worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2844 Commits
107 Branches
123 Tags
110 MiB
 
 
 
 
 
Tag: Branch: Tree: e174ff4732
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e174ff4732'
${ noResults }
lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm

3105 lines
97 KiB
Raw Blame History Escape

##@file
# Base package for Lemonldap::NG portal
##@class Lemonldap::NG::Portal::Simple
# Base class for Lemonldap::NG portal
package Lemonldap::NG::Portal::Simple;
use strict;
use warnings;
use Exporter 'import';
use warnings;
use MIME::Base64;
use Lemonldap::NG::Common::CGI;
use CGI::Cookie;
use POSIX qw(strftime);
use Lemonldap::NG::Portal::_i18n; #inherits
use Lemonldap::NG::Common::Apache::Session
; #link protected session Apache::Session object
use Lemonldap::NG::Common::Safe; #link protected safe Safe object
use Lemonldap::NG::Common::Safelib;
use Digest::MD5;
# Special comments for doxygen
#inherits Lemonldap::NG::Portal::_SOAP
#inherits Lemonldap::NG::Portal::AuthApache;
#inherits Lemonldap::NG::Portal::AuthAD;
#inherits Lemonldap::NG::Portal::AuthCAS;
#inherits Lemonldap::NG::Portal::AuthChoice;
#inherits Lemonldap::NG::Portal::AuthDBI;
#inherits Lemonldap::NG::Portal::AuthFacebook;
#inherits Lemonldap::NG::Portal::AuthGoogle;
#inherits Lemonldap::NG::Portal::AuthLDAP;
#inherits Lemonldap::NG::Portal::AuthMulti;
#inherits Lemonldap::NG::Portal::AuthNull;
#inherits Lemonldap::NG::Portal::AuthOpenID;
#inherits Lemonldap::NG::Portal::AuthProxy;
#inherits Lemonldap::NG::Portal::AuthRadius;
#inherits Lemonldap::NG::Portal::AuthRemote;
#inherits Lemonldap::NG::Portal::AuthSAML;
#inherits Lemonldap::NG::Portal::AuthSSL;
#inherits Lemonldap::NG::Portal::AuthTwitter;
#inherits Lemonldap::NG::Portal::Display;
#inherits Lemonldap::NG::Portal::IssuerDBCAS
#inherits Lemonldap::NG::Portal::IssuerDBNull
#inherits Lemonldap::NG::Portal::IssuerDBOpenID
#inherits Lemonldap::NG::Portal::IssuerDBSAML
#inherits Lemonldap::NG::Portal::Menu
#link Lemonldap::NG::Common::Notification protected notification
#inherits Lemonldap::NG::Portal::PasswordDBChoice;
#inherits Lemonldap::NG::Portal::PasswordDBDBI;
#inherits Lemonldap::NG::Portal::PasswordDBLDAP;
#inherits Lemonldap::NG::Portal::PasswordDBNull;
#inherits Lemonldap::NG::Portal::UserDBAD;
#inherits Lemonldap::NG::Portal::UserDBChoice;
#inherits Lemonldap::NG::Portal::UserDBDBI;
#inherits Lemonldap::NG::Portal::UserDBFacebook;
#inherits Lemonldap::NG::Portal::UserDBGoogle;
#inherits Lemonldap::NG::Portal::UserDBLDAP;
#inherits Lemonldap::NG::Portal::UserDBMulti;
#inherits Lemonldap::NG::Portal::UserDBNull;
#inherits Lemonldap::NG::Portal::UserDBOpenID;
#inherits Lemonldap::NG::Portal::UserDBProxy;
#inherits Lemonldap::NG::Portal::UserDBRemote;
#inherits Lemonldap::NG::Portal::UserDBSAML;
#inherits Lemonldap::NG::Portal::PasswordDBDBI
#inherits Lemonldap::NG::Portal::PasswordDBLDAP
#inherits Apache::Session
#link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
our $VERSION = '1.3.0';
use base qw(Lemonldap::NG::Common::CGI Exporter);
our @ISA;
# Constants
use constant {
# Portal errors
# Developers warning, do not use PE_INFO, it's reserved to autoRedirect.
# If you want to send an information, use $self->info('text').
PE_IMG_NOK => -5,
PE_IMG_OK => -4,
PE_INFO => -3,
PE_REDIRECT => -2,
PE_DONE => -1,
PE_OK => 0,
PE_SESSIONEXPIRED => 1,
PE_FORMEMPTY => 2,
PE_WRONGMANAGERACCOUNT => 3,
PE_USERNOTFOUND => 4,
PE_BADCREDENTIALS => 5,
PE_LDAPCONNECTFAILED => 6,
PE_LDAPERROR => 7,
PE_APACHESESSIONERROR => 8,
PE_FIRSTACCESS => 9,
PE_BADCERTIFICATE => 10,
PE_PP_ACCOUNT_LOCKED => 21,
PE_PP_PASSWORD_EXPIRED => 22,
PE_CERTIFICATEREQUIRED => 23,
PE_ERROR => 24,
PE_PP_CHANGE_AFTER_RESET => 25,
PE_PP_PASSWORD_MOD_NOT_ALLOWED => 26,
PE_PP_MUST_SUPPLY_OLD_PASSWORD => 27,
PE_PP_INSUFFICIENT_PASSWORD_QUALITY => 28,
PE_PP_PASSWORD_TOO_SHORT => 29,
PE_PP_PASSWORD_TOO_YOUNG => 30,
PE_PP_PASSWORD_IN_HISTORY => 31,
PE_PP_GRACE => 32,
PE_PP_EXP_WARNING => 33,
PE_PASSWORD_MISMATCH => 34,
PE_PASSWORD_OK => 35,
PE_NOTIFICATION => 36,
PE_BADURL => 37,
PE_NOSCHEME => 38,
PE_BADOLDPASSWORD => 39,
PE_MALFORMEDUSER => 40,
PE_SESSIONNOTGRANTED => 41,
PE_CONFIRM => 42,
PE_MAILFORMEMPTY => 43,
PE_BADMAILTOKEN => 44,
PE_MAILERROR => 45,
PE_MAILOK => 46,
PE_LOGOUT_OK => 47,
PE_SAML_ERROR => 48,
PE_SAML_LOAD_SERVICE_ERROR => 49,
PE_SAML_LOAD_IDP_ERROR => 50,
PE_SAML_SSO_ERROR => 51,
PE_SAML_UNKNOWN_ENTITY => 52,
PE_SAML_DESTINATION_ERROR => 53,
PE_SAML_CONDITIONS_ERROR => 54,
PE_SAML_IDPSSOINITIATED_NOTALLOWED => 55,
PE_SAML_SLO_ERROR => 56,
PE_SAML_SIGNATURE_ERROR => 57,
PE_SAML_ART_ERROR => 58,
PE_SAML_SESSION_ERROR => 59,
PE_SAML_LOAD_SP_ERROR => 60,
PE_SAML_ATTR_ERROR => 61,
PE_OPENID_EMPTY => 62,
PE_OPENID_BADID => 63,
PE_MISSINGREQATTR => 64,
PE_BADPARTNER => 65,
PE_MAILCONFIRMATION_ALREADY_SENT => 66,
PE_PASSWORDFORMEMPTY => 67,
PE_CAS_SERVICE_NOT_ALLOWED => 68,
PE_MAILFIRSTACCESS => 69,
PE_MAILNOTFOUND => 70,
PE_PASSWORDFIRSTACCESS => 71,
PE_MAILCONFIRMOK => 72,
PE_RADIUSCONNECTFAILED => 73,
PE_MUST_SUPPLY_OLD_PASSWORD => 74,
PE_FORBIDDENIP => 75,
PE_CAPTCHAERROR => 76,
PE_CAPTCHAEMPTY => 77,
# Portal messages
PM_USER => 0,
PM_DATE => 1,
PM_IP => 2,
PM_SESSIONS_DELETED => 3,
PM_OTHER_SESSIONS => 4,
PM_REMOVE_OTHER_SESSIONS => 5,
PM_PP_GRACE => 6,
PM_PP_EXP_WARNING => 7,
PM_SAML_IDPSELECT => 8,
PM_SAML_IDPCHOOSEN => 9,
PM_REMEMBERCHOICE => 10,
PM_SAML_SPLOGOUT => 11,
PM_REDIRECTION => 12,
PM_BACKTOSP => 13,
PM_BACKTOCASURL => 14,
PM_LOGOUT => 15,
PM_OPENID_EXCHANGE => 16,
PM_CDC_WRITER => 17,
PM_OPENID_RPNS => 18, # OpenID "requested parameter is not set"
PM_OPENID_PA => 19, # "OpenID policy available at"
PM_OPENID_AP => 20, # OpenID "Asked parameter"
PM_ERROR_MSG => 21,
PM_LAST_LOGINS => 22,
PM_LAST_FAILED_LOGINS => 23,
};
# EXPORTER PARAMETERS
our @EXPORT = qw( PE_IMG_NOK PE_IMG_OK PE_INFO PE_REDIRECT PE_DONE PE_OK
PE_SESSIONEXPIRED PE_FORMEMPTY PE_WRONGMANAGERACCOUNT PE_USERNOTFOUND
PE_BADCREDENTIALS PE_LDAPCONNECTFAILED PE_LDAPERROR PE_APACHESESSIONERROR
PE_FIRSTACCESS PE_BADCERTIFICATE PE_PP_ACCOUNT_LOCKED PE_PP_PASSWORD_EXPIRED
PE_CERTIFICATEREQUIRED PE_ERROR PE_PP_CHANGE_AFTER_RESET
PE_PP_PASSWORD_MOD_NOT_ALLOWED PE_PP_MUST_SUPPLY_OLD_PASSWORD
PE_PP_INSUFFICIENT_PASSWORD_QUALITY PE_PP_PASSWORD_TOO_SHORT
PE_PP_PASSWORD_TOO_YOUNG PE_PP_PASSWORD_IN_HISTORY PE_PP_GRACE
PE_PP_EXP_WARNING PE_PASSWORD_MISMATCH PE_PASSWORD_OK PE_NOTIFICATION
PE_BADURL PE_NOSCHEME PE_BADOLDPASSWORD PE_MALFORMEDUSER PE_SESSIONNOTGRANTED
PE_CONFIRM PE_MAILFORMEMPTY PE_BADMAILTOKEN PE_MAILERROR PE_MAILOK
PE_LOGOUT_OK PE_SAML_ERROR PE_SAML_LOAD_SERVICE_ERROR PE_SAML_LOAD_IDP_ERROR
PE_SAML_SSO_ERROR PE_SAML_UNKNOWN_ENTITY PE_SAML_DESTINATION_ERROR
PE_SAML_CONDITIONS_ERROR PE_SAML_IDPSSOINITIATED_NOTALLOWED PE_SAML_SLO_ERROR
PE_SAML_SIGNATURE_ERROR PE_SAML_ART_ERROR PE_SAML_SESSION_ERROR
PE_SAML_LOAD_SP_ERROR PE_SAML_ATTR_ERROR PE_OPENID_EMPTY PE_OPENID_BADID
PE_MISSINGREQATTR PE_BADPARTNER PE_MAILCONFIRMATION_ALREADY_SENT
PE_PASSWORDFORMEMPTY PE_CAS_SERVICE_NOT_ALLOWED PE_MAILFIRSTACCESS
PE_MAILNOTFOUND PE_PASSWORDFIRSTACCESS PE_MAILCONFIRMOK
PE_MUST_SUPPLY_OLD_PASSWORD PE_FORBIDDENIP PE_CAPTCHAERROR PE_CAPTCHAEMPTY
PM_USER PM_DATE PM_IP PM_SESSIONS_DELETED PM_OTHER_SESSIONS
PM_REMOVE_OTHER_SESSIONS PM_PP_GRACE PM_PP_EXP_WARNING
PM_SAML_IDPSELECT PM_SAML_IDPCHOOSEN PM_REMEMBERCHOICE PM_SAML_SPLOGOUT
PM_REDIRECTION PM_BACKTOSP PM_BACKTOCASURL PM_LOGOUT PM_OPENID_EXCHANGE
PM_CDC_WRITER PM_OPENID_RPNS PM_OPENID_PA PM_OPENID_AP PM_ERROR_MSG
PM_LAST_LOGINS PM_LAST_FAILED_LOGINS
);
our %EXPORT_TAGS = ( 'all' => [ @EXPORT, 'import' ], );
our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
# Share secure jail between threads
our $safe;
BEGIN {
eval {
require threads::shared;
threads::shared::share($safe);
};
}
##@cmethod Lemonldap::NG::Portal::Simple new(hashRef args)
# Class constructor.
#@param args hash reference
#@return Lemonldap::NG::Portal::Simple object
sub new {
@ISA = qw(Lemonldap::NG::Common::CGI Exporter);
binmode( STDOUT, ":utf8" );
my $class = shift;
return $class if ( ref($class) );
my $self = $class->SUPER::new() or return undef;
# Reinit _url
$self->{_url} = '';
# Get global configuration
$self->getConf(@_)
or $self->abort( "Configuration error",
"Unable to get configuration: $Lemonldap::NG::Common::Conf::msg" );
# Test mandatory elements
# 1. Sessions backend
$self->abort( "Configuration error",
"You've to indicate a an Apache::Session storage module !" )
unless ( $self->{globalStorage} );
unless ( $self->{globalStorage}->can('populate') ) {
eval "require " . $self->{globalStorage};
$self->abort( "Configuration error",
"Module " . $self->{globalStorage} . " not found in \@INC" )
if ($@);
}
# Use LemonLDAP::NG custom Apache::Session
$self->{globalStorageOptions}->{backend} = $self->{globalStorage};
$self->{globalStorage} = 'Lemonldap::NG::Common::Apache::Session';
# Check specific persistent session configuration
if ( $self->{persistentStorage} ) {
$self->{persistentStorageOptions}->{backend} =
$self->{persistentStorage};
$self->{persistentStorage} = 'Lemonldap::NG::Common::Apache::Session';
}
else {
$self->{persistentStorage} = $self->{globalStorage};
$self->{persistentStorageOptions} = $self->{globalStorageOptions};
}
# Default values
$self->setDefaultValues();
# Load other storages if needed
foreach my $otherStorage ( $self->{samlStorage}, $self->{casStorage} ) {
if ( $otherStorage ne $self->{globalStorage} ) {
eval "require " . $otherStorage;
$self->abort( "Configuration error",
"Module " . $otherStorage . " not found in \@INC" )
if ($@);
}
}
# 2. Domain
$self->abort( "Configuration error",
"You've to indicate a domain for cookies" )
unless ( $self->{domain} );
$self->{domain} =~ s/^([^\.])/.$1/;
# Load Display and Menu functions
$self->loadModule('Lemonldap::NG::Portal::Menu');
$self->loadModule('Lemonldap::NG::Portal::Display');
# Rules to allow redirection
$self->{mustRedirect} =
defined $ENV{REQUEST_METHOD}
? ( $ENV{REQUEST_METHOD} eq "POST" and not $self->param('newpassword') )
: $self->param('logout') ? 1
: 0;
# Push authentication/userDB/passwordDB modules in @ISA
foreach my $type (qw(authentication userDB passwordDB)) {
my $module_name = 'Lemonldap::NG::Portal::';
my $db_type = $type;
my $db_name = $self->{$db_type};
# Adapt module type to real module name
$db_type =~ s/authentication/Auth/;
$db_type =~ s/userDB/UserDB/;
$db_type =~ s/passwordDB/PasswordDB/;
# Full module name
$module_name .= $db_type . $db_name;
# Remove white spaces
$module_name =~ s/\s.*$//;
# Try to load module
$self->abort( "Configuration error", "Unable to load $module_name" )
unless $self->loadModule($module_name);
# $self->{authentication} and $self->{userDB} can contains arguments
# (key1 = scalar_value; key2 = ...)
unless ( $db_name =~ /^Multi/ ) {
$db_name =~ s/^\w+\s*//;
my %h = split( /\s*[=;]\s*/, $db_name ) if ($db_name);
%$self = ( %h, %$self );
}
}
# Check issuerDB path to load the correct issuerDB module
foreach my $issuerDBtype (qw(SAML OpenID CAS)) {
my $module_name = 'Lemonldap::NG::Portal::IssuerDB' . $issuerDBtype;
$self->lmLog( "[IssuerDB activation] Try issuerDB module $issuerDBtype",
'debug' );
# Check activation flag
my $activation =
$self->{ "issuerDB" . $issuerDBtype . "Activation" } ||= "0";
unless ($activation) {
$self->lmLog(
"[IssuerDB activation] Activation flag set to off, trying next",
'debug'
);
next;
}
# Check the path
my $path = $self->{ "issuerDB" . $issuerDBtype . "Path" };
if ( defined $path ) {
$self->lmLog( "[IssuerDB activation] Found path $path", 'debug' );
# Get current path
my $url_path = $self->url( -absolute => 1 );
$url_path =~ s#^//#/#;
$self->lmLog(
"[IssuerDB activation] Path of current request is $url_path",
'debug' );
# Match regular expression
if ( $url_path =~ m#$path# ) {
$self->abort( "Configuration error",
"Unable to load $module_name" )
unless $self->loadModule($module_name);
# Remember loaded module
$self->{_activeIssuerDB} = $issuerDBtype;
$self->lmLog(
"[IssuerDB activation] IssuerDB module $issuerDBtype loaded",
'debug'
);
last;
}
else {
$self->lmLog(
"[IssuerDB activation] Path do not match, trying next",
'debug' );
next;
}
}
else {
$self->lmLog( "[IssuerDB activation] No path defined", 'debug' );
next;
}
}
# Load default issuerDB module if none was choosed
unless ( $self->{_activeIssuerDB} ) {
# Manage old configuration format
my $db_type = $self->{'issuerDB'} || 'Null';
my $module_name = 'Lemonldap::NG::Portal::IssuerDB' . $db_type;
$self->abort( "Configuration error", "Unable to load $module_name" )
unless $self->loadModule($module_name);
# Remember loaded module
$self->{_activeIssuerDB} = $db_type;
$self->lmLog( "[IssuerDB activation] IssuerDB module $db_type loaded",
'debug' );
}
# Notifications
if ( $self->{notification} ) {
require Lemonldap::NG::Common::Notification;
my $tmp;
# Use configuration options
if ( $self->{notificationStorage} ) {
$tmp->{type} = $self->{notificationStorage};
foreach ( keys %{ $self->{notificationStorageOptions} } ) {
$tmp->{$_} = $self->{notificationStorageOptions}->{$_};
}
}
# Else use the configuration backend
else {
(%$tmp) = ( %{ $self->{lmConf} } );
$self->abort( "notificationStorage not defined",
"This parameter is required to use notification system" )
unless ( ref($tmp) );
# Get the type
$tmp->{type} =~ s/.*:://;
$tmp->{type} =~ s/(CDBI|RDBI)/DBI/; # CDBI/RDBI are DBI
# If type not File or DBI, abort
$self->abort("Only File or DBI supported for Notifications")
unless $tmp->{type} =~ /^(File|DBI)$/;
# Force table name
$tmp->{table} = 'notifications';
}
$tmp->{p} = $self;
$self->{notifObject} = Lemonldap::NG::Common::Notification->new($tmp);
$self->abort($Lemonldap::NG::Common::Notification::msg)
unless ( $self->{notifObject} );
}
# SOAP
if ( $self->{Soap} or $self->{soap} ) {
$self->loadModule('Lemonldap::NG::Portal::_SOAP');
if ( $self->{notification} and $ENV{PATH_INFO} ) {
$self->{CustomSOAPServices} ||= {};
$self->{CustomSOAPServices}->{'/notification'} = {
f => 'newNotification deleteNotification',
o => $self->{notifObject}
};
}
$self->startSoapServices();
}
# Trusted domains
$self->{trustedDomains} ||= "";
$self->{trustedDomains} = "*"
if ( $self->{trustedDomains} =~ /(^|\s)\*(\s|$)/ );
if ( $self->{trustedDomains} and $self->{trustedDomains} ne "*" ) {
$self->{trustedDomains} =~ s#(^|\s+)\.#${1}[^/]+.#g;
$self->{trustedDomains} =
'(' . join( '|', split( /\s+/, $self->{trustedDomains} ) ) . ')';
$self->{trustedDomains} =~ s/\./\\./g;
}
# Init the captcha feature if it's enabled
if ( $self->{captcha_login_enabled} || $self->{captcha_mail_enabled} ) {
eval { $self->initCaptcha(); };
$self->lmLog( "Can't init captcha: $@", "error" ) if $@;
}
return $self;
}
##@method boolean loadModule(string module, boolean ignoreError)
# Load a module into portal namespace
# @param module module name
# @param ignoreError set to 1 if error should not appear in logs
# @return boolean
sub loadModule {
my ( $self, $module, $ignoreError ) = splice @_;
return 1 unless $module;
# Load module test
eval "require $module";
if ($@) {
$self->lmLog( "$module load error: $@", 'error' ) unless $ignoreError;
return 0;
}
# Push module in @ISA
push @ISA, $module;
$self->lmLog( "Module $module loaded", 'debug' );
return 1;
}
##@method protected boolean getConf(hashRef args)
# Copy all parameters in caller object.
#@param args hash-ref
#@return True
sub getConf {
my ($self) = shift;
my %args;
if ( ref( $_[0] ) ) {
%args = %{ $_[0] };
}
else {
%args = @_;
}
%$self = ( %$self, %args );
1;
}
##@method protected void setDefaultValues()
# Set default values.
sub setDefaultValues {
my $self = shift;
$self->{portal} ||=
"http" . ( $ENV{HTTPS} ? 's' : '' ) . '://' . $self->server_name();
$self->{whatToTrace} ||= 'uid';
$self->{whatToTrace} =~ s/^\$//;
$self->{httpOnly} = 1 unless ( defined( $self->{httpOnly} ) );
$self->{portalSkin} ||= 'pastel';
$self->{portalDisplayLogout} = 1
unless ( defined( $self->{portalDisplayLogout} ) );
$self->{portalDisplayResetPassword} = 1
unless ( defined( $self->{portalDisplayResetPassword} ) );
$self->{portalDisplayChangePassword} = 1
unless ( defined( $self->{portalDisplayChangePassword} ) );
$self->{portalDisplayAppslist} = 1
unless ( defined( $self->{portalDisplayAppslist} ) );
$self->{portalDisplayLoginHistory} = 1
unless ( defined( $self->{portalDisplayLoginHistory} ) );
$self->{jsRedirect} = 0
unless ( defined( $self->{jsRedirect} ) );
$self->{portalAutocomplete} ||= 0;
$self->{portalRequireOldPassword} = 1
unless ( defined( $self->{portalRequireOldPassword} ) );
$self->{portalOpenLinkInNewWindow} = 0
unless ( defined( $self->{portalOpenLinkInNewWindow} ) );
$self->{portalForceAuthn} = 0
unless ( defined( $self->{portalForceAuthn} ) );
$self->{portalForceAuthnInterval} = 5
unless ( defined( $self->{portalForceAuthnInterval} ) );
$self->{portalUserAttr} ||= "_user";
$self->{portalHiddenFormValues} = ();
$self->{securedCookie} ||= 0;
$self->{cookieName} ||= "lemonldap";
$self->{authentication} ||= 'LDAP';
$self->{authentication} =~ s/^ldap/LDAP/;
$self->{SMTPServer} ||= 'localhost';
$self->{randomPasswordRegexp} ||= '[A-Z]{3}[a-z]{5}.\d{2}';
$self->{mailFrom} ||= "noreply@" . $self->{domain};
$self->{mailSubject} ||= "[LemonLDAP::NG] Your new password";
$self->{mailConfirmSubject} ||=
"[LemonLDAP::NG] Password reset confirmation";
$self->{mailSessionKey} ||= 'mail';
$self->{mailUrl} ||= $self->{portal} . "/mail.pl";
$self->{multiValuesSeparator} ||= '; ';
$self->{activeTimer} = 1 unless ( defined( $self->{activeTimer} ) );
$self->{infoFormMethod} ||= "get";
$self->{confirmFormMethod} ||= "post";
$self->{redirectFormMethod} ||= "get";
$self->{authChoiceParam} ||= "lmAuth";
$self->{hiddenAttributes} = "_password"
unless defined $self->{hiddenAttributes};
# Set default userDB and passwordDB to DBI if authentication is DBI
if ( $self->{authentication} =~ /DBI/i ) {
$self->{userDB} ||= "DBI";
$self->{passwordDB} ||= "DBI";
}
# Set default userDB and passwordDB to Null if authentication is Null
if ( $self->{authentication} =~ /Null/i ) {
$self->{userDB} ||= "Null";
$self->{passwordDB} ||= "Null";
}
# Set userDB and passwordDB to Choice if authentication is Choice
if ( $self->{authentication} =~ /Choice/i ) {
$self->{userDB} = "Choice";
$self->{passwordDB} = "Choice";
}
# Else default to LDAP
else {
# Default to LDAP
$self->{userDB} ||= "LDAP";
$self->{passwordDB} ||= "LDAP";
}
# LDAP
$self->{ldapGroupObjectClass} ||= "groupOfNames";
$self->{ldapGroupAttributeName} ||= "member";
$self->{ldapGroupAttributeNameUser} ||= "dn";
$self->{ldapGroupAttributeNameGroup} ||= "dn";
$self->{ldapGroupAttributeNameSearch} ||= ["cn"];
$self->{ldapGroupRecursive} ||= 0;
# SAML
$self->{samlIdPResolveCookie} ||= $self->{cookieName} . "idp";
$self->{samlStorage} ||= $self->{globalStorage};
if ( !$self->{samlStorageOptions} or !%{ $self->{samlStorageOptions} } ) {
$self->{samlStorageOptions} = $self->{globalStorageOptions};
}
$self->{samlMetadataForceUTF8} = 1
unless ( defined( $self->{samlMetadataForceUTF8} ) );
$self->{samlAuthnContextMapPassword} = 2
unless defined $self->{samlAuthnContextMapPassword};
$self->{samlAuthnContextMapPasswordProtectedTransport} = 3
unless defined $self->{samlAuthnContextMapPasswordProtectedTransport};
$self->{samlAuthnContextMapTLSClient} = 5
unless defined $self->{samlAuthnContextMapTLSClient};
$self->{samlAuthnContextMapKerberos} = 4
unless defined $self->{samlAuthnContextMapKerberos};
# CAS
$self->{casStorage} ||= $self->{globalStorage};
if ( !$self->{casStorageOptions} or !%{ $self->{casStorageOptions} } ) {
$self->{casStorageOptions} = $self->{globalStorageOptions};
}
$self->{casAccessControlPolicy} ||= "none";
# Authentication levels
$self->{ldapAuthnLevel} = 2 unless defined $self->{ldapAuthnLevel};
$self->{dbiAuthnLevel} = 2 unless defined $self->{dbiAuthnLevel};
$self->{SSLAuthnLevel} = 5 unless defined $self->{SSLAuthnLevel};
$self->{apacheAuthnLevel} = 4 unless defined $self->{apacheAuthnLevel};
$self->{nullAuthnLevel} = 0 unless defined $self->{nullAuthnLevel};
$self->{radiusAuthnLevel} = 3 unless defined $self->{radiusAuthnLevel};
foreach my $k (
qw(CAS_authnLevel openIdAuthnLevel twitterAuthnLevel googleAuthnLevel
facebookAuthnLevel)
)
{
$self->{$k} = 1 unless defined $self->{$k};
}
# Other
$self->{logoutServices} ||= {};
$self->{useSafeJail} = 1 unless defined $self->{useSafeJail};
$self->{ldapUsePasswordResetAttribute} = 1
unless ( defined( $self->{ldapUsePasswordResetAttribute} ) );
$self->{ldapPasswordResetAttribute} ||= "pwdReset";
$self->{ldapPasswordResetAttributeValue} ||= "TRUE";
$self->{mailOnPasswordChange} ||= 0;
# Captcha parameters
$self->{captcha_login_enabled} = 0
unless defined $self->{captcha_login_enabled};
$self->{captcha_mail_enabled} = 0
unless defined $self->{captcha_mail_enabled};
$self->{captcha_size} = 6 unless defined $self->{captcha_size};
# Notification
$self->{notificationWildcard} ||= "allusers";
# Login History
$self->{loginHistoryEnabled} = 1
unless defined $self->{loginHistoryEnabled};
$self->{successLoginNumber} = 5 unless defined $self->{successLoginNumber};
$self->{failedLoginNumber} = 5 unless defined $self->{failedLoginNumber};
$self->{portalCheckLogins} = 1
unless defined $self->{portalCheckLogins};
# XSS
$self->{checkXSS} = 1 unless defined $self->{checkXSS};
}
## @method protected void setHiddenFormValue(string fieldname, string value, string prefix, boolean base64)
# Add element into $self->{portalHiddenFormValues}, those values could be
# used to hide values into HTML form.
# @param fieldname The field name which will contain the correponding value
# @param value The associated value
# @param prefix Prefix of the field key
# @param base64 Encode value in base64
# @return nothing
sub setHiddenFormValue {
my ( $self, $key, $val, $prefix, $base64 ) = splice @_;
# Default values
$prefix = "lmhidden_" unless defined $prefix;
$base64 = 1 unless defined $base64;
# Store value
if ($val) {
$key = $prefix . $key;
$val = encode_base64($val) if $base64;
$self->{portalHiddenFormValues}->{$key} = $val;
}
}
## @method public void getHiddenFormValue(string fieldname, string prefix, boolean base64)
# Get value into $self->{portalHiddenFormValues}.
# @param fieldname The existing field name which contains a value
# @param prefix Prefix of the field key
# @param base64 Decode value from base64
# @return string The associated value
sub getHiddenFormValue {
my ( $self, $key, $prefix, $base64 ) = splice @_;
# Default values
$prefix = "lmhidden_" unless defined $prefix;
$base64 = 1 unless defined $base64;
$key = $prefix . $key;
# Get value
if ( my $val = $self->param($key) ) {
$val = decode_base64($val) if $base64;
return $val;
}
# No value found
return undef;
}
## @method protected void clearHiddenFormValue(arrayref keys)
# Clear values form stored hidden fields
# Delete all keys if no keys provided
# @param keys Array reference of keys
# @return nothing
sub clearHiddenFormValue {
my ( $self, $keys ) = splice @_;
unless ( defined $keys ) {
delete $self->{portalHiddenFormValues};
}
else {
delete $self->{portalHiddenFormValues}->{$_} foreach (@$keys);
}
return;
}
##@method public string buildHiddenForm()
# Return an HTML representation of hidden values.
# @return HTML code
sub buildHiddenForm {
my $self = shift;
my @keys = keys %{ $self->{portalHiddenFormValues} };
my $val = '';
foreach (@keys) {
# Check XSS attacks
next
if $self->checkXSSAttack( $_, $self->{portalHiddenFormValues}->{$_} );
# Build hidden input HTML code
$val .=
'<input type="hidden" name="'
. $_
. '" id="'
. $_
. '" value="'
. $self->{portalHiddenFormValues}->{$_} . '" />';
}
return $val;
}
## @method void initCaptcha(void)
# init captcha module and generate captcha
# @return nothing
sub initCaptcha {
my $self = shift;
# Load module
require Authen::Captcha;
# Build Authen::Captcha object
$self->{captcha} = Authen::Captcha->new(
data_folder => $self->{captcha_data},
output_folder => $self->{captcha_output}
);
# Generate a new captcha from captcha object
$self->{captcha_code} =
$self->{captcha}->generate_code( $self->{captcha_size} );
$self->{captcha_img} = "/captcha_output/" . $self->{captcha_code} . ".png";
$self->lmLog( "Captcha code generated: " . $self->{captcha_code}, 'debug' );
return;
}
## @method boolean isTrustedUrl(string url)
# Check if an URL's domain name is declared in LL::NG config or is declared as trusted domain
# @param url Parameter url
# @param value Parameter value
# @return 1 if url can be trusted, 0 else
sub isTrustedUrl {
my ( $self, $url ) = splice @_;
return
$url =~ m#^https?://$self->{reVHosts}(:\d+)?/#o
|| $self->{trustedDomains} eq "*"
|| $self->{trustedDomains}
&& $url =~ m#^https?://$self->{trustedDomains}(:\d+)?/#o;
}
## @method boolean checkXSSAttack(string name, string value)
# Check value to detect XSS attack
# @param name Parameter name
# @param value Parameter value
# @return 1 if attack detected, 0 else
sub checkXSSAttack {
my ( $self, $name, $value ) = splice @_;
# Empty values are not bad
return 0 unless $value;
# Test value
if ( $value =~ m/(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/ ) {
$self->lmLog( "XSS attack detected (param: $name | value: $value)",
"warn" );
return $self->{checkXSS};
}
return 0;
}
=begin WSDL
_IN lang $string Language
_IN code $int Error code
_RETURN $string Error string
=end WSDL
=cut
##@method string msg(int code)
# calls Portal/_i18n.pm to display message in the client's language.
#@param $code message code
#@return message
sub msg {
my $self = shift;
my $code = shift;
return &Lemonldap::NG::Portal::_i18n::msg( $code, $self->{lang} );
}
##@method string error(int code)
# calls Portal/_i18n.pm to display error in the client's language.
#@param $code optional error code
#@return error message
sub error {
my $self = shift;
my $code = shift || $self->{error};
if ( my $lang = shift ) { # only for SOAP error requests
$self->{lang} = $self->extract_lang($lang);
}
my $msg;
# Check for customized message
foreach ( @{ $self->{lang} } ) {
if ( $self->{ "error_" . $_ . "_" . $code } ) {
$msg = $self->{ "error_" . $_ . "_" . $code };
last;
}
}
$msg ||= $self->{ "error_" . $code };
# Use customized message or built-in message
if ( defined $msg ) {
# Manage UTF-8
utf8::decode($msg);
$self->lmLog( "Use customized message $msg for error $code", 'debug' );
}
else {
$msg = &Lemonldap::NG::Portal::_i18n::error( $code, $self->{lang} );
}
# Return message
# Manage SOAP
return $msg;
}
##@method string error_type(int code)
# error_type tells if error is positive, warning or negative
# @param $code Lemonldap::NG error code
# @return "positive", "warning" or "negative"
sub error_type {
my $self = shift;
my $code = shift || $self->{error};
# Positive errors
return "positive"
if (
scalar(
grep { /^$code$/ } (
PE_REDIRECT, PE_DONE,
PE_OK, PE_PASSWORD_OK,
PE_MAILOK, PE_LOGOUT_OK,
PE_MAILFIRSTACCESS, PE_PASSWORDFIRSTACCESS,
PE_MAILCONFIRMOK,
)
)
);
# Warning errors
return "warning"
if (
scalar(
grep { /^$code$/ } (
PE_INFO, PE_SESSIONEXPIRED,
PE_FORMEMPTY, PE_FIRSTACCESS,
PE_PP_GRACE, PE_PP_EXP_WARNING,
PE_NOTIFICATION, PE_BADURL,
PE_CONFIRM, PE_MAILFORMEMPTY,
PE_MAILCONFIRMATION_ALREADY_SENT, PE_PASSWORDFORMEMPTY,
PE_CAPTCHAEMPTY,
)
)
);
# Negative errors (default)
return "negative";
}
##@method void header()
# Overload CGI::header() to add Lemonldap::NG cookie.
sub header {
my $self = shift;
unshift @_, '-type' unless ($#_);
if ( $self->{cookie} ) {
$self->SUPER::header( @_, -cookie => $self->{cookie} );
}
else {
$self->SUPER::header(@_);
}
}
##@method void redirect()
# Overload CGI::redirect() to add Lemonldap::NG cookie.
sub redirect {
my $self = shift;
if ( $self->{cookie} ) {
$self->SUPER::redirect( @_, -cookie => $self->{cookie} );
}
else {
$self->SUPER::redirect(@_);
}
}
## @method protected hashref getApacheSession(string id, boolean noInfo)
# Try to recover the session corresponding to id and return session datas.
# If $id is set to undef, return a new session.
# @param id session reference
# @param noInfo do not set Apache REMOTE_USER
# return session hashref
sub getApacheSession {
my ( $self, $id, $noInfo ) = @_;
my %h;
# Trying to recover session from global session storage
eval { tie %h, $self->{globalStorage}, $id, $self->{globalStorageOptions}; };
if ( $@ or not tied(%h) ) {
# Session not available (expired ?)
if ($id) {
$self->lmLog(
"Session $id can't be retrieved (" . $self->ipAddr . ")",
'info' )
unless $noInfo;
}
else {
$self->lmLog( "Unable to create new session: $@", 'error' );
}
return 0;
}
unless ($noInfo) {
$self->setApacheUser( $h{ $self->{whatToTrace} } ) if ($id);
$self->{id} = $h{_session_id};
}
return \%h;
}
## @method protected hashref getPersistentSession(string id)
# Try to recover the persitent session corresponding to id and return session datas.
# If $id is set to undef, return a new session.
# @param id session reference
# return session hashref
sub getPersistentSession {
my ( $self, $id ) = splice @_;
my %h;
# Trying to recover session from persistent session storage
eval {
tie %h, $self->{persistentStorage}, $id,
$self->{persistentStorageOptions};
};
if ( $@ or not tied(%h) ) {
# Session not available
if ($id) {
$self->lmLog( "Persistent session $id not available", 'debug' );
}
else {
$self->lmLog( "Unable to create new persistent session: $@",
'error' );
}
return 0;
}
return \%h;
}
## @method protected string _md5hash(string s)
# Return md5(s)
# @param $s String to hash
# @return hashed value
sub _md5hash {
my ( $self, $s ) = splice @_;
return substr( Digest::MD5::md5_hex($s), 0, 32 );
}
## @method void updatePersistentSession(hashRef infos, string uid, string id)
# Update persistent session.
# Call updateSession() and store %$infos in a persistent session.
# Note that if the session does not exists, it will be created.
# @param infos hash reference of information to update
# @param uid optional Unhashed persistent session ID
# @param id optional SSO session ID
# @return nothing
sub updatePersistentSession {
my ( $self, $infos, $uid, $id ) = splice @_;
# Return if no infos to update
return () unless ( ref $infos eq 'HASH' and %$infos );
# Update current session
$self->updateSession( $infos, $id );
$uid ||= $self->{sessionInfo}->{ $self->{whatToTrace} };
return () unless ($uid);
my $h = $self->getPersistentSession( $self->_md5hash($uid) );
unless ($h) {
$h = {}; # reset $h
my %opts = %{ $self->{persistentStorageOptions} };
$opts{setId} = $self->_md5hash($uid);
eval { tie %$h, $self->{persistentStorage}, undef, \%opts; };
if ($@) {
$self->lmLog( "Unable to create persistent session: $@", 'warn' );
return ();
}
else {
$self->lmLog(
"Persistent session " . $h->{_session_id} . " created for $uid",
'debug'
);
}
}
foreach ( keys %$infos ) {
if ( defined( $infos->{$_} ) ) {
$self->lmLog(
"Update persistent session key $_ with " . $infos->{$_},
'debug' );
$h->{$_} = $infos->{$_};
}
else {
$self->lmLog( "Delete persistent session key $_", 'debug' );
delete $h->{$_};
}
}
untie %$h;
}
## @method void updateSession(hashRef infos, string id)
# Update session stored.
# If no id is given, try to get it from cookie.
# If the session is available, update datas with $info.
# Note that outdated session data may remain some time on
# server local cache, if there are several LL::NG servers.
# @param infos hash reference of information to update
# @param id Session ID
# @return nothing
sub updateSession {
my ( $self, $infos, $id ) = splice @_;
# Return if no infos to update
return () unless ( ref $infos eq 'HASH' and %$infos );
# Recover session ID unless given
$id ||= $self->{id};
unless ($id) {
my %cookies = fetch CGI::Cookie;
$id ||= $cookies{ $self->{cookieName} }->value
if ( defined $cookies{ $self->{cookieName} } );
}
if ($id) {
# Update sessionInfo data
## sessionInfo updated if $id defined : quite strange !!
## See http://jira.ow2.org/browse/LEMONLDAP-430
foreach ( keys %$infos ) {
$self->lmLog( "Update sessionInfo $_ with " . $infos->{$_},
'debug' );
$self->{sessionInfo}->{$_} = $infos->{$_};
}
# Delete session from local storage
eval { $self->{lmConf}->{refLocalStorage}->remove($id); };
# Update session in global storage
if ( my $h = $self->getApacheSession( $id, 1 ) ) {
# Store/update session values
foreach ( keys %$infos ) {
if ( defined( $infos->{$_} ) ) {
$self->lmLog( "Update session key $_ with " . $infos->{$_},
'debug' );
$h->{$_} = $infos->{$_};
}
else {
$self->lmLog( "Delete session key $_", 'debug' );
delete $h->{$_};
}
}
# Store updateTime
$h->{updateTime} = strftime( "%Y%m%d%H%M%S", localtime() );
untie %$h;
}
}
}
## @method void addSessionValue(string key, string value, string id)
# Add a value into session key if not already present
# @param key Session key
# @param value Value to add
# @param id optional Session identifier
sub addSessionValue {
my ( $self, $key, $value, $id ) = splice @_;
# Mandatory parameters
return () unless defined $key;
return () unless defined $value;
# Get current key value
my $old_value = $self->{sessionInfo}->{$key};
# Split old values
if ( defined $old_value ) {
my @old_values = split /\Q$self->{multiValuesSeparator}\E/, $old_value;
# Do nothing if value already exists
foreach (@old_values) {
return () if ( $_ eq $value );
}
# Add separator
$old_value .= $self->{multiValuesSeparator};
}
else {
$old_value = "";
}
# Store new value
my $new_value = $old_value . $value;
$self->updateSession( { $key => $new_value }, $id );
# Return
return ();
}
## @method string getFirstValue(string value)
# Get the first value of a multivaluated session value
# @param value the complete value
# @return first value
sub getFirstValue {
my ( $self, $value ) = splice @_;
my @values = split /\Q$self->{multiValuesSeparator}\E/, $value;
return $values[0];
}
##@method protected int _subProcess(array @subs)
# Execute methods until an error is returned.
# If $self->{$sub} exists, launch it, else launch $self->$sub
#@param @subs array list of subroutines
#@return Lemonldap::NG::Portal error
sub _subProcess {
my $self = shift;
my @subs = @_;
my $err = undef;
foreach my $sub (@subs) {
last if ( $err = $self->_sub($sub) );
}
return $err;
}
##@method protected void updateStatus()
# Inform status mechanism module.
# If an handler is launched on the same server with "status=>1", inform the
# status module with the result (portal error).
sub updateStatus {
my $self = shift;
print $Lemonldap::NG::Handler::Simple::statusPipe (
$self->{user} ? $self->{user} : $self->ipAddr )
. " => $ENV{SERVER_NAME}$ENV{SCRIPT_NAME} "
. $self->{error} . "\n"
if ($Lemonldap::NG::Handler::Simple::statusPipe);
}
##@method protected string notification()
#@return Notification stored by checkNotification()
sub notification {
my $self = shift;
return $self->{_notification};
}
##@method protected string get_url()
# Return url parameter
# @return url parameter if good, nothing else.
sub get_url {
my $self = shift;
return $self->{_url};
}
##@method protected string get_user()
# Return user parameter
# @return user parameter if good, nothing else.
sub get_user {
my $self = shift;
return "" unless $self->{user};
return $self->{user}
unless ( $self->checkXSSAttack( 'user', $self->{user} ) );
return "";
}
## @method string get_module(string type)
# Return current used module
# @param type auth/user/password/issuer
# @return module name
sub get_module {
my ( $self, $type ) = splice @_;
if ( $type =~ /auth/i ) {
if ( defined $self->{_multi}->{stack}->[0] ) {
return $self->{_multi}->{stack}->[0]->[0]->{n};
}
if ( defined $self->{_choice}->{modules} ) {
return $self->{_choice}->{modules}->[0]->{n};
}
else {
return $self->{authentication};
}
}
if ( $type =~ /user/i ) {
if ( defined $self->{_multi}->{stack}->[1] ) {
return $self->{_multi}->{stack}->[1]->[0]->{n};
}
if ( defined $self->{_choice}->{modules} ) {
return $self->{_choice}->{modules}->[1]->{n};
}
else {
return $self->{userDB};
}
}
if ( $type =~ /password/i ) {
if ( defined $self->{_choice}->{modules} ) {
return $self->{_choice}->{modules}->[2]->{n};
}
else {
return $self->{passwordDB};
}
}
if ( $type =~ /issuer/i ) {
return $self->{_activeIssuerDB};
}
return;
}
##@method private Safe safe()
# Provide the security jail.
#@return Safe object
sub safe {
my $self = shift;
# Test if safe already exists
if ($safe) {
# Refresh the portal object inside it
$safe->{p} = $self;
# Refresh environment variables
$safe->share_from( 'main', ['%ENV'] );
return $safe;
}
# Else create it
$safe = Lemonldap::NG::Common::Safe->new($self);
# Get custom functions
my @t =
$self->{customFunctions}
? split( /\s+/, $self->{customFunctions} )
: ();
foreach (@t) {
my $sub = $_;
unless (/::/) {
$sub = ref($self) . "::$_";
}
else {
s/^.*:://;
}
next if ( $self->can($_) );
eval "sub $_ {
return $sub( '$self->{portal}', \@_ );
}";
$self->lmLog( $@, 'error' ) if ($@);
}
# Share %ENV
$safe->share_from( 'main', ['%ENV'] );
# Share Safelib
$safe->share_from( 'Lemonldap::NG::Common::Safelib',
$Lemonldap::NG::Common::Safelib::functions );
# Share custom functions and &encode_base64
$safe->share( '&encode_base64', @t );
return $safe;
}
##@method private boolean _deleteSession(Apache::Session* h, boolean preserveCookie)
# Delete an existing session. If "securedCookie" is set to 2, the http session
# will also be removed.
# @param h tied Apache::Session object
# @param preserveCookie do not delete cookie
# @return True if session has been deleted
sub _deleteSession {
my ( $self, $h, $preserveCookie ) = @_;
my $result = 1;
# Return false if $h is not a hashref
if ( ref $h ne "HASH" ) {
$self->lmLog( "_deleteSession: \$h is not a session object", 'error' );
return 0;
}
# Invalidate http cookie and session, if set
if ( $self->{securedCookie} >= 2 ) {
# Try to find a linked http session (securedCookie == 2)
if ( my $id2 = $h->{_httpSession} ) {
if ( my $h2 = $self->getApacheSession( $id2, 1 ) ) {
# Try to purge local cache
# (if an handler is running on the same server)
eval { $self->{lmConf}->{refLocalStorage}->remove($id2); };
eval { tied(%$h2)->delete() };
$self->lmLog( $@, 'error' ) if ($@);
}
}
# Create an obsolete cookie to remove it
push @{ $self->{cookie} },
$self->cookie(
-name => $self->{cookieName} . 'http',
-value => 0,
-domain => $self->{domain},
-path => "/",
-secure => 0,
-expires => '-1d',
@_,
);
}
# Try to purge local cache
# (if an handler is running on the same server)
eval { $self->{lmConf}->{refLocalStorage}->remove( $h->{_session_id} ); };
eval { tied(%$h)->delete() };
if ($@) {
$self->lmLog( $@, 'error' );
$result = 0;
}
# Create an obsolete cookie to remove it
push @{ $self->{cookie} },
$self->cookie(
-name => $self->{cookieName},
-value => 0,
-domain => $self->{domain},
-path => "/",
-secure => 0,
-expires => '-1d',
@_,
) unless ($preserveCookie);
# Log
my $user = $h->{ $self->{whatToTrace} };
$self->_sub( 'userNotice', "User $user has been disconnected" )
if $user;
# Return the result of tied(%$h)->delete()
return $result;
}
##@method private void _dump(void* variable)
# Dump variable in debug mode
# @param $variable
# @return void
sub _dump {
my $self = shift;
my $variable = shift;
require Data::Dumper;
$self->lmLog( "Dump: " . Data::Dumper::Dumper($variable), 'debug' );
return;
}
##@method protected string info(string t)
# Get or set info to display to the user.
# @param $t optional text to store
# @return HTML text to display
sub info {
my ( $self, $t ) = @_;
$self->{_info} .= $t if ( defined $t );
return $self->{_info};
}
##@method protected string loginInfo(string t)
# Get or set info to display to the user on login screen
# @param $t optional text to store
# @return HTML text to display
sub loginInfo {
my ( $self, $t ) = @_;
$self->{_loginInfo} .= $t if ( defined $t );
return $self->{_loginInfo};
}
##@method public void printImage(string file, string type)
# Print image to STDOUT
# @param $file The path to the file to print
# @param $type The content-type to use (ie: image/png)
# @return void
sub printImage {
my ( $self, $file, $type ) = @_;
binmode STDOUT;
unless ( open( IMAGE, '<', $file ) ) {
$self->lmLog( "Could not display image '$file'", 'error' );
return;
}
print $self->header(
$type . '; charset=utf-8; content-length=' . ( stat($file) )[10] );
my $buffer = "";
while ( read( IMAGE, $buffer, 4096 ) ) {
print $buffer;
}
close(IMAGE);
}
sub stamp {
my $self = shift;
return $self->{cipher} ? $self->{cipher}->encrypt( time() ) : 1;
}
## @method string convertSec(int sec)
# Convert seconds to hours, minutes, seconds
# @param $sec number of seconds
# @return a formated time
sub convertSec {
my ( $self, $sec ) = splice @_;
my ( $day, $hrs, $min ) = ( 0, 0, 0 );
# Calculate the minutes
if ( $sec > 60 ) {
$min = $sec / 60, $sec %= 60;
$min = int($min);
}
# Calculate the hours
if ( $min > 60 ) {
$hrs = $min / 60, $min %= 60;
$hrs = int($hrs);
}
# Calculate the days
if ( $hrs > 24 ) {
$day = $hrs / 24, $hrs %= 24;
$day = int($day);
}
# Return the date
return ( $day, $hrs, $min, $sec );
}
## @method string getSkin()
# Return skin name
# @return skin name
sub getSkin {
my ($self) = splice @_;
my $skin = $self->{portalSkin};
# Fill sessionInfo to eval rule if empty (unauthenticated user)
$self->{sessionInfo}->{_url} ||= $self->{urldc};
$self->{sessionInfo}->{ipAddr} ||= $self->ipAddr;
# Load specific skin from skinRules
if ( $self->{portalSkinRules} ) {
foreach my $skinRule ( sort keys %{ $self->{portalSkinRules} } ) {
if ( $self->safe->reval($skinRule) ) {
$skin = $self->{portalSkinRules}->{$skinRule};
$self->lmLog( "Skin $skin selected from skin rule", 'debug' );
}
}
}
return $skin;
}
###############################################################
# MAIN subroutine: call all steps until one returns something #
# different than PE_OK #
###############################################################
##@method boolean process()
# Main method calling functions issued from:
# - itself:
# - controlUrlOrigin
# - checkNotifBack
# - controlExistingSession
# - setMacros
# - setLocalGroups
# - setPersistentSessionInfo
# - removeOther
# - grantSession
# - store
# - buildCookie
# - checkNotification
# - autoRedirect
# - updateStatus
# - authentication module:
# - authInit
# - extractFormInfo
# - setAuthSessionInfo
# - authenticate
# - authFinish
# - userDB module:
# - userDBInit
# - getUser
# - setSessionInfo
# - setGroups
# - passwordDB module:
# - passwordDBInit
# - modifyPassword
# - issuerDB module:
# - issuerDBInit
# - issuerForUnAuthUser
# - issuerForAuthUser
# - MailReset:
# - sendPasswordMail
#
#@return 1 if all is OK, 0 if session isn't created or a notification has to be done
sub process {
my ($self) = @_;
$self->{error} = PE_OK;
$self->{error} = $self->_subProcess(
qw(controlUrlOrigin checkNotifBack controlExistingSession
issuerDBInit authInit issuerForUnAuthUser extractFormInfo
userDBInit getUser setAuthSessionInfo passwordDBInit
modifyPassword setSessionInfo setMacros setGroups
setPersistentSessionInfo setLocalGroups sendPasswordMail
authenticate grantSession removeOther store authFinish
buildCookie checkNotification issuerForAuthUser autoRedirect)
);
$self->updateStatus;
return ( ( $self->{error} > 0 ) ? 0 : 1 );
}
##@apmethod int controlUrlOrigin()
# If the user was redirected here, loads 'url' parameter.
# Check also confirm parameter.
#@return Lemonldap::NG::Portal constant
sub controlUrlOrigin {
my $self = shift;
if ( my $c = $self->param('confirm') ) {
# Replace confirm stamp by 1 or -1
$c =~ s/^(-?)(.*)$/${1}1/;
# Decrypt confirm stamp if cipher available
# and confirm not already decrypted
if ( $self->{cipher} and $2 ne "1" ) {
my $time = time() - $self->{cipher}->decrypt($2);
if ( $time < 600 ) {
$self->lmLog( "Confirm parameter accepted $c", 'debug' );
$self->param( 'confirm', $c );
}
else {
$self->lmLog( 'Confirmation to old, refused', 'notice' );
$self->param( 'confirm', 0 );
}
}
}
$self->{_url} ||= '';
if ( my $url = $self->param('url') ) {
# REJECT NON BASE64 URL except for CAS IssuerDB
if ( $self->get_module('issuer') ne "CAS" ) {
if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
$self->lmLog(
"Value must be in BASE64 (param: url | value: $url)",
"warn" );
return PE_BADURL;
}
$self->{urldc} = decode_base64($url);
$self->{urldc} =~ s/[\r\n]//sg;
}
else { $self->{urldc} = $url; }
# For logout request, test if Referer comes from an authorizated site
my $tmp =
( $self->param('logout') ? $ENV{HTTP_REFERER} : $self->{urldc} );
# XSS attack
if (
$self->checkXSSAttack(
$self->param('logout') ? 'HTTP Referer' : 'urldc',
$self->{urldc}
)
)
{
delete $self->{urldc};
return PE_BADURL;
}
# Non protected hosts
if ( $tmp and !$self->isTrustedUrl($tmp) ) {
$self->lmLog(
"URL contains a non protected host (param: "
. ( $self->param('logout') ? 'HTTP Referer' : 'urldc' )
. " | value: $tmp)",
"warn"
);
delete $self->{urldc};
return PE_BADURL;
}
$self->{_url} = $url;
}
PE_OK;
}
##@apmethod int checkNotifBack()
# Checks if a message has been notified to the connected user.
# Call Lemonldap::NG::Common::Notification::checkNotification()
#@return Lemonldap::NG::Portal error code
sub checkNotifBack {
my $self = shift;
if ( $self->{notification} and grep( /^reference/, $self->param() ) ) {
$self->lmLog( "User was on a notification step", 'debug' );
unless ( $self->{notifObject}->checkNotification($self) ) {
$self->lmLog(
"All notifications have not been accepted, display them again",
'debug'
);
$self->{_notification} =
$self->{notifObject}->getNotification($self);
return PE_NOTIFICATION;
}
else {
$self->lmLog(
"All notifications have been accepted, follow the authentication process",
'debug'
);
$self->{error} = $self->_subProcess(
qw(issuerDBInit authInit issuerForAuthUser autoRedirect));
return $self->{error} || PE_DONE;
}
}
PE_OK;
}
##@apmethod int controlExistingSession(string id)
# Control existing sessions.
# To overload to control what to do with existing sessions.
# what to do with existing sessions ?
# - nothing: user is authenticated and process returns true (default)
# - delete and create a new session (not implemented)
# - re-authentication (set portalForceAuthn to 1)
#@param $id optional value of the session-id else cookies are examinated.
#@return Lemonldap::NG::Portal constant
sub controlExistingSession {
my ( $self, $id ) = @_;
my %cookies;
%cookies = fetch CGI::Cookie unless ($id);
# Test if Lemonldap::NG cookie is available
if (
$id
or ( $cookies{ $self->{cookieName} }
and $id = $cookies{ $self->{cookieName} }->value )
)
{
my $h = $self->getApacheSession($id);
if ($h) {
%{ $self->{sessionInfo} } = %$h;
# Logout if required
if ( $self->param('logout') ) {
# Delete session
unless ( $self->_deleteSession($h) ) {
$self->lmLog( "Unable to delete session $id", 'error' );
return PE_ERROR;
}
else {
$self->lmLog( "Session $id deleted from global storage",
'debug' );
}
# Call issuerDB logout on each used issuerDBmodule
my $issuerDBList = $self->{sessionInfo}->{_issuerDB};
if ( defined $issuerDBList ) {
foreach my $issuerDBtype (
split(
/\Q$self->{multiValuesSeparator}\E/,
$issuerDBList
)
)
{
my $module_name =
'Lemonldap::NG::Portal::IssuerDB' . $issuerDBtype;
$self->lmLog(
"Process logout for issuerDB module $issuerDBtype",
'debug'
);
# Load current IssuerDB module
unless ( $self->loadModule($module_name) ) {
$self->lmLog( "Unable to load $module_name",
'error' );
next;
}
$self->{error} = $self->_subProcess(
$module_name . "::issuerDBInit",
$module_name . '::issuerLogout'
);
}
}
# Call logout for the module used to authenticate
$self->lmLog(
"Process logout for authentication module " . $h->{_auth},
'debug' );
if ( $h->{'_auth'} ne $self->get_module('auth') ) {
my $module_name =
'Lemonldap::NG::Portal::Auth' . $h->{_auth};
unless ( $self->loadModule($module_name) ) {
$self->lmLog( "Unable to load $module_name", 'error' );
}
else {
eval {
$self->{error} = $self->_subProcess(
$module_name . "::authInit",
$module_name . "::authLogout"
);
};
}
}
else {
eval {
$self->{error} =
$self->_subProcess( 'authInit', 'authLogout' );
};
}
if ($@) {
$self->lmLog(
"Error when calling authentication logout: $@",
'debug' );
}
return $self->{error} if $self->{error} > 0;
# Collect logout services and build hidden iFrames
if ( %{ $self->{logoutServices} } ) {
$self->lmLog(
"Create iFrames to forward logout to services",
'debug' );
$self->info( "<h3>" . $self->msg(PM_LOGOUT) . "</h3>" );
foreach ( keys %{ $self->{logoutServices} } ) {
my $logoutServiceName = $_;
my $logoutServiceUrl =
$self->{logoutServices}->{$logoutServiceName};
$self->lmLog(
"Find logout service $logoutServiceName ($logoutServiceUrl)",
'debug'
);
my $iframe =
"<iframe src=\"$logoutServiceUrl\""
. " alt=\"$logoutServiceName\" marginwidth=\"0\""
. " marginheight=\"0\" scrolling=\"no\" style=\"border: none;display: hidden;margin: 0\""
. " width=\"0\" height=\"0\" frameborder=\"0\">"
. "</iframe>";
$self->info($iframe);
}
# Redirect on logout page if no other target defined
if ( !$self->{urldc} and !$self->{postUrl} ) {
$self->{urldc} = $ENV{SCRIPT_NAME} . "?logout=1";
}
}
untie %$h;
# Redirect or Post if asked by authLogout
return $self->_subProcess(qw(autoRedirect))
if ( $self->{urldc}
and $self->{urldc} ne $self->{portal} );
return $self->_subProcess(qw(autoPost))
if ( $self->{postUrl} );
# Display logout message
return PE_LOGOUT_OK;
}
# If the user wants to purge other sessions
elsif ( $self->param('removeOther') ) {
$self->{notifyDeleted} = 1;
$self->{singleSession} = 1;
$self->_sub( 'removeOther', $id );
}
untie %$h;
# Special ajax request "ping" to check if session is available
if ( $self->param('ping') ) {
print $self->header( -type => 'application/json' )
. '{"auth":true}';
$self->quit();
}
# Special ajax request "storeAppsListOrder"
if ( $self->param('storeAppsListOrder') ) {
my $order = $self->param('storeAppsListOrder');
$self->lmLog( "Get new apps list order: $order", 'debug' );
$self->updatePersistentSession( { appsListOrder => $order } );
$self->quit();
}
$self->{id} = $id;
# A session has been found => call existingSession
my $r = $self->_sub( 'existingSession', $id, $self->{sessionInfo} );
if ( $r == PE_DONE ) {
$self->{error} = $self->_subProcess(
qw(checkNotification issuerDBInit authInit issuerForAuthUser autoRedirect)
);
return $self->{error} || PE_DONE;
}
else {
return $r;
}
}
}
# Display logout success if logout asked
# and we do not have valid session
if ( $self->param('ping') ) {
print $self->header( -type => 'application/json' ) . '{"auth":false}';
$self->quit();
}
return PE_LOGOUT_OK if $self->param('logout');
# Else continue authentication process
PE_OK;
}
## @method int existingSession()
# Launched by controlExistingSession() to know what to do with existing
# sessions.
# Can return:
# - PE_DONE: session is unchanged and process() return true
# - PE_OK: process() return false to display the form
#@return Lemonldap::NG::Portal constant
sub existingSession {
my $self = shift;
my $forceAuthn;
# Check portalForceAuthn parameter
# and authForce method
eval { $forceAuthn = $self->_sub('authForce'); };
if ($@) {
$self->lmLog( "Error when calling authForce: $@", 'debug' );
}
$forceAuthn = 1 if ( $self->{portalForceAuthn} );
if ($forceAuthn) {
my $referer = $self->referer();
my $id = $self->{id};
# Do not force authentication when password is modified
return PE_DONE if $self->param('newpassword');
# Do not force authentication if last successful authentication is recent
my $last_authn_utime = $self->{sessionInfo}->{_lastAuthnUTime} || 0;
if ( time() - $last_authn_utime < $self->{portalForceAuthnInterval} ) {
$self->lmLog(
"Authentication is recent, so do not force authentication for session $id",
'debug'
);
return PE_DONE;
}
# If coming from the portal follow the normal process to update the session
if ( $referer ? ( $referer =~ m#$self->{portal}#i ) : 0 ) {
$self->lmLog( "Portal referer detected for session $id", 'debug' );
# Set flag to update session timestamp
$self->{updateSession} = 1;
# Process
$self->{error} = $self->_subProcess(
qw(issuerDBInit authInit issuerForUnAuthUser extractFormInfo
userDBInit getUser setAuthSessionInfo setSessionInfo
setMacros setGroups setPersistentSessionInfo
setLocalGroups authenticate store authFinish)
);
return $self->{error} || PE_DONE;
}
else {
$self->lmLog( "Force reauthentication for session $id", 'debug' );
return PE_OK;
}
}
# Else return PE_DONE
PE_DONE;
}
# issuerDBInit(): must be implemented in IssuerDB* module
# authInit(): must be implemented in Auth* module
# issuerForUnAuthUser(): must be implemented in IssuerDB* module
##@apmethod int extractFormInfo()
# Extract data common to all authentication modules,
# and call extractFormInfo() in Auth* module
# Auth*::extractFormInfo set $self->{user} and in some cases
# authenticate user (done in authenticate() else)
#@return Lemonldap::NG::Portal constant
sub extractFormInfo {
my $self = shift;
return PE_OK if $self->{skipExtractFormInfo};
$self->{checkLogins} = $self->param('checkLogins');
return $self->SUPER::extractFormInfo;
}
# getUser(): must be implemented in UserDB* module
## @apmethod int setAuthSessionInfo()
# Set _auth
# call setAuthSessionInfo in Auth* module
#@return Lemonldap::NG::Portal constant
sub setAuthSessionInfo {
my $self = shift;
# Get the current authentication module
$self->{sessionInfo}->{_auth} = $self->get_module("auth");
return $self->SUPER::setAuthSessionInfo();
}
## @apmethod int passwordDBInit()
# Set _passwordDB
# call passwordDBInit in passwordDB* module
# @return Lemonldap::NG::Portal constant
sub passwordDBInit {
my $self = shift;
# Get the current password module
$self->{sessionInfo}->{_passwordDB} = $self->get_module("password");
return $self->SUPER::passwordDBInit();
}
## @apmethod int modifyPassword()
# Call modifyPassword from PasswordDB* module
# Continue auth process if password change is ok
# @return Lemonldap::NG::Portal constant
sub modifyPassword {
my $self = shift;
my $res = $self->SUPER::modifyPassword();
if ( $res == PE_PASSWORD_OK ) {
# Update password in session if needed
$self->lmLog( "Update password in session for " . $self->{user},
'debug' );
my $infos;
$infos->{_password} = $self->{newpassword};
$self->updateSession($infos) if ( $self->{storePassword} );
# Set a flag to ignore password change in Menu
$self->{ignorePasswordChange} = 1;
# Set a flag to allow sending a mail
$self->{passwordWasChanged} = 1;
# Continue process if password change is ok
return PE_OK;
}
return $res;
}
##@apmethod int setSessionInfo()
# Set ipAddr, startTime, updateTime, _utime and _userDB
# Call setSessionInfo() in UserDB* module
#@return Lemonldap::NG::Portal constant
sub setSessionInfo {
my $self = shift;
# Get the current user module
$self->{sessionInfo}->{_userDB} = $self->get_module("user");
# Store IP address from remote address or X-FORWARDED-FOR header
$self->{sessionInfo}->{ipAddr} = $self->ipAddr;
# Date and time
if ( $self->{updateSession} ) {
$self->{sessionInfo}->{updateTime} =
strftime( "%Y%m%d%H%M%S", localtime() );
}
else {
$self->{sessionInfo}->{_utime} ||= time();
$self->{sessionInfo}->{startTime} =
strftime( "%Y%m%d%H%M%S", localtime() );
}
# Get environment variables matching exportedVars
foreach ( keys %{ $self->{exportedVars} } ) {
if ( my $tmp = $ENV{ $self->{exportedVars}->{$_} } ) {
$tmp =~ s/[\r\n]/ /gs;
$self->{sessionInfo}->{$_} = $tmp;
delete $self->{exportedVars}->{$_};
}
}
# Store URL origin in session
$self->{sessionInfo}->{_url} = $self->{urldc};
# Call UserDB setSessionInfo
if ( my $res = $self->SUPER::setSessionInfo() ) {
return $res;
}
PE_OK;
}
##@apmethod int setMacros()
# Macro mechanism.
# * store macro results in $self->{sessionInfo}
#@return Lemonldap::NG::Portal constant
sub setMacros {
my $self = shift;
foreach ( sort keys %{ $self->{macros} } ) {
$self->{sessionInfo}->{$_} =
$self->safe->reval( $self->{macros}->{$_} );
}
PE_OK;
}
##@apmethod int setLocalGroups()
# Groups mechanism.
# * store all groups name that the user match in $self->{sessionInfo}->{groups}
#@return Lemonldap::NG::Portal constant
sub setLocalGroups {
my $self = shift;
foreach ( sort keys %{ $self->{groups} } ) {
$self->{sessionInfo}->{groups} .= $self->{multiValuesSeparator} . $_
if ( $self->safe->reval( $self->{groups}->{$_} ) );
}
# Clear values separator at the beginning
if ( $self->{sessionInfo}->{groups} ) {
$self->{sessionInfo}->{groups} =~
s/^\Q$self->{multiValuesSeparator}\E//;
}
PE_OK;
}
# setGroups(): must be implemented in UserDB* module
##@apmethod int setPersistentSessionInfo()
# Restore persistent session info
#@return Lemonldap::NG::Portal constant
sub setPersistentSessionInfo {
my $self = shift;
# Do not restore infos if session already opened
unless ( $self->{id} ) {
my $key = $self->{sessionInfo}->{ $self->{whatToTrace} };
return PE_OK unless ( $key and length($key) );
my $h = $self->getPersistentSession( $self->_md5hash($key) );
if ($h) {
$self->lmLog( "Persistent session found for $key", 'debug' );
foreach my $k ( keys %$h ) {
# Do not restore _session_id
next if $k =~ /^_session_id$/;
$self->lmLog( "Restore persistent parameter $k", 'debug' );
$self->{sessionInfo}->{$k} = $h->{$k};
}
untie %$h;
}
}
PE_OK;
}
## @apmethod sendPasswordMail
# Call sendPasswordMail from MailReset if option is configured
# @return Lemonldap::NG::Portal constant
sub sendPasswordMail {
my $self = shift;
if ( $self->{mailOnPasswordChange} && $self->{passwordWasChanged} ) {
$self->lmLog( "Send password by mail requested", 'debug' );
eval "require Lemonldap::NG::Portal::MailReset";
&Lemonldap::NG::Portal::MailReset::smtpInit($self);
&Lemonldap::NG::Portal::MailReset::sendPasswordMail($self);
}
# Never stop the process here
return PE_OK;
}
##@apmethod int authenticate()
# Call authenticate() in Auth* module, and registerLogin()
# if authentication failed, userNotice() if it succeeded.
#@return Lemonldap::NG::Portal constant
sub authenticate {
my $self = shift;
if ( my $errorCode = $self->SUPER::authenticate() ) {
$self->registerLogin($errorCode);
return $errorCode;
}
# Log good authentication
my $user = $self->{sessionInfo}->{ $self->{whatToTrace} };
$self->_sub( 'userNotice',
"Good authentication for $user by $self->{sessionInfo}->{_auth}" )
if $user;
# Set _lastAuthnUTime
$self->{sessionInfo}->{_lastAuthnUTime} = time();
PE_OK;
}
##@method registerLogin
# Store current login in login history
# @param $errorCode Code returned by authenticate()
sub registerLogin {
my ( $self, $errorCode ) = @_;
if ( $self->{loginHistoryEnabled} ) {
my $history = $self->{sessionInfo}->{loginHistory} ||= {};
my $type = ( $errorCode ? "failed" : "success" ) . "Login";
$history->{$type} ||= [];
$self->lmLog( "Current login saved into $type", "debug" );
# Gather current login's parameters
my $login = $self->_sumUpSession( $self->{sessionInfo}, 1 );
$login->{error} = $self->error($errorCode)
if ($errorCode);
# Add current login into history
unshift @{ $history->{$type} }, $login;
# Forget oldest logins
splice @{ $history->{$type} }, $self->{ $type . "Number" }
if ( scalar @{ $history->{$type} } > $self->{ $type . "Number" } );
# Save into persistent session
$self->updatePersistentSession( { loginHistory => $history, } );
}
}
##@apmethod int removeOther()
# check singleSession or singleIP parameters, and remove other sessions if needed
#@return Lemonldap::NG::Portal constant
sub removeOther {
my ( $self, $current ) = @_;
$self->{deleted} = [];
$self->{otherSessions} = [];
if ( $self->{singleSession}
or $self->{singleIP}
or $self->{notifyOther} )
{
my $sessions =
$self->{globalStorage}->searchOn( $self->{globalStorageOptions},
$self->{whatToTrace},
$self->{sessionInfo}->{ $self->{whatToTrace} } );
foreach my $id ( keys %$sessions ) {
next if ( $current and ( $current eq $id ) );
my $h = $self->getApacheSession( $id, 1 ) or next;
if (
$self->{singleSession}
or ( $self->{singleIP}
and $self->{sessionInfo}->{ipAddr} ne $h->{ipAddr} )
)
{
push @{ $self->{deleted} }, $self->_sumUpSession($h);
$self->_deleteSession( $h, 1 );
}
else {
push @{ $self->{otherSessions} }, $self->_sumUpSession($h);
}
}
}
if ( $self->{singleUserByIP} ) {
my $sessions =
$self->{globalStorage}
->searchOn( $self->{globalStorageOptions}, 'ipAddr', $self->ipAddr );
foreach my $id ( keys %$sessions ) {
next if ( $current and $current eq $id );
my $h = $self->getApacheSession( $id, 1 ) or next;
unless ( $self->{sessionInfo}->{ $self->{whatToTrace} } eq
$h->{ $self->{whatToTrace} } )
{
push @{ $self->{deleted} }, $self->_sumUpSession($h);
$self->_deleteSession( $h, 1 );
}
}
}
$self->info(
$self->mkSessionArray(
$self->{deleted}, $self->msg(PM_SESSIONS_DELETED), 1
)
) if ( $self->{notifyDeleted} and @{ $self->{deleted} } );
$self->info(
$self->mkSessionArray( $self->{otherSessions},
$self->msg(PM_OTHER_SESSIONS), 1 )
. $self->_mkRemoveOtherLink()
) if ( $self->{notifyOther} and @{ $self->{otherSessions} } );
$self->info(
(
$self->{sessionInfo}->{loginHistory}->{successLogin}
? $self->mkSessionArray(
$self->{sessionInfo}->{loginHistory}->{successLogin},
$self->msg(PM_LAST_LOGINS),
0, 0
)
: ""
)
. (
$self->{sessionInfo}->{loginHistory}->{failedLogin}
? $self->mkSessionArray(
$self->{sessionInfo}->{loginHistory}->{failedLogin},
$self->msg(PM_LAST_FAILED_LOGINS),
0, 1
)
: ""
)
) if ( $self->{checkLogins} );
PE_OK;
}
##@method private hashref _sumUpSession(hashref session)
# put main session data into a hash ref
# @param hashref $session The session to sum up
# @return hashref
sub _sumUpSession {
my ( $self, $session, $withoutUser ) = @_;
my $res =
$withoutUser
? {}
: { user => $session->{ $self->{whatToTrace} } };
$res->{$_} = $session->{$_}
foreach ( "_utime", "ipAddr", keys %{ $self->{sessionDataToRemember} } );
return $res;
}
##@method private string mkSessionArray(string title,array datas)
# Build an HTML array to display sessions
# @param $sessions Array ref of hash ref containing sessions datas
# @param $title Title of the array
# @param $displayUser To display "User" column
# @param $displaError To display "Error" column
# @return HTML string
sub mkSessionArray {
my ( $self, $sessions, $title, $displayUser, $displayError ) = @_;
return "" unless ( ref $sessions eq "ARRAY" and @$sessions );
my $tmp = $title ? "<h3>$title</h3>" : "";
$tmp .= "<table class=\"info\"><tbody>";
$tmp .= "<tr>";
$tmp .= "<th>" . $self->msg(PM_USER) . "</th>"
if ($displayUser);
$tmp .= "<th>" . $self->msg(PM_DATE) . "</th>";
$tmp .= "<th>" . $self->msg(PM_IP) . "</th>";
$tmp .= "<th>" . $self->{sessionDataToRemember}->{$_} . "</th>"
foreach ( keys %{ $self->{sessionDataToRemember} } );
$tmp .= '<th>' . $self->msg(PM_ERROR_MSG) . '</th>'
if ($displayError);
$tmp .= '</tr>';
foreach my $session (@$sessions) {
$tmp .= "<tr>";
$tmp .= "<td>$session->{user}</td>" if ($displayUser);
$tmp .=
"<td><script type=\"text/javascript\">var _date=new Date($session->{_utime}*1000);document.write(_date.toLocaleString());</script></td>";
$tmp .= "<td>$session->{ipAddr}</td>";
$tmp .= "<td>" . ( $session->{$_} || "" ) . "</td>"
foreach ( keys %{ $self->{sessionDataToRemember} } );
$tmp .= "<td>$session->{error}</td>" if ($displayError);
$tmp .= "</tr>";
}
$tmp .= '</tbody></table>';
return $tmp;
}
## @method private string _mkRemoveOtherLink()
# Build the removeOther link
# Last part of URL is built trough javascript
# @return removeOther link in HTML code
sub _mkRemoveOtherLink {
my $self = shift;
my $link = $self->{portal} . "?removeOther=1";
return
"<p class=\"removeOther\"><a href=\"$link\" onclick=\"_go=0\">"
. $self->msg(PM_REMOVE_OTHER_SESSIONS)
. "</a></p>";
}
##@apmethod int grantSession()
# Check grantSessionRule to allow session creation.
#@return Lemonldap::NG::Portal constant
sub grantSession {
my ($self) = @_;
if ( defined $self->{grantSessionRule} ) {
# Eval grantSessionRule
# Kept for backward compatibility with LL::NG 1.1.2 and previous
my $grantSessionRule = $self->{grantSessionRule};
unless ( $self->safe->reval($grantSessionRule) ) {
$self->lmLog(
"User " . $self->{user} . " was not granted to open session",
'error' );
$self->registerLogin(PE_SESSIONNOTGRANTED);
return PE_SESSIONNOTGRANTED;
}
}
# Eval grantSessionRules sorted by comments
sub sortByComment {
my $A = ( $a =~ /^.*?##(.*)$/ )[0];
my $B = ( $b =~ /^.*?##(.*)$/ )[0];
return !$A ? 1 : !$B ? -1 : $A cmp $B;
}
foreach ( sort sortByComment keys %{ $self->{grantSessionRules} } ) {
$self->lmLog( "Grant session condition \"$_\" checked", "debug" );
unless ( $self->safe->reval($_) ) {
$self->lmLog(
"User " . $self->{user} . " was not granted to open session",
'error' );
my $msg = $self->safe->reval( $self->{grantSessionRules}->{$_} );
$msg = $self->{grantSessionRules}->{$_} if ($@);
$self->{ "error_" . PE_SESSIONNOTGRANTED } = $msg if ($msg);
$self->registerLogin(PE_SESSIONNOTGRANTED);
return PE_SESSIONNOTGRANTED;
}
}
my $user = $self->{sessionInfo}->{ $self->{whatToTrace} };
$self->_sub( 'userNotice', "Session granted for $user" ) if ($user);
$self->registerLogin(PE_OK);
return PE_OK;
}
##@apmethod int store()
# Store user's datas in sessions database.
# Now, the user is known, authenticated and session variable are evaluated.
# It's time to store his parameters with Apache::Session::* module
#@return Lemonldap::NG::Portal constant
sub store {
my ($self) = @_;
# Now, user is authenticated => inform Apache
$self->setApacheUser( $self->{sessionInfo}->{ $self->{whatToTrace} } );
# Create second session for unsecure cookie
if ( $self->{securedCookie} == 2 ) {
my $h2 = $self->getApacheSession( undef, 1 );
$h2->{$_} = $self->{sessionInfo}->{$_}
foreach ( keys %{ $self->{sessionInfo} } );
$self->{sessionInfo}->{_httpSession} = $h2->{_session_id};
$h2->{_httpSessionType} = 1;
untie %$h2;
}
# Main session
my $h = $self->getApacheSession( $self->{id} )
or return PE_APACHESESSIONERROR;
foreach my $k ( keys %{ $self->{sessionInfo} } ) {
next unless defined $self->{sessionInfo}->{$k};
my $displayValue = $self->{sessionInfo}->{$k};
if ( $self->{hiddenAttributes} =~ /\b$k\b/ ) {
$displayValue = '****';
}
$self->lmLog( "Store $displayValue in session key $k", 'debug' );
$h->{$k} = $self->{sessionInfo}->{$k};
}
untie %$h;
PE_OK;
}
## @apmethod int authFinish
# Call authFinish method from authentication module
# @return Lemonldap::NG::Portal constant
sub authFinish {
my $self = shift;
eval { $self->{error} = $self->SUPER::authFinish; };
if ($@) {
$self->lmLog(
"Optional authFinish method not defined in current authentication module: $@",
'debug'
);
return PE_OK;
}
return $self->{error};
}
##@apmethod int buildCookie()
# Build the Lemonldap::NG cookie.
#@return Lemonldap::NG::Portal constant
sub buildCookie {
my $self = shift;
push @{ $self->{cookie} },
$self->cookie(
-name => $self->{cookieName},
-value => $self->{id},
-domain => $self->{domain},
-path => "/",
-secure => $self->{securedCookie},
-httponly => $self->{httpOnly},
-expires => $self->{cookieExpiration},
@_,
);
if ( $self->{securedCookie} >= 2 ) {
push @{ $self->{cookie} },
$self->cookie(
-name => $self->{cookieName} . "http",
-value => (
$self->{securedCookie} == 2
? $self->{sessionInfo}->{_httpSession}
: $self->{cipher}->encryptHex( $self->{id}, "http" )
),
-domain => $self->{domain},
-path => "/",
-secure => 0,
-httponly => $self->{httpOnly},
-expires => $self->{cookieExpiration},
@_,
);
}
PE_OK;
}
##@apmethod int checkNotification()
# Check if messages has to be notified.
# Call Lemonldap::NG::Common::Notification::getNotification().
#@return Lemonldap::NG::Portal constant
sub checkNotification {
my $self = shift;
if ( $self->{notification}
and $self->{_notification} ||=
$self->{notifObject}->getNotification($self) )
{
return PE_NOTIFICATION;
}
return PE_OK;
}
## @apmethod int issuerForAuthUser()
# Check IssuerDB activation rule
# Register used module in user session
# @return Lemonldap::NG::Portal constant
sub issuerForAuthUser {
my $self = shift;
# User information
my $user = $self->{sessionInfo}->{ $self->{whatToTrace} } || 'unknown';
# Get active module
my $issuerDBtype = $self->get_module('issuer');
# Eval activation rule
my $rule = $self->{ 'issuerDB' . $issuerDBtype . 'Rule' };
if ( defined $rule ) {
$self->lmLog( "Applying rule: $rule", 'debug' );
unless ( $self->safe->reval($rule) ) {
$self->lmLog(
"User $user was not allowed to use IssuerDB $issuerDBtype",
'warn' );
return PE_OK;
}
}
else {
$self->lmLog( "No rule found for IssuerDB $issuerDBtype", 'debug' );
}
$self->lmLog( "User $user allowed to use IssuerDB $issuerDBtype", 'debug' );
# Register IssuerDB module in session
$self->addSessionValue( '_issuerDB', $issuerDBtype, $self->{id} );
# Call IssuerDB module method
return $self->SUPER::issuerForAuthUser();
}
##@apmethod int autoRedirect()
# If the user was redirected to the portal, we will now redirect him
# to the requested URL.
#@return Lemonldap::NG::Portal constant
sub autoRedirect {
my $self = shift;
$self->clearHiddenFormValue();
# Default redirection URL
$self->{urldc} ||= $self->{portal}
if ( $self->{mustRedirect} or $self->info() );
# Display info before redirecting
if ( $self->info() ) {
$self->{infoFormMethod} = $self->param('method') || "get";
$self->clearHiddenFormValue();
my ($query_string) = ( $self->{urldc} =~ /.+?\?(.+)/ );
if ($query_string) {
$self->lmLog(
"Transform query string $query_string into hidden form values",
'debug'
);
my $query = CGI->new($query_string);
my $formFields = $query->Vars;
foreach ( keys %$formFields ) {
$self->setHiddenFormValue( $_, $formFields->{$_}, "", 0 );
}
}
return PE_INFO;
}
# Redirection should be made if
# - urldc defined
if ( $self->{urldc} ) {
# Cross-domain mechanism
if ( $self->{cda}
and $self->{id}
and $self->{urldc} !~ m#^https?://[^/]*$self->{domain}(:\d+)?/#oi
and $self->isTrustedUrl( $self->{urldc} ) )
{
my $ssl = $self->{urldc} =~ /^https/;
$self->lmLog( 'CDA request', 'debug' );
$self->{urldc} .= ( $self->{urldc} =~ /\?/ ? '&' : '?' )
. (
( $self->{securedCookie} < 2 or $ssl )
? $self->{cookieName} . "=" . $self->{id}
: $self->{cookieName} . "http="
. $self->{sessionInfo}->{_httpSession}
);
}
$self->updateStatus;
if ( $self->safe->reval( $self->{jsRedirect} ) ) {
$self->{redirectFormMethod} = "get";
return PE_REDIRECT;
}
else {
print $self->redirect(
-status => '303 See Other',
-location => $self->{urldc},
);
$self->quit();
}
}
PE_OK;
}
## @method void returnSOAPMessage()
# Print SOAP message
# @return void
sub returnSOAPMessage {
my $self = shift;
# Quit if no SOAP message
$self->quit() unless $self->{SOAPMessage};
# Print HTTP header and SOAP message
binmode( STDOUT, ":bytes" );
print $self->header( -type => 'application/xml' );
print $self->{SOAPMessage};
# Exit
$self->quit();
}
## @method void autoPost()
# Transfer POST data with auto submit
# @return void
sub autoPost {
my $self = shift;
# Get URL and Form fields
$self->{urldc} = $self->{postUrl};
my $formFields = $self->{postFields};
$self->clearHiddenFormValue();
foreach ( keys %$formFields ) {
$self->setHiddenFormValue( $_, $formFields->{$_}, "", 0 );
}
# Display info before redirecting
if ( $self->info() ) {
$self->{infoFormMethod} = $self->param('method') || "post";
return PE_INFO;
}
$self->{redirectFormMethod} = "post";
return PE_REDIRECT;
}
## @method HASHREF getCustomTemplateParameters()
# Find custom templates parameters
# @return Custom parameters
sub getCustomTemplateParameters {
my $self = shift;
my $customTplParams = {};
foreach ( keys %$self ) {
next unless ( $_ =~ /^tpl_(.+)$/ );
my $tplParam = $1;
my $tplValue = $self->{ "tpl_" . $tplParam };
$self->lmLog( "Set custom template parameter $tplParam with $tplValue",
'debug' );
$customTplParams->{$tplParam} = $tplValue;
}
return $customTplParams;
}
1;
__END__
=head1 NAME
=encoding utf8
Lemonldap::NG::Portal::Simple - Base module for building Lemonldap::NG compatible portals
=head1 SYNOPSIS
use Lemonldap::NG::Portal::Simple;
my $portal = new Lemonldap::NG::Portal::Simple(
domain => 'example.com',
globalStorage => 'Apache::Session::MySQL',
globalStorageOptions => {
DataSource => 'dbi:mysql:database=dbname;host=127.0.0.1',
UserName => 'db_user',
Password => 'db_password',
TableName => 'sessions',
LockDataSource => 'dbi:mysql:database=dbname;host=127.0.0.1',
LockUserName => 'db_user',
LockPassword => 'db_password',
},
ldapServer => 'ldap.domaine.com,ldap-backup.domaine.com',
securedCookie => 1,
exportedVars => {
uid => 'uid',
cn => 'cn',
mail => 'mail',
appli => 'appli',
},
# Activate SOAP service
Soap => 1
);
if($portal->process()) {
# Write here the menu with CGI methods. This page is displayed ONLY IF
# the user was not redirected here.
print $portal->header('text/html; charset=utf-8'); # DON'T FORGET THIS (see L<CGI(3)>)
print "...";
# or redirect the user to the menu
print $portal->redirect( -uri => 'https://portal/menu');
}
else {
# Write here the html form used to authenticate with CGI methods.
# $portal->error returns the error message if athentification failed
# Warning: by defaut, input names are "user" and "password"
print $portal->header('text/html; charset=utf-8'); # DON'T FORGET THIS (see L<CGI(3)>)
print "...";
print '<form method="POST">';
# In your form, the following value is required for redirection
print '<input type="hidden" name="url" value="'.$portal->param('url').'">';
# Next, login and password
print 'Login : <input name="user"><br>';
print 'Password : <input name="password" type="password" autocomplete="off">';
print '<input type="submit" value="go" />';
print '</form>';
}
SOAP mode authentication (client) :
#!/usr/bin/perl -l
use SOAP::Lite;
use Data::Dumper;
my $soap =
SOAP::Lite->proxy('http://auth.example.com/')
->uri('urn:/Lemonldap::NG::Common::CGI::SOAPService');
my $r = $soap->getCookies( 'user', 'password' );
# Catch SOAP errors
if ( $r->fault ) {
print STDERR "SOAP Error: " . $r->fault->{faultstring};
}
else {
my $res = $r->result();
# If authentication failed, display error
if ( $res->{error} ) {
print STDERR "Error: " . $soap->error( $res->{error} )->result();
}
# print session-ID
else {
print "Cookie: lemonldap=" . $res->{cookies}->{lemonldap};
}
}
=head1 DESCRIPTION
Lemonldap::NG::Portal::Simple is the base module for building Lemonldap::NG
compatible portals. You can use it either by inheritance or by writing
anonymous methods like in the example above.
See L<Lemonldap::NG::Portal::SharedConf> for a complete example of use of
Lemonldap::Portal::* libraries.
=head1 METHODS
=head2 Constructor (new)
=head3 Args
=over
=item * ldapServer: server(s) used to retrive session information and to valid
credentials (localhost by default). More than one server can be set here
separated by commas. The servers will be tested in the specifies order.
To use TLS, set "ldap+tls://server" and to use LDAPS, set "ldaps://server"
instead of server name. If you use TLS, you can set any of the
Net::LDAP->start_tls() sub like this:
"ldap/tls://server/verify=none&capath=/etc/ssl"
You can also use caFile and caPath parameters.
=item * ldapPort: tcp port used by ldap server.
=item * ldapBase: base of the ldap directory.
=item * managerDn: dn to used to connect to ldap server. By default, anonymous
bind is used.
=item * managerPassword: password to used to connect to ldap server. By
default, anonymous bind is used.
=item * securedCookie: set it to 1 if you want to protect user cookies.
=item * cookieName: name of the cookie used by Lemonldap::NG (lemon by default).
=item * domain: cookie domain. You may have to give it else the SSO will work
only on your server.
=item * globalStorage: required: L<Apache::Session> library to used to store
session information.
=item * globalStorageOptions: parameters to bind to L<Apache::Session> module
=item * authentication: sheme to authenticate users (default: "ldap"). It can
be set to:
=over
=item * B<SSL>: See L<Lemonldap::NG::Portal::AuthSSL>.
=back
=item * caPath, caFile: if you use ldap+tls you can overwrite cafile or capath
options with those parameters. This is useful if you use a shared
configuration.
=item * ldapPpolicyControl: set it to 1 if you want to use LDAP Password Policy
=item * grantSessionRule: rule applied to grant session opening for a user. Can
use all exported attributes, macros, groups and custom functions.
=back
=head2 Methods that can be overloaded
All the functions above can be overloaded to adapt Lemonldap::NG to your
environment. They MUST return one of the exported constants (see above)
and are called in this order by process().
=head3 controlUrlOrigin
If the user was redirected by a Lemonldap::NG handler, stores the url that will be
used to redirect the user after authentication.
=head3 controlExistingSession
Controls if a previous session is always available. If true, it call the sub
C<existingSession> with two parameters: id and a scalar tied on Apache::Session
module choosed to store sessions. See bellow
=head3 existingSession
This sub is called only if a previous session exists and is available. By
defaults, it returns PE_OK so user is re-authenticated. You can overload it:
for example if existingSession just returns PE_DONE: authenticated users are
not re-authenticated and C<>process> returns true.
=head3 extractFormInfo
Method implemented into Lemonldap::NG::Portal::Auth* modules. By default
(ldap bind), converts form input into object variables ($self->{user} and
$self->{password}).
=head3 formateParams
Does nothing. To be overloaded if needed.
=head3 formateFilter
Creates the ldap filter using $self->{user}. By default :
$self->{filter} = "(&(uid=" . $self->{user} . ")(objectClass=inetOrgPerson))";
If $self->{AuthLDAPFilter} is set, it is used instead of this. This is used by
Lemonldap::NG::Portal::Auth* modules to overload filter.
=head3 connectLDAP
Connects to LDAP server.
=head3 bind
Binds to the LDAP server using $self->{managerDn} and $self->{managerPassword}
if exist. Anonymous bind is provided else.
=head3 search
Retrives the LDAP entry corresponding to the user using $self->{filter}.
=head3 setAuthSessionInfo
Same as setSessionInfo but implemented in Lemonldap::NG::Portal::Auth* modules.
=head3 setSessionInfo
Prepares variables to store in central cache (stored temporarily in
C<$self->{sessionInfo}>). It use C<exportedVars> entry (passed to the new sub)
if defined to know what to store else it stores uid, cn and mail attributes.
=head3 getSessionInfo
Pick up an information stored in session.
=head3 setGroups
Does nothing by default.
=head3 authenticate
Method implemented in Lemonldap::NG::Portal::Auth* modules. By default (ldap),
authenticates the user by rebinding to the LDAP server using the dn retrived
with search() and the password.
=head3 grantSession
Use grantSessionRule parameter to allow session opening.
=head3 store
Stores information collected by setSessionInfo into the central cache.
The portal connects the cache using the L<Apache::Session> module passed by
the globalStorage parameters (see constructor).
=head3 unbind
Disconnects from the LDAP server.
=head3 buildCookie
Creates the Lemonldap::NG cookie.
=head3 log
Does nothing. To be overloaded if wanted.
=head3 autoRedirect
Redirects the user to the url stored by controlUrlOrigin().
=head2 Other methods
=head3 process
Main method.
=head3 error
Returns the error message corresponding to the error returned by the methods
described above
=head3 error_type
Give the type of the error (positive, warning or positive)
=head3 _bind( $ldap, $dn, $password )
Method used to bind to the ldap server.
=head3 header
Overloads the CGI::header method to add Lemonldap::NG cookie.
=head3 redirect
Overloads the CGI::redirect method to add Lemonldap::NG cookie.
=head2 EXPORT
=head3 Constants
=over 5
=item * B<PE_OK>: all is good
=item * B<PE_SESSIONEXPIRED>: the user session has expired
=item * B<PE_FORMEMPTY>: Nothing was entered in the login form
=item * B<PE_USERNOTFOUND>: the user was not found in the (ldap) directory
=item * B<PE_WRONGMANAGERACCOUNT>: the account used to bind to LDAP server in order to
find the user distinguished name (dn) was refused by the server
=item * B<PE_BADCREDENTIALS>: bad login or password
=item * B<PE_LDAPERROR>: abnormal error from ldap
=item * B<PE_APACHESESSIONERROR>: abnormal error from Apache::Session
=item * B<PE_FIRSTACCESS>: First access to the portal
=item * B<PE_BADCERTIFICATE>: Wrong certificate
=item * PE_PP_ACCOUNT_LOCKED: account locked
=item * PE_PP_PASSWORD_EXPIRED: password axpired
=item * PE_CERTIFICATEREQUIRED: certificate required
=item * PE_ERROR: unclassified error
=back
=head1 SEE ALSO
L<Lemonldap::NG::Handler>, L<Lemonldap::NG::Portal::SharedConf>, L<CGI>,
L<http://lemonldap-ng.org/>
=head1 AUTHOR
=over
=item Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
=item François-Xavier Deltombe, E<lt>fxdeltombe@gmail.com.E<gt>
=item Xavier Guimard, E<lt>x.guimard@free.frE<gt>
=item Sandro Cazzaniga, E<lt>cazzaniga.sandro@gmail.comE<gt>
=item Thomas Chemineau, E<lt>thomas.chemineau@gmail.comE<gt>
=back
=head1 BUG REPORT
Use OW2 system to report bug or ask for features:
L<http://jira.ow2.org>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
=head1 COPYRIGHT AND LICENSE
=over
=item Copyright (C) 2006, 2007, 2008, 2009, 2010, 2012 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>
=item Copyright (C) 2012 by Sandro Cazzaniga, E<lt>cazzaniga.sandro@gmail.comE<gt>
=item Copyright (C) 2012, 2012, 2013 by François-Xavier Deltombe, E<lt>fxdeltombe@gmail.com.E<gt>
=item Copyright (C) 2006, 2008, 2009, 2010, 2011, 2012, 2012, 2013 by Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
=item Copyright (C) 2010, 2011 by Thomas Chemineau, E<lt>thomas.chemineau@gmail.comE<gt>
=back
This library is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see L<http://www.gnu.org/licenses/>.
=cut