[Koha-patches] [PATCH] A first, quick and dirty try to use CAS SSO solution with Koha, but it work and seems to be harmless for non cas users.

Pascal Levy pascal at black-ink.net
Fri Aug 7 17:56:16 CEST 2009


From 0b3dbb4b0cdf6c4c28987e467b5b31592bf16a6c Mon Sep 17 00:00:00 2001
From: Pascal <pascal at black-ink.net>
Date: Fri, 7 Aug 2009 16:46:08 +0200
Subject: [PATCH] A first, quick and dirty try to use CAS SSO solution with 
Koha, but it work and seems to be harmless for non cas users.
Content-Type: text/plain; charset=\"utf-8\"

---
 C4/Auth.pm                                         |   29 +++++-
 C4/Auth_with_cas.pm                                |  102 
++++++++++++++++++++[PATCH] A first, quick and dirty try to use CAS SSO 
solution with Koha, but it work and seems to be harmless for non cas users.
 koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl |    2 +
 3 files changed, 128 insertions(+), 5 deletions(-)
 create mode 100644 C4/Auth_with_cas.pm

diff --git a/C4/Auth.pm b/C4/Auth.pm
index eb7a464..40a9b94 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -30,7 +30,7 @@ use C4::Branch; # GetBranches
 use C4::VirtualShelves;
 
 # use utf8;
-use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap);
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas);
 
 BEGIN {
     $VERSION = 3.02;        # set version for version checking
@@ -44,6 +44,12 @@ BEGIN {
         require C4::Auth_with_ldap;             # no import
         import  C4::Auth_with_ldap qw(checkpw_ldap);
     }
+   $cas = C4::Context->config('usecasauth') || 0 ;
+   if ($cas) {
+	require C4::Auth_with_cas;             # no import
+        import  C4::Auth_with_cas qw(checkpw_cas GetCasRedirect);
+   }
+
 }
 
 =head1 NAME
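Review bot: The `require C4::Auth_with_cas` added here runs inside `BEGIN`, and that module dies at file scope (its `or die _cas_auth_error(...)` lines) when `casserverurl` or `sslcafile` is missing, so setting `usecasauth` with an incomplete config stops every script that loads C4::Auth from compiling rather than failing only CAS logins; that is fail-closed and acceptable, but deserves a comment, e.g. `# Auth_with_cas dies at load time if casserverurl/sslcafile are not configured`. The two new lines also mix indentation — the `require` line starts with a tab while the `import` line uses spaces — where the LDAP block just above uses spaces; indent both to match `require C4::Auth_with_ldap;`. The BEGIN block starts before this hunk.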
@@ -239,7 +245,8 @@ sub get_template_and_user {
         $template->param( js_widgets => $in->{'js_widgets'} );
 
         $template->param( sessionID        => $sessionID );
-		
+        $template->param( casinuse => 1) if $cas ;
+
 		my ($total, $pubshelves) = C4::Context->get_shelves_userenv();	# an 
anonymous user has no 'barshelves'...
 		if (defined(($pubshelves))) {
         	$template->param(	pubshelves     	=> scalar (@$pubshelves),
@@ -529,10 +536,10 @@ sub checkauth {
 			$sessiontype = $session->param('sessiontype');
         }
    
-   		if ( ($query->param('koha_login_context')) && ($query->param('userid') 
ne $session->param('id')) ) {
+   		if ( (($query->param('koha_login_context')) && ($query->param('userid') 
ne $session->param('id'))) || ( $cas && $query->param('ticket') ) ) {
 			#if a user enters an id ne to the id in the current session, we need to 
log them in...
 			#first we need to clear the anonymous session...
-			$debug and warn "query id = " . $query->param('userid') . " but session id 
= " . $session->param('id');
+			$debug and printf STDERR "query id = " . $query->param('userid') . " but 
session id = " . $session->param('id');
             $session->flush;      
             $session->delete();
             C4::Context->_unset_userenv($sessionID);
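Review bot: The new `|| ( $cas && $query->param('ticket') )` clause flushes and deletes the current session and unsets its userenv before the ticket has been validated, so with CAS enabled any request that merely carries a `ticket` parameter — including a bogus one in a link sent to a logged-in user — logs that user out; validate the ticket first, or at least restrict the branch to sessions that are not already authenticated, e.g. `|| ( $cas && $query->param('ticket') && !$session->param('id') )` (assuming anonymous sessions leave `id` unset, which is not visible here). The switch from `warn` to `printf STDERR` on the debug line concatenates the user-supplied `userid` into printf's format string and drops the newline `warn` appended; keep `$debug and warn "query id = " . $query->param('userid') . " but session id = " . $session->param('id');`. checkauth and the session-handling block around this condition start before and continue past the hunk.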
@@ -587,9 +594,11 @@ sub checkauth {
         my $sessionID = $session->id;
        	C4::Context->_new_userenv($sessionID);
         $cookie = $query->cookie(CGISESSID => $sessionID);
-        if ( $userid    = $query->param('userid') ) {
+        if ( ( $userid    = $query->param('userid') ) || ( ($userid  = 
$query->param('ticket')) and $cas )) {
             my $password = $query->param('password');
             my ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password 
);
+	    #whith CAS, we only have userid
+	    $cas and $userid = $cardnumber ;
             if ($return) {
                 _session_log(sprintf "%20s from %16s logged in  at %30s.\n", 
$userid,$ENV{'REMOTE_ADDR'},localtime);
                 if ( $flags = haspermission($userid, $flagsrequired) ) {
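Review bot: `$cas and $userid = $cardnumber;` runs before `if ($return)` is tested, so on a failed login `$userid` is overwritten with undef and the failure path loses the attempted identity, and on a successful non-CAS login at a CAS-enabled site `$userid` is replaced by checkpw's second return value — presumably a cardnumber for internal auth, not a userid — before it reaches `haspermission($userid, ...)`; guard it with `$userid = $cardnumber if $cas && $return && $query->param('ticket');`. In the `if` condition the ticket is assigned to `$userid` before `and $cas` is evaluated, so with CAS disabled a stray `ticket` parameter still ends up in `$userid`; write that operand as `( $cas && ( $userid = $query->param('ticket') ) )`. The `if ($return)` branch continues beyond this hunk.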
@@ -764,6 +773,10 @@ sub checkauth {
 #
 #
     
+   # if we have CAS, we can simply do this
+    if ($cas) {
+    GetCasRedirect() unless ( $info{'nopermission'} || 
$info{'invalid_username_or_password'} )
+    }
     # get the inputs from the incoming query
     my @inputs = ();
     foreach my $name ( param $query) {
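Review bot: `GetCasRedirect()` prints a 302 header block and returns, but nothing stops execution, so checkauth goes on to collect the query inputs and render the login page into the same response after the redirect headers; follow the call with `exit` (`GetCasRedirect(); exit;`) unless the rest of checkauth is genuinely needed on that path. The effect is that every unauthenticated request without credentials is sent to the CAS server whenever `usecasauth` is set, so the local login form is never rendered for such requests; if that is intended, say so, e.g. `# with CAS enabled, unauthenticated users are redirected to the CAS login page instead of the local form`. Skipping the redirect on `nopermission`/`invalid_username_or_password` avoids a loop on a bad ticket, which is good. The enclosing checkauth body continues past this hunk.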
@@ -1211,6 +1224,12 @@ sub checkpw {
         my ($retval,$retcard) = checkpw_ldap(@_);    # EXTERNAL AUTH
         ($retval) and return ($retval,$retcard);
     }
+    if ($cas) {
+        $debug and print STDERR "## checkpw - checking CAS\n";
+        my ($retval,$retcard) = checkpw_cas( $userid );    # EXTERNAL AUTH
+	$userid = $retcard ;
+        ($retval) and return ($retval,$retcard);
+    }
 
     # INTERNAL AUTH
     my $sth =
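Review bot: `$userid = $retcard;` executes on the failure path too, and because `checkpw_cas` returns a bare `0` there, `$retcard` is undef, so `$userid` is clobbered before execution falls through to INTERNAL AUTH — with CAS enabled, every local userid/password login that is not a valid ticket is then checked against an undefined userid and fails, so the patch is not harmless for non-CAS users at a CAS-enabled site. Drop that line and let the success return carry the identity: `($retval) and return ($retval,$retcard);`. It would also be cleaner to call `checkpw_cas` only when the value came from a `ticket` parameter instead of sending every typed userid to the CAS server for validation. checkpw's signature and the internal-auth query are outside the hunk, so the origin of `$userid` is assumed from the LDAP branch above.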
diff --git a/C4/Auth_with_cas.pm b/C4/Auth_with_cas.pm
new file mode 100644
index 0000000..05f0cae
--- /dev/null
+++ b/C4/Auth_with_cas.pm
@@ -0,0 +1,102 @@
+package C4::Auth_with_cas;
+
+# Copyright 2000-2002 Katipo Communications
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 
FOR
+# A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along 
with
+# Koha; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA  02111-1307 USA
+
+use strict;
+use warnings;
+
+use Digest::MD5 qw(md5_base64);
+
+use C4::Debug;
+use C4::Context;
+use CGI;
+use AuthCAS;
+
+
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
+
+BEGIN {
+	require Exporter;
+	$VERSION = 3.03;	# set the version for version checking
+	$debug = $ENV{DEBUG} || 0 ;
+	@ISA    = qw(Exporter);
+	@EXPORT = qw( checkpw_cas GetCasRedirect );
+
+}
+
+sub _cas_auth_error ($) {
+	return sprintf('No  "%s" defined in KOHA_CONF: ' . $ENV{KOHA_CONF}, shift);
+}
+
+use vars qw( $cas $login_url $casurl $sslca $isauthoritative );
+my $context = C4::Context->new() 	; #or die 'C4::Context->new failed';
+my $casurl = C4::Context->config("casserverurl") or die 
_cas_auth_error('casserverurl') ;
+my $sslca = C4::Context->config("sslcafile") or die  
_cas_auth_error('sslcafile') ;
+my $isauthoritative = (C4::Context->config("sslcafile") ? 1 : 0 ) ;
+# 
+my $cas = new AuthCAS(casUrl => $casurl ,
+		CAFile => $sslca
+	) ;
+my $query = new CGI ;
+my $myurl = $query->url() ;
+	
+sub checkpw_cas($) {
+
+	my $ST  = shift ;
+	my $casuser = $cas->validateST($myurl, $ST)  ;
+	$debug and printf STDERR "Debug: validateST return %s\n", $casuser ;
+	$casuser and return ( 1, $casuser ) ;
+	return 0 ;
+
+	
+}
+sub GetCasRedirect() {
+	my $login_url = $cas->getServerLoginURL($myurl) ;
+ 	print $query->redirect($login_url) ;
+}
+
+
+
+1
+
+__END__
+=head1 NAME
+
+C4::Auth_with_cas
+
+=head1 SYNOPSIS
+
+  use C4::Auth_with_cas;
+  we want to authenticate our users with the CAS SSO solution 
(http://www.jasig.org/cas). At a later time, we may use some code
+  from C4::Auth_with_ldap to allow retriving additional informations from a 
ldap serveur.
+
+=head1 LDAP Configuration
+  we need a few additional things from KOHA_CONF :
+	* usecasauth 1    # do we really want Auth_with_cas ?
+	* casserverurl URL   # the login URL of the CAS server, something like 
htts://cas.myserver.com:8080
+	* sslcafile SSL   # a SSL Certificate issued by a authority to validate SSL 
serveur
+			connection (mandatory)
+	* casauthoritative O  # do we want CAS to create new user automagically ? 
(with very few
+	informations though...) Not yet implemented
+	
+	<usecasauth>1</usecasauth>
+	<casserverurl>https://cas.koha.org</casserverurl>
+	<sslcafile>/etc/ssl/ca.crt</sslcafile>
+	<casauthoritative>O</casauthoritative>
+	
+Of course, we need our userid to be the same as the identity provided by CAS 
server.
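Review bot: `$isauthoritative` is computed from `config("sslcafile")` instead of `config("casauthoritative")`, and since `sslcafile` is mandatory (the `or die` two lines above) it is always 1; the flag is unused for now, but the POD says it will control automatic creation of borrowers, so once wired up that feature would be on by default — change it to `my $isauthoritative = ( C4::Context->config("casauthoritative") ? 1 : 0 );` and fix the POD example, which uses the letter `O` in `<casauthoritative>O</casauthoritative>` (a true value in Perl) where `0` is meant. `$myurl` is taken from `$query->url()` at module load rather than per call, so under a persistent interpreter (mod_perl, Plack) the service URL sent in the login redirect and passed to `validateST` would be the first request's, and it is derived from the client-supplied Host header in any case — compute it inside `checkpw_cas` and `GetCasRedirect`. The `use vars qw( $cas $login_url $casurl $sslca $isauthoritative )` line is shadowed by the `my` declarations that follow, `Digest::MD5` is imported but unused, the `($)`/`()` prototypes on the subs should go, and the POD heading `=head1 LDAP Configuration` should read `=head1 CAS Configuration` (with `htts://` corrected to `https://`).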
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl b/koha-
tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
index 601bc4b..31f2717 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-main.tmpl
@@ -93,6 +93,7 @@
 		
 	<!-- TMPL_IF NAME="opacuserlogin" -->
     <!-- TMPL_UNLESS NAME="loggedinusername" -->
+    <!-- TMPL_UNLESS NAME="casinuse" -->
     <div class="yui-u">
 	<div id="login" class="container">
 	<form action="/cgi-bin/koha/opac-user.pl" method="post" name="auth" 
id="auth">
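Review bot: Wrapping the login form in `TMPL_UNLESS NAME="casinuse"` only hides it; the `/cgi-bin/koha/opac-user.pl` action it posts to is still reachable with a direct `userid`/`password` POST, so this is a presentation change rather than enforcement of CAS-only login — if local passwords must be refused at a CAS site, that belongs in checkauth. A short template comment would help the next maintainer, e.g. `<!-- local login form hidden when CAS is enabled; unauthenticated users are redirected to the CAS server -->`. The matching `/TMPL_UNLESS` is added in the following hunk.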
@@ -109,6 +110,7 @@
 	</div>
 	 </div>
     <!-- /TMPL_UNLESS -->
+    <!-- /TMPL_UNLESS -->
 	
 <!-- /TMPL_IF -->
 </div>
-- 
1.6.4

-- 
pourquoi et comment vous devriez crypter vos mels ?
http://openpgp.vie-privee.org/openpgp.html
telecharger ma (nouvelle) clef pgp : http://www.black-ink.net/paskey.asc
key fingerprint : FE20 7116 2493 B2D0 A609  104F 0D24 A4B2 43C4 66ED