From 2b6c478f414f7ffda036eee3058139f3caad2267 Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Wed, 12 Jan 2022 14:34:05 +0100
Subject: [PATCH] Append redirection params (#2685)
---
 doc/sources/admin/ssoaas.rst | 16 +++++++-
 .../lib/Lemonldap/NG/Handler/Lib/DevOps.pm | 4 ++
 ...onldap-NG-Handler-PSGI-DevOps-with-param.t | 40 ++++++++++++++++++-
 3 files changed, 58 insertions(+), 2 deletions(-)
diff --git a/doc/sources/admin/ssoaas.rst b/doc/sources/admin/ssoaas.rst
index ffee54281..e30c6850b 100644
--- a/doc/sources/admin/ssoaas.rst
+++ b/doc/sources/admin/ssoaas.rst
@@ -86,7 +86,11 @@ request authorization from a central FastCGI server:
 # Keep original request (LLNG server will received /lmauth)
 fastcgi_param X_ORIGINAL_URI $original_uri;
- # Set dynamically rules (LLNG will poll it every 10 mn)
+ # Set redirection params
+ fastcgi_param HTTPS_REDIRECT "$https";
+ fastcgi_param PORT_REDIRECT $server_port;
+
+ # Set dynamically rules (LL::NG will poll it every 10 mn)
 fastcgi_param RULES_URL http://rulesserver/my.json;
 }
 location /rules.json {
@@ -138,6 +142,8 @@ FastCGI" configuration.
 # used to make the authentication decision about this virtualhost
 # Make sure the central FastCGI server can reach it
 PerlSetVar RULES_URL http://app.tld/rules.json
+ PerlSetVar HTTPS_REDIRECT HTTPS
+ PerlSetVar PORT_REDIRECT SERVER_PORT
 ...
@@ -158,6 +164,8 @@ you can protect also an Express server. Example:
 port: 9090,
 PARAMS: {
 RULES_URL: 'http://my-server/rules.json'
+ HTTPS_REDIRECT: 'ON',
+ PORT_REDIRECT: '443'
 }
 });
@@ -204,6 +212,8 @@ Simple example:
 port => '9090',
 fcgi_auth_params => {
 RULES_URL => 'https://my-server/my.json',
+ HTTPS_REDIRECT => 'ON',
+ PORT_REDIRECT => 443
 },
 # Optional rejection subroutine
 #on_reject => \&on_reject;
@@ -229,6 +239,7 @@ directory.
 .. code-block:: nginx
 server {
+ listen ;
 server_name "~^(?.+?)\.dev\.sso\.my\.domain$";
 location = /lmauth {
 internal;
@@ -243,6 +254,9 @@ directory.
 fastcgi_param HOST $http_host;
 # Keep original request (LL::NG server will received /lmauth)
 fastcgi_param X_ORIGINAL_URI $original_uri;
+ # Set redirection params
+ fastcgi_param HTTPS_REDIRECT "$https";
+ fastcgi_param PORT_REDIRECT $server_port;
 }
 location /rules.json {
 auth_request off;
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
index 5fa0943f1..25d6ae506 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
@@ -94,6 +94,10 @@ q"I refuse to compile 'rules.json' when useSafeJail isn't activated! Yes I know,
 $class->locationRulesInit( undef, { $vhost => $json->{rules} } );
 $class->headersInit( undef, { $vhost => $json->{headers} } );
 $class->tsv->{lastVhostUpdate}->{$vhost} = time;
+ $class->tsv->{https}->{$vhost} = uc $req->env->{HTTPS_REDIRECT} eq 'ON'
+ if exists $req->env->{HTTPS_REDIRECT};
+ $class->tsv->{port}->{$vhost} = $req->env->{PORT_REDIRECT}
+ if exists $req->env->{PORT_REDIRECT};
 return;
 }
diff --git a/lemonldap-ng-handler/t/64-Lemonldap-NG-Handler-PSGI-DevOps-with-param.t b/lemonldap-ng-handler/t/64-Lemonldap-NG-Handler-PSGI-DevOps-with-param.t
index 53f6da7ff..e866b37d7 100644
--- a/lemonldap-ng-handler/t/64-Lemonldap-NG-Handler-PSGI-DevOps-with-param.t
+++ b/lemonldap-ng-handler/t/64-Lemonldap-NG-Handler-PSGI-DevOps-with-param.t
@@ -11,9 +11,11 @@ BEGIN {
 init(
 'Lemonldap::NG::Handler::Server',
 {
- #logLevel => 'debug',
+ logLevel => 'debug',
 vhostOptions => {
 'test3.example.com' => {
+ vhostHttps => 0,
+ vhostPort => 80,
 vhostDevOpsRulesUrl => 'http://donotuse.example.com/myfile.json',
 },
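Review bot: `PORT_REDIRECT` is copied into `$class->tsv->{port}->{$vhost}` with no validation, and since the test hunk shows that value ending up in the redirect URL (`https://test3.example.com:8443/`), a non-numeric or out-of-range value from a mistyped `fastcgi_param`/`PerlSetVar` silently yields a malformed redirect instead of a logged configuration error. I would accept only a plausible port, `if $req->env->{PORT_REDIRECT} =~ /\A\d{1,5}\z/`, and log the rejected value otherwise. `uc $req->env->{HTTPS_REDIRECT} eq 'ON'` parses as intended only because `uc` is a named unary operator that binds tighter than `eq`; writing it as `( uc( $req->env->{HTTPS_REDIRECT} ) eq 'ON' )` spares the reader the precedence check. Both values appear to be captured only when the rules are (re)loaded, alongside `lastVhostUpdate` (the test needs `Time::Fake->offset("+700s")` for them to be picked up), so a changed parameter takes effect at the next poll rather than the next request and a removed one leaves the previously stored value in place; if that is intended, a comment saying so would help. The enclosing subroutine begins outside the hunk.
```perl
    $class->tsv->{lastVhostUpdate}->{$vhost} = time;
    if ( exists $req->env->{HTTPS_REDIRECT} ) {
        $class->tsv->{https}->{$vhost} =
          ( uc( $req->env->{HTTPS_REDIRECT} ) eq 'ON' ) ? 1 : 0;
    }
    if ( exists $req->env->{PORT_REDIRECT} ) {
        my $port = $req->env->{PORT_REDIRECT};

        # Only a plausible TCP port may be copied into the redirect URL
        if ( $port =~ /\A\d{1,5}\z/ and $port >= 1 and $port <= 65535 ) {
            $class->tsv->{port}->{$vhost} = $port;
        }
        else {
            $class->logger->warn(
                "Ignoring invalid PORT_REDIRECT value for $vhost");
        }
    }
    # … unchanged: return …
```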
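Review bot: `logLevel => 'debug'` is now active in the test configuration (`- #logLevel => 'debug',` / `+ logLevel => 'debug',`), which looks like a debugging leftover rather than part of the feature and makes this test emit full debug output on every run. Restore the commented form, `#logLevel => 'debug',`, unless the verbose output is deliberately wanted. The added `vhostHttps => 0` and `vhostPort => 80` give the first redirect assertion in the next hunk a deterministic baseline, which is what it relies on. The `init(` call continues outside the hunk.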
@@ -23,6 +25,42 @@ init(
 my $res;
+# Unauthorized queries
+ok(
+ $res = $client->_get(
+ '/', undef,
+ 'test3.example.com', undef,
+ VHOSTTYPE => 'DevOps',
+ RULES_URL => 'http://devops.example.com/file.json'
+ ),
+ 'Unauthorized query'
+);
+ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
+${ $res->[1] }[1] =~ m#http://auth\.example\.com/\?url=(.+?)%#;
+ok( decode_base64 $1 eq 'http://test3.example.com/', 'Redirect URL found' )
+ or explain( decode_base64 $1, 'http://test3.example.com/' );
+count(3);
+
+Time::Fake->offset("+700s");
+
+ok(
+ $res = $client->_get(
+ '/', undef,
+ 'test3.example.com', undef,
+ HTTPS_REDIRECT => 'on',
+ PORT_REDIRECT => 8443,
+ VHOSTTYPE => 'DevOps',
+ RULES_URL => 'http://devops.example.com/file.json'
+ ),
+ 'Unauthorized query 2'
+);
+ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
+${ $res->[1] }[1] =~ m#http://auth\.example\.com/\?url=(.+?)%#;
+ok( decode_base64 $1 eq 'https://test3.example.com:8443/',
+ 'Redirect URL found' )
+ or explain( decode_base64 $1, 'https://test3.example.com:8443/' );
+count(3);
+
 # Authorized queries
 ok(
 $res = $client->_get(
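Review bot: The match `${ $res->[1] }[1] =~ m#http://auth\.example\.com/\?url=(.+?)%#;` is never checked, so when the Location header does not match, `$1` is undef (or still holds a capture from an earlier match) and the failure is reported as a base64 comparison rather than as a missing redirect parameter; the second copy of the pattern later in this hunk has the same issue. Capturing into a named variable and comparing with `is` keeps the test count at three while giving a useful diagnostic: `my ($url) = ${ $res->[1] }[1] =~ m#http://auth\.example\.com/\?url=(.+?)%#;` followed by `is( decode_base64( $url // '' ), 'http://test3.example.com/', 'Redirect URL found' );`. Writing `decode_base64($1)` with parentheses also stops the assertion from depending on the `$` prototype of `decode_base64` for `eq` to bind the way the author intends. `Time::Fake->offset("+700s")` before the second query is what forces the rules reload in which `HTTPS_REDIRECT`/`PORT_REDIRECT` are read, so the second assertion does exercise the new handler code; a one-line comment saying so would make the offset less mysterious.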