Add new inGroup function to test group membership (#2036)

lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm

@@ -595,6 +595,9 @@ sub substitute {
     $expr =~ s/\$env->\{/\$r->{env}->\{/g;
     $expr =~ s/\bskip\b/q\{999_SKIP\}/g;
 
+    # handle inGroup
+    $expr =~ s/\binGroup\(([^)]*)\)/listMatch(\$s->{'hGroups'},\1,1),/g;
+
     return $expr;
 }
 

lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t

@@ -81,6 +81,23 @@ ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
 ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
 count(2);
 
+# Required "timelords" group
+ok(
+    $res =
+      $client->_get( '/fortimelords', undef, undef, "lemonldap=$sessionId" ),
+    'Require Timelords group'
+);
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
+count(2);
+
+# Required "dalek" group
+ok(
+    $res = $client->_get( '/fordaleks', undef, undef, "lemonldap=$sessionId" ),
+    'Require Dalek group'
+);
+ok( $res->[0] == 403, 'Code is 403' ) or explain( $res, 403 );
+count(2);
+
 # Required AuthnLevel = 1
 ok( $res = $client->_get( '/AuthWeak', undef, undef, "lemonldap=$sessionId" ),
     'Weak Authentified query' );

lemonldap-ng-handler/t/lmConf-1.json

@@ -47,6 +47,8 @@
       "^/test-uri2": "varIsInUri($ENV{REQUEST_URI}, '/test-uri2/', $uid)",
       "^/test-restricted_uri": "varIsInUri($ENV{REQUEST_URI}, '/test-restricted_uri/', \"$uid/\", 1)",
       "^/skipif": "$ENV{REQUEST_URI} =~ /zz/ ? skip : 1",
+      "^/fortimelords": "inGroup('timelords')",
+      "^/fordaleks": "inGroup('daleks')",
       "^/logout": "logout_sso",
       "^/deny": "deny",
       "default": "accept"

lemonldap-ng-handler/t/test-psgi-lib.pm

@@ -46,17 +46,42 @@ sub init {
     my $now = time;
     my $ts  = strftime "%Y%m%d%H%M%S", localtime;
 
-    print F '{"_updateTime":"'
-      . $ts
-      . '","_timezone":"1","_session_kind":"SSO","_passwordDB":"Demo","_startTime":"'
-      . $ts
-      . '","ipAddr":"127.0.0.1","UA":"Mozilla/5.0 (X11; VAX4000; rv:43.0) Gecko/20100101 Firefox/143.0 Iceweasel/143.0.1","_user":"dwho","_userDB":"Demo","_lastAuthnUTime":'
-      . $now
-      . ',"uid":"dwho","_issuerDB":"Null","_session_id":"f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545","authenticationLevel":1,"_whatToTrace":"dwho","_auth":"Demo","_utime":'
-      . $now
-      . ',"_loginHistory":{"successLogin":[{"ipAddr":"127.0.0.1","_utime":'
-      . $now
-      . '}]},"cn":"Doctor Who","mail":"dwho@badwolf.org"}';
+    print F <<EOF;
+    {
+   "_startTime" : "$ts",
+   "_session_kind" : "SSO",
+   "UA" : "Mozilla/5.0 (X11; VAX4000; rv:43.0) Gecko/20100101 Firefox/143.0 Iceweasel/143.0.1",
+   "cn" : "Doctor Who",
+   "_utime" : $now,
+   "_whatToTrace" : "dwho",
+   "mail" : "dwho\@badwolf.org",
+   "_passwordDB" : "Demo",
+   "_lastAuthnUTime" : $now,
+   "uid" : "dwho",
+   "_issuerDB" : "Null",
+   "_userDB" : "Demo",
+   "_user" : "dwho",
+   "_session_id" : "f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545",
+   "authenticationLevel" : 1,
+   "_auth" : "Demo",
+   "_updateTime" : "$ts",
+   "_loginHistory" : {
+      "successLogin" : [
+         {
+            "ipAddr" : "127.0.0.1",
+            "_utime" : $now
+         }
+      ]
+   },
+   "ipAddr" : "127.0.0.1",
+   "_timezone" : "1",
+   "groups" : "users; timelords",
+   "hGroups" : {
+      "users" : {},
+      "timelords" : {}
+   }
+}
+EOF
     close F;
 }