diff --git a/bin/cas-curl b/bin/cas-curl index 2e310972..41427a41 100755 --- a/bin/cas-curl +++ b/bin/cas-curl @@ -23,7 +23,7 @@ if [ "$1" == "--trace" ]; then shift else function trace() { - : + : # noop } function doCurl() { curl --fail-with-body --header "Authorization: $HSADMINNG_CAS_TICKET" "$@" @@ -45,23 +45,40 @@ EOF exit 1 fi +function casLogout() { + rm -f ~/.cas-login-tgt +} + function casLogin() { + # ticket granting ticket exists and not expired? + if find ~/.cas-login-tgt -type f -size +0c -mmin -60 2>/dev/null | grep -q .; then + return + fi if [ -z "$HSADMINNG_CAS_USERNAME" ]; then - read -p "Username: " HSADMINNG_CAS_USERNAME + read -e -p "Username: " HSADMINNG_CAS_USERNAME fi if [ -z "$HSADMINNG_CAS_PASSWORD" ]; then - read -s -p "Password: " HSADMINNG_CAS_PASSWORD + read -s -e -p "Password: " HSADMINNG_CAS_PASSWORD fi - HSADMINNG_CAS_TGT=`doCurl -s -i -X POST \ + # Do NOT use doCurl here! We do neither want to print the password nor pass a CAS service ticket. + trace "+ curl --fail-with-body -s -i -X POST \ + -H 'Content-Type: application/x-www-form-urlencoded' \ + -d \"username=$HSADMINNG_CAS_USERNAME&password=<>\" \ + $HSADMINNG_CAS_LOGIN -o ~/.cas-login-tgt.response -D -" + HSADMINNG_CAS_TGT=`curl --fail-with-body -s -i -X POST \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d "username=$HSADMINNG_CAS_USERNAME&password=$HSADMINNG_CAS_PASSWORD" \ - $HSADMINNG_CAS_LOGIN -o /dev/null -D - \ + $HSADMINNG_CAS_LOGIN -o ~/.cas-login-tgt.response -D - \ | grep -i "^Location: " | sed -e 's/^Location: //' -e 's/\\r//'` - echo "$HSADMINNG_CAS_TGT" >~/.cas-login-tgt - trace "$HSADMINNG_CAS_TGT" + if [ -z "$HSADMINNG_CAS_TGT" ]; then + echo "ERROR: could not get ticket granting ticket" >&2 + cat ~/.cas-login-tgt.response >&2 + fi + echo "$HSADMINNG_CAS_TGT" >~/.cas-login-tgt + trace "$HSADMINNG_CAS_TGT" } function casTicket() { 
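Review bot: In casLogin the new `if [ -z "$HSADMINNG_CAS_TGT" ]` branch prints the error and then falls through to `echo "$HSADMINNG_CAS_TGT" >~/.cas-login-tgt`, so a failed login still writes a one-byte file; the freshness check added at the top of the function (`-size +0c -mmin -60`) then treats that as a valid ticket for the next hour and later requests go out with an empty Authorization header. Add `return 1` after the `cat ~/.cas-login-tgt.response >&2` (and have callers check it) so nothing is cached on failure. Both `~/.cas-login-tgt` and the new `~/.cas-login-tgt.response` hold the ticket granting ticket, a reusable credential (the response body presumably repeats it), yet are created with the default umask and only the first is removed by casLogout; write them with `(umask 077; echo "$HSADMINNG_CAS_TGT" >~/.cas-login-tgt)` and delete the response file on success. The password is also still passed on the curl command line in `-d "username=$HSADMINNG_CAS_USERNAME&password=$HSADMINNG_CAS_PASSWORD"`, where other local processes can read it from the process list and where it is not URL-encoded; feeding it via stdin with `printf '%s' "$HSADMINNG_CAS_PASSWORD" | curl ... --data-urlencode "username=$HSADMINNG_CAS_USERNAME" --data-urlencode "password@-"` avoids both problems.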
@@ -87,6 +104,7 @@ function casValidate() { HSADMINNG_CAS_TICKET=`casTicket` trace "validating CAS-TICKET: $HSADMINNG_CAS_TICKET" + # Do NOT use doCurl here! We do not pass a CAS service ticket. trace curl -i -s $HSADMINNG_CAS_VALIDATE?ticket=${HSADMINNG_CAS_TICKET}\&service=${HSADMINNG_CAS_SERVICE_ID} HSADMINNG_CAS_USER=`curl -i -s $HSADMINNG_CAS_VALIDATE?ticket=${HSADMINNG_CAS_TICKET}\&service=${HSADMINNG_CAS_SERVICE_ID} | grep -oPm1 "(?<=)[^<]+"` if [ -z "$HSADMINNG_CAS_USER" ]; then @@ -96,37 +114,40 @@ function casValidate() { echo "CAS-User: $HSADMINNG_CAS_USER" } -if ! find ~/.cas-login-tgt -type f -size +0c -mmin -60 2>/dev/null | grep -q .; then - casLogin -fi - case "${1,,}" in - "login") # explicitly login using CAS-server and credentials in HSADMINNG_CAS_..., fetches ticket granting ticket + "login") # reads username+password and fetches ticket granting ticket (bypasses HSADMINNG_CAS_USERNAME+HSADMINNG_CAS_PASSWORD) + casLogout + export HSADMINNG_CAS_USERNAME= + export HSADMINNG_CAS_PASSWORD= casLogin ;; "logout") # logout, deleting ticket granting ticket - rm ~/.cas-login-tgt + casLogout ;; - "validate") # validate user login and print currently logged in user + "validate") # validates ticket granting ticket and prints currently logged in user casValidate ;; "get") # HTTP GET, add URL as parameter shift + casLogin HSADMINNG_CAS_TICKET=`casTicket` doCurl "$*" ;; "post") # HTTP POST, add curl options to specify the request body and the URL as last parameter shift + casLogin HSADMINNG_CAS_TICKET=`casTicket` doCurl --header "Content-Type: application/json" -X POST "$@" ;; "patch") # HTTP PATCH, add curl options to specify the request body and the URL as last parameter shift + casLogin HSADMINNG_CAS_TICKET=`casTicket` doCurl --header "Content-Type: application/json" -X POST "$*" ;; "delete") # HTTP DELETE, add curl options to specify the request body and the URL as last parameter shift + casLogin HSADMINNG_CAS_TICKET=`casTicket` curl -X POST "$@" ;;
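Review bot: The `casLogin` calls added to the get, post, patch and delete arms ignore its exit status, so when the login fails the arm still proceeds to `casTicket` and sends the request without a usable ticket; guard each with `casLogin || exit 1` (the login arm likewise). Pre-existing but visible in the hunk: the patch arm sends `-X POST` and the delete arm calls plain `curl -X POST "$@"` without doCurl, so neither the HTTP method nor the Authorization header matches the arm's name; `doCurl --header "Content-Type: application/json" -X PATCH "$@"` and `doCurl -X DELETE "$@"` would align them. The get and patch arms also pass `"$*"`, which joins several arguments into a single word, whereas the post arm correctly uses `"$@"`.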