-
Notifications
You must be signed in to change notification settings - Fork 257
/
Auth_with_cas.pm
291 lines (228 loc) · 8.68 KB
/
Auth_with_cas.pm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
package C4::Auth_with_cas;
# Copyright 2009 BibLibre SARL
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use strict;
use warnings;
use C4::Context;
use Koha::AuthUtils qw( get_script_name );
use Authen::CAS::Client;
use CGI qw ( -utf8 );
use YAML::XS;
use URI::Escape;
use Koha::Logger;
our (@ISA, @EXPORT_OK);
BEGIN {
require Exporter;
@ISA = qw(Exporter);
@EXPORT_OK = qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url logout_if_required multipleAuth getMultipleAuth);
}
my $defaultcasserver;
my $casservers;
my $yamlauthfile = C4::Context->config('intranetdir') . "/C4/Auth_cas_servers.yaml";
# If there's a configuration for multiple cas servers, then we get it
if (multipleAuth()) {
($defaultcasserver, $casservers) = YAML::XS::LoadFile($yamlauthfile);
$defaultcasserver = $defaultcasserver->{'default'};
} else {
# Else, we fall back to casServerUrl syspref
$defaultcasserver = 'default';
$casservers = { 'default' => C4::Context->preference('casServerUrl') };
}
=head1 Subroutines
=cut
# Is there a configuration file for multiple cas servers?
sub multipleAuth {
return (-e qq($yamlauthfile));
}
# Returns configured CAS servers' list if multiple authentication is enabled
sub getMultipleAuth {
return $casservers;
}
# Logout from CAS
sub logout_cas {
my ( $query, $type ) = @_;
my ( $cas, $uri ) = _get_cas_and_service( $query, undef, $type );
# We don't want to keep triggering a logout, if we got here,
# the borrower is already logged out of Koha
$uri =~ s/\?logout\.x=1//;
my $logout_url = $cas->logout_url( url => $uri );
$logout_url =~ s/url=/service=/
if C4::Context->preference('casServerVersion') eq '3';
print $query->redirect($logout_url);
}
# Login to CAS
sub login_cas {
my ($query, $type) = @_;
my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
print $query->redirect( $cas->login_url($uri));
}
# Returns CAS login URL with callback to the requesting URL
sub login_cas_url {
my ( $query, $key, $type ) = @_;
my ( $cas, $uri ) = _get_cas_and_service( $query, $key, $type );
return $cas->login_url($uri);
}
# Checks for password correctness
# In our case : is there a ticket, is it valid and does it match one of our users ?
sub checkpw_cas {
my ($ticket, $query, $type) = @_;
my $retnumber;
my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
# If we got a ticket
if ($ticket) {
# We try to validate it
my $val = $cas->service_validate($uri, $ticket );
# If it's valid
if ( $val->is_success() ) {
my $userid = $val->user();
# we should store the CAS ticekt too, we need this for single logout https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#233-single-logout
# Does it match one of our users ?
my $dbh = C4::Context->dbh;
my $patron = Koha::Patrons->find( { userid => $userid } );
if ($patron) {
return ( 1, $patron->cardnumber, $patron->userid, $ticket, $patron );
}
$patron = Koha::Patrons->find( { cardnumber => $userid } );
if ($patron) {
return ( 1, $patron->cardnumber, $patron->userid, $ticket, $patron );
}
# If we reach this point, then the user is a valid CAS user, but not a Koha user
Koha::Logger->get->info("User $userid is not a valid Koha user");
} else {
my $logger = Koha::Logger->get;
$logger->debug("Problem when validating ticket : $ticket");
$logger->debug("Authen::CAS::Client::Response::Error: " . $val->error()) if $val->is_error();
$logger->debug("Authen::CAS::Client::Response::Failure: " . $val->message()) if $val->is_failure();
$logger->debug(Data::Dumper::Dumper($@)) if $val->is_error() or $val->is_failure();
return 0;
}
}
return 0;
}
# Proxy CAS auth
sub check_api_auth_cas {
my ($PT, $query, $type) = @_;
my $retnumber;
my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
# If we have a Proxy Ticket
if ($PT) {
my $r = $cas->proxy_validate( $uri, $PT );
# If the PT is valid
if ( $r->is_success ) {
# We've got a username !
my $userid = $r->user;
# we should store the CAS ticket too, we need this for single logout https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#233-single-logout
# Does it match one of our users ?
my $dbh = C4::Context->dbh;
my $sth = $dbh->prepare("select cardnumber from borrowers where userid=?");
$sth->execute($userid);
if ( $sth->rows ) {
$retnumber = $sth->fetchrow;
return ( 1, $retnumber, $userid, $PT );
}
$sth = $dbh->prepare("select userid from borrowers where cardnumber=?");
return $r->user;
$sth->execute($userid);
if ( $sth->rows ) {
$retnumber = $sth->fetchrow;
return ( 1, $retnumber, $userid, $PT );
}
# If we reach this point, then the user is a valid CAS user, but not a Koha user
Koha::Logger->get->info("User $userid is not a valid Koha user");
} else {
Koha::Logger->get->debug("Proxy Ticket authentication failed");
return 0;
}
}
return 0;
}
# Get CAS handler and service URI
sub _get_cas_and_service {
my $query = shift;
my $key = shift; # optional
my $type = shift;
my $uri = _url_with_get_params($query, $type);
my $casparam = $defaultcasserver;
$casparam = $query->param('cas') if defined $query->param('cas');
$casparam = $key if defined $key;
my $cas = Authen::CAS::Client->new( $casservers->{$casparam} );
return ( $cas, $uri );
}
# Get the current URL with parameters contained directly into URL (GET params)
# This method replaces $query->url() which will give both GET and POST params
sub _url_with_get_params {
my $query = shift;
my $type = shift;
my $uri_base_part =
( $type eq 'opac' )
? C4::Context->preference('OPACBaseURL')
: C4::Context->preference('staffClientBaseURL');
$uri_base_part .= get_script_name();
my $uri_params_part = '';
foreach my $param ( $query->url_param() ) {
# url_param() always returns parameters that were deleted by delete()
# This additional check ensure that parameter was not deleted.
my $uriPiece = $query->param($param);
if ($uriPiece) {
$uri_params_part .= '&' if $uri_params_part;
$uri_params_part .= $param . '=';
$uri_params_part .= URI::Escape::uri_escape( $uriPiece );
}
}
$uri_base_part .= '?' if $uri_params_part;
return $uri_base_part . $uri_params_part;
}
=head2 logout_if_required
If using CAS, this subroutine will trigger single-signout of the CAS server.
=cut
sub logout_if_required {
my ( $query ) = @_;
# Check we havent been hit by a logout call
my $xml = $query->param('logoutRequest');
return 0 unless $xml;
my $dom = XML::LibXML->load_xml(string => $xml);
my $ticket;
foreach my $node ($dom->findnodes('/samlp:LogoutRequest')){
# We got a cas single logout request from a cas server;
$ticket = $node->findvalue('./samlp:SessionIndex');
}
return 0 unless $ticket;
# We've been called as part of the single logout destroy the session associated with the cas ticket
my $params = C4::Auth::_get_session_params();
my $success = CGI::Session->find( $params->{dsn}, sub {delete_cas_session(@_, $ticket)}, $params->{dsn_args} );
print $query->header;
exit;
}
sub delete_cas_session {
my $session = shift;
my $ticket = shift;
if ($session->param('cas_ticket') && $session->param('cas_ticket') eq $ticket ) {
$session->delete;
$session->flush;
}
}
1;
__END__
=head1 NAME
C4::Auth - Authenticates Koha users
=head1 SYNOPSIS
use C4::Auth_with_cas;
=cut
=head1 SEE ALSO
CGI(3)
Authen::CAS::Client
=cut