Annotation of loncom/auth/lonshibauth.pm, revision 1.11

1.1       raeburn     1: # The LearningOnline Network
                      2: # Redirect Shibboleth authentication to designated URL (/adm/sso).
                      3: #
1.11    ! raeburn     4: # $Id: lonshibauth.pm,v 1.10 2021/10/10 23:59:19 raeburn Exp $
1.1       raeburn     5: #
                      6: # Copyright Michigan State University Board of Trustees
                      7: #
                      8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                      9: #
                     10: # LON-CAPA is free software; you can redistribute it and/or modify
                     11: # it under the terms of the GNU General Public License as published by
                     12: # the Free Software Foundation; either version 2 of the License, or
                     13: # (at your option) any later version.
                     14: #
                     15: # LON-CAPA is distributed in the hope that it will be useful,
                     16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     18: # GNU General Public License for more details.
                     19: #
                     20: # You should have received a copy of the GNU General Public License
                     21: # along with LON-CAPA; if not, write to the Free Software
                     22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     23: #
                     24: # /home/httpd/html/adm/gpl.txt
                     25: #
                     26: # http://www.lon-capa.org/
                     27: #
                     28: 
                     29: =head1 NAME
                     30: 
                     31: Apache::lonshibauth - Redirect Shibboleth authentication
                     32: 
                     33: =head1 SYNOPSIS
                     34: 
                     35: Invoked when lonOtherAuthen is set to yes, and type is Shibboleth 
                     36: 
                     37: If server is configured as a Shibboleth SP, the main Apache 
                     38: configuration file, e.g.,  /etc/httpd/conf/httpd.conf
                     39: (for RHEL/CentOS/Scientific Linux/Fedora) should contain:
                     40: 
                     41: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
                     42: 
                     43: or equivalent (depending on Apache version) 
                     44: before the line to include conf/loncapa_apache.conf
                     45: 
                     46: =head1 INTRODUCTION
                     47: 
                     48: Redirects a user requiring Single Sign On via Shibboleth to a  
                     49: URL -- /adm/sso -- on the server which is configured to use that service.
                     50: 
                     51: =head1 HANDLER SUBROUTINE
                     52: 
                     53: This routine is called by Apache and mod_perl.
                     54: 
                     55: =over 4
                     56: 
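                     57: If $r->user is empty and the requested uri is neither the redirect target nor
                     58: /adm/sso, redirect to the target (/adm/login when get_saml_landing() returns true, otherwise /adm/sso)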
                     59: 
                     60: Otherwise return DECLINED
                     61: 
                     62: =back
                     63: 
                     64: =cut
                     65: 
                     66: package Apache::lonshibauth;
                     67: 
                     68: use strict;
                     69: use lib '/home/httpd/lib/perl/';
1.3       raeburn    70: use Apache::lonnet;
1.11    ! raeburn    71: use Apache::loncommon;
        !            72: use Apache::lonacc;
1.2       raeburn    73: use Apache::Constants qw(:common REDIRECT);
1.11    ! raeburn    74: use LONCAPA qw(:DEFAULT :match);
1.1       raeburn    75: 
                     76: sub handler {
                     77:     my $r = shift;
                     78:     my $target = '/adm/sso';
1.6       raeburn    79:     if (&Apache::lonnet::get_saml_landing()) {
                     80:         $target = '/adm/login';
                     81:     }
1.11    ! raeburn    82:     if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne '/adm/sso')) {
1.3       raeburn    83:         my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
                     84:         my $hostname = &Apache::lonnet::hostname($lonhost);
                     85:         if (!$hostname) { $hostname = $r->hostname(); }
                     86:         my $protocol = $Apache::lonnet::protocol{$lonhost};
                     87:         unless ($protocol eq 'https') { $protocol = 'http'; }
1.4       raeburn    88:         my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
1.7       raeburn    89:         if (($alias ne '') &&
                     90:             (&Apache::lonnet::alias_shibboleth($lonhost))) {
                     91:             $hostname = $alias;
                     92:         }
1.3       raeburn    93:         my $dest = $protocol.'://'.$hostname.$target;
1.11    ! raeburn    94:         if ($target eq '/adm/login') {
        !            95:              my $querystring = &set_token($r,$lonhost);
        !            96:              if ($querystring ne '') {
        !            97:                  $dest .= '?'.$querystring;
        !            98:              }
        !            99:         } else {
        !           100:             my $uri = $r->uri;
        !           101:             if ($r->args ne '') {
        !           102:                 $dest .= (($dest=~/\?/)?'&':'?').$r->args;
        !           103:             }
        !           104:             unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) {
        !           105:                 unless ($r->args =~ /origurl=/) {
        !           106:                     $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri;
1.8       raeburn   107:                 }
1.11    ! raeburn   108:             }
        !           109:             if ($uri =~ m{^/tiny/$match_domain/\w+$}) {
        !           110:                 unless (($r->args =~ /ltoken=/) || ($r->args =~ /linkkey=/)) {
        !           111:                     &Apache::lonacc::get_posted_cgi($r,['linkkey']);
        !           112:                     if ($env{'form.linkkey'} ne '') {
        !           113:                         $dest.=(($dest=~/\?/)?'&':'?').'linkkey='.$env{'form.linkkey'};
        !           114:                     }
1.8       raeburn   115:                 }
                    116:             }
1.5       raeburn   117:         }
1.1       raeburn   118:         $r->header_out(Location => $dest);
                    119:         return REDIRECT;
                    120:     } else {
                    121:         return DECLINED;
                    122:     }
                    123: }
                    124: 
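# set_token($r,$lonhost)
#
# Builds the query string appended to the /adm/login redirect.
#
# The original request path (unless it is /adm/roles or /adm/logout) and
# any role, symb, linkkey or linkprot values are stored on $lonhost with a
# 'tmpput' request; the reply is returned to the browser as 'sso=<token>'.
# All other form.* entries found in %env are passed through as ordinary
# query parameters when the request had a query string.
#
# Returns the query string without a leading '?'; the return value is
# undefined when there is nothing to send.
sub set_token {
    my ($r,$lonhost) = @_;
    my ($firsturl,$querystring,$ssotoken,$extras);
    my @names = ('role','symb','ltoken','linkkey');
    # Names carried inside the token; they are not repeated in the URL.
    my %token = map { $_ => 1 } @names;
    unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) {
        $firsturl = $r->uri;
    }
    if ($r->args ne '') {
        &Apache::loncommon::get_unprocessed_cgi($r->args);
    }
    if ($r->uri =~ m{^/tiny/$match_domain/\w+$}) {
        unless (($env{'form.ltoken'}) || ($env{'form.linkkey'})) {
            &Apache::lonacc::get_posted_cgi($r,['linkkey']);
        }
    }
    foreach my $name (@names) {
        if ($env{'form.'.$name} ne '') {
            if ($name eq 'ltoken') {
                # Only the 'linkprot' entry looked up for the ltoken is
                # stored, not the ltoken itself.  When one is found the
                # loop stops, so a linkkey is not stored as well.
                my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
                if ($info{'linkprot'}) {
                    $extras .= '&linkprot='.&escape($info{'linkprot'});
                    last;
                }
            } else {
                $extras .= '&'.$name.'='.&escape($env{'form.'.$name});
            }
        }
    }
    if (($firsturl ne '') || ($extras ne '')) {
        $extras .= ':sso';
        # NOTE(review): the reply is used as the token without checking
        # whether it is an error indication from the tmpput request --
        # confirm how a failed reply should be handled.
        $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
                                           $extras,$lonhost);
        $querystring = 'sso='.$ssotoken;
    }
    if ($r->args ne '') {
        # NOTE(review): this walks every form.* key in %env, not only the
        # ones parsed from this request -- presumably %env holds nothing
        # else for an unauthenticated request; confirm.
        my @passthru;
        foreach my $key (sort(keys(%env))) {
            next unless ($key =~ /^form\.(.+)$/);
            my $name = $1;
            next if ($token{$name});
            # Values are escaped again, as the token values above are, so
            # a value containing '&', '=' or control characters stays a
            # single parameter in the Location header.
            push(@passthru,$name.'='.&escape($env{$key}));
        }
        if (@passthru) {
            # Join with '&' only between parts, so the string does not
            # begin with '&' when no sso token was created.
            $querystring = join('&',grep { $_ ne '' } ($querystring,@passthru));
        }
    }
    return $querystring;
}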
        !           172: 
1.1       raeburn   173: 1;
                    174: __END__
