Commit e3010de6 authored by Clément OUDOT's avatar Clément OUDOT
Browse files

CAS Issuer (#101):

* Manage gateway parameter (refused unauthenticated user)
* Display CAS logout URL message
* Do not check base64 encoded URL for CAS (mandatory for logout URL management)
parent 7eb813fb
......@@ -134,7 +134,7 @@ elsif ( $portal->{error} == PE_CONFIRM ) {
%templateParams = (
AUTH_ERROR => $portal->error,
AUTH_ERROR_TYPE => $portal->error_type,
AUTH_URL => $portal->get_url,
URL => $portal->get_url,
MSG => $portal->info(),
SKIN => $skin,
HIDDEN_INPUTS => $portal->buildHiddenForm(),
......
......@@ -59,11 +59,19 @@ sub issuerForUnAuthUser {
$self->setHiddenFormValue( 'gateway', $gateway );
# Gateway
# Authentication must use non-interactive mean
if ( $gateway eq 'true' ) {
# TODO
$self->lmLog( "Gateway authentication not managed", 'warn' );
# User should already be authenticated
$self->lmLog(
"Gateway authentication requested, but user is not logged in",
'error' );
# Redirect user to the service
$self->lmLog( "Redirect user to $service", 'debug' );
$self->{urldc} = $service;
return $self->_subProcess(qw(autoRedirect));
}
......@@ -79,9 +87,19 @@ sub issuerForUnAuthUser {
if ($logout_url) {
# We should display a link to the provided URL
# TODO
$self->lmLog( "Return URL not managed", 'warn' );
# Display a link to the provided URL
$self->lmLog( "Logout URL $logout_url will be displayed", 'debug' );
$self->info(
"<h3>"
. &Lemonldap::NG::Portal::_i18n::msg( PM_BACKTOCASURL,
$ENV{HTTP_ACCEPT_LANGUAGE} )
. "</h3>"
);
$self->info("<p><a href=\"$logout_url\">$logout_url</a></p>");
$self->{activeTimer} = 0;
return PE_CONFIRM;
}
return PE_LOGOUT_OK;
......@@ -108,13 +126,6 @@ sub issuerForUnAuthUser {
"Get validate request with ticket $ticket for service $service",
'debug' );
# Get CAS session corresponding to ticket
unless ( $ticket =~ s/^ST-// ) {
$self->lmLog( "Provided ticket is not a service ticket (ST)",
'error' );
$self->returnCasValidateError();
}
my $casServiceSession = $self->getCasSession($ticket);
unless ($casServiceSession) {
......@@ -285,10 +296,11 @@ sub issuerForUnAuthUser {
$casServiceSession->{_utime};
# Trace proxies
$casProxyGrantingSession->{proxies} =
( $proxies
$casProxyGrantingSession->{proxies} = (
$proxies
? $proxies . $self->{multiValuesSeparator} . $pgtUrl
: $pgtUrl );
: $pgtUrl
);
my $casProxyGrantingSessionID =
$casProxyGrantingSession->{_session_id};
......@@ -547,12 +559,6 @@ sub issuerForAuthUser {
# GET parameters
my $logout_url = $self->param('url');
if ($logout_url) {
# We should display a link to the provided URL
# TODO
}
# Delete linked CAS sessions
$self->deleteCasSecondarySessions($session_id);
......@@ -563,6 +569,23 @@ sub issuerForAuthUser {
$self->lmLog( "Fail to delete session $session_id ", 'error' );
}
if ($logout_url) {
# Display a link to the provided URL
$self->lmLog( "Logout URL $logout_url will be displayed", 'debug' );
$self->info(
"<h3>"
. &Lemonldap::NG::Portal::_i18n::msg( PM_BACKTOCASURL,
$ENV{HTTP_ACCEPT_LANGUAGE} )
. "</h3>"
);
$self->info("<p><a href=\"$logout_url\">$logout_url</a></p>");
$self->{activeTimer} = 0;
return PE_CONFIRM;
}
return PE_LOGOUT_OK;
}
......
......@@ -125,6 +125,7 @@ use constant {
PM_SAML_SPLOGOUT => 11,
PM_REDIRECTION => 12,
PM_BACKTOSP => 13,
PM_BACKTOCASURL => 14,
};
# EXPORTER PARAMETERS
......@@ -147,7 +148,7 @@ our @EXPORT = qw( PE_IMG_NOK PE_IMG_OK PE_INFO PE_REDIRECT PE_DONE PE_OK
PM_USER PM_DATE PM_IP PM_SESSIONS_DELETED PM_OTHER_SESSIONS
PM_REMOVE_OTHER_SESSIONS PM_PP_GRACE PM_PP_EXP_WARNING
PM_SAML_IDPSELECT PM_SAML_IDPCHOOSEN PM_REMEMBERCHOICE PM_SAML_SPLOGOUT
PM_REDIRECTION PM_BACKTOSP
PM_REDIRECTION PM_BACKTOSP PM_BACKTOCASURL
);
our %EXPORT_TAGS = ( 'all' => [ @EXPORT, 'import' ], );
......@@ -1102,7 +1103,8 @@ sub controlUrlOrigin {
$self->{_url} ||= '';
if ( my $url = $self->param('url') ) {
# REJECT NON BASE64 URL
# REJECT NON BASE64 URL except for CAS IssuerDB
if ( $self->get_module('issuer') ne "CAS" ) {
if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
$self->lmLog( "XSS attack detected (param: url | value: $url)",
"warn" );
......@@ -1111,6 +1113,8 @@ sub controlUrlOrigin {
$self->{urldc} = decode_base64($url);
$self->{urldc} =~ s/[\r\n]//sg;
}
else { $self->{urldc} = $url; }
# For logout request, test if Referer comes from an authorizated site
my $tmp =
......
......@@ -352,6 +352,7 @@ sub error_ro {
# * PM_SAML_SPLOGOUT 11
# * PM_REDIRECTION 12
# * PM_BACKTOSP 13
# * PM_BACKTOCASURL 14
sub msg_en {
use utf8;
......@@ -370,6 +371,7 @@ sub msg_en {
'Logout from service providers...',
'Redirection in progress...',
'Go back to service provider',
'The application you just logged out of has provided a link it would like you to follow',
];
}
......@@ -390,6 +392,7 @@ sub msg_fr {
'Déconnexion des services...',
'Redirection en cours...',
'Retourner sur le fournisseur de service',
'Le service duquel vous arrivez a fourni un lien que vous êtes invité à suivre',
];
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment