Merge branch '2674' into 'v2.0'

2674 See merge request lemonldap-ng/lemonldap-ng!286
2022-08-31 14:23:25 +00:00 · 2022-08-31 14:23:25 +00:00 · 2f6d91c27b
parent 98328cac1c bccef05a4b
commit 2f6d91c27b
40 changed files with 50 additions and 75 deletions
--- a/_example/etc/api-apache2.4.conf
+++ b/_example/etc/api-apache2.4.conf
@ -92,7 +92,4 @@
        Options +FollowSymLinks
        DirectoryIndex index.html start.html
    </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/api-apache2.X.conf
+++ b/_example/etc/api-apache2.X.conf
@ -105,7 +105,4 @@
        Options +FollowSymLinks
        DirectoryIndex index.html start.html
    </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/api-apache2.conf
+++ b/_example/etc/api-apache2.conf
@ -94,7 +94,4 @@
        Options +FollowSymLinks
        DirectoryIndex index.html start.html
    </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/api-nginx.conf
+++ b/_example/etc/api-nginx.conf
@ -40,9 +40,6 @@ server {
    #uwsgi_param SCRIPT_FILENAME $document_root$sc;
    #uwsgi_param SCRIPT_NAME $sc;

-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
-
  }

  # By default, access to this VHost is denied
--- a/_example/etc/handler-apache2.4.conf
+++ b/_example/etc/handler-apache2.4.conf
@ -44,9 +44,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
    #    # an upper PerlHeaderParserHandler directive
    #    #PerlHeaderParserHandler Apache2::Const::DECLINED
    #</Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>


--- a/_example/etc/handler-apache2.X.conf
+++ b/_example/etc/handler-apache2.X.conf
@ -61,9 +61,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
    #    # an upper PerlHeaderParserHandler directive
    #    #PerlHeaderParserHandler Apache2::Const::DECLINED
    #</Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>


--- a/_example/etc/handler-apache2.conf
+++ b/_example/etc/handler-apache2.conf
@ -51,9 +51,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
    #    # an upper PerlHeaderParserHandler directive
    #    #PerlHeaderParserHandler Apache2::Const::DECLINED
    #</Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>


--- a/_example/etc/handler-nginx.conf
+++ b/_example/etc/handler-nginx.conf
@ -50,9 +50,6 @@ server {
  # Client requests
  location / {
    deny all;
-
-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
  }

  # Uncomment this if status is enabled
--- a/_example/etc/manager-apache2.4.conf
+++ b/_example/etc/manager-apache2.4.conf
@ -95,7 +95,4 @@
        Options +FollowSymLinks
        DirectoryIndex index.html start.html
    </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/manager-apache2.X.conf
+++ b/_example/etc/manager-apache2.X.conf
@ -114,7 +114,4 @@
        Options +FollowSymLinks
        DirectoryIndex index.html start.html
    </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/manager-apache2.conf
+++ b/_example/etc/manager-apache2.conf
@ -98,7 +98,4 @@
        Options +FollowSymLinks
        DirectoryIndex index.html start.html
    </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/manager-nginx.conf
+++ b/_example/etc/manager-nginx.conf
@ -35,9 +35,6 @@ server {
    #uwsgi_param LLTYPE psgi;
    #uwsgi_param SCRIPT_FILENAME $document_root$sc;
    #uwsgi_param SCRIPT_NAME $sc;
-
-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
  }

  location / {
--- a/_example/etc/portal-apache2.4.conf
+++ b/_example/etc/portal-apache2.4.conf
@ -113,8 +113,5 @@
                Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

--- a/_example/etc/portal-apache2.X.conf
+++ b/_example/etc/portal-apache2.X.conf
@ -144,8 +144,5 @@
                Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

--- a/_example/etc/portal-apache2.conf
+++ b/_example/etc/portal-apache2.conf
@ -110,8 +110,5 @@
                Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

--- a/_example/etc/portal-nginx.conf
+++ b/_example/etc/portal-nginx.conf
@ -88,9 +88,6 @@ server {
  index index.psgi;
  location / {
    try_files $uri $uri/ =404;
-
-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
  }

  location /static/ {
--- a/_example/etc/test-apache2.4.conf
+++ b/_example/etc/test-apache2.4.conf
@ -41,7 +41,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
    <IfModule mod_dir.c>
        DirectoryIndex index.pl index.html
    </IfModule>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/test-apache2.X.conf
+++ b/_example/etc/test-apache2.X.conf
@ -41,7 +41,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
    <IfModule mod_dir.c>
        DirectoryIndex index.pl index.html
    </IfModule>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/test-apache2.conf
+++ b/_example/etc/test-apache2.conf
@ -36,7 +36,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
    <IfModule mod_dir.c>
        DirectoryIndex index.pl index.html
    </IfModule>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
--- a/_example/etc/test-nginx.conf
+++ b/_example/etc/test-nginx.conf
@ -88,9 +88,6 @@ server {
    # OR in the corresponding block
    #fastcgi_param HTTP_COOKIE $lmcookie;

-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
-
    # Set REMOTE_USER and REMOTE_CUSTOM (for FastCGI apps only)
    #fastcgi_param REMOTE_USER $lmremote_user;
    #fastcgi_param REMOTE_CUSTOM $lmremote_custom;
--- a/doc/sources/admin/authssl.rst
+++ b/doc/sources/admin/authssl.rst
@ -181,7 +181,6 @@ Nginx SSL Virtual Host example with uWSGI
     #index index.psgi;
     location / {
       try_files $uri $uri/ =404;
-       add_header Strict-Transport-Security "max-age=15768000";
     }
   }

--- a/doc/sources/admin/security.rst
+++ b/doc/sources/admin/security.rst
@ -332,6 +332,7 @@ Go in Manager, ``General parameters`` » ``Advanced parameters`` »
 -  **Form timeout**: Form token timeout (default to 120 seconds)
 -  **Use global storage**: Local cache is used by default for one time
   tokens. To use global storage, set it to 'On'
+-  **Strict-Transport-Security Max-age**: set STS header max-age if you use SSL only (by example: 15768000)
 -  **CrowdSec Bouncer**: set to 'On' to enable :doc:`CrowdSec Bouncer plugin<crowdsec>`
 -  **Brute-Force Attack protection**: set to 'On' to enable :doc:`Brute-force protection plugin<bruteforceprotection>`
 -  **LWP::UserAgent and SSL options**: insert here options to pass to
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -4259,6 +4259,9 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
            'default' => 0,
            'type'    => 'bool'
        },
+        'strictTransportSecurityMax_Age' => {
+            'type' => 'text'
+        },
        'successLoginNumber' => {
            'default' => 5,
            'type'    => 'int'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -1093,7 +1093,11 @@ sub attributes {
        corsMax_Age => {
            type          => 'text',
            default       => '86400',    # 24 hours
-            documentation => 'MAx-age for Cross-Origin Resource Sharing',
+            documentation => 'Max-age for Cross-Origin Resource Sharing',
+        },
+        strictTransportSecurityMax_Age => {
+            type          => 'text',
+            documentation => 'Max-age for Strict-Transport-Security',
        },
        cspDefault => {
            type          => 'text',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -1092,6 +1092,7 @@ sub tree {
                                'requireToken',
                                'formTimeout',
                                'tokenUseGlobalStorage',
+                                'strictTransportSecurityMax_Age',
                                {
                                    title => 'CrowdSecPlugin',
                                    help  => 'crowdsec.html',
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"Expiration time",
 "storePassword":"تخزين كلمة مرور المستخدم في بيانات الجلسة",
 "string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"Subtitle",
 "successLoginNumber":"Max successful logins count",
 "successfullySaved":"تم الحفظ بنجاح",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -1133,6 +1133,7 @@
 "stayConnectedCookieName":"Cookie name",
 "stayConnectedTimeout":"Expiration time",
 "storePassword":"Store user password in session",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "string":"String",
 "subtitle":"Subtitle",
 "successLoginNumber":"Max successful logins count",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/es.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/es.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"Expiration time",
 "storePassword":"Almacenar contraseña de usuario en la sesión",
 "string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"Subtítulo",
 "successLoginNumber":"Max successful logins count",
 "successfullySaved":"Salvado con éxito",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -2,7 +2,7 @@
 "2faSessions":"Explorateur sessions 2ndFA",
 "2ndFA":"Seconds Facteurs",
 "ADPwdExpireWarning":"Avertissement avant expiration du mot de passe",
-"ADPwdMaxAge":"Âge maximal du mot de passe",
+"ADPwdMaxAge":"Age maximal du mot de passe",
 "AuthLDAPFilter":"Filtre d'authentification",
 "Configuration":"Configuration",
 "CrowdSecPlugin":"CrowdSec Bouncer",
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"Durée de validité",
 "storePassword":"Stocke le mot de passe de l'utilisateur en session",
 "string":"Chaîne",
+"strictTransportSecurityMax_Age":"Age maximum Strict-Transport-Security",
 "subtitle":"Sous-titre",
 "successLoginNumber":"Nombre de connexions mémorisées",
 "successfullySaved":"Sauvegarde effectuée",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/he.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/he.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"Expiration time",
 "storePassword":"Store user password in session",
 "string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"Subtitle",
 "successLoginNumber":"Max successful logins count",
 "successfullySaved":"נשמר בהצלחה",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"Expiration time",
 "storePassword":"Memorizzare la password dell'utente nei dati di sessione",
 "string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"Subtitle",
 "successLoginNumber":"Max successful logins count",
 "successfullySaved":"Salvato con successo",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"Data ważności",
 "storePassword":"Przechowuj hasło użytkownika w sesji",
 "string":"Łańcuch znaków",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"Podtytuł",
 "successLoginNumber":"Maksymalna liczba udanych logowań",
 "successfullySaved":"Pomyślnie zapisano",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"Son kullanma süresi",
 "storePassword":"Kullanıcı parolasını oturumda sakla",
 "string":"Dize",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"Altyazı",
 "successLoginNumber":"Maksimum başarılı giriş sayısı",
 "successfullySaved":"Başarıyla kaydedildi",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"Expiration time",
 "storePassword":"Lưu trữ mật khẩu người dùng trong các dữ liệu phiên",
 "string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"Subtitle",
 "successLoginNumber":"Max successful logins count",
 "successfullySaved":"Lưu thành công",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"過期名稱",
 "storePassword":"在工作階段中儲存使用者密碼",
 "string":"字串",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"副標題",
 "successLoginNumber":"Max successful logins count",
 "successfullySaved":"成功儲存",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
@ -1134,6 +1134,7 @@
 "stayConnectedTimeout":"過期名稱",
 "storePassword":"在工作階段中儲存使用者密碼",
 "string":"字串",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
 "subtitle":"副標題",
 "successLoginNumber":"Max successful logins count",
 "successfullySaved":"成功儲存",
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@ -946,21 +946,32 @@ sub sendHtml {

    $self->setCorsHeaderFromConfig($res);

+    if (    $self->conf->{strictTransportSecurityMax_Age}
+        and $self->conf->{portal} =~ /^https:/ )
+    {
+        push @{ $res->[1] },
+          'Strict-Transport-Security' =>
+          "max-age=$self->{conf}->{strictTransportSecurityMax_Age}";
+        $self->logger->debug(
+"Set Strict-Transport-Security with: $self->{conf}->{strictTransportSecurityMax_Age}"
+        );
+    }
+
    # Set authorized URL for POST
    my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
    if ( my $url = $req->urldc ) {
-        $self->logger->debug("Required urldc : $url");
+        $self->logger->debug("Required urldc: $url");
        $url =~ URIRE;
        $url = $2 . '://' . $3 . ( $4 ? ":$4" : '' );
-        $self->logger->debug("Set CSP form-action with urldc : $url");
+        $self->logger->debug("Set CSP form-action with urldc: $url");
        $csp .= " $url";
    }
    my $url = $args{params}->{URL};
    if ( defined $url ) {
-        $self->logger->debug("Required Params URL : $url");
+        $self->logger->debug("Required Params URL: $url");
        if ( $url =~ URIRE ) {
            $url = $2 . '://' . $3 . ( $4 ? ":$4" : '' );
-            $self->logger->debug("Set CSP form-action with Params URL : $url");
+            $self->logger->debug("Set CSP form-action with Params URL: $url");
            $csp .= " $url";
        }
    }
@ -1018,7 +1029,7 @@ sub sendHtml {

    # Set CSP header
    push @{ $res->[1] }, 'Content-Security-Policy' => $csp;
-    $self->logger->debug("Apply following CSP : $csp");
+    $self->logger->debug("Apply following CSP: $csp");
    return $res;
 }

@ -1259,7 +1270,7 @@ sub setCorsHeaderFromConfig {
    if ( $self->conf->{corsEnabled} ) {
        my @cors = split /;/, $self->cors;
        push @{ $response->[1] }, @cors;
-        $self->logger->debug('Apply following CORS policy :');
+        $self->logger->debug('Apply following CORS policy:');
        $self->logger->debug(" $_") for @cors;
    }
 }
--- a/lemonldap-ng-portal/t/01-AuthDemo.t
+++ b/lemonldap-ng-portal/t/01-AuthDemo.t
@ -11,9 +11,11 @@ my $res;

 my $client = LLNG::Manager::Test->new( {
        ini => {
-            logLevel      => 'error',
-            useSafeJail   => 1,
-            portalFavicon => 'common/llng.ico'
+            logLevel                       => 'error',
+            portal                         => 'https://auth.example.com/',
+            useSafeJail                    => 1,
+            strictTransportSecurityMax_Age => '1977',
+            portalFavicon                  => 'common/llng.ico'
        }
    }
 );
@ -33,6 +35,9 @@ ok(
    ),
    'Get Menu'
 );
+ok( getHeader( $res, 'Strict-Transport-Security' ) =~ /^max-age=1977$/,
+    'Strict-Transport-Security is set' )
+  or explain( $res->[1], 'Content-Type => application/xml' );
 ok( $res->[2]->[0] =~ /<span trmsg="37">/, 'Rejected with PE_BADURL' )
  or print STDERR Dumper( $res->[2]->[0] );
 ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
@ -40,7 +45,7 @@ ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
 ok( $res->[2]->[0] =~ m%link href="/static/common/llng.ico%,
    ' Custom favicon found' )
  or print STDERR Dumper( $res->[2]->[0] );
-count(4);
+count(5);

 # Test "first access" with a wildcard-protected url
 ok(