--- loncom/auth/lonlogin.pm	2022/02/24 15:51:28	1.195
+++ loncom/auth/lonlogin.pm	2022/08/24 20:58:50	1.202
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.195 2022/02/24 15:51:28 raeburn Exp $
+# $Id: lonlogin.pm,v 1.202 2022/08/24 20:58:50 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -68,6 +68,11 @@ sub handler {
             $env{'form.ltoken'} = $info{'ltoken'};
         } elsif ($info{'linkprot'}) {
             $env{'form.linkprot'} = $info{'linkprot'};
+            foreach my $item ('linkprotuser','linkprotexit') {
+                if ($info{$item} ne '') {
+                    $env{'form.'.$item} = $info{$item};
+                }
+            }
         } elsif ($info{'linkkey'} ne '') {
             $env{'form.linkkey'} = $info{'linkkey'};
         }
@@ -181,6 +186,11 @@ sub handler {
                     $link_info{'ltoken'} = $env{'form.ltoken'};
                 } elsif ($env{'form.linkprot'}) {
                     $link_info{'linkprot'} = $env{'form.linkprot'};
+                    foreach my $item ('linkprotuser','linkprotexit') {
+                        if ($env{'form.'.$item} ne '') {
+                            $link_info{$item} = $env{'form.'.$item};
+                        }
+                    }
                 } elsif ($env{'form.linkkey'} ne '') {
                     $link_info{'linkkey'} = $env{'form.linkkey'};
                 }
@@ -249,16 +259,38 @@ sub handler {
             $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
         }
         if (($env{'form.ltoken'}) || ($env{'form.linkprot'})) {
-            my $linkprot;
+            my ($linkprot,$linkprotuser,$linkprotexit);
             if ($env{'form.ltoken'}) {
                 my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
                 $linkprot = $info{'linkprot'};
-                my $delete = &Apache::lonnet::tmpdel($env{'form.ltoken'});
+                if ($info{'linkprotuser'} ne '') {
+                    $linkprotuser = $info{'linkprotuser'};
+                }
+                if ($info{'linkprotexit'} ne '') {
+                    $linkprotexit = $info{'linkprotexit'};
+                }
             } else {
                 $linkprot = $env{'form.linkprot'};
+                $linkprotuser = $env{'form.linkprotuser'};
+                $linkprotexit = $env{'form.linkprotexit'};
             }
             if ($linkprot) {
                 my ($linkprotector,$deeplink) = split(/:/,$linkprot,2);
+                if (($deeplink =~ m{^/tiny/$match_domain/\w+$}) &&
+                    ($linkprotuser ne '') && ($linkprotuser ne $env{'user.name'}.':'.$env{'user.domain'})) {
+                    my $ip = &Apache::lonnet::get_requestor_ip();
+                    my %linkprotinfo = (
+                                          origurl => $deeplink,
+                                          linkprot => $linkprot,
+                                          linkprotuser => $linkprotuser,
+                                          linkprotexit => $linkprotexit,
+                                       );    
+                    if ($env{'form.ltoken'}) {
+                        my $delete = &Apache::lonnet::tmpdel($env{'form.ltoken'});
+                    }
+                    &Apache::migrateuser::logout($r,$ip,$handle,undef,undef,\%linkprotinfo);
+                    return OK;
+                }
                 if ($env{'user.linkprotector'}) {
                     my @protectors = split(/,/,$env{'user.linkprotector'});
                     unless (grep(/^\Q$linkprotector\E$/,@protectors)) {
@@ -304,6 +336,9 @@ sub handler {
                 }
             }
         }
+        if ($env{'form.ltoken'}) {
+            my $delete = &Apache::lonnet::tmpdel($env{'form.ltoken'});
+        }
 	$r->print(
                   $start_page
                  .'<p class="LC_warning">'.&mt('You are already logged in!').'</p>'
@@ -428,20 +463,30 @@ sub handler {
     if ($uextkey>2147483647) { $uextkey-=4294967296; }
 
 # -------------------------------------------------------- Store away log token
-    my ($tokenextras,$tokentype);
-    my @names = ('role','symb','iptoken','ltoken','linkprot','linkkey');
+    my ($tokenextras,$tokentype,$linkprot_for_login);
+    my @names = ('role','symb','iptoken','ltoken','linkprotuser','linkprotexit','linkprot','linkkey');
     foreach my $name (@names) {
         if ($env{'form.'.$name} ne '') {
             if ($name eq 'ltoken') {
                 my %info = &Apache::lonnet::tmpget($env{'form.'.$name});
                 if ($info{'linkprot'}) {
+                    $linkprot_for_login = $info{'linkprot'};
                     $tokenextras .= '&linkprot='.&escape($info{'linkprot'});
+                    foreach my $item ('linkprotuser','linkprotexit') {
+                        if ($info{$item}) {
+                            $tokenextras .= '&'.$item.'='.&escape($info{$item});
+                        }
+                    }
                     $tokentype = 'link';
                     last;
                 }
             } else {
                 $tokenextras .= '&'.$name.'='.&escape($env{'form.'.$name});
                 if (($name eq 'linkkey') || ($name eq 'linkprot')) {
+                    if ((($env{'form.retry'}) || ($env{'form.sso'})) && 
+                        (!$env{'form.ltoken'}) && ($name eq 'linkprot')) {
+                        $linkprot_for_login = $env{'form.linkprot'};
+                    }
                     $tokentype = 'link';
                 }
             }
@@ -619,7 +664,8 @@ function enableInput() {
 ENDSCRIPT
 
     my ($lonhost_in_use,@hosts,%defaultdomconf,$saml_prefix,$saml_landing,
-        $samlssotext,$samlnonsso,$samlssoimg,$samlssoalt,$samlssourl,$samltooltip);
+        $samlssotext,$samlnonsso,$samlssoimg,$samlssoalt,$samlssourl,$samltooltip,
+        $samlnoframe,$samlwindow);
     %defaultdomconf = &Apache::loncommon::get_domainconf($defdom);
     @hosts = &Apache::lonnet::current_machine_ids();
     $lonhost_in_use = $lonhost;
@@ -640,6 +686,7 @@ ENDSCRIPT
         $samlssoalt = $defaultdomconf{$saml_prefix.'alt_'.$lonhost_in_use};
         $samlssourl = $defaultdomconf{$saml_prefix.'url_'.$lonhost_in_use};
         $samltooltip = $defaultdomconf{$saml_prefix.'title_'.$lonhost_in_use};
+        $samlwindow = $defaultdomconf{$saml_prefix.'window_'.$lonhost_in_use};
     }
     if ($saml_landing) {
        if ($samlssotext eq '') {
@@ -827,6 +874,7 @@ HEADER
 
     my $stdauthformstyle = 'inline-block';
     my $ssoauthstyle = 'none';
+    my $sso_onclick;
     my $logintype;
     $r->print('<div style="float:left;margin-top:0;">');
     if ($saml_landing) {
@@ -837,6 +885,8 @@ HEADER
         if ($samlssourl  ne '') {
             $ssologin = $samlssourl;
         }
+        my $ssologin_for_js = &js_escape($ssologin);
+        my $querystr_for_js;
         if (($logtoken eq 'con_lost') || ($logtoken eq 'no_such_host')) {
             my $querystring;
             if ($env{'form.firsturl'} ne '') {
@@ -857,16 +907,44 @@ HEADER
             }
             if ($querystring ne '') {
                 $ssologin .= (($ssologin=~/\?/)?'&amp;':'?') . $querystring;
+                $querystr_for_js = &js_escape($querystring);
             }
         } elsif ($logtoken ne '') {
             $ssologin .= (($ssologin=~/\?/)?'&amp;':'?') . 'logtoken='.$logtoken;
+            $querystr_for_js = &js_escape('logtoken='.$logtoken);
         }
         my $ssohref;
+        if ($samlwindow) {
+            $sso_onclick = <<"ENDJS";
+if (document.getElementById('LC_sso_login_link')) {
+    var ssoelem = document.getElementById('LC_sso_login_link')
+    ssoelem.addEventListener('click',samlWinFunction,false);
+    var windows = {};
+    function samlWinFunction(evt) {
+        evt.preventDefault();
+        var url = '$ssologin_for_js';
+        var name = 'lcssowin';
+        var querystr = '$querystr_for_js';
+        if (querystr) {
+            url += '?'+querystr+'&lcssowin=1';
+        } else {
+            url += '?lcssowin=1';
+        }
+        if ((typeof windows[name] !== 'undefined') && (!windows[name].closed)) {
+            windows[name].close();
+        }
+        windows[name]=window.open(url,name,'width=350,height=600');
+        windows[name].focus();
+        return false;
+    }
+}
+ENDJS
+        }
         if ($samlssoimg ne '') {
-            $ssohref = '<a href="'.$ssologin.'" title="'.$samltooltip.'">'.
+            $ssohref = '<a href="'.$ssologin.'" title="'.$samltooltip.'" id="LC_sso_login_link">'.
                        '<img src="'.$samlssoimg.'" alt="'.$samlssoalt.'" id="lcssobutton" /></a>';
         } else {
-            $ssohref = '<a href="'.$ssologin.'">'.$samlssotext.'</a>';
+            $ssohref = '<a href="'.$ssologin.'" id="LC_sso_login_link">'.$samlssotext.'</a>';
         }
         if (($env{'form.saml'} eq 'no') ||
             (($env{'form.username'} ne '') && ($env{'form.domain'} ne ''))) {
@@ -898,6 +976,46 @@ ENDSAML
             delete($env{'form.ltoken'});
         }
     }
+    my $in_frame_js;
+    if ($linkprot_for_login) {
+        my ($linkprotector,$linkproturi) = split(/:/,$linkprot_for_login,2);
+        if (($linkprotector =~ /^\d+(c|d)$/) && ($linkproturi =~ m{^/+tiny/+$LONCAPA::match_domain/+\w+$})) {
+            my $set_target;
+            if (($env{'form.retry'}) || ($env{'form.sso'})) {
+                if ($linkproturi eq $env{'form.firsturl'}) {
+                    $set_target = "    document.server.target = '_self';";
+                }
+            } else {
+                $set_target = <<ENDTARG;
+    var linkproturi = '$linkproturi';
+    var path = document.location.pathname.replace( new RegExp('^/adm/launch'),'');
+    if (linkproturi == path) {
+        document.server.target = '_self';
+    }
+ENDTARG
+            }
+            $in_frame_js = <<ENDJS;
+<script type="text/javascript">
+// <![CDATA[
+if ((window.self !== window.top) && (document.server.target != '_self')) {
+    $set_target
+    $sso_onclick
+}
+// ]]>
+</script>
+ENDJS
+        }
+    } elsif ($samlwindow) {
+        $in_frame_js = <<ENDJS;
+<script type="text/javascript">
+// <![CDATA[
+if ((window.self !== window.top) && (document.server.target != '_self')) {
+    $sso_onclick
+}
+// ]]>
+</script>
+ENDJS
+    }
 
     $r->print(<<ENDLOGIN);
 <div style="display:$stdauthformstyle;" id="LC_standard_login">
@@ -998,6 +1116,7 @@ $versionrow
     <br style="clear:both;" />
  </div>
 
+$in_frame_js
 <script type="text/javascript">
 // <![CDATA[
 // the if prevents the script error if the browser can not handle this
@@ -1090,31 +1209,60 @@ sub redirect_page {
         $path = '/'.$path;
     }
     my $url = $protocol.'://'.$hostname.$path;
-    if ($env{'form.firsturl'} ne '') {
+    my $args = {};
+    if ($env{'form.firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+        $url = $protocol.'://'.$hostname.$env{'form.firsturl'};
+        if (($env{'form.ltoken'}) || ($env{'form.linkprot'} ne '') ||
+            ($env{'form.linkkey'} ne '')) {
+            my %link_info;
+            if ($env{'form.ltoken'}) {
+                %link_info = &Apache::lonnet::tmpget($env{'form.ltoken'});
+                &Apache::lonnet::tmpdel($env{'form.ltoken'});
+                $args->{'only_body'} = 1;
+            } elsif ($env{'form.linkprot'}) {
+                $link_info{'linkprot'} = $env{'form.linkprot'};
+                foreach my $item ('linkprotuser','linkprotexit') {
+                    if ($env{'form.'.$item}) {
+                        $link_info{$item} = $env{'form.'.$item};
+                    }
+                }
+                $args->{'only_body'} = 1;
+            } elsif ($env{'form.linkkey'} ne '') {
+                $link_info{'linkkey'} = $env{'form.linkkey'};
+            }
+            my $token = &Apache::lonnet::tmpput(\%link_info,$desthost,'link');
+            unless (($token eq 'con_lost') || ($token eq 'refused') ||
+                    ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+                $url .= '?ltoken='.$token;
+            }
+        }
+    } else {
         my $querystring;
-        if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
-            $querystring = &uri_escape_utf8($env{'form.firsturl'});
-        } else {
-            $querystring = &uri_escape($env{'form.firsturl'});
+        if ($env{'form.firsturl'} ne '') {
+            if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+                $querystring = &uri_escape_utf8($env{'form.firsturl'});
+            } else {
+                $querystring = &uri_escape($env{'form.firsturl'});
+            }
+            $querystring = &HTML::Entities::encode($querystring,"'");
+            $querystring = '?firsturl='.$querystring;
         }
-        $querystring = &HTML::Entities::encode($querystring,"'");
-        $url .='?firsturl='.$querystring;
-    }
-    if (($env{'form.ltoken'}) || ($env{'form.linkkey'} ne '')) {
-        my %link_info;
         if ($env{'form.ltoken'}) {
-            $link_info{'ltoken'} = $env{'form.ltoken'};
-        } elsif ($env{'form.linkkey'} ne '') {
-            $link_info{'linkkey'} = $env{'form.linkkey'};
-        }
-        my $token = &Apache::lonnet::tmpput(\%link_info,$desthost,'link');
-        unless (($token eq 'con_lost') || ($token eq 'refused') ||
-                ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
-            $url .= (($url=~/\?/)?'&amp;':'?') . 'ttoken='.$token;
+            my %link_info = &Apache::lonnet::tmpget($env{'form.ltoken'});
+            &Apache::lonnet::tmpdel($env{'form.ltoken'});
+            my $token = &Apache::lonnet::tmpput(\%link_info,$desthost,'link');
+            unless (($token eq 'con_lost') || ($token eq 'refused') || ($token =~ /^error:/) ||
+                    ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+                unless (($path eq '/adm/roles') || ($path eq '/adm/login')) {
+                    $url = $protocol.'://'.$hostname.'/adm/roles';
+                }
+                $querystring .= (($querystring =~/^\?/)?'&amp;':'?') . 'ttoken='.$token;
+            }
         }
+        $url .= $querystring;
     }
-    my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,
-                                                    {'redirect' => [0,$url],});
+    $args->{'redirect'} = [0,$url];
+    my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,$args);
     my $end_page   = &Apache::loncommon::end_page();
     return $start_page.$end_page;
 }