WIP - ContextSwitching (#1783)
parent
b69ffc0ff8
commit
8c47c913fe
@ -55,8 +55,8 @@ sub init {
$rule =
$hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingIdRule} ) );
unless ($rule) {
$self->error(
"Bad contextSwitching identities rule -> " . $hd->tsv->{jail}->error );
$self->error( "Bad contextSwitching identities rule -> "
. $hd->tsv->{jail}->error );
return 0;
}
$self->idRule($rule);
@ -92,36 +92,35 @@ sub run {
my $statut = PE_OK;
my $spoofId = $req->param('spoofId') || ''; # Impersonation required ?
unless ($spoofId) {
$self->logger->debug("No context switching required");
$req->mustRedirect(1);
return $self->p->do( $req, [ sub { PE_OK } ] );
}
unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
$self->userLogger->error('Malformed spoofed Id');
$self->logger->debug(
"Context switching tried with spoofed Id: $spoofId");
$spoofId = $req->{user};
$statut = PE_MALFORMEDUSER;
}
# Check activation rule
unless ( $self->rule->( $req, $req->userData ) ) {
$self->userLogger->error('Context switching service not authorized');
$spoofId = '';
$statut = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
}
if ($spoofId) {
$self->logger->debug("Spoof Id: $spoofId");
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
$self->userLogger->error(
'Context switching service not authorized');
$spoofId = '';
$statut = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
$self->userLogger->error('Malformed spoofed Id');
$self->logger->debug(
"Context switching tried with spoofed Id: $spoofId");
$statut = PE_MALFORMEDUSER;
}
}
else {
$self->logger->debug("No context switching required");
$req->mustRedirect(1);
}
return $self->p->do( $req, [ sub { $statut } ] ) if $statut;
# Fill spoof session
my ( $realSession, $spoofSession ) = ( {}, {} );
$self->logger->debug("Rename real attributes...");
my $spk = '';
foreach my $k ( keys %{ $req->{userData} } ) {
# if ( $self->{conf}->{impersonationSkipEmptyValues} ) {
# next unless defined $req->{userData}->{$k};
# }
@ -142,7 +141,7 @@ sub run {
$statut = PE_BADCREDENTIALS;
}
else {
return $req->error;
$statut = $req->error;
}
}
@ -157,44 +156,46 @@ sub run {
# Merging SSO Groups and hGroups & dedup
$spoofSession->{groups} ||= '';
$spoofSession->{hGroups} ||= {};
#if ( $self->{conf}->{impersonationMergeSSOgroups} ) {
$self->userLogger->warn("MERGING SSO groups and hGroups...");
my $spg = "$self->{conf}->{impersonationPrefix}groups";
my $sphg = "$self->{conf}->{impersonationPrefix}hGroups";
my $separator = $self->{conf}->{multiValuesSeparator};
$self->userLogger->warn("MERGING SSO groups and hGroups...");
my $spg = "$self->{conf}->{impersonationPrefix}groups";
my $sphg = "$self->{conf}->{impersonationPrefix}hGroups";
my $separator = $self->{conf}->{multiValuesSeparator};
## GROUPS
my @spoofGrps = split /\Q$separator/, $spoofSession->{groups};
my @realGrps = split /\Q$separator/, $realSession->{$spg};
## GROUPS
my @spoofGrps = split /\Q$separator/, $spoofSession->{groups};
my @realGrps = split /\Q$separator/, $realSession->{$spg};
## hGROUPS
$realSession->{$sphg} ||= {};
## hGROUPS
$realSession->{$sphg} ||= {};
# Merge specified groups/hGroups only
# unless ( $self->{conf}->{impersonationMergeSSOgroups} eq 1 ) {
# my %SSOgroups = map { $_, 1 } split /\Q$separator/,
# $self->{conf}->{impersonationMergeSSOgroups};
# Merge specified groups/hGroups only
# unless ( $self->{conf}->{impersonationMergeSSOgroups} eq 1 ) {
# my %SSOgroups = map { $_, 1 } split /\Q$separator/,
# $self->{conf}->{impersonationMergeSSOgroups};
# $self->logger->debug("Filtering specified groups/hGroups...");
# @realGrps = grep { exists $SSOgroups{$_} } @realGrps;
# my %intersct =
# map {
# $realSession->{$sphg}->{$_}
# ? ( $_, $realSession->{$sphg}->{$_} )
# : ()
# } keys %SSOgroups;
# $realSession->{$sphg} = \%intersct;
# }
# $self->logger->debug("Filtering specified groups/hGroups...");
# @realGrps = grep { exists $SSOgroups{$_} } @realGrps;
# my %intersct =
# map {
# $realSession->{$sphg}->{$_}
# ? ( $_, $realSession->{$sphg}->{$_} )
# : ()
# } keys %SSOgroups;
# $realSession->{$sphg} = \%intersct;
# }
$self->logger->debug("Processing groups...");
@spoofGrps = ( @spoofGrps, @realGrps );
my %hash = map { $_, 1 } @spoofGrps;
$spoofSession->{groups} = join $separator, sort keys %hash;
$self->logger->debug("Processing groups...");
@spoofGrps = ( @spoofGrps, @realGrps );
my %hash = map { $_, 1 } @spoofGrps;
$spoofSession->{groups} = join $separator, sort keys %hash;
$self->logger->debug("Processing hGroups...");
$spoofSession->{hGroups} =
{ %{ $spoofSession->{hGroups} }, %{ $realSession->{$sphg} } };
# }
$self->logger->debug("Processing hGroups...");
$spoofSession->{hGroups} =
{ %{ $spoofSession->{hGroups} }, %{ $realSession->{$sphg} } };
# }
# Main session
$self->p->updateSession( $req, $spoofSession );
@ -264,7 +265,8 @@ sub _userData {
sub displaySwitchContext {
my ( $self, $req ) = @_;
return 2 if $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"};
return 2
if $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"};
return $self->rule->( $req, $req->userData );
}
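Review bot: In the rewritten spoofId block of run, the two closing braces before `else {` and the `else` itself read as the `userControl` format check being nested inside the "Context switching service not authorized" branch and the "No context switching required" branch hanging off that same `unless`, so an authorised caller's spoofId is never matched against `userControl`, while an unauthorised caller has `$spoofId` already reset to `''` when the regex runs and PE_IMPERSONATION_SERVICE_NOT_ALLOWED is overwritten by PE_MALFORMEDUSER; the rendered page loses indentation, so please confirm against the file. The authorisation check and the format check should be siblings under `if ($spoofId)`, with `else` belonging to that `if`, as sketched below. The same block now evaluates the rule against `$req->sessionInfo` whereas displaySwitchContext (last hunk of this file) evaluates it against `$req->userData`; if that difference is intended, a one-line comment stating why would save the next reader a detour. run's body continues outside the hunk.
```perl
    if ($spoofId) {
        $self->logger->debug("Spoof Id: $spoofId");
        if ( !$self->rule->( $req, $req->sessionInfo ) ) {
            $self->userLogger->error('Context switching service not authorized');
            $spoofId = '';
            $statut  = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
        }
        elsif ( $spoofId !~ /$self->{conf}->{userControl}/o ) {
            $self->userLogger->error('Malformed spoofed Id');
            $self->logger->debug(
                "Context switching tried with spoofed Id: $spoofId");
            $statut = PE_MALFORMEDUSER;
        }
    }
    else {
        $self->logger->debug("No context switching required");
        $req->mustRedirect(1);
    }
    # … unchanged: early return on $statut, spoof session filling …
```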
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"انا متاكد",
"info":"معلومات",
"ipAddr":"عنوان الأي بي",
@ -220,6 +220,7 @@
"SSOSessionInactive":"جلسة الدخول الموحد غير نشطة",
"stayConnected":"ابق على اتصال على هذا الجهاز",
"submit":"قدم",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"يرجى لمس جهاز U2F وامض الآن.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"ID",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"Ich bin sicher",
"info":"Information",
"ipAddr":"IP Adresse",
@ -220,6 +220,7 @@
"SSOSessionInactive":"SSO Sitzung inaktiv",
"stayConnected":"Auf diesem Gerät verbunden bleiben",
"submit":"Absenden",
"switchContext":"Switch context",
"totpExistingKey":"Es existiert bereits ein TOTP-Secret",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -220,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected": "Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice": "Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp": "Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -220,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"Olen varma",
"info":"Information",
"ipAddr":"IP-osoite",
@ -220,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Lähetä",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"GROUPES SSO",
"headers":"ENTETES",
"id":"Id",
"contextSwitching":"Endosser l'identité d'un autre utilisateur",
"switchContext":"Changer de contexte",
"contextSwitching1":"Endosser l'identité d'un autre utilisateur",
"contextSwitching2":"Stopper l'endossement",
"imSure":"Je suis sûr",
"info":"Information",
"ipAddr":"Adresse IP",
@ -220,6 +220,7 @@
"SSOSessionInactive":"Session SSO inactive",
"stayConnected": "Rester connecté sur cet appareil",
"submit":"Envoyer",
"switchContext":"Changer de contexte",
"totpExistingKey":"Un secret TOTP existe déjà !!!",
"touchU2fDevice": "Posez votre doigt sur le périphérique U2F",
"touchU2fDeviceOrEnterTotp": "Posez votre doigt sur le périphérique U2F ou entrez le code TOTP",
@ -143,8 +143,8 @@
"groups_sso":"GRUPPI SSO",
"headers":"INTESTAZIONI",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"Sono sicuro",
"info":"Informazioni",
"ipAddr":"Indirizzo IP",
@ -220,6 +220,7 @@
"SSOSessionInactive":"Sessione SSO inattiva",
"stayConnected":"Resta connesso su questo dispositivo",
"submit":"Invia",
"switchContext":"Switch context",
"totpExistingKey":"Un segreto TOTP esiste già",
"touchU2fDevice":"Adesso tocca il dispositivo U2F lampeggiante.",
"touchU2fDeviceOrEnterTotp":"Tocca il dispositivo U2F lampeggiante o inserisci il codice TOTP.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -220,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -220,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -220,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"Tôi chắc chắn",
"info":"Thông tin",
"ipAddr":"Địa chỉ IP",
@ -220,6 +220,7 @@
"SSOSessionInactive":"Phiên SSO không hoạt động",
"stayConnected":"Giữ kết nối trên thiết bị này",
"submit":"Gửi",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Vui lòng chạm vào thiết bị U2F nhấp nháy ngay bây giờ.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -143,8 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching":"Impersonate another user",
"switchContext":"Switch context",
"contextSwitching1":"Impersonate another user",
"contextSwitching2":"Stop impersonation",
"imSure":"我确认",
"info":"信息",
"ipAddr":"IP 地址",
@ -220,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"在该项设备上保持连接",
"submit":"提交",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
@ -69,8 +69,8 @@
</TMPL_IF>
<TMPL_IF NAME="contextSwitching">
<li class="dropdown-item"><a href="/switchcontext" class="nav-link">
<img src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/switchcontext1.png" width="16" height="16" alt="refresh" />
<span trspan="contextSwitching">contextSwitching</span>
<img src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/switchcontext<TMPL_VAR NAME="contextSwitching">.png" width="20" height="20" alt="refresh" />
<span trspan="contextSwitching<TMPL_VAR NAME="contextSwitching">">contextSwitching<TMPL_VAR NAME="contextSwitching"></span>
</a></li>
</TMPL_IF>
<li class="dropdown-item"><a href="/refresh" class="nav-link">
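Review bot: The new `<img src>` and `trspan` on the switchcontext menu entry build an icon file name and a translation key from the raw value of `contextSwitching`, but displaySwitchContext (in this commit's Perl hunk) returns `2` or whatever the rule coderef returns, so a rule that yields any true value other than `1` produces a non-existent `switchcontext<value>.png` and a missing translation key, and the value lands inside attributes without `ESCAPE=HTML`. Normalising on the Perl side, `return $self->rule->( $req, $req->userData ) ? 1 : 0;`, pins the template contract to exactly 1 or 2, and writing `<TMPL_VAR NAME="contextSwitching" ESCAPE=HTML>` in both places keeps the attribute context safe even if the value ever comes from elsewhere. The surrounding menu markup continues outside the hunk.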