Enable upgradeSession only if required & Append unit test (#2480)

2021-03-02 19:20:08 +01:00 · 2021-03-02 19:20:08 +01:00 · b46259cae9
parent a422af3038
commit b46259cae9
6 changed files with 102 additions and 5 deletions
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
@ -204,6 +204,7 @@ sub defaultValuesInit {
        useSafeJail             whatToTrace        handlerInternalCache
        handlerServiceTokenTTL  customToTrace      lwpOpts lwpSslOpts
        authChoiceAuthBasic     authChoiceParam    hiddenAttributes
+        upgradeSession
        )
    );

--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
@ -346,7 +346,6 @@ sub grant {
    return $cond->( $req, $session ) if ($cond);

    $vhost ||= $class->resolveAlias($req);
-
    my $level = $class->getLevel( $req, $uri );

    # Using VH authentification level if exists
@ -356,9 +355,11 @@ sub grant {
                "User authentication level = $session->{authenticationLevel}");
            $class->logger->debug("Required authentication level = $level");
            $class->logger->warn(
-"User rejected due to insufficient authentication level -> Session upgrade enabled"
-            );
-            $session->{_upgrade} = 1;
+                'User rejected due to insufficient authentication level');
+            if ( $class->tsv->{upgradeSession} ) {
+                $class->logger->warn(' -> Session upgrade enabled');
+                $session->{_upgrade} = 1;
+            }
            return 0;
        }
    }
--- a/lemonldap-ng-portal/MANIFEST
+++ b/lemonldap-ng-portal/MANIFEST
@ -663,6 +663,7 @@ t/62-Refresh-plugin.t
 t/62-SingleSession-with-History.t
 t/62-SingleSession-with-Rules.t
 t/62-SingleSession.t
+t/62-UpgradeSession-disabled.t
 t/62-UpgradeSession.t
 t/63-History.t
 t/64-StayConnected-with-2F-and-History.t
@ -748,6 +749,8 @@ t/gpghome/openpgp-revocs.d/9482CEFB055809CBAFE6D71AAB2D5542891D1677.rev
 t/gpghome/private-keys-v1.d/A076B0E7DB141A919271EE8B581CDFA8DA42F333.key
 t/gpghome/private-keys-v1.d/B7219440BCCD85200121CFB89F94C8D98C0397B3.key
 t/gpghome/pubring.kbx
+t/gpghome/pubring.kbx~
+t/gpghome/tofu.db
 t/gpghome/trustdb.gpg
 t/lib/Apache/Session/Timeout.pm
 t/lib/Lemonldap/NG/Common/Conf/Backends/Timeout.pm
--- a/lemonldap-ng-portal/t/62-UpgradeSession-disabled.t
+++ b/lemonldap-ng-portal/t/62-UpgradeSession-disabled.t
@ -0,0 +1,80 @@
+use Test::More;
+use strict;
+use IO::String;
+use Data::Dumper;
+
+require 't/test-lib.pm';
+require 't/smtp.pm';
+
+use_ok('Lemonldap::NG::Common::FormEncode');
+count(1);
+
+my $res;
+my $client = LLNG::Manager::Test->new( {
+        ini => {
+            logLevel                     => 'error',
+            upgradeSession               => 0,
+            authentication               => 'Choice',
+            apacheAuthnLevel             => 5,
+            userDB                       => 'Same',
+            'authChoiceModules'          => {
+                'strong' => 'Apache;Demo;Null;;;{}',
+                'weak'   => 'Demo;Demo;Null;;;{}'
+            },
+            'vhostOptions' => {
+                'test1.example.com' => {
+                    'vhostAuthnLevel' => 3
+                },
+            },
+            "locationRules" => {
+                "test1.example.com" => {
+                    'default'                      => 'accept',
+                    '^/AuthWeak(?#AuthnLevel=2)'   => 'deny',
+                    '^/AuthStrong(?#AuthnLevel=5)' => 'deny',
+                },
+            },
+        }
+    }
+);
+
+# Try to authenticate
+# -------------------
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new('user=dwho&password=dwho&lmAuth=weak'),
+        length => 35,
+        accept => 'text/html',
+    ),
+    'Auth query'
+);
+count(1);
+my $id = expectCookie($res);
+
+ok(
+    $res = $client->_get(
+        '/AuthWeak',
+        accept => 'text/html',
+        cookie => "lemonldap=$id",
+        host   => 'test1.example.com',
+    ),
+    'GET http://test1.example.com/AuthWeak'
+);
+count(1);
+
+ok(
+    $res = $client->_get(
+        '/AuthStrong',
+        accept => 'text/html',
+        cookie => "lemonldap=$id",
+        host   => 'test1.example.com',
+    ),
+    'GET http://test1.example.com/AuthStrong'
+);
+count(1);
+expectForbidden($res);
+
+$client->logout($id);
+clean_sessions();
+done_testing( count() );
+
--- a/lemonldap-ng-portal/t/62-UpgradeSession.t
+++ b/lemonldap-ng-portal/t/62-UpgradeSession.t
@ -151,7 +151,7 @@ ok(
 count(1);
 expectOK($res);

+$client->logout($id);
 clean_sessions();
-
 done_testing( count() );

--- a/lemonldap-ng-portal/t/test-lib.pm
+++ b/lemonldap-ng-portal/t/test-lib.pm
@ -374,6 +374,18 @@ sub expectJSON {
    return $json;
 }

+=head4 expectForbidden($res)
+
+Verify that returned code is 403.
+
+=cut
+
+sub expectForbidden {
+    my ($res) = @_;
+    ok( $res->[0] == 403, ' HTTP code is 403' ) or explain( $res->[0], 403 );
+    count(1);
+}
+
 =head4 expectBadRequest($res)

 Verify that returned code is 400. Note that it works only for Ajax request