From b1048043e9268b271d63cad566a4ff177824aabc Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Thu, 7 Feb 2019 17:16:29 +0100
Subject: [PATCH] Restore GET activation global rule & Improve unit test (#1625)
---
 .../lib/Lemonldap/NG/Portal/Issuer/Get.pm | 31 ++++++++++++++++++-
 .../lib/Lemonldap/NG/Portal/Main/Constants.pm | 3 +-
 lemonldap-ng-portal/t/50-IssuerGet.t | 3 +-
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm
index a9d881e6e..6fcddbd05 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/Get.pm
@@ -4,17 +4,46 @@ use strict;
 use Mouse;
 use URI::Escape;
 use Lemonldap::NG::Common::FormEncode;
-use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_BADURL);
+use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_BADURL PE_GET_SERVICE_NOT_ALLOWED);
 our $VERSION = '2.0.0';
 extends 'Lemonldap::NG::Portal::Main::Issuer';
+has rule => ( is => 'rw', default => sub { {} } );
+
+# INITIALIZATION
+
+sub init {
+ my ($self) = @_;
+
+ # Parse activation rule
+ my $hd = $self->p->HANDLER;
+ $self->logger->debug(
+ "GET rule -> " . $self->conf->{issuerDBGetRule} );
+ my $rule =
+ $hd->buildSub(
+ $hd->substitute( $self->conf->{issuerDBGetRule} ) );
+ unless ($rule) {
+ $self->error( "Bad GET rule -> " . $hd->tsv->{jail}->error );
+ return 0;
+ }
+ $self->{rule} = $rule;
+ return 0 unless ( $self->SUPER::init() );
+ return 1;
+}
+
 # RUNNING METHODS
 sub run {
 my ( $self, $req ) = @_;
+ # Check activation rule
+ unless ( $self->rule->( $req, $req->sessionInfo ) ) {
+ $self->userLogger->error('GET service not authorized');
+ return PE_GET_SERVICE_NOT_ALLOWED;
+ }
+
 # Session ID
 my $session_id = $req->{sessionInfo}->{_session_id} || $self->{id};
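Review bot: The `rule` attribute defaults to a hash ref (`default => sub { {} }`) while `run` invokes it as code (`$self->rule->( $req, $req->sessionInfo )`), so any path that reaches `run` without a successful `init` dies with "Not a CODE reference" instead of returning PE_GET_SERVICE_NOT_ALLOWED; a deny-all default such as `has rule => ( is => 'rw', default => sub { sub { 0 } } );` keeps the check explicitly fail-closed. `init` also concatenates `$self->conf->{issuerDBGetRule}` into the debug message and passes it to `substitute`/`buildSub` with no handling for an unset value; whether a configuration that predates this key ends up allowing or denying every user depends on defaults that are not visible in this patch, so that case deserves an explicit decision and a comment above the `buildSub` call. The denial message `'GET service not authorized'` carries no user identifier, which limits its value for detection and audit; appending the traced attribute, for example `$req->sessionInfo->{ $self->conf->{whatToTrace} }` if that setting is populated here as elsewhere in the portal, would make the event attributable. The body of `run` continues past the end of the hunk.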
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
index d097b6ad3..c4feef030 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
@@ -97,6 +97,7 @@ use constant {
 PE_SAML_SERVICE_NOT_ALLOWED => 89,
 PE_OIDC_SERVICE_NOT_ALLOWED => 90,
 PE_OID_SERVICE_NOT_ALLOWED => 91,
+ PE_GET_SERVICE_NOT_ALLOWED => 92,
 };
@@ -125,7 +126,7 @@ our @EXPORT_OK = qw(
 PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK PE_REGISTERALREADYEXISTS PE_NOTOKEN PE_TOKENEXPIRED HANDLER PE_U2FFAILED PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION PE_IDPCHOICE PE_WAIT PE_MUSTAUTHN PE_MUSTHAVEMAIL PE_SAML_SERVICE_NOT_ALLOWED PE_OIDC_SERVICE_NOT_ALLOWED
- PE_OID_SERVICE_NOT_ALLOWED
+ PE_OID_SERVICE_NOT_ALLOWED PE_GET_SERVICE_NOT_ALLOWED
 );
 our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
diff --git a/lemonldap-ng-portal/t/50-IssuerGet.t b/lemonldap-ng-portal/t/50-IssuerGet.t
index cc4665063..22250301f 100644
--- a/lemonldap-ng-portal/t/50-IssuerGet.t
+++ b/lemonldap-ng-portal/t/50-IssuerGet.t
@@ -8,9 +8,10 @@ my $res;
 my $client = LLNG::Manager::Test->new( { ini => {
- logLevel => 'error',
+ logLevel => 'debug',
 useSafeJail => 1,
 issuerDBGetActivation => 1,
+ issuerDBGetRule => '$uid eq "dwho"',
 issuerDBGetPath => '^/test/',
 issuerDBGetParameters => { 'test1.example.com' => { ID => '_session_id' } }
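Review bot: The only rule configured in this test hunk is `issuerDBGetRule => '$uid eq "dwho"'`, which presumably matches the account the test logs in with, so nothing visible here exercises the new denial branch. An authorization gate is best pinned by a negative case as well: a second session whose uid does not satisfy the rule, with an assertion that the portal answers with the PE_GET_SERVICE_NOT_ALLOWED result rather than performing the GET redirection. `logLevel => 'debug'` also looks like a debugging leftover and could go back to `'error'` to keep test output quiet. The `LLNG::Manager::Test->new(` call opens in this hunk and is closed outside it, and the assertions themselves are not shown.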