2016-06-10 13:50:37 +02:00
|
|
|
# Base package for simple issuers plugins
|
|
|
|
|
#
|
|
|
|
|
# Issuer should just implement a run() method that will be called only for
|
|
|
|
|
# authenticated users when PATH_INFO starts with issuerDBXXPath
|
|
|
|
|
#
|
|
|
|
|
# run() should just return a Lemonldap::NG::Portal::Main::Constants value. It
|
|
|
|
|
# is called using process() method (Lemonldap::NG::Portal::Main::Process)
|
|
|
|
|
package Lemonldap::NG::Portal::Main::Issuer;
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use Mouse;
|
|
|
|
|
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
|
|
|
|
|
|
|
|
|
|
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
|
|
|
|
|
|
|
|
|
our $VERSION = '2.0.0';
|
|
|
|
|
|
|
|
|
|
# PROPERTIES
|
|
|
|
|
|
|
|
|
|
has type => ( is => 'rw' );
|
|
|
|
|
|
2016-06-12 18:52:37 +02:00
|
|
|
# INTERFACE
|
|
|
|
|
|
|
|
|
|
# Only logout is called in normal use. Issuer that inherits from this
|
|
|
|
|
# package are called only by their path
|
|
|
|
|
sub beforeLogout { 'logout' }
|
|
|
|
|
|
2016-06-10 13:50:37 +02:00
|
|
|
# INITIALIZATION
|
|
|
|
|
|
|
|
|
|
sub init {
|
|
|
|
|
my ($self) = @_;
|
|
|
|
|
my $type = ref( $_[0] );
|
|
|
|
|
$type =~ s/.*:://;
|
|
|
|
|
$self->type($type);
|
|
|
|
|
if ( my $path = $self->conf->{"issuerDB${type}Path"} ) {
|
2016-06-12 21:26:14 +02:00
|
|
|
$path =~ s/^.*?(\w+).*?$/$1/;
|
2016-12-17 21:19:46 +01:00
|
|
|
$self->addUnauthRoute( $path => { '*' => '_redirect' }, ['GET'] );
|
|
|
|
|
$self->addUnauthRoute( $path => { '*' => '_pRedirect' }, ['POST'] );
|
|
|
|
|
$self->addAuthRoute( $path => { '*' => "_forAuthUser" }, ['GET'] );
|
|
|
|
|
$self->addAuthRoute( $path => { '*' => "_pForAuthUser" }, ['POST'] );
|
2016-06-10 13:50:37 +02:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$self->lmLog( "No path declared for issuer $type. Skipping", 'debug' );
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# RUNNING METHODS
|
|
|
|
|
|
|
|
|
|
# Case 1: Unauthentified users are redirected to the main portal
|
|
|
|
|
|
|
|
|
|
sub _redirect {
|
2016-12-21 19:06:23 +01:00
|
|
|
my ( $self, $req, @path ) = @_;
|
2016-11-28 22:15:57 +01:00
|
|
|
my $prms = $req->params;
|
|
|
|
|
foreach my $k ( keys %$prms ) {
|
|
|
|
|
$self->p->setHiddenFormValue( $req, $k, $prms->{$k}, '', 0 );
|
|
|
|
|
}
|
2016-12-09 11:25:05 +01:00
|
|
|
$self->p->setHiddenFormValue( $req, 'issuerMethod', $req->method, '', 0 );
|
|
|
|
|
$self->p->setHiddenFormValue( $req, 'issuerQuery', $req->query, '', 0 );
|
2016-06-10 13:50:37 +02:00
|
|
|
$req->{urldc} =
|
|
|
|
|
$self->conf->{portal}
|
|
|
|
|
. $req->path
|
2016-12-01 23:25:05 +01:00
|
|
|
. ( $req->query ? '?' . $req->query : '' );
|
2016-06-12 21:38:02 +02:00
|
|
|
|
2016-06-12 18:52:37 +02:00
|
|
|
# TODO: launch normal process with 'run' at the end
|
2016-06-12 21:38:02 +02:00
|
|
|
return $self->p->do(
|
|
|
|
|
$req,
|
|
|
|
|
[
|
|
|
|
|
'controlUrl',
|
|
|
|
|
@{ $self->p->beforeAuth },
|
|
|
|
|
$self->p->authProcess,
|
|
|
|
|
@{ $self->p->betweenAuthAndDatas },
|
|
|
|
|
$self->p->sessionDatas,
|
|
|
|
|
@{ $self->p->afterDatas },
|
2016-06-12 18:52:37 +02:00
|
|
|
sub {
|
2016-12-21 19:06:23 +01:00
|
|
|
return $self->run(@_, @path);
|
2016-06-12 21:38:02 +02:00
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
);
|
2016-06-10 13:50:37 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub _pRedirect {
|
2016-12-21 19:06:23 +01:00
|
|
|
my ( $self, $req, @path ) = @_;
|
2016-12-09 11:25:05 +01:00
|
|
|
$self->lmLog( 'Parsing posted datas', 'debug' );
|
2016-06-10 13:50:37 +02:00
|
|
|
$req->parseBody;
|
2016-12-21 19:06:23 +01:00
|
|
|
return $self->_redirect( $req, @path );
|
2016-06-10 13:50:37 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Case 3: authentified user, launch
|
|
|
|
|
sub _forAuthUser {
|
|
|
|
|
my ( $self, $req ) = @_;
|
|
|
|
|
return $self->p->do(
|
|
|
|
|
$req,
|
|
|
|
|
[
|
|
|
|
|
'importHandlerDatas',
|
|
|
|
|
'controlUrl',
|
|
|
|
|
@{ $self->p->forAuthUser },
|
|
|
|
|
sub {
|
2016-06-12 18:52:37 +02:00
|
|
|
return $self->run(@_);
|
2016-06-10 13:50:37 +02:00
|
|
|
},
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-09 11:25:05 +01:00
|
|
|
sub _pForAuthUser {
|
|
|
|
|
my ( $self, $req ) = @_;
|
|
|
|
|
$self->lmLog( 'Parsing posted datas', 'debug' );
|
|
|
|
|
$req->parseBody;
|
|
|
|
|
return $self->_forAuthUser($req);
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-10 13:50:37 +02:00
|
|
|
1;
|
2016-12-19 17:15:31 +01:00
|
|
|
__END__
|
|
|
|
|
|
|
|
|
|
=pod
|
|
|
|
|
|
|
|
|
|
=encoding utf8
|
|
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG::Portal::Main::Issuer - Base class for identity providers.
|
|
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
|
|
package Lemonldap::NG::Portal::Issuer::My;
|
|
|
|
|
use strict;
|
|
|
|
|
use Mouse;
|
|
|
|
|
extends 'Lemonldap::NG::Portal::Main::Issuer';
|
|
|
|
|
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
|
|
|
|
|
|
|
|
|
|
# Optional initialization method
|
|
|
|
|
sub init {
|
|
|
|
|
my ($self) = @_;
|
|
|
|
|
...
|
|
|
|
|
# Must return 1 (succeed) or 0 (failure)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Required methods are run() and logout(), they are launched only for
|
|
|
|
|
# authenticated users
|
|
|
|
|
# $req is a Lemonldap::NG::Portal::Main::Request object
|
|
|
|
|
# They must return a Lemonldap::NG::Portal::Main::Constants constant
|
|
|
|
|
sub run {
|
|
|
|
|
my ( $self, $req ) = @_
|
|
|
|
|
...
|
|
|
|
|
return PE_OK
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub logout {
|
|
|
|
|
my ( $self, $req ) = @_
|
|
|
|
|
...
|
|
|
|
|
return PE_OK
|
|
|
|
|
}
|
|
|
|
|
1;
|
|
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG::Portal::Main::Issuer is a base class to write identity providers
|
|
|
|
|
for Lemonldap::NG web-SSO system. It provide several methods to write easily
|
|
|
|
|
an IdP and manage authentication if the identity request comes before
|
|
|
|
|
authentication.
|
|
|
|
|
|
|
|
|
|
=head1 WRITING AN IDENTITY PROVIDER
|
|
|
|
|
|
|
|
|
|
To write a classic identity provider, you just have to inherit this class and
|
|
|
|
|
write run() and logout() methods. These methods must return a
|
|
|
|
|
Lemonldap::NG::Portal::Main::Constants constant.
|
|
|
|
|
|
|
|
|
|
A classic identity provider needs a "issuerDBE<gt>XXXE<lt>Path" parameter in
|
|
|
|
|
LLNG configuration to declare its base URI path (see
|
|
|
|
|
L<Lemonldap::NG::Manager::Build>). Example: /saml/. All requests that starts
|
2016-12-19 21:51:51 +01:00
|
|
|
with /saml/ will call run() after authentication if needed, and no one else.
|
2016-12-19 17:15:31 +01:00
|
|
|
|
|
|
|
|
The logout() function is called when user asks for logout on this server. If
|
|
|
|
|
you want to write an identity provider, you must implement a single logout
|
|
|
|
|
system.
|
|
|
|
|
|
|
|
|
|
=head2 managing other URI path
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG::Portal::Main::Issuer provides methods to bind a method to an
|
|
|
|
|
URI path:
|
|
|
|
|
|
|
|
|
|
=over
|
|
|
|
|
|
|
|
|
|
=item addAuthRoute() for authenticated users
|
|
|
|
|
|
|
|
|
|
=item addUnauthRoute() for unauthenticated users
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
They must be called during initialization process (so you must write the
|
|
|
|
|
optional init() sub).
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
sub init {
|
|
|
|
|
my ($self) = @_;
|
|
|
|
|
...
|
|
|
|
|
$self->addUnauthRoute( saml => { soap => 'soapServer' }, [ 'POST' ] );
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
sub soapServer {
|
|
|
|
|
my ( $self, $req ) = @_;
|
|
|
|
|
...
|
|
|
|
|
# You must return a valid PSGI response
|
|
|
|
|
return [ 200, [ 'Content-Type' => 'application/xml' ], [] ];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
|
|
|
|
L<http://lemonldap-ng.org/>
|
|
|
|
|
|
|
|
|
|
=head1 AUTHOR
|
|
|
|
|
|
|
|
|
|
=over
|
|
|
|
|
|
|
|
|
|
=item Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
|
|
|
|
|
|
|
|
|
|
=item Xavier Guimard, E<lt>x.guimard@free.frE<gt>
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=head1 BUG REPORT
|
|
|
|
|
|
|
|
|
|
Use OW2 system to report bug or ask for features:
|
|
|
|
|
L<http://jira.ow2.org>
|
|
|
|
|
|
|
|
|
|
=head1 DOWNLOAD
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG is available at
|
|
|
|
|
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
|
|
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE
|
|
|
|
|
|
|
|
|
|
=over
|
|
|
|
|
|
|
|
|
|
=item Copyright (C) 2016 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>
|
|
|
|
|
|
|
|
|
|
=item Copyright (C) 2016 by Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 2, or (at your option)
|
|
|
|
|
any later version.
|
|
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with this program. If not, see L<http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
=cut
|
