From bb63ef6a2e988208db5444bef472a3c7edcc02f4 Mon Sep 17 00:00:00 2001
From: Matthias Meusburger
Date: Fri, 2 Jan 2015 16:23:31 +0100
Subject: [PATCH] Bug 13507: Add intranet support for CAS authentication

This patch allows to use CAS authentication for intranet login. It works exactly the same as the OPAC login, except that the staffClientBaseURL syspref must be set for intranet login (like OPACBaseURL must be set for OPAC login).

Signed-off-by: Koha Team AMU
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
---
 C4/Auth.pm | 17 ++++-----
 C4/Auth_with_cas.pm | 36 +++++++++++--------
 .../intranet-tmpl/prog/en/modules/auth.tt | 23 ++++++++++++
 3 files changed, 53 insertions(+), 23 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 3767b2297c..017517cd39 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -799,8 +799,8 @@ sub checkauth {
 $sessionID = undef;
 $userid = undef;
- if ( $cas and $caslogout ) {
- logout_cas($query);
+ if ($cas and $caslogout) {
+ logout_cas($query, $type);
 }
 # If we are in a shibboleth session (shibboleth is enabled, a shibboleth match attribute is set and matches koha matchpoint)
@@ -907,7 +907,7 @@ sub checkauth {
 if ( $cas && $query->param('ticket') ) {
 my $retuserid;
 ( $return, $cardnumber, $retuserid ) =
- checkpw( $dbh, $userid, $password, $query );
+ checkpw( $dbh, $userid, $password, $query, $type );
 $userid = $retuserid;
 $info{'invalidCasLogin'} = 1 unless ($return);
 }
@@ -968,7 +968,7 @@ sub checkauth {
 else {
 my $retuserid;
 ( $return, $cardnumber, $retuserid ) =
- checkpw( $dbh, $userid, $password, $query );
+ checkpw( $dbh, $userid, $password, $query, $type );
 $userid = $retuserid if ($retuserid);
 $info{'invalid_username_or_password'} = 1 unless ($return);
 }
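Review bot: The whitespace change on the `if` line (`if ( $cas and $caslogout )` becoming `if ($cas and $caslogout)`) is unrelated to the fix and departs from the padded-paren spacing used on the surrounding context lines and in the other hunks of this file. Keeping that line as context would leave the hunk as the one-line `logout_cas($query, $type);` change it actually is. `$type` is presumably a parameter of checkauth declared above the hunk; checkauth begins and ends outside it.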
@@ -1222,14 +1222,14 @@ sub checkauth {
 my $casservers = C4::Auth_with_cas::getMultipleAuth();
 my @tmplservers;
 foreach my $key ( keys %$casservers ) {
- push @tmplservers, { name => $key, value => login_cas_url( $query, $key ) . "?cas=$key" };
+ push @tmplservers, { name => $key, value => login_cas_url( $query, $key, $type ) . "?cas=$key" };
 }
 $template->param( casServersLoop => \@tmplservers );
 } else {
 $template->param(
- casServerUrl => login_cas_url($query),
+ casServerUrl => login_cas_url($query, undef, $type),
 );
 }
@@ -1676,7 +1676,8 @@ sub get_session {
 }
 sub checkpw {
- my ( $dbh, $userid, $password, $query ) = @_;
+ my ( $dbh, $userid, $password, $query, $type ) = @_;
+ $type = 'opac' unless $type;
 if ($ldap) {
 $debug and print STDERR "## checkpw - checking LDAP\n";
 my ( $retval, $retcard, $retuserid ) = checkpw_ldap(@_); # EXTERNAL AUTH
@@ -1690,7 +1691,7 @@ sub checkpw {
 # In case of a CAS authentication, we use the ticket instead of the password
 my $ticket = $query->param('ticket');
 $query->delete('ticket'); # remove ticket to come back to original URL
- my ( $retval, $retcard, $retuserid ) = checkpw_cas( $dbh, $ticket, $query ); # EXTERNAL AUTH
+ my ( $retval, $retcard, $retuserid ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH
 ($retval) and return ( $retval, $retcard, $retuserid );
 return 0;
 }
diff --git a/C4/Auth_with_cas.pm b/C4/Auth_with_cas.pm
index c5f21a822e..82e3d83057 100644
--- a/C4/Auth_with_cas.pm
+++ b/C4/Auth_with_cas.pm
@@ -25,6 +25,7 @@ use C4::Context;
 use Authen::CAS::Client;
 use CGI qw ( -utf8 );
 use FindBin;
+use YAML;
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
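Review bot: In checkpw the new default `$type = 'opac' unless $type;` normalises only the lexical copy, while the LDAP branch two lines below still forwards the raw `checkpw_ldap(@_)`, so checkpw_ldap now receives a fifth element that is the caller's `$type` or nothing, depending on who called. The diffstat touches no other module, so callers of checkpw elsewhere presumably still pass four arguments; an intranet caller not updated here would then validate its CAS ticket against the OPAC service URL, which fails closed (the CAS server rejects a ticket for a different service) but surfaces as `invalidCasLogin` rather than as a configuration error. Passing the explicit list `checkpw_ldap( $dbh, $userid, $password, $query )` instead of `@_` keeps the LDAP interface unchanged, and a one-line comment above the default, `# Callers predating the $type argument are OPAC-only; preserve their behaviour`, records why 'opac' is the fallback. checkpw continues past the end of the hunk.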
@@ -39,12 +40,12 @@ BEGIN {
 my $context = C4::Context->new() or die 'C4::Context->new failed';
 my $defaultcasserver;
 my $casservers;
-my $yamlauthfile = "../C4/Auth_cas_servers.yaml";
+my $yamlauthfile = C4::Context->config('intranetdir') . "/C4/Auth_cas_servers.yaml";
 # If there's a configuration for multiple cas servers, then we get it
 if (multipleAuth()) {
- ($defaultcasserver, $casservers) = YAML::LoadFile(qq($FindBin::Bin/$yamlauthfile));
+ ($defaultcasserver, $casservers) = YAML::LoadFile($yamlauthfile);
 $defaultcasserver = $defaultcasserver->{'default'};
 } else {
 # Else, we fall back to casServerUrl syspref
@@ -54,7 +55,7 @@ if (multipleAuth()) {
 # Is there a configuration file for multiple cas servers?
 sub multipleAuth {
- return (-e qq($FindBin::Bin/$yamlauthfile));
+ return (-e qq($yamlauthfile));
 }
 # Returns configured CAS servers' list if multiple authentication is enabled
@@ -64,23 +65,23 @@ sub getMultipleAuth {
 # Logout from CAS
 sub logout_cas {
- my ($query) = @_;
- my ( $cas, $uri ) = _get_cas_and_service($query);
+ my ($query, $type) = @_;
+ my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
 print $query->redirect( $cas->logout_url($uri));
 print $query->redirect( $cas->logout_url(url => $uri));
 }
 # Login to CAS
 sub login_cas {
- my ($query) = @_;
- my ( $cas, $uri ) = _get_cas_and_service($query);
+ my ($query, $type) = @_;
+ my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
 print $query->redirect( $cas->login_url($uri));
 }
 # Returns CAS login URL with callback to the requesting URL
 sub login_cas_url {
- my ( $query, $key ) = @_;
- my ( $cas, $uri ) = _get_cas_and_service( $query, $key );
+ my ( $query, $key, $type ) = @_;
+ my ( $cas, $uri ) = _get_cas_and_service( $query, $key, $type );
 return $cas->login_url($uri);
 }
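Review bot: `C4::Context->config('intranetdir')` is concatenated at module load with no check, so if that koha-conf entry is absent the path silently becomes `/C4/Auth_cas_servers.yaml` (with an uninitialized-value warning) and multipleAuth() falls back to the casServerUrl syspref as if no multi-server file existed. A guard before the assignment, `my $intranetdir = C4::Context->config('intranetdir') or die 'intranetdir is not set in koha-conf.xml';`, turns that into a visible startup error instead of a quietly different CAS configuration. With `$FindBin::Bin` no longer referenced here or in multipleAuth below, the `use FindBin;` kept as context in the previous hunk looks dead unless something else in the file still uses it.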
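Review bot: `qq($yamlauthfile)` in multipleAuth now wraps a single scalar, so the interpolating quotes are a leftover of the `$FindBin::Bin/...` form; `return -e $yamlauthfile;` is equivalent and reads as the plain file test it is. The parentheses around the file test are likewise unnecessary now that there is no interpolation to delimit.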
@@ -88,9 +89,9 @@ sub login_cas_url {
 # In our case : is there a ticket, is it valid and does it match one of our users ?
 sub checkpw_cas {
 $debug and warn "checkpw_cas";
- my ($dbh, $ticket, $query) = @_;
+ my ($dbh, $ticket, $query, $type) = @_;
 my $retnumber;
- my ( $cas, $uri ) = _get_cas_and_service($query);
+ my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
 # If we got a ticket
 if ($ticket) {
@@ -136,9 +137,9 @@ sub checkpw_cas {
 # Proxy CAS auth
 sub check_api_auth_cas {
 $debug and warn "check_api_auth_cas";
- my ($dbh, $PT, $query) = @_;
+ my ($dbh, $PT, $query, $type) = @_;
 my $retnumber;
- my ( $cas, $uri ) = _get_cas_and_service($query);
+ my ( $cas, $uri ) = _get_cas_and_service($query, undef, $type);
 # If we have a Proxy Ticket
 if ($PT) {
@@ -184,8 +185,9 @@ sub check_api_auth_cas {
 sub _get_cas_and_service {
 my $query = shift;
 my $key = shift; # optional
+ my $type = shift;
- my $uri = _url_with_get_params($query);
+ my $uri = _url_with_get_params($query, $type);
 my $casparam = $defaultcasserver;
 $casparam = $query->param('cas') if defined $query->param('cas');
@@ -199,8 +201,12 @@ sub _get_cas_and_service {
 # This method replaces $query->url() which will give both GET and POST params
 sub _url_with_get_params {
 my $query = shift;
+ my $type = shift;
+
+ my $uri_base_part = ($type eq 'opac') ?
+ C4::Context->preference('OPACBaseURL') . $query->script_name():
+ C4::Context->preference('staffClientBaseURL');
- my $uri_base_part = C4::Context->preference('OPACBaseURL') . $query->script_name();
 my $uri_params_part = '';
 foreach ( $query->url_param() ) {
 # url_param() always returns parameters that were deleted by delete()
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
index c7e78d0eda..9ae147e5cc 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@@ -68,11 +68,34 @@
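Review bot: `_url_with_get_params` tests `$type eq 'opac'` with no default, so an undefined `$type` raises an uninitialized-value warning and selects staffClientBaseURL — the opposite of checkpw's `'opac'` fallback and of the pre-patch behaviour, which always used OPACBaseURL. Every wrapper in this file (logout_cas, login_cas, login_cas_url in the previous hunks, checkpw_cas, check_api_auth_cas and _get_cas_and_service here) forwards `$type` without defaulting it, and the diffstat shows no caller of check_api_auth_cas being updated, so that path presumably now builds the staff URL for every request. Because a CAS server validates a ticket only against the exact service URL it was issued for, a mismatch between the login redirect and the validation leg fails closed, but it shows up as a generic login failure rather than a configuration error; `my $type = shift; $type = 'opac' unless $type;` here, matching checkpw, keeps not-yet-updated callers on their previous URL. The staff branch also omits the `$query->script_name()` that the OPAC branch appends, so the "callback to the requesting URL" described above login_cas_url does not hold for staff logins — if that is intended, a comment saying why would help the next reader. _url_with_get_params continues past the end of the hunk.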

+[% IF ( casAuthentication ) %] +

Cas login

+ +[% IF ( invalidCasLogin ) %] + +

Sorry, the CAS login failed.

+[% END %] + +

If you have a CAS account, +[% IF ( casServerUrl ) %] + please click here to login.

+[% END %] + +[% IF ( casServersLoop ) %] +please choose against which one you would like to authenticate:

+