2016-09-30 07:15:17 +02:00
|
|
|
package Lemonldap::NG::Handler::Lib::AuthBasic;
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use Exporter;
|
|
|
|
|
use Digest::MD5;
|
|
|
|
|
use MIME::Base64;
|
|
|
|
|
use HTTP::Headers;
|
|
|
|
|
use SOAP::Lite; # link protected portalRequest
|
|
|
|
|
use Lemonldap::NG::Common::Session;
|
|
|
|
|
|
|
|
|
|
our $VERSION = '2.0.0';
|
|
|
|
|
our @ISA = ('Exporter');
|
|
|
|
|
our @EXPORT = qw(fetchId retrieveSession createSession hideCookie goToPortal);
|
|
|
|
|
our @EXPORT_OK = @EXPORT;
|
|
|
|
|
|
|
|
|
|
## @rmethod protected fetchId
|
|
|
|
|
# Get user session id from Authorization header
|
|
|
|
|
# Unlike usual processing, session id is computed from user creds,
|
|
|
|
|
# so that it remains secret but handler can easily get it.
|
|
|
|
|
# It is still changed from time to time - once a day - to prevent from
|
|
|
|
|
# using indefinitely a session id disclosed accidentally or maliciously.
|
|
|
|
|
# @return session id
|
|
|
|
|
sub fetchId {
|
|
|
|
|
my $class = shift;
|
|
|
|
|
if ( my $creds = $class->header_in('Authorization') ) {
|
|
|
|
|
$creds =~ s/^Basic\s+//;
|
|
|
|
|
my @date = localtime;
|
|
|
|
|
my $day = $date[5] * 366 + $date[7];
|
|
|
|
|
return Digest::MD5::md5_hex( $creds . $day );
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
## @rmethod protected boolean retrieveSession(id)
|
|
|
|
|
# Tries to retrieve the session whose index is id,
|
|
|
|
|
# and if needed, ask portal to create it through a SOAP request
|
|
|
|
|
# @return true if the session was found, false else
|
|
|
|
|
sub retrieveSession {
|
|
|
|
|
my ( $class, $id ) = @_;
|
|
|
|
|
|
|
|
|
|
# First check if session already exists
|
2016-12-26 10:23:35 +01:00
|
|
|
return 1
|
2017-02-08 23:18:52 +01:00
|
|
|
if ( $class->Lemonldap::NG::Handler::Main::retrieveSession($id) );
|
2016-09-30 07:15:17 +02:00
|
|
|
|
|
|
|
|
# Then ask portal to create it
|
|
|
|
|
if ( $class->createSession($id) ) {
|
2017-02-08 23:18:52 +01:00
|
|
|
return $class->Lemonldap::NG::Handler::Main::retrieveSession($id);
|
2016-09-30 07:15:17 +02:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-06 10:04:00 +01:00
|
|
|
## @rmethod protected boolean createSession(id)
|
2016-09-30 07:15:17 +02:00
|
|
|
# Ask portal to create it through a SOAP request
|
|
|
|
|
# @return true if the session is created, else false
|
|
|
|
|
sub createSession {
|
|
|
|
|
my ( $class, $id ) = @_;
|
|
|
|
|
|
|
|
|
|
# Add client IP as X-Forwarded-For IP in SOAP request
|
|
|
|
|
my $xheader = $class->header_in('X-Forwarded-For');
|
|
|
|
|
$xheader .= ", " if ($xheader);
|
|
|
|
|
$xheader .= $class->remote_ip;
|
|
|
|
|
my $soapHeaders = HTTP::Headers->new( "X-Forwarded-For" => $xheader );
|
|
|
|
|
|
2017-02-08 23:18:52 +01:00
|
|
|
# TODO: use adminSession or sessions
|
|
|
|
|
my $soapClient = SOAP::Lite->proxy(
|
|
|
|
|
$class->tsv->{portal}->() . '/sessions',
|
|
|
|
|
default_headers => $soapHeaders
|
|
|
|
|
)->uri('urn:Lemonldap/NG/Common/PSGI/SOAPService');
|
2016-09-30 07:15:17 +02:00
|
|
|
|
|
|
|
|
my $creds = $class->header_in('Authorization');
|
|
|
|
|
$creds =~ s/^Basic\s+//;
|
|
|
|
|
my ( $user, $pwd ) = ( decode_base64($creds) =~ /^(.*?):(.*)$/ );
|
2017-02-15 07:41:50 +01:00
|
|
|
$class->logger->debug("AuthBasic authentication for user: $user");
|
2016-09-30 07:15:17 +02:00
|
|
|
my $soapRequest = $soapClient->getCookies( $user, $pwd, $id );
|
|
|
|
|
|
|
|
|
|
# Catch SOAP errors
|
|
|
|
|
if ( $soapRequest->fault ) {
|
|
|
|
|
$class->abort( "SOAP request to the portal failed: "
|
|
|
|
|
. $soapRequest->fault->{faultstring} );
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
my $res = $soapRequest->result();
|
|
|
|
|
|
|
|
|
|
# If authentication failed, display error
|
|
|
|
|
if ( $res->{errorCode} ) {
|
2017-02-15 07:41:50 +01:00
|
|
|
$class->userLogger->notice( "Authentication failed for $user: "
|
|
|
|
|
. $soapClient->error( $res->{errorCode}, 'en' )->result() );
|
2016-09-30 07:15:17 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
## @rmethod protected void hideCookie()
|
|
|
|
|
# Hide user credentials to the protected application
|
|
|
|
|
sub hideCookie {
|
|
|
|
|
my $class = shift;
|
2017-02-15 07:41:50 +01:00
|
|
|
$class->logger->debug("removing Authorization header");
|
2016-09-30 07:15:17 +02:00
|
|
|
$class->unset_header_in('Authorization');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
## @rmethod protected int goToPortal(string url, string arg)
|
|
|
|
|
# If user is asked to authenticate, return $class->AUTH_REQUIRED,
|
|
|
|
|
# else redirect him to the portal to display some message defined by $arg
|
|
|
|
|
# @param $url Url requested
|
|
|
|
|
# @param $arg optionnal GET parameters
|
|
|
|
|
# @return Apache2::Const::REDIRECT or Apache2::Const::AUTH_REQUIRED
|
|
|
|
|
sub goToPortal {
|
|
|
|
|
my ( $class, $url, $arg ) = @_;
|
|
|
|
|
if ($arg) {
|
2017-02-08 23:18:52 +01:00
|
|
|
return $class->Lemonldap::NG::Handler::Main::goToPortal( $url, $arg );
|
2016-09-30 07:15:17 +02:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$class->set_header_out(
|
|
|
|
|
'WWW-Authenticate' => 'Basic realm="LemonLDAP::NG"' );
|
|
|
|
|
return $class->AUTH_REQUIRED;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
1;
|
