Merge branch '1783' into v2.0

This commit is contained in:
Christophe Maudoux 2019-06-30 19:00:41 +02:00
commit a1f5791e06
43 changed files with 980 additions and 74 deletions

COPYING

@ -99,6 +99,18 @@ License: CC-3
Comment: This work, "sfa_manager.png", is a derivative of
"Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_OFF.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-4
Comment: This work, "switchcontext_OFF.png", is a derivative of
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_ON.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-4
Comment: This work, "switchcontext_ON.png", is a derivative of
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/CustomAuth.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-3


@ -326,6 +326,8 @@ status = 0
;hideSignature = 1
; Set ServiceToken timeout
;handlerServiceTokenTTL = 30
; Set Impersonation/ContextSwitching prefix
; impersonationPrefix = real_
useRedirectOnError = 1
; Zimbra Handler parameters
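Review bot: The commented-out example `; impersonationPrefix = real_` puts a space after the `;`, unlike the neighbouring `;hideSignature = 1` and `;handlerServiceTokenTTL = 30`, which use a bare `;` to mark a disabled setting and `; ` only for descriptive comments. `;impersonationPrefix = real_` keeps that convention so a reader can tell the default value from the explanatory line above it.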


@ -5,7 +5,7 @@ use strict;
use Exporter 'import';
use base qw(Exporter);
our $VERSION = '2.0.5';
our $VERSION = '2.0.6';
# CONSTANTS
@ -24,7 +24,11 @@ use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
<<<<<<< HEAD
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|orsEnabled|da)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|(?:mai(?:lOnPasswordChang|ntenanc)|enablePersistentStorag|vhostMaintenanc)e|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|rest(?:(?:Session|Config)Server|ExportSecretKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:Remov
eDomain|ByJs)|dbiDynamicHashEnabled|bruteForceProtection)$/;
=======
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|k
rb(?:RemoveDomain|ByJs)|dbiDynamicHashEnabled|bruteForceProtection)$/;
>>>>>>> 1783
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
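Review bot: The new side of this hunk carries unresolved merge-conflict markers — `<<<<<<< HEAD` before the first `$boolKeys` definition, `=======` between the two, and `>>>>>>> 1783` after the second — so the committed file cannot compile and everything that imports `$boolKeys` fails to load. The second definition is the one that knows the new `contextSwitchingStopWithLogout` key, so the resolution is to keep it and delete the three marker lines together with the first definition; if this file is generated by Manager::Build like DefaultValues.pm in the same commit, regenerating it is the safer route. The `$hashParameters` and `@sessionTypes` lines around the conflict are unaffected.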


@ -1,7 +1,7 @@
# This file is generated by Lemonldap::NG::Manager::Build. Don't modify it by hand
package Lemonldap::NG::Common::Conf::DefaultValues;
our $VERSION = '2.0.5';
our $VERSION = '2.0.6';
sub defaultValues {
return {
@ -18,38 +18,41 @@ sub defaultValues {
'authChoiceParam' => 'lmAuth',
'authentication' => 'Demo',
'available2F' => 'UTOTP,TOTP,U2F,REST,Mail2F,Ext2F,Yubikey',
'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
'bruteForceProtectionMaxAge' => 300,
'bruteForceProtectionMaxFailed' => 3,
'bruteForceProtectionTempo' => 30,
'captcha_mail_enabled' => 1,
'captcha_register_enabled' => 1,
'captcha_size' => 6,
'casAccessControlPolicy' => 'none',
'casAuthnLevel' => 1,
'checkTime' => 600,
'checkUserHiddenAttributes' => '_loginHistory hGroups',
'checkUserIdRule' => 1,
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',
'corsAllow_Credentials' => 'true',
'corsAllow_Headers' => '*',
'corsAllow_Methods' => 'POST,GET',
'corsAllow_Origin' => '*',
'corsEnabled' => 1,
'corsExpose_Headers' => '*',
'corsMax_Age' => '86400',
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspFormAction' => '\'self\'',
'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
'dbiAuthnLevel' => 2,
'dbiExportedVars' => {},
'demoExportedVars' => {
'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
'bruteForceProtectionMaxAge' => 300,
'bruteForceProtectionMaxFailed' => 3,
'bruteForceProtectionTempo' => 30,
'captcha_mail_enabled' => 1,
'captcha_register_enabled' => 1,
'captcha_size' => 6,
'casAccessControlPolicy' => 'none',
'casAuthnLevel' => 1,
'checkTime' => 600,
'checkUserHiddenAttributes' => '_loginHistory hGroups',
'checkUserIdRule' => 1,
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'contextSwitchingIdRule' => 1,
'contextSwitchingRule' => 0,
'contextSwitchingStopWithLogout' => 1,
'cookieName' => 'lemonldap',
'corsAllow_Credentials' => 'true',
'corsAllow_Headers' => '*',
'corsAllow_Methods' => 'POST,GET',
'corsAllow_Origin' => '*',
'corsEnabled' => 1,
'corsExpose_Headers' => '*',
'corsMax_Age' => '86400',
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspFormAction' => '\'self\'',
'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
'dbiAuthnLevel' => 2,
'dbiExportedVars' => {},
'demoExportedVars' => {
'cn' => 'cn',
'mail' => 'mail',
'uid' => 'uid'


@ -5,7 +5,7 @@ use strict;
use Exporter 'import';
use base qw(Exporter);
our $VERSION = '2.0.5';
our $VERSION = '2.0.6';
our %EXPORT_TAGS = ( 'all' => [qw($simpleHashKeys $doubleHashKeys $specialNodeKeys $casAppMetaDataNodeKeys $casSrvMetaDataNodeKeys $oidcOPMetaDataNodeKeys $oidcRPMetaDataNodeKeys $samlIDPMetaDataNodeKeys $samlSPMetaDataNodeKeys $virtualHostKeys $specialNodeHash $authParameters $issuerParameters $samlServiceParameters $oidcServiceParameters $casServiceParameters)] );
our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );


@ -1,7 +1,7 @@
# This file is generated by Lemonldap::NG::Manager::Build. Don't modify it by hand
package Lemonldap::NG::Manager::Attributes;
our $VERSION = '2.0.5';
our $VERSION = '2.0.6';
sub perlExpr {
my ( $val, $conf ) = @_;
@ -923,6 +923,21 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
],
'type' => 'select'
},
'contextSwitchingIdRule' => {
'default' => 1,
'test' => sub {
return perlExpr(@_);
},
'type' => 'text'
},
'contextSwitchingRule' => {
'default' => 0,
'type' => 'boolOrExpr'
},
'contextSwitchingStopWithLogout' => {
'default' => 1,
'type' => 'bool'
},
'cookieExpiration' => {
'type' => 'int'
},


@ -467,12 +467,14 @@ sub attributes {
type => 'boolOrExpr',
default => 0,
documentation => 'Impersonation activation rule',
flags => 'p',
},
impersonationIdRule => {
type => 'text',
test => sub { return perlExpr(@_) },
default => 1,
documentation => 'Impersonation identities rule',
flags => 'p',
},
impersonationHiddenAttributes => {
type => 'text',
@ -486,6 +488,25 @@ sub attributes {
documentation => 'Skip session empty values',
flags => 'p',
},
contextSwitchingRule => {
type => 'boolOrExpr',
default => 0,
documentation => 'Context switching activation rule',
flags => 'p',
},
contextSwitchingIdRule => {
type => 'text',
test => sub { return perlExpr(@_) },
default => 1,
documentation => 'Context switching identities rule',
flags => 'p',
},
contextSwitchingStopWithLogout => {
type => 'bool',
default => 1,
documentation => 'Stop context switching by logout',
flags => 'p',
},
skipRenewConfirmation => {
type => 'bool',
default => 0,


@ -659,12 +659,22 @@ sub tree {
nodes => [
'impersonationRule',
'impersonationIdRule',
'impersonationPrefix',
'impersonationHiddenAttributes',
'impersonationSkipEmptyValues',
'impersonationMergeSSOgroups',
]
},
{
title => 'contextSwitching',
help => 'contextswitching.html',
form => 'simpleInputContainer',
nodes => [
'contextSwitchingRule',
'contextSwitchingIdRule',
'contextSwitchingStopWithLogout',
#'contextSwitchingHiddenAttributes',
]
},
]
},
{
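Review bot: The new `contextSwitching` node carries a commented-out entry `#'contextSwitchingHiddenAttributes'`, while the attribute hunk in this commit defines no such attribute and the language files add a label for it, so the manager tree, the attribute table and the translations disagree on whether that setting exists. Either drop the dead line or replace it with `# TODO: contextSwitchingHiddenAttributes is not implemented yet` so the omission reads as deliberate rather than leftover. `tree` starts before this hunk and continues after it.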


@ -643,22 +643,11 @@ sub tests {
return 1;
},
# Warn if persistent storage is disabled with 2FA, History, OIDCConsents and Notifications
persistentStorage => sub {
return 1 if ( $conf->{enablePersistentStorage} );
return ( 1, "2FA enabled WITHOUT persistent session storage" )
if ( $conf->{totp2fActivation}
|| $conf->{yubikey2fActivation}
|| $conf->{u2fActivation}
|| $conf->{utotp2fActivation} );
return ( 1, "History enabled WITHOUT persistent session storage" )
if ( $conf->{loginHistoryEnabled} );
# Warn if Impersonation and ContextSwitching are simultaneously enabled
impersonation => sub {
return ( 1,
"OIDC consents enabled WITHOUT persistent session storage" )
if ( $conf->{portalDisplayOidcConsents} );
return ( 1,
"Notifications enabled WITHOUT persistent session storage" )
if ( $conf->{notification} );
"Impersonation and ContextSwitching are simultaneously enabled" )
if ( $conf->{impersonationRule} && $conf->{contextSwitchingRule} );
# Return
return 1;
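Review bot: The hunk header `-643,22 +643,11` together with the visible lines indicates that the whole `persistentStorage` check — from `# Warn if persistent storage is disabled with 2FA, History, OIDCConsents and Notifications` and `return 1 if ( $conf->{enablePersistentStorage} );` down to the `Notifications enabled WITHOUT persistent session storage` warning — is absent from the new side, with only the new `impersonation` entry left between `return 1; },` and `# Return`. If this page diffs the merge against v2.0 rather than against branch 1783, that is a merge regression that silently drops four operator warnings, and the `impersonation` entry should be added after `persistentStorage` instead of replacing it. The new check fires whenever both `impersonationRule` and `contextSwitchingRule` are truthy, which for `boolOrExpr` settings includes any non-empty expression string; a comment such as `# Raw config values: any non-empty rule counts as enabled` would make that intent explicit. `tests` starts before this hunk and continues after it.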


@ -140,6 +140,11 @@
"categoryName":"اسم الفئة",
"cda":"نطاقات متعددة",
"contentSecurityPolicy":"السياسة الأمنية للمحتوى",
"contextSwitching":"Switch context anoter user",
"contextSwitchingHiddenAttributes":"Stop by logout",
"contextSwitchingIdRule":"Identities use rule",
"contextSwitchingRule":"استخدام القاعدة",
"contextSwitchingStopWithLogout":"Identities use rule",
"cspDefault":"القيمة الاعتيادية ",
"cspFormAction":"Form destinations",
"cspImg":"مصدر الصورة",
@ -304,7 +309,6 @@
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"السمات المخفية",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
"impersonationSkipEmptyValues":"Skip empty values",
"incompleteForm":"الحقول المطلوبة مفقودة",
"index":"فهرس",


@ -140,6 +140,11 @@
"categoryName":"Category name",
"cda":"Mehrere Domains",
"contentSecurityPolicy":"Content security policy",
"contextSwitching":"Switch context anoter user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
"contextSwitchingIdRule":"Identities use rule",
"contextSwitchingRule":"Use rule",
"contextSwitchingStopWithLogout":"Stop by logout",
"cspDefault":"Default value",
"cspFormAction":"Form destinations",
"cspImg":"Image source",
@ -304,7 +309,6 @@
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
"impersonationSkipEmptyValues":"Skip empty values",
"incompleteForm":"Required fields are missing",
"index":"Index",


@ -140,6 +140,11 @@
"categoryName":"Category name",
"cda":"Multiple domains",
"contentSecurityPolicy":"Content security policy",
"contextSwitching":"Switch context anoter user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
"contextSwitchingIdRule":"Identities use rule",
"contextSwitchingRule":"Use rule",
"contextSwitchingStopWithLogout":"Stop by logout",
"cspDefault":"Default value",
"cspFormAction":"Form destinations",
"cspImg":"Image source",
@ -304,7 +309,6 @@
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
"impersonationSkipEmptyValues":"Skip empty values",
"incompleteForm":"Required fields are missing",
"index":"Index",


@ -140,6 +140,11 @@
"categoryName":"Nom de la catégorie",
"cda":"Domaines multiples",
"contentSecurityPolicy":"Politique de sécurité de contenu",
"contextSwitching":"Endossement d'identité",
"contextSwitchingHiddenAttributes":"Attributs masqués",
"contextSwitchingIdRule":"Règle d'utilisation des identités",
"contextSwitchingRule":"Règle d'utilisation",
"contextSwitchingStopWithLogout":"Arrêt par déconnexion",
"cspDefault":"Valeur par défaut",
"cspFormAction":"Destinations des formulaires",
"cspImg":"Sources des images",
@ -304,7 +309,6 @@
"impersonationIdRule":"Règle d'utilisation des identités",
"impersonationHiddenAttributes":"Attributs masqués",
"impersonationMergeSSOgroups":"Fusionner les groupes SSO réels et usurpés",
"impersonationPrefix":"Préfix des vrais attributs",
"impersonationSkipEmptyValues":"Ignorer les valeurs nulles",
"incompleteForm":"Des champs requis manquent",
"index":"Index",


@ -140,6 +140,11 @@
"categoryName":"Nome della categoria",
"cda":"Domini multipli",
"contentSecurityPolicy":"Politica di protezione dei contenuti",
"contextSwitching":"Switch context anoter user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
"contextSwitchingIdRule":"Identities use rule",
"contextSwitchingRule":"Use rule",
"contextSwitchingStopWithLogout":"Stop by logout",
"cspDefault":"Valore di default",
"cspFormAction":"Formare le destinazioni",
"cspImg":"Origine immagine",
@ -304,7 +309,6 @@
"impersonationIdRule":"Le identità usano la regola",
"impersonationHiddenAttributes":"Attributi nascosti",
"impersonationMergeSSOgroups":"Unisci gruppi SSO usurpati e reali",
"impersonationPrefix":"Prefisso degli attributi reali",
"impersonationSkipEmptyValues":"Salta valori vuoti",
"incompleteForm":"Mancano campi obbligatori",
"index":"Indice",


@ -140,6 +140,11 @@
"categoryName":"Tên thể loại",
"cda":"Nhiều tên miền",
"contentSecurityPolicy":"Chính sách bảo mật nội dung",
"contextSwitching":"Switch context anoter user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
"contextSwitchingIdRule":"Identities use rule",
"contextSwitchingRule":"Use rule",
"contextSwitchingStopWithLogout":"Stop by logout",
"cspDefault":"Giá trị mặc định",
"cspFormAction":"Form destinations",
"cspImg":"Nguồn ảnh",
@ -304,7 +309,6 @@
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Thuộc tính ẩn",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
"impersonationSkipEmptyValues":"Skip empty values",
"incompleteForm":"Các trường bắt buộc bị thiếu",
"index":"Chỉ mục",


@ -140,6 +140,11 @@
"categoryName":"分类名称",
"cda":"Multiple domains",
"contentSecurityPolicy":"Content security policy",
"contextSwitching":"Switch context anoter user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
"contextSwitchingIdRule":"Identities use rule",
"contextSwitchingRule":"Use rule",
"contextSwitchingStopWithLogout":"Stop by logout",
"cspDefault":"Default value",
"cspFormAction":"Form destinations",
"cspImg":"Image source",
@ -304,7 +309,6 @@
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
"impersonationSkipEmptyValues":"Skip empty values",
"incompleteForm":"Required fields are missing",
"index":"Index",




@ -55,7 +55,7 @@ my @notManagedAttributes = (
'configStorage', 'status', 'localStorageOptions', 'localStorage',
'max2FDevices', 'max2FDevicesNameLength', 'checkTime',
'mySessionAuthorizedRWKeys', 'handlerInternalCache',
'handlerServiceTokenTTL'
'handlerServiceTokenTTL', 'impersonationPrefix'
);
# Words used either as attribute name and node title


@ -102,6 +102,7 @@ lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm
lib/Lemonldap/NG/Portal/Plugins/CDA.pm
lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm
lib/Lemonldap/NG/Portal/Plugins/ForceAuthn.pm
lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm
lib/Lemonldap/NG/Portal/Plugins/History.pm
@ -258,6 +259,8 @@ site/htdocs/static/common/icons/key.png
site/htdocs/static/common/icons/oidc.png
site/htdocs/static/common/icons/ok.png
site/htdocs/static/common/icons/sfa_manager.png
site/htdocs/static/common/icons/switchcontext_OFF.png
site/htdocs/static/common/icons/switchcontext_ON.png
site/htdocs/static/common/icons/vcard_edit.png
site/htdocs/static/common/icons/warning.png
site/htdocs/static/common/it.png
@ -332,6 +335,7 @@ site/templates/bootstrap/casBack2Url.tpl
site/templates/bootstrap/checklogins.tpl
site/templates/bootstrap/checkuser.tpl
site/templates/bootstrap/confirm.tpl
site/templates/bootstrap/contextSwitching.tpl
site/templates/bootstrap/customfooter.tpl
site/templates/bootstrap/customhead.tpl
site/templates/bootstrap/customheader.tpl


@ -114,6 +114,16 @@ sub params {
$self->p->_sfEngine->display2fRegisters( $req, $req->userData );
$self->logger->debug("Display 2fRegisters link") if $res{sfaManager};
# Display ContextSwitching link only if allowed
my $cswPlugin = $self->p->loadedModules->{
'Lemonldap::NG::Portal::Plugins::ContextSwitching'};
$res{contextSwitching} =
$cswPlugin
? $cswPlugin->displaySwitchContext( $req, $req->userData )
: '';
$self->logger->debug("Display SwitchContext link -> $res{contextSwitching}")
if $res{contextSwitching};
return %res;
}
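Review bot: `displaySwitchContext` as defined in the new ContextSwitching.pm unpacks only `( $self, $req )`, so the `$req->userData` argument passed on the new side of this hunk is silently ignored; `$cswPlugin->displaySwitchContext($req)` states the real contract. The callee also falls through without an explicit return when the user is neither in a switched session nor allowed by the rule, so `$res{contextSwitching}` then holds whatever false value the rule returned rather than the `''` used in the other branch of the ternary; an explicit `return '';` at the end of `displaySwitchContext` closes that gap. `params` starts before this hunk.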


@ -27,6 +27,7 @@ our @pList = (
portalForceAuthn => '::Plugins::ForceAuthn',
checkUser => '::Plugins::CheckUser',
impersonationRule => '::Plugins::Impersonation',
contextSwitchingRule => '::Plugins::ContextSwitching',
);
##@method list enabledPlugins


@ -9,7 +9,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_MALFORMEDUSER
);
our $VERSION = '2.0.5';
our $VERSION = '2.0.6';
extends qw(
Lemonldap::NG::Portal::Main::Plugin
@ -30,6 +30,7 @@ has ott => (
}
);
has idRule => ( is => 'rw', default => sub { 1 } );
has sorted => ( is => 'rw', default => sub { 0 } );
sub hAttr {
$_[0]->{conf}->{checkUserHiddenAttributes} . ' '
@ -53,7 +54,8 @@ sub init {
return 0;
}
$self->idRule($rule);
$self->sorted( $self->conf->{impersonationRule}
|| $self->conf->{contextSwitchingRule} );
return 1;
}
@ -432,7 +434,7 @@ sub _splitAttributes {
}
# Sort real and spoofed attributes if required
if ( $self->conf->{impersonationRule} ) {
if ( $self->sorted ) {
$self->logger->debug('Dispatching real and spoofed attributes...');
my ( $realAttrs, $spoofedAttrs ) = ( [], [] );
my $prefix = "$self->{conf}->{impersonationPrefix}";
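Review bot: The new attribute `has sorted => ( is => 'rw', default => sub { 0 } );` has no comment, and what `init` stores in it is the raw `impersonationRule || contextSwitchingRule` configuration value; a rule expression string is truthy even when it would evaluate false for the current user, so `sorted` means "a rule is configured", not "this user is impersonating". That matches the `if ( $self->conf->{impersonationRule} )` test it replaces in `_splitAttributes`, but the name reads as a per-request boolean; a comment such as `# Truthy when an Impersonation or ContextSwitching rule is configured (raw rule text, not evaluated per user)` on the attribute line records the actual meaning. `init` and `_splitAttributes` both start before their hunks.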

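--- a/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm
+++ b/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm
@@ -0,0 +1,227 @@
+package Lemonldap::NG::Portal::Plugins::ContextSwitching;
+use strict;
+use Mouse;
+use Lemonldap::NG::Portal::Main::Constants
+qw( PE_OK PE_REDIRECT PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED PE_MALFORMEDUSER );
+our $VERSION = '2.0.6';
+extends
+qw(Lemonldap::NG::Portal::Main::Plugin Lemonldap::NG::Portal::Lib::_tokenRule);
+# INITIALIZATION
+has ott => (
+is => 'rw',
+lazy => 1,
+default => sub {
+my $ott =
+$_[0]->{p}->loadModule('Lemonldap::NG::Portal::Lib::OneTimeToken');
+$ott->timeout( $_[0]->{conf}->{formTimeout} );
+return $ott;
+}
+);
+has rule => ( is => 'rw', default => sub { 1 } );
+has idRule => ( is => 'rw', default => sub { 1 } );
+sub init {
+my ($self) = @_;
+my $hd = $self->p->HANDLER;
+$self->addAuthRoute( switchcontext => 'run', ['POST'] );
+$self->addAuthRoute( switchcontext => 'display', ['GET'] );
+# Parse activation rule
+$self->logger->debug(
+'ContextSwitching rule -> ' . $self->conf->{contextSwitchingRule} );
+my $rule =
+$hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingRule} ) );
+unless ($rule) {
+$self->error(
+'Bad contextSwitching rule -> ' . $hd->tsv->{jail}->error );
+return 0;
+}
+$self->rule($rule);
+# Parse identity rule
+$self->logger->debug( "ContextSwitching identities rule -> "
+. $self->conf->{contextSwitchingIdRule} );
+$rule =
+$hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingIdRule} ) );
+unless ($rule) {
+$self->error( "Bad contextSwitching identities rule -> "
+. $hd->tsv->{jail}->error );
+return 0;
+}
+$self->idRule($rule);
+return 1;
+}
+# RUNNING METHOD
+sub display {
+my ( $self, $req ) = @_;
+# Check access rules
+unless ( $self->rule->( $req, $req->userData )
+|| $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"} )
+{
+$self->userLogger->error('Context switching service not authorized');
+return $self->p->do( $req,
+[ sub { PE_IMPERSONATION_SERVICE_NOT_ALLOWED } ] );
+}
+if ( $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"} ) {
+$self->logger->debug('Request to stop ContextSwitching');
+if ( $self->conf->{contextSwitchingStopWithLogout} ) {
+$self->logger->debug('Send logout request');
+return $self->p->do( $req,
+[ @{ $self->p->beforeLogout }, 'authLogout', 'deleteSession' ]
+);
+}
+else {
+$req = $self->_abortImpersonation( $req, 0 );
+$self->p->updateSession( $req, $req->userData );
+return $self->p->do( $req, [ sub { PE_REDIRECT } ] );
+}
+}
+# Display form
+my $params = {
+PORTAL => $self->conf->{portal},
+MAIN_LOGO => $self->conf->{portalMainLogo},
+LANGS => $self->conf->{showLanguages},
+MSG => 'contextSwitching_ON',
+ALERTE => 'alert-danger',
+LOGIN => '',
+SPOOFID => $self->conf->{contextSwitchingRule},
+TOKEN => (
+$self->ottRule->( $req, {} )
+? $self->ott->createToken()
+: ''
+)
+};
+return $self->p->sendHtml( $req, 'contextSwitching', params => $params, );
+}
+sub run {
+my ( $self, $req ) = @_;
+my $statut = PE_OK;
+my $spoofId = $req->param('spoofId') || ''; # ContextSwitching required ?
+# Check activation rule
+unless ( $self->rule->( $req, $req->userData ) ) {
+$self->userLogger->warn('Context switching service not authorized');
+$spoofId = '';
+return $self->p->do( $req,
+[ sub { PE_IMPERSONATION_SERVICE_NOT_ALLOWED } ] );
+}
+# ContextSwitching required -> Check user Id
+if ( $spoofId && $spoofId ne $req->{user} ) {
+$self->logger->debug("Spoof Id: $spoofId");
+unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
+$self->userLogger->warn('Malformed spoofed Id');
+$self->logger->debug(
+"Context switching tried with spoofed Id: $spoofId");
+return $self->p->do( $req, [ sub { PE_MALFORMEDUSER } ] );
+}
+}
+else {
+$self->logger->debug("No context switching required");
+$req->urldc( $self->conf->{portal} );
+return $self->p->do( $req, [ sub { PE_OK } ] );
+}
+# Create spoofed session
+$req = $self->_switchContext( $req, $spoofId );
+if ( $req->error ) {
+if ( $req->error == PE_BADCREDENTIALS ) {
+$statut = PE_MALFORMEDUSER;
+}
+else {
+$statut = $req->error;
+}
+}
+# Main session
+$self->p->updateSession( $req, $req->sessionInfo );
+return $self->p->do( $req, [ sub { $statut } ] );
+}
+sub _switchContext {
+my ( $self, $req, $spoofId ) = @_;
+my $realSessionId = $req->userData->{_session_id};
+my $raz = 0;
+$req->{user} = $spoofId;
+# Search user in database & create session
+$req->steps( [ 'getUser', $self->p->sessionData, 'buildCookie' ] );
+if ( my $error = $self->p->process($req) ) {
+if ( $error == PE_BADCREDENTIALS ) {
+$self->userLogger->warn(
+'ContextSwitching requested for an unvalid user ('
+. $req->{user}
+. ")" );
+}
+$self->logger->debug("Process returned error: $error");
+$req->error($error);
+$raz = 1;
+}
+# Check identity rule if ContextSwitching required
+unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
+$self->userLogger->warn(
+'ContextSwitching requested for an unvalid user ('
+. $req->{user}
+. ")" );
+$self->logger->debug('Identity NOT authorized');
+$req->error(PE_MALFORMEDUSER); # Hide error to preserve protected Id
+$raz = 1;
+}
+$req->sessionInfo->{"$self->{conf}->{impersonationPrefix}_session_id"} =
+$realSessionId;
+return $raz ? $self->_abortImpersonation( $req, 1 ) : $req;
+}
+sub _abortImpersonation {
+my ( $self, $req, $abort ) = @_;
+my $type = $abort ? 'sessionInfo' : 'userData';
+my $realSessionId =
+$req->{$type}->{"$self->{conf}->{impersonationPrefix}_session_id"};
+my $session = $self->p->getApacheSession($realSessionId)->data;
+if ($abort) {
+$self->logger->debug('ABORT ContextSwitching');
+$self->userLogger->notice('ABORT ContextSwitching');
+$self->p->updateSession( $req, { '_session_kind' => 'SPOOF' } );
+}
+else {
+$self->logger->debug('STOP ContextSwitching');
+$self->userLogger->notice('STOP ContextSwitching');
+$self->p->deleteSession($req);
+}
+# Restore real session
+$req->{$type} = {%$session};
+$req->{user} = $session->{_user};
+$req->urldc( $self->conf->{portal} );
+$req->id($realSessionId);
+$self->p->buildCookie($req);
+delete $req->{$type}->{"$self->{conf}->{impersonationPrefix}_session_id"};
+return $req;
+}
+sub displaySwitchContext {
+my ( $self, $req ) = @_;
+return 'OFF'
+if $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"};
+return 'ON' if $self->rule->( $req, $req->userData );
+}
+1;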
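Review bot: `run` never validates the one-time token that `display` embeds in the form (`TOKEN => ( $self->ottRule->( $req, {} ) ? $self->ott->createToken() : '' )`): nothing on the new side looks up `$req->param('token')` before `_switchContext` creates the spoofed session, so unless the auth-route dispatcher checks it for this route, a POST to `switchcontext` changes the session identity without a fresh form token — when `$self->ottRule->( $req, {} )` holds, `run` should reject the request before `_switchContext` if the posted token does not resolve through the `ott` object. `_abortImpersonation` dereferences `$self->p->getApacheSession($realSessionId)->data` without checking the result; if the real session has expired or been removed while the switched session was in use, that line dies instead of reporting an error, so the lookup should be assigned first and a missing session turned into an error on `$req` before the restore. `/$self->{conf}->{userControl}/o` in `run` compiles `userControl` once per process, so a changed pattern on configuration reload is ignored until restart; precompiling it in `init` with `qr/.../` on the plugin instance avoids that (Impersonation.pm has the same construct). The switch itself is recorded only at debug level (`Spoof Id: $spoofId`) while abort and stop get `userLogger->notice`, so a `$self->userLogger->notice(...)` in `_switchContext` naming the real user (the `_user` key the restore path already reads) and `$spoofId` would give the user log a record of who switched to whom.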


@ -5,7 +5,7 @@ use Mouse;
use Lemonldap::NG::Portal::Main::Constants
qw( PE_OK PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED PE_MALFORMEDUSER );
our $VERSION = '2.0.5';
our $VERSION = '2.0.6';
extends 'Lemonldap::NG::Portal::Main::Plugin';
@ -37,13 +37,13 @@ sub init {
$self->rule($rule);
# Parse identity rule
$self->logger->debug( "Impersonation identity rule -> "
$self->logger->debug( "Impersonation identities rule -> "
. $self->conf->{impersonationIdRule} );
$rule =
$hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) );
unless ($rule) {
$self->error(
"Bad impersonation identity rule -> " . $hd->tsv->{jail}->error );
"Bad impersonation identities rule -> " . $hd->tsv->{jail}->error );
return 0;
}
$self->idRule($rule);
@ -71,7 +71,7 @@ sub run {
if ( $spoofId eq $req->{user} );
unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
$self->userLogger->error('Malformed spoofed Id');
$self->userLogger->warn('Malformed spoofed Id');
$self->logger->debug("Impersonation tried with spoofed Id: $spoofId");
$spoofId = $req->{user};
$statut = PE_MALFORMEDUSER;
@ -81,7 +81,7 @@ sub run {
if ( $spoofId ne $req->{user} ) {
$self->logger->debug("Spoof Id: $spoofId / Real Id: $req->{user}");
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
$self->userLogger->error('Impersonation service not authorized');
$self->userLogger->warn('Impersonation service not authorized');
$spoofId = $req->{user};
$statut = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
}
@ -90,12 +90,11 @@ sub run {
# Fill spoof session
my ( $realSession, $spoofSession ) = ( {}, {} );
$self->logger->debug("Rename real attributes...");
my $spk = '';
foreach my $k ( keys %{ $req->{sessionInfo} } ) {
if ( $self->{conf}->{impersonationSkipEmptyValues} ) {
next unless defined $req->{sessionInfo}->{$k};
}
$spk = "$self->{conf}->{impersonationPrefix}$k";
my $spk = "$self->{conf}->{impersonationPrefix}$k";
unless ( $self->hAttr =~ /\b$k\b/
|| $k =~ /^(?:_imp|token|_type)\w*\b/ )
{
@ -120,7 +119,7 @@ sub run {
$self->logger->debug("Populating spoof session...");
foreach (qw (_auth _userDB)) {
$self->logger->debug("Processing $_...");
$spk = "$self->{conf}->{impersonationPrefix}$_";
my $spk = "$self->{conf}->{impersonationPrefix}$_";
$spoofSession->{$_} = $realSession->{$spk};
}
@ -217,7 +216,7 @@ sub _userData {
'Impersonation requested for an unvalid user ('
. $req->{user}
. ")" );
$self->logger->debug('Identity not authorized');
$self->logger->debug('Identity NOT authorized');
$raz = 1;
}
}
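Review bot: The new lines `$self->userLogger->warn('Malformed spoofed Id');` and `$self->userLogger->warn('Impersonation service not authorized');` lower two authorization-failure events from `error` to `warn`; where a deployment filters the user log at error level, attempts to impersonate an unauthorized or malformed identity stop appearing in it. Keeping them at `warn` is defensible for consistency with the new ContextSwitching plugin, but the change deserves a changelog line so operators can adjust their log filters. The two `my $spk = ...` declarations now scope the variable to each loop body, which is cleaner than the single `my $spk = '';` they replace; `run` and `_userData` both start before their hunks.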








@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"انا متاكد",
"info":"معلومات",
"ipAddr":"عنوان الأي بي",
@ -218,6 +220,7 @@
"SSOSessionInactive":"جلسة الدخول الموحد غير نشطة",
"stayConnected":"ابق على اتصال على هذا الجهاز",
"submit":"قدم",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"يرجى لمس جهاز U2F وامض الآن.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"ID",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"Ich bin sicher",
"info":"Information",
"ipAddr":"IP Adresse",
@ -218,6 +220,7 @@
"SSOSessionInactive":"SSO Sitzung inaktiv",
"stayConnected":"Auf diesem Gerät verbunden bleiben",
"submit":"Absenden",
"switchContext":"Switch context",
"totpExistingKey":"Es existiert bereits ein TOTP-Secret",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -218,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected": "Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice": "Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp": "Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -218,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"Olen varma",
"info":"Information",
"ipAddr":"IP-osoite",
@ -218,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Lähetä",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"GROUPES SSO",
"headers":"ENTETES",
"id":"Id",
"contextSwitching_ON":"Endosser l'identité d'un autre utilisateur",
"contextSwitching_OFF":"Stopper l'endossement",
"imSure":"Je suis sûr",
"info":"Information",
"ipAddr":"Adresse IP",
@ -218,6 +220,7 @@
"SSOSessionInactive":"Session SSO inactive",
"stayConnected": "Rester connecté sur cet appareil",
"submit":"Envoyer",
"switchContext":"Changer de contexte",
"totpExistingKey":"Un secret TOTP existe déjà !!!",
"touchU2fDevice": "Posez votre doigt sur le périphérique U2F",
"touchU2fDeviceOrEnterTotp": "Posez votre doigt sur le périphérique U2F ou entrez le code TOTP",


@ -143,6 +143,8 @@
"groups_sso":"GRUPPI SSO",
"headers":"INTESTAZIONI",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"Sono sicuro",
"info":"Informazioni",
"ipAddr":"Indirizzo IP",
@ -218,6 +220,7 @@
"SSOSessionInactive":"Sessione SSO inattiva",
"stayConnected":"Resta connesso su questo dispositivo",
"submit":"Invia",
"switchContext":"Switch context",
"totpExistingKey":"Un segreto TOTP esiste già",
"touchU2fDevice":"Adesso tocca il dispositivo U2F lampeggiante.",
"touchU2fDeviceOrEnterTotp":"Tocca il dispositivo U2F lampeggiante o inserisci il codice TOTP.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -218,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -218,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"I'm sure",
"info":"Information",
"ipAddr":"IP address",
@ -218,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"Tôi chắc chắn",
"info":"Thông tin",
"ipAddr":"Địa chỉ IP",
@ -218,6 +220,7 @@
"SSOSessionInactive":"Phiên SSO không hoạt động",
"stayConnected":"Giữ kết nối trên thiết bị này",
"submit":"Gửi",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Vui lòng chạm vào thiết bị U2F nhấp nháy ngay bây giờ.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -143,6 +143,8 @@
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"contextSwitching_ON":"Impersonate another user",
"contextSwitching_OFF":"Stop impersonation",
"imSure":"我确认",
"info":"信息",
"ipAddr":"IP 地址",
@ -218,6 +220,7 @@
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"在该项设备上保持连接",
"submit":"提交",
"switchContext":"Switch context",
"totpExistingKey":"A TOTP secret already exists",
"touchU2fDevice":"Please touch the flashing U2F device now.",
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",


@ -0,0 +1,38 @@
<TMPL_INCLUDE NAME="header.tpl">
<div id="errorcontent" class="container">
<!--
<div class="message message-positive alert"><span trspan="<TMPL_VAR NAME="MSG">"></span></div>
-->
<div class="alert <TMPL_VAR NAME="ALERTE"> alert"><div class="text-center"><span trspan="<TMPL_VAR NAME="MSG">"></span></div></div>
<form id="contextSwitching" action="/switchcontext" method="post" class="password" role="form">
<div class="buttons">
<TMPL_IF NAME="TOKEN">
<input type="hidden" name="token" value="<TMPL_VAR NAME="TOKEN">" />
</TMPL_IF>
<TMPL_INCLUDE NAME="impersonation.tpl">
<button type="submit" class="btn btn-success">
<span class="fa fa-random"></span>
<span trspan="switchContext">switchContext</span>
</button>
</div>
</form>
<div class="buttons">
<!--
<button type="submit" class="btn btn-success">
<span class="fa fa-sign-in"></span>
<span trspan="search">Search</span>
</button>
-->
<a href="<TMPL_VAR NAME="PORTAL_URL">" class="btn btn-primary" role="button">
<span class="fa fa-home"></span>
<span trspan="goToPortal">Go to portal</span>
</a>
</div>
</div>
</div>
<TMPL_INCLUDE NAME="footer.tpl">
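Review bot: The anti-CSRF token on the /switchcontext form is only rendered inside `<TMPL_IF NAME="TOKEN">`, so when the portal runs with requireToken disabled — the configuration the new tests in this commit use — this identity-changing POST carries no token at all; since a successful switch replaces the session's identity, it would be safer to always emit the hidden token input on this form regardless of the global setting, assuming the handler verifies it whenever it is present. The two commented-out `<!-- ... -->` blocks (the message div at the top and the search button near the bottom) are dead markup and should be dropped rather than shipped. The alert container also lists the `alert` class twice: `<div class="alert <TMPL_VAR NAME="ALERTE"> alert">`.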


@ -67,6 +67,12 @@
<span trspan="sfaManager">sfaManager</span>
</a></li>
</TMPL_IF>
<TMPL_IF NAME="contextSwitching">
<li class="dropdown-item"><a href="/switchcontext" class="nav-link">
<img src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/switchcontext_<TMPL_VAR NAME="contextSwitching">.png" width="20" height="20" alt="refresh" />
<span trspan="contextSwitching_<TMPL_VAR NAME="contextSwitching">">contextSwitching_<TMPL_VAR NAME="contextSwitching"></span>
</a></li>
</TMPL_IF>
<li class="dropdown-item"><a href="/refresh" class="nav-link">
<img src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/arrow_refresh.png" width="16" height="16" alt="refresh" />
<span trspan="refreshrights">Refresh</span>
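Review bot: The new menu entry copies `alt="refresh"` from the refresh link onto the context-switching icon; the alternative text should describe this entry, e.g. `alt="contextSwitching"`. The entry is a plain `<a href="/switchcontext">` link, and the first new test in this commit shows a GET to that path terminating the impersonated session, so this is a state-changing action triggered by a GET without any token — consider having the link only open the form and performing the switch-off through the POST form. The `contextSwitching` template variable is reused as both the icon filename suffix and the translation key suffix, so any value other than ON/OFF yields a broken image and an untranslated label; a short template comment stating that invariant would help the next maintainer.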


@ -0,0 +1,148 @@
use Test::More;
use strict;
use IO::String;
BEGIN {
require 't/test-lib.pm';
}
my $res;
my $client = LLNG::Manager::Test->new( {
ini => {
logLevel => 'error',
authentication => 'Demo',
userDB => 'Same',
loginHistoryEnabled => 0,
brutForceProtection => 0,
portalMainLogo => 'common/logos/logo_llng_old.png',
requireToken => 0,
checkUser => 1,
impersonationPrefix => 'testPrefix_',
securedCookie => 0,
https => 0,
checkUserDisplayPersistentInfo => 0,
checkUserDisplayEmptyValues => 0,
contextSwitchingRule => 1,
contextSwitchingIdRule => 1,
contextSwitchingStopWithLogout => 1,
}
}
);
##
## Try to authenticate
ok(
$res = $client->_post(
'/',
IO::String->new('user=rtyler&password=rtyler'),
length => 27,
accept => 'text/html',
),
'Auth query'
);
count(1);
my $id = expectCookie($res);
expectRedirection( $res, 'http://auth.example.com/' );
# Get Menu
# ------------------------
ok(
$res = $client->_get(
'/',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Get Menu',
);
count(1);
expectOK($res);
ok( $res->[2]->[0] =~ m%<span trspan="connectedAs">Connected as</span> rtyler%,
'Connected as rtyler' )
or print STDERR Dumper( $res->[2]->[0] );
expectAuthenticatedAs( $res, 'rtyler' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">contextSwitching_ON</span>%,
'Connected as rtyler' )
or print STDERR Dumper( $res->[2]->[0] );
count(2);
# ContextSwitching form -> PE_OK
# ------------------------
ok(
$res = $client->_get(
'/switchcontext',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'ContextSwitching form',
);
count(1);
my ( $host, $url, $query ) =
expectForm( $res, undef, '/switchcontext', 'spoofId' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%, 'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
$query =~ s/spoofId=/spoofId=dwho/;
ok(
$res = $client->_post(
'/switchcontext',
IO::String->new($query),
cookie => "lemonldap=$id",
length => length($query),
accept => 'text/html',
),
'POST switchcontext'
);
$id = expectCookie($res);
ok(
$res = $client->_get(
'/',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Get Menu',
);
count(3);
expectAuthenticatedAs( $res, 'dwho' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_OFF">%, 'Found trspan="contextSwitching_OFF"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_OFF"' );
ok(
$res = $client->_get(
'/checkuser',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'CheckUser form',
);
count(2);
( $host, $url, $query ) =
expectForm( $res, undef, '/checkuser', 'user', 'url' );
ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
or explain( $res->[2]->[0], 'trspan="checkUser"' );
ok( $res->[2]->[0] =~ m%<td scope="row">_user</td>%, 'Found attribute _user' )
or explain( $res->[2]->[0], 'Attribute _user' );
ok( $res->[2]->[0] =~ m%<td scope="row">dwho</td>%, 'Found value dwho' )
or explain( $res->[2]->[0], 'Value dwho' );
ok( $res->[2]->[0] =~ m%<td scope="row">mail</td>%, 'Found attribute mail' )
or explain( $res->[2]->[0], 'Attribute mail' );
ok( $res->[2]->[0] =~ m%<td scope="row">testPrefix__session_id</td>%, 'Found spoofed _id_session' )
or explain( $res->[2]->[0], 'Spoofed _id_session' );
count(5);
# Stop ContextSwitching
# ------------------------
ok(
$res = $client->_get(
'/switchcontext',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Stop context switching',
);
ok( $res->[2]->[0] =~ /trmsg="47"/, 'Found logout message' );
count(2);
clean_sessions();
done_testing( count() );
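Review bot: The `or explain( $res->[2]->[0], ... )` fallbacks after the trspan and `<td scope="row">` checks never print anything, because Test::More's `explain` only returns a string and is discarded in void context, so the failure diagnostics are lost; write `or diag explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );` on each of them. The same pattern is repeated throughout the second new test file in this commit. The description of the contextSwitching_ON check on the menu page is a copy of the previous one ('Connected as rtyler') and should name what it asserts, e.g. `'Found trspan="contextSwitching_ON"'`, and the spoofed session-id check is labelled `_id_session` while the key it matches is `testPrefix__session_id`. The preamble has `use strict` but no `use warnings`.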


@ -0,0 +1,343 @@
use Test::More;
use strict;
use IO::String;
BEGIN {
require 't/test-lib.pm';
}
my $res;
my $client = LLNG::Manager::Test->new( {
ini => {
logLevel => 'error',
authentication => 'Demo',
userDB => 'Same',
loginHistoryEnabled => 0,
brutForceProtection => 0,
portalMainLogo => 'common/logos/logo_llng_old.png',
requireToken => 0,
checkUser => 0,
impersonationPrefix => 'testPrefix_',
securedCookie => 0,
https => 0,
checkUserDisplayPersistentInfo => 0,
checkUserDisplayEmptyValues => 0,
contextSwitchingRule => '$uid eq "dwho"',
contextSwitchingIdRule => '$uid ne "msmith"',
contextSwitchingStopWithLogout => 0,
}
}
);
##
## Try to authenticate with a user not authorized to switch context
ok(
$res = $client->_post(
'/',
IO::String->new('user=rtyler&password=rtyler'),
length => 27,
accept => 'text/html',
),
'Auth query'
);
count(1);
my $id = expectCookie($res);
expectRedirection( $res, 'http://auth.example.com/' );
# Get Menu
# ------------------------
ok(
$res = $client->_get(
'/',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Get Menu',
);
count(1);
expectOK($res);
ok(
$res->[2]->[0] =~ m%<span trspan="connectedAs">Connected as</span> rtyler%,
'Connected as rtyler'
) or print STDERR Dumper( $res->[2]->[0] );
expectAuthenticatedAs( $res, 'rtyler' );
ok( $res->[2]->[0] !~ m%contextSwitching_ON%, 'Connected as dwho' )
or print STDERR Dumper( $res->[2]->[0] );
count(2);
$client->logout($id);
##
## Try to authenticate with a user authorized to switch context
ok(
$res = $client->_post(
'/',
IO::String->new('user=dwho&password=dwho'),
length => 23,
accept => 'text/html',
),
'Auth query'
);
count(1);
$id = expectCookie($res);
expectRedirection( $res, 'http://auth.example.com/' );
# Get Menu
# ------------------------
ok(
$res = $client->_get(
'/',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Get Menu',
);
count(1);
expectOK($res);
ok( $res->[2]->[0] =~ m%<span trspan="connectedAs">Connected as</span> dwho%,
'Connected as dwho' )
or print STDERR Dumper( $res->[2]->[0] );
expectAuthenticatedAs( $res, 'dwho' );
ok(
$res->[2]->[0] =~
m%<span trspan="contextSwitching_ON">contextSwitching_ON</span>%,
'Connected as dwho'
) or print STDERR Dumper( $res->[2]->[0] );
count(2);
# ContextSwitching form -> PE_MALFORMEDUSER
# ------------------------
ok(
$res = $client->_get(
'/switchcontext',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'ContextSwitching form',
);
count(1);
my ( $host, $url, $query ) =
expectForm( $res, undef, '/switchcontext', 'spoofId' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
count(1);
$query =~ s/spoofId=/spoofId=msmith/;
ok(
$res = $client->_post(
'/switchcontext',
IO::String->new($query),
cookie => "lemonldap=$id",
length => length($query),
accept => 'text/html',
),
'POST switchcontext'
);
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, 'PE_MALFORMEDUSER' )
or explain( $res->[2]->[0], 'PE_MALFORMEDUSER' );
count(2);
# ContextSwitching form -> PE_MALFORMEDUSER
# ------------------------
ok(
$res = $client->_get(
'/switchcontext',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'ContextSwitching form',
);
count(1);
( $host, $url, $query ) =
expectForm( $res, undef, '/switchcontext', 'spoofId' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
count(1);
$query =~ s/spoofId=/spoofId=</;
ok(
$res = $client->_post(
'/switchcontext',
IO::String->new($query),
cookie => "lemonldap=$id",
length => length($query),
accept => 'text/html',
),
'POST switchcontext'
);
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, 'PE_MALFORMEDUSER' )
or explain( $res->[2]->[0], 'PE_MALFORMEDUSER' );
count(2);
# ContextSwitching form -> PE_MALFORMEDUSER
# ------------------------
ok(
$res = $client->_get(
'/switchcontext',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'ContextSwitching form',
);
count(1);
( $host, $url, $query ) =
expectForm( $res, undef, '/switchcontext', 'spoofId' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
count(1);
$query =~ s/spoofId=/spoofId=darkVador/;
ok(
$res = $client->_post(
'/switchcontext',
IO::String->new($query),
cookie => "lemonldap=$id",
length => length($query),
accept => 'text/html',
),
'POST switchcontext'
);
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, 'PE_MALFORMEDUSER' )
or explain( $res->[2]->[0], 'PE_MALFORMEDUSER' );
count(2);
# ContextSwitching form -> No impersonation required
# ------------------------
ok(
$res = $client->_get(
'/switchcontext',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'ContextSwitching form',
);
count(1);
( $host, $url, $query ) =
expectForm( $res, undef, '/switchcontext', 'spoofId' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
$query =~ s/spoofId=/spoofId=dwho/;
ok(
$res = $client->_post(
'/switchcontext',
IO::String->new($query),
cookie => "lemonldap=$id",
length => length($query),
accept => 'text/html',
),
'POST switchcontext'
);
ok(
$res = $client->_get(
'/',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Get Menu',
);
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
count(4);
expectAuthenticatedAs( $res, 'dwho' );
# ContextSwitching form -> PE_OK
# ------------------------
ok(
$res = $client->_get(
'/switchcontext',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'ContextSwitching form',
);
count(1);
( $host, $url, $query ) =
expectForm( $res, undef, '/switchcontext', 'spoofId' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
$query =~ s/spoofId=/spoofId=rtyler/;
ok(
$res = $client->_post(
'/switchcontext',
IO::String->new($query),
cookie => "lemonldap=$id",
length => length($query),
accept => 'text/html',
),
'POST switchcontext'
);
# Refresh cookie value
$id = expectCookie($res);
ok(
$res = $client->_get(
'/',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Get Menu',
);
count(3);
expectAuthenticatedAs( $res, 'rtyler' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_OFF">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_OFF"' );
ok(
$res = $client->_get(
'/switchcontext',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Stop context switching',
);
# Refresh cookie value
$id = expectCookie($res);
ok(
$res = $client->_get(
'/',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Get Menu',
);
count(3);
expectAuthenticatedAs( $res, 'dwho' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
count(1);
# Log out request
# ------------------------
ok(
$res = $client->_get(
'/',
query => 'logout=1',
cookie => "lemonldap=$id",
accept => 'text/html'
),
'Get Menu',
);
count(1);
expectOK($res);
ok(
$res->[2]->[0] =~
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
'Dwho has been well disconnected'
) or print STDERR Dumper( $res->[2]->[0] );
count(1);
clean_sessions();
done_testing( count() );
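Review bot: Several assertion descriptions contradict what is checked: the `!~ m%contextSwitching_ON%` test on rtyler's menu is labelled 'Connected as dwho', and the `contextSwitching_OFF` match after switching to rtyler is labelled 'Found trspan="contextSwitching_ON"'; both should state the actual expectation, e.g. `'No contextSwitching_ON entry for rtyler'` and `'Found trspan="contextSwitching_OFF"'`. The three denied cases — a user excluded by contextSwitchingIdRule, an invalid spoofId value, and an unknown user — all assert the same `trmsg="40"` (PE_MALFORMEDUSER); if the portal intentionally returns a single error so callers cannot tell "not allowed" from "unknown", a one-line comment above the first of them saying so would make that intent explicit rather than looking like a copy-paste. The preamble has `use strict` but no `use warnings`.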