Restrict session data available for DevOps handler (#2456)
parent
55071d5210
commit
5e28f76a64
|
@ -4,11 +4,9 @@ use strict;
|
|||
use Lemonldap::NG::Common::UserAgent;
|
||||
use JSON qw(from_json);
|
||||
|
||||
our $VERSION = '2.0.10';
|
||||
|
||||
our $VERSION = '2.0.12';
|
||||
our $_ua;
|
||||
|
||||
our $time;
|
||||
|
||||
sub ua {
|
||||
return $_ua if ($_ua);
|
||||
|
@ -19,25 +17,23 @@ sub checkMaintenanceMode {
|
|||
my ( $class, $req ) = @_;
|
||||
my $vhost = $class->resolveAlias($req);
|
||||
$class->tsv->{lastVhostUpdate} //= {};
|
||||
unless (
|
||||
$class->_loadVhostConfig( $req, $vhost )
|
||||
unless (
|
||||
$class->tsv->{defaultCondition}->{$vhost}
|
||||
and (
|
||||
time() - $class->tsv->{lastVhostUpdate}->{$vhost} <
|
||||
$class->tsv->{checkTime} )
|
||||
)
|
||||
{
|
||||
$class->loadVhostConfig( $req, $vhost );
|
||||
}
|
||||
);
|
||||
|
||||
return $class->Lemonldap::NG::Handler::Main::checkMaintenanceMode($req);
|
||||
}
|
||||
|
||||
sub loadVhostConfig {
|
||||
sub _loadVhostConfig {
|
||||
my ( $class, $req, $vhost ) = @_;
|
||||
my $json;
|
||||
if ( $class->tsv->{useSafeJail} ) {
|
||||
my $rUrl = $req->{env}->{RULES_URL}
|
||||
|| (
|
||||
(
|
||||
|| ( (
|
||||
$class->localConfig->{loopBackUrl}
|
||||
|| "http://127.0.0.1:" . $req->{env}->{SERVER_PORT}
|
||||
)
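Review bot: On the first request for a vhost `$class->tsv->{lastVhostUpdate}->{$vhost}` is still undefined (the added `//= {}` line only creates the outer hash), so the `time() - ...` subtraction inside the `unless` condition operates on undef and, if the file enables warnings, logs an uninitialized-value warning on every cold start; it happens to evaluate the way you want, but `time() - ( $class->tsv->{lastVhostUpdate}->{$vhost} // 0 ) <` makes that explicit and keeps the logs clean. The postfix `unless` now carries a three-term, multi-line condition, which is the kind of condition a block form `unless ( ... ) { $class->_loadVhostConfig( $req, $vhost ); }` reads better for. `_loadVhostConfig` continues past the end of this hunk.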
|
||||
|
@ -65,9 +61,21 @@ q"I refuse to compile rules.json when useSafeJail isn't activated! Yes I know, I
|
|||
}
|
||||
$json->{rules} ||= { default => 1 };
|
||||
$json->{headers} //= { 'Auth-User' => '$uid' };
|
||||
|
||||
# Removed forbidden session attributes
|
||||
foreach
|
||||
my $v ( split /\s+/, $class->tsv->{hiddenAttributes} )
|
||||
{
|
||||
foreach ( keys %{ $json->{headers} } ) {
|
||||
delete $json->{headers}->{$_}
|
||||
if $json->{headers}->{$_} eq '$' . $v;
|
||||
}
|
||||
}
|
||||
|
||||
$class->locationRulesInit( undef, { $vhost => $json->{rules} } );
|
||||
$class->headersInit( undef, { $vhost => $json->{headers} } );
|
||||
$class->tsv->{lastVhostUpdate}->{$vhost} = time;
|
||||
|
||||
return;
|
||||
}
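Review bot: The filter on the `delete $json->{headers}->{$_} if $json->{headers}->{$_} eq '$' . $v;` line only removes a header whose value is the bare variable name, so if header values are evaluated as expressions (as the `'$uid'` default and the `$mail`/`$cn` test fixture suggest) an application can still export a forbidden attribute with `"$mail"`, `$mail . ''` or `lc($mail)`, and nothing filters `$json->{rules}`, where a rule such as `$mail =~ /^a/` reveals the value one bit at a time through allow/deny. A more robust fix is to reject any header or rule whose text references the attribute, e.g. `delete $json->{headers}->{$_} if $json->{headers}->{$_} =~ /\$\Q$v\E\b/;`, or better still to strip the forbidden keys from the session data handed to this vhost's evaluation so the restriction cannot be rewritten around. Separately, `split /\s+/` yields an empty first field when `hiddenAttributes` has leading whitespace and warns when it is undef; `split ' ', ( $class->tsv->{hiddenAttributes} // '' )` avoids both. `_loadVhostConfig` starts before this hunk.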
|
||||
|
||||
|
|
|
@ -203,7 +203,7 @@ sub defaultValuesInit {
|
|||
timeoutActivityInterval useRedirectOnError useRedirectOnForbidden
|
||||
useSafeJail whatToTrace handlerInternalCache
|
||||
handlerServiceTokenTTL customToTrace lwpOpts lwpSslOpts
|
||||
authChoiceParam authChoiceAuthBasic
|
||||
authChoiceAuthBasic authChoiceParam hiddenAttributes
|
||||
)
|
||||
);
|
||||
|
||||
|
|
|
@ -22,7 +22,12 @@ ok(
|
|||
'Authorized query'
|
||||
);
|
||||
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res->[0], 200 );
|
||||
count(2);
|
||||
my %headers = @{$res->[1]};
|
||||
ok( %headers{User} eq 'dwho', "'User' => 'dwho'" ) or explain( \%headers, 'dwho' );
|
||||
ok( %headers{Name} eq '', "'Name' => ''" ) or explain( \%headers, 'No Name' );
|
||||
ok( %headers{Mail} eq '', "'Mail' => ''" ) or explain( \%headers, 'No Mail' );
|
||||
ok( keys %headers == 7, "Seven headers sent" ) or explain( \%headers, 'Seven headers' );
|
||||
count(6);
|
||||
|
||||
ok(
|
||||
$res = $client->_get(
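Review bot: `%headers{User}` on the `ok( %headers{User} eq 'dwho' ...` line is a key/value slice, not an element lookup; it only passes because a slice in scalar context yields its last element, and for the `Name` and `Mail` checks a missing key gives `undef eq ''` (true, with an uninitialized warning), so the test cannot tell "header not sent" from "header sent empty". Use element access with a real comparison, `is( $headers{User}, 'dwho', "'User' => 'dwho'" );` if Test::More's `is` is imported here, and assert the shape actually intended for the hidden attributes: `ok( !exists $headers{Mail}, 'No Mail header' )` if filtered headers must not be sent at all, or `is( $headers{Mail}, '', ... )` if an empty header is expected. Note also that `my %headers = @{$res->[1]};` silently collapses duplicate PSGI header names, so the `keys %headers == 7` count undercounts if any header is sent twice.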
|
||||
|
@ -76,7 +81,9 @@ sub LWP::UserAgent::request {
|
|||
"default": "accept"
|
||||
},
|
||||
"headers": {
|
||||
"User": "$uid"
|
||||
"User": "$uid",
|
||||
"Mail": "$mail",
|
||||
"Name": "$cn"
|
||||
}
|
||||
}';
|
||||
$httpResp = HTTP::Response->new( 200, 'OK' );
|
||||
|
|
|
@ -31,6 +31,7 @@ sub init {
|
|||
cookieName => 'lemonldap',
|
||||
securedCookie => 0,
|
||||
https => 0,
|
||||
hiddenAttributes => 'mail cn',
|
||||
logger => 'Lemonldap::NG::Common::Logger::Std',
|
||||
%$prms
|
||||
);
|
||||
|
|
|
@ -1275,6 +1275,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'test' => qr/^[a-zA-Z][a-zA-Z0-9_:\-]*$/,
|
||||
'type' => 'keyTextContainer'
|
||||
},
|
||||
'devOpsHandlerForbiddenAttibutes' => {
|
||||
'type' => 'text'
|
||||
},
|
||||
'disablePersistentStorage' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
|
|
|
@ -1099,6 +1099,12 @@ sub attributes {
|
|||
documentation => 'Avoid assignment in expressions',
|
||||
flags => 'hp',
|
||||
},
|
||||
devOpsHandlerForbiddenAttibutes => {
|
||||
type => 'text',
|
||||
help => 'safejail.html',
|
||||
documentation => 'List of attributes that applications can not retrieve',
|
||||
flags => 'h',
|
||||
},
|
||||
whatToTrace => {
|
||||
type => 'lmAttrOrMacro',
|
||||
default => 'uid',
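Review bot: The new key `devOpsHandlerForbiddenAttibutes` misspells "Attributes", and since manager attribute names become persistent configuration keys the typo will have to be carried forever once released; rename it before this ships. I also cannot see anything in this commit that reads this key: the handler filters on `$class->tsv->{hiddenAttributes}` and `defaultValuesInit` exports `hiddenAttributes`, so unless something outside the diff maps one name to the other, this option appears to have no effect while the existing `hiddenAttributes` setting silently takes on a second meaning. Either drop this entry and document in `safejail.html` that `hiddenAttributes` governs what the DevOps handler may expose, or make the handler read this key. The enclosing attributes hash starts outside this hunk.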
|
||||
|
|
|
@ -1003,6 +1003,7 @@ sub tree {
|
|||
'requireToken',
|
||||
'formTimeout',
|
||||
'tokenUseGlobalStorage',
|
||||
'devOpsHandlerForbiddenAttibutes',
|
||||
{
|
||||
title => 'bruteForceAttackProtection',
|
||||
help => 'bruteforceprotection.html',
|
||||
|
|