1 package OpenILS::WWW::Proxy::Authen;
2 use strict; use warnings;
5 use Apache2::RequestUtil;
7 use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED DECLINED HTTP_MOVED_TEMPORARILY NOT_FOUND :log);
8 use APR::Const -compile => qw(:error SUCCESS);
11 use Digest::MD5 qw/md5_hex/;
13 use OpenSRF::EX qw(:try);
15 use OpenSRF::Utils::Logger qw/$logger/;
17 # set the bootstrap config when
18 # this module is loaded
30 OpenSRF::System->bootstrap_client( config_file => $bootstrap );
31 return Apache2::Const::OK;
37 my $ltype = $apache->dir_config('OILSProxyLoginType');
38 my $perms = [ split ' ', $apache->dir_config('OILSProxyPermissions') ];
40 return Apache2::Const::NOT_FOUND unless (@$perms);
43 my $auth_ses = $cgi->param('ses') || $cgi->cookie('ses') || $cgi->cookie('eg.auth.token');
44 if ($auth_ses =~ /^"(.+)"$/) { # came from eg2 login, is json encoded
48 # Note that the handler accepts an eg.auth.token from the web staff
49 # client but will not set it if it has to ask the user for
50 # credentials (it will only set 'ses'). As of 2022-11, it works this
51 # way to avoid this authen handler from becoming a way to create
52 # a staff login session that does not have a workstation set.
54 my $ws_ou = $apache->dir_config('OILSProxyLoginOU') || $cgi->param('ws_ou') || $cgi->cookie('ws_ou');
57 my $bad_auth = 1; # Assume failure until proven otherwise ;)
59 # push everyone to the secure site
60 if (!$ssl_off && $url =~ /^http:/o) {
61 my $base = $cgi->url(-base=>1);
62 $base =~ s/^http:/https:/o;
63 $apache->headers_out->set(Location => $base . $apache->unparsed_uri);
64 return Apache2::Const::HTTP_MOVED_TEMPORARILY;
70 while ($bad_auth && $tried_login == 0) {
73 my ($status, $p) = $apache->get_basic_auth_pw;
75 if ($status == Apache2::Const::OK) {
78 $u = $cgi->param('user');
79 $p = $cgi->param('passwd');
80 return $status if (!$u);
84 $auth_ses = oils_login($u, $p, $ltype);
86 $cookie = $cgi->cookie(
96 my $user = verify_login($auth_ses);
99 $ws_ou ||= $user->home_ou;
101 $logger->debug("Checking perms " . join(',', @$perms) . " for user " . $user->id . " at location $ws_ou\n");
103 my $failures = OpenSRF::AppSession
104 ->create('open-ils.actor')
105 ->request('open-ils.actor.user.perm.check', $auth_ses, $user->id, $ws_ou, $perms)
108 if (@$failures > 0) {
109 $cookie = $cgi->cookie(
116 # it appears that as of Apache 2.4, authentication
117 # handlers are expected to ensure that the request
118 # object has ->user set.
119 $apache->user($user->usrname);
124 $auth_ses = undef if($bad_auth && !$tried_login);
128 $apache->err_headers_out->add('Set-Cookie' => $cookie) if($cookie);
129 $apache->note_basic_auth_failure;
130 return Apache2::Const::HTTP_UNAUTHORIZED;
134 # We authenticated, and thus likely got a new auth key.
135 # Set it and redirect in case what we are protecting needs the key.
137 # When not redirecting we don't need the err_ variant of this. Noting for reference.
138 $apache->err_headers_out->add('Set-Cookie' => $cookie) if($cookie);
139 my $base = $cgi->url(-base=>1);
140 $apache->headers_out->set(Location => $base . $apache->unparsed_uri);
141 return Apache2::Const::HTTP_MOVED_TEMPORARILY;
144 # they're good, let 'em through
145 return Apache2::Const::OK;
148 # returns the user object if the session is valid, 0 otherwise
150 my $auth_token = shift;
151 return undef unless $auth_token;
153 my $user = OpenSRF::AppSession
154 ->create("open-ils.auth")
155 ->request( "open-ils.auth.session.retrieve", $auth_token )
158 if (ref($user) eq 'HASH' && $user->{ilsevent} == 1001) {
162 return $user if ref($user);
167 my( $username, $password, $type ) = @_;
170 my $nametype = 'username';
171 $nametype = 'barcode' if ($username =~ /^\d+$/o);
173 my $seed = OpenSRF::AppSession
174 ->create("open-ils.auth")
175 ->request( 'open-ils.auth.authenticate.init', $username )
178 return undef unless $seed;
180 my $response = OpenSRF::AppSession
181 ->create("open-ils.auth")
182 ->request( 'open-ils.auth.authenticate.complete',
183 { $nametype => $username, agent => 'authproxy',
184 password => md5_hex($seed . md5_hex($password)),
188 return undef unless $response;
190 return $response->{payload}->{authtoken};