From 9969dd69e2b0779228fd7899cf1266a6c8bc60e0 Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Wed, 8 Dec 2010 06:04:57 +0000
Subject: [PATCH] Add slave mechanism. Closes #222

---
 .../example/skins/default/js/manager.js | 1 +
 .../lib/Lemonldap/NG/Manager/_Struct.pm | 12 ++
 .../example/slavePortal.pl | 117 ------------------
 .../lib/Lemonldap/NG/Portal/AuthApache.pm | 2 +-
 .../lib/Lemonldap/NG/Portal/AuthNull.pm | 4 +-
 .../lib/Lemonldap/NG/Portal/AuthSlave.pm | 96 ++++++++++++++
 .../lib/Lemonldap/NG/Portal/UserDBSlave.pm | 30 +++++
 7 files changed, 142 insertions(+), 120 deletions(-)
 delete mode 100755 modules/lemonldap-ng-portal/example/slavePortal.pl
 create mode 100644 modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSlave.pm
 create mode 100644 modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBSlave.pm

diff --git a/modules/lemonldap-ng-manager/example/skins/default/js/manager.js b/modules/lemonldap-ng-manager/example/skins/default/js/manager.js
index f825d78f9..0448a5bdd 100644
--- a/modules/lemonldap-ng-manager/example/skins/default/js/manager.js
+++ b/modules/lemonldap-ng-manager/example/skins/default/js/manager.js
@@ -24,6 +24,7 @@ var helpCh={
 'authParams':'/pages/documentation/latest/start.html#authentication_users_and_password_databases',
 'authProxy':'/pages/documentation/latest/authproxy.html',
 'authRemote':'/pages/documentation/latest/authremote.html',
+ 'authSlave':'/pages/documentation/latest/authslave.html',
 'authSSL':'/pages/documentation/latest/authssl.html',
 'authTwitter':'/pages/documentation/latest/authtwitter.html',
 'cookies':'/pages/documentation/latest/ssocookie.html',
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index c326294fe..2d2fccffa 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -341,6 +341,7 @@ sub struct {
 dbi => ['dbiParams'],
 apache => ['apacheParams'],
 null => ['nullParams'],
+ slave => ['slaveParams'],
 choice => [
 qw(ldapParams sslParams casParams remoteParams proxyParams openIdParams twitterParams dbiParams apacheParams nullParams choiceParams)
 ],
@@ -572,6 +573,13 @@ sub struct {
 nullAuthnLevel => 'int:/nullAuthnLevel',
 },
+ # Slave
+ slaveParams => {
+ _nodes => [qw(slaveAuthnLevel)],
+ _help => 'authSlave',
+ slaveAuthnLevel => 'int:/slaveAuthnLevel',
+ },
+
 # Choice
 choiceParams => {
 _nodes => [qw(authChoiceParam n:authChoiceModules)],
@@ -1645,6 +1653,9 @@ sub testStruct {
 # Null
 nullAuthnLevel => $integer,
+ # Slave
+ slaveAuthnLevel => $integer,
+
 # Choice
 authChoiceParams => $testNotDefined,
 authChoiceModules => {
@@ -1878,6 +1889,7 @@ sub defaultConf {
 twitterAuthnLevel => 1,
 apacheAuthnLevel => 4,
 nullAuthnLevel => 0,
+ slaveAuthnLevel => 2,
 };
 }
diff --git a/modules/lemonldap-ng-portal/example/slavePortal.pl b/modules/lemonldap-ng-portal/example/slavePortal.pl
deleted file mode 100755
index d766344ff..000000000
--- a/modules/lemonldap-ng-portal/example/slavePortal.pl
+++ /dev/null
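Review bot: The `choice` list in the first hunk (`qw(ldapParams sslParams ... nullParams choiceParams)`) is left without `slaveParams`, so if that list is what the Choice backend's configuration tree enumerates, a Slave entry chosen under Choice would have no parameters to edit; appending `slaveParams` to that qw list keeps it in step with the new `slave => ['slaveParams']` key. In the `defaultConf` hunk the default `slaveAuthnLevel => 2` sits above `nullAuthnLevel => 0`, although AuthSlave as added in this commit performs no credential check of its own and only relays what the master SSO asserts; a comment such as `# level granted on the master SSO's word, not on a check made by this portal` next to the default would stop a later reader from taking 2 as a portal-side guarantee. Both `struct` and `defaultConf` begin and end outside these hunks.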
@@ -1,117 +0,0 @@ -#!/usr/bin/perl - -=pod - -=head1 NON AUTHENTICATING PORTAL TO USE WITH OTHER WEB-SSO - -If Lemonldap::NG has to operate with another Web-SSO without any interworking -system, Lemonldap::NG can be used as slave. - -Install : - -=over - -=item * Install and adapt this file in an area protected by the master SSO - -=item * Use L to protect Lemonldap::NG area if -this area is not in the same DNS domain than the portal - -=back - -Authentication scheme : - -=over - -=item * a user that wants to access to a protected url, Lemonldap::NG::Handler -redirect it to the portal - -=item * the portal creates the Lemonldap::NG session with the parameters given -by the master SSO - -=item * the user is redirected to the wanted application. If it is not in the -same domain, the handler detects the session id with the Lemonldap::NG -cross-domain-authentication mechanism and generates the cookie - -=back - -=cut - -use Lemonldap::NG::Portal::SharedConf; - -my $portal = Lemonldap::NG::Portal::SharedConf->new( - { - cda => 1, - - # SUBROUTINES OVERLOAD - # 2 cases : - # 1 - If LDAP search is not needed (the master SSO gives all - # that we need) - extractFormInfo => sub { PE_OK }, - connectLDAP => sub { PE_OK }, - bind => sub { PE_OK }, - search => sub { PE_OK }, - setSessionInfo => sub { - my $self = shift; - - # TODO: You have to set $self->{sessionInfo} - # hash table with user attributes - # Example: - # $self->{sessionInfo}->{uid} = $ENV{REMOTE_USER}; - PE_OK,; - }, - unbind => sub { PE_OK }, - - # 2 - Else, LDAP will do its job, but we have to set UID or - # what is needed by C subroutine. 
- extractFormInfo => sub { - my $self = shift; - - # EXAMPLE with $ENV{REMOTE_USER} - $self->{user} = $ENV{REMOTE_USER}; - PE_OK; - }, - - # In the 2 cases, authentication phase has to be avoided - authenticate => sub { PE_OK }, - - # If no Lemonldap::NG protected application is in the same domaine than - # the portal, it is recommended to not set a lemonldap::NG cookie in the - # other domain : - # Lemonldap::NG::Handler protect its cookie from remote application - # (to avoid developers to spoof an identity), but the master SSO - # will probably keep it. - buildCookie => sub { - my $self = shift; - $self->{cookie} = $self->cookie( - -name => $self->{cookieName}, - - # null value instead of de $self->{id} - -value => '', - -domain => $self->{domain}, - -path => "/", - -secure => $self->{securedCookie}, - @_, - ); - PE_OK; - }, - } -); - -# Else, we process as usual, but without prompting users with a form - -if ( $portal->process() ) { - print $portal->header('text/html; charset=utf-8'); - print $portal->start_html; - print "

You are well authenticated !

"; - print $portal->end_html; -} -else { - print $portal->header('text/html; charset=utf-8'); - print $portal->start_html; - print qq#

Authentication failed

- Portal is not able to recognize you -
- Contact your administrator (Error: # . $portal->error . ')'; - print $portal->end_html; -} -1; diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthApache.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthApache.pm index a01463404..778539641 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthApache.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthApache.pm @@ -83,7 +83,7 @@ __END__ =encoding utf8 -Lemonldap::NG::Portal::Apache - Perl extension for building Lemonldap::NG +Lemonldap::NG::Portal::AuthApache - Perl extension for building Lemonldap::NG compatible portals with Apache authentication. =head1 SYNOPSIS diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthNull.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthNull.pm index 71c00ac5b..8d8c206ef 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthNull.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthNull.pm @@ -71,8 +71,8 @@ __END__ =encoding utf8 -Lemonldap::NG::Portal::Apache - Perl extension for building Lemonldap::NG -compatible portals with Apache authentication. +Lemonldap::NG::Portal::AuthNull - Perl extension for building Lemonldap::NG +compatible portals with no authentication. =head1 SYNOPSIS diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSlave.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSlave.pm new file mode 100644 index 000000000..6f203927e --- /dev/null +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSlave.pm 
@@ -0,0 +1,96 @@
+##@file
+# Slave authentication backend file
+
+##@class
+# Slave authentication backend class
+package Lemonldap::NG::Portal::AuthSlave;
+
+use strict;
+use Lemonldap::NG::Portal::Simple;
+use Lemonldap::NG::Portal::AuthNull;
+
+our $VERSION = '1.0.0';
+our @ISA = qw(Lemonldap::NG::Portal::AuthNull);
+
+## @apmethod int setAuthSessionInfo()
+# Set _user value to 'anonymous' and authenticationLevel to 0
+# @return Lemonldap::NG::Portal constant
+sub setAuthSessionInfo {
+ my $self = shift;
+
+ $self->{sessionInfo}->{'_user'} = 'anonymous';
+ $self->{sessionInfo}->{authenticationLevel} = $self->{slaveAuthnLevel};
+
+ PE_OK;
+}
+
+1;
+__END__
+
+=head1 NAME
+
+=encoding utf8
+
+Lemonldap::NG::Portal::AuthSlave - Perl extension for building Lemonldap::NG
+compatible portals with Apache authentication.
+
+=head1 SYNOPSIS
+
+ use Lemonldap::NG::Portal::SharedConf;
+ my $portal = new Lemonldap::NG::Portal::Simple(
+ configStorage => {...}, # See Lemonldap::NG::Portal
+ authentication => 'Slave',
+ );
+
+ if($portal->process()) {
+ # Write here the menu with CGI methods. This page is displayed ONLY IF
+ # the user was not redirected here.
+ print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
+ print "...";
+
+ # or redirect the user to the menu
+ print $portal->redirect( -uri => 'https://portal/menu');
+ }
+ else {
+ print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
+ print "

Unable to work

";
+ print "This server isn't well configured. Contact your administrator.";
+ print "";
+ }
+
+=head1 DESCRIPTION
+
+This library just overload few methods of Lemonldap::NG::Portal::Simple to
+create sessions for anonymous users.
+
+See L for usage and other methods.
+
+=head1 SEE ALSO
+
+L, L,
+L
+
+=head1 AUTHOR
+
+Clement Oudot, Eclement@oodo.netE
+
+=head1 BUG REPORT
+
+Use OW2 system to report bug or ask for features:
+L
+
+=head1 DOWNLOAD
+
+Lemonldap::NG is available at
+L
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2010 by Clement Oudot
+
+This library is free software; you can redistribute it and/or modify
+it under the same terms as Perl itself, either Perl version 5.10.0 or,
+at your option, any later version of Perl 5 you may have available.
+
+=cut
+
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBSlave.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBSlave.pm
new file mode 100644
index 000000000..54fd0544a
--- /dev/null
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBSlave.pm
@@ -0,0 +1,30 @@
+## @file
+# Slave userDB mechanism
+
+## @class
+# Slave userDB mechanism class
+package Lemonldap::NG::Portal::UserDBSlave;
+
+use strict;
+use Lemonldap::NG::Portal::Simple;
+use Lemonldap::NG::Portal::UserDBNull;
+
+our $VERSION = '1.0.0';
+our @ISA = qw(Lemonldap::NG::Portal::UserDBNull);
+
+## @apmethod int setSessionInfo()
+# Search exportedVars values in HTTP headers.
+# @return Lemonldap::NG::Portal constant
+sub setSessionInfo {
+ my $self = shift;
+ my $c = 0;
+ while ( my ( $k, $v ) = each %{ $self->{exportedVars} } ) {
+ $v = 'HTTP_' . uc($v);
+ $v =~ s/\-/_/g;
+ $self->{sessionInfo}->{$k} = $ENV{$v} and $c++;
+ }
+ return ( $c ? PE_OK : PE_USERNOTFOUND );
+}
+
+1;
+
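Review bot: `setAuthSessionInfo` in AuthSlave.pm grants `authenticationLevel = $self->{slaveAuthnLevel}` without any check that the request was relayed by the master SSO, and since the class inherits `Lemonldap::NG::Portal::AuthNull` nothing else in the chain verifies the client; the same gap applies to the `UserDBSlave.pm` hunk, which fills `sessionInfo` straight from `$ENV{HTTP_*}`. Those headers are whatever the HTTP client sent unless a front end sets or strips them, so the deployment requirement the deleted slavePortal.pl stated ("in an area protected by the master SSO") should be either enforced in code (a check on the requesting peer before returning PE_OK, e.g. against a configured set of master SSO addresses, or on a header the front end is known to overwrite) or at minimum carried into the new module's DESCRIPTION as a hard prerequisite. The POD is also stale copy from AuthNull: NAME says "with Apache authentication", DESCRIPTION says "create sessions for anonymous users", and the method comment says `authenticationLevel to 0` while the code assigns `slaveAuthnLevel`; suggest `# Set _user to 'anonymous' and authenticationLevel to the configured slaveAuthnLevel`. The SYNOPSIS uses indirect object syntax, `new Lemonldap::NG::Portal::Simple(`; `Lemonldap::NG::Portal::Simple->new(` is the form to show.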
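Review bot: In `setSessionInfo` the statement `$self->{sessionInfo}->{$k} = $ENV{$v} and $c++;` stores `undef` into the session for every exported variable whose header is absent and does not count a header whose value is `0` or empty, so a request carrying only such values returns PE_USERNOTFOUND after keys have already been written into `sessionInfo`. Guarding on presence keeps the session clean and the count right: `next unless defined $ENV{$v};` / `$self->{sessionInfo}->{$k} = $ENV{$v};` / `$c++;`. The `uc` plus `s/\-/_/g` derivation matches the CGI `HTTP_*` mapping, but a comment above the loop such as `# values are taken as-is from request headers; only a front end that sets them (the master SSO) makes them trustworthy` would make the trust assumption visible to whoever configures exportedVars.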