Append redirection params (#2685)

Christophe Maudoux 2022-01-12 14:34:05 +01:00 committed by Yadd
parent 56460d1d5b
commit 2b6c478f41
3 changed files with 58 additions and 2 deletions


@ -86,7 +86,11 @@ request authorization from a central FastCGI server:
# Keep original request (LLNG server will received /lmauth)
fastcgi_param X_ORIGINAL_URI $original_uri;
# Set dynamically rules (LLNG will poll it every 10 mn)
# Set redirection params
fastcgi_param HTTPS_REDIRECT "$https";
fastcgi_param PORT_REDIRECT $server_port;
# Set dynamically rules (LL::NG will poll it every 10 mn)
fastcgi_param RULES_URL http://rulesserver/my.json;
}
location /rules.json {
@ -138,6 +142,8 @@ FastCGI" configuration.
# used to make the authentication decision about this virtualhost
# Make sure the central FastCGI server can reach it
PerlSetVar RULES_URL http://app.tld/rules.json
PerlSetVar HTTPS_REDIRECT HTTPS
PerlSetVar PORT_REDIRECT SERVER_PORT
...
</VirtualHost>
@ -158,6 +164,8 @@ you can protect also an Express server. Example:
port: 9090,
PARAMS: {
RULES_URL: 'http://my-server/rules.json'
HTTPS_REDIRECT: 'ON',
PORT_REDIRECT: '443'
}
});
@ -204,6 +212,8 @@ Simple example:
port => '9090',
fcgi_auth_params => {
RULES_URL => 'https://my-server/my.json',
HTTPS_REDIRECT => 'ON',
PORT_REDIRECT => 443
},
# Optional rejection subroutine
#on_reject => \&on_reject;
@ -229,6 +239,7 @@ directory.
.. code-block:: nginx
server {
listen <port>;
server_name "~^(?<vhost>.+?)\.dev\.sso\.my\.domain$";
location = /lmauth {
internal;
@ -243,6 +254,9 @@ directory.
fastcgi_param HOST $http_host;
# Keep original request (LL::NG server will received /lmauth)
fastcgi_param X_ORIGINAL_URI $original_uri;
# Set redirection params
fastcgi_param HTTPS_REDIRECT "$https";
fastcgi_param PORT_REDIRECT $server_port;
}
location /rules.json {
auth_request off;


@ -94,6 +94,10 @@ q"I refuse to compile 'rules.json' when useSafeJail isn't activated! Yes I know,
$class->locationRulesInit( undef, { $vhost => $json->{rules} } );
$class->headersInit( undef, { $vhost => $json->{headers} } );
$class->tsv->{lastVhostUpdate}->{$vhost} = time;
$class->tsv->{https}->{$vhost} = uc $req->env->{HTTPS_REDIRECT} eq 'ON'
if exists $req->env->{HTTPS_REDIRECT};
$class->tsv->{port}->{$vhost} = $req->env->{PORT_REDIRECT}
if exists $req->env->{PORT_REDIRECT};
return;
}
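Review bot: `PORT_REDIRECT` is copied from `$req->env` into the per-vhost `tsv->{port}` entry with no format check, in the added statements just before `return;`. The test added in this commit shows that value appearing in the redirect URL sent to the portal (`https://test3.example.com:8443/`), so a non-numeric or out-of-range value from a misconfigured front end would be cached and reused for that vhost, apparently until the rules are next reloaded. I would store it only when it is a plain port number, for example by changing the guard to `if ( $req->env->{PORT_REDIRECT} // '' ) =~ /\A[0-9]{1,5}\z/;`, and log a warning otherwise. Both assignments are guarded by `exists`, so a reload in which the parameter is no longer sent keeps the earlier value; a comment such as `# Redirection params are only updated when present; a missing param keeps the cached value` would make that explicit. The enclosing sub starts outside the hunk, so whether these lines run only after a successful rules download cannot be confirmed from here.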


@ -11,9 +11,11 @@ BEGIN {
init(
'Lemonldap::NG::Handler::Server',
{
#logLevel => 'debug',
logLevel => 'debug',
vhostOptions => {
'test3.example.com' => {
vhostHttps => 0,
vhostPort => 80,
vhostDevOpsRulesUrl =>
'http://donotuse.example.com/myfile.json',
},
@ -23,6 +25,42 @@ init(
my $res;
# Unauthorized queries
ok(
$res = $client->_get(
'/', undef,
'test3.example.com', undef,
VHOSTTYPE => 'DevOps',
RULES_URL => 'http://devops.example.com/file.json'
),
'Unauthorized query'
);
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
${ $res->[1] }[1] =~ m#http://auth\.example\.com/\?url=(.+?)%#;
ok( decode_base64 $1 eq 'http://test3.example.com/', 'Redirect URL found' )
or explain( decode_base64 $1, 'http://test3.example.com/' );
count(3);
Time::Fake->offset("+700s");
ok(
$res = $client->_get(
'/', undef,
'test3.example.com', undef,
HTTPS_REDIRECT => 'on',
PORT_REDIRECT => 8443,
VHOSTTYPE => 'DevOps',
RULES_URL => 'http://devops.example.com/file.json'
),
'Unauthorized query 2'
);
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
${ $res->[1] }[1] =~ m#http://auth\.example\.com/\?url=(.+?)%#;
ok( decode_base64 $1 eq 'https://test3.example.com:8443/',
'Redirect URL found' )
or explain( decode_base64 $1, 'https://test3.example.com:8443/' );
count(3);
# Authorized queries
ok(
$res = $client->_get(