# Base package for simple issuer plugins
#
# An issuer only needs to implement a run() method; it is called only for
# authenticated users, when PATH_INFO starts with the issuerDBXXPath value
#
# run() must return a Lemonldap::NG::Portal::Main::Constants value. It is
# called through the process() method (Lemonldap::NG::Portal::Main::Process)
package Lemonldap::NG::Portal::Main::Issuer;

use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);

extends 'Lemonldap::NG::Portal::Main::Plugin';

our $VERSION = '2.0.0';

# PROPERTIES

has type => ( is => 'rw' );    # issuer short name (last class-name component), set by init()

has path => ( is => 'rw' );    # route prefix taken from the issuerDB<Type>Path setting, set by init()

# INTERFACE

# Only logout is called in normal use. Issuers that inherit from this
# package are otherwise reached only through their path
# Name of the method the portal invokes on this plugin at logout time.
sub beforeLogout { return 'logout'; }

# INITIALIZATION

# Register the issuer's routes from its configured base path.
#
# The issuer type is the last component of the class name (e.g. "SAML" for
# Lemonldap::NG::Portal::Issuer::SAML); it is stored in type() and used to
# look up the "issuerDB<Type>Path" configuration key.  When that key is set,
# its first run of word characters (e.g. "saml" from "/saml/") becomes the
# route prefix stored in path(), and four catch-all routes under it are
# registered: GET/POST for unauthenticated users (_redirect/_pRedirect) and
# GET/POST for authenticated users (_forAuthUser/_pForAuthUser).  Without a
# configured path nothing is registered and a debug message is logged.
#
# NOTE(review): the return value is whatever the last statement yields
# (addAuthRoute() or lmLog()); the SYNOPSIS documents init() as returning
# 1 or 0, so subclasses overriding init() should return explicitly.
sub init {
    my ($self) = @_;

    # Class name without its package prefix, e.g. "SAML".
    my $type = ( split /::/, ref $self )[-1];
    $self->type($type);

    my $path = $self->conf->{"issuerDB${type}Path"};
    if ($path) {

        # Keep only the first word of the configured value ("/saml/" -> "saml");
        # the regex is unchanged from the original so edge cases behave the same.
        $path =~ s/^.*?(\w+).*?$/$1/;
        $self->path($path);

        # Unauthenticated users are sent through the login process first
        $self->addUnauthRoute( $path => { '*' => '_redirect' },  ['GET'] );
        $self->addUnauthRoute( $path => { '*' => '_pRedirect' }, ['POST'] );

        # Authenticated users go straight to run()
        $self->addAuthRoute( $path => { '*' => '_forAuthUser' },  ['GET'] );
        $self->addAuthRoute( $path => { '*' => '_pForAuthUser' }, ['POST'] );
    }
    else {
        $self->lmLog( "No path declared for issuer $type. Skipping", 'debug' );
    }
}

# RUNNING METHODS

# Case 1: Unauthenticated users are redirected to the main portal

# Handle an unauthenticated GET on the issuer path.
#
# Every request parameter, plus the original HTTP method and query string,
# is stashed as a hidden form value so the identity request can be replayed
# once the user has authenticated ('issuerMethod' / 'issuerQuery' keys).
# The post-authentication destination ($req->{urldc}) is the portal URL
# followed by the current path and query string.  The normal authentication
# chain is then run with run() appended as its last step, receiving the
# captured @path segments.
#
# NOTE(review): client-supplied parameter names and values are reflected
# into the portal form here; this relies on setHiddenFormValue() escaping
# them for HTML — confirm in Lemonldap::NG::Portal::Main.
sub _redirect {
    my ( $self, $req, @path ) = @_;
    $self->lmLog( 'Processing _redirect', 'debug' );

    # Preserve the incoming request across the authentication round-trip
    my $params = $req->params;
    for my $name ( keys %{$params} ) {
        $self->p->setHiddenFormValue( $req, $name, $params->{$name}, '', 0 );
    }
    $self->p->setHiddenFormValue( $req, 'issuerMethod', $req->method, '', 0 );
    $self->p->setHiddenFormValue( $req, 'issuerQuery',  $req->query,  '', 0 );

    # Where to send the user back once authenticated (empty query -> no '?')
    my $query = $req->query;
    $req->{urldc} = join '', $self->conf->{portal}, $req->path,
      ( $query ? "?$query" : '' );

    # TODO: launch normal process with 'run' at the end
    my @chain = (
        'controlUrl',
        @{ $self->p->beforeAuth },
        $self->p->authProcess,
        @{ $self->p->betweenAuthAndDatas },
        $self->p->sessionDatas,
        @{ $self->p->afterDatas },
        sub { return $self->run( @_, @path ); },
    );
    return $self->p->do( $req, \@chain );
}

# Case 1, POST variant: parse the body first so its fields are visible to
# _redirect() through $req->params, then behave exactly like the GET case.
sub _pRedirect {
    my $self = shift;
    my $req  = shift;
    my @path = @_;

    $self->lmLog( '_pRedirect: parsing posted datas', 'debug' );
    $req->parseBody;
    return $self->_redirect( $req, @path );
}

# Case 3: authenticated user, launch run()
# Handle a GET on the issuer path for an already authenticated user.
#
# Runs the portal's "for authenticated user" chain (handler data import,
# URL control, then the configured forAuthUser steps) and finishes with the
# subclass run() method, which receives the captured @path segments.
sub _forAuthUser {
    my ( $self, $req, @path ) = @_;
    $self->lmLog( 'Processing _forAuthUser', 'debug' );

    my @steps = (
        'importHandlerDatas',
        'controlUrl',
        @{ $self->p->forAuthUser },
        sub { return $self->run( @_, @path ); },
    );
    return $self->p->do( $req, \@steps );
}

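# Case 3, POST variant: parse the body, then behave exactly like the GET case.
#
# Fix: the captured @path segments are now forwarded to _forAuthUser() (and so
# to run()), matching _pRedirect(); previously a POST silently dropped them,
# so run() saw a different path list for POST than for GET.
sub _pForAuthUser {
    my ( $self, $req, @path ) = @_;
    $self->lmLog( 'Parsing posted datas', 'debug' );
    $req->parseBody;
    return $self->_forAuthUser( $req, @path );
}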

1;
__END__

=pod

=encoding utf8

=head1 NAME

Lemonldap::NG::Portal::Main::Issuer - Base class for identity providers.

=head1 SYNOPSIS

  package Lemonldap::NG::Portal::Issuer::My;
  use strict;
  use Mouse;
  extends 'Lemonldap::NG::Portal::Main::Issuer';
  use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
  
  # Optional initialization method
  sub init {
      my ($self) = @_;
      ...
      # Must return 1 (succeed) or 0 (failure)
  }
  
  # Required methods are run() and logout(), they are launched only for
  # authenticated users
  # $req is a Lemonldap::NG::Portal::Main::Request object
  # They must return a Lemonldap::NG::Portal::Main::Constants constant
  sub run {
      my ( $self, $req ) = @_;
      ...
      return PE_OK;
  }
  
  sub logout {
      my ( $self, $req ) = @_;
      ...
      return PE_OK;
  }
  1;

=head1 DESCRIPTION

Lemonldap::NG::Portal::Main::Issuer is a base class for writing identity
providers for the Lemonldap::NG web-SSO system. It provides several methods
that make it easy to write an IdP and that handle authentication when the
identity request arrives before the user is authenticated.

=head1 WRITING AN IDENTITY PROVIDER

To write a classic identity provider, you just have to inherit this class and
write run() and logout() methods. These methods must return a
Lemonldap::NG::Portal::Main::Constants constant.

A classic identity provider needs an "issuerDBE<lt>XXXE<gt>Path" parameter in
LLNG configuration to declare its base URI path (see
L<Lemonldap::NG::Manager::Build>). Example: /saml/. All requests that start
with /saml/ will call run() (after authentication, if needed); no other
request does.

The logout() method is called when the user requests a logout on this server.
An identity provider must implement a single logout mechanism.

=head2 Managing other URI paths

Lemonldap::NG::Portal::Main::Issuer provides methods to bind a method to a
URI path:

=over

=item addAuthRoute() for authenticated users

=item addUnauthRoute() for unauthenticated users

=back

They must be called during the initialization process (so you must implement
the otherwise optional init() sub).

Example:

  sub init {
      my ($self) = @_;
      ...
      $self->addUnauthRoute( saml => { soap => 'soapServer' }, [ 'POST' ] );
      return 1;
  }
  sub soapServer {
      my ( $self, $req ) = @_;
      ...
      # You must return a valid PSGI response
      return [ 200, [ 'Content-Type' => 'application/xml' ], [] ];
  }

=head1 SEE ALSO

L<http://lemonldap-ng.org/>

=head1 AUTHOR

=over

=item Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>

=item Xavier Guimard, E<lt>x.guimard@free.frE<gt>

=back

=head1 BUG REPORT

Use the OW2 system to report bugs or ask for features:
L<http://jira.ow2.org>

=head1 DOWNLOAD

Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>

=head1 COPYRIGHT AND LICENSE

=over

=item Copyright (C) 2016 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>

=item Copyright (C) 2016 by Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>

=back

This library is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see L<http://www.gnu.org/licenses/>.

=cut