Append identities rule (#1658)

This commit is contained in:
Christophe Maudoux 2019-03-09 23:29:10 +01:00
parent 7e1119a88d
commit be28b60e66
14 changed files with 70 additions and 13 deletions


@ -29,6 +29,7 @@ sub defaultValues {
'casAuthnLevel' => 1,
'checkTime' => 600,
'checkUserHiddenAttributes' => '_2fDevices _loginHistory hGroups',
'checkUserIdRule' => 1,
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',


@ -783,6 +783,21 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '_2fDevices _loginHistory hGroups',
'type' => 'text'
},
'checkUserIdRule' => {
'default' => 1,
'test' => sub {
my ( $val, $conf ) = @_;
my $s = '';
'Safe'->new->reval("BEGIN { warnings->unimport; } $s $val");
my $err = join(
'',
grep( { $_ =~ /Undefined subroutine/ ? () : $_; }
split( /\n/, $@, 0 ) )
);
return $err ? ( 1, "__badExpression__: $err" ) : 1;
},
'type' => 'text'
},
'checkXSS' => {
'default' => 1,
'type' => 'bool'


@ -422,6 +422,12 @@ sub attributes {
documentation => 'Enable check user',
flags => 'p',
},
checkUserIdRule => {
type => 'text',
test => $perlExpr,
default => 1,
documentation => 'checkUser identities rule',
},
checkUserHiddenAttributes => {
type => 'text',
default => '_2fDevices _loginHistory hGroups',
@ -461,7 +467,7 @@ sub attributes {
type => 'text',
test => $perlExpr,
default => 1,
documentation => 'Impersonation identity rule',
documentation => 'Impersonation identities rule',
},
impersonationHiddenAttributes => {
type => 'text',


@ -642,6 +642,7 @@ sub tree {
form => 'simpleInputContainer',
nodes => [
'checkUser',
'checkUserIdRule',
'checkUserHiddenAttributes',
'checkUserDisplayPersistentInfo',
'checkUserDisplayEmptyValues',


@ -153,6 +153,7 @@
"checkStateSecret":"Shared secret",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",


@ -152,11 +152,12 @@
"checkState":"Activation",
"checkStateSecret":"Shared secret",
"checkUsers":"SSO profile Check",
"choiceParams":"Choice parameters",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",
"choiceParams":"Choice parameters",
"chooseLogo":"Choose logo",
"chooseSkin":"Choose skin",
"combination":"Combination",


@ -153,6 +153,7 @@
"checkStateSecret":"Shared secret",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",


@ -153,6 +153,7 @@
"checkStateSecret":"Secret partagé",
"checkUsers":"Vérification des profils SSO",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Attributs masqués",
"checkUserDisplayPersistentInfo":"Afficher les données de session persistante",
"checkUserDisplayEmptyValues":"Afficher les valeurs nulles",


@ -153,6 +153,7 @@
"checkStateSecret":"Segreto condiviso",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",


@ -151,8 +151,9 @@
"clickHereToForce":"Nhấp vào đây để bắt buộc",
"checkState":"Kích hoạt",
"checkStateSecret":"Shared secret",
"checkUsers":"Session Check",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",


@ -153,6 +153,7 @@
"checkStateSecret":"Shared secret",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -25,6 +25,7 @@ has ott => (
return $ott;
}
);
has idRule => ( is => 'rw', default => sub { 1 } );
sub hAttr {
$_[0]->{conf}->{checkUserHiddenAttributes} . ' '
@ -33,8 +34,22 @@ sub hAttr {
sub init {
my ($self) = @_;
my $hd = $self->p->HANDLER;
$self->addAuthRoute( checkuser => 'check', ['POST'] );
$self->addAuthRoute( checkuser => 'display', ['GET'] );
# Parse identity rule
$self->logger->debug(
"checkUser identities rule -> " . $self->conf->{checkUserIdRule} );
my $rule =
$hd->buildSub( $hd->substitute( $self->conf->{checkUserIdRule} ) );
unless ($rule) {
$self->error(
"Bad checkUser identities rule -> " . $hd->tsv->{jail}->error );
return 0;
}
$self->{idRule} = $rule;
return 1;
}
@ -91,7 +106,7 @@ sub check {
LANGS => $self->conf->{showLanguages},
MSG => 'PE' . PE_MALFORMEDUSER,
ALERTE => 'alert-warning',
LOGIN => $req->{user},
LOGIN => '',
TOKEN => (
$self->conf->{requireToken}
? $self->ott->createToken( $req->userData )
@ -183,8 +198,8 @@ sub check {
MSG => $msg,
ALERTE => ( $msg eq 'checkUser' ? 'alert-info' : 'alert-warning' ),
LOGIN => (
$self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
: $req->{user}
$self->p->checkXSSAttack( 'LOGIN', $req->{userData}->{uid} ) ? ""
: $req->{userData}->{uid}
),
URL => (
$self->p->checkXSSAttack( 'URL', $url ) ? ""
@ -218,11 +233,8 @@ sub display {
LANGS => $self->conf->{showLanguages},
MSG => 'checkUser',
ALERTE => 'alert-info',
LOGIN => (
$self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
: $req->{user}
),
TOKEN => (
LOGIN => '',
TOKEN => (
$self->conf->{requireToken}
? $self->ott->createToken( $req->userData )
: ''
@ -251,6 +263,17 @@ sub _userDatas {
$self->logger->debug("Process returned error: $error");
return $req->error($error);
}
# Check identities rule
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
$self->userLogger->warn(
'checkUser requested for an unvalid user (' . $req->{user} . ")" );
$req->{sessionInfo} = {};
$self->logger->debug('Identity not authorized');
return $req->error(PE_BADCREDENTIALS);
}
$self->logger->debug("Return \"$req->{user}\" sessionInfo");
return $req->{sessionInfo};
}
@ -268,6 +291,8 @@ sub _authorization {
last;
}
}
$self->logger->debug("Return \"$req->{user}\" authorization");
return $exist
? $self->p->HANDLER->grant( $req, $req->{userData}, $appuri,
undef, $vhost )
@ -280,6 +305,8 @@ sub _headers {
$vhost =~ s/:\d+$//;
$req->{env}->{HTTP_HOST} = $vhost;
$self->p->HANDLER->headersInit( $self->{conf} );
$self->logger->debug("Return \"$req->{user}\" headers");
return $self->p->HANDLER->checkHeaders( $req, $req->{userData} );
}
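Review bot: The `idRule` attribute declared at the top of this section with `default => sub { 1 }` holds the scalar 1, not a code reference, so the call `$self->idRule->( $req, $req->sessionInfo )` in `_userDatas` would die under strict refs whenever `init` has not replaced it; `init` does replace it, but by writing `$self->{idRule} = $rule` into the object hash instead of going through the accessor. Declare a permissive rule as the default, `has idRule => ( is => 'rw', default => sub { sub { 1 } } );`, and set it with `$self->idRule($rule);` so the attribute's own contract holds even if the plugin is instantiated without `init`. Presumably the second argument makes the rule evaluate against the looked-up identity's session rather than the operator's; a comment such as `# Rule is evaluated on the checked user's sessionInfo, not the caller's` above the call would spare the next reader that guess. The warn on the same branch interpolates `$req->{user}`, which appears to be the submitted login; if it is not already constrained by the malformed-user check (outside this hunk) it lands raw in the log, and the message's `unvalid` should read `invalid`. `_userDatas`, `check` and `display` all begin outside the hunks shown.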