lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm

package Lemonldap::NG::Portal::Plugins::Impersonation;

use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants
  qw( PE_OK PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED PE_MALFORMEDUSER );

our $VERSION = '2.0.3';

extends 'Lemonldap::NG::Portal::Main::Plugin';

# INITIALIZATION

use constant endAuth => 'run';

has rule => ( is => 'rw', default => sub { 1 } );

sub hAttr {
    $_[0]->{conf}->{impersonationHiddenAttributes} . ' '
      . $_[0]->{conf}->{hiddenAttributes};
}

sub init {
    my ($self) = @_;

    # Parse activation rule
    my $hd = $self->p->HANDLER;
    $self->logger->debug(
        "impersonation rule -> " . $self->conf->{impersonationRule} );
    my $rule =
      $hd->buildSub( $hd->substitute( $self->conf->{impersonationRule} ) );
    unless ($rule) {
        $self->error( "Bad impersonation rule -> " . $hd->tsv->{jail}->error );
        return 0;
    }
    $self->{rule} = $rule;
    return 1;
}

# RUNNING METHOD

sub run {
    my ( $self, $req ) = @_;

    my $spoofId = $req->param('spoofId') || '';
    return PE_MALFORMEDUSER
      if (  $spoofId
        and $req->param('spoofId') !~ /$self->{conf}->{userControl}/o );

    # Skip if no submitted SpoofId
    return PE_OK unless $spoofId;

    # Check activation rule
    unless ( $self->rule->( $req, $req->sessionInfo ) ) {
        $self->userLogger->error('Impersonation service not authorized');
        return PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
    }

    # Fill spoof session
    my ( $realSession, $spoofSession ) = ( {}, {} );
    $self->logger->debug("Spoofing Id: $spoofId...");
    my $spk = '';
    foreach my $k ( keys %{ $req->{sessionInfo} } ) {
        if ( $self->{conf}->{impersonationSkipEmptyValues} ) {
            next unless defined $req->{sessionInfo}->{$k};
        }
        $spk = "$self->{conf}->{impersonationPrefix}$k";
        unless ( $self->hAttr =~ /\b$k\b/ ) {
            $realSession->{$spk} = $req->{sessionInfo}->{$k};
            $self->logger->debug("-> Store $k in realSession key: $spk");
        }
        $self->logger->debug("Delete $k");
        delete $req->{sessionInfo}->{$k};
    }
    $req->{user} = $spoofId;
    $spoofSession = $self->_userDatas($req);
    $spoofSession->{groups} ||= '';

    # Merging SSO groups and hGroups & Dedup
    if ( $self->{conf}->{impersonationMergeSSOgroups} ) {
        $self->userLogger->warn("MERGING SSO groups and hGroups...");
        my $spg       = "$self->{conf}->{impersonationPrefix}groups";
        my $sphg      = "$self->{conf}->{impersonationPrefix}hGroups";
        my $separator = $self->{conf}->{multiValuesSeparator};
        $realSession->{$spg} ||= '';

        $self->logger->debug("Processing groups...");
        my @spoofGrps = my @realGrps = ();
        @spoofGrps = split /\Q$separator/, $spoofSession->{groups};
        @realGrps  = split /\Q$separator/, $realSession->{$spg};
        @spoofGrps = ( @spoofGrps, @realGrps );
        my %hash = map { $_, 1 } @spoofGrps;
        $spoofSession->{groups} = join $separator, sort keys %hash;

        $self->logger->debug("Processing hGroups...");
        $spoofSession->{hGroups} ||= {};
        $realSession->{$sphg} ||= {};
        $spoofSession->{hGroups} =
          { %{ $spoofSession->{hGroups} }, %{ $realSession->{$sphg} } };
    }

    # Create spoofed session
    foreach (qw (_auth _userDB)) {
        $self->logger->debug("Processing $_...");
        $spk = "$self->{conf}->{impersonationPrefix}$_";
        $spoofSession->{$_} = $realSession->{$spk};
    }
    $spoofSession = { %$spoofSession, %$realSession };

    # Main session
    $self->p->updateSession( $req, $spoofSession );
    return PE_OK;
}

sub _userDatas {
    my ( $self, $req ) = @_;
    $req->{sessionInfo} = {};

    # Search user in database
    $req->steps( [
            'getUser',   'setSessionInfo',
            'setMacros', 'setGroups',
            'setLocalGroups'
        ]
    );
    if ( my $error = $self->p->process($req) ) {
        if ( $error == PE_BADCREDENTIALS ) {
            $self->userLogger->warn(
                    'Impersonation requested for an unvalid user ('
                  . $req->{user}
                  . ")" );
        }
        $self->logger->debug("Process returned error: $error");
        return $req->error($error);
    }
    $self->logger->debug("Populating spoofed session...");
    return $req->{sessionInfo};
}

1;
Rename idSpoofing plugin to Impersonation & all relative parameters (#1664) 2019-03-06 16:24:10 +01:00			`package Lemonldap::NG::Portal::Plugins::Impersonation;`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00
			`use strict;`
			`use Mouse;`
Append access rule (#1664) 2019-03-03 21:24:13 +01:00			`use Lemonldap::NG::Portal::Main::Constants`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`qw( PE_OK PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED PE_MALFORMEDUSER );`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00
			`our $VERSION = '2.0.3';`

			`extends 'Lemonldap::NG::Portal::Main::Plugin';`

			`# INITIALIZATION`

			`use constant endAuth => 'run';`

Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`has rule => ( is => 'rw', default => sub { 1 } );`
Append access rule (#1664) 2019-03-03 21:24:13 +01:00
WIP - Append conf. parameters (#1664) 2019-03-02 23:27:56 +01:00			`sub hAttr {`
Rename idSpoofing plugin to Impersonation & all relative parameters (#1664) 2019-03-06 16:24:10 +01:00			`$_[0]->{conf}->{impersonationHiddenAttributes} . ' '`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`. $_[0]->{conf}->{hiddenAttributes};`
WIP - Append conf. parameters (#1664) 2019-03-02 23:27:56 +01:00			`}`

Append access rule (#1664) 2019-03-03 21:24:13 +01:00			`sub init {`
			`my ($self) = @_;`

			`# Parse activation rule`
			`my $hd = $self->p->HANDLER;`
			`$self->logger->debug(`
Rename idSpoofing plugin to Impersonation & all relative parameters (#1664) 2019-03-06 16:24:10 +01:00			`"impersonation rule -> " . $self->conf->{impersonationRule} );`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`my $rule =`
			`$hd->buildSub( $hd->substitute( $self->conf->{impersonationRule} ) );`
Append access rule (#1664) 2019-03-03 21:24:13 +01:00			`unless ($rule) {`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`$self->error( "Bad impersonation rule -> " . $hd->tsv->{jail}->error );`
Append access rule (#1664) 2019-03-03 21:24:13 +01:00			`return 0;`
			`}`
			`$self->{rule} = $rule;`
			`return 1;`
			`}`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00
			`# RUNNING METHOD`

			`sub run {`
			`my ( $self, $req ) = @_;`
Test submitted user param (#1667) 2019-03-06 23:08:22 +01:00
WIP - Append parameters (#1664) 2019-03-03 20:50:21 +01:00			`my $spoofId = $req->param('spoofId') \|\| '';`
Typo (#1664) 2019-03-07 23:39:50 +01:00			`return PE_MALFORMEDUSER`
			`if ( $spoofId`
			`and $req->param('spoofId') !~ /$self->{conf}->{userControl}/o );`
Append access rule (#1664) 2019-03-03 21:24:13 +01:00
			`# Skip if no submitted SpoofId`
WIP - Append parameters (#1664) 2019-03-03 20:50:21 +01:00			`return PE_OK unless $spoofId;`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00
Append access rule (#1664) 2019-03-03 21:24:13 +01:00			`# Check activation rule`
			`unless ( $self->rule->( $req, $req->sessionInfo ) ) {`
Rename idSpoofing plugin to Impersonation & all relative parameters (#1664) 2019-03-06 16:24:10 +01:00			`$self->userLogger->error('Impersonation service not authorized');`
			`return PE_IMPERSONATION_SERVICE_NOT_ALLOWED;`
Append access rule (#1664) 2019-03-03 21:24:13 +01:00			`}`

WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00			`# Fill spoof session`
			`my ( $realSession, $spoofSession ) = ( {}, {} );`
WIP - Append debug logs (#1664) 2019-03-03 20:56:22 +01:00			`$self->logger->debug("Spoofing Id: $spoofId...");`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00			`my $spk = '';`
			`foreach my $k ( keys %{ $req->{sessionInfo} } ) {`
Rename idSpoofing plugin to Impersonation & all relative parameters (#1664) 2019-03-06 16:24:10 +01:00			`if ( $self->{conf}->{impersonationSkipEmptyValues} ) {`
WIP - Append conf. parameters (#1664) 2019-03-02 23:27:56 +01:00			`next unless defined $req->{sessionInfo}->{$k};`
			`}`
Rename idSpoofing plugin to Impersonation & all relative parameters (#1664) 2019-03-06 16:24:10 +01:00			`$spk = "$self->{conf}->{impersonationPrefix}$k";`
WIP - Append conf. parameters (#1664) 2019-03-02 23:27:56 +01:00			`unless ( $self->hAttr =~ /\b$k\b/ ) {`
			`$realSession->{$spk} = $req->{sessionInfo}->{$k};`
			`$self->logger->debug("-> Store $k in realSession key: $spk");`
			`}`
Fix session update (#1664) 2019-03-06 21:29:03 +01:00			`$self->logger->debug("Delete $k");`
			`delete $req->{sessionInfo}->{$k};`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00			`}`
			`$req->{user} = $spoofId;`
			`$spoofSession = $self->_userDatas($req);`
Fix session update (#1664) 2019-03-06 21:29:03 +01:00			`$spoofSession->{groups} \|\|= '';`
Merge SSO groups (#1664) 2019-03-05 14:50:30 +01:00
			`# Merging SSO groups and hGroups & Dedup`
Rename idSpoofing plugin to Impersonation & all relative parameters (#1664) 2019-03-06 16:24:10 +01:00			`if ( $self->{conf}->{impersonationMergeSSOgroups} ) {`
Merge SSO groups (#1664) 2019-03-05 14:50:30 +01:00			`$self->userLogger->warn("MERGING SSO groups and hGroups...");`
Rename idSpoofing plugin to Impersonation & all relative parameters (#1664) 2019-03-06 16:24:10 +01:00			`my $spg = "$self->{conf}->{impersonationPrefix}groups";`
			`my $sphg = "$self->{conf}->{impersonationPrefix}hGroups";`
Merge SSO groups (#1664) 2019-03-05 14:50:30 +01:00			`my $separator = $self->{conf}->{multiValuesSeparator};`
Fix session update (#1664) 2019-03-06 21:29:03 +01:00			`$realSession->{$spg} \|\|= '';`
Fix test submitted user param (#1667) 2019-03-07 10:47:14 +01:00
Fix session update (#1664) 2019-03-06 21:29:03 +01:00			`$self->logger->debug("Processing groups...");`
			`my @spoofGrps = my @realGrps = ();`
			`@spoofGrps = split /\Q$separator/, $spoofSession->{groups};`
Fix test submitted user param (#1667) 2019-03-07 10:47:14 +01:00			`@realGrps = split /\Q$separator/, $realSession->{$spg};`
Fix session update (#1664) 2019-03-06 21:29:03 +01:00			`@spoofGrps = ( @spoofGrps, @realGrps );`
			`my %hash = map { $_, 1 } @spoofGrps;`
			`$spoofSession->{groups} = join $separator, sort keys %hash;`

			`$self->logger->debug("Processing hGroups...");`
			`$spoofSession->{hGroups} \|\|= {};`
			`$realSession->{$sphg} \|\|= {};`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`$spoofSession->{hGroups} =`
			`{ %{ $spoofSession->{hGroups} }, %{ $realSession->{$sphg} } };`
Merge SSO groups (#1664) 2019-03-05 14:50:30 +01:00			`}`

			`# Create spoofed session`
Spoof Authentication and userDB modules (#1664) 2019-03-06 16:30:36 +01:00			`foreach (qw (_auth _userDB)) {`
			`$self->logger->debug("Processing $_...");`
			`$spk = "$self->{conf}->{impersonationPrefix}$_";`
			`$spoofSession->{$_} = $realSession->{$spk};`
			`}`
WIP - Append conf. parameters (#1664) 2019-03-02 23:27:56 +01:00			`$spoofSession = { %$spoofSession, %$realSession };`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00
WIP - Append conf. parameters (#1664) 2019-03-02 23:27:56 +01:00			`# Main session`
WIP - Append debug logs (#1664) 2019-03-03 20:56:22 +01:00			`$self->p->updateSession( $req, $spoofSession );`
WIP - Append conf. parameters (#1664) 2019-03-02 23:27:56 +01:00			`return PE_OK;`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00			`}`

			`sub _userDatas {`
			`my ( $self, $req ) = @_;`
			`$req->{sessionInfo} = {};`

			`# Search user in database`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`$req->steps( [`
			`'getUser', 'setSessionInfo',`
WIP - Append conf. parameters (#1664) 2019-03-02 23:27:56 +01:00			`'setMacros', 'setGroups',`
			`'setLocalGroups'`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00			`]`
			`);`
			`if ( my $error = $self->p->process($req) ) {`
			`if ( $error == PE_BADCREDENTIALS ) {`
			`$self->userLogger->warn(`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`'Impersonation requested for an unvalid user ('`
			`. $req->{user}`
			`. ")" );`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00			`}`
			`$self->logger->debug("Process returned error: $error");`
			`return $req->error($error);`
			`}`
WIP - Append debug logs (#1664) 2019-03-03 20:56:22 +01:00			`$self->logger->debug("Populating spoofed session...");`
WIP - Create session (#1664) 2019-03-02 22:18:42 +01:00			`return $req->{sessionInfo};`
			`}`

			`1;`