--- loncom/interface/domainprefs.pm 2021/09/01 00:21:52 1.385
+++ loncom/interface/domainprefs.pm 2021/10/07 15:51:15 1.388
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Handler to set domain-wide configuration settings
#
-# $Id: domainprefs.pm,v 1.385 2021/09/01 00:21:52 raeburn Exp $
+# $Id: domainprefs.pm,v 1.388 2021/10/07 15:51:15 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -297,7 +297,10 @@ sub handler {
{col1 => 'Log-in Help',
col2 => 'Value'},
{col1 => 'Custom HTML in document head',
- col2 => 'Value'}],
+ col2 => 'Value'},
+ {col1 => 'SSO',
+ col2 => 'Dual login: SSO and non-SSO options'},
+ ],
print => \&print_login,
modify => \&modify_login,
},
@@ -632,7 +635,10 @@ sub handler {
{col1 => 'Log-in Help',
col2 => 'Value'},
{col1 => 'Custom HTML in document head',
- col2 => 'Value'}],
+ col2 => 'Value'},
+ {col1 => 'SSO',
+ col2 => 'Dual login: SSO and non-SSO options'},
+ ],
print => \&print_login,
modify => \&modify_login,
};
@@ -859,6 +865,8 @@ sub print_config_box {
$output .= &wafproxy_javascript($dom);
} elsif ($action eq 'autoupdate') {
$output .= &autoupdate_javascript();
+ } elsif ($action eq 'login') {
+ $output .= &saml_javascript();
}
$output .=
'
@@ -878,7 +886,7 @@ sub print_config_box {
my $leftnobr = '';
if (($action eq 'rolecolors') || ($action eq 'defaults') ||
($action eq 'directorysrch') ||
- (($action eq 'login') && ($numheaders < 4))) {
+ (($action eq 'login') && ($numheaders < 5))) {
$colspan = ' colspan="2"';
}
if ($action eq 'usersessions') {
@@ -909,7 +917,7 @@ sub print_config_box {
} elsif ($action eq 'scantron') {
$output .= $item->{'print'}->($r,'top',$dom,$confname,$settings,\$rowtotal);
} elsif ($action eq 'login') {
- if ($numheaders == 4) {
+ if ($numheaders == 5) {
$colspan = ' colspan="2"';
$output .= &print_login('service',$dom,$confname,$phase,$settings,\$rowtotal);
} else {
@@ -1050,7 +1058,7 @@ sub print_config_box {
'.&mt($item->{'header'}->[3]->{'col2'}).' '.
$item->{'print'}->('bottom',$dom,$settings,\$rowtotal);
} elsif ($action eq 'login') {
- if ($numheaders == 4) {
+ if ($numheaders == 5) {
$output .= &print_login('page',$dom,$confname,$phase,$settings,\$rowtotal).'
@@ -1074,7 +1082,7 @@ sub print_config_box {
';
- if ($numheaders == 4) {
+ if ($numheaders == 5) {
$output .= '
'.&mt($item->{'header'}->[3]->{'col1'}).'
'.&mt($item->{'header'}->[3]->{'col2'}).'
@@ -1086,7 +1094,27 @@ sub print_config_box {
';
}
$rowtotal ++;
- $output .= &print_login('headtag',$dom,$confname,$phase,$settings,\$rowtotal);
+ $output .= &print_login('headtag',$dom,$confname,$phase,$settings,\$rowtotal).'
+
+
+
+
+
+
+ ';
+ if ($numheaders == 5) {
+ $output .= '
+ '.&mt($item->{'header'}->[4]->{'col1'}).'
+ '.&mt($item->{'header'}->[4]->{'col2'}).'
+ ';
+ } else {
+ $output .= '
+ '.&mt($item->{'header'}->[3]->{'col1'}).'
+ '.&mt($item->{'header'}->[3]->{'col2'}).'
+ ';
+ }
+ $rowtotal ++;
+ $output .= &print_login('saml',$dom,$confname,$phase,$settings,\$rowtotal);
} elsif ($action eq 'requestcourses') {
$output .= &print_requestmail($dom,$action,$settings,\$rowtotal);
$rowtotal ++;
@@ -1221,9 +1249,12 @@ sub print_config_box {
sub print_login {
my ($caller,$dom,$confname,$phase,$settings,$rowtotal) = @_;
- my ($css_class,$datatable);
+ my ($css_class,$datatable,$switchserver,%lt);
my %choices = &login_choices();
-
+ if (($caller eq 'help') || ($caller eq 'headtag') || ($caller eq 'saml')) {
+ %lt = &login_file_options();
+ $switchserver = &check_switchserver($dom,$confname);
+ }
if ($caller eq 'service') {
my %servers = &Apache::lonnet::internet_dom_servers($dom);
my $choice = $choices{'disallowlogin'};
@@ -1417,18 +1448,10 @@ sub print_login {
$datatable .= &display_color_options($dom,$confname,$phase,'login',$itemcount,\%choices,\%is_custom,\%defaults,\%designs,\@images,\@bgs,\@links,\%alt_text,$rowtotal,\@logintext);
$datatable .= '
';
} elsif ($caller eq 'help') {
- my ($defaulturl,$defaulttype,%url,%type,%lt,%langchoices);
- my $switchserver = &check_switchserver($dom,$confname);
+ my ($defaulturl,$defaulttype,%url,%type,%langchoices);
my $itemcount = 1;
$defaulturl = '/adm/loginproblems.html';
$defaulttype = 'default';
- %lt = &Apache::lonlocal::texthash (
- del => 'Delete?',
- rep => 'Replace:',
- upl => 'Upload:',
- default => 'Default',
- custom => 'Custom',
- );
%langchoices = &Apache::lonlocal::texthash(&get_languages_hash());
my @currlangs;
if (ref($settings) eq 'HASH') {
@@ -1525,14 +1548,6 @@ sub print_login {
}
}
}
- my %lt = &Apache::lonlocal::texthash(
- del => 'Delete?',
- rep => 'Replace:',
- upl => 'Upload:',
- curr => 'View contents',
- none => 'None',
- );
- my $switchserver = &check_switchserver($dom,$confname);
foreach my $lonhost (sort(keys(%domservers))) {
my $exempt = &check_exempt_addresses($currexempt{$lonhost});
$datatable .= ''.$domservers{$lonhost}.' ';
@@ -1556,6 +1571,88 @@ sub print_login {
$datatable .= ''.
+ ' '.&Apache::lonnet::hostname($server).' ';
if ($othercontrol{$server}) {
$dom_in_effect = $othercontrol{$server};
- my $current;
+ my ($current,$forsaml);
if (ref($aliases{$dom_in_effect}) eq 'HASH') {
$current = $aliases{$dom_in_effect}{$server};
}
+ if (ref($saml{$dom_in_effect}) eq 'HASH') {
+ if ($saml{$dom_in_effect}{$server}) {
+ $forsaml = 1;
+ }
+ }
$aliasrows .= ''.
&mt('Alias').': ';
if ($current) {
$aliasrows .= $current;
+ if ($forsaml) {
+ $aliasrows .= ' ('.&mt('also for Shibboleth').')';
+ }
} else {
$aliasrows .= &mt('None');
}
@@ -7443,16 +7610,30 @@ sub print_wafproxy {
''.$dom_in_effect.' ').') ';
} else {
$dom_in_effect = $dom;
- my $current;
+ my ($current,$samlon,$samloff);
+ $samloff = ' checked="checked"';
if (ref($aliases{$dom}) eq 'HASH') {
if ($aliases{$dom}{$server}) {
$current = $aliases{$dom}{$server};
}
}
+ if (ref($saml{$dom}) eq 'HASH') {
+ if ($saml{$dom}{$server}) {
+ $samlon = $samloff;
+ undef($samloff);
+ }
+ }
$aliasrows .= ''.
&mt('Alias').': '.
' ';
+ 'value="'.$current.'" size="30" />'.
+ (' 'x2).''.
+ &mt('Alias used for Shibboleth').': '.
+ ' '.
+ ' '.
+ '';
}
$aliasrows .= '';
$aliasinfo{$dom_in_effect} .= $aliasrows;
@@ -11251,12 +11432,14 @@ sub usertype_update_row {
sub modify_login {
my ($r,$dom,$confname,$lastactref,%domconfig) = @_;
my ($resulttext,$errors,$colchgtext,%changes,%colchanges,%newfile,%newurl,
- %curr_loginvia,%loginhash,@currlangs,@newlangs,$addedfile,%title,@offon);
+ %curr_loginvia,%loginhash,@currlangs,@newlangs,$addedfile,%title,@offon,
+ %currsaml,%saml,%samltext,%samlimg,%samlalt,%samlurl,%samltitle,%samlnotsso);
%title = ( coursecatalog => 'Display course catalog',
adminmail => 'Display administrator E-mail address',
helpdesk => 'Display "Contact Helpdesk" link',
newuser => 'Link for visitors to create a user account',
- loginheader => 'Log-in box header');
+ loginheader => 'Log-in box header',
+ saml => 'Dual SSO and non-SSO login');
@offon = ('off','on');
if (ref($domconfig{login}) eq 'HASH') {
if (ref($domconfig{login}{loginvia}) eq 'HASH') {
@@ -11264,6 +11447,20 @@ sub modify_login {
$curr_loginvia{$lonhost} = $domconfig{login}{loginvia}{$lonhost};
}
}
+ if (ref($domconfig{login}{'saml'}) eq 'HASH') {
+ foreach my $lonhost (keys(%{$domconfig{login}{'saml'}})) {
+ if (ref($domconfig{login}{'saml'}{$lonhost}) eq 'HASH') {
+ $currsaml{$lonhost} = $domconfig{login}{'saml'}{$lonhost};
+ $saml{$lonhost} = 1;
+ $samltext{$lonhost} = $domconfig{login}{'saml'}{$lonhost}{'text'};
+ $samlurl{$lonhost} = $domconfig{login}{'saml'}{$lonhost}{'url'};
+ $samlalt{$lonhost} = $domconfig{login}{'saml'}{$lonhost}{'alt'};
+ $samlimg{$lonhost} = $domconfig{login}{'saml'}{$lonhost}{'img'};
+ $samltitle{$lonhost} = $domconfig{login}{'saml'}{$lonhost}{'title'};
+ $samlnotsso{$lonhost} = $domconfig{login}{'saml'}{$lonhost}{'notsso'};
+ }
+ }
+ }
}
($errors,%colchanges) = &modify_colors($r,$dom,$confname,['login'],
\%domconfig,\%loginhash);
@@ -11510,6 +11707,86 @@ sub modify_login {
$errors .= ''.$error.' '.$puberror.' '.$error.' '.&mt("$title{$item} in use for [_1]","$lonhost ").
+ '';
+ foreach my $key ('text','img','alt','url','title','notsso') {
+ if ($currsaml{$lonhost}{$key} eq '') {
+ $resulttext .= ''.&mt("$notlt{$key} not in use").' ';
+ } else {
+ my $value = "'$currsaml{$lonhost}{$key}'";
+ if ($key eq 'img') {
+ $value = ''.&mt("$notlt{$key} set to: [_1]",
+ $value).' ';
+ }
+ }
+ $resulttext .= ' ';
+ } else {
+ $resulttext .= ''.&mt("$title{$item} not in use for [_1]",$lonhost).' ';
+ }
+ }
+ }
} elsif ($item eq 'captcha') {
if (ref($loginhash{'login'}) eq 'HASH') {
my $chgtxt;
@@ -19930,8 +20264,8 @@ sub modify_selfenrollment {
sub modify_wafproxy {
my ($dom,$action,$lastactref,%domconfig) = @_;
my %servers = &Apache::lonnet::internet_dom_servers($dom);
- my (%othercontrol,%canset,%values,%curralias,%currvalue,@warnings,%wafproxy,
- %changes,%expirecache);
+ my (%othercontrol,%canset,%values,%curralias,%currsaml,%currvalue,@warnings,
+ %wafproxy,%changes,%expirecache,%expiresaml);
foreach my $server (sort(keys(%servers))) {
my $serverhome = &Apache::lonnet::get_server_homeID($servers{$server});
if ($serverhome eq $server) {
@@ -19946,6 +20280,9 @@ sub modify_wafproxy {
if (ref($domconfig{'wafproxy'}{'alias'}) eq 'HASH') {
%curralias = %{$domconfig{'wafproxy'}{'alias'}};
}
+ if (ref($domconfig{'wafproxy'}{'saml'}) eq 'HASH') {
+ %currsaml = %{$domconfig{'wafproxy'}{'saml'}};
+ }
foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
$currvalue{$item} = $domconfig{'wafproxy'}{$item};
}
@@ -19953,6 +20290,7 @@ sub modify_wafproxy {
my $output;
if (keys(%canset)) {
%{$wafproxy{'alias'}} = ();
+ %{$wafproxy{'saml'}} = ();
foreach my $key (sort(keys(%canset))) {
if ($env{'form.wafproxy_'.$dom}) {
$wafproxy{'alias'}{$key} = $env{'form.wafproxy_alias_'.$key};
@@ -19960,11 +20298,21 @@ sub modify_wafproxy {
if ($wafproxy{'alias'}{$key} ne $curralias{$key}) {
$changes{'alias'} = 1;
}
+ if ($env{'form.wafproxy_alias_saml_'.$key}) {
+ $wafproxy{'saml'}{$key} = 1;
+ }
+ if ($wafproxy{'saml'}{$key} ne $currsaml{$key}) {
+ $changes{'saml'} = 1;
+ }
} else {
$wafproxy{'alias'}{$key} = '';
+ $wafproxy{'saml'}{$key} = '';
if ($curralias{$key}) {
$changes{'alias'} = 1;
}
+ if ($currsaml{$key}) {
+ $changes{'saml'} = 1;
+ }
}
if ($wafproxy{'alias'}{$key} eq '') {
if ($curralias{$key}) {
@@ -19972,11 +20320,20 @@ sub modify_wafproxy {
}
delete($wafproxy{'alias'}{$key});
}
+ if ($wafproxy{'saml'}{$key} eq '') {
+ if ($currsaml{$key}) {
+ $expiresaml{$key} = 1;
+ }
+ delete($wafproxy{'saml'}{$key});
+ }
}
unless (keys(%{$wafproxy{'alias'}})) {
delete($wafproxy{'alias'});
}
- # Localization for values in %warn occus in &mt() calls separately.
+ unless (keys(%{$wafproxy{'saml'}})) {
+ delete($wafproxy{'saml'});
+ }
+ # Localization for values in %warn occurs in &mt() calls separately.
my %warn = (
trusted => 'trusted IP range(s)',
vpnint => 'internal IP range(s) for VPN sessions(s)',
@@ -20044,6 +20401,9 @@ sub modify_wafproxy {
} else {
if (keys(%curralias)) {
$changes{'alias'} = 1;
+ }
+ if (keys(%currsaml)) {
+ $changes{'saml'} = 1;
}
if (keys(%currvalue)) {
foreach my $key (keys(%currvalue)) {
@@ -20096,6 +20456,23 @@ sub modify_wafproxy {
$lastactref->{'proxyalias'} = \%updates;
}
}
+ if ((exists($wafproxy{'saml'})) || (keys(%expiresaml))) {
+ my %samlupdates = %expiresaml;
+ foreach my $key (keys(%expiresaml)) {
+ &Apache::lonnet::devalidate_cache_new('proxysaml',$key);
+ }
+ if (ref($wafproxy{'saml'}) eq 'HASH') {
+ my $cachetime = 24*60*60;
+ foreach my $key (keys(%{$wafproxy{'saml'}})) {
+ $samlupdates{$key} = 1;
+ &Apache::lonnet::do_cache_new('proxysaml',$key,$wafproxy{'saml'}{$key},
+ $cachetime);
+ }
+ }
+ if (ref($lastactref) eq 'HASH') {
+ $lastactref->{'proxysaml'} = \%samlupdates;
+ }
+ }
$output = &mt('Changes were made to Web Application Firewall/Reverse Proxy').'';
foreach my $item ('alias','remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
if ($changes{$item}) {
@@ -20119,6 +20496,19 @@ sub modify_wafproxy {
unless ($numaliased) {
$output .= ''.&mt('Aliases deleted for hostnames').' ';
}
+ } elsif ($item eq 'saml') {
+ my $shown;
+ if (ref($wafproxy{'saml'}) eq 'HASH') {
+ if (keys(%{$wafproxy{'saml'}})) {
+ $shown = join(', ',sort(keys(%{$wafproxy{'saml'}})));
+ }
+ }
+ if ($shown) {
+ $output .= ''.&mt('Alias used by Shibboleth for: [_1]',
+ $shown).' ';
+ } else {
+ $output .= ''.&mt('No alias used for Shibboleth').' ';
+ }
} else {
if ($item eq 'remoteip') {
my %ip_methods = &remoteip_methods();
@@ -21912,15 +22302,34 @@ sub devalidate_remote_domconfs {
my %thismachine;
map { $thismachine{$_} = 1; } &Apache::lonnet::current_machine_ids();
my @posscached = ('domainconfig','domdefaults','ltitools','usersessions',
- 'directorysrch','passwdconf','cats','proxyalias');
+ 'directorysrch','passwdconf','cats','proxyalias','proxysaml');
+ my %cache_by_lonhost;
+ if (exists($cachekeys->{'samllanding'})) {
+ if (ref($cachekeys->{'samllanding'}) eq 'HASH') {
+ my %landing = %{$cachekeys->{'samllanding'}};
+ my %domservers = &Apache::lonnet::get_servers($dom);
+ if (keys(%domservers)) {
+ foreach my $server (keys(%domservers)) {
+ my @cached;
+ next if ($thismachine{$server});
+ if ($landing{$server}) {
+ push(@cached,&escape('samllanding').':'.&escape($server));
+ }
+ if (@cached) {
+ $cache_by_lonhost{$server} = \@cached;
+ }
+ }
+ }
+ }
+ }
if (keys(%servers)) {
foreach my $server (keys(%servers)) {
next if ($thismachine{$server});
my @cached;
foreach my $name (@posscached) {
if ($cachekeys->{$name}) {
- if ($name eq 'proxyalias') {
- if (ref($cachekeys->{$name}) eq 'HASH') {
+ if (($name eq 'proxyalias') || ($name eq 'proxysaml')) {
+ if (ref($cachekeys->{$name}) eq 'HASH') {
foreach my $key (keys(%{$cachekeys->{$name}})) {
push(@cached,&escape($name).':'.&escape($key));
}
@@ -21930,6 +22339,10 @@ sub devalidate_remote_domconfs {
}
}
}
+ if ((exists($cache_by_lonhost{$server})) &&
+ (ref($cache_by_lonhost{$server}) eq 'ARRAY')) {
+ push(@cached,@{$cache_by_lonhost{$server}});
+ }
if (@cached) {
&Apache::lonnet::remote_devalidate_cache($server,\@cached);
}