contrib/shibuqam/shibuqam.nit

   1 # This file is part of NIT ( http://www.nitlanguage.org ).
   2 #
   3 # Licensed under the Apache License, Version 2.0 (the "License");
   4 # you may not use this file except in compliance with the License.
   5 # You may obtain a copy of the License at
   6 #
   7 #     http://www.apache.org/licenses/LICENSE-2.0
   8 #
   9 # Unless required by applicable law or agreed to in writing, software
  10 # distributed under the License is distributed on an "AS IS" BASIS,
  11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12 # See the License for the specific language governing permissions and
  13 # limitations under the License.
  14
  15 # Gather the authenticated users on UQAM websites.
  16 #
  17 # The main method to use is `HttpRequest::user` and it extracts the information
  18 # of the authenticated user from the request header.
  19 # The real authentication must be done by a mandatory reverse proxy server.
  20 module shibuqam
  21
  22 import nitcorn
  23 private import md5
  24
  25 # Information on a user from Shibboleth/UQAM
  26 class User
  27         # The *code permanent* (or the uid for non student)
  28         var id: String
  29
  30         # Usually the first name
  31         var given_name: String
  32
  33         # Usually "FamilyName, FirstName"
  34         var display_name: String
  35
  36         # The email @courrier.uqam.ca (or @uqam.ca for non student)
  37         var email: String
  38
  39         # The Gravatar URL (based on `email`)
  40         var avatar: String is lazy do
  41                 var md5 = email.md5
  42                 return "https://www.gravatar.com/avatar/{md5}?d=retro"
  43         end
  44 end
  45
  46 redef class HttpRequest
  47         # Extract the Shibboleth/UQAM information from the header, if any.
  48         #
  49         # We assume that a reverse proxy does the authentication and fill the request header.
  50         # If the server is accessible directly, these headers can be easily forged.
  51         # Thus, we assume that the reverse proxy is not by-passable.
  52         #
  53         # The reverse proxy might choose to force an authentication or not.
  54         # If there is no authentication, there is no information in the request header (or with the `(null)` value).
  55         # In this case, `null` is returned by this function.
  56         fun user: nullable User do
  57                 var user = header.get_or_null("Remote-User")
  58                 if user == null or user == "(null)" then return null
  59
  60                 var display_name = header.get_or_null("User-Display-Name")
  61                 var given_name = header.get_or_null("User-Given-Name")
  62                 var email = header.get_or_null("User-Mail")
  63
  64                 if display_name == null or given_name == null or email == null then return null
  65
  66                 var res = new User(user, given_name, display_name, email)
  67                 return res
  68         end
  69 end