LEMONLDAP::NG : SOAP HTTP basic authentication

build/lemonldap-ng/INSTALL

@@ -98,6 +98,8 @@ http://manager.example.com/
 2 - ADVANCED INSTALLATION
 -------------------------
 
+It is recommended to install the example first then to adapt it.
+
 2.1 - PREREQ
 
 2.1.1 - Apache

build/lemonldap-ng/Makefile

@@ -94,18 +94,20 @@ example: all
 	@echo "1 - Add this in your Apache configuration file:"
 	@echo "    with Apache-1.3.x"
 	@echo
-	@echo "    include ${EXAMPLEDIR}apache.conf"
+	@echo "      include ${EXAMPLEDIR}apache.conf"
 	@echo
 	@echo "    or with Apache-2.x:"
 	@echo
-	@echo "    include ${EXAMPLEDIR}apache2.conf"
+	@echo "      include ${EXAMPLEDIR}apache2.conf"
 	@echo
-	@echo "2 - Add test.example.com and auth.example.com in yout /etc/hosts :"
+	@echo "2 - Add test.example.com and auth.example.com in your /etc/hosts or"
+	@echo "    modify apache.conf to use NameVirtualHost, different port or"
+	@echo "    address;"
 	@echo
 	@echo "    cat ${EXAMPLEDIRBUILD}/for_etc_hosts >> /etc/hosts"
 	@echo
-	@echo "3 - edit ${EXAMPLEDIR}/conf/lmConf-1 and set ldapServer and ldapBase."
-	@echo "    or use the manager at http://manager.example.com/ (after apache restart)"
+	@echo "3 - Use the manager at http://manager.example.com/ (after apache restart)"
+	@echo "    or edit ${EXAMPLEDIR}/conf/lmConf-1 and set ldapServer and ldapBase."
 	@echo
 	@echo "4 - Restart Apache (or Apache2)"
 	@echo

build/lemonldap-ng/TODO

@@ -2,26 +2,25 @@ Lemonldap::NG TODO
 ------------------
 TODO list for Lemonldap::NG development
 
-- Priority: Low	Status: N/A	Created: 2007\05\03 11-40-36
-Delete buttons in virtualHosts if 'read"-"only'
-- Priority: Normal	Status: Planning	Created: 2007\05\03 12-28-30
-Modify example to use nameVirtualHost instead of 127.0.0.x adresses
-- Priority: Normal	Status: In progress	Created: 2007\05\03 10-41-36
-Modify install to make a running example as debian install
 - Priority: Normal	Status: In progress	Created: 2007\05\03 11-45-05
 Display errors in saveConf
-- Priority: Normal	Status: N/A	Created: 2007\05\03 11-50-17
-Test and documentation for SOAP authentication
-- Priority: Low	Status: Planning	Created: 2007\05\03 11-46-55
+- Priority: Normal	Status: In progress	Created: 2007\05\03 10-41-36
+Modify install to make a running example as debian install
+- Priority: Normal	Status: Planning	Created: 2007\05\03 12-28-30
+Modify example to use nameVirtualHost instead of 127.0.0.x adresses
+- Priority: Low	Status: Planning	Created: 2007\04\23 21-26-18
+TLS in LDAP connection. SSL works, but start_tls cannot yet be called.
+- Priority: Low	Status: N/A	Created: 2007\05\05 21-58-53
 Documentation :
- * logout documentation
+ * Translate FAQ in English (http://lemonldap.objectweb.org/)
+ * Security document
 - Priority: Low	Status: N/A	Created: 2007\05\03 11-47-42
 Order rules :
  * find a system to move up and down rules in manager interface
  * split locationRules into 2 arrays
+- Priority: Low	Status: N/A	Created: 2007\05\03 11-40-36
+Delete buttons in virtualHosts if 'read"-"only'
 - Priority: Low	Status: N/A	Created: 2007\04\21 13-14-55
 Simplified manager interface fo rules:
  * simplified regexp (* instead of .*,...)
  * simple combobox to choose groups
-- Priority: Low	Status: Planning	Created: 2007\04\23 21-26-18
-TLS in LDAP connection. SSL works, but start_tls cannot yet be called.

build/lemonldap-ng/debian/changelog

@@ -10,8 +10,10 @@ lemonldap-ng (0.8.1.2) unstable; urgency=low
     configuration file has moved to /var/lib/lemonldap-ng/conf/ and first
     configuration file is managed by debconf
   * Buttons to manage configurations in manager (next, previous, last, delete)
+  * SOAP: HTTP basic authentication and little bug correction in 'sessions'
+    mode
 
- -- Xavier Guimard <x.guimard@free.fr>  Thu, 03 May 2007 10:39:51 +0200
+ -- Xavier Guimard <x.guimard@free.fr>  Sun, 06 May 2007 16:18:40 +0200
 
 lemonldap-ng (0.8.1.1) unstable; urgency=low
 

build/lemonldap-ng/debian/liblemonldap-ng-conf-perl.install

+debian/tmp/usr/share/perl5/Lemonldap/NG/Manager/Apache/*
 debian/tmp/usr/share/perl5/Lemonldap/NG/Manager/Conf*
 debian/tmp/usr/share/man/man3/Lemonldap::NG::Manager::Conf*
 debian/tmp/usr/share/man/man1/lmConfig_File2MySQL.1p

modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/SharedConf.pm

@@ -253,8 +253,6 @@ local store.
 L<Lemonldap::NG::Handler>, L<Lemonldap::NG::Manager>, L<Lemonldap::NG::Portal>,
 http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation
 
-=back
-
 =head1 AUTHOR
 
 Xavier Guimard, E<lt>x.guimard@free.frE<gt>

modules/lemonldap-ng-manager/Changes

 Revision history for Perl extension Lemonldap::NG::Manager.
 
+0.65  Sun May 6 16:15:49 2007
+	- SOAP: HTTP basic authentication and little bug correction in 'sessions'
+	  mode
+	- More tests in conf
+
 0.64  Sun Apr 29 16:18:31 2007
 	- File permissions fix to 0640 in File.pm
 	- Multiple configuration in the same server is now possible

modules/lemonldap-ng-manager/MANIFEST

@@ -72,6 +72,7 @@ t/Lemonldap-NG-Manager-Conf-DBI.t
 t/Lemonldap-NG-Manager-Conf-File.t
 t/Lemonldap-NG-Manager-Conf-SOAP.t
 t/Lemonldap-NG-Manager-Conf.t
+t/Lemonldap-NG-Manager-SOAPServer.t
 t/Lemonldap-NG-Manager.t
 t/Lemonldap-NG-Manager_en.t
 t/Lemonldap-NG-Manager_fr.t

modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm

@@ -16,7 +16,7 @@ use MIME::Base64;
 
 our @ISA = qw(Lemonldap::NG::Manager::Base);
 
-our $VERSION = '0.64';
+our $VERSION = '0.65';
 
 sub new {
     my ( $class, $args ) = @_;

modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Apache/Session/SOAP.pm

@@ -3,15 +3,20 @@ package Lemonldap::NG::Manager::Apache::Session::SOAP;
 use strict;
 use SOAP::Lite;
 
-our $VERSION = 0.1;
+our $VERSION = 0.2;
 
 # Variables shared with SOAP::Transport::HTTP::Client
-my ( $username, $password );
+our ( $user, $password ) = ( '', '' );
+
+BEGIN {
+    sub SOAP::Transport::HTTP::Client::get_basic_credentials {
+        return $Lemonldap::NG::Manager::Apache::Session::SOAP::user => $Lemonldap::NG::Manager::Apache::Session::SOAP::password;
+    }
+}
 
 # PUBLIC INTERFACE
 
 sub TIEHASH {
-    print STDERR "TIEHASH\n";
     my $class = shift;
 
     my $session_id = shift;
@@ -26,7 +31,7 @@ sub TIEHASH {
     foreach (qw(proxy proxyOptions)) {
         $self->{$_} = $args->{$_};
     }
-    ($username, $password) = ( $args->{username}, $args->{password} );
+    ( $user, $password ) = ( $args->{User}, $args->{Password} );
     bless $self, $class;
 
     if (defined $session_id  && $session_id) {
@@ -41,14 +46,12 @@ sub TIEHASH {
 }
 
 sub FETCH {
-    print STDERR "FETCH\n";
     my $self = shift;
     my $key  = shift;
     return $self->{data}->{$key};
 }
 
 sub STORE {
-    print STDERR "STORE\n";
     my $self  = shift;
     my $key   = shift;
     my $value = shift;
@@ -59,7 +62,6 @@ sub STORE {
 }
 
 sub DELETE {
-    print STDERR "DELETE\n";
     my $self = shift;
     my $key  = shift;
 
@@ -69,7 +71,6 @@ sub DELETE {
 }
 
 sub CLEAR {
-    print STDERR "CLEAR\n";
     my $self = shift;
 
     $self->{modified} = 1;
@@ -78,27 +79,23 @@ sub CLEAR {
 }
 
 sub EXISTS {
-    print STDERR "EXISTS\n";
     my $self = shift;
     my $key  = shift;
     return exists $self->{data}->{$key};
 }
 
 sub FIRSTKEY {
-    print STDERR "FIRESTKEY\n";
     my $self = shift;
     my $reset = keys %{$self->{data}};
     return each %{$self->{data}};
 }
 
 sub NEXTKEY {
-    print STDERR "NEXTKEY\n";
     my $self = shift;
     return each %{$self->{data}};
 }
 
 sub DESTROY {
-    print STDERR "DESTROY\n";
     my $self = shift;
     $self->save;
 }
@@ -139,14 +136,6 @@ sub save {
     return $self->_soapCall( "set", $self->{_session_id}, $self->{data} );
 }
 
-BEGIN {
-    sub SOAP::Transport::HTTP::Client::get_basic_credentials {
-        return $username => $password;
-    }
-}
-
-# TODO: test and documentation of authentication
-
 1;
 __END__
 
@@ -173,6 +162,9 @@ access to Lemonldap::NG Web-SSO sessions via SOAP.
                  proxyOptions => {
                      timeout => 5,
                  },
+                 # If soapserver is protected by HTTP Basic:
+                 User     => 'http-user',
+                 Password => 'pass',
          },
          configStorage       => {
              ... # See Lemonldap::NG::Handler
@@ -187,8 +179,11 @@ access to Lemonldap::NG Web-SSO sessions via SOAP.
                  proxyOptions => {
                      timeout => 5,
                  },
+                 # If soapserver is protected by HTTP Basic:
+                 User     => 'http-user',
+                 Password => 'pass',
          },
-        configStorage => {
+         configStorage => {
              ... # See Lemonldap::NG::Portal
 
 You can also set parameters corresponding to "Apache::Session module" in the
@@ -211,8 +206,9 @@ Apache::Session module (set as Lemonldap::NG::Manager::SOAPServer parameter).
 
 As Lemonldap::NG::Manager::Conf::SOAP use SOAP::Lite, you have to see
 L<SOAP::Transport> to know arguments that can be passed to C<proxyOptions>.
+Lemonldap::NG provides a system for HTTP basic authentication.
 
-Example :
+Examples :
 
 =over
 
@@ -225,13 +221,6 @@ C<>SOAP::Transport::HTTP::Client::get_basic_credentials>:
   
   use base Lemonldap::NG::Handler::SharedConf;
   
-  # AUTHENTICATION
-  BEGIN {
-    sub SOAP::Transport::HTTP::Client::get_basic_credentials {
-      return 'username' => 'password';
-    }
-  }
-  
   __PACKAGE__->init ( {
       localStorage        => "Cache::FileCache",
       localStorageOptions => {
@@ -241,6 +230,8 @@ C<>SOAP::Transport::HTTP::Client::get_basic_credentials>:
       configStorage       => {
                 type  => 'SOAP',
                 proxy => 'http://manager.example.com/soapserver.pl',
+                User     => 'http-user',
+                Password => 'pass',
       },
       https               => 1,
   } );

modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/SOAP.pm

@@ -3,7 +3,17 @@ package Lemonldap::NG::Manager::Conf::SOAP;
 use strict;
 use SOAP::Lite;
 
-our $VERSION = 0.11;
+our $VERSION = 0.2;
+
+BEGIN {
+    *Lemonldap::NG::Manager::Conf::_soapCall = \&_soapCall;
+    *Lemonldap::NG::Manager::Conf::_connect = \&_connect;
+    sub SOAP::Transport::HTTP::Client::get_basic_credentials {
+       return $Lemonldap::NG::Manager::Conf::SOAP::username => $Lemonldap::NG::Manager::Conf::SOAP::password;
+    }
+}
+
+our ( $username, $password ) = ( '', '' );
 
 sub prereq {
     my $self = shift;
@@ -28,6 +38,8 @@ sub _connect {
 sub _soapCall {
     my $self = shift;
     my $func = shift;
+    $username = $self->{User};
+    $password = $self->{Password};
     return $self->_connect->$func(@_)->result;
 }
 
@@ -92,8 +104,11 @@ Lemonldap::NG Web-SSO configuration via SOAP.
                 'default_expires_in' => 600,
       },
       configStorage       => {
-                type  => 'SOAP',
-                proxy => 'http://manager.example.com/soapserver.pl',
+                type     => 'SOAP',
+                proxy    => 'http://manager.example.com/soapserver.pl',
+                # If soapserver is protected by HTTP Basic:
+                User     => 'http-user',
+                Password => 'pass',
       },
       https               => 0,
   } );
@@ -106,6 +121,9 @@ Lemonldap::NG Web-SSO configuration via SOAP.
           configStorage => {
                   type    => 'SOAP',
                   proxy   => 'http://localhost/devel/test.pl',
+                  # If soapserver is protected by HTTP Basic:
+                  User     => 'http-user',
+                  Password => 'pass',
           }
   });
   # Next as usual... See Lemonldap::NG::Portal(3)
@@ -121,6 +139,9 @@ Lemonldap::NG Web-SSO configuration via SOAP.
            configStorage=>{
                   type  => 'SOAP',
                   proxy => 'http://localhost/devel/test.pl'
+                  # If soapserver is protected by HTTP Basic:
+                  User     => 'http-user',
+                  Password => 'pass',
            },
             dhtmlXTreeImageLocation=> "/imgs/",
         }
@@ -152,27 +173,18 @@ configuration via SOAP.
 
 As Lemonldap::NG::Manager::Conf::SOAP use SOAP::Lite, you have to see
 L<SOAP::Transport> to know arguments that can be passed to C<proxyOptions>.
+Lemonldap::NG provides a system for HTTP basic authentication.
 
-Example :
+Examples :
 
 =over
 
 =item * HTTP Basic authentication
 
-SOAP::transport can use basic authentication by rewriting
-C<>SOAP::Transport::HTTP::Client::get_basic_credentials>:
-
   package My::Package;
   
   use base Lemonldap::NG::Handler::SharedConf;
   
-  # AUTHENTICATION
-  BEGIN {
-    sub SOAP::Transport::HTTP::Client::get_basic_credentials {
-      return 'username' => 'password';
-    }
-  }
-  
   __PACKAGE__->init ( {
       localStorage        => "Cache::FileCache",
       localStorageOptions => {
@@ -182,6 +194,8 @@ C<>SOAP::Transport::HTTP::Client::get_basic_credentials>:
       configStorage       => {
                 type  => 'SOAP',
                 proxy => 'http://manager.example.com/soapserver.pl',
+                User     => 'http-user',
+                Password => 'pass',
       },
       https               => 1,
   } );

modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/SOAPServer.pm

@@ -5,7 +5,7 @@ use SOAP::Transport::HTTP;
 use Lemonldap::NG::Manager::Conf;
 use UNIVERSAL qw(isa);
 
-our $VERSION = "0.1";
+our $VERSION = "0.2";
 
 # Initialization
 
@@ -42,8 +42,8 @@ sub new {
 sub init {
     my $self = shift;
     if( $self->{type} eq 'sessions' ) {
-        $Lemonldap::NG::Manager::SOAPService::Sessions::authorizatedFunc =
-          $self->{authorizatedFunc} || 'get';
+        $Lemonldap::NG::Manager::SOAPService::Sessions::authorizedFunctions =
+          $self->{AuthorizedFunctions} || 'get';
         $Lemonldap::NG::Manager::SOAPService::Sessions::config = $self;
     }
     else {
@@ -99,17 +99,23 @@ sub load {
 package Lemonldap::NG::Manager::SOAPService::Sessions;
 
 our $config;
-our $authorizedFunc = 'get';
+our $authorizedFunctions = 'get';
 
 sub newsession {
-    return 0 unless( $authorizedFunc =~ /\bnew\b/ );
+    unless( $authorizedFunctions =~ /\bnew\b/ ) {
+        print STDERR "Lemonldap::NG::Manager::SOAPService: 'new' is not authorized. Set 'AuthorizedFunctions' parameter if needed.\n";
+        return 0;
+    }
     my( $class, $args ) = @_;
     $args ||= {};
     my %h;
     eval {
         tie %h, $config->{realSessionStorage}, undef, $config->{realSessionStorageOptions};
     };
-    return 0 if ($@);
+    if ($@) {
+        print STDERR "Lemonldap::NG::Manager::SOAPService: $@\n";
+        return 0;
+    }
     # my $id = $h{_session_id};
     $h{$_} = $args->{$_} foreach ( keys %{ $args } );
     $h{_utime} = time();
@@ -119,8 +125,7 @@ sub newsession {
 }
 
 sub get {
-    print STDERR "get\n";
-    return 0 unless( $authorizedFunc =~ /\bget\b/ );
+    return 0 unless( $authorizedFunctions =~ /\bget\b/ );
     my( $class, $id ) = @_;
     my %h;
     eval {
@@ -135,7 +140,7 @@ sub get {
 }
 
 sub set {
-    return 0 unless( $authorizedFunc =~ /\bset\b/ );
+    return 0 unless( $authorizedFunctions =~ /\bset\b/ );
     my( $class, $id, $args ) = @_;
     my %h;
     eval {
@@ -168,7 +173,10 @@ Lemonldap::NG Web-SSO configuration or sessions via SOAP.
               # 2 types are available :
               #   * 'config' for configuration access
               #   * 'sessions' for sessions access
-              type          => 'config', 
+              type          => 'sessions',
+              # For 'sessions' type, you can choose exported functions (get
+              # only by default):
+              AuthorizedFunctions => 'new get set',
   );
 
 =head2 Client side
@@ -196,6 +204,9 @@ sessions access.
       configStorage       => {
                 type  => 'SOAP',
                 proxy => 'http://manager.example.com/soapserver.pl',
+                # If soapserver is protected by HTTP Basic:
+                User     => 'http-user',
+                Password => 'pass',
       },
       https               => 0,
   } );
@@ -208,6 +219,9 @@ sessions access.
           configStorage => {
                   type    => 'SOAP',
                   proxy   => 'http://localhost/devel/test.pl',
+                  # If soapserver is protected by HTTP Basic:
+                  User     => 'http-user',
+                  Password => 'pass',
           }
   });
   # Next as usual...
@@ -223,6 +237,9 @@ sessions access.
            configStorage=>{
                   type  => 'SOAP',
                   proxy => 'http://localhost/devel/test.pl'
+                  # If soapserver is protected by HTTP Basic:
+                  User     => 'http-user',
+                  Password => 'pass',
            },
             dhtmlXTreeImageLocation=> "/imgs/",
         }
@@ -265,7 +282,11 @@ overload this package.
 Since Lemonldap::NG::Manager::SOAPServer act as a CGI, you can protect
 configuration access by any of the HTTP protection mecanisms.
 See L<Lemonldap::NG::Manager::Conf::SOAP> for the security in the client
-side. 
+side.
+
+In "session" mode, you can control what functions can be used by SOAP. By
+default, only "get" can be used: it means that only handlers can work with it.
+Use "AuthorizedFunctions" parameter to grant other functions.
 
 =head1 SEE ALSO
 

modules/lemonldap-ng-manager/t/Lemonldap-NG-Manager-Conf-DBI.t

@@ -5,11 +5,22 @@
 
 # change 'tests => 1' to 'tests => last_test_to_print';
 
-use Test::More tests => 1;
-BEGIN { use_ok('Lemonldap::NG::Manager::Conf::DBI') }
+use Test::More tests => 2;
+BEGIN { use_ok('Lemonldap::NG::Manager::Conf') }
 
 #########################
 
 # Insert your test code below, the Test::More module is use()ed here so read
 # its man page ( perldoc Test::More ) for help writing this test script.
 
+my $h;
+@ARGV = ("help=groups");
+ok(
+    $h = new Lemonldap::NG::Manager::Conf(
+    {
+	    type     => 'DBI',
+	    dbiChain => "DBI:mysql:database=lemonldap-ng",
+	    dbiUser  => 'lemonldap-ng',
+	}
+    )
+);

modules/lemonldap-ng-manager/t/Lemonldap-NG-Manager-Conf-File.t

@@ -5,11 +5,21 @@
 
 # change 'tests => 1' to 'tests => last_test_to_print';
 
-use Test::More tests => 1;
-BEGIN { use_ok('Lemonldap::NG::Manager::Conf::File') }
+use Test::More tests => 2;
+BEGIN { use_ok('Lemonldap::NG::Manager::Conf') }
 
 #########################
 
 # Insert your test code below, the Test::More module is use()ed here so read
 # its man page ( perldoc Test::More ) for help writing this test script.
 
+my $h;
+@ARGV = ("help=groups");
+ok(
+    $h = new Lemonldap::NG::Manager::Conf(
+    {
+	    type    => 'File',
+	    dirName => ".",
+	}
+    )
+);

modules/lemonldap-ng-manager/t/Lemonldap-NG-Manager-SOAPServer.t

+# Before `make install' is performed this script should be runnable with
+# `make test'. After `make install' it should work as `perl Lemonldap-NG-Manager-SOAPServer.t'
+
+#########################
+
+# change 'tests => 1' to 'tests => last_test_to_print';
+
+use Test::More tests => 3;
+
+# SOAP::Lite is not required, so Lemonldap::NG::Manager::Conf::SOAP may
+# not run.
+SKIP: {
+    eval { require SOAP::Transport::HTTP };
+    skip "SOAP::Transport::HTTP is not installed, so Lemonldap::NG::Manager::SOAPServer will not be useable",
+      3
+      if ($@);
+    use_ok('Lemonldap::NG::Manager::SOAPServer');
+    my $s;
+    ok ( $s = Lemonldap::NG::Manager::SOAPServer->new (
+            type => 'config',
+            configStorage => {
+                type    => 'File',
+                dirName => '.',
+            }
+      )
+    );
+    eval { require Apache::Session::File };
+    skip "Apache::Session::File is not installed. Lemonldap::NG::Manager::SOAPServer will not be tested in 'sessions' mode",
+      1
+      if ($@);
+    ok ( $s = Lemonldap::NG::Manager::SOAPServer->new (
+            type => 'sessions',
+            realSessionStorage => 'Apache::Session::File',
+      )
+    );
+}
+
+#########################
+
+# Insert your test code below, the Test::More module is use()ed here so read
+# its man page ( perldoc Test::More ) for help writing this test script.
+

modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm

@@ -193,7 +193,6 @@ sub controlExistingSession {
         }
 
         # Logout if required
-        # TODO: logout documentation
         if($self->param('logout')) {
             # Delete session in global storage
             tied(%h)->delete;