[Koha-patches] [PATCH] A first, quick and dirty try to use CAS SSO solution with Koha, but it work and seems to be harmless for non cas users.
Pascal Levy
pascal at black-ink.net
Fri Aug 7 17:56:16 CEST 2009
From 0b3dbb4b0cdf6c4c28987e467b5b31592bf16a6c Mon Sep 17 00:00:00 2001
From: Pascal <pascal at black-ink.net>
Date: Fri, 7 Aug 2009 16:46:08 +0200
Subject: [PATCH] A first, quick and dirty try to use CAS SSO solution with
Koha, but it work and seems to be harmless for non cas users.
Content-Type: text/plain; charset=\"utf-8\"
---
C4/Auth.pm | 29 +++++-
C4/Auth_with_cas.pm | 102
++++++++++++++++++++[PATCH] A first, quick and dirty try to use CAS SSO
solution with Koha, but it work and seems to be harmless for non cas users.
koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl | 2 +
3 files changed, 128 insertions(+), 5 deletions(-)
create mode 100644 C4/Auth_with_cas.pm
diff --git a/C4/Auth.pm b/C4/Auth.pm
index eb7a464..40a9b94 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -30,7 +30,7 @@ use C4::Branch; # GetBranches
use C4::VirtualShelves;
# use utf8;
-use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap);
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas);
BEGIN {
$VERSION = 3.02; # set version for version checking
@@ -44,6 +44,12 @@ BEGIN {
require C4::Auth_with_ldap; # no import
import C4::Auth_with_ldap qw(checkpw_ldap);
}
+ $cas = C4::Context->config('usecasauth') || 0 ;
+ if ($cas) {
+ require C4::Auth_with_cas; # no import
+ import C4::Auth_with_cas qw(checkpw_cas GetCasRedirect);
+ }
+
}
=head1 NAME
@@ -239,7 +245,8 @@ sub get_template_and_user {
$template->param( js_widgets => $in->{'js_widgets'} );
$template->param( sessionID => $sessionID );
-
+ $template->param( casinuse => 1) if $cas ;
+
my ($total, $pubshelves) = C4::Context->get_shelves_userenv(); # an
anonymous user has no 'barshelves'...
if (defined(($pubshelves))) {
$template->param( pubshelves => scalar (@$pubshelves),
@@ -529,10 +536,10 @@ sub checkauth {
$sessiontype = $session->param('sessiontype');
}
- if ( ($query->param('koha_login_context')) && ($query->param('userid')
ne $session->param('id')) ) {
+ if ( (($query->param('koha_login_context')) && ($query->param('userid')
ne $session->param('id'))) || ( $cas && $query->param('ticket') ) ) {
#if a user enters an id ne to the id in the current session, we need to
log them in...
#first we need to clear the anonymous session...
- $debug and warn "query id = " . $query->param('userid') . " but session id
= " . $session->param('id');
+ $debug and printf STDERR "query id = " . $query->param('userid') . " but
session id = " . $session->param('id');
$session->flush;
$session->delete();
C4::Context->_unset_userenv($sessionID);
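Review bot: The replacement of `warn` with `printf STDERR` on the debug line passes the concatenated message — including the request-supplied `userid` — as the printf format, so a userid containing `%` sequences is interpreted as format directives; the trailing newline and source location that `warn` added are also lost. Keep the original form, `$debug and warn "query id = " . $query->param('userid') . " but session id = " . $session->param('id');`, or give the message to `print STDERR` as a plain argument. The new `|| ( $cas && $query->param('ticket') )` alternative also flushes and deletes the current session whenever a `ticket` parameter is present, even when that session already holds an authenticated id; it is probably worth restricting it to sessions that are not yet logged in. checkauth continues outside the hunk.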
@@ -587,9 +594,11 @@ sub checkauth {
my $sessionID = $session->id;
C4::Context->_new_userenv($sessionID);
$cookie = $query->cookie(CGISESSID => $sessionID);
- if ( $userid = $query->param('userid') ) {
+ if ( ( $userid = $query->param('userid') ) || ( ($userid =
$query->param('ticket')) and $cas )) {
my $password = $query->param('password');
my ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password
);
+ #whith CAS, we only have userid
+ $cas and $userid = $cardnumber ;
if ($return) {
_session_log(sprintf "%20s from %16s logged in at %30s.\n",
$userid,$ENV{'REMOTE_ADDR'},localtime);
if ( $flags = haspermission($userid, $flagsrequired) ) {
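Review bot: `$cas and $userid = $cardnumber ;` runs for every login while CAS is enabled, not only for ticket logins, and it runs before `$return` is tested, so a failed `checkpw` (which presumably leaves `$cardnumber` undefined) overwrites `$userid` with undef before the session log and the failure path see it; for a userid/password login it also hands `haspermission` the cardnumber instead of the userid the form supplied, and whether that lookup accepts a cardnumber is not visible here. Guard the assignment on the ticket path and on success, `$userid = $cardnumber if $cas && $query->param('ticket') && $return;`. The comment above it misspells "whith". checkauth's body continues beyond the hunk.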
@@ -764,6 +773,10 @@ sub checkauth {
#
#
+ # if we have CAS, we can simply do this
+ if ($cas) {
+ GetCasRedirect() unless ( $info{'nopermission'} ||
$info{'invalid_username_or_password'} )
+ }
# get the inputs from the incoming query
my @inputs = ();
foreach my $name ( param $query) {
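Review bot: `GetCasRedirect()` prints a redirect (the new module emits `$query->redirect(...)`) but nothing stops execution afterwards, so checkauth goes on to collect the query inputs and, presumably, render the login template after the redirect headers have already been written, producing a response with two header blocks. Follow the call with an explicit exit, `GetCasRedirect(); exit;`, or return from checkauth immediately after it, whichever matches how the non-CAS login path ends. The remainder of checkauth lies outside the hunk.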
@@ -1211,6 +1224,12 @@ sub checkpw {
my ($retval,$retcard) = checkpw_ldap(@_); # EXTERNAL AUTH
($retval) and return ($retval,$retcard);
}
+ if ($cas) {
+ $debug and print STDERR "## checkpw - checking CAS\n";
+ my ($retval,$retcard) = checkpw_cas( $userid ); # EXTERNAL AUTH
+ $userid = $retcard ;
+ ($retval) and return ($retval,$retcard);
+ }
# INTERNAL AUTH
my $sth =
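Review bot: `$userid = $retcard ;` in the CAS branch executes even when `checkpw_cas` fails, and a failed validation returns the single value `0`, so `$retcard` is undef and the internal-auth lookup that follows presumably runs with an undefined userid — with `usecasauth` set, a local userid/password login would therefore fail, which contradicts the "harmless for non cas users" description. It also means every typed userid is first sent to the CAS server as a service ticket. Drop the assignment (the success path already returns `$retcard`), leaving `($retval) and return ($retval,$retcard);`, and consider calling `checkpw_cas` only when the request carries a ticket. checkpw's parameter unpacking and the internal-auth query are outside the hunk.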
diff --git a/C4/Auth_with_cas.pm b/C4/Auth_with_cas.pm
new file mode 100644
index 0000000..05f0cae
--- /dev/null
+++ b/C4/Auth_with_cas.pm
@@ -0,0 +1,102 @@
+package C4::Auth_with_cas;
+
+# Copyright 2000-2002 Katipo Communications
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
with
+# Koha; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+
+use strict;
+use warnings;
+
+use Digest::MD5 qw(md5_base64);
+
+use C4::Debug;
+use C4::Context;
+use CGI;
+use AuthCAS;
+
+
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
+
+BEGIN {
+ require Exporter;
+ $VERSION = 3.03; # set the version for version checking
+ $debug = $ENV{DEBUG} || 0 ;
+ @ISA = qw(Exporter);
+ @EXPORT = qw( checkpw_cas GetCasRedirect );
+
+}
+
+sub _cas_auth_error ($) {
+ return sprintf('No "%s" defined in KOHA_CONF: ' . $ENV{KOHA_CONF}, shift);
+}
+
+use vars qw( $cas $login_url $casurl $sslca $isauthoritative );
+my $context = C4::Context->new() ; #or die 'C4::Context->new failed';
+my $casurl = C4::Context->config("casserverurl") or die
_cas_auth_error('casserverurl') ;
+my $sslca = C4::Context->config("sslcafile") or die
_cas_auth_error('sslcafile') ;
+my $isauthoritative = (C4::Context->config("sslcafile") ? 1 : 0 ) ;
+#
+my $cas = new AuthCAS(casUrl => $casurl ,
+ CAFile => $sslca
+ ) ;
+my $query = new CGI ;
+my $myurl = $query->url() ;
+
+sub checkpw_cas($) {
+
+ my $ST = shift ;
+ my $casuser = $cas->validateST($myurl, $ST) ;
+ $debug and printf STDERR "Debug: validateST return %s\n", $casuser ;
+ $casuser and return ( 1, $casuser ) ;
+ return 0 ;
+
+
+}
+sub GetCasRedirect() {
+ my $login_url = $cas->getServerLoginURL($myurl) ;
+ print $query->redirect($login_url) ;
+}
+
+
+
+1
+
+__END__
+=head1 NAME
+
+C4::Auth_with_cas
+
+=head1 SYNOPSIS
+
+ use C4::Auth_with_cas;
+ we want to authenticate our users with the CAS SSO solution
(http://www.jasig.org/cas). At a later time, we may use some code
+ from C4::Auth_with_ldap to allow retriving additional informations from a
ldap serveur.
+
+=head1 LDAP Configuration
+ we need a few additional things from KOHA_CONF :
+ * usecasauth 1 # do we really want Auth_with_cas ?
+ * casserverurl URL # the login URL of the CAS server, something like
htts://cas.myserver.com:8080
+ * sslcafile SSL # a SSL Certificate issued by a authority to validate SSL
serveur
+ connection (mandatory)
+ * casauthoritative O # do we want CAS to create new user automagically ?
(with very few
+ informations though...) Not yet implemented
+
+ <usecasauth>1</usecasauth>
+ <casserverurl>https://cas.koha.org</casserverurl>
+ <sslcafile>/etc/ssl/ca.crt</sslcafile>
+ <casauthoritative>O</casauthoritative>
+
+Of course, we need our userid to be the same as the identity provided by CAS
server.
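Review bot: `my $isauthoritative = (C4::Context->config("sslcafile") ? 1 : 0 ) ;` tests `sslcafile` instead of the `casauthoritative` key the POD below documents, so it is always 1 once the module loads (and nothing reads it). `$query` and `$myurl` are likewise built once at module load; under a persistent interpreter every later request would validate its ticket against the first request's URL, so construct the CGI object inside the two subs as in the fence below. Minor points: `use vars qw( $cas $login_url $casurl $sslca $isauthoritative )` is immediately shadowed by `my` declarations of the same names, the `($)` and `()` prototypes do not validate arguments, `Digest::MD5` is imported but unused, and the POD examples read `htts://` and `O` (the letter) where `https://` and `0` are meant.
```perl
# … unchanged: config lookup and AuthCAS construction …
sub checkpw_cas {
    my ($ST) = @_;
    my $query = CGI->new;
    my $casuser = $cas->validateST($query->url(), $ST);
    $debug and printf STDERR "Debug: validateST return %s\n", defined $casuser ? $casuser : 'undef';
    return (1, $casuser) if $casuser;
    return 0;
}

sub GetCasRedirect {
    my $query = CGI->new;
    print $query->redirect($cas->getServerLoginURL($query->url()));
    return;
}
```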
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl b/koha-
tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
index 601bc4b..31f2717 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
@@ -93,6 +93,7 @@
<!-- TMPL_IF NAME="opacuserlogin" -->
<!-- TMPL_UNLESS NAME="loggedinusername" -->
+ <!-- TMPL_UNLESS NAME="casinuse" -->
<div class="yui-u">
<div id="login" class="container">
<form action="/cgi-bin/koha/opac-user.pl" method="post" name="auth"
id="auth">
@@ -109,6 +110,7 @@
</div>
</div>
<!-- /TMPL_UNLESS -->
+ <!-- /TMPL_UNLESS -->
<!-- /TMPL_IF -->
</div>
--
1.6.4
--
pourquoi et comment vous devriez crypter vos mels ?
http://openpgp.vie-privee.org/openpgp.html
telecharger ma (nouvelle) clef pgp : http://www.black-ink.net/paskey.asc
key fingerprint : FE20 7116 2493 B2D0 A609 104F 0D24 A4B2 43C4 66ED