Append ContextSwitching unrestrictedUsers rule (#2207)
This commit is contained in:
parent
312445d543
commit
1113fab014
|
@ -271,14 +271,14 @@ sub check {
|
|||
}
|
||||
|
||||
# Check identities rule
|
||||
$self->logger->info("\"$user\" is an unrestricted user!") if $unUser;
|
||||
unless ( $unUser || $self->idRule->( $req, $attrs ) ) {
|
||||
$self->userLogger->warn(
|
||||
"checkUser requested for an unvalid user ($user)");
|
||||
$req->{sessionInfo} = {};
|
||||
$self->logger->debug('Identity not authorized');
|
||||
$req->error(PE_BADCREDENTIALS);
|
||||
$req->error(PE_BADCREDENTIALS); # Catch error to preserve protected Id
|
||||
}
|
||||
$self->logger->info("\"$user\" is an unrestricted user!") if $unUser;
|
||||
}
|
||||
|
||||
if ( $req->error ) {
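Review bot: The identities-rule exemption at `unless ( $unUser || $self->idRule->( $req, $attrs ) )` is recorded only through `$self->logger->info(...)`, while the rejection two lines below goes to `$self->userLogger`, so an operator auditing who was allowed to skip the identity check has nothing in the user log; the same pattern appears in the ContextSwitching `_switchContext` hunk and the Impersonation `_userData` hunk. Since skipping `idRule` is a security-relevant decision about `$user`, record it with the user logger as well, e.g. `$self->userLogger->notice("\"$user\" is an unrestricted user, identities rule skipped") if $unUser;`. Where `$unUser` is computed is outside the hunk, and `check` starts before it.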
|
||||
|
|
|
@ -14,7 +14,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
|||
PE_IMPERSONATION_SERVICE_NOT_ALLOWED
|
||||
);
|
||||
|
||||
our $VERSION = '2.0.8';
|
||||
our $VERSION = '2.0.9';
|
||||
|
||||
extends qw(
|
||||
Lemonldap::NG::Portal::Main::Plugin
|
||||
|
@ -36,6 +36,7 @@ has ott => (
|
|||
);
|
||||
has rule => ( is => 'rw', default => sub { 0 } );
|
||||
has idRule => ( is => 'rw', default => sub { 1 } );
|
||||
has unrestrictedUsersRule => ( is => 'rw', default => sub { 0 } );
|
||||
|
||||
sub init {
|
||||
my ($self) = @_;
|
||||
|
@ -59,6 +60,14 @@ sub init {
|
|||
);
|
||||
return 0 unless $self->idRule;
|
||||
|
||||
$self->unrestrictedUsersRule(
|
||||
$self->p->buildRule(
|
||||
$self->conf->{contextSwitchingUnrestrictedUsersRule},
|
||||
'contextSwitchingUnrestrictedUsers'
|
||||
)
|
||||
);
|
||||
return 0 unless $self->unrestrictedUsersRule;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -133,6 +142,7 @@ sub run {
|
|||
my $statut = PE_OK;
|
||||
my $realId = $req->{user};
|
||||
my $spoofId = $req->param('spoofId') || ''; # ContextSwitching required ?
|
||||
my $unUser = $self->unrestrictedUsersRule->( $req, $req->userData ) || 0;
|
||||
|
||||
# Check token
|
||||
if ( $self->ottRule->( $req, {} ) ) {
|
||||
|
@ -173,7 +183,7 @@ sub run {
|
|||
}
|
||||
|
||||
# Create spoofed session
|
||||
$req = $self->_switchContext( $req, $spoofId );
|
||||
$req = $self->_switchContext( $req, $spoofId, $unUser );
|
||||
$statut =
|
||||
( $req->error == PE_BADCREDENTIALS ? PE_MALFORMEDUSER : $req->error )
|
||||
if $req->error;
|
||||
|
@ -187,7 +197,7 @@ sub run {
|
|||
}
|
||||
|
||||
sub _switchContext {
|
||||
my ( $self, $req, $spoofId ) = @_;
|
||||
my ( $self, $req, $spoofId, $unUser ) = @_;
|
||||
my $realSessionId = $req->userData->{_session_id};
|
||||
my $realAuthLevel = $req->userData->{authenticationLevel};
|
||||
my $realId = $req->{user};
|
||||
|
@ -213,8 +223,9 @@ sub _switchContext {
|
|||
$raz = 1;
|
||||
}
|
||||
|
||||
# Check identity rule if ContextSwitching required
|
||||
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
|
||||
# Check identities rule if ContextSwitching required
|
||||
$self->logger->info("\"$realId\" is an unrestricted user!") if $unUser;
|
||||
unless ( $unUser || $self->idRule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->warn(
|
||||
'ContextSwitching requested for an unvalid user ('
|
||||
. $req->{user}
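Review bot: `has unrestrictedUsersRule => ( is => 'rw', default => sub { 0 } );` carries no documentation of what a true result grants, although in `run` the rule is evaluated against `$req->userData` (the real user's session) and its result is passed to `_switchContext`, where `unless ( $unUser || $self->idRule->( $req, $req->sessionInfo ) )` short-circuits so `idRule` is never evaluated for the spoofed identity. Add a comment on the attribute: `# Evaluated against the real user's session in run(); a true value exempts the spoofed identity from idRule. Default denies.`. In `init`, `return 0 unless $self->unrestrictedUsersRule;` mirrors the idRule handling above it, so a rule that fails to build disables the plugin; if `buildRule` does not itself log that failure, an explicit `$self->logger->error(...)` before the return would make the misconfiguration visible. `init`, `run` and `_switchContext` all extend beyond their hunks.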
|
||||
|
|
|
@ -131,7 +131,7 @@ sub run {
|
|||
if ( $req->error ) {
|
||||
$self->setSecurity($req);
|
||||
if ( $req->error == PE_BADCREDENTIALS ) {
|
||||
$statut = PE_BADCREDENTIALS;
|
||||
$statut = PE_BADCREDENTIALS; # Catch error to preserve protected Id
|
||||
}
|
||||
else {
|
||||
return $req->error;
|
||||
|
@ -200,9 +200,8 @@ sub run {
|
|||
sub _userData {
|
||||
my ( $self, $req, $spoofId, $realSession, $unUser ) = @_;
|
||||
my $realId = $req->{user};
|
||||
$self->logger->info("\"$realId\" is an unrestricted user!") if $unUser;
|
||||
$req->{user} = $spoofId;
|
||||
my $raz = 0;
|
||||
$req->{user} = $spoofId;
|
||||
|
||||
# Compute Macros and Groups with real and spoof sessions
|
||||
$req->sessionInfo($realSession);
|
||||
|
@ -224,8 +223,9 @@ sub _userData {
|
|||
$raz = 1;
|
||||
}
|
||||
|
||||
# Check identity rule if Impersonation required
|
||||
# Check identities rule if Impersonation required
|
||||
if ( $realId ne $spoofId ) {
|
||||
$self->logger->info("\"$realId\" is an unrestricted user!") if $unUser;
|
||||
unless ( $unUser || $self->idRule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->warn(
|
||||
'Impersonation requested for an unvalid user ('
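Review bot: `my ( $self, $req, $spoofId, $realSession, $unUser ) = @_;` adds the bypass flag as a fifth positional argument with no default, so a caller not updated to pass it leaves `$unUser` undef; that fails closed (`unless ( $unUser || $self->idRule->( $req, $req->sessionInfo ) )` still runs the rule) but silently, and the callers are not in view. Consider `$unUser //= 0;` after the unpack together with a comment such as `# true only when unrestrictedUsersRule matched the real user; exempts $spoofId from idRule` so the flag's meaning is stated where it is defined. The relocation of `$req->{user} = $spoofId;` below `my $raz = 0;` does not change behaviour as far as the visible lines show. `_userData` continues past the hunk.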
|
||||
|
|