diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 330a33f39..3d5fecc29 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,17 +9,6 @@
- result/*
-.build_job_centos:
- stage: build
- script:
- - yum -y install epel-release
- - make rpm-dist
- - ci-build-pkg
- artifacts:
- expire_in: 1 day
- paths:
- - result/*
-
stages:
- build
- sign
@@ -59,8 +48,31 @@ build_bionic:
<<: *job_build
build_centos_7:
- image: buildpkg/centos:7
- extends: .build_job_centos
+ image: buildpkg/centos:7
+ stage: build
+ script:
+ - rm -f /etc/yum.repos.d/CentOS-Sources.repo
+ - yum -y install epel-release
+ - make rpm-dist
+ - ci-build-pkg
+ artifacts:
+ expire_in: 1 day
+ paths:
+ - result/*
+
+#build_centos_8:
+# image: buildpkg/centos:8
+# stage: build
+# script:
+# - yum-config-manager --enable PowerTools
+# - yum-config-manager --enable AppStream
+# - yum -y install epel-release
+# - make rpm-dist
+# - ci-build-pkg
+# artifacts:
+# expire_in: 1 day
+# paths:
+# - result/*
sign:
image: buildpkg/debian:stretch
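Review bot: The new `- rm -f /etc/yum.repos.d/CentOS-Sources.repo` step in build_centos_7 carries no explanation, and nothing in the job tells a reader why a stock repo file has to be deleted before yum runs; add a YAML comment above it such as `# <reason> - CentOS-Sources.repo must be removed before yum can resolve packages` with the actual reason filled in. Inlining the job while dropping the `.build_job_centos` template also means the commented-out build_centos_8 job repeats the entire script and artifacts block; keeping the template and using `extends:` with only `image:` and the extra `yum-config-manager` lines overridden would let both jobs share it. If CentOS 8 is not buildable yet, a one-line comment saying what blocks it would help whoever re-enables that job later.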
@@ -77,6 +89,7 @@ sign:
- build_disco
- build_bionic
- build_centos_7
+# - build_centos_8
artifacts:
expire_in: 1 day
paths:
diff --git a/Makefile b/Makefile
index fd189574f..5c710fa5a 100644
--- a/Makefile
+++ b/Makefile
@@ -321,9 +321,11 @@ $(SRCMANAGERDIR)/site/htdocs/static/js/%.js: $(SRCMANAGERDIR)/site/coffee/%.coff
%.min.js: %.js
@echo "Compressing $*.js"
if test "$(UGLIFYJSVERSION)" = 2; then \
- uglifyjs $*.js --compress --mangle --comments='/Copyr/i' --source-map $*.min.js.map -o $*.min.js; \
+ cd `dirname $*`; \
+ uglifyjs `basename $*`.js --compress --mangle --comments='/Copyr/i' --source-map `basename $*`.min.js.map -o `basename $*`.min.js; \
else \
- uglifyjs $*.js --compress --mangle --comments='/Copyr/i' --source-map -o $*.min.js; \
+ cd `dirname $*`; \
+ uglifyjs `basename $*`.js --compress --mangle --comments='/Copyr/i' --source-map -o `basename $*`.min.js; \
fi
fastcgi-server/man/llng-fastcgi-server.8p: fastcgi-server/sbin/llng-fastcgi-server
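Review bot: In both branches of the `%.min.js` rule the new cd into `dirname $*` is chained to uglifyjs with `;`, so if the cd ever fails uglifyjs still runs against `basename` paths that no longer resolve and the rule fails one step later with a misleading error; join the two with `&&` instead. The four backtick subshells per file can also go away by using Make's own path functions, e.g. `cd "$(dir $*)" && uglifyjs "$(notdir $*).js" --compress --mangle --comments='/Copyr/i' --source-map "$(notdir $*).min.js.map" -o "$(notdir $*).min.js"; \` for the first branch and the same form without the map argument for the second. Changing directory before minifying is presumably there so the generated source map records paths relative to the output file rather than the repository root; a one-line comment above the `if` saying so would save the next reader from working it out.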
@@ -637,17 +639,30 @@ install_bin: install_conf_dir
${SRCCOMMONDIR}/scripts/rotateOidcKeys \
${SRCMANAGERDIR}/scripts/lmConfigEditor \
${SRCCOMMONDIR}/scripts/lemonldap-ng-cli \
+ ${SRCCOMMONDIR}/scripts/lemonldap-ng-sessions \
${SRCCOMMONDIR}/scripts/importMetadata \
$(RBINDIR)
@if [ ! "$(APACHEUSER)" ]; then \
- $(PERL) -i -pe 's#__APACHEUSER__#nobody#g;' $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli; \
+ $(PERL) -i -pe 's#__APACHEUSER__#nobody#g;' \
+ $(RBINDIR)/lmConfigEditor \
+ $(RBINDIR)/lemonldap-ng-cli \
+ $(RBINDIR)/lemonldap-ng-sessions; \
else \
- $(PERL) -i -pe 's#__APACHEUSER__#$(APACHEUSER)#g;' $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli; \
+ $(PERL) -i -pe 's#__APACHEUSER__#$(APACHEUSER)#g;' \
+ $(RBINDIR)/lmConfigEditor \
+ $(RBINDIR)/lemonldap-ng-cli \
+ $(RBINDIR)/lemonldap-ng-sessions; \
fi
@if [ ! "$(APACHEGROUP)" ]; then \
- $(PERL) -i -pe 's#__APACHEGROUP__#nobody#g;' $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli; \
+ $(PERL) -i -pe 's#__APACHEGROUP__#nobody#g;' \
+ $(RBINDIR)/lmConfigEditor \
+ $(RBINDIR)/lemonldap-ng-cli \
+ $(RBINDIR)/lemonldap-ng-sessions; \
else \
- $(PERL) -i -pe 's#__APACHEGROUP__#$(APACHEGROUP)#g;' $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli; \
+ $(PERL) -i -pe 's#__APACHEGROUP__#$(APACHEGROUP)#g;' \
+ $(RBINDIR)/lmConfigEditor \
+ $(RBINDIR)/lemonldap-ng-cli \
+ $(RBINDIR)/lemonldap-ng-sessions; \
fi
@chmod +x $(RBINDIR)/*
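Review bot: The three-entry list `$(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli $(RBINDIR)/lemonldap-ng-sessions` is now spelled out four times across the `__APACHEUSER__`/`__APACHEGROUP__` substitutions, so the next script that needs these placeholders replaced has to be added in four places and is easy to miss in one of them. Define it once next to the other variables, `TEMPLATED_BIN = $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli $(RBINDIR)/lemonldap-ng-sessions`, and use `$(TEMPLATED_BIN)` in all four perl invocations; recursive `=` keeps it correct if `RBINDIR` is assigned later in the file. The install_bin recipe starts before this hunk.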
@@ -1183,3 +1198,11 @@ e2e_cert:
-reqexts SAN \
-extensions SAN \
-config e2e-tests/openssl.cnf
+
+api_doc: doc/sources/manager-api/openapi-spec.yaml doc/sources/manager-api/config-codegen.json
+ @if [ -f "$(SWAGGER_CODEGEN)" ] ; then \
+ java -jar "$(SWAGGER_CODEGEN)" generate -i doc/sources/manager-api/openapi-spec.yaml -l html2 -o doc/pages/manager-api/ -c doc/sources/manager-api/config-codegen.json; \
+ else \
+ echo "Please run me with SWAGGER_CODEGEN=/path/to/swagger-codegen.jar"; \
+ fi
+
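Review bot: When `SWAGGER_CODEGEN` is unset or points at a missing jar, the new `api_doc` target prints its hint to stdout and exits 0, so a CI job or a script running `make api_doc` reports success without generating anything; send the message to stderr and fail: `echo "Please run me with SWAGGER_CODEGEN=/path/to/swagger-codegen.jar" >&2; exit 1; \`. `api_doc` never creates a file of that name (the output goes under doc/pages/manager-api/), so it should also be listed in the file's `.PHONY` declaration, which is outside this hunk; otherwise a stray file called api_doc would make the target look up to date. A short comment above the rule stating that the jar is an external, manually supplied tool would explain why it is not a prerequisite.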
diff --git a/_example/etc/api-apache2.4.conf b/_example/etc/api-apache2.4.conf
index 112c5d7ab..53abd3403 100644
--- a/_example/etc/api-apache2.4.conf
+++ b/_example/etc/api-apache2.4.conf
@@ -40,6 +40,7 @@
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
+ RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"
RewriteRule "^/(.+)$" "/api.fcgi/$1" [PT]
# 2) FastCGI engine
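Review bot: The new `RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"` excludes every URI that merely starts with `/doc`, so a future API route such as `/docs` or `/document/...` would silently stop being forwarded to api.fcgi and fall through to the document root instead; anchor the exclusion to the documentation prefix: `RewriteCond "%{REQUEST_URI}" "!^/doc(?:/|$)"`. The same condition is added in the api-apache2.X.conf and api-apache2.conf hunks of this commit and should be tightened identically there.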
@@ -83,6 +84,15 @@
+ # On-line documentation
+ Alias /doc/ __DEFDOCDIR__
+
+ Require all granted
+ ErrorDocument 404 /notfound.html
+ Options +FollowSymLinks
+ DirectoryIndex index.html start.html
+
+
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
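Review bot: `Alias /doc/ __DEFDOCDIR__` pairs a URL prefix ending in `/` with a filesystem path whose trailing slash depends entirely on what the build substitutes for `__DEFDOCDIR__`; Alias is a plain prefix replacement, so if the substituted value has no trailing slash, `/doc/index.html` maps to `<docdir>index.html` beside the directory and every page 404s. Unless the substitution is known to always end in `/`, write the separator explicitly, `Alias /doc/ __DEFDOCDIR__/`, and likewise in the api-apache2.X.conf and api-apache2.conf hunks (the nginx counterpart in this commit hardcodes a path that does end in `/`). The directory block also opens the docs with `Require all granted` on a vhost whose API is meant to be denied by default; whether a vhost-level access rule in this file takes precedence depends on sections outside the hunk, so a comment stating whether the documentation is intentionally reachable without the API allow-list would help.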
diff --git a/_example/etc/api-apache2.X.conf b/_example/etc/api-apache2.X.conf
index 93eed0a1b..ffcc7425c 100644
--- a/_example/etc/api-apache2.X.conf
+++ b/_example/etc/api-apache2.X.conf
@@ -40,6 +40,7 @@
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
+ RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"
RewriteRule "^/(.+)$" "/api.fcgi/$1" [PT]
# 2) FastCGI engine
@@ -90,6 +91,21 @@
+ # On-line documentation
+ Alias /doc/ __DEFDOCDIR__
+
+ = 2.3>
+ Require all granted
+
+
+ Order Deny,Allow
+ Allow from all
+
+ ErrorDocument 404 /notfound.html
+ Options +FollowSymLinks
+ DirectoryIndex index.html start.html
+
+
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/api-apache2.conf b/_example/etc/api-apache2.conf
index 4f3854290..f362c8778 100644
--- a/_example/etc/api-apache2.conf
+++ b/_example/etc/api-apache2.conf
@@ -40,6 +40,7 @@
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
+ RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"
RewriteRule "^/(.+)$" "/api.fcgi/$1" [PT]
# 2) FastCGI engine
@@ -84,6 +85,16 @@
+ # On-line documentation
+ Alias /doc/ __DEFDOCDIR__
+
+ Order allow,deny
+ Allow from all
+ ErrorDocument 404 /notfound.html
+ Options +FollowSymLinks
+ DirectoryIndex index.html start.html
+
+
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/api-nginx.conf b/_example/etc/api-nginx.conf
index e4fa1d5f2..3f9668c1d 100644
--- a/_example/etc/api-nginx.conf
+++ b/_example/etc/api-nginx.conf
@@ -15,7 +15,13 @@ server {
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
- rewrite ^/(.*)$ /api.psgi/$1 break;
+ location /doc/ {
+ alias /usr/share/doc/lemonldap-ng-doc/;
+ index index.html start.html;
+ }
+ location / {
+ rewrite ^/(.*)$ /api.psgi/$1;
+ }
location ~ ^(?/.*\.psgi)(?:$|/) {
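Review bot: The new `location /doc/` hardcodes `alias /usr/share/doc/lemonldap-ng-doc/;`, while the three Apache examples in the same commit use the `__DEFDOCDIR__` placeholder that the build substitutes, so on any install whose documentation does not live at the Debian path the nginx API vhost serves 404s for /doc/ with no hint why. If the placeholder substitution is also applied to the nginx examples (the Makefile rule for that is not in this diff), use `alias __DEFDOCDIR__/;` here; otherwise a comment saying the path must be adjusted by hand would do. Dropping the `break` flag when the rewrite moved into `location /` looks deliberate, since the rewritten URI has to re-enter location matching to reach the `.psgi` block below; a short comment on the rewrite would keep someone from "fixing" it back.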
@@ -37,17 +43,18 @@ server {
# Uncomment this if you use https only
#add_header Strict-Transport-Security "max-age=15768000";
- # By default, access to this VHost is denied
- # If you want to enable the manager APIs, you MUST
- # implement a robust authentication scheme to protect this
- # VHost since LemonLDAP::NG provides no protection to the
- # Manager APIs yet
- #
- #allow 127.0.0.0/8;
- #allow ::1/128;
- deny all;
}
+ # By default, access to this VHost is denied
+ # If you want to enable the manager APIs, you MUST
+ # implement a robust authentication scheme to protect this
+ # VHost since LemonLDAP::NG provides no protection to the
+ # Manager APIs yet
+ #
+ #allow 127.0.0.0/8;
+ #allow ::1/128;
+ deny all;
+
# DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this
#location /javascript/ {
diff --git a/_example/etc/portal-apache2.4.conf b/_example/etc/portal-apache2.4.conf
index 2b2480916..4c01b47a0 100644
--- a/_example/etc/portal-apache2.4.conf
+++ b/_example/etc/portal-apache2.4.conf
@@ -79,6 +79,11 @@
Require all denied
+ # REST/SOAP functions for proxy auth and password reset (disabled by default)
+
+ Require all denied
+
+
# REST/SOAP functions for sessions access (disabled by default)
Require all denied
diff --git a/_example/etc/portal-apache2.X.conf b/_example/etc/portal-apache2.X.conf
index 9f5662659..7c58699a6 100644
--- a/_example/etc/portal-apache2.X.conf
+++ b/_example/etc/portal-apache2.X.conf
@@ -86,6 +86,17 @@
+ # REST/SOAP functions for proxy auth and password reset (disabled by default)
+
+ = 2.3>
+ Require all denied
+
+
+ Order Deny,Allow
+ Deny from all
+
+
+
# REST/SOAP functions for sessions access (disabled by default)
= 2.3>
diff --git a/_example/etc/portal-apache2.conf b/_example/etc/portal-apache2.conf
index edbd63884..406ba919f 100644
--- a/_example/etc/portal-apache2.conf
+++ b/_example/etc/portal-apache2.conf
@@ -72,6 +72,12 @@
Deny from all
+ # REST/SOAP functions for proxy auth and password reset (disabled by default)
+
+ Order deny,allow
+ Deny from all
+
+
# REST/SOAP functions for sessions access (disabled by default)
Order deny,allow
diff --git a/_example/etc/portal-nginx.conf b/_example/etc/portal-nginx.conf
index 3ae467f66..948d29e3d 100644
--- a/_example/etc/portal-nginx.conf
+++ b/_example/etc/portal-nginx.conf
@@ -59,6 +59,12 @@ server {
deny all;
}
+ # REST/SOAP functions for proxy auth and password reset (disabled by default)
+ location ~ ^/index.psgi/proxy {
+ fastcgi_pass llng_portal_upstream;
+ deny all;
+ }
+
# REST/SOAP functions for sessions access (disabled by default)
location ~ ^/index.psgi/sessions {
fastcgi_pass llng_portal_upstream;
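Review bot: In `location ~ ^/index.psgi/proxy` the dot is unescaped, so the regex matches what it says only by accident (`/indexXpsgi/proxy` matches too) and nothing bounds the path after `proxy`; `location ~ ^/index\.psgi/proxy(?:/|$) {` states the intent exactly. The existing sessions block below uses the same loose form, so either tighten both for consistency or leave both and note in the comment that the pattern is deliberately broad.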
diff --git a/_example/etc/test-nginx.conf b/_example/etc/test-nginx.conf
index 1af7f57dc..1b873c48e 100644
--- a/_example/etc/test-nginx.conf
+++ b/_example/etc/test-nginx.conf
@@ -64,7 +64,7 @@ server {
# If CDA is used, uncomment this
#auth_request_set $cookie_value $upstream_http_set_cookie;
#add_header Set-Cookie $cookie_value;
- # Remove this for AuthBasic handler
+ # Remove this for AuthBasic and OAuth2 handlers
error_page 401 $lmlocation;
##################################
diff --git a/changelog b/changelog
index 7faa238ce..0a2a00060 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,121 @@
+lemonldap-ng (2.0.8) stable; urgency=medium
+
+ * Bugs:
+ * #1314: Workaround for memory Leak in perl-fcgi with Perl < 5.18
+ * #1659: RESTProxy doesn't fully work as a UserDB module
+ * #1776: Manager breaks when moving a newly created category or application
+ * #1939: expired issuer context is not reset when starting new authentication
+ * #1990: [warn] Route xxx redefined when using the fastCGI server
+ * #1992: Memory leak issue on CentOS 7 / perl 5.16
+ * #2048: t/32-OIDC-Refresh-Token.t fails randomly
+ * #2049: Unable to display notifications marked as done (DBI)
+ * #2050: Wrong message displayed by CheckUser plugin
+ * #2051: SAML Service Provider Macros are incorrectly displayed/saved by the manager
+ * #2057: Log in request without captcha returns an internal server error
+ * #2058: Use of configuration cache can mix global and local configuration parameters
+ * #2059: Error in Manager / CLI / Editor when an attribute is not defined
+ * #2061: pdata not cleaned with Kerberos authentication
+ * #2063: Javascript error: window.datas is undefined
+ * #2072: Configuration comparator error on application menu "order"
+ * #2074: Portal menu : display condition with sp: does not work for SAML SP
+ * #2080: SAML POST to SP becomes GET when an info is displayed
+ * #2081: Parameter added to external redirect URL when info.tpl is used
+ * #2082: SSLVarIf cannot be set in manager
+ * #2085: OIDC provider doesn't work when info is displayed during the login process
+ * #2086: LDAP notifications backend does not work
+ * #2089: Old format notifications with file backend don t work
+ * #2090: Session creation mixup when supplying an existing _session_id
+ * #2097: Error after activating userLogger (Apache)
+ * #2099: Error 500 when SAML Session is expired
+ * #2101: Wildcard in virtualhost names : URL contains a non protected host
+ * #2104: Sessions are not well computed by CheckUser plugin
+ * #2105: Using RS* ID Token signature algorithm without a RSA key causes ID Token to be returned as "null"
+ * #2111: Bad translation tag for password policy remaining grace message
+ * #2113: Password policy warning before password expiration is badly displayed
+ * #2116: Missing goToPortal translation for mails
+ * #2118: Multivalued attributes received from CAS server stored as string "ARRAY" in session
+ * #2120: OIDC: hybrid flow does not issue ID token
+ * #2123: Rest2F does not transmit session attributes to Verify URL
+ * #2127: Cache reload throw an error if status enabled
+ * #2128: Manager with CDA issue
+ * #2133: Issues with removed second factors notification system
+ * #2138: logout forward doesn't work anymore
+ * #2141: Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
+ * #2142: OIDC consent validation fails after second factor form or redirection from external IDP
+ * #2143: Enable redirection on forbidden access with self protected Portal URLs leads to an endless loop
+ * #2144: OTT is not sent if SSL authentication fails with Choice
+ * #2148: Bad request with Notification SPA
+ * #2151: Session upgrade does not work with multiple second factors
+ * #2152: Nginx configuration files do not work with IPv6
+ * #2159: Single session module configuration
+ * #2165: Server error with rule on Combination
+ * #2167: OAuth2 handler should return 401 when access token is missing or invalid
+ * #2168: LLNG is too strict on OIDC scope syntax
+ * #2169: duplicates in _oidcConsents when scope is updated
+ * #2171: Introspection endpoint does not recognize refreshed Access Tokens
+ * #2179: refresh my rights downgrades authentication level set by 2FA
+ * #2180: SingleSession plugin does not work if history is displayed
+
+ * New features:
+ * #2033: Manager API to reset 2FA
+ * #2034: Manager API to manage SAML and OIDC clients
+ * #2069: Manage Cookie SameSite value
+ * #2136: Possibility to override language with a parameter in URL
+ * #2154: Github authentication backend
+
+ * Improvements:
+ * #1598: Proxy Backend support for Password Module (passwordDB)
+ * #1877: Option to run setMacros after setGroups
+ * #1902: Configuration is saved even with errors with lemonldap-ng-cli
+ * #1957: Provide packages for CentOS 8
+ * #2046: compactConf is confusing
+ * #2064: Do not show action buttons on portal when displaying waiting message (Kerberos or SSL Ajax call)
+ * #2065: Improve diff.html templates to display Author, Date and Summary of both configurations
+ * #2068: Append an option to set CSP frame ancestors header
+ * #2070: LemonLDAP session cookie - SameSite attribute
+ * #2071: Allow users to see and display theirs accepted notifications
+ * #2073: Improve notifications SPA
+ * #2076: Possibility to configure a custom CSS file
+ * #2084: Make "error" the default log level for lasso
+ * #2088: BruteForce module: increase delay between each login attempt
+ * #2091: Better look for buttons in 2FA choice screen
+ * #2093: CheckUser - Remove persistent session attributes if required
+ * #2096: Improve introspection endpoint
+ * #2102: Bad Autologin rule lead to error 500 and crash the portal
+ * #2103: Add a rollback option to lemonldap-ng-cli
+ * #2106: CheckUser: Append an option to hide empty headers
+ * #2108: "Underlying object can't load conf" is a bad error message
+ * #2109: Securing the new API endpoints for 2.0.8 release
+ * #2114: Improve adaptive display and show instance name
+ * #2115: Possibility to select choice tab, as for menu tab
+ * #2117: Remove warning messages "uninitialized value $encryption_mode"
+ * #2119: Rely on "isRequired" XML field in importMetadata script to mark SAML attributes as mandatory
+ * #2121: Prevent Portal to crash if Custom Functions module is not found
+ * #2125: Internal Server Error when REST backend does not return a JSON Object
+ * #2126: Prevent Portal to crash if a bad rule is used for enabling a plugin
+ * #2129: AuthenticationLevel based macros and groups should be updated with second factor
+ * #2130: Append password policy options to define and require special characters
+ * #2131: Make json does nothing if only a Portal constant is appended
+ * #2132: Application icons are displayed with real sizes by the Manager and It is not particularly convenient
+ * #2135: Remove 'underscore' in notification reference
+ * #2140: Append an option to define applications tooltip
+ * #2145: Display a custom param with GlobalLogout plugin
+ * #2149: Add an easy way to set level of additional second factors
+ * #2155: Implement Resource Owner Password Credentials Grant
+ * #2156: "Require 2FA" should be renamed
+ * #2161: DBI should test that "table" is set
+ * #2164: Make SingleSession options configurable by a rule
+ * #2166: Configuration parser does not check validity of SAML/OIDC/CAS/vhost options
+ * #2173: Make CheckUser options configurable by a rule
+ * #2175: Reorganize OIDC RP options in manager
+ * #2177: OIDC: Allow additional audiences for ID Token
+ * #2178: Make require old password option configurable by a rule
+ * #2182: Append a Show/Hide password button into change password form
+ * #2184: SAML logout request returns 400 error code if session is not found
+ * #2185: Append a rule to display sfaManager link
+
+ -- Clément Mon, 04 May 2020 22:43:29 +0200
+
lemonldap-ng (2.0.7) stable; urgency=medium
* Bugs:
diff --git a/debian/changelog b/debian/changelog
index 5f678ac6f..c6168ade1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.0.8-1) unstable; urgency=medium
+
+ * New release. See changes on our website:
+ https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
+
+ -- Clement OUDOT Tue, 05 May 2020 16:00:00 +0100
+
lemonldap-ng (2.0.7-1) unstable; urgency=medium
* New release. See changes on our website:
diff --git a/debian/control b/debian/control
index 0e635ac2a..afb89360f 100644
--- a/debian/control
+++ b/debian/control
@@ -53,7 +53,7 @@ Build-Depends-Indep: libapache-session-perl ,
libxml-libxslt-perl ,
libxml-simple-perl ,
perl
-Standards-Version: 4.4.0
+Standards-Version: 4.5.0
Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
Homepage: https://lemonldap-ng.org/
diff --git a/debian/liblemonldap-ng-common-perl.install b/debian/liblemonldap-ng-common-perl.install
index c7cc2aa90..6444213c4 100644
--- a/debian/liblemonldap-ng-common-perl.install
+++ b/debian/liblemonldap-ng-common-perl.install
@@ -3,6 +3,7 @@
/usr/share/man/man1/convertConfig.1p
/usr/share/man/man1/convertSessions.1p
/usr/share/man/man1/lemonldap-ng-cli.1p
+/usr/share/man/man1/lemonldap-ng-sessions.1p
/usr/share/man/man3/Lemonldap::NG::Common*
/usr/share/perl5/auto/Lemonldap/NG/Common
/usr/share/perl5/Lemonldap/NG/Common*
@@ -10,6 +11,7 @@
/usr/share/lemonldap-ng/bin/convertConfig
/usr/share/lemonldap-ng/bin/convertSessions
/usr/share/lemonldap-ng/bin/importMetadata
+/usr/share/lemonldap-ng/bin/lemonldap-ng-sessions
/usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
/usr/share/lemonldap-ng/bin/rotateOidcKeys
/var/lib/lemonldap-ng/conf/
diff --git a/doc/index.html b/doc/index.html
index 4b1c93b32..2eeb7c1d1 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -5,9 +5,14 @@
-
LemonLDAP::NG offline documentation
+
LemonLDAP::NG Administrator documentation
Documentation
+
+
LemonLDAP::NG Manager API documentation
+
+
API Reference
+