Merge branch 'v2.0'
ac1cfd6398
2
RELEASE
2
RELEASE
@ -37,6 +37,8 @@ Before release
- Check Debian packages quality
|
||||
$ cme check dpkg
|
||||
|
||||
- Update doc/admin/documentation.rst to display vulnerable packaged versions
|
||||
|
||||
For minor release
|
||||
-----------------
|
||||
|
||||
@ -85,6 +85,7 @@
},
|
||||
"authentication" : "Demo",
|
||||
"cfgAuthor" : "The LemonLDAP::NG team",
|
||||
"cfgDate" : "1627287638",
|
||||
"cfgNum" : 1,
|
||||
"cfgVersion" : "2.1.0",
|
||||
"cookieName" : "lemonldap",
|
||||
83
changelog
83
changelog
@ -1,3 +1,86 @@
lemonldap-ng (2.0.12) focal; urgency=medium
|
||||
|
||||
* Bugs:
|
||||
* #2153: logout forward url pointing to a protected application cause infinite redirection (pdata)
|
||||
* #2439: Unable to configure oidcOPMetaDataJSON and oidcOPMetaDataJWKS trough lemonldap-ng-cli
|
||||
* #2453: Manager API: missing doc and array handling of additional audiences
|
||||
* #2455: llng-fastcgi-server exited with signal 13
|
||||
* #2459: Debian packages: missing dependency to gsfonts may break Captcha
|
||||
* #2460: "Underlying object can't load conf" in v2.0.11
|
||||
* #2463: Portal plugin hooks triggered multiple times after reload
|
||||
* #2469: mySessionAuthorizedRWKeys causes internal server error when removing OIDC consent
|
||||
* #2474: OAuth2 endpoints should return an error when multiple client authentication methods are used
|
||||
* #2475: OIDC: Invalid error code returned in badAuthRequest
|
||||
* #2477: [security:low] Wildcard in virtualhost allows being redirected to untrusted domains
|
||||
* #2480: Set an authLevel and disable ReAuthentication plugin leads to an endless loop
|
||||
* #2481: missing _utime in OIDC Client Credential sessions
|
||||
* #2482: unexpected persistent sessions appear since 2.0.10
|
||||
* #2483: Second factor removal does not work when hiding session ids from manager
|
||||
* #2487: Incorrect error reporting in convertSessions
|
||||
* #2489: Do not grant the openid scope during Resource Owner Password Grant
|
||||
* #2493: Unable to register a new configuration attribute with CLI when option force is enabled and backend is RDBI
|
||||
* #2495: [security:medium] XSS on register form
|
||||
* #2498: convertSessions does not filter sessionKind correctly
|
||||
* #2503: REST/SOAP exported attributes are not sent by REST server
|
||||
* #2509: Local password policy: Allowing ALL special characters does not work
|
||||
* #2511: expires_in in token response has the wrong JSON type in some cases
|
||||
* #2513: LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser
|
||||
* #2518: SAML: persistent NameID is empty when using "unspecified" format on SP side
|
||||
* #2520: Missing translations for DBI configuration
|
||||
* #2525: Gracefully handle invalid perl expression in CAS/SAML/OIDC
|
||||
* #2529: [bug] OIDC userinfo as jwt not readable
|
||||
* #2531: calling to_json with hash containing file handle fails
|
||||
* #2534: CDA does not work with wildcard vhosts
|
||||
* #2535: [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
|
||||
* #2539: [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
|
||||
* #2541: Misleading TOTP options
|
||||
* #2543: [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
|
||||
* #2547: Parameter oidcRPMetaDataOptionsUserInfoSignAlg is missing in Manager
|
||||
* #2548: OpenID Connect ACR value can't be configured with something else than 'loa-...'
|
||||
* #2549: [security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity
|
||||
* #2550: Token endpoint should only emit ID token when scope contains "openid"
|
||||
|
||||
* New features:
|
||||
* #1976: FindUser plugin
|
||||
* #2451: CrowdSec plugin to query Crowdsec server
|
||||
* #2458: CheckDevOps plugin
|
||||
* #2510: Hook on password change
|
||||
* #2532: add oidcGenerateCode hook
|
||||
* #2554: Remove OIDC checksession iframe from metadata
|
||||
|
||||
* Improvements:
|
||||
* #2260: Missing elements in sphinx documentation (mongodb)
|
||||
* #2419: Support JWT as OAuth 2.0 Bearer Access Tokens
|
||||
* #2424: Feature: Scope Rules
|
||||
* #2454: Append a Show/Hide password button into login form
|
||||
* #2456: Prevent DevOps handler to send hidden session attributes
|
||||
* #2462: Use timezone provided in input dates in extended function "checkDate"
|
||||
* #2465: Force OIDC error messages to use JSON
|
||||
* #2472: Loading metadata can be slow due to parsing of default certificate bundle
|
||||
* #2484: Hook for populating client credential session
|
||||
* #2488: Allow selection of AssertionConsumerServiceURL in IDP-Initiated SAML login
|
||||
* #2496: Add new option to ignore undeclared OIDC scopes
|
||||
* #2499: add key mapper for convertSession
|
||||
* #2502: Resource Owner Password fails with PE_FIRSTACCESS when using Auth::Choice
|
||||
* #2506: CAS: add an option to forbid host-based matching
|
||||
* #2521: Avoid browsers parameter hide placeholder
|
||||
* #2533: add hooks for CAS issuer
|
||||
* #2536: optimize SingleSession to avoid unneeded session fetches
|
||||
* #2544: Default 2FA register timeout is too low
|
||||
* #2557: Avoid browsers to store new, old and confirmed password during update process
|
||||
* #2562: Add --user/--group options to lmConfigEditor and lemonldap-ng-cli (user:group hardcoded to apache may not work correctly)
|
||||
|
||||
* Templates:
|
||||
* #1976: FindUser plugin
|
||||
* #2454: Append a Show/Hide password button into login form
|
||||
* #2458: CheckDevOps plugin
|
||||
* #2495: [security:medium] XSS on register form
|
||||
* #2521: Avoid browsers parameter hide placeholder
|
||||
* #2541: Misleading TOTP options
|
||||
* #2557: Avoid browsers to store new, old and confirmed password during update process
|
||||
|
||||
-- Clément <clem.oudot@gmail.com> Thu, 22 Jul 2021 17:41:44 +0200
|
||||
|
||||
lemonldap-ng (2.0.11) focal; urgency=medium
|
||||
|
||||
* Bugs:
|
||||
@ -1,3 +1,10 @@
lemonldap-ng (2.0.12-1) unstable; urgency=medium
|
||||
|
||||
* New release. See changes on our website:
|
||||
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
|
||||
|
||||
-- Clement OUDOT <clement@oodo.net> Thu, 22 Jul 2021 22:00:00 +0100
|
||||
|
||||
lemonldap-ng (2.0.11-1) unstable; urgency=medium
|
||||
|
||||
* New release. See changes on our website:
|
||||
@ -46,6 +46,7 @@ Options:
|
||||
- ``-c``: job configuration file (mandatory)
|
||||
- ``-r oldkey=newkey``: rename session keys during conversion (optional, can be given multiple times)
|
||||
- ``-x key``: remove session keys during conversion (optional, can be given multiple times)
|
||||
- ``-i``: ignore errors. By default errors will stop the script
|
||||
execution
|
||||
- ``-d``: print debugging output
|
||||
@ -174,6 +174,11 @@ and is stored in the LemonLDAP::NG bin/ directory, for example
This script must be run as root, it will then use the Apache
|
||||
user and group to access configuration.
|
||||
|
||||
.. tip::
|
||||
|
||||
You can change the user and group by setting ``--user`` and
|
||||
``--group`` options in the command line.
|
||||
|
||||
The script uses the ``editor`` system command, that links to your
|
||||
favorite editor. To change it:
|
||||
|
||||
@ -276,6 +281,11 @@ You can use accessors (options) to change the behavior:
configuration.
|
||||
- -force: set it to 1 to save a configuration earlier than latest.
|
||||
|
||||
Additional options:
|
||||
|
||||
- --user=<user>: change user running the script
|
||||
- --group=<group>: change group running the script
|
||||
|
||||
Some examples:
|
||||
|
||||
::
|
||||
@ -283,6 +293,7 @@ Some examples:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -cfgNum 10 get exportedHeaders/test1.example.com
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set notification 1
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli get portal --user=nginx --group=nginx
|
||||
|
||||
|
||||
.. tip::
|
||||
|
@ -51,6 +51,7 @@ Debian
.. tip::
|
||||
|
||||
Following Debian Policy, LLNG packages are never upgraded in published distributions. However, security patches are backported by maintenance teams *(except some inor ones)*.
|
||||
See `Security tracker <https://security-tracker.debian.org/tracker/source-package/lemonldap-ng>`__
|
||||
|
||||
=========== ======================== ======================================== ===================================================== ============================================================ =============================== =============================================================
|
||||
Debian dist LLNG version Secured Maintenance LTS Limit `Extended LTS <https://wiki.debian.org/LTS/Extended>`__ Limit
|
||||
@ -60,9 +61,9 @@ Debian dist LLNG version Se
**8** Jessie `1.3.3 </documentation/1.3/>`__ |clean| CVE-2019-19791 tagged as minor **None** [1]_ June 2020 Probably 2023
|
||||
**9** Stretch `1.9.7 </documentation/1.9/>`__ |clean| CVE-2019-19791 tagged as minor `Debian LTS Team <https://www.debian.org/lts/>`__ June 2022
|
||||
\ *Stretch-backports* `2.0.2 </documentation/2.0/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941 *None* *June 2019*
|
||||
\ Stretch-backports-sloppy `2.0.9 </documentation/2.0/>`__ |bad| *Maybe none*, "best effort" [3]_ Until Debian 11 release [4]_
|
||||
\ Stretch-backports-sloppy `2.0.11 </documentation/2.0/>`__ |maybe| *Maybe none*, "best effort" [3]_ Until Debian 11 release [4]_
|
||||
**10** Buster `2.0.2 </documentation/2.0/>`__ |clean| CVE-2019-19791 tagged as minor `Debian Security Team <https://security-team.debian.org/>`__ Probably July 2024
|
||||
\ Buster-backports `2.0.11 </documentation/2.0/>`__ |clean| `LLNG Team </team>`__ Until Debian 11 release [4]_
|
||||
\ Buster-backports `2.0.11 </documentation/2.0/>`__ |clean| `LLNG Team </team>`, "best effort" [3]_ Until Debian 11 release [4]_
|
||||
\ Bullseye `2.0.11 </documentation/2.0/>`__ |clean| `Debian Security Team <https://security-team.debian.org/>`__ Probably July 2026
|
||||
**Next** Testing Latest [5]_ |clean| `LLNG Team </team>`__
|
||||
=========== ======================== ======================================== ===================================================== ============================================================ =============================== =============================================================
|
||||
@ -86,12 +87,9 @@ Ubuntu dist LLNG version Secured
14.04 Trusty `1.2.5 </documentation/1.2/>`__ |maybe| No known vulnerability None
|
||||
16.04 Xenial [9]_ `1.4.6 </documentation/1.4/>`__ |bad| CVE-2019-12046, CVE-2019-13031 None
|
||||
18.04 Bionic [9]_ `1.9.16 </documentation/1.9/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2020-24660 None
|
||||
18.10 Cosmic `1.9.17 </documentation/1.9/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2020-24660 None
|
||||
19.04 Disco `2.0.2 </documentation/2.0/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941, CVE-2020-24660 None
|
||||
19.10 Eoan `2.0.5 </documentation/2.0/>`__ |bad| CVE-2019-15941, CVE-2020-24660 None
|
||||
20.04 Focal [9]_ `2.0.7 </documentation/2.0/>`__ |bad| CVE-2020-24660 None
|
||||
20.10 Groovy `2.0.8 </documentation/2.0/>`__ |bad| CVE-2020-24660 None
|
||||
21.04 Hirsute `2.0.11 </documentation/2.0/>`__ |clean| None
|
||||
20.04 Focal [9]_ `2.0.7 </documentation/2.0/>`__ |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473 None
|
||||
20.10 Groovy `2.0.8 </documentation/2.0/>`__ |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473 None
|
||||
21.04 Hirsute `2.0.11 </documentation/2.0/>`__ |bad| CVE-2021-35472, CVE-2021-35473 None
|
||||
=========== ============= ================================ ==================================================================== ===========
|
||||
|
||||
Bug report
|
||||
@ -139,8 +137,9 @@ Other
Possible `Extended LTS <https://wiki.debian.org/LTS/Extended>`__
|
||||
|
||||
.. [3]
|
||||
updated by `LLNG Team </team>`__ until dependencies are compatible,
|
||||
however this distribution seems unmaintained now
|
||||
updated by `LLNG Team </team>`__ until dependencies are compatible.
|
||||
Don't use backports unless you plan to update your system because
|
||||
backports are not covered by Debian Security Policy
|
||||
|
||||
.. [4]
|
||||
around September 2021
|
||||
@ -6,6 +6,18 @@ used both for storing configuration and
:doc:`sessions<mongodbsessionbackend>`. You need to install Perl MongoDB
|
||||
module to be able to use this backend.
|
||||
|
||||
For Debian, you can install mongodb module with:
|
||||
|
||||
::
|
||||
|
||||
apt install libmongodb-perl
|
||||
|
||||
For CentOS:
|
||||
|
||||
::
|
||||
|
||||
yum install perl-MongoDB
|
||||
|
||||
See :doc:`how to change configuration backend<changeconfbackend>` to
|
||||
change your configuration database.
|
||||
|
||||
@ -20,6 +20,21 @@ Perl module (version ⩾ 0.15 required). You also need a recent version of
client <http://search.cpan.org/~mongodb/MongoDB-v1.2.2/>`__ (version ⩾
|
||||
1.00 required).
|
||||
|
||||
For Debian, you can install mongodb module and Apache::Session module with:
|
||||
|
||||
::
|
||||
|
||||
apt install libmongodb-perl
|
||||
cpan Apache::Session::MongoDB
|
||||
|
||||
For CentOS:
|
||||
|
||||
::
|
||||
|
||||
yum install perl-MongoDB
|
||||
cpan Apache::Session::MongoDB
|
||||
|
||||
|
||||
In the manager: set
|
||||
`Apache::Session::MongoDB <http://search.cpan.org/perldoc?Apache::Session::MongoDB>`__
|
||||
in ``General parameters`` » ``Sessions`` » ``Session storage`` »
|
||||
@ -32,7 +32,7 @@ Name Comment Example
**sentinels** Redis sentinels list 127.0.0.1:26379,127.0.0.2:26379,127.0.0.3:26379
|
||||
**service** Sentinel service name mymaster
|
||||
**password** password (== requirepass) ChangeMe
|
||||
**select** Redis DB 1
|
||||
**database** Redis DB 1
|
||||
**Index** Fields to index refer to :ref:`fieldstoindex`
|
||||
============= =========================== ===============================================
|
||||
|
||||
@ -60,6 +60,7 @@ casAuthnLevel CAS authentication level
casSrvMetaDataOptions Root of CAS server options ✔ [1]
|
||||
casStorage Apache::Session module to store CAS user data ✔
|
||||
casStorageOptions Apache::Session module parameters ✔
|
||||
casStrictMatching Disable host-based matching of CAS services ✔
|
||||
cda Enable Cross Domain Authentication ✔ ✔
|
||||
certificateResetByMailCeaAttribute ✔
|
||||
certificateResetByMailCertificateAttribute ✔
|
||||
@ -75,6 +76,8 @@ cfgDate Timestamp of the current
cfgLog Configuration update log ✔ ✔
|
||||
cfgNum Enable Cross Domain Authentication ✔ ✔
|
||||
cfgVersion Version of LLNG which build configuration ✔ ✔
|
||||
checkDevOps Enable check DevOps ✔
|
||||
checkDevOpsDownload Enable check DevOps download field ✔
|
||||
checkState Enable CheckState plugin ✔
|
||||
checkStateSecret Secret token for CheckState plugin ✔
|
||||
checkTime Timeout to check new configuration in local cache ✔ ✔ ✔
|
||||
@ -110,6 +113,10 @@ corsAllow_Origin Allowed origine for Cros
corsEnabled Enable Cross-Origin Resource Sharing ✔
|
||||
corsExpose_Headers Exposed headers for Cross-Origin Resource Sharing ✔
|
||||
corsMax_Age MAx-age for Cross-Origin Resource Sharing ✔
|
||||
crowdsec CrowdSec plugin activation ✔
|
||||
crowdsecAction CrowdSec action ✔
|
||||
crowdsecKey CrowdSec API key ✔
|
||||
crowdsecUrl Base URL of CrowdSec local API ✔
|
||||
cspConnect Authorized Ajax destination for Content-Security-Policy ✔
|
||||
cspDefault Default value for Content-Security-Policy ✔
|
||||
cspFont Font source for Content-Security-Policy ✔
|
||||
@ -273,9 +280,9 @@ log4perlConfFile Log4Perl logger configur
logLevel Log level, must be set in .ini ✔ ✔ ✔ ✔
|
||||
logger technical logger ✔ ✔ ✔ ✔
|
||||
loginHistoryEnabled Enable login history ✔
|
||||
logoutServices Send logout through GET request to these services ✔
|
||||
lwpOpts Options given to LWP::UserAgent ✔
|
||||
lwpSslOpts SSL options given to LWP::UserAgent ✔
|
||||
logoutServices Send logout trough GET request to these services ✔
|
||||
lwpOpts Options passed to LWP::UserAgent ✔
|
||||
lwpSslOpts SSL options passed to LWP::UserAgent ✔
|
||||
macros Macros ✔
|
||||
mail2fActivation Mail second factor activation ✔
|
||||
mail2fAuthnLevel Authentication level for users authenticated by Mail second factor ✔
|
||||
@ -333,6 +340,7 @@ oidcServiceAllowAuthorizationCodeFlow OpenID Connect allow aut
oidcServiceAllowDynamicRegistration OpenID Connect allow dynamic client registration ✔
|
||||
oidcServiceAllowHybridFlow OpenID Connect allow hybrid flow ✔
|
||||
oidcServiceAllowImplicitFlow OpenID Connect allow implicit flow ✔
|
||||
oidcServiceAllowOnlyDeclaredScopes OpenID Connect allow only declared scopes ✔
|
||||
oidcServiceAuthorizationCodeExpiration OpenID Connect global code TTL ✔
|
||||
oidcServiceDynamicRegistrationExportedVars OpenID Connect exported variables for dynamic registration ✔
|
||||
oidcServiceDynamicRegistrationExtraClaims OpenID Connect extra claims for dynamic registration ✔
|
||||
@ -403,6 +411,7 @@ portalDisplayPasswordPolicy Display policy in passwo
portalDisplayRefreshMyRights Display link to refresh the user session ✔
|
||||
portalDisplayRegister Display register button in portal ✔
|
||||
portalDisplayResetPassword Display reset password button in portal ✔
|
||||
portalEnablePasswordDisplay Allow to display password in login form ✔
|
||||
portalErrorOnExpiredSession Show error if session is expired ✔
|
||||
portalErrorOnMailNotFound Show error if mail is not found in password reset process ✔
|
||||
portalForceAuthn Enable force to authenticate when displaying portal ✔
|
||||
@ -534,6 +543,7 @@ sfEngine Second factor engine
sfExtra Extra second factors ✔
|
||||
sfManagerRule Rule to display second factor Manager link ✔
|
||||
sfOnlyUpgrade Only trigger second factor on session upgrade ✔
|
||||
sfRegisterTimeout Timeout for 2F registration process ✔
|
||||
sfRemovedMsgRule Display a message if at leat one expired SF has been removed ✔
|
||||
sfRemovedNotifMsg Notification message ✔
|
||||
sfRemovedNotifRef Notification reference ✔
|
||||
@ -46,7 +46,7 @@ Custom CSS file
You can define a custom CSS file, for example ``custom.css``, which will
|
||||
be loaded after default CSS files. This file needs to be created in the
|
||||
static repository
|
||||
(``/usr/share/lemonldap-ng/portal/htdocs/static/boostrap/css``).
|
||||
(``/usr/share/lemonldap-ng/portal/htdocs/static/bootstrap/css``).
|
||||
|
||||
Then set this value in Custom CSS parameter :
|
||||
``bootstrap/css/custom.css``.
|
||||
@ -114,11 +114,17 @@ To achieve this, you can create a rule in the Manager: select
``General Parameters`` > ``Portal`` > ``Customization`` >
|
||||
``Skin display rules`` on click on "New key". Then fill the two fields;
|
||||
|
||||
- **Rule**: a Perl expression (you can use %ENV hash to get environment
|
||||
variables, or $_url to get URL called before redirection, or $ipAddr
|
||||
to use user IP address). If the rule evaluation is true, the
|
||||
corresponding skin is applied.
|
||||
- **Skin**: the name of the skin to use.
|
||||
- **Key**: a Perl expression (you can use ``%ENV`` hash to get environment
|
||||
variables, or ``$_url`` to get URL called before redirection, or ``$ipAddr``
|
||||
to use user IP address). If the rule evaluation is true, the corresponding
|
||||
skin is applied.
|
||||
- **Value**: the name of the skin to use.
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
$_url =~ m#^http://test1.example.com#
|
||||
```
|
||||
|
||||
Skin files
|
||||
~~~~~~~~~~
|
||||
@ -77,3 +77,7 @@ You can also add some other parameters
# LWP::UserAgent parameters
|
||||
proxyOptions = { timeout => 5 }
|
||||
|
||||
`User` and `Password` parameters are only used if the entry point `index.fcgi/config`
|
||||
is protected by a basic authentication. Thus, handlers will make requests to the portal
|
||||
using these parameters.
|
||||
|
||||
@ -68,6 +68,10 @@ Name Comment Example
**password** Password to use for auth basic mechanism
|
||||
=================== ======================================== ==================================================
|
||||
|
||||
`user` and `password` parameters are only used if the entry point `index.fcgi/sessions/global`
|
||||
is protected by a basic authentication. Thus, handlers will make requests to the portal
|
||||
using these parameters.
|
||||
|
||||
|
||||
.. attention::
|
||||
|
||||
@ -86,7 +90,7 @@ configuration (for example, access by IP range):
|
||||
# REST/SOAP functions for sessions access (disabled by default)
|
||||
<Location /index.fcgi/sessions>
|
||||
Require 192.168.2.0/24
|
||||
Require ip 192.168.2.0/24
|
||||
</Location>
|
||||
|
||||
Real session backend
|
||||
@ -78,12 +78,12 @@ configuration (for example, access by IP range):
|
||||
# SOAP functions for sessions management (disabled by default)
|
||||
<Location /index.fcgi/adminSessions>
|
||||
Require 192.168.2.0/24
|
||||
Require ip 192.168.2.0/24
|
||||
</Location>
|
||||
|
||||
# SOAP functions for sessions access (disabled by default)
|
||||
<Location /index.fcgi/sessions>
|
||||
Require 192.168.2.0/24
|
||||
Require ip 192.168.2.0/24
|
||||
</Location>
|
||||
|
||||
Real session backend
|
||||
@ -30,13 +30,40 @@ None
2.0.12
|
||||
------
|
||||
|
||||
Security
|
||||
~~~~~~~~
|
||||
|
||||
* **CVE-2021-35473**: Access token lifetime is not verified with OAuth2 Handler (see `issue 2549 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2549>`__)
|
||||
* **CVE-2021-35472**: Session cache corruption can lead to authorization bypass or spoofing (see `issue 2539 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539>`__)
|
||||
* 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret (see `issue 2543 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2543>`__)
|
||||
* Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application (see `issue 2535 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2535>`__)
|
||||
* XSS on register form (see `issue 2495 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2495>`__)
|
||||
* Wildcard in virtualhost allows being redirected to untrusted domains (see `issue 2477 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2477>`__)
|
||||
|
||||
Portal templates changes
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If you customized the HTML mail content, you must update them to use HTML::Template variables (this was changed to fix XSS injections).
|
||||
|
||||
For session variables, replace for example ``$cn`` by ``<TMPL_VAR NAME="session_cn" ESCAPE=HTML>``, and for other variables, replace for example ``$url`` by ``<TMPL_VAR NAME="url" ESCAPE=HTML>``.
|
||||
|
||||
Some changes have been made to include new plugins (FindUser and CheckDevOps), you need to report them only if you have a custom theme and you want to use these plugins
|
||||
|
||||
To benefit from the new feature allowing to show password on login form, adapt ``standardform.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/bdeb1e70d98ddc89316b0912d9d5ee6d11d0bee5#fbbcec1fdc36cc042eeaa83274a32ef2231fe977_23_23>`__)
|
||||
|
||||
To disable password store in browser when changing password (this was already possible for login form), adapt ``password.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/466b6a3241fff5013d27b3dd22982e5e26ed7dfb#0ae060b3d1e289f08f510c268ed72de5dcafe425_36_35>`__)
|
||||
|
||||
To fix placeholder display in password field when password store is disabled in browser, adapt ``password.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/547d80985290495d33ed72a388e9ddf482980354#fbbcec1fdc36cc042eeaa83274a32ef2231fe977_21_20>`__)
|
||||
|
||||
See also "Simplification of TOTP options" below.
|
||||
|
||||
Client Credential sessions missing expiration time
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If you started using Client Credential grants in 2.0.11, you may have encountered
|
||||
`issue 2481 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2481>`__.
|
||||
|
||||
Because of this bug, the created sessions may never be purged by the `purgeCentralCache` script.
|
||||
Because of this bug, the created sessions may never be purged by the ``purgeCentralCache`` script.
|
||||
|
||||
In order to detect these sessions, you can run the following command:
|
||||
|
||||
@ -78,7 +105,7 @@ The following options have been removed from TOTP configuration:
* Display existing secret (``totp2fDisplayExistingSecret``)
|
||||
* Change existing secret (``totp2fUserCanChangeKey``)
|
||||
|
||||
As a consequence, users who are *not* using the default `bootstrap` skin may need to ajust their ``totp2fregister.tpl`` template:
|
||||
As a consequence, users who are *not* using the default ``bootstrap`` skin may need to ajust their ``totp2fregister.tpl`` template:
|
||||
|
||||
* Move ``#divToHide`` from the ``.col-md-6`` div to the ``.card`` div
|
||||
* Change::
|
||||
@ -133,7 +133,7 @@
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "llng-fastcgi-server 8"
|
||||
.TH llng-fastcgi-server 8 "2021-07-09" "perl v5.32.1" "User Contributed Perl Documentation"
|
||||
.TH llng-fastcgi-server 8 "2021-08-01" "perl v5.32.1" "User Contributed Perl Documentation"
|
||||
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
||||
.\" way too many mistakes in technical documents.
|
||||
.if n .ad l
|
||||
@ -40,6 +40,7 @@
"Cookie::Baker::XS" : "0",
|
||||
"Crypt::URandom" : "0",
|
||||
"DBI" : "0",
|
||||
"Date::Parse" : "0",
|
||||
"LWP::Protocol::https" : "0",
|
||||
"Net::LDAP" : "0",
|
||||
"SOAP::Lite" : "0",
|
||||
@ -26,6 +26,7 @@ recommends:
Cookie::Baker::XS: '0'
|
||||
Crypt::URandom: '0'
|
||||
DBI: '0'
|
||||
Date::Parse: '0'
|
||||
LWP::Protocol::https: '0'
|
||||
Net::LDAP: '0'
|
||||
SOAP::Lite: '0'
|
||||
@ -47,6 +47,7 @@ WriteMakefile(
'Convert::Base32' => 0,
|
||||
'Cookie::Baker::XS' => 0,
|
||||
'Crypt::URandom' => 0,
|
||||
'Date::Parse' => 0,
|
||||
'String::Random' => 0,
|
||||
'DBI' => 0,
|
||||
'Net::LDAP' => 0,
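Review bot: `'Date::Parse' => 0,` is inserted between `Crypt::URandom` and `String::Random`, which breaks the otherwise alphabetical order of this list (`DBI` comes after it), while the META.json and META.yml hunks in this commit keep the new entry sorted after `DBI`; moving the line after `'DBI' => 0,` keeps the three files consistent. The META.yml hunk lists the module under `recommends:`, so it is advertised as optional; if the updated `checkDate` extended function exercised by the new tests cannot run without it, it presumably belongs with the hard prerequisites instead — the name of the Makefile.PL section this hunk sits in is not visible, so please confirm.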
|
||||
@ -16,18 +16,20 @@ use strict;
use Getopt::Long;
|
||||
use Pod::Usage;
|
||||
|
||||
our $VERSION = "2.0.6";
|
||||
our $VERSION = "2.0.12";
|
||||
|
||||
# Options
|
||||
# -d: debug mode
|
||||
# -c: configuration file
|
||||
# -r: configuration file
|
||||
# -r: rename attributes
|
||||
# -i: ignore errors
|
||||
# -x: exclude attributes
|
||||
|
||||
my $debug;
|
||||
my $config_file;
|
||||
my $ignore_errors;
|
||||
my %rename;
|
||||
my @exclude;
|
||||
my $help;
|
||||
my $nb_converted = 0;
|
||||
my $nb_error = 0;
|
||||
@ -38,6 +40,7 @@ GetOptions(
'config|c=s' => \$config_file,
|
||||
'ignore-errors|i' => \$ignore_errors,
|
||||
'rename|r=s' => \%rename,
|
||||
'exclude|x=s' => \@exclude,
|
||||
) or pod2usage(2);
|
||||
pod2usage(
|
||||
-exitval => 1,
|
||||
@ -133,6 +136,16 @@ Lemonldap::NG::Common::Apache::Session->get_key_from_all_sessions(
}
|
||||
}
|
||||
|
||||
if (@exclude) {
|
||||
for my $excludekey (@exclude) {
|
||||
if ( $entry->{$excludekey} ) {
|
||||
print "Exclude $excludekey in session $id\n"
|
||||
if $debug;
|
||||
delete $entry->{$excludekey};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
print "Processing session $id\n" if $debug;
|
||||
my $s = Lemonldap::NG::Common::Session->new( {
|
||||
storageModule => $backendTo->{backend},
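Review bot: The new exclusion loop only deletes keys whose value is true (`if ( $entry->{$excludekey} )`), so a key that is present with the value `0`, `''` or undef survives `-x`; since the option's purpose is to drop the attribute from the converted session, test for presence instead: `if ( exists $entry->{$excludekey} ) {`. The surrounding `if (@exclude)` guard is redundant with the `for` over the same array and can be removed. The enclosing session loop that defines `$entry` and `$id` starts outside the hunk.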
|
||||
@ -3,15 +3,14 @@
use warnings;
|
||||
use strict;
|
||||
use POSIX;
|
||||
use Getopt::Long;
|
||||
use Getopt::Long qw(:config pass_through);
|
||||
|
||||
our $opt_user = '__APACHEUSER__';
|
||||
our $opt_group = '__APACHEGROUP';
|
||||
GetOptions (
|
||||
"user=s" => \$opt_user,
|
||||
"group=s" => \$opt_group
|
||||
)
|
||||
or die("Error in command line arguments\n");
|
||||
our $opt_user = '__APACHEUSER__';
|
||||
our $opt_group = '__APACHEGROUP__';
|
||||
GetOptions(
|
||||
"user=s" => \$opt_user,
|
||||
"group=s" => \$opt_group
|
||||
) or die("Error in command line arguments\n");
|
||||
|
||||
my $action;
|
||||
|
||||
@ -77,6 +76,10 @@ Options:
- sep <char> : separator of hierarchical values (by default: /)
|
||||
- iniFile <file> : path to an alternate lemonldap-ng.ini file
|
||||
|
||||
Additional options:
|
||||
- --user=<user> : change user running the script
|
||||
- --group=<group> : change group running the script
|
||||
|
||||
See Lemonldap::NG::Manager::Cli(3) for more
|
||||
};
|
||||
}
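Review bot: `use Getopt::Long qw(:config pass_through);` makes unrecognised options fall through to `@ARGV` instead of failing, so a misspelled `--grup=nginx` is no longer rejected by this `GetOptions` call and the script silently keeps the default `__APACHEGROUP__`; that is presumably needed because the `-sep`/`-iniFile` style options shown in the usage text are parsed later by Lemonldap::NG::Manager::Cli, and a one-line comment above the `use` would spare the next reader the guess, e.g. `# pass_through: the remaining options (-sep, -iniFile, ...) are consumed by Manager::Cli`. `our $opt_user`/`our $opt_group` are package globals; unless Manager::Cli reads them by name, `my` would do. The code that switches to that user and group is outside the hunks; it should refuse to continue when `getpwnam`/`getgrnam` cannot resolve the name it was given, otherwise a typo leaves the process with whatever privileges it started with.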
|
||||
@ -10,11 +10,13 @@ use strict;
use Getopt::Long;
|
||||
use Pod::Usage;
|
||||
|
||||
our $VERSION = "2.0.9";
|
||||
our $VERSION = "2.0.12";
|
||||
|
||||
# Options
|
||||
my $opts = {};
|
||||
my $help;
|
||||
my $opt_user = '__APACHEUSER__';
|
||||
my $opt_group = '__APACHEGROUP__';
|
||||
|
||||
GetOptions(
|
||||
'help|h' => \$help,
|
||||
@ -23,13 +25,15 @@ GetOptions(
'backend|b=s' => \$opts->{backend},
|
||||
'persistent|p' => \$opts->{persistent},
|
||||
'id-only|i' => \$opts->{idonly},
|
||||
'user|u=s' => \$opt_user,
|
||||
'group|g=s' => \$opt_group,
|
||||
) or pod2usage( -exitcode => 1, -verbose => 0 );
|
||||
|
||||
pod2usage( -exitcode => 0, -verbose => 2 ) if $help;
|
||||
|
||||
eval {
|
||||
POSIX::setgid( scalar( getgrnam('__APACHEGROUP__') ) );
|
||||
POSIX::setuid( scalar( getpwnam('__APACHEUSER__') ) );
|
||||
POSIX::setgid( scalar( getgrnam($opt_group) ) );
|
||||
POSIX::setuid( scalar( getpwnam($opt_user) ) );
|
||||
};
|
||||
|
||||
my $action = shift @ARGV;
|
||||
@ -127,7 +131,8 @@ Options:
--persistent Search in persistent sessions
|
||||
--where Set search filter (search/delete only)
|
||||
--id-only Only return IDs (search only)
|
||||
|
||||
--user Change user running the script
|
||||
--group Change group running the script
|
||||
|
||||
=head1 COMMANDS
|
||||
|
||||
@ -288,7 +293,7 @@ Examples:
|
||||
=item B<--persistent>,B<-p>
|
||||
|
||||
This options is a shortcut for specifying --backend persistent and using
|
||||
This option is a shortcut for specifying --backend persistent and using
|
||||
the UID hash as a session ID
|
||||
|
||||
Example:
|
||||
@ -303,7 +308,7 @@ is the same as
|
||||
=item B<--id-only>,B<-i>
|
||||
|
||||
This option replace the standard JSON output format with a simpler format of
|
||||
This option replaces the standard JSON output format with a simpler format of
|
||||
one session ID per line.
|
||||
|
||||
This allows some intersting combos using xargs. For example, if you want to
|
||||
@ -312,7 +317,13 @@ remove all sessions started by "dwho"
lemonldap-ng-sessions search --where uid=dwho --id-only | \
|
||||
xargs lemonldap-ng-sessions delete
|
||||
|
||||
=item B<--user>,B<-u>
|
||||
|
||||
This option forces the system user that runs the script.
|
||||
|
||||
=item B<--group>,B<-g>
|
||||
|
||||
This option forces the system group that runs the script.
|
||||
|
||||
=back
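Review bot: The privilege switch `POSIX::setgid( scalar( getgrnam($opt_group) ) )` / `POSIX::setuid( scalar( getpwnam($opt_user) ) )` now takes user-supplied names, but an unknown name makes `getgrnam`/`getpwnam` return undef, which the numeric `setgid`/`setuid` arguments treat as 0, and the surrounding `eval { ... };` discards any failure without a message; started as root with a mistyped `--user`, the script therefore keeps running as uid 0 and nobody is told. The same options are added to lemonldap-ng-cli in this commit, whose switch is outside its hunks and presumably needs the same treatment. Resolve both names first and die when lookup fails, and report a failed `setgid`/`setuid` instead of swallowing it (kept non-fatal below, since the old `eval` presumably tolerates non-root runs). Supplementary groups are not dropped by this code either; if that matters here, `$)` needs to be set as well — I cannot tell from the hunk.
```perl
my $gid = getgrnam($opt_group);
my $uid = getpwnam($opt_user);
die "Unknown group '$opt_group'\n" unless defined $gid;
die "Unknown user '$opt_user'\n"   unless defined $uid;

# Best effort, as before, but a failed switch is reported rather than hidden.
POSIX::setgid($gid) or warn "setgid($opt_group) failed: $!\n";
POSIX::setuid($uid) or warn "setuid($opt_user) failed: $!\n";
```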
|
||||
|
||||
@ -129,13 +129,7 @@ sub token {
# Fake reval method if useSafeJail is off
|
||||
sub reval {
|
||||
my ( $self, $e ) = @_;
|
||||
|
||||
my $res = eval $e;
|
||||
if ($@) {
|
||||
$self->error($@);
|
||||
return undef;
|
||||
}
|
||||
return $res;
|
||||
return eval $e;
|
||||
}
|
||||
|
||||
## @method wrap_code_ref
|
||||
@ -180,11 +174,10 @@ sub share_from {
|
|||
sub jail_reval {
|
||||
my ( $self, $reval ) = @_;
|
||||
|
||||
# if nothing is returned by reval, add the return statement to
|
||||
# the "no safe wrap" reval
|
||||
# If nothing is returned by reval, add the return statement to
|
||||
# the "no safe wrap" reval
|
||||
|
||||
my $res;
|
||||
eval { $res = ( $self->jail->reval($reval) ) };
|
||||
my $res = $self->jail->reval($reval);
|
||||
if ($@) {
|
||||
$self->error($@);
|
||||
return undef;
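Review bot: Removing the `eval { ... }` around `$self->jail->reval($reval)` changes what happens when the `reval` method itself throws (as opposed to the evaluated code failing): that exception now propagates out of jail_reval instead of being recorded through `$self->error`. Safe->reval and the fake `reval` in the hunk above both leave failures in `$@` rather than dying, so this only matters if `$self->jail` can be something else; worth confirming. The fake `reval` now depends on the caller inspecting `$@` immediately after the call, so a comment on its `return eval $e;` line, `# Same contract as Safe->reval: the result is returned and any error is left in $@ for jail_reval`, would make that explicit. jail_reval's body continues outside the hunk.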
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
# change 'tests => 1' to 'tests => last_test_to_print';
|
||||
|
||||
use strict;
|
||||
use Test::More tests => 20;
|
||||
use Test::More tests => 22;
|
||||
require 't/test.pm';
|
||||
BEGIN { use_ok('Lemonldap::NG::Handler::Main::Jail') }
|
||||
|
||||
|
@ -60,7 +60,7 @@ ok(
|
|||
ok( $res = &$code, "Function works" );
|
||||
ok( $res == 1, 'Get good result' );
|
||||
|
||||
$sub = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
|
||||
$sub = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
|
||||
$code = $jail->jail_reval($sub);
|
||||
ok(
|
||||
( defined($code) and ref($code) eq 'CODE' ),
|
||||
|
@ -105,3 +105,11 @@ is(
|
|||
"Function works"
|
||||
);
|
||||
|
||||
$sub = "sub { return(";
|
||||
$code = $jail->jail_reval($sub);
|
||||
ok( ( not defined($code) ), 'Syntax error yields undef result' );
|
||||
like(
|
||||
$jail->error,
|
||||
qr/Missing right curly or square bracket/,
|
||||
'Found correct error message'
|
||||
);
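Review bot: `like( $jail->error, qr/Missing right curly or square bracket/ )` pins the test to the exact wording of a perl core diagnostic, which may differ across perl releases; the property being tested is that the compile error was captured, so a looser `qr/Missing right curly/` or `ok( $jail->error, 'error was recorded' )` keeps the test from breaking on a wording change. The preceding `ok( not defined($code) )` already covers the undef result. The same assertion is repeated in the second Jail test file's last hunk.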
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
# change 'tests => 1' to 'tests => last_test_to_print';
|
||||
|
||||
use Test::More tests => 14;
|
||||
use Test::More tests => 16;
|
||||
require 't/test.pm';
|
||||
BEGIN { use_ok('Lemonldap::NG::Handler::Main::Jail') }
|
||||
|
||||
|
@ -43,7 +43,8 @@ my $checkDate = $jail->jail_reval($sub3);
|
|||
ok( &$checkDate == "1",
|
||||
'checkDate extended function working without Safe Jail' );
|
||||
|
||||
my $sub4 = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
|
||||
my $sub4 =
|
||||
"sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
|
||||
my $checkDate = $jail->jail_reval($sub4);
|
||||
ok( &$checkDate == "1",
|
||||
'checkDate extended function working without Safe Jail' );
|
||||
|
@ -96,3 +97,12 @@ is(
|
|||
0,
|
||||
"Function works"
|
||||
);
|
||||
|
||||
$sub = "sub { return(";
|
||||
$code = $jail->jail_reval($sub);
|
||||
ok( ( not defined($code) ), 'Syntax error yields undef result' );
|
||||
like(
|
||||
$jail->error,
|
||||
qr/Missing right curly or square bracket/,
|
||||
'Found correct error message'
|
||||
);
|
||||
|
|
|
@ -22,6 +22,7 @@
|
|||
"prereqs" : {
|
||||
"build" : {
|
||||
"requires" : {
|
||||
"Email::Sender" : "0",
|
||||
"IO::String" : "0",
|
||||
"Regexp::Common" : "0",
|
||||
"Test::Pod" : "1"
|
||||
|
|
|
@ -3,6 +3,7 @@ abstract: 'Perl extension for managing Lemonldap::NG Web-SSO system.'
|
|||
author:
|
||||
- 'Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>'
|
||||
build_requires:
|
||||
Email::Sender: '0'
|
||||
IO::String: '0'
|
||||
Regexp::Common: '0'
|
||||
Test::Pod: '1'
|
||||
|
|
|
@ -8,6 +8,7 @@ WriteMakefile(
|
|||
VERSION_FROM => 'lib/Lemonldap/NG/Manager.pm', # finds $VERSION
|
||||
LICENSE => 'gpl',
|
||||
BUILD_REQUIRES => {
|
||||
'Email::Sender' => 0,
|
||||
'IO::String' => 0,
|
||||
'Regexp::Common' => 0,
|
||||
'Test::Pod' => 1.00,
|
||||
|
|
|
@ -5,7 +5,9 @@ use strict;
|
|||
our $VERSION = '2.1.0';
|
||||
|
||||
sub zeroConf {
|
||||
my ( $domain, $sessionDir, $persistentSessionDir, $notificationDir, $cacheDir ) = @_;
|
||||
my ( $domain, $sessionDir, $persistentSessionDir, $notificationDir,
|
||||
$cacheDir )
|
||||
= @_;
|
||||
$domain ||= 'example.com';
|
||||
$sessionDir ||= '/var/lib/lemonldap-ng/sessions';
|
||||
$persistentSessionDir ||= '/var/lib/lemonldap-ng/psessions';
|
||||
|
@ -179,6 +181,7 @@ sub zeroConf {
|
|||
'securedCookie' => 0,
|
||||
'cookieName' => 'lemonldap',
|
||||
'cfgAuthor' => 'The LemonLDAP::NG team',
|
||||
'cfgDate' => '1627287638',
|
||||
'cfgVersion' => $VERSION,
|
||||
'exportedVars' => {},
|
||||
'portalSkin' => 'bootstrap',
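Review bot: `'cfgDate' => '1627287638'` hard-codes a timestamp into the zero-configuration defaults rather than using `time`, and nothing in the hunk says why; if the intent is a reproducible default configuration, a comment such as `# fixed epoch so the generated default configuration is reproducible` would stop a later reader from "fixing" it, and if a real creation time is expected, `time` is the natural value. The same literal appears in the packaged JSON configuration.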
|
||||
|
|
|
@ -15,14 +15,13 @@ use strict;
|
|||
|
||||
my $cli = Lemonldap::NG::Manager::Cli::Lib->new;
|
||||
|
||||
our $opt_user = '__APACHEUSER__';
|
||||
our $opt_user = '__APACHEUSER__';
|
||||
our $opt_group = '__APACHEGROUP__';
|
||||
|
||||
GetOptions (
|
||||
"user=s" => \$opt_user,
|
||||
"group=s" => \$opt_group
|
||||
)
|
||||
or die("Error in command line arguments\n");
|
||||
GetOptions(
|
||||
"user=s" => \$opt_user,
|
||||
"group=s" => \$opt_group
|
||||
) or die("Error in command line arguments\n");
|
||||
|
||||
eval {
|
||||
setgid( ( getgrnam($opt_group) )[2] );
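Review bot: `setgid( ( getgrnam($opt_group) )[2] )` passes `undef` when `$opt_group` names no existing group, because `getgrnam` then returns an empty list; `undef` numifies to 0, so a misspelled `--group` run as root would silently keep gid 0 instead of failing the privilege drop. Resolve and check the id before switching, `my $gid = ( getgrnam($opt_group) )[2]; die "Unknown group '$opt_group'\n" unless defined $gid;`, and do the same for `$opt_user` before `setuid`. The `eval {` opened on the last hunk line continues outside the hunk, so whether its result is checked cannot be seen here. The sessions script's first hunk in this commit uses `scalar(getgrnam($opt_group))`, which has the same gap.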
|
||||
|
|
|
@ -753,7 +753,7 @@
|
|||
"pamAuthnLevel":"Niveau d'authentification",
|
||||
"pamParams":"Paramètres PAM",
|
||||
"pamService":"Service PAM",
|
||||
"password":"Mot-de-passe",
|
||||
"password":"Mot de passe",
|
||||
"passwordDB":"Module de mot de passe",
|
||||
"passwordManagement":"Gestion des mots de passe",
|
||||
"passwordPolicy":"Politique des mots de passe",
|
||||
|
@ -878,8 +878,8 @@
|
|||
"restFindUserDBUrl":"URL des comptes utilisateurs",
|
||||
"restParams":"Paramètres REST",
|
||||
"restPasswordServer":"Serveur de réinitialisation de mdp",
|
||||
"restPwdConfirmUrl":"URL de confirmation de mot-de-passe",
|
||||
"restPwdModifyUrl":"URL de modification de mot-de-passe",
|
||||
"restPwdConfirmUrl":"URL de confirmation de mot de passe",
|
||||
"restPwdModifyUrl":"URL de modification de mot de passe",
|
||||
"restServices":"Services REST",
|
||||
"restSessionServer":"Serveur de sessions",
|
||||
"restUserDBUrl":"URL de données utilisateurs",
|
||||
|
|
|
@ -790,7 +790,7 @@
|
|||
"portalDisplayRefreshMyRights":"Görüntüleme hakları yenileme bağlantısı",
|
||||
"portalDisplayRegister":"Yeni hesap kaydet",
|
||||
"portalDisplayResetPassword":"Parolayı sıfırla",
|
||||
"portalEnablePasswordDisplay":"Allow to display password",
|
||||
"portalEnablePasswordDisplay":"Parolayı göstermeye izin ver",
|
||||
"portalErrorOnExpiredSession":"Süresi dolmuş oturumda hatayı göster",
|
||||
"portalErrorOnMailNotFound":"E-posta bulunamadığında hatayı göster",
|
||||
"portalForceAuthn":"Kimlik doğrulamaya zorla",
|
||||
|
|
|
@ -94,6 +94,11 @@ sub run {
|
|||
|
||||
# We use a specific text message, no html
|
||||
$body = $self->conf->{mail2fBody};
|
||||
|
||||
# Replace variables in body
|
||||
$body =~ s/\$code/$code/g;
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
}
|
||||
else {
|
||||
|
||||
|
@ -109,12 +114,6 @@ sub run {
|
|||
$html = 1;
|
||||
}
|
||||
|
||||
# Replace variables in body
|
||||
# FIXME: kept for compatibility with 2.0.0 mail templates
|
||||
# in future versions this should only happen for plaintext emails
|
||||
$body =~ s/\$code/$code/g;
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
# Send mail
|
||||
unless ( $self->send_mail( $dest, $subject, $body, $html ) ) {
|
||||
$self->logger->error( 'Unable to send 2F code mail to ' . $dest );
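Review bot: With the generic `s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge` pass now living only in the plaintext branch, the order of the two substitutions there is load-bearing: `$code` is replaced first because the generic pass turns any `$word` that is not a sessionInfo key into an empty string, which would erase the one-time code; a comment such as `# Substitute $code before the generic pass, which blanks unknown placeholders` would protect that ordering. The HTML branch (the `else` in the first hunk, body outside the hunks) no longer receives these substitutions at all, so HTML templates that still relied on `$code` placeholders — the compatibility the removed FIXME mentioned — will presumably now send a mail without the code; if that is intended, an upgrade note would help. The same restructuring is applied in _certificateReset, modifyCertificate, _reset, changePwd and _register further down.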
|
||||
|
|
|
@ -1358,8 +1358,7 @@ sub sendOIDCError {
|
|||
sub returnBearerError {
|
||||
my ( $self, $error_code, $error_message ) = @_;
|
||||
|
||||
# TODO: verify this
|
||||
return [
|
||||
my $res = [
|
||||
401,
|
||||
[
|
||||
'WWW-Authenticate' =>
|
||||
|
@ -1367,6 +1366,10 @@ sub returnBearerError {
|
|||
],
|
||||
[]
|
||||
];
|
||||
|
||||
$self->p->setCorsHeaderFromConfig($res);
|
||||
|
||||
return $res;
|
||||
}
|
||||
|
||||
sub checkEndPointAuthenticationCredentials {
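Review bot: The `# TODO: verify this` comment sitting above `my $res = [` is still there after the response construction was reworked, without saying what needs verifying; either drop it or state the open question, e.g. `# TODO: confirm the WWW-Authenticate challenge format against RFC 6750 §3`. Adding the configured CORS headers to the 401 bearer error matches the new test's expectation; a one-line comment `# CORS headers are needed here too, so browser clients can read the 401 error body` would explain why an error path gets them.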
|
||||
|
|
|
@ -531,13 +531,13 @@ sub findEP {
|
|||
}
|
||||
}
|
||||
}
|
||||
$self->logger->debug("Plugin $plugin initializated");
|
||||
$self->logger->debug("Plugin $plugin initialized");
|
||||
|
||||
# Rules for menu
|
||||
if ( $obj->can('spRules') ) {
|
||||
foreach my $k ( keys %{ $obj->{spRules} } ) {
|
||||
$self->logger->info(
|
||||
"$k is defined more than one time, it can have some bad effect on Menu display"
|
||||
"$k is defined more than one time, it can have some bad effects on Menu display"
|
||||
) if ( $self->spRules->{$k} );
|
||||
$self->spRules->{$k} = $obj->{spRules}->{$k};
|
||||
}
|
||||
|
|
|
@ -875,12 +875,7 @@ sub sendHtml {
|
|||
'Pragma' => 'no-cache', # HTTP 1.0
|
||||
'Expires' => '0'; # Proxies
|
||||
|
||||
if ( $self->conf->{corsEnabled} ) {
|
||||
my @cors = split /;/, $self->cors;
|
||||
push @{ $res->[1] }, @cors;
|
||||
$self->logger->debug('Apply following CORS policy :');
|
||||
$self->logger->debug(" $_") for @cors;
|
||||
}
|
||||
$self->setCorsHeaderFromConfig($res);
|
||||
|
||||
# Set authorized URL for POST
|
||||
my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
|
||||
|
@ -1086,7 +1081,7 @@ sub registerLogin {
|
|||
}
|
||||
|
||||
my $history = $req->sessionInfo->{_loginHistory} ||= {};
|
||||
my $type = ( $req->authResult > 0 ? 'failed' : 'success' ) . 'Login';
|
||||
my $type = ( $req->authResult > 0 ? 'failed' : 'success' ) . 'Login';
|
||||
$history->{$type} ||= [];
|
||||
$self->logger->debug("Current login saved into $type");
|
||||
|
||||
|
@ -1129,13 +1124,11 @@ sub _sumUpSession {
|
|||
sub corsPreflight {
|
||||
my ( $self, $req ) = @_;
|
||||
my @headers;
|
||||
if ( $self->conf->{corsEnabled} ) {
|
||||
my @cors = split /;/, $self->cors;
|
||||
push @headers, @cors;
|
||||
$self->logger->debug('Apply following CORS policy :');
|
||||
$self->logger->debug(" $_") for @cors;
|
||||
}
|
||||
return [ 204, \@headers, [] ];
|
||||
my $res = [ 204, \@headers, [] ];
|
||||
|
||||
$self->setCorsHeaderFromConfig($res);
|
||||
|
||||
return $res;
|
||||
}
|
||||
|
||||
sub sendJSONresponse {
|
||||
|
@ -1164,11 +1157,8 @@ sub sendJSONresponse {
|
|||
"Access-Control-Allow-Credentials" => "true";
|
||||
|
||||
}
|
||||
elsif ( $self->conf->{corsEnabled} ) {
|
||||
my @cors = split /;/, $self->cors;
|
||||
push @{ $res->[1] }, @cors;
|
||||
$self->logger->debug('Apply following CORS policy :');
|
||||
$self->logger->debug(" $_") for @cors;
|
||||
else {
|
||||
$self->setCorsHeaderFromConfig($res);
|
||||
}
|
||||
return $res;
|
||||
}
|
||||
|
@ -1176,13 +1166,21 @@ sub sendJSONresponse {
|
|||
sub sendRawHtml {
|
||||
my ($self) = $_[0];
|
||||
my $res = Lemonldap::NG::Common::PSGI::sendRawHtml(@_);
|
||||
|
||||
$self->setCorsHeaderFromConfig($res);
|
||||
|
||||
return $res;
|
||||
}
|
||||
|
||||
sub setCorsHeaderFromConfig {
|
||||
my ( $self, $response ) = @_;
|
||||
|
||||
if ( $self->conf->{corsEnabled} ) {
|
||||
my @cors = split /;/, $self->cors;
|
||||
push @{ $res->[1] }, @cors;
|
||||
push @{ $response->[1] }, @cors;
|
||||
$self->logger->debug('Apply following CORS policy :');
|
||||
$self->logger->debug(" $_") for @cors;
|
||||
}
|
||||
return $res;
|
||||
}
|
||||
|
||||
# Temlate loader
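Review bot: `setCorsHeaderFromConfig` ends on the `if` block, so its implicit return value is whatever the last statement in that block happened to produce; since every caller in this commit ignores the result and the helper works by mutating `$response->[1]` in place, an explicit `return;` after the `if` and a header comment, `# Append the configured CORS headers to a PSGI response triple, in place`, would make the contract clear. The headers are pushed as the flat output of `split /;/, $self->cors`, so the configured string is assumed to hold an even number of `;`-separated name/value fields — presumably guaranteed where `cors` is built; a `# assumes $self->cors is "Name;Value;..." — TODO confirm` note would flag it. This helper replaces the inline blocks in sendHtml, corsPreflight and sendJSONresponse above and is also called from returnBearerError.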
|
||||
|
|
|
@ -371,6 +371,13 @@ sub _certificateReset {
|
|||
|
||||
# We use a specific text message, no html
|
||||
$body = $self->conf->{certificateResetByMailStep1Body};
|
||||
|
||||
# Replace variables in body
|
||||
$body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
|
||||
$body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
|
||||
$body =~ s/\$url/$url/g;
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
}
|
||||
else {
|
||||
|
||||
|
@ -387,14 +394,6 @@ sub _certificateReset {
|
|||
$html = 1;
|
||||
}
|
||||
|
||||
# Replace variables in body
|
||||
# FIXME: kept for compatibility with 2.0.0 mail templates
|
||||
# in future versions this should only happen for plaintext emails
|
||||
$body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
|
||||
$body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
|
||||
$body =~ s/\$url/$url/g;
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
# Send mail
|
||||
unless (
|
||||
$self->send_mail(
|
||||
|
@ -555,6 +554,10 @@ sub modifyCertificate {
|
|||
|
||||
# We use a specific text message, no html
|
||||
$body = $self->conf->{certificateResetByMailStep2Body};
|
||||
|
||||
# Replace variables in body
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
}
|
||||
else {
|
||||
|
||||
|
@ -568,11 +571,6 @@ sub modifyCertificate {
|
|||
$html = 1;
|
||||
}
|
||||
|
||||
# Replace variables in body
|
||||
# FIXME: kept for compatibility with 2.0.0 mail templates
|
||||
# in future versions this should only happen for plaintext emails
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
# Send mail
|
||||
return PE_MAILERROR
|
||||
unless $self->send_mail( $req->data->{mailAddress}, $subject, $body,
|
||||
|
|
|
@ -335,6 +335,13 @@ sub _reset {
|
|||
|
||||
# We use a specific text message, no html
|
||||
$body = $self->conf->{mailConfirmBody};
|
||||
|
||||
# Replace variables in body
|
||||
$body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
|
||||
$body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
|
||||
$body =~ s/\$url/$url/g;
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
}
|
||||
else {
|
||||
|
||||
|
@ -352,14 +359,6 @@ sub _reset {
|
|||
$html = 1;
|
||||
}
|
||||
|
||||
# Replace variables in body
|
||||
# FIXME: kept for compatibility with 2.0.0 mail templates
|
||||
# in future versions this should only happen for plaintext emails
|
||||
$body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
|
||||
$body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
|
||||
$body =~ s/\$url/$url/g;
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
$self->logger->info( "User "
|
||||
. $req->data->{mailAddress}
|
||||
. " is trying to reset his/her password" );
|
||||
|
@ -515,6 +514,11 @@ sub changePwd {
|
|||
|
||||
# We use a specific text message, no html
|
||||
$body = $self->conf->{mailBody};
|
||||
|
||||
# Replace variables in body
|
||||
$body =~ s/\$password/$password/g;
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
}
|
||||
else {
|
||||
|
||||
|
@ -530,12 +534,6 @@ sub changePwd {
|
|||
$html = 1;
|
||||
}
|
||||
|
||||
# Replace variables in body
|
||||
# FIXME: kept for compatibility with 2.0.0 mail templates
|
||||
# in future versions this should only happen for plaintext emails
|
||||
$body =~ s/\$password/$password/g;
|
||||
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
|
||||
|
||||
# Send mail
|
||||
return PE_MAILERROR
|
||||
unless $self->send_mail( $req->data->{mailAddress}, $subject, $body,
|
||||
|
|
|
@ -322,14 +322,6 @@ sub _register {
|
|||
},
|
||||
);
|
||||
|
||||
# Replace variables in body
|
||||
# FIXME: kept for compatibility with 2.0.0 mail templates
|
||||
# in future versions this should only happen for plaintext emails
|
||||
$body =~ s/\$expMailDate/$req->data->{expMailDate}/g;
|
||||
$body =~ s/\$expMailTime/$req->data->{expMailTime}/g;
|
||||
$body =~ s/\$url/$url/g;
|
||||
$body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/eg;
|
||||
|
||||
# Send mail
|
||||
return PE_MAILERROR
|
||||
unless $self->send_mail( $req->data->{registerInfo}->{mail},
|
||||
|
@ -397,12 +389,6 @@ sub _register {
|
|||
},
|
||||
);
|
||||
|
||||
# Replace variables in body
|
||||
# FIXME: kept for compatibility with 2.0.0 mail templates
|
||||
# in future versions this should only happen for plaintext emails
|
||||
$body =~ s/\$url/$url/g;
|
||||
$body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/ge;
|
||||
|
||||
# Send mail
|
||||
return PE_MAILERROR
|
||||
unless $self->send_mail( $req->data->{registerInfo}->{mail},
|
||||
|
|
|
@ -33,5 +33,19 @@ $(window).on("load", function() {
|
|||
modal.find('.remove2f').attr('epoch', epoch)
|
||||
})
|
||||
|
||||
// Set tab items (my applications, password, history, logout) tabbable
|
||||
// (ie accessible via tab key)
|
||||
// needed because of jquery-ui setting only active element tabbable
|
||||
// (see #2561)
|
||||
$('.nav-item').click(function() {
|
||||
$('.nav-item').attr( "tabIndex", 0 );
|
||||
});
|
||||
$('.nav-item').focusin(function() {
|
||||
$('.nav-item').attr( "tabIndex", 0 );
|
||||
});
|
||||
$('.nav-item').focusout(function() {
|
||||
$('.nav-item').attr( "tabIndex", 0 );
|
||||
});
|
||||
|
||||
|
||||
});
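Review bot: The three handlers on `.nav-item` (`click`, `focusin`, `focusout`) run the identical body, so they can be registered once, `$('.nav-item').on('click focusin focusout', function () { $('.nav-item').attr('tabIndex', 0); });`, which also keeps the `#2561` comment attached to a single statement. Re-querying `$('.nav-item')` inside the handler is presumably deliberate so items added later are covered; if not, the outer selection can be reused.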
|
||||
|
|
|
@ -1 +1 @@
|
|||
$(window).on("load",function(){$("div.message-positive").addClass("alert-success"),$("div.message-warning").addClass("alert-warning"),$("div.message-negative").addClass("alert-danger"),$("table.info").addClass("table"),$(".notifCheck").addClass("checkbox"),$('.collapse li[class!="dropdown"]').on("click",function(){$(".navbar-toggler").hasClass("collapsed")||$(".navbar-toggler").trigger("click")}),$("#authMenu .nav-link").on("click",function(a){window.datas.choicetab=a.target.hash.substr(1)}),$("#remove2fModal").on("show.bs.modal",function(a){var e=$(a.relatedTarget),s=e.attr("device"),a=e.attr("epoch"),e=$(this);e.find(".remove2f").attr("device",s),e.find(".remove2f").attr("epoch",a)})});
|
||||
$(window).on("load",function(){$("div.message-positive").addClass("alert-success"),$("div.message-warning").addClass("alert-warning"),$("div.message-negative").addClass("alert-danger"),$("table.info").addClass("table"),$(".notifCheck").addClass("checkbox"),$('.collapse li[class!="dropdown"]').on("click",function(){$(".navbar-toggler").hasClass("collapsed")||$(".navbar-toggler").trigger("click")}),$("#authMenu .nav-link").on("click",function(a){window.datas.choicetab=a.target.hash.substr(1)}),$("#remove2fModal").on("show.bs.modal",function(a){var t=$(a.relatedTarget),e=t.attr("device"),a=t.attr("epoch"),t=$(this);t.find(".remove2f").attr("device",e),t.find(".remove2f").attr("epoch",a)}),$(".nav-item").click(function(){$(".nav-item").attr("tabIndex",0)}),$(".nav-item").focusin(function(){$(".nav-item").attr("tabIndex",0)}),$(".nav-item").focusout(function(){$(".nav-item").attr("tabIndex",0)})});
|
|
@ -1 +1 @@
|
|||
{"version":3,"sources":["skin.js"],"names":["$","window","on","addClass","hasClass","trigger","e","datas","choicetab","target","hash","substr","event","button","relatedTarget","device","attr","epoch","modal","this","find"],"mappings":"AAAAA,EAAEC,QAAQC,GAAG,OAAQ,WAGnBF,EAAE,wBAAwBG,SAAS,iBACnCH,EAAE,uBAAuBG,SAAS,iBAClCH,EAAE,wBAAwBG,SAAS,gBAEnCH,EAAE,cAAcG,SAAS,SAEzBH,EAAE,eAAeG,SAAS,YAG1BH,EAAE,mCAAmCE,GAAG,QAAS,WAC1CF,EAAE,mBAAmBI,SAAS,cACjCJ,EAAE,mBAAmBK,QAAQ,WAKjCL,EAAE,uBAAuBE,GAAG,QAAS,SAAUI,GAC3CL,OAAOM,MAAMC,UAAYF,EAAEG,OAAOC,KAAKC,OAAO,KAIlDX,EAAE,kBAAkBE,GAAG,gBAAiB,SAAUU,GAClD,IAAIC,EAASb,EAAEY,EAAME,eACjBC,EAASF,EAAOG,KAAK,UACrBC,EAAQJ,EAAOG,KAAK,SACpBE,EAAQlB,EAAEmB,MAGdD,EAAME,KAAK,aAAaJ,KAAK,SAAUD,GACvCG,EAAME,KAAK,aAAaJ,KAAK,QAASC"}
|
||||
{"version":3,"sources":["skin.js"],"names":["$","window","on","addClass","hasClass","trigger","e","datas","choicetab","target","hash","substr","event","button","relatedTarget","device","attr","epoch","modal","this","find","click","focusin","focusout"],"mappings":"AAAAA,EAAEC,QAAQC,GAAG,OAAQ,WAGnBF,EAAE,wBAAwBG,SAAS,iBACnCH,EAAE,uBAAuBG,SAAS,iBAClCH,EAAE,wBAAwBG,SAAS,gBAEnCH,EAAE,cAAcG,SAAS,SAEzBH,EAAE,eAAeG,SAAS,YAG1BH,EAAE,mCAAmCE,GAAG,QAAS,WAC1CF,EAAE,mBAAmBI,SAAS,cACjCJ,EAAE,mBAAmBK,QAAQ,WAKjCL,EAAE,uBAAuBE,GAAG,QAAS,SAAUI,GAC3CL,OAAOM,MAAMC,UAAYF,EAAEG,OAAOC,KAAKC,OAAO,KAIlDX,EAAE,kBAAkBE,GAAG,gBAAiB,SAAUU,GAClD,IAAIC,EAASb,EAAEY,EAAME,eACjBC,EAASF,EAAOG,KAAK,UACrBC,EAAQJ,EAAOG,KAAK,SACpBE,EAAQlB,EAAEmB,MAGdD,EAAME,KAAK,aAAaJ,KAAK,SAAUD,GACvCG,EAAME,KAAK,aAAaJ,KAAK,QAASC,KAOtCjB,EAAE,aAAaqB,MAAM,WACnBrB,EAAE,aAAagB,KAAM,WAAY,KAEnChB,EAAE,aAAasB,QAAQ,WACrBtB,EAAE,aAAagB,KAAM,WAAY,KAEnChB,EAAE,aAAauB,SAAS,WACtBvB,EAAE,aAAagB,KAAM,WAAY"}
|
|
@ -234,7 +234,7 @@
|
|||
"openidPA":"La politique d'utilisation des données est disponible ici",
|
||||
"openidRpns":"Le paramètre %s exigé pour la fédération n'est pas disponible",
|
||||
"otherSessions":"Autres sessions ouvertes",
|
||||
"password":"Mot-de-passe",
|
||||
"password":"Mot de passe",
|
||||
"passwordPolicy":"Merci de respecter la politique suivante :",
|
||||
"passwordPolicyMinDigit":"Minimum de chiffres :",
|
||||
"passwordPolicyMinLower":"Minimum de minuscules :",
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
"hello":"Bonjour",
|
||||
"mail2fSubject":"[LemonLDAP::NG] Votre code de connexion",
|
||||
"mailConfirmSubject": "[LemonLDAP::NG] Confirmation de réinitialisation de mot de passe",
|
||||
"mailSubject": "[LemonLDAP::NG] Votre nouveau mot-de-passe",
|
||||
"mailSubject": "[LemonLDAP::NG] Votre nouveau mot de passe",
|
||||
"newPwdIs":"Votre nouveau mot de passe est",
|
||||
"pwdChanged":"Votre mot de passe a été changé.",
|
||||
"pwdIs":"Votre mot de passe est",
|
||||
|
|
|
@ -150,6 +150,10 @@ count(1);
|
|||
# Expect an invalid request
|
||||
expectReject( $res, 400, "invalid_grant" );
|
||||
|
||||
is( getHeader( $res, "Access-Control-Allow-Origin" ),
|
||||
"*", "CORS header present on Token error response" );
|
||||
count(1);
|
||||
|
||||
# Get new code for RP1
|
||||
$query =
|
||||
"response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp.com%2F";
|
||||
|
@ -202,10 +206,36 @@ ok(
|
|||
"Post auth code on correct RP"
|
||||
);
|
||||
count(1);
|
||||
|
||||
is( getHeader( $res, "Access-Control-Allow-Origin" ),
|
||||
"*", "CORS header present on Token response" );
|
||||
count(1);
|
||||
|
||||
$res = expectJSON($res);
|
||||
my $token = $res->{access_token};
|
||||
ok( $token, 'Access token present' );
|
||||
count(1);
|
||||
|
||||
ok(
|
||||
$res = $op->_post(
|
||||
"/oauth2/userinfo",
|
||||
IO::String->new(""),
|
||||
accept => 'text/html',
|
||||
length => 0,
|
||||
custom => {
|
||||
HTTP_AUTHORIZATION => "Bearer " . $token,
|
||||
},
|
||||
),
|
||||
"post to userinfo",
|
||||
);
|
||||
count(1);
|
||||
ok( $res->[0] == 200, "Userinfo successful" );
|
||||
count(1);
|
||||
|
||||
is( getHeader( $res, "Access-Control-Allow-Origin" ),
|
||||
"*", "CORS header present on userinfo response" );
|
||||
count(1);
|
||||
|
||||
Time::Fake->offset("+2h");
|
||||
|
||||
ok(
|
||||
|
@ -224,6 +254,10 @@ count(1);
|
|||
ok( $res->[0] == 401, "Access denied with expired token" );
|
||||
count(1);
|
||||
|
||||
is( getHeader( $res, "Access-Control-Allow-Origin" ),
|
||||
"*", "CORS header present on userinfo error response" );
|
||||
count(1);
|
||||
|
||||
clean_sessions();
|
||||
done_testing( count() );
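Review bot: The new `is( getHeader( $res, "Access-Control-Allow-Origin" ), "*", ... )` checks pin the header value to the literal `*`, which presumably comes from this test's portal configuration; a short comment naming that setting would keep the expectation readable. Since sendJSONresponse has a separate branch that emits `Access-Control-Allow-Credentials: true`, it would also be worth asserting here that this header is absent on the wildcard responses, because browsers reject `*` combined with credentials and the combination would otherwise go unnoticed.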
|
||||
|
||||
|
|
|
@ -34,8 +34,8 @@
|
|||
# Main package
|
||||
#==============================================================================
|
||||
Name: lemonldap-ng
|
||||
Version: 2.0.11
|
||||
Release: %{?pre_release:0.}2%{?pre_release:.%{pre_release}}%{?dist}
|
||||
Version: 2.0.12
|
||||
Release: %{?pre_release:0.}1%{?pre_release:.%{pre_release}}%{?dist}
|
||||
Summary: LemonLDAP-NG WebSSO
|
||||
License: GPLv2+
|
||||
URL: http://lemonldap-ng.org
|
||||
|
@ -745,6 +745,9 @@ fi
|
|||
# Changelog
|
||||
#==============================================================================
|
||||
%changelog
|
||||
* Thu Jul 22 2021 Clement Oudot <clem.oudot@gmail.com> - 2.0.12-1
|
||||
- Update to 2.0.12
|
||||
|
||||
* Wed Mar 17 2021 Xavier Bachelot <xavier@bachelot.org> - 2.0.11-2
|
||||
- Add BR: make
|
||||
|
||||
|
|