From 9a4df749fe2f05774832c73e2bc02044e691217e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Mon, 30 Aug 2010 09:24:04 +0000
Subject: [PATCH] CAS: Manage renew flag in VALIDATE and SERVICE VALIDATE URL (#101)

---
 modules/lemonldap-ng-portal/example/cas.pl | 6 ++-
 .../lib/Lemonldap/NG/Portal/IssuerDBCAS.pm | 37 +++++++++++++++++--
 2 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/modules/lemonldap-ng-portal/example/cas.pl b/modules/lemonldap-ng-portal/example/cas.pl
index 09b90db1c..250071a73 100644
--- a/modules/lemonldap-ng-portal/example/cas.pl
+++ b/modules/lemonldap-ng-portal/example/cas.pl
@@ -36,7 +36,9 @@ else {
 # First time access
 unless ($ticket) {
 print $cgi->h1("Click below to use CAS");
- print $cgi->h2("CAS LOGIN");
+ print $cgi->h2("Simple login");
+ print $cgi->h2("Renew login");
+ print $cgi->h2("Gateway login");
 }

 # Ticket receveived
@@ -81,6 +83,8 @@ else {
 print $cgi->h2("Error: Unable to get proxy granting ticket");
 }

+ print $cgi->h2("url."\">Home");
+
 }

 print $cgi->end_html();
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBCAS.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBCAS.pm
index e7e70bfcf..461eaa704 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBCAS.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBCAS.pm
@@ -153,8 +153,16 @@ sub issuerForUnAuthUser {
 if ( $renew eq 'true' ) {

 # We should check the ST was delivered with primary credentials
- # TODO
- $self->lmLog( "Renew parameter not managed", 'warn' );
+ $self->lmLog( "Renew flag detected ", 'debug' );
+
+ unless ( $casServiceSession->{renew} ) {
+ $self->lmLog(
+"Authentication renew requested, but not done in former authentication process",
+ 'error'
+ );
+ untie %$casServiceSession;
+ $self->returnCasValidateError();
+ }
 }

 # Open local session
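Review bot: `print $cgi->h2("url."\">Home");` has unbalanced quotes as shown and would not compile; this reads like an HTML anchor whose tag markup was lost when the patch was rendered, so take that as a hedged reading. If the line does build a link from a variable holding a URL, the value should be escaped before it lands in an attribute, e.g. `print $cgi->h2( '<a href="' . CGI::escapeHTML($url) . '">Home</a>' );`, or built with `$cgi->a( { href => $url }, 'Home' )`; the same applies to the three login links added in the previous hunk if they are built the same way. The enclosing else block starts and ends outside the hunk.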
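Review bot: `$self->returnCasValidateError();` inside the new `unless` block is not followed by a `return`, so unless that method terminates the request itself (exit or die), control falls through to the "Open local session" code and the ticket is still validated after the renew check failed; `return $self->returnCasValidateError();` would make the refusal independent of that method's behaviour, and the identical block in the hunk at new line 276 needs the same change. The `renew` flag tested here is set at ticket creation from an authentication-age window rather than from an actual primary-credential login, which is an approximation of the CAS `renew` semantics and deserves a comment at this check, e.g. `# ST 'renew' flag means the authentication was recent (set in issuerForAuthUser), not necessarily a fresh primary login`. issuerForUnAuthUser starts and ends outside the hunk.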
@@ -268,8 +276,17 @@ sub issuerForUnAuthUser {
 if ( $renew eq 'true' ) {

 # We should check the ST was delivered with primary credentials
- # TODO
- $self->lmLog( "Renew parameter not managed", 'warn' );
+ $self->lmLog( "Renew flag detected ", 'debug' );
+
+ unless ( $casServiceSession->{renew} ) {
+ $self->lmLog(
+"Authentication renew requested, but not done in former authentication process",
+ 'error'
+ );
+ untie %$casServiceSession;
+ $self->returnCasValidateError();
+ }
+
 }

 # Proxies (for PROXY VALIDATE only)
@@ -529,6 +546,17 @@ sub issuerForAuthUser {
 return PE_OK;
 }

+ # Check last authentication time to decide if
+ # the authentication is recent or not
+ my $casRenewFlag = 0;
+ my $last_authn_utime = $self->{sessionInfo}->{_lastAuthnUTime} || 0;
+ if ( time() - $last_authn_utime < $self->{portalForceAuthnInterval} ) {
+ $self->lmLog(
+ "Authentication is recent, will set CAS renew flag to true",
+ 'debug' );
+ $casRenewFlag = 1;
+ }
+
 # Create a service ticket
 $self->lmLog( "Create a CAS service ticket for service $service",
 'debug' );
@@ -542,6 +570,7 @@ sub issuerForAuthUser {
 $casServiceSession->{type} = 'casService';
 $casServiceSession->{service} = $service;
+ $casServiceSession->{renew} = $casRenewFlag;
 $casServiceSession->{_cas_id} = $session_id;
 $casServiceSession->{_utime} = $time;
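Review bot: `time() - $last_authn_utime < $self->{portalForceAuthnInterval}` only works when `portalForceAuthnInterval` is configured; when it is undef the comparison is against 0 (with an uninitialized-value warning), the flag is effectively never set, and every `renew=true` validation is then rejected by the new check in issuerForUnAuthUser, which is a behaviour change from the old warn-and-continue. Reading the interval into a named variable with an explicit default, `my $interval = $self->{portalForceAuthnInterval} || 0;`, and using it in the comparison makes the intent visible and silences the warning. The comment above should also say that "recent" here is a configured age window rather than the CAS notion of a ticket issued from primary credentials, since `_lastAuthnUTime` may come from an ordinary SSO login inside that window. issuerForAuthUser starts and ends outside the hunk.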