Pass encryption key to custom functions + Update doc

This commit is contained in:
Christophe Maudoux 2022-06-18 17:56:05 +02:00
parent 2f1d2a5e3b
commit 7ad7ce8bac
8 changed files with 28 additions and 43 deletions


@ -50,7 +50,7 @@ master_doc = 'start'
# General information about the project. # General information about the project.
project = u'LemonLDAP::NG' project = u'LemonLDAP::NG'
copyright = u'2021, LemonLDAP::NG' copyright = u'2022, LemonLDAP::NG'
author = u'LemonLDAP::NG' author = u'LemonLDAP::NG'
# The version info for the project you're documenting, acts as replacement for # The version info for the project you're documenting, acts as replacement for


@ -16,19 +16,19 @@ DecryptValue plugin can be allowed or denied for specific users.
- **Use rule**: Select which users may use this plugin - **Use rule**: Select which users may use this plugin
- **Decrypt functions**: Set functions used for decrypting ciphered - **Decrypt functions**: Set functions used for decrypting ciphered
values. Each function is tested until one succeeds. Let it blank values. Each function is tested until one succeeds. Let it blank
to use internal decrypt function. to use internal ``decrypt`` extended function.
.. danger:: .. attention::
The ciphered value is the first parameter passed to custom functions.
The ``Encryption key`` is passed to custom funtions as second parameter
(see :ref:`Security settings<security-configure-security-settings>)`.
Custom functions must be defined into Custom functions must be defined into
``Lemonldap::NG::Portal::My::Plugin`` and set: ``My::Plugin`` and set:
:: ::
My::Plugin::function1 My::Plugin::function2 My::Plugin::function1 My::Plugin::function2
.. |image0| image:: /documentation/beta.png
:width: 100px


@ -310,7 +310,7 @@ Go in Manager, ``General parameters`` » ``Advanced parameters`` »
authentication renewal cannot be forced, used to prevent to loose the authentication renewal cannot be forced, used to prevent to loose the
current authentication during the main process. If you experience current authentication during the main process. If you experience
slow network performances, you can increase this value. slow network performances, you can increase this value.
- **Encryption key**: key used to crypt some data, should not be known - **Encryption key**: key used for crypting some data, should not be known
by other applications by other applications
- **Trusted domains**: domains on which the user can be redirected - **Trusted domains**: domains on which the user can be redirected
after login on portal. after login on portal.


@ -288,7 +288,7 @@ Name Description
:doc:`Context switching<contextswitching>` [7]_\ |new| Switch context other users :doc:`Context switching<contextswitching>` [7]_\ |new| Switch context other users
:doc:`CrowdSec<crowdsec>` [8]_\ |new| CrowdSec bouncer :doc:`CrowdSec<crowdsec>` [8]_\ |new| CrowdSec bouncer
:doc:`Custom<plugincustom>` Write a custom plugin :doc:`Custom<plugincustom>` Write a custom plugin
:doc:`Decrypt value<decryptvalue>` [9]_\ |beta| Decrypt ciphered values :doc:`Decrypt value<decryptvalue>` [9]_\ Decrypt ciphered values
:doc:`Display login history<loginhistory>` Display Success/Fails logins :doc:`Display login history<loginhistory>` Display Success/Fails logins
:doc:`Force Authentication<forcereauthn>` Force authentication to access to Portal :doc:`Force Authentication<forcereauthn>` Force authentication to access to Portal
:doc:`Global Logout<globallogout>` [10]_ Suggest to close all opened sessions at logout :doc:`Global Logout<globallogout>` [10]_ Suggest to close all opened sessions at logout


@ -8,7 +8,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED
); );
our $VERSION = '2.0.12'; our $VERSION = '2.0.15';
extends qw( extends qw(
Lemonldap::NG::Portal::Main::Plugin Lemonldap::NG::Portal::Main::Plugin
@ -37,13 +37,7 @@ sub init {
$self->rule( $self->rule(
$self->p->buildRule( $self->conf->{decryptValueRule}, 'decryptValue' ) $self->p->buildRule( $self->conf->{decryptValueRule}, 'decryptValue' )
); );
return 0 unless $self->rule; return $self->rule ? 1 : 0;
# Add warning in log
$self->logger->warn(
"DecryptValue plugin is enabled. You are using a beta version!");
return 1;
} }
# RUNNING METHOD # RUNNING METHOD
@ -59,10 +53,6 @@ sub display {
# Display form # Display form
my $params = { my $params = {
PORTAL => $self->conf->{portal},
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->p->getSkin($req),
LANGS => $self->conf->{showLanguages},
MSG => 'decryptCipheredValue', MSG => 'decryptCipheredValue',
ALERTE => 'alert-warning', ALERTE => 'alert-warning',
TOKEN => ( TOKEN => (
@ -106,10 +96,6 @@ sub run {
} }
my $params = { my $params = {
PORTAL => $self->conf->{portal},
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->p->getSkin($req),
LANGS => $self->conf->{showLanguages},
MSG => "PE$msg", MSG => "PE$msg",
ALERTE => 'alert-warning', ALERTE => 'alert-warning',
TOKEN => $token, TOKEN => $token,
@ -124,18 +110,20 @@ sub run {
$self->logger->debug("decryptValue tried with value: $cipheredValue"); $self->logger->debug("decryptValue tried with value: $cipheredValue");
if ($cipheredValue) { if ($cipheredValue) {
if ( $self->{conf}->{decryptValueFunctions} if ( $self->conf->{decryptValueFunctions}
and $self->{conf}->{decryptValueFunctions} =~ and $self->conf->{decryptValueFunctions} =~
qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/ ) qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/ )
{ {
foreach ( split( /\s+/, $self->{conf}->{decryptValueFunctions} ) ) { foreach ( split( /\s+/, $self->{conf}->{decryptValueFunctions} ) ) {
$self->userLogger->notice( $self->userLogger->notice(
"Try to decrypt value with function: $_"); "Try to decrypt value with function: $_");
/^([\w:{2}]*?)(?:::)?(?:\w+)$/; /^([\w:{2}]*?)(?:::)?(?:\w+)$/;
eval "require Lemonldap::NG::Portal::$1"; eval "require $1";
$self->logger->debug("Unable to load decrypt module: $@") $self->logger->debug("Unable to load decrypt module: $@")
if ($@); if ($@);
$decryptedValue = eval "$_" . '($cipheredValue)' unless ($@); my $key = $self->conf->{key};
$decryptedValue = eval "$_" . '($cipheredValue, $key)'
unless ($@);
$self->logger->debug( $self->logger->debug(
$@ $@
? "Unable to eval decrypt function: $@" ? "Unable to eval decrypt function: $@"
@ -146,7 +134,7 @@ sub run {
} }
else { else {
$self->userLogger->notice("Malformed decrypt functions") $self->userLogger->notice("Malformed decrypt functions")
if $self->{conf}->{decryptValueFunctions}; if $self->conf->{decryptValueFunctions};
$self->userLogger->notice( $self->userLogger->notice(
"Try to decrypt value with internal LL::NG decrypt function"); "Try to decrypt value with internal LL::NG decrypt function");
$decryptedValue = $decryptedValue =
@ -161,10 +149,6 @@ sub run {
# Display form # Display form
my $params = { my $params = {
PORTAL => $self->conf->{portal},
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->p->getSkin($req),
LANGS => $self->conf->{showLanguages},
MSG => 'decryptCipheredValue', MSG => 'decryptCipheredValue',
DECRYPTED => ( DECRYPTED => (
$decryptedValue ? $decryptedValue $decryptedValue ? $decryptedValue
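Review bot: The `eval "require $1";` line in the `@ -124,18 +110,20 @@` hunk takes `$1` from the preceding unchecked statement `/^([\w:{2}]*?)(?:::)?(?:\w+)$/;`, so when that pattern does not match, `$1` still holds whatever an earlier match left (or undef) and `require` is attempted on a stale or empty name; capturing the result makes the step explicit, e.g. `my ($module) = /^([\w:{2}]*?)(?:::)?(?:\w+)$/ or next;` followed by `eval "require $module";`. The same hunk drops the `Lemonldap::NG::Portal::` prefix, so any package reachable through `@INC` whose name passes the `qr/^(?:\w+(?:::\w+)*...)?$/` character check can now be loaded and then called with `$self->conf->{key}`; a comment above the `foreach` should state that `decryptValueFunctions` is administrator-controlled code that receives the portal encryption key, since the regex only constrains the characters of the name, not which module it resolves to. `my $key = $self->conf->{key};` is re-read on every iteration and can be hoisted above the loop, and that `foreach` line still uses `$self->{conf}->{decryptValueFunctions}` while the surrounding lines were moved to the `$self->conf->{...}` accessor. `run` starts and ends outside this hunk.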


@ -136,7 +136,7 @@
"checkUserNoSessionFound":"Pas de session SSO trouvée", "checkUserNoSessionFound":"Pas de session SSO trouvée",
"choose2f":"Choisissez votre second facteur", "choose2f":"Choisissez votre second facteur",
"chooseApp":"Choisissez une application à laquelle vous êtes autorisé à accéder", "chooseApp":"Choisissez une application à laquelle vous êtes autorisé à accéder",
"cipheredValue":"Valeur cryptée", "cipheredValue":"Valeur chiffrée",
"click2Reset":"Cliquez içi pour réinitialiser votre mot de passe", "click2Reset":"Cliquez içi pour réinitialiser votre mot de passe",
"clickHere":"Cliquez ici", "clickHere":"Cliquez ici",
"clickOnYubikey":"Cliquez sur votre Yubikey", "clickOnYubikey":"Cliquez sur votre Yubikey",
@ -155,7 +155,7 @@
"current":"Courante", "current":"Courante",
"currentPwd":"Mot de passe actuel", "currentPwd":"Mot de passe actuel",
"date":"Date", "date":"Date",
"decryptCipheredValue":"Déchiffrer une valeur cryptée", "decryptCipheredValue":"Décoder une valeur chriffée",
"enterCred":"Merci de vous authentifier", "enterCred":"Merci de vous authentifier",
"enterExt2fCode":"Un code vous a été envoyé, entrez-le ici", "enterExt2fCode":"Un code vous a été envoyé, entrez-le ici",
"enterMail2fCode":"Un code vous a été envoyé par mail, entrez-le ici", "enterMail2fCode":"Un code vous a été envoyé par mail, entrez-le ici",
@ -216,7 +216,7 @@
"noNotification":"Aucune notification acceptée trouvée", "noNotification":"Aucune notification acceptée trouvée",
"noTOTPFound":"Aucun secret TOTP trouvé", "noTOTPFound":"Aucun secret TOTP trouvé",
"noU2FKeyFound":"Aucune clef U2F trouvée", "noU2FKeyFound":"Aucune clef U2F trouvée",
"notAnEncryptedValue":"Ce n'est pas une valeur cryptée", "notAnEncryptedValue":"Impossible de décoder cette valeur",
"notAuthorized":"Vous n'êtes pas autorisé à faire cette requête", "notAuthorized":"Vous n'êtes pas autorisé à faire cette requête",
"notAuthorizedAuthLevel":"Cette action requiert un niveau d'authentification supérieur", "notAuthorizedAuthLevel":"Cette action requiert un niveau d'authentification supérieur",
"notFound":"Non trouvé : vous tentez d'accéder à une page non disponible", "notFound":"Non trouvé : vous tentez d'accéder à une page non disponible",


@ -14,12 +14,13 @@ my $client = LLNG::Manager::Test->new( {
logLevel => 'error', logLevel => 'error',
authentication => 'Demo', authentication => 'Demo',
userDB => 'Same', userDB => 'Same',
key => 'Demo',
loginHistoryEnabled => 0, loginHistoryEnabled => 0,
brutForceProtection => 0, brutForceProtection => 0,
requireToken => 0, requireToken => 0,
decryptValueRule => 1, decryptValueRule => 1,
decryptValueFunctions => decryptValueFunctions =>
'Custom::empty Custom::test_uc Custom::undefined', 'Lemonldap::NG::Portal::Custom::empty Lemonldap::NG::Portal::Custom::test_uc Lemonldap::NG::Portal::Custom::undefined',
} }
} }
); );
@ -84,7 +85,7 @@ ok(
), ),
'POST decryptvalue with valid value' 'POST decryptvalue with valid value'
); );
ok( $res->[2]->[0] =~ m%<span trspan="LOWERCASE"></span>%, ok( $res->[2]->[0] =~ m%<span trspan="LOWERCASE_DEMO"></span>%,
'Found decryted value' ) 'Found decryted value' )
or explain( $res->[2]->[0], 'Decryted value NOT found' ); or explain( $res->[2]->[0], 'Decryted value NOT found' );
count(2); count(2);


@ -1,4 +1,4 @@
package Custom; package Lemonldap::NG::Portal::Custom;
sub empty { sub empty {
return ''; return '';
@ -9,7 +9,7 @@ sub undefined {
} }
sub test_uc { sub test_uc {
return uc $_[0]; return uc($_[0] . '_' . $_[1]);
} }
1; 1;
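Review bot: `test_uc` now concatenates `$_[1]` without a defined check, so a call with a single argument (the pre-commit calling convention) emits an uninitialized-value warning and returns a value ending in `_`; `my ($value, $key) = @_; return uc( $value . '_' . ( $key // '' ) );` keeps the new two-argument output and names the contract the caller is expected to honour. The first hunk shows lines 1–4 of the file with no `use strict; use warnings;` after the `package` line, which is worth adding even in a test fixture so slips like this surface as diagnostics. The `undefined` sub whose closing brace opens the second hunk begins outside it.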