lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthGoogle.pm

##@file
# Google authentication backend file

##@class
# Google authentication backend class.
# The form must return a google_go field
package Lemonldap::NG::Portal::AuthGoogle;

use strict;
use Lemonldap::NG::Portal::Simple;
use Lemonldap::NG::Common::Regexp;
use LWP::UserAgent;
use URI::Escape;
use Cache::FileCache;

use constant AXSPECURL      => 'http://openid.net/srv/ax/1.0';
use constant GOOGLEENDPOINT => 'https://www.google.com/accounts/o8/id';

our $VERSION = '1.3.0';
our $initDone;
our $googleEndPoint;

BEGIN {
    eval {
        require threads::shared;
        threads::shared::share($initDone);
        threads::shared::share($googleEndPoint);
    };
}

## @method string googleEndPoint()
# Return the Google OpenID endpoint given by
# https://www.google.com/accounts/o8/id
# @return string
sub googleEndPoint {
    my $self = shift;

    unless ($googleEndPoint) {
        my $response =
          $self->ua()->get( GOOGLEENDPOINT, Accept => 'application/xrds+xml' );
        if ( $response->is_success ) {

            # Dirty XML parse
            # (searching for <URI>https://www.google.com/accounts/o8/ud</URI>)
            my $tmp = $response->decoded_content;
            if ( $tmp =~ m#<URI.*?>(\S+)</URI>#mi ) {
                $googleEndPoint = $1;
            }
            else {
                $self->lmLog( 'Here is the Google response: '
                      . $response->decoded_content );
                $self->abort('Can\'t find endpoint in Googe response');
            }
        }
        else {
            $self->abort('Can\'t access to Google endpoint');
        }
    }
    return $googleEndPoint;
}

## @method LWP::UserAgent ua()
# @return LWP::UserAgent object
sub ua {
    my $self = shift;
    return $self->{ua} ||= LWP::UserAgent->new();
}

## @method boolean checkGoogleSession()
# Search for claimed_id in persistent sessions DB.
# @return true if sessions was recovered
sub checkGoogleSession {
    my $self = shift;

    # Find in Google response for AX attributes
    # See https://developers.google.com/accounts/docs/OpenID#Parameters
    # for more
    ( $self->{_AXNS} ) = map {
            ( /^openid\.ns\.(.*)/ and $self->param($_) eq AXSPECURL )
          ? ($1)
          : ()
    } $self->param();

    # Look at persistent database
    my $id = $self->_md5hash( $self->param('openid.claimed_id') );
    my $h  = $self->getPersistentSession($id);
    my $gs;

    # No AX response, if datas are already shared, store them
    unless ( $self->{_AXNS} ) {
        if ($h) {
            $self->{user} = $h->{email};
            while ( my ( $k, $v ) = each %$h ) {
                $gs->{$k} = $v;
            }
        }
    }
    else {

        # First store email as user key. Note that this is the returned value
        # so if it's empty, request is retried
        $self->{user} = $self->param("openid.$self->{_AXNS}.value.email");

        # If persistent session does not exist, create it
        unless ($h) {
            $h = {};
            my %opts = %{ $self->{persistentStorageOptions} };
            $opts{setId} = $id;
            eval { tie %$h, $self->{persistentStorage}, undef, \%opts; };
            if ($@) {
                $self->abort(
"Unable to create persistent session required to use Google backend: $@"
                );
            }
            else {
                $self->lmLog(
                    "Persistent session $h->{_session_id} created to store "
                      . $self->{user}
                      . ' Google shared datas',
                    'debug'
                );
            }
        }

        # Retrieve AX datas
        foreach my $k ( $self->param() ) {
            if ( $k =~ /^openid\.$self->{_AXNS}\.value\.(\w+)$/ ) {
                $gs->{$1} = $h->{$1} = $self->param($k);
            }
        }
    }

    # Now store datas in session
    while ( my ( $k, $v ) = each %{ $self->{exportedVars} } ) {
        my $attr = $k;
        $attr =~ s/^!//;

        # Value (ie AX attribute) must be one of:
        if ( $v =~ /^(?:(?:la(?:nguag|stnam)|firstnam)e|country|email)$/ ) {

            # One value is missing:
            unless ( exists( $gs->{$v} ) ) {

                # Case 1: value was asked but not returned, set an empty value
                #         in persistent session (so that it's defined)
                if ( $self->{_AXNS} ) {
                    $self->lmLog(
"$v required attribute is missing in Google response, storing ''",
                        'info'
                    );
                    $h->{$v} = $gs->{$v} = '';
                }

                # Case 2: value is not stored, probably configuration has
                #         changed and this value was never asked
                else {
                    $self->lmLog(
"$v required attribute is missing in persistent session, let's ask it",
                        'info'
                    );
                    return 0;
                }
            }
            $self->{sessionInfo}->{$attr} = $gs->{$v};
        }
        else {
            $self->lmLog(
                'Ignoring attribute '
                  . $self->{exportedVars}->{$k}
                  . ' which is not a valid Google OpenID AX attribute',
                'warn'
            );
        }
    }
    untie %$h if ($h);
    return $self->{user};
}

## @apmethod int authInit()
# @return Lemonldap::NG::Portal constant
sub authInit {
    PE_OK;
}

## @apmethod int extractFormInfo()
# Read username return by Google authentication system.
# @return Lemonldap::NG::Portal constant
sub extractFormInfo {
    my $self = shift;
    my $ax   = '';

    # 1. Check Google responses
    if ( $self->param('openid.mode') ) {

        # 1.1 First, verify that the response isn't forged

        # Build verification request
        my $check_url = $self->googleEndPoint() . "?" . join(
            '&',
            map {
                my $val = $self->param($_);
                $val = 'check_authentication' if $_ eq 'openid.mode';
                sprintf '%s=%s', uri_escape_utf8($_), uri_escape_utf8($val);
            } $self->param()
        );

        # Launch request
        my $response = $self->ua()->get( $check_url, Accept => 'text/plain' );
        unless ( $response->is_success ) {
            $self->abort('Can\'t verify Google authentication');
        }
        else {
            my %tmp =
              map { my ( $key, $value ) = split /:/, $_, 2; $key => $value }
              split /\n/, $response->decoded_content;

            # Reject invalid requests
            unless ( $tmp{is_valid} eq 'true' ) {
                return PE_BADCREDENTIALS;
            }

            # 1.2 Check if datas are already shared with Google
            unless ( $self->checkGoogleSession() ) {

                # Datas are missing, prepare to launch a new request with
                # AX request

                # a) email is required, will be used as 'user' field
                $ax =
                    '&openid.ns.ax='
                  . AXSPECURL
                  . '&openid.ax.mode=fetch_request'
                  . '&openid.ax.type.email=http://axschema.org/contact/email'
                  . '&openid.ax.required=email';

                # b) if UserDB is Google, ask for exported variables
                if ( $self->get_module('user') eq 'Google' ) {
                    my $u;
                    while ( my ( $v, $k ) = each %{ $self->{exportedVars} } ) {
                        next if ( $k eq 'email' );
                        if ( $k =~
                            /^(?:(?:la(?:nguag|stnam)|firstnam)e|country)$/ )
                        {
                            $ax .= ",$k";
                            $u  .= "&openid.ax.type.$k="
                              . {
                                country =>
                                  "http://axschema.org/contact/country/home",
                                firstname =>
                                  "http://axschema.org/namePerson/first",
                                lastname =>
                                  "http://axschema.org/namePerson/last",
                                language => "http://axschema.org/pref/language"
                              }->{$k};
                        }
                        else {
                            $self->lmLog(
                                "Field name: $k is not exported by Google",
                                'warn' );
                        }
                    }
                    $ax .= $u;
                }
            }

            # 1.3 Datas are recovered, user is authenticated
            else {
                $self->lmLog( 'Good Google authentication', 'debug' );

                # Force redirection to avoid displaying OpenID datas
                $self->{mustRedirect} = 1;
                return PE_OK;
            }
        }
    }

    # 2. Redirect user to Google login page:
    #    * no OpenID response or missing datas
    my $check_url =
        $self->googleEndPoint()
      . '?openid.mode=checkid_setup'
      . '&openid.ns=http://specs.openid.net/auth/2.0'
      . '&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select'
      . '&openid.identity=http://specs.openid.net/auth/2.0/identifier_select'
      . $ax;
    my $sep = '?';
    my $ret = $self->{portal};
    foreach my $v (
        [ $self->{_url},                            "url" ],
        [ $self->param( $self->{authChoiceParam} ), $self->{authChoiceParam} ]
      )
    {
        if ( $v->[0] ) {
            $ret .= "$sep$v->[1]=$v->[0]";
            $sep = '&';
        }
    }
    $check_url .= '&openid.return_to=' . uri_escape_utf8($ret);
    print $self->redirect($check_url);
    $self->quit();
}

## @apmethod int setAuthSessionInfo()
# Set _user and authenticationLevel.
# @return Lemonldap::NG::Portal constant
sub setAuthSessionInfo {
    my $self = shift;

    $self->{sessionInfo}->{'_user'} = $self->{user};

    $self->{sessionInfo}->{authenticationLevel} = $self->{googleAuthnLevel};

    PE_OK;
}

## @apmethod int authenticate()
# Does nothing.
# @return Lemonldap::NG::Portal constant
sub authenticate {
    PE_OK;
}

## @apmethod int authFinish()
# Does nothing.
# @return Lemonldap::NG::Portal constant
sub authFinish {
    PE_OK;
}

## @apmethod int authLogout()
# Does nothing
# @return Lemonldap::NG::Portal constant
sub authLogout {
    PE_OK;
}

## @apmethod boolean authForce()
# Does nothing
# @return result
sub authForce {
    return 0;
}

## @method string getDisplayType
# @return display type
sub getDisplayType {
    return "logo";
}

1;
__END__

=head1 NAME

=encoding utf8

Lemonldap::NG::Portal::AuthGoogle - Perl extension for building Lemonldap::NG
compatible portals with Google authentication.

=head1 SYNOPSIS

  use Lemonldap::NG::Portal::SharedConf;
  my $portal = new Lemonldap::NG::Portal::Simple(
         configStorage     => {...}, # See Lemonldap::NG::Portal
         authentication    => 'Google',
    );

  if($portal->process()) {
    # Write here the menu with CGI methods. This page is displayed ONLY IF
    # the user was not redirected here.
    print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
    print "...";
  }
  else {
    # If the user enters here, IT MEANS THAT CAS REDIRECTION DOES NOT WORK
    print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
    print "<html><body><h1>Unable to work</h1>";
    print "This server isn't well configured. Contact your administrator.";
    print "</body></html>";
  }

=head1 DESCRIPTION

This library just overload few methods of Lemonldap::NG::Portal::Simple to use
Google authentication mechanism.

See L<Lemonldap::NG::Portal::Simple> for usage and other methods.

=head1 SEE ALSO

L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::Simple>,
L<http://lemonldap-ng.org/>,
L<https://developers.google.com/accounts/docs/OpenID>

=head1 AUTHOR

=over

=item Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>

=item Xavier Guimard, E<lt>x.guimard@free.frE<gt>

=back

=head1 BUG REPORT

Use OW2 system to report bug or ask for features:
L<http://jira.ow2.org>

=head1 DOWNLOAD

Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>

=head1 COPYRIGHT AND LICENSE

=over

=item Copyright (C) 2013 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>

=item Copyright (C) 2013 by Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>

=back

This library is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see L<http://www.gnu.org/licenses/>.

=cut
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`##@file`
			`# Google authentication backend file`

			`##@class`
			`# Google authentication backend class.`
			`# The form must return a google_go field`
			`package Lemonldap::NG::Portal::AuthGoogle;`

			`use strict;`
			`use Lemonldap::NG::Portal::Simple;`
			`use Lemonldap::NG::Common::Regexp;`
			`use LWP::UserAgent;`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`use URI::Escape;`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`use Cache::FileCache;`

Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`use constant AXSPECURL => 'http://openid.net/srv/ax/1.0';`
			`use constant GOOGLEENDPOINT => 'https://www.google.com/accounts/o8/id';`

Update $VERSION 2013-09-28 07:41:37 +02:00			`our $VERSION = '1.3.0';`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`our $initDone;`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`our $googleEndPoint;`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00
			`BEGIN {`
			`eval {`
			`require threads::shared;`
			`threads::shared::share($initDone);`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`threads::shared::share($googleEndPoint);`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`};`
			`}`

Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`## @method string googleEndPoint()`
			`# Return the Google OpenID endpoint given by`
			`# https://www.google.com/accounts/o8/id`
			`# @return string`
			`sub googleEndPoint {`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`my $self = shift;`

			`unless ($googleEndPoint) {`
			`my $response =`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`$self->ua()->get( GOOGLEENDPOINT, Accept => 'application/xrds+xml' );`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`if ( $response->is_success ) {`

			`# Dirty XML parse`
			`# (searching for <URI>https://www.google.com/accounts/o8/ud</URI>)`
			`my $tmp = $response->decoded_content;`
Little regexp change 2013-09-29 18:43:15 +02:00			`if ( $tmp =~ m#<URI.*?>(\S+)</URI>#mi ) {`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`$googleEndPoint = $1;`
			`}`
			`else {`
			`$self->lmLog( 'Here is the Google response: '`
			`. $response->decoded_content );`
			`$self->abort('Can\'t find endpoint in Googe response');`
			`}`
			`}`
			`else {`
			`$self->abort('Can\'t access to Google endpoint');`
			`}`
			`}`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`return $googleEndPoint;`
			`}`

			`## @method LWP::UserAgent ua()`
			`# @return LWP::UserAgent object`
			`sub ua {`
			`my $self = shift;`
			`return $self->{ua} \|\|= LWP::UserAgent->new();`
			`}`

			`## @method boolean checkGoogleSession()`
			`# Search for claimed_id in persistent sessions DB.`
			`# @return true if sessions was recovered`
			`sub checkGoogleSession {`
			`my $self = shift;`

Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`# Find in Google response for AX attributes`
			`# See https://developers.google.com/accounts/docs/OpenID#Parameters`
			`# for more`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`( $self->{_AXNS} ) = map {`
			`( /^openid\.ns\.(.*)/ and $self->param($_) eq AXSPECURL )`
			`? ($1)`
			`: ()`
			`} $self->param();`

Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`# Look at persistent database`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`my $id = $self->_md5hash( $self->param('openid.claimed_id') );`
			`my $h = $self->getPersistentSession($id);`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`my $gs;`

			`# No AX response, if datas are already shared, store them`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`unless ( $self->{_AXNS} ) {`
			`if ($h) {`
			`$self->{user} = $h->{email};`
			`while ( my ( $k, $v ) = each %$h ) {`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`$gs->{$k} = $v;`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`}`
			`}`
			`}`
			`else {`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00
			`# First store email as user key. Note that this is the returned value`
			`# so if it's empty, request is retried`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`$self->{user} = $self->param("openid.$self->{_AXNS}.value.email");`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00
			`# If persistent session does not exist, create it`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`unless ($h) {`
			`$h = {};`
			`my %opts = %{ $self->{persistentStorageOptions} };`
			`$opts{setId} = $id;`
			`eval { tie %$h, $self->{persistentStorage}, undef, \%opts; };`
			`if ($@) {`
			`$self->abort(`
			`"Unable to create persistent session required to use Google backend: $@"`
			`);`
			`}`
			`else {`
			`$self->lmLog(`
			`"Persistent session $h->{_session_id} created to store "`
			`. $self->{user}`
			`. ' Google shared datas',`
			`'debug'`
			`);`
			`}`
			`}`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00
			`# Retrieve AX datas`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`foreach my $k ( $self->param() ) {`
			`if ( $k =~ /^openid\.$self->{_AXNS}\.value\.(\w+)$/ ) {`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`$gs->{$1} = $h->{$1} = $self->param($k);`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`}`
			`}`
			`}`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00
			`# Now store datas in session`
			`while ( my ( $k, $v ) = each %{ $self->{exportedVars} } ) {`
			`my $attr = $k;`
			`$attr =~ s/^!//;`

			`# Value (ie AX attribute) must be one of:`
			`if ( $v =~ /^(?:(?:la(?:nguag\|stnam)\|firstnam)e\|country\|email)$/ ) {`

May close the bug revealed in LEMONLDAP-615#comment-01-oct-13 2013-10-02 13:42:57 +02:00			`# One value is missing:`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`unless ( exists( $gs->{$v} ) ) {`
May close the bug revealed in LEMONLDAP-615#comment-01-oct-13 2013-10-02 13:42:57 +02:00
			`# Case 1: value was asked but not returned, set an empty value`
			`# in persistent session (so that it's defined)`
			`if ( $self->{_AXNS} ) {`
			`$self->lmLog(`
Force redirection to avoid displaying OpenID datas 2013-10-02 21:45:33 +02:00			`"$v required attribute is missing in Google response, storing ''",`
May close the bug revealed in LEMONLDAP-615#comment-01-oct-13 2013-10-02 13:42:57 +02:00			`'info'`
			`);`
			`$h->{$v} = $gs->{$v} = '';`
			`}`

			`# Case 2: value is not stored, probably configuration has`
			`# changed and this value was never asked`
			`else {`
			`$self->lmLog(`
Force redirection to avoid displaying OpenID datas 2013-10-02 21:45:33 +02:00			`"$v required attribute is missing in persistent session, let's ask it",`
May close the bug revealed in LEMONLDAP-615#comment-01-oct-13 2013-10-02 13:42:57 +02:00			`'info'`
			`);`
			`return 0;`
			`}`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`}`
			`$self->{sessionInfo}->{$attr} = $gs->{$v};`
			`}`
			`else {`
			`$self->lmLog(`
			`'Ignoring attribute '`
			`. $self->{exportedVars}->{$k}`
			`. ' which is not a valid Google OpenID AX attribute',`
			`'warn'`
			`);`
			`}`
			`}`
May close the bug revealed in LEMONLDAP-615#comment-01-oct-13 2013-10-02 13:42:57 +02:00			`untie %$h if ($h);`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`return $self->{user};`
			`}`

			`## @apmethod int authInit()`
			`# @return Lemonldap::NG::Portal constant`
			`sub authInit {`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`PE_OK;`
			`}`

			`## @apmethod int extractFormInfo()`
			`# Read username return by Google authentication system.`
			`# @return Lemonldap::NG::Portal constant`
			`sub extractFormInfo {`
			`my $self = shift;`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`my $ax = '';`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`# 1. Check Google responses`
			`if ( $self->param('openid.mode') ) {`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`# 1.1 First, verify that the response isn't forged`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`# Build verification request`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`my $check_url = $self->googleEndPoint() . "?" . join(`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`'&',`
			`map {`
			`my $val = $self->param($_);`
			`$val = 'check_authentication' if $_ eq 'openid.mode';`
			`sprintf '%s=%s', uri_escape_utf8($_), uri_escape_utf8($val);`
			`} $self->param()`
			`);`

Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`# Launch request`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`my $response = $self->ua()->get( $check_url, Accept => 'text/plain' );`
			`unless ( $response->is_success ) {`
			`$self->abort('Can\'t verify Google authentication');`
			`}`
			`else {`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`my %tmp =`
			`map { my ( $key, $value ) = split /:/, $_, 2; $key => $value }`
			`split /\n/, $response->decoded_content;`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00
			`# Reject invalid requests`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`unless ( $tmp{is_valid} eq 'true' ) {`
			`return PE_BADCREDENTIALS;`
			`}`

Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`# 1.2 Check if datas are already shared with Google`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`unless ( $self->checkGoogleSession() ) {`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00
			`# Datas are missing, prepare to launch a new request with`
			`# AX request`

			`# a) email is required, will be used as 'user' field`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`$ax =`
			`'&openid.ns.ax='`
			`. AXSPECURL`
			`. '&openid.ax.mode=fetch_request'`
			`. '&openid.ax.type.email=http://axschema.org/contact/email'`
			`. '&openid.ax.required=email';`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00
			`# b) if UserDB is Google, ask for exported variables`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`if ( $self->get_module('user') eq 'Google' ) {`
			`my $u;`
			`while ( my ( $v, $k ) = each %{ $self->{exportedVars} } ) {`
			`next if ( $k eq 'email' );`
			`if ( $k =~`
			`/^(?:(?:la(?:nguag\|stnam)\|firstnam)e\|country)$/ )`
			`{`
			`$ax .= ",$k";`
			`$u .= "&openid.ax.type.$k="`
			`. {`
			`country =>`
			`"http://axschema.org/contact/country/home",`
			`firstname =>`
			`"http://axschema.org/namePerson/first",`
			`lastname =>`
			`"http://axschema.org/namePerson/last",`
			`language => "http://axschema.org/pref/language"`
			`}->{$k};`
			`}`
			`else {`
			`$self->lmLog(`
			`"Field name: $k is not exported by Google",`
			`'warn' );`
			`}`
			`}`
			`$ax .= $u;`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`}`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`}`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00
			`# 1.3 Datas are recovered, user is authenticated`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`else {`
Force redirection to avoid displaying OpenID datas 2013-10-02 21:45:33 +02:00			`$self->lmLog( 'Good Google authentication', 'debug' );`

			`# Force redirection to avoid displaying OpenID datas`
			`$self->{mustRedirect} = 1;`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`return PE_OK;`
			`}`
			`}`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`}`

Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`# 2. Redirect user to Google login page:`
			`# * no OpenID response or missing datas`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`my $check_url =`
			`$self->googleEndPoint()`
			`. '?openid.mode=checkid_setup'`
			`. '&openid.ns=http://specs.openid.net/auth/2.0'`
			`. '&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select'`
			`. '&openid.identity=http://specs.openid.net/auth/2.0/identifier_select'`
			`. $ax;`
			`my $sep = '?';`
			`my $ret = $self->{portal};`
			`foreach my $v (`
			`[ $self->{_url}, "url" ],`
			`[ $self->param( $self->{authChoiceParam} ), $self->{authChoiceParam} ]`
			`)`
			`{`
			`if ( $v->[0] ) {`
			`$ret .= "$sep$v->[1]=$v->[0]";`
			`$sep = '&';`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`}`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`}`
Implement persistent cache for already shared datas (AuthGoogle) 2013-09-29 18:26:41 +02:00			`$check_url .= '&openid.return_to=' . uri_escape_utf8($ret);`
			`print $self->redirect($check_url);`
			`$self->quit();`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`}`

			`## @apmethod int setAuthSessionInfo()`
			`# Set _user and authenticationLevel.`
			`# @return Lemonldap::NG::Portal constant`
			`sub setAuthSessionInfo {`
			`my $self = shift;`

			`$self->{sessionInfo}->{'_user'} = $self->{user};`

			`$self->{sessionInfo}->{authenticationLevel} = $self->{googleAuthnLevel};`

			`PE_OK;`
			`}`

			`## @apmethod int authenticate()`
			`# Does nothing.`
			`# @return Lemonldap::NG::Portal constant`
			`sub authenticate {`
			`PE_OK;`
			`}`

			`## @apmethod int authFinish()`
			`# Does nothing.`
			`# @return Lemonldap::NG::Portal constant`
			`sub authFinish {`
			`PE_OK;`
			`}`

			`## @apmethod int authLogout()`
			`# Does nothing`
			`# @return Lemonldap::NG::Portal constant`
			`sub authLogout {`
			`PE_OK;`
			`}`

			`## @apmethod boolean authForce()`
			`# Does nothing`
			`# @return result`
			`sub authForce {`
			`return 0;`
			`}`

			`## @method string getDisplayType`
			`# @return display type`
			`sub getDisplayType {`
Change Google display type to logo (#615) 2013-09-30 16:33:38 +02:00			`return "logo";`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`}`

			`1;`
			`__END__`

			`=head1 NAME`

			`=encoding utf8`

Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`Lemonldap::NG::Portal::AuthGoogle - Perl extension for building Lemonldap::NG`
			`compatible portals with Google authentication.`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00
			`=head1 SYNOPSIS`

			`use Lemonldap::NG::Portal::SharedConf;`
			`my $portal = new Lemonldap::NG::Portal::Simple(`
			`configStorage => {...}, # See Lemonldap::NG::Portal`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`authentication => 'Google',`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00			`);`

			`if($portal->process()) {`
			`# Write here the menu with CGI methods. This page is displayed ONLY IF`
			`# the user was not redirected here.`
			`print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))`
			`print "...";`
			`}`
			`else {`
			`# If the user enters here, IT MEANS THAT CAS REDIRECTION DOES NOT WORK`
			`print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))`
			`print "<html><body><h1>Unable to work</h1>";`
			`print "This server isn't well configured. Contact your administrator.";`
			`print "</body></html>";`
			`}`

			`=head1 DESCRIPTION`

			`This library just overload few methods of Lemonldap::NG::Portal::Simple to use`
Add UserDBGoogle 2013-09-29 09:09:32 +02:00			`Google authentication mechanism.`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00
			`See L<Lemonldap::NG::Portal::Simple> for usage and other methods.`

			`=head1 SEE ALSO`

			`L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::Simple>,`
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`L<http://lemonldap-ng.org/>,`
			`L<https://developers.google.com/accounts/docs/OpenID>`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00
			`=head1 AUTHOR`

			`=over`

			`=item Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>`

			`=item Xavier Guimard, E<lt>x.guimard@free.frE<gt>`

			`=back`

			`=head1 BUG REPORT`

			`Use OW2 system to report bug or ask for features:`
			`L<http://jira.ow2.org>`

			`=head1 DOWNLOAD`

			`Lemonldap::NG is available at`
			`L<http://forge.objectweb.org/project/showfiles.php?group_id=274>`

			`=head1 COPYRIGHT AND LICENSE`

			`=over`

Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`=item Copyright (C) 2013 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00
Store session datas directly + comments 2013-09-29 20:09:38 +02:00			`=item Copyright (C) 2013 by Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>`
Starting LEMONLDAP-615: Add AuthGoogle module 2013-09-27 21:34:31 +02:00
			`=back`

			`This library is free software; you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation; either version 2, or (at your option)`
			`any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with this program. If not, see L<http://www.gnu.org/licenses/>.`

			`=cut`