Append extended conversion functions compliant with jail (#2624)

2022-06-30 23:14:16 +02:00 · 2022-06-30 23:14:16 +02:00 · 0576212979
parent 0831143a6b
commit 0576212979
3 changed files with 224 additions and 170 deletions
--- a/doc/sources/admin/extendedfunctions.rst
+++ b/doc/sources/admin/extendedfunctions.rst
@ -18,12 +18,12 @@ This is also true for:

 Inside this jail, you can access to:

-* all session values and CGI environment variables (through `$ENV{<HTTP_NAME>}`)
+* All session values and CGI environment variables (through `$ENV{<HTTP_NAME>}`)
 * Core Perl subroutines (split, pop, map, etc.)
 * :doc:`Custom functions<customfunctions>`
 * The `encode_base64 <http://perldoc.perl.org/MIME/Base64.html>`__ subroutine
 * Information about current request
-* Extended functions:
+* Extended functions except basic, iso2unicode and unicode2iso:

  * basic_
  * checkDate_
@ -36,9 +36,11 @@ Inside this jail, you can access to:
  * inGroup_ (|new| in version 2.0.8)
  * isInNet6_
  * iso2unicode_
+  * iso2unicodeSafe_ (|new| in version 2.0.15)
  * listMatch_ (|new| in version 2.0.7)
  * token_
  * unicode2iso_
+  * unicode2isoSafe_ (|new| in version 2.0.15)
  * varIsInUri_ (|new| in version 2.0.7)


@ -53,48 +55,71 @@ Inside this jail, you can access to:
 Extended Functions List
 -----------------------

-date
-~~~~
+basic
+~~~~~

-Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT
-by calling ``date(1)``
+.. attention::

-::
+    This function is not compliant with the :doc:`Safe jail<safejail>`,
+    you will have to disable the jail to use it.

-    For example: date(1) lt '19551018080000'
-  
-dateToTime
-~~~~~~~~~~
+This function builds the ``Authorization`` HTTP header employed in
+:doc:`HTTP Basic authentication scheme<applications/authbasic>`. It will
+convert `user` and `password` parameters from UTF-8 to ISO-8859-1.

-.. versionadded:: 2.0.12
+Functions parameters:

-Converts a string date into epoch time.
-
-The date format is the LDAP date syntax, for example for the 1st March
-2009 (GMT):
-
-::
-
-    20090301000000Z
-
-The date may end with a differential timezone that is interpreted to 
-adjust the epoch time, for example for the 1st March 2009 (+0100):
-
-::
-
-    20090301000000+0100
+-  **user**
+-  **password**

 Simple usage example:

 ::

-    dateToTime($ssoStartDate) lt dateToTime(date(1))
+   basic($uid,$_password)
+
+checkDate
+~~~~~~~~~
+
+This function checks date of current request, and compare it to
+a start date and an end date. It returns 1 if this matches, 0 else.
+
+
+The date format corresponds to LDAP date syntax, for example for the 1st of March
+2009 (GMT)
+
+::
+
+   20090301000000Z
+
+|new| Since version 2.0.12, the date may end with a differential timezone, 
+for example for the 1st of March 2009 (+0100):
+
+::
+
+    20090301000000+0100
+
+
+Functions parameters:
+
+-  **start**: Start date (GMT unless, |new| since version 2.0.12, a
+   differential timezone is included)
+-  **end**: End date (GMT unless, |new| since version 2.0.12, a
+   differential timezone is included)
+-  **default_access** (optional): Which result to return if **start** and
+   **end** dates are empty
+
+Simple usage example:
+
+::
+
+   checkDate($ssoStartDate, $ssoEndDate)

 checkLogonHours
 ~~~~~~~~~~~~~~~

-This function will check the day and the hour of current request, and
-compare it to allowed days and hours. It returns 1 if this match, 0
+This function checks the day and the hour of current request, and
+compare it to allowed days and hours. It returns 1 if matches, 0
 else. By default, the allowed days and hours is an hexadecimal
 value, representing each hour of the week. A day has 24 hours, and a
 week 7 days, so the value contains 168 bits, converted into 42
@ -112,12 +137,12 @@ For example, for a full access, excepted week-end:
    You can use the binary value from the logonHours attribute of Active
    Directory, or create a custom attribute in your LDAP schema.

-Functions parameters:
+Function parameters:

-  **logon_hours**: string representing allowed logon hours (GMT)
+-  **logon_hours**: String representing allowed logon hours (GMT)
 -  **syntax** (optional): ``hexadecimal`` (default) or ``octetstring``
-  **time_correction** (optional): hours to add or to subtract
-  **default_access** (optional): what result to return if
+-  **time_correction** (optional): Hours to add or to subtract
+-  **default_access** (optional): Which result to return if
   **logon_hours** is empty

 Simple usage example:
@ -156,113 +181,58 @@ rejected. You can allow these users instead of reject them:

   checkLogonHours($ssoLogonHours, '', '', '1')

+date
+~~~~

-checkDate
-~~~~~~~~~
-
-This function will check the date of current request, and compare it to
-a start date and an end date. It returns 1 if this match, 0 else.
-
-
-The date format is the LDAP date syntax, for example for the 1st of March
-2009 (GMT)
+Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT
+by calling ``date(1)``

 ::

-   20090301000000Z
+    For example: date(1) lt '19551018080000'

-|new| Since version 2.0.12, the date may end with a differential timezone, 
-for example for the 1st of March 2009 (+0100):
+dateToTime
+~~~~~~~~~~
+
+.. versionadded:: 2.0.12
+
+Used for converting a string date into epoch time.
+
+The date format is the LDAP date syntax, for example for the 1st March
+2009 (GMT):
+
+::
+
+    20090301000000Z
+
+The date may end with a differential timezone that is interpreted to 
+adjust the epoch time, for example for the 1st March 2009 (+0100):

 ::

    20090301000000+0100

-
-Functions parameters:
-
-  **start**: Start date (GMT unless, |new| since version 2.0.12, a
-   differential timezone is included)
-  **end**: End date (GMT unless, |new| since version 2.0.12, a
-   differential timezone is included)
-  **default_access** (optional): what result to return if **start** and
-   **end** are empty
-
 Simple usage example:

 ::

-   checkDate($ssoStartDate, $ssoEndDate)
+    dateToTime($ssoStartDate) lt dateToTime(date(1))

+encrypt
+~~~~~~~

-basic
-~~~~~
+.. tip::

-.. attention::
+    Since version 2.0, this function is now compliant with
+    :doc:`Safe jail<safejail>`.

-    This function is not compliant with
-    :doc:`Safe jail<safejail>`, you will need to disable the jail to use
-    it.
-
-This function builds the ``Authorization`` HTTP header used in
-:doc:`HTTP Basic authentication scheme<applications/authbasic>`. It will
-force conversion from UTF-8 to ISO-8859-1 of user and password data.
-
-Functions parameters:
-
-  **user**
-  **password**
-
-Simple usage example:
+This function uses the secret key of LL::NG configuration to crypt a data.
+This can be used for anonymizing identifier given to the protected
+application.

 ::

-   basic($uid,$_password)
-
-
-unicode2iso
-~~~~~~~~~~~
-
-
-.. attention::
-
-    This function is not compliant with
-    :doc:`Safe jail<safejail>`, you will need to disable the jail to use
-    it.
-
-This function convert a string from UTF-8 to ISO-8859-1.
-
-Functions parameters:
-
-  **string**
-
-Simple usage example:
-
-::
-
-   unicode2iso($name)
-
-iso2unicode
-~~~~~~~~~~~
-
-
-.. attention::
-
-    This function is not compliant with
-    :doc:`Safe jail<safejail>`, you will need to disable the jail to use
-    it.
-
-This function convert a string from ISO-8859-1 to UTF-8.
-
-Functions parameters:
-
-  **string**
-
-Simple usage example:
-
-::
-
-   iso2unicode($name)
+   encrypt($_whatToTrace)

 groupMatch
 ~~~~~~~~~~
@ -316,6 +286,71 @@ Example::

      $_2fDevices =~ /"type":\s*"TOTP"/s

+inGroup
+~~~~~~~
+
+.. versionadded:: 2.0.8
+
+This function lets you test if the user is in a given group. It is
+case-insensitive.
+
+Usage example:
+
+::
+
+   inGroup('admins')
+
+   inGroup('test users')
+
+The function returns 1 if the user belongs to the given group, and 0 if
+they don't.
+
+isInNet6
+~~~~~~~~
+
+Function to check if an IPv6 address is in a subnet. Example *check if
+IP address is local*:
+
+.. code-block:: perl
+
+   isInNet6($ipAddr, 'fe80::/10')
+
+iso2unicode
+~~~~~~~~~~~
+
+.. attention::
+
+    This function is not compliant with :doc:`Safe jail<safejail>`.
+    You will have to disable the jail to use it.
+
+This function converts a string from ISO-8859-1 to UTF-8.
+
+Function parameter:
+
+-  **string**
+
+Simple usage example:
+
+::
+
+   iso2unicode($name)
+
+iso2unicodeSafe
+~~~~~~~~~~~~~~~
+
+This function converts a string from ISO-8859-1 to UTF-8
+but it is not as portable as the original one.
+
+Functions parameters:
+
+-  **string**
+
+Simple usage example:
+
+::
+
+   iso2unicodeSafe($name)
+
 .. _listMatch:

 listMatch
@ -346,42 +381,6 @@ Simple usage example:
 The function returns 1 if the value was found, and 0 if it was not
 found.

-inGroup
-~~~~~~~
-
-.. versionadded:: 2.0.8
-
-This function lets you test if the user is in a given group. It is
-case-insensitive.
-
-Usage example:
-
-::
-
-   inGroup('admins')
-
-   inGroup('test users')
-
-The function returns 1 if the user belongs to the given group, and 0 if
-they don't.
-
-encrypt
-~~~~~~~
-
-
-.. tip::
-
-    Since version 2.0, this function is now compliant with
-    :doc:`Safe jail<safejail>`.
-
-This function uses the secret key of LLNG configuration to crypt a data.
-This can be used for anonymizing identifier given to the protected
-application.
-
-::
-
-   encrypt($_whatToTrace)
-
 token
 ~~~~~

@ -392,16 +391,6 @@ This function generates token used for

   token($_session_id,'webapp1.example.com','webapp2.example.com')

-isInNet6
-~~~~~~~~
-
-Function to check if an IPv6 address is in a subnet. Example *check if
-IP address is local*:
-
-.. code-block:: perl
-
-   isInNet6($ipAddr, 'fe80::/10')
-
 varIsInUri
 ~~~~~~~~~~

@ -433,3 +422,39 @@ Example *check if $uid is in /check-auth/ URI*:
   :width: 35px
 .. |image1| image:: /documentation/new.png
   :width: 35px
+
+unicode2iso
+~~~~~~~~~~~
+
+.. attention::
+
+    This function is not compliant with :doc:`Safe jail<safejail>`.
+    You will have to disable the jail to use it.
+
+This function convert a string from UTF-8 to ISO-8859-1.
+
+Function parameter:
+
+-  **string**
+
+Simple usage example:
+
+::
+
+   unicode2iso($name)
+
+unicode2isoSafe
+~~~~~~~~~~~~~~~
+
+This function convert a string from UTF-8 to ISO-8859-1
+but it is not as portable as the original one.
+
+Function parameter:
+
+-  **string**
+
+Simple usage example:
+
+::
+
+   unicode2isoSafe($name)
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Safelib.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Safelib.pm
@ -12,13 +12,13 @@ use Lemonldap::NG::Common::IPv6;
 use JSON::XS;
 use Date::Parse;

-our $VERSION = '2.0.12';
+our $VERSION = '2.0.15';

 # Set here all the names of functions that must be available in Safe objects.
-# Not that only functions, not methods, can be written here
+# Note that only functions, not methods, can be written here
 our $functions =
  [
-    qw(&checkLogonHours &date &dateToTime &checkDate &basic &unicode2iso &iso2unicode &groupMatch &isInNet6 &varIsInUri &has2f_internal)
+    qw(&checkLogonHours &date &dateToTime &checkDate &basic &unicode2iso &unicode2isoSafe &iso2unicode &iso2unicodeSafe &groupMatch &isInNet6 &varIsInUri &has2f_internal)
  ];

 ## @function boolean checkLogonHours(string logon_hours, string syntax, string time_correction, boolean default_access)
@ -202,6 +202,21 @@ sub unicode2iso {
    return encode( "iso-8859-1", decode( "utf-8", $string ) );
 }

+## @function string unicode2isoSafe(string string)
+## This function is compliant with the Safe jail
+## but not as portable as the original one
+# Convert UTF-8 in ISO-8859-1
+# @param string UTF-8 string
+# @return ISO string
+sub unicode2isoSafe {
+    my ($string) = @_;
+
+    my $res = $string;
+    utf8::decode($res);
+    utf8::downgrade($res);
+    return $res;
+}
+
 ## @function string iso2unicode(string string)
 # Convert ISO-8859-1 in UTF-8
 # @param string ISO string
@ -212,6 +227,20 @@ sub iso2unicode {
    return encode( "utf-8", decode( "iso-8859-1", $string ) );
 }

+## @function string iso2unicodeSafe(string string)
+## This function is compliant with the Safe jail
+## but not as portable as the original one
+# Convert ISO-8859-1 in UTF-8
+# @param string ISO string
+# @return UTF-8 string
+sub iso2unicodeSafe {
+    my ($string) = @_;
+
+    my $res = $string;
+    utf8::encode($res);
+    return $res;
+}
+
 ## @function int groupMatch(hashref groups, string attribute, string value)
 # Check in hGroups structure if a group attribute contains a value
 # @param groups The $hGroups variable
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
@ -7,7 +7,7 @@ use Exporter 'import';
 our $VERSION = '2.0.14';

 use constant HANDLER => 'Lemonldap::NG::Handler::PSGI::Main';
-use constant URIRE =>
+use constant URIRE   =>
 qr{(((?^:https?))://((?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-9]*[a-zA-Z0-9]|[a-zA-Z])[.]?)|(?:[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+)))(?::((?:[0-9]*)))?(/(((?:(?:(?:(?:[a-zA-Z0-9\-_.!~*'():\@&=+\$,]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*)(?:;(?:(?:[a-zA-Z0-9\-_.!~*'():\@&=+\$,]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*))*)(?:/(?:(?:(?:[a-zA-Z0-9\-_.!~*'():\@&=+\$,]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*)(?:;(?:(?:[a-zA-Z0-9\-_.!~*'():\@&=+\$,]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*))*))*))(?:[?]((?:(?:[;/?:\@&=+\$,a-zA-Z0-9\-_.!~*'()]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*)))?))?)};
 use constant {
    PE_IDPCHOICE                         => -5,