Merge branch 'v2.0'
This commit is contained in:
commit
af63d55c08
12
COPYING
12
COPYING
|
@ -111,6 +111,18 @@ License: CC-3
|
|||
Comment: This work, "star1.png", is a derivative of
|
||||
"Golden star with red border.png" by ANGELUS, under CC-BYSA-3.0.
|
||||
|
||||
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_OFF.png
|
||||
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||
License: CC-4
|
||||
Comment: This work, "switchcontext_OFF.png", is a derivative of
|
||||
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
|
||||
|
||||
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_ON.png
|
||||
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||
License: CC-4
|
||||
Comment: This work, "switchcontext_ON.png", is a derivative of
|
||||
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
|
||||
|
||||
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/CustomAuth.png
|
||||
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||
License: CC-3
|
||||
|
|
|
@ -326,6 +326,8 @@ status = 0
|
|||
;hideSignature = 1
|
||||
; Set ServiceToken timeout
|
||||
;handlerServiceTokenTTL = 30
|
||||
; Set Impersonation/ContextSwitching prefix
|
||||
; impersonationPrefix = real_
|
||||
useRedirectOnError = 1
|
||||
|
||||
; Zimbra Handler parameters
|
||||
|
|
|
@ -24,7 +24,7 @@ use constant MANAGERSECTION => "manager";
|
|||
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
|
||||
use constant APPLYSECTION => "apply";
|
||||
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|orsEnabled|da)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs)|dbiDynamicHashEnabled|bruteForceProtection)$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|rest(?:(?:Session|Config)Server|ExportSecretKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs)|bruteForceProtection)$/;
|
||||
|
||||
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
|
||||
|
||||
|
|
|
@ -18,38 +18,41 @@ sub defaultValues {
|
|||
'authChoiceParam' => 'lmAuth',
|
||||
'authentication' => 'Demo',
|
||||
'available2F' => 'UTOTP,TOTP,U2F,REST,Mail2F,Ext2F,Yubikey',
|
||||
'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
|
||||
'bruteForceProtectionMaxAge' => 300,
|
||||
'bruteForceProtectionMaxFailed' => 3,
|
||||
'bruteForceProtectionTempo' => 30,
|
||||
'captcha_mail_enabled' => 1,
|
||||
'captcha_register_enabled' => 1,
|
||||
'captcha_size' => 6,
|
||||
'casAccessControlPolicy' => 'none',
|
||||
'casAuthnLevel' => 1,
|
||||
'checkTime' => 600,
|
||||
'checkUserHiddenAttributes' => '_loginHistory hGroups',
|
||||
'checkUserIdRule' => 1,
|
||||
'checkXSS' => 1,
|
||||
'confirmFormMethod' => 'post',
|
||||
'cookieName' => 'lemonldap',
|
||||
'corsAllow_Credentials' => 'true',
|
||||
'corsAllow_Headers' => '*',
|
||||
'corsAllow_Methods' => 'POST,GET',
|
||||
'corsAllow_Origin' => '*',
|
||||
'corsEnabled' => 1,
|
||||
'corsExpose_Headers' => '*',
|
||||
'corsMax_Age' => '86400',
|
||||
'cspConnect' => '\'self\'',
|
||||
'cspDefault' => '\'self\'',
|
||||
'cspFont' => '\'self\'',
|
||||
'cspFormAction' => '\'self\'',
|
||||
'cspImg' => '\'self\' data:',
|
||||
'cspScript' => '\'self\'',
|
||||
'cspStyle' => '\'self\'',
|
||||
'dbiAuthnLevel' => 2,
|
||||
'dbiExportedVars' => {},
|
||||
'demoExportedVars' => {
|
||||
'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
|
||||
'bruteForceProtectionMaxAge' => 300,
|
||||
'bruteForceProtectionMaxFailed' => 3,
|
||||
'bruteForceProtectionTempo' => 30,
|
||||
'captcha_mail_enabled' => 1,
|
||||
'captcha_register_enabled' => 1,
|
||||
'captcha_size' => 6,
|
||||
'casAccessControlPolicy' => 'none',
|
||||
'casAuthnLevel' => 1,
|
||||
'checkTime' => 600,
|
||||
'checkUserHiddenAttributes' => '_loginHistory hGroups',
|
||||
'checkUserIdRule' => 1,
|
||||
'checkXSS' => 1,
|
||||
'confirmFormMethod' => 'post',
|
||||
'contextSwitchingIdRule' => 1,
|
||||
'contextSwitchingRule' => 0,
|
||||
'contextSwitchingStopWithLogout' => 1,
|
||||
'cookieName' => 'lemonldap',
|
||||
'corsAllow_Credentials' => 'true',
|
||||
'corsAllow_Headers' => '*',
|
||||
'corsAllow_Methods' => 'POST,GET',
|
||||
'corsAllow_Origin' => '*',
|
||||
'corsEnabled' => 1,
|
||||
'corsExpose_Headers' => '*',
|
||||
'corsMax_Age' => '86400',
|
||||
'cspConnect' => '\'self\'',
|
||||
'cspDefault' => '\'self\'',
|
||||
'cspFont' => '\'self\'',
|
||||
'cspFormAction' => '\'self\'',
|
||||
'cspImg' => '\'self\' data:',
|
||||
'cspScript' => '\'self\'',
|
||||
'cspStyle' => '\'self\'',
|
||||
'dbiAuthnLevel' => 2,
|
||||
'dbiExportedVars' => {},
|
||||
'demoExportedVars' => {
|
||||
'cn' => 'cn',
|
||||
'mail' => 'mail',
|
||||
'uid' => 'uid'
|
||||
|
|
|
@ -47,6 +47,9 @@ Available actions:
|
|||
- set <key> <value> : set parameter(s) value(s)
|
||||
- addKey <key> <subkey> <value> : add or set a subkey in a parameter
|
||||
- delKey <key> <subkey> : delete subkey of a parameter
|
||||
- save : export configuration to STDOUT
|
||||
- restore - : import configuration from STDIN
|
||||
- restore <file> : import configuration from file
|
||||
|
||||
See Lemonldap::NG::Common::Cli(3) or Lemonldap::NG::Manager::CLi(3) for more
|
||||
};
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
# change 'tests => 1' to 'tests => last_test_to_print';
|
||||
|
||||
use Test::More tests => 22;
|
||||
use Test::More tests => 21;
|
||||
use Digest::MD5 qw(md5 md5_hex md5_base64);
|
||||
use strict;
|
||||
|
||||
|
@ -31,10 +31,7 @@ foreach my $i ( 1 .. 17 ) {
|
|||
$s = join( '', map { chr( int( rand(94) ) + 33 ) } ( 1 .. $i ) );
|
||||
ok( $c->decrypt( $c->encrypt($s) ) eq $s,
|
||||
"Test of base64 encrypting with $i characters string" )
|
||||
or diag "Source: $s\nCypher: "
|
||||
. $c->encrypt($s)
|
||||
. "\nUncipher:"
|
||||
. $c->decrypt( $c->encrypt($s) );
|
||||
or diagErr( $s, $c->decrypt( $c->encrypt($s) ), $c->encrypt($s) );
|
||||
}
|
||||
|
||||
my $data = md5_hex(rand);
|
||||
|
@ -42,13 +39,23 @@ my $secondKey = md5(rand);
|
|||
ok(
|
||||
$c->decryptHex( $c->encryptHex( $data, $secondKey ), $secondKey ) eq $data,
|
||||
"Test of hexadecimal encrypting"
|
||||
);
|
||||
)
|
||||
or diagErr(
|
||||
$data,
|
||||
$c->decryptHex( $c->encryptHex( $data, $secondKey ), $secondKey ),
|
||||
$c->encryptHex( $data, $secondKey )
|
||||
);
|
||||
|
||||
# Test a long value, and replace carriage return by %0A
|
||||
my $long = "f5a1f72e7ab2f7712855a068af0066f36bfcf2c87e6feb9cf4200da1868e1dfe";
|
||||
my $long = Lemonldap::NG::Common::Crypto::srandom()->randpattern( "s" x 1000 );
|
||||
ok( $c->decrypt( $c->encrypt($long) ) eq $long,
|
||||
"Test of long value encrypting" );
|
||||
ok(
|
||||
$c->decryptHex( $c->encryptHex($long) ) eq $long,
|
||||
"Test of long value encrypting (hex)"
|
||||
);
|
||||
"Test of long value encrypting" )
|
||||
or diagErr(
|
||||
$long,
|
||||
$c->decryptHex( $c->encryptHex($long) ),
|
||||
$c->encryptHex($long)
|
||||
);
|
||||
|
||||
sub diagErr {
|
||||
diag "Expect: $_[0]\nGet : $_[1]\nCipher: $_[2]";
|
||||
}
|
||||
|
|
|
@ -208,6 +208,7 @@ t/11-save-changed-conf-with-confirmation.t
|
|||
t/12-save-changed-conf.t
|
||||
t/14-bad-changes-in-conf.t
|
||||
t/15-combination.t
|
||||
t/16-cli.t
|
||||
t/20-test-coverage.t
|
||||
t/40-sessions.t
|
||||
t/50-notifications-DBI.t
|
||||
|
|
|
@ -926,6 +926,21 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
],
|
||||
'type' => 'select'
|
||||
},
|
||||
'contextSwitchingIdRule' => {
|
||||
'default' => 1,
|
||||
'test' => sub {
|
||||
return perlExpr(@_);
|
||||
},
|
||||
'type' => 'text'
|
||||
},
|
||||
'contextSwitchingRule' => {
|
||||
'default' => 0,
|
||||
'type' => 'boolOrExpr'
|
||||
},
|
||||
'contextSwitchingStopWithLogout' => {
|
||||
'default' => 1,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'cookieExpiration' => {
|
||||
'type' => 'int'
|
||||
},
|
||||
|
@ -1083,6 +1098,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'test' => qr/^[a-zA-Z][a-zA-Z0-9_:\-]*$/,
|
||||
'type' => 'keyTextContainer'
|
||||
},
|
||||
'disablePersistentStorage' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'domain' => {
|
||||
'default' => 'example.com',
|
||||
'msgFail' => '__badDomainName__',
|
||||
|
|
|
@ -479,12 +479,14 @@ sub attributes {
|
|||
type => 'boolOrExpr',
|
||||
default => 0,
|
||||
documentation => 'Impersonation activation rule',
|
||||
flags => 'p',
|
||||
},
|
||||
impersonationIdRule => {
|
||||
type => 'text',
|
||||
test => sub { return perlExpr(@_) },
|
||||
default => 1,
|
||||
documentation => 'Impersonation identities rule',
|
||||
flags => 'p',
|
||||
},
|
||||
impersonationHiddenAttributes => {
|
||||
type => 'text',
|
||||
|
@ -498,6 +500,25 @@ sub attributes {
|
|||
documentation => 'Skip session empty values',
|
||||
flags => 'p',
|
||||
},
|
||||
contextSwitchingRule => {
|
||||
type => 'boolOrExpr',
|
||||
default => 0,
|
||||
documentation => 'Context switching activation rule',
|
||||
flags => 'p',
|
||||
},
|
||||
contextSwitchingIdRule => {
|
||||
type => 'text',
|
||||
test => sub { return perlExpr(@_) },
|
||||
default => 1,
|
||||
documentation => 'Context switching identities rule',
|
||||
flags => 'p',
|
||||
},
|
||||
contextSwitchingStopWithLogout => {
|
||||
type => 'bool',
|
||||
default => 1,
|
||||
documentation => 'Stop context switching by logout',
|
||||
flags => 'p',
|
||||
},
|
||||
skipRenewConfirmation => {
|
||||
type => 'bool',
|
||||
default => 0,
|
||||
|
@ -1134,7 +1155,11 @@ sub attributes {
|
|||
keyMsgFail => '__invalidSessionData__',
|
||||
documentation => 'Data to remember in login history',
|
||||
},
|
||||
|
||||
disablePersistentStorage => {
|
||||
default => 0,
|
||||
type => 'bool',
|
||||
documentation => 'Enabled persistent storage',
|
||||
},
|
||||
# SAML issuer
|
||||
issuerDBSAMLActivation => {
|
||||
default => 0,
|
||||
|
|
|
@ -554,9 +554,11 @@ sub tree {
|
|||
{
|
||||
title => 'persistentSessions',
|
||||
nodes => [
|
||||
'persistentStorage', 'persistentStorageOptions'
|
||||
'disablePersistentStorage',
|
||||
'persistentStorage',
|
||||
'persistentStorageOptions'
|
||||
]
|
||||
}
|
||||
},
|
||||
]
|
||||
},
|
||||
{
|
||||
|
@ -669,12 +671,22 @@ sub tree {
|
|||
nodes => [
|
||||
'impersonationRule',
|
||||
'impersonationIdRule',
|
||||
'impersonationPrefix',
|
||||
'impersonationHiddenAttributes',
|
||||
'impersonationSkipEmptyValues',
|
||||
'impersonationMergeSSOgroups',
|
||||
]
|
||||
},
|
||||
{
|
||||
title => 'contextSwitching',
|
||||
help => 'contextswitching.html',
|
||||
form => 'simpleInputContainer',
|
||||
nodes => [
|
||||
'contextSwitchingRule',
|
||||
'contextSwitchingIdRule',
|
||||
'contextSwitchingStopWithLogout',
|
||||
#'contextSwitchingHiddenAttributes',
|
||||
]
|
||||
},
|
||||
]
|
||||
},
|
||||
{
|
||||
|
|
|
@ -203,15 +203,20 @@ sub save {
|
|||
|
||||
sub restore {
|
||||
my ( $self, $file ) = @_;
|
||||
unless ($file) {
|
||||
die "No file provided. Aborting";
|
||||
}
|
||||
require IO::String;
|
||||
my $conf;
|
||||
if ( $file eq '-' ) {
|
||||
$conf = join '', <STDIN>;
|
||||
}
|
||||
else {
|
||||
open my $f, $file;
|
||||
die "Unable to read $file" unless ( -r $file );
|
||||
open( my $f, $file ) or die $!;
|
||||
$conf = join '', <$f>;
|
||||
close $f;
|
||||
die "Empty or malformed file $file" unless ( $conf =~ /\w/s );
|
||||
}
|
||||
my $res = $self->_post( '/confs/raw', '', IO::String->new($conf),
|
||||
'application/json', length($conf) );
|
||||
|
|
|
@ -643,16 +643,37 @@ sub tests {
|
|||
return 1;
|
||||
},
|
||||
|
||||
# Warn if Impersonation is enabled without prefix
|
||||
impersonationPrefix => sub {
|
||||
return 1 unless ( $conf->{impersonationRule} );
|
||||
# Warn if Impersonation and ContextSwitching are simultaneously enabled
|
||||
impersonation => sub {
|
||||
return ( 1,
|
||||
"Impersonation is enabled without real attributes prefix" )
|
||||
unless ( $conf->{impersonationPrefix} );
|
||||
"Impersonation and ContextSwitching are simultaneously enabled" )
|
||||
if ( $conf->{impersonationRule} && $conf->{contextSwitchingRule} );
|
||||
|
||||
# Return
|
||||
return 1;
|
||||
},
|
||||
|
||||
# Warn if persistent storage is disabled with 2FA, History, OIDCConsents and Notifications
|
||||
persistentStorage => sub {
|
||||
return 1 unless ( $conf->{disablePersistentStorage} );
|
||||
return ( 1, "2FA enabled WITHOUT persistent session storage" )
|
||||
if ( $conf->{totp2fActivation}
|
||||
|| $conf->{yubikey2fActivation}
|
||||
|| $conf->{u2fActivation}
|
||||
|| $conf->{utotp2fActivation} );
|
||||
return ( 1, "History enabled WITHOUT persistent session storage" )
|
||||
if ( $conf->{loginHistoryEnabled} );
|
||||
return ( 1,
|
||||
"OIDC consents enabled WITHOUT persistent session storage" )
|
||||
if ( $conf->{portalDisplayOidcConsents} );
|
||||
return ( 1,
|
||||
"Notifications enabled WITHOUT persistent session storage" )
|
||||
if ( $conf->{notification} );
|
||||
|
||||
# Return
|
||||
return 1;
|
||||
},
|
||||
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -140,6 +140,11 @@
|
|||
"categoryName":"اسم الفئة",
|
||||
"cda":"نطاقات متعددة",
|
||||
"contentSecurityPolicy":"السياسة الأمنية للمحتوى",
|
||||
"contextSwitching":"Switch context anoter user",
|
||||
"contextSwitchingHiddenAttributes":"Hidden attributes",
|
||||
"contextSwitchingIdRule":"Identities use rule",
|
||||
"contextSwitchingRule":"استخدام القاعدة",
|
||||
"contextSwitchingStopWithLogout":"Stop by logout",
|
||||
"cspDefault":"القيمة الاعتيادية ",
|
||||
"cspFormAction":"Form destinations",
|
||||
"cspImg":"مصدر الصورة",
|
||||
|
@ -253,6 +258,7 @@
|
|||
"emptyConf":"إعدادات فارغة",
|
||||
"emptyValueNotAllowed":"القيمة الفارغة غير مسموح بها",
|
||||
"enabled":"مفعلة",
|
||||
"disablePersistentStorage":"Disable storage",
|
||||
"enterPassword":"أدخل كلمة المرور (اختياري)",
|
||||
"error":"خطأ",
|
||||
"errors":"ERRORS",
|
||||
|
@ -307,7 +313,6 @@
|
|||
"impersonationIdRule":"Identities use rule",
|
||||
"impersonationHiddenAttributes":"السمات المخفية",
|
||||
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
|
||||
"impersonationPrefix":"Real attributes prefix",
|
||||
"impersonationSkipEmptyValues":"Skip empty values",
|
||||
"incompleteForm":"الحقول المطلوبة مفقودة",
|
||||
"index":"فهرس",
|
||||
|
|
|
@ -140,6 +140,11 @@
|
|||
"categoryName":"Category name",
|
||||
"cda":"Mehrere Domains",
|
||||
"contentSecurityPolicy":"Content security policy",
|
||||
"contextSwitching":"Switch context anoter user",
|
||||
"contextSwitchingHiddenAttributes":"Hidden attributes",
|
||||
"contextSwitchingIdRule":"Identities use rule",
|
||||
"contextSwitchingRule":"Use rule",
|
||||
"contextSwitchingStopWithLogout":"Stop by logout",
|
||||
"cspDefault":"Default value",
|
||||
"cspFormAction":"Form destinations",
|
||||
"cspImg":"Image source",
|
||||
|
@ -252,6 +257,7 @@
|
|||
"emptyConf":"Empty configuration",
|
||||
"emptyValueNotAllowed":"Empty value not allowed",
|
||||
"enabled":"Aktiviert",
|
||||
"disablePersistentStorage":"Disable storage",
|
||||
"enterPassword":"Enter password (optional)",
|
||||
"error":"Error",
|
||||
"errors":"ERRORS",
|
||||
|
@ -306,7 +312,6 @@
|
|||
"impersonationIdRule":"Identities use rule",
|
||||
"impersonationHiddenAttributes":"Hidden attributes",
|
||||
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
|
||||
"impersonationPrefix":"Real attributes prefix",
|
||||
"impersonationSkipEmptyValues":"Skip empty values",
|
||||
"incompleteForm":"Required fields are missing",
|
||||
"index":"Index",
|
||||
|
|
|
@ -140,6 +140,11 @@
|
|||
"categoryName":"Category name",
|
||||
"cda":"Multiple domains",
|
||||
"contentSecurityPolicy":"Content security policy",
|
||||
"contextSwitching":"Switch context anoter user",
|
||||
"contextSwitchingHiddenAttributes":"Hidden attributes",
|
||||
"contextSwitchingIdRule":"Identities use rule",
|
||||
"contextSwitchingRule":"Use rule",
|
||||
"contextSwitchingStopWithLogout":"Stop by logout",
|
||||
"cspDefault":"Default value",
|
||||
"cspFormAction":"Form destinations",
|
||||
"cspImg":"Image source",
|
||||
|
@ -252,6 +257,7 @@
|
|||
"emptyConf":"Empty configuration",
|
||||
"emptyValueNotAllowed":"Empty value not allowed",
|
||||
"enabled":"Enabled",
|
||||
"disablePersistentStorage":"Disable storage",
|
||||
"enterPassword":"Enter password (optional)",
|
||||
"error":"Error",
|
||||
"errors":"ERRORS",
|
||||
|
@ -306,7 +312,6 @@
|
|||
"impersonationIdRule":"Identities use rule",
|
||||
"impersonationHiddenAttributes":"Hidden attributes",
|
||||
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
|
||||
"impersonationPrefix":"Real attributes prefix",
|
||||
"impersonationSkipEmptyValues":"Skip empty values",
|
||||
"incompleteForm":"Required fields are missing",
|
||||
"index":"Index",
|
||||
|
|
|
@ -140,6 +140,11 @@
|
|||
"categoryName":"Nom de la catégorie",
|
||||
"cda":"Domaines multiples",
|
||||
"contentSecurityPolicy":"Politique de sécurité de contenu",
|
||||
"contextSwitching":"Endossement d'identité",
|
||||
"contextSwitchingHiddenAttributes":"Attributs masqués",
|
||||
"contextSwitchingIdRule":"Règle d'utilisation des identités",
|
||||
"contextSwitchingRule":"Règle d'utilisation",
|
||||
"contextSwitchingStopWithLogout":"Arrêt par déconnexion",
|
||||
"cspDefault":"Valeur par défaut",
|
||||
"cspFormAction":"Destinations des formulaires",
|
||||
"cspImg":"Sources des images",
|
||||
|
@ -252,6 +257,7 @@
|
|||
"emptyConf":"Configuration vide",
|
||||
"emptyValueNotAllowed":"Valeur nulle non accordé",
|
||||
"enabled":"Activé",
|
||||
"disablePersistentStorage":"Désactiver le stockage",
|
||||
"enterPassword":"Entrer le mot de passe (optionnel)",
|
||||
"error":"Erreur",
|
||||
"errors":"ERREURS",
|
||||
|
@ -306,7 +312,6 @@
|
|||
"impersonationIdRule":"Règle d'utilisation des identités",
|
||||
"impersonationHiddenAttributes":"Attributs masqués",
|
||||
"impersonationMergeSSOgroups":"Fusionner les groupes SSO réels et usurpés",
|
||||
"impersonationPrefix":"Préfix des vrais attributs",
|
||||
"impersonationSkipEmptyValues":"Ignorer les valeurs nulles",
|
||||
"incompleteForm":"Des champs requis manquent",
|
||||
"index":"Index",
|
||||
|
|
|
@ -140,6 +140,11 @@
|
|||
"categoryName":"Nome della categoria",
|
||||
"cda":"Domini multipli",
|
||||
"contentSecurityPolicy":"Politica di protezione dei contenuti",
|
||||
"contextSwitching":"Switch context anoter user",
|
||||
"contextSwitchingHiddenAttributes":"Hidden attributes",
|
||||
"contextSwitchingIdRule":"Identities use rule",
|
||||
"contextSwitchingRule":"Utilizza la regola",
|
||||
"contextSwitchingStopWithLogout":"Stop by logout",
|
||||
"cspDefault":"Valore di default",
|
||||
"cspFormAction":"Formare le destinazioni",
|
||||
"cspImg":"Origine immagine",
|
||||
|
@ -252,6 +257,7 @@
|
|||
"emptyConf":"Configurazione vuota",
|
||||
"emptyValueNotAllowed":"Valore vuoto non consentito",
|
||||
"enabled":"Abilitato",
|
||||
"disablePersistentStorage":"Disable storage",
|
||||
"enterPassword":"Inserisci password (opzionale)",
|
||||
"error":"Errore",
|
||||
"errors":"ERRORI",
|
||||
|
@ -306,7 +312,6 @@
|
|||
"impersonationIdRule":"Le identità usano la regola",
|
||||
"impersonationHiddenAttributes":"Attributi nascosti",
|
||||
"impersonationMergeSSOgroups":"Unisci gruppi SSO usurpati e reali",
|
||||
"impersonationPrefix":"Prefisso degli attributi reali",
|
||||
"impersonationSkipEmptyValues":"Salta valori vuoti",
|
||||
"incompleteForm":"Mancano campi obbligatori",
|
||||
"index":"Indice",
|
||||
|
|
|
@ -140,6 +140,11 @@
|
|||
"categoryName":"Tên thể loại",
|
||||
"cda":"Nhiều tên miền",
|
||||
"contentSecurityPolicy":"Chính sách bảo mật nội dung",
|
||||
"contextSwitching":"Switch context anoter user",
|
||||
"contextSwitchingHiddenAttributes":"Hidden attributes",
|
||||
"contextSwitchingIdRule":"Identities use rule",
|
||||
"contextSwitchingRule":"Quy tắc sử dụng",
|
||||
"contextSwitchingStopWithLogout":"Stop by logout",
|
||||
"cspDefault":"Giá trị mặc định",
|
||||
"cspFormAction":"Form destinations",
|
||||
"cspImg":"Nguồn ảnh",
|
||||
|
@ -252,6 +257,7 @@
|
|||
"emptyConf":"Cấu hình trống rỗng",
|
||||
"emptyValueNotAllowed":"Không cho phép giá trị trống",
|
||||
"enabled":"Đã bật",
|
||||
"disablePersistentStorage":"Disable storage",
|
||||
"enterPassword":"Nhập mật khẩu (tùy chọn)",
|
||||
"error":"Lỗi",
|
||||
"errors":"ERRORS",
|
||||
|
@ -306,7 +312,6 @@
|
|||
"impersonationIdRule":"Identities use rule",
|
||||
"impersonationHiddenAttributes":"Thuộc tính ẩn",
|
||||
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
|
||||
"impersonationPrefix":"Real attributes prefix",
|
||||
"impersonationSkipEmptyValues":"Skip empty values",
|
||||
"incompleteForm":"Các trường bắt buộc bị thiếu",
|
||||
"index":"Chỉ mục",
|
||||
|
|
|
@ -140,6 +140,11 @@
|
|||
"categoryName":"分类名称",
|
||||
"cda":"Multiple domains",
|
||||
"contentSecurityPolicy":"Content security policy",
|
||||
"contextSwitching":"Switch context anoter user",
|
||||
"contextSwitchingHiddenAttributes":"Hidden attributes",
|
||||
"contextSwitchingIdRule":"Identities use rule",
|
||||
"contextSwitchingRule":"Use rule",
|
||||
"contextSwitchingStopWithLogout":"Stop by logout",
|
||||
"cspDefault":"Default value",
|
||||
"cspFormAction":"Form destinations",
|
||||
"cspImg":"Image source",
|
||||
|
@ -252,6 +257,7 @@
|
|||
"emptyConf":"Empty configuration",
|
||||
"emptyValueNotAllowed":"Empty value not allowed",
|
||||
"enabled":"开启",
|
||||
"disablePersistentStorage":"Disable storage",
|
||||
"enterPassword":"输入密码(可选)",
|
||||
"error":"错误",
|
||||
"errors":"ERRORS",
|
||||
|
@ -306,7 +312,6 @@
|
|||
"impersonationIdRule":"Identities use rule",
|
||||
"impersonationHiddenAttributes":"Hidden attributes",
|
||||
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
|
||||
"impersonationPrefix":"Real attributes prefix",
|
||||
"impersonationSkipEmptyValues":"Skip empty values",
|
||||
"incompleteForm":"Required fields are missing",
|
||||
"index":"Index",
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,38 @@
|
|||
my $tests;
|
||||
|
||||
BEGIN { $tests = 5 }
|
||||
|
||||
use Test::More tests => $tests;
|
||||
use JSON;
|
||||
use strict;
|
||||
|
||||
use_ok('Lemonldap::NG::Common::Cli');
|
||||
use_ok('Lemonldap::NG::Manager::Cli');
|
||||
&cleanConfFiles;
|
||||
|
||||
SKIP: {
|
||||
eval 'use Test::Output;';
|
||||
if ($@) {
|
||||
skip 'Test::Output is missing, skipping', $tests - 2;
|
||||
}
|
||||
my @cmd;
|
||||
@cmd = ('save');
|
||||
my $client =
|
||||
Lemonldap::NG::Manager::Cli->new( iniFile => 't/lemonldap-ng.ini' );
|
||||
my $res = Capture::Tiny::capture_stdout( sub { $client->run(@cmd) } );
|
||||
ok( $res =~ /^\s*(\{.*\})\s*$/s, '"save" result looks like JSON' );
|
||||
eval { JSON::from_json($res) };
|
||||
ok( not($@), ' result is JSON' ) or diag "error: $@";
|
||||
close STDIN;
|
||||
open STDIN, '<', \$res;
|
||||
@cmd = ( 'restore', '-' );
|
||||
Test::Output::combined_like( sub { $client->run(@cmd) },
|
||||
qr/"cfgNum"\s*:\s*"2"/s, 'New config: 2' );
|
||||
}
|
||||
&cleanConfFiles;
|
||||
|
||||
sub cleanConfFiles {
|
||||
foreach ( 2 .. $tests - 3 ) {
|
||||
unlink "t/conf/lmConf-$_.json";
|
||||
}
|
||||
}
|
|
@ -55,7 +55,7 @@ my @notManagedAttributes = (
|
|||
'configStorage', 'status', 'localStorageOptions', 'localStorage',
|
||||
'max2FDevices', 'max2FDevicesNameLength', 'checkTime',
|
||||
'mySessionAuthorizedRWKeys', 'handlerInternalCache',
|
||||
'handlerServiceTokenTTL'
|
||||
'handlerServiceTokenTTL', 'impersonationPrefix'
|
||||
);
|
||||
|
||||
# Words used either as attribute name and node title
|
||||
|
|
|
@ -1348,6 +1348,12 @@
|
|||
"id": "persistentSessions",
|
||||
"title": "persistentSessions",
|
||||
"nodes": [{
|
||||
"default": 0,
|
||||
"id": "disablePersistentStorage",
|
||||
"title": "disablePersistentStorage",
|
||||
"type": "bool",
|
||||
"data": 0
|
||||
}, {
|
||||
"id": "persistentStorage",
|
||||
"title": "persistentStorage",
|
||||
"data": "Apache::Session::File"
|
||||
|
|
|
@ -1348,6 +1348,12 @@
|
|||
"id": "persistentSessions",
|
||||
"title": "persistentSessions",
|
||||
"nodes": [{
|
||||
"default": 0,
|
||||
"id": "disablePersistentStorage",
|
||||
"title": "disablePersistentStorage",
|
||||
"type": "bool",
|
||||
"data": 0
|
||||
}, {
|
||||
"id": "persistentStorage",
|
||||
"title": "persistentStorage",
|
||||
"data": "Apache::Session::File"
|
||||
|
|
|
@ -102,6 +102,7 @@ lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm
|
|||
lib/Lemonldap/NG/Portal/Plugins/CDA.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/FavApps.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/ForceAuthn.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm
|
||||
|
@ -262,6 +263,8 @@ site/htdocs/static/common/icons/ok.png
|
|||
site/htdocs/static/common/icons/sfa_manager.png
|
||||
site/htdocs/static/common/icons/star0.png
|
||||
site/htdocs/static/common/icons/star1.png
|
||||
site/htdocs/static/common/icons/switchcontext_OFF.png
|
||||
site/htdocs/static/common/icons/switchcontext_ON.png
|
||||
site/htdocs/static/common/icons/vcard_edit.png
|
||||
site/htdocs/static/common/icons/warning.png
|
||||
site/htdocs/static/common/it.png
|
||||
|
@ -339,6 +342,7 @@ site/templates/bootstrap/checklogins.tpl
|
|||
site/templates/bootstrap/checkuser.tpl
|
||||
site/templates/bootstrap/choice.tpl
|
||||
site/templates/bootstrap/confirm.tpl
|
||||
site/templates/bootstrap/contextSwitching.tpl
|
||||
site/templates/bootstrap/customfooter.tpl
|
||||
site/templates/bootstrap/customhead.tpl
|
||||
site/templates/bootstrap/customheader.tpl
|
||||
|
@ -499,6 +503,7 @@ t/37-SAML-SP-GET-to-OIDC-OP.t
|
|||
t/37-SAML-SP-POST-to-CAS-server-with-Choice.t
|
||||
t/37-SAML-SP-POST-to-CAS-server.t
|
||||
t/37-SAML-SP-POST-to-OIDC-OP.t
|
||||
t/38-No-persistent-session.t
|
||||
t/40-Notifications-JSON-DBI.t
|
||||
t/40-Notifications-JSON-File-with-token.t
|
||||
t/40-Notifications-JSON-File.t
|
||||
|
@ -544,6 +549,8 @@ t/67-CheckUser-with-Global-token.t
|
|||
t/67-CheckUser-with-issuer-SAML-POST.t
|
||||
t/67-CheckUser-with-token.t
|
||||
t/67-CheckUser.t
|
||||
t/68-ContextSwitching-with-Logout.t
|
||||
t/68-ContextSwitching.t
|
||||
t/68-Impersonation-with-doubleCookies.t
|
||||
t/68-Impersonation-with-filtered-merge.t
|
||||
t/68-Impersonation-with-History.t
|
||||
|
|
|
@ -119,6 +119,16 @@ sub params {
|
|||
$self->p->_sfEngine->display2fRegisters( $req, $req->userData );
|
||||
$self->logger->debug("Display 2fRegisters link") if $res{sfaManager};
|
||||
|
||||
# Display ContextSwitching link only if allowed
|
||||
my $cswPlugin = $self->p->loadedModules->{
|
||||
'Lemonldap::NG::Portal::Plugins::ContextSwitching'};
|
||||
$res{contextSwitching} =
|
||||
$cswPlugin
|
||||
? $cswPlugin->displaySwitchContext( $req, $req->userData )
|
||||
: '';
|
||||
$self->logger->debug("Display SwitchContext link -> $res{contextSwitching}")
|
||||
if $res{contextSwitching};
|
||||
|
||||
return %res;
|
||||
}
|
||||
|
||||
|
|
|
@ -28,6 +28,7 @@ our @pList = (
|
|||
checkUser => '::Plugins::CheckUser',
|
||||
impersonationRule => '::Plugins::Impersonation',
|
||||
portalDisplayFavApps => '::Plugins::FavApps',
|
||||
contextSwitchingRule => '::Plugins::ContextSwitching',
|
||||
);
|
||||
|
||||
##@method list enabledPlugins
|
||||
|
|
|
@ -405,7 +405,7 @@ sub getApacheSession {
|
|||
sub getPersistentSession {
|
||||
my ( $self, $uid, $info ) = @_;
|
||||
|
||||
return unless defined $uid;
|
||||
return unless ( defined $uid and !$self->conf->{disablePersistentStorage} );
|
||||
|
||||
# Compute persistent identifier
|
||||
my $pid = $self->_md5hash($uid);
|
||||
|
@ -452,7 +452,8 @@ sub updatePersistentSession {
|
|||
my ( $self, $req, $infos, $uid, $id ) = @_;
|
||||
|
||||
# Return if no infos to update
|
||||
return () unless ( ref $infos eq 'HASH' and %$infos );
|
||||
return () unless ( ref $infos eq 'HASH' and %$infos and !$self->conf->{disablePersistentStorage} );
|
||||
|
||||
$uid ||= $req->{sessionInfo}->{ $self->conf->{whatToTrace} }
|
||||
|| $req->userData->{ $self->conf->{whatToTrace} };
|
||||
$self->logger->debug("Found 'whatToTrace' -> $uid");
|
||||
|
|
|
@ -29,6 +29,7 @@ has ott => (
|
|||
}
|
||||
);
|
||||
has idRule => ( is => 'rw', default => sub { 1 } );
|
||||
has sorted => ( is => 'rw', default => sub { 0 } );
|
||||
|
||||
sub hAttr {
|
||||
$_[0]->{conf}->{checkUserHiddenAttributes} . ' '
|
||||
|
@ -52,7 +53,8 @@ sub init {
|
|||
return 0;
|
||||
}
|
||||
$self->idRule($rule);
|
||||
|
||||
$self->sorted( $self->conf->{impersonationRule}
|
||||
|| $self->conf->{contextSwitchingRule} );
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -430,7 +432,7 @@ sub _splitAttributes {
|
|||
}
|
||||
|
||||
# Sort real and spoofed attributes if required
|
||||
if ( $self->conf->{impersonationRule} ) {
|
||||
if ( $self->sorted ) {
|
||||
$self->logger->debug('Dispatching real and spoofed attributes...');
|
||||
my ( $realAttrs, $spoofedAttrs ) = ( [], [] );
|
||||
my $prefix = "$self->{conf}->{impersonationPrefix}";
|
||||
|
|
|
@ -0,0 +1,227 @@
|
|||
package Lemonldap::NG::Portal::Plugins::ContextSwitching;
|
||||
|
||||
use strict;
|
||||
use Mouse;
|
||||
use Lemonldap::NG::Portal::Main::Constants
|
||||
qw( PE_OK PE_REDIRECT PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED PE_MALFORMEDUSER );
|
||||
|
||||
our $VERSION = '2.0.6';
|
||||
|
||||
extends
|
||||
qw(Lemonldap::NG::Portal::Main::Plugin Lemonldap::NG::Portal::Lib::_tokenRule);
|
||||
|
||||
# INITIALIZATION
|
||||
|
||||
has ott => (
|
||||
is => 'rw',
|
||||
lazy => 1,
|
||||
default => sub {
|
||||
my $ott =
|
||||
$_[0]->{p}->loadModule('Lemonldap::NG::Portal::Lib::OneTimeToken');
|
||||
$ott->timeout( $_[0]->{conf}->{formTimeout} );
|
||||
return $ott;
|
||||
}
|
||||
);
|
||||
has rule => ( is => 'rw', default => sub { 1 } );
|
||||
has idRule => ( is => 'rw', default => sub { 1 } );
|
||||
|
||||
sub init {
|
||||
my ($self) = @_;
|
||||
my $hd = $self->p->HANDLER;
|
||||
$self->addAuthRoute( switchcontext => 'run', ['POST'] );
|
||||
$self->addAuthRoute( switchcontext => 'display', ['GET'] );
|
||||
|
||||
# Parse activation rule
|
||||
$self->logger->debug(
|
||||
'ContextSwitching rule -> ' . $self->conf->{contextSwitchingRule} );
|
||||
my $rule =
|
||||
$hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingRule} ) );
|
||||
unless ($rule) {
|
||||
$self->error(
|
||||
'Bad contextSwitching rule -> ' . $hd->tsv->{jail}->error );
|
||||
return 0;
|
||||
}
|
||||
$self->rule($rule);
|
||||
|
||||
# Parse identity rule
|
||||
$self->logger->debug( "ContextSwitching identities rule -> "
|
||||
. $self->conf->{contextSwitchingIdRule} );
|
||||
$rule =
|
||||
$hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingIdRule} ) );
|
||||
unless ($rule) {
|
||||
$self->error( "Bad contextSwitching identities rule -> "
|
||||
. $hd->tsv->{jail}->error );
|
||||
return 0;
|
||||
}
|
||||
$self->idRule($rule);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
# RUNNING METHOD
|
||||
|
||||
sub display {
|
||||
my ( $self, $req ) = @_;
|
||||
|
||||
# Check access rules
|
||||
unless ( $self->rule->( $req, $req->userData )
|
||||
|| $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"} )
|
||||
{
|
||||
$self->userLogger->error('Context switching service not authorized');
|
||||
return $self->p->do( $req,
|
||||
[ sub { PE_IMPERSONATION_SERVICE_NOT_ALLOWED } ] );
|
||||
}
|
||||
|
||||
if ( $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"} ) {
|
||||
$self->logger->debug('Request to stop ContextSwitching');
|
||||
if ( $self->conf->{contextSwitchingStopWithLogout} ) {
|
||||
$self->logger->debug('Send logout request');
|
||||
return $self->p->do( $req,
|
||||
[ @{ $self->p->beforeLogout }, 'authLogout', 'deleteSession' ]
|
||||
);
|
||||
}
|
||||
else {
|
||||
$req = $self->_abortImpersonation( $req, 0 );
|
||||
$self->p->updateSession( $req, $req->userData );
|
||||
return $self->p->do( $req, [ sub { PE_REDIRECT } ] );
|
||||
}
|
||||
}
|
||||
|
||||
# Display form
|
||||
my $params = {
|
||||
PORTAL => $self->conf->{portal},
|
||||
MAIN_LOGO => $self->conf->{portalMainLogo},
|
||||
LANGS => $self->conf->{showLanguages},
|
||||
MSG => 'contextSwitching_ON',
|
||||
ALERTE => 'alert-danger',
|
||||
LOGIN => '',
|
||||
SPOOFID => $self->conf->{contextSwitchingRule},
|
||||
TOKEN => (
|
||||
$self->ottRule->( $req, {} )
|
||||
? $self->ott->createToken()
|
||||
: ''
|
||||
)
|
||||
};
|
||||
|
||||
return $self->p->sendHtml( $req, 'contextSwitching', params => $params, );
|
||||
}
|
||||
|
||||
sub run {
|
||||
my ( $self, $req ) = @_;
|
||||
my $statut = PE_OK;
|
||||
my $spoofId = $req->param('spoofId') || ''; # ContextSwitching required ?
|
||||
|
||||
# Check activation rule
|
||||
unless ( $self->rule->( $req, $req->userData ) ) {
|
||||
$self->userLogger->warn('Context switching service not authorized');
|
||||
$spoofId = '';
|
||||
return $self->p->do( $req,
|
||||
[ sub { PE_IMPERSONATION_SERVICE_NOT_ALLOWED } ] );
|
||||
}
|
||||
|
||||
# ContextSwitching required -> Check user Id
|
||||
if ( $spoofId && $spoofId ne $req->{user} ) {
|
||||
$self->logger->debug("Spoof Id: $spoofId");
|
||||
unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
|
||||
$self->userLogger->warn('Malformed spoofed Id');
|
||||
$self->logger->debug(
|
||||
"Context switching tried with spoofed Id: $spoofId");
|
||||
return $self->p->do( $req, [ sub { PE_MALFORMEDUSER } ] );
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->logger->debug("No context switching required");
|
||||
$req->urldc( $self->conf->{portal} );
|
||||
return $self->p->do( $req, [ sub { PE_OK } ] );
|
||||
}
|
||||
|
||||
# Create spoofed session
|
||||
$req = $self->_switchContext( $req, $spoofId );
|
||||
if ( $req->error ) {
|
||||
if ( $req->error == PE_BADCREDENTIALS ) {
|
||||
$statut = PE_MALFORMEDUSER;
|
||||
}
|
||||
else {
|
||||
$statut = $req->error;
|
||||
}
|
||||
}
|
||||
|
||||
# Main session
|
||||
$self->p->updateSession( $req, $req->sessionInfo );
|
||||
return $self->p->do( $req, [ sub { $statut } ] );
|
||||
}
|
||||
|
||||
sub _switchContext {
|
||||
my ( $self, $req, $spoofId ) = @_;
|
||||
my $realSessionId = $req->userData->{_session_id};
|
||||
my $raz = 0;
|
||||
$req->{user} = $spoofId;
|
||||
|
||||
# Search user in database & create session
|
||||
$req->steps( [ 'getUser', $self->p->sessionData, 'buildCookie' ] );
|
||||
if ( my $error = $self->p->process($req) ) {
|
||||
if ( $error == PE_BADCREDENTIALS ) {
|
||||
$self->userLogger->warn(
|
||||
'ContextSwitching requested for an unvalid user ('
|
||||
. $req->{user}
|
||||
. ")" );
|
||||
}
|
||||
$self->logger->debug("Process returned error: $error");
|
||||
$req->error($error);
|
||||
$raz = 1;
|
||||
}
|
||||
|
||||
# Check identity rule if ContextSwitching required
|
||||
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->warn(
|
||||
'ContextSwitching requested for an unvalid user ('
|
||||
. $req->{user}
|
||||
. ")" );
|
||||
$self->logger->debug('Identity NOT authorized');
|
||||
$req->error(PE_MALFORMEDUSER); # Hide error to preserve protected Id
|
||||
$raz = 1;
|
||||
}
|
||||
|
||||
$req->sessionInfo->{"$self->{conf}->{impersonationPrefix}_session_id"} =
|
||||
$realSessionId;
|
||||
|
||||
return $raz ? $self->_abortImpersonation( $req, 1 ) : $req;
|
||||
}
|
||||
|
||||
sub _abortImpersonation {
|
||||
my ( $self, $req, $abort ) = @_;
|
||||
my $type = $abort ? 'sessionInfo' : 'userData';
|
||||
my $realSessionId =
|
||||
$req->{$type}->{"$self->{conf}->{impersonationPrefix}_session_id"};
|
||||
my $session = $self->p->getApacheSession($realSessionId)->data;
|
||||
|
||||
if ($abort) {
|
||||
$self->logger->debug('ABORT ContextSwitching');
|
||||
$self->userLogger->notice('ABORT ContextSwitching');
|
||||
$self->p->updateSession( $req, { '_session_kind' => 'SPOOF' } );
|
||||
}
|
||||
else {
|
||||
$self->logger->debug('STOP ContextSwitching');
|
||||
$self->userLogger->notice('STOP ContextSwitching');
|
||||
$self->p->deleteSession($req);
|
||||
}
|
||||
|
||||
# Restore real session
|
||||
$req->{$type} = {%$session};
|
||||
$req->{user} = $session->{_user};
|
||||
$req->urldc( $self->conf->{portal} );
|
||||
$req->id($realSessionId);
|
||||
$self->p->buildCookie($req);
|
||||
delete $req->{$type}->{"$self->{conf}->{impersonationPrefix}_session_id"};
|
||||
|
||||
return $req;
|
||||
}
|
||||
|
||||
sub displaySwitchContext {
|
||||
my ( $self, $req ) = @_;
|
||||
return 'OFF'
|
||||
if $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"};
|
||||
return 'ON' if $self->rule->( $req, $req->userData );
|
||||
}
|
||||
|
||||
1;
|
|
@ -37,13 +37,13 @@ sub init {
|
|||
$self->rule($rule);
|
||||
|
||||
# Parse identity rule
|
||||
$self->logger->debug( "Impersonation identity rule -> "
|
||||
$self->logger->debug( "Impersonation identities rule -> "
|
||||
. $self->conf->{impersonationIdRule} );
|
||||
$rule =
|
||||
$hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) );
|
||||
unless ($rule) {
|
||||
$self->error(
|
||||
"Bad impersonation identity rule -> " . $hd->tsv->{jail}->error );
|
||||
"Bad impersonation identities rule -> " . $hd->tsv->{jail}->error );
|
||||
return 0;
|
||||
}
|
||||
$self->idRule($rule);
|
||||
|
@ -71,7 +71,7 @@ sub run {
|
|||
if ( $spoofId eq $req->{user} );
|
||||
|
||||
unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
|
||||
$self->userLogger->error('Malformed spoofed Id');
|
||||
$self->userLogger->warn('Malformed spoofed Id');
|
||||
$self->logger->debug("Impersonation tried with spoofed Id: $spoofId");
|
||||
$spoofId = $req->{user};
|
||||
$statut = PE_MALFORMEDUSER;
|
||||
|
@ -81,7 +81,7 @@ sub run {
|
|||
if ( $spoofId ne $req->{user} ) {
|
||||
$self->logger->debug("Spoof Id: $spoofId / Real Id: $req->{user}");
|
||||
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->error('Impersonation service not authorized');
|
||||
$self->userLogger->warn('Impersonation service not authorized');
|
||||
$spoofId = $req->{user};
|
||||
$statut = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
|
||||
}
|
||||
|
@ -90,12 +90,11 @@ sub run {
|
|||
# Fill spoof session
|
||||
my ( $realSession, $spoofSession ) = ( {}, {} );
|
||||
$self->logger->debug("Rename real attributes...");
|
||||
my $spk = '';
|
||||
foreach my $k ( keys %{ $req->{sessionInfo} } ) {
|
||||
if ( $self->{conf}->{impersonationSkipEmptyValues} ) {
|
||||
next unless defined $req->{sessionInfo}->{$k};
|
||||
}
|
||||
$spk = "$self->{conf}->{impersonationPrefix}$k";
|
||||
my $spk = "$self->{conf}->{impersonationPrefix}$k";
|
||||
unless ( $self->hAttr =~ /\b$k\b/
|
||||
|| $k =~ /^(?:_imp|token|_type)\w*\b/ )
|
||||
{
|
||||
|
@ -120,7 +119,7 @@ sub run {
|
|||
$self->logger->debug("Populating spoof session...");
|
||||
foreach (qw (_auth _userDB)) {
|
||||
$self->logger->debug("Processing $_...");
|
||||
$spk = "$self->{conf}->{impersonationPrefix}$_";
|
||||
my $spk = "$self->{conf}->{impersonationPrefix}$_";
|
||||
$spoofSession->{$_} = $realSession->{$spk};
|
||||
}
|
||||
|
||||
|
@ -217,7 +216,7 @@ sub _userData {
|
|||
'Impersonation requested for an unvalid user ('
|
||||
. $req->{user}
|
||||
. ")" );
|
||||
$self->logger->debug('Identity not authorized');
|
||||
$self->logger->debug('Identity NOT authorized');
|
||||
$raz = 1;
|
||||
}
|
||||
}
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 895 B |
Binary file not shown.
After Width: | Height: | Size: 787 B |
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"انا متاكد",
|
||||
"info":"معلومات",
|
||||
"ipAddr":"عنوان الأي بي",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"جلسة الدخول الموحد غير نشطة",
|
||||
"stayConnected":"ابق على اتصال على هذا الجهاز",
|
||||
"submit":"قدم",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice":"يرجى لمس جهاز U2F وامض الآن.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"ID",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"Ich bin sicher",
|
||||
"info":"Information",
|
||||
"ipAddr":"IP Adresse",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"SSO Sitzung inaktiv",
|
||||
"stayConnected":"Auf diesem Gerät verbunden bleiben",
|
||||
"submit":"Absenden",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"Es existiert bereits ein TOTP-Secret",
|
||||
"touchU2fDevice":"Please touch the flashing U2F device now.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"I'm sure",
|
||||
"info":"Information",
|
||||
"ipAddr":"IP address",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"SSO session inactive",
|
||||
"stayConnected": "Stay connected on this device",
|
||||
"submit":"Submit",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice": "Please touch the flashing U2F device now.",
|
||||
"touchU2fDeviceOrEnterTotp": "Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"I'm sure",
|
||||
"info":"Information",
|
||||
"ipAddr":"IP address",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"SSO session inactive",
|
||||
"stayConnected":"Stay connected on this device",
|
||||
"submit":"Submit",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice":"Please touch the flashing U2F device now.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"Olen varma",
|
||||
"info":"Information",
|
||||
"ipAddr":"IP-osoite",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"SSO session inactive",
|
||||
"stayConnected":"Stay connected on this device",
|
||||
"submit":"Lähetä",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice":"Please touch the flashing U2F device now.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"GROUPES SSO",
|
||||
"headers":"ENTETES",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Endosser l'identité d'un autre utilisateur",
|
||||
"contextSwitching_OFF":"Stopper l'endossement",
|
||||
"imSure":"Je suis sûr",
|
||||
"info":"Information",
|
||||
"ipAddr":"Adresse IP",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"Session SSO inactive",
|
||||
"stayConnected": "Rester connecté sur cet appareil",
|
||||
"submit":"Envoyer",
|
||||
"switchContext":"Changer de contexte",
|
||||
"totpExistingKey":"Un secret TOTP existe déjà !!!",
|
||||
"touchU2fDevice": "Posez votre doigt sur le périphérique U2F",
|
||||
"touchU2fDeviceOrEnterTotp": "Posez votre doigt sur le périphérique U2F ou entrez le code TOTP",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"GRUPPI SSO",
|
||||
"headers":"INTESTAZIONI",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"Sono sicuro",
|
||||
"info":"Informazioni",
|
||||
"ipAddr":"Indirizzo IP",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"Sessione SSO inattiva",
|
||||
"stayConnected":"Resta connesso su questo dispositivo",
|
||||
"submit":"Invia",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"Un segreto TOTP esiste già",
|
||||
"touchU2fDevice":"Adesso tocca il dispositivo U2F lampeggiante.",
|
||||
"touchU2fDeviceOrEnterTotp":"Tocca il dispositivo U2F lampeggiante o inserisci il codice TOTP.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"I'm sure",
|
||||
"info":"Information",
|
||||
"ipAddr":"IP address",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"SSO session inactive",
|
||||
"stayConnected":"Stay connected on this device",
|
||||
"submit":"Submit",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice":"Please touch the flashing U2F device now.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"I'm sure",
|
||||
"info":"Information",
|
||||
"ipAddr":"IP address",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"SSO session inactive",
|
||||
"stayConnected":"Stay connected on this device",
|
||||
"submit":"Submit",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice":"Please touch the flashing U2F device now.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"I'm sure",
|
||||
"info":"Information",
|
||||
"ipAddr":"IP address",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"SSO session inactive",
|
||||
"stayConnected":"Stay connected on this device",
|
||||
"submit":"Submit",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice":"Please touch the flashing U2F device now.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"Tôi chắc chắn",
|
||||
"info":"Thông tin",
|
||||
"ipAddr":"Địa chỉ IP",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"Phiên SSO không hoạt động",
|
||||
"stayConnected":"Giữ kết nối trên thiết bị này",
|
||||
"submit":"Gửi",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice":"Vui lòng chạm vào thiết bị U2F nhấp nháy ngay bây giờ.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -143,6 +143,8 @@
|
|||
"groups_sso":"SSO GROUPS",
|
||||
"headers":"HEADERS",
|
||||
"id":"Id",
|
||||
"contextSwitching_ON":"Impersonate another user",
|
||||
"contextSwitching_OFF":"Stop impersonation",
|
||||
"imSure":"我确认",
|
||||
"info":"信息",
|
||||
"ipAddr":"IP 地址",
|
||||
|
@ -219,6 +221,7 @@
|
|||
"SSOSessionInactive":"SSO session inactive",
|
||||
"stayConnected":"在该项设备上保持连接",
|
||||
"submit":"提交",
|
||||
"switchContext":"Switch context",
|
||||
"totpExistingKey":"A TOTP secret already exists",
|
||||
"touchU2fDevice":"Please touch the flashing U2F device now.",
|
||||
"touchU2fDeviceOrEnterTotp":"Please touch the flashing U2F device or enter TOTP code.",
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
<TMPL_INCLUDE NAME="header.tpl">
|
||||
|
||||
<div id="errorcontent" class="container">
|
||||
<!--
|
||||
<div class="message message-positive alert"><span trspan="<TMPL_VAR NAME="MSG">"></span></div>
|
||||
-->
|
||||
<div class="alert <TMPL_VAR NAME="ALERTE"> alert"><div class="text-center"><span trspan="<TMPL_VAR NAME="MSG">"></span></div></div>
|
||||
<form id="contextSwitching" action="/switchcontext" method="post" class="password" role="form">
|
||||
<div class="buttons">
|
||||
<TMPL_IF NAME="TOKEN">
|
||||
<input type="hidden" name="token" value="<TMPL_VAR NAME="TOKEN">" />
|
||||
</TMPL_IF>
|
||||
|
||||
<TMPL_INCLUDE NAME="impersonation.tpl">
|
||||
|
||||
<button type="submit" class="btn btn-success">
|
||||
<span class="fa fa-random"></span>
|
||||
<span trspan="switchContext">switchContext</span>
|
||||
</button>
|
||||
</div>
|
||||
</form>
|
||||
|
||||
<div class="buttons">
|
||||
<!--
|
||||
<button type="submit" class="btn btn-success">
|
||||
<span class="fa fa-sign-in"></span>
|
||||
<span trspan="search">Search</span>
|
||||
</button>
|
||||
-->
|
||||
<a href="<TMPL_VAR NAME="PORTAL_URL">" class="btn btn-primary" role="button">
|
||||
<span class="fa fa-home"></span>
|
||||
<span trspan="goToPortal">Go to portal</span>
|
||||
</a>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<TMPL_INCLUDE NAME="footer.tpl">
|
|
@ -72,6 +72,12 @@
|
|||
<span trspan="sfaManager">sfaManager</span>
|
||||
</a></li>
|
||||
</TMPL_IF>
|
||||
<TMPL_IF NAME="contextSwitching">
|
||||
<li class="dropdown-item"><a href="/switchcontext" class="nav-link">
|
||||
<img src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/switchcontext_<TMPL_VAR NAME="contextSwitching">.png" width="20" height="20" alt="refresh" />
|
||||
<span trspan="contextSwitching_<TMPL_VAR NAME="contextSwitching">">contextSwitching_<TMPL_VAR NAME="contextSwitching"></span>
|
||||
</a></li>
|
||||
</TMPL_IF>
|
||||
<li class="dropdown-item"><a href="/refresh" class="nav-link">
|
||||
<img src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/arrow_refresh.png" width="16" height="16" alt="refresh" />
|
||||
<span trspan="refreshrights">Refresh</span>
|
||||
|
|
|
@ -0,0 +1,155 @@
|
|||
use Test::More;
|
||||
use strict;
|
||||
use IO::String;
|
||||
|
||||
require 't/test-lib.pm';
|
||||
my $maintests = 18;
|
||||
|
||||
SKIP: {
|
||||
eval { require Convert::Base32 };
|
||||
if ($@) {
|
||||
skip 'Convert::Base32 is missing', $maintests;
|
||||
}
|
||||
eval { require Authen::OATH };
|
||||
if ($@) {
|
||||
skip 'Authen::OATH is missing', $maintests;
|
||||
}
|
||||
require Lemonldap::NG::Common::TOTP;
|
||||
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
totp2fSelfRegistration => 1,
|
||||
totp2fActivation => 1,
|
||||
totp2fDigits => 8,
|
||||
totp2fTTL => -1,
|
||||
loginHistoryEnabled => 1,
|
||||
disablePersistentStorage => 1,
|
||||
}
|
||||
}
|
||||
);
|
||||
my $res;
|
||||
|
||||
# Try to authenticate 1
|
||||
# ---------------------
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=dwho&password=dwho'),
|
||||
length => 23
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
my $id = expectCookie($res);
|
||||
$client->logout($id);
|
||||
|
||||
# Try to authenticate 2
|
||||
# ---------------------
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=dwho&password=dwho'),
|
||||
length => 23
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
$id = expectCookie($res);
|
||||
$client->logout($id);
|
||||
|
||||
# Try to authenticate 3
|
||||
# ---------------------
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=dwho&password=dwho&checkLogins=1'),
|
||||
length => 37,
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
$id = expectCookie($res);
|
||||
|
||||
ok( $res->[2]->[0] =~ /trspan="lastLogins"/, 'History found' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
my @c = ( $res->[2]->[0] =~ /<td>127.0.0.1/gs );
|
||||
ok( @c == 1, ' -> NO history : only one entry found' );
|
||||
|
||||
# TOTP form
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/2fregisters',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Form registration'
|
||||
);
|
||||
expectRedirection( $res, qr#/2fregisters/totp$# );
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/2fregisters/totp',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Form registration'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ /totpregistration\.(?:min\.)?js/, 'Found TOTP js' );
|
||||
|
||||
# JS query
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/2fregisters/totp/getkey', IO::String->new(''),
|
||||
cookie => "lemonldap=$id",
|
||||
length => 0,
|
||||
),
|
||||
'Get new key'
|
||||
);
|
||||
eval { $res = JSON::from_json( $res->[2]->[0] ) };
|
||||
ok( not($@), 'Content is JSON' )
|
||||
or explain( $res->[2]->[0], 'JSON content' );
|
||||
my ( $key, $token );
|
||||
ok( $key = $res->{secret}, 'Found secret' );
|
||||
ok( $token = $res->{token}, 'Found token' );
|
||||
$key = Convert::Base32::decode_base32($key);
|
||||
|
||||
# Post code
|
||||
my $code;
|
||||
ok( $code = Lemonldap::NG::Common::TOTP::_code( undef, $key, 0, 30, 8 ),
|
||||
'Code' );
|
||||
ok( $code =~ /^\d{8}$/, 'Code contains 8 digits' );
|
||||
my $s = "code=$code&token=$token";
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/2fregisters/totp/verify',
|
||||
IO::String->new($s),
|
||||
length => length($s),
|
||||
cookie => "lemonldap=$id",
|
||||
),
|
||||
'Post code'
|
||||
);
|
||||
eval { $res = JSON::from_json( $res->[2]->[0] ) };
|
||||
ok( not($@), 'Content is JSON' )
|
||||
or explain( $res->[2]->[0], 'JSON content' );
|
||||
ok( $res->{result} == 1, 'Key is registered' );
|
||||
|
||||
# Try to sign-in
|
||||
$client->logout($id);
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=dwho&password=dwho'),
|
||||
length => 23,
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
|
||||
# NO 2FA stored
|
||||
$id = expectCookie($res);
|
||||
$client->logout($id);
|
||||
}
|
||||
count($maintests);
|
||||
|
||||
clean_sessions();
|
||||
|
||||
done_testing( count() );
|
||||
|
|
@ -0,0 +1,148 @@
|
|||
use Test::More;
|
||||
use strict;
|
||||
use IO::String;
|
||||
|
||||
BEGIN {
|
||||
require 't/test-lib.pm';
|
||||
}
|
||||
|
||||
my $res;
|
||||
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
authentication => 'Demo',
|
||||
userDB => 'Same',
|
||||
loginHistoryEnabled => 0,
|
||||
brutForceProtection => 0,
|
||||
portalMainLogo => 'common/logos/logo_llng_old.png',
|
||||
requireToken => 0,
|
||||
checkUser => 1,
|
||||
impersonationPrefix => 'testPrefix_',
|
||||
securedCookie => 0,
|
||||
https => 0,
|
||||
checkUserDisplayPersistentInfo => 0,
|
||||
checkUserDisplayEmptyValues => 0,
|
||||
contextSwitchingRule => 1,
|
||||
contextSwitchingIdRule => 1,
|
||||
contextSwitchingStopWithLogout => 1,
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
##
|
||||
## Try to authenticate
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=rtyler&password=rtyler'),
|
||||
length => 27,
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
my $id = expectCookie($res);
|
||||
expectRedirection( $res, 'http://auth.example.com/' );
|
||||
|
||||
# Get Menu
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
count(1);
|
||||
expectOK($res);
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="connectedAs">Connected as</span> rtyler%,
|
||||
'Connected as rtyler' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
expectAuthenticatedAs( $res, 'rtyler' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">contextSwitching_ON</span>%,
|
||||
'Connected as rtyler' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
||||
# ContextSwitching form -> PE_OK
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/switchcontext',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'ContextSwitching form',
|
||||
);
|
||||
count(1);
|
||||
|
||||
my ( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/switchcontext', 'spoofId' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%, 'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
|
||||
$query =~ s/spoofId=/spoofId=dwho/;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/switchcontext',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST switchcontext'
|
||||
);
|
||||
$id = expectCookie($res);
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
count(3);
|
||||
expectAuthenticatedAs( $res, 'dwho' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_OFF">%, 'Found trspan="contextSwitching_OFF"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_OFF"' );
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/checkuser',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'CheckUser form',
|
||||
);
|
||||
count(2);
|
||||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/checkuser', 'user', 'url' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
|
||||
or explain( $res->[2]->[0], 'trspan="checkUser"' );
|
||||
ok( $res->[2]->[0] =~ m%<td scope="row">_user</td>%, 'Found attribute _user' )
|
||||
or explain( $res->[2]->[0], 'Attribute _user' );
|
||||
ok( $res->[2]->[0] =~ m%<td scope="row">dwho</td>%, 'Found value dwho' )
|
||||
or explain( $res->[2]->[0], 'Value dwho' );
|
||||
ok( $res->[2]->[0] =~ m%<td scope="row">mail</td>%, 'Found attribute mail' )
|
||||
or explain( $res->[2]->[0], 'Attribute mail' );
|
||||
ok( $res->[2]->[0] =~ m%<td scope="row">testPrefix__session_id</td>%, 'Found spoofed _id_session' )
|
||||
or explain( $res->[2]->[0], 'Spoofed _id_session' );
|
||||
count(5);
|
||||
|
||||
# Stop ContextSwitching
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/switchcontext',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Stop context switching',
|
||||
);
|
||||
ok( $res->[2]->[0] =~ /trmsg="-7"/, 'Found logout message' );
|
||||
count(2);
|
||||
|
||||
clean_sessions();
|
||||
|
||||
done_testing( count() );
|
|
@ -0,0 +1,343 @@
|
|||
use Test::More;
|
||||
use strict;
|
||||
use IO::String;
|
||||
|
||||
BEGIN {
|
||||
require 't/test-lib.pm';
|
||||
}
|
||||
|
||||
my $res;
|
||||
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
authentication => 'Demo',
|
||||
userDB => 'Same',
|
||||
loginHistoryEnabled => 0,
|
||||
brutForceProtection => 0,
|
||||
portalMainLogo => 'common/logos/logo_llng_old.png',
|
||||
requireToken => 0,
|
||||
checkUser => 0,
|
||||
impersonationPrefix => 'testPrefix_',
|
||||
securedCookie => 0,
|
||||
https => 0,
|
||||
checkUserDisplayPersistentInfo => 0,
|
||||
checkUserDisplayEmptyValues => 0,
|
||||
contextSwitchingRule => '$uid eq "dwho"',
|
||||
contextSwitchingIdRule => '$uid ne "msmith"',
|
||||
contextSwitchingStopWithLogout => 0,
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
##
|
||||
## Try to authenticate with a user not authorized to switch context
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=rtyler&password=rtyler'),
|
||||
length => 27,
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
my $id = expectCookie($res);
|
||||
expectRedirection( $res, 'http://auth.example.com/' );
|
||||
|
||||
# Get Menu
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
count(1);
|
||||
expectOK($res);
|
||||
ok(
|
||||
$res->[2]->[0] =~ m%<span trspan="connectedAs">Connected as</span> rtyler%,
|
||||
'Connected as rtyler'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
expectAuthenticatedAs( $res, 'rtyler' );
|
||||
ok( $res->[2]->[0] !~ m%contextSwitching_ON%, 'Connected as dwho' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
||||
$client->logout($id);
|
||||
|
||||
##
|
||||
## Try to authenticate with a user authorized to switch context
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=dwho&password=dwho'),
|
||||
length => 23,
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
$id = expectCookie($res);
|
||||
expectRedirection( $res, 'http://auth.example.com/' );
|
||||
|
||||
# Get Menu
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
count(1);
|
||||
expectOK($res);
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="connectedAs">Connected as</span> dwho%,
|
||||
'Connected as dwho' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
expectAuthenticatedAs( $res, 'dwho' );
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<span trspan="contextSwitching_ON">contextSwitching_ON</span>%,
|
||||
'Connected as dwho'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
||||
# ContextSwitching form -> PE_MALFORMEDUSER
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/switchcontext',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'ContextSwitching form',
|
||||
);
|
||||
count(1);
|
||||
|
||||
my ( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/switchcontext', 'spoofId' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
|
||||
'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
|
||||
count(1);
|
||||
$query =~ s/spoofId=/spoofId=msmith/;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/switchcontext',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST switchcontext'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, 'PE_MALFORMEDUSER' )
|
||||
or explain( $res->[2]->[0], 'PE_MALFORMEDUSER' );
|
||||
count(2);
|
||||
|
||||
# ContextSwitching form -> PE_MALFORMEDUSER
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/switchcontext',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'ContextSwitching form',
|
||||
);
|
||||
count(1);
|
||||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/switchcontext', 'spoofId' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
|
||||
'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
|
||||
count(1);
|
||||
$query =~ s/spoofId=/spoofId=</;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/switchcontext',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST switchcontext'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, 'PE_MALFORMEDUSER' )
|
||||
or explain( $res->[2]->[0], 'PE_MALFORMEDUSER' );
|
||||
count(2);
|
||||
|
||||
# ContextSwitching form -> PE_MALFORMEDUSER
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/switchcontext',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'ContextSwitching form',
|
||||
);
|
||||
count(1);
|
||||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/switchcontext', 'spoofId' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
|
||||
'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
|
||||
count(1);
|
||||
$query =~ s/spoofId=/spoofId=darkVador/;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/switchcontext',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST switchcontext'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, 'PE_MALFORMEDUSER' )
|
||||
or explain( $res->[2]->[0], 'PE_MALFORMEDUSER' );
|
||||
count(2);
|
||||
|
||||
# ContextSwitching form -> No impersonation required
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/switchcontext',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'ContextSwitching form',
|
||||
);
|
||||
count(1);
|
||||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/switchcontext', 'spoofId' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
|
||||
'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
|
||||
$query =~ s/spoofId=/spoofId=dwho/;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/switchcontext',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST switchcontext'
|
||||
);
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
|
||||
'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
|
||||
count(4);
|
||||
expectAuthenticatedAs( $res, 'dwho' );
|
||||
|
||||
# ContextSwitching form -> PE_OK
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/switchcontext',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'ContextSwitching form',
|
||||
);
|
||||
count(1);
|
||||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/switchcontext', 'spoofId' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
|
||||
'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
|
||||
$query =~ s/spoofId=/spoofId=rtyler/;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/switchcontext',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST switchcontext'
|
||||
);
|
||||
|
||||
# Refresh cookie value
|
||||
$id = expectCookie($res);
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
count(3);
|
||||
expectAuthenticatedAs( $res, 'rtyler' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_OFF">%,
|
||||
'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_OFF"' );
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/switchcontext',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Stop context switching',
|
||||
);
|
||||
|
||||
# Refresh cookie value
|
||||
$id = expectCookie($res);
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
count(3);
|
||||
expectAuthenticatedAs( $res, 'dwho' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
|
||||
'Found trspan="contextSwitching_ON"' )
|
||||
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
|
||||
count(1);
|
||||
|
||||
# Log out request
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
query => 'logout=1',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
count(1);
|
||||
expectOK($res);
|
||||
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-positive alert"><span trmsg="-7"></span></div>%,
|
||||
'Dwho has been well disconnected'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
|
||||
clean_sessions();
|
||||
|
||||
done_testing( count() );
|
|
@ -49,7 +49,11 @@
|
|||
# Main package
|
||||
#==============================================================================
|
||||
Name: lemonldap-ng
|
||||
<<<<<<< HEAD
|
||||
Version: 2.1.0
|
||||
=======
|
||||
Version: 2.0.5
|
||||
>>>>>>> v2.0
|
||||
Release: %{?pre_release:0.}1%{?pre_release:.%{pre_release}}%{?dist}
|
||||
Summary: LemonLDAP-NG WebSSO
|
||||
License: GPLv2+
|
||||
|
@ -124,7 +128,7 @@ BuildRequires: perl(IO::Select)
|
|||
BuildRequires: perl(IO::Socket::INET)
|
||||
BuildRequires: perl(IO::String)
|
||||
BuildRequires: perl(JSON)
|
||||
%if 0%{?fedora} >= 29
|
||||
%if 0%{?fedora}
|
||||
BuildRequires: perl(Lasso)
|
||||
BuildRequires: perl(Glib)
|
||||
%endif
|
||||
|
@ -194,16 +198,13 @@ Requires: lemonldap-ng-test = %{version}-%{release}
|
|||
|
||||
%if 0%{?fedora}
|
||||
%{?perl_default_filter}
|
||||
%if 0%{?fedora} < 29
|
||||
%global __requires_exclude perl\\(Lasso
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%description
|
||||
LemonLdap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||
simplifies the build of a protected area with a few changes in the
|
||||
application. It manages both authentication and authorization and provides
|
||||
headers for accounting.
|
||||
headers for accounting.
|
||||
So you can have a full AAA protection for your web space as described below.
|
||||
|
||||
#==============================================================================
|
||||
|
|
Loading…
Reference in New Issue