[open-ils-commits] [GIT] Evergreen ILS branch master updated. 3706bb0514e49ba4f4db51b48cab9aae5524a895

Evergreen Git git at git.evergreen-ils.org
Wed Jan 4 11:26:42 EST 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, master has been updated
       via  3706bb0514e49ba4f4db51b48cab9aae5524a895 (commit)
       via  f9493ae5b5416ff17685b9c8dcc0b813336f0ad8 (commit)
      from  7f50fd7b3d5ec0c8f27a27a6768aab67601202ba (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3706bb0514e49ba4f4db51b48cab9aae5524a895
Author: Thomas Berezansky <tsbere at mvlc.org>
Date:   Tue Jan 3 12:00:47 2012 -0500

    Add OpenILS::WWW::Proxy::Authen Module
    
    Enables HTTP Basic Authentication access control.
    
    Uses the OILSProxyPermissions and OILSProxyLoginType settings, but prompts
    are controlled by the Apache AuthName directive.
    
    This module allows things like directory indexing, and response (or similar)
    handlers that are non-Perl or otherwise incompatible with the normal proxy
    module, to be password-protected.
    
    It also supports the OpenILS::WWW::Proxy user/passwd CGI params to allow
    an easier transition between the two.
    
    For example:
    
    <Location /authen_login/>
        Options +Indexes
        PerlOptions +GlobalRequest
        PerlSetVar OILSProxyPermissions "VIEW_REPORT_OUTPUT"
        PerlSendHeader On
        AuthType Basic
        AuthName "Notices Login"
        PerlAuthenHandler OpenILS::WWW::Proxy::Authen
        require valid-user
        allow from all
    </Location>
    
    Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
new file mode 100644
index 0000000..e8962a3
--- /dev/null
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
@@ -0,0 +1,177 @@
+package OpenILS::WWW::Proxy::Authen;
+use strict; use warnings;
+
+use Apache2::Access;
+use Apache2::RequestUtil;
+use Apache2::Log;
+use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED DECLINED HTTP_MOVED_TEMPORARILY NOT_FOUND :log);
+use APR::Const    -compile => qw(:error SUCCESS);
+use CGI;
+use Data::Dumper;
+use Digest::MD5 qw/md5_hex/;
+
+use OpenSRF::EX qw(:try);
+use OpenSRF::System;
+
+# set the bootstrap config when 
+# this module is loaded
+my $bootstrap;
+my $ssl_off;
+
+sub import {
+    my $self = shift;
+    $bootstrap = shift;
+    $ssl_off = shift;
+}
+
+
+sub child_init {
+    OpenSRF::System->bootstrap_client( config_file => $bootstrap );
+}
+
+sub handler {
+    my $apache = shift;
+
+    my $ltype = $apache->dir_config('OILSProxyLoginType');
+    my $perms = [ split ' ', $apache->dir_config('OILSProxyPermissions') ];
+
+    return Apache2::Const::NOT_FOUND unless (@$perms);
+
+    my $cgi = new CGI;
+    my $auth_ses = $cgi->cookie('ses') || $cgi->param('ses');
+    my $ws_ou = $apache->dir_config('OILSProxyLoginOU') || $cgi->cookie('ws_ou') || $cgi->param('ws_ou');
+
+    my $url = $cgi->url;
+    my $bad_auth = 1; # Assume failure until proven otherwise ;)
+
+    # push everyone to the secure site
+    if (!$ssl_off && $url =~ /^http:/o) {
+        my $base = $cgi->url(-base=>1);
+        $base =~ s/^http:/https:/o;
+        $apache->headers_out->set(Location => $base . $apache->unparsed_uri);
+        return Apache2::Const::HTTP_MOVED_TEMPORARILY;
+    }
+
+    my $tried_login = 0;
+    my $cookie;
+
+    while ($bad_auth && $tried_login == 0) {
+        if (!$auth_ses) {
+            $tried_login = 1;
+            my ($status, $p) = $apache->get_basic_auth_pw;
+            my $u;
+            if ($status == Apache2::Const::OK) {
+                $u = $apache->user;
+            } else {
+                $u = $cgi->param('user');
+                $p = $cgi->param('passwd');
+                return $status if (!$u);
+            }
+    
+            if ($u) {
+                $auth_ses = oils_login($u, $p, $ltype);
+                if ($auth_ses) {
+                    $cookie = $cgi->cookie(
+                        -name=>'ses',
+                        -value=>$auth_ses,
+                        -path=>'/'
+                    );
+                }
+            }
+        }
+    
+        my $user = verify_login($auth_ses);
+    
+        if ($user) {
+            $ws_ou ||= $user->home_ou;
+    
+            warn "Checking perms " . join(',', @$perms) . " for user " . $user->id . " at location $ws_ou\n";
+    
+            my $failures = OpenSRF::AppSession
+                ->create('open-ils.actor')
+                ->request('open-ils.actor.user.perm.check', $auth_ses, $user->id, $ws_ou, $perms)
+                ->gather(1);
+    
+            if (@$failures > 0) {
+                $cookie = $cgi->cookie(
+                        -name=>'ses',
+                        -value=>'',
+                        -path=>'/',
+                        -expires=>'-1h'
+                );
+            } else {
+                $bad_auth = 0;
+            }
+        }
+
+        $auth_ses = undef if($bad_auth && !$tried_login);
+    }
+
+    if ($bad_auth) {
+        $apache->err_headers_out->add('Set-Cookie' => $cookie) if($cookie);
+        $apache->note_basic_auth_failure;
+        return Apache2::Const::HTTP_UNAUTHORIZED;
+    }
+
+    if ($tried_login) {
+        # We authenticated, and thus likely got a new auth key.
+        # Set it and redirect in case what we are protecting needs the key.
+
+        # When not redirecting we don't need the err_ variant of this. Noting for reference.
+        $apache->err_headers_out->add('Set-Cookie' => $cookie) if($cookie);
+        my $base = $cgi->url(-base=>1);
+        $apache->headers_out->set(Location => $base . $apache->unparsed_uri);
+        return Apache2::Const::HTTP_MOVED_TEMPORARILY;
+    }
+
+    # they're good, let 'em through
+    return Apache2::Const::OK;
+}
+
+# returns the user object if the session is valid, 0 otherwise
+sub verify_login {
+	my $auth_token = shift;
+	return undef unless $auth_token;
+
+	my $user = OpenSRF::AppSession
+		->create("open-ils.auth")
+		->request( "open-ils.auth.session.retrieve", $auth_token )
+		->gather(1);
+
+	if (ref($user) eq 'HASH' && $user->{ilsevent} == 1001) {
+		return undef;
+	}
+
+	return $user if ref($user);
+	return undef;
+}
+
+sub oils_login {
+        my( $username, $password, $type ) = @_;
+
+        $type |= "staff";
+	my $nametype = 'username';
+	$nametype = 'barcode' if ($username =~ /^\d+$/o);
+
+        my $seed = OpenSRF::AppSession
+		->create("open-ils.auth")
+		->request( 'open-ils.auth.authenticate.init', $username )
+		->gather(1);
+
+        return undef unless $seed;
+
+        my $response = OpenSRF::AppSession
+		->create("open-ils.auth")
+		->request( 'open-ils.auth.authenticate.complete',
+			{ $nametype => $username,
+			  password => md5_hex($seed . md5_hex($password)),
+			  type => $type })
+		->gather(1);
+
+        return undef unless $response;
+
+        return $response->{payload}->{authtoken};
+}
+
+1;
+
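Review bot: `$type |= "staff";` in oils_login is a bitwise string OR, so a configured OILSProxyLoginType such as `opac` is mangled character-by-character instead of taking precedence over the default; it should read `$type ||= "staff";`. The `ses` cookie created after a successful login carries the auth token with only `-path=>'/'`, so a browser will also send it on a plain http:// request (this handler redirects to https only after reading it) and scripts on any page can read it; add `-secure => !$ssl_off, -httponly => 1` to that `$cgi->cookie` call if the installed CGI.pm supports those options. When credentials arrive as the `user`/`passwd` CGI params, the post-login redirect re-sends `$apache->unparsed_uri`, which still contains the password in the query string and so puts it in access logs, browser history and Referer headers; consider dropping the query string (or at least those two params) from the Location header when the login came from CGI params. Finally, verify_login treats any hash whose `ilsevent` is not exactly 1001 as a valid user and will then call `->home_ou` on a plain hash, so returning undef for any unblessed HASH result would be safer if the auth service can return other event hashes.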

commit f9493ae5b5416ff17685b9c8dcc0b813336f0ad8
Author: Thomas Berezansky <tsbere at mvlc.org>
Date:   Tue Jan 3 13:48:18 2012 -0500

    Change default proxy configs to Authen variant
    
    Also, because Authen causes Indexes to function, turn them off by default.
    
    Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/examples/apache/eg_vhost.conf b/Open-ILS/examples/apache/eg_vhost.conf
index cf593ed..82872da 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf
+++ b/Open-ILS/examples/apache/eg_vhost.conf
@@ -71,6 +71,11 @@ RewriteCond %{REQUEST_URI} ^/opac/(.*?)/
 RewriteRule . - [E=locale:%1]
 
 # ----------------------------------------------------------------------------------
+# For sanity reasons, default indexes to Off
+# ----------------------------------------------------------------------------------
+Options -Indexes
+
+# ----------------------------------------------------------------------------------
 # Configure the OPAC
 # ----------------------------------------------------------------------------------
 <LocationMatch /opac/>
@@ -371,10 +376,13 @@ RewriteRule . - [E=locale:en-US]
 # ----------------------------------------------------------------------------------
 <Location /exporter>
     SetHandler perl-script
-    PerlSetVar OILSProxyTitle "Exporter Login"
-    PerlSetVar OILSProxyDescription "Please log in with an authorized staff account to export records"
+    AuthType Basic
+    AuthName "Exporter Login"
+    PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
-    PerlHandler OpenILS::WWW::Proxy OpenILS::WWW::Exporter
+    PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+    require valid-user
+    PerlHandler OpenILS::WWW::Exporter
     Options +ExecCGI
     PerlSendHeader On
     allow from all
@@ -382,21 +390,25 @@ RewriteRule . - [E=locale:en-US]
 
 <Location /opac/extras/merge_template>
     SetHandler perl-script
-    PerlSetVar OILSProxyTitle "Batch Update Login"
-    PerlSetVar OILSProxyDescription "Please log in to update records in batch"
+    AuthType Basic
+    AuthName "Batch Update Login"
+    PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
-    PerlHandler OpenILS::WWW::Proxy OpenILS::WWW::TemplateBatchBibUpdate
+    PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+    require valid-user
+    PerlHandler OpenILS::WWW::TemplateBatchBibUpdate
     PerlSendHeader On
     Options +ExecCGI
     allow from all
 </Location>
 
 <Location /opac/extras/circ>
-    SetHandler perl-script
-    PerlSetVar OILSProxyTitle "Circ Extras Login"
-    PerlSetVar OILSProxyDescription "Please log in with an authorized staff account to export records"
+    AuthType Basic
+    AuthName "Circ Extras Login"
+    PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
-    PerlHandler OpenILS::WWW::Proxy
+    PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+    require valid-user
     Options +ExecCGI
     PerlSendHeader On
     allow from all
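Review bot: `/opac/extras/circ` drops `SetHandler perl-script` but keeps `Options +ExecCGI` and `PerlSendHeader On`, which only have an effect with a Perl response handler; now that the location is authentication-only static content they are leftovers, and the same pattern recurs in the `/reporter/`, selfcheck and Dojo admin hunks below. Removing the two lines keeps these blocks minimal and avoids leaving ExecCGI enabled on paths that no longer need it, which would matter if a cgi-script handler were ever mapped under them.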
@@ -406,11 +418,12 @@ RewriteRule . - [E=locale:en-US]
 # Reporting output lives here
 # ----------------------------------------------------------------------------------
 <Location /reporter/>
-    SetHandler perl-script
-    PerlSetVar OILSProxyTitle "Report Login"
-    PerlSetVar OILSProxyDescription "Please log in with an authorized staff account to view this report"
+    AuthType Basic
+    AuthName "Report Login"
+    PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "VIEW_REPORT_OUTPUT"
-    PerlHandler OpenILS::WWW::Proxy
+    PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+    require valid-user
     Options +ExecCGI
     PerlSendHeader On
     allow from all
@@ -420,11 +433,12 @@ RewriteRule . - [E=locale:en-US]
 # Selfcheck interface
 # ----------------------------------------------------------------------------------
 <LocationMatch .*/selfcheck.xml>
-    SetHandler perl-script
-    PerlSetVar OILSProxyTitle "Self-check Login"
-    PerlSetVar OILSProxyDescription "Please log in with an authorized staff account to activate the self-check interface"
+    AuthType Basic
+    AuthName "Self-check Login"
+    PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
-    PerlHandler OpenILS::WWW::Proxy
+    PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+    require valid-user
     Options +ExecCGI
     PerlSendHeader On
     allow from all
@@ -482,11 +496,12 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
     XMLEntContentType "text/html; charset=utf-8"
     AddOutputFilter INCLUDES;XMLENT .html
  
-    SetHandler perl-script
-    PerlSetVar OILSProxyTitle "Dojo Admin Login"
-    PerlSetVar OILSProxyDescription "Please log in with an authorized staff account to administer Evergreen"
+    AuthType Basic
+    AuthName "Dojo Admin Login"
+    PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
-    PerlHandler OpenILS::WWW::Proxy
+    PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+    require valid-user
     Options +ExecCGI
     PerlSendHeader On
     allow from all

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/examples/apache/eg_vhost.conf             |   59 ++++---
 .../src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm   |  177 ++++++++++++++++++++
 2 files changed, 214 insertions(+), 22 deletions(-)
 create mode 100644 Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm

