perl tidy
parent
6533b0a36b
commit
80f5d06e82
|
@ -212,7 +212,9 @@ sub getConf {
|
||||||
# Create cipher object
|
# Create cipher object
|
||||||
unless ( $args->{raw} ) {
|
unless ( $args->{raw} ) {
|
||||||
|
|
||||||
eval { $res->{cipher} = Lemonldap::NG::Common::Crypto->new( $res->{key} ); };
|
eval {
|
||||||
|
$res->{cipher} = Lemonldap::NG::Common::Crypto->new( $res->{key} );
|
||||||
|
};
|
||||||
if ($@) {
|
if ($@) {
|
||||||
$msg .= "Bad key: $@. \n";
|
$msg .= "Bad key: $@. \n";
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,234 +5,250 @@ our $VERSION = '2.0.0';
|
||||||
|
|
||||||
sub defaultValues {
|
sub defaultValues {
|
||||||
return {
|
return {
|
||||||
'activeTimer' => 1,
|
'activeTimer' => 1,
|
||||||
'ADPwdExpireWarning' => 0,
|
'ADPwdExpireWarning' => 0,
|
||||||
'ADPwdMaxAge' => 0,
|
'ADPwdMaxAge' => 0,
|
||||||
'apacheAuthnLevel' => 4,
|
'apacheAuthnLevel' => 4,
|
||||||
'applicationList' => {
|
'applicationList' => {
|
||||||
'default' => {
|
'default' => {
|
||||||
'catname' => 'Default category',
|
'catname' => 'Default category',
|
||||||
'type' => 'category'
|
'type' => 'category'
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
'authChoiceParam' => 'lmAuth',
|
'authChoiceParam' => 'lmAuth',
|
||||||
'authentication' => 'Demo',
|
'authentication' => 'Demo',
|
||||||
'captcha_mail_enabled' => 1,
|
'captcha_mail_enabled' => 1,
|
||||||
'captcha_register_enabled' => 1,
|
'captcha_register_enabled' => 1,
|
||||||
'captcha_size' => 6,
|
'captcha_size' => 6,
|
||||||
'casAccessControlPolicy' => 'none',
|
'casAccessControlPolicy' => 'none',
|
||||||
'casAuthnLevel' => 1,
|
'casAuthnLevel' => 1,
|
||||||
'checkXSS' => 1,
|
'checkXSS' => 1,
|
||||||
'confirmFormMethod' => 'post',
|
'confirmFormMethod' => 'post',
|
||||||
'cookieName' => 'lemonldap',
|
'cookieName' => 'lemonldap',
|
||||||
'cspConnect' => '\'self\'',
|
'cspConnect' => '\'self\'',
|
||||||
'cspDefault' => '\'self\'',
|
'cspDefault' => '\'self\'',
|
||||||
'cspFont' => '\'self\'',
|
'cspFont' => '\'self\'',
|
||||||
'cspImg' => '\'self\' data:',
|
'cspImg' => '\'self\' data:',
|
||||||
'cspScript' => '\'self\'',
|
'cspScript' => '\'self\'',
|
||||||
'cspStyle' => '\'self\'',
|
'cspStyle' => '\'self\'',
|
||||||
'dbiAuthnLevel' => 2,
|
'dbiAuthnLevel' => 2,
|
||||||
'dbiExportedVars' => {},
|
'dbiExportedVars' => {},
|
||||||
'demoExportedVars' => {
|
'demoExportedVars' => {
|
||||||
'cn' => 'cn',
|
'cn' => 'cn',
|
||||||
'mail' => 'mail',
|
'mail' => 'mail',
|
||||||
'uid' => 'uid'
|
'uid' => 'uid'
|
||||||
},
|
},
|
||||||
'domain' => 'example.com',
|
'domain' => 'example.com',
|
||||||
'exportedVars' => {
|
'exportedVars' => {
|
||||||
'UA' => 'HTTP_USER_AGENT'
|
'UA' => 'HTTP_USER_AGENT'
|
||||||
},
|
},
|
||||||
'ext2fActivation' => 0,
|
'ext2fActivation' => 0,
|
||||||
'facebookAuthnLevel' => 1,
|
'facebookAuthnLevel' => 1,
|
||||||
'facebookExportedVars' => {},
|
'facebookExportedVars' => {},
|
||||||
'failedLoginNumber' => 5,
|
'failedLoginNumber' => 5,
|
||||||
'formTimeout' => 120,
|
'formTimeout' => 120,
|
||||||
'globalStorage' => 'Apache::Session::File',
|
'globalStorage' => 'Apache::Session::File',
|
||||||
'globalStorageOptions' => {
|
'globalStorageOptions' => {
|
||||||
'Directory' => '/var/lib/lemonldap-ng/sessions/',
|
'Directory' => '/var/lib/lemonldap-ng/sessions/',
|
||||||
'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
|
'generateModule' =>
|
||||||
'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/'
|
'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
|
||||||
},
|
'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/'
|
||||||
'groups' => {},
|
},
|
||||||
'hiddenAttributes' => '_password',
|
'groups' => {},
|
||||||
'httpOnly' => 1,
|
'hiddenAttributes' => '_password',
|
||||||
'infoFormMethod' => 'get',
|
'httpOnly' => 1,
|
||||||
'issuerDBCASPath' => '^/cas/',
|
'infoFormMethod' => 'get',
|
||||||
'issuerDBCASRule' => 1,
|
'issuerDBCASPath' => '^/cas/',
|
||||||
'issuerDBGetParameters' => {},
|
'issuerDBCASRule' => 1,
|
||||||
'issuerDBGetPath' => '^/get/',
|
'issuerDBGetParameters' => {},
|
||||||
'issuerDBGetRule' => 1,
|
'issuerDBGetPath' => '^/get/',
|
||||||
'issuerDBOpenIDConnectPath' => '^/oauth2/',
|
'issuerDBGetRule' => 1,
|
||||||
'issuerDBOpenIDConnectRule' => 1,
|
'issuerDBOpenIDConnectPath' => '^/oauth2/',
|
||||||
'issuerDBOpenIDPath' => '^/openidserver/',
|
'issuerDBOpenIDConnectRule' => 1,
|
||||||
'issuerDBOpenIDRule' => 1,
|
'issuerDBOpenIDPath' => '^/openidserver/',
|
||||||
'issuerDBSAMLPath' => '^/saml/',
|
'issuerDBOpenIDRule' => 1,
|
||||||
'issuerDBSAMLRule' => 1,
|
'issuerDBSAMLPath' => '^/saml/',
|
||||||
'jsRedirect' => 0,
|
'issuerDBSAMLRule' => 1,
|
||||||
'krbAuthnLevel' => 3,
|
'jsRedirect' => 0,
|
||||||
'ldapAuthnLevel' => 2,
|
'krbAuthnLevel' => 3,
|
||||||
'ldapBase' => 'dc=example,dc=com',
|
'ldapAuthnLevel' => 2,
|
||||||
'ldapExportedVars' => {
|
'ldapBase' => 'dc=example,dc=com',
|
||||||
'cn' => 'cn',
|
'ldapExportedVars' => {
|
||||||
'mail' => 'mail',
|
'cn' => 'cn',
|
||||||
'uid' => 'uid'
|
'mail' => 'mail',
|
||||||
},
|
'uid' => 'uid'
|
||||||
'ldapGroupAttributeName' => 'member',
|
},
|
||||||
'ldapGroupAttributeNameGroup' => 'dn',
|
'ldapGroupAttributeName' => 'member',
|
||||||
'ldapGroupAttributeNameSearch' => 'cn',
|
'ldapGroupAttributeNameGroup' => 'dn',
|
||||||
'ldapGroupAttributeNameUser' => 'dn',
|
'ldapGroupAttributeNameSearch' => 'cn',
|
||||||
'ldapGroupObjectClass' => 'groupOfNames',
|
'ldapGroupAttributeNameUser' => 'dn',
|
||||||
'ldapPasswordResetAttribute' => 'pwdReset',
|
'ldapGroupObjectClass' => 'groupOfNames',
|
||||||
'ldapPasswordResetAttributeValue' => 'TRUE',
|
'ldapPasswordResetAttribute' => 'pwdReset',
|
||||||
'ldapPort' => 389,
|
'ldapPasswordResetAttributeValue' => 'TRUE',
|
||||||
'ldapPwdEnc' => 'utf-8',
|
'ldapPort' => 389,
|
||||||
'ldapSearchDeref' => 'find',
|
'ldapPwdEnc' => 'utf-8',
|
||||||
'ldapServer' => 'ldap://localhost',
|
'ldapSearchDeref' => 'find',
|
||||||
'ldapTimeout' => 120,
|
'ldapServer' => 'ldap://localhost',
|
||||||
'ldapUsePasswordResetAttribute' => 1,
|
'ldapTimeout' => 120,
|
||||||
'ldapVersion' => 3,
|
'ldapUsePasswordResetAttribute' => 1,
|
||||||
'localSessionStorage' => 'Cache::FileCache',
|
'ldapVersion' => 3,
|
||||||
'localSessionStorageOptions' => {
|
'localSessionStorage' => 'Cache::FileCache',
|
||||||
'cache_depth' => 3,
|
'localSessionStorageOptions' => {
|
||||||
'cache_root' => '/tmp',
|
'cache_depth' => 3,
|
||||||
'default_expires_in' => 600,
|
'cache_root' => '/tmp',
|
||||||
'directory_umask' => '007',
|
'default_expires_in' => 600,
|
||||||
'namespace' => 'lemonldap-ng-sessions'
|
'directory_umask' => '007',
|
||||||
},
|
'namespace' => 'lemonldap-ng-sessions'
|
||||||
'locationRules' => {
|
},
|
||||||
'default' => 'deny'
|
'locationRules' => {
|
||||||
},
|
'default' => 'deny'
|
||||||
'logoutServices' => {},
|
},
|
||||||
'macros' => {},
|
'logoutServices' => {},
|
||||||
'mailCharset' => 'utf-8',
|
'macros' => {},
|
||||||
'mailFrom' => 'noreply@example.com',
|
'mailCharset' => 'utf-8',
|
||||||
'mailSessionKey' => 'mail',
|
'mailFrom' => 'noreply@example.com',
|
||||||
'mailTimeout' => 0,
|
'mailSessionKey' => 'mail',
|
||||||
'mailUrl' => 'http://auth.example.com/resetpwd',
|
'mailTimeout' => 0,
|
||||||
'managerDn' => '',
|
'mailUrl' => 'http://auth.example.com/resetpwd',
|
||||||
'managerPassword' => '',
|
'managerDn' => '',
|
||||||
'multiValuesSeparator' => '; ',
|
'managerPassword' => '',
|
||||||
'notificationStorage' => 'File',
|
'multiValuesSeparator' => '; ',
|
||||||
'notificationStorageOptions' => {
|
'notificationStorage' => 'File',
|
||||||
'dirName' => '/var/lib/lemonldap-ng/notifications'
|
'notificationStorageOptions' => {
|
||||||
},
|
'dirName' => '/var/lib/lemonldap-ng/notifications'
|
||||||
'notificationWildcard' => 'allusers',
|
},
|
||||||
'notifyDeleted' => 1,
|
'notificationWildcard' => 'allusers',
|
||||||
'nullAuthnLevel' => 0,
|
'notifyDeleted' => 1,
|
||||||
'oidcAuthnLevel' => 1,
|
'nullAuthnLevel' => 0,
|
||||||
'oidcRPCallbackGetParam' => 'openidconnectcallback',
|
'oidcAuthnLevel' => 1,
|
||||||
'oidcRPStateTimeout' => 600,
|
'oidcRPCallbackGetParam' => 'openidconnectcallback',
|
||||||
'oidcServiceAllowAuthorizationCodeFlow' => 1,
|
'oidcRPStateTimeout' => 600,
|
||||||
'oidcServiceMetaDataAuthnContext' => {
|
'oidcServiceAllowAuthorizationCodeFlow' => 1,
|
||||||
'loa-1' => 1,
|
'oidcServiceMetaDataAuthnContext' => {
|
||||||
'loa-2' => 2,
|
'loa-1' => 1,
|
||||||
'loa-3' => 3,
|
'loa-2' => 2,
|
||||||
'loa-4' => 4,
|
'loa-3' => 3,
|
||||||
'loa-5' => 5
|
'loa-4' => 4,
|
||||||
},
|
'loa-5' => 5
|
||||||
'oidcServiceMetaDataAuthorizeURI' => 'authorize',
|
},
|
||||||
'oidcServiceMetaDataBackChannelURI' => 'blogout',
|
'oidcServiceMetaDataAuthorizeURI' => 'authorize',
|
||||||
'oidcServiceMetaDataCheckSessionURI' => 'checksession.html',
|
'oidcServiceMetaDataBackChannelURI' => 'blogout',
|
||||||
'oidcServiceMetaDataEndSessionURI' => 'logout',
|
'oidcServiceMetaDataCheckSessionURI' => 'checksession.html',
|
||||||
'oidcServiceMetaDataFrontChannelURI' => 'flogout',
|
'oidcServiceMetaDataEndSessionURI' => 'logout',
|
||||||
'oidcServiceMetaDataIssuer' => 'http://auth.example.com',
|
'oidcServiceMetaDataFrontChannelURI' => 'flogout',
|
||||||
'oidcServiceMetaDataJWKSURI' => 'jwks',
|
'oidcServiceMetaDataIssuer' => 'http://auth.example.com',
|
||||||
'oidcServiceMetaDataRegistrationURI' => 'register',
|
'oidcServiceMetaDataJWKSURI' => 'jwks',
|
||||||
'oidcServiceMetaDataTokenURI' => 'token',
|
'oidcServiceMetaDataRegistrationURI' => 'register',
|
||||||
'oidcServiceMetaDataUserInfoURI' => 'userinfo',
|
'oidcServiceMetaDataTokenURI' => 'token',
|
||||||
'openIdAuthnLevel' => 1,
|
'oidcServiceMetaDataUserInfoURI' => 'userinfo',
|
||||||
'openIdExportedVars' => {},
|
'openIdAuthnLevel' => 1,
|
||||||
'openIdIDPList' => '0;',
|
'openIdExportedVars' => {},
|
||||||
'openIdSPList' => '0;',
|
'openIdIDPList' => '0;',
|
||||||
'openIdSreg_email' => 'mail',
|
'openIdSPList' => '0;',
|
||||||
'openIdSreg_fullname' => 'cn',
|
'openIdSreg_email' => 'mail',
|
||||||
'openIdSreg_nickname' => 'uid',
|
'openIdSreg_fullname' => 'cn',
|
||||||
'openIdSreg_timezone' => '_timezone',
|
'openIdSreg_nickname' => 'uid',
|
||||||
'pamAuthnLevel' => 2,
|
'openIdSreg_timezone' => '_timezone',
|
||||||
'pamService' => 'login',
|
'pamAuthnLevel' => 2,
|
||||||
'passwordDB' => 'Demo',
|
'pamService' => 'login',
|
||||||
'portal' => 'http://auth.example.com/',
|
'passwordDB' => 'Demo',
|
||||||
'portalAntiFrame' => 1,
|
'portal' => 'http://auth.example.com/',
|
||||||
'portalCheckLogins' => 1,
|
'portalAntiFrame' => 1,
|
||||||
'portalDisplayAppslist' => 1,
|
'portalCheckLogins' => 1,
|
||||||
'portalDisplayChangePassword' => '$_auth =~ /^(LDAP|DBI|Demo)$/',
|
'portalDisplayAppslist' => 1,
|
||||||
'portalDisplayLoginHistory' => 1,
|
'portalDisplayChangePassword' => '$_auth =~ /^(LDAP|DBI|Demo)$/',
|
||||||
'portalDisplayLogout' => 1,
|
'portalDisplayLoginHistory' => 1,
|
||||||
'portalDisplayRegister' => 1,
|
'portalDisplayLogout' => 1,
|
||||||
'portalErrorOnExpiredSession' => 1,
|
'portalDisplayRegister' => 1,
|
||||||
'portalForceAuthnInterval' => 5,
|
'portalErrorOnExpiredSession' => 1,
|
||||||
'portalPingInterval' => 60000,
|
'portalForceAuthnInterval' => 5,
|
||||||
'portalRequireOldPassword' => 1,
|
'portalPingInterval' => 60000,
|
||||||
'portalSkin' => 'bootstrap',
|
'portalRequireOldPassword' => 1,
|
||||||
'portalUserAttr' => '_user',
|
'portalSkin' => 'bootstrap',
|
||||||
'proxyAuthnLevel' => 2,
|
'portalUserAttr' => '_user',
|
||||||
'radiusAuthnLevel' => 3,
|
'proxyAuthnLevel' => 2,
|
||||||
'randomPasswordRegexp' => '[A-Z]{3}[a-z]{5}.\\d{2}',
|
'radiusAuthnLevel' => 3,
|
||||||
'redirectFormMethod' => 'get',
|
'randomPasswordRegexp' => '[A-Z]{3}[a-z]{5}.\\d{2}',
|
||||||
'registerDB' => 'Null',
|
'redirectFormMethod' => 'get',
|
||||||
'registerTimeout' => 0,
|
'registerDB' => 'Null',
|
||||||
'remoteGlobalStorage' => 'Lemonldap::NG::Common::Apache::Session::SOAP',
|
'registerTimeout' => 0,
|
||||||
'remoteGlobalStorageOptions' => {
|
'remoteGlobalStorage' => 'Lemonldap::NG::Common::Apache::Session::SOAP',
|
||||||
'ns' => 'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
|
'remoteGlobalStorageOptions' => {
|
||||||
'proxy' => 'http://auth.example.com/sessions'
|
'ns' =>
|
||||||
},
|
'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
|
||||||
'requireToken' => 1,
|
'proxy' => 'http://auth.example.com/sessions'
|
||||||
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
|
},
|
||||||
'samlAuthnContextMapKerberos' => 4,
|
'requireToken' => 1,
|
||||||
'samlAuthnContextMapPassword' => 2,
|
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
|
||||||
'samlAuthnContextMapPasswordProtectedTransport' => 3,
|
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
|
||||||
'samlAuthnContextMapTLSClient' => 5,
|
'samlAuthnContextMapKerberos' => 4,
|
||||||
'samlEntityID' => '#PORTAL#/saml/metadata',
|
'samlAuthnContextMapPassword' => 2,
|
||||||
'samlIdPResolveCookie' => 'lemonldapidp',
|
'samlAuthnContextMapPasswordProtectedTransport' => 3,
|
||||||
'samlIDPSSODescriptorArtifactResolutionServiceArtifact' => '1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
|
'samlAuthnContextMapTLSClient' => 5,
|
||||||
'samlIDPSSODescriptorSingleLogoutServiceHTTPPost' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
|
'samlEntityID' => '#PORTAL#/saml/metadata',
|
||||||
'samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
|
'samlIdPResolveCookie' => 'lemonldapidp',
|
||||||
'samlIDPSSODescriptorSingleLogoutServiceSOAP' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;',
|
'samlIDPSSODescriptorArtifactResolutionServiceArtifact' =>
|
||||||
'samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;',
|
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
|
||||||
'samlIDPSSODescriptorSingleSignOnServiceHTTPPost' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;',
|
'samlIDPSSODescriptorSingleLogoutServiceHTTPPost' =>
|
||||||
'samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;',
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
|
||||||
'samlIDPSSODescriptorWantAuthnRequestsSigned' => 1,
|
'samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect' =>
|
||||||
'samlMetadataForceUTF8' => 1,
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
|
||||||
'samlNameIDFormatMapEmail' => 'mail',
|
'samlIDPSSODescriptorSingleLogoutServiceSOAP' =>
|
||||||
'samlNameIDFormatMapKerberos' => 'uid',
|
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;',
|
||||||
'samlNameIDFormatMapWindows' => 'uid',
|
'samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact' =>
|
||||||
'samlNameIDFormatMapX509' => 'mail',
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;',
|
||||||
'samlOrganizationDisplayName' => 'Example',
|
'samlIDPSSODescriptorSingleSignOnServiceHTTPPost' =>
|
||||||
'samlOrganizationName' => 'Example',
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;',
|
||||||
'samlOrganizationURL' => 'http://www.example.com',
|
'samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect' =>
|
||||||
'samlRelayStateTimeout' => 600,
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;',
|
||||||
'samlSPSSODescriptorArtifactResolutionServiceArtifact' => '1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
|
'samlIDPSSODescriptorWantAuthnRequestsSigned' => 1,
|
||||||
'samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact' => '1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
|
'samlMetadataForceUTF8' => 1,
|
||||||
'samlSPSSODescriptorAssertionConsumerServiceHTTPPost' => '0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
|
'samlNameIDFormatMapEmail' => 'mail',
|
||||||
'samlSPSSODescriptorAuthnRequestsSigned' => 1,
|
'samlNameIDFormatMapKerberos' => 'uid',
|
||||||
'samlSPSSODescriptorSingleLogoutServiceHTTPPost' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
|
'samlNameIDFormatMapWindows' => 'uid',
|
||||||
'samlSPSSODescriptorSingleLogoutServiceHTTPRedirect' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
|
'samlNameIDFormatMapX509' => 'mail',
|
||||||
'samlSPSSODescriptorSingleLogoutServiceSOAP' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;',
|
'samlOrganizationDisplayName' => 'Example',
|
||||||
'samlSPSSODescriptorWantAssertionsSigned' => 1,
|
'samlOrganizationName' => 'Example',
|
||||||
'securedCookie' => 0,
|
'samlOrganizationURL' => 'http://www.example.com',
|
||||||
'slaveAuthnLevel' => 2,
|
'samlRelayStateTimeout' => 600,
|
||||||
'slaveExportedVars' => {},
|
'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
|
||||||
'SMTPServer' => '',
|
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
|
||||||
'SMTPTLS' => '',
|
'samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact' =>
|
||||||
'SSLAuthnLevel' => 5,
|
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
|
||||||
'successLoginNumber' => 5,
|
'samlSPSSODescriptorAssertionConsumerServiceHTTPPost' =>
|
||||||
'timeout' => 72000,
|
'0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
|
||||||
'timeoutActivity' => 0,
|
'samlSPSSODescriptorAuthnRequestsSigned' => 1,
|
||||||
'timeoutActivityInterval' => 60,
|
'samlSPSSODescriptorSingleLogoutServiceHTTPPost' =>
|
||||||
'trustedProxies' => '',
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
|
||||||
'twitterAuthnLevel' => 1,
|
'samlSPSSODescriptorSingleLogoutServiceHTTPRedirect' =>
|
||||||
'u2fActivation' => 0,
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
|
||||||
'upgradeSession' => 1,
|
'samlSPSSODescriptorSingleLogoutServiceSOAP' =>
|
||||||
'userControl' => '^[\\w\\.\\-@]+$',
|
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;',
|
||||||
'userDB' => 'Same',
|
'samlSPSSODescriptorWantAssertionsSigned' => 1,
|
||||||
'useRedirectOnError' => 1,
|
'securedCookie' => 0,
|
||||||
'useSafeJail' => 1,
|
'slaveAuthnLevel' => 2,
|
||||||
'webIDAuthnLevel' => 1,
|
'slaveExportedVars' => {},
|
||||||
'webIDExportedVars' => {},
|
'SMTPServer' => '',
|
||||||
'whatToTrace' => 'uid',
|
'SMTPTLS' => '',
|
||||||
'yubikeyAuthnLevel' => 3,
|
'SSLAuthnLevel' => 5,
|
||||||
'yubikeyPublicIDSize' => 12
|
'successLoginNumber' => 5,
|
||||||
};
|
'timeout' => 72000,
|
||||||
|
'timeoutActivity' => 0,
|
||||||
|
'timeoutActivityInterval' => 60,
|
||||||
|
'trustedProxies' => '',
|
||||||
|
'twitterAuthnLevel' => 1,
|
||||||
|
'u2fActivation' => 0,
|
||||||
|
'upgradeSession' => 1,
|
||||||
|
'userControl' => '^[\\w\\.\\-@]+$',
|
||||||
|
'userDB' => 'Same',
|
||||||
|
'useRedirectOnError' => 1,
|
||||||
|
'useSafeJail' => 1,
|
||||||
|
'webIDAuthnLevel' => 1,
|
||||||
|
'webIDExportedVars' => {},
|
||||||
|
'whatToTrace' => 'uid',
|
||||||
|
'yubikeyAuthnLevel' => 3,
|
||||||
|
'yubikeyPublicIDSize' => 12
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
|
@ -475,7 +475,7 @@ sub _casMetaDataNodes {
|
||||||
|
|
||||||
# Return all exported attributes if asked
|
# Return all exported attributes if asked
|
||||||
if ( $query =~
|
if ( $query =~
|
||||||
/^(?:cas${type}MetaDataExportedVars|casSrvMetaDataOptionsProxiedServices)$/
|
/^(?:cas${type}MetaDataExportedVars|casSrvMetaDataOptionsProxiedServices)$/
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
my $pk = eval { $self->getConfKey( $req, $query )->{$partner} } // {};
|
my $pk = eval { $self->getConfKey( $req, $query )->{$partner} } // {};
|
||||||
|
|
|
@ -105,7 +105,8 @@ sub unset_header_in {
|
||||||
my $h = shift;
|
my $h = shift;
|
||||||
my $h2 = lc $h;
|
my $h2 = lc $h;
|
||||||
$h2 =~ s/-/_/g;
|
$h2 =~ s/-/_/g;
|
||||||
$request->env->{'psgi.r'}->headers_in->unset($h) if ( $h1 eq $h2 );
|
$request->env->{'psgi.r'}->headers_in->unset($h)
|
||||||
|
if ( $h1 eq $h2 );
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
|
@ -104,10 +104,12 @@ sub init {
|
||||||
}
|
}
|
||||||
|
|
||||||
$self->menuLinks( [] );
|
$self->menuLinks( [] );
|
||||||
if ( my $portal =
|
if (
|
||||||
|
my $portal =
|
||||||
$conf->{cfgNum}
|
$conf->{cfgNum}
|
||||||
? Lemonldap::NG::Handler::PSGI::Main->tsv->{portal}->()
|
? Lemonldap::NG::Handler::PSGI::Main->tsv->{portal}->()
|
||||||
: $conf->{portal} )
|
: $conf->{portal}
|
||||||
|
)
|
||||||
{
|
{
|
||||||
push @{ $self->menuLinks },
|
push @{ $self->menuLinks },
|
||||||
{
|
{
|
||||||
|
|
|
@ -370,9 +370,10 @@ sub attributes {
|
||||||
documentation => 'Show error if session is expired',
|
documentation => 'Show error if session is expired',
|
||||||
},
|
},
|
||||||
portalErrorOnMailNotFound => {
|
portalErrorOnMailNotFound => {
|
||||||
type => 'bool',
|
type => 'bool',
|
||||||
default => 0,
|
default => 0,
|
||||||
documentation => 'Show error if mail is not found in password reset process',
|
documentation =>
|
||||||
|
'Show error if mail is not found in password reset process',
|
||||||
},
|
},
|
||||||
portalOpenLinkInNewWindow => {
|
portalOpenLinkInNewWindow => {
|
||||||
type => 'bool',
|
type => 'bool',
|
||||||
|
@ -2699,7 +2700,7 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
||||||
oidcRPMetaDataOptionsBypassConsent =>
|
oidcRPMetaDataOptionsBypassConsent =>
|
||||||
{ type => 'bool', help => 'openidconnectclaims.html', default => 0 },
|
{ type => 'bool', help => 'openidconnectclaims.html', default => 0 },
|
||||||
oidcRPMetaDataOptionsPostLogoutRedirectUris => { type => 'text', },
|
oidcRPMetaDataOptionsPostLogoutRedirectUris => { type => 'text', },
|
||||||
oidcRPMetaDataOptionsLogoutUrl => {
|
oidcRPMetaDataOptionsLogoutUrl => {
|
||||||
type => 'url',
|
type => 'url',
|
||||||
documentation => 'Logout URL',
|
documentation => 'Logout URL',
|
||||||
},
|
},
|
||||||
|
|
|
@ -172,19 +172,20 @@ sub tree {
|
||||||
title => 'dbiPassword',
|
title => 'dbiPassword',
|
||||||
help => 'authdbi.html#password',
|
help => 'authdbi.html#password',
|
||||||
form => 'simpleInputContainer',
|
form => 'simpleInputContainer',
|
||||||
nodes => ['dbiAuthPasswordHash',
|
nodes => [
|
||||||
{
|
'dbiAuthPasswordHash',
|
||||||
title => 'dbiDynamicHash',
|
{
|
||||||
help => 'authdbi.html#password',
|
title => 'dbiDynamicHash',
|
||||||
form => 'simpleInputContainer',
|
help => 'authdbi.html#password',
|
||||||
nodes => [
|
form => 'simpleInputContainer',
|
||||||
'dbiDynamicHashEnabled',
|
nodes => [
|
||||||
'dbiDynamicHashValidSchemes',
|
'dbiDynamicHashEnabled',
|
||||||
'dbiDynamicHashValidSaltedSchemes',
|
'dbiDynamicHashValidSchemes',
|
||||||
'dbiDynamicHashNewPasswordScheme'
|
'dbiDynamicHashValidSaltedSchemes',
|
||||||
]
|
'dbiDynamicHashNewPasswordScheme'
|
||||||
}
|
]
|
||||||
]
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
|
|
@ -473,10 +473,13 @@ sub _scanNodes {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elsif ( $target =~
|
elsif ( $target =~
|
||||||
/^(?:$casSrvMetaDataNodeKeys|$casAppMetaDataNodeKeys)/o )
|
/^(?:$casSrvMetaDataNodeKeys|$casAppMetaDataNodeKeys)/o
|
||||||
|
)
|
||||||
{
|
{
|
||||||
$self->set( $optKey, [ $oldName, $key ],
|
$self->set(
|
||||||
$target, $leaf->{data} );
|
$optKey, [ $oldName, $key ],
|
||||||
|
$target, $leaf->{data}
|
||||||
|
);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
push @{ $self->errors },
|
push @{ $self->errors },
|
||||||
|
|
|
@ -315,8 +315,8 @@ sub tests {
|
||||||
my %entityIds;
|
my %entityIds;
|
||||||
foreach my $spId ( keys %{ $conf->{samlSPMetaDataXML} } ) {
|
foreach my $spId ( keys %{ $conf->{samlSPMetaDataXML} } ) {
|
||||||
unless (
|
unless (
|
||||||
$conf->{samlSPMetaDataXML}->{$spId}->{samlSPMetaDataXML}
|
$conf->{samlSPMetaDataXML}->{$spId}->{samlSPMetaDataXML} =~
|
||||||
=~ /entityID=(['"])(.+?)\1/si )
|
/entityID=(['"])(.+?)\1/si )
|
||||||
{
|
{
|
||||||
push @msg, "$spId SAML metadata has no EntityID";
|
push @msg, "$spId SAML metadata has no EntityID";
|
||||||
$res = 0;
|
$res = 0;
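Review bot: The regex `/entityID=(['"])(.+?)\1/si` at the top of the hunk runs over the raw metadata string, so it matches the first `entityID=` anywhere in the document, including one inside an XML comment or on a nested element, rather than the one on the `EntityDescriptor` root. If `$2` is consumed after this statement to populate `%entityIds` (that code is outside the hunk), a named capture such as `(?<entityID>.+?)` read through `$+{entityID}` avoids carrying `$1`/`$2` across statements; for the duplicate-ID check itself, parsing the metadata with an XML parser would be more robust than substring matching. tests starts and ends outside the hunk.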
|
||||||
|
|
|
@ -78,7 +78,8 @@ sub extractFormInfo {
|
||||||
# another backend (Combination)
|
# another backend (Combination)
|
||||||
# switch to another backend
|
# switch to another backend
|
||||||
elsif ( defined $req->param('kerberos') ) {
|
elsif ( defined $req->param('kerberos') ) {
|
||||||
$self->userLogger->warn('Kerberos authentication has failed, back to portal');
|
$self->userLogger->warn(
|
||||||
|
'Kerberos authentication has failed, back to portal');
|
||||||
return PE_BADCREDENTIALS;
|
return PE_BADCREDENTIALS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -110,16 +111,11 @@ sub extractFormInfo {
|
||||||
$ENV{KRB5_KTNAME} = $self->keytab;
|
$ENV{KRB5_KTNAME} = $self->keytab;
|
||||||
my $gss_client_name;
|
my $gss_client_name;
|
||||||
my $status = GSSAPI::Context::accept(
|
my $status = GSSAPI::Context::accept(
|
||||||
my $server_context,
|
my $server_context, GSS_C_NO_CREDENTIAL,
|
||||||
GSS_C_NO_CREDENTIAL,
|
$data, GSS_C_NO_CHANNEL_BINDINGS,
|
||||||
$data,
|
$gss_client_name, undef,
|
||||||
GSS_C_NO_CHANNEL_BINDINGS,
|
my $gss_output_token, my $out_flags,
|
||||||
$gss_client_name,
|
my $out_time, my $gss_delegated_cred
|
||||||
undef,
|
|
||||||
my $gss_output_token,
|
|
||||||
my $out_flags,
|
|
||||||
my $out_time,
|
|
||||||
my $gss_delegated_cred
|
|
||||||
);
|
);
|
||||||
unless ($status) {
|
unless ($status) {
|
||||||
$self->logger->error('Unable to accept security context');
|
$self->logger->error('Unable to accept security context');
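Review bot: `$ENV{KRB5_KTNAME} = $self->keytab;` at the top of the hunk mutates the process environment for the lifetime of the worker rather than for this call; `local $ENV{KRB5_KTNAME} = $self->keytab;` scopes the override to the enclosing block and restores the previous value on exit. The `unless ($status)` branch treats any non-true status as a failure; if the boolean overload of the returned GSSAPI::Status counts GSS_S_CONTINUE_NEEDED as false, a negotiation that needs a further round trip would be rejected here rather than continued — worth confirming against the GSSAPI module's documentation. extractFormInfo starts and ends outside this hunk.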
|
||||||
|
|
|
@ -331,7 +331,7 @@ sub validateST {
|
||||||
my $proxy_url;
|
my $proxy_url;
|
||||||
if (%$proxied) {
|
if (%$proxied) {
|
||||||
$proxy_url = $self->p->fullUrl($req);
|
$proxy_url = $self->p->fullUrl($req);
|
||||||
die if($proxy_url =~ /casProxy=1/);
|
die if ( $proxy_url =~ /casProxy=1/ );
|
||||||
$proxy_url .= ( $proxy_url =~ /\?/ ? '&' : '?' ) . 'casProxy=1';
|
$proxy_url .= ( $proxy_url =~ /\?/ ? '&' : '?' ) . 'casProxy=1';
|
||||||
if ( $self->conf->{authChoiceParam}
|
if ( $self->conf->{authChoiceParam}
|
||||||
and my $tmp = $req->param( $self->conf->{authChoiceParam} ) )
|
and my $tmp = $req->param( $self->conf->{authChoiceParam} ) )
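Review bot: `die if ( $proxy_url =~ /casProxy=1/ );` in the middle of the hunk aborts with no message, so whatever catches it (outside this hunk) only sees a generic `Died at ... line N`; the guard appears to stop a proxy loop and should say so, e.g. `die "casProxy already set in $proxy_url, refusing to loop";`. The substring match also fires on any URL that merely contains `casProxy=1` inside another value, not only on the parameter itself; `/[?&]casProxy=1(?:&|$)/` narrows it to the query parameter. validateST starts and ends outside the hunk.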
|
||||||
|
|
|
@ -95,30 +95,29 @@ sub get_password {
|
||||||
my $table = $self->conf->{dbiAuthTable};
|
my $table = $self->conf->{dbiAuthTable};
|
||||||
my $loginCol = $self->conf->{dbiAuthLoginCol};
|
my $loginCol = $self->conf->{dbiAuthLoginCol};
|
||||||
my $passwordCol = $self->conf->{dbiAuthPasswordCol};
|
my $passwordCol = $self->conf->{dbiAuthPasswordCol};
|
||||||
|
|
||||||
my @rows = ();
|
my @rows = ();
|
||||||
eval {
|
eval {
|
||||||
my $sth = $dbh->prepare(
|
my $sth =
|
||||||
"SELECT $passwordCol FROM $table WHERE $loginCol=?"
|
$dbh->prepare( "SELECT $passwordCol FROM $table WHERE $loginCol=?" );
|
||||||
);
|
$sth->execute($user);
|
||||||
$sth->execute( $user);
|
|
||||||
@rows = $sth->fetchrow_array();
|
@rows = $sth->fetchrow_array();
|
||||||
};
|
};
|
||||||
if ($@) {
|
if ($@) {
|
||||||
$self->lmLog( "DBI error while getting password: $@", 'error' );
|
$self->lmLog( "DBI error while getting password: $@", 'error' );
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( @rows == 1 ) {
|
if ( @rows == 1 ) {
|
||||||
$self->logger->debug( "Successfully got password from database" );
|
$self->logger->debug("Successfully got password from database");
|
||||||
return $rows[0];
|
return $rows[0];
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->userLogger->warn( "Unable to check password for $user" );
|
$self->userLogger->warn("Unable to check password for $user");
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method protected Lemonldap::NG::Portal::_DBI hash_password_from_database
|
## @method protected Lemonldap::NG::Portal::_DBI hash_password_from_database
|
||||||
## (ref dbh, string dbmethod, string dbsalt, string password)
|
## (ref dbh, string dbmethod, string dbsalt, string password)
|
||||||
# Hash the given password calling the dbmethod function in database
|
# Hash the given password calling the dbmethod function in database
|
||||||
|
@ -128,17 +127,18 @@ sub get_password {
|
||||||
# @param password the password to hash
|
# @param password the password to hash
|
||||||
# @return hashed password
|
# @return hashed password
|
||||||
sub hash_password_from_database {
|
sub hash_password_from_database {
|
||||||
|
|
||||||
# Remark: database function must get hexadecimal input
|
# Remark: database function must get hexadecimal input
|
||||||
# and send back hexadecimal output
|
# and send back hexadecimal output
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
my $dbh = shift;
|
my $dbh = shift;
|
||||||
my $dbmethod = shift;
|
my $dbmethod = shift;
|
||||||
my $dbsalt = shift;
|
my $dbsalt = shift;
|
||||||
my $password = shift;
|
my $password = shift;
|
||||||
|
|
||||||
# convert password to hexa
|
# convert password to hexa
|
||||||
my $passwordh = unpack "H*", $password;
|
my $passwordh = unpack "H*", $password;
|
||||||
|
|
||||||
my @rows = ();
|
my @rows = ();
|
||||||
eval {
|
eval {
|
||||||
my $sth = $dbh->prepare("SELECT $dbmethod('$passwordh$dbsalt')");
|
my $sth = $dbh->prepare("SELECT $dbmethod('$passwordh$dbsalt')");
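Review bot: `my $sth = $dbh->prepare("SELECT $dbmethod('$passwordh$dbsalt')");` at the end of the hunk builds the statement by interpolation: `$passwordh` comes from `unpack "H*"` and is hex, so it cannot break out of the quoted literal, but `$dbsalt` is spliced into the same literal with no visible check that it is hex (the later `pack 'H*', $dbsalt` assumes it is), and `$dbmethod` is an identifier taken from configuration. Binding the argument keeps the value out of the SQL text: `my $sth = $dbh->prepare("SELECT $dbmethod(?)");` with `"$passwordh$dbsalt"` passed to the subsequent `execute` call (outside this hunk), or at minimum rejecting a salt that fails `/\A[0-9a-fA-F]*\z/` before it is used. The same identifier interpolation appears in get_password's `"SELECT $passwordCol FROM $table WHERE $loginCol=?"`, where the user value is already bound but `$dbh->quote_identifier` would harden the config-derived names. hash_password_from_database continues in the next hunk.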
|
||||||
|
@ -146,67 +146,71 @@ sub hash_password_from_database {
|
||||||
@rows = $sth->fetchrow_array();
|
@rows = $sth->fetchrow_array();
|
||||||
};
|
};
|
||||||
if ($@) {
|
if ($@) {
|
||||||
$self->lmLog( "DBI error while hashing with '$dbmethod' hash function: $@", 'error' );
|
$self->lmLog(
|
||||||
$self->userLogger->warn( "Unable to check password" );
|
"DBI error while hashing with '$dbmethod' hash function: $@",
|
||||||
|
'error' );
|
||||||
|
$self->userLogger->warn("Unable to check password");
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( @rows == 1 ) {
|
if ( @rows == 1 ) {
|
||||||
$self->logger->debug( "Successfully hashed password with $dbmethod hash function in database" );
|
$self->logger->debug(
|
||||||
|
"Successfully hashed password with $dbmethod hash function in database"
|
||||||
|
);
|
||||||
|
|
||||||
# convert salt to binary
|
# convert salt to binary
|
||||||
my $dbsaltb = pack 'H*', $dbsalt;
|
my $dbsaltb = pack 'H*', $dbsalt;
|
||||||
|
|
||||||
# convert result to binary
|
# convert result to binary
|
||||||
my $res = pack 'H*', $rows[0];
|
my $res = pack 'H*', $rows[0];
|
||||||
|
|
||||||
return encode_base64($res . $dbsaltb ,'');
|
return encode_base64( $res . $dbsaltb, '' );
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->userLogger->warn( "Unable to check password with '$dbmethod'" );
|
$self->userLogger->warn("Unable to check password with '$dbmethod'");
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
# Return encode_base64(SQL_METHOD(password + salt) + salt)
|
# Return encode_base64(SQL_METHOD(password + salt) + salt)
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method protected Lemonldap::NG::Portal::_DBI get_salt(string dbhash)
|
## @method protected Lemonldap::NG::Portal::_DBI get_salt(string dbhash)
|
||||||
# Return salt from salted hash password
|
# Return salt from salted hash password
|
||||||
# @param dbhash hash password
|
# @param dbhash hash password
|
||||||
# @return extracted salt
|
# @return extracted salt
|
||||||
sub get_salt {
|
sub get_salt {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
my $dbhash = shift;
|
my $dbhash = shift;
|
||||||
my $dbsalt;
|
my $dbsalt;
|
||||||
|
|
||||||
# get rid of scheme ({sha256})
|
# get rid of scheme ({sha256})
|
||||||
$dbhash =~ s/^\{[^}]+\}(.*)$/$1/;
|
$dbhash =~ s/^\{[^}]+\}(.*)$/$1/;
|
||||||
|
|
||||||
# get binary hash
|
# get binary hash
|
||||||
my $decoded = &decode_base64($dbhash);
|
my $decoded = &decode_base64($dbhash);
|
||||||
|
|
||||||
# get last 8 bytes
|
# get last 8 bytes
|
||||||
$dbsalt = substr $decoded, -8;
|
$dbsalt = substr $decoded, -8;
|
||||||
|
|
||||||
# get hexadecimal version of salt
|
# get hexadecimal version of salt
|
||||||
$dbsalt = unpack "H*", $dbsalt;
|
$dbsalt = unpack "H*", $dbsalt;
|
||||||
|
|
||||||
return $dbsalt;
|
return $dbsalt;
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method protected Lemonldap::NG::Portal::_DBI gen_salt()
|
## @method protected Lemonldap::NG::Portal::_DBI gen_salt()
|
||||||
# Generate 8 bytes of hexadecimal random salt
|
# Generate 8 bytes of hexadecimal random salt
|
||||||
# @return generated salt
|
# @return generated salt
|
||||||
sub gen_salt {
|
sub gen_salt {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
my $dbsalt;
|
my $dbsalt;
|
||||||
my @set = ('0' ..'9', 'A' .. 'F');
|
my @set = ( '0' .. '9', 'A' .. 'F' );
|
||||||
|
|
||||||
$dbsalt = join '' => map $set[rand @set], 1 .. 16;
|
$dbsalt = join '' => map $set[ rand @set ], 1 .. 16;
|
||||||
|
|
||||||
return $dbsalt;
|
return $dbsalt;
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method protected Lemonldap::NG::Portal::_DBI dynamic_hash_password(ref dbh,
|
## @method protected Lemonldap::NG::Portal::_DBI dynamic_hash_password(ref dbh,
|
||||||
## string user, string password, string table, string loginCol, string passwordCol)
|
## string user, string password, string table, string loginCol, string passwordCol)
|
||||||
# Return hashed password for use in SQL statement
|
# Return hashed password for use in SQL statement
|
||||||
|
@ -218,76 +222,88 @@ sub gen_salt {
|
||||||
# @param passwordCol name of the row containing the password
|
# @param passwordCol name of the row containing the password
|
||||||
# @return hashed password
|
# @return hashed password
|
||||||
sub dynamic_hash_password {
|
sub dynamic_hash_password {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
my $dbh = shift;
|
my $dbh = shift;
|
||||||
my $user = shift;
|
my $user = shift;
|
||||||
my $password = shift;
|
my $password = shift;
|
||||||
my $table = shift;
|
my $table = shift;
|
||||||
my $loginCol = shift;
|
my $loginCol = shift;
|
||||||
my $passwordCol = shift;
|
my $passwordCol = shift;
|
||||||
|
|
||||||
# Authorized hash schemes and salted hash schemes
|
# Authorized hash schemes and salted hash schemes
|
||||||
my @validSchemes = split / /, $self->conf->{dbiDynamicHashValidSchemes};
|
my @validSchemes = split / /, $self->conf->{dbiDynamicHashValidSchemes};
|
||||||
my @validSaltedSchemes = split / /, $self->conf->{dbiDynamicHashValidSaltedSchemes};
|
my @validSaltedSchemes = split / /,
|
||||||
|
$self->conf->{dbiDynamicHashValidSaltedSchemes};
|
||||||
my $dbhash; # hash currently stored in database
|
|
||||||
my $dbscheme; # current hash scheme stored in database
|
my $dbhash; # hash currently stored in database
|
||||||
my $dbmethod; # static hash method corresponding to a database function
|
my $dbscheme; # current hash scheme stored in database
|
||||||
my $dbsalt; # current salt stored in database
|
my $dbmethod; # static hash method corresponding to a database function
|
||||||
my $hash; # hash to compute from user password
|
my $dbsalt; # current salt stored in database
|
||||||
|
my $hash; # hash to compute from user password
|
||||||
|
|
||||||
# Search hash from database
|
# Search hash from database
|
||||||
$self->logger->debug( "Hash scheme is to be found in database" );
|
$self->logger->debug("Hash scheme is to be found in database");
|
||||||
$dbhash = $self->get_password($dbh, $user, $table, $loginCol, $passwordCol);
|
$dbhash =
|
||||||
|
$self->get_password( $dbh, $user, $table, $loginCol, $passwordCol );
|
||||||
|
|
||||||
# Get the scheme
|
# Get the scheme
|
||||||
$dbscheme = $dbhash;
|
$dbscheme = $dbhash;
|
||||||
$dbscheme =~ s/^\{([^}]+)\}.*/$1/;
|
$dbscheme =~ s/^\{([^}]+)\}.*/$1/;
|
||||||
$dbscheme = "" if $dbscheme eq $dbhash;
|
$dbscheme = "" if $dbscheme eq $dbhash;
|
||||||
|
|
||||||
# no hash scheme => assume clear text
|
# no hash scheme => assume clear text
|
||||||
if($dbscheme eq "") {
|
if ( $dbscheme eq "" ) {
|
||||||
$self->logger->info( "Password has no hash scheme" );
|
$self->logger->info("Password has no hash scheme");
|
||||||
return "?";
|
return "?";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# salted hash scheme
|
# salted hash scheme
|
||||||
elsif(grep( /^$dbscheme$/, @validSaltedSchemes )) {
|
elsif ( grep( /^$dbscheme$/, @validSaltedSchemes ) ) {
|
||||||
$self->logger->info( "Valid salted hash scheme: $dbscheme found for user $user" );
|
$self->logger->info(
|
||||||
|
"Valid salted hash scheme: $dbscheme found for user $user");
|
||||||
|
|
||||||
# extract non salted hash scheme
|
# extract non salted hash scheme
|
||||||
$dbmethod = $dbscheme;
|
$dbmethod = $dbscheme;
|
||||||
$dbmethod =~ s/^s//i;
|
$dbmethod =~ s/^s//i;
|
||||||
|
|
||||||
# extract the salt
|
# extract the salt
|
||||||
$dbsalt = $self->get_salt($dbhash);
|
$dbsalt = $self->get_salt($dbhash);
|
||||||
$self->logger->debug( "Get salt from password: $dbsalt");
|
$self->logger->debug("Get salt from password: $dbsalt");
|
||||||
|
|
||||||
# Hash password with given hash scheme and salt
|
# Hash password with given hash scheme and salt
|
||||||
$hash = $self->hash_password_from_database($dbh, $dbmethod, $dbsalt, $password);
|
$hash =
|
||||||
|
$self->hash_password_from_database( $dbh, $dbmethod, $dbsalt,
|
||||||
|
$password );
|
||||||
$hash = "{$dbscheme}$hash";
|
$hash = "{$dbscheme}$hash";
|
||||||
|
|
||||||
return "'$hash'";
|
return "'$hash'";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# static hash scheme
|
# static hash scheme
|
||||||
elsif(grep( /^$dbscheme$/, @validSchemes )) {
|
elsif ( grep( /^$dbscheme$/, @validSchemes ) ) {
|
||||||
$self->logger->info( "Valid hash scheme: $dbscheme found for user $user" );
|
$self->logger->info(
|
||||||
|
"Valid hash scheme: $dbscheme found for user $user");
|
||||||
|
|
||||||
# Hash given password with given hash scheme and no salt
|
# Hash given password with given hash scheme and no salt
|
||||||
$hash = $self->hash_password_from_database($dbh, $dbscheme, "", $password);
|
$hash =
|
||||||
|
$self->hash_password_from_database( $dbh, $dbscheme, "", $password );
|
||||||
$hash = "{$dbscheme}$hash";
|
$hash = "{$dbscheme}$hash";
|
||||||
|
|
||||||
return "'$hash'";
|
return "'$hash'";
|
||||||
}
|
}
|
||||||
|
|
||||||
# no valid hash scheme
|
# no valid hash scheme
|
||||||
else {
|
else {
|
||||||
$self->lmLog( "No valid hash scheme: $dbscheme for user $user", 'error' );
|
$self->lmLog( "No valid hash scheme: $dbscheme for user $user",
|
||||||
$self->userLogger->warn( "Unable to check password for $user" );
|
'error' );
|
||||||
|
$self->userLogger->warn("Unable to check password for $user");
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method protected Lemonldap::NG::Portal::_DBI dynamic_hash_new_password(ref dbh,
|
## @method protected Lemonldap::NG::Portal::_DBI dynamic_hash_new_password(ref dbh,
|
||||||
## string user, string password)
|
## string user, string password)
|
||||||
# Return hashed password for use in SQL statement
|
# Return hashed password for use in SQL statement
|
||||||
|
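Review bot: `elsif ( grep( /^$dbscheme$/, @validSaltedSchemes ) )` and the matching `@validSchemes` test interpolate `$dbscheme` into the pattern unescaped, and `$dbscheme` is cut from the stored hash that `get_password` returned, so a scheme prefix containing regex metacharacters can satisfy the anchored match without being equal to any configured entry; `$dbmethod` is then derived from that value and is interpolated into the SQL text `"SELECT $dbmethod('$passwordh$dbsalt')"` in `hash_password_from_database` (the `-128` hunk). An exact allowlist comparison closes this: `elsif ( grep { $_ eq $dbscheme } @validSaltedSchemes ) {` and `elsif ( grep { $_ eq $dbscheme } @validSchemes ) {`. The same two tests in `dynamic_hash_new_password` (the `-301` hunk) should change for consistency, even though there `$dbscheme` comes from configuration rather than from the database.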
@ -301,57 +317,67 @@ sub dynamic_hash_new_password {
|
||||||
my $dbh = shift;
|
my $dbh = shift;
|
||||||
my $user = shift;
|
my $user = shift;
|
||||||
my $password = shift;
|
my $password = shift;
|
||||||
my $dbscheme = $self->conf->{dbiDynamicHashNewPasswordScheme} || "";
|
my $dbscheme = $self->conf->{dbiDynamicHashNewPasswordScheme} || "";
|
||||||
|
|
||||||
# Authorized hash schemes and salted hash schemes
|
# Authorized hash schemes and salted hash schemes
|
||||||
my @validSchemes = split / /, $self->conf->{dbiDynamicHashValidSchemes};
|
my @validSchemes = split / /, $self->conf->{dbiDynamicHashValidSchemes};
|
||||||
my @validSaltedSchemes = split / /, $self->conf->{dbiDynamicHashValidSaltedSchemes};
|
my @validSaltedSchemes = split / /,
|
||||||
|
$self->conf->{dbiDynamicHashValidSaltedSchemes};
|
||||||
my $dbmethod; # static hash method corresponding to a database function
|
|
||||||
my $dbsalt; # salt to generate for new hashed password
|
my $dbmethod; # static hash method corresponding to a database function
|
||||||
my $hash; # hash to compute from user password
|
my $dbsalt; # salt to generate for new hashed password
|
||||||
|
my $hash; # hash to compute from user password
|
||||||
|
|
||||||
# no hash scheme => assume clear text
|
# no hash scheme => assume clear text
|
||||||
if($dbscheme eq "") {
|
if ( $dbscheme eq "" ) {
|
||||||
$self->logger->info( "No hash scheme selected, storing password in clear text" );
|
$self->logger->info(
|
||||||
|
"No hash scheme selected, storing password in clear text");
|
||||||
return "?";
|
return "?";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# salted hash scheme
|
# salted hash scheme
|
||||||
elsif(grep( /^$dbscheme$/, @validSaltedSchemes )) {
|
elsif ( grep( /^$dbscheme$/, @validSaltedSchemes ) ) {
|
||||||
$self->logger->info( "Selected salted hash scheme: $dbscheme" );
|
$self->logger->info("Selected salted hash scheme: $dbscheme");
|
||||||
|
|
||||||
# extract non salted hash scheme
|
# extract non salted hash scheme
|
||||||
$dbmethod = $dbscheme;
|
$dbmethod = $dbscheme;
|
||||||
$dbmethod =~ s/^s//i;
|
$dbmethod =~ s/^s//i;
|
||||||
|
|
||||||
# generate the salt
|
# generate the salt
|
||||||
$dbsalt = $self->gen_salt();
|
$dbsalt = $self->gen_salt();
|
||||||
$self->logger->debug( "Generated salt: $dbsalt" );
|
$self->logger->debug("Generated salt: $dbsalt");
|
||||||
|
|
||||||
# Hash given password with given hash scheme and salt
|
# Hash given password with given hash scheme and salt
|
||||||
$hash = $self->hash_password_from_database($dbh, $dbmethod, $dbsalt, $password);
|
$hash =
|
||||||
|
$self->hash_password_from_database( $dbh, $dbmethod, $dbsalt,
|
||||||
|
$password );
|
||||||
$hash = "{$dbscheme}$hash";
|
$hash = "{$dbscheme}$hash";
|
||||||
|
|
||||||
return "'$hash'";
|
return "'$hash'";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# static hash scheme
|
# static hash scheme
|
||||||
elsif(grep( /^$dbscheme$/, @validSchemes )) {
|
elsif ( grep( /^$dbscheme$/, @validSchemes ) ) {
|
||||||
$self->logger->info( "Selected hash scheme: $dbscheme" );
|
$self->logger->info("Selected hash scheme: $dbscheme");
|
||||||
|
|
||||||
# Hash given password with given hash scheme and no salt
|
# Hash given password with given hash scheme and no salt
|
||||||
$hash = $self->hash_password_from_database($dbh, $dbscheme, "", $password);
|
$hash =
|
||||||
|
$self->hash_password_from_database( $dbh, $dbscheme, "", $password );
|
||||||
$hash = "{$dbscheme}$hash";
|
$hash = "{$dbscheme}$hash";
|
||||||
|
|
||||||
return "'$hash'";
|
return "'$hash'";
|
||||||
}
|
}
|
||||||
|
|
||||||
# no valid hash scheme
|
# no valid hash scheme
|
||||||
else {
|
else {
|
||||||
$self->lmLog( "No selected hash scheme: $dbscheme is invalid", 'error' );
|
$self->lmLog( "No selected hash scheme: $dbscheme is invalid",
|
||||||
$self->userLogger->warn( "Unable to store password for $user" );
|
'error' );
|
||||||
|
$self->userLogger->warn("Unable to store password for $user");
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Verify user and password with SQL SELECT
|
# Verify user and password with SQL SELECT
|
||||||
|
@ -374,15 +400,17 @@ sub check_password {
|
||||||
|
|
||||||
my $passwordsql;
|
my $passwordsql;
|
||||||
if ( $dynamicHash == 1 ) {
|
if ( $dynamicHash == 1 ) {
|
||||||
|
|
||||||
# Dynamic password hashes
|
# Dynamic password hashes
|
||||||
$passwordsql =
|
$passwordsql =
|
||||||
$self->dynamic_hash_password( $self->dbh, $user, $password, $table, $loginCol, $passwordCol );
|
$self->dynamic_hash_password( $self->dbh, $user, $password, $table,
|
||||||
|
$loginCol, $passwordCol );
|
||||||
}
|
}
|
||||||
else
|
else {
|
||||||
{
|
|
||||||
# Static Password hashes
|
# Static Password hashes
|
||||||
$passwordsql =
|
$passwordsql =
|
||||||
$self->hash_password_for_select( "?", $self->conf->{dbiAuthPasswordHash} );
|
$self->hash_password_for_select( "?",
|
||||||
|
$self->conf->{dbiAuthPasswordHash} );
|
||||||
}
|
}
|
||||||
|
|
||||||
my @rows = ();
|
my @rows = ();
|
||||||
|
@ -390,8 +418,8 @@ sub check_password {
|
||||||
my $sth = $self->dbh->prepare(
|
my $sth = $self->dbh->prepare(
|
||||||
"SELECT $loginCol FROM $table WHERE $loginCol=? AND $passwordCol=$passwordsql"
|
"SELECT $loginCol FROM $table WHERE $loginCol=? AND $passwordCol=$passwordsql"
|
||||||
);
|
);
|
||||||
$sth->execute( $user, $password ) if $passwordsql =~ /.*\?.*/;
|
$sth->execute( $user, $password ) if $passwordsql =~ /.*\?.*/;
|
||||||
$sth->execute( $user ) unless $passwordsql =~ /.*\?.*/;
|
$sth->execute($user) unless $passwordsql =~ /.*\?.*/;
|
||||||
@rows = $sth->fetchrow_array();
|
@rows = $sth->fetchrow_array();
|
||||||
};
|
};
|
||||||
if ($@) {
|
if ($@) {
|
||||||
|
|
|
@ -22,28 +22,30 @@ sub confirm {
|
||||||
sub modifyPassword {
|
sub modifyPassword {
|
||||||
my ( $self, $req, $pwd ) = @_;
|
my ( $self, $req, $pwd ) = @_;
|
||||||
|
|
||||||
my $userCol = $self->conf->{dbiAuthLoginCol};
|
my $userCol = $self->conf->{dbiAuthLoginCol};
|
||||||
my $passwordCol = $self->conf->{dbiAuthPasswordCol};
|
my $passwordCol = $self->conf->{dbiAuthPasswordCol};
|
||||||
my $table = $self->conf->{dbiAuthTable};
|
my $table = $self->conf->{dbiAuthTable};
|
||||||
my $dynamicHash = $self->conf->{dbiDynamicHashEnabled} || 0;
|
my $dynamicHash = $self->conf->{dbiDynamicHashEnabled} || 0;
|
||||||
|
|
||||||
my $passwordsql;
|
my $passwordsql;
|
||||||
if ( $dynamicHash == 1 ) {
|
if ( $dynamicHash == 1 ) {
|
||||||
|
|
||||||
# Dynamic password hashes
|
# Dynamic password hashes
|
||||||
$passwordsql =
|
$passwordsql =
|
||||||
$self->dynamic_hash_new_password( $self->dbh, $req->user, $pwd, $table, $userCol, $passwordCol );
|
$self->dynamic_hash_new_password( $self->dbh, $req->user, $pwd,
|
||||||
|
$table, $userCol, $passwordCol );
|
||||||
}
|
}
|
||||||
else
|
else {
|
||||||
{
|
|
||||||
# Static Password hash
|
# Static Password hash
|
||||||
$passwordsql = $self->hash_password( "?", $self->conf->{dbiAuthPasswordHash} );
|
$passwordsql =
|
||||||
|
$self->hash_password( "?", $self->conf->{dbiAuthPasswordHash} );
|
||||||
}
|
}
|
||||||
|
|
||||||
eval {
|
eval {
|
||||||
my $sth = $self->dbh->prepare(
|
my $sth = $self->dbh->prepare(
|
||||||
"UPDATE $table SET $passwordCol=$passwordsql WHERE $userCol=?");
|
"UPDATE $table SET $passwordCol=$passwordsql WHERE $userCol=?");
|
||||||
$sth->execute( $pwd, $req->user ) if $passwordsql =~ /.*\?.*/;
|
$sth->execute( $pwd, $req->user ) if $passwordsql =~ /.*\?.*/;
|
||||||
$sth->execute( $req->user ) unless $passwordsql =~ /.*\?.*/;
|
$sth->execute( $req->user ) unless $passwordsql =~ /.*\?.*/;
|
||||||
};
|
};
|
||||||
if ($@) {
|
if ($@) {
|
||||||
|
|
||||||
|
|
|
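Review bot: `dynamic_hash_new_password` is called here with six arguments (`$self->dbh, $req->user, $pwd, $table, $userCol, $passwordCol`), but its documented signature (`ref dbh, string user, string password`) and the `shift` sequence shown in the `-301` hunk take only three, so the last three are silently dropped. Either shorten the call to `$self->dynamic_hash_new_password( $self->dbh, $req->user, $pwd );` or, if the extra arguments are meant for later use, say so in the callee's header comment. The first line of `sub dynamic_hash_new_password` lies outside the visible hunks, so this is inferred from the documented signature and the shifts that are shown.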
@ -10,12 +10,12 @@ extends 'Lemonldap::NG::Portal::Password::Base';
|
||||||
|
|
||||||
our $VERSION = '2.0.0';
|
our $VERSION = '2.0.0';
|
||||||
|
|
||||||
sub init {1}
|
sub init { 1 }
|
||||||
|
|
||||||
sub confirm {1}
|
sub confirm { 1 }
|
||||||
|
|
||||||
sub modifyPassword {
|
sub modifyPassword {
|
||||||
PE_PASSWORD_OK
|
PE_PASSWORD_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
|
@ -7,7 +7,7 @@ BEGIN {
|
||||||
}
|
}
|
||||||
|
|
||||||
my $maintests = 8;
|
my $maintests = 8;
|
||||||
my $debug = 'error';
|
my $debug = 'error';
|
||||||
|
|
||||||
SKIP: {
|
SKIP: {
|
||||||
eval "require GSSAPI";
|
eval "require GSSAPI";
|
||||||
|
|
|
@ -86,9 +86,9 @@ expectAuthenticatedAs( $res, 'french' );
|
||||||
ok( $res = $sp->_get("/sessions/global/$spId"), 'Get UTF-8' );
|
ok( $res = $sp->_get("/sessions/global/$spId"), 'Get UTF-8' );
|
||||||
expectOK($res);
|
expectOK($res);
|
||||||
ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
|
ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
|
||||||
or print STDERR $@;
|
or print STDERR $@;
|
||||||
ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
|
ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
|
||||||
or explain( $res, 'cn => Frédéric Accents' );
|
or explain( $res, 'cn => Frédéric Accents' );
|
||||||
count(3);
|
count(3);
|
||||||
|
|
||||||
# Logout initiated by SP
|
# Logout initiated by SP
|
||||||
|
@ -212,16 +212,16 @@ sub issuer {
|
||||||
return LLNG::Manager::Test->new(
|
return LLNG::Manager::Test->new(
|
||||||
{
|
{
|
||||||
ini => {
|
ini => {
|
||||||
logLevel => $debug,
|
logLevel => $debug,
|
||||||
templatesDir => 'site/htdocs/static',
|
templatesDir => 'site/htdocs/static',
|
||||||
domain => 'idp.com',
|
domain => 'idp.com',
|
||||||
portal => 'http://auth.idp.com',
|
portal => 'http://auth.idp.com',
|
||||||
authentication => 'Demo',
|
authentication => 'Demo',
|
||||||
userDB => 'Same',
|
userDB => 'Same',
|
||||||
issuerDBCASActivation => 1,
|
issuerDBCASActivation => 1,
|
||||||
casAttr => 'uid',
|
casAttr => 'uid',
|
||||||
casAccessControlPolicy => 'error',
|
casAccessControlPolicy => 'error',
|
||||||
multiValuesSeparator => ';',
|
multiValuesSeparator => ';',
|
||||||
casAppMetaDataExportedVars => {
|
casAppMetaDataExportedVars => {
|
||||||
sp => {
|
sp => {
|
||||||
cn => 'cn',
|
cn => 'cn',
|
||||||
|
|
|
@ -245,14 +245,14 @@ sub sp {
|
||||||
return LLNG::Manager::Test->new(
|
return LLNG::Manager::Test->new(
|
||||||
{
|
{
|
||||||
ini => {
|
ini => {
|
||||||
logLevel => $debug,
|
logLevel => $debug,
|
||||||
domain => 'sp.com',
|
domain => 'sp.com',
|
||||||
portal => 'http://auth.sp.com',
|
portal => 'http://auth.sp.com',
|
||||||
authentication => 'CAS',
|
authentication => 'CAS',
|
||||||
userDB => 'CAS',
|
userDB => 'CAS',
|
||||||
restSessionServer => 1,
|
restSessionServer => 1,
|
||||||
issuerDBCASActivation => 0,
|
issuerDBCASActivation => 0,
|
||||||
multiValuesSeparator => ';',
|
multiValuesSeparator => ';',
|
||||||
casSrvMetaDataExportedVars => {
|
casSrvMetaDataExportedVars => {
|
||||||
idp => {
|
idp => {
|
||||||
cn => 'cn',
|
cn => 'cn',
|
||||||
|
|
|
@ -67,6 +67,7 @@ ok( $res->{_session_id} eq $spId, ' Good ID' )
|
||||||
or explain( $res, "_session_id => $spId" );
|
or explain( $res, "_session_id => $spId" );
|
||||||
ok( $res->{uid} eq 'french', ' Uid is french' )
|
ok( $res->{uid} eq 'french', ' Uid is french' )
|
||||||
or explain( $res, 'uid => french' );
|
or explain( $res, 'uid => french' );
|
||||||
|
|
||||||
#ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
|
#ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
|
||||||
# or explain( $res->{cn}, 'Frédéric Accents' );
|
# or explain( $res->{cn}, 'Frédéric Accents' );
|
||||||
count(4);
|
count(4);
|
||||||
|
|