Merge branch 'v2.0' into fix-ssl-error-reporting-2110

Christophe Maudoux 2020-04-16 23:02:35 +02:00
commit c3f7755055
25 changed files with 246 additions and 33 deletions


@ -1,5 +1,6 @@
server {
listen __PORT__;
listen [::]:__PORT__;
server_name manager-api.__DNSDOMAIN__;
root __MANAGERAPIDIR__;
# Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
@ -38,6 +39,7 @@ server {
# Access control
#allow 127.0.0.0/8;
#allow ::1/128;
deny all;
}


@ -18,6 +18,7 @@ include __CONFDIR__/nginx-lmlog.conf;
server {
listen __PORT__;
listen [::]:__PORT__;
server_name reload.__DNSDOMAIN__;
root /var/www/html;
@ -31,7 +32,8 @@ server {
#real_ip_header X-Forwarded-For;
location = /reload {
allow 127.0.0.1;
allow 127.0.0.1/8;
allow ::1/128;
deny all;
# FastCGI configuration
@ -55,7 +57,8 @@ server {
# Uncomment this if status is enabled
#location = /status {
# allow 127.0.0.1;
# allow 127.0.0.1/8;
# allow ::1/128;
# deny all;
# # FastCGI configuration
# include /etc/nginx/fastcgi_params;
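Review bot: `allow 127.0.0.1/8;` on the `/reload` location keeps host bits under an 8-bit mask; nginx accepts it but, as far as I recall, logs a "low address bits ... are meaningless" warning at config load, and the effective rule is the whole loopback network anyway. The manager vhost in this same commit spells it `allow 127.0.0.0/8;`, so writing `allow 127.0.0.0/8;` here keeps the two files consistent and silent; the same spelling is used in the commented-out status block further down this file and in the commented status block of the test vhost. The widening from a single address to the loopback /8 is still local-only, but since it changes who may hit the reload endpoint it deserves a one-line comment next to the rule saying that was intended.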


@ -1,5 +1,6 @@
server {
listen __PORT__;
listen [::]:__PORT__;
server_name manager.__DNSDOMAIN__;
root __MANAGERSITEDIR__;
# Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
@ -43,6 +44,7 @@ server {
index manager.psgi;
try_files $uri $uri/ =404;
allow 127.0.0.0/8;
allow ::1/128;
deny all;
}


@ -12,6 +12,7 @@ upstream llng_portal_upstream {
server {
listen __PORT__;
listen [::]:__PORT__;
server_name auth.__DNSDOMAIN__;
root __PORTALSITEDIR__;
# Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)


@ -1,5 +1,6 @@
server {
listen __PORT__;
listen [::]:__PORT__;
server_name test1.__DNSDOMAIN__ test2.__DNSDOMAIN__;
root __TESTDIR__;
@ -113,7 +114,8 @@ server {
}
#location = /status {
# allow 127.0.0.1;
# allow 127.0.0.1/8;
# allow ::1/128;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;


@ -8,7 +8,7 @@ sub defaultValues {
'activeTimer' => 1,
'ADPwdExpireWarning' => 0,
'ADPwdMaxAge' => 0,
'apacheAuthnLevel' => 4,
'apacheAuthnLevel' => 3,
'applicationList' => {
'default' => {
'catname' => 'Default category',
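Review bot: Lowering the default `apacheAuthnLevel` from 4 to 3 changes the authentication level attributed to sessions from the Apache authentication module on every installation that never set the option explicitly; any access rule or `vhostAuthnLevel` of 4 that such sessions used to satisfy will presumably now be refused or trigger a session upgrade. The same default is changed in the two Attributes.pm hunks below, which keeps the three copies consistent, but nothing on the page records why the level moved or that it is a behaviour change for existing deployments. The `documentation` string in the build attributes could at least state the default, e.g. `documentation => 'Apache authentication level (default: 3)'`, and the upgrade notes should mention the change.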


@ -2,13 +2,13 @@ package Lemonldap::NG::Handler::Lib::CDA;
use strict;
our $VERSION = '2.0.7';
our $VERSION = '2.0.6';
sub run {
my ( $class, $req, $rule, $protection ) = @_;
my $uri = $req->{env}->{REQUEST_URI};
my $cn = $class->tsv->{cookieName};
my ( $id, $ret, $session );
my ( $id, $session );
if ( $uri =~ s/[\?&;]${cn}cda=(\w+)$//oi ) {
if ( $id = $class->fetchId($req)
and $session = $class->retrieveSession( $req, $id ) )
@ -48,10 +48,8 @@ sub run {
return $class->REDIRECT;
}
}
( $ret, $session ) =
$class->Lemonldap::NG::Handler::Main::run( $req, $rule, $protection );
return $ret;
return $class->Lemonldap::NG::Handler::Main::run( $req, $rule,
$protection );
}
## @rmethod protected hash getCDAInfos(id)
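Review bot: `return $class->Lemonldap::NG::Handler::Main::run( $req, $rule, $protection );` now passes the caller's context straight through to Main::run, whereas the removed `( $ret, $session ) = ...; return $ret;` always returned the first element of a list. If Main::run returns a list, as the old assignment assumed, a caller of CDA::run in list context now receives the extra element as well; to keep the previous contract write `my ($ret) = $class->Lemonldap::NG::Handler::Main::run( $req, $rule, $protection );` followed by `return $ret;`, or document on the sub that it is only ever called in scalar context. The two `$VERSION` lines at the top of the first hunk differ (2.0.7 / 2.0.6) and which side is new is not visible here; worth confirming the merge keeps the higher one. The body of `run` spans the gap between the two hunks.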


@ -271,7 +271,7 @@ sub attributes {
'type' => 'int'
},
'apacheAuthnLevel' => {
'default' => 4,
'default' => 3,
'type' => 'int'
},
'applicationList' => {


@ -3477,7 +3477,7 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
# Apache
apacheAuthnLevel => {
type => 'int',
default => 4,
default => 3,
documentation => 'Apache authentication level',
},


@ -320,6 +320,9 @@ llapp.controller 'SessionsExplorerCtrl', ['$scope', '$translator', '$location',
for key, value of l
if !key.match /^(_utime|ipAddr|error)$/
cv += ", #{key} : #{value}"
tab = cv.split ', '
tab.sort()
cv = tab.join ', '
tmp.push
t: l._utime
title: $scope.localeDate l._utime
@ -331,6 +334,9 @@ llapp.controller 'SessionsExplorerCtrl', ['$scope', '$translator', '$location',
for key, value of l
if !key.match /^(_utime|ipAddr|error)$/
cv += ", #{key} : #{value}"
tab = cv.split ', '
tab.sort()
cv = tab.join ', '
tmp.push
t: l._utime
title: $scope.localeDate l._utime
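Review bot: `tab = cv.split ', '` followed by `tab.sort()` and `tab.join ', '` reorders every comma-separated token, not just the attributes appended by the loop: whatever `cv` held before the loop (outside the hunk) is sorted along with them, and any attribute value that itself contains `, ` is split into separate tokens and scattered, so the displayed line can come out scrambled rather than sorted. Sorting the keys before building the string avoids the round-trip through the separator, e.g. `for key in Object.keys(l).sort()` with `value = l[key]` as the first line of the loop body and the existing `cv += ", #{key} : #{value}"` unchanged. The block is duplicated verbatim in the second hunk of this file; a small helper would take both, and the compiled JS section below follows from the .coffee.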


@ -228,7 +228,7 @@
$scope.displaySession = function(scope) {
var sessionId, transformSession;
transformSession = function(session) {
var _insert, array, attr, attrs, category, cv, element, epoch, i, id, j, k, key, l, len, len1, len2, len3, len4, len5, m, name, o, oidcConsent, p, real, ref, ref1, res, sfDevice, spoof, subres, time, title, tmp, value;
var _insert, array, attr, attrs, category, cv, element, epoch, i, id, j, k, key, l, len, len1, len2, len3, len4, len5, m, name, o, oidcConsent, p, real, ref, ref1, res, sfDevice, spoof, subres, tab, time, title, tmp, value;
_insert = function(re, title) {
var key, reg, tmp, value;
tmp = [];
@ -374,6 +374,9 @@
cv += ", " + key + " : " + value;
}
}
tab = cv.split(', ');
tab.sort();
cv = tab.join(', ');
tmp.push({
t: l._utime,
title: $scope.localeDate(l._utime),
@ -392,6 +395,9 @@
cv += ", " + key + " : " + value;
}
}
tab = cv.split(', ');
tab.sort();
cv = tab.join(', ');
tmp.push({
t: l._utime,
title: $scope.localeDate(l._utime),





@ -163,6 +163,8 @@ sub init {
# Enable REST request only if more than 1 2F module is enabled
if ( @{ $self->{sfModules} } > 1 ) {
$self->addAuthRoute( '2fchoice' => '_choice', ['POST'] );
$self->addAuthRoute( '2fchoice' => '_redirect', ['GET'] );
$self->addUnauthRoute( '2fchoice' => '_choice', ['POST'] );
$self->addUnauthRoute( '2fchoice' => '_redirect', ['GET'] );
}
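Review bot: The comment `# Enable REST request only if more than 1 2F module is enabled` now sits above four registrations but says nothing about the new GET routes to `_redirect`, whose handler is outside the hunk, so a reader cannot tell from here why a GET on `2fchoice` is accepted on both the auth and unauth sides. Presumably it covers a reload or back-navigation landing on the choice page; a second comment line such as `# GET on 2fchoice is not a choice: _redirect sends the user back to the flow` above the two GET lines would make the intent and the auth/unauth symmetry explicit.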


@ -74,13 +74,15 @@ sub init {
sub display {
my ( $self, $req ) = @_;
my $realSessionId =
$req->userData->{"$self->{conf}->{contextSwitchingPrefix}_session_id"};
my $realSession;
unless ( $realSession = $self->p->getApacheSession($realSessionId) ) {
$self->userLogger->info(
"ContextSwitching: session $realSessionId expired");
return $self->p->do( $req, [ sub { PE_SESSIONEXPIRED } ] );
my ( $realSession, $realSessionId );
if ( $realSessionId =
$req->userData->{"$self->{conf}->{contextSwitchingPrefix}_session_id"} )
{
unless ( $realSession = $self->p->getApacheSession($realSessionId) ) {
$self->userLogger->info(
"ContextSwitching: session $realSessionId expired");
return $self->p->do( $req, [ sub { PE_SESSIONEXPIRED } ] );
}
}
# Check access rules
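Review bot: When userData carries no `..._session_id` the new guard leaves `$realSession` undef and falls through to `# Check access rules` and the rest of `display`, which continues outside the hunk; every later use of `$realSession` in that path needs the same undef check, or the not-switched case should return early here. The assignment-in-condition `if ( $realSessionId = ... )` also treats a stored id of `0` or the empty string as absent, which is fine for session ids but worth stating, e.g. `# undef/empty: the current session is not a switched context`.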


@ -343,11 +343,14 @@ $(window).on 'load', () ->
console.log 'Get lang from window' if lang && !queryLang
else if lang not in window.availableLanguages
lang = window.availableLanguages[0]
console.log 'Get default lang' if !queryLang
console.log 'Lang not available -> Get default lang' if !queryLang
if queryLang
if queryLang not in window.availableLanguages
console.log 'Lang not available -> Get default lang'
queryLang = window.availableLanguages[0]
console.log 'Selected lang ->', queryLang
if setCookieLang
console.log 'Set lang ->', queryLang
console.log 'Set cookie lang ->', queryLang
setCookie 'llnglanguage', queryLang
translatePage(queryLang)
else
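Review bot: The added `if queryLang not in window.availableLanguages` check is the only thing keeping an arbitrary `lang` query value out of the `llnglanguage` cookie and out of `translatePage`, since `queryLang` was previously passed through as-is; that deserves a comment on the check, e.g. `# Only a known language may reach the cookie and translatePage`. The `lang` branch just above performs the same clamp, so a one-liner `pickLang = (l) -> if l in window.availableLanguages then l else window.availableLanguages[0]` would serve both and remove the duplicated console messages; the compiled JS section below follows from the .coffee.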


@ -349,13 +349,17 @@ LemonLDAP::NG Portal jQuery scripts
} else if (indexOf.call(window.availableLanguages, lang) < 0) {
lang = window.availableLanguages[0];
if (!queryLang) {
console.log('Get default lang');
console.log('Lang not available -> Get default lang');
}
}
if (queryLang) {
if (indexOf.call(window.availableLanguages, queryLang) < 0) {
console.log('Lang not available -> Get default lang');
queryLang = window.availableLanguages[0];
}
console.log('Selected lang ->', queryLang);
if (setCookieLang) {
console.log('Set lang ->', queryLang);
console.log('Set cookie lang ->', queryLang);
setCookie('llnglanguage', queryLang);
}
translatePage(queryLang);




@ -1,4 +1,4 @@
// Generated by CoffeeScript 1.12.8
// Generated by CoffeeScript 1.12.7
(function() {
var sendUrl, tryssl;


@ -1,4 +1,4 @@
// Generated by CoffeeScript 1.12.8
// Generated by CoffeeScript 1.12.7
(function() {
var sendUrl, tryssl;


@ -1,4 +1,4 @@
// Generated by CoffeeScript 1.12.8
// Generated by CoffeeScript 1.12.7
/*
LemonLDAP::NG TOTP registration script


@ -1,4 +1,4 @@
// Generated by CoffeeScript 1.12.8
// Generated by CoffeeScript 1.12.7
/*
LemonLDAP::NG U2F registration script


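--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,182 @@
+use Test::More;
+use strict;
+use IO::String;
+use Data::Dumper;
+require 't/test-lib.pm';
+require 't/smtp.pm';
+use_ok('Lemonldap::NG::Common::FormEncode');
+count(1);
+my $res;
+my $client = LLNG::Manager::Test->new( {
+ini => {
+logLevel => 'error',
+upgradeSession => 1,
+mail2fActivation => '$_choice eq "strong"',
+mail2fCodeRegex => '\d{4}',
+mail2fAuthnLevel => 5,
+ext2fActivation => '$_choice eq "strong"',
+ext2fCodeActivation => 0,
+ext2FSendCommand => 't/sendOTP.pl -uid $uid',
+ext2FValidateCommand => 't/vrfyOTP.pl -uid $uid -code $code',
+authentication => 'Choice',
+userDB => 'Same',
+'authChoiceModules' => {
+'strong' => 'Demo;Demo;Null;;;{}',
+'weak' => 'Demo;Demo;Null;;;{}'
+},
+'vhostOptions' => {
+'test1.example.com' => {
+'vhostAuthnLevel' => 3
+},
+},
+}
+}
+);
+# Try to authenticate
+# -------------------
+ok(
+$res = $client->_post(
+'/',
+IO::String->new('user=dwho&password=dwho&lmAuth=weak'),
+length => 35,
+accept => 'text/html',
+),
+'Auth query'
+);
+count(1);
+my $id = expectCookie($res);
+# After attempting to access test1,
+# the handler sends up back to /upgradesession
+# --------------------------------------------
+ok(
+$res = $client->_get(
+'/upgradesession',
+query => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t',
+accept => 'text/html',
+cookie => "lemonldap=$id",
+),
+'Upgrade session query'
+);
+my ( $host, $url, $query ) =
+expectForm( $res, undef, '/upgradesession', 'confirm', 'url' );
+ok( $res->[2]->[0] =~ qq%<img src="/static/common/logos/logo_llng_400px.png"%,
+'Found custom Main Logo' )
+or print STDERR Dumper( $res->[2]->[0] );
+ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
+or print STDERR Dumper( $res->[2]->[0] );
+count(3);
+# Accept session upgrade
+# ----------------------
+ok(
+$res = $client->_post(
+'/upgradesession',
+IO::String->new($query),
+length => length($query),
+accept => 'text/html',
+cookie => "lemonldap=$id",
+),
+'Accept session upgrade query'
+);
+count(1);
+my $pdata = expectCookie( $res, 'lemonldappdata' );
+( $host, $url, $query ) = expectForm( $res, '#', undef, 'upgrading', 'url' );
+$query = $query . "&user=dwho&password=dwho&lmAuth=strong";
+# Attempt login with the "strong" auth choice
+# this should trigger 2FA
+# -------------------------------------------
+ok(
+$res = $client->_post(
+'/upgradesession',
+IO::String->new($query),
+length => length($query),
+accept => 'text/html',
+cookie => "lemonldap=$id;lemonldappdata=$pdata",
+),
+'Post login'
+);
+count(1);
+$pdata = expectCookie( $res, 'lemonldappdata' );
+( $host, $url, $query ) =
+expectForm( $res, undef, '/2fchoice', 'token', 'checkLogins' );
+ok(
+$res->[2]->[0] =~
+qq%<button type="submit" name="sf" value="mail" class="mx-3 btn btn-light" role="button">%,
+'Found mail'
+) or print STDERR Dumper( $res->[2]->[0] );
+count(1);
+$query .= '&sf=mail';
+ok(
+$res = $client->_post(
+'/2fchoice',
+IO::String->new($query),
+length => length($query),
+accept => 'text/html',
+cookie => "lemonldap=$id;lemonldappdata=$pdata",
+),
+'Post ext2f choice'
+);
+count(1);
+$pdata = expectCookie( $res, 'lemonldappdata' );
+( $host, $url, $query ) =
+expectForm( $res, undef, '/mail2fcheck?skin=bootstrap', 'token', 'code' );
+ok(
+$res->[2]->[0] =~
+qr%<input name="code" value="" type="text" class="form-control" id="extcode" trplaceholder="code" autocomplete="off" />%,
+'Found EXTCODE input'
+) or print STDERR Dumper( $res->[2]->[0] );
+count(1);
+ok( mail() =~ m%<b>(\d{4})</b>%, 'Found 2F code in mail' )
+or print STDERR Dumper( mail() );
+count(1);
+my $code = $1;
+# Post 2F code
+# ------------
+$query =~ s/code=/code=${code}/;
+ok(
+$res = $client->_post(
+'/mail2fcheck',
+IO::String->new($query),
+length => length($query),
+accept => 'text/html',
+cookie => "lemonldap=$id;lemonldappdata=$pdata",
+),
+'Post code'
+);
+count(1);
+expectRedirection( $res, 'http://test1.example.com' );
+$id = expectCookie($res);
+my $cookies = getCookies($res);
+ok( !$cookies->{lemonldappdata}, " Make sure no pdata is returned" );
+count(1);
+clean_sessions();
+done_testing( count() );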
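Review bot: `my $code = $1;` reads the capture two statements after the `mail() =~ m%<b>(\d{4})</b>%` match; when that match fails the `ok` has already reported but `$1` is whatever an earlier match left (undef here), so the substitution later builds `code=` with an empty value and the failure shows up as an opaque "Post code" error rather than at its source. Capture and test in one place instead: `my ($code) = mail() =~ m%<b>(\d{4})</b>%;` followed by `ok( $code, 'Found 2F code in mail' ) or print STDERR Dumper( mail() );`. The file has `use strict;` but no `use warnings;`, unlike what the project's other tests presumably carry, and the two `qq%...%` literals used as patterns against the response body would be clearer as `m%...%` to match the `m%` and `qr%` forms used elsewhere in the same file.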