From c222fb4009b14039b79b202cb7d6e74a8af64fd1 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Wed, 26 Jun 2019 07:50:31 +0200 Subject: [PATCH 01/14] Update tr --- lemonldap-ng-manager/site/htdocs/static/languages/zh.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json index 1248ea465..d451ab8b5 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json @@ -730,7 +730,7 @@ "sfaTitle":"Second Factors Authentication", "sfRequired":"Require 2FA", "sfRemovedNotification":"Display a message if an expired SF is removed", -"sfRemovedMsgRule":"Activation", +"sfRemovedMsgRule":"激活", "sfRemovedUseNotif":"Use Notifications plugin", "sfRemovedNotifMsg":"Notification message", "sfRemovedNotifRef":"Notification reference", From 45a0b68c3bcdb07062ba1dd63c5b7f945fc40dc7 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Wed, 26 Jun 2019 11:32:10 +0200 Subject: [PATCH 02/14] Disable external entities in XML parsers (Fixes: #1818) --- .../lib/Lemonldap/NG/Common/Notifications/XML.pm | 2 +- .../lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/XML.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/XML.pm index 5dadca8c8..144a3f702 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/XML.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/XML.pm @@ -10,7 +10,7 @@ our $VERSION = '2.0.0'; has parser => ( is => 'rw', builder => sub { - return XML::LibXML->new(); + return XML::LibXML->new( load_ext_dtd => 0, expand_entities => 0 ); } ); 
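Review bot: The new constructor options stop external DTD loading and entity expansion, but `XML::LibXML->new` also has a `no_network` option that is independent of those two; adding `no_network => 1` to `XML::LibXML->new( load_ext_dtd => 0, expand_entities => 0 )` makes the intent explicit whatever the installed default is and closes the remaining path by which a parsed notification could trigger a remote fetch. The same constructor change is repeated in lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm in the next hunk and should receive the same option. A one-line comment such as `# Notification XML is untrusted: keep external DTDs, entity expansion and network access off` would record why the defaults are overridden, since a later `set_options` call or a per-parse option can silently re-enable them. The portal module also applies a stylesheet to the parsed document (visible in the following commit); if that goes through XML::LibXSLT, its document() function is a separate fetch path controlled by XML::LibXSLT::Security callbacks rather than by these parser options, so it is worth confirming that side too.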
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm index 1f5f355b7..9993dee0f 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm @@ -17,7 +17,7 @@ extends 'Lemonldap::NG::Portal::Main::Plugin'; has parser => ( is => 'rw', builder => sub { - return XML::LibXML->new(); + return XML::LibXML->new( load_ext_dtd => 0, expand_entities => 0 ); } ); From e15a41bc66648fafaebbee9f9137ebfd8b248614 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Wed, 26 Jun 2019 11:59:13 +0200 Subject: [PATCH 03/14] Fix typo: s/templatesDir/templateDir/g (#1819) --- .../lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm | 2 +- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm index 9993dee0f..b20215bac 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm @@ -32,7 +32,7 @@ has stylesheet => ( ( $self->conf->{notificationXSLTfile} and -e $self->conf->{notificationXSLTfile} ) ? $self->conf->{notificationXSLTfile} - : $self->conf->{templatesDir} . '/common/notification.xsl'; + : $self->conf->{templateDir} . '/common/notification.xsl'; unless ( -e $styleFile ) { $self->{logger}->error("$styleFile not found, aborting"); die "$styleFile not found"; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm index 4c8a4e87f..9a0c2ab77 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm 
@@ -36,7 +36,7 @@ sub displayInit { sub display { my ( $self, $req ) = @_; - my $skin_dir = $self->conf->{templatesDir}; + my $skin_dir = $self->conf->{templateDir}; my ( $skinfile, %templateParams ); # 1. Authentication not complete @@ -438,9 +438,9 @@ sub staticFile { require Plack::Util; require Cwd; require HTTP::Date; - open my $fh, '<:raw', $self->conf->{templatesDir} . "/$file" + open my $fh, '<:raw', $self->conf->{templateDir} . "/$file" or return $self->sendError( $req, - $self->conf->{templatesDir} . "/$file: $!", 403 ); + $self->conf->{templateDir} . "/$file: $!", 403 ); my @stat = stat $file; Plack::Util::set_io_path( $fh, Cwd::realpath($file) ); return [ From a42c5f9f71fe595dbc17d36a83358fb7783678f3 Mon Sep 17 00:00:00 2001 
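Review bot: In the `staticFile` hunk the failure branch now returns `$self->conf->{templateDir} . "/$file: $!"` as the 403 body, which discloses the server-side template directory and the OS error text to the client; keep that detail in the logger and send a fixed message such as `$self->sendError( $req, "$file not found", 403 )`. The lines right after the `open` call `stat $file` and `Cwd::realpath($file)` with the bare `$file` rather than the `templateDir`-prefixed path that was just opened, so the two can refer to different files unless the process cwd happens to be the template directory — untouched by the rename but worth fixing while here. `$file` is joined to the directory before `open`; the start of `staticFile` is outside the hunk, so confirm that a check rejecting `..` segments precedes this point when `$file` comes from the request path. The `display` hunk above is the same key rename and needs nothing further.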
From: Xavier Guimard Date: Wed, 26 Jun 2019 13:17:26 +0200 Subject: [PATCH 04/14] Clean tests (#1819) --- ...0-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t | 1 - .../t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t | 1 - .../t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-20.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-XSS-on-logout.t | 1 - .../t/31-Auth-and-issuer-CAS-declared-app-userattr.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-apps.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-default.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-gateway.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-proxied.t | 1 - .../t/31-Auth-and-issuer-CAS-with-choice-and-cancel.t | 1 - lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice.t | 1 - lemonldap-ng-portal/t/32-CAS-10.t | 1 - lemonldap-ng-portal/t/33-Auth-and-issuer-OpenID2.t | 1 - lemonldap-ng-portal/t/34-Auth-Proxy-and-REST-Server.t | 1 - lemonldap-ng-portal/t/34-Auth-Proxy-and-SOAP-Server.t | 1 - lemonldap-ng-portal/t/35-REST-config-backend.t | 1 - lemonldap-ng-portal/t/35-REST-export-password.t | 1 - lemonldap-ng-portal/t/35-REST-sessions-with-AuthBasic-handler.t | 1 - lemonldap-ng-portal/t/35-REST-sessions-with-REST-server.t | 1 - lemonldap-ng-portal/t/35-SOAP-config-backend.t | 1 - lemonldap-ng-portal/t/35-SOAP-sessions-with-SOAP-server.t | 1 - .../t/37-SAML-SP-POST-to-CAS-server-with-Choice.t | 1 - lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t | 1 - lemonldap-ng-portal/t/40-Notifications-JSON-DBI.t | 1 - lemonldap-ng-portal/t/40-Notifications-JSON-File-with-token.t | 1 - lemonldap-ng-portal/t/40-Notifications-JSON-File.t | 1 - lemonldap-ng-portal/t/40-Notifications-JSON-Server.t | 1 - lemonldap-ng-portal/t/40-Notifications-XML-DBI.t | 1 - 
lemonldap-ng-portal/t/40-Notifications-XML-File.t | 1 - lemonldap-ng-portal/t/40-Notifications-XML-Server.t | 1 - lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-JSON.t | 1 - lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-XML.t | 1 - 35 files changed, 35 deletions(-) diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t index 38c13ffe8..61994c811 100644 --- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t +++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t @@ -173,7 +173,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t index 31474c0fb..ac2b14dd8 100644 --- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t +++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t @@ -204,7 +204,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t index 7680c125b..fd34edede 100644 --- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t +++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t @@ -186,7 +186,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', 
diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-20.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-20.t index 1ec7e531f..d88bf2ecd 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-20.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-20.t @@ -190,7 +190,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t index acad9cb1f..d647cf252 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t @@ -185,7 +185,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-XSS-on-logout.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-XSS-on-logout.t index 25a530365..1d3106695 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-XSS-on-logout.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-XSS-on-logout.t @@ -204,7 +204,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app-userattr.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app-userattr.t index 62e10bc8b..3926787dc 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app-userattr.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app-userattr.t 
@@ -258,7 +258,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app.t index 65d556110..fec6ba40d 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app.t @@ -258,7 +258,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-apps.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-apps.t index bc3ed7d44..94826cfe9 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-apps.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-apps.t @@ -110,7 +110,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-default.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-default.t index 286cda5a8..f9742e032 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-default.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-default.t @@ -229,7 +229,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-gateway.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-gateway.t index 9f05944c5..77023dd06 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-gateway.t 
+++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-gateway.t @@ -118,7 +118,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-proxied.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-proxied.t index cdf63f76e..cbd6a2656 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-proxied.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-proxied.t @@ -221,7 +221,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice-and-cancel.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice-and-cancel.t index 09c5e7737..2ab95ecfa 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice-and-cancel.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice-and-cancel.t @@ -159,7 +159,6 @@ sub issuer { skipRenewConfirmation => 1, logLevel => $debug, - #templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice.t index 3e0e37d2c..92a238a4a 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice.t @@ -313,7 +313,6 @@ sub issuer { ini => { skipRenewConfirmation => 1, logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Choice', diff --git a/lemonldap-ng-portal/t/32-CAS-10.t b/lemonldap-ng-portal/t/32-CAS-10.t index 18bf6751c..f94e8594a 100644 --- a/lemonldap-ng-portal/t/32-CAS-10.t 
+++ b/lemonldap-ng-portal/t/32-CAS-10.t @@ -93,7 +93,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/33-Auth-and-issuer-OpenID2.t b/lemonldap-ng-portal/t/33-Auth-and-issuer-OpenID2.t index d85cc0598..7cb9c7493 100644 --- a/lemonldap-ng-portal/t/33-Auth-and-issuer-OpenID2.t +++ b/lemonldap-ng-portal/t/33-Auth-and-issuer-OpenID2.t @@ -193,7 +193,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/34-Auth-Proxy-and-REST-Server.t b/lemonldap-ng-portal/t/34-Auth-Proxy-and-REST-Server.t index 6ab334d22..f47e1e017 100644 --- a/lemonldap-ng-portal/t/34-Auth-Proxy-and-REST-Server.t +++ b/lemonldap-ng-portal/t/34-Auth-Proxy-and-REST-Server.t @@ -308,7 +308,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/34-Auth-Proxy-and-SOAP-Server.t b/lemonldap-ng-portal/t/34-Auth-Proxy-and-SOAP-Server.t index f64923e1f..b9ad56d33 100644 --- a/lemonldap-ng-portal/t/34-Auth-Proxy-and-SOAP-Server.t +++ b/lemonldap-ng-portal/t/34-Auth-Proxy-and-SOAP-Server.t @@ -145,7 +145,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/35-REST-config-backend.t b/lemonldap-ng-portal/t/35-REST-config-backend.t index 45b911674..142779bb9 100644 --- a/lemonldap-ng-portal/t/35-REST-config-backend.t +++ b/lemonldap-ng-portal/t/35-REST-config-backend.t 
@@ -168,7 +168,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/35-REST-export-password.t b/lemonldap-ng-portal/t/35-REST-export-password.t index 110700341..60c1352f5 100644 --- a/lemonldap-ng-portal/t/35-REST-export-password.t +++ b/lemonldap-ng-portal/t/35-REST-export-password.t @@ -127,7 +127,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/35-REST-sessions-with-AuthBasic-handler.t b/lemonldap-ng-portal/t/35-REST-sessions-with-AuthBasic-handler.t index fb366369a..b5c32bd3b 100644 --- a/lemonldap-ng-portal/t/35-REST-sessions-with-AuthBasic-handler.t +++ b/lemonldap-ng-portal/t/35-REST-sessions-with-AuthBasic-handler.t @@ -97,7 +97,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/35-REST-sessions-with-REST-server.t b/lemonldap-ng-portal/t/35-REST-sessions-with-REST-server.t index a50f98295..62aeb379c 100644 --- a/lemonldap-ng-portal/t/35-REST-sessions-with-REST-server.t +++ b/lemonldap-ng-portal/t/35-REST-sessions-with-REST-server.t @@ -163,7 +163,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/35-SOAP-config-backend.t b/lemonldap-ng-portal/t/35-SOAP-config-backend.t index 7c559e4e4..d3a0ff644 100644 --- a/lemonldap-ng-portal/t/35-SOAP-config-backend.t +++ b/lemonldap-ng-portal/t/35-SOAP-config-backend.t 
@@ -137,7 +137,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/35-SOAP-sessions-with-SOAP-server.t b/lemonldap-ng-portal/t/35-SOAP-sessions-with-SOAP-server.t index 81879c140..e0047941e 100644 --- a/lemonldap-ng-portal/t/35-SOAP-sessions-with-SOAP-server.t +++ b/lemonldap-ng-portal/t/35-SOAP-sessions-with-SOAP-server.t @@ -128,7 +128,6 @@ sub issuer { return LLNG::Manager::Test->new( { ini => { logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t index 7f9cd5ade..d3fc94c52 100644 --- a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t +++ b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t @@ -228,7 +228,6 @@ sub issuer { ini => { skipRenewConfirmation => 1, logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t index 1f348698a..7167f8427 100644 --- a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t +++ b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t @@ -213,7 +213,6 @@ sub issuer { ini => { skipRenewConfirmation => 1, logLevel => $debug, - templatesDir => 'site/htdocs/static', domain => 'idp.com', portal => 'http://auth.idp.com', authentication => 'Demo', diff --git a/lemonldap-ng-portal/t/40-Notifications-JSON-DBI.t b/lemonldap-ng-portal/t/40-Notifications-JSON-DBI.t index a24702021..5dc2e1ed8 100644 --- a/lemonldap-ng-portal/t/40-Notifications-JSON-DBI.t 
+++ b/lemonldap-ng-portal/t/40-Notifications-JSON-DBI.t @@ -39,7 +39,6 @@ q{INSERT INTO notifications VALUES ('dwho','testref','2016-05-30 00:00:00',?,nul logLevel => 'error', useSafeJail => 1, notification => 1, - templatesDir => 'site/templates/', notificationStorage => 'DBI', notificationStorageOptions => { dbiChain => "dbi:SQLite:dbname=$file", diff --git a/lemonldap-ng-portal/t/40-Notifications-JSON-File-with-token.t b/lemonldap-ng-portal/t/40-Notifications-JSON-File-with-token.t index 3d7352b7a..1898c1057 100644 --- a/lemonldap-ng-portal/t/40-Notifications-JSON-File-with-token.t +++ b/lemonldap-ng-portal/t/40-Notifications-JSON-File-with-token.t @@ -26,7 +26,6 @@ my $client = LLNG::Manager::Test->new( { logLevel => 'error', useSafeJail => 1, notification => 1, - templatesDir => 'site/templates/', notificationStorage => 'File', notificationStorageOptions => { dirName => 't' diff --git a/lemonldap-ng-portal/t/40-Notifications-JSON-File.t b/lemonldap-ng-portal/t/40-Notifications-JSON-File.t index 386d1126a..f3b3eb21d 100644 --- a/lemonldap-ng-portal/t/40-Notifications-JSON-File.t +++ b/lemonldap-ng-portal/t/40-Notifications-JSON-File.t @@ -26,7 +26,6 @@ my $client = LLNG::Manager::Test->new( { logLevel => 'error', useSafeJail => 1, notification => 1, - templatesDir => 'site/templates/', notificationStorage => 'File', notificationStorageOptions => { dirName => 't' }, oldNotifFormat => 0, diff --git a/lemonldap-ng-portal/t/40-Notifications-JSON-Server.t b/lemonldap-ng-portal/t/40-Notifications-JSON-Server.t index 738ce5a33..b47995dae 100644 --- a/lemonldap-ng-portal/t/40-Notifications-JSON-Server.t +++ b/lemonldap-ng-portal/t/40-Notifications-JSON-Server.t @@ -22,7 +22,6 @@ my $client = LLNG::Manager::Test->new( { useSafeJail => 1, notification => 1, notificationServer => 1, - templatesDir => 'site/templates/', notificationStorage => 'File', notificationStorageOptions => { dirName => 't' 
diff --git a/lemonldap-ng-portal/t/40-Notifications-XML-DBI.t b/lemonldap-ng-portal/t/40-Notifications-XML-DBI.t index 047f10512..8e7761256 100644 --- a/lemonldap-ng-portal/t/40-Notifications-XML-DBI.t +++ b/lemonldap-ng-portal/t/40-Notifications-XML-DBI.t @@ -38,7 +38,6 @@ qq{INSERT INTO notifications VALUES ('dwho','testref','2016-05-30 00:00:00',' 'error', useSafeJail => 1, notification => 1, - templatesDir => 'site/templates/', notificationStorage => 'DBI', notificationStorageOptions => { dbiChain => "dbi:SQLite:dbname=$file", diff --git a/lemonldap-ng-portal/t/40-Notifications-XML-File.t b/lemonldap-ng-portal/t/40-Notifications-XML-File.t index e11d70ba1..aedf1f115 100644 --- a/lemonldap-ng-portal/t/40-Notifications-XML-File.t +++ b/lemonldap-ng-portal/t/40-Notifications-XML-File.t @@ -30,7 +30,6 @@ SKIP: { logLevel => 'error', useSafeJail => 1, notification => 1, - templatesDir => 'site/templates/', notificationStorage => 'File', notificationStorageOptions => { dirName => 't' }, oldNotifFormat => 1, diff --git a/lemonldap-ng-portal/t/40-Notifications-XML-Server.t b/lemonldap-ng-portal/t/40-Notifications-XML-Server.t index 510585f38..be4319acf 100644 --- a/lemonldap-ng-portal/t/40-Notifications-XML-Server.t +++ b/lemonldap-ng-portal/t/40-Notifications-XML-Server.t @@ -64,7 +64,6 @@ SKIP: { useSafeJail => 1, notification => 1, notificationServer => 1, - templatesDir => 'site/templates/', notificationStorage => 'File', notificationStorageOptions => { dirName => 't' diff --git a/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-JSON.t b/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-JSON.t index 54177d7ca..32bd65509 100644 --- a/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-JSON.t +++ b/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-JSON.t 
@@ -23,7 +23,6 @@ SKIP: { sfRemovedUseNotif => 1, portalMainLogo => 'common/logos/logo_llng_old.png', notification => 1, - templatesDir => 'site/templates/', notificationStorage => 'File', notificationStorageOptions => { dirName => 't' }, oldNotifFormat => 0, diff --git a/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-XML.t b/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-XML.t index 7fd370ca0..3b8f9176a 100644 --- a/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-XML.t +++ b/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-XML.t @@ -23,7 +23,6 @@ SKIP: { sfRemovedUseNotif => 1, portalMainLogo => 'common/logos/logo_llng_old.png', notification => 1, - templatesDir => 'site/templates/', notificationStorage => 'File', notificationStorageOptions => { dirName => 't' }, oldNotifFormat => 1, From 3582cfb12b0bc57abb59bbc7d0ef2171ba8e3645 Mon Sep 17 00:00:00 2001 From: Xavier Date: Wed, 26 Jun 2019 21:47:01 +0200 Subject: [PATCH 05/14] Don't keep pdata on upgrade (Fixes: #1821) --- .../lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm index 2de63b84e..91ad9416f 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm @@ -58,7 +58,9 @@ sub ask { sub confirm { my ( $self, $req ) = @_; - $req->pdata->{keepPdata} = 1; + + # Disabled due to #1821 + #$req->pdata->{keepPdata} = 1; my $upg; if ( my $t = $req->param('upgrading') ) { if ( $self->ott->getToken($t) ) { From 98650cd9f0bc4f854afd529eb9d8bc50df6e94b3 Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Wed, 26 Jun 2019 22:13:12 +0200 Subject: [PATCH 06/14] Add unit test for #1821 --- lemonldap-ng-portal/t/62-UpgradeSession.t | 126 ++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 lemonldap-ng-portal/t/62-UpgradeSession.t 
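Review bot: Leaving `#$req->pdata->{keepPdata} = 1;` as commented-out code with only an issue number tells the next reader nothing about why keeping pdata across the upgrade was wrong, and a later cleanup could uncomment it; delete the line and state the decision instead, e.g. `# pdata is deliberately not preserved across a session upgrade (#1821)`, with one sentence on what went wrong when it was kept. The regression test added in the next commit (t/62-UpgradeSession.t) is the right guard for that behaviour, not a dormant statement. `confirm` continues past the end of the hunk.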
diff --git a/lemonldap-ng-portal/t/62-UpgradeSession.t b/lemonldap-ng-portal/t/62-UpgradeSession.t new file mode 100644 index 000000000..456c62721 --- /dev/null +++ b/lemonldap-ng-portal/t/62-UpgradeSession.t 
@@ -0,0 +1,126 @@ +use Test::More; +use strict; +use IO::String; +use Data::Dumper; + +require 't/test-lib.pm'; +require 't/smtp.pm'; + +use_ok('Lemonldap::NG::Common::FormEncode'); +count(1); + +my $client = LLNG::Manager::Test->new( { + ini => { + logLevel => 'error', + upgradeSession => 1, + authentication => 'Choice', + apacheAuthnLevel => 5, + userDB => 'Same', + 'authChoiceModules' => { + 'strong' => 'Apache;Demo;Null;;;{}', + 'weak' => 'Demo;Demo;Null;;;{}' + }, + 'vhostOptions' => { + 'test1.example.com' => { + 'vhostAuthnLevel' => 3 + }, + }, + } + } +); + +# Try to authenticate +# ------------------- +ok( + my $res = $client->_post( + '/', + IO::String->new('user=dwho&password=dwho&lmAuth=weak'), + length => 35, + accept => 'text/html', + ), + 'Auth query' +); +count(1); + +my $id = expectCookie($res); + +# After attempting to access test1, +# the handler sends up back to /upgradesession +# -------------------------------------------- + +ok( + my $res = $client->_get( + '/upgradesession', + query => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t', + accept => 'text/html', + cookie => "lemonldap=$id", + ), + 'Upgrade session query' +); +count(1); + +my ( $host, $url, $query ) = + expectForm( $res, undef, '/upgradesession', 'confirm', 'url' ); + +# Accept session upgrade +# ---------------------- + +ok( + my $res = $client->_post( + '/upgradesession', + IO::String->new($query), + length => length($query), + accept => 'text/html', + cookie => "lemonldap=$id", + ), + 'Accept session upgrade query' +); +count(1); + +my $pdata = expectCookie( $res, 'lemonldappdata' ); + +my ( $host, $url, $query ) = expectForm( $res, '#', undef, 'upgrading', 'url' ); + +$query = $query . 
"&lmAuth=strong"; + +# Attempt login with the "strong" auth choice +# this should trigger 2FA +# ------------------------------------------- + +ok( + my $res = $client->_post( + '/upgradesession', + IO::String->new($query), + length => length($query), + accept => 'text/html', + cookie => "lemonldap=$id;lemonldappdata=$pdata", + custom => { + REMOTE_USER => 'dwho', + }, + ), + 'Post login' +); +count(1); + +$pdata = expectCookie( $res, 'lemonldappdata' ); +$id = expectCookie($res); + +expectRedirection( $res, 'http://test1.example.com' ); + +# Make pdata was cleared and we aren't being redirected +ok( + my $res = $client->_get( + '/', + accept => 'text/html', + cookie => "lemonldap=$id;lemonldappdata=$pdata", + ), + 'Post login' +); +count(1); + +expectOK($res); + +clean_sessions(); + +done_testing( count() ); + From 5f9c4c231d207ea073da122cbbcd094ec4bc2bdf Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Wed, 26 Jun 2019 22:01:05 +0200 Subject: [PATCH 07/14] Add authenticated routes to 2FA for session upgrade (#1822) --- .../Lemonldap/NG/Portal/Main/SecondFactor.pm | 8 + lemonldap-ng-portal/t/78-2F-Upgrade.t | 159 ++++++++++++++++++ 2 files changed, 167 insertions(+) create mode 100644 lemonldap-ng-portal/t/78-2F-Upgrade.t diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm index 510d384b8..8fd6ec75c 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm @@ -37,6 +37,14 @@ sub init { my ($self) = @_; unless ( $self->noRoute ) { $self->logger->debug( 'Adding ' . $self->prefix . '2fcheck routes' ); + $self->addAuthRoute( + $self->prefix . '2fcheck' => '_verify', + ['POST'] + ); + $self->addAuthRoute( + $self->prefix . '2fcheck' => '_redirect', + ['GET'] + ); $self->addUnauthRoute( $self->prefix . '2fcheck' => '_verify', ['POST'] 
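Review bot: The test enables `use strict` but not `use warnings`, which is why the repeated `my $res = ...` declarations inside successive `ok(...)` calls and the second `my ( $host, $url, $query )` pass silently; add `use warnings;` and drop `my` from the later declarations so each redeclaration stops masking the earlier variable. The same pattern appears in t/78-2F-Upgrade.t in the next commit, where `my $pdata` is also declared twice. The last check's comment reads `# Make pdata was cleared and we aren't being redirected` and its description reuses 'Post login'; `# Make sure pdata was cleared and we aren't being redirected` with a description such as 'Portal reachable after upgrade' would make a failure readable. An explicit assertion on the `lemonldappdata` cookie value returned by the upgrade POST would pin #1821 more directly than relying on the final GET not redirecting, if the helper exposes that value. `use Data::Dumper;` is unused in this file.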
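Review bot: Registering `_verify` on an authenticated route means a request that already carries a valid session cookie can now reach the second-factor check, so `_verify` (outside this hunk) has to bind the posted token to the session being upgraded and must not let an authenticated session complete a 2FA step for a different identity or re-run a step it has already passed; nothing in the hunk shows either way, so confirm it and document the contract on the method. A comment on the new calls, e.g. `# Authenticated sessions reach 2fcheck during session upgrade (#1822)`, would explain why the same path is now exposed on both the auth and unauth side. The four `addAuthRoute`/`addUnauthRoute` calls differ only in registrar and verb; a small loop over a list of `[ method, handler, verb ]` triples dispatched with `$self->$method(...)` would keep them from drifting apart.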
diff --git a/lemonldap-ng-portal/t/78-2F-Upgrade.t b/lemonldap-ng-portal/t/78-2F-Upgrade.t new file mode 100644 index 000000000..c0ae41fc4 --- /dev/null +++ b/lemonldap-ng-portal/t/78-2F-Upgrade.t 
@@ -0,0 +1,159 @@ +use Test::More; +use strict; +use IO::String; +use Data::Dumper; + +require 't/test-lib.pm'; +require 't/smtp.pm'; + +use_ok('Lemonldap::NG::Common::FormEncode'); +count(1); + +my $client = LLNG::Manager::Test->new( { + ini => { + logLevel => 'error', + upgradeSession => 1, + mail2fActivation => '$_choice eq "strong"', + mail2fCodeRegex => '\d{4}', + mail2fAuthnLevel => 5, + authentication => 'Choice', + userDB => 'Same', + 'authChoiceModules' => { + 'strong' => 'Demo;Demo;Null;;;{}', + 'weak' => 'Demo;Demo;Null;;;{}' + }, + 'vhostOptions' => { + 'test1.example.com' => { + 'vhostAuthnLevel' => 3 + }, + }, + } + } +); + +# Try to authenticate +# ------------------- +ok( + my $res = $client->_post( + '/', + IO::String->new('user=dwho&password=dwho&lmAuth=weak'), + length => 35, + accept => 'text/html', + ), + 'Auth query' +); +count(1); + +my $id = expectCookie($res); + +# After attempting to access test1, +# the handler sends up back to /upgradesession +# -------------------------------------------- + +ok( + my $res = $client->_get( + '/upgradesession', + query => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t', + accept => 'text/html', + cookie => "lemonldap=$id", + ), + 'Upgrade session query' +); +count(1); + +my ( $host, $url, $query ) = + expectForm( $res, undef, '/upgradesession', 'confirm', 'url' ); + +# Accept session upgrade +# ---------------------- + +ok( + my $res = $client->_post( + '/upgradesession', + IO::String->new($query), + length => length($query), + accept => 'text/html', + cookie => "lemonldap=$id", + ), + 'Accept session upgrade query' +); +count(1); + +my $pdata = expectCookie( $res, 'lemonldappdata' ); + +my ( $host, $url, $query ) = expectForm( $res, '#', undef, 'upgrading', 'url' ); + +$query = $query . 
"&user=dwho&password=dwho&lmAuth=strong"; + +# Attempt login with the "strong" auth choice +# this should trigger 2FA +# ------------------------------------------- + +ok( + my $res = $client->_post( + '/upgradesession', + IO::String->new($query), + length => length($query), + accept => 'text/html', + cookie => "lemonldap=$id;lemonldappdata=$pdata", + ), + 'Post login' +); +count(1); + +my $pdata = expectCookie( $res, 'lemonldappdata' ); + +( $host, $url, $query ) = + expectForm( $res, undef, '/mail2fcheck', 'token', 'code' ); + +ok( + $res->[2]->[0] =~ +qr%%, + 'Found EXTCODE input' +) or print STDERR Dumper( $res->[2]->[0] ); +count(1); + +ok( mail() =~ m%(\d{4})%, 'Found 2F code in mail' ) + or print STDERR Dumper( mail() ); +count(1); + +my $code = $1; + +# Post 2F code +# ------------ + +$query =~ s/code=/code=${code}/; +ok( + $res = $client->_post( + '/mail2fcheck', + IO::String->new($query), + length => length($query), + accept => 'text/html', + cookie => "lemonldap=$id;lemonldappdata=$pdata", + ), + 'Post code' +); +count(1); + +$pdata = expectCookie( $res, 'lemonldappdata' ); +$id = expectCookie($res); + +expectRedirection( $res, 'http://test1.example.com' ); + +# Make pdata was cleared and we aren't being redirected +ok( + my $res = $client->_get( + '/', + accept => 'text/html', + cookie => "lemonldap=$id;lemonldappdata=$pdata", + ), + 'Post login' +); +count(1); + +expectOK($res); + +clean_sessions(); + +done_testing( count() ); + From 859d7fad79568614f1200e76e35a9898cffbe775 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Thu, 27 Jun 2019 10:49:59 +0200 Subject: [PATCH 08/14] Update fr.json --- lemonldap-ng-manager/site/htdocs/static/languages/fr.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json index 98ffd7238..dc8cfbc7b 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json 
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json @@ -298,7 +298,7 @@ "hideTree":"Masquer l'arbre", "httpOnly":"Protection contre javascript", "https":"HTTPS", -"impersonation":"Usurpation d'identité", +"impersonation":"Simulation d'identité", "impersonationRule":"Règle d'utilisation", "impersonationIdRule":"Règle d'utilisation des identités", "impersonationHiddenAttributes":"Attributs masqués", From e1f927a195e5cfd3e34fb9f8f283373b902c4cc5 Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Thu, 27 Jun 2019 12:36:18 +0200 Subject: [PATCH 09/14] Check service= parameter on CAS logout (#1795) service= redirect URL is not checked when logging out from CAS, to avoid insecure redirect attacks. The verification is only made if CAS access control is enabled. In order for this to work in common cases (applications redirects to an unprotected page after logout), we add CAS App domains to the list of globally trusted domains. If your application wants to redirect to a third-party domain, it needs to be added to LLNG's trustedDomains --- .../lib/Lemonldap/NG/Portal/Issuer/CAS.pm | 14 ++++++++++ .../lib/Lemonldap/NG/Portal/Main/Init.pm | 14 ++++++++++ .../t/31-Auth-and-issuer-CAS-Logout-30.t | 26 ++++++++++++++++--- 3 files changed, 51 insertions(+), 3 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm index 7b9ff1231..45af0ba2d 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm @@ -10,6 +10,7 @@ use Lemonldap::NG::Portal::Main::Constants qw( PE_ERROR PE_LOGOUT_OK PE_OK + PE_BADURL PE_SENDRESPONSE ); 
@@ -265,6 +266,19 @@ sub run { $logout_service = '' if ( $self->p->checkXSSAttack( 'service', $logout_service ) ); + # If we use access control, check that the service URL is trusted + if ( $self->conf->{casAccessControlPolicy} =~ /^(error|faketicket)$/i ) + { + if ( $logout_service + and not $self->p->isTrustedUrl($logout_service) ) + { + $self->userLogger->error( + "Untrusted service URL $logout_service" + . "specified for CAS Logout" ); + return PE_BADURL; + } + } + # Delete linked CAS sessions $self->deleteCasSecondarySessions($session_id); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm index dbfaf673d..7cada12cc 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm @@ -312,8 +312,22 @@ sub reloadConf { } } } + + # Add CAS Services, so we can check service= parameter on logout + foreach my $casSrv ( keys %{ $self->conf->{casAppMetaDataOptions} } ) { + if ( my $serviceUrl = + $self->conf->{casAppMetaDataOptions}->{$casSrv} + ->{casAppMetaDataOptionsService} ) + { + $serviceUrl =~ s#https?://([^/]*).*$#$1#; + $self->logger->debug( + "CAS Service $serviceUrl added in trusted domains"); + $re->add( quotemeta($serviceUrl) ); + } + } my $tmp = 'https?://' . $re->as_string . '(?::\d+)?(?:/|$)'; $self->trustedDomainsRe(qr/$tmp/); + } # Compile macros in _macros, groups in _groups diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t index d647cf252..3bece21d1 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t 
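Review bot: The log message built from `"Untrusted service URL $logout_service" . "specified for CAS Logout"` has no space between the URL and `specified`, so the two fragments run together in the log; the second literal should be `" specified for CAS Logout"`. The new check only runs when `casAccessControlPolicy` is `error` or `faketicket`; with policy `none` the `service=` target is still only filtered by `checkXSSAttack` and then followed, which the commit description presents as intended but the code comment should state, e.g. `# Only enforced when an access-control policy is set; with 'none' the service= URL is not validated`. If `casAccessControlPolicy` can be absent from the configuration, the `=~` on an undefined value also emits a warning under `use warnings`; `( $self->conf->{casAccessControlPolicy} || '' ) =~ ...` avoids it. The enclosing `run` method starts and ends outside this hunk.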
@@ -152,7 +152,7 @@ ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' ) or explain( $res, 'cn => Frédéric Accents' ); count(3); -# Logout initiated by CAS +# Logout initiated by CAS, try with invalid service URL first switch ('issuer'); ok( $res = $issuer->_get( @@ -164,7 +164,22 @@ ok( 'Query SP for logout' ); count(1); -expectRedirection( $res, 'http://url.test/' ); +ok( $res->[2]->[0] =~ m%%, ' PE37 found' ); +count(1); + +# Logout initiated by CAS, try with valid service URL +ok( + $res = $issuer->_get( + '/cas/logout', + query => 'service=http://auth.sp.com/', + cookie => "lemonldap=$idpId,llngcasserver=idp", + accept => 'text/html' + ), + 'Query SP for logout' +); +count(1); + +expectRedirection( $res, 'http://auth.sp.com/' ); # Verify that user has been disconnected ok( $res = $issuer->_get( '/', cookie => "lemonldap=$idpId" ), 'Query IdP' ); @@ -192,8 +207,13 @@ sub issuer { issuerDBCASActivation => 1, casAttr => 'uid', casAttributes => { cn => 'cn', uid => 'uid', }, - casAccessControlPolicy => 'none', + casAccessControlPolicy => 'error', multiValuesSeparator => ';', + casAppMetaDataOptions => { + sp => { + casAppMetaDataOptionsService => 'http://auth.sp.com', + }, + }, } } ); From 8f834f5bb8c8fcb7bd3fe83f284631b12516c2f5 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Thu, 27 Jun 2019 13:27:05 +0200 Subject: [PATCH 10/14] Append use directive (#1824) --- lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm | 1 + lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm | 1 + 2 files changed, 2 insertions(+) diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index aaa0e4da4..fd4a1efe0 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm 
@@ -2,6 +2,7 @@ package Lemonldap::NG::Manager::Attributes; our $VERSION = '2.0.5'; +use Lemonldap::NG::Handler::Main::Jail; sub perlExpr { my ( $val, $conf ) = @_; diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm index 427e157e0..80e01a12b 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm @@ -380,6 +380,7 @@ EOF package Lemonldap::NG::Manager::Attributes; our \$VERSION = '$Lemonldap::NG::Manager::Build::Attributes::VERSION'; +use Lemonldap::NG::Handler::Main::Jail; $managerSub From 264410409d39eb2e758befa6f01c67b5a975548b Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Thu, 27 Jun 2019 16:55:12 +0200 Subject: [PATCH 11/14] Move CAS service verification from main to Issuer::CAS (#1795) --- .../lib/Lemonldap/NG/Portal/Issuer/CAS.pm | 12 ++ .../lib/Lemonldap/NG/Portal/Main/Init.pm | 115 ++++++++---------- 2 files changed, 66 insertions(+), 61 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm index 45af0ba2d..b6ea7cfa8 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm @@ -56,6 +56,18 @@ sub init { }, ['GET'] ); + + # Add CAS Services, so we can check service= parameter on logout + foreach my $casSrv ( keys %{ $self->conf->{casAppMetaDataOptions} } ) { + if ( my $serviceUrl = + $self->conf->{casAppMetaDataOptions}->{$casSrv} + ->{casAppMetaDataOptionsService} ) + { + push @{ $self->p->{additionalTrustedDomains} }, $serviceUrl; + $self->logger->debug( + "CAS Service $serviceUrl added in trusted domains"); + } + } return $res; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm index 7cada12cc..2c5f65314 100644 
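Review bot: In the Issuer::CAS `init` hunk, `push @{ $self->p->{additionalTrustedDomains} }, $serviceUrl;` reaches into the portal object's hash although the same series gives the attribute a `rw` accessor in Init.pm; `push @{ $self->p->additionalTrustedDomains }, $serviceUrl;` keeps the attribute behind its accessor. Because `init` only appends and nothing resets the list, each run of `init` on the same portal object grows it and, more importantly, a CAS application removed from the configuration keeps its service host in the trusted list until the process restarts — assuming plugins are re-initialised on configuration reload, which this hunk does not show. Resetting the list with `$self->additionalTrustedDomains([]);` in `reloadConf` before the plugins are loaded would keep it in step with the current configuration. The `init` method begins outside this hunk.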
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm @@ -39,6 +39,7 @@ has _jsRedirect => ( is => 'rw' ); # TrustedDomain regexp has trustedDomainsRe => ( is => 'rw' ); +has additionalTrustedDomains => ( is => 'rw', default => sub { [] } ); # Lists to store plugins entry-points my @entryPoints; 
@@ -269,67 +270,6 @@ sub reloadConf { unless $self->{_sfEngine} = $self->loadPlugin( $self->conf->{'sfEngine'} ); - # Initialize trusted domain regexp - if ( $self->conf->{trustedDomains} - and $self->conf->{trustedDomains} =~ /^\s*\*\s*$/ ) - { - $self->trustedDomainsRe(qr#^https?://#); - } - else { - my $re = Regexp::Assemble->new(); - if ( my $td = $self->conf->{trustedDomains} ) { - $td =~ s/^\s*(.*?)\s*/$1/; - foreach ( split( /\s+/, $td ) ) { - next unless ($td); - s#^\.#([^/]+\.)?#; - $self->logger->debug("Domain $_ added in trusted domains"); - s/\./\\./g; - - # This regexp is valid for the followings hosts: - # - $td - # - $domainlabel.$td - # $domainlabel is build looking RFC2396 - # (see Regexp::Common::URI::RFC2396) - $_ =~ - s/\*\\\./(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9]\\.)*/g; - $re->add("$_"); - } - } - my $p = $self->conf->{portal}; - $p =~ s#https?://([^/]*).*$#$1#; - $re->add( quotemeta($p) ); - foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) { - $self->logger->debug("Vhost $vhost added in trusted domains"); - $re->add( quotemeta($vhost) ); - $self->conf->{vhostOptions} ||= {}; - if ( my $tmp = - $self->conf->{vhostOptions}->{$vhost}->{vhostAliases} ) - { - foreach my $alias ( split /\s+/, $tmp ) { - $self->logger->debug( - "Alias $alias added in trusted domains"); - $re->add( quotemeta($alias) ); - } - } - } - - # Add CAS Services, so we can check service= parameter on logout - foreach my $casSrv ( keys %{ $self->conf->{casAppMetaDataOptions} } ) { - if ( my $serviceUrl = - $self->conf->{casAppMetaDataOptions}->{$casSrv} - ->{casAppMetaDataOptionsService} ) - { - $serviceUrl =~ s#https?://([^/]*).*$#$1#; - $self->logger->debug( - "CAS Service $serviceUrl added in trusted domains"); - $re->add( quotemeta($serviceUrl) ); - } - } - my $tmp = 'https?://' . $re->as_string . 
'(?::\d+)?(?:/|$)'; - $self->trustedDomainsRe(qr/$tmp/); - - } - # Compile macros in _macros, groups in _groups foreach my $type (qw(macros groups)) { $self->{"_$type"} = {}; @@ -358,6 +298,59 @@ sub reloadConf { $self->loadPlugin($plugin) or return $self->fail; } + # Initialize trusted domain regexp + if ( $self->conf->{trustedDomains} + and $self->conf->{trustedDomains} =~ /^\s*\*\s*$/ ) + { + $self->trustedDomainsRe(qr#^https?://#); + } + else { + my $re = Regexp::Assemble->new(); + if ( my $td = $self->conf->{trustedDomains} ) { + $td =~ s/^\s*(.*?)\s*/$1/; + foreach ( split( /\s+/, $td ) ) { + next unless ($td); + s#^\.#([^/]+\.)?#; + $self->logger->debug("Domain $_ added in trusted domains"); + s/\./\\./g; + + # This regexp is valid for the followings hosts: + # - $td + # - $domainlabel.$td + # $domainlabel is build looking RFC2396 + # (see Regexp::Common::URI::RFC2396) + $_ =~ + s/\*\\\./(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9]\\.)*/g; + $re->add("$_"); + } + } + foreach ( @{ $self->{additionalTrustedDomains} }, + $self->conf->{portal} ) + { + my $p = $_; + $p =~ s#https?://([^/]*).*$#$1#; + $re->add( quotemeta($p) ); + } + foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) { + $self->logger->debug("Vhost $vhost added in trusted domains"); + $re->add( quotemeta($vhost) ); + $self->conf->{vhostOptions} ||= {}; + if ( my $tmp = + $self->conf->{vhostOptions}->{$vhost}->{vhostAliases} ) + { + foreach my $alias ( split /\s+/, $tmp ) { + $self->logger->debug( + "Alias $alias added in trusted domains"); + $re->add( quotemeta($alias) ); + } + } + } + + my $tmp = 'https?://' . $re->as_string . '(?::\d+)?(?:/|$)'; + $self->trustedDomainsRe(qr/$tmp/); + + } + # Clean $req->pdata after authentication push @{ $self->endAuth }, sub { unless ( $_[0]->pdata->{keepPdata} ) { From 4b48f955076c9170b012616f26993062844a250d Mon Sep 17 00:00:00 2001 
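Review bot: The comment `# Initialize trusted domain regexp` on the moved block does not say that the hosts plugins collect in `additionalTrustedDomains` become acceptable targets for every redirect check that uses `trustedDomainsRe`, not only the CAS `service=` parameter; a line such as `# Hosts supplied by plugins (e.g. CAS services) are trusted for all redirect checks, not just CAS logout` would make the widened allow-list visible to the next reader, as the description of #1795 already acknowledges. The block reads the list as `$self->{additionalTrustedDomains}` while the rest of the file goes through accessors such as `$self->conf`; `@{ $self->additionalTrustedDomains }` would be consistent. Carried over unchanged from the old location: inside `foreach ( split( /\s+/, $td ) )`, `next unless ($td);` tests the whole string rather than the current element, so it never skips an empty token; `next unless ($_);` is what the loop needs. The rest of `reloadConf` lies outside this hunk.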
From: Xavier Guimard Date: Thu, 27 Jun 2019 17:08:21 +0200 Subject: [PATCH 12/14] Move missing deps in the good place (#1824) --- lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm | 1 - lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm | 1 - lemonldap-ng-manager/scripts/lmConfigEditor | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index fd4a1efe0..aaa0e4da4 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm @@ -2,7 +2,6 @@ package Lemonldap::NG::Manager::Attributes; our $VERSION = '2.0.5'; -use Lemonldap::NG::Handler::Main::Jail; sub perlExpr { my ( $val, $conf ) = @_; diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm index 80e01a12b..427e157e0 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm @@ -380,7 +380,6 @@ EOF package Lemonldap::NG::Manager::Attributes; our \$VERSION = '$Lemonldap::NG::Manager::Build::Attributes::VERSION'; -use Lemonldap::NG::Handler::Main::Jail; $managerSub diff --git a/lemonldap-ng-manager/scripts/lmConfigEditor b/lemonldap-ng-manager/scripts/lmConfigEditor index 1d2ab7968..a1ac31089 100644 --- a/lemonldap-ng-manager/scripts/lmConfigEditor +++ b/lemonldap-ng-manager/scripts/lmConfigEditor @@ -3,6 +3,7 @@ use Lemonldap::NG::Common::Conf; use Lemonldap::NG::Common::Conf::Constants; use Lemonldap::NG::Manager::Conf::Parser; +use Lemonldap::NG::Handler::Main::Jail; use Data::Dumper; use English qw(-no_match_vars); use File::Temp; From e53129568a695d4a19807423cb840cf2465b68f9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Thu, 27 Jun 2019 17:29:56 +0200 Subject: [PATCH 13/14] Set some default values for lemonldap-ng-cli info (#1827) --- lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm index 82a657feb..34f5355f4 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm @@ -4,7 +4,7 @@ use strict; use Mouse; use Lemonldap::NG::Common::Conf; -our $VERSION = '2.0.0'; +our $VERSION = '2.0.5'; has confAccess => ( is => 'rw', @@ -31,6 +31,9 @@ sub info { my $conf = $self->confAccess->getConf( { cfgNum => $self->cfgNum, raw => 1 } ) or die $Lemonldap::NG::Common::Conf::msg; + $conf->{cfgAuthorIP} ||= "No IP provided"; + $conf->{cfgDate} ||= 0; + $conf->{cfgLog} ||= "No log provided"; print qq{ Num : $conf->{cfgNum} Author : $conf->{cfgAuthor} From e23611b73b1408ade2f7587c1d7f25e0d9104360 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Thu, 27 Jun 2019 17:40:50 +0200 Subject: [PATCH 14/14] Avoid failure with future Perl (warnings reserved) --- fastcgi-server/man/llng-fastcgi-server.1p | 2 +- lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm | 2 +- .../lib/Lemonldap/NG/Manager/Build/Attributes.pm | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fastcgi-server/man/llng-fastcgi-server.1p b/fastcgi-server/man/llng-fastcgi-server.1p index dea827ce1..960a19d0e 100644 --- a/fastcgi-server/man/llng-fastcgi-server.1p +++ b/fastcgi-server/man/llng-fastcgi-server.1p 
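Review bot: `$conf->{cfgDate} ||= 0;` substitutes the Unix epoch for a missing date, so if `info` later formats `cfgDate` with `localtime` (that line is outside this hunk) the user sees 1970-01-01 rather than an indication that no date was stored; either a defined check at the formatting site or a sentinel like its two neighbours, `$conf->{cfgDate} //= 'No date provided';`, would be clearer. `||=` also replaces a legitimately defined but empty value; `//=` limits the default to undefined fields, which is what "no value provided" means here. The remainder of `info` is outside this hunk.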
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "llng-fastcgi-server 1" -.TH llng-fastcgi-server 1 "2019-06-13" "perl v5.28.1" "User Contributed Perl Documentation" +.TH llng-fastcgi-server 1 "2019-06-27" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index aaa0e4da4..14c3851fb 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm @@ -11,7 +11,7 @@ sub perlExpr { [ '&encrypt', '&token' ] ); $cpt->share_from( 'Lemonldap::NG::Common::Safelib', $Lemonldap::NG::Common::Safelib::functions ); - $cpt->reval("BEGIN { warnings->unimport; } $val"); + $cpt->reval("BEGIN { 'warnings'->unimport; } $val"); my $err = join( '', grep( { $_ =~ /Undefined subroutine/ ? () : $_; } split( /\n/, $@, 0 ) ) diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm index 3a5faa6f2..6430a3306 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm @@ -18,7 +18,7 @@ sub perlExpr { [ '&encrypt', '&token' ] ); $cpt->share_from( 'Lemonldap::NG::Common::Safelib', $Lemonldap::NG::Common::Safelib::functions ); - $cpt->reval("BEGIN { warnings->unimport; } $val"); + $cpt->reval("BEGIN { 'warnings'->unimport; } $val"); my $err = join( '', grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) ); return $err ? ( 1, "__badExpression__: $err" ) : (1);
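Review bot: The reason for quoting the class in `$cpt->reval("BEGIN { 'warnings'->unimport; } $val")` exists only in the commit subject; a comment on that line such as `# Quote the class name: a bare warnings-> is reserved in future Perl versions` keeps the change from being reverted as noise. The same one-token change is applied to two copies of `perlExpr` that otherwise differ — Attributes.pm wraps the `grep` block in braces and passes `, 0` to `split`, Build/Attributes.pm does not — which suggests the two have drifted apart, if, as the Build.pm hunk in patch 10 indicates, Attributes.pm is generated from the Build template. The same comment should record that `$val` is configuration-supplied code that is executed, not merely compiled, inside `$cpt`, presumably a Safe compartment, so the validation's safety rests on the compartment's opcode mask and the functions shared into it. Both `perlExpr` bodies extend beyond these hunks.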