Merge branch '2655' into 'v2.0'

Impersonation is the last loaded plugin (#2655)

See merge request lemonldap-ng/lemonldap-ng!236

lemonldap-ng-portal/MANIFEST

@@ -274,6 +274,7 @@ site/htdocs/static/common/favicon.ico
 site/htdocs/static/common/fi.png
 site/htdocs/static/common/fonts/password.ttf
 site/htdocs/static/common/fr.png
+site/htdocs/static/common/he.png
 site/htdocs/static/common/icons/application_cascade.png
 site/htdocs/static/common/icons/arrow_refresh.png
 site/htdocs/static/common/icons/calendar.png
@@ -380,6 +381,7 @@ site/htdocs/static/languages/en.json
 site/htdocs/static/languages/es.json
 site/htdocs/static/languages/fi.json
 site/htdocs/static/languages/fr.json
+site/htdocs/static/languages/he.json
 site/htdocs/static/languages/it.json
 site/htdocs/static/languages/nl.json
 site/htdocs/static/languages/pl.json
@@ -735,6 +737,7 @@ t/68-FindUser-with-UpgradeSession.t
 t/68-FindUser-without-attribute.t
 t/68-FindUser-without-Impersonation.t
 t/68-Impersonation-with-2F.t
+t/68-Impersonation-with-Custom-Plugin.t
 t/68-Impersonation-with-doubleCookies.t
 t/68-Impersonation-with-filtered-merge.t
 t/68-Impersonation-with-History.t
@@ -780,6 +783,7 @@ t/91-Handler-cache-cleaned.t
 t/91-Memory-Leak.t
 t/99-Dont-load-Dumper.t
 t/99-pod.t
+t/AfterDataCustomPlugin.pm
 t/CasHookPlugin.pm
 t/gpghome/key.asc
 t/gpghome/openpgp-revocs.d/9482CEFB055809CBAFE6D71AAB2D5542891D1677.rev

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm

@@ -2,7 +2,7 @@
 # into "plugins" list in lemonldap-ng.ini, section "portal"
 package Lemonldap::NG::Portal::Main::Plugins;
 
-our $VERSION = '2.0.12';
+our $VERSION = '2.0.14';
 
 package Lemonldap::NG::Portal::Main;
 
@@ -29,16 +29,15 @@ our @pList = (
     portalForceAuthn                    => '::Plugins::ForceAuthn',
     checkUser                           => '::Plugins::CheckUser',
     checkDevOps                         => '::Plugins::CheckDevOps',
-    impersonationRule                   => '::Plugins::Impersonation',
     contextSwitchingRule                => '::Plugins::ContextSwitching',
     decryptValueRule                    => '::Plugins::DecryptValue',
     findUser                            => '::Plugins::FindUser',
     newLocationWarning                  => '::Plugins::NewLocationWarning',
-    adaptativeAuthenticationLevelRules  =>
+    adaptativeAuthenticationLevelRules =>
       '::Plugins::AdaptativeAuthenticationLevel',
-    globalLogoutRule => '::Plugins::GlobalLogout',
     refreshSessions  => '::Plugins::Refresh',
     crowdsec         => '::Plugins::CrowdSec',
+    globalLogoutRule => '::Plugins::GlobalLogout',
 );
 
 ##@method list enabledPlugins
@@ -82,7 +81,7 @@ sub enabledPlugins {
       if ( $conf->{soapSessionServer}
         or $conf->{soapConfigServer} );
 
-    # Add REST (check is done by it)
+    # Add REST (check is done by plugin itself)
     push @res, '::Plugins::RESTServer';
 
     # Check if password is enabled
@@ -99,7 +98,14 @@ sub enabledPlugins {
         $self->logger->debug( 'Custom plugins: ' . $conf->{customPlugins} );
         push @res, grep ( /\w+/, split( /,\s*/, $conf->{customPlugins} ) );
     }
-    
+
+    # Impersonation overwrites req->step and pops 'afterData' EP.
+    # Static and custom 'afterData' plugins will be never launched
+    # if they are loaded after Impersonation.
+    # This plugin must be the last 'afterData' loaded plugin. Fix #2655
+    push @res, '::Plugins::Impersonation'
+      if $conf->{impersonationRule};
+
     return @res;
 }
 

lemonldap-ng-portal/t/68-Impersonation-with-Custom-Plugin.t

@@ -0,0 +1,57 @@
+use Test::More;
+use strict;
+use IO::String;
+use JSON;
+use Lemonldap::NG::Portal::Main::Constants qw(PE_BADCREDENTIALS);
+
+require 't/test-lib.pm';
+
+my $res;
+my $client = LLNG::Manager::Test->new( {
+        ini => {
+            logLevel            => 'error',
+            passwordDB          => 'Demo',
+            impersonationRule   => 1,
+            customPlugins       => 't::AfterDataCustomPlugin',
+            customPluginsParams => { uid => 'rtyler' }
+        }
+    }
+);
+
+ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu' );
+count(1);
+my ( $host, $url, $query ) =
+  expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
+
+# Try to authenticate
+# -------------------
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new('user=dwho&password=dwho'),
+        length => 23
+    ),
+    'Auth query'
+);
+count(1);
+expectOK($res);
+my $id = expectCookie($res);
+$client->logout($id);
+
+# Try to authenticate
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new('user=rtyler&password=rtyler'),
+        length => 27
+    ),
+    'Auth query'
+);
+eval { $res = JSON::from_json( $res->[2]->[0] ) };
+ok( not($@), 'Content is JSON' )
+  or explain( $res->[2]->[0], 'JSON content' );
+ok( $res->{error} == PE_BADCREDENTIALS, 'BAD CREDENTIALS' );
+count(3);
+
+clean_sessions();
+done_testing( count() );

lemonldap-ng-portal/t/AfterDataCustomPlugin.pm

@@ -0,0 +1,23 @@
+package t::AfterDataCustomPlugin;
+
+use strict;
+use Mouse;
+use Lemonldap::NG::Portal::Main::Constants qw(
+  PE_OK
+  PE_BADCREDENTIALS
+);
+
+extends 'Lemonldap::NG::Portal::Main::Plugin';
+
+use constant afterData => 'BadCredentials';
+
+sub BadCredentials {
+    my ( $self, $req ) = @_;
+    my $uid = $self->conf->{customPluginsParams}->{uid};
+    $self->logger->debug("user=" . $req->user());
+    $self->logger->debug("Bad credentials required for: $uid");
+    
+    return $req->user() eq $uid ? PE_BADCREDENTIALS : PE_OK;
+}
+
+1;