Changeset 4902

Timestamp:

03/02/09 12:55:39 (12 years ago)

Author:

pjkersha

Message:

Updated with updates from version on zonda: added case to SSO Hanlder for response from SSO service logout ensuring that the logout query argument is removed from the return to URL.

File:

• TI12-security/trunk/perl/NDG/Security/Client.pm (modified) (11 diffs)

TI12-security/trunk/perl/NDG/Security/Client.pm

@@ -62 +62 @@
                                      -salt=>1);
     
-    # Supply encoded form of return to URL ready to be passed to SSO Service for user login
+    # Supply encoded form of return to URL ready to be passed to SSO Service 
+    # for user login
     $self->{b64encReturnToURL} = '';
     
@@ -93 +94 @@
     if ($self->{cgi}->param('h'))
     {
-        # 'h' argument is present in query indicating a GET call from a Single Sign On
-        # Service in response to a login
-        
-        # Set a cookie based on the query args supplied from the SSO Service response
+        # 'h' argument is present in query indicating a GET call from a Single 
+        # Sign On Service in response to a login
+        
+        # Set a cookie based on the query args supplied from the SSO Service 
+        # response
         my $cookie = $self->_setSessionFromSSOResp();
         
@@ -104 +106 @@
         my $returnToURL = "http://" . $virtualHostName . $urlPath . $query;
             
-        $log->info("Generating redirection header for redirect to ".$returnToURL."...");
+        $log->info("Generating redirection header for redirect to "
+                           .$returnToURL."...");
 
         # nph flag crashes with Apache - intended for MS IIS?
         return $self->{cgi}->redirect(-uri=>$returnToURL, -cookie=>$cookie);
     }
+    elsif ($self->{cgi}->param('logout'))
+    {
+        # Service in response to a logout - strip logout query arg
+        my $query = $self->_stripSecurityQueryArgs();
+
+        my $returnToURL = "http://" . $virtualHostName . $urlPath . $query;
+        $log->info("Generating redirection header following logout for ".
+                   "redirect to ".$returnToURL."...");
+
+        return $self->{cgi}->redirect(-uri=>$returnToURL);
+    }
     elsif (! $self->_getSessionFromCookie())
     {
         $self->_makeHttpsReturnToURL();
         my $wayfURI = $self->{wayfURI}."?r=".$self->{b64encReturnToURL};
-        $log->info("User not logged in - Generating redirection header for WAYF: ".
-            $wayfURI."...");
+        $log->info("User not logged in - Generating redirection header for ".
+                           "WAYF: ".$wayfURI."...");
             
         return $self->{cgi}->redirect(-uri=>$wayfURI);
@@ -120 +134 @@
     else
     {
-        # No Call to the Single Sign On Service has been made - prepare return to URL 
-        # for such a call - encode it ready to be incorporated into a login request to # the Single Sign On Service
+        # No Call to the Single Sign On Service has been made - prepare return 
+        # to URL for such a call - encode it ready to be incorporated into a 
+        # login request to # the Single Sign On Service
         #
-        # URL is set to https to ensure encrypted channel for SSO service -> to THIS 
-        # SSO client transfer
+        # URL is set to https to ensure encrypted channel for SSO service -> to
+        # THIS SSO client transfer
         $self->_makeHttpsReturnToURL();
         return '';
@@ -144 +159 @@
     }
     
-    $log->info("Generating return to URL with SSL transport ".$returnToURL."...");
+    $log->info("Generating return to URL with SSL transport ".
+                   $returnToURL."...");
     
     $self->{b64encReturnToURL} = pyUrlSafeB64Encode($returnToURL);
@@ -157 +173 @@
     my $val;
     
-    # Iterate through the keys adding to the query string only if they are non-security
-    # related and they are a genuine URL parameter
+    # Iterate through the keys adding to the query string only if they are 
+    # non-security related and they are a genuine URL parameter
     while (($key, $val) = each %arg)
     {
@@ -251 +267 @@
 
 
-# Policy enforcement Point - provide access control decision given resource constraints
-# and user attributes
+# Policy enforcement Point - provide access control decision given resource 
+# constraints and user attributes
 sub pep
 {
@@ -261 +277 @@
     my $session = $self->_getSessionFromCookie();
     
-    my $msg = "resource ".$resrcFilePath." for user ".$session->{u}." with session ID = ". 
-        $session->{sid};
+    my $msg = "resource ".$resrcFilePath." for user ".$session->{u}.
+                  " with session ID = ". 
+                  $session->{sid};
     
     # Gather access constraint information for resource
@@ -268 +285 @@
     if ($accessInfo[0])
     {
-        # Access may be granted if read permission is set to public or if the file
-        # is previously cached
+        # Access may be granted if read permission is set to public or if the 
+        # file is previously cached
         $log->info("Access granted for ".$msg.": ".$accessInfo[1]->{msg});
         return 1;
@@ -293 +310 @@
 sub getFTPAccessFileReadPermissionsInfo
 {
-    # Adapted from FTPaccess::read_access for use with NDG Security - changed so that
-    # all access info is returned and now username or user group info is checked.  The
-    # latter needs to be done by python code checking the user's NDG Attribute Certificate
-    
-    #  Returns flag indicating if the user is allowed to read the directory containing 
-    # the given file. Also returns hash giving information about how the result was 
-    # arrived at.
+    # Adapted from FTPaccess::read_access for use with NDG Security - changed 
+    # so that all access info is returned and now username or user group info 
+    # is checked.  The latter needs to be done by python code checking the 
+    # user's NDG Attribute Certificate
+    
+    # Returns flag indicating if the user is allowed to read the directory 
+    # containing 
+    # the given file. Also returns hash giving information about how the result
+    # was arrived at.
     my $filePath = shift;   # File or directory name to check access for
     my %info;
             
-    my $ftpaccess_file = BADC::FTPaccess::find_nearest_ftpaccess_file($filePath);
+    my $ftpaccess_file=BADC::FTPaccess::find_nearest_ftpaccess_file($filePath);
     my $ftpaccess = BADC::FTPaccess->new($ftpaccess_file);
     
     $info{filePath} = $ftpaccess_file;
 
-    # Check that we do actually have an ftpaccess file to interogate. If not then grant
-    # read access
+    # Check that we do actually have an ftpaccess file to interogate. If not 
+    # then grant read access
     if (not $ftpaccess) 
     {
@@ -337 +356 @@
     $info{allowedUsers} = \@allowedUsers;
     
-    $info{msg} = 
-        "username and/or group information is needed to determine access permissions";
+    $info{msg} = "username and/or group information is needed to determine ".
+                         "access permissions";
     return (0, \%info);
 }