Enable upgradeSession only if required & Append unit test (#2480)
parent
a422af3038
commit
b46259cae9
|
@ -204,6 +204,7 @@ sub defaultValuesInit {
|
|||
useSafeJail whatToTrace handlerInternalCache
|
||||
handlerServiceTokenTTL customToTrace lwpOpts lwpSslOpts
|
||||
authChoiceAuthBasic authChoiceParam hiddenAttributes
|
||||
upgradeSession
|
||||
)
|
||||
);
|
||||
|
||||
|
|
|
@ -346,7 +346,6 @@ sub grant {
|
|||
return $cond->( $req, $session ) if ($cond);
|
||||
|
||||
$vhost ||= $class->resolveAlias($req);
|
||||
|
||||
my $level = $class->getLevel( $req, $uri );
|
||||
|
||||
# Using VH authentification level if exists
|
||||
|
@ -356,9 +355,11 @@ sub grant {
|
|||
"User authentication level = $session->{authenticationLevel}");
|
||||
$class->logger->debug("Required authentication level = $level");
|
||||
$class->logger->warn(
|
||||
"User rejected due to insufficient authentication level -> Session upgrade enabled"
|
||||
);
|
||||
$session->{_upgrade} = 1;
|
||||
'User rejected due to insufficient authentication level');
|
||||
if ( $class->tsv->{upgradeSession} ) {
|
||||
$class->logger->warn(' -> Session upgrade enabled');
|
||||
$session->{_upgrade} = 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
|
|
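Review bot: The rejection in `grant` now logs two separate warn lines when session upgrade is enabled (`'User rejected due to insufficient authentication level'` followed by `' -> Session upgrade enabled'`), which splits one event across two log records and makes the second one meaningless on its own when grepping. A single message keeps the event atomic: `$class->logger->warn( 'User rejected due to insufficient authentication level' . ( $class->tsv->{upgradeSession} ? ' -> Session upgrade enabled' : '' ) );` with the `$session->{_upgrade} = 1;` assignment kept inside the `if`. Since `upgradeSession` is only copied into tsv by `defaultValuesInit` (first hunk) and no default is visible there, an unset option evaluates as disabled; a short comment on the `if`, `# undef/0: deny outright, no upgrade redirect`, would make that intended fail-closed behaviour explicit. The enclosing `grant` starts before the hunk.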
@ -663,6 +663,7 @@ t/62-Refresh-plugin.t
|
|||
t/62-SingleSession-with-History.t
|
||||
t/62-SingleSession-with-Rules.t
|
||||
t/62-SingleSession.t
|
||||
t/62-UpgradeSession-disabled.t
|
||||
t/62-UpgradeSession.t
|
||||
t/63-History.t
|
||||
t/64-StayConnected-with-2F-and-History.t
|
||||
|
@ -748,6 +749,8 @@ t/gpghome/openpgp-revocs.d/9482CEFB055809CBAFE6D71AAB2D5542891D1677.rev
|
|||
t/gpghome/private-keys-v1.d/A076B0E7DB141A919271EE8B581CDFA8DA42F333.key
|
||||
t/gpghome/private-keys-v1.d/B7219440BCCD85200121CFB89F94C8D98C0397B3.key
|
||||
t/gpghome/pubring.kbx
|
||||
t/gpghome/pubring.kbx~
|
||||
t/gpghome/tofu.db
|
||||
t/gpghome/trustdb.gpg
|
||||
t/lib/Apache/Session/Timeout.pm
|
||||
t/lib/Lemonldap/NG/Common/Conf/Backends/Timeout.pm
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
use Test::More;
|
||||
use strict;
|
||||
use IO::String;
|
||||
use Data::Dumper;
|
||||
|
||||
require 't/test-lib.pm';
|
||||
require 't/smtp.pm';
|
||||
|
||||
use_ok('Lemonldap::NG::Common::FormEncode');
|
||||
count(1);
|
||||
|
||||
my $res;
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
upgradeSession => 0,
|
||||
authentication => 'Choice',
|
||||
apacheAuthnLevel => 5,
|
||||
userDB => 'Same',
|
||||
'authChoiceModules' => {
|
||||
'strong' => 'Apache;Demo;Null;;;{}',
|
||||
'weak' => 'Demo;Demo;Null;;;{}'
|
||||
},
|
||||
'vhostOptions' => {
|
||||
'test1.example.com' => {
|
||||
'vhostAuthnLevel' => 3
|
||||
},
|
||||
},
|
||||
"locationRules" => {
|
||||
"test1.example.com" => {
|
||||
'default' => 'accept',
|
||||
'^/AuthWeak(?#AuthnLevel=2)' => 'deny',
|
||||
'^/AuthStrong(?#AuthnLevel=5)' => 'deny',
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
# Try to authenticate
|
||||
# -------------------
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=dwho&password=dwho&lmAuth=weak'),
|
||||
length => 35,
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
my $id = expectCookie($res);
|
||||
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/AuthWeak',
|
||||
accept => 'text/html',
|
||||
cookie => "lemonldap=$id",
|
||||
host => 'test1.example.com',
|
||||
),
|
||||
'GET http://test1.example.com/AuthWeak'
|
||||
);
|
||||
count(1);
|
||||
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/AuthStrong',
|
||||
accept => 'text/html',
|
||||
cookie => "lemonldap=$id",
|
||||
host => 'test1.example.com',
|
||||
),
|
||||
'GET http://test1.example.com/AuthStrong'
|
||||
);
|
||||
count(1);
|
||||
expectForbidden($res);
|
||||
|
||||
$client->logout($id);
|
||||
clean_sessions();
|
||||
done_testing( count() );
|
||||
|
|
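Review bot: The response of the second request (`GET http://test1.example.com/AuthWeak`) is never asserted — after its `count(1);` the script goes straight to the `/AuthStrong` request, so the test passes whatever the handler returned for the lower-level path; add `expectOK($res);` (or `expectForbidden($res);` if rejection is the intended outcome there — the `@ -151` hunk of t/62-UpgradeSession.t shows `expectOK($res)` after a `count(1)`, which looks like the corresponding check) right after that `count(1);`. Two smaller points: the file has `use strict;` but no `use warnings;`, and `use Data::Dumper;` is imported but unused. The `length => 35` must equal the byte length of the posted body; a comment such as `# length of the form body above` would stop it silently drifting when the credentials string is edited.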
@ -151,7 +151,7 @@ ok(
|
|||
count(1);
|
||||
expectOK($res);
|
||||
|
||||
$client->logout($id);
|
||||
clean_sessions();
|
||||
|
||||
done_testing( count() );
|
||||
|
||||
|
|
|
@ -374,6 +374,18 @@ sub expectJSON {
|
|||
return $json;
|
||||
}
|
||||
|
||||
=head4 expectForbidden($res)
|
||||
|
||||
Verify that returned code is 403.
|
||||
|
||||
=cut
|
||||
|
||||
sub expectForbidden {
|
||||
my ($res) = @_;
|
||||
ok( $res->[0] == 403, ' HTTP code is 403' ) or explain( $res->[0], 403 );
|
||||
count(1);
|
||||
}
|
||||
|
||||
=head4 expectBadRequest($res)
|
||||
|
||||
Verify that returned code is 400. Note that it works only for Ajax request
|
||||
|
|
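Review bot: In `expectForbidden`, `ok( $res->[0] == 403, ... ) or explain( $res->[0], 403 )` compares with numeric `==`, so an undef or non-numeric status produces an "uninitialized"/"isn't numeric" warning rather than a clean diagnostic, and if `explain` here is Test::More's it only returns a string, so the `or explain(...)` in void context prints nothing (if test-lib.pm defines its own `explain`, disregard that part). `is( $res->[0], 403, ' HTTP code is 403' );` reports got/expected directly and covers both cases. The sub also ends without an explicit `return;`, unlike `expectJSON` just above which returns its value; adding `return;` keeps the helpers consistent and avoids returning the result of `count(1)` by accident.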