From 0b3dbb4b0cdf6c4c28987e467b5b31592bf16a6c Mon Sep 17 00:00:00 2001 From: Pascal <[email protected]> Date: Fri, 7 Aug 2009 16:46:08 +0200 Subject: [PATCH] A first, quick and dirty try to use CAS SSO solution with Koha, but it work and seems to be harmless for non cas users. Content-Type: text/plain; charset=\"utf-8\"
---
C4/Auth.pm | 29 +++++-
C4/Auth_with_cas.pm | 102 ++++++++++++++++++++
koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl | 2 +
3 files changed, 128 insertions(+), 5 deletions(-)
create mode 100644 C4/Auth_with_cas.pm
diff --git a/C4/Auth.pm b/C4/Auth.pm
index eb7a464..40a9b94 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -30,7 +30,7 @@ use C4::Branch; # GetBranches
use C4::VirtualShelves;
# use utf8;
-use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap);
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas);
BEGIN {
$VERSION = 3.02; # set version for version checking
@@ -44,6 +44,12 @@ BEGIN {
require C4::Auth_with_ldap; # no import
import C4::Auth_with_ldap qw(checkpw_ldap);
}
+ $cas = C4::Context->config('usecasauth') || 0 ;
+ if ($cas) {
+ require C4::Auth_with_cas; # no import
+ import C4::Auth_with_cas qw(checkpw_cas GetCasRedirect);
+ }
+
}
=head1 NAME
@@ -239,7 +245,8 @@ sub get_template_and_user {
$template->param( js_widgets => $in->{'js_widgets'} );
$template->param( sessionID => $sessionID );
-
+ $template->param( casinuse => 1) if $cas ;
+
my ($total, $pubshelves) = C4::Context->get_shelves_userenv();
# an
anonymous user has no 'barshelves'...
if (defined(($pubshelves))) {
$template->param( pubshelves => scalar
(@$pubshelves),
@@ -529,10 +536,10 @@ sub checkauth {
$sessiontype = $session->param('sessiontype');
}
- if ( ($query->param('koha_login_context')) &&
($query->param('userid')
ne $session->param('id')) ) {
+ if ( (($query->param('koha_login_context')) &&
($query->param('userid')
ne $session->param('id'))) || ( $cas && $query->param('ticket') ) ) {
#if a user enters an id ne to the id in the current
session, we need to
log them in...
#first we need to clear the anonymous session...
- $debug and warn "query id = " . $query->param('userid')
. " but session id
= " . $session->param('id');
+ $debug and printf STDERR "query id = " .
$query->param('userid') . " but
session id = " . $session->param('id');
$session->flush;
$session->delete();
C4::Context->_unset_userenv($sessionID);
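Review bot: The added `|| ( $cas && $query->param('ticket') )` makes checkauth flush and delete the existing session and unset its userenv before the ticket has been validated, so once CAS is enabled any request carrying a `ticket` parameter — for example a link sent to a logged-in user — terminates that user's session. Discard the session only after `checkpw_cas` has accepted the ticket, or at minimum only when the session holds no authenticated id. The rewritten debug line also switches from `warn` to `printf STDERR` with the user-supplied userid concatenated into the format string, so `%` sequences in the parameter are interpreted; keep it as `$debug and warn "query id = " . ($query->param('userid') || '') . " but session id = " . ($session->param('id') || '');`. On the ticket path `userid` is absent, so the `ne` comparison would also warn on undef without such a guard; the rest of checkauth lies outside this hunk.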
@@ -587,9 +594,11 @@ sub checkauth {
my $sessionID = $session->id;
C4::Context->_new_userenv($sessionID);
$cookie = $query->cookie(CGISESSID => $sessionID);
- if ( $userid = $query->param('userid') ) {
+ if ( ( $userid = $query->param('userid') ) || ( ($userid =
$query->param('ticket')) and $cas )) {
my $password = $query->param('password');
my ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password
);
+ #whith CAS, we only have userid
+ $cas and $userid = $cardnumber ;
if ($return) {
_session_log(sprintf "%20s from %16s logged in at %30s.\n",
$userid,$ENV{'REMOTE_ADDR'},localtime);
if ( $flags = haspermission($userid, $flagsrequired) ) {
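Review bot: `$cas and $userid = $cardnumber ;` runs for every login attempt once usecasauth is set, not only for ticket logins, and runs before `$return` is checked, so a password login through the LDAP or internal branch has its `$userid` replaced by the cardnumber before `haspermission` and `_session_log` see it, and a failed login leaves it undefined — which contradicts the commit message's claim of being harmless for non-CAS users. Restrict the override to the path that actually consumed a ticket: `$userid = $cardnumber if $cas && $return && !$query->param('userid') && $query->param('ticket');`. A comment is also warranted that on that path `$userid` initially holds the raw service ticket and `$cardnumber` holds whatever `checkpw_cas` returned as its second value. The remainder of this branch is outside the hunk.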
@@ -764,6 +773,10 @@ sub checkauth {
#
#
+ # if we have CAS, we can simply do this
+ if ($cas) {
+ GetCasRedirect() unless ( $info{'nopermission'} ||
$info{'invalid_username_or_password'} )
+ }
# get the inputs from the incoming query
my @inputs = ();
foreach my $name ( param $query) {
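Review bot: `GetCasRedirect()` (defined in the new module) prints a `Location` header and returns, and nothing here stops checkauth, which goes on to gather the query inputs and, as far as the rest of the function outside this hunk suggests, build the login page, so the client receives a redirect followed by an HTML body. Exit once the redirect has been emitted: `if ( $cas && !( $info{'nopermission'} || $info{'invalid_username_or_password'} ) ) { GetCasRedirect(); exit; }`. When a ticket fails validation `invalid_username_or_password` suppresses the redirect, and the template hunk hides the password form whenever `casinuse` is set, so that user lands on a page with no way to log in; redirecting to CAS once more or rendering an explicit error would avoid the dead end.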
@@ -1211,6 +1224,12 @@ sub checkpw {
my ($retval,$retcard) = checkpw_ldap(@_); # EXTERNAL AUTH
($retval) and return ($retval,$retcard);
}
+ if ($cas) {
+ $debug and print STDERR "## checkpw - checking CAS\n";
+ my ($retval,$retcard) = checkpw_cas( $userid ); # EXTERNAL AUTH
+ $userid = $retcard ;
+ ($retval) and return ($retval,$retcard);
+ }
# INTERNAL AUTH
my $sth =
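Review bot: The new block calls `checkpw_cas( $userid )` on every checkpw call when CAS is enabled, including ordinary password logins, so a plain userid is sent to the CAS server as if it were a service ticket, and `$userid = $retcard ;` then overwrites the local `$userid` — with undef when validation fails — before the internal-auth branch that begins at the end of this hunk reads it, so database password logins cannot succeed while usecasauth is set. Drop the unconditional reassignment and only return on success: `my ($retval,$retcard) = checkpw_cas($userid); return ($retval,$retcard) if $retval;`. Better still, only attempt CAS when no password was supplied, e.g. `if ($cas && !defined $password)`, assuming checkpw unpacks its third argument as `$password` the way the call site in checkauth suggests. The argument unpacking and the internal branch are outside this hunk.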
diff --git a/C4/Auth_with_cas.pm b/C4/Auth_with_cas.pm
new file mode 100644
index 0000000..05f0cae
--- /dev/null
+++ b/C4/Auth_with_cas.pm
@@ -0,0 +1,102 @@
+package C4::Auth_with_cas;
+
+# Copyright 2000-2002 Katipo Communications
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
with
+# Koha; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+
+use strict;
+use warnings;
+
+use Digest::MD5 qw(md5_base64);
+
+use C4::Debug;
+use C4::Context;
+use CGI;
+use AuthCAS;
+
+
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
+
+BEGIN {
+ require Exporter;
+ $VERSION = 3.03; # set the version for version checking
+ $debug = $ENV{DEBUG} || 0 ;
+ @ISA = qw(Exporter);
+ @EXPORT = qw( checkpw_cas GetCasRedirect );
+
+}
+
+sub _cas_auth_error ($) {
+ return sprintf('No "%s" defined in KOHA_CONF: ' . $ENV{KOHA_CONF},
shift);
+}
+
+use vars qw( $cas $login_url $casurl $sslca $isauthoritative );
+my $context = C4::Context->new() ; #or die 'C4::Context->new failed';
+my $casurl = C4::Context->config("casserverurl") or die
_cas_auth_error('casserverurl') ;
+my $sslca = C4::Context->config("sslcafile") or die
_cas_auth_error('sslcafile') ;
+my $isauthoritative = (C4::Context->config("sslcafile") ? 1 : 0 ) ;
+#
+my $cas = new AuthCAS(casUrl => $casurl ,
+ CAFile => $sslca
+ ) ;
+my $query = new CGI ;
+my $myurl = $query->url() ;
+
+sub checkpw_cas($) {
+
+ my $ST = shift ;
+ my $casuser = $cas->validateST($myurl, $ST) ;
+ $debug and printf STDERR "Debug: validateST return %s\n", $casuser ;
+ $casuser and return ( 1, $casuser ) ;
+ return 0 ;
+
+
+}
+sub GetCasRedirect() {
+ my $login_url = $cas->getServerLoginURL($myurl) ;
+ print $query->redirect($login_url) ;
+}
+
+
+
+1
+
+__END__
+=head1 NAME
+
+C4::Auth_with_cas
+
+=head1 SYNOPSIS
+
+ use C4::Auth_with_cas;
+ we want to authenticate our users with the CAS SSO solution
(http://www.jasig.org/cas). At a later time, we may use some code
+ from C4::Auth_with_ldap to allow retriving additional informations from a
ldap serveur.
+
+=head1 LDAP Configuration
+ we need a few additional things from KOHA_CONF :
+ * usecasauth 1 # do we really want Auth_with_cas ?
+ * casserverurl URL # the login URL of the CAS server, something like
htts://cas.myserver.com:8080
+ * sslcafile SSL # a SSL Certificate issued by a authority to validate
SSL
serveur
+ connection (mandatory)
+ * casauthoritative O # do we want CAS to create new user automagically
?
(with very few
+ informations though...) Not yet implemented
+
+ <usecasauth>1</usecasauth>
+ <casserverurl>https://cas.koha.org</casserverurl>
+ <sslcafile>/etc/ssl/ca.crt</sslcafile>
+ <casauthoritative>O</casauthoritative>
+
+Of course, we need our userid to be the same as the identity provided by CAS
server.
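Review bot: `checkpw_cas` returns `( 1, $casuser )` as soon as `validateST` yields a name, without checking that the CAS principal exists in the borrowers table, so every account known to the CAS server obtains a Koha session, and the second return value is a username although the caller in C4::Auth treats it as the cardnumber `checkpw` normally returns. Map the principal to a borrower row and fail when there is none, as sketched below (column names follow what the internal branch of checkpw is expected to use and should be confirmed). `my $query = new CGI` and `$myurl` are evaluated once at module load — inside C4::Auth's BEGIN block — so under a persistent interpreter the service URL handed to both getServerLoginURL and validateST would be the one from the first request; compute it per call. `$isauthoritative` reads `sslcafile` rather than `casauthoritative`, `Digest::MD5` is imported but unused, and the POD heading `=head1 LDAP Configuration` and `htts://` should read `CAS Configuration` and `https://`. A failed validation is silent apart from the debug print; logging AuthCAS's error text would make a wrong CA file or clock skew diagnosable.
```perl
sub checkpw_cas {
    my ($ST) = @_;
    return 0 unless defined $ST && length $ST;

    my $casuser = $cas->validateST( $myurl, $ST );
    $debug and print STDERR 'Debug: validateST returned ' . ( defined $casuser ? $casuser : 'undef' ) . "\n";
    return 0 unless $casuser;

    # Only a principal that already exists as a borrower may log in;
    # column names assumed to match checkpw's internal branch - confirm.
    my $sth = C4::Context->dbh->prepare(
        'SELECT cardnumber, userid FROM borrowers WHERE userid = ?' );
    $sth->execute($casuser);
    my ( $cardnumber, $userid ) = $sth->fetchrow;
    return 0 unless defined $userid;
    return ( 1, $cardnumber );
}
# ... unchanged: GetCasRedirect ...
```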
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl b/koha-
tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
index 601bc4b..31f2717 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
@@ -93,6 +93,7 @@
<!-- TMPL_IF NAME="opacuserlogin" -->
<!-- TMPL_UNLESS NAME="loggedinusername" -->
+ <!-- TMPL_UNLESS NAME="casinuse" -->
<div class="yui-u">
<div id="login" class="container">
<form action="/cgi-bin/koha/opac-user.pl" method="post" name="auth"
id="auth">
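Review bot: Wrapping the form in `TMPL_UNLESS NAME="casinuse"` hides password login for everyone as soon as usecasauth is set, while C4::Auth still accepts `userid`/`password` posts, so the restriction is cosmetic and local-only accounts — and anyone whose ticket fails validation, which suppresses the CAS redirect in checkauth — are left without a login path. Either keep the form and add a "Log in with CAS" link beside it, or make the backend refuse password logins when CAS is meant to be authoritative. The opening tag would benefit from a comment such as `<!-- CAS in use: password form hidden; login is driven by the CAS redirect in checkauth -->`.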
@@ -109,6 +110,7 @@
</div>
</div>
<!-- /TMPL_UNLESS -->
+ <!-- /TMPL_UNLESS -->
<!-- /TMPL_IF -->
</div>
--
1.6.4
From 0b3dbb4b0cdf6c4c28987e467b5b31592bf16a6c Mon Sep 17 00:00:00 2001
From: Pascal <[email protected]>
Date: Fri, 7 Aug 2009 16:46:08 +0200
Subject: [PATCH] A first, quick and dirty try to use CAS SSO solution with Koha, but it work and seems to be harmless for non cas users.
Content-Type: text/plain; charset=\"utf-8\"
---
C4/Auth.pm | 29 +++++-
C4/Auth_with_cas.pm | 102 ++++++++++++++++++++
koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl | 2 +
3 files changed, 128 insertions(+), 5 deletions(-)
create mode 100644 C4/Auth_with_cas.pm
diff --git a/C4/Auth.pm b/C4/Auth.pm
index eb7a464..40a9b94 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -30,7 +30,7 @@ use C4::Branch; # GetBranches
use C4::VirtualShelves;
# use utf8;
-use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap);
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas);
BEGIN {
$VERSION = 3.02; # set version for version checking
@@ -44,6 +44,12 @@ BEGIN {
require C4::Auth_with_ldap; # no import
import C4::Auth_with_ldap qw(checkpw_ldap);
}
+ $cas = C4::Context->config('usecasauth') || 0 ;
+ if ($cas) {
+ require C4::Auth_with_cas; # no import
+ import C4::Auth_with_cas qw(checkpw_cas GetCasRedirect);
+ }
+
}
=head1 NAME
@@ -239,7 +245,8 @@ sub get_template_and_user {
$template->param( js_widgets => $in->{'js_widgets'} );
$template->param( sessionID => $sessionID );
-
+ $template->param( casinuse => 1) if $cas ;
+
my ($total, $pubshelves) = C4::Context->get_shelves_userenv();
# an anonymous user has no 'barshelves'...
if (defined(($pubshelves))) {
$template->param( pubshelves => scalar (@$pubshelves),
@@ -529,10 +536,10 @@ sub checkauth {
$sessiontype = $session->param('sessiontype');
}
- if ( ($query->param('koha_login_context')) && ($query->param('userid') ne $session->param('id')) ) {
+ if ( (($query->param('koha_login_context')) && ($query->param('userid') ne $session->param('id'))) || ( $cas && $query->param('ticket') ) ) {
#if a user enters an id ne to the id in the current session, we need to log them in...
#first we need to clear the anonymous session...
- $debug and warn "query id = " . $query->param('userid') . " but session id = " . $session->param('id');
+ $debug and printf STDERR "query id = " . $query->param('userid') . " but session id = " . $session->param('id');
$session->flush;
$session->delete();
C4::Context->_unset_userenv($sessionID);
@@ -587,9 +594,11 @@ sub checkauth {
my $sessionID = $session->id;
C4::Context->_new_userenv($sessionID);
$cookie = $query->cookie(CGISESSID => $sessionID);
- if ( $userid = $query->param('userid') ) {
+ if ( ( $userid = $query->param('userid') ) || ( ($userid = $query->param('ticket')) and $cas )) {
my $password = $query->param('password');
my ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password );
+ #whith CAS, we only have userid
+ $cas and $userid = $cardnumber ;
if ($return) {
_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},localtime);
if ( $flags = haspermission($userid, $flagsrequired) ) {
@@ -764,6 +773,10 @@ sub checkauth {
#
#
+ # if we have CAS, we can simply do this
+ if ($cas) {
+ GetCasRedirect() unless ( $info{'nopermission'} || $info{'invalid_username_or_password'} )
+ }
# get the inputs from the incoming query
my @inputs = ();
foreach my $name ( param $query) {
@@ -1211,6 +1224,12 @@ sub checkpw {
my ($retval,$retcard) = checkpw_ldap(@_); # EXTERNAL AUTH
($retval) and return ($retval,$retcard);
}
+ if ($cas) {
+ $debug and print STDERR "## checkpw - checking CAS\n";
+ my ($retval,$retcard) = checkpw_cas( $userid ); # EXTERNAL AUTH
+ $userid = $retcard ;
+ ($retval) and return ($retval,$retcard);
+ }
# INTERNAL AUTH
my $sth =
diff --git a/C4/Auth_with_cas.pm b/C4/Auth_with_cas.pm
new file mode 100644
index 0000000..05f0cae
--- /dev/null
+++ b/C4/Auth_with_cas.pm
@@ -0,0 +1,102 @@
+package C4::Auth_with_cas;
+
+# Copyright 2000-2002 Katipo Communications
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# Koha; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+
+use strict;
+use warnings;
+
+use Digest::MD5 qw(md5_base64);
+
+use C4::Debug;
+use C4::Context;
+use CGI;
+use AuthCAS;
+
+
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
+
+BEGIN {
+ require Exporter;
+ $VERSION = 3.03; # set the version for version checking
+ $debug = $ENV{DEBUG} || 0 ;
+ @ISA = qw(Exporter);
+ @EXPORT = qw( checkpw_cas GetCasRedirect );
+
+}
+
+sub _cas_auth_error ($) {
+ return sprintf('No "%s" defined in KOHA_CONF: ' . $ENV{KOHA_CONF}, shift);
+}
+
+use vars qw( $cas $login_url $casurl $sslca $isauthoritative );
+my $context = C4::Context->new() ; #or die 'C4::Context->new failed';
+my $casurl = C4::Context->config("casserverurl") or die _cas_auth_error('casserverurl') ;
+my $sslca = C4::Context->config("sslcafile") or die _cas_auth_error('sslcafile') ;
+my $isauthoritative = (C4::Context->config("sslcafile") ?
1 : 0 ) ;
+#
+my $cas = new AuthCAS(casUrl => $casurl ,
+ CAFile => $sslca
+ ) ;
+my $query = new CGI ;
+my $myurl = $query->url() ;
+
+sub checkpw_cas($) {
+
+ my $ST = shift ;
+ my $casuser = $cas->validateST($myurl, $ST) ;
+ $debug and printf STDERR "Debug: validateST return %s\n", $casuser ;
+ $casuser and return ( 1, $casuser ) ;
+ return 0 ;
+
+
+}
+sub GetCasRedirect() {
+ my $login_url = $cas->getServerLoginURL($myurl) ;
+ print $query->redirect($login_url) ;
+}
+
+
+
+1
+
+__END__
+=head1 NAME
+
+C4::Auth_with_cas
+
+=head1 SYNOPSIS
+
+ use C4::Auth_with_cas;
+ we want to authenticate our users with the CAS SSO solution (http://www.jasig.org/cas). At a later time, we may use some code
+ from C4::Auth_with_ldap to allow retriving additional informations from a ldap serveur.
+
+=head1 LDAP Configuration
+ we need a few additional things from KOHA_CONF :
+ * usecasauth 1 # do we really want Auth_with_cas ?
+ * casserverurl URL # the login URL of the CAS server, something like htts://cas.myserver.com:8080
+ * sslcafile SSL # a SSL Certificate issued by a authority to validate SSL serveur
+ connection (mandatory)
+ * casauthoritative O # do we want CAS to create new user automagically ? (with very few
+ informations though...) Not yet implemented
+
+ <usecasauth>1</usecasauth>
+ <casserverurl>https://cas.koha.org</casserverurl>
+ <sslcafile>/etc/ssl/ca.crt</sslcafile>
+ <casauthoritative>O</casauthoritative>
+
+Of course, we need our userid to be the same as the identity provided by CAS server.
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
index 601bc4b..31f2717 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
@@ -93,6 +93,7 @@
<!-- TMPL_IF NAME="opacuserlogin" -->
<!-- TMPL_UNLESS NAME="loggedinusername" -->
+ <!-- TMPL_UNLESS NAME="casinuse" -->
<div class="yui-u">
<div id="login" class="container">
<form action="/cgi-bin/koha/opac-user.pl" method="post" name="auth" id="auth">
@@ -109,6 +110,7 @@
</div>
</div>
<!-- /TMPL_UNLESS -->
+ <!-- /TMPL_UNLESS -->
<!-- /TMPL_IF -->
</div>
--
1.6.4
