2008-12-26 18:58:48 +01:00
|
|
|
##@file
|
2008-12-03 14:27:30 +01:00
|
|
|
# Base package for Lemonldap::NG portal
|
|
|
|
|
|
2009-02-02 09:53:51 +01:00
|
|
|
##@class Lemonldap::NG::Portal::Simple
|
2008-12-03 14:27:30 +01:00
|
|
|
# Base class for Lemonldap::NG portal
|
2006-12-18 12:32:33 +01:00
|
|
|
package Lemonldap::NG::Portal::Simple;
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
|
|
use Exporter 'import';
|
|
|
|
|
|
|
|
|
|
use warnings;
|
|
|
|
|
use MIME::Base64;
|
2008-11-21 18:51:52 +01:00
|
|
|
use Lemonldap::NG::Common::CGI;
|
2007-02-11 09:31:56 +01:00
|
|
|
use CGI::Cookie;
|
2007-03-23 20:56:33 +01:00
|
|
|
require POSIX;
|
2009-04-07 22:38:24 +02:00
|
|
|
use Lemonldap::NG::Portal::_i18n; #inherits
|
2009-04-05 10:12:16 +02:00
|
|
|
use Lemonldap::NG::Common::Safelib; #link protected safe Safe object
|
2010-01-11 17:04:36 +01:00
|
|
|
use Lemonldap::NG::Common::Apache::Session
|
|
|
|
|
; #link protected session Apache::Session object
|
2008-11-21 18:51:52 +01:00
|
|
|
use Safe;
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2009-02-03 10:36:13 +01:00
|
|
|
# Special comments for doxygen
|
2009-02-25 19:10:07 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::_SOAP
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthApache
|
2009-12-10 18:03:57 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthDBI
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthCAS
|
|
|
|
|
#inherits Lemonldap::NG::Portal::AuthLDAP
|
2009-02-25 19:10:07 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthRemote
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthSSL
|
|
|
|
|
#inherits Lemonldap::NG::Portal::Menu
|
2009-02-17 16:22:42 +01:00
|
|
|
#link Lemonldap::NG::Portal::Notification protected notification
|
2009-12-10 18:03:57 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::UserDBDBI
|
|
|
|
|
#inherits Lemonldap::NG::Portal::UserDBEnv
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::UserDBLDAP
|
2009-02-25 19:10:07 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::UserDBRemote
|
2009-12-10 18:03:57 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::PasswordDBDBI
|
2009-05-14 18:19:49 +02:00
|
|
|
#inherits Lemonldap::NG::Portal::PasswordDBLDAP
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Apache::Session
|
2009-02-17 16:22:42 +01:00
|
|
|
#link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
|
2009-02-03 10:36:13 +01:00
|
|
|
|
2010-01-21 18:38:55 +01:00
|
|
|
our $VERSION = '0.91';
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2008-12-03 14:27:30 +01:00
|
|
|
use base qw(Lemonldap::NG::Common::CGI Exporter);
|
|
|
|
|
our @ISA;
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
# Constants
|
2008-05-30 08:07:37 +02:00
|
|
|
use constant {
|
2010-01-11 17:04:36 +01:00
|
|
|
|
2010-01-15 23:01:04 +01:00
|
|
|
# Portal errors
|
2010-01-11 17:04:36 +01:00
|
|
|
# Developers warning, do not use PE_INFO, it's reserved to autoRedirect.
|
|
|
|
|
# If you want to send an information, use $self->info('text').
|
2010-04-29 15:47:57 +02:00
|
|
|
PE_IMG_NOK => -5,
|
|
|
|
|
PE_IMG_OK => -4,
|
2010-01-12 10:53:49 +01:00
|
|
|
PE_INFO => -3,
|
2008-08-08 18:19:16 +02:00
|
|
|
PE_REDIRECT => -2,
|
|
|
|
|
PE_DONE => -1,
|
|
|
|
|
PE_OK => 0,
|
|
|
|
|
PE_SESSIONEXPIRED => 1,
|
|
|
|
|
PE_FORMEMPTY => 2,
|
|
|
|
|
PE_WRONGMANAGERACCOUNT => 3,
|
|
|
|
|
PE_USERNOTFOUND => 4,
|
|
|
|
|
PE_BADCREDENTIALS => 5,
|
|
|
|
|
PE_LDAPCONNECTFAILED => 6,
|
|
|
|
|
PE_LDAPERROR => 7,
|
|
|
|
|
PE_APACHESESSIONERROR => 8,
|
|
|
|
|
PE_FIRSTACCESS => 9,
|
|
|
|
|
PE_BADCERTIFICATE => 10,
|
|
|
|
|
PE_PP_ACCOUNT_LOCKED => 21,
|
|
|
|
|
PE_PP_PASSWORD_EXPIRED => 22,
|
|
|
|
|
PE_CERTIFICATEREQUIRED => 23,
|
|
|
|
|
PE_ERROR => 24,
|
|
|
|
|
PE_PP_CHANGE_AFTER_RESET => 25,
|
|
|
|
|
PE_PP_PASSWORD_MOD_NOT_ALLOWED => 26,
|
|
|
|
|
PE_PP_MUST_SUPPLY_OLD_PASSWORD => 27,
|
|
|
|
|
PE_PP_INSUFFICIENT_PASSWORD_QUALITY => 28,
|
|
|
|
|
PE_PP_PASSWORD_TOO_SHORT => 29,
|
|
|
|
|
PE_PP_PASSWORD_TOO_YOUNG => 30,
|
|
|
|
|
PE_PP_PASSWORD_IN_HISTORY => 31,
|
2008-09-19 17:28:00 +02:00
|
|
|
PE_PP_GRACE => 32,
|
|
|
|
|
PE_PP_EXP_WARNING => 33,
|
|
|
|
|
PE_PASSWORD_MISMATCH => 34,
|
|
|
|
|
PE_PASSWORD_OK => 35,
|
2008-11-24 07:57:18 +01:00
|
|
|
PE_NOTIFICATION => 36,
|
2008-12-03 14:27:30 +01:00
|
|
|
PE_BADURL => 37,
|
2009-03-08 09:50:58 +01:00
|
|
|
PE_NOSCHEME => 38,
|
2009-05-18 15:53:51 +02:00
|
|
|
PE_BADOLDPASSWORD => 39,
|
2009-12-19 09:57:59 +01:00
|
|
|
PE_MALFORMEDUSER => 40,
|
2010-01-11 15:02:43 +01:00
|
|
|
PE_SESSIONNOTGRANTED => 41,
|
2010-01-12 12:05:01 +01:00
|
|
|
PE_CONFIRM => 42,
|
2010-01-21 18:38:55 +01:00
|
|
|
PE_MAILFORMEMPTY => 43,
|
|
|
|
|
PE_BADMAILTOKEN => 44,
|
|
|
|
|
PE_MAILERROR => 45,
|
|
|
|
|
PE_MAILOK => 46,
|
2010-02-18 18:22:04 +01:00
|
|
|
PE_LOGOUT_OK => 47,
|
2010-07-05 17:38:02 +02:00
|
|
|
PE_SAML_ERROR => 48,
|
|
|
|
|
PE_SAML_LOAD_SERVICE_ERROR => 49,
|
|
|
|
|
PE_SAML_LOAD_IDP_ERROR => 50,
|
|
|
|
|
PE_SAML_SSO_ERROR => 51,
|
|
|
|
|
PE_SAML_UNKNOWN_ENTITY => 52,
|
|
|
|
|
PE_SAML_DESTINATION_ERROR => 53,
|
|
|
|
|
PE_SAML_CONDITIONS_ERROR => 54,
|
|
|
|
|
PE_SAML_IDPSSOINITIATED_NOTALLOWED => 55,
|
|
|
|
|
PE_SAML_SLO_ERROR => 56,
|
|
|
|
|
PE_SAML_SIGNATURE_ERROR => 57,
|
|
|
|
|
PE_SAML_ART_ERROR => 58,
|
|
|
|
|
PE_SAML_SESSION_ERROR => 59,
|
2010-07-05 17:58:03 +02:00
|
|
|
PE_SAML_LOAD_SP_ERROR => 60,
|
|
|
|
|
PE_SAML_ATTR_ERROR => 61,
|
2010-01-15 23:01:04 +01:00
|
|
|
|
|
|
|
|
# Portal messages
|
|
|
|
|
PM_USER => 0,
|
|
|
|
|
PM_DATE => 1,
|
|
|
|
|
PM_IP => 2,
|
|
|
|
|
PM_SESSIONS_DELETED => 3,
|
|
|
|
|
PM_OTHER_SESSIONS => 4,
|
|
|
|
|
PM_REMOVE_OTHER_SESSIONS => 5,
|
|
|
|
|
PM_PP_GRACE => 6,
|
|
|
|
|
PM_PP_EXP_WARNING => 7,
|
2010-02-04 13:30:18 +01:00
|
|
|
PM_SAML_IDPSELECT => 8,
|
|
|
|
|
PM_SAML_IDPCHOOSEN => 9,
|
2010-03-01 21:32:28 +01:00
|
|
|
PM_REMEMBERCHOICE => 10,
|
2010-04-23 18:26:23 +02:00
|
|
|
PM_SAML_SPLOGOUT => 11,
|
2010-06-01 11:59:37 +02:00
|
|
|
PM_REDIRECTION => 12,
|
2010-08-18 15:39:15 +02:00
|
|
|
PM_BACKTOSP => 13,
|
2008-05-30 08:07:37 +02:00
|
|
|
};
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2007-01-11 07:42:57 +01:00
|
|
|
# EXPORTER PARAMETERS
|
2010-04-29 15:47:57 +02:00
|
|
|
our @EXPORT = qw( PE_IMG_NOK PE_IMG_OK PE_INFO PE_REDIRECT PE_DONE PE_OK
|
2010-04-29 15:39:26 +02:00
|
|
|
PE_SESSIONEXPIRED PE_FORMEMPTY PE_WRONGMANAGERACCOUNT PE_USERNOTFOUND
|
|
|
|
|
PE_BADCREDENTIALS PE_LDAPCONNECTFAILED PE_LDAPERROR PE_APACHESESSIONERROR
|
|
|
|
|
PE_FIRSTACCESS PE_BADCERTIFICATE PE_PP_ACCOUNT_LOCKED PE_PP_PASSWORD_EXPIRED
|
2010-01-11 17:04:36 +01:00
|
|
|
PE_CERTIFICATEREQUIRED PE_ERROR PE_PP_CHANGE_AFTER_RESET
|
|
|
|
|
PE_PP_PASSWORD_MOD_NOT_ALLOWED PE_PP_MUST_SUPPLY_OLD_PASSWORD
|
|
|
|
|
PE_PP_INSUFFICIENT_PASSWORD_QUALITY PE_PP_PASSWORD_TOO_SHORT
|
|
|
|
|
PE_PP_PASSWORD_TOO_YOUNG PE_PP_PASSWORD_IN_HISTORY PE_PP_GRACE
|
|
|
|
|
PE_PP_EXP_WARNING PE_PASSWORD_MISMATCH PE_PASSWORD_OK PE_NOTIFICATION
|
2010-01-11 17:58:57 +01:00
|
|
|
PE_BADURL PE_NOSCHEME PE_BADOLDPASSWORD PE_MALFORMEDUSER PE_SESSIONNOTGRANTED
|
2010-01-21 18:38:55 +01:00
|
|
|
PE_CONFIRM PE_MAILFORMEMPTY PE_BADMAILTOKEN PE_MAILERROR PE_MAILOK
|
2010-07-05 17:38:02 +02:00
|
|
|
PE_LOGOUT_OK PE_SAML_ERROR PE_SAML_LOAD_SERVICE_ERROR PE_SAML_LOAD_IDP_ERROR
|
|
|
|
|
PE_SAML_SSO_ERROR PE_SAML_UNKNOWN_ENTITY PE_SAML_DESTINATION_ERROR
|
|
|
|
|
PE_SAML_CONDITIONS_ERROR PE_SAML_IDPSSOINITIATED_NOTALLOWED PE_SAML_SLO_ERROR
|
|
|
|
|
PE_SAML_SIGNATURE_ERROR PE_SAML_ART_ERROR PE_SAML_SESSION_ERROR
|
2010-07-05 17:58:03 +02:00
|
|
|
PE_SAML_LOAD_SP_ERROR PE_SAML_ATTR_ERROR
|
2010-01-21 18:38:55 +01:00
|
|
|
PM_USER PM_DATE PM_IP PM_SESSIONS_DELETED PM_OTHER_SESSIONS
|
2010-01-15 23:01:04 +01:00
|
|
|
PM_REMOVE_OTHER_SESSIONS PM_PP_GRACE PM_PP_EXP_WARNING
|
2010-04-26 17:39:38 +02:00
|
|
|
PM_SAML_IDPSELECT PM_SAML_IDPCHOOSEN PM_REMEMBERCHOICE PM_SAML_SPLOGOUT
|
2010-08-18 15:39:15 +02:00
|
|
|
PM_REDIRECTION PM_BACKTOSP
|
2010-01-11 17:04:36 +01:00
|
|
|
);
|
2008-05-25 14:54:45 +02:00
|
|
|
our %EXPORT_TAGS = ( 'all' => [ @EXPORT, 'import' ], );
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
|
|
|
|
|
|
2008-11-20 19:13:27 +01:00
|
|
|
# Secure jail
|
2008-12-11 18:02:02 +01:00
|
|
|
our $safe;
|
2008-11-20 19:13:27 +01:00
|
|
|
our $self; # Safe cannot share a variable declared with my
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@cmethod Lemonldap::NG::Portal::Simple new(hashRef args)
|
2008-12-03 14:27:30 +01:00
|
|
|
# Class constructor.
|
2008-12-26 18:58:48 +01:00
|
|
|
#@param args hash reference
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal::Simple object
|
2006-12-18 12:32:33 +01:00
|
|
|
sub new {
|
2009-12-10 18:03:57 +01:00
|
|
|
|
2010-02-26 11:53:43 +01:00
|
|
|
@ISA = qw(Lemonldap::NG::Common::CGI Exporter);
|
2008-12-06 08:27:35 +01:00
|
|
|
binmode( STDOUT, ":utf8" );
|
2006-12-18 12:32:33 +01:00
|
|
|
my $class = shift;
|
2008-12-07 15:12:36 +01:00
|
|
|
return $class if ( ref($class) );
|
2009-02-05 18:05:18 +01:00
|
|
|
my $self = $class->SUPER::new();
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Reinit _url
|
2009-04-11 13:16:44 +02:00
|
|
|
$self->{_url} = '';
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Get global configuration
|
2008-11-21 18:51:52 +01:00
|
|
|
$self->getConf(@_)
|
|
|
|
|
or $self->abort( "Configuration error",
|
|
|
|
|
"Unable to get configuration: $Lemonldap::NG::Common::Conf::msg" );
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Default values
|
2009-02-14 09:55:19 +01:00
|
|
|
$self->setDefaultValues();
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Test mandatory elements
|
2008-11-21 18:51:52 +01:00
|
|
|
$self->abort( "Configuration error",
|
|
|
|
|
"You've to indicate a an Apache::Session storage module !" )
|
2006-12-18 12:32:33 +01:00
|
|
|
unless ( $self->{globalStorage} );
|
|
|
|
|
eval "require " . $self->{globalStorage};
|
2008-11-21 18:51:52 +01:00
|
|
|
$self->abort( "Configuration error",
|
|
|
|
|
"Module " . $self->{globalStorage} . " not found in \@INC" )
|
|
|
|
|
if ($@);
|
2010-04-09 15:27:54 +02:00
|
|
|
if ( $self->{samlStorage} ne $self->{globalStorage} ) {
|
|
|
|
|
eval "require " . $self->{samlStorage};
|
|
|
|
|
$self->abort( "Configuration error",
|
|
|
|
|
"Module " . $self->{samlStorage} . " not found in \@INC" )
|
|
|
|
|
if ($@);
|
|
|
|
|
}
|
2008-11-21 18:51:52 +01:00
|
|
|
$self->abort( "Configuration error",
|
|
|
|
|
"You've to indicate a domain for cookies" )
|
|
|
|
|
unless ( $self->{domain} );
|
2006-12-18 12:32:33 +01:00
|
|
|
$self->{domain} =~ s/^([^\.])/.$1/;
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Rules to allow redirection
|
2008-12-28 09:36:52 +01:00
|
|
|
$self->{mustRedirect} = (
|
|
|
|
|
( $ENV{REQUEST_METHOD} eq 'POST' and not $self->param('newpassword') )
|
|
|
|
|
or $self->param('logout')
|
|
|
|
|
) ? 1 : 0;
|
2008-06-06 05:51:39 +02:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# Push authentication/userDB/passwordDb/issuerDB modules in @ISA
|
2010-07-21 14:13:12 +02:00
|
|
|
foreach my $type (qw(authentication userDB passwordDB issuerDB)) {
|
2009-12-10 18:03:57 +01:00
|
|
|
my $module_name = 'Lemonldap::NG::Portal::';
|
2010-07-21 14:13:12 +02:00
|
|
|
my $db_type = $type;
|
2009-12-11 22:17:06 +01:00
|
|
|
my $db_name = $self->{$db_type};
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Adapt module type to real module name
|
|
|
|
|
$db_type =~ s/authentication/Auth/;
|
|
|
|
|
$db_type =~ s/userDB/UserDB/;
|
|
|
|
|
$db_type =~ s/passwordDB/PasswordDB/;
|
|
|
|
|
$db_type =~ s/issuerDB/IssuerDB/;
|
|
|
|
|
|
|
|
|
|
# Full module name
|
|
|
|
|
$module_name .= $db_type . $db_name;
|
|
|
|
|
|
|
|
|
|
# Remove white spaces
|
|
|
|
|
$module_name =~ s/\s.*$//;
|
|
|
|
|
|
|
|
|
|
# Try to load module
|
2010-01-28 15:47:51 +01:00
|
|
|
$self->abort( "Configuration error", "Unable to load $module_name" )
|
|
|
|
|
unless $self->loadModule($module_name);
|
2008-10-05 20:42:50 +02:00
|
|
|
|
|
|
|
|
# $self->{authentication} and $self->{userDB} can contains arguments
|
|
|
|
|
# (key1 = scalar_value; key2 = ...)
|
2009-12-10 18:03:57 +01:00
|
|
|
unless ( $db_name =~ /^Multi/ ) {
|
|
|
|
|
$db_name =~ s/^\w+\s*//;
|
|
|
|
|
my %h = split( /\s*[=;]\s*/, $db_name ) if ($db_name);
|
2009-03-08 09:50:58 +01:00
|
|
|
%$self = ( %h, %$self );
|
|
|
|
|
}
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Notifications
|
2008-11-24 07:57:18 +01:00
|
|
|
if ( $self->{notification} ) {
|
2009-01-28 18:37:10 +01:00
|
|
|
require Lemonldap::NG::Portal::Notification;
|
2009-01-30 16:26:34 +01:00
|
|
|
my $tmp;
|
|
|
|
|
if ( $self->{notificationStorage} ) {
|
|
|
|
|
$tmp = $self->{notificationStorage};
|
|
|
|
|
}
|
|
|
|
|
else {
|
2009-02-11 17:18:38 +01:00
|
|
|
(%$tmp) = ( %{ $self->{lmConf} } );
|
2009-01-30 16:26:34 +01:00
|
|
|
$self->abort( "notificationStorage not defined",
|
|
|
|
|
"This parameter is required to use notification system" )
|
|
|
|
|
unless ( ref($tmp) );
|
2009-02-11 17:18:38 +01:00
|
|
|
$tmp->{type} =~ s/.*:://;
|
2009-01-30 16:26:34 +01:00
|
|
|
$tmp->{table} = 'notifications';
|
|
|
|
|
}
|
2009-02-12 20:48:53 +01:00
|
|
|
$tmp->{p} = $self;
|
2009-01-30 16:26:34 +01:00
|
|
|
$self->{notifObject} = Lemonldap::NG::Portal::Notification->new($tmp);
|
|
|
|
|
$self->abort($Lemonldap::NG::Portal::Notification::msg)
|
|
|
|
|
unless ( $self->{notifObject} );
|
2008-11-24 07:57:18 +01:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# SOAP
|
2009-02-24 18:53:59 +01:00
|
|
|
if ( $self->{Soap} or $self->{soap} ) {
|
|
|
|
|
require Lemonldap::NG::Portal::_SOAP;
|
|
|
|
|
push @ISA, 'Lemonldap::NG::Portal::_SOAP';
|
2010-01-11 17:04:36 +01:00
|
|
|
if ( $self->{notification} ) {
|
|
|
|
|
$self->{CustomSOAPServices}->{'/notification'} = 'newNotification';
|
|
|
|
|
}
|
2009-02-24 18:53:59 +01:00
|
|
|
$self->startSoapServices();
|
2008-12-07 15:12:36 +01:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Trusted domains
|
2009-06-14 18:43:02 +02:00
|
|
|
unless ( defined( $self->{trustedDomains} ) ) {
|
|
|
|
|
$self->{trustedDomains} = $self->{domain};
|
|
|
|
|
}
|
2009-10-02 18:10:23 +02:00
|
|
|
if ( $self->{trustedDomains} eq '*' ) {
|
|
|
|
|
$self->{trustedDomains} = '|\w[\w\-\.]*\w';
|
|
|
|
|
}
|
|
|
|
|
elsif ( $self->{trustedDomains} ) {
|
2009-11-09 16:32:27 +01:00
|
|
|
$self->{trustedDomains} = '|(?:[^/]*)?(?:'
|
|
|
|
|
. join( '|',
|
|
|
|
|
( map { s/\./\\\./g; $_ } split /\s+/, $self->{trustedDomains} ) )
|
|
|
|
|
. ')';
|
2009-06-14 18:43:02 +02:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
return $self;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-28 15:47:51 +01:00
|
|
|
##@method boolean loadModule(string module)
|
|
|
|
|
# Load a module into portal namespace
|
|
|
|
|
# @param module module name
|
|
|
|
|
# @return boolean
|
|
|
|
|
sub loadModule {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
my $module = shift;
|
|
|
|
|
|
|
|
|
|
return 1 unless $module;
|
|
|
|
|
|
|
|
|
|
# Load module test
|
|
|
|
|
eval "require $module";
|
|
|
|
|
if ($@) {
|
|
|
|
|
$self->lmLog( "$module load error: $@", 'error' );
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Push module in @ISA
|
|
|
|
|
push @ISA, $module;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@method protected boolean getConf(hashRef args)
|
2008-12-03 14:27:30 +01:00
|
|
|
# Copy all parameters in caller object.
|
2008-12-26 18:58:48 +01:00
|
|
|
#@param args hash-ref
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return True
|
2006-12-18 12:32:33 +01:00
|
|
|
sub getConf {
|
|
|
|
|
my ($self) = shift;
|
|
|
|
|
my %args;
|
|
|
|
|
if ( ref( $_[0] ) ) {
|
|
|
|
|
%args = %{ $_[0] };
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
%args = @_;
|
|
|
|
|
}
|
|
|
|
|
%$self = ( %$self, %args );
|
|
|
|
|
1;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-14 09:55:19 +01:00
|
|
|
##@method protected void setDefaultValues()
|
|
|
|
|
# Set default values.
|
|
|
|
|
sub setDefaultValues {
|
|
|
|
|
my $self = shift;
|
2010-01-22 12:25:37 +01:00
|
|
|
$self->{portal} ||=
|
|
|
|
|
"http" . ( $ENV{HTTPS} ? 's' : '' ) . '://' . $self->server_name();
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{whatToTrace} ||= 'uid';
|
|
|
|
|
$self->{whatToTrace} =~ s/^\$//;
|
|
|
|
|
$self->{httpOnly} = 1 unless ( defined( $self->{httpOnly} ) );
|
|
|
|
|
$self->{portalSkin} ||= 'pastel';
|
|
|
|
|
$self->{portalDisplayLogout} = 1
|
|
|
|
|
unless ( defined( $self->{portalDisplayLogout} ) );
|
|
|
|
|
$self->{portalDisplayResetPassword} = 1
|
|
|
|
|
unless ( defined( $self->{portalDisplayResetPassword} ) );
|
|
|
|
|
$self->{portalDisplayChangePassword} = 1
|
|
|
|
|
unless ( defined( $self->{portalDisplayChangePassword} ) );
|
|
|
|
|
$self->{portalDisplayAppslist} = 1
|
|
|
|
|
unless ( defined( $self->{portalDisplayAppslist} ) );
|
|
|
|
|
$self->{portalAutocomplete} ||= "off";
|
|
|
|
|
$self->{portalRequireOldPassword} = 1
|
|
|
|
|
unless ( defined( $self->{portalRequireOldPassword} ) );
|
2009-12-17 15:10:39 +01:00
|
|
|
$self->{portalOpenLinkInNewWindow} = 0
|
|
|
|
|
unless ( defined( $self->{portalOpenLinkInNewWindow} ) );
|
2010-02-05 11:21:48 +01:00
|
|
|
$self->{portalForceAuthn} = 0
|
|
|
|
|
unless ( defined( $self->{portalForceAuthn} ) );
|
|
|
|
|
$self->{portalForceAuthnInterval} = 5
|
|
|
|
|
unless ( defined( $self->{portalForceAuthnInterval} ) );
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{portalUserAttr} ||= "_user";
|
2010-04-02 11:17:02 +02:00
|
|
|
$self->{portalHiddenFormValues} = ();
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{securedCookie} ||= 0;
|
|
|
|
|
$self->{cookieName} ||= "lemonldap";
|
|
|
|
|
$self->{authentication} ||= 'LDAP';
|
|
|
|
|
$self->{authentication} =~ s/^ldap/LDAP/;
|
|
|
|
|
$self->{SMTPServer} ||= 'localhost';
|
|
|
|
|
$self->{mailLDAPFilter} ||= '(&(mail=$mail)(objectClass=inetOrgPerson))';
|
|
|
|
|
$self->{randomPasswordRegexp} ||= '[A-Z]{3}[a-z]{5}.\d{2}';
|
|
|
|
|
$self->{mailFrom} ||= "noreply@" . $self->{domain};
|
2010-01-22 12:25:37 +01:00
|
|
|
$self->{mailSubject} ||= "[LemonLDAP::NG] Your new password";
|
|
|
|
|
$self->{mailConfirmSubject} ||=
|
|
|
|
|
"[LemonLDAP::NG] Password reset confirmation";
|
2010-04-15 13:15:36 +02:00
|
|
|
$self->{mailSessionKey} ||= 'mail';
|
|
|
|
|
$self->{mailUrl} ||= $self->{portal} . "/mail.pl";
|
|
|
|
|
$self->{issuerDB} ||= 'Null';
|
|
|
|
|
$self->{multiValuesSeparator} ||= '; ';
|
2010-08-18 17:10:30 +02:00
|
|
|
$self->{activeTimer} = 1 unless ( defined( $self->{activeTimer} ) );
|
2010-08-19 18:19:30 +02:00
|
|
|
$self->{infoFormMethod} ||= "get";
|
|
|
|
|
$self->{confirmFormMethod} ||= "post";
|
2009-12-10 12:30:43 +01:00
|
|
|
|
|
|
|
|
# Set default userDB and passwordDB to DBI if authentication is DBI
|
|
|
|
|
if ( $self->{authentication} =~ /DBI/i ) {
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{userDB} ||= "DBI";
|
|
|
|
|
$self->{passwordDB} ||= "DBI";
|
|
|
|
|
}
|
2010-01-28 15:47:51 +01:00
|
|
|
|
|
|
|
|
# Set default userDB and passwordDB to Null if authentication is Null
|
|
|
|
|
if ( $self->{authentication} =~ /Null/i ) {
|
|
|
|
|
$self->{userDB} ||= "Null";
|
|
|
|
|
$self->{passwordDB} ||= "Null";
|
|
|
|
|
}
|
2009-12-11 22:17:06 +01:00
|
|
|
else {
|
|
|
|
|
|
2009-12-10 12:30:43 +01:00
|
|
|
# Default to LDAP
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{userDB} ||= "LDAP";
|
|
|
|
|
$self->{passwordDB} ||= "LDAP";
|
2009-12-10 12:30:43 +01:00
|
|
|
}
|
2010-02-04 13:30:18 +01:00
|
|
|
|
2010-02-05 15:17:55 +01:00
|
|
|
# LDAP
|
|
|
|
|
$self->{ldapGroupObjectClass} ||= "groupOfNames";
|
|
|
|
|
$self->{ldapGroupAttributeName} ||= "member";
|
|
|
|
|
$self->{ldapGroupAttributeNameUser} ||= "dn";
|
|
|
|
|
$self->{ldapGroupAttributeNameGroup} ||= "dn";
|
|
|
|
|
$self->{ldapGroupAttributeNameSearch} ||= ["cn"];
|
|
|
|
|
$self->{ldapGroupRecursive} ||= 0;
|
|
|
|
|
|
2010-02-04 13:30:18 +01:00
|
|
|
# SAML
|
2010-04-09 15:27:54 +02:00
|
|
|
$self->{samlIdPResolveCookie} ||= $self->{cookieName} . "idp";
|
|
|
|
|
$self->{samlStorage} ||= $self->{globalStorage};
|
|
|
|
|
$self->{samlStorageOptions} ||= $self->{globalStorageOptions};
|
2010-06-28 11:11:59 +02:00
|
|
|
$self->{samlMetadataForceUTF8} = 1
|
|
|
|
|
unless ( defined( $self->{samlMetadataForceUTF8} ) );
|
2009-02-14 09:55:19 +01:00
|
|
|
}
|
|
|
|
|
|
2010-08-20 12:31:20 +02:00
|
|
|
## @method protected void setHiddenFormValue(string fieldname, string value, string prefix, boolean base64)
|
2010-04-02 11:17:02 +02:00
|
|
|
# Add element into $self->{portalHiddenFormValues}, those values could be
|
|
|
|
|
# used to hide values into HTML form.
|
2010-08-20 12:31:20 +02:00
|
|
|
# @param fieldname The field name which will contain the correponding value
|
|
|
|
|
# @param value The associated value
|
|
|
|
|
# @param prefix Prefix of the field key
|
|
|
|
|
# @param base64 Encode value in base64
|
|
|
|
|
# @return nothing
|
2010-04-02 11:17:02 +02:00
|
|
|
sub setHiddenFormValue {
|
2010-08-20 12:31:20 +02:00
|
|
|
my ( $self, $key, $val, $prefix, $base64 ) = splice @_;
|
|
|
|
|
|
|
|
|
|
# Default values
|
|
|
|
|
$prefix = "lmhidden_" unless defined $prefix;
|
|
|
|
|
$base64 = 1 unless defined $base64;
|
|
|
|
|
|
|
|
|
|
# Store value
|
2010-04-09 15:27:54 +02:00
|
|
|
if ($val) {
|
2010-08-20 12:31:20 +02:00
|
|
|
$key = $prefix . $key;
|
|
|
|
|
$val = encode_base64($val) if $base64;
|
|
|
|
|
$self->{portalHiddenFormValues}->{$key} = $val;
|
2010-04-02 17:28:29 +02:00
|
|
|
}
|
2010-04-02 11:17:02 +02:00
|
|
|
}
|
|
|
|
|
|
2010-08-20 12:31:20 +02:00
|
|
|
## @method public void getHiddenFormValue(string fieldname, string prefix, boolean base64)
|
2010-04-02 11:17:02 +02:00
|
|
|
# Get value into $self->{portalHiddenFormValues}.
|
2010-08-20 12:31:20 +02:00
|
|
|
# @param fieldname The existing field name which contains a value
|
|
|
|
|
# @param prefix Prefix of the field key
|
|
|
|
|
# @param base64 Decode value from base64
|
|
|
|
|
# @return string The associated value
|
2010-04-02 11:17:02 +02:00
|
|
|
sub getHiddenFormValue {
|
2010-08-20 12:31:20 +02:00
|
|
|
my ( $self, $key, $prefix, $base64 ) = splice @_;
|
|
|
|
|
|
|
|
|
|
# Default values
|
|
|
|
|
$prefix = "lmhidden_" unless defined $prefix;
|
|
|
|
|
$base64 = 1 unless defined $base64;
|
|
|
|
|
|
|
|
|
|
$key = $prefix . $key;
|
|
|
|
|
|
|
|
|
|
# Get value
|
2010-04-09 15:27:54 +02:00
|
|
|
if ( my $val = $self->param($key) ) {
|
2010-08-20 12:31:20 +02:00
|
|
|
$val = decode_base64($val) if $base64;
|
|
|
|
|
return $val;
|
2010-04-02 17:28:29 +02:00
|
|
|
}
|
2010-08-20 12:31:20 +02:00
|
|
|
|
|
|
|
|
# No value found
|
2010-04-02 17:28:29 +02:00
|
|
|
return undef;
|
2010-04-02 11:17:02 +02:00
|
|
|
}
|
|
|
|
|
|
2010-08-20 12:31:20 +02:00
|
|
|
## @method protected void clearHiddenFormValue(arrayref keys)
|
|
|
|
|
# Clear values form stored hidden fields
|
|
|
|
|
# Delete all keys if no keys provided
|
|
|
|
|
# @param keys Array reference of keys
|
|
|
|
|
# @return nothing
|
2010-08-20 12:52:52 +02:00
|
|
|
sub clearHiddenFormValue {
|
2010-08-20 12:31:20 +02:00
|
|
|
my ( $self, $keys ) = splice @_;
|
|
|
|
|
|
|
|
|
|
unless ( defined $keys ) {
|
|
|
|
|
delete $self->{portalHiddenFormValues};
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
delete $self->{portalHiddenFormValues}->{$_} foreach (@$keys);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-02 11:17:02 +02:00
|
|
|
##@method public string buildHiddenForm()
|
|
|
|
|
# Return an HTML representation of hidden values.
|
2010-08-20 12:31:20 +02:00
|
|
|
# @return HTML code
|
2010-04-02 11:17:02 +02:00
|
|
|
sub buildHiddenForm {
|
|
|
|
|
my $self = shift;
|
2010-04-09 15:27:54 +02:00
|
|
|
my @keys = keys %{ $self->{portalHiddenFormValues} };
|
2010-04-14 17:37:57 +02:00
|
|
|
my $val = '';
|
2010-08-20 12:31:20 +02:00
|
|
|
|
2010-04-09 15:27:54 +02:00
|
|
|
foreach (@keys) {
|
2010-08-20 12:31:20 +02:00
|
|
|
|
|
|
|
|
# Check XSS attacks
|
|
|
|
|
if ( $self->{portalHiddenFormValues}->{$_} =~
|
|
|
|
|
m/(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/ )
|
|
|
|
|
{
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"XSS attack detected (param: $_ | value: "
|
|
|
|
|
. $self->{portalHiddenFormValues}->{$_} . ")",
|
|
|
|
|
"warn"
|
|
|
|
|
);
|
|
|
|
|
next;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Build hidden input HTML code
|
2010-04-09 15:27:54 +02:00
|
|
|
$val .=
|
|
|
|
|
'<input type="hidden" name="'
|
|
|
|
|
. $_
|
|
|
|
|
. '" id="'
|
|
|
|
|
. $_
|
|
|
|
|
. '" value="'
|
|
|
|
|
. $self->{portalHiddenFormValues}->{$_} . '" />';
|
2010-04-02 11:17:02 +02:00
|
|
|
}
|
2010-08-20 12:31:20 +02:00
|
|
|
|
2010-04-02 11:17:02 +02:00
|
|
|
return $val;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-01 16:38:06 +01:00
|
|
|
=begin WSDL
|
|
|
|
|
|
|
|
|
|
_IN lang $string Language
|
|
|
|
|
_IN code $int Error code
|
|
|
|
|
_RETURN $string Error string
|
|
|
|
|
|
|
|
|
|
=end WSDL
|
|
|
|
|
|
|
|
|
|
=cut
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@method string error(string lang)
|
2008-12-07 21:07:52 +01:00
|
|
|
# error calls Portal/_i18n.pm to display error in the wanted language.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@param $lang optional (browser language is used instead)
|
2008-12-26 18:58:48 +01:00
|
|
|
#@return error message
|
2006-12-18 12:32:33 +01:00
|
|
|
sub error {
|
|
|
|
|
my $self = shift;
|
2008-12-07 21:07:52 +01:00
|
|
|
my $lang = shift || $ENV{HTTP_ACCEPT_LANGUAGE};
|
2008-12-08 11:56:19 +01:00
|
|
|
my $code = shift || $self->{error};
|
2009-02-12 20:48:53 +01:00
|
|
|
my $tmp = &Lemonldap::NG::Portal::_i18n::error( $code, $lang );
|
2009-02-14 09:55:19 +01:00
|
|
|
return (
|
|
|
|
|
$ENV{HTTP_SOAPACTION}
|
2009-02-12 20:48:53 +01:00
|
|
|
? SOAP::Data->name( result => $tmp )->type('string')
|
2009-02-14 09:55:19 +01:00
|
|
|
: $tmp
|
|
|
|
|
);
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@method string error_type(int code)
|
2008-09-18 10:34:17 +02:00
|
|
|
# error_type tells if error is positive, warning or negative
|
2008-12-28 09:36:52 +01:00
|
|
|
# @param $code Lemonldap::NG error code
|
|
|
|
|
# @return "positive", "warning" or "negative"
|
2008-09-18 10:34:17 +02:00
|
|
|
sub error_type {
|
|
|
|
|
my $self = shift;
|
2008-12-07 21:07:52 +01:00
|
|
|
my $code = shift || $self->{error};
|
2008-09-18 10:34:17 +02:00
|
|
|
|
|
|
|
|
# Positive errors
|
2008-10-07 22:15:48 +02:00
|
|
|
return "positive"
|
|
|
|
|
if (
|
|
|
|
|
scalar(
|
2010-02-20 12:44:05 +01:00
|
|
|
grep { /^$code$/ } (
|
|
|
|
|
PE_REDIRECT, PE_DONE, PE_OK, PE_PASSWORD_OK,
|
|
|
|
|
PE_MAILOK, PE_LOGOUT_OK,
|
|
|
|
|
)
|
2008-10-07 22:15:48 +02:00
|
|
|
)
|
|
|
|
|
);
|
2008-09-18 10:34:17 +02:00
|
|
|
|
|
|
|
|
# Warning errors
|
2008-10-07 22:15:48 +02:00
|
|
|
return "warning"
|
|
|
|
|
if (
|
|
|
|
|
scalar(
|
2008-12-07 21:07:52 +01:00
|
|
|
grep { /^$code$/ } (
|
2010-01-12 10:53:49 +01:00
|
|
|
PE_INFO, PE_SESSIONEXPIRED,
|
|
|
|
|
PE_FORMEMPTY, PE_FIRSTACCESS,
|
|
|
|
|
PE_PP_GRACE, PE_PP_EXP_WARNING,
|
|
|
|
|
PE_NOTIFICATION, PE_BADURL,
|
2010-01-21 18:38:55 +01:00
|
|
|
PE_CONFIRM, PE_MAILFORMEMPTY,
|
2008-10-07 22:15:48 +02:00
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
);
|
2008-09-18 10:34:17 +02:00
|
|
|
|
|
|
|
|
# Negative errors (default)
|
|
|
|
|
return "negative";
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method void header()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Overload CGI::header() to add Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
sub header {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
if ( $self->{cookie} ) {
|
|
|
|
|
$self->SUPER::header( @_, -cookie => $self->{cookie} );
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$self->SUPER::header(@_);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method void redirect()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Overload CGI::redirect() to add Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
sub redirect {
|
|
|
|
|
my $self = shift;
|
2007-07-30 21:38:19 +02:00
|
|
|
if ( $self->{cookie} ) {
|
|
|
|
|
$self->SUPER::redirect( @_, -cookie => $self->{cookie} );
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$self->SUPER::redirect(@_);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-07-05 11:36:52 +02:00
|
|
|
## @method protected hashref getApacheSession(string id, boolean noInfo)
|
2009-02-14 09:55:19 +01:00
|
|
|
# Try to recover the session corresponding to id and return session datas.
|
|
|
|
|
# If $id is set to undef, return a new session.
|
2010-07-05 11:36:52 +02:00
|
|
|
# @param id session reference
|
|
|
|
|
# @param noInfo do not set Apache REMOTE_USER
|
|
|
|
|
# return session hashref
|
2009-02-23 18:35:38 +01:00
|
|
|
sub getApacheSession {
|
2009-02-24 18:53:59 +01:00
|
|
|
my ( $self, $id, $noInfo ) = @_;
|
2009-02-17 16:39:14 +01:00
|
|
|
my %h;
|
2008-10-05 20:42:50 +02:00
|
|
|
|
2009-02-17 16:39:14 +01:00
|
|
|
# Trying to recover session from global session storage
|
2009-02-14 09:55:19 +01:00
|
|
|
eval { tie %h, $self->{globalStorage}, $id, $self->{globalStorageOptions}; };
|
2009-02-17 16:39:14 +01:00
|
|
|
if ( $@ or not tied(%h) ) {
|
2008-10-05 20:42:50 +02:00
|
|
|
|
2009-02-17 16:39:14 +01:00
|
|
|
# Session not available (expired ?)
|
2009-02-15 09:53:44 +01:00
|
|
|
if ($id) {
|
|
|
|
|
$self->lmLog( "Session $id isn't yet available ($ENV{REMOTE_ADDR})",
|
|
|
|
|
'info' );
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
2009-02-14 09:55:19 +01:00
|
|
|
else {
|
|
|
|
|
$self->lmLog( "Unable to create new session: $@", 'error' );
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
2009-02-14 09:55:19 +01:00
|
|
|
return 0;
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
2010-04-30 07:27:06 +02:00
|
|
|
unless ($noInfo) {
|
|
|
|
|
$self->setApacheUser( $h{ $self->{whatToTrace} } ) if ($id);
|
|
|
|
|
$self->{id} = $h{_session_id};
|
|
|
|
|
}
|
2009-02-14 09:55:19 +01:00
|
|
|
return \%h;
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
|
|
|
|
|
2010-04-12 15:50:42 +02:00
|
|
|
## @method void updateSession(hashRef infos, string id)
|
2008-12-26 18:58:48 +01:00
|
|
|
# Update session stored.
|
2010-04-12 15:50:42 +02:00
|
|
|
# If no id is given, try to get it from cookie.
|
|
|
|
|
# If the session is available, update datas with $info.
|
2010-06-08 12:39:34 +02:00
|
|
|
# @param infos hash reference of information to update
|
2010-04-12 15:50:42 +02:00
|
|
|
# @param id Session ID
|
|
|
|
|
# @return nothing
|
2008-10-16 09:35:42 +02:00
|
|
|
sub updateSession {
|
2009-02-17 15:56:38 +01:00
|
|
|
|
|
|
|
|
# TODO: update all caches
|
2010-04-12 15:50:42 +02:00
|
|
|
my ( $self, $infos, $id ) = splice @_;
|
2008-10-16 09:35:42 +02:00
|
|
|
my %cookies = fetch CGI::Cookie;
|
|
|
|
|
|
2010-04-12 15:50:42 +02:00
|
|
|
# Session ID
|
|
|
|
|
unless ($id) {
|
|
|
|
|
$id = $cookies{ $self->{cookieName} }->value
|
|
|
|
|
if defined $cookies{ $self->{cookieName} };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($id) {
|
2010-07-05 11:36:52 +02:00
|
|
|
my $h = $self->getApacheSession( $id, 1 ) or return undef;
|
2008-10-16 09:35:42 +02:00
|
|
|
|
|
|
|
|
# Store/update session values
|
|
|
|
|
foreach ( keys %$infos ) {
|
2009-02-14 09:55:19 +01:00
|
|
|
$h->{$_} = $infos->{$_};
|
2008-10-16 09:35:42 +02:00
|
|
|
}
|
|
|
|
|
|
2010-01-25 18:40:46 +01:00
|
|
|
# Store updateTime
|
|
|
|
|
$h->{updateTime} = &POSIX::strftime( "%Y%m%d%H%M%S", localtime() );
|
|
|
|
|
|
2009-02-14 09:55:19 +01:00
|
|
|
untie %$h;
|
2008-10-16 09:35:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2010-05-21 11:03:29 +02:00
|
|
|
## @method string getFirstValue(string value)
|
|
|
|
|
# Get the first value of a multivaluated session value
|
|
|
|
|
# @param value the complete value
|
|
|
|
|
# @return first value
|
|
|
|
|
sub getFirstValue {
|
|
|
|
|
my ( $self, $value ) = splice @_;
|
|
|
|
|
|
|
|
|
|
my @values = split /\Q$self->{multiValuesSeparator}\E/, $value;
|
|
|
|
|
|
|
|
|
|
return $values[0];
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method protected int _subProcess(array @subs)
|
2008-12-26 18:58:48 +01:00
|
|
|
# Execute methods until an error is returned.
|
|
|
|
|
# If $self->{$sub} exists, launch it, else launch $self->$sub
|
|
|
|
|
#@param @subs array list of subroutines
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal error
|
2007-10-22 21:42:19 +02:00
|
|
|
sub _subProcess {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
my @subs = @_;
|
|
|
|
|
my $err = undef;
|
|
|
|
|
|
|
|
|
|
foreach my $sub (@subs) {
|
2009-02-17 16:39:14 +01:00
|
|
|
last if ( $err = $self->_sub($sub) );
|
|
|
|
|
}
|
2007-10-22 21:42:19 +02:00
|
|
|
return $err;
|
|
|
|
|
}
|
2010-01-28 15:47:51 +01:00
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method protected void updateStatus()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Inform status mechanism module.
|
|
|
|
|
# If an handler is launched on the same server with "status=>1", inform the
|
|
|
|
|
# status module with the result (portal error).
|
2008-05-11 21:21:39 +02:00
|
|
|
sub updateStatus {
|
2009-04-07 22:38:24 +02:00
|
|
|
my $self = shift;
|
2008-05-11 21:21:39 +02:00
|
|
|
print $Lemonldap::NG::Handler::Simple::statusPipe (
|
|
|
|
|
$self->{user} ? $self->{user} : $ENV{REMOTE_ADDR} )
|
|
|
|
|
. " => $ENV{SERVER_NAME}$ENV{SCRIPT_NAME} "
|
|
|
|
|
. $self->{error} . "\n"
|
|
|
|
|
if ($Lemonldap::NG::Handler::Simple::statusPipe);
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@method protected string notification()
|
|
|
|
|
#@return Notification stored by checkNotification()
|
2008-11-24 07:57:18 +01:00
|
|
|
sub notification {
|
2009-04-07 22:38:24 +02:00
|
|
|
my $self = shift;
|
2008-11-24 07:57:18 +01:00
|
|
|
return $self->{_notification};
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@method protected string get_url()
|
2009-04-08 18:31:13 +02:00
|
|
|
# Return url parameter
|
2008-12-28 09:36:52 +01:00
|
|
|
# @return url parameter if good, nothing else.
|
2008-12-03 17:41:30 +01:00
|
|
|
sub get_url {
|
2009-04-07 22:38:24 +02:00
|
|
|
my $self = shift;
|
2009-04-11 13:16:44 +02:00
|
|
|
return $self->{_url};
|
2008-12-03 17:41:30 +01:00
|
|
|
}
|
2008-06-06 05:51:39 +02:00
|
|
|
|
2009-05-19 10:52:27 +02:00
|
|
|
##@method protected string get_user()
|
|
|
|
|
# Return user parameter
|
|
|
|
|
# @return user parameter if good, nothing else.
|
|
|
|
|
sub get_user {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
return "" unless $self->{user};
|
2009-06-14 18:43:02 +02:00
|
|
|
return $self->{user}
|
|
|
|
|
unless ( $self->{user} =~ m/(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/ );
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"XSS attack detected (param: user | value: " . $self->{user} . ")",
|
|
|
|
|
"warn" );
|
2009-05-19 10:52:27 +02:00
|
|
|
return "";
|
|
|
|
|
}
|
|
|
|
|
|
2010-03-15 10:53:56 +01:00
|
|
|
## @method string get_module(string type)
|
|
|
|
|
# Return current used module
|
|
|
|
|
# @param type auth/user/password/issuer
|
|
|
|
|
# @return module name
|
|
|
|
|
sub get_module {
|
|
|
|
|
my ( $self, $type ) = splice @_;
|
|
|
|
|
|
|
|
|
|
if ( $type =~ /auth/i ) {
|
|
|
|
|
if ( defined $self->{_multi}->{stack}->[0] ) {
|
|
|
|
|
return $self->{_multi}->{stack}->[0]->[0]->{n};
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return $self->{authentication};
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( $type =~ /user/i ) {
|
|
|
|
|
if ( defined $self->{_multi}->{stack}->[1] ) {
|
|
|
|
|
return $self->{_multi}->{stack}->[1]->[0]->{n};
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return $self->{userDB};
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( $type =~ /password/i ) {
|
|
|
|
|
return $self->{passwordDB};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( $type =~ /issuer/i ) {
|
|
|
|
|
return $self->{issuerDB};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method private Safe safe()
|
2008-12-11 18:02:02 +01:00
|
|
|
# Provide the security jail.
|
|
|
|
|
#@return Safe object
|
|
|
|
|
sub safe {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
return $safe if ($safe);
|
|
|
|
|
$safe = new Safe;
|
|
|
|
|
my @t =
|
|
|
|
|
$self->{customFunctions} ? split( /\s+/, $self->{customFunctions} ) : ();
|
|
|
|
|
foreach (@t) {
|
|
|
|
|
my $sub = $_;
|
|
|
|
|
unless (/::/) {
|
|
|
|
|
$sub = ref($self) . "::$_";
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
s/^.*:://;
|
|
|
|
|
}
|
|
|
|
|
next if ( $self->can($_) );
|
|
|
|
|
eval "sub $_ {
|
|
|
|
|
return $sub( '$self->{portal}', \@_ );
|
|
|
|
|
}";
|
2009-02-12 20:48:53 +01:00
|
|
|
$self->lmLog( $@, 'error' ) if ($@);
|
2008-12-11 18:02:02 +01:00
|
|
|
}
|
2009-03-08 18:37:31 +01:00
|
|
|
$safe->share_from( 'main', ['%ENV'] );
|
2009-04-05 10:12:16 +02:00
|
|
|
$safe->share_from( 'Lemonldap::NG::Common::Safelib',
|
|
|
|
|
$Lemonldap::NG::Common::Safelib::functions );
|
2009-03-08 18:37:31 +01:00
|
|
|
$safe->share( '&encode_base64', @t );
|
2008-12-11 18:02:02 +01:00
|
|
|
return $safe;
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-18 18:22:04 +01:00
|
|
|
##@method private boolean _deleteSession(Apache::Session* h, boolean preserveCookie)
|
2010-01-12 10:53:49 +01:00
|
|
|
# Delete an existing session. If "securedCookie" is set to 2, the http session
|
|
|
|
|
# will also be removed.
|
2010-02-18 18:22:04 +01:00
|
|
|
# @param h tied Apache::Session object
|
|
|
|
|
# @param preserveCookie do not delete cookie
|
2010-01-12 10:53:49 +01:00
|
|
|
# @return True if session has been deleted
|
2009-04-03 18:17:57 +02:00
|
|
|
sub _deleteSession {
|
2010-01-12 11:36:04 +01:00
|
|
|
my ( $self, $h, $preserveCookie ) = @_;
|
2010-02-18 18:22:04 +01:00
|
|
|
my $result = 1;
|
2010-01-12 10:53:49 +01:00
|
|
|
|
2010-05-17 18:02:21 +02:00
|
|
|
# Return false if $h is not a hashref
|
2010-05-19 16:59:43 +02:00
|
|
|
if ( ref $h ne "HASH" ) {
|
|
|
|
|
$self->lmLog( "_deleteSession: \$h is not a session object", 'error' );
|
2010-06-04 10:43:42 +02:00
|
|
|
return 0;
|
2010-05-17 18:02:21 +02:00
|
|
|
}
|
|
|
|
|
|
2010-01-12 10:53:49 +01:00
|
|
|
# Try to find a linked http session (securedCookie=>2)
|
2009-04-03 18:17:57 +02:00
|
|
|
if ( my $id2 = $h->{_httpSession} ) {
|
2010-04-30 07:27:06 +02:00
|
|
|
if ( my $h2 = $self->getApacheSession( $id2, 1 ) ) {
|
2010-01-12 10:53:49 +01:00
|
|
|
|
|
|
|
|
# Try to purge local cache
|
|
|
|
|
# (if an handler is running on the same server)
|
|
|
|
|
eval { $self->{lmConf}->{refLocalStorage}->remove($id2); };
|
2010-01-15 23:01:04 +01:00
|
|
|
eval { tied(%$h2)->delete() };
|
|
|
|
|
$self->lmLog( $@, 'error' ) if ($@);
|
2009-04-03 18:17:57 +02:00
|
|
|
|
2010-01-12 10:53:49 +01:00
|
|
|
# Create an obsolete cookie to remove it
|
2010-01-15 23:01:04 +01:00
|
|
|
push @{ $self->{cookie} },
|
|
|
|
|
$self->cookie(
|
|
|
|
|
-name => $self->{cookieName} . 'http',
|
|
|
|
|
-value => 0,
|
|
|
|
|
-domain => $self->{domain},
|
|
|
|
|
-path => "/",
|
|
|
|
|
-secure => 0,
|
|
|
|
|
-expires => '-1d',
|
|
|
|
|
@_,
|
|
|
|
|
);
|
|
|
|
|
}
|
2010-01-12 10:53:49 +01:00
|
|
|
}
|
2010-02-18 18:22:04 +01:00
|
|
|
|
|
|
|
|
my $logged_user = $h->{ $self->{whatToTrace} };
|
2010-01-12 10:53:49 +01:00
|
|
|
|
|
|
|
|
# Try to purge local cache
|
|
|
|
|
# (if an handler is running on the same server)
|
|
|
|
|
eval { $self->{lmConf}->{refLocalStorage}->remove( $h->{_session_id} ); };
|
2010-02-18 18:22:04 +01:00
|
|
|
eval { tied(%$h)->delete() };
|
|
|
|
|
if ($@) {
|
|
|
|
|
$self->lmLog( $@, 'error' );
|
|
|
|
|
$result = 0;
|
|
|
|
|
}
|
2009-04-03 18:17:57 +02:00
|
|
|
|
2010-01-12 10:53:49 +01:00
|
|
|
# Create an obsolete cookie to remove it
|
2009-04-03 18:17:57 +02:00
|
|
|
push @{ $self->{cookie} },
|
|
|
|
|
$self->cookie(
|
|
|
|
|
-name => $self->{cookieName},
|
|
|
|
|
-value => 0,
|
|
|
|
|
-domain => $self->{domain},
|
|
|
|
|
-path => "/",
|
|
|
|
|
-secure => 0,
|
|
|
|
|
-expires => '-1d',
|
|
|
|
|
@_,
|
2010-01-12 11:36:04 +01:00
|
|
|
) unless ($preserveCookie);
|
2010-01-12 10:53:49 +01:00
|
|
|
|
|
|
|
|
# Log
|
2010-04-15 15:46:45 +02:00
|
|
|
$self->_sub( 'userNotice', "User $logged_user has been disconnected" )
|
|
|
|
|
if $logged_user;
|
2010-01-12 10:53:49 +01:00
|
|
|
|
|
|
|
|
# Return the result of tied(%$h)->delete()
|
2010-02-18 18:22:04 +01:00
|
|
|
return $result;
|
2009-04-03 18:17:57 +02:00
|
|
|
}
|
|
|
|
|
|
2010-02-04 13:30:18 +01:00
|
|
|
##@method private void _dump( variable )
|
|
|
|
|
# Dump variable in debug mode
|
|
|
|
|
# @param $variable
|
|
|
|
|
# @return void
|
|
|
|
|
sub _dump {
|
2010-03-01 21:32:28 +01:00
|
|
|
my $self = shift;
|
|
|
|
|
my $variable = shift;
|
2010-02-04 13:30:18 +01:00
|
|
|
|
2010-04-28 21:57:16 +02:00
|
|
|
require Data::Dumper;
|
|
|
|
|
$self->lmLog( "Dump: " . Data::Dumper::Dumper($variable), 'debug' );
|
2010-02-04 13:30:18 +01:00
|
|
|
|
2010-03-01 21:32:28 +01:00
|
|
|
return;
|
2010-02-04 13:30:18 +01:00
|
|
|
}
|
|
|
|
|
|
2010-01-11 17:04:36 +01:00
|
|
|
##@method protected string info(string t)
|
|
|
|
|
# Get or set info to display to the user.
|
|
|
|
|
# @param $t optional text to store
|
|
|
|
|
# @return HTML text to display
|
|
|
|
|
sub info {
|
|
|
|
|
my ( $self, $t ) = @_;
|
2010-01-12 10:53:49 +01:00
|
|
|
$self->{_info} .= $t if ( defined $t );
|
2010-01-11 17:04:36 +01:00
|
|
|
return $self->{_info};
|
|
|
|
|
}
|
|
|
|
|
|
2010-08-18 15:39:15 +02:00
|
|
|
##@method protected string loginInfo(string t)
|
|
|
|
|
# Get or set info to display to the user on login screen
|
|
|
|
|
# @param $t optional text to store
|
|
|
|
|
# @return HTML text to display
|
|
|
|
|
sub loginInfo {
|
|
|
|
|
my ( $self, $t ) = @_;
|
|
|
|
|
$self->{_loginInfo} .= $t if ( defined $t );
|
|
|
|
|
return $self->{_loginInfo};
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-29 15:39:26 +02:00
|
|
|
##@method public void printImage(string file, string type)
|
|
|
|
|
# Print image to STDOUT
|
|
|
|
|
# @param $file The path to the file to print
|
|
|
|
|
# @param $type The content-type to use (ie: image/png)
|
|
|
|
|
# @return void
|
|
|
|
|
sub printImage {
|
|
|
|
|
my ( $self, $file, $type ) = @_;
|
|
|
|
|
binmode STDOUT;
|
2010-05-01 15:12:28 +02:00
|
|
|
unless ( open( IMAGE, '<', $file ) ) {
|
2010-04-29 15:39:26 +02:00
|
|
|
$self->lmLog( "Could not display image '$file'", 'error' );
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
print $self->header(
|
2010-05-01 15:12:28 +02:00
|
|
|
$type . '; charset=utf-8; content-length=' . ( stat($file) )[10] );
|
2010-04-29 15:39:26 +02:00
|
|
|
my $buffer = "";
|
2010-05-01 15:12:28 +02:00
|
|
|
while ( read( IMAGE, $buffer, 4096 ) ) {
|
2010-04-29 15:39:26 +02:00
|
|
|
print $buffer;
|
|
|
|
|
}
|
|
|
|
|
close(IMAGE);
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-07 21:07:52 +01:00
|
|
|
###############################################################
|
|
|
|
|
# MAIN subroutine: call all steps until one returns something #
|
|
|
|
|
# different than PE_OK #
|
|
|
|
|
###############################################################
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method boolean process()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Main method calling functions issued from:
|
|
|
|
|
# - itself:
|
|
|
|
|
# - controlUrlOrigin
|
|
|
|
|
# - checkNotifBack
|
|
|
|
|
# - controlExistingSession
|
|
|
|
|
# - setMacros
|
|
|
|
|
# - setLocalGroups
|
|
|
|
|
# - removeOther
|
2010-01-11 15:02:43 +01:00
|
|
|
# - grantSession
|
2009-12-10 18:03:57 +01:00
|
|
|
# - store
|
|
|
|
|
# - buildCookie
|
|
|
|
|
# - checkNotification
|
|
|
|
|
# - autoRedirect
|
|
|
|
|
# - updateStatus
|
|
|
|
|
# - authentication module:
|
|
|
|
|
# - authInit
|
|
|
|
|
# - extractFormInfo
|
|
|
|
|
# - setAuthSessionInfo
|
|
|
|
|
# - authenticate
|
2010-05-17 18:02:21 +02:00
|
|
|
# - authFinish
|
2009-12-10 18:03:57 +01:00
|
|
|
# - userDB module:
|
|
|
|
|
# - userDBInit
|
|
|
|
|
# - getUser
|
|
|
|
|
# - setSessionInfo
|
|
|
|
|
# - setGroups
|
|
|
|
|
# - passwordDB module:
|
|
|
|
|
# - passwordDBInit
|
|
|
|
|
# - modifyPassword
|
|
|
|
|
# - issuerDB module:
|
|
|
|
|
# - issuerDBInit
|
|
|
|
|
# - issuerForUnAuthUser
|
|
|
|
|
# - issuerForAuthUser
|
|
|
|
|
#
|
|
|
|
|
#@return 1 if all is OK, 0 if session isn't created or a notification has to be done
|
2008-12-07 21:07:52 +01:00
|
|
|
sub process {
|
|
|
|
|
my ($self) = @_;
|
|
|
|
|
$self->{error} = PE_OK;
|
|
|
|
|
$self->{error} = $self->_subProcess(
|
2009-12-10 18:03:57 +01:00
|
|
|
qw(controlUrlOrigin checkNotifBack controlExistingSession issuerDBInit
|
2010-07-02 17:14:54 +02:00
|
|
|
authInit issuerForUnAuthUser extractFormInfo userDBInit getUser
|
2009-06-14 18:43:02 +02:00
|
|
|
setAuthSessionInfo passwordDBInit modifyPassword setSessionInfo
|
2010-01-21 18:38:55 +01:00
|
|
|
setMacros setLocalGroups setGroups authenticate removeOther
|
2010-05-17 18:02:21 +02:00
|
|
|
grantSession store authFinish buildCookie checkNotification
|
|
|
|
|
issuerForAuthUser autoRedirect)
|
2008-12-07 21:07:52 +01:00
|
|
|
);
|
|
|
|
|
$self->updateStatus;
|
|
|
|
|
return ( ( $self->{error} > 0 ) ? 0 : 1 );
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int controlUrlOrigin()
|
2009-12-10 18:03:57 +01:00
|
|
|
# If the user was redirected here, loads 'url' parameter.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub controlUrlOrigin {
|
|
|
|
|
my $self = shift;
|
2009-04-11 13:16:44 +02:00
|
|
|
$self->{_url} ||= '';
|
2009-04-08 18:31:13 +02:00
|
|
|
if ( my $url = $self->param('url') ) {
|
2008-12-07 10:02:44 +01:00
|
|
|
|
|
|
|
|
# REJECT NON BASE64 URL
|
2009-05-19 10:52:27 +02:00
|
|
|
if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
|
2009-06-14 18:43:02 +02:00
|
|
|
$self->lmLog( "XSS attack detected (param: url | value: $url)",
|
|
|
|
|
"warn" );
|
2009-05-19 10:52:27 +02:00
|
|
|
return PE_BADURL;
|
|
|
|
|
}
|
2008-12-07 10:02:44 +01:00
|
|
|
|
2009-04-07 22:38:24 +02:00
|
|
|
$self->{urldc} = decode_base64($url);
|
2008-12-07 13:15:40 +01:00
|
|
|
$self->{urldc} =~ s/[\r\n]//sg;
|
2008-12-03 17:05:27 +01:00
|
|
|
|
2010-05-01 15:12:28 +02:00
|
|
|
# For logout request, test if Referer comes from an authorizated site
|
|
|
|
|
my $tmp =
|
|
|
|
|
( $self->param('logout') ? $ENV{HTTP_REFERER} : $self->{urldc} );
|
|
|
|
|
|
2008-12-07 10:02:44 +01:00
|
|
|
# REJECT [\0<'"`] in URL or encoded '%' and non protected hosts
|
2008-12-24 15:55:44 +01:00
|
|
|
if (
|
2008-12-24 15:57:23 +01:00
|
|
|
$self->{urldc} =~ /(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/
|
2010-05-05 18:42:22 +02:00
|
|
|
or ( $tmp
|
|
|
|
|
and $tmp !~
|
2010-05-01 15:12:28 +02:00
|
|
|
/^https?:\/\/(?:$self->{reVHosts}$self->{trustedDomains})(?::\d+)?(?:\/.*)?$/o
|
|
|
|
|
)
|
2008-12-24 15:55:44 +01:00
|
|
|
)
|
2008-12-06 08:27:35 +01:00
|
|
|
{
|
2009-06-14 18:43:02 +02:00
|
|
|
$self->lmLog(
|
2010-05-01 15:12:28 +02:00
|
|
|
"XSS attack detected (param: "
|
|
|
|
|
. ( $self->param('logout') ? 'HTTP Referer' : 'urldc' )
|
|
|
|
|
. " | value: $tmp)",
|
2009-06-14 18:43:02 +02:00
|
|
|
"warn"
|
|
|
|
|
);
|
2008-12-03 17:41:30 +01:00
|
|
|
delete $self->{urldc};
|
2008-12-06 08:27:35 +01:00
|
|
|
return PE_BADURL;
|
|
|
|
|
}
|
2009-04-11 13:16:44 +02:00
|
|
|
$self->{_url} = $url;
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int checkNotifBack()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Checks if a message has been notified to the connected user.
|
2009-01-30 16:26:34 +01:00
|
|
|
# Call Lemonldap::NG::Portal::Notification::checkNotification()
|
|
|
|
|
#@return Lemonldap::NG::Portal error code
|
|
|
|
|
sub checkNotifBack {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
if ( $self->{notification} and grep( /^reference/, $self->param() ) ) {
|
|
|
|
|
unless ( $self->{notifObject}->checkNotification($self) ) {
|
|
|
|
|
$self->{_notification} =
|
|
|
|
|
$self->{notifObject}->getNotification($self);
|
|
|
|
|
return PE_NOTIFICATION;
|
|
|
|
|
}
|
|
|
|
|
else {
|
2009-04-07 22:38:24 +02:00
|
|
|
$self->{error} = $self->_subProcess(
|
2010-07-02 17:42:22 +02:00
|
|
|
qw(checkNotification issuerDBInit authInit issuerForAuthUser autoRedirect)
|
2009-12-11 22:17:06 +01:00
|
|
|
);
|
2009-01-30 16:26:34 +01:00
|
|
|
return $self->{error} || PE_DONE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int controlExistingSession(string id)
|
2009-12-10 18:03:57 +01:00
|
|
|
# Control existing sessions.
|
2008-12-03 14:27:30 +01:00
|
|
|
# To overload to control what to do with existing sessions.
|
2007-02-23 06:31:32 +01:00
|
|
|
# what to do with existing sessions ?
|
2008-12-03 14:27:30 +01:00
|
|
|
# - nothing: user is authenticated and process returns true (default)
|
|
|
|
|
# - delete and create a new session (not implemented)
|
2010-01-25 18:40:46 +01:00
|
|
|
# - re-authentication (set portalForceAuthn to 1)
|
2009-01-30 16:26:34 +01:00
|
|
|
#@param $id optional value of the session-id else cookies are examinated.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub controlExistingSession {
|
2009-01-30 16:26:34 +01:00
|
|
|
my ( $self, $id ) = @_;
|
|
|
|
|
my %cookies;
|
|
|
|
|
%cookies = fetch CGI::Cookie unless ($id);
|
2008-05-11 21:21:39 +02:00
|
|
|
|
2007-02-11 09:31:56 +01:00
|
|
|
# Test if Lemonldap::NG cookie is available
|
2009-01-30 16:26:34 +01:00
|
|
|
if (
|
|
|
|
|
$id
|
|
|
|
|
or ( $cookies{ $self->{cookieName} }
|
|
|
|
|
and $id = $cookies{ $self->{cookieName} }->value )
|
|
|
|
|
)
|
2008-05-11 21:21:39 +02:00
|
|
|
{
|
2009-02-23 18:35:38 +01:00
|
|
|
my $h = $self->getApacheSession($id) or return PE_OK;
|
2009-02-15 09:53:44 +01:00
|
|
|
%{ $self->{sessionInfo} } = %$h;
|
2007-03-14 08:28:53 +01:00
|
|
|
|
2007-03-18 19:33:38 +01:00
|
|
|
# Logout if required
|
2008-05-11 21:21:39 +02:00
|
|
|
if ( $self->param('logout') ) {
|
|
|
|
|
|
2007-03-18 19:33:38 +01:00
|
|
|
# Delete session in global storage
|
2010-02-20 12:44:05 +01:00
|
|
|
unless ( $self->_deleteSession($h) ) {
|
|
|
|
|
$self->lmLog( "Unable to delete session $id", 'error' );
|
|
|
|
|
return PE_ERROR;
|
|
|
|
|
}
|
2010-02-18 18:22:04 +01:00
|
|
|
|
|
|
|
|
# Call issuerDB logout
|
2010-04-28 21:57:16 +02:00
|
|
|
eval {
|
|
|
|
|
$self->{error} =
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->_subProcess(qw(issuerDBInit authInit issuerLogout));
|
2010-04-28 21:57:16 +02:00
|
|
|
};
|
2010-02-18 18:22:04 +01:00
|
|
|
if ($@) {
|
|
|
|
|
$self->lmLog( "Error when calling issuerLogout: $@", 'debug' );
|
|
|
|
|
}
|
2010-04-27 17:11:53 +02:00
|
|
|
return $self->{error} if $self->{error} > 0;
|
2010-02-18 18:22:04 +01:00
|
|
|
|
|
|
|
|
# Call authentication logout
|
2010-02-26 10:12:18 +01:00
|
|
|
eval { $self->{error} = $self->_sub('authLogout'); };
|
2010-02-18 18:22:04 +01:00
|
|
|
if ($@) {
|
|
|
|
|
$self->lmLog( "Error when calling authLogout: $@", 'debug' );
|
|
|
|
|
}
|
2010-04-27 17:11:53 +02:00
|
|
|
return $self->{error} if $self->{error} > 0;
|
2010-02-18 18:22:04 +01:00
|
|
|
|
2010-02-24 11:11:01 +01:00
|
|
|
# Redirect or Post if asked by authLogout
|
2010-02-28 20:07:02 +01:00
|
|
|
$self->_subProcess(qw(autoRedirect))
|
|
|
|
|
if ( $self->{urldc} and $self->{urldc} ne $self->{portal} );
|
2010-03-01 21:32:28 +01:00
|
|
|
$self->_subProcess(qw(autoPost)) if ( $self->{postUrl} );
|
2010-02-24 11:11:01 +01:00
|
|
|
|
2010-02-20 12:44:05 +01:00
|
|
|
# Display logout message
|
|
|
|
|
return PE_LOGOUT_OK;
|
2007-03-14 08:28:53 +01:00
|
|
|
}
|
2010-01-12 11:36:04 +01:00
|
|
|
|
|
|
|
|
# If the user wants to purge other sessions
|
|
|
|
|
elsif ( $self->param('removeOther') ) {
|
|
|
|
|
$self->{notifyDeleted} = 1;
|
|
|
|
|
$self->{singleSession} = 1;
|
|
|
|
|
$self->_sub( 'removeOther', $id );
|
|
|
|
|
}
|
2009-04-03 18:17:57 +02:00
|
|
|
untie %$h;
|
2007-05-23 08:48:07 +02:00
|
|
|
$self->{id} = $id;
|
2008-05-11 21:21:39 +02:00
|
|
|
|
2007-02-11 09:31:56 +01:00
|
|
|
# A session has been find => calling &existingSession
|
2009-02-23 18:35:38 +01:00
|
|
|
my $r = $self->_sub( 'existingSession', $id, $self->{sessionInfo} );
|
2008-05-11 21:21:39 +02:00
|
|
|
if ( $r == PE_DONE ) {
|
2010-01-11 17:04:36 +01:00
|
|
|
$self->{error} = $self->_subProcess(
|
2010-07-02 17:42:22 +02:00
|
|
|
qw(checkNotification issuerDBInit authInit issuerForAuthUser autoRedirect)
|
2010-01-11 17:04:36 +01:00
|
|
|
);
|
2007-02-11 09:31:56 +01:00
|
|
|
return $self->{error} || PE_DONE;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return $r;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
## @method int existingSession()
|
|
|
|
|
# Launched by controlExistingSession() to know what to do with existing
|
|
|
|
|
# sessions.
|
2009-12-10 18:03:57 +01:00
|
|
|
# Can return:
|
|
|
|
|
# - PE_DONE: session is unchanged and process() return true
|
|
|
|
|
# - PE_OK: process() return false to display the form
|
2009-02-17 15:56:38 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2007-02-11 09:31:56 +01:00
|
|
|
sub existingSession {
|
2010-01-25 18:40:46 +01:00
|
|
|
my $self = shift;
|
2010-02-28 20:07:02 +01:00
|
|
|
my $forceAuthn;
|
2010-01-25 18:40:46 +01:00
|
|
|
|
|
|
|
|
# Check portalForceAuthn parameter
|
2010-02-28 20:07:02 +01:00
|
|
|
# and authForce method
|
|
|
|
|
eval { $forceAuthn = $self->authForce(); };
|
|
|
|
|
if ($@) {
|
|
|
|
|
$self->lmLog( "Error when calling authForce: $@", 'debug' );
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$forceAuthn = 1 if ( $self->{portalForceAuthn} );
|
|
|
|
|
|
|
|
|
|
if ($forceAuthn) {
|
2010-01-25 18:40:46 +01:00
|
|
|
my $referer = $self->referer();
|
|
|
|
|
my $id = $self->{id};
|
|
|
|
|
|
2010-02-05 11:21:48 +01:00
|
|
|
# Do not force authentication when password is modified
|
|
|
|
|
return PE_DONE if $self->param('newpassword');
|
|
|
|
|
|
|
|
|
|
# Do not force authentication if last successful authentication is recent
|
|
|
|
|
my $last_authn_utime = $self->{sessionInfo}->{_lastAuthnUTime} || 0;
|
|
|
|
|
if ( time() - $last_authn_utime < $self->{portalForceAuthnInterval} ) {
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"Authentication is recent, so do not force authentication for session $id",
|
|
|
|
|
'debug'
|
|
|
|
|
);
|
|
|
|
|
return PE_DONE;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-27 15:04:41 +01:00
|
|
|
# If coming from the portal follow the normal process to update the session
|
2010-01-25 18:40:46 +01:00
|
|
|
if ( $referer ? ( $referer =~ m#$self->{portal}#i ) : 0 ) {
|
|
|
|
|
$self->lmLog( "Portal referer detected for session $id", 'debug' );
|
|
|
|
|
|
|
|
|
|
# Set flag to update session timestamp
|
|
|
|
|
$self->{updateSession} = 1;
|
|
|
|
|
|
|
|
|
|
# Process
|
|
|
|
|
$self->{error} = $self->_subProcess(
|
2010-07-02 17:14:54 +02:00
|
|
|
qw(issuerDBInit authInit issuerForUnAuthUser extractFormInfo
|
2010-01-27 15:04:41 +01:00
|
|
|
userDBInit getUser setAuthSessionInfo setSessionInfo
|
2010-01-25 18:40:46 +01:00
|
|
|
setMacros setLocalGroups setGroups authenticate
|
2010-05-17 18:02:21 +02:00
|
|
|
store authFinish)
|
2010-01-25 18:40:46 +01:00
|
|
|
);
|
|
|
|
|
return $self->{error} || PE_DONE;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$self->lmLog( "Force reauthentication for session $id", 'debug' );
|
|
|
|
|
return PE_OK;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Else return PE_DONE
|
2008-12-01 10:36:02 +01:00
|
|
|
PE_DONE;
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
|
2010-01-27 17:30:19 +01:00
|
|
|
## @apmethod int issuerDBInit()
|
|
|
|
|
# Set _issuerDB
|
|
|
|
|
# call issuerDBInit in issuerDB* module
|
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
|
sub issuerDBInit {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
2010-01-28 15:47:51 +01:00
|
|
|
# Get the current issuer module
|
2010-03-15 10:53:56 +01:00
|
|
|
$self->{sessionInfo}->{_issuerDB} = $self->get_module("issuer");
|
2010-01-27 17:30:19 +01:00
|
|
|
|
|
|
|
|
return $self->SUPER::issuerDBInit();
|
|
|
|
|
}
|
2008-11-20 19:13:27 +01:00
|
|
|
|
2010-01-28 15:47:51 +01:00
|
|
|
# authInit(): must be implemented in Auth* module
|
|
|
|
|
|
2010-07-02 17:42:22 +02:00
|
|
|
# issuerForUnAuthUser(): must be implemented in IssuerDB* module
|
|
|
|
|
|
2010-01-28 15:47:51 +01:00
|
|
|
# extractFormInfo(): must be implemented in Auth* module
|
|
|
|
|
# * set $self->{user}
|
|
|
|
|
# * authenticate user if possible (or do it in authenticate())
|
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# getUser(): must be implemented in UserDB* module
|
2009-05-14 18:19:49 +02:00
|
|
|
|
2010-01-27 17:30:19 +01:00
|
|
|
## @apmethod int setAuthSessionInfo()
|
|
|
|
|
# Set _auth
|
|
|
|
|
# call setAuthSessionInfo in Auth* module
|
|
|
|
|
#@return Lemonldap::NG::Portal constant
|
|
|
|
|
sub setAuthSessionInfo {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
|
|
|
|
# Get the current authentication module
|
2010-03-15 10:53:56 +01:00
|
|
|
$self->{sessionInfo}->{_auth} = $self->get_module("auth");
|
2009-12-10 18:03:57 +01:00
|
|
|
|
2010-01-27 17:30:19 +01:00
|
|
|
return $self->SUPER::setAuthSessionInfo();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
## @apmethod int passwordDBInit()
|
|
|
|
|
# Set _passwordDB
|
|
|
|
|
# call passwordDBInit in passwordDB* module
|
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
|
sub passwordDBInit {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
2010-01-28 15:47:51 +01:00
|
|
|
# Get the current password module
|
2010-03-15 10:53:56 +01:00
|
|
|
$self->{sessionInfo}->{_passwordDB} = $self->get_module("password");
|
2010-01-27 17:30:19 +01:00
|
|
|
|
|
|
|
|
return $self->SUPER::passwordDBInit();
|
|
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# modifyPassword(): must be implemented in PasswordDB* module
|
2009-05-14 18:19:49 +02:00
|
|
|
|
2009-02-24 18:53:59 +01:00
|
|
|
##@apmethod int setSessionInfo()
|
2010-01-27 17:30:19 +01:00
|
|
|
# Set ipAddr, xForwardedForAddr, startTime, updateTime, _utime and _userDB
|
|
|
|
|
# Call setSessionInfo() in UserDB* module
|
2009-02-24 18:53:59 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
|
|
|
|
sub setSessionInfo {
|
|
|
|
|
my $self = shift;
|
2010-01-27 17:30:19 +01:00
|
|
|
|
2010-01-28 15:47:51 +01:00
|
|
|
# Get the current user module
|
2010-03-15 10:53:56 +01:00
|
|
|
$self->{sessionInfo}->{_userDB} = $self->get_module("user");
|
2009-02-24 18:53:59 +01:00
|
|
|
|
2010-01-11 17:04:36 +01:00
|
|
|
# Store IP address
|
2009-02-24 18:53:59 +01:00
|
|
|
$self->{sessionInfo}->{ipAddr} = $ENV{REMOTE_ADDR};
|
2009-06-14 18:43:02 +02:00
|
|
|
|
2010-01-11 17:04:36 +01:00
|
|
|
# Extract and store client IP from X-FORWARDED-FOR header
|
2009-06-03 16:52:22 +02:00
|
|
|
my $xheader = $ENV{HTTP_X_FORWARDED_FOR};
|
2009-06-04 16:27:36 +02:00
|
|
|
$xheader =~ s/(.*?)(\,)+.*/$1/ if $xheader;
|
2009-06-03 16:52:22 +02:00
|
|
|
$self->{sessionInfo}->{xForwardedForAddr} = $xheader || $ENV{REMOTE_ADDR};
|
2010-01-11 17:04:36 +01:00
|
|
|
|
2010-05-07 23:33:57 +02:00
|
|
|
# Date and time
|
2010-01-25 18:40:46 +01:00
|
|
|
if ( $self->{updateSession} ) {
|
|
|
|
|
$self->{sessionInfo}->{updateTime} =
|
|
|
|
|
&POSIX::strftime( "%Y%m%d%H%M%S", localtime() );
|
|
|
|
|
}
|
|
|
|
|
else {
|
2010-03-24 14:44:24 +01:00
|
|
|
$self->{sessionInfo}->{_utime} ||= time();
|
2010-03-01 21:32:28 +01:00
|
|
|
$self->{sessionInfo}->{startTime} =
|
|
|
|
|
&POSIX::strftime( "%Y%m%d%H%M%S", localtime() );
|
2010-01-25 18:40:46 +01:00
|
|
|
}
|
2010-05-07 23:33:57 +02:00
|
|
|
|
|
|
|
|
# Get environment variables matching exportedVars
|
|
|
|
|
foreach ( keys %{ $self->{exportedVars} } ) {
|
|
|
|
|
if ( my $tmp = $ENV{ $self->{exportedVars}->{$_} } ) {
|
|
|
|
|
$tmp =~ s/[\r\n]/ /gs;
|
|
|
|
|
$self->{sessionInfo}->{$_} = $tmp;
|
|
|
|
|
delete $self->{exportedVars}->{$_};
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Call UserDB setSessionInfo
|
2009-02-24 18:53:59 +01:00
|
|
|
return $self->SUPER::setSessionInfo();
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int setMacro()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Macro mechanism.
|
|
|
|
|
# * store macro results in $self->{sessionInfo}
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2007-01-13 20:34:03 +01:00
|
|
|
sub setMacros {
|
2008-11-20 19:13:27 +01:00
|
|
|
local $self = shift;
|
2009-02-05 18:05:18 +01:00
|
|
|
$self->safe->share('$self');
|
2008-11-20 19:13:27 +01:00
|
|
|
while ( my ( $n, $e ) = each( %{ $self->{macros} } ) ) {
|
2010-04-14 18:13:24 +02:00
|
|
|
$e =~ s/\$(?!ENV)(\w+)/\$self->{sessionInfo}->{$1}/g;
|
2008-12-11 18:02:02 +01:00
|
|
|
$self->{sessionInfo}->{$n} = $self->safe->reval($e);
|
2008-11-20 19:13:27 +01:00
|
|
|
}
|
2007-01-13 20:34:03 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-06-04 11:13:03 +02:00
|
|
|
##@apmethod int setLocalGroups()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Groups mechanism.
|
|
|
|
|
# * store all groups name that the user match in $self->{sessionInfo}->{groups}
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2009-06-04 11:13:03 +02:00
|
|
|
sub setLocalGroups {
|
2008-11-20 19:13:27 +01:00
|
|
|
local $self = shift;
|
|
|
|
|
my $groups;
|
2009-02-05 18:05:18 +01:00
|
|
|
$self->safe->share('$self');
|
2008-11-20 19:13:27 +01:00
|
|
|
while ( my ( $group, $expr ) = each %{ $self->{groups} } ) {
|
2008-11-24 07:57:18 +01:00
|
|
|
$expr =~ s/\$(\w+)/\$self->{sessionInfo}->{$1}/g;
|
2010-04-15 13:15:36 +02:00
|
|
|
$groups .= $group . $self->{multiValuesSeparator}
|
|
|
|
|
if ( $self->safe->reval($expr) );
|
2008-11-20 19:13:27 +01:00
|
|
|
}
|
|
|
|
|
$self->{sessionInfo}->{groups} = $groups;
|
2006-12-18 12:32:33 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# setGroups(): must be implemented in UserDB* module
|
2009-06-04 11:13:03 +02:00
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int authenticate()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Call authenticate() in Auth* module and call userNotice().
|
2009-02-17 15:56:38 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2009-02-15 18:58:38 +01:00
|
|
|
sub authenticate {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
my $tmp;
|
2009-02-17 16:39:14 +01:00
|
|
|
return $tmp if ( $tmp = $self->SUPER::authenticate() );
|
2010-02-05 11:21:48 +01:00
|
|
|
|
|
|
|
|
# Log good authentication
|
2010-04-15 15:46:45 +02:00
|
|
|
my $user = $self->{sessionInfo}->{ $self->{whatToTrace} };
|
|
|
|
|
$self->_sub( 'userNotice', "Good authentication for $user" ) if $user;
|
2010-02-05 11:21:48 +01:00
|
|
|
|
|
|
|
|
# Set _lastAuthnUTime
|
|
|
|
|
$self->{sessionInfo}->{_lastAuthnUTime} = time();
|
|
|
|
|
|
2009-02-15 18:58:38 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
2008-11-20 19:13:27 +01:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
##@apmethod int removeOther()
|
|
|
|
|
# check singleSession or singleIP parameters, and remove other sessions if needed
|
|
|
|
|
#@return Lemonldap::NG::Portal constant
|
2009-10-21 14:43:13 +02:00
|
|
|
sub removeOther {
|
2010-01-12 11:36:04 +01:00
|
|
|
my ( $self, $current ) = @_;
|
2010-01-15 23:01:04 +01:00
|
|
|
$self->{deleted} = [];
|
2010-01-12 10:53:49 +01:00
|
|
|
$self->{otherSessions} = [];
|
|
|
|
|
if ( $self->{singleSession} or $self->{singleIP} or $self->{notifyOther} ) {
|
2009-11-09 16:32:27 +01:00
|
|
|
my $sessions =
|
|
|
|
|
$self->{globalStorage}->searchOn( $self->{globalStorageOptions},
|
|
|
|
|
$self->{whatToTrace},
|
|
|
|
|
$self->{sessionInfo}->{ $self->{whatToTrace} } );
|
2009-10-21 14:43:13 +02:00
|
|
|
foreach my $id ( keys %$sessions ) {
|
2010-01-12 11:36:04 +01:00
|
|
|
next if ( $current and ( $current eq $id ) );
|
2010-04-30 07:27:06 +02:00
|
|
|
my $h = $self->getApacheSession( $id, 1 ) or next;
|
2010-01-12 10:53:49 +01:00
|
|
|
if (
|
|
|
|
|
$self->{singleSession}
|
|
|
|
|
or ( $self->{singleIP}
|
|
|
|
|
and $self->{sessionInfo}->{ipAddr} ne $h->{ipAddr} )
|
|
|
|
|
)
|
2009-11-09 16:32:27 +01:00
|
|
|
{
|
2010-01-11 17:04:36 +01:00
|
|
|
push @{ $self->{deleted} },
|
2010-01-12 10:53:49 +01:00
|
|
|
{
|
|
|
|
|
time => $h->{_utime},
|
|
|
|
|
ip => $h->{ipAddr},
|
|
|
|
|
user => $h->{ $self->{whatToTrace} },
|
|
|
|
|
};
|
2010-01-12 11:36:04 +01:00
|
|
|
$self->_deleteSession( $h, 1 );
|
2010-01-12 10:53:49 +01:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
push @{ $self->{otherSessions} },
|
|
|
|
|
{
|
|
|
|
|
time => $h->{_utime},
|
|
|
|
|
ip => $h->{ipAddr},
|
|
|
|
|
user => $h->{ $self->{whatToTrace} },
|
|
|
|
|
};
|
2009-11-25 13:38:22 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ( $self->{singleUserByIP} ) {
|
|
|
|
|
my $sessions =
|
|
|
|
|
$self->{globalStorage}->searchOn( $self->{globalStorageOptions},
|
2010-06-22 18:30:38 +02:00
|
|
|
'ipAddr', $ENV{REMOTE_ADDR} );
|
2009-11-25 13:38:22 +01:00
|
|
|
foreach my $id ( keys %$sessions ) {
|
2010-01-12 11:36:04 +01:00
|
|
|
next if ( $current and $current eq $id );
|
2010-04-30 07:27:06 +02:00
|
|
|
my $h = $self->getApacheSession( $id, 1 ) or next;
|
2009-12-11 22:17:06 +01:00
|
|
|
unless ( $self->{sessionInfo}->{ $self->{whatToTrace} } eq
|
|
|
|
|
$h->{ $self->{whatToTrace} } )
|
2009-11-25 13:38:22 +01:00
|
|
|
{
|
2010-01-11 17:04:36 +01:00
|
|
|
push @{ $self->{deleted} },
|
2010-01-12 10:53:49 +01:00
|
|
|
{
|
|
|
|
|
time => $h->{_utime},
|
|
|
|
|
ip => $h->{ipAddr},
|
|
|
|
|
user => $h->{ $self->{whatToTrace} },
|
|
|
|
|
};
|
2010-01-12 11:36:04 +01:00
|
|
|
$self->_deleteSession( $h, 1 );
|
2010-01-11 17:04:36 +01:00
|
|
|
}
|
2009-10-21 14:43:13 +02:00
|
|
|
}
|
2010-01-15 23:01:04 +01:00
|
|
|
}
|
2010-01-12 10:53:49 +01:00
|
|
|
$self->info(
|
|
|
|
|
$self->_mkDateIpArray(
|
2010-01-15 23:01:04 +01:00
|
|
|
&Lemonldap::NG::Portal::_i18n::msg( PM_SESSIONS_DELETED,
|
|
|
|
|
$ENV{HTTP_ACCEPT_LANGUAGE}
|
|
|
|
|
),
|
2010-01-12 10:53:49 +01:00
|
|
|
@{ $self->{deleted} }
|
|
|
|
|
)
|
|
|
|
|
) if ( $self->{notifyDeleted} and @{ $self->{deleted} } );
|
|
|
|
|
$self->info(
|
|
|
|
|
$self->_mkDateIpArray(
|
2010-01-15 23:01:04 +01:00
|
|
|
&Lemonldap::NG::Portal::_i18n::msg( PM_OTHER_SESSIONS,
|
|
|
|
|
$ENV{HTTP_ACCEPT_LANGUAGE}
|
|
|
|
|
),
|
2010-01-12 10:53:49 +01:00
|
|
|
@{ $self->{otherSessions} }
|
2010-01-15 23:01:04 +01:00
|
|
|
)
|
2010-08-20 15:48:09 +02:00
|
|
|
. $self->_mkRemoveOtherLink()
|
2010-01-12 10:53:49 +01:00
|
|
|
) if ( $self->{notifyOther} and @{ $self->{otherSessions} } );
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
##@method private string _mkDateIpArray(string title,array datas)
|
|
|
|
|
# Build the HTML array to display sessions deleted or found by removeOther()
|
|
|
|
|
# @param $title Title of the array
|
|
|
|
|
# @param @datas Array of hash ref containing sessions datas
|
|
|
|
|
# @return HTML string
|
|
|
|
|
sub _mkDateIpArray {
|
|
|
|
|
my ( $self, $title, @datas ) = @_;
|
2010-01-12 12:07:31 +01:00
|
|
|
my $tmp = "<h3>$title</h3>";
|
2010-01-15 23:01:04 +01:00
|
|
|
$tmp .= "<table class=\"info\"><tbody><tr>";
|
2010-01-12 10:53:49 +01:00
|
|
|
$tmp .= '<th>'
|
|
|
|
|
. &Lemonldap::NG::Portal::_i18n::msg( $_, $ENV{HTTP_ACCEPT_LANGUAGE} )
|
|
|
|
|
. '</th>'
|
2010-01-15 23:01:04 +01:00
|
|
|
foreach ( PM_USER, PM_DATE, PM_IP );
|
|
|
|
|
$tmp .= '</tr>';
|
2010-01-12 10:53:49 +01:00
|
|
|
foreach (@datas) {
|
|
|
|
|
$tmp .=
|
|
|
|
|
"<tr><td>$_->{user}</td><td>"
|
|
|
|
|
. "<script>var _date=new Date($_->{time}*1000);document.write(_date.toLocaleString());</script>"
|
|
|
|
|
. "</td><td>$_->{ip}</td></tr>";
|
2010-01-15 23:01:04 +01:00
|
|
|
}
|
|
|
|
|
$tmp .= '</tbody></table>';
|
2010-01-12 10:53:49 +01:00
|
|
|
return $tmp;
|
2009-10-21 14:43:13 +02:00
|
|
|
}
|
2010-01-12 10:53:49 +01:00
|
|
|
|
2010-08-20 15:48:09 +02:00
|
|
|
## @method private string _mkRemoveOtherLink()
|
|
|
|
|
# Build the removeOther link
|
2010-08-20 17:07:55 +02:00
|
|
|
# Last part of URL is built trough javascript
|
2010-08-20 15:48:09 +02:00
|
|
|
# @return removeOther link in HTML code
|
|
|
|
|
sub _mkRemoveOtherLink {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
2010-08-20 17:07:55 +02:00
|
|
|
my $link = $self->{portal} . "?removeOther=1";
|
2010-08-20 15:48:09 +02:00
|
|
|
|
|
|
|
|
return "<p class=\"removeOther\"><a href=\"$link\" onclick=\"_go=0\">"
|
|
|
|
|
. &Lemonldap::NG::Portal::_i18n::msg( PM_REMOVE_OTHER_SESSIONS,
|
|
|
|
|
$ENV{HTTP_ACCEPT_LANGUAGE} )
|
|
|
|
|
. "</a></p>";
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-11 15:02:43 +01:00
|
|
|
##@apmethod int grantSession()
|
|
|
|
|
# Check grantSessionRule to allow session creation.
|
|
|
|
|
#@return Lemonldap::NG::Portal constant
|
|
|
|
|
sub grantSession {
|
|
|
|
|
my ($self) = @_;
|
|
|
|
|
|
|
|
|
|
# Return PE_OK if no grantSessionRule
|
|
|
|
|
return PE_OK unless defined $self->{grantSessionRule};
|
|
|
|
|
|
|
|
|
|
# Eval grantSessionRule
|
|
|
|
|
my $grantSessionRule = $self->{grantSessionRule};
|
|
|
|
|
$grantSessionRule =~ s/\$(\w+)/\$self->{sessionInfo}->{$1}/g;
|
|
|
|
|
|
|
|
|
|
unless ( $self->safe->reval($grantSessionRule) ) {
|
2010-01-12 10:53:49 +01:00
|
|
|
$self->lmLog(
|
|
|
|
|
"User " . $self->{user} . " was not granted to open session",
|
|
|
|
|
'error' );
|
2010-01-11 15:02:43 +01:00
|
|
|
return PE_SESSIONNOTGRANTED;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-12 10:53:49 +01:00
|
|
|
$self->lmLog( "Session granted for " . $self->{user}, 'notice' );
|
2010-01-11 15:02:43 +01:00
|
|
|
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int store()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Store user's datas in sessions database.
|
|
|
|
|
# Now, the user is known, authenticated and session variable are evaluated.
|
|
|
|
|
# It's time to store his parameters with Apache::Session::* module
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub store {
|
|
|
|
|
my ($self) = @_;
|
2009-02-14 09:55:19 +01:00
|
|
|
|
|
|
|
|
# Now, user is authenticated => inform Apache
|
|
|
|
|
$self->setApacheUser( $self->{sessionInfo}->{ $self->{whatToTrace} } );
|
2010-01-25 18:40:46 +01:00
|
|
|
|
|
|
|
|
# Create second session for unsecure cookie
|
2009-03-31 12:52:43 +02:00
|
|
|
if ( $self->{securedCookie} == 2 ) {
|
2010-04-30 07:27:06 +02:00
|
|
|
my $h2 = $self->getApacheSession( undef, 1 );
|
2009-03-31 12:52:43 +02:00
|
|
|
$h2->{$_} = $self->{sessionInfo}->{$_}
|
|
|
|
|
foreach ( keys %{ $self->{sessionInfo} } );
|
|
|
|
|
$self->{sessionInfo}->{_httpSession} = $h2->{_session_id};
|
|
|
|
|
$h2->{_httpSessionType} = 1;
|
|
|
|
|
untie %$h2;
|
|
|
|
|
}
|
2010-01-25 18:40:46 +01:00
|
|
|
|
|
|
|
|
# Main session
|
|
|
|
|
my $h = $self->getApacheSession( $self->{id} )
|
|
|
|
|
or return PE_APACHESESSIONERROR;
|
2010-04-15 15:46:45 +02:00
|
|
|
foreach ( keys %{ $self->{sessionInfo} } ) {
|
|
|
|
|
next unless defined $self->{sessionInfo}->{$_};
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"Store " . $self->{sessionInfo}->{$_} . " in session key $_",
|
|
|
|
|
'debug' );
|
|
|
|
|
$h->{$_} = $self->{sessionInfo}->{$_};
|
|
|
|
|
}
|
2009-02-14 09:55:19 +01:00
|
|
|
untie %$h;
|
2010-01-25 18:40:46 +01:00
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2010-05-17 18:02:21 +02:00
|
|
|
## @apmethod int authFinish
|
|
|
|
|
# Call authFinish method from authentication module
|
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
|
sub authFinish {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
|
|
|
|
eval { $self->{error} = $self->SUPER::authFinish; };
|
|
|
|
|
if ($@) {
|
|
|
|
|
$self->lmLog(
|
2010-05-19 16:59:43 +02:00
|
|
|
"Optional authFinish method not defined in current authentication module: $@",
|
|
|
|
|
'debug'
|
|
|
|
|
);
|
2010-05-17 18:02:21 +02:00
|
|
|
return PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $self->{error};
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int buildCookie()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Build the Lemonldap::NG cookie.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub buildCookie {
|
|
|
|
|
my $self = shift;
|
2008-08-08 18:19:16 +02:00
|
|
|
push @{ $self->{cookie} },
|
|
|
|
|
$self->cookie(
|
2009-08-20 16:19:40 +02:00
|
|
|
-name => $self->{cookieName},
|
|
|
|
|
-value => $self->{id},
|
|
|
|
|
-domain => $self->{domain},
|
|
|
|
|
-path => "/",
|
|
|
|
|
-secure => $self->{securedCookie},
|
|
|
|
|
-httponly => $self->{httpOnly},
|
2009-12-03 12:47:50 +01:00
|
|
|
-expires => $self->{cookieExpiration},
|
2006-12-18 12:32:33 +01:00
|
|
|
@_,
|
2008-08-08 18:19:16 +02:00
|
|
|
);
|
2009-03-31 12:52:43 +02:00
|
|
|
if ( $self->{securedCookie} == 2 ) {
|
|
|
|
|
push @{ $self->{cookie} },
|
|
|
|
|
$self->cookie(
|
2009-08-20 16:19:40 +02:00
|
|
|
-name => $self->{cookieName} . "http",
|
|
|
|
|
-value => $self->{sessionInfo}->{_httpSession},
|
|
|
|
|
-domain => $self->{domain},
|
|
|
|
|
-path => "/",
|
|
|
|
|
-secure => 0,
|
|
|
|
|
-httponly => $self->{httpOnly},
|
2009-12-03 12:47:50 +01:00
|
|
|
-expires => $self->{cookieExpiration},
|
2009-03-31 12:52:43 +02:00
|
|
|
@_,
|
|
|
|
|
);
|
|
|
|
|
}
|
2006-12-18 12:32:33 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int checkNotification()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Check if messages has to be notified.
|
2009-01-30 16:26:34 +01:00
|
|
|
# Call Lemonldap::NG::Portal::Notification::getNotification().
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2008-11-24 07:57:18 +01:00
|
|
|
sub checkNotification {
|
|
|
|
|
my $self = shift;
|
2009-01-30 16:26:34 +01:00
|
|
|
if ( $self->{notification}
|
2010-01-11 17:04:36 +01:00
|
|
|
and $self->{_notification} ||=
|
2009-01-30 16:26:34 +01:00
|
|
|
$self->{notifObject}->getNotification($self) )
|
|
|
|
|
{
|
|
|
|
|
return PE_NOTIFICATION;
|
2008-11-24 07:57:18 +01:00
|
|
|
}
|
|
|
|
|
return PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2010-05-19 16:59:43 +02:00
|
|
|
## @apmethod int issuerForAuthUser()
|
|
|
|
|
# Check IssuerDB activation rule and then call IssuerDB module method
|
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
|
sub issuerForAuthUser {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
|
|
|
|
# If no rule defined, it's ok
|
|
|
|
|
return $self->SUPER::issuerForAuthUser()
|
|
|
|
|
unless defined $self->{issuerActivationRule};
|
|
|
|
|
|
|
|
|
|
# Check activation rule
|
|
|
|
|
my $issuerActivationRule = $self->{issuerActivationRule};
|
|
|
|
|
$issuerActivationRule =~ s/\$(\w+)/\$self->{sessionInfo}->{$1}/g;
|
|
|
|
|
|
|
|
|
|
$self->lmLog( "Applying issuerActivationRule: $issuerActivationRule",
|
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
|
|
unless ( $self->safe->reval($issuerActivationRule) ) {
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"User "
|
|
|
|
|
. $self->{sessionInfo}->{_user}
|
|
|
|
|
. " was not allowed to use IssuerDB module",
|
|
|
|
|
'warn'
|
|
|
|
|
);
|
|
|
|
|
return PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"User "
|
|
|
|
|
. $self->{sessionInfo}->{_user}
|
|
|
|
|
. " allowed to use IssuerDB module",
|
|
|
|
|
'debug'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
# Call IssuerDB module method
|
|
|
|
|
return $self->SUPER::issuerForAuthUser();
|
|
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int autoRedirect()
|
2009-12-10 18:03:57 +01:00
|
|
|
# If the user was redirected to the portal, we will now redirect him
|
|
|
|
|
# to the requested URL.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub autoRedirect {
|
|
|
|
|
my $self = shift;
|
2009-02-12 18:09:33 +01:00
|
|
|
|
2009-02-23 18:35:38 +01:00
|
|
|
# default redirection URL
|
2010-01-12 10:53:49 +01:00
|
|
|
$self->{urldc} ||= $self->{portal}
|
|
|
|
|
if ( $self->{mustRedirect} or $self->info() );
|
2010-01-11 17:04:36 +01:00
|
|
|
|
|
|
|
|
# Display info before redirecting
|
2010-08-20 12:31:20 +02:00
|
|
|
if ( $self->info() ) {
|
2010-08-20 17:07:55 +02:00
|
|
|
$self->{infoFormMethod} = $self->param('method') || "get";
|
2010-08-20 12:52:52 +02:00
|
|
|
$self->clearHiddenFormValue();
|
2010-08-20 12:31:20 +02:00
|
|
|
my ($query_string) = ( $self->{urldc} =~ /.+?\?(.+)/ );
|
|
|
|
|
if ($query_string) {
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"Transfrom query string $query_string into hidden form values",
|
|
|
|
|
'debug'
|
|
|
|
|
);
|
|
|
|
|
my $query = CGI->new($query_string);
|
|
|
|
|
my $formFields = $query->Vars;
|
|
|
|
|
foreach ( keys %$formFields ) {
|
|
|
|
|
$self->setHiddenFormValue( $_, $formFields->{$_}, "", 0 );
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return PE_INFO;
|
|
|
|
|
}
|
2009-02-23 18:35:38 +01:00
|
|
|
|
2009-02-12 18:09:33 +01:00
|
|
|
# Redirection should be made if
|
|
|
|
|
# - urldc defined
|
2010-01-15 23:01:04 +01:00
|
|
|
if ( $self->{urldc} ) {
|
2009-02-17 16:39:14 +01:00
|
|
|
|
2009-02-23 18:35:38 +01:00
|
|
|
# Cross-domain mechanism
|
2009-06-15 16:13:09 +02:00
|
|
|
if ( $self->{cda}
|
2009-02-17 16:39:14 +01:00
|
|
|
and $self->{id}
|
2010-06-04 10:43:42 +02:00
|
|
|
and $self->{urldc} !~ m#^http(s?)://[^/]*$self->{domain}/#oi )
|
2009-02-17 16:39:14 +01:00
|
|
|
{
|
2010-06-04 10:43:42 +02:00
|
|
|
my $ssl = $1;
|
2009-02-17 16:39:14 +01:00
|
|
|
$self->lmLog( 'CDA request', 'debug' );
|
|
|
|
|
$self->{urldc} .=
|
2010-06-21 17:29:59 +02:00
|
|
|
( $self->{urldc} =~ /\?/ ? '&' : '?' )
|
2009-02-23 18:35:38 +01:00
|
|
|
. $self->{cookieName} . "="
|
2010-06-21 17:29:59 +02:00
|
|
|
. (
|
|
|
|
|
( $self->{securedCookie} != 2 or $ssl )
|
2010-06-04 10:43:42 +02:00
|
|
|
? $self->{id}
|
2010-06-21 17:29:59 +02:00
|
|
|
: $self->{sessionInfo}->{_httpSession}
|
|
|
|
|
);
|
2009-02-17 16:39:14 +01:00
|
|
|
}
|
2008-05-11 21:21:39 +02:00
|
|
|
$self->updateStatus;
|
2006-12-18 12:32:33 +01:00
|
|
|
print $self->SUPER::redirect(
|
2009-02-12 18:09:33 +01:00
|
|
|
-uri => $self->{urldc},
|
2006-12-18 12:32:33 +01:00
|
|
|
-cookie => $self->{cookie},
|
2009-08-18 15:33:36 +02:00
|
|
|
-status => '303 See Other'
|
2006-12-18 12:32:33 +01:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
# Remove this lines if your browsers does not support redirections
|
|
|
|
|
# print << "EOF";
|
|
|
|
|
#<html>
|
|
|
|
|
#<head>
|
|
|
|
|
#<script language="Javascript">
|
|
|
|
|
#function redirect() {
|
2007-01-14 20:39:07 +01:00
|
|
|
# document.location.href='$u';
|
2006-12-18 12:32:33 +01:00
|
|
|
#}
|
|
|
|
|
#</script>
|
|
|
|
|
#</head>
|
|
|
|
|
#<body onload="redirect();">
|
2007-01-14 20:39:07 +01:00
|
|
|
# <h2>The document has moved <a href="$u">HERE</a></h2>
|
2006-12-18 12:32:33 +01:00
|
|
|
#</body>
|
|
|
|
|
#</html>
|
|
|
|
|
#EOF
|
2010-01-11 17:04:36 +01:00
|
|
|
$self->quit();
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-19 12:33:34 +01:00
|
|
|
## @method void returnSOAPMessage()
|
|
|
|
|
# Print SOAP message
|
|
|
|
|
# @return void
|
|
|
|
|
sub returnSOAPMessage {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
2010-06-02 11:12:35 +02:00
|
|
|
# Quit if no SOAP message
|
|
|
|
|
$self->quit() unless $self->{SOAPMessage};
|
2010-02-19 12:33:34 +01:00
|
|
|
|
|
|
|
|
# Print HTTP header and SOAP message
|
2010-02-22 11:08:14 +01:00
|
|
|
print $self->header( -type => 'application/xml' );
|
2010-02-19 12:33:34 +01:00
|
|
|
print $self->{SOAPMessage};
|
|
|
|
|
|
|
|
|
|
# Exit
|
|
|
|
|
$self->quit();
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-22 12:07:48 +01:00
|
|
|
## @method void autoPost()
|
|
|
|
|
# Transfer POST data with auto submit
|
|
|
|
|
# @return void
|
|
|
|
|
sub autoPost {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
2010-08-20 12:31:20 +02:00
|
|
|
# Get URL and Form fields
|
|
|
|
|
my $url = $self->{postUrl};
|
|
|
|
|
my $formFields = $self->{postFields};
|
|
|
|
|
|
2010-08-19 18:19:30 +02:00
|
|
|
# Display info before redirecting
|
|
|
|
|
if ( $self->info() ) {
|
2010-08-20 17:07:55 +02:00
|
|
|
$self->{infoFormMethod} = $self->param('method') || "post";
|
2010-08-20 12:52:52 +02:00
|
|
|
$self->clearHiddenFormValue();
|
2010-08-20 12:31:20 +02:00
|
|
|
$self->{urldc} = $url;
|
|
|
|
|
foreach ( keys %$formFields ) {
|
|
|
|
|
$self->setHiddenFormValue( $_, $formFields->{$_}, "", 0 );
|
|
|
|
|
}
|
2010-08-19 18:19:30 +02:00
|
|
|
return PE_INFO;
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-02 11:12:35 +02:00
|
|
|
# Quit if no URL
|
|
|
|
|
$self->quit() unless $self->{postUrl};
|
2010-02-22 12:07:48 +01:00
|
|
|
|
2010-06-01 11:59:37 +02:00
|
|
|
# Simple CSS
|
|
|
|
|
my $css = "
|
|
|
|
|
body {
|
|
|
|
|
background: #ddd;
|
|
|
|
|
color: #fff;
|
|
|
|
|
}
|
|
|
|
|
h1 {
|
|
|
|
|
size: 10pt;
|
|
|
|
|
text-align: center;
|
|
|
|
|
letter-spacing: 5px;
|
|
|
|
|
margin-top: 100px;
|
|
|
|
|
}
|
|
|
|
|
form {
|
|
|
|
|
display: none;
|
|
|
|
|
}
|
|
|
|
|
";
|
|
|
|
|
|
2010-06-01 12:11:35 +02:00
|
|
|
my $message =
|
|
|
|
|
&Lemonldap::NG::Portal::_i18n::msg( PM_REDIRECTION,
|
|
|
|
|
$ENV{HTTP_ACCEPT_LANGUAGE} );
|
|
|
|
|
|
2010-02-22 12:07:48 +01:00
|
|
|
# Print page
|
|
|
|
|
print $self->header();
|
2010-06-01 12:11:35 +02:00
|
|
|
print $self->start_html( -title => $message, -style => { -code => $css } );
|
2010-06-01 11:59:37 +02:00
|
|
|
|
2010-06-01 12:11:35 +02:00
|
|
|
print $self->h1($message);
|
2010-06-01 11:59:37 +02:00
|
|
|
|
2010-02-22 12:07:48 +01:00
|
|
|
print $self->start_form( -action => $url );
|
|
|
|
|
|
|
|
|
|
$self->lmLog( "POST form action: $url", 'debug' );
|
|
|
|
|
|
|
|
|
|
# Create fields
|
|
|
|
|
foreach ( keys %$formFields ) {
|
|
|
|
|
print $self->textfield( -name => $_, -value => $formFields->{$_} );
|
|
|
|
|
$self->lmLog( "POST field $_: " . $formFields->{$_}, 'debug' );
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
print $self->submit();
|
|
|
|
|
print $self->end_form();
|
|
|
|
|
|
|
|
|
|
# Auto submit javascript
|
|
|
|
|
print "<script language=\"JavaScript\" type=\"text/javascript\">\n";
|
|
|
|
|
print "document.forms[0].submit();\n";
|
|
|
|
|
print "</script>\n";
|
|
|
|
|
|
|
|
|
|
# End page
|
|
|
|
|
print $self->end_html();
|
|
|
|
|
|
|
|
|
|
# Exit
|
|
|
|
|
$self->quit();
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
1;
|
|
|
|
|
|
|
|
|
|
__END__
|
|
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
2010-01-03 09:09:59 +01:00
|
|
|
=encoding utf8
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
Lemonldap::NG::Portal::Simple - Base module for building Lemonldap::NG compatible portals
|
|
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
|
|
use Lemonldap::NG::Portal::Simple;
|
|
|
|
|
my $portal = new Lemonldap::NG::Portal::Simple(
|
2007-04-10 07:15:26 +02:00
|
|
|
domain => 'example.com',
|
2006-12-18 12:32:33 +01:00
|
|
|
globalStorage => 'Apache::Session::MySQL',
|
2007-01-14 20:39:07 +01:00
|
|
|
globalStorageOptions => {
|
|
|
|
|
DataSource => 'dbi:mysql:database=dbname;host=127.0.0.1',
|
|
|
|
|
UserName => 'db_user',
|
|
|
|
|
Password => 'db_password',
|
|
|
|
|
TableName => 'sessions',
|
|
|
|
|
LockDataSource => 'dbi:mysql:database=dbname;host=127.0.0.1',
|
|
|
|
|
LockUserName => 'db_user',
|
|
|
|
|
LockPassword => 'db_password',
|
|
|
|
|
},
|
2007-05-15 06:31:10 +02:00
|
|
|
ldapServer => 'ldap.domaine.com,ldap-backup.domaine.com',
|
2007-01-14 20:39:07 +01:00
|
|
|
securedCookie => 1,
|
2008-09-10 12:40:01 +02:00
|
|
|
exportedVars => {
|
|
|
|
|
uid => 'uid',
|
|
|
|
|
cn => 'cn',
|
|
|
|
|
mail => 'mail',
|
|
|
|
|
appli => 'appli',
|
2008-12-07 21:07:52 +01:00
|
|
|
},
|
|
|
|
|
# Activate SOAP service
|
|
|
|
|
Soap => 1
|
2006-12-18 12:32:33 +01:00
|
|
|
);
|
2008-12-07 21:07:52 +01:00
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
if($portal->process()) {
|
|
|
|
|
# Write here the menu with CGI methods. This page is displayed ONLY IF
|
|
|
|
|
# the user was not redirected here.
|
2008-06-06 05:51:39 +02:00
|
|
|
print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see L<CGI(3)>)
|
2006-12-18 12:32:33 +01:00
|
|
|
print "...";
|
|
|
|
|
|
|
|
|
|
# or redirect the user to the menu
|
|
|
|
|
print $portal->redirect( -uri => 'https://portal/menu');
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
# Write here the html form used to authenticate with CGI methods.
|
|
|
|
|
# $portal->error returns the error message if athentification failed
|
|
|
|
|
# Warning: by defaut, input names are "user" and "password"
|
2008-06-06 05:51:39 +02:00
|
|
|
print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see L<CGI(3)>)
|
2006-12-18 12:32:33 +01:00
|
|
|
print "...";
|
|
|
|
|
print '<form method="POST">';
|
|
|
|
|
# In your form, the following value is required for redirection
|
|
|
|
|
print '<input type="hidden" name="url" value="'.$portal->param('url').'">';
|
|
|
|
|
# Next, login and password
|
|
|
|
|
print 'Login : <input name="user"><br>';
|
|
|
|
|
print 'Password : <input name="password" type="password" autocomplete="off">';
|
|
|
|
|
print '<input type="submit" value="go" />';
|
|
|
|
|
print '</form>';
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-07 21:07:52 +01:00
|
|
|
SOAP mode authentication (client) :
|
|
|
|
|
|
|
|
|
|
#!/usr/bin/perl -l
|
|
|
|
|
|
|
|
|
|
use SOAP::Lite;
|
|
|
|
|
use Data::Dumper;
|
|
|
|
|
|
|
|
|
|
my $soap =
|
|
|
|
|
SOAP::Lite->proxy('http://auth.example.com/')
|
2009-02-08 20:12:08 +01:00
|
|
|
->uri('urn:/Lemonldap::NG::Common::CGI::SOAPService');
|
2008-12-07 21:07:52 +01:00
|
|
|
my $r = $soap->getCookies( 'user', 'password' );
|
|
|
|
|
|
|
|
|
|
# Catch SOAP errors
|
|
|
|
|
if ( $r->fault ) {
|
|
|
|
|
print STDERR "SOAP Error: " . $r->fault->{faultstring};
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
my $res = $r->result();
|
|
|
|
|
|
|
|
|
|
# If authentication failed, display error
|
|
|
|
|
if ( $res->{error} ) {
|
|
|
|
|
print STDERR "Error: " . $soap->error( 'fr', $res->{error} )->result();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# print session-ID
|
|
|
|
|
else {
|
|
|
|
|
print "Cookie: lemonldap=" . $res->{cookies}->{lemonldap};
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG::Portal::Simple is the base module for building Lemonldap::NG
|
|
|
|
|
compatible portals. You can use it either by inheritance or by writing
|
|
|
|
|
anonymous methods like in the example above.
|
|
|
|
|
|
2006-12-24 09:37:27 +01:00
|
|
|
See L<Lemonldap::NG::Portal::SharedConf> for a complete example of use of
|
2006-12-18 12:32:33 +01:00
|
|
|
Lemonldap::Portal::* libraries.
|
|
|
|
|
|
|
|
|
|
=head1 METHODS
|
|
|
|
|
|
|
|
|
|
=head2 Constructor (new)
|
|
|
|
|
|
|
|
|
|
=head3 Args
|
|
|
|
|
|
|
|
|
|
=over
|
|
|
|
|
|
2010-06-08 12:39:34 +02:00
|
|
|
=item * ldapServer: server(s) used to retrive session information and to valid
|
2007-05-15 06:31:10 +02:00
|
|
|
credentials (localhost by default). More than one server can be set here
|
|
|
|
|
separated by commas. The servers will be tested in the specifies order.
|
2007-07-22 22:30:27 +02:00
|
|
|
To use TLS, set "ldap+tls://server" and to use LDAPS, set "ldaps://server"
|
|
|
|
|
instead of server name. If you use TLS, you can set any of the
|
|
|
|
|
Net::LDAP->start_tls() sub like this:
|
|
|
|
|
"ldap/tls://server/verify=none&capath=/etc/ssl"
|
|
|
|
|
You can also use caFile and caPath parameters.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=item * ldapPort: tcp port used by ldap server.
|
|
|
|
|
|
|
|
|
|
=item * ldapBase: base of the ldap directory.
|
|
|
|
|
|
|
|
|
|
=item * managerDn: dn to used to connect to ldap server. By default, anonymous
|
|
|
|
|
bind is used.
|
|
|
|
|
|
|
|
|
|
=item * managerPassword: password to used to connect to ldap server. By
|
|
|
|
|
default, anonymous bind is used.
|
|
|
|
|
|
2007-07-22 22:30:27 +02:00
|
|
|
=item * securedCookie: set it to 1 if you want to protect user cookies.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2007-07-22 22:30:27 +02:00
|
|
|
=item * cookieName: name of the cookie used by Lemonldap::NG (lemon by default).
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=item * domain: cookie domain. You may have to give it else the SSO will work
|
|
|
|
|
only on your server.
|
|
|
|
|
|
|
|
|
|
=item * globalStorage: required: L<Apache::Session> library to used to store
|
2010-06-08 12:39:34 +02:00
|
|
|
session information.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=item * globalStorageOptions: parameters to bind to L<Apache::Session> module
|
|
|
|
|
|
|
|
|
|
=item * authentication: sheme to authenticate users (default: "ldap"). It can
|
|
|
|
|
be set to:
|
|
|
|
|
|
|
|
|
|
=over
|
|
|
|
|
|
|
|
|
|
=item * B<SSL>: See L<Lemonldap::NG::Portal::AuthSSL>.
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
2007-07-22 22:30:27 +02:00
|
|
|
=item * caPath, caFile: if you use ldap+tls you can overwrite cafile or capath
|
2010-01-03 09:09:59 +01:00
|
|
|
options with those parameters. This is useful if you use a shared
|
2007-07-22 22:30:27 +02:00
|
|
|
configuration.
|
|
|
|
|
|
2008-05-10 11:31:43 +02:00
|
|
|
=item * ldapPpolicyControl: set it to 1 if you want to use LDAP Password Policy
|
|
|
|
|
|
2010-01-11 15:02:43 +01:00
|
|
|
=item * grantSessionRule: rule applied to grant session opening for a user. Can
|
|
|
|
|
use all exported attributes, macros, groups and custom functions.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=head2 Methods that can be overloaded
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
All the functions above can be overloaded to adapt Lemonldap::NG to your
|
2006-12-18 12:32:33 +01:00
|
|
|
environment. They MUST return one of the exported constants (see above)
|
|
|
|
|
and are called in this order by process().
|
|
|
|
|
|
|
|
|
|
=head3 controlUrlOrigin
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
If the user was redirected by a Lemonldap::NG handler, stores the url that will be
|
2006-12-18 12:32:33 +01:00
|
|
|
used to redirect the user after authentication.
|
|
|
|
|
|
|
|
|
|
=head3 controlExistingSession
|
|
|
|
|
|
2007-02-11 09:31:56 +01:00
|
|
|
Controls if a previous session is always available. If true, it call the sub
|
|
|
|
|
C<existingSession> with two parameters: id and a scalar tied on Apache::Session
|
|
|
|
|
module choosed to store sessions. See bellow
|
|
|
|
|
|
|
|
|
|
=head3 existingSession
|
|
|
|
|
|
|
|
|
|
This sub is called only if a previous session exists and is available. By
|
|
|
|
|
defaults, it returns PE_OK so user is re-authenticated. You can overload it:
|
|
|
|
|
for example if existingSession just returns PE_DONE: authenticated users are
|
|
|
|
|
not re-authenticated and C<>process> returns true.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head3 extractFormInfo
|
|
|
|
|
|
2008-06-11 08:00:26 +02:00
|
|
|
Method implemented into Lemonldap::NG::Portal::Auth* modules. By default
|
|
|
|
|
(ldap bind), converts form input into object variables ($self->{user} and
|
2006-12-18 12:32:33 +01:00
|
|
|
$self->{password}).
|
|
|
|
|
|
|
|
|
|
=head3 formateParams
|
|
|
|
|
|
|
|
|
|
Does nothing. To be overloaded if needed.
|
|
|
|
|
|
|
|
|
|
=head3 formateFilter
|
|
|
|
|
|
|
|
|
|
Creates the ldap filter using $self->{user}. By default :
|
|
|
|
|
|
2008-05-30 06:47:32 +02:00
|
|
|
$self->{filter} = "(&(uid=" . $self->{user} . ")(objectClass=inetOrgPerson))";
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2009-04-05 10:12:16 +02:00
|
|
|
If $self->{AuthLDAPFilter} is set, it is used instead of this. This is used by
|
2008-06-11 08:00:26 +02:00
|
|
|
Lemonldap::NG::Portal::Auth* modules to overload filter.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 connectLDAP
|
|
|
|
|
|
|
|
|
|
Connects to LDAP server.
|
|
|
|
|
|
|
|
|
|
=head3 bind
|
|
|
|
|
|
|
|
|
|
Binds to the LDAP server using $self->{managerDn} and $self->{managerPassword}
|
|
|
|
|
if exist. Anonymous bind is provided else.
|
|
|
|
|
|
|
|
|
|
=head3 search
|
|
|
|
|
|
|
|
|
|
Retrives the LDAP entry corresponding to the user using $self->{filter}.
|
|
|
|
|
|
2008-06-11 08:00:26 +02:00
|
|
|
=head3 setAuthSessionInfo
|
|
|
|
|
|
|
|
|
|
Same as setSessionInfo but implemented in Lemonldap::NG::Portal::Auth* modules.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 setSessionInfo
|
|
|
|
|
|
|
|
|
|
Prepares variables to store in central cache (stored temporarily in
|
|
|
|
|
C<$self->{sessionInfo}>). It use C<exportedVars> entry (passed to the new sub)
|
|
|
|
|
if defined to know what to store else it stores uid, cn and mail attributes.
|
|
|
|
|
|
2008-09-19 17:28:00 +02:00
|
|
|
=head3 getSessionInfo
|
|
|
|
|
|
|
|
|
|
Pick up an information stored in session.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 setGroups
|
|
|
|
|
|
|
|
|
|
Does nothing by default.
|
|
|
|
|
|
|
|
|
|
=head3 authenticate
|
|
|
|
|
|
2008-06-11 08:00:26 +02:00
|
|
|
Method implemented in Lemonldap::NG::Portal::Auth* modules. By default (ldap),
|
|
|
|
|
authenticates the user by rebinding to the LDAP server using the dn retrived
|
2006-12-18 12:32:33 +01:00
|
|
|
with search() and the password.
|
|
|
|
|
|
2010-01-11 15:02:43 +01:00
|
|
|
=head3 grantSession
|
|
|
|
|
|
|
|
|
|
Use grantSessionRule parameter to allow session opening.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 store
|
|
|
|
|
|
2010-06-08 12:39:34 +02:00
|
|
|
Stores information collected by setSessionInfo into the central cache.
|
2006-12-18 12:32:33 +01:00
|
|
|
The portal connects the cache using the L<Apache::Session> module passed by
|
|
|
|
|
the globalStorage parameters (see constructor).
|
|
|
|
|
|
|
|
|
|
=head3 unbind
|
|
|
|
|
|
|
|
|
|
Disconnects from the LDAP server.
|
|
|
|
|
|
|
|
|
|
=head3 buildCookie
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
Creates the Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head3 log
|
|
|
|
|
|
|
|
|
|
Does nothing. To be overloaded if wanted.
|
|
|
|
|
|
2007-01-11 07:42:57 +01:00
|
|
|
=head3 autoRedirect
|
|
|
|
|
|
|
|
|
|
Redirects the user to the url stored by controlUrlOrigin().
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head2 Other methods
|
|
|
|
|
|
|
|
|
|
=head3 process
|
|
|
|
|
|
|
|
|
|
Main method.
|
|
|
|
|
|
|
|
|
|
=head3 error
|
|
|
|
|
|
|
|
|
|
Returns the error message corresponding to the error returned by the methods
|
|
|
|
|
described above
|
|
|
|
|
|
2008-09-19 17:28:00 +02:00
|
|
|
=head3 error_type
|
|
|
|
|
|
|
|
|
|
Give the type of the error (positive, warning or positive)
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 _bind( $ldap, $dn, $password )
|
|
|
|
|
|
2008-06-06 05:51:39 +02:00
|
|
|
Method used to bind to the ldap server.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head3 header
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
Overloads the CGI::header method to add Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head3 redirect
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
Overloads the CGI::redirect method to add Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head2 EXPORT
|
|
|
|
|
|
|
|
|
|
=head3 Constants
|
|
|
|
|
|
|
|
|
|
=over 5
|
|
|
|
|
|
|
|
|
|
=item * B<PE_OK>: all is good
|
|
|
|
|
|
|
|
|
|
=item * B<PE_SESSIONEXPIRED>: the user session has expired
|
|
|
|
|
|
|
|
|
|
=item * B<PE_FORMEMPTY>: Nothing was entered in the login form
|
|
|
|
|
|
|
|
|
|
=item * B<PE_USERNOTFOUND>: the user was not found in the (ldap) directory
|
|
|
|
|
|
|
|
|
|
=item * B<PE_WRONGMANAGERACCOUNT>: the account used to bind to LDAP server in order to
|
|
|
|
|
find the user distinguished name (dn) was refused by the server
|
|
|
|
|
|
|
|
|
|
=item * B<PE_BADCREDENTIALS>: bad login or password
|
|
|
|
|
|
|
|
|
|
=item * B<PE_LDAPERROR>: abnormal error from ldap
|
|
|
|
|
|
|
|
|
|
=item * B<PE_APACHESESSIONERROR>: abnormal error from Apache::Session
|
|
|
|
|
|
|
|
|
|
=item * B<PE_FIRSTACCESS>: First access to the portal
|
|
|
|
|
|
|
|
|
|
=item * B<PE_BADCERTIFICATE>: Wrong certificate
|
|
|
|
|
|
2008-06-11 08:00:26 +02:00
|
|
|
=item * PE_PP_ACCOUNT_LOCKED: account locked
|
|
|
|
|
|
|
|
|
|
=item * PE_PP_PASSWORD_EXPIRED: password axpired
|
|
|
|
|
|
|
|
|
|
=item * PE_CERTIFICATEREQUIRED: certificate required
|
|
|
|
|
|
|
|
|
|
=item * PE_ERROR: unclassified error
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
2007-04-02 21:13:05 +02:00
|
|
|
L<Lemonldap::NG::Handler>, L<Lemonldap::NG::Portal::SharedConf>, L<CGI>,
|
|
|
|
|
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head1 AUTHOR
|
|
|
|
|
|
|
|
|
|
Xavier Guimard, E<lt>x.guimard@free.frE<gt>
|
|
|
|
|
|
2007-04-14 15:12:11 +02:00
|
|
|
=head1 BUG REPORT
|
|
|
|
|
|
|
|
|
|
Use OW2 system to report bug or ask for features:
|
|
|
|
|
L<http://forge.objectweb.org/tracker/?group_id=274>
|
|
|
|
|
|
|
|
|
|
=head1 DOWNLOAD
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG is available at
|
|
|
|
|
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head1 COPYRIGHT AND LICENSE
|
|
|
|
|
|
2009-12-13 16:40:33 +01:00
|
|
|
Copyright (C) 2005-2009 by Xavier Guimard E<lt>x.guimard@free.frE<gt> and
|
|
|
|
|
Clement Oudot, E<lt>coudot@linagora.comE<gt>
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the same terms as Perl itself, either Perl version 5.8.4 or,
|
|
|
|
|
at your option, any later version of Perl 5 you may have available.
|
|
|
|
|
|
|
|
|
|
=cut
|
