Annotation of loncom/auth/lonshibauth.pm, revision 1.13

1.1       raeburn     1: # The LearningOnline Network
1.13    ! raeburn     2: # Redirect Single Sign On authentication to designated URL: 
        !             3: # /adm/sso, by default.
1.1       raeburn     4: #
1.13    ! raeburn     5: # $Id: lonshibauth.pm,v 1.12 2021/11/03 01:04:02 raeburn Exp $
1.1       raeburn     6: #
                      7: # Copyright Michigan State University Board of Trustees
                      8: #
                      9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                     10: #
                     11: # LON-CAPA is free software; you can redistribute it and/or modify
                     12: # it under the terms of the GNU General Public License as published by
                     13: # the Free Software Foundation; either version 2 of the License, or
                     14: # (at your option) any later version.
                     15: #
                     16: # LON-CAPA is distributed in the hope that it will be useful,
                     17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     19: # GNU General Public License for more details.
                     20: #
                     21: # You should have received a copy of the GNU General Public License
                     22: # along with LON-CAPA; if not, write to the Free Software
                     23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     24: #
                     25: # /home/httpd/html/adm/gpl.txt
                     26: #
                     27: # http://www.lon-capa.org/
                     28: #
                     29: 
                     30: =head1 NAME
                     31: 
1.13    ! raeburn    32: Apache::lonshibauth - Redirect Single Sign On authentication
1.1       raeburn    33: 
                     34: =head1 SYNOPSIS
                     35: 
1.13    ! raeburn    36: Invoked when an Apache config file includes:
        !            37: PerlAuthenHandler Apache::lonshibauth
1.1       raeburn    38: 
                     39: If server is configured as a Shibboleth SP, the main Apache 
1.13    ! raeburn    40: configuration file, e.g., /etc/httpd/conf/httpd.conf
1.1       raeburn    41: (for RHEL/CentOS/Scentific Linux/Fedora) should contain:
                     42: 
                     43: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
                     44: 
                     45: or equivalent (depending on Apache version) 
                     46: before the line to include conf/loncapa_apache.conf
                     47: 
1.13    ! raeburn    48: If some other Apache module is in use for Single Sign On
        !            49: authentication e.g., mod_auth_cas or mod_sentinel,
        !            50: then a separate config file should be created which
        !            51: includes settings for the authentication module.
        !            52:  
1.1       raeburn    53: =head1 INTRODUCTION
                     54: 
1.13    ! raeburn    55: Redirects a user requiring Single Sign On to a URL on the server  
        !            56: which is configured to use that service. The default URL is:
        !            57: /adm/sso. 
        !            58: 
        !            59: If this is to be used with a Single Sign On service other Shibboleth
        !            60: then an Apache config file needs to be loaded which: 
        !            61: 
        !            62: (a) loads the corresponding Apache module, and 
        !            63: (b) sets appropriate values for perl vars in 
        !            64: an <IfModule mod_***></IfModule> block, and
        !            65: (c) sets an appropriate value for AuthType in a
        !            66: <Location /adm/sso><IfModule mod_***>
        !            67: </IfModule></Location> block, which also contains
        !            68: 
        !            69: require valid-user
        !            70: 
        !            71: PerlAuthzHandler       Apache::lonshibacc
        !            72: 
        !            73: PerlAuthzHandler       Apache::lonacc 
        !            74: 
        !            75: In the case of Shibboleth no additional file is needed
        !            76: because loncapa_apache.conf already contains:
        !            77: 
        !            78: <IfModule mod_shib>
        !            79:     PerlAuthenHandler Apache::lonshibauth
        !            80:     PerlSetVar lonOtherAuthen yes
        !            81:     PerlSetVar lonOtherAuthenType Shibboleth
        !            82: 
        !            83: </IfModule>
        !            84: 
        !            85: and
        !            86: 
        !            87: <Location /adm/sso>
        !            88:   Header set Cache-Control "private,no-store,no-cache,max-age=0"
        !            89:   <IfModule mod_shib>
        !            90:     AuthType shibboleth
        !            91:     ShibUseEnvironment On
        !            92:     ShibRequestSetting requireSession 1
        !            93:     ShibRequestSetting redirectToSSL 443
        !            94:     require valid-user
        !            95:     PerlAuthzHandler       Apache::lonshibacc
        !            96:     PerlAuthzHandler       Apache::lonacc
        !            97:     ErrorDocument     403 /adm/login
        !            98:     ErrorDocument     500 /adm/errorhandler
        !            99:   </IfModule>
        !           100:   <IfModule !mod_shib>
        !           101:     PerlTypeHandler        Apache::lonnoshib
        !           102:   </IfModule>
        !           103: 
        !           104: </Location>
        !           105: 
        !           106: If the service is not Shibboleth, then (optionally) a URL that is 
        !           107: not /adm/sso can be used as the URL for the service, e.g., /adm/cas
        !           108: or /adm/sentinel, by setting a lonOtherAuthenUrl perl var
        !           109: in an Apache config file containing (for example):
        !           110: 
        !           111: PerlSetVar lonOtherAuthenUrl /adm/sentinel
        !           112: 
        !           113: <IfModule mod_sentinel>
        !           114:     PerlAuthenHandler Apache::lonshibauth
        !           115:     PerlSetVar lonOtherAuthen yes
        !           116:     PerlSetVar lonOtherAuthenType Sentinel
        !           117: 
        !           118: </IfModule>
        !           119: 
        !           120: <Location /adm/sentinel>
        !           121:   Header set Cache-Control "private,no-store,no-cache,max-age=0"
        !           122:   <IfModule mod_sentinel>
        !           123:     AuthType Sentinel
        !           124:     require valid-user
        !           125:     PerlAuthzHandler  Apache::lonshibacc
        !           126:     PerlAuthzHandler  Apache::lonacc
        !           127:     ErrorDocument     403 /adm/login
        !           128:     ErrorDocument     500 /adm/errorhandler
        !           129:   </IfModule>
        !           130:   <IfModule !mod_sentinel>
        !           131:     PerlTypeHandler        Apache::lonnoshib
        !           132:   </IfModule>
        !           133: 
        !           134: </Location>
        !           135: 
        !           136: In the example above for Sentinel SSO, it would also be possible to 
        !           137: use /adm/sso instead of /adm/sentinel, in which case (i) there would be 
        !           138: no need to define lonOtherAuthenUrl, (ii) there would be <Location /adm/sso> 
        !           139: and (iii) the <IfModule !></IfModule> block would not be needed as 
        !           140: it is already present in /etc/httpd/conf/loncapa_apache.conf.
1.1       raeburn   141: 
                    142: =head1 HANDLER SUBROUTINE
                    143: 
                    144: This routine is called by Apache and mod_perl.
                    145: 
                    146: =over 4
                    147: 
1.13    ! raeburn   148: If $r->user is defined and requested URL is not /adm/sso or
        !           149: other specific URL as set by a lonOtherAuthenUrl perlvar,
        !           150: then redirect to /adm/sso (or to the specific URL).
        !           151: 
        !           152: Otherwise return DECLINED.
        !           153: 
        !           154: In the case of redirection a query string is appended,
        !           155: which will contain either (a) the originally requested URL,
        !           156: if not /adm/sso (or lonOtherAuthenUrl URL), and 
        !           157: any existing query string in the original request, or
        !           158: (b) if original request was for /tiny/domain/uniqueID,
        !           159: or if redirect is to /adm/login to support dual SSO and
        !           160: non-SSO, a query string which contains sso=tokenID, where the
        !           161: token contains information for deep-linking to course/resource. 
        !           162: 
        !           163: Support is included for use of LON-CAPA's standard log-in
        !           164: page -- /adm/login -- to support dual SSO and non-SSO 
        !           165: authentication from that "landing" page.
        !           166: 
        !           167: To enable dual SSO and non-SSO access from /adm/login
        !           168: a Domain Coordinator will use the web GUI:
        !           169: Main Menu > Set domain configuration > Display
        !           170: ("Log-in page options" checked) 
        !           171: and for any of the LON-CAPA domain's servers which
        !           172: will offer dual login will check "Yes" and then set:
        !           173: (a) SSO Text, Image, Alt Text, URL, Tool Tip
        !           174: (b) non-SSO: Text
        !           175: 
        !           176: The value in the URL field should be /adm/sso,
        !           177: or the same URL as set for the lonOtherAuthenUrl
        !           178: perl var, e.g., /adm/sentinel.
1.1       raeburn   179: 
1.13    ! raeburn   180: =back
        !           181: 
        !           182: =head1 NOTABLE SUBROUTINES
        !           183: 
        !           184: =over 4
        !           185: 
        !           186: =item set_token()
        !           187: 
        !           188: Inputs: 2
        !           189: $r - request object
        !           190: $lonhost - hostID of current server
        !           191: 
        !           192: Output: 1
        !           193: $querystring - query string to append to URL
        !           194: when redirecting.
        !           195: 
        !           196: If any of the following items are present in the original query string:
        !           197: role, symb, and linkkey, then they will be stored in the token file
        !           198: on the server, for access later to support deep-linking.  If the ltoken
        !           199: item is available, from successful launch from an LTI Consumer where
        !           200: LON-CAPA is the LTI Provider, but not configured to accept user 
        !           201: information, and the destination is a deep-link URL /tiny/domain/uniqueiD,
        !           202: then the LTI number, type (c or d), and tiny URL will be saved as the
        !           203: linkprot item in a token file.
1.1       raeburn   204: 
                    205: =back
                    206: 
                    207: =cut
                    208: 
                    209: package Apache::lonshibauth;
                    210: 
                    211: use strict;
                    212: use lib '/home/httpd/lib/perl/';
1.3       raeburn   213: use Apache::lonnet;
1.11      raeburn   214: use Apache::loncommon;
                    215: use Apache::lonacc;
1.2       raeburn   216: use Apache::Constants qw(:common REDIRECT);
1.11      raeburn   217: use LONCAPA qw(:DEFAULT :match);
1.1       raeburn   218: 
                    219: sub handler {
                    220:     my $r = shift;
1.13    ! raeburn   221:     my $ssourl = '/adm/sso';
        !           222:     if ($r->dir_config('lonOtherAuthenUrl') ne '') {
        !           223:         $ssourl = $r->dir_config('lonOtherAuthenUrl');
        !           224:     }
        !           225:     my $target = $ssourl;
1.6       raeburn   226:     if (&Apache::lonnet::get_saml_landing()) {
                    227:         $target = '/adm/login';
                    228:     }
1.13    ! raeburn   229:     if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne $ssourl)) {
1.3       raeburn   230:         my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
                    231:         my $hostname = &Apache::lonnet::hostname($lonhost);
                    232:         if (!$hostname) { $hostname = $r->hostname(); }
                    233:         my $protocol = $Apache::lonnet::protocol{$lonhost};
                    234:         unless ($protocol eq 'https') { $protocol = 'http'; }
1.4       raeburn   235:         my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
1.7       raeburn   236:         if (($alias ne '') &&
                    237:             (&Apache::lonnet::alias_shibboleth($lonhost))) {
                    238:             $hostname = $alias;
                    239:         }
1.3       raeburn   240:         my $dest = $protocol.'://'.$hostname.$target;
1.11      raeburn   241:         if ($target eq '/adm/login') {
                    242:              my $querystring = &set_token($r,$lonhost);
                    243:              if ($querystring ne '') {
                    244:                  $dest .= '?'.$querystring;
                    245:              }
                    246:         } else {
                    247:             my $uri = $r->uri;
1.12      raeburn   248:             if ($uri =~ m{^/tiny/$match_domain/\w+$}) {
                    249:                 my $querystring = &set_token($r,$lonhost);
                    250:                 if ($querystring ne '') {
                    251:                     $dest .= '?'.$querystring;
                    252:                 }
                    253:             } else {
                    254:                 if ($r->args ne '') {
                    255:                     $dest .= (($dest=~/\?/)?'&':'?').$r->args;
1.8       raeburn   256:                 }
1.12      raeburn   257:                 unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) {
                    258:                     unless ($r->args =~ /origurl=/) {
                    259:                         $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri;
1.11      raeburn   260:                     }
1.8       raeburn   261:                 }
                    262:             }
1.5       raeburn   263:         }
1.1       raeburn   264:         $r->header_out(Location => $dest);
                    265:         return REDIRECT;
                    266:     } else {
                    267:         return DECLINED;
                    268:     }
                    269: }
                    270: 
1.11      raeburn   271: sub set_token {
                    272:     my ($r,$lonhost) = @_;
                    273:     my ($firsturl,$querystring,$ssotoken,@names,%token);
                    274:     @names = ('role','symb','ltoken','linkkey');
                    275:     map { $token{$_} = 1; } @names;
                    276:     unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) {
                    277:         $firsturl = $r->uri;
                    278:     }
                    279:     if ($r->args ne '') {
                    280:         &Apache::loncommon::get_unprocessed_cgi($r->args);
                    281:     }
                    282:     if ($r->uri =~ m{^/tiny/$match_domain/\w+$}) {
1.12      raeburn   283:         if ($env{'form.ttoken'}) {
                    284:             my %info = &Apache::lonnet::tmpget($env{'form.ttoken'});
                    285:             &Apache::lonnet::tmpdel($env{'form.ttoken'});
                    286:             if ($info{'ltoken'}) {
                    287:                 $env{'form.ltoken'} = $info{'ltoken'};
                    288:             } elsif ($info{'linkkey'} ne '') {
                    289:                 $env{'form.linkkey'} = $info{'linkkey'};
                    290:             }
                    291:         } else {
                    292:             unless (($env{'form.ltoken'}) || ($env{'form.linkkey'})) {
                    293:                 &Apache::lonacc::get_posted_cgi($r,['linkkey']);
                    294:             }
1.11      raeburn   295:         }
                    296:     }
                    297:     my $extras;
                    298:     foreach my $name (@names) {
                    299:         if ($env{'form.'.$name} ne '') {
                    300:             if ($name eq 'ltoken') {
                    301:                 my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
1.12      raeburn   302:                 &Apache::lonnet::tmpdel($env{'form.ltoken'});
1.11      raeburn   303:                 if ($info{'linkprot'}) {
                    304:                     $extras .= '&linkprot='.&escape($info{'linkprot'});
                    305:                     last;
                    306:                 }
                    307:             } else {
                    308:                 $extras .= '&'.$name.'='.&escape($env{'form.'.$name});
                    309:             }
                    310:         }
                    311:     }
                    312:     if (($firsturl ne '') || ($extras ne '')) {
                    313:         $extras .= ':sso';
                    314:         $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
                    315:                                            $extras,$lonhost);
                    316:         $querystring = 'sso='.$ssotoken;
                    317:     }
                    318:     if ($r->args ne '') {
                    319:         foreach my $key (sort(keys(%env))) {
                    320:             if ($key =~ /^form\.(.+)$/) {
                    321:                 my $name = $1;
1.12      raeburn   322:                 next if (($token{$name}) || ($name eq 'ttoken'));
1.11      raeburn   323:                 $querystring .= '&'.$name.'='.$env{$key};
                    324:             }
                    325:         }
                    326:     }
                    327:     return $querystring;
                    328: }
                    329: 
1.1       raeburn   330: 1;
                    331: __END__

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>