Merge branch 'v2.0'

doc/sources/admin/authchoice.rst

@@ -50,8 +50,8 @@ Then, go in ``Choice Parameters``:
 -  **URL parameter**: parameter name used to set choice value (default:
    ``lmAuth``)
 -  **Allowed modules**: click on ``New chain`` to add a choice.
--  **AuthBasic handler parameter**: authentication module called by
-   AuthBasic handler (:doc:`AuthBasic handler<handlerauthbasic>`)
+-  **Choice used for password authentication**: authentication module used by
+   :doc:`AuthBasic handler<handlerauthbasic>` and :ref:`OAuth2.0 Password Grant <resource-owner-password-grant>`
 -  **FindUser plugin parameter**: authentication module called by
    Find user plugin (:doc:`Find user plugin<finduser>`)
 

doc/sources/admin/handlerauthbasic.rst

@@ -53,7 +53,7 @@ to access required locations in Portal Virtual Host.
 
     requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
 
-    With AutChoice, you have to declare which authentication module is
+    With :doc:`authchoice`, you have to declare which authentication module is
     requested by handler to create global session.
 
     Go to:
@@ -61,7 +61,7 @@ to access required locations in Portal Virtual Host.
 
     and set authentication module's name :
 
-    **AuthBasic handler parameter** => 2_LDAP (by example)
+    **Choice used for password authentication** => 2_LDAP (by example)
 
 
 

doc/sources/admin/idpopenidconnect.rst

@@ -339,6 +339,10 @@ Resource Owner Password Credentials Grant
 
 The Resource Owner Password Credentials Grant allows you to exchange a user's login and password for an access token. This must be considered a legacy form of authentication, since the Authorization Code web-based flow is prefered for all applications that support it. It can however be useful in some scenarios involving technical accounts that cannot implement a web-based authentication flow.
 
+.. versionchanged:: 2.0.12
+
+   when using the :doc:`Choice <authchoice>` authentication module, the *Choice used for password authentication* setting can be used to select which authentication choice is used by the Resource Owner Password Credentials Grant. Naturally, the selected choice must be a password-based authentication method (LDAP, DBI, REST, etc.)
+
 .. seealso::
 
    `Specification for the Resource Owner Password Credentials Grant <https://tools.ietf.org/html/rfc6749#section-4.3>`__

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"الترخيص وقاعدة بيانات المستخدم",
 "authChain":"سلسلة إثبات الهوية",
 "authChoice":"اختيار إثبات الهوية",
-"authChoiceAuthBasic":"AuthBasic handler parameter",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser plugin parameter",
 "authChoiceModules":"الوحدات المسموح بها",
 "authChoiceParam":"معايير URL",

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"Authz and user DB",
 "authChain":"Authentication chain",
 "authChoice":"Authentication choice",
-"authChoiceAuthBasic":"AuthBasic handler parameter",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser plugin parameter",
 "authChoiceModules":"Allowed modules",
 "authChoiceParam":"URL parameter",

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"Authz and user DB",
 "authChain":"Authentication chain",
 "authChoice":"Authentication choice",
-"authChoiceAuthBasic":"AuthBasic handler parameter",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser plugin parameter",
 "authChoiceModules":"Allowed modules",
 "authChoiceParam":"URL parameter",

lemonldap-ng-manager/site/htdocs/static/languages/es.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"Authz and user DB",
 "authChain":"Cadena de autentificación",
 "authChoice":"Opción de autentificación",
-"authChoiceAuthBasic":"AuthBasic handler parameter",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser plugin parameter",
 "authChoiceModules":"Módulos permitidos",
 "authChoiceParam":"Parámetro URL",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"Authent. et BD utilisateurs",
 "authChain":"Chaîne d'authentification",
 "authChoice":"Choix d'authentification",
-"authChoiceAuthBasic":"Paramètre du handler AuthBasic",
+"authChoiceAuthBasic":"Choix à utiliser pour l'authentification par mot de passe",
 "authChoiceFindUser":"Paramètre de recherche de compte",
 "authChoiceModules":"Modules autorisés",
 "authChoiceParam":"Paramètre de l'URL",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"Authz e utente DB",
 "authChain":"Catena di autenticazione",
 "authChoice":"Scelta di autenticazione",
-"authChoiceAuthBasic":"AuthBasic handler parameter",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser plugin parameter",
 "authChoiceModules":"Moduli consentiti",
 "authChoiceParam":"Parametri URL",

lemonldap-ng-manager/site/htdocs/static/languages/pl.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"Authz i baza danych użytkownika",
 "authChain":"Łańcuch uwierzytelnienia",
 "authChoice":"Wybór uwierzytelnienia",
-"authChoiceAuthBasic":"Parametr handlera AuthBasic",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"Parametr wtyczki FindUser",
 "authChoiceModules":"Dozwolone moduły",
 "authChoiceParam":"Parametr adresu URL",

lemonldap-ng-manager/site/htdocs/static/languages/tr.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"Yetkilendirme ve kullanıcı veri tabanı",
 "authChain":"Doğrulama zinciri",
 "authChoice":"Kimlik doğrulama tercihi",
-"authChoiceAuthBasic":"AuthBasic işleyici parametresi",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser eklenti parametresi",
 "authChoiceModules":"İzin verilen modüller",
 "authChoiceParam":"URL parametresi",

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"Authz và user DB",
 "authChain":"Chuỗi xác thực",
 "authChoice":"Lựa chọn xác thực",
-"authChoiceAuthBasic":"AuthBasic handler parameter",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser plugin parameter",
 "authChoiceModules":"Các mô-đun được phép",
 "authChoiceParam":"Tham số URL",

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"授权和用户数据库",
 "authChain":"认证chain",
 "authChoice":"认证方式选择",
-"authChoiceAuthBasic":"AuthBasic handler parameter",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser plugin parameter",
 "authChoiceModules":"允许的模块",
 "authChoiceParam":"URL 参数",

lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json

@@ -76,7 +76,7 @@
 "authAndUserdb":"驗證與使用者資料庫",
 "authChain":"驗證鏈",
 "authChoice":"驗證選擇",
-"authChoiceAuthBasic":"AuthBasic 處理程式參數",
+"authChoiceAuthBasic":"Choice used for password authentication",
 "authChoiceFindUser":"FindUser plugin parameter",
 "authChoiceModules":"已允許的模組",
 "authChoiceParam":"URL 參數",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm

@@ -16,6 +16,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
   PE_BADCREDENTIALS
   PE_UNAUTHORIZEDPARTNER
   PE_OIDC_SERVICE_NOT_ALLOWED
+  PE_FIRSTACCESS
 );
 use String::Random qw/random_string/;
 
@@ -1157,6 +1158,9 @@ sub _handlePasswordGrant {
     $req->parameters->{password} = $password;
     $req->data->{skipToken}      = 1;
 
+    # This makes Auth::Choice use authChoiceAuthBasic if defined
+    $req->data->{_pwdCheck} = 1;
+
     $req->steps( [
             @{ $self->p->beforeAuth },
             $self->p->authProcess,
@@ -1169,6 +1173,15 @@ sub _handlePasswordGrant {
     );
     my $result = $self->p->process($req);
 
+    if (    ( $result == PE_FIRSTACCESS )
+        and ( $self->conf->{authentication} eq "Choice" ) )
+    {
+        $self->logger->warn(
+                "Choice module did not know which module to choose. "
+              . "You should define authChoiceAuthBasic or specify desired module in the URL"
+        );
+    }
+
     $self->logger->debug( "Credentials check returned "
           . $self->p->_formatProcessResult($result) )
       if $result;

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Choice.pm

@@ -116,6 +116,13 @@ sub checkChoice {
         }
     }
 
+    unless ($name) {
+        # Set by OAuth Resource Owner grant // RESTServer pwdCheck
+        if ($req->data->{_pwdCheck} and $self->{conf}->{authChoiceAuthBasic}) {
+            $name = $self->{conf}->{authChoiceAuthBasic};
+        }
+    }
+
     unless ($name) {
 
         # Check with other methods

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm

@@ -697,7 +697,8 @@ sub pwdConfirm {
     }
 
     $req->user($user);
-    $req->data->{password} = $password;
+    $req->data->{password}  = $password;
+    $req->data->{_pwdCheck} = 1;
 
     if ( $self->p->_userDB ) {
         $req->steps( [ 'getUser', 'authenticate' ] );
@@ -736,6 +737,7 @@ sub getUser {
     }
 
     $req->user( $user || $mail );
+    $req->data->{_pwdCheck} = 1;
 
     # Search user in database
     $req->steps( [

lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce-and-Choice.t

@@ -17,12 +17,17 @@ my $debug = 'error';
 # Initialization
 my $op = LLNG::Manager::Test->new( {
         ini => {
-            logLevel       => $debug,
-            domain         => 'op.com',
-            portal         => 'http://auth.op.com',
-            authentication => 'Demo',
-            userDB         => 'Same',
-            macros         => {
+            logLevel            => $debug,
+            domain              => 'op.com',
+            portal              => 'http://auth.op.com',
+            authChoiceAuthBasic => "MyChoice",
+            authentication      => 'Choice',
+            userDB              => 'Same',
+            'authChoiceModules' => {
+                'MyChoice' => 'Demo;Demo;Null;;;{}'
+            },
+
+            macros => {
                 gender       => '"32"',
                 _whatToTrace => '$uid',
                 nickname     => '"froggie; frenchie"',
@@ -57,7 +62,7 @@ my $op = LLNG::Manager::Test->new( {
             oidcRPMetaDataScopeRules => {
                 rp => {
                     "read"   => '$requested',
-                    "french"   => '$uid eq "french"',
+                    "french" => '$uid eq "french"',
                     "always" => '1',
                 },
             },
@@ -172,7 +177,8 @@ unlike( $payload->{scope}, qr/\bread\b/,
     "Scope read not asked, and thus not found" );
 like( $payload->{scope}, qr/\bfrench\b/, "Attribute-based scope found" );
 like( $payload->{scope}, qr/\balways\b/, "Rule-enforced scope found" );
-is ($payload->{scope}, $token_res_scope, "Token response scope matches token scope");
+is( $payload->{scope}, $token_res_scope,
+    "Token response scope matches token scope" );
 
 clean_sessions();
 done_testing();

scripts/addTrEntry

@@ -3,10 +3,12 @@
 use strict;
 use JSON;
 use Getopt::Long;
+use Encode::Locale qw/decode_argv/;
 my ( $portal, $modify, $help, $delete, $reorder );
 my $json =
   JSON->new->utf8->pretty()->canonical()->space_before(0)->space_after(0);
 
+decode_argv();
 GetOptions(
     "portal|p"  => \$portal,
     "modify|m"  => \$modify,