Replace lmLog by logger-> (#857)

This commit is contained in:
Xavier Guimard 2017-02-15 06:41:50 +00:00
parent b7d4dac6ea
commit deb28bc9cb
124 changed files with 1619 additions and 7175 deletions


@ -35,6 +35,7 @@ lib/Lemonldap/NG/Common/Crypto.pm
lib/Lemonldap/NG/Common/FormEncode.pm
lib/Lemonldap/NG/Common/Logger/Apache2.pm
lib/Lemonldap/NG/Common/Logger/Std.pm
lib/Lemonldap/NG/Common/Logger/Syslog.pm
lib/Lemonldap/NG/Common/Module.pm
lib/Lemonldap/NG/Common/Notifications.pm
lib/Lemonldap/NG/Common/Notifications/DBI.pm


@ -173,7 +173,7 @@ sub getConf {
unless ( ref( $self->{refLocalStorage} ) ) {
$msg .= "Get remote configuration (localStorage unavailable).\n";
$r = $self->getDBConf($args);
return undef unless ($r->{cfgNum});
return undef unless ( $r->{cfgNum} );
$self->setDefault( $r, $args->{localPrm} );
$self->compactConf($r);
}


@ -96,14 +96,14 @@ sub store {
sub load {
my ( $self, $cfgNum, $fields ) = @_;
my ($f,$filename);
my ( $f, $filename );
if ( -e $self->_file($cfgNum) ) {
$filename = $self->_file($cfgNum);
}
elsif ( -e "$self->{dirName}/lmConf-$cfgNum.js" ) {
$filename = "$self->{dirName}/lmConf-$cfgNum.js";
}
if($filename) {
if ($filename) {
local $/ = '';
my $ret;
unless ( open FILE, $filename ) {


@ -18,7 +18,7 @@ sub compactConf {
$keep{$mod} = 1;
}
if ( $keep{combination} ) {
foreach my $md (keys %{$conf->{combModules}}) {
foreach my $md ( keys %{ $conf->{combModules} } ) {
$_ = $conf->{combModules}->{$md}->{type};
s/^(\w+).*$/lc($1)/e;
s/OpenIDConnect/oidc/i;
@ -35,7 +35,7 @@ sub compactConf {
}
}
}
foreach my $key (keys %$authParameters) {
foreach my $key ( keys %$authParameters ) {
my $mod = $key;
$mod =~ s/Params$//;
unless ( $keep{$mod} ) {


@ -28,14 +28,14 @@ extends 'Lemonldap::NG::Common::Conf::AccessLib';
#@return keyvalue (string, int or hashref)
sub getConfKey {
my ( $self, $req, $key, @args ) = @_;
$self->lmLog( "Search for $key in conf", 'debug' );
$self->logger->debug("Search for $key in conf");
# Verify that cfgNum has been asked
unless ( defined $req->params('cfgNum') ) {
$req->error("Missing configuration number");
return undef;
}
$self->lmLog( "Cfgnum set to " . $req->params('cfgNum'), 'debug' );
$self->logger->debug( "Cfgnum set to " . $req->params('cfgNum') );
# when 'latest' => replace by last cfgNum
if ( $req->params('cfgNum') eq 'latest' ) {
@ -117,7 +117,7 @@ sub getConfByNum {
#@return PSGI JSON response
sub complexNodesRoot {
my ( $self, $req, $query, $tpl ) = @_;
$self->lmLog( "Query for $query template keys", 'debug' );
$self->logger->debug("Query for $query template keys");
my $tmp = $self->getConfKey( $req, $query );
return $self->sendError( $req, undef, 400 ) if ( $req->error );
@ -170,7 +170,7 @@ sub virtualHosts {
my ( $id, $resp ) = ( 1, [] );
my $vhk = eval { $self->getConfKey( $req, $query )->{$vh} } // {};
return $self->sendError( $req, undef, 400 ) if ( $req->error );
$self->lmLog( "Query for $vh/$query keys", 'debug' );
$self->logger->debug("Query for $vh/$query keys");
# Keys are ordered except 'default' which must be at the end
foreach my $r (
@ -210,7 +210,7 @@ sub virtualHosts {
return $self->sendJSONresponse( $req, $resp );
}
elsif ( $query =~ /^vhost(?:(?:Aliase|Http)s|Maintenance|Port|Type)$/ ) {
$self->lmLog( "Query for $vh/$query key", 'debug' );
$self->logger->debug("Query for $vh/$query key");
# TODO: verify how this is done actually
my $k1 = $self->getConfKey( $req, 'vhostOptions' );
@ -593,14 +593,14 @@ sub combModules {
foreach my $mod ( keys %$val ) {
my $tmp;
$tmp->{title} = $mod;
$tmp->{id} = "combModules/$mod";
$tmp->{type} = 'cmbModule';
$tmp->{id} = "combModules/$mod";
$tmp->{type} = 'cmbModule';
$tmp->{data}->{$_} = $val->{$mod}->{$_} foreach (qw(type for));
my $over = $val->{$mod}->{over} // {};
$tmp->{data}->{over} = [ map { [ $_, $over->{$_} ] } keys %$over ];
push @$res, $tmp;
}
return $self->sendJSONresponse($req,$res);
return $self->sendJSONresponse( $req, $res );
}
# 33 - Root queries


@ -2,7 +2,7 @@ package Lemonldap::NG::Common::Logger::Apache2;
use Apache2::ServerRec;
sub new{
sub new {
return bless {}, shift;
}
@ -10,6 +10,6 @@ sub AUTOLOAD {
shift;
$AUTOLOAD =~ s/.*:://;
return Apache2::ServerRec->log->$AUTOLOAD(@_);
};
}
1;
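Review bot: AUTOLOAD has no DESTROY guard, so when an object returned by `new` goes out of scope Perl resolves DESTROY through AUTOLOAD and the method forwards `DESTROY` to `Apache2::ServerRec->log`, which is at best a spurious call and at worst a die during global destruction. Add `sub DESTROY { }` next to `new`, or `return if $AUTOLOAD =~ /::DESTROY$/;` before the substitution that strips the package name. `Apache2::ServerRec->log` is also invoked as a class method; mod_perl's log accessor is normally called on a server object (`Apache2::ServerUtil->server->log`), which is worth confirming against the module's tests. The `sub AUTOLOAD {` line itself sits in the hunk header, outside the hunk.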


@ -22,7 +22,7 @@ sub new {
$name = 'warning' if ( $_ eq 'warn' );
$name = 'err' if ( $_ eq 'error' );
eval qq'sub $_ {syslog("$name|".\$_[0]->{facility},\$_[1])}';
die $@ if($@);
die $@ if ($@);
}
else {
eval qq'sub $_ {1}';


@ -5,16 +5,14 @@ use Mouse;
our $VERSION = '2.0.0';
# Object that provides lmLog and error methods (typically PSGI object)
# Object that provides loggers and error methods (typically PSGI object)
has p => ( is => 'rw', weak_ref => 1 );
# Lemonldap::NG configuration hash ref
has conf => ( is => 'rw', weak_ref => 1 );
sub lmLog {
my $self = shift;
return $self->p->lmLog(@_);
}
has logger => ( is => 'ro', default => sub { $_[0]->{p}->logger } );
has userLogger => ( is => 'ro', default => sub { $_[0]->{p}->userLogger } );
sub error {
my $self = shift;
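Review bot: The new `logger` and `userLogger` attributes are not lazy, so as far as I can tell Mouse evaluates `$_[0]->{p}->logger` during construction and any Module built without `p` (or given `p` later through its `rw` accessor) now dies with "Can't call method "logger" on an undefined value", where the old `lmLog` delegation only failed at the first log call. Marking them lazy keeps the previous behaviour: `has logger => ( is => 'ro', lazy => 1, default => sub { $_[0]->p->logger } );` and the same for `userLogger`. Using the `p` accessor instead of `$_[0]->{p}` also avoids bypassing the declared attribute. `error` continues outside the hunk.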


@ -14,9 +14,10 @@ use Encode;
our $VERSION = '2.0.0';
extends 'Lemonldap::NG::Common::Notifications';
sub import {
shift;
return Lemonldap::NG::Common::Notifications->import(@_)
return Lemonldap::NG::Common::Notifications->import(@_);
}
has dbiTable => (
@ -32,7 +33,7 @@ has dbiChain => (
has dbiUser => (
is => 'ro',
default => sub {
$_[0]->{p}->lmLog( 'Warning: "dbiUser" parameter is not set', 'warn' );
$_[0]->{p}->logger->warn('Warning: "dbiUser" parameter is not set');
return '';
}
);
@ -49,7 +50,7 @@ has _dbh => (
$self->{dbiChain}, $self->{dbiUser},
$self->{dbiPassword}, { RaiseError => 0 }
);
$self->lmLog( $DBI::errstr, 'error' ) unless ($r);
$self->logger->error($DBI::errstr) unless ($r);
return $r;
}
);
@ -83,7 +84,7 @@ sub get {
&getIdentifier( $self, $h->{uid}, $h->{ref}, $h->{date} );
$result->{$identifier} = $xml;
}
$self->lmLog( $self->sth->err(), 'warn' ) if ( $self->sth->err() );
$self->logger->warn( $self->sth->err() ) if ( $self->sth->err() );
return $result;
}
@ -104,7 +105,7 @@ sub getAll {
condition => $h->{condition}
};
}
$self->lmLog( $self->sth->err(), 'warn' ) if ( $self->sth->err() );
$self->logger->warn( $self->sth->err() ) if ( $self->sth->err() );
return $result;
}
@ -115,7 +116,7 @@ sub delete {
my ( $self, $myref ) = @_;
my ( $d, $u, $r );
unless ( ( $d, $u, $r ) = ( $myref =~ /^([^#]+)#(.+?)#(.+)$/ ) ) {
$self->lmLog( "Bad reference $myref", 'warn' );
$self->logger->warn("Bad reference $myref");
return 0;
}
my @ts = localtime();
@ -136,7 +137,7 @@ sub purge {
my ( $self, $myref, $force ) = @_;
my ( $d, $u, $r );
unless ( ( $d, $u, $r ) = ( $myref =~ /^([^#]+)#(.+?)#(.+)$/ ) ) {
$self->lmLog( "Bad reference $myref", 'warn' );
$self->logger->warn("Bad reference $myref");
return 0;
}
@ -186,7 +187,7 @@ sub getDone {
$result->{"$h->{date}#$h->{uid}#$h->{ref}"} =
{ notified => $done, uid => $h->{uid}, ref => $h->{ref}, };
}
$self->lmLog( $self->sth->err(), 'warn' ) if ( $self->sth->err() );
$self->logger->warn( $self->sth->err() ) if ( $self->sth->err() );
return $result;
}
@ -197,12 +198,12 @@ sub _execute {
my ( $self, $query, @args ) = @_;
my $dbh = $self->_dbh or return 0;
unless ( $self->sth( $dbh->prepare($query) ) ) {
$self->lmLog( $dbh->errstr(), 'warn' );
$self->logger->warn( $dbh->errstr() );
return 0;
}
my $tmp;
unless ( $tmp = $self->sth->execute(@args) ) {
$self->lmLog( $self->sth->errstr(), 'warn' );
$self->logger->warn( $self->sth->errstr() );
return 0;
}
return $tmp;
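Review bot: In the `get`, `getAll` and `getDone` hunks the new `$self->logger->warn( $self->sth->err() )` logs `err()`, which in DBI is the native numeric error code, while the `_execute` hunk logs `errstr()`; the warning for a failed fetch therefore carries only a number. Use `$self->logger->warn( $self->sth->errstr() ) if ( $self->sth->err() );` in those three places so all four agree. Separately, the `dbiUser` default reaches the logger through `$_[0]->{p}->logger`, whereas the LDAP backend in this commit uses the `p` accessor (`$_[0]->p->logger`); picking the accessor form in both keeps attribute access in one place. Each of those subs opens outside its hunk.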


@ -48,8 +48,8 @@ sub get {
my $files;
foreach my $file (@notif) {
unless ( open F, $self->{dirName} . "/$file" ) {
$self->lmLog( "Unable to read notification $self->{dirName}/$file",
'error' );
$self->logger->error(
"Unable to read notification $self->{dirName}/$file");
next;
}
$files->{$file} = join( '', <F> );
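Review bot: The new error line drops the reason for the failure; `$!` is set by the failed `open` on the line above and costs nothing to include: `$self->logger->error("Unable to read notification $self->{dirName}/$file: $!");`. The `open F, $self->{dirName} . "/$file"` it reports on is two-argument with a bareword handle, so a `$file` entry beginning with `>`, `|` or whitespace would be read as a mode; where `@notif` comes from is outside the hunk, but `open my $fh, '<', "$self->{dirName}/$file"` together with `join( '', <$fh> )` removes the question entirely. `get` begins and ends outside the hunk.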


@ -9,7 +9,7 @@ sub newNotification {
my $json;
eval { $json = from_json($jsonString) };
if ( my $err = $@ ) {
eval { $self->lmLog( "Unable to decode JSON file: $err", 'error' ) };
eval { $self->logger->error("Unable to decode JSON file: $err") };
return 0;
}
my @notifs;
@ -21,7 +21,7 @@ sub newNotification {
foreach (qw(date uid reference)) {
my $tmp;
unless ( $tmp = $notif->{$_} ) {
$self->lmLog( "Attribute $_ is missing", 'error' );
$self->logger->error("Attribute $_ is missing");
return 0;
}
push @datas, $tmp;
@ -44,16 +44,14 @@ sub deleteNotification {
# Check input parameters
unless ( $uid and $myref ) {
$self->lmLog(
'REST service "delete notification" called without all parameters',
'error'
$self->userLogger->error(
'REST service "delete notification" called without all parameters'
);
return 0;
}
$self->lmLog(
"REST service deleteNotification called for uid $uid and reference $myref",
'debug'
$self->logger->debug(
"REST service deleteNotification called for uid $uid and reference $myref"
);
# Get notifications
@ -79,7 +77,7 @@ sub deleteNotification {
# Delete the notification (really)
foreach (@data) {
if ( $self->purge( $_, 1 ) ) {
$self->lmLog( "Notification $_ was removed.", 'debug' );
$self->logger->debug("Notification $_ was removed.");
$count++;
}
}


@ -16,9 +16,10 @@ use utf8;
our $VERSION = '2.0.0';
extends 'Lemonldap::NG::Common::Notifications';
sub import {
shift;
return Lemonldap::NG::Common::Notifications->import(@_)
return Lemonldap::NG::Common::Notifications->import(@_);
}
has ldapServer => (
@ -38,7 +39,7 @@ has ldapConfBase => (
has ldapBindDN => (
is => 'ro',
default => sub {
$_[0]->p->lmLog( 'Warning: "ldapBindDN" parameter is not set', 'warn' );
$_[0]->p->logger->warn('Warning: "ldapBindDN" parameter is not set');
return '';
}
);
@ -69,7 +70,7 @@ sub get {
my $identifier =
&getIdentifier( $self, $f->{uid}, $f->{ref}, $f->{date} );
$result->{$identifier} = "$xml";
$self->lmLog( "notification $identifier found", 'info' );
$self->logger->info("notification $identifier found");
}
return $result;
@ -113,7 +114,7 @@ sub delete {
my ( $self, $myref ) = @_;
my ( $d, $u, $r );
unless ( ( $d, $u, $r ) = ( $myref =~ /^([^#]+)#(.+?)#(.+)$/ ) ) {
$self->lmLog( "Bad reference $myref", 'warn' );
$self->logger->warn("Bad reference $myref");
return 0;
}
my @ts = localtime();
@ -140,7 +141,7 @@ sub purge {
my ( $self, $myref, $force ) = @_;
my ( $d, $u, $r );
unless ( ( $d, $u, $r ) = ( $myref =~ /^([^#]+)#(.+?)#(.+)$/ ) ) {
$self->lmLog( "Bad reference $myref", 'warn' );
$self->logger->warn("Bad reference $myref");
return 0;
}
@ -235,7 +236,7 @@ sub _search {
);
if ( $search->code ) {
$self->lmLog( "search error: " . $search->error(), 'error' );
$self->logger->error( "search error: " . $search->error() );
return ();
}
@ -385,7 +386,7 @@ sub _ldap {
);
unless ($ldap) {
$self->lmLog( 'connexion failed: ' . $@, 'error' );
$self->logger->error( 'connexion failed: ' . $@ );
return;
}
@ -396,7 +397,7 @@ sub _ldap {
$h{capath} = $self->{caPath} if ( $self->{caPath} );
my $start_tls = $ldap->start_tls(%h);
if ( $start_tls->code ) {
$self->lmLog( 'tls failed: ' . $start_tls->error, 'error' );
$self->logger->error( 'tls failed: ' . $start_tls->error );
return;
}
}
@ -405,7 +406,7 @@ sub _ldap {
my $bind =
$ldap->bind( $self->{ldapBindDN}, password => $self->{ldapBindPassword} );
if ( $bind->code ) {
$self->lmLog( 'bind failed: ' . $bind->error, 'error' );
$self->logger->error( 'bind failed: ' . $bind->error );
return;
}


@ -19,7 +19,7 @@ sub newNotification {
my ( $self, $xml ) = @_;
eval { $xml = $self->parser->parse_string($xml) };
if ( my $err = $@ ) {
eval { $self->lmLog( "Unable to read XML file : $err", 'error' ) };
eval { $self->logger->error("Unable to read XML file : $err") };
return 0;
}
my @notifs;
@ -33,7 +33,7 @@ sub newNotification {
foreach (qw(date uid reference)) {
my $tmp;
unless ( $tmp = $notif->getAttribute($_) ) {
$self->lmLog( "Attribute $_ is missing", 'error' );
$self->logger->error("Attribute $_ is missing");
return 0;
}
push @datas, $tmp;
@ -75,15 +75,13 @@ sub deleteNotification {
# Check input parameters
unless ( $uid and $myref ) {
$self->lmLog(
"SOAP service deleteNotification called without all parameters",
'error' );
$self->userLogger->error(
"SOAP service deleteNotification called without all parameters");
return 0;
}
$self->lmLog(
"SOAP service deleteNotification called for uid $uid and reference $myref",
'debug'
$self->logger->debug(
"SOAP service deleteNotification called for uid $uid and reference $myref"
);
# Get notifications
@ -111,7 +109,7 @@ sub deleteNotification {
# Delete the notification (really)
foreach (@data) {
if ( $self->purge( $_, 1 ) ) {
$self->lmLog( "Notification $_ was removed.", 'debug' );
$self->logger->debug("Notification $_ was removed.");
$count++;
}
}


@ -186,7 +186,7 @@ body{background:#000;color:#fff;padding:10px 50px;font-family:sans-serif;}a{text
sub abort {
my ( $self, $err ) = @_;
$self->lmLog( $err, 'error' );
$self->logger->error($err);
return sub {
$self->sendError( Lemonldap::NG::Common::PSGI::Request->new( $_[0] ),
$err, 500 );
@ -233,7 +233,7 @@ sub sendHtml {
return $self->sendError( $req, "Unable to read $template", 500 )
unless ( -r $template and -f $template );
eval {
$self->lmLog( "Starting HTML generation using $template", 'debug' );
$self->logger->debug("Starting HTML generation using $template");
require HTML::Template;
$htpl = HTML::Template->new(
filehandle => IO::File->new($template),
@ -263,7 +263,7 @@ sub sendHtml {
# Set headers
my $hdrs = [ 'Content-Type' => 'text/html', @{ $args{headers} } ];
$self->lmLog( "Sending $template", 'debug' );
$self->logger->debug("Sending $template");
return [ $args{code}, $hdrs, [ $htpl->output() ] ];
}
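Review bot: `abort` now logs `$err` and still hands the same string to `sendError( ..., $err, 500 )`, so whatever internal detail a caller puts in `$err` (configuration messages, template paths as in `sendHtml` below) reaches the client in the 500 response as well as the log. Since the full text is now recorded server-side, the response could carry a generic message instead, e.g. `$err, 500` replaced by `'Server error', 500`; how `sendError` renders its message argument is outside the hunk, so confirm that before changing it. `abort` and `sendHtml` both extend beyond their hunks.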


@ -37,8 +37,8 @@ sub new {
sub uri { $_[0]->{uri} }
sub userData {
my($self,$v)=@_;
return $_[0]->{userData} = $v if($v);
my ( $self, $v ) = @_;
return $_[0]->{userData} = $v if ($v);
return $_[0]->{userData} || { _whatToTrace => $_[0]->user, };
}


@ -22,7 +22,7 @@ sub addRoute {
my ( $self, $word, $dest, $methods, $transform ) = (@_);
$methods ||= [qw(GET POST PUT DELETE)];
foreach my $method (@$methods) {
$self->lmLog( "Add $method route:", 'debug' );
$self->logger->debug("Add $method route:");
$self->genRoute( $self->routes->{$method}, $word, $dest, $transform );
}
return $self;
@ -51,7 +51,7 @@ sub genRoute {
}
if ( $dest =~ /^(.+)\.html$/ ) {
my $tpl = $1 or die;
$self->lmLog( "route $dest will use $tpl", 'debug' );
$self->logger->debug("route $dest will use $tpl");
$routes->{$word} = sub { $self->sendHtml( $_[1], $tpl ) };
return;
}
@ -85,7 +85,7 @@ sub genRoute {
else {
die "$dest() isn't a method";
}
$self->lmLog( "route $word added", 'debug' );
$self->logger->debug("route $word added");
}
}
@ -121,7 +121,7 @@ sub handler {
$last = 1 if ( $_ =~ /[^\.\w]/ );
( $last or /^$/ ? 0 : 1 );
} split /\//, $req->path();
$self->lmLog( "Start routing " . ( $path[0] // 'default route' ), 'debug' );
$self->logger->debug( "Start routing " . ( $path[0] // 'default route' ) );
if ( !@path and $self->defaultRoute ) {
@path = ( $self->defaultRoute );


@ -125,8 +125,7 @@ sub _tie_session {
eval {
# SOAP session module must be directly tied
if ( $self->storageModule =~
/^Lemonldap::NG::Common::Apache::Session/ )
if ( $self->storageModule =~ /^Lemonldap::NG::Common::Apache::Session/ )
{
tie %h, $self->storageModule, $self->id,
{ %{ $self->options }, %$options };


@ -59,7 +59,7 @@ ok(
'if(0) then [A,B] else [A,B] and [B,C]' );
while ( my $expr = shift @tests ) {
ok( [getok($expr)]->[0] == 0, qq{"$expr" returns PE_OK as auth result} )
ok( [ getok($expr) ]->[0] == 0, qq{"$expr" returns PE_OK as auth result} )
or print STDERR "Expect 0, get " . getok($expr) . "\n";
}


@ -36,7 +36,6 @@ eval { require threads::shared; };
our $request; # Apache2::RequestRec object for current request
#*run = \&Lemonldap::NG::Handler::Main::run;
## @rmethod protected int redirectFilter(string url, Apache2::Filter f)


@ -74,7 +74,7 @@ sub createSession {
my $creds = $class->header_in('Authorization');
$creds =~ s/^Basic\s+//;
my ( $user, $pwd ) = ( decode_base64($creds) =~ /^(.*?):(.*)$/ );
$class->lmLog( "AuthBasic authentication for user: $user", 'debug' );
$class->logger->debug("AuthBasic authentication for user: $user");
my $soapRequest = $soapClient->getCookies( $user, $pwd, $id );
# Catch SOAP errors
@ -87,11 +87,8 @@ sub createSession {
# If authentication failed, display error
if ( $res->{errorCode} ) {
$class->lmLog(
"Authentication failed for $user: "
. $soapClient->error( $res->{errorCode}, 'en' )->result(),
'notice'
);
$class->userLogger->notice( "Authentication failed for $user: "
. $soapClient->error( $res->{errorCode}, 'en' )->result() );
return 0;
}
else {
@ -104,7 +101,7 @@ sub createSession {
# Hide user credentials to the protected application
sub hideCookie {
my $class = shift;
$class->lmLog( "removing Authorization header", 'debug' );
$class->logger->debug("removing Authorization header");
$class->unset_header_in('Authorization');
}
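Review bot: `$user` comes straight out of the decoded Authorization header (the lines above the first logger call) and is interpolated verbatim into the new debug and `userLogger->notice` messages, so a client controls part of the log line, including newlines and `%` sequences. That matters for the Syslog backend touched elsewhere in this commit (Logger/Syslog.pm), whose generated methods pass the message as the `syslog()` format argument, where Sys::Syslog interprets `%m` and other directives; passing a fixed format there, `eval qq'sub $_ {syslog("$name|".\$_[0]->{facility},"%s",\$_[1])}';`, fixes every caller at once. If the header has no `:` the regex leaves `$user` undef and the interpolation warns; `return 0 unless defined $user;` before the debug line covers that. `createSession` begins and ends outside the hunk.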


@ -45,7 +45,7 @@ sub _run {
# Override _run() only if protection != 'none'
if ( !$self->rule or $self->rule ne 'none' ) {
$self->lmLog( 'PSGI app is protected', 'debug' );
$self->logger->debug('PSGI app is protected');
# Handle requests
# Developers, be careful: Only this part is executed at each request
@ -56,13 +56,13 @@ sub _run {
}
else {
$self->lmLog( 'PSGI app is not protected', 'debug' );
$self->logger->debug('PSGI app is not protected');
# Check if main handler initialization has been done
unless ( $self->api->tsv ) {
$self->lmLog( 'Checking conf', 'debug' );
$self->logger->debug('Checking conf');
eval { $self->api->checkConf() };
$self->lmLog( $@, 'error' ) if ($@);
$self->logger->error($@) if ($@);
}
# Handle unprotected requests
@ -83,7 +83,7 @@ sub status {
# Check if main handler initialization has been done
unless ( %$self->api->tsv ) {
eval { $self->api->checkConf() };
$self->lmLog( $@, 'error' ) if ($@);
$self->logger->error($@) if ($@);
}
return sub {
my $req = Lemonldap::NG::Common::PSGI::Request->new( $_[0] );
@ -100,7 +100,7 @@ sub reload {
# Check if main handler initialization has been done
unless ( %$self->api->tsv ) {
eval { $self->api->checkConf() };
$self->lmLog( $@, 'error' ) if ($@);
$self->logger->error($@) if ($@);
}
return sub {
my $req = Lemonldap::NG::Common::PSGI::Request->new( $_[0] );
@ -134,7 +134,7 @@ sub _authAndTrace {
return [ $res, $req->{respHeaders}, [] ];
}
else {
$self->lmLog( 'User authenticated, calling handler()', 'debug' );
$self->logger->debug('User authenticated, calling handler()');
$res = $self->handler($req);
push @{ $res->[1] }, @{ $req->{respHeaders} };
}
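Review bot: The `status` and `reload` hunks test `unless ( %$self->api->tsv )` while `_run` tests `unless ( $self->api->tsv )` a few lines earlier; the `%$self` form dereferences `$self` as a hash before the method arrow, so I would expect it to die or evaluate something other than the `tsv` check the first time it runs, and it looks like a typo the rewrite preserved. Suggest `unless ( $self->api->tsv ) {` in both places so the three initialization checks agree. Each of these subs starts outside its hunk.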


@ -56,30 +56,28 @@ sub run {
foreach (qw/secureTokenMemcachedServers secureTokenUrls/) {
no strict 'refs';
unless ( ref ${$_} eq "ARRAY" ) {
$class->lmLog( "Transform $_ value into an array reference",
'debug' );
$class->logger->debug("Transform $_ value into an array reference");
my @array = split( /\s+/, ${$_} );
${$_} = \@array;
}
}
# Display found values in debug mode
$class->lmLog( "secureTokenMemcachedServers: @$secureTokenMemcachedServers",
'debug' );
$class->lmLog( "secureTokenExpiration: $secureTokenExpiration", 'debug' );
$class->lmLog( "secureTokenAttribute: $secureTokenAttribute", 'debug' );
$class->lmLog( "secureTokenUrls: @$secureTokenUrls", 'debug' );
$class->lmLog( "secureTokenHeader: $secureTokenHeader", 'debug' );
$class->lmLog( "secureTokenAllowOnError: $secureTokenAllowOnError",
'debug' );
$class->logger->debug(
"secureTokenMemcachedServers: @$secureTokenMemcachedServers");
$class->logger->debug("secureTokenExpiration: $secureTokenExpiration");
$class->logger->debug("secureTokenAttribute: $secureTokenAttribute");
$class->logger->debug("secureTokenUrls: @$secureTokenUrls");
$class->logger->debug("secureTokenHeader: $secureTokenHeader");
$class->logger->debug("secureTokenAllowOnError: $secureTokenAllowOnError");
# Return if we are not on a secure token URL
my $checkurl = 0;
foreach (@$secureTokenUrls) {
if ( $uri =~ m#$_# ) {
$checkurl = 1;
$class->lmLog( "URL $uri detected as an Secure Token URL (rule $_)",
'debug' );
$class->logger->debug(
"URL $uri detected as an Secure Token URL (rule $_)");
last;
}
}
@ -138,7 +136,7 @@ sub _createMemcachedConnection {
'debug' => 0,
};
$class->lmLog( "Memcached connection created", 'debug' );
$class->logger->debug("Memcached connection created");
return $memd;
}
@ -162,7 +160,7 @@ sub _setToken {
return;
}
$class->lmLog( "Set $value in token $key", 'info' );
$class->logger->info("Set $value in token $key");
return $key;
}
@ -180,7 +178,7 @@ sub _deleteToken {
$class->( "Unable to delete secure token $key", 'error' );
}
else {
$class->lmLog( "Token $key deleted", 'info' );
$class->logger->info("Token $key deleted");
}
return $res;
@ -228,12 +226,12 @@ sub _returnError {
# Redirect or Forbidden?
if ( $class->tsv->{useRedirectOnError} ) {
$class->lmLog( "Use redirect for error", 'debug' );
$class->logger->debug("Use redirect for error");
return $class->goToPortal( '/', 'lmError=500' );
}
else {
$class->lmLog( "Return error", 'debug' );
$class->logger->debug("Return error");
return $class->SERVER_ERROR;
}
}
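Review bot: The `_deleteToken` hunk still contains `$class->( "Unable to delete secure token $key", 'error' );` on the failure branch, an old `lmLog` call whose method name was lost; `$class` is a package name, so the first failed memcached delete dies with "Not a CODE reference" instead of logging. It should become `$class->logger->error("Unable to delete secure token $key");` to match the `else` branch the commit rewrote. A sweep for `->\s*\(` would catch any other remnant the `lmLog` search missed. `_setToken` also logs the stored `$value` at info level; if that attribute carries anything sensitive it belongs at debug or should be omitted. `_deleteToken` starts outside the hunk.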


@ -157,7 +157,7 @@ sub run {
if ( my ( $cacheModule, $cacheOptions ) = ( $1, $2 ) ) {
eval "use $cacheModule;"
. "\$cache = new $cacheModule(\$cacheOptions);";
print STDERR "$@\n" if ($@); # TODO: use lmLog instead
print STDERR "$@\n" if ($@); # TODO: use logger instead
}
else {
$cache = undef;


@ -18,8 +18,8 @@ our $VERSION = '2.0.0';
# Overload main run method
sub run {
my($class,$req) = @_;
my $ret = $class->SUPER::run($req);
my ( $class, $req ) = @_;
my $ret = $class->SUPER::run($req);
# Continue only if user is authorized
return $ret unless ( $ret == $class->OK );
@ -37,19 +37,19 @@ sub run {
my $timeout = $localConfig->{'timeout'} || '0';
# Display found values in debug mode
$class->lmLog( "zimbraPreAuthKey: $zimbraPreAuthKey", 'debug' );
$class->lmLog( "zimbraAccountKey: $zimbraAccountKey", 'debug' );
$class->lmLog( "zimbraBy: $zimbraBy", 'debug' );
$class->lmLog( "zimbraUrl: $zimbraUrl", 'debug' );
$class->lmLog( "zimbraSsoUrl: $zimbraSsoUrl", 'debug' );
$class->lmLog( "timeout: $timeout", 'debug' );
$class->logger->debug("zimbraPreAuthKey: $zimbraPreAuthKey");
$class->logger->debug("zimbraAccountKey: $zimbraAccountKey");
$class->logger->debug("zimbraBy: $zimbraBy");
$class->logger->debug("zimbraUrl: $zimbraUrl");
$class->logger->debug("zimbraSsoUrl: $zimbraSsoUrl");
$class->logger->debug("timeout: $timeout");
# Return if we are not on a Zimbra SSO URI
return $class->OK unless ( $uri =~ $zimbraSsoUrl );
# Check mandatory parameters
unless ($zimbraPreAuthKey) {
$class->lmLog( "No Zimbra preauth key configured", 'error' );
$class->logger->error("No Zimbra preauth key configured");
return $class->SERVER_ERROR;
}
@ -88,15 +88,14 @@ sub _buildZimbraPreAuthUrl {
my $computed_value =
hmac_sha1_hex( "$account|$by|$expires|$timestamp", $key );
$class->lmLog(
"Compute value $account|$by|$expires|$timestamp into $computed_value",
'debug' );
$class->logger->debug(
"Compute value $account|$by|$expires|$timestamp into $computed_value");
# Build PreAuth URL
my $zimbra_url =
"$url?account=$account&by=$by&timestamp=$timestamp&expires=$expires&preauth=$computed_value";
$class->lmLog( "Build Zimbra URL: $zimbra_url", 'debug' );
$class->logger->debug("Build Zimbra URL: $zimbra_url");
return $zimbra_url;
}
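Review bot: The rewritten debug line in `run` still prints the Zimbra preauth secret: `"zimbraPreAuthKey: $zimbraPreAuthKey"` is, as far as the hunks show, the same key later passed to `hmac_sha1_hex` in `_buildZimbraPreAuthUrl`, so anyone who can read debug logs can forge preauth URLs. Log presence rather than the value: `$class->logger->debug( "zimbraPreAuthKey: " . ( $zimbraPreAuthKey ? 'set' : 'not set' ) );`. The `_buildZimbraPreAuthUrl` debug lines likewise record the computed preauth value and the full URL; those are short-lived but deserve the same treatment. Both subs extend outside their hunks.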


@ -38,7 +38,7 @@ sub build_jail {
$self->customFunctions ? split( /\s+/, $self->customFunctions ) : ();
foreach (@t) {
no warnings 'redefine';
$api->lmLog( "Custom function : $_", 'debug' );
$api->logger->debug("Custom function : $_");
my $sub = $_;
unless (/::/) {
$sub = "$self\::$_";
@ -51,7 +51,7 @@ sub build_jail {
my \$uri = $api\::uri_with_args();
return $sub(\$uri,\@_)
}";
$api->lmLog( $@, 'error' ) if ($@);
$api->logger->error($@) if ($@);
$_ = "&$_";
}
@ -149,7 +149,8 @@ sub jail_reval {
my $res;
eval {
$res = (
SAFEWRAP and $self->useSafeJail
SAFEWRAP
and $self->useSafeJail
? $self->jail->wrap_code_ref( $self->jail->reval($reval) )
: $self->jail->reval($reval)
);
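Review bot: In the `jail_reval` hunk the new line break makes the precedence visible: `and` binds looser than `?:`, so `SAFEWRAP and $self->useSafeJail ? wrap(...) : reval(...)` is `SAFEWRAP and ( ... ? ... : ... )`, and whenever `SAFEWRAP` is false `$res` receives that false value and the expression is never evaluated at all. If the intent is "wrap only when both hold", parenthesize the condition: `( SAFEWRAP and $self->useSafeJail )`. Whether `SAFEWRAP` can be false is decided where the constant is defined, outside the hunk. In `build_jail`, `$sub = "$self\::$_"` assumes `$self` stringifies to a package name; if it is ever an instance the generated name becomes `Class=HASH(...)::name`, so a check that `$self` is a class there would not hurt.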


@ -37,37 +37,32 @@ sub checkConf {
{ local => !$force, localPrm => $class->localConfig } );
unless ( ref($conf) ) {
$class->lmLog(
"$class: Unable to load configuration: $Lemonldap::NG::Common::Conf::msg",
'error'
$class->logger->error(
"$class: Unable to load configuration: $Lemonldap::NG::Common::Conf::msg"
);
return $force ? 0 : $class->cfgNum ? 1 : 0;
}
if ( !$class->cfgNum or $class->cfgNum != $conf->{cfgNum} ) {
$class->lmLog(
"Get configuration $conf->{cfgNum} ($Lemonldap::NG::Common::Conf::msg)",
'debug'
$class->logger->debug(
"Get configuration $conf->{cfgNum} ($Lemonldap::NG::Common::Conf::msg)"
);
$class->lastCheck( time() );
unless ( $class->cfgNum( $conf->{cfgNum} ) ) {
$class->lmLog( 'No configuration available', 'error' );
$class->logger->error('No configuration available');
return 0;
}
$class->configReload($conf);
}
$class->lmLog( "$class: configuration is up to date", 'debug' );
$class->logger->debug("$class: configuration is up to date");
foreach (@_onReload) {
my ( $obj, $sub ) = @$_;
if ($obj) {
$class->lmLog( 'Launching ' . ref($obj) . "->$sub(conf)", 'debug' );
$class->logger->debug( 'Launching ' . ref($obj) . "->$sub(conf)" );
unless ( $obj->$sub($conf) ) {
$class->lmLog(
"Underlying object can't load conf ("
$class->logger->error( "Underlying object can't load conf ("
. ref($obj)
. "->$sub)",
'error'
);
. "->$sub)" );
}
}
}
@ -83,7 +78,7 @@ sub checkConf {
# @return Apache constant ($class->OK or $class->SERVER_ERROR)
sub reload {
my $class = shift;
$class->lmLog( "Request for configuration reload", 'notice' );
$class->logger->notice("Request for configuration reload");
return $class->checkConf(1) ? $class->DONE : $class->SERVER_ERROR;
}
@ -150,15 +145,15 @@ sub reload {
# @param $tsv reference to the thread-shared parameters conf
sub configReload {
my ( $class, $conf ) = @_;
$class->lmLog( "Loading configuration $conf->{cfgNum} for process $$",
"info" );
$class->logger->info(
"Loading configuration $conf->{cfgNum} for process $$");
foreach my $sub (
qw( jailInit defaultValuesInit portalInit locationRulesInit
sessionStorageInit headersInit postUrlInit aliasInit )
)
{
$class->lmLog( "Process $$ calls $sub", "debug" );
$class->logger->debug("Process $$ calls $sub");
$class->$sub($conf);
}
return 1;
@ -211,8 +206,8 @@ sub defaultValuesInit {
# Keep default value if $val is negative
if ( defined $val and $val >= 0 ) {
$class->lmLog( "Options $opt for vhost $vhost: $val",
'debug' );
$class->logger->debug(
"Options $opt for vhost $vhost: $val");
$class->tsv->{$opt}->{$vhost} = $val;
}
}
@ -233,7 +228,7 @@ sub defaultValuesInit {
sub portalInit {
my ( $class, $conf ) = @_;
unless ( $conf->{portal} ) {
$class->lmLog( "portal parameter required", 'error' );
$class->logger->error("portal parameter required");
return 0;
}
if ( $conf->{portal} =~ /[\$\(&\|"']/ ) {
@ -267,11 +262,9 @@ sub locationRulesInit {
my ( $cond, $prot ) = $class->conditionSub( $rules->{$url} );
unless ($cond) {
$class->tsv->{maintenance}->{$vhost} = 1;
$class->lmLog(
$class->logger->error(
"Unable to build rule '$rules->{$url}': "
. $class->tsv->{jail}->error,
'error'
);
. $class->tsv->{jail}->error );
next;
}
@ -307,7 +300,7 @@ sub locationRulesInit {
sub sessionStorageInit {
my ( $class, $conf ) = @_;
unless ( $class->tsv->{sessionStorageModule} = $conf->{globalStorage} ) {
$class->lmLog( "globalStorage required", 'error' );
$class->logger->error("globalStorage required");
return 0;
}
eval "use " . $class->tsv->{sessionStorageModule};
@ -355,10 +348,8 @@ sub headersInit {
$class->buildSub($sub) )
{
$class->tsv->{maintenance}->{$vhost} = 1;
$class->lmLog(
"$class Unable to forge headers: " . $class->tsv->{jail}->error,
'error'
);
$class->logger->error( "$class Unable to forge headers: "
. $class->tsv->{jail}->error );
}
}
return 1;
@ -376,7 +367,7 @@ sub postUrlInit {
# Browse all POST URI
foreach my $url ( keys %{ $conf->{post}->{$vhost} } ) {
my $d = $conf->{post}->{$vhost}->{$url};
$class->lmLog( "Compiling POST data for $url", 'debug' );
$class->logger->debug("Compiling POST data for $url");
# Where to POST
$d->{target} ||= $url;
@ -392,11 +383,9 @@ sub postUrlInit {
$class->buildSub($sub) )
{
$class->tsv->{maintenance}->{$vhost} = 1;
$class->lmLog(
$class->logger->error(
"$class: Unable to build post datas: "
. $class->tsv->{jail}->error,
'error'
);
. $class->tsv->{jail}->error );
}
$class->tsv->{postFormParams}->{$vhost}->{$url} = $d;
@ -457,8 +446,8 @@ sub conditionSub {
if ( $cond =~ /^logout_app/i
and not $class->isa('Lemonldap::NG::Handler::ApacheMP2::Main') )
{
$class->lmLog( "Rules logout_app and logout_app_sso require Apache>=2",
'info' );
$class->logger->info(
"Rules logout_app and logout_app_sso require Apache>=2");
return ( sub { 1 }, 0 );
}
@ -509,11 +498,8 @@ sub conditionSub {
$cond = $class->substitute($cond);
my $sub;
unless ( $sub = $class->buildSub($cond) ) {
$class->lmLog(
"$class: Unable to build condition ($cond): "
. $class->tsv->{jail}->error,
'error'
);
$class->logger->error( "$class: Unable to build condition ($cond): "
. $class->tsv->{jail}->error );
}
# Return sub and protected flag
@ -530,7 +516,7 @@ sub aliasInit {
if ( my $aliases = $conf->{vhostOptions}->{$vhost}->{vhostAliases} ) {
foreach ( split /\s+/, $aliases ) {
$class->tsv->{vhostAlias}->{$_} = $vhost;
$class->lmLog( "Registering $_ as alias of $vhost", 'debug' );
$class->logger->debug("Registering $_ as alias of $vhost");
}
}
}
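Review bot: `sessionStorageInit` logs when `globalStorage` is missing but then hands the value straight to `eval "use " . ...` without checking that it looks like a package name or inspecting `$@` within the hunk, so a malformed value fails later with an error that no longer mentions the setting. `portalInit` in the same file already rejects shell-like characters in `portal`, so the same discipline fits here: `unless ( $class->tsv->{sessionStorageModule} =~ /^[\w:]+$/ ) { $class->logger->error("Invalid globalStorage module name"); return 0; }` before the eval, and `$class->logger->error( 'Unable to load ' . $class->tsv->{sessionStorageModule} . ": $@" ) if ($@);` after it. The rest of `sessionStorageInit` is outside the hunk, so `$@` may already be checked further down.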


@ -39,7 +39,7 @@ sub status {
# Return Handler::Lib::Status output
sub getStatus {
my ($class) = @_;
$class->lmLog( "Request for status", 'debug' );
$class->logger->debug("Request for status");
my $statusPipe = $class->tsv->{statusPipe};
my $statusOut = $class->tsv->{statusOut};
return $class->abort("$class: status page can not be displayed")
@ -90,12 +90,11 @@ sub run {
if ( $class->checkMaintenanceMode ) {
if ( $class->tsv->{useRedirectOnError} ) {
$class->lmLog( "Got to portal with maintenance error code",
'debug' );
$class->logger->debug("Go to portal with maintenance error code");
return $class->goToPortal( '/', 'lmError=' . $class->MAINTENANCE );
}
else {
$class->lmLog( "Return maintenance error code", 'debug' );
$class->logger->debug("Return maintenance error code");
return $class->MAINTENANCE;
}
}
@ -107,18 +106,16 @@ sub run {
and $uri =~ s/[\?&;]${cn}cda=(\w+)$//oi )
{
if ( $class->fetchId and $session = $class->retrieveSession($id) ) {
$class->lmLog(
'CDA asked for an already available session, skipping',
'info' );
$class->logger->info(
'CDA asked for an already available session, skipping');
}
else {
my $cdaid = $1;
$class->lmLog( "CDA request with id $cdaid", 'debug' );
$class->logger->debug("CDA request with id $cdaid");
my $cdaInfos = $class->getCDAInfos($cdaid);
unless ( $cdaInfos->{cookie_value} and $cdaInfos->{cookie_name} ) {
$class->lmLog( "CDA request for id $cdaid is not valid",
'error' );
$class->logger->error("CDA request for id $cdaid is not valid");
return $class->FORBIDDEN;
}
@ -151,7 +148,7 @@ sub run {
unless ( defined $protection );
if ( $protection == $class->SKIP ) {
$class->lmLog( "Access control skipped", 'debug' );
$class->logger->debug("Access control skipped");
$class->updateStatus('SKIP');
$class->hideCookie;
$class->cleanHeaders;
@ -182,7 +179,7 @@ sub run {
# Store local macros
if ( keys %$session > $kc ) {
$class->lmLog( "Update local cache", 'debug' );
$class->logger->debug("Update local cache");
$class->session->update( $session, { updateCache => 2 } );
}
@ -190,12 +187,9 @@ sub run {
$class->hideCookie;
# Log access granted
$class->lmLog(
"User "
$class->logger->debug( "User "
. $session->{ $class->tsv->{whatToTrace} }
. " was granted to access to $uri",
'debug'
);
. " was granted to access to $uri" );
# Catch POST rules
$class->postOutputFilter( $session, $uri );
@ -207,7 +201,7 @@ sub run {
elsif ( $protection == $class->UNPROTECT ) {
# Ignore unprotected URIs
$class->lmLog( "No valid session but unprotected access", 'debug' );
$class->logger->debug("No valid session but unprotected access");
$class->updateStatus('UNPROTECT');
$class->hideCookie;
$class->cleanHeaders;
@ -217,7 +211,7 @@ sub run {
else {
# Redirect user to the portal
$class->lmLog( "No cookie found", 'info' )
$class->logger->info("No cookie found")
unless ($id);
# if the cookie was fetched, a log is sent by retrieveSession()
@ -274,7 +268,7 @@ sub checkMaintenanceMode {
: $class->tsv->{maintenance}->{_};
if ($_maintenance) {
$class->lmLog( "Maintenance mode activated", 'debug' );
$class->logger->debug("Maintenance mode activated");
return 1;
}
return 0;
@ -292,23 +286,19 @@ sub grant {
$vhost ||= $class->resolveAlias;
for ( my $i = 0 ; $i < $class->tsv->{locationCount}->{$vhost} ; $i++ ) {
if ( $uri =~ $class->tsv->{locationRegexp}->{$vhost}->[$i] ) {
$class->lmLog(
'Regexp "'
$class->logger->debug( 'Regexp "'
. $class->tsv->{locationConditionText}->{$vhost}->[$i]
. '" match',
'debug'
);
. '" match' );
return $class->tsv->{locationCondition}->{$vhost}->[$i]->($session);
}
}
unless ( $class->tsv->{defaultCondition}->{$vhost} ) {
$class->lmLog(
"User rejected because VirtualHost \"$vhost\" has no configuration",
'warn'
$class->logger->warn(
"User rejected because VirtualHost \"$vhost\" has no configuration"
);
return 0;
}
$class->lmLog( "$vhost: Apply default rule", 'debug' );
$class->logger->debug("$vhost: Apply default rule");
return $class->tsv->{defaultCondition}->{$vhost}->($session);
}
@ -331,21 +321,18 @@ sub forbidden {
}
# Log forbidding
$class->lmLog(
"User "
$class->userLogger->notice( "User "
. $session->{ $class->tsv->{whatToTrace} }
. " was forbidden to access to $vhost$uri",
"notice"
);
. " was forbidden to access to $vhost$uri" );
$class->updateStatus( 'REJECT', $session->{ $class->tsv->{whatToTrace} } );
# Redirect or Forbidden?
if ( $class->tsv->{useRedirectOnForbidden} ) {
$class->lmLog( "Use redirect for forbidden access", 'debug' );
$class->logger->debug("Use redirect for forbidden access");
return $class->goToPortal( $uri, 'lmError=403' );
}
else {
$class->lmLog( "Return forbidden access", 'debug' );
$class->logger->debug("Return forbidden access");
return $class->FORBIDDEN;
}
}
@ -354,7 +341,7 @@ sub forbidden {
# Hide Lemonldap::NG cookie to the protected application.
sub hideCookie {
my $class = shift;
$class->lmLog( "removing cookie", 'debug' );
$class->logger->debug("removing cookie");
my $cookie = $class->header_in('Cookie');
my $cn = $class->tsv->{cookieName};
$cookie =~ s/$cn(http)?=[^,;]*[,;\s]*//og;
@ -384,9 +371,8 @@ sub goToPortal {
my ( $class, $url, $arg ) = @_;
my ( $ret, $msg );
my $urlc_init = $class->encodeUrl($url);
$class->lmLog(
"Redirect " . $class->remote_ip . " to portal (url was $url)",
'debug' );
$class->logger->debug(
"Redirect " . $class->remote_ip . " to portal (url was $url)" );
$class->set_header_out( 'Location' => $class->tsv->{portal}->()
. "?url=$urlc_init"
. ( $arg ? "&$arg" : "" ) );
@ -418,8 +404,8 @@ sub fetchId {
elsif ( $value =~ s/^c:// ) {
$value = $class->tsv->{cipher}->decrypt($value);
unless ( $value =~ s/^(.*)? (.*)$/$1/ and $2 eq $vhost ) {
$class->lmLog( "Bad CDA cookie: available for $2 instead od $vhost",
'error' );
$class->userLogger->error(
"Bad CDA cookie: available for $2 instead od $vhost");
return undef;
}
}
@ -439,7 +425,7 @@ sub retrieveSession {
and $id eq $class->datas->{_session_id}
and ( $now - $class->datasUpdate < 60 ) )
{
$class->lmLog( "Get session $id from Handler internal cache", 'debug' );
$class->logger->debug("Get session $id from Handler internal cache");
return $class->datas;
}
@ -461,7 +447,7 @@ sub retrieveSession {
$class->datas( $session->data );
$class->lmLog( "Get session $id", 'debug' );
$class->logger->debug("Get session $id");
# Verify that session is valid
if (
@ -472,7 +458,7 @@ sub retrieveSession {
$class->tsv->{timeoutActivity} )
)
{
$class->lmLog( "Session $id expired", 'info' );
$class->logger->info("Session $id expired");
# Clean cached data
$class->datas( {} );
@ -489,11 +475,11 @@ sub retrieveSession {
$class->session->update( { '_lastSeen' => $now } );
if ( $session->error ) {
$class->lmLog( "Cannot update session $id", 'error' );
$class->lmLog( $class->session->error, 'error' );
$class->logger->error("Cannot update session $id");
$class->logger->error( $class->session->error );
}
else {
$class->lmLog( "Update _lastSeen with $now", 'debug' );
$class->logger->debug("Update _lastSeen with $now");
}
}
@ -501,8 +487,8 @@ sub retrieveSession {
return $session->data;
}
else {
$class->lmLog( "Session $id can't be retrieved", 'info' );
$class->lmLog( $session->error, 'info' );
$class->logger->info("Session $id can't be retrieved");
$class->logger->info( $session->error );
return 0;
}
@ -528,7 +514,7 @@ sub getCDAInfos {
);
unless ( $cdaSession->error ) {
$class->lmLog( "Get CDA session $id", 'debug' );
$class->logger->debug("Get CDA session $id");
$infos->{cookie_value} = $cdaSession->data->{cookie_value};
$infos->{cookie_name} = $cdaSession->data->{cookie_name};
@ -536,8 +522,8 @@ sub getCDAInfos {
$cdaSession->remove;
}
else {
$class->lmLog( "CDA Session $id can't be retrieved", 'info' );
$class->lmLog( $cdaSession->error, 'info' );
$class->logger->info("CDA Session $id can't be retrieved");
$class->logger->info( $cdaSession->error );
}
return $infos;
@ -564,7 +550,7 @@ sub _buildUrl {
or ( !$_https && $portString == 80 )
) ? '' : ":$portString";
my $url = "http" . ( $_https ? "s" : "" ) . "://$vhost$portString$s";
$class->lmLog( "Build URL $url", 'debug' );
$class->logger->debug("Build URL $url");
return $url;
}
@ -595,10 +581,10 @@ sub sendHeaders {
my %headers = $class->tsv->{forgeHeaders}->{$vhost}->($session);
foreach my $h ( sort keys %headers ) {
if ( defined( my $v = $headers{$h} ) ) {
$class->lmLog( "Send header $h with value $v", 'debug' );
$class->logger->debug("Send header $h with value $v");
}
else {
$class->lmLog( "Send header $h with empty value", 'debug' );
$class->logger->debug("Send header $h with empty value");
}
}
$class->set_header_in(%headers);
@ -637,11 +623,11 @@ sub abort {
eval {
my $uri = $class->unparsed_uri;
$class->lmLog( $msg, 'error' );
$class->logger->error($msg);
# Redirect or die
if ( $class->tsv->{useRedirectOnError} ) {
$class->lmLog( "Use redirect for error", 'debug' );
$class->logger->debug("Use redirect for error");
return $class->goToPortal( $uri, 'lmError=500' );
}
else {
@ -655,7 +641,7 @@ sub abort {
# Delete current user from local cache entry.
sub localUnlog {
my ( $class, $id ) = @_;
$class->lmLog( 'Local handler logout', 'debug' );
$class->logger->debug('Local handler logout');
if ( $id //= $class->fetchId ) {
# Delete thread datas
@ -682,7 +668,7 @@ sub postOutputFilter {
my $vhost = $class->resolveAlias;
if ( defined( $class->tsv->{outputPostData}->{$vhost}->{$uri} ) ) {
$class->lmLog( "Filling a html form with fake data", "debug" );
$class->logger->debug("Filling a html form with fake data");
$class->unset_header_in("Accept-Encoding");
my %postdata =
@ -701,7 +687,7 @@ sub postInputFilter {
my $vhost = $class->resolveAlias;
if ( defined( $class->tsv->{inputPostData}->{$vhost}->{$uri} ) ) {
$class->lmLog( "Replacing fake data with real form data", "debug" );
$class->logger->debug("Replacing fake data with real form data");
my %data = $class->tsv->{inputPostData}->{$vhost}->{$uri}->($session);
foreach ( keys %data ) {


@ -9,10 +9,10 @@ extends 'Lemonldap::NG::Handler::Lib::PSGI', 'Lemonldap::NG::Common::PSGI';
our $VERSION = '2.0.0';
sub init {
my ($self,$args)=@_;
my ( $self, $args ) = @_;
$self->api('Lemonldap::NG::Handler::PSGI::Main') unless ( $self->api );
my $tmp = ( $self->Lemonldap::NG::Common::PSGI::init( $args )
and $self->Lemonldap::NG::Handler::Lib::PSGI::init( $args ) );
my $tmp = ( $self->Lemonldap::NG::Common::PSGI::init($args)
and $self->Lemonldap::NG::Handler::Lib::PSGI::init($args) );
return $tmp;
}


@ -14,7 +14,7 @@ use constant DONE => 0;
use constant SERVER_ERROR => 500;
use constant AUTH_REQUIRED => 401;
use constant MAINTENANCE => 503;
use constant defaultLogger => 'Lemonldap::NG::Common::Logger::Std';
use constant defaultLogger => 'Lemonldap::NG::Common::Logger::Std';
our $request;
@ -179,9 +179,8 @@ sub cgiName {
sub addToHtmlHead {
my $self = shift;
$self->lmLog(
'Features like form replay or logout_app can only be used with Apache',
'error'
$self->logger->error(
'Features like form replay or logout_app can only be used with Apache'
),
;
}
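Review bot: The rewritten addToHtmlHead call still ends with the leftover `),` followed by a bare `;` on its own line, so the new `$self->logger->error(...)` is followed by a dangling comma operator that adds nothing and reads as an editing remnant. Since this statement is the one being rewritten, it can be collapsed to `$self->logger->error('Features like form replay or logout_app can only be used with Apache');`. The method also has no explicit `return;`, so callers receive whatever the logger call returns; an explicit bare return would make the "log and do nothing" intent clear.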


@ -24,14 +24,14 @@ sub addRoute {
sub addAuthRoute {
my $self = shift;
$self->routes( $self->authRoutes );
$self->lmLog( 'Declaring auth route', 'debug' );
$self->logger->debug('Declaring auth route');
return $self->SUPER::addRoute(@_);
}
sub addUnauthRoute {
my $self = shift;
$self->routes( $self->unAuthRoutes );
$self->lmLog( 'Declaring unauth route', 'debug' );
$self->logger->debug('Declaring unauth route');
return $self->SUPER::addRoute(@_);
}
@ -60,9 +60,8 @@ sub _run {
}
else {
# Unset headers (handler adds a Location header)
$self->lmLog(
"User not authenticated, Try in use, cancel redirection",
'debug' );
$self->logger->debug(
"User not authenticated, Try in use, cancel redirection");
$req->userData( {} );
$req->respHeaders( [] );
$self->routes( $self->unAuthRoutes );


@ -28,7 +28,7 @@ sub _run {
my $self = shift;
return sub {
my $req = $_[0];
$self->lmLog( 'New request', 'debug' );
$self->logger->debug('New request');
my $res = $self->_authAndTrace(
Lemonldap::NG::Common::PSGI::Request->new($req) );


@ -55,7 +55,7 @@ my $h = 'Lemonldap::NG::Handler::Test';
ok( $h->init(), 'Initialize handler' );
ok( $h->checkType($apacheRequest) eq 'Main', 'Get Main type');
ok( $h->checkType($apacheRequest) eq 'Main', 'Get Main type' );
ok( $ret = $h->run($apacheRequest),
'run Handler with basic configuration and no cookie' );


@ -31,22 +31,28 @@ ok( ( defined($basic) ), 'basic extended function is defined' );
$sub = "sub { return ( encode_base64('test','') ) }";
my $code = $jail->jail_reval($sub);
ok( ( defined($code) and ref($code) eq 'CODE' ),
'encode_base64 function is defined' );
ok(
( defined($code) and ref($code) eq 'CODE' ),
'encode_base64 function is defined'
);
ok( $res = &$code, "Function works" );
ok( $res eq 'dGVzdA==', 'Get good result' );
$sub = "sub { return(checkDate('20000000000000','21000000000000')) }";
$sub = "sub { return(checkDate('20000000000000','21000000000000')) }";
$code = $jail->jail_reval($sub);
ok( ( defined($code) and ref($code) eq 'CODE' ),
'checkDate extended function is defined' );
ok(
( defined($code) and ref($code) eq 'CODE' ),
'checkDate extended function is defined'
);
ok( $res = &$code, "Function works" );
ok( $res == 1, 'Get good result' );
$sub = "sub { return (hostname()) }";
$sub = "sub { return (hostname()) }";
$code = $jail->jail_reval($sub);
ok( ( defined($code) and ref($code) eq 'CODE' ),
'hostname api function is defined' );
ok(
( defined($code) and ref($code) eq 'CODE' ),
'hostname api function is defined'
);
ok( $res = &$code, "Function works $res" );
ok( $res eq 'test1.example.com', 'Get good result' );


@ -64,7 +64,7 @@ count(3);
# Pad path test
ok($res = $client->_get('/[]/test'), 'Try a bad path');
ok( $res = $client->_get('/[]/test'), 'Try a bad path' );
ok( $res->[0] == 400, 'Response is 400' );
count(2);


@ -1,6 +1,6 @@
package main;
sub hostname { 'test1.example.com' };
sub hostname { 'test1.example.com' }
package Lemonldap::NG::Handler::Test;
@ -11,9 +11,10 @@ our $header;
use constant defaultLogger => 'Lemonldap::NG::Common::Logger::Std';
use constant REDIRECT => 302;
#sub hostname { 'test1.example.com' }
*hostname = \&main::hostname;
*logger = \&Lemonldap::NG::Handler::Main::logger;
*logger = \&Lemonldap::NG::Handler::Main::logger;
sub newRequest { 1 }
sub header_in { "" }
sub is_initial_req { '1' }


@ -33,7 +33,7 @@ sub init {
if ( my $localconf = $self->confAcc->getLocalConf(MANAGERSECTION) ) {
$self->{$_} = $args->{$_} //= $localconf->{$_}
foreach ( grep {$_ !~ /^(?:l|userL)ogger$/} keys %$localconf );
foreach ( grep { $_ !~ /^(?:l|userL)ogger$/ } keys %$localconf );
}
# Manager needs to keep new Ajax behaviour
@ -59,14 +59,14 @@ sub init {
for ( my $i = 0 ; $i < @enabledModules ; $i++ ) {
my $mod = $enabledModules[$i];
no strict 'refs';
if ( &{"${mod}::addRoutes"}($self,$conf) ) {
$self->lmLog( "Module $mod enabled", 'debug' );
if ( &{"${mod}::addRoutes"}( $self, $conf ) ) {
$self->logger->debug("Module $mod enabled");
push @working, $mod;
}
else {
$links[$i] = undef;
$self->lmLog( "Module $mod can not be enabled: " . $self->error,
'error' );
$self->logger->error(
"Module $mod can not be enabled: " . $self->error );
}
}
return 0 unless (@working);
@ -114,9 +114,11 @@ sub javascript {
return
'var formPrefix=staticPrefix+"forms/";var confPrefix=scriptname+"confs/";'
. ( $self->links ? 'var links=' . to_json( $self->links ) . ';' : '' )
. ( $self->menuLinks
. (
$self->menuLinks
? 'var menulinks=' . to_json( $self->menuLinks ) . ';'
: '' );
: ''
);
}
1;


@ -25,7 +25,8 @@ sub cTrees {
help => 'configvhost.html#options',
nodes => [
'vhostPort', 'vhostHttps',
'vhostMaintenance', 'vhostAliases', 'vhostType',
'vhostMaintenance', 'vhostAliases',
'vhostType',
],
},
],


@ -252,8 +252,7 @@ sub tree {
{
title => 'combinationParams',
help => 'authcombination.html',
nodes =>
[ 'combination', 'combModules' ]
nodes => [ 'combination', 'combModules' ]
},
{
title => 'nullParams',
@ -439,9 +438,8 @@ sub tree {
title => 'logParams',
help => 'logs.html',
form => 'simpleInputContainer',
nodes => [
'trustedProxies', 'whatToTrace', 'hiddenAttributes'
]
nodes =>
[ 'trustedProxies', 'whatToTrace', 'hiddenAttributes' ]
},
{
title => 'cookieParams',


@ -27,7 +27,7 @@ our $VERSION = '2.0.0';
use constant defaultRoute => 'manager.html';
sub addRoutes {
my($self,$conf) = @_;
my ( $self, $conf ) = @_;
# HTML template
$self->addRoute( 'manager.html', undef, ['GET'] )
@ -167,7 +167,7 @@ sub getConfByNum {
}
else {
$tmp = $self->SUPER::getConfByNum( $cfgNum, @args );
return undef unless (defined $tmp);
return undef unless ( defined $tmp );
}
}
return $cfgNum;


@ -232,8 +232,8 @@ sub notification {
my ( $uid, $ref ) = ( $id =~ /([^_]+?)_(.+)/ );
my $n = $self->notifAccess->get( $uid, $ref );
unless ($n) {
$self->lmLog( "Notification $ref not found for user $uid",
'notice' );
$self->userLogger->notice(
"Notification $ref not found for user $uid");
return $self->sendJSONresponse(
$req,
{
@ -291,14 +291,14 @@ sub newNotification {
delete $json->{xml};
};
if ($@) {
$self->lmLog( "Notification malformed $@", 'error' );
$self->logger->error("Notification malformed $@");
return $self->sendError( $req, "Notification malformed: $@", 200 );
}
$newNotif = to_json($json);
}
unless ( eval { $self->notifAccess->newNotification($newNotif) } ) {
$self->lmLog( "Notification not created: $@", 'error' );
$self->logger->error("Notification not created: $@");
return $self->sendError( $req, "Notification not created: $@", 200 );
}
else {
@ -323,7 +323,7 @@ sub updateNotification {
my ( $uid, $ref ) = ( $id =~ /([^_]+?)_(.+)/ );
my ( $n, $res );
unless ( $n = $self->notifAccess->get( $uid, $ref ) ) {
$self->lmLog( "Notification $ref not found for user $uid", 'notice' );
$self->logger->notice("Notification $ref not found for user $uid");
return $self->sendError( $req,
"Notification $ref not found for user $uid" );
}
@ -335,13 +335,13 @@ sub updateNotification {
}
unless ($status) {
$self->lmLog( "Notification $ref for user $uid not deleted", 'error' );
$self->logger->error("Notification $ref for user $uid not deleted");
return $self->sendError( $req,
"Notification $ref for user $uid not deleted" );
}
else {
$self->lmLog( "Notification $ref deleted for user $uid", 'info' );
$self->logger->info("Notification $ref deleted for user $uid");
return $self->sendJSONresponse( $req, { result => 1 } );
}
}
@ -355,12 +355,12 @@ sub deleteDoneNotification {
my ( $uid, $ref, $date ) = ( $id =~ /([^_]+?)_([^_]+?)_(.+)/ );
my $identifier = $self->notifAccess->getIdentifier( $uid, $ref, $date );
unless ( eval { $self->notifAccess->purge($identifier) } ) {
$self->lmLog( "Notification $identifier not purged ($@)", 'warn' );
$self->logger->warn("Notification $identifier not purged ($@)");
return $self->sendError( $req,
"Notification $identifier not purged ($@)", 400 );
}
$self->lmLog( "Notification $identifier purged", 'info' );
$self->logger->info("Notification $identifier purged");
return $self->sendJSONresponse( $req, { result => 1 } );
}
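Review bot: The same "not found" condition is now routed to different loggers depending on the route: `notification` uses `$self->userLogger->notice("Notification $ref not found for user $uid")` while `updateNotification` logs the identical message with `$self->logger->notice(...)`, so the event lands in the technical log from one API call and the user log from the other. Pick one (userLogger seems to be the intent of the first hunk) and use it in both places. Both messages interpolate `$uid` and `$ref` captured from `$id` with the unanchored `/([^_]+?)_(.+)/`; anchoring it as `/\A([^_]+?)_(.+)\z/` would keep the captured values bounded to the identifier actually supplied, which matters now that they are written into log lines. The enclosing subs start outside the visible hunks.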


@ -25,7 +25,7 @@ our $VERSION = '2.0.0';
use constant defaultRoute => 'sessions.html';
sub addRoutes {
my($self,$conf) = @_;
my ( $self, $conf ) = @_;
# HTML template
$self->addRoute( 'sessions.html', undef, ['GET'] )


@ -24,12 +24,17 @@ ok( $resBody = from_json( $res->[2]->[0] ), "Result body contains JSON text" );
ok( $resBody->{result} == 1, "JSON response contains \"result:1\"" )
or print STDERR Dumper($res);
ok( $res = &client->_get( '/confs/2/combModules', 'application/json' ), 'Get combModules');
ok( $res = &client->_get( '/confs/2/combModules', 'application/json' ),
'Get combModules' );
ok( $resBody = from_json( $res->[2]->[0] ), "Result body contains JSON text" );
ok( $res = &client->_get( '/confs/2/ldapServer', 'application/json' ), 'Get combModules');
ok( $res = &client->_get( '/confs/2/ldapServer', 'application/json' ),
'Get combModules' );
ok( $resBody = from_json( $res->[2]->[0] ), "Result body contains JSON text" );
ok( $resBody->{value} eq 'ldap://192.168.1.1', 'Key ldapServer has been modified');
ok(
$resBody->{value} eq 'ldap://192.168.1.1',
'Key ldapServer has been modified'
);
count(9);


@ -7,8 +7,6 @@ example/soaperrortest.pl
example/soaptest.pl
KINEMATIC.md
lib/Lemonldap/NG/Portal.pm
lib/Lemonldap/NG/Portal/_i18n.pm
lib/Lemonldap/NG/Portal/_Multi.pm
lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
lib/Lemonldap/NG/Portal/Auth/AD.pm
lib/Lemonldap/NG/Portal/Auth/Apache.pm
@ -34,7 +32,6 @@ lib/Lemonldap/NG/Portal/Auth/WebID.pm
lib/Lemonldap/NG/Portal/Auth/Yubikey.pm
lib/Lemonldap/NG/Portal/AuthMulti.pm
lib/Lemonldap/NG/Portal/CDC.pm
lib/Lemonldap/NG/Portal/Display.pm
lib/Lemonldap/NG/Portal/Issuer/CAS.pm
lib/Lemonldap/NG/Portal/Issuer/Get.pm
lib/Lemonldap/NG/Portal/Issuer/OpenID.pm
@ -71,7 +68,6 @@ lib/Lemonldap/NG/Portal/Main/Plugins.pm
lib/Lemonldap/NG/Portal/Main/Process.pm
lib/Lemonldap/NG/Portal/Main/Request.pm
lib/Lemonldap/NG/Portal/Main/Run.pm
lib/Lemonldap/NG/Portal/Menu.pm
lib/Lemonldap/NG/Portal/Password/Base.pm
lib/Lemonldap/NG/Portal/Password/Choice.pm
lib/Lemonldap/NG/Portal/Password/DBI.pm
@ -90,7 +86,6 @@ lib/Lemonldap/NG/Portal/Register/AD.pm
lib/Lemonldap/NG/Portal/Register/Demo.pm
lib/Lemonldap/NG/Portal/Register/LDAP.pm
lib/Lemonldap/NG/Portal/Register/U2F.pm
lib/Lemonldap/NG/Portal/Simple.pm
lib/Lemonldap/NG/Portal/UserDB/AD.pm
lib/Lemonldap/NG/Portal/UserDB/Choice.pm
lib/Lemonldap/NG/Portal/UserDB/Combination.pm


@ -11,8 +11,7 @@ use SOAP::Lite;
use Data::Dumper;
# Service
my $soap =
SOAP::Lite->new( proxy => 'http://auth.example.com/config' );
my $soap = SOAP::Lite->new( proxy => 'http://auth.example.com/config' );
$soap->default_ns('urn:Lemonldap/NG/Common/CGI/SOAPService');
# Call SOAP methods


@ -14,8 +14,7 @@ use Data::Dumper;
my $session_id = shift @ARGV;
# Service
my $soap =
SOAP::Lite->new( proxy => 'http://auth.example.com/sessions' );
my $soap = SOAP::Lite->new( proxy => 'http://auth.example.com/sessions' );
$soap->default_ns('urn:Lemonldap/NG/Common/CGI/SOAPService');
# Call some SOAP methods


@ -108,7 +108,9 @@ portal main object. Some main methods are mapped to the plugin namespace:
=over
=item lmLog()
=item logger() accessor to log
=item userLogger() accessor to log user actions
=item error() accessor (use it to store error during initialization)


@ -51,9 +51,9 @@ sub init {
if ( $self->adPwdExpireWarning > $self->adPwdMaxAge ) {
$self->adPwdExpireWarning( $self->adPwdMaxAge );
$self->lmLog(
$self->logger->warn(
"Error: ADPwdExpireWarning > ADPwdMaxAge, this should not happen",
'warn' );
);
}
return $self->SUPER::init();
}
@ -73,14 +73,14 @@ sub authenticate {
my $expired_flag =
0x800000; # 8 at 6th position for flag UF_PASSWORD_EXPIRED to be set
if ( ( $computed & $mask ) == $expired_flag ) {
$self->lmLog( "[AD] Password has expired", 'warn' );
$self->logger->warn("[AD] Password has expired");
$res = PE_PP_PASSWORD_EXPIRED;
}
# Password must be changed if pwdLastSet 0
if ( defined $pls and $pls == 0 ) {
$self->lmLog( "[AD] Password reset. User must change his password",
'warn' );
$self->userLogger->warn(
"[AD] Password reset. User must change his password");
$res = PE_PP_CHANGE_AFTER_RESET;
}
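Review bot: The two password-state messages in authenticate are now routed inconsistently: `[AD] Password has expired` goes to `$self->logger->warn` while `[AD] Password reset. User must change his password` goes to `$self->userLogger->warn`, although both describe the state of the account being authenticated and both lead to a per-user result code (PE_PP_PASSWORD_EXPIRED, PE_PP_CHANGE_AFTER_RESET). By the LOGGING rules added to Auth/Base.pm in this commit both belong on userLogger. Neither message names the account, so the userLogger entry cannot be correlated with anyone; including the user identifier authenticate has in scope (not visible here — confirm) in both messages, e.g. `"[AD] Password has expired for $req->{user}"`, would make the entries useful. The authenticate sub starts and ends outside the visible hunk.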


@ -19,8 +19,7 @@ sub init {
sub extractFormInfo {
my ( $self, $req ) = @_;
unless ( $req->{user} = $req->env->{REMOTE_USER} ) {
$self->lmLog( 'Apache is not configured to authenticate users!',
'error' );
$self->logger->error('Apache is not configured to authenticate users!');
return PE_ERROR;
}


@ -78,7 +78,9 @@ Lemonldap::NG portal. They must provides methods described below.
=item conf: configuration hash (as reference)
=item lmLog: alias for p->lmLog method
=item logger alias for p->logger accessor
=item userLogger alias for p->userLogger accessor
=item error: alias for p->error method
@ -147,6 +149,35 @@ Last method called during authentication process.
=head4 authLogout($req)
=head1 LOGGING
Logging is provided by $self->logger and $self->userLogger. The following rules
must be applied:
=over
=item logger->debug: technical debugging messages
=item logger->info: simple technical information
=item logger->notice: technical information that could interest administrators
=item logger->warn: technical warning
=item logger->error: error that must be reported to administrator
=item userLogger->info: simple information about user's action
=item userLogger->notice: information that may be registered (auth success,...)
=item userLogger->warn: bad action of a user (auth failure). Auth/Combination
transform it to "info" when another authentication scheme is available
=item userLogger->error: bad action of a user that must be reported, (even if
another backend is available with Combination)
=back
=head1 AUTHORS
=over
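Review bot: The new LOGGING section says which level each kind of event gets but not what must be kept out of the log, and elsewhere in this commit credential values are interpolated into debug messages (the CAS ticket and PGT lines, the OIDC access/ID token lines). A rule belongs here so plugin authors apply it; suggested item before the closing `=back`: `=item Never log credentials, session identifiers, tickets or tokens at any level; log the event and an identifier the user can be correlated with instead.` Also, in the `userLogger->warn` item, `Auth/Combination transform it to "info"` should read `transforms`.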


@ -72,7 +72,7 @@ sub extractFormInfo {
and %{ $req->{portalHiddenFormValues} } )
{
$self->lmLog( "Add hidden values to CAS redirect URL\n", 'debug' );
$self->logger->debug("Add hidden values to CAS redirect URL\n");
foreach ( keys %{ $req->{portalHiddenFormValues} } ) {
$local_url .=
@ -83,7 +83,7 @@ sub extractFormInfo {
}
if ( $self->proxy ) {
$self->lmLog( "CAS: Proxy mode activated", 'debug' );
$self->logger->debug("CAS: Proxy mode activated");
my $proxy_url = $self->p->fullUrl($req) . '?casProxy=1';
if ( $self->conf->{authChoiceParam}
@ -92,7 +92,7 @@ sub extractFormInfo {
$proxy_url .= '&' . $self->conf->{authChoiceParam} . "=$tmp";
}
$self->lmLog( "CAS Proxy URL: $proxy_url", 'debug' );
$self->logger->debug("CAS Proxy URL: $proxy_url");
$self->cas->proxyMode(
pgtFile => $self->conf->{CAS_pgtFile},
@ -102,7 +102,7 @@ sub extractFormInfo {
# Catch proxy callback
if ( $req->param('casProxy') ) {
$self->lmLog( "CAS: Proxy callback detected", 'debug' );
$self->logger->debug("CAS: Proxy callback detected");
my $pgtIou = $req->param('pgtIou');
my $pgtId = $req->param('pgtId');
@ -111,11 +111,11 @@ sub extractFormInfo {
# Store pgtId and pgtIou
unless ( $self->cas->storePGT( $pgtIou, $pgtId ) ) {
$self->lmLog( "CAS: error " . &AuthCAS::get_errors(), 'error' );
$self->logger->error( "CAS: error " . &AuthCAS::get_errors() );
}
else {
$self->lmLog( "CAS: Store pgtIou $pgtIou and pgtId $pgtId",
'debug' );
$self->logger->debug(
"CAS: Store pgtIou $pgtIou and pgtId $pgtId");
}
}
@ -134,21 +134,21 @@ sub extractFormInfo {
# Unless a ticket has been found, we redirect the user
unless ($ticket) {
$self->lmLog( "CAS: Redirect user to $login_url", 'debug' );
$self->logger->debug("CAS: Redirect user to $login_url");
$req->{urldc} = $login_url;
$req->steps( [] );
return PE_REDIRECT;
}
$self->lmLog( "CAS: Service Ticket received: $ticket", 'debug' );
$self->logger->debug("CAS: Service Ticket received: $ticket");
# Ticket found, try to validate it
unless ( $req->{user} = $self->cas->validateST( $local_url, $ticket ) ) {
$self->lmLog( "CAS: error " . &AuthCAS::get_errors(), 'error' );
$self->logger->error( "CAS: error " . &AuthCAS::get_errors() );
return PE_ERROR;
}
else {
$self->lmLog( "CAS: User $req->{user} found", 'debug' );
$self->logger->debug("CAS: User $req->{user} found");
}
# Request proxy tickets for proxied services
@ -158,8 +158,8 @@ sub extractFormInfo {
my $pgtId = $self->cas->{pgtId};
unless ($pgtId) {
$self->lmLog( "CAS: Proxy mode activated, but no PGT received",
'error' );
$self->logger->error(
"CAS: Proxy mode activated, but no PGT received");
return PE_ERROR;
}
@ -169,14 +169,13 @@ sub extractFormInfo {
my $pt = $self->cas->retrievePT($service);
unless ($pt) {
$self->lmLog(
"CAS: No proxy ticket recevied for service $service",
'error' );
$self->logger->error(
"CAS: No proxy ticket recevied for service $service");
return PE_ERROR;
}
$self->lmLog( "CAS: Received proxy ticket $pt for service $service",
'debug' );
$self->logger->debug(
"CAS: Received proxy ticket $pt for service $service");
# Store it in session
$req->{sessionInfo}->{ '_casPT' . $_ } = $pt;
@ -205,7 +204,7 @@ sub authLogout {
my $logout_url =
$self->cas->getServerLogoutURL( uri_escape( $self->p->fullUrl($req) ) );
$self->lmLog( "Build CAS logout URL: $logout_url", 'debug' );
$self->logger->debug("Build CAS logout URL: $logout_url");
# Register CAS logout URL in logoutServices
$req->datas->{logoutServices}->{CASserver} = $logout_url;
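Review bot: The new debug lines `$self->logger->debug("CAS: Store pgtIou $pgtIou and pgtId $pgtId")` and `$self->logger->debug("CAS: Received proxy ticket $pt for service $service")` write CAS ticket values into the log verbatim, and `CAS: Service Ticket received: $ticket` does the same; a proxy-granting ticket is a reusable credential for obtaining proxy tickets, so anyone with read access to the portal's debug log gets it. The lmLog→logger migration is the moment to stop logging the values: log only the fact, e.g. `$self->logger->debug("CAS: Stored pgtIou/pgtId pair for proxy callback")` and `$self->logger->debug("CAS: Received proxy ticket for service $service")`. Separately, `recevied` in the "No proxy ticket recevied" message is a typo. extractFormInfo starts and ends outside the visible hunks.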


@ -124,7 +124,7 @@ sub getStack {
return $req->datas->{multiStack} if ( $req->datas->{multiStack} );
my $stack = $req->datas->{multiStack} = $self->stackSub->( $req->env );
unless ($stack) {
$self->lmLog( 'No authentication scheme for this user', 'error' );
$self->logger->error('No authentication scheme for this user');
}
@{ $req->datas->{multiSteps} } = ( @steps, @{ $req->steps } );
$req->datas->{multiTry} = 0;
@ -145,8 +145,8 @@ sub try {
# On error, restart authentication with next scheme
if ( $res > PE_OK ) {
$self->lmLog( qq'Scheme "$name" has return $res, trying next',
'info' );
$self->logger->info(
qq'Scheme "$name" has return $res, trying next');
$req->datas->{multiTry}++;
$req->steps( [ @{ $req->datas->{multiSteps} } ] );
return PE_OK;


@ -21,9 +21,8 @@ sub init {
my $self = shift;
# Add warning in log
$self->lmLog(
"Using demonstration mode, go to Manager to edit the configuration",
'warn' );
$self->logger->warn(
"Using demonstration mode, go to Manager to edit the configuration");
return $self->Lemonldap::NG::Portal::Auth::_WebForm::init();
}


@ -61,14 +61,13 @@ sub extractFormInfo {
{ fields => join( ',', @fields ) }
)->as_hash;
unless ( ref $datas ) {
$self->lmLog( "Unable to get any Facebook field", 'error' );
$self->logger->error("Unable to get any Facebook field");
return PE_ERROR;
}
if ( $datas->{error} ) {
my $tmp = pop @fields;
$self->lmLog(
"Unable to get some Facebook fields ($datas->{error}->{message}). Retrying without $tmp",
'warn'
$self->logger->warn(
"Unable to get some Facebook fields ($datas->{error}->{message}). Retrying without $tmp"
);
}
else {
@ -76,13 +75,13 @@ sub extractFormInfo {
}
}
unless (@fields) {
$self->lmLog( "Unable to get any Facebook field", 'error' );
$self->logger->error("Unable to get any Facebook field");
return PE_ERROR;
}
# Use id fieldto trace user
unless ( $req->{user} = $datas->{id} ) {
$self->lmLog( 'Unable to get Facebook id', 'error' );
$self->logger->error('Unable to get Facebook id');
return PE_ERROR;
}
$req->datas->{_facebookDatas} = $datas;
@ -97,8 +96,7 @@ sub extractFormInfo {
# 1.2 Bad responses
if ( my $error_code = $req->param('error_code') ) {
my $error_message = $req->param('error_message');
$self->lmLog( "Facebook error code $error_code: $error_message",
'error' );
$self->logger->error("Facebook error code $error_code: $error_message");
return PE_ERROR;
}
@ -160,7 +158,7 @@ sub fb {
callback => $ret,
);
};
$self->lmLog( $@, 'error' ) if ($@);
$self->logger->error($@) if ($@);
return $fb;
}
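Review bot: `$self->logger->error("Facebook error code $error_code: $error_message")` writes two values taken straight from the request (`$req->param('error_code')`, `$req->param('error_message')`) into the error log unfiltered, so a client can place arbitrary text, including newlines, into the log stream and split or forge entries. Collapse control characters before logging, e.g. `( my $safe_msg = $error_message // '' ) =~ s/[[:cntrl:]]+/ /g;` and interpolate `$safe_msg`; the same treatment applies to `$datas->{error}->{message}`, which comes from the remote response. The enclosing extractFormInfo starts outside the visible hunks.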


@ -93,7 +93,7 @@ sub extractFormInfo {
# Remote error
unless ( $csr->is_server_response() ) {
$self->lmLog( 'No OpenID valid message found', 'info' );
$self->logger->info('No OpenID valid message found');
return PE_BADCREDENTIALS;
}
@ -106,22 +106,22 @@ sub extractFormInfo {
# Check if user has refused to share his authentication
elsif ( $csr->user_cancel() ) {
$self->lmLog( 'OpenID request cancelled by user', 'info' );
$self->logger->info('OpenID request cancelled by user');
return PE_FIRSTACCESS;
}
# TODO: check verified identity
elsif ( $req->datas->{vident} = $csr->verified_identity ) {
$req->user( $req->datas->{vident}->url() );
$self->lmLog( "OpenID good authentication for $req->{user}",
'debug' );
$self->userLogger->notice(
"OpenID good authentication for $req->{user}");
$req->{mustRedirect} = 1;
return PE_OK;
}
# Other errors
else {
$self->lmLog( 'OpenID error: ' . $csr->err, 'warn' );
$self->logger->warn( 'OpenID error: ' . $csr->err );
return PE_ERROR;
}
}
@ -138,12 +138,12 @@ sub extractFormInfo {
# Check if url is valid
unless ($claimed_identity) {
$self->lmLog( 'OpenID error : ' . $req->{csr}->err(), 'warn' );
$self->logger->warn( 'OpenID error : ' . $req->{csr}->err() );
return PE_BADCREDENTIALS;
}
# Build the redirection
$self->lmLog( "OpenID redirection to $url", 'debug' );
$self->logger->debug("OpenID redirection to $url");
my $check_url = $claimed_identity->check_url(
return_to => $self->conf->{portal}
. '?openid=1&'
@ -175,9 +175,8 @@ sub extractFormInfo {
else { push @o, $k }
}
else {
$self->lmLog(
qq'Unknown "OpenID Simple Registration Extension" field name: $k',
'warn'
$self->logger->warn(
qq'Unknown "OpenID Simple Registration Extension" field name: $k'
);
}
}
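Review bot: The OpenID response outcomes are split between the two loggers in a way that does not follow the LOGGING rules this commit adds to Auth/Base.pm: the success path goes to `$self->userLogger->notice(...)`, but the failures `'No OpenID valid message found'` (returns PE_BADCREDENTIALS) and `'OpenID request cancelled by user'` (returns PE_FIRSTACCESS) go to `$self->logger->info`, so a failed authentication never reaches the user-action log. Routing the first to `$self->userLogger->warn` and the second to `$self->userLogger->info`, and including the claimed identity where it is available, would let administrators see failed attempts. The `$csr->err` text appended in the two `->warn` calls comes from the remote response and is logged unfiltered — consider stripping control characters. extractFormInfo begins and ends outside the visible hunks.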


@ -26,7 +26,7 @@ sub init {
return 0 unless ( $self->loadOPs and $self->refreshJWKSdata );
my @tab = ( sort keys %{ $self->oidcOPList } );
unless (@tab) {
$self->lmLog( "No OP configured", 'error' );
$self->logger->error("No OP configured");
return 0;
}
$self->opNumber( scalar @tab );
@ -69,8 +69,8 @@ sub extractFormInfo {
# Check callback
if ( $req->param( $self->conf->{oidcRPCallbackGetParam} ) ) {
$self->lmLog( 'OpenIDConnect callback URI detected: ' . $req->uri,
'debug' );
$self->logger->debug(
'OpenIDConnect callback URI detected: ' . $req->uri );
# AuthN Response
my $state = $req->param('state');
@ -78,10 +78,10 @@ sub extractFormInfo {
# Restore state
if ($state) {
if ( $self->extractState( $req, $state ) ) {
$self->lmLog( "State $state extracted", 'debug' );
$self->logger->debug("State $state extracted");
}
else {
$self->lmLog( "Unable to extract state $state", 'error' );
$self->logger->error("Unable to extract state $state");
return PE_ERROR;
}
}
@ -90,11 +90,11 @@ sub extractFormInfo {
my $op = $req->datas->{_oidcOPCurrent};
unless ($op) {
$self->lmLog( "OpenID Provider not found", 'error' );
$self->logger->error("OpenID Provider not found");
return PE_ERROR;
}
$self->lmLog( "Using OpenID Provider $op", 'debug' );
$self->logger->debug("Using OpenID Provider $op");
# Check error
my $error = $req->param("error");
@ -102,10 +102,10 @@ sub extractFormInfo {
my $error_description = $req->param("error_description");
my $error_uri = $req->param("error_uri");
$self->lmLog( "Error returned by $op Provider: $error", 'error' );
$self->lmLog( "Error description: $error_description", 'error' )
$self->logger->error("Error returned by $op Provider: $error");
$self->logger->error("Error description: $error_description")
if $error_description;
$self->lmLog( "Error URI: $error_uri", 'error' ) if $error_uri;
$self->logger->error("Error URI: $error_uri") if $error_uri;
return PE_ERROR;
}
@ -125,38 +125,37 @@ sub extractFormInfo {
my $json = $self->decodeJSON($content);
if ( $json->{error} ) {
$self->lmLog( "Error in token response:" . $json->{error},
'error' );
$self->logger->error( "Error in token response:" . $json->{error} );
return PE_ERROR;
}
# Check validity of token response
unless ( $self->checkTokenResponseValidity($json) ) {
$self->lmLog( "Token response is not valid", 'error' );
$self->logger->error("Token response is not valid");
return PE_ERROR;
}
else {
$self->lmLog( "Token response is valid", 'debug' );
$self->logger->debug("Token response is valid");
}
my $access_token = $json->{access_token};
my $id_token = $json->{id_token};
$self->lmLog( "Access token: $access_token", 'debug' );
$self->lmLog( "ID token: $id_token", 'debug' );
$self->logger->debug("Access token: $access_token");
$self->logger->debug("ID token: $id_token");
# Verify JWT signature
if ( $self->conf->{oidcOPMetaDataOptions}->{$op}
->{oidcOPMetaDataOptionsCheckJWTSignature} )
{
unless ( $self->verifyJWTSignature( $id_token, $op ) ) {
$self->lmLog( "JWT signature verification failed", 'error' );
$self->logger->error("JWT signature verification failed");
return PE_ERROR;
}
$self->lmLog( "JWT signature verified", 'debug' );
$self->logger->debug("JWT signature verified");
}
else {
$self->lmLog( "JWT signature check disabled", 'debug' );
$self->logger->debug("JWT signature check disabled");
}
my $id_token_payload = $self->extractJWT($id_token)->[1];
@ -168,25 +167,24 @@ sub extractFormInfo {
my $at_hash = $id_token_payload_hash->{at_hash};
if ($at_hash) {
unless ( $self->verifyHash( $access_token, $at_hash, $id_token ) ) {
$self->lmLog( "Access token hash verification failed",
'error' );
$self->userLogger->error(
"Access token hash verification failed");
return PE_ERROR;
}
$self->lmLog( "Access token hash verified", 'debug' );
$self->logger->debug("Access token hash verified");
}
else {
$self->lmLog(
"No at_hash in ID Token, access token will not be verified",
'debug' );
$self->logger->debug(
"No at_hash in ID Token, access token will not be verified");
}
# Check validity of ID Token
unless ( $self->checkIDTokenValidity( $op, $id_token_payload_hash ) ) {
$self->lmLog( 'ID Token not valid', 'error' );
$self->logger->error('ID Token not valid');
return PE_ERROR;
}
else {
$self->lmLog( 'ID Token is valid', 'debug' );
$self->logger->debug('ID Token is valid');
}
# Get user id defined in 'sub' field
@ -196,7 +194,7 @@ sub extractFormInfo {
$req->datas->{access_token} = $access_token;
$req->datas->{id_token} = $id_token;
$self->lmLog( "Found user_id: " . $user_id, 'debug' );
$self->logger->debug( "Found user_id: " . $user_id );
$req->user($user_id);
return PE_OK;
@ -206,12 +204,12 @@ sub extractFormInfo {
my $op;
unless ( $op = $req->param("idp") ) {
$self->lmLog( "Redirecting user to OP list", 'debug' );
$self->logger->debug("Redirecting user to OP list");
# Auto select provider if there is only one
if ( $self->opNumber == 1 ) {
$op = $self->opList->[0]->{val};
$self->lmLog( "Selecting the only defined OP: $op", 'debug' );
$self->logger->debug("Selecting the only defined OP: $op");
}
else {
@ -231,12 +229,12 @@ sub extractFormInfo {
}
# Provider is choosen
$self->lmLog( "OpenID Provider $op choosen", 'debug' );
$self->logger->debug("OpenID Provider $op choosen");
$req->datas->{_oidcOPCurrent} = $op;
# AuthN Request
$self->lmLog( "Build OpenIDConnect AuthN Request", 'debug' );
$self->logger->debug("Build OpenIDConnect AuthN Request");
# Save state
my $state = $self->storeState( $req, qw/urldc checkLogins _oidcOPCurrent/ );
@ -245,7 +243,7 @@ sub extractFormInfo {
$req->urldc(
$self->buildAuthorizationCodeAuthnRequest( $req, $op, $state ) );
$self->lmLog( "Redirect user to " . $req->{urldc}, 'debug' );
$self->logger->debug( "Redirect user to " . $req->{urldc} );
$req->continue(1);
$req->steps( [] );
@ -270,11 +268,11 @@ sub setAuthSessionInfo {
my $store_IDToken = $self->conf->{oidcOPMetaDataOptions}->{$op}
->{oidcOPMetaDataOptionsStoreIDToken};
if ($store_IDToken) {
$self->lmLog( "Store ID Token in session", 'debug' );
$self->logger->debug("Store ID Token in session");
$req->{sessionInfo}->{OpenIDConnect_IDToken} = $req->datas->{id_token};
}
else {
$self->lmLog( "ID Token will not be stored in session", 'debug' );
$self->logger->debug("ID Token will not be stored in session");
}
PE_OK;
@ -298,12 +296,11 @@ sub authLogout {
)
);
$self->lmLog(
"OpenID Connect logout to $op will be done on " . $req->urldc,
'debug' );
$self->logger->debug(
"OpenID Connect logout to $op will be done on " . $req->urldc );
}
else {
$self->lmLog( "No end session endpoint found for $op", 'debug' );
$self->logger->debug("No end session endpoint found for $op");
}
PE_OK;
}
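Review bot: The new debug lines `$self->logger->debug("Access token: $access_token");` and `$self->logger->debug("ID token: $id_token");` in the `@ -125,38 +125,37 @@` hunk write two bearer credentials verbatim into the portal log. The access token is a live credential for the OP's userinfo and resource endpoints and the ID token carries user claims, so anyone with read access to the log file or to a downstream log collector inherits them whenever debug logging is turned on for troubleshooting. I would record only that the tokens arrived, e.g. replace both lines with `$self->logger->debug("Access token and ID token received from $op");`, and the same caution applies to the `SAML Token: $saml_token` debug line this commit rewrites in the SAML module. A smaller consistency point: the failed at_hash check now goes to `$self->userLogger->error(...)` while the failed JWT signature check a few lines above goes to `$self->logger->error(...)`, although both are token-validation failures rather than user actions. extractFormInfo begins before and ends after this hunk.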


@ -17,9 +17,12 @@ our $VERSION = '2.0.0';
has radius => ( is => 'rw' );
has authnLevel => ( is => 'rw', default => sub {
$_[0]->conf->{radiusAuthnLevel};
});
has authnLevel => (
is => 'rw',
default => sub {
$_[0]->conf->{radiusAuthnLevel};
}
);
sub initRadius {
$_[0]->radius(
@ -44,11 +47,11 @@ sub init {
sub authenticate {
my ( $self, $req ) = @_;
$self->initRadius unless($self->radius);
return PE_RADIUSCONNECTFAILED unless($self->radius);
$self->initRadius unless ( $self->radius );
return PE_RADIUSCONNECTFAILED unless ( $self->radius );
my $res = $self->radius->check_pwd($req->user, $req->datas->{password});
unless($res==1){
my $res = $self->radius->check_pwd( $req->user, $req->datas->{password} );
unless ( $res == 1 ) {
$self->p->userNotice("Unable to authenticate $req->{user} !");
return PE_BADCREDENTIALS;
}


@ -85,8 +85,8 @@ sub extractFormInfo {
# 1.1 SSO assertion consumer
if ( $url =~ $self->sloAssConsumerRe ) {
$self->lmLog( "URL $url detected as an SSO assertion consumer URL",
'debug' );
$self->logger->debug(
"URL $url detected as an SSO assertion consumer URL");
# Check SAML Message
my ( $request, $response, $method, $relaystate, $artifact ) =
@ -111,29 +111,28 @@ sub extractFormInfo {
}
unless ($result) {
$self->lmLog( "SSO: Fail to process authentication response",
'error' );
$self->logger->error(
"SAML SSO: Fail to process authentication response");
return PE_SAML_SSO_ERROR;
}
$self->lmLog( "SSO: authentication response is valid", 'debug' );
$self->logger->debug("SSO: authentication response is valid");
# Get IDP entityID
my $idp = $login->remote_providerID();
$self->lmLog( "Found entityID $idp in SAML message", 'debug' );
$self->logger->debug("Found entityID $idp in SAML message");
# IDP conf key
my $idpConfKey = $self->idpList->{$idp}->{confKey};
unless ($idpConfKey) {
$self->lmLog( "$idp do not match any IDP in configuration",
'error' );
$self->userLogger->error(
"$idp do not match any IDP in configuration");
return PE_SAML_UNKNOWN_ENTITY;
}
$self->lmLog( "$idp match $idpConfKey IDP in configuration",
'debug' );
$self->logger->debug("$idp match $idpConfKey IDP in configuration");
# Do we check signature?
my $checkSSOMessageSignature =
@ -153,22 +152,21 @@ sub extractFormInfo {
}
unless ($result) {
$self->lmLog( "Signature is not valid", 'error' );
$self->logger->error("Signature is not valid");
return PE_SAML_SIGNATURE_ERROR;
}
else {
$self->lmLog( "Signature is valid", 'debug' );
$self->logger->debug("Signature is valid");
}
}
else {
$self->lmLog( "Message signature will not be checked",
'debug' );
$self->logger->debug("Message signature will not be checked");
}
# Get SAML response
my $saml_response = $login->response();
unless ($saml_response) {
$self->lmLog( "No SAML response found", 'error' );
$self->logger->error("No SAML response found");
return PE_SAML_SSO_ERROR;
}
@ -183,9 +181,8 @@ sub extractFormInfo {
# Assertion was already consumed or is expired
# Force authentication replay
$self->lmLog(
"Message $assertion_responded already used or expired, replay authentication",
'error'
$self->userLogger->error(
"Message $assertion_responded already used or expired, replay authentication"
);
delete $req->{urldc};
$req->mustRedirect(1);
@ -194,9 +191,8 @@ sub extractFormInfo {
}
}
else {
$self->lmLog(
"Assertion is not a response to a created authentication request, do not control replay",
'debug'
$self->logger->debug(
"Assertion is not a response to a created authentication request, do not control replay"
);
}
@ -204,13 +200,12 @@ sub extractFormInfo {
my $assertion = $self->getAssertion($login);
unless ($assertion) {
$self->lmLog( "No assertion found", 'error' );
$self->logger->error("No assertion found");
return PE_SAML_SSO_ERROR;
}
# Do we check conditions?
my $checkTime =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $checkTime = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsCheckTime};
my $checkAudience =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
@ -224,7 +219,7 @@ sub extractFormInfo {
)
)
{
$self->lmLog( "Conditions not validated", 'error' );
$self->logger->error("Conditions not validated");
return PE_SAML_CONDITIONS_ERROR;
}
@ -234,7 +229,7 @@ sub extractFormInfo {
# Extract RelayState information
if ( $self->extractRelayState( $relaystate, $relayStateURL ) ) {
$self->lmLog( "RelayState $relaystate extracted", 'debug' );
$self->logger->debug("RelayState $relaystate extracted");
}
# Check if we accept direct login from IDP
@ -242,9 +237,8 @@ sub extractFormInfo {
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsAllowLoginFromIDP};
if ( !$assertion_responded and !$allowLoginFromIDP ) {
$self->lmLog(
"Direct login from IDP $idpConfKey is not allowed",
'error' );
$self->userLogger->error(
"Direct login from IDP $idpConfKey is not allowed");
return PE_SAML_IDPSSOINITIATED_NOTALLOWED;
}
@ -256,15 +250,13 @@ sub extractFormInfo {
->AuthnContextClassRef();
};
if ($@) {
$self->lmLog(
"Unable to get authentication context from $idpConfKey",
'debug' );
$self->logger->debug(
"Unable to get authentication context from $idpConfKey");
$responseAuthnContext = $self->getAuthnContext("unspecified");
}
else {
$self->lmLog(
"Found authentication context: $responseAuthnContext",
'debug' );
$self->logger->debug(
"Found authentication context: $responseAuthnContext");
}
# Map authentication context to authentication level
@ -282,10 +274,10 @@ sub extractFormInfo {
$session_index = $assertion->AuthnStatement()->SessionIndex();
};
if ( $@ or !defined($session_index) ) {
$self->lmLog( "No SessionIndex found", 'debug' );
$self->logger->debug("No SessionIndex found");
}
else {
$self->lmLog( "Found SessionIndex $session_index", 'debug' );
$self->logger->debug("Found SessionIndex $session_index");
}
# Get NameID
@ -295,11 +287,11 @@ sub extractFormInfo {
my $user = $nameid->content;
unless ($user) {
$self->lmLog( "No NameID value found", 'error' );
$self->logger->error("No NameID value found");
return PE_SAML_SSO_ERROR;
}
$self->lmLog( "Found NameID: $user", 'debug' );
$self->logger->debug("Found NameID: $user");
$req->user($user);
# Store Lasso objects
@ -312,7 +304,7 @@ sub extractFormInfo {
# Store Token
my $saml_token = $assertion->export_to_xml;
$self->lmLog( "SAML Token: $saml_token", 'debug' );
$self->logger->debug("SAML Token: $saml_token");
$req->datas->{_samlToken} = $saml_token;
@ -329,9 +321,8 @@ sub extractFormInfo {
# Warning if more than one session found
if ( $#saml_sessions_keys > 0 ) {
$self->lmLog(
"More than one SAML proxy session found for ID $assertion_responded",
'warn'
$self->logger->warn(
"More than one SAML proxy session found for ID $assertion_responded"
);
}
@ -339,9 +330,8 @@ sub extractFormInfo {
my $saml_session = shift @saml_sessions_keys;
# Get session
$self->lmLog(
"Retrieve SAML proxy session $saml_session for ID $assertion_responded",
'debug'
$self->logger->debug(
"Retrieve SAML proxy session $saml_session for ID $assertion_responded"
);
my $samlSessionInfo = $self->getSamlSession($saml_session);
@ -364,16 +354,15 @@ sub extractFormInfo {
elsif ($request) {
# Do nothing
$self->lmLog(
"This module do not manage SSO request, see IssuerDBSAML",
'debug' );
$self->logger->debug(
"This module do not manage SSO request, see IssuerDBSAML");
return PE_OK;
}
else {
# This should not happen
$self->lmLog( "SSO request or response was not found", 'error' );
$self->logger->error("SSO request or response was not found");
return PE_SAML_ERROR;
}
@ -382,7 +371,7 @@ sub extractFormInfo {
# 1.2 SLO
elsif ( $url =~ $self->sloRe ) {
$self->lmLog( "URL $url detected as an SLO URL", 'debug' );
$self->logger->debug("URL $url detected as an SLO URL");
# TODO: call authLogout instead of duplicating SLO
$req->steps( [ @{ $self->p->beforeLogout }, 'deleteSession' ] );
@ -404,11 +393,11 @@ sub extractFormInfo {
my $result = $self->processLogoutResponseMsg( $logout, $response );
unless ($result) {
$self->lmLog( "Fail to process logout response", 'error' );
$self->logger->error("Fail to process logout response");
return PE_SAML_SLO_ERROR;
}
$self->lmLog( "Logout response is valid", 'debug' );
$self->logger->debug("Logout response is valid");
# Check Destination
return PE_SAML_DESTINATION_ERROR
@ -417,19 +406,18 @@ sub extractFormInfo {
# Get IDP entityID
my $idp = $logout->remote_providerID();
$self->lmLog( "Found entityID $idp in SAML message", 'debug' );
$self->logger->debug("Found entityID $idp in SAML message");
# IDP conf key
my $idpConfKey = $self->idpList->{$idp}->{confKey};
unless ($idpConfKey) {
$self->lmLog( "$idp do not match any IDP in configuration",
'error' );
$self->userLogger->error(
"$idp do not match any IDP in configuration");
return PE_SAML_UNKNOWN_ENTITY;
}
$self->lmLog( "$idp match $idpConfKey IDP in configuration",
'debug' );
$self->logger->debug("$idp match $idpConfKey IDP in configuration");
# Do we check signature?
my $checkSLOMessageSignature =
@ -443,16 +431,15 @@ sub extractFormInfo {
$result = $self->processLogoutResponseMsg( $logout, $response );
unless ($result) {
$self->lmLog( "Signature is not valid", 'error' );
$self->logger->error("Signature is not valid");
return PE_SAML_SIGNATURE_ERROR;
}
else {
$self->lmLog( "Signature is valid", 'debug' );
$self->logger->debug("Signature is valid");
}
}
else {
$self->lmLog( "Message signature will not be checked",
'debug' );
$self->logger->debug("Message signature will not be checked");
}
# Replay protection
@ -461,16 +448,16 @@ sub extractFormInfo {
unless ( $self->replayProtection($samlID) ) {
# Logout request was already consumed or is expired
$self->lmLog( "Message $samlID already used or expired",
'error' );
$self->userLogger->error(
"Message $samlID already used or expired");
return PE_SAML_SLO_ERROR;
}
# If URL in RelayState, different from portal, redirect user
if ( $self->extractRelayState($relaystate) ) {
$self->lmLog( "RelayState $relaystate extracted", 'debug' );
$self->lmLog( "URL " . $req->urldc . " found in RelayState",
'debug' );
$self->logger->debug("RelayState $relaystate extracted");
$self->logger->debug(
"URL " . $req->urldc . " found in RelayState" );
}
if ( $req->urldc
@ -496,11 +483,11 @@ sub extractFormInfo {
# Process logout request
unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
$self->lmLog( "Fail to process logout request", 'error' );
$self->logger->error("Fail to process logout request");
$logout_error = 1;
}
$self->lmLog( "Logout request is valid", 'debug' );
$self->logger->debug("Logout request is valid");
# Check Destination
return PE_SAML_DESTINATION_ERROR
@ -509,19 +496,18 @@ sub extractFormInfo {
# Get IDP entityID
my $idp = $logout->remote_providerID();
$self->lmLog( "Found entityID $idp in SAML message", 'debug' );
$self->logger->debug("Found entityID $idp in SAML message");
# IDP conf key
my $idpConfKey = $self->idpList->{$idp}->{confKey};
unless ($idpConfKey) {
$self->lmLog( "$idp do not match any IDP in configuration",
'error' );
$self->userLogger->error(
"$idp do not match any IDP in configuration");
return PE_SAML_UNKNOWN_ENTITY;
}
$self->lmLog( "$idp match $idpConfKey IDP in configuration",
'debug' );
$self->logger->debug("$idp match $idpConfKey IDP in configuration");
# Do we check signature?
my $checkSLOMessageSignature =
@ -530,16 +516,15 @@ sub extractFormInfo {
if ($checkSLOMessageSignature) {
unless ( $self->checkSignatureStatus($logout) ) {
$self->lmLog( "Signature is not valid", 'error' );
$self->logger->error("Signature is not valid");
return PE_SAML_SIGNATURE_ERROR;
}
else {
$self->lmLog( "Signature is valid", 'debug' );
$self->logger->debug("Signature is valid");
}
}
else {
$self->lmLog( "Message signature will not be checked",
'debug' );
$self->logger->debug("Message signature will not be checked");
}
# Get NameID and SessionIndex
@ -548,12 +533,12 @@ sub extractFormInfo {
my $user = $name_id->content;
unless ($name_id) {
$self->lmLog( "Fail to get NameID from logout request",
'error' );
$self->userLogger->error(
"Fail to get NameID from logout request");
$logout_error = 1;
}
$self->lmLog( "Logout request NameID content: $user", 'debug' );
$self->logger->debug("Logout request NameID content: $user");
# Get SAML sessions with the same NameID
my $moduleOptions = $self->conf->{samlStorageOptions} || {};
@ -571,9 +556,8 @@ sub extractFormInfo {
my $local_session = $_;
# Get session
$self->lmLog(
"Retrieve SAML session $local_session for user $user",
'debug' );
$self->logger->debug(
"Retrieve SAML session $local_session for user $user");
my $sessionInfo = $self->getSamlSession($local_session);
@ -583,9 +567,8 @@ sub extractFormInfo {
and $session_index ne
$sessionInfo->data->{_sessionIndex} )
{
$self->lmLog(
"Session $local_session has not the good session index, skipping",
'debug'
$self->logger->debug(
"Session $local_session has not the good session index, skipping"
);
next;
}
@ -607,9 +590,8 @@ sub extractFormInfo {
if ( $ssoSession
&& $ssoSession->data->{_lassoSessionDump} )
{
$self->lmLog(
"Get Lasso::Session dump from session $real_session",
'debug'
$self->logger->debug(
"Get Lasso::Session dump from session $real_session"
);
$session_dump =
$ssoSession->data->{_lassoSessionDump};
@ -620,9 +602,8 @@ sub extractFormInfo {
# Delete SAML session
my $del_saml_result = $sessionInfo->remove();
$self->lmLog(
"Delete SAML session $local_session result: $del_saml_result",
'debug'
$self->logger->debug(
"Delete SAML session $local_session result: $del_saml_result"
);
$logout_error = 1 unless $del_saml_result;
@ -631,8 +612,8 @@ sub extractFormInfo {
# Set session from dump
unless ( $self->setSessionFromDump( $logout, $session_dump ) ) {
$self->lmLog( "Cannot set session from dump in logout",
'error' );
$self->userLogger->error(
"Cannot set session from dump in logout");
$logout_error = 1;
}
@ -640,7 +621,7 @@ sub extractFormInfo {
else {
# No corresponding session found
$self->lmLog( "No SAML session found for user $user", 'debug' );
$self->logger->debug("No SAML session found for user $user");
$logout_error = 1;
@ -649,14 +630,14 @@ sub extractFormInfo {
# Validate request if no previous error
unless ($logout_error) {
unless ( $self->validateLogoutRequest($logout) ) {
$self->lmLog( "SLO request is not valid", 'error' );
$self->logger->error("SLO request is not valid");
}
}
# Set RelayState
if ($relaystate) {
$logout->msg_relayState($relaystate);
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
$self->logger->debug("Set $relaystate in RelayState");
}
# Do we set signature?
@ -665,26 +646,24 @@ sub extractFormInfo {
->{samlIDPMetaDataOptionsSignSLOMessage};
if ( $signSLOMessage == 0 ) {
$self->lmLog(
"SLO message to IDP $idpConfKey will not be signed",
'debug' );
$self->logger->debug(
"SLO message to IDP $idpConfKey will not be signed");
$self->disableSignature($logout);
}
elsif ( $signSLOMessage == 1 ) {
$self->lmLog( "SLO message to IDP $idpConfKey will be signed",
'debug' );
$self->logger->debug(
"SLO message to IDP $idpConfKey will be signed");
$self->forceSignature($logout);
}
else {
$self->lmLog(
"SLO message to IDP $idpConfKey signature according to metadata",
'debug'
$self->logger->debug(
"SLO message to IDP $idpConfKey signature according to metadata"
);
}
# Logout response
unless ( $self->buildLogoutResponseMsg($logout) ) {
$self->lmLog( "Unable to build SLO response", 'error' );
$self->logger->error("Unable to build SLO response");
return PE_SAML_SLO_ERROR;
}
@ -695,7 +674,7 @@ sub extractFormInfo {
# Redirect user to response URL
my $slo_url = $logout->msg_url;
$self->lmLog( "Redirect user to $slo_url", 'debug' );
$self->logger->debug("Redirect user to $slo_url");
$req->urldc($slo_url);
@ -726,7 +705,7 @@ sub extractFormInfo {
my $slo_body = $logout->msg_body;
$self->lmLog( "SOAP response $slo_body", 'debug' );
$self->logger->debug("SOAP response $slo_body");
$req->response(
[
@ -758,7 +737,7 @@ sub extractFormInfo {
else {
# This should not happen
$self->lmLog( "SLO request or response was not found", 'error' );
$self->logger->error("SLO request or response was not found");
# Redirect user
$req->mustRedirect(1);
@ -770,8 +749,8 @@ sub extractFormInfo {
# 1.3 Artifact
elsif ( $url =~ $self->artRe ) {
$self->lmLog( "URL $url detected as an artifact resolution service URL",
'debug' );
$self->logger->debug(
"URL $url detected as an artifact resolution service URL");
# Artifact request are sent with SOAP trough POST
my $art_request = $req->content;
@ -782,8 +761,8 @@ sub extractFormInfo {
# Process request message
unless ( $self->processArtRequestMsg( $login, $art_request ) ) {
$self->lmLog( "Unable to process artifact request message",
'error' );
$self->userLogger->error(
"Unable to process artifact request message");
return PE_SAML_ART_ERROR;
}
@ -794,8 +773,7 @@ sub extractFormInfo {
# Create artifact response
unless ( $art_response = $self->createArtifactResponse( $req, $login ) )
{
$self->lmLog( "Unable to create artifact response message",
'error' );
$self->logger("Unable to create artifact response message");
return PE_SAML_ART_ERROR;
}
@ -824,7 +802,7 @@ sub extractFormInfo {
# If confirmation is -1 from resolved IDP screen,
# or IDP was not resolve, let the user choose its IDP
if ( $confirm_flag == -1 or !$idp ) {
$self->lmLog( "Redirecting user to IDP list", 'debug' );
$self->logger->debug("Redirecting user to IDP list");
# Control url parameter
my $urlcheck = $self->p->controlUrl($req);
@ -860,7 +838,7 @@ sub extractFormInfo {
# If IDP is found but not confirmed, let the user confirm it
elsif ( $confirm_flag != 1 ) {
$self->lmLog( "IDP $idp selected, need user confirmation", 'debug' );
$self->logger->debug("IDP $idp selected, need user confirmation");
# Control url parameter
my $urlcheck = $self->p->controlUrl($req);
@ -889,7 +867,7 @@ sub extractFormInfo {
# Here confirmation is OK (confirm_flag == 1), store choosen IDP in cookie
unless ( $idp_cookie and $idp eq $idp_cookie ) {
$self->lmLog( "Build cookie to remember $idp as IDP choice", 'debug' );
$self->logger->debug("Build cookie to remember $idp as IDP choice");
# Control url parameter
my $urlcheck = $self->p->controlUrl($req);
@ -915,36 +893,31 @@ sub extractFormInfo {
my $idpConfKey = $self->idpList->{$idp}->{confKey};
unless ($idpConfKey) {
$self->lmLog( "$idp do not match any IDP in configuration", 'error' );
$self->logger->error("$idp do not match any IDP in configuration");
return PE_SAML_UNKNOWN_ENTITY;
}
$self->lmLog( "$idp match $idpConfKey IDP in configuration", 'debug' );
$self->logger->debug("$idp match $idpConfKey IDP in configuration");
# IDP ForceAuthn
my $forceAuthn =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $forceAuthn = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsForceAuthn};
# IDP IsPassive
my $isPassive =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $isPassive = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsIsPassive};
# IDP NameIDFormat
my $nameIDFormat =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $nameIDFormat = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsNameIDFormat};
$nameIDFormat = $self->getNameIDFormat($nameIDFormat) if $nameIDFormat;
# IDP ProxyRestriction
my $allowProxiedAuthn =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $allowProxiedAuthn = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsAllowProxiedAuthn};
# IDP HTTP method
my $method =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $method = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsSSOBinding};
$method = $self->getHttpMethod($method);
@ -958,21 +931,17 @@ sub extractFormInfo {
# Failback to HTTP-REDIRECT
unless ( defined $method and $method != -1 ) {
$self->lmLog( "No method found with IDP $idpConfKey for SSO profile",
'debug' );
$self->logger->debug(
"No method found with IDP $idpConfKey for SSO profile");
$method = $self->getHttpMethod("redirect");
}
$self->lmLog(
"Use method "
$self->logger->debug( "Use method "
. $self->getHttpMethodString($method)
. " with IDP $idpConfKey for SSO profile",
'debug'
);
. " with IDP $idpConfKey for SSO profile" );
# Set signature
my $signSSOMessage =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $signSSOMessage = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsSignSSOMessage} // -1;
# Authentication Context
@ -991,17 +960,17 @@ sub extractFormInfo {
);
unless ($login) {
$self->lmLog( "Could not create authentication request on $idpConfKey",
'error' );
$self->logger->error(
"Could not create authentication request on $idpConfKey");
return PE_SAML_SSO_ERROR;
}
$self->lmLog( "Authentication request created", 'debug' );
$self->logger->debug("Authentication request created");
# Keep assertion ID in memory to prevent replay
my $samlID = $login->request()->ID;
unless ( $self->storeReplayProtection($samlID) ) {
$self->lmLog( "Unable to store assertion ID", 'error' );
$self->logger->error("Unable to store assertion ID");
return PE_SAML_SSO_ERROR;
}
@ -1024,8 +993,8 @@ sub extractFormInfo {
$samlSessionInfo->update($infos);
$self->lmLog( "Keep initial SAML request data in memory for ID $samlID",
'debug' );
$self->logger->debug(
"Keep initial SAML request data in memory for ID $samlID");
}
# Send SSO request depending on request method
@ -1036,7 +1005,7 @@ sub extractFormInfo {
# Redirect user to response URL
my $sso_url = $login->msg_url;
$self->lmLog( "Redirect user to $sso_url", 'debug' );
$self->logger->debug("Redirect user to $sso_url");
$req->urldc($sso_url);
@ -1089,13 +1058,12 @@ sub setAuthSessionInfo {
my $assertion = $self->getAssertion($login);
unless ($assertion) {
$self->lmLog( "No assertion found", 'error' );
$self->logger->error("No assertion found");
return PE_SAML_SSO_ERROR;
}
# Force UTF-8
my $force_utf8 =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $force_utf8 = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsForceUTF8};
# Try to get attributes if attribute statement is present in assertion
@ -1140,7 +1108,7 @@ sub setAuthSessionInfo {
};
if ( $@ or !$sessionNotOnOrAfter ) {
$self->lmLog( "No SessionNotOnOrAfter value found", 'debug' );
$self->logger->debug("No SessionNotOnOrAfter value found");
}
else {
@ -1156,9 +1124,8 @@ sub setAuthSessionInfo {
# Use SAML time to determine the start of the session
my $new_utime = $samltime - $timeout;
$req->{sessionInfo}->{_utime} = $new_utime;
$self->lmLog(
"Adapt _utime with SessionNotOnOrAfter value, new _utime: $new_utime",
'debug'
$self->logger->debug(
"Adapt _utime with SessionNotOnOrAfter value, new _utime: $new_utime"
);
}
@ -1166,8 +1133,8 @@ sub setAuthSessionInfo {
# Establish federation (required for attribute request in UserDBSAML)
unless ( $self->acceptSSO($login) ) {
$self->lmLog( "Error while accepting SSO from IDP $idpConfKey",
'error' );
$self->userLogger->error(
"Error while accepting SSO from IDP $idpConfKey");
return PE_SAML_SSO_ERROR;
}
@ -1180,15 +1147,14 @@ sub setAuthSessionInfo {
$req->{sessionInfo}->{_lassoIdentityDump} = $identity->dump() if $identity;
# Keep SAML Token in session
my $store_samlToken =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $store_samlToken = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsStoreSAMLToken};
if ($store_samlToken) {
$self->lmLog( "Store SAML Token in session", 'debug' );
$self->logger->debug("Store SAML Token in session");
$req->{sessionInfo}->{_samlToken} = $req->datas->{_samlToken};
}
else {
$self->lmLog( "SAML Token will not be stored in session", 'debug' );
$self->logger->debug("SAML Token will not be stored in session");
}
$req->datas->{_lassoLogin} = $login;
@ -1210,12 +1176,9 @@ sub authFinish {
my $nameid = $req->datas->{_nameID};
my $session_index = $req->datas->{_sessionIndex};
$self->lmLog(
"Store NameID "
$self->logger->debug( "Store NameID "
. $nameid->dump
. " and SessionIndex $session_index for session $id",
'debug'
);
. " and SessionIndex $session_index for session $id" );
# Save SAML session
my $samlSessionInfo = $self->getSamlSession();
@ -1233,7 +1196,7 @@ sub authFinish {
my $session_id = $samlSessionInfo->id;
$self->lmLog( "Link session $id to SAML session $session_id", 'debug' );
$self->logger->debug("Link session $id to SAML session $session_id");
return PE_OK;
}
@ -1253,13 +1216,12 @@ sub authLogout {
my $session_dump = $req->{sessionInfo}->{_lassoSessionDump};
unless ($session_dump) {
$self->lmLog( "Could not get session dump from session", 'error' );
$self->logger->error("Could not get session dump from session");
return PE_SAML_SLO_ERROR;
}
# IDP HTTP method
$method =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
$method = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsSLOBinding};
$method = $self->getHttpMethod($method);
@ -1273,21 +1235,17 @@ sub authLogout {
# Skip SLO if no method found
unless ( defined $method and $method != -1 ) {
$self->lmLog( "No method found with IDP $idpConfKey for SLO profile",
'debug' );
$self->logger->debug(
"No method found with IDP $idpConfKey for SLO profile");
return PE_OK;
}
$self->lmLog(
"Use method "
$self->logger->debug( "Use method "
. $self->getHttpMethodString($method)
. " with IDP $idpConfKey for SLO profile",
'debug'
);
. " with IDP $idpConfKey for SLO profile" );
# Set signature
my $signSLOMessage =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $signSLOMessage = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsSignSLOMessage} // 0;
# Build Logout Request
@ -1295,15 +1253,15 @@ sub authLogout {
$self->createLogoutRequest( $req, $self->lassoServer, $session_dump,
$method, $signSLOMessage );
unless ($logout) {
$self->lmLog( "Could not create logout request", 'error' );
$self->logger->error("Could not create logout request");
return PE_SAML_SLO_ERROR;
}
$self->lmLog( "Logout request created", 'debug' );
$self->logger->debug("Logout request created");
# Keep request ID in memory to prevent replay
unless ( $self->storeReplayProtection( $logout->request()->ID ) ) {
$self->lmLog( "Unable to store Logout request ID", 'error' );
$self->logger->error("Unable to store Logout request ID");
return PE_SAML_SLO_ERROR;
}
@ -1315,7 +1273,7 @@ sub authLogout {
# Redirect user to response URL
my $slo_url = $logout->msg_url;
$self->lmLog( "Redirect user to $slo_url", 'debug' );
$self->logger->debug("Redirect user to $slo_url");
$req->urldc($slo_url);
@ -1331,7 +1289,7 @@ sub authLogout {
# Use autosubmit form
my $slo_url = $logout->msg_url;
my $slo_body = $logout->msg_body;
$self->lmLog( "Redirect user to $slo_url using autoPost", 'debug' );
$self->logger->debug("Redirect user to $slo_url using autoPost");
$req->postUrl($slo_url);
$req->postFields( { 'SAMLRequest' => $slo_body } );
@ -1355,7 +1313,7 @@ sub authLogout {
my $response = $self->sendSOAPMessage( $slo_url, $slo_body );
unless ($response) {
$self->lmLog( "No logout response to SOAP request", 'error' );
$self->logger->error("No logout response to SOAP request");
return PE_SAML_SLO_ERROR;
}
@ -1366,11 +1324,11 @@ sub authLogout {
my $result = $self->processLogoutResponseMsg( $logout, $response );
unless ($result) {
$self->lmLog( "Fail to process logout response", 'error' );
$self->logger->error("Fail to process logout response");
return PE_SAML_SLO_ERROR;
}
$self->lmLog( "Logout response is valid", 'debug' );
$self->logger->debug("Logout response is valid");
# Replay protection
my $samlID = $logout->response()->InResponseTo;
@ -1378,14 +1336,14 @@ sub authLogout {
unless ( $self->replayProtection($samlID) ) {
# Logout request was already consumed or is expired
$self->lmLog( "Message $samlID already used or expired", 'error' );
$self->logger->error("Message $samlID already used or expired");
return PE_SAML_SLO_ERROR;
}
return PE_OK;
}
else {
$self->lmLog( "Lasso method $method not implemented here", 'error' );
$self->logger->error("Lasso method $method not implemented here");
return PE_SAML_SLO_ERROR;
}
}
@ -1431,10 +1389,8 @@ sub getIDP {
my $idpConfKey = $self->idpList->{$_}->{confKey};
if ( $idpName eq $idpConfKey ) {
$idp = $_;
$self->lmLog(
"IDP $idp found from idpName URL Parameter ($idpName)",
'debug'
);
$self->logger->debug(
"IDP $idp found from idpName URL Parameter ($idpName)");
last;
}
}
@ -1442,7 +1398,7 @@ sub getIDP {
# Case 3: Recover IDP from cookie
if ( !$idp and $idp = $idp_cookie ) {
$self->lmLog( "IDP $idp found in IDP resolution cookie", 'debug' );
$self->logger->debug("IDP $idp found in IDP resolution cookie");
}
# Case 4: check all IDP resolution rules
@ -1450,13 +1406,12 @@ sub getIDP {
else {
foreach ( keys %{ $self->idpList } ) {
my $idpConfKey = $self->idpList->{$_}->{confKey};
my $cond =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
my $cond = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsResolutionRule};
next unless defined $cond;
if ( $self->safe->reval($cond) ) {
$self->lmLog( "IDP $idpConfKey resolution rule match",
'debug' );
$self->logger->debug(
"IDP $idpConfKey resolution rule match");
$idp = $_;
last;
}
@ -1468,9 +1423,8 @@ sub getIDP {
and $self->conf->{samlCommonDomainCookieActivation}
and $self->conf->{samlCommonDomainCookieReader} )
{
$self->lmLog(
"Will try to use Common Domain Cookie for IDP resolution",
'debug' );
$self->logger->debug(
"Will try to use Common Domain Cookie for IDP resolution");
# Add current URL to CDC Reader URL
my $return_url = encode_base64( $self->self_url(), '' );
@ -1483,7 +1437,7 @@ sub getIDP {
: '?url=' . $return_url
);
$self->lmLog( "Redirect user to $cdc_reader_url", 'debug' );
$self->logger->debug("Redirect user to $cdc_reader_url");
$req->urldc($cdc_reader_url);
@ -1491,7 +1445,7 @@ sub getIDP {
return PE_REDIRECT;
}
$self->lmLog( 'No IDP found', 'debug' ) unless ($idp);
$self->logger->debug('No IDP found') unless ($idp);
}
# Alert when selected IDP is unknown


@ -28,8 +28,8 @@ sub extractFormInfo {
$user_header =~ s/\-/_/g;
unless ( $req->{user} = $req->env->{$user_header} ) {
$self->lmLog( "No header " . $self->conf->{slaveUserHeader} . " found",
'error' );
$self->userLogger->error(
"No header " . $self->conf->{slaveUserHeader} . " found" );
return PE_USERNOTFOUND;
}
PE_OK;
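Review bot: The missing-header case at the new `$self->userLogger->error(` call is routed only to the user log, while an absent trusted header from the upstream proxy is usually a deployment problem or a request that did not pass through the proxy at all, which is something operators watch the system log for; comparable configuration failures in this commit (the Yubikey missing-parameter check) use `$self->logger->error`. If the user log is the intended place, a short comment stating why would help the next reader, e.g. `# Missing trusted header: recorded on the user log so per-request audit shows which requests arrived without it`. extractFormInfo starts outside the hunk.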


@ -56,7 +56,7 @@ sub extractFormInfo {
# 1. Request to authenticate
unless ( $req->param('twitterback') ) {
$self->lmLog( 'Redirection to Twitter', 'debug' );
$self->logger->debug('Redirection to Twitter');
# 1.1 Try to get token to dialog with Twitter
my $callback_url = $self->url();
@ -80,8 +80,7 @@ sub extractFormInfo {
# Forward hidden fields
if ( exists $req->{portalHiddenFormValues} ) {
$self->lmLog( "Add hidden values to Twitter redirect URL",
'debug' );
$self->logger->debug("Add hidden values to Twitter redirect URL");
foreach ( keys %{ $req->{portalHiddenFormValues} } ) {
$callback_url .=
@ -106,10 +105,10 @@ sub extractFormInfo {
my $request_url = $request->to_url;
$self->lmLog( "POST $request_url to Twitter", 'debug' );
$self->logger->debug("POST $request_url to Twitter");
my $res = $self->ua()->post($request_url);
$self->lmLog( "Twitter response: " . $res->as_string, 'debug' );
$self->logger->debug( "Twitter response: " . $res->as_string );
if ( $res->is_success ) {
my $response = Net::OAuth->response('request token')
@ -131,8 +130,8 @@ sub extractFormInfo {
$self->quit();
}
else {
$self->lmLog( 'Twitter OAuth protocol error: ' . $res->content,
'error' );
$self->logger->error(
'Twitter OAuth protocol error: ' . $res->content );
return PE_ERROR;
}
}
@ -141,13 +140,12 @@ sub extractFormInfo {
my $request_token = $req->param('oauth_token');
my $verifier = $req->param('oauth_verifier');
unless ( $request_token and $verifier ) {
$self->lmLog( 'Twitter OAuth protocol error', 'error' );
$self->logger->error('Twitter OAuth protocol error');
return PE_ERROR;
}
$self->lmLog(
"Get token $request_token and verifier $verifier from Twitter",
'debug' );
$self->logger->debug(
"Get token $request_token and verifier $verifier from Twitter");
# 2.1 Reconnect to Twitter
my $access = Net::OAuth->request("access token")->new(
@ -166,10 +164,10 @@ sub extractFormInfo {
my $access_url = $access->to_url;
$self->lmLog( "POST $access_url to Twitter", 'debug' );
$self->logger->debug("POST $access_url to Twitter");
my $res_access = $self->ua()->post($access_url);
$self->lmLog( "Twitter response: " . $res_access->as_string, 'debug' );
$self->logger->debug( "Twitter response: " . $res_access->as_string );
if ( $res_access->is_success ) {
my $response = Net::OAuth->response('access token')
@ -180,23 +178,20 @@ sub extractFormInfo {
$req->datas->{_twitterScreenName} =
$response->{extra_params}->{screen_name};
$self->lmLog(
"Get user id "
$self->logger->debug( "Get user id "
. $req->datas->{_twitterUserId}
. " and screen name "
. $req->datas->{_twitterScreenName},
'debug'
);
. $req->datas->{_twitterScreenName} );
}
else {
$self->lmLog( 'Twitter OAuth protocol error: ' . $res_access->content,
'error' );
$self->logger->error(
'Twitter OAuth protocol error: ' . $res_access->content );
return PE_ERROR;
}
# 2.4 Set $req->{user} to screen name
$req->user( $req->datas->{_twitterScreenName} );
$self->lmLog( "Good Twitter authentication for $req->{user}", 'debug' );
$self->logger->debug("Good Twitter authentication for $req->{user}");
# Force redirection to avoid displaying OAuth datas
$req->{mustRedirect} = 1;
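Review bot: The new `$self->logger->debug( "Twitter response: " . $res_access->as_string );` in the access-token step writes the entire HTTP response into the debug log, and the body of that response is where the OAuth access token and its secret arrive; the earlier request-token response is logged the same way, and the line logging `$request_token` and `$verifier` records the other half of the credential exchange. Debug logs are routinely shipped to shared log stores, so the token material should not be written there at all; the status line is enough to diagnose a failed exchange, e.g. `$self->logger->debug( "Twitter response: " . $res_access->status_line );`, with `$res->status_line` for the request-token call. extractFormInfo starts and ends outside the hunks shown.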


@ -40,7 +40,7 @@ sub init {
}
my $re = Regexp::Assemble->new();
foreach my $h (@hosts) {
$self->lmLog( "Add $h in WebID whitelist", 'debug' );
$self->logger->debug("Add $h in WebID whitelist");
$h = quotemeta($h);
$h =~ s/\\\*/\.\*\?/g;
$re->add($h);


@ -24,8 +24,8 @@ sub init {
unless ($self->conf->{yubikeyClientID}
and $self->conf->{yubikeySecretKey} )
{
$self->lmLog( "Missing mandatory parameters (Client ID and secret key)",
'error' );
$self->logger->error(
"Missing mandatory parameters (Client ID and secret key)");
return 0;
}
$self->conf->{yubikeyPublicIDSize} ||= 12;
@ -39,7 +39,7 @@ sub extractFormInfo {
my $otp = $req->param('yubikeyOTP');
return PE_FORMEMPTY unless $otp;
$self->lmLog( "Received Yubikey OTP $otp", 'debug' );
$self->logger->debug("Received Yubikey OTP $otp");
# Verify OTP
my $result = Auth::Yubikey_WebClient::yubikey_webclient(
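Review bot: The new `$self->logger->debug("Received Yubikey OTP $otp");` in extractFormInfo writes the full, not-yet-verified OTP to the log, although only the public-ID prefix is useful for diagnosing which key was presented. init already sets `$self->conf->{yubikeyPublicIDSize}` (default 12) in this file, so the message can log just that prefix: `$self->logger->debug( "Received Yubikey OTP for public ID " . substr( $otp, 0, $self->conf->{yubikeyPublicIDSize} ) );`. extractFormInfo continues outside the hunk.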


@ -113,7 +113,7 @@ sub extractFormInfo {
$self->p->userNotice("Captcha failed: wrong or expired code");
return PE_CAPTCHAERROR;
}
$self->lmLog( "Captcha code verified", 'debug' );
$self->logger->debug("Captcha code verified");
}
elsif ( $self->ott ) {
unless ( $self->ott->getToken($token) ) {


@ -40,12 +40,9 @@ sub init {
}
$self->cdc_name( $conf->{samlCommonDomainCookieName} || '_saml_idp' );
$self->cdc_domain( $conf->{samlCommonDomainCookieDomain} );
$self->lmLog( "[CDC] Cookie name: " . $self->cdc_name, 'debug' );
$self->lmLog(
"[CDC] Domain name: "
. ( $self->cdc_domain ? $self->cdc_domain : '<host name>' ),
'debug'
);
$self->logger->debug( "[CDC] Cookie name: " . $self->cdc_name );
$self->logger->debug( "[CDC] Domain name: "
. ( $self->cdc_domain ? $self->cdc_domain : '<host name>' ) );
foreach (qw(httpOnly cookieExpiration oldStyleUrl)) {
$self->$_( $conf->{$_} );
@ -71,7 +68,7 @@ sub handler {
# TODO: Control URL
#my $control_url = $self->_sub('controlUrlOrigin');
#unless ( $control_url == PE_OK ) {
# $self->lmLog( "[CDC] Bad URL", 'error' );
# $self->logger->error( "[CDC] Bad URL");
# return $control_url;
#}
@ -81,7 +78,7 @@ sub handler {
$cdc_cookie = $cookies{ $self->cdc_name } if %cookies;
if ($cdc_cookie) {
$self->lmLog( "[CDC] Cookie found with value $cdc_cookie", 'debug' );
$self->logger->debug("[CDC] Cookie found with value $cdc_cookie");
}
# Write request
@ -90,7 +87,7 @@ sub handler {
# Append IDP to common domain cookie
if ( $action eq 'write' ) {
$self->lmLog( "[CDC] Write request detected", 'debug' );
$self->logger->debug("[CDC] Write request detected");
# Check IDP value
unless ($idp) {
@ -98,7 +95,7 @@ sub handler {
}
# Add IDP value
$self->lmLog( "[CDC] Will add IDP $idp to IDP list", 'debug' );
$self->logger->debug("[CDC] Will add IDP $idp to IDP list");
my $encoded_idp = encode_base64( $idp, '' );
@ -109,9 +106,8 @@ sub handler {
$cdc_cookie .= ( $cdc_cookie ? " " : "" );
$cdc_cookie .= $encoded_idp;
$self->lmLog(
"[CDC] Build cookie $self->{cdc_name} with value $cdc_cookie",
'debug' );
$self->logger->debug(
"[CDC] Build cookie $self->{cdc_name} with value $cdc_cookie");
# Build cookie
$req->addCookie(
@ -130,15 +126,15 @@ sub handler {
elsif ( $action eq 'read' ) {
$self->lmLog( "[CDC] Read request detected", 'debug' );
$self->logger->debug("[CDC] Read request detected");
# Get last IDP from cookie
if ($cdc_cookie) {
$cdc_idp = decode_base64( ( split /\s+/, $cdc_cookie )[-1] );
$self->lmLog( "[CDC] Get value $cdc_idp", 'debug' );
$self->logger->debug("[CDC] Get value $cdc_idp");
}
else {
$self->lmLog( "[CDC] No cookie, set a default value", 'debug' );
$self->logger->debug("[CDC] No cookie, set a default value");
$cdc_idp = 'notfound';
}
}
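Review bot: The hunk at `@ -71,7 +68,7 @@` in handler rewrites a line inside the commented-out URL-control block (`# $self->logger->error( "[CDC] Bad URL");`), so the `# TODO: Control URL` dead code is carried forward instead of being implemented or dropped; since handler acts on request parameters, resolving that TODO is worth more than keeping the comment in sync. Separately, the new message `"[CDC] Build cookie $self->{cdc_name} with value $cdc_cookie"` reaches the attribute through the object hash while the rest of the new code in this file uses the `$self->cdc_name` accessor; `"[CDC] Build cookie " . $self->cdc_name . " with value $cdc_cookie"` keeps one style. handler starts and ends outside the hunks shown.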


@ -1,341 +0,0 @@
## @file
# Display functions for LemonLDAP::NG Portal
## @class
# Display functions for LemonLDAP::NG Portal
package Lemonldap::NG::Portal::Display;
use strict;
use Lemonldap::NG::Portal::Simple;
use utf8;
our $VERSION = '2.0.0';
## @method array display()
# Call portal process and set template parameters
# @return template name and template parameters
sub display {
my $self = shift;
my $skin_dir = $self->getApacheHtdocsPath() . "/skins";
my ( $skinfile, %templateParams );
my $http_error = $self->param('lmError');
# 0. Display error page
if ($http_error) {
$skinfile = 'error.tpl';
# Error code
my $error500 = 1 if ( $http_error eq "500" );
my $error403 = 1 if ( $http_error eq "403" );
my $error503 = 1 if ( $http_error eq "503" );
# Check URL
$self->_sub('controlUrlOrigin');
# Load session content
$self->_sub('controlExistingSession');
%templateParams = (
PORTAL_URL => $self->{portal},
LOGOUT_URL => $self->{portal} . "?logout=1",
URL => $self->{urldc},
ERROR403 => $error403,
ERROR500 => $error500,
ERROR503 => $error503,
);
}
# 1. Good authentication
elsif ( $self->process() ) {
# 1.1 Image mode
if ( $self->{error} == PE_IMG_OK || $self->{error} == PE_IMG_NOK ) {
$skinfile = "$skin_dir/common/"
. (
$self->{error} == PE_IMG_OK
? 'ok.png'
: 'warning.png'
);
$self->printImage( $skinfile, 'image/png' );
exit;
}
# 1.2 Case : there is a message to display
elsif ( my $info = $self->info() ) {
$skinfile = 'info.tpl';
%templateParams = (
AUTH_ERROR_TYPE => $self->error_type,
MSG => $info,
URL => $self->{urldc},
HIDDEN_INPUTS => $self->buildHiddenForm(),
ACTIVE_TIMER => $self->{activeTimer},
FORM_METHOD => $self->{infoFormMethod},
);
}
# 1.3 Redirection
elsif ( $self->{error} == PE_REDIRECT ) {
$skinfile = "redirect.tpl";
%templateParams = (
URL => $self->{urldc},
HIDDEN_INPUTS => $self->buildHiddenForm(),
FORM_METHOD => $self->{redirectFormMethod},
);
}
# 1.4 Case : display menu
else {
# Initialize menu elements
$self->_sub('menuInit');
$skinfile = 'menu.tpl';
my $auth_user = $self->{sessionInfo}->{ $self->{portalUserAttr} };
utf8::decode($auth_user);
%templateParams = (
AUTH_USER => $auth_user,
NEWWINDOW => $self->{portalOpenLinkInNewWindow},
AUTH_ERROR => $self->error( $self->{menuError} ),
AUTH_ERROR_TYPE => $self->error_type( $self->{menuError} ),
DISPLAY_TAB => $self->{menuDisplayTab},
LOGOUT_URL => "$ENV{SCRIPT_NAME}?logout=1",
REQUIRE_OLDPASSWORD => $self->{portalRequireOldPassword},
HIDE_OLDPASSWORD =>
0, # Do not hide old password if it is required
DISPLAY_MODULES => $self->{menuDisplayModules},
APPSLIST_MENU => $self->{menuAppslistMenu}, # For old templates
APPSLIST_DESC => $self->{menuAppslistDesc}, # For old templates
SCRIPT_NAME => $ENV{SCRIPT_NAME},
APPSLIST_ORDER => $self->{sessionInfo}->{'appsListOrder'},
PING => $self->{portalPingInterval},
);
}
}
# 2. Authentication not complete
# 2.1 A notification has to be done (session is created but hidden and unusable
# until the user has accept the message)
elsif ( my $notif = $self->notification ) {
$skinfile = 'notification.tpl';
%templateParams = (
AUTH_ERROR_TYPE => $self->error_type,
NOTIFICATION => $notif,
HIDDEN_INPUTS => $self->buildHiddenForm(),
AUTH_URL => $self->get_url,
CHOICE_PARAM => $self->{authChoiceParam},
CHOICE_VALUE => $self->{_authChoice},
);
}
# 2.2 An authentication (or userDB) module needs to ask a question
# before processing to the request
elsif ( $self->{error} == PE_CONFIRM ) {
$skinfile = 'confirm.tpl';
%templateParams = (
AUTH_ERROR => $self->error,
AUTH_ERROR_TYPE => $self->error_type,
AUTH_URL => $self->get_url,
MSG => $self->info(),
HIDDEN_INPUTS => $self->buildHiddenForm(),
ACTIVE_TIMER => $self->{activeTimer},
FORM_METHOD => $self->{confirmFormMethod},
CHOICE_PARAM => $self->{authChoiceParam},
CHOICE_VALUE => $self->{_authChoice},
CHECK_LOGINS => $self->{portalCheckLogins} && $self->{login},
ASK_LOGINS => $self->{checkLogins},
CONFIRMKEY => $self->stamp(),
LIST => $self->{list} || [],
REMEMBER => $self->{confirmRemember},
);
}
# 2.3 There is a message to display
elsif ( my $info = $self->info() ) {
$skinfile = 'info.tpl';
%templateParams = (
AUTH_ERROR => $self->error,
AUTH_ERROR_TYPE => $self->error_type,
MSG => $info,
URL => $self->{urldc},
HIDDEN_INPUTS => $self->buildHiddenForm(),
ACTIVE_TIMER => $self->{activeTimer},
FORM_METHOD => $self->{infoFormMethod},
CHOICE_PARAM => $self->{authChoiceParam},
CHOICE_VALUE => $self->{_authChoice},
);
}
# 2.4 OpenID menu page
elsif ($self->{error} == PE_OPENID_EMPTY
or $self->{error} == PE_OPENID_BADID )
{
$skinfile = 'openid.tpl';
my $p = $self->{portal} . $self->{issuerDBOpenIDPath};
$p =~ s#(?<!:)/\^?/#/#g;
%templateParams = (
AUTH_ERROR => $self->error,
AUTH_ERROR_TYPE => $self->error_type,
PROVIDERURI => $p,
ID => $self->{_openidPortal}
. $self->{sessionInfo}
->{ $self->{openIdAttr} || $self->{whatToTrace} },
PORTAL_URL => $self->{portal},
MSG => $self->info(),
);
}
# 2.5 Authentication has been refused OR this is the first access
else {
$skinfile = 'login.tpl';
%templateParams = (
AUTH_ERROR => $self->error,
AUTH_ERROR_TYPE => $self->error_type,
AUTH_URL => $self->get_url,
LOGIN => $self->get_user,
CHECK_LOGINS => $self->{portalCheckLogins},
ASK_LOGINS => $self->{checkLogins},
DISPLAY_RESETPASSWORD => $self->{portalDisplayResetPassword},
DISPLAY_REGISTER => $self->{portalDisplayRegister},
MAIL_URL => $self->{mailUrl},
REGISTER_URL => $self->{registerUrl},
HIDDEN_INPUTS => $self->buildHiddenForm(),
LOGIN_INFO => $self->loginInfo(),
);
# Display captcha if it's enabled
if ( $self->{captcha_login_enabled} ) {
%templateParams = (
%templateParams,
CAPTCHA_IMG => $self->{captcha_img},
CAPTCHA_CODE => $self->{captcha_code},
CAPTCHA_SIZE => $self->{captcha_size}
);
}
# Show password form if password policy error
if (
$self->{error} == PE_PP_CHANGE_AFTER_RESET
or $self->{error} == PE_PP_MUST_SUPPLY_OLD_PASSWORD
or $self->{error} == PE_PP_INSUFFICIENT_PASSWORD_QUALITY
or $self->{error} == PE_PP_PASSWORD_TOO_SHORT
or $self->{error} == PE_PP_PASSWORD_TOO_YOUNG
or $self->{error} == PE_PP_PASSWORD_IN_HISTORY
or $self->{error} == PE_PASSWORD_MISMATCH
or $self->{error} == PE_BADOLDPASSWORD
or $self->{error} == PE_PASSWORDFORMEMPTY
or ( $self->{error} == PE_PP_PASSWORD_EXPIRED
and $self->{ldapAllowResetExpiredPassword} )
)
{
%templateParams = (
%templateParams,
REQUIRE_OLDPASSWORD =>
1, # Old password is required to check user credentials
DISPLAY_FORM => 0,
DISPLAY_OPENID_FORM => 0,
DISPLAY_YUBIKEY_FORM => 0,
DISPLAY_PASSWORD => 1,
DISPLAY_RESETPASSWORD => 0,
AUTH_LOOP => [],
CHOICE_PARAM => $self->{authChoiceParam},
CHOICE_VALUE => $self->{_authChoice},
OLDPASSWORD =>
$self->checkXSSAttack( 'oldpassword', $self->{oldpassword} )
? ""
: $self->{oldpassword},
HIDE_OLDPASSWORD => $self->{hideOldPassword},
);
}
# Disable all forms on:
# * Logout message
# * Bad URL error
elsif ($self->{error} == PE_LOGOUT_OK
or $self->{error} == PE_BADURL )
{
%templateParams = (
%templateParams,
DISPLAY_RESETPASSWORD => 0,
DISPLAY_FORM => 0,
DISPLAY_OPENID_FORM => 0,
DISPLAY_YUBIKEY_FORM => 0,
AUTH_LOOP => [],
PORTAL_URL => $self->{portal},
MSG => $self->info(),
);
}
# Display authentifcation form
else {
# Authentication loop
if ( $self->{authLoop} ) {
%templateParams = (
%templateParams,
AUTH_LOOP => $self->{authLoop},
CHOICE_PARAM => $self->{authChoiceParam},
CHOICE_VALUE => $self->{_authChoice},
DISPLAY_FORM => 0,
DISPLAY_OPENID_FORM => 0,
DISPLAY_YUBIKEY_FORM => 0,
);
}
# Choose what form to display if not in a loop
else {
my $displayType = $self->getDisplayType();
$self->lmLog( "Display type $displayType ", 'debug' );
%templateParams = (
%templateParams,
DISPLAY_FORM => $displayType eq "standardform" ? 1 : 0,
DISPLAY_OPENID_FORM => $displayType eq "openidform" ? 1 : 0,
DISPLAY_YUBIKEY_FORM => $displayType eq "yubikeyform" ? 1
: 0,
DISPLAY_LOGO_FORM => $displayType eq "logo" ? 1 : 0,
module => $displayType eq "logo" ? $self->get_module('auth')
: "",
AUTH_LOOP => [],
PORTAL_URL => $displayType eq "logo" ? $self->{portal} : 0,
MSG => $self->info(),
);
}
}
}
## Common template params
my $skin = $self->getSkin();
my $portalPath = $self->{portal};
$portalPath =~ s#^https?://[^/]+/?#/#;
$portalPath =~ s#[^/]+\.fcgi$##;
%templateParams = (
%templateParams,
SKIN_PATH => $portalPath . "skins",
SKIN => $skin,
ANTIFRAME => $self->{portalAntiFrame},
SKIN_BG => $self->{portalSkinBackground},
);
## Custom template params
if ( my $customParams = $self->getCustomTemplateParameters() ) {
%templateParams = ( %templateParams, %$customParams );
}
return ( "$skin_dir/$skin/$skinfile", %templateParams );
}
1;


@ -61,7 +61,7 @@ sub run {
# 1. LOGIN
if ( $target eq $cas_login ) {
$self->lmLog( "URL $url detected as an CAS LOGIN URL", 'debug' );
$self->logger->debug("URL $url detected as an CAS LOGIN URL");
# GET parameters
my $service = $self->p->getHiddenFormValue( $req, 'service' )
@ -76,7 +76,7 @@ sub run {
if ( $renew and $renew eq 'true' ) {
# Authentication must be replayed
$self->lmLog( "Authentication renew requested", 'debug' );
$self->logger->debug("Authentication renew requested");
$self->{updateSession} = 1;
$req->steps(
[
@ -92,7 +92,7 @@ sub run {
# If no service defined, exit
unless ( defined $service ) {
$self->lmLog( "No service defined in CAS URL", 'debug' );
$self->logger->debug("No service defined in CAS URL");
return PE_OK;
}
@ -100,36 +100,34 @@ sub run {
my $casAccessControlPolicy = $self->conf->{casAccessControlPolicy};
if ( $casAccessControlPolicy =~ /^(error|faketicket)$/i ) {
$self->lmLog( "CAS access control requested on service $service",
'debug' );
$self->logger->debug(
"CAS access control requested on service $service");
## HERE
unless ( $service =~ m#^https?://([^/]+)(/.*)?$# ) {
$self->lmLog( "Bad service $service", 'error' );
$self->logger->error("Bad service $service");
return PE_ERROR;
}
my ( $host, $uri ) = ( $1, $2 );
if ( $self->p->HANDLER->grant( $req->sessionInfo, $1, undef, $2 ) )
{
$self->lmLog( "CAS service $service access allowed", 'debug' );
$self->logger->debug("CAS service $service access allowed");
}
else {
$self->lmLog( "CAS service $service access not allowed",
'error' );
$self->userLogger->error(
"CAS service $service access not allowed");
if ( $casAccessControlPolicy =~ /^(error)$/i ) {
$self->lmLog(
"Return error instead of redirecting user on CAS service",
'debug'
$self->logger->debug(
"Return error instead of redirecting user on CAS service"
);
return PE_CAS_SERVICE_NOT_ALLOWED;
}
else {
$self->lmLog(
"Redirect user on CAS service with a fake ticket",
'debug' );
$self->logger->debug(
"Redirect user on CAS service with a fake ticket");
$casServiceTicket = "ST-F4K3T1CK3T";
}
}
@ -145,21 +143,20 @@ sub run {
time() - $last_authn_utime <
$self->conf->{portalForceAuthnInterval} )
{
$self->lmLog(
"Authentication is recent, will set CAS renew flag to true",
'debug'
$self->logger->debug(
"Authentication is recent, will set CAS renew flag to true"
);
$casRenewFlag = 1;
}
# Create a service ticket
$self->lmLog( "Create a CAS service ticket for service $service",
'debug' );
$self->logger->debug(
"Create a CAS service ticket for service $service");
my $casServiceSession = $self->getCasSession();
unless ($casServiceSession) {
$self->lmLog( "Unable to create CAS session", 'error' );
$self->logger->error("Unable to create CAS session");
return PE_ERROR;
}
@ -175,8 +172,8 @@ sub run {
my $casServiceSessionID = $casServiceSession->id;
$casServiceTicket = "ST-" . $casServiceSessionID;
$self->lmLog( "CAS service session $casServiceSessionID created",
'debug' );
$self->logger->debug(
"CAS service session $casServiceSessionID created");
}
# Redirect to service
@ -187,7 +184,7 @@ sub run {
: '?ticket=' . $casServiceTicket
);
$self->lmLog( "Redirect user to $service_url", 'debug' );
$self->logger->debug("Redirect user to $service_url");
$req->{urldc} = $service_url;
@ -198,7 +195,7 @@ sub run {
# 2. LOGOUT
if ( $target eq $cas_logout ) {
$self->lmLog( "URL $url detected as an CAS LOGOUT URL", 'debug' );
$self->logger->debug("URL $url detected as an CAS LOGOUT URL");
# Disable Content-Security-Policy header since logout can be embedded
# in a frame
@ -213,14 +210,14 @@ sub run {
# Delete local session
if ( my $session = $self->p->getApacheSession($session_id) ) {
unless ( $self->p->_deleteSession( $req, $session ) ) {
$self->lmLog( "Fail to delete session $session_id ", 'error' );
$self->logger->error("Fail to delete session $session_id ");
}
if ($logout_url) {
# Display a link to the provided URL
$self->lmLog( "Logout URL $logout_url will be displayed",
'debug' );
$self->logger->debug(
"Logout URL $logout_url will be displayed");
$req->info(
'<h3 trmsg="back2CasUrl">The application you just logged out of has provided a link it would like you to follow</h3>'
@ -232,7 +229,7 @@ sub run {
}
}
else {
$self->lmLog( "Unknown session $session_id", 'info' );
$self->logger->info("Unknown session $session_id");
}
return PE_LOGOUT_OK;
@ -242,12 +239,11 @@ sub run {
# 3. VALIDATE [CAS 1.0]
if ( $target eq $cas_validate ) {
$self->lmLog( "URL $url detected as an CAS VALIDATE URL", 'debug' );
$self->logger->debug("URL $url detected as an CAS VALIDATE URL");
# This URL must not be called by authenticated users
$self->lmLog(
"CAS VALIDATE URL called by authenticated user, ignore it",
'info' );
$self->userLogger->info(
"CAS VALIDATE URL called by authenticated user, ignore it");
return PE_OK;
}
@ -255,14 +251,12 @@ sub run {
# 4. SERVICE VALIDATE [CAS 2.0]
if ( $target eq $cas_serviceValidate ) {
$self->lmLog( "URL $url detected as an CAS SERVICE VALIDATE URL",
'debug' );
$self->logger->debug(
"URL $url detected as an CAS SERVICE VALIDATE URL");
# This URL must not be called by authenticated users
$self->lmLog(
"CAS SERVICE VALIDATE URL called by authenticated user, ignore it",
'info'
);
$self->userLogger->info(
"CAS SERVICE VALIDATE URL called by authenticated user, ignore it");
return PE_OK;
}
@ -270,13 +264,11 @@ sub run {
# 5. PROXY VALIDATE [CAS 2.0]
if ( $target eq $cas_proxyValidate ) {
$self->lmLog( "URL $url detected as an CAS PROXY VALIDATE URL",
'debug' );
$self->logger->debug("URL $url detected as an CAS PROXY VALIDATE URL");
# This URL must not be called by authenticated users
$self->lmLog(
"CAS PROXY VALIDATE URL called by authenticated user, ignore it",
'info' );
$self->userLogger->info(
"CAS PROXY VALIDATE URL called by authenticated user, ignore it");
return PE_OK;
}
@ -284,11 +276,11 @@ sub run {
# 6. PROXY [CAS 2.0]
if ( $target eq $cas_proxy ) {
$self->lmLog( "URL $url detected as an CAS PROXY URL", 'debug' );
$self->logger->debug("URL $url detected as an CAS PROXY URL");
# This URL must not be called by authenticated users
$self->lmLog( "CAS PROXY URL called by authenticated user, ignore it",
'info' );
$self->userLogger->info(
"CAS PROXY URL called by authenticated user, ignore it");
return PE_OK;
}
@ -312,8 +304,8 @@ sub logout {
sub validate {
my ( $self, $req ) = @_;
$self->lmLog( 'URL ' . $req->uri . ' detected as an CAS VALIDATE URL',
'debug' );
$self->logger->debug(
'URL ' . $req->uri . ' detected as an CAS VALIDATE URL' );
# GET parameters
my $service = $req->param('service');
@ -322,27 +314,26 @@ sub validate {
# Required parameters: service and ticket
unless ( $service and $ticket ) {
$self->lmLog( "Service and Ticket parameters required", 'error' );
$self->logger->error("Service and Ticket parameters required");
return $self->returnCasValidateError();
}
$self->lmLog(
"Get validate request with ticket $ticket for service $service",
'debug' );
$self->logger->debug(
"Get validate request with ticket $ticket for service $service");
unless ( $ticket =~ s/^ST-// ) {
$self->lmLog( "Provided ticket is not a service ticket (ST)", 'error' );
$self->logger->error("Provided ticket is not a service ticket (ST)");
return $self->returnCasValidateError();
}
my $casServiceSession = $self->getCasSession($ticket);
unless ($casServiceSession) {
$self->lmLog( "Service ticket session $ticket not found", 'error' );
$self->logger->error("Service ticket session $ticket not found");
return $self->returnCasValidateError();
}
$self->lmLog( "Service ticket session $ticket found", 'debug' );
$self->logger->debug("Service ticket session $ticket found");
my $service1_uri = URI->new($service);
my $service2_uri = URI->new( $casServiceSession->data->{service} );
@ -354,38 +345,32 @@ sub validate {
if ( $service1_uri->rel($service2_uri) eq "./"
or $service2_uri->rel($service1_uri) eq "./" )
{
$self->lmLog(
$self->logger->notice(
"Submitted service $service1_uri does not exactly match initial service "
. $service2_uri
. ' but difference is tolerated.',
'warn'
);
. ' but difference is tolerated.' );
}
else {
$self->lmLog(
$self->logger->error(
"Submitted service $service does not match initial service "
. $casServiceSession->data->{service},
'error'
);
. $casServiceSession->data->{service} );
$self->deleteCasSession($casServiceSession);
return $self->returnCasValidateError();
}
}
else {
$self->lmLog( "Submitted service $service math initial servce",
'debug' );
$self->logger->debug("Submitted service $service math initial servce");
}
# Check renew
if ( $renew and $renew eq 'true' ) {
# We should check the ST was delivered with primary credentials
$self->lmLog( "Renew flag detected ", 'debug' );
$self->logger->debug("Renew flag detected ");
unless ( $casServiceSession->data->{renew} ) {
$self->lmLog(
"Authentication renew requested, but not done in former authentication process",
'error'
$self->logger->error(
"Authentication renew requested, but not done in former authentication process"
);
$self->deleteCasSession($casServiceSession);
return $self->returnCasValidateError();
@ -397,12 +382,9 @@ sub validate {
$self->p->getApacheSession( $casServiceSession->data->{_cas_id} );
unless ($localSession) {
$self->lmLog(
"Local session "
$self->logger->warn( "Local session "
. $casServiceSession->data->{_cas_id}
. " notfound",
'error'
);
. " notfound" );
$self->deleteCasSession($casServiceSession);
return $self->returnCasValidateError();
}
@ -412,7 +394,7 @@ sub validate {
$localSession->data->{ $self->conf->{casAttr}
|| $self->conf->{whatToTrace} };
$self->lmLog( "Get username $username", 'debug' );
$self->logger->debug("Get username $username");
# Return success message
$self->deleteCasSession($casServiceSession);
@ -437,9 +419,8 @@ sub proxyValidate {
sub _validate2 {
my ( $self, $urlType, $req ) = @_;
$self->lmLog(
'URL ' . $req->uri . " detected as an CAS $urlType VALIDATE URL",
'debug' );
$self->logger->debug(
'URL ' . $req->uri . " detected as an CAS $urlType VALIDATE URL" );
# GET parameters
my $service = $req->param('service');
@ -452,27 +433,24 @@ sub _validate2 {
# Required parameters: service and ticket
unless ( $service and $ticket ) {
$self->lmLog( "Service and Ticket parameters required", 'error' );
$self->logger->error("Service and Ticket parameters required");
return $self->returnCasServiceValidateError( 'INVALID_REQUEST',
'Missing mandatory parameters (service, ticket)' );
}
$self->lmLog(
"Get "
$self->logger->debug( "Get "
. lc($urlType)
. " validate request with ticket $ticket for service $service",
'debug'
);
. " validate request with ticket $ticket for service $service" );
# Get CAS session corresponding to ticket
if ( $urlType eq 'SERVICE' and !( $ticket =~ s/^ST-// ) ) {
$self->lmLog( "Provided ticket is not a service ticket (ST)", 'error' );
$self->logger->error("Provided ticket is not a service ticket (ST)");
return $self->returnCasServiceValidateError( 'INVALID_TICKET',
'Provided ticket is not a service ticket' );
}
elsif ( $urlType eq 'PROXY' and !( $ticket =~ s/^(P|S)T-// ) ) {
$self->lmLog( "Provided ticket is not a service or proxy ticket ($1T)",
'error' );
$self->userLogger->error(
"Provided ticket is not a service or proxy ticket ($1T)");
return $self->returnCasServiceValidateError( 'INVALID_TICKET',
'Provided ticket is not a service or proxy ticket' );
}
@ -480,12 +458,12 @@ sub _validate2 {
my $casServiceSession = $self->getCasSession($ticket);
unless ($casServiceSession) {
$self->lmLog( "$urlType ticket session $ticket not found", 'error' );
$self->logger->error("$urlType ticket session $ticket not found");
return $self->returnCasServiceValidateError( 'INVALID_TICKET',
'Ticket not found' );
}
$self->lmLog( "$urlType ticket session $ticket found", 'debug' );
$self->logger->debug("$urlType ticket session $ticket found");
my $service1_uri = URI->new($service);
my $service2_uri = URI->new( $casServiceSession->data->{service} );
@ -497,39 +475,34 @@ sub _validate2 {
if ( $service1_uri->rel($service2_uri) eq "./"
or $service2_uri->rel($service1_uri) eq "./" )
{
$self->lmLog(
$self->logger->notice(
"Submitted service $service1_uri does not exactly match initial service "
. $service2_uri
. ' but difference is tolerated.',
'warn'
);
. ' but difference is tolerated.' );
}
else {
$self->lmLog(
$self->userLogger->error(
"Submitted service $service does not match initial service "
. $casServiceSession->data->{service},
'error'
);
. $casServiceSession->data->{service} );
$self->deleteCasSession($casServiceSession);
return $self->returnCasServiceValidateError( 'INVALID_SERVICE',
'Submitted service does not match initial service' );
}
}
else {
$self->lmLog( "Submitted service $service match initial service",
'debug' );
$self->logger->debug(
"Submitted service $service match initial service");
}
# Check renew
if ( $renew and $renew eq 'true' ) {
# We should check the ST was delivered with primary credentials
$self->lmLog( "Renew flag detected ", 'debug' );
$self->logger->debug("Renew flag detected ");
unless ( $casServiceSession->data->{renew} ) {
$self->lmLog(
"Authentication renew requested, but not done in former authentication process",
'error'
$self->logger->error(
"Authentication renew requested, but not done in former authentication process"
);
$self->deleteCasSession($casServiceSession);
return $self->returnCasValidateError();
@ -544,8 +517,8 @@ sub _validate2 {
if ($pgtUrl) {
# Create a proxy granting ticket
$self->lmLog( "Create a CAS proxy granting ticket for service $service",
'debug' );
$self->logger->debug(
"Create a CAS proxy granting ticket for service $service");
my $casProxyGrantingSession = $self->getCasSession();
@ -571,9 +544,8 @@ sub _validate2 {
$casProxyGrantingSession->update($PGinfos);
$self->lmLog(
"CAS proxy granting session $casProxyGrantingSessionID created",
'debug'
$self->logger->debug(
"CAS proxy granting session $casProxyGrantingSessionID created"
);
# Generate the proxy granting ticket IOU
@ -583,9 +555,8 @@ sub _validate2 {
$casProxyGrantingTicketIOU = "PGTIOU-" . $tmpCasSession->id;
$self->deleteCasSession($tmpCasSession);
$self->lmLog(
"Generate proxy granting ticket IOU $casProxyGrantingTicketIOU",
'debug'
$self->logger->debug(
"Generate proxy granting ticket IOU $casProxyGrantingTicketIOU"
);
# Request pgtUrl
@ -596,22 +567,20 @@ sub _validate2 {
)
)
{
$self->lmLog(
"Proxy granting URL $pgtUrl called with success",
'debug' );
$self->logger->debug(
"Proxy granting URL $pgtUrl called with success");
}
else {
$self->lmLog( "Error calling proxy granting URL $pgtUrl",
'warn' );
$self->logger->error(
"Error calling proxy granting URL $pgtUrl");
$casProxyGrantingTicketIOU = undef;
}
}
}
else {
$self->lmLog(
"Error in proxy granting ticket management, bypass it",
'warn' );
$self->logger->warn(
"Error in proxy granting ticket management, bypass it");
}
}
@ -620,12 +589,9 @@ sub _validate2 {
$self->p->getApacheSession( $casServiceSession->data->{_cas_id} );
unless ($localSession) {
$self->lmLog(
"Local session "
$self->userLogger->error( "Local session "
. $casServiceSession->data->{_cas_id}
. " notfound",
'error'
);
. " notfound" );
$self->deleteCasSession($casServiceSession);
return $self->returnCasServiceValidateError( 'INTERNAL_ERROR',
'No session associated to ticket' );
@ -636,7 +602,7 @@ sub _validate2 {
$localSession->data->{ $self->conf->{casAttr}
|| $self->conf->{whatToTrace} };
$self->lmLog( "Get username $username", 'debug' );
$self->logger->debug("Get username $username");
# Get attributes [CAS 3.0]
my $attributes = {};


@ -22,19 +22,19 @@ sub run {
$req->path =~ m#^$self->{conf}->{issuerDBGetPath}/(log(?:in|out))#;
my $logInOut = $1 || 'login';
if ( $logInOut eq 'login' ) {
$self->lmLog( "IssuerGet: request for login", 'debug' );
$self->logger->debug("IssuerGet: request for login");
$self->computeGetParams($req);
return PE_OK;
}
elsif ( $logInOut eq 'logout' ) {
$self->lmLog( "IssuerGet: request for logout", 'debug' );
$self->logger->debug("IssuerGet: request for logout");
# TODO
# Display a link to the provided URL
return PE_OK;
}
else {
$self->lmLog( "IssuerGet: bad url", 'error' );
$self->logger->error("IssuerGet: bad url");
return PE_BADURL;
}
}
@ -53,21 +53,21 @@ sub computeGetParams {
my @getPrms;
if ( exists $self->conf->{issuerDBGetParameters} ) {
unless ( $req->urldc =~ m#^https?://([^/]+)# ) {
$self->lmLog( "Malformed url $req->urldc", 'error' );
$self->logger->error("Malformed url $req->urldc");
return;
}
my $vhost = $1;
my $prms = $self->conf->{issuerDBGetParameters}->{$vhost};
unless ($prms) {
$self->lmLog( "IssuerGet: $vhost has no configuration", 'warn' );
$self->logger->warn("IssuerGet: $vhost has no configuration");
return '';
}
foreach my $param ( keys %$prms ) {
my $value =
eval { uri_escape( $req->{sessionInfo}->{ $prms->{$param} } ) };
if ($@) {
$self->lmLog( "IssuerGet: unable to compute $param ($@)",
'error' );
$self->logger->error(
"IssuerGet: unable to compute $param ($@)");
return;
}
$value =~ s/[\r\n\t]//;
@ -75,7 +75,7 @@ sub computeGetParams {
}
}
else {
$self->lmLog( "IssuerGet: no configuration", 'warn' );
$self->logger->warn("IssuerGet: no configuration");
return;
}
my $getVars = join '&', @getPrms;
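Review bot: `$self->logger->error("Malformed url $req->urldc")` in computeGetParams does not interpolate the method call — Perl only expands `->[...]` and `->{...}` inside a double-quoted string, so the log line will contain the stringified `$req` object followed by the literal text `->urldc`; write it as `$self->logger->error( "Malformed url " . $req->urldc )`. That value is the one the `m#^https?://([^/]+)#` match on the previous line rejected, so it is exactly what an operator needs to see when debugging a bad redirect. On the same hunk's new side, `$value =~ s/[\r\n\t]//;` removes only the first control character for lack of `/g`, although `uri_escape` on the line before should already have encoded them. As a point of style, the `unless ($prms)` branch returns `''` while the other failure branches use a bare `return`; if callers distinguish the two cases that deserves a comment, otherwise make them consistent.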


@ -72,7 +72,7 @@ sub forUnauthUser {
my ( $self, $req ) = @_;
my $mode = $req->param('openid.mode');
unless ($mode) {
$self->lmLog( 'OpenID SP test', 'debug' );
$self->logger->debug('OpenID SP test');
return PE_OPENID_EMPTY;
}
if ( $mode eq 'associate' ) {
@ -91,14 +91,13 @@ sub run {
my $mode = $req->param('openid.mode');
unless ($mode) {
$self->lmLog( 'OpenID SP test', 'debug' );
$self->logger->debug('OpenID SP test');
return PE_OPENID_EMPTY;
}
unless ( $mode =~ /^checkid_(?:immediate|setup)/ ) {
$self->lmLog(
"OpenID error : $mode is not known at this step (issuerForAuthUser)",
'error'
$self->logger->error(
"OpenID error : $mode is not known at this step (issuerForAuthUser)"
);
return PE_ERROR;
}
@ -149,13 +148,13 @@ sub openIDServer {
my $tmp = $trust_root;
$tmp =~ s#^http://(.*?)/#$1#;
if ( $tmp =~ $self->spList xor $self->listIsWhite ) {
$self->lmLog( "$trust_root is forbidden for openID exchange",
'warn' );
$self->userLogger->warn(
"$trust_root is forbidden for openID exchange");
$req->datas->{_openIdForbidden} = 1;
return 0;
}
elsif ( $req->{sessionInfo}->{"_openidTrust$trust_root"} ) {
$self->lmLog( 'OpenID request already trusted', 'debug' );
$self->logger->debug('OpenID request already trusted');
return 1;
}
elsif ( $req->param("confirm") and $req->param("confirm") == 1 ) {
@ -169,7 +168,7 @@ sub openIDServer {
return 0;
}
else {
$self->lmLog( 'OpenID request not trusted', 'debug' );
$self->logger->debug('OpenID request not trusted');
$req->datas->{_openIdTrustRequired} = 1;
return 0;
}
@ -194,7 +193,7 @@ sub _openIDResponse {
# Redirect
if ( $type eq 'redirect' ) {
$self->lmLog( "OpenID redirection to $data", 'debug' );
$self->logger->debug("OpenID redirection to $data");
$req->{urldc} = $data;
return PE_REDIRECT;
}
@ -209,7 +208,7 @@ sub _openIDResponse {
$req->info('<h3 trspan="openidExchange,$data->{trust_root}"></h3>');
$req->info( $req->datas->{_openIdTrustExtMsg} )
if ( $req->datas->{_openIdTrustExtMsg} );
$self->lmLog( 'OpenID confirmation', 'debug' );
$self->logger->debug('OpenID confirmation');
return PE_CONFIRM;
}
elsif ( $req->datas->{_badOpenIdentity} ) {
@ -231,7 +230,7 @@ sub _openIDResponse {
}
}
elsif ($type) {
$self->lmLog( "OpenID generated page ($type)", 'debug' );
$self->logger->debug("OpenID generated page ($type)");
$req->response( [ 200, [ 'Content-Type' => $type ], [$data] ] );
}
else {
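Review bot: `$self->logger->error("OpenID error : $mode is not known at this step (issuerForAuthUser)")` in run() echoes the request-supplied `openid.mode` value straight into the technical error log, while the comparable client-driven refusal in openIDServer (`"$trust_root is forbidden for openID exchange"`) is routed to `userLogger` by this commit; an unexpected mode is a client error too, so `$self->userLogger->warn(...)` would keep the technical/user-activity split the commit appears to introduce. Both `$mode` and `$trust_root` come verbatim from the request, so consider restricting them to printable characters or a bounded length before logging, so that a client cannot inject line breaks into the log stream. Note also that the single-quoted `$req->info('<h3 trspan="openidExchange,$data->{trust_root}"></h3>')` context line in _openIDResponse will not interpolate `$data->{trust_root}`; that may be intentional if the template layer expands it, but it is worth confirming.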


@ -90,8 +90,8 @@ sub run {
# AUTHORIZE
if ( $path eq $self->conf->{oidcServiceMetaDataAuthorizeURI} ) {
$self->lmLog( "URL detected as an OpenID Connect AUTHORIZE URL",
'debug' );
$self->logger->debug(
"URL detected as an OpenID Connect AUTHORIZE URL");
# Get and save parameters
my $oidc_request = {};
@ -103,11 +103,8 @@ sub run {
{
if ( $req->param($param) ) {
$oidc_request->{$param} = $req->param($param);
$self->lmLog(
"OIDC request parameter $param: "
. $oidc_request->{$param},
'debug'
);
$self->logger->debug( "OIDC request parameter $param: "
. $oidc_request->{$param} );
}
}
@ -116,13 +113,11 @@ sub run {
my $flow = $self->getFlowType($response_type);
unless ($flow) {
$self->lmLog( "Unknown response type: $response_type",
'error' );
$self->logger->error("Unknown response type: $response_type");
return PE_ERROR;
}
$self->lmLog(
"OIDC $flow flow requested (response type: $response_type)",
'debug' );
$self->logger->debug(
"OIDC $flow flow requested (response type: $response_type)");
# Extract request_uri/request parameter
if ( $oidc_request->{'request_uri'} ) {
@ -133,8 +128,7 @@ sub run {
$oidc_request->{'request'} = $request;
}
else {
$self->lmLog( "Error with Request URI resolution",
'error' );
$self->logger->error("Error with Request URI resolution");
return PE_ERROR;
}
}
@ -145,9 +139,8 @@ sub run {
# Override OIDC parameters by request content
foreach ( keys %$request ) {
$self->lmLog(
"Override $_ OIDC param by value present in request parameter",
'debug'
$self->logger->debug(
"Override $_ OIDC param by value present in request parameter"
);
$oidc_request->{$_} = $request->{$_};
$self->p->setHiddenFormValue( $_, $request->{$_}, '' );
@ -156,11 +149,11 @@ sub run {
# Check all required parameters
unless ( $oidc_request->{'redirect_uri'} ) {
$self->lmLog( "Redirect URI is required", 'error' );
$self->logger->error("Redirect URI is required");
return PE_ERROR;
}
unless ( $oidc_request->{'scope'} ) {
$self->lmLog( "Scope is required", 'error' );
$self->logger->error("Scope is required");
$self->returnRedirectError(
$req,
$oidc_request->{'redirect_uri'},
@ -172,7 +165,7 @@ sub run {
);
}
unless ( $oidc_request->{'client_id'} ) {
$self->lmLog( "Client ID is required", 'error' );
$self->logger->error("Client ID is required");
return $self->returnRedirectError(
$req,
$oidc_request->{'redirect_uri'},
@ -185,7 +178,7 @@ sub run {
}
if ( $flow eq "implicit" and not defined $oidc_request->{'nonce'} )
{
$self->lmLog( "Nonce is required for implicit flow", 'error' );
$self->logger->error("Nonce is required for implicit flow");
return $self->returnRedirectError(
$req, $oidc_request->{'redirect_uri'},
"invalid_request", "nonce required",
@ -197,8 +190,8 @@ sub run {
if ( $flow eq "authorizationcode"
and not $self->conf->{oidcServiceAllowAuthorizationCodeFlow} )
{
$self->lmLog( "Authorization code flow is not allowed",
'error' );
$self->userLogger->error(
"Authorization code flow is not allowed");
return $self->returnRedirectError(
$req, $oidc_request->{'redirect_uri'},
"server_error", "Authorization code flow not allowed",
@ -209,7 +202,7 @@ sub run {
if ( $flow eq "implicit"
and not $self->conf->{oidcServiceAllowImplicitFlow} )
{
$self->lmLog( "Implicit flow is not allowed", 'error' );
$self->logger->error("Implicit flow is not allowed");
return $self->returnRedirectError(
$req, $oidc_request->{'redirect_uri'},
"server_error", "Implicit flow not allowed",
@ -220,7 +213,7 @@ sub run {
if ( $flow eq "hybrid"
and not $self->conf->{oidcServiceAllowHybridFlow} )
{
$self->lmLog( "Hybrid flow is not allowed", 'error' );
$self->logger->error("Hybrid flow is not allowed");
return $self->returnRedirectError(
$req, $oidc_request->{'redirect_uri'},
"server_error", "Hybrid flow not allowed",
@ -233,9 +226,8 @@ sub run {
my $reauthentication = 0;
my $prompt = $oidc_request->{'prompt'};
if ( $prompt and $prompt =~ /\blogin\b/ ) {
$self->lmLog(
"Reauthentication requested by Relying Party in prompt parameter",
'debug'
$self->logger->debug(
"Reauthentication requested by Relying Party in prompt parameter"
);
$reauthentication = 1;
}
@ -243,9 +235,8 @@ sub run {
my $max_age = $oidc_request->{'max_age'};
my $_lastAuthnUTime = $req->{sessionInfo}->{_lastAuthnUTime};
if ( $max_age && time > $_lastAuthnUTime + $max_age ) {
$self->lmLog(
"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)",
'debug'
$self->logger->debug(
"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)"
);
$reauthentication = 1;
}
@ -272,7 +263,7 @@ sub run {
# Check openid scope
unless ( $oidc_request->{'scope'} =~ /\bopenid\b/ ) {
$self->lmLog( "No openid scope found", 'debug' );
$self->logger->debug("No openid scope found");
#TODO manage standard OAuth request
return PE_OK;
@ -280,15 +271,14 @@ sub run {
# Check client_id
my $client_id = $oidc_request->{'client_id'};
$self->lmLog( "Request from client id $client_id", 'debug' );
$self->logger->debug("Request from client id $client_id");
# Verify that client_id is registered in configuration
my $rp = $self->getRP($client_id);
unless ($rp) {
$self->lmLog(
"No registered Relying Party found with client_id $client_id",
'error'
$self->logger->error(
"No registered Relying Party found with client_id $client_id"
);
return $self->returnRedirectError(
$req,
@ -301,7 +291,7 @@ sub run {
);
}
else {
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
$self->logger->debug("Client id $client_id match RP $rp");
}
# Check Request JWT signature
@ -313,12 +303,12 @@ sub run {
)
)
{
$self->lmLog( "Request JWT signature could not be verified",
'error' );
$self->logger->error(
"Request JWT signature could not be verified");
return PE_ERROR;
}
else {
$self->lmLog( "Request JWT signature verified", 'debug' );
$self->logger->debug("Request JWT signature verified");
}
}
@ -333,8 +323,8 @@ sub run {
$redirect_uri_allowed = 1 if $redirect_uri eq $_;
}
unless ($redirect_uri_allowed) {
$self->lmLog( "Redirect URI $redirect_uri not allowed",
'error' );
$self->userLogger->error(
"Redirect URI $redirect_uri not allowed");
return PE_BADURL;
}
}
@ -343,7 +333,7 @@ sub run {
my $id_token_hint = $oidc_request->{'id_token_hint'};
if ($id_token_hint) {
$self->lmLog( "Check sub of ID Token $id_token_hint", 'debug' );
$self->logger->debug("Check sub of ID Token $id_token_hint");
# Check that id_token_hint sub match current user
my $sub = $self->getIDTokenSub($id_token_hint);
@ -353,9 +343,8 @@ sub run {
|| $self->conf->{whatToTrace};
my $user_id = $req->{sessionInfo}->{$user_id_attribute};
unless ( $sub eq $user_id ) {
$self->lmLog(
"ID Token hint sub $sub do not match user $user_id",
'error' );
$self->userLogger->error(
"ID Token hint sub $sub do not match user $user_id");
return $self->returnRedirectError(
$req,
$oidc_request->{'redirect_uri'},
@ -367,8 +356,8 @@ sub run {
);
}
else {
$self->lmLog( "ID Token hint sub $sub match current user",
'debug' );
$self->logger->debug(
"ID Token hint sub $sub match current user");
}
}
@ -376,9 +365,8 @@ sub run {
my $bypassConsent = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsBypassConsent};
if ($bypassConsent) {
$self->lmLog(
"Consent is disabled for RP $rp, user will not be prompted",
'debug'
$self->logger->debug(
"Consent is disabled for RP $rp, user will not be prompted"
);
}
else {
@ -392,9 +380,8 @@ sub run {
my $consent_scope =
$req->{sessionInfo}->{"_oidc_consent_scope_$rp"};
$self->lmLog(
"Consent already given for Relying Party $rp (time: $consent_time, scope: $consent_scope)",
'debug'
$self->logger->debug(
"Consent already given for Relying Party $rp (time: $consent_time, scope: $consent_scope)"
);
# Check accepted scope
@ -402,14 +389,12 @@ sub run {
split( /\s+/, $oidc_request->{'scope'} ) )
{
if ( $consent_scope =~ /\b$requested_scope\b/ ) {
$self->lmLog(
"Scope $requested_scope already accepted",
'debug' );
$self->logger->debug(
"Scope $requested_scope already accepted");
}
else {
$self->lmLog(
"Scope $requested_scope was not previously accepted",
'debug'
$self->logger->debug(
"Scope $requested_scope was not previously accepted"
);
$ask_for_consent = 1;
last;
@ -431,15 +416,14 @@ sub run {
$oidc_request->{'scope'}
}
);
$self->lmLog( "Consent given for Relying Party $rp",
'debug' );
$self->logger->debug(
"Consent given for Relying Party $rp");
}
elsif ( $req->param('confirm')
and $req->param('confirm') == -1 )
{
$self->lmLog(
"User refused consent for Relying party $rp",
'debug' );
$self->logger->debug(
"User refused consent for Relying party $rp");
return $self->returnRedirectError(
$req,
$oidc_request->{'redirect_uri'},
@ -451,15 +435,13 @@ sub run {
);
}
else {
$self->lmLog(
"Obtain user consent for Relying Party $rp",
'debug' );
$self->logger->debug(
"Obtain user consent for Relying Party $rp");
# Return error if prompt is none
if ( $prompt and $prompt =~ /\bnone\b/ ) {
$self->lmLog(
"Consent is needed but prompt is none",
'debug' );
$self->logger->debug(
"Consent is needed but prompt is none");
return $self->returnRedirectError(
$req,
$oidc_request->{'redirect_uri'},
@ -526,7 +508,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
my $codeSession = $self->getOpenIDConnectSession();
my $code = $codeSession->id();
$self->lmLog( "Generated code: $code", 'debug' );
$self->logger->debug("Generated code: $code");
# Store data in session
$codeSession->update(
@ -546,7 +528,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
$session_state
);
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->logger->debug("Redirect user to $response_url");
$req->urldc($response_url);
return PE_REDIRECT;
@ -564,9 +546,8 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
my $accessTokenSession = $self->getOpenIDConnectSession;
unless ($accessTokenSession) {
$self->lmLog(
"Unable to create OIDC session for access_token",
"error" );
$self->logger->error(
"Unable to create OIDC session for access_token");
$self->returnRedirectError( $req,
$oidc_request->{'redirect_uri'},
"server_error", undef, undef,
@ -585,8 +566,8 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
$access_token = $accessTokenSession->id;
$self->lmLog( "Generated access token: $access_token",
'debug' );
$self->logger->debug(
"Generated access token: $access_token");
# Compute hash to store in at_hash
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
@ -642,7 +623,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
my $id_token =
$self->createIDToken( $id_token_payload_hash, $rp );
$self->lmLog( "Generated id token: $id_token", 'debug' );
$self->logger->debug("Generated id token: $id_token");
# Send token response
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
@ -656,7 +637,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
$session_state
);
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->logger->debug("Redirect user to $response_url");
$req->urldc($response_url);
return PE_REDIRECT;
@ -679,7 +660,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
my $codeSession = $self->getOpenIDConnectSession();
my $code = $codeSession->id();
$self->lmLog( "Generated code: $code", 'debug' );
$self->logger->debug("Generated code: $code");
# Store data in session
$codeSession->update(
@ -701,9 +682,8 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
my $accessTokenSession = $self->getOpenIDConnectSession;
unless ($accessTokenSession) {
$self->lmLog(
"Unable to create OIDC session for access_token",
"error" );
$self->logger->error(
"Unable to create OIDC session for access_token");
return $self->returnRedirectError( $req,
$oidc_request->{'redirect_uri'},
"server_error", undef, undef,
@ -722,8 +702,8 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
$access_token = $accessTokenSession->id;
$self->lmLog( "Generated access token: $access_token",
'debug' );
$self->logger->debug(
"Generated access token: $access_token");
# Compute hash to store in at_hash
$at_hash = $self->createHash( $access_token, $hash_level );
@ -769,7 +749,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
$id_token =
$self->createIDToken( $id_token_payload_hash, $rp );
$self->lmLog( "Generated id token: $id_token", 'debug' );
$self->logger->debug("Generated id token: $id_token");
}
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
@ -783,30 +763,27 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
$session_state
);
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->logger->debug("Redirect user to $response_url");
$req->urldc($response_url);
return PE_REDIRECT;
}
$self->lmLog( "No flow has been selected", 'debug' );
$self->logger->debug("No flow has been selected");
return PE_OK;
}
# LOGOUT
elsif ( $path eq $self->conf->{oidcServiceMetaDataEndSessionURI} ) {
$self->lmLog( "URL detected as an OpenID Connect END SESSION URL",
'debug' );
$self->logger->debug(
"URL detected as an OpenID Connect END SESSION URL");
# Set hidden fields
my $oidc_request = {};
foreach my $param (qw/id_token_hint post_logout_redirect_uri state/)
{
if ( $oidc_request->{$param} = $req->param($param) ) {
$self->lmLog(
"OIDC request parameter $param: "
. $oidc_request->{$param},
'debug'
);
$self->logger->debug( "OIDC request parameter $param: "
. $oidc_request->{$param} );
$self->p->setHiddenFormValue( $param,
$oidc_request->{$param}, '' );
}
@ -830,7 +807,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
$self->buildLogoutResponse( $post_logout_redirect_uri,
$state );
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->logger->debug("Redirect user to $response_url");
$req->urldc($response_url);
return PE_REDIRECT;
}
@ -844,23 +821,22 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
return PE_CONFIRM;
}
}
$self->lmLog( "Unknown OIDC endpoint $path, skipping", 'error' );
$self->logger->error("Unknown OIDC endpoint $path, skipping");
return PE_ERROR;
}
# Handle token endpoint
sub token {
my ( $self, $req ) = @_;
$self->lmLog( "URL detected as an OpenID Connect TOKEN URL", 'debug' );
$self->logger->debug("URL detected as an OpenID Connect TOKEN URL");
# Check authentication
my ( $client_id, $client_secret ) =
$self->getEndPointAuthenticationCredentials($req);
unless ( $client_id && $client_secret ) {
$self->lmLog(
"No authentication provided to get token, or authentication type not supported",
"error"
$self->logger->error(
"No authentication provided to get token, or authentication type not supported"
);
return $self->p->sendError( $req, 'unauthorized_client', 401 );
}
@ -869,43 +845,39 @@ sub token {
my $rp = $self->getRP($client_id);
unless ($rp) {
$self->lmLog(
"No registered Relying Party found with client_id $client_id",
'error' );
$self->userLogger->error(
"No registered Relying Party found with client_id $client_id");
return $self->p->sendError( $req, "unauthorized_client", 403 );
}
else {
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
$self->logger->debug("Client id $client_id match RP $rp");
}
# Check client_secret
unless ( $client_secret eq $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsClientSecret} )
{
$self->lmLog( "Wrong credentials for $rp", "error" );
$self->logger->error("Wrong credentials for $rp");
return $self->p->sendError( "access_denied", 403 );
}
# Get code session
my $code = $req->param('code');
$self->lmLog( "OpenID Connect Code: $code", 'debug' );
$self->logger->debug("OpenID Connect Code: $code");
my $codeSession = $self->getOpenIDConnectSession($code);
unless ($codeSession) {
$self->lmLog( "Unable to find OIDC session $code", "error" );
$self->logger->error("Unable to find OIDC session $code");
$self->p->sendError( $req, "invalid_grant", 400 );
}
# Check we have the same redirect_uri value
unless ( $req->param("redirect_uri") eq $codeSession->data->{redirect_uri} )
{
$self->lmLog(
"Provided redirect_uri is different from "
. $codeSession->{redirect_uri},
"error"
);
$self->userLogger->error( "Provided redirect_uri is different from "
. $codeSession->{redirect_uri} );
$self->p->sendError( $req, "invalid_request", 400 );
}
@ -915,9 +887,8 @@ sub token {
noInfo => 1 );
unless ($apacheSession) {
$self->lmLog(
"Unable to find user session linked to OIDC session $code",
"error" );
$self->userLogger->error(
"Unable to find user session linked to OIDC session $code");
$codeSession->remove();
$self->p->sendError( $req, "invalid_request", 400 );
}
@ -928,14 +899,14 @@ sub token {
|| $self->conf->{whatToTrace};
my $user_id = $apacheSession->data->{$user_id_attribute};
$self->lmLog( "Found corresponding user: $user_id", 'debug' );
$self->logger->debug("Found corresponding user: $user_id");
# Generate access_token
my $accessTokenSession = $self->getOpenIDConnectSession;
unless ($accessTokenSession) {
$self->lmLog( "Unable to create OIDC session for access_token",
"error" );
$self->userLogger->error(
"Unable to create OIDC session for access_token");
$codeSession->remove();
$self->p->sendError( $req, "invalid_request", 400 );
}
@ -952,7 +923,7 @@ sub token {
my $access_token = $accessTokenSession->id;
$self->lmLog( "Generated access token: $access_token", 'debug' );
$self->logger->debug("Generated access token: $access_token");
# Compute hash to store in at_hash
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
@ -973,8 +944,8 @@ sub token {
aud => [$client_id], # Audience
exp => $id_token_exp, # expiration
iat => time, # Issued time
auth_time =>
$apacheSession->data->{_lastAuthnUTime}, # Authentication time
auth_time => $apacheSession->data->{_lastAuthnUTime}
, # Authentication time
acr => $id_token_acr, # Authentication Context Class Reference
azp => $client_id, # Authorized party
# TODO amr
@ -987,7 +958,7 @@ sub token {
# Create ID Token
my $id_token = $self->createIDToken( $id_token_payload_hash, $rp );
$self->lmLog( "Generated id token: $id_token", 'debug' );
$self->logger->debug("Generated id token: $id_token");
# Send token response
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
@ -1000,7 +971,7 @@ sub token {
id_token => $id_token,
};
$self->lmLog( "Send token response", 'debug' );
$self->logger->debug("Send token response");
$codeSession->remove();
return $self->p->sendJSONresponse( $req, $token_response );
@ -1009,23 +980,23 @@ sub token {
# Handle uerinfo endpoint
sub userInfo {
my ( $self, $req ) = @_;
$self->lmLog( "URL detected as an OpenID Connect USERINFO URL", 'debug' );
$self->logger->debug("URL detected as an OpenID Connect USERINFO URL");
my $access_token = $self->getEndPointAccessToken($req);
unless ($access_token) {
$self->lmLog( "Unable to get access_token", "error" );
$self->logger->error("Unable to get access_token");
return $self->returnBearerError( "invalid_request",
"Access token not found in request" );
}
$self->lmLog( "Received Access Token $access_token", 'debug' );
$self->logger->debug("Received Access Token $access_token");
my $accessTokenSession = $self->getOpenIDConnectSession($access_token);
unless ($accessTokenSession) {
$self->lmLog( "Unable to get access token session for id $access_token",
"error" );
$self->userLogger->error(
"Unable to get access token session for id $access_token");
return $self->returnBearerError( "invalid_token",
"Access Token not found or expired" );
}
@ -1050,7 +1021,7 @@ sub userInfo {
else {
my $userinfo_jwt =
$self->createJWT( $userinfo_response, $userinfo_sign_alg, $rp );
$self->lmLog( "Return UserInfo as JWT: $userinfo_jwt", 'debug' );
$self->logger->debug("Return UserInfo as JWT: $userinfo_jwt");
return [
200,
[
@ -1065,7 +1036,7 @@ sub userInfo {
# Handle jwks endpoint
sub jwks {
my ( $self, $req ) = @_;
$self->lmLog( "URL detected as an OpenID Connect JWKS URL", 'debug' );
$self->logger->debug("URL detected as an OpenID Connect JWKS URL");
my $jwks = { keys => [] };
@ -1078,26 +1049,25 @@ sub jwks {
$key->{kid} = $key_id_sig if $key_id_sig;
push @{ $jwks->{keys} }, $key;
}
$self->lmLog( "Send JWKS response sent", 'debug' );
$self->logger->debug("Send JWKS response sent");
return $self->p->sendJSONresponse( $req, $jwks );
}
# Handle register endpoint
sub registration {
my ( $self, $req ) = @_;
$self->lmLog( "URL detected as an OpenID Connect REGISTRATION URL",
'debug' );
$self->logger->debug("URL detected as an OpenID Connect REGISTRATION URL");
# TODO: check Initial Access Token
# Specific message to allow DOS detection
my $source_ip = $req->address;
$self->lmLog( "OpenID Connect Registration request from $source_ip",
'warn' );
$self->logger->notice(
"OpenID Connect Registration request from $source_ip");
# Check dynamic registration is allowed
unless ( $self->conf->{oidcServiceAllowDynamicRegistration} ) {
$self->lmLog( "Dynamic registration is not allowed", 'error' );
$self->logger->error("Dynamic registration is not allowed");
$self->p->sendError( $req, 'server_error' );
}
@ -1107,14 +1077,14 @@ sub registration {
return $self->p->sendError( $req, 'Missing POST datas', 400 );
}
$self->lmLog( "Client metadata received: $client_metadata_json", 'debug' );
$self->logger->debug("Client metadata received: $client_metadata_json");
my $client_metadata = $self->decodeJSON($client_metadata_json);
my $registration_response = {};
# Check redirect_uris
unless ( $client_metadata->{redirect_uris} ) {
$self->lmLog( "Field redirect_uris is mandatory", 'error' );
$self->logger->error("Field redirect_uris is mandatory");
return $self->p->sendError( $req, 'invalid_client_metadata', 400 );
}
@ -1179,13 +1149,12 @@ sub registration {
if defined $userinfo_signed_response_alg;
}
else {
$self->lmLog(
"Configuration not saved: $Lemonldap::NG::Common::Conf::msg",
'error' );
$self->logger->error(
"Configuration not saved: $Lemonldap::NG::Common::Conf::msg");
return $self->p->sendError( $req, 'server_error', 500 );
}
$self->lmLog( "Registration response sent", 'debug' );
$self->logger->debug("Registration response sent");
return $self->p->sendJSONresponse( $req, $registration_response,
code => 201 );
}
@ -1193,9 +1162,8 @@ sub registration {
# Handle logout endpoint for unauthenticated users
sub endSessionDone {
my ( $self, $req ) = @_;
$self->lmLog( "URL detected as an OpenID Connect END SESSION URL",
'debug' );
$self->lmLog( "User is already logged out", 'debug' );
$self->logger->debug("URL detected as an OpenID Connect END SESSION URL");
$self->logger->debug("User is already logged out");
my $post_logout_redirect_uri = $req->param('post_logout_redirect_uri');
my $state = $req->param('state');
@ -1206,7 +1174,7 @@ sub endSessionDone {
my $response_url =
$self->buildLogoutResponse( $post_logout_redirect_uri, $state );
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->logger->debug("Redirect user to $response_url");
return [ 302, [ Location => $response_url ], [] ];
}
@ -1217,8 +1185,8 @@ sub endSessionDone {
# Handle checksession endpoint
sub checkSession {
my ( $self, $req ) = @_;
$self->lmLog( "URL detected as an OpenID Connect CHECK SESSION URL",
'debug' );
$self->logger->debug(
"URL detected as an OpenID Connect CHECK SESSION URL");
# TODO: access_control_allow_origin => '*'
$req->frame(1);
@ -1252,7 +1220,7 @@ sub addRouteFromConf {
my $sub = $subs{$_};
my $path = $self->conf->{$_};
unless ($path) {
$self->lmLog( "$_ parameter not defined", 'error' );
$self->logger->error("$_ parameter not defined");
next;
}
$self->$adder( $self->path => { $path => $sub }, [ 'GET', 'POST' ] );
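Review bot: The new `$self->userLogger->error( "Provided redirect_uri is different from " . $codeSession->{redirect_uri} )` in token() reads the session object as a plain hash, while the comparison two lines above uses `$codeSession->data->{redirect_uri}`, so the logged value is most likely empty; change it to `. $codeSession->data->{redirect_uri}`. That branch, and the neighbouring `unless ($codeSession)`, `unless ($apacheSession)` and `unless ($accessTokenSession)` branches, call `$self->p->sendError( $req, ... )` without `return`, unlike the `unless ($rp)` branch which does `return $self->p->sendError(...)`; unless sendError dies (not visible here), token() keeps running after a failed redirect_uri or session check and continues toward issuing a token, so each of those should read `return $self->p->sendError(...)`. The same missing `return` appears in registration() after `"Dynamic registration is not allowed"`, where `$self->p->sendError( $req, 'server_error' )` is followed by processing of the client metadata. Separately, `$self->p->sendError( "access_denied", 403 )` in the client_secret check omits the `$req` first argument that every other sendError call in this file passes. run() begins before the first hunk shown and token(), registration() and the other handlers continue past their hunks, so the surrounding control flow should be checked in the full file.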



@ -49,8 +49,8 @@ sub getCasSession {
$self->p->userInfo("CAS session $id isn't yet available");
}
else {
$self->lmLog( "Unable to create new CAS session", 'error' );
$self->lmLog( $casSession->error, 'error' );
$self->logger->error("Unable to create new CAS session");
$self->logger->error( $casSession->error );
}
return undef;
}
@ -62,7 +62,7 @@ sub getCasSession {
sub returnCasValidateError {
my ( $self, $req ) = @_;
$self->lmLog( "Return CAS validate error", 'debug' );
$self->logger->debug("Return CAS validate error");
return [ 200, [ 'Content-Length' => 4 ], ["no\n\n"] ];
}
@ -71,8 +71,7 @@ sub returnCasValidateError {
sub returnCasValidateSuccess {
my ( $self, $req, $username ) = @_;
$self->lmLog( "Return CAS validate success with username $username",
'debug' );
$self->logger->debug("Return CAS validate success with username $username");
return $self->sendSoapResponse( $req, "yes\n$username\n" );
}
@ -84,7 +83,7 @@ sub returnCasServiceValidateError {
$code ||= 'INTERNAL_ERROR';
$text ||= 'No description provided';
$self->lmLog( "Return CAS service validate error $code ($text)", 'debug' );
$self->logger->debug("Return CAS service validate error $code ($text)");
return $self->sendSoapResponse(
$req, "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
@ -99,8 +98,8 @@ sub returnCasServiceValidateError {
sub returnCasServiceValidateSuccess {
my ( $self, $req, $username, $pgtIou, $proxies, $attributes ) = @_;
$self->lmLog( "Return CAS service validate success with username $username",
'debug' );
$self->logger->debug(
"Return CAS service validate success with username $username");
my $s = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
\t<cas:authenticationSuccess>
@ -121,13 +120,12 @@ sub returnCasServiceValidateSuccess {
$s .= "\t\t</cas:attributes>\n";
}
if ( defined $pgtIou ) {
$self->lmLog( "Add proxy granting ticket $pgtIou in response",
'debug' );
$self->logger->debug("Add proxy granting ticket $pgtIou in response");
$s .=
"\t\t<cas:proxyGrantingTicket>$pgtIou</cas:proxyGrantingTicket>\n";
}
if ($proxies) {
$self->lmLog( "Add proxies $proxies in response", 'debug' );
$self->logger->debug("Add proxies $proxies in response");
$s .= "\t\t<cas:proxies>\n\t\t\t<cas:proxy>$_</cas:proxy>\n"
foreach ( split( /$self->{multiValuesSeparator}/, $proxies ) );
$s .= "\t\t</cas:proxies>\n";
@ -144,7 +142,7 @@ sub returnCasProxyError {
$code ||= 'INTERNAL_ERROR';
$text ||= 'No description provided';
$self->lmLog( "Return CAS proxy error $code ($text)", 'debug' );
$self->logger->debug("Return CAS proxy error $code ($text)");
return $self->sendSoapResponse(
$req, "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
@ -159,7 +157,7 @@ sub returnCasProxyError {
sub returnCasProxySuccess {
my ( $self, $req, $ticket ) = @_;
$self->lmLog( "Return CAS proxy success with ticket $ticket", 'debug' );
$self->logger->debug("Return CAS proxy success with ticket $ticket");
return $self->sendSoapResponse(
$req, "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
@ -188,7 +186,7 @@ sub deleteCasSecondarySessions {
foreach my $cas_session (@cas_sessions_keys) {
# Get session
$self->lmLog( "Retrieve CAS session $cas_session", 'debug' );
$self->logger->debug("Retrieve CAS session $cas_session");
my $casSession = $self->getCasSession($cas_session);
@ -197,8 +195,7 @@ sub deleteCasSecondarySessions {
}
}
else {
$self->lmLog( "No CAS session found for session $session_id ",
'debug' );
$self->logger->debug("No CAS session found for session $session_id ");
}
return $result;
@ -211,7 +208,7 @@ sub deleteCasSession {
# Check session object
unless ( $session && $session->data ) {
$self->lmLog( "No session to delete", 'error' );
$self->logger->error("No session to delete");
return 0;
}
@ -220,11 +217,11 @@ sub deleteCasSession {
# Delete session
unless ( $session->remove ) {
$self->lmLog( $session->error, 'error' );
$self->logger->error( $session->error );
return 0;
}
$self->lmLog( "CAS session $session_id deleted", 'debug' );
$self->logger->debug("CAS session $session_id deleted");
return 1;
}
@ -237,7 +234,7 @@ sub callPgtUrl {
my $url =
$pgtUrl . ( $pgtUrl =~ /\?/ ? '&' : '?' ) . "pgtIou=$pgtIou&pgtId=$pgtId";
$self->lmLog( "Call URL $url", 'debug' );
$self->logger->debug("Call URL $url");
# GET URL
my $response = $self->ua->get($url);


@ -58,21 +58,21 @@ sub validateCaptcha {
my ( $self, $token, $value ) = @_;
my $s = $self->ott->getToken($token);
unless ($s) {
$self->lmLog( "Captcha token $token isn't valid", 'warn' );
$self->logger->warn("Captcha token $token isn't valid");
return 0;
}
unless ( $s->{captcha} == $value ) {
$self->lmLog( 'Bad captcha response', 'notice' );
$self->logger->notice('Bad captcha response');
return 0;
}
$self->lmLog( 'Good captcha response', 'debug' );
$self->logger->debug('Good captcha response');
return 1;
}
sub setCaptcha {
my ( $self, $req ) = @_;
my ( $token, $image ) = $self->getCaptcha;
$self->lmLog( 'Prepare captcha', 'debug' );
$self->logger->debug('Prepare captcha');
$req->token($token);
$req->captcha($image);
}
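Review bot: The two failed-captcha branches in validateCaptcha are routed to the generic logger (`$self->logger->warn("Captcha token $token isn't valid")` and `$self->logger->notice('Bad captcha response')`), while the rest of this commit sends user-attributable failures such as "Bad old password" to userLogger. A rejected captcha is the same kind of event, and keeping it on the generic logger splits the audit trail an operator would use to spot brute-force attempts across two logs. Unless the split is intentional, `$self->userLogger->warn("Captcha token $token isn't valid");` and `$self->userLogger->notice('Bad captcha response');` keep it consistent with the LDAP and XML-notification changes in the same commit. Note that `$token` comes from the request and is interpolated verbatim into the log line; that was already the case before this change.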


@ -37,16 +37,13 @@ sub init {
. $mods[$type];
if ( $module = $self->loadPlugin( $name, $module ) ) {
$self->modules->{$name} = $module;
$self->p->lmLog(
$self->logger->debug(
[qw(Authentication User Password)]->[$type]
. " module $name selected",
'debug'
);
. " module $name selected" );
}
else {
$self->lmLog(
"Choice: unable to load $name, disabling it: " . $self->error,
'error' );
$self->logger->error(
"Choice: unable to load $name, disabling it: " . $self->error );
$self->error('');
}
}
@ -65,7 +62,7 @@ sub checkChoice {
or return 0;
return $name if ( $req->datas->{ "enabledMods" . $self->type } );
unless ( defined $self->modules->{$name} ) {
$self->lmLog( "Unknown choice '$name'", 'error' );
$self->logger->error("Unknown choice '$name'");
return 0;
}
$req->sessionInfo->{_choice} = $name;
@ -94,7 +91,7 @@ sub _buildAuthLoop {
# Test authentication choices
unless ( ref $self->conf->{authChoiceModules} eq 'HASH' ) {
$self->lmLog( "No authentication choices defined", 'warn' );
$self->logger->warn("No authentication choices defined");
return [];
}
@ -121,7 +118,7 @@ sub _buildAuthLoop {
# Default URL
$url = ( defined $url ? $url .= $req->env->{'REQUEST_URI'} : '#' );
$self->lmLog( "Use URL $url", 'debug' );
$self->logger->debug("Use URL $url");
# Options to store in the loop
my $optionsLoop =
@ -132,8 +129,7 @@ sub _buildAuthLoop {
my $displayType = "Lemonldap::NG::Portal::Auth::${auth}"
->can('getDisplayType')->( undef, $req );
$self->lmLog( "Display type $displayType for module $auth",
'debug' );
$self->logger->debug("Display type $displayType for module $auth");
$optionsLoop->{$displayType} = 1;
# If displayType is logo, check if key.png is available
@ -151,8 +147,8 @@ sub _buildAuthLoop {
# Register item in loop
push @authLoop, $optionsLoop;
$self->lmLog( "Authentication choice $name will be displayed",
'debug' );
$self->logger->debug(
"Authentication choice $name will be displayed");
}
else {


@ -31,7 +31,7 @@ sub dbh {
);
};
if ($@) {
$_[0]->{p}->lmLog( "DBI connection error: $@", 'error' );
$_[0]->{p}->logger->error("DBI connection error: $@");
return 0;
}
return $_[0]->{_dbh};
@ -54,12 +54,12 @@ sub init {
sub hash_password {
my ( $self, $password, $hash ) = @_;
if ( $hash =~ /^(md5|sha|sha1|encrypt)$/i ) {
$self->lmLog( "Using " . uc($hash) . " to hash password", 'debug' );
$self->logger->debug( "Using " . uc($hash) . " to hash password" );
return uc($hash) . "($password)";
}
else {
$self->lmLog( "No valid password hash, using clear text for password",
'warn' );
$self->logger->notice(
"No valid password hash, using clear text for password");
return $password;
}
@ -115,12 +115,12 @@ sub check_password {
if ($@) {
# If connection isn't available, error is displayed by dbh()
$self->lmLog( "DBI error: $@", 'error' ) if ( $self->_dbh );
$self->logger->error("DBI error: $@") if ( $self->_dbh );
return 0;
}
if ( @rows == 1 ) {
$self->lmLog( "One row returned by SQL query", 'debug' );
$self->logger->debug("One row returned by SQL query");
return 1;
}
else {
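Review bot: In hash_password the replacement line `$self->logger->notice(` for "No valid password hash, using clear text for password" lowers the severity from the original `'warn'`, whereas every other substitution in this section keeps the level it replaces. This branch means the configured hash name was not recognised and passwords will be compared as clear text, which is a misconfiguration an operator should see at warning level; `$self->logger->warn(` preserves the previous behaviour unless the downgrade is deliberate. The body of hash_password ends inside the hunk but the surrounding file is not visible here.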


@ -29,16 +29,16 @@ sub newLdap {
)
{
if ( $msg->code != 0 ) {
$self->lmLog( "LDAP error: " . $msg->error, 'error' );
$self->logger->error( "LDAP error: " . $msg->error );
}
else {
if ( $self->{conf}->{ldapPpolicyControl} and not $ldap->loadPP() ) {
$self->lmLog( "LDAP password policy error", 'error' );
$self->logger->error("LDAP password policy error");
}
}
}
else {
$self->lmLog( "LDAP error: $@", 'error' );
$self->logger->error("LDAP error: $@");
}
return $ldap;
}
@ -51,7 +51,7 @@ has filter => (
sub buildFilter {
my $conf = $_[0]->{conf};
$_[0]->{p}->lmLog( "LDAP Search base: $_[0]->{conf}->{ldapBase}", 'debug' );
$_[0]->{p}->logger->debug("LDAP Search base: $_[0]->{conf}->{ldapBase}");
# TODO : mailLDAPFilter
my $filter =
@ -63,7 +63,7 @@ sub buildFilter {
$filter =~ s/\$req->\{sessionInfo\}->\{user\}/\$req->{user}/g;
$filter =~
s/\$req->\{sessionInfo\}->\{(_?password|mail)\}/\$req->{datas}->{$1}/g;
$_[0]->{p}->lmLog( "LDAP transformed filter: $filter", 'debug' );
$_[0]->{p}->logger->debug("LDAP transformed filter: $filter");
$filter = "sub{my(\$req)=\$_[0];return \"$filter\";}";
return eval $filter;
}
@ -74,6 +74,7 @@ sub init {
my ($self) = @_;
$self->ldap and $self->filter;
}
# RUNNING METHODS
# Test LDAP connection before trying to bind
@ -84,10 +85,10 @@ sub bind {
{
$self->ldap( $self->newLdap );
}
return undef unless($self->ldap);
return undef unless ( $self->ldap );
my $msg = $self->ldap->bind(@_);
if ( $msg->code ) {
$self->lmLog( $msg->error, 'error' );
$self->logger->error( $msg->error );
return undef;
}
return 1;


@ -55,7 +55,7 @@ sub new {
( $conf->{caPath} ? ( capath => $conf->{caPath} ) : () ),
);
unless ($self) {
$portal->lmLog( $@, 'error' );
$portal->logger->error($@);
return 0;
}
bless $self, $class;
@ -65,7 +65,7 @@ sub new {
$h{capath} = $conf->{caPath} if ( $conf->{caPath} );
my $mesg = $self->start_tls(%h);
if ( $mesg->code ) {
$portal->lmLog( 'StartTLS failed', 'error' );
$portal->logger->error('StartTLS failed');
return 0;
}
}
@ -122,7 +122,7 @@ sub unbind {
my $self = shift;
my $ldap_uri = $self->uri;
$self->{portal}->lmLog( "Unbind and disconnect from $ldap_uri", 'debug' );
$self->{portal}->logger->debug("Unbind and disconnect from $ldap_uri");
my $mesg = $self->SUPER::unbind();
$self->SUPER::disconnect();
@ -147,9 +147,8 @@ sub loadPP {
# Require Perl module
eval { require Net::LDAP::Control::PasswordPolicy };
if ($@) {
$self->{portal}->lmLog(
"Module Net::LDAP::Control::PasswordPolicy not found in @INC",
'error' );
$self->{portal}->logger->error(
"Module Net::LDAP::Control::PasswordPolicy not found in @INC");
return 0;
}
$ppLoaded = 1;
@ -261,7 +260,7 @@ sub userModifyPassword {
$oldpassword =
utf8( chr(34) . $oldpassword . chr(34) )->utf16le();
}
$self->{portal}->lmLog( "Active Directory mode enabled", 'debug' );
$self->{portal}->logger->debug("Active Directory mode enabled");
}
@ -275,7 +274,7 @@ sub userModifyPassword {
$mesg = $self->bind( $dn, password => $oldpassword );
if ( $mesg->code != 0 ) {
$self->{portal}->lmLog( "Bad old password", 'debug' );
$self->{portal}->userLogger->notice("Bad old password");
return PE_BADOLDPASSWORD;
}
}
@ -296,7 +295,7 @@ sub userModifyPassword {
# Catch the "Unwilling to perform" error
if ( $mesg->code == 53 ) {
$self->{portal}->lmLog( "Bad old password", 'debug' );
$self->{portal}->userLogger->notice("Bad old password");
return PE_BADOLDPASSWORD;
}
}
@ -334,7 +333,7 @@ sub userModifyPassword {
# 52e: password is incorrect
unless ( ( $1 eq '532' ) || ( $1 eq '773' ) ) {
$self->{portal}
->lmLog( "Bad old password", 'warn' );
->userLogger->warn("Bad old password");
return PE_BADOLDPASSWORD;
}
}
@ -345,7 +344,7 @@ sub userModifyPassword {
{ # this is not AD, a 0 error code means good old password
if ( $mesg->code != 0 ) {
$self->{portal}
->lmLog( "Bad old password", 'warn' );
->userLogger->warn('Bad old password');
return PE_BADOLDPASSWORD;
}
}
@ -361,7 +360,7 @@ sub userModifyPassword {
}
}
$self->{portal}
->lmLog( "Modification return code: " . $mesg->code, 'debug' );
->logger->debug( 'Modification return code: ' . $mesg->code );
return PE_WRONGMANAGERACCOUNT
if ( $mesg->code == 50 || $mesg->code == 8 );
return PE_PP_INSUFFICIENT_PASSWORD_QUALITY
@ -395,7 +394,7 @@ sub userModifyPassword {
unless ( defined $bind_resp ) {
if ( $mesg->code != 0 ) {
$self->{portal}->lmLog( "Bad old password", 'debug' );
$self->{portal}->logger->debug("Bad old password");
return PE_BADOLDPASSWORD;
}
}
@ -407,15 +406,13 @@ sub userModifyPassword {
and $pp_error == 0
and $self->{conf}->{ldapAllowResetExpiredPassword} )
{
$self->{portal}->lmLog(
"Password is expired but user is allowed to change it",
'debug'
$self->{portal}->logger->debug(
"Password is expired but user is allowed to change it"
);
}
else {
if ( $mesg->code != 0 ) {
$self->{portal}
->lmLog( "Bad old password", 'debug' );
$self->{portal}->logger->debug("Bad old password");
return PE_BADOLDPASSWORD;
}
}
@ -442,7 +439,7 @@ sub userModifyPassword {
# Catch the "Unwilling to perform" error
if ( $mesg->code == 53 ) {
$self->{portal}->lmLog( "Bad old password", 'debug' );
$self->{portal}->logger->debug("Bad old password");
return PE_BADOLDPASSWORD;
}
}
@ -459,7 +456,7 @@ sub userModifyPassword {
unless ( defined $bind_resp ) {
if ( $mesg->code != 0 ) {
$self->{portal}->lmLog( "Bad old password", 'debug' );
$self->{portal}->logger->debug("Bad old password");
return PE_BADOLDPASSWORD;
}
}
@ -471,15 +468,13 @@ sub userModifyPassword {
and $pp_error == 0
and $self->{conf}->{ldapAllowResetExpiredPassword} )
{
$self->{portal}->lmLog(
"Password is expired but user is allowed to change it",
'debug'
$self->{portal}->logger->debug(
"Password is expired but user is allowed to change it"
);
}
else {
if ( $mesg->code != 0 ) {
$self->{portal}
->lmLog( "Bad old password", 'debug' );
$self->{portal}->logger->debug("Bad old password");
return PE_BADOLDPASSWORD;
}
}
@ -502,7 +497,7 @@ sub userModifyPassword {
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
$self->{portal}
->lmLog( "Modification return code: " . $mesg->code, 'debug' );
->logger->debug( "Modification return code: " . $mesg->code );
return PE_WRONGMANAGERACCOUNT
if ( $mesg->code == 50 || $mesg->code == 8 );
if ( $mesg->code == 0 ) {
@ -549,14 +544,14 @@ sub ldap {
and my $mesg = $self->{ldap}->bind )
{
if ( $mesg->code != 0 ) {
$self->lmLog( "LDAP error: " . $mesg->error, 'error' );
$self->logger->error( "LDAP error: " . $mesg->error );
$self->{ldap}->unbind;
}
else {
if ( $self->{ldapPpolicyControl}
and not $self->{ldap}->loadPP() )
{
$self->lmLog( "LDAP password policy error", 'error' );
$self->logger->error("LDAP password policy error");
$self->{ldap}->unbind;
}
else {
@ -566,7 +561,7 @@ sub ldap {
}
}
else {
$self->lmLog( "LDAP error: $@", 'error' );
$self->logger->error("LDAP error: $@");
}
return 0;
}
@ -591,7 +586,7 @@ sub searchGroups {
}
$searchFilter .= "))";
$self->{p}->lmLog( "Group search filter: $searchFilter", 'debug' );
$self->{p}->logger->debug("Group search filter: $searchFilter");
# Search
my $mesg = $self->search(
@ -606,7 +601,7 @@ sub searchGroups {
foreach my $entry ( $mesg->all_entries ) {
$self->{p}
->lmLog( "Matching group " . $entry->dn() . " found", 'debug' );
->logger->debug( "Matching group " . $entry->dn() . " found" );
# If recursive search is activated, do it here
if ( $self->{conf}->{ldapGroupRecursive} ) {
@ -620,7 +615,7 @@ sub searchGroups {
if ($group_value) {
$self->{p}
->lmLog( "Recursive search for $group_value", 'debug' );
->logger->debug("Recursive search for $group_value");
my $recursive_groups =
$self->searchGroups( $base, $key, $group_value,
@ -646,8 +641,8 @@ sub searchGroups {
my $data = $entry->get_value( $_, asref => 1 );
if ($data) {
$self->{p}->lmLog( "Store values of $_ in group $groupName",
'debug' );
$self->{p}
->logger->debug("Store values of $_ in group $groupName");
$groups->{$groupName}->{$_} = $data;
}
}
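Review bot: The same "Bad old password" event in userModifyPassword now lands on three different destinations: `userLogger->notice` in the `@ -275` and `@ -296` hunks, `userLogger->warn` in the `@ -334` and `@ -345` hunks, and plain `logger->debug` in the `@ -395`, `@ -407`, `@ -442`, `@ -459` and `@ -471` hunks. Every one of these branches returns PE_BADOLDPASSWORD, so a failed password change is only auditable from the user log in some code paths and silently dropped to debug in the others, depending on which LDAP server variant and ppolicy path was taken. Picking one line, e.g. `$self->{portal}->userLogger->notice("Bad old password");`, for all of them keeps the security event in a single log at a single level. userModifyPassword starts and ends outside the visible hunks.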


@ -45,14 +45,14 @@ sub checkForNotifications {
# Get the reference
my $reference = $notif->{reference};
$self->lmLog( "Get reference $reference", 'debug' );
$self->logger->debug("Get reference $reference");
# Check it in session
if ( exists $req->{sessionInfo}->{"notification_$reference"} ) {
# The notification was already accepted
$self->lmLog( "Notification $reference was already accepted",
'debug' );
$self->logger->debug(
"Notification $reference was already accepted");
next LOOP;
}
push @res, $notif;
@ -146,9 +146,8 @@ sub getNotifBack {
# Current pending notification has not been found in
# request
$result = $fileResult = 0;
$self->lmLog(
'Current pending notification has not been found',
'debug' );
$self->logger->debug(
'Current pending notification has not been found');
next;
}
@ -157,15 +156,14 @@ sub getNotifBack {
"$uid has accepted notification $reference");
$self->p->updatePersistentSession( $req,
{ "notification_$reference" => time() } );
$self->lmLog(
"Notification $reference registered in persistent session",
'debug'
$self->logger->debug(
"Notification $reference registered in persistent session"
);
}
# Notifications accepted for this file, delete it unless it's a wildcard
if ( $fileResult and exists $forUser->{$fileName} ) {
$self->lmLog( "Notification file deleted", 'debug' );
$self->logger->debug("Notification file deleted");
$self->notifObject->delete($fileName);
}
}
@ -174,22 +172,21 @@ sub getNotifBack {
# One pending notification has been found and not accepted,
# restart process to display pending notifications
# TODO: is it a good idea to launch all 'afterDatas' subs ?
$self->lmLog(
'Pending notification has been found and not accepted',
'debug' );
$self->logger->debug(
'Pending notification has been found and not accepted');
return $self->p->do( $req, $self->p->afterDatas );
}
# All pending notifications have been accepted, restore cookies and
# launch 'controlUrl' to restore "urldc" using do()
$self->lmLog( 'All pending notifications have been accepted', 'debug' );
$self->logger->debug('All pending notifications have been accepted');
$self->p->rebuildCookies($req);
return $self->p->do( $req, ['controlUrl'] );
}
else {
# No notifications checked here, this entry point must not be called.
# Redirecting to portal
$self->lmLog( 'No notifications checked', 'debug' );
$self->logger->debug('No notifications checked');
$req->mustRedirect(1);
return $self->p->do( $req, [] );
}


@ -70,14 +70,14 @@ sub checkForNotifications {
# Get the reference
my $reference = $notif->getAttribute('reference');
$self->lmLog( "Get reference $reference", 'debug' );
$self->logger->debug("Get reference $reference");
# Check it in session
if ( exists $req->{sessionInfo}->{"notification_$reference"} ) {
# The notification was already accepted
$self->lmLog( "Notification $reference was already accepted",
'debug' );
$self->logger->debug(
"Notification $reference was already accepted");
# Remove it from XML
$notif->unbindNode();
@ -89,11 +89,10 @@ sub checkForNotifications {
if ($condition) {
$self->lmLog( "Get condition $condition", 'debug' );
$self->logger->debug("Get condition $condition");
unless ( $self->p->HANDLER->safe->reval($condition) ) {
$self->lmLog( "Notification condition not accepted",
'debug' );
$self->logger->debug("Notification condition not accepted");
# Remove it from XML
$notif->unbindNode();
@ -113,8 +112,8 @@ sub checkForNotifications {
$form .= $self->stylesheet->output_string($results);
}
if ($@) {
$self->lmLog( "Bad XML file: a notification for $uid was not done ($@)",
'warn' );
$self->userLogger->warn(
"Bad XML file: a notification for $uid was not done ($@)");
return 0;
}
@ -197,7 +196,7 @@ sub getNotifBack {
# Current pending notification has not been found in
# request
$result = $fileResult = 0;
$self->lmLog(
$self->logger->debulogger->debug(
'Current pending notification has not been found',
'debug' );
next;
@ -208,15 +207,14 @@ sub getNotifBack {
"$uid has accepted notification $reference");
$self->p->updatePersistentSession( $req,
{ "notification_$reference" => time() } );
$self->lmLog(
"Notification $reference registered in persistent session",
'debug'
$self->logger->debug(
"Notification $reference registered in persistent session"
);
}
# Notifications accepted for this file, delete it unless it's a wildcard
if ( $fileResult and exists $forUser->{$fileName} ) {
$self->lmLog( "Notification file deleted", 'debug' );
$self->logger->debug("Notification file deleted");
$self->notifObject->delete($fileName);
}
}
@ -225,22 +223,21 @@ sub getNotifBack {
# One pending notification has been found and not accepted,
# restart process to display pending notifications
# TODO: is it a good idea to launch all 'afterDatas' subs ?
$self->lmLog(
'Pending notification has been found and not accepted',
'debug' );
$self->logger->debug(
'Pending notification has been found and not accepted');
return $self->p->do( $req, $self->p->afterDatas );
}
# All pending notifications have been accepted, restore cookies and
# launch 'controlUrl' to restore "urldc" using do()
$self->lmLog( 'All pending notifications have been accepted', 'debug' );
$self->logger->debug('All pending notifications have been accepted');
$self->p->rebuildCookies($req);
return $self->p->do( $req, ['controlUrl'] );
}
else {
# No notifications checked here, this entry point must not be called.
# Redirecting to portal
$self->lmLog( 'No notifications checked', 'debug' );
$self->logger->debug('No notifications checked');
$req->mustRedirect(1);
return $self->p->do( $req, [] );
}
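Review bot: The substitution in the `@ -197` hunk of getNotifBack is mangled: `$self->logger->debulogger->debug(` calls a method named `debulogger` on the logger object, and the old `'debug' );` level argument is still passed as a second argument on the following line. Unless the logger class provides an AUTOLOAD, this branch will die with an unknown-method error the first time a pending notification is not found in the request, which is the path a user hits when submitting an incomplete acceptance form. The intended line is `$self->logger->debug('Current pending notification has not been found');` with the stray `'debug'` argument removed, as was done in the equivalent hunk of the other checkForNotifications/getNotifBack module in this commit. getNotifBack starts outside the hunk.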


@ -43,14 +43,14 @@ sub createToken {
sub getToken {
my ( $self, $id ) = @_;
unless ($id) {
$self->lmLog( 'getToken called without id', 'error' );
$self->logger->error('getToken called without id');
return undef;
}
# Get token session
my $tsession = $self->p->getApacheSession($id);
unless ($tsession) {
$self->lmLog( "Bad (or expired) token $id", 'notice' );
$self->logger->notice("Bad (or expired) token $id");
return undef;
}
my %h = %{ $tsession->{data} };
@ -60,7 +60,7 @@ sub getToken {
sub setToken {
my ( $self, $req, $info ) = @_;
$self->lmLog( 'Prepare token', 'debug' );
$self->logger->debug('Prepare token');
$req->token( $self->createToken($info) );
}


@ -29,7 +29,7 @@ sub sregHook {
# If identity is not trusted, does nothing
return ( 0, $prm ) unless ( $is_id and $is_trusted );
$self->lmLog( "SREG start", 'debug' );
$self->logger->debug("SREG start");
my $accepted = 1;
@ -40,7 +40,8 @@ sub sregHook {
if ( $k eq 'policy_url' ) {
if ( $v =~ Lemonldap::NG::Common::Regexp::HTTP_URI ) {
$req->datas->{_openIdTrustExtMsg} .=
'<dl><dt trspan="openidPA">' . "&nbsp;:</dt><dd><a href=\"$v\">$v</a></dd></dl>";
'<dl><dt trspan="openidPA">'
. "&nbsp;:</dt><dd><a href=\"$v\">$v</a></dd></dl>";
# Question: is it important to notify policy changes ?
# if yes, uncomment this
@ -49,24 +50,25 @@ sub sregHook {
#$accepted = 0 unless ( $p and $p eq $v );
}
else {
$self->lmLog( "Bad policy url", 'error' );
$self->logger->error("Bad policy url");
}
}
# Parse required attributes
elsif ( $k eq 'required' ) {
$self->lmLog( "Required attr $v", 'debug' );
$self->logger->debug("Required attr $v");
push @req, split( /,/, $v );
}
# Parse optional attributes
elsif ( $k eq 'optional' ) {
$self->lmLog( "Optional attr $v", 'debug' );
push @opt, grep { defined $self->conf->{"openIdSreg_$trust_root$_"} }
$self->logger->debug("Optional attr $v");
push @opt,
grep { defined $self->conf->{"openIdSreg_$trust_root$_"} }
split( /,/, $v );
}
else {
$self->lmLog( "Unknown OpenID SREG request $k", 'error' );
$self->logger->error("Unknown OpenID SREG request $k");
}
}
@ -81,12 +83,11 @@ sub sregHook {
# If a required data is not available, returns nothing
foreach my $k (@req) {
unless ( $self->conf->{"openIdSreg_$k"} ) {
$self->lmLog(
"Parameter $k is required by $trust_root but not defined in configuration",
'notice'
$self->logger->notice(
"Parameter $k is required by $trust_root but not defined in configuration"
);
$req->info( qq'<h3 trspan="openidRpns,$k"></h3>');
$req->info(qq'<h3 trspan="openidRpns,$k"></h3>');
return ( 0, {} );
}
}
@ -202,7 +203,7 @@ sub sregHook {
$req->datas->{_openIdTrustExtMsg} .= "</table>\n";
$self->lmLog( 'Building validation form', 'debug' );
$self->logger->debug('Building validation form');
return ( 0, $prm );
}
}
@ -231,12 +232,9 @@ sub sregfilter {
# Warn if some parameters are rejected
if (@rej) {
$self->lmLog(
"Requested parameter(s) "
$self->logger->warn( "Requested parameter(s) "
. join( ',', @rej )
. "is(are) not valid OpenID SREG parameter(s)",
'warn'
);
. "is(are) not valid OpenID SREG parameter(s)" );
}
# Return valid SREG parameters


@ -17,7 +17,8 @@ our $VERSION = '2.0.0';
use constant OPENID2_NS => 'http://specs.openid.net/auth/2.0';
use constant OPENID2_ID_SELECT => 'http://specs.openid.net/auth/2.0/identifier_select';
use constant OPENID2_ID_SELECT =>
'http://specs.openid.net/auth/2.0/identifier_select';
*_push_url_arg =
( $Net::OpenID::Server::VERSION >= 1.09 )


@ -64,8 +64,8 @@ sub loadOPs {
unless ( $self->conf->{oidcOPMetaDataJSON}
and keys %{ $self->conf->{oidcOPMetaDataJSON} } )
{
$self->lmLog( "No OpenID Connect Provider found in configuration",
'warn' );
$self->logger->warn(
"No OpenID Connect Provider found in configuration");
}
# Extract JSON data
@ -88,8 +88,8 @@ sub loadRPs {
unless ( $self->conf->{oidcRPMetaDataOptions}
and keys %{ $self->conf->{oidcRPMetaDataOptions} } )
{
$self->lmLog( "No OpenID Connect Relying Party found in configuration",
'warn' );
$self->logger->warn(
"No OpenID Connect Relying Party found in configuration");
}
$self->oidcRPList( $self->conf->{oidcRPMetaDataOptions} );
foreach my $rp ( keys %{ $self->oidcRPList } ) {
@ -106,7 +106,7 @@ sub loadRPs {
if ($extraClaims) {
foreach my $claim ( keys %$extraClaims ) {
$self->lmLog( "Using extra claim $claim for $rp", 'debug' );
$self->logger->debug("Using extra claim $claim for $rp");
my @extraAttributes = split( /\s/, $extraClaims->{$claim} );
$attributes->{$claim} = \@extraAttributes;
}
@ -125,9 +125,8 @@ sub refreshJWKSdata {
unless ( $self->conf->{oidcOPMetaDataJSON}
and keys %{ $self->conf->{oidcOPMetaDataJSON} } )
{
$self->lmLog(
"No OpenID Provider configured, JWKS data will not be refreshed",
'debug' );
$self->logger->debug(
"No OpenID Provider configured, JWKS data will not be refreshed");
return 1;
}
@ -143,33 +142,30 @@ sub refreshJWKSdata {
my $jwksUri = $self->oidcOPList->{$_}->{conf}->{jwks_uri};
unless ($jwksTimeout) {
$self->lmLog( "No JWKS refresh timeout defined for $_, skipping...",
'debug' );
$self->logger->debug(
"No JWKS refresh timeout defined for $_, skipping...");
next;
}
unless ($jwksUri) {
$self->lmLog( "No JWKS URI defined for $_, skipping...", 'debug' );
$self->logger->debug("No JWKS URI defined for $_, skipping...");
next;
}
if ( $self->oidcOPList->{$_}->{jwks}->{time} + $jwksTimeout > time ) {
$self->lmLog( "JWKS data still valid for $_, skipping...",
'debug' );
$self->logger->debug("JWKS data still valid for $_, skipping...");
next;
}
$self->lmLog( "Refresh JWKS data for $_ from $jwksUri", 'debug' );
$self->logger->debug("Refresh JWKS data for $_ from $jwksUri");
my $response = $self->ua->get($jwksUri);
if ( $response->is_error ) {
$self->lmLog(
$self->logger->warn(
"Unable to get JWKS data for $_ from $jwksUri: "
. $response->message,
"warn"
);
$self->lmLog( $response->content, 'debug' );
. $response->message );
$self->logger->debug( $response->content );
next;
}
@ -222,7 +218,7 @@ sub getCallbackUri {
$req->param( $self->conf->{authChoiceParam} ) );
}
$self->lmLog( "OpenIDConnect Callback URI: $callback_uri", 'debug' );
$self->logger->debug("OpenIDConnect Callback URI: $callback_uri");
return $callback_uri;
}
@ -285,9 +281,8 @@ sub buildAuthorizationCodeAuthnRequest {
( defined $acr_values ? ( acr_values => $acr_values ) : () )
);
$self->lmLog(
"OpenIDConnect Authorization Code Flow Authn Request: $authn_uri",
'debug' );
$self->logger->debug(
"OpenIDConnect Authorization Code Flow Authn Request: $authn_uri");
return $authn_uri;
}
@ -391,13 +386,12 @@ sub getAuthorizationCodeAccessToken {
my $grant_type = "authorization_code";
unless ( $auth_method =~ /^client_secret_(basic|post)$/o ) {
$self->lmLog( "Bad authentication method on token endpoint", 'error' );
$self->logger->error("Bad authentication method on token endpoint");
return 0;
}
$self->lmLog(
"Using auth method $auth_method to token endpoint $access_token_uri",
'debug' );
$self->logger->debug(
"Using auth method $auth_method to token endpoint $access_token_uri");
my $response;
@ -429,13 +423,13 @@ sub getAuthorizationCodeAccessToken {
"Content-Type" => 'application/x-www-form-urlencoded' );
}
else {
$self->lmLog( "Unknown auth method $auth_method", 'error' );
$self->logger->error("Unknown auth method $auth_method");
}
if ( $response->is_error ) {
$self->lmLog( "Bad authorization response: " . $response->message,
"error" );
$self->lmLog( $response->content, 'debug' );
$self->logger->error(
"Bad authorization response: " . $response->message );
$self->logger->debug( $response->content );
return 0;
}
return $response->decoded_content;
@ -448,15 +442,14 @@ sub checkTokenResponseValidity {
# token_type MUST be Bearer
unless ( $json->{token_type} eq "Bearer" ) {
$self->lmLog(
"Token type is " . $json->{token_type} . " but must be Bearer",
'error' );
$self->logger->error(
"Token type is " . $json->{token_type} . " but must be Bearer" );
return 0;
}
# id_token MUST be present
unless ( $json->{id_token} ) {
$self->lmLog( "No id_token", 'error' );
$self->logger->error("No id_token");
return 0;
}
@ -486,7 +479,7 @@ sub checkIDTokenValidity {
# Check issuer
unless ( $id_token->{iss} eq $self->oidcOPList->{$op}->{conf}->{issuer} ) {
$self->lmLog( "Issuer mismatch", 'error' );
$self->logger->error("Issuer mismatch");
return 0;
}
@ -494,29 +487,28 @@ sub checkIDTokenValidity {
if ( ref $id_token->{aud} ) {
my @audience = @{ $id_token->{aud} };
unless ( grep $_ eq $client_id, @audience ) {
$self->lmLog( "Client ID not found in audience array", 'error' );
$self->logger->error("Client ID not found in audience array");
return 0;
}
if ( $#audience > 1 ) {
unless ( $id_token->{azp} eq $client_id ) {
$self->lmLog(
"More than one audience, and azp not equal to client ID",
'error' );
$self->logger->error(
"More than one audience, and azp not equal to client ID");
return 0;
}
}
}
else {
unless ( $id_token->{aud} eq $client_id ) {
$self->lmLog( "Audience mismatch", 'error' );
$self->logger->error("Audience mismatch");
return 0;
}
}
# Check time
unless ( time < $id_token->{exp} ) {
$self->lmLog( "ID token expired", 'error' );
$self->logger->error("ID token expired");
return 0;
}
@ -524,8 +516,8 @@ sub checkIDTokenValidity {
my $iat = $id_token->{iat};
if ($id_token_max_age) {
unless ( $iat + $id_token_max_age > time ) {
$self->lmLog( "ID token too old (Max age: $id_token_max_age)",
'error' );
$self->logger->error(
"ID token too old (Max age: $id_token_max_age)");
return 0;
}
}
@ -534,19 +526,19 @@ sub checkIDTokenValidity {
if ($use_nonce) {
my $nonce = $id_token->{nonce};
unless ($nonce) {
$self->lmLog( "Nonce was not returned by OP $op", 'error' );
$self->logger->error("Nonce was not returned by OP $op");
return 0;
}
else {
# Get nonce session
my $nonceSession = $self->getOpenIDConnectSession($nonce);
unless ($nonceSession) {
$self->lmLog( "Nonce $nonce verification failed", 'error' );
$self->logger->error("Nonce $nonce verification failed");
return 0;
}
else {
$nonceSession->remove;
$self->lmLog( "Nonce $nonce deleted", 'debug' );
$self->logger->debug("Nonce $nonce deleted");
}
}
}
@ -555,13 +547,12 @@ sub checkIDTokenValidity {
my $acr = $id_token->{acr};
if ( defined $acr_values ) {
unless ($acr) {
$self->lmLog( "ACR was not returned by OP $op", 'error' );
$self->logger->error("ACR was not returned by OP $op");
return 0;
}
unless ( $acr_values =~ /\b$acr\b/i ) {
$self->lmLog(
"ACR $acr not listed in request ACR values ($acr_values)",
'error' );
$self->logger->error(
"ACR $acr not listed in request ACR values ($acr_values)");
return 0;
}
}
@ -570,13 +561,12 @@ sub checkIDTokenValidity {
my $auth_time = $id_token->{auth_time};
if ($max_age) {
unless ($auth_time) {
$self->lmLog( "Auth time was not returned by OP $op", 'error' );
$self->logger->error("Auth time was not returned by OP $op");
return 0;
}
if ( $auth_time + $max_age > time ) {
$self->lmLog(
"Authentication time ($auth_time) is too old (Max age: $max_age)",
'error'
$self->userLogger->error(
"Authentication time ($auth_time) is too old (Max age: $max_age)"
);
return 0;
}
@ -594,20 +584,19 @@ sub getUserInfo {
$self->oidcOPList->{$op}->{conf}->{userinfo_endpoint};
unless ($userinfo_uri) {
$self->lmLog( "UserInfo URI not found in $op configuration", 'error' );
$self->logger->error("UserInfo URI not found in $op configuration");
return 0;
}
$self->lmLog(
"Request User Info on $userinfo_uri with access token $access_token",
'debug' );
$self->logger->debug(
"Request User Info on $userinfo_uri with access token $access_token");
my $response = $self->ua->get( $userinfo_uri,
"Authorization" => "Bearer $access_token" );
if ( $response->is_error ) {
$self->lmLog( "Bad userinfo response: " . $response->message, "error" );
$self->lmLog( $response->content, 'debug' );
$self->logger->error( "Bad userinfo response: " . $response->message );
$self->logger->debug( $response->content );
return 0;
}
@ -661,9 +650,8 @@ sub getOpenIDConnectSession {
$self->p->userInfo("OpenIDConnect session $id isn't yet available");
}
else {
$self->lmLog( "Unable to create new OpenIDConnect session",
'error' );
$self->lmLog( $oidcSession->error, 'error' );
$self->logger->error("Unable to create new OpenIDConnect session");
$self->logger->error( $oidcSession->error );
}
return undef;
}
@ -730,17 +718,17 @@ sub extractState {
$req->$_($tmp);
}
else {
$self->lmLog( "Unknown request property $_, skipping", 'warn' );
$self->logger->warn("Unknown request property $_, skipping");
}
}
# Delete state session
if ( $stateSession->remove ) {
$self->lmLog( "State $state was deleted", 'debug' );
$self->logger->debug("State $state was deleted");
}
else {
$self->lmLog( "Unable to delete state $state", 'error' );
$self->lmLog( $stateSession->error, 'error' );
$self->logger->error("Unable to delete state $state");
$self->logger->error( $stateSession->error );
}
return 1;
@ -761,7 +749,7 @@ sub extractJWT {
sub verifyJWTSignature {
my ( $self, $jwt, $op, $rp ) = @_;
$self->lmLog( "Verification of JWT signature: $jwt", 'debug' );
$self->logger->debug("Verification of JWT signature: $jwt");
# Extract JWT parts
my $jwt_parts = $self->extractJWT($jwt);
@ -774,18 +762,15 @@ sub verifyJWTSignature {
# Get signature algorithm
my $alg = $jwt_header_hash->{alg};
$self->lmLog( "JWT signature algorithm: $alg", 'debug' );
$self->logger->debug("JWT signature algorithm: $alg");
if ( $alg eq "none" ) {
# If none alg, signature should be empty
if ( $jwt_parts->[2] ) {
$self->lmLog(
"Signature "
$self->logger->debug( "Signature "
. $jwt_parts->[2]
. " is present but algorithm is 'none'",
'debug'
);
. " is present but algorithm is 'none'" );
return 0;
}
return 1;
@ -829,9 +814,8 @@ sub verifyJWTSignature {
$digest =~ s/\//_/g;
unless ( $digest eq $jwt_parts->[2] ) {
$self->lmLog(
"Digest $digest not equal to signature " . $jwt_parts->[2],
'debug' );
$self->logger->debug(
"Digest $digest not equal to signature " . $jwt_parts->[2] );
return 0;
}
return 1;
@ -840,14 +824,14 @@ sub verifyJWTSignature {
if ( $alg eq "RS256" or $alg eq "RS384" or $alg eq "RS512" ) {
if ($rp) {
$self->lmLog( "Algorithm $alg not supported", 'debug' );
$self->logger->debug("Algorithm $alg not supported");
return 0;
}
# The public key is needed
unless ( $self->oidcOPList->{$op}->{jwks} ) {
$self->lmLog( "Cannot verify $alg signature: no JWKS data found",
'error' );
$self->logger->error(
"Cannot verify $alg signature: no JWKS data found");
return 0;
}
@ -858,7 +842,7 @@ sub verifyJWTSignature {
my $kid = $jwt_header_hash->{kid};
if ($kid) {
$self->lmLog( "Search key with id $kid", 'debug' );
$self->logger->debug("Search key with id $kid");
foreach (@$keys) {
if ( $_->{kid} eq $kid ) {
$key_hash = $_;
@ -871,14 +855,14 @@ sub verifyJWTSignature {
}
unless ($key_hash) {
$self->lmLog( "No key found in JWKS data", 'error' );
$self->logger->error("No key found in JWKS data");
return 0;
}
$self->lmLog( "Found public key parameter n: " . $key_hash->{n},
'debug' );
$self->lmLog( "Found public key parameter e: " . $key_hash->{e},
'debug' );
$self->logger->debug(
"Found public key parameter n: " . $key_hash->{n} );
$self->logger->debug(
"Found public key parameter e: " . $key_hash->{e} );
# Create public key
my $n =
@ -909,7 +893,7 @@ sub verifyJWTSignature {
}
# Other algorithms not managed
$self->lmLog( "Algorithm $alg not known", 'debug' );
$self->logger->debug("Algorithm $alg not known");
return 0;
}
@ -924,7 +908,7 @@ sub verifyJWTSignature {
sub verifyHash {
my ( $self, $value, $hash, $id_token ) = @_;
$self->lmLog( "Verification of value $value with hash $hash", 'debug' );
$self->logger->debug("Verification of value $value with hash $hash");
# Extract ID token parts
my $jwt_parts = $self->extractJWT($id_token);
@ -937,13 +921,12 @@ sub verifyHash {
# Get signature algorithm
my $alg = $jwt_header_hash->{alg};
$self->lmLog( "ID Token signature algorithm: $alg", 'debug' );
$self->logger->debug("ID Token signature algorithm: $alg");
if ( $alg eq "none" ) {
# Not supported
$self->lmLog( "Cannot check hash without signature algorithm",
'debug' );
$self->logger->debug("Cannot check hash without signature algorithm");
return 0;
}
@ -952,20 +935,20 @@ sub verifyHash {
# Hash Level
my $hash_level = $1;
$self->lmLog( "Use SHA $hash_level to check hash", 'debug' );
$self->logger->debug("Use SHA $hash_level to check hash");
my $cHash = $self->createHash( $value, $hash_level );
# Compare values
unless ( $cHash eq $hash ) {
$self->lmLog( "Hash $hash not equal to hash $cHash", 'debug' );
$self->logger->debug("Hash $hash not equal to hash $cHash");
return 0;
}
return 1;
}
# Other algorithms not managed
$self->lmLog( "Algorithm $alg not known", 'debug' );
$self->logger->debug("Algorithm $alg not known");
return 0;
}
@ -977,7 +960,7 @@ sub verifyHash {
sub createHash {
my ( $self, $value, $hash_level ) = @_;
$self->lmLog( "Use SHA $hash_level to hash $value", 'debug' );
$self->logger->debug("Use SHA $hash_level to hash $value");
my $hash;
@ -1059,15 +1042,15 @@ sub getEndPointAuthenticationCredentials {
my $authorization = $req->authorization;
if ( $authorization and $authorization =~ /^Basic (\w+)/i ) {
$self->lmLog( "Method client_secret_basic used", 'debug' );
$self->logger->debug("Method client_secret_basic used");
eval {
( $client_id, $client_secret ) =
split( /:/, decode_base64($1) );
};
$self->lmLog( "Bad authentication header: $@", 'error' ) if ($@);
$self->logger->error("Bad authentication header: $@") if ($@);
}
elsif ( $req->param('client_id') and $req->param('client_secret') ) {
$self->lmLog( "Method client_secret_post used", 'debug' );
$self->logger->debug("Method client_secret_post used");
$client_id = $req->param('client_id');
$client_secret = $req->param('client_secret');
}
@ -1083,11 +1066,11 @@ sub getEndPointAccessToken {
my $authorization = $req->authorization;
if ( $authorization =~ /^Bearer (\w+)/i ) {
$self->lmLog( "Bearer access token", 'debug' );
$self->logger->debug("Bearer access token");
$access_token = $1;
}
elsif ( $access_token = $req->param('access_token') ) {
$self->lmLog( "GET/POST access token", 'debug' );
$self->logger->debug("GET/POST access token");
}
return $access_token;
@ -1115,7 +1098,7 @@ sub buildUserInfoResponse {
my $apacheSession = $self->p->getApacheSession($user_session_id);
unless ($apacheSession) {
$self->lmLog( "Unable to find user session", "error" );
$self->logger->error("Unable to find user session");
return undef;
}
my $user_id_attribute =
@ -1124,14 +1107,14 @@ sub buildUserInfoResponse {
|| $self->conf->{whatToTrace};
my $user_id = $apacheSession->data->{$user_id_attribute};
$self->lmLog( "Found corresponding user: $user_id", 'debug' );
$self->logger->debug("Found corresponding user: $user_id");
$userinfo_response->{sub} = $user_id;
# Parse scope and return allowed attributes
foreach my $claim ( split( /\s/, $scope ) ) {
next if ( $claim eq "openid" );
$self->lmLog( "Get attributes linked to claim $claim", 'debug' );
$self->logger->debug("Get attributes linked to claim $claim");
my $list = $self->getAttributesListFromClaim( $rp, $claim );
next unless $list;
foreach my $attribute (@$list) {
@ -1233,7 +1216,7 @@ sub createJWT {
return $jwt_header . "." . $jwt_payload . "." . $digest;
}
$self->lmLog( "Algorithm $alg not supported to sign JWT", 'debug' );
$self->logger->debug("Algorithm $alg not supported to sign JWT");
return;
}
@ -1248,7 +1231,7 @@ sub createIDToken {
# Get signature algorithm
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenSignAlg};
$self->lmLog( "ID Token signature algorithm: $alg", 'debug' );
$self->logger->debug("ID Token signature algorithm: $alg");
return $self->createJWT( $payload, $alg, $rp );
}
@ -1371,7 +1354,7 @@ sub getRequestJWT {
my $response = $self->ua->get($request_uri);
if ( $response->is_error ) {
$self->lmLog( "Unable to get request JWT on $request_uri", 'error' );
$self->logger->error("Unable to get request JWT on $request_uri");
return;
}


@ -35,20 +35,19 @@ no warnings 'once';
sub getUser {
my ( $self, $req ) = @_;
return PE_OK if ( $req->datas->{_proxyQueryDone} );
$self->lmLog( 'Proxy push auth to ' . $self->conf->{proxyAuthService},
'debug' );
$self->logger->debug(
'Proxy push auth to ' . $self->conf->{proxyAuthService} );
my $resp = $self->ua->post( $self->conf->{proxyAuthService},
{ user => $req->{user}, password => $req->datas->{password} } );
unless ( $resp->is_success ) {
$self->lmLog(
'Unable to query authentication service: ' . $resp->status_line,
'error' );
$self->logger->error(
'Unable to query authentication service: ' . $resp->status_line );
return PE_ERROR;
}
$self->lmLog( 'Proxy gets a response', 'debug' );
$self->logger->debug('Proxy gets a response');
my $res = eval { JSON::from_json( $resp->content ) };
if ($@) {
$self->lmLog("Bad content: $@");
$self->logger->error("Bad content: $@");
return PE_ERROR;
}
$req->sessionInfo->{_proxyQueryDone}++;
@ -58,11 +57,9 @@ sub getUser {
}
$req->sessionInfo->{_proxyCookies} = join '; ',
map { s/;.*$//; $_ } $resp->header('Set-Cookie');
$self->lmLog(
'Store remote cookies in session ('
. $req->sessionInfo->{_proxyCookies} . ')',
'debug'
);
$self->logger->debug( 'Store remote cookies in session ('
. $req->sessionInfo->{_proxyCookies}
. ')' );
PE_OK;
}
@ -78,14 +75,14 @@ sub setSessionInfo {
);
my $resp = $self->ua->request($q);
unless ( $resp->is_success ) {
$self->lmLog( 'Unable to query session service: ' . $resp->status_line,
'error' );
$self->logger->error(
'Unable to query session service: ' . $resp->status_line );
return PE_ERROR;
}
$self->lmLog( 'Proxy gets a response', 'debug' );
$self->logger->debug('Proxy gets a response');
my $res = eval { JSON::from_json( $resp->content ) };
if ($@) {
$self->lmLog("Bad content: $@");
$self->logger->error("Bad content: $@");
return PE_ERROR;
}
foreach ( keys %$res ) {
@ -97,7 +94,8 @@ sub setSessionInfo {
sub authLogout {
my ( $self, $req ) = @_;
$self->lmLog( 'Proxy ask logout to '. $self->conf->{proxyAuthService},'debug');
$self->logger->debug(
'Proxy ask logout to ' . $self->conf->{proxyAuthService} );
my $q = HTTP::Request->new(
GET => $self->conf->{proxyAuthService} . '?logout=1',
[
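Review bot: The value decoded by `JSON::from_json` in getUser is never checked to be a hash reference, so a reply from the authentication service that is a JSON scalar or array passes the `if ($@)` branch untouched and only fails later when it is dereferenced; setSessionInfo has the same gap, where `keys %$res` at the end of its hunk dereferences the result directly. A guard right after each decode, `return PE_ERROR unless ref($res) eq 'HASH';`, puts a malformed or unexpected reply on the same error path the new `$self->logger->error` calls already cover. Separately, the `$@` text from `JSON::from_json` typically embeds an excerpt of the offending body, so the `"Bad content: $@"` line can carry remote response content verbatim into the log. getUser's body spans two hunks here and setSessionInfo starts outside its hunk.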


@ -56,8 +56,8 @@ sub checkRemoteId {
);
if ( $remoteSession->error ) {
$self->lmLog( "Remote session error", 'error' );
$self->lmLog( $remoteSession->error, 'error' );
$self->logger->error("Remote session error");
$self->logger->error( $remoteSession->error );
return PE_ERROR;
}


@ -106,18 +106,18 @@ sub init {
}
unless (LASSOTHINSESSIONS) {
$self->lmLog( 'Lasso thin-sessions flag could not be set', 'warn' );
$self->logger->warn('Lasso thin-sessions flag could not be set');
}
else {
$self->lmLog( 'Lasso thin-sessions flag set', 'debug' );
$self->logger->debug('Lasso thin-sessions flag set');
}
if (GLIB) {
Glib::Log->set_handler(
"Lasso",
[qw/ error critical warning message info debug /],
sub {
$self->lmLog( $_[0] . " error " . $_[1] . ": " . $_[2],
'debug' );
$self->logger->debug(
$_[0] . " error " . $_[1] . ": " . $_[2] );
}
);
}
@ -154,12 +154,12 @@ sub loadService {
and $self->conf->{samlServicePublicKeySig} =~ /CERTIFICATE/ )
{
$serviceCertificate = $self->conf->{samlServicePublicKeySig};
$self->lmLog( 'Certificate will be used in SAML responses', 'debug' );
$self->logger->debug('Certificate will be used in SAML responses');
}
# Get metadata from configuration
$self->lmLog( "Get Metadata for this service", 'debug' );
$self->logger->debug("Get Metadata for this service");
my $service_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();
# Create Lasso server with service metadata
@ -188,7 +188,7 @@ sub loadService {
$self->error('Unable to create Lasso server');
return 0;
}
$self->lmLog( "Service created", 'debug' );
$self->logger->debug("Service created");
return $server;
}
@ -200,7 +200,7 @@ sub loadIDPs {
unless ( $self->conf->{samlIDPMetaDataXML}
and keys %{ $self->conf->{samlIDPMetaDataXML} } )
{
$self->lmLog( "No IDP found in configuration", 'warn' );
$self->logger->warn("No IDP found in configuration");
}
# Load identity provider metadata
@ -212,7 +212,7 @@ sub loadIDPs {
# TODO: QUESTION: do we have to return 0 (<=> block initialization) if one
# IdP load fails ?
foreach ( keys %{ $self->conf->{samlIDPMetaDataXML} } ) {
$self->lmLog( "Get Metadata for IDP $_", 'debug' );
$self->logger->debug("Get Metadata for IDP $_");
my $idp_metadata =
$self->conf->{samlIDPMetaDataXML}->{$_}->{samlIDPMetaDataXML};
@ -261,10 +261,9 @@ sub loadIDPs {
return 0;
}
$self->lmLog( "Set encryption mode $encryption_mode on IDP $_",
'debug' );
$self->logger->debug("Set encryption mode $encryption_mode on IDP $_");
$self->lmLog( "IDP $_ added", 'debug' );
$self->logger->debug("IDP $_ added");
}
return 1;
}
@ -276,7 +275,7 @@ sub loadSPs {
unless ( $self->conf->{samlSPMetaDataXML}
and keys %{ $self->conf->{samlSPMetaDataXML} } )
{
$self->lmLog( "No SP found in configuration", 'warn' );
$self->logger->warn("No SP found in configuration");
}
# Load service provider metadata
@ -286,7 +285,7 @@ sub loadSPs {
$self->spList( {} );
foreach ( keys %{ $self->conf->{samlSPMetaDataXML} } ) {
$self->lmLog( "Get Metadata for SP $_", 'debug' );
$self->logger->debug("Get Metadata for SP $_");
my $sp_metadata =
$self->conf->{samlSPMetaDataXML}->{$_}->{samlSPMetaDataXML};
@ -335,10 +334,9 @@ sub loadSPs {
return 0;
}
$self->lmLog( "Set encryption mode $encryption_mode on SP $_",
'debug' );
$self->logger->debug("Set encryption mode $encryption_mode on SP $_");
$self->lmLog( "SP $_ added", 'debug' );
$self->logger->debug("SP $_ added");
}
return 1;
@ -365,13 +363,13 @@ sub checkMessage {
if ( $request_method eq 'GET' ) {
$method = Lasso::Constants::HTTP_METHOD_REDIRECT;
$self->lmLog( "SAML method: HTTP-REDIRECT", 'debug' );
$self->logger->debug("SAML method: HTTP-REDIRECT");
if ( $req->param('SAMLResponse') ) {
# Response in query string
$response = $self->getQueryString($req);
$self->lmLog( "HTTP-REDIRECT: SAML Response $response", 'debug' );
$self->logger->debug("HTTP-REDIRECT: SAML Response $response");
}
@ -379,7 +377,7 @@ sub checkMessage {
# Request in query string
$request = $self->getQueryString($req);
$self->lmLog( "HTTP-REDIRECT: SAML Request $request", 'debug' );
$self->logger->debug("HTTP-REDIRECT: SAML Request $request");
}
@ -387,7 +385,7 @@ sub checkMessage {
# Artifact in query string
$artifact = $self->getQueryString($req);
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact", 'debug' );
$self->logger->debug("HTTP-REDIRECT: SAML Artifact $artifact");
# Resolve Artifact
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_GET;
@ -411,13 +409,13 @@ sub checkMessage {
if ( $content_type !~ /xml/ ) {
$method = Lasso::Constants::HTTP_METHOD_POST;
$self->lmLog( "SAML method: HTTP-POST", 'debug' );
$self->logger->debug("SAML method: HTTP-POST");
if ( $req->param('SAMLResponse') ) {
# Response in body part
$response = $req->param('SAMLResponse');
$self->lmLog( "HTTP-POST: SAML Response $response", 'debug' );
$self->logger->debug("HTTP-POST: SAML Response $response");
}
@ -425,7 +423,7 @@ sub checkMessage {
# Request in body part
$request = $req->param('SAMLRequest');
$self->lmLog( "HTTP-POST: SAML Request $request", 'debug' );
$self->logger->debug("HTTP-POST: SAML Request $request");
}
@ -433,7 +431,7 @@ sub checkMessage {
# Artifact in SAMLart param
$artifact = $req->param('SAMLart');
$self->lmLog( "HTTP-POST: SAML Artifact $artifact", 'debug' );
$self->logger->debug("HTTP-POST: SAML Artifact $artifact");
# Resolve Artifact
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_POST;
@ -456,11 +454,11 @@ sub checkMessage {
else {
$method = Lasso::Constants::HTTP_METHOD_SOAP;
$self->lmLog( "SAML method: HTTP-SOAP", 'debug' );
$self->logger->debug("SAML method: HTTP-SOAP");
# SOAP is always a request
$request = $req->content;
$self->lmLog( "HTTP-SOAP: SAML Request $request", 'debug' );
$self->logger->debug("HTTP-SOAP: SAML Request $request");
}
@ -482,13 +480,13 @@ sub checkLassoError {
# If $error is not a Lasso::Error object, display error string
unless ( ref($error) and $error->isa("Lasso::Error") ) {
return 1 unless $error;
$self->lmLog( "Lasso error: $error", $level );
$self->p->lmLog( "Lasso error: $error", $level );
return 0;
}
# Else check error code and error message
if ( $error->{code} ) {
$self->lmLog(
$self->p->lmLog(
"Lasso error code " . $error->{code} . ": " . $error->{message},
$level );
return 0;
@ -696,14 +694,14 @@ sub createAuthnRequest {
my $login = $self->createLogin($server);
unless ($login) {
$self->lmLog( 'Unable to create Lasso login', 'error' );
$self->logger->error('Unable to create Lasso login');
return;
}
# Init authentication request
unless ( $self->initAuthnRequest( $login, $idp, $method ) ) {
$self->lmLog( "Could not initiate authentication request on $idp",
'error' );
$self->logger->error(
"Could not initiate authentication request on $idp");
return;
}
@ -712,7 +710,7 @@ sub createAuthnRequest {
$self->storeRelayState( $req, 'urldc', 'checkLogins' ) )
{
$login->msg_relayState($relaystate);
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
$self->logger->debug("Set $relaystate in RelayState");
}
# Customize request
@ -724,7 +722,7 @@ sub createAuthnRequest {
# * Forward some authn constraints
if ( $req->datas->{_proxiedSamlRequest} ) {
$self->lmLog( "IDP Proxy mode detected", 'debug' );
$self->logger->debug("IDP Proxy mode detected");
# Get ProxyCount value
eval {
@ -735,12 +733,12 @@ sub createAuthnRequest {
# Deny request if ProxyCount eq 0
if ( defined $proxyCount ) {
$self->lmLog( "Found proxyCount $proxyCount in proxied request",
'debug' );
$self->logger->debug(
"Found proxyCount $proxyCount in proxied request");
if ( $proxyCount eq 0 ) {
$self->lmLog( "SAML request cannot be proxied (ProxyCount 0)",
'error' );
$self->userLogger->error(
"SAML request cannot be proxied (ProxyCount 0)");
return;
}
else {
@ -767,7 +765,7 @@ sub createAuthnRequest {
# NameIDFormat
if ($nameIDFormat) {
$self->lmLog( "Use NameIDFormat $nameIDFormat", 'debug' );
$self->logger->debug("Use NameIDFormat $nameIDFormat");
$request->NameIDPolicy()->Format($nameIDFormat);
}
@ -776,19 +774,19 @@ sub createAuthnRequest {
# Force authentication
if ($forceAuthn) {
$self->lmLog( "Force authentication on IDP", 'debug' );
$self->logger->debug("Force authentication on IDP");
$request->ForceAuthn(1);
}
# Passive authentication
if ($isPassive) {
$self->lmLog( "Passive authentication on IDP", 'debug' );
$self->logger->debug("Passive authentication on IDP");
$request->IsPassive(1);
}
# Allow proxy
unless ($allowProxiedAuthn) {
$self->lmLog( "Do not allow this request to be proxied", 'debug' );
$self->logger->debug("Do not allow this request to be proxied");
eval {
my $proxyRestriction = Lasso::Saml2ProxyRestriction->new();
$proxyRestriction->Audience($idp);
@ -806,25 +804,24 @@ sub createAuthnRequest {
# Signature
if ( $signSSOMessage == 0 ) {
$self->lmLog( "SSO request will not be signed", 'debug' );
$self->logger->debug("SSO request will not be signed");
$self->disableSignature($login);
}
elsif ( $signSSOMessage == 1 ) {
$self->lmLog( "SSO request will be signed", 'debug' );
$self->logger->debug("SSO request will be signed");
$self->forceSignature($login);
}
else {
$self->lmLog( "SSO request signature according to metadata", 'debug' );
$self->logger->debug("SSO request signature according to metadata");
}
# Requested authentication context
if ($proxyRequestedAuthnContext) {
$self->lmLog( "Use RequestedAuthnContext from proxied request",
'debug' );
$self->logger->debug("Use RequestedAuthnContext from proxied request");
$request->RequestedAuthnContext($proxyRequestedAuthnContext);
}
elsif ($requestedAuthnContext) {
$self->lmLog( "Request $requestedAuthnContext context", 'debug' );
$self->logger->debug("Request $requestedAuthnContext context");
eval {
my $context = Lasso::Samlp2RequestedAuthnContext->new();
$context->AuthnContextClassRef($requestedAuthnContext);
@ -839,8 +836,7 @@ sub createAuthnRequest {
# Build authentication request
unless ( $self->buildAuthnRequestMsg($login) ) {
$self->lmLog( "Could not build authentication request on $idp",
'error' );
$self->logger->error("Could not build authentication request on $idp");
return;
}
@ -1145,7 +1141,7 @@ sub extractRelayState {
return 0 unless $relaystate;
if ( $relayStateURL and $relaystate =~ /^https?:\/\// ) {
$self->lmLog( "RelayState is a redirection URL: $relaystate", 'debug' );
$self->logger->debug("RelayState is a redirection URL: $relaystate");
$req->{urldc} = $relaystate;
return 1;
}
@ -1164,11 +1160,11 @@ sub extractRelayState {
# delete relaystate session
if ( $samlSessionInfo->remove ) {
$self->lmLog( "Relaystate $relaystate was deleted", 'debug' );
$self->logger->debug("Relaystate $relaystate was deleted");
}
else {
$self->lmLog( "Unable to delete relaystate $relaystate", 'error' );
$self->lmLog( $samlSessionInfo->error, 'error' );
$self->logger->error("Unable to delete relaystate $relaystate");
$self->logger->error( $samlSessionInfo->error );
}
}
@ -1258,8 +1254,7 @@ sub validateConditions {
# Time
if ($checkTime) {
eval {
$status =
Lasso::Saml2Assertion::validate_time_checks( $assertion,
$status = Lasso::Saml2Assertion::validate_time_checks( $assertion,
$tolerance );
};
@ -1269,15 +1264,14 @@ sub validateConditions {
}
unless ( $status eq Lasso::Constants::SAML2_ASSERTION_VALID ) {
$self->lmLog( "Time conditions validations result: $status",
'error' );
$self->logger->error("Time conditions validations result: $status");
return 0;
}
$self->lmLog( "Time conditions validated", 'debug' );
$self->logger->debug("Time conditions validated");
}
else {
$self->lmLog( "Time conditions not checked", 'debug' );
$self->logger->debug("Time conditions not checked");
}
# Audience
@ -1293,15 +1287,15 @@ sub validateConditions {
}
unless ( $status eq Lasso::Constants::SAML2_ASSERTION_VALID ) {
$self->lmLog( "Audience conditions validations result: $status",
'error' );
$self->logger->error(
"Audience conditions validations result: $status");
return 0;
}
$self->lmLog( "Audience conditions validated", 'debug' );
$self->logger->debug("Audience conditions validated");
}
else {
$self->lmLog( "Audience conditions not checked", 'debug' );
$self->logger->debug("Audience conditions not checked");
}
return 1;
@ -1322,39 +1316,38 @@ sub createLogoutRequest {
my $logout = $self->createLogout($server);
unless ( $self->setSessionFromDump( $logout, $session_dump ) ) {
$self->lmLog( "Could not fill Lasso::Logout with session dump",
'error' );
$self->logger->error("Could not fill Lasso::Logout with session dump");
return;
}
# Init logout request
unless ( $self->initLogoutRequest( $logout, undef, $method ) ) {
$self->lmLog( "Could not initiate logout request", 'error' );
$self->logger->error("Could not initiate logout request");
return;
}
# Set RelayState
if ( my $relaystate = $self->storeRelayState( $req, 'urldc' ) ) {
$logout->msg_relayState($relaystate);
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
$self->logger->debug("Set $relaystate in RelayState");
}
# Signature
if ( $signSLOMessage == 0 ) {
$self->lmLog( "SLO request will not be signed", 'debug' );
$self->logger->debug("SLO request will not be signed");
$self->disableSignature($logout);
}
elsif ( $signSLOMessage == 1 ) {
$self->lmLog( "SLO request will be signed", 'debug' );
$self->logger->debug("SLO request will be signed");
$self->forceSignature($logout);
}
else {
$self->lmLog( "SLO request signature according to metadata", 'debug' );
$self->logger->debug("SLO request signature according to metadata");
}
# Build logout request
unless ( $self->buildLogoutRequestMsg($logout) ) {
$self->lmLog( "Could not build logout request", 'error' );
$self->logger->error("Could not build logout request");
return;
}
@ -1420,7 +1413,7 @@ sub buildLogoutRequestMsg {
sub setSessionFromDump {
my ( $self, $profile, $dump ) = @_;
$self->lmLog( "Loading Session dump: $dump", 'debug' );
$self->logger->debug("Loading Session dump: $dump");
eval { Lasso::Profile::set_session_from_dump( $profile, $dump ); };
@ -1475,7 +1468,7 @@ sub getRouteFromMetaDataURL {
my ( $self, $key, $index, $sub ) = @_;
my $uri = $self->getMetaDataURL( $key, $index, 0 );
unless ( $uri =~ m#^/\w# ) {
$self->lmLog( "$key has no index $index", 'debug' );
$self->logger->debug("$key has no index $index");
return ();
}
my @t = grep /\w/, split( /\//, $uri );
@ -1539,8 +1532,7 @@ sub processLogoutRequestMsg {
return 1 if ( $@ or !$notOnOrAfter );
$self->lmLog( "Found NotOnOrAfter $notOnOrAfter in logout request",
'debug' );
$self->logger->debug("Found NotOnOrAfter $notOnOrAfter in logout request");
my $expirationTime = $self->samldate2timestamp($notOnOrAfter);
@ -1597,8 +1589,8 @@ sub storeReplayProtection {
my $session_id = $samlSessionInfo->id;
$self->lmLog( "Keep request ID $samlID in assertion session $session_id",
'debug' );
$self->logger->debug(
"Keep request ID $samlID in assertion session $session_id");
return 1;
}
@ -1611,8 +1603,8 @@ sub replayProtection {
my ( $self, $samlID ) = @_;
unless ($samlID) {
$self->lmLog( "Cannot verify replay because no SAML ID given",
'error' );
$self->userLogger->error(
"Cannot verify replay because no SAML ID given");
return 0;
}
@ -1639,18 +1631,16 @@ sub replayProtection {
}
if ( $samlSessionInfo->remove ) {
$self->lmLog(
"Assertion session $session (Message ID $samlID) was deleted",
'debug'
$self->logger->debug(
"Assertion session $session (Message ID $samlID) was deleted"
);
return $result;
}
else {
$self->lmLog(
"Unable to delete assertion session $session (Message ID $samlID)",
'error'
$self->logger->error(
"Unable to delete assertion session $session (Message ID $samlID)"
);
$self->lmLog( $samlSessionInfo->error, 'error' );
$self->logger->error( $samlSessionInfo->error );
return 0;
}
}
@ -1681,7 +1671,7 @@ sub resolveArtifact {
return unless $self->checkLassoError($@);
unless ( $profile->msg_url ) {
$self->lmLog( "No artifact resolution URL found", 'error' );
$self->logger->error("No artifact resolution URL found");
return;
}
@ -1690,15 +1680,14 @@ sub resolveArtifact {
$request->header( Accept => 'application/xml' );
$request->content( $profile->msg_body );
$self->lmLog(
"Send message " . $profile->msg_body . " to " . $profile->msg_url,
'debug' );
$self->logger->debug(
"Send message " . $profile->msg_body . " to " . $profile->msg_url );
# SOAP call
my $soap_answer = $self->ua->request($request);
if ( $soap_answer->code() == "200" ) {
$message = $soap_answer->content();
$self->lmLog( "Get message $message", 'debug' );
$self->logger->debug("Get message $message");
}
}
@ -1730,7 +1719,7 @@ sub storeArtifact {
my $art_session_id = $samlSessionInfo->id;
$self->lmLog( "Keep artifact $id in session $art_session_id", 'debug' );
$self->logger->debug("Keep artifact $id in session $art_session_id");
return 1;
}
@ -1744,7 +1733,7 @@ sub loadArtifact {
my $art_session;
unless ($id) {
$self->lmLog( "Cannot load artifact because no id given", 'error' );
$self->logger->error("Cannot load artifact because no id given");
return;
}
@ -1758,7 +1747,7 @@ sub loadArtifact {
my $nb_sessions = $#keys + 1;
$self->lmLog( "Found $nb_sessions sessions for artifact $id", 'debug' );
$self->logger->debug("Found $nb_sessions sessions for artifact $id");
# There should only be 1 result
return if ( $nb_sessions != 1 );
@ -1778,15 +1767,15 @@ sub loadArtifact {
# Delete session
if ( $samlSessionInfo->remove ) {
$self->lmLog( "Artifact session $session (ID $id) was deleted",
'debug' );
$self->logger->debug(
"Artifact session $session (ID $id) was deleted");
return $art_session;
}
else {
$self->lmLog( "Unable to delete artifact session $session (ID $id)",
'error' );
$self->lmLog( $samlSessionInfo->error, 'error' );
$self->logger->error(
"Unable to delete artifact session $session (ID $id)");
$self->logger->error( $samlSessionInfo->error );
return;
}
}
@ -1808,21 +1797,20 @@ sub createArtifactResponse {
eval { $login->set_artifact_message( $art_session->{message} ); };
if ($@) {
$self->checkLassoError($@);
$self->lmLog( "Cannot load artifact message", 'error' );
$self->logger->error("Cannot load artifact message");
return;
}
$self->lmLog( "Response loaded", 'debug' );
$self->logger->debug("Response loaded");
# Try to get Lasso session
my $session_id = $art_session->{_saml_id};
if ($session_id) {
$self->lmLog( "Find session_id $session_id in artifact session",
'debug' );
$self->logger->debug("Find session_id $session_id in artifact session");
my $session = $self->p->getApacheSession($session_id);
unless ($session) {
$self->lmLog( "Unable to open session $session_id", 'error' );
$self->logger->error("Unable to open session $session_id");
return;
}
@ -1830,29 +1818,29 @@ sub createArtifactResponse {
if ($lassoSession) {
unless ( $self->setSessionFromDump( $login, $lassoSession ) ) {
$self->lmLog( "Unable to load Lasso Session", 'error' );
$self->logger->error("Unable to load Lasso Session");
return;
}
$self->lmLog( "Lasso Session loaded", 'debug' );
$self->logger->debug("Lasso Session loaded");
}
}
else {
$self->lmLog( "No session_id in artifact session", 'debug' );
$self->logger->debug("No session_id in artifact session");
}
# Build artifact response
eval { Lasso::Login::build_response_msg($login); };
if ($@) {
$self->checkLassoError($@);
$self->lmLog( "Cannot build artifact response", 'error' );
$self->logger->error("Cannot build artifact response");
return;
}
$self->lmLog( "Artifact response built", 'debug' );
$self->logger->debug("Artifact response built");
# Store Lasso session if session opened
if ( $session_id and $login->is_session_dirty ) {
$self->lmLog( "Save Lasso session in session", 'debug' );
$self->logger->debug("Save Lasso session in session");
$self->updateSession( $req,
{ _lassoSessionDump => $login->get_session->dump }, $session_id );
}
@ -1913,16 +1901,16 @@ sub sendSOAPMessage {
$request->header( Accept => 'application/xml' );
$request->content($message);
$self->lmLog( "Send SOAP message $message to $endpoint", 'debug' );
$self->logger->debug("Send SOAP message $message to $endpoint");
# SOAP call
my $soap_answer = $self->ua()->request($request);
if ( $soap_answer->code() == "200" ) {
$response = $soap_answer->content();
$self->lmLog( "Get response $response", 'debug' );
$self->logger->debug("Get response $response");
}
else {
$self->lmLog( "No response to SOAP request", 'debug' );
$self->logger->debug("No response to SOAP request");
return;
}
@ -1961,7 +1949,7 @@ sub createAttributeRequest {
# Create assertion query
return unless ( $query = $self->createAssertionQuery($server) );
$self->lmLog( "Assertion query created", 'debug' );
$self->logger->debug("Assertion query created");
# Init request
my $method = Lasso::Constants::HTTP_METHOD_SOAP;
@ -1974,7 +1962,7 @@ sub createAttributeRequest {
return;
}
$self->lmLog( "Assertion query request initiated", 'debug' );
$self->logger->debug("Assertion query request initiated");
# Set NameID
eval { $query->request()->Subject()->NameID($nameid); };
@ -1983,8 +1971,8 @@ sub createAttributeRequest {
return;
}
$self->lmLog( "Set NameID " . $nameid->dump . " in assertion query",
'debug' );
$self->logger->debug(
"Set NameID " . $nameid->dump . " in assertion query" );
# Store attributes in request
my @requested_attributes;
@ -2053,7 +2041,7 @@ sub processAttributeRequest {
# Create assertion query
return unless ( $query = $self->createAssertionQuery($server) );
$self->lmLog( "Assertion query created", 'debug' );
$self->logger->debug("Assertion query created");
# Process response
eval { Lasso::AssertionQuery::process_request_msg( $query, $request ); };
@ -2062,7 +2050,7 @@ sub processAttributeRequest {
return;
}
$self->lmLog( "Attribute request is valid", 'debug' );
$self->logger->debug("Attribute request is valid");
return $query;
}
@ -2096,7 +2084,7 @@ sub processAttributeResponse {
# Create assertion query
return unless ( $query = $self->createAssertionQuery($server) );
$self->lmLog( "Assertion query created", 'debug' );
$self->logger->debug("Assertion query created");
# Process response
eval { Lasso::AssertionQuery::process_response_msg( $query, $response ); };
@ -2105,7 +2093,7 @@ sub processAttributeResponse {
return;
}
$self->lmLog( "Attribute response is valid", 'debug' );
$self->logger->debug("Attribute response is valid");
return $query;
}
@ -2305,8 +2293,8 @@ sub timestamp2samldate {
my @t = gmtime($timestamp);
my $samldate = strftime( "%Y-%m-%dT%TZ", @t );
$self->lmLog( "Convert timestamp $timestamp in SAML2 date: $samldate",
'debug' );
$self->logger->debug(
"Convert timestamp $timestamp in SAML2 date: $samldate");
return $samldate;
}
@ -2318,15 +2306,14 @@ sub timestamp2samldate {
sub samldate2timestamp {
my ( $self, $samldate ) = @_;
my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) =
( $samldate =~
my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) = ( $samldate =~
/(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z)?/ );
my $timestamp =
timegm( $sec, $min, $hour, $mday, $mon - 1, $year - 1900, 0 );
$self->lmLog( "Convert SAML2 date $samldate in timestamp: $timestamp",
'debug' );
$self->logger->debug(
"Convert SAML2 date $samldate in timestamp: $timestamp");
return $timestamp;
}
@ -2403,7 +2390,7 @@ sub sendLogoutRequestToProvider {
# Find EntityID in spList or idpList
unless ( defined $self->{ lc($type) . 'List' }->{$providerID} ) {
$self->lmLog( "$providerID does not match any known $type", 'error' );
$self->logger->error("$providerID does not match any known $type");
return ( 0, undef, undef );
}
@ -2429,56 +2416,54 @@ sub sendLogoutRequestToProvider {
->{ 'saml' . $type . 'MetaDataOptionsSignSLOMessage' };
if ( $signSLOMessage == 0 ) {
$self->lmLog( "SLO request will not be signed", 'debug' );
$self->logger->debug("SLO request will not be signed");
$self->disableSignature($logout);
}
elsif ( $signSLOMessage == 1 ) {
$self->lmLog( "SLO request will be signed", 'debug' );
$self->logger->debug("SLO request will be signed");
$self->forceSignature($logout);
}
else {
$self->lmLog( "SLO request signature according to metadata", 'debug' );
$self->logger->debug("SLO request signature according to metadata");
}
# Relay State
if ($relayState) {
eval { $logout->msg_relayState($relayState); };
if ($@) {
$self->lmLog(
"Unable to set Relay State $relayState in SLO request for $confKey",
'error'
$self->logger->error(
"Unable to set Relay State $relayState in SLO request for $confKey"
);
return ( 0, $method, undef );
}
$self->lmLog( 'Relay state set', 'debug' );
$self->logger->debug('Relay state set');
}
# Build the request
unless ( $logout->request() ) {
$self->lmLog( "No logout request found, build it", 'debug' );
$self->logger->debug("No logout request found, build it");
# Initiate the logout request
unless ( $self->initLogoutRequest( $logout, $providerID, $method ) ) {
$self->lmLog( "Initiate logout request failed for $providerID",
'error' );
$self->logger->error(
"Initiate logout request failed for $providerID");
return ( 0, $method, undef );
}
# Build request message
unless ( $self->buildLogoutRequestMsg($logout) ) {
$self->lmLog( "Build logout request failed for $providerID",
'error' );
$self->logger->error("Build logout request failed for $providerID");
return ( 0, $method, undef );
}
$self->lmLog( "Request built for $providerID", 'debug' );
$self->logger->debug("Request built for $providerID");
}
# Keep message ID in memory to prevent replay
my $samlID = $logout->request()->ID;
unless ( $self->storeReplayProtection($samlID) ) {
$self->lmLog( "Unable to store message ID", 'error' );
$self->logger->error("Unable to store message ID");
return ( 0, $method, undef );
}
@ -2490,8 +2475,8 @@ sub sendLogoutRequestToProvider {
# HTTP-REDIRECT
if ( $method == Lasso::Constants::HTTP_METHOD_REDIRECT ) {
$self->lmLog( "Send HTTP-REDIRECT logout request to $providerID",
'debug' );
$self->logger->debug(
"Send HTTP-REDIRECT logout request to $providerID");
# Redirect user to response URL
my $slo_url = $logout->msg_url;
@ -2507,8 +2492,7 @@ sub sendLogoutRequestToProvider {
# HTTP-POST
elsif ( $method == Lasso::Constants::HTTP_METHOD_POST ) {
$self->lmLog( "Build POST relay logout request to $providerID",
'debug' );
$self->logger->debug("Build POST relay logout request to $providerID");
# Create a new relay session
my $relayInfos = $self->getSamlSession();
@ -2544,8 +2528,8 @@ sub sendLogoutRequestToProvider {
# Build a relay request, to be used after SLO process is done
if ($relay) {
$self->lmLog( "Build SOAP relay logout request for $providerID",
'debug' );
$self->logger->debug(
"Build SOAP relay logout request for $providerID");
# Create a new relay session
my $relayInfos = $self->getSamlSession();
@ -2580,7 +2564,7 @@ sub sendLogoutRequestToProvider {
# Send the request directly
else {
$self->lmLog( "Send SOAP logout request to $providerID", 'debug' );
$self->logger->debug("Send SOAP logout request to $providerID");
my $slo_url = $logout->msg_url;
my $slo_body = $logout->msg_body;
@ -2589,7 +2573,7 @@ sub sendLogoutRequestToProvider {
my $sp_response = $self->sendSOAPMessage( $slo_url, $slo_body );
unless ($sp_response) {
$self->lmLog( "No logout response to SOAP request", 'error' );
$self->logger->error("No logout response to SOAP request");
return ( 0, $method, undef );
}
@ -2598,7 +2582,7 @@ sub sendLogoutRequestToProvider {
$self->processLogoutResponseMsg( $logout, $sp_response );
unless ($sp_result) {
$self->lmLog( "Fail to process logout response", 'error' );
$self->logger->error("Fail to process logout response");
return ( 0, $method, undef );
}
@ -2607,18 +2591,16 @@ sub sendLogoutRequestToProvider {
if ($sloStatusSessionInfos) {
$sloStatusSessionInfos->update( { $confKey => 1 } );
$self->lmLog(
"Store SLO status for $confKey in session $relayState",
'debug' );
$self->logger->debug(
"Store SLO status for $confKey in session $relayState");
}
else {
$self->lmLog(
"Unable to store SLO status for $confKey in session $relayState",
'warn'
$self->logger->warn(
"Unable to store SLO status for $confKey in session $relayState"
);
}
$self->lmLog( "Logout response is valid", 'debug' );
$self->logger->debug("Logout response is valid");
}
@ -2704,8 +2686,9 @@ sub authnContext2authnLevel {
return $self->conf->{samlAuthnContextMapPassword}
if ( $authnContext eq $self->getAuthnContext("password") );
return $self->conf->{samlAuthnContextMapPasswordProtectedTransport}
if ( $authnContext eq
$self->getAuthnContext("password-protected-transport") );
if (
$authnContext eq $self->getAuthnContext("password-protected-transport")
);
return $self->conf->{samlAuthnContextMapKerberos}
if ( $authnContext eq $self->getAuthnContext("kerberos") );
return $self->conf->{samlAuthnContextMapTLSClient}
@ -2748,11 +2731,11 @@ sub checkDestination {
# Ok if no Destination
if ( $@ or !$destination ) {
$self->lmLog( "No Destination in SAML message", 'debug' );
$self->logger->debug("No Destination in SAML message");
return 1;
}
$self->lmLog( "Destination $destination found in SAML message", 'debug' );
$self->logger->debug("Destination $destination found in SAML message");
# Retrieve full URL
my $portal = $self->conf->{portal};
@ -2762,11 +2745,11 @@ sub checkDestination {
# Compare Destination and URL
if ( $destination eq $url ) {
$self->lmLog( "Destination match URL $url", 'debug' );
$self->logger->debug("Destination match URL $url");
return 1;
}
$self->lmLog( "Destination does not match URL $url", 'error' );
$self->logger->error("Destination does not match URL $url");
return 0;
}
@ -2794,8 +2777,8 @@ sub getSamlSession {
$self->userInfo("SAML session $id isn't yet available");
}
else {
$self->lmLog( "Unable to create new SAML session", 'error' );
$self->lmLog( $samlSession->error, 'error' );
$self->logger->error("Unable to create new SAML session");
$self->logger->error( $samlSession->error );
}
return undef;
}
@ -2849,9 +2832,9 @@ sub createAttributeValue {
return unless defined $value;
# Decode UTF-8
$self->lmLog( "Decode UTF8 value $value", 'debug' ) if $force_utf8;
$self->logger->debug("Decode UTF8 value $value") if $force_utf8;
$value = decode( "utf8", $value ) if $force_utf8;
$self->lmLog( "Create attribute value $value", 'debug' );
$self->logger->debug("Create attribute value $value");
# SAML2 attribute value
eval { $saml2value = Lasso::Saml2AttributeValue->new(); };
@ -2931,25 +2914,24 @@ sub deleteSAMLSecondarySessions {
foreach my $saml_session (@saml_sessions_keys) {
# Get session
$self->lmLog( "Retrieve SAML session $saml_session", 'debug' );
$self->logger->debug("Retrieve SAML session $saml_session");
my $samlSessionInfo = $self->getSamlSession($saml_session);
# Delete session
if ( $samlSessionInfo->remove ) {
$self->lmLog( "SAML session $saml_session deleted", 'debug' );
$self->logger->debug("SAML session $saml_session deleted");
}
else {
$self->lmLog( "Unable to delete SAML session $saml_session",
'error' );
$self->lmLog( $samlSessionInfo->error, "error" );
$self->logger->error(
"Unable to delete SAML session $saml_session");
$self->logger->error( $samlSessionInfo->error );
$result = 0;
}
}
}
else {
$self->lmLog( "No SAML session found for session $session_id ",
'debug' );
$self->logger->debug("No SAML session found for session $session_id ");
}
return $result;
@ -2992,7 +2974,7 @@ sub sendSLOSoapErrorResponse {
"Could not set empty session in logout object" );
}
my $slo_body = $logout->msg_body;
$self->lmLog( "SOAP response $slo_body", 'debug' );
$self->logger->debug("SOAP response $slo_body");
return [
200,
[


@ -42,19 +42,19 @@ sub gen_password {
# @return boolean result
sub send_mail {
my ( $self, $mail, $subject, $body, $html ) = @_;
$self->lmLog( "send_mail called to send \"$subject\" to $mail", 'debug' );
$self->logger->debug("send_mail called to send \"$subject\" to $mail");
# Encode the body with the given charset
$body = encode( $self->charset, decode( 'utf-8', $body ) );
$subject = encode( $self->charset, decode( 'utf-8', $subject ) );
# Debug messages
$self->lmLog( "SMTP From " . $self->conf->{mailFrom}, 'debug' );
$self->lmLog( "SMTP To " . $mail, 'debug' );
$self->lmLog( "SMTP Subject " . $subject, 'debug' );
$self->lmLog( "SMTP Body " . $body, 'debug' );
$self->lmLog( "SMTP HTML flag " . ( $html ? "on" : "off" ), 'debug' );
$self->lmLog( "SMTP Reply-To " . $self->conf->{mailReplyTo}, 'debug' )
$self->logger->debug( "SMTP From " . $self->conf->{mailFrom} );
$self->logger->debug( "SMTP To " . $mail );
$self->logger->debug( "SMTP Subject " . $subject );
$self->logger->debug( "SMTP Body " . $body );
$self->logger->debug( "SMTP HTML flag " . ( $html ? "on" : "off" ) );
$self->logger->debug( "SMTP Reply-To " . $self->conf->{mailReplyTo} )
if $self->conf->{mailReplyTo};
# Encode the subject
@ -130,7 +130,7 @@ sub send_mail {
: $message->send();
};
if ($@) {
$self->lmLog( "Send message failed: $@", 'error' );
$self->logger->error("Send message failed: $@");
return 0;
}
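Review bot: `$self->logger->debug( "SMTP Body " . $body );` writes the complete message body to the log at debug level, and with `gen_password` sitting directly above this hunk the body can be expected to carry a freshly generated password or reset link; the subject and recipient lines are logged the same way. Debug logs are usually readable by more people and retained longer than the mail itself, so the credential ends up in a second, weaker-protected place. Log only the size, `$self->logger->debug( "SMTP Body length " . length($body) );`, or drop that line altogether. send_mail continues beyond the hunk.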


@ -34,11 +34,8 @@ sub getUser {
->uri('urn:Lemonldap/NG/Common/PSGI/SOAPService');
my $r = $soap->getCookies( $req->{user}, $req->datas->{password} );
if ( $r->fault ) {
$self->lmLog(
"Unable to query authentication service: "
. $r->fault->{faultstring},
'error'
);
$self->logger->error( "Unable to query authentication service: "
. $r->fault->{faultstring} );
return PE_ERROR;
}
my $res = $r->result();
@ -52,7 +49,7 @@ sub getUser {
unless ( $req->datas->{_remoteId} =
$res->{cookies}->{ $self->conf->{remoteCookieName} } )
{
$self->lmLog( "No cookie named $self->{remoteCookieName}", 'error' );
$self->logger->error("No cookie named $self->{remoteCookieName}");
return PE_ERROR;
}
$req->datas->{_proxyQueryDone}++;
@ -66,10 +63,8 @@ sub setSessionInfo {
->uri('urn:Lemonldap/NG/Common/PSGI/SOAPService');
my $r = $soap->getAttributes( $req->datas->{_remoteId} );
if ( $r->fault ) {
$self->lmLog(
"Unable to query authentication service" . $r->fault->{faultstring},
'error'
);
$self->logger->error( "Unable to query authentication service"
. $r->fault->{faultstring} );
}
my $res = $r->result();
if ( $res->{error} ) {
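Review bot: The error message in getUser interpolates `$self->{remoteCookieName}` while the lookup two lines above reads `$self->conf->{remoteCookieName}`, so the logged name will most likely come out empty; `$self->logger->error( "No cookie named " . $self->conf->{remoteCookieName} );` reports the value that was actually searched for. In setSessionInfo the fault branch logs but does not return, so `$r->result()` is still called on a faulted SOAP reply, and its message lacks the `: ` separator that the getUser message has. Both getUser and setSessionInfo start outside their hunks.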


@ -20,11 +20,9 @@ sub displayInit {
[ $self->conf->{portalSkinRules}->{$skinRule}, $sub ];
}
else {
$self->lmLog(
$self->logger->error(
qq(Skin rule "$skinRule" returns an error: )
. HANDLER->tsv->{jail}->error,
'error'
);
. HANDLER->tsv->{jail}->error );
}
}
}
@ -190,10 +188,7 @@ sub display {
);
}
if ( $req->token ) {
%templateParams = (
%templateParams,
TOKEN => $req->token,
);
%templateParams = ( %templateParams, TOKEN => $req->token, );
}
# Show password form if password policy error
@ -274,7 +269,7 @@ sub display {
my $displayType = $self->_authentication->getDisplayType($req);
$self->lmLog( "Display type $displayType ", 'debug' );
$self->logger->debug("Display type $displayType ");
%templateParams = (
%templateParams,
@ -317,7 +312,7 @@ sub display {
%templateParams = ( %templateParams, %$customParams );
}
$self->lmLog( "Skin returned: $skinfile", 'debug' );
$self->logger->debug("Skin returned: $skinfile");
return ( $skinfile, \%templateParams );
}
@ -381,7 +376,7 @@ sub getSkin {
foreach my $rule ( @{ $self->conf->{skinRules} } ) {
if ( $rule->[1]->( $req->sessionInfo ) ) {
$skin = $rule->[0];
$self->lmLog( "Skin $skin selected from skin rule", 'debug' );
$self->logger->debug("Skin $skin selected from skin rule");
}
}
@ -389,7 +384,7 @@ sub getSkin {
my $skinParam = $req->param('skin');
if ( defined $skinParam && !$self->checkXSSAttack( 'skin', $skinParam ) ) {
$skin = $skinParam;
$self->lmLog( "Skin $skin selected from GET/POST parameter", 'debug' );
$self->logger->debug("Skin $skin selected from GET/POST parameter");
}
return $skin;
@ -406,8 +401,8 @@ sub getCustomTemplateParameters {
next unless ( $_ =~ /^tpl_(.+)$/ );
my $tplParam = $1;
my $tplValue = $conf->{$_};
$self->lmLog( "Set custom template parameter $tplParam with $tplValue",
'debug' );
$self->logger->debug(
"Set custom template parameter $tplParam with $tplValue");
$customTplParams->{$tplParam} = $tplValue;
}
@ -439,9 +434,9 @@ sub mkSessionArray {
foreach my $session (@$sessions) {
$tmp .= "<tr>"
.($displayUser ? "<td>$session->{user}</td>" : '')
. qq'<td class="localeDate" val="$session->{_utime}"></td>'
. "<td>$session->{ipAddr}</td>";
. ( $displayUser ? "<td>$session->{user}</td>" : '' )
. qq'<td class="localeDate" val="$session->{_utime}"></td>'
. "<td>$session->{ipAddr}</td>";
$tmp .= "<td>" . ( $session->{$_} || "" ) . "</td>"
foreach ( keys %{ $self->conf->{sessionDataToRemember} } );
$tmp .= "<td>$session->{error}</td>" if ($displayError);
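Review bot: mkSessionArray interpolates `$session->{user}`, `$session->{ipAddr}`, `$session->{_utime}`, each `sessionDataToRemember` value and `$session->{error}` straight into table cells and an attribute with no HTML escaping; wherever one of these originates from a header or attribute a user can influence, the history page renders it verbatim. The hunk only re-indents the concatenation, so this is pre-existing, but wrapping each value in an escaping call (`encode_entities` from HTML::Entities, or whatever helper the templates already rely on) is the place to close it. The `skin` request parameter in getSkin deserves the same look: it only passes through checkXSSAttack before being used, and its later use lies outside the hunk.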


@ -93,7 +93,7 @@ sub init {
# Purge loaded module list
$self->loadedModules( {} );
Lemonldap::NG::Handler::Main->onReload( $self, 'reloadConf' );
return 0 unless ( $self->SUPER::init($self->localConfig) );
return 0 unless ( $self->SUPER::init( $self->localConfig ) );
return 0 if ( $self->error );
# Handle requests (other path may be declared in enabled plugins)
@ -205,7 +205,7 @@ sub reloadConf {
foreach ( split( /\s+/, $td ) ) {
next unless ($td);
s#^\.#([^/]+\.)?#;
$self->lmLog( "Domain $_ added in trusted domains", 'debug' );
$self->logger->debug("Domain $_ added in trusted domains");
s/\./\\./g;
# This regexp is valid for the followings hosts:
@ -219,14 +219,14 @@ sub reloadConf {
}
}
foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) {
$self->lmLog( "Vhost $vhost added in trusted domains", 'debug' );
$self->logger->debug("Vhost $vhost added in trusted domains");
$re->add( quotemeta($vhost) );
if ( my $tmp =
$self->conf->{vhostOptions}->{$vhost}->{vhostAliases} )
{
foreach my $alias ( split /\s+/, $tmp ) {
$self->lmLog( "Alias $alias added in trusted domains",
'debug' );
$self->logger->debug(
"Alias $alias added in trusted domains");
$re->add( quotemeta($alias) );
}
}
@ -247,20 +247,16 @@ sub reloadConf {
$self->{"_$type"}->{$name} = $sub;
}
else {
$self->lmLog(
"$type $name returns an error: "
. HANDLER->tsv->{jail}->error,
'error'
);
$self->logger->error( "$type $name returns an error: "
. HANDLER->tsv->{jail}->error );
}
}
}
}
$self->{_jsRedirect} =
HANDLER->buildSub( HANDLER->substitute( $self->conf->{jsRedirect} ) )
or $self->lmLog(
'jsRedirect returns an error: ' . HANDLER->tsv->{jail}->error,
'error' );
or $self->logger->error(
'jsRedirect returns an error: ' . HANDLER->tsv->{jail}->error );
$self->menu( $self->loadPlugin('::Main::Menu') );
$self->displayInit;
@ -287,15 +283,15 @@ sub findEP {
qw(beforeAuth betweenAuthAndDatas afterDatas forAuthUser beforeLogout))
{
if ( $obj->can($sub) ) {
$self->lmLog( " Found $sub entry point:", 'debug' );
$self->logger->debug(" Found $sub entry point:");
if ( my $callback = $obj->$sub ) {
push @{ $self->{$sub} }, sub { $obj->$callback( $_[0] ) };
$self->lmLog( " -> $callback", 'debug' );
$self->logger->debug(" -> $callback");
}
}
}
( $obj and $obj->init ) or return 0;
$self->lmLog( "Plugin $plugin initializated", 'debug' );
$self->logger->debug("Plugin $plugin initializated");
return $obj;
}
@ -307,12 +303,12 @@ sub loadModule {
eval "require $module";
if ($@) {
$self->lmLog( "$module load error: $@", 'error' );
$self->logger->error("$module load error: $@");
return 0;
}
eval {
$obj = $module->new( { p => $self, conf => $conf } );
$self->lmLog( "Module $module loaded", 'debug' );
$self->logger->debug("Module $module loaded");
};
if ($@) {
$self->error("Unable to build $module object: $@");
@ -323,7 +319,7 @@ sub loadModule {
}
sub fail {
$_[0]->lmLog( $_[0]->error, 'error' );
$_[0]->userLogger->error( $_[0]->error );
$_[0]->addUnauthRoute( '*' => 'displayError' );
$_[0]->addAuthRoute( '*' => 'displayError' );
return 0;
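Review bot: In the trusted-domains loop, `next unless ($td);` tests the whole setting rather than the element being iterated, so an empty element produced by a leading blank in the configured list is not skipped and goes on into the substitutions and `$re->add`; `next unless ($_);` is the guard that was evidently intended, and what an empty entry does to the assembled pattern depends on code outside the hunk. Separately, `fail` now routes the initialisation error to `userLogger` while every other init-time error in this file goes to `logger`, which looks like the wrong channel for a configuration failure. reloadConf starts outside its hunk.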


@ -37,11 +37,17 @@ sub init {
if ( my $path = $self->conf->{"issuerDB${type}Path"} ) {
$path =~ s/^.*?(\w+).*?$/$1/;
$self->path($path);
$self->addUnauthRoute( $path => { '*' => '_redirect' }, ['GET','POST'] );
$self->addAuthRoute( $path => { '*' => "_forAuthUser" }, ['GET','POST'] );
$self->addUnauthRoute(
$path => { '*' => '_redirect' },
[ 'GET', 'POST' ]
);
$self->addAuthRoute(
$path => { '*' => "_forAuthUser" },
[ 'GET', 'POST' ]
);
}
else {
$self->lmLog( "No path declared for issuer $type. Skipping", 'debug' );
$self->logger->debug("No path declared for issuer $type. Skipping");
}
}
@ -51,13 +57,14 @@ sub init {
sub _redirect {
my ( $self, $req, @path ) = @_;
$self->lmLog( 'Processing _redirect', 'debug' );
$self->logger->debug('Processing _redirect');
my $prms = $req->parameters;
foreach my $k ( keys %$prms ) {
$self->p->setHiddenFormValue( $req, $k, $prms->{$k}, '', 0 );
}
$self->p->setHiddenFormValue( $req, 'issuerMethod', $req->method, '', 0 );
$self->p->setHiddenFormValue( $req, 'issuerQuery', $req->query_string, '', 0 );
$self->p->setHiddenFormValue( $req, 'issuerQuery', $req->query_string, '',
0 );
$req->{urldc} =
$self->conf->{portal}
. $req->path
@ -83,7 +90,7 @@ sub _redirect {
# Case 3: authentified user, launch
sub _forAuthUser {
my ( $self, $req, @path ) = @_;
$self->lmLog( 'Processing _forAuthUser', 'debug' );
$self->logger->debug('Processing _forAuthUser');
return $self->p->do(
$req,
[


@ -18,8 +18,7 @@ has menuModules => (
my @res;
foreach (qw(Appslist ChangePassword LoginHistory Logout)) {
my $cond = $conf->{"portalDisplay$_"} // 1;
$_[0]
->p->lmLog( "Evaluate condition $cond for module $_", 'debug' );
$_[0]->p->logger->debug("Evaluate condition $cond for module $_");
my $tmp =
$_[0]->{p}->HANDLER->buildSub($cond);
push @res, [ $_, $tmp ] if ($tmp);
@ -31,7 +30,8 @@ has menuModules => (
has imgPath => (
is => 'rw',
builder => sub {
return $_[0]->{conf}->{impgPath} || $_[0]->{conf}->{staticPrefix} . '/logos';
return $_[0]->{conf}->{impgPath}
|| $_[0]->{conf}->{staticPrefix} . '/logos';
}
);
@ -104,7 +104,7 @@ sub displayModules {
# Foreach module, eval condition
# Store module in result if condition is valid
foreach my $module ( @{ $self->menuModules } ) {
$self->lmLog( "Check if $module->[0] has to be displayed", 'debug' );
$self->logger->debug("Check if $module->[0] has to be displayed");
if ( $module->[1]->() ) {
my $moduleHash = { $module->[0] => 1 };
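Review bot: The imgPath builder reads `$_[0]->{conf}->{impgPath}`, which looks like a misspelling of the attribute name `imgPath` and would make the fallback `staticPrefix . '/logos'` the only value ever used; unless `impgPath` is really the configured key, the reformatted line should read `return $_[0]->{conf}->{imgPath}`. As a point of style, the menuModules builder mixes `$_[0]->p->logger` with `$_[0]->{p}->HANDLER` on consecutive lines; using the accessor in both places would be consistent with the rest of the commit.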


@ -33,7 +33,7 @@ sub enabledPlugins {
# Search for Issuer* modules enabled
foreach my $key (qw(SAML OpenID CAS OpenIDConnect Get)) {
if ( $self->conf->{"issuerDB${key}Activation"} ) {
$self->lmLog( "Issuer${key} enabled", 'debug' );
$self->logger->debug("Issuer${key} enabled");
push @res, "::Issuer::$key";
}
}
@ -62,8 +62,8 @@ sub enabledPlugins {
# Check if custom plugins are required
# TODO: change this name
if ( $self->conf->{customPlugins} ) {
$self->lmLog( 'Custom plugins: ' . $self->conf->{customPlugins},
'debug' );
$self->logger->debug(
'Custom plugins: ' . $self->conf->{customPlugins} );
push @res, grep ( /\w/, split( /,\s*/, $self->conf->{customPlugins} ) );
}
return @res;
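Review bot: The names taken from `customPlugins` are only filtered with `grep ( /\w/, ... )`, yet elsewhere on this page loadModule hands each plugin name to `eval "require $module"`, so anything beyond a bare package name in that setting is interpolated into Perl code. Restricting the list to well-formed package names, `push @res, grep { /^[\w:]+$/ } split( /,\s*/, $self->conf->{customPlugins} );`, keeps a malformed or tampered configuration value from becoming executable code, and the block form is also the idiomatic spelling of `grep`.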


@ -21,15 +21,15 @@ sub process {
my $err = PE_OK;
while ( my $sub = shift @{ $req->steps } ) {
if ( ref $sub ) {
$self->lmLog( "Processing code ref", 'debug' );
$self->logger->debug("Processing code ref");
last if ( $err = $sub->($req) );
}
else {
$self->lmLog( "Processing $sub", 'debug' );
$self->logger->debug("Processing $sub");
last if ( $err = $self->$sub($req) );
}
}
$self->lmLog( "Returned error: $err", 'debug' ) if ($err);
$self->logger->debug("Returned error: $err") if ($err);
return $err;
}
@ -64,11 +64,11 @@ sub controlUrl {
if ( $self->conf->{cipher} and $2 ne "1" ) {
my $time = time() - $self->conf->{cipher}->decrypt($2);
if ( $time < 600 ) {
$self->lmLog( "Confirm parameter accepted $c", 'debug' );
$self->logger->debug("Confirm parameter accepted $c");
$req->set_param( 'confirm', $c );
}
else {
$self->lmLog( 'Confirmation to old, refused', 'notice' );
$self->logger->notice('Confirmation to old, refused');
$req->set_param( 'confirm', 0 );
}
}
@ -82,9 +82,8 @@ sub controlUrl {
}
else {
if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
$self->lmLog(
"Value must be in BASE64 (param: url | value: $url)",
"warn" );
$self->userLogger->error(
"Value must be in BASE64 (param: url | value: $url)");
return PE_BADURL;
}
$req->{urldc} = decode_base64($url);
@ -112,12 +111,10 @@ sub controlUrl {
# Non protected hosts
if ( $tmp and !$self->isTrustedUrl($tmp) ) {
$self->lmLog(
"URL contains a non protected host (param: "
$self->userLogger->error(
"URL contains a non protected host (param: "
. ( $req->param('logout') ? 'HTTP Referer' : 'urldc' )
. " | value: $tmp)",
"warn"
);
. " | value: $tmp)" );
delete $req->{urldc};
return PE_BADURL;
}
@ -147,16 +144,16 @@ sub deleteSession {
my $apacheSession = $self->getApacheSession( $req->id );
my $id = $req->id;
unless ($apacheSession) {
$self->lmLog( "Session $id already deleted", 'debug' );
$self->logger->debug("Session $id already deleted");
return PE_OK;
}
unless ( $self->_deleteSession( $req, $apacheSession ) ) {
$self->lmLog( "Unable to delete session $id", 'error' );
$self->lmLog( $apacheSession->error, 'error' );
$self->logger->error("Unable to delete session $id");
$self->logger->error( $apacheSession->error );
return PE_ERROR;
}
else {
$self->lmLog( "Session $id deleted from global storage", 'debug' );
$self->logger->debug("Session $id deleted from global storage");
}
# TODO
@ -164,7 +161,7 @@ sub deleteSession {
if ( $req->datas->{logoutServices} and %{ $req->datas->{logoutServices} } )
{
$self->lmLog( "Create iFrames to forward logout to services", 'debug' );
$self->logger->debug("Create iFrames to forward logout to services");
$req->info('<h3 trmsg="logoutFromOtherApp"></h3>');
@ -173,11 +170,8 @@ sub deleteSession {
my $logoutServiceUrl =
$req->datas->{logoutServices}->{$logoutServiceName};
$self->lmLog(
"Find logout service $logoutServiceName ($logoutServiceUrl)",
'debug'
);
$self->logger->debug(
"Find logout service $logoutServiceName ($logoutServiceUrl)");
my $iframe =
qq'<iframe src="$logoutServiceUrl" alt="$logoutServiceName"'
@ -190,8 +184,7 @@ sub deleteSession {
# Redirect on logout page if no other target defined
if ( !$req->urldc and !$req->postUrl ) {
$self->lmLog( 'No other target defined, redirect on logout',
'debug' );
$self->logger->debug('No other target defined, redirect on logout');
$req->urldc( $req->script_name . "?logout=1" );
}
}
@ -231,8 +224,8 @@ sub checkXSSAttack {
# Test value
$value =~ s/\%25/\%/g;
if ( $value =~ m/(?:\0|<|'|"|`|\%(?:00|3C|22|27|2C))/ ) {
$self->lmLog( "XSS attack detected (param: $name | value: $value)",
"warn" );
$self->userLogger->error(
"XSS attack detected (param: $name | value: $value)");
return $self->conf->{checkXSS};
}
@ -246,9 +239,8 @@ sub extractFormInfo {
my ( $self, $req ) = @_;
my $ret = $self->_authentication->extractFormInfo($req);
if ( $ret == PE_OK and not( $req->user or $req->continue ) ) {
$self->lmLog(
'Authentication module succeed but has not set $req->user',
'error' );
$self->logger->error(
'Authentication module succeed but has not set $req->user');
return PE_ERROR;
}
elsif ( $ret == PE_FIRSTACCESS
@ -287,8 +279,7 @@ sub setAuthSessionInfo {
if ( $ret == PE_OK
and not( defined $req->sessionInfo->{authenticationLevel} ) )
{
$self->lmLog( 'Authentication level is not set by auth module',
'error' );
$self->logger->error('Authentication level is not set by auth module');
}
return $ret;
}
@ -366,12 +357,12 @@ sub setPersistentSessionInfo {
my $persistentSession = $self->getPersistentSession($key);
if ($persistentSession) {
$self->lmLog( "Persistent session found for $key", 'debug' );
$self->logger->debug("Persistent session found for $key");
foreach my $k ( keys %{ $persistentSession->data } ) {
# Do not restore some parameters
next if $k =~ /^_(?:utime|session_(?:u?id|kind))$/;
$self->lmLog( "Restore persistent parameter $k", 'debug' );
$self->logger->debug("Restore persistent parameter $k");
$req->{sessionInfo}->{$k} = $persistentSession->data->{$k};
}
}
@ -438,7 +429,7 @@ sub store {
{
$displayValue = '****';
}
$self->lmLog( "Store $displayValue in session key $k", 'debug' );
$self->logger->debug("Store $displayValue in session key $k");
$self->_dump($displayValue) if ref($displayValue);
$infos->{$k} = $req->{sessionInfo}->{$k};
}
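Review bot: checkXSSAttack and the two BASE64/URL branches of controlUrl now write the raw user-supplied value into `userLogger->error`; the rejection regex stops `<`, quotes and `\0` but not newlines or other control characters, so a crafted value can still split or forge log lines in that file. Stripping non-printables before logging, `( my $shown = $value ) =~ s/[^[:print:]]/?/g;`, keeps the audit trail trustworthy. The message `'Confirmation to old, refused'` should read `too old`; controlUrl starts outside its hunk.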


@ -128,7 +128,7 @@ sub do {
return $req->response;
}
if ( !$self->conf->{noAjaxHook} and $req->wantJSON ) {
$self->lmLog( 'Processing to JSON response', 'debug' );
$self->logger->debug('Processing to JSON response');
if ( $err > 0 and !$req->id ) {
return [
401,
@ -170,11 +170,11 @@ sub do {
)
{
my ( $tpl, $prms ) = $self->display($req);
$self->lmLog( "Calling sendHtml with template $tpl", 'debug' );
$self->logger->debug("Calling sendHtml with template $tpl");
return $self->sendHtml( $req, $tpl, params => $prms );
}
else {
$self->lmLog( 'Calling autoredirect', 'debug' );
$self->logger->debug('Calling autoredirect');
return $self->autoRedirect($req);
}
}
@ -224,12 +224,12 @@ sub autoRedirect {
$req->datas->{redirectFormMethod} = "get";
}
else {
return [ 302, [ Location => $req->{urldc}, @{ $req->respHeaders } ],
[] ];
return [ 302,
[ Location => $req->{urldc}, @{ $req->respHeaders } ], [] ];
}
}
my ( $tpl, $prms ) = $self->display($req);
$self->lmLog( "Calling sendHtml with template $tpl", 'debug' );
$self->logger->debug("Calling sendHtml with template $tpl");
return $self->sendHtml( $req, $tpl, params => $prms );
}
@ -240,10 +240,10 @@ sub getApacheSession {
$args{kind} ||= "SSO";
if ($id) {
$self->lmLog( "Try to get $args{kind} session $id", 'debug' );
$self->logger->debug("Try to get $args{kind} session $id");
}
else {
$self->lmLog( "Try to get a new $args{kind} session", 'debug' );
$self->logger->debug("Try to get a new $args{kind} session");
}
my $as = Lemonldap::NG::Common::Session->new(
@ -265,7 +265,7 @@ sub getApacheSession {
}
if ( $id and !$args{force} and !$as->data ) {
$self->lmLog( "Session $args{kind} $id not found", 'debug' );
$self->logger->debug("Session $args{kind} $id not found");
return;
}
@ -282,11 +282,11 @@ sub getApacheSession {
)
)
{
$self->lmLog( "Session $args{kind} $id expired", 'debug' );
$self->logger->debug("Session $args{kind} $id expired");
return;
}
$self->lmLog( "Return $args{kind} session " . $as->id, 'debug' );
$self->logger->debug( "Return $args{kind} session " . $as->id );
return $as;
}
@ -311,7 +311,7 @@ sub getPersistentSession {
);
if ( $ps->error ) {
$self->lmLog( $ps->error, 'debug' );
$self->logger->debug( $ps->error );
}
# Set _session_uid if not already present
@ -346,21 +346,19 @@ sub updatePersistentSession {
$uid ||= $req->{sessionInfo}->{ $self->conf->{whatToTrace} }
|| $req->userData->{ $self->conf->{whatToTrace} };
unless ($uid) {
$self->lmLog( 'No uid found, skipping updatePersistentSession',
'debug' );
$self->logger->debug('No uid found, skipping updatePersistentSession');
return ();
}
$self->lmLog( "Update $uid persistent session", 'debug' );
$self->logger->debug("Update $uid persistent session");
my $persistentSession = $self->getPersistentSession($uid);
$persistentSession->update($infos);
if ( $persistentSession->error ) {
$self->lmLog(
"Cannot update persistent session " . $self->_md5hash($uid),
'error' );
$self->lmLog( $persistentSession->error, 'error' );
$self->logger->error(
"Cannot update persistent session " . $self->_md5hash($uid) );
$self->logger->error( $persistentSession->error );
}
}
@ -387,8 +385,8 @@ sub updateSession {
## sessionInfo updated if $id defined : quite strange !!
## See http://jira.ow2.org/browse/LEMONLDAP-430
foreach ( keys %$infos ) {
$self->lmLog( "Update sessionInfo $_ with " . $infos->{$_},
'debug' );
$self->logger->debug(
"Update sessionInfo $_ with " . $infos->{$_} );
$req->{sessionInfo}->{$_} = $infos->{$_};
}
@ -402,8 +400,8 @@ sub updateSession {
$apacheSession->update($infos);
if ( $apacheSession->error ) {
$self->lmLog( "Cannot update session $id", 'error' );
$self->lmLog( $apacheSession->error, 'error' );
$self->logger->error("Cannot update session $id");
$self->logger->error( $apacheSession->error );
}
}
}
@ -427,9 +425,9 @@ sub _deleteSession {
if ( my $session2 = $self->getApacheSession($id2) ) {
$session2->remove;
if ( $session2->error ) {
$self->lmLog( "Unable to remove linked session $id2",
'debug' );
$self->lmLog( $session2->error, 'debug' );
$self->logger->debug(
"Unable to remove linked session $id2");
$self->logger->debug( $session2->error );
}
}
}
@ -531,7 +529,7 @@ sub setHiddenFormValue {
$key = $prefix . $key;
$val =~ s/\+/%2B/g;
$req->{portalHiddenFormValues}->{$key} = $val;
$self->lmLog( "Store $val in hidden key $key", 'debug' );
$self->logger->debug("Store $val in hidden key $key");
}
}
@ -554,7 +552,7 @@ sub getHiddenFormValue {
if ( my $val = $req->param($key) ) {
$val = decode_base64($val) if $base64;
return $val;
$self->lmLog( "Hidden value $val found for key $key", 'debug' );
$self->logger->debug("Hidden value $val found for key $key");
}
# No value found
@ -571,12 +569,12 @@ sub clearHiddenFormValue {
unless ( defined $keys ) {
delete $req->{portalHiddenFormValues};
$self->lmLog( "Delete all hidden values", 'debug' );
$self->logger->debug("Delete all hidden values");
}
else {
foreach (@$keys) {
delete $req->{portalHiddenFormValues}->{$_};
$self->lmLog( "Delete hidden value for key $_", 'debug' );
$self->logger->debug("Delete hidden value for key $_");
}
}
@ -625,7 +623,7 @@ sub _dump {
my ( $self, $variable ) = @_;
require Data::Dumper;
$Data::Dumper::Indent = 0;
$self->lmLog( "Dump: " . Data::Dumper::Dumper($variable), 'debug' );
$self->logger->debug( "Dump: " . Data::Dumper::Dumper($variable) );
return;
}
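Review bot: In getHiddenFormValue the debug line `$self->logger->debug("Hidden value $val found for key $key");` sits after `return $val;` and is therefore never executed; the two statements need to be swapped. In `_dump`, `$Data::Dumper::Indent = 0;` changes a package global for the whole process rather than for this call, so `local $Data::Dumper::Indent = 0;` is the safer form. updatePersistentSession logs the raw `$uid` at debug level but only its md5 hash on the error path, which looks like an oversight in what is meant to reach the logs.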


@ -1,553 +0,0 @@
##@file
# menu for lemonldap::ng portal
##@class
# menu class for lemonldap::ng portal
package Lemonldap::NG::Portal::Menu;
use strict;
use utf8;
use warnings;
use Lemonldap::NG::Portal::Simple;
use Lemonldap::NG::Portal::_LibAccess;
use base qw(Lemonldap::NG::Portal::_LibAccess);
use Clone qw(clone);
our $VERSION = '2.0.0';
our $catlevel = 0;
## @method void menuInit()
# Prepare menu template elements
# @return nothing
sub menuInit {
my $self = shift;
$self->{apps}->{imgpath} ||= '/apps/';
# Modules to display
$self->{menuModules} ||= "Appslist ChangePassword LoginHistory Logout";
$self->{menuDisplayModules} = $self->displayModules();
# Extract password from POST data
$self->{oldpassword} = $self->param('oldpassword');
$self->{newpassword} = $self->param('newpassword');
$self->{confirmpassword} = $self->param('confirmpassword');
$self->{dn} = $self->{sessionInfo}->{dn};
$self->{user} = $self->{sessionInfo}->{_user};
# Try to change password
$self->{menuError} =
$self->_subProcess(
qw(passwordDBInit modifyPassword passwordDBFinish sendPasswordMail))
unless $self->{ignorePasswordChange};
# Default menu error code
$self->{menuError} = PE_PASSWORD_OK if ( $self->{passwordWasChanged} );
$self->{menuError} ||= $self->{error};
# Tab to display
# Get the tab URL parameter
$self->{menuDisplayTab} = $self->param("tab") || "none";
# Default to appslist if invalid tab URL parameter
$self->{menuDisplayTab} = "appslist"
unless ( $self->{menuDisplayTab} =~ /^(password|logout|loginHistory)$/ );
# Force password tab in case of password error
$self->{menuDisplayTab} = "password"
if (
(
scalar(
grep { $_ == $self->{menuError} } (
25, #PE_PP_CHANGE_AFTER_RESET
26, #PE_PP_PASSWORD_MOD_NOT_ALLOWED
27, #PE_PP_MUST_SUPPLY_OLD_PASSWORD
28, #PE_PP_INSUFFICIENT_PASSWORD_QUALITY
29, #PE_PP_PASSWORD_TOO_SHORT
30, #PE_PP_PASSWORD_TOO_YOUNG
31, #PE_PP_PASSWORD_IN_HISTORY
32, #PE_PP_GRACE
33, #PE_PP_EXP_WARNING
34, #PE_PASSWORD_MISMATCH
39, #PE_BADOLDPASSWORD
74, #PE_MUST_SUPPLY_OLD_PASSWORD
)
)
)
);
# Application list for old templates
if ( $self->{useOldMenuItems} ) {
$self->{menuAppslistMenu} = $self->appslistMenu();
$self->{menuAppslistDesc} = $self->appslistDescription();
}
return;
}
## @method arrayref displayModules()
# List modules that can be displayed in Menu
# @return modules list
sub displayModules {
my $self = shift;
my $displayModules = [];
# Modules list
my @modules = split( /\s/, $self->{menuModules} );
# Foreach module, eval condition
# Store module in result if condition is valid
foreach my $module (@modules) {
my $cond = $self->{ 'portalDisplay' . $module };
$cond = 1 unless defined $cond;
$self->lmLog( "Evaluate condition $cond for module $module", 'debug' );
if ( $self->safe->reval($cond) ) {
my $moduleHash = { $module => 1 };
$moduleHash->{'APPSLIST_LOOP'} = $self->appslist()
if ( $module eq 'Appslist' );
if ( $module eq 'LoginHistory' ) {
$moduleHash->{'SUCCESS_LOGIN'} =
$self->mkSessionArray(
$self->{sessionInfo}->{loginHistory}->{successLogin},
"", 0, 0 );
$moduleHash->{'FAILED_LOGIN'} =
$self->mkSessionArray(
$self->{sessionInfo}->{loginHistory}->{failedLogin},
"", 0, 1 );
}
push @$displayModules, $moduleHash;
}
}
return $displayModules;
}
## @method arrayref appslist()
# Returns categories and applications list as HTML::Template loop
# @return categories and applications list
sub appslist {
my ($self) = @_;
my $appslist = [];
return $appslist unless defined $self->{applicationList};
# Reset level
$catlevel = 0;
my $applicationList = clone( $self->{applicationList} );
my $filteredList = $self->_filter($applicationList);
push @$appslist, $self->_buildCategoryHash( "", $filteredList, $catlevel );
# We must return an ARRAY ref
return ( ref $appslist->[0]->{categories} eq "ARRAY" )
? $appslist->[0]->{categories}
: [];
}
## @method private hashref _buildCategoryHash(string catname,hashref cathash, int catlevel)
# Build hash for a category
# @param catname Category name
# @param cathash Hash of category elements
# @param catlevel Category level
# @return Category Hash
sub _buildCategoryHash {
my ( $self, $catid, $cathash, $catlevel ) = @_;
my $catname = $cathash->{catname} || $catid;
utf8::decode($catname);
my $applications;
my $categories;
# Extract applications from hash
my $apphash;
foreach my $catkey ( sort keys %$cathash ) {
next if $catkey =~ /(type|options|catname)/;
if ( $cathash->{$catkey}->{type} eq "application" ) {
$apphash->{$catkey} = $cathash->{$catkey};
}
}
# Display applications first
if ( scalar keys %$apphash > 0 ) {
foreach my $appkey ( sort keys %$apphash ) {
push @$applications,
$self->_buildApplicationHash( $appkey, $apphash->{$appkey} );
}
}
# Display subcategories
foreach my $catkey ( sort keys %$cathash ) {
next if $catkey =~ /(type|options|catname)/;
if ( $cathash->{$catkey}->{type} eq "category" ) {
push @$categories,
$self->_buildCategoryHash( $catkey, $cathash->{$catkey},
$catlevel + 1 );
}
}
my $categoryHash = {
category => 1,
catname => $catname,
catid => $catid,
catlevel => $catlevel
};
$categoryHash->{applications} = $applications if $applications;
$categoryHash->{categories} = $categories if $categories;
return $categoryHash;
}
## @method private hashref _buildApplicationHash(string appid, hashref apphash)
# Build hash for an application
# @param $appid Application ID
# @param $apphash Hash of application elements
# @return Application Hash
sub _buildApplicationHash {
my ( $self, $appid, $apphash ) = @_;
my $applications;
# Get application items
my $appname = $apphash->{options}->{name} || $appid;
my $appuri = $apphash->{options}->{uri} || "";
my $appdesc = $apphash->{options}->{description};
my $applogo = $apphash->{options}->{logo};
utf8::decode($appname);
utf8::decode($appdesc) if $appdesc;
# Detect sub applications
my $subapphash;
foreach my $key ( sort keys %$apphash ) {
next if $key =~ /(type|options|catname)/;
if ( $apphash->{$key}->{type} eq "application" ) {
$subapphash->{$key} = $apphash->{$key};
}
}
# Display sub applications
if ( scalar keys %$subapphash > 0 ) {
foreach my $appkey ( sort keys %$subapphash ) {
push @$applications,
$self->_buildApplicationHash( $appkey, $subapphash->{$appkey} );
}
}
my $applicationHash = {
application => 1,
appname => $appname,
appuri => $appuri,
appdesc => $appdesc,
applogo => $applogo,
appid => $appid,
};
$applicationHash->{applications} = $applications if $applications;
return $applicationHash;
}
## @method string appslistMenu()
# Returns HTML code for application list menu.
# @return HTML string
sub appslistMenu {
my $self = shift;
# We no more use XML file for menu configuration
unless ( defined $self->{applicationList} ) {
$self->abort(
"XML menu configuration is deprecated",
"Please use lmMigrateConfFiles2ini to migrate your menu configuration"
);
}
# Use configuration to get menu parameters
my $applicationList = clone( $self->{applicationList} );
my $filteredList = $self->_filter($applicationList);
return $self->_displayConfCategory( "", $filteredList, $catlevel );
}
## @method string appslistDescription()
# Returns HTML code for application description.
# @return HTML string
sub appslistDescription {
my $self = shift;
# We no more use XML file for menu configuration
unless ( defined $self->{applicationList} ) {
$self->lmLog(
"XML menu configuration is deprecated. Please use lmMigrateConfFiles2ini to migrate your menu configuration",
'error'
);
return "&nbsp;";
}
# Use configuration to get menu parameters
my $applicationList = clone( $self->{applicationList} );
return $self->_displayConfDescription( "", $applicationList );
}
## @method string _displayConfCategory(string catname, hashref cathash, int catlevel)
# Creates and returns HTML code for a category.
# @param catname Category name
# @param cathash Hash of category elements
# @param catlevel Category level
# @return HTML string
sub _displayConfCategory {
my ( $self, $catname, $cathash, $catlevel ) = @_;
my $html;
my $key;
# Init HTML list
$html .= "<ul class=\"category cat-level-$catlevel\">\n";
$html .= "<li class=\"catname\">\n";
$html .= "<span>$catname</span>\n" if $catname;
# Increase category level
$catlevel++;
# Extract applications from hash
my $apphash;
foreach $key ( keys %$cathash ) {
next if $key =~ /(type|options|catname)/;
if ( $cathash->{$key}->{type}
and $cathash->{$key}->{type} eq "application" )
{
$apphash->{$key} = $cathash->{$key};
}
}
# display applications first
if ( scalar keys %$apphash > 0 ) {
$html .= "<ul>";
foreach $key ( keys %$apphash ) {
$html .= $self->_displayConfApplication( $key, $apphash->{$key} );
}
$html .= "</ul>";
}
# Display subcategories
foreach $key ( keys %$cathash ) {
next if $key =~ /(type|options|catname)/;
if ( $cathash->{$key}->{type}
and $cathash->{$key}->{type} eq "category" )
{
$html .=
$self->_displayConfCategory( $key, $cathash->{$key}, $catlevel );
}
}
# Close HTML list
$html .= "</li>\n";
$html .= "</ul>\n";
return $html;
}
## @method private string _displayConfApplication(string appid, hashref apphash)
# Creates HTML code for an application.
# @param $appid Application ID
# @param $apphash Hash of application elements
# @return HTML string
sub _displayConfApplication {
my $self = shift;
my ( $appid, $apphash ) = @_;
my $html;
my $key;
# Get application items
my $appname = $apphash->{options}->{name} || $appid;
my $appuri = $apphash->{options}->{uri} || "";
# Display application
$html .=
"<li title=\"$appid\" class=\"appname $appid\"><span>"
. ( $appuri ? "<a href=\"$appuri\">$appname</a>" : "<a>$appname</a>" )
. "</span>\n";
# Detect sub applications
my $subapphash;
foreach $key ( keys %$apphash ) {
next if $key =~ /(type|options|catname)/;
if ( $apphash->{$key}->{type} eq "application" ) {
$subapphash->{$key} = $apphash->{$key};
}
}
# Display sub applications
if ( scalar keys %$subapphash > 0 ) {
$html .= "<ul>";
foreach $key ( keys %$subapphash ) {
$html .=
$self->_displayConfApplication( $key, $subapphash->{$key} );
}
$html .= "</ul>";
}
$html .= "</li>";
return $html;
}
## @method private string _displayConfDescription(string appid, hashref apphash)
# Create HTML code for application description.
# @param $appid Application ID
# @param $apphash Hash
# @return HTML string
sub _displayConfDescription {
my $self = shift;
my ( $appid, $apphash ) = @_;
my $html = "";
my $key;
if ( defined $apphash->{type} and $apphash->{type} eq "application" ) {
# Get application items
my $appname = $apphash->{options}->{name} || $appid;
my $appuri = $apphash->{options}->{uri} || "";
my $appdesc = $apphash->{options}->{description};
my $applogofile = $apphash->{options}->{logo};
my $applogo = $self->{apps}->{imgpath} . $applogofile
if $applogofile;
# Display application description
$html .= "<div id=\"$appid\" class=\"appsdesc\">\n";
$html .=
"<a href=\"$appuri\"><img src=\"$applogo\" alt=\"$appid logo\" /></a>\n"
if $applogofile;
$html .= "<p class=\"appname\">$appname</p>\n" if defined $appname;
$html .= "<p class=\"appdesc\">$appdesc</p>\n" if defined $appdesc;
$html .= "</div>\n";
}
# Sublevels
foreach $key ( keys %$apphash ) {
next if $key =~ /(type|options|catname)/;
$html .= $self->_displayConfDescription( $key, $apphash->{$key} );
}
return $html;
}
## @method private string _filter(hashref apphash)
# Duplicate hash reference
# Remove unauthorized menu elements
# Hide empty categories
# @param $apphash Menu elements
# @return filtered hash
sub _filter {
my ( $self, $apphash ) = @_;
my $filteredHash;
my $key;
# Copy hash reference into a new hash
foreach $key ( keys %$apphash ) {
$filteredHash->{$key} = $apphash->{$key};
}
# Filter hash
$self->_filterHash($filteredHash);
# Hide empty categories
$self->_isCategoryEmpty($filteredHash);
return $filteredHash;
}
## @method private string _filterHash(hashref apphash)
# Remove unauthorized menu elements
# @param $apphash Menu elements
# @return filtered hash
sub _filterHash {
my $self = shift;
my ($apphash) = @_;
my $key;
my $appkey;
foreach $key ( keys %$apphash ) {
next if $key =~ /(type|options|catname)/;
if ( $apphash->{$key}->{type}
and $apphash->{$key}->{type} eq "category" )
{
# Filter the category
$self->_filterHash( $apphash->{$key} );
}
if ( $apphash->{$key}->{type}
and $apphash->{$key}->{type} eq "application" )
{
# Find sub applications and filter them
foreach $appkey ( keys %{ $apphash->{$key} } ) {
next if $appkey =~ /(type|options|catname)/;
# We have sub elements, so we filter them
$self->_filterHash( $apphash->{$key} );
}
# Check rights
my $appdisplay = $apphash->{$key}->{options}->{display}
|| "auto";
my $appuri = $apphash->{$key}->{options}->{uri};
# Remove if display is "no" or "off"
delete $apphash->{$key} and next if ( $appdisplay =~ /^(no|off)$/ );
# Keep node if display is "yes" or "on"
next if ( $appdisplay =~ /^(yes|on)$/ );
# Check grant function if display is "auto" (this is the default)
delete $apphash->{$key} unless ( $self->_grant($appuri) );
next;
}
}
}
## @method private void _isCategoryEmpty(hashref apphash)
# Check if a category is empty
# @param $apphash Menu elements
# @return boolean
sub _isCategoryEmpty {
my $self = shift;
my ($apphash) = @_;
my $key;
# Test sub categories
foreach $key ( keys %$apphash ) {
next if $key =~ /(type|options|catname)/;
if ( $apphash->{$key}->{type}
and $apphash->{$key}->{type} eq "category" )
{
delete $apphash->{$key}
if $self->_isCategoryEmpty( $apphash->{$key} );
}
}
# Test this category
if ( $apphash->{type} and $apphash->{type} eq "category" ) {
# Temporary store 'options'
my $tmp_options = $apphash->{options};
my $tmp_catname = $apphash->{catname};
delete $apphash->{type};
delete $apphash->{options};
delete $apphash->{catname};
if ( scalar( keys %$apphash ) ) {
# There are sub categories or sub applications
# Restore type and options
$apphash->{type} = "category";
$apphash->{options} = $tmp_options;
$apphash->{catname} = $tmp_catname;
# Return false
return 0;
}
else {
# Return true
return 1;
}
}
return 0;
}
1;


@ -39,7 +39,7 @@ sub _modifyPassword {
# TODO: verify oldpassword
unless ( $req->datas->{oldpassword} = $req->param('oldpassword') ) {
$self->lmLog( "Portal require old password", 'warn' );
$self->logger->warn("Portal require old password");
return PE_PP_MUST_SUPPLY_OLD_PASSWORD;
}
@ -56,7 +56,7 @@ sub _modifyPassword {
# Call password package
my $res = $self->modifyPassword( $req, $req->datas->{newpassword} );
if ( $res == PE_PASSWORD_OK ) {
$self->lmLog( 'Update password in session for ' . $req->user, 'debug' );
$self->logger->debug( 'Update password in session for ' . $req->user );
my $infos;
# Store new password if asked
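Review bot: The `# TODO: verify oldpassword` marker survives the rewrite, and the guard under it only checks that an `oldpassword` value was posted, not that it matches the user's current password; if the backend `modifyPassword` call further down does not verify it either, a hijacked session could set a new password without knowing the old one. The backend is not visible from this hunk, so either confirm verification happens there or pass `$req->datas->{oldpassword}` along with `$req->datas->{newpassword}` and check it before returning `PE_PASSWORD_OK`. `_modifyPassword` continues outside both hunks.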


@ -33,7 +33,7 @@ sub modifyPassword {
if ($@) {
# If connection isn't available, error is displayed by dbh()
$self->lmLog( "DBI password modification error: $@", 'error' )
$self->logger->error("DBI password modification error: $@")
if ( $self->_dbh );
return PE_ERROR;
}


@ -48,24 +48,18 @@ sub modifyPassword {
);
unless ( $result->code == 0 ) {
$self->lmLog(
"LDAP modify "
$self->logger->error( "LDAP modify "
. $self->{ldapPasswordResetAttribute}
. " error: "
. $result->code,
'error'
);
. $result->code );
$self->ldap->unbind;
$self->{flags}->{ldapActive} = 0;
return PE_LDAPERROR;
}
$self->lmLog(
$self->{ldapPasswordResetAttribute}
$self->logger->debug( $self->{ldapPasswordResetAttribute}
. " set to "
. $self->{ldapPasswordResetAttributeValue},
'debug'
);
. $self->{ldapPasswordResetAttributeValue} );
}
return $code;
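Review bot: The error branch logs only the numeric `$result->code`, which makes a failed modify of the reset attribute hard to diagnose from the log alone; if `$result` is a Net::LDAP result object (not shown in the hunk) it also carries a text message, so I would log both, `. " error: " . $result->code . " (" . $result->error . ")"`. The success debug line writes `ldapPasswordResetAttributeValue` to the log, which is configuration rather than a credential and therefore acceptable, but worth a glance that nothing sensitive is ever configured there. `modifyPassword` starts before this hunk.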


@ -23,7 +23,7 @@ sub changeUrldc {
and $self->p->isTrustedUrl($urldc) )
{
my $ssl = $urldc =~ /^https/;
$self->lmLog( 'CDA request', 'debug' );
$self->logger->debug('CDA request');
# Create CDA session
if ( my $cdaSession = $self->getApacheSession( undef, kind => "CDA" ) )
@ -46,10 +46,10 @@ sub changeUrldc {
. $self->{conf}->{cookieName} . "cda="
. $cdaSession->id;
$self->lmLog( "CDA redirection to " . $req->{urldc}, 'debug' );
$self->logger->debug( "CDA redirection to " . $req->{urldc} );
}
else {
$self->lmLog( "Unable to create CDA session", 'error' );
$self->logger->error("Unable to create CDA session");
return PE_APACHESESSIONERROR;
}
}
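Review bot: `$self->logger->debug( "CDA redirection to " . $req->{urldc} )` writes the full redirect URL, which the lines just above have extended with `cookieName . "cda=" . $cdaSession->id`, so debug logs end up holding a freshly minted CDA session id that presumably acts as a bearer token on the target host. Log the destination without the secret instead, e.g. `$self->logger->debug( "CDA redirection to " . $urldc );` using the `$urldc` already validated by `isTrustedUrl` at the top of the first hunk, or log the id only on a dedicated line that can be filtered. `changeUrldc` begins before the first hunk.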


@ -21,15 +21,14 @@ sub forceAuth {
# Do not force authentication if last successful authentication is recent
my $last_authn_utime = $req->{sessionInfo}->{_lastAuthnUTime} || 0;
if ( time() - $last_authn_utime < $self->{portalForceAuthnInterval} ) {
$self->lmLog(
"Authentication is recent, so do not force authentication for session $req->id",
'debug'
$self->logger->debug(
"Authentication is recent, so do not force authentication for session $req->id"
);
}
else {
# Else, launch authentication process
$self->lmLog( "Force reauthentication for session $req->id", 'debug' );
$self->logger->debug("Force reauthentication for session $req->id");
$req->steps(
[
@{ $self->p->beforeAuth },
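Review bot: Both new debug messages interpolate `$req->id` inside a double-quoted string, but Perl does not interpolate method calls, so the log will show the request object's stringified reference followed by the literal text `->id` (e.g. `...=HASH(0x...)->id`) rather than the session id. Concatenate instead: `$self->logger->debug( "Force reauthentication for session " . $req->id );` and likewise `"Authentication is recent, so do not force authentication for session " . $req->id`. The removed lines had the same flaw, so the commit carries it over rather than introduces it; `forceAuth` continues outside the hunk.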


@ -106,8 +106,7 @@ sub _reset {
# OTHER FORMS
if ($mailToken) {
$self->lmLog( "Token given for password reset: " . $mailToken,
'debug' );
$self->logger->debug( "Token given for password reset: " . $mailToken );
# Check if token is valid
my $mailSession = $self->mailott->getToken($mailToken);
@ -119,7 +118,7 @@ sub _reset {
$req->{mail} = $mailSession->{user};
$req->datas->{mailAddress} =
$mailSession->{ $self->conf->{mailSessionKey} };
$self->lmLog( 'User associated to: ' . $req->{mail}, 'debug' );
$self->logger->debug( 'User associated to: ' . $req->{mail} );
}
# Check for values posted
@ -159,7 +158,7 @@ sub _reset {
$self->setSecurity($req);
return PE_CAPTCHAERROR;
}
$self->lmLog( "Captcha code verified", 'debug' );
$self->logger->debug("Captcha code verified");
}
elsif ( $self->conf->{requireToken} ) {
unless ( $self->ott->getToken($token) ) {
@ -234,7 +233,7 @@ sub _reset {
$req->id( $mailSession->id );
}
elsif ($mailSession) {
$self->lmLog( 'Mail session found: ' . $mailSession->id, 'debug' );
$self->logger->debug( 'Mail session found: ' . $mailSession->id );
$req->datas->{mailAlreadySent} = 1;
}
@ -244,7 +243,7 @@ sub _reset {
# Mail session expiration date
my $expTimestamp = $mailSession->data->{mailSessionTimeoutTimestamp};
$self->lmLog( "Mail expiration timestamp: $expTimestamp", 'debug' );
$self->logger->debug("Mail expiration timestamp: $expTimestamp");
$req->datas->{expMailDate} =
strftime( "%d/%m/%Y", localtime $expTimestamp );
@ -254,7 +253,7 @@ sub _reset {
# Mail session start date
my $startTimestamp = $mailSession->data->{mailSessionStartTimestamp};
$self->lmLog( "Mail start timestamp: $startTimestamp", 'debug' );
$self->logger->debug("Mail start timestamp: $startTimestamp");
$req->datas->{startMailDate} =
strftime( "%d/%m/%Y", localtime $startTimestamp );
$req->datas->{startMailTime} =
@ -326,7 +325,7 @@ sub _reset {
)
)
{
$self->lmLog( 'Unable to send reset mail', 'debug' );
$self->logger->debug('Unable to send reset mail');
# Don't return an error here to avoid enumeration
}
@ -342,7 +341,7 @@ sub _reset {
sub changePwd {
my ( $self, $req ) = @_;
$self->lmLog( 'Change password form response', 'debug' );
$self->logger->debug('Change password form response');
if ( my $token = $req->param('token') ) {
$req->sessionInfo( $self->ott->getToken($token) );
@ -368,15 +367,14 @@ sub changePwd {
# Check if user wants to generate the new password
if ( $req->param('reset') ) {
$self->lmLog(
"Reset password request for " . $req->{sessionInfo}->{_user},
'debug' );
$self->logger->debug(
"Reset password request for " . $req->{sessionInfo}->{_user} );
# Generate a complex password
my $password =
$self->gen_password( $self->conf->{randomPasswordRegexp} );
$self->lmLog( "Generated password: " . $password, 'debug' );
$self->logger->debug( "Generated password: " . $password );
$req->datas->{newpassword} = $password;
$req->datas->{confirmpassword} = $password;
@ -460,7 +458,7 @@ sub setSecurity {
sub display {
my ( $self, $req ) = @_;
$self->lmLog( 'Display called with code: ' . $req->error, 'debug' );
$self->logger->debug( 'Display called with code: ' . $req->error );
my %tplPrm = (
PORTAL_URL => $self->conf->{portal},
SKIN_PATH => '/static',
@ -514,25 +512,25 @@ sub display {
and !$req->datas->{mailToken}
)
{
$self->lmLog( 'Display form', 'debug' );
$self->logger->debug('Display form');
$tplPrm{DISPLAY_FORM} = 1;
}
# Display mail confirmation resent form
elsif ( $req->error == PE_MAILCONFIRMATION_ALREADY_SENT ) {
$self->lmLog( 'Display resend form', 'debug' );
$self->logger->debug('Display resend form');
$tplPrm{DISPLAY_RESEND_FORM} = 1;
}
# Display confirmation mail sent
elsif ( $req->error == PE_MAILCONFIRMOK ) {
$self->lmLog( 'Display "confirm mail sent"', 'debug' );
$self->logger->debug('Display "confirm mail sent"');
$tplPrm{DISPLAY_CONFIRMMAILSENT} = 1;
}
# Display mail sent
elsif ( $req->error == PE_MAILOK ) {
$self->lmLog( 'Display "mail sent"', 'debug' );
$self->logger->debug('Display "mail sent"');
$tplPrm{DISPLAY_MAILSENT} = 1;
}
@ -542,7 +540,7 @@ sub display {
and $req->error != PE_BADMAILTOKEN
and $req->error != PE_MAILOK )
{
$self->lmLog( 'Display password form', 'debug' );
$self->logger->debug('Display password form');
$tplPrm{DISPLAY_PASSWORD_FORM} = 1;
}
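Review bot: `$self->logger->debug( "Generated password: " . $password )` in `changePwd` writes the freshly generated password in clear to the log, and `_reset` likewise logs the complete password-reset token with `"Token given for password reset: " . $mailToken`; the commit keeps both, and at debug level these lines land in files that are often readable far more widely than the password store. Log the event without the secret, e.g. `$self->logger->debug( "Generated a random password for " . $req->{sessionInfo}->{_user} );` and `$self->logger->debug("Token given for password reset");`. Both subs extend beyond the hunks shown here.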
