Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/C4/Auth_with_cas.pm
Jonathan Druart 41a8005d10 Bug 28606: Remove $DEBUG and $ENV{DEBUG} 
We should remove the debug statements or use Koha::Logger when we want
to keep it.

Test plan:
Confirm that occurrences of remaining occurrences of DEBUG need to be
kept (historical scripts for instance)
Confirm that the occurrences removed by this patch can be removed
Confirm that the occurrences replaced by Koha::Logger are correct

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks good to me, noting a few minor points on BZ.

JD amended patch: replace "warn #Finished" with "#warn Finished", and
put the statement on a single line

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-24 11:53:44 +02:00

293 lines
8.7 KiB
Perl
Raw Blame History

package C4::Auth_with_cas;
# Copyright 2009 BibLibre SARL
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use strict;
use warnings;
use C4::Context;
use Koha::AuthUtils qw(get_script_name);
use Authen::CAS::Client;
use CGI qw ( -utf8 );
use FindBin;
use YAML::XS;
use Koha::Logger;
use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
BEGIN {
require Exporter;
@ISA = qw(Exporter);
@EXPORT = qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url logout_if_required);
}
my $defaultcasserver;
my $casservers;
my $yamlauthfile = C4::Context->config('intranetdir') . "/C4/Auth_cas_servers.yaml";
# If there's a configuration for multiple cas servers, then we get it
if (multipleAuth()) {
($defaultcasserver, $casservers) = YAML::XS::LoadFile($yamlauthfile);
$defaultcasserver = $defaultcasserver->{'default'};
} else {
# Else, we fall back to casServerUrl syspref
$defaultcasserver = 'default';
$casservers = { 'default' => C4::Context->preference('casServerUrl') };
}
=head1 Subroutines
=cut
# Is there a configuration file for multiple cas servers?
sub multipleAuth {
return (-e qq($yamlauthfile));
}
# Returns configured CAS servers' list if multiple authentication is enabled
sub getMultipleAuth {
return $casservers;
}
# Logout from CAS
sub logout_cas {
my ( $query, $type ) = @_;
my ( $cas, $uri ) = _get_cas_and_service( $query, undef, $type );
# We don't want to keep triggering a logout, if we got here,
# the borrower is already logged out of Koha
$uri =~ s/\?logout\.x=1//;
my $logout_url = $cas->logout_url( url => $uri );
$logout_url =~ s/url=/service=/
if C4::Context->preference('casServerVersion') eq '3';
print $query->redirect($logout_url);
}
# Login to CAS
sub login_cas {
my ($query, $type) = @_;
my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
print $query->redirect( $cas->login_url($uri));
}
# Returns CAS login URL with callback to the requesting URL
sub login_cas_url {
my ( $query, $key, $type ) = @_;
my ( $cas, $uri ) = _get_cas_and_service( $query, $key, $type );
return $cas->login_url($uri);
}
# Checks for password correctness
# In our case : is there a ticket, is it valid and does it match one of our users ?
sub checkpw_cas {
my ($dbh, $ticket, $query, $type) = @_;
my $retnumber;
my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
# If we got a ticket
if ($ticket) {
# We try to validate it
my $val = $cas->service_validate($uri, $ticket );
# If it's valid
if ( $val->is_success() ) {
my $userid = $val->user();
# we should store the CAS ticekt too, we need this for single logout https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#233-single-logout
# Does it match one of our users ?
my $sth = $dbh->prepare("select cardnumber from borrowers where userid=?");
$sth->execute($userid);
if ( $sth->rows ) {
$retnumber = $sth->fetchrow;
return ( 1, $retnumber, $userid, $ticket );
}
$sth = $dbh->prepare("select userid from borrowers where cardnumber=?");
$sth->execute($userid);
if ( $sth->rows ) {
$retnumber = $sth->fetchrow;
return ( 1, $retnumber, $userid, $ticket );
}
# If we reach this point, then the user is a valid CAS user, but not a Koha user
Koha::Logger->get->info("User $userid is not a valid Koha user");
} else {
my $logger = Koha::Logger->get;
$logger->debug("Problem when validating ticket : $ticket");
$logger->debug("Authen::CAS::Client::Response::Error: " . $val->error()) if $val->is_error();
$logger->debug("Authen::CAS::Client::Response::Failure: " . $val->message()) if $val->is_failure();
$logger->debug(Data::Dumper::Dumper($@)) if $val->is_error() or $val->is_failure();
return 0;
}
}
return 0;
}
# Proxy CAS auth
sub check_api_auth_cas {
my ($dbh, $PT, $query, $type) = @_;
my $retnumber;
my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
# If we have a Proxy Ticket
if ($PT) {
my $r = $cas->proxy_validate( $uri, $PT );
# If the PT is valid
if ( $r->is_success ) {
# We've got a username !
my $userid = $r->user;
# we should store the CAS ticket too, we need this for single logout https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#233-single-logout
# Does it match one of our users ?
my $sth = $dbh->prepare("select cardnumber from borrowers where userid=?");
$sth->execute($userid);
if ( $sth->rows ) {
$retnumber = $sth->fetchrow;
return ( 1, $retnumber, $userid, $PT );
}
$sth = $dbh->prepare("select userid from borrowers where cardnumber=?");
return $r->user;
$sth->execute($userid);
if ( $sth->rows ) {
$retnumber = $sth->fetchrow;
return ( 1, $retnumber, $userid, $PT );
}
# If we reach this point, then the user is a valid CAS user, but not a Koha user
Koha::Logger->get->info("User $userid is not a valid Koha user");
} else {
Koha::Logger->get->debug("Proxy Ticket authentication failed");
return 0;
}
}
return 0;
}
# Get CAS handler and service URI
sub _get_cas_and_service {
my $query = shift;
my $key = shift; # optional
my $type = shift;
my $uri = _url_with_get_params($query, $type);
my $casparam = $defaultcasserver;
$casparam = $query->param('cas') if defined $query->param('cas');
$casparam = $key if defined $key;
my $cas = Authen::CAS::Client->new( $casservers->{$casparam} );
return ( $cas, $uri );
}
# Get the current URL with parameters contained directly into URL (GET params)
# This method replaces $query->url() which will give both GET and POST params
sub _url_with_get_params {
my $query = shift;
my $type = shift;
my $uri_base_part =
( $type eq 'opac' )
? C4::Context->preference('OPACBaseURL')
: C4::Context->preference('staffClientBaseURL');
$uri_base_part .= get_script_name();
my $uri_params_part = '';
foreach my $param ( $query->url_param() ) {
# url_param() always returns parameters that were deleted by delete()
# This additional check ensure that parameter was not deleted.
my $uriPiece = $query->param($param);
if ($uriPiece) {
$uri_params_part .= '&' if $uri_params_part;
$uri_params_part .= $param . '=';
$uri_params_part .= URI::Escape::uri_escape( $uriPiece );
}
}
$uri_base_part .= '?' if $uri_params_part;
return $uri_base_part . $uri_params_part;
}
=head2 logout_if_required
If using CAS, this subroutine will trigger single-signout of the CAS server.
=cut
sub logout_if_required {
my ( $query ) = @_;
# Check we havent been hit by a logout call
my $xml = $query->param('logoutRequest');
return 0 unless $xml;
my $dom = XML::LibXML->load_xml(string => $xml);
my $ticket;
foreach my $node ($dom->findnodes('/samlp:LogoutRequest')){
# We got a cas single logout request from a cas server;
$ticket = $node->findvalue('./samlp:SessionIndex');
}
return 0 unless $ticket;
# We've been called as part of the single logout destroy the session associated with the cas ticket
my $params = C4::Auth::_get_session_params();
my $success = CGI::Session->find( $params->{dsn}, sub {delete_cas_session(@_, $ticket)}, $params->{dsn_args} );
print $query->header;
exit;
}
sub delete_cas_session {
my $session = shift;
my $ticket = shift;
if ($session->param('cas_ticket') && $session->param('cas_ticket') eq $ticket ) {
$session->delete;
$session->flush;
}
}
1;
__END__
=head1 NAME
C4::Auth - Authenticates Koha users
=head1 SYNOPSIS
use C4::Auth_with_cas;
=cut
=head1 SEE ALSO
CGI(3)
Authen::CAS::Client
=cut
View git blame Copy permalink