add CAS authentication #138

Merged
hsh-michaelhoennig merged 24 commits from feature/add-cas-authentication into master 2024-12-23 12:49:46 +01:00
Showing only changes of commit 01e4929f8b - Show all commits

View File

@ -23,7 +23,7 @@ if [ "$1" == "--trace" ]; then
shift shift
else else
function trace() { function trace() {
: : # noop
} }
function doCurl() { function doCurl() {
curl --fail-with-body --header "Authorization: $HSADMINNG_CAS_TICKET" "$@" curl --fail-with-body --header "Authorization: $HSADMINNG_CAS_TICKET" "$@"
@ -45,23 +45,40 @@ EOF
exit 1 exit 1
fi fi
function casLogout() {
rm -f ~/.cas-login-tgt
}
function casLogin() { function casLogin() {
# ticket granting ticket exists and not expired?
if find ~/.cas-login-tgt -type f -size +0c -mmin -60 2>/dev/null | grep -q .; then
return
fi
if [ -z "$HSADMINNG_CAS_USERNAME" ]; then if [ -z "$HSADMINNG_CAS_USERNAME" ]; then
read -p "Username: " HSADMINNG_CAS_USERNAME read -e -p "Username: " HSADMINNG_CAS_USERNAME
fi fi
if [ -z "$HSADMINNG_CAS_PASSWORD" ]; then if [ -z "$HSADMINNG_CAS_PASSWORD" ]; then
read -s -p "Password: " HSADMINNG_CAS_PASSWORD read -s -e -p "Password: " HSADMINNG_CAS_PASSWORD
fi fi
HSADMINNG_CAS_TGT=`doCurl -s -i -X POST \ # Do NOT use doCurl here! We do neither want to print the password nor pass a CAS service ticket.
trace "+ curl --fail-with-body -s -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d \"username=$HSADMINNG_CAS_USERNAME&password=<<PASSWORD OMITTED>>\" \
$HSADMINNG_CAS_LOGIN -o ~/.cas-login-tgt.response -D -"
HSADMINNG_CAS_TGT=`curl --fail-with-body -s -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Content-Type: application/x-www-form-urlencoded' \
-d "username=$HSADMINNG_CAS_USERNAME&password=$HSADMINNG_CAS_PASSWORD" \ -d "username=$HSADMINNG_CAS_USERNAME&password=$HSADMINNG_CAS_PASSWORD" \
$HSADMINNG_CAS_LOGIN -o /dev/null -D - \ $HSADMINNG_CAS_LOGIN -o ~/.cas-login-tgt.response -D - \
| grep -i "^Location: " | sed -e 's/^Location: //' -e 's/\\r//'` | grep -i "^Location: " | sed -e 's/^Location: //' -e 's/\\r//'`
echo "$HSADMINNG_CAS_TGT" >~/.cas-login-tgt if [ -z "$HSADMINNG_CAS_TGT" ]; then
trace "$HSADMINNG_CAS_TGT" echo "ERROR: could not get ticket granting ticket" >&2
cat ~/.cas-login-tgt.response >&2
fi
echo "$HSADMINNG_CAS_TGT" >~/.cas-login-tgt
trace "$HSADMINNG_CAS_TGT"
} }
function casTicket() { function casTicket() {
@ -87,6 +104,7 @@ function casValidate() {
HSADMINNG_CAS_TICKET=`casTicket` HSADMINNG_CAS_TICKET=`casTicket`
trace "validating CAS-TICKET: $HSADMINNG_CAS_TICKET" trace "validating CAS-TICKET: $HSADMINNG_CAS_TICKET"
# Do NOT use doCurl here! We do not pass a CAS service ticket.
trace curl -i -s $HSADMINNG_CAS_VALIDATE?ticket=${HSADMINNG_CAS_TICKET}\&service=${HSADMINNG_CAS_SERVICE_ID} trace curl -i -s $HSADMINNG_CAS_VALIDATE?ticket=${HSADMINNG_CAS_TICKET}\&service=${HSADMINNG_CAS_SERVICE_ID}
HSADMINNG_CAS_USER=`curl -i -s $HSADMINNG_CAS_VALIDATE?ticket=${HSADMINNG_CAS_TICKET}\&service=${HSADMINNG_CAS_SERVICE_ID} | grep -oPm1 "(?<=<cas:user>)[^<]+"` HSADMINNG_CAS_USER=`curl -i -s $HSADMINNG_CAS_VALIDATE?ticket=${HSADMINNG_CAS_TICKET}\&service=${HSADMINNG_CAS_SERVICE_ID} | grep -oPm1 "(?<=<cas:user>)[^<]+"`
if [ -z "$HSADMINNG_CAS_USER" ]; then if [ -z "$HSADMINNG_CAS_USER" ]; then
@ -96,37 +114,40 @@ function casValidate() {
echo "CAS-User: $HSADMINNG_CAS_USER" echo "CAS-User: $HSADMINNG_CAS_USER"
} }
if ! find ~/.cas-login-tgt -type f -size +0c -mmin -60 2>/dev/null | grep -q .; then
casLogin
fi
case "${1,,}" in case "${1,,}" in
"login") # explicitly login using CAS-server and credentials in HSADMINNG_CAS_..., fetches ticket granting ticket "login") # reads username+password and fetches ticket granting ticket (bypasses HSADMINNG_CAS_USERNAME+HSADMINNG_CAS_PASSWORD)
casLogout
export HSADMINNG_CAS_USERNAME=
export HSADMINNG_CAS_PASSWORD=
casLogin casLogin
;; ;;
"logout") # logout, deleting ticket granting ticket "logout") # logout, deleting ticket granting ticket
rm ~/.cas-login-tgt casLogout
;; ;;
"validate") # validate user login and print currently logged in user "validate") # validates ticket granting ticket and prints currently logged in user
casValidate casValidate
;; ;;
"get") # HTTP GET, add URL as parameter "get") # HTTP GET, add URL as parameter
shift shift
casLogin
HSADMINNG_CAS_TICKET=`casTicket` HSADMINNG_CAS_TICKET=`casTicket`
doCurl "$*" doCurl "$*"
;; ;;
"post") # HTTP POST, add curl options to specify the request body and the URL as last parameter "post") # HTTP POST, add curl options to specify the request body and the URL as last parameter
shift shift
casLogin
HSADMINNG_CAS_TICKET=`casTicket` HSADMINNG_CAS_TICKET=`casTicket`
doCurl --header "Content-Type: application/json" -X POST "$@" doCurl --header "Content-Type: application/json" -X POST "$@"
;; ;;
"patch") # HTTP PATCH, add curl options to specify the request body and the URL as last parameter "patch") # HTTP PATCH, add curl options to specify the request body and the URL as last parameter
shift shift
casLogin
HSADMINNG_CAS_TICKET=`casTicket` HSADMINNG_CAS_TICKET=`casTicket`
doCurl --header "Content-Type: application/json" -X POST "$*" doCurl --header "Content-Type: application/json" -X POST "$*"
;; ;;
"delete") # HTTP DELETE, add curl options to specify the request body and the URL as last parameter "delete") # HTTP DELETE, add curl options to specify the request body and the URL as last parameter
shift shift
casLogin
HSADMINNG_CAS_TICKET=`casTicket` HSADMINNG_CAS_TICKET=`casTicket`
curl -X POST "$@" curl -X POST "$@"
;; ;;