Annotation of loncom/auth/lonshibauth.pm, revision 1.14.2.1

1.1       raeburn     1: # The LearningOnline Network
1.13      raeburn     2: # Redirect Single Sign On authentication to designated URL: 
                      3: # /adm/sso, by default.
1.1       raeburn     4: #
1.14.2.1! raeburn     5: # $Id: lonshibauth.pm,v 1.14 2021/12/12 20:49:26 raeburn Exp $
1.1       raeburn     6: #
                      7: # Copyright Michigan State University Board of Trustees
                      8: #
                      9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                     10: #
                     11: # LON-CAPA is free software; you can redistribute it and/or modify
                     12: # it under the terms of the GNU General Public License as published by
                     13: # the Free Software Foundation; either version 2 of the License, or
                     14: # (at your option) any later version.
                     15: #
                     16: # LON-CAPA is distributed in the hope that it will be useful,
                     17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     19: # GNU General Public License for more details.
                     20: #
                     21: # You should have received a copy of the GNU General Public License
                     22: # along with LON-CAPA; if not, write to the Free Software
                     23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     24: #
                     25: # /home/httpd/html/adm/gpl.txt
                     26: #
                     27: # http://www.lon-capa.org/
                     28: #
                     29: 
                     30: =head1 NAME
                     31: 
1.13      raeburn    32: Apache::lonshibauth - Redirect Single Sign On authentication
1.1       raeburn    33: 
                     34: =head1 SYNOPSIS
                     35: 
1.13      raeburn    36: Invoked when an Apache config file includes:
                     37: PerlAuthenHandler Apache::lonshibauth
1.1       raeburn    38: 
                     39: If server is configured as a Shibboleth SP, the main Apache 
1.13      raeburn    40: configuration file, e.g., /etc/httpd/conf/httpd.conf
1.1       raeburn    41: (for RHEL/CentOS/Scentific Linux/Fedora) should contain:
                     42: 
                     43: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
                     44: 
                     45: or equivalent (depending on Apache version) 
                     46: before the line to include conf/loncapa_apache.conf
                     47: 
1.13      raeburn    48: If some other Apache module is in use for Single Sign On
                     49: authentication e.g., mod_auth_cas or mod_sentinel,
                     50: then a separate config file should be created which
                     51: includes settings for the authentication module.
                     52:  
1.1       raeburn    53: =head1 INTRODUCTION
                     54: 
1.13      raeburn    55: Redirects a user requiring Single Sign On to a URL on the server  
                     56: which is configured to use that service. The default URL is:
                     57: /adm/sso. 
                     58: 
                     59: If this is to be used with a Single Sign On service other Shibboleth
                     60: then an Apache config file needs to be loaded which: 
                     61: 
                     62: (a) loads the corresponding Apache module, and 
                     63: (b) sets appropriate values for perl vars in 
                     64: an <IfModule mod_***></IfModule> block, and
                     65: (c) sets an appropriate value for AuthType in a
                     66: <Location /adm/sso><IfModule mod_***>
                     67: </IfModule></Location> block, which also contains
                     68: 
                     69: require valid-user
                     70: 
                     71: PerlAuthzHandler       Apache::lonshibacc
                     72: 
                     73: PerlAuthzHandler       Apache::lonacc 
                     74: 
                     75: In the case of Shibboleth no additional file is needed
                     76: because loncapa_apache.conf already contains:
                     77: 
                     78: <IfModule mod_shib>
                     79:     PerlAuthenHandler Apache::lonshibauth
                     80:     PerlSetVar lonOtherAuthen yes
                     81:     PerlSetVar lonOtherAuthenType Shibboleth
                     82: 
                     83: </IfModule>
                     84: 
                     85: and
                     86: 
                     87: <Location /adm/sso>
                     88:   Header set Cache-Control "private,no-store,no-cache,max-age=0"
                     89:   <IfModule mod_shib>
                     90:     AuthType shibboleth
                     91:     ShibUseEnvironment On
                     92:     ShibRequestSetting requireSession 1
                     93:     ShibRequestSetting redirectToSSL 443
                     94:     require valid-user
                     95:     PerlAuthzHandler       Apache::lonshibacc
                     96:     PerlAuthzHandler       Apache::lonacc
                     97:     ErrorDocument     403 /adm/login
                     98:     ErrorDocument     500 /adm/errorhandler
                     99:   </IfModule>
                    100:   <IfModule !mod_shib>
                    101:     PerlTypeHandler        Apache::lonnoshib
                    102:   </IfModule>
                    103: 
                    104: </Location>
                    105: 
                    106: If the service is not Shibboleth, then (optionally) a URL that is 
                    107: not /adm/sso can be used as the URL for the service, e.g., /adm/cas
                    108: or /adm/sentinel, by setting a lonOtherAuthenUrl perl var
                    109: in an Apache config file containing (for example):
                    110: 
                    111: PerlSetVar lonOtherAuthenUrl /adm/sentinel
                    112: 
                    113: <IfModule mod_sentinel>
                    114:     PerlAuthenHandler Apache::lonshibauth
                    115:     PerlSetVar lonOtherAuthen yes
                    116:     PerlSetVar lonOtherAuthenType Sentinel
                    117: 
                    118: </IfModule>
                    119: 
                    120: <Location /adm/sentinel>
                    121:   Header set Cache-Control "private,no-store,no-cache,max-age=0"
                    122:   <IfModule mod_sentinel>
                    123:     AuthType Sentinel
                    124:     require valid-user
                    125:     PerlAuthzHandler  Apache::lonshibacc
                    126:     PerlAuthzHandler  Apache::lonacc
                    127:     ErrorDocument     403 /adm/login
                    128:     ErrorDocument     500 /adm/errorhandler
                    129:   </IfModule>
                    130:   <IfModule !mod_sentinel>
                    131:     PerlTypeHandler        Apache::lonnoshib
                    132:   </IfModule>
                    133: 
                    134: </Location>
                    135: 
                    136: In the example above for Sentinel SSO, it would also be possible to 
                    137: use /adm/sso instead of /adm/sentinel, in which case (i) there would be 
                    138: no need to define lonOtherAuthenUrl, (ii) there would be <Location /adm/sso> 
                    139: and (iii) the <IfModule !></IfModule> block would not be needed as 
                    140: it is already present in /etc/httpd/conf/loncapa_apache.conf.
1.1       raeburn   141: 
                    142: =head1 HANDLER SUBROUTINE
                    143: 
                    144: This routine is called by Apache and mod_perl.
                    145: 
                    146: =over 4
                    147: 
1.13      raeburn   148: If $r->user is defined and requested URL is not /adm/sso or
                    149: other specific URL as set by a lonOtherAuthenUrl perlvar,
                    150: then redirect to /adm/sso (or to the specific URL).
                    151: 
                    152: Otherwise return DECLINED.
                    153: 
                    154: In the case of redirection a query string is appended,
                    155: which will contain either (a) the originally requested URL,
                    156: if not /adm/sso (or lonOtherAuthenUrl URL), and 
                    157: any existing query string in the original request, or
1.14.2.1! raeburn   158: (b) if redirect is to /adm/login to support dual SSO and
1.13      raeburn   159: non-SSO, a query string which contains sso=tokenID, where the
                    160: token contains information for deep-linking to course/resource. 
                    161: 
                    162: Support is included for use of LON-CAPA's standard log-in
                    163: page -- /adm/login -- to support dual SSO and non-SSO 
                    164: authentication from that "landing" page.
                    165: 
                    166: To enable dual SSO and non-SSO access from /adm/login
                    167: a Domain Coordinator will use the web GUI:
                    168: Main Menu > Set domain configuration > Display
                    169: ("Log-in page options" checked) 
                    170: and for any of the LON-CAPA domain's servers which
                    171: will offer dual login will check "Yes" and then set:
                    172: (a) SSO Text, Image, Alt Text, URL, Tool Tip
                    173: (b) non-SSO: Text
                    174: 
                    175: The value in the URL field should be /adm/sso,
                    176: or the same URL as set for the lonOtherAuthenUrl
                    177: perl var, e.g., /adm/sentinel.
1.1       raeburn   178: 
1.13      raeburn   179: =back
                    180: 
                    181: =head1 NOTABLE SUBROUTINES
                    182: 
                    183: =over 4
                    184: 
                    185: =item set_token()
                    186: 
                    187: Inputs: 2
                    188: $r - request object
                    189: $lonhost - hostID of current server
                    190: 
                    191: Output: 1
                    192: $querystring - query string to append to URL
                    193: when redirecting.
                    194: 
1.14.2.1! raeburn   195: If role and/or symb are present in the original query string:
        !           196: then they will be stored in the token file on the server,
        !           197: for access later to support deep-linking.
1.1       raeburn   198: 
                    199: =back
                    200: 
                    201: =cut
                    202: 
                    203: package Apache::lonshibauth;
                    204: 
                    205: use strict;
                    206: use lib '/home/httpd/lib/perl/';
1.3       raeburn   207: use Apache::lonnet;
1.11      raeburn   208: use Apache::loncommon;
                    209: use Apache::lonacc;
1.2       raeburn   210: use Apache::Constants qw(:common REDIRECT);
1.11      raeburn   211: use LONCAPA qw(:DEFAULT :match);
1.1       raeburn   212: 
                    213: sub handler {
                    214:     my $r = shift;
1.13      raeburn   215:     my $ssourl = '/adm/sso';
                    216:     if ($r->dir_config('lonOtherAuthenUrl') ne '') {
                    217:         $ssourl = $r->dir_config('lonOtherAuthenUrl');
                    218:     }
                    219:     my $target = $ssourl;
1.6       raeburn   220:     if (&Apache::lonnet::get_saml_landing()) {
                    221:         $target = '/adm/login';
                    222:     }
1.13      raeburn   223:     if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne $ssourl)) {
1.3       raeburn   224:         my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
                    225:         my $hostname = &Apache::lonnet::hostname($lonhost);
                    226:         if (!$hostname) { $hostname = $r->hostname(); }
                    227:         my $protocol = $Apache::lonnet::protocol{$lonhost};
                    228:         unless ($protocol eq 'https') { $protocol = 'http'; }
1.4       raeburn   229:         my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
1.7       raeburn   230:         if (($alias ne '') &&
1.14      raeburn   231:             (&Apache::lonnet::alias_sso($lonhost))) {
1.7       raeburn   232:             $hostname = $alias;
                    233:         }
1.3       raeburn   234:         my $dest = $protocol.'://'.$hostname.$target;
1.11      raeburn   235:         if ($target eq '/adm/login') {
                    236:              my $querystring = &set_token($r,$lonhost);
                    237:              if ($querystring ne '') {
                    238:                  $dest .= '?'.$querystring;
                    239:              }
                    240:         } else {
                    241:             my $uri = $r->uri;
1.14.2.1! raeburn   242:             if ($r->args ne '') {
        !           243:                 $dest .= (($dest=~/\?/)?'&':'?').$r->args;
        !           244:             }
        !           245:             unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) {
        !           246:                 unless ($r->args =~ /origurl=/) {
        !           247:                     $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri;
1.8       raeburn   248:                 }
                    249:             }
1.5       raeburn   250:         }
1.1       raeburn   251:         $r->header_out(Location => $dest);
                    252:         return REDIRECT;
                    253:     } else {
                    254:         return DECLINED;
                    255:     }
                    256: }
                    257: 
1.11      raeburn   258: sub set_token {
                    259:     my ($r,$lonhost) = @_;
                    260:     my ($firsturl,$querystring,$ssotoken,@names,%token);
1.14.2.1! raeburn   261:     @names = ('role','symb');
1.11      raeburn   262:     map { $token{$_} = 1; } @names;
                    263:     unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) {
                    264:         $firsturl = $r->uri;
                    265:     }
                    266:     if ($r->args ne '') {
                    267:         &Apache::loncommon::get_unprocessed_cgi($r->args);
                    268:     }
                    269:     my $extras;
                    270:     foreach my $name (@names) {
                    271:         if ($env{'form.'.$name} ne '') {
1.14.2.1! raeburn   272:             $extras .= '&'.$name.'='.&escape($env{'form.'.$name});
1.11      raeburn   273:         }
                    274:     }
                    275:     if (($firsturl ne '') || ($extras ne '')) {
                    276:         $extras .= ':sso';
                    277:         $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
                    278:                                            $extras,$lonhost);
                    279:         $querystring = 'sso='.$ssotoken;
                    280:     }
                    281:     if ($r->args ne '') {
                    282:         foreach my $key (sort(keys(%env))) {
                    283:             if ($key =~ /^form\.(.+)$/) {
                    284:                 my $name = $1;
1.14.2.1! raeburn   285:                 next if ($token{$name});
1.11      raeburn   286:                 $querystring .= '&'.$name.'='.$env{$key};
                    287:             }
                    288:         }
                    289:     }
                    290:     return $querystring;
                    291: }
                    292: 
1.1       raeburn   293: 1;
                    294: __END__

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>