Skip to content
Snippets Groups Projects
WebRequest.pm 17.5 KiB
Newer Older
package IdPAccountManager::WebRequest;

use strict;
use warnings;

use CGI;
use English qw(-no_match_vars);
use Template;
use Log::Any::Adapter;
use IdPAccountManager::Data::TestAccount;
use IdPAccountManager::Data::AuthenticationToken;
use IdPAccountManager::Data::ServiceProvider;
use IdPAccountManager::SAMLMetadata;
## Defining parameters format
my $urn_or_url_regex = '(http(s?):\/\/|urn:)[^\\\$\*\"\'\`\^\|\<\>\n\s]+'
  ;    ## Format de type URL HTTP ou URN
my $url_regex     = 'http(s?):\/\/[^\\\$\*\"\'\`\^\|\<\>\n\s]+';
my $email_regex   = '([\w\-\_\.\/\+\=\'\&]+|\".*\")\@[\w\-]+(\.[\w\-]+)+';
my $domains_regex = '[\w\.\-]+(,[\w\.\-]+)*';
my %format        = (
    ## URL
    #'attributeauthority' => $url_regex,
    'sp_entityid' => $urn_or_url_regex,
);

my %actions = (
    select_sp      => 'req_select_sp',
    account_wizard => 'req_account_wizard',
    generate_token => 'req_generate_token',
    validate_token => 'req_validation_token',
    home           => 'req_home',
);

## New web request
sub new {
    my ($pkg, %args) = @_;

    my $self = {
        configuration => $args{configuration},
    Log::Any::Adapter->set(
        'File',
        $self->{configuration}->{log_file},
        log_level => $self->{configuration}->{log_level}
    $self->{logger} = Log::Any->get_logger();

    IdPAccountManager::DB->register_db(
        driver          => $self->{configuration}->{database_type},
        database        => $self->{configuration}->{database_name},
        host            => $self->{configuration}->{database_host},
        password        => $self->{configuration}->{database_password},
        username        => $self->{configuration}->{database_user}
    );

    $self->{db} = IdPAccountManager::DB->new();
    $self->{cgi} = CGI->new();
    bless $self, $pkg;
    return $self;
sub run {
    my ($self) = @_;
    $self->execute();
    $self->respond();
}

## Execute a web request
sub execute {
    my ($self) = @_;

    # process input parameters
    my %parameters = $self->{cgi}->Vars();

    foreach my $parameter (keys %parameters) {

        # cleanup
        $parameters{$parameter} =~ s/\r//g;  # remove &0D char
        $parameters{$parameter} =~ s/\s+$//; # remove trailing spaces
        $parameters{$parameter} =~ s/^\s+//; # remove leading spaces

        # format check
        if (defined $format{$parameter}
            && !ref($format{$parameter})) {
            if ($parameters{$parameter} !~ /^$format{$parameter}$/) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
                push @{ $self->{out}->{errors} }, "format_$parameter";
                $self->{logger}->error(
                    "Incorrect parameter format : $parameter"

        # If action_xx parameter is set, set action parameter with value xx
        if ($parameter =~ /^action_(\w+)$/) {
            $parameters{action} = $1;
        }

        # register needed parameters
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        $self->{in} = {
            email_adress => $parameters{action},
            style        => $parameters{style},
            sp_entityid  => $parameters{sp_entityid},
            authentication_token => $parameters{authentication_token}
        };
    my $action = $parameters{action} || 'home';
    # initialize output parameters
    $self->{out} = {
        env => {
            REMOTE_HOST => $ENV{REMOTE_HOST},
            REMOTE_ADDR => $ENV{REMOTE_ADDR},
            SCRIPT_NAME => $ENV{SCRIPT_NAME}
        },
        conf => {
            accounts_validity_period => $self->{configuration}->{accounts_validity_period},
            app_name                 => $self->{configuration}->{app_name},
            app_url                  => $self->{configuration}->{app_url},
            idp_scope                => $self->{configuration}->{idp_scope},
            idp_displayname          => $self->{configuration}->{idp_displayname},
            support_email            => $self->{configuration}->{support_email},
            version                  => $self->{configuration}->{version},
        },
        action => $action,
        title  => $self->{configuration}->{app_name}
    };

    # process requested action
    if ($actions{$action}) {
        my $method = $actions{$action};
        $status = $self->$method();
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "unknown_action";
        $self->{logger}->error( "Unknown action '$action'");

    return 1;
}

## Return HTML content
sub respond {
    my ($self) = @_;
    ## Parse template
    my $tt2 = Template->new({
        INCLUDE_PATH => $self->{configuration}->{templates_dir}
    });
    ## nobanner is used to do AJAX to get only pieces of HTML to load in the web client
    if ($self->{in}->{style} && $self->{in}->{style} eq 'nobanner') {
        $template = 'web/index-nobanner.tt2.html';
        $template = 'web/index.tt2.html';
    unless ($tt2->process($template, $self->{out}, \*STDOUT)) {
        printf "Content-type: text/plain\n\n Error: %s", $tt2->error();
        $self->{logger}->errorf("Web parser error : %s", $tt2->error());
    }

    ## Ignore some type of errors
    my @errors_admin;
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    foreach my $id_error (@{ $self->{out}->{errors} }) {
        unless ($id_error =~ /^(error_x)$/) {
            push @errors_admin, $id_error;
        }
    }

    ## Mail notification of admins about the error
    if (@errors_admin) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        $self->{out}->{subject} = 'Error notification - web interface';
        IdPAccountManager::Tools::mail_notice(
            template            => 'mail/notification_generic_error.tt2.eml',
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            data                => $self->{out},
            logger              => $self->{logger},
            conf                => $self->{configuration},
            admin_email         => $self->{configuration}->{admin_email},
            dev_no_mail_outside => $self->{configuration}->{dev_no_mail_outside},
            dev_sp_contact      => $self->{configuration}->{dev_sp_contact},
            notice_from         => $self->{configuration}->{notice_from}
        );
    }
}

## Return the list of known SPs first
sub req_account_wizard {
    my ($self) = @_;
    my $metadata;
        $metadata = IdPAccountManager::SAMLMetadata->new(
            file => $self->{configuration}->{federation_metadata_file_path}
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "internal";
        $self->{logger}->error("Failed to load federation metadata: $EVAL_ERROR");
    $self->{out} = $metadata->parse();
    $self->{out}->{subtitle} = 'Select your Service Provider';

    return 1;
}

## Select a Service Provider and return metadata sctucture for the SP
## Sample URL : https://dev-edugain.renater.fr/accountmanager?action=select_sp&sp_entityid=http%3A%2F%2Fsp.lat.csc.fi
sub req_select_sp {
    my ($self) = @_;
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    unless ($self->{in}->{sp_entityid}) {
        push @{ $self->{out}->{errors} }, "missing_sp_entityid";
        $self->{logger}->error("Missing parameter sp_entityid");
    my $federation_metadata;
    eval {
        $federation_metadata = IdPAccountManager::SAMLMetadata->new(
            file => $self->{configuration}->{federation_metadata_file_path}
        );
    };
    if ($EVAL_ERROR) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "internal";
        $self->{logger}->error("Failed to load federation metadata: $EVAL_ERROR");
    $federation_metadata->parse(
        filter_entity_id => $self->{in}->{sp_entityid}
    );

    ## Create a serviceprovider object to store major parameters for this SP in DB
    my $service_provider = IdPAccountManager::Data::ServiceProvider->new(
        db             => $self->{db},
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        entityid       => $self->{in}->{sp_entityid},
        dev_sp_contact => $self->{configuration}->{dev_sp_contact}

    ## Prepare data
    my $sp_metadata_as_hashref =
      $federation_metadata->{federation_metadata_as_hashref}->[0];
    if (defined $sp_metadata_as_hashref->{contacts}) {
        foreach my $contact (@{ $sp_metadata_as_hashref->{contacts} }) {
            my $email = $contact->{EmailAddress};
            $email =~ s/^(mailto:)//;    ## Remove 'mailto:' prefixes if any
            push @contacts, $email;
        }
    }
    my $display_name;
    if (defined $sp_metadata_as_hashref->{display_name}) {
        ## Use English version of displayName if available
        if ($sp_metadata_as_hashref->{display_name}->{en}) {
            $display_name = $sp_metadata_as_hashref->{display_name}->{en};
            ## Else any language
        } else {
            foreach
              my $lang (keys %{ $sp_metadata_as_hashref->{display_name} })
                  $sp_metadata_as_hashref->{display_name}->{$lang};
                last;
            }
        }
    }

    ## Try loading DB object first
    if ($service_provider->load(speculative => 1)) {
        $service_provider->contacts(join(',', @contacts));
        $service_provider->displayname($display_name);

    } else {

        $service_provider = IdPAccountManager::Data::ServiceProvider->new(
            db             => $self->{db},
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            entityid       => $self->{in}->{sp_entityid},
            contacts       => join(',', @contacts),
            displayname    => $display_name,
            dev_sp_contact => $self->{configuration}->{dev_sp_contact}
        );
        unless (defined $service_provider) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            push @{ $self->{out}->{errors} }, "internal";
            $self->{logger}->error("Failed to create serviceprovider object");
            return undef;
        }
    }

    unless ($service_provider->save()) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "internal";
        $self->{logger}->error("Failed to save serviceprovider object");
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    $self->{out}->{sp_metadata_as_hashref} =
      $federation_metadata->{federation_metadata_as_hashref}->[0];
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    $self->{out}->{serviceprovider} = $service_provider;
    $self->{out}->{subtitle} = 'Select your Service Provider';

    return 1;
}

## Generate an authentication token to validate an email address
## Sample call : dev-edugain.renater.fr/accountmanager?action=generate_token&style=nobanner&sp_entityid=https%3A%2F%2Fsourcesup.cru.fr%2Fshibboleth&email_address=support%40renater.fr
sub req_generate_token {
    my ($self) = @_;
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    unless ($self->{in}->{sp_entityid}) {
        push @{ $self->{out}->{errors} }, "missing_sp_entityid";
        $self->{logger}->error("Missing parameter sp_entityid");
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    unless ($self->{in}->{email_address}) {
        push @{ $self->{out}->{errors} }, "email_address";
        $self->{logger}->error("Missing parameter email_address");
        return undef;
    }

    ## Create a serviceprovider object to load parameters for this SP from DB
    my $service_provider = IdPAccountManager::Data::ServiceProvider->new(
        db             => $self->{db},
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        entityid       => $self->{in}->{sp_entityid},
        dev_sp_contact => $self->{configuration}->{dev_sp_contact}

    # Try loading DB object first
    unless ($service_provider->load(speculative => 1)) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "internal";
        $self->{logger}->errorf("Failed to load SP with entityid '%s'", $self->{in}->{sp_entityid});
        return undef;
    }

    ## Check that email_address is a known contact for this SP
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    unless ($service_provider->is_contact($self->{in}->{email_address}))
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "internal";
        $self->{logger}->errorf(
            "Requested a token for %s for an unautorized address '%s'",
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            $self->{in}->{sp_entityid},
            $self->{in}->{email_address}
    my $authentication_token = IdPAccountManager::Data::AuthenticationToken->new(
        db            => $self->{db},
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        email_address => $self->{in}->{email_address},
        sp_entityid   => $self->{in}->{sp_entityid}
    );
    unless (defined $authentication_token) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "internal";
        $self->{logger}->error("Failed to create authentication token");
        return undef;
    }

    ## First remove token if one exist for this email+SP
    if ($authentication_token->load(speculative => 1)) {
        unless ($authentication_token->delete()) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            push @{ $self->{out}->{errors} }, "internal";
            $self->{logger}->errorf(
                "Failed to delete previous authentication token with ID %s",
                $authentication_token->get('id')
        $authentication_token = IdPAccountManager::Data::AuthenticationToken->new(
            db            => $self->{db},
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            email_address => $self->{in}->{email_address},
            sp_entityid   => $self->{in}->{sp_entityid}
        );
        unless (defined $authentication_token) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            push @{ $self->{out}->{errors} }, "internal";
            $self->{logger}->error("Failed to create authentication token");
            return undef;
        }
    }

    unless ($authentication_token->save()) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "internal";
        $self->{logger}->error("Failed to save authentication token");
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    $self->{out}->{email_address} = $self->{in}->{email_address};
    $self->{out}->{sp_entityid}   = $self->{in}->{sp_entityid};
    $self->{out}->{to}            = $self->{in}->{email_address};
    $self->{out}->{authentication_token} =
        $authentication_token->get('token');
    $self->{out}->{subtitle} = 'Generate an authentication token';

    ## Send the challenge email with the token
    IdPAccountManager::Tools::mail_notice(
        template => 'mail/send_authentication_token.tt2.eml',
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        to       => $self->{in}->{email_address},
        data     => $self->{out},
        logger   => $self->{logger}
    $self->{logger}->infof(
        "Token send to %s for sp_entityid=%s;token=%s",
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        $self->{in}->{email_address},
        $self->{in}->{sp_entityid},
        $self->{out}->{authentication_token}
    );

    return 1;
}

## Validate an authentication token
## Test accounts get created
## Sample call : dev-edugain.renater.fr/accountmanager?action=validate_token&style=nobanner&sp_entityid=https%3A%2F%2Fsourcesup.cru.fr%2Fshibboleth&authentication_token=c1cfecb51ea40d39a695
sub req_validate_token {
    my ($self) = @_;
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    unless ($self->{in}->{sp_entityid}) {
        push @{ $self->{out}->{errors} }, "missing_sp_entityid";
        $self->{logger}->error("Missing parameter sp_entityid");
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    unless ($self->{in}->{authentication_token}) {
        push @{ $self->{out}->{errors} },
          "missing_authentication_token";
        $self->{logger}->error("Missing parameter authentication_token");
    my $authentication_token = IdPAccountManager::Data::AuthenticationToken->new(
        db    => $self->{db},
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        token => $self->{in}->{authentication_token});

    unless ($authentication_token->load()) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "wrong_token";
        $self->{logger}->errorf(
            "Failed to validate authentication token %s for sp_entityid %s",
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            $self->{in}->{authentication_token},
            $self->{in}->{sp_entityid}
        );
        return undef;
    }

    unless ($authentication_token->get('sp_entityid') eq
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        $self->{in}->{sp_entityid})
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "wrong_token_for_sp";
        $self->{logger}->errorf(
            "Authentication token %s cannot be used for SP with entityid %s",
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            $self->{in}->{authentication_token},
            $self->{in}->{sp_entityid}
        );
        return undef;
    }

    ## delete the token
    unless ($authentication_token->delete()) {
        $self->{logger}->errorf(
            "Failed to delete authentication token %s",
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            $self->{in}->{authentication_token}
    foreach my $profile ($self->{configuration}->{account_profiles}) {
        my $test_account = IdPAccountManager::Data::TestAccount->new(
            db              => $self->{db},
            account_profile => $profile,
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            sp_entityid     => $self->{in}->{sp_entityid}
        );
        next unless $test_account;
        next unless $test_account->save();
        push @test_accounts, $test_account;
    }

    unless (@test_accounts) {
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "accounts_creation_failed";
        $self->{logger}->errorf(
            "Failed to create test accounts for SP with entityid %s",
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
            $self->{in}->{sp_entityid}
        );
        return undef;
    }

    ## Update simpleSAMLphp configuration to enable test accounts
    unless (IdPAccountManager::Tools::update_ssp_authsources(
            $self->{configuration}->{templates_dir},
            $self->{configuration}
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        push @{ $self->{out}->{errors} }, "accounts_creation_failed";
        $self->{logger}->error(
            "Failed to create simpleSAMLphp configuration file"
    $self->{logger}->infof(
        "Token validated for sp_entityid=%s;token=%s",
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
        $self->{in}->{sp_entityid},
        $self->{in}->{authentication_token}
Guillaume ROUSSE's avatar
Guillaume ROUSSE committed
    $self->{out}->{sp_entityid}   = $self->{in}->{sp_entityid};
    $self->{out}->{test_accounts} = \@test_accounts;
    $self->{out}->{subtitle} = 'Complete Email Challenge';

    return 1;
}

## Return the homepage of the service
sub req_home {
    my ($self) = @_;