(**************************************************************************)
(*                                BELENIOS                                *)
(*                                                                        *)
(*  Copyright © 2012-2014 Inria                                           *)
(*                                                                        *)
(*  This program is free software: you can redistribute it and/or modify  *)
(*  it under the terms of the GNU Affero General Public License as        *)
(*  published by the Free Software Foundation, either version 3 of the    *)
(*  License, or (at your option) any later version, with the additional   *)
(*  exemption that compiling, linking, and/or using OpenSSL is allowed.   *)
(*                                                                        *)
(*  This program is distributed in the hope that it will be useful, but   *)
(*  WITHOUT ANY WARRANTY; without even the implied warranty of            *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU     *)
(*  Affero General Public License for more details.                       *)
(*                                                                        *)
(*  You should have received a copy of the GNU Affero General Public      *)
(*  License along with this program.  If not, see                         *)
(*  <http://www.gnu.org/licenses/>.                                       *)
(**************************************************************************)

open Lwt
open Web_signatures
open Web_common

(** [next_lf str i] is the index of the first ['\n'] in [str] at or after
    position [i], or [None] when there is none.  Like [String.index_from],
    it raises [Invalid_argument] if [i] is not a valid position. *)
let next_lf str i =
  let pos = try String.index_from str i '\n' with Not_found -> -1 in
  if pos < 0 then None else Some pos

(* Configuration of the CAS system: [server] is used as the URL prefix of
   every CAS endpoint (login, logout, validate). *)
type config = { server : string }

(** Parameter of {!Make}: the CAS server, used as URL prefix for the
    login, logout and validate endpoints. *)
module type CONFIG = sig
  val server : string
end

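module Make (C : CONFIG) (N : NAME) (S : AUTH_SERVICES) (L : AUTH_LINKS) : AUTH_HANDLERS = struct

  (* Pending login/logout continuations are kept per session. *)
  let scope = Eliom_common.default_session_scope

  (* CAS endpoints, all rooted at [C.server]. *)
  let cas_login = Eliom_service.Http.external_service
    ~prefix:C.server
    ~path:["login"]
    ~get_params:Eliom_parameter.(string "service" ** opt (bool "renew"))
    ()

  let cas_logout = Eliom_service.Http.external_service
    ~prefix:C.server
    ~path:["logout"]
    ~get_params:Eliom_parameter.(string "service")
    ()

  let cas_validate = Eliom_service.Http.external_service
    ~prefix:C.server
    ~path:["validate"]
    ~get_params:Eliom_parameter.(string "service" ** string "ticket")
    ()

  (* Our own endpoint.  [ticket] is absent on the first visit and is set
     by CAS when it redirects the browser back here. *)
  let login_cas = Eliom_service.Http.service
    ~path:N.path
    ~get_params:Eliom_parameter.(opt (string "ticket"))
    ()

  let service = Eliom_service.preapply login_cas None

  (* Absolute URL of [service]; passed to CAS as the "service" parameter of
     login, logout and validate, so that tickets are bound to this endpoint. *)
  let self =
    lazy (Eliom_uri.make_string_uri ~absolute:true ~service () |> rewrite_prefix)

  (* Set by [login]/[logout], resumed (and cleared) by the handler below. *)
  let login_cont = Eliom_reference.eref ~scope None
  let logout_cont = Eliom_reference.eref ~scope None

  let () = Eliom_registration.Any.register
    ~service:login_cas
    (fun ticket () ->
      match ticket with
      | Some x ->
        (* Back from CAS with a ticket: ask the CAS server to confirm it
           for [self]. *)
        let validation =
          let service = Eliom_service.preapply cas_validate (Lazy.force self, x) in
          Eliom_uri.make_string_uri ~absolute:true ~service ()
        in
        lwt reply = Ocsigen_http_client.get_url validation in
        (match reply.Ocsigen_http_frame.frame_content with
          | Some stream ->
            (* The reply body is read with a 1000-byte bound. *)
            lwt info = Ocsigen_stream.(string_of_stream 1000 (get stream)) in
            Ocsigen_stream.finalize stream `Success >>
            (* Expected shape of the reply: a first line "yes" or "no";
               after "yes", the user name is on the second line.  Anything
               else is a malformed reply and is answered with 502.
               NOTE(review): lines are split on '\n' only, so CRLF endings
               would leave a trailing '\r' in both fields and be rejected
               as malformed -- confirm the server's line endings. *)
            (match next_lf info 0 with
              | Some i ->
                (match String.sub info 0 i with
                  | "yes" ->
                    (match next_lf info (i+1) with
                      | Some j ->
                        let user_name = String.sub info (i+1) (j-i-1) in
                        (* An empty second line is not a user identity:
                           treat it as a malformed reply instead of resuming
                           the login continuation with "". *)
                        if user_name = "" then fail_http 502 else
                        (match_lwt Eliom_reference.get login_cont with
                        | Some cont ->
                          Eliom_reference.unset login_cont >>
                          cont user_name ()
                        | None -> fail_http 400
                        )
                      | None -> fail_http 502
                    )
                  | "no" -> fail_http 401
                  | _ -> fail_http 502
                )
              | None -> fail_http 502
            )
          | None -> fail_http 502
        )
      | None ->
        (* No ticket: either finish a logout started by [logout], or start
           a login by sending the browser to CAS (with renew=true). *)
        match_lwt Eliom_reference.get logout_cont with
        | None ->
          lwt () = security_log (fun () ->
            Printf.sprintf
              "user is trying to log in, redirecting to CAS [%s]"
              C.server
          ) in
          Eliom_service.preapply cas_login (Lazy.force self, Some true) |>
          Eliom_registration.Redirection.send
        | Some cont ->
          Eliom_reference.unset logout_cont >>
          cont () ()
    )

  (* Remember [cont] for this session, then go through [service] (no
     ticket), whose handler redirects to CAS. *)
  let login cont () =
    Eliom_reference.set login_cont (Some cont) >>
    Eliom_registration.Redirection.send service

  (* Remember [cont] for this session and send the browser to the CAS
     logout page with [self] as service; a ticket-less visit back to
     [self] resumes [cont]. *)
  let logout cont () =
    security_log (fun () ->
      Printf.sprintf "user logged out, redirecting to CAS [%s]" C.server
    ) >>
    lwt () = Eliom_reference.set logout_cont (Some cont) in
    Eliom_service.preapply cas_logout (Lazy.force self) |>
    Eliom_registration.Redirection.send

end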

(* Identifier under which this authentication system is registered. *)
let name = "cas"

(** [parse_config ~attributes] builds a {!config} from the system's
    attribute list.  Exactly one attribute, ["server"], is accepted;
    an empty list, extra attributes or other names yield [None]. *)
let parse_config ~attributes =
  let of_attribute = function
    | ("server", server) -> Some { server }
    | _ -> None
  in
  match attributes with
  | [ attribute ] -> of_attribute attribute
  | _ -> None

(** [make config] instantiates {!Make} with [config.server] as the CAS
    server and packs the result as an [AUTH_SERVICE]. *)
let make config =
  let { server } = config in
  let module C = struct
    let server = server
  end in
  (module Make (C) : AUTH_SERVICE)

(* Alias: inside [A] the name [config] is rebound, so it is referred to
   through [c]. *)
type c = config

(* Packs this file's definitions as an [AUTH_SYSTEM] for registration. *)
module A : AUTH_SYSTEM = struct
  type config = c
  let name = name
  let parse_config = parse_config
  let make = make
end

(* Register the CAS system when this module is initialised. *)
let () = Web_auth.register_auth_system (module A : AUTH_SYSTEM)