See ChangeLog

Monotone-Parent: f5359c59c0bb008203154487db17e1ecdd274c0d Monotone-Revision: 7c78ba28d583536196a1acf34df5c96f40db238e Monotone-Author: ludovic@Sophos.ca Monotone-Date: 2010-12-28T17:42:50 Monotone-Branch: ca.inverse.sogo
2026-06-24 11:24:17 +00:00 · 2010-12-28 17:42:50 +00:00
parent 7ffe6ee26a
commit f46ebda105
22 changed files with 738 additions and 53 deletions
@@ -46,6 +46,7 @@ SOGo_HEADER_FILES = \
 	NSURL+DAV.h			\
 	\
 	SOGoAuthenticator.h		\
+ 	SOGoSession.h			\
 	SOGoCASSession.h		\
 	SOGoDAVAuthenticator.h		\
 	SOGoProxyAuthenticator.h	\
@@ -108,6 +109,7 @@ SOGo_OBJC_FILES = \
 	NSString+Utilities.m		\
 	NSURL+DAV.m	  		\
 	\
+	SOGoSession.m			\
 	SOGoCASSession.m		\
 	SOGoDAVAuthenticator.m		\
 	SOGoProxyAuthenticator.m	\
@@ -1,6 +1,6 @@
 /* SOGoCache.h - this file is part of SOGo
 *
- * Copyright (C) 2008-2010 Inverse inc.
+ * Copyright (C) 2008-2011 Inverse inc.
 *
 * Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
 *         Ludovic Marcotte <lmarcotte@inverse.ca>
@@ -92,7 +92,9 @@
                forLogin: (NSString *) login;
 - (NSString *) userSettingsForLogin: (NSString *) theLogin;

-/* CAS support */
+//
+// CAS support
+//
 - (NSString *) CASTicketFromIdentifier: (NSString *) identifier;
 - (NSString *) CASSessionWithTicket: (NSString *) ticket;
 - (void) setCASSession: (NSString *) casSession
@@ -103,9 +105,11 @@
 - (void) setCASPGTId: (NSString *) pgtId
           forPGTIOU: (NSString *) pgtIou;

+//
+// ACL caching support
+//
 - (void) setACLs: (NSDictionary *) theACLs
 	 forPath: (NSString *) thePath;
-
 - (NSMutableDictionary *) aclsForPath: (NSString *) thePath;

@end
@@ -36,8 +36,13 @@
 * <uid>+attributes      value = NSMutableDictionary instance > user's LDAP attributes
 * <object path>+acl     value = NSDictionary instance > ACLs on an object at specified path
 * <groupname>+<domain>  value = NSString instance (array components separated by ",") or group member logins for a specific group in domain
+ * cas-id:< >            value = 
+ * cas-ticket:< >        value =
+ * cas-pgtiou:< >        value =
+ * session:< >           value =
 */

+
 #import <Foundation/NSArray.h>
 #import <Foundation/NSData.h>
 #import <Foundation/NSDictionary.h>
@@ -437,7 +442,9 @@ static memcached_st *handle = NULL;
  return [self _valuesOfType: @"settings" forKey: theLogin];
 }

-/* CAS session support */
+//
+// CAS session support
+//
 - (NSString *) CASTicketFromIdentifier: (NSString *) identifier
 {
  return [self valueForKey: [NSString stringWithFormat: @"cas-id:%@",
@@ -481,7 +488,7 @@ static memcached_st *handle = NULL;
 }

 //
-//
+// ACL caching code
 //
 - (void) setACLs: (NSDictionary *) theACLs
 	 forPath: (NSString *) thePath
@@ -1,14 +1,15 @@
 /*
+  Copyright (C) 2007-2011 Inverse inc.
  Copyright (C) 2004 SKYRIX Software AG

-  This file is part of OpenGroupware.org.
+  This file is part of SOGo.

-  OGo is free software; you can redistribute it and/or modify it under
+  SOGo is free software; you can redistribute it and/or modify it under
  the terms of the GNU Lesser General Public License as published by the
  Free Software Foundation; either version 2, or (at your option) any
  later version.

-  OGo is distributed in the hope that it will be useful, but WITHOUT ANY
+  SOGo is distributed in the hope that it will be useful, but WITHOUT ANY
  WARRANTY; without even the implied warranty of MERCHANTABILITY or
  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
  License for more details.
@@ -1,6 +1,6 @@
 /* SOGoProxyAuthenticator.h - this file is part of SOGo
 *
- * Copyright (C) 2009 Inverse inc.
+ * Copyright (C) 2009-2011 Inverse inc.
 *
 * Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
 *
@@ -402,7 +402,6 @@
 			    grace: grace];
    }

-
  return checkOK;
 }

@@ -1,6 +1,6 @@
 /* SOGoWebAuthenticator.m - this file is part of SOGo
 *
- * Copyright (C) 2007-2010 Inverse inc.
+ * Copyright (C) 2007-2011 Inverse inc.
 *
 * Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
 *
@@ -32,13 +32,16 @@
 #import <NGObjWeb/WOResponse.h>
 #import <NGExtensions/NSCalendarDate+misc.h>
 #import <NGExtensions/NSObject+Logs.h>
+#import <NGExtensions/NSNull+misc.h>
 #import <NGLdap/NGLdapConnection.h>

 #import <MainUI/SOGoRootPage.h>

+#import "SOGoCache.h"
 #import "SOGoCASSession.h"
 #import "SOGoConstants.h"
 #import "SOGoPermissions.h"
+#import "SOGoSession.h"
 #import "SOGoSystemDefaults.h"
 #import "SOGoUser.h"
 #import "SOGoUserManager.h"
@@ -59,12 +62,32 @@

 - (BOOL) checkLogin: (NSString *) _login
 	   password: (NSString *) _pwd
-{
+{ 
+  NSString *username, *password, *value;
  SOGoPasswordPolicyError perr;
  int expire, grace;
+ 

-  return [self checkLogin: _login
-	       password: _pwd
+  // We check for the existence of the session in the database/memcache
+  // and we extract the real password from it. Here,
+  //
+  // _login == userKey
+  // _pwd == sessionKey
+  //
+  // If the session isn't present in the database, we fail the login process.
+  //
+  value = [SOGoSession valueForSessionKey: _pwd];
+
+  if (!value)
+    return NO;
+
+  [SOGoSession decodeValue: value
+	       usingKey: _login
+	       login: &username
+	       password: &password];
+
+  return [self checkLogin: username
+	       password: password
 	       perr: &perr
 	       expire: &expire
 	       grace: &grace];
@@ -97,13 +120,16 @@
 					      expire: _expire
 					      grace: _grace];
  
-  //  [self logWithFormat: @"Checked login with ppolicy enabled: %d %d %d", *_perr, *_expire, *_grace];
+  //[self logWithFormat: @"Checked login with ppolicy enabled: %d %d %d", *_perr, *_expire, *_grace];
  
  // It's important to return the real value here. The callee will handle
  // the return code and check for the _perr value.
  return rc;
 }

+//
+//
+//
 - (SOGoUser *) userInContext: (WOContext *)_ctx
 {
  static SOGoUser *anonymous = nil;
@@ -124,20 +150,64 @@

 - (NSString *) passwordInContext: (WOContext *) context
 {
-  NSArray *creds;
  NSString *auth, *password;
+  NSArray *creds;

  auth = [[context request]
           cookieValueForKey: [self cookieNameInContext: context]];
  creds = [self parseCredentials: auth];
  if ([creds count] > 1)
-    password = [creds objectAtIndex: 1];
+    {
+      NSString *login;
+      
+      [SOGoSession decodeValue: [SOGoSession valueForSessionKey: [creds objectAtIndex: 1]]
+		   usingKey: [creds objectAtIndex: 0]
+		   login: &login
+		   password: &password];
+    }
  else
    password = nil;

  return password;
 }

+//
+// We overwrite SOPE's method in order to proper retrieve
+// the username from the cookie.
+//
+- (NSString *) checkCredentials: (NSString *)_creds
+{
+  NSString *login, *pwd, *userKey, *sessionKey;
+  NSArray *creds;
+
+  SOGoPasswordPolicyError perr;
+  int expire, grace;
+  
+  if (![(creds = [self parseCredentials:_creds]) isNotEmpty])
+    return nil;
+
+  userKey = [creds objectAtIndex:0];
+  if ([userKey isEqualToString:@"anonymous"])
+    return @"anonymous";
+  
+  sessionKey = [creds objectAtIndex:1];
+  
+  [SOGoSession decodeValue: [SOGoSession valueForSessionKey: sessionKey]
+	       usingKey: userKey
+	       login: &login
+	       password: &pwd];
+  
+  if (![self checkLogin: login
+	     password: pwd
+	     perr: &perr
+	     expire: &expire
+	     grace: &grace])
+    return nil;
+  
+  return login;
+}
+
+
 - (NSString *) imapPasswordInContext: (WOContext *) context
                           forServer: (NSString *) imapServer
                          forceRenew: (BOOL) renew
@@ -176,12 +246,12 @@
  return [SOGoUser userWithLogin: login roles: roles];
 }

+//
+// This is called by SoObjectRequestHandler prior doing any significant
+// processing to allow the authenticator to reject invalid requests.
+//
 - (WOResponse *) preprocessCredentialsInContext: (WOContext *) context
 {
-  /*
-    This is called by SoObjectRequestHandler prior doing any significant
-    processing to allow the authenticator to reject invalid requests.
-  */
  WOResponse *response;
  NSString *auth;