Fix CAS proxy code (#1224)

This commit is contained in:
Clément OUDOT 2018-06-19 16:47:09 +02:00
parent b0d9e1c9c7
commit 9dfe054e64
7 changed files with 75 additions and 70 deletions


@ -8,12 +8,12 @@ sub types {
'authParamsText' => {
'test' => sub {
1;
}
}
},
'blackWhiteList' => {
'test' => sub {
1;
}
}
},
'bool' => {
'msgFail' => '__notABoolean__',
@ -27,7 +27,7 @@ sub types {
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
@ -36,17 +36,17 @@ sub types {
split( /\n/, $@, 0 ) )
);
return $err ? ( 1, "__badExpression__: $err" ) : 1;
}
}
},
'catAndAppList' => {
'test' => sub {
1;
}
}
},
'file' => {
'test' => sub {
1;
}
}
},
'hostname' => {
'form' => 'text',
@ -80,48 +80,48 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
if $_ =~ /exportedvars$/i and defined $conf->{$_}{$val};
}
return 1, "__unknownAttrOrMacro__: $val";
}
}
},
'longtext' => {
'test' => sub {
1;
}
}
},
'menuApp' => {
'test' => sub {
1;
}
}
},
'menuCat' => {
'test' => sub {
1;
}
}
},
'oidcmetadatajson' => {
'test' => sub {
1;
}
}
},
'oidcmetadatajwks' => {
'test' => sub {
1;
}
}
},
'oidcOPMetaDataNode' => {
'test' => sub {
1;
}
}
},
'oidcRPMetaDataNode' => {
'test' => sub {
1;
}
}
},
'password' => {
'msgFail' => '__malformedValue__',
'test' => sub {
1;
}
}
},
'pcre' => {
'form' => 'text',
@ -132,7 +132,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
}
};
return $@ ? ( 0, "__badRegexp__: $@" ) : 1;
}
}
},
'PerlModule' => {
'form' => 'text',
@ -142,17 +142,17 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
'portalskin' => {
'test' => sub {
1;
}
}
},
'portalskinbackground' => {
'test' => sub {
1;
}
}
},
'post' => {
'test' => sub {
1;
}
}
},
'RSAPrivateKey' => {
'test' => sub {
@ -160,7 +160,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
m[^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\nDEK-Info:.*\r?\n[\r\n]*)?[a-zA-Z0-9/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:RSA\s+)PRIVATE\s+KEY\s*\-+)?[\r\n]*)?$]s
? 1
: ( 1, '__badPemEncoding__' );
}
}
},
'RSAPublicKey' => {
'test' => sub {
@ -168,7 +168,7 @@ m[^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\n
m[^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+PUBLIC\s+KEY\s*\-+)?[\r\n]*)?$]s
? 1
: ( 1, '__badPemEncoding__' );
}
}
},
'RSAPublicKeyOrCertificate' => {
'test' => sub {
@ -176,37 +176,37 @@ m[^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\n]+={0,2}(?:\r?\
m[^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+)?[\r\n]*)?$]s
? 1
: ( 1, '__badPemEncoding__' );
}
}
},
'rule' => {
'test' => sub {
1;
}
}
},
'samlAssertion' => {
'test' => sub {
1;
}
}
},
'samlAttribute' => {
'test' => sub {
1;
}
}
},
'samlIDPMetaDataNode' => {
'test' => sub {
1;
}
}
},
'samlService' => {
'test' => sub {
1;
}
}
},
'samlSPMetaDataNode' => {
'test' => sub {
1;
}
}
},
'select' => {
'test' => sub {
@ -216,19 +216,19 @@ m[^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\
return $test
? 1
: ( 1, "Invalid value '$_[0]' for this select" );
}
}
},
'subContainer' => {
'keyTest' => qr/\w/,
'test' => sub {
1;
}
}
},
'text' => {
'msgFail' => '__malformedValue__',
'test' => sub {
1;
}
}
},
'trool' => {
'msgFail' => '__authorizedValues__: -1, 0, 1',
@ -662,7 +662,7 @@ sub attributes {
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
@ -1036,7 +1036,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval $s;
my $err = join(
@ -1045,7 +1045,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
split( /\n/, $@, 0 ) )
);
return $err ? ( 1, "__badExpression__: $err" ) : 1;
}
}
},
'type' => 'keyTextContainer'
},
@ -1121,7 +1121,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
@ -1144,7 +1144,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
@ -1220,7 +1220,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
and defined $conf->{$_}{$val};
}
return 1, "__unknownAttrOrMacro__: $val";
}
}
},
'type' => 'doubleHash'
},
@ -1499,7 +1499,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval $s;
my $err = join(
@ -1508,7 +1508,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
split( /\n/, $@, 0 ) )
);
return $err ? ( 1, "__badExpression__: $err" ) : 1;
}
}
},
'type' => 'ruleContainer'
},
@ -1545,7 +1545,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
@ -1904,7 +1904,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
@ -2241,7 +2241,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
@ -2958,7 +2958,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
@ -3037,19 +3037,19 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 0,
'select' => [
{
'k' => '0',
'k' => 0,
'v' => 'unsecuredCookie'
},
{
'k' => '1',
'k' => 1,
'v' => 'securedCookie'
},
{
'k' => '2',
'k' => 2,
'v' => 'doubleCookie'
},
{
'k' => '3',
'k' => 3,
'v' => 'doubleCookieForSingleSession'
}
],


@ -222,12 +222,12 @@ sub cTrees {
'casSrvMetaDataOptionsUrl',
'casSrvMetaDataOptionsRenew',
'casSrvMetaDataOptionsGateway',
'casSrvMetaDataOptionsProxiedServices',
'casSrvMetaDataOptionsDisplayName',
'casSrvMetaDataOptionsIcon',
]
},
'casSrvMetaDataExportedVars',
'casSrvMetaDataOptionsProxiedServices',
],
casAppMetaDataNode => [
{


@ -75,12 +75,6 @@ function templates(tpl,key) {
"title" : "casSrvMetaDataOptionsGateway",
"type" : "bool"
},
{
"cnodes" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",
"title" : "casSrvMetaDataOptionsProxiedServices",
"type" : "keyTextContainer"
},
{
"get" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsDisplayName",
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsDisplayName",
@ -120,6 +114,12 @@ function templates(tpl,key) {
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars",
"title" : "casSrvMetaDataExportedVars",
"type" : "keyTextContainer"
},
{
"cnodes" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",
"title" : "casSrvMetaDataOptionsProxiedServices",
"type" : "keyTextContainer"
}
]
;



@ -187,12 +187,15 @@ sub extractFormInfo {
$self->logger->debug("CAS: Service Ticket received: $ticket");
my $proxied =
$self->conf->{casSrvMetaDataOptionsProxiedServices}->{$srv} || {};
# Ticket found, try to validate it
$local_url =~ s/ticket=[^&]+//;
$local_url =~ s/\?$//;
$local_url =~ s/\&$//;
( $req->{user}, $req->datas->{casAttrs} ) =
$self->validateST( $req, $local_url, $ticket, $srvConf );
$self->validateST( $req, $local_url, $ticket, $srvConf, $proxied );
unless ( $req->{user} ) {
$self->userLogger->error("CAS: Unable to validate ST $ticket");
return PE_ERROR;
@ -202,8 +205,6 @@ sub extractFormInfo {
}
# Request proxy tickets for proxied services
my $proxied =
$srvConf->{casSrvMetaDataOptionsProxiedServices}->{$srv} || {};
if (%$proxied) {
# Check we received a PGT
@ -218,7 +219,7 @@ sub extractFormInfo {
# Get a proxy ticket for each proxied service
foreach ( keys %$proxied ) {
my $service = $proxied->{$_};
my $pt = $self->retrievePT( $service, $srvConf );
my $pt = $self->retrievePT( $service, $pgtId, $srvConf );
unless ($pt) {
$self->logger->error(
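Review bot: The relocated `$proxied` lookup at the top of the first hunk now reads `$self->conf->{casSrvMetaDataOptionsProxiedServices}->{$srv}` instead of the per-server `$srvConf`, and nothing in the code says why, so a later maintainer could "simplify" it back and silently lose proxy tickets. Judging from the cTrees and test changes in this same commit, casSrvMetaDataOptionsProxiedServices appears to be a top-level doubleHash keyed by CAS server name rather than a per-server option; a comment such as `# ProxiedServices is a global doubleHash keyed by CAS server name, not a per-server option` above that line would pin the intent. The `$pgtId` now handed to retrievePT in the last hunk is presumably set in the "Check we received a PGT" block that falls between the hunks — confirm it is always defined by the time that loop runs, since build_urlencoded would otherwise send an empty pgt. extractFormInfo starts and ends outside these hunks.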


@ -334,12 +334,10 @@ sub getServerLogoutURL {
# Validate ST
sub validateST {
my ( $self, $req, $service, $ticket, $srvConf ) = @_;
my $proxyUrl;
my ( $self, $req, $service, $ticket, $srvConf, $proxied ) = @_;
my %prm = ( service => $service, ticket => $ticket );
my $proxied = $srvConf->{casSrvMetaDataOptionsProxiedServices} || {};
my $proxy_url;
if (%$proxied) {
$proxy_url = $self->p->fullUrl($req);
@ -358,9 +356,13 @@ sub validateST {
$prm{pgtUrl} = $proxy_url;
}
my $response =
$self->ua->get( "$srvConf->{casSrvMetaDataOptionsUrl}/serviceValidate?"
. build_urlencoded(%prm) );
my $serviceValidateUrl =
"$srvConf->{casSrvMetaDataOptionsUrl}/serviceValidate?"
. build_urlencoded(%prm);
$self->logger->debug("Validate ST on CAS URL $serviceValidateUrl");
my $response = $self->ua->get($serviceValidateUrl);
$self->logger->debug(
"Get CAS serviceValidate response: " . $response->as_string );
@ -442,10 +444,10 @@ sub storePGT {
# Retrieve Proxy Ticket
sub retrievePT {
my ( $self, $service, $srvConf ) = @_;
my ( $self, $service, $pgtId, $srvConf ) = @_;
my $proxyUrl = "$srvConf->{casSrvMetaDataOptionsUrl}/proxy?"
. build_urlencoded( targetService => $service, pgt => $self->{pgtId} );
. build_urlencoded( targetService => $service, pgt => $pgtId );
my $response = $self->ua->get($proxyUrl);
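Review bot: validateST dereferences `%$proxied` on the line right after its new signature, but nothing defaults the added sixth argument; any caller that still passes five arguments (the old in-function lookup from `$srvConf` is removed in this hunk) would now die with "Can't use an undefined value as a HASH reference" under strict refs. Adding `$proxied ||= {};` immediately after the `my ( $self, $req, $service, $ticket, $srvConf, $proxied ) = @_;` line keeps the previous calling convention working. Separately, the new `Validate ST on CAS URL` debug line writes the whole query string, so the service ticket (a bearer credential) and the pgtUrl land in debug logs; logging a redacted copy built with `( my $logged = $serviceValidateUrl ) =~ s/ticket=[^&]+/ticket=[redacted]/;` keeps the diagnostic value without the token. The body of validateST continues outside this hunk, and retrievePT (new `$pgtId` parameter replacing `$self->{pgtId}`) ends past the last hunk line.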


@ -257,11 +257,13 @@ sub sp {
idp => {
casSrvMetaDataOptionsUrl => 'http://auth.idp.com/cas',
casSrvMetaDataOptionsGateway => 0,
casSrvMetaDataOptionsProxiedServices => {
test => 'http://test.sp.com/',
},
}
},
casSrvMetaDataOptionsProxiedServices => {
idp => {
test => 'http://test.sp.com/',
}
},
},
}
);