From bf1fd28aff1724c9c4df32aaa2f68f2851b13987 Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Thu, 9 Jun 2016 11:45:10 +0000
Subject: [PATCH] Backport #1036
---
 .../lib/Lemonldap/NG/Common/Apache/Session.pm | 10 +++----
 .../lib/Lemonldap/NG/Handler/Main/Reload.pm | 8 +++---
 .../lib/Lemonldap/NG/Handler/Main/Run.pm | 12 ++++++++
 .../t/60-Lemonldap-NG-Handler-PSGI.t | 26 +++++------------
 .../t/61-Lemonldap-NG-Handler-PSGI-Server.t | 23 ++++----------
 .../t/62-Lemonldap-NG-Handler-Nginx.t | 23 ++++----------
 ...2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545 | 1 -
 lemonldap-ng-handler/t/test-psgi-lib.pm | 24 ++++++++++++++++
 .../lib/Lemonldap/NG/Portal/Main/Run.pm | 28 ++++++++++++++++++-
 9 files changed, 88 insertions(+), 67 deletions(-)
 delete mode 100644 lemonldap-ng-handler/t/sessions/f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session.pm
index da2005dff..00e10303e 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session.pm
@@ -193,10 +193,7 @@ sub _dbiGKFAS {
 my ( $class, $type, $args, $data ) = @_;
 my $next;
 if ( $type !~ /(?:MySQL)/ ) {
- $next = sub {
- require MIME::Base64;
- return thaw( MIME::Base64::decode_base64( $_[0] ) );
- };
+ $next = \&decodeThaw64;
 if ( $args->{useStorable} ) {
 $args->{unserialize} = $next;
 }
@@ -349,7 +346,7 @@ sub _LDAPGKFAS {
 $entry->get_value('cn'),
 $entry->get_value( $args->{ldapAttributeContent} )
 );
- eval { $v = decodeThaw64($v); };
+ eval { $v = $args->{unserialize}->( $v, \&decodeThaw64 ); };
 next if ($@);
 if ( ref($data) eq 'CODE' ) {
 $res{$k} = &$data( $v, $k );
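Review bot: The rewritten `eval` line in `_LDAPGKFAS` dereferences `$args->{unserialize}` unconditionally, while the `_dbiGKFAS` hunk above assigns `$args->{unserialize}` only when `useStorable` is set; if the LDAP and NoSQL paths follow the same rule (their setup is not visible here), the call dies on an undefined code ref inside the `eval`, and the existing `next if ($@)` then silently drops every entry, so a session listing comes back empty with nothing logged. The same pattern is used in the `_NoSQLGKFAS` hunk that follows. Making the fallback explicit keeps the old behaviour when the hook is absent, e.g. `my $unserialize = $args->{unserialize} || \&decodeThaw64;` before the loop and `eval { $v = $unserialize->( $v, \&decodeThaw64 ); };` on this line. Logging `$@` before `next` would also let an operator tell a broken backend configuration from a genuinely empty store. Both subs start and end outside their hunks.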
@@ -375,7 +372,8 @@ sub _NoSQLGKFAS {
 
 my %res;
 foreach my $k (@keys) {
- my $v = eval { decodeThaw64( $redis->get($k) ); };
+ my $v =
+ eval { $args->{unserialize}->( $redis->get($k), \&decodeThaw64 ); };
 next if ($@);
 if ( ref($data) eq 'CODE' ) {
 $res{$k} = &$data( $v, $k );
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
index 962f18113..3558d51a3 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
@@ -184,10 +184,10 @@ sub defaultValuesInit {
 $class->tsv->{$_} = $conf->{$_}
 foreach (
 qw(
- cda cookieExpiration cookieName
- customFunctions httpOnly securedCookie
- timeoutActivity useRedirectOnError useRedirectOnForbidden
- useSafeJail whatToTrace
+ cda cookieExpiration cookieName
+ customFunctions httpOnly securedCookie
+ timeout timeoutActivity useRedirectOnError
+ useRedirectOnForbidden useSafeJail whatToTrace
 )
 );
 
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
index 5835981c5..1178cb514 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
@@ -410,6 +410,18 @@ sub retrieveSession {
 
 $class->lmLog( "Get session $id", 'debug' );
 
+ # Verify that session is valid
+ if (
+ $now - $class->datas->{_utime} > $class->tsv->{timeout}
+ or ( $class->tsv->{timeoutActivity}
+ and $class->datas->{_lastSeen}
+ and $now - $class->datas->{_lastSeen} > $class->tsv->{timeoutActivity} )
+ )
+ {
+ $class->lmLog( "Session expired", 'info' );
+ return 0;
+ }
+
 # Update the session to notify activity, if necessary
 if ( $class->tsv->{timeoutActivity}
 and ( $now - $class->datas->{_lastSeen} > 60 ) )
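Review bot: The expiry test added to `retrieveSession` compares against `$class->tsv->{timeout}`, which the Reload.pm hunk now copies straight from `$conf->{timeout}`; if that key is absent from the configuration the comparison becomes `$now - _utime > undef`, which is true for every session, so the handler rejects all sessions with only the unqualified info line `Session expired` to explain it. The portal `getApacheSession` hunk later in this patch has the same dependency on `$self->conf->{timeout}`. Including the identifier in the message, `$class->lmLog( "Session $id expired", 'info' );`, matches the portal's wording and lets an operator correlate the rejection with the `Get session $id` line just above it. The expired session is reported invalid but left in the backend; if nothing else purges expired sessions, a comment saying which job removes them would help the next reader. The function starts and ends outside the hunk.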
diff --git a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
index 60c379d65..03db2702a 100644
--- a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
+++ b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
@@ -33,29 +33,15 @@ count(4);
 
 # --------------------
 # Authorizated query
-ok(
- $res = $client->_get(
- '/',
- undef,
- undef,
-'lemonldap=f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545'
- ),
- 'Authentified query'
-);
-ok( $res->[0] == 200, 'Code is 200' ) or explain( $res->[0], 200 );
+ok( $res = $client->_get( '/', undef, undef, "lemonldap=$sessionId" ),
+ 'Authentified query' );
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
 count(2);
 
 
 # Denied query
-ok(
- $res = $client->_get(
- '/deny',
- undef,
- undef,
-'lemonldap=f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545'
- ),
- 'Denied query'
-);
+ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
+ 'Denied query' );
 ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
 count(2);
 
@@ -79,6 +65,8 @@ count(2);
 
 done_testing( count() );
 
+clean();
+
 sub Lemonldap::NG::Handler::PSGI::handler {
 my ( $self, $req ) = @_;
 ok( $req->{HTTP_AUTH_USER} eq 'dwho', 'Header is given to app' )
diff --git a/lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t b/lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t
index 4fe203bb2..fa72cc0fe 100644
--- a/lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t
+++ b/lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t
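Review bot: The rewritten 'Code is 200' line calls `explain( $res, 200 )` with the whole response array ref, but the `explain` in test-psgi-lib.pm prints its arguments with `print STDERR "Expect $ref, get $get\n"`, so a failure would show `ARRAY(0x…)` instead of the status code. The 61 and 62 test files keep `explain( $res->[0], 200 )` on the equivalent line, and the 'Code is 403' line two hunks below in this same file does too. Unless the intent is to dump the full response, restore `ok( $res->[0] == 200, 'Code is 200' ) or explain( $res->[0], 200 );`.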
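Review bot: `clean()` runs only if execution reaches the line after `done_testing`, so any `die` earlier in the script (the new `init` in test-psgi-lib.pm does `or die $!` when it cannot create the session file) leaves `t/sessions/<session id>` behind in the working tree; the same placement is used at the end of the 61 and 62 test files. An `END { clean() }` block, or an `END` block inside the test library that unlinks `$file`, removes the fixture however the script exits, e.g. `END { clean() if defined &clean; }`.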
@@ -33,15 +33,8 @@ count(4);
 
 # --------------------
 # Authorizated query
-ok(
- $res = $client->_get(
- '/',
- undef,
- undef,
-'lemonldap=f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545'
- ),
- 'Authentified query'
-);
+ok( $res = $client->_get( '/', undef, undef, "lemonldap=$sessionId" ),
+ 'Authentified query' );
 ok( $res->[0] == 200, 'Code is 200' ) or explain( $res->[0], 200 );
 count(2);
 
@@ -53,15 +46,8 @@ ok( $h{'Auth-User'} eq 'dwho', 'Header Auth-User is set to "dwho"' )
 count(1);
 
 # Denied query
-ok(
- $res = $client->_get(
- '/deny',
- undef,
- undef,
-'lemonldap=f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545'
- ),
- 'Denied query'
-);
+ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
+ 'Denied query' );
 ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
 count(2);
 
@@ -85,3 +71,4 @@ count(2);
 
 done_testing( count() );
 
+clean();
diff --git a/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t b/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t
index 2303a47bf..a4ac647b2 100644
--- a/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t
+++ b/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t
@@ -33,15 +33,8 @@ count(4);
 
 # --------------------
 # Authorizated query
-ok(
- $res = $client->_get(
- '/',
- undef,
- undef,
-'lemonldap=f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545'
- ),
- 'Authentified query'
-);
+ok( $res = $client->_get( '/', undef, undef, "lemonldap=$sessionId" ),
+ 'Authentified query' );
 ok( $res->[0] == 200, 'Code is 200' ) or explain( $res->[0], 200 );
 count(2);
 
@@ -55,15 +48,8 @@ ok( $h{'Headervalue1'} eq 'dwho', 'Headervalue1 is set to "dwho"' )
 count(2);
 
 # Denied query
-ok(
- $res = $client->_get(
- '/deny',
- undef,
- undef,
-'lemonldap=f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545'
- ),
- 'Denied query'
-);
+ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
+ 'Denied query' );
 ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
 count(2);
 
@@ -87,3 +73,4 @@ count(2);
 
 done_testing( count() );
 
+clean();
diff --git a/lemonldap-ng-handler/t/sessions/f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545 b/lemonldap-ng-handler/t/sessions/f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545
deleted file mode 100644
index b6ce7cc7a..000000000
--- a/lemonldap-ng-handler/t/sessions/f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545
+++ /dev/null
@@ -1 +0,0 @@
-{"updateTime":"20160201202726","_timezone":"1","_session_kind":"SSO","_passwordDB":"Demo","startTime":"20160201202726","ipAddr":"127.0.0.1","UA":"Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4","_user":"dwho","_userDB":"Demo","_lastAuthnUTime":1454354846,"uid":"dwho","_issuerDB":"Null","_url":"http://manager.example.com:19876/%5Bobject%20Object%5DaHR0cDovL21hbmFnZXIuZXhhbXBsZS5jb206MTk4NzYvIy9jb25mcy9sYXRlc3Q=","_session_id":"f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545","authenticationLevel":1,"_whatToTrace":"dwho","_auth":"Demo","_utime":1454354846,"loginHistory":{"successLogin":[{"ipAddr":"127.0.0.1","_utime":1454354846}]},"cn":"Doctor Who","mail":"dwho@badwolf.org"}
\ No newline at end of file
diff --git a/lemonldap-ng-handler/t/test-psgi-lib.pm b/lemonldap-ng-handler/t/test-psgi-lib.pm
index 012bc76af..d6a7b4c10 100644
--- a/lemonldap-ng-handler/t/test-psgi-lib.pm
+++ b/lemonldap-ng-handler/t/test-psgi-lib.pm
@@ -3,6 +3,7 @@ use strict;
 use Data::Dumper;
 use 5.10.0;
 
+use POSIX 'strftime';
 use_ok('Lemonldap::NG::Common::PSGI::Cli::Lib');
 
 our $client;
@@ -10,6 +11,8 @@ our $count = 1;
 
 $Data::Dumper::Deparse = 1;
 my $module;
+our $sessionId = 'f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545';
+our $file = "t/sessions/$sessionId";
 
 sub init {
 my $arg = shift;
@@ -20,6 +23,23 @@ sub init {
 ok( $client = Lemonldap::NG::Handler::PSGI::Cli::Lib->new(),
 'Client object' );
 count(2);
+ open F, ">$file"
+ or die $!;
+ my $now = time;
+ my $ts = strftime "%Y%m%d%H%M%S", localtime;
+
+ print F '{"updateTime":"'
+ . $ts
+ . '","_timezone":"1","_session_kind":"SSO","_passwordDB":"Demo","startTime":"'
+ . $ts
+ . '","ipAddr":"127.0.0.1","UA":"Mozilla/5.0 (X11; VAX4000; rv:43.0) Gecko/20100101 Firefox/143.0 Iceweasel/143.0.1","_user":"dwho","_userDB":"Demo","_lastAuthnUTime":'
+ . $now
+ . ',"uid":"dwho","_issuerDB":"Null","_session_id":"f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545","authenticationLevel":1,"_whatToTrace":"dwho","_auth":"Demo","_utime":'
+ . $now
+ . ',"loginHistory":{"successLogin":[{"ipAddr":"127.0.0.1","_utime":'
+ . $now
+ . '}]},"cn":"Doctor Who","mail":"dwho@badwolf.org"}';
+ close F;
 }
 
 sub client {
@@ -45,6 +65,10 @@ sub explain {
 print STDERR "Expect $ref, get $get\n";
 }
 
+sub clean {
+ unlink $file;
+}
+
 package Lemonldap::NG::Handler::PSGI::Cli::Lib;
 use Mouse;
 
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
index 79bdc6237..e295b997e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
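Review bot: In the `init` hunk the generated session body hard-codes `"_session_id":"f5eec18…"` while the filename is built from `$sessionId`, so changing the variable silently produces a file whose `_session_id` no longer matches its own name; interpolating the variable there, `. '...,"_session_id":"' . $sessionId . '","authenticationLevel":1,...'`, keeps the two in step. The `open F, ">$file" or die $!;` line also uses a bareword handle with 2-arg open, and `close F;` is unchecked, so a short write of the fixture would go unnoticed until a later test fails for an unrelated-looking reason; `open my $fh, '>', $file or die "open $file: $!";` and `close $fh or die "close $file: $!";` is the form perlcritic expects. `init` starts outside the hunk.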
@@ -212,6 +212,13 @@ sub autoRedirect {
 
 sub getApacheSession {
 my ( $self, $id, $noInfo, $force ) = @_;
+ if ($id) {
+ $self->lmLog( "Try to get session $id", 'debug' );
+ }
+ else {
+ $self->lmLog( "Try to get a new session", 'debug' );
+ }
+
 my $as = Lemonldap::NG::Common::Session->new(
 {
 storageModule => $self->conf->{globalStorage},
@@ -225,7 +232,7 @@ sub getApacheSession {
 );
 
 if ( $as->error ) {
- $self->lmLog( $as->error, 'debug' );
+ $self->lmLog( $as->error, 'error' );
 return;
 }
 
@@ -234,9 +241,28 @@ sub getApacheSession {
 return;
 }
 
+ my $now = time;
+ if (
+ $id
+ and (
+ $now - $as->data->{_utime} > $self->conf->{timeout}
+ or ( $self->conf->{timeoutActivity}
+ and $as->data->{_lastSeen}
+ and $now - $as->data->{_lastSeen} >
+ $self->conf->{timeoutActivity} )
+ )
+ )
+ {
+ $self->lmLog( "Session $id expired", 'debug' );
+ return;
+ }
+
 unless ($noInfo) {
 $self->{id} = $as->id;
 }
 
+
+ $self->lmLog( "Return session " . $as->id, 'debug' );
+
 return $as;
 }
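Review bot: The added debug line `Try to get session $id` writes the complete session identifier to the log, and the last hunk of this file adds `Session $id expired` and `Return session ` . `$as->id` doing the same; the tests in this patch show that identifier is exactly the value carried in the `lemonldap` cookie, so debug logs become a second copy of live bearer credentials for anyone with read access to them. This is consistent with the handler's existing `Get session $id` line, but if debug output is ever enabled on a production portal it is worth logging only a prefix, e.g. `my $shortId = defined $id ? substr( $id, 0, 8 ) : '';` and `$self->lmLog( "Try to get session $shortId...", 'debug' );`, and applying the same to the two later lines. The function continues past the first and second hunks.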