From 1a81264ac1fff96d6a678ec7abe730e1ac2c9dbc Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Wed, 26 Apr 2017 12:39:15 +0100
Subject: [PATCH] Bug 18506: Add xShibOnly preference for Shibboleth authentication
This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. We do however, allow for local fallback for the SCO/SCI logins. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations.
Signed-off-by: Matthias Meusburger
Signed-off-by: Nick Clemens
Signed-off-by: Martin Renvoize
Signed-off-by: Jonathan Druart
---
 C4/Auth.pm | 24 +++++++++++++++++++
 .../data/mysql/atomicupdate/shibOnly.perl | 6 +++++
 .../en/modules/admin/preferences/opac.pref | 7 ++++++
 .../admin/preferences/staff_interface.pref | 7 ++++++
 .../bootstrap/en/modules/opac-auth.tt | 8 +++++++
 5 files changed, 52 insertions(+)
 create mode 100644 installer/data/mysql/atomicupdate/shibOnly.perl
diff --git a/C4/Auth.pm b/C4/Auth.pm
index f4e0b903ae..d76c2a2a76 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1100,6 +1100,23 @@ sub checkauth {
 }
 }
+ # If shib configured and shibOnly enabled, we should ignore anything other than a shibboleth type login.
+ if (
+ $shib
+ && !$shibSuccess
+ && (
+ (
+ ( $type eq 'opac' )
+ && C4::Context->preference('opacShibOnly')
+ )
+ || ( ( $type ne 'opac' )
+ && C4::Context->preference('staffShibOnly') )
+ )
+ )
+ {
+ $return = 0;
+ }
+
 # $return: 1 = valid user
 if ($return) {
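Review bot: The new gate zeroes `$return` for every login that is not a successful Shibboleth one whenever `$type eq 'opac'` and opacShibOnly is set, with no exemption for the SCO/SCI logins that the commit message and the opac-auth.tt change (`[% IF !Koha.Preference('opacShibOnly') or SCO_login or SCI_login %]`) say keep a local fallback; the redirect added in the second checkauth hunk has the same gap. Unless self-checkout and self-check-in reach checkauth through a path outside these hunks, a local SCO/SCI login would be rejected here, or redirected to Shibboleth before the local form ever renders. If the fallback is intended, the condition needs a clause identifying the SCO/SCI context next to `!$shibSuccess`, and the same clause belongs on the redirect; a one-line comment above the `if (` naming which login contexts are exempt would make the intent checkable. The enclosing checkauth body starts and ends outside the hunk.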
@@ -1393,6 +1410,13 @@ sub checkauth {
 }
 if ($shib) {
+ #If shibOnly is enabled just go ahead and redirect directly
+ if ( (($type eq 'opac') && C4::Context->preference('opacShibOnly')) || (($type ne 'opac') && C4::Context->preference('staffShibOnly')) ) {
+ my $redirect_url = login_shib_url( $query );
+ print $query->redirect( -uri => "$redirect_url", -status => 303 );
+ safe_exit;
+ }
+
 $template->param(
 shibbolethAuthentication => $shib,
 shibbolethLoginUrl => login_shib_url($query),
diff --git a/installer/data/mysql/atomicupdate/shibOnly.perl b/installer/data/mysql/atomicupdate/shibOnly.perl
new file mode 100644
index 0000000000..9b67d0fb42
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/shibOnly.perl
@@ -0,0 +1,6 @@
+$DBversion = 'XXX'; # will be replaced by the RM
+if( CheckVersion( $DBversion ) ) {
+ $dbh->do( "INSERT IGNORE INTO systempreferences (variable,value,explanation,options,type) VALUES ('opacShibOnly','0','If ON enables shibboleth only authentication for the opac','','YesNo'),('staffShibOnly','0','If ON enables shibboleth only authentication for the staff client','','YesNo')" );
+ SetVersion( $DBversion );
+ print "Upgrade to $DBversion done (Bug XXXXX - shibOnly preferences)\n";
+}
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref
index 3e747afd03..16d18c1d6c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref
@@ -932,3 +932,10 @@ OPAC:
 BaseURL: "OPACBaseURL" OPACAlias: "configured return URL" - "."
+ Authentication:
+ -
+ - pref: opacShibOnly
+ choices:
+ yes: "Don't allow"
+ no: Allow
+ - patrons to login by means other than Shibboleth.
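Review bot: The opac/staff preference test in the new `if (` is a second hand-written copy of the condition introduced in the earlier checkauth hunk, squeezed onto one line where the first is spread over twelve, so the two definitions of "shibOnly applies" can drift apart silently (the first also requires `!$shibSuccess`; this one relies only on the enclosing `if ($shib)`). A small private helper used by both hunks keeps a single definition of what the preference means for a given `$type`. While touching the redirect, `-uri => "$redirect_url"` stringifies a value that is already a string; `-uri => $redirect_url` reads cleaner. checkauth continues outside the hunk on both sides.
```perl
# True when the configured preference restricts logins of this type to Shibboleth.
# $type is 'opac' for the OPAC; any other value is treated as the staff interface.
sub _shib_only_for {
    my ($type) = @_;
    my $pref = $type eq 'opac' ? 'opacShibOnly' : 'staffShibOnly';
    return C4::Context->preference($pref) ? 1 : 0;
}

# … in checkauth, replacing the inline preference test …
if ( _shib_only_for($type) ) {
    my $redirect_url = login_shib_url( $query );
    print $query->redirect( -uri => $redirect_url, -status => 303 );
    safe_exit;
}
```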
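Review bot: The upgrade message on the `print` line still carries the `Bug XXXXX` placeholder although the patch subject names Bug 18506, so the line written to the upgrade log will not identify the change; `print "Upgrade to $DBversion done (Bug 18506 - Add opacShibOnly and staffShibOnly system preferences)\n";`. The `'XXX'` in `$DBversion` is the release-manager placeholder the comment documents and can stay. The two explanation strings in the `INSERT IGNORE` would also read better with Shibboleth capitalised, matching the label the opac.pref hunk gives the same preference.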
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/staff_interface.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/staff_interface.pref
index 249a783e4f..30132b35fc 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/staff_interface.pref
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/staff_interface.pref
@@ -181,3 +181,10 @@ Staff interface:
 yes: Show no: "Don't show" - a search field pulldown for 'Search the catalog' boxes.
+ Authentication:
+ -
+ - pref: staffShibOnly
+ choices:
+ yes: "Don't allow"
+ no: Allow
+ - staff to login by means other than shibboleth.
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
index c30170ffe2..4479588c6b 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
@@ -79,6 +79,7 @@
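Review bot: The new description line spells the protocol `shibboleth` while the matching opac.pref entry in this patch uses `Shibboleth`, so the two preference pages will show the same product name two ways; `- staff to log in by means other than Shibboleth.` also corrects "login" used as a verb. The opac.pref line in this patch has the same "login" wording and could be changed to match.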

Sorry, your Shibboleth identity does not match a valid library identity.

+ [% UNLESS ( Koha.Preference('opacShibOnly') ) %] [% IF ( casAuthentication ) %] [% IF ( invalidCasLogin ) %] @@ -89,11 +90,13 @@ [% ELSE %]

If you have a local account, you may use that below.

[% END %] + [% END %]
[% ELSE %]

Shibboleth Login

Log in using a Shibboleth account.

[% END # /IF invalidShibLogin %] + [% UNLESS ( Koha.Preference('opacShibOnly') ) %] [% IF ( casAuthentication ) %]

CAS login

If you do not have a Shibboleth account, but you do have a CAS account, you can use CAS.

@@ -101,8 +104,10 @@

Local login

If you do not have a Shibboleth account, but you do have a local login, then you may login below.

[% END %] + [% END %] [% END # /IF shibbolethAuthentication %] + [% UNLESS ( Koha.Preference('opacShibOnly') ) %] [% IF ( casAuthentication ) %] [% IF ( shibbolethAuthentication ) %] [% IF ( casServerUrl ) %] @@ -158,7 +163,9 @@ Log in with Google

If you do not have a Google account, but do have a local account, you can still log in:

[% END # /IF GoogleOpenIDConnect %] + [% END # /UNLESS opacShibOnly %] + [% IF !Koha.Preference('opacShibOnly') or SCO_login or SCI_login %] [% IF SCO_login %]
[% ELSIF SCI_login %] @@ -208,6 +215,7 @@ [% END %]
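Review bot: The new `[% IF !Koha.Preference('opacShibOnly') or SCO_login or SCI_login %]` guards the local login form while the three earlier guards added to this file use `[% UNLESS ( Koha.Preference('opacShibOnly') ) %]`, so the same preference is fetched four times in one template in two spellings. checkauth already passes `shibbolethAuthentication` and `shibbolethLoginUrl` to this template; passing its shibOnly decision alongside them as one flag (name to be chosen) would let every guard test a single value and keep the template in step with whatever checkauth decides. The markup around this hunk is not fully visible here, so the pairing of this `IF` with the `[% END # / IF !opacShibOnly or SCO_login or SCI_login %]` in the final hunk is inferred.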
+ [% END # / IF !opacShibOnly or SCO_login or SCI_login %] [% END # / IF loginprompt %] [% ELSE %] -- 2.39.5