Add manager option for dynamic scopes (#2424)

2021-01-14 08:55:10 +01:00 · 2021-01-14 08:55:10 +01:00 · 88cc6004a4
commit 88cc6004a4
parent 1119af91d4
20 changed files with 57 additions and 15 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm
@ -418,7 +418,7 @@ sub _oidcMetaDataNodes {
    }
    # Return all exported attributes if asked
    elsif ( $query =~
-/^(?:oidc${type}MetaDataExportedVars|oidcRPMetaDataOptionsExtraClaims|oidcRPMetaDataMacros)$/
+/^(?:oidc${type}MetaDataExportedVars|oidcRPMetaDataOptionsExtraClaims|oidcRPMetaDataMacros|oidcRPMetaDataScopeRules)$/
      )
    {
        my $pk = eval { $self->getConfKey( $req, $query )->{$partner} } // {};
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
@ -27,7 +27,7 @@ our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaData
 our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:(?:UserAttribut|Servic|Rul)e|AuthnLevel)|(?:ExportedVar|Macro)s)';
 our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
 our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
-our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|uth(?:orizationCodeExpiration|nLevel)|ccessTokenExpiration|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|(?:ExportedVar|Macro)s)';
+our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|uth(?:orizationCodeExpiration|nLevel)|ccessTokenExpiration|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|(?:ExportedVar|ScopeRule|Macro)s)';
 our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
 our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:S(?:ign(?:S[LS]OMessage|atureMethod)|essionNotOnOrAfterTimeout)|N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
 our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -2384,6 +2384,17 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
        'oidcRPMetaDataOptionsUserIDAttr' => {
            'type' => 'text'
        },
+        'oidcRPMetaDataScopeRules' => {
+            'default' => {},
+            'test'    => {
+                'keyMsgFail' => '__badMacroName__',
+                'keyTest'    => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
+                'test'       => sub {
+                    return perlExpr(@_);
+                }
+            },
+            'type' => 'keyTextContainer'
+        },
        'oidcRPStateTimeout' => {
            'default' => 600,
            'type'    => 'int'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -4286,6 +4286,17 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
            default       => {},
            documentation => 'Macros',
        },
+        oidcRPMetaDataScopeRules => {
+            type => 'keyTextContainer',
+            help => 'idpopenidconnect.html#scope-rules',
+            test => {
+                keyTest    => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
+                keyMsgFail => '__badMacroName__',
+                test       => sub { return perlExpr(@_) },
+            },
+            default       => {},
+            documentation => 'Scope rules',
+        },
    };
 }

--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
@ -252,6 +252,7 @@ sub cTrees {
                ]
            },
            'oidcRPMetaDataMacros',
+            'oidcRPMetaDataScopeRules',
            {
                title => 'oidcRPMetaDataOptionsDisplay',
                form  => 'simpleInputContainer',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm
@ -439,7 +439,7 @@ sub _scanNodes {
                    }
                }
                elsif (
-                    $target =~ /^oidc(?:O|R)PMetaData(?:ExportedVars|Macros)$/ )
+                    $target =~ /^oidc(?:O|R)PMetaData(?:ExportedVars|Macros|ScopeRules)$/ )
                {
                    hdebug("  $target");
                    if ( $leaf->{cnodes} ) {
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
@ -657,6 +657,14 @@ function templates(tpl,key) {
      "title" : "oidcRPMetaDataMacros",
      "type" : "keyTextContainer"
   },
+   {
+      "cnodes" : tpl+"s/"+key+"/"+"oidcRPMetaDataScopeRules",
+      "default" : [],
+      "help" : "idpopenidconnect.html#scope-rules",
+      "id" : tpl+"s/"+key+"/"+"oidcRPMetaDataScopeRules",
+      "title" : "oidcRPMetaDataScopeRules",
+      "type" : "keyTextContainer"
+   },
   {
      "_nodes" : [
         {
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js.map
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js.map
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"مستوى إثبات الهوية",
 "oidcRPMetaDataOptionsRule":"قاعدة الدخول",
 "oidcRPMetaDataMacros":"ماكرو",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"نطاق",
 "oidcOPMetaDataOptionsStoreIDToken":"مخزن تعريف التوكن",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"توكن نقطة النهاية لطريقة إثبات الهوية",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
 "samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}
--- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
 "oidcRPMetaDataOptionsRule":"Access rule",
 "oidcRPMetaDataMacros":"Macros",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"Scope",
 "oidcOPMetaDataOptionsStoreIDToken":"Store ID Token",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Token endpoint authentication method",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
 "oidcRPMetaDataOptionsRule":"Access rule",
 "oidcRPMetaDataMacros":"Macros",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"Scope",
 "oidcOPMetaDataOptionsStoreIDToken":"Store ID Token",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Token endpoint authentication method",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/es.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/es.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
 "oidcRPMetaDataOptionsRule":"Regla de acceso",
 "oidcRPMetaDataMacros":"Macros",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"Ámbito",
 "oidcOPMetaDataOptionsStoreIDToken":"Guardar token ID",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Token endpoint authentication method",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -631,7 +631,8 @@
 "oidcRPMetaDataOptionsAuthnLevel":"Niveau d'authentification",
 "oidcRPMetaDataOptionsRule":"Règle d'accès",
 "oidcRPMetaDataMacros":"Macros",
-"oidcOPMetaDataOptionsScope":"Étendue",
+"oidcRPMetaDataScopeRules":"Règles de scope",
+"oidcOPMetaDataOptionsScope":"Scope",
 "oidcOPMetaDataOptionsStoreIDToken":"Conserver le jeton d'identité",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Méthode d'authentification pour l'accès aux jetons",
 "oidcOPName":"Nom du fournisseur OpenID Connect",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"Livello di autenticazione",
 "oidcRPMetaDataOptionsRule":"Regola di accesso",
 "oidcRPMetaDataMacros":"Macro",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"Scopo",
 "oidcOPMetaDataOptionsStoreIDToken":"Immagazzina ID Token",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Metodo di autenticazione degli endpoint di token",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"Timeout di sessione di RelayState",
 "samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
 "samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
-}
+}
--- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
 "oidcRPMetaDataOptionsRule":"Reguła dostępu",
 "oidcRPMetaDataMacros":"Makra",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"Zakres",
 "oidcOPMetaDataOptionsStoreIDToken":"Przechowuj token identyfikacyjny",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Metoda uwierzytelniania tokena punktu końcowego",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"Limit czasu sesji RelayState",
 "samlUseQueryStringSpecific":"Użyj określonej metody query_string",
 "samlOverrideIDPEntityID":"Zastąp identyfikator jednostki podczas działania jako IDP"
-}
+}
--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"Doğrulama seviyesi",
 "oidcRPMetaDataOptionsRule":"Erişim kuralı",
 "oidcRPMetaDataMacros":"Makrolar",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"Kapsam",
 "oidcOPMetaDataOptionsStoreIDToken":"ID Jetonu Sakla",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Jeton uç noktası doğrulama metodu",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"RelayState oturum zaman aşımı",
 "samlUseQueryStringSpecific":"Spesifik query_string metodu kullan",
 "samlOverrideIDPEntityID":"IDP olarak davrandığında Varlık ID'yi geçersiz kıl"
-}
+}
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"Mức xác thực",
 "oidcRPMetaDataOptionsRule":"Quy tắc truy cập",
 "oidcRPMetaDataMacros":"Macros",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"Phạm vi",
 "oidcOPMetaDataOptionsStoreIDToken":"Mã thông báo Cửa hàng",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Phương pháp xác thực thiết bị đầu cuối Token",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
 "samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"认证级别",
 "oidcRPMetaDataOptionsRule":"Access rule",
 "oidcRPMetaDataMacros":"Macros",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"Scope",
 "oidcOPMetaDataOptionsStoreIDToken":"Store ID Token",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"Token endpoint authentication method",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
@ -630,6 +630,7 @@
 "oidcRPMetaDataOptionsAuthnLevel":"驗證等級",
 "oidcRPMetaDataOptionsRule":"存取規則",
 "oidcRPMetaDataMacros":"巨集",
+"oidcRPMetaDataScopeRules":"Scope rules",
 "oidcOPMetaDataOptionsScope":"範圍",
 "oidcOPMetaDataOptionsStoreIDToken":"儲存 ID 權杖",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod":"權杖端點驗證方法",
@ -1194,4 +1195,4 @@
 "samlRelayStateTimeout":"RelayState 工作階段逾時",
 "samlUseQueryStringSpecific":"使用特定的 query_string 方法",
 "samlOverrideIDPEntityID":"充當 IDP 覆寫實體 ID"
-}
+}