From c1e059eeb329b4b114d570b674fbd1df1383538a Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Thu, 1 Apr 2021 19:11:07 +0200 Subject: [PATCH 1/4] Use authChoiceAuthBasic to select Choice (#2502) --- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 13 +++++++++++++ .../lib/Lemonldap/NG/Portal/Lib/Choice.pm | 7 +++++++ .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 4 +++- 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index 944a3e62d..538495033 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -16,6 +16,7 @@ use Lemonldap::NG::Portal::Main::Constants qw( PE_BADCREDENTIALS PE_UNAUTHORIZEDPARTNER PE_OIDC_SERVICE_NOT_ALLOWED + PE_FIRSTACCESS ); use String::Random qw/random_string/; @@ -1157,6 +1158,9 @@ sub _handlePasswordGrant { $req->parameters->{password} = $password; $req->data->{skipToken} = 1; + # This makes Auth::Choice use authChoiceAuthBasic if defined + $req->data->{_pwdCheck} = 1; + $req->steps( [ @{ $self->p->beforeAuth }, $self->p->authProcess, @@ -1169,6 +1173,15 @@ sub _handlePasswordGrant { ); my $result = $self->p->process($req); + if ( ( $result == PE_FIRSTACCESS ) + and ( $self->conf->{authentication} eq "Choice" ) ) + { + $self->logger->warn( + "Choice module did not know which module to choose. " + . "You should define authChoiceAuthBasic or specify desired module in the URL" + ); + } + $self->logger->debug( "Credentials check returned " . $self->p->_formatProcessResult($result) ) if $result; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Choice.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Choice.pm index 6476dc079..da389e5d8 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Choice.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Choice.pm 
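Review bot: The new warning in `_handlePasswordGrant` fires whenever `process()` returns PE_FIRSTACCESS under `authentication eq "Choice"`, yet its text unconditionally tells the operator to define authChoiceAuthBasic, which is also what they will read when the option is set but names a chain that Choice did not accept; logging the configured value separates the two cases, e.g. `. " (authChoiceAuthBasic=" . ( $self->conf->{authChoiceAuthBasic} // 'undef' ) . ")"` appended to the message. The previous hunk's `$req->data->{_pwdCheck} = 1;` is one of three places this patch sets the flag (also RESTServer::pwdConfirm and RESTServer::getUser) while its only consumer is Lib::Choice, so the comment above it should name that consumer and state that the flag lives in server-side request data and is never read from client input, since it decides which authentication chain runs. `_handlePasswordGrant` starts and ends outside the hunk.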
@@ -115,6 +115,13 @@ sub checkChoice { } } + unless ($name) { + # Set by OAuth Resource Owner grant // RESTServer pwdCheck + if ($req->data->{_pwdCheck} and $self->{conf}->{authChoiceAuthBasic}) { + $name = $self->{conf}->{authChoiceAuthBasic}; + } + } + unless ($name) { # Check with other methods diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index e87e5c1e1..c210a5f08 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm @@ -697,7 +697,8 @@ sub pwdConfirm { } $req->user($user); - $req->data->{password} = $password; + $req->data->{password} = $password; + $req->data->{_pwdCheck} = 1; if ( $self->p->_userDB ) { $req->steps( [ 'getUser', 'authenticate' ] ); @@ -736,6 +737,7 @@ sub getUser { } $req->user( $user || $mail ); + $req->data->{_pwdCheck} = 1; # Search user in database $req->steps( [ From 1253effa29b0dd751f7a70305812ac100af95f66 Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Wed, 7 Apr 2021 14:47:12 +0200 Subject: [PATCH 2/4] Unit test for #2502 --- ...ssword-Grant-with-Bruteforce-and-Choice.t} | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) rename lemonldap-ng-portal/t/{32-OIDC-Password-Grant-with-Bruteforce.t => 32-OIDC-Password-Grant-with-Bruteforce-and-Choice.t} (90%) diff --git a/lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce.t b/lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce-and-Choice.t similarity index 90% rename from lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce.t rename to lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce-and-Choice.t index 721cf451d..e2775c462 100644 --- a/lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce.t +++ b/lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce-and-Choice.t 
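Review bot: The new `unless ($name)` block in `checkChoice` only assigns authChoiceAuthBasic when nothing earlier in the sub has chosen a chain, so the setting is a fallback rather than a restriction: if the URL-parameter selection that the OpenIDConnect warning text refers to ("specify desired module in the URL") also applies to password-grant and REST requests, a client can still steer authentication to any other configured chain by adding that parameter, and whether `$name` is validated against authChoiceModules happens, if at all, outside this hunk. The comment should state this, e.g. `# Default chain for password-based flows (OAuth2 password grant, REST pwdConfirm/getUser); a choice already made earlier in this sub still wins`, because the administrator text in PATCH 3 describes the option as selecting the chain, which reads as stronger than this. Style: the block could be folded into the following `unless ($name)` that checks other methods, and `$self->{conf}->{...}` is used here while OpenIDConnect.pm uses the `$self->conf` accessor. `checkChoice` starts and ends outside the hunk.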
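Review bot: `getUser` in RESTServer.pm now sets `$req->data->{_pwdCheck} = 1;` although its step list (`getUser`, per the context lines, before the hunk is cut off) performs no password check, so the flag name describes the caller rather than what the request does; a comment should say why it is set here, e.g. `# No password is checked here; the flag only makes Choice resolve the authChoiceAuthBasic chain so the lookup hits the same backend as pwdConfirm`, assuming that is the intent (whether UserDB::Choice consults checkChoice is not visible in this patch). In `pwdConfirm`, the previous hunk, the name fits and needs no comment. Both `pwdConfirm` and `getUser` start and end outside their hunks.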
@@ -17,12 +17,17 @@ my $debug = 'error'; # Initialization my $op = LLNG::Manager::Test->new( { ini => { - logLevel => $debug, - domain => 'op.com', - portal => 'http://auth.op.com', - authentication => 'Demo', - userDB => 'Same', - macros => { + logLevel => $debug, + domain => 'op.com', + portal => 'http://auth.op.com', + authChoiceAuthBasic => "MyChoice", + authentication => 'Choice', + userDB => 'Same', + 'authChoiceModules' => { + 'MyChoice' => 'Demo;Demo;Null;;;{}' + }, + + macros => { gender => '"32"', _whatToTrace => '$uid', nickname => '"froggie; frenchie"', @@ -57,7 +62,7 @@ my $op = LLNG::Manager::Test->new( { oidcRPMetaDataScopeRules => { rp => { "read" => '$requested', - "french" => '$uid eq "french"', + "french" => '$uid eq "french"', "always" => '1', }, }, @@ -172,7 +177,8 @@ unlike( $payload->{scope}, qr/\bread\b/, "Scope read not asked, and thus not found" ); like( $payload->{scope}, qr/\bfrench\b/, "Attribute-based scope found" ); like( $payload->{scope}, qr/\balways\b/, "Rule-enforced scope found" ); -is ($payload->{scope}, $token_res_scope, "Token response scope matches token scope"); +is( $payload->{scope}, $token_res_scope, + "Token response scope matches token scope" ); clean_sessions(); done_testing(); From 715b78c34f33afe3a371b69bd452d2e77e1d4662 Mon Sep 17 00:00:00 2001 
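Review bot: The renamed test only exercises the configured case (`authChoiceAuthBasic => "MyChoice"` with `authentication => 'Choice'`), so neither the new PE_FIRSTACCESS warning path in OpenIDConnect.pm (authChoiceAuthBasic unset) nor the REST `pwdConfirm`/`getUser` paths that now set `_pwdCheck` are covered, and switching this file away from `authentication => 'Demo'` drops the original non-Choice bruteforce scenario from the suite. Consider keeping the Demo variant and adding a case where Choice is configured without authChoiceAuthBasic, asserting that the token request fails rather than falling through to an unexpected chain. Minor style: `'authChoiceModules'` and `'MyChoice'` are quoted while sibling keys are bare, and the blank line before `macros` is stray. The other two hunks in this file are whitespace-only.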
From: Maxime Besson Date: Wed, 7 Apr 2021 16:40:15 +0200 Subject: [PATCH 3/4] Documentation for #2502 --- doc/sources/admin/authchoice.rst | 4 ++-- doc/sources/admin/handlerauthbasic.rst | 4 ++-- doc/sources/admin/idpopenidconnect.rst | 4 ++++ lemonldap-ng-manager/site/htdocs/static/languages/ar.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/de.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/en.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/es.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/fr.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/it.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/pl.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/tr.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/vi.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/zh.json | 2 +- lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json | 2 +- 14 files changed, 19 insertions(+), 15 deletions(-) diff --git a/doc/sources/admin/authchoice.rst b/doc/sources/admin/authchoice.rst index 608b9a0f3..e45ff951a 100644 --- a/doc/sources/admin/authchoice.rst +++ b/doc/sources/admin/authchoice.rst @@ -50,8 +50,8 @@ Then, go in ``Choice Parameters``: - **URL parameter**: parameter name used to set choice value (default: ``lmAuth``) - **Allowed modules**: click on ``New chain`` to add a choice. -- **AuthBasic handler parameter**: authentication module called by - AuthBasic handler (:doc:`AuthBasic handler`) +- **Choice used for password authentication**: authentication module used by + :doc:`AuthBasic handler` and :ref:`OAuth2.0 Password Grant ` - **FindUser plugin parameter**: authentication module called by Find user plugin (:doc:`Find user plugin`) diff --git a/doc/sources/admin/handlerauthbasic.rst b/doc/sources/admin/handlerauthbasic.rst index d139768cc..36036be9c 100644 --- a/doc/sources/admin/handlerauthbasic.rst +++ b/doc/sources/admin/handlerauthbasic.rst 
@@ -53,7 +53,7 @@ to access required locations in Portal Virtual Host. requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/ - With AutChoice, you have to declare which authentication module is + With :doc:`authchoice`, you have to declare which authentication module is requested by handler to create global session. Go to: @@ -61,7 +61,7 @@ to access required locations in Portal Virtual Host. and set authentication module's name : - **AuthBasic handler parameter** => 2_LDAP (by example) + **Choice used for password authentication** => 2_LDAP (by example) diff --git a/doc/sources/admin/idpopenidconnect.rst b/doc/sources/admin/idpopenidconnect.rst index 2352054f5..2688e7bfd 100644 --- a/doc/sources/admin/idpopenidconnect.rst +++ b/doc/sources/admin/idpopenidconnect.rst @@ -339,6 +339,10 @@ Resource Owner Password Credentials Grant The Resource Owner Password Credentials Grant allows you to exchange a user's login and password for an access token. This must be considered a legacy form of authentication, since the Authorization Code web-based flow is prefered for all applications that support it. It can however be useful in some scenarios involving technical accounts that cannot implement a web-based authentication flow. +.. versionchanged:: 2.0.12 + + when using the :doc:`Choice ` authentication module, the *Choice used for password authentication* setting can be used to select which authentication choice is used by the Resource Owner Password Credentials Grant. Naturally, the selected choice must be a password-based authentication method (LDAP, DBI, REST, etc.) + .. seealso:: `Specification for the Resource Owner Password Credentials Grant `__ diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json index ee66c196e..447854d7d 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json 
@@ -76,7 +76,7 @@ "authAndUserdb":"الترخيص وقاعدة بيانات المستخدم", "authChain":"سلسلة إثبات الهوية", "authChoice":"اختيار إثبات الهوية", -"authChoiceAuthBasic":"AuthBasic handler parameter", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser plugin parameter", "authChoiceModules":"الوحدات المسموح بها", "authChoiceParam":"معايير URL", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/de.json b/lemonldap-ng-manager/site/htdocs/static/languages/de.json index 5c7e4c86b..4b9f7be3e 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json @@ -76,7 +76,7 @@ "authAndUserdb":"Authz and user DB", "authChain":"Authentication chain", "authChoice":"Authentication choice", -"authChoiceAuthBasic":"AuthBasic handler parameter", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser plugin parameter", "authChoiceModules":"Allowed modules", "authChoiceParam":"URL parameter", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/en.json b/lemonldap-ng-manager/site/htdocs/static/languages/en.json index 60fb3842e..eaa0aa3bc 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json @@ -76,7 +76,7 @@ "authAndUserdb":"Authz and user DB", "authChain":"Authentication chain", "authChoice":"Authentication choice", -"authChoiceAuthBasic":"AuthBasic handler parameter", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser plugin parameter", "authChoiceModules":"Allowed modules", "authChoiceParam":"URL parameter", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/es.json b/lemonldap-ng-manager/site/htdocs/static/languages/es.json index 1f694af7e..4c60d055a 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/es.json 
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/es.json @@ -76,7 +76,7 @@ "authAndUserdb":"Authz and user DB", "authChain":"Cadena de autentificación", "authChoice":"Opción de autentificación", -"authChoiceAuthBasic":"AuthBasic handler parameter", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser plugin parameter", "authChoiceModules":"Módulos permitidos", "authChoiceParam":"Parámetro URL", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json index 65e91fa84..3980cdf62 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json @@ -76,7 +76,7 @@ "authAndUserdb":"Authent. et BD utilisateurs", "authChain":"Chaîne d'authentification", "authChoice":"Choix d'authentification", -"authChoiceAuthBasic":"Paramètre du handler AuthBasic", +"authChoiceAuthBasic":"Choix à utiliser pour l'authentification par mot de passe", "authChoiceFindUser":"Paramètre de recherche de compte", "authChoiceModules":"Modules autorisés", "authChoiceParam":"Paramètre de l'URL", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/it.json b/lemonldap-ng-manager/site/htdocs/static/languages/it.json index a13af79b5..dae99153b 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json @@ -76,7 +76,7 @@ "authAndUserdb":"Authz e utente DB", "authChain":"Catena di autenticazione", "authChoice":"Scelta di autenticazione", -"authChoiceAuthBasic":"AuthBasic handler parameter", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser plugin parameter", "authChoiceModules":"Moduli consentiti", "authChoiceParam":"Parametri URL", 
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json index d1db4279a..91c01f269 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json @@ -76,7 +76,7 @@ "authAndUserdb":"Authz i baza danych użytkownika", "authChain":"Łańcuch uwierzytelnienia", "authChoice":"Wybór uwierzytelnienia", -"authChoiceAuthBasic":"Parametr handlera AuthBasic", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"Parametr wtyczki FindUser", "authChoiceModules":"Dozwolone moduły", "authChoiceParam":"Parametr adresu URL", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json index b5e9dbefd..f6895c27e 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json @@ -76,7 +76,7 @@ "authAndUserdb":"Yetkilendirme ve kullanıcı veri tabanı", "authChain":"Doğrulama zinciri", "authChoice":"Kimlik doğrulama tercihi", -"authChoiceAuthBasic":"AuthBasic işleyici parametresi", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser eklenti parametresi", "authChoiceModules":"İzin verilen modüller", "authChoiceParam":"URL parametresi", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json index 14034fadc..97cffb4db 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json 
@@ -76,7 +76,7 @@ "authAndUserdb":"Authz và user DB", "authChain":"Chuỗi xác thực", "authChoice":"Lựa chọn xác thực", -"authChoiceAuthBasic":"AuthBasic handler parameter", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser plugin parameter", "authChoiceModules":"Các mô-đun được phép", "authChoiceParam":"Tham số URL", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json index 1450e7a84..45b2ec8a4 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json @@ -76,7 +76,7 @@ "authAndUserdb":"授权和用户数据库", "authChain":"认证chain", "authChoice":"认证方式选择", -"authChoiceAuthBasic":"AuthBasic handler parameter", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser plugin parameter", "authChoiceModules":"允许的模块", "authChoiceParam":"URL 参数", diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json index fdcc49eb3..2886cdfc4 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json @@ -76,7 +76,7 @@ "authAndUserdb":"驗證與使用者資料庫", "authChain":"驗證鏈", "authChoice":"驗證選擇", -"authChoiceAuthBasic":"AuthBasic 處理程式參數", +"authChoiceAuthBasic":"Choice used for password authentication", "authChoiceFindUser":"FindUser plugin parameter", "authChoiceModules":"已允許的模組", "authChoiceParam":"URL 參數", From db104460647dc14d0d720568d555b090ef76deff Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Wed, 7 Apr 2021 17:01:55 +0200 Subject: [PATCH 4/4] Handle UTF-8 locales in addTrEntry --- scripts/addTrEntry | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/addTrEntry b/scripts/addTrEntry index 8ea042491..3cb2810e7 100755 --- a/scripts/addTrEntry +++ b/scripts/addTrEntry 
@@ -3,10 +3,12 @@ use strict; use JSON; use Getopt::Long; +use Encode::Locale qw/decode_argv/; my ( $portal, $modify, $help, $delete, $reorder ); my $json = JSON->new->utf8->pretty()->canonical()->space_before(0)->space_after(0); +decode_argv(); GetOptions( "portal|p" => \$portal, "modify|m" => \$modify,
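Review bot: `decode_argv()` is correctly placed before `GetOptions`, but Encode::Locale is a non-core CPAN module and the hunk adds neither a dependency declaration nor a note for it; if the repository tracks developer-script dependencies this one needs adding, otherwise a comment above the `use` line such as `# Encode::Locale (CPAN): decodes @ARGV from the terminal locale so non-ASCII entries are stored correctly` tells the next contributor why the script now fails to compile on a bare Perl. Decoded @ARGV combined with the existing `JSON->new->utf8` encoder gives consistent UTF-8 output for the JSON files; any diagnostics printed to the terminal would need a matching `binmode` layer, which is outside this hunk. The `GetOptions(` call is cut off at the hunk end.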