From 845ff2da850865c10b0be31969a95520d37c87d5 Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Thu, 26 Mar 2020 10:57:37 +0100 Subject: [PATCH 01/10] fix param transmission in rest2f (#2123) --- .../lib/Lemonldap/NG/Portal/2F/REST.pm | 2 +- lemonldap-ng-portal/t/72-2F-REST-with-History.t | 14 ++++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/REST.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/REST.pm index f7e27b02a..58279b8f4 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/REST.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/REST.pm @@ -122,7 +122,7 @@ sub verify { $args->{$k} = ( $k eq 'code' ? $code - : $req->sessionInfo->{ $self->{vrfyAttrs}->{$k} } + : $session->{ $self->{vrfyAttrs}->{$k} } ); } diff --git a/lemonldap-ng-portal/t/72-2F-REST-with-History.t b/lemonldap-ng-portal/t/72-2F-REST-with-History.t index ff0b13e47..e85bd69cf 100644 --- a/lemonldap-ng-portal/t/72-2F-REST-with-History.t +++ b/lemonldap-ng-portal/t/72-2F-REST-with-History.t @@ -5,20 +5,22 @@ use IO::String; use LWP::UserAgent; use LWP::Protocol::PSGI; use Plack::Request; +use JSON qw/from_json/; require 't/test-lib.pm'; -my $maintests = 6; +my $maintests = 7; LWP::Protocol::PSGI->register( sub { my $req = Plack::Request->new(@_); if ( $req->path_info eq '/init' ) { - ok( $req->content eq '{"name":"dwho"}', ' Init req gives dwho' ) - or explain( $req->content, '{"name":"dwho"}' ); + my $json = from_json( $req->content ); + is( $json->{name}, "dwho", ' Init req gives dwho' ); } elsif ( $req->path_info eq '/vrfy' ) { - ok( $req->content eq '{"code":"1234"}', ' Code is 1234' ) - or explain( $req->content, '{"code":"1234"}' ); + my $json = from_json( $req->content ); + is( $json->{name}, "dwho", ' Verify req contains name' ); + is( $json->{code}, "1234", ' Verify req contains code' ); } else { fail( ' Bad REST call ' . $req->path_info ); 
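Review bot: The rewritten /vrfy assertion in 72-2F-REST-with-History.t now only checks that `name` and `code` are present, whereas the removed exact-string comparison also guaranteed that nothing else from the session was sent to the verification endpoint. Since `rest2fVerifyArgs` selects which session attributes leave the portal, keeping that property explicit is cheap: `is( scalar keys %$json, 2, ' Verify req has exactly name and code' );` (with `$maintests` bumped accordingly), and likewise a key-count check in the /init branch. The PSGI callback's closing lines are outside the hunk.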
@@ -38,7 +40,7 @@ my $client = LLNG::Manager::Test->new( { rest2fInitUrl => 'http://auth.example.com/init', rest2fInitArgs => { name => 'uid' }, rest2fVerifyUrl => 'http://auth.example.com/vrfy', - rest2fVerifyArgs => { code => 'code' }, + rest2fVerifyArgs => { name => 'uid', code => 'code' }, loginHistoryEnabled => 1, authentication => 'Demo', userDB => 'Same', From e9bab71585f02f07eb81d7da8b2d80f77d736307 Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Thu, 26 Mar 2020 11:31:33 +0100 Subject: [PATCH 02/10] Make sure restCall returns a hashref (#2125) --- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/REST.pm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/REST.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/REST.pm index b34d08f47..7e9297d36 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/REST.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/REST.pm @@ -31,8 +31,11 @@ sub restCall { unless ( $resp->is_success ) { die $resp->status_line; } - my $res = eval { from_json( $resp->content, { allow_nonref => 1 } ) }; + my $res = eval { from_json( $resp->content ) }; die "Bad REST response: $@" if ($@); + if ( ref($res) ne "HASH" ) { + die "Bad REST response: expecting a JSON HASH, got " . ref($res); + } return $res; } From 9c0e09f89d73623d106ce87ef1b4e7c61bf62a8d Mon Sep 17 00:00:00 2001 From: Xavier Montagutelli Date: Thu, 26 Mar 2020 16:48:31 +0100 Subject: [PATCH 03/10] Update OpenIDConnect.pm - Correct typo staticPrefi*x* --- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index 85e64552a..5ce4aeaad 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm 
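Review bot: In restCall the new guard `if ( ref($res) ne "HASH" )` yields the message `expecting a JSON HASH, got ` with nothing after it when the decoded value is a plain scalar, because `ref` returns the empty string for non-references; with JSON::PP/JSON::XS 4.x, where a non-reference top-level value is accepted by default, dropping `allow_nonref` does not rule that case out. `die "Bad REST response: expecting a JSON HASH, got " . ( ref($res) || 'scalar' );` keeps the diagnostic useful. Separately, `from_json( $resp->content )` hands raw response bytes to a character-string decoder if `from_json` is the JSON module's, so non-ASCII attribute values in the reply would be mis-decoded; `decode_json( $resp->content )` or `$resp->decoded_content` is the byte-safe pairing — worth confirming against the file's `use JSON` line, which is outside the hunk. restCall's opening lines are also outside the hunk.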
@@ -544,7 +544,7 @@ sub run { $imgSrc = ( $icon =~ m#^https?://# ) ? $icon - : $self->p->staticPrefic . "/common/" . $icon; + : $self->p->staticPrefix . "/common/" . $icon; } my $scope_messages = { From 5842bcfc56334920043ed48a7ff73186d3de7293 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sat, 28 Mar 2020 00:17:25 +0100 Subject: [PATCH 04/10] Typo --- lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm index 1aa8a8b70..4673efcf0 100644 --- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm +++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm @@ -67,7 +67,7 @@ sub build_jail { $self->customFunctions ? split( /\s+/, $self->customFunctions ) : (); foreach (@builtCustomFunctions) { no warnings 'redefine'; - $api->logger->debug("Custom function : $_"); + $api->logger->debug("Custom function: $_"); my $sub = $_; unless (/::/) { $sub = "$self\::$_"; From fd337a211086bac0808639f4f60a7c86a6c10dce Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sat, 28 Mar 2020 01:23:41 +0100 Subject: [PATCH 05/10] Don t save conf if bad expression (#2126) --- lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm | 2 +- .../lib/Lemonldap/NG/Manager/Build/Attributes.pm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index dcb3ce1b8..d9572bc73 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm @@ -21,7 +21,7 @@ sub perlExpr { '', grep( { $_ =~ /Undefined subroutine/ ? () : $_; } split( /\n/, $@, 0 ) ) ); - return $err ? ( 1, "__badExpression__: $err" ) : 1; + return $err ? ( 0, "__badExpression__: $err" ) : 1; } sub types { 
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm index 86786a4b1..a986b9686 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm @@ -26,7 +26,7 @@ sub perlExpr { $cpt->reval("BEGIN { 'warnings'->unimport; } $val"); my $err = join( '', grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) ); - return $err ? ( 1, "__badExpression__: $err" ) : (1); + return $err ? ( 0, "__badExpression__: $err" ) : (1); } my $url = $RE{URI}{HTTP}{ -scheme => "https?" }; From a7a2a425a5db93d065edba949c1d701762c3a147 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sat, 28 Mar 2020 13:53:25 +0100 Subject: [PATCH 06/10] Better fix to avoid side effects and Jail warning (#2126 & #1717) --- .../lib/Lemonldap/NG/Manager/Attributes.pm | 5 +++-- .../lib/Lemonldap/NG/Manager/Build/Attributes.pm | 4 ++-- .../lib/Lemonldap/NG/Manager/Conf/Parser.pm | 9 ++++++++- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index d9572bc73..3189ccd98 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm @@ -19,9 +19,10 @@ sub perlExpr { $cpt->reval("BEGIN { 'warnings'->unimport; } $val"); my $err = join( '', - grep( { $_ =~ /Undefined subroutine/ ? () : $_; } split( /\n/, $@, 0 ) ) + grep( { $_ =~ /(?:Undefined subroutine|Devel::StackTrace)/ ? () : $_; } + split( /\n/, $@, 0 ) ) ); - return $err ? ( 0, "__badExpression__: $err" ) : 1; + return $err ? ( -1, "__badExpression__: $err" ) : 1; } sub types { diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm index a986b9686..028047fcf 100644 
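Review bot: perlExpr in Manager/Attributes.pm now returns the bare magic value `-1`, whose meaning (the expression is kept but the manager asks for confirmation) is only discoverable in Conf/Parser.pm's `_execTest`, and the identical sub in Manager/Build/Attributes.pm carries the same value in the next hunk. A comment above the return in both copies would document the convention: `# Return code: 1 = ok, -1 = suspicious expression, ask for confirmation (see Conf::Parser::_execTest)`. The widened filter `(?:Undefined subroutine|Devel::StackTrace)` drops every line of `$@` that mentions Devel::StackTrace, so if the compartment's die text and the first trace frame ever share a line the real error would be discarded too — presumably not with Carp's usual formatting, but a test with a deliberately broken expression would pin it. perlExpr's opening lines are outside the hunk.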
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm @@ -25,8 +25,8 @@ sub perlExpr { $Lemonldap::NG::Common::Safelib::functions ); $cpt->reval("BEGIN { 'warnings'->unimport; } $val"); my $err = join( '', - grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) ); - return $err ? ( 0, "__badExpression__: $err" ) : (1); + grep { $_ =~ /(?:Undefined subroutine|Devel::StackTrace)/ ? () : $_ } split( /\n/, $@ ) ); + return $err ? ( -1, "__badExpression__: $err" ) : (1); } my $url = $RE{URI}{HTTP}{ -scheme => "https?" }; diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm index c69b71b72..69f311bc5 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm @@ -1207,7 +1207,14 @@ sub _execTest { if ( $ref eq 'CODE' ) { my ( $r, $m ) = ( $test->( $value, $conf, $attr ) ); if ($m) { - push @{ $self->{ ( $r ? 'warnings' : 'errors' ) } }, + push @{ + $self->{ ( + $r > 0 + ? 'warnings' + : ( $r < 0 ? 'needConfirmation' : 'errors' ) + ) + } + }, { message => "$key: $m" }; } elsif ( !$r ) { From 68e2e818984f20beac7929b2aef73d35fe076746 Mon Sep 17 00:00:00 2001 
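Review bot: In `_execTest` the bucket selection moved from truthiness (`$r ? 'warnings' : 'errors'`) to the numeric comparisons `$r > 0` / `$r < 0`, which changes the outcome for any test sub that reports a warning with a true but non-numeric first value (it now lands in `errors`) and emits an "isn't numeric" warning for an undef `$r` under `use warnings`. If every test returns 1, 0 or -1 this is harmless, but nothing in the hunk checks it; `$r //= 0;` before the push, or a short comment stating the 1 / 0 / -1 contract of `$test`, would pin it. The `elsif ( !$r )` branch below keeps treating -1 as success because it is true, which matches the intent but deserves the same comment. `_execTest` begins before the hunk.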
From: Christophe Maudoux Date: Sat, 28 Mar 2020 17:58:39 +0100 Subject: [PATCH 07/10] Fix warning if error is undefined (#2126 & #1625) --- .../lib/Lemonldap/NG/Portal/Issuer/CAS.pm | 3 ++- .../lib/Lemonldap/NG/Portal/Issuer/Get.pm | 3 ++- .../lib/Lemonldap/NG/Portal/Issuer/OpenID.pm | 3 ++- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 3 ++- .../lib/Lemonldap/NG/Portal/Issuer/SAML.pm | 3 ++- .../lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm | 4 ++-- .../Lemonldap/NG/Portal/Plugins/ContextSwitching.pm | 10 +++++----- .../lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm | 3 ++- .../lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm | 3 ++- .../lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm | 6 ++++-- .../lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm | 7 ++++--- 11 files changed, 29 insertions(+), 19 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm index 81b2289d1..507496afc 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm @@ -35,7 +35,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{issuerDBCASRule} ) ); unless ($rule) { - $self->error( "Bad CAS rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad CAS activation rule -> $error"); return 0; } $self->{rule} = $rule; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm index a64945ea8..1e05bb247 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm 
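Review bot: The new `my $error = $hd->tsv->{jail}->error || '';` in CAS.pm init uses `||`, which also replaces a defined-but-false error text with the fallback; `//` is the operator that only fills in undef, which is what "error is undefined" in the subject describes. The same two-line pattern is introduced verbatim in Get.pm, OpenID.pm, OpenIDConnect.pm, SAML.pm, CheckUser.pm, ContextSwitching.pm, DecryptValue.pm, GlobalLogout.pm, GrantSession.pm and Impersonation.pm in this patch; a single accessor on the jail object returning the defaulted message would remove the copies and give one place to adjust the fallback text. The rest of init is outside the hunk.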
@@ -24,7 +24,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{issuerDBGetRule} ) ); unless ($rule) { - $self->error( "Bad GET rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error( "Bad GET activation rule -> $error" ); return 0; } $self->{rule} = $rule; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm index 40bc83a3c..72930540d 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm @@ -64,7 +64,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{issuerDBOpenIDRule} ) ); unless ($rule) { - $self->error( "Bad OpenID rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error( "Bad OpenID activation rule -> $error" ); return 0; } $self->{rule} = $rule; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index 5ce4aeaad..fe6558d9e 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -76,7 +76,8 @@ sub init { $hd->buildSub( $hd->substitute( $self->conf->{issuerDBOpenIDConnectRule} ) ); unless ($rule) { - $self->error( "Bad OIDC rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error( "Bad OIDC activation rule -> $error" ); return 0; } $self->{rule} = $rule; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm index e1bae8a67..565f80717 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm 
@@ -47,7 +47,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{issuerDBSAMLRule} ) ); unless ($rule) { - $self->error( "Bad SAML rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error( "Bad SAML activation rule -> $error" ); return 0; } $self->{rule} = $rule; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm index be615a195..453b02c40 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm @@ -55,8 +55,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{checkUserIdRule} ) ); unless ($rule) { - $self->error( - "Bad checkUser identities rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad checkUser identities rule -> $error"); return 0; } $self->idRule($rule); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm index bb1174625..ca22ed52c 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm @@ -40,7 +40,7 @@ has idRule => ( is => 'rw', default => sub { 1 } ); sub init { my ($self) = @_; my $hd = $self->p->HANDLER; - $self->addAuthRoute( switchcontext => 'run', ['POST'] ) + $self->addAuthRoute( switchcontext => 'run', ['POST'] ) ->addAuthRoute( switchcontext => 'display', ['GET'] ); # Parse activation rule 
@@ -49,8 +49,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingRule} ) ); unless ($rule) { - $self->error( - 'Bad contextSwitching rule -> ' . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad contextSwitching rule -> $error"); return 0; } $self->rule($rule); @@ -61,8 +61,8 @@ sub init { $rule = $hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingIdRule} ) ); unless ($rule) { - $self->error( "Bad contextSwitching identities rule -> " - . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad contextSwitching identities rule -> $error"); return 0; } $self->idRule($rule); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm index 70f3f0946..75bbd9a23 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm @@ -40,7 +40,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{decryptValueRule} ) ); unless ($rule) { - $self->error( 'Bad decryptValue rule -> ' . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad decryptValue rule -> $error"); return 0; } $self->rule($rule); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm index 9c17f5e82..8abe79391 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm 
@@ -45,7 +45,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{globalLogoutRule} ) ); unless ($rule) { - $self->error( "Bad globalLogout rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad globalLogout rule -> $error"); return 0; } $self->rule($rule); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm index 92feffa81..d1d857484 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm @@ -27,7 +27,8 @@ sub init { $hd->buildSub( $hd->substitute( $self->conf->{grantSessionRules}->{$_} ) ); unless ($rule) { - $self->error( "Bad grantSession rule " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad grantSession rule -> $error"); return 0; } $self->rules->{$_} = $rule; @@ -66,7 +67,8 @@ sub run { my $hd = $self->p->HANDLER; my $msg = $hd->substitute($1); unless ( $msg = $hd->buildSub($msg) ) { - $self->error( "Bad message " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad message -> $error"); return PE_OK; } $msg = $msg->( $req, $req->sessionInfo ); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm index 40a9782dc..9787e31e7 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm @@ -31,7 +31,8 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{impersonationRule} ) ); unless ($rule) { - $self->error( "Bad impersonation rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad impersonation rule -> $error"); return 0; } $self->rule($rule); 
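Review bot: In GrantSession.pm `run`, the branch that fails to build the deny message still ends with `return PE_OK;`, so a malformed message template lets the request continue as if the grant rule had passed; this hunk only rewords the error. If this code is reached after a grant rule has already denied the session (the enclosing loop is outside the hunk), the safe outcome is to deny with a generic message rather than fail open, e.g. returning the same non-OK result the caller uses for a failed rule (presumably PE_SESSIONNOTGRANTED) in place of `return PE_OK;`. Either way a one-line comment stating why the rule failure is not propagated here would stop the next reader from reintroducing the question.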
@@ -42,8 +43,8 @@ sub init { $rule = $hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) ); unless ($rule) { - $self->error( - "Bad impersonation identities rule -> " . $hd->tsv->{jail}->error ); + my $error = $hd->tsv->{jail}->error || ''; + $self->error("Bad impersonation identities rule -> $error"); return 0; } $self->idRule($rule); From ea8b0bb0245205161708febde1d7eb59b0962f31 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sat, 28 Mar 2020 18:12:34 +0100 Subject: [PATCH 08/10] Highlight error message (#2126 & #1625) --- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm | 2 +- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm | 2 +- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm | 2 +- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 2 +- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm | 2 +- .../lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm | 2 +- .../lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm | 4 ++-- .../lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm | 2 +- .../lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm | 2 +- .../lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm | 4 ++-- .../lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm | 4 ++-- 11 files changed, 14 insertions(+), 14 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm index 507496afc..460f31443 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm @@ -35,7 +35,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{issuerDBCASRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad CAS activation rule -> $error"); return 0; } 
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm index 1e05bb247..ab2c2f27e 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm @@ -24,7 +24,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{issuerDBGetRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error( "Bad GET activation rule -> $error" ); return 0; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm index 72930540d..9a20e8623 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenID.pm @@ -64,7 +64,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{issuerDBOpenIDRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error( "Bad OpenID activation rule -> $error" ); return 0; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index fe6558d9e..d0501c799 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -76,7 +76,7 @@ sub init { $hd->buildSub( $hd->substitute( $self->conf->{issuerDBOpenIDConnectRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error( "Bad OIDC activation rule -> $error" ); return 0; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm index 565f80717..07f82ebd8 100644 
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm @@ -47,7 +47,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{issuerDBSAMLRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error( "Bad SAML activation rule -> $error" ); return 0; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm index 453b02c40..2aead3ab8 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm @@ -55,7 +55,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{checkUserIdRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad checkUser identities rule -> $error"); return 0; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm index ca22ed52c..a85962269 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm @@ -49,7 +49,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad contextSwitching rule -> $error"); return 0; } @@ -61,7 +61,7 @@ sub init { $rule = $hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingIdRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad contextSwitching identities rule -> $error"); return 0; } 
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm index 75bbd9a23..1d438f425 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/DecryptValue.pm @@ -40,7 +40,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{decryptValueRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad decryptValue rule -> $error"); return 0; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm index 8abe79391..fc07402cf 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GlobalLogout.pm @@ -45,7 +45,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{globalLogoutRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad globalLogout rule -> $error"); return 0; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm index d1d857484..c448ee4aa 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm @@ -27,7 +27,7 @@ sub init { $hd->buildSub( $hd->substitute( $self->conf->{grantSessionRules}->{$_} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad grantSession rule -> $error"); return 0; } 
@@ -67,7 +67,7 @@ sub run { my $hd = $self->p->HANDLER; my $msg = $hd->substitute($1); unless ( $msg = $hd->buildSub($msg) ) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad message -> $error"); return PE_OK; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm index 9787e31e7..44d28d73a 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm @@ -31,7 +31,7 @@ sub init { my $rule = $hd->buildSub( $hd->substitute( $self->conf->{impersonationRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad impersonation rule -> $error"); return 0; } @@ -43,7 +43,7 @@ sub init { $rule = $hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) ); unless ($rule) { - my $error = $hd->tsv->{jail}->error || ''; + my $error = $hd->tsv->{jail}->error || '???'; $self->error("Bad impersonation identities rule -> $error"); return 0; } From 9a18f2f5537f4f46869e28d829104b02f9ff4293 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Wed, 1 Apr 2020 00:33:49 +0200 Subject: [PATCH 09/10] Fix cache reload error with status (#2127) --- .../lib/Lemonldap/NG/Handler/Main/Reload.pm | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm index 4fc6b46ab..d7dad20c9 100644 --- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm +++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm 
@@ -185,7 +185,8 @@ sub jailInit { multiValuesSeparator => $conf->{multiValuesSeparator}, } ); - $class->tsv->{jail}->build_jail( $class, $conf->{require}, $conf->{requireDontDie} ); + $class->tsv->{jail} + ->build_jail( $class, $conf->{require}, $conf->{requireDontDie} ); } ## @imethod protected void defaultValuesInit(hashRef args) @@ -363,13 +364,14 @@ sub sessionStorageInit { if ( $conf->{status} ) { my $params = ""; if ( $class->tsv->{sessionCacheModule} ) { - $params = ' ' . join( + $params = $class->tsv->{sessionCacheModule} . ',{' . join( ',', - $class->tsv->{sessionCacheModule} . map { - "$_ => " - . $class->tsv->{sessionCacheOptions}->{$_} - } keys %{ $class->tsv->{sessionCacheOptions} // {} } - ); + map { + "$_ => '" + . $class->tsv->{sessionCacheOptions}->{$_} . "'" + } + keys %{ $class->tsv->{sessionCacheOptions} // {} } + ) . '}'; } $class->tsv->{statusPipe}->print("RELOADCACHE $params\n"); } From 2a34d1ae8ccebd087d212f17159250cf308beccd Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Wed, 1 Apr 2020 00:35:09 +0200 Subject: [PATCH 10/10] Update sessionInfo if second factor succeeds & Improve unit tests (#2129) --- .../lib/Lemonldap/NG/Portal/2F/TOTP.pm | 3 +- .../Lemonldap/NG/Portal/Main/SecondFactor.pm | 14 ++- .../Lemonldap/NG/Portal/Plugins/CheckUser.pm | 11 ++ .../NG/Portal/Plugins/ContextSwitching.pm | 28 ++++- .../lib/Lemonldap/NG/Portal/UserDB/Demo.pm | 6 +- .../t/59-Double-cookies-Refresh-and-Logout.t | 8 +- lemonldap-ng-portal/t/67-CheckUser.t | 19 ++- ...textSwitching-with-TOTP-and-Notification.t | 115 ++++++++++++++++-- lemonldap-ng-portal/t/lmConf-1.json | 3 +- 9 files changed, 178 insertions(+), 29 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm index 136ddf20b..d68aa94e4 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm 
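Review bot: In sessionStorageInit the `RELOADCACHE` line now embeds each cache option as `key => 'value'`, but the value is interpolated verbatim, so an option containing a single quote, a comma, a brace or a newline breaks the generated text, and the `Module,{ ... }` shape suggests the status process evaluates it as Perl — in which case a quote in a configured value becomes code on the status side (admin-controlled input, but still an eval over a hand-built string). At minimum backslashes and single quotes in the value need escaping before it is wrapped in quotes; emitting module name and options as one JSON document (`to_json`, if the JSON module is available in this file) and decoding on the status side would remove the parsing question entirely. Whether the status process evals this line cannot be seen from this hunk.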
@@ -112,8 +112,7 @@ sub verify { } else { $self->userLogger->notice( 'Invalid TOTP for ' - . $session->{ $self->conf->{whatToTrace} } - . ')' ); + . $session->{ $self->conf->{whatToTrace} } ); return PE_BADOTP; } } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm index c04b14069..668cc5aa4 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm @@ -124,8 +124,20 @@ sub _verify { . $req->sessionInfo->{ $self->conf->{whatToTrace} } ); if ( my $l = $self->conf->{ $self->prefix . '2fAuthnLevel' } ) { - $self->p->updateSession( $req, { authenticationLevel => $l } ); + $self->logger->debug("Update sessionInfo with new authenticationLevel: $l"); + $req->sessionInfo->{authenticationLevel} = $l; + delete $req->sessionInfo->{groups}; + + # Compute groups & macros again with new authenticationLevel + $req->steps( [ $self->p->groupsAndMacros, 'setLocalGroups'] ); + if ( my $error = $self->p->process($req) ) { + $self->logger->debug("SFA: Process returned error: $error"); + $req->error($error); + return $self->p->do( $req, [ sub { $error } ] ); + } + $self->p->updateSession( $req, $req->sessionInfo ); } + $req->authResult(PE_SENDRESPONSE); return $self->p->do( $req, diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm index 2aead3ab8..11d9d2cd2 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm @@ -369,6 +369,7 @@ sub _urlFormat { sub _userData { my ( $self, $req ) = @_; + my $realAuthLevel = $req->userData->{authenticationLevel}; # Compute session my $steps = [ 
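Review bot: In SecondFactor.pm `_verify`, `delete $req->sessionInfo->{groups};` resets the flat group list before groupsAndMacros is re-run, but `hGroups` is left in place, and UserDB::Demo's setGroups later in this patch starts from `$req->sessionInfo->{hGroups} || {}` and only adds to it, so the hash form keeps memberships computed under the previous authenticationLevel. For a raised level that is only a stale superset, but CheckUser.pm `_userData` and ContextSwitching.pm `_switchContext` in this patch apply the same pattern when lowering the level to the operator's real one, where a left-over hGroups entry can keep access the recomputation meant to remove; `delete @{ $req->sessionInfo }{qw(groups hGroups)};` in all three places closes that. Other UserDB backends may rebuild hGroups from scratch — only Demo is visible here, so that needs checking. `_verify`'s start and its final `do` call are outside the hunk.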
@@ -406,6 +407,16 @@ sub _userData { return $req->error(PE_BADCREDENTIALS); } + # Compute groups & macros again with real authenticationLevel + $req->sessionInfo->{authenticationLevel} = $realAuthLevel; + delete $req->sessionInfo->{groups}; + $req->steps( [ $self->p->groupsAndMacros, 'setLocalGroups' ] ); + if ( my $error = $self->p->process($req) ) { + $self->logger->debug( + "ContextSwitching: Process returned error: $error"); + return $req->error($error); + } + $self->logger->debug("Return \"$req->{user}\" sessionInfo"); return $req->{sessionInfo}; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm index a85962269..9b0af3abf 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm @@ -197,6 +197,7 @@ sub run { sub _switchContext { my ( $self, $req, $spoofId ) = @_; my $realSessionId = $req->userData->{_session_id}; + my $realAuthLevel = $req->userData->{authenticationLevel}; my $realId = $req->{user}; my $raz = 0; $req->{user} = $spoofId; 
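Review bot: The new error log in CheckUser.pm `_userData` is labelled `"ContextSwitching: Process returned error: $error"`, copied from the ContextSwitching plugin; it should read `"CheckUser: Process returned error: $error"` so the line can be traced to the right plugin when the two run in the same portal. The `# Compute groups & macros again with real authenticationLevel` comment could also say why the operator's level rather than the inspected user's is used here, since a reader of checkUser output will otherwise assume the displayed groups are the user's own. The beginning of `_userData` is in the previous hunk.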
@@ -234,13 +235,28 @@ sub _switchContext {
     $req->sessionInfo->{"$self->{conf}->{impersonationPrefix}_session_id"} = $realSessionId;
-    $self->userLogger->notice(
-        "Start ContextSwitching: $realId becomes $spoofId ")
-      unless $raz;
-    return $raz
-      ? $self->_abortImpersonation( $req, $spoofId, $realId, 1 )
-      : $req;
+    if ($raz) {
+        return $self->_abortImpersonation( $req, $spoofId, $realId, 1 );
+    }
+    else {
+        $self->logger->debug(
+            "Update sessionInfo with real authenticationLevel: $realAuthLevel");
+        $req->sessionInfo->{authenticationLevel} = $realAuthLevel;
+        delete $req->sessionInfo->{groups};
+
+        # Compute groups & macros again with real authenticationLevel
+        $req->steps( [ $self->p->groupsAndMacros, 'setLocalGroups' ] );
+        if ( my $error = $self->p->process($req) ) {
+            $self->logger->debug(
+                "ContextSwitching: Process returned error: $error");
+            $req->error($error);
+        }
+
+        $self->userLogger->notice(
+            "Start ContextSwitching: $realId becomes $spoofId ");
+        return $req;
+    }
 }
 sub _abortImpersonation {
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDB/Demo.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDB/Demo.pm
index 45263c18d..5f067bebe 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDB/Demo.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDB/Demo.pm
@@ -11,7 +11,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_BADCREDENTIALS);
 extends 'Lemonldap::NG::Common::Module';
-our $VERSION = '2.0.2';
+our $VERSION = '2.0.8';
 # Sample accounts from Doctor Who characters
 our %demoAccounts = (
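Review bot: In the `else` branch of `_switchContext`, a failure of `$self->p->process($req)` only records `$req->error($error)` and execution falls through to the `Start ContextSwitching` notice and `return $req`, so the impersonated session is handed back with `groups` already deleted and `authenticationLevel` already overwritten while macros and groups may not have been recomputed; whether the caller inspects `$req->error` afterwards is not visible here. SecondFactor.pm's `_verify` in this same patch returns immediately in the equivalent branch, and this one should do the same, for instance `return $self->_abortImpersonation( $req, $spoofId, $realId, 1 );` right after `$req->error($error);` if that is the intended failure route, rather than logging the switch as started. `_switchContext` starts before this hunk.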
@@ -89,11 +89,11 @@ sub setSessionInfo {
 # @return Lemonldap::NG::Portal constant
 sub setGroups {
     my ( $self, $req ) = @_;
-
+    my $user = $req->user || $req->sessionInfo->{ $self->conf->{whatToTrace} };
     my $groups = $req->sessionInfo->{groups} || '';
     my $hGroups = $req->sessionInfo->{hGroups} || {};
     for my $grp ( keys %demoGroups ) {
-        if ( grep { $_ eq $req->user } @{ $demoGroups{$grp} } ) {
+        if ( grep { $_ eq $user } @{ $demoGroups{$grp} } ) {
             $hGroups->{$grp} = {};
             $groups = ($groups)
diff --git a/lemonldap-ng-portal/t/59-Double-cookies-Refresh-and-Logout.t b/lemonldap-ng-portal/t/59-Double-cookies-Refresh-and-Logout.t
index ed8e0cbba..50cba9b5c 100644
--- a/lemonldap-ng-portal/t/59-Double-cookies-Refresh-and-Logout.t
+++ b/lemonldap-ng-portal/t/59-Double-cookies-Refresh-and-Logout.t
@@ -116,8 +116,8 @@ ok(
     'POST checkuser'
 );
 my %attributes = map /(.+)?<\/td>/g, $res->[2]->[0];
-ok( scalar keys %attributes == 17, 'Found 17 attributes' )
-  or print STDERR "Missing attributes -> " . scalar keys %attributes;
+ok( scalar keys %attributes == 18, 'Found 18 attributes' )
+  or print STDERR "Wrong number of attributes -> " . scalar keys %attributes;
 ok( $attributes{'_updateTime'} =~ /^\d{14}$/, 'Timestamp found' )
   or print STDERR Dumper( \%attributes );
 count(3);
@@ -184,8 +184,8 @@ ok(
     'POST checkuser'
 );
 my %attributes2 = map /(.+)?<\/td>/g, $res->[2]->[0];
-ok( scalar keys %attributes2 == 17, 'Found 17 attributes' )
-  or print STDERR "Missing attributes -> " . scalar keys %attributes2;
+ok( scalar keys %attributes2 == 18, 'Found 18 attributes' )
+  or print STDERR "Wrong nunber of attributes -> " . scalar keys %attributes2;
 ok( $attributes2{'_updateTime'} =~ /^\d{14}$/, 'Timestamp found' )
   or print STDERR Dumper( \%attributes2 );
 count(3);
diff --git a/lemonldap-ng-portal/t/67-CheckUser.t b/lemonldap-ng-portal/t/67-CheckUser.t
index 66466b8b9..f9ea333df 100644
--- a/lemonldap-ng-portal/t/67-CheckUser.t
+++ b/lemonldap-ng-portal/t/67-CheckUser.t
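Review bot: The new `my $user = $req->user || $req->sessionInfo->{ ... }` in `setGroups` uses `||`, so an empty-string user falls through to the session attribute, and when neither source is set `$user` is undef and every `$_ eq $user` comparison inside the `grep` emits an uninitialized-value warning per demo group member. `my $user = $req->user // $req->sessionInfo->{ $self->conf->{whatToTrace} } // '';` keeps the fallback while making the comparison quiet and explicit (`//` needs Perl 5.10, which the rest of the code base presumably already requires). `setGroups` continues past the end of this hunk.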
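Review bot: The new diagnostic in the second hunk of 59-Double-cookies-Refresh-and-Logout.t (`@@ -184`) misspells "number": `or print STDERR "Wrong number of attributes -> " . scalar keys %attributes2;` matches the correctly spelled message the first hunk of the same file introduces.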
@@ -16,8 +16,8 @@ my $client = LLNG::Manager::Test->new( {
             userDB => 'Same',
             loginHistoryEnabled => 0,
             brutForceProtection => 0,
-            checkUser => 1,
             requireToken => 0,
+            checkUser => 1,
             checkUserIdRule => '$uid ne "msmith"',
             checkUserSearchAttributes => 'employee_nbr test1 _user test2 mail',
             checkUserDisplayPersistentInfo => 1,
@@ -26,6 +26,7 @@ my $client = LLNG::Manager::Test->new( {
             totp2fSelfRegistration => 1,
             totp2fActivation => 1,
             totp2fDigits => 6,
+            totp2fAuthnLevel => 8,
             impersonationRule => 1,
             #hiddenAttributes => 'test',
@@ -173,7 +174,6 @@ ok(
 my ( $host, $url, $query ) = expectForm( $res, undef, '/totp2fcheck', 'token' );
 # Generate TOTP with LLNG
-
 my $totp = Lemonldap::NG::Common::TOTP::_code( undef, $key, 0, 30, 6 );
 $query =~ s/code=/code=$code/;
@@ -189,7 +189,6 @@ $id = expectCookie($res);
 # CheckUser form -> granted
 # ------------------------
-
 ok(
     $res = $client->_get(
         '/checkuser',
@@ -210,7 +209,17 @@ ok( $res->[2]->[0] =~ m%dwho%, 'Found value dwho' )
   or explain( $res->[2]->[0], 'Value dwho' );
 ok( $res->[2]->[0] !~ m%_2fDevices%, '_2fDevices NOT Found!' )
   or explain( $res->[2]->[0], 'Value _2fDevices' );
-count(4);
+
+ok( $res->[2]->[0] =~ m%authMode%, 'Found macro authMode' )
+  or explain( $res->[2]->[0], 'Macro Key authMode' );
+ok( $res->[2]->[0] =~ m%DEMO%, 'Found DEMO' )
+  or explain( $res->[2]->[0], 'Macro Value DEMO' );
+ok( $res->[2]->[0] =~ m%real_authMode%,
+    'Found macro real_authMode' )
+  or explain( $res->[2]->[0], 'Macro Key real_authMode' );
+ok( $res->[2]->[0] =~ m%TOTP%, 'Found TOTP' )
+  or explain( $res->[2]->[0], 'Macro Value TOTP' );
+count(8);
 $query =~ s/url=/url=http%3A%2F%2Ftest1.example.com/;
 ok(
@@ -345,7 +354,7 @@ m%
new( {
             contextSwitchingIdRule => 1,
             totp2fSelfRegistration => 1,
             totp2fActivation => 1,
+            totp2fAuthnLevel => 8,
             contextSwitchingStopWithLogout => 0,
+            checkUser => 1,
             notification => 1,
             notificationStorage => 'File',
             notificationStorageOptions => { dirName => $main::tmpDir },
@@ -147,15 +149,14 @@ ok(
 eval { $res = JSON::from_json( $res->[2]->[0] ) };
 ok( not($@), 'Content is JSON' )
   or explain( $res->[2]->[0], 'JSON content' );
-my ( $key, $token );
-ok( $key = $res->{secret}, 'Found secret' );
+my $keyR;
+ok( $keyR = $res->{secret}, 'Found secret' );
 ok( $token = $res->{token}, 'Found token' );
-$key = Convert::Base32::decode_base32($key);
+$keyR = Convert::Base32::decode_base32($keyR);
 count(4);
 # Post code
-my $code;
-ok( $code = Lemonldap::NG::Common::TOTP::_code( undef, $key, 0, 30, 6 ),
+ok( $code = Lemonldap::NG::Common::TOTP::_code( undef, $keyR, 0, 30, 6 ),
     'Code' );
 ok( $code =~ /^\d{6}$/, 'Code contains 6 digits' );
 my $s = "code=$code&token=$token";
@@ -220,6 +221,26 @@ ok( $res->[2]->[0] =~ m%%,
   or explain( $res->[2]->[0], 'trspan="contextSwitching_OFF"' );
 count(6);
+# CheckUser form
+ok(
+    $res = $client->_get(
+        '/checkuser',
+        cookie => "lemonldap=$id",
+        accept => 'text/html'
+    ),
+    'CheckUser form',
+);
+
+( $host, $url, $query ) =
+  expectForm( $res, undef, '/checkuser', 'user', 'url' );
+ok( $res->[2]->[0] =~ m%%, 'Found trspan="checkUser"' )
+  or explain( $res->[2]->[0], 'trspan="checkUser"' );
+ok( $res->[2]->[0] =~ m%authMode%, 'Found macro authMode' )
+  or explain( $res->[2]->[0], 'Macro Key authMode' );
+ok( $res->[2]->[0] =~ m%DEMO%, 'Found DEMO' )
+  or explain( $res->[2]->[0], 'Macro Value DEMO' );
+count(4);
+
 # Stop ContextSwitching
 # ------------------------
 ok(
@@ -336,10 +357,90 @@ ok(
     ),
     'Auth query'
 );
-ok( $res->[2]->[0] =~ m%%,
-    'TOTP code required' )
+
+ok( $res->[2]->[0] =~ m%%, 'TOTP code required' )
   or explain( $res->[2]->[0], 'trspan="enterTotpCode"' );
 count(2);
+( $host, $url, $query ) = expectForm( $res, undef, '/totp2fcheck', 'token' );
+ok( $code = Lemonldap::NG::Common::TOTP::_code( undef, $key, 0, 30, 6 ),
+    'LLNG Code' );
+$query =~ s/code=/code=$code/;
+ok(
+    $res = $client->_post(
+        '/totp2fcheck',
+        IO::String->new($query),
+        length => length($query),
+    ),
+    'Post code'
+);
+count(2);
+$id = expectCookie($res);
+
+# CheckUser form
+ok(
+    $res = $client->_get(
+        '/checkuser',
+        cookie => "lemonldap=$id",
+        accept => 'text/html'
+    ),
+    'CheckUser form',
+);
+
+( $host, $url, $query ) =
+  expectForm( $res, undef, '/checkuser', 'user', 'url' );
+ok( $res->[2]->[0] =~ m%%, 'Found trspan="checkUser"' )
+  or explain( $res->[2]->[0], 'trspan="checkUser"' );
+ok( $res->[2]->[0] =~ m%authMode%, 'Found macro authMode' )
+  or explain( $res->[2]->[0], 'Macro Key authMode' );
+ok( $res->[2]->[0] =~ m%TOTP%, 'Found TOTP' )
+  or explain( $res->[2]->[0], 'Macro Value TOTP' );
+count(4);
+
+# Request not connected user
+$query =~ s/user=dwho/user=davros/;
+ok(
+    $res = $client->_post(
+        '/checkuser',
+        IO::String->new($query),
+        cookie => "lemonldap=$id",
+        length => length($query),
+        accept => 'text/html',
+    ),
+    'POST checkuser'
+);
+
+( $host, $url, $query ) =
+  expectForm( $res, undef, '/checkuser', 'user', 'url' );
+ok( $res->[2]->[0] =~ m%%, 'Found trspan="checkUserComputeSession"' )
+  or explain( $res->[2]->[0], 'trspan="checkUserComputeSession"' );
+ok( $res->[2]->[0] =~ m%authMode%, 'Found macro authMode' )
+  or explain( $res->[2]->[0], 'Macro Key authMode' );
+ok( $res->[2]->[0] =~ m%TOTP%, 'Found TOTP' )
+  or explain( $res->[2]->[0], 'Macro Value TOTP' );
+count(4);
+
+# Request connected user
+$query =~ s/user=davros/user=msmith/;
+ok(
+    $res = $client->_post(
+        '/checkuser',
+        IO::String->new($query),
+        cookie => "lemonldap=$id",
+        length => length($query),
+        accept => 'text/html',
+    ),
+    'POST checkuser'
+);
+
+( $host, $url, $query ) =
+  expectForm( $res, undef, '/checkuser', 'user', 'url' );
+ok( $res->[2]->[0] =~ m%%, 'Found trspan="checkUser"' )
+  or explain( $res->[2]->[0], 'trspan="checkUser"' );
+ok( $res->[2]->[0] =~ m%authMode%, 'Found macro authMode' )
+  or explain( $res->[2]->[0], 'Macro Key authMode' );
+ok( $res->[2]->[0] =~ m%DEMO%, 'Found DEMO' )
+  or explain( $res->[2]->[0], 'Macro Value DEMO' );
+count(4);
 clean_sessions();
diff --git a/lemonldap-ng-portal/t/lmConf-1.json b/lemonldap-ng-portal/t/lmConf-1.json
index e5aae9710..83cdab64c 100644
--- a/lemonldap-ng-portal/t/lmConf-1.json
+++ b/lemonldap-ng-portal/t/lmConf-1.json
@@ -67,7 +67,8 @@
     },
     "macros": {
         "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\"",
-        "array": "$uid eq 'french' ? 'doctor; who' : ''"
+        "array": "$uid eq 'french' ? 'doctor; who' : ''",
+        "authMode": "$authenticationLevel == 8 ? TOTP : 'DEMO'"
     },
     "notifications": 0,
     "passwordDB": "Null",
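Review bot: The new assertions `ok( $res->[2]->[0] =~ m%TOTP%, 'Found TOTP' )` and `ok( $res->[2]->[0] =~ m%DEMO%, 'Found DEMO' )` match the bare substring anywhere in the rendered page, so they would also pass on an unrelated occurrence (a second-factor device type or a label mentioning TOTP) and would not catch a macro that is computed but not displayed; checking the `authMode` key and its value together in one match would tie the test to what this commit actually changes. The same loose matches are repeated three times in this hunk and in the 67-CheckUser.t hunk above. The exact markup of the checkuser page is not visible here.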
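Review bot: In the new `authMode` macro the true branch is the bareword `TOTP` while the false branch is the quoted string `'DEMO'`; if the macro evaluator compiles these expressions under `use strict` the bareword is a compile error, and otherwise the test only passes through bareword stringification. `"authMode": "$authenticationLevel == 8 ? 'TOTP' : 'DEMO'"` is the consistent form. This fixture is what the `m%TOTP%` and `m%DEMO%` checks in the test hunks above rely on, so it is worth making unambiguous.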