Implement persistent cache for already shared datas (AuthGoogle)
parent
e67a05d6c1
commit
41105ae772
@ -28,16 +28,17 @@ BEGIN {
|
|||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
## @apmethod int authInit()
|
## @method string googleEndPoint()
|
||||||
# @return Lemonldap::NG::Portal constant
|
# Return the Google OpenID endpoint given by
|
||||||
sub authInit {
|
# https://www.google.com/accounts/o8/id
|
||||||
|
# @return string
|
||||||
|
sub googleEndPoint {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
|
|
||||||
# Get the Google OpenID endpoint
|
# Get the Google OpenID endpoint
|
||||||
unless ($googleEndPoint) {
|
unless ($googleEndPoint) {
|
||||||
$self->{ua} ||= LWP::UserAgent->new();
|
|
||||||
my $response =
|
my $response =
|
||||||
$self->{ua}->get( GOOGLEENDPOINT, Accept => 'application/xrds+xml' );
|
$self->ua()->get( GOOGLEENDPOINT, Accept => 'application/xrds+xml' );
|
||||||
if ( $response->is_success ) {
|
if ( $response->is_success ) {
|
||||||
|
|
||||||
# Dirty XML parse
|
# Dirty XML parse
|
||||||
@ -56,6 +57,73 @@ sub authInit {
|
|||||||
$self->abort('Can\'t access to Google endpoint');
|
$self->abort('Can\'t access to Google endpoint');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return $googleEndPoint;
|
||||||
|
}
|
||||||
|
|
||||||
|
## @method LWP::UserAgent ua()
|
||||||
|
# @return LWP::UserAgent object
|
||||||
|
sub ua {
|
||||||
|
my $self = shift;
|
||||||
|
return $self->{ua} ||= LWP::UserAgent->new();
|
||||||
|
}
|
||||||
|
|
||||||
|
## @method boolean checkGoogleSession()
|
||||||
|
# Search for claimed_id in persistent sessions DB.
|
||||||
|
# @return true if sessions was recovered
|
||||||
|
sub checkGoogleSession {
|
||||||
|
my $self = shift;
|
||||||
|
|
||||||
|
# Now User is authenticated, check for datas returned
|
||||||
|
( $self->{_AXNS} ) = map {
|
||||||
|
( /^openid\.ns\.(.*)/ and $self->param($_) eq AXSPECURL )
|
||||||
|
? ($1)
|
||||||
|
: ()
|
||||||
|
} $self->param();
|
||||||
|
|
||||||
|
my $id = $self->_md5hash( $self->param('openid.claimed_id') );
|
||||||
|
my $h = $self->getPersistentSession($id);
|
||||||
|
unless ( $self->{_AXNS} ) {
|
||||||
|
if ($h) {
|
||||||
|
$self->{user} = $h->{email};
|
||||||
|
while ( my ( $k, $v ) = each %$h ) {
|
||||||
|
$self->{googleSessionInfo}->{$k} = $v;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$self->{user} = $self->param("openid.$self->{_AXNS}.value.email");
|
||||||
|
unless ($h) {
|
||||||
|
$h = {};
|
||||||
|
my %opts = %{ $self->{persistentStorageOptions} };
|
||||||
|
$opts{setId} = $id;
|
||||||
|
eval { tie %$h, $self->{persistentStorage}, undef, \%opts; };
|
||||||
|
if ($@) {
|
||||||
|
$self->abort(
|
||||||
|
"Unable to create persistent session required to use Google backend: $@"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$self->lmLog(
|
||||||
|
"Persistent session $h->{_session_id} created to store "
|
||||||
|
. $self->{user}
|
||||||
|
. ' Google shared datas',
|
||||||
|
'debug'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
foreach my $k ( $self->param() ) {
|
||||||
|
if ( $k =~ /^openid\.$self->{_AXNS}\.value\.(\w+)$/ ) {
|
||||||
|
$self->{googleSessionInfo}->{$1} = $h->{$1} = $self->param($k);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
untie %$h;
|
||||||
|
}
|
||||||
|
return $self->{user};
|
||||||
|
}
|
||||||
|
|
||||||
|
## @apmethod int authInit()
|
||||||
|
# @return Lemonldap::NG::Portal constant
|
||||||
|
sub authInit {
|
||||||
PE_OK;
|
PE_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -65,10 +133,9 @@ sub authInit {
|
|||||||
sub extractFormInfo {
|
sub extractFormInfo {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
|
|
||||||
my $ua = LWP::UserAgent->new();
|
|
||||||
|
|
||||||
# 1. If no openid element has been detected
|
# 1. If no openid element has been detected
|
||||||
my $openid = $self->param('openid.mode');
|
my $openid = $self->param('openid.mode');
|
||||||
|
my $ax = '';
|
||||||
|
|
||||||
# TODO: direct access to Google page
|
# TODO: direct access to Google page
|
||||||
return PE_FIRSTACCESS
|
return PE_FIRSTACCESS
|
||||||
@ -76,7 +143,7 @@ sub extractFormInfo {
|
|||||||
|
|
||||||
# 2. Check Google responses
|
# 2. Check Google responses
|
||||||
if ($openid) {
|
if ($openid) {
|
||||||
my $check_url = "$googleEndPoint?" . join(
|
my $check_url = $self->googleEndPoint() . "?" . join(
|
||||||
'&',
|
'&',
|
||||||
map {
|
map {
|
||||||
my $val = $self->param($_);
|
my $val = $self->param($_);
|
||||||
@ -85,70 +152,74 @@ sub extractFormInfo {
|
|||||||
} $self->param()
|
} $self->param()
|
||||||
);
|
);
|
||||||
|
|
||||||
my $response =
|
my $response = $self->ua()->get( $check_url, Accept => 'text/plain' );
|
||||||
LWP::UserAgent->new()->get( $check_url, Accept => 'text/plain' );
|
unless ( $response->is_success ) {
|
||||||
if ( $response->is_success ) {
|
$self->abort('Can\'t verify Google authentication');
|
||||||
|
}
|
||||||
|
else {
|
||||||
my %tmp =
|
my %tmp =
|
||||||
map { my ( $key, $value ) = split /:/, $_, 2; $key => $value }
|
map { my ( $key, $value ) = split /:/, $_, 2; $key => $value }
|
||||||
split /\n/, $response->decoded_content;
|
split /\n/, $response->decoded_content;
|
||||||
if ( $tmp{is_valid} eq 'true' ) {
|
unless ( $tmp{is_valid} eq 'true' ) {
|
||||||
my ($ns) = map {
|
|
||||||
( /openid\.ns\.(.*)/ and $self->param($_) eq AXSPECURL )
|
|
||||||
? ($1)
|
|
||||||
: ()
|
|
||||||
} $self->param();
|
|
||||||
if ($ns) {
|
|
||||||
$self->{user} = $self->param("openid.$ns.value.email");
|
|
||||||
$self->{_AXNS} = $ns;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$self->{user} = $self->param('openid.claimed_id');
|
|
||||||
}
|
|
||||||
return PE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
# TODO: look for returned errors
|
|
||||||
return PE_BADCREDENTIALS;
|
return PE_BADCREDENTIALS;
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
$self->abort('Can\'t verify Google authentication');
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# 3. Redirect user to Google login page
|
# Datas are missing, prepare to launch a new request with
|
||||||
else {
|
# AX request
|
||||||
my $check_url =
|
unless ( $self->checkGoogleSession() ) {
|
||||||
$googleEndPoint
|
$ax =
|
||||||
. '?openid.mode=checkid_setup'
|
'&openid.ns.ax='
|
||||||
. '&openid.ns=http://specs.openid.net/auth/2.0'
|
|
||||||
. '&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select'
|
|
||||||
. '&openid.identity=http://specs.openid.net/auth/2.0/identifier_select'
|
|
||||||
. '&openid.ns.ax='
|
|
||||||
. AXSPECURL
|
. AXSPECURL
|
||||||
. '&openid.ax.mode=fetch_request'
|
. '&openid.ax.mode=fetch_request'
|
||||||
. '&openid.ax.type.email=http://axschema.org/contact/email'
|
. '&openid.ax.type.email=http://axschema.org/contact/email'
|
||||||
. '&openid.ax.required=email';
|
. '&openid.ax.required=email';
|
||||||
if ( $self->get_module('user') eq 'Google' ) {
|
if ( $self->get_module('user') eq 'Google' ) {
|
||||||
my ( @r, @o );
|
my $u;
|
||||||
while ( my ( $v, $k ) = each %{ $self->{exportedVars} } ) {
|
while ( my ( $v, $k ) = each %{ $self->{exportedVars} } ) {
|
||||||
next if ( $k eq 'email' );
|
next if ( $k eq 'email' );
|
||||||
if ( $k =~ /^(?:(?:la(?:nguag|stnam)|firstnam)e|country)$/ ) {
|
if ( $k =~
|
||||||
$check_url .= ",$k";
|
/^(?:(?:la(?:nguag|stnam)|firstnam)e|country)$/ )
|
||||||
|
{
|
||||||
|
$ax .= ",$k";
|
||||||
|
$u .= "&openid.ax.type.$k="
|
||||||
|
. {
|
||||||
|
country =>
|
||||||
|
"http://axschema.org/contact/country/home",
|
||||||
|
firstname =>
|
||||||
|
"http://axschema.org/namePerson/first",
|
||||||
|
lastname =>
|
||||||
|
"http://axschema.org/namePerson/last",
|
||||||
|
language => "http://axschema.org/pref/language"
|
||||||
|
}->{$k};
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->lmLog( "Field name: $k is not exported by Google",
|
$self->lmLog(
|
||||||
|
"Field name: $k is not exported by Google",
|
||||||
'warn' );
|
'warn' );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
$ax .= $u;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
return PE_OK;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# 3. Redirect user to Google login page
|
||||||
|
my $check_url =
|
||||||
|
$self->googleEndPoint()
|
||||||
|
. '?openid.mode=checkid_setup'
|
||||||
|
. '&openid.ns=http://specs.openid.net/auth/2.0'
|
||||||
|
. '&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select'
|
||||||
|
. '&openid.identity=http://specs.openid.net/auth/2.0/identifier_select'
|
||||||
|
. $ax;
|
||||||
my $sep = '?';
|
my $sep = '?';
|
||||||
my $ret = $self->{portal};
|
my $ret = $self->{portal};
|
||||||
foreach my $v (
|
foreach my $v (
|
||||||
[ $self->{_url}, "url" ],
|
[ $self->{_url}, "url" ],
|
||||||
[
|
[ $self->param( $self->{authChoiceParam} ), $self->{authChoiceParam} ]
|
||||||
$self->param( $self->{authChoiceParam} ),
|
|
||||||
$self->{authChoiceParam}
|
|
||||||
]
|
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
if ( $v->[0] ) {
|
if ( $v->[0] ) {
|
||||||
@ -157,12 +228,9 @@ sub extractFormInfo {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
$check_url .= '&openid.return_to=' . uri_escape_utf8($ret);
|
$check_url .= '&openid.return_to=' . uri_escape_utf8($ret);
|
||||||
print STDERR $check_url . "\n";
|
|
||||||
print $self->redirect($check_url);
|
print $self->redirect($check_url);
|
||||||
$self->quit();
|
$self->quit();
|
||||||
}
|
}
|
||||||
PE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
## @apmethod int setAuthSessionInfo()
|
## @apmethod int setAuthSessionInfo()
|
||||||
# Set _user and authenticationLevel.
|
# Set _user and authenticationLevel.
|
||||||
|
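Review bot: checkGoogleSession (added in the `@ -56,6 +57,73 @@` hunk and fully inside it) copies every `openid.<alias>.value.*` parameter into the session and takes the alias from any `openid.ns.*` parameter, but nothing checks that those field names — or `claimed_id`, which seeds the persistent-session key through `_md5hash` — are listed in `openid.signed`, and the `check_authentication` round-trip in extractFormInfo only attests the fields named there. I would build `my %signed = map { $_ => 1 } split /,/, ( $self->param('openid.signed') || '' );` at the top of the sub and require `$signed{"ns.$1"}`, `$signed{claimed_id}` and `$signed{"$self->{_AXNS}.value.$1"}` before each value is trusted, falling through to the existing "no data" return when they are absent. The alias is also interpolated raw into the pattern on `if ( $k =~ /^openid\.$self->{_AXNS}\.value\.(\w+)$/ )`; `\Q$self->{_AXNS}\E` keeps a metacharacter in the alias from widening the match. Separately, when getPersistentSession returns an existing `$h`, the later `$h->{$1} = $self->param($k)` and `untie %$h` presume it is still a tied hash — if that accessor hands back a plain copy the refreshed attributes are never written back, which is worth confirming against the Portal base class.
```perl
sub checkGoogleSession {
    my $self = shift;

    # Only fields listed in openid.signed are covered by check_authentication
    my %signed = map { $_ => 1 } split /,/, ( $self->param('openid.signed') || '' );

    ( $self->{_AXNS} ) = map {
        ( /^openid\.ns\.(.*)/ and $signed{"ns.$1"} and $self->param($_) eq AXSPECURL )
          ? ($1)
          : ()
    } $self->param();

    return unless $signed{claimed_id};
    my $id = $self->_md5hash( $self->param('openid.claimed_id') );
    # … unchanged: persistent session lookup and the no-AX branch …
    else {
        return unless $signed{"$self->{_AXNS}.value.email"};
        $self->{user} = $self->param("openid.$self->{_AXNS}.value.email");
        # … unchanged: persistent session creation …
        foreach my $k ( $self->param() ) {
            if (    $k =~ /^openid\.\Q$self->{_AXNS}\E\.value\.(\w+)$/
                and $signed{"$self->{_AXNS}.value.$1"} )
            {
                $self->{googleSessionInfo}->{$1} = $h->{$1} = $self->param($k);
            }
        }
        # … unchanged: untie and return …
```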
@ -41,20 +41,13 @@ sub getUser {
|
|||||||
# @return Lemonldap::NG::Portal error code
|
# @return Lemonldap::NG::Portal error code
|
||||||
sub setSessionInfo {
|
sub setSessionInfo {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
unless ( $self->{_AXNS} ) {
|
|
||||||
$self->abort(
|
|
||||||
'AX namespace not found in Google response, no datas will be stored'
|
|
||||||
);
|
|
||||||
}
|
|
||||||
foreach my $k ( keys %{ $self->{exportedVars} } ) {
|
foreach my $k ( keys %{ $self->{exportedVars} } ) {
|
||||||
my $attr = $k;
|
my $attr = $k;
|
||||||
my $required = ( $attr =~ s/^!// );
|
my $required = ( $attr =~ s/^!// );
|
||||||
if ( $self->{exportedVars}->{$k} =~
|
if ( $self->{exportedVars}->{$k} =~
|
||||||
/^(?:(?:la(?:nguag|stnam)|firstnam)e|country|email)$/ )
|
/^(?:(?:la(?:nguag|stnam)|firstnam)e|country|email)$/ )
|
||||||
{
|
{
|
||||||
$self->{sessionInfo}->{$attr} =
|
$self->{sessionInfo}->{$attr} = $self->{googleSessionInfo}->{$attr};
|
||||||
$self->param(
|
|
||||||
"openid.$self->{_AXNS}.value.$self->{exportedVars}->{$k}");
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->lmLog(
|
$self->lmLog(
|
||||||
@ -64,11 +57,11 @@ sub setSessionInfo {
|
|||||||
'warn'
|
'warn'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $required and not defined( $self->{sessionInfo}->{$attr} ) ) {
|
if ( $required and not defined( $self->{sessionInfo}->{$attr} ) ) {
|
||||||
$self->lmLog(
|
$self->lmLog(
|
||||||
"Required parameter $attr is not provided by Google, aborted",
|
"Required parameter $attr is not provided by Google server, aborted",
|
||||||
'warn' );
|
'warn'
|
||||||
|
);
|
||||||
|
|
||||||
$self->{mustRedirect} = 0;
|
$self->{mustRedirect} = 0;
|
||||||
return PE_MISSINGREQATTR;
|
return PE_MISSINGREQATTR;
|
||||||
|