From 802f80d5d4e648f4d5d047ef0855bee90b7c28ae Mon Sep 17 00:00:00 2001 From: Martin Renvoize Date: Wed, 26 Apr 2017 12:39:15 +0100 Subject: [PATCH] Bug 18506: Add xShibOnly preference for Shibboleth authentication This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. We do however, allow for local fallback for the SCO/SCI logins. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. Signed-off-by: Matthias Meusburger Signed-off-by: Nick Clemens Signed-off-by: Martin Renvoize Signed-off-by: Jonathan Druart (cherry picked from commit 1a81264ac1fff96d6a678ec7abe730e1ac2c9dbc) Signed-off-by: Fridolin Somers --- C4/Auth.pm | 24 +++++++++++++++++++ .../data/mysql/atomicupdate/shibOnly.perl | 6 +++++ .../en/modules/admin/preferences/opac.pref | 7 ++++++ .../admin/preferences/staff_interface.pref | 7 ++++++ .../bootstrap/en/modules/opac-auth.tt | 8 +++++++ 5 files changed, 52 insertions(+) create mode 100644 installer/data/mysql/atomicupdate/shibOnly.perl diff --git a/C4/Auth.pm b/C4/Auth.pm index c09334e259..18a3ac8cf3 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1101,6 +1101,23 @@ sub checkauth { } } + # If shib configured and shibOnly enabled, we should ignore anything other than a shibboleth type login. + if ( + $shib + && !$shibSuccess + && ( + ( + ( $type eq 'opac' ) + && C4::Context->preference('opacShibOnly') + ) + || ( ( $type ne 'opac' ) + && C4::Context->preference('staffShibOnly') ) + ) + ) + { + $return = 0; + } + # $return: 1 = valid user if ($return) { 
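Review bot: The new guard forces `$return = 0` for every non-Shibboleth login whenever `$type eq 'opac'` and opacShibOnly is set, with no exemption for the self-checkout/self-check-in paths, although the description promises local fallback for SCO/SCI and the opac-auth.tt change keeps the local form visible for `SCO_login`/`SCI_login`. If those logins reach checkauth with `$type` 'opac' (not visible in this hunk), the form will be shown but the credentials refused here, so the exemption needs to be made explicit in this condition, keyed on whatever marks an SCO/SCI request, with a comment such as `# SCO/SCI keep local fallback even under ShibOnly (see opac-auth.tt)`. The interface-selection expression is also repeated verbatim in the second hunk of this file; a small helper would keep the two in step: `sub _shib_only_enabled { my ($type) = @_; return $type eq 'opac' ? C4::Context->preference('opacShibOnly') : C4::Context->preference('staffShibOnly'); }`. checkauth starts and ends outside this hunk.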
@@ -1395,6 +1412,13 @@ sub checkauth { } if ($shib) { + #If shibOnly is enabled just go ahead and redirect directly + if ( (($type eq 'opac') && C4::Context->preference('opacShibOnly')) || (($type ne 'opac') && C4::Context->preference('staffShibOnly')) ) { + my $redirect_url = login_shib_url( $query ); + print $query->redirect( -uri => "$redirect_url", -status => 303 ); + safe_exit; + } + $template->param( shibbolethAuthentication => $shib, shibbolethLoginUrl => login_shib_url($query), diff --git a/installer/data/mysql/atomicupdate/shibOnly.perl b/installer/data/mysql/atomicupdate/shibOnly.perl new file mode 100644 index 0000000000..9b67d0fb42 --- /dev/null +++ b/installer/data/mysql/atomicupdate/shibOnly.perl @@ -0,0 +1,6 @@ +$DBversion = 'XXX'; # will be replaced by the RM +if( CheckVersion( $DBversion ) ) { + $dbh->do( "INSERT IGNORE INTO systempreferences (variable,value,explanation,options,type) VALUES ('opacShibOnly','0','If ON enables shibboleth only authentication for the opac','','YesNo'),('staffShibOnly','0','If ON enables shibboleth only authentication for the staff client','','YesNo')" ); + SetVersion( $DBversion ); + print "Upgrade to $DBversion done (Bug XXXXX - shibOnly preferences)\n"; +} diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref index 58751f119b..1c594c3474 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref @@ -932,3 +932,10 @@ OPAC: BaseURL: "OPACBaseURL" OPACAlias: "configured return URL" - "." + Authentication: + - + - pref: opacShibOnly + choices: + yes: "Don't allow" + no: Allow + - patrons to login by means other than Shibboleth. 
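Review bot: The unconditional redirect to `login_shib_url($query)` fires before the template can report a failed Shibboleth match, so a user whose IdP session exists but maps to no patron (the opac-auth.tt "Sorry, your Shibboleth identity does not match a valid library identity" case) is presumably sent back to the IdP, returned, and redirected again, with nothing visible here to break the loop. Guard the redirect with the same flag the template reads as `invalidShibLogin`, so that case falls through to the existing `$template->param(...)` branch and renders the error page instead of redirecting. A comment on the redirect should state the intent: `# ShibOnly: never render the local/CAS login page; send the user straight to the IdP, unless the Shibboleth identity was already rejected`. checkauth continues outside this hunk.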
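Review bot: The upgrade message still carries the `Bug XXXXX` placeholder although the subject fixes the number as 18506, and only `$DBversion` is substituted by the release manager. Change the last statement to `print "Upgrade to $DBversion done (Bug 18506 - Add opacShibOnly and staffShibOnly preferences)\n";`. The `explanation` column text could also say that the preference only takes effect when Shibboleth is configured, since C4/Auth.pm gates the check on `$shib`.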
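Review bot: The new preference description does not say that it only has an effect when Shibboleth is actually configured, which is how C4/Auth.pm applies it (`$shib && ...`), so an administrator enabling it on an OPAC without Shibboleth will wonder why local logins still work. Extend the trailing text to `- patrons to login by means other than Shibboleth. Only applies when Shibboleth authentication is configured for the OPAC.`.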
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/staff_interface.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/staff_interface.pref index 249a783e4f..30132b35fc 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/staff_interface.pref +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/staff_interface.pref @@ -181,3 +181,10 @@ Staff interface: yes: Show no: "Don't show" - a search field pulldown for 'Search the catalog' boxes. + Authentication: + - + - pref: staffShibOnly + choices: + yes: "Don't allow" + no: Allow + - staff to login by means other than shibboleth. diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt index 7644b8bc97..c0b2763937 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt @@ -79,6 +79,7 @@
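Review bot: Turning on staffShibOnly removes the only local way back into the staff interface, so if the IdP is down or misconfigured the preference can no longer be switched off from the UI (the description says a virtualhost-level override is the intended escape hatch, but nothing in this file tells the administrator that). The description should warn about that, and "shibboleth" should be capitalised as in opac.pref: `- staff to login by means other than Shibboleth. Only applies when Shibboleth is configured; if Shibboleth fails, no local staff login will be possible.`.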

Sorry, your Shibboleth identity does not match a valid library identity.

+ [% UNLESS ( Koha.Preference('opacShibOnly') ) %] [% IF ( casAuthentication ) %] [% IF ( invalidCasLogin ) %] @@ -89,11 +90,13 @@ [% ELSE %]

If you have a local account, you may use that below.

[% END %] + [% END %]
[% ELSE %]

Shibboleth Login

If you have a Shibboleth account, please click here to log in.

[% END # /IF invalidShibLogin %] + [% UNLESS ( Koha.Preference('opacShibOnly') ) %] [% IF ( casAuthentication ) %]

CAS login

If you do not have a Shibboleth account, but you do have a CAS account, you can use CAS.

@@ -101,8 +104,10 @@

Local login

If you do not have a Shibboleth account, but you do have a local login, then you may login below.

[% END %] + [% END %] [% END # /IF shibbolethAuthentication %] + [% UNLESS ( Koha.Preference('opacShibOnly') ) %] [% IF ( casAuthentication ) %] [% IF ( shibbolethAuthentication ) %] [% IF ( casServerUrl ) %] @@ -158,7 +163,9 @@ Log in with Google

If you do not have a Google account, but do have a local account, you can still log in:

[% END # /IF GoogleOpenIDConnect %] + [% END # /UNLESS opacShibOnly %] + [% IF !Koha.Preference('opacShibOnly') or SCO_login or SCI_login %] [% IF SCO_login %]
[% ELSIF SCI_login %] @@ -208,6 +215,7 @@ [% END %]
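Review bot: The guards added here test `Koha.Preference('opacShibOnly')` on its own, outside the `shibbolethAuthentication` block, while C4/Auth.pm only enforces ShibOnly when `$shib` is set; with the preference on and Shibboleth not configured the page hides the CAS, Google and local forms even though local logins are still accepted server-side, leaving no way to log in from this page. Make the template condition match the enforcement: `[% UNLESS ( shibbolethAuthentication && Koha.Preference('opacShibOnly') ) %]` for the wrappers, and `[% IF !( shibbolethAuthentication && Koha.Preference('opacShibOnly') ) or SCO_login or SCI_login %]` for the local-login block. The enclosing `IF loginprompt` block starts outside this hunk.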
+ [% END # / IF !opacShibOnly or SCO_login or SCI_login %] [% END # / IF loginprompt %] [% ELSE %] -- 2.39.5