use Koha::AuthUtils qw(hash_password);
use POSIX qw/strftime/;
use List::MoreUtils qw/ any /;
+use Encode qw( encode is_utf8);
# use utf8;
-use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout);
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout $shib $shib_login);
BEGIN {
sub psgi_env { any { /^psgi\./ } keys %ENV }
%EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] );
$ldap = C4::Context->config('useldapserver') || 0;
$cas = C4::Context->preference('casAuthentication');
+ $shib = C4::Context->config('useshibboleth') || 0;
$caslogout = C4::Context->preference('casLogout');
require C4::Auth_with_cas; # no import
if ($ldap) {
require C4::Auth_with_ldap;
import C4::Auth_with_ldap qw(checkpw_ldap);
}
+ if ($shib) {
+ require C4::Auth_with_shibboleth;
+ import C4::Auth_with_shibboleth
+ qw(shib_ok checkpw_shib logout_shib login_shib_url get_login_shib);
+
+ # Check for good config
+ if ( shib_ok() ) {
+ # Get shibboleth login attribute
+ $shib_login = get_login_shib();
+ }
+ # Bad config, disable shibboleth
+ else {
+ $shib = 0;
+ }
+ }
if ($cas) {
import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url);
}
# user info
$template->param( loggedinusername => $user );
+ $template->param( loggedinusernumber => $borrowernumber );
$template->param( sessionID => $sessionID );
my ($total, $pubshelves, $barshelves) = C4::VirtualShelves::GetSomeShelfNames($borrowernumber, 'MASTHEAD');
}
else { # if this is an anonymous session, setup to display public lists...
+ # If shibboleth is enabled, and we're in an anonymous session, we should allow
+ # the user to attemp login via shibboleth.
+ if ( $shib ) {
+ $template->param( shibbolethAuthentication => $shib,
+ shibbolethLoginUrl => login_shib_url($in->{'query'}),
+ );
+ # If shibboleth is enabled and we have a shibboleth login attribute,
+ # but we are in an anonymous session, then we clearly have an invalid
+ # shibboleth koha account.
+ if ( $shib_login ) {
+ $template->param( invalidShibLogin => '1');
+ }
+ }
+
$template->param( sessionID => $sessionID );
my ($total, $pubshelves) = C4::VirtualShelves::GetSomeShelfNames(undef, 'MASTHEAD');
OPACShelfBrowser => "". C4::Context->preference("OPACShelfBrowser"),
OPACURLOpenInNewWindow => "" . C4::Context->preference("OPACURLOpenInNewWindow"),
OPACUserCSS => "". C4::Context->preference("OPACUserCSS"),
- OPACMobileUserCSS => "". C4::Context->preference("OPACMobileUserCSS"),
OPACViewOthersSuggestions => "" . C4::Context->preference("OPACViewOthersSuggestions"),
OpacAuthorities => C4::Context->preference("OpacAuthorities"),
OPACBaseURL => ($using_https ? "https://" : "http://") . $opac_base_url,
OpacCloud => C4::Context->preference("OpacCloud"),
OpacKohaUrl => C4::Context->preference("OpacKohaUrl"),
OpacMainUserBlock => "" . C4::Context->preference("OpacMainUserBlock"),
- OpacMainUserBlockMobile => "" . C4::Context->preference("OpacMainUserBlockMobile"),
- OpacShowLibrariesPulldownMobile => C4::Context->preference("OpacShowLibrariesPulldownMobile"),
OpacNav => "" . C4::Context->preference("OpacNav"),
OpacNavRight => "" . C4::Context->preference("OpacNavRight"),
OpacNavBottom => "" . C4::Context->preference("OpacNavBottom"),
my $casparam = $query->param('cas');
my $q_userid = $query->param('userid') // '';
- if ( $userid = $ENV{'REMOTE_USER'} ) {
- # Using Basic Authentication, no cookies required
+ # Basic authentication is incompatible with the use of Shibboleth,
+ # as Shibboleth may return REMOTE_USER as a Shibboleth attribute,
+ # and it may not be the attribute we want to use to match the koha login.
+ #
+ # Also, do not consider an empty REMOTE_USER.
+ #
+ # Finally, after those tests, we can assume (although if it would be better with
+ # a syspref) that if we get a REMOTE_USER, that's from basic authentication,
+ # and we can affect it to $userid.
+ if ( !$shib and defined($ENV{'REMOTE_USER'}) and $ENV{'REMOTE_USER'} ne '' and $userid = $ENV{'REMOTE_USER'} ) {
+
+ # Using Basic Authentication, no cookies required
$cookie = $query->cookie(
-name => 'CGISESSID',
-value => '',
$session->param('surname'), $session->param('branch'),
$session->param('branchname'), $session->param('flags'),
$session->param('emailaddress'), $session->param('branchprinter'),
- $session->param('persona')
+ $session->param('persona'), $session->param('shibboleth')
);
C4::Context::set_shelves_userenv('bar',$session->param('barshelves'));
C4::Context::set_shelves_userenv('pub',$session->param('pubshelves'));
$sessiontype = $session->param('sessiontype') || '';
}
if ( ( $query->param('koha_login_context') && ($q_userid ne $s_userid) )
- || ( $cas && $query->param('ticket') ) ) {
+ || ( $cas && $query->param('ticket') ) || ( $shib && $shib_login && !$logout ) ) {
#if a user enters an id ne to the id in the current session, we need to log them in...
#first we need to clear the anonymous session...
$debug and warn "query id = $q_userid but session id = $s_userid";
}
elsif ($logout) {
# voluntary logout the user
+ # check wether the user was using their shibboleth session or a local one
+ my $shibSuccess = C4::Context->userenv->{'shibboleth'};
$session->delete();
$session->flush;
C4::Context->_unset_userenv($sessionID);
$sessionID = undef;
$userid = undef;
- if ($cas and $caslogout) {
- logout_cas($query);
- }
+ if ($cas and $caslogout) {
+ logout_cas($query);
+ }
+
+ # If we are in a shibboleth session (shibboleth is enabled, a shibboleth match attribute is set and matches koha matchpoint)
+ if ( $shib and $shib_login and $shibSuccess and $type eq 'opac') {
+ # (Note: $type eq 'opac' condition should be removed when shibboleth authentication for intranet will be implemented)
+ logout_shib($query);
+ }
}
elsif ( !$lasttime || ($lasttime < time() - $timeout) ) {
# timed logout
}
if ( ( $cas && $query->param('ticket') )
|| $userid
+ || ( $shib && $shib_login )
|| $pki_field ne 'None'
|| $persona )
{
my $password = $query->param('password');
+ my $shibSuccess = 0;
my ( $return, $cardnumber );
- if ( $cas && $query->param('ticket') ) {
+ # If shib is enabled and we have a shib login, does the login match a valid koha user
+ if ( $shib && $shib_login && $type eq 'opac' ) {
+ my $retuserid;
+ # Do not pass password here, else shib will not be checked in checkpw.
+ ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, undef, $query );
+ $userid = $retuserid;
+ $shibSuccess = $return;
+ $info{'invalidShibLogin'} = 1 unless ($return);
+ }
+ # If shib login and match were successfull, skip further login methods
+ unless ( $shibSuccess ) {
+ if ( $cas && $query->param('ticket') ) {
my $retuserid;
( $return, $cardnumber, $retuserid ) =
checkpw( $dbh, $userid, $password, $query );
( $return, $cardnumber, $retuserid ) =
checkpw( $dbh, $userid, $password, $query );
$userid = $retuserid if ( $retuserid );
- }
+ $info{'invalid_username_or_password'} = 1 unless ($return);
+ } }
if ($return) {
#_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
if ( $flags = haspermission( $userid, $flagsrequired ) ) {
$session->param('emailaddress',$emailaddress);
$session->param('ip',$session->remote_addr());
$session->param('lasttime',time());
+ $session->param('shibboleth',$shibSuccess);
$debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
}
elsif ( $return == 2 ) {
$session->param('surname'), $session->param('branch'),
$session->param('branchname'), $session->param('flags'),
$session->param('emailaddress'), $session->param('branchprinter'),
- $session->param('persona')
+ $session->param('persona'), $session->param('shibboleth')
);
}
login => 1,
INPUTS => \@inputs,
casAuthentication => C4::Context->preference("casAuthentication"),
+ shibbolethAuthentication => $shib,
suggestion => C4::Context->preference("suggestion"),
virtualshelves => C4::Context->preference("virtualshelves"),
LibraryName => "" . C4::Context->preference("LibraryName"),
);
}
+ if ($shib) {
+ $template->param(
+ shibbolethAuthentication => $shib,
+ shibbolethLoginUrl => login_shib_url($query),
+ );
+ }
+
my $self_url = $query->url( -absolute => 1 );
$template->param(
url => $self_url,
sub checkpw {
my ( $dbh, $userid, $password, $query ) = @_;
-
if ($ldap) {
$debug and print STDERR "## checkpw - checking LDAP\n";
my ($retval,$retcard,$retuserid) = checkpw_ldap(@_); # EXTERNAL AUTH
return 0;
}
+ # If we are in a shibboleth session (shibboleth is enabled, and a shibboleth match attribute is present)
+ # Check for password to asertain whether we want to be testing against shibboleth or another method this
+ # time around.
+ if ($shib && $shib_login && !$password) {
+
+ $debug and print STDERR "## checkpw - checking Shibboleth\n";
+ # In case of a Shibboleth authentication, we expect a shibboleth user attribute
+ # (defined under shibboleth mapping in koha-conf.xml) to contain the login of the
+ # shibboleth-authenticated user
+
+ # Then, we check if it matches a valid koha user
+ if ($shib_login) {
+ my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib( $shib_login ); # EXTERNAL AUTH
+ ($retval) and return ( $retval, $retcard, $retuserid );
+ return 0;
+ }
+ }
+
+ # INTERNAL AUTH
return checkpw_internal(@_)
}
sub checkpw_internal {
my ( $dbh, $userid, $password ) = @_;
+ $password = Encode::encode( 'UTF-8', $password )
+ if Encode::is_utf8($password);
+
if ( $userid && $userid eq C4::Context->config('user') ) {
if ( $password && $password eq C4::Context->config('pass') ) {
# Koha superuser account