2008-12-26 18:58:48 +01:00
|
|
|
##@file
|
2008-12-03 14:27:30 +01:00
|
|
|
# Base package for Lemonldap::NG portal
|
|
|
|
|
|
2009-02-02 09:53:51 +01:00
|
|
|
##@class Lemonldap::NG::Portal::Simple
|
2008-12-03 14:27:30 +01:00
|
|
|
# Base class for Lemonldap::NG portal
|
2006-12-18 12:32:33 +01:00
|
|
|
package Lemonldap::NG::Portal::Simple;
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
|
|
use Exporter 'import';
|
|
|
|
|
|
|
|
|
|
use warnings;
|
|
|
|
|
use MIME::Base64;
|
2008-11-21 18:51:52 +01:00
|
|
|
use Lemonldap::NG::Common::CGI;
|
2007-02-11 09:31:56 +01:00
|
|
|
use CGI::Cookie;
|
2007-03-23 20:56:33 +01:00
|
|
|
require POSIX;
|
2009-04-07 22:38:24 +02:00
|
|
|
use Lemonldap::NG::Portal::_i18n; #inherits
|
2009-04-05 10:12:16 +02:00
|
|
|
use Lemonldap::NG::Common::Safelib; #link protected safe Safe object
|
2009-12-11 22:17:06 +01:00
|
|
|
use Lemonldap::NG::Common::Apache::Session; #link protected session Apache::Session object
|
2008-11-21 18:51:52 +01:00
|
|
|
use Safe;
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2009-02-03 10:36:13 +01:00
|
|
|
# Special comments for doxygen
|
2009-02-25 19:10:07 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::_SOAP
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthApache
|
2009-12-10 18:03:57 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthDBI
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthCAS
|
|
|
|
|
#inherits Lemonldap::NG::Portal::AuthLDAP
|
2009-02-25 19:10:07 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthRemote
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::AuthSSL
|
|
|
|
|
#inherits Lemonldap::NG::Portal::Menu
|
2009-02-17 16:22:42 +01:00
|
|
|
#link Lemonldap::NG::Portal::Notification protected notification
|
2009-12-10 18:03:57 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::UserDBDBI
|
|
|
|
|
#inherits Lemonldap::NG::Portal::UserDBEnv
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::UserDBLDAP
|
2009-02-25 19:10:07 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::UserDBRemote
|
2009-12-10 18:03:57 +01:00
|
|
|
#inherits Lemonldap::NG::Portal::PasswordDBDBI
|
2009-05-14 18:19:49 +02:00
|
|
|
#inherits Lemonldap::NG::Portal::PasswordDBLDAP
|
2009-02-03 10:36:13 +01:00
|
|
|
#inherits Apache::Session
|
2009-02-17 16:22:42 +01:00
|
|
|
#link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
|
2009-02-03 10:36:13 +01:00
|
|
|
|
2009-10-11 10:13:50 +02:00
|
|
|
our $VERSION = '0.90';
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2008-12-03 14:27:30 +01:00
|
|
|
use base qw(Lemonldap::NG::Common::CGI Exporter);
|
|
|
|
|
our @ISA;
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
# Constants
|
2008-05-30 08:07:37 +02:00
|
|
|
use constant {
|
2008-08-08 18:19:16 +02:00
|
|
|
PE_REDIRECT => -2,
|
|
|
|
|
PE_DONE => -1,
|
|
|
|
|
PE_OK => 0,
|
|
|
|
|
PE_SESSIONEXPIRED => 1,
|
|
|
|
|
PE_FORMEMPTY => 2,
|
|
|
|
|
PE_WRONGMANAGERACCOUNT => 3,
|
|
|
|
|
PE_USERNOTFOUND => 4,
|
|
|
|
|
PE_BADCREDENTIALS => 5,
|
|
|
|
|
PE_LDAPCONNECTFAILED => 6,
|
|
|
|
|
PE_LDAPERROR => 7,
|
|
|
|
|
PE_APACHESESSIONERROR => 8,
|
|
|
|
|
PE_FIRSTACCESS => 9,
|
|
|
|
|
PE_BADCERTIFICATE => 10,
|
|
|
|
|
PE_PP_ACCOUNT_LOCKED => 21,
|
|
|
|
|
PE_PP_PASSWORD_EXPIRED => 22,
|
|
|
|
|
PE_CERTIFICATEREQUIRED => 23,
|
|
|
|
|
PE_ERROR => 24,
|
|
|
|
|
PE_PP_CHANGE_AFTER_RESET => 25,
|
|
|
|
|
PE_PP_PASSWORD_MOD_NOT_ALLOWED => 26,
|
|
|
|
|
PE_PP_MUST_SUPPLY_OLD_PASSWORD => 27,
|
|
|
|
|
PE_PP_INSUFFICIENT_PASSWORD_QUALITY => 28,
|
|
|
|
|
PE_PP_PASSWORD_TOO_SHORT => 29,
|
|
|
|
|
PE_PP_PASSWORD_TOO_YOUNG => 30,
|
|
|
|
|
PE_PP_PASSWORD_IN_HISTORY => 31,
|
2008-09-19 17:28:00 +02:00
|
|
|
PE_PP_GRACE => 32,
|
|
|
|
|
PE_PP_EXP_WARNING => 33,
|
|
|
|
|
PE_PASSWORD_MISMATCH => 34,
|
|
|
|
|
PE_PASSWORD_OK => 35,
|
2008-11-24 07:57:18 +01:00
|
|
|
PE_NOTIFICATION => 36,
|
2008-12-03 14:27:30 +01:00
|
|
|
PE_BADURL => 37,
|
2009-03-08 09:50:58 +01:00
|
|
|
PE_NOSCHEME => 38,
|
2009-05-18 15:53:51 +02:00
|
|
|
PE_BADOLDPASSWORD => 39,
|
2009-12-19 09:57:59 +01:00
|
|
|
PE_MALFORMEDUSER => 40,
|
2010-01-11 15:02:43 +01:00
|
|
|
PE_SESSIONNOTGRANTED => 41,
|
2008-05-30 08:07:37 +02:00
|
|
|
};
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2007-01-11 07:42:57 +01:00
|
|
|
# EXPORTER PARAMETERS
|
2008-05-11 21:21:39 +02:00
|
|
|
our @EXPORT =
|
2008-05-25 14:54:45 +02:00
|
|
|
qw( PE_DONE PE_OK PE_SESSIONEXPIRED PE_FORMEMPTY PE_WRONGMANAGERACCOUNT
|
|
|
|
|
PE_USERNOTFOUND PE_BADCREDENTIALS PE_LDAPCONNECTFAILED PE_LDAPERROR
|
|
|
|
|
PE_APACHESESSIONERROR PE_FIRSTACCESS PE_BADCERTIFICATE PE_REDIRECT
|
2008-06-06 05:51:39 +02:00
|
|
|
PE_PP_ACCOUNT_LOCKED PE_PP_PASSWORD_EXPIRED PE_CERTIFICATEREQUIRED
|
2008-08-08 18:19:16 +02:00
|
|
|
PE_ERROR PE_PP_CHANGE_AFTER_RESET PE_PP_PASSWORD_MOD_NOT_ALLOWED
|
|
|
|
|
PE_PP_MUST_SUPPLY_OLD_PASSWORD PE_PP_INSUFFICIENT_PASSWORD_QUALITY
|
|
|
|
|
PE_PP_PASSWORD_TOO_SHORT PE_PP_PASSWORD_TOO_YOUNG
|
2008-09-19 17:28:00 +02:00
|
|
|
PE_PP_PASSWORD_IN_HISTORY PE_PP_GRACE PE_PP_EXP_WARNING
|
2009-03-08 09:50:58 +01:00
|
|
|
PE_PASSWORD_MISMATCH PE_PASSWORD_OK PE_NOTIFICATION PE_BADURL
|
2009-12-19 09:57:59 +01:00
|
|
|
PE_NOSCHEME PE_BADOLDPASSWORD PE_MALFORMEDUSER);
|
2008-05-25 14:54:45 +02:00
|
|
|
our %EXPORT_TAGS = ( 'all' => [ @EXPORT, 'import' ], );
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
|
|
|
|
|
|
2008-11-20 19:13:27 +01:00
|
|
|
# Secure jail
|
2008-12-11 18:02:02 +01:00
|
|
|
our $safe;
|
2008-11-20 19:13:27 +01:00
|
|
|
our $self; # Safe cannot share a variable declared with my
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@cmethod Lemonldap::NG::Portal::Simple new(hashRef args)
|
2008-12-03 14:27:30 +01:00
|
|
|
# Class constructor.
|
2008-12-26 18:58:48 +01:00
|
|
|
#@param args hash reference
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal::Simple object
|
2006-12-18 12:32:33 +01:00
|
|
|
sub new {
|
2009-12-10 18:03:57 +01:00
|
|
|
|
2008-12-06 08:27:35 +01:00
|
|
|
binmode( STDOUT, ":utf8" );
|
2006-12-18 12:32:33 +01:00
|
|
|
my $class = shift;
|
2008-12-07 15:12:36 +01:00
|
|
|
return $class if ( ref($class) );
|
2009-02-05 18:05:18 +01:00
|
|
|
my $self = $class->SUPER::new();
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Reinit _url
|
2009-04-11 13:16:44 +02:00
|
|
|
$self->{_url} = '';
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Get global configuration
|
2008-11-21 18:51:52 +01:00
|
|
|
$self->getConf(@_)
|
|
|
|
|
or $self->abort( "Configuration error",
|
|
|
|
|
"Unable to get configuration: $Lemonldap::NG::Common::Conf::msg" );
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Default values
|
2009-02-14 09:55:19 +01:00
|
|
|
$self->setDefaultValues();
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Test mandatory elements
|
2008-11-21 18:51:52 +01:00
|
|
|
$self->abort( "Configuration error",
|
|
|
|
|
"You've to indicate a an Apache::Session storage module !" )
|
2006-12-18 12:32:33 +01:00
|
|
|
unless ( $self->{globalStorage} );
|
|
|
|
|
eval "require " . $self->{globalStorage};
|
2008-11-21 18:51:52 +01:00
|
|
|
$self->abort( "Configuration error",
|
|
|
|
|
"Module " . $self->{globalStorage} . " not found in \@INC" )
|
|
|
|
|
if ($@);
|
|
|
|
|
$self->abort( "Configuration error",
|
|
|
|
|
"You've to indicate a domain for cookies" )
|
|
|
|
|
unless ( $self->{domain} );
|
2006-12-18 12:32:33 +01:00
|
|
|
$self->{domain} =~ s/^([^\.])/.$1/;
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Rules to allow redirection
|
2008-12-28 09:36:52 +01:00
|
|
|
$self->{mustRedirect} = (
|
|
|
|
|
( $ENV{REQUEST_METHOD} eq 'POST' and not $self->param('newpassword') )
|
|
|
|
|
or $self->param('logout')
|
|
|
|
|
) ? 1 : 0;
|
2008-06-06 05:51:39 +02:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# Push authentication/userDB/passwordDb/issuerDB modules in @ISA
|
|
|
|
|
foreach (qw(authentication userDB passwordDB issuerDB)) {
|
|
|
|
|
my $module_name = 'Lemonldap::NG::Portal::';
|
2009-12-11 22:17:06 +01:00
|
|
|
my $db_type = $_;
|
|
|
|
|
my $db_name = $self->{$db_type};
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Adapt module type to real module name
|
|
|
|
|
$db_type =~ s/authentication/Auth/;
|
|
|
|
|
$db_type =~ s/userDB/UserDB/;
|
|
|
|
|
$db_type =~ s/passwordDB/PasswordDB/;
|
|
|
|
|
$db_type =~ s/issuerDB/IssuerDB/;
|
|
|
|
|
|
|
|
|
|
# Full module name
|
|
|
|
|
$module_name .= $db_type . $db_name;
|
|
|
|
|
|
|
|
|
|
# Remove white spaces
|
|
|
|
|
$module_name =~ s/\s.*$//;
|
|
|
|
|
|
|
|
|
|
# Try to load module
|
|
|
|
|
eval "require $module_name";
|
2008-11-21 18:51:52 +01:00
|
|
|
$self->abort( "Configuration error", $@ ) if ($@);
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Push module in @ISA
|
|
|
|
|
push @ISA, $module_name;
|
2008-10-05 20:42:50 +02:00
|
|
|
|
|
|
|
|
# $self->{authentication} and $self->{userDB} can contains arguments
|
|
|
|
|
# (key1 = scalar_value; key2 = ...)
|
2009-12-10 18:03:57 +01:00
|
|
|
unless ( $db_name =~ /^Multi/ ) {
|
|
|
|
|
$db_name =~ s/^\w+\s*//;
|
|
|
|
|
my %h = split( /\s*[=;]\s*/, $db_name ) if ($db_name);
|
2009-03-08 09:50:58 +01:00
|
|
|
%$self = ( %h, %$self );
|
|
|
|
|
}
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Notifications
|
2008-11-24 07:57:18 +01:00
|
|
|
if ( $self->{notification} ) {
|
2009-01-28 18:37:10 +01:00
|
|
|
require Lemonldap::NG::Portal::Notification;
|
2009-01-30 16:26:34 +01:00
|
|
|
my $tmp;
|
|
|
|
|
if ( $self->{notificationStorage} ) {
|
|
|
|
|
$tmp = $self->{notificationStorage};
|
|
|
|
|
}
|
|
|
|
|
else {
|
2009-02-11 17:18:38 +01:00
|
|
|
(%$tmp) = ( %{ $self->{lmConf} } );
|
2009-01-30 16:26:34 +01:00
|
|
|
$self->abort( "notificationStorage not defined",
|
|
|
|
|
"This parameter is required to use notification system" )
|
|
|
|
|
unless ( ref($tmp) );
|
2009-02-11 17:18:38 +01:00
|
|
|
$tmp->{type} =~ s/.*:://;
|
2009-01-30 16:26:34 +01:00
|
|
|
$tmp->{table} = 'notifications';
|
|
|
|
|
}
|
2009-02-12 20:48:53 +01:00
|
|
|
$tmp->{p} = $self;
|
2009-01-30 16:26:34 +01:00
|
|
|
$self->{notifObject} = Lemonldap::NG::Portal::Notification->new($tmp);
|
|
|
|
|
$self->abort($Lemonldap::NG::Portal::Notification::msg)
|
|
|
|
|
unless ( $self->{notifObject} );
|
2008-11-24 07:57:18 +01:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
2009-02-08 08:59:46 +01:00
|
|
|
if ( $self->{notification}
|
|
|
|
|
and $ENV{PATH_INFO}
|
2009-02-24 18:53:59 +01:00
|
|
|
and $ENV{PATH_INFO} =~ m#^/notification# )
|
2009-02-08 08:59:46 +01:00
|
|
|
{
|
2009-02-03 10:36:13 +01:00
|
|
|
require SOAP::Lite;
|
2009-02-08 08:59:46 +01:00
|
|
|
$self->soapTest( 'newNotification', $self->{notifObject} );
|
|
|
|
|
$self->abort( 'Bad request',
|
|
|
|
|
'Only SOAP requests are accepted with "/notification"' );
|
2009-02-03 10:36:13 +01:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# SOAP
|
2009-02-24 18:53:59 +01:00
|
|
|
if ( $self->{Soap} or $self->{soap} ) {
|
|
|
|
|
require Lemonldap::NG::Portal::_SOAP;
|
|
|
|
|
push @ISA, 'Lemonldap::NG::Portal::_SOAP';
|
|
|
|
|
$self->startSoapServices();
|
2008-12-07 15:12:36 +01:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
|
|
|
|
# Trusted domains
|
2009-06-14 18:43:02 +02:00
|
|
|
unless ( defined( $self->{trustedDomains} ) ) {
|
|
|
|
|
$self->{trustedDomains} = $self->{domain};
|
|
|
|
|
}
|
2009-10-02 18:10:23 +02:00
|
|
|
if ( $self->{trustedDomains} eq '*' ) {
|
|
|
|
|
$self->{trustedDomains} = '|\w[\w\-\.]*\w';
|
|
|
|
|
}
|
|
|
|
|
elsif ( $self->{trustedDomains} ) {
|
2009-11-09 16:32:27 +01:00
|
|
|
$self->{trustedDomains} = '|(?:[^/]*)?(?:'
|
|
|
|
|
. join( '|',
|
|
|
|
|
( map { s/\./\\\./g; $_ } split /\s+/, $self->{trustedDomains} ) )
|
|
|
|
|
. ')';
|
2009-06-14 18:43:02 +02:00
|
|
|
}
|
2009-12-10 18:03:57 +01:00
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
return $self;
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@method protected boolean getConf(hashRef args)
|
2008-12-03 14:27:30 +01:00
|
|
|
# Copy all parameters in caller object.
|
2008-12-26 18:58:48 +01:00
|
|
|
#@param args hash-ref
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return True
|
2006-12-18 12:32:33 +01:00
|
|
|
sub getConf {
|
|
|
|
|
my ($self) = shift;
|
|
|
|
|
my %args;
|
|
|
|
|
if ( ref( $_[0] ) ) {
|
|
|
|
|
%args = %{ $_[0] };
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
%args = @_;
|
|
|
|
|
}
|
|
|
|
|
%$self = ( %$self, %args );
|
|
|
|
|
1;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-14 09:55:19 +01:00
|
|
|
##@method protected void setDefaultValues()
|
|
|
|
|
# Set default values.
|
|
|
|
|
sub setDefaultValues {
|
|
|
|
|
my $self = shift;
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{whatToTrace} ||= 'uid';
|
|
|
|
|
$self->{whatToTrace} =~ s/^\$//;
|
|
|
|
|
$self->{httpOnly} = 1 unless ( defined( $self->{httpOnly} ) );
|
|
|
|
|
$self->{portalSkin} ||= 'pastel';
|
|
|
|
|
$self->{portalDisplayLogout} = 1
|
|
|
|
|
unless ( defined( $self->{portalDisplayLogout} ) );
|
|
|
|
|
$self->{portalDisplayResetPassword} = 1
|
|
|
|
|
unless ( defined( $self->{portalDisplayResetPassword} ) );
|
|
|
|
|
$self->{portalDisplayChangePassword} = 1
|
|
|
|
|
unless ( defined( $self->{portalDisplayChangePassword} ) );
|
|
|
|
|
$self->{portalDisplayAppslist} = 1
|
|
|
|
|
unless ( defined( $self->{portalDisplayAppslist} ) );
|
|
|
|
|
$self->{portalAutocomplete} ||= "off";
|
|
|
|
|
$self->{portalRequireOldPassword} = 1
|
|
|
|
|
unless ( defined( $self->{portalRequireOldPassword} ) );
|
2009-12-17 15:10:39 +01:00
|
|
|
$self->{portalOpenLinkInNewWindow} = 0
|
|
|
|
|
unless ( defined( $self->{portalOpenLinkInNewWindow} ) );
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{portalUserAttr} ||= "_user";
|
|
|
|
|
$self->{securedCookie} ||= 0;
|
|
|
|
|
$self->{cookieName} ||= "lemonldap";
|
|
|
|
|
$self->{authentication} ||= 'LDAP';
|
|
|
|
|
$self->{authentication} =~ s/^ldap/LDAP/;
|
|
|
|
|
$self->{SMTPServer} ||= 'localhost';
|
|
|
|
|
$self->{mailLDAPFilter} ||= '(&(mail=$mail)(objectClass=inetOrgPerson))';
|
|
|
|
|
$self->{randomPasswordRegexp} ||= '[A-Z]{3}[a-z]{5}.\d{2}';
|
|
|
|
|
$self->{mailFrom} ||= "noreply@" . $self->{domain};
|
|
|
|
|
$self->{mailSubject} ||= "Change password request";
|
|
|
|
|
$self->{mailBody} ||= 'Your new password is $password';
|
|
|
|
|
$self->{issuerDB} ||= 'Null';
|
2009-12-10 12:30:43 +01:00
|
|
|
|
|
|
|
|
# Set default userDB and passwordDB to DBI if authentication is DBI
|
|
|
|
|
if ( $self->{authentication} =~ /DBI/i ) {
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{userDB} ||= "DBI";
|
|
|
|
|
$self->{passwordDB} ||= "DBI";
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
|
2009-12-10 12:30:43 +01:00
|
|
|
# Default to LDAP
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{userDB} ||= "LDAP";
|
|
|
|
|
$self->{passwordDB} ||= "LDAP";
|
2009-12-10 12:30:43 +01:00
|
|
|
}
|
2009-02-14 09:55:19 +01:00
|
|
|
}
|
|
|
|
|
|
2009-02-01 16:38:06 +01:00
|
|
|
=begin WSDL
|
|
|
|
|
|
|
|
|
|
_IN lang $string Language
|
|
|
|
|
_IN code $int Error code
|
|
|
|
|
_RETURN $string Error string
|
|
|
|
|
|
|
|
|
|
=end WSDL
|
|
|
|
|
|
|
|
|
|
=cut
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@method string error(string lang)
|
2008-12-07 21:07:52 +01:00
|
|
|
# error calls Portal/_i18n.pm to display error in the wanted language.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@param $lang optional (browser language is used instead)
|
2008-12-26 18:58:48 +01:00
|
|
|
#@return error message
|
2006-12-18 12:32:33 +01:00
|
|
|
sub error {
|
|
|
|
|
my $self = shift;
|
2008-12-07 21:07:52 +01:00
|
|
|
my $lang = shift || $ENV{HTTP_ACCEPT_LANGUAGE};
|
2008-12-08 11:56:19 +01:00
|
|
|
my $code = shift || $self->{error};
|
2009-02-12 20:48:53 +01:00
|
|
|
my $tmp = &Lemonldap::NG::Portal::_i18n::error( $code, $lang );
|
2009-02-14 09:55:19 +01:00
|
|
|
return (
|
|
|
|
|
$ENV{HTTP_SOAPACTION}
|
2009-02-12 20:48:53 +01:00
|
|
|
? SOAP::Data->name( result => $tmp )->type('string')
|
2009-02-14 09:55:19 +01:00
|
|
|
: $tmp
|
|
|
|
|
);
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@method string error_type(int code)
|
2008-09-18 10:34:17 +02:00
|
|
|
# error_type tells if error is positive, warning or negative
|
2008-12-28 09:36:52 +01:00
|
|
|
# @param $code Lemonldap::NG error code
|
|
|
|
|
# @return "positive", "warning" or "negative"
|
2008-09-18 10:34:17 +02:00
|
|
|
sub error_type {
|
|
|
|
|
my $self = shift;
|
2008-12-07 21:07:52 +01:00
|
|
|
my $code = shift || $self->{error};
|
2008-09-18 10:34:17 +02:00
|
|
|
|
|
|
|
|
# Positive errors
|
2008-10-07 22:15:48 +02:00
|
|
|
return "positive"
|
|
|
|
|
if (
|
|
|
|
|
scalar(
|
2008-12-07 21:07:52 +01:00
|
|
|
grep { /^$code$/ } (
|
2008-10-07 22:15:48 +02:00
|
|
|
-2, #PE_REDIRECT
|
|
|
|
|
-1, #PE_DONE,
|
|
|
|
|
0, #PE_OK
|
|
|
|
|
35, #PE_PASSWORD_OK
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
);
|
2008-09-18 10:34:17 +02:00
|
|
|
|
|
|
|
|
# Warning errors
|
2008-10-07 22:15:48 +02:00
|
|
|
return "warning"
|
|
|
|
|
if (
|
|
|
|
|
scalar(
|
2008-12-07 21:07:52 +01:00
|
|
|
grep { /^$code$/ } (
|
2008-10-07 22:15:48 +02:00
|
|
|
1, #PE_SESSIONEXPIRED
|
|
|
|
|
2, #PE_FORMEMPTY
|
|
|
|
|
9, #PE_FIRSTACCESS
|
|
|
|
|
32, #PE_PP_GRACE
|
|
|
|
|
33, #PE_PP_EXP_WARNING
|
2008-11-24 07:57:18 +01:00
|
|
|
36, #PE_NOTIFICATION
|
2008-12-03 17:05:27 +01:00
|
|
|
37, #PE_BADURL
|
2008-10-07 22:15:48 +02:00
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
);
|
2008-09-18 10:34:17 +02:00
|
|
|
|
|
|
|
|
# Negative errors (default)
|
|
|
|
|
return "negative";
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method void header()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Overload CGI::header() to add Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
sub header {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
if ( $self->{cookie} ) {
|
|
|
|
|
$self->SUPER::header( @_, -cookie => $self->{cookie} );
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$self->SUPER::header(@_);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method void redirect()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Overload CGI::redirect() to add Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
sub redirect {
|
|
|
|
|
my $self = shift;
|
2007-07-30 21:38:19 +02:00
|
|
|
if ( $self->{cookie} ) {
|
|
|
|
|
$self->SUPER::redirect( @_, -cookie => $self->{cookie} );
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$self->SUPER::redirect(@_);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-23 18:35:38 +01:00
|
|
|
## @method protected hashref getApacheSession(string id)
|
2009-02-14 09:55:19 +01:00
|
|
|
# Try to recover the session corresponding to id and return session datas.
|
|
|
|
|
# If $id is set to undef, return a new session.
|
|
|
|
|
# @param $id session reference
|
2009-02-23 18:35:38 +01:00
|
|
|
sub getApacheSession {
|
2009-02-24 18:53:59 +01:00
|
|
|
my ( $self, $id, $noInfo ) = @_;
|
2009-02-17 16:39:14 +01:00
|
|
|
my %h;
|
2008-10-05 20:42:50 +02:00
|
|
|
|
2009-02-17 16:39:14 +01:00
|
|
|
# Trying to recover session from global session storage
|
2009-02-14 09:55:19 +01:00
|
|
|
eval { tie %h, $self->{globalStorage}, $id, $self->{globalStorageOptions}; };
|
2009-02-17 16:39:14 +01:00
|
|
|
if ( $@ or not tied(%h) ) {
|
2008-10-05 20:42:50 +02:00
|
|
|
|
2009-02-17 16:39:14 +01:00
|
|
|
# Session not available (expired ?)
|
2009-02-15 09:53:44 +01:00
|
|
|
if ($id) {
|
|
|
|
|
$self->lmLog( "Session $id isn't yet available ($ENV{REMOTE_ADDR})",
|
|
|
|
|
'info' );
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
2009-02-14 09:55:19 +01:00
|
|
|
else {
|
|
|
|
|
$self->lmLog( "Unable to create new session: $@", 'error' );
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
2009-02-14 09:55:19 +01:00
|
|
|
return 0;
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
2009-02-24 18:53:59 +01:00
|
|
|
$self->setApacheUser( $h{ $self->{whatToTrace} } )
|
|
|
|
|
if ( $id and not $noInfo );
|
2009-02-23 18:35:38 +01:00
|
|
|
$self->{id} = $h{_session_id};
|
2009-02-14 09:55:19 +01:00
|
|
|
return \%h;
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
|
|
|
|
|
2008-12-29 11:28:31 +01:00
|
|
|
##@method void updateSession(hashRef infos)
|
2008-12-26 18:58:48 +01:00
|
|
|
# Update session stored.
|
|
|
|
|
# If lemonldap cookie exists, reads it and search session. If the session is
|
|
|
|
|
# available, update datas with $info.
|
|
|
|
|
#@param $infos hash
|
2008-10-16 09:35:42 +02:00
|
|
|
sub updateSession {
|
2009-02-17 15:56:38 +01:00
|
|
|
|
|
|
|
|
# TODO: update all caches
|
2008-11-24 07:57:18 +01:00
|
|
|
my $self = shift;
|
2008-11-21 18:51:52 +01:00
|
|
|
my ($infos) = @_;
|
2008-10-16 09:35:42 +02:00
|
|
|
my %cookies = fetch CGI::Cookie;
|
|
|
|
|
|
|
|
|
|
# Test if Lemonldap::NG cookie is available
|
|
|
|
|
if ( $cookies{ $self->{cookieName} }
|
|
|
|
|
and my $id = $cookies{ $self->{cookieName} }->value )
|
|
|
|
|
{
|
2009-02-23 18:35:38 +01:00
|
|
|
my $h = $self->getApacheSession($id) or return undef;
|
2008-10-16 09:35:42 +02:00
|
|
|
|
|
|
|
|
# Store/update session values
|
|
|
|
|
foreach ( keys %$infos ) {
|
2009-02-14 09:55:19 +01:00
|
|
|
$h->{$_} = $infos->{$_};
|
2008-10-16 09:35:42 +02:00
|
|
|
}
|
|
|
|
|
|
2009-02-14 09:55:19 +01:00
|
|
|
untie %$h;
|
2008-10-16 09:35:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method protected int _subProcess(array @subs)
|
2008-12-26 18:58:48 +01:00
|
|
|
# Execute methods until an error is returned.
|
|
|
|
|
# If $self->{$sub} exists, launch it, else launch $self->$sub
|
|
|
|
|
#@param @subs array list of subroutines
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal error
|
2007-10-22 21:42:19 +02:00
|
|
|
sub _subProcess {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
my @subs = @_;
|
|
|
|
|
my $err = undef;
|
|
|
|
|
|
|
|
|
|
foreach my $sub (@subs) {
|
2009-02-17 16:39:14 +01:00
|
|
|
last if ( $err = $self->_sub($sub) );
|
|
|
|
|
}
|
2007-10-22 21:42:19 +02:00
|
|
|
return $err;
|
|
|
|
|
}
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method protected void updateStatus()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Inform status mechanism module.
|
|
|
|
|
# If an handler is launched on the same server with "status=>1", inform the
|
|
|
|
|
# status module with the result (portal error).
|
2008-05-11 21:21:39 +02:00
|
|
|
sub updateStatus {
|
2009-04-07 22:38:24 +02:00
|
|
|
my $self = shift;
|
2008-05-11 21:21:39 +02:00
|
|
|
print $Lemonldap::NG::Handler::Simple::statusPipe (
|
|
|
|
|
$self->{user} ? $self->{user} : $ENV{REMOTE_ADDR} )
|
|
|
|
|
. " => $ENV{SERVER_NAME}$ENV{SCRIPT_NAME} "
|
|
|
|
|
. $self->{error} . "\n"
|
|
|
|
|
if ($Lemonldap::NG::Handler::Simple::statusPipe);
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@method protected string notification()
|
|
|
|
|
#@return Notification stored by checkNotification()
|
2008-11-24 07:57:18 +01:00
|
|
|
sub notification {
|
2009-04-07 22:38:24 +02:00
|
|
|
my $self = shift;
|
2008-11-24 07:57:18 +01:00
|
|
|
return $self->{_notification};
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@method protected string get_url()
|
2009-04-08 18:31:13 +02:00
|
|
|
# Return url parameter
|
2008-12-28 09:36:52 +01:00
|
|
|
# @return url parameter if good, nothing else.
|
2008-12-03 17:41:30 +01:00
|
|
|
sub get_url {
|
2009-04-07 22:38:24 +02:00
|
|
|
my $self = shift;
|
2009-04-11 13:16:44 +02:00
|
|
|
return $self->{_url};
|
2008-12-03 17:41:30 +01:00
|
|
|
}
|
2008-06-06 05:51:39 +02:00
|
|
|
|
2009-05-19 10:52:27 +02:00
|
|
|
##@method protected string get_user()
|
|
|
|
|
# Return user parameter
|
|
|
|
|
# @return user parameter if good, nothing else.
|
|
|
|
|
sub get_user {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
return "" unless $self->{user};
|
2009-06-14 18:43:02 +02:00
|
|
|
return $self->{user}
|
|
|
|
|
unless ( $self->{user} =~ m/(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/ );
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"XSS attack detected (param: user | value: " . $self->{user} . ")",
|
|
|
|
|
"warn" );
|
2009-05-19 10:52:27 +02:00
|
|
|
return "";
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method private Safe safe()
|
2008-12-11 18:02:02 +01:00
|
|
|
# Provide the security jail.
|
|
|
|
|
#@return Safe object
|
|
|
|
|
sub safe {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
return $safe if ($safe);
|
|
|
|
|
$safe = new Safe;
|
|
|
|
|
my @t =
|
|
|
|
|
$self->{customFunctions} ? split( /\s+/, $self->{customFunctions} ) : ();
|
|
|
|
|
foreach (@t) {
|
|
|
|
|
my $sub = $_;
|
|
|
|
|
unless (/::/) {
|
|
|
|
|
$sub = ref($self) . "::$_";
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
s/^.*:://;
|
|
|
|
|
}
|
|
|
|
|
next if ( $self->can($_) );
|
|
|
|
|
eval "sub $_ {
|
|
|
|
|
return $sub( '$self->{portal}', \@_ );
|
|
|
|
|
}";
|
2009-02-12 20:48:53 +01:00
|
|
|
$self->lmLog( $@, 'error' ) if ($@);
|
2008-12-11 18:02:02 +01:00
|
|
|
}
|
2009-03-08 18:37:31 +01:00
|
|
|
$safe->share_from( 'main', ['%ENV'] );
|
2009-04-05 10:12:16 +02:00
|
|
|
$safe->share_from( 'Lemonldap::NG::Common::Safelib',
|
|
|
|
|
$Lemonldap::NG::Common::Safelib::functions );
|
2009-03-08 18:37:31 +01:00
|
|
|
$safe->share( '&encode_base64', @t );
|
2008-12-11 18:02:02 +01:00
|
|
|
return $safe;
|
|
|
|
|
}
|
|
|
|
|
|
2009-04-03 18:17:57 +02:00
|
|
|
##@method private boolean _deleteSession(Apache::Session* h)
|
|
|
|
|
# Delete an existing session
|
|
|
|
|
# @param $h tied Apache::Session object
|
|
|
|
|
sub _deleteSession {
|
|
|
|
|
my ( $self, $h ) = @_;
|
|
|
|
|
if ( my $id2 = $h->{_httpSession} ) {
|
|
|
|
|
my $h2 = $self->getApacheSession($id2);
|
2009-10-12 18:55:35 +02:00
|
|
|
eval { tied(%$h2)->delete() };
|
2009-09-23 15:35:19 +02:00
|
|
|
$self->lmLog( $@, 'error' ) if ($@);
|
2009-04-03 18:17:57 +02:00
|
|
|
|
|
|
|
|
# Delete cookie
|
|
|
|
|
push @{ $self->{cookie} },
|
|
|
|
|
$self->cookie(
|
|
|
|
|
-name => $self->{cookieName} . 'http',
|
|
|
|
|
-value => 0,
|
|
|
|
|
-domain => $self->{domain},
|
|
|
|
|
-path => "/",
|
|
|
|
|
-secure => 0,
|
|
|
|
|
-expires => '-1d',
|
|
|
|
|
@_,
|
|
|
|
|
);
|
|
|
|
|
}
|
2009-09-23 15:35:19 +02:00
|
|
|
my $r;
|
2009-10-12 18:55:35 +02:00
|
|
|
eval { $r = tied(%$h)->delete() };
|
2009-09-23 15:35:19 +02:00
|
|
|
$self->lmLog( $@, 'error' ) if ($@);
|
2009-04-03 18:17:57 +02:00
|
|
|
|
|
|
|
|
# Delete cookie
|
|
|
|
|
push @{ $self->{cookie} },
|
|
|
|
|
$self->cookie(
|
|
|
|
|
-name => $self->{cookieName},
|
|
|
|
|
-value => 0,
|
|
|
|
|
-domain => $self->{domain},
|
|
|
|
|
-path => "/",
|
|
|
|
|
-secure => 0,
|
|
|
|
|
-expires => '-1d',
|
|
|
|
|
@_,
|
|
|
|
|
);
|
|
|
|
|
return $r;
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-07 21:07:52 +01:00
|
|
|
###############################################################
|
|
|
|
|
# MAIN subroutine: call all steps until one returns something #
|
|
|
|
|
# different than PE_OK #
|
|
|
|
|
###############################################################
|
|
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
##@method boolean process()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Main method calling functions issued from:
|
|
|
|
|
# - itself:
|
|
|
|
|
# - controlUrlOrigin
|
|
|
|
|
# - checkNotifBack
|
|
|
|
|
# - controlExistingSession
|
|
|
|
|
# - setMacros
|
|
|
|
|
# - setLocalGroups
|
|
|
|
|
# - removeOther
|
2010-01-11 15:02:43 +01:00
|
|
|
# - grantSession
|
2009-12-10 18:03:57 +01:00
|
|
|
# - store
|
|
|
|
|
# - buildCookie
|
|
|
|
|
# - checkNotification
|
|
|
|
|
# - autoRedirect
|
|
|
|
|
# - updateStatus
|
|
|
|
|
# - authentication module:
|
|
|
|
|
# - authInit
|
|
|
|
|
# - extractFormInfo
|
|
|
|
|
# - setAuthSessionInfo
|
|
|
|
|
# - authenticate
|
|
|
|
|
# - userDB module:
|
|
|
|
|
# - userDBInit
|
|
|
|
|
# - getUser
|
|
|
|
|
# - setSessionInfo
|
|
|
|
|
# - setGroups
|
|
|
|
|
# - passwordDB module:
|
|
|
|
|
# - passwordDBInit
|
|
|
|
|
# - modifyPassword
|
|
|
|
|
# - resetPasswordByMail
|
|
|
|
|
# - issuerDB module:
|
|
|
|
|
# - issuerDBInit
|
|
|
|
|
# - issuerForUnAuthUser
|
|
|
|
|
# - issuerForAuthUser
|
|
|
|
|
#
|
|
|
|
|
#@return 1 if all is OK, 0 if session isn't created or a notification has to be done
|
2008-12-07 21:07:52 +01:00
|
|
|
sub process {
|
|
|
|
|
my ($self) = @_;
|
|
|
|
|
$self->{error} = PE_OK;
|
|
|
|
|
$self->{error} = $self->_subProcess(
|
2009-12-10 18:03:57 +01:00
|
|
|
qw(controlUrlOrigin checkNotifBack controlExistingSession issuerDBInit
|
|
|
|
|
issuerForUnAuthUser authInit extractFormInfo userDBInit getUser
|
2009-06-14 18:43:02 +02:00
|
|
|
setAuthSessionInfo passwordDBInit modifyPassword setSessionInfo
|
2009-06-04 11:13:03 +02:00
|
|
|
resetPasswordByMail setMacros setLocalGroups setGroups authenticate
|
2010-01-11 15:02:43 +01:00
|
|
|
removeOther grantSession store buildCookie checkNotification issuerForAuthUser
|
2009-12-16 16:53:49 +01:00
|
|
|
autoRedirect)
|
2008-12-07 21:07:52 +01:00
|
|
|
);
|
|
|
|
|
$self->updateStatus;
|
|
|
|
|
return ( ( $self->{error} > 0 ) ? 0 : 1 );
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int controlUrlOrigin()
|
2009-12-10 18:03:57 +01:00
|
|
|
# If the user was redirected here, loads 'url' parameter.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub controlUrlOrigin {
|
|
|
|
|
my $self = shift;
|
2009-04-11 13:16:44 +02:00
|
|
|
$self->{_url} ||= '';
|
2009-04-08 18:31:13 +02:00
|
|
|
if ( my $url = $self->param('url') ) {
|
2008-12-07 10:02:44 +01:00
|
|
|
|
|
|
|
|
# REJECT NON BASE64 URL
|
2009-05-19 10:52:27 +02:00
|
|
|
if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
|
2009-06-14 18:43:02 +02:00
|
|
|
$self->lmLog( "XSS attack detected (param: url | value: $url)",
|
|
|
|
|
"warn" );
|
2009-05-19 10:52:27 +02:00
|
|
|
return PE_BADURL;
|
|
|
|
|
}
|
2008-12-07 10:02:44 +01:00
|
|
|
|
2009-04-07 22:38:24 +02:00
|
|
|
$self->{urldc} = decode_base64($url);
|
2008-12-07 13:15:40 +01:00
|
|
|
$self->{urldc} =~ s/[\r\n]//sg;
|
2008-12-03 17:05:27 +01:00
|
|
|
|
2008-12-07 10:02:44 +01:00
|
|
|
# REJECT [\0<'"`] in URL or encoded '%' and non protected hosts
|
2008-12-24 15:55:44 +01:00
|
|
|
if (
|
2008-12-24 15:57:23 +01:00
|
|
|
$self->{urldc} =~ /(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/
|
2008-12-28 09:36:52 +01:00
|
|
|
or ( $self->{urldc} !~
|
2009-06-14 18:43:02 +02:00
|
|
|
m#^https?://(?:$self->{reVHosts}$self->{trustedDomains})(?::\d+)?(?:/.*)?$#o
|
2008-12-24 15:55:44 +01:00
|
|
|
and not $self->param('logout') )
|
|
|
|
|
)
|
2008-12-06 08:27:35 +01:00
|
|
|
{
|
2009-06-14 18:43:02 +02:00
|
|
|
$self->lmLog(
|
|
|
|
|
"XSS attack detected (param: urldc | value: "
|
|
|
|
|
. $self->{urldc} . ")",
|
|
|
|
|
"warn"
|
|
|
|
|
);
|
2008-12-03 17:41:30 +01:00
|
|
|
delete $self->{urldc};
|
2008-12-06 08:27:35 +01:00
|
|
|
return PE_BADURL;
|
|
|
|
|
}
|
2009-04-11 13:16:44 +02:00
|
|
|
$self->{_url} = $url;
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int checkNotifBack()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Checks if a message has been notified to the connected user.
|
2009-01-30 16:26:34 +01:00
|
|
|
# Call Lemonldap::NG::Portal::Notification::checkNotification()
|
|
|
|
|
#@return Lemonldap::NG::Portal error code
|
|
|
|
|
sub checkNotifBack {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
if ( $self->{notification} and grep( /^reference/, $self->param() ) ) {
|
|
|
|
|
unless ( $self->{notifObject}->checkNotification($self) ) {
|
|
|
|
|
$self->{_notification} =
|
|
|
|
|
$self->{notifObject}->getNotification($self);
|
|
|
|
|
return PE_NOTIFICATION;
|
|
|
|
|
}
|
|
|
|
|
else {
|
2009-04-07 22:38:24 +02:00
|
|
|
$self->{error} = $self->_subProcess(
|
2009-12-16 16:53:49 +01:00
|
|
|
qw(checkNotification issuerDBInit issuerForAuthUser autoRedirect)
|
2009-12-11 22:17:06 +01:00
|
|
|
);
|
2009-01-30 16:26:34 +01:00
|
|
|
return $self->{error} || PE_DONE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int controlExistingSession(string id)
|
2009-12-10 18:03:57 +01:00
|
|
|
# Control existing sessions.
|
2008-12-03 14:27:30 +01:00
|
|
|
# To overload to control what to do with existing sessions.
|
2007-02-23 06:31:32 +01:00
|
|
|
# what to do with existing sessions ?
|
2008-12-03 14:27:30 +01:00
|
|
|
# - nothing: user is authenticated and process returns true (default)
|
|
|
|
|
# - delete and create a new session (not implemented)
|
|
|
|
|
# - re-authentication (set existingSession => sub{PE_OK})
|
2009-01-30 16:26:34 +01:00
|
|
|
#@param $id optional value of the session-id else cookies are examinated.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub controlExistingSession {
|
2009-01-30 16:26:34 +01:00
|
|
|
my ( $self, $id ) = @_;
|
|
|
|
|
my %cookies;
|
|
|
|
|
%cookies = fetch CGI::Cookie unless ($id);
|
2008-05-11 21:21:39 +02:00
|
|
|
|
2007-02-11 09:31:56 +01:00
|
|
|
# Test if Lemonldap::NG cookie is available
|
2009-01-30 16:26:34 +01:00
|
|
|
if (
|
|
|
|
|
$id
|
|
|
|
|
or ( $cookies{ $self->{cookieName} }
|
|
|
|
|
and $id = $cookies{ $self->{cookieName} }->value )
|
|
|
|
|
)
|
2008-05-11 21:21:39 +02:00
|
|
|
{
|
2009-02-23 18:35:38 +01:00
|
|
|
my $h = $self->getApacheSession($id) or return PE_OK;
|
2009-02-15 09:53:44 +01:00
|
|
|
%{ $self->{sessionInfo} } = %$h;
|
2007-03-14 08:28:53 +01:00
|
|
|
|
2007-03-18 19:33:38 +01:00
|
|
|
# Logout if required
|
2008-05-11 21:21:39 +02:00
|
|
|
if ( $self->param('logout') ) {
|
|
|
|
|
|
2007-03-18 19:33:38 +01:00
|
|
|
# Delete session in global storage
|
2009-04-03 18:17:57 +02:00
|
|
|
$self->_deleteSession($h);
|
2008-12-03 19:30:57 +01:00
|
|
|
$self->{error} = PE_REDIRECT;
|
2009-12-16 16:53:49 +01:00
|
|
|
# Call issuerDB logout
|
2009-12-10 18:03:57 +01:00
|
|
|
$self->issuerLogout();
|
2009-12-16 16:53:49 +01:00
|
|
|
# Log
|
2009-02-17 16:39:14 +01:00
|
|
|
$self->_sub( 'userNotice',
|
|
|
|
|
$self->{sessionInfo}->{ $self->{whatToTrace} }
|
|
|
|
|
. " has been disconnected" );
|
2009-12-16 16:53:49 +01:00
|
|
|
# Call authentication logout
|
2009-04-07 22:38:24 +02:00
|
|
|
eval { $self->_sub('authLogout') };
|
2009-12-16 16:53:49 +01:00
|
|
|
# Redirect user
|
2009-02-15 18:58:38 +01:00
|
|
|
$self->_subProcess(qw(autoRedirect));
|
2007-03-14 08:28:53 +01:00
|
|
|
return PE_FIRSTACCESS;
|
|
|
|
|
}
|
2009-04-03 18:17:57 +02:00
|
|
|
untie %$h;
|
2007-05-23 08:48:07 +02:00
|
|
|
$self->{id} = $id;
|
2008-05-11 21:21:39 +02:00
|
|
|
|
2007-02-11 09:31:56 +01:00
|
|
|
# A session has been find => calling &existingSession
|
2009-02-23 18:35:38 +01:00
|
|
|
my $r = $self->_sub( 'existingSession', $id, $self->{sessionInfo} );
|
2008-05-11 21:21:39 +02:00
|
|
|
if ( $r == PE_DONE ) {
|
2009-01-28 18:37:10 +01:00
|
|
|
$self->{error} =
|
2009-12-16 16:53:49 +01:00
|
|
|
$self->_subProcess(qw(checkNotification issuerDBInit issuerForAuthUser autoRedirect));
|
2007-02-11 09:31:56 +01:00
|
|
|
return $self->{error} || PE_DONE;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return $r;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
## @method int existingSession()
|
|
|
|
|
# Launched by controlExistingSession() to know what to do with existing
|
|
|
|
|
# sessions.
|
2009-12-10 18:03:57 +01:00
|
|
|
# Can return:
|
|
|
|
|
# - PE_DONE: session is unchanged and process() return true
|
|
|
|
|
# - PE_OK: process() return false to display the form
|
2009-02-17 15:56:38 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2007-02-11 09:31:56 +01:00
|
|
|
sub existingSession {
|
2008-11-21 18:51:52 +01:00
|
|
|
|
2008-12-01 10:36:02 +01:00
|
|
|
PE_DONE;
|
2006-12-18 12:32:33 +01:00
|
|
|
}
|
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# issuerDBInit(): must be implemented in IssuerDB* module
|
2008-11-20 19:13:27 +01:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# issuerForUnAuthUser(): must be implemented in IssuerDB* module
|
2008-11-20 19:13:27 +01:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# authInit(): must be implemented in Auth* module
|
2008-11-20 19:13:27 +01:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# extractFormInfo(): must be implemented in Auth* module
|
|
|
|
|
# * set $self->{user}
|
|
|
|
|
# * authenticate user if possible (or do it in authenticate())
|
2008-11-20 19:13:27 +01:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# userDBInit(): must be implemented in UserDB* module
|
2008-11-20 19:13:27 +01:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# getUser(): must be implemented in UserDB* module
|
2009-05-14 18:19:49 +02:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# setAuthSessionInfo(): must be implemented in Auth* module:
|
|
|
|
|
# * store exported datas in $self->{sessionInfo}
|
|
|
|
|
|
|
|
|
|
# passwordDBInit(): must be implemented in PasswordDB* module
|
|
|
|
|
|
|
|
|
|
# modifyPassword(): must be implemented in PasswordDB* module
|
2009-05-14 18:19:49 +02:00
|
|
|
|
2009-02-24 18:53:59 +01:00
|
|
|
##@apmethod int setSessionInfo()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Call setSessionInfo() in User* module and set ipAddr and startTime
|
2009-02-24 18:53:59 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
|
|
|
|
sub setSessionInfo {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
|
|
|
|
|
# Store IP address and start time
|
|
|
|
|
$self->{sessionInfo}->{ipAddr} = $ENV{REMOTE_ADDR};
|
2009-06-14 18:43:02 +02:00
|
|
|
|
2009-06-03 16:52:22 +02:00
|
|
|
# Extract client IP from X-FORWARDED-FOR header
|
|
|
|
|
my $xheader = $ENV{HTTP_X_FORWARDED_FOR};
|
2009-06-04 16:27:36 +02:00
|
|
|
$xheader =~ s/(.*?)(\,)+.*/$1/ if $xheader;
|
2009-06-03 16:52:22 +02:00
|
|
|
$self->{sessionInfo}->{xForwardedForAddr} = $xheader || $ENV{REMOTE_ADDR};
|
2009-02-24 18:53:59 +01:00
|
|
|
$self->{sessionInfo}->{startTime} =
|
2009-03-08 09:50:58 +01:00
|
|
|
&POSIX::strftime( "%Y%m%d%H%M%S", localtime() );
|
2009-06-14 18:43:02 +02:00
|
|
|
$self->lmLog(
|
|
|
|
|
"Store ipAddr: " . $self->{sessionInfo}->{ipAddr} . " in session",
|
|
|
|
|
'debug' );
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"Store xForwardedForAddr: "
|
|
|
|
|
. $self->{sessionInfo}->{xForwardedForAddr}
|
|
|
|
|
. " in session",
|
|
|
|
|
'debug'
|
|
|
|
|
);
|
|
|
|
|
$self->lmLog(
|
|
|
|
|
"Store startTime: " . $self->{sessionInfo}->{startTime} . " in session",
|
|
|
|
|
'debug'
|
|
|
|
|
);
|
2009-02-24 18:53:59 +01:00
|
|
|
return $self->SUPER::setSessionInfo();
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# resetPasswordByMail(): must be implemented in PasswordDB* module
|
2009-06-03 18:40:41 +02:00
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int setMacro()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Macro mechanism.
|
|
|
|
|
# * store macro results in $self->{sessionInfo}
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2007-01-13 20:34:03 +01:00
|
|
|
sub setMacros {
|
2008-11-20 19:13:27 +01:00
|
|
|
local $self = shift;
|
2009-02-05 18:05:18 +01:00
|
|
|
$self->safe->share('$self');
|
2008-11-20 19:13:27 +01:00
|
|
|
while ( my ( $n, $e ) = each( %{ $self->{macros} } ) ) {
|
|
|
|
|
$e =~ s/\$(\w+)/\$self->{sessionInfo}->{$1}/g;
|
2008-12-11 18:02:02 +01:00
|
|
|
$self->{sessionInfo}->{$n} = $self->safe->reval($e);
|
2008-11-20 19:13:27 +01:00
|
|
|
}
|
2007-01-13 20:34:03 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-06-04 11:13:03 +02:00
|
|
|
##@apmethod int setLocalGroups()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Groups mechanism.
|
|
|
|
|
# * store all groups name that the user match in $self->{sessionInfo}->{groups}
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2009-06-04 11:13:03 +02:00
|
|
|
sub setLocalGroups {
|
2008-11-20 19:13:27 +01:00
|
|
|
local $self = shift;
|
|
|
|
|
my $groups;
|
2009-02-05 18:05:18 +01:00
|
|
|
$self->safe->share('$self');
|
2008-11-20 19:13:27 +01:00
|
|
|
while ( my ( $group, $expr ) = each %{ $self->{groups} } ) {
|
2008-11-24 07:57:18 +01:00
|
|
|
$expr =~ s/\$(\w+)/\$self->{sessionInfo}->{$1}/g;
|
2009-06-04 11:13:03 +02:00
|
|
|
$groups .= "$group; " if ( $self->safe->reval($expr) );
|
2008-11-20 19:13:27 +01:00
|
|
|
}
|
|
|
|
|
$self->{sessionInfo}->{groups} = $groups;
|
2006-12-18 12:32:33 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# setGroups(): must be implemented in UserDB* module
|
2009-06-04 11:13:03 +02:00
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int authenticate()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Call authenticate() in Auth* module and call userNotice().
|
2009-02-17 15:56:38 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2009-02-15 18:58:38 +01:00
|
|
|
sub authenticate {
|
|
|
|
|
my $self = shift;
|
|
|
|
|
my $tmp;
|
2009-02-17 16:39:14 +01:00
|
|
|
return $tmp if ( $tmp = $self->SUPER::authenticate() );
|
|
|
|
|
$self->_sub( 'userNotice',
|
|
|
|
|
"Good authentication for "
|
2009-02-15 18:58:38 +01:00
|
|
|
. $self->{sessionInfo}->{ $self->{whatToTrace} } );
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
2008-11-20 19:13:27 +01:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
##@apmethod int removeOther()
|
|
|
|
|
# check singleSession or singleIP parameters, and remove other sessions if needed
|
|
|
|
|
#@return Lemonldap::NG::Portal constant
|
2009-10-21 14:43:13 +02:00
|
|
|
sub removeOther {
|
|
|
|
|
my $self = shift;
|
2009-11-09 16:32:27 +01:00
|
|
|
if ( $self->{singleSession} or $self->{singleIP} ) {
|
|
|
|
|
my $sessions =
|
|
|
|
|
$self->{globalStorage}->searchOn( $self->{globalStorageOptions},
|
|
|
|
|
$self->{whatToTrace},
|
|
|
|
|
$self->{sessionInfo}->{ $self->{whatToTrace} } );
|
2009-10-21 14:43:13 +02:00
|
|
|
foreach my $id ( keys %$sessions ) {
|
|
|
|
|
my $h = $self->getApacheSession($id);
|
2009-11-09 16:32:27 +01:00
|
|
|
unless ($self->{singleIP}
|
|
|
|
|
and $self->{sessionInfo}->{ipAddr} eq $h->{ipAddr} )
|
|
|
|
|
{
|
2009-10-21 14:43:13 +02:00
|
|
|
tied(%$h)->delete();
|
2009-11-09 16:32:27 +01:00
|
|
|
$self->lmLog( "Deleting session $id", 'debug' );
|
2009-12-11 22:17:06 +01:00
|
|
|
eval {
|
|
|
|
|
$self->{lmConf}->{refLocalStorage}->remove($id);
|
|
|
|
|
|
|
|
|
|
#$Lemonldap::NG::Handler::Simple::refLocalStorage->remove($id);
|
|
|
|
|
};
|
2009-11-25 13:38:22 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ( $self->{singleUserByIP} ) {
|
|
|
|
|
my $sessions =
|
|
|
|
|
$self->{globalStorage}->searchOn( $self->{globalStorageOptions},
|
2009-12-11 22:17:06 +01:00
|
|
|
$self->{ipAddr}, $ENV{REMOTE_ADDR} );
|
2009-11-25 13:38:22 +01:00
|
|
|
foreach my $id ( keys %$sessions ) {
|
|
|
|
|
my $h = $self->getApacheSession($id);
|
2009-12-11 22:17:06 +01:00
|
|
|
unless ( $self->{sessionInfo}->{ $self->{whatToTrace} } eq
|
|
|
|
|
$h->{ $self->{whatToTrace} } )
|
2009-11-25 13:38:22 +01:00
|
|
|
{
|
|
|
|
|
tied(%$h)->delete();
|
|
|
|
|
$self->lmLog( "Deleting session $id", 'debug' );
|
2009-12-11 22:17:06 +01:00
|
|
|
eval {
|
|
|
|
|
$self->{lmConf}->{refLocalStorage}->remove($id);
|
|
|
|
|
|
|
|
|
|
#$Lemonldap::NG::Handler::Simple::refLocalStorage->remove($id);
|
|
|
|
|
};
|
2009-10-21 14:43:13 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
2010-01-11 15:02:43 +01:00
|
|
|
##@apmethod int grantSession()
|
|
|
|
|
# Check grantSessionRule to allow session creation.
|
|
|
|
|
#@return Lemonldap::NG::Portal constant
|
|
|
|
|
sub grantSession {
|
|
|
|
|
my ($self) = @_;
|
|
|
|
|
|
|
|
|
|
# Return PE_OK if no grantSessionRule
|
|
|
|
|
return PE_OK unless defined $self->{grantSessionRule};
|
|
|
|
|
|
|
|
|
|
# Eval grantSessionRule
|
|
|
|
|
my $grantSessionRule = $self->{grantSessionRule};
|
|
|
|
|
$grantSessionRule =~ s/\$(\w+)/\$self->{sessionInfo}->{$1}/g;
|
|
|
|
|
|
|
|
|
|
unless ( $self->safe->reval($grantSessionRule) ) {
|
|
|
|
|
$self->lmLog( "User ".$self->{user}." was not granted to open session", 'error');
|
|
|
|
|
return PE_SESSIONNOTGRANTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$self->lmLog( "Session granted for ".$self->{user}, 'notice' );
|
|
|
|
|
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-10-21 14:43:13 +02:00
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int store()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Store user's datas in sessions database.
|
|
|
|
|
# Now, the user is known, authenticated and session variable are evaluated.
|
|
|
|
|
# It's time to store his parameters with Apache::Session::* module
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub store {
|
|
|
|
|
my ($self) = @_;
|
2009-02-14 09:55:19 +01:00
|
|
|
|
|
|
|
|
# Now, user is authenticated => inform Apache
|
|
|
|
|
$self->setApacheUser( $self->{sessionInfo}->{ $self->{whatToTrace} } );
|
|
|
|
|
|
2009-03-31 12:52:43 +02:00
|
|
|
$self->{sessionInfo}->{_utime} = time();
|
|
|
|
|
if ( $self->{securedCookie} == 2 ) {
|
|
|
|
|
my $h2 = $self->getApacheSession(undef);
|
|
|
|
|
$h2->{$_} = $self->{sessionInfo}->{$_}
|
|
|
|
|
foreach ( keys %{ $self->{sessionInfo} } );
|
|
|
|
|
$self->{sessionInfo}->{_httpSession} = $h2->{_session_id};
|
|
|
|
|
$h2->{_httpSessionType} = 1;
|
|
|
|
|
untie %$h2;
|
|
|
|
|
}
|
2009-02-23 18:35:38 +01:00
|
|
|
my $h = $self->getApacheSession(undef) or return PE_APACHESESSIONERROR;
|
2009-02-14 09:55:19 +01:00
|
|
|
$h->{$_} = $self->{sessionInfo}->{$_}
|
2007-01-04 09:42:13 +01:00
|
|
|
foreach ( keys %{ $self->{sessionInfo} } );
|
2009-02-14 09:55:19 +01:00
|
|
|
untie %$h;
|
2006-12-18 12:32:33 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int buildCookie()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Build the Lemonldap::NG cookie.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub buildCookie {
|
|
|
|
|
my $self = shift;
|
2008-08-08 18:19:16 +02:00
|
|
|
push @{ $self->{cookie} },
|
|
|
|
|
$self->cookie(
|
2009-08-20 16:19:40 +02:00
|
|
|
-name => $self->{cookieName},
|
|
|
|
|
-value => $self->{id},
|
|
|
|
|
-domain => $self->{domain},
|
|
|
|
|
-path => "/",
|
|
|
|
|
-secure => $self->{securedCookie},
|
|
|
|
|
-httponly => $self->{httpOnly},
|
2009-12-03 12:47:50 +01:00
|
|
|
-expires => $self->{cookieExpiration},
|
2006-12-18 12:32:33 +01:00
|
|
|
@_,
|
2008-08-08 18:19:16 +02:00
|
|
|
);
|
2009-03-31 12:52:43 +02:00
|
|
|
if ( $self->{securedCookie} == 2 ) {
|
|
|
|
|
push @{ $self->{cookie} },
|
|
|
|
|
$self->cookie(
|
2009-08-20 16:19:40 +02:00
|
|
|
-name => $self->{cookieName} . "http",
|
|
|
|
|
-value => $self->{sessionInfo}->{_httpSession},
|
|
|
|
|
-domain => $self->{domain},
|
|
|
|
|
-path => "/",
|
|
|
|
|
-secure => 0,
|
|
|
|
|
-httponly => $self->{httpOnly},
|
2009-12-03 12:47:50 +01:00
|
|
|
-expires => $self->{cookieExpiration},
|
2009-03-31 12:52:43 +02:00
|
|
|
@_,
|
|
|
|
|
);
|
|
|
|
|
}
|
2006-12-18 12:32:33 +01:00
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int checkNotification()
|
2009-12-10 18:03:57 +01:00
|
|
|
# Check if messages has to be notified.
|
2009-01-30 16:26:34 +01:00
|
|
|
# Call Lemonldap::NG::Portal::Notification::getNotification().
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2008-11-24 07:57:18 +01:00
|
|
|
sub checkNotification {
|
|
|
|
|
my $self = shift;
|
2009-01-30 16:26:34 +01:00
|
|
|
if ( $self->{notification}
|
|
|
|
|
and $self->{_notification} =
|
|
|
|
|
$self->{notifObject}->getNotification($self) )
|
|
|
|
|
{
|
|
|
|
|
return PE_NOTIFICATION;
|
2008-11-24 07:57:18 +01:00
|
|
|
}
|
|
|
|
|
return PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
# issuerForAuthUser(): must be implemented in IssuerDB* module
|
|
|
|
|
|
2009-02-17 15:56:38 +01:00
|
|
|
##@apmethod int autoRedirect()
|
2009-12-10 18:03:57 +01:00
|
|
|
# If the user was redirected to the portal, we will now redirect him
|
|
|
|
|
# to the requested URL.
|
2008-12-28 09:36:52 +01:00
|
|
|
#@return Lemonldap::NG::Portal constant
|
2006-12-18 12:32:33 +01:00
|
|
|
sub autoRedirect {
|
|
|
|
|
my $self = shift;
|
2009-02-12 18:09:33 +01:00
|
|
|
|
2009-02-23 18:35:38 +01:00
|
|
|
# default redirection URL
|
|
|
|
|
$self->{urldc} ||= $self->{portal} if ( $self->{mustRedirect} );
|
|
|
|
|
|
2009-02-12 18:09:33 +01:00
|
|
|
# Redirection should be made if
|
|
|
|
|
# - urldc defined
|
|
|
|
|
# - no warnings on ppolicy
|
2009-02-15 09:53:44 +01:00
|
|
|
if ( $self->{urldc}
|
|
|
|
|
and !$self->{ppolicy}->{time_before_expiration}
|
|
|
|
|
and !$self->{ppolicy}->{grace_authentications_remaining} )
|
|
|
|
|
{
|
2009-02-17 16:39:14 +01:00
|
|
|
|
2009-02-23 18:35:38 +01:00
|
|
|
# Cross-domain mechanism
|
2009-06-15 16:13:09 +02:00
|
|
|
if ( $self->{cda}
|
2009-02-17 16:39:14 +01:00
|
|
|
and $self->{id}
|
|
|
|
|
and $self->{urldc} !~ m#^https?://[^/]*$self->{domain}/#oi )
|
|
|
|
|
{
|
|
|
|
|
$self->lmLog( 'CDA request', 'debug' );
|
|
|
|
|
$self->{urldc} .=
|
2009-02-23 18:35:38 +01:00
|
|
|
( $self->{urldc} =~ /\?/ ? '&' : '?' )
|
|
|
|
|
. $self->{cookieName} . "="
|
|
|
|
|
. $self->{id};
|
2009-02-17 16:39:14 +01:00
|
|
|
}
|
2008-05-11 21:21:39 +02:00
|
|
|
$self->updateStatus;
|
2006-12-18 12:32:33 +01:00
|
|
|
print $self->SUPER::redirect(
|
2009-02-12 18:09:33 +01:00
|
|
|
-uri => $self->{urldc},
|
2006-12-18 12:32:33 +01:00
|
|
|
-cookie => $self->{cookie},
|
2009-08-18 15:33:36 +02:00
|
|
|
-status => '303 See Other'
|
2006-12-18 12:32:33 +01:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
# Remove this lines if your browsers does not support redirections
|
|
|
|
|
# print << "EOF";
|
|
|
|
|
#<html>
|
|
|
|
|
#<head>
|
|
|
|
|
#<script language="Javascript">
|
|
|
|
|
#function redirect() {
|
2007-01-14 20:39:07 +01:00
|
|
|
# document.location.href='$u';
|
2006-12-18 12:32:33 +01:00
|
|
|
#}
|
|
|
|
|
#</script>
|
|
|
|
|
#</head>
|
|
|
|
|
#<body onload="redirect();">
|
2007-01-14 20:39:07 +01:00
|
|
|
# <h2>The document has moved <a href="$u">HERE</a></h2>
|
2006-12-18 12:32:33 +01:00
|
|
|
#</body>
|
|
|
|
|
#</html>
|
|
|
|
|
#EOF
|
|
|
|
|
exit;
|
|
|
|
|
}
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
1;
|
|
|
|
|
|
|
|
|
|
__END__
|
|
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
2010-01-03 09:09:59 +01:00
|
|
|
=encoding utf8
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
Lemonldap::NG::Portal::Simple - Base module for building Lemonldap::NG compatible portals
|
|
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
|
|
use Lemonldap::NG::Portal::Simple;
|
|
|
|
|
my $portal = new Lemonldap::NG::Portal::Simple(
|
2007-04-10 07:15:26 +02:00
|
|
|
domain => 'example.com',
|
2006-12-18 12:32:33 +01:00
|
|
|
globalStorage => 'Apache::Session::MySQL',
|
2007-01-14 20:39:07 +01:00
|
|
|
globalStorageOptions => {
|
|
|
|
|
DataSource => 'dbi:mysql:database=dbname;host=127.0.0.1',
|
|
|
|
|
UserName => 'db_user',
|
|
|
|
|
Password => 'db_password',
|
|
|
|
|
TableName => 'sessions',
|
|
|
|
|
LockDataSource => 'dbi:mysql:database=dbname;host=127.0.0.1',
|
|
|
|
|
LockUserName => 'db_user',
|
|
|
|
|
LockPassword => 'db_password',
|
|
|
|
|
},
|
2007-05-15 06:31:10 +02:00
|
|
|
ldapServer => 'ldap.domaine.com,ldap-backup.domaine.com',
|
2007-01-14 20:39:07 +01:00
|
|
|
securedCookie => 1,
|
2008-09-10 12:40:01 +02:00
|
|
|
exportedVars => {
|
|
|
|
|
uid => 'uid',
|
|
|
|
|
cn => 'cn',
|
|
|
|
|
mail => 'mail',
|
|
|
|
|
appli => 'appli',
|
2008-12-07 21:07:52 +01:00
|
|
|
},
|
|
|
|
|
# Activate SOAP service
|
|
|
|
|
Soap => 1
|
2006-12-18 12:32:33 +01:00
|
|
|
);
|
2008-12-07 21:07:52 +01:00
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
if($portal->process()) {
|
|
|
|
|
# Write here the menu with CGI methods. This page is displayed ONLY IF
|
|
|
|
|
# the user was not redirected here.
|
2008-06-06 05:51:39 +02:00
|
|
|
print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see L<CGI(3)>)
|
2006-12-18 12:32:33 +01:00
|
|
|
print "...";
|
|
|
|
|
|
|
|
|
|
# or redirect the user to the menu
|
|
|
|
|
print $portal->redirect( -uri => 'https://portal/menu');
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
# Write here the html form used to authenticate with CGI methods.
|
|
|
|
|
# $portal->error returns the error message if athentification failed
|
|
|
|
|
# Warning: by defaut, input names are "user" and "password"
|
2008-06-06 05:51:39 +02:00
|
|
|
print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see L<CGI(3)>)
|
2006-12-18 12:32:33 +01:00
|
|
|
print "...";
|
|
|
|
|
print '<form method="POST">';
|
|
|
|
|
# In your form, the following value is required for redirection
|
|
|
|
|
print '<input type="hidden" name="url" value="'.$portal->param('url').'">';
|
|
|
|
|
# Next, login and password
|
|
|
|
|
print 'Login : <input name="user"><br>';
|
|
|
|
|
print 'Password : <input name="password" type="password" autocomplete="off">';
|
|
|
|
|
print '<input type="submit" value="go" />';
|
|
|
|
|
print '</form>';
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-07 21:07:52 +01:00
|
|
|
SOAP mode authentication (client) :
|
|
|
|
|
|
|
|
|
|
#!/usr/bin/perl -l
|
|
|
|
|
|
|
|
|
|
use SOAP::Lite;
|
|
|
|
|
use Data::Dumper;
|
|
|
|
|
|
|
|
|
|
my $soap =
|
|
|
|
|
SOAP::Lite->proxy('http://auth.example.com/')
|
2009-02-08 20:12:08 +01:00
|
|
|
->uri('urn:/Lemonldap::NG::Common::CGI::SOAPService');
|
2008-12-07 21:07:52 +01:00
|
|
|
my $r = $soap->getCookies( 'user', 'password' );
|
|
|
|
|
|
|
|
|
|
# Catch SOAP errors
|
|
|
|
|
if ( $r->fault ) {
|
|
|
|
|
print STDERR "SOAP Error: " . $r->fault->{faultstring};
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
my $res = $r->result();
|
|
|
|
|
|
|
|
|
|
# If authentication failed, display error
|
|
|
|
|
if ( $res->{error} ) {
|
|
|
|
|
print STDERR "Error: " . $soap->error( 'fr', $res->{error} )->result();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# print session-ID
|
|
|
|
|
else {
|
|
|
|
|
print "Cookie: lemonldap=" . $res->{cookies}->{lemonldap};
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG::Portal::Simple is the base module for building Lemonldap::NG
|
|
|
|
|
compatible portals. You can use it either by inheritance or by writing
|
|
|
|
|
anonymous methods like in the example above.
|
|
|
|
|
|
2006-12-24 09:37:27 +01:00
|
|
|
See L<Lemonldap::NG::Portal::SharedConf> for a complete example of use of
|
2006-12-18 12:32:33 +01:00
|
|
|
Lemonldap::Portal::* libraries.
|
|
|
|
|
|
|
|
|
|
=head1 METHODS
|
|
|
|
|
|
|
|
|
|
=head2 Constructor (new)
|
|
|
|
|
|
|
|
|
|
=head3 Args
|
|
|
|
|
|
|
|
|
|
=over
|
|
|
|
|
|
2007-05-15 06:31:10 +02:00
|
|
|
=item * ldapServer: server(s) used to retrive session informations and to valid
|
|
|
|
|
credentials (localhost by default). More than one server can be set here
|
|
|
|
|
separated by commas. The servers will be tested in the specifies order.
|
2007-07-22 22:30:27 +02:00
|
|
|
To use TLS, set "ldap+tls://server" and to use LDAPS, set "ldaps://server"
|
|
|
|
|
instead of server name. If you use TLS, you can set any of the
|
|
|
|
|
Net::LDAP->start_tls() sub like this:
|
|
|
|
|
"ldap/tls://server/verify=none&capath=/etc/ssl"
|
|
|
|
|
You can also use caFile and caPath parameters.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=item * ldapPort: tcp port used by ldap server.
|
|
|
|
|
|
|
|
|
|
=item * ldapBase: base of the ldap directory.
|
|
|
|
|
|
|
|
|
|
=item * managerDn: dn to used to connect to ldap server. By default, anonymous
|
|
|
|
|
bind is used.
|
|
|
|
|
|
|
|
|
|
=item * managerPassword: password to used to connect to ldap server. By
|
|
|
|
|
default, anonymous bind is used.
|
|
|
|
|
|
2007-07-22 22:30:27 +02:00
|
|
|
=item * securedCookie: set it to 1 if you want to protect user cookies.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2007-07-22 22:30:27 +02:00
|
|
|
=item * cookieName: name of the cookie used by Lemonldap::NG (lemon by default).
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=item * domain: cookie domain. You may have to give it else the SSO will work
|
|
|
|
|
only on your server.
|
|
|
|
|
|
|
|
|
|
=item * globalStorage: required: L<Apache::Session> library to used to store
|
2007-07-22 22:30:27 +02:00
|
|
|
session informations.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=item * globalStorageOptions: parameters to bind to L<Apache::Session> module
|
|
|
|
|
|
|
|
|
|
=item * authentication: sheme to authenticate users (default: "ldap"). It can
|
|
|
|
|
be set to:
|
|
|
|
|
|
|
|
|
|
=over
|
|
|
|
|
|
|
|
|
|
=item * B<SSL>: See L<Lemonldap::NG::Portal::AuthSSL>.
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
2007-07-22 22:30:27 +02:00
|
|
|
=item * caPath, caFile: if you use ldap+tls you can overwrite cafile or capath
|
2010-01-03 09:09:59 +01:00
|
|
|
options with those parameters. This is useful if you use a shared
|
2007-07-22 22:30:27 +02:00
|
|
|
configuration.
|
|
|
|
|
|
2008-05-10 11:31:43 +02:00
|
|
|
=item * ldapPpolicyControl: set it to 1 if you want to use LDAP Password Policy
|
|
|
|
|
|
2010-01-11 15:02:43 +01:00
|
|
|
=item * grantSessionRule: rule applied to grant session opening for a user. Can
|
|
|
|
|
use all exported attributes, macros, groups and custom functions.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=head2 Methods that can be overloaded
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
All the functions above can be overloaded to adapt Lemonldap::NG to your
|
2006-12-18 12:32:33 +01:00
|
|
|
environment. They MUST return one of the exported constants (see above)
|
|
|
|
|
and are called in this order by process().
|
|
|
|
|
|
|
|
|
|
=head3 controlUrlOrigin
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
If the user was redirected by a Lemonldap::NG handler, stores the url that will be
|
2006-12-18 12:32:33 +01:00
|
|
|
used to redirect the user after authentication.
|
|
|
|
|
|
|
|
|
|
=head3 controlExistingSession
|
|
|
|
|
|
2007-02-11 09:31:56 +01:00
|
|
|
Controls if a previous session is always available. If true, it call the sub
|
|
|
|
|
C<existingSession> with two parameters: id and a scalar tied on Apache::Session
|
|
|
|
|
module choosed to store sessions. See bellow
|
|
|
|
|
|
|
|
|
|
=head3 existingSession
|
|
|
|
|
|
|
|
|
|
This sub is called only if a previous session exists and is available. By
|
|
|
|
|
defaults, it returns PE_OK so user is re-authenticated. You can overload it:
|
|
|
|
|
for example if existingSession just returns PE_DONE: authenticated users are
|
|
|
|
|
not re-authenticated and C<>process> returns true.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head3 extractFormInfo
|
|
|
|
|
|
2008-06-11 08:00:26 +02:00
|
|
|
Method implemented into Lemonldap::NG::Portal::Auth* modules. By default
|
|
|
|
|
(ldap bind), converts form input into object variables ($self->{user} and
|
2006-12-18 12:32:33 +01:00
|
|
|
$self->{password}).
|
|
|
|
|
|
|
|
|
|
=head3 formateParams
|
|
|
|
|
|
|
|
|
|
Does nothing. To be overloaded if needed.
|
|
|
|
|
|
|
|
|
|
=head3 formateFilter
|
|
|
|
|
|
|
|
|
|
Creates the ldap filter using $self->{user}. By default :
|
|
|
|
|
|
2008-05-30 06:47:32 +02:00
|
|
|
$self->{filter} = "(&(uid=" . $self->{user} . ")(objectClass=inetOrgPerson))";
|
2006-12-18 12:32:33 +01:00
|
|
|
|
2009-04-05 10:12:16 +02:00
|
|
|
If $self->{AuthLDAPFilter} is set, it is used instead of this. This is used by
|
2008-06-11 08:00:26 +02:00
|
|
|
Lemonldap::NG::Portal::Auth* modules to overload filter.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 connectLDAP
|
|
|
|
|
|
|
|
|
|
Connects to LDAP server.
|
|
|
|
|
|
|
|
|
|
=head3 bind
|
|
|
|
|
|
|
|
|
|
Binds to the LDAP server using $self->{managerDn} and $self->{managerPassword}
|
|
|
|
|
if exist. Anonymous bind is provided else.
|
|
|
|
|
|
|
|
|
|
=head3 search
|
|
|
|
|
|
|
|
|
|
Retrives the LDAP entry corresponding to the user using $self->{filter}.
|
|
|
|
|
|
2008-06-11 08:00:26 +02:00
|
|
|
=head3 setAuthSessionInfo
|
|
|
|
|
|
|
|
|
|
Same as setSessionInfo but implemented in Lemonldap::NG::Portal::Auth* modules.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 setSessionInfo
|
|
|
|
|
|
|
|
|
|
Prepares variables to store in central cache (stored temporarily in
|
|
|
|
|
C<$self->{sessionInfo}>). It use C<exportedVars> entry (passed to the new sub)
|
|
|
|
|
if defined to know what to store else it stores uid, cn and mail attributes.
|
|
|
|
|
|
2008-09-19 17:28:00 +02:00
|
|
|
=head3 getSessionInfo
|
|
|
|
|
|
|
|
|
|
Pick up an information stored in session.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 setGroups
|
|
|
|
|
|
|
|
|
|
Does nothing by default.
|
|
|
|
|
|
|
|
|
|
=head3 authenticate
|
|
|
|
|
|
2008-06-11 08:00:26 +02:00
|
|
|
Method implemented in Lemonldap::NG::Portal::Auth* modules. By default (ldap),
|
|
|
|
|
authenticates the user by rebinding to the LDAP server using the dn retrived
|
2006-12-18 12:32:33 +01:00
|
|
|
with search() and the password.
|
|
|
|
|
|
2010-01-11 15:02:43 +01:00
|
|
|
=head3 grantSession
|
|
|
|
|
|
|
|
|
|
Use grantSessionRule parameter to allow session opening.
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 store
|
|
|
|
|
|
|
|
|
|
Stores the informations collected by setSessionInfo into the central cache.
|
|
|
|
|
The portal connects the cache using the L<Apache::Session> module passed by
|
|
|
|
|
the globalStorage parameters (see constructor).
|
|
|
|
|
|
|
|
|
|
=head3 unbind
|
|
|
|
|
|
|
|
|
|
Disconnects from the LDAP server.
|
|
|
|
|
|
|
|
|
|
=head3 buildCookie
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
Creates the Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head3 log
|
|
|
|
|
|
|
|
|
|
Does nothing. To be overloaded if wanted.
|
|
|
|
|
|
2007-01-11 07:42:57 +01:00
|
|
|
=head3 autoRedirect
|
|
|
|
|
|
|
|
|
|
Redirects the user to the url stored by controlUrlOrigin().
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head2 Other methods
|
|
|
|
|
|
|
|
|
|
=head3 process
|
|
|
|
|
|
|
|
|
|
Main method.
|
|
|
|
|
|
|
|
|
|
=head3 error
|
|
|
|
|
|
|
|
|
|
Returns the error message corresponding to the error returned by the methods
|
|
|
|
|
described above
|
|
|
|
|
|
2008-09-19 17:28:00 +02:00
|
|
|
=head3 error_type
|
|
|
|
|
|
|
|
|
|
Give the type of the error (positive, warning or positive)
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head3 _bind( $ldap, $dn, $password )
|
|
|
|
|
|
2008-06-06 05:51:39 +02:00
|
|
|
Method used to bind to the ldap server.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head3 header
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
Overloads the CGI::header method to add Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head3 redirect
|
|
|
|
|
|
2007-05-05 16:13:44 +02:00
|
|
|
Overloads the CGI::redirect method to add Lemonldap::NG cookie.
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head2 EXPORT
|
|
|
|
|
|
|
|
|
|
=head3 Constants
|
|
|
|
|
|
|
|
|
|
=over 5
|
|
|
|
|
|
|
|
|
|
=item * B<PE_OK>: all is good
|
|
|
|
|
|
|
|
|
|
=item * B<PE_SESSIONEXPIRED>: the user session has expired
|
|
|
|
|
|
|
|
|
|
=item * B<PE_FORMEMPTY>: Nothing was entered in the login form
|
|
|
|
|
|
|
|
|
|
=item * B<PE_USERNOTFOUND>: the user was not found in the (ldap) directory
|
|
|
|
|
|
|
|
|
|
=item * B<PE_WRONGMANAGERACCOUNT>: the account used to bind to LDAP server in order to
|
|
|
|
|
find the user distinguished name (dn) was refused by the server
|
|
|
|
|
|
|
|
|
|
=item * B<PE_BADCREDENTIALS>: bad login or password
|
|
|
|
|
|
|
|
|
|
=item * B<PE_LDAPERROR>: abnormal error from ldap
|
|
|
|
|
|
|
|
|
|
=item * B<PE_APACHESESSIONERROR>: abnormal error from Apache::Session
|
|
|
|
|
|
|
|
|
|
=item * B<PE_FIRSTACCESS>: First access to the portal
|
|
|
|
|
|
|
|
|
|
=item * B<PE_BADCERTIFICATE>: Wrong certificate
|
|
|
|
|
|
2008-06-11 08:00:26 +02:00
|
|
|
=item * PE_PP_ACCOUNT_LOCKED: account locked
|
|
|
|
|
|
|
|
|
|
=item * PE_PP_PASSWORD_EXPIRED: password axpired
|
|
|
|
|
|
|
|
|
|
=item * PE_CERTIFICATEREQUIRED: certificate required
|
|
|
|
|
|
|
|
|
|
=item * PE_ERROR: unclassified error
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
2007-04-02 21:13:05 +02:00
|
|
|
L<Lemonldap::NG::Handler>, L<Lemonldap::NG::Portal::SharedConf>, L<CGI>,
|
|
|
|
|
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
=head1 AUTHOR
|
|
|
|
|
|
|
|
|
|
Xavier Guimard, E<lt>x.guimard@free.frE<gt>
|
|
|
|
|
|
2007-04-14 15:12:11 +02:00
|
|
|
=head1 BUG REPORT
|
|
|
|
|
|
|
|
|
|
Use OW2 system to report bug or ask for features:
|
|
|
|
|
L<http://forge.objectweb.org/tracker/?group_id=274>
|
|
|
|
|
|
|
|
|
|
=head1 DOWNLOAD
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG is available at
|
|
|
|
|
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
|
|
|
|
|
2006-12-18 12:32:33 +01:00
|
|
|
=head1 COPYRIGHT AND LICENSE
|
|
|
|
|
|
2009-12-13 16:40:33 +01:00
|
|
|
Copyright (C) 2005-2009 by Xavier Guimard E<lt>x.guimard@free.frE<gt> and
|
|
|
|
|
Clement Oudot, E<lt>coudot@linagora.comE<gt>
|
2006-12-18 12:32:33 +01:00
|
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the same terms as Perl itself, either Perl version 5.8.4 or,
|
|
|
|
|
at your option, any later version of Perl 5 you may have available.
|
|
|
|
|
|
|
|
|
|
=cut
|
