Process.pm 11.8 KB
Newer Older
Yadd's avatar
Yadd committed
1 2
package Lemonldap::NG::Portal::Main::Process;

Yadd's avatar
Yadd committed
3 4 5 6
our $VERSION = '2.0.0';

package Lemonldap::NG::Portal::Main;

Yadd's avatar
Yadd committed
7
use strict;
Yadd's avatar
Yadd committed
8
use MIME::Base64;
Yadd's avatar
Yadd committed
9
use POSIX qw(strftime);
Yadd's avatar
Yadd committed
10

Yadd's avatar
Yadd committed
11 12 13 14 15 16 17 18 19 20 21 22 23
# Main method
# -----------
# Launch all methods declared in request "steps" array. Methods can be
# declared by their name (in Lemonldap::NG::Portal::Main namespace) or point
# to a subroutine (see Lemonldap::NG::Portal::Main::Run.pm)

sub process {
    my ( $self, $req ) = @_;

    #$req->error(PE_OK);
    my $err = PE_OK;
    while ( my $sub = shift @{ $req->steps } ) {
        if ( ref $sub ) {
Yadd's avatar
Yadd committed
24
            $self->lmLog( "Processing code ref", 'debug' );
Yadd's avatar
Yadd committed
25
            last if ( $err = $sub->($req) );
Yadd's avatar
Yadd committed
26 27
        }
        else {
Yadd's avatar
Yadd committed
28
            $self->lmLog( "Processing $sub", 'debug' );
Yadd's avatar
Yadd committed
29 30 31
            last if ( $err = $self->$sub($req) );
        }
    }
Yadd's avatar
Yadd committed
32
    $self->lmLog( "Returned error: $err", 'debug' ) if ($err);
Yadd's avatar
Yadd committed
33 34 35
    return $err;
}

Yadd's avatar
Yadd committed
36 37 38 39 40 41 42
# First process block: check args
# -------------------------------

# For post requests, parse datas
sub restoreArgs {
    my ( $self, $req ) = @_;
    $req->parseBody;
Yadd's avatar
Yadd committed
43
    $req->mustRedirect(1);
Yadd's avatar
Yadd committed
44 45 46
    return ( %{ $req->params } ? PE_OK : PE_FORMEMPTY );
}

Yadd's avatar
Yadd committed
47 48 49
sub importHandlerDatas {
    my ( $self, $req ) = @_;
    $req->{sessionInfo} = HANDLER->datas;
Yadd's avatar
Yadd committed
50
    $req->id( $req->sessionInfo->{_session_id} );
Yadd's avatar
Yadd committed
51 52 53
    PE_OK;
}

Yadd's avatar
Yadd committed
54 55 56
# Verify url parameter
sub controlUrl {
    my ( $self, $req ) = @_;
Yadd's avatar
Yadd committed
57
    $req->{datas}->{_url} ||= '';
Yadd's avatar
Yadd committed
58 59
    if ( my $url = $req->param('url') ) {

Yadd's avatar
Yadd committed
60 61
        # REJECT NON BASE64 URL
        if ( $req->urlNotBase64 ) {
Yadd's avatar
Yadd committed
62
            $req->{urldc} = $url;
Yadd's avatar
Yadd committed
63 64
        }
        else {
Yadd's avatar
Yadd committed
65 66 67 68 69 70
            if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
                $self->lmLog(
                    "Value must be in BASE64 (param: url | value: $url)",
                    "warn" );
                return PE_BADURL;
            }
Yadd's avatar
Yadd committed
71 72
            $req->{urldc} = decode_base64($url);
            $req->{urldc} =~ s/[\r\n]//sg;
Yadd's avatar
Yadd committed
73 74 75
        }

        # For logout request, test if Referer comes from an authorizated site
Yadd's avatar
Yadd committed
76 77
        my $tmp = (
              $req->param('logout')
Yadd's avatar
Yadd committed
78
            ? $req->referer
Yadd's avatar
Yadd committed
79
            : $req->{urldc}
Yadd's avatar
Yadd committed
80
        );
Yadd's avatar
Yadd committed
81 82 83 84 85

        # XSS attack
        if (
            $self->checkXSSAttack(
                $req->param('logout') ? 'HTTP Referer' : 'urldc',
Yadd's avatar
Yadd committed
86
                $req->{urldc}
Yadd's avatar
Yadd committed
87 88 89
            )
          )
        {
Yadd's avatar
Yadd committed
90
            delete $req->{urldc};
Yadd's avatar
Yadd committed
91 92 93 94 95 96 97 98 99 100 101
            return PE_BADURL;
        }

        # Non protected hosts
        if ( $tmp and !$self->isTrustedUrl($tmp) ) {
            $self->lmLog(
                "URL contains a non protected host (param: "
                  . ( $req->param('logout') ? 'HTTP Referer' : 'urldc' )
                  . " | value: $tmp)",
                "warn"
            );
Yadd's avatar
Yadd committed
102
            delete $req->{urldc};
Yadd's avatar
Yadd committed
103 104 105 106 107 108 109 110 111
            return PE_BADURL;
        }

        $req->datas->{_url} = $url;
    }

    PE_OK;
}

Yadd's avatar
Yadd committed
112 113 114
sub checkLogout {
    my ( $self, $req ) = @_;
    if ( $req->param('logout') ) {
Yadd's avatar
Yadd committed
115 116
        $req->steps(
            [ @{ $self->beforeLogout }, 'authLogout', 'deleteSession' ] );
Yadd's avatar
Yadd committed
117 118 119 120
    }
    PE_OK;
}

Yadd's avatar
Yadd committed
121
sub authLogout {
Yadd's avatar
Yadd committed
122
    my ( $self, $req ) = @_;
Yadd's avatar
Yadd committed
123 124 125
    return $self->_authentication->authLogout(@_);
}

Yadd's avatar
Yadd committed
126 127 128 129 130 131 132 133 134
sub deleteSession {
    my ( $self, $req ) = @_;
    my $apacheSession = $self->getApacheSession( $req->id );
    unless ( $self->_deleteSession( $req, $apacheSession ) ) {
        $self->lmLog( "Unable to delete session " . $req->id, 'error' );
        $self->lmLog( $apacheSession->error,                  'error' );
        return PE_ERROR;
    }
    else {
Yadd's avatar
Yadd committed
135
        HANDLER->localUnlog( $req->id );
Yadd's avatar
Yadd committed
136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154
        $self->lmLog( "Session $req->{id} deleted from global storage",
            'debug' );
    }

    # Collect logout services and build hidden iFrames
    #if ( $self->{logoutServices} and %{ $self->{logoutServices} } ) {

    #    $self->lmLog( "Create iFrames to forward logout to services",
    #        'debug' );

    #    $self->info( "<h3>" . $self->msg(PM_LOGOUT) . "</h3>" );

    #    foreach ( keys %{ $self->{logoutServices} } ) {
    #        my $logoutServiceName = $_;
    #        my $logoutServiceUrl =
    #          $self->{logoutServices}->{$logoutServiceName};

    #        $self->lmLog(
    #"Find lo#gout service $logoutServiceName ($logoutServiceUrl)",
Yadd's avatar
Yadd committed
155

Yadd's avatar
Yadd committed
156 157
    #            'debug'
    #        );
Yadd's avatar
Yadd committed
158 159 160 161 162 163 164 165

#        my $iframe =
#            "<iframe src=\"$logoutServiceUrl\""
#          . " alt=\"$logoutServiceName\" marginwidth=\"0\""
#          . " marginheight=\"0\" scrolling=\"no\" style=\"border: none;display: hidden;margin: 0\""
#          . " width=\"0\" height=\"0\" frameborder=\"0\">"
#          . "</iframe>";

Yadd's avatar
Yadd committed
166 167
    #        $self->info($iframe);
    #    }
Yadd's avatar
Yadd committed
168

Yadd's avatar
Yadd committed
169 170 171 172 173
    #    # Redirect on logout page if no other target defined
    #    if ( !$self->{urldc} and !$self->{postUrl} ) {
    #        $self->{urldc} = $ENV{SCRIPT_NAME} . "?logout=1";
    #    }
    #}
Yadd's avatar
Yadd committed
174

Yadd's avatar
Yadd committed
175 176 177 178
    # Redirect or Post if asked by authLogout
    #return $self->_subProcess(qw(autoRedirect))
    #  if (  $self->{urldc}
    #    and $self->{urldc} ne $self->{portal} );
Yadd's avatar
Yadd committed
179

Yadd's avatar
Yadd committed
180 181
    #return $self->_subProcess(qw(autoPost))
    #  if ( $self->{postUrl} );
Yadd's avatar
Yadd committed
182

Yadd's avatar
Yadd committed
183 184 185 186 187
    # If logout redirects to another URL, just remove next steps for the
    # request so autoRedirect will be called
    if ( $req->{urldc} and $req->{urldc} ne $self->conf->{portal} ) {
        $req->steps( [] );
        return PE_OK;
Yadd's avatar
Yadd committed
188 189
    }

Yadd's avatar
Yadd committed
190 191
    # Else display "error"
    return PE_LOGOUT_OK;
Yadd's avatar
Yadd committed
192 193
}

Yadd's avatar
Yadd committed
194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213
# Check value to detect XSS attack
# @param name Parameter name
# @param value Parameter value
# @return 1 if attack detected, 0 else
sub checkXSSAttack {
    my ( $self, $name, $value ) = @_;

    # Empty values are not bad
    return 0 unless $value;

    # Test value
    if ( $value =~ m/(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/ ) {
        $self->lmLog( "XSS attack detected (param: $name | value: $value)",
            "warn" );
        return $self->conf->{checkXSS};
    }

    return 0;
}

Yadd's avatar
Yadd committed
214 215 216
# Second block: auth process (call auth or userDB object)
# -------------------------------------------------------

Yadd's avatar
Yadd committed
217
sub extractFormInfo {
Yadd's avatar
Yadd committed
218 219
    my ( $self, $req ) = @_;
    return $self->_authentication->extractFormInfo($req);
Yadd's avatar
Yadd committed
220 221 222
}

sub getUser {
Yadd's avatar
Yadd committed
223 224
    my ( $self, $req ) = @_;
    return $self->_userDB->getUser($req);
Yadd's avatar
Yadd committed
225 226 227
}

sub authenticate {
Yadd's avatar
Yadd committed
228 229
    my ( $self, $req ) = @_;
    return $self->_authentication->authenticate($req);
Yadd's avatar
Yadd committed
230 231
}

Yadd's avatar
Yadd committed
232 233
# Third block: Session data providing
# -----------------------------------
Yadd's avatar
Yadd committed
234 235 236 237

sub setSessionInfo {
    my ( $self, $req ) = @_;

Yadd's avatar
Yadd committed
238 239 240
    # Set _user
    $req->{sessionInfo}->{_user} = $req->{user};

Yadd's avatar
Yadd committed
241
    # Get the current user module
Yadd's avatar
Yadd committed
242 243
    $req->{sessionInfo}->{_auth}   = $self->getModule( $req, "auth" );
    $req->{sessionInfo}->{_userDB} = $self->getModule( $req, "user" );
Yadd's avatar
Yadd committed
244 245 246 247 248 249 250 251 252 253 254 255 256

    # Store IP address from remote address or X-FORWARDED-FOR header
    $req->{sessionInfo}->{ipAddr} = $req->remote_ip;

    # Date and time
    if ( $self->conf->{updateSession} ) {
        $req->{sessionInfo}->{updateTime} =
          strftime( "%Y%m%d%H%M%S", localtime() );
    }
    else {
        $req->{sessionInfo}->{_utime} ||= time();
        $req->{sessionInfo}->{startTime} =
          strftime( "%Y%m%d%H%M%S", localtime() );
Yadd's avatar
Yadd committed
257 258
        $req->{sessionInfo}->{_lastSeen} = time()
          if $self->conf->{timeoutActivity};
Yadd's avatar
Yadd committed
259 260 261 262 263 264 265 266 267 268 269
    }

    # Get environment variables matching exportedVars
    foreach ( keys %{ $self->conf->{exportedVars} } ) {
        if ( my $tmp = $ENV{ $self->conf->{exportedVars}->{$_} } ) {
            $tmp =~ s/[\r\n]/ /gs;
            $req->{sessionInfo}->{$_} = $tmp;
        }
    }

    # Store URL origin in session
Yadd's avatar
Yadd committed
270
    $req->{sessionInfo}->{_url} = $req->{urldc};
Yadd's avatar
Yadd committed
271

272
    # Share sessionInfo with underlying handler (needed for safe jail)
Yadd's avatar
Yadd committed
273
    HANDLER->datas( $req->{sessionInfo} );
274

Yadd's avatar
Yadd committed
275
    # Call UserDB setSessionInfo
Yadd's avatar
Yadd committed
276
    return $self->_userDB->setSessionInfo($req);
Yadd's avatar
Yadd committed
277 278 279 280 281

    PE_OK;
}

sub setMacros {
Yadd's avatar
Yadd committed
282 283
    my ( $self, $req ) = @_;
    foreach ( sort keys %{ $self->_macros } ) {
Yadd's avatar
Yadd committed
284
        $req->{sessionInfo}->{$_} = $self->_macros->{$_}->();
Yadd's avatar
Yadd committed
285 286
    }
    PE_OK;
Yadd's avatar
Yadd committed
287 288 289
}

sub setGroups {
Yadd's avatar
Yadd committed
290
    my ( $self, $req ) = @_;
Yadd's avatar
Yadd committed
291
    return $self->_userDB->setGroups($req);
Yadd's avatar
Yadd committed
292 293 294
}

sub setPersistentSessionInfo {
Yadd's avatar
Yadd committed
295
    my ( $self, $req ) = @_;
Yadd's avatar
Yadd committed
296

Yadd's avatar
Yadd committed
297 298 299
    # Do not restore infos if session already opened
    unless ( $req->{id} ) {
        my $key = $req->{sessionInfo}->{ $self->conf->{whatToTrace} };
Yadd's avatar
Yadd committed
300

Yadd's avatar
Yadd committed
301
        return PE_OK unless ( $key and length($key) );
Yadd's avatar
Yadd committed
302

Yadd's avatar
Yadd committed
303
        my $persistentSession = $self->getPersistentSession($key);
Yadd's avatar
Yadd committed
304

Yadd's avatar
Yadd committed
305 306 307
        if ($persistentSession) {
            $self->lmLog( "Persistent session found for $key", 'debug' );
            foreach my $k ( keys %{ $persistentSession->data } ) {
Yadd's avatar
Yadd committed
308

Yadd's avatar
Yadd committed
309 310 311 312 313 314 315
                # Do not restore some parameters
                next if $k =~ /^_(?:utime|session_(?:u?id|kind))$/;
                $self->lmLog( "Restore persistent parameter $k", 'debug' );
                $req->{sessionInfo}->{$k} = $persistentSession->data->{$k};
            }
        }
    }
Yadd's avatar
Yadd committed
316

Yadd's avatar
Yadd committed
317
    PE_OK;
Yadd's avatar
Yadd committed
318 319 320
}

sub setLocalGroups {
Yadd's avatar
Yadd committed
321 322
    my ( $self, $req ) = @_;
    foreach ( sort keys %{ $self->_groups } ) {
Yadd's avatar
Yadd committed
323
        if ( $self->_groups->{$_}->() ) {
Yadd's avatar
Yadd committed
324 325 326 327 328 329 330 331 332 333 334 335
            $req->{sessionInfo}->{groups} .=
              $self->conf->{multiValuesSeparator} . $_;
            $req->{sessionInfo}->{hGroups}->{$_}->{name} = $_;
        }
    }

    # Clear values separator at the beginning
    if ( $req->{sessionInfo}->{groups} ) {
        $req->{sessionInfo}->{groups} =~
          s/^\Q$self->conf->{multiValuesSeparator}\E//o;
    }
    PE_OK;
Yadd's avatar
Yadd committed
336 337 338
}

sub store {
Yadd's avatar
Yadd committed
339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358
    my ( $self, $req ) = @_;

    # Now, user is authenticated => inform handler
    $req->userData( $req->sessionInfo );

    # Create second session for unsecure cookie
    if ( $self->conf->{securedCookie} == 2 ) {
        my $session2 = $self->getApacheSession( undef, 1 );

        my %infos = %{ $req->{sessionInfo} };
        $infos{_httpSessionType} = 1;

        $session2->update( \%infos );

        $req->{sessionInfo}->{_httpSession} = $session2->id;
    }

    # Main session
    my $session = $self->getApacheSession( $req->{id}, 0, $self->{force} );
    return PE_APACHESESSIONERROR unless ($session);
Yadd's avatar
Yadd committed
359
    $req->id( $session->{id} );
Yadd's avatar
Yadd committed
360 361 362 363 364 365 366 367 368 369 370 371

    # Compute unsecure cookie value if needed
    if ( $self->conf->{securedCookie} == 3 ) {
        $req->{sessionInfo}->{_httpSession} =
          $self->conf->{cipher}->encryptHex( $self->{id}, "http" );
    }

    # Fill session
    my $infos = {};
    foreach my $k ( keys %{ $req->{sessionInfo} } ) {
        next unless defined $req->{sessionInfo}->{$k};
        my $displayValue = $req->{sessionInfo}->{$k};
Yadd's avatar
Yadd committed
372 373 374
        if (    $self->conf->{hiddenAttributes}
            and $self->conf->{hiddenAttributes} =~ /\b$k\b/ )
        {
Yadd's avatar
Yadd committed
375 376 377 378
            $displayValue = '****';
        }
        $self->lmLog( "Store $displayValue in session key $k", 'debug' );
        $self->_dump($displayValue) if ref($displayValue);
Yadd's avatar
Yadd committed
379
        $infos->{$k} = $req->{sessionInfo}->{$k};
Yadd's avatar
Yadd committed
380 381 382 383
    }
    $session->update($infos);

    PE_OK;
Yadd's avatar
Yadd committed
384 385 386
}

sub buildCookie {
Yadd's avatar
Yadd committed
387
    my ( $self, $req ) = @_;
Yadd's avatar
Yadd committed
388 389 390 391 392
    push @{ $req->respHeaders },
      'Set-Cookie' => $self->cookie(
        name     => $self->conf->{cookieName},
        value    => $req->{id},
        domain   => $self->conf->{domain},
Yadd's avatar
Yadd committed
393
        path     => "/",
Yadd's avatar
Yadd committed
394 395 396
        secure   => $self->conf->{securedCookie},
        HttpOnly => $self->conf->{httpOnly},
        expires  => $self->conf->{cookieExpiration},
Yadd's avatar
Yadd committed
397 398
      );
    if ( $self->conf->{securedCookie} >= 2 ) {
Yadd's avatar
Yadd committed
399 400 401 402 403
        push @{ $req->respHeaders },
          'Set-Cookie' => $self->cookie(
            name     => $self->conf->{cookieName} . "http",
            value    => $req->{sessionInfo}->{_httpSession},
            domain   => $self->conf->{domain},
Yadd's avatar
Yadd committed
404 405
            path     => "/",
            secure   => 0,
Yadd's avatar
Yadd committed
406 407
            HttpOnly => $self->conf->{httpOnly},
            expires  => $self->conf->{cookieExpiration},
Yadd's avatar
Yadd committed
408 409 410
          );
    }
    PE_OK;
Yadd's avatar
Yadd committed
411 412 413
}

sub cookie {
Yadd's avatar
Yadd committed
414 415 416 417 418 419
    my ( $self, %h ) = @_;
    my @res;
    $res[0] = "$h{name}" or die("name required");
    $res[0] .= "=$h{value}";
    foreach (qw(domain path expires max_age)) {
        my $f = $_;
Yadd's avatar
Yadd committed
420 421
        $f =~ s/_/-/g;
        push @res, "$f=$h{$_}" if ( $h{$_} );
Yadd's avatar
Yadd committed
422 423
    }
    return join( '; ', @res );
Yadd's avatar
Yadd committed
424 425 426
}

1;