First implementation of BrowserID authentication module (#584)

2013-07-17 13:46:59 +00:00 · 2013-07-17 13:46:59 +00:00 · d3c53c2235
commit d3c53c2235
parent 53e8d74758
8 changed files with 335 additions and 0 deletions
--- a/lemonldap-ng-portal/example/skins/common/BrowserID.png
+++ b/lemonldap-ng-portal/example/skins/common/BrowserID.png
--- a/lemonldap-ng-portal/example/skins/common/browserid.js
+++ b/lemonldap-ng-portal/example/skins/common/browserid.js
@ -0,0 +1,19 @@
+/* Watch login and logout events */
+
+navigator.id.watch({
+  loggedInUser: null,
+  onlogin: function(assertion) {
+	  // Return on page with BrowserID assertion
+	  var portalUrl = window.location.href;
+	  var portalSearch = window.location.search;
+	  if ( portalSearch ) {
+		  portalUrl += '&browserIdAssertion='+assertion
+	  } else {
+		  portalUrl += '?browserIdAssertion='+assertion
+	  }
+	  window.location.assign(portalUrl);
+  },
+  onlogout: function() {
+	  // Do nothing
+  }
+});
--- a/lemonldap-ng-portal/example/skins/common/browseridlogin.js
+++ b/lemonldap-ng-portal/example/skins/common/browseridlogin.js
@ -0,0 +1,3 @@
+$(document).ready(function(){
+	navigator.id.request();
+});
--- a/lemonldap-ng-portal/example/skins/common/browseridlogout.js
+++ b/lemonldap-ng-portal/example/skins/common/browseridlogout.js
@ -0,0 +1,3 @@
+$(document).ready(function(){
+	navigator.id.logout();
+});
--- a/lemonldap-ng-portal/example/skins/impact/header.tpl
+++ b/lemonldap-ng-portal/example/skins/impact/header.tpl
@ -6,6 +6,9 @@
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <meta http-equiv="Content-Script-Type" content="text/javascript" />
 	<meta http-equiv="cache-control" content="no-cache" />
+	<TMPL_IF NAME="browserIdEnabled">
+	<meta http-equiv="X-UA-Compatible" content="IE=Edge">
+	</TMPL_IF>
        <link rel="stylesheet" type="text/css" href="<TMPL_VAR NAME="SKIN_PATH">/<TMPL_VAR NAME="SKIN">/css/styles.css" />
        <link href="<TMPL_VAR NAME="SKIN_PATH">/common/favicon.ico" rel="icon" type="image/x-icon" />
        <link href="<TMPL_VAR NAME="SKIN_PATH">/common/favicon.ico" rel="shortcut icon" />
@ -17,6 +20,17 @@
        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/jquery-ui-1.8.5.custom.min.js"></script>
        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/jquery.base64.js"></script>
        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/jquery.cookie.js"></script>
+	<TMPL_IF NAME="browserIdEnabled">
+        <script src="https://login.persona.org/include.js"></script>
+        </TMPL_IF>
+	<TMPL_IF NAME="browserIdLoadLoginScript">
+        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/browserid.js"></script>
+        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/browseridlogin.js"></script>
+        </TMPL_IF>
+	<TMPL_IF NAME="browserIdLoadLogoutScript">
+        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/browserid.js"></script>
+        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/browseridlogout.js"></script>
+        </TMPL_IF>
        <script type="text/javascript">//<![CDATA[
            var displaytab='<TMPL_VAR NAME="DISPLAY_TAB">';
            var choicetab='<TMPL_VAR NAME="CHOICE_VALUE">';
--- a/lemonldap-ng-portal/example/skins/pastel/header.tpl
+++ b/lemonldap-ng-portal/example/skins/pastel/header.tpl
@ -6,6 +6,9 @@
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <meta http-equiv="Content-Script-Type" content="text/javascript" />
 	<meta http-equiv="cache-control" content="no-cache" />
+        <TMPL_IF NAME="browserIdEnabled">
+        <meta http-equiv="X-UA-Compatible" content="IE=Edge">
+        </TMPL_IF>
        <link rel="stylesheet" type="text/css" href="<TMPL_VAR NAME="SKIN_PATH">/<TMPL_VAR NAME="SKIN">/css/styles.css" />
        <link href="<TMPL_VAR NAME="SKIN_PATH">/common/favicon.ico" rel="icon" type="image/x-icon" />
        <link href="<TMPL_VAR NAME="SKIN_PATH">/common/favicon.ico" rel="shortcut icon" />
@ -17,6 +20,17 @@
        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/jquery-ui-1.8.5.custom.min.js"></script>
        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/jquery.base64.js"></script>
        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/jquery.cookie.js"></script>
+        <TMPL_IF NAME="browserIdEnabled">
+        <script src="https://login.persona.org/include.js"></script>
+        </TMPL_IF>
+        <TMPL_IF NAME="browserIdLoadLoginScript">
+        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/browserid.js"></script>
+        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/browseridlogin.js"></script>
+        </TMPL_IF>
+        <TMPL_IF NAME="browserIdLoadLogoutScript">
+        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/browserid.js"></script>
+        <script type="text/javascript" src="<TMPL_VAR NAME="SKIN_PATH">/common/browseridlogout.js"></script>
+        </TMPL_IF>
        <script type="text/javascript">//<![CDATA[
            var displaytab='<TMPL_VAR NAME="DISPLAY_TAB">';
            var choicetab='<TMPL_VAR NAME="CHOICE_VALUE">';
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthBrowserID.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthBrowserID.pm
@ -0,0 +1,255 @@
+##@file
+# BrowserID authentication backend file
+
+##@class
+# BrowserID authentication backend class
+package Lemonldap::NG::Portal::AuthBrowserID;
+
+use strict;
+use Lemonldap::NG::Portal::Simple;
+use LWP::UserAgent;
+use HTTP::Request;
+use JSON;
+
+our $VERSION = '1.3.0';
+
+## @apmethod int authInit()
+# Enables Browser ID (required for templates)
+# @return Lemonldap::NG::Portal constant
+sub authInit {
+    my $self = shift;
+
+    $self->{browserIdVerificationURL} ||=
+      "https://verifier.login.persona.org/verify";
+    $self->{browserIdAuthnLevel} = "2"
+      unless defined $self->{browserIdAuthnLevel};
+
+    # Enable BrowserID in template
+    $self->{tpl_browserIdEnabled} = 1;
+
+    PE_OK;
+}
+
+## @apmethod int setAuthSessionInfo()
+# @return Lemonldap::NG::Portal constant
+sub setAuthSessionInfo {
+    my $self = shift;
+
+    $self->{sessionInfo}->{authenticationLevel} = $self->{browserIdAuthnLevel};
+
+    PE_OK;
+}
+
+## @apmethod int extractFormInfo()
+# Get BrowserID assertion
+# @return Lemonldap::NG::Portal constant
+sub extractFormInfo {
+    my $self = shift;
+
+    # Assertion should be in POST browserIdAssertion parameter (ajax call)
+    if ( $self->{browserIdAssertion} = $self->param('browserIdAssertion') ) {
+        $self->lmLog(
+            "BrowserID Assertion found: " . $self->{browserIdAssertion},
+            'debug' );
+        return PE_OK;
+    }
+
+    # No assertion, return to login page with BrowserID login script
+    $self->{tpl_browserIdLoadLoginScript} = 1;
+    return PE_FIRSTACCESS;
+}
+
+## @apmethod int authenticate()
+# Verify assertion and audience
+# @return Lemonldap::NG::Portal constant
+sub authenticate {
+    my $self = shift;
+
+    # Return unless BrowserID assertion
+    return PE_FIRSTACCESS unless ( $self->{browserIdAssertion} );
+
+    my $ua = new LWP::UserAgent;
+    push @{ $ua->requests_redirectable }, 'POST';
+
+    my $postdata =
+        "assertion="
+      . $self->{browserIdAssertion}
+      . "&audience="
+      . $self->{portal};
+
+    $self->lmLog( "Send $postdata to " . $self->{browserIdVerificationURL},
+        'debug' );
+
+    my $request =
+      HTTP::Request->new( 'POST' => $self->{browserIdVerificationURL} );
+    $request->content_type('application/x-www-form-urlencoded');
+    $request->content($postdata);
+
+    my $answer = $ua->request($request);
+
+    $self->lmLog( "Verification response: " . $answer->as_string, 'debug' );
+
+    if ( $answer->code() == "200" ) {
+
+        # Get JSON answser
+        my $browserIdVerificationAnswer = $answer->content;
+        $self->lmLog( "Received BrowserID answer: $browserIdVerificationAnswer",
+            'debug' );
+
+        my $json = new JSON();
+        $self->{browserIdAnswer} = $json->decode($browserIdVerificationAnswer);
+
+        if ( $self->{browserIdAnswer}->{status} eq "okay" ) {
+            $self->{_user} = $self->{browserIdAnswer}->{email};
+            $self->{sessionInfo}->{user} = $self->{_user};
+
+            $self->lmLog(
+                "Found user "
+                  . $self->{_user}
+                  . " in BrowserID verification answer",
+                'debug'
+            );
+
+            # TODO - check audience
+            # TODO - adjust session duration with BrowserID expires field
+            # TODO - check SSL certificate
+
+            return PE_OK;
+        }
+        else {
+            $self->lmLog(
+                "Assertion "
+                  . $self->{browserIdAssertion}
+                  . " not verified by BrowserID provider",
+                'error'
+            );
+            return PE_ERROR;
+        }
+    }
+    else {
+        $self->lmLog(
+            "Fail to validate BrowserId assertion "
+              . $self->{browserIdAssertion},
+            'error'
+        );
+        return PE_ERROR;
+    }
+
+}
+
+## @apmethod int authFinish()
+# Does nothing.
+# @return Lemonldap::NG::Portal constant
+sub authFinish {
+    PE_OK;
+}
+
+## @apmethod int authLogout()
+# Call BrowserID logout method
+# @return Lemonldap::NG::Portal constant
+sub authLogout {
+    my $self = shift;
+    $self->{tpl_browserIdLoadLogoutScript} = 1;
+    PE_OK;
+}
+
+## @apmethod boolean authForce()
+# Does nothing
+# @return result
+sub authForce {
+    return 0;
+}
+
+## @method string getDisplayType
+# @return display type
+sub getDisplayType {
+    return "logo";
+}
+
+1;
+__END__
+
+=head1 NAME
+
+=encoding utf8
+
+Lemonldap::NG::Portal::AuthBrowserID - Perl extension for building Lemonldap::NG
+compatible portals with Mozilla BrowserID protocol
+
+=head1 SYNOPSIS
+
+  use Lemonldap::NG::Portal::SharedConf;
+  my $portal = new Lemonldap::NG::Portal::Simple(
+         configStorage     => {...}, # See Lemonldap::NG::Portal
+         authentication    => 'BrowserID',
+    );
+
+  if($portal->process()) {
+    # Write here the menu with CGI methods. This page is displayed ONLY IF
+    # the user was not redirected here.
+    print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
+    print "...";
+
+    # or redirect the user to the menu
+    print $portal->redirect( -uri => 'https://portal/menu');
+  }
+  else {
+    print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
+    print "<html><body><h1>Unable to work</h1>";
+    print "This server isn't well configured. Contact your administrator.";
+    print "</body></html>";
+  }
+
+=head1 DESCRIPTION
+
+This library just overload few methods of Lemonldap::NG::Portal::Simple to 
+create sessions for anonymous users.
+
+See L<Lemonldap::NG::Portal::Simple> for usage and other methods.
+
+=head1 SEE ALSO
+
+L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::Simple>,
+L<http://lemonldap-ng.org/>
+
+=head1 AUTHOR
+
+=over
+
+=item Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
+
+=back
+
+=head1 BUG REPORT
+
+Use OW2 system to report bug or ask for features:
+L<http://jira.ow2.org>
+
+=head1 DOWNLOAD
+
+Lemonldap::NG is available at
+L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
+
+=head1 COPYRIGHT AND LICENSE
+
+=over
+
+=item Copyright (C) 2013 by Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
+
+=back
+
+This library is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see L<http://www.gnu.org/licenses/>.
+
+=cut
+
--- a/lemonldap-ng-portal/t/67-Lemonldap-NG-Portal-AuthBrowserID.t
+++ b/lemonldap-ng-portal/t/67-Lemonldap-NG-Portal-AuthBrowserID.t
@ -0,0 +1,27 @@
+# Before `make install' is performed this script should be runnable with
+# `make test'. After `make install' it should work as `perl Lemonldap-NG-Portal-AuthSsl.t'
+
+#########################
+
+# change 'tests => 1' to 'tests => last_test_to_print';
+
+use Test::More tests => 2;
+BEGIN { use_ok('Lemonldap::NG::Portal::Simple') }
+
+#########################
+
+# Insert your test code below, the Test::More module is use()ed here so read
+# its man page ( perldoc Test::More ) for help writing this test script.
+
+$ENV{"REQUEST_METHOD"} = 'GET';
+my $p;
+ok(
+    $p = Lemonldap::NG::Portal::Simple->new(
+        {
+            globalStorage  => 'Apache::Session::File',
+            domain         => 'example.com',
+            authentication => 'BrowserID',
+        }
+    )
+);
+