[LON-CAPA-cvs] cvs: loncom /auth lonshibauth.pm /html/adm/help/tex Domain_Configuration_WAF_Proxy.tex /interface domainprefs.pm /lonnet/perl lonnet.pm

raeburn raeburn at source.lon-capa.org
Thu Oct 7 11:51:17 EDT 2021


raeburn		Thu Oct  7 15:51:17 2021 EDT

  Modified files:              
    /loncom/interface	domainprefs.pm 
    /loncom/auth	lonshibauth.pm 
    /loncom/lonnet/perl	lonnet.pm 
    /loncom/html/adm/help/tex	Domain_Configuration_WAF_Proxy.tex 
  Log:
  - Bug 6914
    Domain configuration for WAF/Proxy includes Y/N option for use of alias in 
    redirection to /adm/sso for server(s) supporting Shibboleth Single Sign On.
  
  
Index: loncom/interface/domainprefs.pm
diff -u loncom/interface/domainprefs.pm:1.387 loncom/interface/domainprefs.pm:1.388
--- loncom/interface/domainprefs.pm:1.387	Mon Sep 27 03:26:24 2021
+++ loncom/interface/domainprefs.pm	Thu Oct  7 15:51:15 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to set domain-wide configuration settings
 #
-# $Id: domainprefs.pm,v 1.387 2021/09/27 03:26:24 raeburn Exp $
+# $Id: domainprefs.pm,v 1.388 2021/10/07 15:51:15 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -7518,7 +7518,7 @@
     my $itemcount = 0;
     my $datatable;
     my %servers = &Apache::lonnet::internet_dom_servers($dom);
-    my (%othercontrol,%otherdoms,%aliases,%values,$setdom,$showdom);
+    my (%othercontrol,%otherdoms,%aliases,%saml,%values,$setdom,$showdom);
     my %lt = &wafproxy_titles();
     foreach my $server (sort(keys(%servers))) {
         my $serverhome = &Apache::lonnet::get_server_homeID($servers{$server});
@@ -7543,6 +7543,9 @@
                             $showdom = 1;
                         }
                     }
+                    if (ref($settings->{'saml'}) eq 'HASH') {
+                        $saml{$dom} = $settings->{'saml'};
+                    }
                 }
             }
         }
@@ -7562,6 +7565,9 @@
             my %config = &Apache::lonnet::get_dom('configuration',['wafproxy'],$domain);
             if (ref($config{'wafproxy'}) eq 'HASH') {
                 $aliases{$domain} = $config{'wafproxy'}{'alias'};
+                if (exists($config{'wafproxy'}{'saml'})) { 
+                    $saml{$domain} = $config{'wafproxy'}{'saml'};
+                }
                 foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') {
                     $values{$domain}{$item} = $config{'wafproxy'}{$item};
                 }
@@ -7580,14 +7586,22 @@
                             '<i>'.&Apache::lonnet::hostname($server).'</i></td><td> </td>';
             if ($othercontrol{$server}) {
                 $dom_in_effect = $othercontrol{$server};
-                my $current;
+                my ($current,$forsaml);
                 if (ref($aliases{$dom_in_effect}) eq 'HASH') {
                     $current = $aliases{$dom_in_effect}{$server};
                 }
+                if (ref($saml{$dom_in_effect}) eq 'HASH') {
+                    if ($saml{$dom_in_effect}{$server}) {
+                        $forsaml = 1;
+                    }
+                }
                 $aliasrows .= '<td class="LC_left_item" style="vertical-align: baseline;">'.
                               &mt('Alias').':&nbsp';
                 if ($current) {
                     $aliasrows .= $current;
+                    if ($forsaml) {
+                         $aliasrows .= ' ('.&mt('also for Shibboleth').')';
+                    }
                 } else {
                     $aliasrows .= &mt('None');
                 }
@@ -7596,16 +7610,30 @@
                                   '<b>'.$dom_in_effect.'</b>').')</span></td>';
             } else {
                 $dom_in_effect = $dom;
-                my $current;
+                my ($current,$samlon,$samloff);
+                $samloff = ' checked="checked"';
                 if (ref($aliases{$dom}) eq 'HASH') {
                     if ($aliases{$dom}{$server}) {
                         $current = $aliases{$dom}{$server};
                     }
                 }
+                if (ref($saml{$dom}) eq 'HASH') {
+                    if ($saml{$dom}{$server}) {
+                        $samlon = $samloff;
+                        undef($samloff);
+                    }
+                }
                 $aliasrows .= '<td class="LC_left_item" style="vertical-align: baseline;">'.
                               &mt('Alias').': '.
                               '<input type="text" name="wafproxy_alias_'.$server.'" '.
-                              'value="'.$current.'" size="30" /></td>';
+                              'value="'.$current.'" size="30" />'.
+                              (' 'x2).'<span class="LC_nobreak">'.
+                              &mt('Alias used for Shibboleth').': <label>'.
+                              '<input type="radio" value="0"'.$samloff.' name="wafproxy_alias_saml_'.$server.'" />'.
+                              &mt('No').'</label> <label>'. 
+                              '<input type="radio" value="1"'.$samlon.' name="wafproxy_alias_saml_'.$server.'" />'.
+                              &mt('Yes').'</label></span>'.
+                              '</td>'; 
             }
             $aliasrows .= '</tr>';
             $aliasinfo{$dom_in_effect} .= $aliasrows;
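Review bot: The stored alias `$current` (L96) is interpolated straight into the `value="..."` attribute at L109 with no HTML escaping, and the visible part of modify_wafproxy (L148) stores `form.wafproxy_alias_*` verbatim, so unless the alias is validated somewhere outside this diff a domain coordinator can save markup that is rendered back into this page — and, via the othercontrol branch in the previous hunk (L80), into the configuration page of coordinators in other domains. I would encode at output, `'value="'.&HTML::Entities::encode($current,'<>&"').'" size="30" />'` (HTML::Entities, if the file already loads it), and/or reject anything that is not a plausible hostname on save. The radio-button markup added here carries only server-supplied `$server` names, so it does not widen the problem. The enclosing subroutine starts and ends outside this hunk.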
@@ -20236,8 +20264,8 @@
 sub modify_wafproxy {
     my ($dom,$action,$lastactref,%domconfig) = @_;
     my %servers = &Apache::lonnet::internet_dom_servers($dom);
-    my (%othercontrol,%canset,%values,%curralias,%currvalue, at warnings,%wafproxy,
-        %changes,%expirecache);
+    my (%othercontrol,%canset,%values,%curralias,%currsaml,%currvalue, at warnings,
+        %wafproxy,%changes,%expirecache,%expiresaml);
     foreach my $server (sort(keys(%servers))) {
         my $serverhome = &Apache::lonnet::get_server_homeID($servers{$server});
         if ($serverhome eq $server) {
@@ -20252,6 +20280,9 @@
         if (ref($domconfig{'wafproxy'}{'alias'}) eq 'HASH') {
             %curralias = %{$domconfig{'wafproxy'}{'alias'}};
         }
+        if (ref($domconfig{'wafproxy'}{'saml'}) eq 'HASH') {
+            %currsaml = %{$domconfig{'wafproxy'}{'saml'}};
+        }
         foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
             $currvalue{$item} = $domconfig{'wafproxy'}{$item};
         }
@@ -20259,6 +20290,7 @@
     my $output;
     if (keys(%canset)) {
         %{$wafproxy{'alias'}} = ();
+        %{$wafproxy{'saml'}} = ();
         foreach my $key (sort(keys(%canset))) {
             if ($env{'form.wafproxy_'.$dom}) {
                 $wafproxy{'alias'}{$key} = $env{'form.wafproxy_alias_'.$key};
@@ -20266,11 +20298,21 @@
                 if ($wafproxy{'alias'}{$key} ne $curralias{$key}) {
                     $changes{'alias'} = 1;
                 }
+                if ($env{'form.wafproxy_alias_saml_'.$key}) {
+                    $wafproxy{'saml'}{$key} = 1;
+                }
+                if ($wafproxy{'saml'}{$key} ne $currsaml{$key}) {
+                    $changes{'saml'} = 1;
+                }
             } else {
                 $wafproxy{'alias'}{$key} = '';
+                $wafproxy{'saml'}{$key} = '';
                 if ($curralias{$key}) {
                     $changes{'alias'} = 1;
                 }
+                if ($currsaml{$key}) {
+                    $changes{'saml'} = 1;
+                }
             }
             if ($wafproxy{'alias'}{$key} eq '') {
                 if ($curralias{$key}) {
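Review bot: The saml flag at L153-155 is recorded as 1 whenever the "Yes" radio is submitted, even when the alias field for that server is blank (in which case L169-173 delete the alias), so the saved configuration and the "Alias used by Shibboleth for: ..." summary can claim an alias is used for Shibboleth on a host that has none. Tying the flag to the alias, and giving it a defined value so the `ne` comparison on L156 never sees undef, is a one-line change replacing L153-155: `$wafproxy{'saml'}{$key} = (($wafproxy{'alias'}{$key} ne '') && $env{'form.wafproxy_alias_saml_'.$key}) ? 1 : '';`. lonshibauth.pm already guards on `$alias ne ''`, so runtime behaviour is unaffected; this only keeps the stored config and the change report honest. modify_wafproxy continues beyond this hunk.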
@@ -20278,11 +20320,20 @@
                 }
                 delete($wafproxy{'alias'}{$key});
             }
+            if ($wafproxy{'saml'}{$key} eq '') {
+                if ($currsaml{$key}) {
+                    $expiresaml{$key} = 1;
+                }
+                delete($wafproxy{'saml'}{$key});
+            }
         }
         unless (keys(%{$wafproxy{'alias'}})) {
             delete($wafproxy{'alias'});
         }
-        # Localization for values in %warn occus in &mt() calls separately.
+        unless (keys(%{$wafproxy{'saml'}})) {
+            delete($wafproxy{'saml'});
+        }
+        # Localization for values in %warn occurs in &mt() calls separately.
         my %warn = (
                      trusted => 'trusted IP range(s)',
                      vpnint => 'internal IP range(s) for VPN sessions(s)',
@@ -20350,6 +20401,9 @@
     } else {
         if (keys(%curralias)) {
             $changes{'alias'} = 1;
+        }
+        if (keys(%currsaml)) {
+            $changes{'saml'} = 1;
         } 
         if (keys(%currvalue)) {
             foreach my $key (keys(%currvalue)) {
@@ -20402,6 +20456,23 @@
                     $lastactref->{'proxyalias'} = \%updates;
                 }
             }
+            if ((exists($wafproxy{'saml'})) || (keys(%expiresaml))) {
+                my %samlupdates = %expiresaml;
+                foreach my $key (keys(%expiresaml)) {
+                    &Apache::lonnet::devalidate_cache_new('proxysaml',$key);
+                }
+                if (ref($wafproxy{'saml'}) eq 'HASH') {
+                    my $cachetime = 24*60*60;
+                    foreach my $key (keys(%{$wafproxy{'saml'}})) {
+                        $samlupdates{$key} = 1;
+                        &Apache::lonnet::do_cache_new('proxysaml',$key,$wafproxy{'saml'}{$key},
+                                                      $cachetime);
+                    }
+                }
+                if (ref($lastactref) eq 'HASH') {
+                    $lastactref->{'proxysaml'} = \%samlupdates;
+                }
+            }
             $output = &mt('Changes were made to Web Application Firewall/Reverse Proxy').'<ul>';
             foreach my $item ('alias','remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
                 if ($changes{$item}) {
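Review bot: The change report at L225 still iterates over `('alias','remoteip','ipheader','trusted','vpnint','vpnext','sslopt')`, so `$changes{'saml'}` set earlier in this subroutine (L157, L166, L199) is never visited and the new `elsif ($item eq 'saml')` branch added in the next hunk appears to be unreachable — unless the lines between the two hunks re-enter the loop in a way I cannot see. The fix is to add the key to the list: `foreach my $item ('alias','saml','remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {`. The cache update and `$lastactref->{'proxysaml'}` handling added in this hunk mirror the existing proxyalias logic and look correct. modify_wafproxy continues beyond this hunk.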
@@ -20425,6 +20496,19 @@
                         unless ($numaliased) {
                             $output .= '<li>'.&mt('Aliases deleted for hostnames').'</li>';
                         }
+                    } elsif ($item eq 'saml') {
+                        my $shown; 
+                        if (ref($wafproxy{'saml'}) eq 'HASH') {
+                            if (keys(%{$wafproxy{'saml'}})) {
+                                $shown = join(', ',sort(keys(%{$wafproxy{'saml'}})));
+                            }
+                        }
+                        if ($shown) {
+                            $output .= '<li>'.&mt('Alias used by Shibboleth for: [_1]',
+                                                  $shown).'</li>';
+                        } else {
+                            $output .= '<li>'.&mt('No alias used for Shibboleth').'</li>';
+                        }
                     } else {
                         if ($item eq 'remoteip') {
                             my %ip_methods = &remoteip_methods();
@@ -22218,7 +22302,7 @@
     my %thismachine;
     map { $thismachine{$_} = 1; } &Apache::lonnet::current_machine_ids();
     my @posscached = ('domainconfig','domdefaults','ltitools','usersessions',
-                      'directorysrch','passwdconf','cats','proxyalias');
+                      'directorysrch','passwdconf','cats','proxyalias','proxysaml');
     my %cache_by_lonhost;
     if (exists($cachekeys->{'samllanding'})) {
         if (ref($cachekeys->{'samllanding'}) eq 'HASH') {
@@ -22244,7 +22328,7 @@
             my @cached;
             foreach my $name (@posscached) {
                 if ($cachekeys->{$name}) {
-                    if ($name eq 'proxyalias') {
+                    if (($name eq 'proxyalias') || ($name eq 'proxysaml')) {
                         if (ref($cachekeys->{$name}) eq 'HASH') {
                             foreach my $key (keys(%{$cachekeys->{$name}})) {
                                 push(@cached,&escape($name).':'.&escape($key));
Index: loncom/auth/lonshibauth.pm
diff -u loncom/auth/lonshibauth.pm:1.6 loncom/auth/lonshibauth.pm:1.7
--- loncom/auth/lonshibauth.pm:1.6	Tue Sep 21 22:54:26 2021
+++ loncom/auth/lonshibauth.pm	Thu Oct  7 15:51:16 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Redirect Shibboleth authentication to designated URL (/adm/sso).
 #
-# $Id: lonshibauth.pm,v 1.6 2021/09/21 22:54:26 raeburn Exp $
+# $Id: lonshibauth.pm,v 1.7 2021/10/07 15:51:16 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -85,7 +85,10 @@
         my $protocol = $Apache::lonnet::protocol{$lonhost};
         unless ($protocol eq 'https') { $protocol = 'http'; }
         my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
-        $hostname = $alias if ($alias ne '');
+        if (($alias ne '') &&
+            (&Apache::lonnet::alias_shibboleth($lonhost))) {
+            $hostname = $alias;
+        }
         my $dest = $protocol.'://'.$hostname.$target;
         $r->subprocess_env;
         if ($ENV{'QUERY_STRING'} ne '') {
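Review bot: Nothing in lonshibauth.pm now explains why the proxy alias is only conditionally used for the /adm/sso redirect; a reader will not know that the condition is a per-host domain setting stored under the wafproxy 'saml' key. I would add above the new `if`: `# Redirect to the WAF/proxy alias only when the domain's WAF configuration (wafproxy 'saml' flag, see &Apache::lonnet::alias_shibboleth) enables it for this host; otherwise redirect to the canonical hostname.` Presumably this matters because the Shibboleth SP is registered under one of the two names — worth confirming and stating in the comment if so. The enclosing handler starts and ends outside this hunk.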
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1466 loncom/lonnet/perl/lonnet.pm:1.1467
--- loncom/lonnet/perl/lonnet.pm:1.1466	Wed Sep 22 13:52:02 2021
+++ loncom/lonnet/perl/lonnet.pm	Thu Oct  7 15:51:16 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # TCP networking package
 #
-# $Id: lonnet.pm,v 1.1466 2021/09/22 13:52:02 raeburn Exp $
+# $Id: lonnet.pm,v 1.1467 2021/10/07 15:51:16 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -14608,7 +14608,7 @@
     if ($alias) {
         my $dom = &host_domain($lonid);
         if ($dom ne '') {
-            my $proxyinfo = &get_proxy_settings($dom );
+            my $proxyinfo = &get_proxy_settings($dom);
             my ($vpnint,$remote_ip);
             if (ref($proxyinfo) eq 'HASH') {
                 $vpnint = $proxyinfo->{'vpnint'};
@@ -14624,6 +14624,35 @@
     return;
 }
 
+sub alias_shibboleth {
+    my ($lonid) = @_;
+    if ($lonid eq '') {
+        $lonid = $perlvar{'lonHostID'};
+    }
+    if (!defined(&hostname($lonid))) {
+        return;
+    }
+    if ($lonid ne '') {
+        my ($use_alias,$cached) = &is_cached_new('proxysaml',$lonid);
+        if ($cached) {
+            return $use_alias;
+        }
+        my $dom = &Apache::lonnet::host_domain($lonid);
+        if ($dom ne '') {
+            my $cachetime = 60*60*24;
+            my %domconfig =
+                &Apache::lonnet::get_dom('configuration',['wafproxy'],$dom);
+            if (ref($domconfig{'wafproxy'}) eq 'HASH') {
+                if (ref($domconfig{'wafproxy'}{'saml'}) eq 'HASH') {
+                    $use_alias = $domconfig{'wafproxy'}{'saml'}{$lonid};
+                }
+            }
+            return &do_cache_new('proxysaml',$lonid,$use_alias,$cachetime);
+        }
+    }
+    return;
+}
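Review bot: alias_shibboleth has no comment describing its contract or its caching, which matters because callers in lonshibauth.pm treat its return value as a security-relevant switch on where the user is redirected; I would add above `sub alias_shibboleth`: `# Returns true if the domain config for the host (default: this server) sets wafproxy 'saml' for it, i.e. the proxy alias should be used when redirecting to /adm/sso. Result is cached for 24h under 'proxysaml' and devalidated by domainprefs::modify_wafproxy.` Two smaller points of style: inside lonnet.pm the calls can be `&host_domain($lonid)` and `&get_dom(...)` as in use_proxy_alias just above (L305), rather than `&Apache::lonnet::host_domain`; and the `if ($lonid ne '')` test after the `hostname()` guard looks redundant, since an empty id presumably has no hostname — confirm against `sub hostname`.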
+
 sub get_saml_landing {
     my ($lonid) = @_;
     if ($lonid eq '') {
Index: loncom/html/adm/help/tex/Domain_Configuration_WAF_Proxy.tex
diff -u loncom/html/adm/help/tex/Domain_Configuration_WAF_Proxy.tex:1.1 loncom/html/adm/help/tex/Domain_Configuration_WAF_Proxy.tex:1.2
--- loncom/html/adm/help/tex/Domain_Configuration_WAF_Proxy.tex:1.1	Mon Dec 21 11:27:31 2020
+++ loncom/html/adm/help/tex/Domain_Configuration_WAF_Proxy.tex	Thu Oct  7 15:51:17 2021
@@ -16,7 +16,8 @@
 
 The ``Web Application Firewall/Reverse Proxy'' domain configuration is used to indicate
 if a WAF is in use, and if so, to provide the alias assigned to each LON-CAPA
-server which will use the WAF.
+server which will use the WAF.  For each one there is also an option to indicate whether 
+a node supporting Shibboleth Single Sign On, will use the alias when redirecting to /adm/sso.
 
 \item\textbf{Determining a user's remote IP address}
 

