Add option to compute userdb groups before macros (#1877)
This commit is contained in:
Maxime Besson
parent
402799bafe
commit
68be974e51
|
|
@ -24,7 +24,7 @@ use constant MANAGERSECTION => "manager";
|
|||
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
|
||||
use constant APPLYSECTION => "apply";
|
||||
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|AllowOffline|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Session|Config)Server|ExportSecretKeys)|freshSessions)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|br(?:owsersDontStorePassword|uteForceProtection)|(?:(?:globalLogout|active)Tim|wsdlServ)er|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs))$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|AllowOffline|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Session|Config)Server|ExportSecretKeys)|freshSessions)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|br(?:owsersDontStorePassword|uteForceProtection)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
|
||||
|
||||
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
|
||||
|
||||
|
|
|
|||
|
|
@ -1319,6 +1319,10 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
},
|
||||
'type' => 'keyTextContainer'
|
||||
},
|
||||
'groupsBeforeMacros' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'handlerInternalCache' => {
|
||||
'default' => 15,
|
||||
'type' => 'int'
|
||||
|
|
|
|||
|
|
@ -413,6 +413,11 @@ sub attributes {
|
|||
type => 'text',
|
||||
documentation => 'Prefix of static files for HTML templates',
|
||||
},
|
||||
groupsBeforeMacros => {
|
||||
type => 'bool',
|
||||
default => 0,
|
||||
documentation => 'Compute groups before macros',
|
||||
},
|
||||
multiValuesSeparator => {
|
||||
type => 'authParamsText',
|
||||
default => '; ',
|
||||
|
|
|
|||
|
|
@ -892,6 +892,7 @@ sub tree {
|
|||
nodes => [
|
||||
'customFunctions',
|
||||
'multiValuesSeparator',
|
||||
'groupsBeforeMacros',
|
||||
{
|
||||
title => 'SMTP',
|
||||
help => 'smtp.html',
|
||||
|
|
|
|||
|
|
@ -323,6 +323,7 @@
|
|||
"gpgParams":"GPG parameters",
|
||||
"grantSessionRules":"ظروف الافتتاح",
|
||||
"groups":"المجموعات",
|
||||
"groupsBeforeMacros":"Compute groups before macros",
|
||||
"hashkey":"المفتاح",
|
||||
"headers":"هيدر إتش تي تي بي ",
|
||||
"hGroups":"المجموعات (هاش ريف)",
|
||||
|
|
|
|||
|
|
@ -323,6 +323,7 @@
|
|||
"gpgParams":"GPG parameters",
|
||||
"grantSessionRules":"Opening conditions",
|
||||
"groups":"Groups",
|
||||
"groupsBeforeMacros":"Compute groups before macros",
|
||||
"hashkey":"Key",
|
||||
"headers":"HTTP Headers",
|
||||
"hGroups":"Groups (HashRef)",
|
||||
|
|
|
|||
|
|
@ -323,6 +323,7 @@
|
|||
"gpgParams":"GPG parameters",
|
||||
"grantSessionRules":"Opening conditions",
|
||||
"groups":"Groups",
|
||||
"groupsBeforeMacros":"Compute groups before macros",
|
||||
"hashkey":"Key",
|
||||
"headers":"HTTP Headers",
|
||||
"hGroups":"Groups (HashRef)",
|
||||
|
|
|
|||
|
|
@ -323,6 +323,7 @@
|
|||
"gpgParams":"Paramètres GPG",
|
||||
"grantSessionRules":"Conditions d'ouverture",
|
||||
"groups":"Groupes",
|
||||
"groupsBeforeMacros":"Calculer les groupes avant les macros",
|
||||
"hashkey":"Clef",
|
||||
"headers":"En-têtes HTTP",
|
||||
"hGroups":"Groupes (HashRef)",
|
||||
|
|
|
|||
|
|
@ -323,6 +323,7 @@
|
|||
"gpgParams":"Parametri GPG",
|
||||
"grantSessionRules":"Condizioni di apertura",
|
||||
"groups":"Gruppi",
|
||||
"groupsBeforeMacros":"Compute groups before macros",
|
||||
"hashkey":"Chiave",
|
||||
"headers":"Intestazioni HTTP",
|
||||
"hGroups":"Gruppi (HashRef)",
|
||||
|
|
|
|||
|
|
@ -323,6 +323,7 @@
|
|||
"gpgParams":"GPG parametreleri",
|
||||
"grantSessionRules":"Açılış koşulları",
|
||||
"groups":"Gruplar",
|
||||
"groupsBeforeMacros":"Compute groups before macros",
|
||||
"hashkey":"Anahtar",
|
||||
"headers":"HTTP Başlıkları",
|
||||
"hGroups":"Gruplar (HashRef)",
|
||||
|
|
@ -1109,4 +1110,4 @@
|
|||
"samlRelayStateTimeout":"RelayState oturum zaman aşımı",
|
||||
"samlUseQueryStringSpecific":"Spesifik query_string metodu kullan",
|
||||
"samlOverrideIDPEntityID":"IDP olarak davrandığında Varlık ID'yi geçersiz kıl"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -323,6 +323,7 @@
|
|||
"gpgParams":"Tham số GPG",
|
||||
"grantSessionRules":"Điều kiện mở",
|
||||
"groups":"Nhóm",
|
||||
"groupsBeforeMacros":"Compute groups before macros",
|
||||
"hashkey":"Khóa",
|
||||
"headers":"Tiêu đề HTTP",
|
||||
"hGroups":"Nhóm (HashRef)",
|
||||
|
|
|
|||
|
|
@ -323,6 +323,7 @@
|
|||
"gpgParams":"GPG parameters",
|
||||
"grantSessionRules":"Opening conditions",
|
||||
"groups":"Groups",
|
||||
"groupsBeforeMacros":"Compute groups before macros",
|
||||
"hashkey":"Key",
|
||||
"headers":"HTTP Headers",
|
||||
"hGroups":"Groups (HashRef)",
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
|
@ -1381,8 +1381,8 @@ sub token {
|
|||
$req->user( $refreshSession->data->{_session_uid} );
|
||||
$req->steps( [
|
||||
'getUser', @{ $self->p->betweenAuthAndData },
|
||||
'setSessionInfo', 'setMacros',
|
||||
'setGroups', 'setLocalGroups',
|
||||
'setSessionInfo', $self->p->groupsAndMacros,
|
||||
'setLocalGroups',
|
||||
]
|
||||
);
|
||||
$req->{error} = $self->p->process($req);
|
||||
|
|
|
|||
|
|
@ -19,12 +19,23 @@ use JSON;
|
|||
|
||||
has trOverCache => ( is => 'rw', default => sub { {} } );
|
||||
|
||||
# The execution order between groups and macros can be
|
||||
# modified in config (#1877)
|
||||
sub groupsAndMacros {
|
||||
return (
|
||||
$_[0]->conf->{groupsBeforeMacros}
|
||||
? qw(setGroups setMacros)
|
||||
: qw(setMacros setGroups)
|
||||
);
|
||||
}
|
||||
|
||||
# List constants
|
||||
sub authProcess { qw(extractFormInfo getUser authenticate) }
|
||||
|
||||
sub sessionData {
|
||||
qw(setAuthSessionInfo setSessionInfo setMacros setGroups setPersistentSessionInfo
|
||||
setLocalGroups store secondFactor);
|
||||
return
|
||||
qw(setAuthSessionInfo setSessionInfo), $_[0]->groupsAndMacros,
|
||||
qw(setPersistentSessionInfo setLocalGroups store secondFactor);
|
||||
}
|
||||
|
||||
sub validSession {
|
||||
|
|
@ -178,8 +189,7 @@ sub refresh {
|
|||
@{ $self->betweenAuthAndData },
|
||||
'setAuthSessionInfo',
|
||||
'setSessionInfo',
|
||||
'setMacros',
|
||||
'setGroups',
|
||||
$self->groupsAndMacros,
|
||||
'setLocalGroups',
|
||||
sub {
|
||||
$req->sessionInfo->{$_} = $data{$_} foreach ( keys %data );
|
||||
|
|
|
|||
|
|
@ -48,12 +48,9 @@ sub check {
|
|||
# - "extractFormInfo" due to "token"
|
||||
# - "buildCookie" useless here
|
||||
$req->steps( [
|
||||
'getUser',
|
||||
'authenticate',
|
||||
@{ $self->p->betweenAuthAndData },
|
||||
qw( setAuthSessionInfo setSessionInfo setMacros setGroups
|
||||
setPersistentSessionInfo setLocalGroups store secondFactor),
|
||||
@{ $self->p->afterData }, 'storeHistory',
|
||||
'getUser', 'authenticate',
|
||||
@{ $self->p->betweenAuthAndData }, $self->sessionData,
|
||||
@{ $self->p->afterData }, 'storeHistory',
|
||||
@{ $self->p->endAuth }
|
||||
]
|
||||
);
|
||||
|
|
|
|||
|
|
@ -354,7 +354,7 @@ sub _userData {
|
|||
my ( $self, $req ) = @_;
|
||||
|
||||
# Compute session
|
||||
my $steps = [ 'getUser', 'setSessionInfo', 'setMacros', 'setGroups' ];
|
||||
my $steps = [ 'getUser', 'setSessionInfo', $self->p->groupsAndMacros, ];
|
||||
$self->conf->{checkUserDisplayPersistentInfo}
|
||||
? push @$steps, 'setPersistentSessionInfo', 'setLocalGroups'
|
||||
: push @$steps, 'setLocalGroups';
|
||||
|
|
|
|||
|
|
@ -145,7 +145,8 @@ sub run {
|
|||
return $self->p->do( $req, [ sub { PE_NOTOKEN } ] );
|
||||
}
|
||||
unless ( $self->ott->getToken($token) ) {
|
||||
$self->userLogger->warn('ContextSwitching called with an expired/bad token');
|
||||
$self->userLogger->warn(
|
||||
'ContextSwitching called with an expired/bad token');
|
||||
return $self->p->do( $req, [ sub { PE_TOKENEXPIRED } ] );
|
||||
}
|
||||
}
|
||||
|
|
@ -202,11 +203,10 @@ sub _switchContext {
|
|||
|
||||
# Search user in database & create session
|
||||
$req->steps( [
|
||||
'getUser', 'setAuthSessionInfo',
|
||||
'setSessionInfo', 'setMacros',
|
||||
'setGroups', 'setPersistentSessionInfo',
|
||||
'setLocalGroups', 'store',
|
||||
'buildCookie'
|
||||
'getUser', 'setAuthSessionInfo',
|
||||
'setSessionInfo', $self->p->groupsAndMacros,
|
||||
'setPersistentSessionInfo', 'setLocalGroups',
|
||||
'store', 'buildCookie'
|
||||
]
|
||||
);
|
||||
if ( my $error = $self->p->process($req) ) {
|
||||
|
|
|
|||
|
|
@ -119,7 +119,8 @@ sub run {
|
|||
$self->logger->debug("Populating spoof session...");
|
||||
foreach (qw (_auth _userDB authenticationLevel)) {
|
||||
$self->logger->debug("Processing $_...");
|
||||
$spoofSession->{$_} = $realSession->{"$self->{conf}->{impersonationPrefix}$_"};
|
||||
$spoofSession->{$_} =
|
||||
$realSession->{"$self->{conf}->{impersonationPrefix}$_"};
|
||||
}
|
||||
|
||||
# Merging SSO Groups and hGroups & dedup
|
||||
|
|
@ -192,9 +193,8 @@ sub _userData {
|
|||
|
||||
# Search user in database
|
||||
$req->steps( [
|
||||
'getUser', 'setSessionInfo',
|
||||
'setMacros', 'setGroups',
|
||||
'setLocalGroups'
|
||||
'getUser', 'setSessionInfo',
|
||||
$self->p->groupsAndMacros, 'setLocalGroups'
|
||||
]
|
||||
);
|
||||
if ( my $error = $self->p->process($req) ) {
|
||||
|
|
@ -227,9 +227,8 @@ sub _userData {
|
|||
$req->{sessionInfo} = {%$realSession};
|
||||
$req->{user} = $realId;
|
||||
$req->steps( [
|
||||
'getUser', 'setSessionInfo',
|
||||
'setMacros', 'setGroups',
|
||||
'setLocalGroups'
|
||||
'getUser', 'setSessionInfo',
|
||||
$self->p->groupsAndMacros, 'setLocalGroups'
|
||||
]
|
||||
);
|
||||
$self->logger->debug('Spoof session equal real session');
|
||||
|
|
|
|||
|
|
@ -188,9 +188,9 @@ sub _reset {
|
|||
|
||||
# Search user in database
|
||||
$req->steps( [
|
||||
'getUser', 'setSessionInfo',
|
||||
'setMacros', 'setGroups',
|
||||
'setPersistentSessionInfo', 'setLocalGroups'
|
||||
'getUser', 'setSessionInfo',
|
||||
$self->p->groupsAndMacros, 'setPersistentSessionInfo',
|
||||
'setLocalGroups'
|
||||
]
|
||||
);
|
||||
if ( my $error = $self->p->process( $req, useMail => $searchByMail ) ) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user