worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
377 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: cae4cbade0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cae4cbade0'
${ noResults }
lemonldap-ng/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/CGI.pm

277 lines
7.6 KiB
Raw Blame History

package Lemonldap::NG::Handler::CGI;
use strict;
use CGI;
use CGI::Cookie;
use MIME::Base64;
our @ISA = qw(CGI);
use Lemonldap::NG::Handler::SharedConf qw(:all);
our $VERSION = '0.11';
sub abort {
my $self = shift;
my $cgi = CGI->new;
my ( $t1, $t2 ) = @_;
$t2 ||= "See Apache's logs";
print $cgi->header('text/html; charset=utf8');
print $cgi->start_html(
-title => $t1,
-encoding => 'utf8',
);
print "<h1>$t1</h1>";
print "<p>$t2</p>";
exit;
}
sub new {
my $class = shift;
my $self = $class->SUPER::new() or $class->abort("Unable to build CGI");
$self->{_handler} = bless {}, 'Lemonldap::NG::Handler::_CGI';
$self->_handler->init(@_);
$self->_handler->initLocalStorage();
$class->abort("Unable to get configuration")
unless $self->_handler->localConfUpdate() == OK;
# Arguments
my @args = @_;
if(ref($args[0])) {
%$self = (%$self,%{$args[0]});
}
else {
%$self = (%$self,@args);
}
# Protection
if ( $self->{protection} ) {
$self->authenticate();
# ACCOUNTING
if ( $self->{protection} =~ /^manager$/i ) {
$self->authorize() or $self->abort( 'Forbidden',
"You don't have rights to access this page" );
}
elsif ( $self->{protection} =~ /rule\s*:\s*(.*)\s*$/i ) {
my $rule = $1;
$rule =~ s/\$date/&POSIX::strftime("%Y%m%d%H%M%S",localtime())/e;
$rule =~ s/\$(\w+)/\$datas->{$1}/g;
$rule = 0 if($rule eq 'deny');
my $r;
unless ( $rule eq 'accept' or $safe->reval($rule) ) {
$self->abort( 'Forbidden',
"You don't have rights to access this page" );
}
}
elsif ( $self->{protection} !~ /^authenticate$/i ) {
$self->abort( 'Bad configuration',
"The rule <code>" . $self->{protection} . "</code> is not known" );
}
}
return $self;
}
sub authenticate {
my $self = shift;
my %cookies = fetch CGI::Cookie;
my $id;
unless ( $cookies{$cookieName} and $id = $cookies{$cookieName}->value ) {
return $self->goToPortal();
}
unless ( $datas and $id eq $datas->{_session_id} ) {
unless ( $refLocalStorage and $datas = $refLocalStorage->get($id) ) {
my %h;
eval { tie %h, $globalStorage, $id, $globalStorageOptions; };
if ($@) {
return $self->goToPortal();
}
$datas->{$_} = $h{$_} foreach ( keys %h );
if ($refLocalStorage) {
$refLocalStorage->set( $id, $datas, "10 minutes" );
}
}
}
# Accounting : set user in apache logs
$self->lmSetApacheUser($self->r, $datas->{$whatToTrace});
return 1;
}
sub authorize {
my $self = shift;
return $self->_handler->grant( $ENV{REQUEST_URI} );
}
sub testUri {
my $self = shift;
my $uri = shift;
my $host = ( $uri =~ s#^(?:https?://)?([^/]*)/#/# ) ? $1 : $ENV{SERVER_NAME};
return -1 unless ( $self->_handler->vhostAvailable($host) );
return $self->_handler->grant( $uri, $host );
}
sub user {
return $datas;
}
sub group {
my ( $self, $group ) = @_;
return ( $datas->{groups} =~ /\b$group\b/ );
}
sub goToPortal {
my $self = shift;
my $tmp = encode_base64( $self->_uri );
$tmp =~ s/[\r\n]//sg;
print CGI::redirect( -uri => "$portal?url=$tmp" );
exit;
}
sub _uri {
return 'http'
. ( $https ? 's' : '' ) . '://'
. $ENV{SERVER_NAME}
. $ENV{REQUEST_URI};
}
sub _handler {
return shift->{_handler};
}
package Lemonldap::NG::Handler::_CGI;
use Lemonldap::NG::Handler::SharedConf qw(:locationRules :localStorage);
our @ISA = qw(Lemonldap::NG::Handler::SharedConf);
sub localInit {
my($class, $args) = @_;
if($localStorage = $args->{localStorage}) {
$localStorageOptions = $args->{localStorageOptions};
$localStorageOptions->{namespace} ||= "lemonldap";
$localStorageOptions->{default_expires_in} ||= 600;
}
$lmConf = Lemonldap::NG::Common::Conf->new( $args->{configStorage} );
$class->defaultValuesInit($args);
}
sub lmLog {
my ( $self, $mess, $level ) = @_;
$mess =~ s/^.*HASH[^:]*:/__PACKAGE__/e;
print STDERR "$mess\n" unless ( $level eq 'debug' );
}
sub vhostAvailable {
my ( $self, $vhost ) = @_;
return defined( $defaultCondition->{$vhost} );
}
sub grant {
my ( $self, $uri, $vhost ) = @_;
$vhost ||= $ENV{SERVER_NAME};
for ( my $i = 0 ; $i < $locationCount->{$vhost} ; $i++ ) {
if ( $uri =~ $locationRegexp->{$vhost}->[$i] ) {
return &{ $locationCondition->{$vhost}->[$i] }($datas);
}
}
unless ( $defaultCondition->{$vhost} ) {
$self->lmLog(
"User rejected because VirtualHost \"$vhost\" has no configuration",
'warn'
);
return 0;
}
return &{ $defaultCondition->{$vhost} }($datas);
}
1;
__END__
=head1 NAME
Lemonldap::NG::Handler::CGI - Perl extension for using Lemonldap::NG
authentication in Perl CGI without using Lemonldap::NG::Handler
=head1 SYNOPSIS
use Lemonldap::NG::Handler::CGI;
my $cgi = Lemonldap::NG::Handler::CGI->new ( {
# Local storage used for sessions and configuration
localStorage => "Cache::FileCache",
localStorageOptions => {...},
# How to get my configuration
configStorage => {
type => "DBI",
dbiChain => "DBI:mysql:database=lemondb;host=$hostname",
dbiUser => "lemonldap",
dbiPassword => "password",
},
https => 0,
# Optionnal
protection => 'rule: $uid eq "admin"',
# Or to use rules from manager
protection => 'manager',
# Or just to authenticate without managing authorization
protection => 'authenticate',
}
);
# Lemonldap::NG cookie validation (done if you set "protection")
$cgi->authenticate();
# Optionnal Lemonldap::NG authorization (done if you set "protection")
$cgi->authorize();
# See CGI(3) for more about writing HTML pages
print $cgi->header;
print $cgi->start_html;
# Since authentication phase, you can use user attributes and macros
my $name = $cgi->user->{cn};
# Instead of using "$cgi->user->{groups} =~ /\badmin\b/", you can use
if( $cgi->group('admin') ) {
# special html code for admins
}
else {
# another HTML code
}
=head1 DESCRIPTION
Lemonldap::NG::Handler provides the protection part of Lemonldap::NG web-SSO
system. It can be used with any system used with Apache (PHP or JSP pages for
example). If you need to protect only few Perl CGI, you can use this library
instead.
Warning, this module must not be used in a Lemonldap::NG::Handler protected
area because it hides Lemonldap::NG cookies.
=head1 SEE ALSO
L<http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation>,
L<CGI>, L<Lemonldap::NG::Handler>, L<Lemonldap::NG::Manager>,
L<Lemonldap::NG::Portal>
=head1 AUTHOR
Xavier Guimard, E<lt>x.guimard@free.frE<gt>
=head1 BUG REPORT
Use OW2 system to report bug or ask for features:
L<http://forge.objectweb.org/tracker/?group_id=274>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
=head1 COPYRIGHT AND LICENSE
Copyright (C) 2007 by Xavier Guimard
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.8 or,
at your option, any later version of Perl 5 you may have available.
=cut