 +01:00
|
|
|
=encoding utf8
|
|
|
|
|
2007-03-01 21:03:19 +01:00
|
|
|
Lemonldap::NG::Portal::AuthCAS - Perl extension for building Lemonldap::NG
|
2013-02-03 07:40:51 +01:00
|
|
|
compatible portals with CAS authentication.
|
2007-03-01 21:03:19 +01:00
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
use Lemonldap::NG::Portal::SharedConf;
|
|
|
|
my $portal = new Lemonldap::NG::Portal::Simple(
|
|
|
|
configStorage => {...}, # See Lemonldap::NG::Portal
|
|
|
|
authentication => 'CAS',
|
|
|
|
CAS_url => 'https://cas.myserver',
|
|
|
|
CAS_CAFile => '/etc/httpd/conf/ssl.crt/ca-bundle.crt',
|
|
|
|
);
|
|
|
|
|
|
|
|
if($portal->process()) {
|
|
|
|
# Write here the menu with CGI methods. This page is displayed ONLY IF
|
|
|
|
# the user was not redirected here.
|
2013-10-17 21:21:45 +02:00
|
|
|
print $portal->header('text/html; charset=utf-8'); # DON'T FORGET THIS (see CGI(3))
|
2007-03-01 21:03:19 +01:00
|
|
|
print "...";
|
|
|
|
|
|
|
|
# or redirect the user to the menu
|
|
|
|
print $portal->redirect( -uri => 'https://portal/menu');
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
# If the user enters here, IT MEANS THAT CAS REDIRECTION DOES NOT WORK
|
2013-10-17 21:21:45 +02:00
|
|
|
print $portal->header('text/html; charset=utf-8'); # DON'T FORGET THIS (see CGI(3))
|
2007-03-01 21:03:19 +01:00
|
|
|
print "<html><body><h1>Unable to work</h1>";
|
|
|
|
print "This server isn't well configured. Contact your administrator.";
|
|
|
|
print "</body></html>";
|
|
|
|
}
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
This library just overload few methods of Lemonldap::NG::Portal::Simple to use
|
|
|
|
CAS mechanism: we've just try to get CAS ticket.
|
|
|
|
|
|
|
|
See L<Lemonldap::NG::Portal::Simple> for usage and other methods.
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
2007-04-02 21:13:05 +02:00
|
|
|
L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::Simple>,
|
2010-10-26 08:08:16 +02:00
|
|
|
L<http://lemonldap-ng.org/>
|
2007-03-01 21:03:19 +01:00
|
|
|
|
|
|
|
=head1 AUTHOR
|
|
|
|
|
2013-01-31 06:33:10 +01:00
|
|
|
=over
|
|
|
|
|
|
|
|
=item Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
|
|
|
|
|
|
|
|
=item Xavier Guimard, E<lt>x.guimard@free.frE<gt>
|
|
|
|
|
2013-02-01 06:37:38 +01:00
|
|
|
=item Thomas Chemineau, E<lt>thomas.chemineau@gmail.comE<gt>
|
2013-01-31 06:33:10 +01:00
|
|
|
|
|
|
|
=back
|
2007-03-01 21:03:19 +01:00
|
|
|
|
2007-04-14 15:12:11 +02:00
|
|
|
=head1 BUG REPORT
|
|
|
|
|
|
|
|
Use OW2 system to report bug or ask for features:
|
2010-10-26 08:08:16 +02:00
|
|
|
L<http://jira.ow2.org>
|
2007-04-14 15:12:11 +02:00
|
|
|
|
|
|
|
=head1 DOWNLOAD
|
|
|
|
|
|
|
|
Lemonldap::NG is available at
|
|
|
|
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
|
|
|
|
2007-03-01 21:03:19 +01:00
|
|
|
=head1 COPYRIGHT AND LICENSE
|
|
|
|
|
2013-01-31 06:33:10 +01:00
|
|
|
=over
|
|
|
|
|
|
|
|
=item Copyright (C) 2007, 2008, 2009, 2010 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>
|
|
|
|
|
|
|
|
=item Copyright (C) 2009, 2010, 2012, 2013 by Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
|
|
|
|
|
2013-02-01 06:37:38 +01:00
|
|
|
=item Copyright (C) 2009 by Thomas Chemineau, E<lt>thomas.chemineau@gmail.comE<gt>
|
2013-01-31 06:33:10 +01:00
|
|
|
|
|
|
|
=back
|
2007-03-01 21:03:19 +01:00
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or modify
|
2013-01-31 06:33:10 +01:00
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
the Free Software Foundation; either version 2, or (at your option)
|
|
|
|
any later version.
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
along with this program. If not, see L<http://www.gnu.org/licenses/>.
|
2007-03-01 21:03:19 +01:00
|
|
|
|
|
|
|
=cut
|
|
|
|
|