Changeset 4902 for TI12-security


Timestamp:
03/02/09 12:55:39 (11 years ago)
Author:
pjkersha
Message:

Updated with changes from the version on zonda: added a case to the SSO Handler for the response from an SSO service logout, ensuring that the logout query argument is removed from the return to URL.

File:
1 edited

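--- a/TI12-security/trunk/perl/NDG/Security/Client.pm
+++ b/TI12-security/trunk/perl/NDG/Security/Client.pm
@@ -62,5 +62,6 @@
                                      -salt=>1);
 
-    # Supply encoded form of return to URL ready to be passed to SSO Service for user login
+    # Supply encoded form of return to URL ready to be passed to SSO Service
+    # for user login
     $self->{b64encReturnToURL} = '';
 
@@ -93,8 +94,9 @@
     if ($self->{cgi}->param('h'))
     {
-        # 'h' argument is present in query indicating a GET call from a Single Sign On
-        # Service in response to a login
-
-        # Set a cookie based on the query args supplied from the SSO Service response
+        # 'h' argument is present in query indicating a GET call from a Single
+        # Sign On Service in response to a login
+
+        # Set a cookie based on the query args supplied from the SSO Service
+        # response
         my $cookie = $self->_setSessionFromSSOResp();
 
@@ -104,15 +106,27 @@
         my $returnToURL = "http://" . $virtualHostName . $urlPath . $query;
 
-        $log->info("Generating redirection header for redirect to ".$returnToURL."...");
+        $log->info("Generating redirection header for redirect to "
+                           .$returnToURL."...");
 
         # nph flag crashes with Apache - intended for MS IIS?
         return $self->{cgi}->redirect(-uri=>$returnToURL, -cookie=>$cookie);
     }
+    elsif ($self->{cgi}->param('logout'))
+    {
+        # Service in response to a logout - strip logout query arg
+        my $query = $self->_stripSecurityQueryArgs();
+
+        my $returnToURL = "http://" . $virtualHostName . $urlPath . $query;
+        $log->info("Generating redirection header following logout for ".
+                   "redirect to ".$returnToURL."...");
+
+        return $self->{cgi}->redirect(-uri=>$returnToURL);
+    }
     elsif (! $self->_getSessionFromCookie())
     {
         $self->_makeHttpsReturnToURL();
         my $wayfURI = $self->{wayfURI}."?r=".$self->{b64encReturnToURL};
-        $log->info("User not logged in - Generating redirection header for WAYF: ".
-            $wayfURI."...");
+        $log->info("User not logged in - Generating redirection header for ".
+                           "WAYF: ".$wayfURI."...");
 
         return $self->{cgi}->redirect(-uri=>$wayfURI);
@@ -120,9 +134,10 @@
     else
     {
-        # No Call to the Single Sign On Service has been made - prepare return to URL
-        # for such a call - encode it ready to be incorporated into a login request to # the Single Sign On Service
+        # No Call to the Single Sign On Service has been made - prepare return
+        # to URL for such a call - encode it ready to be incorporated into a
+        # login request to # the Single Sign On Service
         #
-        # URL is set to https to ensure encrypted channel for SSO service -> to THIS
-        # SSO client transfer
+        # URL is set to https to ensure encrypted channel for SSO service -> to
+        # THIS SSO client transfer
         $self->_makeHttpsReturnToURL();
         return '';
@@ -144,5 +159,6 @@
     }
 
-    $log->info("Generating return to URL with SSL transport ".$returnToURL."...");
+    $log->info("Generating return to URL with SSL transport ".
+                   $returnToURL."...");
 
     $self->{b64encReturnToURL} = pyUrlSafeB64Encode($returnToURL);
@@ -157,6 +173,6 @@
     my $val;
 
-    # Iterate through the keys adding to the query string only if they are non-security
-    # related and they are a genuine URL parameter
+    # Iterate through the keys adding to the query string only if they are
+    # non-security related and they are a genuine URL parameter
     while (($key, $val) = each %arg)
     {
@@ -251,6 +267,6 @@
 
 
-# Policy enforcement Point - provide access control decision given resource constraints
-# and user attributes
+# Policy enforcement Point - provide access control decision given resource
+# constraints and user attributes
 sub pep
 {
@@ -261,6 +277,7 @@
     my $session = $self->_getSessionFromCookie();
 
-    my $msg = "resource ".$resrcFilePath." for user ".$session->{u}." with session ID = ".
-        $session->{sid};
+    my $msg = "resource ".$resrcFilePath." for user ".$session->{u}.
+                  " with session ID = ".
+                  $session->{sid};
 
     # Gather access constraint information for resource
@@ -268,6 +285,6 @@
     if ($accessInfo[0])
     {
-        # Access may be granted if read permission is set to public or if the file
-        # is previously cached
+        # Access may be granted if read permission is set to public or if the
+        # file is previously cached
         $log->info("Access granted for ".$msg.": ".$accessInfo[1]->{msg});
         return 1;
@@ -293,21 +310,23 @@
 sub getFTPAccessFileReadPermissionsInfo
 {
-    # Adapted from FTPaccess::read_access for use with NDG Security - changed so that
-    # all access info is returned and now username or user group info is checked.  The
-    # latter needs to be done by python code checking the user's NDG Attribute Certificate
-
-    #  Returns flag indicating if the user is allowed to read the directory containing
-    # the given file. Also returns hash giving information about how the result was
-    # arrived at.
+    # Adapted from FTPaccess::read_access for use with NDG Security - changed
+    # so that all access info is returned and now username or user group info
+    # is checked.  The latter needs to be done by python code checking the
+    # user's NDG Attribute Certificate
+
+    # Returns flag indicating if the user is allowed to read the directory
+    # containing
+    # the given file. Also returns hash giving information about how the result
+    # was arrived at.
     my $filePath = shift;   # File or directory name to check access for
     my %info;
 
-    my $ftpaccess_file = BADC::FTPaccess::find_nearest_ftpaccess_file($filePath);
+    my $ftpaccess_file=BADC::FTPaccess::find_nearest_ftpaccess_file($filePath);
     my $ftpaccess = BADC::FTPaccess->new($ftpaccess_file);
 
     $info{filePath} = $ftpaccess_file;
 
-    # Check that we do actually have an ftpaccess file to interogate. If not then grant
-    # read access
+    # Check that we do actually have an ftpaccess file to interogate. If not
+    # then grant read access
     if (not $ftpaccess)
     {
@@ -337,6 +356,6 @@
     $info{allowedUsers} = \@allowedUsers;
 
-    $info{msg} =
-        "username and/or group information is needed to determine access permissions";
+    $info{msg} = "username and/or group information is needed to determine ".
+                         "access permissions";
     return (0, \%info);
 }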
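Review bot: The new `elsif ($self->{cgi}->param('logout'))` branch (new lines 114-124) redirects with no `-cookie` argument, so nothing visible in it expires this client's own session cookie. Unless the SSO service clears that cookie itself, the next request would still pass `_getSessionFromCookie()` and the user would remain logged in locally after the logout. Consider sending an expired cookie with the redirect, e.g. `return $self->{cgi}->redirect(-uri=>$returnToURL, -cookie=>$self->{cgi}->cookie(-name=>$SESSION_COOKIE_NAME_PLACEHOLDER, -value=>'', -expires=>'-1d'));`, where the placeholder stands for the project's session cookie name, which is not shown here. The redirect target is also built as `"http://" . $virtualHostName . $urlPath . $query`, so it is worth confirming that `$virtualHostName`, set outside the shown hunks, comes from server configuration and not from the request's Host header. The enclosing sub starts and ends outside the hunk.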