Pass encryption key to custom functions + Update doc

This commit is contained in:
Christophe Maudoux 2022-06-18 17:56:05 +02:00
parent 2f1d2a5e3b
commit 7ad7ce8bac
8 changed files with 28 additions and 43 deletions


@ -50,7 +50,7 @@ master_doc = 'start'
# General information about the project.
project = u'LemonLDAP::NG'
copyright = u'2021, LemonLDAP::NG'
copyright = u'2022, LemonLDAP::NG'
author = u'LemonLDAP::NG'
# The version info for the project you're documenting, acts as replacement for


@ -16,19 +16,19 @@ DecryptValue plugin can be allowed or denied for specific users.
- **Use rule**: Select which users may use this plugin
- **Decrypt functions**: Set functions used for decrypting ciphered
values. Each function is tested until one succeeds. Let it blank
to use internal decrypt function.
to use internal ``decrypt`` extended function.
.. danger::
.. attention::
The ciphered value is the first parameter passed to custom functions.
The ``Encryption key`` is passed to custom funtions as second parameter
(see :ref:`Security settings<security-configure-security-settings>)`.
Custom functions must be defined into
``Lemonldap::NG::Portal::My::Plugin`` and set:
``My::Plugin`` and set:
::
My::Plugin::function1 My::Plugin::function2
.. |image0| image:: /documentation/beta.png
:width: 100px


@ -310,7 +310,7 @@ Go in Manager, ``General parameters`` » ``Advanced parameters`` »
authentication renewal cannot be forced, used to prevent to loose the
current authentication during the main process. If you experience
slow network performances, you can increase this value.
- **Encryption key**: key used to crypt some data, should not be known
- **Encryption key**: key used for crypting some data, should not be known
by other applications
- **Trusted domains**: domains on which the user can be redirected
after login on portal.


@ -288,7 +288,7 @@ Name Description
:doc:`Context switching<contextswitching>` [7]_\ |new| Switch context other users
:doc:`CrowdSec<crowdsec>` [8]_\ |new| CrowdSec bouncer
:doc:`Custom<plugincustom>` Write a custom plugin
:doc:`Decrypt value<decryptvalue>` [9]_\ |beta| Decrypt ciphered values
:doc:`Decrypt value<decryptvalue>` [9]_\ Decrypt ciphered values
:doc:`Display login history<loginhistory>` Display Success/Fails logins
:doc:`Force Authentication<forcereauthn>` Force authentication to access to Portal
:doc:`Global Logout<globallogout>` [10]_ Suggest to close all opened sessions at logout


@ -8,7 +8,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED
);
our $VERSION = '2.0.12';
our $VERSION = '2.0.15';
extends qw(
Lemonldap::NG::Portal::Main::Plugin
@ -37,13 +37,7 @@ sub init {
$self->rule(
$self->p->buildRule( $self->conf->{decryptValueRule}, 'decryptValue' )
);
return 0 unless $self->rule;
# Add warning in log
$self->logger->warn(
"DecryptValue plugin is enabled. You are using a beta version!");
return 1;
return $self->rule ? 1 : 0;
}
# RUNNING METHOD
@ -59,10 +53,6 @@ sub display {
# Display form
my $params = {
PORTAL => $self->conf->{portal},
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->p->getSkin($req),
LANGS => $self->conf->{showLanguages},
MSG => 'decryptCipheredValue',
ALERTE => 'alert-warning',
TOKEN => (
@ -106,10 +96,6 @@ sub run {
}
my $params = {
PORTAL => $self->conf->{portal},
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->p->getSkin($req),
LANGS => $self->conf->{showLanguages},
MSG => "PE$msg",
ALERTE => 'alert-warning',
TOKEN => $token,
@ -124,18 +110,20 @@ sub run {
$self->logger->debug("decryptValue tried with value: $cipheredValue");
if ($cipheredValue) {
if ( $self->{conf}->{decryptValueFunctions}
and $self->{conf}->{decryptValueFunctions} =~
if ( $self->conf->{decryptValueFunctions}
and $self->conf->{decryptValueFunctions} =~
qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/ )
{
foreach ( split( /\s+/, $self->{conf}->{decryptValueFunctions} ) ) {
$self->userLogger->notice(
"Try to decrypt value with function: $_");
/^([\w:{2}]*?)(?:::)?(?:\w+)$/;
eval "require Lemonldap::NG::Portal::$1";
eval "require $1";
$self->logger->debug("Unable to load decrypt module: $@")
if ($@);
$decryptedValue = eval "$_" . '($cipheredValue)' unless ($@);
my $key = $self->conf->{key};
$decryptedValue = eval "$_" . '($cipheredValue, $key)'
unless ($@);
$self->logger->debug(
$@
? "Unable to eval decrypt function: $@"
@ -146,7 +134,7 @@ sub run {
}
else {
$self->userLogger->notice("Malformed decrypt functions")
if $self->{conf}->{decryptValueFunctions};
if $self->conf->{decryptValueFunctions};
$self->userLogger->notice(
"Try to decrypt value with internal LL::NG decrypt function");
$decryptedValue =
@ -161,10 +149,6 @@ sub run {
# Display form
my $params = {
PORTAL => $self->conf->{portal},
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->p->getSkin($req),
LANGS => $self->conf->{showLanguages},
MSG => 'decryptCipheredValue',
DECRYPTED => (
$decryptedValue ? $decryptedValue
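Review bot: `eval "require $1"`, which replaces `eval "require Lemonldap::NG::Portal::$1"` in the `sub run` hunk, now loads whatever module name the `decryptValueFunctions` setting carries instead of one confined to the portal namespace, and that module is then handed the portal's master key through the new `'($cipheredValue, $key)'` call; this widening of the trust boundary is not recorded anywhere in the code, so a comment at the `if ( $self->conf->{decryptValueFunctions}` guard such as `# decryptValueFunctions is admin-controlled and validated by the regex below; any module on @INC may be loaded from it and receives the portal encryption key` would make it explicit. The new `my $key = $self->conf->{key};` sits inside the `foreach` and is re-read on every iteration; it belongs just above the loop, with the eval'd call left unchanged. The `unless ($@)` that guards the call relies on the `$@` left by the `require` eval surviving the intervening `$self->logger->debug(...)` line, which holds as long as the logger does not run an eval of its own; a short comment, `# $@ still holds the require failure, if any`, would stop a future reader from "fixing" it. `sub run` starts and ends outside the hunk.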


@ -136,7 +136,7 @@
"checkUserNoSessionFound":"Pas de session SSO trouvée",
"choose2f":"Choisissez votre second facteur",
"chooseApp":"Choisissez une application à laquelle vous êtes autorisé à accéder",
"cipheredValue":"Valeur cryptée",
"cipheredValue":"Valeur chiffrée",
"click2Reset":"Cliquez içi pour réinitialiser votre mot de passe",
"clickHere":"Cliquez ici",
"clickOnYubikey":"Cliquez sur votre Yubikey",
@ -155,7 +155,7 @@
"current":"Courante",
"currentPwd":"Mot de passe actuel",
"date":"Date",
"decryptCipheredValue":"Déchiffrer une valeur cryptée",
"decryptCipheredValue":"Décoder une valeur chriffée",
"enterCred":"Merci de vous authentifier",
"enterExt2fCode":"Un code vous a été envoyé, entrez-le ici",
"enterMail2fCode":"Un code vous a été envoyé par mail, entrez-le ici",
@ -216,7 +216,7 @@
"noNotification":"Aucune notification acceptée trouvée",
"noTOTPFound":"Aucun secret TOTP trouvé",
"noU2FKeyFound":"Aucune clef U2F trouvée",
"notAnEncryptedValue":"Ce n'est pas une valeur cryptée",
"notAnEncryptedValue":"Impossible de décoder cette valeur",
"notAuthorized":"Vous n'êtes pas autorisé à faire cette requête",
"notAuthorizedAuthLevel":"Cette action requiert un niveau d'authentification supérieur",
"notFound":"Non trouvé : vous tentez d'accéder à une page non disponible",


@ -14,12 +14,13 @@ my $client = LLNG::Manager::Test->new( {
logLevel => 'error',
authentication => 'Demo',
userDB => 'Same',
key => 'Demo',
loginHistoryEnabled => 0,
brutForceProtection => 0,
requireToken => 0,
decryptValueRule => 1,
decryptValueFunctions =>
'Custom::empty Custom::test_uc Custom::undefined',
'Lemonldap::NG::Portal::Custom::empty Lemonldap::NG::Portal::Custom::test_uc Lemonldap::NG::Portal::Custom::undefined',
}
}
);
@ -84,7 +85,7 @@ ok(
),
'POST decryptvalue with valid value'
);
ok( $res->[2]->[0] =~ m%<span trspan="LOWERCASE"></span>%,
ok( $res->[2]->[0] =~ m%<span trspan="LOWERCASE_DEMO"></span>%,
'Found decryted value' )
or explain( $res->[2]->[0], 'Decryted value NOT found' );
count(2);


@ -1,4 +1,4 @@
package Custom;
package Lemonldap::NG::Portal::Custom;
sub empty {
return '';
@ -9,7 +9,7 @@ sub undefined {
}
sub test_uc {
return uc $_[0];
return uc($_[0] . '_' . $_[1]);
}
1;