Allow findUser with UpgradeSession (#1976)

This commit is contained in:
Christophe Maudoux 2021-05-06 23:16:26 +02:00
parent a24ed7bc41
commit cf55716825
8 changed files with 191 additions and 11 deletions


@ -92,7 +92,7 @@ run for example each week:
Session management
------------------
LL::NG implements the `OpenID Connect Chance Notification specification <http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification>`__
LL::NG implements the `OpenID Connect Change Notification specification <http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification>`__
A ``changed`` state will be sent if the user is disconnected from LL::NG
portal (or has destroyed its SSO cookie). Else the ``unchanged`` state


@ -32,6 +32,8 @@ sub init {
my ($self) = @_;
( my $imp = grep /::Plugins::Impersonation$/, $self->p->enabledPlugins )
? $self->addUnauthRoute( finduser => 'provideUser', ['POST'] )
->addAuthRoute( finduser => 'provideUser',
['POST'] ) # Allow findUser with reAuth
: $self->logger->warn('FindUser plugin enabled without Impersonation');
$self->logger->warn('FindUser plugin enabled without searching attribute')
unless keys %{ $self->conf->{findUserSearchingAttributes} };
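Review bot: The new `addAuthRoute( finduser => 'provideUser', ['POST'] )` registers the account-search endpoint for every authenticated session, not only for one that is in the middle of a session upgrade, so unless `provideUser` itself checks the upgrade/re-auth state (its body is outside this hunk) any logged-in user can now POST `/finduser` and enumerate accounts with wildcards; the impersonation-rule check, if it lives in `provideUser`, is the only remaining gate and that should be confirmed. The trailing comment also says `reAuth` while the commit is about UpgradeSession, which will confuse the next reader. I would replace it with `# Authenticated route: /finduser must also work while a session is being upgraded; provideUser is expected to refuse searches from sessions that are not upgrading` so the intended restriction is written down next to the route. Note that `sub init` starts before this hunk and continues after it, and the chained call relies on `addUnauthRoute` returning `$self`, which is not visible here.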


@ -7,7 +7,6 @@ require 't/test-lib.pm';
my $res;
my $json;
my $request;
my $maintests = 24;
SKIP: {
@ -43,7 +42,7 @@ SKIP: {
my ( $host, $url, $query ) =
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
$request = '';
my $request = '';
ok(
$res = $client->_post(
'/finduser', IO::String->new($request),


@ -15,7 +15,6 @@ SKIP: {
}
my $res;
my $json;
my $request;
my $dbh = DBI->connect("dbi:SQLite:dbname=$userdb");
$dbh->do(
'CREATE TABLE users (uid text,password text,cn text,type text,guy text, room text)'
@ -77,7 +76,7 @@ SKIP: {
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
( $host, $url, $query ) =
expectForm( $res, '#', undef, 'uid', 'guy', 'cn', 'room' );
$request = '';
my $request = '';
ok(
$res = $client->_post(
'/finduser', IO::String->new($request),


@ -9,7 +9,6 @@ my $maintests = 25;
my $res;
my $json;
my $request;
my $client = LLNG::Manager::Test->new( {
ini => {
logLevel => 'error',
@ -39,7 +38,7 @@ ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Portal', );
my ( $host, $url, $query ) =
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
$request = '';
my $request = '';
ok(
$res = $client->_post(
'/finduser', IO::String->new($request),


@ -0,0 +1,183 @@
use Test::More;
use strict;
use JSON;
use IO::String;
require 't/test-lib.pm';
my $maintests = 14;
my $res;
my $json;
my $client = LLNG::Manager::Test->new( {
ini => {
logLevel => 'error',
authentication => 'Choice',
userDB => 'Same',
apacheAuthnLevel => 5,
upgradeSession => 1,
useSafeJail => 1,
requireToken => 0,
findUser => 1,
impersonationRule => 1,
findUserControl => '^[\w*\s]+$',
findUserWildcard => '*',
findUserSearchingAttributes => {
uid => 'User',
},
authChoiceModules => {
strong => 'Apache;Demo;Null;;;{}',
weak => 'Demo;Demo;Null;;;{}'
},
vhostOptions => {
'test1.example.com' => {
vhostAuthnLevel => 3
},
locationRules => {
'test1.example.com' => {
default => 'accept',
},
},
}
}
}
);
use Lemonldap::NG::Portal::Main::Constants 'PE_USERNOTFOUND';
## Simple access
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Portal', );
my ( $host, $url, $query ) =
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
my $request = '';
ok(
$res = $client->_post(
'/finduser', IO::String->new($request),
accept => 'text/html',
length => length($request)
),
'Post empty FindUser request'
);
( $host, $url, $query ) =
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
( $host, $url, $query ) = expectForm( $res, '#', undef, 'uid' );
ok(
$res->[2]->[0] =~
m%<input id="spoofIdfield" name="spoofId" type="text" class="form-control" value="" autocomplete="off"%,
'value=""'
) or explain( $res->[2]->[0], 'value=""' );
ok(
$res->[2]->[0] =~
m%<input id="findUser_uid" name="uid" type="text" autocomplete="off" class="form-control" placeholder="User" />%,
'id="findUser_uid"'
) or explain( $res->[2]->[0], 'id="findUser_uid"' );
# Try to authenticate
# -------------------
ok(
$res = $client->_post(
'/',
IO::String->new('user=dwho&password=dwho&lmAuth=weak'),
length => 35,
accept => 'text/html',
),
'Auth query'
);
my $id = expectCookie($res);
# Portal IS NOT a handler
#########################
ok(
$res = $client->_get(
'/',
accept => 'text/html',
cookie => "lemonldap=$id",
host => 'test1.example.com',
),
'GET http://test1.example.com/'
);
expectOK($res);
# After attempting to access test1,
# the handler sends up back to /upgradesession
# --------------------------------------------
ok(
$res = $client->_get(
'/upgradesession',
query => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t',
accept => 'text/html',
cookie => "lemonldap=$id",
),
'Upgrade session query'
);
( $host, $url, $query ) =
expectForm( $res, undef, '/upgradesession', 'confirm', 'url' );
# Accept session upgrade
# ----------------------
ok(
$res = $client->_post(
'/upgradesession',
IO::String->new($query),
length => length($query),
accept => 'text/html',
cookie => "lemonldap=$id",
),
'Accept session upgrade query'
);
my $pdata = expectCookie( $res, 'lemonldappdata' );
( $host, $url, $query ) = expectForm( $res, '#', undef, 'upgrading', 'url' );
$request = 'uid=rt*';
ok(
$res = $client->_post(
'/finduser',
IO::String->new($request),
length => length($request),
cookie => "lemonldap=$id;lemonldappdata=$pdata",
custom => {
REMOTE_USER => 'dwho',
},
),
'Post FindUser request'
);
ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
or print STDERR "$@\n" . Dumper($res);
ok( $json->{result} == 1, ' Good result' )
or explain( $json, 'result => 1' );
ok( $json->{user} eq 'rtyler', ' Good user' )
or explain( $json, "user => 'rtyler'" );
# Attempt login
$query = $query . "&spoofId=rtyler&lmAuth=strong";
ok(
$res = $client->_post(
'/upgradesession',
IO::String->new($query),
length => length($query),
accept => 'text/html',
cookie => "lemonldap=$id;lemonldappdata=$pdata",
custom => {
REMOTE_USER => 'dwho',
},
),
'Post login'
);
$pdata = expectCookie( $res, 'lemonldappdata' );
$id = expectCookie($res);
expectRedirection( $res, 'http://test1.example.com' );
ok(
$res = $client->_get(
'/',
accept => 'text/html',
cookie => "lemonldap=$id;lemonldappdata=$pdata",
),
'Post login'
);
expectOK($res);
expectAuthenticatedAs( $res, 'rtyler' );
count($maintests);
done_testing( count() );
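Review bot: The new test only covers the positive path — `uid=rt*` is searched with the `lemonldappdata` cookie from an accepted upgrade and `rtyler` comes back — but there is no negative case showing that the same POST to `/finduser` on the authenticated route is refused when the session is not upgrading (for example the `dwho` session right after the first login, sent with `cookie => "lemonldap=$id"` and no `lemonldappdata`), which is the property that keeps the new route from becoming an account-enumeration endpoint for every logged-in user. I would add that request before the upgrade flow and assert that no `user` is returned, using whatever refusal `provideUser` produces for a non-upgrading session. Two smaller points: the file has `use strict` but no `use warnings`, and `Dumper($res)` at the JSON check is used without a visible `use Data::Dumper`, so it presumably comes from `t/test-lib.pm` — worth confirming.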


@ -9,7 +9,6 @@ my $maintests = 6;
my $res;
my $json;
my $request;
my $client = LLNG::Manager::Test->new( {
ini => {
logLevel => 'error',
@ -35,7 +34,7 @@ ok(
m%<span trspan="searchAccount">Search for an account</span>%,
'Search an account not found'
) or explain( $res->[2]->[0], 'Found search for an account' );
$request = 'uid=dwho';
my $request = 'uid=dwho';
ok(
$res = $client->_post(
'/finduser', IO::String->new($request),


@ -9,7 +9,6 @@ my $maintests = 6;
my $res;
my $json;
my $request;
my $client = LLNG::Manager::Test->new( {
ini => {
logLevel => 'error',
@ -34,7 +33,7 @@ ok(
m%<span trspan="searchAccount">Search for an account</span>%,
'Search an account not found'
) or explain( $res->[2]->[0], 'Found search for an account' );
$request = 'uid=dwho';
my $request = 'uid=dwho';
ok(
$res = $client->_post(
'/finduser', IO::String->new($request),