Restrict session data available for DevOps handler (#2456)

2021-02-05 19:38:13 +01:00 · 2021-02-05 19:38:13 +01:00 · 5e28f76a64
commit 5e28f76a64
parent 55071d5210
9 changed files with 42 additions and 16 deletions
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
@ -4,11 +4,9 @@ use strict;
 use Lemonldap::NG::Common::UserAgent;
 use JSON qw(from_json);

-our $VERSION = '2.0.10';
-
+our $VERSION = '2.0.12';
 our $_ua;

-our $time;

 sub ua {
    return $_ua if ($_ua);
@ -19,25 +17,23 @@ sub checkMaintenanceMode {
    my ( $class, $req ) = @_;
    my $vhost = $class->resolveAlias($req);
    $class->tsv->{lastVhostUpdate} //= {};
-    unless (
+    $class->_loadVhostConfig( $req, $vhost )
+      unless (
        $class->tsv->{defaultCondition}->{$vhost}
        and (
            time() - $class->tsv->{lastVhostUpdate}->{$vhost} <
            $class->tsv->{checkTime} )
-      )
-    {
-        $class->loadVhostConfig( $req, $vhost );
-    }
+      );
+
    return $class->Lemonldap::NG::Handler::Main::checkMaintenanceMode($req);
 }

-sub loadVhostConfig {
+sub _loadVhostConfig {
    my ( $class, $req, $vhost ) = @_;
    my $json;
    if ( $class->tsv->{useSafeJail} ) {
        my $rUrl = $req->{env}->{RULES_URL}
-          || (
-            (
+          || ( (
                $class->localConfig->{loopBackUrl}
                || "http://127.0.0.1:" . $req->{env}->{SERVER_PORT}
            )
@ -65,9 +61,21 @@ q"I refuse to compile rules.json when useSafeJail isn't activated! Yes I know, I
    }
    $json->{rules} ||= { default => 1 };
    $json->{headers} //= { 'Auth-User' => '$uid' };
+
+    # Removed forbidden session attributes
+    foreach
+      my $v ( split /\s+/, $class->tsv->{hiddenAttributes} )
+    {
+        foreach ( keys %{ $json->{headers} } ) {
+            delete $json->{headers}->{$_}
+              if $json->{headers}->{$_} eq '$' . $v;
+        }
+    }
+
    $class->locationRulesInit( undef, { $vhost => $json->{rules} } );
    $class->headersInit( undef,       { $vhost => $json->{headers} } );
    $class->tsv->{lastVhostUpdate}->{$vhost} = time;
+
    return;
 }

--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
@ -203,7 +203,7 @@ sub defaultValuesInit {
        timeoutActivityInterval useRedirectOnError useRedirectOnForbidden
        useSafeJail             whatToTrace        handlerInternalCache
        handlerServiceTokenTTL  customToTrace      lwpOpts lwpSslOpts
-        authChoiceParam         authChoiceAuthBasic
+        authChoiceAuthBasic     authChoiceParam    hiddenAttributes
        )
    );

--- a/lemonldap-ng-handler/t/64-Lemonldap-NG-Handler-PSGI-DevOps.t
+++ b/lemonldap-ng-handler/t/64-Lemonldap-NG-Handler-PSGI-DevOps.t
@ -22,7 +22,12 @@ ok(
    'Authorized query'
 );
 ok( $res->[0] == 200, 'Code is 200' ) or explain( $res->[0], 200 );
-count(2);
+my %headers = @{$res->[1]};
+ok( %headers{User} eq 'dwho', "'User' => 'dwho'" ) or explain( \%headers, 'dwho' );
+ok( %headers{Name} eq '', "'Name' => ''" ) or explain( \%headers, 'No Name' );
+ok( %headers{Mail} eq '', "'Mail' => ''" ) or explain( \%headers, 'No Mail' );
+ok( keys %headers == 7, "Seven headers sent" ) or explain( \%headers, 'Seven headers' );
+count(6);

 ok(
    $res = $client->_get(
@ -76,7 +81,9 @@ sub LWP::UserAgent::request {
    "default": "accept"
  },
  "headers": {
-    "User": "$uid"
+    "User": "$uid",
+    "Mail": "$mail",
+    "Name": "$cn"
  }
 }';
    $httpResp = HTTP::Response->new( 200, 'OK' );
--- a/lemonldap-ng-handler/t/test-psgi-lib.pm
+++ b/lemonldap-ng-handler/t/test-psgi-lib.pm
@ -31,6 +31,7 @@ sub init {
        cookieName          => 'lemonldap',
        securedCookie       => 0,
        https               => 0,
+        hiddenAttributes    => 'mail cn',
        logger              => 'Lemonldap::NG::Common::Logger::Std',
        %$prms
    );
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -1275,6 +1275,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
            'test'       => qr/^[a-zA-Z][a-zA-Z0-9_:\-]*$/,
            'type'       => 'keyTextContainer'
        },
+        'devOpsHandlerForbiddenAttibutes' => {
+            'type' => 'text'
+        },
        'disablePersistentStorage' => {
            'default' => 0,
            'type'    => 'bool'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -1099,6 +1099,12 @@ sub attributes {
            documentation => 'Avoid assignment in expressions',
            flags         => 'hp',
        },
+        devOpsHandlerForbiddenAttibutes => {
+            type          => 'text',
+            help          => 'safejail.html',
+            documentation => 'List of attributes that applications can not retrieve',
+            flags         => 'h',
+        },
        whatToTrace => {
            type          => 'lmAttrOrMacro',
            default       => 'uid',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -1003,6 +1003,7 @@ sub tree {
                                'requireToken',
                                'formTimeout',
                                'tokenUseGlobalStorage',
+                                'devOpsHandlerForbiddenAttibutes',
                                {
                                    title => 'bruteForceAttackProtection',
                                    help  => 'bruteforceprotection.html',
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json