diff --git a/RELEASE b/RELEASE
index 40d794624..83dc49865 100644
--- a/RELEASE
+++ b/RELEASE
@@ -37,6 +37,8 @@ Before release
 - Check Debian packages quality
 $ cme check dpkg
+- Update doc/admin/documentation.rst to display vulnerable packaged versions
+
 For minor release
 -----------------
diff --git a/_example/conf/lmConf-1.json b/_example/conf/lmConf-1.json
index 2cabe896e..3dde42cd3 100644
--- a/_example/conf/lmConf-1.json
+++ b/_example/conf/lmConf-1.json
@@ -85,6 +85,7 @@
 },
 "authentication" : "Demo",
 "cfgAuthor" : "The LemonLDAP::NG team",
+ "cfgDate" : "1627287638",
 "cfgNum" : 1,
 "cfgVersion" : "2.1.0",
 "cookieName" : "lemonldap",
diff --git a/changelog b/changelog
index 389ae15aa..46376b978 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,86 @@ +lemonldap-ng (2.0.12) focal; urgency=medium + + * Bugs: + * #2153: logout forward url pointing to a protected application cause infinite redirection (pdata) + * #2439: Unable to configure oidcOPMetaDataJSON and oidcOPMetaDataJWKS trough lemonldap-ng-cli + * #2453: Manager API: missing doc and array handling of additional audiences + * #2455: llng-fastcgi-server exited with signal 13 + * #2459: Debian packages: missing dependency to gsfonts may break Captcha + * #2460: "Underlying object can't load conf" in v2.0.11 + * #2463: Portal plugin hooks triggered multiple times after reload + * #2469: mySessionAuthorizedRWKeys causes internal server error when removing OIDC consent + * #2474: OAuth2 endpoints should return an error when multiple client authentication methods are used + * #2475: OIDC: Invalid error code returned in badAuthRequest + * #2477: [security:low] Wildcard in virtualhost allows being redirected to untrusted domains + * #2480: Set an authLevel and disable ReAuthentication plugin leads to an endless loop + * #2481: missing _utime in OIDC Client Credential sessions + * #2482: unexpected persistent sessions appear since 2.0.10 + * #2483: Second factor removal does not work when hiding session ids from manager + * #2487: Incorrect error reporting in convertSessions + * #2489: Do not grant the openid scope during Resource Owner Password Grant + * #2493: Unable to register a new configuration attribute with CLI when option force is enabled and backend is RDBI + * #2495: [security:medium] XSS on register form + * #2498: convertSessions does not filter sessionKind correctly + * #2503: REST/SOAP exported attributes are not sent by REST server + * #2509: Local password policy: Allowing ALL special characters does not work + * #2511: expires_in in token response has the wrong JSON type in some cases + * #2513: LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser + * #2518: SAML: persistent NameID is empty when using 
"unspecified" format on SP side + * #2520: Missing translations for DBI configuration + * #2525: Gracefully handle invalid perl expression in CAS/SAML/OIDC + * #2529: [bug] OIDC userinfo as jwt not readable + * #2531: calling to_json with hash containing file handle fails + * #2534: CDA does not work with wildcard vhosts + * #2535: [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application + * #2539: [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing + * #2541: Misleading TOTP options + * #2543: [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret + * #2547: Parameter oidcRPMetaDataOptionsUserInfoSignAlg is missing in Manager + * #2548: OpenID Connect ACR value can't be configured with something else than 'loa-...' + * #2549: [security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity + * #2550: Token endpoint should only emit ID token when scope contains "openid" + + * New features: + * #1976: FindUser plugin + * #2451: CrowdSec plugin to query Crowdsec server + * #2458: CheckDevOps plugin + * #2510: Hook on password change + * #2532: add oidcGenerateCode hook + * #2554: Remove OIDC checksession iframe from metadata + + * Improvements: + * #2260: Missing elements in sphinx documentation (mongodb) + * #2419: Support JWT as OAuth 2.0 Bearer Access Tokens + * #2424: Feature: Scope Rules + * #2454: Append a Show/Hide password button into login form + * #2456: Prevent DevOps handler to send hidden session attributes + * #2462: Use timezone provided in input dates in extended function "checkDate" + * #2465: Force OIDC error messages to use JSON + * #2472: Loading metadata can be slow due to parsing of default certificate bundle + * #2484: Hook for populating client credential session + * #2488: Allow selection of AssertionConsumerServiceURL in IDP-Initiated SAML login + * #2496: Add new option to ignore undeclared OIDC 
scopes + * #2499: add key mapper for convertSession + * #2502: Resource Owner Password fails with PE_FIRSTACCESS when using Auth::Choice + * #2506: CAS: add an option to forbid host-based matching + * #2521: Avoid browsers parameter hide placeholder + * #2533: add hooks for CAS issuer + * #2536: optimize SingleSession to avoid unneeded session fetches + * #2544: Default 2FA register timeout is too low + * #2557: Avoid browsers to store new, old and confirmed password during update process + * #2562: Add --user/--group options to lmConfigEditor and lemonldap-ng-cli (user:group hardcoded to apache may not work correctly) + + * Templates: + * #1976: FindUser plugin + * #2454: Append a Show/Hide password button into login form + * #2458: CheckDevOps plugin + * #2495: [security:medium] XSS on register form + * #2521: Avoid browsers parameter hide placeholder + * #2541: Misleading TOTP options + * #2557: Avoid browsers to store new, old and confirmed password during update process + + -- Clément Thu, 22 Jul 2021 17:41:44 +0200 + lemonldap-ng (2.0.11) focal; urgency=medium * Bugs: diff --git a/debian/changelog b/debian/changelog index 32a241ab7..73281a2ee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.0.12-1) unstable; urgency=medium + + * New release. See changes on our website: + https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng + + -- Clement OUDOT Thu, 22 Jul 2021 22:00:00 +0100 + lemonldap-ng (2.0.11-1) unstable; urgency=medium * New release. See changes on our website: diff --git a/doc/sources/admin/changesessionbackend.rst b/doc/sources/admin/changesessionbackend.rst index d14c4e2f6..90c1e4e90 100644 --- a/doc/sources/admin/changesessionbackend.rst +++ b/doc/sources/admin/changesessionbackend.rst 
@@ -46,6 +46,7 @@ Options: - ``-c``: job configuration file (mandatory) - ``-r oldkey=newkey``: rename session keys during conversion (optional, can be given multiple times) +- ``-x key``: remove session keys during conversion (optional, can be given multiple times) - ``-i``: ignore errors. By default errors will stop the script execution - ``-d``: print debugging output diff --git a/doc/sources/admin/configlocation.rst b/doc/sources/admin/configlocation.rst index d31bae612..5d018f6d5 100644 --- a/doc/sources/admin/configlocation.rst +++ b/doc/sources/admin/configlocation.rst @@ -174,6 +174,11 @@ and is stored in the LemonLDAP::NG bin/ directory, for example This script must be run as root, it will then use the Apache user and group to access configuration. +.. tip:: + + You can change the user and group by setting ``--user`` and + ``--group`` options in the command line. + The script uses the ``editor`` system command, that links to your favorite editor. To change it: @@ -276,6 +281,11 @@ You can use accessors (options) to change the behavior: configuration. - -force: set it to 1 to save a configuration earlier than latest. +Additional options: + +- --user=: change user running the script +- --group=: change group running the script + Some examples: :: @@ -283,6 +293,7 @@ Some examples: /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -cfgNum 10 get exportedHeaders/test1.example.com /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set notification 1 /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace + /usr/share/lemonldap-ng/bin/lemonldap-ng-cli get portal --user=nginx --group=nginx .. tip:: diff --git a/doc/sources/admin/documentation.rst b/doc/sources/admin/documentation.rst index a3c35de67..b76f7c596 100644 --- a/doc/sources/admin/documentation.rst +++ b/doc/sources/admin/documentation.rst 
@@ -51,6 +51,7 @@ Debian .. tip:: Following Debian Policy, LLNG packages are never upgraded in published distributions. However, security patches are backported by maintenance teams *(except some inor ones)*. + See `Security tracker `__ =========== ======================== ======================================== ===================================================== ============================================================ =============================== ============================================================= Debian dist LLNG version Secured Maintenance LTS Limit `Extended LTS `__ Limit @@ -60,9 +61,9 @@ Debian dist LLNG version Se **8** Jessie `1.3.3 `__ |clean| CVE-2019-19791 tagged as minor **None** [1]_ June 2020 Probably 2023 **9** Stretch `1.9.7 `__ |clean| CVE-2019-19791 tagged as minor `Debian LTS Team `__ June 2022 \ *Stretch-backports* `2.0.2 `__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941 *None* *June 2019* -\ Stretch-backports-sloppy `2.0.9 `__ |bad| *Maybe none*, "best effort" [3]_ Until Debian 11 release [4]_ +\ Stretch-backports-sloppy `2.0.11 `__ |maybe| *Maybe none*, "best effort" [3]_ Until Debian 11 release [4]_ **10** Buster `2.0.2 `__ |clean| CVE-2019-19791 tagged as minor `Debian Security Team `__ Probably July 2024 -\ Buster-backports `2.0.11 `__ |clean| `LLNG Team `__ Until Debian 11 release [4]_ +\ Buster-backports `2.0.11 `__ |clean| `LLNG Team `, "best effort" [3]_ Until Debian 11 release [4]_ \ Bullseye `2.0.11 `__ |clean| `Debian Security Team `__ Probably July 2026 **Next** Testing Latest [5]_ |clean| `LLNG Team `__ =========== ======================== ======================================== ===================================================== ============================================================ =============================== ============================================================= 
@@ -86,12 +87,9 @@ Ubuntu dist LLNG version Secured 14.04 Trusty `1.2.5 `__ |maybe| No known vulnerability None 16.04 Xenial [9]_ `1.4.6 `__ |bad| CVE-2019-12046, CVE-2019-13031 None 18.04 Bionic [9]_ `1.9.16 `__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2020-24660 None -18.10 Cosmic `1.9.17 `__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2020-24660 None -19.04 Disco `2.0.2 `__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941, CVE-2020-24660 None -19.10 Eoan `2.0.5 `__ |bad| CVE-2019-15941, CVE-2020-24660 None -20.04 Focal [9]_ `2.0.7 `__ |bad| CVE-2020-24660 None -20.10 Groovy `2.0.8 `__ |bad| CVE-2020-24660 None -21.04 Hirsute `2.0.11 `__ |clean| None +20.04 Focal [9]_ `2.0.7 `__ |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473 None +20.10 Groovy `2.0.8 `__ |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473 None +21.04 Hirsute `2.0.11 `__ |bad| CVE-2021-35472, CVE-2021-35473 None =========== ============= ================================ ==================================================================== =========== Bug report @@ -139,8 +137,9 @@ Other Possible `Extended LTS `__ .. [3] - updated by `LLNG Team `__ until dependencies are compatible, - however this distribution seems unmaintained now + updated by `LLNG Team `__ until dependencies are compatible. + Don't use backports unless you plan to update your system because + backports are not covered by Debian Security Policy .. [4] around September 2021 diff --git a/doc/sources/admin/mongodbconfbackend.rst b/doc/sources/admin/mongodbconfbackend.rst index ef572c819..f8c7062e6 100644 --- a/doc/sources/admin/mongodbconfbackend.rst +++ b/doc/sources/admin/mongodbconfbackend.rst 
@@ -6,6 +6,18 @@ used both for storing configuration and :doc:`sessions`. You need to install Perl MongoDB module to be able to use this backend. +For Debian, you can install mongodb module with: + +:: + + apt install libmongodb-perl + +For CentOS: + +:: + + yum install perl-MongoDB + See :doc:`how to change configuration backend` to change your configuration database. diff --git a/doc/sources/admin/mongodbsessionbackend.rst b/doc/sources/admin/mongodbsessionbackend.rst index cb13ec340..a0dd794e8 100644 --- a/doc/sources/admin/mongodbsessionbackend.rst +++ b/doc/sources/admin/mongodbsessionbackend.rst @@ -20,6 +20,21 @@ Perl module (version ⩾ 0.15 required). You also need a recent version of client `__ (version ⩾ 1.00 required). +For Debian, you can install mongodb module and Apache::Session module with: + +:: + + apt install libmongodb-perl + cpan Apache::Session::MongoDB + +For CentOS: + +:: + + yum install perl-MongoDB + cpan Apache::Session::MongoDB + + In the manager: set `Apache::Session::MongoDB `__ in ``General parameters`` » ``Sessions`` » ``Session storage`` » diff --git a/doc/sources/admin/nosqlsessionbackend.rst b/doc/sources/admin/nosqlsessionbackend.rst index d108bc7f4..3f62f1e47 100644 --- a/doc/sources/admin/nosqlsessionbackend.rst +++ b/doc/sources/admin/nosqlsessionbackend.rst @@ -32,7 +32,7 @@ Name Comment Example **sentinels** Redis sentinels list 127.0.0.1:26379,127.0.0.2:26379,127.0.0.3:26379 **service** Sentinel service name mymaster **password** password (== requirepass) ChangeMe -**select** Redis DB 1 +**database** Redis DB 1 **Index** Fields to index refer to :ref:`fieldstoindex` ============= =========================== =============================================== diff --git a/doc/sources/admin/parameterlist.rst b/doc/sources/admin/parameterlist.rst index 3b37c59f7..dbbaa54aa 100644 --- a/doc/sources/admin/parameterlist.rst +++ b/doc/sources/admin/parameterlist.rst 
@@ -60,6 +60,7 @@ casAuthnLevel CAS authentication level casSrvMetaDataOptions Root of CAS server options ✔ [1] casStorage Apache::Session module to store CAS user data ✔ casStorageOptions Apache::Session module parameters ✔ +casStrictMatching Disable host-based matching of CAS services ✔ cda Enable Cross Domain Authentication ✔ ✔ certificateResetByMailCeaAttribute ✔ certificateResetByMailCertificateAttribute ✔ @@ -75,6 +76,8 @@ cfgDate Timestamp of the current cfgLog Configuration update log ✔ ✔ cfgNum Enable Cross Domain Authentication ✔ ✔ cfgVersion Version of LLNG which build configuration ✔ ✔ +checkDevOps Enable check DevOps ✔ +checkDevOpsDownload Enable check DevOps download field ✔ checkState Enable CheckState plugin ✔ checkStateSecret Secret token for CheckState plugin ✔ checkTime Timeout to check new configuration in local cache ✔ ✔ ✔ @@ -110,6 +113,10 @@ corsAllow_Origin Allowed origine for Cros corsEnabled Enable Cross-Origin Resource Sharing ✔ corsExpose_Headers Exposed headers for Cross-Origin Resource Sharing ✔ corsMax_Age MAx-age for Cross-Origin Resource Sharing ✔ +crowdsec CrowdSec plugin activation ✔ +crowdsecAction CrowdSec action ✔ +crowdsecKey CrowdSec API key ✔ +crowdsecUrl Base URL of CrowdSec local API ✔ cspConnect Authorized Ajax destination for Content-Security-Policy ✔ cspDefault Default value for Content-Security-Policy ✔ cspFont Font source for Content-Security-Policy ✔ 
@@ -273,9 +280,9 @@ log4perlConfFile Log4Perl logger configur logLevel Log level, must be set in .ini ✔ ✔ ✔ ✔ logger technical logger ✔ ✔ ✔ ✔ loginHistoryEnabled Enable login history ✔ -logoutServices Send logout through GET request to these services ✔ -lwpOpts Options given to LWP::UserAgent ✔ -lwpSslOpts SSL options given to LWP::UserAgent ✔ +logoutServices Send logout trough GET request to these services ✔ +lwpOpts Options passed to LWP::UserAgent ✔ +lwpSslOpts SSL options passed to LWP::UserAgent ✔ macros Macros ✔ mail2fActivation Mail second factor activation ✔ mail2fAuthnLevel Authentication level for users authenticated by Mail second factor ✔ @@ -333,6 +340,7 @@ oidcServiceAllowAuthorizationCodeFlow OpenID Connect allow aut oidcServiceAllowDynamicRegistration OpenID Connect allow dynamic client registration ✔ oidcServiceAllowHybridFlow OpenID Connect allow hybrid flow ✔ oidcServiceAllowImplicitFlow OpenID Connect allow implicit flow ✔ +oidcServiceAllowOnlyDeclaredScopes OpenID Connect allow only declared scopes ✔ oidcServiceAuthorizationCodeExpiration OpenID Connect global code TTL ✔ oidcServiceDynamicRegistrationExportedVars OpenID Connect exported variables for dynamic registration ✔ oidcServiceDynamicRegistrationExtraClaims OpenID Connect extra claims for dynamic registration ✔ @@ -403,6 +411,7 @@ portalDisplayPasswordPolicy Display policy in passwo portalDisplayRefreshMyRights Display link to refresh the user session ✔ portalDisplayRegister Display register button in portal ✔ portalDisplayResetPassword Display reset password button in portal ✔ +portalEnablePasswordDisplay Allow to display password in login form ✔ portalErrorOnExpiredSession Show error if session is expired ✔ portalErrorOnMailNotFound Show error if mail is not found in password reset process ✔ portalForceAuthn Enable force to authenticate when displaying portal ✔ 
@@ -534,6 +543,7 @@ sfEngine Second factor engine sfExtra Extra second factors ✔ sfManagerRule Rule to display second factor Manager link ✔ sfOnlyUpgrade Only trigger second factor on session upgrade ✔ +sfRegisterTimeout Timeout for 2F registration process ✔ sfRemovedMsgRule Display a message if at leat one expired SF has been removed ✔ sfRemovedNotifMsg Notification message ✔ sfRemovedNotifRef Notification reference ✔ diff --git a/doc/sources/admin/portalcustom.rst b/doc/sources/admin/portalcustom.rst index c7a247f87..1c04679cc 100644 --- a/doc/sources/admin/portalcustom.rst +++ b/doc/sources/admin/portalcustom.rst @@ -46,7 +46,7 @@ Custom CSS file You can define a custom CSS file, for example ``custom.css``, which will be loaded after default CSS files. This file needs to be created in the static repository -(``/usr/share/lemonldap-ng/portal/htdocs/static/boostrap/css``). +(``/usr/share/lemonldap-ng/portal/htdocs/static/bootstrap/css``). Then set this value in Custom CSS parameter : ``bootstrap/css/custom.css``. @@ -114,11 +114,17 @@ To achieve this, you can create a rule in the Manager: select ``General Parameters`` > ``Portal`` > ``Customization`` > ``Skin display rules`` on click on "New key". Then fill the two fields; -- **Rule**: a Perl expression (you can use %ENV hash to get environment - variables, or $_url to get URL called before redirection, or $ipAddr - to use user IP address). If the rule evaluation is true, the - corresponding skin is applied. -- **Skin**: the name of the skin to use. +- **Key**: a Perl expression (you can use ``%ENV`` hash to get environment + variables, or ``$_url`` to get URL called before redirection, or ``$ipAddr`` + to use user IP address). If the rule evaluation is true, the corresponding + skin is applied. +- **Value**: the name of the skin to use. + +Example: + +``` +$_url =~ m#^http://test1.example.com# +``` Skin files ~~~~~~~~~~ 
diff --git a/doc/sources/admin/restconfbackend.rst b/doc/sources/admin/restconfbackend.rst index d1224c3fe..17864c45d 100644 --- a/doc/sources/admin/restconfbackend.rst +++ b/doc/sources/admin/restconfbackend.rst @@ -77,3 +77,7 @@ You can also add some other parameters # LWP::UserAgent parameters proxyOptions = { timeout => 5 } +`User` and `Password` parameters are only used if the entry point `index.fcgi/config` +is protected by a basic authentication. Thus, handlers will make requests to the portal +using these parameters. + diff --git a/doc/sources/admin/restsessionbackend.rst b/doc/sources/admin/restsessionbackend.rst index 9e845f7c8..29e2a497c 100644 --- a/doc/sources/admin/restsessionbackend.rst +++ b/doc/sources/admin/restsessionbackend.rst @@ -68,6 +68,10 @@ Name Comment Example **password** Password to use for auth basic mechanism =================== ======================================== ================================================== +`user` and `password` parameters are only used if the entry point `index.fcgi/sessions/global` +is protected by a basic authentication. Thus, handlers will make requests to the portal +using these parameters. + .. attention:: @@ -86,7 +90,7 @@ configuration (for example, access by IP range): # REST/SOAP functions for sessions access (disabled by default) - Require 192.168.2.0/24 + Require ip 192.168.2.0/24 Real session backend diff --git a/doc/sources/admin/soapsessionbackend.rst b/doc/sources/admin/soapsessionbackend.rst index 2578d8385..1af8066af 100644 --- a/doc/sources/admin/soapsessionbackend.rst +++ b/doc/sources/admin/soapsessionbackend.rst @@ -78,12 +78,12 @@ configuration (for example, access by IP range): # SOAP functions for sessions management (disabled by default) - Require 192.168.2.0/24 + Require ip 192.168.2.0/24 # SOAP functions for sessions access (disabled by default) - Require 192.168.2.0/24 + Require ip 192.168.2.0/24 Real session backend 
diff --git a/doc/sources/admin/upgrade_2_0_x.rst b/doc/sources/admin/upgrade_2_0_x.rst index 037870c31..93dd34621 100644 --- a/doc/sources/admin/upgrade_2_0_x.rst +++ b/doc/sources/admin/upgrade_2_0_x.rst 
@@ -30,13 +30,40 @@ None 2.0.12 ------ +Security +~~~~~~~~ + +* **CVE-2021-35473**: Access token lifetime is not verified with OAuth2 Handler (see `issue 2549 `__) +* **CVE-2021-35472**: Session cache corruption can lead to authorization bypass or spoofing (see `issue 2539 `__) +* 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret (see `issue 2543 `__) +* Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application (see `issue 2535 `__) +* XSS on register form (see `issue 2495 `__) +* Wildcard in virtualhost allows being redirected to untrusted domains (see `issue 2477 `__) + +Portal templates changes +~~~~~~~~~~~~~~~~~~~~~~~~ + +If you customized the HTML mail content, you must update them to use HTML::Template variables (this was changed to fix XSS injections). + +For session variables, replace for example ``$cn`` by ````, and for other variables, replace for example ``$url`` by ````. + +Some changes have been made to include new plugins (FindUser and CheckDevOps), you need to report them only if you have a custom theme and you want to use these plugins + +To benefit from the new feature allowing to show password on login form, adapt ``standardform.tpl`` (see `changes `__) + +To disable password store in browser when changing password (this was already possible for login form), adapt ``password.tpl`` (see `changes `__) + +To fix placeholder display in password field when password store is disabled in browser, adapt ``password.tpl`` (see `changes `__) + +See also "Simplification of TOTP options" below. + Client Credential sessions missing expiration time ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you started using Client Credential grants in 2.0.11, you may have encountered `issue 2481 `__. -Because of this bug, the created sessions may never be purged by the `purgeCentralCache` script. +Because of this bug, the created sessions may never be purged by the ``purgeCentralCache`` script. 
In order to detect these sessions, you can run the following command: @@ -78,7 +105,7 @@ The following options have been removed from TOTP configuration: * Display existing secret (``totp2fDisplayExistingSecret``) * Change existing secret (``totp2fUserCanChangeKey``) -As a consequence, users who are *not* using the default `bootstrap` skin may need to ajust their ``totp2fregister.tpl`` template: +As a consequence, users who are *not* using the default ``bootstrap`` skin may need to ajust their ``totp2fregister.tpl`` template: * Move ``#divToHide`` from the ``.col-md-6`` div to the ``.card`` div * Change:: diff --git a/fastcgi-server/man/llng-fastcgi-server.8p b/fastcgi-server/man/llng-fastcgi-server.8p index 117637235..46fff453f 100644 --- a/fastcgi-server/man/llng-fastcgi-server.8p +++ b/fastcgi-server/man/llng-fastcgi-server.8p @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "llng-fastcgi-server 8" -.TH llng-fastcgi-server 8 "2021-07-09" "perl v5.32.1" "User Contributed Perl Documentation" +.TH llng-fastcgi-server 8 "2021-08-01" "perl v5.32.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/lemonldap-ng-common/META.json b/lemonldap-ng-common/META.json index c6c70a6f7..6fe9cf00e 100644 --- a/lemonldap-ng-common/META.json +++ b/lemonldap-ng-common/META.json @@ -40,6 +40,7 @@ "Cookie::Baker::XS" : "0", "Crypt::URandom" : "0", "DBI" : "0", + "Date::Parse" : "0", "LWP::Protocol::https" : "0", "Net::LDAP" : "0", "SOAP::Lite" : "0", diff --git a/lemonldap-ng-common/META.yml b/lemonldap-ng-common/META.yml index 21b7326fd..3db41a62a 100644 --- a/lemonldap-ng-common/META.yml +++ b/lemonldap-ng-common/META.yml @@ -26,6 +26,7 @@ recommends: Cookie::Baker::XS: '0' Crypt::URandom: '0' DBI: '0' + Date::Parse: '0' LWP::Protocol::https: '0' Net::LDAP: '0' SOAP::Lite: '0' 
diff --git a/lemonldap-ng-common/Makefile.PL b/lemonldap-ng-common/Makefile.PL
index 76f8f7d1e..e1c73a982 100644
--- a/lemonldap-ng-common/Makefile.PL
+++ b/lemonldap-ng-common/Makefile.PL
@@ -47,6 +47,7 @@ WriteMakefile(
 'Convert::Base32' => 0,
 'Cookie::Baker::XS' => 0,
 'Crypt::URandom' => 0,
+ 'Date::Parse' => 0,
 'String::Random' => 0,
 'DBI' => 0,
 'Net::LDAP' => 0,
diff --git a/lemonldap-ng-common/scripts/convertSessions b/lemonldap-ng-common/scripts/convertSessions
index 9ba895895..66e1465a4 100755
--- a/lemonldap-ng-common/scripts/convertSessions
+++ b/lemonldap-ng-common/scripts/convertSessions
@@ -16,18 +16,20 @@ use strict;
 use Getopt::Long;
 use Pod::Usage;
-our $VERSION = "2.0.6";
+our $VERSION = "2.0.12";
 # Options
 # -d: debug mode
 # -c: configuration file
-# -r: configuration file
+# -r: rename attributes
 # -i: ignore errors
+# -x: exclude attributes
 my $debug;
 my $config_file;
 my $ignore_errors;
 my %rename;
+my @exclude;
 my $help;
 my $nb_converted = 0;
 my $nb_error = 0;
@@ -38,6 +40,7 @@ GetOptions(
 'config|c=s' => \$config_file,
 'ignore-errors|i' => \$ignore_errors,
 'rename|r=s' => \%rename,
+ 'exclude|x=s' => \@exclude,
 ) or pod2usage(2);
 pod2usage(
 -exitval => 1,
@@ -133,6 +136,16 @@ Lemonldap::NG::Common::Apache::Session->get_key_from_all_sessions(
 }
 }
+ if (@exclude) {
+ for my $excludekey (@exclude) {
+ if ( $entry->{$excludekey} ) {
+ print "Exclude $excludekey in session $id\n"
+ if $debug;
+ delete $entry->{$excludekey};
+ }
+ }
+ }
+
 print "Processing session $id\n" if $debug;
 my $s = Lemonldap::NG::Common::Session->new( {
 storageModule => $backendTo->{backend},
diff --git a/lemonldap-ng-common/scripts/lemonldap-ng-cli b/lemonldap-ng-common/scripts/lemonldap-ng-cli
index 538bed739..51fc2a81e 100755
--- a/lemonldap-ng-common/scripts/lemonldap-ng-cli
+++ b/lemonldap-ng-common/scripts/lemonldap-ng-cli
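Review bot: The guard `if ( $entry->{$excludekey} )` in the new exclude loop tests the value for truthiness, so a key whose value is `0`, `''` or `undef` is never deleted and the debug line is never printed for it; use `if ( exists $entry->{$excludekey} ) {` so that `-x` removes the key whatever its value. Since the rename loop appears to run just above this block, `-x` is matched against the post-rename key names, which is worth stating in the usage comment, e.g. `# -x: exclude attributes (matched after -r renames)`. The enclosing per-session loop body continues outside the hunk.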
@@ -3,15 +3,14 @@ use warnings;
 use strict;
 use POSIX;
-use Getopt::Long;
+use Getopt::Long qw(:config pass_through);
-our $opt_user = '__APACHEUSER__';
-our $opt_group = '__APACHEGROUP';
-GetOptions (
- "user=s" => \$opt_user,
- "group=s" => \$opt_group
-)
-or die("Error in command line arguments\n");
+our $opt_user = '__APACHEUSER__';
+our $opt_group = '__APACHEGROUP__';
+GetOptions(
+ "user=s" => \$opt_user,
+ "group=s" => \$opt_group
+) or die("Error in command line arguments\n");
 my $action;
@@ -77,6 +76,10 @@ Options:
 - sep : separator of hierarchical values (by default: /)
 - iniFile : path to an alternate lemonldap-ng.ini file
+Additional options:
+ - --user= : change user running the script
+ - --group= : change group running the script
+
 See Lemonldap::NG::Manager::Cli(3) for more
 };
 }
diff --git a/lemonldap-ng-common/scripts/lemonldap-ng-sessions b/lemonldap-ng-common/scripts/lemonldap-ng-sessions
index c13e14d68..39a7e2b0e 100755
--- a/lemonldap-ng-common/scripts/lemonldap-ng-sessions
+++ b/lemonldap-ng-common/scripts/lemonldap-ng-sessions
@@ -10,11 +10,13 @@ use strict;
 use Getopt::Long;
 use Pod::Usage;
-our $VERSION = "2.0.9";
+our $VERSION = "2.0.12";
 # Options
 my $opts = {};
 my $help;
+my $opt_user = '__APACHEUSER__';
+my $opt_group = '__APACHEGROUP__';
 GetOptions(
 'help|h' => \$help,
@@ -23,13 +25,15 @@ GetOptions(
 'backend|b=s' => \$opts->{backend},
 'persistent|p' => \$opts->{persistent},
 'id-only|i' => \$opts->{idonly},
+ 'user|u=s' => \$opt_user,
+ 'group|g=s' => \$opt_group,
 ) or pod2usage( -exitcode => 1, -verbose => 0 );
 pod2usage( -exitcode => 0, -verbose => 2 ) if $help;
 eval {
- POSIX::setgid( scalar( getgrnam('__APACHEGROUP__') ) );
- POSIX::setuid( scalar( getpwnam('__APACHEUSER__') ) );
+ POSIX::setgid( scalar( getgrnam($opt_group) ) );
+ POSIX::setuid( scalar( getpwnam($opt_user) ) );
 };
 my $action = shift @ARGV;
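Review bot: With `qw(:config pass_through)` an unrecognised option such as `--usr=nginx` is no longer an error but is left in `@ARGV` and handed on to the manager CLI, so the `or die("Error in command line arguments\n")` now only fires for a malformed value of `--user`/`--group`, and a mistyped option silently keeps the default `__APACHEUSER__`/`__APACHEGROUP__` account unless the later parser rejects it (not visible here). Pass-through is presumably required because the `-cfgNum`-style options are parsed afterwards, so at least make the trade-off explicit with a comment above the `use` line: `# pass_through: remaining options (-cfgNum, -yes, ...) are parsed by Manager::Cli; typos in --user/--group are NOT rejected here`.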
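Review bot: The privilege drop in `eval { POSIX::setgid(...); POSIX::setuid(...) }` still swallows every failure now that the names come from the command line: `getgrnam`/`getpwnam` return `undef` for an unknown name, `setgid`/`setuid` are then called with `undef`, and neither their return values nor `$@` are checked, so a mistyped `--user`/`--group` (or an unsubstituted placeholder, which is exactly what the `__APACHEGROUP` typo fixed in lemonldap-ng-cli in this same commit would have produced) leaves the script running with the invoking user's privileges, typically root, and continuing into the session backend. Resolve both names before touching ids and abort when resolution fails; if running the script unprivileged is a supported case, the set{g,u}id failures can stay non-fatal warnings while the name lookup remains fatal. `lmConfigEditor` further down in this commit uses the same unchecked `( getgrnam($opt_group) )[2]` pattern.
```perl
# … unchanged: GetOptions / pod2usage …
my $gid = getgrnam($opt_group);
my $uid = getpwnam($opt_user);
die "Unknown group '$opt_group'\n" unless defined $gid;
die "Unknown user '$opt_user'\n"   unless defined $uid;
# Drop the group first: once the uid has changed, setgid is no longer allowed
POSIX::setgid($gid) or warn "setgid($gid) failed: $!\n";
POSIX::setuid($uid) or warn "setuid($uid) failed: $!\n";

my $action = shift @ARGV;
```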
@@ -127,7 +131,8 @@ Options:
 --persistent Search in persistent sessions
 --where Set search filter (search/delete only)
 --id-only Only return IDs (search only)
-
+ --user Change user running the script
+ --group Change group running the script
 =head1 COMMANDS
@@ -288,7 +293,7 @@ Examples:
 =item B<--persistent>,B<-p>
-This options is a shortcut for specifying --backend persistent and using
+This option is a shortcut for specifying --backend persistent and using
 the UID hash as a session ID
 Example:
@@ -303,7 +308,7 @@ is the same as
 =item B<--id-only>,B<-i>
-This option replace the standard JSON output format with a simpler format of
+This option replaces the standard JSON output format with a simpler format of
 one session ID per line. This allows some intersting combos using xargs.
 For example, if you want to
@@ -312,7 +317,13 @@ remove all sessions started by "dwho"
 lemonldap-ng-sessions search --where uid=dwho --id-only | \
 xargs lemonldap-ng-sessions delete
+=item B<--user>,B<-u>
+This option forces the system user that runs the script.
+
+=item B<--group>,B<-g>
+
+This option forces the system group that runs the script.
 =back
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm
index 2443c31df..db8fc762e 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm
@@ -129,13 +129,7 @@ sub token {
 # Fake reval method if useSafeJail is off
 sub reval {
 my ( $self, $e ) = @_;
-
- my $res = eval $e;
- if ($@) {
- $self->error($@);
- return undef;
- }
- return $res;
+ return eval $e;
 }
 ## @method wrap_code_ref
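Review bot: `return eval $e;` evaluates the string in the caller's context, whereas the removed `my $res = eval $e;` forced scalar context, so a caller invoking `reval` in list context would now receive whatever list the rule produces instead of a single value; the only caller visible in this diff, `jail_reval`, assigns to a scalar, but `return scalar eval $e;` keeps the old semantics for any other caller. The method also no longer logs or consumes the error, which turns `$@` into an implicit part of its contract; add `# Leaves $@ set on failure: the caller (jail_reval) must inspect $@ immediately after the call` above the eval so nobody inserts code between the call and the check. As the existing comment says, this path string-evals the configured rule with no Safe compartment at all.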
@@ -180,11 +174,10 @@ sub share_from {
 sub jail_reval {
 my ( $self, $reval ) = @_;
- # if nothing is returned by reval, add the return statement to
- # the "no safe wrap" reval
+ # If nothing is returned by reval, add the return statement to
+ # the "no safe wrap" reval
- my $res;
- eval { $res = ( $self->jail->reval($reval) ) };
+ my $res = $self->jail->reval($reval);
 if ($@) {
 $self->error($@);
 return undef;
diff --git a/lemonldap-ng-handler/t/12-Lemonldap-NG-Handler-Jail.t b/lemonldap-ng-handler/t/12-Lemonldap-NG-Handler-Jail.t
index 25c6329d6..55ed31859 100644
--- a/lemonldap-ng-handler/t/12-Lemonldap-NG-Handler-Jail.t
+++ b/lemonldap-ng-handler/t/12-Lemonldap-NG-Handler-Jail.t
@@ -6,7 +6,7 @@
 # change 'tests => 1' to 'tests => last_test_to_print';
 use strict;
-use Test::More tests => 20;
+use Test::More tests => 22;
 require 't/test.pm';
 BEGIN { use_ok('Lemonldap::NG::Handler::Main::Jail') }
@@ -60,7 +60,7 @@ ok(
 ok( $res = &$code, "Function works" );
 ok( $res == 1, 'Get good result' );
-$sub = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
+$sub = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }";
 $code = $jail->jail_reval($sub);
 ok( ( defined($code) and ref($code) eq 'CODE' ),
@@ -105,3 +105,11 @@ is(
 "Function works"
 );
+$sub = "sub { return(";
+$code = $jail->jail_reval($sub);
+ok( ( not defined($code) ), 'Syntax error yields undef result' );
+like(
+ $jail->error,
+ qr/Missing right curly or square bracket/,
+ 'Found correct error message'
+);
diff --git a/lemonldap-ng-handler/t/13-Lemonldap-NG-Handler-Fake-Safe.t b/lemonldap-ng-handler/t/13-Lemonldap-NG-Handler-Fake-Safe.t
index b6584b765..c2911f736 100644
--- a/lemonldap-ng-handler/t/13-Lemonldap-NG-Handler-Fake-Safe.t
+++ b/lemonldap-ng-handler/t/13-Lemonldap-NG-Handler-Fake-Safe.t
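Review bot: The outer `eval { ... }` around `$self->jail->reval($reval)` is gone, so an exception thrown by the call itself, as opposed to a compile error that `reval` reports through `$@`, now propagates out of `jail_reval` instead of being logged via `$self->error` and turned into `undef`; whether the Safe-jail flavour can die that way (for instance with `$self->jail` unset) is not visible in this hunk, so please confirm before relying on it. If both jail flavours are meant to signal failure only through `$@`, say so next to the call, `# Both Safe->reval and the fake reval report failures via $@ and never die`, so the dependency is explicit. `jail_reval` continues past the end of the hunk.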
@@ -5,7 +5,7 @@ # change 'tests => 1' to 'tests => last_test_to_print'; -use Test::More tests => 14; +use Test::More tests => 16; require 't/test.pm'; BEGIN { use_ok('Lemonldap::NG::Handler::Main::Jail') } @@ -43,7 +43,8 @@ my $checkDate = $jail->jail_reval($sub3); ok( &$checkDate == "1", 'checkDate extended function working without Safe Jail' ); -my $sub4 = "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }"; +my $sub4 = + "sub { return(checkDate('20000101000000+0100','21000101000000+0100')) }"; my $checkDate = $jail->jail_reval($sub4); ok( &$checkDate == "1", 'checkDate extended function working without Safe Jail' ); @@ -96,3 +97,12 @@ is( 0, "Function works" ); + +$sub = "sub { return("; +$code = $jail->jail_reval($sub); +ok( ( not defined($code) ), 'Syntax error yields undef result' ); +like( + $jail->error, + qr/Missing right curly or square bracket/, + 'Found correct error message' +); diff --git a/lemonldap-ng-manager/META.json b/lemonldap-ng-manager/META.json index 988234b6c..366acec15 100644 --- a/lemonldap-ng-manager/META.json +++ b/lemonldap-ng-manager/META.json @@ -22,6 +22,7 @@ "prereqs" : { "build" : { "requires" : { + "Email::Sender" : "0", "IO::String" : "0", "Regexp::Common" : "0", "Test::Pod" : "1" diff --git a/lemonldap-ng-manager/META.yml b/lemonldap-ng-manager/META.yml index ee1756b1f..1746f38d2 100644 --- a/lemonldap-ng-manager/META.yml +++ b/lemonldap-ng-manager/META.yml @@ -3,6 +3,7 @@ abstract: 'Perl extension for managing Lemonldap::NG Web-SSO system.' author: - 'Xavier Guimard , Clément Oudot ' build_requires: + Email::Sender: '0' IO::String: '0' Regexp::Common: '0' Test::Pod: '1' diff --git a/lemonldap-ng-manager/Makefile.PL b/lemonldap-ng-manager/Makefile.PL index 7f9de9d95..49c5abd83 100644 --- a/lemonldap-ng-manager/Makefile.PL +++ b/lemonldap-ng-manager/Makefile.PL 
@@ -8,6 +8,7 @@ WriteMakefile(
VERSION_FROM => 'lib/Lemonldap/NG/Manager.pm', # finds $VERSION
LICENSE => 'gpl',
BUILD_REQUIRES => {
+ 'Email::Sender' => 0,
'IO::String' => 0,
'Regexp::Common' => 0,
'Test::Pod' => 1.00,
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Zero.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Zero.pm
index 7a8a0f78a..fac770c67 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Zero.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Zero.pm
@@ -5,7 +5,9 @@ use strict;
our $VERSION = '2.1.0';
sub zeroConf {
- my ( $domain, $sessionDir, $persistentSessionDir, $notificationDir, $cacheDir ) = @_;
+ my ( $domain, $sessionDir, $persistentSessionDir, $notificationDir,
+ $cacheDir )
+ = @_;
$domain ||= 'example.com';
$sessionDir ||= '/var/lib/lemonldap-ng/sessions';
$persistentSessionDir ||= '/var/lib/lemonldap-ng/psessions';
@@ -179,6 +181,7 @@ sub zeroConf {
'securedCookie' => 0,
'cookieName' => 'lemonldap',
'cfgAuthor' => 'The LemonLDAP::NG team',
+ 'cfgDate' => '1627287638',
'cfgVersion' => $VERSION,
'exportedVars' => {},
'portalSkin' => 'bootstrap',
diff --git a/lemonldap-ng-manager/scripts/lmConfigEditor b/lemonldap-ng-manager/scripts/lmConfigEditor
index 7bc186214..6d23891c0 100755
--- a/lemonldap-ng-manager/scripts/lmConfigEditor
+++ b/lemonldap-ng-manager/scripts/lmConfigEditor
@@ -15,14 +15,13 @@ use strict;
my $cli = Lemonldap::NG::Manager::Cli::Lib->new;
-our $opt_user = '__APACHEUSER__';
+our $opt_user = '__APACHEUSER__';
our $opt_group = '__APACHEGROUP__';
-GetOptions (
- "user=s" => \$opt_user,
- "group=s" => \$opt_group
-)
-or die("Error in command line arguments\n");
+GetOptions(
+ "user=s" => \$opt_user,
+ "group=s" => \$opt_group
+) or die("Error in command line arguments\n");
eval {
setgid( ( getgrnam($opt_group) )[2] );
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
index 5b961e2ff..e179e3f7c 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@@ -753,7 +753,7 @@
"pamAuthnLevel":"Niveau d'authentification",
"pamParams":"Paramètres PAM",
"pamService":"Service PAM",
-"password":"Mot-de-passe",
+"password":"Mot de passe",
"passwordDB":"Module de mot de passe",
"passwordManagement":"Gestion des mots de passe",
"passwordPolicy":"Politique des mots de passe",
@@ -878,8 +878,8 @@
"restFindUserDBUrl":"URL des comptes utilisateurs",
"restParams":"Paramètres REST",
"restPasswordServer":"Serveur de réinitialisation de mdp",
-"restPwdConfirmUrl":"URL de confirmation de mot-de-passe",
-"restPwdModifyUrl":"URL de modification de mot-de-passe",
+"restPwdConfirmUrl":"URL de confirmation de mot de passe",
+"restPwdModifyUrl":"URL de modification de mot de passe",
"restServices":"Services REST",
"restSessionServer":"Serveur de sessions",
"restUserDBUrl":"URL de données utilisateurs",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
index 363f73617..706063def 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
@@ -790,7 +790,7 @@
"portalDisplayRefreshMyRights":"Görüntüleme hakları yenileme bağlantısı",
"portalDisplayRegister":"Yeni hesap kaydet",
"portalDisplayResetPassword":"Parolayı sıfırla",
-"portalEnablePasswordDisplay":"Allow to display password",
+"portalEnablePasswordDisplay":"Parolayı göstermeye izin ver",
"portalErrorOnExpiredSession":"Süresi dolmuş oturumda hatayı göster",
"portalErrorOnMailNotFound":"E-posta bulunamadığında hatayı göster",
"portalForceAuthn":"Kimlik doğrulamaya zorla",
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
index 9e7c5bf07..823ae6cfa 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
@@ -94,6 +94,11 @@ sub run {
# We use a specific text message, no html
$body = $self->conf->{mail2fBody};
+
+ # Replace variables in body
+ $body =~ s/\$code/$code/g;
+ $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
+
} else {
@@ -109,12 +114,6 @@ sub run {
$html = 1;
}
- # Replace variables in body
- # FIXME: kept for compatibility with 2.0.0 mail templates
- # in future versions this should only happen for plaintext emails
- $body =~ s/\$code/$code/g;
- $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
-
# Send mail
unless ( $self->send_mail( $dest, $subject, $body, $html ) ) {
$self->logger->error( 'Unable to send 2F code mail to ' . $dest );
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
index 765449033..2dcd79593 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -1358,8 +1358,7 @@ sub sendOIDCError {
sub returnBearerError {
my ( $self, $error_code, $error_message ) = @_;
- # TODO: verify this
- return [
+ my $res = [
401,
[
'WWW-Authenticate' =>
@@ -1367,6 +1366,10 @@ sub returnBearerError {
],
[]
];
+
+ $self->p->setCorsHeaderFromConfig($res);
+
+ return $res;
}
sub checkEndPointAuthenticationCredentials {
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
index 7a73d2daf..d1fd7c3d5 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
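Review bot: Moving the `$code` and `$(\w+)` substitutions into the plaintext branch silently drops the 2.0.0-template compatibility that the removed FIXME described: an HTML `mail2fBody` that still uses `$code` or session-attribute placeholders will now be sent with them unexpanded. That is what the FIXME asked for, but as a behaviour change in what looks like a maintenance release it deserves a line in the upgrade notes and a comment in the plaintext branch such as `# Placeholders ($code, $<session attribute>) are only expanded in plaintext bodies`. The same move is made in CertificateResetByMail.pm and MailPasswordReset.pm, and as a pure removal in Register.pm, where no plaintext branch keeping the `$url` expansion is visible in the hunk.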
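Review bot: `returnBearerError` now attaches the configured CORS headers to its 401 response without saying why; a comment such as `# Apply CORS headers so that browser-based clients can read the error response` would record that exposing an authentication error cross-origin is deliberate. `setCorsHeaderFromConfig` appends whatever the `cors` setting contains whenever `corsEnabled` is set, so this error path follows the same origin policy as successful token and userinfo responses, which 32-OIDC-Token-Security.t now asserts.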
@@ -531,13 +531,13 @@ sub findEP {
}
}
}
- $self->logger->debug("Plugin $plugin initializated");
+ $self->logger->debug("Plugin $plugin initialized");
# Rules for menu
if ( $obj->can('spRules') ) {
foreach my $k ( keys %{ $obj->{spRules} } ) {
$self->logger->info(
-"$k is defined more than one time, it can have some bad effect on Menu display"
+"$k is defined more than one time, it can have some bad effects on Menu display"
) if ( $self->spRules->{$k} );
$self->spRules->{$k} = $obj->{spRules}->{$k};
}
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
index 1ece9547d..655dbafdc 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@@ -875,12 +875,7 @@ sub sendHtml {
'Pragma' => 'no-cache', # HTTP 1.0
'Expires' => '0'; # Proxies
- if ( $self->conf->{corsEnabled} ) {
- my @cors = split /;/, $self->cors;
- push @{ $res->[1] }, @cors;
- $self->logger->debug('Apply following CORS policy :');
- $self->logger->debug(" $_") for @cors;
- }
+ $self->setCorsHeaderFromConfig($res);
# Set authorized URL for POST
my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
@@ -1086,7 +1081,7 @@ sub registerLogin {
}
my $history = $req->sessionInfo->{_loginHistory} ||= {};
- my $type = ( $req->authResult > 0 ? 'failed' : 'success' ) . 'Login';
+ my $type = ( $req->authResult > 0 ? 'failed' : 'success' ) . 'Login';
$history->{$type} ||= [];
$self->logger->debug("Current login saved into $type");
@@ -1129,13 +1124,11 @@ sub _sumUpSession {
sub corsPreflight {
my ( $self, $req ) = @_;
my @headers;
- if ( $self->conf->{corsEnabled} ) {
- my @cors = split /;/, $self->cors;
- push @headers, @cors;
- $self->logger->debug('Apply following CORS policy :');
- $self->logger->debug(" $_") for @cors;
- }
- return [ 204, \@headers, [] ];
+ my $res = [ 204, \@headers, [] ];
+
+ $self->setCorsHeaderFromConfig($res);
+
+ return $res;
}
sub sendJSONresponse {
@@ -1164,11 +1157,8 @@ sub sendJSONresponse {
"Access-Control-Allow-Credentials" => "true";
}
- elsif ( $self->conf->{corsEnabled} ) {
- my @cors = split /;/, $self->cors;
- push @{ $res->[1] }, @cors;
- $self->logger->debug('Apply following CORS policy :');
- $self->logger->debug(" $_") for @cors;
+ else {
+ $self->setCorsHeaderFromConfig($res);
}
return $res;
}
@@ -1176,13 +1166,21 @@ sub sendJSONresponse {
sub sendRawHtml {
my ($self) = $_[0];
my $res = Lemonldap::NG::Common::PSGI::sendRawHtml(@_);
+
+ $self->setCorsHeaderFromConfig($res);
+
+ return $res;
+}
+
+sub setCorsHeaderFromConfig {
+ my ( $self, $response ) = @_;
+
if ( $self->conf->{corsEnabled} ) {
my @cors = split /;/, $self->cors;
- push @{ $res->[1] }, @cors;
+ push @{ $response->[1] }, @cors;
$self->logger->debug('Apply following CORS policy :');
$self->logger->debug(" $_") for @cors;
}
- return $res;
}
# Temlate loader
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CertificateResetByMail.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CertificateResetByMail.pm
index 6d9d5d8c6..bfc8c4ee2 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CertificateResetByMail.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CertificateResetByMail.pm
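Review bot: In `corsPreflight` the `my @headers;` declaration now only survives to be wrapped into `$res`, so the intermediate is noise left over from the old inline block; `my $res = [ 204, [], [] ];` says the same thing and lets `my @headers;` be dropped.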
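Review bot: `setCorsHeaderFromConfig` is a new method with no header comment, and since OpenIDConnect.pm now calls it through `$self->p->` it is effectively part of the portal object's interface rather than a private helper. A comment above it such as `# Append the configured CORS headers (split from $self->cors) to a PSGI response array in place when corsEnabled is set; returns nothing` would tell callers that the response is mutated rather than returned. The singular "Header" in the name is also slightly misleading, as the method pushes every header the `cors` setting contains.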
@@ -371,6 +371,13 @@ sub _certificateReset {
# We use a specific text message, no html
$body = $self->conf->{certificateResetByMailStep1Body};
+
+ # Replace variables in body
+ $body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
+ $body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
+ $body =~ s/\$url/$url/g;
+ $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
+
} else {
@@ -387,14 +394,6 @@ sub _certificateReset {
$html = 1;
}
- # Replace variables in body
- # FIXME: kept for compatibility with 2.0.0 mail templates
- # in future versions this should only happen for plaintext emails
- $body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
- $body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
- $body =~ s/\$url/$url/g;
- $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
-
# Send mail
unless (
$self->send_mail(
@@ -555,6 +554,10 @@ sub modifyCertificate {
# We use a specific text message, no html
$body = $self->conf->{certificateResetByMailStep2Body};
+
+ # Replace variables in body
+ $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
+
} else {
@@ -568,11 +571,6 @@ sub modifyCertificate {
$html = 1;
}
- # Replace variables in body
- # FIXME: kept for compatibility with 2.0.0 mail templates
- # in future versions this should only happen for plaintext emails
- $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
-
# Send mail
return PE_MAILERROR unless $self->send_mail(
$req->data->{mailAddress}, $subject, $body,
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm
index 39ce024ad..9e4bb4b24 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm
@@ -335,6 +335,13 @@ sub _reset {
# We use a specific text message, no html
$body = $self->conf->{mailConfirmBody};
+
+ # Replace variables in body
+ $body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
+ $body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
+ $body =~ s/\$url/$url/g;
+ $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
+
} else {
@@ -352,14 +359,6 @@ sub _reset {
$html = 1;
}
- # Replace variables in body
- # FIXME: kept for compatibility with 2.0.0 mail templates
- # in future versions this should only happen for plaintext emails
- $body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
- $body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
- $body =~ s/\$url/$url/g;
- $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
-
$self->logger->info( "User " . $req->data->{mailAddress} . " is trying to reset his/her password" );
@@ -515,6 +514,11 @@ sub changePwd {
# We use a specific text message, no html
$body = $self->conf->{mailBody};
+
+ # Replace variables in body
+ $body =~ s/\$password/$password/g;
+ $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
+
} else {
@@ -530,12 +534,6 @@ sub changePwd {
$html = 1;
}
- # Replace variables in body
- # FIXME: kept for compatibility with 2.0.0 mail templates
- # in future versions this should only happen for plaintext emails
- $body =~ s/\$password/$password/g;
- $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
-
# Send mail
return PE_MAILERROR unless $self->send_mail(
$req->data->{mailAddress}, $subject, $body,
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm
index 67ceb5fef..3307efb92 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm
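Review bot: In `changePwd` the plaintext branch substitutes `$password` first and then runs the generic `s/\$(\w+)/.../ge` over the whole body, so if the generated password contains a `$` followed by word characters (say `ab$1cd`) the inserted value is re-scanned and partly replaced by session data or the empty string, and the user is mailed a mangled password. A single pass avoids the re-scan: `$body =~ s/\$(\w+)/$1 eq 'password' ? $password : ( $req->{sessionInfo}->{$1} || '' )/ge;`. The same two-pass order exists for `$url`, `$expMailDate` and `$code` in `_reset`, CertificateResetByMail.pm and Mail2F.pm, where the values are less likely to contain a `$` but the fix is the same shape.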
@@ -322,14 +322,6 @@ sub _register {
},
);
- # Replace variables in body
- # FIXME: kept for compatibility with 2.0.0 mail templates
- # in future versions this should only happen for plaintext emails
- $body =~ s/\$expMailDate/$req->data->{expMailDate}/g;
- $body =~ s/\$expMailTime/$req->data->{expMailTime}/g;
- $body =~ s/\$url/$url/g;
- $body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/eg;
-
# Send mail
return PE_MAILERROR unless $self->send_mail(
$req->data->{registerInfo}->{mail},
@@ -397,12 +389,6 @@ sub _register {
},
);
- # Replace variables in body
- # FIXME: kept for compatibility with 2.0.0 mail templates
- # in future versions this should only happen for plaintext emails
- $body =~ s/\$url/$url/g;
- $body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/ge;
-
# Send mail
return PE_MAILERROR unless $self->send_mail(
$req->data->{registerInfo}->{mail},
diff --git a/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.js b/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.js
index 0ae09ab37..eaa600b8a 100644
--- a/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.js
+++ b/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.js
@@ -33,5 +33,19 @@ $(window).on("load", function() {
modal.find('.remove2f').attr('epoch', epoch)
})
+ // Set tab items (my applications, password, history, logout) tabbable
+ // (ie accessible via tab key)
+ // needed because of jquery-ui setting only active element tabbable
+ // (see #2561)
+ $('.nav-item').click(function() {
+ $('.nav-item').attr( "tabIndex", 0 );
+ });
+ $('.nav-item').focusin(function() {
+ $('.nav-item').attr( "tabIndex", 0 );
+ });
+ $('.nav-item').focusout(function() {
+ $('.nav-item').attr( "tabIndex", 0 );
+ });
+
});
diff --git a/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.min.js b/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.min.js
index 81d55ca1e..c8824ed74 100644
--- a/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.min.js
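Review bot: The three handlers added on `.nav-item` are identical apart from the event name, so one binding with a space-separated event list expresses the same thing in a third of the lines: `$('.nav-item').on('click focusin focusout', function() { $('.nav-item').attr('tabIndex', 0); });`. The minified skin.min.js and its source map in the same commit would need regenerating after that change.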
+++ b/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.min.js @@ -1 +1 @@ -$(window).on("load",function(){$("div.message-positive").addClass("alert-success"),$("div.message-warning").addClass("alert-warning"),$("div.message-negative").addClass("alert-danger"),$("table.info").addClass("table"),$(".notifCheck").addClass("checkbox"),$('.collapse li[class!="dropdown"]').on("click",function(){$(".navbar-toggler").hasClass("collapsed")||$(".navbar-toggler").trigger("click")}),$("#authMenu .nav-link").on("click",function(a){window.datas.choicetab=a.target.hash.substr(1)}),$("#remove2fModal").on("show.bs.modal",function(a){var e=$(a.relatedTarget),s=e.attr("device"),a=e.attr("epoch"),e=$(this);e.find(".remove2f").attr("device",s),e.find(".remove2f").attr("epoch",a)})}); \ No newline at end of file +$(window).on("load",function(){$("div.message-positive").addClass("alert-success"),$("div.message-warning").addClass("alert-warning"),$("div.message-negative").addClass("alert-danger"),$("table.info").addClass("table"),$(".notifCheck").addClass("checkbox"),$('.collapse li[class!="dropdown"]').on("click",function(){$(".navbar-toggler").hasClass("collapsed")||$(".navbar-toggler").trigger("click")}),$("#authMenu .nav-link").on("click",function(a){window.datas.choicetab=a.target.hash.substr(1)}),$("#remove2fModal").on("show.bs.modal",function(a){var t=$(a.relatedTarget),e=t.attr("device"),a=t.attr("epoch"),t=$(this);t.find(".remove2f").attr("device",e),t.find(".remove2f").attr("epoch",a)}),$(".nav-item").click(function(){$(".nav-item").attr("tabIndex",0)}),$(".nav-item").focusin(function(){$(".nav-item").attr("tabIndex",0)}),$(".nav-item").focusout(function(){$(".nav-item").attr("tabIndex",0)})}); \ No newline at end of file diff --git a/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.min.js.map b/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.min.js.map index c9a6e4853..f57723e90 100644 
--- a/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.min.js.map +++ b/lemonldap-ng-portal/site/htdocs/static/bootstrap/js/skin.min.js.map @@ -1 +1 @@ -{"version":3,"sources":["skin.js"],"names":["$","window","on","addClass","hasClass","trigger","e","datas","choicetab","target","hash","substr","event","button","relatedTarget","device","attr","epoch","modal","this","find"],"mappings":"AAAAA,EAAEC,QAAQC,GAAG,OAAQ,WAGnBF,EAAE,wBAAwBG,SAAS,iBACnCH,EAAE,uBAAuBG,SAAS,iBAClCH,EAAE,wBAAwBG,SAAS,gBAEnCH,EAAE,cAAcG,SAAS,SAEzBH,EAAE,eAAeG,SAAS,YAG1BH,EAAE,mCAAmCE,GAAG,QAAS,WAC1CF,EAAE,mBAAmBI,SAAS,cACjCJ,EAAE,mBAAmBK,QAAQ,WAKjCL,EAAE,uBAAuBE,GAAG,QAAS,SAAUI,GAC3CL,OAAOM,MAAMC,UAAYF,EAAEG,OAAOC,KAAKC,OAAO,KAIlDX,EAAE,kBAAkBE,GAAG,gBAAiB,SAAUU,GAClD,IAAIC,EAASb,EAAEY,EAAME,eACjBC,EAASF,EAAOG,KAAK,UACrBC,EAAQJ,EAAOG,KAAK,SACpBE,EAAQlB,EAAEmB,MAGdD,EAAME,KAAK,aAAaJ,KAAK,SAAUD,GACvCG,EAAME,KAAK,aAAaJ,KAAK,QAASC"} \ No newline at end of file +{"version":3,"sources":["skin.js"],"names":["$","window","on","addClass","hasClass","trigger","e","datas","choicetab","target","hash","substr","event","button","relatedTarget","device","attr","epoch","modal","this","find","click","focusin","focusout"],"mappings":"AAAAA,EAAEC,QAAQC,GAAG,OAAQ,WAGnBF,EAAE,wBAAwBG,SAAS,iBACnCH,EAAE,uBAAuBG,SAAS,iBAClCH,EAAE,wBAAwBG,SAAS,gBAEnCH,EAAE,cAAcG,SAAS,SAEzBH,EAAE,eAAeG,SAAS,YAG1BH,EAAE,mCAAmCE,GAAG,QAAS,WAC1CF,EAAE,mBAAmBI,SAAS,cACjCJ,EAAE,mBAAmBK,QAAQ,WAKjCL,EAAE,uBAAuBE,GAAG,QAAS,SAAUI,GAC3CL,OAAOM,MAAMC,UAAYF,EAAEG,OAAOC,KAAKC,OAAO,KAIlDX,EAAE,kBAAkBE,GAAG,gBAAiB,SAAUU,GAClD,IAAIC,EAASb,EAAEY,EAAME,eACjBC,EAASF,EAAOG,KAAK,UACrBC,EAAQJ,EAAOG,KAAK,SACpBE,EAAQlB,EAAEmB,MAGdD,EAAME,KAAK,aAAaJ,KAAK,SAAUD,GACvCG,EAAME,KAAK,aAAaJ,KAAK,QAASC,KAOtCjB,EAAE,aAAaqB,MAAM,WACnBrB,EAAE,aAAagB,KAAM,WAAY,KAEnChB,EAAE,aAAasB,QAAQ,WACrBtB,EAAE,aAAagB,KAAM,WAAY,KAEnChB,EAAE,aAAauB,SAAS,WACtBvB,EAAE,aAAagB,KAAM,WAAY"} \ No newline at end of file 
diff --git a/lemonldap-ng-portal/site/htdocs/static/languages/fr.json b/lemonldap-ng-portal/site/htdocs/static/languages/fr.json
index a47624999..511c0b2ef 100644
--- a/lemonldap-ng-portal/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/fr.json
@@ -234,7 +234,7 @@
"openidPA":"La politique d'utilisation des données est disponible ici",
"openidRpns":"Le paramètre %s exigé pour la fédération n'est pas disponible",
"otherSessions":"Autres sessions ouvertes",
-"password":"Mot-de-passe",
+"password":"Mot de passe",
"passwordPolicy":"Merci de respecter la politique suivante :",
"passwordPolicyMinDigit":"Minimum de chiffres :",
"passwordPolicyMinLower":"Minimum de minuscules :",
diff --git a/lemonldap-ng-portal/site/templates/common/mail/fr.json b/lemonldap-ng-portal/site/templates/common/mail/fr.json
index d900e644f..b8b26819f 100644
--- a/lemonldap-ng-portal/site/templates/common/mail/fr.json
+++ b/lemonldap-ng-portal/site/templates/common/mail/fr.json
@@ -8,7 +8,7 @@
"hello":"Bonjour",
"mail2fSubject":"[LemonLDAP::NG] Votre code de connexion",
"mailConfirmSubject": "[LemonLDAP::NG] Confirmation de réinitialisation de mot de passe",
-"mailSubject": "[LemonLDAP::NG] Votre nouveau mot-de-passe",
+"mailSubject": "[LemonLDAP::NG] Votre nouveau mot de passe",
"newPwdIs":"Votre nouveau mot de passe est",
"pwdChanged":"Votre mot de passe a été changé.",
"pwdIs":"Votre mot de passe est",
diff --git a/lemonldap-ng-portal/t/32-OIDC-Token-Security.t b/lemonldap-ng-portal/t/32-OIDC-Token-Security.t
index ccb535571..33d1fd904 100644
--- a/lemonldap-ng-portal/t/32-OIDC-Token-Security.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Token-Security.t
@@ -150,6 +150,10 @@ count(1);
# Expect an invalid request
expectReject( $res, 400, "invalid_grant" );
+is( getHeader( $res, "Access-Control-Allow-Origin" ),
+ "*", "CORS header present on Token error response" );
+count(1);
+
# Get new code for RP1
$query = "response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp.com%2F";
@@ -202,10 +206,36 @@ ok(
"Post auth code on correct RP"
);
count(1);
+
+is( getHeader( $res, "Access-Control-Allow-Origin" ),
+ "*", "CORS header present on Token response" );
+count(1);
+
$res = expectJSON($res);
my $token = $res->{access_token};
ok( $token, 'Access token present' );
count(1);
+
+ok(
+ $res = $op->_post(
+ "/oauth2/userinfo",
+ IO::String->new(""),
+ accept => 'text/html',
+ length => 0,
+ custom => {
+ HTTP_AUTHORIZATION => "Bearer " . $token,
+ },
+ ),
+ "post to userinfo",
+);
+count(1);
+ok( $res->[0] == 200, "Userinfo successful" );
+count(1);
+
+is( getHeader( $res, "Access-Control-Allow-Origin" ),
+ "*", "CORS header present on userinfo response" );
+count(1);
+
Time::Fake->offset("+2h");
ok(
@@ -224,6 +254,10 @@ count(1);
ok( $res->[0] == 401, "Access denied with expired token" );
count(1);
+is( getHeader( $res, "Access-Control-Allow-Origin" ),
+ "*", "CORS header present on userinfo error response" );
+count(1);
+
clean_sessions();
done_testing( count() );
diff --git a/rpm/lemonldap-ng.spec b/rpm/lemonldap-ng.spec
index a719a222c..cc13684f3 100644
--- a/rpm/lemonldap-ng.spec
+++ b/rpm/lemonldap-ng.spec
@@ -34,8 +34,8 @@
# Main package
#==============================================================================
Name: lemonldap-ng
-Version: 2.0.11
-Release: %{?pre_release:0.}2%{?pre_release:.%{pre_release}}%{?dist}
+Version: 2.0.12
+Release: %{?pre_release:0.}1%{?pre_release:.%{pre_release}}%{?dist}
Summary: LemonLDAP-NG WebSSO
License: GPLv2+
URL: http://lemonldap-ng.org
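Review bot: The new `ok( $res->[0] == 200, "Userinfo successful" )` only reports true/false on failure; `is( $res->[0], 200, "Userinfo successful" )` prints the status actually returned, which is what you need when a CORS or bearer-token regression has to be diagnosed from the test output alone. The `getHeader` checks around it already use `is`, so this also makes the added block consistent with itself.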
@@ -745,6 +745,9 @@ fi
# Changelog
#==============================================================================
%changelog
+* Thu Jul 22 2021 Clement Oudot - 2.0.12-1
+- Update to 2.0.12
+
* Wed Mar 17 2021 Xavier Bachelot - 2.0.11-2
- Add BR: make