From 8c4367fd3f730f29d65c560f6f63f04ec25abd6b Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Fri, 3 Mar 2017 06:29:50 +0000
Subject: [PATCH] Service token in progress (#971)
---
 lemonldap-ng-handler/MANIFEST | 4 +++
 .../NG/Handler/ApacheMP2/ServiceToken.pm | 13 ++++++++++
 .../Lemonldap/NG/Handler/Lib/ServiceToken.pm | 25 +++++++++++++++++++
 .../lib/Lemonldap/NG/Handler/Main/Run.pm | 3 +--
 .../Lemonldap/NG/Handler/PSGI/ServiceToken.pm | 13 ++++++++++
 .../NG/Handler/Server/ServiceToken.pm | 13 ++++++++++
 lemonldap-ng-portal/MANIFEST | 1 +
 .../NG/Portal/Plugins/ServiceTokenServer.pm | 8 +++--
 8 files changed, 74 insertions(+), 6 deletions(-)
 create mode 100644 lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2/ServiceToken.pm
 create mode 100644 lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
 create mode 100644 lemonldap-ng-handler/lib/Lemonldap/NG/Handler/PSGI/ServiceToken.pm
 create mode 100644 lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/ServiceToken.pm
diff --git a/lemonldap-ng-handler/MANIFEST b/lemonldap-ng-handler/MANIFEST
index 0bc199041..b776f8a79 100644
--- a/lemonldap-ng-handler/MANIFEST
+++ b/lemonldap-ng-handler/MANIFEST
@@ -11,12 +11,14 @@ lib/Lemonldap/NG/Handler/ApacheMP2/DevOps.pm
 lib/Lemonldap/NG/Handler/ApacheMP2/Main.pm
 lib/Lemonldap/NG/Handler/ApacheMP2/Menu.pm
 lib/Lemonldap/NG/Handler/ApacheMP2/SecureToken.pm
+lib/Lemonldap/NG/Handler/ApacheMP2/ServiceToken.pm
 lib/Lemonldap/NG/Handler/ApacheMP2/ZimbraPreAuth.pm
 lib/Lemonldap/NG/Handler/Lib/AuthBasic.pm
 lib/Lemonldap/NG/Handler/Lib/CDA.pm
 lib/Lemonldap/NG/Handler/Lib/DevOps.pm
 lib/Lemonldap/NG/Handler/Lib/PSGI.pm
 lib/Lemonldap/NG/Handler/Lib/SecureToken.pm
+lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
 lib/Lemonldap/NG/Handler/Lib/Status.pm
 lib/Lemonldap/NG/Handler/Lib/ZimbraPreAuth.pm
 lib/Lemonldap/NG/Handler/Main.pm
@@ -30,6 +32,7 @@ lib/Lemonldap/NG/Handler/PSGI/AuthBasic.pm
 lib/Lemonldap/NG/Handler/PSGI/CDA.pm
 lib/Lemonldap/NG/Handler/PSGI/Main.pm
 lib/Lemonldap/NG/Handler/PSGI/Router.pm
+lib/Lemonldap/NG/Handler/PSGI/ServiceToken.pm
 lib/Lemonldap/NG/Handler/PSGI/Try.pm
 lib/Lemonldap/NG/Handler/Server.pm
 lib/Lemonldap/NG/Handler/Server/AuthBasic.pm
@@ -38,6 +41,7 @@ lib/Lemonldap/NG/Handler/Server/DevOps.pm
 lib/Lemonldap/NG/Handler/Server/Main.pm
 lib/Lemonldap/NG/Handler/Server/Nginx.pm
 lib/Lemonldap/NG/Handler/Server/SecureToken.pm
+lib/Lemonldap/NG/Handler/Server/ServiceToken.pm
 lib/Lemonldap/NG/Handler/Server/ZimbraPreAuth.pm
 Makefile.PL
 MANIFEST This list of files
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2/ServiceToken.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2/ServiceToken.pm
new file mode 100644
index 000000000..478b4c2bd
--- /dev/null
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2/ServiceToken.pm
@@ -0,0 +1,13 @@
+# LLNG wrapper class to enable ServiceToken handler with Apache-2/ModPerl-2
+#
+# See http://lemonldap-ng.org/documentation/latest/handlerarch
+package Lemonldap::NG::Handler::ApacheMP2::ServiceToken;
+
+use strict;
+
+use base 'Lemonldap::NG::Handler::Lib::ServiceToken',
+ 'Lemonldap::NG::Handler::ApacheMP2::Main';
+
+our $VERSION = '2.0.0';
+
+1;
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
new file mode 100644
index 000000000..b875cf048
--- /dev/null
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
@@ -0,0 +1,25 @@
+package Lemonldap::NG::Handler::Lib::ServiceToken;
+
+use strict;
+
+our $VERSION = '2.0.0';
+
+sub fetchId {
+ my($class) = @_;
+ my $token = $class->header_in('X-Llng-Token');
+ return $class->Lemonldap::NG::Handler::Main::fetchId() unless($token);
+ $class->logger->debug('Found token header');
+ my $s $class->tsv->{cipher}->decrypt($s);
+ my($t,$_session_id,@vhosts) = split /:/, $s;
+ unless(@vhosts) {
+ $class->userLogger->error('Bad token');
+ return 0;
+ }
+ unless($t <= time and $t > time -15) {
+ $class->userLogger->warn('Expired token');
+ return 0;
+ }
+ return $_session_id;
+}
+
+1;
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
index 2b80af7ba..8bb83ac42 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
@@ -117,8 +117,7 @@ sub run {
 }
 
 # Try to recover cookie and user session
- if ( !$id
- and $id = $class->fetchId
+ if ( $id = $class->fetchId
 and $session = $class->retrieveSession($id) )
 {
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/PSGI/ServiceToken.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/PSGI/ServiceToken.pm
new file mode 100644
index 000000000..98050e4a2
--- /dev/null
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/PSGI/ServiceToken.pm
@@ -0,0 +1,13 @@
+# LLNG wrapper class to enable ServiceToken handler with FastCGI handler
+#
+# See http://lemonldap-ng.org/documentation/latest/handlerarch
+package Lemonldap::NG::Handler::PSGI::ServiceToken;
+
+use strict;
+
+use base 'Lemonldap::NG::Handler::Lib::ServiceToken',
+ 'Lemonldap::NG::Handler::PSGI::Main';
+
+our $VERSION = '2.0.0';
+
+1;
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/ServiceToken.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/ServiceToken.pm
new file mode 100644
index 000000000..731e8af99
--- /dev/null
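Review bot: `my $s $class->tsv->{cipher}->decrypt($s);` in fetchId is missing the assignment operator and decrypts the still-undefined `$s` instead of the header value, so the module does not compile and the token would never be read; it should be `my $s = $class->tsv->{cipher}->decrypt($token);`. The `@vhosts` list carried by the token is only tested for being non-empty — nothing compares it against the virtual host actually being requested, so a token scoped to one set of servers is accepted by any ServiceToken-enabled handler; after the time check add a guard such as `unless (grep { $_ eq $current_vhost } @vhosts) { $class->userLogger->error('Token not valid for this vhost'); return 0 }`, where `$current_vhost` is a placeholder for the request's virtual host (the handler's accessor for it is not visible in this hunk). A failed decrypt that yields undef currently reaches `split` silently and is reported as 'Bad token' only because `@vhosts` ends up empty; testing `$s` before the split keeps that path explicit. The 15-second window has no nonce, so a captured token can be replayed on the listed vhosts until it expires; a comment on the `unless($t <= time and $t > time -15)` line stating that trade-off would stop the window being widened casually.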
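Review bot: With the `!$id and` guard removed, `$id = $class->fetchId` now runs unconditionally, so any value `$id` held before this point in run() (the start of the function is outside the hunk) is overwritten; this looks intended, since the ServiceToken fetchId added in this commit falls back to the Main implementation itself, but a one-line comment such as `# fetchId may be overridden (e.g. ServiceToken) and returns 0 for a rejected token` would record why the assignment now lives in the condition. Because a rejected token makes that override return 0, the branch is skipped and control reaches the else-path below the hunk; confirm that path treats the request as unauthenticated rather than retrying with the cookie, so a bad service token stays fail-closed.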
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Server/ServiceToken.pm
@@ -0,0 +1,13 @@
+# LLNG wrapper class to enable ServiceToken handler with FastCGI handler
+#
+# See http://lemonldap-ng.org/documentation/latest/handlerarch
+package Lemonldap::NG::Handler::Server::ServiceToken;
+
+use strict;
+
+use base 'Lemonldap::NG::Handler::Lib::ServiceToken',
+ 'Lemonldap::NG::Handler::Server::Main';
+
+our $VERSION = '2.0.0';
+
+1;
diff --git a/lemonldap-ng-portal/MANIFEST b/lemonldap-ng-portal/MANIFEST
index 041b69367..d38835e47 100644
--- a/lemonldap-ng-portal/MANIFEST
+++ b/lemonldap-ng-portal/MANIFEST
@@ -368,6 +368,7 @@ t/19-Auth-Null.t
 t/20-Auth-and-password-DBI.t
 t/20-Auth-DBI-utf8.t
 t/21-Auth-and-password-LDAP.t
+t/21-Auth-LDAP-utf8.t
 t/22-Auth-and-password-AD.t
 t/23-Auth-and-password-REST.t
 t/24-AuthApache.t
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ServiceTokenServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ServiceTokenServer.pm
index ed4d78926..60d94de06 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ServiceTokenServer.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ServiceTokenServer.pm
@@ -12,8 +12,8 @@
 # Token header are also added for App-1 (application that wants to query
 # others on behalf of the connected user)
 # 1) App 1 received a token in headers (header is generated using
-# "token($uid,'ref')" where ref is a key of "sTokenScopes" configuration
-# parameter).
+# "token($_session_id,'ref')" where ref is a key of "sTokenScopes"
+# configuration parameter).
 # 2) It send it to this plugin (request to /tokenfor)
 # 3) run() method verify that token is available and return a service token that
 # can be used to request a fixed list of servers. This list is the value of
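Review bot: The header comment `# LLNG wrapper class to enable ServiceToken handler with FastCGI handler` is byte-identical to the one in the PSGI wrapper added by this commit, although this class inherits from `Lemonldap::NG::Handler::Server::Main` rather than `Lemonldap::NG::Handler::PSGI::Main`, so the comment no longer tells a reader which runtime the file targets. Suggest naming the base class instead, e.g. `# LLNG wrapper class to enable ServiceToken handler on top of Lemonldap::NG::Handler::Server::Main`, and doing the same in the PSGI wrapper. The ApacheMP2 wrapper already names its target ('Apache-2/ModPerl-2'), so only this pair needs disambiguating.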
@@ -77,7 +77,7 @@ sub run {
 or return $self->p->sendError( $req, 'Bad token', 403 );
 
 # 3. Verify time
- my ( $t, $uid, $ref ) = split /:/, $s;
+ my ( $t, $_session_id, $ref ) = split /:/, $s;
 unless ( $t <= time and $t > time - 15 ) {
 return $self->p->sendError( $req, 'Token expired', 403 );
 }
@@ -85,7 +85,7 @@ sub run {
 return $self->p->sendError( $req, 'Bad reference', 403 );
 }
 my $respToken = $self->conf->{cipher}
- ->encrypt( join ':', time, $_session_id, $self->tokenScopes->{$ref} );
+ ->encrypt( join ':', time, $_session_id, $self->tokenScopes->{$ref} );
 return $self->p->sendJSONresponse( $req, { sToken => $respToken } );
 }
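Review bot: The response token built at the `->encrypt( join ':', time, $_session_id, $self->tokenScopes->{$ref} )` line in the second hunk carries forward whatever `$_session_id` the incoming token contained; the hunks check the token's age and the `$ref` scope, but nothing visible checks that `$_session_id` still names a live session, so the portal can mint scoped tokens for sessions that have already expired or been logged out (the handler rejects them later, but the portal log will not show why). Looking the session up before `$respToken` is built and returning `sendError( $req, 'Bad token', 403 )` when it is absent would fail early and log at the issuing side; run() begins outside the first hunk, so that lookup may already exist earlier — confirm. Both the incoming and outgoing tokens rely on a 15-second window alone, with no nonce or single-use tracking, so within that window a captured service token is replayable on every host in `$self->tokenScopes->{$ref}`; a comment on the `unless ( $t <= time and $t > time - 15 )` line in the first hunk should state that assumption so it is not relaxed later.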