WIP: Hide _session_id with session & 2ndFA explorers (#2350)
This commit is contained in:
parent
dd199e32b8
commit
600569247f
|
@ -30,7 +30,7 @@ use constant DEFAULTCONFBACKENDOPTIONS => (
|
|||
dirName => '/usr/local/lemonldap-ng/data/conf',
|
||||
);
|
||||
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|a(?:(?:daptativeAuthenticationLevelR|ut(?:hChoiceMod|oSigninR))ules|pplicationList)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:State|User|XSS)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|C
onfig|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:State|User|XSS)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|C
onfig|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
|
||||
|
||||
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
|
||||
|
||||
|
|
|
@ -72,8 +72,9 @@ sub defaultValues {
|
|||
'mail' => 'mail',
|
||||
'uid' => 'uid'
|
||||
},
|
||||
'domain' => 'example.com',
|
||||
'exportedVars' => {
|
||||
'displaySessionId' => 1,
|
||||
'domain' => 'example.com',
|
||||
'exportedVars' => {
|
||||
'UA' => 'HTTP_USER_AGENT'
|
||||
},
|
||||
'ext2fActivation' => 0,
|
||||
|
|
|
@ -45,6 +45,7 @@ sub init {
|
|||
$self->setTypes($conf);
|
||||
$self->{multiValuesSeparator} ||= '; ';
|
||||
$self->{hiddenAttributes} //= "_password";
|
||||
$self->{hiddenAttributes} .= ' _session_id' unless $conf->{displaySessionId};
|
||||
$self->{TOTPCheck} = $self->{U2FCheck} = $self->{UBKCheck} = '1';
|
||||
return 1;
|
||||
}
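Review bot: The new line `$self->{hiddenAttributes} .= ' _session_id' unless $conf->{displaySessionId};` appends after the `//=` default, so a configured list that already names `_session_id` ends up listing it twice, and a stored empty string yields a value starting with a space — harmless if the consumer splits on whitespace, which this hunk does not show, so worth confirming. The same line is added to the other `init` in this commit (the Sessions plugin further down, which extends `Lemonldap::NG::Common::Session::REST`); if this plugin shares that base class, one helper there, or a conf-level default that adds `_session_id` when `displaySessionId` is off, would keep the two explorers from drifting apart. A why-comment would help the next reader: `# _session_id is hidden from the explorer unless the admin opted in via displaySessionId`. `init` starts outside the hunk.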
|
||||
|
|
|
@ -1250,6 +1250,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'displaySessionId' => {
|
||||
'default' => 1,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'domain' => {
|
||||
'default' => 'example.com',
|
||||
'msgFail' => '__badDomainName__',
|
||||
|
|
|
@ -867,6 +867,11 @@ sub attributes {
|
|||
default => '_password _2fDevices',
|
||||
documentation => 'Name of attributes to hide in logs',
|
||||
},
|
||||
displaySessionId => {
|
||||
type => 'bool',
|
||||
default => 1,
|
||||
documentation => 'Display _session_id with sessions explorer',
|
||||
},
|
||||
persistentSessionAttributes => {
|
||||
type => 'text',
|
||||
default => '_loginHistory _2fDevices notification_',
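Review bot: `default => 1` keeps `_session_id` visible in the explorers unless an administrator explicitly turns `displaySessionId` off, so existing deployments gain nothing from this change until someone opts out; if the displayed id is the value a browser presents as the session cookie, as the commit title suggests, `default => 0` with an explicit opt-in would be the safer choice. The `documentation` string should name both places the option affects, since the commit touches the sessions and the 2ndFA plugins: `documentation => 'Display _session_id in the sessions and 2FA explorers'`. `hiddenAttributes` just above is documented as 'Name of attributes to hide in logs', but this commit now also uses it to hide explorer columns; its documentation should mention that second use. `attributes` continues outside the hunk.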
|
||||
|
|
|
@ -540,8 +540,10 @@ sub tree {
|
|||
title => 'logParams',
|
||||
help => 'logs.html',
|
||||
form => 'simpleInputContainer',
|
||||
nodes =>
|
||||
[ 'whatToTrace', 'customToTrace', 'hiddenAttributes' ]
|
||||
nodes => [
|
||||
'whatToTrace', 'customToTrace',
|
||||
'hiddenAttributes'
|
||||
]
|
||||
},
|
||||
{
|
||||
title => 'cookieParams',
|
||||
|
@ -559,6 +561,7 @@ sub tree {
|
|||
help => 'sessions.html',
|
||||
nodes => [
|
||||
'storePassword',
|
||||
'displaySessionId',
|
||||
'timeout',
|
||||
'timeoutActivity',
|
||||
'timeoutActivityInterval',
|
||||
|
|
|
@ -18,7 +18,7 @@ extends 'Lemonldap::NG::Manager::Plugin',
|
|||
'Lemonldap::NG::Common::Conf::AccessLib',
|
||||
'Lemonldap::NG::Common::Session::REST';
|
||||
|
||||
our $VERSION = '2.0.8';
|
||||
our $VERSION = '2.0.10';
|
||||
|
||||
#############################
|
||||
# I. INITIALIZATION METHODS #
|
||||
|
@ -55,7 +55,8 @@ sub init {
|
|||
$self->{ipField} ||= 'ipAddr';
|
||||
$self->{multiValuesSeparator} ||= '; ';
|
||||
$self->{impersonationPrefix} = $conf->{impersonationPrefix} || 'real_';
|
||||
$self->{hiddenAttributes} //= "_password";
|
||||
$self->{hiddenAttributes} //= '_password';
|
||||
$self->{hiddenAttributes} .= ' _session_id' unless $conf->{displaySessionId};
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"المشاهد المختلف",
|
||||
"diffWithPrevious":"الفرق مع السابق",
|
||||
"disabled":"معطلة",
|
||||
"displaySessionId":"Display session identifier",
|
||||
"done":"تم",
|
||||
"dones":"تم",
|
||||
"down":"Move down",
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"Difference viewer",
|
||||
"diffWithPrevious":"difference with previous",
|
||||
"disabled":"Disabled",
|
||||
"displaySessionId":"Display session identifier",
|
||||
"done":"done",
|
||||
"dones":"Done",
|
||||
"down":"Move down",
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"Difference viewer",
|
||||
"diffWithPrevious":"difference with previous",
|
||||
"disabled":"Disabled",
|
||||
"displaySessionId":"Display session identifier",
|
||||
"done":"done",
|
||||
"dones":"Done",
|
||||
"down":"Move down",
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"Visualisateur de différence",
|
||||
"diffWithPrevious":"différence avec la précédente",
|
||||
"disabled":"Désactivé",
|
||||
"displaySessionId":"Afficher l'identifiant de session",
|
||||
"done":"validée",
|
||||
"dones":"Validées",
|
||||
"down":"Descendre",
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"Visualizzatore di differenza",
|
||||
"diffWithPrevious":"differenza con il precedente",
|
||||
"disabled":"Disabilitato",
|
||||
"displaySessionId":"Display session identifier",
|
||||
"done":"fatto",
|
||||
"dones":"Fatto",
|
||||
"down":"Move down",
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"Przeglądarka różnic",
|
||||
"diffWithPrevious":"różnica w stosunku do poprzednich",
|
||||
"disabled":"Wyłączone",
|
||||
"displaySessionId":"Display session identifier",
|
||||
"done":"wykonane",
|
||||
"dones":"Wykonane",
|
||||
"down":"Move down",
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"Fark görüntüleyici",
|
||||
"diffWithPrevious":"önceki ile farkı",
|
||||
"disabled":"Devre dışı",
|
||||
"displaySessionId":"Display session identifier",
|
||||
"done":"tamam",
|
||||
"dones":"Tamam",
|
||||
"down":"Aşağı taşı",
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"Người xem khác ",
|
||||
"diffWithPrevious":"khác biệt với cái trước",
|
||||
"disabled":"Tắt",
|
||||
"displaySessionId":"Display session identifier",
|
||||
"done":"Hoàn thành",
|
||||
"dones":"Hoàn thành",
|
||||
"down":"Move down",
|
||||
|
|
|
@ -277,6 +277,7 @@
|
|||
"diffViewer":"Difference viewer",
|
||||
"diffWithPrevious":"difference with previous",
|
||||
"disabled":"Disabled",
|
||||
"displaySessionId":"Display session identifier",
|
||||
"done":"完成",
|
||||
"dones":"完成",
|
||||
"down":"Move down",
|
||||
|
|