Merge branch 'v2.0'
This commit is contained in:
Christophe Maudoux
commit
9ec3ef8cfe
|
|
@ -142,7 +142,7 @@
|
|||
"loginHistoryEnabled" : 1,
|
||||
"macros" : {
|
||||
"UA" : "$ENV{HTTP_USER_AGENT}",
|
||||
"_whatToTrace" : "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : $_auth eq 'OpenIDConnect' ? \"$_user\\@$_oidcConnectedRP\" : \"$_user\""
|
||||
"_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidcConnectedRP) : lc($_user)"
|
||||
},
|
||||
"mailUrl" : "http://auth.__DNSDOMAIN__/resetpwd",
|
||||
"notification" : 1,
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ package Lemonldap::NG::Handler::Lib::AuthBasic;
|
|||
|
||||
use strict;
|
||||
use Exporter;
|
||||
use Digest::SHA;
|
||||
use Digest::SHA qw(sha256_hex);
|
||||
use MIME::Base64;
|
||||
use HTTP::Headers;
|
||||
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
package Lemonldap::NG::Handler::Lib::ZimbraPreAuth;
|
||||
|
||||
use strict;
|
||||
use Digest::HMAC_SHA1 qw(hmac_sha1 hmac_sha1_hex);
|
||||
use Digest::HMAC_SHA1 qw(hmac_sha1_hex);
|
||||
|
||||
our $VERSION = '2.1.0';
|
||||
|
||||
|
|
|
|||
|
|
@ -843,6 +843,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
},
|
||||
'type' => 'text'
|
||||
},
|
||||
'checkUserSearchAttributes' => {
|
||||
'type' => 'text'
|
||||
},
|
||||
'checkXSS' => {
|
||||
'default' => 1,
|
||||
'type' => 'bool'
|
||||
|
|
|
|||
|
|
@ -449,6 +449,11 @@ sub attributes {
|
|||
documentation => 'Attributes to hide in CheckUser plugin',
|
||||
flags => 'p',
|
||||
},
|
||||
checkUserSearchAttributes => {
|
||||
type => 'text',
|
||||
documentation => 'Attributes used for retrieving sessions in user DataBase',
|
||||
flags => 'p',
|
||||
},
|
||||
checkUserDisplayPersistentInfo => {
|
||||
default => 0,
|
||||
type => 'bool',
|
||||
|
|
|
|||
|
|
@ -726,6 +726,7 @@ sub tree {
|
|||
'checkUser',
|
||||
'checkUserIdRule',
|
||||
'checkUserHiddenAttributes',
|
||||
'checkUserSearchAttributes',
|
||||
'checkUserDisplayPersistentInfo',
|
||||
'checkUserDisplayEmptyValues',
|
||||
]
|
||||
|
|
|
|||
|
|
@ -108,7 +108,7 @@ sub zeroConf {
|
|||
},
|
||||
'macros' => {
|
||||
'_whatToTrace' =>
|
||||
'$_auth eq \'SAML\' ? "$_user\\@$_idpConfKey" : $_auth eq \'OpenIDConnect\' ? "$_user\\@$_oidcConnectedRP" : "$_user"',
|
||||
'$_auth eq \'SAML\' ? lc($_user.\'@\'.$_idpConfKey) : $_auth eq \'OpenIDConnect\' ? lc($_user.\'@\'.$_oidcConnectedRP) : lc($_user)',
|
||||
'UA' => '$ENV{HTTP_USER_AGENT}'
|
||||
},
|
||||
'notificationStorageOptions' => {
|
||||
|
|
|
|||
|
|
@ -187,6 +187,7 @@
|
|||
"checkUserHiddenAttributes":"السمات المخفية",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
"checkUserSearchAttributes":"Attributes used for searching sessions",
|
||||
"choiceParams":"اختيارالإعدادات",
|
||||
"chooseLogo":"اختيار الشعار",
|
||||
"chooseSkin":"اختيار الغلاف",
|
||||
|
|
|
|||
|
|
@ -187,6 +187,7 @@
|
|||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
"checkUserSearchAttributes":"Attributes used for searching sessions",
|
||||
"choiceParams":"Choice parameters",
|
||||
"chooseLogo":"Choose logo",
|
||||
"chooseSkin":"Choose skin",
|
||||
|
|
|
|||
|
|
@ -187,6 +187,7 @@
|
|||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
"checkUserSearchAttributes":"Attributes used for searching sessions",
|
||||
"choiceParams":"Choice parameters",
|
||||
"chooseLogo":"Choose logo",
|
||||
"chooseSkin":"Choose skin",
|
||||
|
|
|
|||
|
|
@ -187,6 +187,7 @@
|
|||
"checkUserHiddenAttributes":"Attributs masqués",
|
||||
"checkUserDisplayPersistentInfo":"Afficher les données de session persistante",
|
||||
"checkUserDisplayEmptyValues":"Afficher les valeurs nulles",
|
||||
"checkUserSearchAttributes":"Attributs utilisés pour rechercher les sessions",
|
||||
"choiceParams":"Paramètres des choix",
|
||||
"chooseLogo":"Choisir le logo",
|
||||
"chooseSkin":"Choisir le thème",
|
||||
|
|
|
|||
|
|
@ -187,6 +187,7 @@
|
|||
"checkUserHiddenAttributes":"Attributi nascosti",
|
||||
"checkUserDisplayPersistentInfo":"Mostra sessione persistente",
|
||||
"checkUserDisplayEmptyValues":"Mostra valori vuoti",
|
||||
"checkUserSearchAttributes":"Attributes used for searching sessions",
|
||||
"choiceParams":"Scelta parametri",
|
||||
"chooseLogo":"Scegli logo",
|
||||
"chooseSkin":"Scegli interfaccia",
|
||||
|
|
|
|||
|
|
@ -187,6 +187,7 @@
|
|||
"checkUserHiddenAttributes":"Thuộc tính ẩn",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
"checkUserSearchAttributes":"Attributes used for searching sessions",
|
||||
"choiceParams":"Các tham số lựa chọn",
|
||||
"chooseLogo":"Chọn logo",
|
||||
"chooseSkin":"Chọn giao diện",
|
||||
|
|
|
|||
|
|
@ -187,6 +187,7 @@
|
|||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
"checkUserSearchAttributes":"Attributes used for searching sessions",
|
||||
"choiceParams":"Choice parameters",
|
||||
"chooseLogo":"Choose logo",
|
||||
"chooseSkin":"Choose skin",
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
|
@ -187,10 +187,10 @@ sub run {
|
|||
if ( $rule->( $req, $req->sessionInfo ) ) {
|
||||
$self->logger->debug("CAS service $service access allowed");
|
||||
}
|
||||
|
||||
else {
|
||||
$self->userLogger->error(
|
||||
"CAS service $service access not allowed");
|
||||
$self->userLogger->warn( 'User '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
||||
. " is not authorized to access to $service" );
|
||||
|
||||
if ( $casAccessControlPolicy =~ /^(error)$/i ) {
|
||||
$self->logger->debug(
|
||||
|
|
@ -208,6 +208,10 @@ sub run {
|
|||
}
|
||||
}
|
||||
|
||||
$self->userLogger->notice( 'User '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
||||
. " is authorized to access to $service" );
|
||||
|
||||
unless ($casServiceTicket) {
|
||||
|
||||
# Check last authentication time to decide if
|
||||
|
|
|
|||
|
|
@ -255,11 +255,15 @@ sub run {
|
|||
unless ( $rule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->warn( 'User '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
||||
. " was not authorized to access to $rp" );
|
||||
. " is not authorized to access to $rp" );
|
||||
return PE_UNAUTHORIZEDPARTNER;
|
||||
}
|
||||
}
|
||||
|
||||
$self->userLogger->notice( 'User '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
||||
. " is authorized to access to $rp" );
|
||||
|
||||
# Check redirect_uri
|
||||
my $redirect_uri = $oidc_request->{'redirect_uri'};
|
||||
my $redirect_uris = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
|
|
|
|||
|
|
@ -388,11 +388,15 @@ sub run {
|
|||
unless ( $rule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->warn( 'User '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
||||
. " was not authorized to access to $sp" );
|
||||
. " is not authorized to access to $sp" );
|
||||
return PE_UNAUTHORIZEDPARTNER;
|
||||
}
|
||||
}
|
||||
|
||||
$self->userLogger->notice( 'User '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
||||
. " is authorized to access to $sp" );
|
||||
|
||||
# Do we check signature?
|
||||
my $checkSSOMessageSignature =
|
||||
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
|
||||
|
|
@ -1474,7 +1478,7 @@ sub sloRelayTerm {
|
|||
my $session = $logout->get_session();
|
||||
|
||||
unless ($session) {
|
||||
$self->lmLog( "Could not get session from logout", 'error' );
|
||||
$self->logger->error( "Could not get session from logout" );
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ sub hAttr {
|
|||
sub init {
|
||||
my ($self) = @_;
|
||||
my $hd = $self->p->HANDLER;
|
||||
$self->addAuthRoute( checkuser => 'check', ['POST'] );
|
||||
$self->addAuthRoute( checkuser => 'check', ['POST'] );
|
||||
$self->addAuthRouteWithRedirect( checkuser => 'display', ['GET'] );
|
||||
|
||||
# Parse identity rule
|
||||
|
|
@ -141,9 +141,17 @@ sub check {
|
|||
$self->logger->debug('Try to retrieve session from DB...');
|
||||
my $moduleOptions = $self->conf->{globalStorageOptions} || {};
|
||||
$moduleOptions->{backend} = $self->conf->{globalStorage};
|
||||
my $sessions =
|
||||
$self->module->searchOn( $moduleOptions, $self->conf->{whatToTrace},
|
||||
$user );
|
||||
|
||||
my $sessions = {};
|
||||
my $searchAttrs = $self->conf->{checkUserSearchAttributes}
|
||||
|| $self->conf->{whatToTrace};
|
||||
|
||||
foreach ( split /\s+/, $searchAttrs ) {
|
||||
$self->logger->debug("Searching with: $_ = $user");
|
||||
$sessions = $self->module->searchOn( $moduleOptions, $_, $user );
|
||||
last if (keys %$sessions);
|
||||
}
|
||||
|
||||
my $age = '1';
|
||||
foreach my $id ( keys %$sessions ) {
|
||||
my $session = $self->p->getApacheSession($id) or next;
|
||||
|
|
@ -270,7 +278,7 @@ sub check {
|
|||
}
|
||||
|
||||
sub display {
|
||||
my ( $self, $req ) = @_;
|
||||
my ( $self, $req ) = @_;
|
||||
my ( $attrs, $array_attrs ) = ( {}, [] );
|
||||
|
||||
$self->logger->debug("Display current session data...");
|
||||
|
|
|
|||
|
|
@ -10,14 +10,15 @@ my $res;
|
|||
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
authentication => 'Demo',
|
||||
userDB => 'Same',
|
||||
loginHistoryEnabled => 0,
|
||||
brutForceProtection => 0,
|
||||
checkUser => 1,
|
||||
requireToken => 0,
|
||||
checkUserIdRule => '$uid ne "msmith"',
|
||||
logLevel => 'error',
|
||||
authentication => 'Demo',
|
||||
userDB => 'Same',
|
||||
loginHistoryEnabled => 0,
|
||||
brutForceProtection => 0,
|
||||
checkUser => 1,
|
||||
requireToken => 0,
|
||||
checkUserIdRule => '$uid ne "msmith"',
|
||||
checkUserSearchAttributes => 'employee_nbr test1 _user test2 mail',
|
||||
checkUserDisplayPersistentInfo => 1,
|
||||
checkUserDisplayEmptyValues => 1,
|
||||
totp2fSelfRegistration => 1,
|
||||
|
|
@ -239,8 +240,40 @@ ok( $res->[2]->[0] =~ m%<td scope="row">dwho</td>%, 'Found dwho' )
|
|||
or explain( $res->[2]->[0], 'Macro Value dwho' );
|
||||
count(3);
|
||||
|
||||
# Request with mail
|
||||
$query =~ s/user=dwho/user=dwho%40badwolf.org/;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/checkuser',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST checkuser'
|
||||
);
|
||||
count(1);
|
||||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/checkuser', 'user', 'url' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
|
||||
or explain( $res->[2]->[0], 'trspan="checkUser"' );
|
||||
ok( $res->[2]->[0] =~ m%value="dwho\@badwolf.org" trplaceholder="user"%, 'Found trplaceholder with mail' )
|
||||
or explain( $res->[2]->[0], 'trplaceholder with mail' );
|
||||
count(3);
|
||||
ok( $res->[2]->[0] =~ m%Auth-User: %, 'Found Auth-User' )
|
||||
or explain( $res->[2]->[0], 'Header Key: Auth-User' );
|
||||
ok( $res->[2]->[0] =~ m%: dwho<br/>%, 'Found dwho' )
|
||||
or explain( $res->[2]->[0], 'Header Value: dwho' );
|
||||
ok( $res->[2]->[0] =~ m%<td scope="row">_whatToTrace</td>%,
|
||||
'Found _whatToTrace' )
|
||||
or explain( $res->[2]->[0], 'Macro Key _whatToTrace' );
|
||||
ok( $res->[2]->[0] =~ m%<td scope="row">dwho</td>%, 'Found dwho' )
|
||||
or explain( $res->[2]->[0], 'Macro Value dwho' );
|
||||
count(3);
|
||||
|
||||
# Request with bad VH
|
||||
$query =~ s/user=dwho/user=rtyler/;
|
||||
$query =~ s/user=dwho%40badwolf.org/user=rtyler/;
|
||||
$query =~
|
||||
s/url=http%3A%2F%2Ftest1.example.com/url=http%3A%2F%2Ftry.example.com/;
|
||||
ok(
|
||||
|
|
|
|||
Loading…
Reference in New Issue