integrated optional SLCS support into core TG-Webauth, separated configuration from logic

git-svn-id: https://textgridlab.org/svn/textgrid/trunk/middleware/tgauth@6797 7c539038-3410-0410-b1ec-0f2a7bf1c452

info.textgrid.middleware.tgauth.webauth/secure/TextGrid-WebAuth.php

@@ -439,15 +439,14 @@ function showCertificateInfoButton () {
 }
 
 function showCertificateButtons () {
-    global $slcPortalDelegationURL, $slcNoDelegationURL, $remote_user, $newSid, $rbacbase;
+    global $slcPortalDelegationURL, $slcNoDelegationURL, $remote_user, $newSid, $authZinstance;
   
     echo "<form method=\"get\" action=\"${slcPortalDelegationURL}\">\n";
-    echo "<input type=\"hidden\" name=\"ePPNplusSID\" value=\"" . $remote_user . "|" .$newSid . "\">\n";
-    echo "<input type=\"hidden\" name=\"rbacbase\" value=\"" . $rbacbase . "\">\n";
+    echo "<input type=\"hidden\" name=\"userDetails\" value=\"" . $remote_user . "|" .$newSid ."|". $authZinstance . "\">\n";
     echo "<input type=\"submit\" value=\"Request Certificate\">\n";
     echo "</form>\n\n";
 
-    echo "<form method=\"get\" action=\"${slcNoDelegationURL}\">\n";
+    echo "<form method=\"post\" action=\"${slcNoDelegationURL}\">\n";
     echo "<input type=\"hidden\" name=\"ePPNplusSID\" value=\"" . $remote_user . "|" .$newSid . "\" />\n";
     echo "<input type=\"submit\" value=\"Use Existing Certificate\"/>\n";
     echo "</form>\n";

info.textgrid.middleware.tgauth.webauth/secure/portal.cgi

+#!/usr/bin/perl -w
+######################################################################
+# TextGrid demo portal used for delegation of short-lived credentials
+# initially based on gridshib-ca-demo-portal.cgi.in,v 1.5 2006/11/20 00:07:38 welch Exp 
+# 
+# (c) Martin Haase / DAASI International GmbH / Gap-SLC
+# Version 2.0 
+# Fr 23. Jul 09:34:20 CEST 2010
+######################################################################
+
+use CGI;
+use XML::Simple;
+
+my $conf = "../../../config_tgwebauth.xml";
+
+######################################################################
+$cgi = new CGI;
+$status = $cgi->param("status");
+
+if (!defined($status))
+{
+    # No status, we are being called for the first time by the user
+    # Create a certificate request and create a form for requesting
+    # delegation.
+    makeRequest();
+}
+elsif ($status eq "success")
+{
+    # Successful delegation from GridShib-CA. Read in certificate
+    # and store.
+    handleSuccess();
+}
+elsif ($status eq "rejected")
+{
+    # We were rejected for some reason. Clean up.
+    handleRejected();
+}
+
+exit(0);
+
+######################################################################
+
+sub makeRequest
+{
+    use MIME::Base64;
+
+    $userDetails = $cgi->param("userDetails");
+    if (not defined ($userDetails)) {
+	errorExit("Sorry, your Browser is not supported.");
+    }
+    @all = split "\\|", $userDetails;
+    $eppn = $all[0];
+    $sid = $all[1];
+    $authZinstance = $all[2];
+
+    $slcConfig = getConfig($conf, $authZinstance);
+
+    # generate certificate request with key remotely
+    $rethash = invokeWebService (
+	$slcConfig->{rbacbase}.'tgextra.php', 
+	'http://textgrid.info/namespaces/middleware/tgauth',
+	'getCSRRequest', {'auth' => $sid}
+	);
+
+    $reqPEM = decode_base64 ( $rethash->{csr} );
+
+    my $targetURL = $slcConfig->{SLCSaddress};
+    # this does not work on ws1:
+    # my $myURL = $cgi->url(); 
+    $myURL = $slcConfig->{portalDelegationURL};
+
+    print $cgi->header();
+    print $cgi->start_html("TextGrid / SLC Demo");
+    print <<"EOF";
+<center>
+Welcome to the SLC demo for TextGrid for YOU ($eppn)
+</center>
+<p>
+This script shows how the TextGrid middleware can ask for a delegated <b>S</b>hort-<b>L</b>ived <b>C</b>redential
+from the DFN SLC Service by redirecting a user there with a credential request.
+<p>
+This demo uses the GridShib CA at: $targetURL
+<p>
+Your certificate request has been generated.
+<p>
+<form action="$targetURL" method="get">
+<input name="certificateRequest" type="hidden" value="$reqPEM">
+<input name="portalURL" type="hidden" value="$myURL">
+<input name="portalData" type="hidden" value="$userDetails">
+<input value="Click to submit Delegation request" type="submit">
+</form>
+EOF
+    print $cgi->end_html();
+    
+}
+
+sub handleSuccess
+{
+    my $certificate = $cgi->param("certificate");
+    my $userDetails = $cgi->param("portalData");
+    @all = split "\\|", $userDetails;
+    $eppn = $all[0];
+    $sid = $all[1];
+    $authZinstance = $all[2];
+
+    $slcConfig = getConfig($conf, $authZinstance);
+
+    $certificate =~ s/\x0d\x0a/\x0a/g;
+
+    $rethash = invokeWebService (
+        $slcConfig->{rbacbase}.'tgextra.php',
+	'http://textgrid.info/namespaces/middleware/tgauth',
+	'putCRTRequest', {'auth' => $sid, 'crt' => $certificate}
+	);
+
+    $noDelegationURL = $slcConfig->{noDelegationURL};
+
+    $success = $rethash->{success};
+    if ($success eq 'false') {
+        errorExitWithSID($eppn, $sid, $noDelegationURL , "Could not store your credentials in TG-auth*.");
+    }
+
+    print $cgi->header();
+    print $cgi->start_html("Delegation Successful");
+    print <<"EOF";
+Your delegated credential was successfully retrieved and stored in TG-auth*. Here is its public key:
+<p>
+<pre>
+$certificate
+</pre>
+The corresponding private key is now held by TG-auth*. This service will be integrated in the TextGrid middleware soon.
+<p>
+<form method="post" action="$noDelegationURL">
+  <input type="hidden" name="ePPNplusSID" value="$eppn|$sid" />
+  <input type="submit" value="Return to the TextGridLab"/>
+</form><br/>
+EOF
+print $cgi->end_html();
+
+}
+
+sub handleRejected
+{
+    print $cgi->header();
+    print $cgi->start_html("Delegation Request Rejected");
+    print "The delegation failed.";
+    print $cgi->end_html();
+}
+
+######################################################################
+#
+# Utility functions
+#
+
+sub getConfig {
+    my ($configfilename, $authZinstance) = @_;
+
+    my $xml = new XML::Simple;
+
+    my $data = $xml->XMLin($configfilename);
+
+    @instance = grep $_->{'instance'} eq $authZinstance, @{$data->{'authz'}};
+
+    $SLCoptions = @instance[0]->{'SLCsupport'};
+
+    return {
+    rbacbase => @instance[0]->{rbacbase},
+    noDelegationURL => $SLCoptions->{noDelegationURL},
+    portalDelegationURL => $SLCoptions->{portalDelegationURL},
+    SLCSaddress => $SLCoptions->{SLCSaddress}
+    };
+
+
+}
+
+
+sub invokeWebService {
+    my ($endpointInWSDL,$namespace,$methodname,$arghash) = @_;
+
+    use SOAP::Lite;
+
+    my $soap = SOAP::Lite->new( proxy => $endpointInWSDL);
+    $soap->default_ns($namespace);
+
+    @args = ();
+    foreach $k (keys %{$arghash}) {
+	push @args, SOAP::Data->name($k)->value( $arghash->{$k});
+    }
+
+    my $result = $soap->call( $methodname, @args );
+
+    die $result->fault->{ faultstring } if ($result->fault);
+
+    return $result->freeform; # i.e. a hash
+}
+
+
+sub errorExitWithSID { 
+    my ($eppn, $sid, $noDelegationURL, $format) = @_;
+    print $cgi->header();
+    print $cgi->start_html(
+	-title=>"Delegation not successful");
+
+    print sprintf("Error: " . $format, @_);
+
+    print "<br/>\n";
+    print "Delegation did not succeed. However, you can also work without a certificate now.<br/>\n";
+    print "<form method=\"post\" action=\"" . $noDelegationURL,  . "\">\n";
+    print "<input type=\"hidden\" name=\"ePPNplusSID\" value=\"" . $eppn ."|". $sid . "\" />\n";
+    print "<input type=\"submit\" value=\"Work without a Certificate\"/>\n";
+    print "</form><br/>\n";
+
+    print $cgi->end_html();
+    exit(1);
+}
+
+
+# errorExit()
+# Dump HTML error and exit
+sub errorExit
+{
+    my $format = shift;
+    print $cgi->header();
+    print sprintf("Error: " . $format, @_);
+    exit(1);
+}
+