# Apache2::AuthCAS
# Jason Hitt, March 2007
#
# Apache auth module to protect underlying resources using JA-SIG's Central
# Authentication Service
package Apache2::AuthCAS;

$Apache2::AuthCAS::VERSION = "0.4";

use strict;
use warnings FATAL => 'all';

use Apache2::RequestRec ();
use Apache2::RequestIO ();
use Apache2::RequestUtil ();
#use Apache2::ServerRec ();
use Apache2::Module ();
use Apache2::URI ();

use Apache2::Const -compile => qw(FORBIDDEN HTTP_MOVED_TEMPORARILY OK DECLINED HTTP_OK :log);

use mod_perl2;
use vars qw($INITIALIZED $SESSION_CLEANUP_COUNTER);

use APR::URI;
use Apache2::Log;
use Net::SSLeay;
use MIME::Base64;
use DBI;
use URI::Escape;
use XML::Simple;

# logging flags
my $LOG_ERROR  = 0;
my $LOG_WARN   = 1;
my $LOG_INFO   = 2;
my $LOG_DEBUG  = 3;
my $LOG_EMERG  = 4;

my %ERROR_CODES = (
    "DB"               => "Database Service Error",
    "PGT"              => "CAS Proxy Service Error",
    "PGT_RECEPTOR"     => "Proxy Receptor Error",
    "INVALID_RESPONSE" => "Invalid Service Response",
    "INVALID_PGT"      => "Invalid Proxy Granting Ticket",
    "MISSING_PGT"      => "Missing Proxy Granting Ticket",
    "CAS_CONNECT"      => "CAS couldn't validate service ticket",
);

my %DEFAULTS = (
        "Host"                    => "localhost",
        "Port"                    => "443",
        "LoginUri"                => "/cas/login",
        "LogoutUri"               => "/cas/logout",
        "ProxyUri"                => "/cas/proxy",
        "ProxyValidateUri"        => "/cas/proxyValidate",
        "ServiceValidateUri"      => "/cas/serviceValidate",

        "LogLevel"                => 0,
        "PretendBasicAuth"        => 0,
        "Service"                 => undef,
        "ProxyService"            => undef,
        "ErrorUrl"                => "http://localhost/cas/error/",
        "SessionCleanupThreshold" => 10,
        "SessionCookieName"       => "APACHECAS",
        "SessionCookieDomain"     => undef,
        "SessionCookieSecure"     => 0,
        "SessionTimeout"          => 1800,
        "RemoveTicket"            => 0,
        "NumProxyTickets"         => 0,

        "DbDriver"                => "Pg",
        "DbDataSource"            => "dbname=apache_cas;host=localhost;port=5432",
        "DbSessionTable"          => "cas_sessions",
        "DbUser"                  => "cas",
        "DbPass"                  => "cas",
);

# default to 0
$SESSION_CLEANUP_COUNTER = 0 if (!defined($SESSION_CLEANUP_COUNTER));

sub dbConnect($)
{
    my($self) = @_;

    my $dbh = DBI->connect(
        "dbi:" . $self->casConfig("DbDriver")
            . ":" . $self->casConfig("DbDataSource"),
        $self->casConfig("DbUser"), $self->casConfig("DbPass"),
        { AutoCommit => 1 }
    );
    if (!defined($dbh))
    {
        $self->logMsg("db connect error: $DBI::errstr");
        return undef;
    }

    return $dbh;
}

sub getApacheConfig($)
{
    my($self) = @_;
    $self->{'casConfig'} = Apache2::Module::get_config('Apache2::AuthCAS::Configuration'
        , $self->{'request'}->server
        , $self->{'request'}->per_dir_config);

    # Now add in our defaults
    foreach my $key (keys(%DEFAULTS))
    {
        $self->{'casConfig'}->{$key} = $DEFAULTS{$key}
            if !exists($self->{'casConfig'}->{$key});
    }

    $self->logMsg("Apache Config:", $LOG_DEBUG);
    foreach my $key (sort(keys(%{$self->{'casConfig'}})))
    {
        my $val = $self->casConfig($key) || 'undef';
        $self->logMsg("    $key => $val", $LOG_DEBUG);
    }
}

sub casConfig($$)
{
    my($self, $var) = @_;

    return $self->{'casConfig'}->{$var};
}

sub logMsg($$;$)
{
    my($self, $msg, $logLevel) = @_;

    $logLevel = $LOG_ERROR if (!$logLevel);

    if ($self->casConfig("LogLevel") >= $logLevel)
    {
        my $sub = (caller(1))[3];
        $sub =~ /(\w+)$/;
        $self->{'request'}->log->alert("CAS($$): $1: $msg");
    }
}

# used for underlying services that need proxy tickets (PTs)
sub authenticate($$)
{
    my($class, $r) = @_;

    # Only authenticate the first internal request
    return (Apache2::Const::OK) unless $r->is_initial_req;

    # Let's make this easy on ourselves and pass an object around
    # for reading config variables and the request object
    my $self = {};
    bless($self, ref $class || $class);
    $self->{'request'} = $r;
    $self->getApacheConfig();

    # grab the uri that was requested
    my $uri = $r->parsed_uri;

    # Check for a logout request (CAS 3 single sign-off)
    my $query = $uri->query() || "";
    $query =~ /logoutRequest=(.*?)[&;]/;
    my $logoutRequest = $1;

    if ($logoutRequest)
    {
        $logoutRequest =~ /<samlp:SessionIndex>(ST-[0-9]+-[^<]+)<\/samlp:SessionIndex>/;
        my $delete_service_ticket = $1;

        $self->logMsg("deleting session mapping for service_ticket='$delete_service_ticket'", $LOG_DEBUG);

        my $dbh = $self->dbConnect() or return 0;
        $dbh->do("DELETE FROM " . $self->casConfig("DbSessionTable")
            . " WHERE service_ticket= ?", undef, $delete_service_ticket 
        );
        if ($dbh->err)
        {
            $self->logMsg("error deleting session mapping for service_ticket='$delete_service_ticket' ($DBI::errstr)", $LOG_DEBUG);
        }
    }

    # perform any cleanup that is needed
    $self->cleanup();

    # see if any of our other handlers have specified that they have already
    # sufficiently checked the authenticating user
    my $authenticated = $r->subprocess_env->{'AUTHENTICATED'} || "";
    $self->logMsg("authenticated='$authenticated'", $LOG_DEBUG);
    return (Apache2::Const::OK) if ($authenticated eq "true");

    # Parse the query string to get the ticket, plus any GET variables
    # to rebuild our service string (which is needed for CAS to send the
    # client back to the originating service).

    my %params = $self->parse_query_parameters($uri->query);

    # Check for a proxy receptor call
    if ($params{'pgt'} and $params{'pgtIou'})
    {
        return $self->proxy_receptor($params{'pgtIou'}, $params{'pgt'});
    }

    # Check for a session cookie
    if (my $cookie = $r->headers_in->{'Cookie'})
    {
        # we have a session cookie, so we need to get the session id
        $self->logMsg("cookie found: '$cookie'", $LOG_DEBUG);

        # get session id from the cookie
        my $cookieName = $self->casConfig("SessionCookieName");
        $cookie =~ /.*$cookieName=([^;]+)(\s*;.*|\s*$)/;
        my $sid = $1;
        $self->logMsg(($sid ? "" : "no") . " session id found", $LOG_DEBUG);

        # Check for a valid session id
        if ($sid and defined(my $rc = $self->check_session($sid)))
        {
            return $rc;
        }
    }
    else
    {
        my $service = $self->this_url(1);
        $self->logMsg("no session cookie for service: '$service'", $LOG_DEBUG);
    }

    # No session (or an expired one).  Check for a ticket
    if (my $ticket = $params{'ticket'})
    {
        # validate service ticket through CAS, since no valid cookie was found
        my($error, $user, $pgtiou) = $self->validate_service_ticket($ticket);

        if ($error)
        {
            return $self->redirect($self->casConfig("ErrorUrl"), $error);
        }

        # map a new session id to this pgtiou and give the client a cookie
        my $sid = $self->create_session($user, $pgtiou, $ticket);

        if (!$sid)
        {
            # if something bad happened, like database unavailability
            return $self->redirect($self->casConfig("ErrorUrl"), $ERROR_CODES{"DB"});
        }

        my $cookie = $self->casConfig("SessionCookieName") . "=$sid;path=/";
        if ($self->casConfig("SessionCookieDomain"))
        {
            $cookie .= ";domain=." . $self->casConfig("SessionCookieDomain");
        }
        if ($self->casConfig("SessionCookieSecure"))
        {
            $cookie .= ";secure";
        }

        # send the cookie to the browser
        $self->setHeader(0, 'Set-Cookie', $cookie);

        # in case we redirect (considered an "error")
        $r->err_headers_out->{"Set-Cookie"} = $cookie;

        if ($self->casConfig("ProxyService"))
        {
            return $self->do_proxy($sid, undef, $user, 1);
        }
        else
        {
            $self->setHeader(1, 'CAS_FILTER_USER', $user);
            $self->add_basic_auth($user);

            # redirect to this same page minus the ticket
            return $self->redirect_without_ticket() if ($self->casConfig("RemoveTicket"));

            return (Apache2::Const::OK);
        }
    }

    # No valid session, no ticket.  Redirect to CAS login
    return $self->redirect_login();
}

sub check_session($$$)
{
    my($self, $sid) = @_;

    # we set up our own session here, so that we don't have to continually
    # go through this whole process!  we associate a session id with a PGTIOU

    # try to get a session record for the session id we received
    # session_data - session id, last accessed, netid, pgtiou
    if (my($last_accessed, $user, $pgt) = $self->get_session_data($sid))
    {
        # make sure the session is still valid
        if ($last_accessed + $self->casConfig("SessionTimeout") >= time())
        {
            # session is still valid
            $self->logMsg("session '$sid' is still valid", $LOG_DEBUG);

            # record the last time the session was accessed
            # if something bad happened, like database unavailability
            if (!$self->touch_session($sid))
            {
                return $self->redirect($self->casConfig("ErrorUrl"), $ERROR_CODES{"DB"});
            }

            if ($self->casConfig("ProxyService"))
            {
                return $self->do_proxy($sid, $pgt, $user, 0);
            }
            else
            {
                $self->setHeader(1, 'CAS_FILTER_USER', $user);
                $self->add_basic_auth($user);

                return (Apache2::Const::OK);
            }
        }
        else
        {
            $self->logMsg("session '$sid' has expired", $LOG_DEBUG);
            $self->delete_session_data($sid);
        }
    }
    else
    {
        $self->logMsg("session '$sid' is invalid", $LOG_DEBUG);
    }

    return undef;
}

sub cleanup()
{
    my($self) = @_;

    $SESSION_CLEANUP_COUNTER++;
    $self->logMsg("counter=$SESSION_CLEANUP_COUNTER", $LOG_DEBUG);

    # perform session cleanup
    if ($SESSION_CLEANUP_COUNTER == 1)
    {
        $self->delete_expired_sessions();
    }

    # reset counter if we have reached our threshold
    $SESSION_CLEANUP_COUNTER = 0
        if ($SESSION_CLEANUP_COUNTER >= $self->casConfig("SessionCleanupThreshold"));
}

sub add_basic_auth($$)
{
    my($self, $user) = @_;

    if ($self->casConfig("PretendBasicAuth"))
    {
        # setup this up for underlying authz modules that rely
        # on Basic auth having been performed
        $self->setHeader(1, 'Authorization'
            , "Basic " . encode_base64($user . ":DUMMYPASS"));
        $self->{'request'}->ap_auth_type("Basic");
        $self->{'request'}->user($user);
    }
}

sub redirect_without_ticket($)
{
    my($self) = @_;

    $self->logMsg("redirecting to remove service ticket from service string", $LOG_INFO);

    $self->setHeader(0, 'Location', $self->this_url());
    return (Apache2::Const::HTTP_MOVED_TEMPORARILY);
}

sub redirect_login($)
{
    my($self) = @_;

    $self->logMsg("start", $LOG_DEBUG);

    my $service = $self->this_url(1);
    $self->logMsg("redirecting to CAS for service: '$service'", $LOG_INFO);

    $service = uri_escape($service);
    $self->setHeader(0, 'Location', "https://"
        . $self->casConfig("Host") . ":" . $self->casConfig("Port")
        . $self->casConfig("LoginUri") . "?service=$service");
    return (Apache2::Const::HTTP_MOVED_TEMPORARILY);
}

sub redirect($;$$)
{
    my($self, $url, $errcode) = @_;

    if ($url)
    {
        my $service = $self->this_url(1);
        $self->logMsg("redirecting to url: '$url' service: '$service'", $LOG_INFO);

        $self->setHeader(0, 'CAS_FILTER_CAS_HOST',      $self->casConfig("Host"));
        $self->setHeader(0, 'CAS_FILTER_CAS_PORT',      $self->casConfig("Port"));
        $self->setHeader(0, 'CAS_FILTER_CAS_LOGIN_URI', $self->casConfig("LoginUri"));
        $self->setHeader(0, 'CAS_FILTER_SERVICE',       $service);

        $self->logMsg("redirecting to error page") if ($errcode);
        $errcode = "" if (!$errcode);

        $service = uri_escape($service);
        $self->setHeader(0, 'Location'
            , "$url?login_url=https://" . $self->casConfig("Host")
            . ":" . $self->casConfig("Port") . $self->casConfig("LoginUri")
            . "?service=$service&errcode=$errcode");
        return (Apache2::Const::HTTP_MOVED_TEMPORARILY);
    }
    else
    {
        $self->logMsg("no redirect URL, displaying message", $LOG_INFO);
        $self->{'request'}->content_type('text/html');
        $self->{'request'}->print("<html><body>service misconfigured</body></html>");
        $self->{'request'}->rflush();
        return (Apache2::Const::HTTP_OK);
    }
}

# params
#     apache request object
#     ticket to be validated
# returns a hash with keys on success
#       'user', 'pgtiou'
# NULL on failure
sub validate_service_ticket($$$)
{
    my($self, $ticket) = @_;

    my $proxy = $self->casConfig("ProxyService") ? "1" : "0";

    my $service = $self->this_url(1);
    $self->logMsg("Validating service ticket '$ticket' for service '$service'", $LOG_DEBUG);

    my $url;
    if ($proxy)
    {
        my $pgtUrl = $self->{'request'}->construct_url();
        $url = $self->casConfig("ProxyValidateUri") . "?pgtUrl=$pgtUrl&";
    }
    else
    {
        $url = $self->casConfig("ServiceValidateUri") . "?";
    }

    $service = uri_escape($service);
    $url .= "service=$service&ticket=$ticket";

    $self->logMsg("request URL: '$url'", $LOG_DEBUG);

    # Net::SSLeay::trace options
    # 0=no debugging, 1=ciphers, 2=trace, 3=dump data
    $Net::SSLeay::trace = ($self->casConfig("LogLevel") >= $LOG_EMERG) ? 3 : 0;

    my($page) = Net::SSLeay::get_https(
        $self->casConfig("Host"), $self->casConfig("Port"), $url);
    $self->logMsg("response page: $page", $LOG_EMERG);

    # if we had some type of connection problem
    if (!defined($page))
    {
        $self->logMsg("error validating service");
        return ($ERROR_CODES{"CAS_CONNECT"});
    }

    my $casResponse = eval { XMLin($page); } || {};

    my($errorMsg, $user, $pgtiou);
    if (my $successBlock = $casResponse->{"cas:authenticationSuccess"})
    {
        $user = $successBlock->{"cas:user"};
        $self->logMsg("valid service ticket, user='$user'", $LOG_DEBUG);

        # only try to get PGTIOU if we are doing proxy stuff
        if ($proxy)
        {
            if ($pgtiou = $successBlock->{"cas:proxyGrantingTicket"})
            {
                $self->logMsg("proxying - pgtiou='$pgtiou'", $LOG_DEBUG);
            }
            else
            {
                $self->logMsg("proxying and no pgtiou in response from CAS", $LOG_ERROR);
                $errorMsg = $ERROR_CODES{"PGT"};
            }
        }
    }
    elsif (my $failBlock = $casResponse->{"cas:authenticationFailure"})
    {
        $errorMsg = $failBlock->{"code"} . " " . $failBlock->{"content"};
        $self->logMsg("authentication failure, access denied ($errorMsg)" , $LOG_DEBUG);
    }
    else
    {
        $self->logMsg("invalid service response", $LOG_DEBUG);
        $errorMsg = $ERROR_CODES{"INVALID_RESPONSE"};
    }

    return ($errorMsg, $user, $pgtiou);
}

sub proxy_receptor($$$)
{
    my($self, $pgtiou, $pgt) = @_;

    # This is the proxy receptor.
    # We should only enter here when CAS sends us the PGTIOU and the PGT
    if ($pgtiou and $pgt)
    {
        $self->logMsg("proxy receptor invoked with '$pgtiou' => '$pgt'", $LOG_DEBUG);

        # save the pgtiou/pgt mapping
        if (!$self->set_pgt($pgtiou, $pgt))
        {
            $self->logMsg("couldn't save '$pgtiou' => '$pgt'");
            return $self->redirect($self->{'request'}
                , $self->casConfig("ErrorUrl"), $ERROR_CODES{"PGT_RECEPTOR"});
        }

        $self->logMsg("saved '$pgtiou' => '$pgt'", $LOG_DEBUG);

        # Return a successful response to CAS.
        # We have to not let the request fall through to real content here.
        $self->{'request'}->push_handlers(PerlResponseHandler => \&send_proxysuccess);
        return (Apache2::Const::OK);
    }
    else
    {
        $self->logMsg("invalid proxy receptor call - missing ticket information"
            , $LOG_DEBUG);
        return $self->redirect($self->casConfig("ErrorUrl") , $ERROR_CODES{"PGT_RECEPTOR"});
    }
}

sub send_proxysuccess($$)
{
    my($self) = @_;

    $self->logMsg("sending proxy success for CAS callback", $LOG_DEBUG);

    $self->{'request'}->content_type("text/html");
    $self->{'request'}->print("<casClient:proxySuccess xmlns:casClient=\"http://www.yale.edu/tp/casClient\"/>\n");
    $self->{'request'}->rflush();
    return (Apache2::Const::OK);
}

sub get_proxy_tickets($$;$$)
{
    my($self, $pgt, $target, $numTickets) = @_;

    return () if (!$target or !$numTickets);

    $self->logMsg("retrieving '$numTickets' PTs for PGT='$pgt', target='$target'", $LOG_DEBUG);

    my @tickets = ();

    # Net::SSLeay::trace options
    # 0=no debugging, 1=ciphers, 2=trace, 3=dump data
    $Net::SSLeay::trace = ($self->casConfig("LogLevel") >= $LOG_EMERG) ? 3 : 0;

    my $uri = $self->casConfig("ProxyUri") . "?pgt=$pgt&targetService=$target";
    $self->logMsg("Proxy request URL: '$uri'", $LOG_DEBUG);

    for (my $i = 0; $i < $numTickets; $i++)
    {
        my ($page) = Net::SSLeay::get_https(
            $self->casConfig("Host"), $self->casConfig("Port"), $uri);
        $self->logMsg("page: $page", $LOG_EMERG);

        my $casResponse = eval { XMLin($page); } || "";

        if (my $successBlock = $casResponse->{"cas:proxySuccess"})
        {
            if (my $proxyTicket = $successBlock->{"cas:proxyTicket"})
            {
                $self->logMsg("retrieved PT: '$proxyTicket'", $LOG_DEBUG);
                push(@tickets, $proxyTicket);
            }
            else
            {
                $self->logMsg("no PT in response", $LOG_DEBUG);
                return ();
            }
        }
        elsif (my $failBlock = $casResponse->{"cas:proxyFailure"})
        {
            my $errorMsg = $failBlock->{"code"} . " " . $failBlock->{"content"};
            $self->logMsg("proxy response failure ($errorMsg)" , $LOG_DEBUG);
            return ();
        }
        else
        {
            $self->logMsg("invalid proxy ticket response", $LOG_DEBUG);
            return ();
        }
    }

    return @tickets;
}

# place data in the session
sub create_session($$$$)
{
    my($self, $uid, $pgtiou, $ticket) = @_;

    $self->logMsg("creating session for uid='$uid'"
        . ($pgtiou ? ", pgtiou='$pgtiou'" : ""), $LOG_DEBUG);

    my $sid = sprintf("%10d-", time());
    srand();
    for (my $i = 0; $i < 21; $i++)
    {
        $sid .= ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64];
    }

    $self->logMsg("sid='$sid'", $LOG_DEBUG);

    my $dbh = $self->dbConnect() or return undef;

    $dbh->do("INSERT INTO " . $self->casConfig("DbSessionTable")
        . " (id, last_accessed, user_id, pgtiou, service_ticket)"
        . " VALUES (?, ?, ?, ?, ?)"
        , undef, $sid, time(), $uid, $pgtiou, $ticket
    );

    if ($dbh->err)
    {
        $self->logMsg("error creating session ($DBI::errstr)", $LOG_DEBUG);
        undef($sid);
    }

    $dbh->disconnect();

    return $sid;
}

# "touch" the session
sub touch_session($$)
{
    my($self, $sid) = @_;

    $self->logMsg("touching session '$sid'", $LOG_DEBUG);

    my $dbh = $self->dbConnect() or return 0;

    $dbh->do("UPDATE " . $self->casConfig("DbSessionTable")
        . " SET last_accessed = ? WHERE id = ?"
        , undef, time(), $sid
    );

    my $rc = 1;
    if ($dbh->err)
    {
        $self->logMsg("error touching session ($DBI::errstr)", $LOG_DEBUG);
        $rc = 0;
    }

    $dbh->disconnect();

    return $rc;
}

# takes a session id and returns an array
sub get_session_data($$)
{
    my($self, $sid) = @_;

    $self->logMsg("retrieving session data for sid='$sid'", $LOG_DEBUG);

    # retrieve a session object for this session id
    my $dbh = $self->dbConnect() or return ();

    my($last_accessed, $uid, $pgt) = $dbh->selectrow_array(
        "SELECT last_accessed, user_id, pgt FROM "
        . $self->casConfig("DbSessionTable")
        . " WHERE id = ?"
        , undef, $sid
    );

    $dbh->disconnect();

    if (!$dbh->err and $last_accessed)
    {
        $self->logMsg("session data for sid='$sid':"
            . " last_accessed='$last_accessed' uid='$uid'"
            . ($pgt ? "pgt='$pgt'" : ""), $LOG_DEBUG);
        return ($last_accessed, $uid, $pgt);
    }

    $self->logMsg("couldn't get session data for sid='$sid'", $LOG_DEBUG);
    return ();
}

# delete session
sub delete_session_data($$)
{
    my($self, $sid) = @_;

    $self->logMsg("deleting session mapping for sid='$sid'", $LOG_DEBUG);

    # retrieve a session object for this session id
    my $dbh = $self->dbConnect() or return 0;

    $dbh->do("DELETE FROM " . $self->casConfig("DbSessionTable") . " WHERE id = ?"
        , undef, $sid
    );

    my $rc = 1;
    if ($dbh->err)
    {
        $self->logMsg("error deleting session mapping for sid='$sid' ($DBI::errstr)", $LOG_DEBUG);
        $rc = 0;
    }

    $dbh->disconnect();

    return $rc;
}

# delete expired sessions
sub delete_expired_sessions($)
{
    my($self) = @_;

    my $oldestValidTime = time() - $self->casConfig("SessionTimeout");
    $self->logMsg("deleting sessions older than '$oldestValidTime'", $LOG_DEBUG);

    # retrieve a session object for this session id
    my $dbh = $self->dbConnect() or return 0;

    $dbh->do("DELETE FROM " . $self->casConfig("DbSessionTable")
        . " WHERE last_accessed < ?"
        , undef, $oldestValidTime
    );

    my $rc = 1;
    if ($dbh->err)
    {
        $self->logMsg("error deleting expired sessions ($DBI::errstr)", $LOG_ERROR);
        $rc = 0;
    }

    $dbh->disconnect();

    return $rc;
}

# place the pgt mapping in the database
sub set_pgt($$$)
{
    my($self, $pgtiou, $pgt) = @_;

    $self->logMsg("adding map for pgtiou='$pgtiou' pgt='$pgt'", $LOG_DEBUG);

    my $dbh = $self->dbConnect() or return 0;

    $dbh->do(
        "UPDATE " . $self->casConfig("DbSessionTable") . "
        SET pgt = ?
        WHERE pgtiou = ?"
        , undef, $pgt, $pgtiou
    );

    my $rc = 1;
    if ($dbh->err)
    {
        $self->logMsg("error adding map ($DBI::errstr)", $LOG_ERROR);
        $rc = 0;
    }

    $dbh->disconnect();

    return $rc;
}

sub do_proxy($$$$$$)
{
    my($self, $sid, $pgt, $user, $removeTicket) = @_;

    $self->logMsg("proxying request, sid='$sid'", $LOG_DEBUG);
    $self->logMsg("pgt='$pgt'", $LOG_DEBUG) if ($pgt);

    if (!$pgt)
    {
        my(@sessionData) = $self->get_session_data($sid);
        $pgt = $sessionData[2];
        $self->logMsg("pgt lookup, pgt='$pgt'", $LOG_DEBUG) if ($pgt);
    }

    if (!$pgt)
    {
        return $self->redirect($self->casConfig("ErrorUrl")
            , $ERROR_CODES{"MISSING_PGT"});
    }

    my @tickets = $self->get_proxy_tickets(
        $pgt, $self->casConfig("ProxyService"), $self->casConfig("NumProxyTickets"));
    if (scalar(@tickets))
    {
        # place headers in request for underlying service
        my $service = $self->this_url(1);

        $self->logMsg("Setting CAS FILTER response headers", $LOG_DEBUG);

        $self->setHeader(1, 'CAS_FILTER_CAS_HOST',      $self->casConfig("Host"));
        $self->setHeader(1, 'CAS_FILTER_CAS_PORT',      $self->casConfig("Port"));
        $self->setHeader(1, 'CAS_FILTER_CAS_LOGIN_URI', $self->casConfig("LoginUri"));
        $self->setHeader(1, 'CAS_FILTER_SERVICE',       $service);
        $self->setHeader(1, 'CAS_FILTER_USER',          $user);

        $self->setHeader(1, 'CAS_FILTER_PT',  $tickets[0]);
        for (my $i = 1; $i <= scalar(@tickets); $i++)
        {
            $self->setHeader(1, "CAS_FILTER_PT$i", $tickets[$i-1]);
        }

        $self->add_basic_auth($user);

        if ($removeTicket and $self->casConfig("RemoveTicket"))
        {
            return $self->redirect_without_ticket();
        }

        return (Apache2::Const::OK);
    }
    else
    {
        $self->delete_session_data($sid);
        return $self->redirect($self->casConfig("ErrorUrl")
            , $ERROR_CODES{"INVALID_PGT"});
    }
}

sub setHeader($$$$)
{
    my($self, $in, $header, $value) = @_;

    $self->logMsg("Setting header: $header = $value", $LOG_DEBUG);

    if ($in)
    {
        $self->{'request'}->headers_in->{$header} = $value;
    }
    else
    {
        $self->{'request'}->headers_out->{$header} = $value;
    }
}

# strips the ticket from the query and returns the full service URL
sub this_url($$;$)
{
    my($self, $serviceOverride) = @_;

    if ($serviceOverride and my $service = $self->casConfig("Service"))
    {
        return $service;
    }

    my $url = $self->{'request'}->construct_url();
    my $uri = $self->{'request'}->parsed_uri;

    if (my $query = $uri->query)
    {
        $query =~ s/\??&?ticket=[^&]+//;
        $url .= "?$query" if ($query ne "");
    }
    elsif ($self->{'request'}->unparsed_uri =~ /\?$/)
    {
        $url .= "?";
    }

    return $url;
}

sub parse_query_parameters($$)
{
    my($self, $query) = @_;

    return () if (!$query);

    my %params = ();
    foreach my $param (split(/&/, $query))
    {
        my($key, $value) = split(/=/, $param);

        $value = "" if (!$value);
        $self->logMsg("PARAM: '$key' => '$value'", $LOG_DEBUG);
        $params{$key} = $value;
    }

    return %params;
}

1;
__END__

=head1 NAME

Apache2::AuthCAS - A configurable Apache authentication module that enables you
to protect content on an Apache server using an existing JA-SIG CAS
authentication server.

=head1 SYNOPSIS

C<perl -MCPAN -e 'install Apache2::AuthCAS'>

=head1 DESCRIPTION

=head2 General

The I<Apache2::AuthCAS> module allows a user to protect arbitrary content
on an Apache server with JA-SIG CAS.

Add the following lines to your Apache configuration file to load the custom
configuration tags for CAS and allow for CAS authentication:

    PerlLoadModule APR::Table
    PerlLoadModule Apache2::AuthCAS::Configuration
    PerlLoadModule Apache2::AuthCAS

At this point, the configuration directives may be used.  All directives
can be nested in Location, Directory, or VirtualHost sections.

Add the following lines to an Apache configuration file or .htaccess file:

    AuthType Apache2::AuthCAS
    AuthName "CAS"
    PerlAuthenHandler Apache2::AuthCAS->authenticate
    require valid-user

    *note* - this simple config assumes that the rest of the settings have
             been set in your Apache configuration file.  If not, they
             will need to be set here (if allowed by your configuration).

Any options that are not set in the Apache configuration will default to the
values preconfigured in the Apache2::AuthCAS module.  Either explicitly override
those options that do not match your environment or set them in the module
itself.

=head2 Requirements

Apache 2.x with mod_perl2

Perl modules:
    Net::SSLeay
    MIME::Base64
    URI::Escape
    XML::Simple
    DBI
    DBD::<module name> (i.e. DBD::Pg)

=head2 Proxiable Credentials

This module can be optionally configured to use proxy credentials.  This is
enabled by setting the I<CASService> and I<CASProxyService> configuration
parameters.

=head2 Examples

Example configuration without proxiable credentials:

    AuthType Apache2::AuthCAS
    AuthName "CAS"
    PerlAuthenHandler Apache2::AuthCAS->authenticate
    require valid-user

    CASHost         "auth.yourdomain.com"
    CASErrorURL     "https://yourdomain.com/cas/error/"
    CASDbDataSource "dbname=cas;host=dbhost.yourdomain.com;port=5432"


Example configuration without proxiable credentials, using custom database
parameters:

    AuthType Apache2::AuthCAS
    AuthName "CAS"
    PerlAuthenHandler Apache2::AuthCAS->authenticate
    require valid-user

    CASHost           "auth.yourdomain.com"
    CASErrorURL       "https://yourdomain.com/cas/error/"
    CASDbDriver       "Oracle
    CASDbDataSource   "sid=yourdb;host=dbhost.yourdomain.com;port=1521"
    CASDbUser         "cas_user"
    CASDbPass         "cas_pass"
    CASDbSessionTable "cas_sessions_service1"


Example configuration with proxiable credentials:

    AuthType Apache2::AuthCAS
    AuthName "CAS"
    PerlAuthenHandler Apache2::AuthCAS->authenticate
    require valid-user

    CASService       "https://yourdomain.com/email/"
    CASProxyService  "mail.yourdomain.com"


Example configuration with proxiable credentials, using custom database parameters:

    AuthType Apache2::AuthCAS
    AuthName "CAS"
    PerlAuthenHandler Apache2::AuthCAS->authenticate
    require valid-user

    CASService       "https://yourdomain.com/email/"
    CASProxyService  "mail.yourdomain.com"
    CASDbDriver       "Oracle
    CASDbDataSource   "sid=yourdb;host=dbhost.yourdomain.com;port=1521"
    CASDbUser         "cas_user"
    CASDbPass         "cas_pass"
    CASDbSessionTable "cas_sessions_service1"

=head2 Configuration Options

These are the Apache configuration options, defaults, and descriptions
for Apache2::AuthCAS.

    # The CAS server parameters.  These should be self explanatory.
    CASHost                     "localhost"
    CASPort                     "443"
    CASLoginUri                 "/cas/login"
    CASLogoutUri                "/cas/logout"
    CASProxyUri                 "/cas/proxy"
    CASProxyValidateUri         "/cas/proxyValidate"
    CASServiceValidateUri       "/cas/serviceValidate"

    # The level of logging, ERROR(0) - EMERG(4)
    CASLogLevel                 0

    # Should we set the 'Basic' authentication header?
    CASPretendBasicAuth         0

    # Where do we redirect if there is an error?
    CASErrorUrl                 "http://localhost/cas/error/"

    # Session cleanup threshold (1 in N requests)
    # Session cleanup will occur for each Apache thread or process -
    #   i.e. for 10 processes, it may take as many as 100 requests before
    # session cleanup is performed with a threshold of 10)

    CASSessionCleanupThreshold  10

    # Session cookie configuration for this service
    CASSessionCookieDomain      ""
    CASSessionCookieName        "APACHECAS"
    CASSessionTimeout           1800

    # Should the ticket parameter be removed from the URL?
    CASRemoveTicket             0

    # Optional override for this service name
    CASService                  ""

    # If you are proxying for a backend service you will need to specify
    # these parameters.  The service is the name of the backend service
    # you are proxying for, the receptor is the URL you will listen at
    # for pgtiou/pgt mappings from the CAS server, and the final parameter
    # specifies how many proxy tickets should be requested for the backend
    # service.
    CASProxyService             ""
    CASNumProxyTickets          0

    # Database parameters for session and ticket management
    CASDbDriver                 "Pg"
    CASDbDataSource             "dbname=apache_cas;host=localhost;port=5432"
    CASDbSessionTable           "cas_sessions"
    CASDbUser                   "cas"
    CASDbPass                   "cas"

=head1 NOTES

Configuration

    Any options that are not set in the Apache configuration will default to the
    values preconfigured in the Apache2::AuthCAS module.  You should explicitly
    override those options that do not match your environment.

Database

    If you installed this module via CPAN shell, cpan2rpm, or some other automated installer, don't forget to create the session table!

    The SQL-92 format of the table is:
        CREATE TABLE cas_sessions (
            id             varchar(32) not null primary key,
            last_accessed  int8        not null,
            user_id        varchar(32) not null,
            pgtiou         varchar(256),
            pgt            varchar(256)
            service_ticket varchar(256)
        );
    Add indexes and adjust as appropriate for your database and usage.

SSL

    Be careful not to use the CASSessionCookieSecure flag with an HTTP resource.
    If this flag is set and the protocol is HTTP, then no cookie will get sent
    to Apache and Apache2::AuthCAS may act very strange.
    Be sure to set CASSessionCookieSecure only on HTTPS resources!

=head1 COMPATIBILITY

This module will only work with mod_perl2.  mod_perl1 is not supported.

=head1 SEE ALSO

=head2 Official JA-SIG CAS Website

http://www.ja-sig.org/products/cas/

=head2 mod_perl Documentation

http://perl.apache.org/

=head1 AUTHORS

Jason Hitt <jhitt@illumasys.com>

=head1 COPYRIGHT

Copyright (C) 2007 Jason Hitt <jhitt@illumasys.com>

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


=cut