Update code
This commit is contained in:
Christophe Maudoux
parent
aedda63b3e
commit
c0803bc306
|
|
@ -4,12 +4,12 @@ use strict;
|
|||
use Mouse;
|
||||
use Lemonldap::NG::Common::Conf::ReConstants;
|
||||
|
||||
our $VERSION = '2.0.8';
|
||||
our $VERSION = '2.0.15';
|
||||
|
||||
sub compactConf {
|
||||
my ( $self, $conf ) = @_;
|
||||
|
||||
return $conf unless ( $conf->{'compactConf'} );
|
||||
return $conf unless $conf->{compactConf};
|
||||
|
||||
# Remove unused auth parameters
|
||||
my %keep;
|
||||
|
|
|
|||
|
|
@ -2,19 +2,18 @@ package Lemonldap::NG::Common::Logger::Dispatch;
|
|||
|
||||
use strict;
|
||||
|
||||
our $VERSION = '2.0.14';
|
||||
our $VERSION = '2.0.15';
|
||||
|
||||
sub new {
|
||||
no warnings 'redefine';
|
||||
my $self = bless {}, shift;
|
||||
my ( $conf, %args ) = @_;
|
||||
my %bck;
|
||||
my $last;
|
||||
my $show = 1;
|
||||
my ( %bck, $last );
|
||||
my $root = $args{user} ? 'userLogDispatch' : 'logDispatch';
|
||||
unless ( $conf->{ $root . 'Error' } ) {
|
||||
die "At least, ${root}Error must be defined in conf";
|
||||
}
|
||||
my $show = 1;
|
||||
die "At least, ${root}Error must be defined in conf"
|
||||
unless ( $conf->{ $root . 'Error' } );
|
||||
|
||||
foreach my $l (qw(error warn notice info debug)) {
|
||||
if ($show) {
|
||||
$last = $conf->{ $root . ucfirst($l) } || $last;
|
||||
|
|
@ -33,9 +32,9 @@ sub new {
|
|||
eval qq'sub $l {1}';
|
||||
}
|
||||
$show = 0 if ( $conf->{logLevel} eq $l );
|
||||
|
||||
}
|
||||
die "Unknown logLevel $conf->{logLevel}" if ($show);
|
||||
die "Unknown logLevel $conf->{logLevel}" if $show;
|
||||
|
||||
return $self;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ sub new {
|
|||
my ($conf) = @_;
|
||||
my $show = 1;
|
||||
$self->{raven} = Sentry::Raven->new( sentry_dsn => $conf->{sentryDsn} );
|
||||
|
||||
foreach (qw(error warn notice info debug)) {
|
||||
my $rl = $_;
|
||||
$rl = 'warning' if ( $rl = 'warn' );
|
||||
|
|
@ -31,7 +32,8 @@ qq'sub $_ {\$_[0]->{raven}->capture_message(\$_[1],level => "$rl")}';
|
|||
}
|
||||
$show = 0 if ( $conf->{logLevel} eq $_ );
|
||||
}
|
||||
die "Unknown logLevel $conf->{logLevel}" if ($show);
|
||||
die "Unknown logLevel $conf->{logLevel}" if $show;
|
||||
|
||||
return $self;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ sub new {
|
|||
no warnings 'redefine';
|
||||
my $level = $_[1]->{logLevel} || 'info';
|
||||
my $show = 1;
|
||||
|
||||
foreach (qw(error warn notice info debug)) {
|
||||
if ($show) {
|
||||
eval
|
||||
|
|
@ -18,7 +19,8 @@ qq'sub $_ {print STDERR "[".localtime."] [LLNG:\$\$] [$_] \$_[1]\n"}';
|
|||
}
|
||||
$show = 0 if ( $level eq $_ );
|
||||
}
|
||||
die "Unknown logLevel $level" if ($show);
|
||||
die "Unknown logLevel $level" if $show;
|
||||
|
||||
return bless {}, shift;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ sub new {
|
|||
eval { openlog( 'LLNG', $self->{options}, $self->{facility} ) };
|
||||
no warnings 'redefine';
|
||||
my $show = 1;
|
||||
|
||||
foreach (qw(error warn notice info debug)) {
|
||||
if ($show) {
|
||||
my $name = $_;
|
||||
|
|
@ -34,7 +35,8 @@ sub new {
|
|||
}
|
||||
$show = 0 if ( $level eq $_ );
|
||||
}
|
||||
die "Unknown logLevel $level" if ($show);
|
||||
die "Unknown logLevel $level" if $show;
|
||||
|
||||
return $self;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -38,9 +38,9 @@ sub new {
|
|||
return bless( $self, $_[0] );
|
||||
}
|
||||
|
||||
sub data { $_[0]->{data} }
|
||||
sub data { return $_[0]->{data} }
|
||||
|
||||
sub uri { $_[0]->{uri} }
|
||||
sub uri { return $_[0]->{uri} }
|
||||
|
||||
sub userData {
|
||||
my ( $self, $v ) = @_;
|
||||
|
|
|
|||
|
|
@ -14,21 +14,19 @@ use Scalar::Util 'weaken';
|
|||
use IO::Socket::Timeout;
|
||||
use utf8;
|
||||
|
||||
our $VERSION = '2.0.14';
|
||||
our $VERSION = '2.0.15';
|
||||
|
||||
# INITIALIZATION
|
||||
|
||||
# Build a Net::LDAP object using parameters issued from $portal
|
||||
sub new {
|
||||
my ( $class, $args ) = @_;
|
||||
my $portal = $args->{p} or die "$class : p argument required !";
|
||||
my $conf = $args->{conf} or die "$class : conf argument required !";
|
||||
my $self;
|
||||
my $portal = $args->{p} or die "$class: p argument is required!";
|
||||
my $conf = $args->{conf} or die "$class: conf argument is required!";
|
||||
my ( $self, @servers, %tlsParams );
|
||||
my $useStartTls = 0;
|
||||
my %tlsParams;
|
||||
my @servers = ();
|
||||
foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {
|
||||
|
||||
foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {
|
||||
if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
|
||||
$useStartTls = 1;
|
||||
$server = $1;
|
||||
|
|
@ -44,9 +42,9 @@ sub new {
|
|||
}
|
||||
push @servers, $server;
|
||||
}
|
||||
$tlsParams{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
|
||||
$tlsParams{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
|
||||
$tlsParams{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
|
||||
$tlsParams{cafile} ||= $conf->{ldapCAFile} if $conf->{ldapCAFile};
|
||||
$tlsParams{capath} ||= $conf->{ldapCAPath} if $conf->{ldapCAPath};
|
||||
$tlsParams{verify} ||= $conf->{ldapVerify} if $conf->{ldapVerify};
|
||||
$self = Net::LDAP->new(
|
||||
\@servers,
|
||||
onerror => undef,
|
||||
|
|
@ -110,10 +108,9 @@ sub new {
|
|||
# @return Net::LDAP::Message
|
||||
sub bind {
|
||||
my ( $self, $dn, %args ) = @_;
|
||||
my $mesg;
|
||||
|
||||
$self->{portal}->logger->debug("Call bind for $dn") if $dn;
|
||||
|
||||
my $mesg;
|
||||
unless ($dn) {
|
||||
$dn = $self->{conf}->{managerDn};
|
||||
$args{password} =
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package Lemonldap::NG::Portal::Lib::Slave;
|
|||
use strict;
|
||||
use Mouse;
|
||||
|
||||
our $VERSION = '2.0.10';
|
||||
our $VERSION = '2.0.15';
|
||||
|
||||
# RUNNING METHODS
|
||||
|
||||
|
|
@ -33,7 +33,7 @@ sub checkHeader {
|
|||
unless ( $self->conf->{slaveHeaderName}
|
||||
and $self->conf->{slaveHeaderContent} );
|
||||
|
||||
my $slave_header = 'HTTP_' . uc( $self->{conf}->{slaveHeaderName} );
|
||||
my $slave_header = 'HTTP_' . uc( $self->conf->{slaveHeaderName} );
|
||||
$slave_header =~ s/\-/_/g;
|
||||
my $headerContent = $req->env->{$slave_header};
|
||||
$self->logger->debug(
|
||||
|
|
|
|||
|
|
@ -9,10 +9,10 @@ use URI;
|
|||
use Carp;
|
||||
with 'Lemonldap::NG::Portal::Lib::2fDevices';
|
||||
|
||||
our $VERSION = '2.0.12';
|
||||
our $VERSION = '2.0.15';
|
||||
|
||||
has rp_id => ( is => 'rw', lazy => 1, builder => "_build_rp_id" );
|
||||
has origin => ( is => 'rw', lazy => 1, builder => "_build_origin" );
|
||||
has rp_id => ( is => 'rw', lazy => 1, builder => "_build_rp_id" );
|
||||
has origin => ( is => 'rw', lazy => 1, builder => "_build_origin" );
|
||||
has type => ( is => 'ro', default => 'WebAuthn' );
|
||||
has verifier => ( is => 'rw', lazy => 1, builder => "_build_verifier" );
|
||||
|
||||
|
|
@ -68,10 +68,9 @@ sub generateChallenge {
|
|||
my ( $self, $req, $data ) = @_;
|
||||
|
||||
# Find webauthn devices for user
|
||||
my @webauthn_devices = $self->find2fDevicesByType( $req, $data, $self->type );
|
||||
unless (@webauthn_devices) {
|
||||
return;
|
||||
}
|
||||
my @webauthn_devices =
|
||||
$self->find2fDevicesByType( $req, $data, $self->type );
|
||||
return unless @webauthn_devices;
|
||||
|
||||
my $challenge_base64 = encode_base64url( Crypt::URandom::urandom(32) );
|
||||
my $userVerification = $self->conf->{webauthn2fUserVerification};
|
||||
|
|
@ -91,16 +90,12 @@ sub generateChallenge {
|
|||
|
||||
sub validateCredential {
|
||||
my ( $self, $req, $registration_options, $credential_json ) = @_;
|
||||
|
||||
my $credential = from_json($credential_json);
|
||||
|
||||
my $credential = from_json($credential_json);
|
||||
my $client_data_json_b64 = $credential->{response}->{clientDataJSON};
|
||||
my $attestation_object_b64 = $credential->{response}->{attestationObject};
|
||||
|
||||
my $requested_uv =
|
||||
$registration_options->{authenticatorSelection}->{userVerification} || "";
|
||||
my $challenge_b64 = $registration_options->{challenge};
|
||||
|
||||
my $token_binding_id_b64 = encode_base64url(
|
||||
$req->headers->header('Sec-Provided-Token-Binding-ID') );
|
||||
|
||||
|
|
@ -115,11 +110,10 @@ sub validateCredential {
|
|||
|
||||
sub validateAssertion {
|
||||
my ( $self, $req, $data, $signature_options, $credential_json ) = @_;
|
||||
|
||||
my $user = $data->{ $self->conf->{whatToTrace} };
|
||||
$self->logger->debug("Get asserted credential $credential_json");
|
||||
my $credential = from_json($credential_json);
|
||||
|
||||
$self->logger->debug("Get asserted credential $credential_json");
|
||||
my $credential = from_json($credential_json);
|
||||
my $credential_id = $credential->{id};
|
||||
croak("Empty credential id in credential response") unless $credential_id;
|
||||
|
||||
|
|
@ -128,26 +122,24 @@ sub validateAssertion {
|
|||
# options.allowCredentials.
|
||||
my @allowed_credential_ids =
|
||||
map { $_->{id} } @{ $signature_options->{allowCredentials} };
|
||||
if ( @allowed_credential_ids
|
||||
and not grep { $_ eq $credential_id } @allowed_credential_ids )
|
||||
{
|
||||
croak("Received credential ID $credential_id was not requested");
|
||||
}
|
||||
croak("Received credential ID $credential_id was not requested")
|
||||
if ( @allowed_credential_ids
|
||||
and not grep { $_ eq $credential_id } @allowed_credential_ids );
|
||||
|
||||
# 6. Identify the user being authenticated and verify that this user is the
|
||||
# owner of the public key credential source credentialSource identified by
|
||||
# credential.id If the user was identified before the authentication
|
||||
# ceremony was initiated, e.g., via a username or cookie, verify that the
|
||||
# identified user is the owner of credentialSource.
|
||||
my @webauthn_devices = $self->find2fDevicesByType( $req, $data, $self->type );
|
||||
my @webauthn_devices =
|
||||
$self->find2fDevicesByType( $req, $data, $self->type );
|
||||
my @matching_credentials =
|
||||
grep { $_->{_credentialId} eq $credential_id } @webauthn_devices;
|
||||
if ( @matching_credentials < 1 ) {
|
||||
croak("Received credential ID $credential_id does not belong to user");
|
||||
}
|
||||
if ( @matching_credentials > 1 ) {
|
||||
croak("Found multiple credentials with ID $credential_id for user");
|
||||
}
|
||||
|
||||
croak("Received credential ID $credential_id does not belong to user")
|
||||
if ( @matching_credentials < 1 );
|
||||
croak("Found multiple credentials with ID $credential_id for user")
|
||||
if ( @matching_credentials > 1 );
|
||||
my $matching_credential = $matching_credentials[0];
|
||||
|
||||
# If response.userHandle is present, let userHandle be its value.
|
||||
|
|
@ -155,11 +147,9 @@ sub validateAssertion {
|
|||
if ( $credential->{response}->{userHandle} ) {
|
||||
my $user_handle = $credential->{response}->{userHandle};
|
||||
my $current_user_handle = $self->getUserHandle( $req, $data );
|
||||
unless ( $user_handle eq $current_user_handle ) {
|
||||
croak(
|
||||
croak(
|
||||
"Received user handle ($user_handle) does not match current user ($current_user_handle)"
|
||||
);
|
||||
}
|
||||
) unless ( $user_handle eq $current_user_handle );
|
||||
}
|
||||
|
||||
# TODO If the user was not identified before the authentication ceremony
|
||||
|
|
|
|||
|
|
@ -11,6 +11,6 @@ extends 'Lemonldap::NG::Portal::Main::Plugin';
|
|||
|
||||
has authnLevel => ( is => 'rw' );
|
||||
|
||||
sub stop { 0 }
|
||||
sub stop { return 0 }
|
||||
|
||||
1;
|
||||
|
|
|
|||
Loading…
Reference in New Issue