Auth::Kerberos skeleton (#707)

8 years ago · 9ab046311c
parent 289930e2ad
commit 9ab046311c
2 changed files with 89 additions and 0 deletions
--- a/lemonldap-ng-portal/MANIFEST
+++ b/lemonldap-ng-portal/MANIFEST
@ -19,6 +19,7 @@ lib/Lemonldap/NG/Portal/Auth/Custom.pm
 lib/Lemonldap/NG/Portal/Auth/DBI.pm
 lib/Lemonldap/NG/Portal/Auth/Demo.pm
 lib/Lemonldap/NG/Portal/Auth/Facebook.pm
+lib/Lemonldap/NG/Portal/Auth/Kerberos.pm
 lib/Lemonldap/NG/Portal/Auth/LDAP.pm
 lib/Lemonldap/NG/Portal/Auth/Null.pm
 lib/Lemonldap/NG/Portal/Auth/OpenID.pm
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Kerberos.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Kerberos.pm
@ -0,0 +1,88 @@
+package Lemonldap::NG::Portal::Auth::Kerberos;
+
+use strict;
+use Mouse;
+use GSSAPI;
+use MIME::Base64;
+use Lemonldap::NG::Portal::Main::Constants qw(
+  PE_ERROR
+  PE_OK
+  PE_SENDRESPONSE
+);
+
+our $VERSION = '2.0.0';
+
+extends 'Lemonldap::NG::Portal::Auth::Base';
+
+# INITIALIZATION
+
+sub init {
+    my ($self) = @_;
+}
+
+sub extractFormInfo {
+    my ( $self, $req ) = @_;
+    my $auth = $req->env->{HTTP_AUTHORIZATION};
+    unless ($auth) {
+        $req->response(
+            [
+                410,
+                [ 'WWW-Authenticate' => 'Negotiate' ],
+                ['Authentication required']
+            ]
+        );
+        return PE_SENDRESPONSE;
+    }
+    if ( $auth !~ /^Negotiate (.*)$/ ) {
+        $self->userLogger->error('Bad authorization header');
+        $req->response( [ 403, [], ['Forbidden'] ] );
+        return PE_SENDRESPONSE;
+    }
+    my $data;
+    eval { $data = MIME::Base64::decode($1) };
+    if ($@) {
+        $self->userLogger->error( 'Bad authorization header: ' . $@ );
+        return PE_ERROR;
+    }
+    my $server_context;
+    my $status = GSSAPI::Context::accept(
+        $server_context,
+        GSS_C_NO_CREDENTIAL,
+        $data,
+        GSS_C_NO_CHANNEL_BINDINGS,
+        my $gss_client_name,
+        my $out_mech,
+        my $gss_output_token,
+        my $out_flags,
+        my $out_time,
+        my $gss_delegated_cred
+    );
+    unless ($status) {
+        $self->logger->error('Unable to accept security context');
+        return PE_ERROR;
+    }
+    my $client_name;
+    $status = $gss_client_name->display($client_name);
+    unless ($status) {
+        $self->logger->error('Unable to display KRB client name');
+        return PE_ERROR;
+    }
+    $req->user($client_name);
+    return PE_OK;
+}
+
+sub authenticate {
+    PE_OK;
+}
+
+sub setAuthSessionInfo {
+    my ( $self, $req ) = @_;
+    $req->{sessionInfo}->{authenticationLevel} = $self->conf->{SSLAuthnLevel};
+    PE_OK;
+}
+
+sub getDisplayType {
+    return "logo";
+}
+
+1;