Discard maintenance mode with bad rules files & improve hidden attributes filtering (#2668)

2021-12-01 10:48:08 +01:00 · 2021-12-01 10:48:08 +01:00 · 77e7575317
commit 77e7575317
parent d1676f8f39
2 changed files with 76 additions and 31 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckDevOps.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckDevOps.pm
@ -198,7 +198,7 @@ sub parse {
        # Removed hidden session attributes
        foreach my $v ( split /[,\s]+/, $self->conf->{hiddenAttributes} ) {
            foreach ( keys %{ $json->{headers} } ) {
-                if ( $json->{headers}->{$_} eq '$' . $v ) {
+                if ( $json->{headers}->{$_} =~ /\$$v/ ) {
                    delete $json->{headers}->{$_};
                    my $user = $req->userData->{ $self->conf->{whatToTrace} };
                    $self->userLogger->warn(
@ -212,39 +212,55 @@ sub parse {
        $handler->headersInit( undef, { $vhost => $json->{headers} } );
        $headers = $handler->checkHeaders( $req, $req->userData );

-        # Normalize headers name if required
-        if ( $self->conf->{checkDevOpsDisplayNormalizedHeaders} ) {
-            $self->logger->debug("Normalize headers...");
-            @$headers = map {
-                ;    # Prevent compilation error with old Perl versions
-                no strict 'refs';
-                {
-                    key   => &{ $handler . '::cgiName' }( $_->{key} ),
-                    value => $_->{value}
-                }
-            } @$headers;
+        if ( $handler->tsv->{maintenance}->{$vhost} ) {
+
+            # Prepare form params
+            undef $json;
+            $headers = [];
+            $alert   = 'alert-danger';
+            $msg     = 'PE' . PE_BAD_DEVOPS_FILE;
+            $self->userLogger->error(
+                "CheckDevOps: bad 'rules.json' file (headers)");
+            $handler->tsv->{maintenance}->{$vhost} = 0;
        }
+        else {

-        my $headers_list = join ', ', map "$_->{key}:$_->{value}", @$headers;
-        $self->logger->debug("CheckDevOps compiled headers: $headers_list");
-
-        # Compile rules
-        @$rules = map {
-            my ( $sub, $flag ) = $handler->conditionSub( $json->{rules}->{$_} );
-            {
-                uri    => $_,
-                access => $sub->( $req, $req->userData )
-                ? 'allowed'
-                : 'forbidden'
+            # Normalize headers name if required
+            if ( $self->conf->{checkDevOpsDisplayNormalizedHeaders} ) {
+                $self->logger->debug("Normalize headers...");
+                @$headers = map {
+                    ;    # Prevent compilation error with old Perl versions
+                    no strict 'refs';
+                    {
+                        key   => &{ $handler . '::cgiName' }( $_->{key} ),
+                        value => $_->{value}
+                    }
+                } @$headers;
            }
-        } sort keys %{ $json->{rules} };
-        my $rules_list = join ', ', map "$_->{uri}:$_->{access}", @$rules;
-        $self->logger->debug("CheckDevOps compiled rules: $rules_list");

-        # Prepare form params
-        $msg   = 'checkDevOps';
-        $alert = 'alert-info';
-        $json  = JSON->new->ascii->pretty->encode($json);    # Pretty print
+            my $headers_list = join ', ', map "$_->{key}:$_->{value}",
+              @$headers;
+            $self->logger->debug("CheckDevOps compiled headers: $headers_list");
+
+            # Compile rules
+            @$rules = map {
+                my ( $sub, $flag ) =
+                  $handler->conditionSub( $json->{rules}->{$_} );
+                {
+                    uri    => $_,
+                    access => $sub->( $req, $req->userData )
+                    ? 'allowed'
+                    : 'forbidden'
+                }
+            } sort keys %{ $json->{rules} };
+            my $rules_list = join ', ', map "$_->{uri}:$_->{access}", @$rules;
+            $self->logger->debug("CheckDevOps compiled rules: $rules_list");
+
+            # Prepare form params
+            $msg   = 'checkDevOps';
+            $alert = 'alert-info';
+            $json  = JSON->new->ascii->pretty->encode($json);    # Pretty print
+        }
    }

    # Prepare form
--- a/lemonldap-ng-portal/t/56-CheckDevOps.t
+++ b/lemonldap-ng-portal/t/56-CheckDevOps.t
@ -19,7 +19,7 @@ my $file = '{
    "User": "$uid",
    "Mail": "$mail",
    "Name": "$cn",
-    "UA": "$UA"
+    "UA": "$UA ? $UA : qq#FF#"
  }
 }';
 my $bad_file = '{
@ -31,6 +31,15 @@ my $bad_file = '{
    "User": "$uid",
  }
 }';
+my $bad_file2 = qq%{
+  "rules": {
+    "default": "accept"
+  },
+  "headers": {
+    "User": "'user",
+    "Mail": "'mail'"
+  }
+}%;
 my $client = LLNG::Manager::Test->new( {
        ini => {
            logLevel                            => 'error',
@ -122,6 +131,26 @@ count(2);
 ( $host, $url, $query ) =
  expectForm( $res, undef, '/checkdevops', 'checkDevOpsFile', 'token' );

+# POST bad file2
+# --------------
+$query .= "&checkDevOpsFile=$bad_file2";
+ok(
+    $res = $client->_post(
+        '/checkdevops',
+        IO::String->new($query),
+        cookie => "lemonldap=$id",
+        length => length($query),
+        accept => 'text/html'
+    ),
+    'POST checkdevops with bad file2'
+);
+ok( $res->[2]->[0] =~ m%<span trspan="PE104"></span>%,
+    'Found PE_BAD_DEVOPS_FILE' )
+  or explain( $res->[2]->[0], 'trspan="PE104"' );
+count(2);
+( $host, $url, $query ) =
+  expectForm( $res, undef, '/checkdevops', 'checkDevOpsFile', 'token' );
+
 # POST file
 # ---------
 $query .= "&checkDevOpsFile=$file";