[BACK]Return to lonshibauth.pm CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom / auth
File:  [LON-CAPA] / loncom / auth / lonshibauth.pm
Revision 1.12: download - view: text, annotated - select for diffs
Wed Nov 3 01:04:02 2021 UTC (2 years, 9 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD
- Bug 6907
  - Use of token to store linkprot or linkkey compatible with use of
    btoken and iptoken (for load balancing and IP change respectively).
  - Launching access from a deeplink, with its own ltoken and/or linkkey,
    for a user session originally launched from a different deeplink will
    update required session information.

    1: # The LearningOnline Network
    2: # Redirect Shibboleth authentication to designated URL (/adm/sso).
    3: #
    4: # $Id: lonshibauth.pm,v 1.12 2021/11/03 01:04:02 raeburn Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: 
   29: =head1 NAME
   30: 
   31: Apache::lonshibauth - Redirect Shibboleth authentication
   32: 
   33: =head1 SYNOPSIS
   34: 
   35: Invoked when lonOtherAuthen is set to yes, and type is Shibboleth 
   36: 
   37: If server is configured as a Shibboleth SP, the main Apache 
   38: configuration file, e.g.,  /etc/httpd/conf/httpd.conf
   39: (for RHEL/CentOS/Scentific Linux/Fedora) should contain:
   40: 
   41: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
   42: 
   43: or equivalent (depending on Apache version) 
   44: before the line to include conf/loncapa_apache.conf
   45: 
   46: =head1 INTRODUCTION
   47: 
   48: Redirects a user requiring Single Sign On via Shibboleth to a  
   49: URL -- /adm/sso -- on the server which is configured to use that service.
   50: 
   51: =head1 HANDLER SUBROUTINE
   52: 
   53: This routine is called by Apache and mod_perl.
   54: 
   55: =over 4
   56: 
   57: If $r->user defined and requested uri not /adm/sso
   58: redirect to /adm/sso
   59: 
   60: Otherwise return DECLINED
   61: 
   62: =back
   63: 
   64: =cut
   65: 
   66: package Apache::lonshibauth;
   67: 
   68: use strict;
   69: use lib '/home/httpd/lib/perl/';
   70: use Apache::lonnet;
   71: use Apache::loncommon;
   72: use Apache::lonacc;
   73: use Apache::Constants qw(:common REDIRECT);
   74: use LONCAPA qw(:DEFAULT :match);
   75: 
   76: sub handler {
   77:     my $r = shift;
   78:     my $target = '/adm/sso';
   79:     if (&Apache::lonnet::get_saml_landing()) {
   80:         $target = '/adm/login';
   81:     }
   82:     if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne '/adm/sso')) {
   83:         my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
   84:         my $hostname = &Apache::lonnet::hostname($lonhost);
   85:         if (!$hostname) { $hostname = $r->hostname(); }
   86:         my $protocol = $Apache::lonnet::protocol{$lonhost};
   87:         unless ($protocol eq 'https') { $protocol = 'http'; }
   88:         my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
   89:         if (($alias ne '') &&
   90:             (&Apache::lonnet::alias_shibboleth($lonhost))) {
   91:             $hostname = $alias;
   92:         }
   93:         my $dest = $protocol.'://'.$hostname.$target;
   94:         if ($target eq '/adm/login') {
   95:              my $querystring = &set_token($r,$lonhost);
   96:              if ($querystring ne '') {
   97:                  $dest .= '?'.$querystring;
   98:              }
   99:         } else {
  100:             my $uri = $r->uri;
  101:             if ($uri =~ m{^/tiny/$match_domain/\w+$}) {
  102:                 my $querystring = &set_token($r,$lonhost);
  103:                 if ($querystring ne '') {
  104:                     $dest .= '?'.$querystring;
  105:                 }
  106:             } else {
  107:                 if ($r->args ne '') {
  108:                     $dest .= (($dest=~/\?/)?'&':'?').$r->args;
  109:                 }
  110:                 unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) {
  111:                     unless ($r->args =~ /origurl=/) {
  112:                         $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri;
  113:                     }
  114:                 }
  115:             }
  116:         }
  117:         $r->header_out(Location => $dest);
  118:         return REDIRECT;
  119:     } else {
  120:         return DECLINED;
  121:     }
  122: }
  123: 
  124: sub set_token {
  125:     my ($r,$lonhost) = @_;
  126:     my ($firsturl,$querystring,$ssotoken,@names,%token);
  127:     @names = ('role','symb','ltoken','linkkey');
  128:     map { $token{$_} = 1; } @names;
  129:     unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) {
  130:         $firsturl = $r->uri;
  131:     }
  132:     if ($r->args ne '') {
  133:         &Apache::loncommon::get_unprocessed_cgi($r->args);
  134:     }
  135:     if ($r->uri =~ m{^/tiny/$match_domain/\w+$}) {
  136:         if ($env{'form.ttoken'}) {
  137:             my %info = &Apache::lonnet::tmpget($env{'form.ttoken'});
  138:             &Apache::lonnet::tmpdel($env{'form.ttoken'});
  139:             if ($info{'ltoken'}) {
  140:                 $env{'form.ltoken'} = $info{'ltoken'};
  141:             } elsif ($info{'linkkey'} ne '') {
  142:                 $env{'form.linkkey'} = $info{'linkkey'};
  143:             }
  144:         } else {
  145:             unless (($env{'form.ltoken'}) || ($env{'form.linkkey'})) {
  146:                 &Apache::lonacc::get_posted_cgi($r,['linkkey']);
  147:             }
  148:         }
  149:     }
  150:     my $extras;
  151:     foreach my $name (@names) {
  152:         if ($env{'form.'.$name} ne '') {
  153:             if ($name eq 'ltoken') {
  154:                 my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
  155:                 &Apache::lonnet::tmpdel($env{'form.ltoken'});
  156:                 if ($info{'linkprot'}) {
  157:                     $extras .= '&linkprot='.&escape($info{'linkprot'});
  158:                     last;
  159:                 }
  160:             } else {
  161:                 $extras .= '&'.$name.'='.&escape($env{'form.'.$name});
  162:             }
  163:         }
  164:     }
  165:     if (($firsturl ne '') || ($extras ne '')) {
  166:         $extras .= ':sso';
  167:         $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
  168:                                            $extras,$lonhost);
  169:         $querystring = 'sso='.$ssotoken;
  170:     }
  171:     if ($r->args ne '') {
  172:         foreach my $key (sort(keys(%env))) {
  173:             if ($key =~ /^form\.(.+)$/) {
  174:                 my $name = $1;
  175:                 next if (($token{$name}) || ($name eq 'ttoken'));
  176:                 $querystring .= '&'.$name.'='.$env{$key};
  177:             }
  178:         }
  179:     }
  180:     return $querystring;
  181: }
  182: 
  183: 1;
  184: __END__
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>