2017-01-30 22:00:54 +01:00
|
|
|
package Lemonldap::NG::Portal::Auth::WebID;
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use Mouse;
|
|
|
|
|
use Regexp::Assemble;
|
|
|
|
|
use Web::ID;
|
|
|
|
|
use Lemonldap::NG::Portal::Main::Constants qw(
|
2021-02-01 22:30:37 +01:00
|
|
|
PE_OK
|
|
|
|
|
PE_BADPARTNER
|
2017-01-30 22:00:54 +01:00
|
|
|
PE_BADCERTIFICATE
|
|
|
|
|
PE_BADCREDENTIALS
|
|
|
|
|
PE_CERTIFICATEREQUIRED
|
2021-02-01 22:30:37 +01:00
|
|
|
|
2017-01-30 22:00:54 +01:00
|
|
|
);
|
|
|
|
|
|
2021-02-01 22:30:37 +01:00
|
|
|
our $VERSION = '2.0.12';
|
2017-01-30 22:00:54 +01:00
|
|
|
|
2018-02-19 22:11:43 +01:00
|
|
|
extends 'Lemonldap::NG::Portal::Main::Auth';
|
2017-01-30 22:00:54 +01:00
|
|
|
|
|
|
|
|
# PROPERTIES
|
|
|
|
|
|
|
|
|
|
has SSLField => (
|
|
|
|
|
is => 'rw',
|
2017-03-27 18:51:18 +02:00
|
|
|
lazy => 1,
|
2017-01-30 22:00:54 +01:00
|
|
|
default => sub {
|
|
|
|
|
return ( $_[0]->{conf}->{SSLVar} || 'SSL_CLIENT_S_DN_Email' );
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
has reWebIDWhitelist => ( is => 'rw' );
|
|
|
|
|
|
|
|
|
|
# INITIALIZATION
|
|
|
|
|
|
|
|
|
|
sub init {
|
|
|
|
|
my ($self) = @_;
|
2022-02-16 17:43:29 +01:00
|
|
|
my @hosts = split /\s+/, $self->{conf}->{webIDWhitelist};
|
2017-01-30 22:00:54 +01:00
|
|
|
unless (@hosts) {
|
|
|
|
|
$self->error(
|
|
|
|
|
'WebID white list is empty. Set it in manager, use * to accept all FOAF providers'
|
|
|
|
|
);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
my $re = Regexp::Assemble->new();
|
|
|
|
|
foreach my $h (@hosts) {
|
2017-02-15 07:41:50 +01:00
|
|
|
$self->logger->debug("Add $h in WebID whitelist");
|
2017-01-30 22:00:54 +01:00
|
|
|
$h = quotemeta($h);
|
|
|
|
|
$h =~ s/\\\*/\.\*\?/g;
|
|
|
|
|
$re->add($h);
|
|
|
|
|
}
|
|
|
|
|
my $reString = '^https?://' . $re->as_string . '(?:/.*|)$';
|
|
|
|
|
$self->reWebIDWhitelist(qr($reString));
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Read username in SSL environment variables, or return an error
|
|
|
|
|
# @return Lemonldap::NG::Portal constant
|
|
|
|
|
sub extractFormInfo {
|
|
|
|
|
my ( $self, $req ) = @_;
|
|
|
|
|
|
|
|
|
|
# 1. Verify SSL exchange
|
|
|
|
|
unless ( $req->{SSL_CLIENT_S_DN} ) {
|
2018-06-13 21:18:15 +02:00
|
|
|
$self->userLogger->warn( 'No certificate found for ' . $req->address );
|
2017-01-30 22:00:54 +01:00
|
|
|
return PE_CERTIFICATEREQUIRED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# 2. Verify that certificate is WebID compliant
|
|
|
|
|
# NB: WebID URI is used as user field
|
|
|
|
|
eval {
|
2018-07-05 22:56:16 +02:00
|
|
|
$req->data->{_webid} =
|
2017-01-30 22:00:54 +01:00
|
|
|
Web::ID->new( certificate => $req->{SSL_CLIENT_CERT} );
|
2018-07-05 22:56:16 +02:00
|
|
|
$req->user( $req->data->{_webid}->uri->as_string );
|
2017-01-30 22:00:54 +01:00
|
|
|
};
|
|
|
|
|
return PE_BADCERTIFICATE if ( $@ or not( $req->user ) );
|
|
|
|
|
|
|
|
|
|
# 3. Verify that FOAF host is in white list
|
|
|
|
|
return PE_BADPARTNER unless ( $req->user =~ $self->reWebIDWhitelist );
|
|
|
|
|
|
|
|
|
|
# 4. Verify FOAF document
|
2018-07-05 22:56:16 +02:00
|
|
|
return PE_BADCREDENTIALS unless ( $req->data->{_webid}->valid() );
|
|
|
|
|
$req->data->{_webIdAuthDone}++;
|
2017-01-30 22:00:54 +01:00
|
|
|
|
|
|
|
|
# 5. OK, access granted
|
|
|
|
|
return PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub authenticate {
|
2021-02-01 22:30:37 +01:00
|
|
|
return PE_OK;
|
2017-01-30 22:00:54 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub setAuthSessionInfo {
|
|
|
|
|
my ( $self, $req ) = @_;
|
|
|
|
|
$req->{sessionInfo}->{authenticationLevel} = $self->conf->{webIDAuthnLevel};
|
2021-02-01 22:30:37 +01:00
|
|
|
return PE_OK;
|
2017-01-30 22:00:54 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub getDisplayType {
|
|
|
|
|
return "logo";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
1;
|
