#!/usr/bin/perl
## Copyright (c) GEANT
## This software was developed by RENATER. The research leading to these results has received funding
## from the European Community¹s Seventh Framework Programme (FP7/2007-2013) under grant agreement nº 238875 (GÉANT).
## 15/09/2014, Olivier Salaün
## Web interface for the eduGAIN Access Check Account Manager
use strict;
use warnings;
use utf8;
use lib qw(lib conf);
use CGI;
use CGI::Cookie;
use CGI::Util;
use Template;
use Template::Constants qw( :debug );
use IdPAccountManager::TestAccount;
use IdPAccountManager::SAMLMetadata;
use IdPAccountManager::ServiceProvider;
use IdPAccountManager::AuthenticationToken;
## Defining parameters format
my $urn_or_url_regex = '(http(s?):\/\/|urn:)[^\\\$\*\"\'\`\^\|\<\>\n\s]+'
; ## Format de type URL HTTP ou URN
my $url_regex = 'http(s?):\/\/[^\\\$\*\"\'\`\^\|\<\>\n\s]+';
my $email_regex = '([\w\-\_\.\/\+\=\'\&]+|\".*\")\@[\w\-]+(\.[\w\-]+)+';
my $domains_regex = '[\w\.\-]+(,[\w\.\-]+)*';
my %format = (
## URL
#'attributeauthority' => $url_regex,
'sp_entityid' => $urn_or_url_regex,
);
my %actions = (
'select_sp' => { 'title_en' => 'Select your Service Provider' },
'account_wizard' => { 'title_en' => 'Select your Service Provider' },
'generate_token' => { 'title_en' => 'Generate an authentication token' },
'validate_token' => { 'title_en' => 'Complete Email Challenge' },
'home' => { 'title_en' => $Conf::global{'app_name'} },
);
## Gives writes for the group
umask 0002;
chdir $Conf::global{'root_manager_dir'};
my $request = new WebRequest;
if (defined $request) {
$request->execute();
}
$request->respond();
package WebRequest;
## New web request
sub new {
my $pkg = shift;
my $request = {};
IdPAccountManager::Tools::do_log('info', "");
my $http_query = new CGI;
## Input parameters
my %in_vars = $http_query->Vars;
$request->{'param_in'} = \%in_vars;
## Check if admin acts as another user
$request->{'cookies'} = CGI::Cookie->fetch;
#if (defined $request->{'cookies'}{'as_user'} && $request->{'is_admin'}) {
# $request->{'utilisateur'} = $request->{'as_user'} = $request->{'cookies'}{'as_user'}->value;
# $request->{'is_admin'} = 0;
#}
## Usefull data for output (web pages or mail notices)
$request->{'param_out'}{'url_cgi'} = $ENV{'SCRIPT_NAME'};
$request->{'param_out'}{'env'} = \%ENV;
$request->{'param_out'}{'actions'} = \%actions;
$request->{'param_out'}{'conf'} = \%Conf::global;
## Dumping input data
#open TMP, ">/tmp/account_manager.in"; IdPAccountManager::Tools::dump_var($request->{'param_in'}, 0, \*TMP); close TMP;
## Clean input vars
foreach my $key (keys %{ $request->{'param_in'} }) {
#IdPAccountManager::Tools::do_log('trace', "PARAM_ENTREE: %s=%s", $key, $request->{'param_in'}{$key});
## Removing all ^M (0D)
$request->{'param_in'}{$key} =~ s/\r//g;
$request->{'param_in'}{$key} =~ s/\s+$//; ## Remove trailing spaces
$request->{'param_in'}{$key} =~ s/^\s+//; ## Remove leading spaces
#if ($request->{'param_in'}{$key} =~ /\0/) {
# my @valeurs = split /\0/, $request->{'param_in'}{$key};
# $request->{'param_in'}{$key} = $valeurs[0]; ## Only keep first value of multi-valued parameters
#}
## If action_xx param is set, then action=xx
## Usefull to have sementicless values in submit forms
if ($key =~ /^action_(\w+)$/) {
#IdPAccountManager::Tools::do_log('trace', "ACTION $key");
$request->{'param_in'}{'action'} = $1;
}
}
## Check the requested action
if ($request->{'param_in'}{'action'}) {
$request->{'action'} = $request->{'param_in'}{'action'};
} else {
## Default action
IdPAccountManager::Tools::do_log('info', "Default action");
$request->{'action'} = 'home';
}
bless $request, $pkg;
return $request;
}
## Execute a web request
sub execute {
my $self = shift;
IdPAccountManager::Tools::do_log('debug', "");
my $status;
## Check input parameters format
foreach my $key (keys %{ $self->{'param_in'} }) {
if ( $self->{'param_in'}{$key} !~ /^\s*$/
&& defined $format{$key}
&& !ref($format{$key}))
{
unless ($self->{'param_in'}{$key} =~ /^$format{$key}$/) {
push @{ $self->{'param_out'}{'errors'} }, "format_$key";
IdPAccountManager::Tools::do_log('error',
"Incorrect parameter format : $key");
return undef;
}
}
}
do {
## Actions can be chained
$self->{'action'} = $self->{'next_action'} if ($self->{'next_action'});
delete $self->{'next_action'}; ## Prevent loops
if (defined $actions{ $self->{'action'} }) {
## Execute the target subroutine named req_actionName
no strict 'refs';
my $sub = 'req_' . $self->{'action'};
$status = &{$sub}($self);
} else {
## Inknown action
push @{ $self->{'param_out'}{'errors'} }, "unknown_action";
IdPAccountManager::Tools::do_log('error', "Unknown action '%s'",
$self->{'action'});
}
} while ($self->{'next_action'});
#return undef if (!defined $status);
return 1;
}
## Return HTML content
sub respond {
my $self = shift;
IdPAccountManager::Tools::do_log('debug', "");
## Dump output data
#open TMP, ">/tmp/account_registry.out"; IdPAccountManager::Tools::dump_var($self->{'param_out'}, 0, \*TMP); close TMP;
## Enable dumping off all variables in web pages
#$self->{'param_out'}{'dump'} = $self->{'param_out'};
## Automatic pass object entries to the output hash
foreach my $key (keys %{$self}) {
#IdPAccountManager::Tools::do_log('trace', "Passing $key");
$self->{'param_out'}{$key} ||= $self->{$key}
unless ($key eq 'param_out');
}
## An action may redirect to an external URL
if ($self->{'url_redirection'}) {
#IdPAccountManager::Tools::do_log('trace', "URL Redirect : $self->{'url_redirection'}");
printf "Location: %s\n\n", $self->{'url_redirection'};
} else {
#$self->{'param_out'}{'cookie'} = CGI::Cookie->new(-name=>'as_user',-value=>$self->{'as_user'},-expires=>'-1M');
## Parse template
my $tt2 = Template->new(
{
ENCODING => 'iso-8859-1', ## le défaut apparemment
FILTERS => {
'encode_utf8', =>
[ \&IdPAccountManager::Tools::encode_utf8, 0 ],
'escape_quotes' =>
[ \&IdPAccountManager::Tools::escape_quotes, 0 ]
},
INCLUDE_PATH => $Conf::global{'root_manager_dir'} . ':'
. $Conf::global{'root_manager_dir'}
. '/templates/accountProfiles',
#DEBUG => 'all',
#DEBUG => 'caller',
#DEBUG => 'parser'
}
);
my $template;
## nobanner is used to do AJAX to get only pieces of HTML to load in the web client
if ($self->{'param_in'}{'style'} eq 'nobanner') {
$template = 'templates/web/index-nobanner.tt2.html';
} else {
$template = 'templates/web/index.tt2.html';
}
unless ($tt2->process($template, $self->{'param_out'}, \*STDOUT)) {
printf "Content-type: text/plain\n\n Error: %s", $tt2->error();
IdPAccountManager::Tools::do_log('error', "Web parser error : %s",
$tt2->error());
}
}
## Ignore some type of errors
my @errors_admin;
foreach my $id_error (@{ $self->{'param_out'}{'errors'} }) {
unless ($id_error =~ /^(error_x)$/) {
push @errors_admin, $id_error;
}
}
## Mail notification of admins about the error
if (@errors_admin) {
$self->{'param_out'}{'subject'} = 'Error notification - web interface';
IdPAccountManager::Tools::mail_notice(
'template' => 'templates/mail/notification_generic_error.tt2.eml',
'data' => $self->{'param_out'}
);
}
}
## Return the list of known SPs first
sub req_account_wizard {
my $self = shift;
IdPAccountManager::Tools::do_log('info', "");
my $federation_metadata = new IdPAccountManager::SAMLMetadata;
unless (
$federation_metadata->load(
federation_metadata_file_path =>
$Conf::global{'federation_metadata_file_path'}
)
)
{
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to load federation metadata : $!");
return undef;
}
unless ($federation_metadata->parse()) {
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to parse federation metadata : $!");
return undef;
}
$self->{'param_out'}{'federation_metadata_as_hashref'} =
$federation_metadata->{'federation_metadata_as_hashref'};
return 1;
}
## Select a Service Provider and return metadata sctucture for the SP
## Sample URL : https://dev-edugain.renater.fr/accountmanager?action=select_sp&sp_entityid=http%3A%2F%2Fsp.lat.csc.fi
sub req_select_sp {
my $self = shift;
IdPAccountManager::Tools::do_log('info', "");
unless ($self->{'param_in'}{'sp_entityid'}) {
push @{ $self->{'param_out'}{'errors'} }, "missing_sp_entityid";
IdPAccountManager::Tools::do_log('error',
"Missing parameter sp_entityid");
return undef;
}
my $federation_metadata = new IdPAccountManager::SAMLMetadata;
unless (
$federation_metadata->load(
federation_metadata_file_path =>
$Conf::global{'federation_metadata_file_path'}
)
)
{
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to load federation metadata : $!");
return undef;
}
unless (
$federation_metadata->parse(
filter_entity_id => $self->{'param_in'}{'sp_entityid'}
)
)
{
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to parse federation metadata : $!");
return undef;
}
## Create a serviceprovider object to store major parameters for this SP in DB
my $service_provider = new IdPAccountManager::ServiceProvider(
entityid => $self->{'param_in'}{'sp_entityid'});
## Prepare data
#open TMP, ">/tmp/account_manager_metadata.dump"; IdPAccountManager::Tools::dump_var($federation_metadata->{'federation_metadata_as_hashref'}[0], 0, \*TMP); close TMP;
my $sp_metadata_as_hashref =
$federation_metadata->{'federation_metadata_as_hashref'}[0];
my @contacts;
if (defined $sp_metadata_as_hashref->{'contacts'}) {
foreach my $contact (@{ $sp_metadata_as_hashref->{'contacts'} }) {
my $email = $contact->{'EmailAddress'};
$email =~ s/^(mailto:)//; ## Remove 'mailto:' prefixes if any
push @contacts, $email;
}
}
my $display_name;
if (defined $sp_metadata_as_hashref->{'display_name'}) {
## Use English version of displayName if available
if ($sp_metadata_as_hashref->{'display_name'}{'en'}) {
$display_name = $sp_metadata_as_hashref->{'display_name'}{'en'};
## Else any language
} else {
foreach
my $lang (keys %{ $sp_metadata_as_hashref->{'display_name'} })
{
#IdPAccountManager::Tools::do_log('TRACE', "Display name(%s): %s", $lang, $sp_metadata_as_hashref->{'display_name'}{$lang});
$display_name =
$sp_metadata_as_hashref->{'display_name'}{$lang};
last;
}
}
}
## Try loading DB object first
if ($service_provider->load(speculative => 1)) {
$service_provider->contacts(join(',', @contacts));
$service_provider->displayname($display_name);
} else {
$service_provider = new IdPAccountManager::ServiceProvider(
entityid => $self->{'param_in'}{'sp_entityid'},
contacts => join(',', @contacts),
displayname => $display_name
);
unless (defined $service_provider) {
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to create serviceprovider object");
return undef;
}
}
unless ($service_provider->save()) {
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to save serviceprovider object");
return undef;
}
$self->{'param_out'}{'sp_metadata_as_hashref'} =
$federation_metadata->{'federation_metadata_as_hashref'}[0];
$self->{'param_out'}{'serviceprovider'} = $service_provider;
return 1;
}
## Generate an authentication token to validate an email address
## Sample call : dev-edugain.renater.fr/accountmanager?action=generate_token&style=nobanner&sp_entityid=https%3A%2F%2Fsourcesup.cru.fr%2Fshibboleth&email_address=support%40renater.fr
sub req_generate_token {
my $self = shift;
IdPAccountManager::Tools::do_log('info', "");
unless ($self->{'param_in'}{'sp_entityid'}) {
push @{ $self->{'param_out'}{'errors'} }, "missing_sp_entityid";
IdPAccountManager::Tools::do_log('error',
"Missing parameter sp_entityid");
return undef;
}
unless ($self->{'param_in'}{'email_address'}) {
push @{ $self->{'param_out'}{'errors'} }, "email_address";
IdPAccountManager::Tools::do_log('error',
"Missing parameter email_address");
return undef;
}
## Create a serviceprovider object to load parameters for this SP from DB
my $service_provider = new IdPAccountManager::ServiceProvider(
entityid => $self->{'param_in'}{'sp_entityid'});
# Try loading DB object first
unless ($service_provider->load(speculative => 1)) {
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log(
'error',
"Failed to load SP with entityid '%s'",
$self->{'param_in'}{'sp_entityid'}
);
return undef;
}
## Check that email_address is a known contact for this SP
unless ($service_provider->is_contact($self->{'param_in'}{'email_address'}))
{
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log(
'error',
"Requested a token for %s for an unautorized address '%s'",
$self->{'param_in'}{'sp_entityid'},
$self->{'param_in'}{'email_address'}
);
return undef;
}
my $authentication_token = new IdPAccountManager::AuthenticationToken(
'email_address' => $self->{'param_in'}{'email_address'},
'sp_entityid' => $self->{'param_in'}{'sp_entityid'}
);
unless (defined $authentication_token) {
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to create authentication token");
return undef;
}
## First remove token if one exist for this email+SP
if ($authentication_token->load()) {
unless ($authentication_token->delete()) {
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log(
'error',
"Failed to delete previous authentication token with ID %s",
$authentication_token->get('id')
);
return undef;
}
$authentication_token = new IdPAccountManager::AuthenticationToken(
'email_address' => $self->{'param_in'}{'email_address'},
'sp_entityid' => $self->{'param_in'}{'sp_entityid'}
);
unless (defined $authentication_token) {
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to create authentication token");
return undef;
}
}
unless ($authentication_token->save()) {
push @{ $self->{'param_out'}{'errors'} }, "internal";
IdPAccountManager::Tools::do_log('error',
"Failed to save authentication token");
return undef;
}
$self->{'param_out'}{'authentication_token'} =
$authentication_token->get('token');
$self->{'param_out'}{'email_address'} =
$self->{'param_in'}{'email_address'};
$self->{'param_out'}{'sp_entityid'} = $self->{'param_in'}{'sp_entityid'};
$self->{'param_out'}{'to'} = $self->{'param_in'}{'email_address'};
## Send the challenge email with the token
IdPAccountManager::Tools::mail_notice(
'template' => 'templates/mail/send_authentication_token.tt2.eml',
'to' => $self->{'param_in'}{'email_address'},
'data' => $self->{'param_out'}
);
IdPAccountManager::Tools::do_log(
'info',
"Token send to %s for sp_entityid=%s;token=%s",
$self->{'param_in'}{'email_address'},
$self->{'param_in'}{'sp_entityid'},
$self->{'param_out'}{'authentication_token'}
);
return 1;
}
## Validate an authentication token
## Test accounts get created
## Sample call : dev-edugain.renater.fr/accountmanager?action=validate_token&style=nobanner&sp_entityid=https%3A%2F%2Fsourcesup.cru.fr%2Fshibboleth&authentication_token=c1cfecb51ea40d39a695
sub req_validate_token {
my $self = shift;
IdPAccountManager::Tools::do_log('info', "");
unless ($self->{'param_in'}{'sp_entityid'}) {
push @{ $self->{'param_out'}{'errors'} }, "missing_sp_entityid";
IdPAccountManager::Tools::do_log('error',
"Missing parameter sp_entityid");
return undef;
}
unless ($self->{'param_in'}{'authentication_token'}) {
push @{ $self->{'param_out'}{'errors'} },
"missing_authentication_token";
IdPAccountManager::Tools::do_log('error',
"Missing parameter authentication_token");
return undef;
}
my $authentication_token = new IdPAccountManager::AuthenticationToken(
token => $self->{'param_in'}{'authentication_token'});
unless ($authentication_token->load()) {
push @{ $self->{'param_out'}{'errors'} }, "wrong_token";
IdPAccountManager::Tools::do_log(
'error',
"Failed to validate authentication token %s for sp_entityid %s",
$self->{'param_in'}{'authentication_token'},
$self->{'param_in'}{'sp_entityid'}
);
return undef;
}
unless ($authentication_token->get('sp_entityid') eq
$self->{'param_in'}{'sp_entityid'})
{
push @{ $self->{'param_out'}{'errors'} }, "wrong_token_for_sp";
IdPAccountManager::Tools::do_log(
'error',
"Authentication token %s cannot be used for SP with entityid %s",
$self->{'param_in'}{'authentication_token'},
$self->{'param_in'}{'sp_entityid'}
);
return undef;
}
## delete the token
unless ($authentication_token->delete()) {
IdPAccountManager::Tools::do_log(
'error',
"Failed to delete authentication token %s",
$self->{'param_in'}{'authentication_token'}
);
}
## create test accounts
my @test_accounts =
IdPAccountManager::TestAccount::create_test_accounts_for_sp(
sp_entityid => $self->{'param_in'}{'sp_entityid'});
unless (@test_accounts) {
push @{ $self->{'param_out'}{'errors'} }, "accounts_creation_failed";
IdPAccountManager::Tools::do_log(
'error',
"Failed to create test accounts for SP with entityid %s",
$self->{'param_in'}{'sp_entityid'}
);
return undef;
}
## Update simpleSAMLphp configuration to enable test accounts
unless (IdPAccountManager::Tools::update_ssp_authsources()) {
push @{ $self->{'param_out'}{'errors'} }, "accounts_creation_failed";
IdPAccountManager::Tools::do_log('error',
"Failed to create simpleSAMLphp configuration file");
return undef;
}
IdPAccountManager::Tools::do_log(
'info',
"Token validated for sp_entityid=%s;token=%s",
$self->{'param_in'}{'sp_entityid'},
$self->{'param_in'}{'authentication_token'}
);
$self->{'param_out'}{'sp_entityid'} = $self->{'param_in'}{'sp_entityid'};
$self->{'param_out'}{'test_accounts'} = \@test_accounts;
return 1;
}
## Return the homepage of the service
sub req_home {
my $self = shift;
IdPAccountManager::Tools::do_log('info', "");
return 1;
}