Try to compute the correct value of SameSite by default (#2281)

Maxime Besson 2020-08-14 18:09:18 +02:00
parent 79d0a4c936
commit 26cd1945fb
6 changed files with 20 additions and 7 deletions


@ -274,7 +274,7 @@ sub defaultValues {
'rest2fActivation' => 0, 'rest2fActivation' => 0,
'restAuthnLevel' => 2, 'restAuthnLevel' => 2,
'restClockTolerance' => 15, 'restClockTolerance' => 15,
'sameSite' => 'None', 'sameSite' => '',
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' => 'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;', 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
'samlAuthnContextMapKerberos' => 4, 'samlAuthnContextMapKerberos' => 4,


@ -2917,8 +2917,12 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'type' => 'url' 'type' => 'url'
}, },
'sameSite' => { 'sameSite' => {
'default' => 'None', 'default' => '',
'select' => [ { 'select' => [ {
'k' => '',
'v' => ''
},
{
'k' => 'Strict', 'k' => 'Strict',
'v' => 'Strict' 'v' => 'Strict'
}, },


@ -32,10 +32,9 @@ sub perlExpr {
my $url_re = $RE{URI}{HTTP}{ -scheme => "https?" }; my $url_re = $RE{URI}{HTTP}{ -scheme => "https?" };
$url_re =~ s/(?<=[^\\])\$/\\\$/g; $url_re =~ s/(?<=[^\\])\$/\\\$/g;
my $url = qr/$url_re/; my $url = qr/$url_re/;
my $urlOrEmpty = qr/(?:^$|$url_re)/; my $urlOrEmpty = qr/(?:^$|$url_re)/;
sub types { sub types {
return { return {
@ -1155,11 +1154,12 @@ sub attributes {
sameSite => { sameSite => {
type => 'select', type => 'select',
select => [ select => [
{ k => '', v => '' },
{ k => 'Strict', v => 'Strict' }, { k => 'Strict', v => 'Strict' },
{ k => 'Lax', v => 'Lax' }, { k => 'Lax', v => 'Lax' },
{ k => 'None', v => 'None' }, { k => 'None', v => 'None' },
], ],
default => 'None', default => '',
documentation => 'Cookie SameSite value', documentation => 'Cookie SameSite value',
flags => 'hp', flags => 'hp',
}, },
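Review bot: The new select entry `{ k => '', v => '' }` in the second hunk has no visible label, and the `documentation` string still reads `Cookie SameSite value`, so neither the manager UI nor the attribute documentation says that an empty value means the SameSite policy is derived at runtime (the portal's reloadConf hands the configuration to getSameSite for that). Suggest `documentation => 'Cookie SameSite value (empty: computed automatically from the configuration)',` and, if the manager renders `v` as the option label, a non-empty label such as `{ k => '', v => 'Auto' },` — hedged, because the label rendering is not visible on this page. The first hunk of this section shows only context lines, so the line it removes cannot be recovered from the page. The `attributes` sub starts and ends outside the hunk.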

File diff suppressed because one or more lines are too long


@ -15,6 +15,7 @@ package Lemonldap::NG::Portal::Main;
use strict; use strict;
use Mouse; use Mouse;
use Regexp::Assemble; use Regexp::Assemble;
use Lemonldap::NG::Common::Util qw(getSameSite);
# PROPERTIES # PROPERTIES
@ -87,6 +88,9 @@ has csp => ( is => 'rw' );
# Cross-Origine Resource Sharing headers # Cross-Origine Resource Sharing headers
has cors => ( is => 'rw' ); has cors => ( is => 'rw' );
# Cookie SameSite value
has cookieSameSite => ( is => 'rw' );
# INITIALIZATION # INITIALIZATION
sub init { sub init {
@ -268,6 +272,11 @@ sub reloadConf {
} }
$self->conf->{domain} =~ s/^([^\.])/.$1/; $self->conf->{domain} =~ s/^([^\.])/.$1/;
# Initialize cookie SameSite value
$self->cookieSameSite( getSameSite( $self->conf ) );
$self->logger->debug(
"Cookies will use SameSite=" . $self->cookieSameSite );
# Load menu # Load menu
# --------- # ---------
$self->menu( $self->loadPlugin('::Main::Menu') ); $self->menu( $self->loadPlugin('::Main::Menu') );
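Review bot: The new debug line in reloadConf, `"Cookies will use SameSite=" . $self->cookieSameSite`, will raise an uninitialized-value warning if getSameSite returns undef; getSameSite is not visible here, so whether that can happen is unconfirmed, but `"Cookies will use SameSite=" . ( $self->cookieSameSite // '' )` keeps the log line safe either way. The attribute comment `# Cookie SameSite value` could state that the value is derived rather than configured, e.g. `# Cookie SameSite value, computed from the configuration by getSameSite at reloadConf`. Since the value is computed once per configuration reload and not per request, any change to the settings getSameSite reads only takes effect after reloadConf, and browsers discard `SameSite=None` cookies that lack the Secure attribute, so the computed value is only correct if getSameSite keeps None paired with the portal's secure-cookie setting — worth stating in that comment if it holds. reloadConf starts and ends outside the hunk.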


@ -790,7 +790,7 @@ sub cookie {
$h{HttpOnly} //= $self->conf->{httpOnly}; $h{HttpOnly} //= $self->conf->{httpOnly};
$h{max_age} //= $self->conf->{cookieExpiration} $h{max_age} //= $self->conf->{cookieExpiration}
if ( $self->conf->{cookieExpiration} ); if ( $self->conf->{cookieExpiration} );
$h{SameSite} ||= $self->conf->{sameSite}; $h{SameSite} ||= $self->cookieSameSite;
foreach (qw(domain path expires max_age HttpOnly SameSite)) { foreach (qw(domain path expires max_age HttpOnly SameSite)) {
my $f = $_; my $f = $_;