loncom/auth/lonshibauth.pm - view

File: [LON-CAPA] / loncom / auth / lonshibauth.pm
Revision 1.18: download - view: text, annotated - select for diffs
Fri Jun 2 01:20:26 2023 UTC (11 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_4_msu, HEAD

- Bugs 6754 and 6907
  - Return of grades to launcher CMS supported for resources or folders
    accessed via LTI-mediated deep link.
  - Support option: "Encrypt stored consumer secrets defined in domain"
  - Signing of LTI payloads for roster retrieval, passback of grades,
    and callback to logput launcher CMS session all now occur on
    primary library server for course's domain.

1: # The LearningOnline Network 2: # Redirect Single Sign On authentication to designated URL: 3: # /adm/sso, by default. 4: # 5: # $Id: lonshibauth.pm,v 1.18 2023/06/02 01:20:26 raeburn Exp $ 6: # 7: # Copyright Michigan State University Board of Trustees 8: # 9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA). 10: # 11: # LON-CAPA is free software; you can redistribute it and/or modify 12: # it under the terms of the GNU General Public License as published by 13: # the Free Software Foundation; either version 2 of the License, or 14: # (at your option) any later version. 15: # 16: # LON-CAPA is distributed in the hope that it will be useful, 17: # but WITHOUT ANY WARRANTY; without even the implied warranty of 18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19: # GNU General Public License for more details. 20: # 21: # You should have received a copy of the GNU General Public License 22: # along with LON-CAPA; if not, write to the Free Software 23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 24: # 25: # /home/httpd/html/adm/gpl.txt 26: # 27: # http://www.lon-capa.org/ 28: # 29: 30: =head1 NAME 31: 32: Apache::lonshibauth - Redirect Single Sign On authentication 33: 34: =head1 SYNOPSIS 35: 36: Invoked when an Apache config file includes: 37: PerlAuthenHandler Apache::lonshibauth 38: 39: If server is configured as a Shibboleth SP, the main Apache 40: configuration file, e.g., /etc/httpd/conf/httpd.conf 41: (for RHEL/CentOS/Scentific Linux/Fedora) should contain: 42: 43: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so 44: 45: or equivalent (depending on Apache version) 46: before the line to include conf/loncapa_apache.conf 47: 48: If some other Apache module is in use for Single Sign On 49: authentication e.g., mod_auth_cas or mod_sentinel, 50: then a separate config file should be created which 51: includes settings for the authentication module. 52: 53: =head1 INTRODUCTION 54: 55: Redirects a user requiring Single Sign On to a URL on the server 56: which is configured to use that service. The default URL is: 57: /adm/sso. 58: 59: If this is to be used with a Single Sign On service other Shibboleth 60: then an Apache config file needs to be loaded which: 61: 62: (a) loads the corresponding Apache module, and 63: (b) sets appropriate values for perl vars in 64: an <IfModule mod_***></IfModule> block, and 65: (c) sets an appropriate value for AuthType in a 66: <Location /adm/sso><IfModule mod_***> 67: </IfModule></Location> block, which also contains 68: 69: require valid-user 70: 71: PerlAuthzHandler Apache::lonshibacc 72: 73: PerlAuthzHandler Apache::lonacc 74: 75: In the case of Shibboleth no additional file is needed 76: because loncapa_apache.conf already contains: 77: 78: <IfModule mod_shib> 79: PerlAuthenHandler Apache::lonshibauth 80: PerlSetVar lonOtherAuthen yes 81: PerlSetVar lonOtherAuthenType Shibboleth 82: 83: </IfModule> 84: 85: and 86: 87: <Location /adm/sso> 88: Header set Cache-Control "private,no-store,no-cache,max-age=0" 89: <IfModule mod_shib> 90: AuthType shibboleth 91: ShibUseEnvironment On 92: ShibRequestSetting requireSession 1 93: ShibRequestSetting redirectToSSL 443 94: require valid-user 95: PerlAuthzHandler Apache::lonshibacc 96: PerlAuthzHandler Apache::lonacc 97: ErrorDocument 403 /adm/login 98: ErrorDocument 500 /adm/errorhandler 99: </IfModule> 100: <IfModule !mod_shib> 101: PerlTypeHandler Apache::lonnoshib 102: </IfModule> 103: 104: </Location> 105: 106: If the service is not Shibboleth, then (optionally) a URL that is 107: not /adm/sso can be used as the URL for the service, e.g., /adm/cas 108: or /adm/sentinel, by setting a lonOtherAuthenUrl perl var 109: in an Apache config file containing (for example): 110: 111: PerlSetVar lonOtherAuthenUrl /adm/sentinel 112: 113: <IfModule mod_sentinel> 114: PerlAuthenHandler Apache::lonshibauth 115: PerlSetVar lonOtherAuthen yes 116: PerlSetVar lonOtherAuthenType Sentinel 117: 118: </IfModule> 119: 120: <Location /adm/sentinel> 121: Header set Cache-Control "private,no-store,no-cache,max-age=0" 122: <IfModule mod_sentinel> 123: AuthType Sentinel 124: require valid-user 125: PerlAuthzHandler Apache::lonshibacc 126: PerlAuthzHandler Apache::lonacc 127: ErrorDocument 403 /adm/login 128: ErrorDocument 500 /adm/errorhandler 129: </IfModule> 130: <IfModule !mod_sentinel> 131: PerlTypeHandler Apache::lonnoshib 132: </IfModule> 133: 134: </Location> 135: 136: In the example above for Sentinel SSO, it would also be possible to 137: use /adm/sso instead of /adm/sentinel, in which case (i) there would be 138: no need to define lonOtherAuthenUrl, (ii) there would be <Location /adm/sso> 139: and (iii) the <IfModule !></IfModule> block would not be needed as 140: it is already present in /etc/httpd/conf/loncapa_apache.conf. 141: 142: =head1 HANDLER SUBROUTINE 143: 144: This routine is called by Apache and mod_perl. 145: 146: =over 4 147: 148: If $r->user is defined and requested URL is not /adm/sso or 149: other specific URL as set by a lonOtherAuthenUrl perlvar, 150: then redirect to /adm/sso (or to the specific URL). 151: 152: Otherwise return DECLINED. 153: 154: In the case of redirection a query string is appended, 155: which will contain either (a) the originally requested URL, 156: if not /adm/sso (or lonOtherAuthenUrl URL), and 157: any existing query string in the original request, or 158: (b) if original request was for /tiny/domain/uniqueID, 159: or if redirect is to /adm/login to support dual SSO and 160: non-SSO, a query string which contains sso=tokenID, where the 161: token contains information for deep-linking to course/resource. 162: 163: Support is included for use of LON-CAPA's standard log-in 164: page -- /adm/login -- to support dual SSO and non-SSO 165: authentication from that "landing" page. 166: 167: To enable dual SSO and non-SSO access from /adm/login 168: a Domain Coordinator will use the web GUI: 169: Main Menu > Set domain configuration > Display 170: ("Log-in page options" checked) 171: and for any of the LON-CAPA domain's servers which 172: will offer dual login will check "Yes" and then set: 173: (a) SSO Text, Image, Alt Text, URL, Tool Tip 174: (b) non-SSO: Text 175: 176: The value in the URL field should be /adm/sso, 177: or the same URL as set for the lonOtherAuthenUrl 178: perl var, e.g., /adm/sentinel. 179: 180: =back 181: 182: =head1 NOTABLE SUBROUTINES 183: 184: =over 4 185: 186: =item set_token() 187: 188: Inputs: 2 189: $r - request object 190: $lonhost - hostID of current server 191: 192: Output: 1 193: $querystring - query string to append to URL 194: when redirecting. 195: 196: If any of the following items are present in the original query string: 197: role, symb, and linkkey, then they will be stored in the token file 198: on the server, for access later to support deep-linking. If the ltoken 199: item is available, from successful launch from an LTI Consumer where 200: LON-CAPA is the LTI Provider, but not configured to accept user 201: information, and the destination is a deep-link URL /tiny/domain/uniqueiD, 202: then the LTI number, type (c or d), and tiny URL will be saved as the 203: linkprot item in a token file. 204: 205: =item set_mailtoken() 206: 207: Inputs: 2 208: $r - request object 209: $lonhost - hostID of current server 210: 211: Output: 1 212: $querystring - query string to append to URL 213: when redirecting. 214: 215: Called if requested URL is /adm/email, dual SSO and non-SSO login 216: are supported by /adm/login and original query string contains values 217: for elements: display, username and domain, which will then be 218: stored in the token file on the server to support direct access 219: to a specific message sent to the user. 220: 221: =back 222: 223: =cut 224: 225: package Apache::lonshibauth; 226: 227: use strict; 228: use lib '/home/httpd/lib/perl/'; 229: use Apache::lonnet; 230: use Apache::loncommon; 231: use Apache::lonacc; 232: use Apache::Constants qw(:common REDIRECT); 233: use LONCAPA qw(:DEFAULT :match); 234: 235: sub handler { 236: my $r = shift; 237: my $ssourl = '/adm/sso'; 238: if ($r->dir_config('lonOtherAuthenUrl') ne '') { 239: $ssourl = $r->dir_config('lonOtherAuthenUrl'); 240: } 241: my $target = $ssourl; 242: if (&Apache::lonnet::get_saml_landing()) { 243: $target = '/adm/login'; 244: } 245: if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne $ssourl)) { 246: my $lonhost = $Apache::lonnet::perlvar{'lonHostID'}; 247: my $hostname = &Apache::lonnet::hostname($lonhost); 248: if (!$hostname) { $hostname = $r->hostname(); } 249: my $protocol = $Apache::lonnet::protocol{$lonhost}; 250: unless ($protocol eq 'https') { $protocol = 'http'; } 251: my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost); 252: if (($alias ne '') && 253: (&Apache::lonnet::alias_sso($lonhost))) { 254: $hostname = $alias; 255: } 256: my $dest = $protocol.'://'.$hostname.$target; 257: if ($target eq '/adm/login') { 258: my $uri = $r->uri; 259: my $querystring; 260: if (($uri eq '/adm/email') && ($r->args ne '')) { 261: $querystring = &set_mailtoken($r,$lonhost); 262: } else { 263: $querystring = &set_token($r,$lonhost); 264: } 265: if ($querystring ne '') { 266: $dest .= '?'.$querystring; 267: } 268: } else { 269: my $uri = $r->uri; 270: if ($uri =~ m{^/tiny/$match_domain/\w+$}) { 271: my $querystring = &set_token($r,$lonhost); 272: if ($querystring ne '') { 273: $dest .= '?'.$querystring; 274: } 275: } elsif ((&Apache::lonnet::get_saml_landing()) && 276: ($uri eq '/adm/email') && ($r->args ne '')) { 277: my $querystring = &set_mailtoken($r,$lonhost); 278: if ($querystring ne '') { 279: $dest .= '?'.$querystring; 280: } 281: } else { 282: if ($r->args ne '') { 283: $dest .= (($dest=~/\?/)?'&':'?').$r->args; 284: } 285: unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) { 286: unless ($r->args =~ /origurl=/) { 287: $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri; 288: } 289: } 290: } 291: } 292: $r->header_out(Location => $dest); 293: return REDIRECT; 294: } else { 295: return DECLINED; 296: } 297: } 298: 299: sub set_token { 300: my ($r,$lonhost) = @_; 301: my ($firsturl,$querystring,$ssotoken,@names,%token); 302: @names = ('role','symb','ltoken','linkkey'); 303: map { $token{$_} = 1; } @names; 304: unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) { 305: $firsturl = $r->uri; 306: } 307: if ($r->args ne '') { 308: &Apache::loncommon::get_unprocessed_cgi($r->args); 309: } 310: if ($r->uri =~ m{^/tiny/$match_domain/\w+$}) { 311: if ($env{'form.ttoken'}) { 312: my %info = &Apache::lonnet::tmpget($env{'form.ttoken'}); 313: &Apache::lonnet::tmpdel($env{'form.ttoken'}); 314: if ($info{'ltoken'}) { 315: $env{'form.ltoken'} = $info{'ltoken'}; 316: } elsif ($info{'linkkey'} ne '') { 317: $env{'form.linkkey'} = $info{'linkkey'}; 318: } 319: } else { 320: unless (($env{'form.ltoken'}) || ($env{'form.linkkey'})) { 321: &Apache::lonacc::get_posted_cgi($r,['linkkey']); 322: } 323: } 324: unless (($r->is_initial_req()) || ($env{'form.ltoken'}) || 325: ($env{'form.linkkey'})) { 326: return; 327: } 328: } 329: my $extras; 330: foreach my $name (@names) { 331: if ($env{'form.'.$name} ne '') { 332: if ($name eq 'ltoken') { 333: my %info = &Apache::lonnet::tmpget($env{'form.ltoken'}); 334: &Apache::lonnet::tmpdel($env{'form.ltoken'}); 335: if ($info{'linkprot'}) { 336: $extras .= '&linkprot='.&escape($info{'linkprot'}); 337: foreach my $item ('linkprotuser','linkprotexit','linkprotpbid','linkprotpburl') { 338: if ($info{$item} ne '') { 339: $extras .= '&'.$item.'='.&escape($info{$item}); 340: } 341: } 342: last; 343: } 344: } else { 345: $extras .= '&'.$name.'='.&escape($env{'form.'.$name}); 346: } 347: } 348: } 349: if (($firsturl ne '') || ($extras ne '')) { 350: $extras .= ':sso'; 351: $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl). 352: $extras,$lonhost); 353: $querystring = 'sso='.$ssotoken; 354: } 355: if ($r->args ne '') { 356: foreach my $key (sort(keys(%env))) { 357: if ($key =~ /^form\.(.+)$/) { 358: my $name = $1; 359: next if (($token{$name}) || ($name eq 'ttoken')); 360: $querystring .= '&'.$name.'='.$env{$key}; 361: } 362: } 363: } 364: return $querystring; 365: } 366: 367: sub set_mailtoken { 368: my ($r,$lonhost) = @_; 369: my $firsturl = $r->uri; 370: my ($querystring,$ssotoken,$extras); 371: &Apache::loncommon::get_unprocessed_cgi($r->args); 372: my $extras; 373: if (($env{'form.display'} ne '') && 374: ($env{'form.username'} =~ /^$match_username$/) && 375: ($env{'form.domain'} =~ /^$match_domain$/)) { 376: $extras .= '&display='.&escape($env{'form.display'}). 377: '&mailrecip='.&escape($env{'form.username'}.':'.$env{'form.domain'}); 378: } 379: if (($firsturl ne '') || ($extras ne '')) { 380: $extras .= ':sso'; 381: $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl). 382: $extras,$lonhost); 383: $querystring = 'sso='.$ssotoken; 384: } 385: if ($r->args ne '') { 386: foreach my $key (sort(keys(%env))) { 387: if ($key =~ /^form\.(.+)$/) { 388: my $name = $1; 389: next if (($name eq 'display') || ($name eq 'username') || ($name eq 'domain')); 390: $querystring .= '&'.$name.'='.$env{$key}; 391: } 392: } 393: } 394: return $querystring; 395: } 396: 397: 1; 398: __END__