Christophe Maudoux
parent
0f659feda4
commit
1a73f7ab7f
|
|
@ -36,6 +36,7 @@ sub defaultValues {
|
||||||
'http://auth.example.com/certificateReset',
|
'http://auth.example.com/certificateReset',
|
||||||
'certificateResetByMailValidityDelay' => 0,
|
'certificateResetByMailValidityDelay' => 0,
|
||||||
'checkTime' => 600,
|
'checkTime' => 600,
|
||||||
|
'checkUserDisplayComputedSession' => 1,
|
||||||
'checkUserDisplayEmptyHeaders' => 0,
|
'checkUserDisplayEmptyHeaders' => 0,
|
||||||
'checkUserDisplayEmptyValues' => 0,
|
'checkUserDisplayEmptyValues' => 0,
|
||||||
'checkUserDisplayPersistentInfo' => 0,
|
'checkUserDisplayPersistentInfo' => 0,
|
||||||
|
|
|
||||||
|
|
@ -852,6 +852,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
||||||
'default' => 0,
|
'default' => 0,
|
||||||
'type' => 'bool'
|
'type' => 'bool'
|
||||||
},
|
},
|
||||||
|
'checkUserDisplayComputedSession' => {
|
||||||
|
'default' => 1,
|
||||||
|
'type' => 'boolOrExpr'
|
||||||
|
},
|
||||||
'checkUserDisplayEmptyHeaders' => {
|
'checkUserDisplayEmptyHeaders' => {
|
||||||
'default' => 0,
|
'default' => 0,
|
||||||
'type' => 'boolOrExpr'
|
'type' => 'boolOrExpr'
|
||||||
|
|
|
||||||
|
|
@ -491,6 +491,12 @@ sub attributes {
|
||||||
documentation => 'Display empty headers rule',
|
documentation => 'Display empty headers rule',
|
||||||
flags => 'p',
|
flags => 'p',
|
||||||
},
|
},
|
||||||
|
checkUserDisplayComputedSession => {
|
||||||
|
default => 1,
|
||||||
|
type => 'boolOrExpr',
|
||||||
|
documentation => 'Display empty headers rule',
|
||||||
|
flags => 'p',
|
||||||
|
},
|
||||||
globalLogoutRule => {
|
globalLogoutRule => {
|
||||||
type => 'boolOrExpr',
|
type => 'boolOrExpr',
|
||||||
default => 0,
|
default => 0,
|
||||||
|
|
|
||||||
|
|
@ -796,6 +796,7 @@ sub tree {
|
||||||
'checkUserUnrestrictedUsersRule',
|
'checkUserUnrestrictedUsersRule',
|
||||||
'checkUserHiddenAttributes',
|
'checkUserHiddenAttributes',
|
||||||
'checkUserSearchAttributes',
|
'checkUserSearchAttributes',
|
||||||
|
'checkUserDisplayComputedSession',
|
||||||
'checkUserDisplayEmptyHeaders',
|
'checkUserDisplayEmptyHeaders',
|
||||||
'checkUserDisplayEmptyValues',
|
'checkUserDisplayEmptyValues',
|
||||||
'checkUserDisplayPersistentInfo',
|
'checkUserDisplayPersistentInfo',
|
||||||
|
|
|
||||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
|
@ -4,12 +4,12 @@ use strict;
|
||||||
use Mouse;
|
use Mouse;
|
||||||
use Lemonldap::NG::Portal::Main::Constants qw(
|
use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
PE_BADCREDENTIALS
|
PE_BADCREDENTIALS
|
||||||
|
PE_MALFORMEDUSER
|
||||||
PE_TOKENEXPIRED
|
PE_TOKENEXPIRED
|
||||||
PE_NOTOKEN
|
PE_NOTOKEN
|
||||||
PE_MALFORMEDUSER
|
|
||||||
);
|
);
|
||||||
|
|
||||||
our $VERSION = '2.0.9';
|
our $VERSION = '2.0.10';
|
||||||
|
|
||||||
extends qw(
|
extends qw(
|
||||||
Lemonldap::NG::Portal::Main::Plugin
|
Lemonldap::NG::Portal::Main::Plugin
|
||||||
|
|
@ -29,13 +29,14 @@ has ott => (
|
||||||
return $ott;
|
return $ott;
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
has idRule => ( is => 'rw', default => sub { 1 } );
|
has idRule => ( is => 'rw', default => sub { 1 } );
|
||||||
has displayEmptyValuesRule => ( is => 'rw', default => sub { 0 } );
|
has displayEmptyValuesRule => ( is => 'rw', default => sub { 0 } );
|
||||||
has displayEmptyHeadersRule => ( is => 'rw', default => sub { 0 } );
|
has displayEmptyHeadersRule => ( is => 'rw', default => sub { 0 } );
|
||||||
has displayPersistentInfoRule => ( is => 'rw', default => sub { 0 } );
|
has displayPersistentInfoRule => ( is => 'rw', default => sub { 0 } );
|
||||||
has unrestrictedUsersRule => ( is => 'rw', default => sub { 0 } );
|
has displayComputedSessionRule => ( is => 'rw', default => sub { 0 } );
|
||||||
has sorted => ( is => 'rw', default => sub { 0 } );
|
has unrestrictedUsersRule => ( is => 'rw', default => sub { 0 } );
|
||||||
has merged => ( is => 'rw', default => '' );
|
has sorted => ( is => 'rw', default => sub { 0 } );
|
||||||
|
has merged => ( is => 'rw', default => '' );
|
||||||
|
|
||||||
sub hAttr {
|
sub hAttr {
|
||||||
$_[0]->{conf}->{checkUserHiddenAttributes} . ' '
|
$_[0]->{conf}->{checkUserHiddenAttributes} . ' '
|
||||||
|
|
@ -49,7 +50,7 @@ sub persistentAttrs {
|
||||||
|
|
||||||
sub init {
|
sub init {
|
||||||
my ($self) = @_;
|
my ($self) = @_;
|
||||||
$self->addAuthRoute( checkuser => 'check', ['POST'] );
|
$self->addAuthRoute( checkuser => 'check', ['POST'] );
|
||||||
$self->addAuthRouteWithRedirect( checkuser => 'display', ['GET'] );
|
$self->addAuthRouteWithRedirect( checkuser => 'display', ['GET'] );
|
||||||
|
|
||||||
# Parse checkUser rules
|
# Parse checkUser rules
|
||||||
|
|
@ -84,11 +85,19 @@ sub init {
|
||||||
$self->unrestrictedUsersRule(
|
$self->unrestrictedUsersRule(
|
||||||
$self->p->buildRule(
|
$self->p->buildRule(
|
||||||
$self->conf->{checkUserUnrestrictedUsersRule},
|
$self->conf->{checkUserUnrestrictedUsersRule},
|
||||||
'checkUserUnrestrictedUsers'
|
'checkUserUnrestrictedUsersRule'
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
return 0 unless $self->unrestrictedUsersRule;
|
return 0 unless $self->unrestrictedUsersRule;
|
||||||
|
|
||||||
|
$self->displayComputedSessionRule(
|
||||||
|
$self->p->buildRule(
|
||||||
|
$self->conf->{checkUserDisplayComputedSession},
|
||||||
|
'checkUserdisplayComputedSession'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
return 0 unless $self->displayComputedSessionRule;
|
||||||
|
|
||||||
# Init. other options
|
# Init. other options
|
||||||
$self->sorted( $self->conf->{impersonationRule}
|
$self->sorted( $self->conf->{impersonationRule}
|
||||||
|| $self->conf->{contextSwitchingRule} );
|
|| $self->conf->{contextSwitchingRule} );
|
||||||
|
|
@ -100,13 +109,12 @@ sub init {
|
||||||
|
|
||||||
# RUNNING METHOD
|
# RUNNING METHOD
|
||||||
sub display {
|
sub display {
|
||||||
my ( $self, $req ) = @_;
|
my ( $self, $req ) = @_;
|
||||||
my ( $attrs, $array_attrs ) = ( {}, [] );
|
my ( $attrs, $array_attrs ) = ( $req->userData, [] );
|
||||||
|
|
||||||
$self->logger->debug("Display current session data...");
|
$self->logger->debug("Display current session data...");
|
||||||
$self->userLogger->info("Using spoofed SSO groups if exist")
|
$self->userLogger->info("Using spoofed SSO groups if exist")
|
||||||
if ( $self->conf->{impersonationRule} );
|
if ( $self->conf->{impersonationRule} );
|
||||||
$attrs = $req->userData;
|
|
||||||
|
|
||||||
$attrs = $self->_removePersistentAttributes($attrs)
|
$attrs = $self->_removePersistentAttributes($attrs)
|
||||||
unless $self->displayPersistentInfoRule->( $req, $req->userData );
|
unless $self->displayPersistentInfoRule->( $req, $req->userData );
|
||||||
|
|
@ -160,8 +168,9 @@ sub display {
|
||||||
sub check {
|
sub check {
|
||||||
my ( $self, $req ) = @_;
|
my ( $self, $req ) = @_;
|
||||||
my ( $attrs, $array_attrs, $array_hdrs ) = ( {}, [], [] );
|
my ( $attrs, $array_attrs, $array_hdrs ) = ( {}, [], [] );
|
||||||
my $msg = my $auth = my $compute = '';
|
my $msg = my $auth = my $computed = '';
|
||||||
my $unUser = $self->unrestrictedUsersRule->( $req, $req->userData ) || 0;
|
my $savedUserData = $req->userData;
|
||||||
|
my $unUser = $self->unrestrictedUsersRule->( $req, $savedUserData ) || 0;
|
||||||
|
|
||||||
# Check token
|
# Check token
|
||||||
if ( $self->ottRule->( $req, {} ) ) {
|
if ( $self->ottRule->( $req, {} ) ) {
|
||||||
|
|
@ -266,8 +275,8 @@ sub check {
|
||||||
$req->{user} = $user;
|
$req->{user} = $user;
|
||||||
$self->userLogger->info(
|
$self->userLogger->info(
|
||||||
"No session found in DB. Compute userData...");
|
"No session found in DB. Compute userData...");
|
||||||
$attrs = $self->_userData($req);
|
$attrs = $self->_userData($req);
|
||||||
$compute = 1;
|
$computed = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Check identities rule
|
# Check identities rule
|
||||||
|
|
@ -290,34 +299,42 @@ sub check {
|
||||||
else {
|
else {
|
||||||
$msg = 'checkUser' . $self->merged;
|
$msg = 'checkUser' . $self->merged;
|
||||||
$attrs = $self->_removePersistentAttributes($attrs)
|
$attrs = $self->_removePersistentAttributes($attrs)
|
||||||
unless $self->displayPersistentInfoRule->( $req, $req->userData );
|
unless $self->displayPersistentInfoRule->( $req, $savedUserData );
|
||||||
|
|
||||||
if ($compute) {
|
if ($computed) {
|
||||||
$msg = 'checkUserComputeSession';
|
if ( $self->displayComputedSessionRule->( $req, $savedUserData ) ) {
|
||||||
if ( $self->conf->{impersonationRule} ) {
|
$msg = 'checkUserComputedSession';
|
||||||
$self->logger->debug("Map real attributes...");
|
if ( $self->conf->{impersonationRule} ) {
|
||||||
my %realAttrs = map {
|
$self->logger->debug("Map real attributes...");
|
||||||
( "$self->{conf}->{impersonationPrefix}$_" => $attrs->{$_} )
|
my %realAttrs = map {
|
||||||
} keys %$attrs;
|
( "$self->{conf}->{impersonationPrefix}$_" =>
|
||||||
$attrs = { %$attrs, %realAttrs };
|
$attrs->{$_} )
|
||||||
|
} keys %$attrs;
|
||||||
|
$attrs = { %$attrs, %realAttrs };
|
||||||
|
|
||||||
# Compute groups and macros with real and spoofed attributes
|
# Compute groups and macros with real and spoofed attributes
|
||||||
$self->logger->debug(
|
$self->logger->debug(
|
||||||
"Compute groups and macros with real and spoofed attributes"
|
"Compute groups and macros with real and spoofed attributes"
|
||||||
);
|
);
|
||||||
$req->sessionInfo($attrs);
|
$req->sessionInfo($attrs);
|
||||||
delete $req->sessionInfo->{groups};
|
delete $req->sessionInfo->{groups};
|
||||||
$req->steps( [ $self->p->groupsAndMacros, 'setLocalGroups' ] );
|
$req->steps(
|
||||||
if ( my $error = $self->p->process($req) ) {
|
[ $self->p->groupsAndMacros, 'setLocalGroups' ] );
|
||||||
$self->logger->debug("Process returned error: $error");
|
if ( my $error = $self->p->process($req) ) {
|
||||||
return $req->error($error);
|
$self->logger->debug("Process returned error: $error");
|
||||||
|
return $req->error($error);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
$attrs = {};
|
||||||
|
$msg = 'checkUserNoSessionFound';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Create an array of hashes for template loop
|
# Create an array of hashes for template loop
|
||||||
$self->logger->debug("Delete hidden or empty attributes");
|
$self->logger->debug("Delete hidden or empty attributes");
|
||||||
if ( $self->displayEmptyValuesRule->( $req, $req->userData ) ) {
|
if ( $self->displayEmptyValuesRule->( $req, $savedUserData ) ) {
|
||||||
foreach my $k ( sort keys %$attrs ) {
|
foreach my $k ( sort keys %$attrs ) {
|
||||||
|
|
||||||
# Ignore hidden attributes
|
# Ignore hidden attributes
|
||||||
|
|
@ -356,7 +373,7 @@ sub check {
|
||||||
. "$auth to access to $url" );
|
. "$auth to access to $url" );
|
||||||
|
|
||||||
# Return VirtualHost headers
|
# Return VirtualHost headers
|
||||||
$array_hdrs = $self->_headers( $req, $url, $attrs );
|
$array_hdrs = $self->_headers( $req, $url, $attrs, $savedUserData );
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$auth = 'VHnotFound';
|
$auth = 'VHnotFound';
|
||||||
|
|
@ -446,7 +463,8 @@ sub _userData {
|
||||||
$req->sessionInfo->{authenticationLevel} = $realAuthLevel;
|
$req->sessionInfo->{authenticationLevel} = $realAuthLevel;
|
||||||
delete $req->sessionInfo->{groups};
|
delete $req->sessionInfo->{groups};
|
||||||
|
|
||||||
$req->steps( [ 'setSessionInfo', $self->p->groupsAndMacros, 'setLocalGroups' ] );
|
$req->steps(
|
||||||
|
[ 'setSessionInfo', $self->p->groupsAndMacros, 'setLocalGroups' ] );
|
||||||
if ( my $error = $self->p->process($req) ) {
|
if ( my $error = $self->p->process($req) ) {
|
||||||
$self->logger->debug("CheckUser: Process returned error: $error");
|
$self->logger->debug("CheckUser: Process returned error: $error");
|
||||||
return $req->error($error);
|
return $req->error($error);
|
||||||
|
|
@ -479,7 +497,7 @@ sub _authorization {
|
||||||
}
|
}
|
||||||
|
|
||||||
sub _headers {
|
sub _headers {
|
||||||
my ( $self, $req, $uri, $attrs ) = @_;
|
my ( $self, $req, $uri, $attrs, $savedUserData ) = @_;
|
||||||
my ($vhost) = $uri =~ m#^https?://([^/]*).*#;
|
my ($vhost) = $uri =~ m#^https?://([^/]*).*#;
|
||||||
|
|
||||||
$vhost =~ s/:\d+$//;
|
$vhost =~ s/:\d+$//;
|
||||||
|
|
@ -488,7 +506,7 @@ sub _headers {
|
||||||
$self->logger->debug(
|
$self->logger->debug(
|
||||||
"Return \"$attrs->{ $self->{conf}->{whatToTrace} }\" headers");
|
"Return \"$attrs->{ $self->{conf}->{whatToTrace} }\" headers");
|
||||||
return $self->p->HANDLER->checkHeaders( $req, $attrs )
|
return $self->p->HANDLER->checkHeaders( $req, $attrs )
|
||||||
if ( $self->displayEmptyHeadersRule->( $req, $req->userData ) );
|
if ( $self->displayEmptyHeadersRule->( $req, $savedUserData ) );
|
||||||
|
|
||||||
$self->logger->debug("Remove empty headers");
|
$self->logger->debug("Remove empty headers");
|
||||||
my @headers = grep $_->{value} =~ /.+/,
|
my @headers = grep $_->{value} =~ /.+/,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user