Changeset 3775 for TI12-security

Timestamp:

09/04/08 09:45:36 (12 years ago)

Author:

pjkersha

Message:

Working Perl NDG Single Sign On client.

Location:

TI12-security/trunk/perl

Files:

• NDG/Security/Client.pm (modified) (4 diffs)
• ndglogin.pl (modified) (1 diff)

TI12-security/trunk/perl/NDG/Security/Client.pm

@@ -1 +1 @@
 #!/usr/bin/env perl
-package ndgsecurity::ssoclient;
-
-use Inline Python => <<'END';
-import base64
-def urlSafeB64Encode(str):
-    return base64.urlsafe_b64encode(str)
-  
-from paste.registry import RegistryManager, StackedObjectProxy
-session = StackedObjectProxy()
-
-from ndg.security.common.pylons.security_util import setSecuritySession
-def pySetSecuritySession(h, sid, u, org, rolesStr):
-    roles = rolesStr.split('r')
-    setSecuritySession(h=h, sid=sid, u=u, org=org, roles=roles)
-END
+use strict;
+package NDG::Security::Client;
 
 use Storable qw(freeze thaw);
 use Crypt::CBC;
-use CGI;
+use URI::Escape;
+use CGI qw/-debug/;
+use Log::Log4perl;
+
+Log::Log4perl::init('/var/www/cgi-bin/NDG/Security/ndg-security-log.cfg');
+
+my $log = Log::Log4perl->get_logger;
+
+my %SECURITY_ARG = ('h'=>1, 'roles'=>1, 'sid'=>1, 'org'=>1, 'u'=>1);
+
 
 sub new 
 {
     # Constructor
-    my $type = shift;
+    my $class = shift;
     my $cgi = shift;
     my $encryptionKey = "123456789";
     my $self = {
-    "cgi"  => undef,
-    "encyptionKey" => $encryptionKey,
-    "cipher" => undef,
-    "cookieName" => "ndg-security",
+        "cgi"  => undef,
+        "encyptionKey" => $encryptionKey,
+        "cipher" => undef,
+        "cookieName" => "ndg-security",
+        "wayfURI" => "https://localhost/sso/wayf",
+        "b64encReturnToURL" => undef,
     };
 
-    bless $self;
+    bless($self, $class);
 
+    # CGI object for convenient access to http environment
+    $self->{cgi} = $cgi or CGI->new();
+
+    # Cipher for encryption of session cookie
     $self->{cipher} = new Crypt::CBC(-key=>$encryptionKey);
-    $self->{cgi} = $cgi or CGI->new();
+    
+    # Supply encoded form of return to URL ready to be passed to SSO Service for user login
+    $self->{b64encReturnToURL} = '';
+    
     return $self;
 }
 
-sub sessionHandler
+
+sub ssoHandler
 {
     my $self = shift;
+    
+    my $virtualHostName = $self->{cgi}->virtual_host();
+    my $urlPath = $self->{cgi}->url(-absolute=>1);
+        
     if ($self->{cgi}->param('h'))
     {
-        my $cookie = self->setSession();
-        my $returnTo = 
-            "http://" . $self->{cgi}->virtual_host() . $self->{cgi}->url(-absolute=>1);
-        $self->{cgi}->redirect(-uri=>$returnTo, -cookie=>$cookie, -nph=>1);
+        # 'h' argument is present in query indicating a GET call from a Single Sign On
+        # Service in response to a login
+        
+        # Set a cookie based on the query args supplied from the SSO Service response
+        my $cookie = $self->_setSessionFromSSOResp();
+        
+        # Create query string with security args filtered out
+        my $query = $self->_stripSecurityQueryArgs();
+        
+        my $returnToURL = "http://" . $virtualHostName . $urlPath . $query;
+            
+        $log->info("Generating redirection header for redirect to ".$returnToURL."...");
+
+        # nph flag crashes with Apache - intended for MS IIS?
+        return $self->{cgi}->redirect(-uri=>$returnToURL, -cookie=>$cookie);
+    }
+    else
+    {
+        # No Call to the Single Sign On Service has been made - prepare return to URL 
+        # for such a call - encode it ready to be incorporated into a login request to # the Single Sign On Service
+        #
+        # URL is set to https to ensure encrypted channel for SSO service -> to THIS 
+        # SSO client transfer
+        my $queryStr = $self->{cgi}->query_string();
+        my $returnToURL = "https://" . $virtualHostName . $urlPath ."?" . $queryStr;
+        
+        $log->info("Generating return to URL with SSL transport ".$returnToURL."...");
+        
+        $self->{b64encReturnToURL} = urlSafeB64Encode($returnToURL);
+        return '';
     }
 }
 
 
-sub makeCookie
+sub _stripSecurityQueryArgs
+{
+    my $self = shift;
+    my %arg = $self->{cgi}->Vars;
+    my $queryStr = '?';
+    my $key;
+    my $val;
+    
+    # Iterate through the keys adding to the query string only if they are non-security
+    # related and they are a genuine URL parameter
+    while (($key, $val) = each %arg)
+    {
+        if (! $SECURITY_ARG{$key})# && $self->{cgi}->url_param($key))
+        {
+            $queryStr .= uri_escape($key)."=".uri_escape($val)."&";
+        }
+    }
+    # Remove trailing '&' (or '?' if no args set)
+    $queryStr = substr($queryStr, 0, -1);
+    return $queryStr;
+}
+
+
+sub _makeCookie
 {
     my $self = shift;
@@ -61 +120 @@
     my $encrSess = $self->{cipher}->encrypt_hex($serializedSess);
     my $cookie = $self->{cgi}->cookie(
-    #new CGI::Cookie(
-            -name=>$self->{cookieName},
-            -value=>$encrSess,
-            -path=>'/',
-            -expires=>'+8h'
-            );
-            
+        -name=>$self->{cookieName},
+        -value=>$encrSess,
+        -path=>'/',
+        -expires=>'+8h'
+        );
+
     return $cookie;
 }
 
 
-sub getCookie
+sub _getCookie
 {
     my $self = shift;
@@ -78 +136 @@
     my $cookie = $self->{cgi}->cookie($self->{cookieName});
     my $serialisedSess = $self->{cipher}->decrypt_hex($cookie);
-    my %session = thaw($serializedSess);
+    my %session = thaw($serialisedSess);
     return %session;
 }
  
  
-sub setSession
+# Parse query response from SSO Service and set a security session cookie
+sub _setSessionFromSSOResp
 {
     my $self = shift;
@@ -98 +157 @@
         roles => @roles);
         
-    return $self->makeCookie(%session);
+    return $self->_makeCookie(%session);
 }
 
-1;    # ensure good finish
+
+use Inline Python => <<'END';
+import base64
+def urlSafeB64Encode(str):
+    return base64.urlsafe_b64encode(str)
+END
+
+1;
 __END__
 

TI12-security/trunk/perl/ndglogin.pl

@@ -4 +4 @@
 use warnings;
 use CGI;
-#use MIME::Base64::URLSafe;
-use ndgsecurity::ssoclient qw (urlSafeB64Encode);
- 
+#use ndgsecurity::ssoclient;
+use NDG::Security::Client;
+
 my $cgi = CGI->new();
 #my $session = ndgsecurity::ssoclient->new($cgi);
-my $session = eval {new ndgsecurity::ssoclient($cgi)};
+my $session = eval {new NDG::Security::Client($cgi)};
 
-$session->sessionHandler();
-my $wayfURI = "https://localhost/sso/wayf";
-
-# Refer back to THIS URL but over https rather than http
-my $returnTo = "https://" . $cgi->virtual_host() . $cgi->url(-absolute=>1);
-my $b64encReturnTo = "";#urlSafeB64Encode($returnTo);
-
-print $cgi->header('text/html');
-print $cgi->start_html('NDG Login'),
-$cgi->h1('NDG Login'),
-$returnTo, $cgi->br,
-$cgi->start_form(-action=>$wayfURI),
-$cgi->hidden('r', $b64encReturnTo), $cgi->br,
-$cgi->submit('NDG Login'),
-$cgi->end_form, $cgi->p,
-$cgi->hr;
-
-print $cgi->end_html;
-
+# Call Single Sign On handler
+my $redirectHdr = $session->ssoHandler();
+if ($redirectHdr)
+{
+    # A redirect header has created indicating the handler has received a response from
+    # a Single Sign Service
+    print $redirectHdr;
+}
+else
+{
+    # Create a form based on the WAYF address and encoded return to address formulated by
+    # ssoHandler
+    print $cgi->header('text/html');
+    print $cgi->start_html('NDG Login'),
+    $cgi->h1('NDG Login'),
+    $cgi->start_form(-action=>$session->{wayfURI}),
+    $cgi->hidden('r', $session->{b64encReturnToURL}), $cgi->br,
+    $cgi->submit('NDG Login'),
+    $cgi->end_form, $cgi->p,
+    $cgi->hr;
     
+    print $cgi->end_html;
+}
+