contrib/shibuqam/shibuqam.nit

   1 # This file is part of NIT ( http://www.nitlanguage.org ).
   2 #
   3 # Licensed under the Apache License, Version 2.0 (the "License");
   4 # you may not use this file except in compliance with the License.
   5 # You may obtain a copy of the License at
   6 #
   7 #     http://www.apache.org/licenses/LICENSE-2.0
   8 #
   9 # Unless required by applicable law or agreed to in writing, software
  10 # distributed under the License is distributed on an "AS IS" BASIS,
  11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12 # See the License for the specific language governing permissions and
  13 # limitations under the License.
  14
  15 # Gather the authenticated users on UQAM websites.
  16 #
  17 # The main method to use is `HttpRequest::user` and it extracts the information
  18 # of the authenticated user from the request header.
  19 # The real authentication must be done by a mandatory reverse proxy server.
  20 module shibuqam
  21
  22 import nitcorn
  23 private import md5
  24 import serialization
  25
  26 # Information on a user from Shibboleth/UQAM
  27 class User
  28         serialize
  29
  30         # The *code permanent* (or the uid for non student)
  31         var id: String
  32
  33         # Usually the first name
  34         var given_name: String
  35
  36         # Usually "FamilyName, FirstName"
  37         var display_name: String
  38
  39         # The email @courrier.uqam.ca (or @uqam.ca for non student)
  40         var email: String
  41
  42         # The Gravatar URL (based on `email`)
  43         var avatar: String is lazy do
  44                 var md5 = email.md5
  45                 return "https://www.gravatar.com/avatar/{md5}?d=retro"
  46         end
  47 end
  48
  49 redef class HttpRequest
  50         # Extract the Shibboleth/UQAM information from the header, if any.
  51         #
  52         # We assume that a reverse proxy does the authentication and fill the request header.
  53         # If the server is accessible directly, these headers can be easily forged.
  54         # Thus, we assume that the reverse proxy is not by-passable.
  55         #
  56         # The reverse proxy might choose to force an authentication or not.
  57         # If there is no authentication, there is no information in the request header (or with the `(null)` value).
  58         # In this case, `null` is returned by this function.
  59         fun user: nullable User do
  60                 var user = header.get_or_null("Remote-User")
  61                 if user == null or user == "(null)" then return null
  62
  63                 var display_name = header.get_or_null("User-Display-Name")
  64                 var given_name = header.get_or_null("User-Given-Name")
  65                 var email = header.get_or_null("User-Mail")
  66
  67                 if display_name == null or given_name == null or email == null then return null
  68
  69                 var res = new User(user, given_name, display_name, email)
  70                 return res
  71         end
  72 end