Revision 5a00c5be
Added by Moritz Bunkus 3 months ago
SL/Auth/HTTPHeaders.pm

}
}

=pod

=encoding utf8

=head1 NAME

SL::Auth::HTTPHeaders - Automatically log in users based on headers
sent by upstream servers

=head1 OVERVIEW

This module implements two modes for automatic log in for users:

=over 4

=item HTTP Basic Authentication

=item passing user name & client ID via arbitrary headers

=back

The module must be enabled in the configuration file by setting
C<authentication.module=HTTPHeaders>. It is then configured by the
sections C<authentication/http_basic> & C<authentication/http_headers>.

=head1 SUPPORTED AUTHENTICATION METHODS

=head2 User name & client ID in HTTP headers

Must be enabled by setting
C<authentication/http_headers.enabled=1>. If enabled, it relies on
upstream servers (web server, proxy server) doing the authentication
with SSO solutions like Authelia & Authentik. These solutions must
then send the user name of the authenticated user in an HTTP header &
the desired client ID in another header.

In order to ensure no malicious third party can simply set these
header values, a shared secret must be configured in the configuration
file & sent along in a third header field.

The names of all three headers as well as the shared secret must be
set in the configuration file's C<authentication/http_headers>
section.

This mode is mutually exclusive with the HTTP Basic Authentication
mentioned below.

=head2 HTTP Basic Authentication (RFC 7617)

Must be enabled by setting C<authentication/http_basic.enabled=1>. If
enabled, it relies on the web server doing the authentication for it &
passing the result in the C<Authorization> header, which turns into e
environment variable C<HTTP_AUTHORIZATION> according to the CGI
specifications.

This mode only supports using the default client as no way to pass the
desired client ID has been implemented yet.

This mode is mutually exclusive with the "User name & client ID in
HTTP headers" mode mentioned above.

=head1 AUTHOR

Moritz Bunkus E<lt>m.bunkus@linet.deE<gt>

=cut

1;
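Review bot: the "User name & client ID in HTTP headers" section should state that the upstream proxy has to strip or overwrite the three configured headers on every incoming request rather than merely add its own, and that the application must not be reachable except through that proxy. The shared secret only proves that a request passed the proxy; if the proxy appends instead of replacing, a client-supplied value for the user name header reaches the application next to the legitimate one, because the CGI environment variable carries all values of a repeated header. In the HTTP Basic section, "which turns into e environment variable" should read "which turns into the environment variable", and "relies on the web server doing the authentication for it" leaves open whether the application checks the received password against its own user database or trusts it because the web server already did; say which, since it decides whether a misconfigured web server turns this into an unauthenticated login. Finally, both sections declare the two modes mutually exclusive, but what happens when both `enabled=1` settings are present (startup error, one mode taking precedence) is not documented.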
SL/BackgroundJob/UpdateEmployeeBaseData.pm

package SL::BackgroundJob::UpdateEmployeeBaseData;

# When authentication via HTTP headers is active the regular login
# routine is skipped. That routine would normally copy values from the
# auth database to the employee table. This job can be run regularly
# to copy the same values.

use strict;
use utf8;

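Review bot: the four-line header comment repeats the OVERVIEW section of the POD at the end of this file word for word; keep one of them (the POD is the one tools render) and reduce the comment to a one-line pointer, so the two cannot drift apart when the job's behaviour changes.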
...

}

1;
__END__

=pod

=encoding utf8

=head1 NAME

SL::BackgroundJob::UpdateEmployeeBaseData - Background job for copying
user data from the auth database to the "employee" table

=head1 OVERVIEW

When authentication via HTTP headers is active the regular login
routine is skipped. That routine would normally copy values from the
auth database to the employee table. This job can be run regularly to
copy the same values.

The job is enabled & set to run every five minutes by default.

=head1 AUTHOR

Moritz Bunkus E<lt>m.bunkus@linet.deE<gt>

=cut
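Review bot: the OVERVIEW says the job copies "the same values" as the regular login routine but never names them, nor does it say what the job does when HTTP-header authentication is not active (skip silently, or copy anyway). Both matter to an administrator deciding whether to keep the default five-minute schedule or disable the job, so list the copied fields and state the inactive-mode behaviour.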
SL/Dispatcher/AuthHandler/Base.pm

}

1;
__END__

=pod

=encoding utf8

=head1 NAME

SL::Dispatcher::AuthHandler::Base - Base class for different modules
handling user authentication

=head1 OVERVIEW

This module acts as a base class for the modules in the
C<SL::Dispatcher::AuthHandler> namespace. It contains a couple of
shared helper functions.

=head1 FUNCTIONS

=over 4

=item C<_env_var_for_header $header_name>

Static method returning the name of an environment variable that holds
the value of the HTTP request header named C<$header_name> according
to the CGI specifications.

=item C<_parse_http_headers_auth>

When HTTP headers authentication is enabled in the configuration file,
this function parses the content of the configured HTTP request
headers. First, it ensures that the configuration is complete; if not,
an exception is thrown.

Next, it ensures that the shared secret was sent and equals the
expected value.

Lastly it fetches the name of the logged in user & the client ID sent
by the upstream servers & returns both as a two-element list.

This function returns an empty list if either the authentication
module is not C<HTTPHeaders> or if the configuration option
C<authentication/http_headers.enabled> is not true.

=item C<_parse_http_basic_auth>

When HTTP Basic Authentication is enabled in the configuration file,
this function parses the content of the C<Authorization> HTTP request
header via the corresponding environment variable according to the CGI
spec. It extracts the user name & password from the header & returns
both as a two-element list.

This function returns an empty list if either the authentication
module is not C<HTTPHeaders> or if the configuration option
C<authentication/http_basic.enabled> is not true.

=back

=head1 AUTHOR

Moritz Bunkus E<lt>m.bunkus@linet.deE<gt>

=cut
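Review bot: the `_parse_http_headers_auth` entry says the function "ensures that the shared secret was sent and equals the expected value" but not what it does when that fails: an exception, as for incomplete configuration, or an empty list, as for a disabled module. Callers treat those two outcomes differently, so document the failure path, and document (and implement) the secret comparison as constant-time rather than a plain string `eq`, since the secret is long-lived and this check sits on an unauthenticated request path. The `_parse_http_basic_auth` entry likewise omits the behaviour for a malformed header (a scheme other than `Basic`, undecodable base64, no colon in the decoded value) and should say whether the returned user name and password are subsequently verified against the user database or trusted as already checked by the web server. Minor: `_env_var_for_header` could spell out the CGI mapping it applies (upper-case the name, replace `-` with `_`, prefix `HTTP_`) so administrators can predict the variable name for the headers they configure.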
Auth: POD documentation for automatic SSO via certain HTTP headers