2019-03-06 16:24:10 +01:00
|
|
|
package Lemonldap::NG::Portal::Plugins::Impersonation;
|
2019-03-02 22:18:42 +01:00
|
|
|
|
|
|
|
use strict;
|
|
|
|
use Mouse;
|
2019-03-03 21:24:13 +01:00
|
|
|
use Lemonldap::NG::Portal::Main::Constants
|
2019-03-07 18:22:16 +01:00
|
|
|
qw( PE_OK PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED PE_MALFORMEDUSER );
|
2019-03-02 22:18:42 +01:00
|
|
|
|
|
|
|
our $VERSION = '2.0.3';
|
|
|
|
|
|
|
|
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
|
|
|
|
|
|
|
# INITIALIZATION
|
|
|
|
|
|
|
|
use constant endAuth => 'run';
|
|
|
|
|
2019-03-08 11:39:19 +01:00
|
|
|
has rule => ( is => 'rw', default => sub { 1 } );
|
|
|
|
has idRule => ( is => 'rw', default => sub { 1 } );
|
2019-03-03 21:24:13 +01:00
|
|
|
|
2019-03-02 23:27:56 +01:00
|
|
|
sub hAttr {
|
2019-03-06 16:24:10 +01:00
|
|
|
$_[0]->{conf}->{impersonationHiddenAttributes} . ' '
|
2019-03-07 18:22:16 +01:00
|
|
|
. $_[0]->{conf}->{hiddenAttributes};
|
2019-03-02 23:27:56 +01:00
|
|
|
}
|
|
|
|
|
2019-03-03 21:24:13 +01:00
|
|
|
sub init {
|
|
|
|
my ($self) = @_;
|
2019-03-08 11:39:19 +01:00
|
|
|
my $hd = $self->p->HANDLER;
|
2019-03-03 21:24:13 +01:00
|
|
|
|
|
|
|
# Parse activation rule
|
|
|
|
$self->logger->debug(
|
2019-03-08 11:39:19 +01:00
|
|
|
"Impersonation rule -> " . $self->conf->{impersonationRule} );
|
2019-03-07 18:22:16 +01:00
|
|
|
my $rule =
|
|
|
|
$hd->buildSub( $hd->substitute( $self->conf->{impersonationRule} ) );
|
2019-03-03 21:24:13 +01:00
|
|
|
unless ($rule) {
|
2019-03-07 18:22:16 +01:00
|
|
|
$self->error( "Bad impersonation rule -> " . $hd->tsv->{jail}->error );
|
2019-03-03 21:24:13 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
$self->{rule} = $rule;
|
2019-03-08 11:39:19 +01:00
|
|
|
|
|
|
|
# Parse identity rule
|
2019-03-09 23:27:54 +01:00
|
|
|
$self->logger->debug( "Impersonation identities rule -> "
|
2019-03-08 11:39:19 +01:00
|
|
|
. $self->conf->{impersonationIdRule} );
|
|
|
|
$rule =
|
|
|
|
$hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) );
|
|
|
|
unless ($rule) {
|
|
|
|
$self->error(
|
2019-03-09 23:27:54 +01:00
|
|
|
"Bad impersonation identities rule -> " . $hd->tsv->{jail}->error );
|
2019-03-08 11:39:19 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
$self->{idRule} = $rule;
|
|
|
|
|
2019-03-03 21:24:13 +01:00
|
|
|
return 1;
|
|
|
|
}
|
2019-03-02 22:18:42 +01:00
|
|
|
|
|
|
|
# RUNNING METHOD
|
|
|
|
|
|
|
|
sub run {
|
|
|
|
my ( $self, $req ) = @_;
|
2019-03-09 21:31:49 +01:00
|
|
|
my $spoofId = $req->param('spoofId') || $req->{user};
|
2019-03-11 22:06:28 +01:00
|
|
|
$self->logger->debug("No impersonation required") if ( $spoofId eq $req->{user} );
|
|
|
|
my $statut = PE_OK;
|
|
|
|
|
|
|
|
if ( $spoofId !~ /$self->{conf}->{userControl}/o ) {
|
|
|
|
$self->userLogger->error('Malformed spoofed Id');
|
|
|
|
$self->logger->debug("Impersonation tried with spoofed Id: $spoofId");
|
|
|
|
$spoofId = $req->{user};
|
|
|
|
$statut = PE_MALFORMEDUSER;
|
|
|
|
}
|
2019-03-02 22:18:42 +01:00
|
|
|
|
2019-03-03 21:24:13 +01:00
|
|
|
# Check activation rule
|
2019-03-11 22:06:28 +01:00
|
|
|
if ( $spoofId ne $req->{user} ) {
|
|
|
|
$self->logger->debug("Spoofied Id: $spoofId / Real Id: $req->{user}");
|
|
|
|
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
|
|
|
|
$self->userLogger->error('Impersonation service not authorized');
|
|
|
|
$spoofId = $req->{user};
|
|
|
|
$statut = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
|
|
|
|
}
|
2019-03-03 21:24:13 +01:00
|
|
|
}
|
|
|
|
|
2019-03-02 22:18:42 +01:00
|
|
|
# Fill spoof session
|
|
|
|
my ( $realSession, $spoofSession ) = ( {}, {} );
|
2019-03-11 22:06:28 +01:00
|
|
|
$self->logger->debug("Rename real attributes...");
|
2019-03-02 22:18:42 +01:00
|
|
|
my $spk = '';
|
|
|
|
foreach my $k ( keys %{ $req->{sessionInfo} } ) {
|
2019-03-06 16:24:10 +01:00
|
|
|
if ( $self->{conf}->{impersonationSkipEmptyValues} ) {
|
2019-03-02 23:27:56 +01:00
|
|
|
next unless defined $req->{sessionInfo}->{$k};
|
|
|
|
}
|
2019-03-06 16:24:10 +01:00
|
|
|
$spk = "$self->{conf}->{impersonationPrefix}$k";
|
2019-03-02 23:27:56 +01:00
|
|
|
unless ( $self->hAttr =~ /\b$k\b/ ) {
|
|
|
|
$realSession->{$spk} = $req->{sessionInfo}->{$k};
|
|
|
|
$self->logger->debug("-> Store $k in realSession key: $spk");
|
|
|
|
}
|
2019-03-06 21:29:03 +01:00
|
|
|
$self->logger->debug("Delete $k");
|
|
|
|
delete $req->{sessionInfo}->{$k};
|
2019-03-02 22:18:42 +01:00
|
|
|
}
|
2019-03-08 11:39:19 +01:00
|
|
|
|
2019-03-11 22:06:28 +01:00
|
|
|
$spoofSession = $self->_userDatas( $req, $spoofId, $realSession );
|
|
|
|
if ( $req->error ) {
|
|
|
|
if ( $req->error == PE_BADCREDENTIALS ) {
|
|
|
|
$statut = PE_BADCREDENTIALS;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
return $req->error;
|
|
|
|
}
|
|
|
|
}
|
2019-03-08 11:39:19 +01:00
|
|
|
|
2019-03-09 13:05:44 +01:00
|
|
|
# Update spoofed session
|
2019-03-11 22:06:28 +01:00
|
|
|
$self->logger->debug("Populating spoofed session...");
|
2019-03-09 13:05:44 +01:00
|
|
|
foreach (qw (_auth _userDB)) {
|
|
|
|
$self->logger->debug("Processing $_...");
|
|
|
|
$spk = "$self->{conf}->{impersonationPrefix}$_";
|
|
|
|
$spoofSession->{$_} = $realSession->{$spk};
|
|
|
|
}
|
2019-03-05 14:50:30 +01:00
|
|
|
|
2019-03-11 22:06:28 +01:00
|
|
|
# Merging SSO Groups and hGroups & dedup
|
2019-03-09 13:05:44 +01:00
|
|
|
$spoofSession->{groups} ||= '';
|
2019-03-06 16:24:10 +01:00
|
|
|
if ( $self->{conf}->{impersonationMergeSSOgroups} ) {
|
2019-03-05 14:50:30 +01:00
|
|
|
$self->userLogger->warn("MERGING SSO groups and hGroups...");
|
2019-03-06 16:24:10 +01:00
|
|
|
my $spg = "$self->{conf}->{impersonationPrefix}groups";
|
|
|
|
my $sphg = "$self->{conf}->{impersonationPrefix}hGroups";
|
2019-03-05 14:50:30 +01:00
|
|
|
my $separator = $self->{conf}->{multiValuesSeparator};
|
2019-03-06 21:29:03 +01:00
|
|
|
$realSession->{$spg} ||= '';
|
2019-03-07 10:47:14 +01:00
|
|
|
|
2019-03-06 21:29:03 +01:00
|
|
|
$self->logger->debug("Processing groups...");
|
|
|
|
my @spoofGrps = my @realGrps = ();
|
|
|
|
@spoofGrps = split /\Q$separator/, $spoofSession->{groups};
|
2019-03-07 10:47:14 +01:00
|
|
|
@realGrps = split /\Q$separator/, $realSession->{$spg};
|
2019-03-06 21:29:03 +01:00
|
|
|
@spoofGrps = ( @spoofGrps, @realGrps );
|
|
|
|
my %hash = map { $_, 1 } @spoofGrps;
|
|
|
|
$spoofSession->{groups} = join $separator, sort keys %hash;
|
|
|
|
|
|
|
|
$self->logger->debug("Processing hGroups...");
|
|
|
|
$spoofSession->{hGroups} ||= {};
|
|
|
|
$realSession->{$sphg} ||= {};
|
2019-03-07 18:22:16 +01:00
|
|
|
$spoofSession->{hGroups} =
|
|
|
|
{ %{ $spoofSession->{hGroups} }, %{ $realSession->{$sphg} } };
|
2019-03-05 14:50:30 +01:00
|
|
|
}
|
|
|
|
|
2019-03-02 23:27:56 +01:00
|
|
|
# Main session
|
2019-03-03 20:56:22 +01:00
|
|
|
$self->p->updateSession( $req, $spoofSession );
|
2019-03-11 22:06:28 +01:00
|
|
|
return $statut;
|
2019-03-02 22:18:42 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
sub _userDatas {
|
2019-03-11 22:06:28 +01:00
|
|
|
my ( $self, $req, $spoofId, $realSession ) = @_;
|
|
|
|
my $realId = $req->{user};
|
|
|
|
$req->{user} = $spoofId;
|
|
|
|
my $raz = 0;
|
|
|
|
|
|
|
|
# Compute Macros and Groups with real and spoofed sessions
|
|
|
|
$req->{sessionInfo} = {%$realSession};
|
2019-03-02 22:18:42 +01:00
|
|
|
|
|
|
|
# Search user in database
|
2019-03-07 18:22:16 +01:00
|
|
|
$req->steps( [
|
|
|
|
'getUser', 'setSessionInfo',
|
2019-03-02 23:27:56 +01:00
|
|
|
'setMacros', 'setGroups',
|
|
|
|
'setLocalGroups'
|
2019-03-02 22:18:42 +01:00
|
|
|
]
|
|
|
|
);
|
|
|
|
if ( my $error = $self->p->process($req) ) {
|
|
|
|
if ( $error == PE_BADCREDENTIALS ) {
|
|
|
|
$self->userLogger->warn(
|
2019-03-07 18:22:16 +01:00
|
|
|
'Impersonation requested for an unvalid user ('
|
|
|
|
. $req->{user}
|
|
|
|
. ")" );
|
2019-03-02 22:18:42 +01:00
|
|
|
}
|
|
|
|
$self->logger->debug("Process returned error: $error");
|
2019-03-11 22:06:28 +01:00
|
|
|
$req->error($error);
|
|
|
|
$raz = 1;
|
2019-03-02 22:18:42 +01:00
|
|
|
}
|
2019-03-08 11:39:19 +01:00
|
|
|
|
2019-03-11 22:06:28 +01:00
|
|
|
# Check identity rule if impersonation required
|
|
|
|
if ( $realId ne $spoofId ) {
|
|
|
|
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
|
|
|
|
$self->userLogger->warn(
|
|
|
|
'Impersonation requested for an unvalid user ('
|
|
|
|
. $req->{user}
|
|
|
|
. ")" );
|
|
|
|
$self->logger->debug('Identity not authorized');
|
|
|
|
$raz = 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# Same real and spoofed session - Compute Macros and Groups
|
|
|
|
if ($raz) {
|
2019-03-09 23:27:54 +01:00
|
|
|
$req->{sessionInfo} = {};
|
2019-03-11 22:06:28 +01:00
|
|
|
$req->{sessionInfo} = {%$realSession};
|
|
|
|
$req->{user} = $realId;
|
|
|
|
$req->steps( [
|
|
|
|
'getUser', 'setSessionInfo',
|
|
|
|
'setMacros', 'setGroups',
|
|
|
|
'setLocalGroups'
|
|
|
|
]
|
|
|
|
);
|
|
|
|
$self->logger->debug('Spoofed session equal real session');
|
|
|
|
$req->error(PE_BADCREDENTIALS);
|
|
|
|
if ( my $error = $self->p->process($req) ) {
|
|
|
|
$self->logger->debug("Process returned error: $error");
|
|
|
|
$req->error($error);
|
|
|
|
}
|
2019-03-08 11:39:19 +01:00
|
|
|
}
|
|
|
|
|
2019-03-02 22:18:42 +01:00
|
|
|
return $req->{sessionInfo};
|
|
|
|
}
|
|
|
|
|
|
|
|
1;
|