From e3010de6e57a68f51db8cfd995eb481d7a6a600f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Fri, 27 Aug 2010 16:07:19 +0000
Subject: [PATCH] CAS Issuer (#101):
 * Manage gateway parameter (refused unauthenticated user)
 * Display CAS logout URL message
 * Do not check base64 encoded URL for CAS (mandatory for logout URL management)
---
 .../lemonldap-ng-portal/example/index_skin.pl | 2 +-
 .../lib/Lemonldap/NG/Portal/IssuerDBCAS.pm | 67 +++++++++++++------
 .../lib/Lemonldap/NG/Portal/Simple.pm | 8 ++-
 .../lib/Lemonldap/NG/Portal/_i18n.pm | 3 +
 4 files changed, 55 insertions(+), 25 deletions(-)
diff --git a/modules/lemonldap-ng-portal/example/index_skin.pl b/modules/lemonldap-ng-portal/example/index_skin.pl
index 0ea37451d..02843f173 100755
--- a/modules/lemonldap-ng-portal/example/index_skin.pl
+++ b/modules/lemonldap-ng-portal/example/index_skin.pl
@@ -134,7 +134,7 @@ elsif ( $portal->{error} == PE_CONFIRM ) {
 %templateParams = (
 AUTH_ERROR => $portal->error,
 AUTH_ERROR_TYPE => $portal->error_type,
- AUTH_URL => $portal->get_url,
+ URL => $portal->get_url,
 MSG => $portal->info(),
 SKIN => $skin,
 HIDDEN_INPUTS => $portal->buildHiddenForm(),
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBCAS.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBCAS.pm
index 8bfab2ff5..d2f6ff4ef 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBCAS.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBCAS.pm
@@ -59,11 +59,19 @@ sub issuerForUnAuthUser { $self->setHiddenFormValue( 'gateway', $gateway ); # Gateway - # Authentication must use non-interactive mean if ( $gateway eq 'true' ) { - # TODO - $self->lmLog( "Gateway authentication not managed", 'warn' ); + # User should already be authenticated + $self->lmLog( + "Gateway authentication requested, but user is not logged in", + 'error' ); + + # Redirect user to the service + $self->lmLog( "Redirect user to $service", 'debug' ); + + $self->{urldc} = $service; + + return $self->_subProcess(qw(autoRedirect)); } @@ -79,9 +87,19 @@ sub issuerForUnAuthUser { if ($logout_url) { - # We should display a link to the provided URL - # TODO - $self->lmLog( "Return URL not managed", 'warn' ); + # Display a link to the provided URL + $self->lmLog( "Logout URL $logout_url will be displayed", 'debug' ); + + $self->info( + "
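Review bot: The new lmLog call in the `$gateway eq 'true'` branch records an expected CAS gateway outcome (no SSO session, client sent back to the service without a ticket) at 'error' level, and any unauthenticated request to the issuer can produce that entry at will; `'debug'` or `'notice'` would fit the other messages in this sub better. Just below it, `$self->{urldc} = $service;` followed by `_subProcess(qw(autoRedirect))` sends an unauthenticated client to whatever `$service` holds, and whether that value has been checked against the configured CAS applications before this point cannot be seen here, since issuerForUnAuthUser starts before the hunk; if it has not, this is a redirect to an arbitrary request-supplied URL and needs a check. The comment `# User should already be authenticated` describes the expectation rather than the action; `# CAS gateway: no SSO session, so send the client back to the service without a ticket` says what the branch does.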

" + . &Lemonldap::NG::Portal::_i18n::msg( PM_BACKTOCASURL, + $ENV{HTTP_ACCEPT_LANGUAGE} ) + . "

" + ); + $self->info("

$logout_url

"); + $self->{activeTimer} = 0; + + return PE_CONFIRM; } return PE_LOGOUT_OK; @@ -108,13 +126,6 @@ sub issuerForUnAuthUser { "Get validate request with ticket $ticket for service $service", 'debug' ); - # Get CAS session corresponding to ticket - unless ( $ticket =~ s/^ST-// ) { - $self->lmLog( "Provided ticket is not a service ticket (ST)", - 'error' ); - $self->returnCasValidateError(); - } - my $casServiceSession = $self->getCasSession($ticket); unless ($casServiceSession) { @@ -285,10 +296,11 @@ sub issuerForUnAuthUser { $casServiceSession->{_utime}; # Trace proxies - $casProxyGrantingSession->{proxies} = - ( $proxies + $casProxyGrantingSession->{proxies} = ( + $proxies ? $proxies . $self->{multiValuesSeparator} . $pgtUrl - : $pgtUrl ); + : $pgtUrl + ); my $casProxyGrantingSessionID = $casProxyGrantingSession->{_session_id}; @@ -547,12 +559,6 @@ sub issuerForAuthUser { # GET parameters my $logout_url = $self->param('url'); - if ($logout_url) { - - # We should display a link to the provided URL - # TODO - } - # Delete linked CAS sessions $self->deleteCasSecondarySessions($session_id); @@ -563,6 +569,23 @@ sub issuerForAuthUser { $self->lmLog( "Fail to delete session $session_id ", 'error' ); } + if ($logout_url) { + + # Display a link to the provided URL + $self->lmLog( "Logout URL $logout_url will be displayed", 'debug' ); + + $self->info( + "

" + . &Lemonldap::NG::Portal::_i18n::msg( PM_BACKTOCASURL, + $ENV{HTTP_ACCEPT_LANGUAGE} ) + . "

" + ); + $self->info("

$logout_url

"); + $self->{activeTimer} = 0; + + return PE_CONFIRM; + } + return PE_LOGOUT_OK; } diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm index 06bde7494..23a1edae9 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm @@ -125,6 +125,7 @@ use constant { PM_SAML_SPLOGOUT => 11, PM_REDIRECTION => 12, PM_BACKTOSP => 13, + PM_BACKTOCASURL => 14, }; # EXPORTER PARAMETERS @@ -147,7 +148,7 @@ our @EXPORT = qw( PE_IMG_NOK PE_IMG_OK PE_INFO PE_REDIRECT PE_DONE PE_OK PM_USER PM_DATE PM_IP PM_SESSIONS_DELETED PM_OTHER_SESSIONS PM_REMOVE_OTHER_SESSIONS PM_PP_GRACE PM_PP_EXP_WARNING PM_SAML_IDPSELECT PM_SAML_IDPCHOOSEN PM_REMEMBERCHOICE PM_SAML_SPLOGOUT - PM_REDIRECTION PM_BACKTOSP + PM_REDIRECTION PM_BACKTOSP PM_BACKTOCASURL ); our %EXPORT_TAGS = ( 'all' => [ @EXPORT, 'import' ], ); @@ -1102,7 +1103,8 @@ sub controlUrlOrigin { $self->{_url} ||= ''; if ( my $url = $self->param('url') ) { - # REJECT NON BASE64 URL + # REJECT NON BASE64 URL except for CAS IssuerDB + if ( $self->get_module('issuer') ne "CAS" ) { if ( $url =~ m#[^A-Za-z0-9\+/=]# ) { $self->lmLog( "XSS attack detected (param: url | value: $url)", "warn" ); @@ -1111,6 +1113,8 @@ sub controlUrlOrigin { $self->{urldc} = decode_base64($url); $self->{urldc} =~ s/[\r\n]//sg; + } + else { $self->{urldc} = $url; } # For logout request, test if Referer comes from an authorizated site my $tmp = diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_i18n.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_i18n.pm index 029dbe7a5..1db0327d8 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_i18n.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_i18n.pm @@ -352,6 +352,7 @@ sub error_ro { # * PM_SAML_SPLOGOUT 11 # * PM_REDIRECTION 12 # * PM_BACKTOSP 13 +# * PM_BACKTOCASURL 14 sub msg_en { use utf8; 
@@ -370,6 +371,7 @@ sub msg_en {
 'Logout from service providers...',
 'Redirection in progress...',
 'Go back to service provider',
+'The application you just logged out of has provided a link it would like you to follow',
 ];
 }
@@ -390,6 +392,7 @@ sub msg_fr {
 'Déconnexion des services...',
 'Redirection en cours...',
 'Retourner sur le fournisseur de service',
+'Le service duquel vous arrivez a fourni un lien que vous êtes invité à suivre',
 ];
 }