From 4ca371e43c69526987af37ccd712f9e92a79106a Mon Sep 17 00:00:00 2001
From: berick
Date: Fri, 18 Feb 2011 10:40:08 -0500
Subject: [PATCH] ensure all login requests are over SSL; warn of any non-SSL logout requests; add log line prefixes for simpler grepping

---
 .../src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm | 40 +++++++++++++++++-----
 Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm | 20 +++++------
 2 files changed, 42 insertions(+), 18 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
index 4e9c683996..af4a8af978 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
@@ -83,15 +83,28 @@ sub load {
     return $self->load_simple("home") if $path =~ /opac\/home/;
     return $self->load_simple("advanced") if $path =~ /opac\/advanced/;
-    return $self->load_login if $path =~ /opac\/login/;
-    return $self->load_logout if $path =~ /opac\/logout/;
     return $self->load_rresults if $path =~ /opac\/results/;
     return $self->load_record if $path =~ /opac\/record/;
     # ----------------------------------------------------------------
-    # Everything below here requires authentication
+    # Logout and login require SSL
     # ----------------------------------------------------------------
-    return $self->redirect_secure($path)
+    if($path =~ /opac\/login/) {
+        return $self->redirect_ssl unless $self->cgi->https;
+        return $self->load_login;
+    }
+
+    if($path =~ /opac\/logout/) {
+        #return Apache2::Const::FORBIDDEN unless $self->cgi->https;
+        $self->apache->log->warn("catloader: logout called in non-secure context from " . ($self->ctx->{referer} || '')) unless $self->cgi->https;
+        return $self->load_logout;
+    }
+
+    # ----------------------------------------------------------------
+    # Everything below here requires SSL + authentication
+    # ----------------------------------------------------------------
+    return $self->redirect_auth unless $self->cgi->https and $self->editor->requestor;
     return $self->load_place_hold if $path =~ /opac\/place_hold/;
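Review bot: The non-SSL logout branch only logs and then calls load_logout anyway — the `return Apache2::Const::FORBIDDEN unless $self->cgi->https;` line is commented out — so a logout request over plain HTTP, and whatever session credential travels with it, still goes through in the clear, and the new comment `# Logout and login require SSL` claims more than the code enforces. The referer is also concatenated into the warn message as-is; nothing in the hunk strips newlines or control characters from it before it reaches the error log. I would replace the disabled line with a comment that says why it is off and what turns it back on, e.g. `# FIXME: non-SSL logout is tolerated (warn only) until every logout link is https; then reject with FORBIDDEN`. The https test goes through `$self->cgi->https`, which presumably reads the HTTPS environment variable, so behind a TLS-terminating proxy that does not propagate it the login path would redirect to itself — worth confirming against the deployment. load's body continues on both sides of the hunk.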
@@ -105,12 +118,23 @@ sub load {
     return Apache2::Const::OK;
 }
+
+# -----------------------------------------------------------------------------
+# Redirect to SSL equivalent of a given page
+# -----------------------------------------------------------------------------
+sub redirect_ssl {
+    my $self = shift;
+    my $new_page = sprintf('https://%s%s', $self->apache->hostname, $self->apache->unparsed_uri);
+    $self->apache->print($self->cgi->redirect(-url => $new_page));
+    return Apache2::Const::REDIRECT;
+}
+
 # -----------------------------------------------------------------------------
-# If a secure resource is requested insecurely, redirect to the login page,
+# If an authnticated resource is requested w/o auth, redirect to the login page,
 # then return to the originally requrested resource upon successful login.
 # -----------------------------------------------------------------------------
-sub redirect_secure {
-    my ($self, $path) = @_;
+sub redirect_auth {
+    my $self = shift;
     my $login_page = sprintf('https://%s%s/login', $self->apache->hostname, $self->ctx->{opac_root});
     my $redirect_to = uri_escape($self->apache->unparsed_uri);
     $self->apache->print($self->cgi->redirect(-url => "$login_page?redirect_to=$redirect_to"));
@@ -160,7 +184,7 @@ sub load_common {
     } else {
         # For now, keep an eye out for any pages being unceremoniously redirected to logout...
-        $self->apache->log->info("loading " . $ctx->{path_info} . "; auth session " .
+        $self->apache->log->info("catloader: loading " . $ctx->{path_info} . "; auth session " .
             $e->authtoken . " no longer valid; redirecting to logout");
         return $self->load_logout;
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm
index 63836f8f2f..df33d5a787 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm
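Review bot: redirect_ssl builds the Location target from `$self->apache->hostname`, which under Apache can be derived from the request's Host header depending on UseCanonicalName; if that is how this server is configured, a client can choose the host the browser is sent to, and redirect_auth's `$login_page` shares the same construction. The sprintf line should carry the assumption explicitly, e.g. `# hostname must be the canonical server name (UseCanonicalName On), never the client-supplied Host header`, or the host should be taken from configuration instead. redirect_ssl also returns the scheme-rewritten `unparsed_uri` verbatim, which is fine for a same-host redirect but worth a one-line comment since no escaping is applied there while redirect_auth does escape. Minor: the rewritten header comment carries two typos, `authnticated` and `requrested`; redirect_auth's body runs past the end of the hunk.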
@@ -55,7 +55,7 @@ sub handler {
     });
     unless($tt->process($template, {ctx => $ctx, l => set_text_handler($ctx, $r)})) {
-        $r->log->warn('Template error: ' . $tt->error);
+        $r->log->warn('egweb: template error: ' . $tt->error);
         return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
     }
@@ -69,10 +69,10 @@ sub set_text_handler {
     my $locale = $ctx->{locale};
     $locale =~ s/-/_/g;
-    $r->log->info("messages locale = $locale");
+    $r->log->debug("egweb: messages locale = $locale");
     unless($lh_cache{$locale}) {
-        $r->log->info("Unsupported locale: $locale");
+        $r->log->info("egweb: Unsupported locale: $locale");
         $lh_cache{$locale} = $lh_cache{'en_US'};
     }
@@ -97,11 +97,11 @@ sub run_context_loader {
     };
     if($@) {
-        $r->log->error("Context Loader error: $@");
+        $r->log->error("egweb: Context Loader error: $@");
         return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
     }
-    $r->log->info("context loader resulted in status $stat");
+    $r->log->debug("egweb: context loader resulted in status $stat");
     return $stat;
 }
@@ -120,7 +120,7 @@ sub parse_as_xml {
     } otherwise {
         my $e = shift;
         my $err = "Invalid XML: $e";
-        $r->log->error($err);
+        $r->log->error("egweb: $err");
         $r->content_type('text/plain; encoding=utf8');
         $r->print("\n$err\n\n$data");
     };
@@ -206,7 +206,7 @@ sub find_template {
             last unless $localpath;
             for my $tpath (@{$ctx->{template_paths}}) {
                 my $fpath = "$tpath/$skin/$localpath.$ext";
-                $r->log->debug("looking at possible template $fpath");
+                $r->log->debug("egweb: looking at possible template $fpath");
                 if(-r $fpath) {
                     $template = "$localpath.$ext";
                     last;
@@ -221,12 +221,12 @@ sub find_template {
     # no template configured or found
     unless($template) {
-        $r->log->warn("No template configured for path $path");
+        $r->log->debug("egweb: No template configured for path $path");
         return ();
     }
-    $r->log->debug("template = $template : page args = @$page_args");
+    $r->log->debug("egweb: template = $template : page args = @$page_args");
     return ($template, $page_args, $as_xml);
 }
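Review bot: The `No template configured for path $path` message in find_template drops from warn to debug, so a request that ends in `return ();` because no template exists now leaves nothing at the default log level, even though the caller (outside the hunk) must then fail the request; in the same commit `Unsupported locale` keeps info while the unconditional `messages locale` line moves to debug, so the levels are not being lowered uniformly. I would keep the missing-template case visible: `$r->log->warn("egweb: No template configured for path $path");`. Whether a missing template is an expected condition for some paths is not visible here, so this is a call for the maintainer.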
@@ -236,7 +236,7 @@ sub check_web_config {
     my $r = shift;
     my $epoch = stat($web_config_file)->mtime;
     unless($web_config_edit_time and $web_config_edit_time == $epoch) {
-        $r->log->debug("Reloading web config after edit...") if $r;
+        $r->log->debug("egweb: Reloading web config after edit...") if $r;
         $web_config_edit_time = $epoch;
         $web_config = parse_config($web_config_file);
     }
-- 
2.11.0