CAS Issuer (#101):
* Manage gateway parameter (refused unauthenticated user) * Display CAS logout URL message * Do not check base64 encoded URL for CAS (mandatory for logout URL management)
This commit is contained in:
Clément Oudot
parent
7eb813fbca
commit
e3010de6e5
@ -134,7 +134,7 @@ elsif ( $portal->{error} == PE_CONFIRM ) {
|
||||
%templateParams = (
|
||||
AUTH_ERROR => $portal->error,
|
||||
AUTH_ERROR_TYPE => $portal->error_type,
|
||||
AUTH_URL => $portal->get_url,
|
||||
URL => $portal->get_url,
|
||||
MSG => $portal->info(),
|
||||
SKIN => $skin,
|
||||
HIDDEN_INPUTS => $portal->buildHiddenForm(),
|
||||
|
||||
@ -59,11 +59,19 @@ sub issuerForUnAuthUser {
|
||||
$self->setHiddenFormValue( 'gateway', $gateway );
|
||||
|
||||
# Gateway
|
||||
# Authentication must use non-interactive mean
|
||||
if ( $gateway eq 'true' ) {
|
||||
|
||||
# TODO
|
||||
$self->lmLog( "Gateway authentication not managed", 'warn' );
|
||||
# User should already be authenticated
|
||||
$self->lmLog(
|
||||
"Gateway authentication requested, but user is not logged in",
|
||||
'error' );
|
||||
|
||||
# Redirect user to the service
|
||||
$self->lmLog( "Redirect user to $service", 'debug' );
|
||||
|
||||
$self->{urldc} = $service;
|
||||
|
||||
return $self->_subProcess(qw(autoRedirect));
|
||||
|
||||
}
|
||||
|
||||
@ -79,9 +87,19 @@ sub issuerForUnAuthUser {
|
||||
|
||||
if ($logout_url) {
|
||||
|
||||
# We should display a link to the provided URL
|
||||
# TODO
|
||||
$self->lmLog( "Return URL not managed", 'warn' );
|
||||
# Display a link to the provided URL
|
||||
$self->lmLog( "Logout URL $logout_url will be displayed", 'debug' );
|
||||
|
||||
$self->info(
|
||||
"<h3>"
|
||||
. &Lemonldap::NG::Portal::_i18n::msg( PM_BACKTOCASURL,
|
||||
$ENV{HTTP_ACCEPT_LANGUAGE} )
|
||||
. "</h3>"
|
||||
);
|
||||
$self->info("<p><a href=\"$logout_url\">$logout_url</a></p>");
|
||||
$self->{activeTimer} = 0;
|
||||
|
||||
return PE_CONFIRM;
|
||||
}
|
||||
|
||||
return PE_LOGOUT_OK;
|
||||
@ -108,13 +126,6 @@ sub issuerForUnAuthUser {
|
||||
"Get validate request with ticket $ticket for service $service",
|
||||
'debug' );
|
||||
|
||||
# Get CAS session corresponding to ticket
|
||||
unless ( $ticket =~ s/^ST-// ) {
|
||||
$self->lmLog( "Provided ticket is not a service ticket (ST)",
|
||||
'error' );
|
||||
$self->returnCasValidateError();
|
||||
}
|
||||
|
||||
my $casServiceSession = $self->getCasSession($ticket);
|
||||
|
||||
unless ($casServiceSession) {
|
||||
@ -285,10 +296,11 @@ sub issuerForUnAuthUser {
|
||||
$casServiceSession->{_utime};
|
||||
|
||||
# Trace proxies
|
||||
$casProxyGrantingSession->{proxies} =
|
||||
( $proxies
|
||||
$casProxyGrantingSession->{proxies} = (
|
||||
$proxies
|
||||
? $proxies . $self->{multiValuesSeparator} . $pgtUrl
|
||||
: $pgtUrl );
|
||||
: $pgtUrl
|
||||
);
|
||||
|
||||
my $casProxyGrantingSessionID =
|
||||
$casProxyGrantingSession->{_session_id};
|
||||
@ -547,12 +559,6 @@ sub issuerForAuthUser {
|
||||
# GET parameters
|
||||
my $logout_url = $self->param('url');
|
||||
|
||||
if ($logout_url) {
|
||||
|
||||
# We should display a link to the provided URL
|
||||
# TODO
|
||||
}
|
||||
|
||||
# Delete linked CAS sessions
|
||||
$self->deleteCasSecondarySessions($session_id);
|
||||
|
||||
@ -563,6 +569,23 @@ sub issuerForAuthUser {
|
||||
$self->lmLog( "Fail to delete session $session_id ", 'error' );
|
||||
}
|
||||
|
||||
if ($logout_url) {
|
||||
|
||||
# Display a link to the provided URL
|
||||
$self->lmLog( "Logout URL $logout_url will be displayed", 'debug' );
|
||||
|
||||
$self->info(
|
||||
"<h3>"
|
||||
. &Lemonldap::NG::Portal::_i18n::msg( PM_BACKTOCASURL,
|
||||
$ENV{HTTP_ACCEPT_LANGUAGE} )
|
||||
. "</h3>"
|
||||
);
|
||||
$self->info("<p><a href=\"$logout_url\">$logout_url</a></p>");
|
||||
$self->{activeTimer} = 0;
|
||||
|
||||
return PE_CONFIRM;
|
||||
}
|
||||
|
||||
return PE_LOGOUT_OK;
|
||||
|
||||
}
|
||||
|
||||
@ -125,6 +125,7 @@ use constant {
|
||||
PM_SAML_SPLOGOUT => 11,
|
||||
PM_REDIRECTION => 12,
|
||||
PM_BACKTOSP => 13,
|
||||
PM_BACKTOCASURL => 14,
|
||||
};
|
||||
|
||||
# EXPORTER PARAMETERS
|
||||
@ -147,7 +148,7 @@ our @EXPORT = qw( PE_IMG_NOK PE_IMG_OK PE_INFO PE_REDIRECT PE_DONE PE_OK
|
||||
PM_USER PM_DATE PM_IP PM_SESSIONS_DELETED PM_OTHER_SESSIONS
|
||||
PM_REMOVE_OTHER_SESSIONS PM_PP_GRACE PM_PP_EXP_WARNING
|
||||
PM_SAML_IDPSELECT PM_SAML_IDPCHOOSEN PM_REMEMBERCHOICE PM_SAML_SPLOGOUT
|
||||
PM_REDIRECTION PM_BACKTOSP
|
||||
PM_REDIRECTION PM_BACKTOSP PM_BACKTOCASURL
|
||||
);
|
||||
our %EXPORT_TAGS = ( 'all' => [ @EXPORT, 'import' ], );
|
||||
|
||||
@ -1102,7 +1103,8 @@ sub controlUrlOrigin {
|
||||
$self->{_url} ||= '';
|
||||
if ( my $url = $self->param('url') ) {
|
||||
|
||||
# REJECT NON BASE64 URL
|
||||
# REJECT NON BASE64 URL except for CAS IssuerDB
|
||||
if ( $self->get_module('issuer') ne "CAS" ) {
|
||||
if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
|
||||
$self->lmLog( "XSS attack detected (param: url | value: $url)",
|
||||
"warn" );
|
||||
@ -1111,6 +1113,8 @@ sub controlUrlOrigin {
|
||||
|
||||
$self->{urldc} = decode_base64($url);
|
||||
$self->{urldc} =~ s/[\r\n]//sg;
|
||||
}
|
||||
else { $self->{urldc} = $url; }
|
||||
|
||||
# For logout request, test if Referer comes from an authorizated site
|
||||
my $tmp =
|
||||
|
||||
@ -352,6 +352,7 @@ sub error_ro {
|
||||
# * PM_SAML_SPLOGOUT 11
|
||||
# * PM_REDIRECTION 12
|
||||
# * PM_BACKTOSP 13
|
||||
# * PM_BACKTOCASURL 14
|
||||
|
||||
sub msg_en {
|
||||
use utf8;
|
||||
@ -370,6 +371,7 @@ sub msg_en {
|
||||
'Logout from service providers...',
|
||||
'Redirection in progress...',
|
||||
'Go back to service provider',
|
||||
'The application you just logged out of has provided a link it would like you to follow',
|
||||
];
|
||||
}
|
||||
|
||||
@ -390,6 +392,7 @@ sub msg_fr {
|
||||
'Déconnexion des services...',
|
||||
'Redirection en cours...',
|
||||
'Retourner sur le fournisseur de service',
|
||||
'Le service duquel vous arrivez a fourni un lien que vous êtes invité à suivre',
|
||||
];
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user