Append identities rule (#1658)

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -29,6 +29,7 @@ sub defaultValues {
         'casAuthnLevel'                 => 1,
         'checkTime'                     => 600,
         'checkUserHiddenAttributes'     => '_2fDevices _loginHistory hGroups',
+        'checkUserIdRule'               => 1,
         'checkXSS'                      => 1,
         'confirmFormMethod'             => 'post',
         'cookieName'                    => 'lemonldap',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -783,6 +783,21 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
             'default' => '_2fDevices _loginHistory hGroups',
             'type'    => 'text'
         },
+        'checkUserIdRule' => {
+            'default' => 1,
+            'test'    => sub {
+                my ( $val, $conf ) = @_;
+                my $s = '';
+                'Safe'->new->reval("BEGIN { warnings->unimport; } $s $val");
+                my $err = join(
+                    '',
+                    grep( { $_ =~ /Undefined subroutine/ ? () : $_; }
+                        split( /\n/, $@, 0 ) )
+                );
+                return $err ? ( 1, "__badExpression__: $err" ) : 1;
+            },
+            'type' => 'text'
+        },
         'checkXSS' => {
             'default' => 1,
             'type'    => 'bool'

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -422,6 +422,12 @@ sub attributes {
             documentation => 'Enable check user',
             flags         => 'p',
         },
+        checkUserIdRule => {
+            type          => 'text',
+            test          => $perlExpr,
+            default       => 1,
+            documentation => 'checkUser identities rule',
+        },
         checkUserHiddenAttributes => {
             type          => 'text',
             default       => '_2fDevices _loginHistory hGroups',
@@ -461,7 +467,7 @@ sub attributes {
             type          => 'text',
             test          => $perlExpr,
             default       => 1,
-            documentation => 'Impersonation identity rule',
+            documentation => 'Impersonation identities rule',
         },
         impersonationHiddenAttributes => {
             type          => 'text',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -642,6 +642,7 @@ sub tree {
                             form  => 'simpleInputContainer',
                             nodes => [
                                 'checkUser',
+                                'checkUserIdRule',
                                 'checkUserHiddenAttributes',
                                 'checkUserDisplayPersistentInfo',
                                 'checkUserDisplayEmptyValues',

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -153,6 +153,7 @@
 "checkStateSecret":"Shared secret",
 "checkUsers":"SSO profile Check",
 "checkUser":"Activation",
+"checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyValues":"Display empty values",

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -152,11 +152,12 @@
 "checkState":"Activation",
 "checkStateSecret":"Shared secret",
 "checkUsers":"SSO profile Check",
-"choiceParams":"Choice parameters",
 "checkUser":"Activation",
+"checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyValues":"Display empty values",
+"choiceParams":"Choice parameters",
 "chooseLogo":"Choose logo",
 "chooseSkin":"Choose skin",
 "combination":"Combination",

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -153,6 +153,7 @@
 "checkStateSecret":"Shared secret",
 "checkUsers":"SSO profile Check",
 "checkUser":"Activation",
+"checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyValues":"Display empty values",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -153,6 +153,7 @@
 "checkStateSecret":"Secret partagé",
 "checkUsers":"Vérification des profils SSO",
 "checkUser":"Activation",
+"checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Attributs masqués",
 "checkUserDisplayPersistentInfo":"Afficher les données de session persistante",
 "checkUserDisplayEmptyValues":"Afficher les valeurs nulles",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -153,6 +153,7 @@
 "checkStateSecret":"Segreto condiviso",
 "checkUsers":"SSO profile Check",
 "checkUser":"Activation",
+"checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyValues":"Display empty values",

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -151,8 +151,9 @@
 "clickHereToForce":"Nhấp vào đây để bắt buộc",
 "checkState":"Kích hoạt",
 "checkStateSecret":"Shared secret",
-"checkUsers":"Session Check",
+"checkUsers":"SSO profile Check",
 "checkUser":"Activation",
+"checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyValues":"Display empty values",

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -153,6 +153,7 @@
 "checkStateSecret":"Shared secret",
 "checkUsers":"SSO profile Check",
 "checkUser":"Activation",
+"checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyValues":"Display empty values",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm

@@ -25,6 +25,7 @@ has ott => (
         return $ott;
     }
 );
+has idRule => ( is => 'rw', default => sub { 1 } );
 
 sub hAttr {
     $_[0]->{conf}->{checkUserHiddenAttributes} . ' '
@@ -33,8 +34,22 @@ sub hAttr {
 
 sub init {
     my ($self) = @_;
+    my $hd = $self->p->HANDLER;
     $self->addAuthRoute( checkuser => 'check',   ['POST'] );
     $self->addAuthRoute( checkuser => 'display', ['GET'] );
+
+    # Parse identity rule
+    $self->logger->debug(
+        "checkUser identities rule -> " . $self->conf->{checkUserIdRule} );
+    my $rule =
+      $hd->buildSub( $hd->substitute( $self->conf->{checkUserIdRule} ) );
+    unless ($rule) {
+        $self->error(
+            "Bad checkUser identities rule -> " . $hd->tsv->{jail}->error );
+        return 0;
+    }
+    $self->{idRule} = $rule;
+
     return 1;
 }
 
@@ -91,7 +106,7 @@ sub check {
                 LANGS     => $self->conf->{showLanguages},
                 MSG       => 'PE' . PE_MALFORMEDUSER,
                 ALERTE    => 'alert-warning',
-                LOGIN     => $req->{user},
+                LOGIN     => '',
                 TOKEN     => (
                       $self->conf->{requireToken}
                     ? $self->ott->createToken( $req->userData )
@@ -183,8 +198,8 @@ sub check {
         MSG       => $msg,
         ALERTE    => ( $msg eq 'checkUser' ? 'alert-info' : 'alert-warning' ),
         LOGIN     => (
-              $self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
-            : $req->{user}
+              $self->p->checkXSSAttack( 'LOGIN', $req->{userData}->{uid} ) ? ""
+            : $req->{userData}->{uid}
         ),
         URL => (
               $self->p->checkXSSAttack( 'URL', $url ) ? ""
@@ -218,11 +233,8 @@ sub display {
         LANGS     => $self->conf->{showLanguages},
         MSG       => 'checkUser',
         ALERTE    => 'alert-info',
-        LOGIN     => (
-              $self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
-            : $req->{user}
-        ),
-        TOKEN => (
+        LOGIN     => '',
+        TOKEN     => (
               $self->conf->{requireToken}
             ? $self->ott->createToken( $req->userData )
             : ''
@@ -251,6 +263,17 @@ sub _userDatas {
         $self->logger->debug("Process returned error: $error");
         return $req->error($error);
     }
+
+    # Check identities rule
+    unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
+        $self->userLogger->warn(
+            'checkUser requested for an unvalid user (' . $req->{user} . ")" );
+        $req->{sessionInfo} = {};
+        $self->logger->debug('Identity not authorized');
+        return $req->error(PE_BADCREDENTIALS);
+    }
+
+    $self->logger->debug("Return \"$req->{user}\" sessionInfo");
     return $req->{sessionInfo};
 }
 
@@ -268,6 +291,8 @@ sub _authorization {
             last;
         }
     }
+
+    $self->logger->debug("Return \"$req->{user}\" authorization");
     return $exist
       ? $self->p->HANDLER->grant( $req, $req->{userData}, $appuri,
         undef, $vhost )
@@ -280,6 +305,8 @@ sub _headers {
     $vhost =~ s/:\d+$//;
     $req->{env}->{HTTP_HOST} = $vhost;
     $self->p->HANDLER->headersInit( $self->{conf} );
+
+    $self->logger->debug("Return \"$req->{user}\" headers");
     return $self->p->HANDLER->checkHeaders( $req, $req->{userData} );
 }