2019-03-06 16:24:10 +01:00
|
|
|
package Lemonldap::NG::Portal::Plugins::Impersonation;
|
2019-03-02 22:18:42 +01:00
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use Mouse;
|
2020-08-28 23:50:57 +02:00
|
|
|
use Lemonldap::NG::Portal::Main::Constants qw(
|
2020-10-09 22:26:00 +02:00
|
|
|
PE_MALFORMEDUSER
|
2020-08-28 23:50:57 +02:00
|
|
|
PE_OK PE_BADCREDENTIALS
|
|
|
|
|
PE_IMPERSONATION_SERVICE_NOT_ALLOWED
|
|
|
|
|
);
|
2019-03-02 22:18:42 +01:00
|
|
|
|
2020-10-09 22:26:00 +02:00
|
|
|
our $VERSION = '2.0.10';
|
2019-03-02 22:18:42 +01:00
|
|
|
|
2020-10-09 22:26:00 +02:00
|
|
|
extends qw(
|
2020-11-04 16:48:43 +01:00
|
|
|
Lemonldap::NG::Portal::Main::Plugin
|
2020-10-09 22:26:00 +02:00
|
|
|
Lemonldap::NG::Portal::Lib::_tokenRule
|
2020-11-04 16:48:43 +01:00
|
|
|
);
|
2019-03-02 22:18:42 +01:00
|
|
|
|
|
|
|
|
# INITIALIZATION
|
|
|
|
|
|
2019-04-30 14:56:26 +02:00
|
|
|
use constant afterData => 'run';
|
2019-03-02 22:18:42 +01:00
|
|
|
|
2020-05-19 23:33:07 +02:00
|
|
|
has rule => ( is => 'rw', default => sub { 1 } );
|
|
|
|
|
has idRule => ( is => 'rw', default => sub { 1 } );
|
|
|
|
|
has unrestrictedUsersRule => ( is => 'rw', default => sub { 0 } );
|
|
|
|
|
|
|
|
|
|
# Form timeout token generator (used if requireToken is set)
|
|
|
|
|
has ott => ( is => 'rw' );
|
|
|
|
|
|
|
|
|
|
# Captcha generator
|
|
|
|
|
has captcha => ( is => 'rw' );
|
2019-03-03 21:24:13 +01:00
|
|
|
|
2019-03-02 23:27:56 +01:00
|
|
|
sub hAttr {
|
2019-03-06 16:24:10 +01:00
|
|
|
$_[0]->{conf}->{impersonationHiddenAttributes} . ' '
|
2019-03-07 18:22:16 +01:00
|
|
|
. $_[0]->{conf}->{hiddenAttributes};
|
2019-03-02 23:27:56 +01:00
|
|
|
}
|
|
|
|
|
|
2019-03-03 21:24:13 +01:00
|
|
|
sub init {
|
|
|
|
|
my ($self) = @_;
|
2020-04-25 14:47:10 +02:00
|
|
|
|
|
|
|
|
# Parse Impersonation rules
|
|
|
|
|
$self->rule(
|
2020-04-25 14:48:27 +02:00
|
|
|
$self->p->buildRule(
|
|
|
|
|
$self->conf->{impersonationRule}, 'impersonation'
|
|
|
|
|
)
|
|
|
|
|
);
|
2020-04-25 14:47:10 +02:00
|
|
|
return 0 unless $self->rule;
|
|
|
|
|
|
|
|
|
|
$self->idRule(
|
2020-04-25 14:48:27 +02:00
|
|
|
$self->p->buildRule(
|
|
|
|
|
$self->conf->{impersonationIdRule},
|
|
|
|
|
'impersonationId'
|
|
|
|
|
)
|
|
|
|
|
);
|
2020-04-25 14:47:10 +02:00
|
|
|
return 0 unless $self->idRule;
|
|
|
|
|
|
2020-05-19 23:33:07 +02:00
|
|
|
$self->unrestrictedUsersRule(
|
|
|
|
|
$self->p->buildRule(
|
|
|
|
|
$self->conf->{impersonationUnrestrictedUsersRule},
|
|
|
|
|
'impersonationUnrestrictedUsers'
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
return 0 unless $self->unrestrictedUsersRule;
|
|
|
|
|
|
|
|
|
|
# Initialize Captcha if needed
|
|
|
|
|
if ( $self->{conf}->{captcha_login_enabled} ) {
|
|
|
|
|
$self->captcha( $self->p->loadModule('::Lib::Captcha') ) or return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Initialize form token if needed (captcha provides also a token)
|
|
|
|
|
else {
|
|
|
|
|
$self->ott( $self->p->loadModule('::Lib::OneTimeToken') ) or return 0;
|
|
|
|
|
$self->ott->timeout( $self->conf->{formTimeout} );
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-03 21:24:13 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
2019-03-02 22:18:42 +01:00
|
|
|
|
|
|
|
|
# RUNNING METHOD
|
|
|
|
|
|
|
|
|
|
sub run {
|
|
|
|
|
my ( $self, $req ) = @_;
|
2019-06-02 22:39:35 +02:00
|
|
|
|
2019-06-08 22:07:47 +02:00
|
|
|
return $req->authResult
|
|
|
|
|
if $req->authResult >
|
2020-08-28 23:50:57 +02:00
|
|
|
PE_OK; # Skip Impersonation if an error occurs during Auth process
|
2019-06-02 22:39:35 +02:00
|
|
|
|
|
|
|
|
my $statut = PE_OK;
|
2020-05-19 23:33:07 +02:00
|
|
|
my $unUser = 0;
|
2019-06-02 22:39:35 +02:00
|
|
|
my $loginHistory =
|
|
|
|
|
$req->{sessionInfo}->{_loginHistory}; # Store login history
|
2022-02-16 17:43:29 +01:00
|
|
|
$req->{user} ||= $req->{sessionInfo}->{_impUser}; # If 2FA is enabled
|
|
|
|
|
my $spoofId = $req->param('spoofId') # Impersonation required
|
|
|
|
|
|| $req->{sessionInfo}->{_impSpoofId} # If 2FA is enabled
|
|
|
|
|
|| $req->{user}; # Impersonation not required
|
2019-06-01 23:22:20 +02:00
|
|
|
|
2019-05-11 20:18:43 +02:00
|
|
|
$self->logger->debug("No impersonation required")
|
|
|
|
|
if ( $spoofId eq $req->{user} );
|
2019-03-11 22:06:28 +01:00
|
|
|
|
2019-06-18 21:57:40 +02:00
|
|
|
unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
|
2019-06-24 23:35:33 +02:00
|
|
|
$self->userLogger->warn('Malformed spoofed Id');
|
2019-03-11 22:06:28 +01:00
|
|
|
$self->logger->debug("Impersonation tried with spoofed Id: $spoofId");
|
|
|
|
|
$spoofId = $req->{user};
|
|
|
|
|
$statut = PE_MALFORMEDUSER;
|
|
|
|
|
}
|
2019-03-02 22:18:42 +01:00
|
|
|
|
2020-05-19 23:33:07 +02:00
|
|
|
# Check activation & unrestrictedUsers rules
|
2019-06-02 22:39:35 +02:00
|
|
|
if ( $spoofId ne $req->{user} ) {
|
|
|
|
|
$self->logger->debug("Spoof Id: $spoofId / Real Id: $req->{user}");
|
2019-03-11 22:06:28 +01:00
|
|
|
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
|
2019-06-24 23:35:33 +02:00
|
|
|
$self->userLogger->warn('Impersonation service not authorized');
|
2019-03-11 22:06:28 +01:00
|
|
|
$spoofId = $req->{user};
|
|
|
|
|
$statut = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
|
|
|
|
|
}
|
2020-05-19 23:33:07 +02:00
|
|
|
$unUser = $self->unrestrictedUsersRule->( $req, $req->sessionInfo );
|
2019-03-03 21:24:13 +01:00
|
|
|
}
|
|
|
|
|
|
2019-03-02 22:18:42 +01:00
|
|
|
# Fill spoof session
|
|
|
|
|
my ( $realSession, $spoofSession ) = ( {}, {} );
|
2019-03-11 22:06:28 +01:00
|
|
|
$self->logger->debug("Rename real attributes...");
|
2019-03-02 22:18:42 +01:00
|
|
|
foreach my $k ( keys %{ $req->{sessionInfo} } ) {
|
2019-03-06 16:24:10 +01:00
|
|
|
if ( $self->{conf}->{impersonationSkipEmptyValues} ) {
|
2019-03-02 23:27:56 +01:00
|
|
|
next unless defined $req->{sessionInfo}->{$k};
|
|
|
|
|
}
|
2019-06-23 22:55:46 +02:00
|
|
|
my $spk = "$self->{conf}->{impersonationPrefix}$k";
|
2019-06-01 19:13:45 +02:00
|
|
|
unless ( $self->hAttr =~ /\b$k\b/
|
|
|
|
|
|| $k =~ /^(?:_imp|token|_type)\w*\b/ )
|
|
|
|
|
{
|
2019-03-02 23:27:56 +01:00
|
|
|
$realSession->{$spk} = $req->{sessionInfo}->{$k};
|
|
|
|
|
$self->logger->debug("-> Store $k in realSession key: $spk");
|
|
|
|
|
}
|
2019-03-06 21:29:03 +01:00
|
|
|
$self->logger->debug("Delete $k");
|
|
|
|
|
delete $req->{sessionInfo}->{$k};
|
2019-03-02 22:18:42 +01:00
|
|
|
}
|
2019-03-08 11:39:19 +01:00
|
|
|
|
2020-05-19 23:33:07 +02:00
|
|
|
$spoofSession = $self->_userData( $req, $spoofId, $realSession, $unUser );
|
2019-03-11 22:06:28 +01:00
|
|
|
if ( $req->error ) {
|
2020-05-19 23:33:07 +02:00
|
|
|
$self->setSecurity($req);
|
2019-03-11 22:06:28 +01:00
|
|
|
if ( $req->error == PE_BADCREDENTIALS ) {
|
2020-05-24 00:04:33 +02:00
|
|
|
$statut = PE_BADCREDENTIALS; # Catch error to preserve protected Id
|
2019-03-11 22:06:28 +01:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return $req->error;
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-03-08 11:39:19 +01:00
|
|
|
|
2019-03-11 22:06:28 +01:00
|
|
|
# Merging SSO Groups and hGroups & dedup
|
2019-06-14 17:23:26 +02:00
|
|
|
$spoofSession->{groups} ||= '';
|
2019-06-09 19:54:00 +02:00
|
|
|
$spoofSession->{hGroups} ||= {};
|
2019-03-06 16:24:10 +01:00
|
|
|
if ( $self->{conf}->{impersonationMergeSSOgroups} ) {
|
2019-03-05 14:50:30 +01:00
|
|
|
$self->userLogger->warn("MERGING SSO groups and hGroups...");
|
2019-03-06 16:24:10 +01:00
|
|
|
my $spg = "$self->{conf}->{impersonationPrefix}groups";
|
|
|
|
|
my $sphg = "$self->{conf}->{impersonationPrefix}hGroups";
|
2019-03-05 14:50:30 +01:00
|
|
|
my $separator = $self->{conf}->{multiValuesSeparator};
|
2019-03-07 10:47:14 +01:00
|
|
|
|
2019-06-08 22:07:47 +02:00
|
|
|
## GROUPS
|
2019-09-11 16:18:35 +02:00
|
|
|
$realSession->{$spg} ||= '';
|
2019-06-09 19:54:00 +02:00
|
|
|
my @spoofGrps = split /\Q$separator/, $spoofSession->{groups};
|
|
|
|
|
my @realGrps = split /\Q$separator/, $realSession->{$spg};
|
2019-06-08 22:07:47 +02:00
|
|
|
|
|
|
|
|
## hGROUPS
|
|
|
|
|
$realSession->{$sphg} ||= {};
|
|
|
|
|
|
2019-06-09 19:54:00 +02:00
|
|
|
# Merge specified groups/hGroups only
|
2020-06-06 23:27:37 +02:00
|
|
|
my %intersct = %{ $realSession->{$sphg} };
|
2019-06-08 22:07:47 +02:00
|
|
|
unless ( $self->{conf}->{impersonationMergeSSOgroups} eq 1 ) {
|
2020-08-25 00:27:06 +02:00
|
|
|
%intersct = ();
|
2019-06-08 22:07:47 +02:00
|
|
|
my %SSOgroups = map { $_, 1 } split /\Q$separator/,
|
|
|
|
|
$self->{conf}->{impersonationMergeSSOgroups};
|
|
|
|
|
|
|
|
|
|
$self->logger->debug("Filtering specified groups/hGroups...");
|
|
|
|
|
@realGrps = grep { exists $SSOgroups{$_} } @realGrps;
|
2020-06-06 23:27:37 +02:00
|
|
|
%intersct =
|
2019-06-08 22:07:47 +02:00
|
|
|
map {
|
|
|
|
|
$realSession->{$sphg}->{$_}
|
|
|
|
|
? ( $_, $realSession->{$sphg}->{$_} )
|
|
|
|
|
: ()
|
|
|
|
|
} keys %SSOgroups;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$self->logger->debug("Processing groups...");
|
2019-03-06 21:29:03 +01:00
|
|
|
@spoofGrps = ( @spoofGrps, @realGrps );
|
|
|
|
|
my %hash = map { $_, 1 } @spoofGrps;
|
|
|
|
|
$spoofSession->{groups} = join $separator, sort keys %hash;
|
|
|
|
|
|
|
|
|
|
$self->logger->debug("Processing hGroups...");
|
2019-03-07 18:22:16 +01:00
|
|
|
$spoofSession->{hGroups} =
|
2020-06-06 23:27:37 +02:00
|
|
|
{ %{ $spoofSession->{hGroups} }, %intersct };
|
2019-03-05 14:50:30 +01:00
|
|
|
}
|
|
|
|
|
|
2019-03-02 23:27:56 +01:00
|
|
|
# Main session
|
2019-03-03 20:56:22 +01:00
|
|
|
$self->p->updateSession( $req, $spoofSession );
|
2019-06-02 22:39:35 +02:00
|
|
|
$req->{sessionInfo}->{_loginHistory} =
|
|
|
|
|
$loginHistory; # Restore login history
|
2019-04-30 14:56:26 +02:00
|
|
|
$req->steps( [ $self->p->validSession, @{ $self->p->endAuth } ] );
|
|
|
|
|
|
2019-06-02 22:39:35 +02:00
|
|
|
# Restore _httpSession for Double Cookies
|
2019-05-12 22:59:21 +02:00
|
|
|
if ( $self->conf->{securedCookie} >= 2 ) {
|
|
|
|
|
$self->p->updateSession( $req, $spoofSession,
|
|
|
|
|
$req->{sessionInfo}->{real__httpSession} );
|
|
|
|
|
$req->{sessionInfo}->{_httpSession} =
|
|
|
|
|
$req->{sessionInfo}->{real__httpSession};
|
|
|
|
|
}
|
2019-03-11 22:06:28 +01:00
|
|
|
return $statut;
|
2019-03-02 22:18:42 +01:00
|
|
|
}
|
|
|
|
|
|
2019-06-02 22:39:35 +02:00
|
|
|
sub _userData {
|
2020-05-19 23:33:07 +02:00
|
|
|
my ( $self, $req, $spoofId, $realSession, $unUser ) = @_;
|
2019-03-11 22:06:28 +01:00
|
|
|
my $realId = $req->{user};
|
2020-05-24 00:04:33 +02:00
|
|
|
my $raz = 0;
|
2020-05-20 21:43:37 +02:00
|
|
|
$req->{user} = $spoofId;
|
2019-03-11 22:06:28 +01:00
|
|
|
|
2019-06-02 22:39:35 +02:00
|
|
|
# Compute Macros and Groups with real and spoof sessions
|
2020-02-25 10:04:30 +01:00
|
|
|
$req->sessionInfo($realSession);
|
2019-03-07 18:22:16 +01:00
|
|
|
$req->steps( [
|
2020-02-25 10:04:30 +01:00
|
|
|
'getUser', 'setAuthSessionInfo',
|
|
|
|
|
'setSessionInfo', $self->p->groupsAndMacros,
|
|
|
|
|
'setLocalGroups'
|
2019-03-02 22:18:42 +01:00
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
if ( my $error = $self->p->process($req) ) {
|
|
|
|
|
if ( $error == PE_BADCREDENTIALS ) {
|
|
|
|
|
$self->userLogger->warn(
|
2020-08-28 21:53:19 +02:00
|
|
|
'Impersonation requested for an invalid user ('
|
2019-03-07 18:22:16 +01:00
|
|
|
. $req->{user}
|
|
|
|
|
. ")" );
|
2019-03-02 22:18:42 +01:00
|
|
|
}
|
|
|
|
|
$self->logger->debug("Process returned error: $error");
|
2019-03-11 22:06:28 +01:00
|
|
|
$req->error($error);
|
|
|
|
|
$raz = 1;
|
2019-03-02 22:18:42 +01:00
|
|
|
}
|
2019-03-08 11:39:19 +01:00
|
|
|
|
2020-05-20 21:43:37 +02:00
|
|
|
# Check identities rule if Impersonation required
|
2019-03-11 22:06:28 +01:00
|
|
|
if ( $realId ne $spoofId ) {
|
2020-05-20 21:43:37 +02:00
|
|
|
$self->logger->info("\"$realId\" is an unrestricted user!") if $unUser;
|
2020-05-19 23:33:07 +02:00
|
|
|
unless ( $unUser || $self->idRule->( $req, $req->sessionInfo ) ) {
|
2019-03-11 22:06:28 +01:00
|
|
|
$self->userLogger->warn(
|
2020-08-28 21:53:19 +02:00
|
|
|
'Impersonation requested for an invalid user ('
|
2019-03-11 22:06:28 +01:00
|
|
|
. $req->{user}
|
|
|
|
|
. ")" );
|
2019-06-24 23:35:33 +02:00
|
|
|
$self->logger->debug('Identity NOT authorized');
|
2019-03-11 22:06:28 +01:00
|
|
|
$raz = 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-02 22:39:35 +02:00
|
|
|
# Same real and spoof session - Compute Macros and Groups
|
2019-03-11 22:06:28 +01:00
|
|
|
if ($raz) {
|
2019-03-09 23:27:54 +01:00
|
|
|
$req->{sessionInfo} = {};
|
2019-03-11 22:06:28 +01:00
|
|
|
$req->{sessionInfo} = {%$realSession};
|
|
|
|
|
$req->{user} = $realId;
|
|
|
|
|
$req->steps( [
|
2019-12-16 23:21:43 +01:00
|
|
|
'getUser', 'setSessionInfo',
|
|
|
|
|
$self->p->groupsAndMacros, 'setLocalGroups'
|
2019-03-11 22:06:28 +01:00
|
|
|
]
|
|
|
|
|
);
|
2020-05-19 23:33:07 +02:00
|
|
|
$self->logger->debug('Reset Impersonation process');
|
2019-03-11 22:06:28 +01:00
|
|
|
$req->error(PE_BADCREDENTIALS);
|
|
|
|
|
if ( my $error = $self->p->process($req) ) {
|
|
|
|
|
$self->logger->debug("Process returned error: $error");
|
|
|
|
|
$req->error($error);
|
|
|
|
|
}
|
2019-03-08 11:39:19 +01:00
|
|
|
}
|
2020-04-01 18:38:01 +02:00
|
|
|
|
|
|
|
|
# Compute groups & macros again with real authenticationLevel
|
|
|
|
|
$req->sessionInfo->{authenticationLevel} =
|
|
|
|
|
$realSession->{real_authenticationLevel};
|
|
|
|
|
delete $req->sessionInfo->{groups};
|
2020-04-23 14:16:35 +02:00
|
|
|
$req->steps(
|
|
|
|
|
[ 'setSessionInfo', $self->p->groupsAndMacros, 'setLocalGroups' ] );
|
2020-04-01 18:38:01 +02:00
|
|
|
if ( my $error = $self->p->process($req) ) {
|
|
|
|
|
$self->logger->debug("Impersonation: Process returned error: $error");
|
|
|
|
|
$req->error($error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$self->logger->debug("Return \"$req->{user}\" sessionInfo");
|
2019-03-02 22:18:42 +01:00
|
|
|
return $req->{sessionInfo};
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-19 23:33:07 +02:00
|
|
|
sub setSecurity {
|
|
|
|
|
my ( $self, $req ) = @_;
|
|
|
|
|
if ( $self->captcha ) {
|
|
|
|
|
$self->captcha->setCaptcha($req);
|
|
|
|
|
}
|
|
|
|
|
elsif ( $self->ottRule->( $req, {} ) ) {
|
|
|
|
|
$self->ott->setToken($req);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-11 20:18:43 +02:00
|
|
|
1;
|
