X-Git-Url: http://git.rot13.org/?a=blobdiff_plain;f=C4%2FAuth_with_shibboleth.pm;h=cde0ede08bfe7bb82dbcb40aff3f0c0d21bd0ed3;hb=d475dae77313e8f0ee11146ce824d019351cbc5f;hp=18538ab6ee8d5def977c8a10a0fa89d467f594fb;hpb=3c9004357d48944ce36d3964f7e6f1ba15702b71;p=koha.git
diff --git a/C4/Auth_with_shibboleth.pm b/C4/Auth_with_shibboleth.pm
index 18538ab6ee..cde0ede08b 100644
--- a/C4/Auth_with_shibboleth.pm
+++ b/C4/Auth_with_shibboleth.pm
@@ -1,79 +1,88 @@
 package C4::Auth_with_shibboleth;
-# Copyright 2011 BibLibre
+# Copyright 2014 PTFS Europe
 #
 # This file is part of Koha.
 #
-# Koha is free software; you can redistribute it and/or modify it under the
-# terms of the GNU General Public License as published by the Free Software
-# Foundation; either version 2 of the License, or (at your option) any later
-# version.
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
 #
-# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
-# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
-# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with Koha; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see .
-use strict;
-use warnings;
+use Modern::Perl;
 use C4::Debug;
 use C4::Context;
+use Koha::AuthUtils qw(get_script_name);
+use Koha::Database;
 use Carp;
 use CGI;
-use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
+use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
 BEGIN {
     require Exporter;
-    $VERSION = 3.03; # set the version for version checking
     $debug = $ENV{DEBUG};
     @ISA = qw(Exporter);
-    @EXPORT = qw(logout_shib login_shib_url checkpw_shib get_login_shib);
+    @EXPORT =
+      qw(shib_ok logout_shib login_shib_url checkpw_shib get_login_shib);
+}
+
+# Check that shib config is not malformed
+sub shib_ok {
+    my $config = _get_shib_config();
+
+    if ($config) {
+        return 1;
+    }
+
+    return 0;
 }
-my $context = C4::Context->new() or die 'C4::Context->new failed';
-my $shib = C4::Context->config('shibboleth') or croak 'No in koha-conf.xml';
-my $shibbolethMatchField = $shib->{matchpoint} or croak 'No defined in koha-conf.xml';
-my $shibbolethMatchAttribute = $shib->{mapping}->{$shibbolethMatchField}->{is} or croak 'Matchpoint not mapped in koha-conf.xml';
-my $protocol = "https://";
 # Logout from Shibboleth
 sub logout_shib {
     my ($query) = @_;
-    my $uri = $protocol . C4::Context->preference('OPACBaseURL');
+    my $uri = _get_uri();
     print $query->redirect( $uri . "/Shibboleth.sso/Logout?return=$uri" );
 }
 # Returns Shibboleth login URL with callback to the requesting URL
 sub login_shib_url {
-    my ($query) = @_;
-    my $param = $protocol . C4::Context->preference('OPACBaseURL') . $query->script_name();
+
+    my $param = _get_uri() . get_script_name();
     if ( $query->query_string() ) {
         $param = $param . '%3F' . $query->query_string();
     }
-    my $uri = $protocol . C4::Context->preference('OPACBaseURL') . "/Shibboleth.sso/Login?target=$param";
+    my $uri = _get_uri() .
"/Shibboleth.sso/Login?target=$param";
     return $uri;
 }
 # Returns shibboleth user login
 sub get_login_shib {
-    # In case of a Shibboleth authentication, we expect a shibboleth user attribute
-    # to contain the login match point of the shibboleth-authenticated user. This match
-    # point is configured in koha-conf.xml
+# In case of a Shibboleth authentication, we expect a shibboleth user attribute
+# to contain the login match point of the shibboleth-authenticated user. This match
+# point is configured in koha-conf.xml
+
+# Shibboleth attributes are mapped into http environmement variables, so we're getting
+# the match point of the user this way
-    # Shibboleth attributes are mapped into http environmement variables, so we're getting
-    # the match point of the user this way
+    # Get shibboleth config
+    my $config = _get_shib_config();
-    $debug and warn "koha borrower field to match: $shibbolethMatchField";
-    $debug and warn "shibboleth attribute to match: $shibbolethMatchAttribute";
-    $debug and warn "$shibbolethMatchAttribute value: $ENV{$shibbolethMatchAttribute}";
+    my $matchAttribute = $config->{mapping}->{ $config->{matchpoint} }->{is};
+    $debug and warn $matchAttribute . " value: " . $ENV{$matchAttribute};
-    return $ENV{$shibbolethMatchAttribute} || '';
+    return $ENV{$matchAttribute} || '';
 }
 # Checks for password correctness
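Review bot: In login_shib_url the hunk removes `my ($query) = @_;` while the unchanged context lines still call `$query->query_string()`, so under `use Modern::Perl` (which turns on strict) the module no longer compiles unless `$query` is declared somewhere outside this diff; keep `my ($query) = @_;` as the first statement of the sub. get_login_shib has a related gap: `_get_shib_config()` returns 0 when the config is missing or the matchpoint is unmapped, and `$config->{mapping}->{ $config->{matchpoint} }` then dies with a strict-refs error instead of yielding the empty string the sub otherwise returns, so add `return '' unless $config;` right after the assignment. The `target` value handed to the Shibboleth SP also carries the raw query string after `%3F`, so any `&` or `#` in it is parsed by the SP rather than preserved in the return URL; percent-encoding the whole `$param` (e.g. with `URI::Escape::uri_escape`) would fix that, though the behaviour predates this commit.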
@@ -81,25 +90,76 @@ sub get_login_shib {
 sub checkpw_shib {
     $debug and warn "checkpw_shib";
-    my ( $dbh, $userid ) = @_;
-    my $retnumber;
-    $debug and warn "User Shibboleth-authenticated as: $userid";
-
-    # Does the given shibboleth attribute value ($userid) match a valid koha user ?
-    my $sth = $dbh->prepare("select cardnumber, userid from borrowers where $shibbolethMatchField=?");
-    $sth->execute($userid);
-    if ( $sth->rows ) {
-        my @retvals = $sth->fetchrow;
-        $retnumber = $retvals[1];
-        $userid = $retvals[0];
-        return ( 1, $retnumber, $userid );
+    my ( $match ) = @_;
+    my $config = _get_shib_config();
+    $debug and warn "User Shibboleth-authenticated as: $match";
+
+    # Does the given shibboleth attribute value ($match) match a valid koha user ?
+    my $borrower =
+      Koha::Database->new()->schema()->resultset('Borrower')
+      ->find( { $config->{matchpoint} => $match } );
+    if ( defined($borrower) ) {
+        return ( 1, $borrower->get_column('cardnumber'), $borrower->get_column('userid') );
     }
     # If we reach this point, the user is not a valid koha user
-    $debug and warn "User $userid is not a valid Koha user";
+    $debug
+      and warn
+      "User with $config->{matchpoint} of $match is not a valid Koha user";
     return 0;
 }
+sub _get_uri {
+
+    my $protocol = "https://";
+
+    my $uri = C4::Context->preference('OPACBaseURL') // '';
+    if ($uri eq '') {
+        $debug and warn 'OPACBaseURL not set!';
+    }
+    if ($uri =~ /(.*):\/\/(.*)/) {
+        my $oldprotocol = $1;
+        if ($oldprotocol ne 'https') {
+            $debug
+              and warn
+              'Shibboleth requires OPACBaseURL to use the https protocol!';
+        }
+        $uri = $2;
+    }
+
+    my $return = $protocol . $uri;
+    return $return;
+}
+
+sub _get_shib_config {
+    my $config = C4::Context->config('shibboleth');
+
+    if ( !$config ) {
+        carp 'shibboleth config not defined';
+        return 0;
+    }
+
+    if ( $config->{matchpoint}
+        && defined( $config->{mapping}->{ $config->{matchpoint} }->{is} ) )
+    {
+        if ($debug) {
+            warn "koha borrower field to match: " .
$config->{matchpoint};
+            warn "shibboleth attribute to match: "
+              . $config->{mapping}->{ $config->{matchpoint} }->{is};
+        }
+        return $config;
+    }
+    else {
+        if ( !$config->{matchpoint} ) {
+            carp 'shibboleth matchpoint not defined';
+        }
+        else {
+            carp 'shibboleth matchpoint not mapped';
+        }
+        return 0;
+    }
+}
+
 1;
 __END__
@@ -215,7 +275,7 @@ Returns the shibboleth login attribute should it be found present in the http se
 Given a database handle and a shib_login attribute, this routine checks for a matching local user and if found returns true, their cardnumber and their userid. If a match is not found, then this returns false.
-    my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib( $dbh, $shib_login );
+    my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib( $shib_login );
 =head1 SEE ALSO
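Review bot: checkpw_shib dereferences `$config->{matchpoint}` without checking that `_get_shib_config()` succeeded; that helper returns 0 on a missing or unmapped matchpoint, so a misconfigured install dies with a strict-refs error inside the password check (and again in the debug warn at the bottom of the sub) instead of failing closed. Add `return 0 unless $config;` directly after `my $config = _get_shib_config();`. Separately, `->find( { $config->{matchpoint} => $match } )` is only sound when the configured matchpoint column is unique: as far as I recall, DBIx::Class `find` on a non-unique column warns and hands back the first row it sees, so an ambiguous attribute value would authenticate whichever patron happens to come first; consider `search(...)` and treating anything other than exactly one row as no match, or at least document in `_get_shib_config` that the matchpoint must be a unique borrower column. In `_get_uri`, an `OPACBaseURL` with an `http://` prefix is silently rewritten to https with only a `$debug`-gated warn, which seems worth a plain `carp` since callers have no other signal that the configured URL was changed.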
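Review bot: The POD paragraph above the updated example still opens with "Given a database handle and a shib_login attribute", although the example and the new checkpw_shib signature take only the shib_login value; change it to `Given a shib_login attribute, this routine checks for a matching local user and if found returns true, their cardnumber and their userid.` It would also help callers to state there that the value is matched against the borrower column configured as the shibboleth matchpoint, since the example alone does not say which attribute is expected.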