Pass encryption key to custom functions + Update doc
This commit is contained in:
parent
2f1d2a5e3b
commit
7ad7ce8bac
|
@ -50,7 +50,7 @@ master_doc = 'start'
|
||||||
|
|
||||||
# General information about the project.
|
# General information about the project.
|
||||||
project = u'LemonLDAP::NG'
|
project = u'LemonLDAP::NG'
|
||||||
copyright = u'2021, LemonLDAP::NG'
|
copyright = u'2022, LemonLDAP::NG'
|
||||||
author = u'LemonLDAP::NG'
|
author = u'LemonLDAP::NG'
|
||||||
|
|
||||||
# The version info for the project you're documenting, acts as replacement for
|
# The version info for the project you're documenting, acts as replacement for
|
||||||
|
|
|
@ -16,19 +16,19 @@ DecryptValue plugin can be allowed or denied for specific users.
|
||||||
- **Use rule**: Select which users may use this plugin
|
- **Use rule**: Select which users may use this plugin
|
||||||
- **Decrypt functions**: Set functions used for decrypting ciphered
|
- **Decrypt functions**: Set functions used for decrypting ciphered
|
||||||
values. Each function is tested until one succeeds. Let it blank
|
values. Each function is tested until one succeeds. Let it blank
|
||||||
to use internal decrypt function.
|
to use internal ``decrypt`` extended function.
|
||||||
|
|
||||||
|
|
||||||
.. danger::
|
.. attention::
|
||||||
|
|
||||||
|
The ciphered value is the first parameter passed to custom functions.
|
||||||
|
|
||||||
|
The ``Encryption key`` is passed to custom funtions as second parameter
|
||||||
|
(see :ref:`Security settings<security-configure-security-settings>)`.
|
||||||
|
|
||||||
Custom functions must be defined into
|
Custom functions must be defined into
|
||||||
``Lemonldap::NG::Portal::My::Plugin`` and set:
|
``My::Plugin`` and set:
|
||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
My::Plugin::function1 My::Plugin::function2
|
My::Plugin::function1 My::Plugin::function2
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
.. |image0| image:: /documentation/beta.png
|
|
||||||
:width: 100px
|
|
||||||
|
|
|
@ -310,7 +310,7 @@ Go in Manager, ``General parameters`` » ``Advanced parameters`` »
|
||||||
authentication renewal cannot be forced, used to prevent to loose the
|
authentication renewal cannot be forced, used to prevent to loose the
|
||||||
current authentication during the main process. If you experience
|
current authentication during the main process. If you experience
|
||||||
slow network performances, you can increase this value.
|
slow network performances, you can increase this value.
|
||||||
- **Encryption key**: key used to crypt some data, should not be known
|
- **Encryption key**: key used for crypting some data, should not be known
|
||||||
by other applications
|
by other applications
|
||||||
- **Trusted domains**: domains on which the user can be redirected
|
- **Trusted domains**: domains on which the user can be redirected
|
||||||
after login on portal.
|
after login on portal.
|
||||||
|
|
|
@ -288,7 +288,7 @@ Name Description
|
||||||
:doc:`Context switching<contextswitching>` [7]_\ |new| Switch context other users
|
:doc:`Context switching<contextswitching>` [7]_\ |new| Switch context other users
|
||||||
:doc:`CrowdSec<crowdsec>` [8]_\ |new| CrowdSec bouncer
|
:doc:`CrowdSec<crowdsec>` [8]_\ |new| CrowdSec bouncer
|
||||||
:doc:`Custom<plugincustom>` Write a custom plugin
|
:doc:`Custom<plugincustom>` Write a custom plugin
|
||||||
:doc:`Decrypt value<decryptvalue>` [9]_\ |beta| Decrypt ciphered values
|
:doc:`Decrypt value<decryptvalue>` [9]_\ Decrypt ciphered values
|
||||||
:doc:`Display login history<loginhistory>` Display Success/Fails logins
|
:doc:`Display login history<loginhistory>` Display Success/Fails logins
|
||||||
:doc:`Force Authentication<forcereauthn>` Force authentication to access to Portal
|
:doc:`Force Authentication<forcereauthn>` Force authentication to access to Portal
|
||||||
:doc:`Global Logout<globallogout>` [10]_ Suggest to close all opened sessions at logout
|
:doc:`Global Logout<globallogout>` [10]_ Suggest to close all opened sessions at logout
|
||||||
|
|
|
@ -8,7 +8,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED
|
PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED
|
||||||
);
|
);
|
||||||
|
|
||||||
our $VERSION = '2.0.12';
|
our $VERSION = '2.0.15';
|
||||||
|
|
||||||
extends qw(
|
extends qw(
|
||||||
Lemonldap::NG::Portal::Main::Plugin
|
Lemonldap::NG::Portal::Main::Plugin
|
||||||
|
@ -37,13 +37,7 @@ sub init {
|
||||||
$self->rule(
|
$self->rule(
|
||||||
$self->p->buildRule( $self->conf->{decryptValueRule}, 'decryptValue' )
|
$self->p->buildRule( $self->conf->{decryptValueRule}, 'decryptValue' )
|
||||||
);
|
);
|
||||||
return 0 unless $self->rule;
|
return $self->rule ? 1 : 0;
|
||||||
|
|
||||||
# Add warning in log
|
|
||||||
$self->logger->warn(
|
|
||||||
"DecryptValue plugin is enabled. You are using a beta version!");
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# RUNNING METHOD
|
# RUNNING METHOD
|
||||||
|
@ -59,10 +53,6 @@ sub display {
|
||||||
|
|
||||||
# Display form
|
# Display form
|
||||||
my $params = {
|
my $params = {
|
||||||
PORTAL => $self->conf->{portal},
|
|
||||||
MAIN_LOGO => $self->conf->{portalMainLogo},
|
|
||||||
SKIN => $self->p->getSkin($req),
|
|
||||||
LANGS => $self->conf->{showLanguages},
|
|
||||||
MSG => 'decryptCipheredValue',
|
MSG => 'decryptCipheredValue',
|
||||||
ALERTE => 'alert-warning',
|
ALERTE => 'alert-warning',
|
||||||
TOKEN => (
|
TOKEN => (
|
||||||
|
@ -106,10 +96,6 @@ sub run {
|
||||||
}
|
}
|
||||||
|
|
||||||
my $params = {
|
my $params = {
|
||||||
PORTAL => $self->conf->{portal},
|
|
||||||
MAIN_LOGO => $self->conf->{portalMainLogo},
|
|
||||||
SKIN => $self->p->getSkin($req),
|
|
||||||
LANGS => $self->conf->{showLanguages},
|
|
||||||
MSG => "PE$msg",
|
MSG => "PE$msg",
|
||||||
ALERTE => 'alert-warning',
|
ALERTE => 'alert-warning',
|
||||||
TOKEN => $token,
|
TOKEN => $token,
|
||||||
|
@ -124,18 +110,20 @@ sub run {
|
||||||
$self->logger->debug("decryptValue tried with value: $cipheredValue");
|
$self->logger->debug("decryptValue tried with value: $cipheredValue");
|
||||||
|
|
||||||
if ($cipheredValue) {
|
if ($cipheredValue) {
|
||||||
if ( $self->{conf}->{decryptValueFunctions}
|
if ( $self->conf->{decryptValueFunctions}
|
||||||
and $self->{conf}->{decryptValueFunctions} =~
|
and $self->conf->{decryptValueFunctions} =~
|
||||||
qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/ )
|
qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/ )
|
||||||
{
|
{
|
||||||
foreach ( split( /\s+/, $self->{conf}->{decryptValueFunctions} ) ) {
|
foreach ( split( /\s+/, $self->{conf}->{decryptValueFunctions} ) ) {
|
||||||
$self->userLogger->notice(
|
$self->userLogger->notice(
|
||||||
"Try to decrypt value with function: $_");
|
"Try to decrypt value with function: $_");
|
||||||
/^([\w:{2}]*?)(?:::)?(?:\w+)$/;
|
/^([\w:{2}]*?)(?:::)?(?:\w+)$/;
|
||||||
eval "require Lemonldap::NG::Portal::$1";
|
eval "require $1";
|
||||||
$self->logger->debug("Unable to load decrypt module: $@")
|
$self->logger->debug("Unable to load decrypt module: $@")
|
||||||
if ($@);
|
if ($@);
|
||||||
$decryptedValue = eval "$_" . '($cipheredValue)' unless ($@);
|
my $key = $self->conf->{key};
|
||||||
|
$decryptedValue = eval "$_" . '($cipheredValue, $key)'
|
||||||
|
unless ($@);
|
||||||
$self->logger->debug(
|
$self->logger->debug(
|
||||||
$@
|
$@
|
||||||
? "Unable to eval decrypt function: $@"
|
? "Unable to eval decrypt function: $@"
|
||||||
|
@ -146,7 +134,7 @@ sub run {
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->userLogger->notice("Malformed decrypt functions")
|
$self->userLogger->notice("Malformed decrypt functions")
|
||||||
if $self->{conf}->{decryptValueFunctions};
|
if $self->conf->{decryptValueFunctions};
|
||||||
$self->userLogger->notice(
|
$self->userLogger->notice(
|
||||||
"Try to decrypt value with internal LL::NG decrypt function");
|
"Try to decrypt value with internal LL::NG decrypt function");
|
||||||
$decryptedValue =
|
$decryptedValue =
|
||||||
|
@ -161,10 +149,6 @@ sub run {
|
||||||
|
|
||||||
# Display form
|
# Display form
|
||||||
my $params = {
|
my $params = {
|
||||||
PORTAL => $self->conf->{portal},
|
|
||||||
MAIN_LOGO => $self->conf->{portalMainLogo},
|
|
||||||
SKIN => $self->p->getSkin($req),
|
|
||||||
LANGS => $self->conf->{showLanguages},
|
|
||||||
MSG => 'decryptCipheredValue',
|
MSG => 'decryptCipheredValue',
|
||||||
DECRYPTED => (
|
DECRYPTED => (
|
||||||
$decryptedValue ? $decryptedValue
|
$decryptedValue ? $decryptedValue
|
||||||
|
|
|
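Review bot: In the run() hunk at -124,18 +110,20, the new `$decryptedValue = eval "$_" . '($cipheredValue, $key)'` keeps a string eval to call a configuration-named function; since the name has already been validated against the `\w`/`::` pattern a few lines above, a symbolic call avoids compiling configuration text altogether, e.g. `no strict 'refs'; $decryptedValue = eval { &{$_}($cipheredValue, $key) } if defined &{$_};`, which also separates "function missing" from "function returned undef". The same lines now hand the portal-wide `key` to every configured custom function, which is the commit's purpose but deserves a comment above `my $key`, such as `# Custom decrypt functions receive the portal encryption key, so only trusted modules should be listed here`. `my $key = $self->conf->{key};` is re-read on every loop iteration and can be hoisted above the `foreach`. The `foreach ( split( /\s+/, $self->{conf}->{decryptValueFunctions} ) )` line still uses direct hash access while the surrounding lines of this hunk and the `if $self->conf->{decryptValueFunctions};` line of the next hunk are switched to the `$self->conf` accessor. The enclosing `run` method starts and ends outside these hunks.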
@ -136,7 +136,7 @@
|
||||||
"checkUserNoSessionFound":"Pas de session SSO trouvée",
|
"checkUserNoSessionFound":"Pas de session SSO trouvée",
|
||||||
"choose2f":"Choisissez votre second facteur",
|
"choose2f":"Choisissez votre second facteur",
|
||||||
"chooseApp":"Choisissez une application à laquelle vous êtes autorisé à accéder",
|
"chooseApp":"Choisissez une application à laquelle vous êtes autorisé à accéder",
|
||||||
"cipheredValue":"Valeur cryptée",
|
"cipheredValue":"Valeur chiffrée",
|
||||||
"click2Reset":"Cliquez içi pour réinitialiser votre mot de passe",
|
"click2Reset":"Cliquez içi pour réinitialiser votre mot de passe",
|
||||||
"clickHere":"Cliquez ici",
|
"clickHere":"Cliquez ici",
|
||||||
"clickOnYubikey":"Cliquez sur votre Yubikey",
|
"clickOnYubikey":"Cliquez sur votre Yubikey",
|
||||||
|
@ -155,7 +155,7 @@
|
||||||
"current":"Courante",
|
"current":"Courante",
|
||||||
"currentPwd":"Mot de passe actuel",
|
"currentPwd":"Mot de passe actuel",
|
||||||
"date":"Date",
|
"date":"Date",
|
||||||
"decryptCipheredValue":"Déchiffrer une valeur cryptée",
|
"decryptCipheredValue":"Décoder une valeur chriffée",
|
||||||
"enterCred":"Merci de vous authentifier",
|
"enterCred":"Merci de vous authentifier",
|
||||||
"enterExt2fCode":"Un code vous a été envoyé, entrez-le ici",
|
"enterExt2fCode":"Un code vous a été envoyé, entrez-le ici",
|
||||||
"enterMail2fCode":"Un code vous a été envoyé par mail, entrez-le ici",
|
"enterMail2fCode":"Un code vous a été envoyé par mail, entrez-le ici",
|
||||||
|
@ -216,7 +216,7 @@
|
||||||
"noNotification":"Aucune notification acceptée trouvée",
|
"noNotification":"Aucune notification acceptée trouvée",
|
||||||
"noTOTPFound":"Aucun secret TOTP trouvé",
|
"noTOTPFound":"Aucun secret TOTP trouvé",
|
||||||
"noU2FKeyFound":"Aucune clef U2F trouvée",
|
"noU2FKeyFound":"Aucune clef U2F trouvée",
|
||||||
"notAnEncryptedValue":"Ce n'est pas une valeur cryptée",
|
"notAnEncryptedValue":"Impossible de décoder cette valeur",
|
||||||
"notAuthorized":"Vous n'êtes pas autorisé à faire cette requête",
|
"notAuthorized":"Vous n'êtes pas autorisé à faire cette requête",
|
||||||
"notAuthorizedAuthLevel":"Cette action requiert un niveau d'authentification supérieur",
|
"notAuthorizedAuthLevel":"Cette action requiert un niveau d'authentification supérieur",
|
||||||
"notFound":"Non trouvé : vous tentez d'accéder à une page non disponible",
|
"notFound":"Non trouvé : vous tentez d'accéder à une page non disponible",
|
||||||
|
|
|
@ -14,12 +14,13 @@ my $client = LLNG::Manager::Test->new( {
|
||||||
logLevel => 'error',
|
logLevel => 'error',
|
||||||
authentication => 'Demo',
|
authentication => 'Demo',
|
||||||
userDB => 'Same',
|
userDB => 'Same',
|
||||||
|
key => 'Demo',
|
||||||
loginHistoryEnabled => 0,
|
loginHistoryEnabled => 0,
|
||||||
brutForceProtection => 0,
|
brutForceProtection => 0,
|
||||||
requireToken => 0,
|
requireToken => 0,
|
||||||
decryptValueRule => 1,
|
decryptValueRule => 1,
|
||||||
decryptValueFunctions =>
|
decryptValueFunctions =>
|
||||||
'Custom::empty Custom::test_uc Custom::undefined',
|
'Lemonldap::NG::Portal::Custom::empty Lemonldap::NG::Portal::Custom::test_uc Lemonldap::NG::Portal::Custom::undefined',
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
@ -84,7 +85,7 @@ ok(
|
||||||
),
|
),
|
||||||
'POST decryptvalue with valid value'
|
'POST decryptvalue with valid value'
|
||||||
);
|
);
|
||||||
ok( $res->[2]->[0] =~ m%<span trspan="LOWERCASE"></span>%,
|
ok( $res->[2]->[0] =~ m%<span trspan="LOWERCASE_DEMO"></span>%,
|
||||||
'Found decryted value' )
|
'Found decryted value' )
|
||||||
or explain( $res->[2]->[0], 'Decryted value NOT found' );
|
or explain( $res->[2]->[0], 'Decryted value NOT found' );
|
||||||
count(2);
|
count(2);
|
||||||
|
|
|
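Review bot: `ok( $res->[2]->[0] =~ m%<span trspan="LOWERCASE_DEMO"></span>%, ...)` pins the behaviour this commit introduces (the key appended by `test_uc`), but an `ok` on a match reports only pass/fail; `like( $res->[2]->[0], qr%<span trspan="LOWERCASE_DEMO"></span>%, 'Found decrypted value' );` prints the actual body on failure and makes the trailing `or explain(...)` unnecessary. The descriptions on the following lines also misspell "decrypted" as "decryted".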
@ -1,4 +1,4 @@
|
||||||
package Custom;
|
package Lemonldap::NG::Portal::Custom;
|
||||||
|
|
||||||
sub empty {
|
sub empty {
|
||||||
return '';
|
return '';
|
||||||
|
@ -9,7 +9,7 @@ sub undefined {
|
||||||
}
|
}
|
||||||
|
|
||||||
sub test_uc {
|
sub test_uc {
|
||||||
return uc $_[0];
|
return uc($_[0] . '_' . $_[1]);
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
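Review bot: `return uc($_[0] . '_' . $_[1]);` now assumes a second argument; a caller that still passes only the ciphered value silently produces a value ending in `_`, and because the fixture has no `use strict; use warnings;` no uninitialized-value warning is raised. Unpacking the arguments makes the new contract visible: `my ($ciphered, $key) = @_;` followed by `return uc("${ciphered}_$key");`, with a one-line comment stating that the second parameter is the portal encryption key passed by the DecryptValue plugin. Adding `use strict; use warnings;` after the `package` line in the previous hunk would make such call-site mismatches visible in the test output.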