Commit 007a5432 authored by Christophe Maudoux's avatar Christophe Maudoux

Restore CAS activation global rule (#1625)

parent fc316991
......@@ -23,8 +23,20 @@ extends 'Lemonldap::NG::Portal::Main::Issuer',
use constant beforeAuth => 'storeEnvAndCheckGateway';
use constant sessionKind => 'ICAS';
has rule => ( is => 'rw', default => sub { {} } );
sub init {
my ($self) = @_;
my $hd = $self->p->HANDLER;
$self->logger->debug( "CAS Rule -> " . $self->conf->{issuerDBCASRule} );
my $rule
= $hd->buildSub( $hd->substitute( $self->conf->{issuerDBCASRule} ) );
unless ($rule) {
$self->error( "Bad CAS rule " . $hd->tsv->{jail}->error );
return 0;
}
$self->{rule} = $rule;
# Launch parents initialization subroutines, then launch IdP en SP lists
my $res = $self->Lemonldap::NG::Portal::Main::Issuer::init();
......@@ -78,6 +90,11 @@ sub storeEnvAndCheckGateway {
sub run {
my ( $self, $req, $target ) = @_;
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
$self->userLogger->error('CAS service not authorized');
return PE_CAS_SERVICE_NOT_ALLOWED;
}
# CAS URL
my $cas_login = 'login';
my $cas_logout = 'logout';
......@@ -105,8 +122,8 @@ sub run {
# GET parameters
my $service = $self->p->getHiddenFormValue( $req, 'service' )
|| $req->param('service');
my $renew =
$self->p->getHiddenFormValue( $req, 'renew' ) || $req->param('renew');
my $renew = $self->p->getHiddenFormValue( $req, 'renew' )
|| $req->param('renew');
my $gateway = $self->p->getHiddenFormValue( $req, 'gateway' )
|| $req->param('gateway');
my $casServiceTicket;
......@@ -114,8 +131,8 @@ sub run {
# Renew
if ( $renew
and $renew eq 'true'
and time - $req->sessionInfo->{_utime} >
$self->conf->{portalForceAuthnInterval} )
and time - $req->sessionInfo->{_utime}
> $self->conf->{portalForceAuthnInterval} )
{
# Authentication must be replayed
......@@ -151,7 +168,8 @@ sub run {
}
if ( my $rule = $self->spRules->{$app} ) {
if ( $rule->( $req, $req->sessionInfo ) ) {
$self->logger->debug("CAS service $service access allowed");
$self->logger->debug(
"CAS service $service access allowed");
}
else {
......@@ -160,14 +178,15 @@ sub run {
if ( $casAccessControlPolicy =~ /^(error)$/i ) {
$self->logger->debug(
"Return error instead of redirecting user on CAS service"
"Return error instead of redirecting user on CAS service"
);
return PE_CAS_SERVICE_NOT_ALLOWED;
}
else {
$self->logger->debug(
"Redirect user on CAS service with a fake ticket");
"Redirect user on CAS service with a fake ticket"
);
$casServiceTicket = "ST-F4K3T1CK3T";
}
}
......@@ -179,10 +198,10 @@ sub run {
# Check last authentication time to decide if
# the authentication is recent or not
my $casRenewFlag = 0;
my $last_authn_utime = $req->{sessionInfo}->{_lastAuthnUTime} || 0;
if (
time() - $last_authn_utime <
$self->conf->{portalForceAuthnInterval} )
my $last_authn_utime
= $req->{sessionInfo}->{_lastAuthnUTime} || 0;
if (time() - $last_authn_utime
< $self->conf->{portalForceAuthnInterval} )
{
$self->logger->debug(
"Authentication is recent, will set CAS renew flag to true"
......@@ -296,7 +315,8 @@ sub run {
}
# 4. SERVICE VALIDATE [CAS 2.0]
if ( $target eq $cas_serviceValidate || $target eq $cas_p3_serviceValidate )
if ( $target eq $cas_serviceValidate
|| $target eq $cas_p3_serviceValidate )
{
$self->logger->debug(
......@@ -304,7 +324,8 @@ sub run {
# This URL must not be called by authenticated users
$self->userLogger->info(
"CAS SERVICE VALIDATE URL called by authenticated user, ignore it");
"CAS SERVICE VALIDATE URL called by authenticated user, ignore it"
);
return PE_OK;
}
......@@ -312,7 +333,8 @@ sub run {
# 5. PROXY VALIDATE [CAS 2.0]
if ( $target eq $cas_proxyValidate || $target eq $cas_p3_proxyValidate ) {
$self->logger->debug("URL $url detected as an CAS PROXY VALIDATE URL");
$self->logger->debug(
"URL $url detected as an CAS PROXY VALIDATE URL");
# This URL must not be called by authenticated users
$self->userLogger->info(
......@@ -394,7 +416,7 @@ sub validate {
or $service2_uri->rel($service1_uri) eq "./" )
{
$self->logger->notice(
"Submitted service $service1_uri does not exactly match initial service "
"Submitted service $service1_uri does not exactly match initial service "
. $service2_uri
. ' but difference is tolerated.' );
}
......@@ -407,7 +429,8 @@ sub validate {
}
}
else {
$self->logger->debug("Submitted service $service math initial servce");
$self->logger->debug(
"Submitted service $service math initial servce");
}
# Check renew
......@@ -418,7 +441,7 @@ sub validate {
unless ( $casServiceSession->data->{renew} ) {
$self->logger->error(
"Authentication renew requested, but not done in former authentication process"
"Authentication renew requested, but not done in former authentication process"
);
$self->deleteCasSession($casServiceSession);
return $self->returnCasValidateError();
......@@ -426,8 +449,8 @@ sub validate {
}
# Open local session
my $localSession =
$self->p->getApacheSession( $casServiceSession->data->{_cas_id} );
my $localSession
= $self->p->getApacheSession( $casServiceSession->data->{_cas_id} );
unless ($localSession) {
$self->logger->warn( "Local session "
......@@ -438,8 +461,7 @@ sub validate {
}
# Get username
my $username =
$localSession->data->{ $self->conf->{casAttr}
my $username = $localSession->data->{ $self->conf->{casAttr}
|| $self->conf->{whatToTrace} };
$self->logger->debug("Get username $username");
......@@ -587,7 +609,7 @@ sub _validate2 {
or $service2_uri->rel($service1_uri) eq "./" )
{
$self->logger->notice(
"Submitted service $service1_uri does not exactly match initial service "
"Submitted service $service1_uri does not exactly match initial service "
. $service2_uri
. ' but difference is tolerated.' );
}
......@@ -614,7 +636,7 @@ sub _validate2 {
unless ( $casServiceSession->data->{renew} ) {
$self->logger->error(
"Authentication renew requested, but not done in former authentication process"
"Authentication renew requested, but not done in former authentication process"
);
$self->deleteCasSession($casServiceSession);
return $self->returnCasValidateError();
......@@ -667,12 +689,11 @@ sub _validate2 {
$casProxyGrantingTicketIOU = "PGTIOU-" . $tmpCasSession->id;
$self->deleteCasSession($tmpCasSession);
$self->logger->debug(
"Generate proxy granting ticket IOU $casProxyGrantingTicketIOU"
"Generate proxy granting ticket IOU $casProxyGrantingTicketIOU"
);
# Request pgtUrl
if (
$self->callPgtUrl(
if ($self->callPgtUrl(
$pgtUrl, $casProxyGrantingTicketIOU,
$casProxyGrantingTicket
)
......@@ -696,8 +717,8 @@ sub _validate2 {
}
# Open local session
my $localSession =
$self->p->getApacheSession( $casServiceSession->data->{_cas_id} );
my $localSession
= $self->p->getApacheSession( $casServiceSession->data->{_cas_id} );
unless ($localSession) {
$self->userLogger->error( "Local session "
......@@ -709,16 +730,15 @@ sub _validate2 {
}
# Get username
my $username =
$localSession->data->{ $self->conf->{casAttr}
my $username = $localSession->data->{ $self->conf->{casAttr}
|| $self->conf->{whatToTrace} };
$self->logger->debug("Get username $username");
# Get attributes [CAS 3.0]
my $attributes = {};
my $ev =
( $app and $self->conf->{casAppMetaDataExportedVars}->{$app} )
my $ev
= ( $app and $self->conf->{casAppMetaDataExportedVars}->{$app} )
? $self->conf->{casAppMetaDataExportedVars}->{$app}
: {};
unless (%$ev) {
......
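Review bot: In the `init` hunk (`@@ -23,8 +23,20 @@`) the compiled rule is stored with `$self->{rule} = $rule;` although the attribute was just declared as a Moo `has rule => ( is => 'rw', ... )` and is read through the accessor in `run` (`$self->rule->( $req, $req->sessionInfo )`); write it through the accessor as well, `$self->rule($rule);`, so the attribute is set and read the same way. The declared default `sub { {} }` is a hashref, yet `run` invokes the value as a coderef, so if `run` were ever reached without `init` having succeeded, `$self->rule->(...)` would die with "Not a CODE reference" instead of denying the request; a deny-by-default such as `default => sub { sub { 0 } }` would make that path fail closed, or the default can be dropped if `init` is guaranteed to run first. If `issuerDBCASRule` can be absent from the configuration, the debug concatenation `"CAS Rule -> " . $self->conf->{issuerDBCASRule}` warns on undef and what `buildSub` compiles from an empty expression is not visible here, so an explicit check with a logged error would make the authorization decision unambiguous. `init` continues past the end of the hunk.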
......@@ -217,6 +217,7 @@ sub issuer {
authentication => 'Demo',
userDB => 'Same',
issuerDBCASActivation => 1,
issuerDBCASRule => '$uid eq "french"',
casAttr => 'uid',
casAccessControlPolicy => 'error',
multiValuesSeparator => ';',
......
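Review bot: The added `issuerDBCASRule => '$uid eq "french"'` restricts the CAS issuer to a single user, but this hunk shows only the configuration and not the expectations; a test of the new `rule` check in `run` should cover both a session that satisfies the rule and one that does not (expecting `PE_CAS_SERVICE_NOT_ALLOWED` for the latter), and whether the negative case exists is not visible here. The single quotes are correct, since `$uid` must reach the rule compiler uninterpolated. The enclosing `sub issuer` starts outside the hunk.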