Append identities rule (#1658)
parent
7e1119a88d
commit
be28b60e66
|
@ -29,6 +29,7 @@ sub defaultValues {
|
|||
'casAuthnLevel' => 1,
|
||||
'checkTime' => 600,
|
||||
'checkUserHiddenAttributes' => '_2fDevices _loginHistory hGroups',
|
||||
'checkUserIdRule' => 1,
|
||||
'checkXSS' => 1,
|
||||
'confirmFormMethod' => 'post',
|
||||
'cookieName' => 'lemonldap',
|
||||
|
|
|
@ -783,6 +783,21 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'default' => '_2fDevices _loginHistory hGroups',
|
||||
'type' => 'text'
|
||||
},
|
||||
'checkUserIdRule' => {
|
||||
'default' => 1,
|
||||
'test' => sub {
|
||||
my ( $val, $conf ) = @_;
|
||||
my $s = '';
|
||||
'Safe'->new->reval("BEGIN { warnings->unimport; } $s $val");
|
||||
my $err = join(
|
||||
'',
|
||||
grep( { $_ =~ /Undefined subroutine/ ? () : $_; }
|
||||
split( /\n/, $@, 0 ) )
|
||||
);
|
||||
return $err ? ( 1, "__badExpression__: $err" ) : 1;
|
||||
},
|
||||
'type' => 'text'
|
||||
},
|
||||
'checkXSS' => {
|
||||
'default' => 1,
|
||||
'type' => 'bool'
|
||||
|
|
|
@ -422,6 +422,12 @@ sub attributes {
|
|||
documentation => 'Enable check user',
|
||||
flags => 'p',
|
||||
},
|
||||
checkUserIdRule => {
|
||||
type => 'text',
|
||||
test => $perlExpr,
|
||||
default => 1,
|
||||
documentation => 'checkUser identities rule',
|
||||
},
|
||||
checkUserHiddenAttributes => {
|
||||
type => 'text',
|
||||
default => '_2fDevices _loginHistory hGroups',
|
||||
|
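Review bot: `documentation => 'checkUser identities rule'` does not say what the rule selects or which data it is evaluated against; elsewhere in this commit the compiled rule is called as `$self->idRule->( $req, $req->sessionInfo )`, so wording such as `documentation => 'Rule selecting which identities may be checked'` would tell an administrator what to write in it, and would line up with the 'Impersonation identities rule' text changed in the next hunk. The attribute itself (`type => 'text'`, `test => $perlExpr`, `default => 1`) mirrors impersonationIdRule, which keeps the two rules consistent. The enclosing `attributes` sub continues outside the hunk.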
@ -461,7 +467,7 @@ sub attributes {
|
|||
type => 'text',
|
||||
test => $perlExpr,
|
||||
default => 1,
|
||||
documentation => 'Impersonation identity rule',
|
||||
documentation => 'Impersonation identities rule',
|
||||
},
|
||||
impersonationHiddenAttributes => {
|
||||
type => 'text',
|
||||
|
|
|
@ -642,6 +642,7 @@ sub tree {
|
|||
form => 'simpleInputContainer',
|
||||
nodes => [
|
||||
'checkUser',
|
||||
'checkUserIdRule',
|
||||
'checkUserHiddenAttributes',
|
||||
'checkUserDisplayPersistentInfo',
|
||||
'checkUserDisplayEmptyValues',
|
||||
|
|
|
@ -153,6 +153,7 @@
|
|||
"checkStateSecret":"Shared secret",
|
||||
"checkUsers":"SSO profile Check",
|
||||
"checkUser":"Activation",
|
||||
"checkUserIdRule":"Identities use rule",
|
||||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
|
|
|
@ -152,11 +152,12 @@
|
|||
"checkState":"Activation",
|
||||
"checkStateSecret":"Shared secret",
|
||||
"checkUsers":"SSO profile Check",
|
||||
"choiceParams":"Choice parameters",
|
||||
"checkUser":"Activation",
|
||||
"checkUserIdRule":"Identities use rule",
|
||||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
"choiceParams":"Choice parameters",
|
||||
"chooseLogo":"Choose logo",
|
||||
"chooseSkin":"Choose skin",
|
||||
"combination":"Combination",
|
||||
|
|
|
@ -153,6 +153,7 @@
|
|||
"checkStateSecret":"Shared secret",
|
||||
"checkUsers":"SSO profile Check",
|
||||
"checkUser":"Activation",
|
||||
"checkUserIdRule":"Identities use rule",
|
||||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
|
|
|
@ -153,6 +153,7 @@
|
|||
"checkStateSecret":"Secret partagé",
|
||||
"checkUsers":"Vérification des profils SSO",
|
||||
"checkUser":"Activation",
|
||||
"checkUserIdRule":"Identities use rule",
|
||||
"checkUserHiddenAttributes":"Attributs masqués",
|
||||
"checkUserDisplayPersistentInfo":"Afficher les données de session persistante",
|
||||
"checkUserDisplayEmptyValues":"Afficher les valeurs nulles",
|
||||
|
|
|
@ -153,6 +153,7 @@
|
|||
"checkStateSecret":"Segreto condiviso",
|
||||
"checkUsers":"SSO profile Check",
|
||||
"checkUser":"Activation",
|
||||
"checkUserIdRule":"Identities use rule",
|
||||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
|
|
|
@ -151,8 +151,9 @@
|
|||
"clickHereToForce":"Nhấp vào đây để bắt buộc",
|
||||
"checkState":"Kích hoạt",
|
||||
"checkStateSecret":"Shared secret",
|
||||
"checkUsers":"Session Check",
|
||||
"checkUsers":"SSO profile Check",
|
||||
"checkUser":"Activation",
|
||||
"checkUserIdRule":"Identities use rule",
|
||||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
|
|
|
@ -153,6 +153,7 @@
|
|||
"checkStateSecret":"Shared secret",
|
||||
"checkUsers":"SSO profile Check",
|
||||
"checkUser":"Activation",
|
||||
"checkUserIdRule":"Identities use rule",
|
||||
"checkUserHiddenAttributes":"Hidden attributes",
|
||||
"checkUserDisplayPersistentInfo":"Display persistent session",
|
||||
"checkUserDisplayEmptyValues":"Display empty values",
|
||||
|
|
|
@ -25,6 +25,7 @@ has ott => (
|
|||
return $ott;
|
||||
}
|
||||
);
|
||||
has idRule => ( is => 'rw', default => sub { 1 } );
|
||||
|
||||
sub hAttr {
|
||||
$_[0]->{conf}->{checkUserHiddenAttributes} . ' '
|
||||
|
@ -33,8 +34,22 @@ sub hAttr {
|
|||
|
||||
sub init {
|
||||
my ($self) = @_;
|
||||
my $hd = $self->p->HANDLER;
|
||||
$self->addAuthRoute( checkuser => 'check', ['POST'] );
|
||||
$self->addAuthRoute( checkuser => 'display', ['GET'] );
|
||||
|
||||
# Parse identity rule
|
||||
$self->logger->debug(
|
||||
"checkUser identities rule -> " . $self->conf->{checkUserIdRule} );
|
||||
my $rule =
|
||||
$hd->buildSub( $hd->substitute( $self->conf->{checkUserIdRule} ) );
|
||||
unless ($rule) {
|
||||
$self->error(
|
||||
"Bad checkUser identities rule -> " . $hd->tsv->{jail}->error );
|
||||
return 0;
|
||||
}
|
||||
$self->{idRule} = $rule;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -91,7 +106,7 @@ sub check {
|
|||
LANGS => $self->conf->{showLanguages},
|
||||
MSG => 'PE' . PE_MALFORMEDUSER,
|
||||
ALERTE => 'alert-warning',
|
||||
LOGIN => $req->{user},
|
||||
LOGIN => '',
|
||||
TOKEN => (
|
||||
$self->conf->{requireToken}
|
||||
? $self->ott->createToken( $req->userData )
|
||||
|
@ -183,8 +198,8 @@ sub check {
|
|||
MSG => $msg,
|
||||
ALERTE => ( $msg eq 'checkUser' ? 'alert-info' : 'alert-warning' ),
|
||||
LOGIN => (
|
||||
$self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
|
||||
: $req->{user}
|
||||
$self->p->checkXSSAttack( 'LOGIN', $req->{userData}->{uid} ) ? ""
|
||||
: $req->{userData}->{uid}
|
||||
),
|
||||
URL => (
|
||||
$self->p->checkXSSAttack( 'URL', $url ) ? ""
|
||||
|
@ -218,11 +233,8 @@ sub display {
|
|||
LANGS => $self->conf->{showLanguages},
|
||||
MSG => 'checkUser',
|
||||
ALERTE => 'alert-info',
|
||||
LOGIN => (
|
||||
$self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
|
||||
: $req->{user}
|
||||
),
|
||||
TOKEN => (
|
||||
LOGIN => '',
|
||||
TOKEN => (
|
||||
$self->conf->{requireToken}
|
||||
? $self->ott->createToken( $req->userData )
|
||||
: ''
|
||||
|
@ -251,6 +263,17 @@ sub _userDatas {
|
|||
$self->logger->debug("Process returned error: $error");
|
||||
return $req->error($error);
|
||||
}
|
||||
|
||||
# Check identities rule
|
||||
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->warn(
|
||||
'checkUser requested for an unvalid user (' . $req->{user} . ")" );
|
||||
$req->{sessionInfo} = {};
|
||||
$self->logger->debug('Identity not authorized');
|
||||
return $req->error(PE_BADCREDENTIALS);
|
||||
}
|
||||
|
||||
$self->logger->debug("Return \"$req->{user}\" sessionInfo");
|
||||
return $req->{sessionInfo};
|
||||
}
|
||||
|
||||
|
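Review bot: The rule is evaluated against `$req->sessionInfo`, i.e. the session data of the identity looked up by the preceding `process` call, not the requester's own `$req->{userData}`, so a rule written in terms of `$uid` restricts which identities may be inspected rather than who may inspect; a one-line comment saying so next to `# Check identities rule` would save the next reader a trip through the handler. The warning has a typo: `'checkUser requested for an invalid user (' . $req->{user} . ")"`. Clearing `$req->{sessionInfo}` before returning PE_BADCREDENTIALS is a sound fail-closed path; if `process` reports an unknown identity with a different code, the two outcomes stay distinguishable to the requester, which is acceptable for an administrative feature but worth stating in the documentation. `_userDatas` begins outside the hunk.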
@ -268,6 +291,8 @@ sub _authorization {
|
|||
last;
|
||||
}
|
||||
}
|
||||
|
||||
$self->logger->debug("Return \"$req->{user}\" authorization");
|
||||
return $exist
|
||||
? $self->p->HANDLER->grant( $req, $req->{userData}, $appuri,
|
||||
undef, $vhost )
|
||||
|
@ -280,6 +305,8 @@ sub _headers {
|
|||
$vhost =~ s/:\d+$//;
|
||||
$req->{env}->{HTTP_HOST} = $vhost;
|
||||
$self->p->HANDLER->headersInit( $self->{conf} );
|
||||
|
||||
$self->logger->debug("Return \"$req->{user}\" headers");
|
||||
return $self->p->HANDLER->checkHeaders( $req, $req->{userData} );
|
||||
}
|
||||
|
||||
|
|