Merge branch 'v2.0'

This commit is contained in:
Yadd 2021-08-01 08:38:55 +02:00
commit ac1cfd6398
47 changed files with 407 additions and 146 deletions


@ -37,6 +37,8 @@ Before release
- Check Debian packages quality
$ cme check dpkg
- Update doc/admin/documentation.rst to display vulnerable packaged versions
For minor release
-----------------


@ -85,6 +85,7 @@
},
"authentication" : "Demo",
"cfgAuthor" : "The LemonLDAP::NG team",
"cfgDate" : "1627287638",
"cfgNum" : 1,
"cfgVersion" : "2.1.0",
"cookieName" : "lemonldap",


@ -1,3 +1,86 @@
lemonldap-ng (2.0.12) focal; urgency=medium
* Bugs:
* #2153: logout forward url pointing to a protected application cause infinite redirection (pdata)
* #2439: Unable to configure oidcOPMetaDataJSON and oidcOPMetaDataJWKS trough lemonldap-ng-cli
* #2453: Manager API: missing doc and array handling of additional audiences
* #2455: llng-fastcgi-server exited with signal 13
* #2459: Debian packages: missing dependency to gsfonts may break Captcha
* #2460: "Underlying object can't load conf" in v2.0.11
* #2463: Portal plugin hooks triggered multiple times after reload
* #2469: mySessionAuthorizedRWKeys causes internal server error when removing OIDC consent
* #2474: OAuth2 endpoints should return an error when multiple client authentication methods are used
* #2475: OIDC: Invalid error code returned in badAuthRequest
* #2477: [security:low] Wildcard in virtualhost allows being redirected to untrusted domains
* #2480: Set an authLevel and disable ReAuthentication plugin leads to an endless loop
* #2481: missing _utime in OIDC Client Credential sessions
* #2482: unexpected persistent sessions appear since 2.0.10
* #2483: Second factor removal does not work when hiding session ids from manager
* #2487: Incorrect error reporting in convertSessions
* #2489: Do not grant the openid scope during Resource Owner Password Grant
* #2493: Unable to register a new configuration attribute with CLI when option force is enabled and backend is RDBI
* #2495: [security:medium] XSS on register form
* #2498: convertSessions does not filter sessionKind correctly
* #2503: REST/SOAP exported attributes are not sent by REST server
* #2509: Local password policy: Allowing ALL special characters does not work
* #2511: expires_in in token response has the wrong JSON type in some cases
* #2513: LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser
* #2518: SAML: persistent NameID is empty when using "unspecified" format on SP side
* #2520: Missing translations for DBI configuration
* #2525: Gracefully handle invalid perl expression in CAS/SAML/OIDC
* #2529: [bug] OIDC userinfo as jwt not readable
* #2531: calling to_json with hash containing file handle fails
* #2534: CDA does not work with wildcard vhosts
* #2535: [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
* #2539: [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
* #2541: Misleading TOTP options
* #2543: [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
* #2547: Parameter oidcRPMetaDataOptionsUserInfoSignAlg is missing in Manager
* #2548: OpenID Connect ACR value can't be configured with something else than 'loa-...'
* #2549: [security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity
* #2550: Token endpoint should only emit ID token when scope contains "openid"
* New features:
* #1976: FindUser plugin
* #2451: CrowdSec plugin to query Crowdsec server
* #2458: CheckDevOps plugin
* #2510: Hook on password change
* #2532: add oidcGenerateCode hook
* #2554: Remove OIDC checksession iframe from metadata
* Improvements:
* #2260: Missing elements in sphinx documentation (mongodb)
* #2419: Support JWT as OAuth 2.0 Bearer Access Tokens
* #2424: Feature: Scope Rules
* #2454: Append a Show/Hide password button into login form
* #2456: Prevent DevOps handler to send hidden session attributes
* #2462: Use timezone provided in input dates in extended function "checkDate"
* #2465: Force OIDC error messages to use JSON
* #2472: Loading metadata can be slow due to parsing of default certificate bundle
* #2484: Hook for populating client credential session
* #2488: Allow selection of AssertionConsumerServiceURL in IDP-Initiated SAML login
* #2496: Add new option to ignore undeclared OIDC scopes
* #2499: add key mapper for convertSession
* #2502: Resource Owner Password fails with PE_FIRSTACCESS when using Auth::Choice
* #2506: CAS: add an option to forbid host-based matching
* #2521: Avoid browsers parameter hide placeholder
* #2533: add hooks for CAS issuer
* #2536: optimize SingleSession to avoid unneeded session fetches
* #2544: Default 2FA register timeout is too low
* #2557: Avoid browsers to store new, old and confirmed password during update process
* #2562: Add --user/--group options to lmConfigEditor and lemonldap-ng-cli (user:group hardcoded to apache may not work correctly)
* Templates:
* #1976: FindUser plugin
* #2454: Append a Show/Hide password button into login form
* #2458: CheckDevOps plugin
* #2495: [security:medium] XSS on register form
* #2521: Avoid browsers parameter hide placeholder
* #2541: Misleading TOTP options
* #2557: Avoid browsers to store new, old and confirmed password during update process
-- Clément <clem.oudot@gmail.com> Thu, 22 Jul 2021 17:41:44 +0200
lemonldap-ng (2.0.11) focal; urgency=medium
* Bugs:

debian/changelog vendored

@ -1,3 +1,10 @@
lemonldap-ng (2.0.12-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Thu, 22 Jul 2021 22:00:00 +0100
lemonldap-ng (2.0.11-1) unstable; urgency=medium
* New release. See changes on our website:


@ -46,6 +46,7 @@ Options:
- ``-c``: job configuration file (mandatory)
- ``-r oldkey=newkey``: rename session keys during conversion (optional, can be given multiple times)
- ``-x key``: remove session keys during conversion (optional, can be given multiple times)
- ``-i``: ignore errors. By default errors will stop the script
execution
- ``-d``: print debugging output


@ -174,6 +174,11 @@ and is stored in the LemonLDAP::NG bin/ directory, for example
This script must be run as root, it will then use the Apache
user and group to access configuration.
.. tip::
You can change the user and group by setting ``--user`` and
``--group`` options in the command line.
The script uses the ``editor`` system command, that links to your
favorite editor. To change it:
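Review bot: The new ``.. tip::`` block says the user and group can be changed with ``--user`` and ``--group`` but does not repeat that the script still has to be started as root for the identity switch to happen; the sentence just above only states that for the default Apache identity. Suggest: "You can change the user and group the script switches to (it must still be run as root) by setting ``--user`` and ``--group`` options in the command line."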
@ -276,6 +281,11 @@ You can use accessors (options) to change the behavior:
configuration.
- -force: set it to 1 to save a configuration earlier than latest.
Additional options:
- --user=<user>: change user running the script
- --group=<group>: change group running the script
Some examples:
::
@ -283,6 +293,7 @@ Some examples:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -cfgNum 10 get exportedHeaders/test1.example.com
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set notification 1
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli get portal --user=nginx --group=nginx
.. tip::


@ -51,6 +51,7 @@ Debian
.. tip::
Following Debian Policy, LLNG packages are never upgraded in published distributions. However, security patches are backported by maintenance teams *(except some inor ones)*.
See `Security tracker <https://security-tracker.debian.org/tracker/source-package/lemonldap-ng>`__
=========== ======================== ======================================== ===================================================== ============================================================ =============================== =============================================================
Debian dist LLNG version Secured Maintenance LTS Limit `Extended LTS <https://wiki.debian.org/LTS/Extended>`__ Limit
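Review bot: The unchanged tip text just above the added Security tracker link reads *(except some inor ones)*; since this hunk already touches that paragraph, fix the typo to *minor*.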
@ -60,9 +61,9 @@ Debian dist LLNG version Se
**8** Jessie `1.3.3 </documentation/1.3/>`__ |clean| CVE-2019-19791 tagged as minor **None** [1]_ June 2020 Probably 2023
**9** Stretch `1.9.7 </documentation/1.9/>`__ |clean| CVE-2019-19791 tagged as minor `Debian LTS Team <https://www.debian.org/lts/>`__ June 2022
\ *Stretch-backports* `2.0.2 </documentation/2.0/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941 *None* *June 2019*
\ Stretch-backports-sloppy `2.0.9 </documentation/2.0/>`__ |bad| *Maybe none*, "best effort" [3]_ Until Debian 11 release [4]_
\ Stretch-backports-sloppy `2.0.11 </documentation/2.0/>`__ |maybe| *Maybe none*, "best effort" [3]_ Until Debian 11 release [4]_
**10** Buster `2.0.2 </documentation/2.0/>`__ |clean| CVE-2019-19791 tagged as minor `Debian Security Team <https://security-team.debian.org/>`__ Probably July 2024
\ Buster-backports `2.0.11 </documentation/2.0/>`__ |clean| `LLNG Team </team>`__ Until Debian 11 release [4]_
\ Buster-backports `2.0.11 </documentation/2.0/>`__ |clean| `LLNG Team </team>`, "best effort" [3]_ Until Debian 11 release [4]_
\ Bullseye `2.0.11 </documentation/2.0/>`__ |clean| `Debian Security Team <https://security-team.debian.org/>`__ Probably July 2026
**Next** Testing Latest [5]_ |clean| `LLNG Team </team>`__
=========== ======================== ======================================== ===================================================== ============================================================ =============================== =============================================================
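Review bot: In the new Buster-backports row, `LLNG Team </team>` is missing the trailing ``__`` that the Buster-backports line it replaces and every other link in the table carry, so Sphinx will render it as interpreted text rather than a hyperlink; write `LLNG Team </team>`__, "best effort" [3]_. The Stretch-backports-sloppy row also goes from |bad| on 2.0.9 to |maybe| on 2.0.11 although the Ubuntu table below marks 2.0.11 as affected by CVE-2021-35472 and CVE-2021-35473; state whether that backport carries the fix.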
@ -86,12 +87,9 @@ Ubuntu dist LLNG version Secured
14.04 Trusty `1.2.5 </documentation/1.2/>`__ |maybe| No known vulnerability None
16.04 Xenial [9]_ `1.4.6 </documentation/1.4/>`__ |bad| CVE-2019-12046, CVE-2019-13031 None
18.04 Bionic [9]_ `1.9.16 </documentation/1.9/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2020-24660 None
18.10 Cosmic `1.9.17 </documentation/1.9/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2020-24660 None
19.04 Disco `2.0.2 </documentation/2.0/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941, CVE-2020-24660 None
19.10 Eoan `2.0.5 </documentation/2.0/>`__ |bad| CVE-2019-15941, CVE-2020-24660 None
20.04 Focal [9]_ `2.0.7 </documentation/2.0/>`__ |bad| CVE-2020-24660 None
20.10 Groovy `2.0.8 </documentation/2.0/>`__ |bad| CVE-2020-24660 None
21.04 Hirsute `2.0.11 </documentation/2.0/>`__ |clean| None
20.04 Focal [9]_ `2.0.7 </documentation/2.0/>`__ |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473 None
20.10 Groovy `2.0.8 </documentation/2.0/>`__ |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473 None
21.04 Hirsute `2.0.11 </documentation/2.0/>`__ |bad| CVE-2021-35472, CVE-2021-35473 None
=========== ============= ================================ ==================================================================== ===========
Bug report
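Review bot: The rewritten Focal, Groovy and Hirsute rows now carry CVE-2021-35472 and CVE-2021-35473, but the Debian table above still lists Bullseye, with the same 2.0.11 release, as |clean| under the Debian Security Team; if Bullseye shipped a fixed package, say so in that row, otherwise mark it |bad| with the same CVEs so the two tables do not contradict each other.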
@ -139,8 +137,9 @@ Other
Possible `Extended LTS <https://wiki.debian.org/LTS/Extended>`__
.. [3]
updated by `LLNG Team </team>`__ until dependencies are compatible,
however this distribution seems unmaintained now
updated by `LLNG Team </team>`__ until dependencies are compatible.
Don't use backports unless you plan to update your system because
backports are not covered by Debian Security Policy
.. [4]
around September 2021


@ -6,6 +6,18 @@ used both for storing configuration and
:doc:`sessions<mongodbsessionbackend>`. You need to install Perl MongoDB
module to be able to use this backend.
For Debian, you can install mongodb module with:
::
apt install libmongodb-perl
For CentOS:
::
yum install perl-MongoDB
See :doc:`how to change configuration backend<changeconfbackend>` to
change your configuration database.


@ -20,6 +20,21 @@ Perl module (version ⩾ 0.15 required). You also need a recent version of
client <http://search.cpan.org/~mongodb/MongoDB-v1.2.2/>`__ (version ⩾
1.00 required).
For Debian, you can install mongodb module and Apache::Session module with:
::
apt install libmongodb-perl
cpan Apache::Session::MongoDB
For CentOS:
::
yum install perl-MongoDB
cpan Apache::Session::MongoDB
In the manager: set
`Apache::Session::MongoDB <http://search.cpan.org/perldoc?Apache::Session::MongoDB>`__
in ``General parameters`` » ``Sessions`` » ``Session storage`` »
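Review bot: The ``cpan Apache::Session::MongoDB`` step installs an unpinned module from CPAN as root on an SSO host, outside the distribution's package management and security updates, while the same hunk correctly points to the distribution package (libmongodb-perl / perl-MongoDB) for the driver; say that the distribution package should be preferred where one exists, and that a module installed with cpan has to be tracked for updates separately.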


@ -32,7 +32,7 @@ Name Comment Example
**sentinels** Redis sentinels list 127.0.0.1:26379,127.0.0.2:26379,127.0.0.3:26379
**service** Sentinel service name mymaster
**password** password (== requirepass) ChangeMe
**select** Redis DB 1
**database** Redis DB 1
**Index** Fields to index refer to :ref:`fieldstoindex`
============= =========================== ===============================================
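Review bot: Renaming the documented row from **select** to **database** is a silent break for existing Redis session configurations if the backend no longer reads ``select``; state which key the backend actually honours and, if both are accepted, keep a one-line note about the old name.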


@ -60,6 +60,7 @@ casAuthnLevel CAS authentication level
casSrvMetaDataOptions Root of CAS server options ✔ [1]
casStorage Apache::Session module to store CAS user data ✔
casStorageOptions Apache::Session module parameters ✔
casStrictMatching Disable host-based matching of CAS services ✔
cda Enable Cross Domain Authentication ✔ ✔
certificateResetByMailCeaAttribute ✔
certificateResetByMailCertificateAttribute ✔
@ -75,6 +76,8 @@ cfgDate Timestamp of the current
cfgLog Configuration update log ✔ ✔
cfgNum Enable Cross Domain Authentication ✔ ✔
cfgVersion Version of LLNG which build configuration ✔ ✔
checkDevOps Enable check DevOps ✔
checkDevOpsDownload Enable check DevOps download field ✔
checkState Enable CheckState plugin ✔
checkStateSecret Secret token for CheckState plugin ✔
checkTime Timeout to check new configuration in local cache ✔ ✔ ✔
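Review bot: The unchanged cfgNum row in this hunk describes the parameter as "Enable Cross Domain Authentication", a copy of the cda row; since checkDevOps and checkDevOpsDownload are inserted right below it, fix the description to "Configuration number" in the same change.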
@ -110,6 +113,10 @@ corsAllow_Origin Allowed origine for Cros
corsEnabled Enable Cross-Origin Resource Sharing ✔
corsExpose_Headers Exposed headers for Cross-Origin Resource Sharing ✔
corsMax_Age MAx-age for Cross-Origin Resource Sharing ✔
crowdsec CrowdSec plugin activation ✔
crowdsecAction CrowdSec action ✔
crowdsecKey CrowdSec API key ✔
crowdsecUrl Base URL of CrowdSec local API ✔
cspConnect Authorized Ajax destination for Content-Security-Policy ✔
cspDefault Default value for Content-Security-Policy ✔
cspFont Font source for Content-Security-Policy ✔
@ -273,9 +280,9 @@ log4perlConfFile Log4Perl logger configur
logLevel Log level, must be set in .ini ✔ ✔ ✔ ✔
logger technical logger ✔ ✔ ✔ ✔
loginHistoryEnabled Enable login history ✔
logoutServices Send logout through GET request to these services ✔
lwpOpts Options given to LWP::UserAgent
lwpSslOpts SSL options given to LWP::UserAgent
logoutServices Send logout trough GET request to these services ✔
lwpOpts Options passed to LWP::UserAgent
lwpSslOpts SSL options passed to LWP::UserAgent
macros Macros ✔
mail2fActivation Mail second factor activation ✔
mail2fAuthnLevel Authentication level for users authenticated by Mail second factor ✔
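Review bot: The rewritten logoutServices line introduces a typo, "Send logout trough GET request", where the line it replaces had "through"; keep "through".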
@ -333,6 +340,7 @@ oidcServiceAllowAuthorizationCodeFlow OpenID Connect allow aut
oidcServiceAllowDynamicRegistration OpenID Connect allow dynamic client registration ✔
oidcServiceAllowHybridFlow OpenID Connect allow hybrid flow ✔
oidcServiceAllowImplicitFlow OpenID Connect allow implicit flow ✔
oidcServiceAllowOnlyDeclaredScopes OpenID Connect allow only declared scopes ✔
oidcServiceAuthorizationCodeExpiration OpenID Connect global code TTL ✔
oidcServiceDynamicRegistrationExportedVars OpenID Connect exported variables for dynamic registration ✔
oidcServiceDynamicRegistrationExtraClaims OpenID Connect extra claims for dynamic registration ✔
@ -403,6 +411,7 @@ portalDisplayPasswordPolicy Display policy in passwo
portalDisplayRefreshMyRights Display link to refresh the user session ✔
portalDisplayRegister Display register button in portal ✔
portalDisplayResetPassword Display reset password button in portal ✔
portalEnablePasswordDisplay Allow to display password in login form ✔
portalErrorOnExpiredSession Show error if session is expired ✔
portalErrorOnMailNotFound Show error if mail is not found in password reset process ✔
portalForceAuthn Enable force to authenticate when displaying portal ✔
@ -534,6 +543,7 @@ sfEngine Second factor engine
sfExtra Extra second factors ✔
sfManagerRule Rule to display second factor Manager link ✔
sfOnlyUpgrade Only trigger second factor on session upgrade ✔
sfRegisterTimeout Timeout for 2F registration process ✔
sfRemovedMsgRule Display a message if at leat one expired SF has been removed ✔
sfRemovedNotifMsg Notification message ✔
sfRemovedNotifRef Notification reference ✔


@ -46,7 +46,7 @@ Custom CSS file
You can define a custom CSS file, for example ``custom.css``, which will
be loaded after default CSS files. This file needs to be created in the
static repository
(``/usr/share/lemonldap-ng/portal/htdocs/static/boostrap/css``).
(``/usr/share/lemonldap-ng/portal/htdocs/static/bootstrap/css``).
Then set this value in Custom CSS parameter :
``bootstrap/css/custom.css``.
@ -114,11 +114,17 @@ To achieve this, you can create a rule in the Manager: select
``General Parameters`` > ``Portal`` > ``Customization`` >
``Skin display rules`` on click on "New key". Then fill the two fields;
- **Rule**: a Perl expression (you can use %ENV hash to get environment
variables, or $_url to get URL called before redirection, or $ipAddr
to use user IP address). If the rule evaluation is true, the
corresponding skin is applied.
- **Skin**: the name of the skin to use.
- **Key**: a Perl expression (you can use ``%ENV`` hash to get environment
variables, or ``$_url`` to get URL called before redirection, or ``$ipAddr``
to use user IP address). If the rule evaluation is true, the corresponding
skin is applied.
- **Value**: the name of the skin to use.
Example:
```
$_url =~ m#^http://test1.example.com#
```
Skin files
~~~~~~~~~~
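Review bot: The Example block uses triple-backtick fences (the three lines after "Example:"), which reStructuredText does not understand, so the backticks will be printed literally in the rendered page; use the file's own ``::`` literal-block form, i.e. "Example::" followed by an indented ``$_url =~ m#^http://test1.example.com#``.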


@ -77,3 +77,7 @@ You can also add some other parameters
# LWP::UserAgent parameters
proxyOptions = { timeout => 5 }
`User` and `Password` parameters are only used if the entry point `index.fcgi/config`
is protected by a basic authentication. Thus, handlers will make requests to the portal
using these parameters.


@ -68,6 +68,10 @@ Name Comment Example
**password** Password to use for auth basic mechanism
=================== ======================================== ==================================================
`user` and `password` parameters are only used if the entry point `index.fcgi/sessions/global`
is protected by a basic authentication. Thus, handlers will make requests to the portal
using these parameters.
.. attention::
@ -86,7 +90,7 @@ configuration (for example, access by IP range):
# REST/SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
Require 192.168.2.0/24
Require ip 192.168.2.0/24
</Location>
Real session backend


@ -78,12 +78,12 @@ configuration (for example, access by IP range):
# SOAP functions for sessions management (disabled by default)
<Location /index.fcgi/adminSessions>
Require 192.168.2.0/24
Require ip 192.168.2.0/24
</Location>
# SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
Require 192.168.2.0/24
Require ip 192.168.2.0/24
</Location>
Real session backend


@ -30,13 +30,40 @@ None
2.0.12
------
Security
~~~~~~~~
* **CVE-2021-35473**: Access token lifetime is not verified with OAuth2 Handler (see `issue 2549 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2549>`__)
* **CVE-2021-35472**: Session cache corruption can lead to authorization bypass or spoofing (see `issue 2539 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539>`__)
* 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret (see `issue 2543 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2543>`__)
* Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application (see `issue 2535 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2535>`__)
* XSS on register form (see `issue 2495 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2495>`__)
* Wildcard in virtualhost allows being redirected to untrusted domains (see `issue 2477 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2477>`__)
Portal templates changes
~~~~~~~~~~~~~~~~~~~~~~~~
If you customized the HTML mail content, you must update them to use HTML::Template variables (this was changed to fix XSS injections).
For session variables, replace for example ``$cn`` by ``<TMPL_VAR NAME="session_cn" ESCAPE=HTML>``, and for other variables, replace for example ``$url`` by ``<TMPL_VAR NAME="url" ESCAPE=HTML>``.
Some changes have been made to include new plugins (FindUser and CheckDevOps), you need to report them only if you have a custom theme and you want to use these plugins
To benefit from the new feature allowing to show password on login form, adapt ``standardform.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/bdeb1e70d98ddc89316b0912d9d5ee6d11d0bee5#fbbcec1fdc36cc042eeaa83274a32ef2231fe977_23_23>`__)
To disable password store in browser when changing password (this was already possible for login form), adapt ``password.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/466b6a3241fff5013d27b3dd22982e5e26ed7dfb#0ae060b3d1e289f08f510c268ed72de5dcafe425_36_35>`__)
To fix placeholder display in password field when password store is disabled in browser, adapt ``password.tpl`` (see `changes <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/547d80985290495d33ed72a388e9ddf482980354#fbbcec1fdc36cc042eeaa83274a32ef2231fe977_21_20>`__)
See also "Simplification of TOTP options" below.
Client Credential sessions missing expiration time
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you started using Client Credential grants in 2.0.11, you may have encountered
`issue 2481 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2481>`__.
Because of this bug, the created sessions may never be purged by the `purgeCentralCache` script.
Because of this bug, the created sessions may never be purged by the ``purgeCentralCache`` script.
In order to detect these sessions, you can run the following command:
@ -78,7 +105,7 @@ The following options have been removed from TOTP configuration:
* Display existing secret (``totp2fDisplayExistingSecret``)
* Change existing secret (``totp2fUserCanChangeKey``)
As a consequence, users who are *not* using the default `bootstrap` skin may need to ajust their ``totp2fregister.tpl`` template:
As a consequence, users who are *not* using the default ``bootstrap`` skin may need to ajust their ``totp2fregister.tpl`` template:
* Move ``#divToHide`` from the ``.col-md-6`` div to the ``.card`` div
* Change::
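Review bot: The rewritten line "users who are *not* using the default ``bootstrap`` skin may need to ajust their ``totp2fregister.tpl`` template" keeps the typo "ajust" from the line it replaces; since the line is being touched, correct it to "adjust".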


@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "llng-fastcgi-server 8"
.TH llng-fastcgi-server 8 "2021-07-09" "perl v5.32.1" "User Contributed Perl Documentation"
.TH llng-fastcgi-server 8 "2021-08-01" "perl v5.32.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l


@ -40,6 +40,7 @@
"Cookie::Baker::XS" : "0",
"Crypt::URandom" : "0",
"DBI" : "0",
"Date::Parse" : "0",
"LWP::Protocol::https" : "0",
"Net::LDAP" : "0",
"SOAP::Lite" : "0",


@ -26,6 +26,7 @@ recommends:
Cookie::Baker::XS: '0'
Crypt::URandom: '0'
DBI: '0'
Date::Parse: '0'
LWP::Protocol::https: '0'
Net::LDAP: '0'
SOAP::Lite: '0'


@ -47,6 +47,7 @@ WriteMakefile(
'Convert::Base32' => 0,
'Cookie::Baker::XS' => 0,
'Crypt::URandom' => 0,
'Date::Parse' => 0,
'String::Random' => 0,
'DBI' => 0,
'Net::LDAP' => 0,


@ -16,18 +16,20 @@ use strict;
use Getopt::Long;
use Pod::Usage;
our $VERSION = "2.0.6";
our $VERSION = "2.0.12";
# Options
# -d: debug mode
# -c: configuration file
# -r: configuration file
# -r: rename attributes
# -i: ignore errors
# -x: exclude attributes
my $debug;
my $config_file;
my $ignore_errors;
my %rename;
my @exclude;
my $help;
my $nb_converted = 0;
my $nb_error = 0;
@ -38,6 +40,7 @@ GetOptions(
'config|c=s' => \$config_file,
'ignore-errors|i' => \$ignore_errors,
'rename|r=s' => \%rename,
'exclude|x=s' => \@exclude,
) or pod2usage(2);
pod2usage(
-exitval => 1,
@ -133,6 +136,16 @@ Lemonldap::NG::Common::Apache::Session->get_key_from_all_sessions(
}
}
if (@exclude) {
for my $excludekey (@exclude) {
if ( $entry->{$excludekey} ) {
print "Exclude $excludekey in session $id\n"
if $debug;
delete $entry->{$excludekey};
}
}
}
print "Processing session $id\n" if $debug;
my $s = Lemonldap::NG::Common::Session->new( {
storageModule => $backendTo->{backend},
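Review bot: The new exclude loop tests ``if ( $entry->{$excludekey} )``, so a key whose value is 0, an empty string or undef is never deleted even though ``-x`` is documented as removing the key; use ``exists $entry->{$excludekey}`` so the attribute is dropped regardless of its value.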


@ -3,15 +3,14 @@
use warnings;
use strict;
use POSIX;
use Getopt::Long;
use Getopt::Long qw(:config pass_through);
our $opt_user = '__APACHEUSER__';
our $opt_group = '__APACHEGROUP';
GetOptions (
"user=s" => \$opt_user,
"group=s" => \$opt_group
)
or die("Error in command line arguments\n");
our $opt_user = '__APACHEUSER__';
our $opt_group = '__APACHEGROUP__';
GetOptions(
"user=s" => \$opt_user,
"group=s" => \$opt_group
) or die("Error in command line arguments\n");
my $action;
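Review bot: ``use Getopt::Long qw(:config pass_through)`` makes GetOptions leave unrecognised options in @ARGV instead of failing, so a mistyped ``--usr=nginx`` is silently ignored and the script falls back to ``__APACHEUSER__``, which is not what a caller tightening permissions expects; if pass_through is needed so that the remaining arguments reach the editor, at least reject leftover arguments that start with ``--``. The correction of ``'__APACHEGROUP'`` to ``'__APACHEGROUP__'`` in the replaced lines deserves a changelog mention, since the old placeholder could never have been substituted at build time.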
@ -77,6 +76,10 @@ Options:
- sep <char> : separator of hierarchical values (by default: /)
- iniFile <file> : path to an alternate lemonldap-ng.ini file
Additional options:
- --user=<user> : change user running the script
- --group=<group> : change group running the script
See Lemonldap::NG::Manager::Cli(3) for more
};
}


@ -10,11 +10,13 @@ use strict;
use Getopt::Long;
use Pod::Usage;
our $VERSION = "2.0.9";
our $VERSION = "2.0.12";
# Options
my $opts = {};
my $help;
my $opt_user = '__APACHEUSER__';
my $opt_group = '__APACHEGROUP__';
GetOptions(
'help|h' => \$help,
@ -23,13 +25,15 @@ GetOptions(
'backend|b=s' => \$opts->{backend},
'persistent|p' => \$opts->{persistent},
'id-only|i' => \$opts->{idonly},
'user|u=s' => \$opt_user,
'group|g=s' => \$opt_group,
) or pod2usage( -exitcode => 1, -verbose => 0 );
pod2usage( -exitcode => 0, -verbose => 2 ) if $help;
eval {
POSIX::setgid( scalar( getgrnam('__APACHEGROUP__') ) );
POSIX::setuid( scalar( getpwnam('__APACHEUSER__') ) );
POSIX::setgid( scalar( getgrnam($opt_group) ) );
POSIX::setuid( scalar( getpwnam($opt_user) ) );
};
my $action = shift @ARGV;
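Review bot: ``POSIX::setuid( scalar( getpwnam($opt_user) ) )`` now takes a user-supplied name, and getpwnam returns undef for an unknown user, which Perl numifies to 0, so a mistyped ``--user`` leaves the script running as root; the surrounding ``eval`` also discards any failure without a message. Resolve the uid and gid first, ``die`` if either is undefined, and check the return value of setgid/setuid (or ``$@``) instead of an empty eval, so that an option meant for least privilege fails closed.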
@ -127,7 +131,8 @@ Options:
--persistent Search in persistent sessions
--where Set search filter (search/delete only)
--id-only Only return IDs (search only)
--user Change user running the script
--group Change group running the script
=head1 COMMANDS
@ -288,7 +293,7 @@ Examples:
=item B<--persistent>,B<-p>
This options is a shortcut for specifying --backend persistent and using
This option is a shortcut for specifying --backend persistent and using
the UID hash as a session ID
Example:
@ -303,7 +308,7 @@ is the same as
=item B<--id-only>,B<-i>
This option replace the standard JSON output format with a simpler format of
This option replaces the standard JSON output format with a simpler format of
one session ID per line.
This allows some intersting combos using xargs. For example, if you want to
@ -312,7 +317,13 @@ remove all sessions started by "dwho"
lemonldap-ng-sessions search --where uid=dwho --id-only | \
xargs lemonldap-ng-sessions delete
=item B<--user>,B<-u>
This option forces the system user that runs the script.
=item B<--group>,B<-g>
This option forces the system group that runs the script.
=back


@ -129,13 +129,7 @@ sub token {
# Fake reval method if useSafeJail is off
sub reval {
my ( $self, $e ) = @_;
my $res = eval $e;
if ($@) {
$self->error($@);
return undef;
}
return $res;
return eval $e;
}
## @method wrap_code_ref
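Review bot: With ``return eval $e;`` the non-Safe ``reval`` no longer records errors through ``$self->error``, so any caller other than ``jail_reval`` (which now inspects ``$@`` itself) would lose the error message; confirm ``jail_reval`` is the only caller, and keep a comment on this method that, when useSafeJail is off, the expression is compiled with full Perl access and no sandbox.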
@ -180,11 +174,10 @@ sub share_from {
sub jail_reval {
my ( $self, $reval ) = @_;
# if nothing is returned by reval, add the return statement to
# the "no safe wrap" reval
# If nothing is returned by reval, add the return statement to
# the "no safe wrap" reval
my $res;
eval { $res = ( $self->jail->reval($reval) ) };
my $res = $self->jail->reval($reval);
if ($@) {
$self->error($@);
return undef;


@ -6,7 +6,7 @@
# change 'tests => 1' to 'tests => last_test_to_print';
use strict;
use Test::More tests => 20;
use Test::More tests => 22;
require 't/test.pm';
BEGIN { use_ok('Lemonldap::NG::Handler::Main::Jail') }
@ -60,7 +60,7 @@ ok(
ok( $res = &$code, "Function works" );
ok( $res == 1, 'Get good result' );
$sub = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
$sub = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
$code = $jail->jail_reval($sub);
ok(
( defined($code) and ref($code) eq 'CODE' ),
@ -105,3 +105,11 @@ is(
"Function works"
);
$sub = "sub { return(";
$code = $jail->jail_reval($sub);
ok( ( not defined($code) ), 'Syntax error yields undef result' );
like(
$jail->error,
qr/Missing right curly or square bracket/,
'Found correct error message'
);


@ -5,7 +5,7 @@
# change 'tests => 1' to 'tests => last_test_to_print';
use Test::More tests => 14;
use Test::More tests => 16;
require 't/test.pm';
BEGIN { use_ok('Lemonldap::NG::Handler::Main::Jail') }
@ -43,7 +43,8 @@ my $checkDate = $jail->jail_reval($sub3);
ok( &$checkDate == "1",
'checkDate extended function working without Safe Jail' );
my $sub4 = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
my $sub4 =
"sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
my $checkDate = $jail->jail_reval($sub4);
ok( &$checkDate == "1",
'checkDate extended function working without Safe Jail' );
@ -96,3 +97,12 @@ is(
0,
"Function works"
);
$sub = "sub { return(";
$code = $jail->jail_reval($sub);
ok( ( not defined($code) ), 'Syntax error yields undef result' );
like(
$jail->error,
qr/Missing right curly or square bracket/,
'Found correct error message'
);


@ -22,6 +22,7 @@
"prereqs" : {
"build" : {
"requires" : {
"Email::Sender" : "0",
"IO::String" : "0",
"Regexp::Common" : "0",
"Test::Pod" : "1"


@ -3,6 +3,7 @@ abstract: 'Perl extension for managing Lemonldap::NG Web-SSO system.'
author:
- 'Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>'
build_requires:
Email::Sender: '0'
IO::String: '0'
Regexp::Common: '0'
Test::Pod: '1'


@ -8,6 +8,7 @@ WriteMakefile(
VERSION_FROM => 'lib/Lemonldap/NG/Manager.pm', # finds $VERSION
LICENSE => 'gpl',
BUILD_REQUIRES => {
'Email::Sender' => 0,
'IO::String' => 0,
'Regexp::Common' => 0,
'Test::Pod' => 1.00,


@ -5,7 +5,9 @@ use strict;
our $VERSION = '2.1.0';
sub zeroConf {
my ( $domain, $sessionDir, $persistentSessionDir, $notificationDir, $cacheDir ) = @_;
my ( $domain, $sessionDir, $persistentSessionDir, $notificationDir,
$cacheDir )
= @_;
$domain ||= 'example.com';
$sessionDir ||= '/var/lib/lemonldap-ng/sessions';
$persistentSessionDir ||= '/var/lib/lemonldap-ng/psessions';
@ -179,6 +181,7 @@ sub zeroConf {
'securedCookie' => 0,
'cookieName' => 'lemonldap',
'cfgAuthor' => 'The LemonLDAP::NG team',
'cfgDate' => '1627287638',
'cfgVersion' => $VERSION,
'exportedVars' => {},
'portalSkin' => 'bootstrap',
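Review bot: ``'cfgDate' => '1627287638'`` hardcodes a fixed timestamp (26 July 2021) into every configuration generated by zeroConf, so the date shown for a freshly generated configuration will always be that day; unless a fixed value is wanted for reproducible builds, use ``time`` at generation time, or add a comment saying why the literal is intended.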


@ -15,14 +15,13 @@ use strict;
my $cli = Lemonldap::NG::Manager::Cli::Lib->new;
our $opt_user = '__APACHEUSER__';
our $opt_user = '__APACHEUSER__';
our $opt_group = '__APACHEGROUP__';
GetOptions (
"user=s" => \$opt_user,
"group=s" => \$opt_group
)
or die("Error in command line arguments\n");
GetOptions(
"user=s" => \$opt_user,
"group=s" => \$opt_group
) or die("Error in command line arguments\n");
eval {
setgid( ( getgrnam($opt_group) )[2] );
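Review bot: ``setgid( ( getgrnam($opt_group) )[2] )`` yields undef when the group does not exist, which setgid treats as 0, so a mistyped ``--group`` keeps the script in the root group; check that ``getgrnam`` and ``getpwnam`` return a result and ``die`` otherwise, rather than relying on the ``eval`` that wraps these calls and hides the failure.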


@ -753,7 +753,7 @@
"pamAuthnLevel":"Niveau d'authentification",
"pamParams":"Paramètres PAM",
"pamService":"Service PAM",
"password":"Mot-de-passe",
"password":"Mot de passe",
"passwordDB":"Module de mot de passe",
"passwordManagement":"Gestion des mots de passe",
"passwordPolicy":"Politique des mots de passe",
@ -878,8 +878,8 @@
"restFindUserDBUrl":"URL des comptes utilisateurs",
"restParams":"Paramètres REST",
"restPasswordServer":"Serveur de réinitialisation de mdp",
"restPwdConfirmUrl":"URL de confirmation de mot-de-passe",
"restPwdModifyUrl":"URL de modification de mot-de-passe",
"restPwdConfirmUrl":"URL de confirmation de mot de passe",
"restPwdModifyUrl":"URL de modification de mot de passe",
"restServices":"Services REST",
"restSessionServer":"Serveur de sessions",
"restUserDBUrl":"URL de données utilisateurs",

View File

@ -790,7 +790,7 @@
"portalDisplayRefreshMyRights":"Görüntüleme hakları yenileme bağlantısı",
"portalDisplayRegister":"Yeni hesap kaydet",
"portalDisplayResetPassword":"Parolayı sıfırla",
"portalEnablePasswordDisplay":"Allow to display password",
"portalEnablePasswordDisplay":"Parolayı göstermeye izin ver",
"portalErrorOnExpiredSession":"Süresi dolmuş oturumda hatayı göster",
"portalErrorOnMailNotFound":"E-posta bulunamadığında hatayı göster",
"portalForceAuthn":"Kimlik doğrulamaya zorla",

View File

@ -94,6 +94,11 @@ sub run {
# We use a specific text message, no html
$body = $self->conf->{mail2fBody};
# Replace variables in body
$body =~ s/\$code/$code/g;
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
}
else {
@ -109,12 +114,6 @@ sub run {
$html = 1;
}
# Replace variables in body
# FIXME: kept for compatibility with 2.0.0 mail templates
# in future versions this should only happen for plaintext emails
$body =~ s/\$code/$code/g;
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
# Send mail
unless ( $self->send_mail( $dest, $subject, $body, $html ) ) {
$self->logger->error( 'Unable to send 2F code mail to ' . $dest );
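Review bot: Dropping the FIXME'd substitution from the shared path (this hunk) changes behaviour for HTML mail templates: a deployment still using a 2.0.0-style HTML template with a literal `$code` placeholder will now mail the string `$code` rather than the one-time code, so this needs an upgrade note. The change itself is sound, since `s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge` interpolated raw session attributes into HTML without escaping; keeping it only in the plaintext branch removes that injection surface.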

View File

@ -1358,8 +1358,7 @@ sub sendOIDCError {
sub returnBearerError {
my ( $self, $error_code, $error_message ) = @_;
# TODO: verify this
return [
my $res = [
401,
[
'WWW-Authenticate' =>
@ -1367,6 +1366,10 @@ sub returnBearerError {
],
[]
];
$self->p->setCorsHeaderFromConfig($res);
return $res;
}
sub checkEndPointAuthenticationCredentials {
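Review bot: The `# TODO: verify this` comment above `my $res = [` is left in place while the function is being reworked; either confirm the 401 `WWW-Authenticate` shape is correct and drop the comment, or say what remains to be verified. Calling setCorsHeaderFromConfig unconditionally on the error path is consistent with the new test expectations in this commit for `Access-Control-Allow-Origin` on error responses.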

View File

@ -531,13 +531,13 @@ sub findEP {
}
}
}
$self->logger->debug("Plugin $plugin initializated");
$self->logger->debug("Plugin $plugin initialized");
# Rules for menu
if ( $obj->can('spRules') ) {
foreach my $k ( keys %{ $obj->{spRules} } ) {
$self->logger->info(
"$k is defined more than one time, it can have some bad effect on Menu display"
"$k is defined more than one time, it can have some bad effects on Menu display"
) if ( $self->spRules->{$k} );
$self->spRules->{$k} = $obj->{spRules}->{$k};
}

View File

@ -875,12 +875,7 @@ sub sendHtml {
'Pragma' => 'no-cache', # HTTP 1.0
'Expires' => '0'; # Proxies
if ( $self->conf->{corsEnabled} ) {
my @cors = split /;/, $self->cors;
push @{ $res->[1] }, @cors;
$self->logger->debug('Apply following CORS policy :');
$self->logger->debug(" $_") for @cors;
}
$self->setCorsHeaderFromConfig($res);
# Set authorized URL for POST
my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
@ -1086,7 +1081,7 @@ sub registerLogin {
}
my $history = $req->sessionInfo->{_loginHistory} ||= {};
my $type = ( $req->authResult > 0 ? 'failed' : 'success' ) . 'Login';
my $type = ( $req->authResult > 0 ? 'failed' : 'success' ) . 'Login';
$history->{$type} ||= [];
$self->logger->debug("Current login saved into $type");
@ -1129,13 +1124,11 @@ sub _sumUpSession {
sub corsPreflight {
my ( $self, $req ) = @_;
my @headers;
if ( $self->conf->{corsEnabled} ) {
my @cors = split /;/, $self->cors;
push @headers, @cors;
$self->logger->debug('Apply following CORS policy :');
$self->logger->debug(" $_") for @cors;
}
return [ 204, \@headers, [] ];
my $res = [ 204, \@headers, [] ];
$self->setCorsHeaderFromConfig($res);
return $res;
}
sub sendJSONresponse {
@ -1164,11 +1157,8 @@ sub sendJSONresponse {
"Access-Control-Allow-Credentials" => "true";
}
elsif ( $self->conf->{corsEnabled} ) {
my @cors = split /;/, $self->cors;
push @{ $res->[1] }, @cors;
$self->logger->debug('Apply following CORS policy :');
$self->logger->debug(" $_") for @cors;
else {
$self->setCorsHeaderFromConfig($res);
}
return $res;
}
@ -1176,13 +1166,21 @@ sub sendJSONresponse {
sub sendRawHtml {
my ($self) = $_[0];
my $res = Lemonldap::NG::Common::PSGI::sendRawHtml(@_);
$self->setCorsHeaderFromConfig($res);
return $res;
}
sub setCorsHeaderFromConfig {
my ( $self, $response ) = @_;
if ( $self->conf->{corsEnabled} ) {
my @cors = split /;/, $self->cors;
push @{ $res->[1] }, @cors;
push @{ $response->[1] }, @cors;
$self->logger->debug('Apply following CORS policy :');
$self->logger->debug(" $_") for @cors;
}
return $res;
}
# Temlate loader
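Review bot: The new `setCorsHeaderFromConfig` sub ends with `return $res;` although its parameter is named `$response` and no `$res` is declared in that scope; under `use strict` this does not compile, and without strict it returns undef. It should read `return $response;` (the callers in this commit ignore the return value, but the sub should still return what it mutated).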

View File

@ -371,6 +371,13 @@ sub _certificateReset {
# We use a specific text message, no html
$body = $self->conf->{certificateResetByMailStep1Body};
# Replace variables in body
$body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
$body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
$body =~ s/\$url/$url/g;
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
}
else {
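Review bot: `s/\$expMailDate/$req->data->{expMailDate}/ge` and the `$expMailTime` line evaluate a hash lookup with no fallback, so when the key is absent from `$req->data` the replacement is undef (an "uninitialized value" warning and an empty string), whereas the catch-all on the last line guards with `|| ''`. For consistency use `$req->data->{expMailDate} // ''` on both lines, and keep the order as written: the specific replacements must run before `s/\$(\w+)/.../ge`, otherwise the catch-all would treat `$url`, `$expMailDate` and `$expMailTime` as missing session attributes and blank them.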
@ -387,14 +394,6 @@ sub _certificateReset {
$html = 1;
}
# Replace variables in body
# FIXME: kept for compatibility with 2.0.0 mail templates
# in future versions this should only happen for plaintext emails
$body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
$body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
$body =~ s/\$url/$url/g;
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
# Send mail
unless (
$self->send_mail(
@ -555,6 +554,10 @@ sub modifyCertificate {
# We use a specific text message, no html
$body = $self->conf->{certificateResetByMailStep2Body};
# Replace variables in body
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
}
else {
@ -568,11 +571,6 @@ sub modifyCertificate {
$html = 1;
}
# Replace variables in body
# FIXME: kept for compatibility with 2.0.0 mail templates
# in future versions this should only happen for plaintext emails
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
# Send mail
return PE_MAILERROR
unless $self->send_mail( $req->data->{mailAddress}, $subject, $body,

View File

@ -335,6 +335,13 @@ sub _reset {
# We use a specific text message, no html
$body = $self->conf->{mailConfirmBody};
# Replace variables in body
$body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
$body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
$body =~ s/\$url/$url/g;
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
}
else {
@ -352,14 +359,6 @@ sub _reset {
$html = 1;
}
# Replace variables in body
# FIXME: kept for compatibility with 2.0.0 mail templates
# in future versions this should only happen for plaintext emails
$body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
$body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
$body =~ s/\$url/$url/g;
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
$self->logger->info( "User "
. $req->data->{mailAddress}
. " is trying to reset his/her password" );
@ -515,6 +514,11 @@ sub changePwd {
# We use a specific text message, no html
$body = $self->conf->{mailBody};
# Replace variables in body
$body =~ s/\$password/$password/g;
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
}
else {
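Review bot: `s/\$password/$password/g` followed by `s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge` can corrupt the mailed password: once the new password has been inserted into `$body`, any `$` followed by word characters inside it (for example `ab$cd3`) matches the catch-all on the next line and is replaced by a session attribute or by an empty string. Do the substitution in a single pass so inserted text is never rescanned, e.g. `$body =~ s/\$(\w+)/$1 eq 'password' ? $password : ($req->{sessionInfo}->{$1} // '')/ge;`. The same two-pass pattern exists for `$code` and `$url` in the other mail plugins of this commit, though those values are less likely to contain `$`.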
@ -530,12 +534,6 @@ sub changePwd {
$html = 1;
}
# Replace variables in body
# FIXME: kept for compatibility with 2.0.0 mail templates
# in future versions this should only happen for plaintext emails
$body =~ s/\$password/$password/g;
$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
# Send mail
return PE_MAILERROR
unless $self->send_mail( $req->data->{mailAddress}, $subject, $body,

View File

@ -322,14 +322,6 @@ sub _register {
},
);
# Replace variables in body
# FIXME: kept for compatibility with 2.0.0 mail templates
# in future versions this should only happen for plaintext emails
$body =~ s/\$expMailDate/$req->data->{expMailDate}/g;
$body =~ s/\$expMailTime/$req->data->{expMailTime}/g;
$body =~ s/\$url/$url/g;
$body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/eg;
# Send mail
return PE_MAILERROR
unless $self->send_mail( $req->data->{registerInfo}->{mail},
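Review bot: Both hunks in this file only delete the substitution block; unlike the other mail plugins in this commit, nothing shown here adds the replacements (`$url`, `$expMailDate`, `$expMailTime` and the `registerInfo` catch-all) back into a plaintext-only branch. Unless the plaintext branch above this hunk was updated out of view, the register confirmation mail would go out with its placeholders unreplaced and without its `$url`; please confirm, and add a test asserting that the sent body contains the confirmation URL.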
@ -397,12 +389,6 @@ sub _register {
},
);
# Replace variables in body
# FIXME: kept for compatibility with 2.0.0 mail templates
# in future versions this should only happen for plaintext emails
$body =~ s/\$url/$url/g;
$body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/ge;
# Send mail
return PE_MAILERROR
unless $self->send_mail( $req->data->{registerInfo}->{mail},

View File

@ -33,5 +33,19 @@ $(window).on("load", function() {
modal.find('.remove2f').attr('epoch', epoch)
})
// Set tab items (my applications, password, history, logout) tabbable
// (ie accessible via tab key)
// needed because of jquery-ui setting only active element tabbable
// (see #2561)
$('.nav-item').click(function() {
$('.nav-item').attr( "tabIndex", 0 );
});
$('.nav-item').focusin(function() {
$('.nav-item').attr( "tabIndex", 0 );
});
$('.nav-item').focusout(function() {
$('.nav-item').attr( "tabIndex", 0 );
});
});
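Review bot: The three handlers (`click`, `focusin`, `focusout`) are identical and each resets `tabIndex` on every `.nav-item`; one binding, `$('.nav-item').on('click focusin focusout', function () { $('.nav-item').attr('tabIndex', 0); });`, says the same thing, and the comment should name the jQuery UI behaviour being countered so the workaround can be removed once #2561 is resolved. If the intent is only to make the items reachable with the Tab key, setting the attribute once on load plus on the jQuery UI tab activation event would avoid rewriting the DOM on every focus change.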

View File

@ -1 +1 @@
$(window).on("load",function(){$("div.message-positive").addClass("alert-success"),$("div.message-warning").addClass("alert-warning"),$("div.message-negative").addClass("alert-danger"),$("table.info").addClass("table"),$(".notifCheck").addClass("checkbox"),$('.collapse li[class!="dropdown"]').on("click",function(){$(".navbar-toggler").hasClass("collapsed")||$(".navbar-toggler").trigger("click")}),$("#authMenu .nav-link").on("click",function(a){window.datas.choicetab=a.target.hash.substr(1)}),$("#remove2fModal").on("show.bs.modal",function(a){var e=$(a.relatedTarget),s=e.attr("device"),a=e.attr("epoch"),e=$(this);e.find(".remove2f").attr("device",s),e.find(".remove2f").attr("epoch",a)})});
$(window).on("load",function(){$("div.message-positive").addClass("alert-success"),$("div.message-warning").addClass("alert-warning"),$("div.message-negative").addClass("alert-danger"),$("table.info").addClass("table"),$(".notifCheck").addClass("checkbox"),$('.collapse li[class!="dropdown"]').on("click",function(){$(".navbar-toggler").hasClass("collapsed")||$(".navbar-toggler").trigger("click")}),$("#authMenu .nav-link").on("click",function(a){window.datas.choicetab=a.target.hash.substr(1)}),$("#remove2fModal").on("show.bs.modal",function(a){var t=$(a.relatedTarget),e=t.attr("device"),a=t.attr("epoch"),t=$(this);t.find(".remove2f").attr("device",e),t.find(".remove2f").attr("epoch",a)}),$(".nav-item").click(function(){$(".nav-item").attr("tabIndex",0)}),$(".nav-item").focusin(function(){$(".nav-item").attr("tabIndex",0)}),$(".nav-item").focusout(function(){$(".nav-item").attr("tabIndex",0)})});

View File

@ -1 +1 @@
{"version":3,"sources":["skin.js"],"names":["$","window","on","addClass","hasClass","trigger","e","datas","choicetab","target","hash","substr","event","button","relatedTarget","device","attr","epoch","modal","this","find"],"mappings":"AAAAA,EAAEC,QAAQC,GAAG,OAAQ,WAGnBF,EAAE,wBAAwBG,SAAS,iBACnCH,EAAE,uBAAuBG,SAAS,iBAClCH,EAAE,wBAAwBG,SAAS,gBAEnCH,EAAE,cAAcG,SAAS,SAEzBH,EAAE,eAAeG,SAAS,YAG1BH,EAAE,mCAAmCE,GAAG,QAAS,WAC1CF,EAAE,mBAAmBI,SAAS,cACjCJ,EAAE,mBAAmBK,QAAQ,WAKjCL,EAAE,uBAAuBE,GAAG,QAAS,SAAUI,GAC3CL,OAAOM,MAAMC,UAAYF,EAAEG,OAAOC,KAAKC,OAAO,KAIlDX,EAAE,kBAAkBE,GAAG,gBAAiB,SAAUU,GAClD,IAAIC,EAASb,EAAEY,EAAME,eACjBC,EAASF,EAAOG,KAAK,UACrBC,EAAQJ,EAAOG,KAAK,SACpBE,EAAQlB,EAAEmB,MAGdD,EAAME,KAAK,aAAaJ,KAAK,SAAUD,GACvCG,EAAME,KAAK,aAAaJ,KAAK,QAASC"}
{"version":3,"sources":["skin.js"],"names":["$","window","on","addClass","hasClass","trigger","e","datas","choicetab","target","hash","substr","event","button","relatedTarget","device","attr","epoch","modal","this","find","click","focusin","focusout"],"mappings":"AAAAA,EAAEC,QAAQC,GAAG,OAAQ,WAGnBF,EAAE,wBAAwBG,SAAS,iBACnCH,EAAE,uBAAuBG,SAAS,iBAClCH,EAAE,wBAAwBG,SAAS,gBAEnCH,EAAE,cAAcG,SAAS,SAEzBH,EAAE,eAAeG,SAAS,YAG1BH,EAAE,mCAAmCE,GAAG,QAAS,WAC1CF,EAAE,mBAAmBI,SAAS,cACjCJ,EAAE,mBAAmBK,QAAQ,WAKjCL,EAAE,uBAAuBE,GAAG,QAAS,SAAUI,GAC3CL,OAAOM,MAAMC,UAAYF,EAAEG,OAAOC,KAAKC,OAAO,KAIlDX,EAAE,kBAAkBE,GAAG,gBAAiB,SAAUU,GAClD,IAAIC,EAASb,EAAEY,EAAME,eACjBC,EAASF,EAAOG,KAAK,UACrBC,EAAQJ,EAAOG,KAAK,SACpBE,EAAQlB,EAAEmB,MAGdD,EAAME,KAAK,aAAaJ,KAAK,SAAUD,GACvCG,EAAME,KAAK,aAAaJ,KAAK,QAASC,KAOtCjB,EAAE,aAAaqB,MAAM,WACnBrB,EAAE,aAAagB,KAAM,WAAY,KAEnChB,EAAE,aAAasB,QAAQ,WACrBtB,EAAE,aAAagB,KAAM,WAAY,KAEnChB,EAAE,aAAauB,SAAS,WACtBvB,EAAE,aAAagB,KAAM,WAAY"}

View File

@ -234,7 +234,7 @@
"openidPA":"La politique d'utilisation des données est disponible ici",
"openidRpns":"Le paramètre %s exigé pour la fédération n'est pas disponible",
"otherSessions":"Autres sessions ouvertes",
"password":"Mot-de-passe",
"password":"Mot de passe",
"passwordPolicy":"Merci de respecter la politique suivante :",
"passwordPolicyMinDigit":"Minimum de chiffres :",
"passwordPolicyMinLower":"Minimum de minuscules :",

View File

@ -8,7 +8,7 @@
"hello":"Bonjour",
"mail2fSubject":"[LemonLDAP::NG] Votre code de connexion",
"mailConfirmSubject": "[LemonLDAP::NG] Confirmation de réinitialisation de mot de passe",
"mailSubject": "[LemonLDAP::NG] Votre nouveau mot-de-passe",
"mailSubject": "[LemonLDAP::NG] Votre nouveau mot de passe",
"newPwdIs":"Votre nouveau mot de passe est",
"pwdChanged":"Votre mot de passe a été changé.",
"pwdIs":"Votre mot de passe est",

View File

@ -150,6 +150,10 @@ count(1);
# Expect an invalid request
expectReject( $res, 400, "invalid_grant" );
is( getHeader( $res, "Access-Control-Allow-Origin" ),
"*", "CORS header present on Token error response" );
count(1);
# Get new code for RP1
$query =
"response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp.com%2F";
@ -202,10 +206,36 @@ ok(
"Post auth code on correct RP"
);
count(1);
is( getHeader( $res, "Access-Control-Allow-Origin" ),
"*", "CORS header present on Token response" );
count(1);
$res = expectJSON($res);
my $token = $res->{access_token};
ok( $token, 'Access token present' );
count(1);
ok(
$res = $op->_post(
"/oauth2/userinfo",
IO::String->new(""),
accept => 'text/html',
length => 0,
custom => {
HTTP_AUTHORIZATION => "Bearer " . $token,
},
),
"post to userinfo",
);
count(1);
ok( $res->[0] == 200, "Userinfo successful" );
count(1);
is( getHeader( $res, "Access-Control-Allow-Origin" ),
"*", "CORS header present on userinfo response" );
count(1);
Time::Fake->offset("+2h");
ok(
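Review bot: The assertions only cover the wildcard case (`Access-Control-Allow-Origin` equal to `*`); there is no test for a configured specific origin, nor for the branch in `sendJSONresponse` that sets `Access-Control-Allow-Credentials`, which browsers reject when combined with `*`. Suggest a second configuration in this file with a concrete origin, and a check that the credentials header is absent on the `*` responses. Minor: `ok( $res->[0] == 200, ... )` gives a less useful failure message than `is( $res->[0], 200, ... )`.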
@ -224,6 +254,10 @@ count(1);
ok( $res->[0] == 401, "Access denied with expired token" );
count(1);
is( getHeader( $res, "Access-Control-Allow-Origin" ),
"*", "CORS header present on userinfo error response" );
count(1);
clean_sessions();
done_testing( count() );

View File

@ -34,8 +34,8 @@
# Main package
#==============================================================================
Name: lemonldap-ng
Version: 2.0.11
Release: %{?pre_release:0.}2%{?pre_release:.%{pre_release}}%{?dist}
Version: 2.0.12
Release: %{?pre_release:0.}1%{?pre_release:.%{pre_release}}%{?dist}
Summary: LemonLDAP-NG WebSSO
License: GPLv2+
URL: http://lemonldap-ng.org
@ -745,6 +745,9 @@ fi
# Changelog
#==============================================================================
%changelog
* Thu Jul 22 2021 Clement Oudot <clem.oudot@gmail.com> - 2.0.12-1
- Update to 2.0.12
* Wed Mar 17 2021 Xavier Bachelot <xavier@bachelot.org> - 2.0.11-2
- Add BR: make