Fix CAS proxy code (#1224)
parent
b0d9e1c9c7
commit
9dfe054e64
|
@ -8,12 +8,12 @@ sub types {
|
|||
'authParamsText' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'blackWhiteList' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'bool' => {
|
||||
'msgFail' => '__notABoolean__',
|
||||
|
@ -27,7 +27,7 @@ sub types {
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -36,17 +36,17 @@ sub types {
|
|||
split( /\n/, $@, 0 ) )
|
||||
);
|
||||
return $err ? ( 1, "__badExpression__: $err" ) : 1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'catAndAppList' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'file' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'hostname' => {
|
||||
'form' => 'text',
|
||||
|
@ -80,48 +80,48 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
|
|||
if $_ =~ /exportedvars$/i and defined $conf->{$_}{$val};
|
||||
}
|
||||
return 1, "__unknownAttrOrMacro__: $val";
|
||||
}
|
||||
}
|
||||
},
|
||||
'longtext' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'menuApp' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'menuCat' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'oidcmetadatajson' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'oidcmetadatajwks' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'oidcOPMetaDataNode' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'oidcRPMetaDataNode' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'password' => {
|
||||
'msgFail' => '__malformedValue__',
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'pcre' => {
|
||||
'form' => 'text',
|
||||
|
@ -132,7 +132,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
|
|||
}
|
||||
};
|
||||
return $@ ? ( 0, "__badRegexp__: $@" ) : 1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'PerlModule' => {
|
||||
'form' => 'text',
|
||||
|
@ -142,17 +142,17 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
|
|||
'portalskin' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'portalskinbackground' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'post' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'RSAPrivateKey' => {
|
||||
'test' => sub {
|
||||
|
@ -160,7 +160,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
|
|||
m[^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\nDEK-Info:.*\r?\n[\r\n]*)?[a-zA-Z0-9/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:RSA\s+)PRIVATE\s+KEY\s*\-+)?[\r\n]*)?$]s
|
||||
? 1
|
||||
: ( 1, '__badPemEncoding__' );
|
||||
}
|
||||
}
|
||||
},
|
||||
'RSAPublicKey' => {
|
||||
'test' => sub {
|
||||
|
@ -168,7 +168,7 @@ m[^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\n
|
|||
m[^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+PUBLIC\s+KEY\s*\-+)?[\r\n]*)?$]s
|
||||
? 1
|
||||
: ( 1, '__badPemEncoding__' );
|
||||
}
|
||||
}
|
||||
},
|
||||
'RSAPublicKeyOrCertificate' => {
|
||||
'test' => sub {
|
||||
|
@ -176,37 +176,37 @@ m[^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\n]+={0,2}(?:\r?\
|
|||
m[^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+)?[\r\n]*)?$]s
|
||||
? 1
|
||||
: ( 1, '__badPemEncoding__' );
|
||||
}
|
||||
}
|
||||
},
|
||||
'rule' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'samlAssertion' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'samlAttribute' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'samlIDPMetaDataNode' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'samlService' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'samlSPMetaDataNode' => {
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'select' => {
|
||||
'test' => sub {
|
||||
|
@ -216,19 +216,19 @@ m[^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\
|
|||
return $test
|
||||
? 1
|
||||
: ( 1, "Invalid value '$_[0]' for this select" );
|
||||
}
|
||||
}
|
||||
},
|
||||
'subContainer' => {
|
||||
'keyTest' => qr/\w/,
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'text' => {
|
||||
'msgFail' => '__malformedValue__',
|
||||
'test' => sub {
|
||||
1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'trool' => {
|
||||
'msgFail' => '__authorizedValues__: -1, 0, 1',
|
||||
|
@ -662,7 +662,7 @@ sub attributes {
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -1036,7 +1036,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval $s;
|
||||
my $err = join(
|
||||
|
@ -1045,7 +1045,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
split( /\n/, $@, 0 ) )
|
||||
);
|
||||
return $err ? ( 1, "__badExpression__: $err" ) : 1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'type' => 'keyTextContainer'
|
||||
},
|
||||
|
@ -1121,7 +1121,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -1144,7 +1144,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -1220,7 +1220,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
and defined $conf->{$_}{$val};
|
||||
}
|
||||
return 1, "__unknownAttrOrMacro__: $val";
|
||||
}
|
||||
}
|
||||
},
|
||||
'type' => 'doubleHash'
|
||||
},
|
||||
|
@ -1499,7 +1499,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval $s;
|
||||
my $err = join(
|
||||
|
@ -1508,7 +1508,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
split( /\n/, $@, 0 ) )
|
||||
);
|
||||
return $err ? ( 1, "__badExpression__: $err" ) : 1;
|
||||
}
|
||||
}
|
||||
},
|
||||
'type' => 'ruleContainer'
|
||||
},
|
||||
|
@ -1545,7 +1545,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -1904,7 +1904,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -2241,7 +2241,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -2958,7 +2958,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -3037,19 +3037,19 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'default' => 0,
|
||||
'select' => [
|
||||
{
|
||||
'k' => '0',
|
||||
'k' => 0,
|
||||
'v' => 'unsecuredCookie'
|
||||
},
|
||||
{
|
||||
'k' => '1',
|
||||
'k' => 1,
|
||||
'v' => 'securedCookie'
|
||||
},
|
||||
{
|
||||
'k' => '2',
|
||||
'k' => 2,
|
||||
'v' => 'doubleCookie'
|
||||
},
|
||||
{
|
||||
'k' => '3',
|
||||
'k' => 3,
|
||||
'v' => 'doubleCookieForSingleSession'
|
||||
}
|
||||
],
|
||||
|
|
|
@ -222,12 +222,12 @@ sub cTrees {
|
|||
'casSrvMetaDataOptionsUrl',
|
||||
'casSrvMetaDataOptionsRenew',
|
||||
'casSrvMetaDataOptionsGateway',
|
||||
'casSrvMetaDataOptionsProxiedServices',
|
||||
'casSrvMetaDataOptionsDisplayName',
|
||||
'casSrvMetaDataOptionsIcon',
|
||||
]
|
||||
},
|
||||
'casSrvMetaDataExportedVars',
|
||||
'casSrvMetaDataOptionsProxiedServices',
|
||||
],
|
||||
casAppMetaDataNode => [
|
||||
{
|
||||
|
|
|
@ -75,12 +75,6 @@ function templates(tpl,key) {
|
|||
"title" : "casSrvMetaDataOptionsGateway",
|
||||
"type" : "bool"
|
||||
},
|
||||
{
|
||||
"cnodes" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",
|
||||
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",
|
||||
"title" : "casSrvMetaDataOptionsProxiedServices",
|
||||
"type" : "keyTextContainer"
|
||||
},
|
||||
{
|
||||
"get" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsDisplayName",
|
||||
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsDisplayName",
|
||||
|
@ -120,6 +114,12 @@ function templates(tpl,key) {
|
|||
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars",
|
||||
"title" : "casSrvMetaDataExportedVars",
|
||||
"type" : "keyTextContainer"
|
||||
},
|
||||
{
|
||||
"cnodes" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",
|
||||
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",
|
||||
"title" : "casSrvMetaDataOptionsProxiedServices",
|
||||
"type" : "keyTextContainer"
|
||||
}
|
||||
]
|
||||
;
|
||||
|
|
|
@ -187,12 +187,15 @@ sub extractFormInfo {
|
|||
|
||||
$self->logger->debug("CAS: Service Ticket received: $ticket");
|
||||
|
||||
my $proxied =
|
||||
$self->conf->{casSrvMetaDataOptionsProxiedServices}->{$srv} || {};
|
||||
|
||||
# Ticket found, try to validate it
|
||||
$local_url =~ s/ticket=[^&]+//;
|
||||
$local_url =~ s/\?$//;
|
||||
$local_url =~ s/\&$//;
|
||||
( $req->{user}, $req->datas->{casAttrs} ) =
|
||||
$self->validateST( $req, $local_url, $ticket, $srvConf );
|
||||
$self->validateST( $req, $local_url, $ticket, $srvConf, $proxied );
|
||||
unless ( $req->{user} ) {
|
||||
$self->userLogger->error("CAS: Unable to validate ST $ticket");
|
||||
return PE_ERROR;
|
||||
|
@ -202,8 +205,6 @@ sub extractFormInfo {
|
|||
}
|
||||
|
||||
# Request proxy tickets for proxied services
|
||||
my $proxied =
|
||||
$srvConf->{casSrvMetaDataOptionsProxiedServices}->{$srv} || {};
|
||||
if (%$proxied) {
|
||||
|
||||
# Check we received a PGT
|
||||
|
@ -218,7 +219,7 @@ sub extractFormInfo {
|
|||
# Get a proxy ticket for each proxied service
|
||||
foreach ( keys %$proxied ) {
|
||||
my $service = $proxied->{$_};
|
||||
my $pt = $self->retrievePT( $service, $srvConf );
|
||||
my $pt = $self->retrievePT( $service, $pgtId, $srvConf );
|
||||
|
||||
unless ($pt) {
|
||||
$self->logger->error(
|
||||
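Review bot: In the third hunk the new call `my $pt = $self->retrievePT( $service, $pgtId, $srvConf );` depends on `$pgtId` being set by the "Check we received a PGT" block, which starts at the end of the second hunk and lies outside what is shown; if that block only logs on a missing PGT instead of returning, every proxied service is requested with an undefined pgt and the failure surfaces later as an opaque retrievePT error. Making the dependency explicit before the loop, `return PE_ERROR unless defined $pgtId;` (or whatever that block already does), would be clearer. Naming the loop variable, `foreach my $name ( keys %$proxied ) { my $service = $proxied->{$name};`, would also keep `$_` from being clobbered across the method call. extractFormInfo begins and ends outside these hunks.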
|
|
|
@ -334,12 +334,10 @@ sub getServerLogoutURL {
|
|||
|
||||
# Validate ST
|
||||
sub validateST {
|
||||
my ( $self, $req, $service, $ticket, $srvConf ) = @_;
|
||||
my $proxyUrl;
|
||||
my ( $self, $req, $service, $ticket, $srvConf, $proxied ) = @_;
|
||||
|
||||
my %prm = ( service => $service, ticket => $ticket );
|
||||
|
||||
my $proxied = $srvConf->{casSrvMetaDataOptionsProxiedServices} || {};
|
||||
my $proxy_url;
|
||||
if (%$proxied) {
|
||||
$proxy_url = $self->p->fullUrl($req);
|
||||
|
@ -358,9 +356,13 @@ sub validateST {
|
|||
$prm{pgtUrl} = $proxy_url;
|
||||
}
|
||||
|
||||
my $response =
|
||||
$self->ua->get( "$srvConf->{casSrvMetaDataOptionsUrl}/serviceValidate?"
|
||||
. build_urlencoded(%prm) );
|
||||
my $serviceValidateUrl =
|
||||
"$srvConf->{casSrvMetaDataOptionsUrl}/serviceValidate?"
|
||||
. build_urlencoded(%prm);
|
||||
|
||||
$self->logger->debug("Validate ST on CAS URL $serviceValidateUrl");
|
||||
|
||||
my $response = $self->ua->get($serviceValidateUrl);
|
||||
|
||||
$self->logger->debug(
|
||||
"Get CAS serviceValidate response: " . $response->as_string );
|
||||
|
@ -442,10 +444,10 @@ sub storePGT {
|
|||
|
||||
# Retrieve Proxy Ticket
|
||||
sub retrievePT {
|
||||
my ( $self, $service, $srvConf ) = @_;
|
||||
my ( $self, $service, $pgtId, $srvConf ) = @_;
|
||||
|
||||
my $proxyUrl = "$srvConf->{casSrvMetaDataOptionsUrl}/proxy?"
|
||||
. build_urlencoded( targetService => $service, pgt => $self->{pgtId} );
|
||||
. build_urlencoded( targetService => $service, pgt => $pgtId );
|
||||
|
||||
my $response = $self->ua->get($proxyUrl);
|
||||
|
||||
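Review bot: validateST now dereferences `%$proxied` on the argument exactly as passed, whereas the removed line defaulted it locally, so any caller still using the five-argument form dies under strict refs with "Can't use an undefined value as a HASH reference"; adding `$proxied ||= {};` directly after `my ( $self, $req, $service, $ticket, $srvConf, $proxied ) = @_;` preserves the old tolerance. The new debug line `Validate ST on CAS URL $serviceValidateUrl` writes the service ticket and the pgtUrl into the log; the ST is single-use so the exposure is bounded, but logging only `$srvConf->{casSrvMetaDataOptionsUrl}` here and leaving the ticket to the caller's existing "Service Ticket received" line would avoid duplicating a credential in logs. In retrievePT the new positional parameter was inserted in the middle of the list, so an un-updated caller passing `( $service, $srvConf )` would silently send the config hashref as `pgt`; a comment above the sub stating the argument order, `# args: $service (target service URL), $pgtId (PGT from the callback), $srvConf`, would make that visible. validateST's body continues past the hunk.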
|
|
|
@ -257,11 +257,13 @@ sub sp {
|
|||
idp => {
|
||||
casSrvMetaDataOptionsUrl => 'http://auth.idp.com/cas',
|
||||
casSrvMetaDataOptionsGateway => 0,
|
||||
casSrvMetaDataOptionsProxiedServices => {
|
||||
test => 'http://test.sp.com/',
|
||||
},
|
||||
}
|
||||
},
|
||||
casSrvMetaDataOptionsProxiedServices => {
|
||||
idp => {
|
||||
test => 'http://test.sp.com/',
|
||||
}
|
||||
},
|
||||
},
|
||||
}
|
||||
);
|
||||
|
|