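# F5 generated LTPA token for Lotus Domino
# By Per Henrik Lausten
# June 16, 2009
# http://per.lausten.dk/blog/
#
# This code snippet only contains the code necessary to generate a working
# LTPA token that Lotus Domino accepts.
# You need to add the code necessary to do authentication of the user.
#
# Token layout built below, before Base64 encoding:
#   version bytes + creation time (hex) + expiry time (hex) + username
#   + SHA1 of (version + creation + expiry + username + decoded secret)
#
# Security notes for whoever deploys this:
#  - The username comes from the client's request. Unless a real
#    authentication step gates the token block, the rule signs a token for
#    whatever name the client supplies.
#  - ltpa_secret is the signing key. Anyone who can read this rule, the
#    device configuration or its backups can mint tokens for any user, so
#    restrict that access and rotate the key if the rule text is exposed.
#  - The digest is a plain SHA1 over data followed by the secret because that
#    is the layout the rule's author reports Domino accepts; it is not a
#    choice this rule can strengthen on its own.

when RULE_INIT {
    # Tcl treats "#" as a comment only where a command starts, so every note
    # sits on its own line; a trailing "# ..." after set would be parsed as
    # extra arguments and the rule would fail to load.

    # NOTE(review): these are plain global variables. On BIG-IP versions that
    # provide the static:: namespace, globals are known to demote a virtual
    # server from CMP; consider static:: there. Left unchanged for
    # compatibility with the version this rule was written for.

    # Don't change this
    set cookie_name "LtpaToken"

    # Don't change this
    set ltpa_version "\x00\x01\x02\x03"

    # Set this to the LTPA secret key from your Lotus Domino LTPA configuration
    set ltpa_secret "b64encodedsecretkey"

    # Set this to the timeout value (seconds) from your Lotus Domino LTPA configuration
    set ltpa_timeout "1800"
}

when HTTP_REQUEST {
    #
    # Do your usual F5 HTTP authentication here
    #

    set username [HTTP::username]

    # Replace this condition with the outcome of the authentication step
    # above. A non-empty username is NOT proof of identity; the test only
    # keeps the rule from signing a token for an empty name. The original
    # listing had a closing brace here with no matching opener, which this
    # block now supplies.
    if { $username ne "" } {
        # Initial values: creation and expiry as upper-case hex epoch seconds
        set creation_time_temp [clock seconds]
        set creation_time [format %X $creation_time_temp]
        set expr_time_temp [expr { $creation_time_temp + $::ltpa_timeout }]
        set expr_time [format %X $expr_time_temp]
        set ltpa_secret_decode [b64decode $::ltpa_secret]

        # First part of token: the signed fields followed by the secret
        set cookie_data_raw {}
        append cookie_data_raw $::ltpa_version
        append cookie_data_raw $creation_time
        append cookie_data_raw $expr_time
        append cookie_data_raw $username
        append cookie_data_raw $ltpa_secret_decode

        # SHA1 of first part of token
        set sha_cookie_raw [sha1 $cookie_data_raw]

        # Final not yet encoded token: same fields, digest in place of the secret
        set ltpa_token_raw {}
        append ltpa_token_raw $::ltpa_version
        append ltpa_token_raw $creation_time
        append ltpa_token_raw $expr_time
        append ltpa_token_raw $username
        append ltpa_token_raw $sha_cookie_raw

        # Final Base64 encoded token
        set ltpa_token_final [b64encode $ltpa_token_raw]

        # Insert the cookie
        # NOTE(review): a request that already carries a cookie with this name
        # is not handled here; confirm what reaches Domino in that case.
        HTTP::cookie insert name $::cookie_name value $ltpa_token_final
    }

    # Remove Authorization HTTP header to avoid using basic authentication
    if { [HTTP::header exists "Authorization"] } {
        HTTP::header remove "Authorization"
    }
}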