From 86b305d19b113500be5136d0391c5f1ba6ae5edf Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Tue, 18 Jun 2019 21:57:40 +0200
Subject: [PATCH 01/12] Typo (#1664)
---
 .../lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
index be70ea2bb..aa5501ce4 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
@@ -70,7 +70,7 @@ sub run {
 $self->logger->debug("No impersonation required")
 if ( $spoofId eq $req->{user} );
- if ( $spoofId !~ /$self->{conf}->{userControl}/o ) {
+ unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
 $self->userLogger->error('Malformed spoofed Id');
 $self->logger->debug("Impersonation tried with spoofed Id: $spoofId");
 $spoofId = $req->{user};
From c4d4b482a504b71bf729fafc3777f02c114ac74a Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Tue, 18 Jun 2019 22:00:03 +0200
Subject: [PATCH 02/12] Provide to plugins message display functions (#1796)
---
 .../Lemonldap/NG/Portal/2F/Engines/Default.pm | 92 +++++--------------
 .../lib/Lemonldap/NG/Portal/Main/Plugin.pm | 49 +++++++++-
 2 files changed, 71 insertions(+), 70 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
index 3e390b8e1..5c0d617c9 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
@@ -19,7 +19,6 @@ use Lemonldap::NG::Portal::Main::Constants qw(
 PE_OK
 PE_SENDRESPONSE
 PE_TOKENEXPIRED
- PE_INFO
 );
 our $VERSION = '2.0.5';
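Review bot: The `/o` modifier on the new `unless ( $spoofId =~ /$self->{conf}->{userControl}/o )` line compiles the interpolated `userControl` pattern once per process and never re-reads it, so if the portal reloads its configuration inside a long-lived worker (not visible from this hunk) a changed userControl would leave the old spoofed-id filter in force. Dropping the modifier, `unless ( $spoofId =~ /$self->{conf}->{userControl}/ ) {`, keeps the check tied to the live configuration; if the per-request compile matters, build a `qr//` once at init and match against that. The rewrite itself is behaviour-neutral (`!~` and `unless =~` are equivalent), and falling back to `$req->{user}` on a malformed id is the right fail-safe. Note that `$spoofId` is request-supplied, so this check is only as strict as userControl is anchored — worth a comment such as `# userControl must be anchored (^...$): it is the only filter on the spoofed id`. `run` starts before and continues after this hunk.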
@@ -31,7 +30,7 @@ extends 'Lemonldap::NG::Portal::Main::Plugin';
 has sfModules => ( is => 'rw', default => sub { [] } );
 has sfRModules => ( is => 'rw', default => sub { [] } );
 has sfReq => ( is => 'rw' );
-has sfRule => ( is => 'rw' );
+has sfMsgRule => ( is => 'rw' );
 has ott => (
 is => 'rw',
@@ -108,7 +107,7 @@ sub init {
 }
 unless (
- $self->sfRule(
+ $self->sfMsgRule(
 $self->p->HANDLER->buildSub(
 $self->p->HANDLER->substitute(
 $self->conf->{sfRemovedMsgRule}
@@ -202,19 +201,27 @@ sub run {
 $self->p->updatePersistentSession( $req,
 { _2fDevices => to_json($_2fDevices) } );
- # Display notification or message if required
- my $res = 0;
- if ( $self->sfRule->( $req, $req->sessionInfo ) ) {
- my $notifEngine = $self->p->loadedModules->{
- 'Lemonldap::NG::Portal::Plugins::Notifications'};
- if ( $notifEngine && $self->conf->{sfRemovedUseNotif} ) {
- $self->logger->debug("Notifications plugin enabled");
- $res =
- $self->_sendNotification( $req, $notifEngine, $removed );
- }
- else {
- $res = $self->_sendInfo( $req, $removed );
- }
+ # Display message if required
+ if 
( $self->sfMsgRule->( $req, $req->sessionInfo ) ) {
+ my $uid = $req->user;
+ my $date = strftime "%Y-%m-%d", localtime;
+ my $ref = $self->conf->{sfRemovedNotifRef} || 'RemoveSF';
+ my $title = $self->conf->{sfRemovedNotifTitle}
+ || 'Second factor notification';
+ my $msg = $self->conf->{sfRemovedNotifMsg}
+ || "$removed expired second factor(s) has/have been removed!";
+ $msg =~ s/_removedSF_/$removed/;
+
+ my $params =
+ $removed > 1
+ ? { trspan => "expired2Fremoved, $removed" }
+ : { trspan => "oneExpired2Fremoved" };
+
+ my $res =
+ $self->conf->{sfRemovedUseNotif}
+ ? $self->createNotification( $req, $uid, $date, $ref, $title,
+ $msg )
+ : $self->displayTemplate( $req, 'simpleInfo', $params );
 return $res if $res;
 }
 }
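Review bot: The degrade-to-info path is lost in the new `my $res = $self->conf->{sfRemovedUseNotif} ? $self->createNotification(...) : $self->displayTemplate(...)` block: the removed code only used notifications when the Notifications plugin was actually loaded and otherwise showed the simpleInfo page, whereas now, with sfRemovedUseNotif set and the plugin absent or `newNotification` failing, `createNotification` returns PE_ERROR and `return $res if $res` turns a routine expired-2F cleanup into a hard error for the user. Restoring the fallback keeps the previous behaviour; a sketch follows, using only PE_OK, which this file still imports. Separately, `$msg =~ s/_removedSF_/$removed/` replaces just the first placeholder, so a configured message that mentions it twice keeps the literal token; `/g` is probably what is wanted. `run` starts before this hunk.
```perl
            # … unchanged: $uid/$date/$ref/$title/$msg/$params setup …
            my $res = PE_OK;
            $res = $self->createNotification( $req, $uid, $date, $ref, $title, $msg )
              if $self->conf->{sfRemovedUseNotif};
            # Fall back to the in-page message when notifications are disabled
            # or could not be created (plugin not loaded, storage failure)
            $res = $self->displayTemplate( $req, 'simpleInfo', $params )
              if ( !$self->conf->{sfRemovedUseNotif} or $res != PE_OK );
            return $res if $res;
```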
@@ -494,57 +501,4 @@ sub restoreSession {
 : $self->_displayRegister( $req, @path );
 }
-sub _sendInfo {
- my ( $self, $req, $removed ) = @_;
- $self->logger->debug("Return simpleInfo template");
- $req->info(
- $self->loadTemplate(
- 'simpleInfo',
- (
- $removed > 1
- ? (
- params => {
- trspan => "expired2Fremoved, $removed"
- }
- )
- : ( params => { trspan => "oneExpired2Fremoved" } )
- )
- )
- );
- return PE_INFO;
-}
-
-sub _sendNotification {
- my ( $self, $req, $notifEngine, $removed ) = @_;
- my $uid = $req->user;
- my $date = strftime "%Y-%m-%d", localtime;
- my $ref = $self->conf->{sfRemovedNotifRef} || 'RemoveSF';
- my $title =
- $self->conf->{sfRemovedNotifTitle} || 'Second factor notification';
- my $msg = $self->conf->{sfRemovedNotifMsg}
- || "$removed expired second factor(s) has/have been removed!";
- $msg =~ s/_removedSF_/$removed/;
-
- # Prepare notification
- my $content =
- $self->conf->{oldNotifFormat}
- ? '_title__msg_'
- : '[{"uid":"_uid_","date":"_date_","title":"_title_","reference":"_ref_","text":"_msg_"}]';
- $content =~ s/_uid_/$uid/;
- $content =~ s/_ref_/$ref/;
- $content =~ s/_date_/$date/;
- $content =~ s/_title_/$title/;
- $content =~ s/_msg_/$msg/;
-
- if ( $notifEngine->module->notifObject->newNotification($content) ) {
- $self->logger->debug("Notification SF successfully appended");
- $self->userLogger->notice("Notification SF successfully appended");
- return PE_OK;
- }
- else {
- $self->logger->debug("Notification NOT created!");
- return $self->_sendInfo( $req, $removed );
- }
-}
-
 1;
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugin.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugin.pm
index 24635a48b..f511a2d4d 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugin.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugin.pm
@@ -5,8 +5,13 @@ package Lemonldap::NG::Portal::Main::Plugin;
 use strict;
 use Mouse;
 use HTML::Template;
+use Lemonldap::NG::Portal::Main::Constants qw(
+ PE_OK
+ PE_INFO
+ PE_ERROR
+);
-our $VERSION = '2.0.2';
+our $VERSION = '2.0.5';
 extends 'Lemonldap::NG::Common::Module';
@@ -61,6 +66,48 @@ sub loadTemplate {
 return $self->p->loadTemplate(@_);
 }
+sub displayTemplate {
+ my ( $self, $req, $template, $params ) = @_;
+ $self->logger->debug("Return $template template");
+ $req->info(
+ $self->loadTemplate(
+ $template, params => $params
+ )
+ );
+ return PE_INFO;
+}
+
+sub createNotification {
+ my ( $self, $req, $uid, $date, $ref, $title, $msg ) = @_;
+ my $notifEngine = $self->p->loadedModules->{
+ 'Lemonldap::NG::Portal::Plugins::Notifications'};
+
+ return PE_ERROR unless $notifEngine;
+
+ # Prepare notification
+ my $content =
+ $self->conf->{oldNotifFormat}
+ ? '_title__msg_'
+ : '[{"uid":"_uid_","date":"_date_","title":"_title_","reference":"_ref_","text":"_msg_"}]';
+ $content =~ s/_uid_/$uid/;
+ $content =~ s/_date_/$date/;
+ $content =~ s/_ref_/$ref/;
+ $content =~ s/_title_/$title/;
+ $content =~ s/_msg_/$msg/;
+
+ if ( $notifEngine->module->notifObject->newNotification($content) )
+ {
+ $self->logger->debug("Notification $ref successfully created");
+ $self->userLogger->notice(
+ "Notification $ref / $date successfully created for $uid");
+ return PE_OK;
+ }
+ else {
+ $self->logger->debug("Notification $ref NOT created!");
+ return PE_ERROR;
+ }
+}
+
 1;
 __END__
From 4a58de0b927bf75f1834aa2b758e30b5c91f14ec Mon Sep 17 00:00:00 2001
From: Xavier
Date: Wed, 19 Jun 2019 08:30:38 +0200
Subject: [PATCH 03/12] Apache::Session::Generate::SHA256 improvements (#1808)
---
 .../Common/Apache/Session/Generate/SHA256.pm | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)
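Review bot: `createNotification` assembles the JSON notification by substituting `$uid`, `$date`, `$ref`, `$title` and `$msg` into a string template with no escaping, so a `"` or `\` in any of them — `$uid` is `$req->user`, the rest come from configuration — produces invalid JSON or lets a value close its field and add others, and because the substitutions run in sequence a value that contains a later placeholder (for example `_msg_` inside `$uid`) is itself rewritten. Serialise the structure with the JSON encoder for the non-legacy format and keep the `s///` chain only for `oldNotifFormat`; this needs a `use JSON;` in Plugin.pm, which the hunk does not show. Whether `$req->user` has already been filtered by userControl on every path that reaches this helper is not visible here, so treat it as untrusted. Both new subs are shown in full by the hunk.
```perl
    # … unchanged: notifEngine lookup and PE_ERROR guard …
    my $content;
    if ( $self->conf->{oldNotifFormat} ) {
        $content = '_title__msg_';
        $content =~ s/_title_/$title/;
        $content =~ s/_msg_/$msg/;
    }
    else {
        # The encoder escapes quotes and backslashes in user- and
        # config-supplied values; string substitution did not.
        $content = JSON::to_json(
            [ { uid => $uid, date => $date, title => $title,
                reference => $ref, text => $msg } ] );
    }
    # … unchanged: newNotification call and logging …
```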
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
index 244c9e563..4b98889b0 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
@@ -10,7 +10,7 @@ package Lemonldap::NG::Common::Apache::Session::Generate::SHA256;
 use strict;
 use Crypt::URandom;
-use Digest::SHA qw(sha256 sha256_hex sha256_base64);
+use Digest::SHA qw(sha256_hex);
 our $VERSION = '2.0.2';
@@ -22,15 +22,17 @@ sub generate {
 $length = $session->{args}->{IDLength};
 }
- $session->{data}->{_session_id} = substr(
- Digest::SHA::sha256_hex(
- Digest::SHA::sha256_hex(
- time() . {} . Crypt::URandom::urandom($length) . $$
- )
- ),
- 0, $length
- );
-
+ eval {
+ $session->{data}->{_session_id} =
+ substr( Digest::SHA::sha256_hex( Crypt::URandom::urandom(256) ),
+ 0, $length );
+ };
+ if ($@) {
+ print STDERR "Crypt::URandom::urandom failed: $@\n";
+ $session->{data}->{_session_id} =
+ substr( Digest::SHA::sha256_hex( time() . {} . rand() . $$ ),
+ 0, $length );
+ }
 }
 sub validate {
From 05f2dc6993cfb77294a74769912aa3021db9b774 Mon Sep 17 00:00:00 2001
From: Xavier
Date: Wed, 19 Jun 2019 09:14:03 +0200
Subject: [PATCH 04/12] Fix t/28-AuthChoice-and-password.t
---
 lemonldap-ng-portal/t/28-AuthChoice-and-password.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemonldap-ng-portal/t/28-AuthChoice-and-password.t b/lemonldap-ng-portal/t/28-AuthChoice-and-password.t
index 7c655a53a..680c6efe8 100644
--- a/lemonldap-ng-portal/t/28-AuthChoice-and-password.t
+++ b/lemonldap-ng-portal/t/28-AuthChoice-and-password.t
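Review bot: The new `if ($@)` branch quietly downgrades the session id to `sha256_hex( time() . {} . rand() . $$ )` whenever `Crypt::URandom::urandom` throws: a timestamp, a heap address, a pid and one `rand()` value leave an attacker a small search space for a token that is the bearer credential for the whole SSO session. A session-id generator should fail closed here — `die "Cannot generate session id: $@";` in place of the fallback — and let the caller surface the outage rather than hand out guessable ids. If a fallback is kept for some reason it must at least be reported through the framework's logger, since `print STDERR` is easily lost under a FastCGI or PSGI process manager (which logger is reachable from this class is not visible here). Hashing `urandom($length)` twice, as the removed code did, added nothing beyond the random bytes' own entropy, so the simplification itself is sound. `generate` starts before this hunk.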
@@ -68,7 +68,7 @@ SKIP: {
 # -------------------
 ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get menu' );
 my @form = ( $res->[2]->[0] =~ m##sg );
- ok( @form == 2, 'Display 2 choices' );
+ ok( @form == 3, 'Display 3 choices' ) or explain(scalar(@form),3);
 foreach (@form) {
 expectForm( [ $res->[0], $res->[1], [$_] ], undef, undef, 'test' );
 }
From 2d5b38fb95be2216d69b6e91386e1f4880f06814 Mon Sep 17 00:00:00 2001
From: Xavier
Date: Wed, 19 Jun 2019 09:22:44 +0200
Subject: [PATCH 05/12] Fix LDAP schema path for Debian. This permits to enable LDAP tests during build
---
 lemonldap-ng-portal/t/test-ldap.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lemonldap-ng-portal/t/test-ldap.pm b/lemonldap-ng-portal/t/test-ldap.pm
index 835fa6d90..3159e7a48 100644
--- a/lemonldap-ng-portal/t/test-ldap.pm
+++ b/lemonldap-ng-portal/t/test-ldap.pm
@@ -3,7 +3,11 @@ if ( $ENV{LLNGTESTLDAP} ) {
 my $slapd_bin = $ENV{LLNGTESTLDAP_SLAPD_BIN} || '/usr/sbin/slapd';
 my $slapadd_bin = $ENV{LLNGTESTLDAP_SLAPADD_BIN} || '/usr/sbin/slapadd';
- my $slapd_schema_dir = $ENV{LLNGTESTLDAP_SCHEMA_DIR} || '/etc/slapd/schema';
+ my $slapd_schema_dir =
+ ( $ENV{LLNGTESTLDAP_SCHEMA_DIR}
+ and -d $ENV{LLNGTESTLDAP_SCHEMA_DIR} ? $ENV{LLNGTESTLDAP_SCHEMA_DIR}
+ : -d '/etc/slapd/schema' ? '/etc/slapd/schema'
+ : '/etc/ldap/schema' );
 eval { mkdir 't/testslapd/slapd.d' };
 eval { mkdir 't/testslapd/data' };
 system('cp t/testslapd/slapd.ldif t/testslapd/slapd-test.ldif');
From c325c55e5c06a630a66e06deb0b967a68544c0e4 Mon Sep 17 00:00:00 2001
From: Xavier
Date: Wed, 19 Jun 2019 19:14:31 +0200
Subject: [PATCH 06/12] Use only Crypt::URandom for session id (#1808)
---
 .../Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
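Review bot: `explain` only builds the diagnostic strings — it never prints them — so `or explain(scalar(@form),3)` on the changed line emits nothing when the count is wrong; it needs `diag`: `ok( @form == 3, 'Display 3 choices' ) or diag explain( scalar(@form), 3 );`. `is( scalar(@form), 3, 'Display 3 choices' );` would give the got/expected output without the extra clause. The `m##sg` in the context line above looks like an extraction artefact of the original pattern rather than something to act on. The enclosing SKIP block starts and ends outside the hunk.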
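Review bot: Perl's `and` binds looser than `?:`, so the new expression parses as `$ENV{LLNGTESTLDAP_SCHEMA_DIR} and ( -d $ENV{...} ? $ENV{...} : -d '/etc/slapd/schema' ? '/etc/slapd/schema' : '/etc/ldap/schema' )`: when the variable is unset — the Debian-build case this commit is meant to fix — `$slapd_schema_dir` is undef and neither fallback directory is ever tried. Parenthesise the first test so the chain is a plain ternary: `my $slapd_schema_dir = ( $ENV{LLNGTESTLDAP_SCHEMA_DIR} && -d $ENV{LLNGTESTLDAP_SCHEMA_DIR} ) ? $ENV{LLNGTESTLDAP_SCHEMA_DIR} : -d '/etc/slapd/schema' ? '/etc/slapd/schema' : '/etc/ldap/schema';`. The enclosing `if ( $ENV{LLNGTESTLDAP} )` block continues beyond the hunk.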
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
index 4b98889b0..876a53f90 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
@@ -10,7 +10,6 @@ package Lemonldap::NG::Common::Apache::Session::Generate::SHA256;
 use strict;
 use Crypt::URandom;
-use Digest::SHA qw(sha256_hex);
 our $VERSION = '2.0.2';
@@ -24,11 +23,11 @@ sub generate {
 eval {
 $session->{data}->{_session_id} =
- substr( Digest::SHA::sha256_hex( Crypt::URandom::urandom(256) ),
- 0, $length );
+ unpack( 'H*', Crypt::URandom::urandom(32) );
 };
 if ($@) {
 print STDERR "Crypt::URandom::urandom failed: $@\n";
+ require Digest::SHA;
 $session->{data}->{_session_id} =
 substr( Digest::SHA::sha256_hex( time() . {} . rand() . $$ ),
 0, $length );
From 2fa7efcaf3a06eac0e238a80975d451521e4c173 Mon Sep 17 00:00:00 2001
From: Xavier
Date: Wed, 19 Jun 2019 21:13:57 +0200
Subject: [PATCH 07/12] Fix llng-fastcgi-server could fail to setgid (#1810)
---
 fastcgi-server/sbin/llng-fastcgi-server | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fastcgi-server/sbin/llng-fastcgi-server b/fastcgi-server/sbin/llng-fastcgi-server
index 7e3947d77..7f8b59c12 100644
--- a/fastcgi-server/sbin/llng-fastcgi-server
+++ b/fastcgi-server/sbin/llng-fastcgi-server
@@ -44,13 +44,13 @@ GetOptions(
 );
 if ($group) {
- my $grp = getgrnam($group) or warn "Can't change uid to $group";
- POSIX::setgid($grp);
+ my $grp = getgrnam($group) or die "Can't change uid to $group";
+ POSIX::setgid($grp) or die "setgid: $!";
 }
 if ($user) {
- my $uid = getpwnam($user) or warn "Can't change uid to $user";
- POSIX::setuid($uid);
+ my $uid = getpwnam($user) or die "Can't change uid to $user";
+ POSIX::setuid($uid) or die "setuid: $!";
 }
 unless ($>) {
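Review bot: Aborting on failure is right, but the privilege drop still leaves the supplementary group list untouched: `POSIX::setgid` changes only the real/effective gid, so a server started as root keeps the starting user's supplementary groups (at least group 0) after `setuid`. Reset the whole list before the uid change, e.g. right after the `setgid` line add `$) = "$grp $grp"; die "setgroups: $!" unless $) eq "$grp $grp";` (assigning a list to `$)` passes the remaining ids to setgroups). Separately, `getgrnam($group) or die` and `getpwnam($user) or die` treat a legitimate id of 0 as failure; if running as root is ever intended, `defined( my $grp = getgrnam($group) ) or die ...` distinguishes "not found" from gid 0 (the `unless ($>)` check below, outside the hunk, may already cover that case).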
From 1c195437f129b45e2e3d0b3c5b23a7104a5e3a25 Mon Sep 17 00:00:00 2001
From: Xavier
Date: Wed, 19 Jun 2019 21:47:07 +0200
Subject: [PATCH 08/12] Typo (#1810)
---
 fastcgi-server/sbin/llng-fastcgi-server | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fastcgi-server/sbin/llng-fastcgi-server b/fastcgi-server/sbin/llng-fastcgi-server
index 7f8b59c12..a634abefd 100644
--- a/fastcgi-server/sbin/llng-fastcgi-server
+++ b/fastcgi-server/sbin/llng-fastcgi-server
@@ -44,7 +44,7 @@ GetOptions(
 );
 if ($group) {
- my $grp = getgrnam($group) or die "Can't change uid to $group";
+ my $grp = getgrnam($group) or die "Can't change gid to $group";
 POSIX::setgid($grp) or die "setgid: $!";
 }
From 50ba6e6144a1712db6a08ebc0a8dc052a0cab552 Mon Sep 17 00:00:00 2001
From: Xavier
Date: Thu, 20 Jun 2019 12:51:00 +0200
Subject: [PATCH 09/12] Install nginx* files for all handlers (Fixes: #1811)
---
 debian/lemonldap-ng-fastcgi-server.install | 1 -
 debian/lemonldap-ng-handler.install | 1 +
 .../lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/lemonldap-ng-fastcgi-server.install b/debian/lemonldap-ng-fastcgi-server.install
index 517c88d11..c1debe483 100644
--- a/debian/lemonldap-ng-fastcgi-server.install
+++ b/debian/lemonldap-ng-fastcgi-server.install
@@ -1,2 +1 @@
 /usr/sbin/llng-fastcgi-server
-/etc/lemonldap-ng/nginx*
diff --git a/debian/lemonldap-ng-handler.install b/debian/lemonldap-ng-handler.install
index 964a4603c..0c6ecc870 100644
--- a/debian/lemonldap-ng-handler.install
+++ b/debian/lemonldap-ng-handler.install
@@ -1,3 +1,4 @@
+/etc/lemonldap-ng/nginx*
 /etc/lemonldap-ng/handler-apache2.conf
 /etc/lemonldap-ng/handler-nginx.conf
 /etc/lemonldap-ng/test-apache2.conf
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
index 876a53f90..3837ec2dc 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm
@@ -23,7 +23,7 @@ sub generate {
 eval {
 $session->{data}->{_session_id} =
- unpack( 'H*', Crypt::URandom::urandom(32) );
+ unpack( 'H*', Crypt::URandom::urandom( int( $length / 2 ) ) );
 };
 if ($@) {
 print STDERR "Crypt::URandom::urandom failed: $@\n";
From 8bd2a6c244a1903b2c22f1e22a551bb5c3dcae8e Mon Sep 17 00:00:00 2001
From: Xavier
Date: Thu, 20 Jun 2019 21:17:29 +0200
Subject: [PATCH 10/12] Prove that sessionInfo() is launched by each UserDB in combination (#1809)
---
 lemonldap-ng-portal/t/36-Combination.t | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/lemonldap-ng-portal/t/36-Combination.t b/lemonldap-ng-portal/t/36-Combination.t
index 9c51c239b..2da9f6d9b 100644
--- a/lemonldap-ng-portal/t/36-Combination.t
+++ b/lemonldap-ng-portal/t/36-Combination.t
@@ -5,7 +5,7 @@ use IO::String;
 require 't/test-lib.pm';
 my $res;
-my $maintests = 0;
+my $maintests = 3;
 my $client;
 eval { unlink 't/userdb.db' };
@@ -35,7 +35,15 @@ SKIP: {
 $client = iniCmb(
 'if($env->{HTTP_X} eq "rtyler") then [Dm] and [DB] else if($env->{HTTP_X} eq "dvador") then [DB] else [DB]'
 );
- expectCookie( try('rtyler') );
+ my $id = expectCookie( try('rtyler') );
+ my $res;
+ ok( $res = $client->_get("/sessions/global/$id"), 'Get session content' );
+ ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
+ or print STDERR $@;
+ ok(
+ ( $res->{demo} eq 'rtyler' and $res->{dbi} eq 'rtyler' ),
+ ' Demo and DBI exported variables exists in session'
+ );
 expectCookie( try('dvador') );
 expectReject( try('dwho') );
 }
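Review bot: `int( $length / 2 )` bytes unpack to `2 * int( $length / 2 )` hex characters, so an odd IDLength (33, say) yields an id one character shorter than configured while the fallback branch below still truncates to exactly `$length`; `unpack( 'H*', Crypt::URandom::urandom( int( ( $length + 1 ) / 2 ) ) )` wrapped in `substr( ..., 0, $length )` makes both paths honour the configured length. This line also ties the id's entropy to IDLength — `4 * $length` bits — where the previous revision always drew 256 bits, so a deployment with IDLength below 32 now silently gets fewer than 128 bits in its bearer token; a guard such as `warn "IDLength $length gives fewer than 128 bits of session id entropy" if $length < 32;`, or a documented minimum, would make that visible. What `$length` defaults to is set above the hunk and cannot be checked here. `generate` starts before and ends after this hunk.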
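Review bot: `or print STDERR $@` after the JSON `ok` bypasses the TAP stream, so under a harness that captures stderr the parse error is lost, and the combined `ok( ( ... and ... ) )` reports a bare failure without the offending values. Use `diag` and two `is` checks instead: `or diag $@;` and `is( $res->{demo}, 'rtyler', ' Demo exported var in session' ); is( $res->{dbi}, 'rtyler', ' DBI exported var in session' );`, bumping `$maintests` to 4 if that is the plan count for this block. The inner `my $res` shadows the file-level `$res` from the first hunk for the rest of the SKIP block — harmless, but worth a distinct name. The SKIP block continues beyond the hunk.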
@@ -66,10 +74,11 @@ sub iniCmb { if ( my $res = LLNG::Manager::Test->new( { ini => { - logLevel => 'error', - useSafeJail => 1, - authentication => 'Combination', - userDB => 'Same', + logLevel => 'error', + useSafeJail => 1, + authentication => 'Combination', + userDB => 'Same', + restSessionServer => 1, combination => $expr, combModules => { @@ -90,8 +99,8 @@ sub iniCmb { dbiAuthLoginCol => 'user', dbiAuthPasswordCol => 'password', dbiAuthPasswordHash => '', - dbiExportedVars => {}, - demoExportedVars => {}, + dbiExportedVars => { dbi => 'user' }, + demoExportedVars => { demo => 'uid' }, } } ) From 38bb0cedf627dceb1f9312099ff1e1e59053dd70 Mon Sep 17 00:00:00 2001 From: Xavier Date: Thu, 20 Jun 2019 21:27:49 +0200 Subject: [PATCH 11/12] Typo --- lemonldap-ng-portal/t/36-Combination.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-portal/t/36-Combination.t b/lemonldap-ng-portal/t/36-Combination.t index 2da9f6d9b..dae307d7c 100644 --- a/lemonldap-ng-portal/t/36-Combination.t +++ b/lemonldap-ng-portal/t/36-Combination.t @@ -42,7 +42,7 @@ SKIP: { or print STDERR $@; ok( ( $res->{demo} eq 'rtyler' and $res->{dbi} eq 'rtyler' ), - ' Demo and DBI exported variables exists in session' + ' Demo and DBI exported variables exist in session' ); expectCookie( try('dvador') ); expectReject( try('dwho') ); From 750eaafe65726f918f469e9a06de928142cea33b Mon Sep 17 00:00:00 2001 From: Xavier Date: Thu, 20 Jun 2019 21:48:13 +0200 Subject: [PATCH 12/12] Fix test rule to hide some warnings --- lemonldap-ng-portal/t/lmConf-1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-portal/t/lmConf-1.json b/lemonldap-ng-portal/t/lmConf-1.json index cf395cf20..f91ae4076 100644 --- a/lemonldap-ng-portal/t/lmConf-1.json +++ b/lemonldap-ng-portal/t/lmConf-1.json 
@@ -31,7 +31,7 @@
 "LockDirectory": "t/sessions/lock",
 "generateModule": "Lemonldap::NG::Common::Apache::Session::Generate::SHA256"
 },
- "groups": { "su":"$uid eq \"rtyler\"", "test_su": "$uid eq \"rtyler\"", "su_test": "$uid eq \"rtyler\"" },
+ "groups": { "su":"$uid and $uid eq \"rtyler\"", "test_su": "$uid and $uid eq \"rtyler\"", "su_test": "$uid and $uid eq \"rtyler\"" },
 "key": "qwertyui",
 "locationRules": {
 "auth.example.com" : {