loncom/auth/lonshibauth.pm - view

File: [LON-CAPA] / loncom / auth / lonshibauth.pm
Revision 1.11: download - view: text, annotated - select for diffs
Tue Oct 26 15:52:54 2021 UTC (2 years, 7 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD

- Use token to store role, symb, linkprot, and/or linkkey when dual log-in
  page to support SSO (Shibboleth) and non-SSO is in use, and for "log in
  again" retry link for failed login, instead of using query string directly.
- When digest is used by tmpput handler in lond to generate an id, only use
  id which does not already exist in LON-CAPA's tmp directory.

1: # The LearningOnline Network 2: # Redirect Shibboleth authentication to designated URL (/adm/sso). 3: # 4: # $Id: lonshibauth.pm,v 1.11 2021/10/26 15:52:54 raeburn Exp $ 5: # 6: # Copyright Michigan State University Board of Trustees 7: # 8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA). 9: # 10: # LON-CAPA is free software; you can redistribute it and/or modify 11: # it under the terms of the GNU General Public License as published by 12: # the Free Software Foundation; either version 2 of the License, or 13: # (at your option) any later version. 14: # 15: # LON-CAPA is distributed in the hope that it will be useful, 16: # but WITHOUT ANY WARRANTY; without even the implied warranty of 17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18: # GNU General Public License for more details. 19: # 20: # You should have received a copy of the GNU General Public License 21: # along with LON-CAPA; if not, write to the Free Software 22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23: # 24: # /home/httpd/html/adm/gpl.txt 25: # 26: # http://www.lon-capa.org/ 27: # 28: 29: =head1 NAME 30: 31: Apache::lonshibauth - Redirect Shibboleth authentication 32: 33: =head1 SYNOPSIS 34: 35: Invoked when lonOtherAuthen is set to yes, and type is Shibboleth 36: 37: If server is configured as a Shibboleth SP, the main Apache 38: configuration file, e.g., /etc/httpd/conf/httpd.conf 39: (for RHEL/CentOS/Scentific Linux/Fedora) should contain: 40: 41: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so 42: 43: or equivalent (depending on Apache version) 44: before the line to include conf/loncapa_apache.conf 45: 46: =head1 INTRODUCTION 47: 48: Redirects a user requiring Single Sign On via Shibboleth to a 49: URL -- /adm/sso -- on the server which is configured to use that service. 50: 51: =head1 HANDLER SUBROUTINE 52: 53: This routine is called by Apache and mod_perl. 54: 55: =over 4 56: 57: If $r->user defined and requested uri not /adm/sso 58: redirect to /adm/sso 59: 60: Otherwise return DECLINED 61: 62: =back 63: 64: =cut 65: 66: package Apache::lonshibauth; 67: 68: use strict; 69: use lib '/home/httpd/lib/perl/'; 70: use Apache::lonnet; 71: use Apache::loncommon; 72: use Apache::lonacc; 73: use Apache::Constants qw(:common REDIRECT); 74: use LONCAPA qw(:DEFAULT :match); 75: 76: sub handler { 77: my $r = shift; 78: my $target = '/adm/sso'; 79: if (&Apache::lonnet::get_saml_landing()) { 80: $target = '/adm/login'; 81: } 82: if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne '/adm/sso')) { 83: my $lonhost = $Apache::lonnet::perlvar{'lonHostID'}; 84: my $hostname = &Apache::lonnet::hostname($lonhost); 85: if (!$hostname) { $hostname = $r->hostname(); } 86: my $protocol = $Apache::lonnet::protocol{$lonhost}; 87: unless ($protocol eq 'https') { $protocol = 'http'; } 88: my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost); 89: if (($alias ne '') && 90: (&Apache::lonnet::alias_shibboleth($lonhost))) { 91: $hostname = $alias; 92: } 93: my $dest = $protocol.'://'.$hostname.$target; 94: if ($target eq '/adm/login') { 95: my $querystring = &set_token($r,$lonhost); 96: if ($querystring ne '') { 97: $dest .= '?'.$querystring; 98: } 99: } else { 100: my $uri = $r->uri; 101: if ($r->args ne '') { 102: $dest .= (($dest=~/\?/)?'&':'?').$r->args; 103: } 104: unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) { 105: unless ($r->args =~ /origurl=/) { 106: $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri; 107: } 108: } 109: if ($uri =~ m{^/tiny/$match_domain/\w+$}) { 110: unless (($r->args =~ /ltoken=/) || ($r->args =~ /linkkey=/)) { 111: &Apache::lonacc::get_posted_cgi($r,['linkkey']); 112: if ($env{'form.linkkey'} ne '') { 113: $dest.=(($dest=~/\?/)?'&':'?').'linkkey='.$env{'form.linkkey'}; 114: } 115: } 116: } 117: } 118: $r->header_out(Location => $dest); 119: return REDIRECT; 120: } else { 121: return DECLINED; 122: } 123: } 124: 125: sub set_token { 126: my ($r,$lonhost) = @_; 127: my ($firsturl,$querystring,$ssotoken,@names,%token); 128: @names = ('role','symb','ltoken','linkkey'); 129: map { $token{$_} = 1; } @names; 130: unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) { 131: $firsturl = $r->uri; 132: } 133: if ($r->args ne '') { 134: &Apache::loncommon::get_unprocessed_cgi($r->args); 135: } 136: if ($r->uri =~ m{^/tiny/$match_domain/\w+$}) { 137: unless (($env{'form.ltoken'}) || ($env{'form.linkkey'})) { 138: &Apache::lonacc::get_posted_cgi($r,['linkkey']); 139: } 140: } 141: my $extras; 142: foreach my $name (@names) { 143: if ($env{'form.'.$name} ne '') { 144: if ($name eq 'ltoken') { 145: my %info = &Apache::lonnet::tmpget($env{'form.ltoken'}); 146: if ($info{'linkprot'}) { 147: $extras .= '&linkprot='.&escape($info{'linkprot'}); 148: last; 149: } 150: } else { 151: $extras .= '&'.$name.'='.&escape($env{'form.'.$name}); 152: } 153: } 154: } 155: if (($firsturl ne '') || ($extras ne '')) { 156: $extras .= ':sso'; 157: $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl). 158: $extras,$lonhost); 159: $querystring = 'sso='.$ssotoken; 160: } 161: if ($r->args ne '') { 162: foreach my $key (sort(keys(%env))) { 163: if ($key =~ /^form\.(.+)$/) { 164: my $name = $1; 165: next if ($token{$name}); 166: $querystring .= '&'.$name.'='.$env{$key}; 167: } 168: } 169: } 170: return $querystring; 171: } 172: 173: 1; 174: __END__