2010-02-21 15:00:53 +01:00
|
|
|
##@file
|
|
|
|
# OpenID authentication backend file
|
|
|
|
|
|
|
|
##@class
|
2010-02-21 15:47:16 +01:00
|
|
|
# OpenID authentication backend class.
|
2010-09-02 12:38:28 +02:00
|
|
|
# The form must return a openid_identifier field
|
2010-02-21 15:00:53 +01:00
|
|
|
package Lemonldap::NG::Portal::AuthOpenID;
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
use Lemonldap::NG::Portal::Simple;
|
|
|
|
use LWP::UserAgent;
|
2010-09-01 11:16:02 +02:00
|
|
|
require Cache::FileCache;
|
2010-02-21 15:00:53 +01:00
|
|
|
|
|
|
|
our $VERSION = '0.1';
|
2010-09-23 17:09:27 +02:00
|
|
|
our $initDone;
|
2010-02-21 15:00:53 +01:00
|
|
|
|
|
|
|
## @apmethod int authInit()
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub authInit {
|
|
|
|
my $self = shift;
|
2010-09-23 17:09:27 +02:00
|
|
|
$self->{openIdSecret} ||= $self->{cipher}->encrypt(0);
|
|
|
|
return PE_OK if ($initDone);
|
|
|
|
|
2010-09-01 11:16:02 +02:00
|
|
|
eval { require Net::OpenID::Consumer };
|
|
|
|
$self->abort( 'Unable to load Net::OpenID::Consumer', $@ ) if ($@);
|
2010-09-23 17:09:27 +02:00
|
|
|
|
|
|
|
$initDone = 1;
|
2010-02-21 15:00:53 +01:00
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @apmethod int extractFormInfo()
|
|
|
|
# Read username return by OpenID authentication system.
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub extractFormInfo {
|
|
|
|
my $self = shift;
|
2010-02-27 15:10:23 +01:00
|
|
|
|
2010-08-27 17:35:53 +02:00
|
|
|
my $ua = LWP::UserAgent->new();
|
2010-09-01 14:52:56 +02:00
|
|
|
|
2010-08-27 17:35:53 +02:00
|
|
|
# TODO : LWP options to use a proxy for example
|
2010-02-27 15:10:23 +01:00
|
|
|
$self->{csr} = Net::OpenID::Consumer->new(
|
2010-08-27 17:35:53 +02:00
|
|
|
ua => $ua,
|
2010-09-01 11:16:02 +02:00
|
|
|
cache => $self->{refLocalStorage} || Cache::FileCache->new,
|
2010-02-27 15:10:23 +01:00
|
|
|
args => $self,
|
|
|
|
consumer_secret => $self->{openIdSecret},
|
|
|
|
required_root => $self->{portal},
|
|
|
|
);
|
|
|
|
|
2010-02-21 15:00:53 +01:00
|
|
|
my ( $url, $openid );
|
|
|
|
|
|
|
|
# 1. If no openid element has been detected
|
2010-02-27 15:10:23 +01:00
|
|
|
$openid = $self->param('openid');
|
2010-02-21 15:00:53 +01:00
|
|
|
return PE_FIRSTACCESS
|
2010-09-02 12:38:28 +02:00
|
|
|
unless ( $url = $self->param('openid_identifier') or $openid );
|
2010-02-21 15:00:53 +01:00
|
|
|
|
|
|
|
# 2. Check OpenID responses
|
|
|
|
if ($openid) {
|
|
|
|
my $csr = $self->{csr};
|
|
|
|
|
|
|
|
# Remote error
|
|
|
|
unless ( $csr->is_server_response() ) {
|
|
|
|
$self->{msg} = 'No OpenID valid message found' . $csr->err();
|
|
|
|
$self->lmLog( $self->{msg}, 'debug' );
|
|
|
|
return PE_BADCREDENTIALS;
|
|
|
|
}
|
|
|
|
|
2010-02-21 15:47:16 +01:00
|
|
|
# If confirmation is needed
|
2010-02-21 15:00:53 +01:00
|
|
|
if ( my $setup_url = $csr->user_setup_url ) {
|
2010-02-27 15:10:23 +01:00
|
|
|
$self->lmLog( 'OpenID confirmation needed', 'debug' );
|
2010-02-21 15:47:16 +01:00
|
|
|
print $self->redirect($setup_url);
|
|
|
|
$self->quit();
|
2010-02-21 15:00:53 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
# Check if user has refused to share his authentication
|
|
|
|
elsif ( $csr->user_cancel() ) {
|
|
|
|
$self->{msg} = "OpenID request cancelled by user";
|
|
|
|
$self->lmLog( $self->{msg}, 'debug' );
|
|
|
|
return PE_FIRSTACCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
# TODO: check verified identity
|
2010-02-27 15:10:23 +01:00
|
|
|
elsif ( $self->{vident} = $csr->verified_identity ) {
|
|
|
|
$self->{user} = $self->{vident}->url();
|
|
|
|
$self->lmLog( "OpenID good authentication for $self->{user}",
|
|
|
|
'debug' );
|
|
|
|
$self->{mustRedirect} = 1;
|
2010-02-21 15:00:53 +01:00
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Other errors
|
|
|
|
else {
|
2010-02-27 15:10:23 +01:00
|
|
|
$self->{msg} = 'OpenID error: ' . $csr->err;
|
2010-02-21 15:47:16 +01:00
|
|
|
$self->lmLog( $self->{msg}, 'debug' );
|
|
|
|
return PE_ERROR;
|
2010-02-21 15:00:53 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# 3. Check if an OpenID url has been submitted
|
|
|
|
else {
|
|
|
|
my $claimed_identity = $self->{csr}->claimed_identity($url);
|
|
|
|
|
|
|
|
# Check if url is valid
|
|
|
|
unless ($claimed_identity) {
|
|
|
|
$self->{msg} = "OpenID error : " . $self->{csr}->err();
|
|
|
|
$self->lmLog( $self->{msg}, 'debug' );
|
|
|
|
return PE_BADCREDENTIALS;
|
|
|
|
}
|
|
|
|
|
2010-09-03 15:34:35 +02:00
|
|
|
# Build the redirection
|
2010-02-21 15:00:53 +01:00
|
|
|
$self->lmLog( "OpenID redirection to $url", 'debug' );
|
|
|
|
my $check_url = $claimed_identity->check_url(
|
2010-09-03 15:34:35 +02:00
|
|
|
return_to => $self->{portal}
|
|
|
|
. '?openid=1'
|
2010-09-03 16:58:25 +02:00
|
|
|
. ( $self->{_url} ? "&url=$self->{_url}" : '' )
|
|
|
|
. (
|
|
|
|
$self->param( $self->{authChoiceParam} )
|
|
|
|
? "&"
|
|
|
|
. $self->{authChoiceParam} . "="
|
|
|
|
. $self->param( $self->{authChoiceParam} )
|
|
|
|
: ''
|
|
|
|
),
|
2010-06-14 08:19:34 +02:00
|
|
|
trust_root => $self->{portal},
|
|
|
|
delayed_return => 1,
|
2010-02-21 15:00:53 +01:00
|
|
|
);
|
2010-09-03 15:34:35 +02:00
|
|
|
|
|
|
|
# If UserDB uses OpenID, add "OpenID Simple Registration Extension"
|
|
|
|
# compatible fields
|
|
|
|
if ( $self->{userDB} =~ /^OpenID/
|
|
|
|
or $self->{stack}->[1]->[0]->{m} =~ /^OpenID/ )
|
|
|
|
{
|
|
|
|
my ( @r, @o );
|
2010-09-24 16:21:19 +02:00
|
|
|
while ( my ( $v, $k ) = each %{ $self->{exportedVars} } ) {
|
2010-09-03 15:34:35 +02:00
|
|
|
if ( $k =~
|
|
|
|
/^(?:(?:(?:full|nick)nam|languag|postcod|timezon)e|country|gender|email|dob)$/
|
|
|
|
)
|
|
|
|
{
|
2010-09-24 16:21:19 +02:00
|
|
|
if ( $v =~ s/^!// ) { push @r, $k }
|
2010-09-29 08:42:48 +02:00
|
|
|
else { push @o, $k }
|
2010-09-03 15:34:35 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog(
|
|
|
|
"Unknown \"OpenID Simple Registration Extension\" field name: $k",
|
|
|
|
'error'
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
2010-09-24 16:21:19 +02:00
|
|
|
my @tmp;
|
|
|
|
push @tmp, 'openid.sreg.required' => join( ',', @r ) if (@r);
|
|
|
|
push @tmp, 'openid.sreg.optional' => join( ',', @o ) if (@o);
|
2010-09-03 15:34:35 +02:00
|
|
|
OpenID::util::push_url_arg( \$check_url, @tmp ) if (@tmp);
|
|
|
|
}
|
2010-02-21 15:47:16 +01:00
|
|
|
print $self->redirect($check_url);
|
|
|
|
$self->quit();
|
2010-02-21 15:00:53 +01:00
|
|
|
}
|
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @apmethod int setAuthSessionInfo()
|
2010-04-14 17:37:57 +02:00
|
|
|
# Set _user and authenticationLevel.
|
2010-02-21 15:00:53 +01:00
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub setAuthSessionInfo {
|
|
|
|
my $self = shift;
|
|
|
|
|
2010-03-15 10:53:56 +01:00
|
|
|
$self->{sessionInfo}->{'_user'} = $self->{user};
|
2010-02-21 15:00:53 +01:00
|
|
|
|
2010-09-01 18:06:01 +02:00
|
|
|
$self->{sessionInfo}->{authenticationLevel} = $self->{openIdAuthnLevel};
|
2010-04-14 17:37:57 +02:00
|
|
|
|
2010-02-21 15:00:53 +01:00
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @apmethod int authenticate()
|
|
|
|
# Does nothing.
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub authenticate {
|
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
2010-09-01 10:59:39 +02:00
|
|
|
## @apmethod int authFinish()
|
|
|
|
# Does nothing.
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub authFinish {
|
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @apmethod int authLogout()
|
|
|
|
# Does nothing
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
sub authLogout {
|
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
## @apmethod boolean authForce()
|
|
|
|
# Does nothing
|
|
|
|
# @return result
|
|
|
|
sub authForce {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-02-21 15:00:53 +01:00
|
|
|
1;
|
|
|
|
__END__
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
=encoding utf8
|
|
|
|
|
2010-02-27 23:37:59 +01:00
|
|
|
Lemonldap::NG::Portal::AuthOpenID - Perl extension for building Lemonldap::NG
|
2010-02-21 15:00:53 +01:00
|
|
|
compatible portals with OpenID authentication.
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
use Lemonldap::NG::Portal::SharedConf;
|
|
|
|
my $portal = new Lemonldap::NG::Portal::Simple(
|
|
|
|
configStorage => {...}, # See Lemonldap::NG::Portal
|
|
|
|
authentication => 'OpenID',
|
|
|
|
);
|
|
|
|
|
|
|
|
if($portal->process()) {
|
|
|
|
# Write here the menu with CGI methods. This page is displayed ONLY IF
|
|
|
|
# the user was not redirected here.
|
|
|
|
print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
|
|
|
|
print "...";
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
# If the user enters here, IT MEANS THAT CAS REDIRECTION DOES NOT WORK
|
|
|
|
print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
|
|
|
|
print "<html><body><h1>Unable to work</h1>";
|
|
|
|
print "This server isn't well configured. Contact your administrator.";
|
|
|
|
print "</body></html>";
|
|
|
|
}
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
This library just overload few methods of Lemonldap::NG::Portal::Simple to use
|
|
|
|
OpenID authentication mechanism.
|
|
|
|
|
|
|
|
See L<Lemonldap::NG::Portal::Simple> for usage and other methods.
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
|
|
L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::Simple>,
|
|
|
|
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation
|
|
|
|
|
|
|
|
=head1 AUTHOR
|
|
|
|
|
|
|
|
Thomas Chemineau, E<lt>thomas.chemineau@linagora.comE<gt>,
|
|
|
|
Xavier Guimard, E<lt>x.guimard@free.frE<gt>
|
|
|
|
|
|
|
|
=head1 BUG REPORT
|
|
|
|
|
|
|
|
Use OW2 system to report bug or ask for features:
|
|
|
|
L<http://forge.objectweb.org/tracker/?group_id=274>
|
|
|
|
|
|
|
|
=head1 DOWNLOAD
|
|
|
|
|
|
|
|
Lemonldap::NG is available at
|
|
|
|
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE
|
|
|
|
|
2010-02-21 21:17:13 +01:00
|
|
|
Copyright (C) 2010 Xavier Guimard E<lt>x.guimard@free.frE<gt>
|
2010-02-21 15:00:53 +01:00
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or modify
|
|
|
|
it under the same terms as Perl itself, either Perl version 5.8.4 or,
|
|
|
|
at your option, any later version of Perl 5 you may have available.
|
|
|
|
|
|
|
|
=cut
|
|
|
|
|
|
|
|
|