my $U = 'OpenILS::Application::AppUtils';
use constant COOKIE_SES => 'ses';
+use constant COOKIE_SHARED_SES => 'shared_ses';
use constant COOKIE_LOGGEDIN => 'eg_loggedin';
use constant COOKIE_PHYSICAL_LOC => 'eg_physical_loc';
use constant COOKIE_SSS_EXPAND => 'eg_sss_expand';
$ctx->{home_page} = $ctx->{proto} . '://' . $ctx->{hostname} . $self->ctx->{opac_root} . "/home";
$ctx->{logout_page} = ($ctx->{proto} eq 'http' ? 'https' : $ctx->{proto} ) . '://' . $ctx->{hostname} . $self->ctx->{opac_root} . "/logout";
- if($e->authtoken($self->cgi->cookie(COOKIE_SES))) {
+ if($e->authtoken($self->cgi->cookie(COOKIE_SES)) || $e->authtoken($self->cgi->cookie(COOKIE_SHARED_SES))) {
if($e->checkauth) {
# both login-related cookies should expire at the same time
my $login_cookie_expires = ($persist) ? CORE::time + $response->{payload}->{authtime} : undef;
- return $self->generic_redirect(
- $cgi->param('redirect_to') || $acct,
- [
- # contains the actual auth token and should be sent only over https
+ my $cookies = [
+ # contains the actual auth token and should be sent only over https
+ $cgi->cookie(
+ -name => COOKIE_SES,
+ -path => '/',
+ -secure => 1,
+ -value => $response->{payload}->{authtoken},
+ -expires => $login_cookie_expires
+ ),
+ # contains only a hint that we are logged in, and is used to
+ # trigger a redirect to https
+ $cgi->cookie(
+ -name => COOKIE_LOGGEDIN,
+ -path => '/',
+ -secure => 0,
+ -value => '1',
+ -expires => $login_cookie_expires
+ )
+ ];
+
+ if (defined($self->apache->dir_config('OILSWebSharedSesCookieDomain'))) {
+ my $shared_ses_domain = $self->apache->dir_config('OILSWebSharedSesCookieDomain');
+ my $shared_ses_domain_regex = '\.' . $shared_ses_domain . '$';
+
+ if ($self->apache->hostname =~ /$shared_ses_domain_regex/) {
+ push @$cookies,
+ # an optional domain-shared copy of the auth token, useful for
+ # some SSO-like environments
$cgi->cookie(
- -name => COOKIE_SES,
+ -name => COOKIE_SHARED_SES,
-path => '/',
+ -domain => $shared_ses_domain,
-secure => 1,
-value => $response->{payload}->{authtoken},
-expires => $login_cookie_expires
- ),
- # contains only a hint that we are logged in, and is used to
- # trigger a redirect to https
- $cgi->cookie(
- -name => COOKIE_LOGGEDIN,
- -path => '/',
- -secure => 0,
- -value => '1',
- -expires => $login_cookie_expires
- )
- ]
+ );
+ }
+ }
+
+ return $self->generic_redirect(
+ $cgi->param('redirect_to') || $acct, $cookies
);
}
);
} catch Error with {};
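Review bot: The hostname test that gates writing the auth token into the domain-wide `shared_ses` cookie builds its regex by string-concatenating the configured `OILSWebSharedSesCookieDomain`, so the dots in the domain match any character and `$` also tolerates a trailing newline; make it a literal suffix match, `my $shared_ses_domain_regex = qr/\.\Q$shared_ses_domain\E\z/;`. The value is admin-supplied, so this is a tightening rather than an exploitable hole. This cookie hands the full session token to every host under that domain, which deserves a comment on the `push`: `# every host under this domain receives the session token, so all of them must be trusted as much as this OPAC`. Neither it nor the existing `ses` cookie sets `-httponly`; if that is not a deliberate project choice it is worth adding at least on the shared copy, whose exposure is wider. The enclosing try block starts outside the hunk, and the same regex is repeated in the logout path below.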
- return $self->generic_redirect(
- $redirect_to || $self->ctx->{home_page},
- [
- # clear value of and expire both of these login-related cookies
+ my $cookies = [
+ # clear value of and expire all of these login-related cookies
$self->cgi->cookie(
-name => COOKIE_SES,
-path => '/',
-value => '',
-expires => '-1h'
)
- ]
+ ];
+
+ if (defined($self->apache->dir_config('OILSWebSharedSesCookieDomain'))) {
+ my $shared_ses_domain = $self->apache->dir_config('OILSWebSharedSesCookieDomain');
+ my $shared_ses_domain_regex = '\.' . $shared_ses_domain . '$';
+
+ if ($self->apache->hostname =~ /$shared_ses_domain_regex/) {
+ push @$cookies,
+ $self->cgi->cookie(
+ -name => COOKIE_SHARED_SES,
+ -path => '/',
+ -domain => $shared_ses_domain,
+ -value => '',
+ -expires => '-1h'
+ );
+ }
+ }
+
+ return $self->generic_redirect(
+ $redirect_to || $self->ctx->{home_page}, $cookies
);
}
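Review bot: The directive lookup and hostname regex here duplicate the login path line for line, including the unescaped interpolation of the domain into the pattern, so the two checks can drift apart; a small helper that returns the domain only when the request host is under it keeps the decision in one place and escapes it once. Whether the server-side session is also invalidated cannot be seen here, since the start of the logout handler is outside the hunk; clearing cookies alone does not revoke the token. The comment says `all of these login-related cookies` but only `ses` and the conditional `shared_ses` are visibly cleared; if `eg_loggedin` is expired elsewhere, a short note saying so would avoid confusion.
```perl
# Returns the configured shared-session cookie domain when this request's
# hostname is a sub-host of it, otherwise nothing.  The domain is escaped
# so its dots are matched literally.
sub _shared_ses_cookie_domain {
    my $self = shift;
    my $domain = $self->apache->dir_config('OILSWebSharedSesCookieDomain');
    return unless defined $domain;
    return unless $self->apache->hostname =~ /\.\Q$domain\E\z/;
    return $domain;
}

# … unchanged: clearing COOKIE_SES …
if (my $shared_ses_domain = $self->_shared_ses_cookie_domain) {
    push @$cookies, $self->cgi->cookie(
        -name => COOKIE_SHARED_SES,
        -path => '/',
        -domain => $shared_ses_domain,
        -value => '',
        -expires => '-1h'
    );
}
```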